Thanks Keith. My name is Perry Correll. I’m Director of Product Management over at Aerohive. And thanks for attending.
I was just talking to David Coleman. He said that I should spend some of my time explaining to you the value of using the “Wi-Fi 6” moniker. Just checking the audience, checking the audience. That’s what it is. OK.
We’re going to talk about 802.11k/v/r, which in reality isn’t k/v/r anymore; it’s been wrapped into the 802.11 spec, 2012, 2016, 2019, whatever comes along. But it’s important to understand, when we’re talking about standards like that, whether it happens to be k/v/r, happens to be 11ax or any of them, what’s in the standard isn’t really what people use. So if you look at what’s in the IEEE spec, what’s in a Wi-Fi Alliance certification and what the vendors are doing, they’re all over the map. And it’s important to understand that.
So when we talk about 11k functionality, there’s probably 10 times more stuff in there that people aren’t using than people actually are using. The same thing with v, same thing with r. So it’s very important to understand that, those of you who really like to get into reading these. I mean, the 11v spec is 500 pages long. I don’t think many of you would bother reading that.
But be aware, if you read through all that and start on a lot of the features and a lot of the capabilities, just like with 11ax, you’re never going to see those be used anywhere. It’s just different groups of people are involved in doing this stuff. So just kind of understand that from the very beginning of what’s happening with that.
The other thing too is things change over time. I mean, we’ll talk about a lot of the standards that have evolved over the last years about Wi-Fi, about roaming in particular. And if you think about Wi-Fi, a lot of smart people in here, the first thing is about association. I want to get connected, and the next thing is about mobility, and when you talk about mobility you’re talking about roaming.
What’s the difference between nomadic and seamless roaming? See I make you guys talk. What’s nomadic roaming?
When you drop, or typically it’s like if you’re in a class you open your laptop, you do your work in class and you close your laptop, you go to the next room, you open it up and you connect again. But it’s really not designed to be seamless. Whereas seamless roaming is really more about Wi-Fi, voice over Wi-Fi, in that it’s supposed to stay associated as I go along with you.
So the whole idea is Wi-Fi is supposed to stay seamlessly connected to the same SSID when you roam without losing that connection. That’s the goal. That’s the dream. You’re always going to lose some, you’re gonna drop a little bit of that functionality. So what’s the difference between cellular roaming and Wi-Fi roaming?
See, I told you I make you guys answer questions. Well, I can’t answer questions at the end, he said. So in the middle I can’t.
Control by the carrier. Typically with cellular roaming you make before you break. With Wi-Fi I break before I make, I’ve got to actually do the disassociation before I do the reassociation. I can actually authenticate ahead of time, but I can’t associate ahead of time. So you’ve got to do it. So that’s one of the things I’ve been challenged with all these years, dealing with this. So with roaming, what’s good enough?
How fast should a client roam from disassociate with one AP to associate with the next AP?
Whatever. That’s actually a very good answer if you didn’t hear it. Whatever doesn’t break your application. The answer is, what? It depends. If you’re doing real-time voice, you get up here and help if you want. But it’s Thursday. OK.
But that’s the whole idea, it depends on the application you’re doing. Some applications are very, very sensitive. Others, heck, you could disconnect for a week and probably nobody would know, depending on what you’re trying to do, but the whole idea is to make it as seamless as possible. And there’s a lot of tools, there’s a lot of capabilities that come along to try to help you do that.
The other thing is there is a big interest right now in what’s called the client experience or the user experience. I participate in something called HTNG, which is a hospitality workgroup. And they’re trying to define what that experience is. What’s an acceptable level of delay, of latency, when you roam, depending on if you’re a five-star hotel or a one-star hotel. Because once again, different levels.
The Wi-Fi Alliance right now is even starting to put out just general feelers of could we actually do a certification along these lines. It’s kind of tough, it’s almost impossible to do that. Because of the different clients, the different use cases, the different environments, it’s going to be very difficult to do that.
But you’re also going to see a lot of vendors do it first. I mean I’m in Aerohive and this is a marketing thing, but we’re doing things like how to identify what’s happened at the client. What is their roaming experience? Can I identify why that roam took so long? And every other vendor is doing that at the same level.
So that’s kind of where we are right now. So the idea today is to kind of understand what’s going on there and understand where the industry is going. And roaming is a tough subject, a lot of people have different ideas of what it is. A lot of people have different ideas of how to design for it.
What’s the appropriate overlap and what the RSSI level is? You could have religious discussions about that and that’s really not where we’re going to go today.
So that being said, kind of moving along. One of the comments I want to make is, doing the 11r stuff, I got more into authentication and key management than I ever wanted to in my entire life. And to those of you who enjoy that.
I’m very impressed and slightly sad. Because it’s unbelievable. I mean some of this stuff David helped me with, it’s like I only had to read the thing 14 times to understand what they were trying to accomplish. Well, we’re going to talk through that. And I’ll actually explain it to you as we go along.
So that being said, the important thing to understand as we start to talk about roaming. How does a client roam today? How does it work? I’m associated to a client. Fat, dumb and happy. Everything’s good. When do I decide to roam? What makes me decide to roam?
And I hear that a lot of it depends. Typically it’s gonna be RSSI. My RSSI is going down here, maybe I can hear another AP with a higher one. But vendor specific stuff, it could be CRC, it could be lost packets, I could have missed some beacons, it could be SNR. Any one of those values is actually gonna make the decision. So at that point I need to scan. I need to find another AP to connect to.
And by the way, there’s different ways you can do that. I can actually scan before I disassociate or I can scan after I disassociate. Once again, lots of different types of clients out there that have lots of different types of capabilities, be aware of that. So if I want to look for a new access point I can do a pre-discovery.
Before I actually am in the roaming stage, I can look at the environment. And see what APs are out here, whether they’re using my SSID, what’s there in my environment?
That’s a great idea because it saves time on roaming. It’s a really bad idea because actually I lose connection on my channel while I’m looking at these other channels. So if I’m gonna go and look, if I’m in a mixed environment, 2.4 and 5, I can have 20, 21, 22 other channels I have to look at. To try to figure out if the SSID I’m looking for is over there. How long do I have to spend on each channel?
What’s a beacon interval? You guys better all know this. A hundred milliseconds. So I’ve got to stay there about that time. So I have to stay over 100 milliseconds on each channel. Probably a bad idea. That’s a passive roam type environment. The other is an active roam. I go to this channel, I send out a probe, it should get back to me within 10, 20 milliseconds, whatever. Kind of a faster way to do it.
But once again there’s a problem associated with this. What if I’m on a DFS channel? What if I’m connected on a DFS channel? I’m not allowed to leave that channel to go see what else is available on other channels. Lots of challenges associated with roaming that we really don’t think about.
The other thing is, once I determine the target, how do I determine who I want to roam to? Most of the time it’s a stronger RSSI. That’s one of the things that we need to deal with and fix, and then finally I have to roam. How do I roam? Once again, as crazy as it may seem, different clients do different things. Some actually just leave, which isn’t really a roam. If I’ve got an AP that kicks a client off, is that a roam?
No, it isn’t. It’s just being kicked off. A roam is actually a process where I do a disassociation. Once I do that disassociation, for some clients that’s when they start looking for the next AP to join. Probably not a good way to do it, but once again that’s one of the options to associate, and I’ll eventually find a good client to associate with.
Then I’m gonna send off the authentication request to that client, I’m going to get an authentication response. Then I’m gonna do an association request and I’m going to get an association response.
And then depending on the environment, depending on what kind of security I’m using. It’s either open and it’s really easy. It’s pre-shared key, not too bad. Or it’s 802.1X, or it’s eduroam where I don’t know where that authentication server is. So how long can that take?
A hundred milliseconds, three days, whatever it’s going to actually take, depending on what it was. And that’s the problem. That’s the problem. Most of this other stuff, I don’t lose the sessions with most of it. But this is the problem, if I have to re-authenticate and go through the problem. So that’s what we’re trying to fix. And you get the four-way handshake and you get connected.
And by the way, there’s also a backup, an additional part, where typically if I connected to AP2, AP2 is supposed to send a message back to AP1 saying hey, by the way, this guy roamed over to me, send me all the buffered frames you have.
Not a lot of people do that. It’s actually mentioned in the spec, but nobody tells anybody how to do it or if they even have to do it.
At the same time I have to tell the switch I’m connected to to update the forwarding table, send all that information to me. So that’s kind of where we are today, when we just walk down the hall and connect from one to the other. That’s where we have a lot of problems associated with roaming.
And the biggest problem is the clients are making the decision. The clients decide when to roam and where, for the most part. And so that’s what we’ve been trying to, by that I mean we the industry have been trying to fix for about 21 years now. Wi-Fi, 802.11, came out in 1997. So we’ve been working on this for quite some time.
So how do we fix that? Or what do we do with that?
A lot of different things we’ve tried to do. Obviously we had some proprietary stuff come out. Cisco did some neat stuff, you had opportunistic key caching, where you had a great idea. Who’s Meru people? Raise your hand. Don’t roam, don’t let the client know they’re roaming. Put everybody on the same BSSID, and they don’t know when they’re roaming.
It’s actually a really good idea for time sensitive applications. Not so good for high density type deployments. But it is kind of a neat way they did that. But then the standards organization came along and said we’ve got some great ideas. 802.11e, 802.11F. And has anyone ever heard of F?
Come on, let me see a hand, one hand, two hands. I think Cisco’s the only one that even tried to do it. That’s the only standard or spec I ever saw that was withdrawn. People gave up on it, it just kind of didn’t go where they wanted it to. You had 11i, you had 11u, you had 11k and 11v, 11r, now you’ve got 11ai which is Fast Initial Link Setup. You’ve got 802.21. How do I roam between technologies?
So once again there’s a lot of effort associated with this, both in the IEEE and the Wi-Fi Alliance. Wi-Fi Alliance, we’ll talk about this later, Voice Enterprise and Vantage, and there’s probably another half dozen other workgroups involved that all have fast transition as part of their solution.
Because once again, we’re at the point now, and I’m not going to say Wi-Fi is fast enough, but it is. It’s fast enough, there’s enough good enough stuff associated with it. Now it’s making it seamless, making it more reliable. If you look at what’s coming out last year and this year, you had ax, you got WPA3, security, performance.
Now let’s make it a little bit better, improve the user experience. And that’s what these standards are trying to do. And be aware, every vendor’s on a different page. I’m not saying every vendor, but be aware, just because one vendor, whether it happens to be an AP vendor or whether it happens to be a client vendor, just because they’re doing something, that doesn’t mean everybody else is doing things the exact same way. Just to let you know, about six months ago we were working with a customer and they had different vendors’ APs mixed with our APs and we had all kinds of problems.
Just because we were both doing ours just a little bit differently. We were both doing it legally according to the spec. But we just did it a little bit differently and it actually caused some interoperability issues. Which is why you guys get the big bucks for troubleshooting and you learn a lot more about doing traces. But that’s kind of where we’re at today.
So coming along, 11k, v, r came out in 2004, 2008, 2011, that’s pretty much when they showed up.
Support of real time applications. How can I make this seamless? How can I drop as few packets as possible?
If you look at what the Wi-Fi Alliance tried to do with Vantage, they said loss of under 50 milliseconds. Jitter of under 50 milliseconds. Loss of less than 1 percent of packets, no more than three packets lost in a row. Pretty strict requirements as far as that’s concerned. So that’s kind of what they were trying to do. Packet loss, latency, efficiency, sessions.
I can’t emphasize enough that when we talk about k, v and r, when we’re talking about that, for most of us we’re talking about how they assist roaming. There’s tons of other functionality that was built into that. So as I said, there’s hundreds of pages in each one of these documents and we’re just touching on that at a very high level. Really important to realize that a lot of that stuff, if you read through every page, you’re never going to see all of it. So just be aware of it, that we just try to make things a little bit better.
So 11k, resource management, tries to make life easier on you, tries to make it simpler. Okay. I need to roam. Where should I go?
Well typically the client’s going to look around and say, well, is there a stronger AP over there, there’s a stronger radio over there. I don’t know anything about it. I don’t know the load on that device. I don’t know the performance on that device. I don’t know noise levels, I don’t know anything about that device at all.
So the whole idea of k, or one of the ideas about k, is for me to be able to get choices before I actually do it. So instead of having to go off my channel and scan, either passively or actively, for other SSIDs, or excuse me, for other APs on my same SSID that I might want to join.
The idea is, can I just ask somebody? Can I just ask somebody and they can give me this information? So that’s what 11k is really all about, the ability of the client now. I can ask my associated AP and say, hey! I need to roam. What’s around me?
Once again, different vendors do different things in how they gather this information. If I’m talking in a controller based environment, a controller connected to a bunch of APs, that controller has a good view of the environment, they’re getting information from their APs, they know what’s going on in there.
And that controller can send you out a neighbor packet or a neighbor message and say, these are your neighbors. This is maybe the signal strength of them. This is whether they’re reachable to you. They’re using your same security functionality. They’re all using the same PHY functionality you have. So this is a candidate for you to roam to.
If I’m not in a controller based environment, different vendors have different solutions. Within Aerohive our APs talk to each other with protocols, ACSP and AMRP. And we learn that same information. So somehow, someway, the AP is going to gather and build a database of this.
The other part about this is, in the actual 11k standard the idea is it’s supposed to be reactive. So when a client asks the AP what’s around me, what can you tell me about it? At that point the AP is actually supposed to build the database.
In reality that database is probably already built, they might refresh some stuff, get some different information. But the whole idea is to build that information up into a neighbor notification and send that information back to the device and say, here’s your choices.
With 11k the AP is not actually telling them where to go. They’re just saying what’s available. It’s really designed to save scanning time. More efficient usage of the air. People even say it’s better battery management. Assuming I’ve got to jump in and check 20 different channels and probe on each and listen, yeah, it’s a little bit of that better management type functionality, but overall it’s better. So better roaming, better searching, better capabilities, all that type of functionality.
The other thing about 11k, what everybody thinks about is the neighbor report. The clients gather an awful lot of information and they can push that information up to the APs.
What’s the status of me? What’s happening on my own network? What’s happening on my channel? What beacons am I seeing from other devices? All this information on the right. This is what’s gathered with 11k.
Problem is, a lot of people don’t do a lot more than just the neighbor report. So it’s important to understand that, as I said, when you’re looking through this and saying, well, I can find out all the other beacon traffic. Well yes, theoretically I can look for that, but I’m not. I can actually see the station statistics, the location configuration information, the SSID type functionality on there. Transmit power control, transmit stream category, link measurement information.
That stuff was all built in there once again. If you’ve ever been involved in writing an IEEE spec, obviously everybody’s got their little baby they want to get in there. And when something comes along like resource management they put all that stuff in. But for the most part what we’re really focused on is the neighbor report. The neighbor report is just the idea to kind of see what’s happening on the network.
So this is really what’s going to happen. Client associates to AP number one. Client decides to roam based on whatever their internal functionality tells them to do.
Client requests a neighbor report. So it’s going to request this from the AP it’s associated to. The AP is going to build that report, AP, controller, switch, that could also be vendor specific information, there’s other stuff that can actually go in there. So there’s a lot of open fields available and it’s going to send that down and it’s going to have the information: the SSID, the APs and channel, the RSSI, all the information a client needs to know.
Now the client, once again, is going to make the best choice. Mind you, all I know is this information. I don’t know at this point. Maybe there’s 2 APs right next to each other. And I can roam to either one of them.
One of them has a little bit stronger RSSI than the other. But that one also might be 200 percent overloaded on the radios and the other one might have three people connected to it. I don’t know that at this point. We might talk about that a little bit more when we get to 11v. But the whole idea is it’s the first step, it’s what it does. People are going to implement it more and more as far as clients; iOS has implemented a lot of this. That was one of the challenges I had looking around, you know, what vendors are doing what with the client side and the AP side, and it’s kind of all over the map as far as they’re concerned.
So at this point I’m gonna make a decision, I’m going to roam, disassociate, do the authentication, association, and I’m up and running. Pretty basic type functionality.
If you kind of step through the neighbor report notification, this is kind of what the frame’s gonna look like. I’m gonna get one of these for each BSSID or each AP it’s able to identify in the neighbor report. The MAC address, whether it’s reachable or not.
Operating class, what it’s doing, can I connect to it, is it within my same ESS, is it within my same environment, is it a real roam? A roam has to be within my same SSID. I can still go to another one but that’s actually not a true roam.
The PHY level, all that type of information associated with it. And if we kind of look at this, it’s kind of small, it’s hard to see, maybe you guys can capture one later today. Kind of shows you what it looks like in here. If you go up to the top under the red you’ll see BSSID. Then it’ll give all the information about it. What channel it was on, PHY type, all this information, and with this the client’s gonna make a decision.
It’s not a perfect decision. I don’t know what exactly that client is doing, what exactly that AP is doing, but it’s better than what I had before and this is where we’re gonna go. We’re gonna go baby steps, a little bit at a time, different vendors are doing things, different vendors are offering different capabilities.
Alright! So I’ve got all this information. I know a lot more about what’s going on in the environment. Things are looking good. Now something else comes along. 11v, basically BSS transition.
There’s been proprietary protocols in the past that have said if I can put a software client on the client I can control when it moves.
Well, that’s part of the idea of this. I want to be able to see the environment, I want to make decisions, I want to make intelligent decisions. That’s what 11v does, and it’s important to understand, especially, you know, we’re going to be talking about the BSS transition management.
But there’s a tremendous amount of topology information, there’s a tremendous amount of multiple BSSID type functionality, there’s a tremendous amount of other information that is in the 11v standard that very few vendors, nobody, leverages all of it. They just don’t. So different vendors leverage different things. But the high-level idea once again is, where k is really designed to speed up decision making, v is really designed to help you make a better decision, is probably the best way to say it.
So if you look at this functionality here, it’s not only roaming related. Once again we keep focused on roaming with k, v, r but there’s actually more to it. It allows clients to exchange information, so clients can tell the AP a lot more stuff. What am I seeing, what’s around my environment? You see, I’ve got this AP, and APs are sensors. They see the environment, they see what’s going on.
But every client that’s attached to them sees a lot more information. In a surrounding environment, a client attached to an AP might hear beacons from other APs that this one just doesn’t know exist. I want to learn what that whole environment looks like, location information, sleep modes, all this type of functionality.
For the most part all we’re really dealing with, as far as what most people think about as roaming, actually has to do with making some better decisions.
These are the 11v capabilities. Once again, the highlighted one is what we focus on. All the other stuff is stuff people threw in there, and I don’t mean that negatively in any way, shape or form. It’s a great idea. Within the Wi-Fi Alliance there is actually a workgroup now called Data Elements.
Has anybody heard of that? None. OK. Data Elements is kind of like, what other information can I get clients to give me? And can I encourage them to actually do that? Once again, the more information a controller, a network management system has, the better decision they can make on the overall network.
So as you can see, there’s a lot of different information up there; transition management is pretty much where we live. So what happens with this? What is 11v going to do for me? There’s a couple of different things: there’s what’s called a solicited request and there’s unsolicited requests.
A solicited request is pretty easy. The client gets their information, they roam. They connect to another AP and based on whatever they think, data throughput, whatever, they can actually send a request saying, is this the best I can do? Is there a better AP out there that maybe has less load on it?
Maybe it will offer me a stronger RSSI or maybe a higher data rate. Maybe this RSSI is really, really high but I didn’t know the SNR, the noise, was really, really high. So over here with a lower RSSI, lower SNR, I can actually have a better data rate.
So that’s kind of the idea for it. So it’s actually the client saying, point me in a different direction. Give me a better shot. Obviously very, very useful. The other three are what’s called unsolicited requests, and this is where you try to connect to the AP. 11k says go to me, you try to connect to me and I say I’m not your best choice.
Why did you go to connect to this guy? For whatever reason, maybe because I see what you’re trying to do. Maybe I’m overloaded. Maybe RSSI, maybe data rates. I can do it for lower RSSI. I can do it for low data rates. I can do it because I’ve got enough devices on me. I know this AP 60 feet away has only got 17 clients on it. I know I’ve already got five hundred and twelve, which some vendors say they can support, I don’t understand that.
And then the last one is, the AP 11v is actually positioned as advice to a client. It actually also has the ability to disassociate the client. 11v actually has the ability to say, hey, I think it’s better if you go somewhere else. I think it’s better if you go to this guy. It’s really better if you go to them, and if you don’t within the next three seconds I’m going to kick you off.
So it actually has the ability to do that. Most vendors don’t actually implement that. Or if you do, you’ve got to have some system in place that after you kick them off, maybe he only wants to be on you and you gotta let him back or he goes on.
So once again, this is kind of the whole process associated with this. This is the transition management phase, this is the functionality, but this is probably about 50 of the 500 pages in this document. So there’s a lot of other good stuff hopefully coming down the pipe. You can’t see it now because nobody is actually gathering this. I don’t know what was gathered, but nobody’s actually transferring this information, so it’s very important.
The last one. Fast transition and roaming, 11r. 11r, as I said at the very beginning, when I got into it, is kind of exciting. Reading through this and you’ve got what’s going on, I like to ask questions. So authentication and key management. How many people love that? One, two. Did you say yes or did you just point at him?
What’s going on. I joke, but it is actually important, but it’s the most convoluted stuff, at least for me. So I’m looking at this, I’m going to go through this, and the whole idea is that one of the biggest problems, if I’m in a secure environment and I’m roaming, that’s going to be where your application breaks. That’s where your session is going to break down. Because open, pre-shared key, even SAE is a little bit faster, it’s probably not going to be an issue. But if I’ve got to go through 802.1X each time I go to another AP, obviously the client experience is gonna be lacking.
So you go through this and you look at this, and I actually kind of spent some time going through it. What essentially happens? Who’s my 802.1X experts? I want to ask you a question, I want to see, raise your hand. Nobody! My God! I feel so smart up here. Or you’re lying.
With 802.1X, when I go through that whole process I create what’s called a AAA key or a master session key. Right? Everybody nod their heads, OK. That master session key then gets derived into what’s called the pairwise master key.
At this point I can also tie in pre-shared key. Because your pre-shared key, whether you’re WPA2, WPA3, SAE, whatever, that can actually come in and that becomes a pre-shared master key. Those PMKs, then, when you get into r, become what’s called PMK-R0s.
Which get hosted on the authenticated device. I’m going to confuse you all and we’re gonna actually go through it, because this is what I had to go through. They get hosted on the authenticator device. So the client and the authenticator; that authenticator could be a controller or it could be an AP in a distributed environment.
So now they both have this pairwise master key or PMK-R0. They then take those keys and create something called the PMK-R1. Confused yet? Now I’ve got PMK-R1 and PMK-R1 here. If I’m not in a controller environment I take that PMK-R1 and I give it to all my other APs. Trying to give an idea how I can seamlessly roam.
If I’m in a distributed environment, the first AP that does this has to have a mechanism to distribute that PMK-R1 to all the other APs. They don’t tell you how to do it. But you just have to do it, and those PMK-R1s, they become your PTK, which is pairwise transient key, which actually makes your encryption active. So once again, you can all pass the security class. Right? Pretty good on that.
That’s what I read about 17 times before I figured out what they were actually talking about. But it’s kind of important and it’s useful to know. So let’s kind of go through here a little bit.
The whole idea of 11r is to simplify this. Lots of different words, lots of different acronyms, it’s kind of insane. But it’s all designed so when I go through the first time, I associate to my first AP, I go through the whole 802.1X process, I get on-boarded, now when I roam I want that to be seamless. I don’t want to have to do that. That’s the whole process here.
And once again there’s some proprietary ways, with opportunistic key caching and pre-caching and all this stuff in the past, but there had to be a standard way to do it. So the idea here is, OK, secure, works with everything, no need to reauthenticate. Benefits.
Obviously voice, multimedia, any real-time application. Obviously it’s very, very valuable to it because you can’t recover that stuff. I mean non-real-time, if I drop a bunch of packets, if it’s TCP they’ll come back. If it’s UDP I probably wasn’t worried about them to begin with, so that’s the whole idea.
So this is kind of a step in a way, what I just said, maybe a little bit, and I’m not quite sure who I stole this from, but if it was one of you people in this room on a blog, thank you. And let me know, I’ll give you credit.
The MSK is assigned to the client, subsequent event. Pretty much what happens: the 802.1X process creates a AAA key or an MSK key, the terms are used interchangeably, whichever you like, I have no problem with it. And that eventually gets derived into the pairwise master key, which once again works the same way with WPA2.
Eventually you get a PSK. At some point the pairwise master key within 11r is called PMK-R0. PMK-R0 is hosted in the two parties that started it, the client and the controller or the first AP.
Those devices then create what’s called, excuse me, PMK-R1. This is derived from that, and that gets distributed to the other APs. And then from that I can actually create the encryption keys. So now you can actually see what I said.
So working through this in a much, much deeper, clearer way, and obviously these presentations are available for you guys. This kind of takes what I just said and goes in depth, step by step.
So once again, the first time I go through, I go through the 802.1X, set all that functionality up. Uses the RADIUS key exchange, get the first level pairwise master key. First level pairwise master key called PMK-R0. Sent to the authenticator and the wireless LAN client.
Once again, the authenticator could be an AP. The authenticator could be the wireless LAN controller, really doesn’t matter to me, depending on which environment you want. That’s a debatable decision.
Three levels once again. PMK-R0, PMK-R0 only stays in the authenticator. PMK-R1, that’s actually used to create the PTK, or a lot more information associated with that.
Various levels of key are controlled by different people. Once again, as you can see I got that, and the supplicant has the R0 and R1. The supplicant and the authenticator will always have the R0 and they’ll create the sublevel keys associated with that.
Kind of talked about that already. The keys are cast on the AP’s that’s the key to all this. Then once I get the PMK-R0 I turn it new PMK-R1 those keys are distributed to the client. They have the client has it and obviously the AP’s have it.
That’s the whole key point with previous 802.11i where you had pre-shared of keys, you could only see one half away and you can only go backwards, they had some vendor specific proprietary ones. It’s actually standardize the whole process.
So once again once I’ve got that R0 defined. Once I have my mobility zone defined everybody within that and with mobility domain. That’s an AP gets that R1 key which means I’m able to communicate, I’m able to roam. And get through some of this stuff PMK used to drive the pre-shared. I talked about that, talked about that. I’m going to kind of show the roam.
And this is kind of what happens before here now. My first original AP got that information it sends the PMK-R1 via whatever back. I can do it over the air. I can do it over the wire. And by the way this 11r actually works over the air or over the back end.
The back end over the wired infrastructure is optional. Good luck! I don’t mean that negatively, whatever, but it’s pretty much up to you guys to figure out, or it’s up to the vendor to figure out how to do that. It’s not part of it, it doesn’t actually say how to do it over 802.3, but that’s actually how that functionality works. Talked about that.
So non roaming this is kind of what we’re gonna have I got to Roam. I’m in a secure environment. I go up. I connect to the target AP. I go through the authentication. I go through the reassociation. And I go through the four way handshake functionality.
This is kind of what happens here and once again it gets a little bit convoluted. But the whole idea behind here is add more acronyms. That’s the key focus of 11r.
So I’m associated to the original AP, I decide I want to roam. I’ve gone through this before, either my controller or my original AP has already exchanged PMK-R1 with all the other APs. So I’m gonna go in here and I’m gonna generate an association frame.
Association frames have got a few more things associated with them now. It’s got a fast transition authentication algorithm. It’s got our robust secure network
information element with PMK-R0, with the mobility domain information element, with the fast transition information element, with an SNonce as the station nonce. This kind of looks like, if you’ll look at the information here, it kind of looks like a four-way handshake if you think about it, if you’re familiar with that, and I send that over. Because what I’m trying to do with that is I’m trying to say to the AP I’m trying to roam to: are they aware of PMK-R0?
If they are then they’re within my environment. If they’re not they’re not going to give me the right replies. What happened? He’s going to reply back to me, once again robust security network information element PMK-R1, MDIE, FTIE, ANonce, SNonce and the R1. Now I know that he’s already got that information.
So with that what we can actually do is go through and do the four-way handshake, essentially that’s what we’re doing. We’re doing a four-way handshake by any other name. We go back and forth the ANonce, the SNonce, the source address, the destination address.
Once again if you’ve gone through any of the four-way handshake stuff, all these terms look very very familiar to you. At that point we’re done. We’re set up. It’s done in four. And it uses the existing four exchanges. It uses the existing authentication request, authentication response, association request, association response. So once again it’s very very simple and very very easy. Anyone here chasing SAE very much, looking at how that works? WPA3? SAE?
If you look at how that authentication works, in that they’re doing similar type stuff. Prior to all this stuff coming out the authentication really wasn’t very much. It was like “Are you 802.11?” “Yeah, I’m 802.11,” and the last time anybody used that was back in the WEP days.
So then I actually start to use those frames which are kind of, I don’t say they weren’t important but they weren’t doing very much. Why don’t we use that information exchange to do this instead of repeating it later? Once again once I get the PMK-R1, once I know that the client has it, I can go associate over there. We can create a new pairwise transient key between that AP and the client. And we’re up and running. Same thing.
The BSS transition PSK authorization once again works the same way. Because if you think about it, when we start with 802.1X we got to the master session key and that became a pairwise master key. We start with the PSK, we get to the pairwise master key.
So it works the same in both ways. So there’s really not going to be much difference at all. Essentially it is the same if roaming in a pre-shared key environment or passphrase environment or 802.1X environment, as long as I support 802.11r.
Gonna be a couple more AKMs. If you’re interested, when stations go to associate to an access point, they exchange information about what authentication and key management schemes you can support. Obviously this adds a few more to that.
So what’s kind of happening now? Every vendor is doing their own thing we’ve got something called 360 once again. We’re looking at this stuff. We’re looking at data elements. We’re looking at anything a client will give us. And try to figure out how I can suck in this information in a standard based way or proprietary way to actually make better decisions because it’s very very important.
Within the Wi-Fi Alliance, obviously there’s a lot of different activity going on there, and pretty much almost all the certifications are adding some form of fast transition in.
So if they’re not there already there’s actually action going on. Typically in the past 11r functionality, fast transition, lived within the security task group; pretty much it lives in every function and every task group right now. So it’s kind of interesting.
And as I said before in hospitality and also in healthcare I know there’s a big effort going on right now in the client experience, the user experience. How do I define it? How do I improve it? How do I do things better going forward?
As far as who supports what: iOS is doing a great job of supporting a lot of this stuff, K, V and R type functionality, not all versions, I think 10.0. iOS 10.0 has a lot of this functionality in it.
I’m not saying Samsung doesn’t or Android doesn’t, whatever. But there’s so many different cases out there you’re really going to have to check it individually. This is something from a network management point of view. We are looking at a company that if I’m having issues with the devices roaming or associating or whatever, to have the ability to say OK, that’s an x y z device with firmware X X X, which I can gather just from looking at how they generate traffic.
And then if I can have some back end database and wow, I know this guy does not support 11r. So I need to make sure I assist that, or I need to make sure they get on an SSID that doesn’t have 11r.
Because a lot of times with an AP that supports it and a client that doesn’t support it, sometimes a client just gives up. Says I do not like what you’re saying and I’m not going to talk to you. Which is not a good idea in a public environment. If you control all your clients, you control your APs, that actually works pretty well. But just kind of be aware about that. So be aware what’s going on there.
Summary, roaming. Roaming is a good thing. Very few people don’t want to roam. Association is number one, roaming is number two. The idea of roaming is seamless. Not many people care about nomadic roaming anymore except classroom-to-classroom type functionality.
The kvr goal is to simplify your life. Be aware there is gonna be, what we’re talking about right now is just roaming. It’s a lot of the functionality, I think I beat that point to death. It’s just a matter of, how do I say this nicely? It’s forcing the clients to do it.
I’ll be honest, most of your AP vendors would love all this information and we will implement it, we’ll suck it in, we’ll gather it, because we can use that. It’s very very useful to us. But depending on you, your Apples of the world are going to do a lot of stuff, your lower end stuff probably never will. And now you’ve got this whole IoT world that are gonna have the cheapest possible chipsets and firmware, so how that works? But hopefully a lot of the IoT devices aren’t really designed as roaming, you’re stuck up on a wall, so they’ll do that. Vendor-specific solutions, you’re always gonna see them, they’re always gonna be around. And that’s it.
Thank you very much.
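The key hierarchy the talk walks through (MSK, then PMK-R0 held by the client and the R0 key holder, then one PMK-R1 per AP, then the PTK made from the nonces in the FT frames) can be followed in code. The block below is an added example written for this page; it is not code from the talk or from Aerohive. It implements the SHA-256 FT key derivation from IEEE 802.11 (KDF with 16-bit little-endian counter and length, labels "FT-R0", "FT-R1", "FT-PTK", and the PMKR0Name/PMKR1Name hashes) as the editor understands it, and every input value (MSK, SSID, MDID, R0KH-ID, MAC addresses) is constructed for illustration, so the outputs are not spec test vectors. The roam step shows why no RADIUS round trip is needed: the target AP already holds the PMK-R1 the R0 key holder pushed to it, and the client can derive the same PMK-R1 on its own, so both sides reach the same PTK from the nonces alone.

```python
import hashlib
import hmac
import os
import struct


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """KDF-Hash-Length (IEEE 802.11, 12.7.1.6.2) with HMAC-SHA-256:
    concatenate HMAC(key, i || label || context || length) for i = 1, 2, ...
    where i and length are 16-bit little-endian, then truncate to length bits."""
    out = b""
    i = 1
    while len(out) * 8 < length_bits:
        data = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, data, hashlib.sha256).digest()
        i += 1
    return out[: length_bits // 8]


def derive_pmk_r0(xxkey: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, s0kh_id: bytes):
    """First level: PMK-R0 and its name. xxkey is the second 256 bits of the MSK
    for 802.1X, or the PSK itself for a passphrase network (same hierarchy, as
    the talk says). Only the client and the R0 key holder ever see PMK-R0."""
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + s0kh_id
    r0_key_data = kdf_sha256(xxkey, b"FT-R0", context, 384)
    pmk_r0 = r0_key_data[:32]
    pmk_r0_name_salt = r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + pmk_r0_name_salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0: bytes, pmk_r0_name: bytes, r1kh_id: bytes, s1kh_id: bytes):
    """Second level: one PMK-R1 per AP (R1KH-ID is the AP's BSSID, S1KH-ID the
    client MAC). The R0 key holder distributes these to the APs in the mobility
    domain; the client derives them itself."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + s1kh_id, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + s1kh_id).digest()[:16]
    return pmk_r1, pmk_r1_name


def derive_ptk(pmk_r1: bytes, snonce: bytes, anonce: bytes, bssid: bytes, sta_addr: bytes) -> bytes:
    """Third level: the PTK (KCK || KEK || TK, 384 bits for CCMP) from the nonces
    carried in the FT authentication / reassociation exchange."""
    return kdf_sha256(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_addr, 384)


def simulate_roam() -> dict:
    """Walk the hierarchy for a constructed client roaming from AP1 to AP2."""
    # Constructed sample material, not real keys: a 512-bit MSK as EAP would deliver it.
    msk = hashlib.sha512(b"constructed MSK for illustration only").digest()
    xxkey = msk[32:64]                      # second 256 bits of the MSK
    ssid = b"corp-wlan"                     # constructed
    mdid = b"\x12\x34"                      # Mobility Domain ID, 2 octets, constructed
    r0kh_id = b"wlc.example.net"            # R0KH-ID (controller NAS identifier), constructed
    sta = bytes.fromhex("0200000000aa")     # client MAC, constructed locally administered address
    ap1 = bytes.fromhex("0200000000b1")     # BSSID of the original AP, constructed
    ap2 = bytes.fromhex("0200000000b2")     # BSSID of the target AP, constructed

    # Initial 802.1X association: client and R0 key holder both end up with PMK-R0.
    pmk_r0, r0name = derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, sta)

    # R0 key holder pushes a PMK-R1 to each AP in the mobility domain (over the
    # wire, vendor-defined). Each AP caches it under its PMKR1Name.
    pmk_r1_ap1, r1name_ap1 = derive_pmk_r1(pmk_r0, r0name, ap1, sta)
    pmk_r1_ap2, r1name_ap2 = derive_pmk_r1(pmk_r0, r0name, ap2, sta)
    ap2_cache = {r1name_ap2: pmk_r1_ap2}

    # Roam: the client computes the same PMK-R1 for AP2 and names it in its FT
    # request; AP2 only proceeds if that name is in its cache ("are they aware
    # of PMK-R0?" in the talk).
    client_pmk_r1, client_r1name = derive_pmk_r1(pmk_r0, r0name, ap2, sta)
    target_accepts = client_r1name in ap2_cache

    # Fresh nonces from the FT frames; both sides derive the PTK without RADIUS.
    snonce, anonce = os.urandom(32), os.urandom(32)
    ptk_client = derive_ptk(client_pmk_r1, snonce, anonce, ap2, sta)
    ptk_ap2 = derive_ptk(ap2_cache[client_r1name], snonce, anonce, ap2, sta) if target_accepts else b""

    return {
        "pmk_r0": pmk_r0, "pmk_r0_name": r0name,
        "pmk_r1_ap1": pmk_r1_ap1, "pmk_r1_ap2": pmk_r1_ap2,
        "pmk_r1_name_ap2": r1name_ap2, "target_accepts": target_accepts,
        "ptk_client": ptk_client, "ptk_ap2": ptk_ap2,
    }


if __name__ == "__main__":
    result = simulate_roam()
    for name, value in result.items():
        print(f"{name:16} {value.hex() if isinstance(value, bytes) else value}")
```

Two things worth noticing when running it: changing the MDID or the R0KH-ID in `derive_pmk_r0` changes PMK-R0 and every name below it, which is the mechanism that keeps a client from roaming across mobility domains with a cached key; and each AP's PMK-R1 differs, so a compromised AP holds only its own second-level key, never PMK-R0.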