支援IEEE 802.11s無線區域網狀網路整合式安全網域之機制

Abstract

本論文針對無線區域網狀網路（WLAN Mesh），提出一套機制將IEEE 802.11i標準之認證機制及金鑰管理與WLAN Mesh環境加以整合。WLAN Mesh具備不需佈線以及功能強大的繞徑機制，可提供快速與低成本的骨幹網路佈建。然而現有WLAN Mesh的安全機制自外於802.11i，因此換手處理與訊框繞送之效能不佳，足以影響即時性服務之品質。

本論文之機制以不影響802.11i之安全性為前提，將MAP（mesh access point）的認證者（authenticator）功能改設置於MPP（mesh portal），降低行動端於換手時執行IEEE 802.1X認證之需求。因此，換手延遲與訊息流量將可有效降低，同時加密訊框之繞送效能也獲得改善。此外，本機制可相容於IEEE 802.11i標準，不需更動行動端即可達成上述之改良。對於WLAN Mesh而言，本機制可與IEEE 802.11s標準同時運作，不影響原有之安全機制與繞送機制。

另一方面，本論文提出一分析模型用以計算行動端漫遊於WLAN Mesh時，安全程序所衍生之換手延遲與流量。根據計算結果顯示，本機制可降低換手延遲達245%，並提供等同於802.11i preauthentication機制運作於80%-90%成功率之效能。此模型亦可運用於分析集中式WLAN架構下，認證者與存取點（access point）位於不同網路實體時，單一認證者管理存取點數量之最佳值。

This thesis proposes a mechanism to integrate the authentication and key management scheme of the IEEE 802.11i standard with the WLAN Mesh environment. WLAN Mesh eliminates the need for cabling and provides a powerful routing mechanism, so that deployments of the backbone network will be faster and less expensive than the wired counterpart. However, the security mechanism of the WLAN Mesh is isolated from 802.11i. This isolation of security mechanism introduces extra overhead in handoff handling and routing, and thus degrades the quality of real-time services.

In order to improve the handoff performance while fulfilling the security requirement of 802.11i, the proposed mechanism makes the mesh portal (MPP), instead of the mesh access point (MAP), the IEEE 802.1X authenticator so that it can reduce the demand for performing the IEEE 802.1X authentication in handoffs. As a consequence, it not only reduces the handoff latency and message traffic but also improves the routing performance of the encrypted frame. Meanwhile, the mechanism is compatible with IEEE 802.11i and can be used by a station without any modification. Furthermore, the mechanism can also operate with IEEE 802.11s, affecting neither the original routing mechanism nor the security mechanism of IEEE 802.11s.

We also propose an analytical model to evaluate the handoff latency and message traffic caused by the security procedures while a station roaming within a WLAN Mesh network. The results show that the proposed mechanism can reduce the handoff latency up to 245% and achieve the same performance as the one accomplished by the 802.11i preauthentication with a successful probability of 80%-90%. Moreover, this model can be further applied in analyzing the optimum number of APs managed by one authenticator in a centralized WLAN architec-ture, where authenticators and APs are implemented in distinct network entities.