Basic Wi-Fi handoffs are always either break-before-make or just-in-time. In
other words, there is no ability for a wireless phone to decide on a
handoff and establish a relationship with a new access point without
disconnecting from the previous one. The rules of 802.11 are rather
simple here: no client is allowed to associate (send an Association
message to one while maintaining data connectivity to another) to two
access points at the same time. The reason for this is to remove any
ambiguity as to which access point should forward wireline traffic
destined to the client; otherwise, both access points would have the
requirement of receiving the client's traffic, and therefore would not
work in a switched wireline environment.
However, almost all of the important protocols for Wi-Fi happen only
after a data connection has been established. This prevents clients from
gaining much of a head start on establishing a connection when the old
one is at risk.
Let's look at the contents of the Wi-Fi handoff protocol itself step by step. It will be helpful for further information.
- Once a client has decided to hand off, it need not break the connection to the original access point, but it must not use it any longer.
- The client has the option of sending a Disassociation message to the old access point, a good practice that lets the old access point free up network resources.
- If the new channel is a DFS channel, the client is required to wait until it receives a beacon frame from the access point, unless it has recently heard one as a part of a passive scanning procedure.
- The client will send an Authentication message to the new access point, establishing the beginnings of a relationship with this new access point, but not yet enabling data services.
- The access point will respond with its own Authentication message, accepting the client. A rejection can occur if load balancing is enabled, and the access point decides that it is oversubscribed, or if key state tables in the access point are full.
- The client will send a Reassociation Request message to the access point, requesting data services.
- The access point will send a Reassociation Response message to the access point. If the message has a status code for success, the client is now associated with and connected to this access point, and only this access point. Controller-based wireless architectures will usually ensure this by immediately destroying any connection that may have been left over if step 2 has not been performed. The access point may reject the association if it is oversubscribed, or if the additional services the client requests (mostly security or quality-of-service) in the Reassociation Request will not be supported.At this point, the client is associated and data services are available. Usually, the access point or controller behind it will send a broadcast frame, spoofed to appear as if it were sent by the client, to the connected Ethernet switch, informing it of the client's presence on that particular link and not on any one that may have been used previously.If no security is employed, skip ahead to the admission control mechanisms, towards the end of the list. If PSK security is employed, skip ahead to the four-way handshake. Otherwise, if 802.1X and RADIUS authentication is employed (WPA/WPA2 Enterprise), we'll continue immediately next.
- The access point and client can only exchange EAP messages at this point. The client may solicit the EAP exchange with an optional EAP Start message.
- The access point will request the client to log in with an EAP Request Identity message.
- Depending on the EAP method required by the RADIUS server on the network, the client and access point will continue to exchange a number of data frames, all EAPOL.
- The access point relays the RADIUS server's EAP Success or EAP Failure message. If this is a failure, the access point will also likely send a Deauthentication or Disassociation message to the client, to kick it off of the access point.At this point, the client and access point have agreed on the pairwise master key (PMK), based on the key material generated during the RADIUS exchange and sent to the access point when the authentication process concluded. But, the access point and client still need to generate a per-connection, pairwise transient key (PTK), which will be used to do the actual encryption. Pre-shared key (PSK) networks skipped the listed EAP exchanges, and use the PSK as the master key.
- The access point send the first message in the RSN (802. Hi) four-way handshake. This is an EAPOL Key frame.
- The client sends the second message in the four-way handshake.
- The access point sends the third message in the four-way handshake.
- The client sends the fourth message in the four-way handshake.At this point, all data services are enabled, and the client and access point can exchange data frames. However, if a call is in progress, and WMM Admission Control is enabled, the client is required to request the voice resources before it can send or receive a single voice packet with priority. Until this point, both sides may either buffer the packets or send the voice packets as best-effort.
- The client sends the access point an ADDTS Request Action frame, with a TSPEC that specifies the over-the-air resources that both the upstream and downstream part of the voice call will occupy.
- The access point weighs whether it has enough resources to accept or deny the request. It sends an ADDTS Response Action frame with the results.
- If the request was successful, the client and access point will be sending voice traffic and the call successfully handed off. On the other hand, if the request fails, the client will disconnect from the access point with a Disassociation message, because, although it is allowed to remain on the access point, it can't send or receive any voice traffic.
Hopefully, everything went well and the handoff completed. On the other
hand, if any of the processes failed, the connection is broken. The old
connection was abandoned early on—in step 8 for sure and step 2 for more
charitable clients. In order to not drop the phone call, the phone will
need to restart the process from the beginning with another access
point—perhaps the original access point it just left, if none is
available.
You
will notice that the client has a lot of work to do to make the handoff
successful, and there are many places where the procedure can go wrong.
Even if every request were to be accepted, any loss of some of the
messages can cause long timeouts, often up to a second, as each side
waits to make sure that no messages are passing each other by.
If nothing at all is done to optimize this transition, the handoff
mechanics can take an additional second or two, on top of the second or
so taken by the scanning process before the handoff decision was made.
In the worst case, the 802.1X communication can take a number of
seconds.
Part of the issue is that the mechanisms are nearly the same for a
handoff as they are for when the client initially connects. This lack of
memory within the network within basic Wi-Fi prevents any optimizations
and requires a fresh start each time.