IEEE 802.1X pre-authentication: Reducing handoff delays in 802.11 wireless networks


The IEEE 802.11i wireless security standard specifies how wireless stations can perform pre-authentication over the distribution system while still connected to their current access point. The idea is that if the station can perform authentication in advance, the only remaining procedure that needs to be carried out during the handoff is the four-way-handshake (4WHS), which reduces the handoff latency.


IEEE 802.1X wireless pre-authentication: Operations

IEEE 802.1X pre-authentication, as described in IEEE 802.11i, Section 8.4.6.1, allows the station to exchange IEEE 802.1X frames with the AP in order to establish a security association (PMKSA), which is then used in the 4WHS when the station performs the actual handoff.

While connected to the access network, the wireless station gathers information about neighboring access points (the process of discovering neighboring access points is outside the scope of IEEE 802.11i). The wireless station then picks an access point with which it wants to pre-establish a security context by performing IEEE 802.1X pre-authentication. Support for pre-authentication is not mandatory. Access points that support pre-authentication set the Pre-Authentication bit in the RSN-IE of the Beacon and Probe-Response frames.
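A station-side check for that bit, as an added example that is not part of the original post: it walks the RSN-IE fields to reach the RSN Capabilities field, whose bit 0 is the Pre-Authentication flag. The function names, the sample elements and the BSSIDs are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48      # element ID of the RSN-IE
PREAUTH_BIT = 0x0001     # bit 0 of the RSN Capabilities field

def rsn_capabilities(ie: bytes) -> int:
    """Return the RSN Capabilities field of one RSN-IE (0 when the field is omitted)."""
    if len(ie) < 4 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN information element")
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    off = 2
    # Every field after Version is optional; a missing field means defaults apply.
    if off == len(body):
        return 0
    off += 4                                   # group cipher suite selector
    for _ in range(2):                         # pairwise suite list, then AKM suite list
        if off == len(body):
            return 0
        if off + 2 > len(body):
            raise ValueError("malformed RSN information element")
        count = struct.unpack_from("<H", body, off)[0]
        off += 2 + 4 * count
    if off == len(body):
        return 0
    if off + 2 > len(body):
        raise ValueError("malformed RSN information element")
    return struct.unpack_from("<H", body, off)[0]

def supports_preauth(ie: bytes) -> bool:
    return bool(rsn_capabilities(ie) & PREAUTH_BIT)

def preauth_candidates(scan: dict) -> list:
    """BSSIDs from a scan result whose RSN-IE advertises pre-authentication."""
    return sorted(bssid for bssid, ie in scan.items() if supports_preauth(ie))

# Constructed sample elements: CCMP group/pairwise cipher, 802.1X AKM.
AP_WITH_PREAUTH = bytes.fromhex("30140100000fac040100000fac040100000fac010100")
AP_WITHOUT_PREAUTH = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
AP_VERSION_ONLY = bytes.fromhex("30020100")   # all optional fields omitted
SCAN = {"02:00:00:00:00:0a": AP_WITH_PREAUTH,
        "02:00:00:00:00:0b": AP_WITHOUT_PREAUTH,
        "02:00:00:00:00:0c": AP_VERSION_ONLY}

if __name__ == "__main__":
    print(preauth_candidates(SCAN))
```

An element that omits the RSN Capabilities field is treated as not supporting pre-authentication, since the omitted field defaults to zero.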

To initiate a pre-authentication, the station issues an IEEE 802.1X EAPOL-Start message destined to the target AP. The routing information is carried in the DA field of the message, which is set to the BSSID of the target AP. The RA field of the message, which indicates the source of the wireless cell that issued the message, is set to the BSSID of the AP with which the station is currently associated (current AP). The message is forwarded by the current AP to the target AP based on the DA field. The target AP processes the EAPOL-Start message and initiates an IEEE 802.1X authentication using EAP. The reply message from the target AP is forwarded by the current AP to the wireless station.

The result of a successful IEEE 802.1X pre-authentication is a PMKSA at the station and the AP. The PMKSA is stored in the PMKSA cache. When the station eventually decides to associate with the target AP, the station and the AP negotiate the use of the pre-established SA; the 4WHS is then used to establish link-layer keys and finalize the association process.


IEEE 802.1X pre-authentication: Deployment considerations

The 802.1X pre-authentication over the DS is useful only when it can complete before the wireless station disassociates from the current access point. In scenarios where the wireless station is moving at high speed, such as cars on a highway, the station performs handoffs frequently, and the time between two handoffs must be long enough to allow the 802.1X pre-authentication to complete. The period of time that separates handoffs depends on the size of the wireless cell and the speed of the moving wireless station.

The amount of time available for pre-authentication depends on the degree of coverage overlap as well as the velocity of the wireless station. As an example, let's consider a roaming station moving at velocity v and transitioning from an association with AP A to an association with AP B. The coverage overlap between the two access points is assumed to be c, the coverage diameter is D, and the re-association round-trip time is RTT. The figure below depicts the example scenario.



Given these parameters, the time T allocated to pre-authentication must be less than or equal to c/v in order to avoid loss of connectivity. For example, where the coverage overlap c is 5 meters, with scanning delays of about 100ms and pre-authentication delays of 250ms, the access network supports a maximum velocity of

c / T = (5 / 1000) km / (350 / 3600000) h = 51 km/h

This assumes that the station initiates pre-authentication when it enters the coverage overlap area, where it detects the presence of the candidate access point B.

Depending on the scenario, the coverage overlap area needs to be adjusted. For example, consider the scenario of a bullet train running at speeds above 300 km/h. The coverage overlap c must be at least

c = 300 km/h * T = (300 * 10^3 * 350) / (3600 * 1000) ~ 30 m

Assuming an 802.11 technology with a 100m range, the overlap of 30 meters means that the distance between APs must be at most 170m.


