Protected WLAN (802.11 and hidden SSID)
Tim Smith
tim at electronghost.co.uk
Mon May 23 16:18:24 UTC 2011
On Monday 23 May 2011 16:03:42 Genes MailLists wrote:
> (sorry I lost the threading info ... )
>
> > Time Smith wrote:
>
> > Late to the party, but just for useful information, disabling SSID
> > broadcast is NOT a violation of of 802.11 :-) It's mandatory to put
> > the SSID information element in your beacons, but there's nothing
> > that says you have to tell the truth, and likewise no explicit
> > prohibition against including multiple SSID
>
>
> Thanks for clarifying - I suppose this is the relevant section (8.4.2
> in 802.11i):
>
> > > The STA’s IEEE 802.11 management entity shall utilize the
> MLME-SCAN.request primitive to identify
> > neighboring STAs that assert robust security and advertise an SSID
identifying an authorized ESS or IBSS.
> > A STA may decline to communicate with STAs that fail to advertise an RSN
information element in their
> > Beacon and Probe Response frames or that do not advertise an authorized
SSID. A STA may also decline to
> > communicate with other STAs that do not advertise authorized
authentication and cipher suites within their
> > RSN information elements.
> >
> > A STA shall advertise the same RSN information element in both its
Beacon and Probe Response frames.
> >
>
> Kinda reads like in fact it does require the beacon to tell the truth
> ... and therefore that the SSID must indeed be in beacon and be the same
> as in the probe response ... but perhaps others can parse this document
> better than me .. :-)
>
> The above to me, reads like it violates 802.11 not to have the SSID in
> the beacon ... and as a consequence clients may 'decline to communicate'
> with an AP which does not.
>
Actually, it says the RSN IE must be the same in Probe Responses and
Beacons.
When it talks about SSID IEs, however, it isn't mentioning Probe Response or
Beacon explicity, but uses the weasel phrase "or that do not advertise an
authorised SSID" without specifying *HOW* that SSID is to be advertised :-)
Also note the "an authorised SSID" in the sense of "at least one".
I can "advertise an authorised SSID" in selected Probe Responses only when
the Probe Request contained that SSID and satisfy that requirement[1].
7.2.3.1 in the 11N spec makes SSID IE *presence* mandatory in beacons by not
explicitly noting it as optional, but it still doesn't prescribe its
contents...
As a practical matter, it doesn't make sense to have different RSN IEs for
different SSIDs on the same BSSID, since there's no way to do a selective
group key update within a BSS.
> Course this could also have been superceded by 802.11zzzZZzzz :-)
It's pretty much the same in the 11n spec. I don't expect it to change
much...
[1] Yes, I do 802.11 for my day job. Yes, interop can be a nightmare.
--
But while the ant gathered food, the grasshopper contracted to a point on a
manifold that was NOT a 3-sphere...
More information about the users
mailing list