The Off-Road Trail to 6 GHz AP Discovery

Author, David Coleman, provides a brief preview of the blog in his own words in the audio clip below.


This is the fifth in a series of continuing blogs about Wi-Fi 6E and the new spectrum bonanza in the 6 GHz frequency band. And this is the second of two blogs where I discuss how the traditional methods of AP discovery no longer apply for Wi-Fi 6E clients.

Wi-Fi clients have traditionally used an active hunt-and-seek method to scan for access points (APs). Clients send out probe request frames across all channels to discover APs. However, as I discussed in my previous blog, we are now entering the age of Wi-Fi 6E, and active probing is discouraged in the 6 GHz frequency band. The traditional active scanning method is no longer efficient for initial AP discovery and even worse for roaming between APs. The bottom line is that client probing takes too much time because there are so many channels in the 6 GHz band. In my last blog, I covered the three in-band discovery mechanisms for 6 GHz. However, a new out-of-band AP discovery mechanism has been designated as the primary method for Wi-Fi 6E clients to find Wi-Fi 6E APs.

The chipsets used in Wi-Fi 6E client radios will also have 2.4 and 5 GHz capabilities, meaning they can also scan and connect to APs using the legacy frequency bands. A tri-band AP can inform a Wi-Fi 6E client actively probing the 2.4 GHz or 5 GHz bands about the existing 6 GHz radio co-located in the AP. Therefore, a clearly defined out-of-band discovery method to inform Wi-Fi 6E clients about 6 GHz APs provides a guiding light: the reduced neighbor report (RNR).

802.11v first defined the possible use of a reduced neighbor report (RNR) information element that can be used to include information about a neighbor AP. For Wi-Fi 6E, the “neighbor AP” is actually the 6 GHz radio housed in the same AP along with the 2.4 GHz and 5 GHz radios. Wi-Fi 6E clients will learn about the available 6 GHz radio from the RNR information in either beacon or probe response frames sent by the AP’s 2.4 and 5 GHz radios.

In the example shown in Figure 1, a Wi-Fi 6E client sends directed probe requests across the 5 GHz band for an SSID called blue. Three APs answer with probe responses that carry basic service set (BSS) parameters for the blue SSID for the 5 GHz channels of 36, 40, and 44. However, inside each probe response is also RNR information about the 6 GHz radios transmitting on channels 53, 85, and 117. The SSID might be the same across bands or different in each frequency. The client can then decide whether to connect to the 5 GHz radio of the AP or, more likely, the available 6 GHz radio. Obviously, the goal is to eliminate probing time on the 6 GHz band. The client device is informed of available 6 GHz BSSs without ever scanning the 6 GHz band. By the way, the example in Figure 1 uses directed probe requests with a known SSID; however, the same RNR information is delivered to clients that send probe requests with a null SSID field, sometimes referred to as a Wildcard SSID.

Figure 1: Out-of-band discovery

Also, the same out-of-band discovery method is used when the Wi-Fi 6E client probes the 2.4 GHz band. The probe responses from the 2.4 GHz radios in the APs will respond about 2.4 GHz channel availability and RNR information about the 6 GHz radios co-located in the same AP. Figure 2 shows an RNR information element from a 5 GHz probe response frame. Note that it indicates a 6 GHz primary channel of 37 that is co-located in the same AP. The operating class is an indication of the 6 GHz channel size. An operating class of 134 indicates a 160 MHz channel. Likewise, 133 denotes an 80 MHz channel, 132 indicates a 40 MHz channel, and 131 indicates a channel size of 20 MHz.

Figure 2 – Reduced neighbor report

The Short SSID parameter in a reduced neighbor report (RNR) is effectively a hash of the 6 GHz SSID. The RNR information element can also indicate whether or not the 6 GHz SSID is the same as the 5 GHz SSID. If the reported 6 GHz radio and the reporting 2.4/5 GHz radios are configured with the same SSID, either the Short SSID field is set to the short SSID of the 6 GHz AP or the Same SSID subfield is set to 1. If the Same SSID subfield is set to 0, then the short SSID is strictly the 6 GHz SSID. In an earlier blog, I wrote that I expect different SSIDs with different levels of security to be used on the various bands. WPA3 will indeed be used in 6 GHz. Yet, despite the support for WPA3 transition modes in the legacy bands, WPA2 will likely remain prevalent in the 2.4 GHz and 5 GHz bands for a very long time.

The operating class information mentioned earlier is important because for the first time, the use of 80 MHz channels will be a reality for enterprise deployments. In the United States, 14 channels are available for an 80 MHz channel reuse plan in 6 GHz. The FCC has defined new transmit power rules that actually favor the use of large 80 MHz channels. As a result, 80 MHz channel reuse patterns in the enterprise could become common in countries with 1,200 MHz of 6 GHz frequency space available. As shown in Figure 3, if the RNR information found in a 5 GHz probe response indicated a primary channel of 69 and an operating class of 133, the 6 GHz radio housed in the same AP would be transmitting on the 80 MHz channel of 71.

Figure 3: Operating class: 133 | Primary channel: 69 | 80 MHz channel: 71

So, what if a client connects to a 6 GHz AP using the primary channel 53 and wants to roam to another 6 GHz AP? Believe it or not, the most likely client active scanning method will once again be for the Wi-Fi 6E client to probe the 2.4 and/or 5 GHz channels to get RNR information about possible nearby 6 GHz APs to which the client might roam. In the example shown in Figure 4, a Wi-Fi 6E client connected to the 6 GHz channel 53 of AP-1 can still use 5 GHz probe requests with RNR information to discover the 6 GHz radio housed in AP-2 using the primary channel of 85. After learning about this information and building a 6 GHz roaming table, the Wi-Fi 6E client is free to roam based on whatever pre-determined roaming thresholds the client might use. Once again, client probing is inefficient in 6 GHz and takes too much time; there are too many 6 GHz channels to scan.

Figure 4 – Roaming with out-of-band discovery

On a side note, I think that once Wi-Fi 6E clients connect to a 6 GHz AP radio, it will be expedient to use action frames (in-band) to take advantage of 802.11k neighbor reports. Please don’t confuse an 802.11k neighbor report with a reduced neighbor report (RNR). Client stations use 802.11k neighbor report information to gain information from the associated AP about potential roaming neighbors. The neighbor report information assists the fast-roaming process by providing a method for the client to request the associated AP to measure and report about neighboring APs available. This can further assist the 6 GHz roaming process by informing the client device of nearby 6 GHz APs to which it may roam. The 802.11k neighbor report information is typically delivered through a request/report action frame exchange, as shown in Figure 5.

Figure 5 – 802.11k neighbor report

Now you might ask, “How is all this going to work if there are multiple SSIDs available from the 6 GHz radio?” For example, an SSID for employees, an SSID for IoT devices, and an SSID for guests, as depicted in Figure 6.

Figure 6 – Three SSIDs on 6 GHz

The good news is that out-of-band discovery can also relay information about the existence of multiple 6 GHz SSIDs. As shown in Figure 7, the RNR information element can carry information about each available 6 GHz SSID in multiple TBTT subfields. So once again, the Wi-Fi 6E client probes out-of-band to learn about the 6 GHz radio primary channel, channel size, and multiple 6 GHz SSIDs.

Figure 7 – Multiple 6 GHz SSID information via out-of-band discovery

So, you might also have noticed that none of the relevant SSID security information is delivered out-of-band. The Wi-Fi 6E clients can get that info via various frames as soon as they hop on the 6 GHz channel. And you might have also noticed other information in the RNR element, including the Multiple BSSID and Transmitted BSSID subfields. These fields are an indication that the 6 GHz radio is leveraging multiple BSSID beacon frames and probe responses.
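An added example (not from the original blog or from any vendor's code) that parses an RNR element the way the text describes: operating class to channel width, primary channel to the number of the wide channel that contains it, and one TBTT Information field per 6 GHz SSID. Assumptions: the field layout and BSS Parameters bit positions follow the 802.11ax RNR format with a TBTT Information field of at least 12 octets, the Short SSID is taken to be the CRC-32 of the SSID, and the BSSIDs and SSID names in `build_sample` are constructed.

```python
import struct
import zlib

WIDTH_BY_OPCLASS = {131: 20, 132: 40, 133: 80, 134: 160}  # MHz, from the text

def short_ssid(ssid: str) -> int:
    # Assumption: the Short SSID "hash" is the CRC-32 of the SSID bytes.
    return zlib.crc32(ssid.encode()) & 0xFFFFFFFF

def center_channel(primary: int, width_mhz: int) -> int:
    # 6 GHz 20 MHz channels are 1, 5, 9, ...; wide channels are aligned blocks.
    span = width_mhz // 20 * 4
    first = 1 + (primary - 1) // span * span
    return first + (span - 4) // 2

def parse_rnr(element: bytes) -> list:
    # Element ID 201, one length octet, then Neighbor AP Information fields.
    if len(element) < 2 or element[0] != 201 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RNR element")
    body, pos, out = element[2:], 0, []
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated Neighbor AP Information header")
        header, opclass, primary = struct.unpack_from("<HBB", body, pos)
        count, tbtt_len = ((header >> 4) & 0xF) + 1, header >> 8
        pos += 4
        if tbtt_len < 12 or pos + count * tbtt_len > len(body):
            raise ValueError("truncated or unsupported TBTT Information")
        width = WIDTH_BY_OPCLASS.get(opclass)
        for _ in range(count):  # one TBTT Information field per 6 GHz BSS
            sssid, params = struct.unpack_from("<IB", body, pos + 7)
            out.append({
                "bssid": body[pos + 1:pos + 7].hex(":"),
                "primary": primary, "width_mhz": width,
                "center": center_channel(primary, width) if width else None,
                "short_ssid": sssid, "same_ssid": bool(params & 0x02),
                "multiple_bssid": bool(params & 0x04), "transmitted_bssid": bool(params & 0x08),
            })
            pos += tbtt_len
    return out

def build_sample() -> bytes:
    # Constructed sample: op class 133, primary 69, three made-up SSIDs.
    infos = b""
    for i, ssid in enumerate(["employee-6", "IoT-6", "Guest-6"]):
        params = 0x44 | (0x08 if i == 0 else 0)  # co-located, multiple BSSID
        infos += struct.pack("<B6sIB", 0, bytes([2, 0, 0, 0, 0, i]), short_ssid(ssid), params)
    body = struct.pack("<HBB", (2 << 4) | (12 << 8), 133, 69) + infos
    return bytes([201, len(body)]) + body
```

Matching a parsed `short_ssid` against `short_ssid("<expected SSID>")` lets a client or a monitoring tool check which advertised 6 GHz BSS belongs to a known network before tuning to the 6 GHz channel.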

Multiple BSSID is another capability that was originally specified in the IEEE 802.11v amendment. It reduces management frame overhead by eliminating the need for multiple beacons for multiple SSIDs and BSSIDs. For example, the SSID/BSSID information for the three SSIDs of employee-6, IoT-6, and Guest-6 can be consolidated into a single beacon or probe response. Figure 8 shows a packet capture of a 6 GHz beacon with a Multiple BSSID information element. As you can see, the various subfields can relay information about multiple SSIDs, BSSIDs, and other parameters, including the RSN security information of each SSID. The upside is that the information is delivered in one beacon frame instead of three, reducing Layer 2 overhead that consumes airtime. I expect the Multiple BSSID option to be used in 6 GHz by most major enterprise WLAN vendors. Could you use Multiple BSSID in 2.4 and 5 GHz beacons? Sure, you could, but you would still need a unique beacon for each SSID in the legacy bands because the legacy clients cannot interpret the Multiple BSSID information. However, Multiple BSSID makes perfect sense in 6 GHz because no legacy clients exist. By the way, if you want to learn more about Multiple BSSID, Adrian Granados wrote a great technical blog on the subject.

 

Figure 8 – Multiple BSSID information in a 6 GHz beacon

I have covered a lot of topics in this blog: RNR, roaming in 6 GHz, multiple BSSID, etc. However, I want to leave you with this last thought about out-of-band discovery. In my conversations with many people, I find them very resistant to the thought of Wi-Fi 6E clients not using the traditional in-band probing in 6 GHz and instead using the out-of-band discovery method of RNR. However, I will reiterate, out-of-band discovery will be the best method. There are simply too many channels in 6 GHz for the scanning methods of old.

Wi-Fi 6E clients can still get a roadmap for 6 GHz connectivity, but they must travel off-road on a different frequency to get the necessary information for their final destination.
