WiFoo..The.Secrets.of.Wireless.Hacking [Electronic resources] (text version)


Andrew A. Vladimirov








Roaming


In the wired world, devices are placed at a given physical location and typically stay there until the network staff moves them. As networks grow and more devices are placed on the networks, features such as Dynamic Host Configuration Protocol (DHCP) addressing and user authentication are important to assist the network staff to meet the growing number of users.

Wireless adds yet another requirement into the mix. Because mobility is one of the main advantages to wireless networks, how you move, or roam, from one area to another and still maintain connection to the network is important (see Figure 9-1).


Figure 9-1. Roaming

During the development of its certification plan, the Wi-Fi Alliance determined that clients should be able to roam across different vendors' APs on the same network. However, the Wi-Fi Alliance did not test how well or how fast clients actually roam. The client must only associate to a new AP and be able to ping across the network after roaming.

The following sections discuss several roaming issues, along with the methods and concerns related to roaming in Layer 2 and Layer 3 networks. The supporting wired infrastructure devices must be able to support the necessary services if certain WLAN features are implemented.


Developing a Policy for Device Roaming


Many WLANs are limited in geographic area, such as a single building or facility, or even a single campus. With this type of design, it might be possible to maintain a single Layer 2 subnet for all wireless users and devices. This Layer 2 roaming makes implementation of wireless easier, simpler, and more efficient for roaming between APs. As wireless network usage grows and the number of users and geographic areas grow, however, it becomes necessary to place devices and users on different subnets. This in turn creates the need for Layer 3 roaming capabilities.

Figure 9-2 shows both types of roaming. Client 1 is performing a Layer 2 roam, moving between two APs, which are both located on subnet A. Client 2 is performing a Layer 3 roam, moving from an AP on subnet A to an AP on subnet B.


Figure 9-2. Layer 2 and Layer 3 Roaming


IT managers need to determine whether all devices affiliated with the network should be allowed to roam. An IT manager should consider the following questions when making this decision:

Are all devices capable of roaming?

Should devices be allowed to roam through all subnets, including networks that might carry sensitive traffic?

Can VLANs be used to provide necessary separation between users?

Are all the roaming devices capable of roaming quickly enough to support the applications of the WLAN users?


The answers to these questions vary according to the type of network:

If your network is a university campus, roaming might be a requirement for all students. However, you might need to impose certain restrictions to limit student roaming to selected "student" subnets or VLANs in dormitories, lunch areas, classrooms, and open spaces. This will facilitate the separation of sensitive university operations traffic from student traffic.

If your network is a large corporate campus, mobility might be available only in conference rooms or group work areas.

A police department might have an arrangement with local hospitals to allow radio clients in the police cruisers to access the hospital's network while parked near the emergency room entrance. The hospital provides the police department with access to a particular subnet or VLAN with only Internet access, segmenting this traffic from its main hospital network.


802.11f IAPP


Recently, the IEEE completed 802.11f, the Inter-Access Point Protocol (IAPP), which is a best-practices document. This document specifies the information to be exchanged between APs themselves and higher-layer management entities to support 802.11 networks and enable roaming interoperation in wireless networks containing APs from different vendors.

This recommended practice describes a set of functions and a protocol that allows APs to interoperate on a common network, using TCP/IP or UDP/IP to carry IAPP packets between APs, and describes the use of the Remote Authentication Dial-In User Service (RADIUS) protocol, whereby APs can obtain information about one another. A proactive caching mechanism is also described that provides faster roaming times by sending client information to neighboring APs. The devices that primarily would use the IAPP are 802.11 APs. However, other devices in a network that are affected by the operation of the IAPP are Layer 2 networking devices, such as bridges and switches.

As discussed in Chapter 5, "Selecting the WLAN Architecture and Hardware," you must consider roaming when deciding which product to choose. Products intended for the small office and home typically do not have an extensive roaming algorithm because these devices are typically used in a single-AP environment. The lack of a high-quality, fast-roaming algorithm could result in poor or failed performance of some applications during a roam.

Association of Clients


Before you can gain a good understanding of roaming, you need to understand how the client-to-AP association process occurs.

While trying to connect to a WLAN, the client adapter card undergoes a two-step process: authentication and association. Authentication is the process of verifying the credentials (MAC layer credentials at this point) of a client adapter card desiring to join a WLAN. Association is the process of associating a client adapter card with a given AP in the WLAN.

Figure 9-3 illustrates the following process:


1. When a client adapter card comes online, it broadcasts a probe request.

2. An AP that hears this responds with details.

3. The client adapter card makes a decision about which AP to associate with based on the information returned from the AP. In the case of Figure 9-3, AP A has a stronger signal, so AP A is selected as the "desired" AP. Then the client adapter card sends an authentication request to the desired AP.

4. AP A authenticates the client adapter card and sends an acknowledgment back.

5. The client adapter card sends up an association request to that AP.

6. The AP then puts the client adapter card into the table and sends back an association response. From that point forward, the network acts like the client adapter card is located at the AP. The AP acts like an Ethernet hub.



Figure 9-3. Authentication and Association

system set identifier (SSID), but can also contain some vendor proprietary information such as RF load, number of users, repeater operation, and so on. The client adapter card listens to all APs that it can hear (beacons received) and makes the decision as to which to associate to. Note here that it is the client that makes the decision for which AP to associate to, not the AP. However, the decision is based on information it receives from the AP.


Layer 2 Roaming


Although there are many different designs for roaming, this section discusses the general methods of Layer 2 roaming. Two types of roaming, active and passive, can occur. In active roaming, the APs do part of the data message handling. In the passive scheme, the APs do little in the data stream except pass the data to the client or drop the data.

Keep in mind that as a client is moving out of range of its associated AP, the signal strength will start to drop off. At the same time, the strength of another AP will begin to increase. It is important to make sure there is overlap between cells strong enough so that the client has a usable signal at all times.

In some devices, a roam occurs only after the client has lost association (that is, no longer has network connectivity) to the present AP. At that point, the client starts the authentication/association process again, as detailed in the preceding section.

In other devices, the client actively listens to the beacon from all APs that it can hear. As signal strength of the present AP drops below a specified level (which might or might not be a parameter available to the user), the client evaluates other APs' signal strength.

Figure 9-4 corresponds to the following re-association process:


1. The client is currently associated to AP A, but listens for the beacons from all APs. The client evaluates the beacons received from APs A and B and selects the best AP to connect to.

2. The client selects AP B over AP A and sends an association request to AP B.

3. AP B confirms the client's association and registers the client.

4. AP B sends out a broadcast packet on the Ethernet with the source address of the client. This packet provides update information for the content-addressable memory (CAM) tables in the network switches and informs AP A that the client has roamed.
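
The re-association steps above, as an added Python sketch that is not from the book: a toy learning switch, two APs and a client whose beacon readings are constructed. The -75 dBm roam threshold, the MAC address and the port numbers are assumptions made for the illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy Layer 2 switch: the CAM table maps a source MAC to the port it was last seen on."""
    def __init__(self):
        self.cam, self.ports, self.moves = {}, {}, []

    def attach(self, port, device):
        self.ports[port] = device

    def receive(self, in_port, src, dst):
        old = self.cam.get(src)
        if old is not None and old != in_port:
            self.moves.append((src, old, in_port))   # MAC moved: record it for monitoring
        self.cam[src] = in_port                      # learn/relearn from the source address
        if dst == BROADCAST:                         # flood to every other port
            for port, device in self.ports.items():
                if port != in_port:
                    device.wire_rx(src)

class AccessPoint:
    def __init__(self, name, port, switch):
        self.name, self.port, self.switch, self.clients = name, port, switch, set()
        switch.attach(port, self)

    def associate(self, mac):
        self.clients.add(mac)                            # step 3: register the client
        self.switch.receive(self.port, mac, BROADCAST)   # step 4: broadcast sourced from the client MAC

    def wire_rx(self, src):
        self.clients.discard(src)    # a client seen on the wire has roamed to another AP

def pick_ap(current, beacons, roam_threshold=-75):
    """Steps 1-2: keep the current AP while its beacon is above the threshold (dBm),
    otherwise choose the strongest beacon heard."""
    if beacons.get(current, -100) >= roam_threshold:
        return current
    return max(beacons, key=beacons.get)

def simulate_roam():
    sw = LearningSwitch()
    aps = {"A": AccessPoint("A", 1, sw), "B": AccessPoint("B", 2, sw)}
    client, current = "02:00:00:00:00:01", "A"     # constructed, locally administered MAC
    aps[current].associate(client)
    # Constructed beacon strengths (dBm) as the client walks from AP A toward AP B
    walk = [{"A": -55, "B": -85}, {"A": -72, "B": -70}, {"A": -80, "B": -60}]
    history = []
    for beacons in walk:
        best = pick_ap(current, beacons)
        if best != current:
            aps[best].associate(client)
            current = best
        history.append((current, sw.cam[client]))
    return history, sw.moves, sorted(aps["A"].clients)

if __name__ == "__main__":
    print(simulate_roam())
```

The `moves` list corresponds to the MAC-move events a switch can log; in this model one entry per roam is the expected pattern.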



Figure 9-4. Re-Association

throughput performance. Or if the client is in range of both a repeater and an AP that is attached directly to the infrastructure, the client would determine that the wired AP would be more efficient. These are just examples of differences in vendor implementations. Not all vendors offer the same features, and most features are not cross-vendor interoperable.


Layer 3 Roaming


As WLANs grow, so does the demand for Layer 3 roaming. Roaming beyond the single building (moving from one building to another, across campus, or even across town) has become a highly desired feature for WLAN users. In many cases, this can be an easy thing with today's client devices. In most environments, users are not actively connected to the network during this roaming time. The computer or device is stowed away during transit and then brought back alive after the roam. In other cases, users might want to use a VoIP phone while walking from one campus building to another.

Various approaches exist to provide network access to devices or nodes that have roamed away from their home network to a foreign network. A foreign network might be a Layer 3 subnet at a remote facility of a large enterprise or university campus, or a network owned or administered by an entirely different entity, such as a police or fire department.

The Nomadic-Node Approach


One way to provide network access to devices or nodes that have roamed away from their home network is the nomadic-node approach. A nomadic node is a device that moves or roams from one network to another and must renew its IP address and reestablish connectivity to the network applications in progress.

One advantage of nomadic roaming is that it requires nothing special in the client, infrastructure, or APs. It follows the simple Layer 2 roaming and association methods. However, nomadic roaming does not maintain any connection-oriented sessions that are in progress. Nomadic roaming might require user intervention (re-log in, perform a release/renew, or reboot) to continue to work on the network. This is typically how most laptop computers are used with roaming. The user closes the computer, moves to another building or site, and opens the computer, starting a new IP session.

The Mobile-Node Approach


An alternative method to provide network access to roaming devices or nodes is the mobile-node approach. A mobile node is a device that moves from one network to another, but keeps its original IP address, allowing for uninterrupted access to connection-oriented applications (assuming the brief delay involved in roaming does not prompt a disconnect). The major advantage of mobile nodes is that they allow devices to cross Layer 3 boundaries and, by means of a tunnel back to a router on their home network, have their network traffic forwarded. This allows a device to keep its original IP address even though its IP address is no longer valid for the subnet upon which it presently resides.

One of the most common applications requiring a mobile-node approach is a wireless VoIP phone. Maintaining an IP connection while roaming is required to maintain the call, and therefore the IP address must stay the same while roaming.


Mobile IP


Mobile IP has been around for many years, but it has really never gotten much play in the enterprise industry because it relies on the mobile node using specialized Mobile IP client software. This means replacing the IP stack with a special version, different from the supplied Microsoft IP stack or other OS-supplied IP stack. This software provides the intelligence to communicate with other Mobile IP entities, such as home agents and foreign agents, and the capability to generate registrations as appropriate.

For a mobile node to successfully roam across subnets, it must first be anchored to its home network by the home agent router. The home agent router contains a list of all devices, by IP address, capable of roaming from its network. When the mobile node roams to a new network, it registers with the home agent as being away from home. The home agent also maintains an association between the mobile node's "home" IP address and the care-of address (CoA) or "loaned address" on the foreign network. It also redirects and tunnels packets to the CoA on the foreign network.

The mobile node's registration is sent using the foreign agent router that is providing service on the foreign network. The foreign agent includes a CoA in the registration it sends to the home agent. This address is used as the termination address of the tunnel on the foreign router. A tunnel is then built between the home agent and foreign agent for all traffic destined for the mobile node. When the mobile node sends traffic to another device (known as the correspondent node, such as a web server), that outbound traffic can be routed directly to the destination device. The destination device replies to the source IP address. This results in the traffic being routed to the home agent because it is the default router for the subnet from which the mobile node originated. The home agent then forwards that traffic through the tunnel to the foreign agent, which then forwards it to the mobile node.

Figure 9-5 presents the key components and traffic flow of Mobile IP:


1. Traffic is sent from the mobile node directly to the correspondent host.

2. The host replies to the source address of the mobile node.

3. The traffic is routed to the home agent.

4. The home agent tunnels the traffic to the CoA of the foreign agent.

5. The foreign agent forwards the traffic to the mobile node.



Figure 9-5. Key Components of Mobile IP

When the mobile node roams back to its home network, it drops its registration with the home agent and the tunnel is removed. If more than one node roams from the same home network to the same foreign network, a single tunnel is used to service traffic for all mobile nodes between those two tunnel endpoints. Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP) is the protocol used to exchange information between the home agent, foreign agent, and mobile node. Extensions have been added to this protocol to accommodate Mobile IP operation.
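
The Mobile IP flow in Figure 9-5, including the return home, as an added Python example (not from the book). It assumes IP-in-IP encapsulation (IP protocol 4), the default tunnel type for Mobile IPv4, which the chapter does not name; all addresses and the class and function names are constructed for the illustration.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:                      # fold carries (one's-complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

class HomeAgent:
    def __init__(self, address, roaming_allowed):
        self.address = address
        self.roaming_allowed = set(roaming_allowed)  # devices capable of roaming, by IP
        self.bindings = {}                           # home address -> care-of address

    def register(self, home_addr, coa):
        """Registration relayed by the foreign agent; refused for unlisted devices."""
        if home_addr not in self.roaming_allowed:
            return False
        self.bindings[home_addr] = coa
        return True

    def deregister(self, home_addr):
        """Node is back home: drop the binding so traffic is delivered locally again."""
        self.bindings.pop(home_addr, None)

    def forward(self, packet):
        """Steps 3-4: return (next hop, bytes on the wire) for a packet to a home address."""
        dst = socket.inet_ntoa(packet[16:20])
        coa = self.bindings.get(dst)
        if coa is None:
            return dst, packet                       # node is home: no tunnel
        outer = ipv4_header(self.address, coa, 4, len(packet))  # protocol 4 = IP-in-IP
        return coa, outer + packet

def foreign_agent_decapsulate(tunneled):
    """Step 5: strip the outer header, return (mobile node address, inner packet)."""
    if len(tunneled) < 40 or tunneled[9] != 4:
        raise ValueError("not an IP-in-IP packet")
    inner = tunneled[20:]
    return socket.inet_ntoa(inner[16:20]), inner

def demo():
    ha = HomeAgent("10.1.0.1", roaming_allowed={"10.1.0.50"})
    # Constructed reply from a correspondent node to the mobile node's home address
    reply = ipv4_header("198.51.100.7", "10.1.0.50", 6, 4) + b"data"
    ha.register("10.1.0.50", "10.2.0.1")             # CoA on the foreign agent
    hop, tunneled = ha.forward(reply)
    node, inner = foreign_agent_decapsulate(tunneled)
    ha.deregister("10.1.0.50")
    return hop, node, inner == reply, ha.forward(reply)[0]

if __name__ == "__main__":
    print(demo())
```

Registering a second allowed node with the same care-of address gives the same outer source and destination, which is the single shared tunnel the text describes.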

Mobile IP Disadvantages


Some aspects of Mobile IP make it difficult to manage. The cost of the client software and the administration time required to load this software onto the devices might be a burden to the IT department. Also, because the population of mobile nodes might change over time, management of Mobile IP can be a challenge.

In addition, the infrastructure devices must also contain support for Mobile IP. You must have at least one home agent on the overall network and at least one foreign agent per subnet. Typically, a home agent is located wherever clients are located for the majority of time (home location). This reduces the number of tunnels needed.

Another disadvantage is the roam time. The time it takes to build a tunnel can be in excess of 10 seconds. Although this long roam time might be okay for some applications, it poses a problem for session-persistent applications and VoIP systems.

Proxy Mobile IP


Proxy Mobile IP supports Mobile IP for wireless nodes without requiring specialized software for those devices. With Proxy Mobile IP, the wireless AP acts as a proxy on behalf of wireless clients, so the wireless clients are unaware they have roamed onto a different Layer 3 network. The AP handles IRDP communications to the foreign agent and manages registrations to the home agent. The Proxy Mobile IP scheme is less expensive, requires less administration overhead, and is faster to deploy than Mobile IP.

Any AP in the network might be designated as an authoritative AP. An authoritative access point is responsible for informing all other APs on the network about networks that have mobile nodes and specifies which home agent must be contacted to register a roaming mobile node.

Not all APs support Proxy Mobile IP, and its overall deployment is still very limited in the WLAN industry.

Before deploying Proxy Mobile IP, network design and implementation engineers should address these fundamental questions:

Is there an alternative approach to using Proxy Mobile IP?

What is the corporate policy with regard to device roaming?

Should static or dynamic IP address assignment be used?

Does an operational Mobile IP network currently exist or will a new Mobile IP network need to be built?

If building a new Mobile IP network, is the correct software version and feature set available on existing routers?


The answers to these questions will vary depending on the network, desired applications, and environment. Several answers to these questions are presented in the next sections.

Most IT managers use dynamic IP address assignment with DHCP. However, when using DHCP with the Microsoft Windows 2000 or Windows XP operating systems, the operating system automatically sends a broadcast DHCP renew packet with its existing source IP address when the client roams to a new AP. If the operating system does not receive a response, it reverts to a standard Windows IP address and looks for a new address using DHCP. This capability to "sense the media" results in a failed Proxy Mobile IP connection.

Deploying VLANs over Wireless."


Layer 3 Wireless Switching


As discussed in Chapter 5, a surge of "wireless switches" has recently hit the WLAN market. Although these are truly not "switched wireless," where you create a unique collision domain (within your wireless RF channel), these systems use wired network switches to control the access ports and manipulate data traffic. Almost every vendor of enterprise-class WLANs has some type of integration between their wired switches and APs today.

The first type of these wireless switch products discussed is the appliance or wireless AP controller. Although not a switch (it does not do network switching of data, but just manages wireless traffic and configuration for the APs), these controllers provide the tunnels between appliances, which in turn forward data to the proper subnet. The client is actually sending data to the controller, which in turn is forwarding it with the proper addressing scheme for the subnet (see Figure 9-6).


Figure 9-6. Wireless LAN Controllers


The second type of wireless switch that was discussed earlier does actual network packet switching, and handles traffic for the APs. This type of device, although very similar to the WLAN controller, incorporates both the controller and the network switch into one device (see Figure 9-7). One thing to note is that all wireless traffic must be routed through the controlling switch, as shown by the traffic flow from Client 2 to Client 3.


Figure 9-7. WLAN Switches


The downside of this type of device is that it usually requires a different type of network management than the existing network switches deployed for the wired part of the network, and requires the IT staff to learn yet another new interface and configuration utility.

