IEEE 802.11r-2008

IEEE 802.11r-2008 or fast BSS transition (FT), is an amendment to the IEEE 802.11 standard to permit continuous connectivity aboard wireless devices in motion, with fast and secure client transitions from one Basic Service Set (abbreviated BSS, and also known as a base station or more colloquially, an access point) to another performed in a nearly seamless manner. It was published on July 15, 2008. IEEE 802.11r-2008 was rolled up into 802.11-2012. The terms handoff and roaming are often used, although 802.11 transition is not a true handoff/roaming process in the cellular sense, where the process is coordinated by the base station and is generally uninterrupted.

Rationale for the amendment
802.11, commonly known as Wi-Fi, is widely used for wireless local area communications. Many deployed implementations have effective ranges of only a few dozen meters, so, to maintain communications, devices in motion that use it will need to transition from one access point to another. In an automotive environment, this could easily result in a transition every five to ten seconds.

Transitions are already supported under the preexisting standard. The fundamental architecture for transition is identical for 802.11 with and without 802.11r: the client device (known as the Station, or STA) is entirely in charge of deciding when to transition and to which BSS it wishes to transition. In the early days of 802.11, transition was a much simpler task for the client device. Only four messages were required for the device to establish a connection with a new BSS (five if counting the optional "I'm leaving" message (deauthentication and disassociation frame) the client could send to the old access point). However, as additional features were added to the standard, including 802.11i with 802.1X authentication and 802.11e (QoS) or Wireless Multimedia Extensions (WMM) with admission control requests, the number of messages required went up dramatically. During the time these additional messages are being exchanged, the mobile device's traffic, including that from voice calls, cannot proceed, and the loss experienced by the user could amount to several seconds. Generally, the highest amount of delay or loss that the edge network should introduce into a voice call is 50 ms.

802.11r was launched to attempt to undo the added burden that security and quality of service added to the transition process, and restore it to the original four-message exchange. In this way, transition problems are not eliminated, but at least are returned to the status quo ante.

The primary application currently envisioned for the 802.11r standard is voice over IP (VOIP) via mobile phones designed to work with wireless Internet networks, instead of (or in addition to) standard cellular networks.

Fast BSS Transition
IEEE 802.11r specifies fast Basic Service Set (BSS) transitions between access points by redefining the security key negotiation protocol, allowing both the negotiation and requests for wireless resources (similar to RSVP but defined in 802.11e) to occur in parallel.

The key negotiation protocol in 802.11i specifies that, for 802.1X-based authentication, the client is required to renegotiate its key with the RADIUS or other authentication server supporting Extensible Authentication Protocol (EAP) on every transition, a time-consuming process. The solution is to allow for the part of the key derived from the server to be cached in the wireless network, so that a reasonable number of future connections can be based on the cached key, avoiding the 802.1X process. A feature known as opportunistic key caching (OKC) exists today, based on 802.11i, to perform the same task. 802.11r differs from OKC by fully specifying the key hierarchy.

Protocol operation
The non-802.11r BSS transition goes through six stages:
 * Scanning – active or passive for other APs in the area.
 * Exchanging 802.11 authentication messages (first from the client, then from the AP) with the target access point.
 * Exchanging reassociation messages to establish connection at target AP.

At this point in an 802.1X BSS, the AP and Station have a connection, but are not allowed to exchange data frames, as they have not established a key.
 * 802.1X pairwise master key (PMK) negotiation.
 * Pairwise transient key (PTK) derivation – 802.11i 4-way handshake of session keys, creating a unique encryption key for the association based on the master key established from the previous step.
 * QoS admission control to re-establish QoS streams.

A fast BSS transition performs the same operations except for the 802.1X negotiation, but piggybacks the PTK and QoS admission control exchanges with the 802.11 Authentication and Reassociation messages.

Problems
In October 2017 security researchers Mathy Vanhoef (imec-DistriNet, KU Leuven) and Frank Piessens (imec-DistriNet, KU Leuven) published their paper "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" (KRACK). This paper also listed a vulnerability of common 802.11r implementations and registered the CVE identifier CVE-2017-13082.

On August 4, 2018, researcher Jens Steube (of Hashcat) described a new technique to crack WPA2 and WPA PSK (pre-shared key) passwords that he states will likely work against all 802.11i/p/r networks with transition functions enabled.