IEEE 802.11r for fast and secure wireless handoffs

The IEEE task group 'r' has undertaken the specification of extensions to the IEEE 802.11i standard that enable fast roaming between access points. This article is a detailed analysis of how the 802.11r standard works and how it reduces handoff delays.

The 802.11r operations

The 802.11r standard applies to a 3-tier reference architecture that divides the access network into mobility zones. A mobility zone is defined as the collection of lightweight access points connected to a central management unit, hereafter referred to as the controller. Generally, neighboring access points covering a certain geographic zone are grouped into a single mobility zone.

When an 802.11r compliant station enters a mobility zone, it first performs authentication using EAP. The resulting MSK is used by the station and the controller to derive a key called PMK-R0. PMK-R0 is then used to derive per-access-point PMKs, named PMK-R1. The controller finally sends the PMK-R1 keys to their corresponding access points. The mobility zone controller that holds the PMK-R0 key is called the R0 Key Holder (R0KH), while the access points to which PMK-R1 keys are delivered are R1 Key Holders (R1KH).

The key hierarchy specified by the IEEE 802.11r standard is summarized by the following derivations.

R0-Key-Data = KDF-384(XXKey, "FT-R0", SSIDlength || SSID || MDID || R0KHlength || R0KH-ID || S0KH-ID)

PMK-R0 = L(R0-Key-Data, 0, 256)

PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID)

PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || BSSID || STA-ADDR)

- XXKey is the second 256 bits of the MSK.
- S0KH-ID/S1KH-ID is the Supplicant's MAC address (SPA).
- R0KH-ID is the identifier of the holder of PMK-R0 in the Authenticator.
- MDID is the Mobility Domain Identifier.
- R1KH-ID is the MAC address of the holder of the PMK-R1 in the Authenticator of the AP.
- SNonce is a 256-bit random bit string contributed by the S1KH.
- ANonce is a 256-bit random bit string contributed by the R1KH.
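The derivation chain above, carried through in code as an added example (not part of the original article). The KDF internals follow the KDF-Hash-Length construction defined in IEEE 802.11 (HMAC-SHA-256 over a 16-bit little-endian counter, the label, the context and the 16-bit little-endian output length), which the text does not spell out; the field widths for SSIDlength (1 octet), MDID (2 octets) and R0KHlength (1 octet), the 384-bit PTKLen for CCMP-128, and all input values (MSK, SSID, MAC addresses, nonces) are assumptions or constructed sample data. The point to observe is that PMK-R0 stays on the controller: each AP only ever receives its own PMK-R1, and two APs in the same mobility domain derive different PMK-R1s from one PMK-R0.

```python
"""IEEE 802.11r (Fast BSS Transition) key hierarchy, derived end to end."""
import hashlib
import hmac
import struct


def kdf(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """KDF-Hash-Length as defined in IEEE 802.11 (assumed here, not stated on the page):
    out = HMAC-SHA-256(key, i || label || context || length_bits) for i = 1..ceil(L/256),
    with i and length_bits as 16-bit little-endian integers; truncate to length_bits."""
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def derive_pmk_r0(msk: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, s0kh_id: bytes) -> bytes:
    """PMK-R0 = L(KDF-384(XXKey, "FT-R0", SSIDlength || SSID || MDID || R0KHlength || R0KH-ID || S0KH-ID), 0, 256).
    XXKey is the second 256 bits of the MSK. Only the R0KH (controller) and the STA hold this key."""
    xxkey = msk[32:64]
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf(xxkey, b"FT-R0", context, 384)
    return r0_key_data[:32]  # L(R0-Key-Data, 0, 256)


def derive_pmk_r1(pmk_r0: bytes, r1kh_id: bytes, s1kh_id: bytes) -> bytes:
    """PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID): one per access point."""
    return kdf(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)


def derive_ptk(pmk_r1: bytes, snonce: bytes, anonce: bytes, bssid: bytes,
               sta_addr: bytes, ptk_len_bits: int = 384) -> bytes:
    """PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce || BSSID || STA-ADDR).
    PTKLen of 384 bits (KCK || KEK || TK for CCMP-128) is an assumption."""
    return kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr, ptk_len_bits)


# Constructed sample inputs (in a real system MSK and nonces come from EAP and os.urandom).
MSK = bytes(range(64))                              # 512-bit MSK from EAP (constructed)
SSID = b"corp-wlan"
MDID = b"\x12\x34"                                  # Mobility Domain Identifier (constructed)
R0KH_ID = b"controller.example"                     # NAS-ID style R0KH identifier (constructed)
STA_ADDR = bytes.fromhex("021122334455")            # S0KH-ID / S1KH-ID = supplicant MAC (constructed)
AP1_ADDR = bytes.fromhex("02aabbccdd01")            # R1KH-ID / BSSID of first AP (constructed)
AP2_ADDR = bytes.fromhex("02aabbccdd02")            # R1KH-ID / BSSID of second AP (constructed)
SNONCE = b"\x11" * 32                               # constructed, fixed for reproducibility
ANONCE = b"\x22" * 32                               # constructed, fixed for reproducibility


def demo() -> dict:
    """Walk the hierarchy for one STA roaming between two APs of the same mobility domain."""
    pmk_r0 = derive_pmk_r0(MSK, SSID, MDID, R0KH_ID, STA_ADDR)   # controller + STA only
    pmk_r1_ap1 = derive_pmk_r1(pmk_r0, AP1_ADDR, STA_ADDR)       # pushed to AP1
    pmk_r1_ap2 = derive_pmk_r1(pmk_r0, AP2_ADDR, STA_ADDR)       # pushed to AP2
    return {
        "pmk_r0": pmk_r0,
        "pmk_r1_ap1": pmk_r1_ap1,
        "pmk_r1_ap2": pmk_r1_ap2,
        # PTKs bind the per-AP PMK-R1 to the nonces of this particular (re)association.
        "ptk_ap1": derive_ptk(pmk_r1_ap1, SNONCE, ANONCE, AP1_ADDR, STA_ADDR),
        "ptk_ap2": derive_ptk(pmk_r1_ap2, SNONCE, ANONCE, AP2_ADDR, STA_ADDR),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value.hex()}")
```

Because PMK-R1 is a one-way function of PMK-R0 and the AP's own R1KH-ID, an attacker who compromises one AP learns only that AP's PMK-R1 and cannot reconstruct PMK-R0 or the PMK-R1s of its neighbors; the same input to `kdf` always yields the same key, which is why the STA can precompute the PMK-R1 for a target AP before roaming.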

Access points that support 802.11r fast transition advertise this capability in Beacon and Probe response frames by including a Mobility Domain Information Element (MDIE) described in 802.11r.

During the initial association in a mobility zone, an 802.11r capable STA and AP perform an Open System Authentication exchange, followed by an FT Reassociation Exchange that differs from the 802.11 Reassociation Exchange by including an MDIE in the Reassociation Request to indicate that the STA wishes to use 802.11r. Moreover, a Fast Transition Information Element (FTIE) is included in the Reassociation Response frame issued by the AP. The FTIE carries the R0KH-ID as well as the current access point's R1KH-ID. After successful 802.1X authentication, the AP and STA engage in an FT four-way handshake that differs from the 802.11i handshake by carrying extra MDIE and FTIE components, needed for the derivation of PMK-R1s and PTKs.

Exchanges for performing subsequent handoffs within the mobility domain are slightly different. The 802.11r amendment attempts to reduce latency by overlaying key management on top of the 802.11 reassociation process. The Authentication Exchange and the Association Exchange are used to perform an FT Protocol exchange that allows the STA and AP to agree on the PMK-R1 and derive PTKs. The FT protocol thus replaces the FT four-way handshake and reduces the total number of messages needed to perform a full reassociation to four.

When the STA wishes to (pre-)associate with an AP over the distribution system, the STA and the AP perform an over-the-DS FT Protocol exchange. The AP to which the STA is currently associated routes the frames between the STA and the target AP. The FT protocol over the DS uses a new FT Request/Response (Action Frames) exchange to replace the Authentication exchange, followed by an Association Exchange to negotiate ciphersuites and derive PTKs on both the STA and the AP.
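A station decides whether 802.11r is usable, and whether over-the-DS pre-association is permitted, from the MDIE it sees in Beacon/Probe Response frames, and learns the R0KH-ID and R1KH-ID from the FTIE in the Reassociation Response. The parser below is an added example (not the article's code). The element layouts follow IEEE 802.11 as I understand it and are not stated on the page: MDIE is element ID 54 with a 2-octet MDID and a 1-octet FT Capability and Policy field (bit 0 = FT over DS, bit 1 = Resource Request Protocol); FTIE is element ID 55 with MIC Control (2), MIC (16 for 128-bit AKMs), ANonce (32), SNonce (32) and optional subelements, of which ID 1 is R1KH-ID and ID 3 is R0KH-ID. The frame bodies are constructed sample data.

```python
"""Parse the 802.11r information elements a STA inspects before and during a fast transition."""
from typing import Dict, Iterator, Tuple

# Element and subelement identifiers as defined in IEEE 802.11 (assumed, not from the page).
MDIE_ID = 54            # Mobility Domain element
FTIE_ID = 55            # Fast BSS Transition element
FT_SUB_R1KH_ID = 1      # FTIE subelement: PMK-R1 key holder identifier
FT_SUB_R0KH_ID = 3      # FTIE subelement: PMK-R0 key holder identifier


def iter_elements(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (element_id, payload) from a sequence of ID / Length / Value elements.
    A length that overruns the buffer is rejected rather than silently truncated."""
    off = 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        payload = body[off + 2: off + 2 + elen]
        if len(payload) != elen:
            raise ValueError(f"element {eid} claims {elen} octets but only {len(payload)} remain")
        yield eid, payload
        off += 2 + elen


def parse_mdie(payload: bytes) -> Dict[str, object]:
    """MDIE payload: MDID (2 octets) || FT Capability and Policy (1 octet)."""
    if len(payload) != 3:
        raise ValueError("MDIE must be exactly 3 octets")
    caps = payload[2]
    return {
        "mdid": payload[:2].hex(),
        "ft_over_ds": bool(caps & 0x01),          # STA may use the over-the-DS FT protocol
        "resource_request": bool(caps & 0x02),    # Resource Request Protocol supported
    }


def parse_ftie(payload: bytes, mic_len: int = 16) -> Dict[str, object]:
    """FTIE payload: MIC Control (2) || MIC (mic_len) || ANonce (32) || SNonce (32) || subelements.
    mic_len of 16 octets corresponds to the 128-bit MIC AKMs (assumption)."""
    fixed = 2 + mic_len + 64
    if len(payload) < fixed:
        raise ValueError("FTIE shorter than its fixed fields")
    result: Dict[str, object] = {
        "element_count": payload[1],              # second octet of MIC Control
        "mic": payload[2: 2 + mic_len].hex(),
        "anonce": payload[2 + mic_len: 34 + mic_len].hex(),
        "snonce": payload[34 + mic_len: fixed].hex(),
        "r0kh_id": None,
        "r1kh_id": None,
    }
    for sid, sub in iter_elements(payload[fixed:]):
        if sid == FT_SUB_R1KH_ID:
            result["r1kh_id"] = sub.hex()         # the target AP's R1KH-ID (its MAC address)
        elif sid == FT_SUB_R0KH_ID:
            result["r0kh_id"] = sub                # NAS-ID style identifier of the controller
    return result


def parse_ft_elements(body: bytes) -> Dict[str, object]:
    """Extract MDIE and FTIE (if present) from a Beacon, Probe/Reassociation Response body."""
    found: Dict[str, object] = {"mdie": None, "ftie": None}
    for eid, payload in iter_elements(body):
        if eid == MDIE_ID:
            found["mdie"] = parse_mdie(payload)
        elif eid == FTIE_ID:
            found["ftie"] = parse_ftie(payload)
    return found


def build_element(eid: int, payload: bytes) -> bytes:
    """Helper used only to construct the sample frame bodies below."""
    return bytes([eid, len(payload)]) + payload


# Constructed sample data: a Beacon that advertises FT with over-the-DS allowed ...
SAMPLE_BEACON_BODY = build_element(MDIE_ID, b"\x12\x34" + b"\x01")
# ... and a Reassociation Response from the initial association (MIC zero, no element count yet).
_AP_MAC = bytes.fromhex("02aabbccdd01")
_FTIE_PAYLOAD = (b"\x00\x00" + b"\x00" * 16 + b"\x22" * 32 + b"\x11" * 32
                 + build_element(FT_SUB_R1KH_ID, _AP_MAC)
                 + build_element(FT_SUB_R0KH_ID, b"controller.example"))
SAMPLE_REASSOC_RESP_BODY = SAMPLE_BEACON_BODY + build_element(FTIE_ID, _FTIE_PAYLOAD)

if __name__ == "__main__":
    print(parse_ft_elements(SAMPLE_BEACON_BODY))
    print(parse_ft_elements(SAMPLE_REASSOC_RESP_BODY))
```

A supplicant should refuse the FT path when the MDID advertised by the target AP differs from the one it authenticated under, and should only attempt the over-the-DS exchange when the `ft_over_ds` bit is set; the length check in `iter_elements` matters because the FTIE subelement list is attacker-controlled input on the wireless side.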

802.11r performance improvements over 802.11i

The 802.11r amendment reduces the number of messages to establish fresh PTKs to four messages involving only the STA and the local AP (and the DS in case of pre-association). Following the FT protocol exchange the STA and the AP are ready to transmit data securely.

Performance evaluations [1] [2] have shown that over-the-air 802.11r fast transitions take from 40 to 50 ms (excluding scanning delays), which is considerably faster than the traditional 802.11i handoff scheme, which requires a full EAP authentication at each handoff.