For mobile wireless network real-time applications, such as voice over Internet protocol (IP) and live stream video, fast handoff is desirable to facilitate end user acceptance of the emerging advanced multi-hop wireless networks, such as wireless mesh networks. A seamless handoff for a mobile station moving from one access point (AP) to another AP greatly improves the application performance and usability.
The mobile station handoff between access points can involve one or both link layer and network layer handoffs. Due to the fact that a subnet usually covers multiple access points, most handoffs only occur at the link layer. Therefore, a fast and secure link layer handoff enhances overall network performance. When a mobile station first joins a network, the initial authentication and key management for a security association between the mobile station and the AP may take a relatively long time, sometimes on the order of several seconds. As the mobile station moves between APs, re-starting a full authentication and key management protocol will inevitably impact the handoff performance. In current wireless local area network (LAN) topologies, two classes of approaches for fast handoff have been proposed: these include “pre-authentication” handoff and “security context transfer” handoff.
With regard to the pre-authentication handoff approach, mobile devices can authenticate to a new access point before disconnecting with an old access point, either through the old AP or directly to the new AP. This handoff is relatively fast since the new security session key is ready to use when the mobile decides to move to the new access point. One challenge to the pre-authentication approach is finding a balance between locating the correct new AP and allocating adequate time for the pre-authentication. The difficulty increases with high speed environments where the handoff cannot efficiently incur the time delay necessary for a full authentication and key management process.
A variety of schemes have been proposed with regard to the security context transfer handoff approach. One such scheme is the Inter Access-Point Protocol (IAPP) exchange of a mobile device's security context between a current AP and a new AP. In this scheme, the security context can be proactively distributed using neighbor AP graphs or reactively pulled by the new AP from the old AP. In the newly proposed IEEE 802.11(r) standard, the security context is distributed among a hierarchy of key holders. Thus, in these types of handoff schemes, the delay of a four-way handshake for deriving new pairwise transient key (PTK) is not reduced and the overhead in terms of memory and computation requirements may be large. In IEEE 802.11(r), additional hardware for the top key holder may be needed.
Thus, it would be advantageous to provide a method for reducing the number of messages required for handoff in a secure fashion.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments of the present invention.