User's Manual

System Architecture and Protocol Guide – 9-05 15 © 2005 SkyPilot Networks, Inc.
VLANs
The SkyPilot system allows an operator to partition subscriber traffic through the use of Virtual LANs. VLANs limit the scope of
broadcast and multicast traffic, and facilitate the segmentation of traffic in the backbone network.
An individual subscriber can be configured to a single VLAN. In this mode all Ethernet packets received on the subscriber interface
of the SkyConnector or SkyExtender are tagged with the configured VLAN ID. These packets are then forwarded to the
SkyGateway, which transparently switches the frames without modifying the VLAN tag. In this mode, the SkyConnector or
SkyExtender will strip the VLAN tag (i.e. convert to standard Ethernet format) before transmitting the packet on the subscriber
interface.
In VLAN mode, any 802.1Q tagged frame received by the SkyConnector or SkyExtender on the subscriber interface is checked for its VLAN ID. If the ID matches the configured VLAN ID, the frame is forwarded to the SkyGateway; if it does not match, the frame is discarded. If VLAN mode is not configured, the SkyConnector or SkyExtender transparently switches 802.1Q VLAN tagged Ethernet frames without inspecting or modifying the tag.
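The subscriber-interface tagging rules above, written out as an added example (this is illustrative code, not SkyPilot's implementation): frames are constructed inline, `configured_vid=None` models "VLAN mode not configured", and PCP/DEI bits are left at zero when a tag is inserted, which is an assumption the manual does not state.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (or TPID)
VLAN_TAG = struct.Struct("!HH")     # TPID, TCI (PCP:3 | DEI:1 | VID:12)
TPID_8021Q = 0x8100


def parse_vid(frame: bytes):
    """Return the 802.1Q VID of a tagged frame, or None if the frame is untagged."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < ETH_HDR.size + 2:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)   # TCI follows the TPID at offset 12
    return tci & 0x0FFF


def subscriber_ingress(frame: bytes, configured_vid=None):
    """Frame received on the subscriber interface, heading toward the SkyGateway.
    Returns the frame to forward, or None if it must be discarded."""
    vid = parse_vid(frame)
    if configured_vid is None:
        return frame                       # VLAN mode off: switch transparently
    if vid is None:
        # Untagged: insert TPID + TCI (PCP=0, DEI=0, VID=configured) after the MACs
        tag = VLAN_TAG.pack(TPID_8021Q, configured_vid & 0x0FFF)
        return frame[:12] + tag + frame[12:]
    if vid == configured_vid:
        return frame                       # tag matches: forward unchanged
    return None                            # tag mismatch: discard


def subscriber_egress(frame: bytes, configured_vid=None):
    """Frame leaving toward the subscriber: in VLAN mode the tag is stripped."""
    if configured_vid is None or parse_vid(frame) is None:
        return frame
    return frame[:12] + frame[16:]         # drop the 4-byte 802.1Q tag


# Constructed sample: untagged IPv4 frame with a two-byte stand-in payload
UNTAGGED_FRAME = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00\x45\x00"

if __name__ == "__main__":
    tagged = subscriber_ingress(UNTAGGED_FRAME, 100)
    print("tagged VID:", parse_vid(tagged))
    print("wrong VLAN dropped:", subscriber_ingress(tagged, 200) is None)
    print("egress restores frame:", subscriber_egress(tagged, 100) == UNTAGGED_FRAME)
```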
Peer to Peer Switching
The SkyPilot system permits control over Layer 2 switching at the SkyGateway. An operator can enable or disable Layer 2 switching between SkyConnectors and SkyExtenders on a per-VLAN basis. With switching enabled, an operator can offer low-latency Layer 2 VLAN connectivity between subscribers. With switching disabled, subscriber-to-subscriber traffic must pass through an external switch or router, which gives the operator a higher level of network security and flexibility.
Encryption and Authentication
The SkyPilot network provides for subscriber confidentiality, message integrity, and endpoint and network authentication. Confidentiality prevents unauthorized parties from reading network traffic. Message integrity ensures that network traffic is delivered unaltered to the intended recipient. Endpoint authentication establishes trust between two nodes on a network; without it, confidentiality and message integrity are difficult to achieve. Endpoint authentication also ensures that only authorized nodes join the network, and network authentication ensures that nodes join only trusted networks.
Network Key
The SkyPilot system supports a shared network key. This static key is installed (via the CLI) by a network operator prior to deployment. Only nodes that share the network key are authorized to join the network. Note that, for security reasons, the network key cannot be changed remotely.
Identification Certificate
All SkyPilot nodes have a unique identification certificate installed during manufacture. Each certificate is part of a certificate chain signed all the way up to the SkyPilot root certificate authority, and uniquely identifies its SkyPilot node.
Authentication
When a SkyPilot node connects to the network via a SkyExtender or directly via a SkyGateway, the following peer-to-peer
authentication protocol is completed:
1. The authentication negotiation is initiated by the node with the numerically smaller MAC address (Node A). This node sends an SP_AUTH_HELLO message that contains its Identification Certificate to the node with the numerically larger MAC address (Node B).
2. Upon receiving the SP_AUTH_HELLO message, Node B verifies that the ID certificate in the message has been signed by the correct certificate authority (CA) using its root public key. This step provides assurance to Node B that Node A possesses a valid certificate. If Node B successfully verifies the Identification Certificate, it generates a random number. This random number is one of the ingredients used in generating the secret session key.
3. Node B encrypts the random number it generated with the shared network key. It then encrypts the resulting ciphertext with Node A's public key. The purpose of this dual encryption is to verify that Node A holds the same shared static key as Node B, and to ensure that only Node A can decrypt the message. The final ciphertext is combined with Node B's Identification Certificate and placed in an SP_AUTH_CHALLENGE message, which is sent to Node A.