Wireless LANs
EPL 657
Andreas Pitsillides
Contains slides and ideas from Teknillinen Korkeakoulu, Finland: Wireless personal, local, metropolitan, and wide area networks, S-72.3240, and EntNet@Supercom2004 WLAN tutorial, 23/6/2004

Feature Topic on the Future of Wi-Fi
• Wi-Fi is a well researched topic with wide applicability… why study further?
• E.g. call for Papers IEEE Communications Magazine
  – emerging and future generations of IEEE 802.11 Wi-Fi, such as Wi-Fi CERTIFIED(tm) ac and WiGig CERTIFIED(tm), will be capable of achieving multiple gigabits per second speeds and be used to do everything from simple web browsing and peer-to-peer sharing, to multimedia streaming, real-time teleconferencing, cable replacement, and wireless docking, to name a few. Coupled with the recent introduction of Wi-Fi CERTIFIED(tm) Passpoint by the Wi-Fi Alliance, users can further enjoy seamless and secure connectivity when roaming between cellular and Wi-Fi and between Wi-Fi networks.

Future Wi-Fi technologies
• Topics of interest include, but are not limited to, the following categories:
  – Technological overview of the recent, emerging, and future Wi-Fi technologies
  – PHY-, MAC-, and network-layer architectures and protocols
  – Privacy and Security
  – Spectrum and Regulatory
  – Wi-Fi and cellular interworking
  – Implementation and deployment challenges
  – Emerging applications and services

WIRELESS LAN (WLAN)
• Selected topics
  – Introduction
  – WLAN aims
  – WLAN characteristics
  – WLAN design goals
  – Infrared vs radio transmission
  – Infrastructure-based vs ad-hoc networks
  – WLAN Standards
  – IEEE 802.11
  – WLAN Roaming
  – WLAN Security
  – WLAN enhancements
  – WLAN design issues
• Other technologies (separate slides)

Why Wireless LANs (WLANs)
• Mobility (portability) and Flexibility
• Places where there is no cabling infrastructure / Hard to wire areas
• Reduced cost of wireless systems
• Improved flexibility of wireless systems
• Cost
  – Relatively low cost of deployment
  – Continual drop in price for WLAN equipment

Wireless LAN Applications
• LAN Extension
• Cross building interconnection
• Nomadic access
• Ad hoc networks

Vertical Markets
• Factory floor
• Home networking
• Hospital
• Office workers
• Retail stores
• Warehouse
• Stock market
• Airport
• Hotel
• Starbucks
• College campus
• Convention Center
• Miscellaneous

Example WLAN deployment - Hotel
• Competing technologies: Wired Ethernet (802.3), Phone Line, xDSL, Power Line
• Proposed: Wireless LAN (802.11)
• Why: Price/Performance and ease of deployment
• Current status: almost all major hotel chains in major (and not so major) cities

Wireless LANs

Wireless LAN considerations
• Throughput
• Number of nodes
• Connection to backbone
• Service area
• Battery power consumption
• Transmission robustness and security
• Collocated network operation
• License free operation
• Handoff/roaming
• Dynamic configuration

WLANs goal
• A mature market introducing the flexibility of wireless access into office, home, or production environments.
• Typically restricted in their diameter to buildings, a campus, single rooms etc.
• The global goal of WLANs is to replace office cabling, increase flexibility of connection especially for portable devices and, additionally, to introduce a higher flexibility for ad hoc communication in, e.g., group meetings.
WLAN characteristics
• Advantages:
  – very flexible within radio coverage
  – ad-hoc networks without previous planning possible
  – wireless networks allow for the design of small, independent devices
  – more robust against disasters (e.g., earthquakes, fire)

WLAN characteristics
• Disadvantages:
  – typically lower bandwidth compared to wired networks (~11 – 300 Mbit/s) due to limitations in radio transmission, higher error rates due to interference, and higher delay/delay variation due to extensive error correction and error detection mechanisms
    • offer lower QoS
  – a number of proprietary solutions, especially for higher bit-rates, and standards take their time (e.g., IEEE 802.11n)
    • standardized functionality plus many enhanced features
    • additional features only work in a homogeneous environment (i.e., when adapters from the same vendors are used)
  – products have to follow many national restrictions if working wireless; it takes a very long time to establish global solutions

WLAN design goals
• global, seamless operation of WLAN products
• low power for battery use (special power saving modes and power management functions)
• no special permissions or licenses needed (license-free band)
• robust transmission technology
• easy to use for everyone, simple management
• protection of investment in wired networks (support the same data types and services)
• security – no one should be able to read other’s data, privacy – no one should be able to collect user profiles, safety – low radiation

Known problems with WLANs
• Wireless link characteristics: media is error prone and the bit error rate (BER) is very high compared to the BER of wired networks.
• Carrier Sensing/collision detection is difficult in wireless networks because a station is incapable of listening to its own transmissions in order to detect a collision (more later).
• The Hidden Terminal problem also decreases the performance of a WLAN (more later).
• Mobility (variation in link reliability, seamless connections required, battery limitations) (more later)

Wireless Link Characteristics
Differences from wired link …
  – decreased signal strength: radio signal attenuates as it propagates through matter (path loss)
  – interference from other sources: standardized wireless network frequencies (e.g., 2.4 GHz) shared by other devices (e.g., phone); also devices (e.g., motors) interfere as well (noise)
  – multipath propagation: radio signal reflects off objects, arriving at destination at slightly different times (channel quality varies over time)
  – shared with other technologies and spectrum users
  – more difficult security (shared medium)
… make communication across (even a point to point) wireless link much more “difficult”

Wireless LAN Radio Technology
• Infrared (IR) LANs
• Spread spectrum LANs
• Narrow band microwave
• Laser beam

ISM frequency bands
ISM (Industrial, Scientific and Medical) frequency bands:
• 900 MHz band (902 … 928 MHz)
• 2.4 GHz band (2.4 … 2.4835 GHz)
• 5.8 GHz band (5.725 … 5.850 GHz)
Anyone is allowed to use radio equipment for transmitting in these bands (provided specific transmission power limits are not exceeded) without obtaining a license.

WLAN Standards
• Several WLAN standards, e.g.:
  – IEEE 802.11b offering 11 Mbit/s at 2.4 GHz
  – The same radio spectrum is used by Bluetooth
    • A short-range technology to set-up wireless personal area networks with gross data rates less than 1 Mbit/s
  – IEEE 802.11a, operating at 5 GHz and offering gross data rates of 54 Mbit/s
  – IEEE 802.11g offering up to 54 Mbit/s at 2.4 GHz.
  – IEEE 802.11n up and coming standard up to 300 Mbit/s (two spatial streams; 600 Mbit/s with 4 spatial streams)
  – …

WLAN Standards
Wireless LAN
• 2.4 GHz: 802.11 (2 Mbps), 802.11b (11 Mbps), 802.11g (22-54 Mbps)
• 5 GHz: HiSWANa (54 Mbps), 802.11a (54 Mbps), HiperLAN2 (54 Mbps)
• 802.11n (300Mb/sec)
• HomeRF 2.0 (10 Mbps), Bluetooth (1 Mbps), HomeRF 1.0 (2 Mbps)
• 802.11 Protocols under development: 802.11e (QoS), 802.11f (IAPP), 802.11h (TPC-DFS), 802.11i (Security)

IEEE 802 standardisation framework
• 802.1 Management
• 802.2 Logical Link Control (LLC)
• Medium Access Control (MAC): 802.3 MAC, 802.5 MAC, 802.11 MAC (CSMA/CA)
• PHY: 802.3 PHY, 802.5 PHY, 802.11 PHY, 802.11a PHY, 802.11b PHY, 802.11g PHY
• 802.3: CSMA/CD (Ethernet); 802.5: Token Ring; 802.11: CSMA/CA (Wireless LAN)
• 802.11n (300Mb/sec)
• Many more protocols recently developed or under development

Recent IEEE 802 standardisation efforts
A recent call for papers (CFPs):
A new generation of Wireless Local Area Networks (WLANs) is going to make its appearance in the upcoming years, with the IEEE 802.11aa (Robust Audio Video Transport Streaming), IEEE 802.11ac (Very-high throughput < 6GHz), IEEE 802.11af (TV White Spaces) and IEEE 802.11ad (Very-high throughput ~60 GHz), as examples of the most expected ones. Nevertheless, all next-generation standards will consider some of the most significant advances on the wireless communication and networking area in the last decade, developed by a highly active community, in both academia and industry. This special issue requests papers that advance the state-of-the-art of the recent and on-going IEEE 802.11 standards (i.e., IEEE 802.11p, IEEE 802.11s, IEEE 802.11aa, IEEE 802.11ac, IEEE 802.11ad, IEEE 802.11ae, IEEE 802.11ah, IEEE 802.11af, IEEE 802.11ai, etc.), as well as present mechanisms and solutions, from MAC or above layers, that could be readily transferred to the not-yet finished standards or their future amendments.
IEEE 802 wireless network technology options
Network definition | IEEE standard | Known as
Wireless personal area network (WPAN) | IEEE 802.15.1 | Bluetooth
Low-rate WPAN (LRWPAN) | IEEE 802.15.4 | ZigBee
Wireless local area network (WLAN) | IEEE 802.11 | WiFi
Wireless metropolitan area network (WMAN) | IEEE 802.16 | WiMAX

IEEE 802.11 standard
• As the standard's number indicates, this standard belongs to the group of 802.x LAN standards.
• This means that the standard specifies the physical and medium access layer adapted to the special requirements of wireless LANs, but offers the same interface as the others to higher layers to maintain interoperability.
• The primary goal of the standard was the specification of a simple and robust WLAN which offers time-bounded and asynchronous services.

IEEE 802.11 Wireless LAN
• 802.11b
  – 2.4-5 GHz unlicensed spectrum
  – up to 11 Mbps
  – direct sequence spread spectrum (DSSS) in physical layer
    • all hosts use same chipping code
• 802.11a
  – 5-6 GHz range
  – up to 54 Mbps
    • Shading is much more severe compared to 2.4 GHz
    • Depending on the SNR, propagation conditions and distance between sender and receiver, data rates may drop fast
• 802.11g
  – 2.4-5 GHz range
  – up to 54 Mbps
  – Benefits from the better propagation characteristics at 2.4 GHz compared to 5 GHz
    • Backward compatible to 802.11b
• 802.11n: multiple antennae
  – 2.4-5 GHz range
  – typically 200++ Mbps
• IEEE 802.11e
  – MAC enhancements for providing some QoS
    • Some QoS guarantees can be given only via polling using PCF
• all use CSMA/CA for multiple access
• all have base-station and ad-hoc network versions

Characteristics of selected wireless link standards
[Figure: data rate (Mbps, from .056 to 200) versus range (indoor 10-30m, outdoor 50-200m, mid-range outdoor 200m – 4 Km, long-range outdoor 5Km – 20 Km) for 802.11n, 802.11a,g, 802.11b, 802.11a,g point-to-point, 802.15, 802.16 (WiMAX), 3G cellular enhanced (UMTS/WCDMA-HSPDA, CDMA2000-1xEVDO), 3G (UMTS/WCDMA, CDMA2000) and 2G (IS-95, CDMA, GSM)]

Infrastructure-based vs ad-hoc wireless networks
Infrastructure-based wireless networks
[Figure: several access points connected to a wired network; AP: Access Point]
• Infrastructure networks provide access to other networks.
• Communication typically takes place only between the wireless nodes and the access point, but not directly between the wireless nodes.
• The access point does not just control medium access, but also acts as a bridge to other wireless or wired networks.

Infrastructure-based vs ad-hoc wireless networks
• Several wireless networks may form one logical wireless network:
  – The access points together with the fixed network in between can connect several wireless networks to form a larger network beyond actual radio coverage.
• Network functionality lies within the access point (controls network flow), whereas the wireless clients can remain quite simple.
• Can use different access schemes with or without collision.
  – Collisions may occur if medium access of the wireless nodes and the access point is not coordinated.
    • If only the access point controls medium access, no collisions are possible.
  – Useful for quality of service guarantees (e.g., minimum bandwidth for certain nodes)
  – The access point may poll the single wireless nodes to ensure the data rate.

Infrastructure-based vs ad-hoc wireless networks
• Infrastructure-based wireless networks lose some of the flexibility wireless networks can offer in general:
  – They cannot be used for disaster relief in cases where no infrastructure is left.

Infrastructure-based vs ad-hoc wireless networks
Ad-hoc wireless networks
• No need of any infrastructure to work
  – greatest possible flexibility
• Each node communicates with other nodes, so no access point controlling medium access is necessary.
  – The complexity of each node is much higher
    • implement medium access mechanisms and forwarding data

Infrastructure-based vs ad-hoc wireless networks
• Nodes within an ad-hoc network can only communicate if they can reach each other physically
  – if they are within each other’s radio range
  – if other nodes can/want to forward the message
• IEEE 802.11 WLANs are typically infrastructure-based networks, which additionally support ad-hoc networking
• Bluetooth is a typical wireless ad-hoc network

Elements of a wireless network
wireless hosts
• laptop, PDA, IP phone
• run applications
• may be stationary (non-mobile) or mobile
  – wireless does not always mean mobility

Elements of a wireless network
base station
• typically connected to wired network
• relay - responsible for sending packets between wired network and wireless host(s) in its “area”
  – e.g., cell towers, 802.11 access points

Elements of a wireless network
wireless link
• typically used to connect mobile(s) to base station
• also can be used as backbone links
• multiple access protocol coordinates link access
• various data rates, transmission distance

Elements of a wireless network
infrastructure mode
• base station connects mobiles into wired network
• handoff: mobile changes base station

Elements of a wireless network
Ad hoc mode
• no base stations
• nodes can only transmit to other nodes within link coverage
• nodes organize themselves into a network: route among themselves
[Figure: ad-hoc network with one node disconnected from the rest of the ad-hoc network]

WLAN components
Figure 2.11 Photographs of popular 802.11b WLAN equipment. Access points and a client card are shown on top, and PCMCIA Client card is shown on left and WLAN router on right. (Courtesy of Cisco Systems, Inc.)
IEEE 802.11 terminology
System Architecture of an infrastructure network
[Figure: two 802.11 LANs (BSS1 with STA1, BSS2 with STA2 and STA3), each with an Access Point, joined by the Distribution System into an ESS, with a Portal to an 802.x LAN]
• Station (STA) – terminal with access mechanisms to wireless medium and radio contact to access point
• Basic Service Set (BSS) – group of stations using same radio frequency
• Access Point (AP) – station integrated into the wireless LAN and the distribution system
• Portal – bridge to other (wired) networks
• Distribution System (DS) – interconnection network to form one logical network
• Extended Service Set (ESS) – based on several BSS

IEEE 802.11 BSS
• IEEE 802.11 allows the building of ad hoc networks between stations, thus forming one or more BSSs.
  – In this case, a BSS comprises a group of stations using the same radio frequency.
  – Several BSSs can either be formed via the distance between the BSSs or by using different carrier frequencies.

Distribution System (DS)
• Used to interconnect wireless cells (multiple BSS to form an ESS)
• Allows multiple mobile stations to access fixed resources
• Interconnects 802.11 technology

Access Points (AP)
• Allows stations to associate with it
• Supports Distributed Coordination Function (DCF) and Point Coordination Function (PCF)
• Provides management features
  – Join/Associate with BSS
  – Time synchronisation (beaconing)
  – Power management
• all traffic flows through APs
• Supports roaming

IEEE standard 802.11
[Figure: protocol stacks in an infrastructure network. Mobile terminal: application, TCP, IP, LLC, 802.11 MAC, 802.11 PHY. Access point: LLC over 802.11 MAC / 802.11 PHY and 802.3 MAC / 802.3 PHY. Fixed terminal: application, TCP, IP, LLC, 802.3 MAC, 802.3 PHY]

IEEE 802.11 protocol
• Protocol architecture aims
  – Applications should not notice any difference apart from the lower bandwidth and perhaps higher access time from the wireless LAN.
    • WLAN behaves like, perhaps a ‘slower’, wired LAN.
  – Consequently, the higher layers (application, TCP, IP) look the same for the wireless node as for the wired node.
  – The differences are in physical and link layer
    • different media and access control

IEEE 802.11 protocol
  – The physical layer provides a carrier sense signal, handles modulation and encoding/decoding of signals.
  – The basic tasks of the MAC (medium access control) protocol comprise medium access, fragmentation of user data, and encryption.
• The standard also specifies management layers.
  – The MAC management supports the association and reassociation of a station to an access point and roaming between different APs.
  – Furthermore, it controls authentication mechanisms, encryption, synchronization of a station with regard to an AP, and power management to save battery power.

IEEE 802.11
• Physical layer
  – Includes the provision of the Clear Channel Assessment (CCA) signal (energy detection).
  – This signal is needed for the MAC mechanisms controlling medium access and indicates if the medium is currently idle.
  – A number of physical channels
[Figure: Logical Link Control (LLC) over Media Access Control (MAC) over the physical layers: 802.11 infrared, 802.11 FHSS, 802.11 DSSS, 802.11a OFDM, 802.11b HR-DSSS, 802.11g OFDM]

Physical layer
Wireless Transmission
• Infrared (IR)
• Radio Frequency (RF)
  – Spread Spectrum
    • Frequency Hopping
    • Direct Sequence
  – Orthogonal Frequency Division Multiplexing

Infrared vs radio transmission
Infrared light
• uses IR diodes, diffuse light reflected at walls, furniture etc, or directed light if a LOS exists between sender and receiver
• Advantages
  – simple, cheap, available in many mobile devices (PDAs, laptops, mobile phones)
  – no licenses needed
• Disadvantages
  – interference by sunlight, heat sources etc.
  – many things shield or absorb IR light
  – cannot penetrate obstacles (e.g., walls)
  – low bandwidth (~115kbit/s, 4Mbit/s)
• Example
  – IrDA (Infrared Data Association) interface available everywhere
Radio
• typically using the license free frequency band at 2.4 GHz
• Advantages
  – experience from wireless WAN (microwave links) and mobile phones can be used
  – coverage of larger areas possible (radio can penetrate (thinner) walls, furniture)
  – higher transmission rates (~11 – 54 Mbit/s)
• Disadvantages
  – very limited license free frequency bands
  – shielding more difficult, interference with other senders, or electrical devices
• Example
  – IEEE 802.11, HIPERLAN, Bluetooth

Example WLAN physical layer
• 802.11g is the most popular physical layer, operating in the same band as 802.11b
• The signal format is OFDM (Orthogonal Frequency Division Multiplexing)
• Data rates supported: various bit rates from 6 to 54 Mbit/s (same as 802.11a)
[Figure: 802.11 Medium Access Control (MAC), CSMA/CA, over the 802.11, 802.11a, 802.11b and 802.11g PHYs; ISM band: 2.4 … 2.4835 GHz]

ISM frequency band at 2.4 GHz
The ISM band at 2.4 GHz can be used by anyone as long as (in Europe...)
Transmitters using FH (Frequency Hopping) technology:
• Total transmission power < 100 mW
• Power density < 100 mW / 100 kHz
Transmitters using DSSS technology:
• Total transmission power < 100 mW
• Power density < 10 mW / 1 MHz
(ETSI EN 300 328-1 requirements)

802.11 spectrum at 2.4 GHz
• Divided into overlapping channels.
• E.g., the 2.4000–2.4835 GHz band is divided into 13 channels, each of width 22 MHz but spaced only 5 MHz apart, with channel 1 centred on 2.412 GHz and 13 on 2.472 GHz
• Availability of channels is regulated by country (e.g. Japan adds a 14th channel 12 MHz above channel 13).
• 3 channels are non-overlapping
• Given the separation between channels 1, 6, and 11, the signal on any channel should be sufficiently attenuated to minimally interfere with a transmitter on any other channel.
Recall: Free-space loss is dependent on frequency
The free-space loss L of a radio signal is:

$$L = \left(\frac{4\pi d}{\lambda}\right)^{2} = \left(\frac{4\pi d f}{c}\right)^{2}$$

where d is the distance between transmitter and receiver, $\lambda$ is the rf wavelength, f is the radio frequency, and c is the speed of light. The formula is valid for d >> $\lambda$, and does not take into account antenna gains (=> Friis formula) or obstructing elements causing additional loss.

Free-space loss examples
For example, when d is 10 or 100 m, the free-space loss values (in dB) for the different ISM bands are:
Frequency | d = 10 m | d = 100 m
f = 900 MHz | L = 51.5 dB | L = 71.5 dB
f = 2.4 GHz | L = 60.0 dB | L = 80.0 dB
f = 5.8 GHz | L = 67.7 dB | L = 87.7 dB

Maximum channel data rates
Network | Maximum data rate
IEEE 802.15.1 WPAN (Bluetooth) | 1 Mbit/s (Bluetooth v. 1.2), 3 Mbit/s (Bluetooth v. 2.0)
IEEE 802.15.4 LRWPAN (ZigBee) | 250 kbit/s
IEEE 802.11 WLAN (WiFi) | 11 Mbit/s (802.11b), 54 Mbit/s (802.11g), 300+ Mbit/s (802.11n)
IEEE 802.16 WMAN (WiMAX) | 134 Mbit/s

Modulation / Signal spreading
Network | Modulation / spreading method
IEEE 802.15.1 WPAN (Bluetooth) | Gaussian FSK / FHSS
IEEE 802.15.4 LRWPAN (ZigBee) | Offset-QPSK / DSSS
IEEE 802.11 WLAN (WiFi) | DQPSK / DSSS (802.11b), 64-QAM / OFDM (802.11g)
IEEE 802.16 WMAN (WiMAX) | 128-QAM / single carrier, 64-QAM / OFDM

802.11: advanced capabilities
Rate Adaptation
• base station and mobile dynamically change transmission rate (physical layer modulation technique) as mobile moves, SNR varies
[Figure: BER ($10^{-1}$ … $10^{-7}$) versus SNR (10 … 40 dB) for QAM256 (8 Mbps), QAM16 (4 Mbps) and BPSK (1 Mbps), with the operating point marked]
1. As node moves away from base station SNR decreases, BER increases
2. When BER becomes too high, switch to lower transmission rate but with lower BER

IEEE 802.11: MAC overview
• Two basic access mechanisms have been defined for IEEE 802.11
  – CSMA/CA (mandatory) summarized as distributed coordination function (DCF)
    • Optional method (RTS/CTS) avoiding the hidden terminal problem
  – A contention-free polling method for time-bounded service called point coordination function (PCF)
    • access point polls terminals according to a list
  – DCF only offers asynchronous service, while PCF offers both asynchronous and time-bounded service, but needs the access point to control medium access and to avoid contention.
  – only asynchronous data service in ad-hoc network mode

IEEE 802.11: MAC overview
• Within the MAC layer, Distributed Coordination Function (DCF) (asynchronous service) is used as a fundamental access method, while Point Coordination Function (PCF) (synchronous service) is optional.
  – DCF is also known as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol. It is an asynchronous access method based on the contention for the usage of shared channels. A contention-free access mechanism is provided through the RTS/CTS (Request to Send/Clear to Send) exchange.
  – PCF is used for time-bounded transfer of data

IEEE 802.11: MAC overview
• The most important difference between WLAN and LAN protocol design is the impossibility to detect all collisions.
  – difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
    • with receiving and sending antennas immediately next to each other, a station is unable to see any signal but its own.
    • As a result, the complete packet will be sent before the incorrect checksum reveals that a collision has happened.
    • Furthermore, receiver and transmitter are mostly not on at the same time
  – can’t sense all collisions in any case: hidden terminal, fading
[Figure: hidden terminal (stations A, B, C) and fading (A’s and C’s signal strength plotted over space)]

Hidden Station Problem
[Figure: stations A, B, C]
• A is talking to B.
• C does not know this communication and starts talking to B.
• Collisions.

IEEE 802.11: MAC overview
It is of utmost importance that the number of collisions be limited to the absolute minimum.
DCF's CSMA/CA (CA: Collision Avoidance) is the MAC method used in a WLAN. (Wireless stations cannot detect collisions, i.e. the whole packet will be transmitted anyway.)
Basic CSMA/CA operation:
1) If medium is free, then wait a specified time (DIFS), transmit frame
2) If medium busy, then backoff
CSMA/CA rule: backoff before collision

IEEE 802.11: MAC overview
• CSMA/CA protocol basics:
  – medium can be busy or idle (detected by the Clear Channel Assessment (CCA) signal of the physical layer)
    • If medium busy this can be due to data frames or other control frames
  – during a contention phase several nodes try to access medium
  – optionally, the standard allows for collision free operation through small reservation packets (RTS, CTS)

IEEE 802.11: MAC overview
• Define (802.11b):
  – slot = 20 µs (9 or 20 µs for 802.11g)
  – Short inter-frame spacing (SIFS) = 10 µs (16 µs for 802.11a)
    • shortest waiting time for medium access
    • defined for short control messages (e.g., ACK of data packets)
  – DCF inter-frame spacing (DIFS) = 50 µs (28 µs for 802.11g)
    • longest waiting time used for asynchronous data service within a contention period
    • DIFS = SIFS + two slot times
  – PCF inter-frame spacing (PIFS)
    • an access point polling other nodes only has to wait PIFS for medium access (for a time-bounded service)
    • PIFS = SIFS + one slot time (30 µs for 802.11b)
• The standard defines also two control frames:
  – RTS: Request To Send
  – CTS: Clear To Send

Interframe Spacing (IFS) and priorities
(listed from shorter to longer time, i.e. from high to low priority)
• SIFS (Short IFS)
  – ACK, CTS, Poll Messages, Poll responses, CF-End
• PIFS (PCF IFS)
  – PCF operation mode, including Beacon, Retransmitted poll messages
• DIFS (DCF IFS)
  – DCF operation mode, including back-off, RTS
• EIFS (Extended IFS)
  – After detection of erroneous frame

IEEE 802.11: CSMA/CA
• Collision Avoidance
  – idea is to prevent collisions at the moment they are most likely to occur, i.e. when the bus is released (since many stations may compete then).
  – In the event medium is sensed busy, all clients are forced to wait for a random number of timeslots and then sense the medium again, before starting a transmission.
  – If the medium is sensed to be busy, the client freezes its timer until it becomes free again. Thus, the chance of two clients starting to send simultaneously is reduced.

IEEE 802.11: CSMA/CA
  – the overhead introduced by the Collision Avoidance delays should be as small as possible.
  – the protocol should keep the number of collisions to a minimum, even under the highest possible load.
• To this end, the range of the random delay, or the contention window, is set to vary with the load.
• In the case of a collision, the contention window (CW) is doubled progressively: 15, 31, 63,...1023, until a successful transmission occurs and the delay is reset to the minimal value.
• From the number CW (= 15 / 31 … 1023 slots) the random backoff bn (in terms of slots) is chosen in such a way that bn is uniformly distributed between 15/31 … CW.
• Since it is unlikely that several stations will choose the same value of bn, collisions are rare.
• The 802.11 standard does not fix the minimum and maximum values of the contention window. However, it does advise a minimum of 15 or 31 and a maximum of 1023.
IEEE 802.11: CSMA/CA
• Broadcast data transfer (DCF)
[Figure: timing diagram over time t: medium busy, DIFS, contention window (randomized back-off mechanism, in slot times), next frame; direct access if medium is free for at least DIFS]
  – station ready to send starts sensing the medium (Carrier Sense based on CCA, Clear Channel Assessment)
  – if the medium is free for the duration of a Distributed Coordination Function Inter-Frame Space (DIFS), then station can start sending
  – if the medium is busy, the station has to wait for a free DIFS, then the station must additionally wait a random back-off time (collision avoidance)
  – if another station occupies the medium during the back-off time of the station, the back-off timer stops (fairness – during the next phase this node will continue its timer from where it stopped)

IEEE 802.11: CSMA/CA
• E.g. Unicast data transfer
[Figure: timing diagram over time t: sender waits DIFS and sends data; receiver waits SIFS and sends ACK; other stations sense the channel busy (waiting time), then wait DIFS and contend before sending data]
  – station has to wait for DIFS before sending data
  – receivers acknowledge after waiting for a duration of a Short Inter-Frame Space (SIFS), if the packet was received correctly

IEEE 802.11: Exponential backoff mechanism
binary exponential backoff:
After k collisions, a random number of slot times between 15 and $2^{k+5}-1$ is chosen. So, for the first collision, each sender might wait between 15 or 31 slot times. After the second collision, the senders might wait between 15 and 63 slot times, and so forth. As the number of retransmission attempts increases, the number of possibilities for delay increases.
Note that the suggested minimum window is normally set at 15 (or 31) at start, so as to have some initial non-zero random delay, and there is a maximum number of attempts before the transmission is declared not possible.

IEEE 802.11: Exponential backoff mechanism
Contention window (CW) for 802.11b
If transmission of a frame was unsuccessful and the frame is allowed to be retransmitted, before each retransmission the Contention Window (CW) from which bn is chosen (at random, starting from 15 or 31) is increased.
802.11b (each attempt: DIFS, then CW):
• Initial attempt: CW = $2^{5}-1$ = 31 slots (slot = 20 µs)
• 1st retransmission: CW = $2^{6}-1$ = 63 slots
• …
• 5th (and further) retransmissions: CW = $2^{10}-1$ = 1023 slots

IEEE 802.11: Exponential backoff mechanism
Contention window (CW) for 802.11g
In the case of 802.11g operation, the initial CW length is 15 slots. The slot duration is 9 µs. The backoff operation of 802.11g is substantially faster than that of 802.11b.
802.11g (each attempt: DIFS, then CW):
• Initial attempt: CW = $2^{4}-1$ = 15 slots (slot = 9 µs)
• 1st retransmission: CW = $2^{5}-1$ = 31 slots
• …
• 6th (and further) retransmissions: CW = $2^{10}-1$ = 1023 slots

IEEE 802.11: Exponential backoff mechanism
Selection of random backoff
From the number CW (= 15 / 31 … $2^{k+5}-1$ slots) the random backoff bn (in terms of slots) is chosen in such a way that bn is uniformly distributed between 0 … CW.
Since it is unlikely that several stations will choose the same value of bn, collisions are rare.
The next slides show wireless medium access in action. The example involves four stations: A, B, C and D.
”Sending a packet” means ”Data+SIFS+ACK” sequence. Note how the backoff time may be split into several parts.
IEEE 802.11: Exponential backoff mechanism
Wireless medium access example
[Figure: timelines for stations A, B, C, D showing Data+SIFS+ACK, Defer, DIFS, Contention Window and Backoff]
1) While station A is sending a packet, stations B and C also wish to send packets, but have to wait (defer + backoff)
2) Station C is ”winner” (backoff time expires first) and starts sending packet

IEEE 802.11: Exponential backoff mechanism
Wireless medium access example
[Figure: timelines for stations A, B, C, D showing ACK, Defer and DIFS]
3) Station D also wishes to send a packet
4) When medium becomes idle plus DIFS elapses, station B continues to count down and station D draws a CW number D(bn); station B is ”winner”. After its CW counts down to zero it starts sending packet

IEEE 802.11: Exponential backoff mechanism
Wireless medium access example
[Figure: timelines for stations A, B, C, D showing ACK and DIFS]
5) Station D counts down to 0 and then starts sending packet. Now there is no competition.

IEEE 802.11: Exponential backoff mechanism
No shortcuts for any station…
[Figure: transmitted frame (A=>B), SIFS, ACK (B=>A), DIFS, Backoff, next frame (A=>B)]
When a station wants to send more than one frame, it has to use the backoff mechanism like any other station (of course it can ”capture” the channel by sending a long frame, for instance using fragmentation).

IEEE 802.11: MAC overview
Avoiding collisions (using extra signalling). How?
idea: allow sender to “reserve” channel rather than random access of data frames: avoid collisions of long data frames
• sender first transmits small request-to-send (RTS) packets to BS using CSMA
  – RTS packets may still collide with each other (but they are very short)
• BS broadcasts clear-to-send CTS in response to RTS
• CTS heard by all nodes
  – sender transmits data frame
  – other stations defer transmissions. For how long?
avoid data frame collisions completely using small reservation packets!
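The backoff rules from the slides above (counters count down only while the medium is idle, the contention window doubles after each collision and resets after a success) can be run as a small slotted simulation. This is an added example, not part of the original slides; it assumes saturated stations, backoff drawn uniformly from 0 … CW, and the 802.11b window of 31 … 1023 slots, and the function names are hypothetical.

```python
import random


def contention_window(retries, cw_min=31, cw_max=1023):
    """CW (in slots) after `retries` failed attempts: doubles each time, capped."""
    return min((cw_min + 1) * 2 ** retries - 1, cw_max)


def simulate_dcf(n_stations, n_frames, cw_min=31, cw_max=1023, seed=1):
    """Slotted model of DCF contention between saturated stations.

    Every station always has a frame queued. Backoff counters count down
    only during idle slots, so a station that loses a round keeps its
    remaining count (the "freeze" rule) instead of drawing a new one.
    Returns per-station deliveries, collision count and idle slots.
    """
    rng = random.Random(seed)          # fixed seed: repeatable runs
    retries = [0] * n_stations
    backoff = [rng.randint(0, cw_min) for _ in range(n_stations)]
    delivered = [0] * n_stations
    collisions = 0
    idle_slots = 0

    while sum(delivered) < n_frames:
        # Skip ahead to the moment the smallest counter reaches zero.
        step = min(backoff)
        idle_slots += step
        backoff = [b - step for b in backoff]
        senders = [i for i, b in enumerate(backoff) if b == 0]

        if len(senders) == 1:
            # Exactly one transmitter: frame is ACKed, CW resets to minimum.
            winner = senders[0]
            delivered[winner] += 1
            retries[winner] = 0
        else:
            # Two or more counters expired in the same slot: collision.
            # Nobody detects it during transmission; the missing ACK
            # makes each sender double its CW and retry.
            collisions += 1
            for i in senders:
                retries[i] += 1

        # Only stations that transmitted draw a new backoff value.
        for i in senders:
            cw = contention_window(retries[i], cw_min, cw_max)
            backoff[i] = rng.randint(0, cw)

    return {
        "delivered": delivered,
        "collisions": collisions,
        "idle_slots": idle_slots,
        # Share of channel accesses that ended in a collision.
        "collision_rate": collisions / (collisions + n_frames),
    }


if __name__ == "__main__":
    for n in (2, 5, 20):
        adaptive = simulate_dcf(n, 2000)
        fixed = simulate_dcf(n, 2000, cw_max=31)   # CW never grows
        print(f"{n:2d} stations: collision rate "
              f"{adaptive['collision_rate']:.3f} with doubling, "
              f"{fixed['collision_rate']:.3f} with fixed CW=31")
```

Setting `cw_max` equal to `cw_min` disables the doubling, which shows how much of the collision avoidance under load comes from the growing window rather than from the random draw alone.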
Network Allocation Vector (NAV)
• Each RTS frame includes the duration of the time it needs to occupy the channel.
• NAV: a timer on other stations, which have to wait for the NAV before checking if the channel/medium is free.
• When a station (WS1) sends RTS (or CTS), other stations on the system start NAV (WS2 and WS3 in the example).

[Figure: WS1 sends RTS, which is received by WS2 and WS3.]

Hidden Station Problem (Solution)
• B can hear A and C
• A and C cannot hear each other
• A and C want to send to B

[Figure: stations A, B and C exchanging RTS/NAV, CTS/NAV and Data.]

B accepts the RTS from A and rejects the RTS from C. The CTS from B (actually BS) to A is also received by C, which starts the NAV timer given in the CTS.

Busy Medium
• Physically busy: a station senses the wireless medium to determine if it is busy.
• Virtually busy: a station receives a control message (RTS or CTS) which indicates the wireless medium is busy for the duration of the NAV timer.
• All stations must monitor the headers of all frames they receive and store the NAV value in a counter. The counter decrements in steps of one microsecond. When the counter reaches zero, the channel is available again.

IEEE 802.11
• Sending unicast packets with RTS/CTS control frames

[Figure: timing diagram. Sender: DIFS, RTS, data. Receiver: CTS and ACK, each after SIFS. Other stations: NAV (RTS) = 3 SIFS + CTS + data + ACK, NAV (CTS) = 2 SIFS + data + ACK, defer access, then DIFS and contention.]

– station can send RTS with reservation parameter after waiting for DIFS (reservation determines the amount of time the data packet needs the medium and the ACK related to it).
– Every node receiving this RTS now has to set its network allocation vector (NAV): it specifies the earliest point at which the node can try to access the medium again
– acknowledgement via CTS after SIFS by receiver (if ready to receive)
– sender can now send data at once, acknowledgement via ACK
– Other stations store medium reservations distributed via RTS and CTS

Collision Avoidance: RTS-CTS exchange

[Figure: A, AP and B over time: reservation collision, DATA (A), defer.]

802.11 MAC Timing

Example calculation of throughput
Masters thesis: http://eeweb.poly.edu/dgoodman/fainberg.pdf
Note that DIFS should have been part of the idle time.

Point Coordination Function (PCF)
• Optional and implemented on top of DCF. Must be running in conjunction with DCF.
• A single Access Point (AP) controls access to the medium, and a Point Coordinator Agent resides in the AP.
• AP sends a beacon message and all stations stop DCF.
• AP polls each station for data, and after a given time interval moves to the next station.
• Guaranteed maximum latency
• No station is allowed to transmit unless it is polled.
• AP could have a priority scheme for stations, and support time-sensitive applications.

PCF (cont.)

[Figure: repetition interval made up of a contention free period (CFP, PCF) and a contention period (CP, DCF), with busy medium and NAV. B: beacon message.]

Additional WLAN Features
• Positive Acknowledgement
• Sequence Control
• Fragmentation
– Large frames vs. small frames
– Error-prone medium

IEEE 802.11 framing and addressing

802.11 frame: addressing

[Figure: host H1, AP, router R1 and the Internet. 802.3 frame between AP and R1: dest. address = R1 MAC addr, source address = H1 MAC addr. 802.11 frame between H1 and AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.]

802.11 frame: addressing

Fields (sizes in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4).
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: see later

Recall: Routing in a (W)LAN
Routing in a (W)LAN is based on MAC addresses. A router performs mapping between these two address types (IP-MAC).

[Figure: a (W)LAN device with MAC address 00:90:4B:00:0C:72, a router holding the mapping 124.2.10.57 / 00:90:4B:00:0C:72, and a server in the IP network using 124.2.10.57.]

Recall: Address allocation
MAC addresses are associated with hardware devices. IP addresses can be allocated to (W)LAN devices either on a permanent basis or dynamically from an address pool using the Dynamic Host Configuration Protocol (DHCP).
The DHCP server may be a separate network element (or for example integrated into a RADIUS server that offers a set of additional features), or may be integrated with the address-mapping router and/or access point.
RADIUS = Remote Authentication Dial-In User Service

Recall: Network Address Translation (NAT)
On the (W)LAN side of the network address translator (NAT device), different (W)LAN users are identified using private (reusable, globally not unique) IP addresses.
On the Internet side of the NAT device, only one (globally unique) IP address is used. Users are identified by means of different TCP/UDP port numbers.
In client-server type of communication, the application on the server is usually behind a certain TCP/UDP port number (e.g. 80 for HTTP), whereas clients can be allocated port numbers from a large address range.
Recall: NAT example

[Figure: User 1 and User 2 in the (W)LAN, the NAT device, and a server in the IP network. IP address for all users in (W)LAN: 124.0.6.12.]
• User 1: IP address 10.2.1.57, TCP port number 14781
• User 2: IP address 10.2.1.58, TCP port number 14782

Case study: ADSL WLAN router
1) The ADSL connection to the wide area network (WAN) is allocated a globally unique IP address using DHCP.
2) We assume that the router has NAT functionality. Behind the router, in the private LAN network, wireless and cabled LAN devices are allocated private IP addresses, again using DHCP (this is a kind of "double DHCP" scenario).
Although routing in the LAN is based on MAC addresses, the IP applications running on the LAN devices still need their own "dummy" IP addresses.

802.11 frame: more

Fields (sizes in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4).
• seq control: frame seq # (for Reliable Data Transfer)
• duration: duration of reserved transmission time (RTS/CTS)

Frame control subfields (sizes in bits): Protocol version (2), Type (2), Subtype (4), To AP (1), From AP (1), More frag (1), Retry (1), Power mgt (1), More data (1), WEP (1), Rsvd (1).
• Type/Subtype: frame type (RTS, CTS, ACK, data)

802.11 Frame Format

Fields (sizes in bytes): Frame Control (2), Duration ID (2), Address 1 (6), Address 2 (6), Address 3 (6), Sequence Control (2), Address 4 (6), Frame Body (0 – 2312 bytes), FCS (4).
Ref. IEEE 802.11 standards

Q: Why do we need four address fields in 802.11?
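The header fields listed above can be decoded directly from a captured frame. This is an added example, not part of the original slides: the function names and sample MAC addresses are constructed, and the role of each address field per To DS / From DS combination follows the IEEE 802.11 addressing rules (To AP / From AP on the slide).

```python
import struct

# Roles of address 1..4 for each (To DS, From DS) combination.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "Sending AP", "SA", None),
    (1, 0): ("Receiving AP", "SA", "DA", None),
    (1, 1): ("Receiving AP", "Sending AP", "DA", "SA"),
}
FRAME_TYPES = {0: "management", 2: "data"}


def fmt_mac(raw):
    return "-".join(f"{b:02x}" for b in raw)


def parse_mac_header(frame):
    """Decode the MAC header of a management or data frame given as bytes."""
    if len(frame) < 24:
        raise ValueError("shorter than a three-address 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # little-endian fields
    ftype = (fc >> 2) & 0x3
    if ftype not in FRAME_TYPES:
        raise ValueError("control frames (RTS, CTS, ACK) use shorter headers")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    raw = [frame[4:10], frame[10:16], frame[16:22]]
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    header_len = 24
    # Address 4 is only on the air when both To DS and From DS are set.
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("truncated four-address header")
        raw.append(frame[24:30])
        header_len = 30
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    return {
        "protocol_version": fc & 0x3,
        "type": FRAME_TYPES[ftype],
        "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "more_frag": bool(fc & 0x0400),
        "retry": bool(fc & 0x0800),
        "power_mgt": bool(fc & 0x1000),
        "more_data": bool(fc & 0x2000),
        "wep": bool(fc & 0x4000),
        "duration": duration,
        "fragment": seq_ctrl & 0xF,
        "sequence": seq_ctrl >> 4,
        "addresses": {role: fmt_mac(a) for role, a in zip(roles, raw)},
        "header_len": header_len,
    }


def build_header(to_ds, from_ds, addresses, ftype=2, subtype=0, seq=0, flags=0):
    """Helper that constructs sample headers for the parser (hypothetical)."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9) | flags
    raw = [bytes.fromhex(a.replace("-", "")) for a in addresses]
    header = struct.pack("<HH", fc, 0) + b"".join(raw[:3])
    header += struct.pack("<H", seq << 4)
    return header + (raw[3] if to_ds and from_ds else b"")


# Constructed sample: a frame relayed between two APs over the wireless link.
SAMPLE = build_header(1, 1, ["02-00-00-00-00-b2", "02-00-00-00-00-b1",
                             "02-00-00-00-00-02", "02-00-00-00-00-01"], seq=42)

if __name__ == "__main__":
    for key, value in parse_mac_header(SAMPLE + b"payload").items():
        print(f"{key:17} {value}")
```

Only the four-address case needs both the radio hop (receiving and sending AP) and the end-to-end pair (DA and SA) in the same header, which is what the fourth field is for.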
802.11 Addresses

To DS  From DS  Address 1     Address 2    Address 3  Address 4
0      0        DA            SA           BSSID      N/A
0      1        DA            Sending AP   SA         N/A
1      0        Receiving AP  SA           DA         N/A
1      1        Receiving AP  Sending AP   DA         SA

DS: Distribution System
BSSID: Basic Service Set ID
DA: Destination Address
SA: Source Address

Case - 00
Stations: 11-22-33-01-01-01 and 11-22-33-02-02-02
• A1 (DA): 11-22-33-01-01-01
• A2 (SA): 11-22-33-02-02-02
• A3: BSS ID
• A4: not used

Case – 01 (wired to wireless)
Wireless 802.11 station 11-22-33-01-01-01, AP 99-88-77-09-09-09, wired 802.3 station 11-22-33-02-02-02
802.3 frame: DA: 11-22-33-01-01-01, SA: 11-22-33-02-02-02
802.11 frame:
• A1 (DA): 11-22-33-01-01-01
• A2 (Sending AP): 99-88-77-09-09-09
• A3 (SA): 11-22-33-02-02-02
• A4: not used

Case – 10 (wireless to wired)
Wireless 802.11 station 11-22-33-01-01-01, AP 99-88-77-09-09-09, wired 802.3 station 11-22-33-02-02-02
802.11 frame:
• A1 (Receiving AP): 99-88-77-09-09-09
• A2 (SA): 11-22-33-01-01-01
• A3 (DA): 11-22-33-02-02-02
• A4: not used
802.3 frame: DA: 11-22-33-02-02-02, SA: 11-22-33-01-01-01

Case – 11 (via wireless)
Wired 802.3 station 11-22-33-01-01-01, AP 99-88-77-09-09-09, wireless 802.11 link, AP 99-88-77-08-08-08, wired 802.3 station 11-22-33-02-02-02
802.3 frames on both wired sides: DA: 11-22-33-02-02-02, SA: 11-22-33-01-01-01
802.11 frame:
• A1: 99-88-77-08-08-08
• A2: 99-88-77-09-09-09
• A3: 11-22-33-02-02-02
• A4: 11-22-33-01-01-01

Wireless Bridge

[Figure: the Ethernet backbones of Building A and Building B, each with a wireless bridge, connected over the wireless link (Case 11).]

IEEE 802.11 management issues: synchronisation, power management, and roaming

MAC management
• Synchronization
- finding and staying with a WLAN
- synchronization functions
• Power Management
- sleeping without missing any messages
- power management functions
• Roaming
- functions for joining a network
- changing access points
- scanning for access points
• Management information base (MIB)

IEEE 802.11 association, roaming, synchronisation
• Stations can select an AP and associate with it.
• The APs support roaming (i.e. changing access points); the distribution system (DS) then handles data transfer between the different APs.
• Furthermore, APs provide synchronization within a BSS, support power management, and can control medium access to support time-bounded service.

Scanning
• Scanning is required for many functions
- finding and joining a network
- finding a new access point during roaming
• Passive scanning
- find networks simply by listening for beacons
• Active scanning
- on each channel send a probe and wait for a probe response

802.11: passive/active scanning

[Figure: host H1 within range of AP 1 (BSS 1) and AP 2 (BSS 2), once for passive and once for active scanning, with the numbered steps listed here.]

Passive Scanning:
(1) Beacon frames sent from APs
(2) Association Request frame sent: H1 to selected AP
(3) Association Response frame sent: AP to H1

Active Scanning:
(1) Probe Request frame broadcast from H1
(2) Probe Response frame sent from APs
(3) Association Request frame sent: H1 to selected AP
(4) Association Response frame sent: AP to H1

802.11: Channels, association
• 802.11b: 2.4GHz-2.485GHz spectrum divided into 13 channels (EU, USA 11 channels) at different frequencies
– AP admin chooses frequency for AP
– interference possible: channel can be same as that chosen by neighboring AP!
• host: must associate with an AP
– scans channels, listening for beacon frames containing AP's name (SSID) and MAC address
– selects AP to associate with
– may perform authentication
– will typically run DHCP to get IP address in AP's subnet

Synchronization
• Timing synchronization function (TSF)
• Used for power management
– beacons sent at well known intervals
– all station timers in BSS are synchronized

[Figure: beacon interval timeline: the access point sends beacons (B) between busy periods of the medium; each beacon carries the value of the time stamp.]

Power Management
• Mobile devices are battery powered
- power management is important for mobility
• 802.11 power management protocol
- allows transceiver to be off as much as possible
- is transparent to existing protocols

Power management approach
• Allow idle stations to go to sleep
- station's power save mode stored in AP
• APs buffer packets for sleeping stations
- AP announces which stations have frames buffered
- traffic indication map (TIM) sent with every beacon
• Power saving stations wake up periodically

802.11: Power management approach
• node-to-AP: "I am going to sleep until next beacon frame"
– AP knows not to transmit frames to this node
– node wakes up before next beacon frame
• beacon frame: contains list of mobiles with AP-to-mobile frames waiting to be sent
– node will stay awake if AP-to-mobile frames are to be sent; otherwise sleep again until next beacon frame

802.11: beacon frames
• Each beacon frame carries the following information in the frame body:
– Beacon interval. Amount of time between beacon transmissions. Before a station enters power save mode, the station needs the beacon interval to know when to wake up to receive the beacon.
– Timestamp. After receiving a beacon frame, a station uses the timestamp value to update its local clock. This enables synchronization among all stations associated with the same access point.
– Service Set Identifier (SSID). The SSID identifies a specific WLAN.
Before associating with a particular WLAN, a station must have the same SSID as the access point. By default, access points include the SSID in the beacon frame to enable sniffing functions to identify the SSID and automatically configure the WLAN NIC with the proper SSID.
– Supported rates. For example, a beacon may indicate that only 1, 2, and 5.5 Mbps data rates are available. As a result, an 802.11b station would stay within limits and not use 11 Mbps. With this information, stations can use performance metrics to decide which access point to associate with.

802.11: beacon frames
– Parameter Sets. The beacon includes information about the specific signalling methods (such as frequency hopping spread spectrum, direct sequence spread spectrum, etc.). For example, a beacon would include in the appropriate parameter set the channel number that an 802.11b access point is using. Likewise, a beacon belonging to a frequency hopping network would indicate hopping pattern and dwell time.
– Capability Information. This signifies requirements of stations that wish to belong to the wireless LAN that the beacon represents. For example, this information may indicate that all stations must use wired equivalent privacy (WEP) in order to participate on the network.
– Traffic Indication Map (TIM). An access point periodically sends the TIM within a beacon to identify which stations using power saving mode have data frames waiting for them in the access point's buffer. The TIM identifies a station by the association ID that the access point assigned during the association process.

802.11: beacon frames and probe response frames
• 802.11 probe response frame
– similar to a beacon frame, except that it carries no TIM info and is only sent in response to a probe request.
– A station may send a probe request frame to trigger a probe response when the station needs to obtain information from another station.
– A radio NIC, for instance, will broadcast a probe request when using active scanning to determine which access points are within range for possible association.
– Some sniffing software tools (e.g., NetStumbler) send probe requests so that access points will respond with the desired info.

WLAN Roaming

[Figure: corporate network with computers, Access Point A and Access Point B, and laptops A to E with WLAN cards. Laptop C moves to Access Point B and registers with it: Reassociation Request, Reassociation Response.]

Mobile stations may move beyond the coverage area of their AP but within range of another AP. Reassociation allows the station to continue operation.

WLAN Roaming
• No or bad connection? Then perform:
– Scanning
• scan the environment, i.e., listen into the medium for beacon signals or send probes into the medium and wait for an answer
– Reassociation Request
• station sends a request to one or several AP(s)
– Reassociation Response
• success: AP has answered, station can now participate
• failure: continue scanning
– AP accepts Reassociation Request
• signal the new station to the distribution system
• the distribution system updates its data base (i.e., location information)
• typically, the distribution system now informs the old AP so it can release resources

Roaming approach
• Station decides that link to its current AP is poor
• Station uses scanning function to find another AP
• Station sends Re-association Request to new AP
• If AP accepts Re-association Request
- AP indicates Re-association to the distribution system
- Distribution system information is updated
• If Re-association Response is successful
- then station has roamed to the new AP
- else station scans for another AP

Joining a network
• Phase 1 – Scanning
– Active (probe)
– Passive (beacon)
• Phase 2 – Authentication (more later)
– Open system
– Some
admission scheme / shared key
• Phase 3 – Association or Reassociation (allows mobility/roaming, more later)

WLAN Roaming
• L2 handover
– If the handover is from one AP to another belonging to the same subnet, then the handover is completed at L2
• L3 handover
– If the new AP is in another domain, then the handover must be completed at L3, due to the assignment of an IP address belonging to the new domain, hence routing to the new IP address.
• Mobile IP deals with these issues – more later

802.11: mobility within same subnet
• H1 remains in same IP subnet: IP address can remain same
• switch: which AP is associated with H1?
– self-learning: switch will see frame from H1 and "remember" which switch port can be used to reach H1

[Figure: router connected to a hub or switch, which connects AP 1 (BSS 1) and AP 2 (BSS 2); H1 moves from BSS 1 to BSS 2.]

Distribution system (DS) - IAPP
DS is the mechanism by which APs and other nodes in the wired IP subnetwork communicate with each other.

[Figure: Distribution System (DS) connecting two APs and a router to the external network (LAN or Internet).]

This communication, using the Inter-Access Point Protocol (IAPP), is essential for link-layer mobility (=> stations can seamlessly move between different BSS networks).

Distribution system (cont.)
For instance, when a wireless station moves from one BSS to another, all nodes must update their databases, so that the DS can distribute packets via the correct AP.

[Figure: WS moves from the BSS of AP 1 to the BSS of AP 2. AP 1, AP 2 and router: update your databases! Packets for this WS will now be routed via AP 2.]

Basic routing example
When WS associates with AP 2, the router in charge of the IP subnet addressing obtains an IP address from the DHCP (Dynamic Host Configuration Protocol) server.

[Figure: DS with AP 1, AP 2, router, DHCP server and external network (LAN or Internet). Step 1: Association (WS with AP 2). Step 2: Fetch IP address (router from DHCP server).]

Basic routing example (cont.)
The router must maintain binding between this IP address and the MAC address of the wireless station.
[Figure: DS with AP 1, AP 2, router and external network (LAN or Internet). WS has MAC address 00:90:4B:00:0C:72; the router holds the binding 124.2.10.57 / 00:90:4B:00:0C:72.]

Basic routing example (cont.)
The globally unique MAC address of the wireless station is used for routing the packets within the IP subnetwork (DS + attached BSS networks).

Basic routing example (cont.)
The dynamic and local IP address of the wireless station is only valid for the duration of attachment to the WLAN and is used for communicating with the outside world.

Basic routing example (cont.)
The router must also know (and use) the MAC address of the access point via which the packets must be routed. For this purpose, a special protocol (IAPP) is needed!

[Figure: as before, with the AP MAC address 00:03:76:BC:0D:12 added; the router holds the binding 124.2.10.57 / 00:90:4B:00:0C:72 / 00:03:76:BC:0D:12.]

IAPP (Inter-Access Point Protocol)
IAPP (defined in IEEE 802.11f) offers mobility in the Data link layer (within an ESS = Extended Service Set).

[Figure: DS with AP 1, AP 2, AP 3 and router to the external network (LAN or Internet); a station moves between APs (1, 2).]

IAPP: APs must be able to communicate with each other when the station moves around in the WLAN.

In addition to IAPP …
IAPP alone is not sufficient to enable seamless handovers in a WLAN. The stations must be able to measure the signal strengths from surrounding APs and decide when and to which AP a handover should be performed (no 802.11 standardised solutions are available for this operation).
In 802.11 networks, a handover means reassociating with the new AP. There may be two kinds of problems:
• will handover work when APs are from different vendors?
• will handover work together with security solutions?
Mobility Management (MM)
There are basically two objectives of Mobility Management:
1. MM offers seamless handovers when moving from one network/subnetwork/BSS to another (active network connection: handover).
2. MM makes sure that users or terminals can be reached when they move to another network/subnetwork/BSS (passive user/terminal: reachability).

MM in cellular wireless networks (1)
1. Handover: In a cellular wireless network (e.g. GSM), the call is not dropped when a user moves to another cell. Handovers are based on measurements performed by the mobile terminal and base stations.

[Figure: mobile terminal moving from BS 1 to BS 2.]

MM in cellular wireless networks (2)
2. Reachability (allows roaming): In a cellular wireless network, the HLR (Home Location Register) knows in which VLR (Visitor Location Register) area the mobile terminal is located. The VLR then uses paging to find the terminal.

[Figure: the mobile subscriber number points to the HLR, the HLR points to the VLR, and the terminal is found by paging.]

MM in three different OSI layers
Mobility Management (MM) schemes are possible in three different layers of the OSI protocol layer model:
• Application layer: e.g. SIP (Session Initiation Protocol), personal mobility
• Transport layer
• Network layer: e.g. Mobile IP, terminal mobility
• Data link layer: IAPP (Inter-Access Point Protocol), handovers
• Physical layer

MM in the Data link layer
IAPP (IEEE 802.11f): Seamless roaming within an ESS network (= IP subnet). Handover is not possible when moving from one ESS network to another. No reachability solutions.

MM in the Network layer
Mobile IP: Seamless roaming between ESS networks (= IP subnetworks).
Handover is possible when moving from one ESS (or WLAN) network to another.

MM in the Application layer
SIP (or other application layer solutions): No seamless handovers as such... However, the terminal can be reached from the outside network, like with Mobile IP.

Mobility management summary
• Within a WLAN, handovers are possible (based on IAPP + proprietary solutions in equipment), but there is no IEEE-supported reachability solution available.
• Handovers between different WLANs require Mobile IP (which also offers reachability). Unfortunately, Mobile IP includes a non-transparent mechanism (Discovering Care-of Address) that must be implemented in all APs.
• Global reachability of wireless stations can be achieved using SIP or similar Application layer concepts. SIP does not require changes to APs.

IEEE 802.11f

[Figure: the 802.11 family around the 802.11 basic protocol: f = IAPP, e = QoS, i = Security, h = DFS/TPC, d = Scanning, a = OFDM 5GHz, b = DSSS 2.4GHz, g = OFDM 2.4GHz.]

The objective: to specify the Inter-Access Point Protocol (IAPP) that enables seamless roaming between different Access Points within an ESS.
Note: 802.11f is not concerned with roaming between ESS networks. For this purpose, non-802.11 solutions must be used.
WLAN: Design and Deployment
(part of design exercise; supplemented with slides by Mr Mylonas in the Lab part)

Wireless LAN Design
Several design issues:
• Business Case – justify your case and cost
• Product Selection
• Wireless Access Points
– Location
– Frequency/Channel
• Security
• Performance
• Reliability
• Management
• Scalability
• Miscellaneous

Product Selection
• Wireless Stations
– Desktop: PCI or USB
– Laptop
– PDA
• Wireless Access Points (WAP)
• Wireless Bridge, if needed: connecting multiple WLAN segments
– A wireless bridge does not support end stations
• Wireless Repeater: Bridge + AP
– A wireless repeater supports end stations
• Wireless Switch
• Security Server (RADIUS Server)
Ref: http://www.practicallynetworked.com/networking/wireless_bridge.htm

Multiple BSS Configuration (different channels/frequencies)

[Figure: server and LAN backbone with three access points on Channel 1, Channel 6 and Channel 11, each serving wireless clients.]

Office Design (802.11b)
Location and Channel Selection
Design: One AP or more APs?

[Figure: 100 metres × 100 metres office with access points on Channel 1, Channel 6, Channel 11, Channel 1 and Channel 1.]

Dense populations
• Case study: 1000 users in a 100m × 100m facility
• 3 or 4 APs will cover the system (in range)
• Need more APs in the area than physically required? To provide the bandwidth that is defined by the customer
• What side-effects are created, if any? Interference from neighbouring units

Determining Cell Density
• Cell size and throughput-based data rate will affect the cell density (maximum number of users per cell).
• To determine cell density for a best-effort network,
– determine average throughput per user
– divide throughput rate of AP by throughput per user. This provides maximum active transmissions per cell.
• In a best-effort WLAN, data latency does not affect the outcome.
• In general, throughput will be about half the data rate of the access point.
Dense Population Area
Reduce Cell size: reduce antenna gain or transmitter power to create a smaller cell size.

[Figure: 100m × 100m area covered by small cells. Pink: Channel 1, Yellow: Channel 6, Green: Channel 11.]

WLAN Performance

                  802.11b    802.11a    802.11g
Link Rate (max)   11 Mbps    54 Mbps    54 Mbps
UDP               7.1 Mbps   30.5 Mbps  30.5 Mbps
TCP               5.9 Mbps   24.4 Mbps  24.4 Mbps

The test was conducted in a lab environment, and the distance is expected to be less than 10m.
Ref. "WLAN Testing with IXIA IxChariot," IXIA White Paper. Appears in EntNet@Supercom2004, 06/23/2004

WLAN Performance (line rate)

[Figure: WLAN performance: throughput (Mbps) versus distance (m) for 802.11g, 802.11a and 802.11b.]

Data Source: Cisco Networking Professional On-Line Live Tech Talk. Appears in EntNet@Supercom2004, 06/23/2004

Determining Cell Size
Cell size: area of coverage provided by an access point.
Size of the cell is determined by several factors:
• transmit power and receiver sensitivity of the radios in AP and client
• antennas used by the AP and client
• data rate used
• frequency and modulation technique
• antenna gain
• environment (e.g. actual coverage characteristics)
Cell size is limited by the device with the weakest RF characteristics.

Coverage – design issues
Figure 2.13 A predicted coverage plot for three access points in a modern large lecture hall. (Courtesy of Wireless Valley Communications, Inc., ©2000, all rights reserved.)

Coverage – design issues
Figure 2.15 A typical neighborhood where high speed license free WLAN service from the street might be contemplated [Dur98b].

Coverage – design issues
Figure 2.16 Measured values of path loss using a street-mounted lamp-post transmitter at 5.8 GHz, for various types of customer premise antenna [from [Dur98], ©IEEE].
Tools for WLAN planning
Many tools are available offering differing functionalities for network design, planning, and monitoring.
• One example is: http://www.softpedia.com/get/NetworkTools/Network-Monitoring/NetStumbler.shtml
• Another tool: http://www.metageek.net/products/inssider/
• Another is: http://www.visiwave.com/index.php/ScrInfoProducts.html?sid=EyUcNeJxwlyKbI46

WLAN security intro

WLAN Security
• Not so efficient compared with Ethernet security due to the nature of the medium and the requirements of the users
• Security mechanisms
– Service Set Identifiers (SSID)
• Used to name the network and provide initial authentication for each client
– Wired Equivalent Privacy (WEP)
• Data encryption technique using shared keys and a pseudorandom number as an initialization vector
• 64-bit key level encryption, BUT several vendors support 128-bit key level encryption
– Wi-Fi Protected Access (WPA(2)) – replaced WEP
• WPA2 encrypts the network with a 256-bit key
– Also a VPN could operate on top of the WLAN, providing increased security

WLAN Security
• IEEE newer standards
– 802.11i (Advanced Encryption Standard: AES uses a symmetric block data encryption technique)
– 802.1X for port based Network Access Control
• provides an authentication mechanism to devices wishing to attach to a LAN/WLAN (governs the Extensible Authentication Protocol (EAP) encapsulation process that occurs between clients, wireless APs, and authentication servers (RADIUS))
• EAP allows developers to pass authentication data between RADIUS servers and wireless APs.
• EAP has a number of variants, including: EAP-MD5, EAP-TLS, EAP-TTLS, LEAP, and PEAP

WLAN Security - WEP
• Wired Equivalent Privacy (WEP) – least secure
- A network that is secured with WEP has been cracked in 3 minutes by the FBI
• Shared key encryption
- Stations use the same key for encryption.
• RC4 encryption algorithm
- Key: 40 bits or 128 bits
• User Authentication
- Not specified in 802.11.
- 802.1X
- VPN

WEP Operation

[Figure: the 40-bit WEP key and a randomly generated 24-bit IV form the 64-bit RC4 key; the RC4 algorithm produces the RC4 key stream; an integrity check is computed over the data. Frame layout: Frame Header, IV Header (4 bytes), Frame Body, ICV Trailer (4 bytes), FCS.]

IV: initialization vector
ICV: integrity check value

WEP Key Distribution Issue
• Key is manually set in the driver.
• The key cannot be protected from local users.
• When a user leaves the organization, technically you must change the key information on all stations.
• What if a station is stolen?
• For a large organization, there is a need to publish the key, which is a security problem.

WEP Design Issue
• Weakness in the Key Scheduling Algorithm: http://www.crypto.com/papers/others/rc4_ksaproc.pdf
• A weakness of RC4 in generating the keystream.
• Hacker attack: using weak IVs to attack a particular byte of the secret portion of the RC4 key.
• The time to attack is linear in the key length.
• This is a complete break for WEP.

WPA(2) - Wi-Fi Protected Access
• WPA: intermediate measure to replace WEP pending availability of the full IEEE 802.11i standard
– requires firmware upgrades on wireless NICs and APs
– implements much of the IEEE 802.11i standard: adopts the Temporal Key Integrity Protocol (TKIP)
– TKIP employs a per-packet key: it dynamically generates a new 128-bit key for each packet, which prevents the types of attacks that compromised WEP (WEP used a 40-bit or 128-bit encryption key that is manually entered on wireless APs and devices and does not change)
– includes a message integrity check to prevent an attacker from capturing, altering and/or resending data packets
• WPA2 replaced WPA.
– implements mandatory elements of IEEE 802.11i: CCMP, an AES-based encryption mode
– requires testing and certification by the Wi-Fi Alliance

Solutions to Security Issue
• Non-standard solutions
– Layer 3 – VPN
– Layer 4 – IP Address Control and Firewall
– Layer 7 – Proxy
• Standard solutions
– 802.11i (including 802.1X)
– 802.1X (including EAP)
– Extensible Authentication Protocol (EAP)

VPN for WLAN (Layer 3)
Layer 2 tunnel over a layer 3 protocol

[Figure: wireless LAN stations reach the Ethernet LAN through a VPN gateway over a VPN tunnel (IP); a RADIUS server sits on the LAN.]

Router/Firewall (Layer 4)

[Figure: wireless station with a temp IP address, LAN, security server for authentication, router, and Internet reached with the official IP address.]

1. Standard WLAN and DHCP procedure for a temp IP address to the wireless station.
2. The temp IP address is used for authentication only. All other traffic is blocked by the router.
3. After user authentication, the station is given an official IP address which can go through the router.
4. May also register the MAC address to reduce the risk of hacker attack.

Proxy/Gateway (Layer 7)

[Figure: wireless station, LAN, security server, proxy gateway and Internet.]

1. Standard WLAN and DHCP procedure for an IP address to the wireless station.
2. User types any URL and the request is routed to the security server web page.
• All other traffic is blocked.
3. After entering account info or credit card, the user is authenticated.
4. The gateway authorizes the traffic from the authenticated station.

WLAN New Security Standards
802.1X and 802.11i

Extensible Authentication Protocol (EAP)
• EAP is an IETF standard (RFC 2284) and was adopted by IEEE as the basis for 802.1X.
• 802.1X is called port-based network access control (also known as a port-based authentication protocol).
• EAP supports both wired and wireless authentication.

[Figure: protocol stack with the EAP methods MD5, TLS, TTLS, LEAP and PEAP on top of EAP, which runs over PPP, 802.3, 802.11 and 802.5.]

TLS: Transport Layer Security
TTLS: Tunnel TLS
LEAP: Lightweight EAP
PEAP: Protected EAP

EAP Authentication Methods
• MD5 (Message Digest 5) - Username/Password. This is similar to MS-CHAP.
• TLS (Transport Layer Security) - PKI (certificates), strong authentication
• TTLS (Tunnel TLS) - Username/Password
• LEAP - Cisco proprietary lightweight EAP. It is to be phased out in favor of PEAP.
• PEAP – Protected EAP.

802.1X
• 802.1X authentication involves three parties:
– a supplicant (client device),
– an authenticator (Ethernet switch or wireless AP), and
– an authentication server, typically a host running software supporting the RADIUS and EAP protocols.
• EAP data is first encapsulated in EAPOL frames between the Supplicant and Authenticator, then re-encapsulated between the Authenticator and the Authentication server using RADIUS or Diameter.

802.1X Port-Based Network Access Control

[Figure: message sequence between Supplicant, Authenticator and Authentication Server (RADIUS); EAP over LAN between Supplicant and Authenticator, EAP over RADIUS between Authenticator and Authentication Server.]

• Association
• EAP Request/Identity
• EAP Response/Identity
• Challenge (auth request)
• Response to the challenge
• Success

Authenticator may set restrictions on the access.

New Product: Wireless Switch
• What is the issue?
– It is not cost effective to implement 802.1X on all access points.
– It is also a management issue.
• If a switch supports 802.1X, could it perform the same function?

[Figure: Supplicant, Authenticator (Wireless Switch), RADIUS.]

802.11i Security Management

[Figure: phases between Supplicant, Authenticator and Authentication Server (RADIUS), with EAP over LAN and EAP over RADIUS: security capability discovery, 802.1X authentication, key management, key distribution, data protection (encryption).]

802.11i Data Protection (encryption)
• Need to replace or improve WEP
• Wi-Fi Protected Access (WPA) and WPA2
• Temporal Key Integrity Protocol (TKIP)
– A wrapper around WEP
– Uses the MAC address to create a unique key for each station.
– Changes the temporal key every 10,000 packets
– It is interoperable with WEP-only devices
– WPA uses TKIP for encryption.
• Advanced Encryption Standard (AES)
– This is included in 802.11i.
– This is to completely replace WEP.
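The WEP encapsulation from the WEP Operation slide, which TKIP wraps and CCMP replaces, can be written out to show how the 24-bit IV and the static key form each frame's RC4 key. This is an added example, not part of the original slides: the CRC-32 ICV and the key-ID byte in the 4-byte IV header follow the WEP frame format, and the function names, key, IV and payload values are constructed.

```python
import os
import struct
import zlib


def rc4(key, data):
    """RC4: key scheduling, then XOR of data with the generated key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def icv(body):
    """Integrity check value: CRC-32 of the plaintext body, little-endian."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def wep_encapsulate(key, body, iv=None, key_id=0):
    """Return IV header (4 bytes) + RC4-encrypted (frame body + ICV trailer)."""
    # 40-bit key, or the 104-bit key that vendors label 128-bit WEP.
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 5 or 13 bytes")
    iv = os.urandom(3) if iv is None else iv
    if len(iv) != 3:
        raise ValueError("IV must be 24 bits")
    rc4_key = iv + key                  # 24-bit IV || static key
    ciphertext = rc4(rc4_key, body + icv(body))
    return iv + bytes([key_id << 6]) + ciphertext   # the IV is sent in clear


def wep_decapsulate(key, protected):
    """Rebuild the per-frame RC4 key from the clear IV and check the ICV."""
    if len(protected) < 8:
        raise ValueError("too short for IV header and ICV trailer")
    iv, ciphertext = protected[:3], protected[4:]
    plaintext = rc4(iv + key, ciphertext)
    body, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(body) != received_icv:
        raise ValueError("ICV mismatch")
    return body


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit key
    frame = wep_encapsulate(key, b"constructed payload", iv=b"\x00\x00\x01")
    print(frame.hex())
    print(wep_decapsulate(key, frame))
```

Because the IV is the only part of the RC4 key that changes from frame to frame and it is visible to every receiver, the whole secret is the manually configured key; this is the construction that TKIP's per-packet keys and the AES-based mode of 802.11i are meant to retire.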
802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.

Windows 7 Wireless Adaptor card options
• Security Type: WPA(2), shared, 802.1X, open, CCKM
• Encryption Type: TKIP, AES, WEP …
• Network security key
• Network Authentication: (P)EAP, (L)EAP, EAP-FAST, EAP-SIM, EAP-TTLS, EAP-AKA

WLAN enhancements

WLAN Performance

                  802.11b    802.11a    802.11g
Link Rate (max)   11 Mbps    54 Mbps    54 Mbps
UDP               7.1 Mbps   30.5 Mbps  30.5 Mbps
TCP               5.9 Mbps   24.4 Mbps  24.4 Mbps

The test was conducted in a lab environment, and the distance is expected to be less than 10m.
Ref. "WLAN Testing with IXIA IxChariot," IXIA White Paper

WLAN enhancements
• See paper

WLAN enhancements
Performance enhancement of WLANs
Methods for improving WLAN performance employ:
• Enhanced hardware in the Physical Layer to achieve better physical (PHY) layer parameters, such as shorter Slot Time and shorter Short Inter-Frame Space (SIFS).
• Better tuning of WLAN parameters, such as Fragmentation Threshold and RTS Threshold [2].
• Adaptive (rather than basic) back-off algorithms in the MAC layer.
• Proxy approaches in the link layer, such as the snoop protocol.
• Split-connection approaches, such as I-TCP or M-TCP.

IEEE 802.11 – enhancements
• IEEE 802.11e – MAC enhancements for providing some QoS
• No QoS in the DCF operation mode
• Some QoS guarantees can be given only via polling using PCF
• For applications such as audio, video, or media stream, distribution service classes have to be provided
– For this reason, the MAC layer must be enhanced

WLAN new technologies
802.11ac
Based on Xirrus http://wifi.xirrus.com/abcs11ac?elq=502ceecd98ba417d93b3514b0bb15391&elqCampaignId=29