802.11 Roaming Keith Amann, Spectralink May 2004 802.11 Roaming Keith Amann, Spectralink Nancy Cam-Winget, Cisco Systems Darwin Engwer, Nortel Networks Nancy Cam-Winget, et. al.
Presentation Agenda and Scope May 2004 Presentation Agenda and Scope Agenda: present a tutorial of how 802.11 STAs may roam using (almost) current standards Scope includes: Existing standards: 1999 base, 802.11a, 802.11b, 802.11d, 802.11f, 802.11g and 802.11h Already or soon to be amendments: 802.11e, 802.11i (and WPA) Does not consider: 802.11j, 802.11k and 802.11n Nancy Cam-Winget, et. al.
May 2004 Roaming Definition Roaming occurs when an STA changes it’s association from one AP to another within the same ESS: i.e. the SSIDs of the two APs are identical this is called a “BSS-transition” per clause 5.4.2.1.b uses the reassociation service per clause 5.4.2.3 Changing to an AP with a different SSID represents a change to a different network. This is a meta-case and is not discussed in this presentation. (“ESS-transition” per 5.4.2.1.c) Nancy Cam-Winget, et. al.
Roaming Flow partitioned into 2 Phases May 2004 Roaming Flow partitioned into 2 Phases Phase 1: Discovery The STA determines which AP to roam to based on varying techniques STA may scan and probe various AP’s to make “best AP” determination STA may pre-authenticate with “best AP” or various AP’s employing TGi Phase 2: Commit The STA commits to roam to an AP the instant it triggers a reassociation request to the AP Premise: A STA can only be associated with one AP at any given point in time (per clause number 5.4.2.2) The ESS completes service transition from old AP to new AP Nancy Cam-Winget, et. al.
Core Roaming Sequence 1) STA is communicating with AP1. May 2004 Core Roaming Sequence 1) STA is communicating with AP1. 2) STA decides to move to AP2. 3) STA forms association with AP2 During this process: STA breaks the association with AP1 AP2 could use some TBD mechanism to tell AP1 to remove association state for this STA once the STA has fully associated with AP2 STA and AP2 either establish fresh PTKs or determines PTK liveness STA obtains GTKs 4) STA begins using AP2 for data traffic (the BSSID, in the Address1 field, in the MPDUs from this STA is now set to AP2's MAC address). Goal is to measure time commencing at Step 3 Nancy Cam-Winget, et. al.
Admission Ctrl, Stream Setup May 2004 Roaming (using TGi) STA APs … Probe Requests Probe Response Discovery Other APs New AP Re-association Exchange … 802.1X EAP Authentication IAPP Commit Phase 4-way handshake 50 ms Time requirement starts here… Admission Ctrl, Stream Setup Nancy Cam-Winget, et. al.
Optimizing Roam with pre-auth May 2004 Optimizing Roam with pre-auth STA APs … Probe Requests Probe Response Discovery … 802.1X EAP Authentication Other APs New AP IAPP Re-association Exchange Commit Phase 4-way handshake 50 ms Time requirement starts here… Admission Ctrl, Stream Setup Nancy Cam-Winget, et. al.
May 2004 Roam Flows There are different interfaces within 802.11 that drive some events To gain a better appreciation, a closer inspection of each Discovery and Commit phases are presented Nancy Cam-Winget, et. al.
Discovery Phase …with 802.11i pre-auth May 2004 STA SME STA MLME AP3 MLME-SCAN.request (SSID) Passive Scanning Beacon(AP1-BSSID, SSID) Beacon(AP2-BSSID, SSID) Beacon(AP3-BSSID, SSID) Active Scanning Probe Request(SSID) Probe Response(AP1-BSSID, SSID) Probe Response(AP2-BSSID, SSID) Probe Response(AP3-BSSID, SSID) MLME-SCAN.confirm (SSID) If multiple AP’s are found: STA determines which AP to “join” 802.11i also states (Clause 8.4.6): If a STA’s MLME-SCAN.confirm primitive finds another AP within the current ESS, a STA may signal its supplicant to use 802.1X to pre-authenticate to that AP. The STA must ensure that pairwise keys are used and the AP supports pre-authentication MLME-JOIN.request (SSID) MLME-JOIN .confirm (SSID) Nancy Cam-Winget, et. al.
802.11 Commit Phase (e.g. no admission control) May 2004 802.11 Commit Phase (e.g. no admission control) STA SME STA MLME AP1 MLME AP1 SME AS MLME-AUTHENTICATE.request (Open) Authentication Request (Open) MLME-AUTHENTICATE.indication Authentication Response (Open) MLME-REASSOCIATE.request Reassociate Request MLME-REASSOCIATE.indication Reassociate Response MLME-REASSOCIATE.confirm EAP ID Request EAP ID Request EAP Authentication (EAP-type determines number of message and process requirements) Msg 1: 4-way handshake Msg 2: 4-way handshake Msg 3: 4-way handshake MLME-SETKEYS.request (PTK,GTK) MLME-SETKEYS .confirm Msg 4: 4-way handshake MLME-SETPROTECTION.request MLME-SETKEYS.request (PTK,GTK) MLME-SETKEYS .confirm MLME-SETKEYS .confirm MLME-SETPROTECTION.request MLME-SETPROTECTION .confirm Nancy Cam-Winget, et. al.
802.1X EAP Authentication moved to Discovery Phase May 2004 Commit Phase …with 802.11i pre-auth STA SME STA MLME AP1 MLME AP1 SME AS MLME-AUTHENTICATE.request (Open) Authentication Request (Open) MLME-AUTHENTICATE.indication Authentication Response (Open) MLME-REASSOCIATE.request Reassociate Request MLME-REASSOCIATE.indication Reassociate Response MLME-REASSOCIATE.confirm 802.1X EAP Authentication moved to Discovery Phase EAP ID Request EAP ID Request EAP Authentication (EAP-type determines number of message and process requirements) Msg 1: 4-way handshake Msg 2: 4-way handshake Msg 3: 4-way handshake MLME-SETKEYS.request (PTK,GTK) MLME-SETKEYS .confirm Msg 4: 4-way handshake MLME-SETPROTECTION.request MLME-SETKEYS.request (PTK,GTK) MLME-SETKEYS .confirm MLME-SETKEYS .confirm MLME-SETPROTECTION.request MLME-SETPROTECTION .confirm Nancy Cam-Winget, et. al.
Current (security) optimizations help some…. May 2004 Current (security) optimizations help some…. PMK Caching helps only when roam returns to a previous AP Pre-authentication moves the problem from the Commit to the Discovery Phase. Nancy Cam-Winget, et. al.
Other issues to Discuss May 2004 Other issues to Discuss For voice, are other considerations required? Admission control Billing, accounting Where does admission control happen? Prior to commit but after discovery phase or after commit Does pre-establishment of a security association help? Discovery phase has a time limit associated with it? Security association not assured to be valid at the commit time Nancy Cam-Winget, et. al.
Overview of roaming sequence: May 2004 Overview of roaming sequence: discovery of candidate APs check resource availability prior to roam event roaming event triggered reassociate request to AP2 handover from AP1 to AP2 [IAPP] What needs to be handed from AP1 to AP2? AP2 sends reassociate response AP2 and STA must complete the WPA or TGi handshakes before first data packet is exchanged Nancy Cam-Winget, et. al.
Beginning of the Roaming Interval May 2004 Beginning of the Roaming Interval Defined: The last point in time when all network components know and agree upon the link path [to the STA]. The relevant components are: the STA the AP (AP1) the infrastructure network... Nancy Cam-Winget, et. al.
Beginning of the Roaming Interval May 2004 Beginning of the Roaming Interval Is it: the start of the Scan process? (i.e. MU sends probe request) No, STA could have scanned in advance No, STA could be doing passive scanning the start of the Join process? No, does not include any lost service due to possible scanning the reassociation request? No, again may not include any lost service due to possible scanning From the STA’s perspective the last data frame received from AP1 marks a definitive point in time when service via AP1 was known to be good. Nancy Cam-Winget, et. al.
End of the Roaming Interval May 2004 End of the Roaming Interval Defined: The point in time when all network components know and agree upon the new link path [to the STA]. The relevant components are: the STA the old AP (AP1) the new AP (AP2) the infrastructure network From the STA’s perspective the first data frame received from AP2 marks a definitive point in time when service via AP2 is known to be good. Nancy Cam-Winget, et. al.
May 2004 Roaming Interval Defined: the end of service from AP1 and the start of service from AP2 Beginning: last data frame successfully received from AP1 End: first data frame successfully received from AP2 Nancy Cam-Winget, et. al.
Some of the slides in this presentation were evolved or taken from: May 2004 Acknowledgements Many thanks to…. Thomas Maufer for providing valuable input and review comments Stefano Faccin for his early participation Some of the slides in this presentation were evolved or taken from: 11-04-0086-02-frfh-measurement-802-11-roaming-intervals.ppt Nancy Cam-Winget, et. al.
May 2004 Comments? Nancy Cam-Winget, et. al.