3.- Wireless technologies

Local Area Networks/School of Engineering in Computer Science/2009-2010

http://www.redes.upv.es/ralir/en/

3.- Wireless technologies

Basics Applications The physical media Free-space loss and frequency dependency The IEEE 802 specification family Comparison between different wireless technologies

(PHY and MAC layers) IEEE 802.11 Bluetooth

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wireless? Why?

Mobility (anytime) Coverage (anywhere) New applications potential (services)

Healthcare Lab administration People with disabilities Point-of-Care testing Homecare administration Controlling patient data

Education More efficient learning methods Wireless is ideal for campus-wide coverage

2

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Some Application Areas

Retail Direct inventory management Mobile POS Self-checkout Mobile scanners

Manufacturing Field based data collections Product management Inventory visibility and planning

3

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Vehicular Networks

Safety and transport efficiency In Europe around 40,000 people die and more than 1.5 millions are

injured every year on the roads Traffic jams generate a tremendous waste of time and of fuel

Most of these problems can be solved by providing appropriate information to the driver or to the vehicle

4

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Vehicle Communication (VC)

VC promises safer roads,

… more efficient driving,

5

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Vehicle Communication (VC)

… more fun,

… and easier maintenance.

6

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Rural communications

Rural communications on the global agenda Connecting villages with Information and Communication

Technologies (ICT) and establishing community access points

Benefits E-business and e-commerce could play an important role in

enabling local artisans to reach national and international markets

7

Yasuhiko Kawasumi, “Rural communications on the global agenda,” Global Survey on Rural Communications for the ITU-D on Communications for rural and remote areas.

Over 40% of the world’s population lives in rural and remote areas of developing countries and have difficult or no access to even basic telecommunications services. Development of telecommunications in rural and remote areas, therefore forms an important mission of the ITU Development sector.

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Rural populations and their ICT needs

Needs of rural people in connection with e-services E-health, e-education and e-administration top the list as primary

needs E-business and e-banking also scored highly

8

ITU-D global survey, Doc 111/SG2

For many rural areas, electricity supply is

simply non-existent or insufficient

Telemedicine Training in Bhutan by Tokai University:Telemedicine Training in Bhutan by Tokai University: Tokai University Institute of Medical Sciences donated the medical equipments with ICT functions and provided the training on the use of equipments. Tokai University Second Opinion center provides the assistance service over the internet when requested by the Bhutanese ends.

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


About the “Wireless Internet”

9

WWAN (3G,4G?)

Low throughput, short range

WLAN (Wi-Fi)

WPAN

WMAN (Wi-Max)

BluetoothRFID

High throughput, short range

Low throughput, Long range

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Big Picture – WPAN’s

WPAN technologies – RFID, Bluetooth RFID used in tagging applications, restricted

environments (supermarkets, institutions) 10 billion RFID tags to be sold by the end of 2005

(source: Deloitte & Touche) Bluetooth – technology has matured 56% of mainstream devices commercialised will have

Bluetooth support by 2008 (Source: IDC) Poor interoperability between vendors restricts the wide

use of Bluetooth

10

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Big Picture – WLAN’s

WLAN – based on WiFi (802.11x) Adoption rate increased worldwide

Up 51% more units sold globally in 2004 compared to 2003 (source: Infonetics Research)

European cities’ infrastructure facilitates the adoption of WiFi against wired alternatives

Old buildings High population density Poor telecommunications infrastructure

Wi-Fi mesh infrastructure: Current backend implementations of Wi-Fi mesh infrastructure are

based on proprietary solutions Usage: wireless coverage of WLANs, blanketing large areas with

hot-spot coverage Coverage: 100m to 10km Data rate:54Mbps- 100Mbps

11

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Big Picture –WMAN’s

WiMax (Worldwide Interoperability for Microwave Access)

Standards-based technology Deployment of broadband wireless networks based on

the IEEE 802.16 standard Enables the delivery of last mile wireless broadband

access as an alternative to cable and DSL Some characteristics of the 802.16- 2004 standard:

Improve user connectivity Higher quality of services Full support for WMAN service Robust carrier-class operation

12

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Big Picture –WMAN’s Mobile Networks Evolution

13

GPRS

EDGE

UMTS

HSDPA

2G2G

3G3G

19951995 20152015

4G4G

20052005

DownloadSpeed

1-10 Mbps

250-384 kbps

90-180 kbps

40 kbps

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Antennas basics

Directional Antenna "An antenna having the

property of radiating or receiving electromagnetic waves more effectively in some directions than others".

Omni-Directional Antenna "A hypothetical, lossless

antenna having equal radiation intensity in all directions". For a WLAN antenna, the gain in dBi is referenced to that of an omni-directional (isotropic) antenna (which is defined as 0 dBi).

15

YAGI Directional Antenna

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Directional antennas

16

Yagi antenna (13,5 dBi)reach: 6 Km at 2 Mb/s

2 Km at 11 Mb/sParabolic antenna (20 dBi)reach: 10 Km at 2 Mb/s

4,5 Km at 11 Mb/s

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


More antennas examples

17

Horizontal Radiation

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


ISM frequency bands

18

ISM (Industrial, Scientific and Medical) frequency bands:

• 900 MHz band (902 … 928 MHz) • 2.4 GHz band (2.4 … 2.4835 GHz)• 5.8 GHz band (5.725 … 5.850 GHz)

Anyone is allowed to use radio equipment for transmitting in these bands (provided specific transmission power limits are not exceeded) without obtaining a license.

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


ISM frequency band at 2.4 GHz

19

The ISM band at 2.4 GHz can be used by anyone as long as (in Europe...)

Transmitters using FH (Frequency Hopping) technology:

• Total transmission power < 100 mW • Power density < 100 mW / 100 kHz

Transmitters using DSSS technology:

• Total transmission power < 100 mW • Power density < 10 mW / 1 MHz

ETSI EN 300 328-1 requirements

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Free-space loss

20

The free-space loss L of a radio signal is:

2 24 4d df

Lc

where d is the distance between transmitter and receiver, is the rf wavelength, f is the radio frequency, and c is the speed of light. The formula is valid for d >> , and does not take into account antenna gains (=> Friis formula) or obstucting elements causing additional loss.

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Power budget graphical representation

21

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


IEEE 802 wireless network technology options

23

Network definition

Wireless personal area network (WPAN)

Low-rate WPAN (LR-WPAN)

Wireless local area network (WLAN)

Wireless metroplitan area network (WMAN)

IEEE standard

IEEE 802.15.1

IEEE 802.15.4

IEEE 802.11

IEEE 802.16

Known as

Bluetooth

ZigBee

WiFi

WiMAX

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


IEEE 802 standardisation framework

24

802.1

Manage-ment

802.3

MAC

802.3

PHY

802.5

MAC

802.5

PHY

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY

802.2 Logical Link Control (LLC)

802.11 Medium Access Control (MAC)

CSMA/CD(Ethernet)

CSMA/CA

Token Ring

CSMA/CA (Wireless LAN)

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


CSMA/CA Wireless LAN

25

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY


CSMA/CA

CSMA/CA = Carrier Sense Multiple Access with Collision Avoidance

Unlike wired LAN stations, WLAN stations cannot detect collisions

=>

avoid collisions A common MAC layer, but many

PHY options

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WLAN physical layer (1)

26

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY


CSMA/CA

The original physical layer specified in 802.11 defines two signal formats:

FHSS (Frequency Hopping Spread Spectrum)

DSSS (Direct Sequence Spread Spectrum)

Data rates supported: 1 and 2 Mbit/s. ISM band: 2.4 … 2.4835 GHz

Outdated, never

implemented

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce



27

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY


CSMA/CA

The first widely implemented physical layer was 802.11b that uses:

DSSS (Direct Sequence Spread Spectrum) like in 802.11 but with larger bit rates:1, 2, 5.5, 11 Mbit/s

Automatic fall-back to lower speeds in case of bad radio channel.

ISM band: 2.4 … 2.4835 GHz

Becoming

outdated

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce



28

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY


CSMA/CA

802.11a operates in the 5.8 GHz band.

5 GHz frequency band

The signal format is OFDM (Orthogonal Frequency Division Multiplexing)

Data rates supported: Various bit rates from 6 to 54 Mbit/s.

Not too used

in Europe

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce



29

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY


CSMA/CA

802.11g is the most recent physical layer, operating in the same band as 802.11b

ISM band: 2.4 … 2.4835 GHz

The signal format is OFDM (Orthogonal Frequency Division Multiplexing)

Data rates supported: Various bit rates from 6 to 54 Mbit/s (same as 802.11a)

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wireless Fidelity (WiFi)

30

802.11

PHY

802.11a

PHY

802.11b

PHY

802.11g

PHY


CSMA/CA

WiFi

The WiFi certification program of the Wireless EthernetCompatibility Alliance (WECA) addresses compatibility of IEEE 802.11 equipment

=>

WiFi ensures interoperability of equipment from different vendors. WiFi5

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wireless Personal Area Network (WPAN)

31

802.1

Manage-ment

802.3

MAC

802.3

PHY

802.5

MAC

802.5

PHY

802.11

PHY

802.15.1

MAC

+

PHY

802.2 LLC

802.11

MAC

802.15.4

MAC

+

PHY

802.16

MAC

+

PHY

Bluetooth Special Interest Group (SIG)

ISM band: 2.4 … 2.4835 GHz

Data rates up to 700 kbit/s (2.1 Mbit/s)

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Low-rate WPAN (LR-WPAN)

32

802.15.1

MAC

+

PHY

802.15.4

MAC

+

PHY

802.16

MAC

+

PHY

802.1

Manage-ment

802.3

MAC

802.3

PHY

802.5

MAC

802.5

PHY

802.11

PHY

802.2 LLC

802.11

MAC

ISM band: 2.4 … 2.4835 GHz

ZigBee Alliance

Data rates up to 250 kbit/s

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wireless Metropolitan Area Network (WMAN)

33

802.15.1

MAC

+

PHY

802.15.4

MAC

+

PHY

802.16

MAC

+

PHY

802.1

Manage-ment

802.3

MAC

802.3

PHY

802.5

MAC

802.5

PHY

802.11

PHY

802.2 LLC

802.11

MAC

Various frequency bands (not only ISM)

WiMAX

Various data rates up to 100 Mbit/s and more

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Possible architectures

Independent Basic Service Set (IBSS) Decentralized structure Flexible:

Permanent and temporary networks

Allows to control power consumption

infrastructure Basic Service Set (BSS) Components:

Station (STA)

Access Point (AP)or Point Coordinator (PC)

Basic Service Set (BSS) Extended Service Set (ESS)

35

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


The Extended Service Set (ESS)

36

BSSBSS

APAP

WLANWLAN LANLAN

The standard does not define the implementation details

exists a proposal by a group of industries:Inter-acces point protocol (IAPP)

Distribution System (DS)

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Task Group f

Scope of Project: to develop recommended practices for an Inter-Access Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor Access Point interoperability across a Distribution System supporting IEEE P802.11 Wireless LAN Links.

Purpose of Project: ... including the concepts of Access Points and Distribution Systems. Implementation of these concepts where purposely not defined by P802.11 ... As 802.11 based systems have grown in popularity, this limitation has become an impediment to WLAN market growth. This project proposes to specify the necessary information that needs to be exchanged between Access Points to support the P802.11 DS functions. The information exchanges required will be specified for, one or more Distribution Systems; in a manner sufficient to enable the implementation of Distribution Systems containing Access Points from different vendors which adhere to the recommended practices

Status: Work has been completed and is now part of the Standard as a recommended practice.

37

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Frames structure

38

• management (00)• control (01), • data (10), • reserved (11)

Types of addresses:

• Source address (SA)

• Destination Address (DA)

• Transmitter Address (TA)

• Receiver Address (RA)

• BSS identifier (BSSID)

Types of addresses:

• Source address (SA)

• Destination Address (DA)

• Transmitter Address (TA)

• Receiver Address (RA)

• BSS identifier (BSSID)

SADATARA11Wireless DS

-DASARA = BSSID01To the AP

-SABSSIDRA = DA10From the AP

-BSSIDSARA = DA00IBSS

Addr. 4Addr. 3Addr. 2Addr. 1From DS

To DS

Función

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


BSSID y SSID

BSSID (Basic Service Set Identity) BSS: AP’s MAC address Ad-Hoc: 46 bit random number

SSID (Service Set ID) Known as the Network Name Length: 0~32 bytes

0: is the broadcast SSID Handled either manually or automatically Should be unique; used to distinguish WLAN Access point and station that would like to form a unique WLAN

should use the same SSID

39

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Addressing and DS bits

40

SADATARA11Wireless DS

-DASARA = BSSID01To the AP

-SABSSIDRA = DA10From the AP

-BSSIDSARA = DA00IBSS

Addr. 4Addr. 3Addr. 2Addr. 1From DS

To DS

Función

Server

DA

DSRA (BSSID)

SA/TA

ClientAP

Server

SAAP

AP

TA

Client

RA

DA

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Services

The IEEE 802.11 architecture defines 9 services: for the station and for the distribution

Station services: Authentication Deauthentication Privacy WEP Data delivery

Distribution services: Association generates a connection between a STA and a AP Disassociation Reassociation like association but informing about the

previous AP Distribution integration connects the WLAN with other LANs;

41

Similar to connect/disconnect a cable to a traditional network

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


State variables and services

42

State 1:unauthenticated,

unassociated

State 1:unauthenticated,

unassociated

State 2:authenticated,unassociated

State 2:authenticated,unassociated

State 3:authenticated,

associated

State 3:authenticated,

associated

Disassociation notification

Successful authentication Deauthentication notification

Successful authenticationor reassociation

Class 1, 2 & 3 frames

Class 1 & 2 frames

Class 1frames

Deauthentication notification

In a IBSS there is neither auth., nor ass. Data service is allowed

A STA can be authenticated with various AP but it can be associated with only one AP

A STA can be authenticated with various AP but it can be associated with only one AP

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Scanning

Parameters: BSStype, BSSID, SSID, ScanType, ChannelList, ProbeDelay, Min/MaxChannelDelay

ScanType: Passive The stations wait for the APs beacons

ScanType: Active Stations send probe requests

scan report are generated The following phase is joining; this phase precedes the

sequence of actions up to association

43

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


The MAC: reliable data delivery

CSMA/CA with binary exponential backoff

The minimum protocol consists of two frames: the data and the ACK

44

Point CoordinationFunction (PCF)

Distributed Coordination Function (DCF)

MA

C

No contentionWith contention

DIFS DIFS

PIFS

SIFS

Contention window

defer access

busy medium

slot

The 5 timing values:• Slot time• SIFS: short interframe space (< slot

time)• PIFS: PCF interframe space (=SIFS+1slot)• DIFS: DCF interframe space

(=SIFS+2slots)• EIFS: extended interframe space

The 5 timing values:• Slot time• SIFS: short interframe space (< slot

time)• PIFS: PCF interframe space (=SIFS+1slot)• DIFS: DCF interframe space

(=SIFS+2slots)• EIFS: extended interframe space

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


DCF behaviour

The back off values are chosen inside the congestion window. That is, inside the interval [0, CW]

CW can vary between 31 slots (CWmin) and 1023 slots (CWmax)

CW is incremented after every failed sending and reset after every successful transmission

45

data

wait

B1 = 5

B2 = 15

data

wait

B1 = 25

B2 = 20

B1 and B2 are the back off interval at STA 1 and 2 CW = 31

B2 = 10

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Problematic configurations

46

Exposed nodeHidden node

A

B

C

A

B C

D

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


RTS/CTS mechanism

Based on the network allocation vector (NAV)

47

RTS

DIFS

CTS

SIFS

data

ACK

SIFS SIFS

DIFS

NAV (RTS)NAV (CTS)

source

destination

other STA

defer access

Contention window

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


PCF: Point Coordination Function

48

Data+Poll

DATA+ACKBeacon

Data+Poll

ACK

Station 2 sets NAV(Network Allocation Vector)

CF-End

PIFS SIFS SIFS SIFS SIFS

SIFS(no response)

PIFS

CP

PC

STA1

Contention Free Period CP

Data+Poll

SIFS

STA2 NAVReset

TimeSTA3 Station 3 is hidden to the PC, it does not set the NAV.

It continues to operate in DCF.

• Beacons are used to keep timers in the stations synchronized and to send control information

• The AP generates beacons at regular intervals• Stations know when the following beacon is arriving

The target beacon transmission time (TBTT) is announced in the previous beacon

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


PCF: the superframe

There is an repetition of contention-free (CFP) and contention (CP) periods

A CFP and the following CP form a superframe.

49

Beacon

CF-PollCF-End

802.11 periodic Superframe

DATA DATA DATA

CFP(Contention Free Period) CP(Contention Period)

DATA DATA DATA

PC

STAs

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Broadcast trafic

It is not possible to fragment frames whose destination is a group address

Acknowledgement are not sent MAC does not offer any retransmission service to

broadcast or multicast frames

50

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


802.11b channels overview

The standard defines 14 channels, 22 MHz wide FCC only uses the first 11 In Spain only channel 10 and 11

3 channel do not overlap (1, 6,11) data rate is 11 Mbps

51





(PHY and MAC layers) IEEE 802.11: SECURITY Bluetooth

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wireless LAN Security Issues

Issue Wireless sniffer can view all

WLAN data packets Anyone in AP coverage area

can get on WLAN

802.11 WEP Solution Encrypt all data transmitted

between client and AP Without encryption key, user

cannot transmit or receive data

53

Wireless LAN (WLAN)

Wired LAN

Goal: Make WLAN security equivalent to that of wired LANs (Wired Equivalent Privacy)

client access point (AP)

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WEP – Protection for 802.11b

Wired Equivalent Privacy No worse than what you get with wire-based systems.

Criteria: “Reasonably strong” Self-synchronizing – stations often go in and out of coverage Computationally efficient – in HW or SW since low MIPS CPUs might

be used Exportable – US export codes (relaxed in Jan 2000 / “Wassenaar

Arrangement”) Optional – not required to used it

Objectives: confidentiality integrity authentication

54

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WEP – How It Works

Secret key (40 bits or 104 bits) can use up to 4 different keys

Initialization vector (24 bits, by IEEE std.) total of 64 or 128 bits “of protection.”

RC4-based pseudo random number generator (PRNG) Integrity Check Value (ICV): CRC 32

55

IV(4 bytes)

Data (PDU)( 1 byte)

Init Vector(3 bytes)

1 byte

Pad6 bits

Key ID2 bits

Frame header

ICV(4 bytes)

FCS

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WEP Encryption Process

1) Compute ICV using CRC-32 over plaintext msg.2) Concatenate ICV to plaintext message.3) Choose random IV and concat it to secret key and input

it to RC4 to produce pseudo random key sequence.4) Encrypt plaintext + ICV by doing bitwise XOR with key

sequence to produce ciphertext.5) Put IV in front of cipertext.

56

InitializationVector (IV)

Secret Key

Plaintext

Integrity Algorithm

Seed WEP PRNG

Key Sequence

Integrity Check Value (ICV)

IV

CiphertextMessage

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WEP Decryption Process

1) IV of message used to generate key sequence, k.2) Ciphertext XOR k original plaintext + ICV.3) Verify by computing integrity check on plaintext (ICV’)

and comparing to recovered ICV.4) If ICV ICV’ then message is in error; send error to MAC

management and back to sending station.

57

IV

Ciphertext

Secret Key

Message

WEP PRNG

Seed

Key Sequence

Integrity Algorithm

Plaintext

ICV’

ICV

ICV’ - ICV

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WEP Station Authentication

Wireless Station (WS) sends Authentication Request to Access Point (AP).

AP sends (random) challenge text T.

WS sends challenge response (encrypted T).

AP sends ACK/NACK.

58

WS APAuth. Req.

Challenge Text

Challenge Response

Ack

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WEP Weaknesses

Forgery Attack Packet headers are unprotected, can fake src and dest addresses. AP will then decrypt data to send to other destinations. Can fake CRC-32 by flipping bits.

Replay Can eavesdrop and record a session and play it back later.

Collision (24 bit IV; how/when does it change?) Sequential: roll-over in < ½ day on a busy net Random: After 5000 packets, > 50% of reuse.

Weak Key If ciphertext and plaintext are known, attacker can determine key. Certain RC4 weak keys reveal too many bits. Can then determine

RC4 base key.

Well known attack described in Fluhrer/Mantin/Shamir paper “Weaknesses in the Key Scheduling Algorithm of RC4”, Scott Fluhrer, Itsik

Mantin, and Adi Shamir using : http://www.aircrack-ng.org/5

9

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Ways to Improve Security with WEP

Use WEP(!) Change wireless network name

from default any, 101, tsunami

Turn on closed group feature, if available in AP Turns off beacons, so you

must know name of the wireless network

MAC access control table in AP Use Media Access Control

address of wireless LAN cards to control access

Use 802.11i support if available in AP Define user profiles based

on user name and password

War Driving in New Orleans (back in December 2001) Equipment

Laptop, wireless card, software

GPS, booster antenna (optional)

Results 64 Wireless LAN’s Only 8 had WEP Enabled

(12%) 62 AP’s & 2 Peer to Peer

Networks 25 Default (out of the box)

Settings (39%) 29 Used The Company

Name For ESSID (45%)

60

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


War Driving in New Orleans (back in December 2001)

61

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Other solutions

VPN Connectivity PPTP L2TP Third Party

IPSec Many vendors

Password-based Layer 2 Authentication Cisco LEAP RSA/Secure ID IEEE 802.1x PEAP/MSCHAP v2

Certificate-based Layer 2 Authentication IEEE 802.1x EAP/TLS

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


WLAN Security Type Security Level

Ease of Deployment

Usability and Integration

IEEE 802.11 Low High High

VPN Medium Medium Low

Password-based Medium Medium High

IPSec High Low Low

IEEE 802.1x TLS High Low High

WLAN Security Comparisons

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


802.1X

Defines port-based access control mechanism Works on anything, wired and wireless Access point must support 802.1X No special encryption key requirements

Allows choice of authentication methods using EAP Chosen by peers at authentication time Access point doesn’t care about EAP methods

Manages keys automatically No need to preprogram wireless encryption keys

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wi-Fi Protected Access (WPA)

A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems

Goals Enhanced Data Encryption (TKIP) Provide user authentication (802.1x) Be forward compatible with (802.11i) Provide non-RADIUS solution for Small/Home offices WPA-PSK

Typically a software upgrade and Wi-Fi Alliance began certification testing for interoperability on Wi-Fi Protected Access products in February 2003

WPA2

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Wi-Fi Protected Access (WPA)

WEPs IV only 24 bits and so are repeated every few hours WPA increased IV to 24 bits repeated 900 years

WPA alters values acceptable as IVs Protects against forgery and replay attacks

IV formed MAC address TSC

TKIP: New password generated every 10,000 packets WPA-PSK Passphrase WPA 802.ii1 recommend 20-character password Crack is brute force based

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


802.1x and PEAP





(PHY and MAC layers) IEEE 802.11: CONFIGURATION Bluetooth

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce

http://www.redes.upv.es/ralir/en/69

Linksys Wireless-G Access Point

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce






Bluetooth

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth history

De facto standard - open specifications. publicly available on Bluetooth.com:

http://bluetooth.com/Bluetooth/Technology/Works/

Bluetooth specs developed by Bluetooth SIG. February 1998: The Bluetooth SIG is formed

promoter company group: Ericsson, IBM, Intel, Nokia, Toshiba May 1998: The Bluetooth SIG goes “public” July 1999: 1.0A spec (>1,500 pages) is published December 1999: ver. 1.0B is released December 1999: The promoter group increases to 9

3Com, Lucent, Microsoft, Motorola February 2000: There are 1,500+ adopters

Versions: 0.7 0.9 1.0A 1.0B 1.1 …

November 2003: release 1.2 November 2004: release 2.0+EDR

(EDR or Extended Data Rate) triples the data rate up to about 3 Mb/s Currently (July 2007): release 2.1+EDR Next specification (2Q08) will include ability to utilize

additional radio technologies to enable high speed Bluetooth applications.

81

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Versions

The 1.2 version, unlike the 1.1, provides a complementary wireless solution to co-exist Bluetooth and Wi-Fi in the 2.4 GHz spectrum without interference between them. uses the technique "Adaptive Frequency Hopping (AFH), which

runs a more efficient transmission and a more secure encryption. offers voice quality (Voice Quality - Enhanced Voice Processing)

with less noise, and provides a faster configuration of communication with other Bluetooth devices within range of reach.

Version 2.0, created to be a separate specification, mainly incorporates the technique "Enhanced Data Rate (EDR) that allows you to improve transmission speeds up to 3Mbps while trying to solve some errors specification 1.2.

82

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Release 2.1

Near Field Communication (NFC) Technology NFC may also be used in the new pairing system, enabling a user

to hold two devices together at a very short range to complete the pairing process.

Lower Power Consumption Reduced power consumption means longer battery life in devices like

mice and keyboards. Bluetooth Specification Version 2.1 + EDR can increase battery life by up to five times.

Improved Security For pairing scenarios that require user interaction, eavesdropper

protection makes a simple six-digit passkey stronger than a 16-digit alphanumberic character random PIN code. Improved pairing also offers "Man in the Middle" protection that in reality eliminates the possibility for an undetected middle man intercepting information.

83

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth usage

Low-cost, low-power, short range radio a cable replacement technology Common (File transfer, synchronisation, internet bridge,

conference table) Hidden computing (background synchronisation, audio/video

player) Future (PC login, remote control)

Why not use Wireless LANs? power cost

84

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth RF

1 Mb/s symbol rate Normal range 10m (0dBm) Optional range 100m (+20dBm) Normal transmission power 0dBm (1mW) Optional transmission power -30 to +20dBm (100mW) Receiver sensitivity -70dBm Frequency band 2.4Ghz ISM band Gross data rate 1Mbit/s Max data transfer 721+56kbps/3 voice channels Power consumption 30uA(max), 300uA(standby),

~50uA(hold/park) Packet switching protocol based on frequency hop

scheme with 1600 hops/s

85

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth Power Class Table

86

30m10m0dBm1mWClass 3

50m16m4dBm2.5mWClass 2

300m42m20dBm100mWClass 1

Range inFree SpaceExpected RangeMax Output PowerMax Output PowerPower Class

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth Network Topology

Bluetooth devices have the ability to work as a slave or a master in an ad hoc network. The types of network configurations for Bluetooth devices can be three. Single point-to-point (Piconet): In this topology the network

consists of one master and one slave device. Multipoint (Piconet): Such a topology combines one master device

and up to seven slave devices in an ad hoc network.o Scatternet: A Scatternet is a group of Piconets linked via a slave

device in one Piconet which plays master role in other Piconet.

87

M

S

i) Piconet (Point-to-Point)

M

SS

S

S

ii) Piconet (Multipoint)

M

S S S

M

S S

Master/Slave

iii) Scatternet

The Bluetooth standard does not describe any routing protocol for scatternets and most of the hardware available today has no capability of forming scatternets. Some even lack the ability to communicate between slaves of one piconet or to be a member of two piconets at the same time.

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth stack: short version

88

RF

BasebandLink Manager

L2CAP

SDPRFCOMM

Applications

HCI

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Transport Protocol Group (contd.)

Radio Frequency (RF) Sending and receiving

modulated bit streams Baseband

Defines the timing, framing Flow control on the link.

Link Manager Managing the connection

states. Enforcing Fairness among

slaves. Power Management

Logical Link Control & Adaptation Protocol Handles multiplexing of

higher level protocols Segmentation & reassembly

of large packets Device discovery & QoS

The Radio, Baseband and Link Manager are on firmware.

The higher layers could be in software.

The interface is then through the Host Controller (firmware and driver).

The HCI interfaces defined for Bluetooth are UART, RS232 and USB.

89

Source: Farinaz Edalat, Ganesh Gopal, Saswat Misra, Deepti RaoBLUETOOTH SPECIFICATION, Core Version 1.1 page 543

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


End to End Overview of Lower Software Layers to Transfer Data

90

BLUETOOTH SPECIFICATION, Core Version 1.1 page 544

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Physical Link Definition

Synchronous Connection-Oriented (SCO) Link circuit switching symmetric, synchronous services slot reservation at fixed intervals

Asynchronous Connection-Less (ACL) Link packet switching (a)symmetric, asynchronous services polling access scheme

91

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


ACL data rates

92

Packet type Name Symmetric (kbps)

Asymmetric (kbps)

1 slot + FEC DM1 108.8 108.8 108.8

1 slot DH1 172.8 172.8 172.8

3 slot + FEC DM3 256.0 384.0 54.4

3 slot DH3 384.0 576.0 86.4

5 slot + FEC DM5 286.7 477.8 36.3

5 slot DH5 432.6 721.0 57.6

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Multi-slot packets

93

Single slot

Three slot

Five slot

fn fn+1 fn+2 fn+3 fn+4 fn+5

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Symmetric single slot

94

fn fn+1 fn+2 fn+3 fn+4 fn+5 fn+6 fn+7 fn+8 fn+9 fn+10 fn+11 fn+12

Master

Slave

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Mixed Link Example

95

MASTER

SLAVE 1

SLAVE 2

SLAVE 3

ACL ACLSCO SCO SCO SCO ACLACL

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Polling on ACL links

Slave is allowed to send only after it has been polled. Master polls slave at least Npoll slots (negotiated). Master may send at will. Polling algorithm is proprietary.

96

time

Master

Slave

Data

Data

POLL

Slot

TDD frame

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth Connection States

There are four Connection states on Bluetooth Radio:

Active: Both master and slave participate actively on the channel by transmitting or receiving the packets (A,B,E,F,H)

Sniff: In this mode slave rather than listening on every slot for master's message for that slave, sniffs on specified time slots for its messages. Hence the slave can go to sleep in the free slots thus saving power (C)

Hold: In this mode, a device can temporarily not support ACL packets and go to low power sleep mode to make the channel available for things like paging, scanning etc (G)

Park: Slave stays synchronized but not participating in the Piconet, then the device is given a Parking Member Address (PMA) and it loses its Active Member Address (AMA) (D,I)

97

E

A

G

H

C

D

I

H

C

B

F

Master

Bluetooth Connection States

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluetooth Forming a Piconet

Inquiry: Inquiry is used to find the identity of the Bluetooth devices in the close range.

Inquiry Scan: In this state, devices are listening for inquiries from other devices.

Inquiry Response: The slave responds with a packet that contains the slave's device access code, native clock and some other slave information.

Page: Master sends page messages by transmitting slave's device access code (DAC) in different hop channels.

Page Scan: The slave listens at a single hop frequency (derived from its page hopping sequence) in this scan window.

Slave Response: Slave responds to master's page message

Master Response: Master reaches this substate after it receives slave's response to its page message for it. 9

8

Master

Inquiry

Inquiry Scan

Inquiry Response

Page

Page Scan

Slave Response

Master Response

ConnectionConnection

Slave

3

2

4

1

5

7

6

Forming a Piconet Procedures

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


SDP - Service Discovery

Focus Service discovery within Bluetooth environment Optimized for dynamic nature of Bluetooth Services offered by or through Bluetooth devices

Some Bluetooth SDP Requirements (partial list) Search for services based upon service attributes and service

classes Browse for services without a priori knowledge of services Suitable for use on limited-complexity devices Enable caching of service information

How it works? Establish L2CAP connection to remote device Query for services

Search for specific class of service, or Browse for services

Retrieve attributes that detail how to connect to the service Establish a separate (non-SDP) connection to use the service

99

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Packet Structure

100

Control packets Data/voice packets

Voicedata

HV1HV2HV3DV

(136 bits) DM1 DM3 DM5

DH1DH3DH5 (2712 bits)

ID*NullPollFHSDM1

Source: Farinaz Edalat, Ganesh Gopal, Saswat Misra, Deepti Rao

DataHeader CRC

•ARQ•CRC•FEC (optional)

72 bits 54 bits 0 - 2745 bits

Access Code Header Payload Guard

•No retries •No CRC•FEC (optional)

220s

Loca

l Are

a Ne

twor

ks (R

ALIR

) /Sc

hool

of E

ngin

eerin

g in

Com

pute

r Scie

nce


Bluez

101

3.- Wireless technologies

Documents

Transcript of 3.- Wireless technologies