IETF 67 CAPWAP WG Meeting
Monday, November 6, 2006 1520-1720, Harbor Island III
========================

AGENDA:

- Agenda Bashing, Administrivia -- Chairs (5 min)

- Charter Milestone/Status Review -- Chairs (10 min)
  http://www.ietf.org/html.charters/capwap-charter.html

- CAPWAP MIB Update -- Chairs (2 min)
  Should we have two MIBs to match the document split?
  Goals: Call for volunteers and useful examples (no document available)

- CAPWAP Threat Analysis -- Charles Clancy/Scott Kelly (30 min)
  http://www.ietf.org/internet-drafts/draft-kelly-capwap-threat-analysis-00.txt
  Goal: Understand threats and potential impacts on the CAPWAP specs
  Question: Adopt as a WG work item?

- CAPWAP Protocol Updates -- Dorothy Stanley (10 min)
  http://www.ietf.org/internet-drafts/draft-ietf-capwap-protocol-binding-ieee80211-00.txt
  http://www.ietf.org/internet-drafts/draft-ietf-capwap-protocol-specification-03.txt
  Goal: Understand the document split and review major resolved issues

- CAPWAP Protocol Open Issues -- Chairs/Editors (60 min)
  Structured discussion of unresolved issues from the tracker:
    #1: How to differentiate between encrypted and unencrypted packets?
    #2: What RSC value should the AC use when the WTP does encryption?
    #3: How does DTLS establishment interact with CAPWAP start-up?
    #4: How/if to handle QoS across DTLS-encrypted CAPWAP connections?
    #5: Proposed CAPWAP header changes
  (and, if time allows...)
    #6: Firmware upgrade/image data issues
    #7: Configuration error handling
  Note: More information on each topic is included below in the section
  labeled "GROUPING OF CAPWAP ISSUES FOR DISCUSSION".
  Goal: Discuss and close issues where possible (subject to review on the
  mailing list)

PREPARATION:

In order to have a fruitful discussion on these topics that does not repeat
all of the discussion on the mailing list, please read the information below
and familiarize yourself with recent mailing list discussions before the
meeting. Thank you!!
GROUPING OF CAPWAP ISSUES FOR DISCUSSION:

Note: Further detail about each issue, including the message that opened each
issue, can be found in the issue tracker at:
  http://www.capwap.org/cgi-bin/roundup/CAPWAP/
The CAPWAP mailing list archives can be found at:
  http://lists.frascone.com/pipermail/capwap/

TOPIC #1: How to differentiate between encrypted and unencrypted packets?

Related Issues:
  89  How does the AC differentiate Discovery Request/Client Hello
  137 Proposal for CAPWAP packet format
  217 What is frame format when WTP encrypts/decrypts
  221 No way to signal DTLS for data plane
  224 Control channel packet classification
  227 Need Shim Header to indicate crypto property of packet

Issue Summary: The CAPWAP spec does not specify how implementations should
differentiate between unencrypted and DTLS-encrypted packets on either the
control or data ports.

Open Proposals:
  (1) Use additional ports, up to four for all combinations of
      control/data, encrypted/unencrypted.
  (2) Insert a short (4 byte?) CAPWAP MUX header after the UDP header to
      indicate the type of packet enclosed (unencrypted, DTLS encrypted,
      etc.).

Default Action: N/A, some solution is needed.
Goal: Reach consensus on a solution.

TOPIC #2: What RSC value should the AC use when the WTP does encryption?

Related Issues:
  43  IEEE 802.11i Considerations

Discussion Summary: When the WTP does encryption and the AC does
authentication, the AC does not have the correct RSC value to generate the
third message of the IEEE 802.11i 4-way handshake.

Open Proposals:
  (1) Pass a partial third message to the WTP, so that the WTP can calculate
      the MIC and send the completed message.
  (2) Add a mechanism for the AC to get the RSC from the WTP.
  (3) Indicate that the AC should use an RSC of 0, unless it is aware of a
      better value.

Default Action: N/A, some solution is needed.
Goal: Reach consensus on a solution.

TOPIC #3: How does DTLS establishment interact with CAPWAP start-up?
Related Issues:
  226 Transition to join state

Discussion Summary: There has been discussion of adding a new state to the
state machine between the "Discover"/"Idle" and "Join" states called "DTLS
Establishment". This state would delay the transition to the "Join" state
until the DTLS session has been fully established.

Active Proposals: There is a single proposal with some additions/corrections
described in the issue tracker.

Default Action: N/A, some solution is needed.
Goal: Reach consensus on a solution.

TOPIC #4: How/if to handle QoS across DTLS-encrypted CAPWAP connections?

Related Issues:
  196 Issues with update mobile QoS
  212 References to "QoS field" is invalid
  214 Should 802.1X frames be prioritized?

Discussion Summary: There has been some discussion of whether we need to have
per-QoS DTLS sessions or another way to handle QoS across the encrypted
CAPWAP link.

Default Action: None, do not add special QoS handling.
Goal: Understand the issue, determine if a solution is needed.

TOPIC #5: Proposed CAPWAP header changes

Related Issues:
  127 Usage of the Session ID field
  137 Proposal for CAPWAP packet format
  146 Updated proposal for packet formats
  168 Session is not required

Discussion Summary: A proposal was made (and later updated) to change the
CAPWAP packet formats. Part of the proposal was covered above. There has been
no recent discussion of the other parts of the proposal on the mailing list.
There was also a proposal to add a Session ID field to the CAPWAP header, and
a later statement that a Session ID was not required due to the use of DTLS.

Default Action: None, headers remain unchanged.
Goal: Determine whether or not there is consensus that the headers need to be
changed and, if so, in what ways.

TOPIC #6: Firmware upgrade/image data issues

Related Issues:
  126 Wrong place for "Image data" state
  192 Problems with image data request and response
  200 Trickle firmware download

Discussion Summary: Various issues in this area have been discussed on the list.
There seems to be agreement that some state machine updates are needed, but
perhaps not on the specifics and/or extent of the required changes.

Default Action: None, firmware upgrade text remains as-is.
Goal: Understand the issues in this area and decide what problems with the
firmware upgrade process need to be fixed, if any.

TOPIC #7: Configuration error handling

Related Issues:
  108 Configuration Failure Processing chatting
  175 WTP Board Data belongs in the Join, not configure
  181 Configuration Status is broken
  190 Issues with configuration update response

Discussion Summary: There has been some discussion on the list indicating
that our configuration error handling may be inadequate. It is not clear that
we have a shared understanding of what level of error handling is required,
though.

Default Action: None, configuration responses remain as-is.
Goal: Understand the issues around configuration error handling and determine
what problems in this area need to be fixed, if any.

ISSUES FOR MAILING LIST:

These issues probably represent real problems with the specs, but our
discussions have not advanced to the point where it would be useful to discuss
these issues in a face-to-face setting. In some cases, these issues may not be
well understood by the group and/or there are no specific proposals to
address them. These issues should be further explored/discussed on the
mailing list. Specific proposals should be made and considered to address
them.

  114 How does CAPWAP know there's a NAT?
  140 Use of VLAN name in Add Mobile Station (section 4.4.8)
  173 What if all of the message elements do not fit within a single frame
  219 Insufficient description of WTPs during discovery

MINOR/EDITORIAL ISSUES:

These issues are well enough understood and simple enough that they probably
wouldn't benefit from face-to-face discussion by the CAPWAP WG. The editors
should propose solutions on the mailing list.
  122 Editorial Issues in CAPWAP-01
  144 Need length value for Vendor-specific payload
  149 IPv6 Multicast address for Discover
  152 Which message elements can be repeated?
  153 Can "additional" message elements be added to a message?
  177 WTP Reboot Statistics belongs in the Join
  187 AC Timestamp doesn't belong in the configuration
  191 Clear Config Request: this operation has several problems
  194 Handling duplicate IPv4 addresses
  203 CAPWAP headers must be 4 byte aligned
  211 References to "Clear Text" invalid
  216 'M' bit required in AC->WTP traffic to support 802.3 frame encap
  218 Static IP Address message element is a MUST
  222 Need clarity on how management frames are carried
  223 Description of RID field is unclear

NON-ACTIONABLE ISSUES:

These issues do not contain enough information to be actionable. A message
will be sent to the mailing list indicating that these issues will be closed
unless further information and/or specific proposals for improvement are
provided.

  107 Broadcast Probe Mode and Suppress SSID Configuration
  159 Operations should have listed in which states they are applicable
  183 Report Timer needs to be in section 4.5 or 11
  188 Add MAC ACL Entry issue
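Added illustration for TOPIC #1 above (not part of this agenda and not CAPWAP WG code): a receiver that demultiplexes cleartext and DTLS-encrypted CAPWAP packets arriving on one UDP port. It contrasts proposal (2), a MUX header in front of the payload, with what a receiver is reduced to when no marker exists. The 4-byte MUX header layout (byte 0 = payload type, bytes 1-3 reserved and zero) is an assumption made for this example, as are the sample payloads; only the DTLS record content-type values are real.

```python
"""Demultiplexing cleartext vs DTLS-encrypted CAPWAP packets on one UDP port.

ASSUMED MUX header layout (illustration only, not the CAPWAP WG's format):
    byte 0    : payload type (0 = cleartext CAPWAP, 1 = DTLS record)
    bytes 1-3 : reserved, zero on send, checked on receive
"""
import struct
from dataclasses import dataclass
from enum import IntEnum

MUX_HDR_LEN = 4


class PayloadType(IntEnum):
    CLEARTEXT = 0
    DTLS = 1


# DTLS record-layer content types (DTLS reuses the TLS values).
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}


@dataclass
class Classified:
    kind: str       # "cleartext", "dtls" or "drop"
    reason: str
    payload: bytes


def encapsulate(payload: bytes, ptype: PayloadType) -> bytes:
    """Sender side: prepend the assumed MUX header (type byte + 3 zero bytes)."""
    return struct.pack("!B3x", int(ptype)) + payload


def classify_with_mux(datagram: bytes) -> Classified:
    """Receiver side with the MUX header: the crypto property is explicit, and
    anything that does not match the header is dropped rather than guessed."""
    if len(datagram) < MUX_HDR_LEN:
        return Classified("drop", "short datagram", b"")
    ptype, r1, r2, r3 = struct.unpack("!BBBB", datagram[:MUX_HDR_LEN])
    if (r1, r2, r3) != (0, 0, 0):
        return Classified("drop", "reserved bytes not zero", b"")
    body = datagram[MUX_HDR_LEN:]
    if ptype == PayloadType.CLEARTEXT:
        return Classified("cleartext", "mux type 0", body)
    if ptype == PayloadType.DTLS:
        if not body or body[0] not in DTLS_CONTENT_TYPES:
            return Classified("drop", "mux says DTLS but no DTLS record follows", b"")
        return Classified("dtls", "mux type 1", body)
    return Classified("drop", f"unknown mux type {ptype}", b"")


def classify_by_guessing(datagram: bytes) -> Classified:
    """Without any marker the receiver can only peek at the first byte and hope
    it looks like a DTLS content type. This misclassifies any cleartext payload
    that happens to start with 20..23, which nothing in the protocol prevents."""
    if datagram and datagram[0] in DTLS_CONTENT_TYPES:
        return Classified("dtls", "first byte looks like a DTLS content type", datagram)
    return Classified("cleartext", "first byte is not a DTLS content type", datagram)


# Constructed sample payloads: only the leading bytes matter for this demo.
CLEARTEXT_DISCOVERY = b"\x00\x10CAPWAP-discovery-request"          # constructed
DTLS_CLIENT_HELLO = b"\x16\xfe\xff" + b"\x00" * 11 + b"client-hello"  # 0x16 = handshake
AWKWARD_CLEARTEXT = b"\x16cleartext-that-starts-with-0x16"           # constructed collision


def demo() -> dict:
    """Returns {name: (kind with MUX header, kind when guessing)} for each sample."""
    results = {}
    for name, payload, ptype in [
        ("discovery", CLEARTEXT_DISCOVERY, PayloadType.CLEARTEXT),
        ("client_hello", DTLS_CLIENT_HELLO, PayloadType.DTLS),
        ("awkward", AWKWARD_CLEARTEXT, PayloadType.CLEARTEXT),
    ]:
        results[name] = (classify_with_mux(encapsulate(payload, ptype)).kind,
                         classify_by_guessing(payload).kind)
    return results


if __name__ == "__main__":
    for name, kinds in demo().items():
        print(f"{name:13s} with MUX: {kinds[0]:10s} guessing: {kinds[1]}")
```

The "awkward" sample is the point of the exercise: with the header both receivers agree, without it the guessing receiver hands a cleartext packet to the DTLS stack. Note also that the MUX receiver drops datagrams whose header and body disagree instead of trying the other parser, which keeps a malformed packet from being processed twice.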
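Added illustration for TOPIC #3 above (again not part of this agenda and not CAPWAP WG code): a WTP-side start-up state machine with the proposed "DTLS Establishment" state inserted between Discover and Join, so that a Join Request cannot be sent until the DTLS session is up. The state names Idle, Discover, DTLS Establishment and Join come from the issue text; the event names, the return to Discover on a failed handshake and the give-up counter are assumptions made for this example.

```python
"""WTP start-up with the proposed DTLS Establishment state (Topic #3)."""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    DISCOVER = auto()
    DTLS_ESTABLISHMENT = auto()   # the proposed new state
    JOIN = auto()


class Event(Enum):                # event names are assumptions for this example
    START = auto()
    DISCOVERY_RESPONSE = auto()   # AC chosen, start the DTLS handshake
    DTLS_ESTABLISHED = auto()     # handshake complete, session keys in place
    DTLS_FAILED = auto()          # handshake error or timeout


TRANSITIONS = {
    (State.IDLE, Event.START): State.DISCOVER,
    (State.DISCOVER, Event.DISCOVERY_RESPONSE): State.DTLS_ESTABLISHMENT,
    (State.DTLS_ESTABLISHMENT, Event.DTLS_ESTABLISHED): State.JOIN,
    (State.DTLS_ESTABLISHMENT, Event.DTLS_FAILED): State.DISCOVER,  # assumed recovery
}


class WtpStartup:
    def __init__(self, max_dtls_failures: int = 3):
        self.state = State.IDLE
        self.dtls_failures = 0
        self.max_dtls_failures = max_dtls_failures
        self.trace = []

    def handle(self, event: Event) -> bool:
        """Apply one event; events not valid in the current state are ignored."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            self.trace.append(f"{self.state.name}: ignored {event.name}")
            return False
        if event is Event.DTLS_FAILED:
            self.dtls_failures += 1
            if self.dtls_failures >= self.max_dtls_failures:
                nxt = State.IDLE  # assumed: stop retrying after repeated failures
        self.trace.append(f"{self.state.name} -> {nxt.name} on {event.name}")
        self.state = nxt
        return True

    def send_join_request(self) -> bool:
        """A Join Request only goes out over an established DTLS session,
        i.e. once the machine has reached JOIN. Returns True if it was sent."""
        if self.state is not State.JOIN:
            self.trace.append(f"{self.state.name}: Join Request blocked, DTLS not established")
            return False
        self.trace.append("JOIN: Join Request sent over DTLS")
        return True


def run_happy_path():
    """Returns (join attempted too early?, join sent after DTLS?, final state)."""
    w = WtpStartup()
    w.handle(Event.START)
    w.handle(Event.DISCOVERY_RESPONSE)
    premature = w.send_join_request()      # blocked: still in DTLS_ESTABLISHMENT
    w.handle(Event.DTLS_ESTABLISHED)
    return premature, w.send_join_request(), w.state


def run_failure_path():
    """Returns (state after first DTLS failure, state after the limit is hit)."""
    w = WtpStartup(max_dtls_failures=2)
    w.handle(Event.START)
    w.handle(Event.DISCOVERY_RESPONSE)
    w.handle(Event.DTLS_FAILED)            # back to DISCOVER, try another AC
    after_first = w.state
    w.handle(Event.DISCOVERY_RESPONSE)
    w.handle(Event.DTLS_FAILED)            # limit reached: give up, back to IDLE
    return after_first, w.state


if __name__ == "__main__":
    print(run_happy_path())
    print(run_failure_path())
```

The guard in send_join_request is the whole point of the proposed state: without an explicit DTLS Establishment state there is no place in the machine that says "handshake started but not finished", so an implementation has to track that with a side flag or risk sending Join traffic before the session protecting it exists.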