CTS 158: 802.11w – Management Frame Protection

802.11w applies to robust management frames protected by Protected Management Frame (PMF).

Wireless environment includes:

  • Rogues
  • Susceptible to eavesdropping
  • Data traffic is usually encrypted
  • Management frame is usually unencrypted

Goal of 802.11w is to protect management frames from forgery or spoofing.

I see it all the time in San Francisco. Deauthentication attacks coming left, right, and center from neighboring wireless networks.

802.11w secures deauthentication and disassociation frames from spoofing to prevent DoS attacks.

Features defined for an RSNA include enhanced cryptographic encapsulation mechanisms for robust Management frames.

Robust management frames are:

  • Disassociation
  • Deauthentication
  • Action frames

Protected robust management frames received by stations that do not support 802.11w are discarded.

Key to 802.11w is data origin authenticity: being able to guarantee the authenticity of the origin of a received protected management frame. This helps prevent spoofing or masquerading by another station or AP.

Within the frame control field is a Protected Frame field. When management frame protection is enabled, the Protected Frame field is set to 1.

An AP may advertise a network as Management Frame Protection Capable (MFPC) or Management Frame Protection Required (MFPR).

If the AP is MFPR but the client is not capable, the AP will reject the association with a status code of Robust Management Frame Protection Violation.

An AP broadcasting MFPC indicates MFP is enabled.

Broadcast/multicast integrity protocol (BIP) provides data integrity and replay protection for group addressed management frames. It is negotiated after the IGTKSA.

MFP applies to multicast/broadcast. Frames are encapsulated and protected using an MGTK.

The BIP cipher is identified in the RSN Information Element under Group Management Cipher Suite.

Any frames received without BIP protection are discarded.

BIP within the RSN IE at the bottom of the screenshot

How does this look implemented? In my network I have an AP broadcasting an SSID, Clear To Send. Without Management Frame Protection required, it is susceptible to a DoS attack. Within the RSN Information Element, Management Frame Protection Required and Management Frame Protection Capable are set to No.

With another wireless system, I enable containment on my Clear To Send SSID and can gather the deauthentication frames via frame capture. Noticeably, I am disconnected from my network.

Management Frame Protection not set within the RSN IE

Next, I enable Protected Management Frame on my Clear To Send wireless network. With it enabled, the RSN Information Element is changed to Management Frame Protection Required and Management Frame Protection Capable of Yes.

Management Frame Protection enabled and required

With containment still occurring, I am successful in joining my wireless network without being disconnected due to deauthentication frames.
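To make the two captures concrete, here is an added example (not code from the original post) that parses the RSN Information Element, reads the MFPC/MFPR bits from its RSN Capabilities field and the Group Management Cipher Suite (BIP), and applies the association rule described above. The RSN elements are constructed inline to mirror the before and after captures; the suite-type table and the `association_outcome` helper are assumptions for illustration.

```python
import struct

# RSN Capabilities bits in the RSN element (element ID 48)
MFPR = 1 << 6   # Management Frame Protection Required
MFPC = 1 << 7   # Management Frame Protection Capable
IEEE_OUI = b"\x00\x0f\xac"
SUITES = {4: "CCMP-128", 6: "BIP-CMAC-128", 11: "BIP-GMAC-128"}  # subset, for display only

def parse_rsn_ie(ie):
    """Return MFP capability bits and the group management cipher from an RSN element."""
    if len(ie) < 2 or ie[0] != 0x30 or len(ie) != ie[1] + 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    pos = 2 + 4                                            # version, group data cipher suite
    (n,) = struct.unpack_from("<H", body, pos); pos += 2 + 4 * n   # pairwise cipher suites
    (n,) = struct.unpack_from("<H", body, pos); pos += 2 + 4 * n   # AKM suites
    (caps,) = struct.unpack_from("<H", body, pos); pos += 2        # RSN Capabilities
    result = {"mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR), "group_mgmt_cipher": None}
    if pos + 2 <= len(body):                               # optional PMKID list
        (n,) = struct.unpack_from("<H", body, pos); pos += 2 + 16 * n
    if pos + 4 <= len(body):                               # optional Group Management Cipher Suite
        oui, stype = body[pos:pos + 3], body[pos + 3]
        if oui == IEEE_OUI:
            result["group_mgmt_cipher"] = SUITES.get(stype, f"suite type {stype}")
    return result

def association_outcome(ap, sta):
    """Assumed helper: apply the MFPR/MFPC rule to parsed AP and client RSN capabilities."""
    if ap["mfpr"] and not sta["mfpc"]:
        return "rejected: Robust Management Frame Protection Violation"
    if ap["mfpc"] and sta["mfpc"]:
        return "associated with management frame protection"
    return "associated without management frame protection"

def build_rsn_ie(caps, group_mgmt=None):
    """Construct a minimal RSN element (CCMP-128, PSK) with the given capability bits."""
    body = struct.pack("<H", 1) + IEEE_OUI + b"\x04"       # version 1, group data cipher CCMP-128
    body += struct.pack("<H", 1) + IEEE_OUI + b"\x04"      # one pairwise suite: CCMP-128
    body += struct.pack("<H", 1) + IEEE_OUI + b"\x02"      # one AKM suite: PSK
    body += struct.pack("<H", caps)
    if group_mgmt is not None:                             # empty PMKID list, then BIP suite
        body += struct.pack("<H", 0) + IEEE_OUI + bytes([group_mgmt])
    return bytes([0x30, len(body)]) + body

# Constructed elements mirroring the two captures: MFP off, then MFP capable and required with BIP-CMAC-128
AP_NO_MFP = build_rsn_ie(0)
AP_MFP_REQUIRED = build_rsn_ie(MFPC | MFPR, group_mgmt=6)
LEGACY_CLIENT = build_rsn_ie(0)   # a client that does not support 802.11w
```

Running `association_outcome(parse_rsn_ie(AP_MFP_REQUIRED), parse_rsn_ie(LEGACY_CLIENT))` reproduces the rejection for a non-capable client, while the same client associates unprotected against `AP_NO_MFP`.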