Introduction to IEEE 802.11
Wireless LAN
Li-Hsing Yen
Chung Hua University
Fall 2006
Difference Between Wired and Wireless LANs
•The medium impacts the design
•Stations are mobile
•A different MAC is needed
Medium Impacts
•Shared medium
•Unprotected from outside signals
•Significantly less reliable than wired PHYs
•Dynamic topologies
Mobile vs. Wireless
•Mobile
–moved from location to location, but only used while at a fixed location
•Wireless
–accesses the LAN while in motion
•(The 802.11 standard itself calls these two cases portable and mobile stations, respectively, and requires a WLAN to handle both.)
IEEE 802 Committees
802.0 SEC
802.1 High Level Interface (HILI)
802.2 Logical Link Control (LLC)
802.3 CSMA/CD Working Group
802.4 Token Bus
802.5 Token Ring
802.6 Metropolitan Area Network (MAN)
802.7 Broadband Technical Adv. Group (BBTAG)
802.8 Fiber Optics Technical Adv. Group (FOTAG)
802.9 Integrated Services LAN (ISLAN)
802.10 Standard for Interoperable LAN Security (SILS)
802.11 Wireless LAN (WLAN)
–IEEE 802.11, 802.11a, 802.11b (Wi-Fi), 802.11g, 802.11e, 802.11f, 802.11h, 802.11i (Security, 2004)
802.12 Demand Priority
802.14 Cable-TV Based Broadband Communication Network
802.15 Wireless Personal Area Network (WPAN)
–IEEE 802.15.1 (Bluetooth), 802.15 TG2, 802.15 TG3, 802.15 TG4
802.16 Broadband Wireless Access (BBWA)
RPRSG Resilient Packet Ring Study Group
802.11 Specifications
•One MAC specification
–CSMA/CA
•Three physical-layer specifications
–Radio
•Frequency hopping spread spectrum (FHSS)
•Direct sequence spread spectrum (DSSS)
–Infrared
IEEE 802.11 Family
•IEEE 802.11b
–2.4 GHz / 11 Mbps (about 300 m range)
•IEEE 802.11a
–5 GHz / 54 Mbps
•IEEE 802.11g
–2.4 GHz / 54 Mbps
•Radio licenses are NOT required in the 2.4 GHz and 5 GHz bands
IEEE 802.11
Standard for WLAN operations at data rates up to 2 Mbps in the 2.4 GHz ISM band, using FHSS or DSSS modulation.
IEEE 802.11a
Standard for WLAN operations at data rates up to 54 Mbps in the 5 GHz band, using OFDM (Orthogonal Frequency Division Multiplexing). Proprietary "rate doubling" has achieved 108 Mbps. Realistic throughput is 20-26 Mbps.
IEEE 802.11b
Wi-Fi™ or "high-speed wireless": 1, 2, 5.5 and 11 Mbps in the 2.4 GHz band, using DSSS. All 802.11b systems are backward compatible with 802.11 DSSS. Realistic throughput is 2 to 4 Mbps.
IEEE 802.11g
54 Mbps using OFDM in the 2.4 GHz band; backward compatible with 802.11b.
Standard | Data rate | Band | Modulation scheme | Pros/Cons
802.11 | ≤2 Mbps | 2.4 GHz | FHSS or DSSS | This specification has been extended into 802.11b.
802.11a | ≤54 Mbps | 5 GHz | OFDM | "Wi-Fi Certified." 8 available channels. Less potential for RF interference than 802.11b and 802.11g. Better than 802.11b at supporting multimedia voice, video and large-image applications in densely populated user environments. Relatively shorter range than 802.11b. Not interoperable with 802.11b.
802.11b | ≤11 Mbps | 2.4 GHz | DSSS with CCK | "Wi-Fi Certified." 14 channels available. Not interoperable with 802.11a. Requires fewer access points than 802.11a for coverage of large areas. High-speed access to data at up to 300 feet from the base station.
802.11g | ≤54 Mbps | 2.4 GHz | OFDM above 20 Mbps, DSSS + CCK below 20 Mbps | "Wi-Fi Certified." 14 channels available. May replace 802.11b. Improved security enhancements over 802.11. Compatible with 802.11b.
Bluetooth | Up to 2 Mbps | 2.45 GHz | FHSS (adaptive) | No native support for IP, so it does not support TCP/IP and wireless LAN applications well. Best suited for connecting PDAs, cell phones and PCs in short intervals.
Spread spectrum modulation schemes each ease interference problems in their own way:
•DSSS: Direct Sequence Spread Spectrum
•OFDM: Orthogonal Frequency Division Multiplexing
•FHSS: Frequency Hopping Spread Spectrum
DSSS: Direct Sequence Spread Spectrum
•Each data bit is combined with a much higher-rate spreading code, so the narrowband signal is spread over a far wider bandwidth. The result is a string of chips.
•In 802.11 the spreading code is fixed by the standard (the 11-chip Barker sequence for 1 and 2 Mbps) and known to every station. It is a modulation technique, not a secret: it provides no confidentiality and does not separate one WLAN from another.
•DSSS has good interference rejection.
OFDM: Orthogonal Frequency Division Multiplexing
[Figure: a direct signal, a reflected copy of it, and a longer reflected copy arriving at the receiver; the delayed copies overlap the next symbol and cause interference.]
OFDM takes the opposite approach to DSSS. 10 (say) serial bits are converted into 10 parallel bits, each of which modulates its own radio carrier. Each carrier now carries a bit rate that is 1/10th the bit rate of the original, so each symbol lasts 10 times longer. A reflected signal path therefore needs to be 10 times longer to cause the same interference, and longer paths are more attenuated, so the strength of the interference is also less.
Wireless NICs
Access Point (AP)
•Usually connects wireless and wired networks
–if not wired, acts as an extension point (wireless bridge)
•Consists of a radio, a wired network interface (e.g., 802.3), and bridging software conforming to the IEEE 802.1D bridging standard
•Number of clients supported is device dependent
AP as a Wireless Bridge
[Figure: protocol stacks. Mobile terminal: Application / TCP / IP / LLC / 802.11 MAC / 802.11 PHY. Access point: LLC above an 802.11 MAC and PHY on the wireless side and an 802.3 MAC and PHY on the wired side; frames are bridged between the two MACs below LLC. Fixed terminal (server on the infrastructure network): Application / TCP / IP / LLC / 802.3 MAC / 802.3 PHY. Only the MAC and PHY layers differ between the two hops; LLC and everything above it pass through the AP unchanged, so any protection applied at the 802.11 MAC ends at the AP.]
Basic Service Set (BSS)
•A set of stations controlled by a single coordination function
[Figure: a BSS with an access point]
Independent Basic Service Set (IBSS)
•A BSS without an access point
•An ad hoc network
Extended Service Set (ESS)
•ESS: one or more BSSs interconnected by a Distribution System (DS)
•Traffic always flows via an Access Point
•Allows clients to seamlessly roam between APs
Distribution System (DS)
•A thin layer in each AP
–embodied as part of the bridge function
–keeps track of AP-MN associations
–delivers frames between APs
•Three types:
–Integrated: a single AP in a standalone network
–Wired: using cable to interconnect the Access Points
–Wireless: using wireless links to interconnect the Access Points
ESS: Single BSS (with integrated DS)
[Figure: one cell (BSS) served by a single Access Point, with a radius of roughly 91.44 to 152.4 meters (300 to 500 feet).]
ESS: BSSs with Wired Distribution System (DS)
[Figure: several BSSs, each with its own AP, joined by a wired Distribution System; adjacent cells overlap by 20-30%.]
ESS: BSSs with Wireless Distribution System (DS)
[Figure: several BSSs whose APs are interconnected over a wireless Distribution System.]
SSID (Service Set Identifier)
•Service set ID used in an ESS or IBSS
–An IBSS with no APs uses the Basic Service Set Identifier (BSSID)
•The BSSID field is a 48-bit field of the same format as an IEEE 802 MAC address
–In an infrastructure wireless network that includes an AP, the Extended Service Set Identifier (ESSID) is used
•The ESSID is the identifying name of an 802.11 wireless network
ESSID in an ESS
•The ESSID differentiates one WLAN from another
•A client must be configured with the right ESSID to be able to associate with a specific AP
•The ESSID is not designed to be part of a security mechanism, and it is unfit to be one
•APs broadcast the SSID(s) they support
•Client probe requests and association requests contain the ESSID
•It is transmitted in the clear, so suppressing it from beacons only hides it from casual users: anyone sniffing the channel recovers it from the next probe or association exchange
Connecting to the Network
Exchange between Client and Access Point:
1. Probing: Client -> Probe Request -> AP; AP -> Probe Response -> Client
2. 802.11 Authentication: Client -> Authentication Request -> AP; AP -> Authentication Response -> Client
3. Association: Client -> Association Request -> AP; AP -> Association Response -> Client
Probing Phase
•Find an available AP
•APs may operate on different channels (e.g., 11 channels in the 2.4 GHz band for 802.11b/g in the US)
•Should scan a channel for at least MinChannelTime
•If activity is detected on the channel within that time, keep listening for up to MaxChannelTime to collect all responses
Active Scanning
[Figure: MN sends a probe request carrying the SSID; the AP answers with a probe response if the SSID matches (or if the request carries the broadcast SSID).]
Passive Scanning
[Figure: MN only listens; the AP periodically sends a beacon carrying its SSID.]
Full Scanning
[Figure: MN scans channel 1 for MinChannelTime, scans channel 2 for MaxChannelTime because a beacon or probe response was heard there, then channel 3, ..., channel 11, hearing AP 1, AP 2 and AP 3 along the way.]
Association & Re-association
•Association: the mapping between some AP's port and an MN
•An association must exist before network services can be used
•Wireless LAN association replaces the physical link in a wired LAN
•An MN may later re-associate to another AP with higher signal quality
Authentication and Association
•State 1, unauthenticated and unassociated: the node is disconnected from the network and not associated to an access point.
–authentication moves the node to state 2
•State 2, authenticated and unassociated: the node has been authenticated on the network but has not yet associated with the access point.
–association moves the node to state 3
•State 3, authenticated and associated: the node is connected to the network and able to transmit and receive data through the access point.
802.11 Authentication Methods
•Open authentication (standard)
•Shared key authentication (standard)
•MAC address authentication (commonly used, not in the standard)
Open Authentication
•The authentication request carries a NULL authentication algorithm; it must still carry the AP's SSID.
•The access point grants any request for authentication
[Figure: Client -> Authentication Request -> Access Point; Access Point -> Authentication Response -> Client]
Shared Key Authentication
•Requires that the client be configured with the static WEP key
[Figure: Client -> Authentication Request -> AP; AP -> Authentication Response (challenge) -> Client; Client -> Authentication Request (challenge encrypted under WEP) -> AP; AP -> Authentication Response (Success/Failure) -> Client]
•Both the challenge and its WEP encryption cross the air in the clear, so an eavesdropper obtains the RC4 key stream for that IV by XORing them, and can reuse it to answer a later challenge without ever knowing the key
MAC Address Authentication
•Not specified in the 802.11 standard, but supported by many vendors (e.g. Cisco)
•Can be added to open and shared key authentication
[Figure: Client -> Auth. Request -> Access Point; Access Point -> Access-Request (MAC address sent in the RADIUS request) -> RADIUS Server; RADIUS Server -> Access-Accept/Access-Reject -> Access Point; Access Point -> Auth. Response (Success/Reject) -> Client]
•The MAC address appears unencrypted in every frame and can be reprogrammed on the client, so this only keeps out devices that are not trying to get in
WEP Encapsulation
1. P = M || checksum(M)        {M = message; checksum = CRC-32 Integrity Check Value (ICV)}
2. KeyStream = RC4(IV || k)    {IV = initialization vector; k = shared key; IV || k is the seed of the RC4 PRNG}
3. C = XOR(P, KeyStream)       {P = plaintext; C = ciphertext}
4. Transmit (IV, C)
[Figure: the IV and the WEP key form the seed of the RC4 PRNG, which produces the key stream; the message and its CRC-32 ICV form the plaintext P; P XOR key stream gives the ciphertext C.]
WEP Decapsulation
1. KeyStream = RC4(IV || k)    {IV taken from the received frame; k = shared key}
2. P' = XOR(C, KeyStream) = M' || ICV'
3. If CRC-32(M') = ICV' then P' is accepted and M' is delivered
[Figure: the received IV and the WEP key seed the RC4 PRNG; ciphertext XOR key stream gives P'; the receiver recomputes CRC-32 over M' and compares it with the received ICV'.]
802.11 WEP Frame
The IV field sent with the ciphertext is 4 octets and contains two subfields: the 24-bit IV and the KeyID.
Unencrypted: 802.11 header | IV | KeyID
Encrypted: Payload | ICV
Trailer: FCS
The ICV is a CRC-32 checksum over the plaintext payload (the LLC header and the data). The 802.11 MAC header, including the source and destination addresses, is neither encrypted nor integrity protected.
WEP Key Management
•What is "KeyID"?
–Each entity in the wireless LAN (AP, clients) is configured with four static WEP keys
•KeyIDs 0, 1, 2, 3
–The keys are shared by an AP and all the wireless stations accessing it
–The ID of the key used for encryption/decryption appears in the packet's WEP header
RC4 Key
•Standard: IV (3 octets) || secret key (5 octets): 24 + 40 = 64-bit RC4 key
•Vendors: IV (3 octets) || secret key (13 octets): 24 + 104 = 128-bit RC4 key
•We'll see that key size doesn't prevent the attacks
Details - Checksum
•CRC-32 is designed to detect random bit errors, not deliberate modification
•If the CRC is correct, WEP assumes
–the packet has not been modified
–the packet is from an authorized user
•Linear property:
CRC(XOR(A, B)) = XOR(CRC(A), CRC(B))
–for the standard CRC-32, with its non-zero initial value and final XOR, this holds up to a constant that depends only on the length: CRC(A XOR B) = CRC(A) XOR CRC(B) XOR CRC(0...0), and an attacker who knows the length can correct for it
–so an attacker can flip chosen bits of the encrypted payload and fix up the encrypted ICV without knowing the key
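The following is an added example, not code from the lecture: a from-scratch RC4 plus the WEP encapsulation and decapsulation steps from the slides above, with zlib's CRC-32 as the ICV, and two consequences of the design that the slides describe in words. flip_bits changes a known plaintext without the key by exploiting the linearity of the ICV (corrected for the affine constant of the standard CRC-32), and keystream_from_shared_key_auth / forge_auth_response show why using the same key for shared key authentication and encryption lets an eavesdropper pass authentication. The key, IVs and messages are constructed test values.

```python
"""WEP encapsulation/decapsulation and two of its failure modes.
Added example, not code from the lecture; key, IVs and messages below are
constructed test values."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key stream (KSA + PRGA). WEP uses the output from byte 0, without
    the commonly recommended drop of the first 256 bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 over the plaintext message, 4 octets."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(key: bytes, iv: bytes, message: bytes, key_id: int = 0) -> bytes:
    """Steps 1-4 of the slide: P = M || ICV(M); KeyStream = RC4(IV || k);
    C = P xor KeyStream; send IV, the KeyID octet and C. Returns the frame
    body that follows the (unprotected) 802.11 header."""
    assert len(iv) == 3 and len(key) in (5, 13) and 0 <= key_id <= 3
    plaintext = message + icv(message)
    return iv + bytes([key_id]) + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decapsulate(key: bytes, body: bytes):
    """Receiver side: regenerate the key stream from the received IV, XOR, and
    accept M' only if CRC-32(M') equals the received ICV'. Returns None on
    failure."""
    iv, ciphertext = body[:3], body[4:]
    p = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    message, received_icv = p[:-4], p[-4:]
    return message if icv(message) == received_icv else None


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """Change the plaintext by `delta` (same length as the message) without the
    key. CRC-32 is affine: crc(a ^ b) = crc(a) ^ crc(b) ^ crc(0...0), so the
    encrypted ICV is fixed up by XORing in crc(delta) ^ crc(zeros)."""
    assert len(delta) == len(body) - 8
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return body[:4] + xor(body[4:], delta + icv_delta)


def keystream_from_shared_key_auth(challenge: bytes, response_body: bytes):
    """Shared key authentication sends the challenge in the clear and then its
    WEP encryption. XORing the two yields (IV, key stream) for that IV."""
    return response_body[:3], xor(response_body[4:], challenge + icv(challenge))


def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a later challenge with the recovered key stream: the AP only
    checks that the frame decrypts under IV || k to the challenge it sent,
    and nothing stops the client from reusing an old IV."""
    plaintext = new_challenge + icv(new_challenge)
    return iv + b"\x00" + xor(plaintext, keystream[:len(plaintext)])
```

Both attacks work on any key length, which is the point of the "key size doesn't prevent the attacks" remark: neither touches the key, only the per-IV key stream and the linear ICV.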
RC4
•Developed by Rivest in 1987
•Kept as a trade secret (but leaked in 1994)
•Key can be between 1 and 256 bytes
•Used as a simple and fast generator of pseudorandom sequences of bytes (to be used as a "one-time pad")
•The first 256 bytes of the generated pad should be discarded (WEP does not do this)
•Passes all usual randomness tests
802.11 Vulnerabilities
•RC4 stream cipher not suited to data with lots of packet loss
–loss of data requires re-synchronization, so a new key stream (new IV) is needed for every packet
•Poor key management
–WEP uses the same key for authentication and encryption
–provides no mechanism for session key refreshing
•One-way authentication:
–has no provision for MNs to authenticate the AP or verify its integrity
Weaknesses of WEP:
Overall Key Space is Too Small
•Changing the IV per packet is OPTIONAL in the standard
–if the IV is not changed, every packet is encrypted with the same key stream and repeated patterns appear immediately
–even if the "IV || key" for RC4 is changed for every 802.11 packet, the 24-bit IV gives only 2^24 distinct key streams: at 11 Mbps with 1,500-byte packets the whole IV space is exhausted in about 5 hours, after which key streams repeat
802.1X
•Based on EAP (Extensible Authentication Protocol, RFC 2284, since superseded by RFC 3748)
–still one-way authentication in itself: the client is authenticated, the network is not unless the EAP method in use does so
–initially, the MN is on an unauthorized port
–an "authentication server" exists
–after authorization, the MN is moved to an authorized port
–802.1X ties this to the physical medium, be it Ethernet, Token Ring or wireless LAN
Three Main Components
–supplicant: usually the client software
–authenticator: usually the access point
–authentication server: usually a Remote Authentication Dial-In User Service (RADIUS) server
802.1X - How it works
[Figure: message sequence between Client, AP and Auth Server ("RADIUS").]
1. Client -> AP: Let me in! (EAP Start)
2. AP -> Client: What's your ID? (EAP-Request/Identity message)
3. Client -> AP: ID = xxx@yyy.local (EAP Response); AP -> Auth Server: Is xxx@yyy.local OK?
4. Auth Server -> Client (via AP): Prove to me that you are xxx@yyy.local (EAP challenge/authentication)
5. Client -> Auth Server (via AP): The answer is "47"
6. Auth Server -> AP: Let him in. Here is the session key.
7. AP -> Client: Come in. Here is the session key.
8. Client <-> network: encrypted session, e.g. http://yyy.local\index.htm
Step 1
•Initially, the MN is on an unauthorized port
–only 802.1X traffic from the MN is forwarded
–traffic such as Dynamic Host Configuration Protocol (DHCP), HTTP, FTP, SMTP and Post Office Protocol 3 (POP3) is blocked
•The client then sends an EAPOL-Start message
Step 2
•The AP replies with an EAP-Request/Identity message to obtain the client's identity
–the client's EAP-Response packet containing the client's identity is forwarded to the authentication server
•The authentication server is configured to authenticate clients with a specific authentication algorithm (EAP method)
–the result is an accept or reject packet from the authentication server to the access point
Steps 3 and 4
•Upon receiving the accept packet, the AP transitions the client's port to the authorized state
–then all traffic is forwarded
•Notes:
–802.1X for wireless LANs makes NO mention of key distribution or management
•this is left to vendor implementation
–at logoff, the client sends an EAPOL-Logoff message to force the AP to transition the client port back to the unauthorized state
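The four steps above as a small port state machine, added here as an example and not taken from the slides or from any vendor's implementation. The AP (authenticator) keeps one controlled port per client MAC address: while the port is unauthorized only EAPOL frames are processed, every other frame is dropped; an Accept from the authentication server authorizes the port; EAPOL-Logoff returns it to unauthorized. The frame representation (dicts with "src", "type" and "eap"), the EAP message names and the password-style check in the stand-in authentication server are constructed for this example.

```python
"""802.1X port-based access control on an AP, per Steps 1-4 above.
Added example, not from the slides or any vendor implementation. Frames are
plain dicts and the authentication server is a stand-in for RADIUS."""
from dataclasses import dataclass, field

EAPOL = "EAPOL"  # 802.1X frames; any other "type" is ordinary data traffic


@dataclass
class AuthServer:
    """Stand-in for the RADIUS server: identity -> expected proof (constructed)."""
    users: dict

    def check(self, identity: str, proof: str) -> bool:
        return self.users.get(identity) == proof


@dataclass
class Authenticator:
    """The AP. Port state is tracked per client MAC address."""
    server: AuthServer
    authorized: set = field(default_factory=set)   # MACs on an authorized port
    pending: dict = field(default_factory=dict)    # MAC -> identity awaiting proof

    def handle(self, frame: dict) -> str:
        """Returns 'forwarded'/'dropped' for data, or the EAP message sent back."""
        src = frame["src"]
        if frame["type"] != EAPOL:
            # Step 1: DHCP, HTTP, ... pass only once the port is authorized.
            return "forwarded" if src in self.authorized else "dropped"
        eap = frame["eap"]
        code = eap["code"]
        if code == "Start":
            # Step 2: ask the supplicant who it is.
            return "Request/Identity"
        if code == "Response/Identity":
            # Relayed to the server, which answers with a method-specific challenge.
            self.pending[src] = eap["identity"]
            return "Request/Challenge"
        if code == "Response/Challenge":
            identity = self.pending.pop(src, None)
            if identity is not None and self.server.check(identity, eap["proof"]):
                # Step 3: Accept from the server -> port authorized.
                self.authorized.add(src)
                return "Success"
            return "Failure"
        if code == "Logoff":
            # Step 4: EAPOL-Logoff -> port back to unauthorized.
            self.authorized.discard(src)
            return "Unauthorized"
        return "dropped"


def run_session(ap: Authenticator, mac: str, identity: str, proof: str) -> str:
    """Drives the slide's exchange for one client and returns the EAP outcome."""
    def eapol(**eap):
        return {"src": mac, "type": EAPOL, "eap": eap}
    ap.handle(eapol(code="Start"))
    ap.handle(eapol(code="Response/Identity", identity=identity))
    return ap.handle(eapol(code="Response/Challenge", proof=proof))


def data_frame(mac: str, protocol: str) -> dict:
    return {"src": mac, "type": protocol}
```

Note what the authorized state is keyed on: the client's MAC address, which every frame carries in the clear. With no per-session key binding later frames to the station that authenticated, a station that spoofs an authorized MAC inherits its port state. That is why the slide's point that 802.1X itself says nothing about key distribution matters in practice.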
802.11 Key Management
•Key management extensions:
–BKR (broadcast key rotation)
•the AP periodically broadcasts a new WEP shared key
•the initial WEP key is only used for registration the first time, so it is used less frequently
–TKIP (Temporal Key Integrity Protocol)
•mixes the temporal key with the per-packet IV before using it to encrypt a packet, so each packet is encrypted under a different RC4 key
MAC Management Layer
• Synchronization
–Time Synchronization Function (TSF)
• Power Management
–Sleeping without missing any messages
–Power management functions
•Periodic sleeping, frame buffering, traffic
indication map
• Association and reassociation
–Joining a network
–Roaming, moving from one AP to another
Synchronization in 802.11
•All stations maintain a local timer
•Time Synchronization Function
–Keeps timers from all stations in sync
•Timing conveyed by periodic Beacon
transmissions
–Beacon contains Timestamp for the entire
BSS
–Timestamp from Beacons used to calibrate
local clocks
802.11 Time Synchronization Function (TSF)
•The interval at which beacons are generated is called the Beacon Period
•The points in time at which a beacon may be transmitted are called Target Beacon Transmission Times (TBTTs)
–consecutive TBTTs are one Beacon Period apart
•Beacon transmission may be delayed by CSMA deferral
•The timestamp contains the timer value at transmit time
TSF in Ad Hoc Mode: Which One Generates the Beacon?
•When a TBTT arrives, a node does not send its beacon immediately but waits t slots, where t is chosen by each node independently and uniformly at random from the integers in [0, w]; w is a fixed system parameter called the Beacon Contention Window Size.
•While waiting, the node listens to the medium. If it hears no beacon from another node during the t slots, it sends its own beacon once they have elapsed.
•If it hears another node's beacon during the t slots, it cancels its own transmission and receives that beacon instead.
•Every node that receives a beacon examines the timestamp in it. If the timestamp is later than the node's own clock, the node sets its clock to the timestamp.
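A slot-level simulation of the ad hoc beacon procedure just described, added as an example and not part of the lecture. Clocks are modelled as TSF timer offsets (all nodes tick at the same rate, so only the offsets matter); each TBTT every node draws t from 0..w, the smallest t sends, equal minima are treated as a collision in which no beacon gets through, and receivers adopt a timestamp only if it is later than their own clock. The clock values, w and the seed are constructed inputs.

```python
"""IBSS beacon contention and TSF clock adoption, per the slide above.
Added example, not from the lecture; inputs below are constructed."""
import random


def receive_beacon(clocks, stamp, sender=None):
    """Every node other than the sender adopts the timestamp if it is later
    than its own clock; an older timestamp is ignored (clocks never go back)."""
    return [stamp if (i != sender and c < stamp) else c for i, c in enumerate(clocks)]


def resolve_contention(clocks, slots):
    """Given each node's drawn slot count t, the node with the smallest t sends
    its beacon (timestamp = its own clock) and the others cancel. Equal minima
    model two beacons colliding: nothing is received and nobody adjusts.
    Returns (new_clocks, sender_index or None)."""
    first = min(slots)
    winners = [i for i, t in enumerate(slots) if t == first]
    if len(winners) != 1:
        return list(clocks), None
    sender = winners[0]
    return receive_beacon(clocks, clocks[sender], sender), sender


def beacon_round(clocks, w, rng):
    """One TBTT: each node draws t uniformly from [0, w], then contends."""
    return resolve_contention(clocks, [rng.randint(0, w) for _ in clocks])


def synchronize(clocks, w, rounds, seed=1):
    """Run up to `rounds` beacon periods. Returns (clocks, round in which all
    clocks first agreed, or None if they never did)."""
    rng = random.Random(seed)
    current = list(clocks)
    for n in range(1, rounds + 1):
        current, _ = beacon_round(current, w, rng)
        if len(set(current)) == 1:
            return current, n
    return current, None
```

Two properties fall out of the rule "adopt only if later": the whole IBSS converges to the fastest clock, and, since beacons carry no authentication, a single injected beacon with a far-future timestamp is adopted by every node and can never be undone by the legitimate ones.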
Power Management
•Power management is important to mobile devices that are battery powered
•Current LAN protocols assume stations are always ready to receive
–the idle receive state dominates LAN adaptor power consumption over time
•802.11 Power Management Protocol
–allows the transceiver to be off as much as possible
–is transparent to existing protocols
Power Management in Infrastructure Mode
•Allows idle stations to go to sleep
–a station's power save mode is recorded in the AP
•APs buffer packets for sleeping stations
–the AP announces which stations have frames buffered
–a Traffic Indication Map (TIM) is sent with every Beacon
Power Management in Infrastructure Mode (cont.)
•Power saving stations wake up periodically
–to listen for Beacons
•If the TIM shows it has packets buffered, the station sends a power-save poll (PS-Poll) frame to the AP
•The AP then sends the buffered frame to the station
•The station can sleep again
Power Management in Ad Hoc Mode
•Similar to infrastructure mode
•However, buffering is done by the sending station (as there is no AP here)
•A sleeping station also wakes up periodically to listen for the Beacon and for ATIMs (announcement traffic indication messages)
–if it has data buffered for it, it sends an ACK and stays awake
–the sending station then sends the data to the formerly sleeping station
Distributed Coordination
Function: CSMA/CA
•CSMA: Carrier Sense Multiple Access
–physical carrier sense: physical layer
–virtual carrier sense: MAC layer
•network allocation vector (NAV)
•CA: Collision Avoidance
–random backoff procedure
•shall be implemented in all stations and
APs
Carrier Sense: Medium Idle
[Figure: B wants to send to C at this time. B performs carrier sense, finds the medium idle, and starts sending its data frame.]
Carrier Sense: Medium Busy
[Figure: A is sending a data frame. B wants to send to C at this time, senses A's carrier and defers; B starts sending only after the medium is free.]
Hidden Terminal Problem
[Figure: B is sending data to A. C lies outside B's signal range, so B is a hidden terminal to C and vice versa. C wants to send to A at this time, senses no carrier and starts sending; the two frames collide at A.]
ACK: Collision Detection
[Figure: B sends Data 1 to A and receives ACK 1, so Data 1 is OK. B then sends Data 2 while C sends Data 7; they collide at A, so there is no ACK 7 and no ACK 2, and both B and C must retransmit. A wireless station cannot detect a collision while it is transmitting; the missing ACK is its only indication.]
RTS/CTS: Virtual Carrier
[Figure: C wants to send to A, so it sends RTS(k). A replies CTS(d). B hears the CTS and knows A is to receive C's data during d, so B won't send A any data within d. C hears the CTS, knows A is ready to receive, sends its Data, and A answers with an ACK.]
Problem With Persistent CSMA
[Figure: A is transmitting (medium busy). B and C both want to send to A at this time; each senses A's signal and waits. Both start sending as soon as they sense the carrier is gone, so their frames collide.]
Collision Avoidance: Random Backoff
[Figure: when B senses the carrier it starts a timer, and so does C when it senses the carrier. Each timer value is chosen at random, so the one that expires first sends while the other, hearing the new carrier, defers.]
Contention Window
[Figure: after the medium becomes free, all stations must wait DIFS, then each waits its own random backoff (random 1, random 2, random 3) inside the contention window. The station with the smallest backoff is the winner and sends its data frame.]
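The random backoff and contention window behaviour of the last three slides, as an added slotted simulation that is not part of the lecture. Every station has a frame queued when the medium becomes free; after DIFS each draws a backoff in [0, CW] slots and counts down while the medium is idle, freezing its counter while another station transmits. The first to reach zero transmits; two reaching zero in the same slot is a collision, which (detected only through the missing ACK) doubles CW up to CW_MAX, while a success resets CW to CW_MIN. Time is counted in slots rather than microseconds, and CW_MIN/CW_MAX are the 802.11b DSSS values; the station names and frame counts are constructed.

```python
"""CSMA/CA random backoff with a binary exponential contention window.
Added example, not from the lecture. Time is in slots; CW_MIN and CW_MAX are
the 802.11b DSSS values."""
import random

CW_MIN, CW_MAX = 31, 1023


class Station:
    def __init__(self, name, frames):
        self.name = name
        self.frames = frames      # frames still to send
        self.cw = CW_MIN          # current contention window
        self.backoff = None       # idle slots left before this station may send

    def draw_backoff(self, rng):
        # The random draw is exactly what persistent CSMA lacks.
        self.backoff = rng.randint(0, self.cw)

    def after_collision(self):
        # No ACK came back: double the window, 31 -> 63 -> 127 ... -> 1023.
        self.cw = min(2 * self.cw + 1, CW_MAX)

    def after_success(self):
        self.cw = CW_MIN
        self.frames -= 1


def dcf_simulate(stations, seed=1):
    """Runs until every station has sent all its frames.
    Returns (transmission order, number of collisions, idle slots spent)."""
    rng = random.Random(seed)
    order, collisions, idle_slots = [], 0, 0
    for s in stations:
        s.draw_backoff(rng)
    active = [s for s in stations if s.frames > 0]
    while active:
        # All active stations have waited DIFS; the medium is idle until the
        # smallest remaining backoff expires. Everyone else freezes there.
        step = min(s.backoff for s in active)
        idle_slots += step
        for s in active:
            s.backoff -= step
        ready = [s for s in active if s.backoff == 0]
        if len(ready) == 1:
            ready[0].after_success()          # ACK received
            order.append(ready[0].name)
        else:
            collisions += 1                   # two or more sent in the same slot
            for s in ready:
                s.after_collision()
        for s in ready:                       # only senders redraw a backoff
            s.draw_backoff(rng)
        active = [s for s in stations if s.frames > 0]
    return order, collisions, idle_slots
```

Stations that lost the contention keep their remaining backoff rather than redrawing, which is what gives a station that has already waited a better chance next time and keeps the scheme fair.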
SIFS: Giving Priority to RTS/CTS/ACK
[Figure: the source waits DIFS after the medium becomes free and sends its data frame; the destination answers with the ACK after only SIFS. All other stations defer access and may contend only after a further DIFS plus contention window, so the ACK always wins the medium.]
SIFS: Transmitting Fragments
[Figure: the source waits DIFS and sends Fragment 1; the destination sends an ACK after SIFS; the source sends Fragment 2 after SIFS; the destination sends an ACK after SIFS. Others defer access; the contention window opens only after the last ACK.]
EIFS: Low Priority Retransmission
[Figure: the source sends its data frame but no ACK comes back. It must wait the longer EIFS instead of DIFS before it can contend to resend, while the other stations defer and then contend after DIFS, so the retransmission gets lower priority.]
CSMA/CA with RTS/CTS
[Figure: the source waits DIFS and sends RTS; the destination sends CTS after SIFS; the source sends the data frame after SIFS; the destination sends the ACK after SIFS. Other stations set their NAV from the RTS and again from the CTS, and contend only after the NAV expires plus DIFS and a contention window.]
RTS/CTS is Optional
•System parameter RTSThreshold
–RTS/CTS is used only when the frame size exceeds RTSThreshold
Point Coordination Function
•An alternative access method
•Shall be implemented on top of the DCF
•A point coordinator (polling master) is used to determine which station currently has the right to transmit
•Shall be built up from the DCF through the use of an access priority mechanism
•Different access priorities for traffic can be defined through the use of different values of IFS
Contention Free Period
[Figure: the Contention Free Period (CFP) starts with a Beacon (B) sent by the point coordinator after PIFS. The coordinator then sends D1+poll; the polled station answers U1+ack after SIFS; the coordinator sends D2+ack+poll; the station answers U2+ack; the coordinator sends D3+ack+poll, receives no answer, and after PIFS sends D4+poll; the station answers U4+ack; the coordinator ends the period with CF-End. Consecutive frames are separated by SIFS except where the coordinator regains the medium after PIFS. Other stations set their NAV for the whole CFP. SIFS < PIFS < DIFS.]
Summary
•IEEE 802.11 Wireless LAN Architecture
•IEEE 802.11 Physical Layer
–DSSS
•IEEE 802.11 Security
–Authentication and encryption: WEP, 802.1X
•IEEE 802.11 MAC
–CSMA/CA
–PCF