Protected Management Frames (PMF)

Protected Management Frames (PMF) is described in the IEEE 802.11w-209 amendment. PMF increases security by providing data confidentiality of management frames, mechanisms that enable data integrity, data origin authenticity, and replay protection.

This protection applies only to Robust Security Networks (RSN) and just to a subset of the management frames. The frames which are required before and during the 4-way handshake are not protected. Therefore the protection is limited to the following frames:

  • Channel Switch Announcement
  • De-authentication
  • Disassociation
  • Robust Action
    • Block ACK Request / Response
    • Fast BSS Transition
    • QoS Admission Control
    • Radio Measurement
    • Spectrum Management

Another limitation is the support of this amendment on the wireless clients. The Wi-Fi Alliance (WFA) interoperability certification program requires support for PMF. However, this requirement applies only when certifying for 802.11ac. This means that there are a lot of devices which do not support PMF.

When you decide to enable PMF on your wireless network, beware of the consequences. You could potentially prevent a lot of clients from your connecting to your network. Unless you are in full control of the clients on your network and know if 802.11w is supported, my recommendation would be to disable PMF.

There are other options, such as enabling PMF as optional instead of disabled or mandatory, but I am not sure if all clients support this.

The 802.11w-2009 amendment has been superseded by the 802.11-2012 standard.

 

Leave a Reply

Your email address will not be published. Required fields are marked *