
Industrial Ethernet Book 103

Technology

[Figure: application example of automated guided vehicle (AGV) communication]

secure and fast Wi-Fi when roaming. In order to ensure both a fast and a secure handover, two problems must be addressed:

• How can the mobile client switch between access points as quickly as possible?
• How can the time needed to negotiate the security parameters be minimized?

The following optimizations lead to significantly faster roaming while maintaining the security level of a full IEEE 802.1X authentication.

PMK caching

PMK caching (the PMK is the Pairwise Master Key that results from a successful IEEE 802.1X/EAP authentication) also starts with a full IEEE 802.1X authentication. However, client and access point store the negotiated PMK and can reuse it the next time the client connects to the same access point: the client offers the identifier of the cached key (the PMKID) when it reassociates, and if the access point still holds that key, only the 4-way handshake is needed. The method is of limited use for roaming, though, because a key is only cached for an access point the client has already authenticated to. A client would have to have logged in to every access point in the system before it could roam between them quickly.

Pre-authentication

Pre-authentication lets the client authenticate via IEEE 802.1X to the next access point over the wired backhaul network, independently of the actual roaming procedure. The client does not talk to the candidate access point over Wi-Fi but uses its currently active connection, and the wired LAN behind it, to reach the next access point. During this early authentication the PMK is already negotiated between client and access point, so that when the client later roams to this access point no renewed IEEE 802.1X authentication is needed. Although this makes fast roaming possible, it has disadvantages: the client must predict as early as possible which access point it will connect to next. This information may not be available, since the client would have to scan the surrounding Wi-Fi channels for access points frequently and continuously.
This in turn leads to loss of performance and interruptions. Alternatively, a client can authenticate itself with as many access points as possible, regardless of whether it will connect to them later. However, since every pre-authentication is a full IEEE 802.1X exchange, this approach generates a significant load on the authentication server. The applicability of pre-authentication for fast roaming is therefore limited.

Opportunistic key caching

Opportunistic Key Caching (OKC) provides fast roaming without a heavy load on the IEEE 802.1X authentication server. The central idea is that a Wi-Fi controller manages the key information for all access points under its control and distributes it to them. A client therefore no longer has to negotiate a separate PMK with each access point, but can use the same PMK for all access points managed by the controller. The PMK is negotiated during the first IEEE 802.1X authentication; afterwards the client derives the PMKID for whichever access point it roams to from that PMK and the access point's address, and the access point, holding the distributed key, can verify it and proceed directly to the 4-way handshake. Thus a single IEEE 802.1X authentication to any access point suffices to connect to all access points of the network. For this reason, roaming times of around 50 ms are possible with OKC while retaining the full security of IEEE 802.1X.

IEEE 802.11r

IEEE 802.11r (Fast BSS Transition) is conceptually very similar to Opportunistic Key Caching, but it is specified in the IEEE standard. A significant difference from OKC is the defined key hierarchy at the Wi-Fi controller and the connecting clients: the controller holds the top-level key (PMK-R0) derived from the IEEE 802.1X authentication and derives from it a separate second-level key (PMK-R1) for each access point. Based on this hierarchy, an access point and the client each obtain only the part of the key material they need for the key negotiation with each other.

System solutions

The software used for access points, clients and Wi-Fi controllers offers solutions for both core challenges of fast roaming.
On the one hand, comprehensive configuration options for the scanning behavior facilitate efficient, optimal roaming decisions. On the other hand, the mechanisms for fast roaming in combination with IEEE 802.1X authentication, namely pre-authentication, Opportunistic Key Caching and IEEE 802.11r, are supported as well.

Reliability and security

Both train-to-ground communication and AGV applications need reliable communication between fast-moving participants and the stationary infrastructure. Given the high mobility and the requirement for data throughput with very low packet loss, optimal fast roaming combined with the highest Wi-Fi network security is needed. Only by optimizing the roaming behavior, and thus keeping the associated interruptions very short, can the target of low packet loss be achieved for these mobile applications.

Dr. Tobias Heer, Technology & Innovations, and Dr. Bernhard Wiegel, Embedded Software Development, Hirschmann Automation and Control.

Industrial Ethernet Book, 11.2017. Source: Belden
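The following simulation is an added example (it is not code from the article, nor from Hirschmann/Belden equipment) that makes the trade-offs of the PMK caching, pre-authentication, OKC and IEEE 802.11r sections above concrete. It models one client roaming across three access points behind one controller and counts how many full IEEE 802.1X runs the authentication server has to perform under each scheme. The PMKID derivation is the one IEEE 802.11 specifies for WPA2 with SHA-1 based AKMs (Truncate-128 of HMAC-SHA-1 over "PMK Name", the AP address and the client address). The PMK-R0/PMK-R1 derivation is a simplified HMAC-SHA-256 stand-in for the standard's KDF-384/KDF-256 and is not interoperable with real FT equipment; it only illustrates that each access point receives a per-AP key rather than the top-level key. All MAC addresses, SSID and key material are constructed for the example.

```python
"""Toy model of fast-roaming key handling: PMK caching, pre-authentication,
OKC and an 802.11r-style key hierarchy. Added example; PMKID follows IEEE
802.11, the FT derivation is a simplified stand-in (see lead-in)."""
import hashlib
import hmac
import os

# Constructed station and access-point MAC addresses (locally administered).
STA = bytes.fromhex("02aa000000a1")
AP1, AP2, AP3 = (bytes.fromhex(f"02bb0000000{i}") for i in (1, 2, 3))


def pmkid(pmk, aa, spa):
    """PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA));
    AA is the authenticator (AP) address, SPA the supplicant (client) address."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AuthServer:
    """Stands in for the RADIUS/EAP server behind IEEE 802.1X."""
    def __init__(self):
        self.full_auths = 0

    def eap_authenticate(self):
        self.full_auths += 1       # one complete EAP exchange
        return os.urandom(32)      # PMK taken from the resulting MSK


class AccessPoint:
    def __init__(self, bssid, server):
        self.bssid, self.server = bssid, server
        self.cache = {}            # PMKSA cache: PMKID -> PMK

    def full_8021x(self, sta):
        pmk = self.server.eap_authenticate()
        self.cache[pmkid(pmk, self.bssid, sta)] = pmk
        return pmk

    def associate(self, sta, offered_pmkid):
        """Cache hit: skip 802.1X, only the 4-way handshake follows ("fast").
        Miss: run a full 802.1X authentication ("full")."""
        if offered_pmkid is not None and offered_pmkid in self.cache:
            return "fast", self.cache[offered_pmkid]
        return "full", self.full_8021x(sta)


class Client:
    def __init__(self, mac):
        self.mac, self.pmksa, self.last_pmk = mac, {}, None

    def roam_to(self, ap):
        # Prefer a PMK negotiated with this very AP; otherwise offer the current
        # PMK opportunistically, as an OKC-capable client does.
        pmk = self.pmksa.get(ap.bssid, self.last_pmk)
        offered = pmkid(pmk, ap.bssid, self.mac) if pmk else None
        kind, pmk = ap.associate(self.mac, offered)
        self.pmksa[ap.bssid] = self.last_pmk = pmk
        return kind

    def preauthenticate(self, ap):
        """Pre-authentication: full 802.1X with a candidate AP over the wired
        network while still associated elsewhere."""
        self.pmksa[ap.bssid] = ap.full_8021x(self.mac)


def run_roaming(mode, path=(AP1, AP2, AP3, AP1)):
    """Roam one client along `path`; return (per-hop outcomes, full 802.1X runs).
    "pmk_caching": each AP only knows keys it negotiated itself.
    "preauth":     after the first login the client pre-authenticates to every
                   other AP (one full 802.1X each).
    "okc":         the controller pushes the PMK to every AP, keyed by the PMKID
                   that AP will see from this client."""
    server = AuthServer()
    aps = {b: AccessPoint(b, server) for b in (AP1, AP2, AP3)}
    sta = Client(STA)
    outcomes = []
    for hop, bssid in enumerate(path):
        outcomes.append(sta.roam_to(aps[bssid]))
        if mode == "okc":
            for ap in aps.values():
                ap.cache[pmkid(sta.last_pmk, ap.bssid, STA)] = sta.last_pmk
        elif mode == "preauth" and hop == 0:
            for ap in aps.values():
                if ap.bssid != bssid:
                    sta.preauthenticate(ap)
    return outcomes, server.full_auths


# --- 802.11r-style key hierarchy (simplified derivation, see lead-in) ---
def _kdf(key, label, context):
    return hmac.new(key, label + context, hashlib.sha256).digest()


def ft_pmk_r0(msk, ssid, mdid, r0kh_id, sta):
    """PMK-R0: known only to the R0 key holder (the controller) and the client."""
    return _kdf(msk[:32], b"FT-R0", ssid + mdid + r0kh_id + sta)


def ft_pmk_r1(pmk_r0, r1kh_id, sta):
    """PMK-R1: the only key handed to an individual AP (R1 key holder), so a
    compromised AP exposes neither PMK-R0 nor another AP's PMK-R1."""
    return _kdf(pmk_r0, b"FT-R1", r1kh_id + sta)


if __name__ == "__main__":
    for mode in ("pmk_caching", "preauth", "okc"):
        print(f"{mode:12s}", run_roaming(mode))
    r0 = ft_pmk_r0(os.urandom(64), b"agv-net", b"\x00\x01", b"controller", STA)
    print("per-AP PMK-R1 differ:", ft_pmk_r1(r0, AP1, STA) != ft_pmk_r1(r0, AP2, STA))
```

Running the three modes over the path AP1, AP2, AP3, AP1 shows the article's argument in numbers: plain PMK caching is fast only on the return to AP1 and costs three full authentications, pre-authentication makes every hop fast but still costs three full authentications (the server load the text warns about), and OKC makes every hop after the first fast with a single authentication. The model deliberately omits the 4-way handshake itself, PMKSA lifetimes and the scanning decision; it only shows where the 802.1X round trips go.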

