Protected WLAN (802.11 and hidden SSID)

Mon May 23 16:18:24 UTC 2011

On Monday 23 May 2011 16:03:42 Genes MailLists wrote:
>  (sorry I lost the threading info ... )
> 
> > Time Smith wrote:
> 
> > Late to the party, but just for useful information, disabling SSID
> > broadcast is NOT a violation of of 802.11 :-) It's mandatory to put
> > the SSID information element in your beacons, but there's nothing
> > that says you have to tell the truth, and likewise no explicit
> > prohibition against including multiple SSID
> 
> 
>   Thanks for clarifying - I suppose this is the relevant section (8.4.2
> in 802.11i):
> 
> > > The STA’s IEEE 802.11 management entity shall utilize the
> MLME-SCAN.request primitive to identify
> > neighboring STAs that assert robust security and advertise an SSID 
identifying an authorized ESS or IBSS.
> > A STA may decline to communicate with STAs that fail to advertise an RSN 
information element in their
> > Beacon and Probe Response frames or that do not advertise an authorized 
SSID. A STA may also decline to
> > communicate with other STAs that do not advertise authorized 
authentication and cipher suites within their
> > RSN information elements.
> >
> > A STA shall advertise the same RSN information element in both its 
Beacon and Probe Response frames.
> >
> 
>   Kinda reads like in fact it does require the beacon to tell the truth
> ... and therefore that the SSID must indeed be in beacon and be the same
> as in the probe response ... but perhaps others can parse this document
> better than me .. :-)
>
>   The above to me, reads like it violates 802.11 not to have the SSID in
> the beacon ... and as a consequence clients may 'decline to communicate'
> with an AP which does not.
> 

Actually, it says the RSN IE must be the same in Probe Responses and 
Beacons.

When it talks about SSID IEs, however, it isn't mentioning Probe Response or 
Beacon explicity, but uses the weasel phrase "or that do not advertise an 
authorised SSID" without specifying *HOW* that SSID is to be advertised :-)
Also note the "an authorised SSID" in the sense of "at least one".

I can "advertise an authorised SSID" in selected Probe Responses only when 
the Probe Request contained that SSID and satisfy that requirement[1].

7.2.3.1 in the 11N spec makes SSID IE *presence* mandatory in beacons by not 
explicitly noting it as optional, but it still doesn't prescribe its 
contents...

As a practical matter, it doesn't make sense to have different RSN IEs for 
different SSIDs on the same BSSID, since there's no way to do a selective 
group key update within a BSS.

>   Course this could also have been superceded by 802.11zzzZZzzz :-)

It's pretty much the same in the 11n spec. I don't expect it to change 
much...

[1] Yes, I do 802.11 for my day job. Yes, interop can be a nightmare.

-- 
But while the ant gathered food, the grasshopper contracted to a point on a 
manifold that was NOT a 3-sphere...