Monday, November 9, 2015

Fast Secure Roaming (Mobility) in WiFi (802.11) Networks

It's wonderful to have voice calls over a WiFi network, as it saves a lot of cost (especially for long-distance calls). However, there are two big requirements for good-quality voice calls on a WiFi network, and these are covered under the following WiFi Alliance certifications:

  • Voice Personal: Relates to QoS requirements for voice on a single access point, so that voice can have low latency and low jitter.
  • Voice Enterprise: Relates to voice performance across multiple access points, especially station movement from one access point to another.

Key Terms:
  • BSS Transition: Movement of a client from one BSS to another under the same ESS. Each BSS can be in the same or a different subnet.
  • Mobility Domain: A group of access points across which a station can quickly roam. These access points can be in the same or different subnets.
  • Layer 2 Roaming: When a client moves from one BSS to another within the same subnet.
  • Layer 3 [IP] Roaming: When a client moves from one BSS to another, each in a different subnet. Moving from one subnet to another normally involves an IP address change; hence, layer 3 roaming is trickier than layer 2 roaming. Vendors either implement proprietary tunneling methods or Mobile IP to preserve the IP address.
  • Inter-AP handover: Roaming often involves data exchange from one access point to another. However, communication between different access points is not defined in the 802.11 standard; vendors are free to implement their own mechanisms.
    • For layer 2 roaming, this can be a simple broadcast message or a layer 2 unicast packet.
    • For layer 3 roaming, it has to be a unicast message from one access point to another.
    • A Mobility Domain is the group of access points that know the IP (or MAC, or both) of the other access points in that group.
    • Inter-access-point communication should be secure.


Roaming Objective:
When a VoIP phone moves from one access point to another during a call, there is a layer 2 connectivity transfer, which leads to frame loss depending on how long the transfer takes. A long transfer time can lead to a call drop. To avoid call drops, the connectivity transfer (roaming) time should be less than 50 msecs. However, when WPA2-Enterprise security is used, it generally takes 700 msecs for the station to authenticate and connect (and that is when the authentication server is on the LAN). Overcoming this large roaming time while still using robust security mechanisms is the objective of fast roaming techniques.

Roaming Techniques:

PMK vs PMKSA vs PMKID
  • PMK: Refer to this post to check how PMK is generated. 
  • PMKSA: Components of a PMKSA include the following:
    • PMK
    • PMKID
    • Authenticator MAC: This makes the PMKSA specific to a given AP. Hence, a PMKSA cached at one AP cannot be used by another AP.
    • Lifetime
    • AKMP: Authentication & Key Management Protocol
    • Authorization Parameters: Any parameters specified by the authorization server.
  • PMKID: Each PMKSA has one ID, which is used in the Re-association request.
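To make the AP-specific nature of the PMKSA concrete, here is an added Python example (not code from the original post). It derives the PMKID the way IEEE 802.11 defines it, as an HMAC keyed with the PMK over the string "PMK Name", the authenticator MAC (AA) and the supplicant MAC (SPA), truncated to 128 bits, and models a per-AP PMKSA cache so you can see why a PMKID offered in a Re-association request is only recognized by the AP whose MAC went into it, and only while the lifetime has not expired. The PMK, the MAC addresses, the PMKSA and APPMKSACache classes and the needs_full_authentication helper are all constructed for illustration and are not part of any real driver or AP software.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Constructed sample values (not from the original post).
SAMPLE_PMK = hashlib.sha256(b"constructed sample pmk").digest()  # 256-bit PMK
AP_A_MAC = "00:11:22:33:44:55"   # authenticator address (AA) of the first AP
AP_B_MAC = "00:11:22:33:44:66"   # authenticator address (AA) of a second AP
STA_MAC = "66:77:88:99:aa:bb"    # supplicant address (SPA) of the station


def mac_to_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' (or dashed form) to its 6-byte wire form."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def derive_pmkid(pmk: bytes, aa: str, spa: str, sha256: bool = False) -> bytes:
    """PMKID = Truncate-128(HMAC(PMK, "PMK Name" || AA || SPA)) per IEEE 802.11.

    SHA-1-based AKMs use HMAC-SHA1; SHA-256-based AKMs use HMAC-SHA-256.
    Because AA is part of the input, the PMKID is bound to one AP.
    """
    data = b"PMK Name" + mac_to_bytes(aa) + mac_to_bytes(spa)
    digest = hashlib.sha256 if sha256 else hashlib.sha1
    return hmac.new(pmk, data, digest).digest()[:16]


@dataclass
class PMKSA:
    """Hypothetical model of the PMKSA components listed in the post."""
    pmk: bytes
    pmkid: bytes
    authenticator_mac: str
    akmp: str                 # AKM suite selector, e.g. 00-0F-AC:1 = 802.1X
    created: float            # seconds since the epoch
    lifetime: float = 43200.0  # seconds; the usual 12-hour PMK lifetime default
    auth_params: Dict[str, str] = field(default_factory=dict)

    def expired(self, now: float) -> bool:
        return now >= self.created + self.lifetime


def build_pmksa(pmk: bytes, aa: str, spa: str, akmp: str = "00-0F-AC:1",
                now: Optional[float] = None, **extra) -> PMKSA:
    """Create the PMKSA an AP stores after a successful 802.1X authentication."""
    now = time.time() if now is None else now
    return PMKSA(pmk=pmk, pmkid=derive_pmkid(pmk, aa, spa),
                 authenticator_mac=aa, akmp=akmp, created=now, **extra)


class APPMKSACache:
    """Hypothetical authenticator-side PMKSA cache, keyed by PMKID."""

    def __init__(self, ap_mac: str):
        self.ap_mac = ap_mac
        self._entries: Dict[bytes, PMKSA] = {}

    def add(self, sa: PMKSA) -> None:
        # A PMKSA carries its authenticator MAC; another AP must not import it.
        if sa.authenticator_mac.lower() != self.ap_mac.lower():
            raise ValueError("PMKSA belongs to a different authenticator")
        self._entries[sa.pmkid] = sa

    def lookup(self, offered_pmkids: Iterable[bytes], now: float) -> Optional[PMKSA]:
        """Return the first unexpired cached PMKSA matching a PMKID from the
        station's Re-association request RSN element, or None."""
        for pmkid in offered_pmkids:
            sa = self._entries.get(pmkid)
            if sa is not None and not sa.expired(now):
                return sa
        return None


def needs_full_authentication(cache: APPMKSACache, offered_pmkids: Iterable[bytes],
                              now: float) -> bool:
    """True: the AP must run full 802.1X again (the ~700 ms path).
    False: a cached PMKSA matched, so it can go straight to the 4-way handshake."""
    return cache.lookup(offered_pmkids, now) is None


if __name__ == "__main__":
    cache_a = APPMKSACache(AP_A_MAC)
    sa = build_pmksa(SAMPLE_PMK, AP_A_MAC, STA_MAC, now=1000.0)
    cache_a.add(sa)
    print("PMKID at AP A:", sa.pmkid.hex())
    print("Re-associating to AP A needs full auth:",
          needs_full_authentication(cache_a, [sa.pmkid], 2000.0))
    print("Re-associating to AP B needs full auth:",
          needs_full_authentication(APPMKSACache(AP_B_MAC), [sa.pmkid], 2000.0))
```

Run it and the first Re-association (same AP, same station, within the lifetime) skips 802.1X, while the second (a different AP) needs a full authentication even though the station holds the same PMK: the cache on AP B has no entry and, because AA differs, the PMKID it would compute for that station is a different value anyway.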

Important Points:

In future posts, we will discuss some more details about specific roaming techniques.
