Reducing Security Handoff Overhead with Opportunistic Key Caching



The good news is that the 802.1X mechanisms can be taken out of the picture for handoffs, for wireless architectures with a controller (or large number of radios in one access point). This mechanism, available today for many vendors, is known as opportunistic key caching (OKC). The name comes from the main concept underlying the technology. Once a client performs the authentication with the RADIUS server, and has a PMK, there is no reason for it to have to negotiate a new one just to handoff and create a new PTK just for that access point. The term "opportunistic" is used because the mechanism was designed to be a simple extension of 802. Hi, and the client is not made aware that OKC is enabled. If it works, it works. If not, no problems arise except the increased time required for doing the handshake.
The main protocol for OKC is identical to the ordinary key caching. The only difference is that whereas ordinary key caching requires that the client is returning to an access point where it had already performed 802. IX, opportunistic key caching requires only that the new access point somehow have access to the PMK, even though it was created on a different access point.
How can this work? The PMK, if you recall, does not have any information unique to the wireless network within it. It is a function purely of the EAP protocol in use between the wireline RADIUS server and the wireless client. There is no intrinsic reason that the same PMK cannot be used for different access points, as long as the following two restrictions are held to: the PMK must never be transmitted as plaintext or using weak encryption, and the PMK must not have expired.
In practice, opportunistic key caching implementations never move around the PMK. Instead, these implementations take advantage of the architecture of the WPA2 protocol and how it interacts with 802. IX. 802. IX doesn't know about clients and access points. Instead, it uses a different language, in which the role of the user is held by a supplicant, and the role of the network is held by an authenticator. The mapping of the supplicant to real devices is clear: the supplicant is a part of the client. The authenticator, on the other hand, has flexibility built in. For standalone access point architectures, the authenticator is a part of the access point. For controller-based architectures, however, the authenticator is almost always in the controller.
Now we get a sense for the scale of opportunistic key caching. The PMK was originally created in the authenticator, and most opportunistic key caching architectures leave the PMK inside the authenticator, never to come out. For controller-based architectures, the controller generates the PTK within the authenticator, and then distributes it to the encryption engine, which may be located locally in the controller or in the access points. With opportunistic key caching, then, the only change is to allow a client with a PMK to associate to a new access point, and to use the PMK for the new connection as if it had been negotiated on that access point.
There is no addition of protocols or state changes in opportunistic key caching, which explains why it is so prevalent within network implementations. The only changes are to clients, who have to create a new PMKID, based on the original PMK, when they associate to a new access point, and to the authenticator, which needs to look past that a PMKID was not created for the PMK, create the new one, and then continue as if nothing unusual had happened.
You should look for wireless clients and network infrastructure that supports opportunistic key caching when rolling out a voice mobility network. OKC has been generally embraced by the industry, though there are a few notable exceptions, and is generally used as the solution to the 802.1X overhead.

11 comments:

Unknown said...

very good n impressive blog post..I would like to read more good stuff keep it up!

audio conference

callingcards said...

international callings cards are accessible in an array of ante and and features. With the advice of such calling cards, you can calmly alarm all-embracing destinations at the every man amount and at the aforementioned time can accomplish bargain and accessible calls from landlines, mobiles and added options.


international long distance call

simplecall said...

I want to know how to make international calls from multiple registered numbers without using lengthy pin, password and calling cards numbers,Easy with SimpleCall. It would be help full for me.

Unknown said...

Web Designing

i really bookmarked reader

Market Research Reports said...

It is actually an awesome and useful item for details. Please remain us advised like this. Developments in the technological innovation of the telecoms have shown an unambiguous risk to totalitarian routines everywhere. Telecommunication Market

Max Telecom said...

It is very good blog.I am also looking for this from a long time.Many people like to visit here.I have seen many things over here.It is very good.

Business Phone Plans/>

Max Telecom said...

It is very good blog.I am also looking for this from a long time.Many people like to visit here.I have seen many things over here.It is very good.

Business Phone Plans

Unknown said...

Nice Post! I would like to follow your blog for latest updates on telecom services

afaqs said...

Indian consumer like to use the CDMA phone.Here i mention the most popular CDMA phone according Indian consumer.http://www.themobileindian.com/handset-guide/category-search/CDMA

Unknown said...

With the advice of such calling cards, you can calmly alarm all-embracing destinations at the every man amount and at the aforementioned time can accomplish bargain and accessible calls from landlines, mobiles and added options. Hosted dialer

Unknown said...

very nice blog
Post processing

Telecom Made Simple

Related Posts with Thumbnails