Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[STDS-802-11-ARC] Group addressed downlink traffic, and the Controlled Port

--- This message came from the IEEE 802.11 ARC Reflector ---

All, (especially security experts):


I have a question/suggestion about the “IEEE 802.1X Controlled and Uncontrolled Port Filtering (optional)” component, at the top of the stack in Figure 5-1, et al.  For this discussion, I’m focused on downlink traffic only, to keep it simple (for now).


  • For downlink traffic, the 802.1X filtering, and the concept of Controlled and Uncontrolled Port, as far as I can tell, applies only to directed traffic (DA is not a group address).  That is, all group addressed traffic will always be permitted through the controlled port, and there is no concept of the controlled port being “open” or not, to such traffic.  Any disagreement with that, or something I’m missing?


NB: The 802.1X filtering block applies to MSDUs (being at the top of the stack), so this is all with reference only to the DA, not the RA, so we can ignore special cases like GLK, DMS, etc.


Should we perhaps add something (maybe in 5th paragraph) to be clear that the port blocking/unblocking applies only to directed (downlink) MSDUs? 


Or, alternatively, should we add/clarify a view that the concept of controlled/uncontrolled port is replicated for each peer STA, and as such applies only to traffic directed to/received from that peer, and therefore (downlink) group address traffic is exempt?  This approach might be more accurate and clean up other confusion about the nature of the Authenticator/Supplicant, etc., if we also clarify that due to 802.11 being a “multi-drop” (shared medium) network, it is a little more complicated to discuss a port-based facility like 802.1X when applied to 802.11?




By the way, my thinking here was triggered by discussion ongoing in TGbc about how to handle group addressed traffic that will not follow the group frame protection in an RSN.  If it is correct that downlink group addressed traffic is exempt from 802.1X processing, their scenario(s) will be much simpler to describe.


Thanks.  Mark

To unsubscribe from the STDS-802-11-ARC list, click the following link: