802.11w applies to robust management frames protected by Protected Management Frame (PMF).
Wireless environment includes:
- Rogues
- Susceptible to eavesdropping
- Data traffic is usually encrypted
- Management frame is usually unencrypted
The goal of 802.11w is to protect management frames from forgery or spoofing.
I see it all the time in San Francisco. Deauthentication attacks coming left, right, and center from neighboring wireless networks.
802.11w secures deauthentication and disassociation frames from spoofing to prevent DoS attacks.
Features defined for an RSNA include enhanced cryptographic encapsulation mechanisms for robust Management frames.
Robust management frames are:
- Disassociation
- Deauthentication
- Action frames
Protected robust management frames received by stations that do not support 802.11w are discarded.
Key to 802.11w is data origin authenticity: being able to guarantee the authenticity of the origin of a received protected management frame. This helps prevent spoofing or masquerading by another station or AP.
Within the frame control field is a Protected Frame field. When management frame protection is enabled, the Protected Frame field is set to 1.
A network can advertise that it is Management Frame Protection Capable (MFPC) or Management Frame Protection Required (MFPR).
If the AP is MFPR but the client is not capable, the AP will reject the association with a status code of Robust Management Frame Protection Violation.
An AP broadcasting MFPC indicates MFP is enabled.
Broadcast/multicast integrity protocol (BIP) provides data integrity and replay protection for group addressed management frames. It is negotiated after the IGTKSA.
MFP applies to multicast/broadcast. Frames are encapsulated and protected using an MGTK.
The BIP is identified in the RSN Information Element under Group Management Cipher Suite.
Any frames received without BIP protection are discarded.

How does this look implemented? In my network I have an AP broadcasting an SSID, Clear To Send. Without Management Frame Protection required, it is susceptible to a DoS attack. Within the RSN Information Element, Management Frame Protection Required and Management Frame Protection Capable are set to No.
With another wireless system, I enable containment on my Clear To Send SSID and can gather the deauthentication frames via frame capture. Noticeably, I am disconnected from my network.

Next, I enable Protected Management Frame on my Clear To Send wireless network. With it enabled, the RSN Information Element changes: Management Frame Protection Required and Management Frame Protection Capable are both set to Yes.

With containment still occurring, I am successful in joining my wireless network without being disconnected due to deauthentication frames.
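To audit the same two bits across many beacons instead of reading them one at a time in a capture, the following added example (not part of the original post) parses a raw RSN Information Element and reports MFPC, MFPR and the Group Management Cipher Suite. The function names and the sample element bytes are constructed for illustration.

```python
import struct

# Group management cipher suite types under OUI 00-0F-AC (the BIP family).
BIP_SUITES = {6: "BIP-CMAC-128", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}

def parse_rsn_pmf(ie: bytes) -> dict:
    """Read MFPC/MFPR and the group management cipher from one RSN element (ID 48)."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 2  # pos starts past the 2-byte version field
    out = {"mfpc": False, "mfpr": False, "group_mgmt_cipher": None}

    def take(n):
        # Every field after the version is optional; None means absent or truncated.
        nonlocal pos
        if pos + n > len(body):
            return None
        pos += n
        return body[pos - n:pos]

    def skip_list(item_len):
        # A list is a 2-byte little-endian count followed by count * item_len bytes.
        count = take(2)
        return count is not None and take(item_len * struct.unpack("<H", count)[0]) is not None

    if take(4) is None or not skip_list(4) or not skip_list(4):  # group data, pairwise, AKM
        return out
    caps = take(2)
    if caps is None:
        return out
    bits = struct.unpack("<H", caps)[0]
    out["mfpr"] = bool(bits & 0x0040)  # RSN Capabilities bit 6
    out["mfpc"] = bool(bits & 0x0080)  # RSN Capabilities bit 7
    suite = take(4) if skip_list(16) else None  # PMKID list, then group management suite
    if suite is not None and suite[:3] == b"\x00\x0f\xac":
        out["group_mgmt_cipher"] = BIP_SUITES.get(suite[3], "unknown")
    elif suite is None and out["mfpc"]:
        out["group_mgmt_cipher"] = "BIP-CMAC-128"  # 802.11 default when the field is omitted
    return out

def pmf_posture(ie: bytes) -> str:
    r = parse_rsn_pmf(ie)
    return "required" if r["mfpr"] else "capable" if r["mfpc"] else "disabled"

# Constructed RSN elements (not taken from the page's sample capture).
PMF_OFF = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
PMF_REQUIRED = bytes.fromhex("301a0100000fac040100000fac040100000fac06c0000000000fac06")

if __name__ == "__main__":
    for name, ie in (("PMF_OFF", PMF_OFF), ("PMF_REQUIRED", PMF_REQUIRED)):
        print(name, pmf_posture(ie), parse_rsn_pmf(ie))
```

A result of "disabled" corresponds to the first capture above, where deauthentication frames are accepted unauthenticated; "required" corresponds to the second.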
Links & Resources
- Samsung Flagship 802.11ax phones
- Sample frame capture
  - Look at the RSN IE for the beacon frame
  - Notice the signal strength of the beacon frame
  - Then take a look at the deauthentication frames from the same BSSID & its signal strength
- Wireshark Cheat Sheet
Thanks, Rowell
It's very useful, Rowell... thanks a lot for sharing on the CTS podcast.
Thank you Prashant!
Very useful, thank you very much.
Glad you found it useful!