Mobile Networks
Module B
WLAN – Engineering Aspects
Prof. JP Hubaux
http://mobnet.epfl.ch

Reminder on frequencies and wavelengths

  Media: twisted pair, coax cable, optical transmission

  Wavelength   Frequency
  1 Mm         300 Hz
  10 km        30 kHz
  100 m        3 MHz
  1 m          300 MHz
  10 mm        30 GHz
  100 µm       3 THz
  1 µm         300 THz

  Bands, in order of increasing frequency: VLF, LF, MF, HF, VHF, UHF, SHF, EHF, infrared, visible light, UV

  VLF = Very Low Frequency
  LF = Low Frequency
  MF = Medium Frequency
  HF = High Frequency
  VHF = Very High Frequency
  UHF = Ultra High Frequency
  SHF = Super High Frequency
  EHF = Extra High Frequency
  UV = Ultraviolet Light

  Frequency and wavelength: λ = c/f
  wavelength λ, speed of light c ≈ 3×10^8 m/s, frequency f

Frequencies for mobile communication

  VHF-/UHF-ranges for mobile radio
    simple, small antenna for handset
    deterministic propagation characteristics, reliable connections
  SHF and higher for directed radio links, satellite communication
    small antenna
    large bandwidth available
  Wireless LANs use frequencies in UHF to SHF spectrum
    some systems planned up to EHF
    limitations due to absorption by water and oxygen molecules (resonance frequencies)
    weather-dependent fading, signal loss caused by heavy rainfall etc.

Frequency allocation

  Europe
    Mobile phones: Dig. Dividend 800 MHz; GSM 890-915 MHz, 935-960 MHz; 1710-1785 MHz, 1805-1880 MHz; UMTS 1920-1980 MHz, 2110-2170 MHz; LTE 2600 MHz
    Cordless telephones: CT1+ 885-887 MHz, 930-932 MHz; CT2 864-868 MHz; DECT 1880-1900 MHz
    Wireless LANs: IEEE 802.11 2400-2483 MHz, 5725–5875 MHz
  USA
    Mobile phones: AMPS, TDMA, CDMA 824-849 MHz, 869-894 MHz; TDMA, CDMA, GSM 1850-1910 MHz, 1930-1990 MHz; UMTS 1850-1910 MHz, 1930-1990 MHz
    Cordless telephones: PACS 1850-1910 MHz, 1930-1990 MHz; PACS-UB 1910-1930 MHz
    Wireless LANs: IEEE 802.11 2400-2483 MHz, 5725–5875 MHz
  Japan
    Mobile phones: PDC 810-826 MHz, 940-956 MHz; 1429-1465 MHz, 1477-1513 MHz; UMTS 1749.9-1784.9, 1844.9-1879.9
    Cordless telephones: PHS 1895-1918 MHz; JCT 254-380 MHz
    Wireless LANs: IEEE 802.11 2471-2497 MHz, 5725–5875 MHz

  Note: in the coming years, frequencies will become technology-neutral

Characteristics of Wireless LANs

  Advantages
    flexibility
    (almost) no wiring difficulties (e.g., historic buildings)
    more robust against disasters like, e.g., earthquakes, fire - or users pulling a plug...
  Disadvantages
    lower bitrate compared to wired networks
    more difficult to secure

Scope of Various WLAN and WPAN Standards

  [Figure: power consumption and complexity plotted against data rate. WLAN: 802.11, 802.11b, 802.11g, 802.11a, 802.11n. WPAN: 802.15.1 Bluetooth, 802.15.4.]
  WPAN: Wireless Personal Area Network

Design goals for wireless LANs

  low power
  no special permissions or licenses needed to use the LAN
  robust transmission technology
  easy to use for everyone, simple management
  protection of investment in wired networks (internetworking)
  security, privacy, safety (low radiation)
  transparency concerning applications and higher layer protocols
  location awareness if necessary

Comparison: infrared vs. radio transmission

  Infrared
    uses IR diodes
    Advantages
      simple, cheap, available in many mobile devices
      no licenses needed
      simple shielding possible
    Disadvantages
      interference by sunlight, heat sources etc.
      many materials shield or absorb IR light
      low bandwidth
    Example
      IrDA (Infrared Data Association) interface used to be available on many devices
  Radio
    typically using the license free ISM band at 2.4 GHz and 5 GHz
    Advantages
      coverage of larger areas possible (radio can penetrate walls, furniture etc.)
    Disadvantages
      very limited license free frequency bands
      shielding more difficult, interference with other electrical devices
      more difficult to secure
    Examples
      IEEE 802.11, Bluetooth

Infrastructure vs. ad hoc networks

  [Figure: infrastructure network with three APs attached to a wired network, and an ad hoc network.]
  AP: Access Point

IEEE 802.11 - Architecture of an infrastructure network

  Station (STA)
    terminal with access mechanisms to the wireless medium and radio contact to the access point
  Basic Service Set (BSS)
    group of stations using the same radio frequency
  Access Point
    station integrated into the wireless LAN and the distribution system
  Portal
    bridge to other (wired) networks
  Distribution System
    interconnection network to form one logical network (ESS: Extended Service Set) based on several BSS

  [Figure labels: 802.11 LAN, STA1, BSS1, Access Point, Distribution System, Portal, 802.x LAN, ESS, Access Point, BSS2, STA2, STA3, 802.11 LAN.]

802.11 - Architecture of an ad-hoc network

  Direct communication within a limited range
    Station (STA): terminal with access mechanisms to the wireless medium
    Basic Service Set (BSS): group of stations using the same radio frequency

  [Figure labels: 802.11 LAN, BSS1, STA1, STA2, STA3; 802.11 LAN, BSS2, STA4, STA5.]

Interconnection of IEEE 802.11 with Ethernet

  [Figure labels: mobile station, access point, infrastructure network, fixed terminal, server.]

  mobile station    access point              fixed terminal
  application                                 application
  TCP                                         TCP
  IP                                          IP
  802.11 MAC        802.11 MAC | 802.3 MAC    802.3 MAC
  802.11 PHY        802.11 PHY | 802.3 PHY    802.3 PHY

802.11 - Layers and functions

  MAC
    access mechanisms, fragmentation, encryption
  MAC Management
    synchronization, roaming, MIB, power management
  PLCP (Physical Layer Convergence Protocol)
    clear channel assessment signal (carrier sense)
  PMD (Physical Medium Dependent)
    modulation, coding
  PHY Management
    channel selection, MIB
  Station Management
    coordination of all management functions

  [Figure labels: IP, MAC, MAC Management, PHY, PLCP, PMD, PHY Management, Station Management.]

802.11b - Physical layer

  3 versions: 2 radio: DSSS and FHSS (both typically at 2.4 GHz), 1 IR
    data rates 1, 2, 5 or 11 Mbit/s
  DSSS (Direct Sequence Spread Spectrum)
    DBPSK modulation (Differential Binary Phase Shift Keying) or DQPSK (Differential Quadrature PSK)
    chipping sequence: +1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1 (Barker code)
    max. radiated power 1 W (USA), 100 mW (EU), min. 1 mW
  FHSS (Frequency Hopping Spread Spectrum)
    spreading, despreading, signal strength
    min. 2.5 frequency hops/s, two-level GFSK modulation (Gaussian Frequency Shift Keying)
  Infrared (rarely used in practice)
    850-950 nm, diffuse light, around 10 m range
    carrier detection, energy detection, synchronization

802.11 - MAC layer principles (1/2)

  Traffic services
    Asynchronous Data Service (mandatory)
      exchange of data packets based on “best-effort”
      support of broadcast and multicast
    Time-Bounded Service (optional)
      implemented using PCF (Point Coordination Function)
  Access methods (called DFWMAC: Distributed Foundation Wireless MAC)
    DCF CSMA/CA (mandatory)
      collision avoidance via randomized “back-off” mechanism
      minimum distance between consecutive packets
      ACK packet for acknowledgements (not for broadcasts)
    DCF with RTS/CTS (optional)
      avoids hidden terminal problem
    PCF (optional and rarely used in practice)
      access point polls terminals according to a list

  DCF: Distributed Coordination Function
  PCF: Point Coordination Function

802.11 - MAC layer principles (2/2)

  Priorities
    defined through different inter frame spaces
    no guaranteed, hard priorities
    SIFS (Short Inter Frame Spacing)
      highest priority, for ACK, CTS, polling response
    PIFS (PCF IFS)
      medium priority, for time-bounded service using PCF
    DIFS (DCF, Distributed Coordination Function IFS)
      lowest priority, for asynchronous data service
  [Figure: timeline. Medium busy, then SIFS, PIFS and DIFS measured from the end of the busy period, followed by contention and the next frame; direct access if medium is free ≥ DIFS; t in time slots.]
  Note: IFS durations are specific to each PHY

802.11 - CSMA/CA principles

  [Figure: timeline. Medium busy, DIFS, contention window (randomized back-off mechanism), next frame; direct access if medium has been free for at least DIFS; t in time slots.]

  station ready to send starts sensing the medium (Carrier Sense based on CCA, Clear Channel Assessment)
  if the medium is free for the duration of an Inter-Frame Space (IFS), the station can start sending (IFS depends on service type)
  if the medium is busy, the station has to wait for a free IFS, then the station must additionally wait a random back-off time (collision avoidance, multiple of slot-time)
  if another station occupies the medium during the back-off time of the station, the back-off timer stops (to increase fairness)

802.11 – CSMA/CA broadcast

  [Figure: timelines for station1 to station5 showing DIFS periods, busy periods, elapsed back-off (boe) and residual back-off (bor); two collisions marked "(detection by upper layer)".]
  Here St4 and St5 happen to have the same back-off time

  Legend
    busy: medium not idle (frame, ack etc.)
    boe: elapsed backoff time
    bor: residual backoff time
    arrow: packet arrival at MAC

  The size of the contention window can be adapted (if more collisions, then increase the size)
  Note: broadcast is not acknowledged

802.11 - CSMA/CA unicast

  Sending unicast packets
    station has to wait for DIFS before sending data
    receiver acknowledges at once (after waiting for SIFS) if the packet was received correctly (CRC)
    automatic retransmission of data packets in case of transmission errors

  [Figure: sender: DIFS, data. Receiver: SIFS, ACK. Other stations: waiting time, DIFS, contention window, data.]
  The ACK is sent right at the end of SIFS (no contention)

802.11 – DCF with RTS/CTS

  Sending unicast packets
    station can send RTS with reservation parameter after waiting for DIFS (reservation determines amount of time the data packet needs the medium)
    acknowledgement via CTS after SIFS by receiver (if ready to receive)
    sender can now send data at once, acknowledgement via ACK
    other stations store medium reservations distributed via RTS and CTS

  [Figure: sender: DIFS, RTS, SIFS, data. Receiver: SIFS, CTS, SIFS, ACK. Other stations: NAV (RTS), NAV (CTS), defer access, DIFS, contention window, data.]
  NAV: Net Allocation Vector
  RTS/CTS can be present for some packets and not for other

Fragmentation mode

  [Figure: sender: DIFS, RTS, SIFS, frag1, SIFS, frag2. Receiver: SIFS, CTS, SIFS, ACK1, SIFS, ACK2. Other stations: NAV (RTS), NAV (CTS), NAV (frag1), NAV (ACK1), DIFS, contention, data.]

  • Fragmentation is used in case the size of the packets sent has to be reduced (e.g., to diminish the probability of erroneous frames)
  • Each frag_i (except the last one) also contains a duration (as RTS does), which determines the duration of the NAV
  • By this mechanism, fragments are sent in a row
  • In this example, there are only 2 fragments

802.11 - MAC frame format

  Types
    control frames, management frames, data frames
  Sequence numbers
    important against duplicated frames due to lost ACKs
  Addresses
    receiver, transmitter (physical), BSS identifier, sender (logical)
  Miscellaneous
    sending time, checksum, frame control, data

  Field               Bytes     Remark
  Frame Control       2         version, type, fragmentation, security, ...
  Duration ID         2
  Address 1           6
  Address 2           6
  Address 3           6
  Sequence Control    2         detection of duplication
  Address 4           6
  Data                0-2312
  CRC                 4

MAC address format

  scenario                            to DS   from DS   address 1   address 2   address 3   address 4
  ad-hoc network                      0       0         DA          SA          BSSID       -
  infrastructure network, from AP     0       1         DA          BSSID       SA          -
  infrastructure network, to AP       1       0         BSSID       SA          DA          -
  infrastructure network, within DS   1       1         RA          TA          DA          SA

  DS: Distribution System
  AP: Access Point
  DA: Destination Address
  SA: Source Address
  BSSID: Basic Service Set Identifier
    - infrastructure BSS: MAC address of the Access Point
    - ad hoc BSS (IBSS): random number
  RA: Receiver Address
  TA: Transmitter Address

802.11 - MAC management

  Synchronization
    Purpose
      for the physical layer (e.g., maintaining in sync the frequency hop sequence in the case of FHSS)
      for power management
    Principle: beacons with time stamps
  Power management
    sleep-mode without missing a message
    periodic sleep, frame buffering, traffic measurements
  Association/Reassociation
    integration into a LAN
    roaming, i.e. change networks by changing access points
    scanning, i.e. active search for a network
  MIB - Management Information Base
    managing, read, write

Synchronization (infrastructure case)

  [Figure: access point and medium timelines over several beacon intervals; beacon frames (B) carry the value of the timestamp and are delayed when the medium is busy.]

  • The access point transmits the (quasi) periodic beacon signal
  • The beacon contains a timestamp and other management information used for power management and roaming
  • All other wireless nodes adjust their local timers to the timestamp

Synchronization (ad-hoc case)

  [Figure: station1, station2 and medium timelines over several beacon intervals; beacon frames B1 and B2 carry the value of the timestamp and are sent after a random delay (back-off) when the medium is not busy.]

  • Each node maintains its own synchronization timer and starts the transmission of a beacon frame after the beacon interval
  • Contention back-off mechanism: only 1 beacon wins
  • All other stations adjust their internal clock according to the received beacon and suppress their beacon for the current cycle

Power management

  Idea: switch the transceiver off if not needed
  States of a station: sleep and awake
  Timing Synchronization Function (TSF)
    stations wake up at the same time
  Infrastructure case
    Traffic Indication Map (TIM)
      list of unicast receivers transmitted by AP
    Delivery Traffic Indication Map (DTIM)
      list of broadcast/multicast receivers transmitted by AP
  Ad-hoc case
    Ad-hoc Traffic Indication Map (ATIM)
      announcement of receivers by stations buffering frames
      more complicated - no central AP
      collision of ATIMs possible (scalability?)

Power saving (infrastructure case)

  Here the access point announces data addressed to the station

  [Figure: access point, medium and station timelines showing the TIM interval and the DTIM interval.]

  Legend
    T: TIM
    D: DTIM
    B: broadcast/multicast
    d: data transmission to/from the station
    p: Power Saving poll: I am awake, please send the data
    shaded: awake

Power saving (ad-hoc case)

  [Figure: station1 and station2 timelines showing the ATIM window and the beacon interval, with beacons B1 and B2.]

  Legend
    B: beacon frame
    A: transmit ATIM
    a: acknowledge ATIM
    D: transmit data
    d: acknowledge data
    also marked: awake, random delay

  • ATIM: Ad hoc Traffic Indication Map (a station announces the list of buffered frames)
  • Potential problem: scalability (high number of collisions)

802.11 - Roaming

  No or bad connection? Then perform:
  Scanning
    scan the environment, i.e., listen into the medium for beacon signals or send probes into the medium and wait for an answer
  Reassociation Request
    station sends a request to one or several AP(s)
  Reassociation Response
    success: AP has answered, station can now participate
    failure: continue scanning
  AP accepts Reassociation Request
    signal the new station to the distribution system
    the distribution system updates its data base (i.e., location information)
    typically, the distribution system now informs the old AP so it can release resources

Security of 802.11

  WEP: Wired Equivalent Privacy
  Objectives:
    Confidentiality
    Access control
    Data integrity

  [Figure: WEP encapsulation and decapsulation. Labels: message M, integrity checksum C(M), P = M C(M), key k, IV, RC4.]

  Note: several security weaknesses have been identified and WEP should not be used anymore.
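One of the known WEP weaknesses, keystream reuse when an IV repeats, can be seen by building the encapsulation from the slide's diagram. This is an added example, not part of the original slides; it assumes a 3-byte IV prepended to the key, CRC-32 as C(M) in little-endian byte order, a simplified frame layout (IV followed by ciphertext), and a constructed key and messages.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """RC4: key scheduling, then n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m: bytes) -> bytes:  # C(M): CRC-32; byte order is an assumption here
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """P = M || C(M); the IV is sent in clear, followed by P XOR RC4(IV || k)."""
    p = m + icv(m)
    return iv + xor(p, rc4(iv + k, len(p)))

def wep_decrypt(k: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    p = xor(body, rc4(iv + k, len(body)))
    m, check = p[:-4], p[-4:]
    if icv(m) != check:
        raise ValueError("integrity checksum mismatch")
    return m

def keystream_reuse(frame_a: bytes, frame_b: bytes):
    """When two frames share an IV, the XOR of their ciphertexts equals the
    XOR of their plaintexts: the keystream cancels without knowing k."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

def demo():
    # Constructed key, IV and messages, for illustration only.
    k = bytes.fromhex("0102030405")                # 40-bit shared key
    m1, m2 = b"station A: hello", b"station B: world"
    f1 = wep_encrypt(k, b"\x00\x00\x01", m1)
    f2 = wep_encrypt(k, b"\x00\x00\x01", m2)       # same IV used again
    return (wep_decrypt(k, f1) == m1,
            keystream_reuse(f1, f2)[:len(m1)] == xor(m1, m2))

if __name__ == "__main__":
    print(demo())
```

With a 24-bit IV and one shared key per network, repeats are unavoidable on a busy link, which is why per-packet keys derived by a sound key schedule replaced this construction.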

The new solution for 802.11 security: standard 802.1x

  Supplicant <-- EAPOL (over Ethernet or 802.11) --> Authenticator <-- Encapsulated EAP, typically on RADIUS --> Authentication Server

  EAP: Extensible Authentication Protocol (RFC 2284, 1998)
  EAPOL: EAP over LAN
  RADIUS: Remote authentication dial in user service (RFC 2138, 1997)

  Features:
  - Supports a wide range of authentication schemes, thanks to the usage of EAP
  - One-way authentication
  - Optional encryption and data integrity

More on IEEE 802.1x

  Example of authentication, using one-time passwords (OTP):

  Parties: Supplicant, Authenticator, Authentication server
    EAP-request/identity
    EAP-response/identity (MYID)
    EAP-request/OTP, OTP challenge
    EAP-response/OTP, OTPpassword
    EAP-success
    Authentication successfully completed
    Port authorized

  Arrow legend: exchange of EAPOL frame; exchange of EAP frames in a higher layer protocol (e.g., RADIUS)

  Notes:
  1. Weaknesses have been found in 802.1x as well, but are corrected in the various implementations.
  2. New standard in the making: IEEE 802.11i

IEEE 802.11 – Standardization efforts

  IEEE 802.11b
    2.4 GHz band
    DSSS (Direct-sequence spread spectrum)
    Bitrates 1 – 11 Mbit/s
  IEEE 802.11a
    5 GHz band
    Based on OFDM (orthogonal frequency-division multiplexing)
    transmission rates up to 54 Mbit/s
    Coverage is not as good as in 802.11b
  IEEE 802.11g
    2.4 GHz band (same as 802.11b)
    Based on OFDM
    Bitrates up to 54 Mb/s
  IEEE 802.11n
    MIMO (multiple-input multiple-output)
    40 MHz channel (instead of 20 MHz)
    Can operate in the 5 GHz or 2.4 GHz band (risk of interference with other systems, however)
    Bitrates up to 600 Mb/s
  IEEE 802.11ac
    Extension of IEEE 802.11n, under development
  IEEE 802.11e
    Enhanced DCF: to support differentiated service
  IEEE 802.11i
    Security, makes use of IEEE 802.1x
  IEEE 802.11p
    For vehicular communications
  IEEE 802.11s
    For mesh networks

Conclusion of Wireless LANs

  IEEE 802.11
    Very widespread
    Often considered as the system underlying larger scale ad hoc networks (although far from optimal, not designed for this purpose)
    Tremendous potential as a competitor of 3G cellular networks in hot spots
  Bluetooth
  Security perceived as a major obstacle; initial solutions were flawed in both IEEE 802.11 (WEP) and Bluetooth
  Future developments
    Ultra Wide Band?

References

  J. Schiller: Mobile Communications, Addison-Wesley, Second Edition, 2004
  Leon-Garcia & Widjaja: Communication Networks, McGrawHill, 2000
  IEEE 802.11 standards, available at www.ieee.org
  www.bluetooth.com
  J. Edney and W. Arbaugh: Real 802.11 Security, Addison-Wesley, 2003

Ad Hoc On-Demand Distance Vector Routing (AODV)

  Note: this and the following slides are provided here because AODV is used in the hands-on exercises. We will come back to this topic in a later module of the course.

AODV : Route discovery (1)

  [Figure: network graph with nodes F, Q, K, H, A, E, S, G, D, P, J, B, M, R, I, L, C, N. The same graph is used on all following AODV slides.]

AODV : Route discovery (2)

  [Figure: same graph. Arrow legend: Route Request (RREQ).]
  Note: if one of the intermediate nodes (e.g., A) knows a route to D, it responds immediately to S

AODV : Route discovery (3)

  [Figure: same graph. Arrow legend: represents a link on the reverse path.]

AODV : Route discovery (4)

  [Figure: same graph.]

AODV : Route discovery (5)

  [Figure: same graph.]

AODV : Route discovery (6)

  [Figure: same graph.]

AODV : Route discovery (7)

  [Figure: same graph.]

AODV : Route reply and setup of the forward path

  [Figure: same graph. Arrow legend: link over which the RREP is transmitted; forward path.]

Route reply in AODV

  In case it knows a path more recent than the one previously known to sender S, an intermediate node may also send a route reply (RREP)
  The freshness of a path is assessed by means of destination sequence numbers
  Both reverse and forward paths are purged at the expiration of appropriately chosen timeout intervals

AODV : Data delivery

  [Figure: same graph, with Data sent from S.]
  The route is not included in the packet header

AODV : Route maintenance (1)

  [Figure: same graph, with Data sent from S and the link between G and J marked X (broken).]

AODV : Route maintenance (2)

  [Figure: same graph, with the link between G and J marked X and RERR(G-J) sent back towards S.]
  When receiving the Route Error message (RERR), S removes the broken link from its cache. It then initializes a new route discovery.

AODV (unicast) : Conclusion

  Nodes maintain routing information only for routes that are in active use
  Unused routes expire even when the topology does not change
  Each node maintains at most one next-hop per destination

2011 Trial in MobNet with Nokia

  http://lca.epfl.ch/projects/lca1-nokia
  [Figure labels: Adversary’s APs; 186 m; 66 m.]
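
The AODV slides above walk through route discovery, hop-by-hop data delivery and route maintenance; the following added example (not part of the original slides) runs those three phases on a small graph. The links are constructed, since the edges of the slides' figure are not recoverable; it also assumes equal link delays and that only the destination answers a RREQ, so sequence numbers and timeouts are left out.

```python
from collections import deque

# Constructed links between nodes named as on the slides; the figure's
# actual edges are not recoverable from the page.
LINKS = {frozenset(l) for l in
         ("SB", "SC", "SE", "EG", "CG", "GJ", "JD", "GK", "KN", "ND")}

def neighbors(links, node):
    return sorted(next(iter(l - {node})) for l in links if node in l)

def discover(links, src, dst, tables):
    """Flood a RREQ from src; dst answers with a RREP along the reverse path."""
    reverse = {src: None}              # node -> neighbour that delivered the RREQ first
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in neighbors(links, node):
            if nb not in reverse:      # later copies of the same RREQ are dropped
                reverse[nb] = node
                queue.append(nb)
    if dst not in reverse:
        return False
    node = dst
    while reverse[node] is not None:   # RREP hop: install forward next-hop for dst
        tables.setdefault(reverse[node], {})[dst] = node
        node = reverse[node]
    return True

def send(links, src, dst, tables):
    """Forward using per-node next-hop tables only (no route in the packet)."""
    path = [src]
    while path[-1] != dst:
        node = path[-1]
        nxt = tables.get(node, {}).get(dst)
        if nxt is None or frozenset((node, nxt)) not in links:
            for n in path:             # RERR travels upstream; the route is purged
                tables.get(n, {}).pop(dst, None)
            return path, False
        path.append(nxt)
    return path, True

def demo():
    links, tables = set(LINKS), {}
    discover(links, "S", "D", tables)
    first = send(links, "S", "D", tables)
    links.discard(frozenset("GJ"))     # link G-J breaks, as on the maintenance slides
    broken = send(links, "S", "D", tables)
    discover(links, "S", "D", tables)  # S starts a new route discovery
    return first, broken, send(links, "S", "D", tables)

if __name__ == "__main__":
    print(demo())
```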