802.11 Handoff performance -- Bibliography


Several phases are in the critical path of the 802.11 handoff process. For this reason, handoff latency is usually the result of a combination of different factors. This article collects scientific publications related to this topic.


Scanning phase: performance evaluation and improvements

  • Techniques to reduce the IEEE 802.11b handoff time [Velayos 2004]: Performance measurements indicating that the detection and search phases are the main contributors to the handoff time (in pre-802.11i). The authors propose optimal timings for the active scanning method.

Proactive key distribution (to the AP) for reducing authentication time

  • Proactive key distribution using neighbor graphs draft [Mishra 2004]: Using neighbor graphs to reduce the authentication time of an IEEE 802.11 handoff (full EAP-TLS) by proactively distributing the necessary key material one hop ahead of the mobile user.

Some comments on the reactive approach presented in the second part of this paper

  • The specification does not say what happens if the protocol fails; the following should be added: “If the STA moves to a new AP that uses an AAA server that does not share the MSKID with the STA, the STA will try to use fast re-authentication, but the AAA server will refuse by issuing an Access-Reject or by initiating a full EAP exchange.”
  • The reactive approach presented in this paper relies on the use of a canned EAP-Success message. EAP-Success messages are not acknowledged; for this reason, an EAP-Success message lost in the air (from AP→STA) will not be re-issued (the Access-Accept may be re-issued by the RADIUS server at the AAA layer when the AP re-sends the Access-Request). Will the STA thus wait indefinitely for an EAP-Success message lost in the air? Re-issuing a new EAP-Identity Response message is not possible, since it will be discarded as a replay. If the STA does not wait for the EAP-Success, then the protocol is vulnerable to DoS attacks, where a rogue AP advertising fake SSIDs can drive the STA all the way to the 4-way handshake. The 4-way handshake is vulnerable to DoS attacks since, after reception of the first message, the station does not time out while waiting for the subsequent messages from the AP. Rogue APs are generally detected earlier, during the EAP authentication, and can be blacklisted before reaching the 4-way handshake.
  • The following assumption is made: the EAP method derives PMK0 from a key MK that is freshly derived and unknown to the AP through which the EAP authentication took place (PMK0 != MK); otherwise the protocol would be vulnerable to impersonation by a compromised AP. As stated in RFC 3748, Section 7.10: “In many existing protocols that use EAP, the AAA-Key (PMK0) and MSK (MK) are equivalent”. The proposed protocol may therefore not work with methods that do not fulfill this requirement.
  • A compromised AP may force the STA to perform a full EAP authentication (by issuing a fake EAP-Failure), obtain PMK0 (from the EAP-Success), and then impersonate the STA in the local access network by issuing PMKID1 in a fake Identity-Response message to the AAA server. The next time the STA wants to perform fast re-authentication, the AAA server will discard its message as a replay.

Performance evaluation of EAP/RADIUS authentication


Other Approaches for optimizing handoff delays

  • EAP Fast Re-Authentication Protocol (EAP-FRAP) [Zrelli 2008]: An extension to the AAA/EAP authentication and key management framework that allows an EAP peer to perform fast re-authentication with the local EAP server after an initial full EAP authentication, performed with a legacy EAP method against the same or another EAP server.

Please let me know if you want to suggest other papers.

