Securing multiple links and paths in a wireless mesh network including rapid roaming

US 8,037,305 B2
Filed: 06/29/2007
Issued: 10/11/2011
Est. Priority Date: 03/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method in a mesh point, the method comprising:

the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point to the first parent mesh point, the first parent mesh point having a secure tunnel to a controller acting as an authenticator or agent therefor, the first parent mesh point being a member of a mesh domain of the mesh network, the controller to centrally control a plurality of mesh points of the mesh domain, including controlling authentication of the plurality of mesh points and including controlling access point capability of the plurality of-mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between the first parent mesh point and the controller being established by an authentication between the first parent mesh point as supplicant and the controller as authenticator or agent therefor, such that in the case the first parent mesh point has access point capability, the access point capability is controlled by the controller, the associating comprising receiving a response from the controller via the first parent mesh point as a result of the first parent mesh point sending an association request to the controller;

the child mesh point as supplicant undergoing an authentication with the controller as authenticator or agent therefor via the first parent mesh point of the mesh domain, such that the child mesh point and the controller establish trust, the authentication resulting in a root pairwise master key of a multiple-identities-key hierarchy; and

undergoing a 4-way handshake with the controller via the first parent mesh point, the 4-way handshake initiated by the child mesh point as supplicant and the controller as authenticator or agent therefor using the multiple-identities-key hierarchy to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and logic encoded in tangible media and apparatus for securing links between a mesh point and one or more identities of one or more parent mesh points of a wireless mesh network in order to secure the links. A first association is carried out to one of the identities of one of the parent mesh points. The first mesh point undergoes a mutual authentication with an authenticator and announces the possibility of multiple links and/or multiple paths. The authentication generates a first master key from which the root master key of the key hierarchy is derived so that other master keys for different identities are derivable using a hierarchy. The mesh point undergoes a 4-way handshake to derive a first transient key. Other transient keys are obtained by a fast roaming method without having to re-undergo a backend authentication, the other transient keys being for other links and/or paths and derived using the hierarchy.

49 Citations

View as Search Results

45 Claims

1. A method in a mesh point, the method comprising:
- the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point to the first parent mesh point, the first parent mesh point having a secure tunnel to a controller acting as an authenticator or agent therefor, the first parent mesh point being a member of a mesh domain of the mesh network, the controller to centrally control a plurality of mesh points of the mesh domain, including controlling authentication of the plurality of mesh points and including controlling access point capability of the plurality of-mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between the first parent mesh point and the controller being established by an authentication between the first parent mesh point as supplicant and the controller as authenticator or agent therefor, such that in the case the first parent mesh point has access point capability, the access point capability is controlled by the controller, the associating comprising receiving a response from the controller via the first parent mesh point as a result of the first parent mesh point sending an association request to the controller;
  
  the child mesh point as supplicant undergoing an authentication with the controller as authenticator or agent therefor via the first parent mesh point of the mesh domain, such that the child mesh point and the controller establish trust, the authentication resulting in a root pairwise master key of a multiple-identities-key hierarchy; and
  
  undergoing a 4-way handshake with the controller via the first parent mesh point, the 4-way handshake initiated by the child mesh point as supplicant and the controller as authenticator or agent therefor using the multiple-identities-key hierarchy to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network.
- View Dependent Claims (2, 3, 4)
- - 2. A method as recited in claim 1, wherein the authentication is mutual authentication.
  - 3. A method as recited in claim 1, wherein the authentication is a certificate-based mutual authentication.
  - 4. A method as recited in claim 1, wherein the child mesh point includes access point functionality, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the controller by forming a secure tunnel to the controller via the first parent mesh point such that the child mesh point can function as an access point controlled by the controller using the protocol.

5. A method in a mesh point comprising:
- the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point having a secure tunnel to a first controller acting as an authenticator or agent therefor in a mesh domain of the network, the first controller to centrally control a first plurality of the mesh points of the mesh domain, including controlling authentication of the first plurality of the mesh points and including controlling access point capability of the first plurality of the mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between the first parent mesh point and the first controller being established by an authentication between the first parent mesh point as supplicant and the first controller as authenticator or agent therefor;
  
  the child mesh point as supplicant undergoing an authentication to the mesh domain with first controller as authenticator via the first parent mesh point of the mesh network, such that the child mesh point and the first controller establish trust, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant and the controller as authenticator or agent therefor to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network,such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. A method as recited in claim 5, wherein the authentication is mutual authentication.
  - 7. A method as recited in claim 5, wherein the authentication is a certificate-based mutual authentication.
  - 8. A method as recited in claim 5, wherein the authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 9. A method as recited in claim 5, wherein the child mesh point includes access point functionality, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure tunnel to the first controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 10. A method as recited in claim 5, further comprising the child mesh point rejoining the mesh network via a second parent mesh point of the mesh domain, the second parent mesh point having a secure tunnel to the first controller, the rejoining including associating with the second parent mesh point and securing the link between the child mesh point and the second parent mesh point using a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point re-undergoing an authentication, the associating comprising receiving a response from the first controller via the second parent mesh point as a result of the second parent mesh point sending an association request to the first controller.
  - 11. A method as recited in claim 5,wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network,wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
12. A method as recited in claim 5,wherein the child mesh point is a mesh point that is configured to have multiple identities,wherein the child mesh point associating with the first parent mesh point is for a first child mesh point identity of the child mesh point associating with a first identity of the first parent mesh point and is a result of the child mesh point receiving neighbor advertisements from the first parent mesh point and includes the child mesh point announcing its multiple identities by sending its multiple identities information element to announce that a multiple-identities-key hierarchy is to be used;
- wherein the child mesh point undergoing the authentication results in the first pairwise master key that is the root of the multiple-identities-key hierarchy; and
  
  wherein the first 4-way handshake is for the first parent mesh point and forms a transient key via the first parent mesh point between the first child mesh point identity and the first parent mesh point,such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
13. A method as recited in claim 5, further comprising:
- the child mesh point rejoining the mesh network via a second parent mesh point, including associating with the second parent mesh point and securing the link between the child mesh point and the second parent mesh point using a new pairwise transient key determined according to the key hierarchy without the child mesh point re-undergoing an authentication.
14. A method as recited in claim 13, wherein the child mesh point includes access point functionality controlled by a controller to which it has a secure tunnel, the controlling using a-the wireless access point control and provisioning protocol and wherein the second parent mesh point has a secure tunnel to a second controller in the same mesh domain using the wireless access point control and provisioning protocol, the method further comprising:
- once a link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure tunnel to the first controller via the first parent mesh point such that the child mesh point can function as an access point controlled by the first controller; and
  
  once the link between the child mesh point and second parent mesh point is secured, the child mesh point forming a secure tunnel to the second controller in the same mesh domain via the second parent mesh point such that the child mesh point can function as an access point controlled by the second controller.
15. A method as recited in claim 5, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard, and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the child mesh point initiating the 4-way handshake as supplicant.

16. A method in a child mesh point, the child mesh point having a plurality of identities, the method comprising:
- receiving a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain of mesh points and having a secure tunnel to a controller, the controller to centrally control a plurality of the mesh points of the mesh domain, including controlling authentication of the plurality of the mesh points by being an authenticator of the mesh domain or an agent for the authenticator, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, the controlling further including controlling access point capability of the plurality of the mesh points of the mesh domain, a secure tunnel between a particular mesh point and the controller being established by an authentication between the particular mesh point as supplicant and the controller as authenticator or agent therefor;
  
  sending an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
  
  receiving an authentication response from the first parent mesh point as a result of the first parent mesh point sending a request to the controller for the child mesh point, and receiving a response from the controller that the child mesh point may associate with the first parent mesh point;
  
  undergoing an authentication with the child mesh point as supplicant and the controller as authenticator or agent therefor, the authentication being via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network,such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A method as recited in claim 16, wherein the authentication is a certificate-based mutual authentication.
  - 18. A method as recited in claim 16, wherein the authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 19. A method as recited in claim 16,wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network,wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
    - wherein the child mesh point associating with the first parent mesh point is as a result of the child mesh point receiving neighbor advertisements from the first and second parent mesh points or mesh point identities and includes the child mesh point announcing its ability to have multiple parents in multiple paths, and sending a multiple identities information element received from the first and second parent mesh points or identities to announce that an multiple-identities-key hierarchy is to be used;
      
      wherein the child mesh point undergoing the authentication results in the first pairwise master key that is in the multiple-identities-key hierarchy; and
      
      wherein the first 4-way handshake is for the first parent mesh point or an identity thereof and forms a transient key via the first parent mesh point,such that an alternate path from the child mesh point via the second parent mesh point or identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
  - 20. A method as recited in claim 16, wherein the first mesh point includes access point functionality controlled by the controller using the protocol, the method further comprising:
    - once a link between the first mesh point and the first parent mesh point is secured, the first mesh point joining the controller by forming a secure tunnel to the controller via the first parent mesh point such that the first mesh point can function as an access point.
  - 21. A method as recited in claim 16, further comprising:
    - a different one of the child mesh point'"'"'s identities joining the mesh network, including associating with the first parent mesh point and securing the link between the different identity and the first parent mesh point using a new pairwise transient key determined according to the key hierarchy without the child mesh point re-undergoing an authentication.
  - 22. A method as recited in claim 16, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard, and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the child mesh point initiating the 4-way handshake as supplicant.

23. A method in a child mesh point comprising:
- receiving one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a particular mesh domain of mesh points, each parent mesh point having a secure tunnel to one of a set of one or more controllers each configured to centrally control a plurality of the mesh points of the particular mesh domain, including controlling authentication of the plurality of mesh points and including controlling access point capability of the plurality of mesh points of the particular mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and a particular controller being established by an authentication between the particular mesh point as supplicant and the particular controller as authenticator or agent therefor, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
  
  sending an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point having a secure tunnel to a first controller of the particular mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
  
  receiving a response to the association request as a result of the first parent mesh point sending a request to the first controller, and the first parent mesh point receiving a request response from the first controller;
  
  undergoing an authentication as supplicant with the first controller as authenticator or agent therefor via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network,such that a new path between a the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. A method as recited in claim 23, wherein the authentication is a certificate-based mutual authentication.
  - 25. A method as recited in claim 23, wherein the authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 26. A method as recited in claim 23, wherein the child mesh point includes access point functionality controlled by the first controller using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure tunnel to the controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 27. A method as recited in claim 23, further comprising the child mesh point rejoining the mesh network via a second parent mesh point or second mesh point identity of the particular mesh domain, including associating with the second parent mesh point or identity and securing the link between the child mesh point and the second parent mesh point or identity using a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point re-undergoing an authentication.
  - 28. A method as recited in claim 23, wherein the child mesh point includes access point functionality controlled by the first controller using the protocol, wherein the first parent mesh point has a secure tunnel to the first controller using the protocol, and wherein the second parent mesh point has a secure tunnel to a second controller in the particular mesh domain using the protocol,
- 29. A method as recited in claim 23, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard, and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the child mesh point initiating the 4-way handshake as supplicant.

30. A method in a child mesh point comprising:
- (a) the child mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point having a secure tunnel to a controller of a mesh domain of mesh points, the controller to centrally control a plurality of the mesh points of the mesh domain, including controlling authentication of the plurality of the mesh points and including controlling access point capability of the plurality of the mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and the controller being established by an authentication between the particular mesh point as supplicant and the controller as authenticator or agent therefor, the associating comprising receiving a response from the controller via the first parent mesh point as a result of the first parent mesh point sending an association request to the controller, wherein one or both of the child mesh point or the first parent mesh point has multiple identities, wherein the first parent mesh point is one of a set of one or more parent mesh points to which the first mesh point requests to form one or more paths,wherein one or more of the following is true;
  
  the first parent mesh point has one or multiple identities, the first parent mesh point allows association from a child on a path of a plurality of paths, and the child mesh point desires to authenticate multiple paths including a path to the first parent mesh point,the child mesh point has multiple identities, and the child mesh point desires to authenticate multiple links via its multiple identities, including associating one of its links with the first parent mesh point or with an identity of the first parent mesh point in the case the parent mesh point has multiple identities,wherein, in the case that the first parent mesh point has multiple identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included a multiple identities information element listing the multiple identities of the first parent mesh point,wherein, in the case that the first parent mesh point allows association from a child on a path of a plurality of paths and the child mesh point desires to associate with the first parent mesh point or with an identity of the first parent mesh point to form one of multiple paths to a respective plurality of parent mesh points or mesh point identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included an indication that the first parent mesh point accepts multiple path associations, and the associating including sending an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the plurality of parent mesh points or parent identities of the multiple paths;
  
  wherein in the case the child mesh point has multiple identities, the associating including sending an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the child mesh point, and(b) as a result of receiving a response to the association request, the response a result of the first parent mesh point sending a request to the controller and the first parent mesh point receiving from the controller a request response to the request, the child mesh point undergoing an authentication as supplicant with the controller as authenticator or agent therefor via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element or elements and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links that include any of the multiple identities;
  
  (c) using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  (d) undergoing a 4-way handshake initiated by the child mesh point as supplicant and the controller as authenticator or agent therefor to determine a transient key to secure communication between the child mesh point or an identity thereof in the case of a multiple identity child mesh point and the first parent mesh point in the mesh network,such that a new link between the child mesh point or a different identity of the child mesh point in the case of a multiple identities child mesh point, and the first parent mesh point, or a different parent mesh point of parent mesh point identity in the case of multiple path to multiple parent mesh points or identities is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (31)
- - 31. A method as recited in claim 30, wherein the authentication is a certificate-based mutual authentication.

32. A tangible computer-readable storage medium on which are encoded instructions that when executed by one or more processors of a processing system in a mesh point cause the mesh point to carry out a method comprising:
- the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point having a secure tunnel to a first controller acting as an authenticator or agent therefor, the first parent mesh point being in a mesh domain of mesh points of the wireless mesh network, the first controller to centrally control first plurality of the mesh points of the mesh domain, including controlling authentication of the first plurality of the mesh points and including controlling access point capability of the first plurality of the mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and the first controller being established by an authentication between the particular mesh point as supplicant and the first controller as authenticator or agent therefor, the associating comprising receiving a response from the first controller via the first parent mesh point as a result of the first parent mesh point sending an association request to the first controller;
  
  the child mesh point as supplicant undergoing an authentication to the mesh domain with the first controller as authenticator or agent therefor via the first parent mesh point of the mesh network, such that the child mesh point and the first controller establish trust, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
  
  undergoing a 4-way handshake with the first controller via the first parent mesh point, the 4-way handshake initiated by the child mesh point as supplicant and the first controller as authenticator or agent therefor to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network,such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (33, 34, 35, 36)
- - 33. A tangible computer-readable storage medium as recited in claim 32, wherein the authentication is a certificate-based mutual authentication.
  - 34. A tangible computer-readable storage medium as recited in claim 32, wherein the child mesh point includes access point functionality controlled by the first controller using the protocol, the method further comprising:
    - once the link between the child mesh point and the first parent mesh point is secured, the child mesh point joining the first controller by forming a secure tunnel to the first controller via the first parent mesh point such that the child mesh point can function as an access point controlled by the first controller using the wireless access point control and provisioning protocol.
  - 35. A tangible computer-readable storage medium as recited in claim 32,wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network, each parent mesh point having a secure tunnel to the first or another controller,wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
36. A tangible computer-readable storage medium as recited in claim 32,wherein the child mesh point is a mesh point that is configured to have multiple identities,wherein the child mesh point associating with the first parent mesh point is for a first child mesh point identity of the child mesh point associating with a first identity of the first parent mesh point and is a result of the child mesh point receiving neighbor advertisements from the first parent mesh point and includes the child mesh point announcing its multiple identities by sending its multiple identities information element to announce that a multiple-identities-key hierarchy is to be used;
- wherein the child mesh point undergoing the authentication results in the first pairwise master key that is the root of the multiple-identities-key hierarchy; and
  
  wherein the first 4-way handshake is for the first parent mesh point and forms a transient key via the first parent mesh point between the first child mesh point identity and the first parent mesh point,such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

37. A tangible computer-readable storage medium on which are encoded instructions that when executed by one or more processors of a processing system in a child mesh point, the child mesh point having a plurality of identities, cause the mesh point to carry out a method comprising:
- receiving a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain of mesh points and having a secure tunnel to a controller, the controller to centrally control a plurality of the mesh points of the mesh domain, including controlling authentication of the plurality of the mesh points by being an authenticator of the mesh domain or an agent for the authenticator, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, the controlling further including controlling access point capability of the plurality of the mesh points of the mesh domain, a secure tunnel between a particular mesh point and the controller being established by an authentication between the particular mesh point as supplicant and the controller as authenticator or agent therefor;
  
  sending an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
  
  receiving an authentication response from the first parent mesh point as a result of the first parent mesh point sending a request to the controller for the child mesh point, and receiving a response from the controller that the child mesh point may associate with the first parent mesh point;
  
  undergoing an authentication with the child mesh point as supplicant and the controller as authenticator or agent therefor, the authentication being via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network,such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

38. A tangible computer-readable storage medium on which are encoded instructions that when executed by one or more processors of a processing system in a mesh point cause the mesh point to carry out a method comprising:
- receiving one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a particular mesh domain of mesh points, each parent mesh node having a secure tunnel to one of a set of one or more controllers each configured to centrally control a respective plurality of the mesh points of the particular mesh domain, including controlling authentication of the mesh points and including controlling access point capability of the respective plurality of mesh points of the particular mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and a particular controller being established by an authentication between the particular mesh point as supplicant and the particular controller as authenticator or agent therefor, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
  
  sending an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point having a secure tunnel to a first controller of the particular mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
  
  receiving a response to the association request as a result of the first parent mesh node sending a request to the first controller, and the first parent mesh node receiving a request response from the first controller;
  
  undergoing an authentication as supplicant with the first controller as authenticator or agent therefor via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
  
  using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network,such that a new path between a the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

39. A tangible computer-readable storage medium on which are encoded instructions that when executed by one or more processors of a processing system in a child mesh point cause the mesh point to carry out a method comprising:
- (a) the child mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point having a secure tunnel to a first controller of a mesh domain of mesh points, the first controller to centrally control first plurality of the mesh points of the mesh domain, including controlling authentication of the first plurality of the mesh points and including controlling access point capability of the first plurality of the mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and the first controller being established by an authentication between the particular mesh point as supplicant and the first controller as authenticator or agent therefor, the associating comprising receiving a response from the first controller via the first parent mesh point as a result of the first parent mesh point sending an association request to the first controller, wherein one or both of the child mesh point or the first parent mesh point has multiple identities, wherein the first parent mesh point is one of a set of one or more parent mesh points to which the first mesh point requests to form one or more paths,wherein one or more of the following is true;
  
  the first parent mesh point has one or multiple identities, the first parent mesh point allows association from a child on a path of a plurality of paths, and the child mesh point desires to authenticate multiple paths including a path to the first parent mesh point,the child mesh point has multiple identities, and the child mesh point desires to authenticate multiple links via its multiple identities, including associating one of its links with the first parent mesh point or with an identity of the first parent mesh point in the case the parent mesh point has multiple identities,wherein, in the case that the first parent mesh point has multiple identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included a multiple identities information element listing the multiple identities of the first parent mesh point,wherein, in the case that the first parent mesh point allows association from a child on a path of a plurality of paths and the child mesh point desires to associate with the first parent mesh point or with an identity of the first parent mesh point to form one of multiple paths to a respective plurality of parent mesh points or mesh point identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included an indication that the first parent mesh point accepts multiple path associations, and the associating including sending an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the plurality of parent mesh points or parent identities of the multiple paths;
  
  wherein in the case the child mesh point has multiple identities, the associating including sending an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the child mesh point, and(b) as a result of receiving a response to the association request, the response a result of the first parent mesh point sending a request to the first controller and the first parent mesh point receiving from the controller a request response to the request, the child mesh point undergoing an authentication as supplicant with the first controller as authenticator or agent therefor via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element or elements and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links that include any of the multiple identities;
  
  (c) using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  (d) undergoing a 4-way handshake initiated by the child mesh point as supplicant and the first controller as authenticator or agent therefor to determine a transient key to secure communication between the child mesh point or an identity thereof in the case of a multiple identity child mesh point and the first parent mesh point in the mesh network,such that a new link between the child mesh point or a different identity of the child mesh point in the case of a multiple identities child mesh point, and the first parent mesh point, or a different parent mesh point of parent mesh point identity in the case of multiple path to multiple parent mesh points or identities is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

40. An apparatus in a mesh point comprising:
- one or more processors;
  
  one or more storage media coupled to the one or more processors and on which is encoded logic configured to cause, when executed by at least one of the processors, the mesh point to;
  
  associate with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point having a secure tunnel to a first controller acting as an authenticator or agent therefor, the first parent mesh point being in a mesh domain of mesh points of the wireless mesh network, the first controller to centrally control a first plurality of the mesh points of the mesh domain, including controlling authentication of the first plurality of the mesh points and including controlling access point capability of the first plurality of the mesh points of the mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and the first controller being established by an authentication between the particular mesh point as supplicant and the first controller as authenticator or agent therefor, the associating comprising receiving a response from the first controller via the first parent mesh point as a result of the first parent mesh point sending an association request to the first controller;
  
  undergo as supplicant an authentication to the mesh domain with the first controller as authenticator or agent therefor via the first parent mesh point of the mesh network, such that the child mesh point and the first controller establish trust, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
  
  undergo a 4-way handshake as supplicant with the first controller as authenticator or agent therefor via the first parent mesh point, the 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network,such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.
- View Dependent Claims (41, 42, 43)
- - 41. An apparatus as recited in claim 40, wherein the child mesh point includes access point functionality controlled by the first controller using the wireless access point control and provisioning protocol, the logic further configured when executed to cause the mesh point to join the first controller once the link between the child mesh point and the first parent mesh point is secured, the joining the controller including forming a secure tunnel to the controller via the first parent mesh point such that the child mesh point can function as an access point.
  - 42. An apparatus as recited in claim 40,wherein the child mesh point is a mesh point that is configured to be part of a multipath mesh network such that the child mesh point can have a plurality of alternate parent mesh points or mesh point identities in the multipath mesh network, each parent mesh point having a secure tunnel to the first or another controller,wherein the first parent mesh point and a second parent mesh point, or a first and a second identity of the first or second mesh point are each configured to be mesh points or mesh point identities that are part of multiple paths of a multipath mesh network, and configured to send neighbor advertisements that announce their multipath capabilities using a multiple identities information element;
43. An apparatus as recited in claim 40,wherein the child mesh point is a mesh point that is configured to have multiple identities,wherein the child mesh point associating with the first parent mesh point is for a first child mesh point identity of the child mesh point associating with a first identity of the first parent mesh point and is a result of the child mesh point receiving neighbor advertisements from the first parent mesh point and includes the child mesh point announcing its multiple identities by sending its multiple identities information element to announce that a multiple-identities-key hierarchy is to be used;
- wherein the child mesh point undergoing the authentication results in the first pairwise master key that is the root of the multiple-identities-key hierarchy; and
  
  wherein the first 4-way handshake is for the first parent mesh point and forms a transient key via the first parent mesh point between the first child mesh point identity and the first parent mesh point,such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

44. An apparatus in a child mesh point having a plurality of identities, the apparatus comprising:
- one or more processors;
  
  one or more storage media coupled to the one or more processors and on which is encoded logic configured to cause, when executed by at least one of the processors, the mesh point to;
  
  receive a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and having a secure tunnel to a controller, the controller to centrally control the mesh points of the mesh domain, including controlling authentication of the mesh points by being an authenticator of the mesh domain or an agent for the authenticator, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, the controlling further including controlling access point capability of the mesh points of the mesh domain, a secure tunnel between a particular mesh point and the controller being established by an authentication between the particular mesh point as supplicant and the controller as authenticator or agent therefor;
  
  send an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
  
  receive an authentication response from the first parent mesh point as a result of the first parent mesh point sending a request to the controller for the child mesh point, and receiving a response from the controller that the child mesh point may associate with the first parent mesh node;
  
  undergo an authentication as supplicant with the controller as authenticator or agent therefor, the authentication being via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
  
  use the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
  
  undergo a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network,such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

45. An apparatus in a mesh point comprising:
- one or more processors;
  
  one or more storage media coupled to the one or more processors and on which is encoded logic configured to cause, when executed by at least one of the processors, the mesh point to;
  
  receive one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a particular mesh domain of mesh points, each parent mesh node having a secure tunnel to one of a set of one or more controllers each configured to centrally control one or more of the mesh points of the particular mesh domain, including controlling authentication of the mesh points and including controlling access point capability of one or more mesh points of the particular mesh domain, the controlling using control frames conforming to a wireless access point control and provisioning protocol designed for controlling access point capability, a secure tunnel between a particular mesh point and a particular controller being established by an authentication between the particular mesh point as supplicant and the particular controller as authenticator or agent therefor, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
  
  send an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point having a secure tunnel to a first controller of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
  
  receive a response to the association request as a result of the first parent mesh node sending a request to the first controller, and the first parent mesh node receiving a request response from the first controller;
  
  undergo an authentication as supplicant with the first controller as authenticator or agent therefor via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
  
  use the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
  
  undergo a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between a the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dharanipragada, Kalyan R., Cam-Winget, Nancy, Rahman, Shahriar I.
Primary Examiner(s)
EL HADY, NABIL M

Application Number

US11/771,027
Publication Number

US 20070250713A1
Time in Patent Office

1,565 Days
Field of Search

726/4, 713/153, 713/168, 380/270
US Class Current

713/168
CPC Class Codes

H04L 63/064   Hierarchical key distributi...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04N 21/4126   The peripheral being portab...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 76/10   Connection setup

H04W 84/18   Self-organising networks, e...

H04W 88/08   Access point devices

Securing multiple links and paths in a wireless mesh network including rapid roaming

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Securing multiple links and paths in a wireless mesh network including rapid roaming

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links