Introduction to Wireless Networking
CS 490WN/ECE 401WN
Winter 2007

Lecture 5: Wireless LANs and IEEE 802.11 Part III

This lecture completes the study of wireless LANs, looking at the developing and security aspects of IEEE 802.11.

Chapter 14: Wi-Fi and the IEEE 802.11 Wireless LAN Standard (continued)

I. Network Allocation Vector (NAV)

802.11 frame headers notify the other nodes how long to freeze for a transmission.
Nodes create what is called the Network Allocation Vector.
This is especially helpful when all nodes cannot hear each other, since pure CSMA may not avoid collisions in that case.
This can also save power. Why?
  - Nodes do not need to listen to the channel the whole time.

Lecture 5, Page 1 of 16
The RTS/CTS, therefore, helps to prevent collisions in what types of ways?
If not using the RTS/CTS, the information in the MAC header also provides some of this functionality.
Hidden nodes
  - Collisions when nodes are trying to start.
  - Collisions when nodes do not know others are finished yet.
Collisions of packets, since RTSs will collide instead.

II. IEEE 802.11 MAC Frame and Physical Layers

The MAC Frame
Frame Format

Figure 14.8 shows the 802.11 frame format without security features enabled.
Not all fields are used in all contexts.
Duration/Connection ID: Either indicates time (in microseconds) the channel will be busy, or an association identifier.
  - Duration helps stations know how long to wait until it is expected that the channel will no longer be busy.
Addresses
  - 48 bits
  - 3 fields
  - The number and meanings of the fields depend on context.
  - Types include source or destination address.
  - And possibly the address of the network itself, called the service set ID (SSID). The SSID is the address of the AP for the BSS.
Sequence Control: Used for numbering and reassembly in conjunction with fragmentation.
Frame Check Sequence: A 32-bit cyclic redundancy check.
  - Checks for bit errors in the entire frame.

Bits of the Frame Control Field

Protocol Version: For 802.11 this is currently version 0.
Type: Control, management, or data.
Subtype: Further identification of the type of frame. See Table 14.4 on page 440 and discussion on pages 441-442.
  - Examples are association, reassociation, probe, RTS, CTS, ACK, etc.
To DS: Bit set to 1 if destined for the distribution system.
From DS: Set to 1 if coming from the distribution system.
More fragments: Set to 1 if more fragments are coming.
Retry: Set to 1 if this frame is a retransmission of a previous frame.
Power management: Set to 1 if transmitting station is in sleep mode.
More data: Indicates station has more data to send.
  - Each block of data may be sent by one frame or a group of fragments in multiple frames.
WEP: Set to 1 if Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) is being used for security.
Order: Set to 1 to tell receiver that frames must be processed in order.
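The Frame Control bits and the Duration/Connection ID field described above, decoded in code. This is an added example, not part of the lecture or the textbook; the sample headers are constructed, and the function and field names are this example's own.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
# Subtype names for the frames this lecture mentions, keyed by (type, subtype).
SUBTYPES = {
    (0, 0): "association request", (0, 2): "reassociation request",
    (0, 4): "probe request", (0, 10): "disassociation",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
}
# Flag bits 8..15 of Frame Control, in the order the lecture lists them.
FLAGS = ["to_ds", "from_ds", "more_fragments", "retry",
         "power_mgmt", "more_data", "wep", "order"]


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and Duration/ID from the start of a MAC frame."""
    if len(frame) < 4:
        raise ValueError("need Frame Control and Duration/ID (4 bytes)")
    fc, dur_id = struct.unpack_from("<HH", frame)  # both fields little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {
        "version": fc & 0x3,
        "type": TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "flags": [n for bit, n in enumerate(FLAGS, start=8) if fc >> bit & 1],
    }
    if (ftype, subtype) == (1, 10):
        # PS-Poll carries an association ID instead of a duration.
        info["association_id"] = dur_id & 0x3FFF
    elif not dur_id & 0x8000:
        # Microseconds that other stations load into their NAV.
        info["nav_us"] = dur_id
    return info


# Constructed sample headers (first 4 bytes only), not captured traffic.
SAMPLES = {
    "rts": bytes.fromhex("b4003401"),
    "protected_data_to_ap": bytes.fromhex("08412c00"),
    "deauth": bytes.fromhex("c0003a01"),
    "ps_poll": bytes.fromhex("a40001c0"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_header(raw))
```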
Control Frames
Details on page 441.
Includes RTS, CTS, ACK, and indication of the end of the contention-free period (the contention-free period is the PCF part of the superframe).

Data Frames
Data plus possible information for the contention-free period (ACKs, polls, etc.).
There are also messages for stations to notify others that they are using power saving modes.

Management Frames
For association, reassociation, disassociation, authentication, deauthentication.
Association establishes a link with a BSS and its AP.
Reassociation allows transfer between BSSs without needing a new association. The new AP negotiates with the old AP for forwarding data frames.
Probe: To obtain information from another station or AP.
  - Used to locate a BSS.

802.11 Physical Layers

802.11: 1 Mbps or 2 Mbps
Three possibilities: two types of spread spectrum at 2.4 GHz (Direct Sequence Spread Spectrum and Frequency Hopping Spread Spectrum) for unlicensed bands, and also infrared.
Provides three non-overlapping frequency bands.
  - Provides overlapping channels numbered 1-11, but when using 1, 6, and 11, those three do not overlap.

802.11a: Up to 54 Mbps
Uses the Universal Networking Infrastructure (UNNI) bands.
  - Internationally recognized.
  - Parts between 5 and 6 GHz.
  - Higher frequencies have shorter ranges.
Can have more channels than 802.11b or 802.11g: 4 non-overlapping frequency bands.
Same data rate as 802.11g.
Uses a relatively uncluttered spectrum (5 GHz).
Not sure this will ever be popular.
  - Mainly because of shorter range because of the higher frequency.
  - Signals decay more quickly with distance at higher frequencies.
Uses Orthogonal Frequency Division Multiplexing (OFDM).

802.11b: Called Wi-Fi.
Uses unlicensed 2.4 GHz.
Advanced version of 802.11 Direct Sequence Spread Spectrum.
  - Added 5.5 Mbps and 11 Mbps.
Has the same three non-overlapping frequency bands as 802.11.

802.11g
Uses unlicensed 2.4 GHz.
Up to 54 Mbps, now the most popular.
Can operate the same as 802.11b, and also at 22 and 33 Mbps.
Can also use OFDM for 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.
  - Depending on channel conditions.
  - Same methods as 802.11a.

Table 14.8 gives estimated ranges for a typical office environment.

III. Other IEEE 802.11 Standards

Other standards have been issued or are in the works.

802.11e: Enhance the MAC to improve Quality of Service.
Addresses Quality of Service
  - So some packets can be delivered with higher priority.
  - Important for audio, video, telephone, etc.
  - Details provided in the next section.
Final approval by Task Group E occurred in July 2005.

802.11i: Security and Authentication Mechanisms
Developed Wired Equivalent Privacy (WEP) for 802.11.
WEP proved to be too weak.
The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) as a better alternative.
  - WPA is discussed in a later section of this lecture.

802.11k: Radio Resource Measurements for Higher Layers
Normally in the OSI layering model, upper layers know nothing about the physical layer.
But in the wireless context, it is good for upper layers to know about the physical layer. How can this be beneficial?
  - Routing decisions.
  - So upper layers can decide about retransmissions and timeouts until a lost packet is assumed.
  - So applications can format the data (like MPEG video).
802.11k provides the following information.
  - Site reports help with roaming decisions.
    - As a station is moving away from an AP, an ordered list of other APs is provided.
    - From best to worst service.
    - To help in deciding a change to another AP.
  - Noise Histogram
    - Displays all non-802.11 energy on a channel.
    - Also displays how long a channel is used during a given time.
  - MAC Statistics
    - Retries
    - Packets transmitted
    - Packets received
  - Power Control
    - 802.11k extends transmit power control procedures.
    - For other regulatory domains.
    - To reduce interference and power consumption.
802.11n: Physical/MAC Enhancements to Enable Higher Throughput
Both Physical and MAC layer standards.
Physical
  - Multiple antennas
    - Allows the device to choose from multiple signals to find which is best (or combine them together).
    - Called making us of.
    - Makes use of MIMO (Multiple Input, Multiple Output) antenna technology.
    - Can create huge capacity gains.
  - Smart antennas to direct signal energy to specific locations.
  - New signal encoding schemes.
MAC
  - Goal is to achieve over 100 Mbps.
    - As measured at the interface between the MAC layer and the Network layer.
    - Current specifications (like 54 Mbps 802.11g) measure only at the physical layer.
    - Actual data rates (to the network layer) today may only be ½ of that 54 Mbps.
    - Caused by overheads with frame preambles, acknowledgements, contention windows, and IFSs.
    - So the real goal is a jump from 27 Mbps to over 100 Mbps.
  - Ideas for accomplishing this.
    - MAC control of adaptation of the PHY to the current wireless environment.
    - Bidirectional transfer: ACKs that also include data.
    - Feedback from the AP on what transfer rates are best.
    - Multiple MAC frames aggregated into larger frames for less header overhead and one ACK to cover multiple frames.
    - What is the potential drawback of using larger frames (larger than the current 802.11 maximum of 4096 octets)?
      Greater likelihood of a packet being lost/corrupted. More retransmissions. In some environments, this may not be possible.
802.11n also addresses improved range at existing throughputs, increased resistance to interference, and more uniform coverage within a coverage area.
IEEE Draft Version 1.10, soon to be called 2.0.
  - Approved in January 2007, with good likelihood of moving forward after compromises were struck between handset manufacturers, consumer electronics manufacturers, and major hardware network and chip manufacturers (http://www.networkworld.com/news/2007/012207-ieee-80211nworking-group-approves.html).
  - 802.11n requires completely new hardware on clients and access points.
  - Key features are MIMO, channel bonding, and frame aggregation (http://www.networkworld.com/news/tech/2006/103006techupdate.html).
  - Channel bonding: using more than one 20 MHz channel at a time.
    - Controversial.
    - Causes harsh interference to other devices using the same unlicensed bands.
    - 802.11n devices will scan for the presence of those types of devices and refrain from using channel bonding when they are present.
  - Frame aggregation avoids the problem of 50% channel utilization because of backoffs.
    - It allows long packets to be transmitted without significant delays between transmissions.

Other active groups.
802.11p, Wireless Access in the Vehicular Environment: enhancements to 802.11 required to support Intelligent Transportation Systems (ITS) applications
802.11r, Fast Roaming Fast Handoff
802.11s, Mesh Networking
802.11T, Wireless Performance Prediction
802.11u, Wireless Interworking With External Networks
802.11v, Wireless Network Management
802.11w, Protected Management Frames
802.11y, Contention Based Protocol Study Group
IV. IEEE 802.11e

The Need for QoS

802.11 LANs are increasingly used for a wide variety of applications.
Data applications: Web, e-mail, e-commerce, digital photos, etc.
Real-time applications: Voice telephone (VoIP), audio streaming, video, etc.
  - How is wireless especially helpful for these types of applications?
    With a potential for audio and video servers to distribute throughout a home.
Real-time applications place special demands on a WLAN.
Packets must be delivered in a very steady stream.
  - Which means there should be lower packet delay and low variation in the delay.
And video applications also have high data rate requirements.

The solution: Preferential Treatment

Some packets should be delivered before other packets.
Even if they arrive later.
So not just first-come, first-served.
Preferential treatment is usually the model.
It is hard to guarantee a certain performance.
But can at least say some packets will be delivered before others.

802.11e provides enhancement to both the DCF and PCF.

1. Enhanced DCF (EDCF)

Allows packets to be separated into 4 Access Categories (ACs).
Each AC can have its own IFS, CW min, and CW max.
All of this arbitration between classes happens within a node, not between nodes.
The Virtual Collision Handler also enforces priorities if there is an internal collision.
  - Highest priority will be transmitted.
  - Lower priority will back off.
    - But not using exponential backoff.
    - Just reset its congestion window to CW min.
The overall timing of EDCF can be seen below.
A new IFS is used, called the Arbitration IFS (AIFS).
  - Those with shorter AIFSs start their contention windows earlier.
  - Note: They do not necessarily send their packets, they just start their backoff.
  - Although they may also have shorter backoff.
EDCF requires admission control.
To put new flows of packets into the right ACs.
And to make sure there are not too many flows.

2. Hybrid Coordination Function (HCF)

HCF is an enhancement to PCF.
In addition to polling by the AP, stations can also request transmission opportunities (called TXOPs).
Then the AP uses a complicated scheduling mechanism to give each station a chance to send its packets.
To provide the delay and throughput they require.

Group Acknowledgements

In 802.11 every frame is acknowledged before another frame can be sent.
This creates a robust communication mechanism.
But also adds a lot of overhead.
  - Extra packets that need to be sent.
  - Time delays waiting for those packets.
  - Time delays not being able to send more packets.
802.11e allows groups of frames to be transmitted before any acknowledgement.
After sending a burst of frames, the sender requests a group acknowledgement frame.

Reference for 802.11e
Y. Xiao, "IEEE 802.11e: QoS Provisioning at the MAC Layer," IEEE Wireless Communications, June 2004.

V. Wi-Fi Protected Access

Security is of prime importance in a wireless LAN.
Why is this especially difficult because of the wireless environment?
  - Not confined physically (say, within a building).
  - Users are expected to move in and out of the network a lot.
  - Easy to obtain or use a rogue device.
  - Owners may not configure properly.
  - Some networks expect lots of new users (public hot spots).
  - Naive end users.

Security Requirements

Security can be defined as having multiple types of requirements.
Security is not either on or off.
Instead it can be implemented at multiple levels.
Here are a few requirements.
Data Integrity: Protect data from being modified.
Privacy: Protect data from being viewed.
Authentication: Make sure data is authentic, really from the indicated sender.
Non-repudiation: Make sure those who send packets do not later claim they did not send those packets.
An additional key requirement is Access Control: Make sure that only those who are authorized are allowed to use a system or resources.

Example: When might a person need data integrity but not necessarily privacy?
  Broadcasting, digitally signed letter from a school official.
In such an example, the data may not be encrypted, but instead just have code that goes with it to make sure it arrives the same as it was sent.

Encryption

Foundational element to security.
Packets are scrambled.
Common approach: Using security keys.
A key is used to encrypt and decrypt the data.
  - Hopefully this key cannot be discovered and used to decrypt the data.
  - The longer the key, the harder it is to discover through trial and error.
Symmetric key mechanisms
  - Trusted entities share a key.
  - They use the same key to encrypt and decrypt the data.
  - Keys must be securely distributed.
Public key mechanisms
  - Two keys are used, say from user A.
    - Private key: Kept by A and never shared with anyone.
    - Public key: Key publicly available and known to apply to A.
  - Public and private keys are large numbers that are related mathematically.
    - But the mathematical relationship is very hard to discover.
  - From A to anyone else:
    - If a private key is used by A to encrypt a message, anyone with the public key can decrypt the message.
    - Lets you be confident that A sent the message.
  - From anyone to A:
    - Anyone can use the public key to encrypt a message, and only A can use the private key to decrypt the message.
    - A message can be sent that only A could read.
  - Public key mechanisms use larger keys.
    - So it is much more computationally expensive to do encryption using public keys.

Original 802.11 had security, but with weak features.
Used the Wired Equivalent Privacy (WEP) algorithm for privacy.
Used the RC4 algorithm with a 40-bit key.
  - 40-bit was too short, so a later revision added a 104-bit key.
Used symmetric keys for authentication.
Two parties shared a key not used by any other party.
WEP defines a protocol for using the key for mutual authentication.

Weaknesses

The 40-bit key was woefully inadequate.
104-bit key also vulnerable because of weaknesses in the protocol.
Static keys were used.
Attackers could determine the key by looking at successive packets, or packets that were predictable (like control packets).
Encryption sequences were heavily reused.
  - WEP used a short enough encryption sequence that it recurred fairly soon.
  - Patterns could be seen in the packets to determine the pattern.
  - Which could be used to compromise packets.
Lack of any key management within the protocol.
  - How does one get another's key?
  - How is it protected?
  - Etc.
Also a number of problems with the shared-key scheme.

802.11i Task Group

Developed a set of capabilities to address WLAN security issues.
Wi-Fi Alliance also promulgated Wi-Fi Protected Access (WPA).

Three Main Security Areas of 802.11i
  - Authentication
  - Key Management
  - Data Transfer Privacy

Authentication
Requires use of an authentication server.
  - Plays an important role in key distribution.
See Figure 14.13.
First the station and the AP agree on security capabilities to be used.
Then the authentication server (AS) and the station cooperate to provide secure authentication.
Then the AS distributes keys to the AP.
  - The AP manages and distributes keys to stations.
Finally strong encryption is used to protect data transfer between the station and the AP.

Three main ingredients of the 802.11i architecture

Authentication: AS provides mutual authentication and temporary keys.
  - Authentication above LLC and MAC protocols is out of the scope of 802.11.
  - Can use Extensible Authentication Protocol (EAP), Remote Authentication Dial-In User Service (RADIUS), etc.
Access control: Enforces use of authentication.
Privacy with message integrity: MAC-level data is encrypted.
  - Along with a message integrity code to ensure data has not been altered.

Access Control

Makes use of 802.1X Port-Based Access Control.
A wireless port on an AP that a station wishes to use starts out blocked and is only unblocked once proper authentication is executed.

Privacy with Message Integrity

Two schemes are used.
  - TKIP: Temporal Key Integrity Protocol
  - CCMP: Counter Mode-CBC MAC Protocol
TKIP is a huge improvement over WEP.
  - WEP keys were static and short enough to be discovered by looking at consecutive packets.
  - TKIP uses a key that changes every packet.
  - TKIP uses a much longer key also.

Much, much more can be said about WLAN security that is beyond the scope of this class (and the competence of the instructor!).
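The reuse of encryption sequences listed under the WEP weaknesses, and why a key that changes every packet removes it, as an added example that is not from the lecture or the textbook. The key, IVs and payloads are constructed, the CRC-32 integrity value WEP appends is left out, and the "fresh key per frame" case only stands in for TKIP's key mixing rather than implementing it.

```python
from collections import Counter


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (key schedule, then output loop)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 3-byte IV (sent in clear) followed by the static key."""
    return xor(plaintext, rc4(iv + key, len(plaintext)))


def reused_ivs(frames) -> dict:
    """Defender's check: IVs seen on more than one (iv, ciphertext) frame."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed values: a 40-bit static key and three same-length payloads.
KEY = bytes.fromhex("0102030405")
P1, P2, P3 = b"GET /index.html ", b"password=hunter2", b"GET /about.html "
IV_A, IV_B = b"\x00\x00\x01", b"\x00\x00\x02"
FRAMES = [(IV_A, wep_encrypt(IV_A, KEY, P1)),
          (IV_A, wep_encrypt(IV_A, KEY, P2)),   # IV repeats under the static key
          (IV_B, wep_encrypt(IV_B, KEY, P3))]

if __name__ == "__main__":
    (_, c1), (_, c2), (_, c3) = FRAMES
    print("reused IVs:", reused_ivs(FRAMES))
    # Same IV + same key -> same keystream, so it cancels out of c1 XOR c2.
    print("c1^c2 == p1^p2:", xor(c1, c2) == xor(P1, P2))
    print("c1^c3 == p1^p3:", xor(c1, c3) == xor(P1, P3))
    # A different key per frame breaks the relation even when the IV repeats.
    c2_fresh = wep_encrypt(IV_A, bytes.fromhex("a1b2c3d4e5"), P2)
    print("per-frame key leaks:", xor(c1, c2_fresh) == xor(P1, P2))
```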