Introduction to IEEE 802.11 Wireless LAN
Li-Hsing Yen, Chung Hua University
Fall 2006
Difference Between Wired and Wireless LANs
•The medium impacts the design
•Stations are mobile
•Different MAC
Medium Impacts
•Shared medium
•Unprotected from outside signals
•Significantly less reliable than wired PHYs
•Dynamic topologies
Mobile vs. Wireless
•Mobile: moved from location to location, but only used while at a fixed location
•Wireless: access the LAN while in motion
IEEE 802 Committees
•802.0 SEC
•802.1 High Level Interface (HILI)
•802.2 Logical Link Control (LLC)
•802.3 CSMA/CD Working Group
•802.4 Token Bus
•802.5 Token Ring
•802.6 Metropolitan Area Network (MAN)
•802.7 BroadBand Technical Adv. Group (BBTAG)
•802.8 Fiber Optics Technical Adv. Group (FOTAG)
•802.9 Integrated Services LAN (ISLAN)
•802.10 Standard for Interoperable LAN Security (SILS)
•802.11 Wireless LAN (WLAN)
•802.12 Demand Priority
•802.14 Cable-TV Based Broadband Communication Network
•802.15 Wireless Personal Area Network (WPAN)
•802.16 Broadband Wireless Access (BBWA)
•RPRSG Resilient Packet Ring Study Group
Within 802.11 and 802.15:
•IEEE 802.11, 802.11a, 802.11b (WiFi), 802.11g
•IEEE 802.11e, 802.11f, 802.11h, 802.11i Security (2004)
•IEEE 802.15.1 Bluetooth; IEEE 802.15 TG2, TG3, TG4
802.11 Specifications
•One MAC specification: CSMA/CA
•Three physical (PHY) specifications
–Radio
•Frequency hopping spread spectrum (FHSS)
•Direct sequence spread spectrum (DSSS)
–Infrared
IEEE 802.11 Family
•IEEE 802.11b–2.45 GHz / 11 Mbps (300m range)
•IEEE 802.11a–5.8 GHz / 54 Mbps
•IEEE 802.11g–2.4 GHz / 54 Mbps
[Figure: the 802.11 family by band and data rate]
•IEEE 802.11: standard for WLAN operations at data rates up to 2 Mbps in the 2.4 GHz ISM band. DSSS modulation.
•IEEE 802.11b: Wi-Fi™ or “high-speed wireless”; 1, 2, 5.5 and 11 Mbps in the 2.4 GHz band. All 802.11b systems are backward compliant. Realistic rating is 2 to 4 Mbps.
•IEEE 802.11a: standard for WLAN operations at data rates up to 54 Mbps in the 5 GHz band. Proprietary “rate doubling” has achieved 108 Mbps. Realistic rating is 20-26 Mbps.
•IEEE 802.11g: brings 802.11a (OFDM) operation to the 2.4 GHz band, backward compatible with 802.11b.
DSSS: Direct Sequence Spread Spectrum. OFDM: Orthogonal Frequency Division Multiplexing.
Radio licenses are NOT required in the 2.4 GHz and 5 GHz bands.
[Table: Standard / Data Rate / Modulation Scheme / Pros and Cons]
Standard: 802.11. Data rate: ≤2 Mbps, 2.4 GHz. Modulation: FHSS or DSSS. Pros/cons: this specification has been extended into 802.11b.
Standard: 802.11a. Data rate: ≤54 Mbps, 5 GHz. Modulation: OFDM. Pros/cons: “Wi-Fi Certified.” 8 available channels. Less potential for RF interference than 802.11b and 802.11g. Better than 802.11b at supporting multimedia voice, video and large-image applications in densely populated user environments. Relatively shorter range than 802.11b. Not interoperable with 802.11b.
Standard: 802.11b. Data rate: ≤11 Mbps, 2.4 GHz. Modulation: DSSS with CCK. Pros/cons: “Wi-Fi Certified.” 14 channels available. Not interoperable with 802.11a. Requires fewer access points than 802.11a for coverage of large areas. High-speed access to data at up to 300 feet from base station.
Standard: 802.11g. Data rate: ≤54 Mbps, 2.4 GHz. Modulation: adaptive; OFDM above 20 Mbps, DSSS + CCK below 20 Mbps. Pros/cons: “Wi-Fi Certified.” 14 channels available. May replace 802.11b. Improved security enhancements over 802.11. Compatible with 802.11b.
Standard: Bluetooth. Data rate: up to 2 Mbps, 2.45 GHz. Modulation: FHSS. Pros/cons: no native support for IP, so it does not support TCP/IP and wireless LAN applications well. Best suited for connecting PDAs, cell phones and PCs in short intervals.
Spread spectrum modulation schemes address these problems, each in its own way:
•DSSS: Direct Sequence Spread Spectrum
•OFDM: Orthogonal Frequency Division Multiplexing
•FHSS: Frequency Hopping Spread Spectrum
DSSS: Direct Sequence Spread Spectrum
•In DSSS, individual pulses are increased to a much higher frequency by multiplying them with a code that is unique to each WLAN. All the stations know the code. The result is a string of chips.
[Figure: DSSS spreading of a data pulse into a string of chips]
•DSSS has good interference rejection.
OFDM: Orthogonal Frequency Division Multiplexing
In OFDM, the reverse happens. 10 (say) serial bits are converted into 10 parallel bits, each of which modulates its own radio carrier. Each carrier now carries a bit rate that is 1/10th the bit rate of the original. A reflected signal path needs to be 10 times longer to cause the same interference. Longer paths are more attenuated, so the strength of the interference is also less.
[Figure: direct signal, original reflected signal, and the longer reflected signal]
Wireless NICs
Access Point (AP)
•Usually connects wireless and wired networks
–if not wired, acts as an extension point (wireless bridge)
•Consists of a radio, a wired network interface (e.g., 802.3), and bridging software conforming to the 802.1d bridging standard
•Number of clients supported: device dependent
AP as a Wireless Bridge
[Figure: protocol stacks in an infrastructure network. Mobile terminal: application, TCP, IP, LLC, 802.11 MAC, 802.11 PHY. Access point: LLC bridging between 802.11 MAC/PHY on the wireless side and 802.3 MAC/PHY on the wired side. Server (fixed terminal): application, TCP, IP, LLC, 802.3 MAC, 802.3 PHY.]
Basic Service Set (BSS)
[Figure: a BSS with a coordinated function (the access point)]
Independent Basic Service Set (IBSS)
•A BSS without an access point
•An ad hoc network
Extended Service Set (ESS)
•ESS: one or more BSSs interconnected by a Distribution System (DS)
•Traffic always flows via an Access Point
•Allows clients to seamlessly roam between APs
Distribution System (DS)
•A thin layer in each AP
–embodied as part of the bridge function
–keeps track of AP-MN associations
–delivers frames between APs
•Three types:
–Integrated: a single AP in a standalone network
–Wired: using cable to interconnect the Access Points
–Wireless: using wireless to interconnect the Access Points
ESS: Single BSS (with integrated DS)
[Figure: one BSS served by an access point; a cell of 91.44 to 152.4 meters]
ESS: BSSs with Wired Distribution System (DS)
[Figure: two BSSs joined by a wired distribution system, with 20-30% cell overlap]
ESS: BSSs with Wireless Distribution System (DS)
[Figure: two BSSs joined by a wireless distribution system]
SSID (Service Set Identifier)
•Service set ID used in an ESS or IBSS
–An IBSS with no APs uses the Basic Service Set Identification (BSSID)
•The BSSID field is a 48-bit field of the same format as an IEEE 802 MAC address
–In an infrastructure wireless network that includes an AP, the Extended Service Set Identification (ESSID) is used
•ESSID is the identifying name of an 802.11 wireless network
ESSID in an ESS
•ESSID differentiates one WLAN from another
•Client must be configured with the right ESSID to be able to associate itself with a specific AP
•ESSID is not designed to be part of a security mechanism, and it is unfit to be one
•APs broadcast the SSID(s) they support
•Client association requests contain the ESSID
•Transmitted in the clear
Connecting to the Network
[Figure: client/access point exchange in three phases]
•Probing: Probe Request (client to AP), Probe Response (AP to client)
•802.11 Authentication: Authentication Request, Authentication Response
•Association: Association Request, Association Response
Probing Phase
•Find an available AP
•APs may operate at different channels (11 channels in total in case of 802.11a)
•Should scan a channel for at least MinChannelTime
•If an AP is found, should last MaxChannelTime
Active Scanning
[Figure: the MN sends a probe request carrying the SSID; the AP returns a probe response if the SSID matches]
Passive Scanning
[Figure: the AP periodically sends a beacon carrying the SSID; the MN listens for it]
Full Scanning
[Figure: the MN scans channel 1, channel 2, channel 3, … channel 11 in turn (APs 1, 2 and 3 on different channels); on each channel it waits MinChannelTime for a Beacon or Probe Response, and stays up to MaxChannelTime once an AP answers]
Association & Re-association
•Association: the mapping between some AP’s port and an MN
•Association must exist before network services can be used
•Wireless LAN association replaces the physical link in a wired LAN
•MN may later re-associate to another AP with higher signal quality
Authentication and Association
•Unauthenticated and unassociated: the node is disconnected from the network and not associated to an access point.
•Authenticated and unassociated: the node has been authenticated on the network but has not yet associated with the access point.
•Authenticated and associated: the node is connected to the network and able to transmit and receive data through the access point.
802.11 Authentication Methods
•Open Authentication (standard)
•Shared key authentication (standard)
•MAC Address authentication (commonly used)
Open Authentication
•The authentication request contains a NULL authentication protocol. It must have the AP’s SSID.
•The access point will grant any request for authentication.
[Figure: the client sends an Authentication Request; the access point returns an Authentication Response]
Shared Key Authentication
•Requires that the client be configured with a static WEP key
[Figure: client sends Authentication Request; AP returns Authentication Response (challenge); client sends Authentication Request (encrypted challenge); AP returns Authentication Response (Success/Failure)]
MAC Address Authentication
•Not specified in the 802.11 standard, but supported by many vendors (e.g. Cisco)
•Can be added to open and shared key authentication
[Figure: the client sends an Auth. Request to the access point; the AP sends an Access-Request (MAC sent as RADIUS request) to the RADIUS server; the server returns Access-Success/Reject; the AP returns Auth. Response (Success/Reject) to the client]
WEP Encapsulation
1. P = M || checksum(M) {P = plaintext}
2. KeyStream = RC4 (IV || k) {k = shared key}
3. C = XOR (P, KeyStream) {C = ciphertext}
4. Transmit (IV, C) {IV = init-vector}
[Figure: the WEP key and the Initialization Vector (IV) form the seed of the RC4 PRNG, which outputs the key stream; the message plus its CRC-32 Integrity Check Value (ICV) form the plaintext P; P XOR key stream gives the ciphertext C, which is sent together with the IV]
WEP Decapsulation
1. KeyStream = RC4 (IV || k)
2. P’ = XOR (C, KeyStream) = M’ || (checksum(M))’
3. If checksum(M’) = (checksum(M))’, then P’ is accepted
[Figure: the received IV and the WEP key seed the RC4 PRNG; the key stream XORed with the ciphertext yields P’ = M’ || ICV’; CRC-32 over M’ is compared with the received ICV (ICV’ = ICV?)]
802.11 WEP Frame
[Figure: 802.11 header, IV and Key ID fields are unencrypted; Payload and ICV are encrypted; the FCS follows]
•The IV field sent with the ciphertext contains two subfields: IV and KeyID
•ICV is a CRC-32 checksum over the Payload (802 Header and the Data)
WEP Key Management
•What is “KeyID”?
–Each entity in the wireless LAN (AP, clients) is configured with four static WEP keys
•KeyIDs 0, 1, 2, 3
–The keys are shared by an AP and all the wireless stations accessing it
–The ID of the key used for encryption/decryption appears in the packet’s WEP header
RC4 Key
•RC4 key = IV (3 octets) || Secret Key (5 or 13 octets)
•Standard: 24 + 40 = 64 bit RC4 key
•Vendors: 24 + 104 = 128 bit RC4 key
•We’ll see that key size doesn’t prevent the attacks
Details - Checksum
•CRC-32 detects single random bit errors
•If the CRC is correct, WEP assumes
–the packet has not been modified
–the packet is from an authorized user
•Linear property:
CRC (XOR(A,B)) = XOR(CRC (A), CRC(B))
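The four encapsulation steps, the decapsulation check and the CRC linearity property above, carried out in code. This is an added example, not code from the slides or from any 802.11 implementation; the key, IV and message are constructed sample values, and the keyed-MAC comparison function and the IV-exhaustion calculation are additions that illustrate the slides' "key space is too small" and "CRC is linear" points from a defender's side.

```python
# Added example (not code from the slides or from any 802.11 stack): WEP
# encapsulation/decapsulation exactly as the four slide steps describe them,
# plus a check of the CRC linearity property. Key, IV and message used in
# __main__ are constructed sample values.
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 KSA + PRGA. WEP uses the keystream from byte 0; it does not
    discard the first 256 bytes that the RC4 slide recommends dropping."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the data, 4 octets little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(k: bytes, iv: bytes, m: bytes) -> tuple:
    """Steps 1-4: P = M || checksum(M); KeyStream = RC4(IV || k);
    C = P XOR KeyStream; transmit (IV, C)."""
    if len(iv) != 3 or len(k) not in (5, 13):
        raise ValueError("WEP uses a 3-octet IV and a 5- or 13-octet key")
    p = m + icv(m)
    return iv, xor_bytes(p, rc4_keystream(iv + k, len(p)))


def wep_decapsulate(k: bytes, iv: bytes, c: bytes):
    """Decapsulation steps 1-3; returns M' or None when the ICV check fails."""
    p = xor_bytes(c, rc4_keystream(iv + k, len(c)))
    m, received_icv = p[:-4], p[-4:]
    return m if icv(m) == received_icv else None


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """The slide's identity CRC(A xor B) = CRC(A) xor CRC(B) holds for a raw
    CRC. Standard CRC-32 adds a 0xFFFFFFFF preset and final XOR, which makes
    it affine: the identity then holds up to the constant CRC of an all-zero
    string of the same length, which is what is checked here."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return lhs == rhs


def mac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """Same test against a keyed MAC (HMAC-SHA256 here), the kind of
    integrity check that keyed 802.11 security uses instead of a CRC."""
    def h(msg):
        return hmac.new(key, msg, hashlib.sha256).digest()
    zeros = bytes(len(a))
    return h(xor_bytes(a, b)) == xor_bytes(xor_bytes(h(a), h(b)), h(zeros))


def iv_exhaustion_hours(rate_mbps: float = 11.0, frame_bytes: int = 1500) -> float:
    """Time to cycle through all 2^24 IVs at the slide's figures."""
    frames_per_second = rate_mbps * 1e6 / (frame_bytes * 8)
    return 2 ** 24 / frames_per_second / 3600


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")     # constructed 40-bit shared key
    IV = bytes.fromhex("0a0b0c")          # constructed 24-bit IV
    MSG = b"constructed 802.11 payload"
    iv, c = wep_encapsulate(KEY, IV, MSG)
    print(wep_decapsulate(KEY, iv, c) == MSG)          # True
    print(crc_is_linear(MSG, b"x" * len(MSG)))         # True
    print(mac_is_linear(KEY, MSG, b"x" * len(MSG)))    # False
    print(round(iv_exhaustion_hours(), 2))             # 5.08
```

The ICV is computed with zlib's CRC-32, which is the CRC-32 polynomial 802.11 specifies; the keyed-MAC function is there only to show that the linearity test fails for a MAC, which is why a CRC cannot serve as one.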
RC4
•Developed by Rivest in 1987
•Kept as a trade secret (but leaked in 1994)
•Key can be between 1 and 256 bytes
•Used as a simple and fast generator of pseudo-random sequences of bytes (to be used as a “one-time pad”)
•Should discard the first 256 bytes of the generated pad
•Passes all usual randomness tests
802.11 Vulnerabilities
•RC4 stream cipher not suited for data with lots of packet loss
–Loss of data requires re-synch, new key every time
•Poor key management
–WEP uses the same key for authentication/encryption
–Provides no mechanism for session key refreshing
•One-way authentication:
–has no provision for MNs to authenticate/verify the integrity of the AP
Weaknesses of WEP: Overall Key Space is Too Small
•IV change per packet is OPTIONAL
–If the “IV || key” for RC4 is changed for every 802.11 packet, repeated patterns can occur more frequently
–At the rate of 11 Mbps of 1,500 bytes/packet, all key space will be exhausted in about 5 hours.
802.1X
•Based on EAP (Extensible Authentication Protocol, RFC 2284)
–still one-way authentication
–initially, the MN is in an unauthorized port
–an “authentication server” exists
–after being authorized, the MN enters an authorized port
–802.1X ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN.
Three Main Components
–supplicant: usually the client software
–authenticator: usually the access point
–authentication server: usually a Remote Authentication Dial-In User Service (RADIUS) server
802.1X – How it works
[Figure: exchange between the client, the AP and the auth server (“RADIUS”)]
•Client to AP: Let me in! (EAP Start)
•AP to client: What’s your ID? (EAP-request identity message)
•Client to AP: ID = [email protected] (EAP Response); AP to server: Is [email protected] OK?
•Server, EAP challenge/authentication: Prove to me that you are [email protected]
•Client: The answer is “47”
•Server to AP: Let him in. Here is the session key. AP to client: Come in. Here is the session key.
•Encrypted session; the client now reaches the network (http://yyy.local\index.htm)
Step 1
•Initially, the MN is in an unauthorized port
–only 802.1X traffic from the MN is forwarded.
–Traffic such as Dynamic Host Configuration Protocol (DHCP), HTTP, FTP, SMTP and Post Office Protocol 3 (POP3) is all blocked.
•The client then sends an EAP-start message.
Step 2
•The AP will then reply with an EAP-request identity message to obtain the client’s identity.
–The client’s EAP-response packet containing the client’s identity is forwarded to the authentication server.
•The authentication server is configured to authenticate clients with a specific authentication algorithm.
–The result is an accept or reject packet from the authentication server to the access point.
Steps 3 and 4
•Upon receiving the accept packet, the AP will transition the client’s port to an authorized state,
–then all traffic will be forwarded.
•Notes:
–802.1X for wireless LANs makes NO mention of key distribution or management.
•This is left for vendor implementation.
–At logoff, the client will send an EAP-logoff message to force the AP to transition the client port to an unauthorized state.
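The port behaviour of steps 1 to 4, as an added example that is not code from the slides or from any real AP or supplicant. The EtherType and EAPOL packet-type constants are the IEEE values; the frame model, the stand-in authentication server and the "identity:credential" payload layout are constructed for this illustration, standing in for the EAP method and RADIUS exchange the slides leave abstract.

```python
# Added example, not code from the slides or any real AP/supplicant: the
# authenticator's controlled port across 802.1X steps 1-4. Frame model,
# stand-in server and payload format are constructed for the illustration.
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E   # 802.1X traffic: the only thing an unauthorized port passes
ETHERTYPE_IP = 0x0800      # DHCP, HTTP, FTP, SMTP, POP3 all ride on IP here

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types


@dataclass
class Frame:
    src: str                        # client MAC, kept as a string for readability
    ethertype: int
    eapol_type: Optional[int] = None
    payload: bytes = b""            # constructed "identity:credential" for EAP-Response


class StandInAuthServer:
    """Plays the RADIUS role: answers Access-Accept or Access-Reject."""
    def __init__(self, users: dict):
        self.users = users

    def decide(self, identity: str, credential: bytes) -> str:
        ok = self.users.get(identity) == credential
        return "Access-Accept" if ok else "Access-Reject"


class Authenticator:
    """The AP. Each client MAC owns a port that stays unauthorized until the
    authentication server accepts the client."""
    def __init__(self, server: StandInAuthServer):
        self.server = server
        self.authorized = set()

    def port_state(self, mac: str) -> str:
        return "authorized" if mac in self.authorized else "unauthorized"

    def handle(self, frame: Frame) -> str:
        """Return what the AP does with the frame."""
        if frame.ethertype != ETHERTYPE_EAPOL:
            # Step 1: non-802.1X frames are forwarded only on an authorized port
            return "forward" if frame.src in self.authorized else "drop"
        if frame.eapol_type == EAPOL_START:
            return "EAP-Request/Identity"                 # step 2: ask for identity
        if frame.eapol_type == EAPOL_LOGOFF:
            self.authorized.discard(frame.src)            # step 4: back to unauthorized
            return "port->unauthorized"
        # EAP-Response: relay identity and credential to the server (step 2)
        identity, _, credential = frame.payload.partition(b":")
        verdict = self.server.decide(identity.decode("ascii", "replace"), credential)
        if verdict == "Access-Accept":
            self.authorized.add(frame.src)                # step 3: open the port
        return verdict


if __name__ == "__main__":
    ap = Authenticator(StandInAuthServer({"alice": b"s3cret"}))
    print(ap.handle(Frame("aa:bb:cc:dd:ee:01", ETHERTYPE_IP, payload=b"DHCP DISCOVER")))  # drop
    print(ap.handle(Frame("aa:bb:cc:dd:ee:01", ETHERTYPE_EAPOL, EAPOL_START)))
    print(ap.handle(Frame("aa:bb:cc:dd:ee:01", ETHERTYPE_EAPOL, EAPOL_EAP_PACKET, b"alice:s3cret")))
    print(ap.handle(Frame("aa:bb:cc:dd:ee:01", ETHERTYPE_IP, payload=b"GET /")))  # forward
```

The point the model makes explicit is that the decision to forward is taken per frame against the port state, so a client that is rejected, or that has sent EAP-Logoff, is back to passing only EAPOL frames.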
802.11 Key Management
•Key Management:
–BKR (broadcast key rotation)
•AP periodically broadcasts the WEP shared key
•The initial WEP key is only used for registration the first time.
–So the WEP key is used less frequently.
–TKIP (temporal key integrity protocol)
•hashing the key before using it for encrypting a packet
MAC Management Layer
•Synchronization
–Time Synchronization Function (TSF)
•Power Management
–Sleeping without missing any messages
–Power management functions
•Periodic sleeping, frame buffering, traffic indication map
•Association and reassociation
–Joining a network
–Roaming, moving from one AP to another
Synchronization in 802.11
•All stations maintain a local timer
•Time Synchronization Function
–Keeps timers from all stations in sync
•Timing conveyed by periodic Beacon transmissions
–Beacon contains Timestamp for the entire BSS
–Timestamp from Beacons used to calibrate local clocks
802.11 Time Synchronization Function (TSF)
•The interval at which Beacons are generated is called the Beacon Period
•The points in time at which a Beacon may be transmitted are called Target Beacon Transmission Times (TBTTs)
–consecutive TBTTs are one Beacon Period apart
•Beacon transmission may be delayed by CSMA deferral
•Timestamp contains the timer value at transmit time
TSF in Ad Hoc Mode: Which One Generates the Beacon?
•When a TBTT arrives, a node does not send its Beacon immediately but waits for t slots. Each node picks t at random from the integers in [0, w], where w is a fixed system parameter called the Beacon Contention Window Size.
•While waiting, the node listens to the medium. If it hears no Beacon from another node during the t slots, it sends its own Beacon once the t slots have elapsed.
•If it hears another node’s Beacon during the t slots, it cancels its own transmission and receives that Beacon instead.
•Every node that receives a Beacon inspects its timestamp. If the timestamp is later than the node’s own clock, the node sets its clock to the time in the timestamp.
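The four rules above for one TBTT in an IBSS, as an added simulation that is not code from the slides or from any driver. Node names, clock values and w are constructed; the clocks are treated as frozen at the TBTT so that only the contention and adoption rules are visible.

```python
# Added example, not from the slides or from any driver: the IBSS beacon
# contention and clock-adoption rules above, run for one TBTT.
# Node names, clock values and w are constructed.
import random
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    clock: int   # local TSF timer (microseconds); treated as frozen at the TBTT


def beacon_round(nodes, w, rng=random):
    """One TBTT. Every node draws t from [0, w]; the node with the smallest t
    hears nothing during its wait and sends its Beacon; the others hear it,
    cancel theirs, and adopt the timestamp if it is later than their clock.
    Equal smallest t means the Beacons collide and nobody synchronizes.
    Returns (sender name or None, the slot choices)."""
    slots = {n.name: rng.randint(0, w) for n in nodes}
    earliest = min(slots.values())
    candidates = [n for n in nodes if slots[n.name] == earliest]
    if len(candidates) != 1:
        return None, slots
    sender = candidates[0]
    timestamp = sender.clock            # timer value at transmit time
    for n in nodes:
        if n is not sender and timestamp > n.clock:
            n.clock = timestamp         # only a later timestamp is adopted
    return sender.name, slots


def max_clock_never_decreases(nodes, w, rounds, rng=random):
    """Check over many TBTTs: clocks are only ever moved forward, so the
    largest clock in the IBSS is monotone."""
    best = max(n.clock for n in nodes)
    for _ in range(rounds):
        beacon_round(nodes, w, rng)
        now = max(n.clock for n in nodes)
        if now < best:
            return False
        best = now
    return True


if __name__ == "__main__":
    ibss = [Node("A", 100), Node("B", 500), Node("C", 300)]
    sender, slots = beacon_round(ibss, w=7, rng=random.Random(1))
    print(sender, slots, [n.clock for n in ibss])
```

With a fixed sequence of draws the outcome is exact: if B draws 0 while A and C draw larger values, B sends and both others move to B's clock; if two nodes draw the same smallest t, the round produces no Beacon and no clock changes.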
Power Management
•Power management is important to mobile devices that are battery powered.
•Current LAN protocols assume stations are always ready to receive
–Idle receive state dominates LAN adaptor power consumption over time
•802.11 Power Management Protocol
–allows the transceiver to be off as much as possible
–is transparent to existing protocols
Power Management in Infrastructure Mode
•Allow idle stations to go to sleep
–Station’s power save mode stored in AP
•APs buffer packets for sleeping stations
–AP announces which stations have frames buffered
–Traffic Indication Map (TIM) sent with every Beacon
Power Management in Infrastructure Mode (cont.)
•Power saving stations wake up periodically
–listen for Beacons
•If it has packets buffered, it then sends a power-save poll request frame to the AP
•AP will send the buffered frame to the station
•The station can sleep again
Power Management in Ad Hoc Mode
•Similar to the infrastructure mode
•However, the buffering scheme is achieved by the sending station (as there is no AP here)
•Sleeping station also wakes up periodically to listen for Beacons and ATIMs
–If it has data buffered, it sends an Ack and wakes up
–Sending station sends the data to the sleeping station
Distributed Coordination Function: CSMA/CA
•CSMA: Carrier Sense Multiple Access
–physical carrier sense: physical layer
–virtual carrier sense: MAC layer
•network allocation vector (NAV)
•CA: Collision Avoidance
–random backoff procedure
•Shall be implemented in all stations and APs
Carrier Sense: Carrier Presence
[Figure: stations A, B, C on a time axis. B wants to send to C at this time; B senses carrier, so it starts sending Data]
Carrier Sense: No Carrier
[Figure: stations A, B, C on a time axis. A is sending Data. B wants to send to C at this time; B senses no carrier, so it defers sending. B starts sending its Data only after the medium is free]
Hidden Terminal Problem
[Figure: stations A, B, C on a time axis, with B’s signal range shown. B is sending Data to A. C wants to send to A at this time; C senses carrier, so it starts sending, and the two Data frames collide at A. B is a hidden terminal to C and vice versa]
ACK: Collision Detection
[Figure: stations A, B, C. B sends Data 1 to A and receives ACK 1 (Data 1 OK). B then sends Data 2 while C sends Data 7; both are lost, so there is no ACK 2 and no ACK 7]
CTS/RTS: Virtual Carrier
[Figure: stations A, B, C on a time axis. C wants to send to A and sends RTS(k). A replies CTS(d), heard by both B and C. C knows A is ready to receive; B knows A is to receive C’s data in d, so B won’t send A any data in d. C then sends Data and A returns ACK]
Problem With Persistent CSMA
[Figure: stations A, B, C on a time axis; the medium is busy with A’s signal. B wants to send to A at this time; B senses the signal, so it waits. C wants to send to A at this time; C senses A’s signal, so it waits too. B starts sending as soon as it senses carrier; C starts sending as soon as it senses carrier; the two transmissions collide]
Collision Avoidance: Random Backoff
[Figure: stations A, B, C on a time axis; the medium is busy. B senses the signal at this time. When B senses carrier it starts a timer; when C senses carrier it starts a timer. The timer value is determined at random]
Contention Window
[Figure: after the medium is busy, all stations must wait DIFS after the medium is free; the contention window then begins and each station counts down its random backoff (random 1, random 2, random 3). The winner sends its data frame]
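A slot-level model of the contention window just shown, added here as an example (not code from the slides or from any 802.11 MAC). DIFS is the same for every station once the medium is free, so it is not modelled; what the model keeps is the random backoff, the freezing of the losers' timers, and the collision that results when two timers expire in the same slot. Station names, the contention window size and the random draws are constructed.

```python
# Added example, not code from the slides or from any 802.11 MAC: a slot-level
# model of the contention window. Every station waits DIFS once the medium is
# free (identical for all, so not modelled), then counts down a random backoff;
# the first to reach zero sends, the rest freeze their timers.
# Station names, CW and the random draws are constructed.
import random

CW = 7   # constructed contention window: backoff drawn from 0..CW slots


def dcf_round(timers: dict):
    """One contention window. `timers` maps station -> remaining backoff slots.
    All stations count down together; the smallest timer expires first and
    that station transmits. The others keep (timer - elapsed) for the next
    window instead of redrawing, so a station is not starved. Two equal
    smallest timers expire in the same slot and collide.
    Returns (winner or None, updated timers, stations whose timer expired)."""
    elapsed = min(timers.values())
    expired = sorted(s for s, t in timers.items() if t == elapsed)
    remaining = {s: t - elapsed for s, t in timers.items()}
    winner = expired[0] if len(expired) == 1 else None
    return winner, remaining, expired


def simulate(stations, frames_each, rng=random, cw=CW):
    """Run contention windows until every station has sent `frames_each`
    frames. Returns (transmit order, number of collisions)."""
    pending = {s: frames_each for s in stations}
    timers = {s: rng.randint(0, cw) for s in stations}
    order, collisions = [], 0
    while timers:
        winner, timers, expired = dcf_round(timers)
        if winner is None:
            collisions += 1                 # no ACK: the colliders redraw
            for s in expired:
                timers[s] = rng.randint(0, cw)
            continue
        order.append(winner)
        pending[winner] -= 1
        if pending[winner]:
            timers[winner] = rng.randint(0, cw)   # new backoff for the next frame
        else:
            del timers[winner]              # nothing left to send; leaves contention
    return order, collisions


if __name__ == "__main__":
    print(simulate(["A", "B", "C"], 2, random.Random(3)))
```

Feeding the model a fixed sequence of draws makes the fairness effect visible: a station whose timer was frozen at a small value wins the next window even if the previous winner draws a smaller new backoff.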
SIFS: Giving Priority to RTS/CTS/ACK
[Figure: Source, Destination and Others on a time axis. After the medium is busy: DIFS, then the source’s data frame; after SIFS the destination sends ACK. Others defer access, then DIFS and a new contention window]
SIFS: Transmitting Fragments
[Figure: Source, Destination and Others. The source sends Fragment 1; after SIFS the destination sends ACK; after SIFS the source sends Fragment 2; after SIFS the destination sends ACK. Others defer access until DIFS and the next contention window]
EIFS: Low Priority Retransmission
[Figure: Source, Destination and Others. After the medium is busy: DIFS, then the source’s data frame; no ACK arrives after SIFS. Others wait EIFS before the contention window; the source can resend after DIFS and contention]
CSMA/CA with RTS/CTS
[Figure: Source, Destination and Others. After the medium is busy and DIFS, the source sends RTS; after SIFS the destination sends CTS; after SIFS the source sends the data frame; after SIFS the destination sends ACK. Others set NAV (RTS) and NAV (CTS) and defer access; then DIFS and the contention window]
RTS/CTS is Optional
•System parameter RTSThread
–RTS/CTS is used only when the frame size exceeds RTSThread
Point Coordination Function
•An alternative access method
•Shall be implemented on top of the DCF
•A point coordinator (polling master) is used to determine which station currently has the right to transmit.
•Shall be built up from the DCF through the use of an access priority mechanism.
•Different access priorities for traffic can be defined through the use of different values of IFS.
Contention Free Period
[Figure: the Contention Free Period (CFP). Beacon (B); PIFS; D1+poll; SIFS; U1+ack; SIFS; D2+ack+poll; SIFS; U2+ack; SIFS; D3+ack+poll; PIFS; D4+poll; SIFS; U4+ack; SIFS; CF+End. Stations set their NAV for the CFP. SIFS < PIFS < DIFS]