Wireless Networking: Physical and Link Layer

About This Presentation

Title:

Wireless Networking: Physical and Link Layer

Description:

Each poll two messages sent and possibly received. Consecutive polls use different frequencies ... Must determine if previous or new packet should be sent ... – PowerPoint PPT presentation

Number of Views:32

Avg rating:3.0/5.0

Slides: 85

Provided by: prasun3

Category:

more less

Transcript and Presenter's Notes

Title: Wireless Networking: Physical and Link Layer

1
Wireless Networking Physical and Link Layer
Prasun Dewan
Department of Computer Science University of
North Carolina dewan_at_unc.edu
2
Wired vs. Wireless

Wired
Can have point to point connection
Not a scarce medium
Reliable
Communicating devices plentiful power

Wireless
Broadcast medium (within range)
Scarce medium
Unreliable
Communicating devices have scarce power

3
Bluetooth vs IEEE 802.11b

Wireless Personal Area Networking
Replaces cables between devices
Short range (lt 10 m)
Low cost
Isochronous
Cordless telephony/headsets
Peer to peer (ad hoc)
One device in multiple networks

Wireless LAN
Replaces Wired LANS
LAN-sized distance
Higher cost acceptable
No flow guarantees
Device to (wired) router backbone to device

4
Bluetooth Goals

Bluetooth Issues
Wireless Personal Area Networking
Replaces cables between devices
Short range (lt 10 m)
Low cost
Isochronous
Cordless telephony/headsets
Peer to peer (ad hoc)
Absolute location irrelevant
One device in multiple networks

Wireless
Broadcast medium (within range)
Scarce medium
Unreliable
Communicating devices have scarce power

5
Piconet (from paper)

Master connected to lt 7 slaves

6
Topologies (from paper)
7
Topologies (from paper)

Contention
Multiplexing

8
The Multiplexing Problem
frequency
A wireless channel
(how to divide resource among multiple
recipients?)
time
Analogy a highway shared by many users
from Zhang_at_UT 02
9
Frequency-Division Multiplexing
frequency
user 1
user 2
user 3
user 4
guard-band
time
Analogy a highway has multiple lanes
from Zhang_at_UT 02
10
Time-Division Multiplexing
frequency
user 1
user 2
user 3
user 4
user 1
user 2
guard-band
time
Requirement precise time coordination
from Zhang_at_UT 02
11
Frequency-Time-Division
frequency
time-slot (usually of the same size)
time
Analogy a highway has many cars
from Zhang_at_UT 02
12
BlueTooth Choice

Frequency-time division (frequency hopping) for
reducing inter-piconet interference
Static division difficult in dynamic environment.
Assume probability of contention is low
Issues
How to agree on frequency hopping pattern?
What to do when there is contention?

13
Frequency Hopping (from paper)

Use a well defined hopping pattern sequence for
each piconet.

14
Hop Selection (from paper)

Each Piconet has a master.
Master identity chooses sequence
Clock chooses index (phase) in sequence.
Offset established at connection time

15
Connection Establishment

Cellular systems
Common control channel
Need something for ad hoc systems
Must conserve power
Wake up sequence
32 unique hops
Spans 64Mhz of the 80 Mhz spectrum
Pseudo random and unique per device
Phase selected by clock
Clock schedules wake up event every 10 ms
Listens to next frequency for 10 ms and sleeps
again
More the sleep time
Less power consumption
Slower response time to paging unit (master)

16
Frequency time uncertainty

Uncertainty when paged unit will wake up and at
what frequency
Burden on paging unit rather than paged unit
to keep idle energy consumption low
Paging unit knows identity of paged unit and
hence wake-up sequence
Repeatedly polls for device

17
Polling for Device (from paper)

Polls every 1.25 ms
Each poll two messages sent and possibly received
Consecutive polls use different frequencies
In 10ms (sleep period) 16 frequencies visited
(half sequence)
After sleeping period over, tries other 16
frequencies
One frequency in common because device clock
progresses
Maximum delay twice (thrice?) sleeping period

18
Max Wakeup Time

Slave wakes up for 10ms
In this 10 ms 16 frequencies tried
F(i), .. F(i15)
Not one of the scan frequencies
Device sleeps for 10ms
the pager transmits on F(i-15), F(i)
Can take 30ms if it wakes up to F(i)

19
Frequency time uncertainty

Devices may establish connections repeatedly
Use information about device clock from last
connection
Possible drift may have occurred
Clock estimate k
Hop frequency f(k)
In 10 ms sends data at
f(k-8), f(k-7), f(k-6), , f(k), f(k1), ,
f(k8)
Assuming accuracy within 250 ppm
Clock estimate k useful 5hrs after last
connection

20
Finding device id

Send inquiry message to all devices within range
Get back address and clock
32-hop inquiry sequence
For return a random backoff algorithm used

21
Connection Establishment (from paper)
22
Media Access

To Coordinate Competing Requests (for the same
resource)
MAC from Wired Medium Unsuitable
Special Features of Wireless Medium
Hidden Terminals, exposed Terminals, Near/Far
Terminals
Example Carrier Sense Multiple Access with
Collision Detection (CSMA/CD)
send as soon as the medium is free, listen into
the medium if a collision occurs

23
The Hidden Terminal Problem
B
A
C

A sends to B, C cannot receive A
C wants to send to B
If use CSMA/CD
C senses a free medium, thus C sends to A
Collision at B, but A cannot detect the collision
Therefore, A is hidden for C

from Zhang_at_UT 02
24
The Exposed Terminal Problem
B
A
C
D

B sends to A, C wants to send to D
If use CSMA/CD
C senses an in-use medium, thus C waits
But A is outside the radio range of C, therefore
waiting is not necessary
Therefore, C is exposed to B

from Zhang_at_UT 02
25
The Near and Far Terminal Problem
B
A
C

A and B send to C
Friis Law (power decay proportional to distance
square)
B drowns out As signal (at the physical layer),
so C cannot receive A

26
Addressing Contention

Time division multiplexing to prevent
intra-piconet interference

27
Time Division Multiplexing

Alternating master and slave slots
Master slot says which slave goes next
Master polls slaves for slave-initiated
communication

28
Addressing Contention

Time division multiplexing to prevent
intra-piconet interference
Inter-piconet contention?
ack packet at link layer
also accounts for errors

29
Radio Propagation
detection of signal communication impossible
communication
The Friis free space propagation model Pr ? 1/d2
transmitter
d
(receiving power is inverse proportional to the
distance square)
receiver
becomes an interference source, background noise
from Zhang_at_UT02
30
But We Are Not Living in Vacuum
Additional Influences to Signal Propagation
Reflection (on large obstacles)
Scattering (on small obstacles)
Diffraction (at edges)
from Zhang_at_UT02
31
Multi-Path Propagation
Signal can take many different paths between
transmitter and receiver due to reflection,
scattering, and diffraction.
signal at receiver
signal at sender
The physical layer is very complicated.
from Zhang_at_UT02
32
Ack/Nacks

Between receiving and transmission time (200
micro sec)
Must determine if previous or new packet should
be sent
Determine if received message should be
acked/nacked
Determines size of received packet

33
Multiple packet sizes

Can send messages with odd number of slots
Because receiving occurs on an odd slot
Max packet size 5 slots

34
Packet Structure

Type
ID only packet (signalling)
NULL (Link info)
POLL packet
Clock synchronization
Synchronous and Asynchronous packets

Access code identifies master (a la network id)
Address identifies slave (max of 7 slaves)
ARQN (Automatic Repeat Request)
HEC (Header Error Check Code)

35
Guaranteeing Flows

Cordless telephony/headsets have real-time
constraints.
Reserve slots for synchronous traffic

36
Supporting Synchronous and Asynchronous
Communication
37
Power Management

Idle
Before connection established
Scans for 10 ms every 1.28 to 3.84s
Duty cycle 1
Park
Piconet established
Lower duty cycle
Keep resynchronizing clocks periodically
SNIFF
Wake up every N master-to-slave slots
Connected
Transmit when useful data
Absence of response implies NACK
Can send NULL packet for link info
If access code does not match go back to sleeping
Periodic clock synchronization packets

38
Security

Shorter range helps
For each set of devices that must work together
User must generate a secret key
By entering pin at each device
Authentication carried out at connection stage
Must ensure that result of authentication not
stored
Result depends on a random number
Encryption carried out for each message
Should prevent replay of messages
Random number generated at start of connection
Random number and slot used to influence content
of message

39
Authentication

Devices authenticate each other
Claimant sends 48 bit address to verifier
Verifier sends 128 bit random number as challenge
Claimant sends to verifier 32 bit SRES (Secure
Hash Function) based on
Address
Random number
Secret key
Verifier computes its own SRES and compares
Claimant also generates 96 bit cipher offset used
for encryption of messages

40
Security
41
Characteristics
42
Protocol Stack (from paper)
43
Bluetooth vs IEEE 802.11b

Wireless Personal Area Networking
Replaces cables between devices
Short range (lt 10 m)
Low cost
Isochronous
Cordless telephony/headsets
Peer to peer (ad hoc)
One device in multiple networks

Wireless LAN
Replaces Wired LANS
LAN-sized distance
Higher cost acceptable
No flow guarantees
Device to (wired) router backbone to device

44
Infrastructure Mode (from paper)
Wired Access Point
Wireless User Station
45
802.11 Architecture
Distribution System (DS)
AP
AP
Basic Service Set (BSS)
Basic Service Set (BSS)
station
Ethernet addr
Extended Service Set (ESS)
From Zhang_at_02
46
Ad Hoc Mode (from paper)
Wired User Station
Wireless User Station
47
IEEE 802 Protocol Stack
48
Issues

High bandwidth
10MB
Contention
Roaming
Synchronous (time-bound traffic)
Power Management
Security

49
High Bandwidth

Like Bluetooth uses 2.4GHz ISM band
Original 802.11 used frequency hopping and
created 75 1-Mhz sub channels
Max speed 2 Mbps
802.11b divides band into 14 22-Mhz channels
statically assigned to access points
3 of 14 are not overlapping
Adjacent access points use non overlapping
frequencies
5.5 Mbps and 11 Mbps
Direct Sequence Signalling

50
Data Rate Specification (from paper)

Dynamic rate shifting
Data rates adjusted automatically
Done in physical layer

51
Frequency Allocation
Adjacent access points use non overlapping
frequencies
52
Contention

Has near/far/hidden terminal problem
Every packet must be acked at link layer
Piggy backing?
Data rate much lower than wired LAN
Retransmission of large packets an issue
A station can ask access point to reserve channel
Request to Send/Clear to Send (RTS/CTS)
Station sends RTS
Access point sends CTS
All stations hear CTS
Station sends data
Ack of access point heard by everyone

53
802.11 MAC Timeline
RTS
data
src
CTS
ACK
dst
contention window open up again
other
defer access
backoff
From Zhang_at_UT 02
54
802.11 MAC Exceptions

Broadcast/multicast packet
No CTS/RTS
No ACK/NAK

From Zhang_at_UT 02
55
Roaming

Station chooses access point based on
signal strength of beacons
error rates
Asks access point to accept it
Periodically polls access points (probe requests)
Allows movement
Allows load balancing

56
Roaming
Migrating station
57
Time bounded data

Special PCF (Point Coordination Function) mode
Time spliced between PCF and CSMA/CA mode
In PCF mode access point polls each station
Station sends data only when polled
A la Bluetooth
Guarantee delivery to wired LAN
To destination station?

58
Power Management

Continuous aware mode
Radio always on
Power save mode
Periodically wakes up
Listens to beacon signal from access point
Beacon says which stations have data
Time-delay data?
Easier than Bluetooth
No frequency uncertainty
No need to poll for masters

59
Security

Access control
Access point has list of MAC addresses
Asymmetric
Access point always trusted
Data encryption
40-bit shared-key RC4 for data exchange
Access point issues encrypted challenge
Station encrypts response
Encryption an option
Scheme does not really work
Berkeley paper
Higher-level layers can also do security

60
Transmission

Message M
Checksum c(M)
Plaintext P ltM, c(M)gt
Key k
Initialization Vector v
Keystream of Pseudo Random Numbers RC4(v, k)
Ciphertext C P ? RC4(v, k)
Transmit v, C
A ? B v, (P ? RC4(v, k)), where P (ltM, c(M)gt)

61
Message Transmission (from paper)
62
Encryption/Decryption

Message M
Checksum c(M)
Plaintext P ltM, c(M)gt
Key k
Initialization Vector v
Keystream of Pseudo Random Numbers RC4(v, k)
Ciphertext C P ? RC4(v, k)
Transmit v, C
A ? B v, (P ? RC4(v, k)), where P (ltM, c(M)gt)

Key k
Extract v from message
Keystream of Pseudo Random Numbers RC4(v, k)
P C ? RC4(v, k))
(P ? RC4(v, k))) ? RC4(v, k))
P
Extract M, c from P
Check c c(M)

63
Security Goals

Confidentiality prevent eavesdropping
Access control Discard (at the link level)
packets not properly encrypted
Data integrity prevent tampering, hence checksum
Depends on not being able to guess K
40 bit initially
Now 128 bits
None of goals attained!

64
Attacker Technology

Security handled at physical layer
Attacker must be at this layer
Needs equipment
monitoring 2.4GHz frequency
understanding physical layer
transmitting at this frequency (active attacks)
Passive attacks
Off the shelf wavelan cards
Changed driver settings
Active attacks
Firmware needs to be changed
Systems allow upgrade of firmware

65
Keystream Reuse Problem

C1 P1 ? RC4(v, k))
C2 P2 ? RC4(v, k))
C1 ? C2 (P1 ? RC4(v, k)) ? (P2 ? RC4(v, k))
C1 ? C2 (P1 ? P2)
Assume know P1
P2 C1 ? C2 ? P1

66
Knowing Plaintext

P1 Password prompt
P2 actual password
Send known mail to user
Wait for user check mail over wireless
Can search for pairs of P1 and P2
Can narrow search based on length of messages
Can do this for N pairs of successive messages
Can broadcast packet to access point
Access point sends it in both encrypted and
unencrypted form
Not every station required to implement security

67
Keystream Reuse

Moral do not reuse keystream
Per packet v recommended in 802
But may use v that collides with earlier value
How to select vs undefined
Example implementation
Set to 0 on initialization
Incremented each time
Each insertion of card results in initialization
Random v?
24 bit v
Random v will collide in 5000 packets

68
Key Management

In practice all users in network have same key
assigned by administrator
Must trust all users
Network admin can configure key themselves
Can be reverse engineered

69
Message Modification

Reason checksum is a linear function of message
CRC Checksum distributes over XOR
c (x ? y) c (x) ? c(y)
Assume we have intercepted cypthertext
A ? (B) ltv, C)
We can replace C with an encryption C of M ? ?,
where M is original message
(A) ? B ltv, Cgt
Obtaining C
C C ? lt?, c(?)gt
RC4(v,k) ? ltM, c(M)gt ? lt?, c(?)gt
RC4(v,k) ? ltM ? ?, c(M) ? c(?)gt
RC4(v,k) ? ltM, c(M? ?)gt
RC4(v,k) ? ltM, c(M)gt
E.g. to flip bit of M, ? 100000

70
Message Injection

Reason checksum is an un keyed function of
message
Assuming adversary has plaintext P
Can recover key stream from corresponding C
P ? C P ? (P ? RC4(v,k)) RC4(v,k)
Can now inject message M
(A) ? B ltv, C)
C (M, c(M)gt ? RC4(v,k)
WEP allows reuse of keys, being conservative in
what you send and liberal in what you accept
No reuse of keys, or
Keyed message authentication code (SHA1-HMAC)

71
Authentication Spoofing

Authentication
Mobile station requests authentication
Access point sends it a challenge in clear text
Mobile sends back encryption of challenge
Attacker monitors this P,C pair
Derives key stream
Now uses this for the next challenge
All challenges are of same length

72
Message Decryption

Sniff a packet off the air
Change the destination address to host controlled
by adversary
Access point will decrypt it and send to that
address
Changing destination address involved
Problem with link-level encryption
Or put wireless network outside the firewall

73
Sensor Networking

Physical networking layer of Dust Mote?
Constraints
Small size
1 cubic mm
Low power
Solar power
1 joule storage in battery
10 micro watts if used in one day

74
RF vs. Optical

Radio Frequency
Small size ? small antennas ? short wavelength ?
high power consumption
Radio transceivers are complex
Modulation/de-modulation
Active bandpass filters
Multiplexing (time, frequency)

Optical
Much shorter wavelength ? narrower beam ? small
size ?
Space division multiplexing
Different sensors can send beams to different
regions of base station transceivers
Simple baseband analog circuitry
No modulation, filters
Passive optical transmission possible
Line of sight
Small size ? less obstruction

75
Space Division Multiplexing

Example
Base station viewing 17m X 17m sensor area
High-speed video camera 256pixel X 256pixel
imaging array
Each pixel views 6.6 cm square area
1700/256 6.6
Required sensor separation size of pack of
cigarettes
Can use TDMA for closely packed sensors

76
Passive Optical Transmission

Corner cube retro-reflector
Three mutually perpendicular mirrors
Incident ray of light reflected back to source
Restricted to range of angle around diagonal
Misaligned mirror ? no retro-reflection
Used to modulate incident light
Electrostatic deflection
Kilohertz rate

77
Implementation

Micro fabricated CCR
1 Kbps
150 m range
5-milliwatt illuminating laser

78
Base Station- Sensor Interaction
79
Transmitter/receiver relationship

BTS Interrogating beam angular spread should be
matched to field of view of imaging receiver
Does not make sense to interrogate sensor from
which it cannot receive and vice versa
Unless aiming at parts of sensor
Interrogating beam and imaging receiver aimed
(like a binocular) together as a unit
But passive transmitter can only receive light
incident within a narrow angle
Small size sensor cannot employ (imaging/non
imaging) optical transmitter in front of
photodetector
Receiver is omni directional
Asymmetric situation!
Make sure sensor does not try to answer queries
that cannot be received.