Personal virtual bridged local area networks

Abstract

A mechanism for segregating traffic amongst STAs that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP. In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways: VLAN discovery in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension in which a Personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol; Logical ports in which a Personal VLAN bridge can maintain more than one logical port per physical port, and bridges between ports of any kind; and cryptographic VLAN separation.

Description

BACKGROUND OF THE INVENTION

[0002] 1. Technical Field

[0003] The invention relates to local area networks. More particularly, the invention relates to a personal virtual bridged local area network.

[0004] 2. Description of the Prior Art

[0005] An access point (AP) is a link-layer bridge between one or more stations (STAs) and a distribution system (DS). See IEEE 802.11, Wireless LAN Medium Access Control and Physical Layer Specifications, ISO/IEC 8802-11:1999(E), ANSI/IEEE Std 802.11, 1999 Edition. An example of a DS is a LAN segment, or an intranet. An AP enables packets to be transmitted via radio either from a station (STA) to the DS, or from the DS to a STA. An access point therefore has at least two physical ports. One is the DS interface and the other is a radio interface. Multiple STAs, each with their own radio interface, can send packets to the DS by multiplexing the single shared radio interface of an AP. The radio interface operates at a particular frequency and the STAs share the medium through a MAC-PHY protocol that guarantees mutually exclusive access to the medium. The DS also sends packets to STAs by using the same protocol.

[0006] The STA of an AP has a Basic Service Set ID (BSSID). It serves to partition 802.11 Basic Service Sets logically. Every STA that associates with an AP shares the AP's BSSID. A frame destined for a group address received by an AP or a STA is discarded if the BSS to which the AP or STA belong does not match the BSSID of the frame. In this sense, the BSSID behaves as a Virtual LAN ID (VID). See IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks, IEEE Std 802.1Q-1998. Every STA is therefore a member of the same virtual LAN (VLAN) as a consequence of associating with the same AP.

[0007] Every STA in a BSS, however, should not share the same VLAN unless the STAs trust each other. Yet in public space deployments, all STAs associated with an AP are required to share the same VLAN when typically there is no trust among them. This can make a STA vulnerable, for instance, to various link-layer attacks launched by an untrusted STA, such as Address Resolution Protocol (ARP) cache re-mapping.

[0008] It would be advantageous to provide a mechanism for segregating traffic amongst STAs that are associated with a bridge such that, for example, an untrusted STA associated with said bridge can not be used to launch a link layer (OSI Layer 2) attack on another STA associated with the same bridge.

SUMMARY OF THE INVENTION

[0009] The invention provides a mechanism for segregating traffic amongst STAs that are associated with a bridge such that, for example, an untrusted STA associated with said bridge can not be used to launch a link layer (OSI Layer 2) attack on another STA associated with the same bridge. The invention is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (Virtual Bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP.

[0010] Suppose an AP is attached to a DS. Every STA that associates with the AP should have an opportunity to create a new VLAN with itself and the DS as its members. This way traffic between trusted and untrusted STAs can be separated even though they associate with the same AP. In general, if the DS comprises multiple VLANs, then the members of any subset of them can be members of the new VLAN. So there should be a way to discover existing VLANs. Furthermore, there should be a protocol for joining an existing VLAN. Creating a VLAN and joining an existing VLAN are both operations that require authentication. The IEEE Std 802.1Q-1998 VLAN model is deficient for such purposes because it does not provide these capabilities. The preferred embodiment of the invention comprises a mechanism for providing such capability, referred to herein as the personal virtual bridged local area network (Personal VLAN).

[0011] In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways:

[0012] VLAN discovery: A Personal VLAN provides a protocol for VLAN discovery (discussed below).

[0013] VLAN extension/creation: A Personal VLAN bridge allows a station to create a new port that serves a new VLAN, or to join an existing VLAN or to join an existing VLAN via an authentication protocol.

[0014] Logical ports: A Personal VLAN bridge can maintain more than one logical port per physical port. It bridges between ports of any kind. A VLAN's member set is defined in terms of logical and physical ports. Every logical port has a lifetime controlled by the bridge.

[0015] Cryptographic VLAN separation: In a Personal VLAN, a logical port serves at most one VLAN. However, because there may be more than one logical port per physical port, more than one VLAN may exist on a physical port. Traffic within one VLAN is separated from another VLAN on the same physical port by cryptography. An authentication code uniquely identifies the VLAN to which the traffic belongs, while another level of encryption keeps the traffic private except to members of the VLAN.

[0016] Layer-2 VLAN support across routers: When an STA can roam and reattach to a network at a different bridge, e.g. by associating with a new AP, the STA can inform the bridge of a VLAN to which it already belongs. The VLAN may have been created by a station, e.g. itself, at another bridge that links the VLAN with one or more logical or physical ports at that bridge. The STA can maintain its membership in the VLAN at layer 2 even though the new bridge may be located on a different subnet. This capability subsumes Mobile IP capability because Mobile IP aims to retain subnet membership for a station across routers. A subnet may correspond to a VLAN, but in general it does not.

[0017] Spanning tree maintenance: A Personal VLAN bridge permits an STA to create a VLAN where the STA itself is a bridge. A spanning tree algorithm eliminates cycles among bridges when membership is granted. The process for joining a personal VLAN enforces restrictions on VLAN topology that make re-constructing a spanning tree unnecessary after a new bridge joins a VLAN.

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] FIG. 1 is a block schematic diagram that illustrates two bridges in a Personal VLAN network according to the invention;

[0019] FIG. 2 is a block schematic diagram which shows an embodiment in which station A shares SA1 with bridge 1;

[0020] FIG. 3 is a block schematic diagram which shows an embodiment in which stations D and E belong to VLAN5, however unlike the other stations, they do not share security associations with bridge 1, but rather with personal VLAN bridge 2;

[0021] FIG. 4 is a block schematic diagram that shows Personal VLAN discovery according to the invention;

[0022] FIG. 5 is a flow diagram that shows the requesting of service for a new VLAN according to the invention;

[0023] FIG. 6 is a flow diagram that shows linking of a VLAN served by a logical port at a bridge to one or more VLANs served by physical ports at a bridge according to the invention;

[0024] FIG. 7 is a flow diagram that shows inter-station authentication that is triggered when a bridge receives a join-VLAN request whose destination VLAN set consists of a single VLAN served by a logical port according to the invention; and

[0025] FIG. 8 is a flow diagram showing ingress filtering a logical ports according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0026] The presently preferred embodiment of the invention provides a mechanism for segregating traffic amongst STAs that are associated with a bridge such that, for example, an untrusted STA associated with said bridge can not be used to launch a link layer (OSI Layer 2) attack on another STA associated with the same bridge. Those skilled in the art will appreciate that the invention disclosed herein is applicable to a wide range of systems and networks, including but not limited to wired and wireless networks.

[0027] The Personal VLAN Bridge Model

[0028] The invention is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (Virtual Bridged LANS) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP.

[0029] Suppose an AP is attached to a DS. Every STA that associates with the AP should have an opportunity to create a new VLAN with itself and the DS as its members. This way traffic between trusted and untrusted STAs can be separated even though they associate with the same AP. In general, if the DS comprises multiple VLANs, then the members of any subset of them can be members of the new VLAN. So there should be a way to discover existing VLANs. Furthermore, there should be a protocol for joining an existing VLAN.

[0030] Creating a VLAN and joining an existing VLAN are both operations that require authentication. The IEEE Std 802.1Q-1998 VLAN model is deficient for such purposes because it does not provide these capabilities. The preferred embodiment of the invention comprises a mechanism for providing such capability, referred to herein as the personal virtual bridged local area network (Personal VLAN).

[0031] A presently preferred embodiment of the invention is discussed herein in connection with FIGS. 1-3. It will be appreciated by those skilled in the art that the configurations shown in FIGS. 1-3 are provided for purposes of example only and are not intended to limit the configurations with which the invention may be practiced.

[0032] FIG. 1 is a block schematic diagram that illustrates two bridges 10, 12. Personal VLAN Bridge 1 (10) has four physical ports 11, 13, 15, 17, two of which 11, 13 are wired Ethernet. The wired ports serve VLAN1 and VLAN2 respectively. The other two ports 15, 17 are wireless Ethernet ports. One of these ports 15 conforms to the high-rate (54 Mbps) 802.11g standard, and the other port 17 conforms to the 802.11a standard. There are three logical ports 19, 21, 23 associated with the 802.11g port. Each logical port has its own security association 25, 27, 29 which is shared by some number of end stations 20, 22, 24 to constitute a separate VLAN.

[0033] Station A 20 shares SA125 with bridge 110, as illustrated in FIG. 2. No other stations share SA1 and so STA A is in a unique VLAN, i.e. VLAN3, represented by a spanning tree whose root is bridge 1.

[0034] Stations B and C 22, 24, on the other hand, belong to VLAN4 because they share SA227 with bridge 1 (see FIG. 2). This VLAN was created by one of STA A or STA B. Then the other station joined it after being authenticated by the creator. This illustrates case of joining a personal VLAN (see below). VLAN4 is also represented by a spanning tree with bridge 1 as root.

[0035] Stations D 16 and E 18 belong to VLAN5. However, unlike the other stations, they do not share security associations with bridge 1 but, rather, with Personal VLAN bridge 212 (see FIG. 3). Bridge 2 is the root of a spanning tree for VLAN5 until the tree was extended, making bridge 1 the new root.

[0036] In one embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways:

[0037] VLAN discovery: A Personal VLAN provides a protocol for VLAN discovery (discussed below).

[0038] VLAN extension/creation: A Personal VLAN bridge allows a station to create a new port that serves a new VLAN, or to join an existing VLAN or to join an existing VLAN via an authentication protocol.

[0039] Logical ports: A Personal VLAN bridge can maintain more than one logical port per physical port. It bridges between ports of any kind. A VLAN's member set is defined in terms of logical and physical ports. Every logical port has a lifetime controlled by the bridge.

[0040] Cryptographic VLAN separation: In a Personal VLAN, a logical port serves at most one VLAN. However, because there may be more than one logical port per physical port, more than one VLAN may exist on a physical port. Traffic within one VLAN is separated from another VLAN on the same physical port by cryptography. An authentication code uniquely identifies the VLAN to which the traffic belongs, while another level of encryption keeps the traffic private except to members of the VLAN.

[0041] Layer-2 VLAN support across routers: When an STA can roam and re-attach to a network at a different bridge, e.g. by associating with a new AP, the STA can inform the bridge of a VLAN to which it already belongs. The VLAN may have been created by a station, e.g. itself, at another bridge that links the VLAN with one or more logical or physical ports at that bridge. The STA can maintain its membership in the VLAN at layer 2 even though the new bridge may be located on a different subnet. This capability subsumes Mobile IP capability because Mobile IP aims to retain subnet membership for a station across routers. A subnet may correspond to a VLAN, but in general it does not.

[0042] Spanning tree maintenance: A Personal VLAN bridge permits an STA to create a VLAN where the STA itself is a bridge. A spanning tree algorithm eliminates cycles among bridges when membership is granted. The process for joining a personal VLAN enforces restrictions on VLAN topology that make re-constructing a spanning tree unnecessary after a new bridge joins a VLAN.

[0043] The presently preferred Personal VLAN bridge model parallels the VLAN model in terms of its rules for tagging frames, determining member/untagged sets, and in terms of components involved with relaying MAC frames, as described in IEEE Std 802.1Q-1998, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks, pp. 28. Extensions to these components in a Personal VLAN bridge are described below.

[0044] Personal VLAN Control Channels

[0045] Every physical port has a Personal VLAN control channel 40, 42 for sending and receiving control frames and authentication protocol frames. The channel has no security association and is identified by a frame field, e.g. Ethernet Type encoded. Authentication frames are preferably encapsulated using a format such as EAPoL (see IEEE 802.1X, IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Std 802.1X-2001) which can handle a variety of authentication protocols.

[0046] VLAN discovery

[0047] A Personal VLAN bridge runs server and client VLAN discovery agents 26 and 28, 30, respectively. The server agent responds to information requests, while the client agent issues information requests. An example of such agents is the client and server agents of the Service Location Protocol v2, IETF, RFC 2608. Therefore, a Personal VLAN can discover other VLANs and/or allow the VLANs it serves to be discovered. Discovery (see FIG. 4) involves transmission of a VLAN-DISCOVER frame. In response, a VLAN-OFFER frame is sent to the source MAC address of the discover frame. An offer frame lists all or some of the VLANs served by a bridge and information that can be used to select from among them. There may be more than one offer frame received by a client in response to a discover frame it sent. Transmission of a VLAN-OFFER frame is delayed by some randomly chosen period of time to minimize collisions among responders.

[0048] Serving a New VLAN

[0049] A Personal VLAN bridge can receive a request to serve a new VLAN. The request contains the VID of the new VLAN. A request is not granted unless the requester is authorized, the request is fresh, and it can be authenticated through a control channel. To serve a new VLAN at a bridge requires making the bridge the root of a spanning tree for the named VLAN. Requesting service for a new VLAN consists of the following steps:

[0050] The bridge receives a request frame with a source MAC address through the control channel of some physical port. The holder of that MAC address is the requester (100).

[0051] Receipt of the request frame initiates an authentication protocol with the requester through the control channel (102).

[0052] If the requester cannot be authenticated, or is not authorized to request VLAN service from the bridge (104), then the request is discarded (106).

[0053] If there is no conflict in using the VID requested (105), anew logical port is created and associated with the physical port through which the request frame is received (108). This is the logical port the bridge uses to serve the VLAN. Otherwise, the bridge negotiates a VID with the requester (110). The VLAN's filtering rules are determined by a policy for the requester.

[0054] The port state information is updated for the logical port to include a security association (SA), shared with the requester that is in effect for all traffic through that port (112). Only the holder of the SA can change the logical port state

[0055] Upon completion of these steps, a new logical port exists to serve the new VLAN, but the VLAN is not linked to any other VLAN served by the bridge until a request is made to join a particular VLAN. Until this time, the new VLAN is inoperable at the bridge.

[0056] Joining a VLAN

[0057] A new VLAN served by a bridge must extend one or more existing VLANs served by physical ports of the bridge to be useful. In other words, it must be linked to one or more existing VLANs. Linking the VLAN served by a logical port at a bridge to one or more VLANs served by physical ports at a bridge is performed through a join-VLAN request sent over a control channel. The request does not bridge the VLANs served by the physical ports. Rather, they remain separate yet the new VLAN extends all of them simultaneously.

[0058] A join-VLAN request contains the VID V′ of a VLAN served by a logical port P′ of the bridge, referred to herein as the source VLAN, and a set V of VIDs for VLANs served by a set of physical ports P, referred to herein as the destination VLANs. The request aims to link V′ to every VLAN ID in V, or in other words, to allow the requester to join every VLAN in V. The requester has already created V′.

[0059] The bridge takes the following steps (see FIG. 6):

[0060] First the request is authenticated (200). This is done with respect to the SA associated with V′ which was established when the bridge was asked to serve V′. A simple challenge-response strategy is used in the preferred embodiment, although other approaches may be used as appropriate. If authentication fails, the request is discarded.

[0061] Logical port P′ is added to the member set of every VID in V (202), and every physical port in P is added to the member set of V′ (204). The untagged set of V′ is formed by taking a union of all untagged sets for VIDs in V (206). If the request frame contains a null VID in its tag header, or it is untagged, then P′ is added to the untagged set of every VID in V (208).

[0062] The requests to serve a new VLAN and to link it to other VLANs can be combined into one request. Thus, creating a VLAN and joining another can be performed through one authentication process, specifically, the process required for serving a new VLAN.

[0063] Joining a Personal VLAN

[0064] Joining a personal VLAN, i.e. one served by a logical port, requires special treatment. A Personal VLAN bridge is not authorized to link VLANs served by logical ports because it did not create the ports, unlike its physical ports. In this case, the creator of the logical port authenticates the requester through a mutually-agreed upon protocol, for example, challenge-response. This inter-station authentication (see FIG. 7) is triggered when the bridge receives a join-VLAN request whose destination VLAN set consists of a single VLAN served by a logical port (298).

[0065] There are three cases:

[0066] The source and destination VLANs have the same creator, and the creator issued the join-VLAN request (300). In this case, the request is discarded (302). Otherwise, a cycle could result in the bridged VLANs.

[0067] The source and destination VLANs are identical and the creator did not issue the request (304). In this case, the creator authenticates the requester for membership into the Personal VLAN (306).

[0068] In all other cases (308), the bridge first authenticates the request to make sure that the requester is the creator of the source VLAN (same as step 1 for joining VLANs served by physical ports only—see above) (310). If authentication succeeds (312), then the creator authenticates the requester for membership into the destination VLAN (314).

[0069] When joining a personal VLAN, the destination VLAN set is preferably limited to exactly one VLAN, i.e. the source VLAN. It is constrained in this way because the request would otherwise reflect an attempt by a station to bridge a VLAN it does not own to other VLANs, something it is not authorized to do. The owner of a VLAN can join a new VLAN and, as a result, all its member stations also become members of the new VLAN.

[0070] Authentication of a requester by a creator is facilitated by a control channel of the bridge and respective Auth/Supplicant modules 50, 52, 54. The bridge uses the channel to relay authentication protocol messages between the creator and requester. Management of the control channel and relaying messages can be implemented using, for example, IEEE 802.1X, IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control IEEE Std 802.1X-2001. In the 802.1X model, the requester is the Supplicant and the creator is the Authenticator. If the creator can authenticate the requester, then it shares the SA it holds with the bridge with the requester as well. It is not the bridge's responsibility to decide whether it should share with the requester the SA it holds with the creator. This is the creator's responsibility. There are many ways to achieve sharing. One way is to use the requester's public key to encrypt a Transport-Layer Security (TLS v1.0) pre-master secret from which the SA could be derived at the requester's station.

[0071] Ingress Filtering at Logical Ports

[0072] A security association contains at least two keys, one for encryption and the other for computing an authentication code, referred to herein as the Message Integrity Code (MIC). Uniquely, the SA is associated with a VLAN. The authentication code is used to limit traffic at the logical port to members of an entire VLAN, while encryption keeps the traffic private except to members. Only stations having the SA belong to the VLAN. There is a single broadcast domain for each SA. All stations having the SA belong to the same broadcast domain. Therefore, no separate encryption key is needed for broadcasts.

[0073] A physical port may serve more than one VLAN by virtue of having multiple logical ports associated with it (see FIG. 1). Therefore, unless the frame received at such a port carries a VID, its VLAN classification must use rules beyond port-based classification. See IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks IEEE Std 802.1Q-1998, D.2.2. Otherwise, there is no way to know at this stage which VID should be assigned from among the VLANs served by the port. It is necessary to identify the logical port through which the frame is received.

[0074] See FIG. 8 in connection with the following discussion. If the received frame carries a null VID or is untagged (400), then its source MAC address is used to determine a preliminary VLAN classification (402). This is the PVID of a logical port. If the frame carries a VID, then the VID is used as the preliminary classification instead (404). The preliminary classification is used to index into a table of security associations giving a MIC key (406). The received frame carries a MIC computed over the frame payload using a message digest algorithm, e.g. HMAC-MD5, agreed upon by both the bridge and requester at authentication time and recorded in the SA. The Personal VLAN bridge recomputes the MIC (408), using its MIC key, over the payload of the received frame, and then compares it with the received MIC (410). If they match (412), then the preliminary VLAN classification becomes the final VLAN classification (414). The final classification is used as the value of the VLAN classification parameter of any corresponding data request primitives (416). The frame is then decrypted, using the SA, and then submitted to the IEEE802.1Q Forwarding and Learning Processes (418). Otherwise, the frame is discarded.

[0075] Egress Filtering at Logical Ports

[0076] In the VLAN bridge model, if the transmission port for a frame that belongs to some VLAN is not in the member set of the VLAN, then the frame is discarded. The same rule applies to all logical transmission ports.

[0077] Although the invention is described herein with reference to the preferred embodiment, one skilled in the art will readily appreciate that other applications may be substituted for those set forth herein without departing from the spirit and scope of the present invention. Accordingly, the invention should only be limited by the claims included below.

Claims

1. An apparatus for segregating traffic amongst a plurality of stations that are associated with an access point, comprising: a LAN segment; and a personal virtual bridged local area network (personal VLAN) for partitioning said LAN segment logically into multiple virtual bridged local area networks (VLANs).

2. The apparatus of claim 1, said personal VLAN further comprising: a VLAN bridge for forwarding unicast and group frames only to those ports that serve the VLAN to which the frames belong.

3. The apparatus of claim 1, said personal VLAN further comprising: a protocol for VLAN discovery.

4. The apparatus of claim 1, said personal VLAN further comprising: means for allowing a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol.

5. The apparatus of claim 1, said personal VLAN further comprising: one or more logical ports in which a Personal VLAN bridge can maintain more than one logical port per physical port, and bridges between ports of any kind.

6. The apparatus of claim 1, said personal VLAN further comprising: means for cryptographic VLAN separation in which in a Personal VLAN, a logical port serves at most one VLAN but, because there may be more than one logical port per physical port, more than one VLAN may exist on a physical port.

7. The apparatus of claim 1, wherein traffic within one VLAN is separated from another VLAN on a same physical port by cryptography.

8. The apparatus of claim 1, wherein an authentication code uniquely identifies a VLAN to which traffic belongs, while another level of encryption keeps traffic private except to members of said VLAN.

9. The apparatus of claim 1, said personal VLAN further comprising: an extended protocol comprising the IEEE 802.1Q-1998 (Virtual Bridged LANS) protocol.

10. The apparatus of claim 1, further comprising: means for providing layer-2 VLAN support across routers.

11. The apparatus of claim 1, further comprising: means for implementing a spanning tree algorithm when a personal VLAN permits an STA to create a VLAN where the STA itself is a bridge.

12. A method for segregating traffic amongst a plurality of stations that are associated with an access point, comprising the steps of: providing a distribution system comprising multiple virtual local area networks (VLANs), wherein every station that associates with said access point can create a new VLAN with itself and said distribution system as its members, wherein a creator of a new VLAN can authenticate stations that wish to join said new VLAN; and separating traffic between trusted and untrusted stations even though they associate with a same access point.

13. The method of claim 12, further comprising the step of: discovering existing VLANs.

14. The method of claim 12, further comprising the step of: joining an existing VLAN.

15. A method for segregating traffic amongst a plurality of stations that are associated with an access point, comprising the steps of: providing a protocol for virtual local area network (VLAN) discovery; allowing a station to create a new port that serves a new VLAN, or to join an existing VLAN. maintaining more than one logical port per physical port; and providing cryptographic VLAN separation, wherein traffic within one VLAN is separated from another VLAN on a same physical port by cryptography.

16. The method of claim 15, further comprising the step of: providing an authentication code that uniquely identifies a VLAN to which traffic belongs.

17. The method of claim 16, further comprising the step of: providing an encryption mechanism for keeping traffic private except to members of said VLAN.

18. The method of claim 15, further comprising the step of: providing for every port a personal VLAN control channel for sending and receiving control frames and authentication protocol frames.

19. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, an apparatus for virtual local area network (VLAN) discovery, comprising: a personal VLAN bridge for partitioning a LAN segment logically into multiple VLANs; and server and client VLAN discovery agents associated with said VLAN bridge for discovering other VLANs and/or allowing VLANs that said VLAN bridge serves to be discovered.

20. The apparatus of claim 19, further comprising: means for transmitting a discover frame.

21. The apparatus of claim 20, further comprising: in response, means for transmitting a VLAN-OFFER frame to a source MAC address of said discover frame; wherein said offer frame lists at least some of the VLANs served by a bridge and information that can be used to select from among them.

22. The apparatus of claim 19, further comprising: means for receiving a request to serve a new VLAN.

23. The apparatus of claim 22, wherein said request contains a virtual LAN ID (VID) of a new VLAN.

24. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for requesting service for a new virtual local area network (VLAN), comprising the steps of: a bridge receiving a request frame with a source MAC address through a control channel of a physical port, wherein a holder of said MAC address is a requester; receiving said request frame initiating an authentication protocol with said requester through said control channel; discarding said request if said requester cannot be authenticated, or is not authorized to request VLAN service from said bridge; creating a new logical port and associating said new logical port with a physical port through which said request frame is received if there is no conflict in using a virtual LAN ID (VID) requested; otherwise, said bridge negotiating a VID with said requester; and updating port state information for said logical port to include a security association, shared with said requester, that is in effect for all traffic through said port

25. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for linking a new virtual local area network (VLAN) to one or more existing VLANs served by physical ports of a bridge, comprising the steps of: sending a join-VLAN request over a control channel; authenticating said request wherein, if authentication fails, said request is discarded; adding a logical port that serves a source VLAN to a member set of every virtual LAN ID (VID) in a set of VIDs for VLANs served by a set of physical ports which comprise destination VLANs; and adding every physical port in said set of physical ports to a member set of said source VLAN; and forming an untagged set of said source VLAN by taking a union of all untagged sets for VIDs in said set of VIDs for VLANs served by a set of physical ports which comprise destination VLANs; wherein if a request frame contains a null VID in its tag header, or it is untagged, then a logical port of said bridge is added to an untagged set of every VID in set of VIDs for VLANs served by a set of physical ports which comprise destination VLANs.

26. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for joining a personal virtual local area network (VLAN) served by a logical port, comprising the steps of: if source and destination VLANs have a same creator, and said creator issued a join-VLAN request, then said request is discarded; if said source and destination VLANs are identical and said creator did not issue said request, then said creator authenticates said requester for membership into said personal VLAN; and in all other cases, a bridge first authenticates said request to make sure that said requester is the creator of said source VLAN; wherein if authentication succeeds, then said creator authenticates said requester for membership into said destination VLAN; and wherein said requester authenticated said creator to make sure that said creator is the creator of said destination VLAN.

27. In a system for segregating traffic amongst a plurality of stations that are associated with an access point, a method for authenticating a request for joining a personal virtual local area network (VLAN) served by a logical port, comprising the steps of: providing a personal VLAN bridge having a control channel for authentication of a requester by a creator; said personal VLAN bridge using said control channel to relay authentication protocol messages between said creator and said requester; and if said creator can authenticate said requester, then said creator sharing a security association it holds with said personal VLAN bridge with said requester as well.

28. The method of claim 27, further comprising the step of: providing ingress filtering at logical ports.

29. The method of claim 27, wherein said security association contains at least two keys, one key for encryption and another key for computing an authentication code, wherein said security association is associated with a VLAN, wherein said authentication code is used to limit traffic at a logical port to members of an entire VLAN, wherein encryption is used to keep traffic private except to members, wherein only stations having said security association belong to said VLAN, and wherein all stations having said security association belong to the same broadcast domain.

30. The method of claim 28, wherein a physical port may serve more than one VLAN by having multiple logical ports associated with it.

31. The method of claim 27, further comprising the steps of: if a received frame carries a null virtual LAN ID (VID) or is untagged, then using its source MAC address to determine a preliminary VLAN classification of a logical port; if said frame carries a VID, then using said VID as said preliminary classification instead; using said preliminary classification to index into a table of security associations giving an authentication code key; said received frame carrying an authentication code computed over a frame payload using a message digest algorithm agreed upon by both said personal VLAN bridge and said requester at authentication time and having been recorded in said security association; said personal VLAN bridge re-computing said authentication code, using said authentication code as an authentication code key, over said payload of said received frame; comparing said re-computed authentication code with said received authentication code; wherein if said re-computed authentication code and said received authentication code match, then said preliminary VLAN classification becomes a final VLAN classification; using said final classification as a value of a VLAN classification parameter of any corresponding data request primitives; decrypting said frame using said security association; and submitting said decrypted frame to a forwarding and learning process; otherwise, discarding said frame.

32. The method of claim 27, wherein if a transmission port for a frame that belongs to a VLAN is not in a member set of said VLAN, then said frame is discarded.

33. An apparatus for segregating traffic amongst stations (STAs) that are associated with a bridge, comprising: a personal virtual bridged local area network (personal VLAN) that uses a VLAN to segregate traffic.

34. The apparatus of claim 33 said personal VLAN further comprising: means associated with said personal VLAN for partitioning a LAN segment logically into multiple VLANs; and a personal VLAN bridge associated with said personal VLAN for forwarding unicast and group frames only to those ports that serve a VLAN to which said frames belong.

35. The apparatus of claim 34, wherein said personal VLAN bridge extends a standard VLAN bridge in at least any of the following ways: VLAN discovery in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension in which a personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol; logical ports in which a personal VLAN bridge maintains more than one logical port per physical port, and bridges between ports of any kind; and cryptographic VLAN separation in which in a personal VLAN, a logical port serves at most one VLAN but, because there may be more than one logical port per physical port, more than one VLAN may exist on a physical port.

36. The apparatus of claim 35, wherein traffic within one VLAN is separated from another VLAN on a same physical port by cryptography.

37. The apparatus of claim 35, wherein an authentication code uniquely identifies a VLAN to which said traffic belongs, while another level of encryption keeps traffic private except to members of said VLAN.