SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING

US 20070206537A1
Filed: 07/06/2006
Published: 09/06/2007
Est. Priority Date: 03/06/2006
Status: Active Grant

First Claim

Patent Images

1. An authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:

using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant, the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and

after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication method in a mesh AP including using standard IEEE 802.11i mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP with a secure layer-2 link to a first parent mesh AP that has a secure tunnel to a Controller, including, after a layer-2 link between the child mesh AP and the first parent mesh AP is secured, undergoing a join exchange for form a secure tunnel between the child mesh AP and the Controller. Further, a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information, and using the cached information to establish a secure layer-2 link with a new parent mesh AP without having to undergo a 4-way authentication. Further, while the mesh AP is a child mesh AP to the first parent mesh AP, has a secure layer-2 link to the first parent mesh AP, and has a secure tunnel to the Controller, caching session information on the secure tunnel, and using the cached information to re-establish the secure tunnel with the Controller, the secure tunnel now via the new mesh AP.

241 Citations

49 Claims

1. An authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant, the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
  
  after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller.
- View Dependent Claims (46)
- - 46. A method as recited in claim 1, wherein the authentication is a certificate based mutual authentication.

2. A fast roaming method in a mesh AP of a wireless mesh network in a Controller-based environment for re-establishing a secure layer-2 link with a new parent mesh AP that has a secure tunnel to the Controller, a mesh point with or without access point capability, the method comprising:
- while the mesh AP is a child mesh AP to a first parent mesh AP, including having a secure layer-2 link to the first parent mesh AP, caching key context information and wireless mesh network identity information;
  
  using the cached information to derive a key from the cashed key context information to use to establish a secure layer-2 link with a new parent mesh AP without having to undergo a full authentication.
- View Dependent Claims (3)
- - 3. A method as recited in claim 2, further comprising:
    - while the mesh AP is a child mesh AP to a first parent mesh AP, has a secure layer-2 link to the first parent mesh AP, and has a secure tunnel to the Controller, caching session information on the secure tunnel; and
      
      using the cached information to re-establish the secure tunnel with the Controller, the re-established secure tunnel being via the new mesh AP.

4. A fast roaming method in a mesh AP of a wireless mesh network in a Controller-based environment for re-establishing a secure tunnel to the Controller when a mesh point that was the child mesh AP of a first parent mesh AP roams to become the child mesh AP of a second parent mesh AP that has a secure tunnel to the Controller, a mesh AP being a mesh point with or without access point capability, the method comprising:
- while the mesh AP is a child mesh AP to a first parent mesh AP, including having a secure layer-2 link to the first parent mesh AP and a secure tunnel to the Controller, caching session information on the secure tunnel; and
  
  using the cached information to re establish the secure tunnel with the Controller, the re-established secure tunnel being via the second mesh AP.

5. A computer-readable carrier medium carrying instructions to instruct one or more processors of a processing system in a mesh AP to execute an authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
  
  after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller.
- View Dependent Claims (47)
- - 47. A method as recited in claim 5, wherein the authentication is a certificate based mutual authentication.

6. An apparatus in a mesh AP to execute an authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the apparatus comprising:
- means for using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant the handshake substantially conforming to a wireless network standard 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
  
  means operative after a layer-2 link between the child mesh AP and the parent mesh AP is secured, for undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller.

7. A method in a first mesh AP in a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the wireless mesh network including a second mesh AP that has a secure tunnel to a Controller, each mesh AP of the wireless mesh network being a lightweight mesh AP having AP and mesh functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the method comprising:
- sending a mesh-specific association request frame to the second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
  
  receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP'"'"'s request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
  
  undergoing an authentication with an authenticator including a first 4-way handshake with the authenticator, the authentication resulting in a first pairwise master key available at the first mesh AP and the authenticator;
  
  undergoing a second 4-way handshake initiated by the first mesh AP and using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP, wherein the second 4-way handshake substantially conform to a standard wireless network 4-way handshake; and
  
  sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
  
  such that the use of an authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 48)
- - 8. A method as recited in claim 7, wherein the authenticator is the Controller.
  - 9. A method as recited in claim 7, wherein the first mesh AP has access point functionality, and wherein after the secure tunnel is established between the Controller and the first mesh AP, all wireless client data frames from the first mesh AP are passed through to the Controller.
  - 10. A method as recited in claim 9, wherein no wireless client data frames are passed through to the Controller until the secure tunnel is established between the Controller and the first mesh AP, and wherein control frames needed for the join exchange are passed through to the Controller before the secure tunnel is established between the Controller and the first mesh AP.
  - 11. A method as recited in claim 7, further comprising:
    - receiving a mesh beacon frame sent by the second mesh AP advertising the second mesh AP'"'"'s capabilities as a parent, the advertising frame including information related to how to associate with the mesh network, and information about the mesh network'"'"'s security profile; and
      
      ascertaining based on information related to the receiving of the mesh beacon frame, that the first mesh AP is to attempt joining the mesh network via the second mesh AP.
  - 12. A method as recited in claim 11, further comprising:
    - caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure link can be rapidly established between the first mesh AP and a third mesh AP that has a secure tunnel with the Controller, wherein the third mesh AP sends mesh beacon frames that include an indication that the third mesh AP supports fast roaming of links between a child mesh AP and the third mesh AP as a parent mesh AP, the indication sufficient to ascertain if fast roaming is possible to the third mesh AP, and wherein the rapidly establishing of the secure link with the third mesh AP includes using a key hierarchy to determine a new pairwise transient key for use between the first mesh AP and the second mesh AP without having to undergo a backend authentication.
  - 13. A method as recited in claim 12, further comprising:
    - after the secure tunnel is formed between the first mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, the roam key and the identity of the Controller, such that a secure tunnel with the Controller can be rapidly re-established via a third mesh AP that has a secure link with the Controller, the re-establishing not requiring a complete discover exchange between the first mesh AP and the Controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the first mesh AP and the Controller via the third mesh AP.
  - 14. A method as recited in claim 13, wherein the third mesh AP sends mesh beacon frames that include an indication that the third mesh AP supports fast roaming of secure tunnels.
  - 15. A method as recited in claim 11, wherein the mesh beacon frame includes quality of service (QoS) information.
  - 16. A method as recited in claim 7, wherein the certificate-based authentication is an Extensible Authentication Protocol IEEE 802.1x authentication and the second 4-way handshake is an IEEE 802.11i 4-way handshake initiated by the first mesh AP.
  - 17. A method as recited in claim 7, further comprising:
    - using a key hierarchy that enables deriving pairwise transient keys from a master key determined during the authentication; and
      
      caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure layer-2 link can be rapidly established between the first mesh AP and a third mesh AP that has a secure link with the Controller including using the key hierarchy with cached information to derive a pairwise transient key to use for the link via the third mesh AP.
  - 18. A method as recited in claim 7, further comprising:
    - after the secure tunnel is formed between the first mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, a roam key, and the identity of the Controller such that a secure tunnel with the Controller can be rapidly re-established via a third mesh AP that has a secure link with the Controller, the re-establishing not requiring a complete discover exchange between the first mesh AP and the Controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the first mesh AP and the Controller via the third mesh AP.
  - 48. A method as recited in claim 7, wherein the authentication is a certificate based mutual authentication.

19. A method in a wireless mesh network, the wireless mesh network including a first mesh AP and a second mesh AP, the method in the second mesh AP having a secure tunnel to the Controller, each mesh AP of the wireless mesh network being a lightweight AP having AP functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the method comprising:
- receiving a mesh-specific association request frame from the first mesh AP, and passing information about the association request and about the first mesh AP to the Controller so that the Controller can ascertain whether the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP;
  
  receiving a response frame from the Controller indicating that the Controller will accept the first mesh AP to the mesh network in the case that the Controller has ascertained to allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and sending a mesh-specific association response frame to the first mesh AP indicating that the Controller will accept the first mesh AP to the mesh network;
  
  passing through frames between the first mesh AP and an authenticator coupled to the second mesh AP related to the first mesh AP and an authenticator carrying out an authentication with the authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and at the authenticator;
  
  passing through frames between the first mesh AP to the Controller related to the first mesh AP and the Controller carrying out a standard 4-way handshake initiated by the first mesh AP, the second standard 4-way handshake using the first pairwise master key and resulting in a first pairwise transient key available at the first mesh AP and at the Controller, wherein the based authentication and the second 4-way handshake substantially conform to standard network authentication and a standard wireless network 4-way handshake, respectively;
  
  obtaining or deriving the first pairwise transient key so that the first mesh AP and the second mesh AP know the first pairwise transient key;
  
  passing through frames between the first mesh AP and the Controller related to the first mesh AP and the Controller authenticator carrying out a join exchange, such that a secure tunnel is formed between the first mesh AP and the Controller; and
  
  after the secure tunnel is formed between the first mesh AP and the Controller via the second mesh AP, allowing wireless client data frames to pass to the Controller from the first mesh AP, such that the use of an authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.
- View Dependent Claims (20, 49)
- - 20. A method as recited in claim 19, wherein the authentication is an Extensible Authentication Protocol IEEE 802.1x authentication and the second 4-way handshake is an IEEE 802.11i 4-way handshake initiated by the first mesh AP.
  - 49. A method as recited in claim 19, wherein the authentication is a certificate based mutual authentication.

21. A method of authenticating a mesh AP that was a child mesh AP of a first parent mesh AP in a wireless mesh network to become the child mesh AP of a second parent mesh AP, a mesh AP being a mesh point with or without access point capability, the first parent and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with a Controller, the mesh AP being a lightweight access point that when the mesh AP was the child mesh AP of the first parent mesh AP, had a secure tunnel with the Controller, the method comprising:
- (a) when the mesh AP was the child mesh AP of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
  
  (b) receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP'"'"'s capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
  
  (c) ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the mesh AP is to attempt securing a layer-2 link between the mesh AP and the second parent mesh AP by fast roaming;
  
  (d) sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the mesh AP is already in session with the Controller, such that that the second parent mesh AP can pass-through information to the Controller about the mesh AP to validate the mesh AP securing a layer-2 link between the mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a transient pairwise key to be available at the Controller or the second parent mesh AP for use for the mesh AP securely communicating with the second parent mesh AP;
  
  (d) receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
  
  (e) sending a mesh re-association request to the second parent mesh AP indicating that the first parent mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
  
  (f) receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the mesh AP via the second parent mesh AP, an indication that the Controller will accept the mesh AP to the mesh network, the response as a result of a validation process comprising;
  
  (i) the second parent mesh AP sending the information to the Controller about the child AP;
  
  (ii) the Controller receiving the information about the mesh AP and ascertaining whether the Controller will accept the mesh AP as a child mesh AP of the second parent mesh AP;
  
  (iii) in the case that the Controller ascertains to accept the mesh AP, the Controller sending an indication that the Controller will accept the mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
  
  (iv) the second parent mesh AP receiving the re-association request frame; and
  
  (v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the mesh AP;
  
  such that both the mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the mesh AP to the second parent mesh AP without requiring a full backend authentication.
- View Dependent Claims (22, 23)
- - 22. A method as recited in claim 21, wherein after a secure tunnel is first formed between the child mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, and the identity of the Controller, the method further comprising:
    - after the child mesh AP and the second parent mesh AP have established a secure layer-2 link, re-establishing the secure tunnel to the Controller, the re-establishing using the cached session identifier, and not needing a complete discovery exchange with the Controller.
  - 23. A method as recited in claim 22, wherein the mesh beacon frames sent by the second parent mesh AP include an indication that the second parent mesh AP supports fast roaming of secure tunnels.

24. A method in a child mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the child mesh AP having had a layer-2 secure link to a first parent mesh AP at a time when the first parent mesh AP had a secure tunnel established with a Controller, each mesh AP being a lightweight AP controlled by the Controller using frames conforming to a control protocol, the controlling including establishing security, the method comprising:
- establishing a secure layer-2 link to a second parent mesh AP, the second parent mesh AP having a secure tunnel with the Controller; and
  
  establishing a secure tunnel to the Controller via the second parent mesh AP.
- View Dependent Claims (25, 26)
- - 25. A method as recited in claim 24, wherein the establishing of the secure layer-2 link from the child mesh AP to the second parent mesh AP is a fast layer-2 roam without requiring a full backend authentication via the second parent mesh AP.
  - 26. A method as recited in claim 24, wherein the establishing of the secure tunnel to the Controller uses a first session identifier from the secure tunnel and does not need a complete discovery exchange with the Controller or a complete join exchange with the Controller.

27. A method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the mesh AP having had a secure tunnel to a Controller via a first parent mesh AP, the method being of re-establishing a secure tunnel to the Controller via a second mesh AP, the method comprising:
- caching session information about a first session when it has a secure tunnel to the Controller via the first parent mesh AP;
  
  establishing a secure-layer-2 link to a second parent mesh AP; and
  
  having a re-join exchange with the Controller via the second mesh AP and using the cached session information and information cached at the Controller on the first session to re-establish a secure tunnel with the Controller, the re-establish secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange with the Controller or a complete join exchange with the Controller.

28. A method in a Controller of re-establishing a secure tunnel with a mesh AP of a wireless mesh network that at a time had a secure tunnel with the Controller via a first parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when there is a secure tunnel from the mesh AP to the Controller via the first parent mesh AP;
  
  receiving information from a second parent mesh AP that the mesh AP has a secure secure-layer-2 link to the second parent mesh AP; and
  
  having a re-join exchange with the mesh AP via the second mesh AP and using the cached session information and information cached at the mesh AP on the first session to re-establish a secure tunnel between the Controller and the mesh AP, the re-establish secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange between the mesh AP and the Controller or a complete join exchange between the mesh AP and the Controller.

29. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a first mesh AP in a wireless mesh network, cause the processor(s) to implement a method, the wireless mesh network including a second mesh AP that has a secure tunnel to a Controller, each mesh AP of the wireless mesh network being a lightweight AP having AP functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the method comprising:
- sending a mesh-specific association request frame to the second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
  
  receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP'"'"'s request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
  
  undergoing a certificate-based backend authentication with an authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and the authenticator;
  
  undergoing a second 4-way handshake initiated by the first mesh AP and using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP, wherein the second 4-way handshake substantially conform to a standard wireless network 4-way handshake; and
  
  sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
  
  such that the use of a certificate based backend authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.

30. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a mesh AP in a wireless mesh network, cause the processor(s) to implement a method of authenticating the mesh AP that was a child mesh AP of a first parent mesh AP to become the child mesh AP of a second parent mesh AP, the first and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with a Controller, the child mesh AP being a lightweight access point that when the child mesh AP was the child of the first parent mesh AP, had a secure tunnel with the Controller, the method comprising:
- (a) when the mesh AP was the child mesh AP of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
  
  (b) receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP'"'"'s capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
  
  (c) ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the mesh AP is to attempt securing a layer-2 link between the mesh AP and the second parent mesh AP by fast roaming;
  
  (d) sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the mesh AP is already in session with the Controller, such that that the second parent mesh AP can pass-through information to the Controller about the mesh AP to validate the mesh AP securing a layer-2 link between the mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a transient pairwise key to be available at the Controller or the second parent mesh AP for use for the mesh AP securely communicating with the second parent mesh AP;
  
  (d) receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
  
  (e) sending a mesh re-association request to the second parent mesh AP indicating that the first parent mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
  
  (f) receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the mesh AP via the second parent mesh AP, an indication that the Controller will accept the mesh AP to the mesh network, the response as a result of a validation process comprising;
  
  (i) the second parent mesh AP sending the information to the Controller about the child AP;
  
  (ii) the Controller receiving the information about the mesh AP and ascertaining whether the Controller will accept the mesh AP as a child mesh AP of the second parent mesh AP;
  
  (iii) in the case that the Controller ascertains to accept the mesh AP, the Controller sending an indication that the Controller will accept the mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
  
  (iv) the second parent mesh AP receiving the re-association request frame; and
  
  (v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the mesh AP;
  
  such that both the mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the mesh AP to the second parent mesh AP without requiring a full backend authentication.
- View Dependent Claims (31)
- - 31. A carrier medium as recited in claim 30, wherein after a secure tunnel is first formed between the child mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, and the identity of the Controller, and wherein the method further comprises:
    - after the child mesh AP and the second parent mesh AP have established a secure layer-2 link, re-establishing the secure tunnel to the Controller, the re-establishing using the cached session identifier, and not needing a complete discovery exchange with the Controller.

32. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a Controller in a wireless mesh network, cause the processor(s) to implement a method of authenticating a mesh AP that is a child mesh AP of a first parent mesh AP to become the child mesh AP of a second parent mesh AP, the first and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with the Controller, the child mesh AP being a lightweight access point that when the child mesh AP was the child of the first parent mesh AP, had a secure tunnel with the Controller, the method comprising:
- when the child mesh AP was the child of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the child mesh AP and a any mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller;
  
  receiving information from the second mesh AP about the child AP to validate the child mesh AP joining the mesh network via the second parent mesh AP, including information on the roam key, parent information for encryption, child information for encryption, and any other information needed for the Controller to generate a pairwise transient key for the child mesh AP to communicate with the second parent mesh AP, the receiving information as a result of;
  
  the child mesh AP sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information for encryption and for forming a pairwise transient key for the child mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the child mesh AP is already in session with the Controller; and
  
  the second mesh AP'"'"'s sending as a pass-through information to the Controller about the child AP to validate the child mesh AP joining the mesh network via the second parent mesh AP;
  
  ascertaining whether to accept the child mesh AP as a child of the second mesh AP;
  
  in the case that the ascertaining ascertains to accept the child mesh AP;
  
  determining the pairwise transient key sending the pairwise transient key to the second mesh AP with an indication that the Controller will accept the child mesh AP to the mesh network; and
  
  sending a response frame to the second parent mesh AP to pass through to the send from the second mesh AP with an indication that the Controller will accept the child mesh AP to the mesh network;
  
  such that both the child mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the child mesh AP to the second parent mesh AP without requiring either a full backend authentication or a 4-way handshake.

33. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a child mesh AP of a wireless mesh network, cause the processor(s) to execute a method of re-establishing a secure tunnel to a Controller, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when it has a secure tunnel to the Controller via a first parent mesh AP;
  
  establishing a secure-layer-2 link to a second parent mesh AP; and
  
  having a re-join exchange with the Controller via the second mesh AP and using the cached session information and information cached at the Controller on the first session to re-establish a secure tunnel with the Controller, the re-establish secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange with the Controller or a complete join exchange with the Controller.

34. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a Controller cause the processor(s) to execute a method of re-establishing a secure tunnel with a mesh AP of a wireless mesh station of a wireless station that at a time had a secure tunnel with the Controller via a first parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when there is a secure tunnel from the mesh AP to the Controller via the first parent mesh AP;
  
  receiving information from a second parent mesh AP that the mesh AP has a secure secure-layer-2 link to the second parent mesh AP; and
  
  having a re-join exchange with the mesh AP via the second mesh AP and using the cached session information and information cached at the mesh AP on the first session to re-establish a secure tunnel between the Controller and the mesh AP, the re-establish secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange between the mesh AP and the Controller or a complete join exchange between the mesh AP and the Controller.

35. An apparatus in a first mesh AP in a wireless mesh network, the wireless mesh network including a second mesh AP that has a secure tunnel to a Controller, each mesh AP of the wireless mesh network being a lightweight mesh AP having AP and mesh functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the apparatus comprising:
- means for sending a mesh-specific association request frame to the second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
  
  means for receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP'"'"'s request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
  
  means for undergoing an authentication process including a certificate-based backend authentication with an authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and the Controller, the substantially conforming authentication process further including a second 4-way handshake initiated by the first mesh AP with the Controller using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP; and
  
  means for sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
  
  such that the use of a certificate based backend authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.

36. An apparatus in a mesh AP of a wireless mesh network, the apparatus for authenticating the mesh AP that was a child mesh AP of a first parent mesh AP to become the child mesh AP of a second parent mesh AP, the first parent and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with a Controller, the mesh AP being a lightweight access point that when the mesh AP was the child mesh AP of the first parent mesh AP, had a secure tunnel with the Controller, the apparatus comprising:
- (a) means for caching a roam key and an identifier therefor, the caching being when the mesh AP was the child mesh AP of the first parent mesh AP, caching including caching identification information on the mesh network, such that a secure link can be rapidly established between the child mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
  
  (b) means for receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP'"'"'s capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
  
  (c) means for ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the mesh AP is to attempt securing a layer-2 link between the mesh AP and the second parent mesh AP by fast roaming;
  
  (d) means for sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the mesh AP is already in session with the Controller, such that that the second parent mesh AP can pass-through information to the Controller about the mesh AP to validate the mesh AP securing a layer-2 link between the mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a transient pairwise key to be available at the Controller or the second parent mesh AP for use for the mesh AP securely communicating with the second parent mesh AP;
  
  (d) means for receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
  
  (e) means for sending a mesh re-association request to the second parent mesh AP indicating that the first parent mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
  
  (f) means for receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the mesh AP via the second parent mesh AP, an indication that the Controller will accept the mesh AP to the mesh network, the response as a result of a validation process comprising;
  
  (i) the second parent mesh AP sending the information to the Controller about the child AP;
  
  (ii) the Controller receiving the information about the mesh AP and ascertaining whether the Controller will accept the mesh AP as a child mesh AP of the second parent mesh AP;
  
  (iii) in the case that the Controller ascertains to accept the mesh AP, the Controller sending an indication that the Controller will accept the mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
  
  (iv) the second parent mesh AP receiving the re-association request frame; and
  
  (v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the mesh AP;
  
  such that both the mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the mesh AP to the second parent mesh AP without requiring a full backend authentication.

37. An apparatus in a child mesh AP of a wireless mesh network, the child mesh AP having had a layer-2 secure link to a first parent mesh AP at a time when the first parent mesh AP had a secure tunnel established with a Controller, each mesh AP being a lightweight AP controlled by the Controller using frames conforming to a control protocol, the controlling including establishing security, the apparatus comprising:
- means for establishing a secure layer-2 link to a second parent mesh AP, the second parent mesh AP having a secure tunnel with the Controller; and
  
  means for establishing a secure tunnel to the Controller via the second parent mesh AP.
- View Dependent Claims (38, 39)
- - 38. An apparatus as recited in claim 37, wherein the means for establishing the secure layer-2 link from the child mesh AP to the second parent mesh AP uses a fast layer-2 roam without requiring a full backend authentication via the second parent mesh AP.
  - 39. An apparatus as recited in claim 37, wherein the means for establishing of the secure tunnel to the Controller uses a first session identifier from the secure tunnel and does not need a complete discovery exchange with the Controller or a complete join exchange with the Controller.

40. A method in a first mesh point, including:
- the first mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to an authenticator;
  
  the first mesh point undergoing a certificate-based backend mutual authentication with the authenticator via the first parent mesh point of the mesh network, the certificate-based backend authentication resulting in a first pairwise master key;
  
  using a hierarchy of derived keys to define how to determine derived master key keys based on the first pairwise master key that is the result of the certificate-based backend authentication; and
  
  undergoing a 4-way handshake initiated by the first mesh point as supplicant using a master key derived from the certificate-based backend authentication using the hierarchy, the 4-way handshake to determine a transient key for the first mesh point to securely communicate with the first parent mesh point in the mesh network;
  
  such that a new link between the first mesh point and a new different parent mesh point is securable by a new transient key determined according to the key hierarchy without the first mesh point needing to re-undergo a certificate-based backend authentication.
- View Dependent Claims (41, 42, 43, 44, 45)
- - 41. A method as recited in claim 40, further comprising:
    - the first mesh point rejoining the mesh network via a second parent mesh point, including associating with the second parent mesh point and securing the link between the first mesh point and the second parent mesh point using a new transient key determined according to the key hierarchy without the first mesh point re-undergoing a certificate-based backend authentication.
  - 42. A method as recited in claim 41, wherein the first mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point and the second parent mesh point each has a secure tunnel to the controller using the protocol, the method further comprising:
    - once the link between the first mesh point and the first parent mesh point is secured, the first mesh point joining the controller by forming a secure tunnel to the controller via the first parent mesh point such that the first mesh point can function as an access point; and
      
      once the link between the first mesh point and second parent mesh point is secured, the first mesh point re-joining the controller by re-forming the secure tunnel to the controller via the second parent mesh point such that the first mesh point can function as an access point.
  - 43. A method as recited in claim 40, wherein the certificate-based backend authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 44. A method as recited in claim 43, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard., and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the first mesh point initiating the 4-way handshake as supplicant.
  - 45. A method as recited in claim 40, wherein the first mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure tunnel to the controller using the protocol, the method further comprising:
    - once the link between the first mesh point and the first parent mesh point is secured, the first mesh point joining the controller by forming a secure tunnel to the controller via the first parent mesh point such that the first mesh point can function as an access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cam-Winget, Nancy, Rahman, Shahriar

Granted Patent

US 8,023,478 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/331
CPC Class Codes

H04L 63/064   Hierarchical key distributi...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04N 21/4126   The peripheral being portab...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 76/10   Connection setup

H04W 84/18   Self-organising networks, e...

H04W 88/08   Access point devices

SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

241 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

241 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links