Several phases are in the critical path of the 802.11 handoff process, so handoff latency can result from a combination of different factors. This article collects scientific publications related to this topic.
- An empirical analysis of the IEEE 802.11 MAC layer handoff process [Mishra 2003]: Study that shows latency introduced by probe/scanning phase and possible optimization by fine tuning scan timers.
- Improving the latency of 802.11 hand-offs using neighbor graphs [Minho 2004]: Discovery method using neighbor graphs for optimizing scanning delays during handoffs.
- Techniques to reduce the IEEE 802.11b handoff time [Velayos 2004]: Performance measurements indicating that the detection and search phases are the main contributors to the handoff time (in pre-802.11i). The authors propose optimal timings for the active scanning method.
Some comments on the reactive approach presented in the second part of this paper:
- The specification does not say what happens if the protocol fails; the following should be added: "If the STA moves to a new AP that uses an AAA server that does not share the MSKID with the STA, the STA will try to use the fast re-authentication but the AAA server will refuse by issuing an Access-Reject or by initiating a full EAP exchange".
- The reactive approach presented in this paper relies on the use of a canned EAP-Success message. EAP-Success messages are not acknowledged; for this reason, an EAP-Success message lost in the air (from AP→STA) will not be re-issued (the Access-Accept may be re-issued by the RADIUS server at the AAA layer when the AP re-sends the Access-Request). Will the STA thus wait indefinitely for an EAP-Success message lost in the air? Re-issuing a new EAP-Identity Response message is not possible, since it will be discarded as a replay. If the STA does not wait for the EAP-Success, then the protocol is vulnerable to DoS attacks, where a rogue AP advertising fake SSIDs can drive the STA up to the 4-way handshake. The 4-way handshake is vulnerable to DoS attacks since, after reception of the first message, the station does not time out before receiving subsequent messages from the AP. Rogue APs are generally detected earlier, during the EAP authentication, and can be blacklisted before reaching the 4-way handshake.
- The following assumption is made: the EAP method derives PMK0 from a key MK that is freshly derived and unknown to the AP through which the EAP authentication took place (PMK0 != MK); otherwise the protocol would be vulnerable to impersonation by a compromised AP. As stated in RFC 3748 Section 7.10, "In many existing protocols that use EAP, the AAA-Key (PMK0) and MSK (MK) are equivalent". The proposed protocol may not work with methods that do not fulfill this requirement.
- A compromised AP may oblige the STA to use full EAP authentication (by issuing a fake EAP-Failure), obtain PMK0 (from the EAP-Success), then impersonate the STA in the local access network by issuing PMKID1 in a fake Identity-Response message to the AAA server. The next time the STA wants to do fast re-authentication, the AAA server will discard the message as a replay.
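As an added illustration (not code from the original post or from the paper under discussion), the following Python model shows the liveness problem raised in the second comment: a peer that has sent its fast re-authentication Identity-Response and is waiting for an unacknowledged, canned EAP-Success. Without a bound on the wait, a single lost frame leaves the peer stuck; with a bound, the peer gives up and falls back to a full EAP exchange (the only path the AAA server will accept, since a re-issued Identity-Response is treated as a replay). The state names, the timer value and the fallback behaviour are assumptions made for the illustration, not taken from any specification.

```python
"""Toy model of an EAP peer waiting for a canned EAP-Success after sending a
fast re-authentication Identity-Response. The states, the timer value and the
fallback to a full EAP exchange are constructed for illustration only."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Tuple


class PeerState(Enum):
    IDLE = auto()
    WAIT_SUCCESS = auto()   # Identity-Response sent, waiting for EAP-Success
    FULL_AUTH = auto()      # gave up on fast re-auth, running a full EAP method
    AUTHENTICATED = auto()


@dataclass
class Peer:
    # None models the "wait indefinitely" behaviour discussed above.
    success_timeout: Optional[float]
    state: PeerState = PeerState.IDLE
    sent_at: float = 0.0
    log: List[Tuple[float, str]] = field(default_factory=list)

    def start_fast_reauth(self, now: float) -> None:
        # A re-issued Identity-Response would be discarded as a replay, so the
        # peer sends it exactly once and then waits.
        self.state = PeerState.WAIT_SUCCESS
        self.sent_at = now
        self.log.append((now, "Identity-Response(PMKID) sent"))

    def on_eap_success(self, now: float) -> None:
        if self.state is PeerState.WAIT_SUCCESS:
            self.state = PeerState.AUTHENTICATED
            self.log.append((now, "EAP-Success received"))

    def tick(self, now: float) -> None:
        # Periodic timer check. With success_timeout=None the peer never leaves
        # WAIT_SUCCESS once the single EAP-Success frame has been lost.
        if (self.state is PeerState.WAIT_SUCCESS
                and self.success_timeout is not None
                and now - self.sent_at >= self.success_timeout):
            self.state = PeerState.FULL_AUTH
            self.log.append((now, "no EAP-Success: falling back to full EAP"))


def simulate(success_timeout: Optional[float], success_delivered: bool,
             horizon: float = 10.0, step: float = 0.5) -> PeerState:
    """Run one peer against a channel that either delivers or drops the single
    canned EAP-Success frame at t=1.0 (constructed scenario). Returns the
    peer's final state at the end of the simulated horizon."""
    peer = Peer(success_timeout)
    t = 0.0
    peer.start_fast_reauth(t)
    while t <= horizon:
        if success_delivered and abs(t - 1.0) < 1e-9:
            peer.on_eap_success(t)
        peer.tick(t)
        t += step
    return peer.state


if __name__ == "__main__":
    for timeout in (None, 3.0):
        for delivered in (True, False):
            print(f"timeout={timeout!s:>4} delivered={delivered!s:>5} "
                  f"-> {simulate(timeout, delivered).name}")
```

Running the block prints the four combinations: the unbounded peer reaches AUTHENTICATED only when the frame arrives and otherwise stays in WAIT_SUCCESS for the whole horizon, while the bounded peer ends in FULL_AUTH after the timer fires. The timer does not remove the trade-off described above; it only converts an indefinite hang into a bounded delay followed by the full exchange.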
- Context Caching using Neighbor Graphs for Fast Handoffs in a Wireless Network [Mishra 2004]: Same as above?
- An Accelerated IEEE 802.11 Handoff Process Based on the Dynamic Cluster Chain Method [Huang 2007]: Uses neighbor graphs to dynamically select clusters of APs to which the PMKSA is proactively distributed, speeding up the authentication process.
- Experimental Evaluation of EAP Performance in Roaming Scenarios [Zrelli 2007]: Performance of inter-domain EAP authentication over RADIUS in an emulated environment.
- EAP Fast Re-Authentication Protocol (EAP-FRAP) [Zrelli 2008]: An extension to the AAA/EAP authentication and key management framework that allows an EAP peer to perform fast re-authentications with the local EAP server after an initial full EAP authentication using a legacy EAP method with the same or another EAP server.
Please let me know if you want to suggest other papers.
Labels: wireless, performance, security