Motorola TGr Fast Handover Proposal
Authors: Steve Emeott, Tony Braskich, Floyd Simpson, Ruben Formoso, Stephen Wang (Motorola, Inc.)
Date: October 15, 2004
Steve Emeott (Motorola), et al.

Reasons for Pursuing Faster BSS Transitions
• The following are excerpts from the 802.11r PAR
  • The purpose of this project is to improve BSS transitions within an 802.11 ESS and to support real time constraints imposed by applications such as Voice over Internet Protocol (VoIP).
  • With increasing amounts of state being needed before connectivity is allowed as amendments are made to the 802.11 standard, the time taken to complete a BSS transition is increasing while next generation applications demand decreased BSS transition time.
  • The scope of this project are enhancements to the 802.11 Medium Access Control (MAC) layer to minimize or eliminate the amount of time data connectivity between the Station (STA) and the Distribution System (DS) is absent during a Basic Service Set (BSS) transition… Security must not be decreased as a result of the enhancement.

BSS Transition Time Definition
[Figure: network diagram; labels: Traffic Endpoint, Authentication Server, DS, Current AP, New AP, STA, BSS Transition]
• With Security enabled
  • The period between the last possible point in time where STA-TE communication can pass through the current AP, to the point in time where the first MSDU can pass through the controlled port [New AP]

STA Activities during BSS Transition
• (Re)association
  • Frame exchange to reconfigure the DS so a supplicant (STA) may communicate with the authentication server (AS) and, eventually, its TE
• Authentication
  • 10 frames initiating 802.1X authentication between a supplicant and an authentication server for establishing the PMK at a new AP
• 4-way Handshake
  • 4-frame exchange to test liveness of a new AP and STA and to establish the PTK to be used during a session
• 802.11e Admissions Control
  • Frame exchange required to ensure that time on the channel is reserved by a QoS-enabled AP for the QoS-enabled STA

Setting Up a PMK
[Figure: message sequence chart between Supplicant (STA), Authenticator (AP) and AS; messages shown: EAPOL-start; EAP-TLS: start; EAP-Req/ID; EAP-Resp/ID; EAP-TLS: client Hello; EAP-TLS: server Hello, server Cert, done; EAP-TLS: cert, change cipher, finished; EAP-TLS: change cipher, finished; EAP-TLS: empty; EAP-success; Transfer PMK; 802.11i authentication continues with 4-way handshake]
• Figure illustrates 802.1X EAP-TLS authentication between the station and an authentication server (AS)
• First message pair sets up EAPOL ID
• After 4 more message pairs, STA is authenticated and pairwise master key (PMK) has been calculated
• Finally, in last step, AS forwards PMK to current AP

4-way Security Handshake
[Figure: message sequence chart between STA and New AP; steps shown: Reassociation Request + PMKID; Locate PMK; Reassociation Response; 4-way H.S. #1 (ANonce); Calculate PTK; 4-way H.S. #2 (SNonce, MIC, RSN IE); Calculate PTK; 4-way H.S. #3 (ANonce, MIC, GTK, RSN IE); 4-way H.S. #4 (MIC); Authentication complete; data traffic may begin.]
• Once a PMK has been installed at both the STA and its current AP, the current AP initiates a 4-way handshake with the STA (figure illustrates case where PMK is cached at the new AP)
• The 4-way handshake ensures liveness by generating a unique pairwise transient key (PTK) to be used during a session
• The PTK is used for data encryption

Setting up a PMK in Advance
[Figures: two network diagrams captioned "Authentication" (top) and "Preauthentication" (bottom); labels in each: Traffic Endpoint, Authentication Server, DS, Current AP, New AP, STA, paths 1 and 2]
• EAPOL and 802.11i preauthentication (bottom figure) allows a STA to authenticate with a New AP in advance of a transition
• A station begins preauthentication by sending an EAPOL-Start message to the New AP
• Useful when a handover target is known in advance, or the number of neighbors is small
• The STA will then perform the 4-way handshake with New AP

Shortcomings of Current Procedure
• Full 802.1X authentication (e.g. EAP-TLS) involves many messages with a potentially slow AS
• Preauthentication is only a partial solution
  • Reverts to full authentication if the STA fails to preauthenticate prior to the transition (e.g. STA finds new target around the corner)
  • Load on both the channel and the server grows with number of potential handover targets, unless STA is selective
  • If a group of people move at the same time (e.g. leaving a room), load placed on the authentication server is high
  • May require communication with (slow) AS when the STA is pressed for time, due to an impending handover
• The handshaking that occurs during the BSS transition requires too many messages
• The STA must transition blindly, not knowing if the target AP will admit new traffic or not

Fast Handover Proposal
• Fast Handover Key
• Fast Handover Point (Depository)
• Split 4-way Handshake
• Preadmissions

Fast Handover Key (Part 1)
• A fast handover key is an 802.11i PMK
• It is obtained by a STA, from an authentication server, while the STA is associated with its current AP
• A fast handover PMKID identifies the fast handover key and is used when the STA transitions to a new AP
• After each transition, the STA must obtain a new fast handover key

Establishment of Fast Handover Key
[Figure: network diagram; labels: Traffic Endpoint, Authentication Server, DS, Current AP, New AP, STA, BSS Transition, paths 1 and 2]
• In this example, a STA uses a preauthentication process to establish a fast handover key at its current AP (through paths 1 and 2)
• EAPOL messages employed by the STA enable the fast handover key to be established at the current AP or at another suitable point (more details to follow)
• During a transition, a new AP may retrieve a station’s fast handover key from its previous AP (not shown)

Use of the Fast Handover Key
[Figure: network diagram; labels: Traffic Endpoint, Authentication Server, DS, Prior AP, New AP, STA, BSS Transition, steps 1 to 3]
• This figure shows a STA initiating a fast handover by transmitting the fast handover PMKID to the new AP in its reassociation message (step 1)
• Upon receiving the fast handover PMKID, the new AP obtains the fast handover key from the prior AP and commences the 802.11i handshake (steps 2 and 3)
• If the fast handover key is not available, the STA must go through full authentication

Fast Handover Point (Part 2)
[Figure: trust relationship diagram; labels: Supplicant, Intermediary, Authentication Server, Current AP, STA, Depository, Fast Handover Point, Authenticator, New AP, Trust via 802.1X, Trust via Shared Secret (twice)]
• Problem
  • The current AP of each STA is not always the most convenient or efficient location at which to store its fast handover key
  • There are scenarios to consider where centralized storage of the fast handover key is desired or where lightweight APs or WLAN switches are employed
• Solution:
  • The concept of a fast handover point (FHP), a depository for the fast handover key and related information
  • The FHP is introduced to allow the process of storing and distributing a fast handover key to be abstracted, and centralized
  • A trust relationship established via a shared key permits the depository to hold the fast handover key for future authenticators

Use of the Fast Handover Point
[Figures: two network diagrams; upper captioned "Current AP Depository", lower captioned "Fast Handover Point Depository"; labels: Traffic Endpoint, Authentication Server, Fast Handover Point (lower figure only), DS, Current AP, New AP, STA, paths 1 and 2]
• In the upper figure, the STA uses preauthentication to establish a fast handover key at its current AP
• In the lower figure, the STA establishes the fast handover key at its fast handover point instead
• If a fast handover point is not present in the network, the new AP should retrieve the fast handover key from the prior AP of the STA
• If trust relationships exist, the FHP may push the fast handover key out to a set of trusted neighbor APs, foreshortening the handshake

Fast Handover Point Implementation
• The fast handover point is a functional entity and may be implemented any number of ways:
  • Standalone device
  • Embedded within an AP (e.g. current AP)
  • Paired with authentication server
  • Embedded in a WLAN switch
• Options provide ample opportunity for product differentiation

Split 4-way Handshake (Part 3)
• Proposal splits 4-way handshake into two parts
• First part
  • Current AP (or if present the fast handover point) generates fast handover ANonce, forwards it to station and neighbor AP
• Second part
  • When STA transitions to a New AP, it continues the security setup by transmitting second message of the 4-way handshake

Fast Handover ANonce
[Figure: message sequence chart between STA, FHP, AS and Target AP; steps shown: EAPOL-Start (initiate 802.1X auth.); 802.1X Authentication exchange, communication via the FHP; PMK; Optional – Request to distribute PMK; PMK for STA, (unique) ANonce; ANonce Table; Handover Decision; Reassociation Request (PMKID included); Reassociation Response]
• Figure illustrates how FHP generates and distributes fast handover ANonce values
• Unique ANonce value may be calculated for each neighbor AP
• FHP provides STA with table of unique ANonce values, one for each neighbor

ANonce Generation and Distribution
[Figure: network diagram; labels: Traffic Endpoint, Authentication Server, Fast Handover Point, DS, Current AP, New AP, STA, BSS Transition, steps 1 to 3]
• Once the fast handover point obtains the fast handover PMK (step 1), it generates a table of ANonce values, one for each neighbor AP
• It also generates a fast handover ANonce to use for APs not on the neighbor list
• FHP forwards ANonce table to the STA, and distributes an ANonce value to each neighbor AP (steps 2 & 3)
• Neighbor APs not receiving an ANonce may query FHP for fast handover ANonce

Post Transition Handshake
[Figure: message sequence chart between STA and New AP; steps shown: Calculate PTK; Reassociation Request + PMKID + message 4 intent + H.S. Message 2 (SNonce); Locate PMK; Calculate PTK; Reassociation Response + H.S. Message 3 (GTK); Security H.S. Message #4 – Optional; Normal operation resumes.]
• Since both the STA and new AP know the ANonce in advance, message #1 of the 4-way handshake may be omitted
• Message #2 may be piggybacked onto reassociation request
• The total number of reassociation and authentication messages is reduced from 6 to 3, without giving up liveness checks and without compromising security

Abbreviated Handshake
[Figure: message sequence chart between STA and New AP; steps shown: Calculate PTK; Reassociation Request + PMKID + message 4 intent + H.S. Message 2 (SNonce); Locate PMK; Calculate PTK; Reassociation Response + H.S. Message 3 (GTK); Normal operation resumes.]
• The final message in the 4-way handshake serves no cryptographic purpose, and may be eliminated
• STA may indicate in “message 4 intent” field of fast handover IE in reassociation request that it will not be supplying the ack message
• End result is that only 2 of 4 messages in 4-way handshake need be exchanged following a transition

Putting it all Together
• The STA obtains a fast handover key, which the AS also deposited in the fast handover point
• The fast handover point generates an ANonce for each neighbor AP, and forwards it to STA
• Once these two tasks are completed, the STA is ready to complete a fast BSS transition

Completing the fast BSS Transition
[Figure: message sequence chart between STA and New AP; steps shown: Open System Auth. (Request); Open System Auth. (Response); Calculate PTK; Reassociation Request + PMKID + message 4 intent + H.S. Message 2 (SNonce); Locate PMK; Calculate PTK; Reassociation Response + H.S. Message 3 (GTK); Security H.S. Message #4 – Optional; Normal operation resumes.]
• Legacy Open-System Authentication is preserved
• The STA initiates a fast handover by inserting the fast handover PMKID and SNonce in its reassociation request
• At this point, both the STA and new AP can calculate the PTK
• The AP replies with a reassociation response including the contents of handshake message #3
• Once the STA receives this reply, normal operation resumes

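The PTK calculation and message-2 MIC check that the split handshake relies on, as an added Python example (not part of the Motorola proposal). The PRF and PTK derivation follow 802.11i; the frame body, the opaque fast handover PMKID, all keys and addresses, and the rule that a cached entry is accepted only once are assumptions of this sketch.

```python
import hashlib
import hmac
import os

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", sorted addresses || sorted nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)   # KCK | KEK | TK

def mic(ptk, body):
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]   # keyed with the KCK

def fhp_anonce_table(neighbors):
    # FHP side: one unique ANonce per neighbor AP, sent to the STA and to each AP
    return {bssid: os.urandom(32) for bssid in neighbors}

def sta_request(pmk, pmkid, spa, bssid, table, snonce):
    """STA side: handshake message 2 piggybacked on the reassociation request."""
    ptk = derive_ptk(pmk, bssid, spa, table[bssid], snonce)
    body = pmkid + snonce              # constructed stand-in for the real frame body
    return ptk, body, mic(ptk, body)

def ap_reassociate(cache, bssid, pmkid, spa, snonce, body, tag):
    """New AP side; cache maps fast handover PMKID -> (PMK, ANonce)."""
    entry = cache.get(pmkid)
    if entry is None:
        return None                    # unknown key: full authentication is needed
    ptk = derive_ptk(entry[0], bssid, spa, entry[1], snonce)
    if not hmac.compare_digest(mic(ptk, body), tag):
        return None                    # bad MIC: reject the frame but keep the entry
    del cache[pmkid]                   # assumption: pre-shared ANonce accepted only once
    return ptk

def demo():
    pmk, pmkid = bytes(range(32)), b"\xaa" * 16            # constructed values
    spa, ap1, ap2 = b"\x02" + b"\x11" * 5, b"\x02" + b"\x22" * 5, b"\x02" + b"\x33" * 5
    table, snonce = fhp_anonce_table([ap1, ap2]), os.urandom(32)
    cache = {pmkid: (pmk, table[ap1])}                     # pushed to, or fetched by, AP 1
    ptk, body, tag = sta_request(pmk, pmkid, spa, ap1, table, snonce)
    forged = ap_reassociate(cache, ap1, pmkid, spa, snonce, body, b"\x00" * 16)
    good = ap_reassociate(cache, ap1, pmkid, spa, snonce, body, tag)
    replay = ap_reassociate(cache, ap1, pmkid, spa, snonce, body, tag)
    return forged is None, good == ptk, replay is None
```

Deleting the entry only after the MIC verifies means a forged request quoting a sniffed PMKID cannot flush the station's key, while a replayed copy of a valid request finds no entry and falls back to full authentication.
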
Fast Handover Key Cleanup
[Figure: network diagram; labels: Traffic Endpoint, Authentication Server, Fast Handover Point, DS, Other AP, New AP, STA, BSS Transition, steps 1 and 2]
• The fast handover key is intended for use at one and only one AP
• Once a STA uses its fast handover key when transitioning to a new AP, the key remains with the new AP and the STA must obtain a new fast handover key prior to the next transition
• If the FHP takes the initiative to distribute the key to trusted APs, it must also take the initiative to delete the key once a transition is complete (step 2)

Setting up for the Next Handover
• Once a STA completes a fast transition, it can begin setting up for the next
• First step is to set up a new fast handover key both at the STA and the FHP
• Second step is for the FHP to generate fast handover ANonce values and distribute to the STA and potential handover targets
• Once these steps are completed, the STA is prepared to execute another fast handover

Preadmissions (Part 4)
• Problem
  • When the STA transitions between BSSs, it does so blindly, not knowing if the new AP will accept the station's TSPECs
  • The time required to complete a TSPEC signaling exchange contributes to unacceptable service interruption time
• Solution
  • Just prior to making a transition and while still associated with its AP, the STA reserves bandwidth from the new AP via the DS
  • When reassociating with the new AP, the STA piggybacks its TSPEC information onto its reassociation message to activate its TSPECs

TSPEC Setup
[Figure: network diagram; labels: Traffic Endpoint, Bandwidth Manager, Fast Handover Point, DS, Current AP, New AP, STA, BSS Transition, paths 1 to 3]
• While associated with the current AP, the STA sends a preadmissions message to one or more new APs (paths 1 & 2)
• The preadmissions message carries TSPECs used by the STA, and specifies hold times for storing the TSPECs and for keeping a bandwidth reservation
• The new AP may contact a bandwidth manager (path 3) to reserve resources and/or time on the media for the STA
• The new AP responds to the request, but otherwise leaves QoS functions such as polling in a suspended mode until after reassociation

Retrieving the Fast Handover PMK
[Figure: network diagram; labels: Traffic Endpoint, Bandwidth Manager, Fast Handover Point, DS, Current AP, New AP, STA, BSS Transition, paths 1 to 3]
• Upon receiving a preadmissions request from a STA (paths 1 & 2), the new AP should retrieve the fast handover key from the fast handover point (path 3).
• Once the fast handover key is cached, the new AP is able to more efficiently process a reassociation request from the STA
• If the current AP and fast handover point are co-located, the fast handover PMK may be sent along with the preadmissions request

Activating the TSPEC
[Figure: network diagram; labels: Traffic Endpoint, Bandwidth Manager, Fast Handover Point, DS, Current AP, New AP, STA, BSS Transition, step 1]
• When reassociating, the STA activates its cached TSPEC using a label provided by the new AP during preadmission (step 1)
• The STA may also piggyback its TSPECs onto the reassociation message in case the information installed during preadmission has timed out
• Fast handover allows the STA to hold off with preadmissions until immediately before a handover, knowing that the fast handover key is available for any AP

Fast Handover Proposal Summary
A means of expediting BSS transitions without compromising security has been proposed and includes the following elements:
• Fast Handover Key
• Fast Handover Point (Depository)
• Split 4-way Handshake
• Preadmissions

Pros and Cons
• Pros
  • STA need not know handover target in advance
  • Reduction in the number of association and authentication messages exchanged during transition from 6 to 2
  • Procedure built upon preauthentication and handshake procedures already defined by 802.11i
  • Make before break admissions
• Cons
  • Fast handover key shared between four parties instead of three (with the addition of the fast handover point)
  • If there is trust between neighbor APs, fast handover key may be distributed even more widely (each AP uses a different ANonce)
  • ANonce is selected in advance (shared over DS between trusted parties)

Thank you, and are there any questions?

Straw Poll
• The TG requests the presenter to provide further details of the proposal at the next step.
  • Yes
  • No
  • Abstain