
Wireless Pers Commun (2007) 43:907–918 DOI 10.1007/s11277-007-9264-5

BSS transition optimizations and analysis for VoIP over WLAN

Emily Qi · Sangeetha Bangolae · Kapil Sood · Jesse Walker

Received: 15 May 2006 / Accepted: 22 January 2007 / Published online: 12 April 2007 © Springer Science+Business Media B.V. 2007

Abstract Voice over IP (VoIP) is emerging as a critical application for IEEE 802.11 Wireless Local Area Networks (WLANs). However, the limited range of the IEEE 802.11 radio forces frequent transitions from one access point to another. Moreover, the introduction of IEEE 802.11i security and IEEE 802.11e Quality of Service (QoS) has increased the average transition time from ms to seconds, leaving mobile users with the unenviable dilemma of choosing good security and QoS while sacrificing real-time performance, or gaining acceptable real-time performance at the expense of security and QoS. Thus, optimizations to device transitioning that will provide an acceptable balance of latency, security, and QoS are needed to enable VoIP. This paper analyzes the WLAN MAC layer transition procedure and optimizations being considered by the IEEE 802.11 Working Group to improve transition times while retaining good security and QoS. The transition time improvements proposed in this paper are achieved through discovery phase optimizations and transition phase optimizations. The selective scanning and smart AP selection algorithms are designed to optimize the discovery phase to enable the mobile device to better exploit its ambient radio resource environment. The transition phase optimization seeks to accelerate device transition without compromising security. The paper then identifies security flaws in the current design and proposes simple corrections. Finally, experiment results for transition optimization are explained that demonstrate a significant increase in transition efficiency.

E. Qi (corresponding author) · S. Bangolae · K. Sood · J. Walker
Corporate Technology Group, Intel Corporation, Hillsboro, OR, USA
e-mail: [email protected]

S. Bangolae
e-mail: [email protected]

K. Sood
e-mail: [email protected]

J. Walker
e-mail: [email protected]

Keywords Seamless Handover · Quality of Service · VoIP · Security · Wireless LAN · IEEE 802.11 · BSS Transition

1 Introduction

The IEEE 802.11 Standard [1] enables low cost and effective Wireless Local Area Networks (WLANs). This standard operates in unlicensed spectrum (2.4 GHz in 802.11b/g and 5 GHz in 802.11a), enabling high speed networks (11 Mbps in 802.11b, and up to 54 Mbps for 802.11g/a) that can be deployed by individuals and organizations. IEEE 802.11 support has become standard on mobile devices, such as laptop computers and handheld devices. With this broad adoption of IEEE 802.11, Voice over IP (VoIP) is emerging as an attractive application for IEEE 802.11.

To improve WLAN capacity and scalability, enterprises deploy a large number of Access Points (APs), resulting in High-Density 802.11 networks. High density networks, however, suffer from greater interference among radios, which, even without client movement, causes devices to transition among APs during on-going communication. A transition scheme that preserves both security and QoS without disrupting existing transfers is therefore required. Furthermore, VoIP imposes stringent performance constraints on device transition. Humans perceive degraded voice quality if the device transition between APs exceeds about 50 ms, and if device transition between APs consumes more than about 500 ms, the voice call may be dropped.

AP scanning and discovery consumes the lion's share of the time needed to select a new AP under the legacy IEEE 802.11 design. Improved WLAN security and QoS, however, have introduced additional delay to device transition that increases the possible transition time from a few hundred ms to several seconds. Indeed, IEEE 802.11i [2] adds a minimum of two round trips and a series of cryptographic operations to each transition, and IEEE 802.11e [3] adds at least one round trip and a complex bandwidth allocation algorithm. The latency introduced by these new services can greatly exceed the real-time constraints imposed by VoIP. Thus, VoIP will become viable within an 802.11 WLAN only if better latency bounds are achieved.

This paper analyzes the optimizations we and others have proposed to the IEEE 802.11 Working Group to improve transition latency without degrading security and QoS. Two categories of optimizations are defined, one for the discovery phase, and a second for the transition phase. The discovery phase optimizations are based on the Neighbor Report proposed in the IEEE 802.11k draft [4]. The Neighbor Report identifies other APs near a device's currently associated AP, allowing it to reduce the scanning latency needed to identify potential target APs. The transition phase optimizations are based on the Fast Transition scheme in the IEEE 802.11r draft [5,7], which defines a new key hierarchy optimized for mobility, as well as a "compactification" of 802.11 Reassociation, 802.11i key management, and 802.11e bandwidth allocation into two round trips.

How does this design measure up against its objectives? Qualitatively, it seems to improve performance noticeably. The design removes the expensive scanning step from the direct transition process. It reduces the number of round trips at transition from five or more to two, and allows pre-computation of the PTK. It permits data to continue to flow until the moment of transition, resulting in fewer lost data frames. This paper also presents experimental evidence supporting this qualitative analysis.

The remainder of this paper is organized as follows. Section 2 gives a more detailed description of the MAC layer architecture of WLAN and of the IEEE 802.11 transition procedures. Section 3 focuses on the discovery phase transition optimizations. Section 4 presents the transition phase optimizations [5,7,8], along with a security and performance evaluation of the existing design. Section 5 provides a security analysis of the new transition process. Section 6 describes a test bed and experiments to evaluate the efficacy of the design. Section 7 summarizes the paper.

2 IEEE 802.11 MAC Layer roaming procedures

The 802.11 architecture is comprised of several components and services that interact to provide station (STA) mobility. The 802.11 architecture is split into a physical (PHY) layer and a medium access control (MAC) layer. The PHY layer consists of the radio and the radio's shared channel. The MAC layer maintains communications among 802.11 STAs by managing the operation of the PHY and by utilizing protocols that support and enhance communications over the radio medium.

A Basic Service Set (BSS) is a "network segment." A BSS consists of a single AP, together with the group of associated 802.11 STAs. A BSS network is also called an infrastructure network. During transition, a mobile station leaves one BSS and joins another. A transition requires two execution phases: a Discovery phase and a Transition phase. The following sections describe each phase in detail. Figure 1 depicts the entire process.


Fig. 1 BSS transition procedure. [Figure: message sequence among STA, Old AP, New AP and the Distribution System. Discovery Phase: Beacon, Probe Request, Probe Response. Transition Phase: 802.11 Authentication Exchange, (Re)Association Exchange, 802.1X Authentication Method and Key Exchange, Successful (and Secure) Association and Data Exchange.]

2.1 Discovery phase

The 802.11 discovery consists of scanning to locate candidate APs, and deciding on the target AP with which to associate. A mobile station continuously scans for all of the APs within its range. Scanning is either active or passive. Passive scanning is accomplished by listening for Beacon frames, which an AP typically sends at 100 ms intervals to announce its presence. Each Beacon provides timing for its BSS, and also advertises the BSS configuration and policy. A mobile station listens for Beacons on each radio channel in succession, thereby identifying the APs that are using a particular channel. A mobile station actively scans by broadcasting a Probe Request message on each radio channel. An AP that receives a Probe Request replies with a Probe Response frame, which reports the same policy and configuration as does the Beacon.

For each AP discovered, the mobile station accumulates roaming triggers that are used as input to AP selection. Roaming triggers consist of the measured signal strength and signal-to-noise ratio of each AP known to be within range, as well as the frame loss rate of the current association. When the station has identified one or more candidate APs, it selects a new target AP based on the information accumulated during the scanning process.

Scanning dominates the discovery phase latency. This latency is a function of the number of radio channels available and the waiting time for each channel. In a typical enterprise environment, scanning can take up to 1 s, but a scanning latency of 200–300 ms is typical. Figure 2 depicts a typical scanning process.

2.2 Transition phase

Once a mobile station identifies a suitable candidate AP, the station breaks its association with the current AP and then reassociates with the targeted AP. The mobile station performs the following transition steps:

1. The mobile station stops data transmission to its current AP.

2. The mobile station switches its radio to the channel used by the targeted AP.

3. The mobile station completes a Reassociation Request/Response exchange with the targeted AP.

4. If Reassociation succeeds, the targeted AP is the mobile station's new AP, and the mobile station authenticates and performs 802.11i key management with the new AP, to secure its new link.

5. The mobile station requests that the new AP allocate bandwidth to maintain the quality-of-service required by its applications.

6. When these steps are completed, data flow resumes between the mobile station and the infrastructure, now via the new AP.

Fig. 2 Typical scanning process

The introduction of IEEE 802.11i security and the negotiation of QoS using 802.11e have increased this transition time from a few ms to a few seconds.

3 Discovery phase optimizations

This section describes two schemes designed to decrease the discovery phase latency: Selective Channel Scanning and Smart AP Selection.

3.1 Selective channel scanning

Scanning latency is a function of the number of radio channels available and the waiting time for each channel. The waiting time is the time it takes for the mobile station to receive the Beacon and Probe Responses. Since Beacons arrive periodically, the total scanning delay can be determined by the number of channels that must be scanned. In the United States, 11 channels may be used in IEEE 802.11b and 802.11g networks, and up to 14 channels may be used in IEEE 802.11a networks. However, in order to avoid adjacent channel interference, only three channels are typically used. If the channels where the mobile station can locate an AP are identified, the mobile station scans only those specific channels.

The IEEE 802.11k draft addresses this delay by introducing the Neighbor Report. An AP can send unsolicited Neighbor Reports to associated mobile stations, or it can send Neighbor Reports in response to a mobile station's request. A list of candidate APs that the mobile station may consider as potential transition targets is identified in the Neighbor Report. Each Neighbor Report message conveys the following information about the nearby APs within the same administrative domain:

• The AP's MAC address,
• The AP's current channel, and
• The AP's PHY type, i.e., whether it uses an 802.11a, 802.11b, or 802.11g radio.

A mobile station receiving an 802.11k Neighbor Report may use this information to implement selective channel scanning. With selective channel scanning, the mobile station scans only the channels specified by the Neighbor Report to receive Beacons and Probe Responses. Limiting channel scanning in this manner can significantly reduce scanning latency because it allows the STA to ignore unused channels.

3.2 Smart AP selection

During scanning, the mobile station measures the signal strength of the AP via received Beacons and Probe Responses. The mobile station uses this information to help choose a target AP. However, a higher received signal strength indicator does not guarantee that the mobile station will experience higher throughput in the selected AP or receive a service with characteristics acceptable for a VoIP call. The reason is that, in currently deployed WLANs, the 802.11 Distributed Coordination Function (DCF) mediates access to the medium. The performance of a DCF mediated channel primarily depends on channel busy fraction, the number of competing (active) mobile stations, and the available admission capacity. The throughput per device decreases when the number of devices competing for the channel increases, resulting in degraded performance. If a mobile station were to target an AP based only on the received signal quality, it could potentially buy itself poor network service.

To help a mobile station more intelligently select a new AP, the IEEE 802.11e standard introduced the QoS Basic Station Set (QBSS) Load information element. The QBSS Load information element characterizes the current station population and traffic levels at the AP, including the total number of STAs currently associated with this AP, its total channel utilization, and the Available Admission Capacity (AAC). The AAC field specifies the remaining medium time available.

An AP advertises its QBSS Load element in Beacons and Probe Responses, allowing the STA to learn the AP load along with the Received Signal Strength during scanning. Based on the channel characterization and its own VoIP needs, the Smart AP Selection algorithm at the STA estimates its QoS bandwidth requirements, and then selects an AP that can provide a service acceptable for a VoIP call. It accomplishes this as follows. The VoIP-Capability is defined as the AP's Available Admission Capacity (AP-AAC), from the QBSS Load, divided by the STA's Estimated Medium Time (STA-EMT):

$$\text{VoIP-Capability} = \frac{\text{AP-AAC}}{\text{STA-EMT}}, \qquad (1)$$

where

$$\text{STA-EMT} = \text{Surplus Bandwidth Allowance} \times \text{pps} \times \text{MPDUExchangeTime};$$

$$\text{pps} = \left\lceil \frac{\text{Mean Data Rate}}{8 \times \text{Nominal MSDU Size}} \right\rceil;$$

$$\text{MPDUExchangeTime} = \text{duration}(\text{Nominal MSDU Size}, \text{Minimum PHY Rate}) + \text{SIFS} + \text{ACKduration}.$$

duration() is the 802.11 PLME-TXTIME primitive that returns the duration of a frame based on its payload size and the PHY data rate employed. There are two points to consider when estimating STA-EMT. The first is the traffic requirements of the application, which are captured by two parameters, the Nominal MSDU Size and the Mean Data Rate. The second is the expected error rate of the medium. The expected error rate of the medium is captured by two parameters, the Surplus Bandwidth Allowance and Minimum PHY Rate. The Surplus Bandwidth Allowance indicates the excess allocation of time (and bandwidth) over and above the stated application rates required to transport an MSDU belonging to the Traffic Stream. After estimating the VoIP Capability for potential APs, the mobile station can select the AP that offers the highest VoIP Capability. The optimization tends to minimize the need for frequent AP-to-AP transitions, and improves the efficiency and effectiveness of the AP Discovery phase.
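As an added example (not code from the paper or its prototype), the following Python computes STA-EMT and the VoIP-Capability of Eq. (1) for a G.711-style 20 ms stream and ranks constructed candidate APs by it, alongside the naive highest-RSSI choice that Sect. 3.2 warns against. The 802.11b airtime model in duration_us(), the MAC overhead sizes, the TSPEC values and the AP list are assumptions of this example, not figures from the paper.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Simplified 802.11b DSSS (long preamble) airtime model, in microseconds.
# Assumed here in place of the PLME-TXTIME primitive the paper cites.
PLCP_PREAMBLE_AND_HEADER_US = 192   # 144 us preamble + 48 us PLCP header
SIFS_US = 10
MAC_OVERHEAD_BYTES = 36             # 24-byte MAC header + 8-byte LLC/SNAP + 4-byte FCS
ACK_FRAME_BYTES = 14
ACK_RATE_MBPS = 2                   # ACKs assumed at a 2 Mbps basic rate


def duration_us(msdu_bytes: int, phy_rate_mbps: float) -> int:
    """duration(): airtime of one data MPDU carrying an MSDU at the given PHY rate."""
    bits = 8 * (msdu_bytes + MAC_OVERHEAD_BYTES)
    return PLCP_PREAMBLE_AND_HEADER_US + math.ceil(bits / phy_rate_mbps)


def ack_duration_us() -> int:
    """ACKduration: the 14-byte ACK frame sent at the basic rate."""
    return PLCP_PREAMBLE_AND_HEADER_US + math.ceil(8 * ACK_FRAME_BYTES / ACK_RATE_MBPS)


@dataclass(frozen=True)
class Tspec:
    """The TSPEC fields the paper feeds into STA-EMT."""
    nominal_msdu_size: int          # bytes
    mean_data_rate: int             # bits per second
    min_phy_rate_mbps: float
    surplus_bandwidth_allowance: float


def packets_per_second(ts: Tspec) -> int:
    """pps = ceil(Mean Data Rate / (8 x Nominal MSDU Size))."""
    return math.ceil(ts.mean_data_rate / (8 * ts.nominal_msdu_size))


def mpdu_exchange_time_us(ts: Tspec) -> int:
    """MPDUExchangeTime = duration(MSDU, Minimum PHY Rate) + SIFS + ACKduration."""
    return (duration_us(ts.nominal_msdu_size, ts.min_phy_rate_mbps)
            + SIFS_US + ack_duration_us())


def sta_emt_us_per_s(ts: Tspec) -> float:
    """STA-EMT = Surplus Bandwidth Allowance x pps x MPDUExchangeTime
    (microseconds of medium time needed per second)."""
    return ts.surplus_bandwidth_allowance * packets_per_second(ts) * mpdu_exchange_time_us(ts)


@dataclass(frozen=True)
class CandidateAp:
    bssid: str
    rssi_dbm: int
    aac_us_per_s: int   # AP-AAC: Available Admission Capacity from the QBSS Load element


def voip_capability(ap: CandidateAp, ts: Tspec) -> float:
    """Eq. (1): VoIP-Capability = AP-AAC / STA-EMT."""
    return ap.aac_us_per_s / sta_emt_us_per_s(ts)


def select_by_rssi(aps: List[CandidateAp]) -> CandidateAp:
    """The naive choice the paper warns against: strongest signal wins."""
    return max(aps, key=lambda ap: ap.rssi_dbm)


def select_smart(aps: List[CandidateAp], ts: Tspec) -> Optional[CandidateAp]:
    """Smart AP Selection: highest VoIP-Capability among APs that can still admit
    at least one such stream (capability >= 1); None if no AP qualifies."""
    admissible = [ap for ap in aps if voip_capability(ap, ts) >= 1.0]
    if not admissible:
        return None
    return max(admissible, key=lambda ap: voip_capability(ap, ts))


# Constructed sample input: a G.711-style stream, 160 bytes of audio every 20 ms
# plus 40 bytes of RTP/UDP/IP headers (80 kbit/s), on an 802.11b cell.
G711_20MS = Tspec(nominal_msdu_size=200, mean_data_rate=80_000,
                  min_phy_rate_mbps=11.0, surplus_bandwidth_allowance=1.1)

# Constructed candidates: the strongest AP is almost fully admitted already.
SAMPLE_APS = [
    CandidateAp("00:11:22:33:44:01", rssi_dbm=-45, aac_us_per_s=30_000),
    CandidateAp("00:11:22:33:44:02", rssi_dbm=-62, aac_us_per_s=500_000),
    CandidateAp("00:11:22:33:44:03", rssi_dbm=-70, aac_us_per_s=250_000),
]

if __name__ == "__main__":
    print(f"STA-EMT = {sta_emt_us_per_s(G711_20MS):.0f} us per second")
    for ap in SAMPLE_APS:
        print(f"{ap.bssid}  RSSI {ap.rssi_dbm} dBm  "
              f"VoIP-Capability {voip_capability(ap, G711_20MS):.2f}")
    print("strongest RSSI:", select_by_rssi(SAMPLE_APS).bssid)
    print("smart selection:", select_smart(SAMPLE_APS, G711_20MS).bssid)
```

With these inputs the strongest AP has a VoIP-Capability below 1 and is skipped, while the second AP, weaker in RSSI but with far more admission capacity, is chosen.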

4 Transition phase optimizations

While the Discovery phase enhancements address shortcomings in the original 802.11 design, the transition phase design addresses latencies introduced by recent 802.11 amendments, notably the IEEE 802.11i security and 802.11e QoS enhancements. These services introduce several new latencies into AP-to-AP transition, including 802.1X authentication, 802.11i key management, and 802.11e bandwidth allocation. Such new latencies must be reduced to fall within VoIP's real-time constraints, in order to ensure that the voice application can maintain quality of service during device transitions within the WLAN.

To deal with these new constraints, IEEE 802.11r is being written to reduce transition phase latencies by setting the following objectives:

• Reduce latency due to the 802.11e and 802.11i round trip times by piggybacking the messages for these functions over the Reassociation exchange.

• Facilitate session key pre-computation, using a new key hierarchy, to ease the computational bottlenecks on resource-constrained devices, such as VoIP handsets.

• Eliminate the need for authentication on every AP-to-AP transition. This step typically removes two or more round trips induced by 802.1X authentication, and usually eliminates several computationally expensive cryptographic operations.

• Introduce mechanisms to afford target APs time to accommodate transitioning STAs, by using indications prior to Reassociation.

The transition phase optimizations are from IEEE 802.11r D2.0 [5], the current version at the time of this writing. These optimizations are comprised of our proposal [7] and a proposal by Stanley, Calhoun, et al. [8].

4.1 Key hierarchy

One of the most important components of the 802.11r transition solution is its key hierarchy, as depicted by Fig. 3. To understand the motivation for this design, it is useful to recall the 802.11i key hierarchy. The 802.11i key hierarchy has three layers:

• A master session key (MSK), shared between an Authentication Server (AS) and the mobile station,

• A Pairwise Master Key (PMK), which is an authorization token shared between the AP and the mobile station, and finally

• A Pairwise Transient Key (PTK), which is a concatenation of session keys derived from the PMK by the AP and the mobile station.

As the final authentication step, the AS and mobile station derive the MSK, and the AS transports this key to the AP in a (presumably secure) manner that is outside the scope of the standard. 802.11i then creates the PMK from the MSK; the PMK can be cached across different associations between this AP and station. 802.11i derives a PTK from the PMK on each reassociation, guaranteeing a fresh session key that is cryptographically separated from the key used with any other session.

The design of the 802.11i key hierarchy was inspired by the classical "fat" AP model. In this model each AP is a stand-alone device, itself performing all access point functions. However, cost has made "thin" APs the norm in enterprise deployments, with functionality being split between "light-weight" APs and a central "controller." In most of these designs, the controller performs the 802.11i PTK derivation for each AP that it controls. Since the controller maintains the PMK within a single cryptographic boundary, there should be no harm in using it to derive a different PTK for each "thin" AP under its control. Indeed, this design potentially could eliminate the performance problem of requiring a full authentication between the mobile station and the authentication server via each AP, which is especially onerous when the authentication server is remote. However, nothing in 802.11i allows the mobile station to distinguish this "thin" AP usage from a compromised key being shared among a set of compromised "fat" APs, so such an implementation would introduce a security flaw. All correct 802.11i implementations within the "thin" AP model still cache a different PMK for each distinct thin AP.

The 802.11r design attempts to accommodate the "thin" AP model by introducing a new layer of keys. Instead of eliminating the need for a per-AP PMK, it adds a new layer to eliminate frequent authentications between the station and authentication server. 802.11r splits the PMK into two layers, called the PMK-R0 and PMK-R1.

802.11r defines the notion of a mobility domain to utilize the key hierarchy. The mobile station authenticates once with the mobility domain at initial contact. This authentication generates an MSK, which is used to derive a PMK-R0. The initial contact AP or its controller caches the PMK-R0. This party is called the R0 Key Holder. The R0 Key Holder never shares any PMK-R0 with any other party. The R0 Key Holder uses the PMK-R0 only to derive PMK-R1 keys, which it communicates to the R1 Key Holder for each access point within the mobility domain. The PMK-R0 and PMK-R1 lifetimes cannot exceed that of the MSK from which they were derived.


Fig. 3 IEEE 802.11r key hierarchy

4.2 Handshake optimizations

The 802.11r optimized handshake, depicted by Fig. 4, attempts to reduce latency by overlaying key management and QoS bandwidth allocation on top of the 802.11 reassociation process.

The optimized handshake introduces a number of new information elements. The most important of these information elements are the Resource Information Container (RIC) and the EAPOL-Key (EAPK). The mobile station uses a RIC information element in a Reassociation Request to indicate its QoS bandwidth requirements. In a successful Reassociation Response, the RIC information element either indicates that the AP could honor the mobile station's request, or else suggests an alternative amount of bandwidth which the AP can allocate. The EAPK information element piggybacks variants of the 802.11i key exchange over the reassociation.

The original 802.11 standard begins an AP-to-AP transition with an Open System Authentication. The optimized handshake replaces Open System Authentication with a new exchange. The mobile station begins by sending an "authentication" request message that includes an RSN information element, defined by 802.11i, to suggest the security policy the station wishes to use with this association. The first message also contains an EAPK information element conveying a variant of the first message of the 802.11i 4-Way Handshake. The EAPK information element includes a 256 bit random challenge called SNonce and the R0 Key Holder (R0KH) identity with which the STA performed its Initial Association. This allows the targeted AP to identify or acquire the needed PMK-R1.

The AP responds with message 2, which includes corresponding RSN and EAPK information elements. The response EAPK information element includes a 256 bit random challenge ANonce from the AP. The message includes the PMK-R1 name and key lifetime.

When the mobile station is ready to transition, it resumes the optimized handshake with a Reassociation Request as message 3. This includes a RIC information element, to request QoS bandwidth, and an EAPK information element, continuing the key exchange. The third message reflects the AP's ANonce from Message 2. It also incorporates a message integrity code (MIC) to detect forgeries.

Fig. 4 The 802.11r optimized handshake

The AP finishes the exchange with a Reassociation Response. The Reassociation Response confirms either that the reassociation succeeded or that it failed. The message can also indicate that the reassociation succeeded, but that the AP could not honor the station's bandwidth request. When the reassociation succeeds, the AP and station open their respective 802.1X controlled ports, permitting data to flow over the protected channel between them. In the case where the reassociation succeeded but the AP could not honor the station's bandwidth request, the station may invoke normal 802.11e mechanisms to procure bandwidth beyond that set aside for best effort traffic. A MIC also protects this message from forgery, including the SNonce replicated from Message 1. The Optimized Handshake assumes a secure transfer of the PMK-R1 from the R0KH to the R1KH, but does not define this, as back-end mechanisms in the infrastructure are out of scope of the standard. The design is to enable both push and pull key delivery mechanisms.

5 Security analysis

The key hierarchy and the transition algorithmhave their own security defects.

5.1 Key hierarchy security analysis

Ironically, 802.11r draft 2.0 includes a security error that prevents the STA from distinguishing correct key sharing from a compromised PMK. It defines

$$\text{PMK-R1} = \text{kdf}(\text{PMK-R0},\ \text{``R1 Key Derivation''},\ \text{PMKR0Name} \,\|\, \text{R1KH-ID} \,\|\, 0\text{x}00 \,\|\, \text{SPA})$$

where,

• kdf(., ., .) is the 802.11r key derivation function, with its first parameter being a key derivation key, its second a label, and the third a context delimiter;
• PMKR0Name is the name of the PMK-R0 key;
• R1KH-ID denotes the name of the R1 Key Holder; and
• SPA denotes the MAC address of the mobile station.

It is easy to create an attack against this key share when 802.11r is used with "fat" access points:

1. Compromise a "fat" AP;
2. At a second "fat" AP, provision the R1KH-ID and the PMK-R1 from the compromised AP.

If a mobile station transitions from the compromised AP to the new AP, the 802.11r design allows the station to use the same PMK-R1 to derive its PTK, countering the desired solution to one of the problems that originally motivated the 802.11r design. This flaw is easily rectified by putting the mobility domain's R1 Key Holders into one-to-one correspondence with APs, and letting the MAC address of each AP be the R1KH-ID. We expect this security flaw to be corrected in future versions of the 802.11r draft.
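As an added example (not the draft's or the paper's code), the following Python derives PMK-R1 as defined in Sect. 5.1 from the PMK-R0 of Sect. 4.1 and checks the separation property that the proposed fix restores: when several APs are provisioned with one R1KH-ID they all receive the same PMK-R1, whereas naming each R1 Key Holder by its AP's MAC address yields a distinct key per AP. The HMAC-SHA256 counter-mode kdf_256(), the key and name lengths, and every key, name and address value are constructed assumptions, not the draft's exact encoding.

```python
import hashlib
import hmac
from typing import Dict

R1_LABEL = b"R1 Key Derivation"


def kdf_256(key: bytes, label: bytes, context: bytes) -> bytes:
    """Counter-mode HMAC-SHA256 KDF modelled on 802.11's KDF-Hash-Length:
    HMAC(key, i || label || context || length_bits) for i = 1, 2, ...
    Assumed here to stand in for the draft's kdf(); the draft's exact
    byte layout is not reproduced."""
    length_bits = 256
    out = b""
    i = 1
    while len(out) < length_bits // 8:
        msg = (i.to_bytes(2, "little") + label + context
               + length_bits.to_bytes(2, "little"))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[: length_bits // 8]


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> the 6 raw address bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def derive_pmk_r1(pmk_r0: bytes, pmkr0name: bytes, r1kh_id: bytes, spa: str) -> bytes:
    """PMK-R1 = kdf(PMK-R0, "R1 Key Derivation", PMKR0Name || R1KH-ID || 0x00 || SPA)."""
    context = pmkr0name + r1kh_id + b"\x00" + mac_bytes(spa)
    return kdf_256(pmk_r0, R1_LABEL, context)


def pmk_r1_per_ap(pmk_r0: bytes, pmkr0name: bytes, spa: str,
                  r1kh_id_by_ap: Dict[str, bytes]) -> Dict[str, bytes]:
    """The PMK-R1 the R0 Key Holder would hand to each AP's R1 Key Holder
    for this station, given how each AP's R1KH-ID is configured."""
    return {bssid: derive_pmk_r1(pmk_r0, pmkr0name, r1kh_id, spa)
            for bssid, r1kh_id in r1kh_id_by_ap.items()}


def keys_are_separated(keys_by_ap: Dict[str, bytes]) -> bool:
    """True iff no two APs hold the same PMK-R1, so a key held by one AP
    is never also valid at another AP (the property Sect. 5.1 wants)."""
    return len(set(keys_by_ap.values())) == len(keys_by_ap)


# Constructed sample values (not from the paper).
AP_BSSIDS = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
SPA = "aa:bb:cc:dd:ee:01"                        # the mobile station's MAC address
PMK_R0 = bytes(range(32))                        # 256-bit PMK-R0 held by the R0 Key Holder
PMKR0NAME = hashlib.sha256(b"pmkr0name").digest()[:16]
SHARED_R1KH_ID = mac_bytes("00:11:22:33:44:ff")  # one identifier configured on every AP


def shared_r1kh_configuration() -> Dict[str, bytes]:
    """Draft 2.0 as the paper reads it: nothing binds R1KH-ID to a single AP,
    so several APs may be provisioned with the same R1KH-ID."""
    return {bssid: SHARED_R1KH_ID for bssid in AP_BSSIDS}


def per_ap_r1kh_configuration() -> Dict[str, bytes]:
    """The paper's fix: one R1 Key Holder per AP, named by the AP's MAC address."""
    return {bssid: mac_bytes(bssid) for bssid in AP_BSSIDS}


if __name__ == "__main__":
    for name, cfg in (("shared R1KH-ID", shared_r1kh_configuration()),
                      ("per-AP R1KH-ID", per_ap_r1kh_configuration())):
        keys = pmk_r1_per_ap(PMK_R0, PMKR0NAME, SPA, cfg)
        print(f"{name}: separated={keys_are_separated(keys)}")
        for bssid, k in keys.items():
            print(f"  {bssid} -> {k.hex()[:16]}...")
```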

5.2 Transition security analysis

Unfortunately, draft 2.0 of 802.11r introduces three security flaws into the transition process:

• Message 2 of the optimized handshake fails to include any quantity computed from the random value SNonce from Message 1 of the optimized handshake. Thus, it is impossible for the mobile station to match the appropriate Message 2 reply with its request in Message 1, i.e., Message 2 does not belong to a well-defined session. The 802.11i 4-Way Handshake solved this problem by deriving the PTK from SNonce and including a MIC computed over the message under part of this key. Since the PMK-R1 is not necessarily available for computing Message 2, the only viable solution seems to be to include SNonce in Message 2 instead.

• A flooding attack exists against Message 3, the Reassociation Request. To mount this attack, the adversary floods a large number of first messages to the AP, each giving a distinct SNonce value. The AP will not know that these messages are invalid, and must cache a <SNonce, ANonce> pair for each (or the PTK that results from each of them). Then the adversary sends one Reassociation Request for each SNonce value, each with a random value in place of the Message 3 MIC. While these Reassociation Requests will be invalid, the AP can determine this only by trying to verify the MIC using each and every <SNonce, ANonce> pair. Thus, the protocol requires the AP to undertake n² MIC verifications for n forged Message 1's. It may be argued that using distinct ANonce values for each SNonce alleviates this problem directly, but the third security flaw below rules out this option. 802.11i solved this problem by requiring the mobile station to commit to its SNonce value and by including SNonce instead of ANonce in its equivalent of Message 3. 802.11r could defend against the flooding attack with the same precaution.

• A similar flooding attack exists against Message 4, the Reassociation Response. This defect can be rectified by requiring the AP to commit to its ANonce value for this session and by including ANonce instead of SNonce in Message 4. Committing to an ANonce value rules out the naïve solution to the second security flaw.

We expect future versions of the draft will addressthese security flaws.

6 Performance evaluation

We implemented a Linux-based prototype to characterize the transition times of the optimized handshake. The Host AP software is used for implementation purposes and the Host AP daemon is modified to support fast BSS transition. The mobile station prototype was based on the public domain Linux WPA Supplicant, and used the IPW 2200 b/g wireless card and its associated Linux device driver. We also modified the WPA Supplicant software to use the fast transition algorithms. The implementations support both first contact and subsequent transitions. Figure 5 depicts the experimental framework used in our test bed for the "fat AP" model. The authors are planning to conduct a future research experiment for the controller-based "thin" AP.

The test bed consists of two Linux-based APs, labeled AP1 and AP2, a traffic endpoint server, a traffic analyzer, and an 802.1X authentication server. The APs are set to different channels to avoid co-channel interference. The traffic analyzer aggregates data about the system's behavior during the experiment. The authentication server provides the 802.11r PMK-R0 during initial contact. The Distribution System is provided by an Ethernet. We used an SSL channel to transfer the appropriate PMK-R1 from AP1 to AP2.

In our experiment, a STA performs an 802.11r initial association with AP1 to populate the key hierarchy. Once this association is complete, the STA establishes a two-way, constant bit rate data stream with the traffic endpoint server, with one message in each direction every 20 ms. This process simulates VoIP over WLAN RTP traffic using a 20 ms codec. The STA is moved from AP1 towards AP2. Since it is difficult to know when a STA actually decides to move, the station itself has to record when it enters and exits transition. The time taken for transition is measured during the baseline 802.11i and prototype (802.11r) scenarios and compared. The results are collated and presented in Figs. 6 and 7. The 802.11r optimized handshake shows significantly less transition time than the methods based on IEEE 802.11i, resulting in less packet loss and hence a much better user experience through improved voice quality [6].

Fig. 5 Test-bed setup for 802.11r transition (STA, AP1, AP2, Distribution System, authentication server, traffic endpoint, traffic analyzer, test controller)

Fig. 6 CDF of BSS transition time: P(Transition Time < x) against BSS transition time (ms), x-axis 0 to 2000 ms

Fig. 7 CDF of Fast BSS transition time: P(Transition Time < x) against fast BSS transition time (ms), x-axis 0 to 120 ms; average 49 ms, stdev 10.1 ms

Table 1 shows the detailed results of average roaming time and packet loss using baseline 802.11i authentication and fast BSS transition. The experiment result was achieved by running several sessions of a 2-way G.711u codec VoIP stream (20 ms interval) between the STA and endpoint and performing BSS transition during a particular instance of the testing. The transition time and the packet losses recorded during each session were averaged to obtain the following results.
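The following added example (not the authors' test harness) shows how the loss figures of Table 1 are obtained from a sequence-numbered stream like the one used in the test bed: the loss percentage and the longest run of consecutive lost datagrams are computed from the sequence numbers that arrived, and the burst a given roaming time should produce is derived from the 20 ms packet interval. The receive traces are constructed, not measured: the session length of 30 s, the gap placed at 10 s, and the assumption that every packet sent while the STA is off the air is lost are all assumptions of this model.

```python
"""Packet-loss accounting for a 20 ms two-way VoIP stream across a BSS transition.

Constructed example, not the paper's measurement code. Sequence numbers start at
0 and one packet per direction is sent every INTERVAL_MS; everything sent inside
the roaming gap is assumed lost.
"""
import math

INTERVAL_MS = 20          # G.711 frame interval used in the paper's test


def expected_burst(roam_ms, interval_ms=INTERVAL_MS):
    """Consecutive datagrams one direction of a constant bit rate stream loses
    while the STA is off the air for roam_ms, if every packet in the gap is lost."""
    return math.ceil(roam_ms / interval_ms)


def simulate_direction(n_packets, roam_ms, gap_start_ms, interval_ms=INTERVAL_MS):
    """Constructed receive trace: sequence numbers 0..n-1 sent every interval_ms;
    anything sent inside [gap_start_ms, gap_start_ms + roam_ms) is lost."""
    received = []
    for seq in range(n_packets):
        sent_at = seq * interval_ms
        if not (gap_start_ms <= sent_at < gap_start_ms + roam_ms):
            received.append(seq)
    return received


def loss_stats(received, first_seq, last_seq):
    """(loss %, longest run of consecutive lost datagrams) for one direction,
    computed from the sequence numbers that arrived. Duplicates and reordering
    do not matter because presence is tested against a set."""
    got = set(received)
    expected = last_seq - first_seq + 1
    lost = run = longest = 0
    for seq in range(first_seq, last_seq + 1):
        if seq in got:
            run = 0
        else:
            lost += 1
            run += 1
            longest = max(longest, run)
    return round(100.0 * lost / expected, 2), longest


def session(roam_ms, seconds=30, gap_start_ms=10_000):
    """Two-way call of `seconds` with one transition of roam_ms (assumed session
    length and gap position). Both directions lose the same packets in this
    model, so per-direction stats are reported once plus the two-way burst."""
    n = seconds * 1000 // INTERVAL_MS
    loss_pct, burst = loss_stats(simulate_direction(n, roam_ms, gap_start_ms), 0, n - 1)
    return {"loss_pct": loss_pct, "max_burst": burst, "two_way_burst": 2 * burst}


if __name__ == "__main__":
    for roam in (525, 42):     # the two average roaming times of Table 1
        print(roam, "ms:", session(roam), "expected burst per direction:",
              expected_burst(roam))
```

The roaming time alone fixes the burst length (ceil(roam_ms / 20) per direction), while the loss percentage also depends on how long the call is, so the two Table 1 columns measure different things: a 30 s call with one 525 ms gap loses about 1.8 % of its packets, but the same gap in a longer call would show a smaller percentage and the same burst.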

7 Summary

Improved AP-to-AP transition performance is a critical mobility feature for Voice over IP over WLAN. It is important to maintain acceptable voice quality [6] during the roaming process while also maintaining acceptable security and quality of service. This paper has described the on-going efforts within the 802.11 Working Group to address these problems. Our research prototype has shown that, with the proposed optimizations described in this paper, typical transition times range from 25 to 50 ms, a 90% reduction compared with the 200–500 ms that was measured without fast transition optimization.


Table 1 Effect of roaming on packet loss

Authentication method                     | Average roaming time (ms) | Average packet loss (%) | Maximum consecutive lost datagrams (average)
Baseline: full 802.1X EAP authentication  | 525                       | 1.8                     | 53
Fast transition using 802.11r             | 42                        | 0.2                     | 6

References

1. IEEE, IEEE standard for information technology—telecommunications and information exchange between systems—specific requirements—Part 11: Wireless LAN MAC and PHY specifications. IEEE Standard 802.11-1999.

2. IEEE, Draft supplement to standard for telecommunications and information exchange between systems—LAN/MAN specific requirements—Part 11: Wireless medium access control (MAC) and physical layer (PHY) specification: Amendment i: Medium access control (MAC) security enhancements. IEEE Standard 802.11i draft D10.0, April 2004.

3. IEEE, Draft supplement to standard for telecommunications and information exchange between systems—LAN/MAN specific requirements—Part 11: Wireless medium access control (MAC) and physical layer (PHY) specification: Amendment e: Quality of service (QoS) enhancements. IEEE Standard 802.11e draft D13.0, January 2005.

4. IEEE, Draft supplement to standard for telecommunications and information exchange between systems—LAN/MAN specific requirements—Part 11: Wireless medium access control (MAC) and physical layer (PHY) specification: Specification for radio resource measurement. IEEE Standard 802.11k draft 4.0, March 2006.

5. IEEE, Draft supplement to standard for telecommunications and information exchange between systems—LAN/MAN specific requirements—Part 11: Wireless medium access control (MAC) and physical layer (PHY) specification: Amendment r: Fast BSS transition. IEEE Standard 802.11r draft D2.0, March 2006.

6. Intel White Paper, "Overcoming Barriers to High-Quality Voice over IP Deployments".

7. Sood, K., Walker, J., Qi, E., et al. 802.11 TGr Just-In-Time Transition Acceleration Proposal (JIT-TAP). Submission to IEEE 802.11 Task Group r: 11-05-0362-01-000r-jit-tap-proposal-text.doc.

8. Stanley, D., Calhoun, S., et al. Transition Acceleration Protocol (TAP). Submission to IEEE 802.11 Task Group r: 11-04-1542-00-000r-transition-acceleration-protocol-draft-text.doc.

Emily Qi is a Wireless Architect and Research Scientist in the Communications Technology Lab of Intel Corporation. She is technical editor of IEEE 802.11 TGv. Her research interests include distributed wireless networking, radio resource measurement, wireless security and VoIP over WLAN. Qi received her M.S. degrees in electrical and computer engineering from Tsinghua University in China and Portland State University.

Sangeetha Bangolae is a Network Software Engineer in the Communications Technology Lab of Intel Corporation. Her research interests include VoIP over WLAN and roaming in heterogeneous networks. She received her M.S. degree in Electrical and Computer Engineering from Colorado State University.

Kapil Sood serves as a Security Architect for Intel Labs, driving strategic mobile and industry enabling standards and platform technologies. Kapil is a key contributor at IEEE 802.11 WLAN standards for Management Frames Protection (TGw), Secure Fast Roaming (TGr), and at the WiFi Alliance and IETF. Kapil earned MS (CS), MBA, and BS (CS), with multiple patents, papers, and open-source contributions.

Jesse Walker is a principal engineer in Intel Corporation's Communications Technology Lab. His primary interest concerns network security protocols. Dr. Walker served as editor for IEEE 802.11i and has contributed to many other IEEE 802.11 amendments. He also has contributed to numerous IETF standards. Prior to joining Intel, he worked at Shiva, Raptor Systems, Digital Equipment Corporation, Rockwell International, Datapoint, and Iowa State. He holds a PhD in mathematics from the University of Texas.