Wireless Technologies - PowerPoint PPT Presentation

1
Wireless Technologies
  • Ashok K. Agrawala
  • December 16, 2002

2
Today
  • Wireless Traffic Characterization/Sniffing
  • AP Monitoring
  • SIM-based Wireless Security
  • Sensor Networks/Adhoc Networking
  • RSSI based Location Determination

3
Wireless Traffic Characterization
4
Understanding Wireless Traffic Characteristics
  • University UMDnet
  • >1000 APs
  • >300 now
  • Large User population
  • Monitoring
  • Wired Net
  • AP
  • Over the Air (Sniffing)

5
Wireless Traffic Monitoring
  • Easy to set up: no interaction with existing
    infrastructure
  • Provide local and global status of network nodes
    at the same time
  • Provide good traces of 802.11 link-level
    operations

7
Captured Information
  • Physical layer (Prism2 monitor header)
  • RSSI (Received Signal Strength Indication), SQ
    (Signal Quality), signal strength and noise (in
    dBm)
  • 802.11 Link layer
  • Protocol version, frame type (management, control
    and data), Duration for NAV (Network Allocation
    Vector) calculation, BSS Id, source and
    destination address, fragment, sequence numbers
  • TCP/IP, application layer info also available

8
802.11 Basic Architecture
[Diagram labels: Access Points on Channel-6 and Channel-1, Ethernet LAN, WAN, DS (Distribution System)]
9
Sniffing Each Access Point
[Diagram labels: Access Points on Channel-6 and Channel-1, Ch. 6 Sniffer, Ch. 1 Sniffer, Ethernet LAN, WAN, DS (Distribution System)]
10
Wireless Monitoring: Hidden Terminal Problem,
Losses
  • Hidden Terminal Problem
  • Difficult for sniffers to detect all the wireless
    stations.
  • Various losses are observed in sniffers
  • Frame loss
  • AP loss: Some APs are not correctly detected by
    some cards.
  • Type loss: Control/Management types are not
    correctly detected by some cards.
  • Loss variability
  • Due to signal strength variability and card
    variability

11
Sniffing n APs with m sniffers
[Diagram labels: two Access Points on Channel-6, Hidden Terminals, Ch. 6 Sniffer, Ethernet LAN, WAN, DS (Distribution System)]
12
Challenges of Wireless Monitoring: Placement of
Sniffers
  • Proper placement of sniffers can improve terminal
    detection ability and reduce various losses in
    sniffers.
  • Where to place sniffers?
  • Too close to APs incurs signal saturation.
  • Too far from APs causes hidden terminals.
  • How many sniffers to place?

13
Study to date
  • Extensive passive observations on loss and loss
    variability
  • Observed hidden terminal problems
  • Observed frame loss, AP loss and Type loss
  • Observed loss varies from 0 to 100%
  • Active end-to-end delay experiment
  • Causes of end-to-end delay in wireless network

14
Methodology
  • Location: A.V. Williams Bldg, UMD.
  • 3 different WLANs (umd, cswireless, nist)
  • 58 Access Points: 29 Cisco (umd), 12 Lucent
    (cswireless), 17 Prism2-based (nist)
  • Sniffers
  • Linux OS 2.4.19
  • Wireless card driver: orinoco_cs
  • Capturing tool: libpcap 0.7, ethereal 0.9.6
  • Wireless cards used: Lucent Orinoco, Linksys,
    D-Link etc.

15
Passive Observations: Hidden Terminals and Losses
  • Hidden terminals vary depending on cards used in
    sniffers and sniffer locations.
  • Loss in sniffers
  • Frame losses are calculated from 802.11 sequence
    numbers.
  • From-AP and To-AP losses are noted
    separately.
  • Findings
  • More To-AP losses are observed than From-AP.
  • Most To-AP losses are caused by a small number
    of wireless stations.
  • Linksys cards cannot detect some APs correctly.
  • Lucent cards cannot detect ACK/RTS/CTS frames.
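
The sequence-number loss calculation described on this slide can be sketched as follows. This is an added example, not the presenters' tool: the capture records, MAC addresses and function names are constructed for illustration, and it assumes one 12-bit sequence counter per transmitter.

```python
from collections import defaultdict

SEQ_MOD = 4096           # 802.11 sequence numbers are 12 bits wide
MAX_GAP = SEQ_MOD // 2   # bigger jumps are treated as reordering, not loss

# Constructed sample capture: (transmitter MAC, direction, sequence number).
AP, STA_A, STA_B = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
CAPTURE = [
    (AP, "from_ap", 4093), (STA_A, "to_ap", 10), (AP, "from_ap", 4094),
    (STA_B, "to_ap", 100), (AP, "from_ap", 4095), (STA_A, "to_ap", 11),
    (AP, "from_ap", 0),    (STA_A, "to_ap", 11),  # retransmission
    (STA_B, "to_ap", 103), (AP, "from_ap", 1), (STA_A, "to_ap", 12),
    (STA_B, "to_ap", 110), (AP, "from_ap", 2), (STA_B, "to_ap", 111),
]

def frame_loss(records):
    """Return {direction: {mac: (seen, missed)}} inferred from sequence gaps."""
    last = {}
    stats = defaultdict(dict)
    for mac, direction, seq in records:
        seen, missed = stats[direction].get(mac, (0, 0))
        prev = last.get((mac, direction))
        gap = 1 if prev is None else (seq - prev) % SEQ_MOD
        if gap == 0 or gap > MAX_GAP:
            continue     # retransmission, or a late frame: neither is a new loss
        stats[direction][mac] = (seen + 1, missed + gap - 1)
        last[(mac, direction)] = seq
    return dict(stats)

def loss_percent(stats, direction):
    """Aggregate loss for one direction: missed / (seen + missed)."""
    seen = sum(s for s, _ in stats[direction].values())
    missed = sum(m for _, m in stats[direction].values())
    return 100.0 * missed / (seen + missed) if seen + missed else 0.0

def worst_stations(stats, direction, top=1):
    """Stations contributing the most missed frames in one direction."""
    ranked = sorted(stats[direction].items(), key=lambda kv: kv[1][1], reverse=True)
    return [mac for mac, _ in ranked[:top]]

if __name__ == "__main__":
    s = frame_loss(CAPTURE)
    for d in ("from_ap", "to_ap"):
        print(d, s[d], f"{loss_percent(s, d):.1f}%", worst_stations(s, d))
```

The AP's counter wraps from 4095 to 0 without being counted as loss, and the repeated sequence number from one station is skipped as a retransmission. QoS data frames, which postdate this deck, keep separate counters per traffic class and would need the key extended accordingly.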

16
Passive Sniffing on Ch. 11 with 6 Sniffers (4th
floor, A.V. Williams Bldg)
Hidden terminals are observed by 6 sniffers.
Detected sets of wireless stations vary depending
on sniffer locations and the cards used.
[Floor-plan figure. Legend: APs (umd, cswireless, nist); sniffers L, S, Z (ZoomAir, Lucent, LinkSys); sniffer labels L1, L2, L3, S3, Z1, Z2; channel labels Ch.1, Ch.11.]
18
Hidden terminals are observed by 6 sniffers.
Detected set of wireless stations varies
depending on sniffer locations and the cards used.
Frame losses calculated by sequence numbers.
To-AP frame loss is more than From-AP loss.
Majority of losses are caused by a small number
of clients.
19
Linksys and Lucent sniffers are set to Ch. 11.
Linksys sniffer has AP losses on AP3 and AP7.
Linksys detects AP2, whose channel is 6.
20
Lucent shows Type loss on control frames (ACK,
RTS, CTS and Power-Save).
21
Passive Observation: Loss Variability
  • Findings
  • Frame loss varies up to 100% during 4-day passive
    experiments
  • To-AP shows more loss variability than
    From-AP
  • Card/AP compatibility may affect AP loss
    variability.

22
Figure 1. Loss percentage varies from 0 to 100
during 4-day experiment. To-AP loss shows more
variability than From-AP loss.
23
Frame loss varies with the card and the
associated AP. All the traffic is measured in
the same experiment. Card variability affects
frame loss.
24
Diagnosis on End-to-end Delay
  • Active experiment set-up
  • Use NetDyn on wireless network
  • Source, echo and sink timestamps are available
  • Source and sink machines are the same
  • Sniffers are in between source (sink) and AP
  • Objective: infer the causes of high RTT
    end-to-end delays, using the sniffer traces.

25
NetDyn
NetDyn Tool
Fine-grained RTT measurements
Expose fine-grain characteristics of Networks
26
[Figure: NetDyn Packet Loss (Average), Ch.11. Legend: avg loss of both F/B paths < 3%; avg loss of both F/B paths > 10%. Marked positions: Problem case 1, Problem case 2.]
27
Effect of Weak Signal Strength
  • Problem Case 1: RTT (round-trip time) delay of 1
    second and 57% packet loss.
  • Weak signal strength causes retransmissions
    between source and the AP.
  • Delays occur in the sending buffer in source.

28
High RTT delays up to 0.8 seconds and 57% packet
loss.
29
Source, echo, sink timestamps (by NetDyn),
From-AP, To-AP timestamps (by sniffers). Delays
exist between source and echo every 0.5 second
periodically. No high delays exist on wireless
path.
30
Signal strength is consistently low, which incurs
many retransmissions between source and the AP.
31
Effect of Signal Strength and Card Variability
  • Problem Case 2: RTT delay of 2.2 seconds and 75%
    packet loss.
  • Signal strength variability makes the AP shift
    the sending data rate (at 11/5.5/2 Mbps
    adaptively).
  • Source wireless card fails to receive traffic at
    lower data rates (due to card implementation
    variability).
  • Delays occur on wireless From-AP path due to
    many retransmissions at lower data rates.

32
High RTT delays up to 2.3 seconds and 75% packet
loss.
33
Source, echo, sink timestamps. Delays exist
between echo and sink.
34
To-AP/From-AP traffic is captured by the
sniffers. Delays may reside on wired echo-AP path
or wireless AP-sink path.
35
RTS/CTS data rates captured by sniffers. AP tries
to synchronize its data rate with source
consistently.
36
AP varies data rates at 11, 5.5 and 2 Mbps
(From-AP data rate, graph on top). But the source
cannot synchronize with the AP and sends/receives
packets only at 11 Mbps (To-AP data rate, graph at
bottom).
37
High variability in signal strength is observed
by sniffers, which causes AP to shift data rate
adaptively.
38
Where are we?
  • Sniffing in wireless environment is much more
    difficult than we thought
  • Using multiple sniffers we can get a good
    estimate of wireless traffic

39
Access Point Monitor (APM)
  • Kevin Kamel
  • Jaime Lafleur-Vetter

40
Why APM?
  • Currently Available AP Monitoring Tools
  • Provided By The Manufacturer
  • Closed source
  • Unsupported
  • Functionality
  • Limited feature set
  • Not extendable
  • Difficult to use
  • More robust solution needed

41
Introducing APM
  • AP Platform
  • Soekris NET4521 Board
  • 486 133 MHz AMD (x86)
  • 64MB onboard RAM
  • 64MB compact flash
  • Prism2 PCMCIA card
  • In Host AP mode
  • External Antenna
  • RJ-45 Port for LAN/WAN connectivity
  • Operating System
  • Customized OpenBSD 3.2

42
APM (Continued)
  • AP Patch
  • Extends open source AP software
  • Sends event messages to kernel device
  • System daemon
  • Reads and broadcasts events over the wire.
  • Listens for Admin requests
  • Sets daemon and AP configuration settings
  • Monitor Client
  • .NET Windows GUI
  • Listens for broadcasted events from the AP
  • Displays event information graphically
  • Sends configuration information

43
Current Features
  • Multiple simultaneous monitor applications that
    can see multiple APs.
  • Station Monitoring
  • Current state (i.e. Auth, Assoc)
  • Event history
  • AP Diagnostics
  • Interface counters
  • Logger

44
Feature Walkthrough: Initialized View
45
Feature Walkthrough: Initialized Statistics
46
Feature Walkthrough: Clients Are Logged In
47
Feature Walkthrough: Client Disassociates
48
Feature Walkthrough: Client times out
49
Feature Walkthrough: AP Interface Statistics
50
Features Under Development
  • Administrative Control
  • Settings: TX Rate, SSID, MTU, Channel, MAC
  • Control: Shutdown, Restart
  • Access: Wireless client ACL support
  • On Board Packet Monitoring
  • Obsoletes traditional wireless packet capture
  • Traffic log
  • User Friendly Addressing
  • Alias MAC addresses

51
SIM-based Wireless Security
  • KoolSpan Approach

52
WiFi Problems
Authentication
Security
  • Three main problems
  • Authentication: who are you?
  • Security: is my data transmission safe?
  • Roaming: inter-network roaming?
  • Other Problems
  • Is it a pain to set up and keep running?
  • What about all the new wireless things I read
    about?

53
What really is the problem everyone is trying to
solve?
  1. Wired networks are safe!
  2. No major issues with authentication, encryption.
  3. Existing vendors provide support for the
    Enterprise
  4. We're happy with what we have!

54
Now we add wireless
  1. Our network is exposed!
  2. Our data is no longer secure!
  3. How do we separate our users from the hackers?

55
The Real Problem
  1. We need to screen users at the Access Point
  2. We need to make sure nobody other than legitimate
    users get onto the wired network
  3. We need to guarantee data sent across the
    WIRELESS segment is safe

The point is the problem exists ONLY between the
AP and the client
56
Koolspan Solution: A simple, cost-effective
solution
  • Solution
  • Provide a lock at the Access Point
  • Provide a network access KEY for the client
  • Result
  • Nobody gets past Access Point without a valid key

57
How do we do this? Simply and cost-effectively
  • Padlock
  • USB, Serial or Ethernet-based adapter that
    secures the Access Point (can only be unlocked
    with a valid client network key)
  • Key Ring
  • USB adapter that can hold keys to numerous
    networks

58
Koolspan IQ Key
Physical Identification Adapter
  • SIM Chip
  • Tamper Resistant Physical Token
  • Secure Token
  • On-Chip Crypto Engine
  • 2,048 bit keys possible
  • Cryptoflex processor uses DES, Triple-DES and RSA
    algorithms
  • Can rotate WEP keys fast enough to make WEP
    secure AS IS!
  • Provides
  • complete authentication
  • security
  • secure storage
  • automatic connections

59
SmartWiFi
  • Plug It In: You're Connected
  • Solves security problem
  • Solves authentication problem
  • Automatic Network Connection
  • Advantages
  • No new servers, no new headaches
  • No scalability issues
  • Works equally well at home and in the enterprise
  • Best of all: Makes Wi-Fi easy to use!

60
How does it work?
Bi-directional Authentication
  1. Client SIM generates random number R1 and
    encrypts it with its secret Key (NK_UIDs)
  2. Client SIM sends client serial number and
    encrypted R1 to AP (Packet 1)
  3. AP SIM uses Client SIM Serial Number to look up
    Client SIM's secret key.
  4. AP SIM decrypts R1 using client's secret key
  5. AP now generates R2 and encrypts it with Client's
    secret key
  6. AP sends Packet 2 back to Client.
  7. Client SIM decrypts R2 from AP with its secret
    key
  8. Both AP and Client now use R1 and R2 to generate
    new 256-bit Session Key used for all further AES
    transmissions.

[Diagram labels: Client NIC, SIM, Wi-Fi, (2) R1e, (6) R2e]
Secret Network Key pre-stored in SIM at Access
Point and users' PCs
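
The two-packet exchange in steps 1 to 8, with both sides' messages, as an added example that is not KoolSpan code. Assumptions: the slide names neither the cipher used for R1/R2 nor how they are combined, so a 4-round Feistel block cipher built on HMAC-SHA256 stands in for the SIM's cipher and SHA-256(R1 || R2) stands in for the session-key derivation; all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def _f(key, i, half):    # Feistel round function: HMAC-SHA256 cut to 16 bytes
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:16]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    """Stand-in 32-byte block cipher (4-round Feistel), NOT the SIM's cipher."""
    left, right = block[:16], block[16:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt(key, block):
    left, right = block[:16], block[16:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def session_key(r1, r2):
    # Assumption: the slide does not say how R1 and R2 are combined.
    return hashlib.sha256(r1 + r2).digest()            # 256 bits

class Client:
    def __init__(self, serial, key):
        self.serial, self.key = serial, key            # key lives in client SIM
    def packet1(self):                                 # steps 1-2
        self.r1 = secrets.token_bytes(32)
        return self.serial, encrypt(self.key, self.r1)
    def on_packet2(self, r2e):                         # steps 7-8
        return session_key(self.r1, decrypt(self.key, r2e))

class AccessPoint:
    def __init__(self, keys_by_serial):
        self.keys = keys_by_serial                     # held in the AP SIM
    def on_packet1(self, serial, r1e):                 # steps 3-6
        key = self.keys.get(serial)
        if key is None:
            return None, None                          # unknown serial: no reply
        r1, r2 = decrypt(key, r1e), secrets.token_bytes(32)
        return encrypt(key, r2), session_key(r1, r2)

def handshake(client, ap):
    """Run both packets; return (client session key, AP session key)."""
    r2e, ap_key = ap.on_packet1(*client.packet1())
    return (None, None) if r2e is None else (client.on_packet2(r2e), ap_key)
```

As the steps are written, neither packet carries a check value, so a mismatch in secret keys only shows up as differing session keys once traffic is protected with them; `handshake` returns both keys so that can be compared.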
61
Benefits
  • Very simple solution
  • No Wi-Fi settings necessary
  • Only two packets are exchanged resulting in
    bi-directional authentication
  • No online server involved
  • Very fast authentication (only 2 packets
    exchanged, no remote server)
  • No issues of scale
  • Authentication takes place at edge of the
    network.
  • Secret Keys pre-stored in SIMs at both ends NEVER
    leave the SIM, therefore never exposed.
  • Software impact on AP is minimal, easy retrofit
  • SIM token carries user credentials in convenient
    portable device

Secret Network Key pre-stored in SIM at Access
Point and users' PCs
62
Koolspan 802.11 Technology
  • makes Wi-Fi easy
  • solves Wi-Fi security problems
  • market flexibility
  • provides frictionless portability


63
Adhoc Networking: Energy-Efficient Sensor Networks
  • Energy is a constrained resource for wireless
    environments
  • Objective: Compute a low energy end-to-end path
    for reliable communication in multi-hop wireless
    networks
  • Technique: Avoid links with high error rates or
    large distance
  • Studied effects of node mobility and wireless
    noise

64
Representative Results
  • Grid topology of 49 nodes
  • 4 traffic sources
  • Between corner nodes
  • UDP and TCP sources

65
Representative Results: Grid Topology
[Plots: Energy, Throughput]
  • UDP flows, fixed noise
  • Proposed scheme performs better than existing
    techniques

66
Results Summary
  • Significant improvement in energy costs and
    throughput if link characteristics are modeled in
    computing paths
  • Link properties affected by mobility
  • Better models needed for link dynamics under
    mobility

67
Localization Technologies
  • Based on Signal Intensity
  • The intensity of the signal from access points is
    used to determine location.
  • Our current results give location to within about
    5-8 feet.
  • Based on Arrival Time
  • PinPoint Technology requires the time-stamping of
    the arriving signals with accuracy of 1 ns (in
    order to achieve an accuracy of 30 cm in
    location).
  • Current commercial hardware does not support this
    function or accuracy. We are currently
    developing hardware which will achieve this.

68
Signal Strength-based Localization
Localization based on signal strength is a hard
problem due to spatial and temporal variability
of the signal
69
Horus
  • At a location X measure distribution of S(X)
  • Sampling Interval
  • Correlation function
  • Can we eliminate correlation?
  • Density function
  • Radio Map
  • How many locations?
  • Interpolation Function

70
Signal Strength Characteristics
71
Horus Radio Map and Estimation
  • To address noise characteristics
  • Radio map stores signal-strength distributions
    from K strongest access points
  • (instead of scalar mean/maximum)
  • To address scalability and cost of estimation
  • Clustering techniques for radio map locations
  • incremental clustering
  • joint clustering
  • Outperforms other RF signal strength techniques
  • significantly better accuracy
  • efficient enough to be implemented on PDAs

72
Temporal Variations: Correlation
73
Spatial Variations: Large-Scale
74
Spatial Variations: Small-Scale
75
Sampling Process
  • Active scanning
  • Send a probe request
  • Receive a probe response
  • Sample

76
Handling Correlation: Averaging
77
Gaussian Approximation
  • Approximate signal strength histograms using
    Gaussian distribution
  • Saves space
  • Smoothes histograms
  • Analytically tractable
  • Comparable accuracy

79
Gaussian Approximation
80
AVW Results
81
FLA-Mind Ekahau vs Horus
82
FLA-Mind Ekahau vs Horus (cont)
Ekahau
Horus
83
Questions??