I was looking at information on authenticating with WEP and found that the AP sends an unencrypted challenge, then the client is supposed to send the encrypted challenge back. When deauthenticating is the request sent encrypted or unencrypted?

What I'm trying to ask is how does Aireplay do the deauth attack?