Protected Management Frames
The IEEE 802.11w-2009 amendment (now part of IEEE 802.11-2020) introduced Protected Management Frames (PMF), which protect robust management frames. Prior to WPA3 and Enhanced Open, most management frames were not encrypted. Because Wi-Fi is a broadcast medium, any device can eavesdrop or participate as a legitimate or rogue client. Securing management frames is as important as securing data frames. Without PMF, all management frames are sent unprotected in the open. PMF protects a set of robust management frames and augments the privacy protections already in place for data frames (802.11i). WPA3 and Enhanced Open require the use of PMF.
PMF is also referred to as Management Frame Protection (MFP). When discussing whether Protected Management Frames are optional or required, the terms MFPR (required) and MFPC (capable) will be used. Their configuration options are discussed below. Throughout the security mode sections the terms PMF and MFP may be used interchangeably. In the context of HPE Aruba Networking, these terms mean the same thing.
Three possible configurations exist for Protected Management Frames:
Configuration | Parameters | PMF Capable Client | Non-PMF Client |
---|---|---|---|
Disabled | MFPR=0/MFPC=0 | No benefit | No benefit |
Capable (Optional) | MFPR=0/MFPC=1 | Protection benefit | No benefit |
Mandatory (Required) | MFPR=1/MFPC=1 | Protection benefit | Cannot connect |
Protected Management Frames help secure robust management frames against various attacks. The key security objectives are to protect against passive eavesdropping, prevent forgery of unicast and multicast action frames, allow replay detection, and prevent stations from masquerading as another station.
PMF protects against forged disassociation and de-authentication frames post association.
Examples of protected robust action frames include:
- Channel Switch Announcements
- QoS
- ADDBA Negotiation
- Block ACK
- Radio Measurement
- Security Association (SA) Query
- Wireless Network Management
Support for Protected Management Frames is advertised in the RSN Capabilities field of the RSNE, which can be found in beacons, probe responses, and association responses.
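To audit which of the three configurations a BSS advertises, the MFPR and MFPC bits can be read straight from the RSN Capabilities field (bits 6 and 7). The following is an added example, not HPE Aruba Networking code; the function names are hypothetical and the sample RSNEs are constructed rather than captured.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable

def rsn_capabilities(rsne: bytes) -> int:
    """Return the 16-bit RSN Capabilities field of a raw RSNE (element ID 48)."""
    if len(rsne) < 2 or rsne[0] != 48:
        raise ValueError("not an RSNE")
    body = rsne[2:2 + rsne[1]]
    if len(body) != rsne[1]:
        raise ValueError("truncated RSNE")
    off = 2 + 4                      # version (2) + group data cipher suite (4)
    for _ in range(2):               # pairwise cipher list, then AKM list
        if off + 2 > len(body):
            raise ValueError("RSNE ends before RSN Capabilities")
        (count,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * count         # skip the count and its 4-byte suite selectors
    if off + 2 > len(body):
        raise ValueError("RSNE ends before RSN Capabilities")
    return struct.unpack_from("<H", body, off)[0]

def pmf_mode(caps: int) -> str:
    """Map MFPR/MFPC to the configuration names used in the table above."""
    required, capable = bool(caps & MFPR), bool(caps & MFPC)
    if required and not capable:
        return "Invalid (MFPR=1/MFPC=0)"   # not one of the three configurations
    if required:
        return "Mandatory (Required)"
    return "Capable (Optional)" if capable else "Disabled"

def build_rsne(akm: bytes, caps: int) -> bytes:
    """Constructed sample: CCMP-128 group and pairwise ciphers, one AKM suite."""
    ccmp = bytes.fromhex("000fac04")
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", 1) + akm + struct.pack("<H", caps)
    return bytes([48, len(body)]) + body

SAMPLES = {  # constructed RSNEs, not taken from a real network
    "PSK, PMF disabled": build_rsne(bytes.fromhex("000fac02"), 0x0000),
    "PSK, PMF capable": build_rsne(bytes.fromhex("000fac02"), MFPC),
    "SAE, PMF required": build_rsne(bytes.fromhex("000fac08"), MFPR | MFPC),
}

if __name__ == "__main__":
    for name, rsne in SAMPLES.items():
        print(f"{name:20} {pmf_mode(rsn_capabilities(rsne))}")
```

An SSID that reports "Disabled" or "Capable (Optional)" still admits clients without management frame protection, which is the "No benefit" column of the table.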
AOS specifics:
- PMF is not user configurable for WPA3 or Enhanced Open security modes. MFPR (Required) and MFPC (Capable) configuration is automatic.