IEEE 802.11r-2008
IEEE 802.11r-2008, or fast BSS transition (FT), is an amendment to the
Rationale for the amendment
802.11, commonly known as Wi-Fi, is widely used for wireless local area communications. Many deployed implementations have effective ranges of only a few dozen meters, so, to maintain communications, devices in motion that use it will need to transition from one access point to another. In an automotive environment, this could easily result in a transition every five to ten seconds.
Transitions are already supported under the preexisting standard. The fundamental architecture for transition is identical for 802.11 with and without 802.11r: the client device (known as the Station, or STA) is entirely in charge of deciding when to transition and to which BSS it wishes to transition. In the early days of 802.11, transition was a much simpler task for the client device. Only four messages were required for the device to establish a connection with a new BSS (five if counting the optional "I'm leaving" message (deauthentication and disassociation frame) the client could send to the old access point). However, as additional features were added to the standard, including
802.11r was launched to attempt to undo the added burden that security and quality of service added to the transition process, and restore it to the original four-message exchange. In this way, transition problems are not eliminated, but at least are returned to the status quo ante.
The primary application currently envisioned for the 802.11r standard is voice over IP (VoIP) via mobile phones designed to work with wireless Internet networks, instead of (or in addition to) standard cellular networks.
Fast BSS Transition
IEEE 802.11r specifies fast
The key negotiation protocol in
Protocol operation
The non-802.11r BSS transition goes through six stages:
- Scanning – active or passive for other APs in the area.
- Exchanging 802.11 authentication messages (first from the client, then from the AP) with the target access point.
- Exchanging reassociation messages to establish connection at target AP.
At this point in an
- 802.1X pairwise master key (PMK) negotiation.
- Pairwise transient key (PTK) derivation – the 802.11i 4-way handshake of session keys, creating a unique encryption key for the association based on the master key established in the previous step.
- QoS admission control to re-establish QoS streams.
A fast BSS transition performs the same operations except for the 802.1X negotiation, but piggybacks the PTK and QoS admission control exchanges with the 802.11 Authentication and Reassociation messages.
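A simplified model of the two transitions described above, as an added example (not code from the original article or from the standard's text): it counts the frames exchanged with the target AP in each case and shows that in FT both sides still derive a fresh PTK from nonces carried in the Authentication frames and confirm it in the Reassociation frames. The addresses, PMK, HMAC-based stand-in KDF and the 802.1X frame count are constructed assumptions, and frame contents are abbreviated.

```python
import hashlib
import hmac
import os

# Constructed sample values; the KDF and frame contents are a simplified model,
# not the standard's exact key hierarchy or frame formats.
AP_ADDR = bytes.fromhex("020000000001")
STA_ADDR = bytes.fromhex("020000000002")
PMK = hashlib.sha256(b"constructed-pmk").digest()


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Both sides derive the session key from the master key and both nonces.
    Assumption: HMAC-SHA256 stands in for the 802.11 key-derivation function."""
    data = b"Pairwise key expansion" + AP_ADDR + STA_ADDR + anonce + snonce
    return hmac.new(pmk, data, hashlib.sha256).digest()


def legacy_transition(eap_round_trips: int = 4) -> list:
    """Frames exchanged with the target AP in the six-stage transition (after scanning).
    The 802.1X/EAP frame count is an assumption; it depends on the EAP method used."""
    frames = ["Auth Req", "Auth Resp", "Reassoc Req", "Reassoc Resp"]
    frames += ["802.1X/EAP"] * (2 * eap_round_trips)            # PMK negotiation
    frames += [f"EAPOL-Key {i}/4" for i in range(1, 5)]          # PTK derivation (4-way handshake)
    frames += ["ADDTS Req", "ADDTS Resp"]                        # QoS admission control
    return frames


def ft_transition(pmk: bytes):
    """Fast BSS transition: the PMK is already available at the target AP, the nonces ride
    in the Authentication frames, and key confirmation plus the QoS request ride in the
    Reassociation frames, so no separate 802.1X, 4-way handshake or ADDTS exchange is needed."""
    snonce = os.urandom(32)                      # STA chooses SNonce, sends it in Auth Req
    anonce = os.urandom(32)                      # AP chooses ANonce, returns it in Auth Resp
    sta_ptk = derive_ptk(pmk, anonce, snonce)    # STA derives the PTK before Reassoc Req
    ap_ptk = derive_ptk(pmk, anonce, snonce)     # AP derives the same PTK independently
    # Reassoc Req carries a MIC computed with the fresh key; the AP verifies it (key confirmation).
    mic = hmac.new(sta_ptk[:16], b"Reassoc Req" + snonce + anonce, hashlib.sha256).digest()
    expected = hmac.new(ap_ptk[:16], b"Reassoc Req" + snonce + anonce, hashlib.sha256).digest()
    confirmed = hmac.compare_digest(mic, expected)
    frames = ["Auth Req (SNonce)", "Auth Resp (ANonce, SNonce)",
              "Reassoc Req (MIC, QoS request)", "Reassoc Resp (MIC, QoS response)"]
    return frames, sta_ptk, confirmed


if __name__ == "__main__":
    print(len(legacy_transition()), "frames without FT vs", len(ft_transition(PMK)[0]), "with FT")
```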
Problems
In October 2017 security researchers Mathy Vanhoef (imec-DistriNet, KU Leuven) and Frank Piessens (imec-DistriNet, KU Leuven) published their paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" (
On August 4, 2018, researcher Jens Steube (of Hashcat) described a new technique [3] to crack WPA2 and WPA PSK (pre-shared key) passwords that he states will likely work against all 802.11i/p/r networks with transition functions enabled.
See also
- Unlicensed Mobile Access
- IEEE 802.11s - Mesh networking
- IEEE 802.11u - Cellular interworking
- Inter-Access Point Protocol
References
- ^ "IEEE 802.11-2012 – IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications". standards.ieee.org.
- ^ Wright, Charles; Polanec, Chris (2004-09-07). "Metrics for Characterizing BSS Transition Time Performance".
- ^ "New attack on WPA/WPA2 using PMKID". hashcat.net.