IEEE 802.11r-2008 or fast BSS transition (FT), also called fast roaming, is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure handoffs from one base station to another managed in a seamless manner. It was published on July 15, 2008. IEEE 802.11r-2008 was rolled up into 802.11-2012.

[1]

 

Rationale for the amendment

802.11, commonly referred to as Wi-Fi, is widely used for wireless communications. Many deployed implementations have effective ranges of only a few hundred meters, so, to maintain communications, devices in motion that use it will need to handoff from one access point to another. In an automotive environment, this could easily result in a handoff every five to ten seconds.

Handoffs are already supported under the preexisting standard. The fundamental architecture for handoffs is identical for 802.11 with and without 802.11r: the mobile device is entirely in charge of deciding when to hand off and to which access point it wishes to hand off. In the early days of 802.11, handoff was a much simpler task for the mobile device. Only four messages were required for the device to establish a connection with a new access point (five if you count the optional "I'm leaving" message (deauthentication and disassociation packet) the client could send to the old access point)

. However, as additional features were added to the standard, including 802.11i with 802.1X authentication and 802.11e or WMM with admission control requests, the number of messages required went up dramatically. During the time these additional messages are being exchanged, the mobile device's traffic, including that from voice calls, cannot proceed, and the loss experienced by the user could amount to several seconds.^[2] Generally, the highest amount of delay or loss that the edge network should introduce into a voice call is 50 ms.

802.11r was launched to attempt to undo the added burden that security and quality of service added to the handoff process, and restore it to the original four-message exchange. In this way, handoff problems are not eliminated, but at least are returned to the status quo ante.

啟動802.11r是為了嘗試消除增加到切換過程的安全性和服務質量的額外負擔，並將其恢復到原始的四訊息交換。通過這種方式，切換問題不會被消除，但至少會恢復到原狀。（在802.11的早期階段，切換對於移動裝置來說是一項更簡單的任務。裝置只需要四條訊息即可與新接入點建立連線，但是，隨著標準中添加了其他功能，包括帶有802.1X身份驗證的802.11i和帶有接入控制請求的802.11e或WMM，所需的訊息數量也大幅增加。）

The primary application currently envisioned for the 802.11r standard is voice over IP (VOIP) via mobile phones designed to work with wireless Internet networks, instead of (or in addition to) standard cellular networks.

目前為802.11r標準設想的主要應用是通過設計用於無線網際網路網路的行動電話的IP語音（VOIP），而不是（或除了）標準蜂窩網路。

 

Fast BSS Transition

IEEE 802.11r specifies fast Basic Service Set (BSS) transitions between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources (similar to RSVP but defined in 802.11e) to occur in parallel.

The key negotiation protocol in 802.11i specifies that, for 802.1X-based authentication, the client is required to renegotiate its key with the RADIUS or other authentication server supporting Extensible Authentication Protocol (EAP) on every handoff, a time consuming process. The solution is to allow for the part of the key derived from the server to be cached in the wireless network, so that a reasonable number of future connections can be based on the cached key, avoiding the 802.1X process. A feature known as opportunistic key caching (OKC) exists today, based on 802.11i, to perform the same task. 802.11r differs from OKC by fully specifying the key hierarchy.

802.11i中的金鑰協商協議規定，對於基於802.1X的身份驗證，客戶端需要在每次切換時與RADIUS或其他支援可擴充套件身份驗證協議（EAP）的身份驗證伺服器重新協商其金鑰，這是一個耗時的過程。 解決方案是允許從伺服器派生的金鑰部分快取在無線網路中，以便可以基於快取金鑰確定合理數量的未來連線，從而避免802.1X過程。 目前存在稱為機會金鑰快取（opportunistic key caching，OKC）的功能，基於802.11i，以執行相同的任務。 802.11r與OKC的不同之處在於完全指定金鑰層次結構。

 

Protocol operation

The non-802.11r BSS transition goes through six stages:（6步驟）

• Scanning – active or passive for other APs in the area.（掃描 - 該區域中其他AP，主動或被動）
• Exchanging 802.11 authentication messages (first from the client, then from the AP) with the target access point.（ 將802.11身份驗證訊息與目標AP進行交換。）
• Exchanging reassociation messages to establish connection at target AP.（交換重新關聯訊息以在目標AP上建立連線）

At this point in an 802.1X BSS, the AP and Station have a connection, but are not allowed to exchange data frames, as they have not established a key.

此時，在802.1X BSS中，AP和STA具有連線，但不允許交換資料幀，因為它們尚未建立金鑰

• 802.1X pairwise master key (PMK) negotiation. （802.1X成對主金鑰（PMK）協商）
• Pairwise transient key (PTK) derivation – 802.11i 4-way handshake of session keys, creating a unique encryption key for the association based on the master key established from the previous step.（成對臨時金鑰（PTK）推導 - 會話金鑰的802.11i 4次握手，根據從上一步驟建立的主金鑰為關聯建立唯一的加密金鑰）
• QoS admission control to re-establish QoS streams.（QoS准入控制以重新建立QoS流）

A fast BSS transition performs the same operations except for the 802.1X negotiation, but piggybacks the PTK and QoS admission control exchanges with the 802.11 Authentication and Reassociation messages.

除了802.1X協商之外，fast BSS transition執行相同的操作，但是將PTK和QoS准入控制交換與802.11認證及重新關聯訊息搭載在一起。

 

Problems

In October 2017 security researchers Mathy Vanhoef (imec-DistriNet, KU Leuven) and Frank Piessens (imec-DistriNet, KU Leuven) published their paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" (KRACK). This paper also listed a vulnerability of common 802.11r implementations and registered the CVE identifier CVE-2017-13082.

On August 4th, 2018 researcher Jens Steube (of Hashcat) described a new technique ^[3] to crack WPA PSK (Pre-Shared Key) passwords that he states will likely work against all 802.11i/p/q/r networks with roaming functions enabled.

 

參考：

https://standards.ieee.org/standard/802_11r-2008.html