Background

The IEEE 802.11 specification defines a hierarchy of three states a client can be in. When a client wishes to connect to an Access Point (AP) he progresses from state 1 to 2 to 3. The client progresses initially from state 1 to state 2 by successfully authenticating (this authentication stage happens even when there is no security enabled). Similarly the client progresses from state 2 to 3 by associating. Once a client as associated he enters state 3 and can transmit data using the AP.

Unlike ethernet, 802.3, or other link layer headers, 802.11 headers contain at least 3 addresses: source, destination, and Basic Service Set ID (BSSID). The BSSID can be best thought of as a through field. Packets destined for the APs interface have both destination and BSSID set to the same value. A packet destined to a different host on the same WLAN however would have the BSSID set to the AP and the destination set to the host.

The state transition diagram in the standard dictates that if a client receives an association response with a different BSSID than the BSSID that it was associating with, then the client should associate to the new BSSID. The technique of sending an association response with a different BSSID in the header is known as association redirection. While the motivation for this idiosyncrasy is unclear, it can be leveraged to dynamically create what has been described as a personal virtual bridged LAN (PVLAN).