| Hai Shalom | 021b0b5 | 2019-04-10 11:17:58 -0700 | [diff] [blame] | 1 | hostapd, wpa_supplicant and the Multi-AP Specification |
| 2 | ====================================================== |
| 3 | |
| 4 | This document describes how hostapd and wpa_supplicant can be configured to |
| 5 | support the Multi-AP Specification. |
| 6 | |
| 7 | Introduction to Multi-AP |
| 8 | ------------------------ |
| 9 | |
| 10 | The Wi-Fi Alliance Multi-AP Specification is the technical specification for |
| 11 | Wi-Fi CERTIFIED EasyMesh(TM) [1], the Wi-Fi Alliance® certification program for |
| 12 | Multi-AP. It defines control protocols between Wi-Fi® access points (APs) to |
| 13 | join them into a network with centralized control and operation. It is targeted |
| 14 | only at routers (repeaters, gateways, ...), not at clients. Clients are not |
| 15 | involved at all in the protocols. |
| 16 | |
| 17 | Most of the Multi-AP specification falls outside of the scope of |
| 18 | hostapd/wpa_supplicant. hostapd/wpa_supplicant is only involved for the items |
| 19 | summarized below. The rest of the protocol must be implemented by a separate |
| 20 | daemon, e.g., prplMesh [2]. That daemon also needs to communicate with hostapd, |
| 21 | e.g., to get a list of associated clients, but this can be done using the normal |
| 22 | hostapd interfaces. |
| 23 | |
| 24 | hostapd/wpa_supplicant needs to be configured specifically to support: |
| 25 | - the WPS onboarding process; |
| 26 | - configuring backhaul links. |
| 27 | |
| 28 | The text below refers to "Multi-AP Specification v1.0" [3]. |
| 29 | |
| 30 | |
| 31 | Fronthaul and backhaul links |
| 32 | ---------------------------- |
| 33 | |
| 34 | In a Multi-AP network, the central controller can configure the BSSs on the |
| 35 | devices that are joined into the network. These are called fronthaul BSSs. |
| 36 | From the point of view of hostapd, there is nothing special about these |
| 37 | fronthaul BSSs. |
| 38 | |
| 39 | In addition to fronthaul BSSs, the controller can also configure backhaul |
| 40 | links. A backhaul link is a link between two access point devices, giving |
| 41 | internet access to access point devices that don't have a wired link. The |
| 42 | Multi-AP specification doesn't dictate this, but typically the backhaul link |
| 43 | will be bridged into a LAN together with (one of) the fronthaul BSS(s) and the |
| 44 | wired Ethernet ports. |
| 45 | |
| 46 | A backhaul link must be treated specially by hostapd and wpa_supplicant. One |
| 47 | side of the backhaul link is configured through the Multi-AP protocol as the |
| 48 | "backhaul STA", i.e., the client side of the link. A backhaul STA is like any |
| 49 | station and is handled appropriately by wpa_supplicant, but two additional |
| 50 | features are required. It must send an additional information element in each |
| 51 | (Re)Association Request frame ([3], section 5.2, paragraph 4). In addition, it |
| 52 | must use 4-address mode for all frames sent over this link ([3], section 14). |
| 53 | Therefore, wpa_supplicant must be configured explicitly as the backhaul STA |
| 54 | role, by setting 'multi_ap_backhaul_sta=1' in the network configuration block |
| 55 | or when configuring the network profile through the control interface. When |
| 56 | 'multi_ap_backhaul_sta=1', wpa_supplicant includes the Multi-AP IE in |
| 57 | (Re)Association Request frame and verifies that it is included in the |
| 58 | (Re)Association Response frame. If it is not, association fails. If it is, |
| 59 | wpa_supplicant sets 4-address mode for this interface through a driver |
| 60 | callback. |
| 61 | |
| 62 | The AP side of the backhaul link is called a "backhaul BSS". Such a BSS must |
| 63 | be handled specially by hostapd, because it must add an additional information |
| 64 | element in each (Re)Association Response frame, but only to stations that have |
| 65 | identified themselves as backhaul stations ([3], section 5.2, paragraph 5-6). |
| 66 | This is important because it is possible to use the same BSS and SSID for |
| 67 | fronthaul and backhaul at the same time. The additional information element must |
| 68 | only be used for frames sent to a backhaul STA, not to a normal STA. Also, |
| 69 | frames sent to a backhaul STA must use 4-address mode, while frames sent to a |
| 70 | normal STA (fronthaul, when it's a fronthaul and backhaul BSS) must use |
| 71 | 3-address mode. |
| 72 | |
| 73 | A BSS is configured in Multi-AP mode in hostapd by setting the 'multi_ap' |
| 74 | configuration option to 1 (backhaul BSS), 2 (fronthaul BSS), or 3 |
| 75 | (simultaneous backhaul and fronthaul BSS). If this option is set, hostapd |
| 76 | parses the Multi-AP information element in the Association Request frame. If the |
| 77 | station is a backhaul STA and the BSS is configured as a backhaul BSS, |
| 78 | hostapd sets up 4-address mode. Since there may be multiple stations connected |
| 79 | simultaneously, and each of them has a different RA (receiver address), a VLAN |
| 80 | is created for each backhaul STA and it is automatically added to a bridge. |
| 81 | This is the same behavior as for WDS, and the relevant option ('bridge' or |
| 82 | 'wds_bridge') applies here as well. |
| 83 | |
| 84 | If 'multi_ap' is 1 (backhaul BSS only), any station that tries to associate |
| 85 | without the Multi-AP information element will be denied. |
| 86 | |
| 87 | If 'multi_ap' is 2 (fronthaul BSS only), any station that tries to associate |
| 88 | with the Multi-AP information element will be denied. That is also the only |
| 89 | difference with 'multi_ap' set to 0: in the latter case, the Multi-AP |
| 90 | information element is simply ignored. |
| 91 | |
| 92 | In summary, this is the end-to-end behavior for a backhaul BSS (i.e., |
| 93 | multi_ap_backhaul_sta=1 in wpa_supplicant on STA, and multi_ap=1 or 3 in |
| 94 | hostapd on AP). Note that point 1 means that hostapd must not be configured |
| 95 | with WPS support on the backhaul BSS (multi_ap=1). hostapd does not check for |
| 96 | that. |
| 97 | |
| 98 | 1. Backhaul BSS beacons do not advertise WPS support (other than that, nothing |
| 99 | Multi-AP specific). |
| 100 | 2. STA sends Authentication frame (nothing Multi-AP specific). |
| 101 | 3. AP sends Authentication frame (nothing Multi-AP specific). |
| 102 | 4. STA sends Association Request frame with Multi-AP IE. |
| 103 | 5. AP sends Association Response frame with Multi-AP IE. |
| 104 | 6. STA and AP both use 4-address mode for Data frames. |
| 105 | |
| 106 | |
| 107 | WPS support |
| 108 | ----------- |
| 109 | |
| 110 | WPS requires more special handling. WPS must only be advertised on fronthaul |
| 111 | BSSs, not on backhaul BSSs, so WPS should not be enabled on a backhaul-only |
| 112 | BSS in hostapd.conf. The WPS configuration purely works on the fronthaul BSS. |
| 113 | When a WPS M1 message has an additional subelement that indicates a request for |
| 114 | a Multi-AP backhaul link, hostapd must not respond with the normal fronthaul |
| 115 | BSS credentials; instead, it should respond with the (potentially different) |
| 116 | backhaul BSS credentials. |
| 117 | |
| 118 | To support this, hostapd has the 'multi_ap_backhaul_ssid', |
| 119 | 'multi_ap_backhaul_wpa_psk' and 'multi_ap_backhaul_wpa_passphrase' options. |
| 120 | When these are set on an BSS with WPS, they are used instead of the normal |
| 121 | credentials when hostapd receives a WPS M1 message with the Multi-AP IE. Only |
| 122 | WPA2-Personal is supported in the Multi-AP specification, so there is no need |
| 123 | to specify authentication or encryption options. For the backhaul credentials, |
| 124 | per-device PSK is not supported. |
| 125 | |
| 126 | If the BSS is a simultaneous backhaul and fronthaul BSS, there is no need to |
| 127 | specify the backhaul credentials, since the backhaul and fronthaul credentials |
| 128 | are identical. |
| 129 | |
| 130 | To enable the Multi-AP backhaul STA feature when it performs WPS, a new |
| 131 | parameter has been introduced to the WPS_PBC control interface call. When this |
| 132 | "multi_ap=1" option is set, it adds the Multi-AP backhaul subelement to the |
| 133 | Association Request frame and the M1 message. It then configures the new network |
| 134 | profile with 'multi_ap_backhaul_sta=1'. Note that this means that if the AP does |
| 135 | not follow the Multi-AP specification, wpa_supplicant will fail to associate. |
| 136 | |
| 137 | In summary, this is the end-to-end behavior for WPS of a backhaul link (i.e., |
| 138 | multi_ap=1 option is given in the wps_pbc call on the STA side, and multi_ap=2 |
| 139 | and multi_ap_backhaul_ssid and either multi_ap_backhaul_wpa_psk or |
| 140 | multi_ap_backhaul_wpa_passphrase are set to the credentials of a backhaul BSS |
| 141 | in hostapd on Registrar AP). |
| 142 | |
| 143 | 1. Fronthaul BSS Beacon frames advertise WPS support (nothing Multi-AP |
| 144 | specific). |
| 145 | 2. Enrollee sends Authentication frame (nothing Multi-AP specific). |
| 146 | 3. AP sends Authentication frame (nothing Multi-AP specific). |
| 147 | 4. Enrollee sends Association Request frame with Multi-AP IE. |
| 148 | 5. AP sends Association Response frame with Multi-AP IE. |
| 149 | 6. Enrollee sends M1 with additional Multi-AP subelement. |
| 150 | 7. AP sends M8 with backhaul instead of fronthaul credentials. |
| 151 | 8. Enrollee sends Deauthentication frame. |
| 152 | |
| 153 | |
| 154 | References |
| 155 | ---------- |
| 156 | |
| 157 | [1] https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh |
| Sunil Ravi | 79e6c4f | 2025-01-04 00:47:06 +0000 | [diff] [blame] | 158 | [2] https://gitlab.com/prpl-foundation/prplmesh/prplMesh |
| Hai Shalom | 021b0b5 | 2019-04-10 11:17:58 -0700 | [diff] [blame] | 159 | [3] https://www.wi-fi.org/file/multi-ap-specification-v10 |
| 160 | (requires registration) |