The interested reader can find an overview of Management Frame Protection in the article "Management Frame Protection".
Management Frame Protection is indicated in the 802.11 frames in the following manner.
- The RSN Capabilities indicate that management frame protection is enabled.
  - Management Frame Protection Required
    - True (set to 1) – Management Frame Protection is required
    - False (set to 0) – Management Frame Protection is not required
- The RSN Capability also indicates the Broadcast cipher Suite (BIP)

The Wireshark RSN snippet below for the Group Management Cipher Suite shows the value for BIP
- The Protected field is set to 1 in the 802.11 flags to indicate that the management frame is protected
- A separate Sequence counter is incorporated into the management frame for frame protection
- When Management Frame Protection is negotiated using the above, the negotiated pairwise cipher suite is used to encrypt individually addressed management frames.
- The Group Management cipher suite is used to protect group addressed robust management frames
- AES-128-CMAC is not allowed to be used for data frame encryption
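
To check these indications in a capture or on an access point audit, the RSN element can be decoded directly. The following is an added example, not code from the original article: the function and sample names are hypothetical, the sample bytes are constructed, and the bit positions (bit 6 for Management Frame Protection Required, bit 7 for the companion Management Frame Protection Capable flag) and the 00-0F-AC:6 selector for BIP-CMAC-128 are taken from IEEE 802.11. It assumes the element carries every field up to RSN Capabilities.

```python
import struct

# Cipher suite types under OUI 00-0F-AC (IEEE 802.11); only those used here.
SUITES = {4: "CCMP-128", 6: "BIP-CMAC-128"}
MFPR = 1 << 6  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7  # RSN Capabilities bit 7: Management Frame Protection Capable

def suite_name(sel: bytes) -> str:
    if sel[:3] == b"\x00\x0f\xac":
        return SUITES.get(sel[3], f"00-0F-AC:{sel[3]}")
    return f"{sel[:3].hex()}:{sel[3]}"

def parse_rsn_mfp(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID/length bytes stripped)."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    u16()                                   # version
    take(4)                                 # group data cipher suite
    pairwise = [suite_name(take(4)) for _ in range(u16())]
    take(4 * u16())                         # AKM suite list (not decoded)
    caps = u16()                            # RSN Capabilities, little-endian
    info = {"pairwise": pairwise, "mfp_required": bool(caps & MFPR),
            "mfp_capable": bool(caps & MFPC), "group_mgmt": None}
    if pos < len(body):                     # optional PMKID count + list
        take(16 * u16())
    if pos < len(body):                     # optional Group Management Cipher Suite
        info["group_mgmt"] = suite_name(take(4))
    return info

# Constructed sample: CCMP-128 pairwise, MFPR and MFPC set, BIP-CMAC-128 group mgmt.
SAMPLE_PMF = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                           "0100" "000fac06" "c000" "0000" "000fac06")
# Constructed sample: same suites, capabilities 0x0000, no trailing fields.
SAMPLE_NO_PMF = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                              "0100" "000fac02" "0000")

if __name__ == "__main__":
    print(parse_rsn_mfp(SAMPLE_PMF))
    print(parse_rsn_mfp(SAMPLE_NO_PMF))
```

A network whose beacons decode with `mfp_required` false still accepts clients that do not protect management frames, which is the setting to look for when auditing.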