System and method for securing mesh access points in a wireless mesh network, including rapid roaming

US 8,023,478 B2
Filed: 07/06/2006
Issued: 09/20/2011
Est. Priority Date: 03/06/2006
Status: Active Grant

First Claim

Patent Images

1. An authentication method in a first mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:

the first mesh AP sending an association request to a Controller via a parent mesh AP that has a secure tunnel with the Controller as a result of the first mesh AP receiving a mesh beacon frame to advertise the parent mesh AP'"'"'s abilities, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, a secure tunnel between a particular mesh AP and the Controller being established by an authentication between the particular mesh AP as supplicant and the Controller as authenticator;

the first mesh AP receiving a response from the Controller via the parent mesh AP to indicate successful association with the parent mesh AP as a child mesh AP to the parent mesh AP, the association including forming a secure tunnel with the Controller for control frames between the first mesh AP and the Controller;

the first mesh AP undergoing an authentication with the Controller as authenticator such that the first mesh AP and the Controller have a first key to use for secure communication;

the first mesh AP thereafter undergoing a 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator using the first key, the handshake substantially conforming to a standard wireless network 4-way handshake, the 4-way handshake to secure a layer-2 link between the child mesh AP and the parent mesh AP; and

after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller such that the Controller can control operation of the first mesh AP as a mesh point of the wireless mesh network, and such that data frames can be securely communicated via the first mesh AP.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication method in a mesh AP including using standard IEEE 802.11i mechanisms between the mesh AP and an authenticator for authenticating the mesh AP to become a child mesh AP with a secure layer-2 link to a first parent mesh AP that has a secure tunnel to a Controller, including, after a layer-2 link between the child mesh AP and the first parent mesh AP is secured, undergoing a join exchange for form a secure tunnel between the child mesh AP and the Controller. Further, a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information, and using the cached information to establish a secure layer-2 link with a new parent mesh AP without having to undergo a 4-way authentication. Further, while the mesh AP is a child mesh AP to the first parent mesh AP, has a secure layer-2 link to the first parent mesh AP, and has a secure tunnel to the Controller, caching session information on the secure tunnel, and using the cached information to re establish the secure tunnel with the Controller, the secure tunnel now via the new mesh AP.

35 Citations

View as Search Results

33 Claims

1. An authentication method in a first mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- the first mesh AP sending an association request to a Controller via a parent mesh AP that has a secure tunnel with the Controller as a result of the first mesh AP receiving a mesh beacon frame to advertise the parent mesh AP'"'"'s abilities, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, a secure tunnel between a particular mesh AP and the Controller being established by an authentication between the particular mesh AP as supplicant and the Controller as authenticator;
  
  the first mesh AP receiving a response from the Controller via the parent mesh AP to indicate successful association with the parent mesh AP as a child mesh AP to the parent mesh AP, the association including forming a secure tunnel with the Controller for control frames between the first mesh AP and the Controller;
  
  the first mesh AP undergoing an authentication with the Controller as authenticator such that the first mesh AP and the Controller have a first key to use for secure communication;
  
  the first mesh AP thereafter undergoing a 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator using the first key, the handshake substantially conforming to a standard wireless network 4-way handshake, the 4-way handshake to secure a layer-2 link between the child mesh AP and the parent mesh AP; and
  
  after a layer-2 link between the child mesh AP and the parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller such that the Controller can control operation of the first mesh AP as a mesh point of the wireless mesh network, and such that data frames can be securely communicated via the first mesh AP.
- View Dependent Claims (2)
- - 2. A method as recited in claim 1, wherein the authentication is a certificate-based mutual authentication.

3. A fast roaming method in a first mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- while the first mesh AP is a child mesh AP to a first parent mesh AP, including having a secure layer-2 link to the first parent mesh AP, caching key context information and wireless mesh network identity information, the first mesh AP and the first parent mesh AP each having a secure tunnel with a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability and using control frames conforming to a protocol for controlling access point functionality, the caching in the Controller;
  
  using the cached information to derive a key from the cashed key context information to use to establish a secure layer-2 link with a second parent mesh AP without having to undergo a full authentication, the second parent mesh AP having a secure tunnel to the Controller,wherein the secure tunnel to the Controller to the child mesh AP was established by the first mesh AP becoming the child mesh AP of the first parent mesh AP, the establishing becoming the child mesh AP of the first parent mesh AP comprising;
  
  the first mesh AP sending an association request to a Controller via the first parent mesh AP that has a secure tunnel with the Controller as a result of the first mesh AP receiving a mesh beacon frame to advertise the first parent mesh AP'"'"'s abilities;
  
  the first mesh AP receiving a response from the Controller via the first parent mesh AP to indicate successful association with the first parent mesh AP as a child mesh AP to the first parent mesh AP, the association including forming a secure tunnel with the Controller for control frames between the first mesh AP and the Controller;
  
  the first mesh AP undergoing an authentication with the Controller as authenticator such that the first mesh AP and the Controller have a first key to use for secure communication;
  
  the first mesh AP thereafter undergoing a 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator, the handshake substantially conforming to a standard wireless network 4-way handshake, the 4-way handshake to secure a layer-2 link between the child mesh AP and the first parent mesh AP; and
  
  after a layer-2 link between the child mesh AP and the first parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the child mesh AP and the Controller such that the Controller can control operation of the first mesh AP as a mesh point of the wireless mesh network, and such that data frames can be securely communicated via the first mesh AP.
- View Dependent Claims (4)
- - 4. A method as recited in claim 3, further comprising:
    - while the first mesh AP is a child mesh AP to a first parent mesh AP, has a secure layer-2 link to the first parent mesh AP, and has a secure tunnel to the Controller, caching session information on the secure tunnel; and
      
      using the cached information to re-establish the secure tunnel with the Controller, the re-established secure tunnel being via the second parent mesh AP.

5. A fast roaming method in a first mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- while the first mesh AP is a child mesh AP to a first parent mesh AP, including having a secure layer-2 link to the first parent mesh AP and a secure tunnel to a Controller, caching session information on the secure tunnel, wherein the Controller is to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, a secure tunnel between a particular mesh AP and the Controller being established by an authentication between the particular mesh AP as supplicant and the Controller as authenticator; and
  
  using the cached information to re establish the secure tunnel with the Controller, the re-established secure tunnel being via a second mesh AP that has a secure tunnel to the Controller, wherein the secure tunnel to the Controller to the child mesh AP was established by the first mesh AP becoming the child mesh AP of the first parent mesh AP, the establishing becoming the child mesh AP of the first parent mesh AP comprising;
  
  the first mesh AP sending an association request to a Controller via the first parent mesh AP that has a secure tunnel with the Controller as a result of the first mesh AP receiving a mesh beacon frame to advertise the first parent mesh AP'"'"'s abilities;
  
  the first mesh AP receiving a response from the Controller via the first parent mesh AP to indicate successful association with the first parent mesh AP as a child mesh AP to the first parent mesh AP, the association including forming a secure tunnel with the Controller for control frames between the first mesh AP and the Controller;
  
  the first mesh AP undergoing an authentication with the Controller as authenticator such that the first mesh AP and the Controller have a first key to use for secure communication;
  
  the first mesh AP thereafter undergoing a 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator, the handshake substantially conforming to a standard wireless network 4-way handshake, the 4-way handshake to secure a layer-2 link between the child mesh AP and the first parent mesh AP; and
  
  after a layer-2 link between the child mesh AP and the first parent mesh AP is secured, undergoing a join exchange via the Controller to form a secure tunnel between the child mesh AP and the Controller such that the Controller can control operation of the first mesh AP as a mesh point of the wireless mesh network, and such that data frames can be securely communicated via the first mesh AP.

6. A method in a first mesh AP in a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- sending a mesh-specific association request frame to a second mesh AP of the wireless mesh network indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP, the second mesh AP having a secure tunnel to a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh APs and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh APs of the mesh network, each mesh AP of the wireless mesh network being a lightweight mesh AP having AP and mesh functionality centrally controlled by the Controller using control frames conforming to a protocol for controlling access point functionality, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, a secure tunnel between a particular mesh AP and the Controller being established by an authentication between the particular mesh AP as supplicant and the Controller as authenticator;
  
  receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP'"'"'s request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
  
  undergoing an authentication with the Controller being an authenticator including a first 4-way handshake with the Controller as authenticator, the authentication resulting in a first pairwise master key available at the first mesh AP and the authenticator;
  
  undergoing a second 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator, and using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP, wherein the second 4-way handshake substantially conforms to a standard wireless network 4-way handshake; and
  
  sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
  
  such that the use of an authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key,wherein the authenticator is the Controller.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 7. A method as recited in claim 6, wherein the first mesh AP has access point functionality, and wherein after the secure tunnel is established between the Controller and the first mesh AP, all wireless client data frames from the first mesh AP are passed through to the Controller.
  - 8. A method as recited in claim 7, wherein no wireless client data frames are passed through to the Controller until the secure tunnel is established between the Controller and the first mesh AP, and wherein control frames needed for the join exchange are passed through to the Controller before the secure tunnel is established between the Controller and the first mesh AP.
  - 9. A method as recited in claim 6, further comprising:
    - receiving a mesh beacon frame sent by the second mesh AP advertising the second mesh AP'"'"'s capabilities as a parent, the advertising frame including information related to how to associate with the mesh network, and information about the mesh network'"'"'s security profile; and
      
      ascertaining based on information related to the receiving of the mesh beacon frame, that the first mesh AP is to attempt joining the mesh network via the second mesh AP.
  - 10. A method as recited in claim 9, further comprising:
    - caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure link can be rapidly established between the first mesh AP and a third mesh AP that has a secure tunnel with the Controller,
11. A method as recited in claim 10, further comprising:
- after the secure tunnel is formed between the first mesh AP and the Controller, caching;
  
  the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, the roam key and the identity of the Controller, such that a secure tunnel with the Controller can be rapidly re-established via a third mesh AP that has a secure link with the Controller, the re-establishing not requiring a complete discover exchange between the first mesh AP and the Controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the first mesh AP and the Controller via the third mesh AP.
12. A method as recited in claim 11, wherein the third mesh AP sends mesh beacon frames that include an indication that the third mesh AP supports fast roaming of secure tunnels.
13. A method as recited in claim 9, wherein the mesh beacon frame includes quality of service (QoS) information.
14. A method as recited in claim 6, wherein the certificate-based authentication is an Extensible Authentication Protocol IEEE 802.1x authentication and the second 4-way handshake is an IEEE 802.11i 4-way handshake initiated by the first mesh AP.
15. A method as recited in claim 6, further comprising:
- using a key hierarchy that enables deriving pairwise transient keys from a master key determined during the authentication; and
  
  caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure layer-2 link can be rapidly established between the first mesh AP and a third mesh AP that has a secure link with the Controller including using the key hierarchy with cached information to derive a pairwise transient key to use for the link via the third mesh AP.
16. A method as recited in claim 6, further comprising:
- after the secure tunnel is formed between the first mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, a roam key, and the identity of the Controller such that a secure tunnel with the Controller can be rapidly re-established via a third mesh AP that has a secure link with the Controller, the re-establishing not requiring a complete discover exchange between the first mesh AP and the Controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the first mesh AP and the Controller via the third mesh AP.
17. A method as recited in claim 6, wherein the authentication is a certificate-based mutual authentication.

18. A method in a wireless mesh network, the wireless mesh network including mesh APs including a first mesh AP and a second mesh AP, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method being in the second mesh AP and comprising:
- receiving in the second mesh AP a mesh-specific association request frame from the first mesh AP, the second mesh AP having a secure tunnel to a Controller, the Controller to centrally control the mesh APs of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, a secure tunnel between a particular mesh AP and the Controller being established by an authentication between the particular mesh AP as supplicant and the Controller as authenticator;
  
  passing information about the association request and about the first mesh AP to the Controller so that the Controller can ascertain whether the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP;
  
  receiving a response frame from the Controller indicating that the Controller will accept the first mesh AP to the mesh network in the case that the Controller has ascertained to allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and sending a mesh-specific association response frame to the first mesh AP indicating that the Controller will accept the first mesh AP to the mesh network;
  
  passing through frames between the first mesh AP and the Controller acting as an authenticator, the frames related to the first mesh AP and the Controller carrying out an authentication including a first 4-way handshake between the first mesh AP and the Controller, the first 4-way handshake resulting in a first pairwise master key available at the first mesh AP and at the Controller acting as authenticator;
  
  passing through frames between the first mesh AP to the Controller related to the first mesh AP and the Controller carrying out a standard 4-way handshake initiated by the first mesh AP acting as supplicant, the second standard 4-way handshake using the first pairwise master key and resulting in a first pairwise transient key available at the first mesh AP and at the Controller, wherein the authentication and the second 4-way handshake substantially conform to standard network authentication and a standard wireless network 4-way handshake, respectively;
  
  obtaining or deriving the first pairwise transient key so that the first mesh AP and the second mesh AP know the first pairwise transient key;
  
  passing through frames between the first mesh AP and the Controller related to the first mesh AP and the Controller authenticator carrying out a join exchange, such that a secure tunnel is formed between the first mesh AP and the Controller; and
  
  after the secure tunnel is formed between the first mesh AP and the Controller via the second mesh AP, allowing wireless client data frames from the first mesh AP to pass to the Controller,such that the use of an authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.
- View Dependent Claims (19, 20)
- - 19. A method as recited in claim 18, wherein the authentication is an Extensible Authentication Protocol IEEE 802.1x authentication and the second 4-way handshake is an IEEE 802.11i 4-way handshake initiated by the first mesh AP.
  - 20. A method as recited in claim 18, wherein the authentication is a certificate-based mutual authentication.

21. A method in a first mesh AP of a wireless mesh network that includes a first parent mesh AP and a second parent mesh AP, the first mesh AP having previously been a child mesh AP of the first parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
- (a) when the first mesh AP was the child mesh AP of the first parent mesh AP, the first parent mesh AP then having a secure tunnel with a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, the secure tunnel having been established by an authentication between the first mesh AP as supplicant and the Controller as authenticator, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the first mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
  
  (b) receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP'"'"'s capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
  
  (c) ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the first mesh AP is to attempt securing a layer-2 link between the first mesh AP and the second parent mesh AP by fast roaming;
  
  (d) sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the first mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the first mesh AP is already in session with the Controller,such that that the second parent mesh AP can pass-through information to the Controller about the first mesh AP to validate the first mesh AP securing a layer-2 link between the first mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a transient pairwise key to be available at the Controller or the second parent mesh AP for use for the first mesh AP securely communicating with the second parent mesh AP;
  
  (e) receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the first mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
  
  (f) sending a mesh re-association request frame to the second parent mesh AP indicating that the first parent mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the first mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
  
  (g) receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the first mesh AP via the second parent mesh AP, an indication that the Controller will accept the first mesh AP to the mesh network, the response as a result of a validation process comprising;
  
  (i) the second parent mesh AP sending the information to the Controller about the first mesh AP;
  
  (ii) the Controller receiving the information about the first mesh AP and ascertaining whether the Controller will accept the first mesh AP as a child mesh AP of the second parent mesh AP;
  
  (iii) in the case that the Controller ascertains to accept the first mesh AP, the Controller sending an indication that the Controller will accept the first mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
  
  (iv) the second parent mesh AP receiving the re-association request frame; and
  
  (v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the first mesh AP;
  
  such that both the first mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the first mesh AP to the second parent mesh AP without requiring a full backend authentication.
- View Dependent Claims (22, 23)
- - 22. A method as recited in claim 21, whereinafter a secure tunnel is first formed between the child mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, and the identity of the Controller,the method further comprising:
    - after the child mesh AP and the second parent mesh AP have established a secure layer-2 link, re-establishing the secure tunnel to the Controller, the re-establishing using the cached session identifier, and not needing a complete discovery exchange with the Controller.
  - 23. A method as recited in claim 22, wherein the mesh beacon frames sent by the second parent mesh AP include an indication that the second parent mesh AP supports fast roaming of secure tunnels.

24. A method in a first mesh AP of a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when the first mesh AP has a secure tunnel to a Controller via a first parent mesh AP of the wireless mesh network that has a secure tunnel to the Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, wherein a particular mesh AP having a secure tunnel with the Controller is the result of the particular mesh AP as supplicant undergoing a backend authentication with the Controller as authenticator, the backend authentication including communicating with the Controller if a root mesh AP or via a parent mesh AP that has a secure tunnel with the Controller, and the particular mesh AP further undergoing a 4-way handshake with the Controller as authenticator;
  
  establishing a secure-layer-2 link to a second parent mesh AP of the wireless mesh network, the second mesh AP having a secure tunnel to the Controller, the establishing a secure-layer-2 link including communicating to the Controller via the second parent mesh AP'"'"'s secure tunnel; and
  
  having a re-join exchange with the Controller via the second mesh AP and using the cached session information and information cached at the Controller on the first session to re-establish a secure tunnel between the first mesh AP and the Controller, the re-establishing the secure tunnel being via the second parent mesh AP,such that the re-establishing does not require a complete discovery exchange with the Controller via the second parent mesh AP or a complete join exchange with the Controller via the second parent mesh AP.

25. A method in a Controller of a wireless mesh network that includes mesh APs, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when there is a secure tunnel from a first mesh AP to the Controller via a first parent mesh AP in the mesh network, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, wherein a secure tunnel between a particular mesh AP and the Controller via a particular parent mesh AP is first established by an exchange comprising;
  
  the Controller receiving an association request from the first mesh AP via the first parent mesh AP and responding to the first mesh AP via the first parent mesh AP to indicate successful association of the first mesh AP with the first parent mesh AP as a child mesh AP to the first parent mesh AP, the association including forming a secure tunnel for control frames between the first mesh AP and the Controller;
  
  the first mesh AP as supplicant undergoing an authentication with the Controller as authenticator such that the first mesh AP and the Controller have a first key to use for secure communication;
  
  the first mesh AP thereafter undergoing a 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator, the handshake substantially conforming to a standard wireless network 4-way handshake to secure a layer-2 link between the child mesh AP and the first parent mesh AP; and
  
  after a layer-2 link between the first mesh AP and the first parent mesh AP is secured, undergoing a join exchange to form a secure tunnel between the first mesh AP and the Controller such that the Controller can control operation of the first mesh AP as a mesh point of the wireless mesh network and a child mesh AP of the first parent mesh AP, and such that data frames can be securely communicated via the first mesh AP;
  
  receiving information from a second parent mesh AP that the first mesh AP has a secure secure-layer-2 link to the second parent mesh AP; and
  
  having a re-join exchange with the first mesh AP via the second mesh AP and using the cached session information and information cached at the first mesh AP on the first session to re-establish a secure tunnel between the Controller and the first mesh AP, the re-establish secure tunnel being via the second parent mesh AP,such that the re-establishing does not require a complete discovery exchange between the first mesh AP and the Controller or a complete join exchange between the first mesh AP and the Controller.

26. A computer-readable non-transitory storage medium having instructions stored therein that when executed by one or more processors of a processing system in a first mesh AP in a wireless mesh network, cause the first mesh AP to carry out a method, a mesh AP being a mesh point with or without access point capability, the method comprising:
- sending a mesh-specific association request frame to a second mesh AP of the wireless mesh network that has a secure tunnel to a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, the association request frame indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP;
  
  receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP'"'"'s request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
  
  undergoing a certificate-based backend authentication with the first mesh AP as supplicant and the Controller as authenticator including a first 4-way handshake with the authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and the authenticator;
  
  undergoing a second 4-way handshake initiated by the first mesh AP as supplicant and the Controller as authenticator, and using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP, wherein the second 4-way handshake substantially conforms to a standard wireless network 4-way handshake; and
  
  sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
  
  such that the use of a certificate based backend authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.

27. A computer-readable non-transitory storage medium having instructions stored therein that when executed by one or more processors of a processing system in a first mesh AP in a wireless mesh network that includes a first mesh AP and a second mesh AP, cause the first mesh AP to carry out a method, the first mesh AP having previously been a child mesh AP of the first parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
- (a) when the first mesh AP was the child mesh AP of the first parent mesh AP, the first parent mesh AP then having a secure tunnel with a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, the secure tunnel having been established by an authentication between the first mesh AP as supplicant and the Controller as authenticator, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the first mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
  
  (b) receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP'"'"'s capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
  
  (c) ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the first mesh AP is to attempt securing a layer-2 link between the first mesh AP and the second parent mesh AP by fast roaming;
  
  (d) sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the first mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the first mesh AP is already in session with the Controller,such that that the second parent mesh AP can pass-through information to the Controller about the first mesh AP to validate the first mesh AP securing a layer-2 link between the first mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a transient pairwise key to be available at the Controller or the second parent mesh AP for use for the first mesh AP securely communicating with the second parent mesh AP;
  
  (e) receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the first mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
  
  (f) sending a mesh re-association request frame to the second parent mesh AP indicating that the first parent mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the first mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
  
  (g) receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the first mesh AP via the second parent mesh AP, an indication that the Controller will accept the first mesh AP to the mesh network, the response as a result of a validation process comprising;
  
  (i) the second parent mesh AP sending the information to the Controller about the child AP;
  
  (ii) the Controller receiving the information about the first mesh AP and ascertaining whether the Controller will accept the first mesh AP as a child mesh AP of the second parent mesh AP;
  
  (iii) in the case that the Controller ascertains to accept the first mesh AP, the Controller sending an indication that the Controller will accept the first mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
  
  (iv) the second parent mesh AP receiving the re-association request frame; and
  
  (v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the first mesh AP;
  
  such that both the first mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the first mesh AP to the second parent mesh AP without requiring a full backend authentication.
- View Dependent Claims (28)
- - 28. A computer-readable storage medium as recited in claim 27, whereinafter a secure tunnel is first formed between the child mesh AP and the Controller, caching the session identifier for the secure tunnel with the Controller, the key for the secure tunnel, and the identity of the Controller,and wherein the method further comprises:
    - after the child mesh AP and the second parent mesh AP have established a secure layer-2 link, re-establishing the secure tunnel to the Controller, the re-establishing using the cached session identifier, and not needing a complete discovery exchange with the Controller.

29. A computer-readable non-transitory storage medium having instructions stored therein that when executed by one or more processors of a processing system in a Controller in a wireless mesh network, cause the Controller to carry out a method, the wireless mesh network including a first parent mesh AP and a second parent mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
- when a first mesh AP was the child of the first parent mesh AP, caching a roam key and an identifier therefor, including identification information on the mesh network, such that a secure link can be rapidly established between the first mesh AP and any mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, the first parent mesh AP having had a secure tunnel with the Controller when the first mesh AP was the child mesh AP of the first parent mesh AP, wherein a particular mesh AP having a secure tunnel with the Controller is the result of the particular mesh AP as supplicant undergoing a backend authentication with the Controller as authenticator, the backend authentication including communicating with the Controller if a root mesh AP or via a parent mesh AP that has a secure tunnel with the Controller, and the particular mesh AP further undergoing a 4-way handshake with the Controller as authenticator;
  
  receiving information from the second mesh AP about the first mesh AP to validate the first mesh AP joining the mesh network via the second parent mesh AP, including information on the roam key, parent information for encryption, child information for encryption, and any other information needed for the Controller to generate a pairwise transient key for the first mesh AP to communicate with the second parent mesh AP, the receiving information as a result of;
  
  the first mesh AP sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information for encryption and for forming a pairwise transient key for the first mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the first mesh AP is already in session with the Controller; and
  
  the second mesh AP'"'"'s sending as a pass-through information to the Controller about the child AP to validate the first mesh AP joining the mesh network via the second parent mesh AP;
  
  ascertaining whether to accept the first mesh AP as a child of the second mesh AP;
  
  in the case that the ascertaining ascertains to accept the first mesh AP;
  
  determining the pairwise transient key;
  
  sending the pairwise transient key to the second mesh AP with an indication that the Controller will accept the first mesh AP to the mesh network; and
  
  sending a response frame to the second parent mesh AP to pass through to the first mesh AP with an indication that the Controller will accept the first mesh AP to the mesh network;
  
  such that both the first mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the first mesh AP to the second parent mesh AP without requiring either a full backend authentication or a 4-way handshake.

30. A computer-readable non-transitory storage medium having instructions stored therein that when executed by one or more processors of a processing system in a child mesh AP of a wireless mesh network comprising mesh APs, cause the child mesh AP to execute a method, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when the child mesh AP has a secure tunnel to a Controller via a first parent mesh AP of the wireless network that has a secure tunnel to the Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, wherein a particular mesh AP having a secure tunnel with the Controller is the result of the particular mesh AP as supplicant undergoing a backend authentication with the Controller as authenticator, the backend authentication including communicating with the Controller if a root mesh AP or via a parent mesh AP that has a secure tunnel with the Controller, and the particular mesh AP further undergoing a 4-way handshake with the Controller as authenticator;
  
  establishing a secure-layer-2 link to a second parent mesh AP of the wireless mesh network, the second mesh AP having a secure tunnel to the Controller, the establishing a secure-layer-2 link including communicating to the Controller via the second parent mesh AP'"'"'s secure tunnel; and
  
  having a re-join exchange with the Controller via the second mesh AP and using the cached session information and information cached at the Controller on the first session to re-establish a secure tunnel between the mesh AP and the Controller, the re-establishing the secure tunnel being via the second parent mesh AP,such that the re-establishing does not require a complete discovery exchange with the Controller via the second parent mesh AP or a complete join exchange with the Controller via the second parent mesh AP.

31. A computer-readable non-transitory storage medium having instructions stored therein that when executed by one or more processors of a processing system in a Controller of a wireless mesh network, cause the Controller to execute a method, the wireless mesh network including a first mesh AP and a second mesh AP, a mesh AP being a mesh point with or without access point capability, the method comprising:
- caching session information about a first session when there is a secure tunnel from a first mesh AP to the Controller via the first parent mesh AP that has a secure tunnel to the Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, wherein a particular mesh AP having a secure tunnel with the Controller is the result of the particular mesh AP as supplicant undergoing a backend authentication with the Controller as authenticator, the backend authentication including communicating with the Controller if a root mesh AP or via a parent mesh AP that has a secure tunnel with the Controller, and the particular mesh AP further undergoing a 4-way handshake with the Controller as authenticator;
  
  receiving information from a second parent mesh AP that has a secure tunnel to the Controller, that information including that the first mesh AP has a secure secure layer-2 link to the second parent mesh AP; and
  
  having a re-join exchange with the first mesh AP via the second mesh AP and using the cached session information and information cached at the first mesh AP on the first session to re-establish a secure tunnel between the Controller and the first mesh AP, the re-establishing the secure tunnel being via the second parent mesh AP,such that the re-establishing does not require a complete discovery exchange between the first mesh AP and the Controller or a complete join exchange between the first mesh AP and the Controller.

32. An apparatus in a first mesh AP in a wireless mesh network, a mesh AP being a mesh point with or without access point capability, the apparatus comprising:
- means for sending a mesh-specific association request frame to a second mesh AP indicating that the first mesh AP would like to join the mesh network with the second mesh AP as its parent mesh AP, the second mesh AP having a secure tunnel to a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability and using control frames conforming to a protocol for controlling access point functionality, each mesh AP of the wireless mesh network being a lightweight mesh AP having AP and mesh functionality centrally controlled by the Controller using control frames conforming to a protocol for controlling access point functionality, one of the mesh APs of the wireless mesh network being a root AP in the wireless mesh network, a secure tunnel between a particular mesh AP and the Controller being established by an authentication between the particular mesh AP as supplicant and the Controller as authenticator;
  
  means for receiving a mesh-specific association response frame from the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, the response as a result of the second mesh AP receiving the association request frame and acting as a pass-through to send information to the Controller about the first mesh AP'"'"'s request to secure the layer-2 link between the first mesh AP and the second mesh AP, the Controller receiving the information about the first mesh AP and ascertaining that the Controller will allow the first mesh AP to secure a layer-2 link with the second mesh AP as its parent mesh AP, and the Controller sending a response frame to the second mesh AP indicating that the Controller will accept the first mesh AP to the mesh network, and as a result of the second mesh AP sending the mesh-specific association response frame to the first mesh AP;
  
  means for undergoing an authentication process including a certificate-based backend authentication with the Controller being an authenticator including a first 4-way handshake with the Controller as authenticator, the certificate-based backend authentication resulting in a first pairwise master key available at the first mesh AP and the Controller, the substantially conforming authentication process further including a second 4-way handshake initiated by the first mesh AP with the Controller as supplicant and the Controller as authenticator, using the first pairwise master key to determine a first pairwise transient key to use between the first mesh AP and the second mesh AP; and
  
  means for sending a join request and carrying out a join exchange with the Controller by securely communicating to the Controller via the second mesh AP, such that a secure tunnel is formed between the first mesh AP and the Controller;
  
  such that the use of a certificate-based backend authentication provides a secure mechanism for establishing a fresh key for every session compared to using a pre-shared master key or a bridge master key.

33. An apparatus in a first mesh AP of a wireless mesh network that includes a first parent mesh AP and a second parent mesh AP, the first mesh AP having previously been a child mesh AP of the first parent mesh AP, the apparatus comprising:
- (a) means for caching a roam key and an identifier therefor, the caching being when the first mesh AP was the child mesh AP of the first parent mesh AP, the first parent mesh AP then having a secure tunnel with a Controller, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality, the secure tunnel having been established by an authentication between the first mesh AP as supplicant and the Controller as authenticator, caching including caching identification information on the mesh network, such that a secure link can be rapidly established between the first mesh AP and another mesh AP that can be a parent mesh AP and that has a secure tunnel with the Controller, the Controller also caching the roam key;
  
  (b) means for receiving a mesh beacon frame sent by the second parent mesh AP to advertise the second parent mesh AP'"'"'s capabilities as a parent mesh AP, including an indication that the second parent mesh AP supports fast roaming, the indication sufficient to ascertain that fast roaming is possible to the second parent mesh AP;
  
  (c) means for ascertaining based on information related to the receiving of the mesh beacon frame, and the contents of the beacon frame, that the first mesh AP is to attempt securing a layer-2 link between the first mesh AP and the second parent mesh AP by fast roaming;
  
  (d) means for sending a re-authentication request frame to the second parent mesh AP, the re-authentication request frame including child information useful for forming a pairwise transient key to use for the first mesh AP to communicate with the second parent mesh AP, the re-authentication request frame further including information on the roam key to indicate to the second parent mesh AP that the first mesh AP is already in session with the Controller,such that that the second parent mesh AP can pass-through information to the Controller about the first mesh AP to validate the first mesh AP securing a layer-2 link between the first mesh AP and the second parent mesh AP to re-join the mesh network, including information on the roam key, such that there is sufficient information for a transient pairwise key to be available at the Controller or the second parent mesh AP for use for the first mesh AP securely communicating with the second parent mesh AP;
  
  (e) means for receiving a re-authentication response frame from the second parent mesh AP, the re-authentication response frame including parent information for encryption, such that the first mesh AP can generate the pairwise transient key for communicating with the second parent mesh AP, the receiving of the re-authentication response frame as a result of the second parent mesh AP receiving the re-authentication request frame and sending the re-authentication response frame;
  
  (f) means for sending a mesh re-association request frame to the second parent mesh AP indicating that the first parent mesh AP would like to establish a secure layer-2 link with the second parent mesh AP to join the mesh network, the re-association request frame including identification information on the mesh network the first mesh AP was associated with, and a message integrity check to provide proof of identity to a receiving parent mesh AP; and
  
  (g) means for receiving a re-association response frame from the second parent mesh AP indicating, in the case that the Controller has validated accepting the first mesh AP via the second parent mesh AP, an indication that the Controller will accept the first mesh AP to the mesh network, the response as a result of a validation process comprising;
  
  (i) the second parent mesh AP sending the information to the Controller about the child AP;
  
  (ii) the Controller receiving the information about the first mesh AP and ascertaining whether the Controller will accept the first mesh AP as a child mesh AP of the second parent mesh AP;
  
  (iii) in the case that the Controller ascertains to accept the first mesh AP, the Controller sending an indication that the Controller will accept the first mesh AP to the mesh network and either the Controller determining the pairwise transient key and sending the pairwise transient key to the second parent mesh AP, or the second parent mesh AP having the pairwise transient key;
  
  (iv) the second parent mesh AP receiving the re-association request frame; and
  
  (v) the second parent mesh AP confirming the re-association request frame, and after affirmative confirmation and after receiving or having the pairwise transient key, sending the re-association response frame to the first mesh AP;
  
  such that both the first mesh AP and the second parent mesh AP have a pairwise transient key for a secure layer-2 link established from the first mesh AP to the second parent mesh AP without requiring a full backend authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rahman, Shahriar I., Cam-Winget, Nancy
Primary Examiner(s)
Afshar; Kamran
Assistant Examiner(s)
Iqbal; Khawar

Application Number

US11/456,045
Publication Number

US 20070206537A1
Time in Patent Office

1,902 Days
Field of Search

370/331, 370/338, 370/252, 713/168, 713/169, 713/171, 455/41.1, 455/411, 455/435.1
US Class Current

370/338
CPC Class Codes

H04L 63/064   Hierarchical key distributi...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04N 21/4126   The peripheral being portab...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 76/10   Connection setup

H04W 84/18   Self-organising networks, e...

H04W 88/08   Access point devices

System and method for securing mesh access points in a wireless mesh network, including rapid roaming

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing mesh access points in a wireless mesh network, including rapid roaming

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links