Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LCOS 3.50
Like TKIP, CCM uses a 48-bit initial vector (the packet number) in each packet, so a repetition of the IV is impossible in practice: even at millions of packets per second the counter would take years to wrap. As in TKIP, the receiver notes the last IV it accepted and discards any packet whose IV is less than or equal to that value, which defeats replayed frames.
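The following is an added example, not code from the manual or from LCOS: it parses the 8-byte CCM(P) header that follows the 802.11 MAC header, recovers the 48-bit packet number, and applies the receiver-side replay rule described above (accept only strictly increasing packet numbers). The header layout (PN0, PN1, reserved, ExtIV/KeyID flag byte, PN2..PN5) is the one defined in 802.11i; the class and function names, and the sample frames built in the demo, are constructed for the illustration.

```python
# Layout of the 8-byte CCMP header (IEEE 802.11i):
#   byte 0: PN0   byte 1: PN1   byte 2: reserved   byte 3: flags (bit 5 = ExtIV, bits 6-7 = KeyID)
#   byte 4: PN2   byte 5: PN3   byte 6: PN4        byte 7: PN5
CCMP_HDR_LEN = 8
EXT_IV_BIT = 0x20
PN_MAX = (1 << 48) - 1
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def parse_ccmp_header(hdr: bytes) -> tuple[int, int]:
    """Return (packet_number, key_id) from a CCMP header. The 48-bit packet
    number is spread over bytes 0, 1 and 4..7 (little-endian order)."""
    if len(hdr) < CCMP_HDR_LEN:
        raise ValueError("truncated CCMP header")
    pn0, pn1, _reserved, flags, pn2, pn3, pn4, pn5 = hdr[:CCMP_HDR_LEN]
    if not flags & EXT_IV_BIT:
        raise ValueError("ExtIV bit not set: not a CCMP header")
    key_id = flags >> 6
    pn = (pn5 << 40) | (pn4 << 32) | (pn3 << 24) | (pn2 << 16) | (pn1 << 8) | pn0
    return pn, key_id


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """Sender side: encode a packet number into the CCMP header layout."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("packet number exhausted: a new key must be negotiated")
    return bytes([
        pn & 0xFF, (pn >> 8) & 0xFF, 0x00, EXT_IV_BIT | ((key_id & 0x3) << 6),
        (pn >> 16) & 0xFF, (pn >> 24) & 0xFF, (pn >> 32) & 0xFF, (pn >> 40) & 0xFF,
    ])


class ReplayCounter:
    """Receiver-side replay state for one key. 802.11i keeps one such counter
    per key and per traffic class; this toy keeps a single one."""

    def __init__(self) -> None:
        self.last_pn = -1  # nothing accepted yet, so PN 0 is still valid

    def check(self, hdr: bytes) -> bool:
        """Accept the frame only if its PN is greater than the last accepted one."""
        pn, _key_id = parse_ccmp_header(hdr)
        if pn <= self.last_pn:
            return False  # replayed (or reordered) frame: discard
        self.last_pn = pn
        return True


def years_until_pn_exhaustion(frames_per_second: float) -> float:
    """How long a single key can be used before the 48-bit PN wraps."""
    return (PN_MAX + 1) / frames_per_second / SECONDS_PER_YEAR


def replay_demo() -> list[bool]:
    """Constructed sequence: frames 1, 2, a replay of 2, a replay of 1, then 100."""
    rc = ReplayCounter()
    return [rc.check(build_ccmp_header(pn)) for pn in (1, 2, 2, 1, 100)]


if __name__ == "__main__":
    print(replay_demo())
    print(f"{years_until_pn_exhaustion(1_000_000):.1f} years at 1 M frames/s")
```

The receiver never accepts a packet number it has already seen, so capturing an encrypted frame and re-injecting it later is rejected before decryption is even attempted; in a real implementation the counter is reset only when a new key is installed.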
Pre-authentication and PMK caching
As mentioned earlier, delays in publishing standards are usually caused by the details. In the case of 802.11i, two such details were meant specifically to help with the use of WLAN for voice connections (VoIP) in enterprise networks. For WLAN-based wireless telephony in particular, fast roaming (switching from one access point to another without lengthy interruptions) is of special significance: in a telephone conversation an interruption of 100 milliseconds is already irritating, but a full 802.1x authentication, including the subsequent key negotiation with the access point, can take considerably longer.
For this reason, so-called PMK caching was introduced as a first measure. The PMK is the basis for the key negotiation between client and access point after an 802.1x authentication. In VoIP environments a user often moves back and forth among a relatively small number of access points, so a client will frequently return to an access point with which it was already registered earlier. In that case it would make no sense to repeat the entire 802.1x authentication. Instead, the access point can provide the PMK with an identifier, the so-called PMKID, which it transmits to the client. On re-registering, the client presents the PMKID to ask whether this PMK is still stored. If it is, the 802.1x phase can be skipped and only an exchange of six short packets is needed before the connection is restored. This optimisation is unnecessary if the PMK is derived from a passphrase (WPA-PSK), because that PMK is the same at every access point and is already known to both sides.
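As an added example (not code from the manual or from LCOS), the following Python shows the two mechanisms behind the paragraph above: the PMKID that 802.11i derives from the PMK and the two MAC addresses (HMAC-SHA1 over "PMK Name" || AP address || client address, truncated to 128 bits), and a toy access point and client that use it to skip the 802.1x phase when the client returns. It also derives a WPA-PSK PMK from passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations) to show why caching is pointless there: every access point of the network gets the same PMK. The class names, the MAC addresses and the stand-in for the 802.1x exchange are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Depends only on passphrase and SSID, so it is identical at every access point."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), i.e. the first
    16 bytes of the HMAC. AA is the access point's MAC, SPA the client's MAC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Toy access point (assumed name, not LCOS code) with a PMK cache."""

    def __init__(self, mac: bytes) -> None:
        self.mac = mac
        self.cache: dict[bytes, bytes] = {}  # PMKID -> PMK

    def full_8021x(self, client_mac: bytes) -> bytes:
        """Stand-in for the complete EAP/802.1x exchange, after which the
        authentication server hands the access point a PMK; here a random value."""
        pmk = os.urandom(32)
        self.cache[pmkid(pmk, self.mac, client_mac)] = pmk
        return pmk

    def reassociate(self, client_mac: bytes, offered: list[bytes]) -> tuple[str, bytes]:
        """The client lists PMKIDs in its (re)association request. A cache hit goes
        straight to the key negotiation; a miss costs a full 802.1x run."""
        for pid in offered:
            if pid in self.cache:
                return "pmk-cache-hit", self.cache[pid]
        return "full-802.1x", self.full_8021x(client_mac)


class Client:
    """Toy client that remembers the PMK it negotiated with each access point."""

    def __init__(self, mac: bytes) -> None:
        self.mac = mac
        self.pmks: dict[bytes, bytes] = {}  # AP MAC -> PMK

    def connect(self, ap: AccessPoint) -> str:
        offered = []
        if ap.mac in self.pmks:
            offered.append(pmkid(self.pmks[ap.mac], ap.mac, self.mac))
        outcome, pmk = ap.reassociate(self.mac, offered)
        self.pmks[ap.mac] = pmk
        return outcome


def roaming_demo() -> list[str]:
    """Constructed scenario: a handset roams AP1 -> AP2 -> AP1 -> AP2."""
    ap1 = AccessPoint(bytes.fromhex("00a057010203"))  # assumed MAC addresses
    ap2 = AccessPoint(bytes.fromhex("00a057040506"))
    handset = Client(bytes.fromhex("001122334455"))
    return [handset.connect(ap1), handset.connect(ap2),
            handset.connect(ap1), handset.connect(ap2)]


def psk_is_network_wide(passphrase: str, ssid: str) -> bool:
    """Two access points of the same SSID derive the same PSK PMK: nothing to cache."""
    return pmk_from_passphrase(passphrase, ssid) == pmk_from_passphrase(passphrase, ssid)


if __name__ == "__main__":
    print(roaming_demo())
    print(pmk_from_passphrase("password", "IEEE").hex())
```

The first visit to each access point costs a full 802.1x run; each return is served from the cache because the client can recompute the PMKID from the PMK it kept. Because the PMKID binds the PMK to the access point's address, a PMK learned at AP1 produces no hit at AP2 even if it were offered there.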
A second measure, pre-authentication, gives some acceleration even on first-time registration with an access point, but it requires some care on the part of the client. The client must already detect a degrading connection to its current access point during operation and select a new access point while it is still in contact with the old one. It can then perform the 802.1x negotiation with the new access point through the old one, which again shortens the "dead time" by the duration of the 802.1x negotiation.
11.2.7 Summary
After the security loopholes in WEP encryption became public knowledge, the
presentation of short-term solutions such as WEPplus and the intermediate