ICOM 6505: Wireless Networks Wireless LAN - PowerPoint PPT Presentation

1
ICOM 6505 Wireless Networks- Wireless LAN -
  • By Dr. Kejie Lu
  • Department of Electronic and Computer Engineering
  • Spring 2009

2
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

3
Standards
  • IEEE 802.11 is a working group for WLAN standards
  • Website: http://www.ieee802.org/11/
  • Major standards
  • 11-1997
  • 11a up to 54Mbps in 5GHz band
  • 11b up to 11Mbps in 2.4GHz band
  • 11e quality of service
  • 11g up to 54Mbps in 2.4GHz band
  • 11i security
  • 11n high throughput

4
IEEE 802.11a
  • A physical layer standard for WLANs in the 5GHz
    radio band.
  • 8 available radio channels
  • 12 channels in some countries, depending on the
    radio spectrum permitted.
  • Maximum link rate of 54-Mbps per channel
  • Maximum user data throughput will be
    approximately half of this because the throughput
    is shared by all users of the same radio channel
  • The data rate decreases as the distance between
    the user and the radio access point increases.

5
IEEE 802.11b
  • A physical layer standard for WLANs in the 2.4GHz
    radio band.
  • Up to 3 non-overlapped radio channels
  • Maximum link rate of 11-Mbps per channel
  • Maximum user throughput will be approximately
    half of this because the throughput is shared by
    all users of the same radio channel.
  • The data rate decreases as the distance between
    the user and the radio access point increases

6
IEEE 802.11d
  • Supplementary to the MAC layer in 802.11 to
    promote worldwide use of 802.11 WLANs
  • It will allow access points to communicate
    information on the permissible radio channels
    with acceptable power levels for user devices
  • The 802.11 standards cannot legally operate in
    some countries; the purpose of 11d is to add
    features and restrictions that allow WLANs to
    operate within the rules of these countries

7
IEEE 802.11e
  • Supplementary to the MAC layer to provide QOS
    support for LAN applications
  • It will apply to 802.11 physical standards 11a,
    11b and 11g
  • The purpose is to provide classes of service with
    managed levels of QOS for data, voice and video
    applications

8
IEEE 802.11f
  • A "recommended practice" document that aims to
    achieve radio AP interoperability within a
    multivendor WLAN network
  • The standard defines the registration of APs
    within a network and the interchange of
    information between APs when a user is handed
    over from one AP to another

9
IEEE 802.11g
  • A physical layer standard for WLANs in the 2.4GHz
    radio band.
  • The maximum link rate is 54Mbps per channel
  • By comparison, 11b only provides an 11Mbps rate
  • Modulations used in the 802.11g standard
  • Orthogonal frequency-division multiplexing (OFDM)
    modulation is mandatory
  • Supports complementary code keying (CCK)
    modulation for backward compatibility with 11b
  • Packet binary convolutional coding (PBCC)
    modulation as an option for faster link rates

10
IEEE 802.11h
  • Supplementary to the MAC layer to comply with
    European regulations for 5GHz WLANs
  • European regulations require products to have
    transmission power control (TPC) and dynamic
    frequency selection (DFS)
  • TPC limits the transmitted power to the minimum
    needed to reach the furthest user.
  • DFS selects the radio channel at the access point
    to minimize interference with other systems,
    particularly radar

11
IEEE 802.11i
  • Supplementary to the MAC layer to improve
    security.
  • It will apply to 802.11 physical standards a, b
    and g.
  • It provides an alternative to Wired Equivalent
    Privacy (WEP) with new encryption methods and
    authentication procedures.
  • IEEE 802.1x forms a key part of 802.11i

12
802.11a or 802.11b
  • Consider using 802.11b if
  • Range requirements are significant
  • Already have a large investment in 802.11b
  • End users are sparsely populated
  • Consider using 802.11a if
  • There's need for much higher performance
  • Significant RF interference is present within the
    2.4 GHz band
  • End users are densely populated

13
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

14
OSI Reference Model
15
802.x Standard
  • The IEEE 802 Local and Metropolitan Area Network
    Standards Committee is a major working group
    chartered by IEEE to create, maintain, and
    encourage the use of IEEE and equivalent ISO
    standards.
  • The MAC and Physical layers of the 802 standard
    were organized into a separate set of standards
    from the LLC because of the interdependence
    between medium access control, medium, and
    topology.

16
802.2 LLC Overview
  • The LLC is the highest layer of the IEEE 802
    Reference Model and provides functions similar to
    the traditional data link control protocol
  • The purpose of the LLC is to exchange data
    between end users across a LAN using an 802-based
    MAC controlled link.
  • The LLC provides addressing and data link
    control, and it is independent of the topology,
    transmission medium, and medium access control
    technique chosen.
  • Higher layers, such as TCP/IP, pass user data
    down to the LLC expecting error-free transmission
    across the network.
  • The LLC provides end-to-end link control over an
    802.11-based wireless LAN.

17
802.2 LLC Services
  • Unacknowledged connectionless service
  • Is a datagram-style service that does not involve
    any error-control or flow-control mechanisms.
  • Connection-oriented service
  • It establishes a logical connection that provides
    flow control and error control between two
    stations needing to exchange data.
  • Acknowledged connectionless service
  • It does not involve the establishment of a
    logical connection with the distant station.
  • But the receiving stations do confirm successful
    delivery of datagrams.

18
Service Set
  • Independent Basic Service Set (IBSS)
  • Basic Service Set (BSS)
  • Extended Service Set (ESS)

19
Independent Basic Service Set (IBSS)
20
Basic Service Set (BSS)
21
Extended Service Set (ESS)
22
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

23
802.11 Physical Layer
  • The 802.11 standard specifies several Physical
    layers
  • Initial standard, 1997
  • Current standards
  • 802.11a
  • 802.11b
  • 802.11g
  • Coming standard
  • 802.11n

24
Initial standard
  • The initial standard approved in 1997 supports
    data rates of 1 and 2Mbps in the 2.4GHz band
  • FHSS frequency hopping spread spectrum
  • DSSS direct sequence spread spectrum
  • This initial release also defines an infrared
    Physical layer operating at 1 and 2Mbps via
    passive ceiling reflection

25
Current Standards
  • IEEE 802.11b adds an 11Mbps, high-rate version
    direct sequence standard
  • IEEE 802.11a defines a Physical layer using OFDM
    (orthogonal frequency division multiplexing) to
    deliver data rates of up to 54Mbps in the 5GHz
    frequency band
  • IEEE 802.11g uses OFDM in the 2.4GHz frequency
    band to provide up to 54Mbps data rate

26
802.11b Physical Layer
27
802.11 World Wide Spectrum
28
802.11 DSSS Channel
29
What is Spread Spectrum?
  • The transmitted signal bandwidth is much greater
    than the information bandwidth
  • Some function other than the information being
    transmitted is employed to determine the
    resultant transmitted bandwidth - Spreading Code

30
Advantages of Spread Spectrum
  • Low power density
  • The transmitted energy is spread over a wide
    band, and therefore, the amount of energy per
    specific frequency is very low.
  • The effect of the low power density
  • Such a signal will not disturb (interfere with)
    the activity of other systems' receivers in the
    same area, and
  • Such a signal cannot be easily detected by
    intruders, providing a level of intrinsic security.

31
Advantages of Spread Spectrum
  • Redundancy
  • The message is present on different frequencies
    from where it may be recovered in case of errors.
  • The effect of redundancy
  • Spread Spectrum systems present high resistance
    to noises and interference, being able to recover
    their messages even if noises are present on the
    medium.

32
Spread Spectrum Modulations
  • Two methods
  • FHSS, or Frequency Hopping Spread Spectrum
  • DSSS, or Direct Sequence Spread Spectrum

33
FHSS - Modulation
  • Spreading code modulation
  • The frequency of the carrier is periodically
    modified (hopped) following a specific sequence
    of frequencies.
  • The spreading code is this list of frequencies to
    be used for the carrier signal - "hopping
    sequence".
  • The amount of time spent on each hop is known as
    dwell time.

34
FHSS - Modulation
  • Message modulation
  • The message modulates the (hopping) carrier
    (FSK), thus generating a narrow band signal for
    the duration of each dwell,
  • But also generating a wide band signal, if the
    process is regarded over periods of time in the
    range of seconds.
  • Redundancy is achieved by the possibility of
    executing re-transmissions on different carrier
    frequencies (hops).

35
Example of FHSS
36
DSSS - Modulation
  • Spreading code modulation
  • For the duration of every message bit, the
    carrier is modulated (PSK) following a specific
    sequence of bits (known as chips).
  • The process is known as "chipping" and results in
    the substitution of every message bit by the
    (same) sequence of chips.
  • In DSSS systems, the spreading code is the chip
    sequence used to represent message bits.

37
DSSS - Modulation
  • Message modulation
  • For message bits 0 and 1, the sequence of
    chips used to represent the bit remains as
    dictated by the process above.
  • In this way message bits "0" and "1" are
    represented by different chip sequences (one
    being the inverted version of the other one).
  • Redundancy is achieved by the presence of the
    message bit on each chip of the spreading code.
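The chipping process described on these two DSSS slides, as an added Python example that is not part of the presentation: it spreads message bits with the 11-chip Barker sequence that 802.11 DSSS uses, recovers them by correlation, and shows the redundancy the slide mentions (a bit survives several corrupted chips). It also computes the code's autocorrelation at chip offsets, which is what makes a multipath copy delayed by one or more chips (the shift discussed on the later "Multipath in Time Domain" slides) contribute almost nothing at the correlator. The Barker sequence is the real 802.11 one; the bipolar (+1/-1) chip convention and the `corrupt()` helper are my own.

```python
# Added example (not from the slides): DSSS spreading with the 11-chip Barker
# sequence, despreading by correlation, chip-error tolerance and autocorrelation.

BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]  # 802.11 DSSS spreading code

def spread(bits):
    """Replace each message bit by the chip sequence (bit 1) or its inverse (bit 0)."""
    chips = []
    for b in bits:
        sign = 1 if b == 1 else -1
        chips.extend(sign * c for c in BARKER_11)
    return chips

def correlate(window):
    """Correlate one 11-chip window with the code: +11 for a clean '1', -11 for a clean '0'."""
    return sum(x * c for x, c in zip(window, BARKER_11))

def despread(chips):
    """Decide each bit from the sign of the correlation over its 11-chip window."""
    n = len(BARKER_11)
    return [1 if correlate(chips[i:i + n]) > 0 else 0
            for i in range(0, len(chips) - n + 1, n)]

def corrupt(chips, positions):
    """Invert the chips at the given positions (models short narrow-band interference)."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out

def autocorrelation(offset):
    """Correlation of the code with a copy of itself delayed by `offset` chips
    (zero-padded). 11 at offset 0; only 0 or -1 at every other offset, so a
    multipath copy shifted by a whole chip barely affects the bit decision."""
    n = len(BARKER_11)
    return sum(BARKER_11[i] * BARKER_11[i - offset] for i in range(offset, n))

if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0]
    print("recovered:", despread(spread(msg)))
    print("with 5 of 11 chips inverted:", despread(corrupt(spread(msg), [0, 1, 2, 3, 4])))
    print("autocorrelation by offset:", [autocorrelation(k) for k in range(11)])
```

Each bit is decided by a majority-like vote over 11 chips, so up to five inverted chips per bit are absorbed; the sixth flips the decision. The autocorrelation values are the reason the receiver locks onto the direct path and treats chip-delayed echoes as weak noise.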

38
DSSS
39
System Collocation - DSSS
  • How many independent systems may operate
    simultaneously without interference
  • Collocation could be based on the use of
    different spreading codes (sequences) for each
    active system.
  • On condition that the sequences used are highly
    distinguishable one from the other one (known as
    orthogonality) each receiver will be able to
    "read" only the information dedicated to it
    (receiver and transmitter use same spreading
    code).
  • The number of orthogonal pseudo-random sequences
    is limited and it is a function of the sequence
    length - number of chips (bits) in the sequence.

40
System Collocation - DSSS
  • The following table is taken from "Modern
    Communications and Spread Spectrum" by G. R.
    Cooper and C. D. McGillem

41
System Collocation - DSSS
  • Actual DSSS systems use 11 bit long spreading
    sequences
  • Making the use of CDMA impossible.
  • System collocation is therefore based on the
    fixed allocation of bandwidth to each system.
  • For the transmission of 11 Mchips per second
    (Msymbols per sec), IEEE 802.11 needs
  • A contiguous band of 22 MHz, and
  • A minimum distance of 3 MHz between the carrier
    frequencies of collocated DSSS systems.

42
System Collocation - DSSS
  • Only 3 DSSS systems may be collocated
  • The total available bandwidth in the ISM band is
    83.5MHz (2.4GHz - 2.4835GHz) and
  • The distance (guard band) between carriers has to
    be 3 MHz
  • Simple math: 3 x 22 MHz + 2 x 3 MHz = 72 MHz,
    which fits in the 83.5 MHz available

43
802.11 DSSS Channel
44
System Collocation - FHSS
  • IEEE 802.11 defines 79 different hops for the
    carrier frequency.
  • Using these 79 frequencies, IEEE 802.11 defines
    78 hopping sequences (each with 79 hops) grouped
    in three sets of 26 sequences each.
  • 3 x 26 = 78 (thus, max 3 APs allowed in the same
    area)
  • FHS1 (0, 3, 6, 9, ..., 75)
  • FHS2 (1, 4, 7, 10, ..., 76)
  • FHS3 (2, 5, 8, 11, ..., 77)
  • Sequences from same set encounter minimum
    collisions and therefore may be allocated to
    collocated systems.

45
System Collocation - FHSS
  • Theoretically, 26 FHSS systems may be collocated,
    but collisions will still occur in significant
    amounts.
  • To lower the amount of collisions to acceptable
    levels, the actual number of FHSS collocated
    systems should be around 15.

46
Noise and Interference
  • There are two types
  • All band interference, and
  • Narrow band interference

47
All Band Interference
  • The whole spectrum used by the radio is 83.5 MHz
    in FHSS (the whole ISM band) while for DSSS it is
    only 22 MHz (one of the sub-bands).
  • The chances of having an interference covering a
    range of 22 MHz are obviously greater than the
    chances of having the interference covering 83.5
    MHz.
  • A 22 MHz wide interference may totally block a
    DSSS system, while it will block only 33% of the
    hops in an FHSS system.
  • An FHSS system will work in these conditions at
    66% of its capacity, but it will work! A DSSS
    system would not work at all.

48
Narrow Band Interference
  • In DSSS, a narrow band interference signal
    (interference present around one single
    frequency) falls inside the receiver's 22 MHz
    sub-band and is accepted by the receiver.
  • If enough energy is present on it, the
    interfering signal will totally block the
    receiver.

49
Narrow Band Interference
  • FHSS systems work with narrow band signals
    (located each time around a different carrier
    frequency).
  • A narrow band interference signal present on a
    specific frequency will block only one specific
    hop.
  • The FHSS receiver will not be able to operate at
    that specific hop,
  • But, after hopping to a different frequency, the
    signal will be accepted by the receiver.

50
Near/Far Problem
  • The interfering signals may be generated, for
    example, by another radio transmitter located
    close to the receiver of a DSSS system.
  • The signals generated by such a transmitter,
    being received by the DSSS receiver at higher
    power levels, could blind it, making it unable to
    hear its partner.
  • On the other hand, if the receiver is FHSS, the
    worst case will be that the other transmitter
    will block some hops, forcing the FHSS system to
    work in less than optimum conditions, but work.

51
Multipath
  • Environments with reflective surfaces (such as
    buildings, office walls, furniture, etc.)
  • Generate multiple possible paths between
    transmitter and receiver and
  • Therefore the receiver receives multiple copies
    of the original (transmitted) signal.
  • Because the received copies have taken different
    paths, they arrive with different delays.

52
Multipath in Time Domain
  • In DSSS systems, the chipping process generates a
    high rate transmitted signal.
  • The symbols of this transmitted signal are much
    shorter / narrower (in time) than the symbols
    generated by a FHSS system transmitting the same
    data rate.
  • Obviously, a narrow pulse (DSSS systems) is more
    sensitive to delays (shifts in time) than a wider
    pulse (FHSS systems) and
  • As a result the FHSS systems have better chances
    to be undisturbed by the presence of multipath
    effects

53
Multipath in Time Domain
  • Results of a shift of x (one FHSS symbol period)
  • A shift of x symbols for an FHSS system,
  • A shift of 11x chips for a DSSS system operating
    with an 11-chip spreading sequence at the same
    data rate

54
Multipath in Time Domain
55
Multipath in Frequency Domain - Fading
  • The multiple copies of the original signal arrive
    at the receiver with different instantaneous
    amplitudes and phases.
  • The mixing of these copies at the receiver
    results in having some frequencies canceling one
    another, while other frequencies will sum up.
  • The result is a process of selective fading of
    frequencies in the spectrum of the received
    signal.

56
Multipath in Frequency Domain - Fading
  • FHSS systems operate with narrow band signals
    located around different carrier frequencies.
  • If at a specific moment, the FHSS system is using
    a carrier frequency significantly faded as a
    result of multipath, the FHSS receiver could not
    get enough energy to detect the radio signal.
  • The resultant loss of information is corrected by
    re-transmitting the lost packets.

57
Multipath in Frequency Domain - Fading
  • DSSS systems operate over wider bands,
    transmitting their signal over a group of
    frequencies simultaneously.
  • As long as the average level within the wide
    band (the rectangle in the figure) is high enough,
    the DSSS receiver will be able to detect the
    radio signal.

58
Time and Frequency Diversity
  • Both DSSS and FHSS retransmit lost packets, until
    the receiving party acknowledges correct
    reception.
  • A packet could be lost because of noises or
    multipath effects.
  • This capability of a system to repeat
    unsuccessful transmissions at later moments in
    time is known as "time diversity".

59
Time and Frequency Diversity
  • DSSS systems use time diversity, but the problem
    is that they retransmit on the same 22 MHz
    sub-band.
  • If the noise is still there or if the topography
    of the site did not change, the transmission
    could be again unsuccessful.
  • As a result the multipath effects will be again
    present
  • The multipath effects are a function of
    frequency.
  • For same topography, some frequencies encounter
    multipath effects, while others do not.

60
Time and Frequency Diversity
  • FHSS systems use "time diversity" (they
    retransmit lost packets at later moments in time)
    but they also use "frequency diversity" (packets
    are retransmitted on different frequencies /
    hops).
  • Even if some hops (frequencies) encounter
    multipath effects or noises, others will not, and
    the FHSS system will succeed in executing its
    transmission.

61
Throughput Analysis
  • There are two types
  • Single system throughput, and
  • Aggregate throughput of collocated systems

62
Single System Throughput
  • DSSS systems transmit at rates of up to 11 Mbps
  • Use a contiguous sub-band of 22 MHz.
  • The efficiency of such a system is 11 Mbps / 22
    MHz = 0.5 bits / Hertz.
  • FHSS systems (as of today) transmit at rates of
    up to 3 Mbps
  • Use a channel of 1 MHz.
  • The efficiency of such a system is 3 Mbps / 1 MHz
    = 3 bits / Hertz.

63
Single System Throughput
  • FHSS systems (future)
  • A result of the latest FCC decision (summer 2000)
    to allow FHSS operation in the 2.4 GHz band with
    5MHz channels (instead of 1 MHz),
  • Operating at about 15 Mbps should be expected in
    the market in the future.
  • The throughput is about 7 Mbps for 11 Mbps DSSS,
    and about 2 Mbps for 3 Mbps FHSS.

64
Aggregate Throughput
  • Based on the IEEE 802.11 specifications, the max
    number of DSSS systems that can be collocated is
    3.
  • These 3 collocated systems provide an aggregate
    rate of 3 x 11 Mbps = 33 Mbps, or
  • A net aggregate throughput of 3 x 7 Mbps = 21
    Mbps.

65
Aggregate Throughput
  • FHSS systems may be operated with synchronized or
    non-synchronized hopping sequences
  • In the case of non-synchronized hopping sequences
  • The band is allocated in a dynamic way among the
    collocated systems
  • They use different hopping sequences which are
    not synchronized
  • Collisions do occur, lowering the actual
    throughput.

66
Aggregate Throughput
  • In the synchronized case,
  • Collisions are totally eliminated,
  • Up to 12 systems can be collocated, and
  • The aggregate rate and throughput is a linear
    function of the number of collocated end systems.

67
Throughput
68
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

69
802.11 MAC Layer Services
  • Authentication
  • De-authentication
  • Association
  • De-association
  • Re-association
  • Privacy
  • Data transfer
  • Distribution
  • Integration
  • Power management

70
Authentication
  • The process of proving client identity which
    takes place prior to a wireless client
    associating with an AP.
  • Essentially any wireless client can associate
    with an AP without checking credentials.
  • 802.11 provides an option known as Wired
    Equivalent Privacy (WEP)
  • A shared key is configured into the AP and its
    wireless clients.
  • Only those devices with a valid shared key will
    be allowed to be associated to the AP.

71
De-authentication
  • The de-authentication function is performed by
    the base station.
  • It is a process of denying client credentials,
    based on
  • incorrect authentication settings, or
  • applied IP or MAC filters.

72
Association
  • Association.
  • Enables the establishment of wireless links
    between wireless clients and APs in
    infrastructure networks.
  • Disassociation.
  • Cancels the wireless links between wireless
    clients and APs in infrastructure networks.

73
Re-association
  • Re-association.
  • Occurs in addition to association when a wireless
    client moves from one BSS to another.
  • Two adjoining BSSs form an ESS if they are
    defined by a common ESSID, providing a wireless
    client with the capability to roam from one area
    to another.
  • Although re-association is specified in 802.11,
    the mechanism that allows AP-to-AP coordination
    to handle roaming is not specified.

74
Privacy
  • By default, data is transferred in the clear
  • Allowing any 802.11-compliant device to
    potentially eavesdrop on similar PHY 802.11
    traffic within range.
  • The WEP option encrypts data before it is sent
    wirelessly, using the RC4 stream cipher with a
    40-bit key.
  • The same shared key used in authentication is
    used to encrypt or decrypt the data, allowing
    only wireless clients with the exact shared key
    to correctly decipher the data.

75
Data Transfer Distribution
  • Data transfer.
  • The primary service of MAC layer is to provide
    frame exchange between MAC layers.
  • Wireless clients use a Carrier Sense Multiple
    Access with Collision Avoidance (CSMA/CA)
    algorithm as the media access scheme.
  • Distribution.
  • The distribution function is performed by DS and
    it is used in special cases in frame transmission
    between APs.

76
Integration Power management
  • Integration.
  • A function performed by the portal
  • Designed to provide logical integration between
    existing wired LANs and 802.11 LANs.
  • Power management.
  • IEEE 802.11 defines two power modes
  • Active mode, where a wireless client is powered
    to transmit and receive, and
  • Power save mode, where a client is not able to
    transmit or receive, consuming less power.
  • Actual power consumption is not defined and is
    dependent upon the implementation.

77
CSMA/CD
  • The classic CSMA/CD method is a very effective
    mechanism in a wired environment,
  • Enabling speeds of 10 Mbps (10BASE-T), 100 Mbps
    (Fast Ethernet), or 1000 Mbps (Gigabit Ethernet).
  • However, unlike in wired networks, CSMA/CD cannot
    be implemented for WLANs, for two reasons.

78
Why Not Classic CSMA/CD?
  • First, one of the basic assumptions of CSMA/CD
    is that all stations hear each other,
  • In a WLAN this cannot be guaranteed.
  • There is a hidden station effect where the
    station hears the AP, but does not hear all other
    members of the cell.
  • Secondly, it is not possible to both transmit and
    receive on the same channel using radio
    transceivers
  • Unless we use a full duplex radio, which could
    increase the price significantly.

79
Hidden Terminal Problem
  • Node B can communicate with A and C both
  • A and C cannot hear each other
  • When A transmits to B, C cannot detect the
    transmission using the carrier sense mechanism
  • If C transmits to D, collision will occur at B

[Figure: nodes A, B, C and D in a line; B is in range of A and C, while A and C are out of each other's range]
80
CSMA/CA
  • Collision avoidance mechanisms are related more
    to deterministic type of networks, where the
    response time is predictable.
  • 802.11 standard for CSMA/CA defines two different
    access methods
  • the Distributed Coordination Function (DCF) and
  • the Optional Point Coordination Function (PCF).

81
Distributed Coordination Function (DCF)
  • A station wishing to transmit data, senses the
    medium first.
  • If the medium is busy, then the station defers
    its transmission to a later time,
  • If the medium is free for a specified time
    (Distributed Inter Frame Space (DIFS)), the
    station transmits.

82
Distributed Coordination Function (DCF)
  • The receiving station then checks the CRC of the
    received packet and sends an ACK packet.
  • This indicates to the transmitting station that
    there were no collisions detected.
  • If the sender does not receive ACK, then it
    re-transmits the last fragment.

83
Point Coordination Function
  • Used to implement time-critical services, like
    voice or video transmission.
  • A single AP controls access to the media and a
    point coordinator resides in the AP.
  • If a BSS is set up with PCF enabled, time is
    sliced between the system being in PCF mode and
    in DCF mode,
  • No station is allowed to transmit unless it is
    polled, and stations receive data from the access
    point only when they are polled.

84
What about Hidden Node?
  • The effect of the hidden station could cause a
    collision at any stage of the transmit-receive
    process.
  • To reduce the probability of two stations
    colliding, the standard defines a Virtual Carrier
    Sense mechanism.

85
Virtual Carrier Sense
  • A station waiting to transmit a packet will first
    transmit a short control packet, RTS
  • called Request To Send, which
  • includes the source, destination and the duration
    of the following transaction.
  • If the medium is free, the destination station
    responds with a response control packet, CTS
  • called Clear To Send, which
  • includes the same duration information.

86
Virtual Carrier Sense
  • All stations receiving either the RTS or the CTS
    set their Virtual Carrier Sense indicator for the
    given duration
  • called the NAV, for Network Allocation Vector.
  • This information is used together with the
    Physical Carrier Sense when sensing the medium.
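The hidden terminal scenario from the earlier slide, replayed with and without the RTS/CTS exchange, as an added Python example that is not part of the presentation. It is a slot-level model: stations A, B, C and D sit in a line and each hears only its immediate neighbours, an RTS, CTS or ACK takes one slot and a data frame takes `DATA_SLOTS` slots. With physical carrier sense only, C cannot hear A's frame to B and starts its own frame to D, which collides at B; with RTS/CTS, C hears B's CTS, sets its NAV for the announced duration and defers. The topology, slot timings and the scenario are constructed for the example, and real 802.11 inter-frame spaces (SIFS/DIFS) and backoff are omitted.

```python
# Added example (not from the slides): hidden terminal with and without RTS/CTS
# and the NAV, on a constructed A-B-C-D line topology.

DATA_SLOTS = 5
# Constructed topology: each station hears only its immediate neighbours.
NEIGHBOURS = {"A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"}, "D": {"C"}}

def transmitting(log, node, slot):
    """Frames that `node` has on the air during `slot`."""
    return [f for f in log if f["from"] == node and f["start"] <= slot < f["end"]]

def physical_cs_busy(log, node, slot):
    """Physical carrier sense: does `node` hear any neighbour transmitting in `slot`?"""
    return any(transmitting(log, n, slot) for n in NEIGHBOURS[node])

def send(log, nav, src, dst, kind, start, length, reserve=0):
    """Put a frame on the air. RTS/CTS carry a duration field; every neighbour of
    the sender that hears it sets its NAV to the end of the announced reservation."""
    log.append({"from": src, "to": dst, "kind": kind, "start": start, "end": start + length})
    if reserve:
        for n in NEIGHBOURS[src]:
            nav[n] = max(nav[n], start + length + reserve)
    return start + length

def transfer(log, nav, src, dst, want_slot, use_rts_cts):
    """A station that wants to transmit at `want_slot` defers while either the
    physical carrier sense or the virtual one (its NAV) says busy, then sends.
    Returns the slot at which its data frame actually starts."""
    t = want_slot
    while physical_cs_busy(log, src, t) or nav[src] > t:
        t += 1
    if use_rts_cts:
        t = send(log, nav, src, dst, "RTS", t, 1, reserve=1 + DATA_SLOTS + 1)  # CTS + DATA + ACK
        t = send(log, nav, dst, src, "CTS", t, 1, reserve=DATA_SLOTS + 1)      # DATA + ACK
    data_start = t
    t = send(log, nav, src, dst, "DATA", t, DATA_SLOTS)
    send(log, nav, dst, src, "ACK", t, 1)
    return data_start

def collisions(log):
    """(station, slot) pairs at which a station hears two neighbours at once."""
    last = max(f["end"] for f in log)
    found = []
    for slot in range(last):
        for node in NEIGHBOURS:
            if sum(bool(transmitting(log, n, slot)) for n in NEIGHBOURS[node]) >= 2:
                found.append((node, slot))
    return found

def scenario(use_rts_cts):
    """A sends to B from slot 0; C tries to send to D at slot 2 while A's frame
    is still in the air (C cannot hear A). Returns the collisions seen and the
    slot at which C's data frame started."""
    log, nav = [], {n: 0 for n in NEIGHBOURS}
    transfer(log, nav, "A", "B", 0, use_rts_cts)
    c_start = transfer(log, nav, "C", "D", 2, use_rts_cts)
    return {"collisions": collisions(log), "c_data_start": c_start}

if __name__ == "__main__":
    print("physical carrier sense only:", scenario(False))
    print("with RTS/CTS and NAV:      ", scenario(True))
```

Without RTS/CTS the model reports collisions at B for the slots where A's and C's data frames overlap; with RTS/CTS the NAV that C learned from B's CTS keeps it silent until A's ACK has been sent, so its own exchange starts later and there are no collisions.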

87
Virtual Carrier Sense
88
Virtual Carrier Sense
89
802.11 Association
  • The association process is a two step process
    involving three states
  • Unauthenticated and unassociated,
  • Authenticated and unassociated, and
  • Authenticated and associated.
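The two-step, three-state process on this slide, as an added Python example that is not part of the presentation: a small AP-side state machine that accepts the management frames named on the "802.11 MAC Layer Services" slides and reports frames that arrive in a state where they are not valid (for instance a data frame from a station that has authenticated but not associated). The state names follow the slide; which frame is accepted in which state is a simplification written for this example, not a transcription of the standard's frame classes.

```python
# Added example (not from the slides): the three 802.11 station states driven by
# management frames; a simplified model of which frame is valid in which state.

UNAUTH_UNASSOC = "unauthenticated, unassociated"   # state 1
AUTH_UNASSOC = "authenticated, unassociated"       # state 2
AUTH_ASSOC = "authenticated, associated"           # state 3

# (frame, state before) -> state after. A frame absent from this table is
# rejected in that state. De-authentication is accepted from any state and
# always returns the station to state 1, so it also undoes an association.
TRANSITIONS = {
    ("authentication", UNAUTH_UNASSOC): AUTH_UNASSOC,
    ("association", AUTH_UNASSOC): AUTH_ASSOC,
    ("reassociation", AUTH_UNASSOC): AUTH_ASSOC,   # roaming in from another BSS
    ("reassociation", AUTH_ASSOC): AUTH_ASSOC,
    ("disassociation", AUTH_ASSOC): AUTH_UNASSOC,
    ("deauthentication", UNAUTH_UNASSOC): UNAUTH_UNASSOC,
    ("deauthentication", AUTH_UNASSOC): UNAUTH_UNASSOC,
    ("deauthentication", AUTH_ASSOC): UNAUTH_UNASSOC,
    ("data", AUTH_ASSOC): AUTH_ASSOC,              # data frames only once associated
}

def replay(frames, state=UNAUTH_UNASSOC):
    """Feed a sequence of frame types to the state machine. Returns the final
    state and the (frame, state) pairs that were rejected as invalid there."""
    rejected = []
    for frame in frames:
        nxt = TRANSITIONS.get((frame, state))
        if nxt is None:
            rejected.append((frame, state))
        else:
            state = nxt
    return state, rejected

if __name__ == "__main__":
    # A station that skips authentication, then does it properly, then is de-authenticated.
    print(replay(["association", "authentication", "association", "data",
                  "deauthentication", "data"]))
```

The trace shows both halves of the slide's point: association is refused until authentication has happened, and a single de-authentication drops the station all the way back to state 1, so its later data frame is refused until it repeats both steps.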

90
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

91
802.11 Security
  • Organizations have channeled their external
    network traffic through distinct openings
    protected by firewalls.
  • Simple and effective idea.
  • By limiting external connections to a few well
    protected openings, the organization can better
    protect itself.
  • Unfortunately, the deployment of a wireless
    network opens a back door

92
Wireless Security Back Door
  • A wireless back door
  • Permits an attacker access beyond the physical
    security perimeter of the organization.
  • The attacker can implement the "parking lot
    attack"
  • The attacker sits in the organization's parking
    lot and accesses hosts on the internal network.

93
Parking Lot Attack
94
802.11 Standard Security
  • Two services are provided to bring the IEEE
    802.11 functionality in line with wired LAN
    assumptions.
  • Authentication, provided by the authentication
    service.
  • Privacy, provided by the WEP (Wired Equivalent
    Privacy) mechanism.

95
Authentication Supported in 802.11
  • Wired Equivalent Privacy (WEP) protocol
  • Open System Authentication
  • Closed Network Access Control (proprietary)
  • Access Control Lists (proprietary)

96
Shared Key Authentication
  • A WEP feature called shared key authentication
    ensures only authorized stations can access the
    WLAN.
  • A station requesting 802.11 service sends an
    authentication frame to another station.
  • When a station receives the initial
    authentication frame, the station replies with an
    authentication frame containing challenge text.

97
Shared Key Authentication
  • The requesting station copies the challenge text
    into an authentication frame,
  • encrypts it with a shared key using the WEP
    service, and
  • sends the frame to the responding station.
  • The receiving station decrypts the challenge text
    using the same shared key and compares it to the
    challenge text sent earlier.
  • If they match, the receiving station replies with
    an authentication acknowledgement.
  • If not, the station sends a negative
    authentication notice.

98
Shared Key Authentication
99
Open System Authentication
  • Open system authentication is the default
    authentication protocol for 802.11.
  • As the name implies, open system authentication
    authenticates anyone who requests authentication.
  • Essentially, it provides a NULL authentication
    process.

100
Closed Network Access Control
  • Lucent has defined a proprietary access control
    mechanism called Closed Network.
  • With this mechanism, a network manager can use
    either an open or a closed network.
  • In an open network, anyone is permitted to join
    the network.
  • In a closed network, only those clients with
    knowledge of the network name can join.
  • In essence, the network name acts as a shared
    secret.

101
Access Control List
  • Another mechanism used by vendors (but not
    defined in the standard) to provide security is
    the use of access control lists based on the
    Ethernet MAC address of the client.
  • Each access point can limit the clients of the
    network to those using a listed MAC address.
  • If a client's MAC address is listed, then it is
    permitted access to the network.
  • If the address is not listed, then access to the
    network is prevented.

102
WEP Algorithm Discussion
  • Reasonably strong
  • The security provided by the algorithm relies on
    the difficulty of discovering the secret key.
  • Self-synchronizing
  • Very important when mobile stations go in and out
    of coverage.
  • Computationally efficient
  • It can be easily implemented in both hardware and
    software.
  • Exportable
  • It can be exported outside the US.
  • Optional
  • It is an option, not required in an
    802.11-compliant system.

103
WEP Encryption Algorithm
  • Two processes are applied to the plaintext data.
  • One encrypts the plaintext
  • The other protects against unauthorized data
    modification

104
WEP Integrity Algorithm
  • The integrity check field is a CRC-32 checksum
  • CRC-32 calculates a checksum based on a
    cyclic redundancy check

105
Key Management
  • Key management is a misnomer with respect to
    802.11 as it is left as an exercise for vendors.
  • The 802.11 standard does, however, provide for
    two methods for using WEP keys.

106
Key Management
  • The first provides a window of four keys.
  • A station or AP can decrypt packets enciphered
    with any one of the four keys.
  • The second method is called a key mappings table.
  • In this method, each unique MAC address can have
    a separate key.
  • The size of a key mappings table should be at
    least ten entries according to the 802.11
    specification.

107
Key Management
108
Passive Attack
  • A passive eavesdropper can intercept all wireless
    traffic, until an IV collision occurs.
  • By XORing two packets that use the same IV, the
    attacker obtains the XOR of the two plaintext
    messages.
  • The resulting XOR can be used to infer data about
    the contents of the two messages.
  • IP traffic is often very predictable and includes
    a lot of redundancy.
  • This redundancy can be used to eliminate many
    possibilities for the contents of messages.

109
Passive Attack - Extension
  • An extension to this attack uses a host somewhere
    on the Internet to send traffic from the outside
    to a host on the wireless network installation.
  • The contents of such traffic will be known to the
    attacker, yielding known plaintext.
  • When the attacker intercepts the encrypted
    version of his message sent over 802.11, he will
    be able to decrypt all packets that use the same
    initialization vector.

110
Passive Attack - Extension
111
Active Attack
  • Once plaintext is known, an attacker can use it
    to construct his own correctly encrypted packets.
  • This involves
  • Constructing a new message,
  • Calculating the CRC-32
  • Performing bit flips on the original encrypted
    message to change the plaintext to the new
    message.
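The two weaknesses described on the Passive Attack and Active Attack slides come from the same two facts: a repeated IV repeats the keystream, and CRC-32 is linear. The following Python is an added example (not part of the original lecture) that models a toy WEP frame body to make both visible; the keystream generator, key, IV and HTTP-like plaintexts are constructed stand-ins, and the generator is not RC4.

```python
import hashlib
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    # Constructed stand-in for the per-packet RC4 output (NOT RC4): all that
    # matters here is that the stream is a fixed function of (IV || key).
    return hashlib.shake_128(iv + key).digest(n)

def icv(plaintext: bytes) -> bytes:
    # WEP integrity check value: CRC-32 of the plaintext, as 4 bytes.
    return zlib.crc32(plaintext).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    # Toy WEP frame body: (plaintext || ICV) XOR keystream.
    body = plaintext + icv(plaintext)
    return xor(body, keystream(iv, key, len(body)))

def wep_decrypt(iv: bytes, key: bytes, ciphertext: bytes) -> tuple[bytes, bool]:
    # Returns (plaintext, icv_ok); icv_ok mirrors the receiver's CRC check.
    body = xor(ciphertext, keystream(iv, key, len(ciphertext)))
    pt, tag = body[:-4], body[-4:]
    return pt, tag == icv(pt)

def plaintext_xor_leak(c1: bytes, c2: bytes) -> bytes:
    # Passive attack: frames sent under one IV share a keystream, so it
    # cancels and C1 ^ C2 == P1 ^ P2 with no key knowledge at all.
    return xor(c1, c2)

def crc32_is_affine(a: bytes, b: bytes) -> bool:
    # crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros): a CRC is linear, not a keyed MAC.
    return icv(xor(a, b)) == xor(xor(icv(a), icv(b)), icv(bytes(len(a))))

def apply_bit_flips(ciphertext: bytes, delta: bytes) -> bytes:
    # Active attack from the slides: XOR delta into the encrypted data and the
    # predictable CRC difference into the encrypted ICV; by the affine property
    # the receiver's check still passes. 802.11i replaced this ICV with a keyed MIC.
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return xor(ciphertext, delta + icv_delta)

def demo() -> dict:
    key, iv = b"constructed-key!", b"\x01\x02\x03"      # sample values
    p1, p2 = b"GET /index.html ", b"GET /login.html "  # same IV reused
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    forged = apply_bit_flips(c1, xor(p1, b"GET /admin.html "))
    pt, ok = wep_decrypt(iv, key, forged)
    return {"leak": plaintext_xor_leak(c1, c2)[:len(p1)], "forged_pt": pt, "icv_ok": ok}
```

The `leak` value equals `p1 ^ p2` for any keystream, and `icv_ok` is `True` for the modified frame, which is the whole lesson: an unkeyed linear checksum under a stream cipher detects nothing.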

112
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

113
Roaming
  • The standard includes mechanisms to allow a
    client to roam among multiple APs that can be
    operating on the same or separate channels.
  • Each AP transmits a beacon signal which includes
  • a time stamp for client synchronization,
  • a traffic indication map,
  • an indication of supported data rates, and
  • other parameters.

114
Roaming
  • Roaming clients use the beacon to gauge the
    strength of their existing connection to an AP.
  • If the connection is considered weak, the roaming
    station can attempt to associate itself with a
    new AP.

115
Roaming Operations
  • The specific actions which occur as a user roams
    from one AP to another are as follows.
  • The station sends a re-association request to a
    new AP.
  • If the re-association response is successful,
    then the station has roamed to the new AP;
    otherwise, the station scans for another AP.
  • If the AP accepts a re-association request, the AP
    indicates re-association to the Distribution
    System, the DS information is updated, and the
    old AP is notified through the DS.

116
Roaming Re-association
  • Re-association usually occurs because
  • The wireless station has physically moved away
    from the original access point
  • Change in radio characteristics in the building
  • High network traffic on the original access point
  • High network traffic causes re-association which
    also performs a load balancing function.
  • This process of dynamically associating and
    re-associating with APs allows a customer to set
    up WLANs with very broad coverage by creating a
    series of overlapping 802.11b cells throughout a
    building or across a campus.

117
Outline
  • Standards
  • Architecture
  • The Physical Layer
  • The MAC Layer
  • Security
  • Roaming Approach
  • Power Management

118
Power Management
  • 802.11 supports two power-utilization modes:
  • Continuous Aware Mode and
  • Power Save Polling Mode.
  • The MAC layer implements power management
    functions by putting the radio to sleep when no
    transmission activity occurs for some specific or
    user-defined time period.

119
Power Management
  • Potential problem
  • A sleeping station can miss critical data
    transmissions.
  • 802.11 solution
  • Incorporating buffers to queue messages.

120
Power Management
  • The standard calls for sleeping stations to
    awaken periodically and retrieve any applicable
    messages.
  • The client radio will wake up periodically to
    receive regular beacon signals from the AP.
  • The beacon includes information regarding which
    stations have traffic waiting for them.
  • The client can thus awake upon beacon
    notification and receive its data, returning to
    sleep afterward.