Fast Roaming Using Multiple Concurrent Associations
Bob Beach, Symbol Technologies
Agenda
• Background
• The Proposal
  • Access Point
  • Mobile Station
• Questions/Objections
• Enhancements for Split MAC Infrastructures
Associations in 1999 IEEE 802.11
• When a STA associates with a “1999” AP, four major actions result:
  • (A1) The AP allocates data structures for the STA
  • (A2) The AP accepts additional types of packets for the STA (i.e. data frames, poll packets, etc.)
  • (A3) The AP begins forwarding data to/from the DS for the STA
  • (A4) The AP notifies other APs and the wired infrastructure of the new “location” of the STA
• Two of these actions (A1 and A2) are “local” to the AP and two are visible to the “DS” (A3 and A4)
• For a 1999 AP, all of these actions take place at virtually the same time
• A STA may be associated with only one AP at a time
Associations with TGi
• New actions are introduced in the association sequence:
  • Authentication
  • Key derivation
• These occur between A1/A2 and A3/A4
• These new actions may cause significant delay in the start of data transfer between the DS and STA
Associations with TGe
• The major rationale for TGe is that a STA may obtain some type of service guarantees from an AP
• These service guarantees (TSPEC) are negotiated after the association process is complete
• The AP with which a STA associates may not be able to support the desired TSPEC
• The STA must now find yet another AP, having left its old AP and having discovered the new AP is not suitable
• Roaming is slow due to selection of the wrong AP
Association Actions with TGe and TGi
• There are now 6 actions involved in an association:
  • (A1) The AP allocates data structures for the STA
  • (A2) The AP accepts additional types of packets for the STA
  • (A3) Authentication/key derivation
  • (A4) Negotiation of TSPEC
  • (A5) The AP begins forwarding data to/from the DS for the STA
  • (A6) The AP notifies other APs and the wired infrastructure of the new “location” of the STA
• Actions A1 to A4 are local to the AP and do not involve the DS; actions A5 and A6 involve the DS
Multiple Concurrent “Local” Associations
• The roaming problems caused by TGe and TGi can be solved by allowing STAs to establish multiple “local” associations with different APs
• A “local” association consists of actions A1 to A4
  • The association is just between the AP and STA
  • The DS is not aware of the association
• Actions A5 and A6 are triggered by a secure data packet between the AP and STA
  • The data packets have unique content and are fully encrypted
  • Upon reception of such a packet, the AP “opens” the data gate
From the STA’s Perspective
• The STA identifies “interesting” APs and performs actions A1 to A4 with them
  • This may take place once or on an ongoing basis
• The STA thus has a collection of ‘N’ ports to the DS, with N-1 of them in “hot standby”
• A roam simply consists of a two-data-packet exchange with the AP of choice
• The STA maintains as many APs in this state as it desires. It may add or drop APs over time.
Requesting “Local” Associations
• The availability of local associations is indicated in beacons/probe responses via a capability bit
• A new element is added to the association request packets and association response packets
  • For the association request, the element simply requests a “local association”
  • For the association response, the element indicates if the request has been granted and the lifetime of the local association
• New status values are defined accordingly
Opening the Data Gate on an AP (1)
• A STA opens the “data gate” on the desired AP by a two-data-packet exchange
  • The STA sends the first packet and the AP responds with the second packet
• Both packets are regular 802.11 data packets and are fully encrypted using the negotiated mechanism and keys
  • They are identified by a unique OUI value in the 802.1h header
• The packets contain two fields:
  • 128 random bits
  • The current 64-bit TSF value for the AP
• Upon reception the receiver will discard the 128 bits of random data and verify the TSF time is “recent”
Opening the Data Gate on an AP (2)
• Upon receipt of the data packet the AP will:
  • Forward data between the DS and the STA
  • Notify other APs about the roam
• If the AP does not recognize the packet it sends a Disassociate packet to the STA
  • In such a case the STA must begin the entire association process over again
• The AP that was forwarding data for the STA will stop doing so, but will maintain the local association
• Upon receipt of the data packet from the AP the STA will begin forwarding data to it
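The following is an added example, not code from the presentation or from Symbol Technologies: a Python model of the open-data-gate packet body and of the two receiver checks described on the previous two slides (SNAP header carries the expected OUI; the TSF is “recent”, otherwise the AP answers with Disassociate). The OUI, protocol id and the width of the “recent” window are placeholders assumed here, since the slides do not give them; encryption with the negotiated keys is assumed to be applied by the MAC layer and is not modelled.

```python
import os
import struct
from typing import Optional, Tuple

# Constructed placeholders: the proposal only says the exchange is identified by a
# unique OUI in the LLC/SNAP (802.1h) header and gives neither the OUI nor the protocol id.
LLC_SNAP_PREFIX = b"\xaa\xaa\x03"   # DSAP, SSAP and control bytes of a SNAP header
OPEN_GATE_OUI = b"\x00\x00\x00"     # placeholder OUI (assumption)
OPEN_GATE_PID = b"\x00\x01"         # placeholder protocol id (assumption)
OPEN_GATE_HDR = LLC_SNAP_PREFIX + OPEN_GATE_OUI + OPEN_GATE_PID
RANDOM_LEN = 16                     # the 128 random bits
TSF_LEN = 8                         # the 64-bit TSF timer value, in microseconds
MAX_TSF_SKEW_US = 2_000_000         # what counts as "recent": an assumed 2 s window


def build_open_gate_body(tsf_now: int, rand: Optional[bytes] = None) -> bytes:
    """Plaintext body of an open-data-gate packet (the STA's request or the AP's reply).
    The MAC layer is assumed to encrypt this with the keys negotiated during the
    local association; that step is outside this example."""
    rand = os.urandom(RANDOM_LEN) if rand is None else rand
    if len(rand) != RANDOM_LEN:
        raise ValueError("random field must be exactly 128 bits")
    return OPEN_GATE_HDR + rand + struct.pack(">Q", tsf_now)


def is_open_gate_body(body: bytes) -> bool:
    """Receiver check 1: the SNAP header carries the open-gate OUI/protocol id
    and the body has exactly the random field plus the TSF after it."""
    return body.startswith(OPEN_GATE_HDR) and len(body) == len(OPEN_GATE_HDR) + RANDOM_LEN + TSF_LEN


def tsf_is_recent(body: bytes, tsf_now: int, max_skew_us: int = MAX_TSF_SKEW_US) -> bool:
    """Receiver check 2: discard the random bits and accept only a 'recent' TSF.
    A TSF far from the receiver's own clock is what a replayed or long-delayed frame looks like."""
    tsf_sent = struct.unpack(">Q", body[-TSF_LEN:])[0]
    return abs(tsf_now - tsf_sent) <= max_skew_us


def ap_handle_open_gate(body: bytes, tsf_now: int) -> Tuple[str, Optional[bytes]]:
    """AP-side decision from slide (2): either open the data gate and reply with the
    second packet (carrying the AP's own TSF), or answer "disassociate" so the STA
    must restart the entire association process."""
    if not is_open_gate_body(body) or not tsf_is_recent(body, tsf_now):
        return "disassociate", None
    # Gate opens here: the AP starts forwarding to/from the DS and notifies other APs.
    return "open", build_open_gate_body(tsf_now)
```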
Summary of Protocol Enhancements
• New capability bit in beacons/probe responses
• One new element in the associate request packet
• One new element in the associate response packet
• New 802.1h packet values and format for the “open data gate” data packet exchange
Questions (1)
• While the STA is talking to other APs, what happens to data for it from its current AP?
  • The STA can either “time” the transactions so as not to lose data or place itself in PSP mode with the current AP so data will be buffered
• What happens to data sent to the STA from APs with which it has a local association but which are not the currently active AP?
  • The data is buffered via the PSP mechanism
Questions (2)
• What is the burden on the STA from this approach?
  • It is mostly memory space. Most STAs currently keep a list of “interesting” APs that includes MAC address, RSSI values, TSF, etc. This approach simply increases the size of that list to include encryption keys and sequence numbers. Additional statistics may also be kept on a per-AP basis. The total cost is probably a few hundred bytes per AP.
Questions (3)
• How does this approach affect the wired infrastructure?
  • It has no effect on it at all. It will work with all forms of wired infrastructure. Local associations are not visible to the DS.
Objections (1)
• Multiple concurrent associations are too great a departure from “classic” 802.11
  • Not really. “Preauthentication” already envisions a STA communicating with multiple APs concurrently. Likewise, the idea of separating the association process from actual “data forwarding” is also present in TGi/802.1X. This is just the natural conclusion of a process already started.
Objections (2)
• The burden on STAs is too large
  • The burden is not that large and would be undertaken only by devices that care about fast roaming. The primary burden is memory, and even that is modest (~256 bytes/AP). Keeping track of 10 APs requires only 2.5 KB. Most mobile devices these days have > 32 MB anyway.
Objections (3)
• The data packet exchange is insecure
  • This mechanism is actually more secure than regular associations, since the contents of the packets are encrypted using the same keys as are used for data transfer.
  • The TSF values in the data packets ensure the frames are not replays.
Operations with Split MAC Infrastructure
• The “split MAC” or switch architecture is growing in popularity for 802.11 infrastructure
• These architectures incorporate a centralized controller that handles, among many other things, association and authentication
  • It may also perform key derivation and encryption
• They also include a number of “lightweight” APs that handle the transmission and reception of RF packets
• Together they look just like a collection of “fat APs”
• In such systems the proposed architecture can be enhanced to greatly simplify the burden on the STA while speeding up the roaming process
Associations with Split MAC Systems
• In such systems, a STA generally associates with each lightweight AP as if it were a “fat AP”
  • A STA cannot tell the difference between the two (that’s the point!)
• However, with the approach described in this proposal, doing the same association and authentication sequence with the same entity (the centralized controller) is redundant, slow, and wasteful
The Association/Authentication Agent
• For split MAC systems we define the notion of an “Association/Authentication Agent (AsA)”
• An AsA is responsible for the association, authentication and, optionally, the key derivation process for a number of (lightweight) APs
• An AsA has a unique 48-bit MAC address that is different from those of any AP on the system
• The existence and identity of the AsA is contained in the beacons/probe responses of those APs handled by the AsA
Operating with an AsA
• For a split MAC system, a STA associates and authenticates once with the AsA, which is valid for all the APs handled by the AsA
• The STA still builds a table of APs but need not do the association/authentication sequence for each of them
• The selection of which AP is to be used for data transfer is done by the secure data packet handshake described earlier. The packet is addressed to the AsA (Address 3).
AsA Protocol Enhancements
• The existence/identity of the AsA is contained in an element within the beacons/probe responses of those APs handled by the AsA
• Association and data packets are addressed to the AsA by placing the AsA MAC address in the Address 3 field of the packet header
• Association IDs are allocated globally for all APs supported by the AsA
Different Split MAC Architectures
• There are two major approaches that differ primarily in where the encryption is performed:
  • In a centralized agent or on each AP
• This proposal operates with both approaches:
  • Centralized crypto: one key derivation sequence that is used for all APs
  • Distributed crypto: one key derivation sequence for each AP
Conclusion
• This proposal addresses the fast roaming problem with only minor changes to the 802.11 protocols
• The burden on both infrastructure and mobile clients is minor
• It works with traditional APs as well as split-MAC architectures