SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING

US 20110264915A1
Filed: 07/05/2011
Published: 10/27/2011
Est. Priority Date: 03/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method in a first mesh access point (AP) comprising:

securing a layer-2 link between the first mesh AP and a second mesh AP, the second mesh AP part of a mesh network and that has a secure tunnel to a controller, wherein the controller controls the mesh network, including controlling functions other than authentication, authorization and accounting performed by a RADIUS server, the functions including access point capability of mesh points in the mesh network; and

undergoing a join exchange with the controller to establish a secure tunnel with the controller and to join the mesh network,wherein the securing the layer-2 link includes;

carrying out an association exchange with the controller via the second mesh AP;

undergoing a backend authentication with the controller as authenticator resulting in a pairwise master key available at the first mesh AP and the authenticator, such that a secure tunnel is established between the first mesh AP and the controller; and

undergoing a 4-way handshake with the first mesh AP as supplicant and the controller as authenticator using the pairwise master key to determine a pairwise transient key to use between the first mesh AP and the second mesh AP.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication in a mesh network controlled by a central controller, including using standard IEEE 802.11i mechanisms between a potential child mesh access point (AP) as supplicant and the controller as authenticator. Each mesh AP in the mesh network has a secure tunnel to a controller using a protocol for controlling the mesh AP, including AP capabilities, and a fast roaming method for re-establishing a secure layer-2 link with a new parent mesh AP including, while the mesh AP is a child mesh AP to the first parent mesh AP and has a secure layer-2 link to the first parent mesh AP, caching key information and wireless mesh network identity information in the controller.

56 Citations

View as Search Results

26 Claims

1. A method in a first mesh access point (AP) comprising:
- securing a layer-2 link between the first mesh AP and a second mesh AP, the second mesh AP part of a mesh network and that has a secure tunnel to a controller, wherein the controller controls the mesh network, including controlling functions other than authentication, authorization and accounting performed by a RADIUS server, the functions including access point capability of mesh points in the mesh network; and
  
  undergoing a join exchange with the controller to establish a secure tunnel with the controller and to join the mesh network,wherein the securing the layer-2 link includes;
  
  carrying out an association exchange with the controller via the second mesh AP;
  
  undergoing a backend authentication with the controller as authenticator resulting in a pairwise master key available at the first mesh AP and the authenticator, such that a secure tunnel is established between the first mesh AP and the controller; and
  
  undergoing a 4-way handshake with the first mesh AP as supplicant and the controller as authenticator using the pairwise master key to determine a pairwise transient key to use between the first mesh AP and the second mesh AP.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein the first mesh AP has access point functionality and can have associated wireless clients, wherein no wireless client data frames of any wireless clients of the first mesh AP are passed through to the controller until the secure tunnel is established between the controller and the first mesh AP, the method further comprising, after the secure tunnel is established between the controller and the first mesh AP, passing all wireless client data frames from the first mesh AP to the controller.
  - 3. A method as recited in claim 1, wherein the securing a layer-2 link between the first mesh AP and a second mesh AP is a result of the first mesh AP'"'"'s receiving a mesh beacon frame sent by the second mesh AP advertising the second mesh AP'"'"'s capabilities as a parent, and ascertaining based on information related to the receiving of the mesh beacon frame, that the first mesh AP is to attempt joining the mesh network via the second mesh AP.
  - 4. A method as recited in claim 3, further comprising:
    - caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure link can be rapidly established between the first mesh AP and a third mesh AP that has a secure tunnel with the controller and that sends mesh beacon frames that include an indication that the third mesh AP supports fast roaming of links between a child mesh AP and the third mesh AP as a parent mesh AP, the psidly establishing including using a key hierarchy to determine a new pairwise transient key for use between the first mesh AP and the third mesh AP without the first mesh AP having to undergo a backend authentication with the controller.
  - 5. A method as recited in claim 4, further comprising:
    - after the secure tunnel is formed between the first mesh AP and the controller, caching;
      
      the session identifier for the secure tunnel with the controller, the key for the secure tunnel, the roam key and the identity of the controller, such that a secure tunnel with the controller can be rapidly re-established via a third mesh AP that has a secure tunnel with the controller, the re-establishing not requiring a complete discover exchange between the first mesh AP and the controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the first mesh AP and the controller via the third mesh AP.
  - 6. A method as recited in claim 1, wherein the backend authentication authentication is an Extensible Authentication Protocol IEEE 802.1x authentication and the second 4-way handshake is an IEEE 802.11i 4-way handshake initiated by the first mesh AP.
  - 7. A method as recited in claim 1, further comprising:
    - using a key hierarchy that enables deriving other pairwise transient keys from the master key determined during the backend authentication; and
      
      caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure layer-2 link can be rapidly established between the first mesh AP and a third mesh AP that has a secure tunnel with the controller, including using the key hierarchy with cached information to derive a pairwise transient key to use for the link via the third mesh AP.
  - 8. A method as recited in claim 1, further comprising:
    - after the secure tunnel is formed between the first mesh AP and the controller, caching the session identifier for the secure tunnel with the controller, the key for the secure tunnel, a roam key, and the identity of the controller such that a secure tunnel with the controller can be rapidly re-established via a third mesh AP that has a secure tunnel with the controller, the re-establishing not requiring a complete discover exchange between the first mesh AP and the controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the first mesh AP and the controller via the third mesh AP

9. A method in a controller comprising:
- controlling a mesh network comprising a root mesh access point (AP) and one or more other mesh APs, including controlling functions other than authentication,authorization and accounting performed by a RADIUS server, the functions including AP capability of the APs in the mesh network;
  
  maintaining a secure tunnel with a first mesh AP;
  
  carrying out an association exchange with the s second mesh AP via the first mesh AP;
  
  undergoing a backend authentication as authenticator, with the second mesh AP as supplicant, the authentication resulting in a pairwise master key available at the second mesh AP and the controller;
  
  undergoing a 4-way handshake as authenticator with the second mesh AP as supplicant using the pairwise master key to determine a pairwise transient key to use between the second mesh AP and the first mesh AP, such that a secure a layer-2 link between the second mesh AP and a first mesh AP is established for the first mesh AP to be a parent mesh AP to the second mesh AP in the mesh network;
  
  undergoing a join exchange with the second mesh AP to establish a secure tunnel between the second mesh AP and the controller such that the second mesh AP joins the mesh network.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. A method as recited in claim 9, wherein the second mesh AP has access point functionality and can have associated wireless clients, wherein no wireless client data frames of any wireless clients of the second mesh AP are passed through to the controller until the secure tunnel is established between the controller and the second mesh AP, and wherein all wireless client data frames from the second mesh AP is passed to the controller after the secure tunnel is established between the controller and the second mesh AP.
  - 11. A method as recited in claim 9, further comprising:
    - caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure link can be rapidly established between the second mesh AP and a third mesh AP that has a secure tunnel with the controller and that sends mesh beacon frames that include an indication that the third mesh AP supports fast roaming of links between a child mesh AP and the third mesh AP as a parent mesh AP, the rapidly establishing including using a key hierarchy to determine a new pairwise transient key for use between the second mesh AP and the third mesh AP without the second mesh AP having to undergo a backend authentication with the controller.
  - 12. A method as recited in claim 11, further comprising:
    - after the secure tunnel is formed between the second mesh AP and the controller, caching;
      
      the session identifier for the secure tunnel with the controller, the key for the secure tunnel, the roam key and the identity of the controller, such that a secure tunnel with the controller can be rapidly re-established via a third mesh AP that has a secure tunnel with the controller, the re-establishing not requiring a complete discover exchange between the second mesh AP and the controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the second mesh AP and the controller via the third mesh AP.
  - 13. A method as recited in claim 9, wherein the backend authentication authentication is an Extensible Authentication Protocol IEEE 802.1x authentication and the first 4-way handshake is an IEEE 802.11i 4-way handshake initiated by the second mesh AP.
  - 14. A method as recited in claim 9, further comprising:
    - using a key hierarchy that enables deriving other pairwise transient keys from the master key determined during the backend authentication; and
      
      caching a roam key and an identifier therefor, including mesh domain identification information, such that a secure layer-2 link can be rapidly established between the second mesh AP and a third mesh AP that has a secure tunnel with the controller, including using the key hierarchy with cached information to derive a pairwise transient key to use for the link via the third mesh AP.
  - 15. A method as recited in claim 9, further comprising:
    - after the secure tunnel is formed between the second mesh AP and the controller, caching the session identifier for the secure tunnel with the controller, the key for the secure tunnel, a roam key, and the identity of the controller such that a secure tunnel with the controller can be rapidly re-established via a third mesh AP that has a secure tunnel with the controller, the re-establishing not requiring a complete discover exchange between the second mesh AP and the controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the second mesh AP and the controller via the third mesh AP

16. A controller comprising:
- one or more processors, anda storage subsystem,wherein the storage subsystem is configured with instructions that when executed, cause;
  
  controlling a mesh network comprising a root mesh access point (AP) and one or more other mesh APs, including controlling functions other than authentication, authorization and accounting performed by a RADIUS server, the functions including AP capability of the APs in the mesh network;
  
  maintaining a secure tunnel with a first mesh AP;
  
  carrying out an association exchange with the s second mesh AP via the first mesh AP;
  
  undergoing a backend authentication with the controller as authenticator, with the second mesh AP as supplicant, the authentication resulting in a pairwise master key available at the second mesh AP and the controller;
  
  storing the pairwise master key in the storage subsystem;
  
  the controller undergoing a 4-way handshake as authenticator with the second mesh AP as supplicant using the pairwise master key to determine a pairwise transient key to use between the second mesh AP and the first mesh AP, such that a secure a layer-2 link between the second mesh AP and a first mesh AP is established for the first mesh AP to be a parent mesh AP to the second mesh AP in the mesh network;
  
  undergoing a join exchange with the second mesh AP to establish a secure tunnel between the second mesh AP and the controller such that the second mesh AP joins the mesh network.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A controller as recited in claim 16, wherein the second mesh AP has access point functionality and can have associated wireless clients, wherein no wireless client data frames of any wireless clients of the second mesh AP are passed through to the controller until the secure tunnel is established between the controller and the second mesh AP, and wherein all wireless client data frames from the second mesh AP is passed to the controller after the secure tunnel is established between the controller and the second mesh AP.
  - 18. A controller as recited in claim 16, wherein the instructions when executed are further configured to cause:
    - storing in the storage subsystem a roam key and an identifier therefor, including mesh domain identification information, such that a secure link can be rapidly established between the second mesh AP and a third mesh AP that has a secure tunnel with the controller and that sends mesh beacon frames that include an indication that the third mesh AP supports fast roaming of links between a child mesh AP and the third mesh AP as a parent mesh AP, the rapidly establishing including using a key hierarchy to determine a new pairwise transient key for use between the second mesh AP and the third mesh AP without the second mesh AP having to undergo a backend authentication with the controller.
  - 19. A controller as recited in claim 18, further comprising:
    - storing in the storage subsystem and after the secure tunnel is formed between the second mesh AP and the controller, the session identifier for the secure tunnel with the controller, the key for the secure tunnel, the roam key and the identity of the controller, such that a secure tunnel with the controller can be rapidly re-established via a third mesh AP that has a secure tunnel with the controller, the re-establishing not requiring a complete discover exchange between the second mesh AP and the controller via the third mesh AP, the re-establishing further not requiring a complete join exchange between the second mesh AP and the controller via the third mesh AP.
  - 20. A controller as recited in claim 16, further comprising:
    - using a key hierarchy that enables deriving other pairwise transient keys from the master key determined during the backend authentication; and
      
      storing in the storage subsystem a roam key and an identifier therefor, including mesh domain identification information, such that a secure layer-2 link can be rapidly established between the second mesh AP and a third mesh AP that has a secure tunnel with the controller, including using the key hierarchy with cached information to derive a pairwise transient key to use for the link via the third mesh AP.

21. A method in a first mesh point, including:
- the first mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to a Controller acting as an authenticator, the Controller to centrally control the mesh points of the wireless mesh network, including acting as authenticator for authentication of mesh points and including controlling control functions other than authentication, authorization and accounting performed by a RADIUS server, said control functions including controlling access point capability of mesh points of the mesh network, the controlling using control frames conforming to a protocol for controlling access point functionality;
  
  the first mesh point undergoing a certificate-based backend mutual authentication with the Controller as authenticator via the first parent mesh point of the mesh network, the certificate-based backend authentication resulting in a first pairwise master key;
  
  using a hierarchy of derived keys to define how to determine derived master key keys based on the first pairwise master key that is the result of the certificate-based backend authentication; and
  
  undergoing a 4-way handshake initiated by the first mesh point as supplicant and the Controller as authenticator using a master key derived from the certificate-based backend authentication using the hierarchy, the 4-way handshake to determine a transient key for the first mesh point to securely communicate with the first parent mesh point in the mesh network;
  
  such that a new link between the first mesh point and a new different parent mesh point is securable by a new transient key determined according to the key hierarchy without the first mesh point needing to re-undergo a certificate-based backend authentication.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. A method as recited in claim 21, further comprising:
    - the first mesh point rejoining the mesh network via a second parent mesh point, including associating with the second parent mesh point and securing the link between the first mesh point and the second parent mesh point using a new transient key determined according to the key hierarchy without the first mesh point re-undergoing a certificate-based backend authentication.
  - 23. A method as recited in claim 22, wherein the first mesh point includes access point functionality controlled by the Controller using a protocol, and wherein the first parent mesh point and the second parent mesh point each has a secure tunnel to the controller using the protocol, the method further comprising:
    - once the link between the first mesh point and the first parent mesh point is secured, the first mesh point joining the Controller by forming a secure tunnel to the Controller via the first parent mesh point such that the first mesh point can function as an access point; and
      
      once the link between the first mesh point and second parent mesh point is secured, the first mesh point re-joining the Controller by re-forming the secure tunnel to the Controller via the second parent mesh point such that the first mesh point can function as an access point.
  - 24. A method as recited in claim 21, wherein the certificate-based backend authentication is an IEEE 802.1x Extensible Authentication Protocol authentication.
  - 25. A method as recited in claim 24, wherein the wireless mesh network is a mesh network substantially conforming to the IEEE 802.11 standard., and wherein the 4-way handshake is substantially an IEEE 801.11i 4-way handshake, with the first mesh point initiating the 4-way handshake as supplicant.
  - 26. A method as recited in claim 21, wherein the first mesh point includes access point functionality controlled by the Controller using a protocol, and wherein the first parent mesh point has a secure tunnel to the Controller using the protocol, the method further comprising:
    - once the link between the first mesh point and the first parent mesh point is secured, the first mesh point joining the Controller by forming a secure tunnel to the Controller via the first parent mesh point such that the first mesh point can function as an access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nancy Cam-Winget, Shahriar I. Rahman
Original Assignee
Nancy Cam-Winget, Shahriar I. Rahman
Inventors
Cam-Winget, Nancy, Rahman, Shahriar I.

Granted Patent

US 8,270,382 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/064   Hierarchical key distributi...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04N 21/4126   The peripheral being portab...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 76/10   Connection setup

H04W 84/18   Self-organising networks, e...

H04W 88/08   Access point devices

SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SECURING MESH ACCESS POINTS IN A WIRELESS MESH NETWORK, INCLUDING RAPID ROAMING

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links