SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING
First Claim
1. An authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant, the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller.
1 Assignment
0 Petitions
Abstract
An authentication method in a mesh AP including using standard IEEE 802.11i mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP with a secure layer-2 link to a first parent mesh AP that has a secure tunnel to a Controller, including, after a layer-2 link between the child mesh AP and the first parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller. Further, a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information, and using the cached information to establish a secure layer-2 link with a new parent mesh AP without having to undergo a 4-way authentication. Further, while the mesh AP is a child mesh AP to the first parent mesh AP, has a secure layer-2 link to the first parent mesh AP, and has a secure tunnel to the Controller, caching session information on the secure tunnel, and using the cached information to re-establish the secure tunnel with the Controller, the secure tunnel now via the new mesh AP.
241 Citations
49 Claims
1. An authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant, the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller. - View Dependent Claims (46)
2. A fast roaming method in a mesh AP of a wireless mesh network in a Controller-based environment for re-establishing a secure layer-2 link with a new parent mesh AP that has a secure tunnel to the Controller, a mesh AP being a mesh point with or without access point capability, the method comprising:
while the mesh AP is a child mesh AP to a first parent mesh AP, including having a secure layer-2 link to the first parent mesh AP, caching key context information and wireless mesh network identity information; and
using the cached information to derive a key from the cached key context information to use to establish a secure layer-2 link with a new parent mesh AP without having to undergo a full authentication. - View Dependent Claims (3)
4. A fast roaming method in a mesh AP of a wireless mesh network in a Controller-based environment for re-establishing a secure tunnel to the Controller when a mesh point that was the child mesh AP of a first parent mesh AP roams to become the child mesh AP of a second parent mesh AP that has a secure tunnel to the Controller, a mesh AP being a mesh point with or without access point capability, the method comprising:
while the mesh AP is a child mesh AP to a first parent mesh AP, including having a secure layer-2 link to the first parent mesh AP and a secure tunnel to the Controller, caching session information on the secure tunnel; and
using the cached information to re-establish the secure tunnel with the Controller, the re-established secure tunnel being via the second parent mesh AP.
5. A computer-readable carrier medium carrying instructions to instruct one or more processors of a processing system in a mesh AP to execute an authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant, the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller. - View Dependent Claims (47)
6. An apparatus in a mesh AP to execute an authentication method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the apparatus comprising:
means for using authentication mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP to a parent mesh AP that has a secure tunnel to a Controller, the authentication mechanisms including an authentication followed by a 4-way handshake initiated by the mesh AP as supplicant, the handshake substantially conforming to a standard wireless network 4-way handshake and securing a layer-2 link between the child mesh AP and the parent mesh AP; and
means, operative after a layer-2 link between the child mesh AP and the parent mesh AP is secured, for undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller.
7. A method in a first mesh AP in a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the wireless mesh network including a second mesh AP that has a secure tunnel to a Controller, each mesh AP of the wireless mesh network being a lightweight mesh AP having AP and mesh functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the method comprising:
sending a mesh-specific association request frame to the second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP's request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
undergoing an authentication with an authenticator including a first 4-way handshake with the authenticator, the authentication resulting in a first pairwise master key available at the first mesh AP and the authenticator;
undergoing a second 4-way handshake initiated by the first mesh AP and using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP, wherein the second 4-way handshake substantially conforms to a standard wireless network 4-way handshake; and
sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
such that the use of an authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 48)
19. A method in a wireless mesh network, the wireless mesh network including a first mesh AP and a second mesh AP, the method being in the second mesh AP, the second mesh AP having a secure tunnel to the Controller, each mesh AP of the wireless mesh network being a lightweight AP having AP functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the method comprising:
receiving a mesh-specific association request frame from the first mesh AP, and passing information about the association request and about the first mesh AP to the Controller so that the Controller can ascertain whether the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP;
receiving a response frame from the Controller indicating that the Controller will accept the first mesh AP to the mesh network in the case that the Controller has ascertained to allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and sending a mesh-specific association response frame to the first mesh AP indicating that the Controller will accept the first mesh AP to the mesh network;
passing through frames between the first mesh AP and an authenticator coupled to the second mesh AP, the frames related to the first mesh AP carrying out an authentication with the authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and at the authenticator;
passing through frames between the first mesh AP and the Controller, the frames related to the first mesh AP and the Controller carrying out a second 4-way handshake initiated by the first mesh AP, the second 4-way handshake using the first pairwise master key and resulting in a first pairwise transient key available at the first mesh AP and at the Controller, wherein the backend authentication and the second 4-way handshake substantially conform to standard network authentication and a standard wireless network 4-way handshake, respectively;
obtaining or deriving the first pairwise transient key so that the first mesh AP and the second mesh AP know the first pairwise transient key;
passing through frames between the first mesh AP and the Controller, the frames related to the first mesh AP and the Controller carrying out a join exchange, such that a secure tunnel is formed between the first mesh AP and the Controller; and
after the secure tunnel is formed between the first mesh AP and the Controller via the second mesh AP, allowing wireless client data frames to pass to the Controller from the first mesh AP, such that the use of an authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key. - View Dependent Claims (20, 49)
21. A method of authenticating a mesh AP that was a child mesh AP of a first parent mesh AP in a wireless mesh network to become the child mesh AP of a second parent mesh AP, a mesh AP being a mesh point with or without access point capability, the first parent and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with a Controller, the mesh AP being a lightweight access point that, when the mesh AP was the child mesh AP of the first parent mesh AP, had a secure tunnel with the Controller, the method comprising:
(a) when the mesh AP was the child mesh AP of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
(b) receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP's capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
(c) ascertaining, based on information related to the receiving of the mesh beacon frame and the contents of the beacon frame, that the mesh AP is to attempt securing a layer-2 link between the mesh AP and the second parent mesh AP by fast roaming;
(d) sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the mesh AP is already in session with the Controller, such that the second parent mesh AP can pass through information to the Controller about the mesh AP to validate the mesh AP securing a layer-2 link between the mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a pairwise transient key to be available at the Controller or the second parent mesh AP for use for the mesh AP securely communicating with the second parent mesh AP;
(e) receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
(f) sending a mesh re-association request to the second parent mesh AP indicating that the mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
(g) receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the mesh AP via the second parent mesh AP, an indication that the Controller will accept the mesh AP to the mesh network, the response as a result of a validation process comprising:
(i) the second parent mesh AP sending the information to the Controller about the child AP;
(ii) the Controller receiving the information about the mesh AP and ascertaining whether the Controller will accept the mesh AP as a child mesh AP of the second parent mesh AP;
(iii) in the case that the Controller ascertains to accept the mesh AP, the Controller sending an indication that the Controller will accept the mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP already having the pairwise transient key;
(iv) the second parent mesh AP receiving the re-association request frame; and
(v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the mesh AP;
such that both the mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the mesh AP to the second parent mesh AP without requiring a full backend authentication. - View Dependent Claims (22, 23)
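The two link-layer key flows claimed above, the initial join of claim 7 (backend authentication yielding a PMK, then a 4-way handshake deriving a PTK, with the roam key cached while the link is up) and the fast roam of claim 21 (a re-authentication request/response that proves possession of the cached roam key and derives a fresh PTK with no backend authentication and no 4-way handshake), simulated end to end with both parties in one process. This is an added example written for this page, not code from the patent or from any vendor's mesh implementation. The PTK derivation (PRF-384 over HMAC-SHA1 with the "Pairwise key expansion" label) and the 128-bit EAPOL-Key MIC follow IEEE 802.11i; the `Controller` class, the `Mesh roam key` label, the roam-key identifier, the frame contents and the sample MAC addresses are this example's own assumptions.

```python
import hashlib
import hmac
import os

MESH_ID = b"campus-mesh-1"      # constructed network identity carried in mesh frames


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """802.11i PTK = PRF-384(PMK, "Pairwise key expansion", min/max addresses, min/max nonces).
    Returns (KCK, KEK, TK), 16 bytes each (CCMP sizes)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC, key descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


class Controller:
    """Authenticator/Controller (assumed model): backend authentication plus the roam-key cache."""

    def __init__(self, allowed):
        self.allowed = set(allowed)     # constructed: child MACs the backend will authenticate
        self.roam_cache = {}            # roam-key id -> (roam key, mesh id)

    def backend_auth(self, child: bytes):
        """Stand-in for certificate-based EAP: an allowed child gets a fresh PMK per session."""
        return os.urandom(32) if child in self.allowed else None

    def cache_roam_key(self, pmk: bytes, child: bytes):
        """Derive and cache the roam key while the child's first link is up (assumed label)."""
        roam_key = prf(pmk, b"Mesh roam key", child + MESH_ID, 32)
        rkid = hashlib.sha256(roam_key + MESH_ID).digest()[:8]
        self.roam_cache[rkid] = (roam_key, MESH_ID)
        return roam_key, rkid


def full_join(ctrl: Controller, parent: bytes, child: bytes):
    """Initial join: backend auth yields a PMK, then the child, as supplicant, runs the 4-way
    handshake with the parent.  Returns both sides' TK and the cached roam key, or None."""
    pmk = ctrl.backend_auth(child)
    if pmk is None:
        return None
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Msg 1 (parent -> child): ANonce.   Msg 2 (child -> parent): SNonce + MIC under the KCK.
    c_kck, _, c_tk = derive_ptk(pmk, parent, child, anonce, snonce)
    msg2 = b"M2" + snonce
    p_kck, _, p_tk = derive_ptk(pmk, parent, child, anonce, snonce)
    if not hmac.compare_digest(mic(c_kck, msg2), mic(p_kck, msg2)):
        return None
    # Msg 3 (parent -> child): install request + MIC.   Msg 4 (child -> parent): acknowledgement.
    msg3 = b"M3" + anonce
    if not hmac.compare_digest(mic(p_kck, msg3), mic(c_kck, msg3)):
        return None
    roam = ctrl.cache_roam_key(pmk, child)   # both ends keep this for later fast roaming
    return {"tk_child": c_tk, "tk_parent": p_tk, "roam": roam}


def fast_roam(ctrl: Controller, new_parent: bytes, child: bytes, roam, mesh_id: bytes = MESH_ID):
    """Re-authentication request/response with the cached roam key: no backend authentication
    and no 4-way handshake.  Returns both sides' TK, or None when the Controller rejects."""
    roam_key, rkid = roam
    cnonce = os.urandom(32)
    # Re-auth request (child -> new parent): rkid, mesh id, child nonce; the parent passes
    # the rkid and mesh id through to the Controller, which checks its roam-key cache.
    entry = ctrl.roam_cache.get(rkid)
    if entry is None or entry[1] != mesh_id:
        return None                           # not in session with the Controller: full join needed
    pnonce = os.urandom(32)
    # Controller derives the PTK and hands it to the new parent; the re-auth response
    # (new parent -> child) carries the parent nonce so the child derives the same PTK.
    p_kck, _, p_tk = derive_ptk(entry[0], new_parent, child, pnonce, cnonce)
    c_kck, _, c_tk = derive_ptk(roam_key, new_parent, child, pnonce, cnonce)
    # Re-association request (child -> new parent) carries a MIC: proof the child holds the key.
    reassoc = b"REASSOC" + mesh_id + rkid + cnonce + pnonce
    if not hmac.compare_digest(mic(c_kck, reassoc), mic(p_kck, reassoc)):
        return None
    return {"tk_child": c_tk, "tk_parent": p_tk}
```

The point worth checking in any real implementation is the failure path of `fast_roam`: a child whose roam-key identifier is unknown to the Controller, whose mesh identity does not match the cached one, or whose re-association MIC does not verify gets no PTK and must fall back to the full join, so the roam key never becomes a way around the backend authentication.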
24. A method in a child mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the child mesh AP having had a layer-2 secure link to a first parent mesh AP at a time when the first parent mesh AP had a secure tunnel established with a Controller, each mesh AP being a lightweight AP controlled by the Controller using frames conforming to a control protocol, the controlling including establishing security, the method comprising:
establishing a secure layer-2 link to a second parent mesh AP, the second parent mesh AP having a secure tunnel with the Controller; and
establishing a secure tunnel to the Controller via the second parent mesh AP. - View Dependent Claims (25, 26)
27. A method in a mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the mesh AP having had a secure tunnel to a Controller via a first parent mesh AP, the method being of re-establishing a secure tunnel to the Controller via a second parent mesh AP, the method comprising:
caching session information about a first session while the mesh AP has a secure tunnel to the Controller via the first parent mesh AP;
establishing a secure layer-2 link to a second parent mesh AP; and
having a re-join exchange with the Controller via the second parent mesh AP and using the cached session information and information cached at the Controller on the first session to re-establish a secure tunnel with the Controller, the re-established secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange with the Controller or a complete join exchange with the Controller.
28. A method in a Controller of re-establishing a secure tunnel with a mesh AP of a wireless mesh network that at a time had a secure tunnel with the Controller via a first parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
caching session information about a first session while there is a secure tunnel from the mesh AP to the Controller via the first parent mesh AP;
receiving information from a second parent mesh AP that the mesh AP has a secure layer-2 link to the second parent mesh AP; and
having a re-join exchange with the mesh AP via the second parent mesh AP and using the cached session information and information cached at the mesh AP on the first session to re-establish a secure tunnel between the Controller and the mesh AP, the re-established secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange between the mesh AP and the Controller or a complete join exchange between the mesh AP and the Controller.
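The tunnel side of the roam, claims 27 (child) and 28 (Controller), as a two-party simulation: both ends cache the session while the tunnel runs through the first parent; after the child has a secure layer-2 link to a second parent it sends a re-join that proves possession of the cached session, and the Controller rebinds the tunnel to the new path without a fresh discovery or join. This is an added example written for this page, not code from the patent or from any controller product; the session record, the HMAC-SHA256 message tags, the key-rebinding step, the sequence counter used against replay and the session TTL are this example's assumptions, and the node names are constructed.

```python
import hashlib
import hmac
import os


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so 'ab'|'c' and 'a'|'bc' cannot collide."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class TunnelController:
    """Controller side (assumed model): caches live tunnel sessions and serves re-join requests."""

    def __init__(self, session_ttl: int = 600):
        self.ttl = session_ttl
        self.sessions = {}      # session id -> dict(child, parent, key, seq, created)

    def full_join(self, child: bytes, parent: bytes, now: int) -> dict:
        """Discovery + join (the expensive path).  Returns what the child caches."""
        sid, key = os.urandom(8), os.urandom(32)
        self.sessions[sid] = dict(child=child, parent=parent, key=key, seq=0, created=now)
        return dict(sid=sid, key=key, seq=0)

    def rejoin(self, req: dict, new_parent: bytes, now: int):
        """Validate a re-join relayed by the new parent.  None means: do a full join instead."""
        s = self.sessions.get(req["sid"])
        if s is None or now - s["created"] > self.ttl:
            return None                                   # unknown or expired session
        if req["seq"] <= s["seq"]:
            return None                                   # replayed or out-of-order request
        expected = tag(s["key"], b"rejoin", req["sid"], req["seq"].to_bytes(4, "big"),
                       req["nonce"], new_parent)
        if not hmac.compare_digest(expected, req["mac"]):
            return None                                   # wrong session key
        s["seq"], s["parent"] = req["seq"], new_parent
        s["key"] = tag(s["key"], b"rekey", req["nonce"], new_parent)   # bind tunnel to new path
        return dict(mac=tag(s["key"], b"rejoin-ok", req["nonce"]))


class ChildSession:
    """Child mesh AP side: the cached session and the re-join it sends via a new parent."""

    def __init__(self, cached: dict):
        self.sid, self.key, self.seq = cached["sid"], cached["key"], cached["seq"]

    def rejoin_request(self, new_parent: bytes):
        self.seq += 1
        nonce = os.urandom(16)
        mac = tag(self.key, b"rejoin", self.sid, self.seq.to_bytes(4, "big"), nonce, new_parent)
        return dict(sid=self.sid, seq=self.seq, nonce=nonce, mac=mac), nonce

    def finish(self, resp, nonce: bytes, new_parent: bytes) -> bool:
        """Verify the Controller's answer; only then switch to the rebound tunnel key."""
        if resp is None:
            return False
        new_key = tag(self.key, b"rekey", nonce, new_parent)
        if not hmac.compare_digest(resp["mac"], tag(new_key, b"rejoin-ok", nonce)):
            return False
        self.key = new_key
        return True


def roam_tunnel(ctrl: TunnelController, child: ChildSession, new_parent: bytes, now: int) -> bool:
    """One re-join exchange through new_parent; True when both ends share the rebound key."""
    req, nonce = child.rejoin_request(new_parent)
    return child.finish(ctrl.rejoin(req, new_parent, now), nonce, new_parent)


def keys_match(ctrl: TunnelController, child: ChildSession) -> bool:
    return ctrl.sessions[child.sid]["key"] == child.key
```

The design choice to note is that the Controller changes nothing in its cache until the re-join tag verifies, and the child keeps its old key until the Controller's answer verifies; a captured re-join replayed later, a request for an expired session, or a request from a node holding only the session identifier all fall through to the full discovery and join exchange rather than to a half-updated tunnel.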
29. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a first mesh AP in a wireless mesh network, cause the processor(s) to implement a method, the wireless mesh network including a second mesh AP that has a secure tunnel to a Controller, each mesh AP of the wireless mesh network being a lightweight AP having AP functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the method comprising:
sending a mesh-specific association request frame to the second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP's request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
undergoing a certificate-based backend authentication with an authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and the authenticator;
undergoing a second 4-way handshake initiated by the first mesh AP and using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP, wherein the second 4-way handshake substantially conforms to a standard wireless network 4-way handshake; and
sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
such that the use of a certificate-based backend authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.
30. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a mesh AP in a wireless mesh network, cause the processor(s) to implement a method of authenticating the mesh AP that was a child mesh AP of a first parent mesh AP to become the child mesh AP of a second parent mesh AP, the first and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with a Controller, the child mesh AP being a lightweight access point that, when the child mesh AP was the child of the first parent mesh AP, had a secure tunnel with the Controller, the method comprising:
(a) when the mesh AP was the child mesh AP of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
(b) receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP's capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
(c) ascertaining, based on information related to the receiving of the mesh beacon frame and the contents of the beacon frame, that the mesh AP is to attempt securing a layer-2 link between the mesh AP and the second parent mesh AP by fast roaming;
(d) sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the mesh AP is already in session with the Controller, such that the second parent mesh AP can pass through information to the Controller about the mesh AP to validate the mesh AP securing a layer-2 link between the mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a pairwise transient key to be available at the Controller or the second parent mesh AP for use for the mesh AP securely communicating with the second parent mesh AP;
(e) receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
(f) sending a mesh re-association request to the second parent mesh AP indicating that the mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
(g) receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the mesh AP via the second parent mesh AP, an indication that the Controller will accept the mesh AP to the mesh network, the response as a result of a validation process comprising:
(i) the second parent mesh AP sending the information to the Controller about the child AP;
(ii) the Controller receiving the information about the mesh AP and ascertaining whether the Controller will accept the mesh AP as a child mesh AP of the second parent mesh AP;
(iii) in the case that the Controller ascertains to accept the mesh AP, the Controller sending an indication that the Controller will accept the mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP already having the pairwise transient key;
(iv) the second parent mesh AP receiving the re-association request frame; and
(v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the mesh AP;
such that both the mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the mesh AP to the second parent mesh AP without requiring a full backend authentication. - View Dependent Claims (31)
32. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a Controller in a wireless mesh network, cause the processor(s) to implement a method of authenticating a mesh AP that is a child mesh AP of a first parent mesh AP to become the child mesh AP of a second parent mesh AP, the first and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with the Controller, the child mesh AP being a lightweight access point that, when the child mesh AP was the child of the first parent mesh AP, had a secure tunnel with the Controller, the method comprising:
when the child mesh AP was the child of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the child mesh AP and any mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller;
receiving information from the second parent mesh AP about the child AP to validate the child mesh AP joining the mesh network via the second parent mesh AP, including information on the roam key, parent information for encryption, child information for encryption, and any other information needed for the Controller to generate a pairwise transient key for the child mesh AP to communicate with the second parent mesh AP, the receiving of the information as a result of:
the child mesh AP sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information for encryption and for forming a pairwise transient key for the child mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the child mesh AP is already in session with the Controller; and
the second parent mesh AP's sending, as a pass-through, information to the Controller about the child AP to validate the child mesh AP joining the mesh network via the second parent mesh AP;
ascertaining whether to accept the child mesh AP as a child of the second parent mesh AP;
in the case that the ascertaining is to accept the child mesh AP:
determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP with an indication that the Controller will accept the child mesh AP to the mesh network; and
sending a response frame to the second parent mesh AP to pass through to the child mesh AP from the second parent mesh AP with an indication that the Controller will accept the child mesh AP to the mesh network;
such that both the child mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the child mesh AP to the second parent mesh AP without requiring either a full backend authentication or a 4-way handshake.
33. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a child mesh AP of a wireless mesh network, cause the processor(s) to execute a method of re-establishing a secure tunnel to a Controller, a mesh AP being a mesh point with or without access point capability, the method comprising:
caching session information about a first session while the child mesh AP has a secure tunnel to the Controller via a first parent mesh AP;
establishing a secure layer-2 link to a second parent mesh AP; and
having a re-join exchange with the Controller via the second parent mesh AP and using the cached session information and information cached at the Controller on the first session to re-establish a secure tunnel with the Controller, the re-established secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange with the Controller or a complete join exchange with the Controller.
-
-
34. A computer readable carrier medium carrying instructions that when executed by one or more processors of a processing system in a Controller cause the processor(s) to execute a method of re-establishing a secure tunnel with a mesh AP of a wireless mesh station of a wireless station that at a time had a secure tunnel with the Controller via a first parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
-
caching session information about a first session when there is a secure tunnel from the mesh AP to the Controller via the first parent mesh AP;
receiving information from a second parent mesh AP that the mesh AP has a secure layer-2 link to the second parent mesh AP; and
having a re-join exchange with the mesh AP via the second parent mesh AP and using the cached session information and information cached at the mesh AP on the first session to re-establish a secure tunnel between the Controller and the mesh AP, the re-established secure tunnel being via the second parent mesh AP, such that the re-establishing does not require a complete discovery exchange between the mesh AP and the Controller or a complete join exchange between the mesh AP and the Controller.
-
-
35. An apparatus in a first mesh AP in a wireless mesh network, the wireless mesh network including a second mesh AP that has a secure tunnel to a Controller, each mesh AP of the wireless mesh network being a lightweight mesh AP having AP and mesh functionality controlled by the Controller, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, the apparatus comprising:
-
means for sending a mesh-specific association request frame to the second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
means for receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP's request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
means for undergoing an authentication process including a certificate-based backend authentication with an authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and the Controller, the substantially conforming authentication process further including a second 4-way handshake initiated by the first mesh AP with the Controller using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP; and
means for sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
such that the use of a certificate based backend authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.
-
-
36. An apparatus in a mesh AP of a wireless mesh network, the apparatus for authenticating the mesh AP that was a child mesh AP of a first parent mesh AP to become the child mesh AP of a second parent mesh AP, the first parent and second parent mesh APs being in the wireless mesh network and being lightweight access points each having a secure tunnel with a Controller, the mesh AP being a lightweight access point that when the mesh AP was the child mesh AP of the first parent mesh AP, had a secure tunnel with the Controller, the apparatus comprising:
-
(a) means for caching a roam key and an identifier therefor, the caching being when the mesh AP was the child mesh AP of the first parent mesh AP, caching including caching identification information on the mesh network, such that a secure link can be rapidly established between the child mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
(b) means for receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP's capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
(c) means for ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the mesh AP is to attempt securing a layer-2 link between the mesh AP and the second parent mesh AP by fast roaming;
(d) means for sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the mesh AP is already in session with the Controller, such that the second parent mesh AP can pass through information to the Controller about the mesh AP to validate the mesh AP securing a layer-2 link between the mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a pairwise transient key to be available at the Controller or the second parent mesh AP for use by the mesh AP in securely communicating with the second parent mesh AP;
(e) means for receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
(f) means for sending a mesh re-association request to the second parent mesh AP indicating that the mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
(g) means for receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the mesh AP via the second parent mesh AP, an indication that the Controller will accept the mesh AP to the mesh network, the response as a result of a validation process comprising:
(i) the second parent mesh AP sending the information to the Controller about the child AP;
(ii) the Controller receiving the information about the mesh AP and ascertaining whether the Controller will accept the mesh AP as a child mesh AP of the second parent mesh AP;
(iii) in the case that the Controller ascertains to accept the mesh AP, the Controller sending an indication that the Controller will accept the mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
(iv) the second parent mesh AP receiving the re-association request frame; and
(v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the mesh AP;
such that both the mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the mesh AP to the second parent mesh AP without requiring a full backend authentication.
-
-
37. An apparatus in a child mesh AP of a wireless mesh network, the child mesh AP having had a layer-2 secure link to a first parent mesh AP at a time when the first parent mesh AP had a secure tunnel established with a Controller, each mesh AP being a lightweight AP controlled by the Controller using frames conforming to a control protocol, the controlling including establishing security, the apparatus comprising:
-
means for establishing a secure layer-2 link to a second parent mesh AP, the second parent mesh AP having a secure tunnel with the Controller; and
means for establishing a secure tunnel to the Controller via the second parent mesh AP. (Dependent claims: 38, 39.)
-
-
40. A method in a first mesh point, including:
-
the first mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to an authenticator;
the first mesh point undergoing a certificate-based backend mutual authentication with the authenticator via the first parent mesh point of the mesh network, the certificate-based backend authentication resulting in a first pairwise master key;
using a hierarchy of derived keys to define how to determine derived master keys based on the first pairwise master key that is the result of the certificate-based backend authentication; and
undergoing a 4-way handshake initiated by the first mesh point as supplicant using a master key derived from the certificate-based backend authentication using the hierarchy, the 4-way handshake to determine a transient key for the first mesh point to securely communicate with the first parent mesh point in the mesh network;
such that a new link between the first mesh point and a new different parent mesh point is securable by a new transient key determined according to the key hierarchy without the first mesh point needing to re-undergo a certificate-based backend authentication. (Dependent claims: 41, 42, 43, 44, 45.)
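The key hierarchy of claim 40 (one certificate-based backend authentication yielding a pairwise master key, a derived master key per parent, and a 4-way-handshake-style pairwise transient key per link) and the fast-roam intent of claim 36 (a fresh link key for the new parent from cached key material, with a message integrity check as proof of possession), as an added worked example. This is not code from the patent or its specification. The PRF construction, the key labels, the key sizes, the nonce handling and the use of a random secret in place of the EAP-TLS result are assumptions made for illustration; the patent does not specify any of them. The example goes slightly beyond the claim text by showing that the first parent, holding only its own derived master key, ends up with key material unrelated to the second parent's link.

```python
"""Mesh key hierarchy: backend auth -> PMK -> per-parent master key -> PTK.

Added example, not the patent's own code. KDF labels, key sizes and the
stand-in for the certificate-based authentication are assumptions.
"""
import hashlib
import hmac
import os

PMK_LEN = 32  # assumption: 256-bit pairwise master key
PTK_LEN = 48  # assumption: KCK(16) | KEK(16) | TK(16), CCMP-style split


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 PRF: HMAC(key, label || 0x00 || data || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def backend_authentication() -> bytes:
    """Stand-in for the certificate-based backend mutual authentication.
    It is the only expensive step; its output is the PMK shared by the mesh
    point and the authenticator/Controller. Constructed as a random secret."""
    return os.urandom(PMK_LEN)


def derive_parent_master_key(pmk: bytes, mesh_id: bytes, parent_addr: bytes) -> bytes:
    """Second level of the hierarchy: one master key per (mesh network, parent).
    The child and the Controller both compute it from the cached PMK, so a
    roam to a new parent needs no new backend authentication."""
    return prf(pmk, b"Mesh Parent Master Key", mesh_id + parent_addr, PMK_LEN)


def derive_ptk(master_key: bytes, child_addr: bytes, parent_addr: bytes,
               snonce: bytes, anonce: bytes) -> bytes:
    """4-way-handshake key expansion from master key, addresses and nonces
    (min/max ordering so both sides build the same input)."""
    data = (min(child_addr, parent_addr) + max(child_addr, parent_addr)
            + min(snonce, anonce) + max(snonce, anonce))
    return prf(master_key, b"Pairwise key expansion", data, PTK_LEN)


def split_ptk(ptk: bytes):
    """KCK (MIC key), KEK (key-wrap key), TK (data key)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def mic(kck: bytes, frame: bytes) -> bytes:
    """Message integrity check carried on handshake message 2/3/4."""
    return hmac.new(kck, frame, hashlib.sha256).digest()[:16]


def secure_link(pmk: bytes, mesh_id: bytes, child_addr: bytes, parent_addr: bytes) -> dict:
    """One child/parent link: supplicant (mesh point) and authenticator side
    (Controller, holding the same cached PMK) each derive the parent master key
    and then the PTK; the parent never sees the PMK. Returns both sides' results."""
    anonce = os.urandom(32)  # message 1: authenticator -> supplicant
    snonce = os.urandom(32)  # message 2: supplicant -> authenticator

    # Supplicant side.
    child_mk = derive_parent_master_key(pmk, mesh_id, parent_addr)
    child_ptk = derive_ptk(child_mk, child_addr, parent_addr, snonce, anonce)
    msg2 = b"msg2" + snonce
    msg2_mic = mic(split_ptk(child_ptk)[0], msg2)

    # Authenticator side: recompute and verify the MIC as proof of possession.
    ctrl_mk = derive_parent_master_key(pmk, mesh_id, parent_addr)
    ctrl_ptk = derive_ptk(ctrl_mk, child_addr, parent_addr, snonce, anonce)
    mic_ok = hmac.compare_digest(mic(split_ptk(ctrl_ptk)[0], msg2), msg2_mic)

    return {"child_ptk": child_ptk, "ctrl_ptk": ctrl_ptk,
            "parent_master_key": child_mk, "mic_ok": mic_ok}


def roam_demo() -> dict:
    """Join via parent 1, then roam to parent 2 with one backend authentication."""
    mesh_id = b"mesh-example"                  # constructed identifiers
    child, parent1, parent2 = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x10", b"\x02\x00\x00\x00\x00\x20"
    pmk = backend_authentication()             # runs exactly once
    link1 = secure_link(pmk, mesh_id, child, parent1)
    link2 = secure_link(pmk, mesh_id, child, parent2)   # roam: derivations only
    return {"link1": link1, "link2": link2, "backend_auth_runs": 1}


if __name__ == "__main__":
    r = roam_demo()
    print("roam ok:", r["link1"]["mic_ok"] and r["link2"]["mic_ok"],
          "fresh PTK:", r["link1"]["child_ptk"] != r["link2"]["child_ptk"])
```

Both links end with the child and the Controller holding the same PTK and a verified MIC, and the second link costs only two PRF evaluations on each side; parent 1's master key is unrelated to parent 2's, which is what keeps a compromised former parent from reading the new link.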
-
Specification