3.- Wireless technologies
http://www.redes.upv.es/ralir/en/
Local Area Networks (RALIR) / School of Engineering in Computer Science / 2009-2010

Outline
 Basics
   Applications
   The physical media
   Free-space loss and frequency dependency
   The IEEE 802 specification family
   Comparison between different wireless technologies (PHY and MAC layers)
 IEEE 802.11
 Bluetooth
Wireless? Why?
 Mobility (anytime)
 Coverage (anywhere)
 New applications potential (services)
 Healthcare
 Lab administration
 People with disabilities
 Point-of-Care testing
 Homecare administration
 Controlling patient data
 Education
 More efficient learning methods
 Wireless is ideal for campus-wide coverage
Some Application Areas
 Retail
 Direct inventory management
 Mobile POS
 Self-checkout
 Mobile scanners
 Manufacturing
 Field based data collections
 Product management
 Inventory visibility and planning
Vehicular Networks
 Safety and transport efficiency
 In Europe around 40,000 people die and more than 1.5 million are injured every year on the roads
 Traffic jams generate a tremendous waste of time and of fuel
 Most of these problems can be solved by providing appropriate
information to the driver or to the vehicle
Vehicle Communication (VC)
 VC promises safer roads,
 … more efficient driving,
 … more fun,
 … and easier maintenance.
Rural communications
 Rural communications on the global agenda
 Connecting villages with Information and Communication Technologies
(ICT) and establishing community access points
 Benefits
 E-business and e-commerce could play an important role in enabling local
artisans to reach national and international markets
Over 40% of the world’s population lives in rural and remote areas of
developing countries and have difficult or no access to even basic
telecommunications services. Development of telecommunications in rural and
remote areas, therefore forms an important mission of the ITU Development
sector.
Yasuhiko Kawasumi, “Rural communications on the global agenda,” Global Survey on
Rural Communications for the ITU-D on Communications for rural and remote areas.
Rural populations and their ICT needs
 Needs of rural people in connection with e-services
 E-health, e-education and e-administration top the list as primary needs
 E-business and e-banking also scored highly
ITU-D global survey, Doc 111/SG2
For many rural areas,
electricity supply is simply
non-existent or insufficient
Telemedicine training in Bhutan by Tokai University: the Tokai University Institute of Medical Sciences donated medical equipment with ICT functions and provided training on its use. The Tokai University Second Opinion Center provides an assistance service over the Internet when requested by the Bhutanese end.
About the "Wireless Internet"
 WWAN (3G, 4G?): low throughput, long range
 WMAN (WiMAX)
 WLAN (Wi-Fi): high throughput, short range
 WPAN (Bluetooth, RFID): low throughput, short range
Big Picture – WPAN’s
 WPAN technologies – RFID, Bluetooth
 RFID used in tagging applications, restricted environments
(supermarkets, institutions)
 10 billion RFID tags to be sold by the end of 2005 (source:
Deloitte & Touche)
 Bluetooth – technology has matured
 56% of mainstream devices commercialised will have Bluetooth
support by 2008 (Source: IDC)
 Poor interoperability between vendors restricts the wide use of
Bluetooth
Big Picture – WLAN’s
 WLAN – based on WiFi (802.11x)
 Adoption rate increased worldwide
 51% more units sold globally in 2004 than in 2003 (source: Infonetics Research)
 European cities’ infrastructure facilitates the adoption of WiFi
against wired alternatives
 Old buildings
 High population density
 Poor telecommunications infrastructure
 Wi-Fi mesh infrastructure:
 Current backend implementations of Wi-Fi mesh infrastructure are based on
proprietary solutions
 Usage: wireless coverage of WLANs, blanketing large areas with hot-spot
coverage
 Coverage: 100m to 10km
 Data rate:54Mbps- 100Mbps
Big Picture –WMAN’s
 WiMax (Worldwide Interoperability for Microwave Access)
 Standards-based technology
 Deployment of broadband wireless networks based on the IEEE
802.16 standard
 Enables the delivery of last mile wireless broadband access as an
alternative to cable and DSL
 Some characteristics of the 802.16-2004 standard:
   Improved user connectivity
   Higher quality of service
   Full support for WMAN service
   Robust carrier-class operation
Big Picture – WMAN's: Mobile Networks Evolution
Download speed by generation (timeline roughly 1995 to 2015):
 GPRS: 40 kbps
 EDGE: 90-180 kbps
 UMTS: 250-384 kbps
 HSDPA: 1-10 Mbps
3.- Wireless technologies (continued): the physical media
Antennas basics
 Directional Antenna
 "An antenna having the property
of radiating or receiving
electromagnetic waves more
effectively in some directions than
others".
 Omni-Directional Antenna
 "A hypothetical, lossless antenna
having equal radiation intensity in
all directions". For a WLAN
antenna, the gain in dBi is
referenced to that of an omnidirectional (isotropic) antenna
(which is defined as 0 dBi).
(Figure: Yagi directional antenna)
Directional antennas
 Yagi antenna (13.5 dBi), reach: 6 km at 2 Mb/s, 2 km at 11 Mb/s
 Parabolic antenna (20 dBi), reach: 10 km at 2 Mb/s, 4.5 km at 11 Mb/s
More antenna examples
(Figure: horizontal radiation patterns of further antenna examples)
ISM frequency bands
ISM (Industrial, Scientific and Medical) frequency bands:
• 900 MHz band (902 … 928 MHz)
• 2.4 GHz band (2.4 … 2.4835 GHz)
• 5.8 GHz band (5.725 … 5.850 GHz)
Anyone is allowed to use radio equipment for transmitting
in these bands (provided specific transmission power
limits are not exceeded) without obtaining a license.
ISM frequency band at 2.4 GHz
The ISM band at 2.4 GHz can be used by anyone as long as (in Europe, per the ETSI EN 300 328-1 requirements):
Transmitters using FH (Frequency Hopping) technology:
• Total transmission power < 100 mW
• Power density < 100 mW / 100 kHz
Transmitters using DSSS technology:
• Total transmission power < 100 mW
• Power density < 10 mW / 1 MHz
Free-space loss
The free-space loss L of a radio signal is:

$$L = \left(\frac{4\pi d}{\lambda}\right)^2 = \left(\frac{4\pi d f}{c}\right)^2$$

where d is the distance between transmitter and receiver, λ is the RF wavelength, f is the radio frequency, and c is the speed of light. The formula is valid for d >> λ, and does not take into account antenna gains (=> Friis formula) or obstructing elements causing additional loss.

Power budget graphical representation
(Figure: graphical representation of the link power budget)
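The loss formula above, carried through to a link budget, as an added example that is not part of the slides. It evaluates L in dB, applies the Friis form (transmit power plus both antenna gains minus L) and inverts it to find the distance at which a receiver still has a chosen fade margin. The 13.5 dBi antenna gain is the Yagi figure from the slides; the 15 dBm transmit power, the receiver sensitivities (-91 dBm at 2 Mb/s, -84 dBm at 11 Mb/s) and the 10 dB fade margin are assumed values, not figures from the page.

```python
"""Free-space loss and a link budget built on it.
Added example (not from the RALIR slides).  Transmit power, receiver
sensitivity and fade margin are assumed values, labelled as such."""
import math

C = 299_792_458.0  # speed of light, m/s


def free_space_loss(d_m: float, f_hz: float) -> float:
    """Linear free-space loss L = (4*pi*d/lambda)^2 = (4*pi*d*f/c)^2, valid for d >> lambda."""
    wavelength = C / f_hz
    return (4 * math.pi * d_m / wavelength) ** 2


def free_space_loss_db(d_m: float, f_hz: float) -> float:
    """The same loss expressed in dB: 10*log10(L)."""
    return 10 * math.log10(free_space_loss(d_m, f_hz))


def received_power_dbm(p_tx_dbm: float, g_tx_dbi: float, g_rx_dbi: float,
                       d_m: float, f_hz: float) -> float:
    """Friis formula in logarithmic form: P_rx = P_tx + G_tx + G_rx - L_fs (no obstacles)."""
    return p_tx_dbm + g_tx_dbi + g_rx_dbi - free_space_loss_db(d_m, f_hz)


def max_range_m(p_tx_dbm: float, g_tx_dbi: float, g_rx_dbi: float,
                sensitivity_dbm: float, fade_margin_db: float, f_hz: float) -> float:
    """Invert Friis: largest d at which P_rx still exceeds the sensitivity by the
    fade margin.  From 20*log10(4*pi*d*f/c) = allowed_loss follows
    d = (c / (4*pi*f)) * 10^(allowed_loss / 20)."""
    allowed_loss_db = p_tx_dbm + g_tx_dbi + g_rx_dbi - sensitivity_dbm - fade_margin_db
    return C / (4 * math.pi * f_hz) * 10 ** (allowed_loss_db / 20)


def link_budget(d_m: float, f_hz: float = 2.4e9) -> dict:
    """Worked budget for a point-to-point link with a 13.5 dBi Yagi at each end.
    Assumed (not from the slides): 15 dBm transmit power, -91 dBm sensitivity
    at 2 Mb/s and -84 dBm at 11 Mb/s, 10 dB fade margin."""
    p_tx, g = 15.0, 13.5
    sens = {"2 Mb/s": -91.0, "11 Mb/s": -84.0}
    margin = 10.0
    p_rx = received_power_dbm(p_tx, g, g, d_m, f_hz)
    return {
        "loss_db": free_space_loss_db(d_m, f_hz),
        "p_rx_dbm": p_rx,
        "margin_db": {rate: p_rx - s for rate, s in sens.items()},
        "usable": {rate: p_rx - s >= margin for rate, s in sens.items()},
        "max_range_m": {rate: max_range_m(p_tx, g, g, s, margin, f_hz)
                        for rate, s in sens.items()},
    }


if __name__ == "__main__":
    for d in (2_000, 6_000, 15_000):
        b = link_budget(d)
        print(f"{d / 1000:5.1f} km  loss {b['loss_db']:.1f} dB  "
              f"P_rx {b['p_rx_dbm']:.1f} dBm  usable {b['usable']}")
```

At 2.4 GHz and 6 km the free-space loss alone is about 115.6 dB; whether a given rate is usable depends entirely on the sensitivity and the margin you budget for fading and obstacles, which is why the reach figures quoted for the Yagi and parabolic antennas are shorter than the pure free-space numbers suggest.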
3.- Wireless technologies (continued): the IEEE 802 specification family
IEEE 802 wireless network technology options
Network definition | IEEE standard | Known as
Wireless personal area network (WPAN) | IEEE 802.15.1 | Bluetooth
Low-rate WPAN (LR-WPAN) | IEEE 802.15.4 | ZigBee
Wireless local area network (WLAN) | IEEE 802.11 | WiFi
Wireless metropolitan area network (WMAN) | IEEE 802.16 | WiMAX
IEEE 802 standardisation framework
(Figure: layered view of the IEEE 802 family)
 802.1: management, spanning all MACs
 802.2: Logical Link Control (LLC), common to every 802 MAC
 802.3 MAC (CSMA/CD, Ethernet) over the 802.3 PHY
 802.5 MAC (Token Ring) over the 802.5 PHY
 802.11 MAC (CSMA/CA, Wireless LAN) over several PHYs: 802.11, 802.11a, 802.11b, 802.11g
CSMA/CA Wireless LAN
CSMA/CA = Carrier Sense Multiple Access with Collision Avoidance.
Unlike wired LAN stations, WLAN stations cannot detect collisions => they must avoid collisions.
The 802.11 MAC (CSMA/CA) is a common MAC layer, but there are many PHY options: 802.11, 802.11a, 802.11b, 802.11g.
WLAN physical layer (1)
The original physical layer specified in 802.11 defines two signal formats: FHSS (Frequency Hopping Spread Spectrum) and DSSS (Direct Sequence Spread Spectrum).
Data rates supported: 1 and 2 Mbit/s.
ISM band: 2.4 … 2.4835 GHz.
WLAN physical layer (2)
The first widely implemented physical layer was 802.11b, which uses DSSS (Direct Sequence Spread Spectrum) like 802.11 but with larger bit rates: 1, 2, 5.5 and 11 Mbit/s.
Automatic fall-back to lower speeds in case of a bad radio channel.
ISM band: 2.4 … 2.4835 GHz.
WLAN physical layer (3)
802.11a operates in the 5 GHz frequency band (the 5.725 … 5.850 GHz ISM band lies within it).
The signal format is OFDM (Orthogonal Frequency Division Multiplexing).
Data rates supported: various bit rates from 6 to 54 Mbit/s.
WLAN physical layer (4)
802.11g is the most recent physical layer covered here, operating in the same band as 802.11b (ISM band: 2.4 … 2.4835 GHz).
The signal format is OFDM (Orthogonal Frequency Division Multiplexing).
Data rates supported: various bit rates from 6 to 54 Mbit/s (same as 802.11a).
Wireless Fidelity (WiFi)
The WiFi certification program of the Wireless Ethernet Compatibility Alliance (WECA, renamed the Wi-Fi Alliance in 2002) addresses compatibility of IEEE 802.11 equipment => WiFi ensures interoperability of equipment from different vendors.
(Figure: 802.11b/g equipment carries the WiFi mark; 802.11a equipment was marketed as WiFi5.)
Wireless Personal Area Network (WPAN)
 IEEE 802.15.1 MAC + PHY, the Bluetooth Special Interest Group (SIG) specification
 Data rates up to 700 kbit/s (about 2.1 Mbit/s with EDR)
 ISM band: 2.4 … 2.4835 GHz
Low-rate WPAN (LR-WPAN)
 IEEE 802.15.4 MAC + PHY, promoted by the ZigBee Alliance
 Data rates up to 250 kbit/s
 ISM band: 2.4 … 2.4835 GHz
Wireless Metropolitan Area Network (WMAN)
 IEEE 802.16 MAC + PHY, known as WiMAX
 Various data rates, up to 100 Mbit/s and more
 Various frequency bands (not only ISM)
3.- Wireless technologies (continued): IEEE 802.11
Possible architectures
 Independent Basic Service Set
(IBSS)
 Decentralized structure
 Flexible:
 Permanent and temporary
networks
 Allows to control power
consumption
 Infrastructure Basic Service Set (BSS)
   Components:
     Station (STA)
     Access Point (AP) or Point Coordinator (PC)
     Basic Service Set (BSS)
     Extended Service Set (ESS)
The Extended Service Set (ESS)
(Figure: several BSSs, each with its AP, joined through the Distribution System (DS) to the wired LAN)
 The standard does not define the implementation details of the DS
 There exists a proposal by a group of industries: the Inter-Access Point Protocol (IAPP)
Task Group F
 Scope of project: to develop recommended practices for an Inter-Access Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor Access Point interoperability across a Distribution System supporting IEEE P802.11 Wireless LAN links.
 Purpose of project: "... including the concepts of Access Points and Distribution Systems. Implementation of these concepts were purposely not defined by P802.11 ... As 802.11 based systems have grown in popularity, this limitation has become an impediment to WLAN market growth. This project proposes to specify the necessary information that needs to be exchanged between Access Points to support the P802.11 DS functions. The information exchanges required will be specified for one or more Distribution Systems, in a manner sufficient to enable the implementation of Distribution Systems containing Access Points from different vendors which adhere to the recommended practices."
 Status: work has been completed and is now part of the standard as a recommended practice.
Frame structure
Frame types (Type field of the Frame Control): management (00), control (01), data (10), reserved (11).
Types of addresses:
• Source Address (SA)
• Destination Address (DA)
• Transmitter Address (TA)
• Receiver Address (RA)
• BSS identifier (BSSID)

Function | To DS | From DS | Addr. 1 | Addr. 2 | Addr. 3 | Addr. 4
IBSS | 0 | 0 | RA = DA | SA | BSSID | -
From the AP | 0 | 1 | RA = DA | BSSID | SA | -
To the AP | 1 | 0 | RA = BSSID | SA | DA | -
Wireless DS | 1 | 1 | RA | TA | DA | SA
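The address table above, implemented as a small header decoder, as an added example that is not part of the slides. It builds frames with chosen To DS / From DS bits, then parses the Frame Control, Duration/ID, the three or four address fields and the Sequence Control, and names each address (RA, TA, DA, SA, BSSID) according to the table. The MAC addresses and frames are constructed for illustration. It also flags deauthentication and disassociation frames, because in the original standard nothing in this header authenticates the sender, so such frames can be forged by anyone who knows the BSSID and the client's address (protection for them arrived later with 802.11w).

```python
"""Parse the 802.11 MAC header and name the address fields from the To DS /
From DS bits, following the table above.  Added example (not from the slides);
the MAC addresses and sample frames are constructed for illustration."""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

# Constructed, locally administered addresses used by the samples below.
CLIENT = bytes.fromhex("021122334455")
BSSID = bytes.fromhex("02aabbccddee")
SERVER = bytes.fromhex("029988776655")
AP2 = bytes.fromhex("02beefbeef01")


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(ftype: int, subtype: int, to_ds: bool, from_ds: bool,
                a1: bytes, a2: bytes, a3: bytes, a4: bytes = b"",
                seq: int = 1, duration: int = 44, body: bytes = b"") -> bytes:
    """Assemble Frame Control, Duration/ID, Addr1-3, Sequence Control, optional Addr4, body."""
    fc = (ftype << 2) | (subtype << 4)            # protocol version 0 in the low 2 bits
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    hdr = (bytes([fc, flags]) + struct.pack("<H", duration)
           + a1 + a2 + a3 + struct.pack("<H", seq << 4))   # fragment number 0
    return hdr + a4 + body


def parse_80211_header(frame: bytes) -> dict:
    """Decode the header and map Addr1..4 to RA/TA/DA/SA/BSSID by the DS bits."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    duration = struct.unpack_from("<H", frame, 2)[0]
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    roles = {"RA": mac_str(a1), "TA": mac_str(a2)}   # Addr1/Addr2 are always RA/TA
    header_len = 24
    if not to_ds and not from_ds:          # IBSS (management frames look the same)
        roles.update(DA=mac_str(a1), SA=mac_str(a2), BSSID=mac_str(a3))
    elif from_ds and not to_ds:            # from the AP
        roles.update(DA=mac_str(a1), BSSID=mac_str(a2), SA=mac_str(a3))
    elif to_ds and not from_ds:            # to the AP
        roles.update(BSSID=mac_str(a1), SA=mac_str(a2), DA=mac_str(a3))
    else:                                  # wireless DS (AP to AP): four addresses
        if len(frame) < 30:
            raise ValueError("4-address frame needs a 30-byte header")
        roles.update(DA=mac_str(a3), SA=mac_str(frame[24:30]))
        header_len = 30
    return {"type": TYPE_NAMES[ftype], "subtype": subtype, "to_ds": to_ds,
            "from_ds": from_ds, "duration": duration, "seq": seq_ctl >> 4,
            "frag": seq_ctl & 0x0F, "addresses": roles, "header_len": header_len,
            "body": frame[header_len:]}


def is_unprotected_deauth(frame: bytes) -> bool:
    """Deauthentication (management subtype 12) and disassociation (subtype 10)
    carry no proof of their sender in the original standard, so any such frame
    seen on the air may be forged: worth flagging in a monitor."""
    h = parse_80211_header(frame)
    return h["type"] == "management" and h["subtype"] in (10, 12)


if __name__ == "__main__":
    f = build_frame(2, 0, False, True, CLIENT, BSSID, SERVER, body=b"payload")
    print(parse_80211_header(f)["addresses"])
```

The decoder stops at the MAC header; in an infrastructure BSS the body that follows starts with the LLC/SNAP header, or with the WEP IV field when the Protected bit (bit 6 of the flags byte) is set.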
BSSID and SSID
 BSSID (Basic Service Set Identifier)
   BSS: the AP's MAC address
   Ad-hoc: a 46-bit random number
 SSID (Service Set ID)
   Known as the network name
   Length: 0~32 bytes
   Length 0 is the broadcast (wildcard) SSID
   Handled either manually or automatically
   Should be unique; used to distinguish one WLAN from another
   An access point and a station that want to form one WLAN must use the same SSID
Addressing and DS bits
(Figure: Client → AP → DS → AP → Server, showing which address field carries RA, TA, SA and DA on each hop; the To DS / From DS table above applies.)
Services
 The IEEE 802.11 architecture defines 9 services: for the station and for the distribution
 Station services:
   Authentication
   Deauthentication
   Privacy → WEP
   Data delivery
   (Authentication and deauthentication are similar to connecting/disconnecting a cable to a traditional network)
 Distribution services:
   Association → generates a connection between a STA and an AP
   Disassociation
   Reassociation → like association but informing about the previous AP
   Distribution
   Integration → connects the WLAN with other LANs
State variables and services
 State 1: unauthenticated, unassociated. Only class 1 frames are allowed.
 Successful authentication → State 2: authenticated, unassociated. Class 1 & 2 frames are allowed.
 Successful association or reassociation → State 3: authenticated, associated. Class 1, 2 & 3 frames are allowed.
 A deauthentication notification returns the STA to State 1 (from State 2 or State 3); a disassociation notification returns it from State 3 to State 2.
 In an IBSS there is neither authentication nor association: the data service is allowed directly.
 A STA can be authenticated with various APs but it can be associated with only one AP.
Note that a deauthentication notification is itself a class 1 management frame and, in the original standard, carries no authentication of its sender.
Scanning
 Parameters: BSSType, BSSID, SSID, ScanType, ChannelList, ProbeDelay, Min/MaxChannelTime
 ScanType: passive
   The stations wait for the APs' beacons
 ScanType: active
   Stations send probe requests
 A scan report is generated
 The following phase is joining; this phase precedes the sequence of actions up to association

The MAC: reliable data delivery
 Distributed Coordination Function (DCF): with contention, CSMA/CA with binary exponential backoff
 Point Coordination Function (PCF): no contention
 The minimum protocol consists of two frames: the data and the ACK
The 5 timing values:
• Slot time
• SIFS: short interframe space (< slot time)
• PIFS: PCF interframe space (= SIFS + 1 slot)
• DIFS: DCF interframe space (= SIFS + 2 slots)
• EIFS: extended interframe space
(Figure: after a busy medium, stations defer access for DIFS (PIFS for the point coordinator, SIFS for responses) and then count down slots of the contention window.)
DCF behaviour
 The back-off values are chosen inside the contention window, that is, inside the interval [0, CW]
 CW can vary between 31 slots (CWmin) and 1023 slots (CWmax)
 CW grows after every failed transmission (CW → 2·CW + 1: 31, 63, 127, …, 1023) and is reset to CWmin after every successful transmission
 Example (figure), with CW = 31 and B1, B2 the back-off intervals at STA 1 and STA 2: STA 1 draws B1 = 25 and STA 2 draws B2 = 20. STA 2 reaches zero first and sends its data while STA 1 freezes its counter at B1 = 5. STA 2 then draws B2 = 15; when the medium is free again STA 1 finishes its remaining 5 slots and sends, leaving STA 2 waiting with B2 = 10.
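The back-off behaviour described above as a slot-level simulation, an added example that is not part of the slides. Stations count down together while the medium is idle, the station that reaches zero sends and the others keep their remaining count; when two reach zero in the same slot there is no ACK, both grow their CW and redraw. The back-off values are supplied explicitly (the real MAC draws them uniformly from [0, CW]) so that the run reproduces the figure's sequence 25/20 then 15.

```python
"""Slot-level simulation of DCF backoff: binary exponential backoff, frozen
counters and collisions.  Added example (not from the slides); the backoff
draws are supplied explicitly so the run is reproducible (the real MAC draws
them uniformly at random from [0, CW])."""
CW_MIN, CW_MAX = 31, 1023


def next_cw(cw: int, success: bool) -> int:
    """Reset to CWmin after a success; grow as 2*CW + 1 (31, 63, ..., 1023) after a failure."""
    return CW_MIN if success else min(2 * cw + 1, CW_MAX)


def _draw(st: dict) -> None:
    """Take the station's next backoff value and check it lies in [0, CW]."""
    v = next(st["draws"])
    if not 0 <= v <= st["cw"]:
        raise ValueError(f"backoff {v} outside [0, {st['cw']}]")
    st["counter"] = v


def simulate_dcf(draws: dict, frames: dict) -> list:
    """draws[sta]: backoff values the station will draw, in order.
    frames[sta]: number of frames the station must deliver.
    Returns a log of ('tx', sta, {other: remaining backoff}) and
    ('collision', (stas...), {sta: new CW}) events."""
    state = {}
    for sta, seq in draws.items():
        state[sta] = {"draws": iter(seq), "cw": CW_MIN, "sent": 0, "counter": None}
        _draw(state[sta])
    log = []
    while True:
        active = {s: st for s, st in state.items() if st["sent"] < frames[s]}
        if not active:
            return log
        slots = min(st["counter"] for st in active.values())   # idle slots until someone fires
        for st in active.values():
            st["counter"] -= slots            # all counters decrement together
        winners = [s for s, st in active.items() if st["counter"] == 0]
        if len(winners) == 1:                 # one station fires: data + ACK, others freeze
            w = winners[0]
            st = state[w]
            st["sent"] += 1
            st["cw"] = next_cw(st["cw"], success=True)
            log.append(("tx", w, {s: active[s]["counter"] for s in active if s != w}))
            if st["sent"] < frames[w]:
                _draw(st)
        else:                                  # several fire at once: no ACK, CW grows, redraw
            for w in winners:
                state[w]["cw"] = next_cw(state[w]["cw"], success=False)
                _draw(state[w])
            log.append(("collision", tuple(winners), {w: state[w]["cw"] for w in winners}))


if __name__ == "__main__":
    # The sequence drawn on the slide: STA 1 draws 25, STA 2 draws 20 and then 15.
    for event in simulate_dcf({"STA1": [25], "STA2": [20, 15]}, {"STA1": 1, "STA2": 2}):
        print(event)
```

The collision branch is where the binary exponential backoff does its work: each colliding station keeps its larger CW until it finally succeeds, so a station that keeps losing becomes progressively less aggressive.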
Problematic configurations
 Hidden node (figure: A, B, C in a line): A and C are both in range of B but not of each other, so A cannot sense a transmission from C to B and may collide with it at B.
 Exposed node (figure: A, B, C, D in a line): B is transmitting to A; C senses B and defers, although its own transmission to D would not interfere at A.
RTS/CTS mechanism
 Based on the network allocation vector (NAV)
(Figure: after DIFS the source sends RTS; after SIFS the destination answers CTS; after SIFS the source sends the data; after SIFS the destination sends the ACK. Other STAs set NAV(RTS) on hearing the RTS and NAV(CTS) on hearing the CTS, defer access until the NAV expires, and then wait DIFS plus the contention window.)
PCF: Point Coordination Function
(Figure: the PC waits PIFS and sends a Beacon, then Data+Poll to STA1, which answers Data+ACK after SIFS; Data+Poll to STA2, which answers ACK; Data+Poll to STA3 gets no response, so after PIFS the PC goes on; CF-End closes the Contention Free Period and the contention period (CP) begins, with NAV reset.)
• Station 2 sets its NAV (Network Allocation Vector) for the CFP
• Station 3 is hidden from the PC; it does not set the NAV and continues to operate in DCF
• Beacons are used to keep the timers in the stations synchronized and to send control information
• The AP generates beacons at regular intervals
• Stations know when the following beacon is arriving: the target beacon transmission time (TBTT) is announced in the previous beacon
PCF: the superframe
 There is a repetition of contention-free (CFP) and contention (CP) periods
 A CFP and the following CP form a superframe
(Figure: the 802.11 periodic superframe; in the CFP the PC sends Beacon, CF-Polls and DATA and the polled STAs answer with DATA, then CF-End; in the CP the STAs exchange DATA by contention.)
Broadcast traffic
 It is not possible to fragment frames whose destination is a group address
 Acknowledgements are not sent
 The MAC does not offer any retransmission service to broadcast or multicast frames
802.11b channels overview
 The standard defines 14 channels, 22 MHz wide, with 5 MHz between centre frequencies (channel 14 sits apart)
 The FCC only uses the first 11
 In Spain (historically) only channels 10 and 11 were allowed
 Only 3 channels do not overlap (1, 6, 11)
 Data rate is 11 Mbps
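The channel plan above in code, as an added example that is not part of the slides: centre frequencies, the overlap test for 22 MHz channels, the greedy choice of a non-overlapping set, and a check of observed channels against a regulatory set (useful when a survey turns up an AP on a channel the local rules do not permit). The FCC and the historical Spanish sets are the ones the slide states; the ETSI set (1 to 13) and channel 14 for Japan are added facts.

```python
"""802.11b channel centre frequencies and non-overlapping channel sets.
Added example (not from the slides).  Channel plan: IEEE 802.11b, 22 MHz
wide, 5 MHz spacing; the FCC and Spanish sets follow the slide."""
CHANNEL_WIDTH_MHZ = 22
REGULATORY = {
    "FCC": range(1, 12),              # channels 1-11
    "ETSI": range(1, 14),             # channels 1-13
    "Japan": range(1, 15),            # channels 1-14 (14 for 802.11b only)
    "Spain (historical)": (10, 11),   # allocation quoted on the slide
}


def centre_mhz(ch: int) -> int:
    """2.4 GHz band: 2407 + 5*ch MHz for channels 1..13; channel 14 is 2484 MHz."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    raise ValueError(f"no 802.11b channel {ch}")


def occupied_band_mhz(ch: int) -> tuple:
    """Lower and upper edge of the 22 MHz wide channel."""
    c = centre_mhz(ch)
    return c - CHANNEL_WIDTH_MHZ // 2, c + CHANNEL_WIDTH_MHZ // 2


def overlaps(a: int, b: int) -> bool:
    """Two 22 MHz channels overlap when their centres are closer than 22 MHz."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels) -> list:
    """Greedy pick, lowest channel first, of a mutually non-overlapping set."""
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def out_of_domain(observed, domain: str) -> list:
    """Observed channels that are not permitted in the given regulatory set."""
    allowed = set(REGULATORY[domain])
    return sorted(ch for ch in set(observed) if ch not in allowed)


if __name__ == "__main__":
    for name, chans in REGULATORY.items():
        print(f"{name:20s} non-overlapping: {non_overlapping(chans)}")
    print("out of FCC domain:", out_of_domain([1, 6, 12, 13], "FCC"))
```

With 22 MHz channels and 5 MHz spacing, two channels need 5 channel numbers between them to be clear of each other, which is exactly why 1, 6 and 11 (and 14 where allowed) are the usual non-overlapping set.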
3.- Wireless technologies (continued): IEEE 802.11: SECURITY
Wireless LAN Security Issues
(Figure: WLAN client, access point (AP) and the wired LAN behind it)
Issue:
 A wireless sniffer can view all WLAN data packets
 Anyone in the AP coverage area can get on the WLAN
802.11 WEP solution:
 Encrypt all data transmitted between client and AP
 Without the encryption key, a user cannot transmit or receive data
Goal: make WLAN security equivalent to that of wired LANs (Wired Equivalent Privacy)
WEP – Protection for 802.11b
 Wired Equivalent Privacy
 No worse than what you get with wire-based systems (the stated design goal)
 Criteria:
   "Reasonably strong"
   Self-synchronizing – stations often go in and out of coverage
   Computationally efficient – in HW or SW, since low-MIPS CPUs might be used
   Exportable – US export rules (relaxed in January 2000 / "Wassenaar Arrangement")
   Optional – not required to use it
 Objectives:
   confidentiality
   integrity
   authentication
WEP – How It Works
 Secret key (40 bits or 104 bits); up to 4 different keys can be configured, selected by the Key ID
 Initialization vector (24 bits, by IEEE std.)
 Total of 64 or 128 bits "of protection"
 RC4-based pseudo random number generator (PRNG)
 Integrity Check Value (ICV): CRC-32
Frame layout: Frame header | IV field (4 bytes: Init Vector 3 bytes, then 1 byte holding 6 bits of Pad and 2 bits of Key ID) | Data (PDU, ≥ 1 byte) | ICV (4 bytes) | FCS
WEP Encryption Process
1) Compute the ICV using CRC-32 over the plaintext message.
2) Concatenate the ICV to the plaintext message.
3) Choose an IV and concatenate it to the secret key; input the result to RC4 to produce the pseudo-random key sequence.
4) Encrypt plaintext + ICV by bitwise XOR with the key sequence to produce the ciphertext.
5) Put the IV (in clear) in front of the ciphertext.
(Figure: IV and Secret Key form the Seed of the WEP PRNG, which outputs the Key Sequence; the Integrity Algorithm computes the ICV from the Plaintext; Plaintext || ICV XOR Key Sequence gives the Ciphertext, sent as IV || Ciphertext.)
WEP Decryption Process
1) The IV of the message is used (with the secret key) to generate the key sequence k.
2) Ciphertext XOR k → original plaintext + ICV.
3) Verify by computing the integrity check on the plaintext (ICV') and comparing it to the recovered ICV.
4) If ICV ≠ ICV' then the message is in error; an error is reported to MAC management and back to the sending station.
(Figure: Secret Key and received IV seed the WEP PRNG; Ciphertext XOR Key Sequence gives Plaintext and ICV; the Integrity Algorithm recomputes ICV' and the two are compared.)
WEP Station Authentication (shared key)
 The wireless station (WS) sends an Authentication Request to the Access Point (AP).
 The AP sends a (random) challenge text T.
 The WS sends the challenge response (T encrypted with WEP).
 The AP sends ACK/NACK.
(Figure: WS → AP: Auth. Req.; AP → WS: Challenge Text; WS → AP: Challenge Response; AP → WS: Ack.)
Caveat: T travels in clear and its encryption under a visible IV follows immediately, so an eavesdropper obtains T XOR WEP(T), that is, the key sequence for that IV, which is enough to answer a later challenge without knowing the key.
WEP Weaknesses
 Forgery attack
   Packet headers are unprotected: source and destination addresses can be faked.
   The AP will then decrypt the data and forward it to other destinations.
   The CRC-32 ICV can be fixed up after flipping bits, because CRC-32 is linear.
 Replay
   An attacker can eavesdrop, record a session and play it back later (WEP has no sequence counter).
 Collision (24-bit IV; how/when does it change?)
   Sequential: roll-over in < ½ day on a busy network
   Random: after 5000 packets, > 50% probability of reuse
 Weak key
   If ciphertext and plaintext are known, the attacker can determine the key sequence for that IV.
   Certain RC4 weak keys (IVs) reveal too many bits of the key; the RC4 base key can then be determined.
   Well known attack described in the Fluhrer/Mantin/Shamir paper "Weaknesses in the Key Scheduling Algorithm of RC4", Scott Fluhrer, Itsik Mantin, and Adi Shamir
   Implemented in tools such as aircrack-ng: http://www.aircrack-ng.org/
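The encryption and decryption steps, the shared-key authentication exchange and the first two weaknesses above, carried out in code, as an added example that is not part of the slides. It implements RC4 and the CRC-32 ICV, encrypts and decrypts a frame body, recovers the key sequence leaked by a challenge/response and reuses it to answer a fresh challenge, and forges a modified message without the key by exploiting the linearity of CRC-32 (crc(m XOR d) = crc(m) XOR crc(d) XOR crc(0…0), so the encrypted ICV can be corrected for any chosen change d). The 40-bit key, the IVs and the messages are constructed values.

```python
"""WEP in code: RC4 keystream, encrypt/decrypt with the CRC-32 ICV, the
shared-key authentication leak, and a bit-flip forgery that needs no key.
Added example (not from the slides); key, IVs and messages are constructed."""
import os
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling + PRGA, returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, plaintext: bytes, iv: bytes = b"", key_id: int = 0) -> bytes:
    """Steps 1-5 above: ICV, seed = IV || key, RC4, XOR, IV field in front."""
    iv = iv or os.urandom(3)
    body = plaintext + icv(plaintext)
    return iv + bytes([key_id & 0x03]) + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame_body: bytes) -> bytes:
    """Regenerate the key sequence from the received IV, unmask, check the ICV."""
    iv, cipher = frame_body[:3], frame_body[4:]
    plain = xor(cipher, rc4(iv + key, len(cipher)))
    msg, received_icv = plain[:-4], plain[-4:]
    if icv(msg) != received_icv:
        raise ValueError("ICV mismatch")
    return msg


def decrypts_ok(key: bytes, frame_body: bytes) -> bool:
    try:
        wep_decrypt(key, frame_body)
        return True
    except ValueError:
        return False


def forge(frame_body: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits without the key.  CRC-32 is affine:
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros), so XOR `delta` into the
    ciphertext and XOR the matching correction into the encrypted ICV."""
    iv_field, cipher = frame_body[:4], frame_body[4:]
    n = len(cipher) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return iv_field + xor(cipher, delta + icv_delta)


def keystream_from_auth(challenge: bytes, response_body: bytes) -> tuple:
    """Shared-key authentication: the AP sends T in clear, the STA returns WEP(T).
    (T || ICV(T)) XOR ciphertext is the key sequence for that IV."""
    iv = response_body[:3]
    return iv, xor(challenge + icv(challenge), response_body[4:])


def forge_auth_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Answer a new challenge with the leaked key sequence, reusing its IV."""
    body = challenge + icv(challenge)
    return iv + b"\x00" + xor(body, keystream[: len(body)])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")           # 40-bit key (constructed)
    msg = b"GET /admin HTTP/1.0\r\n"
    frame = wep_encrypt(key, msg, iv=b"\x00\x01\x02")
    print(wep_decrypt(key, frame))
    delta = xor(b"GET ", b"PUT ") + bytes(len(msg) - 4)   # change the method only
    print(wep_decrypt(key, forge(frame, delta)))          # passes the ICV check
```

Note what the forgery does not need: the key, the IV's key sequence, or even the plaintext, only a guess at which bytes to change; the ICV passes because CRC-32 was designed to detect noise, not an adversary.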
Ways to Improve Security with WEP
 Use WEP(!)
 Change the wireless network name from the default (e.g. any, 101, tsunami)
 Turn on the closed group feature, if available in the AP: it turns off the SSID in beacons, so you must know the name of the wireless network
 MAC access control table in the AP: use the Media Access Control address of the wireless LAN cards to control access
 Use 802.11i support if available in the AP: define user profiles based on user name and password
Caveat: hiding the SSID and filtering MAC addresses raise the bar only slightly; the SSID still appears in probe and association frames, and MAC addresses travel in clear and can be cloned by a sniffer.

War Driving in New Orleans (back in December 2001)
 Equipment
   Laptop, wireless card, software
   GPS, booster antenna (optional)
 Results
   64 wireless LANs: 62 APs and 2 peer-to-peer networks
   Only 8 had WEP enabled (12%)
   25 with default (out of the box) settings (39%)
   29 used the company name for the ESSID (45%)
Other solutions
 VPN connectivity
   PPTP
   L2TP
   Third party
 IPSec
   Many vendors
 Password-based layer 2 authentication
   Cisco LEAP
   RSA SecurID
   IEEE 802.1X PEAP/MSCHAPv2
 Certificate-based layer 2 authentication
   IEEE 802.1X EAP-TLS
WLAN Security Comparisons
WLAN Security Type | Security Level | Ease of Deployment | Usability and Integration
IEEE 802.11 (WEP) | Low | High | High
VPN | Medium | Medium | Low
Password-based | Medium | Medium | High
IPSec | High | Low | Low
IEEE 802.1X TLS | High | Low | High
802.1X
 Defines port-based access control mechanism
 Works on anything, wired and wireless
 Access point must support 802.1X
 No special encryption key requirements
 Allows choice of authentication methods using EAP
 Chosen by peers at authentication time
 Access point doesn’t care about EAP methods
 Manages keys automatically
 No need to preprogram wireless encryption keys
Wi-Fi Protected Access (WPA)
 A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems
 Goals
   Enhanced data encryption (TKIP)
   Provide user authentication (802.1X)
   Be forward compatible with 802.11i
   Provide a non-RADIUS solution for small/home offices: WPA-PSK
 Typically a software upgrade; the Wi-Fi Alliance began certification testing for interoperability of Wi-Fi Protected Access products in February 2003
 WPA2: the full IEEE 802.11i standard (AES-CCMP)
Wi-Fi Protected Access (WPA)
 WEP's IV is only 24 bits, so IVs repeat every few hours → WPA (TKIP) extends the IV to a 48-bit sequence counter (TSC), which would take about 900 years to repeat
 WPA constrains the values acceptable as IVs: the TSC must increase, which protects against replay; the Michael MIC protects against forgery
 The per-packet key is formed from the MAC address (TA), the TSC and the temporal key (TKIP key mixing)
 TKIP: the temporal key is changed periodically (rekeying, e.g. every 10,000 packets)
 WPA-PSK → passphrase
 WPA / 802.11i recommends a passphrase of 20 characters or more
 Cracking WPA-PSK is brute force based (guessing passphrases)
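The WPA-PSK passphrase handling behind the last three points, as an added example that is not part of the slides. The pre-shared key (the PMK for WPA-Personal) is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt and 4096 iterations, as IEEE 802.11i specifies; the known-answer pair "password"/"IEEE" used in the check is the test vector from 802.11i Annex H. The dictionary loop shows why the attack is brute force: each guess costs a full derivation and there is no shortcut. In a real attack the guess is verified against the MIC of a captured 4-way handshake rather than against the PSK, which is never transmitted; comparing with the PSK here keeps the example short. The candidate word list is constructed.

```python
"""WPA-PSK: passphrase to PMK, and why recovering the passphrase is a brute-force
search.  Added example (not from the slides).  The candidate word list is constructed."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK for WPA-Personal) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    The SSID is the salt: the same passphrase yields a different PSK on every network name,
    so a table of precomputed PSKs only helps against common SSIDs."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, 32)


def dictionary_attack(target_psk: bytes, ssid: str, candidates) -> tuple:
    """Offline guessing: every candidate costs a full PBKDF2 (4096 HMAC-SHA1 rounds) and
    there is no shortcut, so the attack is only as good as the word list.
    Returns (matching passphrase or None, number of derivations performed)."""
    tried = 0
    for guess in candidates:
        if not 8 <= len(guess) <= 63:
            continue                      # cannot be a valid WPA passphrase: skip for free
        tried += 1
        if wpa_psk(guess, ssid) == target_psk:
            return guess, tried
    return None, tried


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a given length drawn from an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock years for a blind search of the whole keyspace at a given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    psk = wpa_psk("password", "IEEE")
    print(psk.hex())                          # known-answer vector from 802.11i Annex H
    print(dictionary_attack(psk, "IEEE", ["letmein", "qwertyuiop", "password", "hunter22"]))
    for n in (8, 20):
        print(f"{n} random chars from 62 at 1e6 guesses/s: "
              f"{years_to_exhaust(62, n, 1e6):.2e} years")
```

The keyspace numbers make the 20-character recommendation concrete: eight random characters from a 62-symbol alphabet fall to a modest cluster in years, while twenty are out of reach; the weak point in practice is that passphrases are rarely random, which is what the dictionary loop exploits.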
802.1X and PEAP
(Figure: 802.1X and PEAP)
3.- Wireless technologies (continued): IEEE 802.11: CONFIGURATION
Linksys Wireless-G Access Point
(Figures: series of configuration screenshots of the Linksys Wireless-G access point web interface)
3.- Wireless technologies
 Bluetooth
Bluetooth history
 De facto standard - open specifications.
 Publicly available on Bluetooth.com:
 http://bluetooth.com/Bluetooth/Technology/Works/
 Bluetooth specs developed by the Bluetooth SIG.
 February 1998: The Bluetooth SIG is formed
 Promoter company group: Ericsson, IBM, Intel, Nokia, Toshiba
 May 1998: The Bluetooth SIG goes "public"
 July 1999: 1.0A spec (>1,500 pages) is published
 December 1999: ver. 1.0B is released
 December 1999: The promoter group increases to 9
 3Com, Lucent, Microsoft, Motorola
 February 2000: There are 1,500+ adopters
 Versions:
 0.7 → 0.9 → 1.0A → 1.0B → 1.1 → …
 November 2003: release 1.2
 November 2004: release 2.0+EDR
 EDR (Enhanced Data Rate) triples the data rate, up to about 3 Mb/s
 Currently (July 2007): release 2.1+EDR
 The next specification (2Q08) will include the ability to use additional radio technologies to enable high-speed Bluetooth applications.
Versions
 Version 1.2, unlike 1.1, provides a complementary wireless solution that lets Bluetooth and Wi-Fi coexist in the 2.4 GHz spectrum without interfering with each other.
 It uses Adaptive Frequency Hopping (AFH), which gives more efficient transmission and more secure encryption.
 It offers better voice quality (Enhanced Voice Processing) with less noise, and faster connection setup with other Bluetooth devices within range.
 Version 2.0, written as a separate specification, mainly incorporates Enhanced Data Rate (EDR), which raises transmission speeds to up to 3 Mbps, while also fixing some errors of specification 1.2.
Release 2.1
 Near Field Communication (NFC) Technology
  NFC may also be used in the new pairing system, enabling a user to hold two devices together at a very short range to complete the pairing process.
 Lower Power Consumption
  Reduced power consumption means longer battery life in devices like mice and keyboards. Bluetooth Specification Version 2.1 + EDR can increase battery life by up to five times.
 Improved Security
  For pairing scenarios that require user interaction, eavesdropper protection makes a simple six-digit passkey stronger than a 16-digit alphanumeric random PIN code. Improved pairing also offers "Man in the Middle" protection, which in practice eliminates the possibility of an undetected man in the middle intercepting information.
Bluetooth usage
 Low-cost, low-power, short range radio → a cable replacement technology
 Common (file transfer, synchronisation, internet bridge, conference table)
 Hidden computing (background synchronisation, audio/video player)
 Future (PC login, remote control)
 Why not use Wireless LANs?
  power
  cost
Bluetooth RF
 1 Mb/s symbol rate
 Normal range: 10 m (0 dBm)
 Optional range: 100 m (+20 dBm)
 Normal transmission power: 0 dBm (1 mW)
 Optional transmission power: -30 to +20 dBm (100 mW)
 Receiver sensitivity: -70 dBm
 Frequency band: 2.4 GHz ISM band
 Gross data rate: 1 Mbit/s
 Max data transfer: 721+56 kbps / 3 voice channels
 Power consumption: 30 uA (max), 300 uA (standby), ~50 uA (hold/park)
 Packet switching protocol based on a frequency hop scheme with 1600 hops/s
Bluetooth Power Class Table
Power Class   Max Output Power (mW)   Max Output Power (dBm)   Expected Range   Range in Free Space
Class 1       100 mW                  20 dBm                   42 m             300 m
Class 2       2.5 mW                  4 dBm                    16 m             50 m
Class 3       1 mW                    0 dBm                    10 m             30 m
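Added example (Python, not from the slides): the "Range in Free Space" column follows from the RF slide's own figures (2.4 GHz band, -70 dBm receiver sensitivity) and the Friis free-space loss formula, and the gap to the "Expected Range" column is the fading margin. Isotropic antennas and no obstacles are assumed; the function and constant names are this example's.

```python
import math

# Figures from the Bluetooth RF and Power Class slides; isotropic antennas and
# no fading are assumed in this example.
FREQ_MHZ = 2400.0
RX_SENSITIVITY_DBM = -70.0
FSPL_CONST_DB = 32.44          # Friis constant for d in km and f in MHz
POWER_CLASS_DBM = {1: 20.0, 2: 4.0, 3: 0.0}


def free_space_loss_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss: 20 log10(d_km) + 20 log10(f_MHz) + 32.44 (dB)."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + FSPL_CONST_DB


def free_space_range_m(tx_dbm: float, rx_dbm: float = RX_SENSITIVITY_DBM,
                       freq_mhz: float = FREQ_MHZ) -> float:
    """Distance at which the link budget (tx power - sensitivity) is used up by FSPL."""
    budget_db = tx_dbm - rx_dbm
    d_km = 10 ** ((budget_db - FSPL_CONST_DB - 20 * math.log10(freq_mhz)) / 20)
    return d_km * 1000.0


def link_margin_db(tx_dbm: float, distance_m: float,
                   rx_dbm: float = RX_SENSITIVITY_DBM) -> float:
    """Spare dB above sensitivity at a distance; walls, bodies and fading eat into it."""
    return tx_dbm - free_space_loss_db(distance_m) - rx_dbm


def class_free_space_ranges() -> dict:
    """Free-space range per power class, rounded to whole metres."""
    return {c: round(free_space_range_m(p)) for c, p in POWER_CLASS_DBM.items()}


if __name__ == "__main__":
    print(class_free_space_ranges())              # close to the slide's 300 / 50 / 30 m
    # Margin left at class 1's "expected range" of 42 m: the allowance for real rooms.
    print(round(link_margin_db(20.0, 42.0), 1))
```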
Bluetooth Network Topology
 Bluetooth devices can work as a slave or a master in an ad hoc network. There are three types of network configuration for Bluetooth devices:
 Single point-to-point (Piconet): the network consists of one master and one slave device.
 Multipoint (Piconet): one master device and up to seven slave devices in an ad hoc network.
 Scatternet: a group of Piconets linked via a slave device in one Piconet that plays the master role in another Piconet.
(figure: i) Piconet (point-to-point), ii) Piconet (multipoint), iii) Scatternet; M = master, S = slave)
The Bluetooth standard does not describe any routing protocol for scatternets, and most of the hardware available today has no capability of forming scatternets. Some even lack the ability to communicate between slaves of one piconet or to be a member of two piconets at the same time.
Bluetooth stack: short version
(figure: layers from top to bottom: Applications; RFCOMM and SDP; L2CAP; HCI; Link Manager; Baseband; RF)
Transport Protocol Group (contd.)
 Radio Frequency (RF)
  Sending and receiving modulated bit streams
 Baseband
  Defines the timing and framing
  Flow control on the link
 Link Manager
  Managing the connection states
  Enforcing fairness among slaves
  Power management
 Logical Link Control & Adaptation Protocol (L2CAP)
  Handles multiplexing of higher level protocols
  Segmentation & reassembly of large packets
  Device discovery & QoS
 The Radio, Baseband and Link Manager are in firmware. The higher layers can be in software. The interface between them is then the Host Controller Interface (firmware and driver). The HCI interfaces defined for Bluetooth are UART, RS232 and USB.
Source: BLUETOOTH SPECIFICATION, Core Version 1.1, page 543; Farinaz Edalat, Ganesh Gopal, Saswat Misra, Deepti Rao
End to End Overview of Lower Software Layers to Transfer Data
(figure) Source: BLUETOOTH SPECIFICATION, Core Version 1.1, page 544
Physical Link Definition
 Synchronous Connection-Oriented (SCO) Link
  circuit switching
  symmetric, synchronous services
  slot reservation at fixed intervals
 Asynchronous Connection-Less (ACL) Link
  packet switching
  (a)symmetric, asynchronous services
  polling access scheme
ACL data rates
Packet type    Name   Symmetric (kbps)   Asymmetric (kbps): forward / return
1 slot + FEC   DM1    108.8              108.8 / 108.8
1 slot         DH1    172.8              172.8 / 172.8
3 slot + FEC   DM3    256.0              384.0 / 54.4
3 slot         DH3    384.0              576.0 / 86.4
5 slot + FEC   DM5    286.7              477.8 / 36.3
5 slot         DH5    432.6              721.0 / 57.6
Multi-slot packets
(figure: single-slot, three-slot and five-slot packets drawn over hop frequencies fn to fn+5)
Symmetric single slot
(figure: Master and Slave alternate single-slot packets on hops fn to fn+12)
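Added example (Python, not from the slides): how the symmetric and asymmetric ACL figures arise from 625 µs TDD slots (1600 hops/s), with a forward packet of 1, 3 or 5 slots answered by a return packet of the same FEC family. The payload sizes in ACL_PACKETS are assumptions chosen so that the arithmetic reproduces the table's values; the names are this example's.

```python
# Bluetooth TDD slot: 1600 hops/s -> 625 us per slot. A packet occupies 1, 3 or 5 slots
# and the peer's reply starts in the slot that follows it.
SLOT_S = 1 / 1600

# Packet type -> (slots used, payload bytes). Payload sizes are assumptions chosen so
# that the arithmetic reproduces the slide's table (DM = 2/3 FEC, DH = no FEC).
ACL_PACKETS = {
    "DM1": (1, 17), "DH1": (1, 27),
    "DM3": (3, 120), "DH3": (3, 180),
    "DM5": (5, 224), "DH5": (5, 338),
}


def rate_kbps(payload_bytes: int, forward_slots: int, return_slots: int) -> float:
    """User data rate of one direction when a forward packet and its reply alternate."""
    exchange_s = (forward_slots + return_slots) * SLOT_S
    return payload_bytes * 8 / exchange_s / 1000


def acl_rates(ptype: str) -> dict:
    """Symmetric and asymmetric (forward / return) rates for one ACL packet type."""
    slots, payload = ACL_PACKETS[ptype]
    # In asymmetric use the reverse direction carries the 1-slot packet of the same family.
    _, ret_payload = ACL_PACKETS["DM1" if ptype.startswith("DM") else "DH1"]
    return {
        "symmetric": rate_kbps(payload, slots, slots),
        "asym_forward": rate_kbps(payload, slots, 1),
        "asym_return": rate_kbps(ret_payload, slots, 1),
    }


def acl_rate_table() -> dict:
    """All six packet types, rounded to 0.1 kbps like the slide."""
    return {p: {k: round(v, 1) for k, v in acl_rates(p).items()} for p in ACL_PACKETS}


if __name__ == "__main__":
    for ptype, rates in acl_rate_table().items():
        print(f"{ptype}: {rates}")
```

The five-slot forward / one-slot return split is what caps a one-way DH5 transfer at about 721 kbps, the "721+56 kbps" figure on the RF slide.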
Mixed Link Example
(figure: MASTER serving SLAVE 1, SLAVE 2 and SLAVE 3 over a mix of SCO and ACL links)
Polling on ACL links
 Slave is allowed to send only after it has been polled.
 Master polls the slave at least every Npoll slots (negotiated).
 Master may send at will.
 Polling algorithm is proprietary.
(figure: Master sends POLL and Data packets, Slave answers with Data, in alternating slots of the TDD frame over time)
Bluetooth Connection States
 There are four connection states on the Bluetooth radio:
 Active: both master and slave participate actively on the channel by transmitting or receiving packets (A, B, E, F, H)
 Sniff: rather than listening on every slot for the master's messages addressed to it, the slave listens only on specified time slots; it can therefore sleep in the free slots, saving power (C)
 Hold: a device can temporarily stop supporting ACL packets and go into a low-power sleep mode, making the channel available for things like paging and scanning (G)
 Park: the slave stays synchronized but does not participate in the Piconet; it is given a Parking Member Address (PMA) and loses its Active Member Address (AMA) (D, I)
(figure: connection state diagram with transitions labelled A to I as referenced above)
Bluetooth Forming a Piconet
 Inquiry: used to find the identity of the Bluetooth devices in close range.
 Inquiry Scan: in this state, devices are listening for inquiries from other devices.
 Inquiry Response: the slave responds with a packet that contains the slave's device access code, native clock and some other slave information.
 Page: the master sends page messages by transmitting the slave's device access code (DAC) in different hop channels.
 Page Scan: the slave listens at a single hop frequency (derived from its page hopping sequence) in this scan window.
 Slave Response: the slave responds to the master's page message.
 Master Response: the master reaches this substate after it receives the slave's response to its page message.
(figure "Forming a Piconet Procedures": message sequence between Master and Slave, steps 1 to 7: Inquiry, Inquiry Scan, Inquiry Response, Page, Page Scan, Slave Response, Master Response, ending in Connection on both sides)
SDP - Service Discovery
 Focus
  Service discovery within the Bluetooth environment
  Optimized for the dynamic nature of Bluetooth
  Services offered by or through Bluetooth devices
 Some Bluetooth SDP requirements (partial list)
  Search for services based upon service attributes and service classes
  Browse for services without a priori knowledge of services
  Suitable for use on limited-complexity devices
  Enable caching of service information
 How does it work?
  Establish an L2CAP connection to the remote device
  Query for services
   Search for a specific class of service, or
   Browse for services
  Retrieve attributes that detail how to connect to the service
  Establish a separate (non-SDP) connection to use the service
Packet Structure
 Access Code (72 bits) | Header (54 bits) | Payload (0 - 2745 bits)
 Control packets: ID*, Null, Poll, FHS, DM1
 Guard: 220 µs
 Data/voice packets:
  Voice: HV1, HV2, HV3, DV (no retries, no CRC, FEC optional)
  Data: DH1, DH3, DH5 (2712 bits), DM1 (data: 136 bits), DM3, DM5 (ARQ, CRC, FEC optional); payload = Header | Data | CRC
Source: Farinaz Edalat, Ganesh Gopal, Saswat Misra, Deepti Rao
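Added example (Python, not from the slides): where the 54-bit header comes from. The baseband header carries 18 information bits (LT_ADDR 3, TYPE 4, FLOW 1, ARQN 1, SEQN 1, HEC 8) under rate-1/3 FEC, i.e. each bit is repeated three times and majority-decoded, so one flipped bit per triplet is corrected. The HEC value is taken as an input rather than generated, the LSB-first bit order is this example's convention, and all function names are this example's.

```python
# Bluetooth baseband packet header: 18 information bits under rate-1/3 FEC (each bit
# sent three times), which is where the 54-bit header on the slide comes from.
HEADER_FIELDS = (("lt_addr", 3), ("type", 4), ("flow", 1),
                 ("arqn", 1), ("seqn", 1), ("hec", 8))

def pack_header(**fields) -> list:
    """18 header bits, LSB of each field first (that bit order is this example's
    convention); the HEC value is supplied by the caller rather than computed."""
    bits = []
    for name, width in HEADER_FIELDS:
        value = fields[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        bits.extend((value >> i) & 1 for i in range(width))
    return bits

def unpack_header(bits: list) -> dict:
    """Inverse of pack_header."""
    out, pos = {}, 0
    for name, width in HEADER_FIELDS:
        out[name] = sum(bits[pos + i] << i for i in range(width))
        pos += width
    return out

def fec13_encode(bits: list) -> list:
    """Rate-1/3 repetition code: each bit is transmitted three times in a row."""
    return [b for b in bits for _ in range(3)]

def fec13_decode(coded: list) -> tuple:
    """Majority vote per triplet -> (bits, corrected errors). Two or three flips
    inside one triplet decode to the wrong bit and are not detected here."""
    if len(coded) % 3:
        raise ValueError("coded length must be a multiple of 3")
    bits, corrected = [], 0
    for i in range(0, len(coded), 3):
        triplet = coded[i:i + 3]
        bit = 1 if sum(triplet) >= 2 else 0
        corrected += sum(1 for b in triplet if b != bit)
        bits.append(bit)
    return bits, corrected

def header_roundtrip(flips: list, **fields) -> tuple:
    """Encode, flip the given coded-bit positions (simulated channel errors), decode."""
    coded = fec13_encode(pack_header(**fields))
    for pos in flips:
        coded[pos] ^= 1
    bits, corrected = fec13_decode(coded)
    return unpack_header(bits), corrected
```

With constructed field values, header_roundtrip([0, 7, 31, 52], ...) recovers the header and reports four corrected bits, while two flips inside one triplet (e.g. positions 3 and 4) silently change LT_ADDR: the repetition code corrects, it does not detect, which is why the HEC is still needed.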
BlueZ
Download