802.11 Fast BSS Transition (FT) Part 2 of 2By CWNP On 08/22/2007 - 8 Comments
The IEEE 802.11r amendment introduces a new 3-tier AKM architecture and some new terminology such as Mobility Domain, Key Holders, RICs, and two tiers of Pairwise Master Keys (PMKs). A Mobility Domain is a set of BSSs, within the same ESS, identified by a Mobility Domain Identifier (a numerical value). Fast BSS Transition (FT) is not specified between Mobility Domains. The definition of an authenticator is, under the new amendment, split into two pieces – each being responsible for certain tasks. These two pieces are called the PMK-R0 Key Holder (R0KH) and the PMK-R1 Key Holder (R1KH). These could, in many instances, be considered the WLAN controller (R0KH) and the lightweight AP (R1KH) though this is not a requirement of the amendment.
To contrast with the current AKM structure, the 802.11r authentication server (typically a RADIUS server) sends the Master Session Key (MSK), which is formed at the supplicant and authentication server during the “Initial Mobility Domain Association (IMDA)”, to the authenticator instead of the PMK that is currently sent using 802.11i AKM. This MSK is used to derive the same PMK-R0 (the highest level PMK) on both the supplicant and authenticator. From this PMK-R0, a set of unique-per-AP PMK-R1 keys (the second highest level PMK) is derived on the supplicant and authenticator. The R0KH then distributes (through a mutually-authenticated and confidential connection) each PMK-R1 to the correct R1KH.
Once the PMK-R1 keys are held by the R1KH and the supplicant (which is both an S0KH and S1KH), the FT 4-Way Handshake (performed only once, during the IMDA) can proceed for the purpose of establishing a PTK which will be used for data frame encryption. From there, the FT reassociation mechanism is handled either over-the-DS as part of an FT Request/Response (using Action frames) or over-the-air as part of an authentication request/response procedure. The 802.11r amendment additionally specifies the use of Resource Information Containers (RICs), which are sequences of information elements that include resource request and response parameters. RICs are used as bolt-on parts of over-the-air and over-the-DS FT protocols allowing the supplicant to request resources from new APs for QoS purposes.
For more detailed information on IEEE 802.11r Robust Security Network (RSN) Fast BSS Transition (FT), refer to the CWNP whitepaper by the same name found here: