The 802.11 handoff process
Performance evaluation of wireless security systems - Part 2
This second article in the series “Performance evaluation of wireless security systems” is an in-depth review of the 802.11 handoff process that occurs when a station (STA) changes access point (AP). Since this series focuses on enterprise networks, we examine the 802.11i handoff and authentication process, which relies on back-end RADIUS servers.
What is a handoff
A handoff in 802.11 is the process that allows a wireless client (STA) to change access point (AP). When the STA detects a degradation of the communication quality, it considers changing access point and eventually decides to perform a handoff to a candidate access point that offers better signal quality. During a handoff, the station cannot communicate with any host on the Internet; only 802.11 management frames are exchanged with the infrastructure in order to establish a secure association with the next access point.
The 802.11 Handoff detection and decision
When the signal quality reaches a minimal threshold, the station may decide to initiate a handoff in order to connect to another AP offering better signal quality. This is often referred to as handoff detection. The handoff detection and decision process is vendor specific and is not specified by the 802.11 standards. Wireless interface drivers often offer configuration parameters that allow the user more control over the handoff decision process. Signal strength and signal-to-noise ratio are the most commonly used metrics. Signal strength decreases when the station is moving out of the radio range of the current AP, or when an obstacle between the STA and the AP is blocking the signal. The signal-to-noise ratio, on the other hand, generally worsens because of radio interference.
The decision to perform a handoff is a proactive measure for guaranteeing continuous network connectivity: when the station senses that the signal quality is getting bad, it assumes that it is going to get even worse.
The 802.11 Handoff steps
The handoff procedure in 802.11 wireless networks can be divided into four phases:
1. Network search and selection
When a station decides to perform a handoff, it needs to find candidate access points. In order to discover the possible APs to which it may switch, a STA performs a link layer procedure called “scan”. In 802.11, there are two methods of scanning, passive and active. In passive scanning, the STA listens for beacon frames issued by the APs at regular intervals. The beacon includes information such as the SSID, supported rates and security parameters. The STA can also obtain the same information by active scanning. Active scanning (or probing) consists of issuing probe request frames, to which APs respond with probe response frames carrying information similar to that of beacon frames.
This way, the STA collects information about candidate APs and chooses one of them. The selection of which access point to use depends on several parameters such as signal quality, access network capabilities, user preferences and policy.
2. Open System authentication and Association
After locating and selecting a handoff candidate AP, the STA negotiates the communication data rate and reserves resources on the new AP. Open System Authentication and Association consists of two exchanges. First, an Open System Authentication request is issued by the STA, and the AP replies with an Open System Authentication response that contains a success indication. The STA then issues an Association request that includes the desired SSID and its supported rates; the AP finally replies with an Association response including the supported data rates and the session ID.
3. 802.1X authentication
In pre-802.11i deployments, after Open System Authentication and Association, the STA would be able to gain network access. In 802.11i, however, this is not enough: in order to transmit data frames through an established association, the STA must unlock the 802.1X port mapped to the newly created association. To do that, the STA performs EAP authentication using 802.1X frames.
The EAP authentication is initiated when the STA issues an EAPOL-Start frame, or when the AP issues an EAP-Identity Request frame. The STA must then use its authentication credentials and a given EAP authentication method to authenticate against a back-end EAP server. The AP acts as a pass-through entity, forwarding EAP packets from the STA to the back-end EAP server and vice versa. EAP packets are extracted from 802.1X frames and encapsulated in AAA (RADIUS/Diameter) messages, then sent to the back-end EAP server, which extracts the EAP payload from the AAA packet and processes it before sending the reply message to the STA through the AP.
After several round trips (the number of round trips depends on the EAP authentication method in use), the EAP server decides whether the STA has successfully proven its identity. In case of success, the EAP server issues an EAP-Success message to the AP, and the AP then unlocks the 802.1X port mapped to the associated STA. The unlocked 802.1X port allows only protected and authenticated data frames to pass through. In order to build authenticated data frames, the STA needs to establish a link layer security association and cryptographic keys with the AP. This keying material is derived from a shared key called the Pairwise Master Key (PMK). The PMK is itself extracted from another key called the Master Session Key (MSK). The MSK is generated by the EAP server and the STA as a result of a successful EAP authentication. It is delivered by the EAP server to the AP in the final AAA message concluding a successful authentication.
4. Establishment of link layer security associations
In order to establish a security association, the STA and the AP perform a 4-way handshake. The objectives of the exchange are to confirm that the STA and the AP both hold the PMK, to confirm that the PMK is current, and to derive a fresh Pairwise Transient Key (PTK) from the PMK. It is the PTK that is then used to protect the data frames using the TKIP or CCMP mechanisms.
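The following worked example is added here and is not part of the original article; it shows, in code, the key material of phases 3 and 4: the PMK taken from the MSK delivered by the EAP server, the PTK derived from the PMK with the 802.11i PRF, and the EAPOL-Key MIC with which message 2 of the 4-way handshake proves to the AP that the STA holds the same, current PMK. It assumes CCMP (a 384-bit PTK and an HMAC-SHA1 based MIC), only messages 1 and 2 of the handshake, and constructed values for the MSK, the MAC addresses and the RSN information element; the helper names are my own.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the article): a 64-byte MSK as both the
# EAP server and the STA would hold it after a successful EAP method run, the
# two link-layer addresses of the association, and an RSN IE advertising CCMP
# with the 802.1X AKM. All are made up for this example.
MSK = hashlib.sha512(b"constructed-msk-for-example").digest()
AP_MAC = bytes.fromhex("020000000001")   # Authenticator Address (AA)
STA_MAC = bytes.fromhex("020000000002")  # Supplicant Address (SPA)
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")


def pmk_from_msk(msk: bytes) -> bytes:
    """Phase 3 result: 802.11i takes the PMK as the first 256 bits of the MSK."""
    return msk[:32]


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """The 802.11i PRF: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (PRF-384): KCK || KEK || TK, bound to both addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_sha1(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the 16-byte Key MIC.
MIC_OFFSET = 81


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes) -> bytes:
    """Minimal EAPOL-Key frame (descriptor type 2, RSN) with the MIC field zeroed."""
    body = struct.pack(">BHH", 2, key_info, 16)            # descriptor type, Key Info, Key Length
    body += struct.pack(">Q", replay_counter)
    body += nonce + bytes(16) + bytes(8) + bytes(8)        # Key Nonce, Key IV, Key RSC, reserved
    body += bytes(16)                                       # Key MIC, filled in by sign_frame()
    body += struct.pack(">H", len(key_data)) + key_data    # Key Data Length, Key Data
    return struct.pack(">BBH", 2, 3, len(body)) + body     # 802.1X version 2, type EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with a zeroed MIC field, 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_frame(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def four_way_handshake(pmk_sta: bytes, pmk_ap: bytes, anonce: bytes = b"", snonce: bytes = b""):
    """Messages 1 and 2 of the 4-way handshake. Returns (mic_ok, ptk_match):
    whether the AP accepted message 2, and whether both sides derived the same PTK."""
    anonce = anonce or os.urandom(32)               # message 1 (AP -> STA): ANonce, no MIC yet
    snonce = snonce or os.urandom(32)               # fresh SNonce chosen by the STA
    ptk_sta = derive_ptk(pmk_sta, AP_MAC, STA_MAC, anonce, snonce)
    # Key Info 0x010A: descriptor version 2, Pairwise, MIC present.
    msg2 = build_eapol_key(0x010A, 1, snonce, RSN_IE)
    msg2 = sign_frame(ptk_sta["KCK"], msg2)         # message 2 (STA -> AP): SNonce + MIC
    ptk_ap = derive_ptk(pmk_ap, AP_MAC, STA_MAC, anonce, snonce)
    mic_ok = verify_frame(ptk_ap["KCK"], msg2)      # AP checks that the STA holds its PMK
    return mic_ok, ptk_sta == ptk_ap


if __name__ == "__main__":
    pmk = pmk_from_msk(MSK)
    print("fresh PMK on both sides:", four_way_handshake(pmk, pmk))
    stale = pmk_from_msk(bytes(range(64)))           # a PMK left over from an earlier association
    print("STA reuses a stale PMK: ", four_way_handshake(stale, pmk))
```

Because the PTK is bound to ANonce and SNonce, a new pair of nonces at every handoff yields a new PTK even when the PMK is reused, and a STA that presents a MIC computed from a stale or wrong PMK is rejected at message 2 before any data frame is accepted on the unlocked 802.1X port.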
In the next article
We have seen the details of the 802.11 handoff process in enterprise networks (using 802.11i and EAP authentication). In the next article, we discuss the different factors that may affect performance in each of the four phases of the 802.11 handoff process.