WPA2-PSK host_roaming / handover performance with hostap-driver

Duncan Grove duncan.grove at dsto.defence.gov.au
Mon Aug 1 03:56:07 EDT 2005


I am trying to figure out the best way to determine when and how to
roam between access points in order to minimise handoff time and was
wondering if anyone has any suggestions. Here is my setup:

      |-------IPv6 only backbone------|
      |          |        ...         |
    router1     router2             routerN
    | ... |     | ... |             | ... |
  AP1,1 AP1,N AP2,1 AP2,N         APN,1 APN,N

  MN -------------------------------------->

Every AP is on its own LAN segment / IPv6 network, so the APs can't
communicate by MAC address (hence IAPP etc won't help) or IP (since
the APs don't have IPv6 support). The APs are all Cisco 1231's running
IOS 1.3(2)JA2 with WPA2-PSK allowing AES-CCM or TKIP and
broadcast-ssid. All APs have the same PSK (I'm not using EAP because
the APs don't support IPv6-based RADIUS).

The MN is an ARM-based handheld (using a relatively modern 2.4 series
kernel) with a prism2-based wireless card (f/w version 1.7.4).  I am
using wpa_supplicant-0.4.3, hostap-driver-0.4.0 and Jean Tourrilhes'
wireless_tools-28-pre6 (WE-18).

My wpa_supplicant.conf looks like this:

~ # more /etc/wpa_supplicant.conf

# Annex user trial network
        group=CCMP TKIP

With this setup the MN will not automatically hand over to a new
AP unless the link is completely dropped. Manual roaming can be
initiated, however, by running "wpa_cli scan" or "wpa_cli reassoc"
which seems to scan for BS and pick the one with the best
signal. Therefore, as a stopgap solution to provide automatic
roaming I have an iwconfig-roamd script running in the background,
parsing the received signal strength, and issuing the reassoc request
if the signal strength gets too low. While this works ok (handover
takes about 0.8s-1.5s or so if cells overlap enough) I am curious as to
whether anyone has any better ways of doing this? Is there a way to
get wpa_supplicant to do smooth roaming yet?

In particular I am a little unsure of how all the prism2_param and
wpa_supplicant.conf options might be used to help:

1) Can wpa_supplicant.conf's ap_scan help? I have tried changing it
from the default of 1 to 0 and 2, but with 0 the card never associates
to anything and with 2 I get "failed to process WPA IE from
association info" messages.

2) How is wpa_supplicant.conf's ap_scan related to the prism2_param
host_roaming parameter? If I change prism2_param host_roaming from 2
(manual) to 0 (firmware-based) the firmware only takes about 0.3s to
handover, but all traffic to and from the new BS gets dropped for the
next second because of either "dropped unencrypted TX data frame" or
"replay detected". I think wpa_supplicant doesn't detect the roam and
rekey the encryption channel until a 1s timeout occurs. Is it possible
to make wpa_supplicant react to and rekey for firmware-based handovers
any faster?

3) Can wpa_supplicant make use of prism2_param ap_scan passive AP
scans? If I set prism2_param ap_scan 1 then I get log messages about
passive scans of a new channel each second, but neither iwlist (using
cached scan results) nor wpa_cli scan_results report any new signal
qualities or APs - should they be able to use this information?

4) Are there any other ways to get passive reporting of signal
strengths from various APs? I would like to have a script (or
wpa_supplicant itself) take this information, select the best signal
(based on quality / history, etc) and then select a specific AP with
wpa_cli bssid and wpa_cli reassoc to it. I have tried setting wpa_cli
bssid manually and handoff performance is good. I have started trying
to automate this using iwspy, but this requires some a priori
information (the MAC addresses) and even worse iwspy only seems to
produce stable signal levels for the currently associated AP - signal
levels for other APs jump around quite wildly.

5) Could any other [combination of] prism2_param or iwpriv settings
such as other_ap_policy, host_roaming, ap_scan, tkip_countermea,
drop_unencrypted or scan_channels help? E.g. I tried ap_scan 1 for
passive scanning with other_ap_policy 1 to listen to beacons from
other APs in my ssid but this didn't appear to help at all.

6) I have decided to set up my APs on channels 1, 6 and 11. Setting
iwpriv wlan0 scan_channels 0x0421 decreases the channel scanning time
significantly, from about 0.5s to 0.15s. Is this as good as I can do?

7) What should perform better: a wpa_cli scan or wpa_cli reassoc?
Scanning seems to take about 0.3s on average, but sometimes has
trouble with the encryption keys and this time blows out to several
seconds. Reassoc'ing seems to take a more stable amount of time.

8) Is prism2_param hostscan the default means of doing scanning with
hostap/wpa_supplicant i.e. does issuing a wpa_cli scan or reassoc use
non-destructive scanning? What performance overheads should I expect?

9) Does proactive_key_caching help? It seems that if I have been on a
particular AP recently handoff to it only takes 300ms (using 0x0421)
but otherwise it takes 1-1.3s. Is this because the key has been lost
and rekeying must take place? What / where is the timeout?

10) Does preauth work for WPA2-PSK or only for full WPA-Enterprise?

TIA for any help or suggestions!


PS On another note, would it be useful to allow the user to specify a
bunch of (BSSID, PSK) tuples per SSID in the wpa_supplicant.conf
file and then have wpa_supplicant select the correct key as
appropriate when roaming?
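
The signal-strength roam trigger and the scan_channels mask described in the message above, as an added example that is not the poster's iwconfig-roamd script. It goes beyond a plain threshold by requiring several consecutive low samples before reassociating. The threshold, the sample count, the sample iwconfig line and the "channel N sets bit N-1" mapping (inferred from the 0x0421 value for channels 1, 6 and 11) are assumptions.

```shell
#!/bin/sh
# Added example: threshold-plus-hysteresis roam trigger for a WPA2-PSK client.

# Build a scan_channels bitmask; assumes channel N sets bit N-1,
# which matches 0x0421 for channels 1, 6 and 11.
channels_to_mask() {
    mask=0
    for ch in "$@"; do
        mask=$(( $mask | (1 << ($ch - 1)) ))
    done
    printf '0x%04x\n' "$mask"
}

# Extract the signal level in dBm from iwconfig-style text on stdin.
signal_dbm() {
    sed -n 's/.*Signal level[:=]\(-\{0,1\}[0-9][0-9]*\) dBm.*/\1/p' | head -n 1
}

# Constructed sample line, not captured from a real card.
SAMPLE='          Link Quality:42/92  Signal level:-68 dBm  Noise level:-90 dBm'

THRESHOLD_DBM=-75   # assumed roam threshold
LOW_COUNT=3         # assumed number of consecutive low samples required
low_run=0

# Feed one sample in dBm. Returns 0 (roam) once LOW_COUNT consecutive
# samples are below THRESHOLD_DBM, otherwise returns 1 (stay).
roam_decision() {
    if [ "$1" -lt "$THRESHOLD_DBM" ]; then
        low_run=$(( $low_run + 1 ))
    else
        low_run=0
    fi
    if [ "$low_run" -ge "$LOW_COUNT" ]; then
        low_run=0
        return 0
    fi
    return 1
}

# Poll once per second and ask wpa_supplicant to reassociate when the
# trigger fires. Not started automatically; run as: roam_loop wlan0
roam_loop() {
    iface=$1
    while sleep 1; do
        level=$(iwconfig "$iface" 2>/dev/null | signal_dbm)
        [ -n "$level" ] || continue
        if roam_decision "$level"; then
            wpa_cli -i "$iface" reassociate
        fi
    done
}
```

Requiring consecutive low samples keeps a single noisy reading from forcing a reassociation and a fresh 4-way handshake.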
