802.11r: Wireless LAN Fast Roaming: Page 4 of 5

The current 802.11i authentication process is notoriously slow. Although 11i included optional mechanisms such as pairwise master key caching and pre-authentication to minimize roaming times, these haven't been broadly implemented by vendors. In pure 11i, once a client has decided it needs to roam to a new AP, it must exchange association messages with the AP. After a user's login credentials have been authenticated, a master session key is derived. 802.11r ensures that the authentication processes and encryption keys are established before a roam takes place.

 

To speed up roaming, 802.11r introduces "fast hand-off." Authentication occurs only once, when a client enters the mobility domain. Subsequent roams within a mobility domain use cryptographic material derived from the initial authentication, decreasing roam times and reducing load on back-end authentication servers.

To securely cache and distribute encryption keys, 802.11r includes a new key-management hierarchy. In this multilevel setup, the highest-level key holder (a WLAN controller, for instance) has access to the original cryptographic material and is responsible for deriving keys for lower-level key holders (APs). 802.11r's key-derivation algorithms are based on a one-way hash function, ensuring that a compromised lower-level key cannot be used to recover the original master key.
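The hierarchy described above can be modeled in a few lines of Python. This is an added example, not code from the article or from any vendor: the key names (PMK-R0, PMK-R1, PTK) and the "FT-R0"/"FT-R1"/"FT-PTK" labels are assumed from the 802.11 fast-transition key hierarchy, the field encodings are simplified, and every identifier and sample value is constructed.

```python
import hashlib
import hmac
import struct

def kdf(key, label, context, bits):
    """Counter-mode HMAC-SHA256: one-way, so output does not reveal `key`."""
    out = b""
    for i in range(1, (bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]

def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, sta):
    """Top-level key, held only by the highest-level key holder (controller)."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta
    return kdf(xxkey, b"FT-R0", ctx, 384)[:32]  # first 256 bits are the key

def derive_pmk_r1(pmk_r0, r1kh_id, sta):
    """Per-AP key: bound to one AP's identifier and one client."""
    return kdf(pmk_r0, b"FT-R1", r1kh_id + sta, 256)

def derive_ptk(pmk_r1, snonce, anonce, bssid, sta):
    """Session key for one association, fresh per roam via the two nonces."""
    return kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta, 384)

# Constructed sample values, not taken from the article or a real network.
XXKEY = bytes(range(32))  # stands in for key material from the one-time login
SSID, MDID, R0KH_ID = b"corp-wifi", b"\x12\x34", b"controller-1"
STA = bytes.fromhex("020000000001")
AP1, AP2 = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")

def keys_for_domain():
    """Controller side: authenticate once, then hand each AP only its own key."""
    pmk_r0 = derive_pmk_r0(XXKEY, SSID, MDID, R0KH_ID, STA)
    return pmk_r0, {ap: derive_pmk_r1(pmk_r0, ap, STA) for ap in (AP1, AP2)}

if __name__ == "__main__":
    pmk_r0, per_ap = keys_for_domain()
    for ap, key in per_ap.items():
        print(ap.hex(), key.hex())
```

Each AP receives a different key for the same client, and because the derivation runs through HMAC-SHA256, holding one AP's key gives no practical way back to the controller's key or across to another AP's key.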

802.11r also tackles QoS. Even if a Wi-Fi device establishes QoS-based resource reservation when it connects to the network, when transitioning to a new AP, QoS is not preserved automatically. An optional mechanism in 11r lets a client request QoS resources on a target AP before choosing to roam.