IEEE 802.11r-2008

IEEE 802.11r-2008 or fast BSS transition (FT), also called fast roaming, is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure handoffs from one base station to another managed in a seamless manner. It was published on July 15, 2008. IEEE 802.11r-2008 was rolled up into 802.11-2012.^[1]

Rationale for the amendment

802.11, commonly referred to as Wi-Fi, is widely used for wireless communications. Many deployed implementations have effective ranges of only a few hundred meters, so, to maintain communications, devices in motion that use it will need to handoff from one access point to another. In an automotive environment, this could easily result in a handoff every five to ten seconds.

Handoffs are already supported under the preexisting standard. The fundamental architecture for handoffs is identical for 802.11 with and without 802.11r: the mobile device is entirely in charge of deciding when to hand off and to which access point it wishes to hand off. In the early days of 802.11, handoff was a much simpler task for the mobile device. Only four messages were required for the device to establish a connection with a new access point (five if you count the optional "I'm leaving" message (deauthentication and disassociation packet) the client could send to the old access point). However, as additional features were added to the standard, including 802.11i with 802.1X authentication and 802.11e or WMM with admission control requests, the number of messages required went up dramatically. During the time these additional messages are being exchanged, the mobile device's traffic, including that from voice calls, cannot proceed, and the loss experienced by the user could amount to several seconds.^[2] Generally, the highest amount of delay or loss that the edge network should introduce into a voice call is 50 ms.

802.11r was launched to attempt to undo the added burden that security and quality of service added to the handoff process, and restore it to the original four-message exchange. In this way, handoff problems are not eliminated, but at least are returned to the status quo ante.

启动802.11r是为了尝试消除增加到切换过程的安全性和服务质量的额外负担，并将其恢复到原始的四消息交换。通过这种方式，切换问题不会被消除，但至少会恢复到原状。（在802.11的早期阶段，切换对于移动设备来说是一项更简单的任务。设备只需要四条消息即可与新接入点建立连接，但是，随着标准中添加了其他功能，包括带有802.1X身份验证的802.11i和带有接入控制请求的802.11e或WMM，所需的消息数量也大幅增加。）

The primary application currently envisioned for the 802.11r standard is voice over IP (VOIP) via mobile phones designed to work with wireless Internet networks, instead of (or in addition to) standard cellular networks.

目前为802.11r标准设想的主要应用是通过设计用于无线互联网网络的移动电话的IP语音（VOIP），而不是（或除了）标准蜂窝网络。

Fast BSS Transition

IEEE 802.11r specifies fast Basic Service Set (BSS) transitions between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources (similar to RSVP but defined in 802.11e) to occur in parallel.

The key negotiation protocol in 802.11i specifies that, for 802.1X-based authentication, the client is required to renegotiate its key with the RADIUS or other authentication server supporting Extensible Authentication Protocol (EAP) on every handoff, a time consuming process. The solution is to allow for the part of the key derived from the server to be cached in the wireless network, so that a reasonable number of future connections can be based on the cached key, avoiding the 802.1X process. A feature known as opportunistic key caching (OKC) exists today, based on 802.11i, to perform the same task. 802.11r differs from OKC by fully specifying the key hierarchy.

802.11i中的密钥协商协议规定，对于基于802.1X的身份验证，客户端需要在每次切换时与RADIUS或其他支持可扩展身份验证协议（EAP）的身份验证服务器重新协商其密钥，这是一个耗时的过程。 解决方案是允许从服务器派生的密钥部分缓存在无线网络中，以便可以基于缓存密钥确定合理数量的未来连接，从而避免802.1X过程。 目前存在称为机会密钥缓存（opportunistic key caching，OKC）的功能，基于802.11i，以执行相同的任务。 802.11r与OKC的不同之处在于完全指定密钥层次结构。

Protocol operation

The non-802.11r BSS transition goes through six stages:（6步骤）

• Scanning – active or passive for other APs in the area.（扫描 - 该区域中其他AP，主动或被动）
• Exchanging 802.11 authentication messages (first from the client, then from the AP) with the target access point.（ 将802.11身份验证消息与目标AP进行交换。）
• Exchanging reassociation messages to establish connection at target AP.（交换重新关联消息以在目标AP上建立连接）

At this point in an 802.1X BSS, the AP and Station have a connection, but are not allowed to exchange data frames, as they have not established a key.

此时，在802.1X BSS中，AP和STA具有连接，但不允许交换数据帧，因为它们尚未建立密钥

• 802.1X pairwise master key (PMK) negotiation. （802.1X成对主密钥（PMK）协商）
• Pairwise transient key (PTK) derivation – 802.11i 4-way handshake of session keys, creating a unique encryption key for the association based on the master key established from the previous step.（成对临时密钥（PTK）推导 - 会话密钥的802.11i 4次握手，根据从上一步骤建立的主密钥为关联创建唯一的加密密钥）
• QoS admission control to re-establish QoS streams.（QoS准入控制以重新建立QoS流）

A fast BSS transition performs the same operations except for the 802.1X negotiation, but piggybacks the PTK and QoS admission control exchanges with the 802.11 Authentication and Reassociation messages.

除了802.1X协商之外，fast BSS transition执行相同的操作，但是将PTK和QoS准入控制交换与802.11认证及重新关联消息搭载在一起。

Problems

In October 2017 security researchers Mathy Vanhoef (imec-DistriNet, KU Leuven) and Frank Piessens (imec-DistriNet, KU Leuven) published their paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" (KRACK). This paper also listed a vulnerability of common 802.11r implementations and registered the CVE identifier CVE-2017-13082.

On August 4th, 2018 researcher Jens Steube (of Hashcat) described a new technique ^[3] to crack WPA PSK (Pre-Shared Key) passwords that he states will likely work against all 802.11i/p/q/r networks with roaming functions enabled.

参考：

https://standards.ieee.org/standard/802_11r-2008.html