All, (especially security experts):

I have a question/suggestion about the “IEEE 802.1X Controlled and Uncontrolled Port Filtering (optional)” component, at the top of the stack in Figure 5-1, et al. For this discussion, I’m focused on downlink traffic only, to keep it simple (for now).

NB: The 802.1X filtering block applies to MSDUs (being at the top of the stack), so this is all with reference only to the DA, not the RA, so we can ignore special cases like GLK, DMS, etc.

Should we perhaps add something (maybe in 4.5.3.3 5th paragraph) to be clear that the port blocking/unblocking applies only to directed (downlink) MSDUs?

Or, alternatively, should we add/clarify a view that the concept of controlled/uncontrolled port is replicated for each peer STA, and as such applies only to traffic directed to/received from that peer, and therefore (downlink) group address traffic is exempt? This approach might be more accurate and clean up other confusion about the nature of the Authenticator/Supplicant, etc., if we also clarify that due to 802.11 being a “multi-drop” (shared medium) network, it is a little more complicated to discuss a port-based facility like 802.1X when applied to 802.11?

Thoughts?

By the way, my thinking here was triggered by discussion ongoing in TGbc about how to handle group addressed traffic that will not follow the group frame protection in an RSN. If it is correct that downlink group addressed traffic is exempt from 802.1X processing, their scenario(s) will be much simpler to describe.

Thanks.

Mark