On the Inter Access Point Protocol (802.11F) aka IAPP
The Inter Access Point Protocol (IAPP) is an IEEE standard (802.11F) that allows enhanced management of resources and wireless stations within an ESS.
IAPP involves communication between different APs over UDP. The packets can be protected using IPSec (ESP). All APs within an ESS share a secret with a central RADIUS server which is used as a distribution center for IPSec security policies and security associations.
What IAPP provides
AP resource optimization
During a handoff, IAPP allows the new AP to have the old AP remove any context information and free the resources associated with the STA.
- Case 1: During the handoff process, if the STA does not mention associations with previous APs, the new AP issues a UDP multicast message to all APs in the ESS. The IAPP ADD-notify packet can be protected using IPSec (ESP).
- Case 2: In case of reassociation, the new AP will issue a unicast IAPP ADD-notify packet to the previous AP. The unicast packet can be secured using IPSec (ESP), and the SAs are obtained from the RADIUS server.
In either case, the old AP receives the notification message from the new AP. Upon reception of this message, the old AP frees resources and removes any context information related to the STA.
Update L2 forwarding tables
The new AP issues an 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) Update response frame, which tells all L2 devices (bridges, switches and other APs) to update their forwarding tables so that L2 packets destined for the STA get forwarded to the new location (i.e. through the new AP).
Context transfer (Optional in case of reassociation)
IAPP allows the transfer of contexts from the old AP to the new AP. This feature can be used, for example, to transfer security context in order to speed up the handoff process. By avoiding full reauthentication and reusing the previously established trust relationship, the STA can associate with the new AP as soon as the context is transferred from the old AP. Note that IAPP does not define what a context is. It just specifies the protocol for transferring any kind of context information between two APs. (More info: Context transfer using neighbour graphs)
Proactive caching
Proactive caching is another feature of IAPP. It allows a STA to prepare context in its neighboring APs in order to reduce operations (authentication, context transfer) and speed up the roaming process. Proactive caching is thus simply proactive context transfer.
How does IAPP work with 802.11i?
802.11i does not allow security context transfer between APs (5.4.2.3 and 8.4.1.2.1). Therefore only the “L2 update” and “AP resource optimization” features are useful when IAPP is used in combination with 802.11i. IAPP cannot be used to provide faster authentication with 802.11i. 802.11i specifies two alternatives for reusing a pre-established security association:
- PMK caching (8.4.6.2): The STA can store, for a pre-defined period of time, the security association established with the current AP in order to reuse it when the STA returns. This feature is useful when the STA often comes back to the same APs.
- Pre-authentication over the DS (8.4.6.1): The STA can use its connection with the current AP in order to pre-authenticate with the next AP. The 802.1X frames are forwarded by the current AP over the DS to the next AP until the 802.1X authentication is achieved. When the STA associates with the new AP, only a 4-way handshake is needed to establish a security association. This alternative requires that the old AP and the new AP belong to the same ESS.
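The following Python sketch of AP-side PMK caching is an added example, not code from the original article or from any AP implementation. The PMKID formula is the one 802.11i defines; the class and function names, MAC addresses, PMK and lifetime are constructed for illustration.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), as defined by 802.11i."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

class PmksaCache:
    """Hypothetical AP-side cache of PMK security associations."""

    def __init__(self, aa: bytes, lifetime: float):
        self.aa = aa              # this AP's MAC (Authenticator Address)
        self.lifetime = lifetime  # the "pre-defined period of time", in seconds
        self._entries = {}        # PMKID -> (STA MAC, PMK, expiry time)

    def add(self, spa: bytes, pmk: bytes, now: float) -> bytes:
        """Store the PMK after a successful full 802.1X authentication."""
        ident = pmkid(pmk, self.aa, spa)
        self._entries[ident] = (spa, pmk, now + self.lifetime)
        return ident

    def on_reassociation(self, spa: bytes, offered: list, now: float) -> str:
        """Decide what the AP must run for the PMKIDs a STA offers."""
        for ident in offered:
            entry = self._entries.get(ident)
            if entry is None:
                continue          # unknown PMKID, e.g. cached at another AP
            cached_spa, _pmk, expiry = entry
            if now >= expiry:
                del self._entries[ident]   # stale association: evict
            elif hmac.compare_digest(cached_spa, spa):
                return "4-way-handshake"   # reuse PMK, skip 802.1X
        return "full-802.1X"

# Constructed sample values, not taken from any real network.
AP1, AP2 = bytes.fromhex("020000000a01"), bytes.fromhex("020000000a02")
STA = bytes.fromhex("020000000b01")
PMK = hashlib.sha256(b"constructed sample PMK").digest()

def demo() -> tuple:
    ap1, ap2 = PmksaCache(AP1, 3600), PmksaCache(AP2, 3600)
    ident = ap1.add(STA, PMK, now=0)
    return (ap1.on_reassociation(STA, [ident], now=10),    # STA returns in time
            ap2.on_reassociation(STA, [ident], now=10),    # other AP: nothing cached
            ap1.on_reassociation(STA, [ident], now=3600))  # lifetime elapsed

if __name__ == "__main__":
    print(demo())
```

Because the AP's own address is an input to the PMKID, an entry cached at one AP never matches at another, which is consistent with 802.11i not transferring security context between APs.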
