Using virtual APs to enable coexistence


Lisa Phifer
06.16.2004


Many companies are now transitioning their wireless LANs from weak WEP to 802.1X and TKIP (aka WPA Enterprise). Very soon, they will have the opportunity to upgrade to AES (WPA2). There are clear benefits to strengthening security, but any upgrade requires both careful planning and coexistence of old and new. Virtual access points (APs) can help you provide peaceful coexistence during this transition and beyond.

The challenge

Every WLAN, whether based on 802.11a, b, or g, is identified by a network name, called an Extended Service Set Identifier (ESSID, often shortened to SSID). Stations wanting to connect to a WLAN look for an AP with the desired ESSID. Once a station associates with a given AP, it starts sending traffic to that AP's address, called a Basic Service Set Identifier (BSSID).

APs advertise themselves and their capabilities by sending beacons and probe responses. Beacons and probe responses carry the AP's BSSID, the WLAN's ESSID, supported data rates, and security parameters that indicate WEP and WPA support (if any). A WLAN's security policy is therefore bound to both the ESSID and the BSSID.

Now, suppose that you have a WLAN named "net1." Your APs all share this ESSID and use WEP encryption; stations roam freely between those APs. When you upgrade to WPA, you'll create a new WLAN "net2" that requires TKIP encryption. Upgraded stations will roam within "net2" while older stations will roam within "net1."

Supporting multiple ESSIDs

Most APs send beacons that carry just one ESSID. So how do you provide simultaneous support for both "net1" and "net2"?

You could use two completely independent APs, installing a new AP right next to every existing AP to provide similar coverage for both ESSIDs. But you'll run into contention for channels; there are only so many non-overlapping channels. And you'll have to buy and manage twice as many APs. Not a very pretty picture.

You might use APs that send multiple ESSIDs in every beacon/probe response. Several APs can do that -- primarily enterprise-grade APs. Unfortunately, those frames can't link different capabilities to different ESSIDs. How do stations determine that "net1" uses WEP and "net2" uses WPA? They may end up using the lowest common denominator.

You might use an AP that can send several different beacons, each beacon carrying a unique ESSID. But stations may get confused about the capabilities of the AP if all those beacons emanate from the same BSSID, and overall WLAN performance can suffer.

How virtual APs help

An alternative that's been gaining steam is the "Virtual AP." Here, the AP sends multiple beacons, each beacon carrying a unique ESSID and associated capabilities. However, the AP no longer uses a single BSSID. Instead, it uses a unique BSSID per ESSID.

Like a multi-homed web server that supports virtual domains, each with its own hostname and IP address, a physical AP can now support virtual WLANs, each with its own ESSID and BSSID. The BSSID is still a MAC address that belongs to the AP, but the AP is now reachable through more than one MAC address.

In fact, if this is done right, stations won't even know whether BSSIDs belong to the same AP or several APs. Virtual APs should be transparent to other devices -- the only node with special code is the AP itself.

WPA transition and more

With virtual APs, transitioning from WEP to WPA becomes a matter of adding a second ESSID that requires TKIP to every AP. Transitioning to WPA2 means adding a third ESSID that requires AES. Older stations using WEP, stations purchased today with TKIP, and new stations purchased next year with AES can theoretically all be supported by the same set of APs. (Note this probably won't ever be true for older APs.)

Of course, you'll want your AP to handle traffic sent to/from each ESSID differently. Typically, that's done by applying a different VLAN tag to each ESSID, allowing traffic to be segmented and routed in accordance with local security policy.
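The following Python model ties together the pieces discussed above: the beacon fields a station sees (BSSID, ESSID, channel, security parameters), a physical AP that advertises one BSSID per ESSID, a station that picks the strongest mode it can speak, and a check that every BSSID advertising a given ESSID carries the same security parameters and VLAN, since policy is bound to the ESSID. It is an added example written for this page, not code from the author or from any of the vendors named; the BSSID derivation scheme, the `vlan` field on the beacon object and the security mode strings are assumptions made for illustration, and the scan data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Security parameters advertised in beacons / probe responses, ordered from
# weakest to strongest. The names follow the three generations in the article
# (WEP, WPA with TKIP, WPA2 with AES); the strings themselves are constructed here.
SECURITY_RANK: Dict[str, int] = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-AES": 3}


@dataclass(frozen=True)
class Beacon:
    """The beacon fields the article calls out: BSSID, ESSID, channel, security.
    'vlan' is a hypothetical field standing in for the AP-side VLAN tag applied
    to the ESSID's traffic; it is configuration, never sent over the air."""
    bssid: str
    essid: str
    channel: int
    security: str
    vlan: int


def derive_bssid(base_mac: str, index: int) -> str:
    """Assumption for this example: virtual BSSIDs are the AP's base MAC with the
    last octet incremented. Real products choose their own scheme; what matters is
    that each ESSID gets a distinct MAC address that belongs to the same radio."""
    octets = [int(x, 16) for x in base_mac.split(":")]
    octets[5] = (octets[5] + index) % 256
    return ":".join(f"{o:02x}" for o in octets)


def virtual_ap_beacons(base_mac: str, channel: int,
                       wlans: Iterable[Tuple[str, str, int]]) -> List[Beacon]:
    """One physical AP advertising one beacon per (essid, security, vlan) entry,
    each under its own BSSID, as the 'Virtual AP' approach describes."""
    return [Beacon(derive_bssid(base_mac, i), essid, channel, security, vlan)
            for i, (essid, security, vlan) in enumerate(wlans)]


def select_bssid(beacons: Iterable[Beacon], station_supports: Set[str],
                 essid: Optional[str] = None) -> Optional[Beacon]:
    """Station-side choice: only beacons whose advertised security the station can
    speak are candidates; among them prefer the strongest mode. Because each ESSID
    has its own BSSID, a WEP-only station and a WPA2 station land on different
    BSSIDs of the same physical AP without either seeing mixed capabilities."""
    candidates = [b for b in beacons
                  if b.security in station_supports and (essid is None or b.essid == essid)]
    if not candidates:
        return None
    return max(candidates, key=lambda b: SECURITY_RANK[b.security])


def policy_violations(beacons: Iterable[Beacon]) -> List[str]:
    """Defender check: security policy is bound to the ESSID, so every BSSID that
    advertises a given ESSID must carry the same security parameters and VLAN.
    A mismatch points at a misconfigured AP or a BSSID outside the managed set."""
    expected: Dict[str, Tuple[str, int]] = {}
    problems: List[str] = []
    for b in beacons:
        seen = (b.security, b.vlan)
        if b.essid not in expected:
            expected[b.essid] = seen
        elif expected[b.essid] != seen:
            problems.append(
                f"{b.bssid} advertises {b.essid!r} as {b.security} on VLAN {b.vlan}, "
                f"other BSSIDs use {expected[b.essid][0]} on VLAN {expected[b.essid][1]}")
    return problems


# Constructed sample: two physical APs on different channels, each carrying the
# three WLANs of the article's transition (WEP, then TKIP, then AES), plus one
# constructed stray beacon that advertises net2 without any encryption.
WLANS = [("net1", "WEP", 10), ("net2", "WPA-TKIP", 20), ("net3", "WPA2-AES", 30)]
SAMPLE_BEACONS: List[Beacon] = (
    virtual_ap_beacons("00:11:22:33:44:50", 1, WLANS)
    + virtual_ap_beacons("00:11:22:33:44:60", 6, WLANS)
    + [Beacon("00:11:22:33:44:99", "net2", 11, "OPEN", 20)]
)


if __name__ == "__main__":
    for b in SAMPLE_BEACONS:
        print(f"{b.bssid}  ch{b.channel:<2}  {b.essid:<5} {b.security:<9} vlan {b.vlan}")
    print("WEP-only station joins:", select_bssid(SAMPLE_BEACONS, {"WEP"}))
    print("WPA2 station joins:   ", select_bssid(SAMPLE_BEACONS, {"WEP", "WPA-TKIP", "WPA2-AES"}))
    for p in policy_violations(SAMPLE_BEACONS):
        print("POLICY MISMATCH:", p)
```

Run as a script it prints the per-BSSID view of the constructed scan, shows the WEP-only station landing on "net1" and the WPA2-capable station on "net3" of the same physical AP, and flags the one beacon whose advertised security does not match the policy bound to "net2". The same `policy_violations` check is the kind of thing a WLAN controller or a periodic scan job can run to confirm that every managed BSSID still advertises the ESSID-to-security binding you intended.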

With this kind of infrastructure, it's easy to see other use cases for Virtual APs. They can help you support a guest WLAN and an employee WLAN on the same physical network. Virtual APs can be used in multi-unit dwellings to support tenant WLANs with shared infrastructure. They can be used by hotspot providers to support many branded ESSIDs to earn more revenue from roaming subscribers.

Virtual APs are now being discussed within IEEE 802.11 and the Wi-Fi Alliance. Industry guidelines could help to promote consistent implementation and interoperability. Several vendors have already released products that incorporate Virtual AP features, including Colubris, Aruba, Airflow and Symbol. To learn more, read this presentation by Microsoft's Bernard Aboba (PPT) or the white paper on Colubris Networks' Web site.


About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy