Thursday, November 12, 2015

Fast BSS Transition (FT) or 802.11r

FT or 802.11r is the first WiFi standard which offers a standardized & scalable WiFi roaming solution. Prior to this, Pre-authentication & PMKSA caching (recommended in 802.11i) were based on PMKSA caching rather than PMK caching, due to which these methods were not scalable. Another roaming method, OKC, is scalable as it is based on PMK caching; however, OKC is not a standard roaming method.

Refer to this post for some basics on roaming.

Key Hierarchy:

Even though FT can be used for controller-less deployments, it was designed with a controller and thin-AP architecture in mind. In this architecture, instead of the access points, the controller acts as the authenticator and is responsible for key derivation and distribution to the access points.

In this architecture:

  • Controller, identified by PMKR0KH-ID, acts as PMKR0-Key Holder.
  • Access Point, identified by PMKR1KH-ID, acts as PMKR1-Key Holder.
  • PMKR0 is identified by its name PMKR0Name (same as PMKR0ID).
  • PMKR1 is identified by its name PMKR1Name (same as PMKR1ID).
  • PMKR0 is derived by the controller from the MSK/PMK using PMKR0KH-ID as input. Hence, PMKR0 is dependent on the controller identifier.
  • PMKR1 is derived by the controller from PMKR0 using PMKR1KH-ID as input, and the controller is responsible for distributing these keys to the access points. Hence, PMKR1 can be different for each access point if the access points are configured with different identifiers. It is also possible to configure every AP with the same identifier.
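As an added example (not code from the original post), the following Python sketch walks through the PMK-R0 / PMK-R1 derivation described above with constructed sample identifiers, so you can see that PMK-R0 is bound to the R0KH-ID and that each R1KH-ID (AP) yields a different PMK-R1 from the same PMK-R0. The KDF, labels and context layout are written from IEEE 802.11-2012 clause 11.6.1.7 as I understand it; all key material and MAC addresses are made up.

```python
import hashlib
import hmac
import struct

def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """KDF-Hash-Length of 802.11-2012 11.6.1.7.2: HMAC-SHA-256 over
    (counter || label || context || length); counter and length are
    16-bit little-endian, length is given in bits."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:length_bits // 8]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, s0kh_id):
    """PMK-R0 is bound to R0KH-ID (the controller's identifier).
    XXKey is the PSK, or for 802.1X the second 256 bits of the MSK."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", ctx, 384)
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]   # Truncate-128
    return pmk_r0, pmk_r0_name

def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, s1kh_id):
    """PMK-R1 is bound to R1KH-ID (the AP's BSSID): one key per AP."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name

# Constructed sample values (not from any real network).
SSID = b"ExampleSSID"
PSK = hashlib.pbkdf2_hmac("sha1", b"correct horse", SSID, 4096, 32)  # WPA2 PSK from passphrase
MDID = b"\x12\x34"                      # Mobility Domain identifier (2 octets)
R0KH_ID = b"wlc-example"                # controller (R0KH) identifier
STA = bytes.fromhex("aabbccddeeff")     # station MAC = S0KH-ID = S1KH-ID
AP1 = bytes.fromhex("001122334401")     # BSSID of AP1 = its R1KH-ID
AP2 = bytes.fromhex("001122334402")     # BSSID of AP2 = its R1KH-ID

def demo():
    pmk_r0, r0name = derive_pmk_r0(PSK, SSID, MDID, R0KH_ID, STA)
    pmk_r1_ap1, _ = derive_pmk_r1(pmk_r0, r0name, AP1, STA)
    pmk_r1_ap2, _ = derive_pmk_r1(pmk_r0, r0name, AP2, STA)
    return pmk_r0, r0name, pmk_r1_ap1, pmk_r1_ap2

if __name__ == "__main__":
    for name, val in zip(("PMK-R0", "PMKR0Name", "PMK-R1@AP1", "PMK-R1@AP2"), demo()):
        print(f"{name:12} {val.hex()}")
```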

Information Elements [IEs] Changes

  • RSNIE (updated):
    • Holds PMKRxName (PMKRxID to be more precise).
    • AKM suite list is updated to include FT.
  • MDIE (new): Mainly holds the Mobility Domain identifier & whether Over-the-DS mode is supported. As it holds the mobility domain identifier, it is present in all frames related to 802.11r. Its presence inside Beacons & Probe Responses (from the AP) and Association Requests (from stations) indicates 802.11r support on the AP & station respectively.
  • FTIE (new): This IE always holds PMKR0KH-ID & PMKR1KH-ID, and in Reassociation Request & Response frames additionally carries PTK key derivation material (ANonce, SNonce, MIC & GTK).

Important Points:
  • Over-the-air mode is mandatory but over-the-DS mode is optional. If the access point supports both modes, the client will attempt over-the-DS mode.
  • When FT is enabled, some non-FT stations (which cannot decode the updated RSNIE) might not be able to connect.
  • FT is even faster than PSK roaming because the 4-Way Handshake is eliminated on roaming.
  • The 4-Way Handshake is modified, as its Key Data now includes the FTIE, RSNIE & MDIE.

Frame Exchanges:

  • Initial Mobility Domain Association:

In a controller-less environment, or when PSK is used, it is the responsibility of the initial AP to derive the PMKR1 key for the other key holders (access points in the same mobility domain) and pass it to them so that the other APs can build their PMKR1 key cache.
  • Over the Air Transition:

  • Over the DS Transition:

Why can over-the-DS mode be better when the two access points are on different channels? (source)

Over the DS vs Over the Air:
Negotiation with the next AP can happen over the air, or over the DS. With "over the air", the client gets to the edge of the first cell, scans, finds another AP, and negotiates directly with this next AP the next key (and possibly QoS parameters). The advantage of this method is that communication is direct (no delay by going through the DS, no need for an AP-to-AP wired communication protocol). The downside is that the client needs to leave its active channel to negotiate on another channel. Most BYODs send a frame to their current AP, telling them that they "go to sleep" (Null frame with Power Management set to 1, while in fact they go negotiate on another channel), then return to the active channel to "empty their buffer and the AP's buffer" (Null frame with Power Management set to 0) before jumping out to the next AP.
The over the air process is direct, but may be disruptive in a location where the device is already at the edge of the cell (low data rate, lots of retries). To avoid that the negotiation also forces the device to go off channel for a while, the Over the DS method can be enabled. In this case, the device stays on the current channel (no need to pretend to sleep and leave the channel), and asks the current AP to negotiate with the next AP (your client still has to discover the next AP first, i.e. scan). This process saves time and increases efficiency, provided that both APs have a way to communicate. In a controller-based network, no problem. The unknown is in the efficiency (what is faster: direct negotiation, or going through the current AP, the WLC, then the next AP, with all the switches or routers that may be on the way?). The only answer is to test (or know your network: if APs are on the same switch and the WLC is close, DS is great. Add routers and switches, and the needle swings toward Over the air).
