ANALYSIS AND PERFORMANCEEVALUATION OF WIRELESS LAN HANDOVER

Maria Stella lacobucci, Giuliano Paris, Dante Simboli, Gabriella ZittiTelecom Italia Learning Services (TILS) Campus Reiss Romoli, Via G. Falcone 25, 67100 L'Aquila, Italy

Abstract-Wireless LAN (WLAN) is a wireless network whichprovides connectivity in a limited area; IEEE 802.11 is themost widespread standard for wireless LANs. The paper, aftera brief introduction on the WLAN technology, describes thehandover procedure, the related security issues and the labscenario measurement results. In the first part of the work, thevalue of path loss in an in-building line of sight condition has beenestimated and the expression of the critical speed for a successfulhandover has been derived; the second part of the paper dealswith handover latency measurements in a IEEE 802.11g WLANlab scenario with PEAP/MSCHAPv2 authentication. The resultsshow that the 802.1x authentication delay takes the longesttime, and that it can be reduced through a pre-authenticationmechanism which brings to a very short handover time, suitableeven for real time services.

I. INTRODUCTIONA WLAN is a wireless network which provides connectivity

in a limited area. IEEE 802.11 [1] is the most widespreadstandard for wireless LANs and includes two network topolo-gies: Infrastructure and Ad Hoc Network. The InfrastructureNetwork consists of a Distribution System (DS) that connectstwo or more Access Points (APs). Each AP provides a radiocoverage and each Mobile Terminal (MT) is attached to oneAP. One AP with the attached MTs is called Basic ServiceSet (BSS). A set of one or more interconnected BSSs and theDS is defined Extended Service Set (ESS). The ESS allowsthe communication between MTs belonging to different BSSs.In an Ad Hoc Network the MTs are connected peer-to-peerwithout involved APs . The MTs which share a radio channelform an Independent Basic Service Set (IBSS). Performancesof an Ad Hoc Network strictly depend on the MTs number, onthe mutual distance, and on their instantaneous position. TheIEEE 802.1 1 standard defines the physical (PHY) and MediumAcces Control (MAC) layers for Wireless LANs.The most important IEEE 802.11 PHYs are:

. b, which works at 2.4 GHz and provides up to 11 Mb/s;

. a, which works at 5 GHz and provides up to 54 Mb/s;

. g, which works at 2.4 GHz and provides up to 54 Mb/s.The g PHY is backward compatible with the b standard. TheMAC layer is the same for each PHY, and is based on CarrierSense Multiple Access/Collision Avoidance (CSMA/CA) [1].In an Infrastructure Network the APs provide the radio cov-erage by re-using frequency channels whose bandwidth is 22MHz. Because of the high frequency and the low transmittedpower, the cells have a limited coverage and therefore aMobile Terminal (MT) crosses several cells when it moves.The handover procedure guarantees that when a MT moves

0-7803-9206-X/05/$20.00 ©2005 IEEE

from a cell to another, a new radio connection must be setup and the old one must be released (hard handover). Whilein radio-mobile networks the handover is controlled by thenetwork and assisted by the terminal, with todays standardsin wireless LANs the handover is completely driven by theMT. That implies a simpler network, but on the other side therequirements in terms of throughput, delay and jitter for realtime services are not guaranteed.If the MT moves from cell to cell belonging to the sameIP subnetwork, the handover procedure is handled by theMAC level and is called layer-two handover. When the MTroams between APs belonging to different IP subnetworks, thehandover must be also handled at the IP level and is calledlayer-three handover. It can be solv bed using the Mobile IP(MIP) protocol. [2].The goal of the paper is to analyze WLANs handover pro-cedure and to evaluate the measurements obtained in a labscenario with PEAP/MSCHAPv2 authentication [3]. The paperis organized as follows. Section 2 presents security issues in-cluding the description of PEAP/MSCHAPv2 protocol imple-mented in the experiments; in section 3 the handover procedureis described and some parameters are evaluated; sections 4describes the lab scenario and analyzes measurement results.Finally, section 5 presents the conclusions.

II. SECURITY ISSUESSecurity is an important concern of any network, especially

for wireless and mobile ones. The first encryption algorithmimplemented in IEEE 802.11 WLANs has been Wired Equiv-alent Privacy (WEP). It uses a 40 or 104 bit shared secret key;each radio NIC and access point must be manually configuredwith the same WEP key. In [4] is shown that WEP is notsecure, and therefore VVLANs needed the standardization of802.11i with more powerful security features. The 802.11iincludes new mechanisms for user authentication and dataencription. It was approved only in June 2004, but in March2003 the Wi-Fi Alliance released the Wi-Fi Protected Access(WPA) draft version 802.1 li [5] which includes Temporal KeyIntegrity Protocol (TKIP), 802.1 x [6] and EAP (Extensible Au-thentication Protocol) mechanisms. The combination of thesemechanisms provides dynamic key encryption and mutualauthentication. The 802.1 1i standard is backward compatiblewith WPA and includes an optional Advanced EncryptionStandard (AES) encryption. In the performed lab experimentsProtected EAP (PEAP) with MSCHAPv2 [3] has been usedfor authentication and encryption. Figure 1 shows the authenti-

337

Whrd_aimsd A.

StPrte-Ikq- Ieadty-

RADIUSSW_ ADIS)- PMmt

;9iIE.Iw

Ml.

E11N K"HI

Fig. 1. WPAvl authentication procedure: PEAP & MSCHAPv2.

cation procedure which can be summarized with the followingthree phases:

. open reassociation or null-authentication mechanism: theopen reassociation phase establishes a logical link be-tween MT and the authentication server and the usercredentials are requested;

* 802.lx authentication: the MT and the RADIUS servermutually autenticate;

* key management: the encryption keys are generated anddistributed.

III. WIRELESS LAN HANDOVER AND MOBILITY

A. Handover procedureThe handover procedure is described in the standard [1] in

terms of exchanged messages between MT and AP, and theimplementation details (algorithm and criteria) are demandedto the manufactories.The handover process implies the following actions:

* detection phase: the MT senses that the power levelreceived from the AP is decreasing;

* search phase: the MT starts a searching phase for anotherAP;

. execution phase: the MT switches from the old to thenew AP.

After the detection phase, the MT sends probe request man-agement frames in broadcast [1] on each radio channel; the APanswers with a probe response that carries informations aboutAP radio parameters and implemented security protocols.From the received probe responses , the MT is able to selectthe AP to send a reassociation request. After the reassociationresponse the execution phase is performed. Figure 2 showsthe handover messages exchanged during the search andthe execution phase. The execution phase may include theexchange of authentication messages, allowing the MT to beauthenticated by the new AP.

B. Handover criteriaIn the handover procedure, the start of search phase depends

on NICs radio thresholds, generally expressed in terms ofSignal to Noise Ratio (SNR) at the receiver side. The decisioncriterion implemented in the tested NICs chipset (ATHEROS

STA

Fig. 2. Messages exchanged during handover procedure.

chipset, http: //www. atheros. com) is shown in figure 3and works as follows:

1) when SNR < SNRth, the cell search phase starts;2) if the condition SNRneW > SNRId + A is satisfied,

then the handover is executed and the station reassoci-ates to the new AP.

3) Cell search phase continues until SNR > SNRth.

SNRdB(')

SNR-h - --

12 -3

Fig. 3. Decision points of the handover procedure.

SNRth and A thresholds the considered values are reportedin table I: In the tested NICs SNRth = 10dB and A = 6dB.

Threshold Low Medium HighSNRth(dB) 10 23 | 30

A(dB) 6 7 8

TABLE I

SNRth AND A THRESHOLDS

338

C. MT speed limits evaluationSignal to Noise Ratio is defined by:

SNRdB 101090(PS )PN

SNRdB

(1)

where P, is the signal power and PN is the noise power.Generally, at distance x from AP, the received power is:

p (x) =PtGtG,AO(47wx)/3

SNRth

OORth

(2)

where: Pt the input power, Gt is the trasmitter antenna's gain,Gr is the receiver antenna's gain; : is the Path-loss exponent,A is the wave length. The table LI shows some values of ,.Assuming AWGN (Additive White Gaussian Noise) condition,

EnvironmentFree-space 2

Shadowed urban area 2.7 .5In building line-of-sight 1.6 . 1.8In building obstructed 4 . 6

TABLE II

PATH LOSS EXPONENT

the noise power is given by:

PN(x) = NoB

No is the single side noise power spectral density andthe band of the signal. By substuting the (2) and the (3) inwe derive:

SNRdB(x) = 10 log10 P'G(4Grx' 1 log1oNoB

AlO loglo (Pt GtGr) + 103logl0(-)-

47w

-10 log10 NoB - 10/ log10x =

= C - 10/3log1o x

The first term of (4), C = C(Pt, Gt, Gr,A, /) is surely C > 0

and the second represents the path loss. Assuming that theMT moves at constant speed v:

SNRdB(t) = C(Pt, Gt, GrA, /)-10/31og1o(xo + vt) (5)

The (5) shows the dependence of SNRdB with the speed.Figure 4 shows that the higher is the speed, the steeper is theSNRdB. In the figure, other radio parameters are represented:SNRth is the threshold which determines the start of searchprocedure; OORth sets the out of range; tAp is the minimumtime needed to find a new AP, At is the time between thebeginning of the search phase and the out of range and dependson the speed v of the MT (At = At(v)).If At < tAp, then the handover procedure fails (no reasso-

ciation) and therefore the MT must start a new associationprocedure.

tt tre tl t

1. At

Fig. 4. SNR at the receiver side function of the MT's speed.

PtGt = EIRP 100mWGr 1

Wavelength A 0.124mNoise Power PN -95dBm

TABLE IIIPROPAGATION PARAMETERS

D. MT critical speed calculation

(3)1

By substituting the real values of parameters shown in table(3) III, the value is obtained equal to 2.6; from (5), is obtained:is

(1)62.8 - 26 log10 (xo + Vt) (6)

Measured values with the theoretical curve are compared infigure 5. Each point in the figure is obtained as the average oftwenty measurements. By imposing SNRdB(t) = SNRth =

(4) ;

Fig. 5. Comparison of measured values and theoretical values of SNRdB (X)

lOdB (referring to table I):

10 = 62.873 - 26 log10(xo + vti)

from wich:102.033 xo 107.9 -xo

tl = =v v

339

'' 1 ~~~~~~~~~~v2> vl

' 2 \tex' \ F ~~tAP

~~---r----------- ------------------~~~~~~~

~~~ .l

tl t2

;2

Now in (6) is imposed SNRdB(t) = 0ORth = OdB:

0 = 62.873 - 26 log10(xo + Vt2)from wich:

102.418 - x0 261.8 -xt2 = =

v v

finally:At(v) = t2 - t1 = v

Cisco Aironet 802.1 la/b/g (AIR-CB21AG) [10] acts as snifferand performs radio captures. The authentication procedurewas implemented with PEAP/MSCHAPv2 [3] as shown inthe previous paragraph. Table IV reports delays introduced

(7)

(8)The critical value of MT speed v, is such that At(v,) = tAP,therefore from (8):

153.9Vc=tAP

The value of tAp is unknown and depend from the manufac-tories implementation criteria.However v, can be improved increasing the value of SNRththreshold; given, for example, SNRth = 23dB the followingresult is obtained: 227.7

V=tAPwith a percentage increase of:

I v' - 10oo0= 227.7 - 153.9 * 100=47-9%V, ~153.9 10

IV. LAB SCENARIO AND MEASUREMENTS RESULTSIn order to measure the handover latency (service inter-

ruption time), the scenario represented in figure 6 has beenreproduced in laboratory. In the experiments there is only oneMT communicating with current AP and RTS (Request ToSend) - CTS (Clear To Send) frames transmission [1] wasdeactivated in order to avoid a useless protocol overhead. The

Traffic g -or Authetkation Ser,er(MGEN) (F-RADIUS)

UDP P,kd,v

-~~~~~(b.1) API (ChaS 1

gW ,.~~~~~~~---,'----.,-

~~~~~~-- ----,--

V

Fig. 6. Lab scenario.

DS is a 100 Mbit/s LAN, whose hosts are: a PC with trafficgenerator functionality; a RADIUS (Remote Access Dial-InUser Service) server (FreeRADIUS); two Access Points (APIand AP2) Proxim AP4000 [7] using channels 1 and 11 [81respectively. The MT is a laptop with wireless PCMCIAProxim 802.11 a/b/g Gold [9], to which UDP packets at about2Mbit/s are addressed; another laptop with wireless PCMCIA

Phase1: Open Reassociation2: 802.Ix authentication3: key management1+2+3

Time (ns)3.2

257.440.3300.9

TABLE IVMEASUREMENTS RESULTS

by the three phases of handover execution procedure. Thesevalues are obtained as an average of ten measures. As shown,the 802.lx authentication takes the longest time, which isapproximately 85% of total handover latency. Figure 7 shows,

Fig. 7. service interruption.

in function of time, the packets received at the MT. In thefigure a service interruption of several milliseconds can benoted.

V. CONCLUSIONS AND FURTHER WORK

The paper, after a brief introduction on the WLAN tech-nology, describes the handover procedure, the related securityissues and the lab scenario measurement results. In the firstpart of the work, the value of path loss in an in-buildingline of sight condition has been estimated and the expressionof the MT critical speed for a successful handover has beenderived. The MT can move faster by increasing the value of thethreshold SNRth, but on the other hand, this condition causesa signalling messages increase and therefore a throughputreduction.The second part of the paper deals with handover latencymeasurements in WLAN lab scenario with PEAP/MSCHAPv2authentication. The 802.lx authentication takes the longesttime. However the recent 802.1 1i standard provides a featureto strongly reduce this delay through a pre-authenticationmechanism [5]. With pre-authentication procedure a MT, oncehas performed an authentication with one AP, by means ofit, starts further authentications towards neighbour APs. As

340

further work, the handover latency could be measured usingthis new pre-authentication procedure in the lab scenario,in order to verify the decrease of the authentication delay.Moreover, using network simulators (e.g. NS2, OMNET++),an optimal or suboptimal value of SNRth could be estimated,this value will be a compromise between throughput and MTmaximum speed.

REFERENCES[1] Part 11: Wireless LAN Medium Access Control (MAC) and Physical

Layer Specification (PHY), ANSI/IEEE 802.11 Std., 1999.[2] C. E. Perkins, RFC 3344 - IP Mobility Support for IPv4, Internet

RFC/STD/FYI/BCP Archives, August 2002.[3] A Comprehensive Review of 802.11 Wireless LAN Security and the Cisco

Wireless Security Suite, Cisco Systems, Inc., 2002.[4] S. Fluhrer, I. Mantin, and A. Shamir, Weakness in the key scheduling

algorithm of RC4.[5] 802.11i - IEEE Standard for Information technology - Telecommunica-

tions and information exchange between systems - Local and metropoli-tan area networks - Specific requirements - Part 11: Wireless Medium

Access Control (MAC) and Physical Layer (PHY) specifications: Amend-ment 6: Medium Access Control (MAC) Security Enhancements, IEEEComputer Society 802.1 1i Std., July 2004.

[6] IEEE standard for Local and Metropolitan Area Networks, Port-BasedNetwork Access control, IEEE Computer Society 802.1 x Std., October2001.

[7] ORiNOCO AP4000 Access Point User Guide, Proxim Corporation, 2004,http://www.proxim.com.

[8] IEEE standard for information technology - telecommunications andinformation exchange between systems -local and metropolitan areanetworks - specific requirements Part II: wireless LAN medium accesscontrol (MAC) and physical laver (PHY) specifications, IEEE ComputerSociety 802.1 Ig Std., 2003.

[9] ORiNOCO lla/big Combocard, Proxim Corporation, 2004, http:/Hwww.proxim.com.

[10] Cisco Aironet 802.1 la/b/g Wireless LAN Client Adapters (CB21AG andPI21AG) Installation and Configuration Guide , OL-4211-02, CiscoSystems, 2004, http://www.cisco.com.

341