Wi-Fi Roaming Secrets Revealed – Part 2

Tim Higgins



Introduction

Part 1 of this series looked at how a device with known roaming behavior worked with a NETGEAR Orbi router and satellite. Since the octoScope Pal device supports 802.11v BSS Transition Management Requests, we got to see how that feature was used in band steering the Pal.

Before we move on to look at the roaming behavior of a Windows and Android STA, I thought we would take a short detour to look at how to tell whether devices support 802.11k, v and r. From my time working with an assortment of devices in preparing this series, I’ve found the indications are not always obvious. I’ve also found that even when support is indicated, the actual function might be improperly or incompletely implemented.

To recap, the Windows STA is a Lenovo M600 computer running Windows 10 Pro 64 bit with an Intel Wireless-AC 8260 internal adapter with the latest 20.40.0.4 driver. I chose this adapter because Intel says the AC-8260 supports 802.11k, v and r and Microsoft says Windows 10 supports 802.11k, v and r (depending on device driver support, of course).

The Samsung Galaxy Tab A 8" (2017 version – SM-T380) was chosen because it was found to support 802.11k and v by packet inspection, even though neither is specified.

Note: This article will use access point or AP to refer to the devices creating your Wi-Fi network. This includes wireless routers, mesh nodes, Wi-Fi systems, Wi-Fi extenders, etc. In the end, they all meet the definition of an access point, i.e. a network device that enables Wi-Fi devices to connect to a wired network.

STA (station) will be used to refer to wireless client devices.

The Wireshark capture files used came from an octoScope Pal-24 (2.4 GHz) and octoScope Pal-5 tuned to the two channels in use (6 and 40). The files were merged before analysis.

How To Tell – 802.11k

802.11k is the IEEE Radio Resource Management standard. Its focus is on making the roaming process more efficient by reducing the need for a STA to probe (scan) for information about possible APs to roam to. The summary below from an excellent 7Signal whitepaper outlines key 802.11k features. (You can also see Veli-Pekka Ketonen from 7Signal deliver the presentation in this video.)

802.11k Radio Resource Management

We can start by filtering for STA Association Requests (wlan.fc.type_subtype == 0) or Reassociation Requests (wlan.fc.type_subtype == 2), looking for the Radio Management Capabilities fields Beacon Passive Measurement (wlan.rmcap.b4 == 1) and Beacon Active Measurement (wlan.rmcap.b5 == 1) enabled. The entire Wireshark filter is:

((wlan.fc.type_subtype == 0) || (wlan.fc.type_subtype == 2)) && (wlan.rmcap.b4 == 1 || wlan.rmcap.b5 == 1)

If we drop the STA Association Request part of the filter, however, we see Orbi advertising its 11k support in Beacons and Probe Responses, as shown in the Wireshark detail below.

11k support indicators

Another thing we can look for as an indication of 11k support is a STA actually issuing a Neighbor Report request (wlan.rm.action_code == 4). The capture below shows the Intel STA issuing a request twice. But the Orbi’s response is not very helpful, with no neighbor information supplied. [NOTE! If you are using Wireshark version 3.2.9 or higher, replace wlan.rm.action_code with wlan.fixed.action_code.]

11k Neighbor Report Request & Response

We can also look for a Neighbor Report itself by applying a wlan.tag.number == 52 filter. The screenshot below shows Orbi providing a Neighbor Report in the same frame that it issues a BSS Transition Management Request. There is only one BSSID in the report, which is the 5 GHz radio of the same AP, 08:02:8e:9f:39:c8.

11k Neighbor Report

802.11k also supports Measurement Requests, found using a wlan.rm.action_code == 0 filter. The screenshot below shows Orbi issuing a Beacon request. A more specific filter would be wlan.tag.number == 38, found under Tagged Parameters.

11k Radio Measurement Request

If we go looking for a Measurement Report by filtering for wlan.tag.number == 39, however, we don’t find one in this capture, or any others for the Intel STA. But a capture using the Samsung Tab STA shows two responses. However, the report details say no measurement was actually made, as indicated by measurement duration: 0x0000 and all the other zero values. This is an example of a feature that appears to be supported, but actually isn’t because no actionable information is provided.

11k Radio Measurement Report

If you still haven’t had enough fun with 11k hunting, you can check out this video by Mark Williams that has more examples with commentary.

How To Tell – 802.11v

802.11v is the IEEE standard focused on the process of STAs making a BSS transition. Key features of the spec are summarized in the 7signal slide below.

802.11v BSS Transition Management

For 11v, we look for BSS Transition: Supported (wlan.extcap.b19 == 1). If it’s supported, you’ll find it in AP Beacons and Probe Responses, which are plentiful, but only in STA association or reassociation frames, which are not. So if you’re looking for STAs that support 11v BSS Transition, you should add filters for Association (wlan.fc.type_subtype == 0) and Reassociation (wlan.fc.type_subtype == 2) requests to the filter, as shown below.

11v BSS Transition supported

You can also AND the BSS Transition filter with your STA’s MAC address to home right in.

Using STA MAC address to find 11v support

Once we know 11v is supported, we can filter for BSS Transition Management Requests (wlan.fixed.action_code == 7) and Responses (wlan.fixed.action_code == 8). Here’s Orbi issuing the request, and supplying a Neighbor Report to try to aid the move. I’m not sure if it is part of the standard, but the Candidate list obfuscates the suggested BSS, which I’ve circled in red.

11v BSS Transition Management Request

The Intel STA’s response clearly indicates the target BSS, however.

11v BSS Transition Management Request

The 7signal slide shows three other ways APs or STAs can make roam requests or suggestions. But I haven’t been able to track down the filters to check for them.

How To Tell – 802.11r

The last of the three roaming assistance standards is 802.11r Fast Roaming/Fast BSS Transition. This appears to be the least implemented (or enabled) of the three, because it can cause problems for older devices, which may be unable to connect to an AP because they can’t understand the additional 11r information in AP beacons and probe responses.

The 7signal summary slide shows 11r’s focus is reducing authentication time. 11r is focused on enabling sub-second roaming, which is most important for uninterrupted voice or video calling.

802.11r BSS Fast Transition

AP 11r support indication is found in the Authentication Key Management (AKM) Suite of the RSN-IE (Robust Security Network Information Element). If you apply a wlan.rsn.akms.type == 4 filter and see type = FT using PSK, you found it! Applying this filter, however, returns no hits on captures of either the Samsung Tab or Intel AC 8260. So I have to say neither supports 11r.

The screenshot below shows what it looks like in a capture I ran across in an online archive.

11r support indicator

Filtering for wlan.tag.number == 55 will show Authentication or Reassociation frames that carry the Fast BSS Transition element.

11r support indicator

I’ve seen 11r support only once in my captures, on a Ubiquiti UAP-AC-Lite.

Update 8/16/18 – I’ve learned that STAs will not advertise 11r support unless they detect an AP advertising 11r support. Since the Orbi doesn’t support 11r, I had no way of properly detecting STA 11r support.
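
The three capability checks above (RM Enabled Capabilities bits b4/b5 for 11k, Extended Capabilities bit 19 for 11v, an FT AKM suite in the RSN element for 11r) can also be run directly over a frame's tagged parameters outside Wireshark. This is an added example, not code from the original article: the function names and sample bytes are constructed for illustration, the input is assumed to start at the first tagged parameter (fixed fields already stripped), and it goes slightly beyond the article by also counting AKM type 3 (FT over 802.1X) alongside type 4 (FT using PSK).

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
FT_AKMS = {3: "FT over 802.1X", 4: "FT using PSK"}  # AKM types under OUI 00-0F-AC

def parse_ies(body):
    """Split tagged parameters into {tag: payload}; stop at a truncated element."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break
        ies.setdefault(tag, body[i + 2:i + 2 + length])
        i += 2 + length
    return ies

def bit(payload, n):
    """Bit n of a capability field (bit 0 = LSB of first octet), False if absent."""
    return len(payload) > n // 8 and bool(payload[n // 8] >> (n % 8) & 1)

def rsn_akm_types(rsn):
    """AKM suite types listed in an RSN element (tag 48) payload."""
    try:
        (n_pairwise,) = struct.unpack_from("<H", rsn, 6)  # after version + group cipher
        off = 8 + 4 * n_pairwise
        (n_akm,) = struct.unpack_from("<H", rsn, off)
    except struct.error:
        return []
    suites = [rsn[off + 2 + 4 * k:off + 6 + 4 * k] for k in range(n_akm)]
    return [s[3] for s in suites if len(s) == 4 and s[:3] == RSN_OUI]

def roaming_support(body):
    ies = parse_ies(body)
    rm = ies.get(70, b"")  # RM Enabled Capabilities: wlan.rmcap.b4 / b5
    return {
        "11k": bit(rm, 4) or bit(rm, 5),
        "11v": bit(ies.get(127, b""), 19),  # wlan.extcap.b19
        "11r": any(t in FT_AKMS for t in rsn_akm_types(ies.get(48, b""))),
    }

STA_IES = bytes.fromhex(  # constructed sample, not from the article's captures
    "46 05 32 00 00 00 00"            # RM caps: neighbor report, beacon passive/active
    "7f 08 00 00 08 00 00 00 00 40"   # Extended caps: bit 19 (BSS Transition) set
    "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00")  # RSN, AKM PSK
AP_IES = bytes.fromhex(   # constructed sample: RSN with PSK + FT-PSK, Mobility Domain
    "30 18 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 04 00 00"
    "36 03 12 34 01")
if __name__ == "__main__":
    print(roaming_support(STA_IES), roaming_support(AP_IES))
```

The constructed STA sample reports 11k and 11v but not 11r, the same pattern the article found for its STAs; as the update above notes, a negative 11r result from a STA is only meaningful when the AP it associated with advertises 11r.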

Closing Thoughts

I know this information might be arcane or uninteresting to some. But I hope it saves someone the hours it took me to track all this down. Like many new Wi-Fi technologies that are supposed to enhance our experience, 802.11k, v and r are taking a long time to make their way into widespread implementation. And it’s not like they’re new; 11k and 11r were released in 2008 and 11v in 2010.

Also typical for Wi-Fi, implementations vary widely. These standards leave lots of room for interpretation, with many optional features. So to repeat an answer I gave to an SNBForums member, not all 11k, v or r implementations are created equal. Just because your Wi-Fi system and devices say they support one or more of these roaming assistance technologies doesn’t mean that quick and smooth roaming is assured. And it’s possible that your roaming experience can be just fine without them.

In the end, the two most important factors in smooth roaming are client behavior and AP overlap–on both bands! 802.11k and v, and to a lesser extent, r support are still a work very much in progress.


