SECURING MULTIPLE LINKS AND PATHS IN A WIRELESS MESH NETWORK INCLUDING RAPID ROAMING

US 20070250713A1
Filed: 06/29/2007
Published: 10/25/2007
Est. Priority Date: 03/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method in a mesh point, the method comprising:

the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point to the first parent mesh point, the first parent mesh point being coupled to an authenticator and a member of a mesh domain of the mesh network;

the child mesh point undergoing an authentication with the authenticator via the first parent mesh point of the mesh domain, the authentication resulting in a root pairwise master key of a multiple-identities-key hierarchy; and

undergoing a 4-way handshake initiated by the child mesh point using the multiple-identities-key hierarchy to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and logic encoded in tangible media and apparatus for securing links between a mesh point and one or more identities of one or more parent mesh points of a wireless mesh network in order to secure the links. A first association is carried out to one of the identities of one of the parent mesh points. The first mesh point undergoes a mutual authentication with an authenticator and announces the possibility of multiple links and/or multiple paths. The authentication generates a first master key from which the root master key of the key hierarchy is derived so that other master keys for different identities are derivable using a hierarchy. The mesh point undergoes a 4-way handshake to derive a first transient key. Other transient keys are obtained by a fast roaming method without having to re-undergo a backend authentication, the other transient keys being for other links and/or paths and derived using the hierarchy.

Citations

45 Claims

1. A method in a mesh point, the method comprising:
- the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point to the first parent mesh point, the first parent mesh point being coupled to an authenticator and a member of a mesh domain of the mesh network;
  
  the child mesh point undergoing an authentication with the authenticator via the first parent mesh point of the mesh domain, the authentication resulting in a root pairwise master key of a multiple-identities-key hierarchy; and
  
  undergoing a 4-way handshake initiated by the child mesh point using the multiple-identities-key hierarchy to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network.
- View Dependent Claims (2, 3, 4)
- - 2. A method as recited in claim 1, wherein the authentication is mutual authentication.
  - 3. A method as recited in claim 1, wherein the authentication is a certificate-based mutual authentication.
  - 4. A method as recited in claim 1, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure link to a first controller using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point.

5. A method in a mesh point comprising:
- the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point being coupled to an authenticator in a mesh domain of the network;
  
  the first child mesh point undergoing an authentication to the mesh domain using the authenticator via the first parent mesh point of the mesh network, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
  
  undergoing a 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network, such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. A method as recited in claim 5, wherein the authentication is mutual authentication.
  - 7. A method as recited in claim 5, wherein the authentication is a certificate-based mutual authentication.
  - 8. A method as recited in claim 5, wherein the authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 9. A method as recited in claim 5, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure link to a first controller using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 10. A method as recited in claim 5, further comprising the child mesh point rejoining the mesh network via a second parent mesh point of the mesh domain, including associating with the second parent mesh point and securing the link between the child mesh point and the second parent mesh point using a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point re-undergoing an authentication.
  - 11. A method as recited in claim 5, wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network, wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
    - wherein the child mesh point associating with the first parent mesh point is as a result of the child mesh point receiving neighbor advertisements from the first and second parent mesh points or mesh point identities and includes the child mesh point announcing its ability to have multiple parents in multiple paths, and sending a multiple identities information element received from the first and second parent mesh points or identities to announce that an multiple-identities-key hierarchy is to be used;
      
      wherein the child mesh point undergoing the authentication results in the first pairwise master key that is in the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point or an identity thereof and forms a transient key via the first parent mesh point, such that an alternate path from the child mesh point via the second parent mesh point or identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
  - 12. A method as recited in claim 5, wherein the child mesh point is a mesh point that is configured to have multiple identities, wherein the child mesh point associating with the first parent mesh point is for a first child mesh point identity of the child mesh point associating with a first identity of the first parent mesh point and is a result of the child mesh point receiving neighbor advertisements from the first parent mesh point and includes the child mesh point announcing its multiple identities by sending its multiple identities information element to announce that a multiple-identities-key hierarchy is to be used;
    - wherein the child mesh point undergoing the authentication results in the first pairwise master key that is the root of the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point and forms a transient key via the first parent mesh point between the first child mesh point identity and the first parent mesh point, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
  - 13. A method as recited in claim 5, further comprising:
    - the child mesh point rejoining the mesh network via a second parent mesh point, including associating with the second parent mesh point and securing the link between the child mesh point and the second parent mesh point using a new pairwise transient key determined according to the key hierarchy without the child mesh point re-undergoing an authentication.
  - 14. A method as recited in claim 13, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, wherein the first parent mesh point has a secure link to a first controller using the protocol, and wherein the second parent mesh point has a secure link to a second controller in the same mesh domain using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point; and
      
      once the link between the child mesh point and second parent mesh point is secured, the child mesh point re-joining a controller in the same mesh domain by re-forming the secure link to the controller in the same mesh domain via the second parent mesh point such that the child mesh point can function as an access point.
  - 15. A method as recited in claim 5, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard, and wherein the 4-way handshake is substantially an IEEE 8011.11i 4-way handshake, with the child mesh point initiating the 4-way handshake as supplicant.

16. A method in a child mesh point, the child mesh point having a plurality of identities, the method comprising:
- receiving a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and coupled to an authenticator of the mesh domain;
  
  sending an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
  
  undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A method as recited in claim 16, wherein the authentication is a certificate-based mutual authentication.
  - 18. A method as recited in claim 16, wherein the authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 19. A method as recited in claim 16, wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network, wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
    - wherein the child mesh point associating with the first parent mesh point is as a result of the child mesh point receiving neighbor advertisements from the first and second parent mesh points or mesh point identities and includes the child mesh point announcing its ability to have multiple parents in multiple paths, and sending a multiple identities information element received from the first and second parent mesh points or identities to announce that an multiple-identities-key hierarchy is to be used;
      
      wherein the child mesh point undergoing the authentication results in the first pairwise master key that is in the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point or an identity thereof and forms a transient key via the first parent mesh point, such that an alternate path from the child mesh point via the second parent mesh point or identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
  - 20. A method as recited in claim 16, wherein the first mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure link to the controller using the protocol, the method further comprising:
    - once the link between the first mesh point and the first parent mesh point is secured, the first mesh point joining the controller by forming a secure link to the controller via the first parent mesh point such that the first mesh point can function as an access point.
  - 21. A method as recited in claim 16, further comprising:
    - a different one of the child mesh point'"'"'s identities joining the mesh network, including associating with the first parent mesh point and securing the link between the different identity and the first parent mesh point using a new pairwise transient key determined according to the key hierarchy without the child mesh point re-undergoing an authentication.
  - 22. A method as recited in claim 16, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard, and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the child mesh point initiating the 4-way handshake as supplicant.

23. A method in a child mesh point comprising:
- receiving one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a mesh domain, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
  
  sending an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point being coupled to an authenticator of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
  
  undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between a the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. A method as recited in claim 23, wherein the authentication is a certificate-based mutual authentication.
  - 25. A method as recited in claim 23, wherein the authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 26. A method as recited in claim 23, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure link to a first controller using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 27. A method as recited in claim 23, further comprising the child mesh point rejoining the mesh network via a second parent mesh point or second mesh point identity of the mesh domain, including associating with the second parent mesh point or identity and securing the link between the child mesh point and the second parent mesh point or identity using a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point re-undergoing an authentication.
  - 28. A method as recited in claim 23, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, wherein the first parent mesh point has a secure link to a first controller using the protocol, and wherein the second parent mesh point has a secure link to a second controller in the same mesh domain using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point; and
      
      once the link between the child mesh point and second parent mesh point or parent mesh point identity is secured, the child mesh point re-joining a controller in the same mesh domain by re-forming the secure link to the controller in the same mesh domain via the second parent mesh point such that the child mesh point can function as an access point.
  - 29. A method as recited in claim 23, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard, and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the child mesh point initiating the 4-way handshake as supplicant.

30. A method in a child mesh point comprising:
- (a) the child mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to an authenticator of a mesh domain, wherein one or both of the child mesh point or the first parent mesh point has multiple identities, wherein the first parent mesh point is one of a set of one or more parent mesh points to which the first mesh point requests to form one or more paths, wherein one or more of the following is true;
  
  the first parent mesh point has one or multiple identities, the first parent mesh point allows association from a child on a path of a plurality of paths, and the child mesh point desires to authenticate multiple paths including a path to the first parent mesh point, the child mesh point has multiple identities, and the child mesh point desires to authenticate multiple links via its multiple identities, including associating one of its links with the first parent mesh point or with an identity of the first parent mesh point in the case the parent mesh point has multiple identities, wherein, in the case that the first parent mesh point has multiple identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included a multiple identities information element listing the multiple identities of the first parent mesh point, wherein, in the case that the first parent mesh point allows association from a child on a path of a plurality of paths and the child mesh point desires to associate with the first parent mesh point or with an identity of the first parent mesh point to form one of multiple paths to a respective plurality of parent mesh points or mesh point identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included an indication that the first parent mesh point accepts multiple path associations, and the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the plurality of parent mesh points or parent identities of the multiple paths;
  
  wherein in the case the child mesh point has multiple identities, the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the child mesh point, and (b) the child mesh point undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element or elements and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links that include any of the multiple identities;
  
  (c) using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  (d) undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the child mesh point or an identity thereof in the case of a multiple identity child mesh point and the first parent mesh point in the mesh network, such that a new link between the child mesh point or a different identity of the child mesh point in the case of a multiple identities child mesh point, and the first parent mesh point, or a different parent mesh point of parent mesh point identity in the case of multiple path to multiple parent mesh points or identities is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (31)
- - 31. A method as recited in claim 30, wherein the authentication is a certificate-based mutual authentication.

32. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a mesh point and when executed causing the mesh point to carry out a method comprising:
- the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point being coupled to an authenticator in a mesh domain of the network;
  
  the first child mesh point undergoing an authentication to the mesh domain using the authenticator via the first parent mesh point of the mesh network, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
  
  undergoing a 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network, such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (33, 34, 35, 36)
- - 33. Logic as recited in claim 32, wherein the authentication is a certificate-based mutual authentication.
  - 34. Logic as recited in claim 32, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure link to a first controller using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 35. Logic as recited in claim 32, wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network, wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
    - wherein the child mesh point associating with the first parent mesh point is as a result of the child mesh point receiving neighbor advertisements from the first and second parent mesh points or mesh point identities and includes the child mesh point announcing its ability to have multiple parents in multiple paths, and sending a multiple identities information element received from the first and second parent mesh points or identities to announce that an multiple-identities-key hierarchy is to be used;
      
      wherein the child mesh point undergoing the authentication results in the first pairwise master key that is in the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point or an identity thereof and forms a transient key via the first parent mesh point, such that an alternate path from the child mesh point via the second parent mesh point or identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
  - 36. Logic as recited in claim 32, wherein the child mesh point is a mesh point that is configured to have multiple identities, wherein the child mesh point associating with the first parent mesh point is for a first child mesh point identity of the child mesh point associating with a first identity of the first parent mesh point and is a result of the child mesh point receiving neighbor advertisements from the first parent mesh point and includes the child mesh point announcing its multiple identities by sending its multiple identities information element to announce that a multiple-identities-key hierarchy is to be used;
    - wherein the child mesh point undergoing the authentication results in the first pairwise master key that is the root of the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point and forms a transient key via the first parent mesh point between the first child mesh point identity and the first parent mesh point, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

37. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a child mesh point, the child mesh point having a plurality of identities, the logic when executed causing the mesh point to carry out a method comprising:
- receiving a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and coupled to an authenticator of the mesh domain;
  
  sending an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
  
  undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

38. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a mesh point and when executed causing the mesh point to carry out a method comprising:
- receiving one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a mesh domain, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
  
  sending an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point being coupled to an authenticator of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
  
  undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between a the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

39. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a child mesh point and when executed causing the mesh point to carry out a method comprising:
- (a) the child mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to an authenticator of a mesh domain, wherein one or both of the child mesh point or the first parent mesh point has multiple identities, wherein the first parent mesh point is one of a set of one or more parent mesh points to which the first mesh point requests to form one or more paths, wherein one or more of the following is true;
  
  the first parent mesh point has one or multiple identities, the first parent mesh point allows association from a child on a path of a plurality of paths, and the child mesh point desires to authenticate multiple paths including a path to the first parent mesh point, the child mesh point has multiple identities, and the child mesh point desires to authenticate multiple links via its multiple identities, including associating one of its links with the first parent mesh point or with an identity of the first parent mesh point in the case the parent mesh point has multiple identities, wherein, in the case that the first parent mesh point has multiple identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included a multiple identities information element listing the multiple identities of the first parent mesh point, wherein, in the case that the first parent mesh point allows association from a child on a path of a plurality of paths and the child mesh point desires to associate with the first parent mesh point or with an identity of the first parent mesh point to form one of multiple paths to a respective plurality of parent mesh points or mesh point identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included an indication that the first parent mesh point accepts multiple path associations, and the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the plurality of parent mesh points or parent identities of the multiple paths;
  
  wherein in the case the child mesh point has multiple identities, the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the child mesh point, and (b) the child mesh point undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element or elements and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links that include any of the multiple identities;
  
  (c) using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  (d) undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the child mesh point or an identity thereof in the case of a multiple identity child mesh point and the first parent mesh point in the mesh network, such that a new link between the child mesh point or a different identity of the child mesh point in the case of a multiple identities child mesh point, and the first parent mesh point, or a different parent mesh point of parent mesh point identity in the case of multiple path to multiple parent mesh points or identities is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

40. An apparatus in a mesh point comprising:
- logic configured to cause the mesh point to;
  
  associate with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point being coupled to an authenticator in a mesh domain of the network;
  
  undergo an authentication to the mesh domain using the authenticator via the first parent mesh point of the mesh network, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
  
  undergo a 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network, such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (41, 42, 43)
- - 41. An apparatus as recited in claim 40, wherein the child mesh point includes access point functionality controlled by a controller using a protocol, and wherein the first parent mesh point has a secure link to a first controller using the protocol, the logic further configured to cause the mesh point to join the first controller once the link between the child mesh point and the first parent mesh point is secured, the joining the controller including forming a secure link to the controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 42. An apparatus as recited in claim 40, wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network, wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
    - wherein the child mesh point associating with the first parent mesh point is as a result of the child mesh point receiving neighbor advertisements from the first and second parent mesh points or mesh point identities and includes the child mesh point announcing its ability to have multiple parents in multiple paths, and sending a multiple identities information element received from the first and second parent mesh points or identities to announce that an multiple-identities-key hierarchy is to be used;
      
      wherein the child mesh point undergoing the authentication results in the first pairwise master key that is in the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point or an identity thereof and forms a transient key via the first parent mesh point, such that an alternate path from the child mesh point via the second parent mesh point or identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
  - 43. An apparatus as recited in claim 40, wherein the child mesh point is a mesh point that is configured to have multiple identities, wherein the child mesh point associating with the first parent mesh point is for a first child mesh point identity of the child mesh point associating with a first identity of the first parent mesh point and is a result of the child mesh point receiving neighbor advertisements from the first parent mesh point and includes the child mesh point announcing its multiple identities by sending its multiple identities information element to announce that a multiple-identities-key hierarchy is to be used;
    - wherein the child mesh point undergoing the authentication results in the first pairwise master key that is the root of the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point and forms a transient key via the first parent mesh point between the first child mesh point identity and the first parent mesh point, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

44. An apparatus in a child mesh point having a plurality of identities, the apparatus comprising:
- logic configured to cause the mesh point to;
  
  receive a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and coupled to an authenticator of the mesh domain;
  
  send an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
  
  undergo an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
  
  use the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
  
  undergo a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

45. An apparatus in a mesh point comprising:
- logic configured to cause the mesh point to;
  
  receive one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a mesh domain, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
  
  send an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point being coupled to an authenticator of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
  
  undergo an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
  
  use the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  undergo a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between a the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cam-Winget, Nancy, Rahman, Shahriar, Dharanipragada, Kalyan

Granted Patent

US 8,037,305 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/064   Hierarchical key distributi...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04N 21/4126   The peripheral being portab...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 76/10   Connection setup

H04W 84/18   Self-organising networks, e...

H04W 88/08   Access point devices

SECURING MULTIPLE LINKS AND PATHS IN A WIRELESS MESH NETWORK INCLUDING RAPID ROAMING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING MULTIPLE LINKS AND PATHS IN A WIRELESS MESH NETWORK INCLUDING RAPID ROAMING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links