~~NOTOC~~
====== IEEE 802.1X pre-authentication: Reducing handoff delays in 802.11 wireless networks ======
The IEEE 802.11i wireless security standard specifies how a wireless station can pre-authenticate with a candidate access point over the distribution system (DS) while still associated with its current access point. The idea is that if the station completes the IEEE 802.1X/EAP authentication in advance, the only security procedure left to run during the handoff itself is the four-way handshake (4WHS), which reduces the handoff latency: the EAP exchange, which may involve several round trips to a backend authentication server, is taken off the critical path.
===== IEEE 802.1X wireless pre-authentication : Operations =====
IEEE 802.1X pre-authentication, as described in IEEE 802.11i, Section 8.4.6.1, allows the station to exchange IEEE 802.1X frames with a target AP, via the current AP and the DS, in order to establish a pairwise master key security association (PMKSA) that is then used in the 4WHS when the station performs the actual handoff.
While connected to the access network, the wireless station gathers information about neighboring access points (how neighboring access points are discovered is out of the scope of IEEE 802.11i). The station then picks an access point with which it wants to pre-establish a security context and runs IEEE 802.1X pre-authentication with it. Support for pre-authentication is optional: access points that support it set the //Pre-Authentication// bit of the RSN Capabilities field in the RSN-IE carried in //Beacon// and //Probe-Response// frames, and a station should check that bit before attempting pre-authentication with a candidate. Pre-authentication only applies to networks using the IEEE 802.1X AKM; with a pre-shared key the PMK is already known on both sides and there is nothing to pre-establish.
To initiate pre-authentication, the station sends an IEEE 802.1X //EAPOL-Start// message to the target AP. The message is an 802.11 data frame whose DA field is set to the BSSID of the target AP and whose RA (receiver address) field is set to the BSSID of the AP with which the station is currently associated (the current AP), since the current AP is the one that receives the frame over the air. Pre-authentication EAPOL frames carry the dedicated EtherType 0x88C7 instead of the usual 0x888E, so the current AP does not treat them as an authentication attempt against itself; it forwards them over the DS to the target AP named in the DA field. The target AP processes the EAPOL-Start message and starts an IEEE 802.1X authentication using EAP with the station, which may involve a round trip to the backend authentication server. Replies from the target AP travel the reverse path: the current AP receives them from the DS and delivers them to the station.
The result of a successful IEEE 802.1X pre-authentication is a PMKSA shared by the station and the target AP, which both store in their PMKSA cache. When the station eventually (re)associates with the target AP, it lists the PMKID of the cached PMKSA in the RSN-IE of its (Re)Association Request; if the AP finds a matching entry in its cache, both sides agree to reuse the pre-established SA, the 802.1X/EAP exchange is skipped, and the 4WHS is run directly to derive the link-layer keys (the PTK) and complete the association. If the entry is missing or has expired, the AP falls back to a full IEEE 802.1X authentication, so pre-authentication is an optimization and never a correctness requirement.
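The exchange and the cache lookup described above, as an added example in Python that is not code from IEEE 802.11i or from the original page. Frame layouts are reduced to the fields the text discusses (the three addresses of a ToDS=1 data frame, the EtherType and the EAPOL header); the MAC addresses and the PMK are constructed sample values; the PMKID derivation is the one defined by IEEE 802.11i (HMAC-SHA1-128 over "PMK Name" || AA || SPA).

```python
"""IEEE 802.1X pre-authentication walk-through: EAPOL-Start over the DS,
the forwarding decision at the current AP, and the PMKSA cache lookup at
re-association. Added illustration, not code from IEEE 802.11i or the page."""
import hashlib
import hmac
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E    # ordinary IEEE 802.1X: the receiving AP is the authenticator
ETHERTYPE_PREAUTH = 0x88C7  # IEEE 802.11i pre-authentication: the receiving AP bridges it over the DS
EAPOL_START = 1             # EAPOL packet type 1 = EAPOL-Start

# Constructed sample values (not from the page).
STA = bytes.fromhex("02aabbccdd01")       # roaming station (SPA)
AP_A = bytes.fromhex("02aabbccdd0a")      # current AP's BSSID
AP_B = bytes.fromhex("02aabbccdd0b")      # target AP's BSSID
OTHER_STA = bytes.fromhex("02aabbccdd02")
PMK = hashlib.sha256(b"pmk derived by EAP at AP B").digest()


@dataclass
class Dot11DataFrame:
    """ToDS=1 data frame: the three addresses that matter here plus the payload."""
    ra: bytes        # Address 1, receiver over the air: the current AP's BSSID
    ta: bytes        # Address 2, transmitter: the station
    da: bytes        # Address 3, final destination: the target AP's BSSID
    ethertype: int   # from the LLC/SNAP header
    payload: bytes


def eapol_start() -> bytes:
    """EAPOL header: protocol version 2, packet type EAPOL-Start, body length 0."""
    return bytes([2, EAPOL_START]) + (0).to_bytes(2, "big")


def build_preauth_eapol_start(sta: bytes, current_bssid: bytes, target_bssid: bytes) -> Dot11DataFrame:
    return Dot11DataFrame(ra=current_bssid, ta=sta, da=target_bssid,
                          ethertype=ETHERTYPE_PREAUTH, payload=eapol_start())


def current_ap_handle(own_bssid: bytes, frame: Dot11DataFrame):
    """Decision taken by the AP that receives the frame over the air."""
    if frame.ra != own_bssid:
        return "drop", None                      # not addressed to this AP at all
    if frame.ethertype == ETHERTYPE_PREAUTH:
        # Pre-authentication: do not act as authenticator; bridge the frame onto
        # the DS as an Ethernet frame with dst=DA (target AP) and src=TA (station).
        eth = frame.da + frame.ta + frame.ethertype.to_bytes(2, "big") + frame.payload
        return "forward-over-DS", eth
    if frame.ethertype == ETHERTYPE_EAPOL:
        return "authenticate-locally", None      # normal 802.1X with this AP
    return "drop", None


def target_ap_receive(own_bssid: bytes, eth: bytes):
    """The target AP sees a plain Ethernet frame arriving from the DS."""
    dst, src, ethertype = eth[:6], eth[6:12], int.from_bytes(eth[12:14], "big")
    body = eth[14:]
    if dst != own_bssid or ethertype != ETHERTYPE_PREAUTH:
        return None, "ignore"
    if len(body) >= 4 and body[1] == EAPOL_START:
        return src, "start-eap"                  # act as authenticator for SPA=src
    return src, "eapol-other"


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), as in IEEE 802.11i."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


@dataclass
class PMKSACache:
    aa: bytes                                    # this AP's BSSID (authenticator address)
    entries: dict = field(default_factory=dict)  # PMKID -> (SPA, PMK)

    def add(self, pmk: bytes, spa: bytes) -> bytes:
        pid = pmkid(pmk, self.aa, spa)
        self.entries[pid] = (spa, pmk)
        return pid

    def reassociate(self, spa: bytes, rsn_ie_pmkids):
        """The STA lists cached PMKIDs in the RSN-IE of its (Re)Association
        Request. A hit bound to the same SPA skips 802.1X and goes to the 4WHS;
        anything else falls back to a full 802.1X authentication."""
        for pid in rsn_ie_pmkids:
            entry = self.entries.get(pid)
            if entry is not None and entry[0] == spa:
                return "4WHS", entry[1]
        return "full-802.1X", None


def simulate() -> dict:
    """Whole sequence: EAPOL-Start via AP A, EAP at AP B, cache, re-association."""
    frame = build_preauth_eapol_start(STA, AP_A, AP_B)
    action_a, eth = current_ap_handle(AP_A, frame)
    spa, action_b = target_ap_receive(AP_B, eth)
    cache_b = PMKSACache(AP_B)
    pid = cache_b.add(PMK, spa)                  # EAP succeeded: PMKSA cached at AP B
    hit, _ = cache_b.reassociate(STA, [pid])     # STA later hands off to AP B
    miss, _ = cache_b.reassociate(STA, [pmkid(PMK, AP_A, STA)])  # PMKID names the wrong AA
    return {"current_ap": action_a, "target_ap": action_b, "handoff": hit, "stale": miss}


if __name__ == "__main__":
    print(simulate())
```

Two points the code makes explicit: the only thing that keeps the current AP from treating the EAPOL-Start as a login attempt against itself is the 0x88C7 EtherType, so an AP that does not recognise it cannot take part in pre-authentication; and because the PMKID is bound to the authenticator address, a PMKSA cached for AP A is useless at AP B, which is exactly why the station has to pre-authenticate with each candidate separately.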
===== IEEE 802.1X pre-authentication : Deployment considerations =====
IEEE 802.1X pre-authentication over the DS is useful only when it can complete before the wireless station disassociates from the current access point. Where the station moves at high speed, for example cars on a highway, handoffs are frequent, and the time between two handoffs must still be long enough for the pre-authentication to complete. That interval depends on the size of the wireless cell and on the speed of the moving station.
The amount of time available for pre-authentication depends on the degree of coverage overlap as well as on the velocity of the wireless station. As an example, consider a roaming station moving at velocity //v// that transitions from an association with AP A to an association with AP B. The coverage overlap between the two access points is //c//, the coverage diameter is //D//, and the re-association round-trip time is //RTT//. The figure below depicts the example scenario.
\\
|{{technotes:pre-auth-perf.jpeg?350|}}|
\\
Given these parameters, the time //T// spent on pre-authentication (from the moment the station detects AP B until the PMKSA is in place) must satisfy //T ≤ c/v// to avoid a loss of connectivity; equivalently, the access network supports a maximum velocity of //c/T//. For example, with a coverage overlap //c// of 5 m, a scanning delay of about 100 ms and a pre-authentication delay of 250 ms (//T// = 350 ms), the maximum supported velocity is
v_max = c / T = (5 / 1000) km / (350 / 3600000) h ≈ 51 km/h
This assumes that the station initiates pre-authentication as soon as it enters the coverage overlap area, where it detects the presence of candidate AP B; any additional discovery delay comes out of the same budget.
Depending on the scenario, the coverage overlap must be adjusted accordingly. For example, consider a bullet train running at 300 km/h with the same //T// of 350 ms. The coverage overlap //c// must then be at least
c = v * T = 300 km/h * 350 ms = (300 * 10^3 * 350) / (3600 * 1000) m ≈ 30 m
Assuming an 802.11 technology with a 100 m range, an overlap of 30 m means that the access points must be spaced at most 2 * 100 m - 30 m = 170 m apart along the track.
\\
{{tag>wireless security performance}}