10

I've been reading about protected management frames, introduced in 802.11w, and had a few questions.

Apparently, a message integrity check is provided with de-authentication frames, allowing either the Access Point or Client to ignore spoofed frames with a bad MIC. I read that this MIC is derived from the PSK (e.g. WPA2 key). Does this mean that these frames are still spoofable from inside the network (i.e. if you own the PSK)? Or does it defend against insider de-auth attacks as well?

Finally, I also discovered 802.11w does not defend against most other attacks such as RF jamming, evil twin and rogue APs, but it does defend against misassociation attacks and de-auth attacks. Is it still useful for this reason? Despite them seeming very useful, I have not heard much about Protected Management Frames and cannot really find much information about them from after 2009. Are they widely used? In public and private networks?

Vilican

dahui

1 Answer

16

I read that this MIC is derived from the PSK (e.g. WPA2 key). Does this mean that these frames are still spoofable from inside the network (i.e. if you own the PSK)? Or does it defend against insider de-auth attacks as well?

If you have the AP's MAC address, SSID and WiFi password then you have everything you need to impersonate an AP running 802.11w anyway (how else are the clients going to know the difference between real and fake?). So while a user on the LAN alone (i.e. they have plugged themselves into a nearby networking switch) may not be able to spoof your AP without having the PSK, it does not defend against users who are trusted on the wireless (and have the ability to recover the wireless password) sending de-auths to other clients.

does not defend against most other attacks such as RF jamming, evil twin and rogue APs, but it does defend against misassociation attacks and de-auth attacks. Is it still useful for this reason?

Put simply, 802.11w just signs the integrity of management frame packets as coming from the AP. Previously, a MAC spoof of the AP was all it took to pretend to be the router asking you to leave the network. So once you know this, 802.11w will obviously not guard against jamming caused by a splatter of nonsense in the RF (because 802.11w is not above the laws of physics) or another AP with the same SSID and PSK and a stronger signal (because then the clients will just join that instead anyway).

802.11w, put simply, is there to stop the man/woman in the street telling your devices to disassociate from the WiFi network (in the hope of capturing your authentication data to then bruteforce the PSK); that is who it's protecting against. 802.11w is NOT there to defend against someone determined who is already on the inside from impersonating your access points or who can just jam every 2.4GHz frame on those channels in that area.

If your clients support 802.11w (and they support it well!) and your Cisco AP isn't running a buggy 802.11w implementation itself, then why not turn it on :-)?

I have not heard much about Protected Management Frames and cannot really find much information about them from after 2009. Are they widely used? In public and private networks?

"802.11w is an IEEE standard based on Cisco’s Management Frame Protection (MFP), a feature that was first supported on autonomous access points in release 12.3(8)JA in 2006 and in the unified release 4.0.155.5 in 2008. 802.11w isn’t a new standard. IEEE ratified the 802.11w standard in 2009, however the adoption has been slow to date, but that is expected to change with Windows 8."

Windows did not really support it until Windows 8 and up (though I speculate, given it's the driver that supports it, that probably any new driver does, and very likely 802.11ac-supporting ones).

There are also some horrendously buggy wireless implementations that claim to support message signing (because they have just repeated back the AP saying it supported it) but then refuse to sign even a single packet with it. See also https://supportforums.cisco.com/discussion/12543141/wap371-firmware-v1202-wireless-client-incompatibility which also links off to a list of bad clients I have discovered (I don't have the rep points on this site to post more than 2 links yet).

I also found this online (unable to link to source due to reputation limitation):

"The IEEE 802.11w amendment added this functionality to the 802.11 standard and since July 1st 2014, the Wi-Fi Alliance (WFA) made the support of Protected Management Frames (PMF) mandatory to pass 802.11ac or Passpoint aka HotSpot2.0 R2 interoperability certification. So we will see a much greater adoption of this feature in the near future."

The standard is probably the best guide to read (http://standards.ieee.org/getieee802/download/802.11w-2009.pdf).

802.11w uses AES in CMAC mode and AES was added as part of WPA2, so WPA2 support looks required to enable it.

Also to help your research, Cisco refer to it as Management Frame Protection (MFP) but the standard refers to it as Protected Management Frames (PMF). "For reference, 802.11w was rolled up in the 802.11-2012 maintenance release of the 802.11 standard."

Matthew1471