
Re: [STDS-802-11-TGBN] LB291 CR Request: MAPC security part 2



Hi Mike,

Merry Christmas eve.


Thanks for the high-level comments. Unfortunately, I fail to recognize the relevant CIDs on the following comments. And thus I just share some high-level response.

The MAPC network topology is quite different from the traditional infrastructure network, e.g. MAPC APs may have the backhaul connection, may belong to the members of different ESS, may be associated with the same remote Radius server. All the cases we need to consider when we design the security model for MAPC, and the threat model we face.

1) MAPC PASN is still the optional procedure for MAPC framework in baseline, as all the MAPC relevant MGMT frames can be exchanged via the backhaul, we don't need additional protection.

2) The Protected Negotiations Required flag is included in the MAPC discovery frame in baseline, which will force the two APs to generate PTK before MAPC negotiation establishment if it's set to 1.


Let's move forward based on the simple approach, which will be easier to be accepted by the Market. For the new ideas, welcome to present it in TGbn or WNG.

Also, if you find any use case missing mentioned on one special CID, we can dedicate the discussion on it.



Thanks


Best Regards


Jay Yang (杨志杰)



Original
From: MMontemurro <montemurro.michael@xxxxxxxxx>
To: STDS-802-11-TGBN@xxxxxxxxxxxxxxxxx <STDS-802-11-TGBN@xxxxxxxxxxxxxxxxx>;
Date: December 22, 2025 23:47
Subject: Re: [STDS-802-11-TGBN] LB291 CR Request: MAPC security part 2
Hi Jay,

Thanks for this and all of your work in this area. However I fail to see why the majority of this work even needs to be done as part of the 802.11bn amendment. 

If you look at the baseline and the amendments that precede P802.11bn, all the protocols needed to establish a secure MAPC session are in place. 

The only difference between MAPC and traditional infrastructure association or even PASN is that:
- the APs that enter a MAPC agreement are peers that are operating one or more BSSs
- the security required for a MAPC agreement is likely different from the security to gain network access.

The only work that needs to be done in P802.11bn is as follows:
- The MAPC discovery frames need to include the security requirements associated with MAPC agreements.
- MAPC authentication does not need to use Authentication frames, all it needs to do is to create an element to carry authentication frame contents in the MAPC Session establishment frames.
- MAPC needs to can either reference existing key derivations

The bottom line is that MAPC PASN is not required at all. You need MAPC Authentication and the authentication type could be PASN.

Cheers,

Mike


On Wed, Dec 10, 2025 at 7:21 PM Jay Yang <yang.zhijie@xxxxxxxxxx> wrote:

Dear MAPC Security TTTs and all,


CR for CIDs on MAPC security part 2 is already on the mentor, please help review it. (https://mentor.ieee.org/802.11/dcn/25/11-25-1860-00-00bn-lb291-cr-for-cids-on-mapc-security-part2.docx)


Dear Alfred,


Could you help put it (11-25/1860r0 CR for CIDs on MAPC Security part 2) to the MAC agenda (topic: Security)? It's expected to be presented in the ad-hoc hybrid session.



Thanks


Best Regards


Jay Yang (杨志杰)




To unsubscribe from the STDS-802-11-TGBN list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBN&A=1

