Network Working Group                                          B. O'Hara
Request for Comments: 3990                                    P. Calhoun
Category: Informational                                        Airespace
                                                                J. Kempf
                                                         Docomo Labs USA
                                                           February 2005
        
Network Working Group                                          B. O'Hara
Request for Comments: 3990                                    P. Calhoun
Category: Informational                                        Airespace
                                                                J. Kempf
                                                         Docomo Labs USA
                                                           February 2005
        

Configuration and Provisioning for Wireless Access Points (CAPWAP) Problem Statement

无线接入点(CAPWAP)的配置和设置问题陈述

Status of This Memo

关于下段备忘

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

Abstract

摘要

This document describes the Configuration and Provisioning for Wireless Access Points (CAPWAP) problem statement.

本文档介绍无线接入点(CAPWAP)的配置和设置问题说明。

1. Introduction
1. 介绍

With the approval of the 802.11 standard by the IEEE in 1997, wireless LANs (WLANs) began a slow entry into enterprise networks. The limited data rates of the original 802.11 standard, only 1 and 2 Mbps, limited the widespread adoption of the technology. 802.11 found wide deployment in vertical applications, such as inventory management, point of sale, and transportation management. Pioneering enterprises began to deploy 802.11, mostly for experimentation.

随着IEEE于1997年批准802.11标准,无线局域网(WLAN)开始缓慢地进入企业网络。原始802.11标准的有限数据速率(仅为1和2Mbps)限制了该技术的广泛采用。802.11在垂直应用中得到广泛部署,如库存管理、销售点和运输管理。先锋企业开始部署802.11,主要用于试验。

In 1999, the IEEE approved the 802.11a and 802.11b amendments to the base standard, increasing the available data rate to 54 and 11 Mbps, respectively, and expanding to a new radio band. This removed one of the significant factors holding back adoption of 802.11 in large enterprise networks. These large deployments were bound by the definition and functionality of an 802.11 Access Point (AP), as described in the 802.11 standard. The techniques required extensive use of layer 2 bridging and widespread VLANs to ensure the proper operation of higher layer protocols. Deployments of 802.11 WLANs as large as several thousand APs have been described.

1999年,IEEE批准了对基本标准的802.11a和802.11b修正案,将可用数据速率分别提高到54和11Mbps,并扩展到新的无线电频段。这消除了阻碍在大型企业网络中采用802.11的一个重要因素。这些大型部署受802.11接入点(AP)的定义和功能的约束,如802.11标准所述。这些技术需要广泛使用第2层桥接和广泛的VLAN,以确保更高层协议的正确运行。已经描述了多达数千个接入点的802.11无线局域网的部署。

Large deployments of 802.11 WLANs have introduced several problems that require solutions. The limitations on the scalability of bridging should come as no surprise to the networking community, as similar limitations arose in the early 1980s for wired network bridging during the expansion and interconnection of wired local area networks. This document will describe the problems introduced by the large-scale deployment of 802.11 WLANs in enterprise networks.

802.11无线局域网的大规模部署带来了一些需要解决的问题。桥接可扩展性的限制对于网络社区来说并不奇怪,因为在有线局域网的扩展和互连过程中,有线网络桥接在20世纪80年代早期出现了类似的限制。本文档将描述在企业网络中大规模部署802.11无线局域网所带来的问题。

2. Problem Statement
2. 问题陈述

Large WLAN deployments introduce several problems. First, each AP is an IP-addressable device requiring management, monitoring, and control. Deployment of a large WLAN will typically double the number of network infrastructure devices that require management. This presents a significant additional burden to the network administration resources and is often a hurdle to adoption of wireless technologies, particularly because the configuration of each access point is nearly identical to the next. This near-sameness often leads to misconfiguration and improper operation of the WLAN.

大型WLAN部署会带来几个问题。首先,每个AP都是需要管理、监视和控制的IP可寻址设备。部署大型WLAN通常会使需要管理的网络基础设施设备数量增加一倍。这给网络管理资源带来了巨大的额外负担,并且通常是采用无线技术的障碍,特别是因为每个接入点的配置几乎与下一个相同。这种近乎相同的特性通常会导致WLAN的配置错误和操作不当。

Second, distributing and maintaining a consistent configuration throughout the entire set of access points in the WLAN is problematic. Access point configuration consists of both long-term static information (such as addressing and hardware settings) and more dynamic provisioning information (such as individual WLAN settings and security parameters). Large WLAN installations that have to update dynamic provisioning information in all the APs in the WLAN require a prolonged phase-over time. As each AP is updated, the WLAN will not have a single, consistent configuration.

其次,在WLAN中的整个接入点集合中分布和维护一致的配置是有问题的。接入点配置包括长期静态信息(如寻址和硬件设置)和更多动态资源调配信息(如单个WLAN设置和安全参数)。大型WLAN安装必须更新WLAN中所有AP中的动态资源调配信息,这需要一段时间的延长。随着每个AP的更新,WLAN将不会有单一的、一致的配置。

Third, dealing effectively with the dynamic nature of the WLAN medium itself is difficult. Due to the shared nature of the wireless medium (shared with APs in the same WLAN, with APs in other WLANs, and with devices that are not APs at all), parameters controlling the wireless medium on each AP must be monitored frequently and modified in a coordinated fashion to maximize WLAN performance. This must be coordinated among all the access points, to minimize the interference of one access point with its neighbors. Manually monitoring these metrics and determining a new, optimum configuration for the parameters related to the wireless medium is a task that takes significant time and effort.

第三,有效处理WLAN媒体本身的动态特性是困难的。由于无线介质的共享性质(与同一WLAN中的AP共享,与其他WLAN中的AP共享,以及与根本不是AP的设备共享),因此必须经常监控并以协调的方式修改每个AP上控制无线介质的参数,以最大化WLAN性能。这必须在所有接入点之间进行协调,以最小化一个接入点与其邻居的干扰。手动监控这些指标并确定与无线媒体相关的参数的新的最佳配置是一项需要花费大量时间和精力的任务。

Fourth, securing access to the network and preventing installation of unauthorized access points is challenging. Physical locations for access points are often difficult to secure since their location must often be outside of a locked network closet or server room. Theft of an access point, with its embedded secrets, allows a thief to obtain access to the resources secured by those secrets.

第四,保护对网络的访问并防止安装未经授权的接入点是一项挑战。接入点的物理位置通常很难确保安全,因为它们的位置通常必须位于锁定的网络机柜或服务器机房之外。盗取带有嵌入秘密的接入点,允许窃贼访问这些秘密所保护的资源。

Recently, to address some, or all, of the above problems, multiple vendors have begun offering proprietary solutions that combine aspects of network switching, centralized control and management, and distributed wireless access in a variety of new architectures. Since interoperable solutions allow enterprises and service providers a broader choice, a standardized, interoperable interface between access points and a centralized controller addressing the problems seems desirable.

最近,为了解决上述部分或全部问题,多家供应商已经开始提供专有解决方案,这些解决方案结合了网络交换、集中控制和管理以及各种新体系结构中的分布式无线接入等方面。由于可互操作的解决方案允许企业和服务提供商有更广泛的选择,因此在接入点和解决问题的集中控制器之间建立一个标准化、可互操作的接口似乎是可取的。

In currently fielded devices, the physical portions of this network system are one or more 802.11 access points (APs) and one or more central control devices, alternatively described as controllers (or as access controllers, ACs). Ideally, a network designer would be able to choose one or more vendors for the APs and one or more vendors for the central control devices in sufficient numbers to design a network with 802.11 wireless access to meet the designer's requirements.

在当前部署的设备中,该网络系统的物理部分是一个或多个802.11接入点(AP)和一个或多个中央控制设备,或者称为控制器(或访问控制器,ACs)。理想情况下,网络设计师将能够选择一个或多个APs供应商和一个或多个中央控制设备供应商(数量足够),以设计具有802.11无线接入的网络,以满足设计师的要求。

Current implementations are proprietary and are not interoperable. This is due to a number of factors, including the disparate architectural choices made by the various manufacturers. A taxonomy of the architectures employed in the existing products in the market will provide the basis of an output document to be provided to the IEEE 802.11 Working Group. This taxonomy will be utilized by the 802.11 Working Group as input to their task of defining the functional architecture of an access point. The functional architecture, including descriptions of detailed functional blocks, interfaces, and information flow, will be reviewed by CAPWAP to determine if further work is necessary to apply or develop standard protocols providing for multi-vendor interoperable implementations of WLANs built from devices that adhere to the newly appearing hierarchical architecture using a functional split between an access point and an access controller.

当前的实现是专有的,不可互操作。这是由许多因素造成的,包括不同制造商做出的不同的体系结构选择。市场上现有产品中采用的体系结构分类将为提供给IEEE 802.11工作组的输出文件提供基础。802.11工作组将使用该分类法作为其定义接入点功能架构任务的输入。功能架构,包括详细功能块、接口和信息流的描述,将由CAPWAP审查,以确定是否需要进一步的工作来应用或开发标准协议,以提供多供应商可互操作的无线局域网实现,该无线局域网由遵守新出现的分层体系结构的设备构建,使用接入点和接入控制器之间的功能划分。

3. Security Considerations
3. 安全考虑

The devices used in WLANs control network access and provide for the delivery of packets between hosts using the WLAN and other hosts on the WLAN or elsewhere on the Internet. Therefore, the functions for control and provisioning of wireless access points, require protection to prevent misuse of the devices.

WLAN中使用的设备控制网络访问,并提供在使用WLAN的主机和WLAN上或互联网上其他地方的其他主机之间传送数据包的功能。因此,控制和提供无线接入点的功能需要保护,以防止设备误用。

Confidentiality, integrity, and authenticity requirements should address central management, monitoring, and control of wireless access points that should be addressed. Once an AP and AC have been authenticated to each other, a single level of authorization allowing monitoring, control, and provisioning may not be sufficient. The requirement for more than a single level of authorization should be

保密性、完整性和真实性要求应解决无线接入点的集中管理、监控和控制问题。一旦AP和AC相互认证,允许监视、控制和资源调配的单一授权级别可能不够。应满足不止一个授权级别的要求

determined. Physical security should also be addressed for those devices that contain sensitive security parameters that might compromise the security of the system, if those parameters were to fall into the hands of an attacker.

决心对于那些包含敏感安全参数的设备,如果这些参数落入攻击者手中,则还应解决物理安全问题,这些参数可能会危及系统的安全。

To provide comprehensive radio coverage, APs are often installed in locations that are difficult to secure. The CAPWAP architecture may reduce the consequences of a stolen AP. If high-value secrets, such as a RADIUS shared secret, are stored in the AC, then the physical loss of an AP does not compromise these secrets. Further, the AC can easily be located in a physically secure location. Of course, concentrating all the high-value secrets in one place makes the AC an attractive target, and strict physical, procedural, and technical controls are needed to protect the secrets.

为了提供全面的无线电覆盖,AP通常安装在难以安全的位置。CAPWAP体系结构可以减少AP被盗的后果。如果高价值机密(如RADIUS共享机密)存储在AC中,则AP的物理丢失不会泄露这些机密。此外,AC可以容易地位于物理安全位置。当然,将所有高价值机密集中在一个地方会使AC成为一个有吸引力的目标,需要严格的物理、程序和技术控制来保护这些机密。

Authors' Addresses

作者地址

Bob O'Hara Airespace 110 Nortech Parkway San Jose, CA 95134

Bob O'Hara Airespace 110 Nortech Parkway San Jose,加利福尼亚州95134

   Phone: +1 408-635-2025
   EMail: bob@airespace.com
        
   Phone: +1 408-635-2025
   EMail: bob@airespace.com
        

Pat R. Calhoun Airespace 110 Nortech Parkway San Jose, CA 95134

帕特R.卡尔霍恩航空空间110诺特公园路圣何塞,加利福尼亚州95134

   Phone: +1 408-635-2000
   EMail: pcalhoun@airespace.com
        
   Phone: +1 408-635-2000
   EMail: pcalhoun@airespace.com
        

James Kempf Docomo Labs USA 181 Metro Drive, Suite 300 San Jose, CA 95110

詹姆斯·肯普夫·多科莫实验室美国加利福尼亚州圣何塞市地铁路181号300室95110

   Phone: +1 408 451 4711
   EMail: kempf@docomolabs-usa.com
        
   Phone: +1 408 451 4711
   EMail: kempf@docomolabs-usa.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2005).

版权所有(C)互联网协会(2005年)。

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Intellectual Property

知识产权

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关IETF文件中权利的IETF程序信息,请参见BCP 78和BCP 79。

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。