Handoff delays in 802.11 wireless networks


Performance evaluation of wireless security systems - Part 3

In 802.11 wireless networks, handoff refers to the process that takes place when a station (STA) decides to change access points (AP). As I explained in the previous article of this series (Part 2: The 802.11 handoff process), the handoff process can be subdivided into 4 phases, each of which introduces communication and processing overhead that contributes to the overall handoff delay. This article examines the factors affecting handoff performance in 802.11 wireless access networks by investigating each of the four handoff phases to understand how performance degradation can occur.


Scanning delays

After detecting the need for a handoff (e.g. when signal quality drops), the STA initiates a handoff procedure in order to discover and select a better AP. The first phase of the handoff process thus consists of network selection. This phase is also referred to as “scanning”. The STA listens on different radio communication channels for “Beacon frames” sent by neighboring APs. The Beacon frames advertise the presence of the AP sending them and are issued periodically at a fixed interval. Generally, this interval is about 100ms.

The STA may wait for up to 100ms on each channel before receiving an 802.11 beacon from the AP assigned to that channel. In the worst case, the STA can therefore wait for 100ms x NumberOfChannels. In a typical deployment using three non-overlapping channels, the scanning delay alone may reach 300ms.


Association/Re-association delays

After selecting a suitable AP, the STA needs to associate with the new AP. The association process allows the new AP to allocate resources for the STA. If IAPP is deployed, the access network removes any context information from the old AP using an IAPP notify exchange. The association also allows the new AP to inform the link layer devices (bridges, switches) to update their L2 tables so that packets destined for the STA get forwarded to the new location.

When the IAPP exchange is secured, IPSec security policies and keying material are negotiated between the new AP and the old AP. This involves communication with a central RADIUS server, as well as cryptographic operations. The overhead of the IAPP protocol when security is enabled has not been investigated. However, the non-secure scenario has been investigated in existing studies and was shown to take up to 10ms. When IAPP is not used, the association delay becomes minimal.


EAP/802.1X authentication

This step is specific to wireless access networks using 802.11i in “Enterprise” mode (i.e. no PSK stored on the AP). 802.1X enabled APs only accept 802.1X frames from non-authenticated STAs. The 802.1X frames contain EAP messages that are forwarded by the AP to a back-end RADIUS server over the RADIUS protocol.

The STA and back-end RADIUS server thus exchange EAP messages relayed by the AP. The goal of the EAP exchanges is to authenticate the station to the RADIUS server. In order for this to work, the STA and the RADIUS server must share credentials (e.g. a password) that allow the STA to unambiguously prove its identity.

The RADIUS messages carrying the EAP payload are sent over UDP from the AP to the RADIUS server and are secured using a key shared between the two.

The delay of the EAP authentication may be affected by several factors:


Network latency

The RADIUS server and the AP are linked by a network infrastructure that generally involves several routing devices. Since the IP protocol is used, network delays in the communication between the AP and the RADIUS server can vary depending on traffic load and distance. It is easy to see that when, for example, the RTT increases, the EAP authentication can take longer. An RTT of 20ms would introduce more than 120ms delay, assuming that 3 exchanges are necessary to authenticate the STA.


Packet loss rate

When a packet is lost, the AP will issue another packet after waiting for a certain amount of time. As stated by the RADIUS specification, the AP follows an exponential back-off algorithm to determine the waiting time before re-forwarding the EAP message to the RADIUS server. The more packets are lost, the longer the EAP authentication will last. The parameters of the retransmission algorithm must be chosen adequately in order to retransmit lost EAP messages as fast as possible. On the other hand, care must be taken not to cause excessive and unnecessary retransmissions, in order to avoid flooding the back-end network.


Number of EAP messages

EAP can use different authentication mechanisms, each based on different cryptographic algorithms and requiring a different number of messages. Depending on network delay and packet loss rate, the number of messages can become an important factor affecting EAP authentication delay. For example, assuming a network delay of 10ms, an EAP method that requires 5 exchanges would introduce more than 100ms delay.


Cryptographic operations

Any EAP authentication mechanism is based on cryptographic algorithms using symmetric-key cryptography and/or public-key cryptography. It is a known fact that cryptographic operations may require large processing time. In the context of ubiquitous computing in general, this can raise a concern, especially when the STA consists of non-computer devices (PDA, sensors …). In such cases the cryptographic overhead may introduce unacceptable additional delays.
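
The factors above can be combined into a small delay model. The following is an added example, not code from the original article: the function names, the retransmission parameters (`rto_ms`, `max_retries`, `backoff`) and the choice of two round trips per EAP exchange are assumptions, the last one picked so that the loss-free result matches the 120ms and 100ms figures quoted above.

```python
"""Toy model of the handoff delay factors discussed in this article."""

def scanning_worst_case_ms(channels, beacon_interval_ms=100.0):
    # Worst case from the article: one full beacon interval per channel.
    return channels * beacon_interval_ms

def round_trip_ms(rtt_ms, loss, rto_ms=1000.0, max_retries=3, backoff=2.0):
    """Expected duration of one AP<->RADIUS round trip, given it completes,
    and the probability that every attempt is lost.

    rto_ms, max_retries and backoff are illustrative values, not taken
    from the RADIUS specification or from any AP vendor default.
    """
    if not 0.0 <= loss < 1.0:
        raise ValueError("loss must be in [0, 1)")
    p_ok = (1.0 - loss) ** 2      # request and reply must both arrive
    waited = 0.0                  # timeouts already spent before this attempt
    weighted = 0.0                # sum of P(success at attempt) * elapsed time
    p_reach = 1.0                 # probability that this attempt is needed
    for attempt in range(max_retries + 1):
        weighted += p_reach * p_ok * (waited + rtt_ms)
        waited += rto_ms * backoff ** attempt   # exponential back-off
        p_reach *= 1.0 - p_ok
    return weighted / (1.0 - p_reach), p_reach

def eap_auth_ms(exchanges, rtt_ms, loss=0.0, crypto_ms=0.0,
                round_trips_per_exchange=2, **retry):
    """Expected EAP delay and probability that the whole run completes.

    round_trips_per_exchange=2 is an assumption chosen so the loss-free
    result matches the article's figures (120 ms and 100 ms).
    """
    per_trip, p_fail = round_trip_ms(rtt_ms, loss, **retry)
    trips = exchanges * round_trips_per_exchange
    total = trips * per_trip + exchanges * crypto_ms
    return total, (1.0 - p_fail) ** trips

if __name__ == "__main__":
    print("scan, 3 channels:", scanning_worst_case_ms(3), "ms")
    for loss in (0.0, 0.01, 0.05):
        ms, p = eap_auth_ms(3, 20.0, loss)
        print(f"loss={loss:.0%}: {ms:7.1f} ms expected, P(complete)={p:.6f}")
```

With a retransmission timeout much larger than the RTT, even a small loss rate dominates the expected delay, which is why the retransmission parameters matter as much as the number of exchanges.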


Summary

Most of the literature attributes delays in wireless handoffs to the scanning phase. However, as we have seen in this article, the EAP authentication may also introduce substantial delays. This is particularly true when the authentication of a wireless client requires communication with back-end RADIUS servers that are not located near the fringe of the wireless access network.


In the next issue

In the next article in the series “Performance evaluation of wireless security systems”, we will see how to use tshark to capture RADIUS/EAP authentication exchanges and extract basic statistics that help in assessing the performance of wireless authentication systems.

