802.11 Wireless LANs Abhishek Karnik, Dr. Ratan Guha University Of Central Florida


Page 1: 80211

802.11 Wireless LANs

Abhishek Karnik,

Dr. Ratan Guha

University Of Central Florida

Page 2: 80211

OVERVIEW

• Introduction

• 802.11 Basics

• 802.11e for QoS

• WEP

Page 3: 80211

INTRODUCTION

• In 1997 the IEEE adopted IEEE Std. 802.11-1997

• Defines the MAC and PHY layers for wireless LAN connectivity.

• Facilitates ubiquitous communication and location-independent computing

• 802.11b operates at 11 Mbps in the 2.4 GHz ISM band (’99)

• 802.11a operates at 54 Mbps in the 5 GHz band (’99)

• 802.11g operates at 54 Mbps in the 2.4 GHz band (’02)

• Increased deployment and popularity led to the introduction of QoS

• 802.11e for QoS – Draft Supplement – Nov 2002

Page 4: 80211

802.11 BASICS

• Wireless LAN Station: The station (STA) is any device that contains the functionality of the 802.11 protocol, that being MAC, PHY, and a connection to the wireless medium. Typically the 802.11 functions are implemented in the hardware and software of a network interface card (NIC).

Ex: PC, handheld, AP (Access Point)

• Basic Service Set (BSS): 802.11 defines the Basic Service Set (BSS) as the basic building block of an 802.11 wireless LAN. The BSS consists of a group of any number of stations.

Page 5: 80211

[Figure: IBSS (Independent Basic Service Set – Ad-hoc Mode): four STAs with peer-to-peer connections and no AP]

Page 6: 80211

[Figure: Infrastructure Basic Service Set: STAs communicate through an AP that is attached to a wired backbone]

Page 7: 80211

[Figure: ESS (Extended Service Set): BSS1 and BSS2, each with its own AP, joined by a wired backbone]

Page 8: 80211

[Figure: Super Frame = PCF (Contention Free Period) followed by DCF (Contention Period); a Beacon is sent at each TBTT]

DCF - Distributed Coordination Function (Contention Period; the only access method available in ad-hoc mode)

PCF - Point Coordination Function (Contention Free Period; Infrastructure BSS only)

Beacon - Management Frame

• Synchronization of local timers

• Delivers protocol-related parameters

TBTT - Target Beacon Transmission Time

Page 9: 80211

Distributed Coordination Function (DCF)

• Also known as the Contention Period

• STAs contend for the medium as peers. No central authority

• Listen before talk: sense the medium first, then transmit

• Uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)

• ACK indicates successful delivery; a missing ACK is the only way a sender learns of a collision, since a radio cannot detect a collision while it is transmitting

• Each node has one output buffer

Page 10: 80211

Inter-Frame Spacing (values shown are for 802.11a):

DIFS - 34 µsec

PIFS - 25 µsec (used in PCF)

SIFS - 16 µsec

Slot Time - 9 µsec

DIFS = SIFS + (2 * Slot Time)

PIFS = SIFS + Slot Time

SIFS < PIFS < DIFS: an ACK (after SIFS) always beats the AP (after PIFS), which always beats contending stations (after DIFS)

SIFS is required for the turnaround from Tx to Rx and vice versa

Page 11: 80211

[Figure: Data transmission from node A to B: DIFS, DATA(A), SIFS, ACK(B), DIFS, then CW(A)]

• CW – Contention Window. Starts only after DIFS.

• Random number ‘r’ picked from the range (0 – CW)

• CWmin: minimum value of CW

• CWmax: maximum value the CW can grow to after collisions

• ‘r’ is decremented only in the CW, once per idle slot; it is frozen while the medium is busy and resumes after the next DIFS

• CW doubles after every collision (up to CWmax)

Page 12: 80211

[Figure: same exchange: DIFS, DATA(A), SIFS, ACK(B), DIFS, CW(A)]

• What if some node C wanted to send data while A was transmitting data to B?

• What about during SIFS?

• What if, after the ACK, more than one node (say B, C, D, E) is waiting to transmit data?

Page 13: 80211

Example:

rA = 4 and rC = 6

[Figure: A counts down 4 slots and sends DATA(A); B replies ACK after SIFS; C, frozen at r = 2, resumes after DIFS and sends DATA(C)]

• What if rA and rC had both been picked as 4?

• What if rA and rC had collided and DATAA length was 10 while DATAC length was 15?

Page 14: 80211

[Figure: A collision between nodes A and C: after DIFS, DATA(A) and DATA(C) overlap, no ACK follows, then DIFS]

A Collision between nodes A and C

• Length (DATAA) = 10 slot times

• Length (DATAC) = 15 slot times; the medium stays busy for the longer frame

• CW after Collision 1: 0 – 7

• CW after Collision 2: 0 – 15

• CW after Collision 3: 0 – 31

• CW after Collision 4: 0 – 63
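The contention rounds of Pages 11–14 as a slot-level model in Python. This is an added example, not code from the slides. Assumptions beyond what the slides state: a loser's counter freezes while the medium is busy and resumes after DIFS; CW grows as 2·CW + 1 from CWmin = 3 so the post-collision windows are 0–7, 0–15, 0–31, 0–63; frame lengths are measured in slot times; the station names and draws are constructed.

```python
"""DCF contention with binary exponential back-off (added example, not from the slides).

Model assumptions (not spelled out on the slides): counters are decremented once
per idle slot and frozen while the medium is busy; CW <- min(2*CW + 1, CWmax)
starting from CWMIN = 3; frame lengths are in slot times.
"""
import random

CWMIN = 3          # first window 0-3; after collisions 0-7, 0-15, 0-31, 0-63
CWMAX = 63
SLOT_US = 9        # 802.11a timing used on the slides
SIFS_US = 16
DIFS_US = SIFS_US + 2 * SLOT_US   # 34 us


def next_cw(cw, cwmax=CWMAX):
    """Binary exponential back-off: CW doubles (2*CW + 1) after a collision, capped at CWmax."""
    return min(2 * cw + 1, cwmax)


def cw_after_collisions(n, cwmin=CWMIN, cwmax=CWMAX):
    """CW in force after n consecutive collisions (n = 1..4 gives 7, 15, 31, 63)."""
    cw = cwmin
    for _ in range(n):
        cw = next_cw(cw, cwmax)
    return cw


def draw_backoff(cw, rng):
    """Pick r uniformly from [0, CW]; r only counts down during idle slots of the CW."""
    return rng.randint(0, cw)


def contend(backoff, frame_len):
    """One contention round after DIFS.

    backoff:   {station: residual back-off counter r}
    frame_len: {station: data frame length in slot times}
    Returns (winners, busy_slots, residual). One winner means a successful
    transmission; several winners reached zero in the same slot and collide.
    Losers freeze their counters (residual) the moment the medium turns busy.
    """
    smallest = min(backoff.values())
    winners = sorted(s for s, r in backoff.items() if r == smallest)
    residual = {s: r - smallest for s, r in backoff.items() if r != smallest}
    # After a collision the medium stays busy for the longest colliding frame;
    # the senders only learn of the failure from the missing ACK.
    busy = max(frame_len[s] for s in winners)
    return winners, busy, residual


def simulate(backoff, frame_len, seed=0):
    """Run rounds until every station has delivered its frame.

    Returns (delivery_order, collisions, cw_history); cw_history records the
    CW each station re-drew from after every collision it was part of.
    """
    rng = random.Random(seed)
    backoff = dict(backoff)
    cw = {s: CWMIN for s in backoff}
    delivered, collisions, cw_history = [], 0, {s: [] for s in backoff}
    while backoff:
        winners, _busy, residual = contend(backoff, frame_len)
        backoff = residual                  # survivors resume from their frozen r after DIFS
        if len(winners) == 1:
            delivered.append(winners[0])
        else:
            collisions += 1
            for s in winners:               # every collider doubles its CW and re-draws r
                cw[s] = next_cw(cw[s])
                cw_history[s].append(cw[s])
                backoff[s] = draw_backoff(cw[s], rng)
    return delivered, collisions, cw_history


if __name__ == "__main__":
    # Slide example: rA = 4, rC = 6 -> A wins, C is frozen at r = 2
    print(contend({"A": 4, "C": 6}, {"A": 10, "C": 15}))
    # Both draw 4 -> collision; the medium is busy for max(10, 15) = 15 slots
    print(contend({"A": 4, "C": 4}, {"A": 10, "C": 15}))
    print(simulate({"A": 4, "C": 4}, {"A": 10, "C": 15}, seed=1))
```

The frozen residual is the answer to the slide's first question: C does not restart its back-off after A's frame, it continues from r = 2, which keeps waiting stations from being starved by fresh draws.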

Page 15: 80211

NAV – Network Allocation Vector

[Figure: STA A sends DATA after DIFS; STA B answers ACK after SIFS; STA B and STA C set their NAV for the duration announced in the frame and defer until the NAV expires, then wait DIFS]

• Virtual carrier sense: a station that hears a frame treats the medium as busy until its NAV expires, even if it can no longer hear the rest of the exchange

Page 16: 80211

[Figure: STA A, STA B and STA C in a line, each able to hear only its neighbour]

Hidden Node Problem and Exposed Node Problem

Page 17: 80211

RTS/CTS:

• RTS (Request To Send) – 20 bytes

• CTS (Clear To Send) – 14 bytes

• Use of RTS/CTS is optional (enabled for frames above a configurable RTS threshold)

• Solves two problems:

1. Hidden Node Problem

2. Time wasted on collisions: a collision now costs a short RTS instead of a full data frame

• Maximum MSDU is 2304 bytes

Page 18: 80211

[Figure: STA A sends RTS to STA B; B replies with CTS, which is heard by A, C and D]

Preventing a collision at STAB

Page 19: 80211

[Figure: RTS/CTS timing: STA A sends RTS after DIFS; STA B sends CTS after SIFS; STA A sends DATA after SIFS; STA B sends ACK after SIFS. STA C (hears the RTS) and STA D (hears the CTS) set their NAV for the whole exchange; a new node must then wait DIFS + CW]

Page 20: 80211

Point Coordination Function (PCF)

• Also known as the CFP (Contention Free Period)

• Operates in an Infrastructure BSS

• STAs communicate through a central authority, the PC (Point Coordinator), which resides in the AP (Access Point)

• No collisions take place: a STA transmits only when polled

• AP takes over the medium after waiting a period of PIFS, shorter than the DIFS that contending stations must wait

• Starts with the issue of a Beacon

Page 21: 80211

[Figure: Super Frame = PCF followed by DCF, Beacon at each TBTT]

Beacon

• Management Frame

• Synchronization of local timers

• Delivers protocol-related parameters

• TBTT - Target Beacon Transmission Time

Page 22: 80211

[Figure: AP taking over the wireless medium using PIFS: DIFS, DATA(A), SIFS, ACK, then the AP waits only PIFS and sends the Beacon (B) before any station's DIFS expires]

DIFS - 34 µsec, PIFS - 25 µsec, SIFS - 16 µsec, Slot Time - 9 µsec, B - Beacon

Page 23: 80211

[Figure: Operation in the CFP: Beacon (B), D1 + Poll, U1 + ACK, D2 + ACK + Poll, U2 + ACK, ..., CF_End, every frame separated by SIFS; the CFP is followed by the CP]

D = downlink frame from the PC, U = uplink frame from the polled STA; ACKs and polls are piggybacked on data frames

Page 24: 80211

• Admission Control

• Purpose of having separate DCF and PCF

• Different 802.11 Working Groups:

• 802.11a (54 Mbps in 5 GHz band)

• 802.11b (11 Mbps in 2.4 GHz band)

• 802.11c Wireless AP bridge operations

• 802.11d Internationalization

• 802.11e (QoS)

• 802.11f Inter-vendor AP hand-offs

• 802.11g (54 Mbps in 2.4 GHz band)

• 802.11h Power control for the 5 GHz region

• 802.11i (Security)

Page 25: 80211

802.11e for QoS

• QoS (Quality of Service)

• 802.11e for QoS – Draft Supplement – Nov 2002

• Introduction of new QoS mechanism for WLANs

Page 26: 80211

[Figure: 802.11 BSS (Basic Service Set) with a PC: PCF layered over DCF, versus 802.11e QBSS (Basic Service Set for QoS) with an HC (Hybrid Coordinator, an enhanced station): HCCA layered over EDCA]

Page 27: 80211

QoS Support Mechanisms of 802.11e:

EDCA:

• Introduction of 4 Access Categories (AC), onto which the 8 Traffic Classes (TC, i.e. user priorities) are mapped

• MSDUs are delivered through multiple back-offs within one station, each using AC-specific parameters

• Each AC independently starts a back-off after detecting the channel idle for AIFS[AC]

• After waiting AIFS, each back-off sets its counter from a number drawn from the interval [1, CW+1]

• After a collision: newCW[AC] >= ((oldCW[AC] + 1) * PF[AC]) - 1, where PF is the persistence factor (PF = 2 gives the legacy doubling)

Page 28: 80211

Prioritized channel access is realized with QoS parameters per AC, which include:

• AIFS[AC]

• CWmin[AC]

• PF[AC]

Default parameters per access category (AC_VO = voice, AC_VI = video, AC_BE = best effort, AC_BK = background):

        AC_VO [0]   AC_VI [1]   AC_BE [2]   AC_BK [3]
AIFSN   2           2           3           7
CWmin   3           7           15          15
CWmax   7           15          1023        1023

Page 29: 80211

[Figure: EDCA virtual collision: TCs mapped onto queues AC1 – AC4 inside one station; when two ACs finish their back-off in the same slot, the virtual collision handler grants the higher-priority AC]

Page 30: 80211

[Figure: Access Category based back-offs: after the ACK, each AC waits its own AIFS[AC] (AIFS[AC0] shortest, AIFS[AC3] longest) and then counts down BackOff[AC] before sending its frame]

Page 31: 80211

QoS Parameter Set Element Format

Element ID | CWmin[AC]: CWmin[0] … CWmin[3] | CWmax[AC]: CWmax[0] … CWmax[3] | AIFSN[AC]: AIFSN[0] … AIFSN[3] | TxOPLimit[AC]: TxOP[0] … TxOP[3]

AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS

Page 32: 80211

HCCA (Hybrid Coordination Function Controlled Channel Access)

Extends the EDCA access rules; the HC can seize the medium after PIFS, before any EDCA back-off can complete.

CP: a TxOP is obtained

• after AIFS + back-off (EDCA), or

• by a QoS Poll from the HC, sent after PIFS

CFP: TxOP

• Start and duration are specified by the HC using a QoS Poll.

Page 33: 80211

[Figure: Hybrid Coordinator (HC): HCCA and EDCA side by side. The HC waits only PIFS and transmits; STA A must wait AIFS + back-off before sending DATA, receives an ACK after SIFS, and the HC can take the medium again after PIFS]

Page 34: 80211

802.11e Operation in the CFP

• Guaranteed channel access on successful registration (admission of the traffic stream)

• Each node receives a TxOP by means of polls granted to it by the HC

• TxOP size is based on the negotiated Traffic Specification (TSPEC) and observed node activity

• TxOP is at least the size of one maximum-sized MSDU at the PHY rate

• Access Point advertises the polling list

Page 35: 80211

Traffic Specification (TSPEC) – field (size in bytes):

• Element ID (1)

• Length (1)

• Maximum MSDU Size (2)

• TS Info (2)

• Nominal MSDU Size (2)

• Minimum Service Interval (4)

• Maximum Service Interval (4)

• Mean Data Rate (4)

• Inactivity Interval (4)

• Minimum Data Rate (4)

• Maximum Burst Size (4)

• Minimum PHY Rate (4)

• Surplus Bandwidth Allowed (2)

• Peak Data Rate (2)

• Delay Bound (2)

Page 36: 80211

Example:

        AC[0]   AC[1]   AC[2]
AIFSN   2       4       7
CWmin   7       10      15
CWmax   7       31      255
PF      1       2       2

Page 37: 80211

AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS

PIFS - 25 µsec (used in HCCA), SIFS - 16 µsec, Slot Time - 9 µsec

AIFS[0] = (2 * 9) + 16 = 34 µsec = DIFS

AIFS[1] = (4 * 9) + 16 = 52 µsec; (52 – 34) / 9 = 18 / 9 = 2 slots later than DIFS

AIFS[2] = (7 * 9) + 16 = 79 µsec; (79 – 34) / 9 = 45 / 9 = 5 slots later than DIFS

Page 38: 80211

Back-off Algorithm:

802.11: CWRANGE = [0, 2^(2+i) – 1] after the i-th collision

802.11e: newCW[AC] = [(oldCW[AC] + 1) * PF] – 1, capped at CWmax[AC]

        Collision 1                    Collision 2                                        Collision 3
AC[0]   [(7+1)*1]-1 = 7  (0 – 7)       7  (0 – 7)                                         7  (0 – 7)
AC[1]   [(10+1)*2]-1 = 21  (0 – 21)    [(21+1)*2]-1 = 43, capped at CWmax = 31  (0 – 31)   31  (0 – 31)
AC[2]   [(15+1)*2]-1 = 31  (0 – 31)    [(31+1)*2]-1 = 63  (0 – 63)                         [(63+1)*2]-1 = 127  (0 – 127)
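The AIFS arithmetic of Page 37 and the PF-based window growth of Page 38, carried through in Python as an added example (not part of the slides). The parameter table is the Page 36 example. The virtual-collision rule used here (the AC whose AIFS + back-off expires first wins; a tie goes to the lower-numbered AC and the losers grow their CW from CWmin as after a real collision) is the 802.11e behaviour assumed for this example, not something the slides spell out.

```python
"""EDCA timing and back-off arithmetic (added example, not from the slides).

AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS and newCW = (oldCW + 1) * PF - 1
capped at CWmax, with the slide's SIFS = 16 us and aSlotTime = 9 us.
"""
SIFS_US = 16
SLOT_US = 9

# Page 36 example parameters; AC[0] is the highest priority
EXAMPLE_PARAMS = {
    0: {"AIFSN": 2, "CWmin": 7,  "CWmax": 7,   "PF": 1},
    1: {"AIFSN": 4, "CWmin": 10, "CWmax": 31,  "PF": 2},
    2: {"AIFSN": 7, "CWmin": 15, "CWmax": 255, "PF": 2},
}


def aifs_us(aifsn):
    """AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS (AIFSN = 2 reproduces DIFS = 34 us)."""
    return aifsn * SLOT_US + SIFS_US


def slots_after_difs(aifsn):
    """How many idle slots later than a legacy DCF station this AC may start counting down."""
    return (aifs_us(aifsn) - aifs_us(2)) // SLOT_US


def next_cw(old_cw, pf, cwmax):
    """newCW = (oldCW + 1) * PF - 1, never growing past CWmax."""
    return min((old_cw + 1) * pf - 1, cwmax)


def cw_sequence(ac, collisions, params=EXAMPLE_PARAMS):
    """CW after each of `collisions` consecutive collisions for access category `ac`."""
    p = params[ac]
    cw, seq = p["CWmin"], []
    for _ in range(collisions):
        cw = next_cw(cw, p["PF"], p["CWmax"])
        seq.append(cw)
    return seq


def resolve_internal_contention(backoffs, params=EXAMPLE_PARAMS):
    """Decide which AC of one QoS station gets the medium (assumed 802.11e rule).

    backoffs: {ac: residual back-off slots}. Each AC finishes at
    AIFS[AC] + backoff * aSlotTime; the earliest wins. ACs finishing in the
    same slot suffer a virtual collision: the lower-numbered (higher-priority)
    AC transmits and the others back off with CW grown from CWmin by PF.
    Returns (winner, finish_time_us, {loser: new_cw}).
    """
    finish = {ac: aifs_us(params[ac]["AIFSN"]) + r * SLOT_US
              for ac, r in backoffs.items()}
    best = min(finish.values())
    tied = sorted(ac for ac, t in finish.items() if t == best)
    winner, losers = tied[0], tied[1:]
    grown = {ac: next_cw(params[ac]["CWmin"], params[ac]["PF"], params[ac]["CWmax"])
             for ac in losers}
    return winner, best, grown


if __name__ == "__main__":
    for ac, p in EXAMPLE_PARAMS.items():
        print(f"AC[{ac}] AIFS={aifs_us(p['AIFSN'])} us "
              f"(+{slots_after_difs(p['AIFSN'])} slots after DIFS), "
              f"CW after 3 collisions: {cw_sequence(ac, 3)}")
    # AC[2] with back-off 0 only ties AC[0] with back-off 5 (both 79 us), and loses the tie
    print(resolve_internal_contention({0: 5, 2: 0}))
```

Two things the table alone does not show: PF = 1 for AC[0] means its window never grows, so voice traffic keeps its short deferral under load, and the AIFS gap is large enough that AC[2] with a zero back-off can at best tie AC[0] with a back-off of five slots.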

Page 39: 80211

WEP (Wired Equivalent Privacy)

• Optional in WLANs

• Uses the RC4 (Rivest Cipher 4) stream cipher, seeded with a 64-bit / 128-bit key

• The seed is composed of a 24-bit IV (Initialization Vector) followed by the shared WEP key

• Key = (24-bit IV, 40-bit WEP key) = 64 bits

• Key = (24-bit IV, 104-bit WEP key) = 128 bits

• Goal: to provide authentication, confidentiality and data integrity

• The secret key is shared between the communicating stations

• The encrypted packet is generated with a bitwise exclusive OR (XOR) of the original packet and the RC4 stream

• A 4-byte Integrity Check Value (ICV, a CRC-32) is computed on the original packet and appended to the end; it is also encrypted with the RC4 cipher stream

• Encryption is done only between 802.11 stations (over the air); the AP forwards plaintext onto the wired network

Page 40: 80211

[Figure: Encrypted WEP Frame – IV in the clear, followed by the RC4-encrypted data and ICV; source: http://www-106.ibm.com/developerworks/security/library/s-wep/]

Page 41: 80211

Encryption / Decryption:

• M – original data frame

• CRC-32 (c) is applied to M to obtain c(M)

• M and c(M) are concatenated to get the plaintext P = (M, c(M))

• WEP produces a key stream as a function of the 24-bit IV and the 40-bit WEP key using RC4; its length equals the length of P

• Key stream and plaintext are XORed to produce the ciphertext

• The IV is transmitted in the clear (unencrypted)

• The receiver uses the IV and the shared key to regenerate the same key stream, decrypt the message and verify c(M)

Page 42: 80211

Drawbacks of WEP:

• A number of attacks can be used against WEP

• Passive attacks based on statistical analysis of key stream reuse

• Active attacks based on known plaintext

• WEP relies on the shared key (and the CRC-32 ICV encrypted under it) to ensure that packets are not modified in transit; CRC-32 is linear and was never designed to serve as a message authentication code

• There is no specification of how these keys are distributed, and hence usually a single key is used which is shared among all STAs and the AP

Page 43: 80211

All in a day's work:

• The shared key is long lived – it may last a week, a month, even a year or more

• Consider a busy AP which constantly sends packets of length 1500 bytes at 11 Mbps

• Since the IV is 24 bits in length and the shared key is unchanged, the IV space is exhausted after

2^24 * (1500 * 8) / (11 * 10^6)

≈ 18300 secs ≈ 5 hours

• Lucent wireless cards

Page 44: 80211

XOR: PT ⊕ Key = CT and CT ⊕ Key = PT

A   B   A ⊕ B
0   0   0
0   1   1
1   0   1
1   1   0

• XORing a bit with itself gives 0, so applying the same key stream twice restores the plaintext

Page 45: 80211

Sender

PT  K   CT
0   0   0
0   1   1
1   0   1
1   1   0

Receiver

CT  K   PT
0   0   0
1   1   0
1   0   1
0   1   1

PASSIVE ATTACK

Page 46: 80211

MSG1 ⊕ K = C(MSG1)

MSG2 ⊕ K = C(MSG2)

• The IV repeats, generating the same key stream K

• The identical K is used to encrypt MSG1 and MSG2

• Obtain C(MSG1) and C(MSG2) and XOR them

• XORing cancels the key stream, which yields the XOR of MSG1 and MSG2, i.e. the XOR of the plaintext packets

• This XOR can now be used to apply statistical analysis; if either plaintext is known, the other is recovered directly

Page 47: 80211

Example:

MSG1 = 0 0 1 1

MSG2 = 1 0 1 1

MSG1 encryption:

PT1  K   CT1
0    0   0
0    1   1
1    0   1
1    1   0

MSG2 encryption (same K):

PT2  K   CT2
1    0   1
0    1   1
1    0   1
1    1   0

Page 48: 80211

CT1 XOR CT2

CT1  CT2  CT1 ⊕ CT2
0    1    1
1    1    0
1    1    0
0    0    0

MSG1 XOR MSG2

MSG1  MSG2  MSG1 ⊕ MSG2
0     1     1
0     0     0
1     1     0
1     1     0

The two results are identical (1 0 0 0): the key stream K has cancelled. Apply statistical analysis on the last three bits (where the plaintexts agree) and an educated guess on the rest.

Page 49: 80211

[Figure: Active attack setup: Attacker, AP and wired network. A known plaintext ("Hi") crosses the AP and the attacker captures its encrypted form ("xx")]

Page 50: 80211

Active Attack:

• The attacker knows the exact plaintext for one encrypted packet

• Uses this knowledge to construct a correctly encrypted packet (the XOR of the known plaintext and its ciphertext reveals the key stream for that IV)

• Construct a new message, calculate its CRC-32, and perform bit flips on the original encrypted packet to change the plaintext to the new message; because CRC-32 is linear, the flips needed in the encrypted ICV follow from the plaintext changes alone, without knowledge of the key
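The passive key-stream-reuse attack (Pages 46–48) and the active CRC-32 bit-flip attack (Page 50) carried out end to end in Python. This is an added, toy example written for this page, not code from the slides or from any attack tool. RC4 and the WEP encapsulation follow Pages 39–41 (seed = IV || key, P = M || CRC-32(M), IV sent in the clear); the 40-bit key, the IV and the messages are constructed test data, and the ICV byte order is assumed little-endian, which does not affect either attack.

```python
"""WEP key-stream reuse and CRC-32 bit flipping (added example, not from the slides).

Toy implementation of RC4 and WEP encapsulation as described on the slides.
KEY40, IV and the messages are constructed test data.
"""
import zlib

KEY40 = bytes.fromhex("0123456789")   # constructed 40-bit shared key
IV = bytes.fromhex("aabbcc")          # constructed 24-bit IV


def rc4(seed, n):
    """RC4 key stream of n bytes for the given seed (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data):
    """4-byte ICV; little-endian byte order is an assumption of this example."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, msg):
    plain = msg + crc32(msg)                              # P = (M, c(M))
    return iv + xor(plain, rc4(iv + key, len(plain)))     # IV in the clear, then C


def wep_decrypt(key, frame):
    """Return (msg, icv_ok); the receiver rebuilds the key stream from IV || key."""
    iv, c = frame[:3], frame[3:]
    plain = xor(c, rc4(iv + key, len(c)))
    msg, icv = plain[:-4], plain[-4:]
    return msg, icv == crc32(msg)


# Passive attack: two frames under one IV leak M1 XOR M2, no key required
def xor_of_plaintexts(frame1, frame2):
    assert frame1[:3] == frame2[:3], "IVs differ, the key streams do not cancel"
    n = min(len(frame1), len(frame2)) - 3 - 4     # strip IV and ICV
    return xor(frame1[3:3 + n], frame2[3:3 + n])


# Active attack: flip chosen plaintext bits and repair the ICV without the key
def flip_bits(frame, delta):
    """Turn a valid frame for M into a valid frame for M XOR delta.

    CRC-32 is affine over GF(2): crc(a ^ b) = crc(a) ^ crc(b) ^ crc(0^n) for
    equal-length a and b, so the ICV correction depends only on delta.
    """
    icv_delta = xor(crc32(delta), crc32(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def demo():
    m1 = b"GET /index.html"            # constructed messages of equal length
    m2 = b"PUT /secret.txt"
    f1 = wep_encrypt(KEY40, IV, m1)
    f2 = wep_encrypt(KEY40, IV, m2)    # IV reused -> identical key stream
    # Passive: knowing m1 (e.g. the attacker injected it) recovers m2 outright
    recovered_m2 = xor(xor_of_plaintexts(f1, f2), m1)
    # Active: rewrite "index" to "admin" inside f1 and keep the ICV valid
    forged = flip_bits(f1, xor(m1, b"GET /admin.html"))
    msg, ok = wep_decrypt(KEY40, forged)
    return recovered_m2, msg, ok


if __name__ == "__main__":
    print(demo())
```

The forged frame decrypts to the attacker's message and passes the ICV check, which is the whole point of the active attack: the shared key never enters the computation. This is why 802.11i replaced the CRC-32 ICV with a keyed message integrity code.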