1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
|
<pre>Network Working Group P. McCann
Request for Comments: 4260 Lucent Technologies
Category: Informational November 2005
<span class="h1">Mobile IPv6 Fast Handovers for 802.11 Networks</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes how a Mobile IPv6 Fast Handover could be
implemented on link layers conforming to the 802.11 suite of
specifications.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
<a href="#section-1.1">1.1</a>. Conventions Used in This Document ..........................<a href="#page-2">2</a>
<a href="#section-2">2</a>. Terminology .....................................................<a href="#page-2">2</a>
<a href="#section-3">3</a>. Deployment Architectures for Mobile IPv6 on 802.11 ..............<a href="#page-3">3</a>
<a href="#section-4">4</a>. 802.11 Handovers in Detail ......................................<a href="#page-5">5</a>
<a href="#section-5">5</a>. FMIPv6 Message Exchanges ........................................<a href="#page-7">7</a>
<a href="#section-6">6</a>. Beacon Scanning and NAR Discovery ...............................<a href="#page-8">8</a>
<a href="#section-7">7</a>. Scenarios .......................................................<a href="#page-9">9</a>
<a href="#section-7.1">7.1</a>. Scenario 1abcdef23456g .....................................<a href="#page-9">9</a>
<a href="#section-7.2">7.2</a>. Scenario ab123456cdefg ....................................<a href="#page-10">10</a>
<a href="#section-7.3">7.3</a>. Scenario 123456abcdefg ....................................<a href="#page-10">10</a>
<a href="#section-8">8</a>. Security Considerations ........................................<a href="#page-10">10</a>
<a href="#section-9">9</a>. Conclusions ....................................................<a href="#page-12">12</a>
<a href="#section-10">10</a>. References ....................................................<a href="#page-13">13</a>
<a href="#section-10.1">10.1</a>. Normative References .....................................<a href="#page-13">13</a>
<a href="#section-10.2">10.2</a>. Informative References ...................................<a href="#page-13">13</a>
<a href="#section-11">11</a>. Acknowledgements ..............................................<a href="#page-13">13</a>
<span class="grey">McCann Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Mobile IPv6 Fast Handover protocol [<a href="#ref-2" title=""Fast Handovers for Mobile IPv6"">2</a>] has been proposed as a way
to minimize the interruption in service experienced by a Mobile IPv6
node as it changes its point of attachment to the Internet. Without
such a mechanism, a mobile node cannot send or receive packets from
the time that it disconnects from one point of attachment in one
subnet to the time it registers a new care-of address from the new
point of attachment in a new subnet. Such an interruption would be
unacceptable for real-time services such as Voice-over-IP.
The basic idea behind a Mobile IPv6 fast handover is to leverage
information from the link-layer technology to either predict or
rapidly respond to a handover event. This allows IP connectivity to
be restored at the new point of attachment sooner than would
otherwise be possible. By tunneling data between the old and new
access routers, it is possible to provide IP connectivity in advance
of actual Mobile IP registration with the home agent or correspondent
node. This allows real-time services to be reestablished without
waiting for such Mobile IP registration to complete. Because Mobile
IP registration involves time-consuming Internet round-trips, the
Mobile IPv6 fast handover can provide for a smaller interruption in
real-time services than an ordinary Mobile IP handover.
The particular link-layer information available, as well as the
timing of its availability (before, during, or after a handover has
occurred), differs according to the particular link-layer technology
in use. This document gives a set of deployment examples for Mobile
IPv6 Fast Handovers on 802.11 networks. We begin with a brief
overview of relevant aspects of basic 802.11 [<a href="#ref-3" title=""Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"">3</a>]. We examine how and
when handover information might become available to the IP layers
that implement Fast Handover, both in the network infrastructure and
on the mobile node. Finally, we trace the protocol steps for Mobile
IPv6 Fast Handover in this environment.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Conventions Used in This Document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="#ref-1" title=""Key words for use in RFCs to Indicate Requirement Levels"">1</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
This document borrows all of the terminology from Mobile IPv6 Fast
Handovers [<a href="#ref-2" title=""Fast Handovers for Mobile IPv6"">2</a>], with the following additional terms from the 802.11
specification [<a href="#ref-3" title=""Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"">3</a>] (some definitions slightly modified for clarity):
<span class="grey">McCann Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
Access Point (AP): Any entity that has station functionality and
provides access to the distribution services, via the
wireless medium (WM) for associated stations.
Association: The service used to establish access point/station
(AP/STA) mapping and enable STA access to the
Distribution System.
Basic Service Set (BSS): A set of stations controlled by a single
coordination function, where the coordination function
may be centralized (e.g., in a single AP) or
distributed (e.g., for an ad hoc network). The BSS
can be thought of as the coverage area of a single AP.
Distribution System (DS): A system used to interconnect a set of
basic service sets (BSSs) and integrated local area
networks (LANs) to create an extended service set
(ESS).
Extended Service Set (ESS): A set of one or more interconnected basic
service sets (BSSs) and integrated local area networks
(LANs) that appears as a single BSS to the logical
link control layer at any station associated with one
of those BSSs. The ESS can be thought of as the
coverage area provided by a collection of APs all
interconnected by the Distribution System. It may
consist of one or more IP subnets.
Station (STA): Any device that contains an IEEE 802.11 conformant
medium access control (MAC) and physical layer (PHY)
interface to the wireless medium (WM).
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Deployment Architectures for Mobile IPv6 on 802.11</span>
In this section, we describe the two most likely relationships
between Access Points (APs), Access Routers (ARs), and IP subnets
that are possible in an 802.11 network deployment. In this document,
our focus is mainly on the infrastructure mode [<a href="#ref-3" title=""Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"">3</a>] of 802.11.
Usually, a given STA is associated with one and only one AP at any
given instant; however, implementations are possible [<a href="#ref-4" title=""MultiNet: Enabling Simultaneous Connections to Multiple Wireless Networks Using a Single Radio"">4</a>] where
multiple associations per STA may be maintained as long as the APs
are connected to disjoint DSs. An STA may be in communication with
an AP only when radio propagation conditions permit. Note that, as
with any layer-2 technology, handover from one layer-2 point of
attachment (AP) to another does not necessarily mean a change of AR
or subnet.
<span class="grey">McCann Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
AR AR
AR | AR AR | AR
\ | / \ | /
Subnet 1 Subnet 2
/ / | \ \ / / | \ \
/ / | \ \ / / | \ \
/ | | | \ / | | | \
AP1 AP2 AP3 AP4 AP5 AP6 AP7 AP8 AP9 AP10
Figure 1. An 802.11 deployment with relay APs.
Figure 1 depicts a typical 802.11 deployment with two IP subnets,
each with three Access Routers and five Access Points. Note that the
APs in this figure are acting as link-layer relays, which means that
they transport Ethernet-layer frames between the wireless medium and
the subnet. Note that APs do not generally implement any particular
spanning tree algorithm, yet are more sophisticated than simple
bridges that would relay all traffic; only traffic addressed to STAs
known to be associated on a given AP would be forwarded. Each subnet
is on top of a single LAN or VLAN, and we assume in this example that
APs 6-10 cannot reach the VLAN on which Subnet 1 is implemented.
Note that a handover from AP1 to AP2 does not require a change of AR
(here we assume the STA will be placed on the same VLAN during such a
handoff) because all three ARs are link-layer reachable from an STA
connected to any AP1-5. Therefore, such handoffs would not require
IP-layer mobility management, although some IP-layer signaling may be
required to determine that connectivity to the existing AR is still
available. However, a handover from AP5 to AP6 would require a
change of AR, because AP6 cannot reach the VLAN on which Subnet 1 is
implemented and therefore the STA would be attaching to a different
subnet. An IP-layer handover mechanism would need to be invoked in
order to provide low-interruption handover between the two ARs.
Internet
/ | \
/ | \
/ | \
AR AR AR
AP1 AP2 AP3
Figure 2. An 802.11 deployment with integrated APs/ARs.
Figure 2 depicts an alternative 802.11 deployment where each AP is
integrated with exactly one AR on a disjoint VLAN. In this case,
every change of AP would result in a necessary change of AR, which
<span class="grey">McCann Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
would require some IP-layer handover mechanism to provide for low-
interruption handover between the ARs. Also, the AR shares a MAC-
layer identifier with its attached AP.
In the next section, we examine the steps involved in any 802.11
handover. Subsequent sections discuss how these steps could be
integrated with an IP-layer handover mechanism in each of the above
deployment scenarios.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. 802.11 Handovers in Detail</span>
An 802.11 handover takes place when an STA changes its association
from one AP to another ("re-association"). This process consists of
the following steps:
0. The STA realizes that a handoff is necessary due to degrading
radio transmission environment for the current AP.
1. The STA performs a scan to see what APs are available. The
result of the scan is a list of APs together with physical layer
information, such as signal strength.
2. The STA chooses one of the APs and performs a join to
synchronize its physical and MAC-layer timing parameters with
the selected AP.
3. The STA requests authentication with the new AP. For an "Open
System", such authentication is a single round-trip message
exchange with null authentication.
4. The STA requests association or re-association with the new AP.
A re-association request contains the MAC-layer address of the
old AP, while a plain association request does not.
5. If operating in accordance with 802.11i [<a href="#ref-6" title=""Medium Access Control (MAC) Security Enhancements"">6</a>], the STA and AP
would execute 802.1X EAP-on-LAN procedures to authenticate the
association (step 3 would have executed in "Open System" mode).
6. The new AP sends a Layer 2 Update frame on the local LAN segment
to update the learning tables of any connected Ethernet bridges.
Although we preface step 1 with step 0 for illustration purposes,
there is no standardized trigger for step 1. It may be performed as
a result of decaying radio conditions on the current AP or at other
times as determined by local implementation decisions. Some network
interface cards (NICs) may do scanning in the background,
interleaving scans between data packets. This decreases the time
required to roam if the performance of the current AP proves
<span class="grey">McCann Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
unsatisfactory, but it imposes more of a burden on the AP, since
typically the STA places it in power-save mode prior to the scan,
then once the scan is complete, returns to the AP channel in order to
pick up queued packets. This can result in buffer exhaustion on the
AP and attendant packet loss.
During step 2, the STA performs rate adjustment where it chooses the
best available transmission rate. Rate adjustment can be quite
time-consuming as well as unpredictable.
Note that in some existing 802.11 implementations, steps 1-4 are
performed by firmware in rapid succession (note that even in these
implementations step 3 is sometimes performed in a host driver,
especially for newer implementations). This might make it impossible
for the host to take any actions (including sending or receiving IP
packets) before the handover is complete. In other 802.11
implementations, it is possible to invoke the scan (step 1) and join
(step 2) operations independently. This would make it possible to,
e.g., perform step 1 far in advance of the handover and perhaps in
advance of any real-time traffic. This could substantially reduce
the handover latency, as one study has concluded that the 802.11
beacon scanning function may take several hundred milliseconds to
complete [<a href="#ref-8" title=""An Empirical Analysis of the IEEE 802.11 MAC Layer Handoff Process"">8</a>], during which time sending and receiving IP packets is
not possible. However, scanning too far in advance may make the
information out-of-date by the time of handover, which would cause
the subsequent joint operation to fail if radio conditions have
changed so much in the interim that the target AP is no longer
reachable. So, a host may choose to do scanning based on, among
other considerations, the age of the previously scanned information.
In general, performing such subsequent scans is a policy issue that a
given implementation of FMIPv6 over 802.11 must consider carefully.
Even if steps 1 and 2 are performed in rapid succession, there is no
guarantee that an AP found during step 1 will be available during
step 2 because radio conditions can change dramatically from moment
to moment. The STA may then decide to associate with a completely
different AP. Often, this decision is implemented in firmware and
the attached host would have no control over which AP is chosen.
However, tools such as the host AP driver [<a href="#ref-10" title=""Host AP driver for Intersil Prism2/2.5/3 and WPA Supplicant"">10</a>] offer full control
over when and to which AP the host needs to associate. Operation as
an Independent BSS (IBSS) or "ad-hoc mode" [<a href="#ref-3" title=""Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"">3</a>] may also permit the
necessary control, although in this latter case attachment to an
infrastructure AP would be impossible. Implementers can make use of
such tools to obtain the best combination of flexibility and
performance.
<span class="grey">McCann Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
The coverage area of a single AP is known as a Basic Service Set
(BSS). An Extended Service Set (ESS) is formed from a collection of
APs that all broadcast the same ESSID. Note that an STA would send a
re-association (which includes both the old and new AP addresses)
only if the ESSID of the old and new APs are the same.
A change of BSS within an ESS may or may not require an IP-layer
handover, depending on whether the APs can send packets to the same
IP subnets. If an IP-layer handover is required, then FMIPv6 can
decrease the overall latency of the handover. The main goal of this
document is to describe the most reasonable scenarios for how the
events of an 802.11 handover may interleave with the message
exchanges in FMIPv6.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. FMIPv6 Message Exchanges</span>
An FMIPv6 handover nominally consists of the following messages:
a. The mobile node (MN) sends a Router Solicitation for Proxy
(RtSolPr) to find out about neighboring ARs.
b. The MN receives a Proxy Router Advertisement (PrRtAdv)
containing one or more [AP-ID, AR-Info] tuples.
c. The MN sends a Fast Binding Update (FBU) to the Previous Access
Router (PAR).
d. The PAR sends a Handover Initiate (HI) message to the New Access
Router (NAR).
e. The NAR sends a Handover Acknowledge (HAck) message to the PAR.
f. The PAR sends a Fast Binding Acknowledgement (FBack) message to
the MS on the new link. The FBack is also optionally sent on
the previous link if the FBU was sent from there.
g. The MN sends Fast Neighbor Advertisement (FNA) to the NAR after
attaching to it.
The MN may connect to the NAR prior to sending the FBU if the
handover is unanticipated. In this case, the FNA (step g) would
contain the FBU (listed as step c above) and then steps d, e, and f
would take place from there.
<span class="grey">McCann Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Beacon Scanning and NAR Discovery</span>
The RtSolPr message is used to request information about the
router(s) connected to one or more APs. The APs are specified in the
New Access Point Link-Layer Address option in the RtSolPr and
associated IP-layer information is returned in the IP Address Option
of the PrRtAdv [<a href="#ref-2" title=""Fast Handovers for Mobile IPv6"">2</a>]. In the case of an 802.11 link, the link-layer
address is the BSSID of some AP.
Beacon scanning (step 1 from <a href="#section-4">Section 4</a>) produces a list of available
APs along with signal strength information for each. This list would
supply the necessary addresses for the New Access Point Link-Layer
Address option(s) in the RtSolPr messages. To obtain this list, the
host needs to invoke the MLME-SCAN.request primitive (see <a href="#section-10.3.2.1">Section</a>
<a href="#section-10.3.2.1">10.3.2.1</a> of the 802.11 specification [<a href="#ref-3" title=""Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"">3</a>]). The BSSIDs returned by
this primitive are the link-layer addresses of the available APs.
Because beacon scanning takes on the order of a few hundred
milliseconds to complete, and because it is generally not possible to
send and receive IP packets during this time, the MN needs to
schedule these events with care so that they do not disrupt ongoing
real-time services. For example, the scan could be performed at the
time the MN attaches to the network prior to any real-time traffic.
However, if the interval between scanning and handover is too long,
the neighbor list may be out of date. For example, the signal
strengths of neighboring APs may have dramatically changed, and a
handover directed to the apparently best AP from the old list may
fail. If the handover is executed in firmware, the STA may even
choose a new target AP that is entirely missing from the old list
(after performing its own scan). Both cases would limit the ability
of the MN to choose the correct NAR for the FBU in step c during an
anticipated handover. Ongoing work in the IEEE 802.11k task group
may address extensions that allow interleaving beacon scanning with
data transmission/reception along with buffering at APs to minimize
packet loss.
Note that, aside from physical layer parameters such as signal
strength, it may be possible to obtain all necessary information
about neighboring APs by using the wildcard form of the RtSolPr
message. This would cause the current access router to return a list
of neighboring APs and would not interrupt ongoing communication with
the current AP. This request could be made at the time the MN first
attaches to the access router and periodically thereafter. This would
enable the MN to cache the necessary [AP-ID, AR-Info] tuples and
might enable it to react more quickly when a handover becomes
necessary due to a changing radio environment. However, because the
information does not include up-to-date signal strength, it would not
enable the MN to predict accurately the next AP prior to a handover.
<span class="grey">McCann Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
Also, if the scale of the network is such that a given access router
is attached to many APs, then it is possible that there may not be
room to list all APs in the PrRtAdv.
The time taken to scan for beacons is significant because it involves
iteration through all 802.11 channels and listening on each one for
active beacons. A more targeted approach would allow the STA to
scan, e.g., only one or two channels of interest, which would provide
for much shorter interruption of real-time traffic. However, such
optimizations are currently outside the scope of 802.11
specifications.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Scenarios</span>
In this section, we look at a few of the possible scenarios for using
FMIPv6 in an 802.11 context. Each scenario is labeled by the
sequence of events that take place, where the numbered events are
from <a href="#section-4">Section 4</a> and the lettered events are from <a href="#section-5">Section 5</a>. For
example, "1abcde23456fg" represents step 1 from <a href="#section-4">Section 4</a> followed by
steps a-e from <a href="#section-5">Section 5</a> followed by steps 2-6 from <a href="#section-4">Section 4</a>
followed by steps f and g from <a href="#section-5">Section 5</a>. This is the sequence where
the MN performs a scan, then the MN executes the FMIPv6 messaging to
obtain NAR information and send a binding update, then the PAR
initiates HI/HAck exchange, then the 802.11 handover completes, and
finally the HAck is received at the PAR and the MN sends an FNA.
Each scenario is followed by a brief description and discussion of
the benefits and drawbacks.
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Scenario 1abcdef23456g</span>
This scenario is the predictive mode of operation from the FMIPv6
specification. In this scenario, the host executes the scan sometime
prior to the handover and is able to send the FBU prior to handover.
Only the FNA is sent after the handover. This mode of operation
requires that the scan and join operations (steps 1 and 2) can be
performed separately and under host control, so that steps a-f can be
inserted between 1 and 2. As mentioned previously, such control may
be possible in some implementations [<a href="#ref-10" title=""Host AP driver for Intersil Prism2/2.5/3 and WPA Supplicant"">10</a>] but not in others.
Steps 1ab may be executed far in advance of the handover, which would
remove them from the critical path. This would minimize the service
interruption from beacon scanning and allow at least one
RtSolPr/PrRtAdv exchange to complete so that the host has link-layer
information about some NARs. Note that if steps ab were delayed
until handover is imminent, there would be no guarantee that the
RtSolPr/PrRtAdv exchange would complete especially in a radio
environment where the connection to the old AP is deteriorating
<span class="grey">McCann Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
rapidly. However, if there were a long interval between the scan and
the handover, then the FBU (step c) would be created with out-of-date
information. There is no guarantee that the MN will actually attach
to the desired new AP after it has sent the FBU to the oAR, because
changing radio conditions may cause NAR to be suddenly unreachable.
If this were the case, then the handover would need to devolve into
one of the reactive cases given below.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Scenario ab123456cdefg</span>
This is the reactive mode of operation from the FMIPv6 specification.
This scenario does not require host intervention between steps 1 and
2.
However, it does require that the MN obtain the link-layer address of
NAR prior to handover, so that it has a link-layer destination
address for outgoing packets (default router information). This
would then be used for sending the FNA (with encapsulated FBU) when
it reaches the new subnet.
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Scenario 123456abcdefg</span>
In this scenario, the MN does not obtain any information about the
NAR prior to executing the handover. It is completely reactive and
consists of soliciting a router advertisement after handover and then
sending an FNA with encapsulated FBU immediately.
This scenario may be appropriate when it is difficult to learn the
link-layer address of the NAR prior to handover. This may be the
case, e.g., if the scan primitive is not available to the host and
the wildcard PrRtAdv form returns too many results. It may be
possible to skip the router advertisement/solicitation steps (ab) in
some cases, if it is possible to learn the NAR's link-layer address
through some other means. In the deployment illustrated in Figure 2,
this would be exactly the new AP's MAC-layer address, which can be
learned from the link-layer handover messages. However, in the case
of Figure 1, this information must be learned through router
discovery of some form. Also note that even in the case of Figure 2,
the MN must somehow be made aware that it is in fact operating in a
Figure 2 network and not a Figure 1 network.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span>
The security considerations applicable to FMIPv6 are described in the
base FMIPv6 specification [<a href="#ref-2" title=""Fast Handovers for Mobile IPv6"">2</a>]. In particular, the PAR must be
assured of the authenticity of the FBU before it begins to redirect
user traffic. However, if the association with the new AP is not
<span class="grey">McCann Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
protected using mutual authentication, it may be possible for a rogue
AP to fool the MN into sending an FBU to the PAR when it is not in
its best interest to do so.
Note that step 6 from <a href="#section-4">Section 4</a> installs layer-2 forwarding state
that can redirect user traffic and cause disruption of service if it
can be triggered by a malicious node.
Note that step 3 from <a href="#section-4">Section 4</a> could potentially provide some
security; however, due to the identified weaknesses in Wired
Equivalent Privacy (WEP) shared key security [<a href="#ref-9" title=""Intercepting Mobile Communications: The Insecurity of 802.11"">9</a>] this should not be
relied upon. Instead, the Robust Security Network [<a href="#ref-6" title=""Medium Access Control (MAC) Security Enhancements"">6</a>] will require
the STA to undergo 802.1X Port-Based Network Access Control [<a href="#ref-5" title=""Port-Based Network Access Control"">5</a>]
before proceeding to steps 5 or 6. 802.1X defines a way to
encapsulate Extensible Authentication Protocol (EAP) on 802 networks
(EAPOL, for "EAP over LANs"). With this method, the client and AP
participate in an EAP exchange that itself can encapsulate any of the
various EAP authentication methods. The EAPOL exchange can output a
Master Session Key (MSK) and Extended Master Session Key (EMSK),
which can then be used to derive transient keys, which in turn can be
used to encrypt/authenticate subsequent traffic. It is possible to
use 802.1X pre-authentication [<a href="#ref-6" title=""Medium Access Control (MAC) Security Enhancements"">6</a>] between an STA and a target AP
while the STA is associated with another AP; this would enable
authentication to be done in advance of handover, which would allow
faster resumption of service after roaming. However, because EAPOL
frames carry only MAC-layer instead of IP-layer addresses, this is
currently only specified to work within a single VLAN, where IP-layer
handover mechanisms are not necessarily needed anyway. In the most
interesting case for FMIPv6 (roaming across subnet boundaries), the
802.1X exchange would need to be performed after handover to the new
AP. This would introduce additional handover delay while the 802.1X
exchange takes place, which may also involve round-trips to RADIUS or
Diameter servers. The EAP exchange could be avoided if a preexisting
Pairwise Master Key (PMK) is found between the STA and the AP, which
may be the case if the STA has previously visited that AP or one that
shares a common back-end infrastructure.
Perhaps faster cross-subnet authentication could be achieved with the
use of pre-authentication using an IP-layer mechanism that could
cross subnet boundaries. To our knowledge, this sort of work is not
currently under way in the IEEE. The security considerations of
these new approaches would need to be carefully studied.
<span class="grey">McCann Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Conclusions</span>
The Mobile IPv6 Fast Handover specification presents a protocol for
shortening the period of service interruption during a change in
link-layer point of attachment. This document attempts to show how
this protocol may be applied in the context of 802.11 access
networks.
Implementation of FMIPv6 must be done in the context of a particular
link-layer implementation, which must provide the triggers for the
FMIPv6 message flows. For example, the host must be notified of such
events as degradation of signal strength or attachment to a new AP.
The particular implementation of the 802.11 hardware and firmware may
dictate how FMIPv6 is able to operate. For example, to execute a
predictive handover, the scan request primitive must be available to
the host and the firmware must execute join operations only under
host control [<a href="#ref-10" title=""Host AP driver for Intersil Prism2/2.5/3 and WPA Supplicant"">10</a>], not autonomously in response to its own handover
criteria. Obtaining the desired PrRtAdv and sending an FBU
immediately prior to handover requires that messages be exchanged
over the wireless link during a period when connectivity is
degrading. In some cases, the scenario given in <a href="#section-7.1">Section 7.1</a> may not
complete successfully or the FBU may redirect traffic to the wrong
NAR. However, in these cases the handover may devolve to the
scenario from <a href="#section-7.2">Section 7.2</a> or the scenario from <a href="#section-7.3">Section 7.3</a>.
Ultimately, falling back to basic Mobile IPv6 operation [<a href="#ref-7" title=""Mobility Support in IPv6"">7</a>] and
sending a Binding Update directly to the Home Agent can be used to
recover from any failure of the FMIPv6 protocol.
<span class="grey">McCann Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-1">1</a>] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-2">2</a>] Koodli, R., "Fast Handovers for Mobile IPv6", <a href="./rfc4068">RFC 4068</a>, July
2005.
[<a id="ref-3">3</a>] "Wireless LAN Medium Access Control (MAC) and Physical Layer
(PHY) Specifications", ANSI/IEEE Std 802.11, 1999 Edition.
[<a id="ref-4">4</a>] Bahl, P., Bahl, P., and Chandra, R., "MultiNet: Enabling
Simultaneous Connections to Multiple Wireless Networks Using a
Single Radio", Microsoft Tech Report, MSR-TR-2003-46, June 2003.
[<a id="ref-5">5</a>] "Port-Based Network Access Control", IEEE Std 802.1X-2004, July
2004.
[<a id="ref-6">6</a>] "Medium Access Control (MAC) Security Enhancements", IEEE Std
802.11i-2004, July 2004.
[<a id="ref-7">7</a>] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
IPv6", <a href="./rfc3775">RFC 3775</a>, June 2004.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[<a id="ref-8">8</a>] Mitra, A., Shin, M., and Arbaugh, W., "An Empirical Analysis of
the IEEE 802.11 MAC Layer Handoff Process", CS-TR-4395,
University of Maryland Department of Computer Science, September
2002.
[<a id="ref-9">9</a>] Borisov, N., Goldberg, I., and Wagner, D., "Intercepting Mobile
Communications: The Insecurity of 802.11", Proceedings of the
Seventh Annual International Conference on Mobile Computing and
Networking, July 2001, pp. 180-188.
[<a id="ref-10">10</a>] Malinen, J., "Host AP driver for Intersil Prism2/2.5/3 and WPA
Supplicant", <a href="http://hostap.epitest.fi/">http://hostap.epitest.fi/</a>, July 2004.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Acknowledgements</span>
Thanks to Bob O'Hara for providing explanation and insight on the
802.11 standards. Thanks to James Kempf, Erik Anderlind, Rajeev
Koodli, and Bernard Aboba for providing comments on earlier versions.
<span class="grey">McCann Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
Author's Address
Pete McCann
Lucent Technologies
Rm 9C-226R
1960 Lucent Lane
Naperville, IL 60563
Phone: +1 630 713 9359
Fax: +1 630 713 1921
EMail: mccap@lucent.com
<span class="grey">McCann Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4260">RFC 4260</a> 802.11 Fast Handover November 2005</span>
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
McCann Informational [Page 15]
</pre>
|
