US-12627983-B2 - Intrusion prevention using reconfiguration multi-link elements in WiFi 7
Abstract
A communication link between an unauthorized AP MLD in a wireless network and a client device is terminated in response to spoofing a communication from the unauthorized AP MLD. The communication is sent from a device different than the unauthorized AP MLD to the client device and includes a source identifier that identifies the unauthorized AP MLD as a source device of the communication. The communication additionally or alternatively may contain or indicate a management or configuration element. The management or configuration element may include a reconfiguration multi-link element that specifies the first wireless communication link as no longer available.
Inventors
- Ashutosh Sharma
- Jatin Parekh
- Anubhav Gupta
Assignees
- ARISTA NETWORKS, INC.
Dates
- Publication Date: 2026-05-12
- Application Date: 2024-02-20
Claims (17)
- 1. One or more non-transitory media having instructions which, when executed by one or more processors, cause a plurality of operations, the operations comprising: upon determining that an access point multi-link device (AP MLD) prohibited from connecting to a client device is connected to the client device over a first wireless communication link: causing a communication from the AP MLD to be spoofed by transmitting, from a device different than the AP MLD, a frame comprising (a) a source identifier that identifies the AP MLD as a source device of the frame and (b) a reconfiguration multi-link element indicating that the first wireless communication link is no longer available, wherein the reconfiguration multi-link element comprises a value in a type subfield of a multi-link control field of the frame, and wherein the client device terminates the first wireless communication link in response to receiving the frame.
- 2. The one or more non-transitory media of claim 1, wherein the frame further comprises (c) a destination identifier that identifies the client device as a destination device.
- 3. The one or more non-transitory media of claim 1, wherein the operations further comprise determining that the first wireless communication link is impermissible, and wherein causing the communication from the AP MLD to be spoofed is further responsive to the determining that the first wireless communication link is impermissible.
- 4. The one or more non-transitory media of claim 1, wherein the reconfiguration multi-link element further indicates that a second wireless communication link, which connects the AP MLD and the client device, is no longer available.
- 5. The one or more non-transitory media of claim 1, wherein the first wireless communication link is one of a plurality of wireless communication links established between the client device and the AP MLD, wherein the frame indicates that each of the plurality of wireless communication links is no longer available, and wherein the client device terminates each of the plurality of wireless communication links in response to receiving the frame.
- 6. The one or more non-transitory media of claim 1, wherein the frame includes an unencrypted frame.
- 7. The one or more non-transitory media of claim 1, wherein the frame includes an unencrypted beacon frame.
- 8. The one or more non-transitory media of claim 1, wherein the frame includes an unencrypted probe response frame.
- 9. A system having one or more processors configured to facilitate a plurality of operations, the operations comprising: determining that an access point multi-link device (AP MLD), prohibited from connecting to a client device, is connected to the client device over a first wireless communication link; and based on the determining, spoofing a communication from the AP MLD by causing transmission, from a device different than the AP MLD, of a frame comprising: a source identifier indicating the AP MLD as a source device of the frame; and a reconfiguration multi-link element indicating that the first wireless communication link is no longer available, wherein the frame comprises a multi-link control field having a value indicative of the reconfiguration multi-link element, wherein the value is in a type subfield of the multi-link control field, and wherein the frame is configured to cause the client device to terminate the first wireless communication link.
- 10. The system of claim 9, wherein the frame further comprises a destination identifier configured to identify the client device as a destination device.
- 11. The system of claim 9, wherein spoofing the communication from the AP MLD is responsive further to a determination, by the one or more processors, that the first wireless communication link is impermissible.
- 12. The system of claim 9, wherein the first wireless communication link is one of a plurality of wireless communication links established between the client device and the AP MLD, and wherein the frame indicates termination of each of the plurality of wireless communication links.
- 13. The system of claim 12, wherein the frame includes an unencrypted frame, and wherein the client device terminates each of the plurality of wireless communication links in response to receiving the unencrypted frame.
- 14. A method, comprising: in response to determining a prohibited wireless communication link between an access point multi-link device (AP MLD) and a client device, generating a frame comprising: a source identifier and a reconfiguration multi-link element indicating that the AP MLD is a source device of the frame and that the prohibited wireless communication link is no longer available, wherein the reconfiguration multi-link element comprises a value in a multi-link control field of the frame and wherein the value is in a type subfield of the multi-link control field of the frame; and causing the frame to be transmitted from a device different than the AP MLD, wherein the transmitting causes the client device to terminate the prohibited wireless communication link.
- 15. The method of claim 14, further comprising determining that the prohibited wireless communication link is impermissible.
- 16. The method of claim 15, wherein determining that the prohibited wireless communication link is impermissible is based on stored information indicating the AP MLD is an unauthorized AP MLD, and wherein the frame includes a destination identifier that identifies the client device as a destination device.
- 17. The method of claim 14, wherein: the prohibited wireless communication link is one of a plurality of wireless communication links established between the client device and the AP MLD; the frame indicates that each of the plurality of wireless communication links is no longer available; and the client device terminates each of the plurality of wireless communication links in response to receiving the frame.
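The claims hinge on one construct: a Multi-Link element whose Multi-Link Control field carries the Reconfiguration type, sent in an unencrypted beacon or probe response. As an added example (not code from the patent or from Arista), the Python below parses the information elements of a management-frame body and reports whether it carries such a Reconfiguration Multi-Link element, which is what a WIPS sensor or a monitoring client would log and correlate when it sees a link being withdrawn over the air. It assumes the IEEE 802.11be values Element ID 255 with Element ID Extension 107 for the Multi-Link element and Type subfield value 2 for Reconfiguration; the frame bodies are constructed, not captured.

```python
import struct

# IEEE 802.11be identifiers assumed here (confirm against the published standard).
EID_EXTENSION = 255          # Element ID that introduces an extended element
EID_EXT_MULTI_LINK = 107     # Element ID Extension for the Multi-Link element
# Type subfield = bits 0-2 of the 16-bit Multi-Link Control field
ML_TYPE_NAMES = {0: "Basic", 1: "Probe Request", 2: "Reconfiguration",
                 3: "TDLS", 4: "Priority Access"}
ML_TYPE_RECONFIGURATION = 2


def parse_elements(body: bytes):
    """Yield (element_id, ext_id, payload) for each IE in a management-frame body.
    ext_id is None unless the element is an extended (ID 255) element."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) < length:
            break                      # truncated trailing element: stop, do not misparse
        ext_id = None
        if eid == EID_EXTENSION and length >= 1:
            ext_id, payload = payload[0], payload[1:]
        yield eid, ext_id, payload
        i += 2 + length


def multi_link_types(body: bytes) -> list:
    """Return the Type subfield of every Multi-Link element found in the body."""
    types = []
    for eid, ext_id, payload in parse_elements(body):
        if eid == EID_EXTENSION and ext_id == EID_EXT_MULTI_LINK and len(payload) >= 2:
            control = struct.unpack_from("<H", payload)[0]   # little-endian ML Control field
            types.append(control & 0x07)
    return types


def carries_link_removal(body: bytes) -> bool:
    """True when the body carries a Reconfiguration Multi-Link element, i.e. the frame
    tells the receiving non-AP MLD that one or more of its links is being withdrawn."""
    return ML_TYPE_RECONFIGURATION in multi_link_types(body)


# Constructed sample beacon bodies: SSID + Supported Rates, then a Multi-Link element whose
# Control Type is 2 (Reconfiguration) or 0 (Basic), followed by a 1-byte stand-in for Common Info.
_SSID_AND_RATES = bytes([0, 4]) + b"corp" + bytes([1, 2, 0x82, 0x84])
_ML_HEADER = bytes([EID_EXTENSION, 4, EID_EXT_MULTI_LINK])
RECONF_BEACON_BODY = _SSID_AND_RATES + _ML_HEADER + struct.pack("<H", 2) + b"\x01"
BASIC_BEACON_BODY = _SSID_AND_RATES + _ML_HEADER + struct.pack("<H", 0) + b"\x01"

if __name__ == "__main__":
    for name, body in (("reconfiguration", RECONF_BEACON_BODY), ("basic", BASIC_BEACON_BODY)):
        print(name, [ML_TYPE_NAMES.get(t, "reserved") for t in multi_link_types(body)],
              "-> link removal" if carries_link_removal(body) else "-> no link removal")
```

Because beacons and probe responses are sent in the clear, a sensor running this check sees both the claimed containment frame and any frame imitating it; the source address alone does not tell them apart, so the event should be logged with the receiving radio and timestamp for correlation.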
Description
TECHNICAL FIELD
The present disclosure relates to a computer-implemented technique for terminating a wireless communication link with an unauthorized device in a wireless network environment.
BACKGROUND
Within a wireless local area network (WLAN), a connection of a client device to an unauthorized or rogue access point (AP) can pose a significant threat to client security in particular and network security in general. For instance, establishing an illegitimate wireless fidelity (WiFi) hotspot within a wireless communications environment typically can be performed by nearly any user having basic computer skills. A bad actor with minimal computer programming and networking knowledge may set up an unauthorized hotspot, commonly known as a honeypot, within a wireless communications environment by utilizing a device including an off-the-shelf modem or router. Even a commonplace smartphone may hold the capability to function as a cost-free hotspot, e.g., honeypot, accomplishable by configuring specific parameters within the smartphone's general settings menu.
An unauthorized entity or bad actor may enable a WiFi hotspot, e.g., corresponding to a honeypot, within a WLAN to enable client devices to establish connections with the Internet. Typically, the honeypot may adopt the name of a legitimate establishment's WiFi network or a name that the client would naturally assume to be a permitted or preferred AP. For example, when a client device scans for an available AP (e.g., at a commercial establishment or in the vicinity of an enterprise) and encounters the name, the client may initiate a connection with the honeypot without suspicion. Once the client device connects, e.g., via an authentication process, a malevolent actor or unpermitted entity behind the connection or enabling the connection may be able to scrutinize and intercept the client's private information through sundry stratagems or surreptitious acts such as traffic filtering.
As WLAN and wireless intrusion prevention system (WIPS) technologies advance and increase in complexity, challenges related to protecting users and client devices from connecting to unauthorized APs continue to grow and evolve commensurately.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the content or approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
BRIEF DESCRIPTION OF THE DRAWINGS
The embodiments of this disclosure are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings. It should be noted that references to “an” or “one” embodiment of the disclosure in this disclosure are not necessarily to the same embodiment of the disclosure, and they mean at least one. In the drawings:
- FIG. 1A illustrates an example computing system including multiple AP MLDs and a client device in a wireless environment and including a network manager station in accordance with one or more embodiments of the disclosure;
- FIG. 1B depicts the network manager station in accordance with one or more embodiments of the disclosure;
- FIG. 2 shows an example set of operations for terminating a first wireless communication link between the client device and an unpermitted AP MLD in accordance with one or more embodiments of the disclosure;
- FIGS. 3A-3D depict an example implementation of terminating a prohibited wireless communication link between a client device and an unpermitted AP MLD in accordance with one or more embodiments of the disclosure; and
- FIG. 4 illustrates a block diagram that includes a computer system in accordance with one or more embodiments of the disclosure.
DETAILED DESCRIPTION
In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the disclosure. One or more embodiments of the disclosure may be practiced without these specific details. Features described in one embodiment of the disclosure may be combined with features described in a different embodiment of the disclosure. In some examples, well-known structures and devices are described with reference to a block diagram form in order to avoid unnecessarily obscuring the present invention.
1. GENERAL OVERVIEW
2. MULTI-LINK OPERATION (MLO) INTRUSION PREVENTION ARCHITECTURE
3. TERMINATING A LINK WITH AN ACCESS POINT MULTI-LINK DEVICE (AP MLD)
4. EXAMPLE EMBODIMENT
5. HARDWARE OVERVIEW
6. MISCELLANEOUS; EXTENSIONS
1. General Overview
One or more embodiments terminate a wireless communication link between a client device and an AP MLD by transmitting a frame, e.g., a management frame, that spoofs the frame-originator as the AP MLD. For instance, following a multi-link setup or association process, one or more communication links, e.g., channels, may be established