doc.: IEEE 802.11-01/252
May 2001
16 January 2019

Fast Handoff Issues
Bernard Aboba, Microsoft

Outline
- Problem Statement
- Overall latency budget
- Pre-authentication
- Fast-Handoff
- Performance diagram
- Key Generation

Problem Statement
- To attempt to complete all activities necessary for a STA to be functional when connected to a new AP
  - More than just an 802.11 problem, but 802.11 latency is important
- Definition of “functional” depends on the application
- Example applications
  - Multimedia streaming (150 ms)
  - VOIP (50 ms)

Latency Budget

Layer | Item | Time (ms)
--- | --- | ---
L2 | 802.11 scan (passive) | 0 ms (cached), 1 second (wait for Beacon)
L2 | 802.11 scan (active) | 40 to 300 ms
L2 | 802.11 assoc/reassoc (no IAPP) | 2
L2 | 802.11 assoc/reassoc (w/ IAPP) | 40
L2 | 802.1X authentication (full) | 1000
L2 | 802.1X authentication (fast resume) | 250
L2 | Fast handoff (4-way handshake only) | 60
L3 | DHCPv4 |
L3 | Initial RS/RA | 5
L3 | Wait for subsequent RA | 1500
L3 | DAD (full) |
L3 | Optimistic DAD |
L3 | MN-HA BU | 1 RTT (IKE w/HA SA), 4 RTT (IKE w/CoA SA)
L3 | MN-CN BU | 1-1.5 RTT (CAM) to 2.5 RTT (RR)
L4 | TCP parameter adjustment (status quo) | 5000 (802.11/CDMA) - 20000 (802.11/GPRS)
Best case | All fixes | 150 ms
Average case | 6to4, RR, Active scan | 1300 ms
Worst case | No TCP changes, full EAP auth, IAPP, DHCPv4 | 25000 ms

Pre-Authentication w/802.1X
[Figure: STA between AP A (Channel 6) and AP B (Channel 11); labels c, v, D]
- STA authenticates and associates to AP A on Channel 6
  - 802.1X data frames with “From DS” and “To DS” set to false (Class 1)
- STA does passive or active scan, moves, selects AP B as “potential roam”
- STA authenticates to AP B before connectivity is lost to AP A (if $\Delta T < c/v$)
  - Can send unicast 802.1X data frames to AP B, forwarded by AP A
  - “From DS” or “To DS” set to true (Class 3)
  - Can tune radio to Channel 11 (if $B > r \Delta T$)
- STA reassociates to AP B

Reassociation w/4-way Handshake Only
[Figure: STA between AP A (Channel 6) and AP B (Channel 11); labels c, v, D]
- STA had previously associated with AP B
- STA authenticates and associates to AP A on Channel 6
  - 802.1X data frames with “From DS” and “To DS” set to false (Class 1)
- STA does passive or active scan, moves, selects AP B as “potential roam”
- STA recognizes that it has already derived a PMK with AP B that still has lifetime remaining
- STA sends Reassociation Request to AP B, asserts the “PMK cached” bit, receives Reassociation Response with “PMK cached” bit set (means AP has a PMK for the STA)
- STA completes 4-way handshake with AP B

Pre-Authentication Performance
- Maximum velocity (no PMK cached on AP B)
  - $v = c / \Delta T_{PA}$
  - $\Delta T_{PA} = \Delta T_{SCAN} + \Delta T_{802.1X} + \Delta T_{4way} + \Delta T_{REASSOC}$
  - Example: c = 2 ft; $\Delta T$ = 250 ms (fast resume), V = 8 ft/sec (5.5 MPH, pedestrian)
  - If STA can learn of alternative APs via other mechanisms (e.g. advertisement over IP), then c ~ D.
- Maximum velocity (PMK cached on AP B)
  - $\Delta T_{PA} = \Delta T_{SCAN} + \Delta T_{4way} + \Delta T_{REASSOC}$
  - Example: c = 2 ft; $\Delta T$ = 100 ms, V = 20 ft/sec (14 MPH)
- Server load
  - Do a full authentication for all APs in the roaming set (N) for which a PMK has not been derived and cached
  - Authentication Load = $N \cdot V / D$ (for path with all new APs)
  - Authentication Load = $N \cdot V / (D \cdot T_{key})$ (for path with old APs)

Fast Handoff
[Figure: STA between AP A (Channel 6) and AP B (Channel 11); labels c, v, D]
- STA authenticates and associates to AP A on Channel 6
  - PMK provided to AP B via IAPP or AAA (University of Maryland proposal)
- STA does passive or active scan, moves, selects AP B as “potential roam”
- STA authenticates to AP B
- STA reassociates to AP B

Fast Handoff Performance
- Maximum velocity calculation
  - $v = D / \Delta T_{FH}$
  - $\Delta T_{FH} = \max(\Delta T_{SCAN}, 2\,RTT_{AAA}) + \Delta T_{4way} + \Delta T_{REASSOC}$
  - Example: D = 100 ft, $\Delta T_{SCAN}$ = 40 ms, $RTT_{AAA}$ = 50 ms, $\Delta T_{4way}$ = 60 ms, $\Delta T_{REASSOC}$ = 10 ms
  - V = 100 ft/170 ms = Mach 0.6!
- Server load
  - Do a key generation + 2 AAA round-trips for all APs in the neighbor set (M) where cache entry is still valid
  - Key lifetime has a large impact on performance
  - Load multiplied by $2M \cdot V / (D \cdot T_{key})$

The Problem Space
[Figure: Rate ($B/\Delta T$) versus Station Velocity (Stationary, Pedestrian, Vehicular, High Speed). Regions: Scan + Pre-auth via Old AP; Scan + Radio tuning; Fast Handoff; Faster Handoff; Association not possible. Velocity markers: $c/\Delta T_{PA}$, $D/\Delta T_{FH}$, $D/\Delta T_{Reassoc}$]

Issues with Fast Handoff
- Key lifetime
  - Load proportional to reciprocal of key lifetime
- PMK “generations”
  - AP, STA may need to keep both current and previous PMKs
  - Performance is best if PMKs are not updated until key lifetime expires
  - Reuse the PMK, but rerun 4-way handshake to ensure liveness
  - Works with pre-authentication too (if STA revisits an AP with a cached PMK)
- Binding attacks
  - With Fast Handoff, key binding attacks are easier to carry out

Issues With Fast Handoff (cont’d)
- EAP method compatibility
  - PRF used to generate handoff PMKs should not depend on the EAP method
  - Most EAP methods cannot export the MK
  - PMK for fast handoff cannot be calculated from the MK
  - For Perfect Forward Secrecy (PFS), handoff PMK must be computed from a quantity that the AP does not have access to
- Alternatives:
  - MSK (63,127) (not transmitted to NAS in RFC 2548)
  - Not supported by Diameter EAP

TGi Pairwise Key Hierarchy
- Master Key (MK)
- Pairwise Master Key (PMK) = MSK(0,31)
- Pairwise Transient Key (PTK) = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC Addr | STA MAC Addr)
  - Key Confirmation Key (KCK) – PTK bits 0–127
  - Key Encryption Key (KEK) – PTK bits 128–255
  - Temporal Key – PTK bits 256–n – can have cipher suite specific structure

Alternative PMK Calculation
- Variation on University of Maryland approach
  - PMK generated for an AP only when a full authentication occurs, or key lifetime expires
  - No PMK “generations”
- Example Formulas
  - PMK0 = MSK (0,31)
  - PMK1-B = Handoff-PRF(MSK(63,95), PMK0, APB-MAC-Addr, STA-MAC-Addr)
  - PMK1-E = Handoff-PRF(MSK(63,95), PMK0, APE-MAC-Addr, STA-MAC-Addr)
- STA roams to APB: PMK1-B PMK0
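
The key hierarchy and the per-AP handoff PMK formulas above, worked through as an added example (not code from the presentation). Handoff-PRF and EAPoL-PRF are not specified on the slides, so an HMAC-SHA256 counter-mode PRF stands in for both as an assumption; the labels, the MSK and the MAC addresses are constructed, and the MSK(first,last) octet ranges are used exactly as printed.

```python
import hashlib
import hmac

def octets(key: bytes, first: int, last: int) -> bytes:
    """Slide notation KEY(first,last): inclusive octet range, indices as printed."""
    return key[first:last + 1]

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """Stand-in for Handoff-PRF / EAPoL-PRF (assumption): HMAC-SHA256, counter mode."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]

def handoff_pmk(msk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMK1-x = Handoff-PRF(MSK(63,95), PMK0, APx-MAC-Addr, STA-MAC-Addr)."""
    pmk0 = octets(msk, 0, 31)
    # Keyed with MSK octets that, per the slides, are not transmitted to the NAS.
    return prf(octets(msk, 63, 95), b"handoff", pmk0 + ap_mac + sta_mac, 32)

def derive_ptk(pmk, ap_nonce, sta_nonce, ap_mac, sta_mac, tk_len=16):
    """PTK = EAPoL-PRF(PMK, AP Nonce | STA Nonce | AP MAC | STA MAC), then split."""
    ptk = prf(pmk, b"pairwise", ap_nonce + sta_nonce + ap_mac + sta_mac, 32 + tk_len)
    # PTK bits 0-127, 128-255, 256-n
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

# Constructed sample values (not real keys or addresses).
MSK = bytes(range(128))
STA = bytes.fromhex("020000000001")
AP_B = bytes.fromhex("0200000000b0")
AP_E = bytes.fromhex("0200000000e0")

def demo():
    pmk_b = handoff_pmk(MSK, AP_B, STA)
    pmk_e = handoff_pmk(MSK, AP_E, STA)
    # Same cached PMK at AP B, two 4-way handshakes with fresh nonces.
    first = derive_ptk(pmk_b, b"\x01" * 32, b"\x02" * 32, AP_B, STA)
    again = derive_ptk(pmk_b, b"\x03" * 32, b"\x04" * 32, AP_B, STA)
    return pmk_b, pmk_e, first, again

if __name__ == "__main__":
    pmk_b, pmk_e, first, again = demo()
    print("per-AP PMKs differ:", pmk_b != pmk_e)
    print("fresh nonces give a new KCK:", first["KCK"] != again["KCK"])
```

Because the AP MAC address is an input, the PMK held by AP B is useless at AP E, and reusing a cached PMK still yields fresh KCK, KEK and temporal keys once the 4-way handshake supplies new nonces.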

Alternative Synchronization Example
- STA roam pattern: AB C D
[Figure: PMK generations 1 to 4; labels PMK0A, PMKB, PMKC, PMKD, PMKE, PMKG]

Binding Attacks
- With fast handoff, key binding issue becomes critical
- Example attack: NAS impersonation
  - In RADIUS, shared secret is verified based on the Source Address, not the NAS-Identifier, NAS-IPv6-Address or NAS-IP-Address attributes
  - Most proxies don’t check source address against these attributes either
  - Diameter has the Route-Record AVP, but not clear it solves the problem
- Result
  - A rogue NAS can claim to be any other NAS served by the AAA proxy
  - AAA server cannot verify the NAS identification attributes
  - In fast handoff via AAA, result will be PMK sent to a NAS of the attacker’s choice
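
The missing proxy-side check described above, sketched as an added example (not from the presentation): parse the NAS-Identifier, NAS-IP-Address and NAS-IPv6-Address attributes of a RADIUS request and compare them with the identity registered for the packet's source address. The KNOWN_NAS table, its names and its addresses are hypothetical.

```python
import ipaddress
import struct

# RADIUS attribute type numbers.
NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS = 4, 32, 95

# Hypothetical proxy client table: source address -> identity that NAS may assert.
KNOWN_NAS = {
    "192.0.2.10": {"id": "ap-a.example", "ip": "192.0.2.10"},
    "192.0.2.11": {"id": "ap-b.example", "ip": "192.0.2.11"},
}

def parse_attributes(packet: bytes) -> dict:
    """Collect the type/length/value attributes after the 20-octet RADIUS header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def check_nas_binding(source_ip: str, packet: bytes) -> list:
    """Return the mismatches between the packet's source and its NAS-* attributes."""
    entry = KNOWN_NAS.get(source_ip)
    if entry is None:
        return ["unknown source address"]
    attrs, problems = parse_attributes(packet), []
    if not any(t in attrs for t in (NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS)):
        problems.append("no NAS identification attribute")
    for raw in attrs.get(NAS_IDENTIFIER, []):
        if raw.decode("utf-8", "replace") != entry["id"]:
            problems.append("NAS-Identifier does not match source")
    for raw in attrs.get(NAS_IP_ADDRESS, []) + attrs.get(NAS_IPV6_ADDRESS, []):
        if len(raw) not in (4, 16) or str(ipaddress.ip_address(raw)) != entry["ip"]:
            problems.append("NAS address attribute does not match source")
    return problems

def build_request(attrs) -> bytes:
    """Constructed Access-Request (code 1) with a zero authenticator, for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```

This only rejects a NAS whose asserted identity disagrees with its source address; it does not bind the delivered PMK to that identity.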

Solution
- Key binding
  - Addition of NAS & STA Identification attributes to keying attribute packages
  - Addition of anti-replay attributes
    - Nonce?
    - Event-Timestamp
  - Question: do we need CMS keywrap to protect the binding?
- Status
  - Diameter EAP & NASREQ: vulnerable to attack
  - RFC 2869bis: vulnerable

Recommendations
- Add a “PMK cached” bit to Association/Reassociation Request/Response
  - Decreases latency and AAA server load
  - Useful for both pre-authentication and fast handoff
- Reserve (but do not allocate) bits in 4-way handshake
  - May be required to solve “generations” problem
  - Too early to know what form the solution should take
  - Specification can be left until later (maybe another PAR)

Feedback?