I set out to experiment with just how much faster roaming occurs on an 802.1X WPA2-Enterprise WLAN when 802.11r is enabled. Also, what is the time difference between the two methods of implementation -- Over-the-Air vs. Over-the-DS?
Rather than explain the nuances of 802.11r, 802.11k and Fast BSS Transition, I've included 'Recommended readings' at the bottom of this post, which explain it way better than I ever could.
Roaming Analysis
Until my employer springs for the fancy OmniPeek (which I recommend, especially for WLAN packet analysis), I'll be doing all my analysis in Wireshark. For Over-the-Air 802.11r I'll be analyzing the time from the first 802.11 Authentication frame (to AP-2) to the final Reassociation Response frame (from AP-2). For Over-the-DS 802.11r, I'll be measuring from the first Action frame (FT Action Request to AP-1) to the final Reassociation Response frame (from AP-2).
For the non-802.11r WPA2/802.1X analysis, I'll be using the first 802.11 Authentication frame (to AP-2) to the final EAPOL Key message (4 of 4 from AP-2).
My goal here is to eliminate the variations introduced by upper layer protocols. For that reason, I'm not measuring 'Data' frames; for example when a ping drops, VoWIFI call, iperf etc.
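The three measurement windows defined above, written out as an added example (this is not the author's code or tooling): it computes the roam time from per-frame rows such as a `tshark -T fields` export would give. The column layout, the `ap1`/`ap2` stand-ins for BSSIDs, and all timestamps are assumptions constructed for illustration and are not taken from the post's pcaps.

```python
from decimal import Decimal

REASSOC_RESP, AUTH, ACTION = 0x03, 0x0B, 0x0D  # 802.11 management subtypes
FT_CATEGORY = 6                                # Action category: Fast BSS Transition

# Constructed rows, one frame per line:
# time,type_subtype,bssid,action_category,eapol_key_msg ("ap1"/"ap2" = BSSIDs)
NON_FT = """10.000000,0x000b,ap2,,
10.001000,0x000b,ap2,,
10.002000,0x0002,ap2,,
10.004000,0x0003,ap2,,
10.140000,0x0028,ap2,,1
10.142000,0x0028,ap2,,2
10.146000,0x0028,ap2,,3
10.148000,0x0028,ap2,,4"""
FT_OTA = """20.000000,0x000b,ap2,,
20.005000,0x000b,ap2,,
20.009000,0x0002,ap2,,
20.015500,0x0003,ap2,,"""
FT_ODS = """30.000000,0x000d,ap1,5,
30.010000,0x000d,ap1,6,
30.050000,0x000d,ap1,6,
30.060000,0x0002,ap2,,
30.080000,0x0003,ap2,,"""

def parse(text):
    frames = []
    for line in text.strip().splitlines():
        t, subtype, bssid, cat, msg = line.split(",")
        frames.append({"t": Decimal(t), "subtype": int(subtype, 0), "bssid": bssid,
                       "cat": int(cat) if cat else None,
                       "msg": int(msg) if msg else None})
    return frames

def roam_time(frames, method, ap1="ap1", ap2="ap2"):
    """method is 'non-ft', 'ft-ota' or 'ft-ods'; returns seconds as Decimal."""
    if method == "ft-ods":   # start: first FT Action frame on AP-1 (skips 802.11k actions)
        starts = [f for f in frames if f["subtype"] == ACTION
                  and f["cat"] == FT_CATEGORY and f["bssid"] == ap1]
    else:                    # start: first 802.11 Authentication frame on AP-2
        starts = [f for f in frames if f["subtype"] == AUTH and f["bssid"] == ap2]
    if not starts:
        raise ValueError("no start frame for " + method)
    start = starts[0]["t"]
    if method == "non-ft":   # end: last EAPOL-Key message 4 of 4 on AP-2
        ends = [f for f in frames if f["msg"] == 4 and f["bssid"] == ap2]
    else:                    # end: last Reassociation Response on AP-2
        ends = [f for f in frames if f["subtype"] == REASSOC_RESP and f["bssid"] == ap2]
    ends = [f for f in ends if f["t"] > start]
    if not ends:
        raise ValueError("roam did not complete in this capture")
    return ends[-1]["t"] - start
```

A capture that stops before the closing frame raises `ValueError` rather than reporting a shorter, misleading roam time.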
The devices I'm using:
Capturing on MBA. For all but one test (Over-the-DS), I was capturing one channel on OSX, and the other channel using AirPcap NX (Windows running on a Parallels VM). Concerned about having the most accurate time, I captured the Over-the-DS exchange by capturing 40MHz on MBA with AP-1 & AP-2 set to adjacent 5GHz channels. This actually seemed to work quite well, in lieu of having a Tripple Blendy.
Client device is iPad (Air)
I've also included links at the bottom of the post to all the .pcap files used for these tests.
Over-the-Air Vs. Over-the-DS
Non-802.11r -- Filename: non-802.11r-ap2.wcap.
The first test, for reference, is a non-802.11r WPA2-Enterprise SSID (802.1X & PEAP).
I'll also take this time to show how I perform the time differentials using Wireshark.
I locate the first frame I'm looking for, in this case the 802.11 Authentication to AP-2. Select "Edit-->Set/Unset Time Reference":
Set your Time Reference
You will then notice that the "Time since reference or first frame" field is set to all zeros:
Time reference of 0 for Authentication Request
I then look for the 4th EAPOL key frame which signifies the completion of the Pairwise Transient Key generation (minus the final 802.11 Ack of course). I simply type 'eapol' into the display filter and select the last frame.
Time since reference frame
This shows me the 'roam time' of 0.151745000 seconds; or ~150 milliseconds.
Note: For a good reference on colorizing, filtering and using Wireshark, see the recommended readings below.
For these tests, I did not expect 802.11k to change the roam-time much, but I did do the tests with both .11k enabled & disabled. I've included the pcaps in the link below if interested in comparing, or looking at the .11k neighbor messages (at time of writing Wireshark doesn't properly decode them, but OmniPeek does).
In this first Auth. frame (763) to AP-2 we see the Mobility Domain and Fast BSS Transition IEs (including Supplicant Nonce, MDID, Over-the-DS bit set to 0 etc.):
802.11 Authentication Request to AP-2
I set my Time Reference, and look for the final frame which in this case would be a 'successful' Re-Association Response frame (769). Again, notice the FT IEs (this time including both Authenticator Nonce & Supplicant Nonce, MIC, PMK-R0/1 etc.)
Reassociation Response
This shows me the 'roam time' of '0.016093000' or ~16 milliseconds. The same test with 802.11k disabled (filename: 802.11r-ota-ap2.wcap) yielded a bit over 15 milliseconds, i.e. no real change.
Note: for details on what many of these IEs mean, and the process behind being able to establish the session keys (PTK/GTK) without needing a full auth with the RADIUS server (the magic behind all this), see the links below -- Recommended Readings; and CWAP book (Chapter 9).
This one is a bit trickier, since the first step in this process is an Action frame (FT Action Request) to AP-1. This frame (1163) is forwarded over the DS (802.3 Ethernet in this case) to AP-2. Note the inclusion of the 'Target AP' (AP-2):
FT Action Request frame
This shows me a 'roam time' of '0.071227000' seconds or ~71 milliseconds.
For reference, filename: 802.11r-ods-ap1-2.wcap is the same thing, without 802.11k enabled. It too was ~71 milliseconds.
Looking inside the CAPWAP tunnel, captured by mirroring the wired port connected to AP-1 (Filename: 802.11r-11k-overds-ap-wire.pcapng), we see the following (notice the Over-DS bit set to 1):
802.11r Over-the-DS inside CAPWAP tunnel
Summary
non-802-11r: 150ms
802.11r-Over-the-Air: 16ms
802.11r-Over-the-DS: 71ms
That's a huge difference. 16ms compared to 150ms is the difference between many latency-sensitive applications having a noticeable effect and not. Keep in mind, the way I'm testing 'roam time' to get apples to apples comparisons is not likely going to equal the ms delay imposed upon upper layer protocols. To a VoWiFi conversation, that 150ms number may very well be noticeable. Also, this is done in a controlled environment. Not the 'cleanest' RF space, but I'd say this is about the fastest non-802.11r exchange I'd ever expect to see. Typically, it will be much longer, with a lot more points of contention. As an example: Middle of the day, my LDAP server is a lot more loaded (currently between ~400K & 500K auths/day), and is much slower to respond.
Recommended Readings
- First, this great Whitepaper by Andrew von Nagy (@revolutionwifi): Voice-Enterprise
- CWNP Whitepaper on FT BSS transition: http://www.cwnp.com/wp-content/uploads/pdf/802.11_RSN_FT.pdf
- CWAP Book, page 339 - 344
- Roaming analysis, parts 1 - 4 (actually, just read the entire blog, it will make you a better Wireless Engineer) http://www.revolutionwifi.net/2011/12/wi-fi-roaming-analysis-part-1.html







