802.11 Wireless Networks: The Definitive Guide, Second Edition [2 ed.] 9780596100520, 0596100523

Citation preview

802.11® Wireless Networks The Definitive Guide By Matthew Gast ............................................... Publisher: O' Re illy Pub Dat e: Apr il 2 0 0 5 I SBN: 0 - 5 9 6 - 1 0 0 5 2 - 3 Pages: 6 5 6

Table of Cont ent s | I ndex

As we all know by now, wireless net works offer m any advant ages over fixed ( or wired) net works. Forem ost on t hat list is m obilit y, since going wireless frees you from t he t et her of an Et hernet cable at a desk. But t hat 's j ust t he t ip of t he cable- free iceberg. Wireless net works are also m ore flexible, fast er and easier for you t o use, and m ore affordable t o deploy and m aint ain. The de fact o st andard for wireless net working is t he 802.11 prot ocol, which includes Wi- Fi ( t he wireless st andard known as 802.11b) and it s fast er cousin, 802.11g. Wit h easy- t o- inst all 802.11 net work hardware available everywhere you t urn, t he choice seem s sim ple, and m any people dive int o wireless com put ing wit h less t hought and planning t han t hey'd give t o a wired net work. But it 's wise t o be fam iliar wit h bot h t he capabilit ies and risks associat ed wit h t he 802.11 prot ocols. And 802.11 Wireless Net works: The Definit ive Guide, 2nd Edit ion is t he perfect place t o st art . This updat ed edit ion covers everyt hing you'll ever need t o know about wireless t echnology. Designed wit h t he syst em adm inist rat or or serious hom e user in m ind, it 's a no- nonsense guide for set t ing up 802.11 on Windows and Linux. Am ong t he wide range of t opics covered are discussions on:

deploym ent considerat ions net work m onit oring and perform ance t uning wireless securit y issues how t o use and select access point s net work m onit oring essent ials wireless card configurat ion securit y issues unique t o wireless net works

Wit h wireless t echnology, t he advant ages t o it s users are indeed plent iful. Com panies no longer have t o deal wit h t he hassle and expense of wiring buildings, and households wit h several com put ers can avoid fight s over who's online. And now, wit h 802.11 Wireless Net works: The Definit ive Guide, 2nd Edit ion, you can int egrat e wireless t echnology int o your current infrast ruct ure wit h t he ut m ost confidence.

802.11® Wireless Networks The Definitive Guide By Matthew Gast ............................................... Publisher: O' Re illy Pub Dat e: Apr il 2 0 0 5 I SBN: 0 - 5 9 6 - 1 0 0 5 2 - 3 Pages: 6 5 6

Table of Cont ent s | I ndex

Copyright Foreword Preface Prometheus Untethered: The Possibilities of Wireless LANs Audience Overture for Book in Black and White, Opus 2 Conventions Used in This Book How to Contact Us Safari Enabled Acknowledgments Chapter 1. Introduction to Wireless Networking Why Wireless? What Makes Wireless Networks Different A Network by Any Other Name... Chapter 2. Overview of 802.11 Networks IEEE 802 Network Technology Family Tree 802.11 Nomenclature and Design 802.11 Network Operations Mobility Support Chapter 3. 802.11 MAC Fundamentals Challenges for the MAC MAC Access Modes and Timing Contention-Based Access Using the DCF Fragmentation and Reassembly Frame Format Encapsulation of Higher-Layer Protocols Within 802.11 Contention-Based Data Service Frame Processing and Bridging Chapter 4. 802.11 Framing in Detail Data Frames Control Frames Management Frames Frame Transmission and Association and Authentication States Chapter 5. Wired Equivalent Privacy (WEP) Cryptographic Background to WEP WEP Cryptographic Operations Problems with WEP

Dynamic WEP Chapter 6. User Authentication with 802.1X The Extensible Authentication Protocol EAP Methods 802.1X: Network Port Authentication 802.1X on Wireless LANs Chapter 7. 802.11i: Robust Security Networks, TKIP, and CCMP The Temporal Key Integrity Protocol (TKIP) Counter Mode with CBC-MAC (CCMP) Robust Security Network (RSN) Operations Chapter 8. Management Operations Management Architecture Scanning Authentication Preauthentication Association Power Conservation Timer Synchronization Spectrum Management Chapter 9. Contention-Free Service with the PCF Contention-Free Access Using the PCF Detailed PCF Framing Power Management and the PCF Chapter 10. Physical Layer Overview Physical-Layer Architecture The Radio Link RF Propagation with 802.11 RF Engineering for 802.11 Chapter 11. The Frequency-Hopping (FH) PHY Frequency-Hopping Transmission Gaussian Frequency Shift Keying (GFSK) FH PHY Convergence Procedure (PLCP) Frequency-Hopping PMD Sublayer Characteristics of the FH PHY Chapter 12. The Direct Sequence PHYs: DSSS and HR/DSSS (802.11b) Direct Sequence Transmission Differential Phase Shift Keying (DPSK) The "Original" Direct Sequence PHY Complementary Code Keying High Rate Direct Sequence PHY Chapter 13. 802.11a and 802.11j: 5-GHz OFDM PHY Orthogonal Frequency Division Multiplexing (OFDM) OFDM as Applied by 802.11a OFDM PLCP OFDM PMD Characteristics of the OFDM PHY Chapter 14. 802.11g: The Extended-Rate PHY (ERP) 802.11g Components ERP Physical Layer Convergence (PLCP) ERP Physical Medium Dependent (PMD) Layer

Chapter 15. A Peek Ahead at 802.11n: MIMO-OFDM Common Features WWiSE TGnSync Comparison and Conclusions Chapter 16. 802.11 Hardware General Structure of an 802.11 Interface Implementation-Specific Behavior Reading the Specification Sheet Chapter 17. Using 802.11 on Windows Windows XP Windows 2000 Windows Computer Authentication Chapter 18. 802.11 on the Macintosh The AirPort Extreme Card 802.1X on the AirPort Chapter 19. Using 802.11 on Linux PCMCIA Support on Linux Linux Wireless Extensions and Tools Agere (Lucent) Orinoco Atheros-Based cards and MADwifi 802.1X on Linux with xsupplicant Chapter 20. Using 802.11 Access Points General Functions of an Access Point Power over Ethernet (PoE) Selecting Access Points Cisco 1200 Access Point Apple AirPort Chapter 21. Logical Wireless Network Architecture Evaluating a Logical Architecture Topology Examples Choosing Your Logical Architecture Chapter 22. Security Architecture Security Definition and Analysis Authentication and Access Control Ensuring Secrecy Through Encryption Selecting Security Protocols Rogue Access Points Chapter 23. Site Planning and Project Management Project Planning and Requirements Network Requirements Physical Layer Selection and Design Planning Access-Point Placement Using Antennas to Tailor Coverage Chapter 24. 802.11 Network Analysis Network Analyzers Ethereal 802.11 Network Analysis Checklist Other Tools Chapter 25. 802.11 Performance Tuning

802.11 Performance Calculations Improving Performance Tunable 802.11 Parameters Chapter 26. Conclusions and Predictions Standards Work Current Trends in Wireless Networking The End glossary About the Author Colophon Index

8 0 2 .1 1 ® W ir e le ss N e t w or k s: Th e D e fin it ive Gu ide , Se con d Edit ion by Mat t hew S. Gast Copyright © 2005 Mat t hew S. Gast . All right s reserved. Print ed in t he Unit ed St at es of Am erica. Published by O'Reilly Media, I nc., 1005 Gravenst ein Highway Nort h, Sebast opol, CA 95472. O'Reilly books m ay be purchased for educat ional, business, or sales prom ot ional use. Online edit ions are also available for m ost t it les ( safari.oreilly.com ) . For m ore inform at ion, cont act our corporat e/ inst it ut ional sales depart m ent : ( 800) 998- 9938 or corporat [email protected] . Edit or :

Mike Loukides

Pr odu ct ion Edit or :

Colleen Gorm an

Cove r D e sign e r :

Ellie Volckhausen

I n t e r ior D e sign e r :

David Fut at o

Pr in t in g H ist or y: April 2002:

First Edit ion.

April 2005:

Second Edit ion.

Nut shell Handbook, t he Nut shell Handbook logo, and t he O'Reilly logo are regist ered t radem arks of O'Reilly Media, I nc. 802.11® Wireless Net works: The Definit ive Guide, Second Edit ion, t he im age of a horseshoe bat , and relat ed t rade dress are t radem arks of O'Reilly Media, I nc. 802.11® and all 802.11- based t radem arks and logos are t radem arks or regist ered t radem arks of I EEE, I nc. in t he Unit ed St at es and ot her count ries. O'Reilly Media, I nc. is independent of I EEE. Many of t he designat ions used by m anufact urers and sellers t o dist inguish t heir product s are claim ed as t radem arks. Where t hose designat ions appear in t his book, and O'Reilly Media, I nc. was aware of a t radem ark claim , t he designat ions have been print ed in caps or init ial caps. While every precaut ion has been t aken in t he preparat ion of t his book, t he publisher and aut hor assum e no responsibilit y for errors or om issions, or for dam ages result ing from t he use of t he inform at ion cont ained herein. I SBN: 0- 596- 10052- 3 [ M]

Foreword Mat t hew Gast was m y m ent or long before I m et him . I began report ing on wireless dat a net working in Oct ober 2000 when I discovered t hat Apple's claim s for it s 802.11b- based AirPort Base St at ion were act ually t rue. I 'd been burned wit h anot her form of wireless net working t hat used infrared, and had spent m any fruit less hours using ot her " int erest ing" net working t echnologies t hat led t o dead ends. I figured 802.11b was j ust anot her one. Was I glad I was wrong! This discovery t ook m e down a pat h t hat led, inexorably, t o t he first edit ion of 802.11 Wireless Net works. How did t his st uff act ually work as advert ised? I knew plent y about t he I SO m odel, TCP/ I P, and Et hernet fram es, but I couldn't reconcile a m edium in which all part ies t alked in t he sam e space wit h what I knew about Et hernet 's m et hods of coping wit h shared cont ent ion. Mat t hew t aught m e t hrough words and figures t hat I didn't originally underst and, but ret urned t o again and again as I descended furt her int o t echnical det ail in m y at t em pt s t o explain Wi- Fi t o a broader and broader audience t hrough art icles in The New York Tim es, The Seat t le Tim es, PC World, and m y own Wi- Fi Net working News ( ht t p: / / www.wifinet news.com ) sit e over t he last five years. I st art ing learning acronym s from 802.11 Wireless Net works and used Mat t hew's book t o go beyond expanding WDS int o Wireless Dist ribut ion Syst em int o underst anding precisely how t wo access point s could exchange dat a wit h each ot her t hrough a built - in 802.11 m echanism t hat allowed four part ies t o a packet 's t ransit . Now as t im e went by and t he 802.11 fam ily grew and becam e baroque, t he first edit ion of t his t it le st art ed feeling a lit t le out of dat ealt hough it rem ained surprising how m any " new" innovat ions were firm ly root ed in developm ent s of t he early t o m id- 1990s. The alphabet soup of t he first edit ion was gruel com pared t o t he m ulligat awny of 2005. Mat t hew filled t he gap bet ween t he book and cont em porary wireless realit y t hrough his ongoing writ ing at O'Reilly's Wireless DevCent er, which I read avidly. And som ewhere in t here I was int roduced t o Mat t hew at a Wi- Fi Planet conference. We hit it off im m ediat ely: I st art ed pest ering him for det ails about 802.1X, if I rem em ber correct ly, and he want ed t o t alk about books and business. ( I wound up writ ing t wo edit ions of a general m arket Wi- Fi book, neit her of which did nearly as well as Mat t hew's ext raordinarily t echnical one.) Since t hen, I have been in t he rare and privileged posit ion t o be t he recipient of Mat t hew's generosit y wit h his knowledge and hum ble insight . Mat t hew isn't one who assum es; he researches. His nat ural curiosit y com pels him t o dig unt il he get s an answer t hat 's t echnically and logically consist ent . Take, for inst ance, t he incredibly polit ical and com plicat ed evolut ion of t he 802.1X st andard. ( I know, from Mat t hew, t hat it 's properly capit alized since it 's a freest anding st andard not reliant on ot her specificat ions. Even t he I EEE m akes t his m ist ake, and it 's t heir rule for capit alizat ion t hat we're bot h following.) 802.1X is sim ple enough in it s use of t he Ext ensible Aut hent icat ion Prot ocol, a generic m et hod of passing m essages am ong part ies t o aut hent icat ion. But t he ways in which EAP is secured are, quit e frankly, insanereflect ing Microsoft and Cisco's parallel but conflict ing at t em pt s t o cont rol support of legacy prot ocols in a way t hat only dam ages easy access t o it s higher level of securit y. Mat t hew eschewed t he religious debat e and spelled out t he various m et hods, difficult ies, and

int eroperabilit y issues in an O'Reilly Net work art icle t hat 's t he nugget of t he expanded coverage in t his book. I defy any reader t o find as cogent and exhaust ive an explanat ion before t his book was published. There's not hing as clear, com prehensive, and unaffect ed by m arket polit ics. At t im es, Mat t hew bem oaned t he delays t hat led t o t he gap bet ween edit ions of t his book, due part ly t o his j oining a st art up wireless LAN swit ch com pany, but I t hink readers are bet t er served t hrough his very hard- won, lat e- night , long- hours knowledge. Mat t hew's relat ionship wit h 802.11 m ight have previously been considered t hat of a handy m an who knew his way around t he infrast ruct ure of his house. I f a t oilet was running, he could replace a valve. I f t he living room needed new out let s, he could research t he process and wire t hem in. But Mat t hew's new j ob t ook him allegorically from a weekend household warrior t o a j ack- of- allt radesm an. Mat t hew can t ear out t hose inner walls, refram e, plum b, and wire t hem , all t he while bit ching about t he local building code. I t 's been a pleasure knowing Mat t hew, and it 's even m ore a pleasure t o int roduce you t o his book, and let you all in on what I and ot hers have been m ore privat e recipient s of for t he last few years. Glenn Fleishm an Seat t le, Washingt on February 2005

Preface People m ove. Net works don't . More t han anyt hing else, t hese t wo st at em ent s can explain t he explosion of wireless LAN hardware. I n j ust a few years, wireless LANs have grown from a high- priced, alpha- geek curiosit y t o m ainst ream t echnology. By rem oving t he net work port from t he equat ion, wireless net works separat e user connect ivit y from a direct physical locat ion at t he end of a cord. To abst ract t he user locat ion from t he net work, however, requires a great deal of prot ocol engineering. For users t o have locat ion- independent services, t he net work m ust becom e m uch m ore aware of t heir locat ion. This book has been writ t en on m ore airplanes, in m ore airport s, and on m ore t rains t han I care t o count . Much of t he research involved in dist illing evolving net work t echnology int o a book depends on I nt ernet access. I t is safe t o say t hat wit hout ubiquit ous net work access, t he arrival of t his book would have been m uch delayed. The advant ages of wireless net works has m ade t hem a fast - growing m ult ibillion dollar equipm ent m arket . Wireless LANs are now a fixt ure on t he net working landscape, which m eans you need t o learn t o deal wit h t hem .

Prometheus Untethered: The Possibilities of Wireless LANs Wireless net works offer several advant ages over fixed ( or " wired" ) net works:

Mobilit y Users m ove, but dat a is usually st ored cent rally, enabling users t o access dat a while t hey are in m ot ion can lead t o large product ivit y gains. Net works are built because t hey offer valuable services t o users. I n t he past , net work designers have focused on working wit h net work port s because t hat is what t ypically m aps t o a user. Wit h wireless, t here are no port s, and t he net work can be designed around user ident it y.

Ease and speed of deploym ent Many areas are difficult t o wire for t radit ional wired LANs. Older buildings are oft en a problem ; running cable t hrough t he walls of an older st one building t o which t he blueprint s have been lost can be a challenge. I n m any places, hist oric preservat ion laws m ake it difficult t o carry out new LAN inst allat ions in older buildings. Even in m odern facilit ies, cont ract ing for cable inst allat ion can be expensive and t im e- consum ing.

Flexibilit y No cables m eans no recabling. Wireless net works allow users t o quickly form am orphous, sm all group net works for a m eet ing, and wireless net working m akes m oving bet ween cubicles and offices a snap. Expansion wit h wireless net works is easy because t he net work m edium is already everywhere. There are no cables t o pull, connect , or t rip over. Flexibilit y is t he big selling point for t he " hot spot " m arket , com posed m ainly of hot els, airport s, t rain st at ions ( and even t rains t hem selves! ) , libraries, and cafes.

Cost I n som e cases, cost s can be reduced by using wireless t echnology. As an exam ple, 802.11® equipm ent can be used t o creat e a wireless bridge bet ween t wo buildings. Set t ing up a wireless bridge requires som e init ial capit al cost in t erm s of out door equipm ent , access point s, and wireless int erfaces. Aft er t he init ial capit al expendit ure, however, an 802.11- based, line- ofsight net work will have only a negligible recurring m ont hly operat ing cost . Over t im e, point - t opoint wireless links are far cheaper t han leasing capacit y from t he t elephone com pany. Unt il t he com plet ion of t he 802.11 st andard in 1997, however, users want ing t o t ake advant age of t hese at t ribut es were forced t o adopt single- vendor solut ions wit h all of t he risk t hat ent ailed. Once 802.11 st art ed t he ball rolling, speeds quickly increased from 2 Mbps t o 11 Mbps t o 54 Mbps. St andardized wireless int erfaces and ant ennas have m ade it m uch easier t o build wireless net works.

Several service providers have j um ped at t he idea, and ent husiast ic bands of volunt eers in m ost m aj or cit ies have st art ed t o build public wireless net works based on 802.11. 802.11 has becom e som et hing of a universally assum ed connect ivit y m et hod as well. Rat her t han wiring public access port s up wit h Et hernet , a collect ion of access point s can provide connect ivit y t o guest s. I n t he years since 802.11 was st andardized, so- called " hot spot s" have gone from an exot ic curiosit y in venues t hat do not m ove, t o t echnology t hat is providing connect ivit y even while in t ransit . By coupling 802.11 access wit h a sat ellit e uplink, it is possible t o provide I nt ernet access even while m oving quickly. Several com m ut er rail syst em s provide m obile hot - spot s, and Boeing's Connexion service can do t he sam e for an airplane, even at a cruising speed of 550 m iles per hour.

Audience This book is int ended for readers who need t o learn m ore about t he t echnical aspect s of wireless LANs, from operat ions t o deploym ent t o m onit oring: Net work archit ect s cont em plat ing rolling out 802.11 equipm ent ont o net works or building net works based on 802.11 Net work adm inist rat ors responsible for building and m aint aining 802.11 net works Securit y professionals concerned about t he exposure from deploym ent of 802.11 equipm ent and int erest ed in m easures t o reduce t he securit y headaches The book assum es t hat you have a solid background in com put er net works. You should have a basic underst anding of I EEE 802 net works ( part icularly Et hernet ) , t he OSI reference m odel, and t he TCP/ I P prot ocols, in addit ion t o any ot her prot ocols on your net work. Wireless LANs are not t ot ally new ground for m ost net work adm inist rat ors, but t here will be new concept s, part icularly involving radio t ransm issions.

Overture for Book in Black and White, Opus 2 Part of t he difficult y in writ ing a book on a t echnology t hat is evolving quickly is t hat you are never quit e sure what t o include. The years bet ween t he first and second edit ion were filled wit h m any developm ent s in securit y, and updat ing t he securit y- relat ed inform at ion was one of t he m aj or part s of t his revision. This book has t wo m ain purposes: it is m eant t o t each t he reader about t he 802.11 st andard it self, and it offers pract ical advice on building wireless LANs wit h 802.11 equipm ent . These t wo purposes are m eant t o be independent of each ot her so you can easily find what int erest s you. To help you decide what t o read first and t o give you a bet t er idea of t he layout , t he following are brief sum m aries of all t he chapt ers. Chapt er 1, I nt roduct ion t o Wireless Net working, list s ways in which wireless net works are different from t radit ional wired net works and discusses t he challenges faced when adapt ing t o fuzzy boundaries and unreliable m edia. Wireless LANs are perhaps t he m ost int erest ing illust rat ion of Christ ian Huit em a's assert ion t hat t he I nt ernet has no cent er, j ust an ever- expanding edge. Wit h wireless LAN t echnology becom ing com m onplace, t hat edge is now blurring. Chapt er 2, Overview of 802.11 Net works, describes t he overall archit ect ure of 802.11 wireless LANs. 802.11 is som ewhat like Et hernet but wit h a num ber of new net work com ponent s and a lot of new acronym s. This chapt er int roduces you t o t he net work com ponent s t hat you'll work wit h. Broadly speaking, t hese com ponent s are st at ions ( m obile devices wit h wireless cards) , access point s ( glorified bridges bet ween t he st at ions and t he dist ribut ion syst em ) , and t he dist ribut ion syst em it self ( t he wired backbone net work) . St at ions are grouped logically int o Basic Service Set s ( BSSs) . When no access point is present , t he net work is a loose, ad- hoc confederat ion called an independent BSS ( I BSS) . Access point s allow m ore st ruct ure by connect ing disparat e physical BSSs int o a furt her logical grouping called an Ext ended Service Set ( ESS) . Chapt er 3, 802.11 MAC Fundam ent als, describes t he Media Access Cont rol ( MAC) layer of t he 802.11 st andard in det ail. 802.11, like all I EEE 802 net works, split s t he MAC- layer funct ionalit y from t he physical m edium access. Several physical layers exist for 802.11, but t he MAC is t he sam e across all of t hem . The m ain m ode for accessing t he net work m edium is a t radit ional cont ent ion- based access m et hod, t hough it em ploys collision avoidance ( CSMA/ CA) rat her t han collision det ect ion ( CSMA/ CD) . The chapt er also discusses dat a encapsulat ion in 802.11 fram es and helps net work adm inist rat ors underst and t he fram e sequences used t o t ransfer dat a. Chapt er 4, 802.11 Fram ing in Det ail, builds on t he end of Chapt er 3 by describing t he various fram e t ypes and where t hey are used. This chapt er is int ended m ore as a reference t han act ual reading m at erial. I t describes t he t hree m aj or fram e classes. Dat a fram es are t he workhorse of 802.11. Cont rol fram es serve supervisory purposes. Managem ent fram es assist in perform ing t he ext ended operat ions of t he 802.11 MAC. Beacons announce t he exist ence of an 802.11 net work, assist in t he associat ion process, and are used for aut hent icat ing st at ions. Chapt er 5, Wired Equivalent Privacy ( WEP), describes t he Wired Equivalent Privacy prot ocol. I n spit e of it s flaws, WEP is t he basis for m uch of t he following work in wireless LAN securit y. This chapt er discusses what WEP is, how it works, and why you can't rely on it for any m eaningful privacy or securit y. Chapt er 6, User Aut hent icat ion wit h 802.1X, describes t he 802.1X aut hent icat ion fram ework. I n conj unct ion wit h t he Ext ensible Aut hent icat ion Prot ocol, 802.1X provides st rong aut hent icat ion solut ions and im proved encrypt ion on Wireless LANs.

Chapt er 7, 802.11i: Robust Securit y Net works, TKI P, and CCMP, describes t he 802.11i st andard for wireless LAN securit y. I n recognit ion of t he fundam ent al flaws of WEP, t wo new link- layer encrypt ion prot ocols were designed, com plet e wit h new m echanism s t o derive and dist ribut e keys. Chapt er 8, Managem ent Operat ions, describes t he m anagem ent operat ions on 802.11 net works. To find net works t o j oin, st at ions scan for act ive net works announced by access point s or t he I BSS creat or. Before sending dat a, st at ions m ust associat e wit h an access point . This chapt er also discusses t he power- m anagem ent feat ures incorporat ed int o t he MAC t hat allow bat t ery- powered st at ions t o sleep and pick up buffered t raffic at periodic int ervals. Chapt er 9, Cont ent ion- Free Service wit h t he PCF, describes t he point coordinat ion funct ion. The PCF is not widely im plem ent ed, so t his chapt er can be skipped for m ost purposes. The PCF is t he basis for cont ent ion- free access t o t he wireless m edium . Cont ent ion- free access is like a cent rally cont rolled, t oken- based m edium , where access point s provide t he " t oken" funct ion. Chapt er 10, Physical Layer Overview, describes t he general archit ect ure of t he physical layer ( PHY) in t he 802.11 m odel. The PHY it self is broken down int o t wo " sublayers." The Physical Layer Convergence Procedure ( PLCP) adds a pream ble t o form t he com plet e fram e and it s own header, while t he Physical Medium Dependent ( PMD) sublayer includes m odulat ion det ails. The m ost com m on PHYs use radio frequency ( RF) as t he wireless m edium , so t he chapt er closes wit h a short discussion on RF syst em s and t echnology t hat can be applied t o any PHY discussed in t he book. Chapt er 11, The Frequency- Hopping ( FH) PHY, describes t he oldest physical layer wit h 802.11. Product s based on t he FH PHY are no longer widely sold, but a great deal of early 802.11 equipm ent was based on t hem . Organizat ions wit h a long hist ory of involvem ent wit h 802.11 t echnology m ay need t o be fam iliar wit h t his PHY. Chapt er 12, The Direct Sequence PHYs: DSSS and HR/ DSSS ( 802.11b) , describes t wo physical layers based on direct sequence spread spect rum t echnology. The init ial 802.11 st andard included a layer which offered speeds of 1 Mbps and 2 Mbps. While int erest ing, it was not unt il 802.11b added 5.5 Mbps and 11 Mbps dat a rat es t hat t he t echnology really t ook off. This chapt er describes t he t wo closely- relat ed PHYs as a single package. Chapt er 13, 802.11a and 802.11j : 5- GHz OFDM PHY, describes t he 5- GHz PHY st andardized wit h 802.11a, which operat es at 54 Mbps. This physical layer uses anot her m odulat ion t echnique known as ort hogonal frequency division m ult iplexing ( OFDM) . Slight m odificat ions were required t o use t his PHY in Japan, which were m ade by t he 802.11j st andard. Chapt er 14, 802.11g: The Ext ended- Rat e PHY ( ERP), describes a PHY which uses OFDM t echnology, but in t he 2.4 GHz frequency band shared by 802.11b. I t has largely supplant ed 802.11b, and is a com m on opt ion for built - in connect ivit y wit h new not ebook com put ers. The PHY it self is alm ost ident ical t o t he 802.11a PHY. The differences are in allowing for backwards com pat ibilit y wit h older equipm ent sharing t he sam e frequency band. Chapt er 15, A Peek Ahead at 802.11n: MI MO- OFDM, describes t he PHY current ly in developm ent . 802.11n uses a PHY based on m ult iple- input / m ult iple- out put ( MI MO) t echnology for m uch higher speed. At t he t im e t his book went t o press, t wo proposed st andards were dueling in t he com m it t ee. This chapt er describes bot h. Chapt er 16, 802.11 Hardware, begins t he t ransit ion from t heoret ical m at t ers based on t he st andards t o how t he st andards are im plem ent ed. 802.11 is a relat ively loose st andard, and allows a large num ber of im plem ent at ion choices. Cards m ay differ in t heir specified perform ance, or in t he m anner in which cert ain prot ocols are im plem ent ed. Many of t hese variat ions are based on how t hey are built . Chapt er 17, Using 802.11 on Windows, describes t he basic driver inst allat ion procedure in Windows, and how t o configure securit y set t ings.

Chapt er 18, 802.11 on t he Macint osh, describes how t o use t he AirPort card on MacOS X t o connect t o 802.11 net works. I t focuses on Mac OS X 10.3, which was t he first soft ware version t o include 802.1X support . Chapt er 19, Using 802.11 on Linux, discusses how t o inst all 802.11 support on a Linux syst em . Aft er discussing how t o add PC Card support t o t he operat ing syst em , it shows how t o use t he wireless ext ensions API . I t discusses t wo com m on drivers, one for t he older Orinoco 802.11b card, and t he MADwifi driver for newer cards based on chipset s from At heros Com m unicat ions. Finally, it shows how t o configure 802.1X securit y using xsupplicant . Chapt er 20, Using 802.11 Access Point s, describes t he equipm ent used on t he infrast ruct ure end of 802.11 net works. Com m ercial access point product s have varying feat ures. This chapt er describes t he com m on feat ures of access point s, offers buying advice, and present s t wo pract ical configurat ion exam ples. Chapt er 21, Logical Wireless Net work Archit ect ure, m arks t he t hird t ransit ion in t he book, from t he im plem ent at ion of 802.11 on t he scale of an individual device, t o how t o build 802.11 net works on a larger scale. There are several m aj or st yles t hat can be used t o build t he net work, each wit h it s advant ages and disadvant ages. This chapt er sort s t hrough t he com m on t ypes of net work t opologies and offers advice on select ing one. Chapt er 22, Securit y Archit ect ure, should be read in t andem wit h t he previous chapt er. Maint aining net work securit y while offering net work access on an open m edium is a m aj or challenge. Securit y choices and archit ect ure choices are m ut ually influent ial. This chapt er addresses t he m aj or choices t o be m ade in designing a net work: what t ype of aut hent icat ion will be used and how it int egrat es wit h exist ing user dat abases, how t o encrypt t raffic t o keep it safe, and how t o deal wit h unaut horized access point deploym ent . Chapt er 23, Sit e Planning and Proj ect Managem ent , is t he final com ponent of t he book for net work adm inist rat ors. Designing a large- scale wireless net work is difficult because t here is great user dem and for access. Ensuring t hat t he net work has sufficient capacit y t o sat isfy user dem ands in all t he locat ions where it will be used requires som e planning. Choosing locat ions for access point s depends a great deal on t he radio environm ent , and has t radit ionally been one of t he m ost t im econsum ing t asks in building a net work. Chapt er 24, 802.11 Net work Analysis, t eaches adm inist rat ors how t o recognize what 's going on wit h t heir wireless LANs. Net work analyzers have proven t heir wort h t im e and t im e again on wired net works. Wireless net work analyzers are j ust as valuable a t ool for 802.11 net works. This chapt er discusses how t o use wireless net work analyzers and what cert ain sym pt om s m ay indicat e. I t also describes how t o build an analyzer using Et hereal, and what t o look for t o t roubleshoot com m on problem s. Chapt er 25, 802.11 Perform ance Tuning, describes how net work adm inist rat ors can increase t hroughput . I t begins by describing how t o calculat e overall t hroughput for payload dat a, and com m on ways of increasing perform ance. I n rare cases, it m ay m ake sense t o change com m only exposed 802.11 param et ers. Chapt er 26, Conclusions and Predict ions, sum m arizes current st andards work in t he 802.11 working group. Aft er sum m arizing t he work in progress, I get t o prognost icat e and hope t hat I don't have t o revise t his t oo ext ensively in fut ure edit ions.

Major Changes from the First Edition The t hree years bet ween 2002 and 2005 saw a great deal of change in wireless LANs. The st andards t hem selves cont inued t o evolve t o provide great er securit y and int eroperabilit y. Following t he t ypical

t echnology pat h of " fast er, bet t er, and cheaper," t he dat a rat e of m ost 802.11 int erfaces has shot from 2 or 11 Mbps wit h 802.11b t o 54 Mbps wit h 802.11a and 802.11g. I ncreased speed wit h backwards com pat ibilit y has proved t o be a com m ercially successful form ula for 802.11g, even if it has lim it at ions when used for large- scale net works. The com ing st andardizat ion of 802.11n is set t o boost speeds even fart her. New developm ent s in PHY t echnology are anxiously await ed by users, as shown by t he popular releases of pre- st andard t echnology. Two ent irely new chapt ers are devot ed t o 802.11g and 802.11n. European adopt ion of 802.11a was cont ingent on t he developm ent of spect rum m anagem ent in 802.11h, which result ed in ext ensive revisions t o t he m anagem ent chapt er. When t he first edit ion was released in 2002, t he percept ion of insecurit y dom inat ed discussions of t he t echnology. WEP was clearly insufficient , but t here was no good alt ernat ive. Most net work adm inist rat ors were m aking do wit h rem ot e access syst em s t urned inward, rat her t han t heir nat ural out ward orient at ion. The developm ent of 802.11i was done a great deal t o sim plify net work securit y. Securit y is now built in t o t he specificat ion, rat her t han som et hing which m ust be added on aft er get t ing t he net work right . Securit y im provem ent s perm eat e t he book, from new chapt ers showing how t he new prot ocols work, t o showing how t hey can be used on t he client side, t o how t o sort t hrough different opt ions when building a net work. Sort ing t hrough securit y opt ions is m uch m ore com plex now t han it was t hree years ago, and m ade it necessary t o expand a sect ion of t he deploym ent discussion in t he first edit ion int o it s own chapt er. Three years ago, m ost access point s were expensive devices t hat did not work well in large num bers. Net work deploym ent was oft en an exercise in working around t he lim it at ions of t he devices of t he t im e. Three years lat er, vast ly m ore capable devices allow m uch m ore flexible deploym ent m odels. Rat her t han j ust a " one size fit s all" deploym ent m odel, t here are now m ult iple opt ions t o sort t hrough. Securit y prot ocols have im proved enough t hat discussions of deploying t echnology are based on what it can do for t he organizat ion, not on fear and how t o keep it cont rolled. As a result , t he original chapt er on net work deploym ent has grown int o t hree, each t ackling a m aj or part of t he deploym ent process.

Conventions Used in This Book I t alic is used for: Pat hnam es, filenam es, class nam es, and direct ories New t erm s where t hey are defined I nt ernet addresses, such as dom ain nam es and URLs Bold is used for: GUI com ponent s Constant Width is used for:

Com m and lines and opt ions t hat should be t yped verbat im on t he screen All code list ings Constant Width Italic is used for:

General placeholders t hat indicat e t hat an it em should be replaced by som e act ual value in your own program Constant Width Bold is used for:

Text t hat is t yped in code exam ples by t he user

I ndicat es a t ip, suggest ion, or general not e

I ndicat es a warning or caut ion

How to Contact Us Please address com m ent s and quest ions concerning t his book t o t he publisher: O'Reilly Media, I nc. 1005 Gravenst ein Highway Nort h Sebast opol, CA 95472 ( 800) 998- 9938 ( in t he U.S. or Canada) ( 707) 829- 0515 ( int ernat ional/ local) ( 707) 829- 0104 ( fax) There is a web sit e for t he book, where errat a and any addit ional inform at ion will be list ed. You can access t his page at :

http://www.oreilly.com/catalog/802dot112/

I n a fast - m oving field, sm aller art icles bridge t he gap bet ween cont em porary pract ice and t he last version of t he print ed book. You can access m y weblog and art icles at :

http://weblogs.oreillynet.com/pub/au/692/

To com m ent or ask t echnical quest ions about t his book, send em ail t o:

[email protected]

For m ore inform at ion about our books, conferences, soft ware, Resource Cent ers, and t he O'Reilly Net work, see our web sit e at :

http://www.oreilly.com/

Safari Enabled

When you see a Safari® Enabled icon on t he cover of your favorit e t echnology book, it m eans t he book is available online t hrough t he O'Reilly Net work Safari Bookshelf. Safari offers a solut ion t hat 's bet t er t han e- books. I t 's a virt ual library t hat let s you easily search t housands of t op t echnology books, cut and past e code sam ples, download chapt ers, and find quick answers when you need t he m ost accurat e, current inform at ion. Try it for free at ht t p: / / safari.oreilly.com .

Acknowledgments As m uch as I would like t o believe t hat you are reading t his book for it s ent ert ainm ent value, I know bet t er. Technical books are valued because t hey get t he det ails right , and convey t hem in an easier fashion t han t he unadorned t echnical specificat ion. Behind every t echnical book, t here is a review t eam t hat saw t he first draft and helped t o im prove it . My review t eam caught num erous m ist akes and m ade t he book significant ly bet t er. Dr. Malik Audeh of Tropos Net works is, for lack of a bet t er t erm , m y radio conscience. I am no radio expert what I know about radio, I learned because of m y int erest in 802.11. Malik knew radio t echnology before 802.11, and I have been privileged t o share in his insight . Gerry Creager of Texas A&M offered insight int o t he FCC rules and regulat ions for unlicensed devices, which was valuable because wireless LANs have been upending t he rules in recent years. When Glenn Fleishm an agreed t o writ e t he foreword, I had no idea t hat he would offer so m uch help in placing 802.11 wit hin it s larger cont ext . Many of t he det ails he suggest ed were references t o art icles t hat had run in t he past years on his own Wi- Fi Net working News sit e. As a writ er him self, Glenn also point ed out several locat ions where bet t er exam ples would m ake m y point s m uch clearer. Finally, Terry Sim ons of t he Open1X proj ect has worked ext ensively wit h 802.11 on Linux, and wit h nearly every 802.1X supplicant on t he m aj or operat ing syst em s. Terry also is one of t he archit ect s of t he wireless aut hent icat ion syst em at t he Universit y of Ut ah. His expert ise can be felt t hroughout t he early part of t he book on securit y specificat ions, as well as in t he pract ical m at t er of using supplicant s and building an aut hent icat ion syst em . I am also indebt ed t o m any ot hers who help keep m e abreast of current developm ent s in 802.11, and share t heir knowledge wit h m e. Since 2002, I have been privileged t o part icipat e in t he I nt erop Labs init iat ives relat ed t o wireless securit y and 802.1X. The real world is far t oo m essy for t he classroom . Every year, I learn m ore about t he st at e of t he art by volunt eering t han I ever could by t aking a prepared class. Through t he I nt erop Labs, I m et Chris Hessing, t he developm ent lead for xsupplicant . Chris has always generously explained how all t he keying bit s m ove around in 802.11, which is no sm all feat ! Sudheer Mat t a, a colleague of m ine, always has t im e t o explain what is happening in t he st andards world, and how t he m inut e det ails of t he MAC work. The large support ing cast at O'Reilly was t rem endously helpful in a wide variet y of ways. Ellie Volckhausen designed a st unning cover t hat has adorned m y cubicle as well as m ost of t he personal elect ronics devices I own since 2001, when I began writ ing t he first edit ion. ( I t even looks good as t he wallpaper on m y m obile t elephone! ) Jessam yn Read t ook a huge m ass of raw sket ches and convert ed every last one int o som et hing t hat is wort h looking at , and did so on a grueling schedule. I do not know how m any hours Colleen Gorm an, t he product ion edit or, put int o t his book t o get it finished, but I hope her fam ily and her cat , Phineas, forgive m e. And, as always, I am t hankful for t he wisdom of Mike Loukides, t he edit or. Mike kept t his proj ect m oving forward in t he innum erable ways I have been accust om ed t o from our past collaborat ions, and his background as a ham radio operat or proved especially useful when I st art ed writ ing about t he dark and forbidding world of ant ennas and RF t ransm ission. ( Am ong m any, m any ot her it em s, you have him t o t hank for t he foot not e on t he gain of t he Aricebo radio t elescope! ) As wit h so m uch in life, t he devil of writ ing is in t he det ails. Get t ing it right m eans rewrit ing, and t hen probably rewrit ing som e m ore. I did not at t em pt a large writ ing proj ect unt il college, when I t ook Brad Bat em an's U.S. Financial Syst em class. Alt hough I cert ainly learned about t he flow of m oney t hrough t he econom y and t he t ools t hat t he Federal Reserve uses in form ulat ing policy, what I m ost value in ret rospect was t he highly st ruct ured process of writ ing a lengt hy paper t hroughout t he sem est er. I n addit ion t o sim ply producing a large docum ent , Dr. Bat em an st ressed t he revision process, a skill t hat I had t o use repeat edly in t he preparat ion of t his book and it s second edit ion. I t would be a m ist ake, however, for m e t o sim ply credit Dr. Bat em an as an out st anding writ ing t eacher

or an econom ist gift ed wit h t he abilit y t o explain com plex subj ect s t o his st udent s. Dr. Bat em an is not shackled by his narrow academ ic expert ise. During t he preparat ion of t he second edit ion of t his book, I at t ended a lect ure of his about t he social hist ory of m y alm a m at er. I n a capt ivat ing hour, he t raced t he hist ory of t he inst it ut ion and it s int ersect ion wit h wider social m ovem ent s, which explained it s present - day cult ure in far m ore dept h t han I ever appreciat ed while a st udent . Not all professors t each t o prepare st udent s for graduat e school, and not all professors confine t heir t eaching t o t he classroom . I am a far bet t er writ er, econom ist , and cit izen for his influence. When writ ing a book, it is easy t o acknowledge t he t angible cont ribut ions of ot hers. Behind every aut hor, t hough, t here is a support ive cast of relat ives and friends. As always, m y wife Ali cont inued t o indulge m y writ ing habit wit h ext rem ely good hum or, especially considering t he num ber of weekends t hat were sacrificed t o t his book. Many of m y friends inform ally support ed t his proj ect wit h a great deal of encouragem ent and support ; m y t hanks m ust go t o ( in alphabet ical order) Annie, Aram azd, Brian, Dam eon, Kevin, and Nick. Mat t hew Gast San Francisco, California February 2005

Chapter 1. Introduction to Wireless Networking Over t he past five years, t he world has becom e increasingly m obile. As a result , t radit ional ways of net working t he world have proven inadequat e t o m eet t he challenges posed by our new collect ive lifest yle. I f users m ust be connect ed t o a net work by physical cables, t heir m ovem ent is dram at ically reduced. Wireless connect ivit y, however, poses no such rest rict ion and allows a great deal m ore free m ovem ent on t he part of t he net work user. As a result , wireless t echnologies are encroaching on t he t radit ional realm of " fixed" or " wired" net works. This change is obvious t o anybody who drives on a regular basis. One of t he " life and deat h" challenges t o t hose of us who drive on a regular basis is t he daily gaunt let of errat ically driven cars cont aining m obile phone users in t he driver's seat . Wireless connect ivit y for voice t elephony has creat ed a whole new indust ry. Adding m obile connect ivit y int o t he m ix for t elephony has had profound influences on t he business of delivering voice calls because callers could be connect ed t o people, not devices. We are on t he cusp of an equally profound change in com put er net working. Wireless t elephony has been successful because it enables people t o connect wit h each ot her regardless of locat ion. New t echnologies t arget ed at com put er net works prom ise t o do t he sam e for I nt ernet connect ivit y. The m ost successful wireless dat a net working t echnology t his far has been 802.11. I n t he first edit ion of t his book, I wrot e about 802.11 being t he t ip of t he t rend in m obile dat a net working. At t he t im e, 802.11 and t hird- generat ion m obile t echnologies were duking it out for m indshare, but 802.11 has unquest ionably been m ore successful t o dat e.

Why Wireless? To dive int o a specific t echnology at t his point is get t ing a bit ahead of t he st ory, t hough. Wireless net works share several im port ant advant ages, no m at t er how t he prot ocols are designed, or even what t ype of dat a t hey carry. The m ost obvious advant age of wireless net working is m obilit y. Wireless net work users can connect t o exist ing net works and are t hen allowed t o roam freely. A m obile t elephone user can drive m iles in t he course of a single conversat ion because t he phone connect s t he user t hrough cell t owers. I nit ially, m obile t elephony was expensive. Cost s rest rict ed it s use t o highly m obile professionals such as sales m anagers and im port ant execut ive decision m akers who m ight need t o be reached at a m om ent 's not ice regardless of t heir locat ion. Mobile t elephony has proven t o be a useful service, however, and now it is relat ively com m on in t he Unit ed St at es and ext rem ely com m on am ong Eur opeans. [ * ] [*]

While most of my colleagues, acquaintances, and family in the U.S. have mobile telephones, it is still possible to be a holdout. In Europe, it seems as if everybody has a mobile phoneone cab driver in Finland I spoke with while writing the first edition of this book took great pride in the fact that his family of four had six mobile telephones!

Likewise, wireless dat a net works free soft ware developers from t he t et hers of an Et hernet cable at a desk. Developers can work in t he library, in a conference room , in t he parking lot , or even in t he coffee house across t he st reet . As long as t he wireless users rem ain wit hin t he range of t he base st at ion, t hey can t ake advant age of t he net work. Com m only available equipm ent can easily cover a corporat e cam pus; wit h som e work, m ore exot ic equipm ent , and favorable t errain, you can ext end t he range of an 802.11 net work up t o a few m iles. Wireless net works t ypically have a great deal of flexibilit y , which can t ranslat e int o rapid deploym ent . Wireless net works use a num ber of base st at ions t o connect users t o an exist ing net work. ( I n an 802.11 net work, t he base st at ions are called access point s.) The infrast ruct ure side of a wireless net work, however, is qualit at ively t he sam e whet her you are connect ing one user or a m illion users. To offer service in a given area, you need base st at ions and ant ennas in place. Once t hat infrast ruct ure is built , however, adding a user t o a wireless net work is m ost ly a m at t er of aut horizat ion. Wit h t he infrast ruct ure built , it m ust be configured t o recognize and offer services t o t he new users, but aut horizat ion does not require m ore infrast ruct ure. Adding a user t o a wireless net work is a m at t er of configuring t he infrast ruct ure, but it does not involve running cables, punching down t erm inals, and pat ching in a new j ack. [ ] [

] This simple example ignores the challenges of scale. Naturally, if the new users will overload the existing infrastructure, the infrastructure itself will need to be beefed up. Infrastructure expansion can be expensive and time-consuming, especially if it involves legal and regulatory approval. However, my basic point holds: adding a user to a wireless network can often be reduced to a matter of configuration (moving or changing bits) while adding a user to a fixed network requires making physical connections (moving atoms), and moving bits is easier than moving atoms.

Flexibilit y is an im port ant at t ribut e for service providers. One of t he m arket s t hat m any 802.11 equipm ent vendors have been chasing is t he so- called " hot spot " connect ivit y m arket . Airport s and t rain st at ions are likely t o have it inerant business t ravelers int erest ed in net work access during connect ion delays. Coffeehouses and ot her public gat hering spot s are social venues in which net work access is desirable. Many cafes already offer I nt ernet access; offering I nt ernet access over a wireless net work is a nat ural ext ension of t he exist ing I nt ernet connect ivit y. While it is possible t o serve a fluid group of users wit h Et hernet j acks, supplying access over a wired net work is problem at ic for several reasons. Running cables is t im e- consum ing and expensive and m ay also require const ruct ion. Properly guessing t he correct num ber of cable drops is m ore an art t han a science. Wit h a wireless

net work, t hough, t here is no need t o suffer t hrough const ruct ion or m ake educat ed ( or wild) guesses about dem and. A sim ple wired infrast ruct ure connect s t o t he I nt ernet , and t hen t he wireless net work can accom m odat e as m any users as needed. Alt hough wireless LANs have som ewhat lim it ed bandwidt h, t he lim it ing fact or in net working a sm all hot spot is likely t o be t he cost of WAN bandwidt h t o t he support ing infrast ruct ure. Flexibilit y m ay be part icularly im port ant in older buildings because it reduces t he need for const ruct ion. Once a building is declared hist orical, rem odeling can be part icularly difficult . I n addit ion t o m eet ing owner requirem ent s, hist orical preservat ion agencies m ust be sat isfied t hat new const ruct ion is not desecrat ing t he past . Wireless net works can be deployed ext rem ely rapidly in such environm ent s because t here is only a sm all wired net work t o inst all. Flexibilit y has also led t o t he developm ent of grassroot s com m unit y net works. Wit h t he rapid price erosion of 802.11 equipm ent , bands of volunt eers are set t ing up shared wireless net works open t o visit ors. Com m unit y net works are also ext ending t he range of I nt ernet access past t he lim it at ions for DSL int o com m unit ies where high- speed I nt ernet access has been only a dream . Com m unit y net works have been part icularly successful in out - of- t he way places t hat are t oo rugged for t radit ional wireline approaches. Like all net works, wireless net works t ransm it dat a over a net work m edium . The m edium is a form of elect rom agnet ic radiat ion. [ * ] To be well- suit ed for use on m obile net works, t he m edium m ust be able t o cover a wide area so client s can m ove t hroughout a coverage area. Early wireless net works used infrared light. However, infrared light has lim it at ions; it is easily blocked by walls, part it ions, and ot her office const ruct ion. Radio waves can penet rat e m ost office obst ruct ions and offer a wider coverage range. I t is no surprise t hat m ost , if not all, 802.11 product s on t he m arket use t he radio wave physical layer. [*]

Laser light is also used by some wireless networking applications, but the extreme focus of a laser beam makes it suited only for applications in which the ends are stationary. "Fixed wireless" applications, in which lasers replace other access technology such as leased telephone circuits, are a common application.

Radio Spectrum: The Key Resource Wireless devices are const rained t o operat e in a cert ain frequency band. Each band has an associat ed bandwidt h, which is sim ply t he am ount of frequency space in t he band. Bandwidt h has acquired a connot at ion of being a m easure of t he dat a capacit y of a link. A great deal of m at hem at ics, inform at ion t heory, and signal processing can be used t o show t hat higher- bandwidt h slices can be used t o t ransm it m ore inform at ion. As an exam ple, an analog m obile t elephony channel requires a 20- kHz bandwidt h. TV signals are vast ly m ore com plex and have a correspondingly larger bandwidt h of 6 MHz.

Early Adoption of 802.11 802.11's explosive advance has not been even. Som e m arket s have evolved m ore quickly t han ot hers because t he value of wireless net works is m ore pronounced in som e m arket s. I n general, t he higher t he value placed on m obilit y and flexibilit y, t he great er t he int erest in wireless LANs. Logist ics organizat ions responsible for m oving goods around ( t hink UPS, FedEx, or airlines) , were perhaps t he earliest adopt ers of 802.11. Well before t he advent of 802.11, package t racking was done wit h propriet ary wireless LANs. St andardized product s lowered t he price and enabled com pet it ion bet ween suppliers of net work equipm ent , and it was an easy decision t o replace propriet ary product s wit h st andardized ones. Healt h care has been an early adopt er of wireless net works because of t he great flexibilit y t hat is oft en required of healt h care equipm ent . Pat ient s can be m oved t hroughout a hospit al, and t he healt h care professionals t hat spend t im e wit h pat ient s are am ong som e of t he m ost m obile workers in t he econom y. Technologically advanced healt h care organizat ions have adopt ed wireless LANs t o m ake pat ient inform at ion available over wireless LANs t o im prove pat ient care by m aking inform at ion m ore accessible t o doct ors. Com put erized records can be t ransferred bet ween depart m ent s wit hout t he requirem ent t o decipher t he legendarily illegible doct or scrawls. I n t he clut t ered environm ent s of an em ergency room , rapid access t o im aging dat a can quit e lit erally be a lifesaver. Several hospit als have deployed PCs t o m ake radiology im ages available over wireless LANs on specially- equipped " crash cart s" t hat offer inst ant access t o X- rays, allowing doct ors t o m ake quick decisions wit hout wait ing for film t o be dev eloped. Many educt ional inst it ut ions have ent husiast ically adopt ed wireless LANs. 10 years ago, colleges com pet ed for st udent s based on how " wired" t he cam pus was. More high speed dat a port s everywhere was assum ed t o be bet t er. Nowadays, t he leading st ories in educat ion are t he colleges using wireless LANs t o blanket coverage t hroughout t he cam pus. St udent s are highly m obile net work users, and can benefit great ly from net work access bet ween classes or in t heir " hom es away from hom e" ( t he library, st udio, or science lab, depending on m aj or) .

Radio spect rum allocat ion is rigorously cont rolled by regulat ory aut horit ies t hrough licensing processes. Most count ries have t heir own regulat ory bodies, t hough regional regulat ors do exist . I n t he U.S., regulat ion is done by t he Federal Com m unicat ions Com m ission ( FCC) . Many FCC rules are adopt ed by ot her count ries t hroughout t he Am ericas. European allocat ion is perform ed by t he European Radiocom m unicat ions Office ( ERO) . Ot her allocat ion work is done by t he I nt ernat ional Telecom m unicat ions Union ( I TU) . To prevent overlapping uses of t he radio waves, frequency is allocat ed in bands, which are sim ply ranges of frequencies available t o specified applicat ions. Table 1 - 1 list s som e com m on frequency bands used in t he U.S. [ * ] [*]

The full spectrum allocation map is available from the National Telecommunications and Information Administration at http://www.ntia.doc.gov/osmhome/allochrt.pdf.

Ta ble 1 - 1 . Com m on U.S. fr e qu e n cy ba n ds

Ba n d

Fr e qu e n cy r a n ge

UHF I SM

902- 928 MHz

S- Band

2- 4 GHz

S- Band I SM

2.4- 2.5 GHz

C- Band

4- 8 GHz

C- Band sat ellit e downlink

3.7- 4.2 GHz

C- Band Radar ( weat her)

5.25- 5.925 GHz

C- Band I SM

5.725- 5.875 GHz

C- Band sat ellit e uplink

5.925- 6.425 GHz

X- Band

8- 12 GHz

X- Band Radar ( police/ weat her)

8.5- 10.55 GHz

Ku- Band

12- 18 GHz

Ku- Band Radar ( police)

13.4- 14 GHz 15.7- 17.7 GHz

The ISM bands I n Table 1- 1, t here are t hree bands labeled I SM, which is an abbreviat ion for indust rial, scient ific, and m edical. I SM bands are set aside for equipm ent t hat , broadly speaking, is relat ed t o indust rial or scient ific processes or is used by m edical equipm ent . Perhaps t he m ost fam iliar I SM- band device is t he m icrowave oven, which operat es in t he 2.4- GHz I SM band because elect rom agnet ic radiat ion at t hat frequency is part icularly effect ive for heat ing wat er. I pay special at t ent ion t o t he I SM bands in t he t able because t hose bands allow license- free operat ion, provided t he devices com ply wit h power const raint s. 802.11 operat es in t he I SM bands, along wit h m any ot her devices. Com m on cordless phones operat e in t he I SM bands as well. 802.11b and 802.11g devices operat e wit hin t he 2.4 GHz I SM band, while 802.11a devices operat e in t he 5 GHz band. The m ore com m on 802.11b/ g devices operat e in S- band I SM. The I SM bands are generally licensefree, provided t hat devices are low- power. How m uch sense does it m ake t o require a license for m icrowave ovens, aft er all? Likewise, you don't need a license t o set up and operat e a low- power wireless LAN.

What Makes Wireless Networks Different Wireless net works are an excellent com plem ent t o fixed net works, but t hey are not a replacm ent t echnology. Just as m obile t elephones com plem ent fixed- line t elephony, wireless LANs com plem ent exist ing fixed net works by providing m obilit y t o users. Servers and ot her dat a cent er equipm ent m ust access dat a, but t he physical locat ion of t he server is irrelevant . As long as t he servers do not m ove, t hey m ay as well be connect ed t o wires t hat do not m ove. At t he ot her end of t he spect rum , wireless net works m ust be designed t o cover large areas t o accom m odat e fast - m oving client s. Typical 802.11 access point s do not cover large areas, and would have a hard t im e coping wit h users on rapidlym oving vehicles.

Lack of Physical Boundary Tradit ional net work securit y places a great deal of em phasis on physical securit y of t he net work com ponent s. Dat a on t he net work t ravels over well- defined pat hways, usually of copper or fiber, and t he net work infrast ruct ure is prot ect ed by st rong physical access cont rol. Equipm ent is safely locked away in wiring closet s, and set up so t hat it cannot be reconfigured by users. Basic securit y st em s from t he ( adm it t edly m arginal) securit y of t he physical layer. Alt hough it is possible t o t ap or redirect signals, physical access cont rol m akes it m uch harder for an int ruder t o gain surrept it ious access t o t he net work. Wireless net works have a m uch m ore open net work m edium . By definit ion, t he net work m edium in a wireless net work is not a well- defined pat h consist ing of a physical cable, but a radio link wit h a part icular encoding and m odulat ion. Signals can be sent or received by anybody in possession of t he radio t echniques, which are of course well known because t hey are open st andards. I nt ercept ion of dat a is child's play, given t hat t he m edium is open t o anybody wit h t he right net work int erface, and t he net work int erface can be purchased for less t han $50 at your local consum er elect ronics st ore. Careful shopping online m ay get you cards for half of t hat . Furt herm ore, radio waves t end t o t ravel out side t heir int ended locat ion. There is no abrupt physical boundary of t he net work m edium , and t he range at which t ransm issions can be received can be ext ended wit h high- gain ant ennas on eit her side. When building a wireless net work, you m ust carefully consider how t o secure t he connect ion t o prevent unaut horized use, t raffic inj ect ion, and t raffic analysis. Wit h t he m at urat ion of wireless prot ocols, t he t ools t o aut hent icat e wireless users and properly encrypt t raffic are now well wit hin reach.

Dynamic Physical Medium Once a wired net work is put in place, it t ends t o be boring, which is t o say, predict able. Once t he cables have been put in place, t hey t end t o do t he sam e t hing day in and day out . Provided t he net work has been designed according t o t he engineering rules laid out in t he specificat ion, t he net work should funct ion as expect ed. Capacit y can be added t o a wired net work easily by upgrading t he swit ches in t he wiring closet . I n cont rast , t he physical m edium on wireless LANs is m uch m ore dynam ic. Radio waves bounce off obj ect s, penet rat e t hrough walls, and can oft en behave som ewhat unpredict ably. Radio waves can suffer from a num ber of propagat ion problem s t hat m ay int errupt t he radio link, such as m ult ipat h

int erference and shadows. Wit hout a reliable net work m edium , wireless net works m ust carefully validat e received fram es t o guard against fram e loss. Posit ive acknowledgm ent , t he t act ic used by 802.11, does an excellent j ob at assuring delivery at som e cost t o t hroughput . Radio links are subj ect t o several addit ional const raint s t hat fixed net works are not . Because radio spect rum is a relat ively scarce resource, it is carefully regulat ed. Two ways exist t o m ake radio net works go fast er. Eit her m ore spect rum can be allocat ed, or t he encoding on t he link can be m ade m ore sensit ive so t hat it packs m ore dat a in per unit of t im e. Addit ional spect rum allocat ions are relat ively rare, especially for license- free net works. 802.11 net works have kept t he bandwidt h of a st at ion's radio channel t o approxim at ely 30 MHz, while developing vast ly im proved encoding t o im prove t he speed. Fast er coding m et hods can increase t he speed, but do have one pot ent ial drawback. Because t he fast er coding m et hod depends on t he receiver t o pick out subt le signal differences, m uch great er signal- t o- noise rat ios are required. Higher dat a rat es t herefore require t he st at ion t o be locat ed closer t o it s access point . Table 1- 2 shows t he st andardized physical layers in 802.11 and t heir respect ive speeds.

Ta ble 1 - 2 . Com pa r ison of 8 0 2 .1 1 ph ysica l la ye r s ( PH Ys) I EEE st a n da r d

Spe e d

Fr e qu e n cy ba n d

802.11

1 Mbps 2 2.4 GHz Mbps

First PHY st andard ( 1997) . Feat ured bot h frequency- hopping and direct - sequence m odulat ion t echniques.

802.11a

Up t o 54 Mbps

Second PHY st andard ( 1999) , but product s not released unt il lat e 2000.

802.11b

5.5 Mbps 2.4 GHz 11 Mbps

Third PHY st andard, but second wave of product s. The m ost com m on 802.11 equipm ent as t he first edit ion of t his book was writ t en, and t he m aj orit y of t he legacy inst alled base at t he t im e t he second edit ion was writ t en.

802.11g

Up t o 54 Mbps

Fourt h PHY st andard ( 2003) . Applies t he coding t echniques of 802.11a for higher speed in t he 2.4 GHz band, while ret aining backwards com pat ibilit y wit h exist ing 802.11b net works. The m ost com m on t echnology included wit h lapt ops in 2005.

5 GHz

2.4 GHz

N ot e s

Radio is inherent ly a broadcast m edium . When one st at ion t ransm it s, all ot her st at ions m ust list en. Access point s act m uch like old shared Et hernet hubs in t hat t here is a fixed am ount of t ransm ission capacit y per access point , and it m ust be shared by all t he at t ached users. Adding capacit y requires t hat t he net work adm inist rat or add access point s while sim ult aneously reducing t he coverage area of exist ing access point s.

Security Many wireless net works are based on radio waves, which m akes t he net work m edium inherent ly open t o int ercept ion. Properly prot ect ing radio t ransm issions on any net work is always a concern for prot ocol designers. 802.11 did not build in m uch in t he way of securit y prot ocols. Coping wit h t he inherent unreliabilit y of t he wireless m edium and m obilit y required several prot ocol feat ures t o confirm fram e delivery, save power, and offer m obilit y. Securit y was quit e far down t he list , and proved inadequat e in t he early specificat ions.

Wireless net works m ust be st rongly aut hent icat ed t o prevent use by unaut horized users, and aut hent icat ed connect ions m ust be st rongly encrypt ed t o prevent t raffic int ercept ion and inj ect ion by unaut horized part ies. Technologies t hat offer st rong encrypt ion and aut hent icat ion have em erged since t he first edit ion of t his book, and are a m aj or com ponent of t he revisions for t he second edit ion.

A Network by Any Other Name... Wireless net working is a hot indust ry segm ent . Several wireless t echnologies have been t arget ed prim arily for dat a t ransm ission. Bluet oot h is a st andard used t o build sm all net works bet ween peripherals: a form of " wireless wires," if you will. Most people in t he indust ry are fam iliar wit h t he hype surrounding Bluet oot h, t hough it seem s t o have died down as real devices have been brought t o m arket . I n t he first edit ion, I wrot e t hat I have not m et m any people who have used Bluet oot h devices, but it is m uch m ore com m on t hese days. ( I use a Bluet oot h headset on a regular basis.) Post - second- generat ion ( 2.5G) and t hird- generat ion ( 3G) m obile t elephony net works are also a fam iliar wireless t echnology. They prom ise dat a rat es of m egabit s per cell, as well as t he " always on" connect ions t hat have proven t o be quit e valuable t o DSL and cable m odem cust om ers. Aft er m any years of hype and press from 3G equipm ent vendors, t he rollout of com m ercial 3G services is finally underway. 2.5G services like GPRS, EDGE, and 1xRTT are now widely available, and t hird- generat ion net works based on UMTS or EV- DO are quickly being built . ( I recent ly subscribed t o an unlim it ed GPRS service t o get connect ed during m y t rain t rips bet ween m y office and m y hom e.) Many art icles quot e peak speeds for t hese t echnologies in t he hundreds of kilobit s per second or even m egabit s, but t his capacit y m ust be shared bet ween all users in a cell. Real- world downst ream speeds are roughly com parable t o dial- up m odem connect ions and cannot t ouch an 802.11 hot spot . This is a book about 802.11 net works. 802.11 goes by a variet y of nam es, depending on who is t alking about it . Som e people call 802.11 wireless Et hernet , t o em phasize it s shared lineage wit h t he t radit ional wired Et hernet ( 802.3) . A second nam e which has grown dram at ically in popularit y since t he first edit ion of t his book is Wi- Fi, from t he int eroperabilit y cert ificat ion program run by t he Wi- Fi Alliance, t he m aj or t rade assocat ion of 802.11 equipm ent vendors. The Wi- Fi Alliance, form erly known as t he Wireless Et hernet Com pat ibilit y Alliance ( WECA) , will t est m em ber product s for com pat ibilit y wit h 802.11 st andards. [ * ] Ot her organizat ions will perform com pat ibilit y t est ing as well; t he Universit y of New Ham pshire's I nt erOperabilit y Lab ( I OL) recent ly launched a wireless t est consor t ium . [*]

More details on the Wi-Fi Alliance and its certification program can be found at http://www.wi-fi.org/.

The Wonderful Thing About Standards... Several st andards groups are involved in 802.11- relat ed st andardizat ion effort s because 802.11 cut s across m any form erly dist inct boundaries in net working. Most of t he effort rem ains concent rat ed in t he I EEE, but im port ant cont ribut ions t o wireless LAN st andards have com e from several m aj or locat ions. The first is t he I nst it ut e of Elect ronics and Elect rical Engineers ( I EEE) . I n addit ion t o it s act ivit ies as a professional societ y, t he I EEE works on st andardizing elect rical equipm ent , including several t ypes of com m unicat ion t echnology. I EEE st andardizat ion effort s are organized by pr oj ect s, each of which is assigned a num ber. By far t he m ost fam ous I EEE proj ect is t he I EEE 802 proj ect t o develop LAN st andards. Wit hin a proj ect , individual working groups develop st andards t o address a part icular facet of t he problem . Working groups are also given a num ber, which is writ t en aft er t he decim al point for t he corresponding proj ect s. Et hernet , t he m ost widely used I EEE LAN t echnology, was st andardized by t he t hird working group, 802.3. Wireless LANs were t he elevent h working group form ed, hence t he nam e 802.11.

Wit hin a working group, t ask groups form t o revise part icular aspect s of t he st andard or add on t o t he general area of funct ionalit y. Task groups are assigned a let t er beneat h t he working group, and t he docum ent produced by a t ask group com bines t he proj ect and working group num ber, followed by t he let t er from t he t ask group. ( Som e let t ers t hat are subj ect t o easy confusion wit h let t ers, such as t he lowercase " l," are not used.) I n wireless net working, t he first t ask group t o gain wide recognit ion was Task Group B ( TGb) , which produced t he 802.11b specificat ion. Table 1- 3 is a basic list ing of t he different 802.11 st andards. I nt erest ingly enough, t he case of t he let t er in a st andards revision encodes inform at ion. Lowercase let t ers indicat e dependent st andards t hat cannot st and alone from t heir parent , while uppercase let t ers indicat e full- fledged st andalone specificat ions. 802.11b adds a new clause t o 802.11, but cannot st and alone, so t he " b" is writ t en in lowercase. I n const rast , st andards like 802.1Q and 802.1X are st andalone specificat ions t hat are com plet ely self- cont ained in one docum ent , and t herefore use uppercase let t ers.

At periodic int ervals, t he addit ions from dependent t ask groups will be " rolled up" int o t he m ain parent specificat ion. The init ial revision of 802.11 cam e out in 1997. Minor changes t o t he t ext were released as 802.11- 1999, which was t he baseline st andard for quit e som e t im e. The m ost recent rollup is 802.11- 2003.

Ta ble 1 - 3 . st a n da r ds I EEE st a n da r d

N ot e s

802.11

First st andard ( 1997) . Specified t he MAC and t he original slower frequency- hopping and direct - sequence m odulat ion t echniques.

802.11a

Second physical layer st andard ( 1999) , but product s not released unt il lat e 2000.

802.11b

Third physical layer st andard ( 1999) , but second wave of product s. The m ost com m on 802.11 equipm ent as t he first book was writ t en.

TGc

Task group t hat produced a correct ion t o t he exam ple encoding in 802.11a. Since t he only product was a correct ion, t here is no 802.11c.

802.11d

Ext ends frequency- hopping PHY for use across m ult iple regulat ory dom ains

TGe ( fut ure 802.11e)

Task group producing qualit y- of- service ( QoS) ext ensions for t he MAC. An int erim snapshot called Wi- Fi Mult i- Media ( WMM) is likely t o be im plem ent ed before t he st andard is com plet e.

802.11F

I nt er- access point prot ocol t o im prove roam ing bet ween direct ly at t ached access point s

802.11g

Most recent ly st andardized ( 2003) PHY for net works in t he I SM band.

802.11h

St andard t o m ake 802.11a com pat ible wit h European radio em issions regulat ions. Ot her regulat ors have adopt ed it s m echanism s for different purposes.

802.11i

I m provem ent s t o securit y at t he link layer.

802.11j

Enhancem ent s t o 802.11a t o conform t o Japanese radio em ission regulat ions.

I EEE st a n da r d

N ot e s

TGk ( fut ure 802.11k)

Task group t o enhance com m unicat ion bet ween client s and net work t o bet t er m anage scarce radio use.

TGm

Task group t o incorporat e changes m ade by 802.11a, 802.11b, and 802.11d, as well as changes m ade by TGc int o t he m ain 802.11 specificat ion. ( Think " m " for m aint enance.)

TGn ( fut ure 802.11n)

Task group founded t o creat e a high- t hroughput st andard. The design goal is t hroughput in excess of 100 Mbps, and t he result ing st andard will be called 802.11n.

TGp ( fut ure 802.11p)

Task group adopt ing 802.11 for use in aut om obiles. The init ial use is likely t o be a st andard prot ocol used t o collect t olls.

TGr ( fut ure 802.11r)

Enhancem ent s t o roam ing perform ance.

TGs ( fut ure 802.11s)

Task group enhancing 802.11 for use as m esh net working t echnology.

TGT ( fut ure 802.11T)

Task group designing t est and m easurem ent specificat ion for 802.11. I t s result will be st andalone, hence t he uppercase let t er.

TGu ( fut ure 802.11u)

Task group m odifying 802.11 t o assist in int erworking wit h ot her net work t echnologies.

When it becam e clear t hat aut hent icat ion on wireless net works was fundam ent ally broken, t he I EEE adopt ed several aut hent icat ion st andards originally developed by t he I nt ernet Engineering Task Force ( I ETF) . Wireless LAN aut hent icat ion depends heavily on prot ocols defined by t he I ETF. The Wi- Fi Alliance is a com binat ion of a t rade associat ion, t est ing organizat ion, and st andardizat ion organizat ion. Most of t he Wi- Fi Alliance's em phasis is on act ing as a t rade associat ion for it s m em bers, t hough it also well- known for t he Wi- Fi cert ificat ion program . Product s are t est ed for int eroperabilit y wit h a t est bed consist ing of product s from m aj or vendors, and product s t hat pass t he t est suit e are awarded t he right t o use t he Wi- Fi m ark. The Wi- Fi Alliance's st andardizat ion effort s are done in support of t he I EEE. When t he securit y of wireless net works was called int o quest ion, t he Wi- Fi Alliance produced an int erim securit y specificat ion called Wi- Fi Prot ect ed Access ( WPA) . WPA was essent ially a snapshot of t he work done by t he I EEE securit y t ask group. I t is m ore of a m arket ing st andard t han a t echnical st andard, since t he t echnology was developed by t he I EEE. However, it serves a role in accelerat ing t he developm ent of secure wireless LAN solut ions.

Chapter 2. Overview of 802.11 Networks Before st udying t he det ails of anyt hing, it oft en helps t o get a general " lay of t he land." A basic int roduct ion is oft en necessary when st udying net working t opics because t he num ber of acronym s can be overwhelm ing. Unfort unat ely, 802.11 t akes acronym s t o new height s, which m akes t he int roduct ion t hat m uch m ore im port ant . To underst and 802.11 on anyt hing m ore t han a superficial basis, you m ust get com fort able wit h som e esot eric t erm inology and a herd of t hree- let t er acronym s. This chapt er is t he glue t hat binds t he ent ire book t oget her. Read it for a basic underst anding of 802.11, t he concept s t hat will likely be im port ant t o users, and how t he prot ocol is designed t o provide an experience as m uch like Et hernet as possible. Aft er t hat , m ove on t o t he low- level prot ocol det ails or deploym ent , depending on your int erest s and needs. Part of t he reason t his int roduct ion is im port ant is because it int roduces t he acronym s used t hroughout t he book. Wit h 802.11, t he int roduct ion serves anot her im port ant purpose. 802.11 is superficially sim ilar t o Et hernet . Underst anding t he background of Et hernet helps slight ly wit h 802.11, but t here is a host of addit ional background needed t o appreciat e how 802.11 adapt s t radit ional Et hernet t echnology t o a wireless world. To account for t he differences bet ween wired net works and t he wireless m edia used by 802.11, a num ber of addit ional m anagem ent feat ures were added. At t he heart of 802.11 is a whit e lie about t he m eaning of m edia access cont rol ( MAC) . Wireless net work int erface cards are assigned 48- bit MAC addresses, and, for all pract ical purposes, t hey look like Et hernet net work int erface cards. I n fact , t he MAC address assignm ent is done from t he sam e address pool so t hat 802.11 cards have unique addresses even when deployed int o a net work wit h wired Et hernet st at ions. To out side net work devices, t hese MAC addresses appear t o be fixed, j ust as in ot her I EEE 802 net works; 802.11 MAC addresses go int o ARP t ables alongside Et hernet addresses, use t he sam e set of vendor prefixes, and are ot herwise indist inguishable from Et hernet addresses. The devices t hat com prise an 802.11 net work ( access point s and ot her 802.11 devices) know bet t er. There are m any differences bet ween an 802.11 device and an Et hernet device, but t he m ost obvious is t hat 802.11 devices are m obile; t hey can easily m ove from one part of t he net work t o anot her. The 802.11 devices on your net work underst and t his and deliver fram es t o t he current locat ion of t he m obile st at ion.

IEEE 802 Network Technology Family Tree 802.11 is a m em ber of t he I EEE 802 fam ily, which is a series of specificat ions for local area net work ( LAN) t echnologies. Figure 2- 1 shows t he relat ionship bet ween t he various com ponent s of t he 802 fam ily and t heir place in t he OSI m odel.

Figu r e 2 - 1 . Th e I EEE 8 0 2 fa m ily a n d it s r e la t ion t o t h e OSI m ode l

I EEE 802 specificat ions are focused on t he t wo lowest layers of t he OSI m odel because t hey incorporat e bot h physical and dat a link com ponent s. All 802 net works have bot h a MAC and a Physical ( PHY) com ponent . The MAC is a set of rules t o det erm ine how t o access t he m edium and send dat a, but t he det ails of t ransm ission and recept ion are left t o t he PHY. I ndividual specificat ions in t he 802 series are ident ified by a second num ber. For exam ple, 802.3 is t he specificat ion for a Carrier Sense Mult iple Access net work wit h Collision Det ect ion ( CSMA/ CD) , which is relat ed t o ( and oft en m ist akenly called) Et hernet , and 802.5 is t he Token Ring specificat ion. Ot her specificat ions describe ot her part s of t he 802 prot ocol st ack. 802.2 specifies a com m on link layer, t he Logical Link Cont rol ( LLC) , which can be used by any lower- layer LAN t echnology. Managem ent feat ures for 802 net works are specified in 802.1. Am ong 802.1's m any provisions are bridging ( 802.1D) and virt ual LANs, or VLANs ( 802.1Q) . 802.11 is j ust anot her link layer t hat can use t he 802.2/ LLC encapsulat ion. The base 802.11 specificat ion includes t he 802.11 MAC and t wo physical layers: a frequency- hopping spread- spect rum ( FHSS) physical layer and a direct - sequence spread- spect rum ( DSSS) link layer. Lat er revisions t o 802.11 added addit ional physical layers. 802.11b specifies a high- rat e direct - sequence layer ( HR/ DSSS) ; product s based on 802.11b hit t he m arket place in 1999 and was t he first m ass- m arket PHY. 802.11a describes a physical layer based on ort hogonal frequency division m ult iplexing ( OFDM) ; product s based on 802.11a were released as t he first edit ion of t his book was com plet ed. 802.11g is t he newest physical layer on t he block. I t offers higher speed t hrough t he use of OFDM, but wit h backwards com pat ibilit y wit h 802.11b. Backwards com pat ibilit y is not wit hout a price, t hough. When 802.11b and 802.11g users coexist on t he sam e access point , addit ional prot ocol overhead is required, reducing t he m axim um speed for 802.11g users. To say t hat 802.11 is " j ust anot her link layer for 802.2" is t o om it t he det ails in t he rest of t his book, but 802.11 is excit ing precisely because of t hese det ails. 802.11 allows for m obile net work access; in accom plishing t his goal, a num ber of addit ional feat ures were incorporat ed int o t he MAC. As a result ,

t he 802.11 MAC m ay seem baroquely com plex com pared t o ot her I EEE 802 MAC specificat ions. The use of radio waves as a physical layer requires a relat ively com plex PHY, as well. 802.11 split s t he PHY int o t wo generic PMcom ponent s: t he Physical Layer Convergence Procedure ( PLCP) , t o m ap t he MAC fram es ont o t he m edium , and a Physical Medium Dependent ( PMD) syst em t o t ransm it t hose fram es. The PLCP st raddles t he boundary of t he MAC and physical layers, as shown in Figure 22. I n 802.11, t he PLCP adds a num ber of fields t o t he fram e as it is t ransm it t ed " in t he air."

Figu r e 2 - 2 . PH Y com pon e n t s

All t his com plexit y begs t he quest ion of how m uch you act ually need t o know. As wit h any t echnology, t he m ore you know, t he bet t er off you will be. The 802.11 prot ocols have m any knobs and dials t hat you can t weak, but m ost 802.11 im plem ent at ions hide t his com plexit y. Many of t he feat ures of t he st andard com e int o t heir own only when t he net work is congest ed, eit her wit h a lot of t raffic or wit h a large num ber of wireless st at ions. Net works are increasingly pushing t he lim it s in bot h respect s. At any rat e, I can't blam e you for want ing t o skip t he chapt ers about t he prot ocols and j um p ahead t o t he chapt ers about planning and inst alling an 802.11 net work. Aft er you've read t his chapt er, you can skip ahead t o Chapt ers 17 - 23 and ret urn t o t he chapt ers on t he prot ocol's inner workings when you need ( or want ) t o know m ore.

802.11 Nomenclature and Design 802.11 net works consist of four m aj or physical com ponent s, which are sum m arized in Figure 2- 3 .

Figu r e 2 - 3 . Com pon e n t s of 8 0 2 .1 1 LAN s

The com ponent s are:

St at ions Net works are built t o t ransfer dat a bet ween st at ions. St at ions are com put ing devices wit h wireless net work int erfaces. Typically, st at ions are bat t ery- operat ed lapt op or handheld com put ers. There is no reason why st at ions m ust be port able com put ing devices, t hough. I n som e environm ent s, wireless net working is used t o avoid pulling new cable, and deskt ops are connect ed by wireless LANs. Large open areas m ay also benefit from wireless net working, such as a m anufact uring floor using a wireless LAN t o connect com ponent s. 802.11 is fast becom ing a de fact o st andard for linking t oget her consum er elect ronics. Apple's AirPort Express connect s com put ers t o st ereos via 802.11. TiVos can connect t o wireless net works. Several consum er elect ronics com panies have j oined t he 802.11 working group, apparent ly wit h t he int ent of enabling high- speed m edia t ransfers over 802.11.

Access point s Fram es on an 802.11 net work m ust be convert ed t o anot her t ype of fram e for delivery t o t he rest of t he world. Devices called access point s perform t he wireless- t o- wired bridging funct ion. ( Access point s perform a num ber of ot her funct ions, but bridging is by far t he m ost im port ant .) I nit ially, access point funct ions were put int o st andalone devices, t hough several newer product s are dividing t he 802.11 prot ocol bet ween " t hin" access point s and AP cont rollers.

Wireless m edium To m ove fram es from st at ion t o st at ion, t he st andard uses a wireless m edium . Several different

physical layers are defined; t he archit ect ure allows m ult iple physical layers t o be developed t o support t he 802.11 MAC. I nit ially, t wo radio frequency ( RF) physical layers and one infrared physical layer were st andardized, t hough t he RF layers have proven far m ore popular. Several addit ional RF layers have been st andardized as well.

Dist ribut ion syst em When several access point s are connect ed t o form a large coverage area, t hey m ust com m unicat e wit h each ot her t o t rack t he m ovem ent s of m obile st at ions. The dist ribut ion syst em is t he logical com ponent of 802.11 used t o forward fram es t o t heir dest inat ion. 802.11 does not specify any part icular t echnology for t he dist ribut ion syst em . I n m ost com m ercial product s, t he dist ribut ion syst em is im plem ent ed as a com binat ion of a bridging engine and a dist ribut ion syst em m edium , which is t he backbone net work used t o relay fram es bet ween access point s; it is oft en called sim ply t he backbone net work . I n nearly all com m ercially successful product s, Et hernet is used as t he backbone net work t echnology.

Types of Networks The basic building block of an 802.11 net work is t he basic service set ( BSS) , which is sim ply a group of st at ions t hat com m unicat e wit h each ot her. Com m unicat ions t ake place wit hin a som ewhat fuzzy area, called t he basic service area, defined by t he propagat ion charact erist ics of t he wireless m edium . [ * ] When a st at ion is in t he basic service area, it can com m unicat e wit h t he ot her m em bers of t he BSS. BSSs com e in t wo flavors, bot h of which are illust rat ed in Figure 2- 4 . [*]

All of the wireless media used will propagate in three dimensions. From that perspective, the service area should perhaps be called the service volume. However, the term area is widely used and accepted.

Figu r e 2 - 4 . I n de pe n de n t a n d in fr a st r u ct u r e BSSs

Independent networks On t he left is an independent BSS ( I BSS) . St at ions in an I BSS com m unicat e direct ly wit h each ot her and t hus m ust be wit hin direct com m unicat ion range. The sm allest possible 802.11 net work is an

I BSS wit h t wo st at ions. Typically, I BSSs are com posed of a sm all num ber of st at ions set up for a specific purpose and for a short period of t im e. One com m on use is t o creat e a short - lived net work t o support a single m eet ing in a conference room . As t he m eet ing begins, t he part icipant s creat e an I BSS t o share dat a. When t he m eet ing ends, t he I BSS is dissolved. [ ] Due t o t heir short durat ion, sm all size, and focused purpose, I BSSs are som et im es referred t o as ad hoc BSSs or ad hoc net works. [

]

IBSSs have found a similar use at LAN parties throughout the world.

Infrastructure networks On t he right side of Figure 2- 4 is an infrast ruct ure BSS. ( To avoid overloading t he acronym , an infrast ruct ure BSS is never called an I BSS) . I nfrast ruct ure net works are dist inguished by t he use of an access point . Access point s are used for all com m unicat ions in infrast ruct ure net works, including com m unicat ion bet ween m obile nodes in t he sam e service area. I f one m obile st at ion in an infrast ruct ure BSS needs t o com m unicat e wit h a second m obile st at ion, t he com m unicat ion m ust t ake t wo hops. First , t he originat ing m obile st at ion t ransfers t he fram e t o t he access point . Second, t he access point t ransfers t he fram e t o t he dest inat ion st at ion. Wit h all com m unicat ions relayed t hrough an access point , t he basic service area corresponding t o an infrast ruct ure BSS is defined by t he point s in which t ransm issions from t he access point can be received. Alt hough t he m ult ihop t ransm ission t akes m ore t ransm ission capacit y t han a direct ed fram e from t he sender t o t he receiver, it has t wo m aj or advant ages: An infrast ruct ure BSS is defined by t he dist ance from t he access point . All m obile st at ions are required t o be wit hin reach of t he access point , but no rest rict ion is placed on t he dist ance bet ween m obile st at ions t hem selves. Allowing direct com m unicat ion bet ween m obile st at ions would save t ransm ission capacit y but at t he cost of increased physical layer com plexit y because m obile st at ions would need t o m aint ain neighbor relat ionships wit h all ot her m obile st at ions wit hin t he service area. Access point s in infrast ruct ure net works are in a posit ion t o assist wit h st at ions at t em pt ing t o save power. Access point s can not e when a st at ion ent ers a power- saving m ode and buffer fram es for it . Bat t ery- operat ed st at ions can t urn t he wireless t ransceiver off and power it up only t o t ransm it and ret rieve buffered fram es from t he access point . I n an infrast ruct ure net work, st at ions m ust associat e wit h an access point t o obt ain net work services. Associat ion is t he process by which m obile st at ion j oins an 802.11 net work; it is logically equivalent t o plugging in t he net work cable on an Et hernet . I t is not a sym m et ric process. Mobile st at ions always init iat e t he associat ion process, and access point s m ay choose t o grant or deny access based on t he cont ent s of an associat ion request . Associat ions are also exclusive on t he part of t he m obile st at ion: a m obile st at ion can be associat ed wit h only one access point . [ * ] The 802.11 st andard places no lim it on t he num ber of m obile st at ions t hat an access point m ay serve. I m plem ent at ion considerat ions m ay, of course, lim it t he num ber of m obile st at ions an access point m ay serve. I n pract ice, however, t he relat ively low t hroughput of wireless net works is far m ore likely t o lim it t he num ber of st at ions placed on a wireless net work. [*]

One reviewer noted that a similar restriction was present in traditional Ethernet networks until the development of VLANs and specifically asked how long this restriction was likely to last. I am not intimately involved with the standardization work, so I cannot speak to the issue directly. I do, however, agree that it is an interesting question.

Extended service areas

BSSs can creat e coverage in sm all offices and hom es, but t hey cannot provide net work coverage t o larger areas. 802.11 allows wireless net works of arbit rarily large size t o be creat ed by linking BSSs int o an ext ended service set ( ESS) . An ESS is creat ed by chaining BSSs t oget her wit h a backbone net work. All t he access point s in an ESS are given t he sam e service set ident ifier ( SSI D) , which serves as a net work " nam e" for t he users. 802.11 does not specify a part icular backbone t echnology; it requires only t hat t he backbone provide a specified set of services. I n Figure 2- 5 , t he ESS is t he union of t he four BSSs ( provided t hat all t he access point s are configured t o be part of t he sam e ESS) . I n real- world deploym ent s, t he degree of overlap bet ween t he BSSs would probably be m uch great er t han t he overlap in Figure 2- 5 . I n real life, you would want t o offer cont inuous coverage wit hin t he ext ended service area; you wouldn't want t o require t hat users walk t hrough t he area covered by BSS3 when en rout e from BSS1 t o BSS2.

Figu r e 2 - 5 . Ex t e n de d se r vice se t

St at ions wit hin t he sam e ESS m ay com m unicat e wit h each ot her, even t hough t hese st at ions m ay be in different basic service areas and m ay even be m oving bet ween basic service areas. For st at ions in an ESS t o com m unicat e wit h each ot her, t he wireless m edium m ust act like a single layer 2 connect ion. Access point s act as bridges, so direct com m unicat ion bet ween st at ions in an ESS requires t hat t he backbone net work also look like a layer 2 connect ion. First - generat ion access point s required direct layer 2 connect ions t hrough hubs or virt ual LANs; newer product s im plem ent a variet y of t unneling t echnologies t o em ulat e t he layer 2 environm ent .

802.11 supplies link- layer m obilit y wit hin an ESS, but only if t he backbone net work appears t o be a single link- layer dom ain. This im port ant const raint on m obilit y is oft en a m aj or fact or in t he way t hat wireless LANs are deployed, and one of t he m aj or ways t hat vendors different iat e t heir product s. Early access point s required t hat t he backbone net work be a single hub or VLAN, but newer product s can int erface direct ly wit h t he backbone. Many can support m ult iple VLANs sim ult aneously wit h 802.1Q t ags, and som e can even dynam ically inst ant iat e VLANs based on aut hent icat ion inform at ion.

Ext ended service areas are t he highest - level abst ract ion support ed by 802.11 net works. Access point s in an ESS operat e in concert t o allow t he out side world t o use t he st at ion's MAC address t o t alk t o a st at ion no m at t er what it s locat ion is wit hin t he ESS. I n Figure 2- 5 , t he rout er uses t he st at ion's MAC address as t he dest inat ion t o deliver fram es t o a m obile st at ion; only t he access point wit h which t hat m obile st at ion is associat ed delivers t he fram e. The rout er rem ains ignorant of t he locat ion of t he m obile st at ion and relies on t he access point s t o deliver t he fram e.

Multi-BSS environments: "virtual APs" Early 802.11 radio chips had t he abilit y t o creat e a single basic service set . An AP could have connect users t o only one " wireless net work," and all users on t hat net work had sim ilar, if not ident ical, privileges. I n early deploym ent s wit h lim it ed user count s, a single logical net work was sufficient . As wireless net working grew in popularit y, one net work no longer sufficed. As an exam ple, m ost organizat ions get regular visit ors, m any of whom have 802.11 equipm ent and need ( or st rongly desire) I nt ernet access. Guest s are not t rust ed users. One com m on way of coping wit h guest access is t o creat e t wo ext ended service set s on t he sam e physical infrast ruct ure. Current 802.11 chipset s can creat e m ult iple net works wit h t he sam e radio. Using m odern chipset s, each access point hardware device can creat e t wo BSSs, one for t he net work nam ed guest , and one for t he net work nam ed int ernal. Wit hin t he AP, each SSI Ds is associat ed wit h a VLAN. The guest net work is connect ed t o a VLAN prepared for public access by unknown and unt rust ed users, and is alm ost cert ainly at t ached out side t he firewall. Wireless devices see t wo separat e net works in t he radio dom ain, and can connect t o what ever one suit s t heir needs. ( Nat urally, t he int ernal net work is probably prot ect ed by aut hent icat ion prevent unaut horized use.) Users who connect t o t he wireless net work nam ed guest will be placed on t he guest VLAN, while users who connect t o t he wireless net work nam ed int ernal will be aut hent icat ed and placed on t he int ernal net work. This som ewhat cont rived exam ple illust rat es t he developm ent of what m any call virt ual access point s. Each BSS act s like it s own self- cont ained AP, wit h it s own ESSI D, MAC address, aut hent icat ion configurat ion, and encrypt ion set t ings. Virt ual APs are also used t o creat e parallel net works wit h different securit y levels, a configurat ion t hat will be discussed in Chapt er 22. Current 802.11 radio chipset s have t he abilit y t o creat e 32 or even 64 BSSes, which is adequat e for nearly every configurat ion.

Robust security networks (RSNs) Early wireless LANs proved t o have feeble built - in securit y. 802.11i, which was rat ified in June 2004, specifies a set of im proved securit y m echanism s t hat provide robust securit y net work associat ions

( RSNAs) . Robust securit y net work associat ions are form ed when im proved t he aut hent icat ion and confident ialit y prot ocols defined in 802.11i are in use. Support for 802.11i m ay be com posed of hardware, soft ware, or bot h, depending on t he exact archit ect ure of a part icular device. Hardware which does not support t he im proved prot ocols is referred t o as pre- RSN capable. Many recent preRSN capable devices m ay be upgradeable t o support 802.11i, but m ost older devices will not be upgradeable.

The Distribution System, Revisited Wit h an underst anding of how an ext ended service set is built , I 'd like t o ret urn t o t he concept of t he dist ribut ion syst em . 802.11 describes t he dist ribut ion syst em in t erm s of t he services it provides t o wireless st at ions. While t hese services will be described in m ore det ail lat er in t his chapt er, it is wort h describing t heir operat ion at a high level. The dist ribut ion syst em provides m obilit y by connect ing access point s. When a fram e is given t o t he dist ribut ion syst em , it is delivered t o t he right access point and relayed by t hat access point t o t he int ended dest inat ion. The dist ribut ion syst em is responsible for t racking where a st at ion is physically locat ed and delivering fram es appropriat ely. When a fram e is sent t o a m obile st at ion, t he dist ribut ion syst em is charged wit h t he t ask of delivering it t o t he access point serving t he m obile st at ion. As an exam ple, consider t he rout er in Figure 2- 5 . The rout er sim ply uses t he MAC address of a m obile st at ion as it s dest inat ion. The dist ribut ion syst em of t he ESS pict ured in Figure 2- 5 m ust deliver t he fram e t o t he right access point . Obviously, part of t he delivery m echanism is t he backbone Et hernet , but t he backbone net work cannot be t he ent ire dist ribut ion syst em because it has no way of choosing bet ween access point s. I n t he language of 802.11, t he backbone Et hernet is t he dist ribut ion syst em m edium , but it is not t he ent ire dist ribut ion syst em . To find t he rest of t he dist ribut ion syst em , we need t o look t o t he access point s t hem selves. Most access point s current ly on t he m arket operat e as bridges. They have at least one wireless net work int erface and at least one Et hernet net work int erface. The Et hernet side can be connect ed t o an exist ing net work, and t he wireless side becom es an ext ension of t hat net work. Relaying fram es bet ween t he t wo net work m edia is cont rolled by a bridging engine. Figure 2- 6 illust rat es t he relat ionship bet ween t he access point , t he backbone net work, and t he dist ribut ion syst em . The access point has t wo int erfaces connect ed by a bridging engine. Arrows indicat e t he pot ent ial pat hs t o and from t he bridging engine. Fram es m ay be sent by t he bridge t o t he wireless net work; any fram es sent by t he bridge's wireless port are t ransm it t ed t o all associat ed st at ions. Each associat ed st at ion can t ransm it fram es t o t he access point . Finally, t he backbone port on t he bridge can int eract direct ly wit h t he backbone net work. The dist ribut ion syst em in Figure 2- 6 is com posed of t he bridging engine plus t he wired backbone net work.

Figu r e 2 - 6 . D ist r ibu t ion syst e m in com m on 8 0 2 .1 1 a cce ss poin t im ple m e n t a t ion s

Every fram e sent by a m obile st at ion in an infrast ruct ure net work m ust use t he dist ribut ion syst em . I t is easy t o underst and why int eract ion wit h host s on t he backbone net work m ust use t he dist ribut ion syst em . Aft er all, t hey are connect ed t o t he dist ribut ion syst em m edium . Wireless st at ions in an infrast ruct ure net work depend on t he dist ribut ion syst em t o com m unicat e wit h each ot her because t hey are not direct ly connect ed t o each ot her. The only way for st at ion A t o send a fram e t o st at ion B is by relaying t he fram e t hrough t he bridging engine in t he access point . However, t he bridge is a com ponent of t he dist ribut ion syst em . While what exact ly m akes up t he dist ribut ion syst em m ay seem like a narrow t echnical concern, t here are som e feat ures of t he 802.11 MAC t hat are closely t ied t o it s int eract ion wit h t he dist ribut ion syst em .

Interaccess point communication as part of the distribution system I ncluded wit h t his dist ribut ion syst em is a m et hod t o m anage associat ions. A wireless st at ion is associat ed wit h only one access point at a t im e. I f a st at ion is associat ed wit h one access point , all t he ot her access point s in t he ESS need t o learn about t hat st at ion. I n Figure 2- 5 , AP4 m ust know about all t he st at ions associat ed wit h AP1. I f a wireless st at ion associat ed wit h AP4 sends a fram e t o a st at ion associat ed wit h AP1, t he bridging engine inside AP4 m ust send t he fram e over t he backbone Et hernet t o AP1 so it can be delivered t o it s ult im at e dest inat ion. To fully im plem ent t he dist ribut ion syst em , access point s m ust inform ot her access point s of associat ed st at ions. Nat urally, m any access point s on t he m arket use an int eraccess point prot ocol ( I APP) over t he backbone m edium . Many vendors developed propriet ary prot ocols bet ween access point s t o carry associat ion dat a. A st andard I APP was produced as 802.11F, but I am not aware of it s use in any product s.

Wireless bridges and the distribution system Up t o t his point , I have t acit ly assum ed t hat t he dist ribut ion syst em m edium was an exist ing fixed net work. While t his will oft en be t he case, t he 802.11 specificat ion explicit ly support s using t he wireless m edium it self as t he dist ribut ion syst em . The wireless dist ribut ion syst em ( WDS) configurat ion is oft en called a " wireless bridge" configurat ion because it allows net work engineers t o connect t wo LANs at t he link layer. Wireless bridges can be used t o quickly connect dist inct physical locat ions and are well- suit ed for use by access providers. Most 802.11 access point s on t he m arket now support t he wireless bridge configurat ion, t hough it m ay be necessary t o upgrade t he firm ware on older unit s.

Network Boundaries

Because of t he nat ure of t he wireless m edium , 802.11 net works have fuzzy boundaries. I n fact , som e degree of fuzziness is desirable. As wit h m obile t elephone net works, allowing basic service areas t o overlap increases t he probabilit y of successful t ransit ions bet ween basic service areas and offers t he highest level of net work coverage. The basic service areas on t he right of Figure 2- 7 overlap significant ly. This m eans t hat a st at ion m oving from BSS2 t o BSS4 is not likely t o lose coverage; it also m eans t hat AP3 ( or, for t hat m at t er, AP4) can fail wit hout com prom ising t he net work t oo badly. On t he ot her hand, if AP2 fails, t he net work is cut int o t wo disj oint part s, and st at ions in BSS1 lose connect ivit y when m oving out of BSS1 and int o BSS3 or BSS4. Coping wit h " coverage holes" from access point failures is a t ask t hat requires at t ent ion during t he net work design phase; m any newer product s offer dynam ic radio t uning capabilit ies t o aut om at ically fill in holes t hat develop during net work operat ion.

Figu r e 2 - 7 . Ove r la ppin g BSSs in a n ESS

Different t ypes of 802.11 net works m ay also overlap. I ndependent BSSs m ay be creat ed wit hin t he basic service area of an access point . Figure 2- 8 illust rat es spat ial overlap. An access point appears at t he t op of t he figure; it s basic service area is shaded. Two st at ions are operat ing in infrast ruct ure m ode and com m unicat e only wit h t he access point . Three st at ions have been set up as an independent BSS and com m unicat e wit h each ot her. Alt hough t he five st at ions are assigned t o t wo different BSSs, t hey m ay share t he sam e wireless m edium . St at ions m ay obt ain access t o t he m edium only by using t he rules specified in t he 802.11 MAC; t hese rules were carefully designed t o enable m ult iple 802.11 net works t o coexist in t he sam e spat ial area. Bot h BSSs m ust share t he capacit y of a single radio channel, so t here m ay be adverse perform ance im plicat ions from co- locat ed BSSs.

Figu r e 2 - 8 . Ove r la ppin g n e t w or k t ype s

802.11 Network Operations From t he out set , 802.11 was designed t o be j ust anot her link layer t o higher- layer prot ocols. Net work adm inist rat ors fam iliar wit h Et hernet will be im m ediat ely com fort able wit h 802.11. The shared herit age is deep enough t hat 802.11 is som et im es referred t o as " wireless Et hernet ." The core elem ent s present in Et hernet are present in 802.11. St at ions are ident ified by 48- bit I EEE 802 MAC addresses. Concept ually, fram es are delivered based on t he MAC address. Fram e delivery is unreliable, t hough 802.11 incorporat es som e basic reliabilit y m echanism s t o overcom e t he inherent ly poor qualit ies of t he radio channels it uses. [ * ] [*]

I don't mean "poor" in an absolute sense. But the reliability of wireless transmission is really not comparable to the reliability of a wired network.

From a user's perspect ive, 802.11 m ight j ust as well be Et hernet . Net work adm inist rat ors, however, need t o be conversant wit h 802.11 at a m uch deeper level. Providing MAC- layer m obilit y while following t he pat h blazed by previous 802 st andards requires a num ber of addit ional services and m ore com plex fram ing.

Network Services One way t o define a net work t echnology is t o define t he services it offers and allow equipm ent vendors t o im plem ent t hose services in what ever way t hey see fit . 802.11 provides nine services. Only t hree of t he services are used for m oving dat a; t he rem aining six are m anagem ent operat ions t hat allow t he net work t o keep t rack of t he m obile nodes and deliver fram es accordingly. The services are described in t he following list and sum m arized in Table 2- 1:

Dist ribut ion This service is used by m obile st at ions in an infrast ruct ure net work every t im e t hey send dat a. Once a fram e has been accept ed by an access point , it uses t he dist ribut ion service t o deliver t he fram e t o it s dest inat ion. Any com m unicat ion t hat uses an access point t ravels t hrough t he dist ribut ion service, including com m unicat ions bet ween t wo m obile st at ions associat ed wit h t he sam e access point .

I nt egrat ion I nt egrat ion is a service provided by t he dist ribut ion syst em ; it allows t he connect ion of t he dist ribut ion syst em t o a non- I EEE 802.11 net work. The int egrat ion funct ion is specific t o t he dist ribut ion syst em used and t herefore is not specified by 802.11, except in t erm s of t he services it m ust offer.

Associat ion Delivery of fram es t o m obile st at ions is m ade possible because m obile st at ions regist er, or associat e, wit h access point s. The dist ribut ion syst em can t hen use t he regist rat ion inform at ion t o det erm ine which access point t o use for any m obile st at ion. Unassociat ed st at ions are not " on t he net work," m uch like workst at ions wit h unplugged Et hernet cables. 802.11 specifies t he funct ion t hat m ust be provided by t he dist ribut ion syst em using t he associat ion dat a, but it does not m andat e any part icular im plem ent at ion. When robust securit y net work prot ocols are in use, associat ion is a precursor t o aut hent icat ion. Prior t o t he com plet ion of aut hent icat ion, an access point will drop all net work prot ocol t raffic from a st at ion.

Reassociat ion When a m obile st at ion m oves bet ween basic service areas wit hin a single ext ended service area, it m ust evaluat e signal st rengt h and perhaps swit ch t he access point wit h which it is associat ed. Reassociat ions are init iat ed by m obile st at ions when signal condit ions indicat e t hat a different associat ion would be beneficial; t hey are never init iat ed direct ly by t he access point . ( Som e APs will kick st at ions off in order t o force a client int o being t he reassociat ion process; in t he fut ure, reassociat ion m ay be m ore dependent on t he infrast ruct ure wit h t he developm ent of bet t er net work m anagem ent st andards.) Aft er t he reassociat ion is com plet e, t he dist ribut ion syst em updat es it s locat ion records t o reflect t he reachabilit y of t he m obile st at ion t hrough a different access point . As wit h t he associat ion service, a robust securit y net work will drop net work prot ocol t raffic before t he successful com plet ion of aut hent icat ion.

Disassociat ion To t erm inat e an exist ing associat ion, st at ions m ay use t he disassociat ion service. When st at ions invoke t he disassociat ion service, any m obilit y dat a st ored in t he dist ribut ion syst em is rem oved. Once disassociat ion is com plet e, it is as if t he st at ion is no longer at t ached t o t he net work. Disassociat ion is a polit e t ask t o do during t he st at ion shut down process. The MAC is, however, designed t o accom m odat e st at ions t hat leave t he net work wit hout form ally disassociat ing.

Aut hent icat ion Physical securit y is a m aj or com ponent of a wired LAN securit y solut ion. Net work at t achm ent point s are lim it ed, oft en t o areas in offices behind perim et er access cont rol devices. Net work equipm ent can be secured in locked wiring closet s, and dat a j acks in offices and cubicles can be connect ed t o t he net work only when needed. Wireless net works cannot offer t he sam e level of physical securit y, however, and t herefore m ust depend on addit ional aut hent icat ion rout ines t o ensure t hat users accessing t he net work are aut horized t o do so. Aut hent icat ion is a necessary prerequisit e t o associat ion because only aut hent icat ed users are aut horized t o use t he net work. Aut hent icat ion m ay happen m ult iple t im es during t he connect ion of net work. Prior t o associat ion, a st at ion will perform a basic ident it y point consist ing of it s MAC address. This exchange is oft en referred aut hent icat ion, which is dist inct from t he robust crypt ographic user follows.

a client t o a wireless exchange wit h an access t o as " 802.11" aut hent icat ion t hat oft en

Deaut hent icat ion Deaut hent icat ion t erm inat es an aut hent icat ed relat ionship. Because aut hent icat ion is needed before net work use is aut horized, a side effect of deaut hent icat ion is t erm inat ion of any current associat ion. I n a robust securit y net work, deaut hent icat ion also clears keying inform at ion.

Confident ialit y St rong physical cont rols can prevent a great num ber of at t acks on t he privacy of dat a in a wired LAN. At t ackers m ust obt ain physical access t o t he net work m edium before at t em pt ing t o eavesdrop on t raffic. On a wired net work, physical access t o t he net work cabling is a subset of physical access t o ot her com put ing resources. By design, physical access t o wireless net works is a com parat ively sim pler m at t er of using t he correct ant enna and m odulat ion m et hods. I n t he init ial revision of 802.11, t he confident ialit y service was called privacy, and provided by t he now- discredit ed Wired Equivalent Privacy ( WEP) prot ocol. I n addit ion t o new encrypt ion schem es, 802.11i augm ent s t he confident ialit y service by providing user- based aut hent icat ion and key m anagem ent services, t wo crit ical issues t hat WEP failed t o address.

MSDU delivery Net works are not m uch use wit hout t he abilit y t o get t he dat a t o t he recipient . St at ions provide t he MAC Service Dat a Unit ( MSDU) delivery service, which is responsible for get t ing t he dat a t o t he act ual endpoint .

Transm it Power Cont rol ( TPC) TPC is a new service t hat was defined by 802.11h. European st andards for t he 5 GHz band require t hat st at ions cont rol t he power of radio t ransm issions t o avoid int erfering wit h ot her users of t he 5 GHz band. Transm it power cont rol also helps avoid int erference wit h ot her wireless LANs. Range is a funct ion of power; high t ransm it power set t ings m ake it m ore likely t hat a client 's great er range will int erfere wit h a neighboring net work. By cont rolling power t o a level t hat is " j ust right ," it is less likely t hat a st at ion will int erfere wit h neighboring st at ions.

Dynam ic Frequency Select ion ( DFS) Som e radar syst em s operat e in t he 5 GHz range. As a result , som e regulat ory aut horit ies have m andat ed t hat wireless LANs m ust det ect radar syst em s and m ove t o frequencies t hat are not in use by radar. Som e regulat ory aut horit ies also require uniform use of t he 5 GHz band for wireless LANs, so net works m ust have t he abilit y t o re- m ap channels so t hat usage is equalized.

Ta ble 2 - 1 . N e t w or k se r vice s

Se r v ice

St a t ion or dist r ibu t ion D e scr ipt ion se r vice ?

Dist ribut ion

Dist ribut ion

Service used in fram e delivery t o det erm ine dest inat ion address in infrast ruct ure net works

I nt egrat ion

Dist ribut ion

Fram e delivery t o an I EEE 802 LAN out side t he wireless net work

Associat ion

Dist ribut ion

Used t o est ablish t he AP which serves as t he gat eway t o a part icular m obile st at ion

Reassociat ion

Dist ribut ion

Used t o change t he AP which serves as t he gat eway t o a part icular m obile st at ion

Disassociat ion

Dist ribut ion

Rem oves t he wireless st at ion from t he net work

Aut hent icat ion

St at ion

Est ablishes st at ion ident it y ( MAC address) prior t o est ablishing associat ion

Deaut hent icat ion

St at ion

Used t o t erm inat e aut hent icat ion, and by ext ension, associat ion

Confident ialit y

St at ion

Provides prot ect ion against eavesdropping

MSDU delivery

St at ion

Delivers dat a t o t he recipient

Transm it Power Cont rol ( TPC)

St at ion/ spect rum m anagem ent

Reduces int erference by m inim izing st at ion t ransm it power

Dynam ic Frequency Select ion ( DFS)

St at ion/ spect rum m anagem ent

Avoids int erfering wit h radar operat ion in t he 5 GHz band

Station services St at ion services are part of every 802.11- com pliant st at ion and m ust be incorporat ed by any product claim ing 802.11 com pliance. St at ion services are provided by bot h m obile st at ions and t he wireless int erface on access point s. St at ions provide fram e delivery services t o allow m essage delivery, and, in support of t his t ask, t hey m ay need t o use t he aut hent icat ion services t o est ablish associat ions. St at ions m ay also wish t o t ake advant age of confident ialit y funct ions t o prot ect m essages as t hey t raverse t he vulnerable wireless link.

Distribution system services Dist ribut ion syst em services connect access point s t o t he dist ribut ion syst em . The m aj or role of access point s is t o ext end t he services on t he wired net work t o t he wireless net work; t his is done by providing t he dist ribut ion and int egrat ion services t o t he wireless side. Managing m obile st at ion associat ions is t he ot her m aj or role of t he dist ribut ion syst em . To m aint ain associat ion dat a and st at ion locat ion inform at ion, t he dist ribut ion syst em provides t he associat ion, reassociat ion, and disassociat ion services.

Confidentiality and access control Confident ialit y and access cont rol services are int ert wined. I n addit ion t o secrecy of t he dat a in

t ransit , t he confident ialit y service also proves t he int egrit y of fram e cont ent s. Bot h secrecy and int egrit y depend on shared crypt ographic keying, so t he confident ialit y service necessarily depends on ot her services t o provide aut hent icat ion and key m anagem ent .

Aut hent icat ion and key m anagem ent ( AKM) Crypt ographic int egrit y is wort hless if it does not prevent unaut horized users from at t aching t o t he net work. The confident ialit y service depends on t he aut hent icat ion and key m anagem ent suit e t o est ablish user ident it y and encrypt ion keys. Aut hent icat ion m ay be accom plished t hrough an ext ernal prot ocol, such as 802.1X, or wit h pre- shared keys.

Crypt ographic algorit hm s Fram es m ay be prot ect ed by t he t radit ional WEP algorit hm , using 40- or 104- bit secret keys, t he Tem poral Key I nt egrit y Prot ocol ( TKI P) , or t he Count er Mode CBC- MAC Prot ocol ( CCMP) . All of t hese algorit hm s are discussed in det ail in Chapt ers 5 and 7.

Origin aut hent icit y TKI P and CCMP allow t he receiver t o validat e t he sender's MAC address t o prevent spoofing at t acks. Origin aut hent icit y prot ect ion is only available for unicast dat a.

Replay det ect ion TKI P and CCMP prot ect against replay at t acks by incorporat ing a sequence count er t hat is validat ed upon receipt . Fram es which are " t oo old" t o be valid are discarded.

Ext ernal prot ocols and syst em s The confident ialit y service depends heavily on ext ernal prot ocols t o run. Key m anagem ent is provided by 802.1X, which t oget her wit h EAP carries aut hent icat ion dat a. 802.11 places no const raint on t he prot ocols used, but t he m ost com m on choices are EAP for aut hent icat ion, and RADI US t o int erface wit h t he aut hent icat ion server.

Spectrum management services Spect rum m anagem ent services are a special subset of st at ion services. They are designed t o allow t he wireless net work t o react t o condit ions and change radio set t ings dynam ically. Two services were defined in 802.11h t o help m eet regulat ory requirem ent s. The first service, t ransm it power cont rol ( TPC) , can dynam ically adj ust t he t ransm ission power of a st at ion. Access point s will be able t o use t he TPC operat ions t o advert ise t he m axim um perm issible power, and rej ect associat ions from client s t hat do not com ply wit h t he local radio regulat ions. Client s can use TPC t o adj ust power so t hat range is " j ust right " t o get t o t he access point . Digit al cellular syst em s have a sim liar feat ure designed t o ext end t he bat t ery life of m obile phones. [ * ] Lower

t ransm it power also will have som e benefit in t he form of increased bat t ery life, t hough t he ext ent of t he im provem ent will depend on how m uch t he t ransm it power can be reduced from what t he client would ot herwise have used. [*]

Power control also helps to simplify the electronics in the base station because all signals will be received at roughly the same signal.

The second service, dynam ic frequency select ion ( DFS) , was developed m ainly t o avoid int erfering wit h som e 5 GHz radar syst em s in use in Europe. Alt hough originally developed t o sat isfy European regulat ors, t he underlying principles have been required by ot her regulat ors as well. DFS was key t o t he U.S. decision t o open up m ore spect rum in t he 5 GHz band in 2004. [ ] DFS includes a way for t he access point t o quiet t he channel so t hat it can search for radar wit hout int erference, but t he m ost significant part of DFS is t he way t hat it can reassign t he channel on an access point on t he fly. Client s are inform ed of t he new channel j ust before t he channel is swit ched. [

]

The decision was made in November 2003, and released as FCC 03-287. The text of the decision is available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-03-287A1.pdf. Although the spectrum has been allocated, test procedures were still in development as of this writing, so no FCC-certified devices are yet able to use the new spectrum.

Mobility Support Mobilit y is t he usually t he prim ary m ot ivat ion for deploying an 802.11 net work. Transm it t ing dat a fram es while t he st at ion is m oving will do for dat a com m unicat ions what m obile t elephony did for voice. 802.11 provides m obilit y bet ween basic service areas at t he link layer. However, it is not aware of anyt hing t hat happens above t he link layer. When designing deploying 802.11, net works engineers m ust t ake care so t hat t he seam less t ransit ion at t he radio layer is also support ed at t he net work prot ocol layer t hat t he st at ion I P address can be preserved. As far as 802.11 is concerned, t here are t hree t ypes of t ransit ions bet ween access point s:

No t ransit ion When st at ions do not m ove out of t heir current access point 's service area, no t ransit ion is necessary. This st at e occurs because t he st at ion is not m oving or it is m oving wit hin t he basic service area of it s current access point . [ * ] ( Arguably, t his isn't a t ransit ion so m uch as t he absence of a t ransit ion, but it is defined in t he specificat ion.) [* ]

Alt hough m y explanat ion m akes it sound as if t he " no m ot ion" and " local m ot ion" subst at es are easily dist inguishable, t hey are not . The underlying physics of RF propagat ion can m ake it im possible t o t ell whet her a st at ion is m oving because t he signal st rengt h can vary wit h t he placem ent of obj ect s in t he room , which, of course, includes t he people who m ay be walking around.

BSS t ransit ion St at ions cont inuously m onit or t he signal st rengt h and qualit y from all access point s adm inist rat ively assigned t o cover an ext ended service area. Wit hin an ext ended service area, 802.11 provides MAC layer m obilit y. St at ions at t ached t o t he dist ribut ion syst em can send out fram es addressed t o t he MAC address of a m obile st at ion and let t he access point s handle t he final hop t o t he m obile st at ion. Dist ribut ion syst em st at ions do not need t o be aware of a m obile st at ion's locat ion as long as it is wit hin t he sam e ext ended service area. Figure 2- 9 illust rat es a BSS t ransit ion. The t hree access point s in t he pict ure are all assigned t o t he sam e ESS. At t he out set , denot ed by t = 1, t he lapt op wit h an 802.11 net work card is sit t ing wit hin AP1's basic service area and is associat ed wit h AP1. When t he lapt op m oves out of AP1's basic service area and int o AP2's at t = 2, a BSS t ransit ion occurs. The m obile st at ion uses t he reassociat ion service t o associat e wit h AP2, which t hen st art s sending fram es t o t he m obile st at ion. BSS t ransit ions require t he cooperat ion of access point s. I n t his scenario, AP2 needs t o inform AP1 t hat t he m obile st at ion is now associat ed wit h AP2. 802.11 does not specify t he det ails of t he com m unicat ions bet ween access point s during BSS t ransit ions. Not e t hat even t hough t wo access point s are m em bers of t he sam e ext ended set , t hey m ay nonet heless be connect ed by a rout er, which is a layer 3 boundary. I n such a scenario, t here is no way t o guarant ee seam less connect ivit y using 802.11 prot ocols only.

Figu r e 2 - 9 . BSS t r a n sit ion

ESS t ransit ion An ESS t ransit ion refers t o t he m ovem ent from one ESS t o a second dist inct ESS. 802.11 does not support t his t ype of t ransit ion, except t o allow t he st at ion t o associat e wit h an access point in t he second ESS once it leaves t he first . Higher- layer connect ions are alm ost guarant eed t o be int errupt ed. I t would be fair t o say t hat 802.11 support s ESS t ransit ions only t o t he ext ent t hat it is relat ively easy t o at t em pt associat ing wit h an access point in t he new ext ended service area. Maint aining higher- level connect ions requires support from t he prot ocol suit es in quest ion. I n t he case of TCP/ I P, Mobile I P is required t o seam lessly support an ESS t ransit ion. Figure 2- 10 illust rat es an ESS t ransit ion. Four basic service areas are organized int o t wo ext ended service areas. Seam less t ransit ions from t he left hand ESS t o t he right hand ESS are not support ed. ESS t ransit ions are support ed only because t he m obile st at ion will quickly associat e wit h an access point in t he second ESS. Any act ive net work connect ions are likely t o be dropped when t he m obile st at ion leaves t he first ESS.

Designing Networks for Mobility Most net works are designed so t hat a group of access point s provides access t o a group of resources. All t he access point s under cont rol of t he net working organizat ion are assigned t o t he sam e SSI D, and client s are configured t o use t hat SSI D when connect ing t o t he wireless net work. As client syst em s m ove around, t hey cont inuously m onit or net work connect ivit y, and shift bet ween access point s in t he sam e SSI D. 802.11 ensures t hat client s will be able t o m ove associat ions bet ween t he access point s in t he sam e SSI D, but net work archit ect s m ust build t he net work t o support m obile client s. Sm all net works are oft en built on a single VLAN wit h a single subnet , in which case t here is no need t o worry about m obilit y. Larger net works t hat span subnet boundaries m ust apply som e addit ional t echnology t o provide m obilit y support . Many product s can work

Figu r e 2 - 1 0 . ESS t r a n sit ion

wit h a VLAN core, which allows client s t o always at t ach t o t he sam e VLAN t hroughout an organizat ion. New product s even allow dynam ic VLAN assignm ent based on aut hent icat ion dat a. When users connect t o t he net work, t hey are at t ached t o t he sam e VLAN everywhere; t he swit ched net work sim ply requires t hat t he wireless LAN device t ag fram es appropriat ely. Som e product s support t he Mobile I P st andard, or use VPN t echnology creat ively. Trade- offs bet ween all t he different m obilit y st rat egies are discussed in Chapt er 21. I n pract ice, ESS t ransit ions are quit e rare. They usually only occur when users leave one adm inist rat ive dom ain for anot her ( say, t he corporat e net work for a hot spot ) , in which case t he t wo net works in quest ion would have different I P addresses and no t rust relat ionship t o t ransparent ly at t ach a client wit hout int errupt ing net work- layer connect ivit y.

Proprietary mobility systems Many vendors, especially t hose who have designed product s t o build large- scale net work environm ent s, have designed t heir own prot ocols and procedures for m obilit y. When I st art ed revising t his book, one of t he big problem s wit h 802.11 was t hat it generally required a single I P subnet across an ent ire roam ing area. As a result , wireless LAN deploym ent oft en required subst ant ial archit ect ure work as well as m aj or backbone re- engineering effort s. Several vendors rushed t o fill t he gap by im plem ent ing propriet ary prot ocols t hat enabled sessions t o m ove quickly bet ween access point s over arbit rary net work t opologies. Basic concept s for t hese solut ions will be discussed in t he deploym ent sect ion of t his book.

Chapter 3. 802.11 MAC Fundamentals This chapt er begins our explorat ion of t he 802.11 st andard in dept h. Chapt er 2 provided a high- level overview of t he st andard and discussed som e of it s fundam ent al at t ribut es. You are now at a fork in t he book. St raight ahead lies a great deal of inform at ion on t he 802.11 specificat ion and t he various relat ed st andards t hat it uses liberally. I t is possible, however, t o build a wired net work wit hout a t horough and det ailed underst anding of t he prot ocols, and t he sam e is t rue for wireless net works. However, t here are a num ber of sit uat ions in which you m ay need a deeper knowledge of t he m achinery under t he hood: Alt hough 802.11 has been widely and rapidly adopt ed, securit y issues have cont inued t o grab headlines. Net work m anagers will undoubt edly be asked t o com m ent on securit y issues, especially in any wireless LAN proposals. To underst and and part icipat e in t hese discussions, read Chapt ers 5 and 6. WEP wit h st at ic keys should be considered fully broken. Solut ions based on 802.1X and dynam ic WEP keying are significant ly st ronger, wit h t he full com plem ent of prot ocols in 802.11i described in Chapt er 7 st ronger st ill. Troubleshoot ing wireless net works is sim ilar t o t roubleshoot ing wired net works but can be m uch m ore com plex. As always, a t rust y packet sniffer can be an invaluable aid. To t ake full advant age of a packet sniffer, t hough, you need t o underst and what t he packet s m ean t o int erpret your net work's behavior. Tuning a wireless net work is t ied int im at ely t o a num ber of param et ers in t he specificat ion, as well as t he behavior of t he underlying radio t echnology. To underst and t he behavior of your net work and what effect t he opt im izat ions will have requires a knowledge of what t hose param et ers really do and how radio waves t ravel t hroughout your environm ent . Device drivers m ay expose low- level knobs and dials for you t o play wit h. Most drivers provide good default s for all of t he param et ers, but som e give you freedom t o experim ent . Open source soft ware users have t he source code and are free t o experim ent wit h any and all set t ings. Wireless LAN t echnology is developing rapidly, and new prot ocol feat ures are const ant ly being added. A solid underst anding of t he base prot ocol allows you t o underst and how new feat ures will funct ion and what t hey will m ean for your net work. As wit h m any ot her t hings in life, t he m ore you know, t he bet t er off you are. Et hernet is usually t rouble- free, but serious net work adm inist rat ors have long known t hat when you do run int o t rouble, t here is no subst it ut e for t horough knowledge of how t he net work is working. When t he first edit ion of t his book was out , wireless LANs had been given a " free ride." Because t hey were cool, users were forgiving when t hey failed; wireless connect ivit y was a privilege, not a right . And since t here were relat ively few net works and relat ively few users on t hose net works, t he net works were rarely subj ect ed t o severe st resses. An Et hernet t hat has only a half dozen nodes is not likely t o be a source of problem s; problem s occur when you add a few high- capacit y servers, a few hundred users, and t he associat ed bridges and rout ers t o glue everyt hing t oget her. As t he t ypical 802.11 net work grew up from an access point or t wo serving a dozen users int o a m uch larger net work designed t o provide seam less coverage t hroughout a building, t he st resses on t he equipm ent and prot ocols has becom e m uch m ore apparent . That is why you should read t his chapt er. Now on t o t he det ails. The key t o t he 802.11 specificat ion is t he MAC. I t rides on every physical layer and cont rols t he t ransm ission of user dat a int o t he air. I t

provides t he core fram ing operat ions and t he int eract ion wit h a wired net work backbone. Different physical layers m ay provide different t ransm ission speeds, all of which are supposed t o int eroperat e. 802.11 does not depart from t he previous I EEE 802 st andards in any radical way. The st andard successfully adapt s Et hernet - st yle net working t o radio links. Like Et hernet , 802.11 uses a carrier sense m ult iple access ( CSMA) schem e t o cont rol access t o t he t ransm ission m edium . However, collisions wast e valuable t ransm ission capacit y, so rat her t han t he collision det ect ion ( CSMA/ CD) em ployed by Et hernet , 802.11 uses collision avoidance ( CSMA/ CA) . Also like Et hernet , 802.11 uses a dist ribut ed access schem e wit h no cent ralized cont roller. Each 802.11 st at ion uses t he sam e m et hod t o gain access t o t he m edium . The m aj or differences bet ween 802.11 and Et hernet st em from t he differences in t he underlying m edium . This chapt er provides som e insight int o t he m ot ivat ions of t he MAC designers by describing som e challenges t hey needed t o overcom e and describes t he rules used for access t o t he m edium , as well as t he basic fram e st ruct ure. I f you sim ply want t o underst and t he basic fram e sequences t hat you will see on an 802.11 net work, skip ahead t o t he end of t his chapt er. For furt her inform at ion on t he MAC, consult it s form al specificat ion in Clause 9 of t he 802.11 st andard; det ailed MAC st at e diagram s are in Annex C.

Challenges for the MAC Differences bet ween t he wireless net work environm ent and t he t radit ional wired environm ent creat e challenges for net work prot ocol designers. This sect ion exam ines a num ber of t he hurdles t hat t he 802.11 designers faced.

RF Link Quality On a wired Et hernet , it is reasonable t o t ransm it a fram e and assum e t hat t he dest inat ion receives it correct ly. Radio links are different , especially when t he frequencies used are unlicensed I SM bands. Even narrowband t ransm issions are subj ect t o noise and int erference, but unlicensed devices m ust assum e t hat int erference will exist and work around it . The designers of 802.11 considered ways t o work around t he radiat ion from m icrowave ovens and ot her RF sources. I n addit ion t o t he noise, m ult ipat h fading m ay also lead t o sit uat ions in which fram es cannot be t ransm it t ed because a node m oves int o a dead spot . Unlike m any ot her link layer prot ocols, 802.11 incorporat es posit ive acknowledgm ent s. All t ransm it t ed fram es m ust be acknowledged, as shown in Figure 3- 1 . I f any part of t he t ransfer fails, t he fram e is considered lost .

Figu r e 3 - 1 . Posit ive a ck n ow le dgm e n t of da t a t r a n sm ission s

The sequence in Figure 3- 1 is an at om ic operat ion, which m eans it is a single t ransact ional unit . Alt hough t here are m ult iple st eps in t he t ransact ion, it is considered a single indivisible operat ion. At om ic operat ions are " all or not hing." Eit her every st ep in t he sequence m ust com plet e successfully, or t he ent ire operat ion is considered a failure. The sender of t he dat a fram e m ust receive an acknowledgm ent , or t he fram e is considered lost . I t does not m at t er from t he sender's perspect ive whet her t he init ial dat a fram e was lost in t ransit , or t he corresponding acknowledgm ent was lost in t ransit . I n eit her case, t he dat a fram e m ust be ret ransm it t ed. One of t he addit ional com plexit ies of t reat ing t he fram e t ransm ission of Figure 3- 1 as at om ic is t hat t he t ransact ion occurs in t wo pieces, subj ect t o cont rol by t wo different st at ions. Bot h st at ions m ust

work t oget her t o j oint ly t ake cont rol of t he net work m edium for t ransm issions during t he ent ire t ransact ion. 802.11 allows st at ions t o lock out cont ent ion during at om ic operat ions so t hat at om ic sequences are not int errupt ed by ot her st at ions at t em pt ing t o use t he t ransm ission m edium . Radio link qualit y also influences t he speed at which a net work can operat e. Good qualit y signals can carry dat a at a higher speed. Signal qualit y degrades wit h range, which m eans t hat t he dat a t ransm ission speed of an 802.11 st at ion depends on it s locat ion relat ive t o t he access point . St at ions m ust im plem ent a m et hod for det erm ining when t o change t he dat a rat e in response t o changing condit ions. Furt herm ore, t he com plet e collect ion of st at ions in a net work m ust m anage t ransm issions at m ult iple speeds. Rules for m ult irat e support are discussed lat er in t his chapt er.

The Hidden Node Problem I n Et hernet net works, st at ions depend on t he recept ion of t ransm issions t o perform t he carrier sensing funct ions of CSMA/ CD. Wires in t he physical m edium cont ain t he signals and dist ribut e t hem t o net work nodes. Wireless net works have fuzzier boundaries, som et im es t o t he point where each node m ay not be able t o direct ly com m unicat e wit h every ot her node in t he wireless net work, as in Figure 3- 2 .

Figu r e 3 - 2 . N ode s 1 a n d 3 a r e " h idde n "

I n t he Figure 3- 2 , node 2 can com m unicat e wit h bot h nodes 1 and 3, but som et hing prevent s nodes 1 and 3 from com m unicat ing direct ly. ( The obst acle it self is not relevant ; it could be as sim ple as nodes 1 and 3 being as far away from 2 as possible, so t he radio waves cannot reach t he full dist ance from 1 t o 3.) From t he perspect ive of node 1, node 3 is a " hidden" node. I f a sim ple t ransm it - andpray prot ocol was used, it would be easy for node 1 and node 3 t o t ransm it sim ult aneously, t hus rendering node 2 unable t o m ake sense of anyt hing. Furt herm ore, nodes 1 and 3 would not have any indicat ion of t he error because t he collision was local t o node 2. Collisions result ing from hidden nodes m ay be hard t o det ect in wireless net works because wireless t ransceivers are generally half- duplex ; t hey don't t ransm it and receive at t he sam e t im e. To prevent collisions, 802.11 allows st at ions t o use Request t o Send ( RTS) and Clear t o Send ( CTS) signals t o clear out an area. Bot h t he RTS and CTS fram es ext end t he fram e t ransact ion, so t hat t he RTS fram e, CTS fram e, t he dat a fram e, and t he final acknowledgm ent are all considered part of t he sam e at om ic operat ion. Figure 3- 3 illust rat es t he procedure.

Figu r e 3 - 3 . RTS/ CTS cle a r in g

I n Figure 3- 3 , node 1 has a fram e t o send; it init iat es t he process by sending an RTS fram e. The RTS fram e serves several purposes: in addit ion t o reserving t he radio link for t ransm ission, it silences any st at ions t hat hear it . I f t he t arget st at ion receives an RTS, it responds wit h a CTS. Like t he RTS fram e, t he CTS fram e silences st at ions in t he im m ediat e vicinit y. Once t he RTS/ CTS exchange is com plet e, node 1 can t ransm it it s fram es wit hout worry of int erference from any hidden nodes. Hidden nodes beyond t he range of t he sending st at ion are silenced by t he CTS from t he receiver. When t he RTS/ CTS clearing procedure is used, any fram es m ust be posit ively acknowledged. The m ult ifram e RTS/ CTS t ransm ission procedure consum es a fair am ount of capacit y, especially because of t he addit ional lat ency incurred before t ransm ission can com m ence. As a result , it is used only in high- capacit y environm ent s and environm ent s wit h significant cont ent ion on t ransm ission. For lower- capacit y environm ent s, it is not necessary. Hidden nodes have also becom e less of a problem as 802.11 has grown up. I n sm all, quiescent net works wit h only a few st at ions associat ed t o an access point , t here is very lit t le risk of sim ult aneous t ransm ission, and plent y of spare capacit y t o be used for ret ransm ission. I n m any larger environm ent s, t he coverage is dense enough t hat t he client s are locat ed physically close enough t o an access point t hat t hey are all wit hin range of each ot her. ( I n fact , t he range of m any client syst em s is probably t oo large for m ost net works, which will be explored in t he planning phase of t his book.) You can cont rol t he RTS/ CTS procedure by set t ing t he RTS t hreshold if t he device driver for your 802.11 card allows you t o adj ust it . The RTS/ CTS exchange is perform ed for fram es larger t han t he t hreshold. Fram es short er t han t he t hreshold are sim ply sent .

MAC Access Modes and Timing Access t o t he wireless m edium is cont rolled by coordinat ion funct ions. Et hernet - like CSMA/ CA access is provided by t he dist ribut ed coordinat ion funct ion ( DCF) . I f cont ent ion- free service is required, it can be provided by t he point coordinat ion funct ion ( PCF) , which is built on t op of t he DCF. Bet ween t he free- for- all of t he DCF and t he precision of t he PCF, net works can use t he hybrid coordinat ion funct ion ( HCF) , a m iddle ground for qualit y of service bet ween t he t wo ext rem es. Cont ent ion- free services are provided only in infrast ruct ure net works, but qualit y of service m ay be provided in any net work t hat has HCF support in t he st at ions. The coordinat ion funct ions are described in t he following list and illust rat ed in Figure 3- 4 :

DCF The DCF is t he basis of t he st andard CSMA/ CA access m echanism . Like Et hernet , it first checks t o see t hat t he radio link is clear before t ransm it t ing. To avoid collisions, st at ions use a random backoff aft er each fram e, wit h t he first t ransm it t er seizing t he channel. I n som e circum st ances, t he DCF m ay use t he CTS/ RTS clearing t echnique t o furt her reduce t he possibilit y of collisions.

PCF The point coordinat ion funct ion provides cont ent ion- free services. Special st at ions called point coor dinat or s are used t o ensure t hat t he m edium is provided wit hout cont ent ion. Point coordinat ors reside in access point s, so t he PCF is rest rict ed t o infrast ruct ure net works. To gain priorit y over st andard cont ent ion- based services, t he PCF allows st at ions t o t ransm it fram es aft er a short er int erval. The PCF is not widely im plem ent ed and is described in Chapt er 9.

HCF Som e applicat ions need t o have service qualit y t hat is a st ep above best - effort delivery, but t he rigorous t im ing of t he PCF is not required. The HCF allows st at ions t o m aint ain m ult iple service queues and balance access t o t he wireless m edium in favor of applicat ions t hat require bet t er service qualit y. The HCF is not fully st andardized yet , but is being produced as part of t he event ual 802.11e specificat ion. Adding qualit y of service t o t he 802.11 MAC was a significant undert aking. Due t o t he added com plexit y in t erm s of fram ing, queue m anagem ent , and signaling, t he qualit y of service specificat ions were st ill subj ect t o st andards com m it t ee wrangling as t his book was writ t en, and discussion of t hem m ust be post poned t o a fut ure edit ion.

Carrier-Sensing Functions and the Network Allocation Vector Carrier sensing is used t o det erm ine if t he m edium is available. Two t ypes of carrier- sensing funct ions in 802.11 m anage t his process: t he physical carrier- sensing and virt ual carrier- sensing

funct ions. I f eit her carrier- sensing funct ion indicat es t hat t he m edium is busy, t he MAC report s t his t o higher layers.

Figu r e 3 - 4 . M AC coor din a t ion fu n ct ion s

Physical carrier- sensing funct ions are provided by t he physical layer in quest ion and depend on t he m edium and m odulat ion used. I t is difficult ( or, m ore t o t he point , expensive) t o build physical carrier- sensing hardware for RF- based m edia, because t ransceivers can t ransm it and receive sim ult aneously only if t hey incorporat e expensive elect ronics. Furt herm ore, wit h hidden nodes pot ent ially lurking everywhere, physical carrier- sensing cannot provide all t he necessary inform at ion. Virt ual carrier- sensing is provided by t he Net work Allocat ion Vect or ( NAV) . Most 802.11 fram es carry a durat ion field, which can be used t o reserve t he m edium for a fixed t im e period. The NAV is a t im er t hat indicat es t he am ount of t im e t he m edium will be reserved, in m icroseconds. St at ions set t he NAV t o t he t im e for which t hey expect t o use t he m edium , including any fram es necessary t o com plet e t he current operat ion. Ot her st at ions count down from t he NAV t o 0. When t he NAV is nonzero, t he virt ual carrier- sensing funct ion indicat es t hat t he m edium is busy; when t he NAV reaches 0, t he virt ual carrier- sensing funct ion indicat es t hat t he m edium is idle. By using t he NAV, st at ions can ensure t hat at om ic operat ions are not int errupt ed. For exam ple, t he RTS/ CTS sequence in Figure 3- 3 is at om ic. Figure 3- 5 shows how t he NAV prot ect s t he sequence from int errupt ion. ( This is a st andard form at for a num ber of diagram s in t his book t hat illust rat e t he int eract ion of m ult iple st at ions wit h t he corresponding t im ers.) Act ivit y on t he m edium by st at ions is represent ed by t he shaded bars, and each bar is labeled wit h t he fram e t ype. I nt erfram e spacing is depict ed by t he lack of any act ivit y. Finally, t he NAV t im er is represent ed by t he bars on t he NAV line at t he bot t om of t he figure. The NAV is carried in t he fram e headers on t he RTS and CTS fram es; it is depict ed on it s own line t o show how t he NAV relat es t o act ual t ransm issions in t he air. When a NAV bar is present on t he NAV line, st at ions should defer access t o t he m edium because t he virt ual carrier- sensing m echanism will indicat e a busy m edium . To ensure t hat t he sequence is not int errupt ed, node 1 set s t he NAV in it s RTS t o block access t o t he m edium while t he RTS is being t ransm it t ed. All st at ions t hat hear t he RTS defer access t o t he m edium unt il t he NAV elapses.

Figu r e 3 - 5 . Usin g t h e N AV for vir t u a l ca r r ie r se n sin g

RTS fram es are not necessarily heard by every st at ion in t he net work. Therefore, t he recipient of t he int ended t ransm ission responds wit h a CTS t hat includes a short er NAV. This NAV prevent s ot her st at ions from accessing t he m edium unt il t he t ransm ission com plet es. Aft er t he sequence com plet es, t he m edium can be used by any st at ion aft er dist ribut ed int erfram e space ( DI FS) , which is depict ed by t he cont ent ion window beginning at t he right side of t he figure. RTS/ CTS exchanges m ay be useful in crowded areas wit h m ult iple overlapping net works. Every st at ion on t he sam e physical channel receives t he NAV and defers access appropriat ely, even if t he st at ions are configured t o be on different net works.

Interframe Spacing As wit h t radit ional Et hernet , t he int erfram e spacing plays a large role in coordinat ing access t o t he t ransm ission m edium . 802.11 uses four different int erfram e spaces. Three are used t o det erm ine m edium access; t he relat ionship bet ween t hem is shown in Figure 3- 6 .

Figu r e 3 - 6 . I n t e r fr a m e spa cin g r e la t ion sh ips

We've already seen t hat as part of t he collision avoidance built int o t he 802.11 MAC, st at ions delay t ransm ission unt il t he m edium becom es idle. Varying int erfram e spacings creat e different priorit y levels for different t ypes of t raffic. The logic behind t his is sim ple: high- priorit y t raffic doesn't have t o wait as long aft er t he m edium has becom e idle. Therefore, if t here is any high- priorit y t raffic wait ing, it grabs t he net work before low- priorit y fram es have a chance t o t ry. To assist wit h int eroperabilit y bet ween different dat a rat es, t he int erfram e space is a fixed am ount of t im e, independent of t he t ransm ission speed. ( This is only one of t he m any problem s caused by having different physical layers use t he sam e radio resources, which are different m odulat ion t echniques.) Different physical layers, however, can specify different int erfram e space t im es.

Short int erfram e space ( SI FS) The SI FS is used for t he highest - priorit y t ransm issions, such as RTS/ CTS fram es and posit ive acknowledgm ent s. High- priorit y t ransm issions can begin once t he SI FS has elapsed. Once t hese high- priorit y t ransm issions begin, t he m edium becom es busy, so fram es t ransm it t ed aft er t he SI FS has elapsed have priorit y over fram es t hat can be t ransm it t ed only aft er longer int ervals.

PCF int erfram e space ( PI FS) The PI FS, som et im es erroneously called t he priorit y int erfram e space, is used by t he PCF during cont ent ion- free operat ion. St at ions wit h dat a t o t ransm it in t he cont ent ion- free period can t ransm it aft er t he PI FS has elapsed and preem pt any cont ent ion- based t raffic.

DCF int erfram e space ( DI FS) The DI FS is t he m inim um m edium idle t im e for cont ent ion- based services. St at ions m ay have im m ediat e access t o t he m edium if it has been free for a period longer t han t he DI FS.

Ext ended int erfram e space ( EI FS) The EI FS is not illust rat ed in Figure 3- 6 because it is not a fixed int erval. I t is used only when t here is an error in fram e t ransm ission.

Interframe spacing and priority At om ic operat ions st art like regular t ransm issions: t hey m ust wait for t he t he relevant int erfram e space, t ypically t he DI FS, t o end before t hey can begin. However, t he second and any subsequent st eps in an at om ic operat ion t ake place aft er t he SI FS, rat her t han aft er t he DI FS. Because t he SI FS is short er t han t he ot her int erfram e spaces, t he second ( and subsequent ) part s of an at om ic operat ion will grab t he m edium before anot her t ype of fram e can be t ransm it t ed. By using t he SI FS and t he NAV, st at ions can seize t he m edium for as long as necessary. I n Figure 3- 5 , for exam ple, t he short int erfram e space is used bet ween t he different unit s of t he at om ic exchange. Aft er t he sender gains access t o t he m edium , t he receiver replies wit h a CTS aft er t he SI FS. Any st at ions t hat m ight at t em pt t o access t he m edium at t he conclusion of t he RTS would wait for one DI FS int erval. Part way t hrough t he DI FS int erval, t hough, t he SI FS int erval elapses, and t he CTS is t ransm it t ed.

Contention-Based Access Using the DCF Most t raffic uses t he DCF, which provides a st andard Et hernet - like cont ent ion- based service. The DCF allows m ult iple independent st at ions t o int eract wit hout cent ral cont rol, and t hus m ay be used in eit her I BSS net works or in infrast ruct ure net works. Before at t em pt ing t o t ransm it , each st at ion checks whet her t he m edium is idle. I f t he m edium is not idle, st at ions defer t o each ot her and em ploy an orderly exponent ial backoff algorit hm t o avoid collisions. I n dist illing t he 802.11 MAC rules, t here is a basic set of rules t hat are always used, and addit ional rules m ay be applied depending on t he circum st ances. Two basic rules apply t o all t ransm issions using t he DCF:

1 . I f t he m edium has been idle for longer t han t he DI FS, t ransm ission can begin im m ediat ely. Carrier sensing is perform ed using bot h a physical m edium - dependent m et hod and t he virt ual ( NAV) m et hod.

a . I f t he previous fram e was received wit hout errors, t he m edium m ust be free for at least t he DI FS. b. I f t he previous t ransm ission cont ained errors, t he m edium m ust be free for t he am ount of t he EI FS. 2 . I f t he m edium is busy, t he st at ion m ust wait for t he channel t o becom e idle. 802.11 refers t o t he wait as access deferral. I f access is deferred, t he st at ion wait s for t he m edium t o be idle for t he DI FS and prepares for t he exponent ial backoff procedure. Addit ional rules m ay apply in cert ain sit uat ions. Many of t hese rules depend on t he part icular sit uat ion " on t he wire" and are specific t o t he result s of previous t ransm issions.

1 . Error recovery is t he responsibilit y of t he st at ion sending a fram e. Senders expect acknowledgm ent s for each t ransm it t ed fram e and are responsible for ret rying t he t ransm ission unt il it is successful.

a . Posit ive acknowledgm ent s are t he only indicat ion of success. At om ic exchanges m ust com plet e in t heir ent iret y t o be successful. I f an acknowledgm ent is expect ed and does not arrive, t he sender considers t he t ransm ission lost and m ust ret ry. b. All unicast dat a m ust be acknowledged. Broadcast dat a is not acknowledged. ( As a result , unicast dat a has an inherent ly higher service qualit y t han broadcast dat a, even t hough t he radio link is inherent ly a broadcast m edium .) c. Any failure increm ent s a ret ry count er, and t he t ransm ission is ret ried. A failure can be

c. due t o a failure t o gain access t o t he m edium or a lack of an acknowledgm ent . However, t here is a longer congest ion window when t ransm issions are ret ried ( see next sect ion) . 2 . Mult ifram e sequences m ay updat e t he NAV wit h each st ep in t he t ransm ission procedure. When a st at ion receives a m edium reservat ion t hat is longer t han t he current NAV, it updat es t he NAV. Set t ing t he NAV is done on a fram e- by- fram e basis and is discussed in m uch m ore det ail in t he next chapt er. 3 . The following t ypes of fram es can be t ransm it t ed aft er t he SI FS and t hus receive m axim um priorit y: acknowledgm ent s, t he CTS in an RTS/ CTS exchange sequence, and fragm ent s in fragm ent sequences.

a . Once a st at ion has t ransm it t ed t he first fram e in a sequence, it has gained cont rol of t he channel. Any addit ional fram es and t heir acknowledgm ent s can be sent using t he short int erfram e space, which locks out any ot her st at ions. b. Addit ional fram es in t he sequence updat e t he NAV for t he expect ed addit ional t im e t he m edium will be used. 4 . Ext ended fram e sequences are required for higher- level packet s t hat are larger t han configured t hresholds.

a . Packet s larger t han t he RTS t hreshold m ust have RTS/ CTS exchange. b. Packet s larger t han t he fragm ent at ion t hreshold m ust be fragm ent ed.

Error Recovery with the DCF Error det ect ion and correct ion is up t o t he st at ion t hat begins an at om ic fram e exchange. When an error is det ect ed, t he st at ion wit h dat a m ust resend t he fram e. Errors m ust be det ect ed by t he sending st at ion. I n som e cases, t he sender can infer fram e loss by t he lack of a posit ive acknowledgm ent from t he receiver. Ret ry count ers are increm ent ed when fram es are ret ransm it t ed. Each fram e or fragm ent has a single ret ry count er associat ed wit h it . St at ions have t wo ret ry count ers: t he short ret ry count and t he long ret ry count . Fram es t hat are short er t han t he RTS t hreshold are considered t o be short ; fram es longer t han t he t hreshold are long. Depending on t he lengt h of t he fram e, it is associat ed wit h eit her a short or long ret ry count er. Fram e ret ry count s begin at 0 and are increm ent ed when a fram e t ransm ission fails. The short ret ry count is reset t o 0 when: A CTS fram e is received in response t o a t ransm it t ed RTS A MAC- layer acknowledgm ent is received aft er a nonfragm ent ed t ransm ission A broadcast or m ult icast fram e is received The long ret ry count is reset t o 0 when: A MAC- layer acknowledgm ent is received for a fram e longer t han t he RTS t hreshold

A broadcast or m ult icast fram e is received I n addit ion t o t he associat ed ret ry count , fragm ent s are given a m axim um " lifet im e" by t he MAC. When t he first fragm ent is t ransm it t ed, t he lifet im e count er is st art ed. When t he lifet im e lim it is reached, t he fram e is discarded and no at t em pt is m ade t o t ransm it any rem aining fragm ent s. Nat urally, higher- layer prot ocols m ay det ect any loss and ret ransm it t he dat a; when a higher- level prot ocol such as TCP ret ransm it s dat a, t hough, it would be a new fram e t o t he 802.11 MAC and all t he ret ry count ers will be rest art ed.

Using the retry counters Like m ost ot her net work prot ocols, 802.11 provides reliabilit y t hrough ret ransm ission. Dat a t ransm ission happens wit hin t he confines of an at om ic sequence, and t he ent ire sequence m ust com plet e for a t ransm ission t o be successful. When a st at ion t ransm it s a fram e, it m ust receive an acknowledgm ent from t he receiver or it will consider t he t ransm ission t o have failed. Failed t ransm issions increm ent t he ret ry count er associat ed wit h t he fram e ( or fragm ent ) . I f t he ret ry lim it is reached, t he fram e is discarded, and it s loss is report ed t o higher- layer prot ocols. One of t he reasons for having short fram es and long fram es is t o allow net work adm inist rat ors t o cust om ize t he robust ness of t he net work for different fram e lengt hs. Large fram es require m ore buffer space, so one pot ent ial applicat ion of having t wo separat e ret ry lim it s is t o decrease t he long ret ry lim it t o decrease t he am ount of buffer space required.

Backoff with the DCF Aft er fram e t ransm ission has com plet ed and t he DI FS has elapsed, st at ions m ay at t em pt t o t ransm it congest ion- based dat a. A period called t he cont ent ion window or backoff window follows t he DI FS. This window is divided int o slot s. Slot lengt h is m edium - dependent ; higher- speed physical layers use short er slot t im es. St at ions pick a random slot and wait for t hat slot before at t em pt ing t o access t he m edium ; all slot s are equally likely select ions. When several st at ions are at t em pt ing t o t ransm it , t he st at ion t hat picks t he first slot ( t he st at ion wit h t he lowest random num ber) wins. According t o t he st andard, all slot num bers should be equally likely; see t he sidebar on Spect ralink Voice Priorit y lat er in t his chapt er for one not able except ion. As in Et hernet , t he backoff t im e is select ed from a larger range each t im e a t ransm ission fails. Figure 3 - 7 illust rat es t he growt h of t he cont ent ion window as t he num ber of t ransm issions increases, using t he num bers from t he 802.11b direct - sequence spread- spect rum ( DSSS) physical layer. Ot her physical layers use different sizes, but t he principle is ident ical. Cont ent ion window sizes are always 1 less t han a power of 2 ( e.g., 31, 63, 127, 255) . Each t im e t he ret ry count er increases, t he cont ent ion window m oves t o t he next great est power of t wo. The size of t he cont ent ion window is lim it ed by t he physical layer. For exam ple, t he DS physical layer lim it s t he cont ent ion window t o 1,023 t ransm ission slot s. When t he cont ent ion window reaches it s m axim um size, it rem ains t here unt il it can be reset . Allowing long cont ent ion windows when several com pet ing st at ions are at t em pt ing t o gain access t o t he m edium keeps t he MAC algorit hm s st able even under m axim um load. The cont ent ion window is reset t o it s m inim um size when fram es are t ransm it t ed successfully, or t he associat ed ret ry count er is reached, and t he fram e is discarded.

Figu r e 3 - 7 . D SSS con t e n t ion w in dow size

Fragmentation and Reassembly Higher- level packet s and som e large m anagem ent fram es m ay need t o be broken int o sm aller pieces t o fit t hrough t he wireless channel. Fragm ent at ion m ay also help im prove reliabilit y in t he presence of int erference. Wireless LAN st at ions m ay at t em pt t o fragm ent t ransm issions so t hat int erference affect s only sm all fragm ent s, not large fram es. By im m ediat ely reducing t he am ount of dat a t hat can be corrupt ed by int erference, fragm ent at ion m ay result in a higher effect ive t hroughput . I nt erference m ay com e from a variet y of sources. Som e, but by no m eans all, m icrowave ovens cause int erference wit h 2.4 GHz net works. [ * ] Elect rom agnet ic radiat ion is generat ed by t he m agnet ron t ube during it s ram p- up and ram p- down, so m icrowaves em it int erference half t he t im e. Many newer cordless phones also cause int erference. [ ] Out door net works are subj ect t o a m uch wider variet y of int er fer ence. [*]

In the U.S., appliances are powered by 60-Hz alternating current, so microwaves interfere for about 8 milliseconds (ms) out of every 16-ms cycle. Much of the rest of the world uses 50-Hz current, and interference takes place for 10 ms out of the 20-ms cycle. [

] If you need to use a cordless phone in the same area as a wireless LAN, I suggest purchasing a 900 MHz cordless phone on eBay.

Wireless LAN st at ions m ay at t em pt t o fragm ent t ransm issions so t hat int erference affect s only sm all fragm ent s, not large fram es. By im m ediat ely reducing t he am ount

Spectralink Voice Priority One of t he challenges in support ing voice on wireless net works is t hat voice is far m ore sensit ive t o poor net work service t han dat a applicat ions. I f a 1,500 byt e fragm ent of a graphics file is a t ent h of a second lat e, t he t ypical user will not even not ice. I f a delay of a t ent h of a second is int roduced int o a phone conversat ion, t hough, it will be t oo m uch. Providing high- qualit y service over an I P net work is hard enough. Doing so over a wireless LAN is doubly challenging. One of t he m aj or problem s t hat net work engineers face in designing wireless LAN voice net works is t hat all dat a is t reat ed equally. I f t here is a short voice fram e and a long dat a fram e, t here is no inherent preference for one or t he ot her. Spect ralink, a m anufact urer of handheld 802.11 phones, has devised a special set of prot ocol ext ensions, called Spect ralink Voice Priorit y ( SVP) , t o assist in m aking t he net work m ore useful for voice t ransport . SVP consist s of com ponent s im plem ent ed in bot h access point s and in handset s t o priorit ze voice over dat a and coordinat e several voice calls on a single AP. SVP assist s wit h bot h t he downlink from t he AP and t he uplink from handset s. To support SVP, an access point m ust t ransm it voice fram es wit h zero backoff. Rat her t han select ing a backoff slot num ber as required by t he 802.11 st andard, access point s wit h SVP enabled will always choose zero. I n t he presence of cont ent ion for t he wireless m edium , t he voice fram es wit h zero backoff will have de fact o priorit y boost because dat a fram es are likely t o have a posit ive backoff slot . St rict ly speaking, st at ions

im plem ent ing zero backoff are no longer com pliant wit h 802.11 because it m andat es select ion of a backoff slot in accordance wit h defined rules. ( To preserve st abilit y under load, however, ret ransm it t ed voice fram es are subj ect t o t he backoff rules.) By select ing zero backoff, access point s im plem ent ing SVP ensure t hat voice fram es have preferent ial access t o t he air. Access point s t hat im plem ent SVP m ust also keep t rack of voice fram es and provide preferent ial queuing t reat m ent as well. SVP requires t hat voice fram es be pushed t o t he head of t he queue for t ransm ission. APs im plem ent t ransm it queues in m any different ways; t he im port ant point is t he funct ional result , which is t hat voice fram es m ove t o t he head of t he line. Som e APs m ay m ove voice fram es up t o t he head of a single t ransm it queue, while ot her APs m ay m aint ain m ult iple t ransm it queues and serve t he high- priorit y voice queue first .

of dat a t hat can be corrupt ed by int erference, fragm ent at ion m ay result in a higher effect ive t hroughput . Fragm ent at ion t akes place when t he lengt h of a higher- level packet exceeds t he fragm ent at ion t hreshold configured by t he net work adm inist rat or. Fragm ent s all have t he sam e fram e sequence num ber but have ascending fragm ent num bers t o aid in reassem bly. Fram e cont rol inform at ion also indicat es whet her m ore fragm ent s are com ing. All of t he fragm ent s t hat com prise a fram e are norm ally sent in a fragm ent at ion burst , which is shown in Figure 3- 8 . This figure also incorporat es an RTS/ CTS exchange, because it is com m on for t he fragm ent at ion and RTS/ CTS t hresholds t o be set t o t he sam e value. The figure also shows how t he NAV and SI FS are used in com binat ion t o cont rol access t o t he m edium .

Figu r e 3 - 8 . Fr a gm e n t a t ion bu r st

Fragm ent s and t heir acknowledgm ent s are separat ed by t he SI FS, so a st at ion ret ains cont rol of t he channel during a fragm ent at ion burst . The NAV is also used t o ensure t hat ot her st at ions do not use t he channel during t he fragm ent at ion burst . As wit h any RTS/ CTS exchange, t he RTS and CTS bot h set t he NAV from t he expect ed t im e t o t he end of t he first fragm ent s in t he air. Subsequent fragm ent s t hen form a chain. Each fragm ent set s t he NAV t o hold t he m edium unt il t he end of t he acknowledgm ent for t he next fram e. Fragm ent 0 set s t he NAV t o hold t he m edium unt il ACK 1, fragm ent 1 set s t he NAV t o hold t he m edium unt il ACK 2, and so on. Aft er t he last fragm ent and it s acknowledgm ent have been sent , t he NAV is set t o 0, indicat ing t hat t he m edium will be released aft er t he fragm ent at ion burst com plet es.

Frame Format To m eet t he challenges posed by a wireless dat a link, t he MAC was forced t o adopt several unique feat ures, not t he least of which was t he use of four address fields. Not all fram es use all t he address fields, and t he values assigned t o t he address fields m ay change depending on t he t ype of MAC fram e being t ransm it t ed. Det ails on t he use of address fields in different fram e t ypes are present ed in Chapt er 4. Figure 3- 9 shows t he generic 802.11 MAC fram e. All diagram s in t his sect ion follow t he I EEE convent ions in 802.11. Fields are t ransm it t ed from left t o right .

Figu r e 3 - 9 . Ge n e r ic 8 0 2 .1 1 M AC fr a m e

802.11 MAC fram es do not include som e of t he classic Et hernet fram e feat ures, m ost not ably t he t ype/ lengt h field and t he pream ble. The pream ble is part of t he physical layer, and encapsulat ion det ails such as t ype and lengt h are present in t he header on t he dat a carried in t he 802.11 fram e.

Frame Control Each fram e st art s wit h a t wo- byt e Fram e Cont rol subfield, shown in Figure 3- 10. The com ponent s of t he Fram e Cont rol subfield are:

Prot ocol version Two bit s indicat e which version of t he 802.11 MAC is cont ained in t he rest of t he fram e. At present , only one version of t he 802.11 MAC has been developed; it is assigned t he prot ocol num ber 0. Ot her values will appear when t he I EEE st andardizes changes t o t he MAC t hat render it incom pat ible wit h t he init ial specificat ion. So far, none of t he revisions t o 802.11 have required increm ent ing t he prot ocol num ber.

Type and subt ype fields Type and subt ype fields ident ify t he t ype of fram e used. To cope wit h noise and unreliabilit y, a num ber of m anagem ent funct ions are incorporat ed int o t he 802.11 MAC. Som e, such as t he RTS/ CTS operat ions and t he acknowledgm ent s, have already been discussed. Table 3- 1 shows how t he t ype and subt ype ident ifiers are used t o creat e t he different classes of fram es.

Figu r e 3 - 1 0 . Fr a m e con t r ol fie ld

I n Table 3- 1, bit st rings are writ t en m ost - significant bit first , which is t he reverse of t he order used in Figure 3- 10. Therefore, t he fram e t ype is t he t hird bit in t he fram e cont rol field followed by t he second bit ( b3 b2) , and t he subt ype is t he sevent h bit , followed by t he sixt h, fift h, and fourt h bit s ( b7 b6 b5 b4) .

Ta ble 3 - 1 . Type a n d su bt ype ide n t ifie r s Su bt ype va lu e

Su bt ype n a m e

Managem ent fram es ( t ype= 00) a 0000

Associat ion request

0001

Associat ion response

0010

Reassociat ion request

0011

Reassociat ion response

0100

Probe request

0101

Probe response

1000

Beacon

1001

Announcem ent t raffic indicat ion m essage ( ATI M)

1010

Disassociat ion

1011

Aut hent icat ion

1100

Deaut hent icat ion

1101

Act ion ( for spect rum m anagem ent wit h 802.11h, also for QoS)

Cont rol fram es ( t ype= 01) b 1000

Block Acknowledgm ent Request ( QoS)

1001

Block Acknowledgm ent ( QoS)

1010

Power Save ( PS) - Poll

1011

RTS

1100

CTS

1101

Acknowledgm ent ( ACK)

Su bt ype va lu e

Su bt ype n a m e

1110

Cont ent ion- Free ( CF) - End

1111

CF- End+ CF- Ack

Dat a fram es ( t ype= 10) 0000

Dat a

0001

Dat a+ CF- Ack

0010

Dat a+ CF- Poll

0011

Dat a+ CF- Ack+ CF- Poll

0100

Null dat a ( no dat a t ransm it t ed)

0101

CF- Ack ( no dat a t ransm it t ed)

0110

CF- Poll ( no dat a t ransm it t ed)

0111

CF- Ack+ CF- Poll ( no dat a t ransm it t ed)

1000

QoS Dat ac

1001

QoS Dat a + CF- Ack c

1010

QoS Dat a + CF- Pollc

1011

QoS Dat a + CF- Ack + CF- Poll c

1100

QoS Null ( no dat a t ransm it t ed) c

1101

QoS CF- Ack ( no dat a t ransm it t ed) c

1110

QoS CF- Poll ( no dat a t ransm it t ed) c

1111

QoS CF- Ack+ CF- Poll ( no dat a t ransm it t ed) c

( Fram e t ype 11 is reserved) a

Managem ent subt ypes 0110- 0111 and 1110- 1111 are reserved and not current ly used.

b

Cont rol subt ypes 0000- 0111 are reserved and not current ly used.

c

Proposed by t he 802.11e t ask group, but not yet st andardized. Not e t hat t hese fram es all have a leading one, which has caused som e t o refer t o t he first bit as t he QoS bit .

ToDS and From DS bit s These bit s indicat e whet her a fram e is dest ined for t he dist ribut ion syst em . All fram es on infrast ruct ure net works will have one of t he dist ribut ion syst em bit s set . Table 3- 2 shows how t hese bit s are int erpret ed. As Chapt er 4 will explain, t he int erpret at ion of t he address fields depends on t he set t ing of t hese bit s.

Ta ble 3 - 2 . I n t e r pr e t in g t h e ToD S a n d Fr om D S bit s

To D S= 0

To D S= 1

From DS= 0

All m anagem ent and cont rol fram es Dat a fram es wit hin an I BSS ( never infrast ruct ure dat a fram es)

Dat a fram es t ransm it t ed from a wireless st at ion in an infrast ruct ure net work.

From DS= 1

Dat a fram es received for a wireless st at ion in an infrast ruct ure net work

Dat a fram es on a " wireless bridge"

More fragm ent s bit This bit funct ions m uch like t he " m ore fragm ent s" bit in I P. When a higher- level packet has been fragm ent ed by t he MAC, t he init ial fragm ent and any following nonfinal fragm ent s set t his bit t o 1. Large dat a fram es and som e m anagem ent fram es m ay be large enough t o require fragm ent at ion; all ot her fram es set t his bit t o 0. I n pract ice, m ost dat a fram es are t ransm it t ed at t he m axim um Et hernet size and fragm ent at ion is not oft en used.

Ret ry bit From t im e t o t im e, fram es m ay be ret ransm it t ed. Any ret ransm it t ed fram es set t his bit t o 1 t o aid t he receiving st at ion in elim inat ing duplicat e fram es.

Power m anagem ent bit Net work adapt ers built on 802.11 are oft en built t o t he PC Card form fact or and used in bat t ery- powered lapt op or handheld com put ers. To conserve bat t ery life, m any sm all devices have t he abilit y t o power down part s of t he net work int erface. This bit indicat es whet her t he sender will be in a powersaving m ode aft er t he com plet ion of t he current at om ic fram e exchange. 1 indicat es t hat t he st at ion will be in powersave m ode, and 0 indicat es t hat t he st at ion will be act ive. Access point s perform a num ber of im port ant m anagem ent funct ions and are not allowed t o save power, so t his bit is always 0 in fram es t ransm it t ed by an access point .

More dat a bit To accom m odat e st at ions in a powersaving m ode, access point s m ay buffer fram es received from t he dist ribut ion syst em . An access point set s t his bit t o indicat e t hat at least one fram e is available and is addressed t o a dozing st at ion.

Prot ect ed Fram e bit Wireless t ransm issions are inherent ly easier t o int ercept t han t ransm issions on a fixed net work. I f t he fram e is prot ect ed by link layer securit y prot ocols, t his bit is set t o 1, and t he fram e changes slight ly. The Prot ect ed Fram e bit was previously called t he WEP bit .

Order bit Fram es and fragm ent s can be t ransm it t ed in order at t he cost of addit ional processing by bot h

t he sending and receiving MACs. When t he " st rict ordering" delivery is em ployed, t his bit is set t o 1.

Duration/ID Field The Durat ion/ I D field follows t he fram e cont rol field. This field has several uses and t akes one of t he t hree form s shown in Figure 3- 11.

Figu r e 3 - 1 1 . D u r a t ion / I D fie ld

Duration: setting the NAV When bit 15 is 0, t he durat ion/ I D field is used t o set t he NAV. The value represent s t he num ber of m icroseconds t hat t he m edium is expect ed t o rem ain busy for t he t ransm ission current ly in progress. All st at ions m ust m onit or t he headers of all fram es t hey receive and updat e t he NAV accordingly. Any value t hat ext ends t he am ount of t im e t he m edium is busy updat es t he NAV and blocks access t o t he m edium for addit ional t im e.

Frames transmitted during contention-free periods During t he cont ent ion- free periods, bit 14 is 0 and bit 15 is 1. All ot her bit s are 0, so t he durat ion/ I D field t akes a value of 32,768. This value is int erpret ed as a NAV. I t allows any st at ions t hat did not receive t he Beacon [ * ] announcing t he cont ent ion- free period t o updat e t he NAV wit h a suit ably large value t o avoid int erfering wit h cont ent ion- free t ransm issions. [*]

Beacon frames are a subtype of management frames, which is why "Beacon" is capitalized.

PS-Poll frames Bit s 14 and 15 are bot h set t o 1 in PS- Poll fram es. Mobile st at ions m ay elect t o save bat t ery power by t urning off ant ennas. Dozing st at ions m ust wake up periodically. To ensure t hat no fram es are lost , st at ions awaking from t heir slum ber t ransm it a PS- Poll fram e t o ret rieve any buffered fram es from t he access point . Along wit h t his request , waking st at ions incorporat e t he associat ion I D ( AI D)

t hat indicat es which BSS t hey belong t o. The AI D is included in t he PS- Poll fram e and m ay range from 1- 2,007. Values from 2,008- 16,383 are reserved and not used.

Address Fields An 802.11 fram e m ay cont ain up t o four address fields. The address fields are num bered because different fields are used for different purposes depending on t he fram e t ype ( det ails are found in Chapt er 4) . The general rule of t hum b is t hat Address 1 is used for t he receiver, Address 2 for t he t ransm it t er, and Address 3 field for filt ering by t he receiver. I n an infrast ruct ure net work, for exam ple, t he t hird address field is used by t he receiver t o det erm ine whet her t he fram e is part of t he net work it is associat ed t o. [ * ] [*]

802.11 specifies that stations should ignore frames that do not have the same BSSID, but most products do not correctly implement BSSID filtering and will pass any received frame up to higher protocol layers.

Addressing in 802.11 follows t he convent ions used for t he ot her I EEE 802 net works, including Et hernet . Addresses are 48 bit s long. I f t he first bit sent t o t he physical m edium is a 0, t he address represent s a single st at ion ( unicast ) . When t he first bit is a 1, t he address represent s a group of physical st at ions and is called a m ult icast ( or group) address. I f all bit s are 1s, t hen t he fram e is a broadcast and is delivered t o all st at ions connect ed t o t he wireless m edium . 48- bit addresses are used for a variet y of purposes:

Dest inat ion address As in Et hernet , t he dest inat ion address is t he 48- bit I EEE MAC ident ifier t hat corresponds t o t he final recipient : t he st at ion t hat will hand t he fram e t o higher prot ocol layers for processing.

Source address This is t he 48- bit I EEE MAC ident ifier t hat ident ifies t he source of t he t ransm ission. Only one st at ion can be t he source of a fram e, so t he I ndividual/ Group bit is always 0 t o indicat e an individual st at ion.

Receiver address This is a 48- bit I EEE MAC ident ifier t hat indicat es which wireless st at ion should process t he fram e. I f it is a wireless st at ion, t he receiver address is t he dest inat ion address. For fram es dest ined t o a node on an Et hernet connect ed t o an access point , t he receiver is t he wireless int erface in t he access point , and t he dest inat ion address m ay be a rout er at t ached t o t he Et hernet .

Transm it t er address This is a 48- bit I EEE MAC address t o ident ify t he wireless int erface t hat t ransm it t ed t he fram e ont o t he wireless m edium . The t ransm it t er address is used only in wireless bridging.

Basic Service Set I D ( BSSI D) To ident ify different wireless LANs in t he sam e area, st at ions m ay be assigned t o a BSS. I n infrast ruct ure net works, t he BSSI D is t he MAC address used by t he wireless int erface in t he access point . Ad hoc net works generat e a random BSSI D wit h t he Universal/ Local bit set t o 1 t o prevent conflict s wit h officially assigned MAC addresses. The num ber of address fields used depends on t he t ype of fram e. Most dat a fram es use t hree fields for source, dest inat ion, and BSSI D. The num ber and arrangem ent of address fields in a dat a fram e depends on how t he fram e is t raveling relat ive t o t he dist ribut ion syst em . Most t ransm issions use t hree addresses, which is why only t hree of t he four addresses are cont iguous in t he fram e form at .

Sequence Control Field This 16- bit field is used for bot h defragm ent at ion and discarding duplicat e fram es. I t is com posed of a 4- bit fragm ent num ber field and a 12- bit sequence num ber field, as shown in Figure 3- 12. Sequence num bers are not used in cont rol fram es, so t he Sequence Cont rol field is not present .

Figu r e 3 - 1 2 . Se qu e n ce Con t r ol fie ld

Higher- level fram es are each given a sequence num ber as t hey are passed t o t he MAC for t ransm ission. The sequence num ber subfield operat es as a m odulo- 4096 count er of t he fram es t ransm it t ed. I t begins at 0 and increm ent s by 1 for each higher- level packet handled by t he MAC. I f higher- level packet s are fragm ent ed, all fragm ent s will have t he sam e sequence num ber. When fram es are ret ransm it t ed, t he sequence num ber is not changed. What differs bet ween fragm ent s is t he fragm ent num ber. The first fragm ent is given a fragm ent num ber of 0. Each successive fragm ent increm ent s t he fragm ent num ber by 1. Ret ransm it t ed fragm ent s keep t heir original sequence num bers t o assist in reassem bly. St at ions t hat im plem ent t he QoS ext ensions use a slight ly different int erpret at ion of t he sequence cont rol field because m ult iple t ransm it queues need t o be m aint ained.

Frame Body The fram e body, also called t he Dat a field, m oves t he higher- layer payload from st at ion t o st at ion. As originally specified, 802.11 can t ransm it fram es wit h a m axim um payload of 2,304 byt es of higher-

level dat a. I m plem ent at ions m ust support larger fram e bodies t o accom m odat e addit ional headers for securit y and QoS. 802.2 LLC headers use 8 byt es for a m axim um net work prot ocol payload of 2,296 byt es. Prevent ing fragm ent at ion m ust be done at t he prot ocol layer. On I P net works, Pat h MTU Discovery ( RFC 1191) will prevent t he t ransm ission of fram es wit h Dat a fields larger t han 1,500 byt es. 802.11 differs from ot her link layer t echnologies in t wo not able ways. First , t here is no higher- level prot ocol t ag in t he 802.11 fram e t o dist inguish bet ween higher- layer prot ocol t ypes. Higher- level prot ocols are t agged wit h a t ype field by an addit ional header, which is used as t he st art of t he 802.11 payload. Second, 802.11 does not generally pad fram es t o a m inim um lengt h. Many fram es used by 802.11 are short , and t he chips and elect ronics used in net work int erfaces has progressed t o t he point where a pad is no longer necessary.

Frame Check Sequence As wit h Et hernet , t he 802.11 fram e closes wit h a fram e check sequence ( FCS) . The FCS is oft en referred t o as t he cyclic redundancy check ( CRC) because of t he underlying m at hem at ical operat ions. The FCS allows st at ions t o check t he int egrit y of received fram es. All fields in t he MAC header and t he body of t he fram e are included in t he FCS. Alt hough 802.3 and 802.11 use t he sam e m et hod t o calculat e t he FCS, t he MAC header used in 802.11 is different from t he header used in 802.3, so t he FCS m ust be recalculat ed by access point s. When fram es are sent t o t he wireless int erface, t he FCS is calculat ed before t hose fram es are sent out over t he wireless link. Receivers can t hen calculat e t he FCS from t he received fram e and com pare it t o t he received FCS. I f t he t wo m at ch, t here is a high probabilit y t hat t he fram e was not dam aged in t ransit . On Et hernet s, fram es wit h a bad FCS are sim ply discarded, and fram es wit h a good FCS are passed up t he prot ocol st ack. On 802.11 net works, fram es t hat pass t he int egrit y check m ay also require t he receiver t o send an acknowledgm ent . For exam ple, dat a fram es t hat are received correct ly m ust be posit ively acknowledged, or t hey are ret ransm it t ed. 802.11 does not have a negat ive acknowledgm ent for fram es t hat fail t he FCS; st at ions m ust wait for t he acknowledgm ent t im eout before ret ransm it t ing.

Encapsulation of Higher-Layer Protocols Within 802.11 Like all ot her 802 link layers, 802.11 can t ransport any net work- layer prot ocol. Unlike Et hernet , 802.11 relies on 802.2 logical- link cont rol ( LLC) encapsulat ion t o carry higher- level prot ocols. Figure 3- 13 shows how 802.2 LLC encapsulat ion is used t o carry an I P packet . I n t he figure, t he " MAC headers" for 802.1H and RFC 1042 m ight be t he 12 byt es of source and dest inat ion MAC address inform at ion on Et hernet or t he long 802.11 MAC header from t he previous sect ion.

Figu r e 3 - 1 3 . I P e n ca psu la t ion in 8 0 2 .1 1

Two different m et hods can be used t o encapsulat e LLC dat a for t ransm ission. One is described in RFC 1042, and t he ot her in 802.1H. Bot h st andards m ay go by ot her nam es. RFC 1042 is som et im es referred t o as I ETF encapsulat ion, while 802.1H is som et im es called t unnel encapsulat ion. As you can see in Figure 3- 13, t hough, t he t wo m et hods are quit e sim ilar. An Et hernet fram e is shown in t he t op line of Figure 3- 13. I t has a MAC header com posed of source and dest inat ion MAC addresses, a t ype code, t he em bedded packet , and a fram e check field. I n t he I P world, t he Type code is eit her 0x0800 ( 2048 decim al) for I P it self, or 0x0806 ( 2054 decim al) for t he Address Resolut ion Prot ocol ( ARP) . Bot h RFC 1042 and 802.1H are derivat ives of 802.2's sub- net work access prot ocol ( SNAP) . The MAC addresses are copied int o t he beginning of t he encapsulat ion fram e, and t hen a SNAP header is

insert ed. SNAP headers begin wit h a dest inat ion service access point ( DSAP) and a source service access point ( SSAP) . Aft er t he addresses, SNAP includes a Cont rol header. Like high- level dat a link cont rol ( HDLC) and it s progeny, t he Cont rol field is set t o 0x03 t o denot e unnum bered inform at ion ( UI ) , a cat egory t hat m aps well t o t he best - effort delivery of I P dat agram s. The last field insert ed by SNAP is an organizat ionally unique ident ifier ( OUI ) . I nit ially, t he I EEE hoped t hat t he 1- byt e service access point s would be adequat e t o handle t he num ber of net work prot ocols, but t his proved t o be an overly opt im ist ic assessm ent of t he st at e of t he world. As a result , SNAP copies t he t ype code from t he original Et hernet fram e. The only difference bet ween 802.1H and RFC 1042 is t he OUI used. At one point , m any product s offered t he opt ion t o swit ch bet ween t he t wo encapsulat ion st andards, t hough t his opt ion is m uch less com m on. Microsoft operat ing syst em s default t o using 802.1H for t he AppleTalk prot ocol suit e and I PX, and use RFC 1042 for all ot her prot ocols. Most access point s now conform t o t he Microsoft behavior, and no longer have an opt ion t o swit ch encapsulat ion t ype. I n fact , t he Microsoft encapsulat ion select ion is so widely support ed t hat it was part of t he Wi- Fi Alliance's cert ificat ion t est suit e at one point .

Contention-Based Data Service The addit ional feat ures incorporat ed int o 802.11 t o add reliabilit y lead t o a confusing t angle of rules about which t ypes of fram es are perm it t ed at any point . They also m ake it m ore difficult for net work adm inist rat ors t o know which fram e exchanges t hey can expect t o see on net works. This sect ion clarifies t he at om ic exchanges t hat m ove dat a on an 802.11 LAN. ( Most m anagem ent fram es are announcem ent s t o int erest ed part ies in t he area and t ransfer inform at ion in only one direct ion.) The exchanges present ed in t his sect ion are at om ic, which m eans t hat t hey should be viewed as a single unit . Two dist inct set s of at om ic exchanges are defined by 802.11. One is used by t he DCF for cont ent ion- based service; t hose exchanges are described in t his chapt er. A second set of exchanges is specified for use wit h t he PCF for cont ent ion- free services. Fram e exchanges used wit h cont ent ionfree services are int ricat e and harder t o underst and. Since very few ( if any) com m ercial product s im plem ent cont ent ion- free service, t hese exchanges are not described. Fram e exchanges under t he DCF dom inat e t he 802.11 MAC. According t o t he rules of t he DCF, all product s are required t o provide best - effort delivery. To im plem ent t he cont ent ion- based MAC, st at ions process MAC headers for every fram e while t hey are act ive. Exchanges begin wit h a st at ion seizing an idle m edium aft er t he DI FS.

Broadcast and Multicast Data or Management Frames Broadcast and m ult icast fram es, which can also be referred t o as group fram es because t hey are dest ined for m ore t han one receiving st at ion, have t he sim plest fram e exchanges because t here is no acknowledgm ent . Fram ing and addressing are som ewhat m ore com plex in 802.11, so t he t ypes of fram es t hat m at ch t his rule are t he following: Broadcast dat a fram es wit h a broadcast address in t he Address 1 field Mult icast dat a fram es wit h a m ult icast address in t he Address 1 field Broadcast m anagem ent fram es wit h a broadcast address in t he Address 1 field ( Beacon, Probe Request , and I BSS ATI M fram es) Fram es dest ined for group addresses cannot be fragm ent ed and are not acknowledged. The ent ire at om ic sequence is a single fram e, sent according t o t he rules of t he cont ent ion- based access cont rol. Aft er t he previous t ransm ission concludes, all st at ions wait for t he DI FS and begin count ing down t he random delay int ervals in t he cont ent ion window. Because t he fram e exchange is a single- fram e sequence, t he NAV is set t o 0. Wit h no furt her fram es t o follow, t here is no need t o use t he virt ual carrier- sense m echanism t o lock ot her st at ions out of using t he m edium . Aft er t he fram e is t ransm it t ed, all st at ions wait t hrough t he DI FS and begin count ing down t hrough t he cont ent ion window for any deferred fram es. See Figure 3- 14.

Figu r e 3 - 1 4 . Br oa dca st / m u lt ica st da t a a n d br oa dca st m a n a ge m e n t a t om ic fr a m e e x ch a n ge

Depending on t he environm ent , fram es sent t o group addresses m ay have lower service qualit y because t he fram es are not acknowledged. Som e st at ions m ay t herefore m iss broadcast or m ult icast t raffic, but t here is no facilit y built int o t he MAC for ret ransm it t ing broadcast or m ult icast fram es.

Unicast Frames Fram es t hat are dest ined for a single st at ion are called direct ed dat a by t he 802.11 st andard. This book uses t he m ore com m on t erm unicast . Unicast fram es m ust be acknowledged t o ensure reliabilit y, which m eans t hat a variet y of m echanism s can be used t o im prove efficiency. All t he sequences in t his sect ion apply t o any unicast fram e and t hus can apply t o m anagem ent fram es and dat a fram es. I n pract ice, t hese operat ions are usually observed only wit h dat a fram es.

Basic positive acknowledgment (final fragment) Reliable t ransm ission bet ween t wo st at ions is based on sim ple posit ive acknowledgm ent s. Unicast dat a fram es m ust be acknowledged, or t he fram e is assum ed t o be lost . The m ost basic case is a single fram e and it s accom panying acknowledgm ent , as shown in Figure 3- 15.

Figu r e 3 - 1 5 . Ba sic posit ive a ck n ow le dgm e n t of da t a

The fram e uses t he NAV t o reserve t he m edium for t he fram e, it s acknowledgm ent , and t he int ervening SI FS. By set t ing a long NAV, t he sender locks t he virt ual carrier for t he ent ire sequence, guarant eeing t hat t he recipient of t he fram e can send t he acknowledgm ent . Because t he sequence concludes wit h t he ACK, no furt her virt ual carrier locking is necessary, and t he NAV in t he ACK is set t o 0.

Fragmentation

Many higher- layer net work prot ocols, including I P, incorporat e fragm ent at ion. The disadvant age of net work- layer fragm ent at ion is t hat reassem bly is perform ed by t he final dest inat ion; if any of t he fragm ent s are lost , t he ent ire packet m ust be ret ransm it t ed. Link layers m ay incorporat e fragm ent at ion t o boost speed over a single hop wit h a sm all MTU. [ * ] 802.11 can also use fragm ent at ion t o help avoid int erference. Radio int erference is oft en in t he form of short , high- energy burst s and is frequent ly synchronized wit h t he AC power line. Breaking a large fram e int o sm all fram es allows a larger percent age of t he fram es t o arrive undam aged. The basic fragm ent at ion schem e is shown in Figure 3- 16. [*]

This is the approach used by Multi-link PPP (RFC 1990).

The last t wo fram es exchanged are t he sam e as in t he previous sequence, and t he NAV is set ident ically. However, all fram es prior t o t he penult im at e fram e use t he NAV t o lock t he m edium for t he next fram e. The first dat a fram e set s t he NAV for a long enough period t o accom m odat e it s ACK, t he next fragm ent , and t he acknowledgm ent following t he next fragm ent . To indicat e t hat it is a fragm ent , t he MAC set s t he More Fragm ent s bit in t he fram e cont rol field t o 1. All nonfinal ACKs cont inue t o ext end t he lock for t he next dat a fragm ent and it s ACK. Subsequent dat a fram es t hen

Figu r e 3 - 1 6 . Fr a gm e n t a t ion

cont inue t o lengt hen t he NAV t o include successive acknowledgm ent s unt il t he final dat a fram e, which set s t he More Fragm ent s bit t o 0, and t he final ACK, which set s t he NAV t o 0. No lim it is placed on t he num ber of fragm ent s, but t he t ot al fram e lengt h m ust be short er t han any const raint placed on t he exchange by t he PHY. Fragm ent at ion is cont rolled by t he fragm ent at ion t hreshold param et er in t he MAC. Most net work card drivers allow you t o configure t his param et er. Any fram es larger t han t he fragm ent at ion t hreshold are fragm ent ed in an im plem ent at ion- dependent way. Net work adm inist rat ors can change t he fragm ent at ion t hreshold t o t une net work behavior. Higher fragm ent at ion t hresholds m ean t hat fram es are delivered wit h less overhead, but t he cost t o a lost or dam aged fram e is m uch higher because m ore dat a m ust be discarded and ret ransm it t ed. Low fragm ent at ion t hresholds have m uch higher overhead, but t hey offer increased robust ness in t he face of host ile condit ions.

RTS/CTS

To guarant ee reservat ion of t he m edium and unint errupt ed dat a t ransm ission, a st at ion can use t he RTS/ CTS exchange. Figure 3- 17 shows t his process. The RTS/ CTS exchange act s exact ly like t he init ial exchange in t he fragm ent at ion case, except t hat t he RTS fram e does not carry dat a. The NAV in t he RTS allows t he CTS t o com plet e, and t he CTS is used t o reserve access for t he dat a fram e. RTS/ CTS can be used for all fram e exchanges, none of t hem , or som et hing in bet ween. Like fragm ent at ion, RTS/ CTS behavior is cont rolled by a t hreshold set in t he driver soft ware. Fram es larger t han t he t hreshold are preceded by an RTS/ CTS exchange t o clear t he m edium , while sm aller fram es are sim ply t ransm it t ed.

Figu r e 3 - 1 7 . RTS/ CTS lock ou t

RTS/CTS with fragmentation I n pract ice, t he RTS/ CTS exchange is oft en com bined wit h fragm ent at ion ( Figure 3- 18) . Fragm ent ed fram es are usually quit e long and t hus benefit from t he use of t he RTS/ CTS procedure t o ensure exclusive access t o t he m edium , free from cont ent ion from hidden nodes. Som e vendors set t he default fragm ent at ion t hreshold t o be ident ical t o t he default RTS/ CTS t hreshold.

Figu r e 3 - 1 8 . RTS/ CTS w it h fr a gm e n t a t ion

Powersaving Sequences The m ost power- hungry com ponent s in RF syst em s are t he am plifiers used t o boost a signal im m ediat ely prior t o t ransm ission and t o boost t he received signal t o an int elligible level im m ediat ely aft er it s recept ion. 802.11 st at ions can m axim ize bat t ery life by shut t ing down t he radio t ransceiver and sleeping periodically. During sleeping periods, access point s buffer any unicast fram es for sleeping st at ions. These fram es are announced by subsequent Beacon fram es. To ret rieve buffered fram es, newly awakened st at ions use PS- Poll fram es. An access point t hat receives a PS- Poll fram e m ay respond wit h t he request ed dat a im m ediat ely, or at it s leisure when circum st ances perm it . I n som e cases, t he PS- Poll response is det erm ined by t he 802.11 chipset vendor in t he AP. Som e chipset vendors support bot h m odes, while ot hers support only one. 802.11 only requires t hat one m et hod be support ed; bot h approaches are equally st andards- com pliant .

Immediate response Access point s can respond im m ediat ely t o t he PS- Poll. Aft er a short int erfram e space, an access point m ay t ransm it t he fram e. Figure 3- 19 shows an im plied NAV as a result of t he PS- Poll fram e. The PSPoll fram e cont ains an Associat ion I D in t he Durat ion/ I D field so t hat t he access point can det erm ine which fram es were buffered for t he m obile st at ion. However, t he MAC specificat ion requires all st at ions receiving a PS- Poll t o updat e t he NAV wit h an im plied value equal t o a short int erfram e space and one ACK. Alt hough t he NAV is t oo short for t he dat a fram e, t he access point acquires t hat t he m edium and all st at ions defer access for t he ent ire dat a fram e. At t he conclusion of t he dat a fram e, t he NAV is updat ed t o reflect t he value in t he header of t he dat a fram e.

Figu r e 3 - 1 9 . I m m e dia t e PS- Poll r e spon se

I f t he buffered fram e is large, it m ay require fragm ent at ion. Figure 3- 20 illust rat es an im m ediat e PSPoll response requiring fragm ent at ion. Like all ot her st at ions, access point s t ypically have a configurable fragm ent at ion t hreshold.

Deferred response

I nst ead of an im m ediat e response, access point s can also respond wit h a sim ple acknowledgm ent . This is called a deferred response because t he access point acknowledges t he request for t he buffered fram e but does not act on it im m ediat ely. One of t he advant ages of using deferred response is t hat t he soft ware on t he access point is som ewhat easier t o im plem ent because t he acknowledgm ent can be

Figu r e 3 - 2 0 . I m m e dia t e PS- Poll r e spon se w it h fr a gm e n t a t ion

t ransm it t ed im m ediat ely by t he chipset firm ware, and t he buffered dat a m ay be queued for t ransm ission norm ally. A st at ion request ing a fram e wit h a PS- Poll m ust st ay awake unt il it is delivered. Under cont ent ionbased service, however, t he access point can deliver a fram e at any point . A st at ion cannot ret urn t o a low- power m ode unt il it receives a Beacon fram e in which it s bit in t he t raffic indicat ion m ap ( TI M) is clear. Figure 3- 21 illust rat es t his process. I n t his figure, t he st at ion has recent ly changed from a low- power m ode t o an act ive m ode, and it not es t hat t he access point has buffered fram es for it . I t t ransm it s a PS- Poll t o t he access point t o ret rieve t he buffered fram es. However, t he access point m ay choose t o defer it s response by t ransm it t ing only an ACK. At t his point , t he access point has acknowledged t he st at ion's request for buffered fram es and prom ised t o deliver t hem at som e point in t he fut ure. The st at ion m ust wait in act ive m ode, perhaps t hrough several at om ic fram e exchanges, before t he access point delivers t he dat a. A buffered fram e m ay be subj ect t o fragm ent at ion, alt hough Figure 321 does not illust rat e t his case.

Figu r e 3 - 2 1 . D e fe r r e d PS- Poll r e spon se e x a m ple

Aft er receiving a dat a fram e, t he st at ion m ust rem ain awake unt il t he next Beacon is t ransm it t ed. Beacon fram es only not e whet her fram es are buffered for a st at ion and have no way of indicat ing t he num ber of fram es. Once t he st at ion receives a Beacon fram e indicat ing t hat no m ore t raffic is buffered, it can conclude t hat it has received t he last buffered fram e and ret urn t o a low- power m ode.

Multirate Support Net work t echnologies t hat operat e at a variet y of different speeds m ust have a m et hod of negot iat ing a m ut ually accept able dat a rat e. Speed negot iat ion is part icularly t hat are available t o st at ions. St at ions m ay also change speed frequent ly in response t o rapid changes in t he radio environm ent . As t he dist ance bet ween st at ions varies, t he speed will vary as well. St at ions m ust adapt t o t he changing environm ent by alt ering t ransm ission speed as necessary. As wit h m any ot her prot ocol feat ures, t he 802.11 st andards do not specify how a rat e is select ed. General rules are laid down by t he st andard, and vendors have a great deal of freedom in im plem ent ing t he det ails. There are a few general rules t hat are required of all st at ions:

1 . Every st at ion m aint ains a list of operat ional rat es, which is t he list of rat es t hat are support ed by bot h t he st at ion and t he BSS serving it . ( A BSS t ypically corresponds t o an access point , but newer product s m ay offer t he abilit y t o cust om ize operat ional rat es on a " virt ual AP" basis.) No fram es m ay be t ransm it t ed at a rat e t hat is higher t han any rat e in t he operat ional rat e set . 2 . Every BSS m ust also m aint ain a basic rat e set , which is a list of dat a rat es t hat m ust be support ed by every st at ion j oining t he BSS. Any fram e sent t o a group receiver address m ust be t ransm it t ed at a basic rat e, ensuring t hat all st at ions can dem odulat e it correct ly. 3 . Cont rol fram es t hat st art a fram e exchange, such as RTS and CTS fram es, m ust also be t ransm it t ed at one of t he rat es in t he basic rat e set . This rule ensures t hat a st at ion which m ust t ransm it a CTS fram e in response t o an RTS fram e can do so at t he sam e rat e. Cont rol fram es m ay be used in a backwards- com pat iblit y m ode called prot ect ion ( see Chapt er 14 ) . Prot ect ion m ode is int ended t o prevent int erference bet ween a st at ion support ing only an older, slower radio m odulat ion and a newer st at ion t hat support s fast er radio m odulat ions. Prot ect ion fram es m ust be t ransm it t ed using older m odulat ions if t here are st at ions incapable of using newer m odulat ions in t he area. 4 . Fram es dest ined for a single st at ion will have a unicast dest inat ion address in t he Address 1 field of t he fram e. Unicast fram es can be t ransm it t ed at any rat e which is known t o be support ed by t he dest inat ion. Select ion of t he dat a rat e is not specified by any 802.11 st andard. Fram es used in t he cont ent ion- free period ( see Chapt er 9) m ay serve m ult iple purposes. I f a fram e includes an ACK, it is int ended for t he previous t ransm it t er rat her t han t he fram e recipient . The t ransm it t er m ust ensure t hat t he fram e is t ransm it t ed at a rat e support ed by bot h t he receiver and t he st at ion t he ACK is int ended for. 5 . Response fram es, such as acknowledgm ent s or CTS fram es, m ust be t ransm it t ed at a rat e in t he basic rat e set , but no fast er t han t he init ial fram e in t he sequence was t ransm it t ed. Response fram es m ust use t he sam e m odulat ion as t he init ial fram e ( DSSS, CCK, or OFDM) . [ * ] [* ]

This is not always st rict ly obeyed. One chipset vendor always t ries t o t ransm it ACK fram es at 24 Mbps because it is usually t he highest m andat ory dat a rat e.

Rate selection and fallback Every 802.11 int erface on t he m arket support s som e sort of rat e fallback m echanism , which st eps down t he dat a rat e in response t o adverse net work condit ions. Rat e select ion behavior also det erm ines when a card det erm ines t hat it should upgrade it s dat a rat e due t o im proved link qualit y. Exact ly how an 802.11 st at ion det erm ines it should go t o a lower rat e ( or a higher rat e) is not specified, so t he im plem ent at ion of rat e select ion is left t o chipset vendors. Nearly every chipset has it s own rat e select ion m echanism , and as a result , m ost 802.11 int erfaces behave different ly. Rat e select ion behavior is program m able, and is cont rolled by t he code t hat runs t he int erface. I t m ay be alt ered by driver version changes or firm ware changes t o an int erface. The m ost com m on algorit hm s used t o det erm ine when t o change t he dat a rat e depend on som e loose m easurem ent of signal qualit y. Signal qualit y m ay be m easured direct ly by t he signal- t o- noise rat io, or indirect ly by observing how m any fram es require ret ransm ission. Direct m easurem ent s of signal- t o- noise rat ios m ay be an inst ant aneous m easurem ent of t he last fram e, or t hey m ay be averaged over som e recent period or num ber of recent ly received fram es. Som e chipset s use a direct m easurem ent of signal- t o- noise rat io, but will convert it int o a " signal qualit y" m easurem ent first . As t he signal qualit y drops, t he chip reduces t he dat a rat e t o com pensat e. [ ] [

] The signal quality measurement is often used to make roaming decisions when stations move between APs, though no standard specifies how or even whether signal quality is an input to the algorithm.

I ndirect m easurem ent s m ay m onit or inst ant aneous or average fram e loss, and com pensat e appropriat ely. A sim ple algorit hm using indirect m easurem ent is " if t he fram e is lost and t he fram e ret ry count er is exhaust ed, st ep down t o t he next dat a rat e and t ry again; repeat unt il t he fram e is delivered or t he slowest dat a rat e is unable t o successfully deliver." Chipset s t hat perform indirect signal qualit y m easurem ent s m ay m ake som e m odificat ions t o avoid a t im e- consum ing st ep down t hrough all t he rat es support ed by t he PHY, especially since recent chipset s support a great num ber of rat es, and t he t im e t o ret ry at t he slower rat es is ext rem ely t im e- consum ing.

Frame Processing and Bridging At t he core, a wireless access point is a glorified bridge t hat t ranslat es fram es bet ween a wireless m edium and a wired m edium . Alt hough 802.11 does not place any const raint on t he wired m edium 's t echnology, I am not aware of an access point t hat does not use Et hernet . Most access point s are designed as 802.11- t o- Et hernet bridges, so it is im port ant t o underst and t he way t hat fram es are t ransferred bet ween t he t wo m edia. See Figure 3- 22.

Figu r e 3 - 2 2 . Tr a n sla t in g fr a m e s be t w e e n a w ir e le ss a n d a w ir e d m e diu m

Wireless Medium to Wired Medium (802.11 to Ethernet) When a fram e is received on t he wireless int erface of an access point bound for t he wired net work, t he access point m ust bridge t he fram e bet ween t he t wo m edia. I nform ally, t his is t he series of t asks perform ed by t he access point :

1 . When a fram e is received at t he access point , it first checks for basic int egrit y. Physical layer headers t hat are discussed in t he chapt ers for t heir respect ive physical layers are checked, and t he FCS on t he 802.11 fram e is validat ed. 2 . Aft er verifying t hat t he fram e was likely received wit hout error, t he access point checks whet her it should process t he fram e furt her.

a . Fram es sent t o an access point have t he MAC address of t he AP ( t he BSSI D) in t he Address 1 field of t he 802.11 MAC header. Fram es t hat do not m at ch t he BSSI D of t he AP should be discarded. ( This st ep is not im plem ent ed by m any product s.) b. The 802.11 MAC det ect s and rem oves duplicat e fram es. Fram es m ay be duplicat ed for a variet y of reasons, but one of t he m ost com m on is t hat t he 802.11 acknowledgm ent is lost or corrupt ed in t ransit . To sim plify higher- level processing, t he 802.11 MAC is responsible for filt ering out duplicat e fram es. 3 . Once t he access point det erm ines t he fram e should be processed furt her, it m ust decrypt fram es prot ect ed by a link layer securit y algorit hm . Det ails of t he decrypt ion can be found in subsequent chapt ers on securit y. 4 . Once t he fram e is successfully decrypt ed, it is checked t o see if it is a const it uent fragm ent of a larger fram e t hat requires reassem bly. Reassem bled fram es are subj ect t o int egrit y prot ect ion on t he whole reassem bled unit , rat her t han t he individual com ponent s. 5 . I f t he AP should bridge t he fram e, as det erm ined by t he BSSI D check in st ep 2a, t he relat ively com plex wireless MAC header is t ranslat ed int o t he sim ple Et hernet MAC header.

a . The dest inat ion address, which is found in t he Address 3 field of t he 802.11 MAC header, is copied t o t he Et hernet dest inat ion address. b. The source address, which is found in t he Address 2 field of t he 802.11 MAC header, is copied t o t he Et hernet source address. c. The Et hernet t ype code is copied from t he SNAP header in t he 802.11 Dat a field t o t he Type code in t he Et hernet fram e. I f t he Et hernet fram e uses SNAP as well, t he ent ire SNAP header can be copied. d. Sequence inform at ion is used in fragm ent at ion reassem bly, but is discarded when t he fram e is bridged. e . When qualit y of service processing is st andardized, t he QoS m apping from t he wireless int erface t o t he wired int erface will occur here. For t he m om ent , t hough, it sufficies t o say t hat it m ay t ake t he form of an 802.1p priorit izat ion bit on t he wired fram e, or som e ot her form of cont rol. 6 . The FCS is recalculat ed. Bot h Et hernet and 802.11 use t he sam e algorit hm t o calculat e t he FCS, but t he 802.11 fram e has several ext ra fields t hat are prot ect ed by t he FCS. 7 . The new fram e is t ransm it t ed on t he Et hernet int erface.

Wired Medium to Wireless Medium (Ethernet to 802.11)

Bridging fram es from t he wired side of an access point t o t he wireless m edium is quit e sim ilar t o t he reverse process:

1 . Aft er validat ing t he Et hernet FCS, t he access point first checks t hat a received fram e should be processed furt her by checking t hat t he dest inat ion address belongs t o a st at ion current ly associat ed wit h t he access point . 2 . The SNAP header is prepended t o t he dat a in t he Et hernet fram e. The higher- level packet is encapsulat ed wit hin a SNAP header whose Type code is copied from t he Et hernet t ype code. I f t he Et hernet fram e uses SNAP as well, t he ent ire SNAP header can be copied. 3 . The fram e is scheduled for t ransm ission. 802.11 includes com plex powersaving operat ions t hat m ay cause an access point t o hold t he fram e in a buffer before placing it on t he t ransm it queue. Powersaving operat ions are described in Chapt er 8. 4 . Once a fram e has been queued for t ransm ission, it is assigned a sequence num ber. The result ing dat a is prot ect ed by an int egrit y check, if required. I f fragm ent at ion is required, t he fram e will be split according t o t he configured fragm ent at ion t hreshold. I f t he fram e is fragm ent ed, fragm ent num bers in t he Sequence Cont rol field will also be assigned. 5 . I f fram e prot ect ion is required, t he body of t he fram e ( or each fragm ent ) is encrypt ed. 6 . The 802.11 MAC header is const ruct ed from t he Et hernet MAC header.

a . The Et hernet dest inat ion address is copied t o t he Address 1 field of t he 802.11 MAC header. b. The BSSI D is placed in t he Address 2 field of t he MAC header, as t he sender of t he fram e on t he wireless m edium . c. The source address of t he fram e is copied t o t he Address 3 field of t he MAC header. d. Ot her fields in t he 802.11 MAC header are filled in. The expect ed t ransm ission t im e will be placed in t he Durat ion field and t he appropriat e flags are filled in in t he Fram e Cont rol field. 7 . The FCS is recalculat ed. Bot h Et hernet and 802.11 use t he sam e algorit hm t o calculat e t he FCS, but t he 802.11 fram e has several ext ra fields t hat are prot ect ed by t he FCS. 8 . The new fram e is t ransm it t ed on t he 802.11 int erface.

Quality of Service Extensions Qualit y of service ext ensions m ay affect t he order in which fram es are t ransm it t ed, but it does not alt er t he basic pat h t hat a fram e t akes t hrough t he 802.11 MAC. Rat her t han using a single t ransm it queue, t he 802.11e qualit y of service ext ensions will have m ult iple t ransm it queues operat ing at st eps 4, 5, and 7 of t he wired- t o- wireless bridging procedure described above. At each of t hose st eps, fram es are processed in a priorit y order t hat can be affect ed by t he cont ent s of t he fram e and locally configured priorit izat ion rules.

Chapter 4. 802.11 Framing in Detail Chapt er 3 present ed t he basic fram e st ruct ure and t he fields t hat com prise it , but it did not go int o det ail about t he different fram e t ypes. Et hernet fram ing is a sim ple m at t er: add a pream ble, som e addressing inform at ion, and t ack on a fram e check at t he end. 802.11 fram ing is m uch m ore involved because t he wireless m edium requires several m anagem ent feat ures and corresponding fram e t ypes not found in wired net works. Three m aj or fram e t ypes exist . Dat a fram es are t he pack horses of 802.11, hauling dat a from st at ion t o st at ion. Several different dat a fram e flavors can occur, depending on t he net work. Cont rol fram es are used in conj unct ion wit h dat a fram es t o perform area- clearing operat ions, channel acquisit ion and carrier- sensing m aint enance funct ions, and posit ive acknowledgm ent of received dat a. Cont rol and dat a fram es work in conj unct ion t o deliver dat a reliably from st at ion t o st at ion. Managem ent fram es perform supervisory funct ions; t hey are used t o j oin and leave wireless net works and m ove associat ions from access point t o access point . This chapt er is int ended t o be a reference. There is only so m uch life any aut hor can breat he int o fram ing det ails, no m at t er how m uch effort is expended t o m ake t he det ails int erest ing. Please feel free t o skip t his chapt er in it s ent iret y and flip back when you need in- dept h inform at ion about fram e st ruct ure. Wit h rare except ion, det ailed fram ing relat ionships generally do not fall int o t he cat egory of " som et hing a net work adm inist rat or needs t o know." This chapt er t ends t o be a bit acronym - heavy as well, so refer t o t he glossary at t he back of t he book if you do not recognize an acronym .

Data Frames Dat a fram es carry higher- level prot ocol dat a in t he fram e body. Figure 4- 1 shows a generic dat a fram e. Depending on t he part icular t ype of dat a fram e, som e of t he fields in t he figure m ay not be used.

Figu r e 4 - 1 . Ge n e r ic da t a fr a m e

The different dat a fram e t ypes can be cat egorized according t o funct ion. One such dist inct ion is bet ween dat a fram es used for cont ent ion- based service and t hose used for cont ent ion- free service. Any fram es t hat appear only in t he cont ent ion- free period can never be used in an I BSS. Anot her possible division is bet ween fram es t hat carry dat a and fram es t hat perform m anagem ent funct ions. Table 4- 1 shows how fram es m ay be divided along t hese lines. Fram es used in cont ent ion- free service are discussed in det ail in Chapt er 9.

Ta ble 4 - 1 . Ca t e gor iza t ion of da t a fr a m e t ype s

Fr a m e t ype

Con t e n t ion - ba se d se r vice

Con t e n t ion - fr e e se r vice

Ca r r ie s da t a

D oe s n ot ca r r y da t a

Dat a Dat a+ CF- Ack Dat a+ CF- Poll

AP only

Dat a+ CF- Ack+ CFPoll

AP only

Null CF- Ack CF- Poll

AP only

CF- Ack+ CF- Poll

AP only

Frame Control All t he bit s in t he Fram e Cont rol field are used according t o t he rules described in Chapt er 3. Fram e

Cont rol bit s m ay affect t he int erpret at ion of ot her fields in t he MAC header, t hough. Most not able are t he address fields, which depend on t he value of t he ToDS and From DS bit s.

Duration The Durat ion field carries t he value of t he Net work Allocat ion Vect or ( NAV) . Access t o t he m edium is rest rict ed for t he t im e specified by t he NAV. Four rules specify t he set t ing for t he Durat ion field in dat a fram es:

1 . Any fram es t ransm it t ed during t he cont ent ion- free period set t he Durat ion field t o 32,768. Nat urally, t his applies t o any dat a fram es t ransm it t ed during t his period. 2 . Fram es t ransm it t ed t o a broadcast or m ult icast dest inat ion ( Address 1 has t he group bit set ) have a durat ion of 0. Such fram es are not part of an at om ic exchange and are not acknowledged by receivers, so cont ent ion- based access t o t he m edium can begin aft er t he conclusion of a broadcast or m ult icast dat a fram e. The NAV is used t o prot ect access t o t he t ransm ission m edium for a fram e exchange sequence. Wit h no link- layer acknowledgm ent following t he t ransm ission of a broadcast or m ult icast fram e, t here is no need t o lock access t o t he m edium for subsequent fram es. 3 . I f t he More Fragm ent s bit in t he Fram e Cont rol field is 0, no m ore fragm ent s rem ain in t he fram e. The final fragm ent need only reserve t he m edium for it s own ACK, at which point cont ent ion- based access resum es. The Durat ion field is set t o t he am ount of t im e required for one short int erfram e space and t he fragm ent acknowledgm ent . Figure 4- 2 illust rat es t his process. The penult im at e fragm ent 's Durat ion field locks access t o t he m edium for t he t ransm ission of t he last fragm ent .

Figu r e 4 - 2 . D u r a t ion se t t in g on fin a l fr a gm e n t

4 . I f t he More Fragm ent s bit in t he Fram e Cont rol field is set t o 1, m ore fragm ent s rem ain. The Durat ion field is set t o t he am ount of t im e required for t ransm ission of t wo acknowledgm ent s, plus t hree short int erfram e spaces, plus t he t im e required for t he next fragm ent . I n essence, nonfinal fragm ent s set t he NAV j ust like an RTS would ( Figure 4- 3 ) ; for t his reason, t hey are referred t o as a virt ual RTS.

Figu r e 4 - 3 . D u r a t ion se t t in gs on n on fin a l fr a gm e n t

Addressing and DS Bits The num ber and funct ion of t he address fields depends on which of t he dist ribut ion syst em bit s are set , so t he use of t he address fields indirect ly depends on t he t ype of net work deployed. Table 4- 2 sum m arizes t he use of t he address fields in dat a fram es. The fourt h address field is only used by wireless bridges, and is t herefore relat ively uncom m on.

Ta ble 4 - 2 . Use of t h e a ddr e ss fie lds in da t a fr a m e s Fu n ct ion

ToD S Fr om D S

Addr e ss 1 ( r e ce iv e r )

Addr e ss 2 ( t r a n sm it t e r )

Addr e ss 3

Addr e ss 4

I BSS

0

0

DA

SA

BSSI D

Not used

To AP ( infra.)

1

0

BSSI D

SA

DA

Not used

From AP ( infra.)

0

1

DA

BSSI D

SA

Not used

WDS ( bridge)

1

1

RA

TA

DA

SA

Address 1 indicat es t he receiver of t he fram e. I n m any cases, t he receiver is t he dest inat ion, but not always. The dest inat ion is t he st at ion t hat will process t he net work- layer packet cont ained in t he fram e; t he receiver is t he st at ion t hat will at t em pt t o decode t he radio waves int o an 802.11 fram e. I f Address 1 is set t o a broadcast or m ult icast address, t he BSSI D is also checked. St at ions respond only t o broadcast s and m ult icast s originat ing in t he sam e basic service set ( BSS) ; t hey ignore broadcast s and m ult icast s from different BSSI Ds. [ * ] Address 2 is t he t ransm it t er address and is used t o send acknowledgm ent s. Transm it t ers are not necessarily senders. The sender is t he fram e t hat generat ed t he net work- layer prot ocol packet in t he fram e; t he t ransm it t er put t he fram e on t o t he radio link. The Address 3 field is used for filt ering by access point s and t he dist ribut ion syst em , but t he use of t he field depends on t he part icular t ype of net work used. [*]

Not all cards perform this BSSID filtering correctly. Many products will pass all broadcasts up to higher protocol layers without validating the BSSID first.

I n t he case of an I BSS, no access point s are used, and no dist ribut ion syst em is present . The t ransm it t er is t he source, and t he receiver is t he dest inat ion. All fram es carry t he BSSI D so t hat st at ions m ay check broadcast s and m ult icast s; only st at ions t hat belong t o t he sam e BSS will process broadcast s and m ult icast s. I n an I BSS, t he BSSI D is creat ed by a random - num ber generat or.

802.11 draws a dist inct ion bet ween t he source and t ransm it t er and a parallel dist inct ion bet ween t he dest inat ion and t he receiver. The t ransm it t er sends a fram e on t o t he wireless m edium but does not necessarily creat e t he fram e. A sim ilar dist inct ion holds for dest inat ion addresses and receiver addresses. A receiver m ay be an int erm ediat e dest inat ion, but fram es are processed by higher prot ocol levels only when t hey reach t he dest inat ion.

The BSSID I n t he PS- Poll fram e, t he Durat ion/ I D field is an associat ion I D rat her t han a value used by t he virt ual carrier- sensing funct ion. When m obile st at ions associat e wit h an access point , t he access point assigns a value called t he Associat ion I D ( AI D) from t he range 12,007. The AI D is used for a variet y of purposes t hat appear t hroughout t his book. Each BSS is assigned a BSSI D, a 48- bit binary ident ifier t hat dist inguishes it from ot her BSSs t hroughout t he net work. The m aj or advant age of t he BSSI D is filt ering. Several dist inct 802.11 net works m ay overlap physically, and t here is no reason for one net work t o receive link- layer broadcast s from a physically overlapping net work. I n an infrast ruct ure BSS, t he BSSI D is t he MAC address of t he wireless int erface in t he access point creat ing t he BSS. I BSSs m ust creat e BSSI Ds for net works brought int o exist ence. To m axim ize t he probabilit y of creat ing a unique address, 46 random bit s are generat ed for t he BSSI D. The Universal/ Local bit for t he new BSSI D is set t o 1, indicat ing a local address, and t he I ndividual/ Group bit is set t o 0. For t wo dist inct I BSSs t o creat e t he sam e BSSI D, t hey would need t o generat e an ident ical random 46 bit s. One BSSI D is reserved. The all- 1s BSSI D is t he broadcast BSSI D. Fram es t hat use t he broadcast BSSI D pass t hrough any BSSI D filt ering in t he MAC. BSSI D broadcast s are used only when m obile st at ions t ry t o locat e a net work by sending probe request s. I n order for probe fram es t o det ect t he exist ence of a net work, t hey m ust not be filt ered by t he BSSI D filt er. Probe fram es are t he only fram es allowed t o use t he broadcast BSSI D.

To expand on t hese dist inct ions, consider t he use of t he address fields in infrast ruct ure net works. Figure 4- 4 shows a sim ple net work in which a wireless client is connect ed t o a server t hrough an 802.11 net work. Fram es sent by t he client t o t he server use t he address fields as specified in t he second line of Table 4- 2.

Figu r e 4 - 4 . Addr e ss fie ld u sa ge in fr a m e s t o t h e dist r ibu t ion syst e m

I n t he case of fram es bound for a dest inat ion on t he dist ribut ion syst em , t he client is bot h source and t ransm it t er. The receiver of t he wireless fram e is t he access point , but t he access point is only an int erm ediat e dest inat ion. When t he fram e reaches t he access point , it is relayed t o t he dist ribut ion syst em t o reach t he server. Thus, t he access point is t he receiver, and t he ( ult im at e) dest inat ion is t he server. I n infrast ruct ure net works, access point s creat e associat ed BSSs wit h t he address of t heir wireless int erfaces, which is why t he receiver address ( Address 1) is set t o t he BSSI D. When t he server replies t o t he client , fram es are t ransm it t ed t o t he client t hrough t he access point , as in Figure 4- 5 . This scenario corresponds t o t he t hird line in Table 4- 2.

Figu r e 4 - 5 . Addr e ss fie ld u sa ge in fr a m e s fr om t h e dist r ibu t ion syst e m

Fram es are creat ed by t he server, so t he server's MAC address is t he source address for fram es. When fram es are relayed t hrough t he access point , t he access point uses it s wireless int erface as t he t ransm it t er address. As in t he previous case, t he access point 's int erface address is also t he BSSI D. Fram es are ult im at ely sent t o t he client , which is bot h t he dest inat ion and receiver. The fourt h line in Table 4- 2 shows t he use of t he address fields in a wireless dist ribut ion syst em ( WDS) , which is som et im es called a wireless bridge. I n Figure 4- 6 , t wo wired net works are j oined by access point s act ing as wireless bridges. Fram es bound from t he client t o t he server t raverse t he 802.11 WDS. The source and dest inat ion addresses of t he wireless fram es rem ain t he client and server addresses. These fram es, however, also ident ify t he t ransm it t er and receiver of t he fram e on t he wireless m edium . For fram es bound from t he client t o t he server, t he t ransm it t er is t he client side access point , and t he receiver is t he server- side access point . Separat ing t he source from t he t ransm it t er allows t he server- side access point t o send required 802.11 acknowledgm ent s t o it s peer access point wit hout int erfering wit h t he wired link layer.

Figu r e 4 - 6 . W ir e le ss dist r ibu t ion syst e m

Variations on the Data Frame Theme 802.11 uses several different dat a fram e t ypes. Variat ions depend on whet her t he service is cont ent ion- based or cont ent ion- free. Cont ent ion- free fram es can incorporat e several funct ions for t he sake of efficiency. Dat a m ay be t ransm it t ed, but by changing t he fram e subt ype, dat a fram es in t he cont ent ion- free period m ay be used t o acknowledge ot her fram es, saving t he overhead of int erfram e spaces and separat e acknowledgm ent s. Here are t he different dat a fram e t ypes t hat are com m only used:

Dat a Fram es of t he Dat a subt ype are t ransm it t ed only during t he cont ent ion- based access periods. They are sim ple fram es wit h t he sole purpose of m oving t he fram e body from one st at ion t o anot her.

Null Null fram es [ * ] are a bit of an oddit y. They consist of a MAC header followed by t he FCS t railer. I n a t radit ional Et hernet , em pt y fram es would be ext raneous overhead; in 802. 11 net works, t hey are used by m obile st at ions t o inform t he access point of changes in power- saving st at us. When st at ions sleep, t he access point m ust begin buffering fram es for t he sleeping st at ion. I f t he m obile st at ion has no dat a t o send t hrough t he dist ribut ion syst em , it can use a Null fram e wit h t he Power Managem ent bit in t he Fram e Cont rol field set . Access point s never ent er power- saving m ode and do not t ransm it Null fram es. Usage of Null fram es is shown in Figure 4 - 7. [* ]

To indicat e t hat Null is used as t he fram e t ype from t he specificat ion rat her t han t he English word, it is capit alized. This convent ion will be followed t hroughout t he chapt er.

Figu r e 4 - 7 . D a t a fr a m e of su bt ype N u ll

Several ot her fram e t ypes exist for use wit hin t he cont ent ion- free period. However, cont ent ion- free service is not widely im plem ent ed; t he discussion of t he cont ent ion- free fram es ( Dat a+ CF- Ack, Dat a+ CF- Poll, Dat a+ CF- Ack+ CF- Poll, CF- Ack, CF- Poll, and CF- Ack+ CF- Poll) can be found in Chapt er 9.

Applied Data Framing The form of a dat a fram e can depend on t he t ype of net work. The act ual subt ype of t he fram e is det erm ined solely by t he subt ype field, not by t he presence or absence of ot her fields in t he fram e.

IBSS frames I n an I BSS, t hree address fields are used, as shown in Figure 4- 8 . The first address ident ifies t he receiver, which is also t he dest inat ion address in an I BSS. The second address is t he source address. Aft er t he source and dest inat ion addresses, dat a fram es in an I BSS are labeled wit h t he BSSI D. When t he wireless MAC receives a fram e, it checks t he BSSI D and passes only fram es in t he st at ion's current BSSI D t o higher prot ocol layers.

Figu r e 4 - 8 . I BSS da t a fr a m e

I BSS dat a fram es have t he subt ype dat a or Null; t he lat t er is used only t o com m unicat e power m anagem ent st at e.

Frames from the AP Figure 4- 9 shows t he form at of a fram e sent from an access point t o a m obile st at ion. As in all dat a fram es, t he first address field indicat es t he receiver of t he fram e on t he wireless net work, which is t he fram e's dest inat ion. The second address holds t he t ransm it t er address. On infrast ruct ure net works, t he t ransm it t er address is t he address of t he st at ion in t he access point , which is also t he BSSI D. Finally, t he fram e indicat es t he source MAC address of t he fram e. The split bet ween source and t ransm it t er is necessary because t he 802.11 MAC sends acknowledgm ent s t o t he fram e's t ransm it t er ( t he access point ) , but higher layers send replies t o t he fram e's source.

Figu r e 4 - 9 . D a t a fr a m e s fr om t h e AP

Not hing in t he 802.11 specificat ion forbids an access point from t ransm it t ing Null fram es, but t here is no reason t o t ransm it t hem . Access point s are forbidden from using t he power- saving rout ines, and t hey can acknowledge Null fram es from st at ions wit hout using Null fram es in response. I n pract ice, access point s send Dat a fram es during t he cont ent ion- based access period, and t hey send fram es incorporat ing t he CF- Poll feat ure during t he cont ent ion- free period.

Frames to the AP Figure 4- 10 shows t he form at of a fram e sent from a m obile st at ion in an infrast ruct ure net work t o t he access point current ly serving it . The receiver address is t he BSSI D. I n infrast ruct ure net works, t he BSSI D is t aken from t he MAC address of t he net work st at ion in t he access point . Fram es dest ined for an access point t ake t heir source/ t ransm it t er address from t he net work int erface in t he wireless st at ion. Access point s do not perform filt ering, but inst ead use t he t hird address t o forward dat a t o t he appropriat e locat ion in t he dist ribut ion syst em . Fram es from t he dist ribut ion syst em have t he ToDS bit set , but t he From DS bit is 0. Mobile st at ions in an infrast ruct ure net work cannot becom e t he point coordinat or, and t hus never send fram es t hat incorporat e t he cont ent ion- free polling ( CF- Poll) funct ions.

Frames in a WDS When access point s are deployed in a wireless bridge ( or WDS) t opology, all four address fields are used, as shown in Figure 4- 11. Like all ot her dat a fram es, WDS fram es use t he first address for t he receiver of t he fram e and t he second address for t he t ransm it t er. The MAC uses t hese t wo addresses for acknowledgm ent s and cont rol t raffic, such as RTS, CTS, and ACK fram es. Two m ore address fields are necessary t o indicat e t he source and dest inat ion of t he fram e and dist inguish t hem from t he addresses used on t he wireless link.

Figu r e 4 - 1 0 . D a t a fr a m e s t o t h e AP

Figu r e 4 - 1 1 . W D S fr a m e s

On a wireless bridging link, t here are no m obile st at ions, and t he cont ent ion- free period is not used. Access point s are forbidden t o ent er power- saving m odes, so t he power m anagem ent bit is always set t o 0.

Encrypted frames Fram es prot ect ed by link layer securit y prot ocols are not new fram e t ypes. When a fram e is handled by encrypt ion, t he Prot ect ed Fram e bit in t he Fram e Cont rol field is set t o 1, and t he Fram e Body field begins wit h t he appropriat e crypt ographic header described in Chapt ers 5 or Chapt er 7, depending on t he prot ocol.

Control Frames Cont rol fram es assist in t he delivery of dat a fram es. They adm inist er access t o t he wireless m edium ( but not t he m edium it self) and provide MAC- layer reliabilit y funct ions.

Common Frame Control Field All cont rol fram es use t he sam e Fram e Cont rol field, which is shown in Figure 4- 12.

Figu r e 4 - 1 2 . Fr a m e Con t r ol fie ld in con t r ol fr a m e s

Prot ocol version The prot ocol version is shown as 0 in Figure 4- 12 because t hat is current ly t he only version. Ot her versions m ay exist in t he fut ure.

Type Cont rol fram es are assigned t he Type ident ifier 01. By definit ion, all cont rol fram es use t his ident ifier .

Subt ype This field indicat es t he subt ype of t he cont rol fram e t hat is being t ransm it t ed.

ToDS and From DS bit s Cont rol fram es arbit rat e access t o t he wireless m edium and t hus can only originat e from wireless st at ions. The dist ribut ion syst em does not send or receive cont rol fram es, so t hese bit s are always 0.

More Fragm ent s bit

Cont rol fram es are not fragm ent ed, so t his bit is always 0.

Ret ry bit Cont rol fram es are not queued for ret ransm ission like m anagem ent or dat a fram es, so t his bit is always 0.

Power Managem ent bit This bit is set t o indicat e t he power m anagem ent st at e of t he sender aft er conclusion of t he current fram e exchange.

More Dat a bit The More Dat a bit is used only in m anagem ent and dat a fram es, so t his bit is set t o 0 in cont rol fram es.

Prot ect ed Fram e bit Cont rol fram es m ay not be encrypt ed. Thus, for cont rol fram es, t he Prot ect ed Fram e bit is always 0.

Order bit Cont rol fram es are used as com ponent s of at om ic fram e exchange operat ions and t hus cannot be t ransm it t ed out of order. Therefore, t his bit is set t o 0.

Request to Send (RTS) RTS fram es are used t o gain cont rol of t he m edium for t he t ransm ission of " large" fram es, in which " large" is defined by t he RTS t hreshold in t he net work card driver. Access t o t he m edium can be reserved only for unicast fram es; broadcast and m ult icast fram es are sim ply t ransm it t ed. The form at of t he RTS fram e is shown in Figure 4- 13. Like all cont rol fram es, t he RTS fram e is all header. No dat a is t ransm it t ed in t he body, and t he FCS im m ediat ely follows t he header.

Figu r e 4 - 1 3 . RTS fr a m e

Four fields m ake up t he MAC header of an RTS:

Fram e Cont rol There is not hing special about t he Fram e Cont rol field. The fram e subt ype is set t o 1011 t o indicat e an RTS fram e, but ot herwise, it has all t he sam e fields as ot her cont rol fram es. ( The m ost significant bit s in t he 802.11 specificat ion com e at t he end of fields, so bit 7 is t he m ost significant bit in t he subt ype field.)

Dur at ion An RTS fram e at t em pt s t o reserve t he m edium for an ent ire fram e exchange, so t he sender of an RTS fram e calculat es t he t im e needed for t he fram e exchange sequence aft er t he RTS fram e ends. The ent ire exchange, which is depict ed in Figure 4- 14, requires t hree SI FS periods, t he durat ion of one CTS, t he final ACK, plus t he t im e needed t o t ransm it t he fram e or first fragm ent . ( Fragm ent at ion burst s use subsequent fragm ent s t o updat e t he Durat ion field.) The num ber of m icroseconds required for t he t ransm ission is calculat ed and placed in t he Durat ion field. I f t he result is fract ional, it is rounded up t o t he next m icrosecond.

Figu r e 4 - 1 4 . D u r a t ion fie ld in RTS fr a m e

Address 1: Receiver Address The address of t he st at ion t hat is t he int ended recipient of t he large fram e.

Address 2: Transm it t er Address The address of t he sender of t he RTS fram e.

Clear to Send (CTS) The CTS fram e, whose form at is shown in Figure 4- 15, has t wo purposes. I nit ially, CTS fram es were used only t o answer RTS fram es, and were never generat ed wit hout a preceding RTS. CTS fram es were lat er adopt ed for use by t he 802.11g prot ect ion m echanism t o avoid int erfering wit h older st at ions. The prot ect ion m echanism is described wit h t he rest of 802.11g in Chapt er 14.

Figu r e 4 - 1 5 . CTS fr a m e

Three fields m ake up t he MAC header of a CTS fram e:

Fram e Cont rol The fram e subt ype is set t o 1100 t o indicat e a CTS fram e.

Dur at ion When used in response t o an RTS, t he sender of a CTS fram e uses t he durat ion from t he RTS fram e as t he basis for it s durat ion calculat ion. RTS fram es reserve t he m edium for t he ent ire RTS- CTS- fram e- ACK exchange. By t he t im e t he CTS fram e is t ransm it t ed, t hough, only t he pending fram e or fragm ent and it s acknowledgm ent rem ain. The sender of a CTS fram e subt ract s t he t im e required for t he CTS fram e and t he short int erfram e space t hat preceded t he CTS from t he durat ion in t he RTS fram e, and places t he result of t hat calculat ion in t he Durat ion field. Figure 4- 16 illust rat es t he relat ionship bet ween t he CTS durat ion and t he RTS durat ion. Rules for CTS fram es used in prot ect ion exchanges are described wit h t he prot ect ion m echanism .

Address 1: Receiver Address

The receiver of a CTS fram e is t he t ransm it t er of t he previous RTS fram e, so t he MAC copies t he t ransm it t er address of t he RTS fram e int o t he receiver address of t he CTS fram e. CTS fram es used in 802.11g prot ect ion are sent t o t he sending st at ion, and are used only t o set t he NAV.

Figu r e 4 - 1 6 . CTS du r a t ion

Acknowledgment (ACK) ACK fram es are used t o send t he posit ive acknowledgm ent s required by t he MAC and are used wit h any dat a t ransm ission, including plain t ransm issions, fram es preceded by an RTS/ CTS handshake, and fragm ent ed fram es ( see Figure 4- 17) . Qualit y- of- service enhancem ent s relax t he requirem ent for a single acknowledgm ent per Dat a fram e. To assess t he im pact of acknowledgm ent s on net t hroughput , see Chapt er 25.

Figu r e 4 - 1 7 . ACK fr a m e

Three fields m ake up t he MAC header of an ACK fram e:

Fram e Cont rol The fram e subt ype is set t o 1101 t o indicat e an ACK fram e.

Dur at ion The durat ion m ay be set in one of t wo ways, depending on t he posit ion of t he ACK wit hin t he fram e exchange. ACKs for com plet e dat a fram es and final fragm ent s in a fragm ent burst set t he durat ion t o 0. The dat a sender indicat es t he end of a dat a t ransm ission by set t ing t he More Fragm ent s bit in t he Fram e Cont rol header t o 0. I f t he More Fragm ent s bit is 0, t he t ransm ission is com plet e, and t here is no need t o ext end cont rol over t he radio channel for addit ional t ransm issions. Thus, t he durat ion is set t o 0. I f t he More Fragm ent s bit is 1, a fragm ent burst is in progress. The Durat ion field is used like t he Durat ion field in t he CTS fram e. The t im e required t o t ransm it t he ACK and it s short int erfram e space is subt ract ed from t he durat ion in t he m ost recent fragm ent ( Figure 4- 18) . The durat ion calculat ion in nonfinal ACK fram es is sim ilar t o t he CTS durat ion calculat ion. I n fact , t he 802.11 specificat ion refers t o t he durat ion set t ing in t he ACK fram es as a virt ual CTS.

Figu r e 4 - 1 8 . D u r a t ion in n on - fin a l ACK fr a m e s

Address 1: Receiver Address The receiver address is copied from t he t ransm it t er of t he fram e being acknowledged. Technically, it is copied from t he Address 2 field of t he fram e being acknowledged. Acknowledgm ent s are t ransm it t ed in response t o direct ed dat a fram es, m anagem ent fram es, and PS- Poll fram es.

Power-Save Poll (PS-Poll) When a m obile st at ion wakes from a power- saving m ode, it t ransm it s a PS- Poll fram e t o t he access point t o ret rieve any fram es buffered while it was in power- saving m ode. The form at of t he PS- Poll fram e is shown in Figure 4- 19. Furt her det ails on t he operat ion of power saving m odes appears in Chapt er 8.

Figu r e 4 - 1 9 . PS- Poll fr a m e

Four fields m ake up t he MAC header of a PS- Poll fram e:

Fram e Cont rol The fram e subt ype is set t o 1010 t o indicat e a PS- Poll fram e.

Associat ion I D ( AI D) I nst ead of a Durat ion field, t he PS- Poll fram e uses t he t hird and fourt h byt es in t he MAC header for t he associat ion I D. This is a num eric value assigned by t he access point t o ident ify t he associat ion. I ncluding t his I D in t he fram e allows t he access point t o find any fram es buffered for t he now- awakened m obile st at ion.

Address 1: BSSI D This field cont ains t he BSSI D of t he BSS creat ed by t he access point t hat t he sender is current ly associat ed wit h.

Address 2: Transm it t er Address This is t he address of t he sender of t he PS- Poll fram e. The PS- Poll fram e does not include durat ion inform at ion t o updat e t he NAV. However, all st at ions receiving a PS- Poll fram e updat e t he NAV by t he short int erfram e space plus t he am ount of t im e required t o t ransm it an ACK. The aut om at ic NAV updat e allows t he access point t o t ransm it an ACK wit h a sm all probabilit y of collision wit h a m obile st at ion.

Association ID (AID) I n t he PS- Poll fram e, t he Durat ion/ I D field is an associat ion I D rat her t han a value used by t he virt ual carrier- sensing funct ion. When m obile st at ions associat e wit h an access point , t he access point assigns a value called t he Associat ion I D ( AI D) from t he range 12,007. The AI D is used for a variet y of purposes t hat appear t hroughout t his book.

Management Frames Managem ent is a large com ponent of t he 802.11 specificat ion. Several different t ypes of m anagem ent fram es are used t o provide services t hat are sim ple on a wired net work. Est ablishing t he ident it y of a net work st at ion is easy on a wired net work because net work connect ions require dragging wires from a cent ral locat ion t o t he new workst at ion. I n m any cases, pat ch panels in t he wiring closet are used t o speed up inst allat ion, but t he essent ial point rem ains: new net work connect ions can be aut hent icat ed by a personal visit when t he new connect ion is brought up. Wireless net works m ust creat e m anagem ent feat ures t o provide sim ilar funct ionalit y. 802.11 breaks t he procedure up int o t hree com ponent s. Mobile st at ions in search of connect ivit y m ust first locat e a com pat ible wireless net work t o use for access. Wit h wired net works, t his st ep t ypically involves finding t he appropriat e dat a j ack on t he wall. Next , t he net work m ust aut hent icat e m obile st at ions t o est ablish t hat t he aut hent icat ed ident it y is allowed t o connect t o t he net work. The wired- net work equivalent is provided by t he net work it self. I f signals cannot leave t he wire, obt aining physical access is at least som et hing of an aut hent icat ion process. Finally, m obile st at ions m ust associat e wit h an access point t o gain access t o t he wired backbone, a st ep equivalent t o plugging t he cable int o a wired net work.

The Structure of Management Frames 802.11 m anagem ent fram es share t he st ruct ure shown in Figure 4- 20. The MAC header is t he sam e in all m anagem ent fram es; it does not depend on t he fram e subt ype. Managem ent fram es use inform at ion elem ent s, lit t le chunks of dat a wit h a num erical label, t o com m unicat e inform at ion t o ot her syst em s.

Figu r e 4 - 2 0 . Ge n e r ic m a n a ge m e n t fr a m e

Address fields As wit h all ot her fram es, t he first address field is used for t he fram e's dest inat ion address. Som e m anagem ent fram es are used t o m aint ain propert ies wit hin a single BSS. To lim it t he effect of broadcast and m ult icast m anagem ent fram es, st at ions are required t o inspect t he BSSI D aft er receiving a m angem ent fram e, t hough not all im plem ent at ions perform BSSI D filt ering. Only broadcast and m ult icast fram es from t he BSSI D t hat a st at ion is current ly associat ed wit h are passed t o MAC m anagem ent layers. The one except ion t o t his rule is Beacon fram es, which are used t o

announce t he exist ence of an 802.11 net work. BSSI Ds are assigned in t he fam iliar m anner. Access point s use t he MAC address of t he wireless net work int erface as t he BSSI D. Mobile st at ions adopt t he BSSI D of t he access point t hey are current ly associat ed wit h. St at ions in an I BSS use t he random ly generat ed BSSI D from t he BSS creat ion. One except ion t o t he rule: fram es sent by t he m obile st at ion seeking a specific net work m ay use t he BSSI D of t he net work t hey are seeking, or t hey m ay use t he broadcast BSSI D t o find all net works in t he vicinit y.

Duration calculations Managem ent fram es use t he Durat ion field in t he sam e m anner t hat ot her fram es do:

1 . Any fram es t ransm it t ed in t he cont ent ion- free period set t he durat ion t o 32,768. 2 . Fram es t ransm it t ed during t he cont ent ion- based access periods using only t he DCF use t he Durat ion field t o block access t o t he m edium t o allow any at om ic fram e exchanges t o com plet e.

a . I f t he fram e is a broadcast or m ult icast ( t he dest inat ion address is a group address) , t he durat ion is 0. Broadcast and m ult icast fram es are not acknowledged, so t he NAV is not needed t o block access t o t he m edium . b. I f a nonfinal fragm ent is part of a m ult ifram e exchange, t he durat ion is set t o t he num ber of m icroseconds t aken up by t hree SI FS int ervals plus t he next fragm ent and it s acknowledgm ent . c. Final fragm ent s use a durat ion t hat is t he t im e required for one acknowledgm ent plus one SI FS.

Frame body Managem ent fram es are quit e flexible. Most of t he dat a cont ained in t he fram e body uses fixedlengt h fields called fixed fields and variable- lengt h fields called inform at ion elem ent s. I nform at ion elem ent s are blobs of dat a of varying size. Each dat a blob is t agged wit h a t ype num ber and a size, and it is underst ood t hat an inform at ion elem ent of a cert ain t ype has it s dat a field int erpret ed in a cert ain way. New inform at ion elem ent s can be defined by newer revisions t o t he 802.11 specificat ion; im plem ent at ions t hat predat e t he revisions can ignore newer elem ent s. Old im plem ent at ions depend on backward- com pat ible hardware and frequent ly can't j oin net works based on t he newer st andards. Fort unat ely, new opt ions usually can be easily t urned off for com pat ibilit y. This sect ion present s t he fixed fields and inform at ion elem ent s as building blocks and shows how t he building blocks are assem bled int o m anagem ent fram es. 802.11 m andat es t he order in which inform at ion elem ent s appear, but not all elem ent s are m andat ory. This book shows all t he fram e building blocks in t he specified order, and t he discussion of each subt ype not es which elem ent s are rare and which are m ut ually exclusive.

Fixed-Length Management Frame Components

10 fixed- lengt h fields m ay appear in m anagem ent fram es. Fixed- lengt h fields are oft en referred t o sim ply as fields t o dist inguish t hem from t he variable- lengt h inform at ion elem ent s. Fields do not have a header t o dist inguish t hem from ot her part s of t he fram e body. Because t hey have a fixed lengt h and appear in a known order, fields can be delim it ed wit hout using a field header.

Authentication Algorithm Number Two byt es are used for t he Aut hent icat ion Algorit hm Num ber field, which are shown in Figure 4- 21. This field ident ifies t he t ype of aut hent icat ion used in t he init ial 802.11- level aut hent icat ion process before associat ion occurs. 802.1X aut hent icat ion occurs aft er associat ion, and is not assigned an algorit hm num ber. ( The aut hent icat ion process is discussed m ore t horoughly in Chapt er 8.) The values perm it t ed for t his field are shown in Table 4- 3. Only t wo values are current ly defined. Ot her values are reserved for fut ure st andardizat ion work.

Figu r e 4 - 2 1 . Au t h e n t ica t ion Algor it h m N u m be r fie ld

Ta ble 4 - 3 . Va lu e s of t h e Au t h e n t ica t ion Algor it h m N u m be r fie ld Va lu e

M e a n in g

0

Open Syst em aut hent icat ion ( t ypically used wit h 802.1X aut hent icat ion)

1

Shared Key aut hent icat ion ( deprecat ed by 802.11i)

2- 65,535

Reser v ed

Authentication Transaction Sequence Number Aut hent icat ion is a m ult ist ep process t hat consist s of a challenge from t he access point and a response from t he m obile st at ion at t em pt ing t o associat e. The Aut hent icat ion Transact ion Sequence Num ber, shown in Figure 4- 22, is a t wo- byt e field used t o t rack progress t hrough t he aut hent icat ion exchange. I t t akes values from 1 t o 65,535; it is never set t o 0. Use of t his field is discussed in Chapt er 8.

Figu r e 4 - 2 2 . Au t h e n t ica t ion Tr a n sa ct ion Se qu e n ce N u m be r fie ld

Beacon interval Beacon t ransm issions announce t he exist ence of an 802.11 net work at regular int ervals. Beacon fram es carry inform at ion about t he BSS param et ers and t he fram es buffered by access point s, so m obile st at ions m ust list en t o Beacons. The Beacon I nt erval, shown in Figure 4- 23, is a 16- bit field set t o t he num ber of t im e unit s bet ween Beacon t ransm issions. One t im e unit , which is oft en abbreviat ed TU, is 1,024 m icroseconds ( m s) , which is about 1 m illisecond. [ * ] Tim e unit s m ay also be called kilo- m icroseconds in various docum ent at ion ( Km s or km s) . I t is com m on for t he Beacon int erval t o be set t o 100 t im e unit s, which corresponds t o an int erval bet ween Beacon t ransm issions of approxim at ely 100 m illiseconds or 0.1 seconds. [*]

Kilo-microseconds are an odd blend of the powers-of-2 used in computing for the kilo, and the more common 1/1,000 for micro. Presumably, the International Bureau of Weights and Measures would protest the mangling of the traditional form of the prefixes.

Figu r e 4 - 2 3 . Be a con I n t e r va l fie ld

Capability Information The 16- bit Capabilit y I nform at ion field (Figure 4- 24) is used in Beacon t ransm issions t o advert ise t he net work's capabilit ies. Capabilit y I nform at ion is also used in Probe Request and Probe Response fram es. I n t his field, each bit is used as a flag t o advert ise a part icular funct ion of t he net work. St at ions use t he capabilit y advert isem ent t o det erm ine whet her t hey can support all t he feat ures in t he BSS. St at ions t hat do not im plem ent all t he feat ures in t he capabilit y advert isem ent are not allowed t o j oin.

Figu r e 4 - 2 4 . Ca pa bilit y I n for m a t ion fie ld

ESS/ I BSS These t wo bit s are m ut ually exclusive. Access point s set t he ESS field t o 1 and t he I BSS field t o 0 t o indicat e t hat t he access point is part of an infrast ruct ure net work. St at ions in an I BSS set t he ESS field t o 0 and t he I BSS field t o 1.

Privacy Set t ing t he Privacy bit t o 1 requires t he use of WEP for confident ialit y. I n infrast ruct ure net works, t he t ransm it t er is an access point . I n I BSSs, Beacon t ransm ission m ust be handled by a st at ion in t he I BSS.

Short Pream ble This field was added t o 802.11b t o support t he high- rat e DSSS PHY. Set t ing it t o 1 indicat es t hat t he net work is using t he short pream ble as described in Chapt er 12. Zero m eans t he opt ion is not in use and is forbidden in t he BSS. 802.11g requires use of t he short pream ble, so t his field is always set t o 1 in a net work built on t he 802.11g st andard.

PBCC This field was added t o 802.11b t o support t he high- rat e DSSS PHY. When it is set t o 1, it indicat es t hat t he net work is using t he packet binary convolut ion coding m odulat ion schem e described in Chapt er 12, or t he higher- speed 802.11g PBCC m odulat ion described in Chapt er 14 . Zero m eans t hat t he opt ion is not in use and is forbidden in t he BSS.

Channel Agilit y This field was added t o 802.11b t o support t he high rat e DSSS PHY. When it is set t o one, it indicat es t hat t he net work is using t he Channel Agilit y opt ion described in Chapt er 12. Zero m eans t he opt ion is not in use and is forbidden in t he BSS.

Short Slot Tim e ( 802.11g) This bit is set t o one t o indicat e t he use of t he short er slot t im e support ed by 802.11g, which is discussed in Chapt er 14.

DSSS- OFDM ( 802.11g) This bit is set t o one t o indicat e t hat t he opt ional DSSS- OFDM fram e const ruct ion in 802.11g is in use.

Cont ent ion- free polling bit s St at ions and access point s use t hese t wo bit s as a label. The m eanings of t he labels are shown in Table 4- 4.

Ta ble 4 - 4 . I n t e r pr e t a t ion of pollin g bit s in Ca pa bilit y I n for m a t ion

CF- Poll Re q u e st

I n t e r pr e t a t ion

0

0

St at ion does not support polling

0

1

St at ion support s polling but does not request t o be put on t he polling list

1

0

St at ion support s polling and request s a posit ion on t he polling list

1

1

St at ion support s polling and request s t hat it never be polled ( result s in st at ion t reat ed as if it does not support cont ent ion- free operat ion)

0

0

Access point does not im plem ent t he point coordinat ion funct ion

0

1

Access point uses PCF for delivery but does not support polling

1

0

Access point uses PCF for delivery and polling

1

1

Reserved; unused

CF- Polla ble St at ion usage

Access point usage

Current AP Address Mobile st at ions use t he Current AP Address field, shown in Figure 4- 25, t o indicat e t he MAC address of t he access point wit h which t hey are associat ed. This field is used t o ease associat ions and reassociat ions. St at ions t ransm it t he address of t he access point t hat handled t he last associat ion wit h t he net work. When an associat ion is est ablished wit h a different access point , t his field can be used t o t ransfer t he associat ion and ret rieve any buffered fram es.

Figu r e 4 - 2 5 . Cu r r e n t AP Addr e ss fie ld

Listen interval To save bat t ery power, st at ions m ay shut off t he ant enna unit s in 802.11 net work int erfaces. While st at ions are sleeping, access point s m ust buffer fram es for t hem . Dozing st at ions periodically wake up t o list en t o t raffic announcem ent s t o det erm ine whet her t he access point has any buffered fram es. When st at ions associat e wit h an access point , part of t he saved dat a is t he List en I nt erval, which is t he num ber of Beacon int ervals t hat st at ions wait bet ween list ening for Beacon fram es. The List en

I nt erval, shown in Figure 4- 26, allows m obile st at ions t o indicat e how long t he access point m ust ret ain buffered fram es. Higher list en int ervals require m ore access point m em ory for fram e buffering. Access point s m ay use t his feat ure t o est im at e t he resources t hat will be required and m ay refuse resource- int ensive associat ions. The List en I nt erval is described in Chapt er 8.

Figu r e 4 - 2 6 . List e n I n t e r va l fie ld

Association ID The Associat ion I D, shown in Figure 4- 27, is a 16- bit field. When st at ions associat e wit h an access point , t hey are assigned an Associat ion I D t o assist wit h cont rol and m anagem ent funct ions. Even t hough 14 bit s are available for use in creat ing Associat ion I Ds, t hey range only from 1- 2,007. To m aint ain com pat ibilit y wit h t he Durat ion/ I D field in t he MAC header, t he t wo m ost significant bit s are set t o 1.

Timestamp The Tim est am p field, shown in Figure 4- 28, allows synchronizat ion bet ween t he st at ions in a BSS. The m ast er t im ekeeper for a BSS periodically t ransm it s t he num ber of m icroseconds it has been act ive. When t he count er reaches it s m axim um value, it wraps around. ( Count er wraps are unlikely given t he lengt h of t im e it t akes t o wrap a

Figu r e 4 - 2 7 . Associa t ion I D fie ld

64- bit count er. At over 580,000 years, I would bet on a required pat ch or t wo before t he count er wrap.)

Figu r e 4 - 2 8 . Tim e st a m p fie ld

Reason Code St at ions m ay send Disassociat ion or Deaut hent icat ion fram es in response t o t raffic when t he sender has not properly j oined t he net work. Part of t he fram e is a 16- bit Reason Code field, shown in Figure 4- 29 , t o indicat e what t he sender has done incorrect ly. Table 4- 5 shows why cert ain reason codes are generat ed. Fully underst anding t he use of reason codes requires an underst anding of t he different classes of fram es and st at es of t he 802.11 st at ion, which is discussed in t he sect ion " Fram e Transm ission and Associat ion and Aut hent icat ion St at es."

Figu r e 4 - 2 9 . Re a son Code fie ld

Ta ble 4 - 5 . Re a son code s Code

Ex pla n a t ion

0

Reserved; unused

1

Unspecified

2

Prior aut hent icat ion is not valid

3

St at ion has left t he basic service area or ext ended service area and is deaut hent icat ed

4

I nact ivit y t im er expired and st at ion was disassociat ed

5

Disassociat ed due t o insufficient resources at t he access point

6

I ncorrect fram e t ype or subt ype received from unaut hent icat ed st at ion

7

I ncorrect fram e t ype or subt ype received from unassociat ed st at ion

8

St at ion has left t he basic service area or ext ended service area and is disassociat ed

9

Associat ion or reassociat ion request ed before aut hent icat ion is com plet e

Code

Ex pla n a t ion

10 ( 802.11h)

Disassociat ed because of unaccept able values in Power Capabilit y elem ent

11 ( 802.11h)

Disassociat ed because of unaccept able values in Support ed Channels elem ent

12

Reser v ed

13 ( 802.11i) I nvalid inform at ion elem ent ( added wit h 802.11i, and likely one of t he 802.11i inform at ion elem ent s) 14 ( 802.11i) Message int egrit y check failure 15 ( 802.11i) 4- way keying handshake t im eout 16 ( 802.11i) Group key handshake t im eout 17 ( 802.11i) 4- way handshake inform at ion elem ent has different securit y param et ers from init ial param et er set 18 ( 802.11i) I nvalid group cipher 19 ( 802.11i) I nvalid pairwise cipher 20 ( 802.11i) I nvalid Aut hent icat ion and Key Managem ent Prot ocol 21 ( 802.11i) Unsupport ed Robust Securit y Net work I nform at ion Elem ent ( RSN I E) version 22 ( 802.11i) I nvalid capabilit ies in RSN inform at ion elem ent 23 ( 802.11i) 802.1X aut hent icat ion failure 24 ( 802.11i) Proposed cipher suit e rej ect ed due t o configured policy 25- 65,535

Reserved; unused

Status Code St at us codes indicat e t he success or failure of an operat ion. The St at us Code field, shown in Figure 430 , is 0 when an operat ion succeeds and nonzero on failure. Table 4- 6 shows t he st at us codes t hat have been st andardized.

Figu r e 4 - 3 0 . St a t u s Code fie ld

Ta ble 4 - 6 . St a t u s code s

Code

Ex pla n a t ion

0

Operat ion com plet ed successfully

1

Unspecified failure

2- 9

Reserved; unused

10

Request ed capabilit y set is t oo broad and cannot be support ed

11

Reassociat ion denied; prior associat ion cannot be ident ified and t ransferred

12

Associat ion denied for a reason not specified in t he 802.11 st andard

13

Request ed aut hent icat ion algorit hm not support ed

14

Unexpect ed aut hent icat ion sequence num ber

15

Aut hent icat ion rej ect ed; t he response t o t he challenge failed

16

Aut hent icat ion rej ect ed; t he next fram e in t he sequence did not arrive in t he expect ed window

17

Associat ion denied; t he access point is resource- const rained

18

Associat ion denied; t he m obile st at ion does not support all of t he dat a rat es required by t he BSS

19 ( 802.11b)

Associat ion denied; t he m obile st at ion does not support t he Short Pream ble opt ion

20 ( 802.11b)

Associat ion denied; t he m obile st at ion does not support t he PBCC m odulat ion opt ion

21 ( 802.11b)

Associat ion denied; t he m obile st at ion does not support t he Channel Agilit y opt ion

22 ( 802.11h)

Associat ion denied; Spect rum Managem ent is required

23 ( 802.11h)

Associat ion denied; Power Capabilit y value is not accept able

24 ( 802.11h)

Associat ion denied; Support ed Channels is not accept able

25 ( 802.11g)

Associat ion denied; t he m obile st at ion does not support t he Short Slot Tim e

26 ( 802.11g)

Associat ion denied; t he m obile st at ion does not support DSSS- OFDM

27- 39

Reser v ed

40 ( 802.11i) I nform at ion elem ent not valid 41 ( 802.11i) Group ( broadcast / m ult icast ) cipher not valid 42 ( 802.11i) Pairwise ( unicast ) cipher not valid 43 ( 802.11i) Aut hent icat ion and Key Managem ent Prot ocol ( AKMP) not valid 44 ( 802.11i) Robust Securit y Net work inform at ion elem ent ( RSN I E) version is not support ed 45 ( 802.11i) RSN I E capabilit es are not support ed 46 ( 802.11i) Cipher suit e rej ect ed due t o policy 47- 65,535

Reserved for fut ure st andardizat ion work

Management Frame Information Elements I nform at ion elem ent s are variable- lengt h com ponent s of m anagem ent fram es. A generic inform at ion elem ent has an I D num ber, a lengt h, and a variable- lengt h com ponent , as shown in Figure 4- 31. St andardized values for t he elem ent I D num ber are shown in Table 4- 7.

Figu r e 4 - 3 1 . Ge n e r ic m a n a ge m e n t fr a m e in for m a t ion e le m e n t

Ta ble 4 - 7 . I n for m a t ion e le m e n t s Ele m e n t I D N a m e 0

Service Set I dent it y ( SSI D)

1

Support ed Rat es

2

FH Param et er Set

3

DS Param et er Set

4

CF Param et er Set

5

Traffic I ndicat ion Map ( TI M)

6

I BSS Param et er Set

7 ( 802.11d)

Count ry

8 ( 802.11d)

Hopping Pat t ern Param et ers

9 ( 802.11d)

Hopping Pat t ern Table

10 ( 802.11d)

Request

11- 15

Reserved; unused

16

Challenge t ext

17- 31

Reser v ed a ( form erly for challenge t ext ext ension, before 802.11 shared key aut hent icat ion was discont inued)

32 ( 802.11h)

Power Const raint

33 ( 802.11h)

Power Capabilit y

Ele m e n t I D N a m e 34 ( 802.11h)

Transm it Power Cont rol ( TPC) Request

35 ( 802.11h)

TPC Report

36 ( 802.11h)

Support ed Channels

37 ( 802.11h)

Channel Swit ch Announcem ent

38 ( 802.11h)

Measurem ent Request

39 ( 802.11h)

Measurem ent Report

40 ( 802.11h)

Quiet

41 ( 802.11h)

I BSS DFS

42 ( 802.11g)

ERP inform at ion

43- 49

Reser v ed

48 ( 802.11i) Robust Securit y Net work 50 ( 802.11g)

Ext ended Support ed Rat es

32- 255

Reserved; unused

221 b

Wi- Fi Prot ect ed Access

a

802.11 shared key aut hent icat ion is no longer recom m ended, so it is unlikely t hat t hese fields will ever be used.

a

This is used by WPA, and is not an official part of 802.11. However, it is widely im plem ent ed, so I include it in t he t able.

Service Set Identity (SSID) Net work m anagers are only hum an, and t hey usually prefer t o work wit h let t ers, num bers, and nam es rat her t han 48- bit ident ifiers. 802.11 net works, in t he broadest sense, are eit her ext ended service set s or independent BSSs. The SSI D, shown in Figure 4- 32, allows net work m anagers t o assign an ident ifier t o t he service set . St at ions at t em pt ing t o j oin a net work m ay scan an area for available net works and j oin t he net work wit h a specified SSI D. The SSI D is t he sam e for all t he basic service areas com posing an ext ended service area.

Figu r e 4 - 3 2 . Se r vice Se t I de n t it y in for m a t ion e le m e n t

Som e docum ent at ion refers t o t he SSI D as t he net work nam e because net work adm inist rat ors frequent ly assign a charact er st ring t o it . However, t he SSI D is j ust a st ring of byt es t hat labels t he BSSI D as belonging t o a larger agglom erat ion. Som e product s require t hat t he st ring be a garden variet y ASCI I st ring, t hough t he st andard has no requirem ent on t he cont ent of t he st ring. I n all cases, t he lengt h of t he SSI D ranges bet ween 0 and 32 byt es. The zero- byt e case is a special case called t he broadcast SSI D; it is used only in Probe Request fram es when a st at ion at t em pt s t o discover all t he 802.11 net works in it s area.

Supported Rates Several dat a rat es have been st andardized for wireless LANs. The Support ed Rat es inform at ion elem ent allows an 802.11 net work t o specify t he dat a rat es it support s. When m obile st at ions at t em pt t o j oin t he net work, t hey check t he dat a rat es used in t he net work. Som e rat es are m andat ory and m ust be support ed by t he m obile st at ion, while ot hers are opt ional. The Support ed Rat es inform at ion elem ent is shown in Figure 4- 33. I t consist s of a st ring of byt es. Each byt e uses t he seven low- order bit s for t he dat a rat e; t he m ost significant bit indicat es whet her t he dat a rat e is m andat ory. Mandat ory rat es are encoded wit h t he m ost significant bit set t o 1 and opt ional rat es have a 0. Up t o eight rat es m ay be encoded in t he inform at ion elem ent . As t he num ber of dat a rat es has proliferat ed, t he Ext ended Support ed Rat es elem ent was st andardized t o handle m ore t han eight dat a rat es. I n t he init ial revision of t he 802.11 specificat ion, t he seven bit s encoded t he dat a rat e as a m ult iple of 500 kbps. New t echnology, especially ETSI 's HI PERLAN effort s, required a change t o t he int erpret at ion. When 7 bit s are used t o have a m ult iple of

Figu r e 4 - 3 3 . Su ppor t e d Ra t e s in for m a t ion e le m e n t

500 kbps, t he m axim um dat a rat e t hat can be encoded is 63.5 Mbps. Research and developm ent on wireless LAN t echnology has m ade t his rat e achievable in t he near fut ure. As a result , t he I EEE changed t he int erpret at ion from a m ult iple of 500 kbps t o a sim ple label in 802.11b. Previously st andardized rat es were given labels corresponding t o t he m ult iple of 500 kbps, but fut ure st andards m ay use any value. Current st andardized values are shown in Table 4- 8.

Ta ble 4 - 8 . Su ppor t e d Ra t e la be ls Bin a r y va lu e

Cor r e spon din g r a t e ( M bps)

2

1

4

2

11 ( 802.11b)

5.5

12 ( 802.11g)

6

18 ( 802.11g)

9

22 ( 802.11b)

11

24 ( 802.11g)

12

36 ( 802.11g)

18

44 ( 802.11g)

22 ( opt ional 802.11g PBCC)

48 ( 802.11g)

24

66 ( 802.11g)

33 ( opt ional 802.11g PBCC)

72 ( 802.11g)

36

96 ( 802.11g)

48

108 ( 802.11g)

54

As an exam ple, Figure 4- 33 shows t he encoding of t wo dat a rat es. 2- Mbps service is m andat ory and

11- Mbps service is support ed. This is encoded as a m andat ory 2- Mbps rat e and an opt ional 11- Mbps rat e.

FH Parameter Set The FH Param et er Set inform at ion elem ent , shown in Figure 4- 34, cont ains all param et ers necessary t o j oin a frequency- hopping 802.11 net work.

Figu r e 4 - 3 4 . FH Pa r a m e t e r Se t in for m a t ion e le m e n t

The FH Param et er Set has four fields t hat uniquely specify an 802.11 net work based on frequency hopping. Chapt er 12 describes t hese ident ifiers in dept h.

Dwell Tim e 802.11 FH net works hop from channel t o channel. The am ount of t im e spent on each channel in t he hopping sequence is called t he dwell t im e. I t is expressed in t im e unit s ( TUs) .

Hop Set Several hopping pat t erns are defined by t he 802.11 frequency- hopping PHY. This field, a single byt e, ident ifies t he set of hop pat t erns in use.

Hop Pat t ern St at ions select one of t he hopping pat t erns from t he set . This field, also a single byt e, ident ifies t he hopping pat t ern in use.

Hop I ndex Each pat t ern consist s of a long sequence of channel hops. This field, a single byt e, ident ifies t he current point in t he hop sequence.

DS Parameter Set Direct - sequence 802.11 net works have only one param et er: t he channel num ber used by t he net work. High- rat e direct sequence net works use t he sam e channels and t hus can use t he sam e param et er set . The channel num ber is encoded as a single byt e, as shown in Figure 4- 35.

Figu r e 4 - 3 5 . D S Pa r a m e t e r Se t in for m a t ion e le m e n t

Traffic Indication Map (TIM) Access point s buffer fram es for m obile st at ions sleeping in low- power m ode. Periodically, t he access point at t em pt s t o deliver buffered fram es t o sleeping st at ions. A pract ical reason for t his arrangem ent is t hat m uch m ore power is required t o power up a t ransm it t er t han t o sim ply t urn on a receiver. The designers of 802.11 envisioned bat t ery- powered m obile st at ions; t he decision t o have buffered fram es delivered t o st at ions periodically was a way t o ext end bat t ery life for low- power devices. Part of t his operat ion is t o send t he Traffic I ndicat ion Map ( TI M) inform at ion elem ent ( Figure 4- 36) t o t he net work t o indicat e which st at ions have buffered t raffic wait ing t o be picked up.

Figu r e 4 - 3 6 . Tr a ffic I n dica t ion M a p in for m a t ion e le m e n t

The m eat of t he t raffic indicat ion m ap is t he virt ual bit m ap, a logical st ruct ure com posed of 2,008 bit s. Each bit is t ied t o t he Associat ion I D. When t raffic is buffered for t hat Associat ion I D, t he bit is 1. I f no t raffic is buffered, t he bit t ied t o t he Associat ion I D is 0.

DTI M Count This one- byt e field is t he num ber of Beacons t hat will be t ransm it t ed before t he next DTI M fram e. DTI M fram es indicat e t hat buffered broadcast and m ult icast fram es will be delivered short ly. Not all Beacon fram es are DTI M fram es.

DTI M Period This one- byt e field indicat es t he num ber of Beacon int ervals bet ween DTI M fram es. Zero is reserved and is not used. The DTI M count cycles t hrough from t he period down t o 0.

Bit m ap Cont rol and Part ial Virt ual Bit m ap The Bit m ap Cont rol field is divided int o t wo subfields. Bit 0 is used for t he t raffic indicat ion st at us of Associat ion I D 0, which is reserved for m ult icast t raffic. The rem aining seven bit s of t he Bit m ap Cont rol field are used for t he Bit m ap Offset field. To save t ransm ission capacit y, t he Bit m ap Offset field can be used t o t ransm it a port ion of t he virt ual bit m ap. The Bit m ap Offset is relat ed t o t he st art of t he virt ual bit m ap. By using t he Bit m ap Offset and t he Lengt h, 802.11 st at ions can infer which part of t he virt ual bit m ap is included.

CF Parameter Set The CF Param et er Set inform at ion elem ent is t ransm it t ed in Beacons by access point s t hat support cont ent ion- free operat ion. Cont ent ion- free service is discussed in Chapt er 9 because of it s opt ional nat ur e.

IBSS Parameter Set I BSSs current ly have only one param et er, t he announcem ent t raffic indicat ion m ap ( ATI M) window, shown in Figure 4- 37. This field is used only in I BSS Beacon fram es. I t indicat es t he num ber of t im e unit s ( TUs) bet ween ATI M fram es in an I BSS.

Figu r e 4 - 3 7 . I BSS Pa r a m e t e r Se t in for m a t ion e le m e n t

Country The init ial 802.11 specificat ions were designed around t he exist ing regulat ory const raint s in place in t he m aj or indust rialized count ries. Rat her t han cont inue t o revise t he specificat ion each t im e a new

count ry was added, a new specificat ion was added t hat provides a way for net works t o describe regulat ory const raint s t o new st at ions. The m ain pillar of t his is t he Count ry inform at ion elem ent, shown in Figure 4- 38.

Figu r e 4 - 3 8 . Cou n t r y in for m a t ion e le m e n t

Aft er t he init ial t ype/ lengt h inform at ion elem ent header, t here is a count ry ident ifier, followed by a series of t hree- byt e descript ors for regulat ory const raint s. Each const raint descript or specifies a unique band, and t hey m ay not overlap, since a given frequency has only one m axim um allowed power.

Count ry St ring ( 3 byt es) A t hree- charact er ASCI I st ring of where t he st at ion is operat ing. The first t wo let t ers are t he I SO count ry code ( e.g., " US" for t he Unit ed St at es) . Many count ries have different indoor and out door regulat ions, and t he t hird charact er dist inguishes bet ween t he t wo. When a single set of om nibus regulat ions covers all environm ent s, t he t hird charact er is a space. To designat e indoor or out door regulat ions only, t he t hird charact er m ay be set t o " I " or " O" , respect ively.

First Channel Num ber ( 1 byt e) The first channel num ber is t he lowest channel subj ect t o t he power const raint . Channel num ber assignm ent for each PHY is discussed in t he appropriat e chapt er.

Num ber of Channels ( 1 byt e) The size of t he band subj ect t o t he power const raint is indicat ed by t he num ber of channels. The size of a channel is PHY- dependent .

Maxim um Transm it Power ( 1 byt e) The m axim um t ransm it power, expressed in dBm .

Pad ( 1 byt e; opt ional) The size of t he inform at ion elem ent m ust be an even num ber of byt es. I f t he lengt h of t he inform at ion elem ent is an odd num ber of byt es, a single byt e of zeroes is appended as a pad.

Hopping Pattern Parameters and Hopping Pattern Table The init ial 802.11 frequency hopping specificat ion, described in Chapt er 11, was built around t he regulat ory const raint s in effect during it s design. These t wo elem ent s can be used t o build a hopping pat t ern t hat com plies wit h regulat ory const raint s in addit ional count ries, which allows furt her adopt ion of t he frequency- hopping PHY wit hout requiring addit ional revision t o t he specificat ion.

Request I n Probe Request fram es, t he Request inform at ion elem ent is used t o ask t he net work for cert ain inform at ion elem ent s. The Request inform at ion elem ent has t he t ype/ lengt h header, and is followed by a list of int egers wit h t he num bers of t he inform at ion elem ent s being request ed ( Figure 4- 39) .

Figu r e 4 - 3 9 . Re qu e st in for m a t ion e le m e n t

Challenge Text The shared- key aut hent icat ion syst em defined by 802.11 requires t hat t he m obile st at ion successfully decrypt an encrypt ed challenge. The challenge is sent using t he Challenge Text inform at ion elem ent , which is shown in Figure 4- 40.

Power Constraint The Power Const raint inform at ion elem ent is used t o allow a net work t o describe t he m axim um t ransm it power t o st at ions. I n addit ion t o a regulat ory m axim um , t here m ay be anot her m axim um in effect . The only field, a one- byt e int eger, is t he num ber

Figu r e 4 - 4 0 . Ch a lle n ge Te x t in for m a t ion e le m e n t

of decibels by which any local const raint reduces t he regulat ory m axim um . I f, for exam ple, t he regulat ory m axim um power were 10 dBm , but t his inform at ion elem ent cont ained t he value 2, t hen t he st at ion would set it s m axim um t ransm it power t o 8 dBm (Figure 4- 41) .

Figu r e 4 - 4 1 . Pow e r Con st r a in t in for m a t ion e le m e n t

Power Capability 802.11 st at ions are bat t ery powered, and oft en have radios t hat are not as capable as access point s, in part because t here is not usually t he need for m obile client devices t o t ransm it at high power. The Power Capabilit y inform at ion elem ent allows a st at ion t o report it s m inim um and m axim um t ransm it power, in int eger unit s of dBm ( Figure 4- 42) .

Figu r e 4 - 4 2 . Pow e r Ca pa bilit y in for m a t ion e le m e n t

TPC Request The Transm it Power Cont rol ( TPC) Request inform at ion elem ent is used t o request radio link m anagem ent inform at ion. I t has no associat ed dat a, so t he lengt h field is always zero (Figure 4- 43) .

Figu r e 4 - 4 3 . Tr a n sm it Pow e r Re qu e st in for m a t ion e le m e n t

TPC Report For st at ions t o know how t o t une t ransm ission power, it helps t o know t he at t enuat ion on t he link. TPC Report inform at ion elem ent s are included in several t ypes of m anagem ent fram es, and include t wo one- byt e fields ( Figure 4- 44) . The first , t he t ransm it power, is t he t ransm it power of t he fram e cont aining t he inform at ion elem ent , in unit s of dBm . The second, t he link m argin, represent s t he num ber of decibels of safet y t hat t he st at ion requires. Bot h are used by t he st at ion t o adapt it s t ransm ission power, as described in Chapt er 8.

Figu r e 4 - 4 4 . Tr a n sm it Pow e r Re por t in for m a t ion e le m e n t

Supported Channels The Support ed Channels inform at ion elem ent is sim ilar t o t he Count ry inform at ion elem ent , in t hat it describes sub- bands t hat are support ed. Aft er t he header, t here is a series of sub- band descript ors. Each sub- band descript or consist s of a first channel num ber, which is t he lowest channel in a support ed sub- band, followed by t he num ber of channels in t he sub- band ( Figure 4- 45) . For exam ple, a device t hat only support ed channels 40 t hrough 52 would set t he first channel num ber t o 40, and t he num ber of channels t o 12.

Figu r e 4 - 4 5 . Su ppor t e d Ch a n n e ls in for m a t ion e le m e n t

Channel Switch Announcement 802.11h added t he abilit y of net works t o dynam ically swit ch channels. To warn st at ions in t he net work about t he im pending channel change, m anagem ent fram es m ay include t he Channel Swit ch Announcem ent elem ent shown in Figure 4- 46.

Figu r e 4 - 4 6 . Ch a n n e l Sw it ch An n ou n ce m e n t in for m a t ion e le m e n t

Channel Swit ch Mode When t he operat ing channel is changed, it disrupt s com m unicat ion. I f t his field is set t o 1, associat ed st at ions should st op t ransm it t ing fram es unt il t he channel swit ch has occurred. I f it is set t o zero, t here is no rest rict ion on fram e t ransm ission.

New Channel Num ber The new channel num ber aft er t he swit ch. At present , t here is no need for t his field t o exceed a value of 255.

Channel Swit ch Count Channel swit ching can be scheduled. This field is t he num ber of Beacon fram e t ransm ission int ervals t hat it will t ake t o change t he channel. Channel swit ch occurs j ust before t he Beacon t ransm ission is t o begin. A non- zero value indicat es t he num ber of Beacon int ervals t o wait ; a zero indicat es t hat t he channel swit ch m ay occur wit hout any furt her warning.

Measurement Request and Measurement Report

Regular channel m easurem ent s are im port ant t o m onit oring t he channel and power set t ings. Two inform at ion elem ent s are defined t o allow st at ions t o request m easurem ent s and receive report s. Report s are a key com ponent of 802.11h, and will be discussed in det ail in t he " Spect rum Managem ent " sect ion of Chapt er 8.

Quiet One of t he reasons for t he developm ent of dynam ic frequency select ion was t he need t o avoid cert ain m ilit ary radar t echnologies. To find t he presence of radar or ot her int erference, an AP can use t he Quiet elem ent , shown in Figure 4- 47, t o t em porarily shut down t he channel t o im prove t he qualit y of m easurem ent s.

Figu r e 4 - 4 7 . Qu ie t in for m a t ion e le m e n t

Following t he header, t here are four fields:

Quiet Count Quiet periods are scheduled. The count is t he num ber of Beacon t ransm ission int ervals unt il t he quiet period begins. I t works in a sim ilar fashion t o t he Channel Swit ch Count field.

Quiet Period Quiet periods m ay also be periodically scheduled. I f t his field is zero, it indicat es t here are no scheduled quiet periods. A non- zero value indicat es t he num ber of beacon int ervals bet ween quiet periods.

Quiet Durat ion Quiet periods do not need t o last for an ent ire Beacon int erval. This field specifies t he num ber of t im e unit s t he quiet period last s.

Quiet Offset Quiet periods do not necessarily have t o begin wit h a Beacon int erval. The Offset field is t he num ber of t im e unit s aft er a Beacon int erval t hat t he next quiet period will begin. Nat urally, it

m ust be less t han one Beacon int erval.

IBSS DFS I n an infrast ruct ure net work, t he access point is responsible for dynam ic frequency select ion. I ndependent net works m ust have a designat ed owner of t he dynam ic frequency select ion ( DFS) algorit hm . Managem ent fram es from t he designat ed st at ion in an I BSS m ay t ransm it t he I BSS DFS inform at ion elem ent, shown in Figure 4- 48.

Figu r e 4 - 4 8 . I BSS D yn a m ic Fr e qu e n cy Se le ct ion ( D FS) in for m a t ion e le m e n t

Aft er t he header, it has t he MAC address of t he st at ion responsible for m aint aining DFS inform at ion, as well as a m easurem ent int erval. The bulk of t he fram e is a series of channel m aps, which report what is det ect ed on each channel. The channel m ap consist s of a channel num ber, followed by a m ap byt e, which has t he following fields:

BSS ( 1 bit ) This bit will be set if fram es from anot her net work are det ect ed during a m easurem ent period.

OFDM Pream ble ( 1 bit ) This bit is set if t he 802.11a short t raining sequence is det ect ed, but wit hout being followed by t he rest of t he fram e. HI PERLAN/ 2 net works use t he sam e pream ble, but obviously not t he sam e fram e const ruct ion.

Unident ified Signal ( 1 bit ) This bit is set when t he received power is high, but t he signal cannot be classified as eit her anot her 802.11 net work ( and hence, set t he BSS bit ) , anot her OFDM net work ( and hence, set t he OFDM Pream ble bit ) , or a radar signal ( and hence, set t he Radar bit ) . The st andard does not specify what power level is high enough t o t rigger t his bit being set .

Radar ( 1 bit ) I f a radar signal is det ect ed during a m easurem ent period, t his bit will be set . Radar syst em s which m ust be det ect ed are defined by regulat ors, not t he 802.11 t ask group.

Unm easured ( 1 bit ) I f t he channel was not m easured, t his bit will be set . Nat urally, when t here was no m easurem ent t aken, not hing can be det ect ed in t he band and t he previous four bit s will be set t o zero.

ERP Information 802.11g defined t he ext ended rat e PHY ( ERP) . To provide backwards com pat ibilit y, t he ERP inform at ion elem ent, shown in Figure 4- 49, was defined. I n it s first it erat ion, it is t hree bit flags in a single byt e.

Non- ERP present This bit will be set when an older, non- 802.11g st at ion associat es t o a net work. I t m ay also be set when overlapping net works t hat are not capable of using 802.11g are det ect ed.

Use Prot ect ion When st at ions incapable of operat ing at 802.11g dat a rat es are present , t he prot ect ion bit is set t o 1. This enables backwards com pat ibilit y wit h older st at ions, as described in Chapt er 14.

Barker Pream ble Mode This bit will be set if t he st at ions which have associat ed t o t he net work are not capable of t he short pream ble m ode described in Chapt er 12.

Figu r e 4 - 4 9 . ERP in for m a t ion e le m e n t

Robust Security Network Wit h t he significant securit y enhancem ent s in 802.11i, it was necessary t o develop a way t o com m unicat e securit y inform at ion bet ween st at ions. The m ain t ool for t his is t he Robust Securit y Net work ( RSN) inform at ion elem ent , shown in Figure 4- 50. There are several variable com ponent s, and in som e cases, t he RSN inform at ion elem ent m ight run int o t he lim it s of t he inform at ion elem ent size of 255 byt es past t he header.

Version The version field m ust be present . 802.11i defined version 1. Zero is reserved, and versions of t wo or great er are not yet defined.

Figu r e 4 - 5 0 . Robu st Se cu r it y N e t w or k ( RSN ) in for m a t ion e le m e n t

Group cipher suit e Following t he version num ber is t he group cipher suit e descript or. Access point s m ust select a single group cipher com pat ible wit h all associat ed st at ions t o prot ect broadcast and m ult icast fram es. Only one group cipher is allowed. A cipher suit e select or is four byt es long. I t st art s wit h an OUI for t he vendor, and a num ber t o ident ify t he cipher. Table 4- 9 shows t he st andardized cipher suit es. ( Values not shown in t he t able are reserved.) The OUI used by 802.11i is 00- 0F- AC, which is used by t he 802.11 working group.

Ta ble 4 - 9 . Ciph e r su it e s OUI

Su it e Type D e fin it ion

00- 0F- AC ( 802.11)

0

Use t he group cipher suit e ( only valid for pairwise ciphers)

00- 0F- AC

1

WEP- 40

00- 0F- AC

2

TKI P

OUI

Su it e Type D e fin it ion

00- 0F- AC

3

Reser v ed

00- 0F- AC

4

CCMPa

00- 0F- AC

5

WEP- 104

Vendor OUI

Any value

Defined by vendor

a

This is t he default value for an 802.11i net work.

Pairwise Cipher Suit es ( count + list ) Following t he group cipher suit e m ay be several pairwise cipher suit es t o prot ect unicast fram es. There is a t wo- byt e count , followed by a series of support ed cipher descript ors. The suit e select or m ay be set t o zero t o indicat e support for only t he group cipher suit e. There is no lim it , ot her t han t he size of t he inform at ion elem ent , on t he num ber of support ed pairwise cipher s.

Aut hent icat ion and Key Managem ent ( AKM) suit es ( count + list ) Like t he pairwise cipher suit e select or, t here m ay be m ult iple aut hent icat ion t ypes defined. Following a count , t here is a series of four- byt e suit e ident ifiers. As wit h t he cipher suit es, t he four- byt e ident ifier consist s of an OUI and a suit e t ype num ber. Table 4- 10 shows t he st andard aut hent icat ion t ypes.

Ta ble 4 - 1 0 . Au t h e n t ica t ion a n d k e y m a n a ge m e n t su it e s Su it e t ype

OUI

Au t h e n t ica t ion

Ke y m a n a ge m e n t

00- 0F- AC 1

802.1X or PMK caching

Key derivat ion from preshared m ast er key, as described in Chapt er 7

00- 0F- AC 2

Pre- shared key

Key derivat ion from pre- shared key, as described in Chapt er 7

Vendor OUI

Vendor- specific

Vendor- specific

Any

RSN Capabilt ies This t wo- byt e field consist s of four flags used t o describe what t he t ransm it t er is capable of, followed by reserved bit s t hat m ust be set t o zero.

Pre- aut hent icat ion An AP m ay set t his bit t o indicat e it can perform pre- aut hent icat ion wit h ot her APs on t he

net work t o m ove securit y sessions around. Ot herwise, t his bit is set t o zero. Preaut hent icat ion is discussed in Chapt er 8.

No Pairwise This bit is set when a st at ion can support a m anual WEP key for broadcast dat a in conj unct ion wit h a st ronger unicast key. Alt hough support ed by t he st andard, t his configurat ion should not be used unless absolut ely necessary.

Pairwise Replay Count er and Group Replay Count er Separat e replay count ers m ay be m aint ained for each priorit y level defined in em erging qualit y of service ext ensions. These bit s describe t he num ber of replay count ers support ed by t he st at ion.

PMK list ( count + list ) Fast er hand- offs bet ween access point s are possible when t he pairwise m ast er key is cached by t he AP. St at ions m ay provide a list of m ast er keys t o an AP on associat ion in an at t em pt t o bypass t he t im e- consum ing aut hent icat ion. PMK caching is discussed in m ore det ail in Chapt er 8.

Extended Supported Rates The Ext ended Support ed Rat es inform at ion elem ent act s ident ically t o t he Support ed Rat es elem ent in Figure 4- 33, but it allows an inform at ion elem ent body of up t o 255 byt es t o be support ed.

Wi-Fi Protected Access (WPA) Wi- Fi Prot ect ed Access is a slight m odificat ion of a subset of 802.11i, designed t o bring TKI P t o t he m arket m ore quickly. I t is ident ical t o t he Robust Securit y Net work inform at ion elem ent in Figure 450 , but wit h t he following changes: The elem ent I D is 221, not 48. A WPA- specific t ag of 00: 50: F2: 01 is insert ed before t he version field. Microsoft 's OUI ( 00: 50: F2) is used inst ead of t he 802.11 working group's OUI . Only one cipher suit e and one aut hent icat ion suit e are support ed in t he inform at ion elem ent . However, m any WPA im plem ent at ions do not follow t his rest rict ion. TKI P is t he default cipher, rat her t han CCMP. Preaut hent icat ion is not support ed in WPA, so t he preaut hent icat ion capabilit ies bit is always zero.

Types of Management Frames The fixed fields and inform at ion elem ent s are used in t he body of m anagem ent fram es t o convey inform at ion. Several t ypes of m anagem ent fram es exist and are used for various link- layer m aint enance funct ions.

Beacon Beacon fram es announce t he exist ence of a net work and are an im port ant part of m any net work m aint enance t asks. They are t ransm it t ed at regular int ervals t o allow m obile st at ions t o find and ident ify a net work, as well as m at ch param et ers for j oining t he net work. I n an infrast ruct ure net work, t he access point is responsible for t ransm it t ing Beacon fram es. The area in which Beacon fram es appear defines t he basic service area. All com m unicat ion in an infrast ruct ure net work is done t hrough an access point , so st at ions on t he net work m ust be close enough t o hear t he Beacons. Figure 4- 51 shows m ost t he fields t hat can be used in a Beacon fram e in t he order in which t hey appear. Not all of t he elem ent s are present in all Beacons. Opt ional fields are present only when t here is a reason for t hem t o be used. The FH and DS Param et er Set s are used only when t he underlying physical layer is based on frequency hopping or direct - sequence t echniques. Only one physical layer can be in use at any point , so t he FH and DS Param et er Set s are m ut ually exclusive. The CF Param et er Set is used only in fram es generat ed by access point s t hat support t he PCF, which is opt ional. The TI M elem ent is used only in Beacons generat ed by access point s, because only access point s perform fram e buffering. I f t he Count ry- specific frequency hopping ext ensions were t o be present , t hey would follow t he Count ry inform at ion elem ent . Frequency hopping net works are m uch less com m on now, t hough, so I om it t he frequency hopping ext ensions for sim plicit y. Likewise, t he I BSS DFS elem ent occur bet ween t he Quiet and TPC Report elem ent s, were it t o appear.

Figu r e 4 - 5 1 . Be a con fr a m e

Probe Request

Mobile st at ions use Probe Request fram es t o scan an area for exist ing 802.11 net works. The form at of t he Probe Request fram e is shown in Figure 4- 52. All fields are m andat ory.

Figu r e 4 - 5 2 . Pr obe Re qu e st fr a m e

A Probe Request fram e cont ains t wo fields: t he SSI D and t he rat es support ed by t he m obile st at ion. St at ions t hat receive Probe Request s use t he inform at ion t o det erm ine whet her t he m obile st at ion can j oin t he net work. To m ake a happy union, t he m obile st at ion m ust support all t he dat a rat es required by t he net work and m ust want t o j oin t he net work ident ified by t he SSI D. This m ay be set t o t he SSI D of a specific net work or set t o j oin any com pat ible net work. Drivers t hat allow cards t o j oin any net work use t he broadcast SSI D in Probe Request s.

Probe Response I f a Probe Request encount ers a net work wit h com pat ible param et ers, t he net work sends a Probe Response fram e. The st at ion t hat sent t he last Beacon is responsible for responding t o incom ing probes. I n infrast ruct ure net works, t his st at ion is t he access point . I n an I BSS, responsibilit y for Beacon t ransm ission is dist ribut ed. Aft er a st at ion t ransm it s a Beacon, it assum es responsibilit y for sending Probe Response fram es for t he next Beacon int erval. The form at of t he Probe Response fram e is shown in Figure 4- 53. Som e of t he fields in t he fram e are m ut ually exclusive; t he sam e rules apply t o Probe Response fram es as t o Beacon fram es.

Figu r e 4 - 5 3 . Pr obe Re spon se fr a m e

The Probe Response fram e carries all t he param et ers in a Beacon fram e, which enables m obile st at ions t o m at ch param et ers and j oin t he net work. Probe Response fram es can safely leave out t he TI M elem ent because st at ions sending probes are not yet associat ed and t hus would not need t o know which associat ions have buffered fram es wait ing at t he access point .

IBSS announcement traffic indication map (ATIM) I BSSs have no access point s and t herefore cannot rely on access point s for buffering. When a st at ion in an I BSS has buffered fram es for a receiver in low- power m ode, it sends an ATI M fram e during t he delivery period t o not ify t he recipient it has buffered dat a. See Figure 4- 54.

Figu r e 4 - 5 4 . ATI M fr a m e

Disassociation and Deauthentication Disassociat ion fram es are used t o end an associat ion relat ionship, and Deaut hent icat ion fram es are used t o end an aut hent icat ion relat ionship. Bot h fram es include a single fixed field, t he Reason Code, as shown in Figure 4- 55. Of course, t he Fram e Cont rol fields differ because t he subt ype dist inguishes bet ween t he different t ypes of m anagem ent fram es. 802.11 revisions did not need t o change t he form at , but m any have added new reason codes.

Figu r e 4 - 5 5 . D isa ssocia t ion a n d D e a u t h e n t ica t ion fr a m e s

Association Request Once m obile st at ions ident ify a com pat ible net work and aut hent icat e t o it , t hey m ay at t em pt t o j oin t he net work by sending an Associat ion Request fram e. The form at of t he Associat ion Request fram e is shown in Figure 4- 56.

Figu r e 4 - 5 6 . Associa t ion Re qu e st fr a m e

The Capabilit y I nform at ion field is used t o indicat e t he t ype of net work t he m obile st at ion want s t o j oin. Before an access point accept s an associat ion request , it verifies t hat t he Capabilit y I nform at ion, SSI D, and ( Ext ended) Support ed Rat es all m at ch t he param et ers of t he net work. Access point s also not e t he List en I nt erval, which describes how oft en a m obile st at ion list ens t o Beacon fram es t o m onit or t he TI M. St at ions t hat support spect rum m anagem ent will have t he power and channel capabilit y inform at ion elem ent s, and st at ions support ing securit y will have t he RSN inform at ion elem ent .

Reassociation Request Mobile st at ions m oving bet ween basic service areas wit hin t he sam e ext ended service area need t o reassociat e wit h t he net work before using t he dist ribut ion syst em again. St at ions m ay also need t o reassociat e if t hey leave t he coverage area of an access point t em porarily and rej oin it lat er. See Figure 4- 57.

Figu r e 4 - 5 7 . Re a ssocia t ion Re qu e st fr a m e

Associat ion and Reassociat ion Request s differ only in t hat a Reassociat ion Request includes t he address of t he m obile st at ion's current access point . I ncluding t his inform at ion allows t he new access point t o cont act t he old access point and t ransfer t he associat ion dat a. The t ransfer m ay include fram es t hat were buffered at t he old access point .

Association Response and Reassociation Response When m obile st at ions at t em pt t o associat e wit h an access point , t he access point replies wit h an Associat ion Response or Reassociat ion Response fram e, shown in Figure 4- 58. The t wo differ only in t he subt ype field in t he Fram e Cont rol field. All fields are m andat ory. As part of t he response, t he access point assigns an Associat ion I D. How an access point assigns t he associat ion I D is im plem ent at ion- dependent .

Figu r e 4 - 5 8 . ( Re ) Associa t ion Re spon se fr a m e

Authentication At t he beginning of 802.11 net working, st at ions aut hent icat ed using a shared key, and exchanged Aut hent icat ion fram es, which are shown in Figure 4- 59. Wit h 802.11i, shared key aut hent icat ion was kept in t he st andard, but m ade incom pat ible wit h t he new securit y m echanism s. I f a st at ion uses shared key aut hent icat ion, it will not be allowed t o use t he st rong securit y prot ocols described in Chapt er 8.

Figu r e 4 - 5 9 . Au t h e n t ica t ion fr a m e s

Different aut hent icat ion algorit hm s m ay co- exist . The Aut hent icat ion Algorit hm Num ber field is used for algorit hm select ion. The aut hent icat ion process m ay involve a num ber of st eps ( depending on t he algorit hm ) , so t here is a sequence num ber for each fram e in t he aut hent icat ion exchange. The St at us Code and Challenge Text are used in different ways by different algorit hm s; det ails are discussed in

Chapt er 8.

Action frame 802.11h added support for Act ion fram es, which t rigger m easurem ent s. These fram es will be described in det ail in t he " Spect rum Managem ent " sect ion of Chapt er 8.

Frame Transmission and Association and Authentication States Allowed fram e t ypes vary wit h t he associat ion and aut hent icat ion st at es. St at ions are eit her aut hent icat ed or unaut hent icat ed and can be associat ed or unassociat ed. These t wo variables can be com bined int o t hree allowed st at es, result ing in t he 802.11 Hierarchy of Net work Developm ent :

1 . I nit ial st at e; not aut hent icat ed and not associat ed 2 . Aut hent icat ed but not yet associat ed 3 . Aut hent icat ed and associat ed Each st at e is a successively higher point in t he developm ent of an 802.11 connect ion. All m obile st at ions st art in St at e 1, and dat a can be t ransm it t ed t hrough a dist ribut ion syst em only in St at e 3. ( I BSSs do not have access point s or associat ions and t hus only reach St age 2.) Figure 4- 60 is t he overall st at e diagram for fram e t ransm ission in 802.11.

Frame Classes Fram es are also divided int o different classes. Class 1 fram es can be t ransm it t ed in St at e 1; Class 1 and 2 fram es in St at e 2; and Class 1, 2, and 3 fram es in St at e 3.

Class 1 frames Class 1 fram es m ay be t ransm it t ed in any st at e and are used t o provide t he basic operat ions used by 802.11 st at ions. Cont rol fram es are received and processed t o provide basic respect for t he CSMA/ CA " rules of t he road" and t o t ransm it fram es in an I BSS. Class 1 fram es also allow st at ions t o find an infrast ruct ure net work and aut hent icat e t o it . Table 4- 11 shows a list of t he fram es t hat belong t o t he Class 1 group.

Figu r e 4 - 6 0 . Ove r a ll 8 0 2 .1 1 st a t e dia gr a m

Ta ble 4 - 1 1 . Cla ss 1 fr a m e s Con t r ol

M a n a ge m e n t

Data

Request t o Send ( RTS)

Probe Request

Any fram e wit h ToDS and From DS false ( 0)

Clear t o Send ( CTS)

Probe Response

Acknow ledgm ent ( ACK)

Beacon

CF- End

Aut hent icat ion

CF- End+ CF- Ack

Deaut hent icat ion Announcem ent Traffic I ndicat ion Message ( ATI M)

Class 2 frames Class 2 fram es can be t ransm it t ed only aft er a st at ion has successfully aut hent icat ed t o t he net work, and t hey can be used only in St at es 2 and 3. Class 2 fram es m anage associat ions. Successful associat ion or reassociat ion request s m ove a st at ion t o St at e 3; unsuccessful associat ion at t em pt s cause t he st at ion t o st ay in St at e 2. When a st at ion receives a Class 2 fram e from a nonaut hent icat ed peer, it responds wit h a Deaut hent icat ion fram e, dropping t he peer back t o St at e 1. [ * ] Table 4- 12 shows t he Class 2 fram es. [*]

This rejection action takes place only for frames that are not filtered. Filtering prevents frames from a different BSS from triggering a rejection.

Ta ble 4 - 1 2 . Cla ss 2 fr a m e s

Con t r ol

M a n a ge m e n t

Data

None

Associat ion Request / Response

None

Reassociat ion Request / Response Disassociat ion

Class 3 frames Class 3 fram es are used when a st at ion has been successfully aut hent icat ed and associat ed wit h an access point . Once a st at ion has reached St at e 3, it is allowed t o use dist ribut ion syst em services and reach dest inat ions beyond it s access point . St at ions m ay also use t he power- saving services provided by access point s in St at e 3 by using t he PS- Poll fram e. Table 4- 13 list s t he different t ypes of Class 3 fram es.

Ta ble 4 - 1 3 . Cla ss 3 fr a m e s Con t r ol M a n a ge m e n t PS- Poll

Data

Deaut hent icat ion Any fram es, including t hose wit h eit her t he ToDS or From DS bit s set

I f an access point receives fram es from a m obile st at ion t hat is aut hent icat ed but not associat ed, t he access point responds wit h a Disassociat ion fram e t o bum p t he m obile st at ion back t o St at e 2. I f t he m obile st at ion is not even aut hent icat ed, t he access point responds wit h a Deaut hent icat ion fram e t o force t he m obile st at ion back int o St at e 1.

Chapter 5. Wired Equivalent Privacy (WEP) Anyone who is not shocked by quant um t heory has not underst ood it. Niels Bohr I n wireless net works, t he word " broadcast " t akes on an ent irely new m eaning. Wireless net works rely on an open m edium , and t he risk of using t hem is great ly increased if no crypt ographic prot ect ion can be applied on t he air link. Wit h an open net work m edium , unprot ect ed t raffic can be seen by anybody wit h t he right equipm ent . I n t he case of wireless LANs, t he " right equipm ent " is a radio capable of receiving and decoding 802.11, which is hardly an expensive purchase. For ext ra eavesdropping power, a high- gain ext ernal ant enna m ay be used. Ant ennas are inexpensive enough t hat you m ust assum e t hat a det erm ined at t acher has purchased one. Guarding against t raffic int ercept ion is t he dom ain of crypt ographic prot ocols. As fram es fly t hrough t he air, t hey m ust be prot ect ed against harm . Prot ect ion t akes m any form s, but t he t wo m ost com m only cit ed inform al obj ect ives are m aint aining t he secrecy of net work dat a and ensuring it has not been t am pered wit h. I nit ially, t he Wired Equivalent Privacy ( WEP) st andard was t he answer for wireless securit y. I n t he first four years of 802.11's life, researchers built a st rong case for t he insecurit y of WEP. I f WEP is so bad, why bot her wit h it ? I n m any cases, it is t he only securit y prot ocol available on a part icular device. WEP's design is easy t o im plem ent . Though it lacks t he sophist icat ion of lat er crypt ographic prot ocols, it does not require t he com put at ional power, eit her. Older devices, especially handheld applicat ion- specific devices, m ay lack t he processing punch necessary t o run anyt hing bet t er, and WEP is t he best t hat you can do. I t is also im port ant t o learn about WEP because t he WEP fram e- handling operat ions underlie newer t echnology such as TKI P.

Cryptographic Background to WEP Before discussing t he design of WEP, it 's necessary t o cover som e basic crypt ographic concept s. I am not a crypt ographer, and a det ailed discussion of t he crypt ography involved would not be appropriat e in t his book, so t his chapt er is necessarily brief. [ * ] [*]

Readers interested in more detailed explanations of the cryptographic algorithms involved should consult Applied Cryptography by Bruce Schneier (Wiley, 1996).

To prot ect dat a, WEP requires t he use of t he RC4 cipher, which is a sym m et ric ( secret - key) st ream cipher. RC4 shares a num ber of propert ies wit h all st ream ciphers. Generally speaking, a st ream cipher uses a st ream of bit s, called t he keyst ream . The keyst ream is t hen com bined wit h t he m essage t o produce t he ciphert ext . To recover t he original m essage, t he receiver processes t he ciphert ext wit h an ident ical keyst ream . RC4 uses t he exclusive OR ( XOR) operat ion t o com bine t he keyst ream and t he ciphert ext . Figure 5- 1 illust rat es t he process.

Figu r e 5 - 1 . Ge n e r ic st r e a m ciph e r ope r a t ion

Most st ream ciphers operat e by t aking a relat ively short secret key and expanding it int o a pseudorandom keyst ream t he sam e lengt h as t he m essage. This process is illust rat ed in Figure 5- 2 . The pseudorandom num ber generat or ( PRNG) is a set of rules used t o expand t he key int o a keyst ream . To recover t he dat a, bot h sides m ust share t he sam e secret key and use t he sam e algorit hm t o expand t he key int o a pseudorandom sequence. Because t he securit y of a st ream cipher rest s ent irely on t he random ness of t he keyst ream , t he design of t he key- t o- keyst ream expansion is of t he ut m ost im port ance. When RC4 was select ed by t he 802.11 working group, it appeared t o be quit e secure. But once RC4 was select ed as t he ciphering engine of WEP, it spurred research t hat ult im at ely found an exploit able flaw in t he RC4 cipher t hat will be discussed lat er.

Figu r e 5 - 2 . Ke ye d st r e a m ciph e r ope r a t ion

Stream Cipher Security A t ot ally random keyst ream is called a one- t im e pad and is t he only known encrypt ion schem e t hat is m at hem at ically proven t o prot ect against cert ain t ypes of at t acks. One- t im e pads are not com m only used because t he keyst ream m ust be perfect ly random and t he sam e lengt h as t he dat a t hat will be prot ect ed, and it can never be reused. At t ackers are not lim it ed t o at t acking t he underlying cipher. They can choose t o exploit any weak point in a crypt ographic syst em . One fam ous West ern int elligence effort , code- nam ed VENONA, broke Soviet m essages encrypt ed wit h one- t im e pads t hat were reused. [ * ] I t is easy t o underst and t he t em pt at ion t o reuse t he one- t im e pads. Huge volum es of keying m at erial are necessary t o prot ect even a sm all am ount of dat a, and t hose keying pads m ust be securely dist ribut ed, which in pract ice proves t o be a m aj or challenge. One dat a bit m ust have a corresponding one- t im e pad bit . A 54 Mbps net work can m ove about 25 Mbps of user dat a. I f t he net work operat es at j ust 10% of t hat capacit y, t he dat a t ransfer in an 8- hour workday is st ill 9 gigabyt es. Dist ribut ing m ult iple gigabyt es of keying m at erial t o every access point is t ot ally im pract ical. [*]

The United States National Security Agency has made some information on the project public at http://www.nsa.gov/docs/venona.

St ream ciphers are a com prom ise bet ween securit y and pract icalit y. The perfect random ness ( and perfect securit y) of a one- t im e pad is at t ract ive, but t he pract ical difficult ies and cost incurred in generat ing and dist ribut ing t he keying m at erial is wort hwhile only for short m essages t hat require t he ut m ost securit y. St ream ciphers use a less random keyst ream but one t hat is random enough for m ost applicat ions.

Cryptographic Politics No discussion of crypt ography would be com plet e wit hout a passing reference t o som e of t he m any legal and regulat ory concerns surrounding it s use. Three m aj or issues im pinge upon t he use of WEP, t hough t he effect of t hese issues has dim inished over t im e. WEP requires t he use of t he RC4 cipher t o encrypt t he fram e. When t he first edit ion of t his book was writ t en, WEP was opt ional and not incorporat ed int o all product s. Host soft ware could incorporat e RC4 code, but open source proj ect s had concerns about including code t hat infringed on t he

int ellect ual propert y of RSA Securit y, I nc. I n t he t im e since t he first edit ion was published, t his concern has faded int o t he background. All t he m aj or chipset vendors have licensed RC4 encrypt ion and incorporat ed hardware support for RC4 int o 802.11 chipset s. Device drivers are responsible for pushing WEP keys down t o t he hardware. Perform ing encrypt ion in hardware on t he card m eans t hat soft ware no longer needs t o risk infringing on RSA's int ellect ual propert y. WEP was init ially designed wit h short keys t o sat isfy t he U.S. export regulat ions regarding crypt ographic product s. I nit ially, t he st andard required short 40- bit keys, but every product on t he m arket support s at least 104- bit keys now. For a brief t im e, long keys looked like an im port ant ext ension t o t he st andard, t hough t he addit ional securit y proved illusory. Finally, som e governm ent s st rict ly regulat e t he use of any crypt ographic syst em , WEP included. I n addit ion t o Unit ed St at es export regulat ions, m any count ries have im port regulat ions t hat rest rict im port ing crypt ographic equipm ent . Ot her governm ent s are also free t o require addit ional crypt ographic m easures. The governm ent of China has developed an alt ernat ive securit y syst em called WLAN Aut hent icat ion and Privacy I nfrast ruct ure ( WAPI ) , and has m ade it opt ional for wireless LAN equipm ent sold in China.

WEP Cryptographic Operations Com m unicat ions securit y has t hree m aj or obj ect ives. Any prot ocol t hat at t em pt s t o secure dat a as it t ravels across a net work m ust help net work m anagers t o achieve t hese goals. Confident ialit y is t he t erm used t o describe dat a t hat is prot ect ed against int ercept ion by unaut horized part ies. I nt egrit y m eans t hat t he dat a has not been m odified. Aut hent icat ion underpins any securit y st rat egy because part of t he reliabilit y of dat a is based on it s origin. Users m ust ensure t hat dat a com es from t he source it purport s t o com e from . Syst em s m ust use aut hent icat ion t o prot ect dat a appropriat ely. Aut horizat ion and access cont rol are bot h im plem ent ed on t op of aut hent icat ion. Before grant ing access t o a piece of dat a, syst em s m ust find out who t he user is ( aut hent icat ion) and whet her t he access operat ion is allowed ( aut horizat ion) . WEP provides operat ions t hat at t em pt t o m eet t hese obj ect ives, t hough t hey oft en fail under serious scrut iny or at t ack. Fram e body encrypt ion support s confident ialit y. An int egrit y check sequence prot ect s dat a in t ransit and allows receivers t o validat e t hat t he received dat a was not alt ered in t ransit . I n pract ice, t he operat ions offered by WEP are not st rong and require addit ional st rengt hening m easures, as discussed in t he next t wo chapt ers.

WEP Data Processing Confident ialit y and int egrit y are handled sim ult aneously, as illust rat ed in Figure 5- 3 . Before encrypt ion, t he fram e is run t hrough an int egrit y check algorit hm , generat ing a hash called an int egrit y check value ( I CV) . The I CV prot ect s t he cont ent s against t am pering by ensuring t hat t he fram e has not changed in t ransit . The fram e and t he I CV are bot h encrypt ed, so t he I CV is not available t o casual at t ackers.

Figu r e 5 - 3 . W EP ope r a t ion s

As input , WEP requires t hree it em s: The payload t o be prot ect ed, which com es from t he upper layer prot ocol st ack. A secret key, used in fram e encrypt ion. Depending on im plem ent at ion, keys m ay be specified as a st ring of key bit s, or by key num ber. WEP allows four keys t o be st ored sim ult aneously. An init ializat ion vect or, used along wit h t he secret key in fram e t ransm ission. Aft er processing, WEP has a single out put : An encrypt ed fram e, ready for t ransm ission over an unt rust ed net work wit h enough inform at ion t o enable decrypt ion at t he rem ot e end.

WEP data transmission Driver soft ware and t he int erface hardware are responsible for processing t he dat a and sending out t he encrypt ed packet , using t he following sequence:

1 . The 802.11 fram e is queued for t ransm ission. I t consist s of a fram e header and t he payload. WEP prot ect s only t he payload of t he 802.11 MAC, and leaves t he 802.11 fram e header, as well as any lower- layer headers, int act . 2.

2 . An int egrit y check value ( I CV) is calculat ed over t he payload of t he 802.11 MAC fram e. I t is calculat ed over t he fram e payload, so it st art s at t he first bit of t he SNAP header, and goes up t o t he last dat a bit in t he body. The 802.11 fram e check sequence has not yet been calculat ed, so it is not included in t he I CV calculat ion. The I CV used by WEP is a Cyclic Redundancy Check ( CRC) , a point t hat will be expanded on lat er. 3 . The fram e encrypt ion key, or WEP seed, is assem bled. WEP keys com e in t wo part s: t he secret key, and t he init ializat ion vect or ( I V) . St ream ciphers will produce t he sam e key st ream from t he sam e key, so an init ializat ion vect or is used t o produce different st ream ciphers for each t ransm it t ed fram e. To reduce t he occurrence of encrypt ion wit h t he sam e key st ream , t he sending st at ion prepends t he I V t o t he secret key. 802.11 does not place any const raint s on t he algorit hm used t o choose I Vs; som e product s assign I Vs sequent ially, while ot hers use a pseudorandom hashing algorit hm . I V select ion has som e securit y im plicat ions because poor I V select ion can com prom ise keys. 4 . The fram e encrypt ion key is used as t he RC4 key t o encrypt t he 802.11 MAC payload from st ep 1 and t he I CV from st ep 2. The encrypt ion process is oft en assist ed wit h dedicat ed RC4 circuit ry on t he card. 5 . Wit h t he encrypt ed payload in hand, t he st at ion assem bles t he final fram e for t ransm ission. The 802.11 header is ret ained int act . Bet ween t he 802.11 MAC header and t he encrypt ed payload, a WEP header is insert ed. I n addit ion t o t he I V, t he WEP header includes a key num ber. WEP allows up t o four keys t o be defined, so t he sender m ust ident ify which key is in use. Once t he final header is assem bled, t he 802.11 FCS value can be calculat ed over t he ent ire MAC fram e from t he st art of t he header t o t he end of t he ( encrypt ed) I CV. Decrypt ion happens in t he reverse order. As wit h any ot her t ransm ission on t he wireless net work, t he FCS is validat ed t o ensure t hat t he fram e received was not corrupt ed in t ransit . To decrypt t he prot ect ed part of t he fram e, t he receiver will t ake it s secret key, prepend t he I V, and generat e t he key st ream . Wit h t he decrypt ed dat a, it can t hen validat e t he I CV. Once t he I CV is successfully validat ed, t he packet dat a can be passed t o t he appropriat e upper- layer prot ocol depending on t he cont ent of t he SNAP header.

WEP key length I n t heory, WEP can be used wit h keys of any lengt h because RC4 does not require t he use of any part icular key size. Most product s im plem ent one of t wo key lengt hs, t hough. The only key lengt h present in t he st andard is a 64- bit WEP seed, of which 40 bit s are shared as a secret bet ween t he t wo com m unicat ing st at ions. Vendors have used a variet y of nam es for t he st andard WEP m ode: " st andard WEP," " 802.11- com pliant WEP," " 40- bit WEP," " 40+ 24- bit WEP," or even " 64- bit WEP." I personally feel t hat t he last t erm is a st ret ch, based on hoodwinking t he consum er wit h t he lengt h of t he shared key and not t he size of t he shared secret , but it has becom e som ewhat st andard t hroughout t he indust ry. I t is also com m on t o im plem ent a longer key lengt h, t ypically wit h a 128- bit WEP seed, of which 104 bit s are a kept secret . This is referred t o as " WEP- 104" by m any docum ent s, t hough it is alm ost always called " 128- bit WEP" by sales lit erat ure. I t is rare, t hough not unheard of, t o use a t hird key lengt h of 128 secret bit s, which result s in a 152- bit WEP seed. Confusingly, t his rare im plem ent at ion is oft en also called " 128- bit WEP," alt hough t he differing key lengt hs m akes it incom pat ible wit h WEP- 104. One vendor even offers t he opt ion of using 256- bit secret keys wit h WEP, alt hough t he increm ent al securit y from such a long key is dubious. I n a well- designed crypt ographic syst em , addit ional securit y can be obt ained by using a longer key. Each addit ional bit doubles t he num ber of pot ent ial keys and, in t heory, doubles t he am ount of t im e

required for a successful at t ack. WEP, however, is not a well- designed crypt ographic syst em , and t he ext ra bit s in t he key buy you very lit t le. The best publicly disclosed at t ack against st at ic WEP can recover t he key in seconds, no m at t er what it s lengt h is.

Types of WEP keys WEP can em ploy t wo different t ypes of keys. Mapped keys prot ect t raffic bet ween a part icular source and receiver. Mapped keys are som et im es referred t o as unicast keys or st at ion keys because t hey are well- suit ed t o prot ect unicast t raffic. I n an infrast ruct ure net work, dat a is always t ransferred bet ween a st at ion and t he access point serving it . 802.11 fram es have bot h a receiver address and a dest inat ion address. Unicast t raffic m ay have m any different dest inat ion addresses, but every unicast fram e t ransm it t ed in an infrast ruct ure net work will use t he MAC address of t he AP as it s receiver address. All unicast t raffic t o or from a part icular st at ion can be encrypt ed by a single m apping key. Default keys, which are also referred t o as broadcast keys, are used when no m apping relat ionship exist s bet ween t wo 802.11 st at ions. Default keys are a nat ural fit for broadcast and m ult icast fram es because group addresses represent m ult iple st at ions and t herefore cannot support key m apping relat ionships.

Manual (static) versus automatic (dynamic) WEP 802.11 does not specify any part icular key dist ribut ion m echanism for use wit h WEP. As far as WEP is concerned, keys m agically appear. Early WEP im plem ent at ions relied on m anual key dist ribut ion. Adm inist rat ors were responsible for dist ribut ing a single default key t o all st at ions in t he net work, usually m anually. Key updat es were also m anual. I n pract ice, m ost net work deploym ent s wound up using t he sam e key for a very long t im e due t o t he high m anagem ent overhead in changing t he key. For t his reason, WEP wit hout any key dist ribut ion m echanism is oft en called m anual WEP or st at ic WEP. Manual keys are an awful idea. Managing key dist ribut ion across a whole net work of access point s is very difficult . Keys prot ect dat a, and should t herefore be changed whenever som ebody wit h knowledge of t he key leaves t he organizat ion. I n t heory, a well designed crypt ographic syst em t ries t o lim it t he use of a key t o as narrow a purpose as possible j ust in case a key is com prom ised. St at ic WEP used t he sam e key for all fram es t ransm it t ed by every st at ion, which worsens t he consequences of a key com prom ise. St at ic WEP should not be used wit hout a clear reason t o do so. St at ic WEP is bet t er t han not hing, but lit t le m ore can be said in it s favor. I t is effect ive for det erring casual at t acks, but will not wit hst and det erm ined assault . Many low- power devices such as 802.11 phones, handheld bar code scanners, and even som e PDAs m ay not support anyt hing bet t er t han st at ic WEP. Unt il t hey can be replaced, st at ic WEP offers t he only possible link layer securit y for t hese devices. Bet t er solut ions are based on dynam ic WEP. Rat her t han a single key dist ribut ed t o all st at ions, each st at ion uses t wo keys. One is a key m apping key, shared bet ween t he st at ion and access point , used t o prot ect unicast fram es. The second key is a default key, shared by all st at ions in t he sam e service set , t hat prot ect s broadcast and m ult icast fram es. The encrypt ion keys used by t he client s are dist ribut ed using key encrypt ion keys derived from st rong aut hent icat ion prot ocols t hat will be discussed in t he next chapt er. Dynam ic WEP offers significant advant ages over st at ic WEP solut ions. At t he highest level, t he scope of each key is lim it ed. Keys are used less oft en, and t he result of com prom ising a key is lessened by using it t o prot ect less t raffic. At t ackers can st ill m ount assault s on t he keys, but t hey have m uch less dat a t o work for each key, m aking at t acks m ore t im e- consum ing. Nearly as im port ant , dynam ic keys can, as t he nam e im plies, change. At periodic int ervals, t he keys can be refreshed by t he access

point , which requires at t ackers t o t hrow out accum ulat ed dat a and st art t he assault on a key over again. By configuring short rekeying int ervals, significant m it igat ion against at t acks on keys is possible. Dynam ic WEP solut ions will be discussed lat er in t his chapt er.

WEP key numbering and storage WEP keys have an associat ed num ber so t hat up t o four keys m ay be defined on an 802.11 st at ion. I n t he beginning, t he WEP key num ber was m eant t o help facilit at e changing t he key across t he net work. Rat her t han swit ch every st at ion t o a new key sim ult aneously, t he new key could be defined across t he net work and st at ions could be gradually swit ched. I f, for exam ple, an organizat ion used key num ber 0 and wished t o change it , key num ber 1 could be defined on t he net work. Rat her t han change all st at ions at t he sam e t im e t o t he new key, st at ions could be configured t o st art using key num ber 1 during a defined t ransit ion period. At t he end of t he t ransit ion period, key num ber 0 would be disabled. Key num bering t akes on a slight ly different role in dynam ic WEP solut ions. Each st at ion receives t wo keys from t he access point : a m apping key, t ypically st ored as key num ber 0, and a default key, t ypically st ored as key num ber 1. St at ions use key 0 for prot ect ion of unicast t raffic, and key 1 for prot ect ion of broadcast t raffic. When fram es are queued by t he driver for t ransm ission, t he driver soft ware will label unicast fram es as requiring encrypt ion wit h key 0, and broadcast fram es as requiring encrypt ion wit h key 1. When 802.11 was new, m any cards did not support WEP, or perform ed t he RC4 encrypt ion on t he host CPU, lim it ing perform ance. RC4 is very easy t o im plem ent in hardware, and virt ually every wireless LAN int erface sold since 1999 has provided hardware- based RC4 encrypt ion in t he int erface card it self t o reduce t he perform ance hit from encrypt ion. ( This includes m ost 802.11b cards and everyt hing t hat has com e lat er.) Som e older cards also used firm ware t o lim it key lengt h t o 40- bit keys rat her t han 104- bit keys, such as t he Orinoco Silver and Gold cards. Key lengt h rest rict ions were lift ed in lat er firm ware releases. To efficient ly encrypt fram es, m any 802.11 chipset s include a dat a st ruct ure called t he key cache. Key caches consist of m appings bet ween t uples of t he dest inat ion address, t he key ident ifier num ber, and t he bit s of t he key it self. Most chipset s int ended for use in st at ion int erface cards have four key slot s. St at ic WEP uses one key slot ; dynam ic WEP solut ions use t wo. When fram es are queued for t ransm ission, t he dest inat ion address is looked up in t he key cache and t he result ing key is used t o encrypt t he fram e. Dynam ic keying solut ions funct ion ident ically t o st at ic WEP solut ions, except t hat t he cont ent s of t he key cache m ay be overwrit t en by key m anagem ent soft ware. One of t he ways in which chipset s int ended for use in cards differ from chipset s int ended for use in access point s is t hat t he AP chipset s have m uch larger key caches, oft en capable of 256 or m ore key ent ries. Even wit h t wo ent ries required ( one m apped key and one default key) for a st at ion, such a dat a st ruct ure can handle keying for m ore t han 100 st at ions. Given t he lim it ed capacit y of m ost wireless link t echnologies, such a large dat a will handle any reasonable t raffic load wit h room t o spare. However, som e early APs capable of dynam ic keying were unable t o m aint ain large key dat a st ruct ures, and had t o share keys am ong m ult iple st at ions. To cut cost s, som e vendors used card chipset s rat her t han AP chipset s in t he AP radio. As a result , t hey only had four key slot s and needed t o share a single unicast key am ong all st at ions at t ached t o an AP.

WEP Encapsulation When WEP is in use, t he fram e body expands by eight byt es. Four byt es are used for a fram e body I V header, and four are used for t he I CV t railer. See Figure 5- 4 .

Figu r e 5 - 4 . W EP fr a m e e x t e n sion s

The I V header uses 3 byt es for t he 24- bit I V, wit h t he fourt h byt e used for padding and key ident ificat ion. When a default key is used, t he Key I D subfield ident ifies t he default key t hat was used t o encrypt t he fram e. I f a key m apping relat ionship is used, t he Key I D subfield is 0. The 6 padding bit s of t he last byt e m ust be 0. The int egrit y check is a 32- bit CRC of t he dat a fram e; it is appended t o t he fram e body and prot ect ed by RC4. The fram e check sequence prot ect s t he encrypt ed dat a.

Problems with WEP Crypt ographers have ident ified m any flaws in WEP. The designers specified t he use of RC4, which is widely accept ed as a st rong crypt ographic cipher. At t ackers, however, are not lim it ed t o a full- front al assault on t he crypt ographic algorit hm st hey can at t ack any weak point in t he crypt ographic syst em . Met hods of defeat ing WEP have com e from every angle. One not able slip was a vendor who shipped access point s t hat exposed t he secret WEP keys t hrough SNMP, allowing an at t acker t o ask for j ust t he key. Most of t he press, t hough, has been devot ed t o flaws beyond im plem ent at ion errors, which are m uch harder t o correct .

Cryptographic Properties of RC4 Reuse of t he keyst ream is t he m aj or weakness in any st ream cipher- based crypt osyst em . When fram es are encrypt ed wit h t he sam e RC4 keyst ream , t he XOR of t he t wo encrypt ed packet s is equivalent t o t he XOR of t he t wo plaint ext packet s. By analyzing differences bet ween t he t wo st ream s in conj unct ion wit h t he st ruct ure of t he fram e body, at t ackers can learn about t he cont ent s of t he plaint ext fram es t hem selves. To help prevent t he reuse of t he keyst ream , WEP uses t he I V t o encrypt different packet s wit h different RC4 keys. However, t he I V is part of t he packet header and is not encrypt ed, so eavesdroppers are t ipped off t o packet s t hat are encrypt ed wit h t he sam e RC4 key. I m plem ent at ion problem s can cont ribut e t o t he lack of securit y . 802.11 adm it s t hat using t he sam e I V for a large num ber of fram es is insecure and should be avoided. The st andard allows for using a different I V for each fram e, but it is not required. WEP incorporat es an int egrit y check, but t he algorit hm used is a cyclic redundancy check ( CRC) . CRCs can cat ch single- bit alt erat ions wit h high probabilit y, but t hey are not crypt ographically secure. Crypt ographically secure int egrit y checks are based on hash funct ions, which are unpredict able. Wit h unpredict able funct ions, if t he at t acker changes even one bit of t he fram e, t he int egrit y check will change in unpredict able ways. The odds of an at t acker finding an alt ered fram e wit h t he sam e int egrit y check are so slim t hat it cannot be done in real t im e. CRCs are not crypt ographically secure. CRC calculat ions are st raight forward m at hem at ics, and it is easy t o predict how changing a single bit will affect t he result of t he CRC calculat ion. ( This propert y is oft en used by com pressed dat a files for repair! I f j ust a few bit s are bad, t hey can som et im es be ident ified and correct ed based on a CRC value.)

Design Flaws of the WEP System WEP's design flaws init ially gained prom inence when t he I nt ernet Securit y, Applicat ions, Aut hent icat ion, and Crypt ography ( I SAAC) group at t he Universit y of California, Berkeley, published prelim inary result s based on t heir analysis of t he WEP st andard. [ * ] None of t he problem s ident ified by researchers depend on breaking RC4. Here's a sum m ary of t he problem s t hey found; I 've already t ouched on som e of t hem : [*]

The report is available on the Web at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html. Items 36 on the following list are summarized from that report.

1 . Manual key m anagem ent is a m inefield of problem s. Set t ing aside t he operat ional issues wit h dist ribut ing ident ical shared secret s t o t he user populat ion, t he securit y concerns are night m arish. New keying m at erial m ust be dist ribut ed on a " flag day" t o all syst em s sim ult aneously, and prudent securit y pract ices would lean st rongly t oward rekeying whenever anybody using WEP leaves t he com pany ( t he adm inist rat ive burden m ay, however, preclude doing t his) . Widely dist ribut ed secret s t end t o becom e public over t im e. Passive sniffing at t acks require obt aining only t he WEP keys, which are likely t o be changed infrequent ly. Once a user has obt ained t he WEP keys, sniffing at t acks are easy, especially since 802.11 analyzers incorporat e decrypt ion capabilit ies. 2 . As st andardized, st at ic WEP offers a shared secret of only 40 bit s. Securit y expert s have long quest ioned t he adequacy of 40- bit privat e keys, and m any recom m end t hat sensit ive dat a be prot ect ed by at least 128- bit keys.[ * ] I n t he years since t he init ial flaws in WEP were published, t he indust ry- st andard ext ended key lengt h is only 104 bit s. [ * ] To be fair, WEP was originally developed wit h t he goal of being export able under t he t hen- current U.S. regulat ions for export of crypt ographic syst em s. A longer key could not have been used wit hout j eopardizing t he com m ercial viabilit y of U.S.- built 802.11 product s.

3 . St ream ciphers are vulnerable t o analysis when t he keyst ream is reused. WEP's use of t he I V t ips off an at t acker t o t he reuse of a keyst ream . Two fram es t hat share t he sam e I V alm ost cert ainly use t he sam e secret key and keyst ream . This problem is m ade worse by poor im plem ent at ions, which m ay not pick random I Vs. The Berkeley t eam ident ified one im plem ent at ion t hat st art ed wit h an I V of 0 when t he card was insert ed and sim ply increm ent ed t he I V for each fram e. Furt herm ore, t he I V space is quit e sm all ( less t han 17 m illion) , so repet it ions are guarant eed on busy net works. 4 . I nfrequent rekeying allows at t ackers t o assem ble what t he Berkeley t eam calls decrypt ion dict ionaries large collect ions of fram es encrypt ed wit h t he sam e keyst ream s. As m ore fram es wit h t he sam e I V pile up, m ore inform at ion is available about t he unencrypt ed fram es even if t he secret key is not recovered. Given how overworked t he t ypical syst em and net work adm inist rat ion st aff is, infrequent rekeying is t he rule. 5 . WEP uses a CRC for t he int egrit y check. Alt hough t he value of t he int egrit y check is encrypt ed by t he RC4 keyst ream , CRCs are not crypt ographically secure. Use of a weak int egrit y check does not prevent det erm ined at t ackers from t ransparent ly m odifying fram es. [ ] [

] 802.11 requires fram e ret ransm issions in t he case of loss, so it m ay be possible for an at t acker t o ret ransm it a fram e and cause a replacem ent inj ect ed fram e t o be accept ed as legit im at e.

6 . The access point is in a privileged posit ion t o decrypt fram es. Concept ually, t his feat ure can be at t acked by t ricking t he access point int o ret ransm it t ing fram es t hat were encrypt ed by WEP. Fram es received by t he access point would be decrypt ed and t hen ret ransm it t ed t o t he at t acker's st at ion. I f t he at t acker is using WEP, t he access point would helpfully encrypt t he fram e using t he at t acker's key.

Key Recovery Attacks Against WEP I n August 2001, Scot t Fluhrer, I t sik Mant in, and Adi Sham ir published a paper t it led " Weaknesses in t he Key Scheduling Algorit hm of RC4." At t he end of t he paper, t he aut hors describe a t heoret ical at t ack on WEP. At t he heart of t he at t ack is a weakness in t he way t hat RC4 expands t he key int o t he key st ream , a process called t he key scheduling algorit hm . The Fluhrer- Mant in- Sham ir at t ack, or FMS at t ack for short , assum es t he abilit y t o recover t he first byt e of t he encrypt ed payload. I n m any crypt ographic syst em s, t hat would be a big assum pt ion.

WEP, however, is used t o prot ect 802.11 fram es, and t he 802.11 fram e body begins wit h a SNAP header. Therefore, t he cleart ext value of t he first byt e is known t o be 0xAA. Because t he first cleart ext byt e is known, t he first byt e of t he keyst ream can be easily deduced from a t rivial XOR operat ion wit h t he first encrypt ed byt e. The paper's at t acks are focused on a class of weak keys writ t en in t he form ( B+ 3) : FF: N. Each weak I V is used t o at t ack a part icular byt e of t he secret port ion of t he RC4 key. Key byt es are num bered from zero. Therefore, t he weak I V corresponding t o byt e zero of t he secret key has t he form 3: FF: N. The second byt e m ust be 0xFF; knowledge of t he t hird byt e in t he key is required, but it need not be any specific value. A st andard WEP key is 40 secret bit s, or 5 byt es num bered consecut ively from 0 t o 4. Weak I Vs on a net work prot ect ed by st andard WEP m ust have a first byt e t hat ranges from 3 ( B= 0) t o 7 ( B= 4) and a second byt e of 255. The t hird byt e m ust be not ed but is not const rained t o any specific value. There are 5 x 1 x 256= 1,280 weak I Vs of t his t ype in a st at ic WEP net work. Addit ional classes of weak I Vs have been exploit ed since t he publicat ion of t he paper, bringing t he t ot al num ber of weak I Vs t o about 9,000; t his is approxim at ely 5% of t he t ot al num ber of I Vs. These new classes depend on t he relat ionships bet ween I V byt es. Readers who are int erest ed in t he ot her classes of weak I Vs should refer t o t he source code of WEP cracking t ools. [ * ] [*]

For example, see the classify() function in Airsnort's crack.c.

Each weak I V leaks inform at ion about a key byt e. By applying probabilit y t heory, Fluhrer, Mant in, and Sham ir est im at ed t hat about 60 weak I Vs need t o be collect ed for each key byt e. Furt herm ore, and perhaps worst of all, t he at t ack gains speed as m ore key byt es are det erm ined. Guessing t he first key byt e helps you get t he second, and so on. Success cascades t hrough t he at t ack, and it works in linear t im e. Doubling t he key lengt h only doubles t he com put at ional t im e for t he at t ack t o succeed. Wit h such a t ant alizing result , it was only a m at t er of t im e before it was used t o at t ack a real syst em . I n early August 2001, Adam St ubblefield, John I oannidis, and Avi Rubin applied t he FMS at t ack t o an experim ent al, but real, net work wit h devast at ing effect . [ * ] I n t heir t est ing, 60 resolved cases usually det erm ined a key byt e, and 256 resolved cases always yielded a full key. I t t ook less t han a week t o im plem ent t he at t ack, from t he ordering of t he wireless card t o t he recovery of t he first full key. Coding t he at t ack t ook only a few hours. Key recovery was accom plished bet ween five and six m illion packet s, which is a sm all num ber for even a m oderat ely busy net work. [*]

This work is described more fully in AT&T Labs Technical Report TD-4ZCPZZ.

Report ing on a successful at t ack, however, is not hing com pared t o having a public code base available t o use at will. The hard part of t he Fluhrer- Mant in- Sham ir at t ack was finding t he RC4 weakness. I m plem ent ing t heir recom m endat ions is not t oo difficult . I n lat e August 2001, AirSnort , an open source WEP key recovery program , was released. Many t ools have followed AirSnort .

Key recovery defenses Longer keys are no defense against key recovery at t acks. The t im e required t o recover a key can be broken up int o t he gat hering t im e required t o collect enough fram es for t he at t ack, plus t he com put at ional t im e required t o run t he program and get t he key. Com put at ional t im e is only a few seconds; gat hering t im e generally dom inat es t he at t ack. Longer keys require slight ly m ore com put at ional t im e, but do not require different gat hering t im e. As t he key lengt h increases, m ore weak I Vs are caught in t he dragnet . One defense adopt ed by m any vendors is t o avoid using weak I Vs. Most vendors have now changed product s so t hat each I V t o be used is first checked against a classifier, and any weak I Vs are

replaced by non- weak I Vs. Unfort unat ely, reducing t he size of t he I V space m ay cause I V re- use t o happen earlier. Net work adm inist rat ors have responded t o key recovery at t acks by using st ronger prot ocols, such as t he 802.11i prot ocols discussed in Chapt er 7. For m any organizat ions, t his is a solut ion. However, newer prot ocols m ay not be as com pat ible as dynam ic WEP wit h exist ing equipm ent . To m it igat e t he use of WEP, m ost net work adm inist rat ors set a re- key t im e of bet ween 5 and 15 m inut es, depending on t he accept able overhead on t he net work.

Dynamic WEP Wit h t he at t ent ion devot ed t o securit y, it was not long before t he indust ry st art ed t o develop wireless LAN t echnologies wit h significant ly im proved securit y. The first st ep along t his road was t o bolst er WEP by refreshing t he keys dynam ically. Rat her t han a single st at ic WEP key for all fram es on t he net work shared by all st at ions, dynam ic WEP solut ions use a set of different keys. All st at ions in a net work share a key t o encrypt broadcast fram es, and each st at ion has it s own m apping key for unicast fram es. [ * ] [*]

With appropriate key distribution protocols in place, you can even have multiple groups share the same infrastructure. Each station has its own mapping key for unicast frames, but there may be multiple independent broadcast groups, each with its own default key for group frames.

WEP did not specify a key m anagem ent fram ework. Keys are generat ed and dist ribut ed t hrough a syst em t hat is not writ t en down in 802.11. The first , and easiest key m anagem ent " fram ework" t o be im plem ent ed was m anual. Net work adm inist rat ors needed t o com e up wit h a st ring of bit s used as a key, and t hen dist ribut e t hat key t o all st at ions part icipat ing in an 802.11 service set secured by WEP. To set a key, adm inist rat ors needed t o t ouch a m achine t o configure a new key.

Layered Security Protocols When t he first edit ion of t his book was writ t en, WEP was right ly viewed as an insecure securit y syst em . Classic old- school m anually- dist ribut ed st at ic- key WEP is fundam ent ally broken. When it becam e clear t hat t he relat ively m inim al prot ect ion provided by WEP was insufficient for m ost net work environm ent s, a t ask group form ed t o develop enhancem ent s t o t he securit y of t he MAC. That work was st andardized as 802.11i in June of 2004. During t he gap bet ween t he init ial research t hat exposed WEP's flaws and t he developm ent of m ore secure t echnologies t o bolst er it , net work adm inist rat ors t urned t o proven securit y prot ocols at higher layers in t he st ack, such as I Psec ( layer 3) , SSL ( layer 4) , and SSH ( layer 7) . Wit h st at ic WEP offering only m inim al securit y, t he addit ional encrypt ion st rengt h provided by higher- layer t echnology was well wort h it . Wit h t he developm ent of st ronger link layer t echnologies, layered securit y prot ocols are no longer t he m agic bullet t hey once appeared t o be. I Psec requires client soft ware t o be inst alled and configured. SSL- based VPNs are m uch sim pler t o set up, t hough t hey oft en have short com ings when securing applicat ions t hat are not web- based. SSH is wellunderst ood and can creat e arbit rary TCP t unnels, but it oft en requires significant m odificat ions t o user procedures. ( Chances are t hat if you are reading t his book, SSH is second nat ure; however, it is probably not som et hing you want your users t rying t o figure out .) Wit h t he developm ent of t he im proved link layer securit y t echnologies discussed in t his chapt er and t he next t wo, it is finally possible t o build secure net works at t he link layer. One increasingly com m on approach t o building secure wireless net works is t o consider what t hese new t echnologies can do, and t hen det erm ine whet her addit ional prot ect ion

at higher layer prot ocols is required. Balancing t he t rade- offs is t he subj ect of Chapt er 22 , in t he deploym ent sect ion of t he book.

Dynam ic WEP uses an im proved key m anagem ent fram ework. Rat her t han depend on t he adm inist rat or for so m uch m anual work, dynam ic WEP uses st rong crypt ographic prot ocols t o generat e keys and t hen dist ribut e t hem , in encrypt ed form , over unt rust ed net works. WEP key generat ion t ypically depends on t he use of a crypt ographic aut hent icat ion prot ocol, which is discussed in t he next chapt er. Dynam ic WEP handles fram es in an ident ical fashion t o st at ic WEP. The only difference is t hat t here is a m uch im proved m echanism t o generat e and dist ribut e keys on a periodic basis. The aut om at ic key m anagem ent of dynam ic WEP achieves m uch great er securit y t han st at ic WEP because it dram at ically short ens t he lifet im e of a key. Any at t acks against t he key m ust t ake place wit hin a single key lifet im e. Fram e init ializat ion vect ors can be re- used aft er a key refresh because t hey correspond t o t wo different WEP seeds. Key recovery at t acks using Fluhrer/ Mant in/ Sham ir m ust occur wit hin a single key lifet im e as well, for obvious reasons. Dynam ic WEP is by no m eans perfect , but it is a subst ant ial im provem ent over st at ic WEP. I t is widely support ed by alm ost every card and driver.

Chapter 6. User Authentication with 802.1X What is your nam e? What is your quest ? What is your favorit e color? The Bridgekeeper Mont y Pyt hon and t he Holy Grail Securit y is a com m on t hread linking m any of t he wireless LAN st ories in t he news t hroughout t he past several years, and polls repeat edly show t hat net work m anagers consider securit y t o be a significant obst acle t o wider deploym ent of wireless LANs. Many of t he securit y problem s t hat have prevent ed st ronger accept ance of 802.11 are caused by flaws in t he design of st at ic WEP. Manual WEP at t em pt s t o be t oo m any solut ions t o m ult iple problem s. I t was int ended t o be used bot h for aut hent icat ion, by rest rict ing access t o t hose in possession of a key, and confident ialit y, by encrypt ing dat a as it t raversed wireless links. I n t he final analysis, it does neit her part icularly well. Bot h aut hent icat ion and confident ialit y are im port ant issues for wireless LANs, and t he subj ect of a great deal of t echnology developm ent since t he first edit ion of t his book. This chapt er t akes on t he problem of aut hent icat ion, which is provided at t he link layer t hrough t he use of 802.1X. [ * ] 802.1X has m at ured a great deal since t he first edit ion of t his book, and is increasingly t he aut hent icat ion prot ocol of choice on wireless LANs. [ ] St at ic WEP aut hent icat es m achines in possession of a crypt ographic key. 802.1X allows net work adm inist rat ors t o aut hent icat e users rat her t han m achines, and can be used t o ensure t hat users connect t o legit im at e, aut horized net works rat her t han credent ial- st ealing im post or net works. [*]

802.1X is written with a capital X. In the IEEE nomenclature, lowercase letters ("802.11a" and "802.11b") are reserved for addon specifications that revise an existing standard. Uppercase letters are used for standalone specifications. As a full, standalone protocol specification in its own right, 802.1X gets a capital letter. [

] One of my personal yardsticks for the maturity of a specification is the existence of an open source implementation. Open source software frequently serves a valuable role by keeping proprietary implementations honest, and providing a low-cost reality check for users. In the 802.1X world, the xsupplicant and wpa_supplicant projects have taken on this role.

I dent ifying users inst ead of m achines can lead t o m ore effect ive net work archit ect ure. Rat her t han grouping users by funct ion and applying securit y cont rols t o t he physical port s in a physical locat ion, t he ident it y of t he user and any access right s can be int egrat ed int o t he net work swit ch fabric, and follow users around t he net work. Wireless LANs are oft en t he first use of ident it y- based policy enforcem ent . I t is not uncom m on for com panies t o use t he capabilit y on wireless net works, and t hen find it so useful t hat it is lat er int egrat ed int o t he wired net work. No m at t er where or how users at t ach t o t he net work, policy follows t hem around. One of t he com plexit ies in dealing wit h 802.1X is t hat it is a fram ework. I t is an I EEE adapt at ion of t he I ETF's Ext ensible Aut hent icat ion Prot ocol ( EAP) , originally specified in RFC 2284 and updat ed by RFC 3748. EAP is a fram ework prot ocol. Rat her t han specifying how t o aut hent icat e users, EAP allows prot ocol designers t o build t heir own EAP m et hods, subprot ocols t hat perform t he aut hent icat ion t ransact ion. EAP m et hods can have different goals, and t herefore, oft en use m any different m et hods for aut hent icat ing users depending on t he requirem ent s of a part icular sit uat ion. Before a det ailed

discussion of how t he different m et hods work, t hough, a det ailed underst anding of how EAP works is necessary.

The Extensible Authentication Protocol 802.1X is based on EAP. Recent work in wireless net working required an updat e t o t he st andard, which is now found in RFC 3748. Back in t he early 1990s, when PPP was first int roduced, t here were t wo prot ocols available t o aut hent icat e users, each of which required t he use of a PPP prot ocol num ber. Aut hent icat ion is not a " one size fit s all" problem , and it was an act ive area of research at t he t im e. Rat her t han burn up PPP prot ocol num bers for aut hent icat ion prot ocols t hat m ight becom e obsolet e, t he I ETF st andardized EAP. EAP used a single PPP prot ocol num ber while support ing a wide variet y of aut hent icat ion m echanism s. EAP is a sim ple encapsulat ion t hat can run over any link layer, but it has been m ost widely deployed on PPP links. Figure 6- 1 shows t he basic EAP archit ect ure, which is designed t o run over any link layer and use any num ber of aut hent icat ion m et hods.

Figu r e 6 - 1 . EAP a r ch it e ct u r e

EAP Packet Format Figure 6- 2 shows t he form at of an EAP packet . When used on PPP links, EAP is carried in PPP fram es wit h a prot ocol num ber of 0xC227. There is no st rict requirem ent t hat EAP run on PPP; t he packet shown in Figure 6- 2 can be carried in any t ype of fram e. The fields in an EAP packet are:

Code The Code field, t he first field in t he packet , is one byt e long and ident ifies t he t ype of EAP packet . I t is used t o int erpret t he Dat a field of t he packet .

I dent ifier The I dent ifier field is one byt e long. I t cont ains an unsigned int eger used t o m at ch request s wit h responses t o t hem . Ret ransm issions reuse t he sam e ident ifier num bers, but new t ransm issions use new ident ifier num bers.

Lengt h The Lengt h field is t wo byt es long. I t is t he num ber of byt es in t he ent ire packet , which includes t he Code, I dent ifier, Lengt h, and Dat a fields. On som e link layer prot ocols, padding m ay be required. EAP assum es t hat any dat a in excess of t he Lengt h field is link- layer padding and can be ignored.

Dat a The last field is t he variable- lengt h Dat a field. Depending on t he t ype of packet , t he Dat a field m ay be zero byt es long. I nt erpret at ion of t he Dat a field is based on t he value of t he Code field.

Figu r e 6 - 2 . EAP pa ck e t for m a t

EAP Requests and Responses EAP exchanges are com posed of request s and responses. The aut hent icat or sends request s t o t he syst em seeking access, and based on t he responses, access m ay be grant ed or denied. Client syst em s only send response packet s when t here is an out st anding request t o send. There is no such t hing as an unsolicit ed packet from t he syst em seeking aut hent icat ion. The form at of request and response packet s is shown in Figure 6- 3 .

Figu r e 6 - 3 . EAP Re qu e st a n d EAP Re spon se pa ck e t s

The Code field is set t o 1 for request s and 2 for responses. The I dent ifier and Lengt h fields are used

as described in t he previous sect ion on t he generic form at . The Dat a field carries t he dat a used in request s and responses. Each Dat a field carries one t ype of dat a, broken down int o a t ype ident ifier code and t he associat ed dat a:

Type The Type field is a one- byt e field t hat indicat es t he t ype of request or response. Only one t ype is used in each packet . Wit h one except ion, t he Type field of t he response m at ches t he corresponding request . That except ion is t hat when a request is unaccept able, t he peer m ay send a NAK t o suggest an alt ernat ive t ype. Types great er t han or equal t o 4 indicat e aut hent icat ion m et hods.

Type- Dat a The Type- Dat a field is a variable field t hat m ust be int erpret ed according t o t he rules for each t ype, as described in t he following sect ions.

Type code 1: Identity The aut hent icat or generally uses t he I dent it y t ype as t he init ial request , which is oft en writ t en as EAP- Request / I dent it y , or sim ply Request / I dent it y t o indicat e t hat t he aut hent icat or is at t em pt ing t o est ablish som e sort of usernam e t o aut hent icat e. Frequent ly, t he EAP I dent it y is t he user ident ifier, possibly wit h rout ing inform at ion. Som e t echnologies work by subm it t ing an EAP I dent it y t hat m ay correspond t o t he m achine. I n t he init ial Request / I dent it y packet , if any inform at ion is present in t he Type- Dat a field, it is used t o prom pt t he user, t hough t his is relat ively uncom m on. I f t he Type- Dat a field is present and cont ains a prom pt st ring, it s lengt h is inferred from t he lengt h of t he EAP packet , rat her t han having a separat e delim it er. Many EAP im plem ent at ions are capable of prom pt ing t he ( hum an) user for input t o det erm ine t he user ident it y, t hough it is not required. For great er usabilit y, m ost EAP im plem ent at ions also allow t he ident it y t o be st at ically configured. Once t he user nam e has been det erm ined, t he EAP client will respond wit h a Response/ I dent it y packet . I n Response/ I dent it y packet s, t he Type- Dat a field cont ains t he usernam e. I t m ay be a " bare" usernam e, such as m gast, or it m ay be qualified wit h an I nt ernet st yle dom ain ( m gast @dom ain.com ) , or a Windows- st yle dom ain nam e ( DOMAI N\ m gast ) . Som e EAP im plem ent at ions m ay at t em pt t o look up t he user ident it y in a Response even before issuing t he aut hent icat ion challenge. I f t he user does not exist , t he aut hent icat ion can fail wit hout furt her processing. Most im plem ent at ions aut om at ically reissue t he ident it y request t o give t he user an opport unit y t o correct t ypos.

Type code 2: Notification The aut hent icat or can use t he Not ificat ion t ype t o send a m essage t o t he user. The user's syst em can t hen display t he m essage in t he Request / Not ificat ion for t he user's benefit . Not ificat ion m essages are used t o provide m essages t o t he user from t he aut hent icat ion syst em , such as a password about t o expire, or t he reason for an account lockout . Not ificat ion m essages are not com m only used wit h 802.1X; only a few vendors im plem ent t hem . Responses m ust be sent in reply t o Not ificat ion

request s. However, Response/ Not ificat ion packet s serve as sim ple acknowledgm ent s, and t he TypeDat a field has a zero lengt h.

Type code 3: NAK Null acknowledgm ent s ( NAKs) are used t o suggest a new aut hent icat ion m et hod. The aut hent icat or issues a challenge, encoded by a t ype code. Aut hent icat ion t ypes are num bered 4 and above. I f t he end user syst em does not support t he aut hent icat ion t ype of t he challenge, it can issue a NAK. The Type- Dat a field of a NAK m essage includes a single byt e corresponding t o t he suggest ed aut hent icat ion t ype. Most 802.1X im plem ent at ions do not act ively negot iat e, and will sim ply log an error m essage if t he client at t em pt s t o use an unsupport ed t ype.

EAP Authentication Methods I n addit ion t o flow- cont rol m essages and negot iat ion m essages, EAP assigns t ype codes t o aut hent icat ion m et hods. EAP delegat es t he work of proving a user ident it y t o a subsidary prot ocol, t he EAP m et hod, which is a set of rules for aut hent icat ing a user. The advant age of using t he m et hod const ruct ion is t hat it frees EAP from any part icular set of assum pt ions about what is necessary t o aut hent icat e a user. When requirem ent s change, as t hey did wit h t he popularit y of wireless net works, new EAP m et hods can be developed t o m eet t he challenge. Table 6- 1 list s several EAP m et hods wit h t heir t ype codes. A m ore det ailed descript ion of t he EAP m et hods com m only used on wireless LANs will follow lat er in t his chapt er.

Ta ble 6 - 1 . Com m on EAP m e t h ods for 8 0 2 .1 X a u t h e n t ica t ion Type code

Au t h e n t ica t ion pr ot ocol

D e scr ipt ion

4

MD5 Challenge

CHAP- like aut hent icat ion in EAP

6

GTC

Originally int ended for use wit h t oken cards such as RSA SecurI D

13

EAP- TLS

Mut ual aut hent icat ion wit h digit al cert ificat es

21

TTLS

Tunneled TLS; prot ect s weaker aut hent icat ion m et hods wit h TLS encrypt ion

25

PEAP

Prot ect ed EAP; prot ect s weaker EAP m et hods wit h TLS encrypt ion

18

EAP- SI M

Aut hent icat ion by m obile phone Subscriber I dent it y Module ( SI M)

29

MS- CHAP- V2

Microsoft encrypt ed password aut hent icat ion; com pat ible wit h Windows dom ains

EAP Success and Failure

At t he conclusion of an EAP exchange, t he user has eit her aut hent icat ed successfully or has failed t o aut hent icat e ( Figure 6- 4 ) . Once t he aut hent icat or det erm ines t hat t he exchange is com plet e, it can issue an EAP- Success ( code 3) or EAP- Failure ( code 4) fram e t o end t he EAP exchange. I m plem ent at ions are allowed t o send m ult iple request s before failing t he aut hent icat ion t o allow a user t o get t he correct aut hent icat ion dat a.

Figu r e 6 - 4 . EAP Su cce ss a n d Fa ilu r e fr a m e s

Success and Failure fram es are not aut hent icat ed in any way. I n t he dial- up world, t he t elephone net work provides a m odicum of securit y t hat t he sender is at t he ot her end of t he circuit . I n wireless LANs, t he lack of aut hent icat ion on Success and Failure fram es m ay require ext ra prot ocol design.

A Sample EAP Exchange A sam ple EAP exchange is shown in Figure 6- 5 . I t is not a " real" exchange t hat would be seen on a wireless net work because it uses prot ocols t hat are not in wide deploym ent . I t is int ended only t o give you a basic idea of how t he prot ocol is supposed t o work. The EAP exchange is a series of st eps beginning wit h a request for ident it y and ending wit h a success or failure m essage. As a m at t er of not at ion, packet s t ransm it t ed as part of an EAP m et hod exchange are writ t en Request / Met hod when t hey com e from t he aut hent icat or, and Response/ Met hod when t hey are sent in response.

1 . The aut hent icat or issues a Request / I dent it y packet t o ident ify t he user. Request / I dent it y packet s serve t wo purposes. I n addit ion t o st art ing t he exchange, t hey also serve not ice t o t he client t hat t he net work is likely t o drop any dat a t raffic before aut hent icat ion com plet es. 2 . The end user syst em prom pt s for input , collect s t he user ident ifier, and sends t he user ident ifier in a Response/ I dent it y m essage. 3 . Wit h t he user ident ified, t he aut hent icat or can issue aut hent icat ion challenges. I n st ep 3 in t he figure, t he aut hent icat or issues an MD- 5 Challenge t o t he user wit h a Request / MD- 5 Challenge packet . 4 . The user syst em is configured t o use a t oken card for aut hent icat ion, so it replies wit h a Response/ NAK, suggest ing t he use of Generic Token Card aut hent icat ion. 5 . The aut hent icat or issues a Request / Generic Token Card challenge, prom pt ing for t he num erical sequence on t he card. 6 . The user t ypes a response, which is passed along in a Response/ Generic Token Card. 7 . I f t he user response is not correct , aut hent icat ion is not possible. However, t he aut hent icat or EAP im plem ent at ion allows for m ult iple aut hent icat ion Request s, so a second Request / Generic

Token Card is issued. 8 . Once again, t he user t ypes a response, which is passed along in a Response/ Generic Token Card. 9 . On t he second t ry, t he response is correct , so t he aut hent icat or issues a Success m essage.

Figu r e 6 - 5 . Sa m ple EAP e x ch a n ge

EAP Methods The E in EAP is bot h it s great est st rengt h and great est weakness. Ext ensibilit y allows a prot ocol t o develop new feat ures as new requirem ent s present t hem selves. EAP has gone from a way t o preserve PPP prot ocol num bers int o t he cornerst one of wireless LAN securit y because of it s ext ensibilit y. Correct ly deploying EAP can be difficult , however, since t here can be a great num ber of quest ions t o sort t hrough t o select t he right prot ocol opt ions. The key t o EAP's flexibilit y is it s st at us as a fram ework. New m et hods can be designed as new requirem ent s arise, which enable t he developm ent of new m et hods for use in wireless LANs. The t opic of wireless LAN securit y prot ocols is a broad one, and t his chapt er draws t he line at t he det ailed m echanics of how t he prot ocols work on a bit - by- bit basis. A great deal of com plexit y will be described qualit at ively, wit hout t he use of det ailed packet diagram s.

Cryptographic Methods Select ing an EAP m et hod is usually driven by t he t ype of back- end aut hent icat ion syst em in use. Early EAP m et hods focused m ainly on providing a channel t o com m unicat e wit h t he aut hent icat ion server. Newer m et hods designed for wireless net works enable com m unicat ion wit h t he aut hent icat ion server, but also m eet t hree m aj or goals t hat are unique t o wireless LANs:

St rong crypt ographic prot ect ion of user credent ials By definit ion, wireless LAN m edia should be regarded as open. Any dat a sent over a wireless net work m ust be prot ect ed if it is t o rem ain secure. Most EAP m et hods designed for wireless LANs use TLS t o provide crypt ographic prot ect ion of credent ials.

Mut ual aut hent icat ion Early wireless LAN prot ocol design considered aut hent icat ion t o be som et hing t hat users perform ed when required by APs. Falling AP prices have enabled at t ackers t o deploy " rogue" APs t o st eal user credent ials. Com m on sense dict at es in addit ion t o user aut hent icat ion, client devices m ust be able t o validat e t hat t hey are connect ing t o a net work t hat is what it appears t o be.

Key derivat ion WEP wit h m anually- defined keys provides very lit t le prot ect ion of fram es on t he radio link. St ronger securit y prot ocols need t o use dynam ic keys t hat are derived from an ent ropy pool. One of t he side effect s of providing st rong crypt ographic prot ect ion is t hat such prot ocols also generat e a shared st ream of crypt ographically secure bit s t hat can be used t o dist ribut e keys t o link- layer securit y prot ocols.

LEAP The first widely- used m et hod for aut hent icat ing wireless net works was Cisco's propriet ary Light weight EAP ( LEAP) . [ * ] LEAP was a huge st ep forward from m anual- key WEP, t hough it leaves a great deal t o be desired. I n essence, LEAP is t wo MS- CHAP version 1 exchanges. One aut hent icat es t he net work t o t he user, and t he second aut hent icat es t he user t o t he net work. Dynam ic keys are derived from t he MS- CHAP exchanges. [*]

Some standards may refer to LEAP as "EAP-CiscoWireless."

Many of t he worst securit y problem s st em from t he use of MS- CHAP version 1, which has num erous securit y problem s, and is subj ect t o dict ionary at t acks. Code t o exploit LEAP's weaknesses is now widely available. LEAP was an int erim solut ion t hat had significant securit y benefit s when com pared t o m anually keyed WEP, but t he use of t he ant iquat ed MS- CHAP at it s core lim it ed it s useful life. Once ot her prot ocols becam e available, LEAP's purpose was ext inguished. Cisco now recom m ends using PEAP or EAPFAST.

Code 13: EAP-TLS Transport Layer Securit y ( TLS) was designed for use on links subj ect t o eavesdropping. TLS is t he st andards- based successor t o t he Secure Socket Layer ( SSL) , t he prot ocol t hat enabled secure web t ransact ions. I n m any respect s, t he use case for wireless LANs is sim ilar t o t he I nt ernet . Dat a m ust be t ransm it t ed over a t ot ally unt rust ed net work wit h all m anner of at t ackers. Est ablishing a t rust ed com m unicat ion channel over an unt rust ed net work is t he purpose of TLS. TLS provides m ut ual aut hent icat ion t hrough cert ificat e exchange. The user is required t o subm it a digit al cert ificat e t o t he aut hent icat ion server for validat ion, but t he aut hent icat ion server m ust also supply a cert ificat e. By validat ing t he server cert ificat e against a list of t rust ed cert ificat e aut horit ies, t he client can be assured t hat it is connect ing t o an net work aut horized by t he cert ificat e aut horit y. EAP- TLS was t he first aut hent icat ion m et hod t o m eet all t hree goals for wireless net works. Cert ificat es provide st rong aut hent icat ion of bot h t he users t o t he net work, and t he net work t o users. Mut ual aut hent icat ion provides a st rong guard against so- called " rogue" access point s by enabling client s t o det erm ine t hat an AP has been configured by t he right depart m ent , rat her t han an at t acker who is int ent only on st ealing passwords. TLS also est ablishes a m ast er secret t hat can be used t o derive keys for link layer securit y prot ocols. Though secure, EAP- TLS has seen only lim it ed use. Any pot ent ial user of t he wireless net work m ust possess a digit al cert ificat e. Generat ing and dist ribut ing cert ificat es while following processes t o verify t rust is a m aj or challenge. Organizat ions t hat already had a public key infrast ruct ure were able t o use EAP- TLS easily; m any organizat ions have shied away from building a PKI , and use an alt ernat ive m et hod.

Code 21: EAP-TTLS and Code 25: EAP-PEAP Pract ically speaking, t he requirem ent for PKI was a m aj or bar t o t he use of st rong aut hent icat ion on wireless LANs. PKI s are a significant undert aking in bot h t echnology and process. Most organizat ions found it desirable t o re- use exist ing aut hent icat ion syst em s, such as a Windows dom ain or Act ive

Direct ory, LDAP direct ory, or Kerberos realm . Re- using exist ing account s is m uch easier t han creat ing a parallel aut hent icat ion syst em . The t wo EAP m et hods int ended t o enable t he use of so- called " legacy aut hent icat ion m et hods" are Tunneled TLS ( TTLS) and Prot ect ed EAP ( PEAP) . Bot h TTLS and PEAP work in a sim ilar fashion. I n t he first st ep of t he prot ocol, t hey est ablish a TLS t unnel using rout ines sim ilar t o EAP- TLS. Digit al cert ificat es on t he aut hent icat ion server are used t o validat e t hat t he net work should be t rust ed before proceeding t o t he second st ep. I n t he second st ep, t he TLS t unnel is used t o encrypt an older aut hent icat ion prot ocol t hat aut hent icat es t he user t o t he net work. The first st ep is som et im es referred t o as t he " out er" aut hent icat ion, since it is a t unnel t hat prot ect s t he second or " inner" aut hent icat ion. Cert ificat es are st ill required, but only for t he out er aut hent icat ion. Reducing t he num ber of cert ificat es from hundreds or t housands down t o a handful for aut hent icat ion servers has m ade bot h TTLS and PEAP m uch m ore popular t han EAP- TLS. Wit hin an organizat ion, t he sm all num ber of cert ificat es can be generat ed by a sm all cert ificat e aut horit y, rat her t han relying on expensive cert ificat es signed by an ext ernal cert ificat e aut horit y. The slight difference bet ween TTLS and PEAP is in t he way t he inner aut hent icat ion is handled. TTLS uses t he encrypt ed channel t o exchange at t ribut e- value pairs ( AVPs) , while PEAP uses t he encrypt ed channel t o st art a second EAP exchange inside of t he t unnel. The use of AVPs m akes TTLS m uch m ore flexible because AVPs can be used t o run aut hent icat ion m et hods t hat do not have corresponding EAP m et hods. One m inor advant age t o t he use of TTLS and PEAP is t hat t he inner and out er aut hent icat ions can use dist inct usernam es. Rat her t han revealing t he usernam e in unencrypt ed fram es, bot h prot ocols can subm it an anonym ous usernam e for t he out er aut hent icat ion, and only reveal t he user's t rue ident it y t hrough t he encrypt ed channel. Not all client soft ware support s t he use of ident it y hiding.

Noncryptographic EAP Methods Several EAP m et hods are not suit able for use direct ly on wireless net works wit hout st rong crypt ographic prot ect ion. However, t hey m ay be useful as inner aut hent icat ion m et hods wit h PEAP or TTLS.

Code 4: MD-5 Challenge The MD- 5 Challenge is used t o im plem ent t he EAP analog of t he CHAP prot ocol, specified in RFC 1994. Request s cont ain a challenge t o t he end user. For successful aut hent icat ion, CHAP requires t hat t he challenge be successfully encoded wit h a shared secret . All EAP im plem ent at ions m ust support t he MD- 5 Challenge. I t is not , however, widely support ed on wireless net works because it does not provide dynam ic keys on wireless net works.

Code 6: Generic Token Card Token cards such as RSA's SecurI D and Secure Com put ing's Safeword are popular wit h m any inst it ut ions because t hey offer t he securit y of " random " one- t im e passwords wit hout t he hassle of a one- t im e password ( OTP) rollout . The Request cont ains t he Generic Token Card inform at ion necessary for aut hent icat ion. The Type- Dat a field of t he request m ust be great er t han zero byt es in lengt h. I n t he Response, t he Type- Dat a field is used t o carry t he inform at ion copied from t he t oken card by t he user. I n bot h Request and Response packet s, t he Lengt h field of t he EAP packet is used

t o com put e t he lengt h of t he Type- Dat a request . EAP- GTC was st andardized along wit h EAP in RFC 2284. I t allows t he exchange of cleart ext aut hent icat ion credent ials across t he net work. I n addit ion t o use wit h t oken cards, EAP- GTC is oft en used in pract ice as an EAP m et hod for " usernam e+ password" aut hent icat ion. I f t he exist ing user account s are in a dat abase t hat has one- way encrypt ed passwords ( or com pare- only passwords) , EAP- GTC provides an EAP m et hod t hat can validat e users. Nat urally, if EAP- GTC is used t o t ransport reusable passwords, it m ust be used inside a t unnel for prot ect ion and server aut hent icat ion.

Code 29: EAP-MSCHAP-V2 Microsoft CHAP version 2 ( MS- CHAP- V2) was init ially int roduced wit h Windows 2000 and is docum ent ed in RFC 2759. I t was designed t o address t he short com ings of MS- CHAP by elim inat ing t he weak encoding of passwords for older client s, providing m ut ual aut hent icat ion, and im proving keying and key generat ion. MS- CHAP- V2 is widely support ed by Microsoft client s, and is com m only support ed and used as an inner aut hent icat ion m et hod wit h PEAP. MS- CHAP- V2 is t he m ost com m on inner m et hod used wit h Windows dom ains. When used as an EAP m et hod, EAP- MSCHAP- V2 can be used wit h eit her TTLS or PEAP.

Code 18: EAP-SIM and Code 23: EAP-AKA Two not able EAP m et hods working t hrough t he st andards process are EAP- SI M and EAP- AKA, which can be used for aut hent icat ion against m obile t elephone dat abases. EAP- SI M provides an int erface t o t he Subscriber I dent it y Module ( SI M) dat abase on GSM t elephone net works. EAP- AKA is based on t he aut hent icat ion syst em in t hird- generat ion m obile t elephone net works, called Aut hent icat ion and Key Agreem ent ( AKA) . EAP- SI M and EAP- AKA are useful for t elecom m unicat ions com panies t hat are int erest ed in providing int egrat ed billing wit h m obile t elephone account s. Rat her t han require t hat users generat e new passwords t o aut hent icat e t o dat a net works, t hey can use an exist ing sm art chip and user account .

Other Inner Authentication Methods TTLS is not rest rict ed t o using an EAP m et hod for inner aut hent icat ion. As a result , som e older m et hods m ay be used wit h TTLS. For som e net works, t he user dat abase is st ored in such a way t hat t here is no EAP m et hod t hat provides a usable int erface.

Password Authentication Protocol (PAP) PAP was originally specified for use wit h PPP in RFC 1334. PAP t ransm it s t he usernam e and password across t he net work unencrypt ed. When used wit h wireless net works, PAP should not be used direct ly, but only as an inner m et hod inside of TTLS t o ensure t hat t he password is not revealed. PAP can be used wit h any t ype of aut hent icat ion syst em . Net work logons can be validat ed against a net work operat ing syst em s. Token card servers can validat e cleart ext t oken codes. PAP is also useful for one- way encrypt ed passwords t hat can be com pared, but not read. One- way encrypt ed passwords are used in Unix / et c/ passwd files, as well as m ost LDAP direct ories. Kerberos syst em s

also st ore passwords wit h one- way encrypt ion.

Challenge Handshake Authentication Protocol (CHAP) Like PAP, CHAP was originally designed for use wit h PPP, and is specified in RFC 1994. I n CHAP, t he aut hent icat ion server challenges t he client , and t he client proves t hat it is in possession of t he shared secret by successfully responding t o t he challenge. CHAP was originally designed t o avoid sending secret s, such as passwords, in t he clear. The downside of CHAP is t hat it requires t he password in cleart ext at bot h ends of t he link. On t he server end, t he password m ust eit her be st ored in t he clear, or reversibly encrypt ed t o enable server soft ware t o recover t he cleart ext . CHAP is not t ypically used in wireless environm ent s unless a large user dat abase already exist s and is using CHAP.

MS-CHAP, version 1 MS- CHAP was designed by Microsoft t o offer sim ilar funct ionalit y t o CHAP, but wit h enhanced funct ionalit y for Windows syst em s. I t is propriet ary t o Microsoft , but docum ent ed in RFC 2433. Unlike CHAP, MS- CHAP does not require t hat t he shared secret be st ored in cleart ext at bot h ends of t he link. I nst ead of using t he cleart ext password as t he shared secret , MS- CHAP uses t he MD4 hash of t he user password. MS- CHAP is useful in environm ent s where Microsoft aut hent icat ion dat abases are used. However, t here are part icular issues wit h MS- CHAP t hat m ake it undesirable from a securit y point of view; it should only be used by net work m anagers who m ust support very old Microsoft client s, such as Windows 95/ 98. MS- CHAP is not an EAP m et hod, and is only support ed by TTLS.

EAP Method Filtering Som e EAP m et hods are st ronger t han ot hers. I n t he int erest s of " securit y," som e equipm ent vendors filt er EAP m et hods in t he aut hent icat or. EAP- MD5 is oft en select ed as a t arget for EAP t ype filt ering because it is m uch weaker t han TLS- based m et hods. EAP m et hod filt ering is not necessary, and has t he pot ent ial t o get in t he way of good securit y pract ice. Many filt ers only allow TLS- based t unnel m et hods ( t ypes 13, 21, and 25) . I f a new EAP m et hod is defined, m any EAP m et hod filt er im plem ent at ions will block it by default . Allowing configurable EAP m et hod filt ers would be one pot ent ial solut ion, but I do not know of any such im plem ent at ions. I n pract ice, EAP m et hod filt ers are not t hat valuable from a securit y perspect ive. Aut hent icat ion servers can enforce t he use of st rong aut hent icat ion by refusing any request s using weak m et hods. I n any case, t he lack of keying m at erial m ay prevent net work connect ion. I f no keys can be derived from t he aut hent icat ion, m any APs will void t he aut hent icat ion, kick t he client off, and st art over. EAP- MD5 aut hent icat ions will st art , succeed, fail t o key, and be rest art ed when t he AP dissassociat es t he client . Due in part t o t hese problem s, EAP m et hod filt ering is not allowed by t he EAP specificat ion. Sect ion 2.3 of RFC 3748 m andat es t hat aut hent icat ors m ust forward any

EAP m et hods t o t he aut hent icat ion server for processing.

802.1X: Network Port Authentication As LAN accept ance m ushroom ed in t he 1990s, LAN port s popped up everywhere. Som e t ypes of organizat ions, such as universit ies, were furt her ham pered by a need for openness. Net work resources m ust be m ade available t o a user com m unit y, but t hat com m unit y is fluid. St udent s are not like m any net work users. They frequent ly m ove from com put er t o com put er and do not have a fixed net work address; t hey m ay also graduat e, t ransfer, enroll, leave cam pus, work on st aff, or undergo any num ber of changes t hat m ay require changes in access privileges. Alt hough net work access m ust be ext ended t o t his fluid com m unit y, academ ic budget s are frequent ly t ight , so it is im port ant t o prevent unaut horized use by out siders. I n short , a generic net work sign- on was required. Academ ic environm ent s would not be t he sole beneficiaries, however. Aut hent icat ion t o access net work resources is com m on am ong I nt ernet service providers, and corporat ions found t he idea at t ract ive because of t he increasing flexibilit y of st affing plans. Aut hent icat ion t o net work devices at t he link layer is not new. Net work port aut hent icat ion has been required by dial- up access servers for years. Most inst it ut ions already have a wide range of deployed infrast ruct ure t o support user aut hent icat ion, such as RADI US servers and LDAP direct ories. PPP over Et hernet ( PPPoE) could conceivably be used t o require user aut hent icat ion t o access an Et hernet , but it would add an unaccept able level of encapsulat ion overhead and com plexit y. I nst ead, t he I EEE t ook t he PPP aut hent icat ion prot ocols and developed LAN- based versions. The result ing st andard was 802.1X, " Port - Based Net work Access Cont rol."

802.1X Architecture and Nomenclature 802.1X defines t hree com ponent s t o t he aut hent icat ion conversat ion, which are all shown in Figure 6 - 6 ( a) . The supplicant is t he end user m achine t hat seeks access t o net work resources. Net work access is cont rolled by t he aut hent icat or; it serves t he sam e role as t he access server in a t radit ional dial- up net work. Bot h t he supplicant and t he aut hent icat or are referred t o as Port Aut hent icat ion Ent it ies ( PAEs) in t he specificat ion. The aut hent icat or t erm inat es only t he link- layer aut hent icat ion exchange. I t does not m aint ain any user inform at ion. Any incom ing request s are passed t o an aut hent icat ion server, such as a RADI US server, for act ual processing. Port s on an 802.1X- capable device are in an aut horized st at e, in which t he port is enabled, or an unaut horized st at e, in which it is disabled. Even while in t he unaut horized st at e, however, t he specificat ion allows DHCP and ot her init ializat ion t raffic if perm it t ed by a net work m anager. The aut hent icat ion exchange is logically carried out bet ween t he supplicant and t he aut hent icat ion server, wit h t he aut hent icat or act ing only as a bridge. Figure 6- 6 ( b) shows t he logical prot ocol archit ect ure. From t he supplicant t o t he aut hent icat or ( t he " front end" ) , t he prot ocol is EAP over LANs ( EAPOL) , as defined by 802.1X. On t he " back end," EAP is carried in RADI US packet s. Som e docum ent at ion m ay refer t o it as " EAP over RADI US." The supplicant is carrying on an EAP exchange wit h a RADI US server, even t hough t he port is unaut horized and t he supplicant is not using an I P address. Figure 6- 6 can be read as t wo different scenarios. I n t he ent erprise scenario, t he supplicant is a corporat e host on t he edge of t he ent erprise net work, and t he RADI US server is locat ed in t he

ent erprise core. The figure also depict s an I SP using 802.1X t o aut hent icat e users, in which case t he left hand side of t he figure is an I SP access area, and t he right hand side is t he I SP backbone.

Figu r e 6 - 6 . 8 0 2 .1 X a r ch it e ct u r e

One of t he advant ages of using RADI US is t hat it has a great deal of support for m any different user dat abases. I n addit ion t o local dat abases, a RADI US server can be used as a gat eway t o LDAP direct ories, Unix aut hent icat ion such as NI S or PAM, Kerberos realm s, Microsoft Windows user account s, or even ot her RADI US servers. RADI US is quit e flexible, and can be designed t o accom m odat e a wide range of user dat abases, and can even serve t o int egrat e several disparat e user dat abases int o a unified form . There are som e rest rict ions when using RADI US t o provide aut hent icat ion based on Windows dom ains or Act ive Direct ory t hat will be discussed in Chapt er 22. 802.1X is a fram ework, not a com plet e specificat ion in and of it self. The act ual aut hent icat ion m echanism is im plem ent ed by t he aut hent icat ion server. 802.1X supplies a m echanism for issuing challenges and confirm ing or denying access, but it does not pass j udgm ent on t he offered credent ials. Changes t o t he aut hent icat ion m et hod do not require com plex changes t o t he end user devices or t he net work infrast ruct ure. The aut hent icat ion server can be reconfigured t o " plug in" a new aut hent icat ion service wit hout changes t o t he end user driver soft ware or swit ch firm ware.

802.1X frame filtering 802.1X prevent s net work access by unaut horized users by requiring aut hent icat ion before allowing t raffic t o pass. Port s in t he unaut horized st at e are usually rest rict ed t o sending aut hent icat ion fram es only, while t raffic is dropped. The 802.1X st andard has a form al discussion of how t o accom plish t his process. For t he purposes of t his book, however, it suffices t o say t hat unaut horized port s will drop

any non- EAPOL fram es. Once t he st at ion has successfully aut hent icat ed, dat a fram es are sent t o t he appropriat e net work.

EAPOL Encapsulation The basic form at of an EAPOL fram e is shown in Figure 6- 7 . EAPOL encapsulat ion is now analyzed by m any popular net work analyzers, including Et hereal. The fram e's com ponent s are:

MAC header Figure 6- 7 shows t he encapsulat ion on bot h wired Et hernet and 802.11. The t wo MAC headers differ, alt hough t he payload of t he 802.1X fram e is ident ical.

Figu r e 6 - 7 . EAPOL fr a m e for m a t

Et hernet Type As wit h any ot her Et hernet fram e, t he Et hernet Type field cont ains t he t wo- byt e t ype code assigned t o EAPOL: 88- 8e.

Version Version 1 was st andardized in t he 2001 version of 802.1X; version 2 was specified in 802.1X2004. This chapt er describes t he 2001 version, which is m uch m ore com m only im plem ent ed.

Packet Type EAPOL is an ext ension of EAP. I n addit ion t o t he EAP m essages t hat are described in t he previous sect ion, EAPOL adds som e m essages t o adapt EAP t o t he port - based LAN environm ent . Table 6- 2 list s t he packet t ypes and t heir descript ions.

Ta ble 6 - 2 . EAPOL m e ssa ge t ype s Pa ck e t t ype

Nam e

D e scr ipt ion

0000 0000

EAP- Packet

Cont ains an encapsulat ed EAP fram e. Most fram es are EAP- Packet fram es.

0000 0001

EAPOL- St art

I nst ead of wait ing for a challenge from t he aut hent icat or, t he supplicant can issue an EAPOL- St art fram e. I n response, t he aut hent icat or sends an EAP- Request / I dent it y fram e.

0000 0010

EAPOL- Logoff

When a syst em is done using t he net work, it can issue an EAPOLLogoff fram e t o ret urn t he port t o an unaut horized st at e.

0000 0011

EAPOL- Key

0000 0100

EAPOLEncapsulat ed- ASFAlert

EAPOL can be used t o exchange crypt ographic keying inform at ion. The Alert ing St andards Forum ( ASF) has defined a way of allowing alert s, such as SNMP t raps, t o be sent t o an unaut horized port using t his fram e t ype.

Packet Body Lengt h This t wo- byt e field is t he lengt h of t he Packet Body field in byt es. I t is set t o 0 when no packet body is present .

Packet Body This variable- lengt h field is present in all EAPOL fram es except t he EAPOL- St art and EAPOLLogoff m essages. I t encapsulat es one EAP packet in EAP- Packet fram es, one key descript or in EAPOL- Key fram es, and one alert in EAPOL- Encapsulat ed- ASF- Alert fram es.

Addressing I n shared- m edia LANs such as Et hernet , supplicant s send EAPOL m essages t o t he group address of 01: 80: C2: 00: 00: 03. On 802.11 net works, port s do not exist as such, and EAPOL can proceed only aft er t he associat ion process has allowed bot h t he supplicant ( m obile wireless st at ion) and t he aut hent icat or ( access point ) t o exchange MAC addresses. I n environm ent s such as 802.11, EAPOL request s use st at ion addresses.

802.1X on Wireless LANs 802.1X provides a fram ework for user aut hent icat ion over any LANs, including wireless. For t he purposes of t his book, t he " port " in 802.1X on wireless is an associat ion bet ween a wireless device and it s access point . The successful exchange of Associat ion Request and Associat ion Response fram es is report ed t o t he 802.1X st at e engine as t he link layer becom ing act ive. Once associat ed, a st at ion can exchange 802.1X fram es in an at t em pt t o becom e aut horized. The com plet ion of t he 802.1X aut hent icat ion exchange, including key dist ribut ion, is report ed t o t he user as t he int erface com ing up.

Sample 802.1X Exchange on 802.11 EAPOL exchanges look alm ost exact ly like EAP exchanges. The m ain difference is t hat supplicant s can issue EAPOL- St art fram es t o t rigger t he EAP exchange, and t hey can use EAPOL- Logoff m essages t o deaut horize t he port when t he st at ion is done using t he net work. The exam ples in t his sect ion assum e t hat a RADI US server is used as t he back- end aut hent icat ion server, and t herefore t hey show t he aut hent icat or perform ing t ranslat ion from EAP on t he front end t o RADI US on t he back end. EAP aut hent icat ion in RADI US packet s is specified in RFC 2869. This exam ple exchange also shows t he use of EAPOL- Key fram es t o dist ribut e key inform at ion for link layer securit y prot ocols. Figure 6- 8 shows a sam ple EAPOL exchange on an 802.11 net work. The figure shows a successful aut hent icat ion, whose st eps are:

1 . The supplicant associat es wit h t he 802.11 net work. Associat ion is a sim ple t wo- fram e exchange which nearly always succeeds. 2 . The supplicant st art s t he 802.1X exchange wit h an EAPOL- St art m essage. This st ep is opt ional. Not all supplicant s send EAPOL- St art m essages, so t his st ep m ay not be present . 3 . The " norm al" EAP exchange begins. The aut hent icat or ( access point ) issues an EAPRequest / I dent it y fram e. Request / I dent it y fram es m ay be sent wit hout first having an EAPOLSt art if t he access point only forwards fram es for aut hent icat ed sessions. Unsolicit ed Request / I dent it y fram es indicat e t o t he supplicant t hat 802.1X aut hent icat ion is required. 4 . The supplicant replies wit h an EAP- Response/ I dent it y fram e, which is passed on t o t he RADI US server as a Radius- Access- Request packet . 5 . The RADI US server det erm ines t he t ype of aut hent icat ion t hat is required, and sends an EAPRequest for t he m et hod t ype. The EAP- Request is encapsulat ed in a Radius- Access- Challenge packet t o t he AP. When it reaches t he AP, t he EAP- Request is passed on t o t he supplicant . EAP Request s are are oft en denot ed EAP- Request / Met hod , where t he Met hod refers t o t he EAP m et hod in use. I f PEAP is in use, t he ret urn packet will be writ t en as EAP- Request / PEAP. 6 . The supplicant gat hers t he reply from t he user and sends an EAP- Response in ret urn. The response is t ranslat ed by t he aut hent icat or int o a Radius- Access- Request wit h t he response t o t he challenge as a dat a field. St eps five and six repeat as m any t im es as is necessary t o com plet e t he aut hent icat ion. I f it is

an EAP m et hod t hat requires cert ificat e exchange, m ult iple st eps are alm ost cert ainly required. Many EAP exchanges can require 10- 20 round t rips bet ween t he client and RADI US server. 7 . The RADI US server grant s access wit h a Radius- Access- Accept packet , so t he aut hent icat or issues an EAP- Success fram e and aut horizes t he port . Aut horizat ion m ay depend on param et ers passed back from t he RADI US server. 8 . I m m ediat ely following receipt of t he Access- Accept packet , t he access point dist ribut es keys t o t he supplicant using EAPOL- Key m essages. Key dist ribut ion is discussed in t he next chapt er. 9 . Once keys are inst alled in t he supplicant , it can begin sending dat a fram es t o access t he net work. I t is quit e com m on at t his point for DHCP configurat ion t o t ake place. 1 0 . When t he supplicant is done accessing t he net work, it sends an EAPOL- Logoff m essage t o put t he port back int o an unaut horized st at e.

Figu r e 6 - 8 . Typica l 8 0 2 .1 X e x ch a n ge on 8 0 2 .1 1

Exchanges sim ilar t o Figure 6- 8 m ay be used at any point . I t is not necessary for t he user t o begin an EAPOL exchange wit h t he EAPOL- St art m essage. At any point , t he aut hent icat or can begin an EAPOL exchange by issuing an EAP- Request / I dent it y fram e t o refresh t he aut hent icat ion dat a. Re-

aut hent icat ions are oft en t riggered by session t im eout values t o refresh keys.

Dynamic keying The EAPOL- Key fram e allows keys t o be sent from t he access point t o t he client and vice versa. Key exchange fram es are sent only if t he aut hent icat ion succeeds; t his prevent s t he com prom ise of key inform at ion. EAPOL- Key fram es can be used periodically t o updat e keys dynam ically as well. Several of t he weaknesses in WEP st em from t he long lifet im e of t he keys. When it is difficult t o rekey every st at ion on t he net work, keys t end t o be used for long periods of t im e. Several expert s have recom m ended changing WEP keys on a regular basis, but no pract ical m echanism t o do so exist ed unt il t he developm ent of 802.1X.

Chapter 7. 802.11i: Robust Security Networks, TKIP, and CCMP 802.1X provides a fram ework for aut hent icat ion and key m anagem ent , which addresses t wo of t he m aj or flaws in t he design of WEP. The m aj or rem aining flaw t o be addressed is t he lack of confident ialit y provided by WEP encrypt ion. Fixing link layer encrypt ion was t aken on by Task Group I of t he 802.11 working group. I n June 2004, t heir work was finally com plet e when t he st andard was rat ified, aft er several delays. 802.11i t akes a t wo- t rack approach t o addressing t he weaknesses in link- layer encrypt ion. I t s m aj or com ponent s are t wo new link- layer encrypt ion prot ocols. The first , t he Tem poral Key I nt egrit y Prot ocol ( TKI P) was designed t o bolst er securit y t o t he great est ext ent possible on pre- 802.11i hardware. The second, Count er Mode wit h CBC- MAC Prot ocol ( CCMP) , is a new encrypt ion prot ocol designed from t he ground up t o offer t he highest level of securit y possible.

The Temporal Key Integrity Protocol (TKIP) The first new link layer encrypt ion prot ocol t o be widely im plem ent ed was t he Tem poral Key I nt egrit y Prot ocol ( TKI P) . [ * ] The m aj or m ot ivat ion for t he developm ent of TKI P was t o upgrade t he securit y of WEP- based hardware. Typically, chipset s capable of WEP offered hardware support for RC4 encrypt ion. Wit h t he heavy lift ing of encrypt ion im plem ent ed in hardware, soft ware and firm ware upgrades m ake t he rest possible. TKI P ret ains t he basic archit ect ure and operat ions of WEP because it was designed t o be a soft ware upgrade t o WEP- based solut ions. [*]

TKIP was initially called "WEP2" as it worked through the standards organizations. When WEP was shown to be fundamentally flawed, the protocol was renamed to try to distinguish it from WEP.

TKIP Differences from WEP TKI P incorporat es several new prot ocol feat ures t o defend WEP's weak point s against at t ack. TKI P ret ains WEP's basic archit ect ure and operat ion, but adds " safet y belt s" around WEP's m ost vulnerable point s:

Key hierarchy and aut om at ic key m anagem ent Rat her t han t ake t he WEP approach of only a single m ast er key t hat is used direct ly, TKI P uses m ast er keys. The keys t hat are ult im at ely used t o encrypt fram es are derived from m ast er keys. TKI P was also developed wit h key m anagem ent operat ions so t hat m ast er keys can be refreshed in a secure m anner.

Per- fram e keying Alt hough TKI P ret ains t he RC4- based fram e encrypt ion of WEP, it derives a unique RC4 key for each fram e ( from t he m ast er key) t o m it igat e at t acks against weak WEP keys. The process by which a unique key is derived for each key is called key m ixing.

Sequence count er By num bering each fram e wit h a sequence num ber, out - of- order fram es can be flagged, m it igat ing against reply at t acks, in which at t ackers capt ure valid t raffic and re- t ransm it it at a lat er t im e.

New m essage int egrit y check ( MI C) TKI P replaces WEP's linear hash wit h a m ore robust crypt ographic int egrit y check hashing algorit hm called Michael. More robust hashing m akes it easier t o det ect fram e forgeries.

Addit ionally, t he source address is am ong t he it em s prot ect ed by t he int egrit y check, which m akes it possible t o det ect forged fram es t hat claim t o be from a part icular source.

Count erm easures on m essage int egrit y check failures TKI P was designed t o be im plem ent ed on exist ing hardware, and suffers from a num ber of lim it at ions. Michael can be com prom ised in an act ive at t ack wit h relat ive ease, so TKI P includes count erm easures t o lim it t he dam age from an act ive at t ack. TKI P is also com m only used in t andem wit h key m anagem ent prot ocols based on 802.1X, which enables t he TKI P m ast er keys t o be derived from aut hent icat ion t ransact ions.

TKIP initialization vector use and key mixing WEP's const ruct ion of WEP seeds from t he init ializat ion vect or ( I V) and t he WEP key int roduces m aj or weaknesses. By sim ply concat enat ing t he I V and t he key t o build t he seed, t he I V it self reveals a significant am ount of key st ruct ure. At t ackers can not ice t hat I V re- use, and not e t hat t herefore, t he key st ream used t o encrypt t he fram e is ident ical. Wit h a 24- bit I V, t he I V space last s for 16 m illion fram es. On a busy net work, 16 m illion fram es is not very m any. To m ake m at t ers worse, t he I V space is specific t o t he scope of t he key in use. On a net work t hat uses st at ic WEP, t he I V space is shared by all st at ions on t he net work. Finally, and m ost fam ously, t he I V is t he init ial 24 bit s of t he key, and m akes WEP keys vulnerable t o recovery wit h t he Fluher/ Mant in/ Sham ir at t ack discussed in Chapt er 5. To m it igat e t he at t acks against init ializat ion vect ors, TKI P doubles t he lengt h of t he I V from 24 t o 48 bit s. This increases t he size of t he init ializat ion vect or space from 16 m illion t o 281 t rillion, which effect ively prevent s exhaust ing t he I V space during t he lim it ed lifet im e of a key. TKI P also perform s key m ixing t o count er at t acks against WEP. Key m ixing changes t he RC4 key used t o encrypt each fram e. Every fram e in TKI P is encrypt ed wit h an RC4 key unique t o t hat fram e. Key m ixing, which will be discussed in m ore det ail lat er, furt her ext ends t he init ializat ion vect or space. By incorporat ing t he sender's MAC address int o t he m ixing calculat ion, t wo st at ions can use t he sam e init ializat ion vect or, yet st ill derive different RC4 keys t o encrypt fram es. Key m ixing also helps t o count er t he Fluhrer/ Mant in/ Sham ir at t ack. Successful applicat ion of t he principles of t he at t ack require a collect ion of " weak keys" wit h t he sam e secret bit s. By changing t he key for every fram e, TKI P prevent s an at t acker from gat hering enough dat a t o at t ack any of t he per- fram e keys.

TKIP sequence counter and replay protection I n addit ion t o it s larger size, t he TKI P init ializat ion vect or serves as a sequence count er. When a new m ast er key is inst alled, t he init ializat ion vect or/ sequence count er is set t o one. Each fram e t ransm it t ed increm ent s t he sequence count er by one. To defend against replay at t acks, TKI P m aint ains t he m ost recent sequence count er value received from each st at ion. When a fram e is successfully received, t he sequence count er is checked against t he m ost recent ly received sequence count er. I f it is larger t han any previous value, t he fram e is accept ed. I f it is sm aller t han t he m ost recent ly received sequence count er value, it is rej ect ed. Task group E is developing qualit y of service ext ensions. Current 802.11e draft s cont ain a block acknowledgm ent prot ocol feat ure t hat uses a single fram e t o acknowledge m ult iple t ransm issions. I n

t he January 2005 draft of 802.11e, re- ordering due t o block acknowledgm ent s m ust com plet e before applying replay det ect ion. 802.11 unicast fram es m ust be acknowledged. I f eit her t he original fram e or it s acknowledgm ent is lost , t he fram e will be ret ransm it t ed. At t he receiver, t his m ay result in t he sam e sequence count er being received t wice. Duplicat e sequence num bers m ay sim ply represent evidence of an error on t he link and do not necessarily indicat e an act ive at t ack in progress.

The Michael integrity check and countermeasures WEP's int egrit y check is a linear hash value, which is t ot ally unsuit able for crypt ographic applicat ions. One of t he m aj or design challenges faced by TKI P was st rengt hening t he int egrit y check while ret aining reasonable perform ance. Most 802.11 chipset s in use at t he t im e TKI P was designed used a relat ively low- power processor, and were t hus not capable of perform ing m at hem at ical operat ions fast enough t o do int egrit y checks at " air- speed." Michael is im plem ent ed ent irely wit h bit wise operat ions such as swaps, shift s, or even discarding bit s. As a result , it can run wit hout delet erious perform ance effect s, even on t he t iny m icroprocessors found in m ost 802.11 int erfaces. ( Michael is discussed in det ail lat er in t his chapt er.) The corollary t o Michael's design is t hat it does not provide a great deal of securit y. I t is significant ly bet t er t han a cyclic redundancy check, but it does not offer securit y against a sust ained and det erm ined at t ack. TKI P incorporat es count erm easures t o det ect and respond t o an act ive at t ack by shut t ing down t he net work and refreshing t he keys in use. Michael's count erm easures are an adm ission of t he weakness of t he underlying crypt ographic fundam ent als. Design of Michael was const rained by t he need t o be backwards- com pat ible wit h m ost of t he exist ing RC4- based hardware on t he m arket . Michael's design is elegant and accom plishes a great deal wit hin it s severe design const raint s, but it is st ill built on a foundat ion of sand. Tim e will t ell whet her Michael is sufficient ly secure; I would not be surprised t o see a m aj or at t ack against it in t he next year. However, t he im proved prot ocol design of TKI P lim it s t he negat ive consequences of an at t ack. I expect t hat a com prom ise of Michael would result in denial- of- service at t acks, but would not lead t o wholesale net work com prom ise.

TKIP Data Processing and Operation Like WEP, TKI P provides support for encrypt ion and int egrit y prot ect ion as part of t he sam e process, as shown in Figure 7- 1 . TKI P's design as a set of safet y feat ures around WEP is quit e clear from t he diagr am . As input, TKI P t akes t he following it em s: The fram e, nat urally. A t em poral key used t o encrypt t he fram e. A MI C key used wit h Michael t o prot ect t he fram e cont ent s. TKI P derives a pair of keys so t hat t he st at ion- t o- AP MI C key is different from t he AP- t o- st at ion MI C key. One of t he ways t hat TKI P differs from WEP is t hat t he MI C uses a key. The t ransm it t er address is used as an input t o TKI P because it is required t o perform origin aut hent icat ion. The t ransm it t er address is supplied wit h t he fram e and does not need t o be supplied by higher level soft ware.

A sequence count er, m aint ained by t he driver or t he firm ware.

Figu r e 7 - 1 . TKI P fr a m e pr oce ssin ge n cr ypt ion

TKIP key mixing and key construction TKI P derives a unique key for each fram e t ransm it t ed. The key is derived from t he init ializat ion vect or/ sequence count er, t he address of t he t ransm it t er of t he fram e ( which m ay not be t he source of t he fram e) , and t he t em poral key. Key m ixing ensures t hat t he key used varies significant ly from one fram e t o t he next , and prevent s any at t acks which assum e t hat t he secret com ponent of t he WEP key are const ant from fram e t o fram e. By including t he t ransm it t er address in t he m ixing com put at ion, t wo st at ions can use t he sam e init ializat ion vect or yet derive different t wo RC4 keys. Lim it ed processing power of t he 802.11 cont rollers dict at ed t he design of t he key m ixing funct ion, which is shown in Figure 7- 2 . TKI P split s t he com put at ion of t he m ixed key int o t wo phases. Phase one t akes, as input , t he t ransm it t er address, t he high- order 32 bit s of t he sequence count er, and t he 128- bit t em poral key. As out put , it gives an 80- bit value. Alt hough t he com put at ion is som ewhat involved, it consist s ent irely of " easy" operat ions such as addit ion, shift s, and exclusive ORs, t o reduce t he com put at ional load. The phase one value is const ant as long as t he 32 high- order bit s of t he sequence count er are const ant , so it only needs t o be com put ed once every 65,536 fram es. Phase t wo of t he key m ixing funct ion m ust be com put ed for every fram e. As input , phase t wo t akes t he phase one result , t he t em poral key, and t he 16 low- order bit s of t he sequence count er. The only input t hat changes from fram e t o fram e is t he sequence count er. I t changes in a well- defined way, so im plem ent at ions can and do pre- com put e values based on t he next set of sequence count er values t hat will be needed as fram es are queued for t ransm ission.

Figu r e 7 - 2 . TKI P k e y m ix in g

The out put of t he phase t wo of t he key m ixing process is a 128- bit RC4 key t hat can be used as a WEP seed. The 16 low- order byt es are used t o generat e a WEP I V. The m iddle byt e of t he WEP I V is const ruct ed so t hat it avoids generat ing weak RC4 keys. Many 802.11 int erfaces incorporat e hardware assist ance t hat can t ake an RC4 key as input and generat e and apply t he result ing keyst ream t o encrypt t he fram e. The out put of t he phase t wo m ixing process can be given direct ly t o an 802.11 int erface t hat support s t his t ype of hardware assist ance.

TKI P data transmission When a fram e is generat ed and sent t o TKI P for t ransm ission, t he following sequence of event s occur.

1 . The 802.11 fram e is queued for t ransm ission. I t consist s of a fram e header and t he payload. Like WEP, TKI P prot ect s only t he payload of t he 802.11 MAC, and leaves t he 802.11 fram e header, as well as any lower- layer headers, int act . 2 . The Message I nt egrit y Check ( MI C) is com put ed. Unlike WEP, TKI P's MI C is a m ore robust crypt ographic hash. I t uses a secret key as part of it s validat ion process, and prot ect s m uch m ore t han j ust t he 802.11 fram e payload. I n addit ion t o t he fram e dat a, t he MI C incorporat es t he source and dest inat ion address as well as t he addit ion of priorit y bit s t hat will be used by t he fut ure 802.11e st andard. 3 . Sequence num bers are assigned t o fragm ent s. Unlike WEP init ializat ion vect ors, TKI P's sequence count er increases by one wit h each fragm ent . I f no fragm ent at ion is necessary, only one sequence count er increm ent will be necessary. I n t he case of m ult iple fragm ent s, t he

count er will increm ent m ult iple t im es. 4 . Each fram e is encrypt ed wit h a unique per- fram e WEP key. By carrying out t he key m ixing funct ions, TKI P derives t he WEP key used for t he fram e. The per- fram e key is passed t o WEP as an I V plus a secret key; bot h com ponent s will change for every fram e. 5 . The fram e plus Michael m essage int egrit y check value from st ep 2 and t he RC4 key from st ep 4 are passed t o WEP, which encapsulat es t he fram e as described in Chapt er 5. Not e t hat t his m eans t hat a TKI P- prot ect ed fram e will include WEP com ponent s as well. TKI P fram es have WEP- like encapsulat ion. Figure 7- 3 shows t he encapsulat ion of a fram e t hat has been prot ect ed by TKI P. The I V/ KeyI D is ret ained from WEP, but has a different int erpret at ion. The first t hree byt es carry part of t he TKI P sequence count er, and ident ify t he key num ber in use. Alt hough TKI P can support m ult iple keys, in pract ice, only KeyI D 0 is dist ribut ed. An Ext ended I V ( EI V) field is used t o carry t he rem ainder of t he sequence count er. Following t he dat a payload, TKI P appends t he MI C. WEP adds it s own int egrit y check value, t o ret ain WEP in as unchanged a form as possible.

Figu r e 7 - 3 . TKI P e n ca psu la t ion

TKIP reception When TKI P receives a fram e, t he encrypt ion and t ransm ission process m ust be reversed. TKI P's design as an expanded version of WEP adds several new checkpoint s in t he decrypt ion process, and t herefore it is wort h t reat ing in m ore det ail. Figure 7- 4 shows a block diagram , wit h all of t he ways t hat fram es m ay be discarded before passing up t o higher prot ocol layers.

1 . When a fram e is received by t he wireless int erface and passes t he fram e check sequence t o ensure it has not been corrupt ed, it is passed t o TKI P for validat ion. 2 . The first st ep TKI P t akes is t o check t he sequence num ber t o prevent replay at t acks. TKI P's replay prot ect ion requires t hat fram es be received in st rict order. Fram es t hat have a sequence num ber equal t o or lower t han t he last received valid fram e are discarded as a replay at t em pt . This is st rict er t han som e ot her t echnologies, which m aint ain a replay window and allow " recent " arrivals t o be som ewhat out of order. For a link layer t echnology, however, it m akes sense t o insist on st rict ordering because t here is only a sm all possibilit y of out - of- order delivery on a single hop. 3 . The WEP seed used t o encrypt t he packet is recovered. Wit h t he t ransm it t er address, t em poral key, and sequence count er, t he receiver can unm ix t he key t o recover t he WEP seed. 4 . Wit h t he WEP seed in hand, t he out er WEP layer around t he fram e can be rem oved and t he

4. cont ent s recovered. As part of t his process, t he WEP I CV is checked. Alt hough it is a weak int egrit y check, it can be used t o prot ect against applying count erm easures unnecessarily. 5 . I f fragm ent at ion was applied, it m ay be necessary t o wait for furt her fram es t o arrive before reassem bling a com plet e payload. Fragm ent at ion is not used oft en on 802.11, however. 6 . Once t he fram e is reassem bled, Michael is calculat ed over t he cont ent s of t he fram e. I f t he calculat ed MI C m at ches t he MI C on t he packet , t he fram e is passed t o higher layers, and t he sequence count er is set t o t he value of t he sequence count er on t he fram e. I f t he MI C check fails, count erm easures are t riggered.

Figu r e 7 - 4 . TKI P r e ce pt ion pr oce ss

One of t he reasons for ret aining t he WEP encapsulat ion is t hat it enables great er backwardscom pat ibilit y wit h exist ing hardware. I t also prevent s unnecessary t riggers of MI C failures. Fram es t hat are corrupt ed due t o noise on t he radio link will likely fail eit her t he 802.11 fram e check sequence or t he WEP int egrit y check value, and will be discarded before t riggering a MI C failure.

The Michael Integrity Check One of WEP's weakest point s was t he int egrit y check, which was supposed t o ensure t hat t he fram e was not t am pered wit h as it t raversed t he wireless m edium . WEP adopt ed t he cyclic redundancy check ( CRC) , which proved woefully inadequat e. One of t he m aj or goals of TKI P was t o design a m essage int egrit y check ( MI C) wit h m uch m ore solid crypt ographic underpinnings. The result ing algorit hm , called Michael, is a com prom ise in m any ways. Michael is st ronger t han a sim ple linear hash, but t he desire of t he st andards com m it t ee t o m ake it easy t o im plem ent wit h low overhead placed severe const raint s on it s design. From an archit ect ural point of view, Michael plugs in t o t he MAC service layer. That is, Michael operat es on fram es passed down t o it from higher- layer prot ocols. Michael does not prot ect individual 802.11 fram es; it prot ect s t he reassem bled dat a unit given t o 802.11 for t ransm ission. [ * ] Part of t he reason for im plem ent ing Michael above t he MAC layer as opposed t o wit hin it is t hat it leaves product s t he flexibilit y t o im plem ent Michael in dedicat ed hardware or in driver soft ware running on t he device. Older chipset s and 802.11 int erfaces did not build in specialized hardware assist ance for Michael because it had not been developed; t hese product s can im plem ent Michael wit h updat ed drivers or host soft ware. Newer devices designed wit h em erging st andards in m ind are able t o build Michael support int o t he chipset if desired, and will not need driver support t hat is as ext ensive. [*]

In practice, the distinction between the MAC service layer and the MAC protocol layer is not particularly necessary. Although 802.11 can accommodate frames over 2,000 bytes, most commercial implementations limit frame size to be compatible with Ethernet to avoid higher-layer fragmentation.

Several at t acks discussed previously served as t he m ot ivat ion for Michael. Two of t he m ost not able are t he bit flipping at t ack and a whole class of header m odificat ion. The form er at t ack depends on t he weak crypt ographic propert ies of t he CRC. As a linear hash algorit hm , it is well known how changing t he CRC input bit s will change t he out put . At t ackers could pot ent ially flip bit s in t he fram e t o change it s cont ent , and change a bit in t he WEP int egrit y check t o com pensat e. I n header m odificat ion at t acks, m alicious at t ackers m ay forge t he source or t ransm it t er address, or at t em pt t o redirect fram es by m odifying t he dest inat ion address. Make no m ist ake, Michael is not a part icularly secure crypt ographic prot ocol. I t was designed t o offer breat hing room t o users who have an ext ensive inst alled base while t hey upgrade t he securit y of t heir net works. I t is only a short - t erm fix while t he long- t erm solut ion is developed.

Michael data processing Michael operat es on higher- level fram es passed down t o t he MAC. When a higher- level fram e is queued for t ransm ission, one of t he first t ransm ission st eps is t o com put e t he m essage int egrit y check ( MI C) value. Michael operat es on t he input shown in Figure 7- 5 ( a) . I n addit ion t o t he dest inat ion address ( DA) and source address ( SA) , Michael adds four zero byt es before t he unencrypt ed dat a. The last t hree byt es are reserved; t he first is a priorit y field t hat is reserved for fut ure st andardizat ion work. Michael operat es on 32- bit blocks of dat a. Dat a is padded out wit h zeros so t hat it will be a m ult iple of 32- bit blocks. Padding is used only for t he com put at ion of t he MI C. I t is not t ransm it t ed. Michael com put es t he MI C value by working on successive 32- bit blocks of dat a.

Figu r e 7 - 5 . M ich a e l in pu t

When com plet e, t he MI C is added on t o t he t ail of t he dat a fram e, and t he dat a- plus- MI C is given t o 802.11 for t ransm ission. I f it needs t o be fragm ent ed, it will be. During t he fragm ent at ion process, t he MI C value m ay be split across m ult iple 802.11 fragm ent s, which is accept able. I n Figure 7- 5 , t he dat a- plus- MI C unit from higher layers requires fragm ent at ion and is split across t he fram e boundary. This is a perfect ly accept able occurrence because t he t wo fragm ent s will be reassem bled before validat ing t he MI C. Figure 7- 5 ( b) illust rat es t his process. The input from Figure 7- 5 ( a) has been split int o t wo fram es for t ransm ission. Each layer will get it s own MAC and PLCP headers, and will be processed by t he WEP layer in TKI P.

Michael countermeasures Michael is not very resist ant t o at t ack, alt hough it appears t o be as good as one could hope, given t he const raint s of a great deal of legacy hardware on t he m arket . Michael is not able t o wit hst and a det erm ined act ive at t ack, so it incorporat es count erm easures against such at t acks. Count erm easures happen at t he MI C check. To m ake it t o t hat point , a fram e m ust have passed t hrough t he replay prot ect ion and t he WEP int egrit y check value validat ion. Forging a fram e t o pass t he replay prot ect ion and t he WEP int egrit y check is not a t rivial m at t er, especially since t he lat t er value depends on t he value of t he m ixed per- fram e key. I f an at t acker were able t o bypass replay prot ect ion and t he WEP int egrit y check, it would be possible t o m ount a brut e- force at t ack on t he Michael int egrit y check. To guard against brut e- force at t em pt s t o pass Michael, Michael's count erm easures shut down com m unicat ions t o lim it t he num ber of act ive at t acks t hat can be m ade against any part icular key. I f an at t ack is sust ained, count erm easures call for refreshing t he key and shut t ing down com m unicat ions. When a st at ion det ect s a MI C failure, it execut es t he following procedure:

1 . The MI C failure is not ed and logged. Before t he MI C is validat ed, t he fram e m ust pass t hrough t he replay prot ect ion hurdle as well as t he legacy WEP int egrit y check. Get t ing a fram e t o Michael for validat ion is not a t rivial undert aking. Therefore, any MI C validat ion error is likely t o be an ext rem ely securit y- relevant m at t er t hat should be invest igat ed by syst em adm inist rat ors. 2 . I f t he failure is t he second one wit hin a 60- second window, count erm easures dict at e shut t ing down com m unicat ions for a furt her 60 seconds. When t he second MI C failure wit hin 60 seconds is det ect ed, all TKI P com m unicat ion is disabled for 60 seconds. I nst it ut ing a com m unicat ion

blackout m akes it im possible for an at t acker t o m ount a sust ained at t ack quickly. 3 . Keys are refreshed. St at ions delet e t heir copies of t he m ast er keys and request new keys from t he aut hent icat or; aut hent icat ors are responsible for generat ing and dist ribut ing new keys. Alt hough 802.11i set s t he Michael count erm easures t im e at 60 seconds, som e vendors allow configurat ion of t he Michael count erm easures window t o ot her values.

Counter Mode with CBC-MAC (CCMP) TKI P is bet t er t han WEP, but t hat is t he only st at em ent t hat can be m ade wit h cert aint y. WEP's basis in a st ream cipher will always leave lingering doubt s about t he securit y of anyt hing built using a sim ilar set of operat ions. To address t he concerns of t he 802.11 user com m unit y, t he I EEE working group began developing a securit y prot ocol based on t he Advanced Encrypt ion St andard ( AES) block cipher. AES is a flexible

What Is WPA? Wi- Fi Prot ect ed Access ( WPA) is a m arket ing st andard put t oget her by t he Wi- Fi Alliance. The Wi- Fi Alliance leaves t he det ails of ham m ering out st andards t o ot her bodies like t he I EEE. As a t rade associat ion, however, t hey react t o ensure t hat t he percept ion of t he indust ry rem ains posit ive. When t he first cracks appeared in t he foundat ion of WEP, t he I EEE launched a working group t o develop im proved securit y st andards. Building secure crypt ographic prot ocols is difficult work, however, and 802.11i has been delayed repeat edly past it s expect ed due dat e. 802.11i specifies t wo new securit y prot ocols: TKI P and CCMP. TKI P was designed t o be backwards com pat ible wit h exist ing hardware at t he t im e it was developed, whereas CCMP was designed essent ially from t he ground up. As a result , TKI P was finished well before CCMP was ready. To address securit y concerns in t he m arket , t he Wi- Fi Alliance worked t o speed up deploym ent of TKI P by com ing up wit h an int erim m arket ing st andard called WPA. WPA version 1 is based on t he t hird draft of 802.11i ( from m id- 2003) ; WPA version 2 is t he final st andardized version of 802.11i from m id- 2004. WPA includes bot h aut hent icat ion t hrough 802.1X and encrypt ion. I t com es in t wo flavors: WPA Personal, which is equivalent t o pre- shared key aut hent icat ion in 802.11i, and WPA Ent erprise, which uses t he aut hent icat ed key m ode t hat derives keys from TLS ent ropy.

cipher t hat can operat e at m any key lengt hs and block sizes; t o prevent user confusion, 802.11i m andat es t he use of AES wit h bot h 128- bit keys and 128- bit blocks. There has been som e concern over t he key size used wit h 802.11i. AES can operat e wit h a variet y of key lengt hs. The U.S. Nat ional Securit y Agency has approved AES for use wit h " secret " dat a wit h 128- bit and longer keys, but m ore sensit ive " t op secret " dat a requires t he use of 192- or 256- bit keys. [ * ] Som e observers have t herefore concluded t hat 128- bit keys do not offer adequat e securit y. Regardless of t he m erit s in t he debat e over key size, 128- bit AES is m uch bet t er suit ed t o 802.11 fram e encrypt ion RC4 at any key lengt h. [*]

See the Committee on National Security Systems (CNSS) Policy No. 15, Fact Sheet No. 1, "National Policy on the Use of the Advanced Encryption Standard (AES) to Protection National Security Systems and National Security Information" at http://www.nstissc.gov/Assets/pdf/fact%20sheet.pdf.

The link- layer securit y prot ocol based on AES is called t he Count er Mode wit h CBC- MAC Prot ocol ( CCMP) . [ ] The nam e com es from t he underlying use of t he block cipher, in t he Count er Mode wit h CBC- MAC ( CCM) m ode, which is specified in RFC 3610. CCM is a " com bined" m ode of operat ion, in which t he sam e key is used in encrypt ion for confident ialit y as well as creat ing a crypt ographically secure int egrit y check value. [

] One of the delays in finishing 802.11i was that the AES algorithm was initially based on a different mode of operation, AESOCB. Intellectual property concerns required that it be dropped from the final specification in favor of CCMP.

I n Sept em ber 2003, t he Nat ional I nst it ut e of St andards and Technology ( NI ST) began a st udy of CCM. I n May 2004, NI ST gave it s approval t o CCM, which will allow 802.11i t o serve as t he basis for secure wireless LANs in dem anding applicat ions.

CCMP Data Processing Like ot her link- layer encrypt ion m et hods, CCMP provides support for encrypt ion and int egrit y prot ect ion as part of t he sam e process, as shown in Figure 7- 6 .

Figu r e 7 - 6 . CCM P fr a m e pr oce ssin ge n cr ypt ion

As input, CCMP t akes t he following it em s: The fram e, nat urally. A t em poral key used t o encrypt and aut hent icat e t he fram e. One key is used for bot h fram e encrypt ion and fram e aut hent icat ion.

A key ident ifier t o support t he use of m ult iple keys over t he air. Only one key, however, will be used for any given fram e. A packet num ber, used t o uniquely ident ify t he fram e being t ransm it t ed. The packet num ber is increm ent ed for each fram e t ransm ission, but it rem ains t he sam e for each at t em pt t o t ransm it t he fram e. That is, ret ransm issions do not cause t he PN t o increm ent .

CCMP data transmission When a fram e is generat ed and sent t o TKI P for t ransm ission, t his procedure occurs:

1 . The 802.11 fram e is queued for t ransm ission. I t consist s of a fram e header and t he payload. Like WEP, TKI P prot ect s only t he payload of t he 802.11 MAC, and leaves t he 802.11 fram e header, as well as any lower- layer headers, int act . 2 . A 48- bit Packet Num ber ( PN) is assigned. As wit h t he TKI P sequence num ber, packet num bers are never re- used for t he sam e t em poral key. Packet num bers are increased by one for every t ransm ission, and are used for replay det ect ion. 3 . The Addit ional Aut hent icat ion Dat a ( AAD) field is const ruct ed. I t consist s of t he fields in t he fram e header which m ust be aut hent icat ed for securit y but m ust also rem ain unencrypt ed so t hat t he 802.11 prot ocols m ay operat e. The receiver will use t he AAD field t o verify t hat t he aut hent icat ed fields were not alt ered in t ransit . The AAD field prot ect s t he 802.11 prot ocol version, fram e t ype, t he dist ribut ion syst em bit s, and fragm ent at ion and order bit s. I t also prot ect s t he address fields from t he MAC header, and t he sequence cont rol field, wit h t he sequence num ber ( t hough not t he fragm ent num ber) set t o zero. I t ends wit h t wo opt ional com ponent s: t he fourt h address field from t he MAC header ( if t he wireless dist ribut ion syst em is in use) , and qualit y of service header inform at ion. 4 . Next , t he CCMP nonce is built . Nonces are lit t le bit s of dat a t hat guarant ee t hat t he encrypt ion operat ion occurs on unique dat a. Nonces should never be re- used wit h t he sam e key. I n CCMP, t he nonce is const ruct ed wit h t he packet num ber and t he sender's address so t hat t he sam e packet num ber can be used by m ult iple st at ions. The nonce also includes priorit y dat a used in QoS. 5 . Next , t he CCMP header is built . I t consist s of t he packet num ber, broken across six byt es, wit h a key ident ifier in t he m iddle. As in WEP, t here are four pot ent ial key slot s used in CCMP. The Ext ended I V bit is always set t o 1 in CCMP because an eight - byt e header is always needed t o accom m odat e t he large packet num ber field. The header is shown in Figure 7- 7 . 6 . All t he input s t o t he CCM encrypt ion engine are available at t his point . As input , it t akes t he 128- bit t em poral key, t he nonce from st ep 4, t he addit ional aut hent icat ion dat a from st ep 3, and t he fram e body. All t he dat a is aut hent icat ed wit h a 8- byt e MI C, and t he fram e body and MI C are encrypt ed. Figure 7- 6 illust rat es t he encrypt ion process. 7 . The encrypt ed fram e is prepared for t ransm ission by t aking t he original MAC header and appending t he CCMP header and t he encrypt ed dat a from st ep 6. The result ing fram e is pushed down t o t he radio int erface for t ransm ission, and looks like Figure 7- 10. The encapsulat ion of a CCMP- prot ect ed fram e is quit e st raight forward, and is shown in Figure 7- 7 . Following t he MAC header, a CCMP header holds t he packet num ber and key I D. The higher- layer prot ocol fram e and it s MI C are encrypt ed before t he FCS.

Figu r e 7 - 7 . CCM P e n ca psu la t ion

CCMP reception When CCMP receives a fram e, t he encrypt ion and t ransm ission process m ust be reversed. Wit h no backwards com pat ibilit y baggage requiring t he use of t he WEP engine, t he CCMP decrypt ion process is a st raight forward reversal of Figure 7- 6 :

1 . When a fram e is received by t he wireless int erface and passes t he fram e check sequence t o ensure it has not been corrupt ed, it is passed t o CCMP for validat ion. 2 . The addit ional aut hent icat ion dat a ( AAD) is recovered from t he received fram e. I t consist s only of fram e headers, which are t ransm it t ed in t he clear. 3 . The CCMP nonce is also recovered from t he fram e. I t consist s of t he packet num ber, t he sender's address, and cont ent s of t he qualit y of service field, all of which are available in t he fram e header in t he clear. 4 . The receiver decrypt s t he ciphert ext . I t requires t he t em poral key, t he nonce recovered from st ep 3, t he aut hent icat ion dat a from st ep 2, and of course, t he encrypt ed fram e body. When t he process com plet es, t he receiver has a copy of t he decrypt ed fram e plus t he decrypt ed int egrit y code. 5 . The int egrit y check is calculat ed over t he plaint ext dat a and t he addit ional aut hent icat ion dat a. I f t he calculat ed int egrit y check value m at ches t he int egrit y check value ext ract ed in st ep 4, t hen processing proceeds. Ot herwise, processing ends. 6 . A plaint ext fram e is const ruct ed from t he MAC header and t he dat a recovered in st ep 4. To pass t hrough t he replay det ect ion check, t he packet num ber m ust be great er t han or equal t o t he last received packet num ber t hat passed t hrough t he int egrit y check process.

Robust Security Network (RSN) Operations I n addit ion t o defining TKI P and CCMP, 802.11i also defines a set of procedures t hat build what t he st andard calls Robust Securit y Net works ( RSNs) . These operat ions define how keys are derived and dist ribut ed.

802.11i Key Hierarchy There are t wo t ypes of keys used by link layer encrypt ion prot ocols. Pairwise keys prot ect t raffic bet ween a st at ion and t he AP it is current ly serving. Group keys prot ect broadcast or m ult icast t raffic from an AP t o it s associat ed client s. Pairwise keys are ult im at ely derived from t he aut hent icat ion inform at ion discussed in t he previous chapt er; group keys are creat ed random ly and dist ribut ed t o each st at ion at t he whim of t he access point .

Pairwise key hierarchy Bot h TKI P and CCMP t ake a single m ast er key and expand it int o t he different keys required for fram e prot ect ion operat ions. By using key derivat ion, st at ions can refresh encrypt ion keys wit hout re- running t he whole aut hent icat ion process. The m ast er key is t he root secret t hat m ust be carefully prot ect ed because all keying m at erial is derived from it . Part of t he key hierarchy's purpose is t o derive keys used t o prot ect t ransm ission of t he t em poral keys. Keying st art s wit h t he m ast er key. I n t he pairwise key hierarchy, which is shown in Figure 7- 8 , t he m ast er key is unsurprisingly called t he pairwise m ast er key ( PMK) , which is 256 bit s long. The PMK m ust com e from som ewhere. I n WPA- PSK, t he pairwise m ast er key is configured. I n configurat ions using an aut hent icat ion server, t he m ast er key is com put ed by t he RADI US server and sent t o t he access point in a Microsoft Point - t o- Point Encrypt ion ( MPPE) vendor- specific RADI US at t ribut e.

Figu r e 7 - 8 . Pa ir w ise k e y h ie r a r ch ie s

To obt ain t he t em poral keys described earlier in t his chapt er, t he PMK is expanded t hrough t he use of a defined pseudorandom funct ion. [ * ] To furt her random ize dat a, t he expansion is based on t he prem ast er key, t he MAC addresses of bot h t he supplicant and aut hent icat or, and t wo random nonce values t ransm it t ed as part of t he four- way key exchange handshake. [*]

Many encryption protocols use pseudorandom functions to expand a small seed into a large amount of random data. TLS is perhaps the best known example.

Bot h TKI P and CCMP use t he pseudorandom funct ion expansion t o expand t he 256 bit s int o t he pairwise t ransient key ( PTK) . I n bot h t he TKI P and CCMP hierarchy, t he t wo chunks of 128 bit s of t he t ransient key are used for keys t hat prot ect t he t em poral keys during dist ribut ion. Bot h key hierarchies st art wit h t wo EAPOL keys, used t o secure t ransm ission of keying m at erial using t he EAPOL- Key m essage discussed in t he previous chapt er. Two 128- bit keys are used. The first , t he EAPOL Key Confirm at ion Key ( KCK) , is used t o com put e m essage int egrit y checks on keying m essages. The second, t he EAPOL Key Encrypt ion Key ( KEK) , is used t o encrypt keying m essages. Bot h will be discussed in t he sect ion on t he four- way handshake. TKI P's t ransient key consist s of a t ot al of 512 bit s, wit h t he addit ional 256 bit s used as t he 128- bit t em poral key t hat is used in TKI P dat a processing, and t he 128- bit key for t he Michael int egrit y check. TKI P requires t wo addit ional keys because it uses t radit ional encrypt ion and aut hent icat ion schem es t hat st rict ly separat e encrypt ion from aut hent icat ion. CCMP's t ransient key is only 384 bit s because only a single 128- bit t em poral key is used for aut hent icat ion and encrypt ion.

Group key hierarchy Link layer securit y prot ocols use a different set of keys for broadcast and m ult icast t ransm issions. Every associat ed st at ion will have a different pre- m ast er key, and t hus, t here is no way t o derive a key for use wit h m ult iple dest inat ions from t he disparat e aut hent icat ion exchanges. I nst ead, t he aut hent icat or m aint ains a group m ast er key ( GMK) as t he basis for t em poral keys. The group m ast er key is expanded int o t he group key hierarchy shown in Figure 7- 9 by t he use of a pseudorandom funct ion. No key encrypt ion or key confirm at ion keys are generat ed because t he key exchange uses t he pairwise EAPOL keys for key dist ribut ion.

Figu r e 7 - 9 . Gr ou p k e y h ie r a r ch y

Net works m ay updat e t he group keys when st at ions leave t he net work, eit her because t hey are finished or are deaut hent icat ed. I n TKI P, count erm easures m ay also t rigger t he regenerat ion of t he group keys.

802.11i Key Derivation and Distribution Rat her t han sim ply t aking t he m ast er secret and using it as t he input t o a crypt ographic prot ocol, 802.11i specifies a m echanism t o derive keys. To prevent replay at t acks, t he exchange m akes use of random num bers, and requires a handshake. Pairwise and group keys are updat ed t hrough separat e handshakes, which are bot h shown in Figure 7- 10.

Figu r e 7 - 1 0 . Ke y e x ch a n ge h a n dsh a k e s

Updating pairwise keys: the four-way handshake Pairwise, or unicast , keys are dist ribut ed t hrough a procedure known as t he four- way handshake, shown in Figure 7- 10. Bot h t he supplicant and aut hent icat or are in possession of a shared pairwise m ast er key. The four- way handshake exchanges param et ers used t o derive t he t em poral keys, as well as confirm t hat bot h sides are ready t o begin encrypt ed t ransm ission. Messages in sequence are im plicit ly acknowledged by t he next m essage.

1 . The aut hent icat or sends t he supplicant a nonce, which is a random value t hat prevent s replay at t acks. There is no aut hent icat ion of t he m essage, but t here is no danger from t am pering. I f t he m essage is alt ered, t he handshake fails and will be rerun. At t his point , t he supplicant can expand t he pairwise m ast er key int o t he full pairwise key hierarchy. Expansion requires t he MAC addresses of t he supplicant and aut hent icat or, t he pairwise m ast er key, and t he t wo nonces. 2 . The supplicant sends a m essage t hat has t he supplicant nonce and a copy of t he securit y

2. param et ers from t he init ial associat ion wit h t he net work. The whole m essage is aut hent icat ed by an int egrit y check code calculat ed using t he EAPOL Key Confirm at ion Key. The aut hent icat or receives t he m essage and ext ract s t he supplicant nonce, which allows t he aut hent icat or t o derive t he full pairwise key hierarchy. Part of t he key hierarchy is t he key used t o " sign" t he m essage. I f t he aut hent icat or cannot validat e t he m essage, t he handshake fails. 3 . Keys are now in place on bot h sides of t he handshake, but need t o be confirm ed. The Aut hent icat or sends t he supplicant a m essage indicat ing t he sequence num ber for which t he pairwise key will be added. I t also includes t he current group t ransient key t o enable updat e of t he group key. The group t ransient key is encrypt ed using t he EAPOL Key Encrypt ion Key, and t he ent ire m essage is aut hent icat ed using t he Key Confirm at ion Key. 4 . The supplicant sends a final confirm at ion m essage t o t he aut hent icat or t o indicat e t hat it has received t he keying m essages and t he aut hent icat or m ay st art using t he keys. The m essage is aut hent icat ed using t he Key Confirm at ion Key.

Updating group keys: the group key handshake The group key handshake is considerably sim pler t han t he four- way handshake, in part because it uses part of t he result s from t he four- way handshake. Because t he group t ransient key is encrypt ed wit h t he Key Encrypt ion Key from t he pairwise hierarchy, t he group key handshake requires t hat a successful four- way handshake has already occurred. I t consist s of only t wo st eps:

1 . The aut hent icat or sends t he group t ransient key ( GTK) , encrypt ed wit h t he Key Encrypt ion Key from t he pairwise key hierarchy. The m essage is also aut hent icat ed wit h a code calculat ed wit h t he Key Confirm at ion Key. 2 . The supplicant sends an acknowledgm ent m essage, indicat ing t he aut hent icat or should begin t o use t he new key for group fram es. This m essage is also aut hent icat ed using t he Key Confirm at ion Key. Even t hough t he group key handshake is updat ing a key used by several st at ions, t he use of t he Key Encrypt ion Key t o prot ect dat a m eans t hat t he handshake is inherent ly pairwise. When t he group key is updat ed, t he group key exchange m ust be run once for each st at ion. Alt hough group key updat es are generally cont rolled by t he aut hent icat or, st at ions m ay request a group key updat e by sending an unsolicit ed confirm at ion m essage.

Mixing Encryption Types To allow for m igrat ion bet ween different encrypt ion prot ocols, as well as t o accom m odat e older devices incapable of anyt hing st ronger t han WEP, 802.11i defines a t rust hierarchy for encrypt ion prot ocols. WEP wit h 40- bit keys is t he weakest prot ocol, followed by WEP wit h 104- bit keys, TKI P, and CCMP. As part of t he init ial associat ion t o t he net work, each st at ion can negot iat e t he encrypt ion prot ocols it uses for bot h unicast and group dat a. The only rest rict ion is t hat t he group key m ust use eit her t he sam e st rengt h or a weaker encrypt ion prot ocol. Access point s use t he " lowest com m on denom inat or" for t he group key. I n a net work where t he least capable associat ed st at ion is only able t o run

dynam ic WEP, t he group key will be dynam ic WEP. Ot her st at ions m ay, however, use st ronger unicast prot ect ion m echanism s. Many access point s provide policy cont rols t o set a m inim um accept able encrypt ion st rengt h, and m ay prevent st at ions from associat ing wit h weaker prot ocols t han desired by t he net work adm inist rat ors. The st andard allows for nearly any m ixt ure of encrypt ion m et hods, wit h t he except ion t hat a st at ion using CCMP for group fram es m ust only support CCMP for unicast fram es. However, m any drivers do not support every allowed m ode. Most not ably, drivers usually do not support t he com binat ion of CCMP for unicast dat a in com binat ion wit h older RC4- based fram e encrypt ion for t he group key.

Key Caching Pairwise m ast er keys are t he foundat ion of 802.11i securit y. Generat ing t hem is quit e an expensive operat ion if t he pairwise m ast er key is t he result of an 802.1X exchange. Most EAP m et hods require m ult iple m essages and a significant am ount of com put at ion per st ep. The 802.1X aut hent icat ion process m ay t ake several seconds, during which t he user is unable t o send or receive dat a. Client syst em s locat ed on t he boundary bet ween t wo access point s m ay be part icularly affect ed if t he wireless int erface bounces back and fort h bet ween t wo ( or m ore) access point s wit h equivalent signal st rengt h. Reducing t he aut hent icat ion overhead is t he m ot ivat ion for PMK caching, which is shown in Figure 711 . Rat her t han require a st at ion t o perform t he full 802.1X exchange every t im e it connect s t o an access point , it references an exist ing session by t he pairwise m ast er key securit y associat ion ident ifier. I f t he access point has an exist ing associat ion, it accept s t he associat ion and proceeds im m ediat ely t o t he four- way handshake. I n t he four- way handshake, bot h t he supplicant and aut hent icat or will prove t o each ot her possession of t he cached PMK.

Figu r e 7 - 1 1 . PM K ca ch in g

St at ions t hat do not have cached m ast er keys m ust perform a full 802.1X aut hent icat ion t o generat e

t hem . One of t he m ot ivat ions for preaut hent icat ion, which is discussed in t he next chapt er, is t hat can be used t o est ablish m ast er keys on access point s before t he handoff occurs, so t hat a m ast er key is wait ing.

Chapter 8. Management Operations While being unt et hered from a wired net work can be an advant age, it can lead t o problem s: t he m edium is unreliable, unaut horized users can t ake advant age of t he lack of physical boundaries, and power consum pt ion is crit ical when devices are running on bat t eries. The m anagem ent feat ures of t he 802.11 prot ocol were designed t o reduce t he effect of t hese problem s. I n essence, m anagem ent operat ions are all t he behind- t he- scenes t asks t hat wireless net work devices perform so t hat t he wireless link looks m uch like ot her t ypes of net work connect ions. 802.11 m anagem ent is a cooperat ive affair, shared bet ween client devices and t he net work infrast ruct ure. Unfort unat ely, t his leaves a great deal of t he prot ocol operat ion in t he hands of devices t hat m ay vary great ly. Som e device drivers allow you t o cust om ize t he m anagem ent feat ures discussed in t his chapt er. Keep in m ind, t hough, t hat t he capabilit ies of t he device driver vary from one product t o anot her, and t he st at e of wireless net working is such t hat som e vendors are t rying t o produce t he m ost feat ure- rich product s possible, while ot hers are aim ing at a lower- cost m arket and t rying t o produce t he sim plest product s. The only way t o know what is possible is t o underst and t he capabilit ies t hat have been built int o t he prot ocol. Then you'll be in a good posit ion t o work wit h what ever hardware drops in your lap.

Management Architecture Concept ually, t he 802.11 m anagem ent archit ect ure is com posed of t hree com ponent s: t he MAC layer m anagem ent ent it y ( MLME) , a physical- layer m anagem ent ent it y ( PLME) , and a syst em m anagem ent ent it y ( SME) . The relat ion bet ween t he different m anagem ent ent it ies and t he relat ed part s of 802.11 is shown in Figure 8- 1 .

Figu r e 8 - 1 . Re la t ion sh ip be t w e e n m a n a ge m e n t e n t it ie s a n d com pon e n t s of t h e 8 0 2 .1 1 spe cifica t ion

802.11 does not form ally specify t he SME. I t is t he m et hod by which users and device drivers int eract wit h t he 802.11 net work int erface and gat her inform at ion about it s st at us. Bot h t he MAC and PHY layers have access t o a m anagem ent inform at ion base ( MI B) . The MI B has obj ect s t hat can be queried t o gain st at us inform at ion, as well as obj ect s t hat can cause cert ain act ions t o t ake place. There are t hree defined int erfaces bet ween t he m anagem ent com ponent s. The st at ion m anagem ent ent it y m ay alt er bot h t he MAC and PHY MI Bs t hrough t he MLME and PLME service int erfaces. Addit ionally, changes t o t he MAC m ay require corresponding changes in t he PHY, so an addit ional int erface bet ween t he MLME and PLME allows t he MAC t o m ake changes t o t he PHY.

Scanning Before using any net work, you m ust first find it . Wit h wired net works, finding t he net work is easy: look for t he cable or a j ack on t he wall. I n t he wireless world, st at ions m ust ident ify a com pat ible net work before j oining it . The process of ident ifying exist ing net works in t he area is called scanning. Several param et ers are used in t he scanning procedure. These param et ers m ay be specified by t he user; m any im plem ent at ions have default values for t hese param et ers in t he driver.

BSSType ( independent , infrast ruct ure, or bot h) Scanning can specify whet her t o seek out independent ad hoc net works, infrast ruct ure net works, or all net works.

BSSI D ( individual or broadcast ) The device can scan for a specific net work t o j oin ( individual) or for any net work t hat is willing t o allow it t o j oin ( broadcast ) . When 802.11 devices are m oving, set t ing t he BSSI D t o broadcast is a good idea because t he scan result s will include all BSSs in t he area.

SSI D ( " net work nam e" ) The SSI D assigns a st ring of bit s t o an ext ended service set . Most product s refer t o t he SSI D as t he net work nam e because t he st ring of bit s is com m only set t o a hum an- readable st ring. Client s wishing t o find any net work should set t his t o t he broadcast SSI D.

ScanType ( act ive or passive) Act ive scanning uses t he t ransm ission of Probe Request fram es t o ident ify net works in t he area. Passive scanning saves bat t ery power by list ening for Beacon fram es.

ChannelList Scans m ust eit her t ransm it a Probe Request or list en on a channel for t he exist ence of a net work. 802.11 allows st at ions t o specify a list of channels t o t ry. Product s allow configurat ion of t he channel list in different ways. What exact ly const it ut es a channel depends on t he physical layer in use. Wit h direct - sequence product s, it is a list of channels. Wit h frequencyhopping product s, it is a hop pat t ern.

ProbeDelay This is t he delay, in m icroseconds, before t he procedure t o probe a channel in act ive scanning begins. This delay ensures t hat an em pt y or light ly loaded channel does not com plet ely block t he scan.

MinChannelTim e and MaxChannelTim e These values, specified in t im e unit s ( TUs) , specify t he m inim um and m axim um am ount of t im e t hat t he scan works wit h any part icular channel.

Passive Scanning Passive scanning saves bat t ery power because it does not require t ransm it t ing. I n passive scanning, a st at ion m oves t o each channel on t he channel list and wait s for Beacon fram es. Any Beacons received are buffered t o ext ract inform at ion about t he BSS t hat sent t hem . I n t he passive scanning procedure, t he st at ion sweeps from channel t o channel and records inform at ion from any Beacons it receives. Beacons are designed t o allow a st at ion t o find out everyt hing it needs t o m at ch param et ers wit h t he basic service set ( BSS) and begin com m unicat ions. I n Figure 8- 2 , t he m obile st at ion uses a passive scan t o find BSSs in it s area; it hears Beacon fram es from t he first t hree access point s. I f it does not hear Beacons from t he fourt h access point , it report s t hat only t hree BSSs were found.

Figu r e 8 - 2 . Pa ssive sca n n in g

Active Scanning I n act ive scanning, a st at ion t akes a m ore assert ive role. On each channel, Probe Request fram es are used t o solicit responses from a net work wit h a given nam e. Rat her t han list ening for t hat net work t o announce it self, an act ive scan at t em pt s t o find t he net work. St at ions using act ive scanning em ploy t he following procedure for each channel in t he channel list :

1 . Move t o t he channel and wait for eit her an indicat ion of an incom ing fram e or for t he ProbeDelay t im er t o expire. I f an incom ing fram e is det ect ed, t he channel is in use and can be probed. The t im er prevent s an em pt y channel from blocking t he ent ire procedure; t he st at ion won't wait indefinit ely for incom ing fram es. 2 . Gain access t o t he m edium using t he basic DCF access procedure and send a Probe Request fram e. 3 . Wait for t he m inim um channel t im e, MinChannelTim e, t o elapse.

a . I f t he m edium was never busy, t here is no net work. Move t o t he next channel. b. I f t he m edium was busy during t he MinChannelTim e int erval, wait unt il t he m axim um t im e, MaxChannelTim e, and process any Probe Response fram es. Probe Response fram es are generat ed by net works when t hey hear a Probe Request t hat is searching for t he ext ended service set t o which t he net work belongs. At a part y, you m ight look for a friend by wandering around t he dance floor shout ing out her nam e. ( I t 's not polit e, but if you really want t o find your friend, you m ay not have m uch choice.) I f your friend hears you, she will respondot hers will ( you hope) ignore you. Probe Request fram es funct ion sim ilarly, but t hey can also use a broadcast SSI D, which t riggers a Probe Response from all 802.11 net works in t he area. ( I t 's like shout ing " Fire! " at t he part yt hat 's sure t o result in a response from everybody! ) One st at ion in each BSS is responsible for responding t o Probe Request s. The st at ion t hat t ransm it t ed t he last Beacon fram e is also responsible for t ransm it t ing any necessary Probe Response fram es. I n infrast ruct ure net works, t he access point s t ransm it Beacons and t hus are also responsible for responding t o it inerant st at ions searching t he area wit h Probe Request s. I BSSs m ay pass around t he responsibilit y of sending Beacon fram es, so t he st at ion t hat t ransm it s Probe Response fram es m ay vary. Probe Responses are unicast m anagem ent fram es and are t herefore subj ect t o t he posit ive acknowledgm ent requirem ent of t he MAC. I t is com m on for m ult iple Probe Responses t o be t ransm it t ed as a result of a single Probe Request . The purpose of t he scanning procedure is t o find every basic service area t hat t he scanning st at ion can j oin, so a broadcast Probe Request result s in a response from every access point wit hin range. Any overlapping independent BSSs m ay also respond. Figure 8- 3 shows t he relat ionship bet ween t he t ransm ission of Probe fram es and t he various t im ing int ervals t hat can be configured as part of a scan.

Figu r e 8 - 3 . Act ive sca n n in g pr oce du r e a n d m e diu m a cce ss

I n Figure 8- 3 ( a) , a m obile st at ion t ransm it s a probe request t o which t wo access point s respond. The act ivit y on t he m edium is shown in Figure 8- 3 ( b) . The scanning st at ion t ransm it s t he Probe Request aft er gaining access t o t he m edium . Bot h access point s respond wit h a Probe Response t hat report s t heir net work's param et ers. Not e t hat t he second Probe Response is subj ect t o t he rules of t he dist ribut ed coordinat ion funct ion and m ust wait for t he cont ent ion window t o elapse before t ransm it t ing. The first response is t ransm it t ed before t he m inim um response t im e elapses, so t he st at ion wait s unt il t he m axim um response t im e has elapsed before collat ing t he result s. I n areas wit h a large num ber of net works, it m ay be necessary t o adj ust t he m axim um channel t im e so t he responses from all t he access point s in t he area can be processed.

Scan Report A scan report is generat ed at t he conclusion of a scan. The report list s all t he BSSs t hat t he scan discovered and t heir param et ers. The com plet e param et er list enables t he scanning st at ion t o j oin any of t he net works t hat it discovered. I n addit ion t o t he BSSI D, SSI D, and BSSType, t he param et ers also include: [ * ] [*]

The items actually exposed by any particular software vary.

Beacon int erval ( int eger) Each BSS can t ransm it Beacon fram es at it s own specific int erval, m easured in TUs.

DTI M period ( int eger) DTI M fram es are used as part of t he powersaving m echanism .

Tim ing param et ers Two fields assist in synchronizing t he st at ion's t im er t o t he t im er used by a BSS. The Tim est am p field indicat es t he value of t he t im er received by t he scanning st at ion; t he ot her field is an offset t o enable a st at ion t o m at ch t im ing inform at ion t o j oin a part icular BSS.

PHY param et ers, CF param et ers, and I BSS param et ers These t hree facet s of t he net work have t heir own param et er set s, each of which was discussed in det ail in Chapt er 4. Channel inform at ion is included in t he physical- layer param et ers.

BSSBasicRat eSet The basic rat e set is t he list of dat a rat es t hat m ust be support ed by any st at ion wishing t o j oin t he net work. St at ions m ust be able t o receive dat a at all t he rat es list ed in t he set . The basic rat e set is com posed of t he m andat ory rat es in t he Support ed Rat es inform at ion elem ent of m anagem ent fram es, as in Chapt er 4.

What's in a Name? (or, the Security Fallacy of Hidden SSIDs) WEP is not required by 802.11, and a num ber of earlier product s im plem ent only opensyst em aut hent icat ion. To provide m ore securit y t han st raight open- syst em aut hent icat ion allows, m any product s offer an " aut horized MAC address list ." Net work adm inist rat ors can ent er a list of aut horized client addresses, and only client s wit h t hose addresses are allowed t o connect . The SSI D is an im port ant scanning param et er. St at ions search for an SSI D when scanning, and m ay build a list of SSI Ds for present at ion t o t he user. As a unique ident ifier for a net work, t he SSI D is oft en given m yt hic securit y propert ies it does not act ually possess. At t he dawn of 802.11, t he SSI D was broadcast in t he clear in Beacon fram es, right t here for t he list ening. All t hat was necessary was an 802.11 int erface t uned t o t he right radio channel. When t he st one age of 802.11 began, one vendor began t o t reat t he SSI D as a valuable securit y t oken. By enabling t he " closed net work" opt ion on t hat vendor's equipm ent , t he SSI D was no longer put in Beacon fram es, t hus " prot ect ing" t he net work from at t ackers. To furt her " prot ect " t he SSI D from prying eyes, access point s operat ing a closed net work would not respond t o Probe Request s wit h t he broadcast SSI D. Closed net works break passive scanning because t he SSI D is no longer available for easy collect ion. I n order t o prevent a closed net work from being com plet ely closed t o client s, however, access point s m ust respond t o Probe Request s cont aining t he correct SSI D. Managem ent fram es have no encrypt ion, and t he SSI D value is right t here for t he t aking in t he Probe Request . To be scrupulously correct , t he closed net work m ay offer a vanishingly sm all increm ent al am ount of securit y because t he SSI D is only available when st at ions search for t he net work, rat her t han several t im es per second in Beacon fram es.

Hiding an SSI D can cause problem s wit h 802.11 m anagem ent . Alt hough m ost 802.11 int erfaces and t heir associat ed drivers can handle hidden SSI Ds, not all can. Hiding an SSI D is a nonst andard procedure t hat can cause problem s, and does not provide any real securit y. Leave t he SSI D in t he Beacon fram es for int eroperabilit y, and use a real securit y solut ion like 802.1X if you need it .

Joining Aft er com piling t he scan result s, a st at ion can elect t o j oin one of t he BSSs. Joining is a precursor t o associat ion; it is analogous t o aim ing a weapon. I t does not enable net work access. Before t his can happen, bot h aut hent icat ion and associat ion are required. Choosing which BSS t o j oin is an im plem ent at ion- specific decision and m ay even involve user int ervent ion. BSSs t hat are part of t he sam e ESS are allowed t o m ake t he decision in any way t hey choose; com m on crit eria used in t he decision are power level and signal st rengt h. Observers cannot t ell when a st at ion has j oined a net work because t he j oining process is int ernal t o a node; it involves m at ching local param et ers t o t he param et ers required by t he select ed BSS. One of t he m ost im port ant t asks is t o synchronize t im ing inform at ion bet ween t he m obile st at ion and t he rest of t he net work, a process discussed in m uch m ore det ail in t he sect ion " Tim er Synchronizat ion ," lat er in t his chapt er. The st at ion m ust also m at ch t he PHY param et ers, which guarant ees t hat any t ransm issions wit h t he BSS are on t he right channel. ( Tim er synchronizat ion also guarant ees t hat frequency- hopping st at ions hop at t he correct t im e, t oo.) Using t he BSSI D ensures t hat t ransm issions are direct ed t o t he correct set of st at ions and ignored by st at ions in anot her BSS. [ * ] Capabilit y inform at ion is also t aken from t he scan result , which m at ches t he use of WEP and any high- rat e capabilit ies. St at ions m ust also adopt t he Beacon int erval and DTI M period of t he BSS, t hough t hese param et ers are not as im port ant as t he ot hers for enabling com m unicat ion. [*]

Technically, this is true only for stations obeying the filtering rules for received frames. Malicious attackers intent on compromising network security can easily choose to disobey these rules and capture frames, and most existing product implementations do not correctly implement the filtering rules.

Authentication Wireless net work m edia of any sort can lit erally im m erse t hem selves in st anding in it . Prepare now t o ent er " aut hent icat ion" offered by 802.11, securit y expert s.

are open t o all sort s of m alicious t am pering because at t ackers t he net work m edium . Gaining a foot hold is t rivial if you are t he aut hent icat ion t wilight zone. There are m ult iple form s of m any of which would not pass t he laugh t est from serious

When m ost net work adm inist rat ors refer t o aut hent icat ion, t he im plicat ion is t hat only st rong aut hent icat ion is wort h considering as aut hent icat ion. Anyt hing t hat is not based on crypt ography does not prove ident it y. Wit h t he right EAP m et hod, 802.1X aut hent icat ion can be quit e st rong, but 802.1X m essages can only be exchanged once a syst em has perform ed a lower- level 802.11 " aut hent icat ion" prior t o associat ion.

802.11 "Authentication" 802.11 requires t hat a st at ion est ablish it s ident it y before sending fram es. This init ial 802.11 " aut hent icat ion" occurs every t im e a st at ion at t aches t o a net work. I t should be st ressed, however, t hat t hey provide no m eaningful net work securit y. There are no crypt ographic secret s t hat are passed around or validat ed, and t he aut hent icat ion process is not m ut ual. I t is far m ore accurat e t o t hink of 802.11's low- level aut hent icat ion as an init ial st ep in t he handshake process t hat a st at ion uses t o at t ach t o t he net work, and one t hat ident ifies t he st at ion t o t he net work. 802.11 aut hent icat ion is a one- way st reet . St at ions wishing t o j oin a net work m ust perform 802.11 aut hent icat ion t o it , but net works are under no obligat ion t o aut hent icat e t hem selves t o a st at ion. The designers of 802.11 probably felt t hat access point s were part of t he net work infrast ruct ure and t hus in a m ore privileged posit ion.

Open-system authentication Open- syst em aut hent icat ion is t he only m et hod required by 802.11. Calling it aut hent icat ion is st ret ching t he m eaning of t he t erm a great deal. I n open- syst em aut hent icat ion, t he access point accept s t he m obile st at ion at face value wit hout verifying it s ident it y. ( I m agine a world where sim ilar aut hent icat ion applied t o bank wit hdrawals! ) Providing net work securit y requires building som et hing on t op of t he result ing net work session. An open- syst em aut hent icat ion exchange consist s of t wo fram es, shown in Figure 8- 4 .

Figu r e 8 - 4 . Ope n - syst e m a u t h e n t ica t ion e x ch a n ge

The first fram e from t he m obile st at ion is a m anagem ent fram e of subt ype aut hent icat ion. 802.11 does not form ally refer t o t his fram e as an aut hent icat ion request , but t hat is it s pract ical purpose. I n 802.11, t he ident it y of any st at ion is it s MAC address. Like Et hernet net works, MAC addresses m ust be unique t hroughout t he net work and can readily double as st at ion ident ifiers. Access point s use t he source address of fram es as t he ident it y of t he sender; no fields wit hin t he fram e are used t o furt her ident ify t he sender. There are t wo inform at ion elem ent s in t he body of t he aut hent icat ion request . First , t he Aut hent icat ion Algorit hm I dent ificat ion is set t o 0 t o indicat e t hat t he open- syst em m et hod is in use. Second, t he Aut hent icat ion Transact ion Sequence num ber is set t o 1 t o indicat e t hat t he first fram e is in fact t he first fram e in t he sequence. The access point t hen processes t he aut hent icat ion request and ret urns it s response. Like t he first fram e, t he response fram e is a m anagem ent fram e of subt ype aut hent icat ion. Three inform at ion elem ent s are present : t he Aut hent icat ion Algorit hm I dent ificat ion field is set t o 0 t o indicat e opensyst em aut hent icat ion, t he Sequence Num ber is 2, and a St at us Code indicat es t he out com e of t he aut hent icat ion request . Values for t he St at us Code are shown in Table 4- 6.

Address Filtering (MAC "Authentication") Roam ing is not a word used in t he 802.11 st andard at all. ( A t ask group recent ly form ed t o address roam ing issues, but it is far from com plet ing it s work.) However, people use t he word roam ing inform ally a great deal when t alking about 802.11. Generally speaking, m ost people are referring t o t he process of m oving from one access point t o anot her. WEP is not required by 802.11, and a num ber of earlier product s im plem ent only opensyst em aut hent icat ion. To provide m ore securit y t han st raight open- syst em aut hent icat ion allows, m any product s offer an " aut horized MAC address list ." Net work adm inist rat ors can ent er a list of aut horized client addresses, and only client s wit h t hose addresses are allowed t o connect . While address filt ering is bet t er t han not hing, it leaves a great deal t o be desired. MAC addresses are generally soft ware- or firm ware- program m able and can easily be overridden by an at t acker wishing t o gain net work access. Dist ribut ion of list s of aut horized devices can be painful because it t ypically m ust be done for each device in t he net work. Furt herm ore, t here is a fair am ount of churn on t he list . New cards are purchased, old cards break down, em ployees leave t he organizat ion and t ake cards wit h t hem , and so on. Aut horized address filt ering m ay be part of a securit y solut ion, but it should not be t he linchpin. Rat her t han depend on MAC address, use 802.1X- based user aut hent icat ion if possible. Once net work adm inist rat ors have m ade t he effort t o aut hent icat e users,

aut hent icat ion will be as secure as st andards provide for, and address filt ering will only add com plexit y wit hout any subst ant ial addit ional securit y benefit .

The legacy of shared-key authentication Shared- key aut hent icat ion m akes use of WEP and t herefore can be used only on product s t hat im plem ent WEP, t hough non- WEP product s are now nearly im possible t o find. Shared- key aut hent icat ion, as it s nam e im plies, requires t hat a shared key be dist ribut ed t o st at ions before at t em pt ing aut hent icat ion. The fundam ent al t heoret ical underpinning of shared- key aut hent icat ion is t hat a challenge can be sent t o t he client , and a response proves possession of t he shared key. A shared- key aut hent icat ion exchange consist s of four m anagem ent fram es of subt ype aut hent icat ion, shown in Figure 8- 5 . The first fram e is nearly ident ical t o t he first fram e in t he open- syst em aut hent icat ion exchange. Like t he open- syst em fram e, it has inform at ion elem ent s t o ident ify t he aut hent icat ion algorit hm and t he sequence num ber; t he Aut hent icat ion Algorit hm I dent ificat ion is set t o 1 t o indicat e shared- key aut hent icat ion.

Figu r e 8 - 5 . Sh a r e d- k e y a u t h e n t ica t ion e x ch a n ge

I nst ead of blindly allowing adm ission t o t he net work, t he second fram e in a shared- key exchange serves as a challenge. Up t o four inform at ion elem ent s m ay be present in t he second fram e. Nat urally, t he Aut hent icat ion Algorit hm I dent ificat ion, Sequence Num ber, and St at us Code are present . The access point m ay deny an aut hent icat ion request in t he second fram e, ending t he t ransact ion. To proceed, however, t he St at us Code should be set t o 0 ( success) , as shown in Figure 8 - 5. When t he St at us Code is successful, t he fram e also includes a fourt h inform at ion elem ent , t he Challenge Text . The Challenge Text is com posed of 128 byt es generat ed using t he WEP keyst ream generat or wit h a random key and init ializat ion vect or. The t hird fram e is t he m obile st at ion's response t o t he challenge. To prove t hat it is allowed on t he net work, t he m obile st at ion const ruct s a m anagem ent fram e wit h t hree inform at ion elem ent s: t he Aut hent icat ion Algorit hm I dent ifier, a Sequence Num ber of 3, and t he Challenge Text . Before t ransm it t ing t he fram e, t he m obile st at ion processes t he fram e wit h WEP. The header ident ifying t he fram e as an aut hent icat ion fram e is preserved, but t he inform at ion elem ent s are hidden by WEP.

Aft er receiving t he t hird fram e, t he access point at t em pt s t o decrypt it and verify t he WEP int egrit y check. I f t he fram e decrypt s t o t he Challenge Text , and t he int egrit y check is verified, t he access point will respond wit h a st at us code of successful. Successful decrypt ion of t he challenge t ext proves t hat t he m obile st at ion has been configured wit h t he WEP key for t he net work and should be grant ed access. I f any problem s occur, t he access point ret urns an unsuccessful st at us code.

Defeating shared-key authentication Shared key aut hent icat ion is subj ect t o a t rivial at t ack. At t he heart of t he shared- key aut hent icat ion procedure is t he encrypt ion of t he challenge t ext . Upon receipt of t he random challenge, a st at ion in posession of t he WEP key is able t o generat e a keyst ream from t he WEP key, t hen perform an exclusive- OR operat ion bet ween t he keyst ream and t he dat a. However, t he exclusive- OR is a reversible operat ion t hat relat es t he challenge t ext , keyst ream , and t he response t ext . Wit h any t wo it em s, recovering t he t hird is a m at t er of reversing t he right operat ion. An at t acker can observe t he challenge t ext and response, and use t hat t o derive a keyst ream . Alt hough t his allows an at t acker t o aut hent icat e t o a net work by playing back t he recovered keyst ream on a new challenge, it does not allow an at t acker t o send arbit rary dat a wit hout recovering t he WEP key first . Figure 8- 6 illust rat es t he keyst ream recovery procedure.

Figu r e 8 - 6 . D e fe a t in g sh a r e d- k e y a u t h e n t ica t ion

Nevert heless, at t acks against shared key aut hent icat ion are effect ive enough t hat it is generally not recom m ended. 802.11i does not allow a st at ion t hat perform ed 802.11 aut hent icat ion via shared keys t o becom e associat ed t o a Robust Securit y Net work.

Preauthentication Preaut hent icat ion is used t o speed up associat ion t ransfer. Aut hent icat ion can oft en cause a lag bet ween t he t im e a st at ion decides t o m ove t o a new AP and t he t im e t hat t he fram es st art flowing t hrough t hat AP. Preaut hent icat ion at t em pt s t o reduce t he t im e by get t ing t he t im e- consum ing aut hent icat ion relat ionship est ablished before it is needed. Due t o t he overloading of t he t erm " aut hent icat ion" by bot h t he low- level 802.11 aut hent icat ion and t he 802.1X aut hent icat ion, t here are t wo different t ypes of preaut hent icat ion . As it is com m only used by net work engineers, t hough, it usually refers t o t he 802.1X aut hent icat ion.

802.11 Preauthentication St at ions m ust aut hent icat e wit h an access point before associat ing wit h it , but not hing in 802.11 requires t hat low- level aut hent icat ion t ake place im m ediat ely before associat ion. St at ions can 802.11- aut hent icat e wit h several access point s during t he scanning process so t hat when associat ion is required, t he st at ion is already aut hent icat ed. As a result of preaut hent icat ion, st at ions can reassociat e wit h access point s im m ediat ely upon m oving int o t heir coverage area, rat her t han having t o wait for t he aut hent icat ion exchange. I n bot h part s of Figure 8- 7 , t here is an ext ended service set com posed of t wo access point s. Only one m obile st at ion is shown for sim plicit y. Assum e t he m obile st at ion st art s off associat ed wit h AP1 at t he left side of t he diagram because it was powered on in AP1's coverage area. As t he m obile st at ion m oves t owards t he right , it m ust event ually associat e wit h AP2 as it leaves AP1's coverage area.

Figu r e 8 - 7 . Tim e sa vin gs of pr e a u t h e n t ica t ion

Preaut hent icat ion is not used in t he m ost lit eral int erpret at ion of 802.11, shown in Figure 8- 7 ( a) . As t he m obile st at ion m oves t o t he right , t he signal from AP1 weakens. The st at ion cont inues m onit oring Beacon fram es corresponding t o it s ESS, and will event ually not e t he exist ence of AP2. At som e point , t he st at ion m ay choose t o disassociat e from AP1, and t hen aut hent icat e and reassociat e wit h AP2. These st eps are ident ified in t he figure, in which t he num bers are t he t im e values from Table 81.

Ta ble 8 - 1 . Ch r on ology for Figu r e 8 - 7 St e p

Act ion w it h ou t pr e a u t h e n t ica t ion : Figu r e 8 - 7 ( a )

Act ion w it h pr e a u t h e n t ica t ion : Figu r e 8 - 7 ( b)

0

St at ion is associat ed wit h AP1

St at ion is associat ed wit h AP1

1

St at ion m oves right int o t he overlap bet ween BSS1 and BSS2

St at ion m oves right int o t he overlap bet ween BSS1 and BSS2 and det ect s t he presence of AP2

1.5

St at ion preaut hent icat es t o AP2

2

AP2's signal is st ronger, so st at ion decides t o m ove associat ion t o AP2

AP2's signal is st ronger, so st at ion decides t o m ove associat ion t o AP2

3

St at ion aut hent icat es t o AP2

St at ion begins using t he net work

4

St at ion reassociat es wit h AP2

5

St at ion begins using t he net work

Figure 8- 7 ( b) shows what happens when t he st at ion is capable of preaut hent icat ion. Wit h t his m inor soft ware m odificat ion, t he st at ion can aut hent icat e t o AP2 as soon as it is det ect ed. As t he st at ion is leaving AP1's coverage area, it is aut hent icat ed wit h bot h AP1 and AP2. The t im e savings becom e apparent when t he st at ion leaves t he coverage area of AP1: it can im m ediat ely reassociat e wit h AP2 because it is already aut hent icat ed. Preaut hent icat ion m akes roam ing a sm oot her operat ion because aut hent icat ion can t ake place before it is needed t o support an associat ion. All t he st eps in Figure 8- 7 ( b) are ident ified by t im e values from Table 8- 1.

802.11i Preauthentication and Key Caching When a net work is aut hent icat ed wit h 802.1X, t he m ost t im e- consum ing st ep in get t ing from t he 802.11 j oin t o t he abilit y t o send net work prot ocol packet s is t he 802.1X aut hent icat ion, especially if it uses an EAP m et hod wit h several fram e round- t rips. Preaut hent icat ion, shown in Figure 8- 8 , allows a st at ion t o est ablish a securit y cont ext wit h a new AP before associat ing t o it . I n essence, preaut hent icat ion decouples t he associat ion and securit y procedures, and allows t hem t o be perform ed independent ly. WPA explicit ly excluded preaut hent icat ion.

Figu r e 8 - 8 . 8 0 2 .1 1 i pr e a u t h e n t ica t ion

Figure 8- 8 shows t he following sequence of st eps.

1 . The st at ion associat es t o t he first access point it finds on t he net work. I t select s t his AP based on t he crit eria in it s firm ware. 2 . Once associat ed, t he st at ion can perform an 802.1X aut hent icat ion. This st ep uses EAPOL fram es as described in Chapt er 6, wit h an Et hert ype of ( hexadecim al) 88- 8E. EAPOL fram es are convert ed int o RADI US packet s by t he AP, and t he session is aut hent icat ed. 3 . Dynam ic keys for t he radio link are derived on bot h sides t hrough t he four- way handshake for pairwise keys and t he group key handshake for t he group keys. 4 . Wit h keys configured, t he st at ion is " on t he air" and can send and receive net work prot ocol packet s. St at ion soft ware is in cont rol of roam ing behavior, and can use t hat t o it s advant age. As t he st at ion m oves in such a way t hat AP2 appears t o be a bet t er choice, it can perform preaut hent icat ion t o speed up t he process of m oving over t o AP2. Rat her t han m ove everyt hing all at once, t hough, it perform s preaut hent icat ion t o cut down on t he int errupt ion bet ween sending net work packet s. 5 . Preaut hent icat ion com m ences wit h an EAPOL- St art m essage sent from t he st at ion t o t he new AP. A st at ion can only be associat ed wit h a single AP, so t he preaut hent icat ion fram es are channeled t hrough t he old AP. Preaut hent icat ion is a com plet e 802.1X exchange.

a . Preaut hent icat ion fram es use t he Et hert ype of ( hexadecim al) 88- C7 because m ost APs apply special processing t o t he regular aut hent icat ion Et hert ype. The source address of t he fram es is t he st at ion, t he receiver address is t he BSSI D of it s current AP ( in t his case, t he MAC address of AP1's wireless int erface) , and t he dest inat ion address is t he BSSI D of t he new AP ( in t his case, AP2's wireless int erface) . b. When received by AP1, t he fram es are sent over t he dist ribut ion syst em t o AP2. The AP only has a MAC address. I f t he t wo APs are not connect ed direct ly t o t he sam e Et hernet broadcast dom ain, t hey m ust have an alt ernat ive m et hod of shut t ling preaut hent icat ion fram es bet ween devices. c.

c. During t his ent ire st ep, t he st at ion rem ains associat ed t o AP1, and can send and receive net work packet s t hrough it s exist ing encrypt ed connect ion. Because t he st at ion is st ill on t he air, t here is no apparent aut hent icat ion occuring. d. The result of t he preaut hent icat ion is t hat a securit y cont ext wit h AP2 is est ablished. The st at ion and AP2 have derived a pairwise m ast er key, which can be furt her processed t o creat e keys bet ween t he st at ion and AP2. Bot h t he st at ion and t he AP st ore t he pairwise m ast er key in a key cache. 6 . When t he st at ion pulls t he t rigger, t he associat ion is m oved t o AP2. As part of t he init ial associat ion, t he st at ion includes a copy of it s key cache t o t ell AP2 t hat it was already aut hent icat ed. 7 . AP2 receives t he aut hent icat ion request and searches it s key cache. Finding an ent ry, it st art s t he fourway pairwise key handshake im m ediat ely. By proceeding t o key derivat ion, t he st at ion is unable t o send and receive packet s for only a short t im e. 802.11 preaut hent icat ion m oves t he t im e- consum ing 802.1X EAP m et hod t o occur in parallel wit h sending and receiving net work fram es on an aut hent icat ed connect ion. The first associat ion will be slow because t he full EAP exchange is required. On subsequent associat ions, however, preaut hent icat ion can dram at ically reduce handoff t im es.

Association Once aut hent icat ion has com plet ed, st at ions can associat e wit h an access point ( or reassociat e wit h a new access point ) t o gain full access t o t he net work. Associat ion is a recordkeeping procedure t hat allows t he dist ribut ion syst em t o t rack t he locat ion of each m obile st at ion, so fram es dest ined for t he m obile st at ion can be forwarded t o t he correct access point . Aft er associat ion com plet es, an access point m ust regist er t he m obile st at ion on t he net work so fram es for t he m obile st at ion are delivered t o t he access point . One m et hod of regist ering is t o send a grat uit ous ARP so t he st at ion's MAC address is associat ed wit h t he swit ch port connect ed t o t he access point . Associat ion is rest rict ed t o infrast ruct ure net works and is logically equivalent t o plugging int o a wired net work. Once t he procedure is com plet e, a wireless st at ion can use t he dist ribut ion syst em t o reach out t o t he world, and t he world can respond t hrough t he dist ribut ion syst em . 802.11 explicit ly forbids associat ing wit h m ore t han one access point .

Association Procedure The basic associat ion procedure is shown in Figure 8- 9 .

Figu r e 8 - 9 . Associa t ion pr oce du r e

Like aut hent icat ion, associat ion is init iat ed by t he m obile st at ion. No sequence num bers are needed because t he associat ion process is a t hree- st ep exchange. The t wo fram es are m anagem ent fram e subt ypes defined by t he specificat ion. As unicast m anagem ent fram es, bot h st eps in t he associat ion procedure are com posed of an associat ion fram e and t he required link- layer acknowledgm ent :

1 . Once a m obile st at ion has aut hent icat ed t o an access point , it can issue an Associat ion Request fram e. St at ions t hat have not yet aut hent icat ed receive a Deaut hent icat ion fram e from t he access point in response. 2 . The access point t hen processes t he associat ion request . 802.11 does not specify how t o det erm ine whet her an associat ion should be grant ed; it is specific t o t he access point im plem ent at ion. One com m on considerat ion is t he am ount of space required for fram e buffering. Rough est im at es are possible based on t he List en I nt erval in t he Associat ion Request fram e.

a . When t he associat ion request is grant ed, t he access point responds wit h a st at us code of 0 ( successful) and t he Associat ion I D ( AI D) . The AI D is a num erical ident ifier used t o logically ident ify t he m obile st at ion t o which buffered fram es need t o be delivered. More det ail on t he process can be found in t he " Power Conservat ion" sect ion of t his chapt er. b. Unsuccessful associat ion request s include only a st at us code, and t he procedure ends. 3 . The access point begins processing fram es for t he m obile st at ion. I n all com m only used product s, t he dist ribut ion syst em m edium is Et hernet . When an access point receives a fram e dest ined for an associat ed m obile st at ion, t hat fram e can be bridged from t he Et hernet t o t he wireless m edium or buffered if t he m obile st at ion is in a powersaving st at e. I n shared Et hernet s, t he fram e will be sent t o all t he access point s and will be bridged by t he correct one. I n swit ched Et hernet s, t he st at ion's MAC address will be associat ed wit h a part icular swit ch port . That swit ch port is, of course, connect ed t o t he access point current ly providing service for t he st at ion.

Reassociation Procedure Reassociat ion is t he process of m oving an associat ion from an old access point t o a new one. Over t he air, it is alm ost t he sam e as an associat ion; on t he backbone net work, however, access point s m ay int eract wit h each ot her t o m ove fram es. When a st at ion m oves from t he coverage area of one access point t o anot her, it uses t he reassociat ion process t o inform t he 802.11 net work of it s new locat ion. The procedure is shown in Figure 8- 10.

Figu r e 8 - 1 0 . Re a ssocia t ion pr oce du r e

The m obile st at ion begins t he procedure associat ed wit h an access point . The st at ion m onit ors t he qualit y of t he signal it receives from t hat access point , as well as t he signal qualit y from ot her access point s in t he sam e ESS. When t he m obile st at ion det ect s t hat anot her access point would be a bet t er choice, it init iat es t he reassociat ion procedure. The fact ors used t o m ake t hat decision are product dependent . Received signal st rengt h can be used on a fram e- by- fram e basis, and t he const ant Beacon t ransm issions provide a good baseline for signal st rengt h from an access point . Before t he first st ep, t he m obile st at ion m ust aut hent icat e t o t he new access point if it has not done so already.

Figure 8- 10 depict s t he following st eps:

1 . The m obile st at ion issues a Reassociat ion Request t o t he new access point . Reassociat ion Request s have cont ent sim ilar t o Associat ion Request s. The only difference is t hat Reassociat ion Request fram es cont ain a field wit h t he address of t he old access point . The new access point m ust com m unicat e wit h t he old access point t o det erm ine t hat a previous associat ion did exist . Alt hough a st andard int er- access point prot ocol was defined by t he I EEE, m any im plem ent at ions rem ain propriet ary. I f t he new access point cannot verify t hat t he old access point aut hent icat ed t he st at ion, t he new access point responds wit h a Deaut hent icat ion fram e and ends t he pr ocedur e. 2 . The access point processes t he Reassociat ion Request . Processing Reassociat ion Request s is sim ilar t o processing Associat ion Request s; t he sam e fact ors m ay be used in deciding whet her t o allow t he reassociat ion:

a . I f t he Reassociat ion Request is grant ed, t he access point responds wit h a St at us Code of 0 ( successful) and t he AI D. b. Unsuccessful Reassociat ion Request s include j ust a St at us Code, and t he procedure ends. 3 . The new access point cont act s t he old access point t o finish t he reassociat ion procedure. This com m unicat ion is part of t he I APP. 4 . The old access point sends any buffered fram es for t he m obile st at ion t o t he new access point . 802.11 does not specify t he com m unicat ion bet ween access point s. At t he conclusion of t he buffered fram e t ransfer:

a . Any fram es buffered at t he old access point are t ransferred t o t he new access point so t hey can be delivered t o t he m obile st at ion. b. The old access point t erm inat es it s associat ion wit h t he m obile st at ion. Mobile st at ions are allowed t o associat e wit h only one access point at any given t im e. 5 . The new access point begins processing fram es for t he m obile st at ion. When it receives a fram e dest ined for t he m obile st at ion, t hat fram e is bridged from t he Et hernet t o t he wireless m edium or buffered for a m obile st at ion in a powersaving m ode. Reassociat ion is also used t o rej oin a net work if t he st at ion leaves t he coverage area and ret urns lat er t o t he sam e access point . Figure 8- 11 illust rat es t his scenario.

Figu r e 8 - 1 1 . Re a ssocia t ion w it h t h e sa m e a cce ss poin t

What Is Roaming? Roam ing is not a word used in t he 802.11 st andard at all. ( A t ask group recent ly form ed t o address roam ing issues, but it is far from com plet ing it s work.) However, people use t he word roam ing inform ally a great deal when t alking about 802.11. Generally speaking, m ost people are referring t o t he process of m oving from one access point t o anot her. Roam ing has suffered a bit from " buzzword overload" in t he past few years, and now m eans different t hings t o different speakers. At t he m ost basic level, roam ing is t he process of m oving a st at ion bet ween APs. How does a st at ion decide t o m ove bet ween APs? The 802.11 st andard has not hing t o say on t he m at t er. Decisions t o m ove bet ween APs are based ent irely on t he hardware and soft ware, and up t o each m anufact urer. Som e client devices will pick up on t he st rongest signal available when t he int erface is init ialized, and hang on for dear life, only m oving when t he init ial AP is no longer reachable. Som e devices will always head for t he st rongest available signal, which m ay result in flip- flops bet ween APs when t wo signals are evenly balanced. St ill ot her devices will incorporat e recent hist ory int o roam ing decisions t o avoid excessive m ovem ent s bet ween t wo nearby APs. How st at ions decide if and when t o m ove bet ween APs is ent irely up t o t he m anufact urer. Wit h apologies t o Milt on Friedm an, roam ing is always and everywhere a client phenom enon. Digging deeper int o a second level of m eaning, " roam ing" is also used t o discuss how a st at ion can change APs while keeping act ive net work connect ions open. I f I P subnet boundaries are involved, t his is an added level of com plexit y t hat needs t o be addressed out side any st andards. Chapt er 21 discusses how t o build a wireless LAN, and discusses how t o achieve seam less roam ing across arbit rary net work t opologies. Roam ing is som et im es given yet anot her m eaning, referring t o t he process of m oving a net work session from one net work ( say, an 802.11 wireless LAN) t o anot her disparat e net work ( say, a 3G m obile t elephone net work) . The I EEE has st art ed anot her working group t o define roam ing operat ions t o m ove net work sessions and st at e bet ween different t ypes of I EEE 802 net works.

Power Conservation The m aj or advant age of wireless net works is t hat net work access does not require nodes t o be in any part icular locat ion. To t ake full advant age of m obilit y, not hing can const rain t he locat ion of a node, including t he availabilit y of elect rical power. Mobilit y t herefore im plies t hat m ost m obile devices can run on bat t eries. But bat t ery power is a scarce resource; bat t eries can run only so long before t hey need t o be recharged. Requiring m obile users t o ret urn frequent ly t o com m ercial power is inconvenient , t o say t he least . Many wireless applicat ions require long bat t ery life wit hout sacrificing net work connect ivit y. As wit h any ot her net work int erface, powering down t he t ransceiver can lead t o great power savings in wireless net works. When t he t ransceiver is off, it is said t o be sleeping, dozing, or in powersaving m ode ( PS) . When t he t ransceiver is on, it is said t o be awake, act ive, or sim ply on. Power conservat ion in 802.11 is achieved by m inim izing t he t im e spent in t he lat t er st age and m axim izing t he t im e in t he form er. 802.11 accom plishes t his wit hout sacrificing connect ivit y.

Power Management in Infrastructure Networks Power m anagem ent can achieve t he great est savings in infrast ruct ure net works. All t raffic for m obile st at ions m ust go t hrough access point s, so t hey are an ideal locat ion t o buffer t raffic. Most t raffic can be buffered. The st andard forbids buffering fram es t hat require in- order delivery and have Order bit set because buffer im plem ent at ions could possibly re- order fram es. There is no need t o work on a dist ribut ed buffer syst em t hat m ust be im plem ent ed on every st at ion; t he bulk of t he work is left t o t he access point . By definit ion, access point s are aware of t he locat ion of m obile st at ions, and a m obile st at ion can com m unicat e it s power m anagem ent st at e t o it s access point . Furt herm ore, access point s m ust rem ain act ive at all t im es; it is assum ed t hat t hey have access t o cont inuous power. Com bining t hese t wo fact s allows access point s t o play a key role in power m anagem ent on infrast ruct ure net works. Access point s have t wo power m anagem ent - relat ed t asks. First , because an access point knows t he power m anagem ent st at e of every st at ion t hat has associat ed wit h it , it can det erm ine whet her a fram e should be delivered t o t he wireless net work because t he st at ion is act ive or buffered because t he st at ion is asleep. But buffering fram es alone does not enable m obile st at ions t o pick up t he dat a wait ing for t hem . An access point 's second t ask is t o announce periodically which st at ions have fram es wait ing for t hem . The periodic announcem ent of buffer st at us also helps t o cont ribut e t o t he power savings in infrast ruct ure net works. Powering up a receiver t o list en t o t he buffer st at us requires far less power t han periodically t ransm it t ing polling fram es. St at ions only need t o power up t he t ransm it t er t o t ransm it polling fram es aft er being inform ed t hat t here is a reason t o expend t he energy. Power m anagem ent is designed around t he needs of t he bat t ery- powered m obile st at ions. Mobile st at ions can sleep for ext ended periods t o avoid using t he wireless net work int erface. Part of t he associat ion request is t he List en I nt erval param et er, t he num ber of Beacon periods for which t he m obile st at ion m ay choose t o sleep. Longer list en int ervals require m ore buffer space on t he access point ; t herefore, t he List en I nt erval is one of t he key param et ers used in est im at ing t he resources required t o support an associat ion. The List en I nt erval is a cont ract wit h t he access point . I n agreeing t o buffer any fram es while t he m obile st at ion is sleeping, t he access point agrees t o wait for at least t he list en int erval before discarding fram es. I f a m obile st at ion fails t o check for wait ing fram es aft er each list en int erval, t hey m ay be discarded wit hout not ificat ion.

Unicast frame buffering and delivery using the Traffic Indication Map (TIM) When fram es are buffered, t he dest inat ion node's Associat ion I D ( AI D) provides t he logical link bet ween t he fram e and it s dest inat ion. Each AI D is logically connect ed t o fram es buffered for t he m obile st at ion t hat is assigned t hat AI D. Mult icast and broadcast fram es are buffered and linked t o an AI D of zero. Delivery of buffered m ult icast and broadcast fram es is t reat ed in t he next sect ion. Buffering is only half t he bat t le. I f st at ions never pick up t heir buffered fram es, saving t he fram es is a rat her point less exercise. To inform st at ions t hat fram es are buffered, access point s periodically assem ble a t raffic indicat ion m ap ( TI M) and t ransm it it in Beacon fram es. The TI M is a virt ual bit m ap com posed of 2,008 bit s; offset s are used so t hat t he access point needs t o t ransm it only a sm all port ion of t he virt ual bit m ap. This conserves net work capacit y when only a few st at ions have buffered dat a. Each bit in t he TI M corresponds t o a part icular AI D; set t ing t he bit indicat es t hat t he access point has buffered unicast fram es for t he st at ion wit h t he AI D corresponding t o t he bit posit ion. Mobile st at ions m ust wake up and ent er t he act ive m ode t o list en for Beacon fram es t o receive t he TI M. By exam ining t he TI M, a st at ion can det erm ine if t he access point has buffered t raffic on it s behalf. To ret rieve buffered fram es, m obile st at ions use PS- Poll Cont rol fram es. When m ult iple st at ions have buffered fram es, all st at ions wit h buffered dat a m ust use t he random backoff algorit hm before t ransm it t ing t he PS- Poll. Each PS- Poll fram e is used t o ret rieve one buffered fram e. That fram e m ust be posit ively acknowledged before it is rem oved from t he buffer. Posit ive acknowledgm ent is required t o keep a second, ret ried PS- Poll from act ing as an im plicit acknowledgm ent . Figure 8- 12 illust rat es t he pr ocess. I f m ult iple fram es are buffered for a m obile st at ion, t hen t he More Dat a bit in t he Fram e Cont rol field is set t o 1. Mobile st at ions can t hen issue addit ional PS- Poll request s t o t he access point unt il t he More Dat a bit is set t o 0, t hough no t im e const raint is im posed by t he st andard.

Figu r e 8 - 1 2 . PS- Poll fr a m e r e t r ie va l

Aft er t ransm it t ing t he PS- Poll, a m obile st at ion m ust rem ain awake unt il eit her t he polling t ransact ion has concluded or t he bit corresponding t o it s AI D is no longer set in t he TI M. The reason for t he first case is obvious: t he m obile st at ion has successfully polled t he access point ; part of t hat t ransact ion was a not ificat ion t hat t he m obile st at ion will be ret urning t o a sleeping m ode. The second case allows t he m obile st at ion t o ret urn t o a power conservat ion m ode if t he access point discards t he buffered fram e. Once all t he t raffic buffered for a st at ion is delivered or discarded, t he st at ion can resum e sleeping. The buffering and delivery process is illust rat ed in Figure 8- 13, which shows t he m edium as it appears t o an access point and t wo associat ed powersaving st at ions. The hash m arks on t he t im eline represent t he beacon int erval. Every beacon int erval, t he access point t ransm it s a Beacon fram e wit h a TI M inform at ion elem ent . ( This figure is som ewhat sim plified. A special kind of TI M is used t o deliver m ult icast t raffic; it will be described in t he next sect ion.) St at ion 1 has a list en int erval of 2, so it m ust wake up t o receive every ot her TI M, while st at ion 2 has a list en int erval of 3, so it wakes up t o process every t hird TI M. The lines above t he st at ion base lines indicat e t he ram p- up process of t he receiver t o list en for t he TI M. At t he first beacon int erval, t here are fram es buffered for st at ion 1. No fram es are buffered for st at ion 2, t hough, so it can im m ediat ely ret urn t o sleep. At t he second beacon int erval, t he TI M indicat es t hat t here are buffered fram es for st at ions 1 and 2, alt hough only st at ion 1 woke up t o list en t o t he TI M. St at ion 1 issues a PS- Poll and receives t he fram e in response. At t he conclusion of t he exchange, st at ion 1 ret urns t o sleep. Bot h st at ions are asleep during t he t hird beacon. At t he fourt h beacon, bot h wake up t o list en t o t he TI M, which indicat es t hat t here are fram es buffered for bot h.

Figu r e 8 - 1 3 . Bu ffe r e d fr a m e r e t r ie va l pr oce ss

Bot h st at ion 1 and st at ion 2 prepare t o t ransm it PS- Poll fram es aft er t he expirat ion of a cont ent ion window count down, as described in Chapt er 3. St at ion 1 wins because it s random delay was short er. St at ion 1 issues a PS- Poll and receives it s buffered fram e in response. During t he t ransm ission, st at ion 2 defers. I f, at t he end of t hat fram e t ransm ission, a t hird st at ion, which is not illust rat ed, seizes t he m edium for t ransm ission, st at ion 2 m ust cont inue t o st ay awake unt il t he next TI M. I f t he access point has run out of buffer space and has discarded t he buffered fram e for st at ion 2, t he TI M at t he fift h beacon indicat es t hat no fram es are buffered, and st at ion 2 can finally ret urn t o a lowpower m ode. St at ions m ay swit ch from a power conservat ion m ode t o act ive m ode at any t im e. I t is com m on for lapt op com put ers t o operat e wit h full power t o all peripherals when connect ed t o AC power and conserve power only when using t he bat t ery. I f a m obile st at ion swit ches t o t he act ive m ode from a sleeping m ode, fram es can be t ransm it t ed wit hout wait ing for a PS- Poll. PS- Poll fram es indicat e t hat a powersaving m obile st at ion has t em porarily swit ched t o an act ive m ode and is ready t o receive a buffered fram e. By definit ion, act ive st at ions have t ransceivers operat ing cont inuously. Aft er a swit ch t o act ive m ode, t he access point can assum e t hat t he receiver is operat ional, even wit hout receiving explicit not ificat ion t o t hat effect . Access point s m ust ret ain fram es long enough for m obile st at ions t o pick t hem up, but buffer m em ory is a finit e resource. 802.11 m andat es t hat access point s use an aging funct ion t o det erm ine when buffered fram es are old enough t o be discarded. The st andard leaves a great deal t o t he discret ion of t he developer because it specifies only one const raint . Mobile st at ions depend on access point s t o buffer t raffic for at least t he list en int erval specified wit h t he associat ion, and t he st andard forbids t he aging funct ion from discarding fram es before t he list en int erval has elapsed. Beyond t hat , however, t here is a great deal of lat it ude for vendors t o develop different buffer m anagem ent rout ines.

Delivering multicast and broadcast frames: the Delivery TIM (DTIM) Fram es wit h a group address cannot be delivered using a polling algorit hm because t hey are, by definit ion, addressed t o a group. Therefore, 802.11 incorporat es a m echanism for buffering and delivering broadcast and m ult icast fram es. Buffering is ident ical t o t he unicast case, except t hat fram es are buffered whenever any st at ion associat ed wit h t he access point is sleeping. Buffered broadcast and m ult icast fram es are saved using AI D 0. Access point s indicat e whet her any broadcast or m ult icast fram es are buffered by set t ing t he first bit in t he TI M; t his bit corresponds t o AI D 0. Each BSS has a param et er called t he DTI M Period. TI Ms are t ransm it t ed wit h every Beacon. At a

fixed num ber of Beacon int ervals, a special t ype of TI M, a Delivery Traffic I ndicat ion Map ( DTI M) , is sent . The TI M elem ent in Beacon fram es cont ains a count er t hat count s down t o t he next DTI M; t his count er is zero in a DTI M fram e. Buffered broadcast and m ult icast t raffic is t ransm it t ed aft er a DTI M Beacon. Mult iple buffered fram es are t ransm it t ed in sequence; t he More Dat a bit in t he Fram e Cont rol field indicat es t hat m ore fram es m ust be t ransm it t ed. Norm al channel acquisit ion rules apply t o t he t ransm ission of buffered fram es. The access point m ay choose t o defer t he processing of incom ing PS- Poll fram es unt il t he fram es in t he broadcast and m ult icast t ransm ission buffers have been t ransm it t ed. Figure 8- 14 shows an access point and one associat ed st at ion. The DTI M int erval of t he access point is set t o 3, so every t hird TI M is a DTI M. St at ion 1 is operat ing in a sleep m ode wit h a list en int erval of 3. I t will wake up on every t hird beacon t o receive buffered broadcast and m ult icast fram es. Aft er a DTI M fram e is t ransm it t ed, t he buffered broadcast and m ult icast fram es are t ransm it t ed, followed by any PS- Poll exchanges wit h associat ed st at ions. At t he second beacon int erval, only broadcast and m ult icast fram es are present in t he buffer, and t hey are t ransm it t ed t o t he BSS. At t he fift h beacon int erval, a fram e has also been buffered for st at ion 1. I t can m onit or t he m ap in t he DTI M and send a PS- Poll aft er t he t ransm ission of buffered broadcast and m ult icast fram es has concluded.

Figu r e 8 - 1 4 . M u lt ica st a n d br oa dca st bu ffe r t r a n sm ission a ft e r D TI M s

To receive broadcast and m ult icast fram es, a m obile st at ion m ust be awake for DTI M t ransm issions. Not hing in t he specificat ion, however, keeps powersaving st at ions in infrast ruct ure net works from waking up t o list en t o DTI M fram es. Som e product s t hat im plem ent powersaving m odes will at t em pt t o align t heir awakenings wit h DTI M t ransm issions. I f t he syst em adm inist rat or det erm ines t hat bat t ery life is m ore im port ant t han receiving broadcast and m ult icast fram es, a st at ion can be configured t o sleep for it s list en period wit hout regard t o DTI M t ransm issions. Som e docum ent at ion m ay refer t o t his as ext rem ely low power , ult ra powersaving m ode, deep sleep, or som et hing sim ilar. Several product s allow configurat ion of t he DTI M int erval. Lengt hening t he DTI M int erval allows m obile st at ions t o sleep for longer periods and m axim izes bat t ery life at t he expense of t im ely delivery. Short er DTI M int ervals em phasize quick delivery at t he expense of m ore frequent power- up and power- down cycles. You can use a longer DTI M when bat t ery life is at a prem ium and delivery of broadcast and m ult icast fram es is not im port ant . Whet her t his is appropriat e depends on t he applicat ions you are using and how t hey react t o long link- layer delays.

IBSS Power Management Power m anagem ent in an I BSS is not as efficient as power m anagem ent in an infrast ruct ure net work. I n an I BSS, far m ore of t he burden is placed on t he sender t o ensure t hat t he receiver is act ive.

Receivers m ust also be m ore available and cannot sleep for t he sam e lengt hs of t im e as in infrast ruct ure net works. As in infrast ruct ure net works, power m anagem ent in independent net works is based on t raffic indicat ion m essages. I ndependent net works m ust use a dist ribut ed syst em because t here is no logical cent ral coordinat or. St at ions in an independent net work use announcem ent t raffic indicat ion m essages ( ATI Ms) , which are som et im es called ad hoc t raffic indicat ion m essages, t o preem pt ot her st at ions from sleeping. All st at ions in an I BSS list en for ATI M fram es during specified periods aft er Beacon t ransm issions. I f a st at ion has buffered dat a for anot her st at ion, it can send an ATI M fram e as not ificat ion. I n effect , t he ATI M fram e is a m essage t o keep t he t ransceiver on because t here is pending dat a. St at ions t hat do not receive ATI M fram es are free t o conserve power. I n Figure 8- 15 ( a) , st at ion A has buffered a fram e for st at ion C, so it sends a unicast ATI M fram e t o st at ion C during t he ATI M t ransm ission window, which has t he effect of not ifying st at ion C t hat it should not ent er powersaving m ode. St at ion B, however, is free t o power down it s wireless int erface. Figure 8- 15 ( b) shows a m ult icast ATI M fram e in use. This fram e can be used t o not ify an ent ire group of st at ions t o avoid ent ering lowpower m odes.

Figu r e 8 - 1 5 . ATI M u sa ge

A t im e window called t he ATI M window follows t he Beacon t ransm ission. This window is t he period during which nodes m ust rem ain act ive. No st at ions are perm it t ed t o power down t heir wireless int erfaces during t he ATI M window. I t st art s at t he t im e when t he beacon is expect ed and ends aft er a period specified when t he I BSS is creat ed. I f t he beacon is delayed due t o a t raffic overrun, t he usable port ion of t he ATI M window shrinks by t he sam e am ount . The ATI M window is t he only I BSS- specific param et er required t o creat e an I BSS. Set t ing it t o 0 avoids using any power m anagem ent . Figure 8- 16 illust rat es t he ATI M window and it s relat ion t o t he beacon int erval. I n t he figure, t he fourt h beacon is delayed due t o a busy m edium . The ATI M window rem ains const ant , st art ing at t he t arget beacon int erval and ext ending t he lengt h of t he ATI M window. The usable period of t he ATI M window shrinks by t he lengt h of t he delay in beacon t ransm ission.

Figu r e 8 - 1 6 . ATI M w in dow

To m onit or t he ent ire ATI M window, st at ions m ust wake up before t he t arget beacon t ransm ission. Four sit uat ions are possible: t he st at ion has t ransm it t ed an ATI M, received an ATI M, neit her t ransm it t ed nor received, or bot h t ransm it t ed and received. St at ions t hat t ransm it ATI M fram es m ust not sleep. Transm it t ing an ATI M indicat es an int ent t o t ransm it buffered t raffic and t hus an int ent t o st ay act ive. St at ions t o which ATI M fram es are addressed m ust also avoid sleeping so t hey can receive any fram es t ransm it t ed by t he ATI M's sender. I f a st at ion bot h t ransm it s and receives ATI M fram es, it st ays up. A st at ion is perm it t ed t o sleep only if it neit her t ransm it s nor receives an ATI M. When a st at ion st ays up due t o ATI M t raffic, it rem ains act ive unt il t he conclusion of t he next ATI M window, as shown in Figure 8- 17. I n t he figure, t he st at ion goes act ive for t he first ATI M window. I f it does not send or receive any ATI M fram es, it sleeps at t he end of t he ATI M window. I f it sends or receives an ATI M fram e, as in t he second ATI M window, t he st at ion st ays act ive unt il t he conclusion of t he t hird ATI M window.

Figu r e 8 - 1 7 . ATI M e ffe ct s on pow e r sa vin g m ode s

Only cert ain cont rol and m anagem ent fram es can be t ransm it t ed during t he ATI M window: Beacons, RTS, CTS, ACK, and, of course, ATI M fram es. Transm ission t akes place according t o t he rules of t he DCF. ATI M fram es m ay be t ransm it t ed only during t he ATI M window because st at ions m ay be sleeping out side t he ATI M window. Sending an ATI M fram e is useless if ot her st at ions in t he I BSS are sleeping. I n t he sam e vein, acknowledgm ent s are required for unicast ATI M fram es because t hat is t he only guarant ee t hat t he ATI M was received and t hat t he fram e dest inat ion will be act ive for t he rem ainder of t he beacon int erval. Acknowledgm ent s are not required for m ult icast ATI M fram es because m ult icast fram es cannot be efficient ly acknowledged by a large group of st at ions. I f all pot ent ial recipient s of an ATI M fram e were required t o acknowledge it , t he m ass of acknowledgm ent s could pot ent ially int errupt net work service. Buffered broadcast and m ult icast fram es are t ransm it t ed aft er t he conclusion of t he ATI M window, subj ect t o DCF const raint s. Following t he t ransm ission of broadcast and m ult icast fram es, a st at ion m ay at t em pt t o t ransm it unicast fram es t hat were announced wit h an ATI M and for which an acknowledgm ent was received. Following all t ransm issions announced wit h an ATI M, st at ions m ay t ransm it unbuffered fram es t o ot her st at ions t hat are known t o be act ive. St at ions are act ive if t hey have t ransm it t ed t he Beacon, an ATI M, or are not capable of sleeping. I f cont ent ion is severe enough t o prevent a st at ion from sending t he buffered fram e it announced wit h an ATI M, t he st at ion m ust reannounce t he t ransm ission wit h an ATI M at t he st art of t he next ATI M window.

Figure 8- 18 illust rat es several of t hese rules. I n t he first beacon int erval, t he first st at ion t ransm it s a m ult icast ATI M t o st at ions 2, 3, and 4. Mult icast ATI M fram es need not be acknowledged, but t he t ransm ission of t he ATI M m eans t hat all st at ions m ust rem ain act ive for t he durat ion of t he first beacon window t o receive m ult icast fram es from st at ion 1. When t he ATI M window ends, st at ion 1 can t ransm it it s m ult icast fram e t o t he ot her t hree st at ions. Aft er doing so, st at ion 4 can t ake advant age of t he rem aining t im e before t he beacon t o t ransm it a fram e t o st at ion 1. I t was not cleared wit h an ATI M, but it is known t o be act ive.

Figu r e 8 - 1 8 . Effe ct of ATI M on pow e r sa vin g m ode s in a n I BSS n e t w or k

I n t he second beacon int erval, st at ions 2 and 3 have bot h buffered a fram e for st at ion 4, so each t ransm it s an ATI M. St at ion 4 acknowledges bot h. At t he conclusion of t he ATI M window, st at ion 1 has neit her t ransm it t ed nor received an ATI M and can ent er a low- power st at e unt il t he next beacon int erval. However, st at ion 2's fram e is ext rem ely long and robs st at ion 3 of t he opport unit y t o t ransm it it s fram e. St at ion 3 st ill has a buffered fram e for st at ion 4 when t he t hird beacon int erval opens. I t t herefore ret ransm it s it s ATI M fram e t o st at ion 4, which is acknowledged. St at ion 2 is not involved in any ATI M exchanges and can ent er a low- power st at e when t he ATI M window ends. At t hat t im e, no broadcast or m ult icast fram es have been buffered, and t he ATI M- cleared fram e from st at ion 3 t o st at ion 4 can be t ransm it t ed. Aft er t he fram e from 3 t o 4 is t ransm it t ed, st at ion 4 can again t ake advant age of t he rem aining t im e before t he beacon fram e t o t ransm it a fram e of it s own t o st at ion 3, which is known t o be act ive because of t he ATI M exchange. St at ions are responsible for m aint aining sufficient m em ory t o buffer fram es, but t he buffer size m ust be t raded off against t he use of t hat m em ory for ot her purposes. The st andard allows a st at ion in an independent net work t o discard fram es t hat have been buffered for an " excessive" am ount of t im e, but t he algorit hm used t o m ake t hat det erm inat ion is beyond t he scope of t he st andard. The only requirem ent placed on any buffer m anagem ent funct ion is t hat it ret ain fram es for at least one beacon period.

Timer Synchronization Like ot her wireless net work t echnologies, 802.11 depends a great deal on t he dist ribut ion of t im ing inform at ion t o all t he nodes. I t is especially im port ant in frequency- hopping net works because all st at ions on t he net work m ust change frequency channels in a coordinat ed pat t ern. Tim ing inform at ion is also used by t he m edium reservat ion m echanism s. I n addit ion t o local st at ion t im ing, each st at ion in a basic service area m aint ains a copy of t he t im ing synchronizat ion funct ion ( TSF) , which is a local t im er synchronized wit h t he TSF of every ot her st at ion in t he basic service area. The TSF is based on a 1- MHz clock and " t icks" in m icroseconds. Beacon fram es are used t o periodically announce t he value of t he TSF t o ot her st at ions in t he net work. The " now" in a t im est am p is when t he first bit of t he t im est am p hit s t he PHY for t ransm ission.

Infrastructure Timing Synchronization The ease of power m anagem ent in an infrast ruct ure net work is based on t he use of access point s as cent ral coordinat ors for dat a dist ribut ion and power m anagem ent funct ions. Tim ing in infrast ruct ure net works is quit e sim ilar. Access point s are responsible for m aint aining t he TSF t im e, and any st at ions associat ed wit h an access point m ust sim ply accept t he access point 's TSF as valid. When access point s prepare t o t ransm it a Beacon fram e, t he access point t im er is copied int o t he Beacon's t im est am p field. St at ions associat ed wit h an access point accept t he t im ing value in any received Beacons, but t hey m ay add a sm all offset t o t he received t im ing value t o account for local processing by t he ant enna and t ransceiver. Associat ed st at ions m aint ain local TSF t im ers so t hey can m iss a Beacon fram e and st ill rem ain roughly synchronized wit h t he global TSF. The wireless m edium is expect ed t o be noisy, and Beacon fram es are unacknowledged. Therefore, m issing a Beacon here and t here is t o be expect ed, and t he local TSF t im er m it igat es against t he occasional loss of Beacon fram es. To assist act ive scanning st at ions in m at ching param et ers wit h t he BSS, t im ing values are also dist ribut ed in Probe Response fram es. When a st at ion finds a net work by scanning, it saves t he t im est am p from t he Beacon or Probe Response and t he value of t he local t im er when it was received. To m at ch t he local t im er t o t he net work t im er, a st at ion t hen t akes t he t im est am p in t he received net work advert isem ent and adds t he num ber of m icroseconds since it was received. Figure 8- 19 illust rat es t his process.

Figu r e 8 - 1 9 . M a t ch in g t h e loca l t im e r t o a n e t w or k t im e r

IBSS Timing Synchronization I BSSs lack a cent ral coordinat ion point , so t he Beacon process is dist ribut ed. TSF m aint enance is a subset of t he Beacon generat ion process. Tim e is divided int o segm ent s equivalent t o t he int erbeacon t im ing period. Beacon fram es are supposed t o be t ransm it t ed exact ly as t he beacon int erval ends, at t he so- called t arget Beacon t ransm ission t im e ( TBTT) . I ndependent net works t ake t he TBTT as a guideline. All st at ions in t he I BSS prepare t o t ransm it a Beacon fram e at t he t arget t im e. As it approaches, all ot her t raffic is suspended. Tim ers for t he t ransm ission of fram es ot her t han Beacon fram es or ATI M fram es are st opped and held t o clear t he m edium for t he im port ant m anagem ent t raffic. All st at ions in t he I BSS generat e a backoff t im er for Beacon t ransm ission; t he backoff t im er is a random delay bet ween zero and t wice t he m inim um cont ent ion window for t he m edium . Aft er t he t arget beacon int erval, all st at ions begin t o count t he Beacon backoff t im er down t o zero. I f a Beacon is received before t he st at ion's t ransm ission t im e, t he pending Beacon t ransm ission is canceled. I n Figure 8- 20, each st at ion select s a random delay; st at ion 2 has random ly generat ed t he short est delay. When st at ion 2's t im er expires, it t ransm it s a Beacon, which is received by st at ions 1 and 3. Bot h st at ions 1 and 3 cancel t heir Beacon t ransm issions as a result . Because t im er synchronizat ion ensures t hat all st at ions have synchronized t im ers, m ult iple Beacon fram es do not pose a problem . Receivers sim ply process m ult iple Beacon fram es and perform m ult iple updat es t o t he TSF t im er. Beacon generat ion int eract s closely wit h power m anagem ent . Beacon fram es m ust be generat ed during t he act ive period around each Beacon int erval so t hat all st at ions are available t o process t he Beacon. Furt herm ore, t he Beacon sender is not allowed t o ent er a low- power st at e unt il t he end of t he next act ive period. The lat t er rule ensures t hat at least one st at ion is awake and can respond t o probes from new st at ions scanning t o discover net works. Rules for adopt ing t he received t im est am p are m ore com plex in an independent net work. No cent ralized t im er exist s, so t he goal of t he st andard is t o synchronize all t im ers t o t he t im er of t he fast est - running clock in t he BSS. When a Beacon is received, t he

Figu r e 8 - 2 0 . D ist r ibu t e d Be a con ge n e r a t ion

t im est am p is adj ust ed for processing delays and com pared t o t he local TSF. The received t im est am p updat es t he local t im er only if it is lat er t han t he local t im er.

Spectrum Management 802.11a was originally developed as a st andard for t he Unit ed St at es only. European radio regulat ions for t he 5 GHz frequency band are st rict er, which necessit at ed t he developm ent of special procedures t o adapt t he 802.11 MAC for use in Europe, which were event ually st andardized as 802.11h in 2003.

Transmit Power Control (TPC) Transm it power cont rol is required by European regulat ions [ * ] t o ensure t hat 5 GHz radio t ransm it t ers st ay wit hin regulat ory power lim it s and avoid int erfering wit h cert ain sat ellit e services. Developing bet t er cont rol over t ransm ission power brings m any ot her benefit s, som e of which have been long known in t he world of m obile t elephony. High- powered client t ransm issions m ay cover very large areas. I n a densely- deployed net work of APs, a single client at high power m ay have m uch higher range t han is necessary. Long range is not always a plus. Running a radio t ransm it t er at high power decreases bat t ery life. I f t he range of a t ransm ission is longer t han necessary, t he ext ra reach represent s " wast ed" power. Higher power m ay also lead t o a reduct ion in net work t hroughput as client devices int erfere wit h each ot her unnecessarily. [*]

ERC/DEC/(99)23, available at http://www.ero.dk/doc98/Official/Pdf/DEC9923E.PDF.

Figu r e 8 - 2 1 . H igh clie n t pow e r in t e r fe r e n ce w it h m u lt iple APs

For an illust rat ion of problem s caused by high client power, consider Figure 8- 21. I n t he figure, nine APs are shown in a net work. [ * ] Client # 1 is associat ed wit h t he cent er AP in t he t op row. I f t he client com put er is configured t o t ransm it at m axim um power, t he range of t he t ransm ission will reach out t o t he out er circle. However, t he t ransm ission t o t he AP requires power t o only t he inner circle. The difference bet ween t he t wo circles is t he excess range caused by t ransm it t ing t oo high. Running t he radio t ransm it t er higher t han necessary will drain t he bat t ery on a port able device fast er t han is st rict ly necessary. ( To ext end t he bat t ery life of phones, m obile t elephone net works have incorporat ed t ransm it power lim it at ion t echniques for m any years.) [*]

Note that laying out a nine-AP network using only three non-overlapping channels is not possible, which is a strong argument for using 802.11a in high-density environments.

Cont rolling t he range of t ransm ission also m akes t he net work funct ion m ore sm oot hly. All t ransm issions m ust gain exclusive access t o t he radio m edium . When excessive power is used, t he area covered by a t ransm ission is m uch larger t han it should be. Any st at ion operat ing on channel 11 wit hin t he out er circle m ust defer t o a fram e in progress from Client # 1. The shaded area bet ween t he opt im um t ransm it power and t he excessive power represent s t he area which is blocked because Client # 1 is t ransm it t ing at power t hat is t oo high. For exam ple, Client # 2 is blocked from com m unicat ing wit h it s nearby AP because it m ust share t he radio m edium . Reducing t ransm ission power t o t he level required t o reach only t he serving AP m ay im prove com m unicat ions t hroughout t he net work by lim it ing overlap bet ween nearby APs.

Basic operation of transmit power control

Transm it power cont rol ( TPC) is an 802.11 service t hat at t em pt s t o hold t ransm it power t o t he lowest possible product ive level. I t t akes int o account t he m axim um power allowed by regulat ors, as well as furt her const raint s. Alt hough designed t o sat isfy regulat ory requirem ent s, t ransm it power cont rol m ay have addit ional benefit s. The absolut e cap on any radio t ransm ission is set by regulat ory aut horit ies, and is found in t he relevant docum ent s and rules published by t he aut horit y. Regulat ory m axim um power m ay be configured int o an AP or st at ion, or it m ay be learned from Beacon fram es cont aining Count ry elem ent s. Radio t ransm issions m ay be subj ect t o addit ional const raint s t hat furt her reduce t he m axim um power. European regulat ions specify a furt her m it igat ion requirem ent of at least 3 dB t o reduce int erference wit h sat ellit e services. Maxim um t ransm ission power is specified using t he Count ry elem ent in Beacon fram es, and is available t o any st at ion wishing t o associat e t o a net work. The Count ry elem ent specifies t he regulat ory m axim um power, and t he Power Const raint elem ent can be used t o specify a lower m axim um t ransm ission power specific t o t he net work. Before beginning operat ion, st at ions m ust calculat e t he m axim um t ransm ission power t hat m ay be used. Typically, t his is calculat ed by t aking t he regulat ory m axim um power and subt ract ing any const raint s for m it igat ion or addit ional local const raint s. For exam ple, net work adm inist rat ors m ay wish t o specify a rest rict ive local m axim um t ransm ission power t o reduce range and t herefore int er fer ence.

Changes to the association process When a spect rum m anagem ent - capable st at ion associat es ( or reassociat es) t o an access point , it m ust supply t he m inim um and m axim um t ransm ission power in a Power Capabilit y inform at ion elem ent . Access point s m ay incorporat e t he inform at ion supplied by a client int o t he associat ion process, and are free t o use it any m anner. How, or even whet her, an access point uses t he power capabilit y inform at ion is not specified by 802.11 st andards. St at ions t hat have high power and m ay violat e regulat ions m ay be rej ect ed t o preserve regulat ory com pliance. Access point s m ay also rej ect client s wit h low t ransm it power capabilit y; t he st andard suggest s t hat it m ay increase t he possibilit y of hidden nodes, alt hough t hat seem s unlikely.

Changing the transmission power Bot h access point s and client st at ions m ay dynam ically adj ust t he t ransm ission power on a fram e- byfram e basis. For each fram e, t he receiver m ay com put e t he link m argin, t he am ount by which t he received power exceeds t he m inim um accept able value. Link m argin is t he m argin of safet y. I f a st at ion's t ransm issions were received at t he m inim um accept able value, t he link m argin would be zero, indicat ing t hat any det rim ent al change t o t he link would int errupt com m unicat ion. Most st at ions aim for a sm all link m argin, but t he specific calculat ion of link m argin and t he det erm inat ion of a part icular desired value are not specified by t he st andard. To m ake inform ed changes t o t ransm ission power, st at ions m ay request a radio link m easurem ent . St at ions send an Act ion fram e request ing a t ransm ission report . The Act ion fram e sent in response cont ains a TPC Report elem ent wit h t wo descript ive st at ist ics. First , it cont ains t he t ransm it power of t he report fram e. Based on t he t ransm ission power, t he receiver of t he report can est im at e t he pat h loss of t he radio link. Second, t he report fram e cont ains a value for t he link m argin, which inform s t he receiver of t he rat io bet ween t he received power and t he m inim um accept able power. I f t he m inim um accept able power were, say, - 70 dBm and t he signal was received at - 60 dBm , t he link

m argin would be report ed as 10 dB. I f t he link m argin is " t oo high," t ransm it power can be reduced. I f t he link m argin is " t oo low," t he t ransm it power can be increased. Like m any ot her com ponent s of t he 802.11 st andard, " t oo high" and " t oo low" are left t o t he discret ion of t he soft ware. The st andard is designed t o ensure t hat t he m axim um t ransm ission power is not exceeded, but it does not rest rict power select ion in any way. There is no requirem ent for advanced funct ionalit y. That said, it is conceivable t hat advanced access point s support ing t ransm it power cont rol m ay at t em pt t o keep t rack of t he power required t o reach each associat ed st at ion, so t hat close- in st at ions require less power t han far- away st at ions.

Dynamic Frequency Selection (DFS) I n addit ion t o t he requirem ent for t ransm it power cont rol, European regulat ions require t hat st at ions avoid int erfering wit h 5 GHz radar syst em s, as well as spread t he power load across all available channels. Accom plishing t his is t he t ask of 802.11's Dynam ic Frequency Select ion ( DFS) m echanism .

Basic operation of DFS Dynam ic frequency select ion consist s of a num ber of procedures t o enable 802.11 devices t o change t he radio channel based on m easurem ent s and regulat ory requirem ent s. I t can affect t he init ial associat ion procedure and ongoing net work operat ion. When st at ions first associat e t o t he net work, t he Associat ion Request fram e includes a Support ed Channels inform at ion elem ent , which com m unicat es t he channels support ed by t he st at ion. Access point s m ay rej ect t he associat ion based on t he cont ent of t he inform at ion elem ent , t hough such behavior is not specified by t he st andard. One approach would be t o rej ect st at ions t hat support " t oo few" channels, on t he t heory t hat it lim it s t he abilit y of t he access point t o swit ch operat ion on t o different channels because it m ust m ove t o a channel support ed by all associat ed st at ions. Once used on an operat ional net work, DFS will periodically t est t he channel for pot ent ial int erference from ot her radio syst em s, m ost not ably 5 GHz European radar syst em s. Test ing t he channel is accom plished by st opping t ransm issions on t he net work, m easuring for pot ent ial int erference, and, if necessary, advert ising t hat t he channel will change.

Quieting the channel To perform t est s on t he radio channel, quiet periods or quiet int ervals are used. Quiet int ervals are a t im e when all st at ions in t he BSS do not t ransm it , which is helpful when m aking m easurem ent s for pot ent ial int erference from radar syst em s. Quiet periods are scheduled by t he inclusion of t he Quiet inform at ion elem ent in Beacon and Probe Response fram es, and describe when and how long all st at ions should cease t ransm issions. Only t he m ost recent ly t ransm it t ed Quiet inform at ion is effect ive. When m ult iple Quiet inform at ion elem ent s are t ransm it t ed, t he m ost recent one supercedes all prior scheduled quiet periods. During t he quiet period, all st at ions set t he net work allocat ion vect or ( NAV) t o t he lengt h of t he quiet period t o ensure t hat t he virt ual carrier sensing algorit hm will defer t ransm issions. When an upcom ing quiet int erval is scheduled, t he radio channel st ill operat es under norm al rules for access t o t he radio m edium , wit h t he addit ional rule t hat any fram e exchange m ust com plet e before t he st art of t he quiet period. I f a scheduled fram e exchange cannot be com plet ed, t he st at ion relinquishes cont rol of t he channel and defers t ransm ission unt il aft er t he conclusion of t he quiet period. Failure t o t ransm it a fram e due t o an im pending quiet period does not , however, increase t he

t ransm ission count . When t he quiet period resum es, all st at ions m ust cont end for access t o t he radio channel again. There is no preservat ion of channel access across a quiet period. I n an infrast ruct ure net work, channel quiet scheduling is com plet ely under t he cont rol of t he access point . Access point s are allowed t o change t he durat ion of quiet periods, t he t im e bet ween quiet periods, or even t o st op scheduling quiet periods alt oget her. I ndependent net works choose t he quiet period scheduling when t he net work is creat ed. When new st at ions t ake over responsibilit y for sending Beacon and Probe Response fram es, t hey have no discret ion t o alt er t he quiet period param et ers, and sim ply copy t he previously used param et ers.

Measuring At any point , m easurem ent s of t he radio channel can be t aken. St at ions m ay request ot her st at ions t o m easure t he radio channel. Access point s m ay find m easurem ent s from st at ions t o be part icularly useful in learning about t he st at e of t he radio channel because t he report s from st at ions are likely t o com e from a variet y of different geographical locat ions. Measurem ent s m ay be t aken in a quiet period or while t he radio is in service. Any st at ion m ay ask ot her st at ions t o m ake a m easurem ent . I nquiries for radio inform at ion are sent in Measurem ent Request fram es, described in Figure 8- 23. I n an infrast ruct ure net work, all fram es m ust go t hrough t he access point . Associat ed client st at ions m ay only ask t he AP for radio inform at ion. Access point s in an infrast ruct ure net work m ay ask eit her a single st at ion or a group of st at ions for a m easurem ent , sim ply by addressing t he request fram e appropriat ely. I n independent net works, t here is no cent ralized point of cont rol, and any st at ion m ay issue a request t o any ot her single st at ion or group of st at ions. Alt hough request s t o a group address field are allowed, receiving st at ions are also allowed t o disregard t hem . Aft er sending a m easurem ent request , t he st andard assum es t hat t he receiver needs t im e t o gat her t he dat a for it s reply. Following t he t ransm ission of a m easurem ent request , a st at ion refrains from sending any furt her fram es. Upon receipt of a Measurem ent Request fram e, a st at ion m ust det erm ine how t o respond. The Measurem ent Request fram e m ust always be answered, even if t he response is a refusal t o perform t he request ed m easurem ent . To be processed, a request m ust be received in enough t im e t o set up and t ake t he m easurem ent . Measurem ent request s specify a t im e at which t he m easurem ent is t o occur. I f a request is held in a long t ransm ission queue, it is conceivable t hat it could be arrive at t he dest inat ion aft er t he request ed m easurem ent should begin. St at ions are allowed t o ignore such " lat e" request s. The receiver of a m easurem ent request m ust also be able t o collect t he dat a support ed in t he request . Depending on t he receiver's hardware, it m ay not be possible t o support all request s. Alt hough increasingly rare, not all 802.11 hardware is capable of support ing every allowed channel. [ * ] Many cards on t he m arket t oday do not support m ult ichannel operat ion, eit her, so a request t o m easure a different channel from t he current operat ing channel cannot be support ed. St at ions m ay refuse t o perform a m easurem ent for any nonspecified reason, provided t he request er has not m arked t he request as m andat ory. [*]

For example, the Cisco CB-20 card, based on the Radiata chipset, could only support the eight lowest 802.11a channels. It would be appropriate for such a card to refuse a measurement request in the high U-NII band.

I n addit ion t o t he polled operat ion, in which st at ions ask for m easurem ent s, it is possible for st at ions t o spont aneously report st at ist ics by sending unsolicit ed Measurem ent Report fram es.

Radar scan One of t he m aj or reasons t o quiet t he channel is t o search for t he presence of 5 GHz radar syst em s

in use in Europe. The regulat ions[ * ] do not require any part icular search m et hod for t hese radar syst em s. I t only requires t hat radar be det ect ed when it s signal st rengt h rises above a defined int erference t hreshold. [*]

ETSI EN 301 893, available from http://www.etsi.org.

When a radio int erface is st art ed, it m ust search for a radar signal on t he channel. No t ransm issions are allowed unt il t he " coast is clear" and it has been est ablished t hat t here is no radar t o int erfere wit h. Radar det ect ion m ust be carried out periodically t hroughout operat ion. Whenever radar signals are det ect ed, t he net work m ust swit ch t o anot her channel t o avoid int erference. Spect rum m anagem ent services enable a net work t o m ove t o anot her channel. The decision t o m ove t o anot her channel m ay be caused by t he presence of radar int erference, but t he generic m echanism t o swit ch channels m ay be useful for a variet y of purposes beyond com pliance wit h European radio regulat ions. Net works capable of alt ering t heir operat ional channel m ay do so t o m inim ize int erference wit h ot her 802.11 devices and opt im ize t he radio plan. Channel swit ching is designed t o m ove as m any of t he associat ed st at ions t o t he new channel as possible, but it is always possible t hat com m unicat ions wit h som e or all of t he associat ed st at ions m ay be disrupt ed. The st andards do not place any const raint s on how t o select t he new channel, but sim ply say t hat an access point should at t em pt t o choose a channel support ed by as m any of it s st at ions as possible. Som e regulat ors have draft ed rules t hat m andat e energy spreading across t he ent ire band, so it m ay be t hat regulat ory requirem ent s force a swit ch t o channels t hat are not support ed by all st at ions. I n an infrast ruct ure net work, t he select ion of t he operat ing channel is under t he sole cont rol of t he access point . As part of t he associat ion process, access point s collect inform at ion about which channels can be support ed by t he associat ed st at ions. Access point s inform associat ed st at ions of t he im pending swit ch by using t he Channel Swit ch Announcem ent inform at ion elem ent in m anagem ent fram es, as well as Act ion fram es. To im prove t he abilit y of an access point t o send an channel swit ch announcem ent , t he appropriat e act ion fram e m ay be sent aft er t he PCF I nt erfram e Space ( PI FS) , which gives it a higher priorit y t han any new at om ic exchange on t he m edium . The st andard suggest s, but does not require, t hat t he channel swit ch be scheduled far enough in advance t hat any powersaving st at ions have t he opport unit y t o becom e act ive and receive t he channel swit ch announcem ent .

IBSS operation Changing t he operat ing channel in an independent net work is significant ly m ore com plicat ed t han in an infrast ruct ure net work because t here is no single logical cont roller for frequency select ion operat ion. I nst ead of having t he funct ion reside in t he access point , independent net works have t he DFS owner service, which coordinat es m ult iple st at ions t o run t he frequency select ion service. One st at ion in a net work is designat ed t he DFS owner, and is responsible for collect ing m easurem ent report s and m onit oring t he channel for radar signals. I f any st at ion in t he independent net work observes a radar signal, it will be report ed in t he channel m ap subfield. Upon not ificat ion t hat radar has been det ect ed, t he DFS owner t akes charge of changing t he channel. The DFS owner is responsible for deciding on t he new channel, and sending t he channel swit ch announcem ent fram e. I t m ay not be possible t o select a channel t hat com plies wit h regulat ory requirem ent s and is support ed by all st at ions. I ndependent net works do not have a cent ral point of dat a collect ion, so even if t here is a channel support ed by all st at ions, t here is no guarant ee t hat t he DFS owner will be aware of it . I n an independent net work, t he DFS owner m ay change. Just like Beacon generat ion, st at ions m ay j oin or leave t he net work, including t he DFS owner. To cope wit h t he DFS owner going away, st at ions m ay ent er DFS owner recovery m ode. I n t his m ode, m ult iple st at ions can becom e DFS owners, and

will schedule t he channel swit ch announcem ent fram es required by t he st andard. However, t he first st at ion t o t ransm it t he channel swit ch fram e becom es t he only DFS owner, and ot her st at ions will drop t he role. DFS owner recover is sim ilar in concept t o t he dist ribut ed Beacon generat ion discussed in Figure 8- 20.

Action Frames Act ion fram es are used t o request a st at ion t o t ake act ion on behalf of anot her. Spect rum m anagem ent services use Act ion fram es t o request t hat m easurem ent s be t aken, gat her t he result s of t hose m easurem ent s, and announce any required channel swit ches. Figure 8- 22 shows t he form at of t he Act ion fram e, which is essent ially a cat egory plus det ails t hat depend on t he cat egory. The act ion det ails m ay vary depending on t he cat egory field.

Figu r e 8 - 2 2 . Act ion fr a m e

Cat egory The cat egory field is set t o zero for spect rum m anagem ent .

Act ion All spect rum m anagem ent fram es use t he first byt e of t he act ion det ails t o specify t he t ype of act ion being undert aken. Table 8- 2 shows t he possible values for t he Act ion subfield. Values not shown are reserved.

Elem ent s Spect rum m anagem ent act ion fram es carry inform at ion in inform at ion elem ent s. The det ails for m any inform at ion elem ent s can be found in Chapt er 4. Several addit ional inform at ion elem ent s were defined in 802.11h and are described in t his sect ion.

Ta ble 8 - 2 . Type s of spe ct r u m m a n a ge m e n t a ct ion fr a m e s Va lu e Type of spe ct r u m m a n a ge m e n t a ct ion fr a m e 0

Measurem ent Request

Va lu e Type of spe ct r u m m a n a ge m e n t a ct ion fr a m e 1

Measurem ent Report

2

TPC Request

3

TPC Report

4

Channel Swit ch Announcem ent

Measurement Request frame The Measurem ent Request fram e is used t o request t hat a st at ion m ake m easurem ent s and send t he result s t o t he sender. I t s form at is shown in Figure 8- 23. The fram e consist s of a series of m easurem ent request inform at ion elem ent s. The num ber of pot ent ial m easurem ent s is lim it ed by t he size of t he fram e, rat her t han any aspect of t he fram e const ruct ion. Periodic m easurem ent s are allowed by t he st andard. Periodic report s are enabled or disabled by sending a m easurem ent request t o a st at ion wit h inst ruct ions t o t urn t he periodic m easurem ent on or off. St at ions cannot disable m easurem ent s on access point s in infrast ruct ure net works.

Cat egory Set t o zero t o indicat e spect rum m anagem ent act ion fram es.

Act ion Set t o zero t o indicat e t hat it is a m easurem ent request .

Dialog Token This field act s like a sequence num ber. I t is set t o a non- zero value t o assist in m at ching m easurem ent responses t o out st anding request s. A single Measurem ent Request fram e m ay request m ult iple m easurem ent s by using m ult iple Measurem ent Request inform at ion elem ent s wit hin t he body of t he fram e.

Figu r e 8 - 2 3 . M e a su r e m e n t Re qu e st fr a m e

A single inform at ion elem ent is shown in exploded view, consist ing of t he following fields:

Elem ent I D Measurem ent Request elem ent s are t ype 38.

Lengt h The lengt h, in byt es, of t he inform at ion elem ent following t his field.

Measurem ent Token Each Measurem ent Request fram e m ay m ake several request s by including several Measurem ent Request elem ent s wit hin t he fram e body. Each request is given it s own value for t he Measurem ent Token so t hat t he different request s can be dist inguished.

Measurem ent Request Mode bit m ap There are t hree bit s in t he Measurem ent Request Mode bit m ap t hat are used t o indicat e what t ypes of spect rum m anagem ent fram es are support ed. Bit num ber 2 ( num bered st art ing from 0) is t he Request bit , and is set t o one t o signify t hat t he t ransm it t er will process incom ing m easurem ent request s. Bit num ber 3 is t he Report bit , which is set t o one t o signify t hat t he t ransm it t er will accept unsolicit ed report s. The Enable bit is set t o one when t he ot her t wo bit s are valid.

Measurem ent Type The t ype of m easurem ent being request ed by t he inform at ion elem ent , as shown in Table 8- 3.

Measurem ent Request I f a m easurem ent is request ed, t here m ay be an addit ional field t o give t im ing param et ers. As it t urns out , t he t hree t ypes of m easurem ent s t hat are current ly st andardized all have t he sam e form at , consist ing of a channel num ber, t he value of t he t im er funct ion at which t he m easurem ent should st art , and t he durat ion of t he m easurem ent in t im e unit s. A t im er st art value of zero indicat es t he m easurem ent should be t aken im m ediat ely. This field is not present when t he fram e is used t o t urn m easurem ent s on or off.

Ta ble 8 - 3 . M e a su r e m e n t Type va lu e s M e a su r e m e n t Type va lu e

Nam e

0

Basic m easurem ent

1

Clear channel assessm ent

2

Receive power indicat ion ( RPI ) hist ogram

Measurement Report The Measurem ent Report fram e is used t o send t he result s of a m easurem ent t o t he request er. I t s form at is shown in Figure 8- 24. The fram e consist s of a series of m easurem ent report inform at ion elem ent s. The num ber of pot ent ial report s is lim it ed by t he size of t he fram e, rat her t han any aspect of t he fram e const ruct ion.

Cat egory Set t o zero t o indicat e spect rum m anagem ent act ion fram es.

Act ion Set t o one t o indicat e t hat it is a m easurem ent report .

Dialog Token I f t he m easurem ent s were t aken as t he result of a m easurem ent request from anot her st at ion, t he Dialog Token field from t hat request is copied int o t he response. I f t he fram e is sent as an unsolicit ed report , t he Dialog Token is zero.

A single Measurem ent Report fram e m ay cont ain t he result s for several m easurem ent s, each t ransm it t ed in it s own inform at ion elem ent . For clarit y, a single inform at ion elem ent is shown in t he inform at ion elem ent header, and t he t hree possible report elem ent s are shown below.

Elem ent I D Measurem ent Request elem ent s are t ype 39.

Lengt h The lengt h, in byt es, of t he inform at ion elem ent following t his field.

Measurem ent Token Each Measurem ent Request fram e m ay m ake several request s by including several Measurem ent Request elem ent s wit hin t he fram e body. Each request is

Figu r e 8 - 2 4 . M e a su r e m e n t Re por t fr a m e

given it s own value for t he Measurem ent Token so t hat t he different request s can be

dist inguished.

Measurem ent Report Mode bit m ap There are t hree bit s in t he Measurem ent Report Mode bit m ap t hat are used t o indicat e why a m easurem ent is being refused, if t he report fram e is being used t o deny a m easurem ent . The Lat e bit is set t o one when t he m easurem ent request arrives aft er t he st art t im e specified in t he m easurem ent . The I ncapable bit is set t o one when a st at ion is unable t o perform t he request ed m easurem ent . The Refused bit is set t o one when t he st at ion is capable of perform ing t he m easurem ent , but does not wish t o do so.

Measurem ent Type The t ype of m easurem ent being request ed by t he inform at ion elem ent , as shown in Table 8- 3.

Measurem ent Report The Measurem ent Report fram e cont ains t he request ed m easurem ent dat a. Unlike t he Measurem ent Request , t he cont ent s are different for each t ype of report . All t hree report s are shown underneat h t he inform at ion elem ent header. All share a com m on header t hat report s t he channel num ber t hat t he request is for, t he t im e t he m easurem ent st art ed, and t he durat ion of t he m easurem ent . However, t he dat a is report ed in different ways for each t ype of m easurem ent . I n a basic report , t he dat a report ed are a series of bit flags for t he channel:

BSS ( 1 bit ) This bit will be set if fram es from anot her net work are det ect ed during a m easurem ent period.

OFDM Pream ble ( 1 bit ) This bit is set if t he 802.11a short t raining sequence is det ect ed, but wit hout being followed by t he rest of t he fram e. HI PERLAN/ 2 net works use t he sam e pream ble, but not t he sam e fram e const ruct ion.

Unident ified Signal ( 1 bit ) This bit is set when t he received power is high, but t he signal cannot be classified as eit her anot her 802.11 net work ( and hence, set t he BSS bit ) , anot her OFDM net work ( and hence, set t he OFDM Pream ble bit ) , or a radar signal ( and hence, set t he Radar bit ) . The st andard does not specify what power level is high enough t o t rigger t his bit being set .

Radar ( 1 bit )

I f a radar signal is det ect ed during a m easurem ent period, t his bit will be set . Radar syst em s t hat m ust be det ect ed are defined by regulat ors, not t he 802.11 t ask group.

Unm easured ( 1 bit ) I f t he channel was not m easured, t his bit will be set . Nat urally, if t here was no m easurem ent t aken, not hing can be det ect ed in t he band and t he previous four bit s will be set t o zero. I n a CCA report , t he m ain field is t he CCA Busy Fract ion, which describes t he fract ion of t im e on which t he clear channel assessm ent funct ion was set t o busy. I t is a single byt e, so t he fract ion is m ult iplied by 255 t o convert t o an int eger ranging from 0 t o 255, where higher values indicat e t he channel was busy m ore oft en. RPI hist ogram report s are used t o report t he spread of received power on an int erface. St at ions can request an RPI hist ogram t o det erm ine how well anot her st at ion is able t o see signals from t he current net work, or it m ay use t he report t o scout out ot her channels when it is t im e t o change t he operat ing channel. An RPI hist ogram report cont ains inform at ion on t he st rengt h of received signals. However, unlike a one- fram e m easurem ent , it can report t he spread of power received over t he m easurem ent durat ion t o give t he receiver an indicat ion of t he overall level of t ransm issions. The hist ogram cont ains eight byt es, each of which represent s a range of received power, as shown in Table 8- 4. Each byt e has a value represent ing t he fract ion of power signals t hat fall int o it s range. The t im e fract ion over which t he received signal falls int o t he power range for t he byt e is scaled so t hat each byt e ranges from 0 t o 255, wit h it s value depending on t he fract ion of t im e signals were received at t hat power level. [ * ] [*]

Although the values of all 8 bytes theoretically add to 255, the standard notes that they may add up to 262 due to rounding effects.

Ta ble 8 - 4 . RPI pow e r m a ppin g RPI n u m be r

Cor r e spon din g pow e r ( dBm )

0

Less t han - 87

1

- 87 t o - 82

2

- 81 t o - 77

3

- 78 t o - 72

4

- 71 t o - 67

5

- 66 t o - 62

6

- 61 t o - 57

7

- 56 and higher

TPC Request and Report TPC Request and TPC Report fram es are bot h shown in Figure 8- 25. They are bot h st raight forward, consist ing of Act ion fram es wit h t he spect rum m anagem ent t ype. Each fram e cont ains it s corresponding inform at ion elem ent , as described in Chapt er 4. As wit h ot her fram es, t he Dialog

Token field is used t o m at ch up request s wit h responses.

Figu r e 8 - 2 5 . TPC Re qu e st a n d Re por t fr a m e s

Channel Switch Announcement When t he channel m ust be changed, st at ions t hat are part of t he net work m ust be inform ed of t he im pending change so t hat t hey m ay prepare t o swit ch t o t he specified new channel. Channel Swit ch Announcem ent fram es, shown in Figure 8- 26, are essent ially Act ion fram e wrappers around t he Channel Swit ch Announcem ent elem ent t hat was described in Chapt er 4. As such, t hey have all t he funct ions of a channel swit ch announcem ent elem ent , and are used t o specify t he t im e at which t he net work will swit ch t o a new channel.

Figu r e 8 - 2 6 . Ch a n n e l Sw it ch An n ou n ce m e n t fr a m e

Chapter 9. Contention-Free Service with the PCF To support applicat ions t hat require near real- t im e service, t he 802.11 st andard includes a second coordinat ion funct ion t o provide a different way of accessing t he wireless m edium . The point coordinat ion funct ion ( PCF) allows an 802.11 net work t o provide an enforced " fair" access t o t he m edium . I n som e ways, access t o t he m edium under t he PCF resem bles t oken- based m edium access cont rol schem es, wit h t he access point holding t he t oken. This chapt er describes m edium access under t he PCF, det ailed fram e diagram s for t he PCF fram es, and how power m anagem ent operat ions int eract wit h t he PCF. The PCF has not been widely im plem ent ed. A m edia server product for t he hom e im plem ent ed t he PCF, t hough it was not com m ercially successful. Som e ent erprise- class product s have im plem ent ed t he PCF because it gives t he access point s m ore cont rol over access t o t he wireless m edium , and helps t he net work t o t o wrest cont rol away from t he anarchy of a herd of individual st at ions. For m any readers, t his chapt er m ay not be necessary. I f you are not using a product t hat im plem ent s t he PCF, t here is no need t o read t his chapt er unless you have an int erest in t he st andard it self.

Contention-Free Access Using the PCF I f cont ent ion- free delivery is required, t he PCF m ay be used. The PCF is an opt ional part of t he 802.11 specificat ion; product s are not required t o im plem ent it . However, t he I EEE designed t he PCF so st at ions t hat im plem ent only t he dist ribut ed coordinat ion funct ion ( DCF) will int eroperat e wit h point coordinat ors. Cont ent ion- free service is not provided full- t im e. Periods of cont ent ion- free service arbit rat ed by t he point coordinat or alt ernat e wit h t he st andard DCF- based service. The relat ive size of t he cont ent ionfree period can be configured. 802.11 describes t he cont ent ion- free periods as providing " near isochronous" services because t he cont ent ion- free periods will not always st art at t he expect ed t im e, as described in t he " Cont ent ion- Free Period Durat ion" sect ion lat er in t his chapt er. Cont ent ion- free service uses a cent ralized access cont rol m et hod. Access t o t he m edium is rest rict ed by t he point coordinat or, a specialized funct ion im plem ent ed in access point s. Associat ed st at ions can t ransm it dat a only when t hey are allowed t o do so by t he point coordinat or. I n som e ways, cont ent ion- free access under t he PCF resem bles t oken- based net working prot ocols, wit h t he point coordinat or's polling t aking t he place of a t oken. Fundam ent als of t he 802.11 m odel rem ain in place, however. Alt hough access is under t he cont rol of a cent ral ent it y, all t ransm issions m ust be acknowledged.

PCF Operation Figure 9- 1 shows a t ransfer using t he PCF. When t he PCF is used, t im e on t he m edium is divided int o t he cont ent ion- free period ( CFP) and t he cont ent ion period. Access t o t he m edium in t he form er case is cont rolled by t he PCF, while access t o t he m edium in t he lat t er case is cont rolled by t he DCF and t he rules from Chapt er 8. The cont ent ion period m ust be long enough for t he t ransfer of at least one m axim um - size fram e and it s associat ed acknowledgm ent . Alt ernat ing periods of cont ent ion- free service and cont ent ion- based service repeat at regular int ervals, which are called t he cont ent ion- free repet it ion int erval.

Figu r e 9 - 1 . Usin g t h e PCF

Reserving the medium during the contention-free period At t he beginning of t he cont ent ion- free period, t he access point t ransm it s a Beacon fram e. One com ponent of t he beacon announcem ent is t he m axim um durat ion of t he cont ent ion- free period, CFPMaxDurat ion. All st at ions receiving t he Beacon set t he NAV t o t he m axim um durat ion t o lock out DCF- based access t o t he wireless m edium . As an addit ional safeguard t o prevent int erference, all cont ent ion- free t ransm issions are separat ed only by t he short int erfram e space and t he PCF int erfram e space. Bot h are short er t han t he DCF int erfram e space, so no DCF- based st at ions can gain access t o t he m edium using t he DCF.

The polling list Aft er t he access point has gained cont rol of t he wireless m edium , it polls any associat ed st at ions on a polling list for dat a t ransm issions. During t he cont ent ion- free period, st at ions m ay t ransm it only if t he access point solicit s t he t ransm ission wit h a polling fram e. Cont ent ion- free polling fram es are oft en abbreviat ed CF- Poll. Each CF- Poll is a license t o t ransm it one fram e. Mult iple fram es can be t ransm it t ed only if t he access point sends m ult iple poll request s. The polling list is t he list of privileged st at ions solicit ed for fram es during t he cont ent ion- free period. St at ions get on t he polling list when t hey associat e wit h t he access point . The Associat ion Request includes a field t hat indicat es whet her t he st at ion is capable of responding t o polls during t he cont ent ion- free period.

Transmissions from the Access Point Generally, all t ransm issions during t he cont ent ion- free period are separat ed by only t he short int erfram e space. To ensure t hat t he point coordinat or ret ains cont rol of t he m edium , it m ay send t o t he next st at ion on it s polling list if no response is received aft er an elapsed PCF int erfram e space. ( Such a sit uat ion is illust rat ed in Figure 9- 1 .) The access point polls t he second st at ion on it s list but receives no response. Aft er wait ing one PCF int erfram e space, t he access point m oves t o t he t hird st at ion on t he list . By using t he PCF int erfram e space, t he access point ensures t hat it ret ains access t o t he m edium .

The access point m ay use several different t ypes of fram es during t he cont ent ion- free period. During t his period, t he point coordinat or has four m aj or t asks. I n addit ion t o t he " norm al" t asks of sending buffered fram es and acknowledging fram es from t he st at ions, t he point coordinat or can poll st at ions on t he polling list t o enable t hem t o send fram es; it m ay also need t o t ransm it m anagem ent fram es. Tim e in t he cont ent ion- free period is precious, so acknowledgm ent s, polling, and dat a t ransfer m ay be com bined t o im prove efficiency. When any subset of t hese funct ions are com bined int o a single fram e, t he result is a bit st range. A single fram e could, for exam ple, acknowledge t he receipt of t he previous fram e, poll a different st at ion for buffered dat a, and send it s own dat a t o t he st at ion on t he polling list . Several different fram e t ypes can be used in t he cont ent ion- free period:

Dat a The st andard vanilla Dat a fram e is used when t he access point is sending a fram e t o a st at ion and does not need t o acknowledge a previous t ransm ission. The st andard Dat a fram e does not poll t he recipient and t hus does not allow t he recipient t o t ransm it any dat a in ret urn. The dat a only fram e used in t he cont ent ion- free period is ident ical t o t he Dat a fram e used in cont ent ionbased periods.

CF- Ack This fram e is used by st at ions t o acknowledge t he receipt of a fram e when no dat a needs t o be t ransm it t ed. Cont ent ion- free acknowledgm ent s are longer t han t he st andard cont rol fram e acknowledgm ent , so t his fram e m ay not be used in act ual im plem ent at ions.

CF- Poll CF- Poll fram es are sent by t he access point t o a m obile st at ion t o give t he m obile st at ion t he right t o t ransm it a single buffered fram e. I t is used when t he access point does not have any dat a for t he m obile st at ion. When a fram e for t he m obile st at ion is available, t he access point uses t he Dat a+ CF- Poll fram e t ype.

Dat a+ CF- Ack This fram e com bines dat a t ransm ission wit h an acknowledgm ent . Dat a is direct ed t o t he fram e recipient ; t he acknowledgm ent is for t he previous fram e t ransm it t ed and usually is not for t he recipient of t he dat a.

Dat a+ CF- Poll This fram e is used by access point s t o t ransm it dat a t o a m obile st at ion and request one pending fram e from t he m obile st at ion. The Dat a+ CF- Poll can only be sent by t he access point during t he cont ent ion- free period.

CF- ACK+ CF- Poll This fram e acknowledges t he last fram e from one of t he access point 's client s and request s a buffered fram e from t he next st at ion on t he polling list . I t is direct ed t o t he next st at ion on t he polling list , alt hough t he acknowledgm ent m ay be int ended for any m obile st at ion associat ed wit h t he access point .

Dat a+ CF- ACK+ CF- Poll This fram e brings t oget her t he dat a t ransm ission, polling feat ure, and acknowledgm ent int o one fram e for m axim um efficiency.

CF- End This fram e ends t he cont ent ion- free period and ret urns cont rol of t he m edium t o t he cont ent ion- based m echanism s of t he DCF.

CF- End+ CF- Ack This is t he sam e as t he CF- End fram e but also acknowledges t he previously t ransm it t ed Dat a fram e.

Any Managem ent No rest rict ion is placed by t he st andard on which m anagem ent fram es can be t ransm it t ed during t he cont ent ion- free period. I f t he rules applying t o a part icular fram e t ype allow it s t ransm ission, t he access point m ay t ransm it it .

Contention-Free Period Duration The m inim um lengt h of t he cont ent ion period is t he t im e required t o t ransm it and acknowledge one m axim um - size fram e. I t is possible for cont ent ion- based service t o overrun t he end of t he cont ent ion period, however. When cont ent ion- based service runs past t he expect ed beginning of t he cont ent ionfree period, t he cont ent ion- free period is foreshort ened, as in Figure 9- 2 .

Figu r e 9 - 2 . D a t a + CF- Ack a n d D a t a + CF- Poll u sa ge

When t he cont ent ion- free period is foreshort ened, t he exist ing fram e exchange is allowed t o com plet e before t he beacon announcing t he st art of cont ent ion- free operat ion is t ransm it t ed. The cont ent ion- free period is short ened by t he am ount of t he delay. Cont ent ion- free service ends no lat er t han t he m axim um durat ion from t he expect ed beginning point , which is referred t o as t he Target Beacon Transm ission Tim e ( TBTT) . The point coordinat or m ay also t erm inat e t he cont ent ion- free period prior t o it s m axim um durat ion by t ransm it t ing a CF- End fram e. I t can base t his decision on t he size of t he polling list , t he t raffic load, or any ot her fact or t hat t he access point considers im port ant . Product s will som et im es select ively use t he PCF for a part icular fram e exchange by st art ing cont ent ion- free service, perform ing t he desired fram e t ransm ission, and t hen ending it .

Detailed PCF Framing Several fram e t ypes are used exclusively wit hin t he cont ent ion- free period. They com bine, in various st at es, dat a t ransm ission, acknowledgm ent , and polling. This sect ion describes when various fram es are used and how t he different funct ions int eract during fram e exchanges. Cont ent ion- free fram es com bine several funct ions int o a single fram e.

Dat a+ CF- Ack The Dat a+ CF- Ack fram e com bines t wo different funct ions for t ransm ission efficiency. Dat a is t ransm it t ed in t he fram e payload, and t he fram e im plicit ly acknowledges t he receipt of dat a received one short int erfram e space previously. Generally, t he dat a and t he acknowledgm ent are int ended for t wo separat e st at ions. I n Figure 9- 3 , t he cont ent ion- free acknowledgm ent is coupled wit h t he dat a for t ransm ission t o t he access point in t he previous fram e, but t he dat a m ay be int ended for any st at ion on t he 802.11 net work.

Figu r e 9 - 3 . D a t a + CF- Ack u sa ge

This fram e is used only in infrast ruct ure net works because it is t ransm it t ed during t he cont ent ion- free period. I t m ay be t ransm it t ed by eit her t he access point or a m obile st at ion. During t he cont ent ion- free period, however, t he access point is responsible for polling, and it is unlikely t hat it would t ransm it t his fram e subt ype because it does not include a poll.

Dat a+ CF- Poll The Dat a+ CF- Poll fram e is used by access point s in infrast ruct ure net works during t he cont ent ion- free period. When t he access point does not need t o acknowledge any out st anding fram es, it sends a Dat a+ CF- Poll t o t ransm it dat a t o t he recipient and allows t he recipient t o send one buffered fram e in response. The dat a in t he fram e body m ust be int ended for t he recipient of t he poll; t he t wo operat ions cannot be " split " across t wo different receivers. I n Figure 9- 3 , t he access point uses a Dat a+ CF- Poll fram e t o send one fram e t o t he m obile st at ion and t o solicit t he response.

Dat a+ CF- Ack+ CF- Poll The Dat a+ CF- Ack+ CF- Poll fram e is used by access point s in infrast ruct ure net works during t he cont ent ion- free period. When t he access point has dat a t o t ransm it , m ust acknowledge a fram e, and needs t o poll a st at ion on t he polling list , all t he funct ions can be com bined int o one fram e. Figure 9- 4 illust rat es t he usage of Dat a+ CF- Ack+ CF- Poll. As wit h Dat a+ CF- Ack, t he com ponent s of t he Dat a+ CF- Ack+ CF- Poll fram e are generally int ended for different st at ions. The dat a t ransm ission and polling m ust be int ended for t he sam e st at ion, but t he acknowledgm ent is for t he previous t ransm ission.

Figu r e 9 - 4 . Usa ge of D a t a + CF- Ack + CF- Poll

The figure begins wit h m obile st at ion 1 ( MS1) t ransm it t ing a Dat a+ CF- Ack fram e. The Dat a m ust go t o t he access point , but t he CF- Ack is used t o acknowledge t he previous Dat a fram e t ransm it t ed by t he access point . ( That fram e is not shown in t he figure.) Moving down t he polling list , t he access point t hen polls m obile st at ion 2 ( MS2) . However, t he access point m ust acknowledge t he dat a from MS1, which it does by t ransm it t ing a fram e wit h a CF- Ack com ponent . When t he access point also has dat a t o t ransm it , all t hree feat ures can be com bined int o one om nibus fram e. The Dat a and CF- Poll com ponent s are int ended for t he recipient of t he fram e, but t he CF- Ack is int ended for t he t ransm it t er of t he previous fram e. MS1 m ust list en t o t he access point fram es t o not e t he acknowledgm ent .

CF- Ack ( no dat a) When only an acknowledgm ent is required, a header- only fram e wit h j ust t he CF- Ack funct ion can be t ransm it t ed. I n Figure 9- 4 , if MS2 had no dat a t o t ransm it , it would have responded wit h a CF- Ack fram e.

CF- Poll ( no dat a) CF- Poll can also be t ransm it t ed by it self. Nat urally, only access point s perform t his funct ion, so t he CF- Poll fram e is t ransm it t ed only by access point s in infrast ruct ure net works during t he cont ent ion- free period. " Naked" CF- Polls are t ransm it t ed when t he access point has no buffered dat a for t he recipient and does not need t o acknowledge t he receipt of previous fram es. One com m on sit uat ion in which no acknowledgm ent is necessary is when t he access point t ransm it s a CF- Poll and t he polled st at ion has no dat a and does not respond. I f t he access point has no dat a for t he next st at ion on t he polling list , it t ransm it s a CF- Poll, as in Figure 9- 5 .

Figu r e 9 - 5 . CF- Poll fr a m in g u sa ge

I n Figure 9- 5 , t he access point at t em pt s t o t ransm it dat a t o MS1 but does not receive a response. Aft er t he PCF int erfram e space has elapsed, t he access point can proceed down t he polling list t o MS2. No fram e from MS1 needs t o be acknowledged, and if t he access point has no dat a for MS2, it can use a CF- Poll t o allow MS2 t o send dat a.

CF- Ack+ CF- Poll ( no dat a) The final subt ype of Dat a fram e is t he CF- Ack+ CF- Poll, which is also t ransm it t ed by access point s. Like all CF- Poll fram es, it is used only during t he cont ent ion- free period and only by access point s. I t incorporat es t he acknowledgm ent funct ion and t he polling funct ion int o a fram e wit h no dat a. Figure 9- 6 illust rat es it s usage.

Figu r e 9 - 6 . CF- Ack + CF- Poll u sa ge

The scenario is a slight variat ion on t he previous set t ing. I nst ead of a t im eout wait ing for MS1 t o respond, MS1 ret urns a fram e. When t he access point t akes cont rol of t he m edium , it uses a CF- Ack+ CF- Poll t o acknowledge receipt of t he fram e from MS1 and not ifies MS2 t hat it is allowed t o send a fram e.

Contention-Free End (CF-End) When t he cont ent ion- free period ends, t he access point t ransm it s a CF- End fram e t o release st at ions from t he PCF access rules and begin cont ent ion- based service. The form at of t he CF- End fram e is shown in Figure 9- 7 . Four fields m ake up t he MAC header of t he CF- End fram e:

Fram e Cont rol The fram e subt ype is set t o 1110 t o indicat e a CF- End fram e.

Dur at ion CF- End announces t he end of t he cont ent ion- free period and t hus does not need t o ext end t he virt ual carrier sense. Durat ion is set t o 0. St at ions t hat receive t he CF- End fram e cut t he virt ual carrier sense short t o resum e cont ent ion- based access.

Address 1: Receiver Address CF- End is relevant t o t he operat ion of all m obile st at ions, so t he receiver address is t he broadcast address.

Address 2: BSSI D CF- End is announced by t he access point t o all t he st at ions associat ed wit h it s BSS, so t he second address field is t he BSSI D. I n infrast ruct ure net works, t he BSSI D is t he address of t he wireless int erface in t he access point , so t he BSSI D is also t he t ransm it t er address.

Figu r e 9 - 7 . CF- En d fr a m e

CF-End+CF-Ack When t he cont ent ion- free period ends, t he access point t ransm it s a CF- End fram e t o release st at ions from t he PCF access rules and t hen begins cont ent ion- based service using t he DCF. I f t he access point m ust also acknowledge receipt of dat a, it m ay sim ult aneously end t he cont ent ion- free period and acknowledge t he previous fram e by using t he CF- End+ CF- Ack fram e, which com bines bot h funct ions. The form at of t he CF- End+ CF- Ack fram e is shown in Figure 9- 8 . Four fields m ake up t he MAC header of t he CF- End+ CF- Ack fram e:

Fram e Cont rol

The fram e subt ype is set t o 1111 t o indicat e a CF- End+ CF- Ack fram e.

Dur at ion CF- End+ CF- Ack announces t he end of t he cont ent ion- free period and t hus does not need t o ext end t he virt ual carrier sense. Durat ion is set t o 0.

Address 1: Receiver Address CF- End+ CF- Ack is relevant t o t he operat ion of all m obile st at ions, so t he receiver address is t he broadcast address.

Address 2: BSSI D CF- End+ CF- Ack is announced by t he access point t o all t he st at ions associat ed wit h it s BSS, so t he second address field is t he BSSI D. I n infrast ruct ure net works, t he BSSI D is t he address of t he wireless int erface in t he access point , so t he BSSI D is also t he t ransm it t er address.

Figu r e 9 - 8 . CF- En d+ CF- Ack fr a m e

CF Parameter Set Access point s t hat support cont ent ion- free operat ion m ay include t he CF Param et er Set inform at ion elem ent , which is shown in Figure 9- 9 . CF Param et er Set elem ent s are included in Beacon fram es t o keep all m obile st at ions apprised of cont ent ion- free operat ions. They are also included in Probe Response fram es t o allow st at ions t o learn about cont ent ion- free opt ions support ed by a BSS. Four fields m ake up t he CF Param et er Set inform at ion elem ent :

CFP Count This field, which is one byt e in lengt h, t ells how m any DTI M fram es will be t ransm it t ed before t he st art of t he next cont ent ion- free period. Zero indicat es t hat t he current fram e is t he st art of cont ent ion- free service.

CFP Period This one- byt e field indicat es t he num ber of DTI M int ervals bet ween t he st art of cont ent ion- free per iods.

CFP MaxDurat ion This value is t he m axim um durat ion of t he cont ent ion- free period as m easured in t im e unit s ( TUs) . Mobile st at ions use t his value t o set t he NAV t o busy for t he ent ire cont ent ion- free period.

CFP DurRem aining This value is t he num ber of TUs rem aining in t he current cont ent ion- free period. Mobile st at ions use it t o updat e t he NAV t hroughout t he cont ent ion- free period. When DCF- based cont ent ion- free service is provided, it is set t o 0.

Figu r e 9 - 9 . CF Pa r a m e t e r Se t in for m a t ion e le m e n t

Power Management and the PCF Power conservat ion during t he cont ent ion- free period is sim ilar t o power conservat ion during t he cont ent ion- based period, wit h a few m inor except ions. The basic dist inct ion bet ween t he t wo is t hat fram e delivery m ust obey t he PCF rules, so buffered fram es can be delivered only t o CF- Pollable st at ions. St at ions t hat do not support PCF operat ions m ust wait unt il cont ent ion- based service resum es before ret rieving buffered fram es. St at ions on t he polling list are not allowed t o sleep during t he cont ent ion- free period. When t he access point is perform ing it s point coordinat ion funct ions, it m ay poll any st at ion on t he polling list at any t im e. Fram es dest ined for st at ions on t he polling list do not need t o be buffered during t he cont ent ion- free period because t hose st at ions do not sleep. Fram e buffering is ident ical under cont ent ion- free and cont ent ion- based service. By m aint aining power- saving st at us for each st at ion, t he access point can buffer fram es for any st at ion in a lowpower m ode. Broadcast and m ult icast fram es are buffered whenever an associat ed st at ion is in a low- power m ode. I n addit ion t o t he buffer st at us associat ed wit h cont ent ion- free service, t he access point also set s bit s in t he TI M for any st at ion it int ends t o poll. The reason for set t ing t hese bit s is relat ed t o how buffered fram es are delivered. Like cont ent ion- based service, DTI M fram es t rigger t he t ransm ission of broadcast and m ult icast fram es. I f t he t ot al t im e required t o t ransm it m ult icast and broadcast fram es exceeds t he Beacon int erval, t he access point will t ransm it one Beacon int erval's wort h of buffered fram es and st op. Rem aining fram es will, however, cause t he access point t o keep t he bit corresponding t o AI D 0 set . Aft er t ransm it t ing t he buffered broadcast and m ult icast fram es, t he access point goes t hrough t he list of AI Ds whose TI M bit s are set in increasing order and t ransm it s any pending dat a. Transm issions are conduct ed according t o t he rules of t he PCF, so it is not necessary t o include a delay before beginning t ransm ission. St at ions on t he polling list are added t o t he TI M, so t hey will be included in t his process. Mult iple buffered fram es can be t ransm it t ed, but t his is ent irely up t o t he access point im plem ent at ionin cont ent ion- free service, m obile st at ions can t ransm it only when given perm ission by t he access point . A st at ion is not allowed t o resum e sleeping unt il all fram es have been delivered t o it , as indicat ed by a 0 More Dat a bit . When a st at ion is cleared t o resum e sleeping, it sleeps unt il t he next DTI M t ransm ission. DTI M fram es signal t he beginning of t he cont ent ion- free period, so all st at ions t hat im plem ent t he PCF are required t o wake up for every DTI M. I f a st at ion swit ches from a low- power m ode t o t he act ive m ode, any fram es buffered for it are t ransferred t o t he point coordinat ion funct ion for delivery during t he cont ent ion- free period. The t ransfer does not result in im m ediat e delivery, but t he access point can place t he fram es int o a queue for t ransm ission as soon as t he point coordinat ion funct ion perm it s.

Chapter 10. Physical Layer Overview Any girl can be glam orous. All you have t o do is st and st ill and look st upid. Hedy Lam arr Prot ocol layering allows for research, experim ent at ion, and im provem ent on different part s of t he prot ocol st ack. The second m aj or com ponent of t he 802.11 archit ect ure is t he physical layer, which is oft en abbreviat ed PHY. This chapt er int roduces t he com m on t hem es and t echniques t hat appear in each of t he radio- based physical layers and describes t he problem s com m on t o all radio- based physical layers; it is followed by m ore det ailed explanat ions of each of t he physical layers t hat are st andardized for 802.11.

Physical-Layer Architecture The physical layer is divided int o t wo sublayers: t he Physical Layer Convergence Procedure ( PLCP) sublay er and t he Physical Medium Dependent ( PMD) sublayer. The PLCP ( Figure 10- 1) is t he glue bet ween t he fram es of t he MAC and t he radio t ransm issions in t he air. I t adds it s own header. Norm ally, fram es include a pream ble t o help synchronize incom ing t ransm issions. The requirem ent s of t he pream ble m ay depend on t he m odulat ion m et hod, however, so t he PLCP adds it s own header t o any t ransm it t ed fram es. The PMD is responsible for t ransm it t ing any bit s it receives from t he PLCP int o t he air using t he ant enna. The physical layer also incorporat es a clear channel assessm ent ( CCA) funct ion t o indicat e t o t he MAC when a signal is det ect ed.

Figu r e 1 0 - 1 . Ph ysica l la ye r logica l a r ch it e ct u r e

The Radio Link Three physical layers were st andardized in t he init ial revision of 802.11, which was published in 1997: Frequency- hopping ( FH) spread- spect rum radio PHY Direct - sequence ( DS) spread- spect rum radio PHY I nfrared light ( I R) PHY Lat er, t hree furt her physical layers based on radio t echnology were developed: 802.11a: Ort hogonal Frequency Division Mult iplexing ( OFDM) PHY 802.11b: High- Rat e Direct Sequence ( HR/ DS or HR/ DSSS) PHY 802.11g: Ext ended Rat e PHY ( ERP) The fut ure 802.11n, which is colloquially called t he MI MO PHY or t he High- Throughput PHY This book discusses t he physical layers based on radio waves in det ail; it does not discuss t he infrared physical layer, which t o m y knowledge has never been im plem ent ed in a com m ercial pr oduct .

The IR PHY I t is oft en said t hat m icrowave ovens operat e at 2.45 GHz because it corresponds t o a part icular excit at ion m ode of wat er m olecules. This is som et im es even offered as a reason why 802. 11 cannot be used over long dist ances. I f at m ospheric wat er vapor would severely at t enuat e any m icrowave signals in rain or in hum id clim at es, t hen 802.11 is not suit able for use over long dist ances. 802.11 also includes a specificat ion for a physical layer based on infrared ( I R) light . Using infrared light inst ead of radio waves seem s t o have several advant ages. I R port s are less expensive t han radio t ransceiversin fact , t he cost is low enough t hat I R port s are st andard on pract ically every lapt op. I R is ext rem ely t olerant of radio frequency ( RF) int erference because radio waves operat e at a t ot ally different frequency. This leads t o a second advant age: I R is unregulat ed. Product developers do not need t o invest igat e and com ply wit h direct ives from several regulat ory organizat ions t hroughout t he world. Securit y concerns regarding 802.11 are largely based on t he t hreat of unaut horized users connect ing t o a net work. Light can be confined t o a conference room or office by sim ply closing t he door. I R- based LANs can offer som e of t he advant ages of flexibilit y

and m obilit y but wit h fewer securit y concerns. This com es at a price. I R LANs rely on scat t ering light off t he ceiling, so range is m uch short er. This discussion is academ ic, however. No product s have been creat ed based on t he I R PHY. The infrared port s on lapt ops com ply wit h a set of st andards developed by t he I nfrared Dat a Associat ion ( I rDA) , not 802.11. Even if product s were creat ed around t he I R PHY, t he big drivers t o adopt 802.11 are flexibilit y and m obilit y, which are bet t er achieved by radio's longer range and abilit y t o penet rat e opaque obj ect s.

Licensing and Regulation The classic approach t o radio com m unicat ions is t o confine an inform at ion- carrying signal t o a narrow frequency band and pum p as m uch power as possible ( or legally allowed) int o t he signal. Noise is sim ply t he nat urally present dist ort ion in t he frequency band. Transm it t ing a signal in t he face of noise relies on brut e forceyou sim ply ensure t hat t he power of t he t ransm it t ed signal is m uch great er t han t he noise. I n t he classic t ransm ission m odel, avoiding int erference is a m at t er of law, not physics. Wit h high power out put in narrow bands, a legal aut horit y m ust im pose rules on how t he RF spect rum is used. I n t he Unit ed St at es, t he Federal Com m unicat ions Com m ission ( FCC) is responsible for regulat ing t he use of t he RF spect rum . Many FCC rules are adopt ed by ot her count ries t hroughout t he Am ericas. European allocat ion is perform ed by t he European Radiocom m unicat ions Office ( ERO) and t he European Telecom m unicat ions St andards I nst it ut e ( ETSI ) . I n Japan, t he Minist ry of I nt ernal Com m unicat ions ( MI C) regulat es radio usage. Worldwide " harm onizat ion" work is oft en done under t he auspices of t he I nt ernat ional Telecom m unicat ions Union ( I TU) . Many nat ional regulat ors will adopt I TU recom m endat ions. For t he m ost part , an inst it ut ion m ust have a license t o t ransm it at a given frequency. Licenses can rest rict t he frequencies and t ransm ission power used, as well as t he area over which radio signals can be t ransm it t ed. For exam ple, radio broadcast st at ions m ust have a license from t he FCC. Likewise, m obile t elephone net works m ust obt ain licenses t o use t he radio spect rum in a given m arket . Licensing guarant ees t he exclusive use of a part icular set of frequencies. When licensed signals are int erfered wit h, t he license holder can dem and t hat a regulat ory aut horit y st ep in and resolve t he problem , usually by shut t ing down t he source of int erference. I nt ent ional int erference is equivalent t o t respassing, and m ay be subj ect t o crim inal or civil penalt ies.

Frequency allocation and unlicensed frequency bands Radio spect rum is allocat ed in bands dedicat ed t o a part icular purpose. A band defines t he frequencies t hat a part icular applicat ion m ay use. I t oft en includes guard bands, which are unused port ions of t he overall allocat ion t hat prevent ext raneous leakage from t he licensed t ransm ission from affect ing anot her allocat ed band. Several bands have been reserved for unlicensed use. For exam ple, m icrowave ovens operat e at 2.45 GHz, but t here is lit t le sense in requiring hom eowners t o obt ain perm ission from t he FCC t o operat e m icrowave ovens in t he hom e. To allow consum er m arket s t o develop around devices built for hom e use, t he FCC ( and it s count erpart s in ot her count ries) designat ed cert ain bands for t he use of " indust rial, scient ific, and m edical" equipm ent . These frequency bands are com m only referred t o as t he I SM bands. The 2.4- GHz band is available worldwide for unlicensed use. [ * ] Unlicensed use, however, is not t he sam e as unlicensed sale. Building, m anufact uring, and designing 802.11 equipm ent does require a license; every 802.11 card legally sold in t he U.S. carries an FCC

ident ificat ion num ber. The licensing process requires t he m anufact urer t o file a fair am ount of inform at ion wit h t he FCC. Much t his inform at ion is a m at t er of public record and can be looked up online by using t he FCC ident ificat ion num ber. [*]

The 2.4-GHz ISM band is reserved by the FCC rules (Title 47 of the Code of Federal Regulations), part 15.247. ETSI reserved the same spectrum in ETSI Technical Specifications (ETS) 300-328.

The Nonexistent Microwave Absorption Peak of Water Spread spect rum was pat ent ed in t he early 1940s by Aust rian- born act ress Hedy Lam arr. She was cert ainly bet t er known for ot her reasons: appearing in t he first nude scene on film in t he Czech film Ecst asy, her lat er billing as " t he m ost beaut iful wom an in t he world" by Hollywood m agnat e Louis Mayer, and as t he m odel for Cat wom an in t he Bat m an com ics. I t is oft en said t hat m icrowave ovens operat e at 2.45 GHz because it corresponds t o a part icular excit at ion m ode of wat er m olecules. This is som et im es even offered as a reason why 802. 11 cannot be used over long dist ances. I f at m ospheric wat er vapor would severely at t enuat e any m icrowave signals in rain or in hum id clim at es, t hen 802.11 is not suit able for use over long dist ances. The exist ence of a wat er excit at ion m ode in t he m icrowave range is a m yt h. I f t here was an excit at ion m ode, wat er would absorb a significant am ount of t he m icrowave energy. And if t hat energy was absorbed effect ively by wat er, m icrowave ovens would be unable t o heat anyt hing ot her t han t he wat er near t he surface of food, which would absorb all t he energy, leaving t he cent er cold and raw. An absorpt ion peak would also m ean t hat at m ospheric wat er vapor would disrupt sat ellit e com m unicat ions, which is not an observed phenom enon. NASA Reference Publicat ion 1108( 02) , Propagat ion Effect s on Sat ellit e Syst em s at Frequencies Below 10 GHz, discusses t he expect ed signal loss due t o at m ospheric effect s, and t he loss is m uch m ore pronounced at frequencies above 10 GHz. The absorpt ion peak for wat er, for exam ple, is at 22.2 GHz. Microwave ovens do not work by m oving wat er m olecules int o an excit ed st at e. I nst ead, t hey exploit t he unusually st rong dipole m om ent of wat er. Alt hough elect rically neut ral, t he dipole m om ent allows a wat er m olecule t o behave as if it were com posed of sm all posit ive and negat ive charges at eit her end of a rod. I n t he cavit y of a m icrowave oven, t he changing elect ric and m agnet ic fields t wist t he wat er m olecules back and fort h. Twist ing excit es t he wat er m olecules by adding kinet ic energy t o t he ent ire m olecule but does not change t he excit at ion st at e of t he m olecule or any of it s com ponent s.

Use of equipm ent in t he I SM bands is generally license- free, provided t hat devices operat ing in t hem do not em it significant am ount s of radiat ion. Microwave ovens are high- powered devices, but t hey have ext ensive shielding t o rest rict radio em issions. Unlicensed bands have seen a great deal of act ivit y in t he past t hree years as new com m unicat ions t echnologies have been developed t o exploit t he unlicensed band. Users can deploy new devices t hat operat e in t he I SM bands wit hout going t hrough any licensing procedure, and m anufact urers do not need t o be fam iliar wit h t he licensing procedures and requirem ent s. At t he t im e t his book was writ t en, a num ber of new com m unicat ions syst em s were being developed for t he 2.4- GHz I SM band: The variant s of 802.11 t hat operat e in t he band ( t he frequency- hopping layer, bot h direct sequence layers, and t he OFDM layer)

Bluet oot h, a short - range wireless com m unicat ions prot ocol developed by an indust ry consort ium led by Ericsson Spread- spect rum cordless phones int roduced by several cordless phone m anufact urers X10, a prot ocol used in hom e aut om at ion equipm ent t hat can use t he I SM band for video t ransm ission Unfort unat ely, " unlicensed" does not necessarily m ean " plays well wit h ot hers." All t hat unlicensed devices m ust do is obey lim it at ions on t ransm it t ed power. No regulat ions specify coding or m odulat ion, so it is not difficult for different vendors t o use t he spect rum in incom pat ible ways. As a user, t he only way t o resolve t his problem is t o st op using one of t he devices; because t he devices are unlicensed, regulat ory aut horit ies will not st ep in.

Other unlicensed bands Addit ional spect rum is available in t he 5 GHz range. The Unit ed St at es was t he first count ry t o allow unlicensed device use in t he 5 GHz range, t hough bot h Japan and Europe followed. [ * ] There is a large swat h of spect rum available in various count ries around t he world: [*]

Europe is obviously not a single country, but there is a European-wide spectrum regulator.

4.92- 4.98 GHz ( Japan) 5.04- 5.08 GHz ( Japan) 5.15- 5.25 GHz ( Unit ed St at es, Japan) 5.25- 5.35 GHz ( Unit ed St at es) 5.47- 5.725 GHz ( Unit ed St at es, Europe) 5.725- 5.825 GHz ( Unit ed St at es) Devices operat ing in 5 GHz range m ust obey lim it at ions on channel widt h and radiat ed power, but no furt her const raint s are im posed. Japanese regulat ions specify narrower channels t han eit her t he U.S. or Europe.

Spread Spectrum Spread- spect rum t echnology is t he foundat ion used t o reclaim t he I SM bands for dat a use. Tradit ional radio com m unicat ions focus on cram m ing as m uch signal as possible int o as narrow a band as possible. Spread spect rum works by using m at hem at ical funct ions t o diffuse signal power over a large range of frequencies. When t he receiver perform s t he inverse operat ion, t he sm earedout signal is reconst it ut ed as a narrow- band signal, and, m ore im port ant ly, any narrow- band noise is sm eared out so t he signal shines t hrough clearly. Use of spread- spect rum t echnologies is a requirem ent for unlicensed devices. I n som e cases, it is a requirem ent im posed by t he regulat ory aut horit ies; in ot her cases, it is t he only pract ical way t o m eet regulat ory requirem ent s. As an exam ple, t he FCC requires t hat devices in t he I SM band use spread- spect rum t ransm ission and im pose accept able ranges on several param et ers.

Spreading t he t ransm ission over a wide band m akes t ransm issions look like noise t o a t radit ional narrowband receiver. Som e vendors of spread- spect rum devices claim t hat t he spreading adds securit y because narrowband receivers cannot be used t o pick up t he full signal. Any st andardized spread- spect rum receiver can easily be used, t hough, so addit ional securit y m easures are m andat ory in nearly all environm ent s. This does not m ean t hat spread spect rum is a " m agic bullet " t hat elim inat es int erference problem s. Spread- spect rum devices can int erfere wit h ot her com m unicat ions syst em s, as well as wit h each ot her; and t radit ional narrow- spect rum RF devices can int erfere wit h spread spect rum . Alt hough spread spect rum does a bet t er j ob of dealing wit h int erference wit hin ot her m odulat ion t echniques, it doesn't m ake t he problem go away. As m ore RF devices ( spread- spect rum or ot herwise) occupy t he area t hat your wireless net work covers, you'll see t he noise level go up, t he signal- t o- noise rat io decrease, and t he range over which you can reliably com m unicat e drop. To m inim ize int erference bet ween unlicenced devices, t he FCC im poses lim it at ions on t he power of spread- spect rum t ransm issions. The legal lim it s are one wat t of t ransm it t er out put power and four wat t s of effect ive radiat ed power ( ERP) . Four wat t s of ERP are equivalent t o 1 wat t wit h an ant enna syst em t hat has 6- dB gain, or 500 m illiwat t s wit h an ant enna of 10- dB gain, et c. [ * ] The t ransm it t ers and ant ennas in PC Cards are obviously well wit hin t hose lim it sand you're not get t ing close even if you use a com m ercial ant enna. But it is possible t o cover larger areas by using an ext ernal am plifier and a higher- gain ant enna. There's no fundam ent al problem wit h doing t his, but you m ust m ake sure t hat you st ay wit hin t he FCC's power regulat ions. [*]

Remember that the transmission line is part of the antenna system, and the system gain includes transmission line losses. So an antenna with 7.5-dB gain and a transmission line with 1.5-dB loss has an overall system gain of 6 dB. It's worth noting that transmission line losses at UHF freqencies are often very high; as a result, you should keep your amplifier as close to the antenna as possible.

The Unlikely Invention of Spread Spectrum Spread spect rum was pat ent ed in t he early 1940s by Aust rian- born act ress Hedy Lam arr. She was cert ainly bet t er known for ot her reasons: appearing in t he first nude scene on film in t he Czech film Ecst asy, her lat er billing as " t he m ost beaut iful wom an in t he world" by Hollywood m agnat e Louis Mayer, and as t he m odel for Cat wom an in t he Bat m an com ics. Before fleeing t he advance of Nazi Germ any, she was m arried t o an Aust rian arm s m erchant . While occupying t he only socially accept able role available t o her as a host ess and ent ert ainer of her husband's business client s, she learned t hat radio rem ot e cont rol of t orpedoes was a m aj or area of research for arm am ent s vendors. Unfort unat ely, narrowband radio com m unicat ions were subj ect t o j am m ing, which neut ralized t he advant age of radio- guided weapons. From t hese discussions, she first hit on t he idea of using a com plex but predet erm ined hopping pat t ern t o m ove t he frequency of t he cont rol signal around. Even if short burst s on a single frequency could be j am m ed, t hey would m ove around quickly enough t o prevent t ot al blockage. Lam arr worked out everyt hing except how t o precisely cont rol t he frequency hops. Aft er arriving in t he Unit ed St at es, she m et George Ant heil, an avant - garde Am erican com poser known as t he " bad boy of m usic" for his dissonant st yle. His fam ous Ballet m écanique used ( am ong m any out rageous noisem akers) 16 player pianos cont rolled from a single locat ion. Perform ing t he piece required precisely cont rolled t im ing bet ween dist ribut ed elem ent s, which was Lam arr's only rem aining challenge in cont rolling t he hopping pat t ern. Toget her, t hey were grant ed U.S. pat ent num ber 2,292,387 in 1942. The pat ent expired in 1959 wit hout earning a cent for eit her of t hem , and Lam arr's

cont ribut ions went unacknowledged for m any years because t he nam e on t he pat ent was Hedy Kiesler Markey, her m arried nam e at t he t im e. The em erging wireless LAN m arket in t he lat e 1990s led t o t he rediscovery of her invent ion and widespread recognit ion for t he pioneering work t hat laid t he foundat ion for m odern t elecom m unicat ions. Frequency- hopping t echniques were first used by U.S. ships blockading Cuba during t he Cuban Missile Crisis. I t t ook m any years for t he elect ronics underpinning spreadspect rum t echnology t o becom e com m ercially viable. Now t hat t hey have, spreadspect rum t echnologies are used in cordless and m obile phones, high- bandwidt h wireless LAN equipm ent , and every device t hat operat es in t he unlicensed I SM bands. Unfort unat ely, Hedy Lam arr died in early 2000, j ust as t he wireless LAN m arket was gaining m ainst ream at t ent ion.

Types of spread spectrum The radio- based physical layers in 802.11 use t hree different spread- spect rum t echniques:

Frequency hopping ( FH or FHSS) Frequency- hopping syst em s j um p from one frequency t o anot her in a random pat t ern, t ransm it t ing a short burst at each subchannel. The 2- Mbps FH PHY is specified in clause 14.

Direct sequence ( DS or DSSS) Direct - sequence syst em s spread t he power out over a wider frequency band using m at hem at ical coding funct ions. Two direct - sequence layers were specified. The init ial specificat ion in clause 15 st andardized a 2- Mbps PHY, and 802.11b added clause 18 for t he HR/ DSSS PHY.

Ort hogonal Frequency Division Mult iplexing ( OFDM) OFDM divides an available channel int o several subchannels and encodes a port ion of t he signal across each subchannel in parallel. The t echnique is sim ilar t o t he Discret e Mult i- Tone ( DMT) t echnique used by som e DSL m odem s. Clause 17, added wit h 802.11a, specifies t he OFDM PHY. Clause 18, added in 802.11g, specifies t he ERP PHY, which is essent ially t he sam e but operat ing at a lower frequency. Frequency- hopping syst em s are t he cheapest t o m ake. Precise t im ing is needed t o cont rol t he frequency hops, but sophist icat ed signal processing is not required t o ext ract t he bit st ream from t he radio signal. Direct - sequence syst em s require m ore sophist icat ed signal processing, which t ranslat es int o m ore specialized hardware and higher elect rical power consum pt ion. Direct - sequence t echniques also allow a higher dat a rat e t han frequency- hopping syst em s.

RF Propagation with 802.11 I n fixed net works, signals are confined t o wire pat hways, so net work engineers do not need t o know anyt hing about t he physics of elect rical signal propagat ion. I nst ead, t here are a few rules used t o calculat e m axim um cable lengt h, and as long as t he rules are obeyed, problem s are rare. RF propagat ion is not anywhere near as sim ple.

Signal Reception and Performance Space is full of random elect rom agnet ic waves, which can easily be heard by t uning a radio t o an unused frequency. Radio com m unicat ion depends on m aking a signal int elligible over t he background noise. As condit ions for recept ion degrade, t he signal get s closer t o t he noise floor. Perform ance is det erm ined largely by t he t he m ost im port ant fact or, t he signal- t o- noise rat io ( SNR) . I n Figure 10- 2, t he SNR is illust rat ed by t he height of t he peak of t he signal above t he noise floor.

Figu r e 1 0 - 2 . Sign a l- t o- n oise r a t io a n d t h e n oise floor

Having a st rong signal is im port ant , but not t he whole st ory. St rong signals can be hard t o pick out of noisy environm ent s. I n som e sit uat ions, it m ay be possible t o raise t he power t o com pensat e for a high noise floor. Unlicensed net works have only lim it ed abilit y t o raise power because of t ight regulat ory const raint s. As a result , m ore effort is placed on int roducing as lit t le addit ional noise as possible before at t em pt ing t o decode t he radio signal.

The Shannon limit I nt erest ingly enough, t here is no t heoret ical m axim um t o t he am ount of dat a t hat can be carried by a radio channel. The capacit y of a com m unicat ions channel is given by t he Shannon- Hart ley t heorem , which was proved by Bell Labs researcher Claude Shannon in 1948. The t heorem expresses t he m at hem at ical lim it of t he capacit y of a com m unicat ions channel, which is nam ed aft er t he t heorem and is oft en called t he Shannon lim it or t he Shannon capacit y . The original Shannon t heorem expressed t he m axim um capacit y C bit s per second as a funct ion of t he bandwidt h W in Hert z, and t he absolut e rat io of signal power t o noise. I f t he gain is m easured in decibels, sim ply solve t he

equat ion t hat defines a decibel for t he power rat io for t he second form . Figure 10- 3 shows t he Shannon lim it as a funct ion of t he signal- t o- noise rat io. Shannon's t heorem reflect s a t heoret ical realit y of an unlim it ed bit rat e. To get t o an unlim it ed bit rat e, t he code designer can require an arbit rarily large num ber of signal levels t o dist inguish bet ween bit s, but t he fine dist inct ions bet ween t he arbit rarily close signal rat es will be swam ped by t he noise. One of t he m aj or goals for 802.11 PHY designers is t o design encoding rat es as close t o t he Shannon lim it as possible. Alt ernat ively, t he Shannon t heorem can be used t o prescribe t he m inim um t heoret ical signal t o noise rat io t o at t ain a given dat a rat e. Solve t he previous equat ions for t he signal t o noise rat io: S/ N = 2 ^ ( C/ W) - 1 ( S/ N as power rat io) SNR = 10 * log10 ( 2 ^ ( C/ W) - 1) ( SNR as dB)

Figu r e 1 0 - 3 . Sh a n n on lim it a s a fu n ct ion of SN R

Take 802.11a as an exam ple. A single 20 MHz channel can carry a signal at a dat a rat e up t o 54 Mbps. Solving for t he required signal- t o- noise rat io yields 7.4 dB, which is m uch lower t han what is required by m ost real product s on t he m arket , reflect ing t he need of product s t o work in t he realworld wit h m uch worse t han ideal perform ance. [ * ] [*]

Or, as another example, the telephone network makes channels with a frequency band of 180 Hz to 3.2 kHz, at a signal-tonoise ratio of 45 dB. That makes the maximum theoretical speed of an analog signal about 45 kbps. The trick behind the 56 kbps modem is that the downstream path is all digital, and as a result has a higher signal-to-noise ratio.

Decibels and Signal Strength Am plifiers m ay boost signals by orders of m agnit ude. Rat her t han keep t rack of all t hose zeroes, am plifier power is m easured in decibels ( dB) . dB = 10 x log 10 ( power out / power in) Decibel rat ings are posit ive when t he out put is larger t han t he input and negat ive when t he out put is sm aller t han t he input . Each 10- dB change corresponds t o a fact or of 10, and 3- dB changes are a fact or of 2. Thus, a 33- dB change corresponds t o a fact or of 2000: 33 dB = 10 dB + 10 dB + 10 dB + 3 dB = 10 x 10 x 10 x 2 = 2000 Power is som et im es m easured in dBm , which st ands for dB above one m illiwat t . To find t he dBm rat io, sim ply use 1 m W as t he input power in t he first equat ion. I t is helpful t o rem em ber t hat doubling t he power is a 3- dB increase. A 1- dB increase is roughly equivalent t o a power increase of 25% . Wit h t hese num bers in m ind, you can quickly perform m ost gain calculat ions in your head.

Path Loss, Range, and Throughput I n 802.11, t he speed of t he net work depends on range. Several m odulat ion t ypes are defined by t he various 802.11 st andards, ranging in speed from 1 Mbps t o 54 Mbps. Receiver circuit s m ust dist inguish bet ween st at es t o ext ract bit s from radio waves. Higher speed m odulat ions pack m ore bit s int o a given t im e int erval, and require a cleaner signal ( and t hus higher signal- t o- noise rat io) t o successfully decode. As radio signals t ravel t hrough space, t hey degrade. For t he m ost part , t he noise floor will be relat ively const ant over t he lim it ed range of an 802.11 net work. Over dist ance, t he degradat ion of t he signal will lim it t he signal- t o- noise rat io at t he receiver. As a st at ion st rays fart her from an access point , t he signal level drops; wit h a const ant noise floor, t he degraded signal will result in a degraded signal t o noise rat io. Figure 10- 4 illust rat es t his concept . As range from t he access point increases, t he received signal get s closer t o t he noise floor. St at ions t hat are closer have higher signal t o noise rat ios. As a m at t er of net work engineering, when t he signal- t o- noise rat io get s t oo sm all t o support a high dat a rat e, t he st at ion will fall back t o a lower dat a rat e wit h less dem anding signal- t o- noise rat io requirem ent s.

Figu r e 1 0 - 4 . Th r ou gh pu t ve r su s dist a n ce

When t here are no obst acles t o obst ruct t he radio wave, t he signal degradat ion can be calculat ed wit h t he following equat ion. The loss in free- space is som et im es called t he pat h loss because it is t he m inim um loss t hat would be expect ed along a pat h wit h a given lengt h. Pat h loss depends on t he dist ance and t he frequency of t he radio wave. Higher dist ances and higher frequencies lead t o higher pat h loss. One reason why 802.11a has short er range t han 802.11b and 802.11g is t hat t he pat h loss is m uch higher at t he 5 GHz used by 802.11a. The equat ion for free- space pat h loss is: Pat h loss ( dB) = 32.5 + 20 log F + log d where t he frequency F is expressed in GHz, and t he dist ance d is expressed in m et ers. Pat h loss is not , however, t he only det erm inant of range. Obst acles such as walls and windows will reduce t he signal, and ant ennas and am plifiers m ay be used t o boost t he signal, which com pensat es for t ransm ission losses. Range calculat ions oft en include a fudge fact or called t he link m argin t o account for unforeseen losses. Tot al loss = TX power + TX ant enna gain - pat h loss - obst acle loss - link m argin + RX ant enna gain

Multipath Interference Alt hough t here is a relat ively sim ple equat ion for predict ing radio propagat ion, it is only an est im at e for 802.11 net works. I n addit ion t o st raight - line pat h losses, t here are ot her phenom ena t hat can inhibit signal recept ion wit h 802.11. One of t he m aj or problem s t hat plague radio net works is m ult ipat h fading. Waves are added by superposit ion. When m ult iple waves converge on a point , t he t ot al wave is sim ply t he sum of any com ponent waves. Figure 10- 5 shows a few exam ples of superposit ion.

Figu r e 1 0 - 5 . W a ve com bin a t ion by su pe r posit ion

I n Figure 10- 5 ( c) , t he t wo waves are alm ost exact ly t he opposit e of each ot her, so t he net result is alm ost not hing. Unfort unat ely, t his result is m ore com m on t han you m ight expect in wireless net works. Most 802.11 equipm ent uses om nidirect ional ant ennas, so RF energy is radiat ed in every direct ion. Waves spread out ward from t he t ransm it t ing ant enna in all direct ions and are reflect ed by surfaces in t he area. Figure 10- 6 shows a highly sim plified exam ple of t wo st at ions in a rect angular area wit h no obst ruct ions.

Figu r e 1 0 - 6 . M u lt iple pa t h s

This figure shows t hree pat hs from t he t ransm it t er t o t he receiver. The wave at t he receiver is t he sum of all t he different com ponent s. I t is cert ainly possible t hat t he pat hs shown in Figure 10- 6 will all com bine t o give a net wave of 0, in which case t he receiver will not underst and t he t ransm ission because t here is no t ransm ission t o be received.

Because t he int erference is a delayed copy of t he sam e t ransm ission on a different pat h, t he phenom enon is called m ult ipat h fading or m ult ipat h int erference. I n m any cases, m ult ipat h int erference can be resolved by changing t he orient at ion or posit ion of t he receiver.

Inter-Symbol Interference (ISI) Mult ipat h fading is a special case of int er- sym bol int erference. Waves t hat t ake different pat hs from t he t ransm it t er t o t he receiver will t ravel different dist ances and be delayed wit h respect t o each ot her, as in Figure 10- 7. Once again, t he t wo waves com bine by superposit ion, but t he effect is t hat t he t ot al waveform is garbled. I n real- world sit uat ions, wavefront s from m ult iple pat hs m ay be added. The t im e bet ween t he arrival of t he first wavefront and t he last m ult ipat h echo is called t he delay spread. Longer delay spreads require m ore conservat ive coding m echanism s. 802.11b net works can handle delay spreads of up t o 500 ns, but perform ance is m uch bet t er when t he delay spread is lower. When t he delay spread is large, m any cards will reduce t he t ransm ission rat e; several vendors claim t hat a 65- ns delay spread is required for full- speed 11- Mbps perform ance at a reasonable fram e error rat e. ( Discussion of reading t he specificat ion sheet s is found in Chapt er 16.) Analysis t ools can be used t o m easure t he delay spread.

Figu r e 1 0 - 7 . I n t e r - sym bol in t e r fe r e n ce

RF Engineering for 802.11 802.11 has been adopt ed at a st unning rat e. Many net work engineers accust om ed t o signals flowing along well- defined cable pat hs are now faced wit h a LAN t hat runs over a noisy, error- prone, quirky radio link. I n dat a net working, t he success of 802.11 has inexorably linked it wit h RF engineering. A t rue int roduct ion t o RF engineering requires at least one book, and probably several. For t he lim it ed purposes I have in m ind, t he m assive t opic of RF engineering can be divided int o t wo part s: how t o m ake radio waves and how radio waves m ove.

RF Components RF syst em s com plem ent wired net works by ext ending t hem . Different com ponent s m ay be used depending on t he frequency and t he dist ance t hat signals are required t o reach, but all syst em s are fundam ent ally t he sam e and m ade from a relat ively sm all num ber of dist inct pieces. Two RF com ponent s are of part icular int erest t o 802.11 users: ant ennas and am plifiers. Ant ennas are of general int erest since t hey are t he m ost t angible feat ure of an RF syst em . Am plifiers com plem ent ant ennas by allowing t he ant ennas t o pum p out m ore power, which m ay be of int erest depending on t he t ype of 802.11 net work you are building.

Antennas Ant ennas are t he m ost crit ical com ponent of any RF syst em because t hey convert elect rical signals on wires int o radio waves and vice versa. I n block diagram s, ant ennas are usually represent ed by a t riangular shape, as shown in Figure 10- 8.

Figu r e 1 0 - 8 . An t e n n a r e pr e se n t a t ion s in dia gr a m s

To funct ion at all, an ant enna m ust be m ade of conduct ing m at erial. Radio waves hit t ing an ant enna cause elect rons t o flow in t he conduct or and creat e a current . Likewise, applying a current t o an ant enna creat es an elect ric field around t he ant enna. As t he current t o t he ant enna changes, so does t he elect ric field. A changing elect ric field causes a m agnet ic field, and t he wave is off. The size of t he ant enna you need depends on t he frequency: t he higher t he frequency, t he sm aller t he ant enna. The short est sim ple ant enna you can m ake at any frequency is 1/ 2 wavelengt h long ( alt hough ant enna engineers can play t ricks t o reduce ant enna size furt her) . This rule of t hum b account s for t he huge size of radio broadcast ant ennas and t he sm all size of m obile phones. An AM

st at ion broadcast ing at 830 kHz has a wavelengt h of about 360 m et ers and a correspondingly large ant enna, but an 802.11b net work int erface operat ing in t he 2.4- GHz band has a wavelengt h of j ust 12.5 cent im et ers. Wit h som e engineering t ricks, an ant enna can be incorporat ed int o a PC Card or around t he lapt op LCD screen, and a m ore effect ive ext ernal ant enna can easily be carried in a backpack or com put er bag. Ant ennas can also be designed wit h direct ional preference. Many ant ennas are om nidirect ional, which m eans t hey send and receive signals from any direct ion. Som e applicat ions m ay benefit from direct ional ant ennas, which radiat e and receive on a narrower port ion of t he field. Figure 10- 9 com pares t he radiat ed power of om nidirect ional and direct ional ant ennas.

Figu r e 1 0 - 9 . Ra dia t e d pow e r for om n idir e ct ion a l a n d dir e ct ion a l a n t e n n a s

For a given am ount of input power, a direct ional ant enna can reach fart her wit h a clearer signal. They also have m uch higher sensit ivit y t o radio signals in t he dom inant direct ion. When wireless links are used t o replace wireline net works, direct ional ant ennas are oft en used. Mobile t elephone net work operat ors also use direct ional ant ennas when cells are subdivided. 802.11 net works t ypically use om nidirect ional ant ennas for bot h ends of t he connect ion, alt hough t here are except ionspart icularly if you want t he net work t o span a longer dist ance. Also, keep in m ind t hat t here is no such t hing as a t ruly om nidirect ional ant enna. We're accust om ed t o t hinking of vert ically m ount ed ant ennas as om nidirect ional because t he signal doesn't vary significant ly as you t ravel around t he ant enna in a horizont al plane. But if you look at t he signal radiat ed vert ically ( i.e., up or down) from t he ant enna, you'll find t hat it 's a different st ory. And t hat part of t he st ory can becom e im port ant if you're building a net work for a college or corporat e cam pus and want t o locat e ant ennas on t he t op floors of your buildings. Of all t he com ponent s present ed in t his sect ion, ant ennas are t he m ost likely t o be separat ed from t he rest of t he elect ronics. I n t his case, you need a t ransm ission line ( som e kind of cable) bet ween t he ant enna and t he t ransceiver. Transm ission lines usually have an im pedance of 50 ohm s. I n t erm s of pract ical ant ennas for 802.11 devices in t he 2.4- GHz band, t he t ypical wireless PC Card has an ant enna built in. Built - in ant ennas work, but t hey will never be anyt hing t o writ e hom e about . At best , t he built in ant enna in a PC card is m ediocre. Larger ant ennas perform bet t er. Som e PC Card 802.11 int erfaces have ext ernal ant enna j acks. Wit h an opt ional ext ernal ant enna, t he card has bet t er perform ance, at t he cost of aest het ic qualit y. I n response t o t he need for im proved ant enna perform ance wit hout ugly space- consum ing ext ernal ant ennas, m any lapt ops now use an ant enna built int o t he fram e around t he lapt op screen.

Amplifiers

Am plifiers m ake signals bigger. Signal boost , or gain, is m easured in decibels ( dB) . Am plifiers can be broadly classified int o t hree cat egories: low- noise, high- power, and everyt hing else. Low- noise am plifiers ( LNAs) are usually connect ed t o an ant enna t o boost t he received signal t o a level t hat is recognizable by t he elect ronics t he RF syst em is connect ed t o. LNAs are also rat ed for noise fact or, which is t he m easure of how m uch ext raneous inform at ion t he am plifier int roduces. Sm aller noise fact ors allow t he receiver t o hear sm aller signals and t hus allow for a great er range. High- power am plifiers ( HPAs) are used t o boost a signal t o t he m axim um power possible before t ransm ission. Out put power is m easured in dBm , which are relat ed t o wat t s ( see t he " Decibels and Signal St rengt h" sidebar earlier in t his chapt er) . Am plifiers are subj ect t o t he laws of t herm odynam ics, so t hey give off heat in addit ion t o am plifying t he signal. The t ransm it t er in an 802.11 PC Card is necessarily low- power because it needs t o run off a bat t ery if it 's inst alled in a lapt op, but it 's possible t o inst all an ext ernal am plifier at fixed access point s, which can be connect ed t o t he power grid where power is m ore plent iful. This is where t hings can get t ricky wit h respect t o com pliance wit h regulat ions. 802.11 devices are lim it ed t o one wat t of power out put and four wat t s effect ive radiat ed power ( ERP) . ERP m ult iplies t he t ransm it t er's power out put by t he gain of t he ant enna m inus t he loss in t he t ransm ission line. So if you have a 1- wat t am plifier, an ant enna t hat gives you 8 dB of gain, and 2 dB of t ransm ission line loss, you have an ERP of 4 wat t s; t he t ot al syst em gain is 6 dB, which m ult iplies t he t ransm it t er's power by a fact or of 4.

Chapter 11. The Frequency-Hopping (FH) PHY Of all t he physical layers st andardized in t he first draft of 802.11 in 1997, t he frequency- hopping spread spect rum ( FH or FHSS) layer was t he first layer t o see widespread deploym ent . The elect ronics used t o support FH m odulat ion are relat ively cheap and do not have high power requirem ent s. I nit ially, t he m ain advant age t o using frequency- hopping net works was t hat a great er num ber of net works could coexist , and t he aggregat e t hroughput of all t he net works in a given area was high. At t his point , however, FH net works are largely a foot not e in t he hist ory of 802.11. Alt hough it is a st andard, only one vendor st ill m anufact ures and sells frequency- hopping syst em s, and t hey are being phased out . Higher- t hroughput specificat ions have dem olished t he advant age of aggregat e t hroughput , and newer chipset s are less power- hungry. This chapt er describes t he basic concept s used by t he frequency- hopping PHY and t he m odulat ion t echniques used. I t also shows how t he physical layer convergence procedure prepares fram es for t ransm ission on t he radio link and t ouches briefly on a few det ails of t he physical m edium it self. At t his point , t he FH PHY is largely a foot not e in t he hist ory of 802.11, so you m ay want t o skip t his chapt er and m ove ahead t o t he next sect ion on t he direct - sequence PHY. However, underst anding how 802.11 t echnology developed will give you a bet t er feeling for how all t he pieces fit t oget her.

Frequency-Hopping Transmission Frequency hopping depends on rapidly changing t he t ransm ission frequency in a predet erm ined, pseudorandom pat t ern, as illust rat ed in Figure 11- 1. The vert ical axis of t he graph divides t he available frequency int o a num ber of slot s. Likewise, t im e is divided int o a series of slot s. A hopping pat t ern cont rols how t he slot s are used. I n t he figure, t he hopping pat t ern is { 2,8,4,6} . Tim ing t he hops accurat ely is t he key t o success; bot h t he t ransm it t er and receiver m ust be synchronized so t he receiver is always list ening on t he t ransm it t er's frequency.

Figu r e 1 1 - 1 . Fr e qu e n cy h oppin g

Frequency hopping is sim ilar t o frequency division m ult iple access ( FDMA) but wit h an im port ant t wist . I n FDMA syst em s, each device is allocat ed a fixed frequency. Mult iple devices share t he available radio spect rum by using different frequencies. I n frequency- hopping syst em s, t he frequency is t im e- dependent rat her t han fixed. Each frequency is used for a sm all am ount of t im e, called t he dwell t im e. Am ong ot her t hings, frequency hopping allows devices t o avoid int erfering wit h prim ary users assigned t o t he sam e frequency band. I t works because prim ary users are assigned narrow frequency bands and t he right t o t ransm it at a power high enough t o override t he wireless LAN. Any int erference caused by t he secondary user t hat affect s t he prim ary user is t ransient because t he hopping sequence spreads t he energy out over a wide band. [ * ] Likewise, t he prim ary user only knocks out one of t he spread- spect rum device's slot s and looks like t ransient noise. Figure 11- 2 shows t he result when frequency slot 7 is given t o a prim ary user. Alt hough t he t ransm ission in t he fourt h t im e slot is corrupt ed, t he ot her t hree t ransm issions succeed. [*]

If the primary user of a frequency band notices interference from secondary users, regulators can (and will) step in to shut down the secondary user, hence the low power used by spread-spectrum modulation techniques.

I f t wo frequency- hopping syst em s need t o share t he sam e band, t hey can be configured wit h different hopping sequences so t hey do not int erfere wit h each ot her. During each t im e slot , t he t wo hopping sequences m ust be on different frequency slot s. As long as t he syst em s st ay on different frequency slot s, t hey do not int erfere wit h each ot her, as shown in Figure 11- 3. The gray rect angles have a hopping sequence of { 2,8,4,7} , as in t he previous figures. A second syst em wit h a hopping

sequence of { 6,3,7,2} is added. Hopping sequences t hat do not overlap are called ort hogonal. When m ult iple 802.11 net works are configured in a single area, ort hogonal hopping sequences m axim izes t hroughput .

Figu r e 1 1 - 2 . Avoidin g in t e r fe r e n ce w it h fr e qu e n cy h oppin g

Figu r e 1 1 - 3 . Or t h ogon a l h oppin g se qu e n ce s

802.11 FH Details 802.11 divides t he m icrowave I SM band int o a series of 1- MHz channels. Approxim at ely 99% of t he radio energy is confined t o t he channel. The m odulat ion m et hod used by 802.11 encodes dat a bit s as shift s in t he t ransm ission frequency from t he channel cent er. Channels are defined by t heir cent er frequencies, which begin at 2.400 GHz for channel 0. Successive channels are derived by adding 1MHz st eps: channel 1 has a cent er frequency of 2.401 GHz, channel 2 has a cent er frequency of 2.402 GHz, and so on up t o channel 95 at 2.495 GHz. Different regulat ory aut horit ies allow use of different part s of t he I SM band; t he m aj or regulat ory dom ains and t he available channels are shown in Table 11- 1 .

Ta ble 1 1 - 1 . Ch a n n e ls u se d in diffe r e n t r e gu la t or y dom a in s Re gu la t or y dom a in

Allow e d ch a n n e ls

U.S. ( FCC)

2 t o 79 ( 2.402- 2.479 GHz)

Canada ( I C)

2 t o 79 ( 2.402- 2.479 GHz)

Europe ( excluding France and Spain) ( ETSI )

2 t o 79 ( 2.402- 2.479 GHz)

France

48 t o 82 ( 2.448- 2.482 GHz)

Spain

47 t o 73 ( 2.447- 2.473 GHz)

Japan ( MKK)

73 t o 95 ( 2.473- 2.495 GHz)

The dwell t im e used by 802.11 FH syst em s is 390 t im e unit s, which is alm ost 0.4 seconds. When an 802.11 FH PHY hops bet ween channels, t he hopping process can t ake no longer t han 224 m icroseconds. The frequency hops t hem selves are subj ect t o ext ensive regulat ion, bot h in t erm s of t he size of each hop and t he rat e at which hops m ust occur.

802.11 Hop Sequences Mat hem at ical funct ions for deriving hop set s are part of t he FH PHY specificat ion and are found in clause 14.6.8 of t he 802.11 specificat ion. As an exam ple, hopping sequence 1 for Nort h Am erica and m ost of Europe begins wit h t he sequence { 3, 26, 65, 11, 46, 19, 74, 50, 22, ...} . 802.11 furt her divides hopping sequences int o nonoverlapping set s, and any t wo m em bers of a set are ort hogonal hopping sequences. I n Europe and Nort h Am erica, each set cont ains 26 m em bers. Regulat ory aut horit ies in ot her areas have rest rict ed t he num ber of hopped channels, and t herefore each set has a sm aller num ber of m em bers. Table 11- 2 has det ails.

Ta ble 1 1 - 2 . Size of h op se t s in e a ch r e gu la t or y dom a in Re gu la t or y dom a in

H op se t size

U.S. ( FCC)

26

Canada ( I C)

26

Europe ( excluding France and Spain) ( ETSI )

26

France

27

Spain

35

Japan ( MI C)

23

Joining an 802.11 Frequency-Hopping Network Joining a frequency- hopping net work is m ade possible by t he st andardizat ion of hop sequences. Beacon fram es on FH net works include a t im est am p and t he FH Param et er Set elem ent . The FH Param et er Set elem ent includes t he hop pat t ern num ber and a hop index. By receiving a Beacon fram e, a st at ion knows everyt hing it needs t o synchronize it s hopping pat t ern.

Based on t he hop sequence num ber, t he st at ion knows t he channel- hopping order. As an exam ple, say t hat a st at ion has received a Beacon fram e t hat indicat es t hat t he BSS is using t he Nort h Am erica/ Europe hop sequence num ber 1 and is at hop index 2. By looking up t he hop sequence, t he st at ion can det erm ine t hat t he next channel is 65. Hop t im es are also well- defined. Each Beacon fram e includes a Tim est am p field, and t he hop occurs when t he t im est am p m odulo dwell t im e included in t he Beacon is 0.

ISM Emission Rules and Maximum Throughput Spect rum allocat ion policies are t he lim it ing fact or of frequency- hopping 802.11 syst em s. As an exam ple, consider t he t hree m aj or rules im posed by t he FCC in t he U.S.: [ * ] [*]

These rules are in rule 247 of part 15 of the FCC rules (47 CFR 15.247).

1 . There m ust be at least 75 hopping channels in t he band, which is 83.5- MHz wide. 2 . Hopping channels can be no wider t han 1 MHz. 3 . Devices m ust use all available channels equally. I n a 30- second period, no m ore t han 0.4 seconds m ay be spent using any one channel. Of t hese rules, t he m ost im port ant is t he second one. No m at t er what fancy encoding schem es are available, only 1 MHz of bandwidt h is available at any t im e. The frequency at which it is available shift s cont inuously because of t he ot her t wo rules, but t he second rule lim it s t he num ber of signal t ransit ions t hat can be used t o encode dat a. Wit h a st raight forward, t wo- level encoding, each cycle can encode one bit . At 1 bit per cycle, 1 MHz yields a dat a rat e of 1 Mbps. More sophist icat ed m odulat ion and dem odulat ion schem es can im prove t he dat a rat e. Four- level coding can pack 2 bit s int o a cycle, and 2 Mbps can be squeezed from t he 1MHz bandwidt h. The European Telecom m unicat ions St andards I nst it ut e ( ETSI ) also has a set of rules for spreadspect rum devices in t he I SM band, published in European Telecom m unicat ions St andard ( ETS) 300328. The ETSI rules allow far fewer hopping channels; only 20 are required. Radiat ed power, however, is cont rolled m uch m ore st rict ly. I n pract ice, t o m eet bot h t he FCC and ETSI requirem ent s, devices use t he high num ber of hopping channels required by t he FCC wit h t he low radiat ed power requirem ent s of ETSI .

Effect of Interference 802.11 is a secondary use of t he 2.4- GHz I SM band and m ust accept any int erference from a higherpriorit y t ransm ission. Cat ast rophic int erference on a channel m ay prevent t hat channel from being used but leave ot her channels unaffect ed. Wit h approxim at ely 80 usable channels in t he U.S. and Europe, int erference on one channel reduces t he raw bit rat e of t he m edium by approxim at ely 1.25% . ( The cost at t he I P layer will be som ewhat higher because of t he int erfram e gaps, 802.11 acknowledgm ent s, and fram ing and physical- layer covergence headers.) As m ore channels are affect ed by int erference, t he t hroughput cont inues t o drop. See Figure 11- 4.

Figu r e 1 1 - 4 . Th r ou gh pu t r e spon se t o in t e r fe r e n ce in FH SS syst e m s

Gaussian Frequency Shift Keying (GFSK) The FH PHY uses Gaussian frequency shift keying ( GFSK) . [ * ] Frequency shift keying encodes dat a as a series of frequency changes in a carrier. One advant age of using frequency t o encode dat a is t hat noise usually changes t he am plit ude of a signal; m odulat ion syst em s t hat ignore am plit ude ( broadcast FM radio, for exam ple) t end t o be relat ively im m une t o noise. The Gaussian in GFSK refers t o t he shape of radio pulses; GFSK confines em issions t o a relat ively narrow spect ral band and is t hus appropriat e for secondary uses. Signal processing t echniques t hat prevent widespread leakage of RF energy are a good t hing, part icularly for secondary users of a frequency band. By reducing t he pot ent ial for int erference, GFSK m akes it m ore likely t hat 802.11 wireless LANs can be built in an area where anot her user has priorit y. [*]

The term keying is a vestige of telegraphy. Transmission of data across telegraph lines required the use of a key. Sending data through a modern digital system employs modulation techniques instead, but the word keying persists.

2-Level GFSK The m ost basic GFSK im plem ent at ion is called 2- level GFSK ( 2GFSK) . Two different frequencies are used, depending on whet her t he dat a t hat will be t ransm it t ed is a 1 or a 0. To t ransm it a 1, t he carrier frequency is increased by a cert ain deviat ion. Zero is encoded by decreasing t he frequency by t he sam e deviat ion. Figure 11- 5 illust rat es t he general procedure. I n real- world syst em s, t he frequency deviat ions from t he carrier are m uch sm aller; t he figure is deliberat ely exaggerat ed t o show how t he encoding works. The rat e at which dat a is sent t hrough t he syst em is scalled t he sym bol rat e. Because it t akes several cycles t o det erm ine t he frequency of t he underlying carrier and whet her 1 or 0 was t ransm it t ed, t he sym bol rat e is a very sm all fract ion of t he carrier frequency. Alt hough t he carrier frequency is roughly 2.4 billion cycles per second, t he sym bol rat e is only 1 or 2 m illion sym bols per second.

Figu r e 1 1 - 5 . 2 - le ve l GFSK

Frequency changes wit h GFSK are not sharp changes. I nst ant aneous frequency changes require m ore expensive elect ronic com ponent s and higher power. Gradual frequency changes allow lower- cost

equipm ent wit h lower RF leakage. Figure 11- 6 shows how frequency varies as a result of encoding t he let t er M ( 1001101 binary) using 2GFSK. Not e t hat t he vert ical axis is t he frequency of t he t ransm ission. When a 1 is t ransm it t ed, t he frequency rises t o t he cent er frequency plus an offset , and when a 0 is t ransm it t ed, t he frequency drops by t he sam e offset . The horizont al axis, which represent s t im e, is divided int o sym bol periods. Around t he m iddle of each period, t he receiver m easures t he frequency of t he t ransm ission and t ranslat es t hat frequency int o a sym bol. ( I n 802.11 frequency- hopping syst em s, t he higher- level dat a is scram bled before t ransm ission, so t he bit sequence t ransm it t ed t o t he peer st at ion is not t he sam e as t he bit sequence over t he air. The figure illust rat es how t he principles of 2GFSK work and doesn't st ep t hrough an act ual encoding.)

Figu r e 1 1 - 6 . GFSK e n codin g of t h e le t t e r M

4-Level GFSK Using a schem e such as t his, t here are t wo ways t o send m ore dat a: use a higher sym bol rat e or encode m ore bit s of inform at ion int o each sym bol. 4- level GFSK ( 4GFSK) uses t he sam e basic approach as 2GFSK but wit h four sym bols inst ead of t wo. The four sym bols ( 00, 01, 10, and 11) each correspond t o a discret e frequency, and t herefore 4GFSK t ransm it s t wice as m uch dat a at t he sam e sym bol rat e. Obviously, t his increase com es at a cost : 4GFSK requires m ore com plex t ransm it t ers and receivers. Mapping of t he four sym bols ont o bit s is shown in Figure 11- 7.

Figu r e 1 1 - 7 . M a ppin g of sym bols t o fr e qu e n cie s in 4 GFSK

Wit h it s m ore sophist icat ed signal processing, 4GFSK packs m ult iple bit s int o a single sym bol. Figure 11- 8 shows how t he let t er M m ight be encoded. Once again, t he vert ical axis is frequency, and t he horizont al axis is divided int o sym bol t im es. The frequency changes t o t ransm it t he sym bols; t he frequencies for each sym bol are shown by t he dashed lines. The figure also hint s at t he problem wit h ext ending GFSK- based m et hods t o higher bit rat es. Dist inguishing bet ween t wo levels is fairly easy. Four is harder. Each doubling of t he bit rat e requires t hat t wice as m any levels be present , and t he RF com ponent s dist inguish bet ween ever- sm aller frequency changes. These lim it at ions pract ically lim it t he FH PHY t o 2 Mbps.

Figu r e 1 1 - 8 . 4 GFSK e n codin g of t h e le t t e r M

FH PHY Convergence Procedure (PLCP) Before any fram es can be m odulat ed ont o t he RF carrier, t he fram es from t he MAC m ust be prepared by t he Physical Layer Convergence Procedure ( PLCP) . Different underlying physical layers m ay have different requirem ent s, so 802.11 allows each physical layer som e lat it ude in preparing MAC fram es for t ransm ission over t he air.

Framing and Whitening The PLCP for t he FH PHY adds a five- field header t o t he fram e it receives from t he MAC. The PLCP is a relay bet ween t he MAC and t he physical m edium dependent ( PMD) radio int erface. I n keeping wit h I SO reference m odel t erm inology, fram es passed from t he MAC are PLCP service dat a unit s ( PSDUs) . The PLCP fram ing is shown in Figure 11- 9.

Pream ble As in a wired Et hernet , t he pream ble synchronizes t he t ransm it t er and receiver and derives com m on t im ing relat ionships. I n t he 802.11 FH PHY, t he Pream ble is com posed of t he Sync field and t he St art Fram e Delim it er field.

Figu r e 1 1 - 9 . PLCP fr a m in g in t h e FH PH Y

Sync The sync field is 80 bit s in lengt h and is com posed of an alt ernat ing zero- one sequence ( 010101...01) . St at ions search for t he sync pat t ern t o prepare t o receive dat a. I n addit ion t o synchronizing t he sender and receiver, t he Sync field serves t hree purposes. First of all, t he presence of a sync signal indicat es t hat a fram e is im m inent . Second, st at ions t hat have m ult iple ant ennas t o com bat m ult ipat h fading or ot her environm ent al recept ion problem s can select t he ant enna wit h t he st rongest signal. Finally, t he receiver can m easure t he frequency of t he incom ing signal relat ive t o it s nom inal values and perform any correct ions needed t o t he received signal.

St art Fram e Delim it er ( SFD) As in Et hernet , t he SFD signals t he end of t he pream ble and m arks t he beginning of t he fram e. The FH PHY uses a 16- bit SFD: 0000 1100 1011 1101.

Header The PLCP header follows t he pream ble. The header has PHY- specific param et ers used by t he PLCP. Three fields com prise t he header: a lengt h field, a speed field, and a fram e check sequence.

PSDU Lengt h Word ( PLW) The first field in t he PLCP header is t he PLW. The payload of t he PLCP fram e is a MAC fram e t hat m ay be up t o 4,095 byt es long. The 12- bit lengt h field inform s t he receiver of t he lengt h of t he MAC fram e t hat follows t he PLCP header.

PLCP Signaling ( PSF) Bit 0, t he first bit t ransm it t ed, is reserved and set t o 0. Bit s 1- 3 encode t he speed at which t he payload MAC fram e is t ransm it t ed. Several speeds are available, so t his field allows t he receiver t o adj ust t o t he appropriat e dem odulat ion schem e. Alt hough t he st andard allows for dat a rat es in increm ent s of 500 kbps from 1.0 Mbps t o 4.5 Mbps, t he m odulat ion schem e has been defined only for 1.0 Mbps and 2.0 Mbps. [ * ] See Table 11- 3 . [* ]

I t is unlikely t hat significant furt her work will be done on high- rat e, frequency- hopping syst em s. For high dat a rat es, direct sequence is a m ore cost - effect ive choice.

Ta ble 1 1 - 3 . PSF m e a n in g Bit s ( 1 - 2 - 3 )

Data rate

000

1.0 Mbps

001

1.5 Mbps

010

2.0 Mbps

011

2.5 Mbps

100

3.0 Mbps

101

3.5 Mbps

110

4.0 Mbps

111

4.5 Mbps

Header Error Check ( HEC)

To prot ect against errors in t he PLCP header, a 16- bit CRC is calculat ed over t he cont ent s of t he header and placed in t his field. The header does not prot ect against errors in ot her part s of t he fram e. No rest rict ions are placed on t he cont ent of t he Dat a field. Arbit rary dat a m ay cont ain long st rings of consecut ive 0s or 1s, which m akes t he dat a m uch less random . To m ake t he t ransm it t ed dat a m ore like random whit e noise, t he FH PHYs apply a w hit ening algorit hm t o t he MAC fram e. This algorit hm scram bles t he dat a before radio t ransm ission. Receivers invert t he process t o recover t he dat a.

Frequency-Hopping PMD Sublayer Alt hough t he PLCP header has a field for t he speed at which t he MAC fram e is t ransm it t ed, only t wo of t hese rat es have corresponding st andardized PMD layers. Several feat ures are shared bet ween bot h PMDs: ant enna diversit y support , allowances for t he ram p up and ram p down of t he power am plifiers in t he ant ennas, and t he use of a Gaussian pulse shaper t o keep as m uch RF power as possible in t he narrow frequency- hopping band. Figure 11- 10 shows t he general design of t he t ransceiver used in 802.11 frequency- hopping net works. I t is required t hat t he t ransceiver have a sensit ivit y of - 80 dBm for bot h 1 Mbps and 2 Mbps t ransm ission.

Figu r e 1 1 - 1 0 . Fr e qu e n cy- h oppin g t r a n sce ive r

PMD for 1.0-Mbps FH PHY The basic frequency- hopping PMD enables dat a t ransm ission at 1.0 Mbps. Fram es from t he MAC have t he PLCP header appended, and t he result ing sequence of bit s is t ransm it t ed out of t he radio int erface. I n keeping wit h t he com m on regulat ory rest rict ion of a 1- MHz bandwidt h, 1 m illion sym bols are t ransm it t ed per second. 2GFSK is used as t he m odulat ion schem e, so each sym bol can be used t o encode a single bit . 802.11 specifies a m inim um power of 10 m illiwat t s ( m W) and requires t he use of a power cont rol funct ion t o cap t he radiat ed power at 100 m W, if necessary.

PMD for 2.0-Mbps FH PHY A second, higher- speed PMD is available for t he FH PHY. As wit h t he 1.0- Mbps PMD, t he PLCP header is appended and is t ransm it t ed at 1.0 Mbps using 2GFSK. I n t he PLCP header, t he PSF field indicat es t he speed at which t he fram e body is t ransm it t ed. At t he higher dat a rat e, t he fram e body is t ransm it t ed using a different encoding m et hod t han t he physical- layer header. Regulat ory requirem ent s rest rict all PMDs t o a sym bol rat e of 1 MHz, so 4GFSK m ust be used for t he fram e body. Two bit s per sym bol yields a rat e of 2.0 Mbps at 1 m illion sym bols per second. Firm ware t hat support s t he 2.0- Mbps PMD can fall back t o t he 1.0- Mbps PMD if signal qualit y is t oo poor t o sust ain t he higher rat e.

Carrier sense/clear channel assessment (CS/CCA) To im plem ent t he CSMA/ CA foundat ion of 802.11, t he PCLP includes a funct ion t o det erm ine whet her

t he wireless m edium is current ly in use. The MAC uses bot h a virt ual carrier- sense m echanism and a physical carrier- sense m echanism ; t he physical layer im plem ent s t he physical carrier sense. 802.11 does not specify how t o det erm ine whet her a signal is present ; vendors are free t o innovat e wit hin t he required perform ance const raint s of t he st andard. 802.11 requires t hat 802.11- com pliant signals wit h cert ain power levels m ust be det ect ed wit h a corresponding m inim um probabilit y.

Characteristics of the FH PHY Table 11- 4 shows t he values of a num ber of param et ers in t he FH PHY. I n addit ion t o t he param et ers in t he t able, which are st andardized, t he FH PHY has a num ber of param et ers t hat can be adj ust ed t o balance delays t hrough various part s of an 802.11 frequency- hopping syst em . I t includes variables for t he lat ency t hrough t he MAC, t he PLCP, and t he t ransceiver, as well as variables t o account for variat ions in t he t ransceiver elect ronics. One ot her it em of not e is t hat t he t ot al aggregat e t hroughput of all frequency- hopping net works in an area can be quit e high. The t ot al aggregat e t hroughput is a funct ion of t he hop set size. All sequences in a hop set are ort hogonal and nonint erfering. I n Nort h Am erica and m ost of Europe, 26 frequency- hopping net works can be deployed in an area at once. I f each net work is run at t he opt ional 2 Mbps rat e and half t he airt im e is able t o carry user payload dat a, t he area can have a t ot al of 26 Mbps t hroughput provided t hat t he I SM band is relat ively free of int erference.

Ta ble 1 1 - 4 . FH PH Y pa r a m e t e r s Pa r a m e t e r

Va lu e

N ot e s

Slot t im e

50 m s

SI FS t im e

28 m s

Cont ent ion window size

15- 1,023 slot s

Pream ble dur at ion

96 m s

Pream ble sym bols are t ransm it t ed at 1 MHz, so a sym bol t akes 1 m s t o t ransm it ; 96 bit s require 96 sym bol t im es.

PLCP header dur at ion

32 m s

The PLCP header is 32 bit s, so it requires 32 sym bol t im es.

Maxim um MAC fram e

4,095 by t es

802.11 recom m ends a m axim um of 400 sym bols ( 400 byt es at 1 Mbps, 800 byt es at 2 Mbps) t o ret ain perform ance across different t ypes of environm ent s.

Minim um sensit ivit y

- 80 dBm

The SI FS is used t o derive t he value of t he ot her int erfram e spaces ( DI FS, PI FS, and EI FS) .

Chapter 12. The Direct Sequence PHYs: DSSS and HR/DSSS (802.11b) The int ial revision of t he 802.11 specificat ion in 1997 had a second physical layer based on direct sequence spread spect rum ( DSSS) t echnology. The DSSS PHY in 802.11 had dat a rat es of 1 Mbps and 2 Mbps. Alt hough it operat ed at t he sam e speed as t he frequency hopping PHY, it quickly becam e clear t hat direct sequence t echnolgies had t he pot ent ial for higher speeds t han frequency hopping t echnologies. As a result , even t hough t he t wo had equivalent speeds, direct sequence becam e t he PHY of choice. I n 1999, a PHY wit h dat a rat es of 5.5 Mbps and 11 Mbps was specified in 802.11b. The older 1 and 2 Mbps PHYs and t he newer 5.5 and 11 Mbps PHYs are oft en com bined int o a single int erface, even t hough t hey are described by different specificat ions. ( I t is usually referred t o as " 802.11b" support , even t hough t he t wo lower rat es are not part of 802.11b.) This chapt er describes t he basic concept s and m odulat ion t echniques used by t he direct sequence physical layers. I t also shows how t he PLCP prepares fram es for t ransm ission on t he radio link and t ouches briefly on a few det ails of t he physical m edium it self.

Direct Sequence Transmission Direct sequence t ransm ission is an alt ernat ive spread- spect rum t echnique t hat can be used t o t ransm it a signal over a m uch wider frequency band. The basic approach of direct - sequence t echniques is t o sm ear t he RF energy over a wide band in a carefully cont rolled way. Changes in t he radio carrier are present across a wide band, and receivers can perform correlat ion processes t o look for changes. The basic high- level approach is shown in Figure 12- 1.

Figu r e 1 2 - 1 . Ba sic D SSS t e ch n iqu e

At t he left is a t radit ional narrowband radio signal. I t is processed by a spr eader, which applies a m at hem at ical t ransform t o t ake a narrowband input and flat t en t he am plit ude across a relat ively wide frequency band. To a narrowband receiver, t he t ransm it t ed gnal looks like low- level noise because it s RF energy is spread across a very wide band. The key t o direct - sequence t ransm ission is t hat any m odulat ion of t he RF carrier is also spread across t he frequency band. Receivers can m onit or a wide frequency band and look for changes t hat occur across t he ent ire band. The original signal can be recovered wit h a cor r elat or, which invert s t he spreading process. At a high level, a correlat or sim ply looks for changes t o t he RF signal t hat occur across t he ent ire frequency band. Correlat ion gives direct - sequence t ransm issions a great deal of prot ect ion against int erference. Noise t ends t o t ake t he form of relat ively narrow pulses t hat , by definit ion, do not produce coherent effect s across t he ent ire frequency band. Therefore, t he correlat ion funct ion spreads out noise across t he band, and t he correlat ed signal shines t hrough, as illust rat ed in Figure 12- 2 .

Figu r e 1 2 - 2 . Spr e a din g of n oise by t h e cor r e la t ion pr oce ss

Direct - sequence m odulat ion works by applying a chipping sequence t o t he dat a st ream . A chip is a binary digit used by t he spreading process. Bit s are higher- level dat a, while chips are binary num bers used in t he encoding process. There is no m at hem at ical difference bet ween a bit and a chip, but spread- spect rum developers have adopt ed t his t erm inology t o indicat e t hat chips are only a part of t he encoding and t ransm ission process and do not carry any dat a. Chipping st ream s, which are also called pseudorandom noise codes ( PN codes) , m ust run at a m uch higher rat e t han t he underlying dat a. ( The requirem ent for high- speed oscillat ors t o generat e chip st ream s and recover dat a from chip st ream s is one of t he m aj or power drains in direct sequence PHYs.) Figure 12- 3 illust rat es how chipping sequences are used in t he t ransm ission of dat a using direct - sequence m odulat ion. At t he left - hand side is a single dat a bit , which is eit her a one or a zero. For each dat a bit , several chips are used. I n t he figure, t he chip st ream consist s of an 11- bit code. I t is com bined wit h t he single dat a bit , t o produce 11 chips t hat carry t he single dat a bit . The 11- chip/ single- dat a- bit sequence is t ransm it t ed over t he radio link and received at t he ot her end. Every chunk of 11 chips is t he com pared t o an ident ical chip st ream . I f it m at ches t he spreading code, a single zero dat a bit is recovered; if not , a single one dat a bit is recovered. The process of encoding a low bit - rat e signal at a high chip rat e has t he side effect of spreading t he signal's power over a m uch wider bandwidt h. One of t he m ost im port ant quant it ies in a direct sequence syst em is it s spreading rat io, which is t he num ber

Figu r e 1 2 - 3 . Ch ippin g

of chips used t o t ransm it a single bit . [ * ] Higher spreading rat ios im prove t he abilit y t o recover t he t ransm it t ed signal but require a higher chipping rat e and a larger frequency band. Doubling t he spreading rat io requires doubling t he chipping rat e and doubles t he required bandwidt h as well. There are t wo cost s t o increased chipping rat ios. One is t he direct cost of m ore expensive RF com ponent s operat ing at t he higher frequency, and t he ot her is an indirect cost in t he am ount of bandwidt h required. Therefore, in designing direct - sequence syst em s for t he real world, t he spreading rat io should be as low as possible t o m eet design requirem ent s and t o avoid wast ing bandwidt h. [*]

The spreading ratio is related to a figure known as the processing gain. The two are sometimes used interchangeably, but the processing gain is slightly lower because it takes into account the effects of using real-world systems as opposed to perfect ideal systems with no losses.

Direct - sequence m odulat ion t rades bandwidt h for t hroughput . Com pared t o t radit ional narrowband t ransm ission, direct - sequence m odulat ion requires significant ly m ore radio spect rum and is m uch slower. However, it can oft en coexist wit h ot her int erference sources because t he receiver's correlat ion funct ion effect ively ignores narrowband noise. I t is easier t o achieve high t hroughput using direct - sequence t echniques t han wit h frequency hopping. Regulat ory aut horit ies do not im pose a lim it on t he am ount of spect rum t hat can be used; t hey generally set a m inim um lower bound on t he processing gain. Higher rat es can be achieved wit h a wider band, t hough wider bands require a higher chip rat e.

Encoding in 802.11 Direct Sequence Networks For t he PN code, 802.11 adopt ed an 11- bit Barker word. Each bit is encoded using t he ent ire Barker word as a chipping sequence. Det ailed discussion of Barker words and t heir propert ies are well beyond t he scope of t his book. The key at t ribut e for 802.11 net works is t hat Barker words have good aut ocorrelat ion propert ies, which m eans t hat t he correlat ion funct ion at t he receiver operat es as expect ed in a wide range of environm ent s and is relat ively t olerant t o m ult ipat h delay spreads. 11 bit s are in t he word because regulat ory aut horit ies oft en require a 10- dB processing gain in direct sequence syst em s. Using an 11- bit spreading code for each bit allows 802.11 t o m eet t he regulat ory requirem ent s wit h som e m argin of safet y, but it is sm all enough t o allow as m any overlapping net works as possible. Longer spreading codes allow higher processing gains but require wider frequency channels. 802.11 uses t he Barker sequence { + 1, - 1, + 1, + 1, - 1, + 1, + 1, + 1, - 1, - 1, - 1} . As used in 802.11, + 1 becom es 1, and - 1 becom es 0, so t he Barker sequence becom es 10110111000. I t is applied t o each bit in t he dat a st ream by a m odulo- 2 adder. [ * ] When a 1 is encoded, all t he bit s in t he spreading code change; for 0, t hey st ay t he sam e. Figure 12- 4 shows t he encoding process. [*]

Encoding with the Barker sequence is similar to a number of other techniques. Some cellular systems, most notably in North America, use code division multiple access (CDMA) to allow several stations to access the radio medium. CDMA exploits some extremely complex mathematics to ensure that transmissions from each mobile phone look like random noise to every other mobile phone in the cell. The underlying mathematics are far more complicated than a simple, fixed pseudorandom noise code.

Figu r e 1 2 - 4 . En codin g w it h t h e Ba r k e r w or d

Receivers can look at t he num ber of 1s in a received bit t im e. The Barker sequence has six 1s and five 0s. An 11- bit sequence wit h six 1s m ust t herefore correspond t o a t ransm it t ed 0, and an 11- bit sequence wit h six 0s m ust correspond t o a t ransm it t ed 1. I n addit ion t o count ing t he num bers of 1s and 0s, t he receiver can analyze t he pat t ern of received bit s t o infer t he value of t he t ransm it t ed bit .

Radio Spectrum Usage in 802.11 Direct Sequence Networks Channels for t he DS PHY are m uch larger t han t he channels for t he FH PHY. The DS PHY has 14 channels in t he 2.4- GHz band, each 5 MHz wide. Channel 1 is placed at 2.412 GHz, channel 2 at 2.417 GHz, and so on up t o channel 13 at 2.472 GHz. Channel 14 was defined especially for operat ion in Japan, and has a cent er frequency t hat is 12 MHz from t he cent er frequency of channel 13. Table 12- 1 shows which channels are allowed by each regulat ory aut horit y. Channel 10 is available t hroughout Nort h Am erica and Europe, which is why m any product s use channel 10 as t he

default operat ing channel.

Ta ble 1 2 - 1 . Ch a n n e ls u se d in diffe r e n t r e gu la t or y dom a in s Re gu la t or y dom a in

Allow e d ch a n n e ls

U.S. ( FCC) / Canada ( I C)

1 t o 11 ( 2.412- 2.462 GHz)

Europe, excluding Spain ( ETSI )

1 t o 13 ( 2.412- 2.472 GHz)

Spain

10 t o 11 ( 2.457- 2.462 GHz)

Japan ( MI C)

1 t o 13 ( 2.412- 2.462 GHz) and 14 ( 2.484 GHz)

Channel energy spread Wit hin a channel, m ost of t he energy is spread across a 22- MHz band. Because t he DS PHY uses an 11- MHz chip clock, energy spreads out from t he channel cent er in m ult iples of 11 MHz, as shown in Figure 12- 5. To prevent int erference t o adj acent channels, t he first side lobe is filt ered t o 30 dB below t he power at t he channel cent er frequency, and addit ional lobes are filt ered t o 50 dB below t he power at t he channel cent er. This corresponds t o reducing t he power by a fact or of 1,000 and 100,000, respect ively. These lim it s are not ed in Figure 12- 5 by t he use of dBr, which m eans dB relat ive t o t he power at t he channel cent er. Figure 12- 5 uses a logarit hm ic scale: - 30 dBr is only one t housandt h, and - 50 dBr is one hundred t housandt h.

Figu r e 1 2 - 5 . En e r gy spr e a d in a sin gle 8 0 2 .1 1 D S t r a n sm ission ch a n n e l

Wit h t he t ransm it filt ers in place, RF power is confined m ost ly t o 22- MHz frequency bands. European regulat ors cap t he m axim um radiat ed power at 100 m W; t he FCC in t he U.S. allows a subst ant ially higher t ransm ission power of 1,000 m W. I f direct ional ant ennas are used, t he power can be concent rat ed int o an even higher radiat ed power.

Adjacent channel rejection and channel separation To avoid int erference, 802.11 equipm ent m ust be separat ed in t he frequency dom ain. The init ial specificat ion called for 35 dB rej ect ion when t wo signals were 30 MHz apart , but t he spect ral separat ion was t ight ened up t o 25 MHz in 802.11b. To m easure adj acent channel rej ect ion, input a m axim um - speed signal at t he cent er frequency of a channel, shown by t he left curve in Figure 12- 6. I t s power is 6 dB above t he specified m inim um sensit ivit y; for an 802.11b receiver, t hat is - 70 dBm . A second 802.11b signal at 11 Mbps is sent in, 35 dB st ronger, but at least 25 MHz away. The right curve depict s t he int erference t est signal. As long as t he fram e error rat e is less t han 8% , t he receiver passes t he t est . Not e t hat t here is reasonably significant overlap bet ween t he first lobe of t he int erfering signal and t he m ain cent er lobe of t he on- channel signal.

Figu r e 1 2 - 6 . Adj a ce n t ch a n n e l r e j e ct ion

Adj acent channel rej ect ion also influences t he num ber of channels t hat can be used sim ult aneously. Alt hough 802.11 net works operat ing in t he I SM band have 14 defined channels, t hey are closely packed. Real signals m ust be spaced out t o prevent int erference. 802.11b specifies t hat a 25 MHz ( 5 channel num ber) spacing is sufficient . Figure 12- 7 shows t he spect ral m ask of t ransm issions on t he so- called non- overlapping channels ( 1, 6, and 11) . By com paring Figure 12- 7 t o t he previous figure, it is easy t o see t hat using t he nonoverlapping channel set requires all com ponent s in t he syst em t o run at m axim um effect iveness. Many real- world radios, however, are incapable of rej ect ing st rong adj acent - channel t ransm issions near t he lim it . Alt hough it is possible t o have channels overlap m ore closely by using a four- channel layout ( say, 1, 4, 7, and 11) , it is not a generally useful deploym ent st rat egy. Great er overlap of t he channels will result in m ore int erference bet ween radios operat ing on adj acent frequencies. Great er int erference m ay t rigger t he carrier sensing m echanism s t o report t hat t he m edium is busy or cause fram es t o be m angled in flight . I n eit her case, t he peak t hroughput of each channel is less. I t m ay be t hat t rading som e am ount of peak t hroughput for t ot al area capacit y is a good t rade, but t hat is not generally t rue.

Whet her you call t hem 1, 6, and 11; A, B, and C; or Tom , Dick, and Harry, you only have t hree m ost ly nonoverlapping channels wit h 2.4 GHz wireless LANs.

Figu r e 1 2 - 7 . Ch a n n e l se pa r a t ion in 8 0 2 .1 1 D S n e t w or k s

Maximum theoretical throughput I f t he signal processing t echniques used by t he DS PHY are used, t hen t he m axim um t hroughput would be a funct ion of t he frequency space used. Roughly speaking, t he I SM band is 80- MHz wide. Using t he sam e spreading fact or of 11 would lead t o a m axim um bit rat e of slight ly m ore t han 7 Mbps. However, only one channel would be available, and product s would need t o have an oscillat or running at 77 MHz t o generat e t he chipping sequence. High- frequency devices are a t rem endous drain on bat t eries, and t he hypot het ical high- rat e encoding t hat uses t he ent ire band m akes t errible use of t he available spect rum . To achieve higher t hroughput , m ore sophist icat ed t echniques m ust be used. 802.11b increases t he sym bol rat e slight ly, but it get s far m ore m ileage from m ore sophist icat ed encoding t echniques.

Interference response Direct - sequence- m odulat ed signals are m ore resist ant t o int erference t han frequency- hopping signals. The correlat ion process enables direct - sequence syst em s t o work around narrowband int erference m uch m ore effect ively. Wit h 11 chips per bit , several chips can be lost or dam aged before a single dat a bit is lost . The disadvant age is t hat t he response of direct - sequence syst em s t o noise is not increm ent al. Up t o a cert ain level, t he correlat or can rem ove noise, but once int erference obscures a cert ain am ount of t he frequency band, not hing can be recovered. Figure 12- 8 shows how direct - sequence syst em s degrade in response t o noise.

Figu r e 1 2 - 8 . Th r ou gh pu t r e spon se t o in t e r fe r e n ce in D SSS syst e m s

Direct - sequence syst em s also avoid int erfering wit h a prim ary user m ore effect ively t han frequencyhopping syst em s. Aft er direct - sequence processing, signals are m uch wider and have lower am plit udes, so t hey appear t o be random background noise t o t radit ional narrowband receivers. Two direct - sequence users in t he sam e area can cause problem s for each ot her quit e easily if t he t wo direct - sequence channels are not separat ed by an adequat e am ount . Generally speaking, int erference bet ween t wo direct - sequence devices is a problem long before a prim ary band user not ices anyt hing.

Differential Phase Shift Keying (DPSK) Different ial phase shift keying ( DPSK) is t he basis for 802.11 direct - sequence syst em s. As t he nam e im plies, phase shift keying ( PSK) encodes dat a in phase changes of t he t ransm it t ed signal. The absolut e phase of a waveform is not relevant in PSK; only changes in t he phase encode dat a. Like frequency shift keying, PSK resist s int erference because m ost int erference causes changes in am plit ude. Figure 12- 8 shows t wo ident ical sine waves shift ed by a sm all am ount along t he t im e axis. The offset bet ween t he sam e point on t wo waves is t he phase difference.

Figu r e 1 2 - 9 . Ph a se diffe r e n ce be t w e e n t w o sin e w a ve s

Differential Binary Phase Shift Keying (DBPSK) The sim plest form of PSK uses t wo carrier waves, shift ed by a half cycle relat ive t o each ot her. One wave, t he reference wave, is used t o encode a 0; t he half- cycle shift ed wave is used t o encode a 1. Table 12- 2 sum m arizes t he phase shift s.

Ta ble 1 2 - 2 . D BPSK ph a se sh ift s Sym bol

Ph a se sh ift

0

0

1

180° ( p radians)

Figure 12- 10 illust rat es t he encoding as a phase difference from a preceding sine wave.

Figu r e 1 2 - 1 0 . D BPSK e n codin g

To st ick wit h t he sam e exam ple, encoding t he let t er M ( 1001101 in binary) is a m at t er of dividing up t he t im e int o seven sym bol t im es t hen t ransm it t ing t he wave wit h appropriat e phase shift at each sym bol boundary. Figure 12- 11 illust rat es t he encoding. Tim e is divided int o a series of sym bol periods, each of which is several t im es t he period of t he carrier wave. When t he sym bol is a 0, t here is no change from t he phase of t he previous sym bol, and when t he sym bol is a 1, t here is a change of half a cycle. These changes result in " pinches" of t he carrier when 1 is t ransm it t ed and a sm oot h t ransit ion across t he sym bol t im e boundary for 0.

Figu r e 1 2 - 1 1 . Th e le t t e r M e n code d in D BPSK

Differential Quadrature Phase Shift Keying (DQPSK) Like 2GFSK, DBPSK is lim it ed t o one bit per sym bol. More advanced receivers and t ransm it t ers can encode m ult iple bit s per sym bol using a t echnique called different ial quadrat ure phase shift keying ( DQPSK) . Rat her t han a fundam ent al wave and a half- cycle shift ed wave, DQPSK uses a fundam ent al wave and t hree addit ional waves, each shift ed by a quart er cycle, as shown in Figure 12- 12. Table 12- 3 sum m arizes t he phase shift s.

Figu r e 1 2 - 1 2 . D QPSK e n codin g

Ta ble 1 2 - 3 . D QPSK ph a se sh ift s Sym bol

Ph a se sh ift

00

0

01

90° ( p / 2 radians)

11

180° ( p radians)

10

270° ( 3 p / 2 or - p / 2 radians)

Now encode M in DQPSK ( Figure 12- 13) . I n t he UTF- 8 charact er set , M is represent ed by t he binary st ring 01001101 or, as t he sequence of four t wo- bit sym bols, 01- 00- 11- 01. I n t he first sym bol period, t here is a phase shift of 90 degrees; for clarit y, t he figure shows t he phase shift from a pure sine wave. The second sym bol result s in no phase shift , so t he wave cont inues wit hout a change. The t hird sym bol causes a phase shift of 180 degrees, as shown by t he sharp change from t he highest am plit ude t o t he lowest am plit ude. The final sym bol causes a phase shift of 90 degrees.

Figu r e 1 2 - 1 3 . Th e le t t e r M e n code d in D QPSK

The obvious advant age of DQPSK relat ive t o DBPSK is t hat t he four- level encoding m echanism can have a higher t hroughput . The cost of using DQPSK is t hat it cannot be used in som e environm ent s because of severe m ult ipat h int erference. Mult ipat h int erference occurs when t he signal t akes several pat hs from t he t ransm it t er t o t he receiver. Each pat h has a different lengt h; t herefore, t he received signal from each pat h has a different delay relat ive t o t he ot her pat hs. This delay is t he enem y of an encoding schem e based on phase shift s. Wavefront s are not labeled or paint ed different colors, so a wavefront could arrive lat er t han expect ed because of a long pat h or it could sim ply have been t ransm it t ed lat e and phase- shift ed. I n environm ent s where m ult ipat h int erference is severe, DQPSK will break down m uch quicker t han DBPSK.

The "Original" Direct Sequence PHY The physical layer it self consist s of t wo com ponent s. The Physical Layer Convergence Procedure ( PLCP) perform s som e addit ional PHY- dependent fram ing before t ransm ission, while t he Physical Medium Dependent ( PMD) layer is responsible for t he act ual t ransm ission of fram es.

PLCP Framing and Processing The PLCP for t he DS PHY adds a six- field header t o t he fram es it receives from t he MAC. I n keeping wit h I SO reference m odel t erm inology, fram es passed from t he MAC are PLCP service dat a unit s ( PSDUs) . The PLCP fram ing is shown in Figure 12- 14.

Figu r e 1 2 - 1 4 . D S PLCP fr a m in g

The FH PHY uses a dat a whit ener t o random ize t he dat a before t ransm ission, but t he dat a whit ener applies only t o t he MAC fram e t railing t he PLCP header. The DS PHY has a sim ilar funct ion called t he scram bler , but t he scram bler is applied t o t he ent iret y of t he direct - sequence fram e, including t he PLCP header and pream ble.

Pream ble The Pream ble synchronizes t he t ransm it t er and receiver and allows t hem t o derive com m on t im ing relat ionships. I t is com posed of t he Sync field and t he St art Fram e Delim it er field. Before t ransm ission, t he pream ble is scram bled using t he direct - sequence scram bling funct ion.

Sync The Sync field is a 128- bit field com posed ent irely of 1s. Unlike t he FH PHY, t he Sync field is scram bled before t ransm ission.

St art Fram e Delim it er ( SFD)

The SFD allows t he receiver t o find t he st art of t he fram e, even if som e of t he sync bit s were lost in t ransit . This field is set t o 0000 0101 1100 1111, which is different from t he SFD used by t he FH PHY.

Header The PLCP header follows t he pream ble. The header has PHY- specific param et ers used by t he PLCP. Five fields com prise t he header: a signaling field, a service ident ificat ion field, a Lengt h field, a Signal field used t o encode t he speed, and a fram e- check sequence.

Signal The Signal field is used by t he receiver t o ident ify t he t ransm ission rat e of t he encapsulat ed MAC fram e. I t is set t o eit her 0000 1010 ( 0x0A) for 1- Mbps operat ion or 0001 0100 ( 0x14) for 2- Mbps operat ion.

Service This field is reserved for fut ure use and m ust be set t o all 0s.

Lengt h This field is set t o t he num ber of m icroseconds required t o t ransm it t he fram e as an unsigned 16- bit int eger, t ransm it t ed least - significant bit t o m ost - significant bit .

CRC To prot ect t he header against corrupt ion on t he radio link, t he sender calculat es a 16- bit CRC over t he cont ent s of t he four header fields. Receivers verify t he CRC before furt her fram e pr ocessing. No rest rict ions are placed on t he cont ent of t he Dat a field. Arbit rary dat a m ay cont ain long st rings of consecut ive 0s or 1s, which m akes t he dat a m uch less random . To m ake t he dat a m ore like random background noise, t he DS PHY uses a polynom ial scram bling m echanism t o rem ove long st rings of 1s or 0s from t he t ransm it t ed dat a st ream .

DS Physical Medium Dependent Sublayer The PMD is a com plex and lengt hy specificat ion t hat incorporat es provisions for t wo dat a rat es ( 1.0 and 2.0 Mbps) . Figure 12- 15 shows t he general design of a t ransceiver for 802.11 direct - sequence net works.

Figu r e 1 2 - 1 5 . D ir e ct - se qu e n ce t r a n sce ive r

Transmission at 1.0 Mbps At t he low dat a rat e, t he direct - sequence PMD enables dat a t ransm ission at 1.0 Mbps. The PLCP header is appended t o fram es arriving from t he MAC, and t he ent ire unit is scram bled. The result ing sequence of bit s is t ransm it t ed from t he physical int erface using DBPSK at a rat e of 1 m illion sym bols per second. The result ing t hroughput is 1.0 Mbps because one bit is encoded per sym bol. Like t he FH PMD, t he DS PMD has a m inim um power requirem ent and can cap t he power at 100 m W if necessary t o m eet regulat ory requirem ent s.

Transmission at 2.0 Mbps Like t he FH PHY, t ransm ission at 2.0 Mbps uses t wo encoding schem es. The PLCP pream ble and header are t ransm it t ed at 1.0 Mbps using DBPSK. Alt hough using a slower m et hod for t he header t ransm ission reduces t he effect ive t hroughput , DBPSK is far m ore t olerant of noise and m ult ipat h int erference. Aft er t he pream ble and header are finished, t he PMD swit ches t o DQPSK m odulat ion t o provide 2.0- Mbps service. As wit h t he FH PHY, m ost product s t hat im plem ent t he 2.0- Mbps rat e can det ect int erference and fall back t o lower- speed 1.0- Mbps service.

CS/CCA for the DS PHY 802.11 allows t he carrier sense/ clear channel assessm ent funct ion t o operat e in one of t hree m odes:

Mode 1 When t he energy exceeds t he energy det ect ion ( ED) t hreshold, it report s t hat t he m edium is busy. The ED t hreshold depends on t he t ransm it power.

Mode 2 I m plem ent at ions using Mode 2 m ust look for an act ual DSSS signal and report t he channel busy when one is det ect ed, even if t he signal is below t he ED t hreshold.

Mode 3

Mode 3 com bines Mode 1 and Mode 2. A signal m ust be det ect ed wit h sufficient energy before t he channel is report ed busy t o higher layers. Once a channel is report ed busy, it st ays busy for t he durat ion of t he int ended t ransm ission, even if t he signal is lost . The t ransm ission's durat ion is t aken from t he t im e int erval in t he Lengt h field. Busy m edium report s m ust be very fast . When a signal is det ect ed at t he beginning of a cont ent ion window slot , t he CCA m echanism m ust report a busy m edium by t he t im e t he slot has ended. This relat ively high perform ance requirem ent m ust be set because once a st at ion has begun t ransm ission at t he end of it s cont ent ion delay, it should seize t he m edium , and all ot her st at ions should defer access unt il it s fram e has concluded.

Characteristics of the DS PHY Table 12- 4 shows t he values of a num ber of param et ers in t he DS PHY. I n addit ion t o t he param et ers in t he t able, which are st andardized, t he DS PHY has a num ber of param et ers t hat can be adj ust ed t o balance delays t hrough various part s of an 802.11 direct - sequence syst em . I t includes variables for t he lat ency t hrough t he MAC, t he PLCP, and t he t ransceiver, as well as variables t o account for variat ions in t he t ransceiver elect ronics. One ot her it em of not e is t hat t he t ot al aggregat e t hroughput of all direct - sequence net works in an area is m uch lower t han t he t ot al aggregat e t hroughput of all nonoverlapping frequency- hopping net works in an area. The t ot al aggregat e t hroughput is a funct ion of t he num ber of nonoverlapping channels. I n Nort h Am erica and m ost of Europe, t hree direct - sequence net works can be deployed in an area at once. I f each net work is run at t he opt ional 2 Mbps rat e and t he efficiency of t he prot ocol allows 50% of t he headline rat e t o becom e user dat a t hroughput , t he t ot al t hroughput is 3 Mbps, which is dram at ically less t han t he frequencyhopping t ot al aggregat e t hroughput .

Ta ble 1 2 - 4 . D S PH Y pa r a m e t e r s Pa r a m e t e r

Va lu e

N ot e s

Slot t im e

20 m s

SI FS t im e

10 m s

Cont ent ion window size

31 t o 1,023 slot s

Pream ble durat ion

144 m s

Pream ble sym bols are t ransm it t ed at 1 MHz, so a sym bol t akes 1 m s t o t ransm it ; 144 bit s require 144 sym bol t im es.

PLCP header dur at ion

48 m s

The PLCP header is 48 bit s, so it requires 48 sym bol t im es.

Maxim um MAC fram e

4- 8,191 by t es

Minim um receiver sensit ivit y

- 80 dBm

Adj acent channel rej ect ion

35 dB

The SI FS is used t o derive t he value of t he ot her int erfram e spaces ( DI FS, PI FS, and EI FS) .

See t ext for m easurem ent det ails.

Like t he FH PHY, t he DS PHY has a num ber of at t ribut es t hat can be adj ust ed by a vendor t o balance

delays in various part s of t he syst em . I t includes variables for t he lat ency t hrough t he MAC, t he PLCP, and t he t ransceiver, as well as variables t o account for variat ions in t he t ransceiver elect ronics.

Complementary Code Keying 802.11 direct - sequence syst em s use a rat e of 11 m illion chips per second. The original DS PHYs divided t he chip st ream up int o a series of 11- bit Barker words and t ransm it t ed 1 m illion Barker words per second. Each word encoded eit her one bit or t wo bit s for a corresponding dat a rat e of 1.0 Mbps or 2.0 Mbps, respect ively. Achieving higher dat a rat es and com m ercial ut ilit y requires t hat each code sym bol carry m ore inform at ion t han a bit or t wo. St raight phase shift encoding cannot hope t o carry m ore t han a few bit s per code word. DQPSK requires t hat receivers dist inguish quart er- cycle phase differences. Furt her increasing t he num ber of bit s per sym bol would require processing even finer phase shift s, such as an eight h- cycle or sixt eent h- cycle shift . Det ect ing sm aller phase shift s is m ore difficult in t he presence of m ult ipat h int erference and requires m ore sophist icat ed ( and t hus expensive) elect ronics. I nst ead of cont inuing wit h st raight phase- shift keying, t he I EEE 802.11 working group t urned t o an alt ernat e encoding m et hod. Com plem ent ary code keying ( CCK) divides t he chip st ream int o a series of 8- bit code sym bols, so t he underlying t ransm ission is based on a series of 1.375 m illion code sym bols per second. CCK is based on sophist icat ed m at hem at ical t ransform s t hat allow t he use of a few 8- bit sequences t o encode 4 or even 8 bit s per code word, for a dat a t hroughput of 5.5 Mbps or 11 Mbps. I n addit ion, t he m at hem at ics underlying CCK t ransform s allow receivers t o dist inguish bet ween different codes easily, even in t he presence of int erference and m ult ipat h fading. Figure 1216 illust rat es t he use of code sym bols in CCK. I t is quit e sim ilar t o t he chipping process used by t he slower direct - sequence layers; t he difference is t hat t he code words are derived part ially from t he dat a. A st at ic repeat ing code word such as t he Barker word is not used.

Figu r e 1 2 - 1 6 . Code sym bols in CCK

Barker spreading, as used in t he lower- rat e, direct - sequence layers, uses a st at ic code t o spread t he signal over t he available frequency band. CCK uses t he code word t o carry inform at ion, as well as sim ply t o spread t he signal. Several phase angles are used t o prepare a com plex code word of eight bit s.

High Rate Direct Sequence PHY To dist inguish it from t he original direct sequence PHY, t he high rat e PHY t hat runs at 11 Mbps is abbreviat ed as HR/ DSSS. Like it s predecessor, it is split int o a convergence procedure t hat prepares fram es for radio t ransm ission, and a m edium - dependent layer t hat t urns t he bit s int o radio waves in t he air.

PLCP Framing and Scrambling The long headers required by t he original PHY great ly reduce perform ance. The 802.11 MAC requires an acknowledgm ent for every dat a fram e, and t he 192 m icrosecond pream ble is m uch, m uch longer t han t he MAC acknowledgm ent . At t he 11 Mbps dat a rat e, t he pream ble and PLCP fram ing header sucks up 25% of t he t im e used t o t ransm it a 1,500 byt e fram e and it s corresponding MAC acknowledgm ent . As long as a new PHY was being developed, t he designers of 802.11b cam e up wit h a new " short " fram ing form at t hat im proves prot ocol efficiency and, hence, t hroughput . Using t he short headers cut s t he pream ble and PLCP fram ing overhead cut s t he pream ble and fram ing overhead t o 14% . While st ill subst ant ial, it is a dram at ic im provem ent . Figure 12- 17 shows t he PLCP fram ing specified in 802.11b. When 802.11b was first released, short headers were not support ed by all devices because of t he large inst alled base of 2 Mbps direct sequence equipm ent . At t his point , alm ost every card can safely support t he short pream ble, and m ost access point vendors use it by default . Nat urally, t he opt ional short form at m ay be used only if all st at ions support it . To prevent net works configured for t he short form at from disappearing, 802.11b requires t hat st at ions answering Probe Request s from an act ive scan ret urn a response using t he sam e PLCP header t hat was received. I f a st at ion t hat support s

Figu r e 1 2 - 1 7 . H R/ D SSS PLCP fr a m in g

only t he long PLCP header sends a Probe Response, an access point ret urns a response using t he long header, even if t he BSS is configured for t he short header.

Pream ble Fram es begin wit h t he pream ble, which is com posed of t he Sync field and t he SFD field. The pream ble is t ransm it t ed at 1.0 Mbps using DBPSK.

Long Sync The Long Sync field is com posed of 128 one bit s. I t is processed by t he scram bler before t ransm ission, t hough, so t he dat a cont ent varies. High- rat e syst em s use a specified seed for t he scram bling funct ion but support backwards com pat ibilit y wit h older syst em s t hat do not specify a seed.

Short Sync The Short Sync field is com posed of 56 zero bit s. Like t he Long Sync, it is also processed by t he scram bler.

Long SFD To indicat e t he end of t he Sync field, t he long pream ble concludes wit h a St art of Fram e Delim it er ( SFD) . I n t he long PLCP, t he SFD is t he sequence 1111 0011 1010 0000. As wit h all I EEE specificat ions, t he order of t ransm ission from t he physical int erface is least - significant bit first , so t he st ring is t ransm it t ed right t o left .

Short SFD To avoid confusion wit h t he Long SFD, t he Short SFD is t he reverse value, 0000 0101 1100 1111. The PLCP header follows t he pream ble. I t is com posed of t he Signal, Service, Lengt h, and CRC fields. The long header is t ransm it t ed at 1.0 Mbps using DBPSK. However, t he short header's purpose is t o reduce t he t im e required for overhead t ransm ission so it is t ransm it t ed at 2.0 Mbps using DQPSK.

Long Signal The Long Signal field indicat es t he speed and t ransm ission m et hod of t he enclosed MAC fram e. Four values for t he 8- bit code are current ly defined and are shown in Table 12- 5 .

Ta ble 1 2 - 5 . Sign a l fie ld va lu e s Spe e d

Va lu e ( m sb t o lsb)

H e x va lu e

1 Mbps

0000 1010

0x0A

2 Mbps

0001 0100

0x14

5.5 Mbps

0011 0111

0x37

11 Mbps

0110 1110

0x6E

Short Signal The Short Signal field indicat es t he speed and t ransm ission m et hod of t he enclosed fram e, but only t hree values are defined. Short pream bles can be used only wit h 2 Mbps, 5.5 Mbps, and 11 Mbps net works.

Service The Service field, which is shown in Figure 12- 18, was reserved for fut ure use by t he first version of 802.11, and bit s were prom pt ly used for t he high- rat e ext ensions in 802.11b. First of all, t he Lengt h field describes t he am ount of t im e used for t he enclosed fram e in m icroseconds. Above 8 Mbps, t he value becom es am biguous. Therefore, t he eight h bit of t he service field is used t o ext end t he Lengt h field t o 17 bit s. The t hird bit indicat es whet her t he 802.11b im plem ent at ion uses locked clocks; clock locking m eans t hat t ransm it frequency and sym bol clock use t he sam e oscillat or. The fourt h bit indicat es t he t ype of coding used for t he packet , which is eit her 0 for CCK or 1 for PBCC. All reserved bit s m ust be set t o 0. The Service field is t ransm it t ed from left t o right ( b0 t o b7) , which is t he sam e in bot h t he short and long PLCP fram e form at s. ( Furt her changes are m ade by 802.11g, which will be discussed in Chapt er 14.)

Figu r e 1 2 - 1 8 . Se r vice fie ld in t h e H R/ D SSS PLCP h e a de r

Lengt h The Lengt h field is t he sam e in bot h t he short and long PLCP fram e form at s and is t he num ber of m icroseconds required t o t ransm it t he enclosed MAC fram e. Approxim at ely t wo pages of t he 802.11b st andard are devot ed t o calculat ing t he value of t he Lengt h fram e, but t he det ails are beyond t he scope of t his book.

CRC The CRC field is t he sam e in bot h t he short and t he long PLCP fram es. Senders calculat e a CRC checksum using t he Signal, Service, and Lengt h fields. Receivers can use t he CRC value t o ensure t hat t he header was received int act and was not dam aged during t ransm ission. CRC calculat ions t ake place before dat a scram bling. The dat a scram bling procedure for t he HR/ DSSS PHY is nearly ident ical t o t he dat a scram bling procedure used wit h t he original DS PHY. The only difference is t hat t he scram bling funct ion is seeded t o specified values in t he HR/ DSSS PHY. Different seeds are used for short and long PLCP fram es.

HR/DSSS PMD Like t he DS PHY, t he 802.11b PHY uses a single PMD specificat ion. The general t ransceiver design is shown in Figure 12- 19.

Figu r e 1 2 - 1 9 . H R/ D SSS t r a n sce ive r

Transmission at 1.0 Mbps or 2.0 Mbps To ensure backwards com pat ibilit y wit h t he inst alled base of 802.11- based, direct - sequence hardware, t he HR/ DSSS PHY can t ransm it and receive at 1.0 Mbps or 2.0 Mbps. Slower t ransm issions are support ed in t he sam e m anner as t he lower- rat e, direct - sequence layers described in previously in t his chapt er. Any t ransm issions at t he slower rat es m ust use long headers.

Transmission at 5.5 Mbps with CCK Higher- rat e t ransm ission is accom plished by building on t he DQPSK- based phase shift keying t echniques. DQPSK t ransm it s t wo bit s per sym bol period, encoded as one of four different phase shift s. By using CCK, t he sym bol words t hem selves carry addit ional inform at ion. 5.5- Mbps t ransm ission encodes four dat a bit s int o a sym bol. Two bit s are carried using convent ional DQPSK, and t he ot her t wo are carried t hrough t he cont ent of t he code words. Figure 12- 20 illust rat es t he overall process.

Figu r e 1 2 - 2 0 . 8 0 2 .1 1 b t r a n sm ission a t 5 .5 M bps

1.

1 . The MAC fram e em bedded in t he PCLP fram e is divided int o a st ring of 4- bit blocks. Each 4- bit block is furt her divided int o t wo 2- bit segm ent s. 2 . The first 2- bit segm ent is encoded by m eans of a DQPSK- t ype phase shift bet ween t he current sym bol and t he previous sym bol ( Table 12- 6 ) . Even and odd sym bols use a different phase shift for t echnical reasons. Sym bol num bering st art s wit h 0 for t he first 4- bit block.

Ta ble 1 2 - 6 . I n t e r - sym bol D QPSK ph a se sh ift s Bit pa t t e r n

Ph a se a n gle ( e ve n sym bols)

Ph a se a n gle ( odd sym bols)

00

0

P

01

p /2

3p / 2

11

p

0

10

3p / 2

p /2

3 . The second 2- bit segm ent is used t o select one of four code words for t he current sym bol (Table 12- 7 ) . The four code words can be derived using t he m at hem at ics laid out in clause 18.4.6.5 of t he 802.11 st andard.

Ta ble 1 2 - 7 . M bps code w or ds Bit se qu e n ce

Code w or d

00

i,1,i,- 1,i,1,- i,1

01

- i,- 1,- i,1,1,1,- i,1

10

- i,1,- i,- 1,- i,1,i,1

11

i,- 1,i,1,- i,1,i,1

Transmission at 11 Mbps with CCK To m ove t o a full 11 Mbps, 8 bit s m ust be encoded wit h each sym bol. As wit h ot her t echniques, t he first t wo bit s are encoded by t he phase shift of t he t ransm it t ed sym bol relat ive t o t he previous sym bol. Six bit s are encoded using CCK. Figure 12- 21 illust rat es t he process.

Figu r e 1 2 - 2 1 . 8 0 2 .1 1 b t r a n sm ission a t 1 1 M bps

1 . The MAC fram e em bedded in t he PCLP fram e is divided int o a st ring of 8- bit blocks. Each 8- bit block is furt her divided int o four 2- bit segm ent s. 2 . The first 2- bit segm ent is encoded by m eans of a DQPSK- t ype phase shift bet ween t he current sym bol and t he previous sym bol. As wit h t he 5.5- Mbps rat e, even and odd sym bols use a different phase shift for t echnical reasons. Sym bol num bering st art s wit h 0 for t he first 8- bit block. The phase shift s are ident ical t o t he phase shift s used in 5.5- Mbps t ransm ission. 3 . The rem aining six bit s are grouped int o t hree successive pairs. Each pair is associat ed wit h t he phase angle in Table 12- 8 and is used t o derive a code word.

Ta ble 1 2 - 8 . Ph a se a n gle e n codin g for 1 1 - M bps t r a n sm ission Bit pa t t e r n

Ph a se a n gle

00

0

01

p /2

10

p

11

3p / 2

As an exam ple, consider t he conversion of t he bit sequence 0100 1101 int o a com plex code for t ransm ission on an 802.11b net work. The first t wo bit s, 01, encode a phase shift from t he previous sym bol. I f t he sym bol is an even sym bol in t he MAC fram e, t he phase shift is p / 2; ot herwise, t he shift is 3p / 2. ( Sym bols in t he MAC fram e are num bered st art ing from 0, so t he first sym bol in a fram e is even.) The last six bit s are divided int o t hree 2- bit groups: 00, 11, and 01. Each of t hese is used t o encode an angle in t he code word equat ion. The next st ep in t ransm ission is t o convert t he phase angles int o t he com plex code word for t ransm ission.

Clear channel assessment Like t he original DS PHY, high- rat e im plem ent ers have t hree choices for t he CS/ CCA operat ion m ode. All t he direct - sequence CCA m odes are considered t o be part of t he sam e list . Mode 1 is ident ical t o t he DS PHY's CCA Mode 1, and Modes 2 and 3 are used exclusively by t he original DS PHY. Modes 4 and 5 are t he HR/ DSSS- specific CCA m odes.

Mode 1 When t he energy exceeds t he energy det ect ion ( ED) t hreshold, t he m edium is report ed busy. The ED t hreshold depends on t he t ransm it power used. This m ode is also available for classic direct - sequence syst em s.

Mode 4 I m plem ent at ions using Mode 4 look for an act ual signal. When t riggered, a Mode 4 CCA im plem ent at ion st art s a 3.65 m s t im er and begins count ing down. I f no valid HR/ DSSS signal is received by t he expirat ion of t he t im er, t he m edium is report ed idle. 3.65 m s corresponds t o t he t ransm ission t im e required for t he largest possible fram e at 5.5 Mbps.

Mode 5 Mode 5 com bines Mode 1 and Mode 4. A signal m ust be det ect ed wit h sufficient energy before t he channel is report ed busy t o higher layers. Once a channel is report ed busy, it st ays busy for t he durat ion of t he int ended t ransm ission, even if t he signal is lost . The channel is considered busy unt il t he t im e int erval in t he Lengt h field has elapsed. I m plem ent at ions t hat look for a valid signal m ay override t his requirem ent if a second PLCP header is det ect ed.

Optional Features of the 802.11b PHY 802.11b includes t wo opt ional physical- layer feat ures, neit her of which is widely used. Packet Binary Convolut ional Coding ( PBCC) was proposed as a m et hod of reaching t he 11 Mbps dat a rat e, but it was never widely im plem ent ed. Proposals for furt her revisions t o wireless LAN t echnology in t he I SM band specified PBCC, but t hose proposals were rej ect ed in t he sum m er of 2001. A second opt ional feat ure, channel agilit y , was designed t o assist net works in avoiding int erference. Channel agilit y causes t he cent er channel t o shift periodically in t he hope t hat int erference can be avoided. Channel agilit y was never widely used because it was not part icularly helpful. I n t he presence of int erference, som e t hroughput would be recovered as receivers hopped t o anot her channel, but t he addit ional spect rum required m ade it m uch m ore effect ive t o hunt down and fix t he int erference, or rem ap channels around it .

Characteristics of the HR/DSSS PHY Table 12- 9 shows t he values of a num ber of param et ers in t he HR/ DSSS PHY. Like t he DS PHY, t he HR/ DSSS PHY has a num ber of param et ers t hat can be adj ust ed t o com pensat e for delays in any part of a real syst em .

Ta ble 1 2 - 9 . H R/ D SSS PH Y pa r a m e t e r s

Pa r a m e t e r

Va lu e

N ot e s

Maxim um MAC fram e lengt h

4,095 byt es

Slot t im e

20 m s

SI FS t im e

10 m s

Cont ent ion window size

31 t o 1,023 slot s

Pream ble durat ion

144 m s

Pream ble sym bols are t ransm it t ed at 1 MHz, so a sym bol t akes 1 m s t o t ransm it ; 96 bit s require 96 sym bol t im es.

PLCP header dur at ion

48 bit s

The PLCP header t ransm ission t im e depends on whet her t he short pream ble is used.

The SI FS is used t o derive t he value of t he ot her int erfram e spaces ( DI FS, PI FS, and EI FS) .

Minim um sensit ivit y - 76 dBm Adj acent channel rej ect ion

35 dB

See t ext for m easurem ent not es.

One ot her it em of not e is t hat t he t ot al aggregat e t hroughput of all HR/ DSSS net works in an area is st ill lower t han t he t ot al aggregat e t hroughput of all nonoverlapping frequency- hopping net works in an area. The t ot al aggregat e t hroughput is a funct ion of t he num ber of nonoverlapping channels. I n Nort h Am erica and m ost of Europe, t hree HR/ DSSS net works can be deployed in an area at once. Running each net work at t he t op speed of 11 Mbps, and assum ing user payload dat a t hroughput of 50% , t he t ot al aggregat e t hroughput will be 16.5 Mbps.

Chapter 13. 802.11a and 802.11j: 5-GHz OFDM PHY Go West , young m an, and grow up wit h t he count ry! John B.L. Soule[ * ] [*]

This is often attributed to Horace Greeley, who did much to popularize it.

The 2.4 GHz I SM bands are crowded, and oft en choked wit h non- 802.11 t raffic. I n an at t em pt t o develop higher dat a rat es, t he 802.11 working group st andardized a physical layer using unlicensed spect rum around 5 GHz. Large t ract s of undeveloped spect rum were available for unlicensed use, and far fewer devices have used t he spect rum . 802.11a was st andardized in 1999, but it t ook a significant am ount of t im e t o bring product s t o m arket . 802.11a hardware finally hit t he m arket in lat e 2001. Today, t he best known m anufact urer of 802.11a chipset s is At heros Com m unicat ions. I n form and funct ion, t hey look sim ilar t o any ot her wireless LAN card. Most are CardBus cards, alt hough som e addit ional form fact ors are used m ore widely now. The range of very high dat a rat es is quit e short , but generally, 802.11a has a com parable dat a rat e t o 802.11b at com parable dist ance. I nit ially, 802.11a was designed for t he 5- GHz Unlicensed Nat ional I nform at ion I nfrast ruct ure ( U- NI I ) bands in t he Unit ed St at es. Wit h t he success of 802.11a in t he Am erican m arket , ot her regulat ors developed rules t o allow 802.11a. The 802.11 working group support ed t hese effort s t hrough 802.11h for Europe, which was discussed in Chapt er 8, and 802.11j for Japan. This chapt er begins wit h a qualit at ive int roduct ion t o t he basis of OFDM. When all t he m at hem at ical form alism is st ripped away, OFDM is a m et hod for chopping a large frequency channel int o a num ber of subchannels. The subchannels are t hen used in parallel for higher t hroughput . I ant icipat e t hat m any readers will skip t he first sect ion, eit her because t hey are already fam iliar wit h OFDM or are int erest ed only in how t he frequency bands are used and how t he PCLP wraps up fram es for t ransm ission.

Orthogonal Frequency Division Multiplexing (OFDM) 802.11a is based on ort hogonal frequency division m ult iplexing ( OFDM) . OFDM is not a new t echnique. Most of t he fundam ent al work was done in t he lat e 1960s, and U.S. pat ent num ber 3,488,445 was issued in January 1970. Recent DSL work ( HDSL, VDSL, and ADSL) and wireless dat a applicat ions have rekindled int erest in OFDM, especially now t hat bet t er signal- processing t echniques m ake it m ore pract ical. [ * ] OFDM does, however, differ from ot her em erging encoding t echniques such as code division m ult iple access ( CDMA) in it s approach. CDMA uses com plex m at hem at ical t ransform s t o put m ult iple t ransm issions ont o a single carrier; OFDM encodes a single t ransm ission int o m ult iple subcarriers. The m at hem at ics underlying t he code division in CDMA is far m ore com plicat ed t han in OFDM. [*]

The lack of interest in OFDM means that references on it are sparse. Readers interested in the mathematical background that is omitted in this chapter should consult OFDM for Wireless Multimedia Applications by Richard van Nee and Ramjee Prasad (Artech House, 2000).

OFDM devices use one wide- frequency channel by breaking it up int o several com ponent subchannels. Each subchannel is used t o t ransm it dat a. All t he " slow" subchannels are t hen m ult iplexed int o one " fast " com bined channel.

Carrier Multiplexing When net work m anagers solicit user input on net work build- out s, one of t he m ost com m on dem ands is for m ore speed. The hunger for increased dat a t ransm issions has driven a host of t echnologies t o increase speed. OFDM t akes a qualit at ively sim ilar approach t o Mult ilink PPP: when one link isn't enough, use several in parallel. OFDM is closely relat ed t o plain old frequency division m ult iplexing ( FDM) . Bot h divide t he available bandwidt h int o slices called car r ier s or subcar r ier s and m ake t hose carriers available as dist inct channels for dat a t ransm ission. OFDM boost s t hroughput by using several subcarriers in parallel and m ult iplexing dat a over t he set of subcarriers. Tradit ional FDM was widely used by first - generat ion m obile t elephones as a m et hod for radio channel allocat ion. Each user was given an exclusive channel, and guard bands were used t o ensure t hat spect ral leakage from one user did not cause problem s for users of adj acent channels. Figure 13- 1 illust rat es t he t radit ional FDM approach. The t rouble wit h t radit ional FDM is t hat t he guard bands wast e bandwidt h and t hus reduce capacit y. To avoid wast ing t ransm ission capacit y wit h unused guard bands, OFDM select s channels t hat overlap but do not int erfere wit h each ot her. Figure 13- 2 illust rat es t he cont rast bet ween t radit ional FDM and OFDM.

Figu r e 1 3 - 1 . Tr a dit ion a l FD M

Figu r e 1 3 - 2 . FD M ve r su s OFD M

Overlapping carriers are allowed because t he subcarriers are defined so t hat t hey are easily dist inguished from one anot her. The abilit y t o separat e t he subcarriers hinges on a com plex m at hem at ical relat ionship called ort hogonalit y .

Orthogonality Explained (Without Calculus) Ort hogonal is a m at hem at ical t erm derived from t he Greek word or t hos, m eaning st raight , right , or t rue. I n m at hem at ics, t he word " ort hogonal" is used t o describe independent it em s. Ort hogonalit y is best seen in t he frequency dom ain, looking at a spect ral breakdown of a signal. OFDM works because t he frequencies of t he subcarriers are select ed so t hat at each subcarrier frequency, all ot her subcarriers do not cont ribut e t o t he overall waveform . One com m on way of looking at ort hogonalit y is shown in Figure 13- 3. The signal has been divided int o it s t hree subcarriers. The peak of each subcarrier, shown by t he heavy dot at t he t op, encodes dat a. The subcarrier set is carefully designed t o be ort hogonal; not e t hat at t he peak of each of t he subcarriers, t he ot her t wo subcarriers have zero am plit ude. OFDM t akes t he coded signal for each subchannel and uses t he inverse fast Fourier t ransform ( I FFT) t o creat e a com posit e waveform from t he st rengt h of each subchannel. OFDM receivers can t hen apply t he FFT t o a received waveform t o ext ract t he am plit ude of each com ponent subcarrier.

Guard Time Wit h t he physical layers discussed in Chapt er 12, t he m ain problem for receivers was int er- sym bol int erference ( I SI ) (Figure 13- 4) . I SI occurs when t he delay spread bet ween different pat hs is large and causes a delayed copy of t he t ransm it t ed bit s t o shift ont o a previously arrived copy.

Figu r e 1 3 - 3 . Or t h ogon a lit y in t h e fr e qu e n cy dom a in

Figu r e 1 3 - 4 . I SI r e vie w e d

Wit h OFDM, int er- sym bol int erference does not pose t he sam e kind of problem . The Fourier t ransform used by OFDM dist ills t he received waveform int o t he st rengt hs of t he subcarriers, so t im e shift s do not cause dram at ic problem s. I n Figure 13- 4, t here would be a st rong peak for t he fundam ent al low- frequency carrier, and t he lat e- arriving high- frequency com ponent could be ignored. As wit h all benefit s, however, t here is a price t o pay. OFDM syst em s use m ult iple subcarriers of different frequencies. The subcarriers are packed t ight ly int o an operat ing channel, and sm all shift s in subcarrier frequencies m ay cause int erference bet ween carriers, a phenom enon called int er- carrier int erference ( I CI ) . Frequency shift s m ay occur because of t he Doppler effect or because t here is a slight difference bet ween t he t ransm it t er and receiver clock frequencies.

Fourier Analysis, the Fourier Transform, and Signal Processing The Fourier t ransform is oft en called " t he Swiss Arm y knife of signal processing." Signal processing oft en defines act ions in t erm s of frequency com ponent s. Receivers, however, process a t im e- varying signal am plit ude. The Fourier t ransform is a m at hem at ical operat ion t hat divides a waveform int o it s com ponent part s. Fourier analysis t akes a t im e- varying signal and convert s it t o t he set of frequency- dom ain com ponent s t hat m ake up t he signal. Signal- processing applicat ions oft en need t o perform t he reverse operat ion as well. Given a set of frequency com ponent s, t hese applicat ions use t hem like a recipe t o build t he com posit e waveform . The m at hem at ical operat ion used t o build t he com posit e waveform from t he known ingredient s in t he frequency dom ain is t he inverse Fourier t ransform . St rict ly speaking, Fourier analysis is applied t o sm oot h curves of t he sort found in physics t ext books. To work wit h a set of discret e dat a point s, a relat ive of Fourier t ransform called t he discret e Fourier t ransform ( DFT) m ust be used. Like t he Fourier t ransform , t he DFT has it s invert ed part ner, t he inverse DFT ( I DFT) . The DFT is a com put at ionally int ensive process of order N2 , which m eans t hat it s running t im e is proport ional t o t he square of t he size of t he num ber of dat a point s. I f t he num ber of dat a point s is an even power of t wo, however, several com put at ional short cut s can be t aken t o cut t he com plexit y t o order N log N. On large dat a set s, t he reduced com plexit y boost s t he speed of t he algorit hm . As a result , t he " short " DFT applied t o 2 n dat a point s is called t he fast Fourier t ransform ( FFT) . I t also has an invert ed relat ive, t he inverse fast Fourier t ransform ( I FFT) . Fast Fourier t ransform s used t o be t he dom ain of supercom put ers or special- purpose, signal- processing hardware. But wit h t he m icroprocessor speeds available t oday, sophist icat ed signal processing is well wit hin t he capabilit ies of a PC. Specialized digit al signal processors ( DSPs) are now cheap enough t o be used in alm ost anyt hingincluding t he chip set s on com m odit y 802.11 cards.

To address bot h I SI and I CI , OFDM t ransceivers reserve t he beginning port ion of t he sym bol t im e as t he guard t im e and perform t he Fourier t ransform only on t he non- guard t im e port ion of t he sym bol t im e. The non- guard t im e port ion of t he sym bol is oft en called t he FFT int egrat ion t im e because t he Fourier t ransform is perform ed only on t hat port ion of t he sym bol. Delays short er t han t he guard t im e do not cause I CI because t hey do not allow frequency com ponent s t o leak int o successive sym bol t im es. Select ing t he guard t im e is a m aj or t ask for designers of OFDM syst em s. The guard t im e obviously reduces t he overall t hroughput of t he syst em because it reduces t he t im e during which dat a t ransm ission is allowed. A guard t im e t hat is t oo short does not prevent int erference but does reduce t hroughput , and a guard t im e t hat is t oo long reduces t hroughput unnecessarily.

Cyclic Extensions (Cyclic Prefixes) The m ost st raight forward m et hod of im plem ent ing t he guard t im e would be sim ply t o t ransm it not hing during t he guard t im e, as shown in Figure 13- 5.

Figu r e 1 3 - 5 . N a ive im ple m e n t a t ion of gu a r d t im e ( do n ot do t h is!)

Sim plist ic im plem ent at ions of t he guard t im e can dest roy ort hogonalit y in t he presence of com m on delay spreads. OFDM depends on having an int eger num ber of wavelengt hs bet ween each of t he carriers. When t he guard t im e is perfect ly quiet , it is easy t o see how a delay can dest roy t his necessary precondit ion, as in Figure 13- 5. When t he t wo subcarriers are added t oget her, t he spect ral analysis shows subcarrier 1 ( t wo cycles/ sym bol) as a st rong opdpresence and a relat ively sm aller am ount of subcarrier 2 ( t hree cycles/ sym bol) . I n addit ion, t he spect ral analysis shows a large num ber of high- frequency com ponent s, m uddying t he wat ers furt her. These com ponent s are t he consequence of suddenly t urning a signal " on." Solving t he problem s associat ed wit h a quiet guard t im e is quit e sim ple. Each subcarrier is ext ended t hrough t he FFT int egrat ion period back t hrough t he preceding guard t im e. Ext ending each subcarrier ( and hence t he ent ire OFDM sym bol) yields a Fourier t ransform t hat shows only t he am plit udes of t he subcarrier frequencies. This t echnique is com m only called cyclic ext ension , and it m ay be referred t o as t he " cyclic prefix ext ension." The guard t im e wit h t he ext ended prefix is called t he cyclic prefix. I n Figure 13- 6, t he cyclic prefix preserves t he spect ral analysis. Subcarrier 1 was not shift ed and is not a problem . Subcarrier 2 is delayed, but t he previous sym bol appears only in t he guard t im e and is not processed by t he Fourier t ransform . Thanks t o t he cyclic prefix ext ension, when subcarrier 2 is processed by t he Fourier t ransform , it is a pure wave at t hree cycles per int egrat ion t im e.

Figu r e 1 3 - 6 . Cyclic pr e fix e x t e n sion

Windowing One furt her enhancem ent helps OFDM t ransceivers cope wit h real- world effect s. Transit ions can be abrupt at sym bol boundaries, causing a large num ber of high- frequency com ponent s ( noise) . To m ake OFDM t ransm it t ers good radio cit izens, it is com m on t o add padding bit s at t he beginning and end of t ransm issions t o allow t ransm it t ers t o " ram p up" and " ram p down" from full power. Padding bit s are frequent ly needed when error correct ion coding is used. Som e docum ent at ion m ay refer t o t he padding as " t raining sequences." Windowing is a t echnique used t o bring t he signal for a new sym bol gradually up t o full st rengt h while allowing t he old sym bol t o fade away. Figure 13- 7 shows a com m on windowing funct ion based on a cosine curve. At t he st art of t he sym bol period, t he new funct ion is brought up t o full st rengt h according t o t he cosine funct ion. When t he sym bol ends, t he cosine curve is used t o fade out t he bit s at t he end of t he sym bol.

Figu r e 1 3 - 7 . Cosin e w in dow in g t e ch n iqu e

OFDM as Applied by 802.11a 802.11a is not a radical applicat ion of OFDM. The t ask group responsible for st andardizing OFDM t ook t he m iddle ground t o apply OFDM t o wireless LAN.

OFDM Parameter Choice for 802.11a When choosing OFDM param et ers, t here are usually t hree given it em s of inform at ion. Bandwidt h is fixed, oft en by regulat ory aut horit ies. Delay is det erm ined by t he environm ent in which t he OFDM syst em will operat e; m ost office buildings generally show a delay spread of 40- 70 ns, t hough in som e environm ent s, t he delay spread can approach 200 ns. Finally, t he bit rat e is usually a design goal, alt hough t he goal is usually " m ake t he bit rat e as high as possible, given t he const raint s of t he ot her param et ers." One com m on guideline is t hat t he guard t im e should be t wo t o four t im es t he average delay spread. As a result , t he 802.11a designers select ed a guard t im e of 800 ns. Sym bol durat ion should be m uch larger t han t he guard t im e, but wit hin reason. Larger sym bol t im es m ean t hat m ore subcarriers can fit wit hin t he sym bol t im e. More subcarriers increase t he signal- processing load at bot h t he sender and receiver, increasing t he cost and com plexit y of t he result ing device. A pract ical choice is t o select a sym bol t im e at least five t im es t he guard t im e; 802.11a m at ches t he 800- ns guard t im e wit h a 4m s sym bol t im e. Subcarrier spacing is inversely relat ed t o t he FFT int egrat ion t im e. 802.11a has a 3.2- m s int egrat ion t im e and a subcarrier spacing of 0.3125 MHz ( 1/ 3.2 m s) . Operat ing channels in 802.11a are specified as 20 MHz- wide. The bandwidt h of an operat ing channel is a design decision. Wider operat ing channels have higher t hroughput , but fewer operat ing channels fit int o t he assigned frequency spect rum . The use of a 20- MHz operat ing channel allows for reasonable speeds on each channel ( up t o 54 Mbps) , as well as a reasonable num ber of operat ing channels in t he assigned spect rum . 802.11a offers a wide variet y of choices in m odulat ion and coding t o allow for a t rade- off bet ween robust m odulat ion and conservat ive coding, which yields low, reliable t hroughput , finer- grained m odulat ion, and aggressive coding, result ing in higher, yet som ewhat m ore fragile, t hroughput .

Structure of an Operating Channel Like t he DS PHYs, t he OFDM physical layer organizes t he spect rum int o operat ing channels. Each 20MHz channel is com posed of 52 subcarriers. 4 of t he subcarriers are used as pilot carriers for m onit oring pat h shift s and I CI , while t he ot her 48 subcarriers are used t o t ransm it dat a. Subcarriers are spaced 0.3125 MHz apart . As shown in Figure 13- 8, channels are num bered from - 26 t o 26. Subcarrier 0 is not used for signal- processing reasons. Pilot subcarriers are assigned t o subcarriers - 21, - 7, 7, and 21. To avoid st rong spect ral lines in t he Fourier t ransform , t he pilot subcarriers t ransm it a fixed bit sequence specified in 802.11a using a conservat ive m odulat ion t echnique.

Figu r e 1 3 - 8 . St r u ct u r e of a n OFD M ch a n n e l

Subchannel modulation techniques 802.11a uses a t echnique called quadrat ure am plit ude m odulat ion ( QAM) on each of t he subcarriers t o t ransm it dat a. QAM encodes dat a on a single carrier wave, but t hat carrier wave is com posed of t wo com ponent s, called t he in- phase and quadr at ur e com ponent s. QAM perform s am plit ude m odulat ion on bot h com ponent s; t hat is, it varies t he size of t he carrier wave based on t he input . The m ain carrier wave is called in t he in- phase com ponent , abbreviat ed I . Lagging behind a quart ercycle out of phase is t he quadrat ure com ponent , abbreviat ed Q. ( Alt ernat ively, QAM can be m odeled m at hem at ically as a single wave by using com plex num bers.) Essent ially, t he am plit ude of t he com posit e signal and phase shift s wit hin it bot h encode inform at ion. [ * ] [*]

The phase shift modulation used by direct-sequence 802.11 PHYs is a special case of QAM, where the amplitude does not change but the phase does.

QAM is widely used in radio t ransm ission syst em s. I n Nort h Am erican t elevision t ransm ission, t he inphase com ponent carries lum inance, or bright ness inform at ion, while t he quadrat ure com ponent carries t he color inform at ion. AM radio is capable of st ereo recept ion as well; a QAM syst em syst em called C- QUAM encodes t he st ereo inform at ion on t he quadrat ure com ponent . Bot h t elevision and radio are analog syst em s. I n digit al syst em s, t he in- phase and quadrat ure com ponent s are rest rict ed t o part icular levels, or quant ized. Wit h bot h com ponent s rest rict ed t o a part icular set of levels, t he result is t hat a const ellat ion is form ed. Const ellat ions are usually displayed by plot t ing allowed values of t he in- phase signal and quadrat ure signal against each ot her on a t wo- dim ensional plot . Each point in t he const ellat ion is assigned t o a sym bol, and each sym bol is assigned t o a specific bit value. QAM is described in writ ing wit h t he num ber of bit s in t he const ellat ion, such as 64- QAM. Because t he num ber of quant ized values should always be a m ult iple of t wo in each direct ion, t he num ber preceding QAM is always a power of t wo. 802.11a uses square const ellat ions, and m any of t he proposals for fast er codes use square const ellat ions as well, which m eans t hat bot h direct ions m ust be an even power of t wo, and t he num ber is also a perfect square ( 16- QAM, 64- QAM, 256- QAM) . To t ransm it dat a at higher rat es, define a const ellat ion wit h m ore point s. However, as t he dat a rat e increases, t he received signal qualit y m ust be good enough t o dist inguish bet ween adj acent point s in t he const ellat ion. As t hey are packed closer t oget her, t he accept able error range around a point shrinks. 802.11a specifies t he m axim um accept able errors from a const ellat ion point as part of t he PHY. Figure 13- 10 shows t he const ellat ions used by 802.11a. At t he lowest bit rat es are BPSK and QPSK, t he t wo phase- shift keying m odulat ions used by t he direct sequence PHYs.

Figu r e 1 3 - 9 . Con st e lla t ion s u se d by 8 0 2 .1 1 a

The t ot al capacit y of t he radio channel is obt ained by m ult iplying t he num ber of subchannels by t he num ber of bit s per channel. A radio channel using 64- QAM on each subchannel can carry six bit s per subchannel. I n 802.11a, t here are 48 subchannels, which gives a capacit y of 288 bit s per channel. However, t here is a second at t ribut e t o account for. Most radio channels are not capable of error- free operat ion, and incorporat e an error correct ion code.

Forward error correction with convolutional coding St rict ly speaking, forward error correct ion is not part of OFDM. However, OFDM is used in applicat ions for which t he signal is subj ect t o narrowband int erference or frequency- specific narrowband fading, also known as deep fading. When fading occurs, a channel's abilit y t o carry dat a m ay go t o zero because t he received am plit ude is so sm all. To keep a few faded channels from driving t he bit error rat e t o t he sky, OFDM im plem ent at ions oft en apply an error correct ion code across all t he subchannels. I m plem ent at ions t hat use an error correct ion code in conj unct ion wit h OFDM are som et im es called coded OFDM ( COFDM) . Coded OFDM uses a forward error correct ion ( FEC) code on each channel. Forward error correct ion is a syst em t hat allows a receiver t o det ect corrupt ed bit s and repair t he t ransm ission, provided t hat t he fract ion of lost or dam aged bit s is sm all enough. To provide t he error- correct ion capabilit y, redundant bit s are added t o t he dat a st ream . FEC codes work by creat ing a st at e engine t hat depends on t he dat a bit s current ly being t ransm it t ed and encoding t hem across several sym bols. By sm earing noise out t hrough several t ransm it t ed sym bols, t ransient noise m ay be reduced t o t he point where result ing errors do not affect t he receiver's abilit y t o reconst ruct t he bit st ream .

Two classes of forward error correct ion codes can be used. Block codes work by t aking input blocks of a fixed size, while convolut ional codes work on st ream s of any lengt h. Block codes are used for applicat ions in which t he dat a is nat urally st ored, t ransm it t ed, or processed in chunks. DVDs, CDs, and hard disks use a block code. Convolut ional codes, however, are t he easy choice for wireless LANs because t he fram es being t ransm it t ed m ay be a variet y of sizes. [ * ] [*]

In 1993, it was discovered that two convolutional codes can be combined into a turbo code. Turbo codes are extremely powerful, though at the cost of additional latency over convolutional codes. They are used in applications where the additional latency is not a major factor, such as space and satellite communications. For further information about turbo codes, see the Jet Propulsion Laboratory's site at http://www331.jpl.nasa.gov/public/JPLtcodes.html, which features overview comparing the performance of turbo codes to the error correction codes used on the Voyager and Cassini probes. Turbo codes also underpin 1xEV-DO, Qualcomm's 3G Internet access system.

Convolut ional codes have t wo m ain param et ers. The const raint lengt h det erm ines how long a dat a bit is averaged int o successive t ransm issions. Longer const raint lengt hs average dat a bit s ( and hence, any noise) over a longer t im e period, im proving t he reliabilit y of t he t ransm ission at t he cost of m ore com plexit y in t he decoder. For relat ively short const raint lengt hs, t he Vit erbi algorit hm is used; it is recom m ended by t he 802.11a st andard it self. One of t he reasons for t he recom m endat ion is t hat t he Vit erbi decoder is a m axim um likelihood decoder. The result s from a Vit erbi decoder are t he m ost likely dat a bit s t hat were t ransm it t ed. Not all decoders are m axim um likelihood, t hough it is obviously an im port ant propert y for digit al t ransm ission syst em s. 802.11a uses a const raint lengt h of 7, which is t he lim it of where a Vit erbi decoder can pract ically be used. ( Com plexit y of Vit erbi decoding grows exponent ially wit h const raint lengt h.) The second param et er, t he coding rat e ( R) , det erm ines how m any redundant bit s are added. I t is expressed as t he num ber of dat a bit s t ransm it t ed as a rat io of t he t ot al num ber of coded bit s. A convolut ional code wit h R= 1/ 2 t ransm it s one dat a bit for every t wo code bit s. More aggressive codes m ay have less redundant inform at ion, such as R= 3/ 4, where only 25% of t he bit s are redundant . Select ing a coding rat e is a m at t er of engineering. As t he code rat e decreases, m ore code bit s are available t o correct errors, and t he code becom es m ore robust . However, t he price of robust ness is decreased t hroughput . 802.11a specifies t hree code rat es ranging from 1/ 2 at t he m ost conservat ive end t o 3/ 4 at t he m ost aggressive end. [ * ] [*]

The basic convolutional code specified by 802.11a uses a constraint length of 7 and a code rate of 1/2. This code was used on the Voyager deep-space probe.

Convolut ional code rat es m ay be t ransform ed by punct uring. A punct ured code changes a lower- rat e convolut ional code int o a higher- rat e code by discarding som e of t he coded bit s. When dat a is coded, t he lower- rat e code is run. I n t he case of 802.11a, t he lowest code rat e is 1/ 2, which doubles t he size of t he dat a. To punct ure t o a 3/ 4 rat e, one t hird of t he coded dat a is discarded, or " punct ured." To punct ure t o a 2/ 3 rat e, 30% of t he coded dat a is discarded. The coded dat a, m inus t he dropped bit s, are t ransm it t ed. At t he receiver, dum m y bit s are st uffed int o t he decoder t o st and in for t he punct ured bit s. Figure 13- 10 illust rat es t he process t o punct ure a rat e 1/ 2 code t o a rat e 3/ 4 code. One of t he advant ages of using a punct ured code is t hat it can be im plem ent ed as single convolut ional coder under soft ware cont rol, and different punct uring pat t erns can be used t o alt er t he rat e in soft ware.

Figu r e 1 3 - 1 0 . Pu n ct u r in g t o in cr e a se t h e code r a t e

Subchannel interleaving Each operat ing channel has 48 const it uent subcarriers. I n essence, each operat ing channel is a m ult iplexed sum of 48 separat e dat a st ream s. The incom ing st ream of coded bit s m ust be m apped on t o t he correct subcarrier. Rat her t han use a sim ple round- robin algorit hm t hat m aps t he first bit on t o t he first subcarrier, t he second bit on t o t he second subcarrier, and so on, 802.11a uses a pair of int erleaving rules. The first rule ensures t hat bit s in sequence are t ransm it t ed on widely separat ed subcarriers, and t he second ensures t hat bit s in sequence are m apped on t o different const ellat ion point s. As an exam ple, Figure 13- 11 illust rat es t he int erleaver in operat ion wit h 16- QAM, which has 192 bit s. Each of t he 192 bit s m ust be m apped on t o one of t he 48 dat a- carrying subcarriers. The figure plot s t he bit posit ion against t he subcarrier, clearly showing how each subcarrier is responsible for four coded bit s.

Figu r e 1 3 - 1 1 . I n t e r le a vin g w it h 1 6 - QAM

Operating Channels Channels in t he 5- GHz band are num bered st art ing every 5 MHz according t o t he following form ulas: Obviously, each 20- MHz 802.11a channel occupies four channel num bers. The recom m ended channel use is given in Table 13- 1 . 802.11a was originally designed for t he Unit ed St at es. European channelizat ion was added as part of 802.11h in lat e 2003, and Japanese operat ion was added wit h 802.11j in lat e 2004. [ * ] [*]

European radio regulations are standardized by the European Conference of Postal and Telecommunications Administrations (CEPT). The European Radiocommunications Office develops regulations for CEPT; the 5 GHz radio LAN regulations are ERC/DEC/(99)23 (available at http://www.ero.dk/doc98/Official/Pdf/DEC9923E.PDF). Japanese operation was approved by the Ministry of Internal Communications (http://www.soumu.go.jp/), in Articles 49.20 and 49.21 (http://www.soumu.go.jp/joho_tsusin/eng/Resources/Legislation/MRA/020226_00.html).

Ta ble 1 3 - 1 . Ope r a t in g ch a n n e ls for 8 0 2 .1 1 a / j

Fr e qu e n cy

Allow e d in ?

Allow e d pow e r a

4.920- 4.980 GHz

Japan

250 m W EI RP and < 1 W, or 10 m W EI RP

5.040- 5.080 GHz

Japan

5.15- 5.25 GHz Japan

250 m W EI RP and < 1 W, or 10 m W EI RP

200 m W ( < 10 m W/ MHz)

Ch a n n e l n u m be r s

Ce n t e r fr e qu e n cy ( GH z)

240

4.920

244

4.940

248

4.960

252

4.980

8

5.040

12

5.060

16

5.080

34

5.170

Fr e qu e n cy

U- NI I lower band

Allow e d in ?

Unit ed St at es

Ch a n n e l n u m be r s

Ce n t e r fr e qu e n cy ( GH z)

38

5.190

42

5.210

46

5.230

36

5.180

40

5.200

44

5.220

48

5.240

52

5.260

56

5.280

60

5.300

64

5.320

100

5.500

104

5.520

108

5.540

112

5.560

116

5.580

120

5.600

124

5.620

128

5.640

132

5.660

136

5.680

140

5.700

800 m W

149

5.745

( 50 m W/ MHz)

153

5.765

157

5.785

161

5.805

Allow e d pow e r a m W/ MHz)

40 m W ( 2.5 m W/ MHz)

( 5.15- 5.25 GHz)

U- NI I m idband

Unit ed St at es

200 m W ( 12.5 m W/ MHz)

( 5.25- 5.35 GHz)

5.470- 5.725

U- NI I upper band ( 5.725- 5.825 GHz)

a b

Europe ( CEPT) ( allowed in Unit ed St at es as of 11/ 2003, subj ect t o U- NI I rulesb )

1 W EI RP

I n t he Unit ed St at es, t he allowed power is t he m axim um out put power using a 6- dBi ant enna gain.

The addit ional spect rum was opened in FCC 03- 287 ( ht t p: / / hraunfoss.fcc.gov/ edocs_public/ at t achm at ch/ FCC- 03- 287A1.pdf) , but t est procedures were st ill in developm ent as t his book went t o press. Wit hout t est ing, no devices were able t o be cert ified t o operat e in t his spect rum in t he Unit ed St at es.

There is one ot her feat ure of not e about t he operat ing bands. As wit h t he DS PHYs, a t ransm it m ask lim it s power leakage int o t he side bands. The m ask is shown in Figure 13- 12.

Figu r e 1 3 - 1 2 . Tr a n sm it spe ct r u m m a sk for 8 0 2 .1 1 a

Figure 13- 13 gives an overall view of t he 802.11a channels available in t he U.S. Four channels are available in each of t he U- NI I bands in t he U.S. I n t he t wo lower U- NI I bands, channels are allowed t o overlap, and a 30- MHz guard band is present at bot h t he lower end of t he low U- NI I band and t he upper end of t he m id U- NI I band.

Figu r e 1 3 - 1 3 . Ope r a t in g ba n ds fr om Ta ble 1 3 - 1

OFDM PLCP Like all t he ot her physical layers, t he OFDM PHY includes it s own PLCP, which adds physical layerspecific fram ing param et ers.

Framing The OFDM PHY adds a pream ble and a PLCP header. I t also adds t railing bit s t o assist t he encoding schem es used. This sect ion divides t he PLCP fram e logically, but som e com ponent s span different fields in t he prot ocol unit . Figure 13- 14 is t he j um ping- off point for discussion of t he OFDM fram e.

Figu r e 1 3 - 1 4 . OFD M PLCP fr a m in g for m a t

Figure 13- 15 shows t he st art of a fram e, but includes t he guard int ervals and windowing used by t he t ransm it t er. The pream ble last s 16 m s, which is evenly divided bet ween short and long t raining sequences; t he difference bet ween t he t wo is described in t he next sect ion. Aft er t he pream ble, one OFDM sym bol carries t he Signal field, t hen a variable num ber of dat a sym bols carry t he end of t he PLCP header , t he MAC payload, and t he t railer. All sym bols use a m odified cosine window t o ensure sm oot h t ransit ions. Aft er t he short pream ble, which is used t o synchronize frequencies, a guard t im e prot ect s against m ult ipat h fading.

Figu r e 1 3 - 1 5 . Pr e a m ble a n d fr a m e st a r t

Preamble

As wit h all ot her com m on I EEE 802 net works, and cert ainly all 802.11 physical layers, t he OFDM physical prot ocol unit begins wit h a pream ble. I t is com posed of 12 OFDM sym bols t hat synchronize various t im ers bet ween t he t ransm it t er and t he receiver. The first 10 sym bols are a short t raining sequence, which t he receiver uses t o lock on t o t he signal, select an appropriat e ant enna if t he receiver is using m ult iple ant ennas, and synchronize t he large- scale t im ing relat ionships required t o begin decoding t he following sym bols. The short t raining sequences are t ransm it t ed wit hout a guard period. Two long t raining sequences follow t he short t raining sequences. Long t raining sequences fine- t une t he t im ing acquisit ion and are prot ect ed by a guard int erval.

Header The PLCP header is t ransm it t ed in t he Signal field of t he physical prot ocol unit ; it incorporat es t he Service field from t he Dat a field of t he physical prot ocol unit . As shown in Figure 13- 16, t he Signal field incorporat es t he Rat e field, a Lengt h field, and a Tail field.

Figu r e 1 3 - 1 6 . Sign a l fie ld of OFD M PLCP fr a m e

Rat e ( 4 bit s) Four bit s encode t he dat a rat e. Table 13- 2 shows t he bit s used t o encode each of t he dat a rat es. See t he sect ion " OFDM PMD" lat er in t his chapt er for det ails on t he encoding and m odulat ion schem e used for each dat a rat e.

Ta ble 1 3 - 2 . Ra t e bit s D a t a r a t e ( M bps)

Bit s ( t r a n sm ission or de r )

6

1101

9

1111

12

0101

18

0111

24

1001

36

1011

48

0001

54

0011

Lengt h ( 12 bit s) 12 bit s encode t he num ber of byt es in t he em bedded MAC fram e. Like m ost fields, it is t ransm it t ed least - significant bit t o m ost - significant bit . The lengt h is processed by a convolut ional code t o prot ect against bit errors.

Parit y ( 1 bit ) and Reserved ( 1 bit ) Bit 4 is reserved for fut ure use and m ust be set t o 0. Bit 17 is an even parit y bit for t he first 16 Signal bit s t o prot ect against dat a corrupt ion.

Tail ( 6 bit s) The Signal field ends wit h six 0 t ail bit s used t o unwind t he convolut ional code. As such, t hey m ust by definit ion be processed by t he convolut ional code.

Service ( 16 bit s) The final field in t he PLCP header is t he 16- bit Service field. Unlike t he ot her com ponent s of t he PLCP header, it is t ransm it t ed in t he Dat a field of t he physical prot ocol unit at t he dat a rat e of t he em bedded MAC fram e. The first eight bit s are set t o 0. As wit h t he ot her physical layers, MAC fram es are scram bled before t ransm ission; t he first six bit s are set t o 0 t o init ialize t he scram bler. The rem aining nine bit s are reserved and m ust set t o 0 unt il t hey are adopt ed for fut ure use.

Data The encoding schem e used for t he dat a depends on t he dat a rat e. Before t ransm ission, dat a is scram bled, as it is wit h t he ot her physical layers. The Service field of t he header is included in t he Dat a field of t he physical prot ocol unit because it init ializes t he scram bler.

Trailer The Dat a field of t he physical prot ocol unit ends wit h a t railer. ( The 802.11a specificat ion does not call t he ending fields a t railer, but it is a descript ive t erm .) I t is com posed of t wo fields:

Tail ( 6 bit s) Like t he t ail bit s in t he PLCP header, t he t ail bit s appended t o t he end of t he MAC fram e bring t he convolut ional code sm oot hly t o an end. Six bit s are required because t he convolut ional code has a const raint lengt h of seven.

Pad ( variable)

As used by 802.11a, OFDM requires t hat fixed- size blocks of dat a bit s be t ransferred. The Dat a field is padded so t hat it s lengt h is an int eger m ult iple of t he block size. The block size depends on t he m odulat ion and coding used by t he dat a rat e; it is discussed in t he next sect ion.

OFDM PMD The OFDM PHY uses a cockt ail of different m odulat ion schem es t o achieve dat a rat es ranging from 6 Mbps t o 54 Mbps. I n all cases, t he physical layer uses a sym bol rat e of 250,000 sym bols per second across 48 subchannels; t he num ber of dat a bit s per sym bol varies. An OFDM sym bol spans all 48 subchannels.

Encoding and Modulation There are four rat e t iers wit h t he OFDM PHY: 6 and 9 Mbps, 12 and 18 Mbps, 24 and 36 Mbps, and 48 and 54 Mbps. Support is required for 6, 12, and 24 Mbps, which are lowest speeds in each of t he first t hree t iers, and t herefore t he m ost robust in t he presence of int erference. The lowest t ier uses binary phase shift keying ( BPSK) t o encode 1 bit per subchannel, or 48 bit s per sym bol. The convolut ional coding m eans t hat eit her half or one quart er of t he bit s are redundant bit s used for error correct ion, so t here are only 24 or 36 dat a bit s per sym bol. The next t ier uses quadrat ure phase shift keying ( QPSK) t o encode 2 bit s per subchannel, for a t ot al of 96 bit s per sym bol. Aft er subt ract ing overhead from t he convolut ional code, t he receiver is left wit h 48 or 72 dat a bit s. The t hird and fourt h t iers use generalized form s of BPSK and QPSK known as quadrat ure am plit ude m odulat ion ( QAM) . 16- QAM encodes 4 bit s using 16 sym bols, and 64- QAM encodes 6 bit s using 64 sym bols. The t hird t ier uses 16- QAM along wit h t he st andard R= 1/ 2 and R= 3/ 4 convolut ional codes. To achieve higher rat es wit h 64- QAM, however, t he convolut ional codes use R= 2/ 3 and R= 3/ 4. Table 13- 3 sum m arizes t he coding m et hods used by each dat a rat e in t he OFDM PHY.

Ta ble 1 3 - 3 . En codin g de t a ils for diffe r e n t OFD M da t a r a t e s Spe e d ( M b p s)

M odu la t ion a n d codin g r a t e ( R)

Code d bit s pe r ca r r ie r a

Code d bit s pe r sy m b ol

D a t a bit s pe r sy m b ol b

6

BPSK, R= 1/ 2

1

48

24

9

BPSK, R= 3/ 4

1

48

36

12

QPSK, R= 1/ 2

2

96

48

18

QPSK, R= 3/ 4

2

96

72

24

16- QAM, R= 1/ 2

4

192

96

36

16- QAM, R= 3/ 4

4

192

144

48

64- QAM, R= 2/ 3

6

288

192

54

64- QAM, R= 3/ 4

6

288

216

72 c

64- QAM

6

288

288

a

Coded bit s per subchannel is a funct ion of t he m odulat ion ( BPSK, QPSK, 16- QAM, or 64- QAM) .

b

The dat a bit s per sym bol is a funct ion of t he rat e of t he convolut ional code.

Spe e d ( M b p s)

M odu la t ion a n d codin g r a t e ( R)

Code d bit s pe r ca r r ie r a

Code d bit s pe r sy m b ol

D a t a bit s pe r sy m b ol b

c

Alt hough no rat e has been st andardized wit hout a convolut ional code, m any product s offer a m ode where it is dropped for addit ional t hroughput .

Radio Performance: Sensitivity and Channel Rejection Like ot her physical layers, 802.11a specifies m inim um perform ance requirem ent s for t he receiver, which are shown in Table 13- 4 . Minim um sensit ivit y has been discussed for t he ot her physical layers. The only feat ure of not e in 802.11a is t hat t he wide range in dat a speeds m eans t hat a m inim um perform ance requirem ent is quot ed for each dat a speed. I n com parison wit h t he requirem ent s laid down by t he direct - sequence layers, 802.11a is j ust as st ringent . 802.11a requires a - 76 dBm sensit ivit y, which is com parable t o t he 18 Mbps and 24 Mbps dat a rat es in 802.11a. [ * ] [*]

Note, however, that path loss is worse at the 802.11a frequencies.

More int erest ing is t he specificat ion of channel rej ect ion. As wit h t he ot her physical layers, begin by inj ect ing a signal slight ly ( 3 dB) above t he m inim um sensit ivit y on a given channel. On eit her rej ect ion t est , bring up a second signal on eit her an adj acent or nonadj acent channel. When t he channel under t est suffers a 10% fram e error rat e, not e t he difference in power bet ween t he t wo channels. What t he t able says is t hat as t he dat a rat e increases, t he m ore easily a signal is disrupt ed at t he receiver. I f an 802.11a net work is built t oo dense, so t hat 54 Mbps signals from adj acent APs are regularly received in t he m iddle of t he t wo, it is possible t hat t he client radio chipset s will not be able t o decode t he t ransm issions. However, t his scenario is unlikely due t o t he relat ively short range of 54 Mbps t ransm issions. Furt herm ore, m any chipset s will perform bet t er t han t he st andard requires, but m ost vendors do not quot e rej ect ion in t he dat a sheet s for t heir cards.

Ta ble 1 3 - 4 . Re ce ive r pe r for m a n ce r e qu ir e m e n t s Data rate ( M b p s)

M in im u m se n sit ivit y ( dBm )

Adj a ce n t ch a n n e l r e j e ct ion ( dB)

N on a dj a ce n t ch a n n e l r e j e ct ion ( dB)

6

- 82

16

32

9

- 81

15

31

12

- 79

13

29

18

- 77

11

27

24

- 74

8

24

36

- 70

4

20

48

- 66

0

16

54

- 65

-1

15

Clear Channel Assessment

The OFDM PHY specificat ion leaves im plem ent ers a great deal of lat it ude in select ing t echniques for not ing a busy channel. Received signal st rengt h t hresholds det erm ine whet her t he channel is in use, but t he m ain guideline for 802.11a equipm ent is t hat it m ust m eet cert ain perform ance st andards. I m plem ent at ions are free t o use t he Packet Lengt h field from t he PLCP header t o augm ent clear channel assessm ent , but t his is not required.

Transmission and Reception The block diagram for an 802.11a receiver is shown in Figure 13- 17. When a fram e is ready for t ransm ission, t he 802.11a int erface runs t he following procedure:

1 . Select a t ransm ission rat e. Algorit hm s for select ing a dat a rat e are im plem ent at ion- dependent , so product s sold by different vendors m ay select different rat es under ident ical circum st ances. The rat e dict at es t he m odulat ion and convolut ional code, as well as t he num ber of dat a bit s per subcarrier. See Table 13- 3 . 2 . Transm it t he PLCP pream ble, which consist s of long and short t raining sequences. 3 . Begin t ransm ission of t he PLCP header wit h t he SI GNAL field, which is not scram bled. I t is coded wit h t he convolut ional coder. 4 . Creat e t he dat a field of t he packet .

a . Creat e t he SERVI CE field, which is current ly set t o all zeros. I t has seven zeros for scram bler init ializat ion, and nine reserved bit s set t o zero. b. Append t he dat a. c. Put on t he six zero t ail bit s. d. Pad wit h zeros t o a m ult iple of t he dat a bit per subcarrier block size. 5 . Scram ble t he dat a, which helps avoid long st rings of zeros or ones. 6 . Encode t he dat a wit h t he convolut ional coder. I f necessary, punct ure t he out put of t he convolut ional code t o generat e an encoded st ring at a higher rat e t han 1/ 2. 7 . Divide t he coded dat a int o blocks for processing. The block size depends on t he m odulat ion rat e for t he dat a sym bols.

a . Perform t he int erleaving process and m ap bit s from t he block on t o t he 48 subcarriers. b. I nsert t he four pilot subcarriers at t he designat ed locat ions.in t he channel. c. Use t he inverse Fourier t ransform t o convert t he frequency- dom ain dat a int o t im e- dom ain dat a for t ransm ission. 8 . Repeat st ep 5 for each dat a block unt il t here are no m ore.

Figu r e 1 3 - 1 7 . A t r a n sce ive r block dia gr a m

Acknowledgment Support of t he 6, 12, and 24 Mbps dat a rat es is required by 802.11a. Upon receipt of a fram e, t he 802.11 MAC requires an acknowledgm ent . Acknowledgm ent s m ust be sent at a support ed dat a rat e for all associat ed st at ions. Most devices send acknowledgm ent s at 24 Mbps because it m inim izes t he overhead while obeying t he st rict ure t o t ransm it at a m andat ory rat e.

An example of OFDM encoding OFDM encoding, as you can no doubt see by now, is an int ense, m ult ist ep process. One of t he addit ions t hat 802.11a m ade t o t he original specificat ion was Annex G, an encoding of Schiller's Ode t o Joy for t ransm ission over an 802.11a net work. Short ly aft er 802.11a was published, t he I EEE 802.11 working group discovered several errors in t he exam ple and published a correct ion. I f you are int erest ed in learning about OFDM encoding in det ail, you can refer t o t his exam ple.

Characteristics of the OFDM PHY Param et ers specific t o t he OFDM PHY are list ed in Table 13- 5 . Like t he physical layers present ed in Chapt ers 11 and 12 , t he OFDM PHY also incorporat es a num ber of param et ers t o adj ust for t he delay in various processing st ages in t he elect ronics. As a final not e, t he ext ra radio bandwidt h provided offers a great deal of t hroughput . I n t he Unit ed St at es, t here are current ly 12 channels, wit h t he addit ional space for eight channels recent ly cleared. 20 co- locat ed channels operat ing wit h 50% of t he t ransm ission t im e devot ed t o user t raffic can m ove over 500 Mbps. This num ber is far great er t han any ot her physical layer yet st andardized.

Ta ble 1 3 - 5 . OFD M PH Y pa r a m e t e r s Pa r a m e t e r

Va lu e

Maxim um MAC fram e lengt h

4,095 byt es

Slot t im e

9 m s

SI FS t im e

16 m s

Cont ent ion window size

15 t o 1,023 slot s

Pream ble durat ion

20 m s

PLCP header durat ion

4 m s

Receiver sensit ivit y

- 65 t o - 82 dBm

N ot e s

The SI FS is used t o derive t he value of t he ot her int erfram e spaces ( DI FS, PI FS, and EI FS) .

Depends on speed of dat a t ransm ission.

Like t he ot her physical layers, t he OFDM PHY has a num ber of at t ribut es t hat can be adj ust ed by a vendor t o balance delays in various part s of t he syst em . I t includes variables for t he lat ency t hrough t he MAC, t he PLCP, and t he t ransceiver, as well as variables t o account for variat ions in t he t ransceiver elect ronics.

Chapter 14. 802.11g: The Extended-Rate PHY (ERP) When wireless LANs first ent ered t he m ainst ream com put ing consciousness, t here was one pract ical choice. 802.11b had recent ly been st andardized, and offered t he prospect of near- Et hernet speed, which, t o be fair, by t hat point was not very fast at all. As 802.11a em erged from t he laborat ory int o com m ercially- available chipset s, users had a desire t o obt ain higher speeds t han 802.11b, while ret aining backwards com pat ibilit y wit h t he inst alled base of 802.11b hardware. The result is 802.11g, which offers a headline bit rat e com parable t o 802.11a while st ill operat ing in t he m icrowave band. By working at slight ly less t han half t he frequency, 802.11g devices have bet t er range t han t he 5 GHz 802.11a devices. 802.11g is not a revolut ionary specificat ion. I n fact , if you read t he new clauses added by t he specificat ion, it is clear t hat it uses m uch of t he exist ing work done elsewhere. The new physical layers it specifies are built on exist ing work, and t here are only slight m odificat ions. Most of 802.11g is occupied wit h providing backwards com pat ibilit y.

802.11g Components 802.11g is really several physical layer specificat ions in one. I t adds one um brella clause for t he Ext ended Rat e PHY ( ERP) . However, t here are several different " flavors" of ERP:

ERP- DSSS and ERP- CCK These m odes are backwards com pat ible wit h t he original direct sequence specificat ion ( 1 Mbps and 2 Mbps) described in Chapt er 11, as well as t he 802.11b enhancem ent s ( 5.5 Mbps and 11 Mbps) described in Chapt er 12. To ret ain backwards com pat ibilit y, a few m inor changes are r equir ed.

ERP- OFDM This is t he m aj or m ode of 802.11g. I t is essent ially running 802.11a in t he I SM frequency band ( 2.4 GHz) , wit h a few m inor changes t o provide backwards com pat ibilit y . I t support s t he sam e speeds as 802.11a: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Speeds of 6, 12, and 24 Mbps are m andat ory.

ERP- PBCC This is an opt ional ext ension t o t he PBCC st andard provided in 802.11b, and provides dat a rat es of 22 Mbps and 33 Mbps. Alt hough it is part of t he st andard, it is not im plem ent ed by m ost m aj or chipset s in t he m arket , and is not widely used.

DSSS- OFDM This a hybrid schem e, which encodes packet dat a using t he DSSS headers, and OFDM encoding of t he payload. Part of t he reason for developing t his im plem ent at ion was for backwards com pat ibilit y. Alt hough t he body is OFDM- m odulat ed and unint elligible t o 802.11b, inform at ion in t he headers is able t o provide inform at ion on t he durat ion of t he packet . I t is opt ional, and not widely im plem ent ed. Any device t hat im plem ent s 802.11g is required t o support a few m andat ory m odes. For backwards com pat ibilit y, 802.11g devices m ust support DSSS m odulat ion ( 802.11) at 1 and 2 Mbps, and CCK m odulat ion ( 802.11b) at 5.5 and 11 Mbps. Basic OFDM support is required, and all 802.11g st at ions are furt her required t o support OFDM m odulat ion at 6, 12, and 24 Mbps.

Compatibility Changes The m andat ory m odes in 802.11g are slight m odificat ions of exist ing physical layers, wit h a few

m inor alt erat ions m ade for backwards com pat ibilit y. The m odificat ions required of 802.11g st at ions assist coexist ence wit h older im plem ent at ions. They are not changes t o t he exist ing specificat ions. An 802.11b card will work as it always has. The only difference is t hat an 802.11g card will have a few feat ures not present in 802.11b. 802.11b devices im plem ent t wo different specificat ions: t he original, slow direct sequence ( DSSS) from t he init ial 802.11 st andard, and t he high- rat e com plem ent ary code keying ( CCK) PHY from 802.11b. 802.11g adopt s bot h of t hose st andards, and m akes only a few m inor changes. Nat urally, any 802.11g st at ion m ust be able t o hear not only older st at ions but ot her 802.11g st at ions, so any 802.11g- com pliant st at ion m ust support all t he pream bles and synchronizat ion found in 802.11g. More significant ly, 802.11g st at ions m ust support t he short pream ble because it helps a great deal in m aint aining high t hroughput . 802.11g radios are required t o be m ore sensit ive t o signals as well. 802.11g devices m ust also im plem ent ERP- OFDM, which is based heavily on 802.11a. I n fact , it looks alm ost exact ly like 802.11a, wit h a few obvious changes. Most not ably, 802.11g adopt s t he frequency plan of 802.11b, so t here are st ill only t hree ost ensibly nonoverlapping channels for use. ( See Chapt er 13 for t he adj acent - channel overlap m ap; t he sam e not e about t hree m ost ly nonoverlapping channels applies t o 802.11g as well.) I t also uses int erfram e spacing and slot t im es t hat are com pat ible wit h older I SM- band 802.11 st at ions. Regulat ory st ruct ures m ay be different around 802.11g and 802.11b, however. Japan allows 802.11b operat ion in channels 1- 14, but 802.11g is only allowed on channels 1- 13.

Protection One of t he m aj or differences bet ween 802.11b and 802.11g is prot ect ion, which is required because of an asym m et ry bet ween t he chipset s t hat im plem ent t he specificat ions. One of t he problem s faced by t he designers of 802.11g is t hat it uses a different m odulat ion schem e t han 802.11b. 802.11g chips are built wit h backwards com pat ibilit y, and have no problem receiving and decoding an 802.11b signal. As is norm ally t he case in t echnology, t he converse is not t rue. 802.11b chipset s have no way of m aking sense of t he higher- speed 802.11g t ransm issions. Part of t he solut ion is t o require t hat 802.11g st at ions t ransm it at a rat e support ed by all st at ions in basic service set . I f an AP is t o serve bot h 802.11b and 802.11g st at ions, it will need t o send Beacon fram es at a fram e dat a rat e of no higher t han 11 Mbps. The second part of t he solut ion is t o avoid int erference bet ween 802.11g and 802.11b net works. To ensure t hat 802.11b st at ions are aware of 802.11g t ransm issions, 802.11g specifies a prot ect ion m echanism t o " prot ect " 802.11b st at ions from int erference. The basic operat ion of t he prot ect ion m echanism is shown in Figure 14- 1. To avoid int erference during t he t ransm ission of t he OFDM fram e and it s acknowledgm ent , a slower fram e is sent t o updat e t he NAV. There are t wo m ain prot ect ion m odes. More com m only, 802.11g st at ions will use CTS- t o- self prot ect ion, as shown in Figure 14- 1 ( a) . When a st at ion has a fram e for t ransm ission t hat needs prot ect ion, it will t ransm it a CTS fram e wit h a receiver address of it s own MAC address; t hat is, t he dest inat ion of t he CTS fram e is t he st at ion it self. I n t he CTS, it will updat e t he Net work Allocat ion Vect or ( NAV) t o t ell ot her st at ions using t he physical m edium t hat it will be using t he radio link for t he t im e necessary t o t ransm it t he CTS, t he OFDM- m odulat ed fram e, and an OFDM- m odulat ed acknowledgm ent . Alt hough t he st at ion sends t he CTS t o it self, all st at ions on t he net work are required t o list en t o CTS fram es and updat e t he NAV accordingly. The CTS fram e is sent at t he m axim um speed it can be, using a m odulat ion t hat can be received by all st at ions. Throughput m ay suffer a significant hit as a result of t his exchange. A m axim um Et hernet - size dat a fram e and it s acknowledgm ent require 294 m icroseconds at t he highest speed, but t he CTS t o clear out t he net work requires at least 107 m icroseconds, and possibly m ore t han 200 m icroseconds if long pream bles are in use. Figure 14- 1 ( b) shows t he second m echanism , which is a full RTS/ CTS exchange. Full RTS/ CTS exchanges are m ore robust against hidden nodes, but com e wit h a cost in net work capacit y. As in t he CTS- t o- self case, t he com pat ibilit y fram es used t o reserve t he m edium m ay be have a t ransm ission

t im e com parable t o or longer t han t he dat a. Bot h t he RTS and CTS fram es will t ake 100 m icroseconds, while a m axim um - size dat a fram e and it s ACK only require 300 m icroseconds. Based on calculat ions of t he t im e required for t he ext ra RTS, I est im at e t hat t he use of full RTS/ CTS exchanges versus CTS- t o- self t o be a reduct ion of approxim at ely one t hird in overall dat a t hroughput . [ * ] [*]

See "When is 54 Not Equal to 54: An Analysis of 802.11g Throughput" at http://www.oreillynet.com/pub/a/wireless/2003/08/08/wireless_throughput.html.

Figu r e 1 4 - 1 . Ba sic ove r vie w of pr ot e ct ion m e ch a n ism

To ensure t hat t he prot ect ion fram es are received and processed by all st at ions on t he net work, prot ect ion fram es are t ransm it t ed using 802.11b rules. They m ay be t ransm it t ed using phase shift keying at 1 Mbps or 2 Mbps, or CCK at 5.5 Mbps or 11 Mbps. Any 802.11b st at ion will be able t o underst and t hese m odulat ions, and can updat e it s virt ual carrier sense accordingly. Figure 14- 1 shows t his by labeling t he t ransm ission m odulat ion, and only showing t he com pat ible m odulat ions as received by an 802.11b st at ion.

Only t he prot ect ion fram es are required t o be t ransm it t ed at t he 802.11bcom pat ible dat a rat es. Prot ect ion does not require 802.11g st at ions t o use a slower dat a rat e for t he payload dat a, as is com m only assert ed.

Prot ect ion is act ivat ed whenever t here is a need t o ensure 802.11g st at ions do not int erfere wit h 802.11b st at ions. One obvious case in which t his happens is when an 802.11b st at ion associat es wit h an AP. All t he 802.11g st at ions associat ed wit h t he AP will t hen st art using prot ect ion t o ensure t hat t he 802.11b st at ion does not suffer from or cause int erference. Prot ect ion is also act ivat ed in t he less obvious case of a co- channel AP wit h 802.11b- only t raffic. Because t he t wo co- channel APs share t he sam e physical m edium , an 802.11b st at ion using t he sam e channel on a different AP also t riggers prot ect ion. Prot ect ion is cont rolled t hrough t he ERP inform at ion elem ent in Beacon fram es. 802.11g adds a Use Prot ect ion bit in t o an inform at ion elem ent in t he Beacon. When t he bit is set , st at ions m ust use prot ect ion. When a non- 802.11g- capable st at ion associat es t o a wireless LAN, t he prot ect ion bit will be set . The st at ion responsible for sending t he Beacon is also responsible for deciding whet her t o act ivat e prot ect ion. I n infrast ruct ure net works, t he prot ect ion act ivat ion is handled by t he access point s; in independent net works, it is t he Beacon generat or. Prot ect ion is act ivat ed when a non802.11g st at ion associat es wit h t he net work, as well as when non- 802.11g- capable st at ions are t ransm it t ing in t he area. Non- 802.11g- capable st at ions m ay be deduced by t he recept ion of a m anagem ent fram es, including Beacons and Probe Responses, from an overlapping net work t hat does not indicat e t he dat a rat es support ed by 802.11g. Beacons in 802.11g net works can also cont rol t he pream ble lengt h for prot ect ion purposes. I n t he ERP inform at ion elem ent , t he Barker Pream ble Mode bit can be used t o t ell associat ed st at ions whet her t o use t he long pream ble or short pream ble. I f all t he st at ions associat ed t o a net work are capable of short pream bles, t he Barker Pream ble Mode bit will be set t o zero, and all st at ions will use short pream bles for efficiency. Once a st at ion t hat is not capable of short pream bles associat es wit h t he net work, however, t he bit will be set t o one, and all prot ect ion fram es will use long pream bles. As wit h m ost ot her t echnology t hat is required t o be backwards com pat ible, 802.11g can suffer for it . I f prot ect ion is not enabled, 802.11a and 802.11g t hroughput is ident ical. Once prot ect ion is act ivat ed, however, m y calculat ions showed it t o be very roughly 50% , depending on t he rat io of TCP dat a segm ent s t o TCP ACKs. Transm it t ing a full- size 1,500 byt e Et hernet fram e over 802.11 requires 428 m icroseconds for bot h t he fram e and t he 802.11 acknowledgm ent . When CTS- t o- self prot ect ion is used, t he t ransm ission t im e j um ps t o 557 m icroseconds; RTS/ CTS adds furt her bloat , and requires 774 m icroseconds for t he sam e t ransm ission. Avoiding t he need for prot ect ion is one of t he reasons t hat m any 802.11g access point s offer t he abilit y t o accept associat ions from 802.11g- capable st at ions only. By shunning st at ions t hat are not capable of 802.11g speeds, t here is an increased probabilit y t hat prot ect ion can rem ain disabled. Of course, a st at ion t hat is shunned m ay very well find a different net work t hat can accom m odat e it on t he sam e channel, which would st ill t rigger t he act ivat ion of prot ect ion. Alt hough 802.11a and 802.11g are capable of t he sam e speed, t he ext ra t ransm ission t im e required for prot ect ion m ay cut payload dat a t hroughput by half.

Prot ect ion is not required for t he ERP- PBCC and DSSS- OFDM physical layers. As shown in Figure 142, bot h of t hem begin wit h an 802.11b- com pat ible header, and t herefore t he virt ual carrier sense and NAV are updat ed wit hout needing t o send ext ra fram es. An 802.11b st at ion will receive t he header and updat e t he virt ual carrier sensing m echanism based on t he cont ent s of t he header. No t ransm issions will be allowed unt il t he m edium lock expires. Alt hough t he 802.11b st at ion cannot

det ect t he body of t he fram e, it is prevent ed from int erference by t he header. There is a cost t o using ERP- PBCC or DSSS- OFDM. I n a sense, t hey are always using prot ect ion because t hey use a m uch slower header. Bot h ERP- PBCC and DSSS- OFDM have, at m inim um , 96 m icrosecond headers t hat can never be dropped. I n cont rast , t he com m on ERP- OFDM m ode m ust use t he sam e header on a CTS fram e t hat t akes 107 m icroseconds t o t ransm it , plus a 10 m icrosecond SI FS gap. However, ERPOFDM needs t o pay t he penalt y only when prot ect ion is required, while t he opt ional m odes always need t o suffer t he hit .

Figu r e 1 4 - 2 . ERP- PBCC a n d D SSS- OFD M fr a m e for m a t

ERP Physical Layer Convergence (PLCP) The ERP PHY's convergence layer is quit e com plicat ed. Due t o t he plet hora of operat ional m odes, t here are a num ber of different ways t hat fram es will be bundled up for t ransm ission by t he radio int erface. Each of t he m odes described at t he st art of t he chapt er has it s own physical layer fram ing .

ERP-OFDM Framing This m ode is t he m eat of t he specificat ion. All st at ions are required t o im plem ent it , and it is what is colloquially m eant by " 802.11g support " because m ost st at ions default t o using it . I n pract ice, underst anding ERP- OFDM physical fram ing will provide you wit h t he underst anding of m ost 802.11g t ransm issions in t he air. The form at of t he ERP- OFDM fram e at t he physical layer, shown in Figure 14- 3, is nearly ident ical t o 802.11a. ERP- OFDM uses an ident ical logical prot ocol dat a unit , shown as t he t op line of t he figure. I n fact , t he only m aj or difference from 802.11a is t hat t he fram e is followed by a six m icrosecond idle t im e called t he signal ext ension , which is shown in t he second line of t he figure, where t he logical const ruct ion is assem bled for t ransm ission. The reason for t he ext ra 6 m s is t o m ake t im ing calculat ions and fram e rat es ident ical t o 802.11a. 802.11a uses a 16 m s SI FS t im e, which is used in part t o finish decoding t he previous fram e. For backwards com pat ibilit y, 802.11g uses t he 10 m s idle t im e used by 802.11b. To provide enough t im e for t he decoding process t o finish, 802.11g adds 6 m s idle t im e t o t he end of t he fram e, leaving a 16 m s gap for t he hardware t o run it s decode process. Of course, t he NAV is set so t hat t he virt ual carrier sense m echanism report s t he m edium idle aft er t he signal ext ension period com plet es. I n t he lower line, t he OFDM t ransm issions are shown. I t is ident ical t o 802.11a.

Single-Carrier Framing with 802.11g Alt hough t he OFDM m odulat ion discussed in t he previous sect ion is by far t he m ost com m on, it is also possible t o use 802.11b- com pat ible fram ing direct ly around t he higher speed body. Tradit ional fram ing is used wit h bot h t he packet binary convolut ion coding and t he DSSS- OFDM layer. Because older 802.11b st at ions can read t he fram e header, t hey can avoid using t he m edium during t ransm ission and do not require prot ect ion. Figure 14- 4 shows t he use of t radit ional single- carrier fram ing in 802.11g.

Pream ble The Pream ble is ident ical t o t he 802.11b pream ble discussed in Chapt er 12, and consist s of a synchronizat ion field followed by a st art of fram e delim it er. I t m ay be eit her t he long pream ble of 144 bit s or t he short pream ble of 72 bit s. I n eit her case, t he Pream ble is t ransm it t ed at 1 Mbps using DBPSK m odulat ion. Before m odulat ion, t he dat a is scram bled j ust as it is in 802.11b.

Figu r e 1 4 - 3 . ERP- OFD M PLCP fr a m e for m a t

Figu r e 1 4 - 4 . Lon g pr e a m ble ERP PLCP fr a m e for m a t

PLCP Header The PLCP header is ident ical t o t he PLCP header discussed in Chapt er 12. I t consist s of t he Signal field, Service field, a Lengt h field, and a PLCP- layer CRC check. The Lengt h and CRC fields are ident ical t o t he 802.11b int erpret at ion.

Signal field This field is used t o show t he rat e at which t he PLCP payload ( t he MAC fram e) is m odulat ed. I nit ially, it was defined as t he m ult iplier of 100 kbps t hat would result in t he encoding rat e. Wit h t he field defined as only eight bit s, it would lim it t he encoding speed t o 25.5 Mbps. To accom m odat e increased speeds, t he Signal field consist s of a label t hat describes t he speed, as shown in Table 14- 1 . The signal field is not needed t o t ell t he receiver what t he encoding rat e of a DSSS- OFDM fram e is because t here is a separat e OFDM header t o perform t hat t ask.

Ta ble 1 4 - 1 . Va lu e of t h e SI GN AL fie ld in t h e sin gle - ca r r ie r fr a m e h e a de r Spe e d

Sign a l fie ld va lu e ( h e x / bin a r y)

Sign a l fie ld va lu e , de cim a l

1 Mbps ( ERP- DSSS)

0x0A ( 0000 1010)

10

2 Mbps ( ERP- DSSS)

0x14 ( 0001 0100)

20

5.5 Mbps ( ERP- CCK, ERPPBCC)

0x37 ( 0011 0111)

55

11 Mbps ( ERP- CCK, ERPPBCC)

0x6E ( 0110 1110)

110

22 Mbps ( ERP- PBCC)

0xDC ( 1101 1100)

220

33 Mbps ( ERP- PBCC)

0x21 ( 0010 0001)

33

Any DSSS- OFDM speed

0x1E ( 0001 1110)

30

Service field The service field, shown in Figure 14- 5, cont ains cont rol bit s t o help t he receiver decode t he fram e. As discussed previously, bit s 0, 1, and 4 are reserved and m ust be set t o zero. I n all 802.11g st at ions, t he t ransm it and sym bol clocks are locked, so bit 2 is always set t o 1. Bit 3 is set when t he fram e body is m odulat ed wit h PBCC, and set t o zero for DSSS, CCK, and DSSSOFDM m odulat ions. The last t hree lengt h ext ension bit s are used t o assist receivers in det erm ining t he fram e lengt h in byt es from t he Lengt h field, which is expressed in t erm s of t he num ber of m icroseconds required for t ransm ission. The st andards have a com plicat ed set of rules for when t he bit s m ust be set , but t hey are beyond t he level of det ail required for t his book, especially since t he single- carrier fram ing t echnique is uncom m on.

Figu r e 1 4 - 5 . 8 0 2 .1 1 g SERVI CE fie ld

Fram e Body The final com ponent of t he PLCP fram e is it s payload, which is t he MAC fram e, m odulat ed eit her by PBCC or OFDM. Det ails of t he fram e body m odulat ion will be discussed in subsequent sect ions.

PBCC coding

To t ransm it a fram e using PBCC, t he fram e dat a is first run t hrough a convolut ional code. The fram e is broken int o 2- bit elem ent s, and are used as input int o a convolut ional code t hat out put s t hree bit s. Each 3- bit block is m apped on t o a sym bol using 8PSK. Receivers will reverse t he process, t ranslat ing a single phase shift int o one of eight sym bols. Aft er t ranslat ing t he sym bol t o a t hree- bit sequence, t he convolut ional code is used t o rem ove t he redundant bit and recover t he original dat a. See Figure 14- 6 .

Figu r e 1 4 - 6 . PBCC pr oce ssin g

Achieving a 22 Mbps dat a rat e wit h t his physical encoding is st raight forward. The sym bol clock cont inues t o run at 11 MHz, j ust as in 802.11b, but each sym bol is now capable of t ransm it t ing t wo bit s. To run at 33 Mbps, t he sym bol rat e for t he dat a port ion of t he fram e m ust be increased t o 16.5 MHz. At t wo bit s per sym bol, t he overall dat a rat e is 33 Mbps. Clock speed swit ching m ust occur bet ween t he PLCP pream ble and it s payload.

DSSS-OFDM framing DSSS- OFDM is a hybrid fram ing t echnique. The higher- layer packet is encoded wit h OFDM, and t he OFDM- m odulat ed packet is fram ed wit h a t radit ional- single carrier header, as shown in Figure 14- 7. Headers are t ransm it t ed in accord wit h 802.11b ( including t he dat a scram bler used by 802.11b) , but t he fram e body is m odulat ed using OFDM, in a process ident ical t o t he encoding used in 802.11 and described in Chapt er 13. Alt hough sim ilar t o t he encoding in 802.11a, t he DSSS- OFDM fram ing elim inat es t he init ial short t raining sequences. I t also adds a 6 m s signal ext ension field t o allow t he convolut ion decode ext ra t im e t o finish. The t ransit ion from direct sequence m odulat ion t o OFDM t hat occurs at t he end of t he PLCP header is som ewhat com plex from a radio engineering point of view, but is beyond t he scope of t his book.

ERP Physical Medium Dependent (PMD) Layer Once t he PLCP fram e is ready for t ransm ission, it is dispat ched t o t he Physical Medium Dependent ( PMD) layer. The PMD is responsible for t aking t he dat a and sending it out t he ant enna. Due t o t he wide variet y of m odulat ion schem es t hat m ight be used, an 802.11g t ransceiver m ust im plem ent several different t ransm ission m odes, eit her wholly or part ially, and swit ch bet ween t hem as needed. Som e funct ions, however, are shared by all t ransceivers regardless of operat ing m ode.

Sidebar 3.1. Atheros "Super G" Extensions Alt hough t he speed has increased dram at ically in t he past several years, wireless net works are st ill not fast . Under opt im um condit ions, a st andards- based wireless net work can achieve about 30 Mbps. I n t he race t o get t he highest num ber possible on t he side of t he box, nearly all chipset m anufact urers have im plem ent ed ext ended funct ions t o increase speed. By far, t he m ost not able ( or not orious) was At heros' Super G enhancem ent s, wit h t hree good feat ures, and one t hat has drawn a great deal of fire.

Block acknowledgm ent ( also called fram e burst ing) I n t he st andard 802.11 radio link m anagem ent schem e, every dat a fram e m ust be followed by an acknowledgm ent , aft er which t he st at ion m ust re- cont end for t he m edium . Block acknowledgm ent s allow a st at ion t o t ransm it several fram es, separat ed only by t he short int erfram e space so t here is no cont ent ion for t he m edium . The sequence is t hen followed by a single block acknowledgm ent . Block acknowledgm ent developed according t o t he current 802.11e draft s is generally int eroperable bet ween vendors.

Packet clust ering The 802.11 fram e can hold m uch m ore dat a t han a st andard 1,500 byt e Et hernet size fram e. Using t he full payload size im proves t he payload- t o- overhead rat io, and increases speed.

Hardware dat a com pression By com pressing dat a prior t o t ransm ission, it requires less t im e t o t ransm it and gives an effect ive t hroughput increase t o t he link. Hardware com pression is m ost effect ive when t here is redundant dat a, such as uncom pressed t ext . I t is not as effect ive when t ransm it t ing com pressed im ages.

Channel bonding ( also called " t urbo m ode" ) I nst ead of using a single 22 MHz channel, t he bonding feat ure doubles t he bandwidt h. Wit h m ore spect rum t o spread t he signal over, a higher num ber of bit s can be pushed t hrough t he now- wider channel. To ensure t hat t he wider bandwidt h st ays wit hin regulat ory lim it s, channel bonding is rest rict ed in som e product s t o operat e in t he m iddle of t he band on channel 6. By far t he m ost cont roversial feat ure of t he Super G feat ure set is t he channel bonding. I n lat e 2003, Broadcom accused Super G of int erfering wit h regular 802.11g t ransm issions, and had a privat e dem onst rat ion at Com dex. ( I was barred from observing.) Lat er t est s revealed som e int erference, but found t hat Broadcom 's chipset s were m ore suscept ible t o degredat ion t han t hose of ot her vendors. At heros has im plem ent ed a m ode which m onit ors for st andard 802.11g t ransm issions, and refrains from using channel bonding if ot her net works are present . The m ain lesson is t hat any channel bonding feat ure is likely t o increase int erference by sucking up m ore of t he available scarce spect rum . Spect rum - hungry t ransm issions m odes are unsuit able for use in a large area requiring m ult iple access point s because t hey cut t he num ber of available channels from an already- t oo- low t hree t o one. Deploy a channel bonding device in your hom e, but keep it off your com pany's net work.

Figu r e 1 4 - 7 . D SSS- OFD M fr a m e for m a t

Clear Channel Assessment (CCA) Only one CCA m ode is defined for 802.11g, which com bines a m inim um energy t hreshold wit h t he abilit y t o decode a signal. Energy det ect ion is based on receiving a valid signal at t he st art of a t ransm ission slot wit h a signal power of - 76 dBm or great er. As a perform ance requirem ent , wit hin a specified window, t he PHY should have a high probabilit y of correct ly report ing t he m edium busy. Bot h t he t im e window and t he probabilit y are shown in Table 14- 2 .

Ta ble 1 4 - 2 . 8 0 2 .1 1 g CCA pe r for m a n ce r e qu ir e m e n t s Lon g slot ( 2 0 m s)

Sh or t slot ( 9 m s)

CCA t im e

15 m s

4 m s

Det ect ion probabilit y

> 99%

> 90%

CCA is int egrat ed wit h a PLCP- level virt ual carrier sense. When a PLCP header is received, it will include a lengt h field t hat indicat es t he am ount of t im e t he m edium will be busy. The physical layer will cont inue t o report t he m edium busy for t hat t im e period, even if t he physical signal is lost . ( Not e t hat t his is sim ilar in concept and operat ion t o t he Net work Allocat ion Vect or at t he MAC layer.) Part of t he reason for doing t his is t hat not all im plem ent at ions will support all t he t ransm ission m odes, so it is im port ant t hat t he physical layer correct ly avoids int erfering wit h t ransm issions it cannot dem odulat e.

Reception Procedure 802.11g st at ions have a m ore com plicat ed procedure for receiving fram es t han chips t hat im plem ent ot her st andards because of t he choice and backwards com pat ibilit y. When an incom ing fram e is det ect ed, an 802.11g st at ion will need t o det ect it and t hen dem odulat e it wit h t he correct physical layer.

1 . I s t he pream ble an OFDM pream ble ( like 802.11a) , or t he t radit ional single- carrier pream ble used by 802.11b? Fram es m odulat ed wit h OFDM will be processed exact ly t he sam e as 802.11a fram es, j ust received on a different frequency. 2 . I f t he fram e is not an OFDM fram e, it m ust decode t he pream ble, and find t he end of t he pream ble t o see t he PCLP SI GNAL and SERVI CE fields. 3 . By decoding t he PLCP header, t he appropriat e m odulat ion can be em ployed t o dem odulat e t he fram e body.

a . I f t he SERVI CE field indicat es t hat t he fram e is m odulat ed wit h PBCC, t he PBCC recept ion procedures will be t riggered. b. I f t he SERVI CE field doesn't indicat e t he presence of PBCC, t he dat a rat e is checked. Dat a rat es of 1 and 2 Mbps are processed wit h t he DSSS recept ion algorit hm , and dat a rat es of 5.5 Mbps and 11 Mbps are processed according t o t he CCK recept ion algorit hm ; bot h are described in Chapt er 12. c. I f t he SI GNAL field indicat es a speed of 3 Mbps, DSSS- OFDM recept ion is used. I t will swit ch t he dem odulat or t o receiving OFDM at t he end of t he PCLP header.

Characteristics of the ERP PHY

802.11g has very sim ilar charact erist ics t o 802.11a, wit h one not able except ion. Alt hough each channel has sim ilar perform ance t o an 802.11a channel, t here are only t hree channels. I f each channel is run at t he highest dat a rat e and 50% efficiency, t he t ot al aggregat e t hroughput is only 81 Mbps. I t is a high num ber, but does not begin t o approach 802.11a.

Ta ble 1 4 - 3 . ERP PH Y pa r a m e t e r s Pa r a m e t e r

Va lu e

Maxim um MAC fram e lengt h

4,095 byt es

Slot t im e

20 m s 9 m s

N ot e s

I f t he net work consist s only of 802.11g st at ions, t he slot t im e m ay be short ened from t he 802.11b- com pat ible value t o t he short er value used in 802.11a.

SI FS t im e

10 m s

The SI FS is used t o derive t he value of t he ot her int erfram e spaces ( DI FS, PI FS, and EI FS) .

Signal ext ension t im e

6 m s

Every 802.11g packet is followed by t he signal ext ension t im e.

Cont ent ion window size

15 or 31 t o 1,023 slot s

I f t he st at ion support s only 802.11b rat es, it will be 31 slot s for com pat ibilit y. Ot herwise, t he cont ent ion window m ay be short er.

Pream ble dur at ion

20 m s

Chapter 15. A Peek Ahead at 802.11n: MIMO-OFDM 802.11 t ask group N ( TGn) has an int erest ing goal. Most I EEE t ask groups focus on increasing t he peak t hroughput , m aking dat a fly as fast as possible during t he t im e it is being t ransm it t ed. TGn's goal is t o achieve 100 Mbps net t hroughput , aft er subt ract ing all t he overhead for prot ocol m anagem ent feat ures like pream bles, int erfram e spacing, and acknowledgm ent s. Alt hough t he goal is 100 Mbps net t hroughput , t he final proposal seem s cert ain t o blow past t hat num ber, and offer m any t im es t hat t hroughput in m axim um configurat ions. There are t wo roads t o 100 Mbps: im prove t he efficiency of t he MAC, increase t he peak dat a rat e well beyond 100 Mbpsor bot h. Six com plet e proposals were m ade t o t he group creat ing t he event ual 802.11n, but support has coalesced around t wo m ain proposals, from groups nam ed TGnSync and WWiSE ( short for " WorldWide Spect rum Efficiency" ) . Bot h cam ps have chip- m akers. At heros, Agere, Marvell, and I nt el are part of TGnSync; Airgo, Broadcom , Conexant , and Texas I nst rum ent s are t he core of WWiSE. However, quit e a few m anufact urers of elect ronic devices t hat m ight use 802.11 ( Cisco, Nokia, Nort el, Philips, Sam sung, Sanyo, Sony, and Toshiba) have also becom e part of t he effort , and t hey are disproport ionat ely represent ed in TGnSync. At a very high level, bot h proposals are sim ilar, t hough t hey differ in t he em phasis on increasing peak dat a rat es versus im proving efficiency. Each of t hem m akes use of m ult iple- input / m ult ipleout put ( MI MO) t echnology in several configurat ions and provides for backwards com pat ibilit y wit h inst alled syst em s in t he sam e frequency band. Bot h support operat ion in t he current 20 MHz channels, wit h provisions t o use double- widt h 40 MHz channels for ext ra t hroughput . As t he st andards war is fought across t he globe at I EEE m eet ings, a " pre- N" access point has already hit t he st reet s, based on Airgo's chipset . Purchasing it well before t he st andards process is underway is a roll of t he dice. When m ost " pre- G" product s were brought t o m arket , t he t ask group had begun t o work in earnest on a single proposal. TGn is current ly in t he " dueling proposal" st age right now, and t here is no guarant ee t hat an early device will be firm ware upgradeable t o t he final 802.11n st andard. 802.11n is likely t o be t he last chance t o st andardize a PHY t his decade. Developing a st andard is as m uch polit ical engineering as t echnical engineering. I EEE rules require t hat a proposal get a 75% superm aj orit y vot e before becom ing t he basis for a st andard. As t his book went t o press, TGnSync was garnering a clear m aj orit y of support , but was st ill falling short of t he necessary 75% . I expect t hat feat ures from com pet ing proposals will be incorporat ed int o t he working docum ent t o bring t he vot e count t o t he necessary level. As a result , t his chapt er describes bot h of t he m ain com pet ing proposals. Alt hough TGnSync will probably be t he basis for t he 802.11n specificat ion, som e horse t rading will likely result in a few WWiSE feat ures being incorporat ed. This chapt er describes bot h t he WWiSE and TGnSync proposals. The final st andard will have som e resem blance t o bot h of t hem , and will likely pick and choose feat ures from each. Fort unat ely, m any basic concept s are shared bet ween t he t wo. As you read t his, keep in m ind t hat t he proposals t hem selves m ay have changed quit e a bit since t he draft s upon which t his chapt er was based were writ t en.

Common Features Alt hough t he t wo proposals are different , t here is a great deal of sim ilarit y bet ween t he t wo. Pract ically speaking, som e feat ures are required t o reach t he goal of 100 Mbps t hroughput .

Multiple-Input/Multiple-Output (MIMO) Up unt il 2004, 802.11 int erfaces had a single ant enna. To be sure, som e int erfaces had t wo ant ennas in a diversit y configurat ion, but t he basis of diversit y is t hat t he " best " ant enna is select ed. I n diversit y configurat ions, only a single ant enna is used at any point . Alt hough t here m ay be t wo or m ore ant ennas, t here is only one set of com ponent s t o process t he signal, or RF chain . The receiver has a single input chain, and t he t ransm it t er has a single out put chain. The next st ep beyond diversit y is t o at t ach an RF chain t o each ant enna in t he syst em . This is t he basis of Mult iple- I nput / Mult iple- Out put ( MI MO) operat ion. [ * ] Each RF chain is capable of sim ult aneous recept ion or t ransm ission, which can dram at ically im prove t hroughput . Furt herm ore, sim ult aneous receiver processing has benefit s in resolving m ult ipat h int erference, and m ay im prove t he qualit y of t he received signal far beyond sim ple diversit y. Each RF chain and it s corresponding ant enna are responsible for t ransm it t ing a spat ial st ream . A single fram e can be broken up and m ult iplexed across m ult iple spat ial st ream s, which are reassem bled at t he receiver. Bot h t he WWiSE and TGnSync proposals em ploy MI MO t echnology t o boost t he dat a rat e, t hough t heir applicat ions differ. [*]

MIMO is pronounced "MyMoe." I attended a symposium in which a standards committee attendee described the standardization vote on the acronym's pronunciation.

MI MO ant enna configurat ions are oft en described wit h t he short hand " YxZ," where Y and Z are int egers, used t o refer t o t he num ber of t ransm it t er ant ennas and t he num ber of receiver ant ennas. For exam ple, bot h WWiSE and TGnSync require 2x2 operat ion, which has t wo t ransm it chains, t wo receive chains, and t wo spat ial st ream s m ult iplexed across t he radio link. Bot h proposals also have addit ional required and opt ional m odes. I expect t hat t he com m on hardware configurat ions will have t wo RF chains on t he client side t o save cost and bat t ery power, while at least t hree RF chains will be used on m ost access point s. This configurat ion would use 2x3 MI MO for it s uplink, and 3x2 MI MO on t he downlink.

Channel Width 802.11a current ly uses 20 MHz channels because t hat is t he channel bandwidt h allowed by all regulat ors worldwide. Doubling t he channel bandwidt h t o 40 MHz doubles t he t heoret ical inform at ion capacit y of t he channel. Alt hough prom ising for t he fut ure, som e regulat ors do not current ly allow 40 MHz operat ion. Japan is t he m ost not able except ion.

MAC Efficiency Enhancements As t his book has repeat edly point ed out , t he efficiency of t he 802.11 MAC is oft en poor. I n m ost

usage scenarios, it is very difficult t o exceed 50- 60% of t he nom inal bit rat e of t he underlying physical layer. Every fram e t o be t ransm it t ed requires a physical- layer fram e header, as well as t he pure overhead of pream ble t ransm ission. The 802.11 MAC adds furt her overhead by requiring t hat each fram e be acknowledged. Overhead is part icular bad for sm all fram es, when t he overhead t akes m ore t im e t han t he fram e dat a it self. Figure 15- 1 shows t he efficiency, defined as t he percent age of t he nom inal bit rat e devot ed t o MAC payload dat a, for a variet y of fram e sizes. The values in t he figure are exclusively for MAC payload dat a. Any net work m easurem ent would require addit ional LLC dat a, and net works t hat are encrypt ed would have addit ional overhead byt es. Furt herm ore, m ost net work prot ocols provide t heir own acknowledgm ent facilit ies, which furt her reduces real- world efficiency. The point of Figure 15- 1 is t hat sm all fram es have part icularly poor efficiency. Bot h TGnSync and WWiSE adopt t echniques t o im prove t he efficiency of t he radio channel. Concept s are sim ilar, but t he det ails differ. Bot h offer som e form of block ACKs ( som et im es called fram e burst ing) . By rem oving t he need for one acknowledgm ent fram e for every dat a fram e, t he am ount of overhead required for t he ACK fram es, as well as pream ble and fram ing, is reduced. Block acknowledgm ent s are helpful, but only if all t he fram es in a burst can be delivered wit hout a problem . Missing one fram e in t he block or losing t he acknowledgm ent it self carries a st eep penalt y in prot ocol operat ions because t he ent ire block m ust be ret ransm it t ed.

Figu r e 1 5 - 1 . M AC Efficie n cy

Fram e aggregat ion is also part of bot h proposals. Many of t he packet s carried by 802.11 are sm all. I nt eract ive net work sessions, such as t elnet and SSH, m ake heavy use of rapid- fire sm all packet s. Sm all packet s becom e sm all fram es, each of which requires physical- layer fram ing and overhead. Com bining several sm all packet s int o a single relat ively large fram e im proves t he dat a- t o- overhead rat io. Fram e aggregat ion is oft en used wit h MAC header com pression, since t he MAC header on m ult iple fram es t o t he sam e dest inat ion is quit e sim ilar.

WWiSE The WWiSE consort ium includes several well- known chipm akers: Airgo ( t he m anufact urer of t he first " pre- N" devices on t he m arket ) , Broadcom , Conexant , and Texas I nst rum ent s. Mot orola j oined t he consort ium in February 2005, j ust as t his book headed t o press.

MAC Enhancements As would be expect ed from a nam e t out ing spect ral efficiency, WWiSE is m ore t he m ore heavily weight ed t owards im proving t he MAC efficiency of t he t wo proposals. To get t o 100 Mbps net payload t hroughput , 12,000 byt es ( 960,000 bit s) need t o be t ransm it t ed in 960 m icroseconds. WWiSE's PHY specificat ion has a 135 Mbps dat a rat e in a basic t wo- ant enna configurat ion wit h t wo dat a st ream s, which can m ove t he dat a in 711 m icroseconds. The rem aining 249 m icroseconds are used for pream bles, fram ing, int erfram e spacing, and t he single block acknowledgm ent .

Channels and radio modes WWiSE uses bot h 20 MHz and 40 MHz channels. 40 MHz operat ion m ay be t hrough a single 40 MHz channel, or t hrough a 20 MHz channel pair in which bot h channels are used sim ult aneously for dat a t ransm ission. One channel is designat ed as t he prim ary channel, and operat es norm ally. The secondary channel is used only for channel aggregat ion, and does not have st at ions associat ed on it . The secondary channel is used for " overflow" from t he prim ary; carrier sensing funct ions are perform ed only on t he prim ary channel. Alt hough t he use of t wo channels is really a physical layer operat ion, t here are som e housekeeping funct ions perform ed by t he MAC. A new inform at ion elem ent , t he Channel Set elem ent , is sent in t he prim ary channel Beacon fram es so t hat st at ions are inform ed of t he secondary channel in t he pair. Access point s also send Beacon fram es on t he secondary channel; unlike m ost Beacon operat ions, t hough, t he purpose is t o discourage client s from associat ing, or ot her devices from choosing t hat channel for operat ion. A secondary channel Beacon fram e is very sim ilar t o t he prim ary channel Beacon, but t he only support ed rat e is a m andat ory MI MO PHY rat e. To furt her discourage use of t he channel, it m ay also include t he cont ent ion- free inform at ion elem ent .

Protection Like 802.11g, t he new PHYs require enhanced prot ect ion m echanism s t o avoid int erfering wit h exist ing st at ions. Nat urally, t he prot ect ion m echanism s specified in 802.11g are adopt ed for operat ion of 2.4 GHz st at ions t hat m ay have t o avoid int erfering wit h older direct sequence or 802.11b equipm ent . When access point s det ect t he presence of older equipm ent , it will t rigger t he use of RTS- CTS or CTS- t o- self prot ect ion as described in Chapt er 14. However, addit ional prot ect ion m ay be required t o avoid having a MI MO st at ion t ransm it at a rat e not underst ood by 802.11a or 802.11g equipm ent . The WWiSE proposal cont ains an OFDM prot ect ion schem e t o allow MI MO st at ions t o appropriat ely set t he NAV on older OFDM st at ions. The prot ect ion m echanism is ident ical t o t he one described in Chapt er 14, but it t akes place using OFDM dat a rat es.

Finally, t he WWiSE proposal uses t wo bit s in t he ERP inform at ion elem ent in Beacon fram es t o indicat e whet her OFDM prot ect ion is needed. I n som e cases, OFDM prot ect ion m ay be needed t o assist an older 802.11g net work, but no prot ect ion is needed for 802.11b st at ions. Access point s m onit or t he radio link t o det erm ine if OFDM prot ect ion is needed. To assist st at ions using channel pairs, t hey also report on whet her a secondary channel is in use.

Aggregation, bursting, and acknowledgment The WWiSE proposal increases t he m axim um payload size from 2,304 byt es t o over 8,000 byt es. I ncreasing t he payload increases t he payload- t o- overhead and t he rat io can increase efficiency if t he larger fram es or burst s can be delivered successfully. Aggregat ion bundles m ult iple higher- level net work prot ocol packet s int o a single fram e. Each packet get s a subfram e header wit h source and dest inat ion addresses, and a lengt h t o delim it t he packet , as shown in Figure 15- 2. Aggregat ion can only be used when t he fram es bundled t oget her have t he sam e value for t he Address 1 field, which is t he receiver of t he fram e. Fram es from an access point in an infrast ruct ure net work use Address 1 as t he dest inat ion, so access point s can only aggregat e fram es bound for a single st at ion. A st at ion in an infrast ruct ure net work can, however, aggregat e fram es t o m ult iple dest inat ions. St at ion t ransm issions use t he Address 1 field for t he AP, since all fram es m ust be processed by t he AP prior t o reaching t he backbone net work. Upon aggregat ion, t he dest inat ion address is t he " next hop" processing st at ion, and t he source is t he creat or of t he fram e. Upon deaggregat ion, t he individual subfram es will be processed according t o t he sub- fram e headers. Due t o t he requirem ent t hat t he receiver address m ust be t he sam e, it is not possible t o aggregat e a m ixt ure of unicast , broadcast , and m ult icast dat a. The proposal cont ains no rules about when t o use aggregat ion.

Figu r e 1 5 - 2 . Aggr e ga t ion in W W iSE

Burst ing is a relat ed, but slight ly different concept . Fram e aggregat ion glues higher- layer prot ocol packet s t oget her for t ransm ission in larger lum ps. Burst ing does t he sam e at t he physical layer. Once a st at ion has invest ed a significant am ount of prot ocol overhead t o obt ain cont rol of t he channel, it can j ust keep on t ransm it t ing. One of t he advant ages of using m ult iple physical fram es, as opposed t o higher- layer fram es, is t hat each physical fram e has it s own source and dest inat ion. A fram e burst can consist of t raffic int ended for a variet y of different dest inat ion addresses. I n a fram e burst , t here are t wo addit ional int erfram e spaces defined, t he Zero I nt erfram e Space ( ZI FS) and t he Reduced I nt erfram e Space ( RI FS) . Successive fram es t hat use t he sam e t ransm it power m ay use t he ZI FS for im m ediat e t ransm ission. I f t he t ransm it power is changed bet ween fram es, t he RI FS m ay be used. The RI FS is short er t han ot her int erfram e spaces, t hough, so it allows a st at ion t o ret ain cont rol of t he channel. I n Figure 15- 3, t he first fram e cannot be aggregat ed, and is t ransm it t ed aft er t he

t ransm it t er gains cont rol of t he channel. Once it has gained cont rol, it can hold on as long as allowed. The second and t hird fram es use t he sam e t ransm ission power, and so are t ransm it t ed aft er t he zero int erfram e space. Addit ionally, t hey share t he Address 1 field and are t herefore bundled int o an aggregat e fram e. For t ransm ission of t he next fram e, power needs t o be changed, requiring t he use of t he reduced int erfram e space. The fourt h and fift h fram es can be aggregat ed, and are t ransm it t ed as a single aggregat e fram e. When t he queued dat a has been t ransm it t ed, t he st at ion relinquishes cont rol of t he channel.

Figu r e 1 5 - 3 . Bu r st in g in W W iSE

I n t he init ial version of t he 802.11 MAC, a posit ive acknowledgm ent was required for every unicast dat a fram e. WWiSE lift s t his rest rict ion, and allows for a m ore flexible acknowledgm ent policy. I n addit ion t o t he " norm al" policy, fram es can be t ransm it t ed wit hout an acknowledgm ent requirem ent , or wit h block acknowledgm ent s inst ead.

The WWiSE MIMO PHY The WWiSE proposal is a slight evolut ion of 802.11a, using MI MO t echnology. The basic channel access m echanism s are ret ained, as is t he OFDM encoding. At a high level, t he WWiSE PHY is m ainly devot ed t o assigning bit s t o different ant ennas.

Structure of an operating channel Like 802.11a, t he radio channel is divided int o 0.3125 MHz subcarriers. As in t he 802.11a channel subdivisions, a 20 MHz channel in t he WWiSE proposal is divided int o 56 subcarriers. 40 MHz channels, which are opt ional, are divided int o 112 subcarriers. I n addit ion t o being opt ional, 40 MHz channels are only support ed in t he 5 GHz band because it is not possible t o squeeze m ult iple 40 MHz channels int o t he I SM band. ( And if you t hought net work layout was hard wit h t hree channels, wait unt il you t ry wit h t wo! ) Figure 15- 4 shows t he st ruct ure of bot h t he 20 MHz and 40 MHz operat ing channels in t he WWiSE proposal. As in 802.11a, subcarriers are set aside as pilot s t o m onit or t he perform ance of t he radio link. Fewer pilot carriers are needed in a MI MO syst em because t he pilot carriers run t hrough as m any receiver chains. A 20 MHz 802.11a channel uses four pilot

Figu r e 1 5 - 4 . W W iSE pilot ca r r ie r st r u ct u r e

subcarriers. I n t he WWiSE proposal, a 20 MHz channel requires only t wo pilot carriers because each pilot is processed by t wo receiver chains, which has t he sam e effect as four pilot s processed by a single receiver chain. Wit h fewer pilot s, m ore subcarriers can be devot ed t o carrying dat a. 20 MHz WWiSE channels have 54 dat a subcarriers; 40 MHz channels have exact ly t wice as m any at 108.

Modulation and encoding The WWiSE proposal does not require new m odulat ion rat es. I t uses 16- QAM ( 4 bit ) and 64- QAM ( 6 bit ) m odulat ion ext ensively, but does not require finer- grained m odulat ion const ellat ions. Coding is enhanced, however. A new convolut ional code rat e of 5/ 6 is added. Like t he 2/ 3 and 3/ 4 code rat es defined by 802.11a, t he 5/ 6 code is defined by punct uring t he out put t o obt ain a higher code rat e. WWiSE also defines t he use of a low densit y parit y check ( LDPC) code.

Interleaver I n 802.11a, t he int erleaver is responsible for assigning bit s t o subcarriers. MI MO int erleavers are m ore com plex because t hey m ust assign bit s t o a spat ial st ream in addit ion t o assigning bit s t o posit ions on t he channel it self. The WWiSE int erleaver t akes bit s from t he forward error coder and cycles t hrough each spat ial st ream . The first bit is assigned t o t he first spat ial st ream , t he second bit is assigned t o t he second spat ial st ream , and so on. The int erleaver is also responsible for scram bling t he encoded bit s wit hin each spat ial st ream .

Space-time block coding I n m ost cases, an ant enna will be used for each spat ial st ream . However, t here m ay be cases when t he num ber of ant ennas is great er t han t he num ber of spat ial st ream s. I f, for exam ple, m ost APs wind up using t hree ant ennas while client s only use t wo, t here is an " ext ra" t ransm it ant enna, and t he t wo spat ial dat a st ream s need t o be assigned t o t he t hree ant ennas. Transm it t ing a single spat ial st ream across m ult iple ant ennas is called space- t im e block coding ( STBC) . The basic rule for split t ing a spat ial st ream across m ult iple ant ennas is t o t ransm it t wo relat ed st ream s on different ant ennas. As discussed in Chapt er 13 on 802.11a, t he radio wave is com posed of in- phase and quadrat ure com ponent s, where t he quadrat ure wave is a quart er- cycle out of phase wit h t he in- phase com ponent . Phase shift s are represent ed m at hem at ically by t he im aginary part of t he com plex num ber in t he const ellat ion. The com plex conj ugat e of a com plex num ber has t he sam e real part , but flips t he sign on t he im aginary part . Physically, t he radio wave from t he com plex conj ugat e will have t he sam e in- phase com ponent , but t he quadrat ure com ponent will have t he

oppose phase shift . When t here are ext ra ant ennas, t he WWiSE proposal m andat es t hat a spat ial st ream and it s com plex conj ugat e are t ransm it t ed on an ant enna pair. Table 15- 1 reviews t he rules. The rules for split t ing spat ial st ream s are independent of t he channel bandwidt h, alt hough 40 MHz spat ial st ream s will carry m ore bit s.

Ta ble 1 5 - 1 . W W iSE e n codin g r u le s w h e n a n t e n n a s ou t n u m be r spa t ia l st r e a m s Tr a n sm it antennas

Spa t ia l st r e a m s

Fir st spa t ia l st r e a m Se con d spa t ia l st r e a m

Th ir d spa t ia l st r e a m

2

1

Coded across ant ennas 1 and 2

N/ A

N/ A

3

2

Coded across ant ennas 1 and 2

Transm it t ed norm ally on t hird ant enna

N/ A

4

2

Coded across ant ennas 1 and 2

Coded across ant ennas 3 and 4

N/ A

4

3

Coded across ant ennas 1 and 2

Third ant enna

Fourt h ant enna

Modulation rates There are 24 dat a rat es defined by t he WWiSE PHY, wit h 49 different m odulat ion opt ions. Rat her t han t ake up a great deal of space in a t able, here is a basic form ula for t he dat a rat es: Dat a rat e ( Mbps) = 0.0675 x channel bandwidt h x num ber of spat ial st ream s x coded bit s per subcarrier x code rat e

Channel bandwidt h Eit her 20 for 20 MHz channels, or 40 for 40 MHz channels or channel pairs.

Num ber of spat ial st ream s The num ber of spat ial st ream s can be equal t o 1, 2, 3, or 4. I t m ust be less t han or equal t o t he num ber of t ransm ission ant ennas. Support for at least t wo spat ial st ream s is m andat ory.

Coded bit s per subcarrier I n m ost cases, t his will eit her be 6 for 64- QAM or 4 for 16- QAM. BPSK ( 1 coded bit per subcarrier) and QPSK ( 2 coded bit s per subcarrier) are only support ed in t he 20 MHz channel m ode wit h one spat ial st ream .

Code rat e The code rat e m ay be 1/ 2 or 3/ 4 when used wit h 16- QAM, and 2/ 3, 3/ 4, or 5/ 6 when used wit h 64- QAM. There m ay be m ult iple ways t o get t o t he sam e dat a rat e. As an exam ple, t here are four ways t o get 108 Mbps: Four spat ial st ream s in 20 MHz channels, using 16- QAM wit h R= 1/ 2. Two spat ial st ream s in 20 MHz channels, using 64- QAM wit h R= 2/ 3. One spat ial st ream in a 40 MHz channel, using 64- QAM wit h R= 2/ 3. Two spat ial st ream s in 40 MHz channels, using 16- QAM wit h R= 1/ 2. I n a basic m ode wit h a single spat ial st ream , channel capacit y is slight ly higher t han wit h 802.11a because fewer pilot carriers are used. Single- channel m odulat ion t ops out at 60.75 Mbps, rat her t han t he 54 Mbps in 802.11a. By using all t he highest t hroughput param et ers ( four 40 MHz spat ial st ream s, wit h 64- QAM and a 5/ 6 code) , t he WWiSE proposal has a m axim um t hroughput of 540 Mbps.

MIMO and transmission modes Previous 802.11 PHY specificat ions had fairly sim ple t ransm ission m odes. The WWiSE proposal has 14 t ransm ission m odes, depending on 3 it em s: The num ber of t ransm it ant ennas, not ed by xTX, where x is t he num ber of t ransm it ant ennas. I t ranges from 1 t o 4, alt hough a single ant enna is only support ed for 40 MHz channels. All 20 MHz channels m ust use at least t wo t ransm it ant ennas, t hough t hey m ay have only one spat ial st r eam . Whet her t he fram e is used in a greenfield ( GF) or m ixed m ode ( MM) environm ent . Mixed m ode t ransm issions use physical headers t hat are backwards- com pat ible wit h ot her OFDM PHYs, while greenfield t ransm issions use a fast er physical header. The channel bandwidt h, which m ay be 20 MHz or 40 MHz. Table 15- 2 shows t he result ing 14 t ransm ission m odes. There are several physical layer encodings defined for each of t hese m odes, and t hey will be discussed in t he PLCP sect ion. The num ber of act ive ant ennas is only loosely relat ed t o t he num ber of spat ial st ream s. A syst em operat ing in t he 4TX40MM m ode has four t ransm it ant ennas, but it m ay have t wo or t hree spat ial st ream s.

Ta ble 1 5 - 2 . W W iSE t r a n sm ission m ode s

Greenfield

2 0 M H x ch a n n e ls

4 0 M H z ch a n n e ls

2TX20GF

1TX40GF

3TX20GF

2TX40GF

4TX20GF

3TX40GF 4TX40GF

Mixed m ode

2TX20MM

1TX40MM

3TX20MM

2TX40MM

4TX20MM

3TX40MM 4TX40MM

WWiSE PLCP The PLCP m ust operat e in t wo m odes. I n Greenfield m ode, it operat es wit hout using backwardscom pat ible physical headers. Greenfield access is sim pler: it can operat e wit hout backwards com pat ibilit y. As a st art ing point , consider Figure 15- 5; it shows t he PLCP encapsulat ion in t he 1TX40GF, 2TX20GF, and 2TX40GF m odes.

Figu r e 1 5 - 5 . Gr e e n fie ld 1 TX4 0 a n d 2 TX2 0 / 2 TX4 0 m ode s

The fields in t he fram e are sim ilar in nam e and purpose t o all of t he ot her PLCP fram es discussed in t his book.

MI MO- OFDM PLCP Pream ble The pream ble consist s of well- known bit sequences t o help receivers lock on t o t he signal. Depending on t he t ransm ission m ode, t he pream ble m ay be split int o m ult iple part s. I t generally consist s of bot h short and long t raining sequences. I n t he WWiSE proposal, t he sam e pream ble is t ransm it t ed on all t he ant ennas, but wit h sm all t im e shift s relat ive t o t he ot hers. Figure 15- 5 shows t he t raining sequences used by t wo- ant enna t ransm ission m odes. Alt hough t he t raining sequences consist of different bit s, t he shift is t he sam e. Nat urally, t he single ant enna 40 MHz m ode would only have one act ive ant enna t ransm it t ing a pream ble.

SI GNAL- N The SI GNAL- N field cont ains inform at ion t hat helps t o decode t he dat a st ream . I t is always sent using QPSK, R= 1/ 2, and is not scram bled. I t cont ains inform at ion on t he num ber of spat ial st ream s, channel bandwidt h, m odulat ion, and coding, and a CRC. More det ail on t he SI GNAL- N field follows t his sect ion.

SERVI CE The SERVI CE field is ident ical t o it s usage in 802.11a. Unlike t he ot her com ponent s of t he PLCP header, it is t ransm it t ed in t he Dat a field of t he physical prot ocol unit at t he dat a rat e of t he em bedded MAC fram e. The first eight bit s are set t o 0. As wit h t he ot her physical layers, MAC fram es are scram bled before t ransm ission; t he first six bit s are set t o 0 t o init ialize t he scram bler. The rem aining nine bit s are reserved and m ust set t o 0 unt il t hey are adopt ed for fut ure use.

Dat a The final field is a sequence of four m icrosecond sym bols t hat carry t he dat a. Dat a bit s have six zero t ail bit s t o ram p down t he error correct ing code, and as m any pad bit s as are required t o have an even sym bol block size.

The SIGNAL-N field The SI GNAL- N field is used in all t ransm ission m odes. I t has inform at ion t o recover t he bit st ream from t he dat a sym bols. The SI GNAL- N field is shown in Figure 15- 6.

Figu r e 1 5 - 6 . W W iSE SI GN AL- N fie ld

CONFI G Six fields are grouped int o t he Configurat ion subfield.

NSS ( num ber of spat ial st ream s) Three bit s are used t o indicat e how m any spat ial st ream s are used. The value is zerobased, so it ranges from zero t o t hree.

NTX ( num ber of t ransm ission ant ennas) Three bit s are used t o indicat e how m any ant ennas are used t o carry t he num ber of spat ial st ream s. The value is zero- based, so it ranges from zero t o t hree.

BW ( bandwidt h) Two bit s carry t he channel bandwidt h. 20 MHz is represent ed by zero, and 40 MHz is represent ed by one.

CR ( code rat e) Three bit s indicat e t he code rat e. 1/ 2 is zero, 2/ 3 is one, 3/ 4 is t wo, and 5/ 6 is t hree.

CT ( code t ype) Two bit s indicat e t he t ype of code. Zero is a convolut ional code, and one is t he opt ional LDPC.

CON ( const ellat ion t ype) Three bit s indicat e t he t ype of const ellat ion: zero for BPSK, one for QPSK, t wo for 16QAM, and t hree for 64- QAM.

LENGTH A 13- bit ident ifier for t he num ber of byt es in t he payload of t he physical fram e. I t ranges from zero t o 8,191.

LPI ( Last PSDU indicat or)

When m ult iple physical fram es are sent in a burst , t he LPI bit is set on t he last one t o not ify ot her st at ions t hat t he burst is com ing t o an end.

CRC The CRC is calculat ed over all t he fields except for t he CRC and t he t ail bit s.

Tail Six bit s are used as t ail bit s t o ram p down t he convolut ional coder. I n t he ot her t ransfer m odes, shown in Figure 15- 7, t he pream ble is split int o chunks. I n bet ween t he chunks, t here m ay be Signal fields. SI GNAL- N fields are defined by t he 802.11n proposal and are only decoded by 802.11n st at ions; t he SI GNAL- MM field is used t o ret ain backwards com pat ibilit y in a m ixed m ode wit h older OFDM st at ions. I t is ident ical t o t he Signal field used by 802.11a, and is shown in Figure 13- 16.

Figu r e 1 5 - 7 . PLCP fr a m e for m a t for ot h e r t r a n sfe r m ode s

WWiSE PMD Figure 15- 8 shows t he basic layout of t he WWiSE t ransm it t er. I t is essent ially t he sam e as t he 802.11a t ransceiver, but it has m ult iple t ransm it chains. The int erleaver is responsible for dividing

coded bit s am ong t he different t ransm it chains and spat ial st ream s.

Figu r e 1 5 - 8 . W W iSE t r a n sce ive r

Sensit ivit y is specified by t he proposal, and it is ident ical t o what is required of 802.11a receivers. Table 15- 3 shows t he required sensit ivit y. The proposal does not have any adj acent channel rej ect ion requirem ent s.

Ta ble 1 5 - 3 . W W iSE r e ce ive r se n sit ivit y Con st e lla t ion Ra t e Se n sit ivit y ( dBm )

8 0 2 .1 1 a Se n sit ivit y ( dBm ) , for r e fe r e n ce

BPSK

1/ 2

- 82

- 82

BPSK

3/ 4

- 81

- 81

QPSK

1/ 2

- 79

- 79

QPSK

3/ 4

- 77

- 77

16- QAM

1/ 2

- 74

- 74

16- QAM

3/ 4

- 70

- 70

64- QAM

2/ 3

- 66

- 66

64- QAM

3/ 4

- 65

- 65

Con st e lla t ion Ra t e Se n sit ivit y ( dBm )

8 0 2 .1 1 a Se n sit ivit y ( dBm ) , for r e fe r e n ce

64- QAM

N/ A

5/ 6

- 64

Characteristics of the WWiSE PHY Param et ers specific t o t he WWiSE PHY are list ed in Table 15- 4 . Like t he ot her physical layers, it also incorporat es a num ber of param et ers t o adj ust for t he delay in various processing st ages in t he elect r onics.

Ta ble 1 5 - 4 . W W iSE M I M O PH Y pa r a m e t e r s Pa r a m e t e r

Va lu e

Maxim um MAC fram e lengt h

8,191 byt es

Slot t im e

9 m s

SI FS t im e

16 m s

RI FS t im e

2 m s

Cont ent ion window size

15 t o 1,023 slot s

Pream ble durat ion

16 m s

PLCP header durat ion

4 m s

Receiver sensit ivit y

- 64 t o - 82 dBm

N ot e s

The SI FS is used t o derive t he value of t he ot her int erfram e spaces ( DI FS, PI FS, and EI FS) .

Depends on speed of dat a t ransm ission

TGnSync The TGnSync consort ium is com posed of a wider array of com panies. I n addit ion t o t he chipm akers t hat one would expect t o find ( At heros, Agere, and I nt el, and Qualcom m ) , TGnSync not ably includes m anufact urers of ot her elect ronic devices. Net work equipm ent m anufact urers and even consum er elect ronics com panies are represent ed. One of t he goals of TGnSync is t o support new net worked devices in t he hom e; prom ot ional m at erials refer t o sending HDTV or DVD video st ream s across wireless net works. The goal of st ream ing video probably account s for som e of t he em phasis placed on high peak dat a rat es.

TGnSync MAC Enhancements Alt hough t he TGnSync proposal has a higher peak dat a rat e, t he group did not com plet ely neglect t he developm ent of MAC enhancem ent s t o im prove efficiency and operat ion. Efficiency is im proved t hrough t he developm ent of fram e aggregat ion and burst ing, as well as changes t o acknowledgm ent policies. Som e prot ect ion of older t ransm issions is perform ed at t he MAC layer. Not ably, several MAC enhancem ent s are designed t o save bat t ery power, which is likely a reflect ion of t he group's m em bership.

Channels, radio modes, and coexistence Alt hough som e regulat ors do not allow t hem , t he TGnSync proposal m akes 40 MHz channel support m andat ory. I f it were adopt ed wit hout change, a TGnSync chipset would support bot h 20 MHz and 40 MHz channels, even in regulat ory dom ains t hat did not allow t he lat t er channel bandwidt h. The TGnSync proposal also has MAC feat ures t hat enable t he use of net works wit h bot h 20 MHz- and 40 MHz- capable st at ions. When st at ions have large am ount s of dat a t o t ransm it , it is possible t o negot iat e a t em porary use of a wider channel before falling back t o 20 MHz operat ion. MAC operat ional m odes can also be classified based on t he t ypes of st at ions in t he net work. Pure m ode net works consist only of 802.11n st at ions. No prot ect ion is necessary t o account for older 802.11a and 802.11g st at ions. Alt ernat ively, TGnSync 802.11n devices m ay operat e in t he legacy m ode j ust like an 802.11a or 802.11g st at ion. Most operat ion, t hough, will be in m ixed m ode, where a TGnSync net work m ust co- exist wit h a legacy net work on t he sam e channel, and m ay accept associat ions from older 802.11a or 802.11g st at ions. Associat ion request s are handled different ly in each m ode. Pure m ode net works st ay pure by ignoring associat ion request s from older st at ions, and sending Beacon fram es wit h an inform at ion elem ent t hat direct s associat ed st at ions t o use only t he new 802.11n t ransm ission m odes. Pure m ode net works also t ransm it Beacon fram es using t he TGnSync high t hroughput PLCP, which m akes t hem unreadable by legacy devices. Mixed m ode access point s are visible t o legacy devices because t hey t ransm it Beacons using t he legacy form at . Mixed m ode is required t o coexist wit h older devices. ( I f t he experience of 802.11g deploym ent is any guide, m ost 802.11n devices are likely t o operat e in t he m ixed m ode for quit e som e t im e.) Mixed m ode is a broad classificat ion wit h several subdivisions. Mixed capable net works will allow associat ion from legacy devices, but do not divide t im e bet ween legacy and high- t hroughput t ransm issions.

Access point s in m anaged m ixed net works do act ively divide t he t im e bet ween high- t hroughput t ransm issions and legacy t ransm issions. Much like t he division bet ween t he cont ent ion- free period and t he cont ent ion period ( see Chapt er 9) , an AP operat ing in m anaged m ixed m ode will allow legacy st at ions t heir t im eslice, while using m echanism s sim ilar t o t he prot ect ion m echanism t o reserve som e t im eslice for MI MO st at ions only.

Aggregation and bursting I nit ial 802.11 st at ions t ypically send fram es in t he order t hey are received. For t hroughput purposes, it is highly desirable t o reorder fram es so t hat t hey can coalesce int o larger aggregat ed fram es. Aggregat ion in TGnSync is a MAC- layer funct ion t hat bundles several MAC fram es int o a single PLCP fram e for t ransm ission. Figure 15- 9 shows t he basic form at of a single physical- layer fram e cont aining several MAC layer fram es. Several MAC fram es are put int o t he sam e PLCP fram e, wit h an appropriat e delim it er bet ween t hem . The delim it er has a sm all reserved field, a lengt h field for t he following MAC fram e, a CRC t o prot ect t he delim it er, and a unique pat t ern t o assist in recovering individual fram es from t he aggregat e. MAC fram es are put int o t he aggregat e wit hout m odificat ion, and cont ain t he full header and MAC CRC. Even if one fram e out of an aggregat e is lost , it m ay be possible t o successfully receive all t he rem aining fram es.

Figu r e 1 5 - 9 . TGn Syn c fr a m e a ggr e ga t ion

Exchanging aggregat ed fram es is only possible once t he channel has been configured for it . Figure 15- 10 illust rat es t he process. The sender of an aggregat e, called t he init iat or, m ust send an I nit iat or Aggregat ion Cont rol ( I AC) fram e. I AC fram es work m uch like RTS fram es, but have addit ional fields t o assist wit h channel cont rol. I nit iat ors can request channel m easurem ent s, offer different t ypes of coding on t he aggregat e fram e, and accept aggregat es in t he ret urn direct ion. Upon receiving t he I AC, t he dest inat ion syst em , called t he responder , generat es a Responder Aggregat ion Cont rol ( RAC) fram e. RAC fram es work m uch like CTS fram es: t hey close t he loop by not ifying t he sender t hat an aggregat e will be accept ed, and finishing t he param et er negot iat ion. When aggregat e fram es are received, an acknowledgm ent is required. TGnSync defines a new acknowledgm ent t ype, t he BlockACK, which can be used t o acknowledge all t he MAC fram es cont ained in an aggregat e. To furt her im prove MAC efficiency, TGnSync defines a MAC header com pression algorit hm for use in

conj unct ion wit h aggregat e fram es. I t works in t he sam e m anner as Van Jacobsen header com pression on serial dial- up lines. Fram es bet ween t wo dest inat ions share m ost of t he fields in t he MAC header, m ost not ably t he MAC addresses inside t he packet . Therefore, a one- byt e Header I D ( HI D) is assigned t o a unique set of t he t hree MAC addresses inside a MAC fram e. The Header I D can also save t he Durat ion field, since t he aggregat e will have it s own Durat ion, as well as t he t wo byt es for QoS cont rol. When fram es are t ransm it t ed bet ween t he sam e sender

Figu r e 1 5 - 1 0 . TGn Syn c block a ck n ow le dgm e n t

and dest inat ion, rat her t han repeat ing t he sam e 22 byt es of header inform at ion, it is replaced by t he corresponding single byt e Header I D. Figure 15- 11 ( a) shows t he use of t he header com pression MAC fram es. First , a header fram e cont aining t he full header is t ransm it t ed, and a header I D is assigned. The header I D can be used t o reference t he prior full header by sending a single byt e t o reference previously- t ransm it t ed inform at ion about t he Durat ion, addressing, and QoS dat a. Figure 15- 11 ( b) illust rat es t he use of header com pression. Five fram es for t wo dest inat ions from t he MAC have been aggregat ed int o a single fram e for physical t ransm ission. Rat her t han t ransm it a com plet e header on each const it uent MAC fram e in t he aggregat e, t he syst em uses header com pression. There are t wo dest inat ions and t herefore t wo unique MAC headers. They are each t ransm it t ed and assigned a header I D num ber. The five dat a fram es following t he aggregat e each refer t o t he appropriat e header num ber. A header I D num ber is unique only wit hin t he cont ext of a single aggregat e fram e. Com pared t o t ransm it t ing full headers on all five fram es, t he overhead due t o MAC fram ing is cut by m ore t han half. Header com pression is useful when a single aggregat e cont ains m ult iple fram es bet ween t he sam e source and dest inat ion pair. However, t he benefit s of aggregat ion in TGnSync are not confined t o pairs. Single- receiver aggregat ion is required; an opt ional ext ension allows aggregat e fram es t o cont ain MAC fram es for m ult iple receivers, in which case t hey are called Mult iple Receiver Aggregat e ( MRA) fram es. I nside t he single t ransm it t ed aggregat e fram e, t here are m ult iple I nit iat or Access Cont rol fram es. Each I AC specifies an offset t o t ransm it t he response t o t he aggregat ed fram es, which will usually be a block acknowledgm ent response. To dist inguish m ult iple receiver aggregat e fram es from single- receiver aggregat e fram es, m ult iple- receiver fram es st art wit h a cont rol it em called t he Mult iple Receiver Aggregat e Descript or ( MRAD) . Figure 15- 12 shows t he operat ion of m ult iple- receiver aggregat ion. The init iat or's aggregat e fram e st art s wit h t he aggregat e descript or, and is followed by t he aggregat ed fram es for each dest inat ion. An I AC fram e is used t o divide t hem .

Figu r e 1 5 - 1 1 . TGn Syn c M AC h e a de r com pr e ssion

Figu r e 1 5 - 1 2 . TGn Syn c M RA

Protection As wit h all PHYs t hat have followed exist ing hardware on t o t he m arket , t he TGnSync proposal im plem ent s prot ect ion t o avoid having t he new PHY st ep on t ransm issions from t he old PHY.

Prot ect ion in t he TGnSync proposal can t ake one of t wo m ain form s. The first class is based on t he MAC's virt ual carrier sensing m echanism wit h t he net work allocat ion vect or. The second class is based on " spoofing," which uses t he exist ing PLCP header form at t o carry durat ion inform at ion. Each st at ion m ay m ake it s own det erm inat ion as t o t he appropriat e m echanism . Set t ing long NAV values t o prot ect t he durat ion of a fram e exchange is a sm all adapt at ion of t he 802.11g prot ect ion m echanism . At t he st art of a fram e exchange, t he RTS fram e will cont ain a NAV long enough t o prot ect t he ent ire fram e exchange. The RTS fram e is sent using a " legacy" rat e, and can be underst ood by exist ing OFDM receivers. I n response, t he t arget st at ion sends a CTS m essage back, also wit h a long NAV value. According t o t he basic access rules of t he MAC, ot her st at ions defer access t o t he m edium due t o t he RTS/ CTS clearing, and t he t wo st at ions are free t o exchange fram es at higher dat a rat es using m odulat ions t hat would not be underst ood by older st at ions. LongNAV int ervals m ay be t erm inat ed early by using a CF- End fram e. When t his prot ect ion is used for aggregat e fram es, t he RTS is replaced by an I nit iat or Access Cont rol ( I AC) fram e, and t he CTS is replaced by a Responder Access Cont rol ( RAC) fram e; t he principle of operat ion, however, rem ains ident ical. See Figure 15- 13.

Figu r e 1 5 - 1 3 . TGn Syn c pr ot e ct ion : Lon gN AV

The second class of prot ect ion is called " spoofing," and depends on set t ing t he lengt h field in t he PLCP header. TGnSync ret ains t he exist ing OFDM header described in Chapt er 13. Because it is ident ical t o t he 802.11a/ g form at , spoofing is effect ive wit h all st at ions. The OFDM PLCP header cont ains t wo num bers t hat are used by receivers t o det erm ine how long t he t ransm ission will t ake. The SI GNAL field, which is shown in Figure 13- 16, encodes bot h t he t ransm ission rat e for t he body and it s lengt h in bit s. St at ions decode t he signal field and divide t he num ber of bit s by t he rat e t o com e up wit h an approxim at e t ransm ission t im e. [ * ] To m axim ize t he am ount of t im e t hat can be spoofed, t he dat a rat e in t he legacy SI GNAL field is always set t o t he lowest possible value of six Mbps. [*]

There are some slight offsets to account for interframe spacing, but the concept remains identical.

I n pairwise spoofing, t wo st at ions will each send an incorrect lengt h and rat e so t hat older st at ions will be in receiving m ode for t he durat ion of t he current fram e and it s next response. Newer TGnSync st at ions ignore t he older SI GNAL field, and use an 802.11n SI GNAL field inst ead. Figure 15- 14 illust rat es pairwise spoofing. When Fram e 1 is t ransm it t ed, pairwise spoofing is used t o lengt hen t he receiving t im e of t he fram e t hrough t he end of Fram e 2. TGnSync st at ions will int erpret t he spoofing as a longer NAV, and will t herefore act as if t he NAV were set for t he durat ion of Fram e 2. Nat urally, a st at ion wit hin range of t he responder will be set t o t he receiving st at e; if, however, t here is a hidden node, t he NAV will prot ect t ransm ission over Fram e 2. 802.11a/ g st at ions will int erpret t he spoofed t im e as receiving t im e, even if t hey are out of range of t he second fram e. When Fram e 2 is t ransm it t ed, it also em ploys pairwise spoofing t o prot ect Fram e 2 and Fram e 3.

Figu r e 1 5 - 1 4 . TGn Syn c pr ot e ct ion : pa ir w ise spoofin g

I f a long lock- out period is needed for m ult iple responses t o a single fram e, single- ended spoofing m ay also be used. Wit h single- ended spoofing, t he first fram e in t he exchange uses spoofing t o prot ect t he ent ire exchange, allowing all t he responses t o com e in during t he prot ect ed period. Figure 15- 15 illust rat es single- ended spoofing wit h fram e aggregat ion. The first aggregat e fram e is a m ult iple- receiver aggregat e, allowing responses from t wo ot her st at ions. I t set s spoofed durat ion equal t o t he t im e expect ed for t he ent ire exchange. TGnSync st at ions will go int o receiving m ode for t he durat ion of t he first fram e, and t hen act as if t he NAV were set for t he spoofed durat ion. Legacy devices go int o receiving m ode for t he ent ire spoofed durat ion.

Figu r e 1 5 - 1 5 . TGn Syn c pr ot e ct ion : sin gle - e n de d spoofin g

Powersaving

TGnSync defines t he Tim ed Receive Mode Swit ching ( TRMS) prot ocol t o conserve energy and ext end bat t ery life. Tradit ional 802.11 powersaving works by com plet ely shut t ing down an int erface and requiring buffering at t he AP. I n single- input / single- out put radios, t here is only one RF chain t o shut down. Wit h MI MO syst em s, however, t here can be significant power savings by shut t ing down unused RF chains, but ret aining a single act ive chain t o m onit or t he radio link. The t wo st at es of t he syst em are called MI MO enabled for full receive capabilit y, and MI MO disabled when all but one RF chain is shut down. St at ions act ivat e TRMS power saving by including an inform at ion elem ent in t he associat ion request . The basic param et er in TRMS powersaving is t he hold t im e. Aft er a st at ion t ransm it s a fram e, it st ays awake for t he durat ion of t he hold t im e. Any t ransm it t ed fram e reset s t he hold t im er t o it s m axim um value. Set t ing t he hold t im e t o zero indicat es t hat t he st at ion will rem ain fully operat ional for one slot t im e before sleeping. I n infrast ruct ure net works, t he AP is responsible for m aint aining t he TRMS hold t im er for every st at ion. I f t he t im er elapses, t he AP m ust conclude it has ent ered t he MI MO disabled st at e, and t rigger it t o power on sleeping receive chains. I n an independent BSS, each st at ion m ust m aint ain a hold t im er for all t he ot her st at ions. The t im er is a t unable param et er. I f it is set t o a larger value, st at ions will use m ore power t o keep t he receiver fully operat ional. Throughput is likely t o be bet t er, but at t he cost of som e bat t ery life. I n som e cases, net work capacit y m ay not be affect ed m uch at all. Net works t hat use t he NAV lengt hening procedure for prot ect ion m ust t ransm it t he init ial RTS/ CTS exchange in single- ant enna m ode m anner com pat ible wit h all OFDM st at ions, and will cause st at ions t o enable MI MO operat ion wit hout addit ional fram es. Advanced t ransm ission m odes m ay suffer, however, because m any of t hem require m ult iant enna fram e exchanges t o becom e fully operat ional.

TGnSync PHY Enhancements To develop a higher peak dat a rat e, t he TGnSync proposal depends on t echnology sim ilar t o WWiSE. Fram es are divided int o spat ial st ream s t hat can be m ult iplexed across ant ennas in a MI MO configurat ion. More aggressive coding, including a larger const ellat ion, higher convolut ional code rat e, and a reduced guard int erval are present t o im prove t he dat a rat e. Wider channels are also required by TGnSync where support ed. Support for 40 MHz channels m ust be built in t o TGnSynccom pliant devices, whereas it is opt ional in WWiSE.

Structure of a channel Bot h 20 MHz and 40 MHz channels are divided int o 0.3125 MHz subcarriers, j ust as in 802.11a. The 20 MHz channel is ident ical t o an 802.11a channel, and is shown in Figure 15- 16 ( a) . The 40 MHz channel proposed in TGn Figure 15- 16 ( b) is a m odificat ion of t he 20 MHz st ruct ure. Two 20 MHz channels are bonded t oget her, and t he result ing spect ral band is divided int o 128 subchannels. The cent er frequencies of t he old 20 MHz channels are locat ed at + / - 32. The legacy channels apply a spect ral m ask from - 6 t o + 6 and roll off t he am plit ude of t ransm issions at t he end of t he bands. Wit h a single cont inuous channel, however, t here is no need t o use a spect ral m ask, and t he m iddle of t he band can be used at full st rengt h. Full- st rengt h t ransm issions in t he m iddle of t he band allow for eight new subcarriers. Using a single cont iguous 40 MHz block of spect rum reclaim s subcarriers t hat would have ot herwise been wast ed. Thus, in TGnSync, a 40 MHz channel provides t hroughput equal t o 2.25 t im es t he 20 MHz channel, rat her t han sim ply doubling t he t hroughput . To furt her boost t hroughput , one of t he pilot carriers from t he 20 MHz channel is rem oved, so a 40 MHz channel has 6 pilot carriers inst ead of 8.

Figu r e 1 5 - 1 6 . TGn Syn c ch a n n e l st r u ct u r e

Basic MIMO rates There are 32 m odulat ion and coding pairs defined by t he TGnSync PHY. I n t he basic MI MO m ode, every spat ial st ream m ust use an ident ical m odulat ion t echnique, so t he dat a rat e is sim ply a m ult iple of t he single spat ial st ream dat a rat e. Rat her t han t ake up a great deal of space in a t able, here is a basic form ula for t he dat a rat es: Dat a rat e ( Mbps) = 12 x channel bandwidt h fact or x num ber of spat ial st ream s x coded bit s per subcarrier x code rat e x guard int erval fact or

Channel bandwidt h fact or 20 MHz channels are t he baseline, and are assigned a channel bandwidt h fact or of 1. 40 MHz channels carry m ore t han t wice t he dat a, and are assigned a channel bandwidt h fact or of 2.25.

Num ber of spat ial st ream s The num ber of spat ial st ream s can be equal t o 1, 2, 3, or 4. I t m ust be less t han or equal t o t he num ber of t ransm ission ant ennas. Support for at least t wo spat ial st ream s is m andat ory.

Coded bit s per subcarrier This is eit her 6 for 64- QAM, 4 for 16- QAM, 2 for QPSK, or 1 for BPSK.

Code rat e The code rat e m ay be 1/ 2 when used wit h BPSK; 1/ 2 or 3/ 4 when used wit h QPSK or 16- QAM; or 2/ 3, 3/ 4, or 7/ 8 when used wit h 64- QAM.

Guard int erval fact or The basic guard int erval is 800 ns, and is assigned t he fact or 1. 400 ns guard int ervals increase t hroughput slight ly, and are assigned a fact or of 1.11. I n a basic m ode wit h a single spat ial st ream , channel capacit y is ident ical t o 802.11a, wit h t he except ion t hat a 7/ 8 rat e code m ay be used for a 63 Mbps dat a rat e. By using t he highest capacit y param et ers ( four 40 MHz channels, 64- QAM wit h a 7/ 8 code rat e, and t he short guard int erval) , t he TGnSync proposal has a m axim um t hroughput of 630 Mbps.

Transmit modes There are t hree MI MO m odes t hat t he TGnSync proposal calls for. I n t he m andat ory basic MI MO m ode, t he num ber of spat ial st ream s is equal t o t he num ber of ant ennas. Each spat ial st ream is m odulat ed and t ransm it t ed ident ically. Each channel is coded using t he sam e m odulat ion, and sent wit h t he sam e t ransm ission power. Any changes in t ransm ission rat e are based on t he im plicit feedback of lost acknowledgm ent s. Two opt ional m odes t ake advant age of inform at ion learned about t he radio channel, which is referred t o as " closed- loop" operat ion. TGnSync devices send " sounding" fram es t o each ot her t o m easure t he perform ance of t he link. Based on t he inform at ion gleaned from sounding and calibrat ion, beam form ing can be used t o boost signal qualit y. Higher signal qualit y m eans t hat a given dat a rat e can be used at longer range. For a given signal- t o- noise rat io, a beam form ed t ransm ission can carry m ore dat a. Beam form ing is an opt ional prot ocol feat ure. I t is unlikely t hat m ost client devices will be unable t o send beam form ed t ransm issions. However, client devices m ust be able t o receive beam form ed fram es t o receive t he benefit s. I n t he basic MI MO wit h beam form ing m ode, every channel m ust be coded t he sam e way. Before beginning t ransm ission, a sounding exchange is required t o calibrat e t he radio channel. Based on t he inform at ion from t he sounding exchange, t he power and coding for t he spat ial st ream s is select ed. Basic beam form ing m ode requires t hat all spat ial st ream s be t ransm it t ed at t he sam e power wit h t he sam e coding. Basic beam form ing can be used whenever t he num ber of spat ial st ream s is less t han or equal t o t he num ber of t ransm ission ant ennas, but it s signal processing advant ages are m ost evident when t he num ber of ant ennas t ransm it t ing a signal is great er t han t he num ber of receiving ant ennas. I f t he num ber of spat ial st ream s is less t han t he num ber of t ransm it ant ennas, a spat ial st eering m at rix is used t o assign bit s t o t ransm ission ant ennas. An opt ional advanced beam form ing MI MO ( ABF- MI MO) m ode is also defined. I t works in a m anner sim ilar t o t he basic beam form ing m ode, but wit h t he addit ional capabilit y of using different t ransm ission power on each t ransm it st ream , as well as t he possibilit y of using a different m odulat ion and code on each spat ial st ream . Like t he basic beam form ing m ode, it requires t he gat hering of radio st at us inform at ion t o calibrat e t he channel. An opt ional m ode in t he advanced beam form ing m ode allows beam form ing t o occur in bot h direct ions if it is support ed in bot h direct ions. The advanced beam form ing MI MO m ode also includes one new const ellat ion: 256- QAM, which t ransm it s 8 coded bit s per subcarrier. To obt ain t he t hroughput for t he advanced beam form ing m ode, use t he equat ion in t he previous sect ion for each spat ial st ream , and add t he spat ial st ream s t oget her. For 256- QAM, use 8 coded bit s per subcarrier. 256- QAM is only used wit h a rat e R= 3/ 4 code rat e.

Optional coding

I n addit ion t o t he convolut ional code support ed by t he original OFDM specificat ion, t he TGnSync proposal also includes t wo opt ional addit ional error correct ion codes. The first t echnique uses t he Reed- Solom on block code, which was developed in 1960. I t is widely used in m any digit al applicat ions, m ost not ably as t he error- correct ion code on CDs and DVDs. The TGnSync proposal com bines t he Reed- Solom on code wit h t he exist ing convolut ional code in a convent ional m anner. First , t he dat a st ream is encoded wit h t he Reed- Solom on code, and t hen t he out put of t hat encoding process is handed t o a convolut ional code. [ * ] Bot h codes have com plem ent ary propert ies. Convolut ional codes work by spreading errors out over t im e, and can deal wit h relat ively isolat ed errors; t he Reed- Solom on code works well at correct ing error burst s. An alt ernat ive t o t he ReedSolom on/ convolut ional com binat ion is a low- densit y parit y check ( LDPC) code. [*]

The combination of a block encoder followed by a convolutional encoder is especially popular, and has been used extensively by deep-space probes. Galileo, Cassini, the Mars Pathfinder, and the Mars Rover all used Reed-Solomon/convolutional code combinations.

Optional short guard interval To furt her im prove MAC efficiency, t he TGnSync proposal allows t he use of a short guard int erval. I n t he 802.11a and 802.11g st andards as well as t he WWiSE proposal, t he guard int erval is 800 ns. I n Chapt er 13, it was discussed t hat t hat t he guard int erval should be t wo t o four t im es t he delay spread. An 800 ns guard int erval allows a 200 ns delay spread, which is m uch higher t han was observed in m any environm ent s. Most offices and hom es have a m uch sm aller delay spread, on t he order of 50- 100 ns. I n t hat case, using a 400 ns guard int erval can boost t hroughput by approxim at ely 10% .

TGnSync Physical Transmission (PLCP and PMD) The basic fram e form at of t he PLCP in t he TGnSync proposal is shown in Figure 15- 17. I t uses t he sam e header as t he exist ing OFDM, and t herefore does not require t he use of high- overhead prot ect ion t o avoid int erfering wit h 802.11a or 802.11g net works. Fields prefaced wit h " L- " in t he figure are legacy fields com m on t o 802.11a and 802.11g; see Chapt ers 13 and 14 for det ails.

Figu r e 1 5 - 1 7 . TGn Syn c PLCP fr a m e for m a t

Legacy header The first t hree fields in t he TGnSync PLCP fram e are ident ical t o t he 802.11a/ g PLCP header.

L- STF ( Legacy Short Training Field) The legacy short t raining field is ident ical t o it s definit ion in 802.11a. I t last s eight m icr oseconds.

L- LTF ( Legacy Long Training Field) The legacy long t raining field is ident ical t o it s definit ion in 802.11a. I t also last s eight m icr oseconds.

L- SI G ( Legacy Signal) These t hree fields are ident ical t o t he corresponding fields used by 802.11a and adopt ed by 802.11g. For det ails, see Figure 13- 16. The L- SI G field is t ransm it t ed using BPSK, R= 1/ 2 m odulat ion and coding. The cont ent s of t he L- SI G field is ignored by TGnSync st at ions. When spoofing prot ect ion is em ployed, t he cont ent s of t he legacy signal field are not descript ive. TGnSync st at ions will look in t he high- t hroughput headers following t he legacy headers for t he act ual lengt h and coding rat e of t he enclosed MAC fram e.

To t ake advant age of t he spat ial diversit y t hat is t he result of having m ult iple ant ennas t ransm it t ing t he sam e legacy header, TGnSync offers an opt ional cyclic delay. Each ant enna t ransm it s it s legacy fram e wit h a slight alt erat ion in it s cyclic prefix lengt h, such t hat t he t ot al delay shift is 50 ns. When 40 MHz channels are used, as in Figure 15- 17 ( b) , t he legacy header is t ransm it t ed on each 20 MHz subchannel. That is, subcarriers - 58 t o - 6 in t he lower 20 MHz subchannel and subcarriers + 6 t o + 58 in t he upper 20 MHz subchannel bot h t ransm it t he older 802.11a- st yle header.

High Throughput header I m m ediat ely following t he legacy pream ble is a " high t hroughput " header specific t o t he TGnSync proposal. The m ain com ponent of t he high t hroughput header is t he high t hroughput signal ( HT- SI G) field, which is shown in Figure 15- 18. The HT- SI G field is used t o det ect whet her a fram e carries TGnSync- encoded dat a at high dat a rat es, or if it is m erely a legacy dat a fram e. The HT- SI G field is m odulat ed conservat ively, using Q- BPSK, R= 1/ 2 m odulat ion and coding. Q- BPSK uses t wo dat a point s in it s const ellat ion, but t hey are present on t he in t he quadrat ure com ponent . The Q- BPSK const ellat ion is com pared t o t he BPSK const ellat ion in Figure 15- 18 ( b) . The t hree- byt e high- t hroughput header is com posed of several fields, and is t ransm it t ed in t he order shown. Least significant bit s in each field are t ransm it t ed first .

Figu r e 1 5 - 1 8 . TGn Syn c H T- SI G fie ld

HT- Lengt h ( 18 bit s) This field is t he num ber of byt es in t he payload of t he PLCP fram e. When aggregat ion is used, it m ay be quit e large if several full- size MAC fram es are included in t he payload.

Modulat ion and Coding Set ( MCS) ( 6 bit s) One of t he disadvant ages t o using MI MO is t hat t here are m yriad opt ions when you account for different m odulat ion schem es, differing num bers of spat ial st ream s, and different code rat es.

The MCS field select s t he m odulat ion and coding schem e, along wit h t he num ber of spat ial st ream s. Values of 0- 31 are used for basic MI MO m odes, and values of 33- 63 are used for advanced MI MO m odes.

Advanced Coding ( 2 bit s) This t wo- bit field is used t o indicat e whet her t he opt ional advanced coding is used. No advanced coding is indicat ed by zero. LDPC is indicat ed by 1. Reed- Solom on coding is indicat ed by 2. The value 3 is not used.

Sounding packet ( 1 bit ) Request s and responses used t o m easure channel perform ance set t his bit . When set , it indicat es t hat every ant enna is t ransm it t ing it s own spat ial st ream . I f it is not set , t hen t he fram e should not be used t o m easure channel inform at ion.

Num ber of HT- LTFs ( 2 bit s) Following t he HT- Signal field are high- t hroughput t raining fields. Each spat ial st ream requires a t raining field.

Short Guard I nt erval ( 1 bit ) When set t o one, t his bit flag indicat es t hat t he short 400 ns guard int erval is used on MI MO sym bols in t he Dat a field of t he fram e.

Aggregat ion ( 1 bit ) I f t his bit is set t o one, it indicat es t hat t he PLCP fram e carries several MAC fram es in an aggregat e burst .

Scram bler init ializat ion ( 2 bit s) These t wo bit s are used t o seed t he scram bler.

20/ 40 BW ( 1 bit ) I f set t o one, t his bit indicat es t hat a 40 MHz channel is used. When set t o zero, it indicat es a 20 MHz channel.

CRC ( 8 bit s) The CRC is used t o prot ect t he legacy signal field, and all t he fields in t he HT- SI G field before

t he CRC.

Tail ( 6 bit s) The HT- SI G field is prot ect ed by a convolut ional code, and as always, six bit s are needed t o ram p down t he convolut ional coder.

High-Throughput training fields Following t he high- t hroughput headers are high- t hroughput short and long t raining fields. A single short t raining field spans t he ent ire operat ing channel. I n 20 MHz channels, t he bandwidt h of t he high- t hroughput short t raining field ( HT- STF) is 20 MHz. When t he wider 40 MHz channels are used, t he HT- STF has a bandwidt h of 40 MHz. The short t raining field fine- t unes t he receivers in MI MO operat ion. When several spat ial st ream s are t ransm it t ed over several chains, finer cont rol of t he am plificat ion applied t o t he incom ing signal is im port ant . Long t raining fields ( HT- LTFs) are used t o furt her t une each receiver chains. One HT- LTF is used for each spat ial st ream . I n basic MI MO m ode, t here is one receiver chain for each spat ial st ream ; in t he advanced m ode, t here m ay be m ore receiver chains t han spat ial st ream s.

Data, tail, and padding Dat a bit s are encoded according t o m odulat ion and coding m et hods t hat are defined by t he hight hroughput header. Like ot her OFDM physical layers, dat a is scram bled before t ransm ission, using t he scram bler init ializat ion bit s in t he high- t hroughput header. Following t he dat a, t here is a six- bit t ail t hat ram ps down t he convolut ional code, and enough padding bit s t o m ake t he dat a t o be t ransm it t ed equal t o t he sym bol block size.

TGnSync PMD The basic design of a TGnSync t ransceiver is shown in Figure 15- 19, which depict s t he design of a beam form ing t ransm it t er, rat her t han a basic MI MO t ransm it t er. An incom ing scram bled fram e is handed t o t he forward- error correct ion coder, which is usually a convolut ional coder. Coded bit s from t he FEC coder are t hen sent t o different spat ial st ream s by t he spat ial parser, which is responsible for dividing t he unified bit st ream int o subsidiary st ream s for t ransm ission. Each spat ial st ream is punct ured up t o t he desired rat e. I n t he beam form ing m ode, t he punct uring occurs for each spat ial st ream and m ay occur at different rat es. Basic t ransm it t ers m ust punct ure every st ream t o t he sam e rat e. ( Logically, t he punct uring in t he basic MI MO t ransm it t er can occur before t he spat ial parser.) Each spat ial st ream now consist s of a sequence of coded bit s, ready for m apping on t o OFDM carriers by t he int erleaver. Aft er t he int erleaver, each block of bit s can be m apped on t o a single sym bol by t he const ellat ion m apper. I n t he basic MI MO m ode, each int erleaved spat ial st ream is processed by a single t ransm ission chain; t he advanced m ode uses a spat ial st eering m at rix t o assign sym bols t o any t ransm it chain. The spat ial st eering m at rix shown in t he figure could be replaced by a one- t o- one int erface bet ween t he spat ial st ream processors and t he t ransm it ant ennas for basic MI MO operat ion. Each t ransm it chain t akes it s sym bol sequence and m odulat es it on t o t he airwaves. There is no m ent ion in t he specificat ion of required channel rej ect ion or sensit ivit y perform ance.

Figu r e 1 5 - 1 9 . 2 x 2 TGn Syn c M I M O t r a n sce ive r

Comparison and Conclusions Bot h proposals are essent ially MI MO evolut ions of t he 802.11a PHY. Bot h require support for a 2x2 m ode, where bot h t he sender and receiver have t wo t ransceivers act ive. However, it is likely t hat m ost product s t hat are based on t he event ual 802.11n st andard ( which m ay or m ay not resem ble eit her of t he proposals) will support at least som e of t he opt ional m odes. I t is likely t hat cost const raint s on client devices will rest rict t hem t o operat ing in a t wo- t ransceiver m ode, while APs will have m ore t ransceivers. Basic APs m ay have only t wo, while t he m ost expensive ent erprise- class APs have t hree or four t ransceivers. Table 15- 5 shows t he dat a rat es for t he t wo spat ial st ream m odes for each proposal. Higher dat a rat es are possible wit h addit ional spat ial st ream s, albeit at t he ext ra cost of silicon. TGnSync's proposed peak rat es are higher, alt hough at t he cost of m ore aggressive coding. WWiSE's 135 Mbps dat a rat e is accom plished by using 64- QAM at R= 5/ 6; TGnSync get s t o 140 Mbps by using a 7/ 8 rat e code and cut t ing t he guard int erval t o half. ( Wit hout t he short guard int erval, TGnSync's dat a rat e is only 126 Mbps.) The advanced beam form ing m ode uses t he m uch larger 256- QAM const ellat ion. Though TGnSync's dat a rat es are higher, I expect t hat t he m ore aggressive coding will lead t o short er range.

Ta ble 1 5 - 5 . Top spe e d for m a j or 8 0 2 .1 1 n pr oposa ls ( t w o spa t ia l st r e a m s) 2 0 M H z ch a n n e ls

4 0 M H z ch a n n e ls

135 Mbps

270 Mbps

Basic m ode

140 Mbps ( + 3.7% )

315 Mbps ( + 16.7% )

Advanced beam form ing m ode

160 Mbps ( + 18.5% )

360 Mbps ( + 33.3% )

WWI SE TGnSync

Spect ral usage is a m aj or point of cont ent ion bet ween t he t wo groups. WWiSE has focused m uch m ore heavily on im proving MAC efficiency t han on t he dat a rat e, even going so far as t o argue t hat using 40 MHz channels t o im prove t he dat a rat e before im proving efficiency is a wast e of scarce unlicensed spect rum . While t here m ay be m erit t o t hat point , t he 40 MHz channelizat ion approach used by TGnSync has t he advant age of being able t o reclaim spect rum in t he m iddle of a wider channel. WWiSE m erely doubles t hroughput in t heir 40 MHz m ode, while TGnSync squeezes m ore t han double t he capacit y out of t he wider channel. Bot h approaches have t heir drawbacks. TGnSync's proposal would probably lead t o chipset s t hat are always capable of 40 MHz operat ion, adding ext ra cost and com plexit y, even t hough regulat ors m ay not allow t hem . I n count ries where 40 MHz channels are allowed, t he ext ra speed would be welcom e. I n areas where 40 MHz channels are only a pipe dream of chipset m anufact urers, t he ext ra cost m ay not be welcom e. On t he ot her hand, WWiSE's denial of t he need for high- speed channels seem s t o be denying t he five- fold leap in dat a rat es t hat occurs wit h every new 802.11 PHY. For m axim um speed, TGnSync requires closed- loop operat ion, which would be a m aj or undert aking t o im plem ent in silicon. Sounding fram es m ust be used t o m easure t he channel, and responses m ust be collect ed t o calibrat e t he radio channel. WWiSE uses only open loop operat ion, which is sim pler t o

im plem ent . The WWiSE proposal also offers t he abilit y t o spread a single encoded st ream across m ult iple ant ennas wit hout using closed- loop operat ion. I f closed- loop operat ion were t o be problem at ic t o im plem ent in silicon, 802.11n could be delayed unaccept ably. Fram e aggregat ion is an im port ant part of m eet ing t he larger goal set for t he event ual 802.11n st andard. However, t aking full advant age of aggregat ion opport unit ies requires m ore int elligent queuing t han is current ly im plem ent ed. Whet her 802.11n offers a huge increase in speed is likely t o depend a great deal on how well im proved queuing algorit hm s are able t o coalesce collect ions of sm all packet s int o large aggregat es. Neit her proposal specifies queueing, so t he perform ance boost m ay vary bet ween vendors. Aggregat ion as designed by t he prot ocol is a bit m ore int elligent in TGnSync, alt hough t his is only a m inor advant age. WWiSE's proposal only allows aggregat ion when t he Address 1 field in t he MAC header is t he sam e. I n an infrast ruct ure net work, t he Address 1 field is t he BSSI D. All fram es from a st at ion t o an AP can be aggregat ed, so t he t wo proposals are ident ical in t he upst ream direct ion. I n t he downst ream direct ion, WWiSE m ust use a physical- layer fram e burst t o change direct ions. Each new direct ion m ust have a new PLCP header. TGnSync can reduce overhead by using a m ult iplereceiver aggregat e fram e, and collect ing responses from each receiver in t he aggregat e. Powersaving m odes in 802.11 have been neglect ed, and are not very sophist icat ed. TGnSync at t em pt s t o com e up wit h ext ended powersaving operat ions for som e of t he new MAC st ruct ures, while WWiSE does not . This is likely due t o t he presence of equipm ent vendors t hat use chips in t he TGnSync consort ium , while WWiSE is com prised only of chip vendors. While t he t rade- off bet ween high speed and bat t ery life is applicat ion- specific and m ay not always m ake sense, it is always good t o see t he st andards bodies t hinking ahead about problem s t hat m ay occur.

Chapter 16. 802.11 Hardware When writ ing a specificat ion, it is im port ant t o leave som e room for int erpret at ion t o allow innovat ion. A st andard which is t oo rigid will drain t he life out of im plem ent at ion, while a st andard t hat is t oo loose does not fost er int eroperabilit y. This chapt er is about what t he st andard does not exact ly specify. How does hardware im plem ent t he st andard? Where does t he st andard allow discret ion in prot ocol im plem ent at ion, and what does t hat m ean for t he adm inist rat or?

General Structure of an 802.11 Interface Figure 16- 1 shows a block diagram of a generic wireless LAN int erface. I t is not represent at ive of any part icular m anufact urer's product , but is int ended t o serve as a general guide t o t he discussion of how cards are put t oget her. Cards m ust im plem ent t he physical int erface and t he link- layer cont rol expect ed by t he operat ing syst em . Like any ot her syst em based on radio t echnology, wireless LAN int erfaces have ant ennas. Most 802.11 int erfaces have t wo ant ennas for ant enna diversit y t o im prove recept ion in t he presence of m ult ipat h int erference. When a radio signal is received, t he radio syst em select s t he ant enna wit h t he st rongest signal, and runs wit h it . Ant enna diversit y alleviat es m ult ipat h because one of t he t wo ant ennas should receive a signal if t he weak signal is caused by self- int erference of m ult iple signals. Diversit y cannot help if t he signal weakness is caused by dist ance because bot h ant ennas will receive equally weak signals. Many t ypes of diversit y are possible, but by far t he m ost com m on im plem ent at ion is t o perform diversit y recept ion on received fram es only. Most , if not all, product s on t he m arket do not have any diversit y for t ransm it t ed fram es, and will always use a " prim ary" ant enna for t ransm issions. Early ant enna diversit y im plem ent at ions were helpful, but lim it ed by lack of sophist icat ion. Mult ipleinput / m ult iple- out put ( MI MO) t echnology prom ises higher dat a rat es and bet t er perform ance. Det ailed descript ions of MI MO are beyond t his book. I n essence, it im proves t he receiver's perform ance by using bot h ant ennas rat her t han choosing one exclusively.

Figu r e 1 6 - 1 . Ge n e r ic w ir e le ss ca r d st r u ct u r e

Ant ennas deliver t he radio signal t o a t ransceiver . The t ransceiver is som et im es called a radio

" m odem " by analogy wit h t he m odem s com m only used for t elecom m unicat ions. Transceivers will use am plifiers t o boost t he out going signal for dist ance, or t he incom ing signal for furt her processing. Radio t ransceivers also downconvert t he high- frequency signals int o m uch m ore m anageable signals by ext ract ing t he dat a bit s from t he high- frequency carrier waves. Transceiver syst em s are usually shielded t o prevent t he high frequencies in use from int erfering wit h ot her syst em com ponent s, which is why radio int erfaces t ypically have a m et al shield covering a good chunk of t he int erface card's area. Aft er t he t ransceiver, t he next st ep in t he chain is t he baseband processor, which is t he int erface bet ween t he digit al and analog part s of t he wireless LAN syst em . Bit s com e from t he com put er, and are t urned int o radio waves for t he ant ennas. Turning bit s int o radio waves is called m odulat ion; t he reverse process is called dem odulat ion. The baseband processor is responsible for handling t he com plex spread- spect rum m odulat ions, as well as physical carrier sensing. Generally speaking, physical carrier sensing is int egrat ed wit h dem odulat ion. When radio energy is received in excess of a t hreshold, t he baseband processor at t em pt s t o dem odulat e it . Many different m odulat ion t echniques exist for use wit h wireless LANs. One of t he reasons why older 802.11b st at ions are blind t o t he exist ence of 802.11g t ransm issions is t hat t he older baseband processors used in 802.11b st at ions are not capable of dem odulat ing OFDM t ransm issions. At t he heart of t he int erface is t he m edium access cont roller ( MAC) , which is responsible for t aking incom ing fram es from t he host operat ing syst em 's net work st ack and deciding when t o squirt t he fram es out t he ant enna int o t he air. The MAC accept s fram es from t he operat ing syst em for delivery t hrough a syst em bus int erface. Most wireless LAN int erfaces are based on t he CardBus st andard; som e int erfaces use Mini- PCI . On t he ot her side of t he MAC, it t ies int o t he baseband processor t o send fram es t o t he radio syst em . MACs m ay work wit h several fram es at once, and can use a sm all RAM buffer t o st ore fram es being worked on. One of t he m ost com m on reasons t o work on a fram e is t o offload securit y funct ions from t he host operat ing syst em . Rat her t han requiring fram es t o have been encrypt ed by t he m ain syst em CPU before t ransm ission, a MAC wit h securit y funct ions can accept fram es from t he driver t hat are t o be encrypt ed wit h a specified key. Frequent ly, such MACs im plem ent a key cache, which can st ore m ult iple keys. Drivers queue fram es wit h a not at ion t o encrypt wit h key 1 before t ransm ission, and t he MAC offloads t he encrypt ion from t he host syst em . Older MAC chips could perform RC4 encrypt ion offload for WEP and could be ret rofit t ed for TKI P, while t he newest MAC chips are able t o perform AES encrypt ion in hardware. I n addit ion t o t he RAM buffer for fram es in process, m ost int erfaces also have a sm all flash m em ory t o st ore firm ware for t he MAC. When t he MAC is powered up, it ret rieves and runs code from flash. To im plem ent a new securit y prot ocol like TKI P, put new firm ware in t he flash and reboot t he MAC. Firm ware allows t he use of relat ively generic processors rat her t han hard- t o- change applicat ionspecific int egrat ed circuit s ( ASI Cs) , which is a great help when working wit h prot ocols like 802.11 t hat m ay change quickly. Most 802.11 MAC chips are act ually fairly generic m icroprocessors. Som e MACs im plem ent a " real- t im e" sect ion of t he 802.11 MAC for it em s t hat require im m ediat e response. Rat her t han requiring t he host operat ing syst em t o respond t o power- save polling operat ions or send acknowledgm ent s, t hese fram es are oft en aut om at ically generat ed by t he MAC. I n ot her syst em s, t he real- t im e funct ions are handled by t he baseband processor. ( Most m odern syst em s im plem ent bot h t he MAC and baseband in a single chip, so t he dist inct ion is no longer of burning relevance.) The block diagram of Figure 16- 1 is a general guide only. To reduce cost and com plexit y, m any syst em s use a single chip for bot h t he MAC and t he baseband processor. Som e solut ions even im plem ent t he radio t ransceiver on t he sam e chip as t he MAC and baseband cont roller. I nt erfaces based on At heros chipset s do not have flash m em ory for firm ware because At heros chips are given code when t he MAC is st art ed by t he driver. Firm ware generally refers t o code st ored wit h t he hardware; At heros devices can be program m ed by syst em soft ware.

Software-Defined Radios: A Digression Two significant problem s wit h 802.11 are t he inefficiency of t he MAC, which lim it s t hroughput , and t he rapid change in physical layer t echnology, which m akes devices obsolet e quickly. A nat ural react ion t o t he inefficiency, especially from t echnically adept engineers, is t o want t o im plem ent specific opt im izat ions or new prot ocol feat ures on t he hardware t hey already own. Wit h wireless LANs, cust om izing t he behavior of t he int erface is generally not possible. The baseband processor, or t he funct ions of t he baseband processor, are im plem ent ed direct ly in t he int egrat ed circuit for speed, and cannot be changed. So- called applicat ion specific int egrat ed circuit s ( ASI Cs) have part icular logic laid out in t heir circuit ry, and cannot be used for anyt hing ot her t han what t hey were designed for. Furt herm ore, wireless LAN int erfaces use radio com ponent s opt im ized t o run wit h t he frequencies allocat ed t o wireless LAN usage by regulat ors. However, fut ure radios m ay be reprogram m able. I nst ead of using dedicat ed hardware for t he baseband processor, designers can use " program m able logic" devices, such as Field Program m able Gat e Arrays ( FPGAs) . Radio waves are analog waves t hat carry digit al dat a. I n m any cases, radios only need program m able signal processing, and can use digit al signal processor ( DSP) chips. No m at t er what t ype of program m able logic is used, t he end goal is t he sam e. Rat her t han having a m odulat ion fixed in place during t he design phase, radios based on program m able logic can change m odulat ion, coding, and bit rat e on t he fly wit h new soft ware. The price of t he flexibilit y is t hat program m able logic devices are bigger, run slower, and consum e m ore power ( and t herefore generat e m ore heat ) t han nonprogram m able devices. [ * ] By using program m able devices, t he behavior of t he radio can be changed at will, sim ply by loading new soft ware. New m odulat ion t ypes, bit rat es, or even new frequency bands can be im plem ent ed wit hout changing hardware. [ ] [*]

Programmable logic devices are often used in the design of application-specific devices. After the logic is designed and thoroughly tested, the FPGA will be redesigned as an application-specific device. The resulting fixed-logic device is sometimes called a "hard copy" of its programmable ancestor. [

] It's intereting to note that the open source process has started to adopt programmable logic. OpenCores (http://www.opencores.org) is the repository of hardware designs in the same pattern that SourceForge (http://www.sourceforge.net) is for software.

Radio int erfaces cont rolled com plet ely by soft ware ( or program m able logic) are called soft waredefined radios or universal radios. I n environm ent s where t he m odulat ion and coding change rapidly or frequent ly, t hey are ext rem ely useful. One of t he first m aj or soft ware- defined radios was t he SPEAKEasy proj ect , launched by t he U.S. m ilit ary t o replace 10 radio syst em s using different m odulat ions wit h a single soft ware radio t hat could perform t he sam e work as all 10 radio syst em s, but in a m uch sm aller package. Soft ware- defined radios are subj ect t o cert ificat ion rules in t he Unit ed St at es t hat couple t he radio soft ware wit h t he hardware, and require m anufact urers t o t ake st eps t o avoid alt erat ion of t he soft ware t o operat e out side t he approved range. [ ] [ ]

The FCC rules regarding the certification of software-defined radios are in Appendix B of FCC 01-264, which is available at http://www.fcc.gov/Bureaus/Engineering_Technology/Orders/2001/fcc01264.pdf. The first software-defined radio, a GSM base station developed by Vanu, was certified in November 2004.

Alt hough soft ware defined radios are an int erest ing developm ent wort h wat ching, t he full program m abilit y will probably not be im plem ent ed in 802.11 devices. ( Lim it ed program m abilit y is used by bot h Broadcom and At heros in t heir current chipset s.) Program m able logic is m uch m ore expensive, and would price t he result ing 802.11 devices out of t he m arket . I t m ay find a foot hold for use wit h 802.11 in a radio t hat im plem ent s several t ypes of radio link, of which 802.11 is one.

A Few Words on 802.11 Hardware Implementations

At t he t im e t his book was writ t en, t here were four m aj or chipset s used t o build 802.11 vendors. I n alphabet ical order, t he est ablished vendors are:

At heros Most int erfaces t hat include 802.11a are based on At heros chipset s. Many 802.11g devices are based on At heros chipset s as well.

Broadcom Most of t he non- Cent rino built - in 802.11g int erfaces available at t he t im e t his book was writ t en were based on t he Broadcom 802.11g chipset . Apple's AirPort Ext rem e is based on Broadcom silicon.

Conexant ( Prism ) The Prism chipset line went t hrough several corporat e t ransit ions before it wound up at Conexant .

I nt el ( Cent rino) Many built - in wireless LAN int erfaces in lapt ops are based on I nt el's " Cent rino" brand. Technically, Cent rino is a m arket ing t erm t hat refers t o a whole set of I nt el silicon, including t he syst em CPU. For exam ple, t he I nt el/ PRO 2200 card is t he t he Cent rino 802.11g int erface. One of t he m ore not able new chipset vendors is Airgo Net works, which is building a MI MO chipset t hat underlies prest andard 802.11n product s on t he m arket . I t is oft en useful t o know t he chipset vendor behind t he card. Most of t he chipset vendors m ake reference designs available t o t heir cust om ers. Reference designs t ypically include bot h hardware and soft ware. 802.11 card vendors can t ake a reference design, m odify it slight ly ( or not at all) , arrange for a new label t o be put on t he m anufact ured device, and st art selling it . Very few card vendors m ake significant enhancem ent s t o t he driver, and will sim ply repackage reference drivers. Nat urally, t he t rack record of different vendors varies. Som e m ake updat ed drivers available quickly, ot hers m ay not . Knowing who supplied t he chipset in t he card can m ake it easier t o obt ain eit her t he reference driver, or a m ore recent driver for anot her sim ilar card using t he sam e chipset . Nat urally, knowing t he chipset is vit al for picking out t he correct driver for open souce operat ing syst em s.

Learning more about cards: FCC filings 802.11 int erfaces are, in t he language of regulat ory agencies, int ent ional radiat ors. Rat her t han sim ply com plying wit h a st andard t hat lim it s t he am ount of radio frequency energy given off, 802.11 int erfaces are designed t o spew radio waves int o t he air. I nt ent ional radiat ors are t est ed for com pliance wit h every count ry's regulat ory requirem ent s, which generat es a great deal of paperwork.

I n t he Unit ed St at es, radio devices are regulat ed by t he Federal Com m unicat ions Com m ission ( FCC) , and radio t ransm ission devices are t est ed for com pliance wit h FCC rules. Before a device can legally be sold, it m ust be assigned an ident ificat ion num ber. Take a look at your favorit e card and look for t he FCC I D. An FCC I D is com posed of t wo part s: t he grant ee code, which is t he first t hree let t ers, and t he product code, which m ay be up t o 14 let t ers and num bers. Grant ee codes are unique t o an organizat ion. ( The grant ee code m ay be separat ed by a space, dash, or not at all.) For exam ple, t he FCC I D for a Lucent Gold card is I MR- WLPCE24H. I MR is Lucent 's grant ee code, while WLPCE24H is specific t o t he Gold card. As part of t he t est ing process, m anufact urers m ust subm it t est report s, product phot ographs, and ot her docum ent at ion, which becom es part of t he public record. To look up inform at ion on your favorit e card, go t o t he search engine m aint ained by t he FCC's Office of Engineering Technology at ht t p: / / www.fcc.gov/ oet / fccid/ . FCC ident ifiers can be useful if you are t rying t o figure out what driver t o use wit h a part icular card. Most product s have int ernal phot ographs available, which m ay enable you t o det erm ine whose chipset is in use. Say, for exam ple, you had a Proxim Gold a/ b/ g com bo card and want ed t o know what chipset it used. By searching t he FCC dat abase on it s I D ( HZB- 8460) , you could obt ain int ernal phot ographs of t he device, which clearly show t he presence of At heros chips on t he syst em board.

Implementation-Specific Behavior 802.11 is not a rigorous st andard. Several com ponent s of t he st andard are relat ively loose and leave a great deal up t o t he part icular im plem ent at ion. Most im plem ent at ions are also relat ively young, and m ay behave in a nondet erm inist ic fashion. I have part icipat ed in t est s t hat m ade use of several ident ical com put ers, all im aged from t he sam e soft ware dist ribut ion and using t he exact sam e wireles LAN hardware and driver revision. Even t hough t here were several com put ers in t he sam e locat ion wit h ident ical configurat ion, behavior was significant ly different .

Rebooting Interface Cards 802.11 is a com plex prot ocol wit h m any opt ions, and running t he newest prot ocols exposes t he newest bugs. 802.11 int erfaces use relat ively general- purpose m icroprocessors running soft ware. As wit h a great deal of soft ware, cards t hat are in a st range st at e m ay be helped by " reboot ing" t o clear any prot ocol st at e st ored in t he MAC processor. Ext ernal cards can be reboot ed by rem oving and reinsert ing t hem ; int ernal cards m ust be reboot ed by power cycling t hem t hrough t he syst em soft ware. I t is not sufficient t o unload and reload drivers, since t he obj ect is t o clear all st at e in t he wireless LAN int erface. Rest art ing a card m ay be required t o clear st at e t hat is prevent ing successful operat ion. As a first st ep, rest art t he card when: The client syst em is associat ed, but cannot send or receive t raffic. I f t he net work is encrypt ed, t he problem is oft en a lack of synchronizat ion of crypt ographic keys. This problem is oft en exacerbat ed by roam ing because every change bet ween APs result s in t he t ransm ission of new keys. No scan list can be built . I f you are sure t hat t here is a net work wit hin range but it will not show up in t he client ut ilit y, t he card m ay be in a st at e where it is unable t o supply a scan list . Aut hent icat ion/ associat ion failures occur in rapid succession. I f t he st at e of t he client syst em soft ware prevent s a successful connect ion but t he net work is on a " preferred" list for connect ion, t he at t em pt will be ret ried.

Scanning and Roaming Every card behaves different ly when searching for a net work t o at t ach t o, and in how it decides t o m ove bet ween APs. 802.11 places no const raint s on how a client device m akes it s decision on how t o m ove bet ween APs, and does not allow for any st raight forward way for t he AP t o influence t he decision. Most client syst em s use signal st rengt h or qualit y as t he prim ary m et ric, and will at t em pt t o com m unicat e wit h t he st rongest AP signal. Most cards m onit or t he signal- t o- noise rat io of received fram es, as well as t he dat a rat e in use, t o det erm ine when t o roam t o a new AP. When t he signal- t o- noise rat io is low at a slow dat a rat e, t he client syst em begins t o look for anot her AP. Many client s put off m oving as long as possible, in part

because t he process of looking for a new AP requires t uning t o ot her channels and m ay int errupt com m unicat ions in process. Client st ickiness is som et im es referred t o as t he bug light syndrom e. Once a client has at t ached t o an AP, it hangs on for dear life, like a bug drawn t o a bug zapper. Even if t he client m oves a great dist ance from t he AP wit h a consequent drop in signal st rengt h, m ost client s do not begin t he roam ing process unt il t he signal is alm ost lost . Roam ing in 802.11 is ent irely driven by client decisions. Where t o send t he Associat ion Request fram es is ent irely in t he hands of t he client syst em 's driver and firm ware, and is not const rained by t he 802.11 specificat ion in any way. I t would be 802.11- com pliant , t hough awful, t o connect t o t he AP wit h t he weakest signal! ( An unfort unat e corollary is t hat driver updat es t o fix bugs m ay alt er t he roam ing behavior of client syst em s in undesirable ways.) Access point s do not have prot ocol operat ions t hat can influence where client s at t ach t o, and whet her t hey will m ove or not . I m plem ent ing bet t er roam ing t echnology is a m aj or t ask for 802.11 as t im e- crit ical st ream ing applicat ions begin t o use 802.11. To borrow a phrase from Milt on Friedm an, roam ing is always and everywhere a client phenom enon.

Rate Selection 802.11 lays out basic ground rules for how m ult irat e support needs t o work, but it leaves t he rat e select ion algorit hm up t o t he soft ware running on t he int erface. Generally speaking, an int erface t ries t o t ransm it at higher speeds several t im es before downgrading t o lower speeds. Part of t hat is sim ply com m on sense. I n t he t im e it t akes t o t ransm it a fram e wit h a 1,500- byt e payload at 1 Mbps, it would be possible t o t ransm it t he sam e fram e 8 t im es at 11 Mbps, or over 20 t im es on an 802.11g net work running at 54 Mbps wit h prot ect ion enabled. ( Wit hout prot ect ion, t he m ult iplier is 40! ) I f t he fram e was corrupt ed by a one- t im e event , it m akes sense t o ret ry a few t im es before accept ing t he m ore drast ic penalt y of lowering t he dat a rat e. St ep- down algorit hm s are generally sim ilar. Aft er t rying som e num ber of t im es t o t ransm it a fram e, it falls t o a lower dat a rat e. Most cards st ep down one rat e at a t im e unt il an acknowledgm ent is received, t hough t here is no requirem ent for t hem t o do so. I t would be a valid rat e select ion algorit hm t o slow down t o t he m inim um dat a rat e at t he first sign of t rouble. St ep- up algorit hm s work t he sam e way in reverse. When " several" fram es are received wit h a m uch higher signal- t onoise rat io t han is required for t he current rat e, t he int erface m ay consider st epping up t o t he next highest rat e.

Reading the Specification Sheet Early t est ing of 802.11 devices focused on range and t hroughput because t here was lit t le else t hat could be t est ed. I n som e environm ent s, range m ay be an im port ant fact or, and one t hat can be det erm ined in part by reading t he specificat ion sheet for a card. Range is largely a funct ion of receiver sensit ivit y, which is a m easurem ent of t he weakest signal t hat a receiver can correct ly t ranslat e int o dat a. Bet t er sensit ivit y m easurem ent s result in im proved range. ( I m proving sensit ivit y can also help ot her perform ance fact ors, t oo, but range is t he easiest one t o discuss.) Most vendors have focused on im proving perform ance, and t he result ing im provem ent s ( At heros' XR, and Broadcom 's BroadRange) have been announced wit h great fanfare. Not all vendors publish com plet e specificat ion sheet s. Cisco discloses a great deal of inform at ion, wit h receiver sensit ivit ies disclosed at each dat a rat e in all frequency bands support ed. ( The card's 5 GHz perform ance has a slight dependence on t he frequency.) Many vendors sim ply report t he support ed dat a rat es wit hout any indicat ion of sensit ivit y.

Sensitivity Comparison As an exam ple, com pare t he sensit ivit y of som e com m on 802.11b cards. Sensit ivit y is defined by each 802.11 PHY. For t he direct sequence rat es, it is defined as t he received power at which t he input fram e error rat e is 8% , for 1024 byt e fram es. The st andards require t hat t he sensit ivit y be - 76 dBm or bet t er for 11 Mbps, and - 80 dBm for 2 Mbps. [ * ] Lower sensit ivit y is bet t er because it m eans t he card can receive weaker signals t han required. [*]

This corresponds roughly to a bit error rate of .001% (10-5).

The sensit ivit ies report ed in Table 16- 1 were t aken from dat a sheet s and user m anuals for four wellknown 802.11b cards and a new a/ b/ g card. The Cisco Aironet 350 had a reput at ion for pulling in weak signals well, which is ent irely j ust ified by t he dat a. At 11 Mbps, it was sensit ive t o a signal half as st rong as t he Orinoco Gold card, and nearly a quart er of t he signal required by t he Microsoft card. However, t he m arch of t echnology has im proved sensit ivit ies at higher bit rat es. All t he oldergenerat ion cards are less sensit ive t han t he At heros- based Cisco t ri- m ode card current ly on t he m arket .

Ta ble 1 6 - 1 . Se n sit ivit y ( in dBm ) for va r iou s ca r ds Ca r d

1 1 M bps

5 .5 M bps

2 M bps 1 M bps

Cisco 350

- 85

- 89

- 91

- 94

Orinoco Gold ( Herm es)

- 82

- 87

- 91

- 94

Linksys WPC11 ( Prism )

- 82

- 85

- 89

- 91

Microsoft MN- 520

- 80

- 83

- 83

- 83

Cisco CB- 21 ( a/ b/ g) ; 802.11b perform ance only

- 90

- 92

- 93

- 94

Delay Spread When radio waves bounce off obj ect s, several echos of t he wave will converge on t he receiver. The difference bet ween t he first wave's arrival and t he last arrival is t he delay spread . Receivers can pick t hrough t he noise t o find t he signal, but only if t he delay spread is not excessive. Som e vendors also quot e t he m axim um delay spread on t heir dat a sheet s. Table 16- 2 report s t he delay spread for t hree of t he cards list ed above.

Ta ble 1 6 - 2 . D e la y spr e a d ( in n s) for va r iou s ca r ds Ca r d

1 1 M bps

5 .5 M bps

2 M bps 1 M bps

Cisco 350

140

300

400

500

Orinoco Gold ( Herm es)

65

225

400

500

Cisco CB- 21 ( a/ b/ g) ; 802.11b perform ance only

130

200

300

350

Cards rat ed for higher delay spreads are capable of dealing wit h worse m ult ipat h int erference. Again, t he Cisco Aironet 350 was an ext rem ely capable card for it s day, capable of dealing wit h over t wice t he t im e- sm earing as t he Herm es- based card.

Chapter 17. Using 802.11 on Windows Whet her you've m ade it t o t his point by skipping Chapt ers 3- 16 , or whet her you've read all t he t heory, we're now going t o get our hands dirt y and st art inst alling equipm ent . Developm ent of 802.11 m anagem ent int erfaces has followed t he fam iliar progression of Windows applicat ions. I n t he beginning, t here was a great deal of variat ion bet ween individual vendors. As popularit y grew, Microsoft int egrat ed 802.11 configurat ion int o t he operat ing syst em , subsum ing vendor- specific m anagem ent t ools int o an overall fram ework. From t he st andpoint of pract ical syst em and net work adm inist rat ion, working wit h 802.11 is sim ilar t o working wit h Et hernet . I nst alling 802.11 drivers is nearly ident ical t o inst alling Et hernet drivers, and t he net work int erfaces behave alm ost exact ly like Et hernet int erfaces. 802.11 int erfaces cause an ARP cache t o be brought int o exist ence, and ot her soft ware m ay even perceive t he wireless int erface as an Et hernet int erface. Unlike m any Et hernet drivers, however, 802.11 drivers can have a num ber of advanced knobs and feat ures t hat reflect t he addit ional m anagem ent feat ures present ed in Chapt er 8. This chapt er discusses Windows configurat ion of wireless cards on bot h Windows XP and Windows 2000. I st rongly advise using Windows XP for wireless- enabled m achines because it is generally easier t o use and has subst ant ial addit ional support for new prot ocols. Third- part y supplicant s generally disable t he built - in supplicant . Occasionally, however, a driver will refuse t o work wit h a securit y syst em ot her t han Microsoft securit y st ack.

Windows XP Windows XP cont inues t he long- t im e Windows pract ice of incorporat ing funct ionalit y t hat was previously only supplied by t hird part ies int o t he operat ing syst em it self. Rat her t han relying on each 802.11 card m anufact urer t o supply a configurat ion ut ilit y, Microsoft has built a st andard configurat ion ut ilit y, called Windows Zero Configurat ion ( also called ZeroConfig, ZeroConf, or WZC) , which works wit h m ost cards. Card m anufact urers m ust st ill provide driver soft ware, but t he configurat ion can be handled t hrough Windows screens rat her t han card- specific program s. This sect ion discusses ZeroConfig because it present s a card- independent view of configurat ion, which m akes it popular wit h net work adm inist rat ors and help desks.

Card Installation Before st art ing t he process, it generally pays t o get t he lat est drivers for your card from t he m anufact urer's web sit e. Ot her net work t echnologies are far m ore m at ure t han 802.11, and do not require frequent driver updat es. Unfort unat ely, rapid innovat ion in wireless is accom panied by rapid driver changes. For m aj or vendors, t his is usually found in a " support " or " downloads" sect ion. Many sm aller vendors are rebadging reference designs, and m ay not have drivers available. I n such cases, it is oft en possible t o use t he reference driver from t he chipset vendor. Many drivers ship wit h an inst aller, which I generally prefer not t o run. Several cards have licensed t hird- part y 802.1X st acks, which can int erfere wit h t he operat ion of ZeroConf. I t is usually best t o obt ain t he lat est drivers from t he card vendor's web sit e before inst alling t he card.

Third-party 802.1X stacks and the driver update process Several t hird- part y 802.1X st acks exist . On Windows, t hey are generally im plem ent ed as a shim in t he net work st ack t hat int ercept s EAPOL fram es bet ween t he hardware and t he net work prot ocol. Many card vendors, frust rat ed wit h t he progress of t he built - in Microsoft supplicant , have t urned t o t hird- part y st acks t o enable 802.1X. Many t hird- part y st acks are incom pat ible wit h ZeroConfig. Rat her t han use t he ZeroConfig screens t o set param et ers, t hird- part y st acks oft en require an addit ional soft ware configurat ion t ool. They m ay also require addit ional supplicant soft ware t o support advanced prot ocols. To avoid using t he bundled 802.1X st ack, updat e t he driver wit hout running t he inst aller from t he vendor. The best pract ice is t o get t he driver from t he vendor web sit e, unzip it , and t hen use t he updat e driver panel of t he device m anager t o roll t he new version of t he driver int o your operat ing syst em configurat ion. Figure 17- 1 illust rat es how t o upgrade only t he driver. By going t o t he Driver t ab of t he hardware propert ies, you can access t he Updat e Driver but t on. Two t ricks m ay be used t o avoid inst alling t he t hird- part y 802.1X st acks. Many execut able driver inst allat ion files are self- ext ract ing ZI P packages, and can be opened by an unzip program . Ext ract t he drivers t o a t em porary locat ion, and updat e from a

Figu r e 1 7 - 1 . Upda t in g t h e dr ive r w it h ou t t h e ba gga ge

file. An alt ernat ive is t o run t he soft ware inst aller, and im m ediat ely run t he uninst aller. Most uninst allers will rem ove configurat ion t ools and t hird- part y shim s while leaving t he new driver in place.

Cisco client software Cisco cards have one addit ional pit fall. Prot ect ed EAP ( PEAP) is st ill a developing st andard. Alt hough writ t en by represent at ives from bot h Cisco and Microsoft , t he t wo com panies' im plem ent at ions are not com pat ible. Most of t he indust ry has shipped PEAP im plem ent at ions t hat will aut odet ect which version is in use. [ * ] Even Cisco's aut hent icat ion server, CiscoSecure ACS, has a configurat ion opt ion t o be com pat ible wit h t he Microsoft PEAP im plem ent at ion. [*]

Both the Funk and Meetinghouse clients do this, as does the Radiator RADIUS server.

Microsoft 's PEAP im plem ent at ion support s t he use of EAP- MS- CHAP- V2 and EAP- TLS as inner aut hent icat ion prot ocols; Cisco's PEAP im plem ent at ion support s EAP- SI M and EAP- GTC. Most Windows shops will be seeking t o use an exist ing user dat abase, such as an Act ive Direct ory, which is possible only wit h EAP- MS- CHAP- V2. As part of t he bundled soft ware set , Cisco ships replacem ent ( Cisco) PEAP soft ware t hat overwrit es t he st andard ( Microsoft ) PEAP im plem ent at ion on t he syst em . To use Microsoft PEAP, you m ust rem ove t he Cisco PEAP drivers and replace t hem wit h Microsoft PEAP. There is only one set of PEAP

soft ware for t he ent ire syst em , so inst alling Cisco PEAP will affect all cards on t he syst em , not j ust Cisco cards. See Table 17- 1 .

Ta ble 1 7 - 1 . I n n e r EAP m e t h ods

EAP m e t h od

Cisco or M icr osoft PEAP?

Au t h e n t ica t ion cr e de n t ia ls

N ot e s

EAP- MS- CHAPV2 Microsoft

Used wit h Windows dom ain Shared password ( or MD4 hash aut hent icat ion; easy t o plug in t o of t he password) Act ive Direct ory

EAP- TLS

Microsoft

User cert ificat e

Generally not used

Cisco

Subscriber I dent it y Module ( SI M) card

Based on GSM m obile t elephone aut hent icat ion; not yet widely used

Cleart ext aut hent icat ion st ring passed t hrough encrypt ed t unnels

Can be used for t oken cards as well as a generic m et hod for st at ic passw or ds

EAP- SI M

EAP- GTC ( Generic Token Cisco Car d)

Many lapt op vendors offer 802.11 cards preinst alled int o t he syst em , wit h soft ware preloaded and configured. When t he card in quest ion is a Cisco card, chances are t hat t he lapt op vendor has inst alled Cisco PEAP and your organizat ion will need t o adj ust it s syst em build process t o rest ore Microsoft PEAP. To rest ore Microsoft PEAP, you m ust reinst all t he lat est service pack t o overwrit e t he Cisco PEAP drivers wit h t he Microsoft PEAP drivers.

Choosing a Network When Windows st art s up, t he ZeroConfig syst em will at t em pt t o find any net works in t he area. ZeroConfig m ay aut om at ically connect t o net works which it already has a configurat ion for. I f no net works have yet been configured, t he wireless int erface will produce t he bubble shown in Figure 17- 2 .

Figu r e 1 7 - 2 . Pr om pt t h a t W LAN s a r e in t h e n e igh bor h ood

By clicking on t he box, or by right clicking on t he wireless int erface and choosing " View Available Wireless Net works" , you can get t o t he list of det ect ed net works ( Figure 17- 3) . By choosing t o

Connect t o any one of t hem , Windows will at t em pt t o aut om at ically configure t he appropriat e set t ings. However, it has no way of select ing t he appropriat e EAP m et hod, and t herefore is oft en unable t o aut om at ically configure encrypt ed net works. At t aching t o an unencrypt ed net work is easy, but you will be prom pt ed t o confirm connect ing t o a net work t hat provides no securit y.

Figu r e 1 7 - 3 . Vie w in g a va ila ble w ir e le ss LAN s

Configuring Security Parameters and 802.1X I n m any cases, it is necessary t o m anually configure t he securit y propert ies of a net work. Windows can aut om at ically default set t ings for encrypt ion and aut hent icat ion t ype, but m ay st ill be wrong. 802.1X set t ings are always default ed t o using EAP- TLS, even t hough EAP- TLS is not com m only used. To change securit y param et ers, go t o " Change Advanced Set t t ings" t o get t he int erface propert ies, and hit t he Wireless Net works t ab ( Figure 17- 4) . To add a net work, you can select it from t he Preferred Net works pane and choose Propert ies, or you m ay add it m anually by specifying a net work nam e, as in Figure 17- 5. I f you are m anually adding a net work, you m ust configure t he correct propert ies from scrat ch. I f Windows has aut om at ically configured t he net work, it will pick t he st rongest prot ocols available.

Figu r e 1 7 - 4 . W ir e le ss N e t w or k s t a b

One of t he posit ive at t ribut es of ZeroConf is t hat it can m aint ain propert ies for several different wireless LANs, and connect t o net works for which you have defined set t ings appropriat ely. The first m aj or choice t o m ake is t he t ype of net work aut hent icat ion you will use. I n t he figure, I show WPA. However, t here are four opt ions:

Open aut hent icat ion. This is used for net works t hat perform no aut hent icat ion, as well as net works t hat are using legacy dynam ic WEP solut ions. Select ing it m eans t hat t he init ial link layer aut hent icat ion t akes place using t he open aut hent icat ion m et hod described in Chapt er 8. Any net work im plem ent ing open aut hent icat ion m ay require 802.1X on t op of it , t hough it does not have t o.

Shared aut hent icat ion. This opt ion is used for net works t hat do shared- key WEP aut hent icat ion. I t will require you t o ent er a key in t he " Net work Key" fields. Shared- key WEP aut hent icat ion is not very st rong, and does not offer serious prot ect ion. The only reason t o use t his opt ion is t o connect t o a net work of APs t hat requires it .

Figu r e 1 7 - 5 . Associa t ion pr ope r t ie s

WPA aut hent icat ion . This is short for WPA Ent erprise. I t uses 802.1X for user aut hent icat ion, and uses t he aut hent icat ed keying m ode defined in 802.11i. This opt ion is only available if WPA soft ware is inst alled and t he driver has support for WPA.

WPA- PSK aut hent icat ion. This is short for WPA Personal. Rat her t han derive t he m ast er secret , t his m et hod uses a preshared m ast er key. Link encrypt ion keys are derived from t he preshared key and random values exchanged by bot h t he client and t he AP. Aft er choosing t he aut hent icat ion t ype, you will need t o select t he encrypt ion used on t he link.

Disabled. This is used on open net works t hat do not apply link layer encrypt ion. Many 802.11 hot spot s current ly fall int o t his cat egory, alt hough m ost should offer st ronger encrypt ion in t he fut ure.

WEP.

This includes WEP using bot h m anual and dynam ic keys. To use dynam ic WEP, check t he box t hat says " The key is provided t o m e aut om at ically" . Manual WEP keys can be configured by unchecking t he box and ent ering t he key.

TKI P. This opt ion is used for TKI P, which is t he default value for WPA net works.

AES. Windows does not refer t o CCMP, but inst ead labels it AES in t he ZeroConf configurat ion. [ * ] This is believed t o be t he st rongest encrypt ion available for use on wireless net works. [* ]

This is probably due t o int ellect ual propert y concerns t hat caused t he AES- based encrypt ion algorit hm t o be changed during t he 802.11i draft process.

The dialog box offers t he opt ion t o ent er a key, or use aut om at ically provided keys. I f 802.1X is in use, t he key will be provided aut om at ically and t he checkbox will be cleared. Net works t hat use WPA aut hent icat ion m ust use aut om at ic keys; net works built on WPA- PSK m ust have t he preshared key ent ered for t hem . Table 17- 2 sum m arizes t he encrypt ion and aut hent icat ion opt ions t hat are suppor t ed.

Ta ble 1 7 - 2 . Su m m a r y of e n cr ypt ion a n d a u t h e n t ica t ion m e t h ods Au t h e n t ica t ion fr a m e w or k

Su ppor t e d e n cr ypt ion

Au t h e n t ica t ion m e t h ods

Open

Disabled ( no WEP)

802.1X opt ional

WEP ( key specified) WEP ( aut om at ic key) WPA

WEP ( aut om at ic key)

802.1X required

TKI P AES ( support ed cards only) WPA- PSK

WEP ( aut om at ic key)

802.1X not used

TKI P AES ( support ed cards only)

Aft er configuring t he associat ion propert ies, configure t he aut hent icat ion propert ies. The associat ion propert ies t ab, shown in Figure 17- 6, is t he screen on which t he EAP m et hod is select ed. The figure shows a m achine which has t hree opt ions: PEAP, EAP- TLS ( " Sm art card or ot her Cert ificat e" ) , and TTLS ( " SecureW2" ) . Clicking on t he propert ies but t on will configure t he select ed EAP m et hod. Aft er t he EAP m et hod, t here is a checkbox t o " Aut hent icat e as com put er when com put er inform at ion is available" . Checking t his box allows a syst em t o aut hent icat e t o t he net work using m achine credent ials, which allows Windows dom ain housekeeping t o occur before user aut hent icat ion.

Operat ion of t his process is discussed in a lat er sect ion of t his chapt er.

Figu r e 1 7 - 6 . Au t h e n t ica t ion pr ope r t ie s

Configuring EAP Methods On t he aut hent icat ion t ab, you select an EAP m et hod, but configurat ion is handled by clicking on t he Propert ies but t on. Not all t he m et hods displayed in t he aut hent icat ion propert ies t ab are supplied by Microsoft . Third- part y soft ware can add EAP t ypes t o t he drop- down list . Text in t he EAP m et hod box is one of t he ways t hat you can det erm ine whet her Microsoft or Cisco PEAP is in use. Microsoft PEAP, which is t echnically PEAP version 0, displays as " Prot ect ed EAP ( PEAP) " , while Cisco PEAP displays sim ply as " PEAP" .

EAP-TLS Figure 17- 7 shows t he configurat ion screen t hat is displayed when EAP- TLS is select ed. The t op box specifies whet her t he client cert ificat e used t o aut hent icat e t he user is st ored on a sm art card, or in t he cert ificat e st ores t hat Windows m aint ains. Large organizat ions issue sm art cards t o em ployees, som et im es em bedded in em ployee ident ificat ion card. Most m idsized and sm aller com panies will opt inst ead t o issue cert ificat es st ored on each m achine.

Server validat ion is a key t o building a secure net work. The Microsoft supplicant allows t wo different levels of aut hent icat ion. When t he aut hent icat ion server present s a cert ificat e t o t he client , t he client can validat e t hat against t he list of t rust ed cert ificat ion aut horit ies. I f a self- signed cert ificat e is in use, you m ust uncheck t he validat ion box. The supplicant will t rust any cert ificat e it received, which opens a huge pot ent ial rout e of at t ack because t he supplicant will t rust any AP wit h any cert ificat e. As an opt ional addit ional safeguard, t he nam e list ed in t he server cert ificat e can be validat ed t o ensure t hat it com es from a known DNS dom ain.

Figu r e 1 7 - 7 . EAP- TLS con figu r a t ion scr e e n

PEAP version 0 Microsoft PEAP configurat ion, shown in Figure 17- 8, is sim ilar t o EAP- TLS. Server validat ion is ident ical, and should be enabled. The m aj or configurat ion is t he inner aut hent icat ion m et hod t o be used inside t he prot ect ed t unnel; see Table 17- 1 for a brief discussion of t he various opt ions. Microsoft 's im plem ent at ion allows t he list t o cont ain any EAP aut hent icat ion plug- in. By default , t he list cont ains EAP- TLS and EAP- MSCHAP- V2. The lat t er is m ore com m on because it enables easy int egrat ion wit h Act ive Direct ory or NT Dom ain user account s. Each inner aut hent icat ion m et hod can have it s own subconfigurat ion. Wit h EAP- MSCHAP- V2, t he inner m et hod configurat ion has only one opt ion. When t he box is checked, t he Windows logon credent ials are aut om at ically subm it t ed t o t he net work. The checkbox is som et im es called t he PEAP single sign- on because t he supplicant

aut om at ically subm it s logon credent ials wit hout prom pt ing t he end user.

Figu r e 1 7 - 8 . PEAP ve r sion 0 con figu r a t ion

Clearing credentials from the registry When single sign- on is not enabled, user passwords will be saved t o t he regist ry. When a user connect s t o a part icular net work nam e for t he first t im e, t he syst em will prom pt t he user for a usernam e, password, and Windows dom ain. I f aut hent icat ion is successful, t he credent ials are saved t o t he Regist ry for fut ure use. Whenever t he user chooses t o connect t o t he sam e net work in t he fut ure, Windows will aut om at ically subm it t he previously successful credent ials. As a user- friendly feat ure, credent ial caching leaves som et hing t o be desired, in large part because t here is not a convenient way t o clear out user credent ials t hat are no longer useful. Many wireless net works plug in t o exist ing aut hent icat ion sources, and m ost large- scale net works enforce regular password change policies. When an enforced password change invalidat es t he cached credent ials in t he Regist ry, t he user m ust clear out t he regist ry t o change t he password. User credent ials are st ored in t he Regist ry under HKCU\ Soft ware\ Microsoft \ EAPOL\ UserEapI nfo, as shown in Figure 17- 9. Each net work int erface configured t o do PEAP aut hent icat ion wit hout singlesign on will be represent ed by a long ident ifier consist ing of a big st ring of let t ers and num bers.

Figu r e 1 7 - 9 . St or e d u se r cr e de n t ia ls in t h e Re gist r y

Each net work card is given an ident ifier. I n Figure 17- 9, t he int erface wit h t he ident ifier {768EB04A989E-4C89-9B85-93DF52F5EDE6} has t hree cached net work passwords. To rem ove t he cached password for t he net work, delet e it s corresponding regist ry key. To find out which net work int erface t he st ring corresponds t o, go t o HKLM\ Soft ware\ Microsoft \ WindowsNT\ Current Version\ Net workCards and check out keys below t hat value. Figure 17- 10 shows t he m apping of t he regist ry st ring t o an " ORiNOCO 802.11abg Com boCard Gold."

Figu r e 1 7 - 1 0 . Cr oss- r e fe r e n cin g t h e in t e r fa ce t o t h e t e x t n a m e in t h e Re gist r y

St oring t he user password in t he regist ry decreases t he usabilit y of t he Windows supplicant wit h a user- ent ered password. Microsoft represent at ives have defended password caching as a user convenience feat ure t hat prevent s t he need t o repeat edly re- ent er t he password, and point ed out t he benefit of using an exist ing Act ive Direct ory user account wit h aut om at ic use of Windows credent ials. Ot her supplicant s, however, st ore t he user password in a m ore easily accessible place. The Microsoft supplicant on Windows CE does not cache credent ials. Users are prom pt ed for credent ials every t im e t he supplicant reaut hent icat es. Most Windows CE devices do not have keyboards, and ent ering credent ials quickly can be quit e difficult .

SecureW2: TTLS with ZeroConfig Third- part y supplicant s present net work adm inist rat ors wit h a difficult choice. Users are oft en com fort able wit h t he Windows GUI for configuring wireless int erfaces, but TTLS support is generally only available by using a t hird- part y client t hat disables ZeroConfig. Fort unat ely, t here is a solut ion. ZeroConfig has a program m ing int erface t hat enables addit ional EAP support t hrough " plug- ins" t hat im plem ent a part icular aut hent icat ion m et hod. SecureW2 is a TTLS plug- in for Windows ZeroConfig. I t is an open source proj ect , released under t he GPL. Source code and binary packages are available from ht t p: / / www.securew2.com . As a plug- in, SecureW2 configurat ion is accessed t hrough t he sam e screens as EAP- TLS and PEAP. When t he Propert ies but t on is first clicked, SecureW2 displays it s m ain configurat ion screen (Figure 17- 11) . SecureW2 configurat ion dat a is bundled int o a profile. Each wireless net work st ored by ZeroConfig is associat ed wit h a SecureW2 profile. Different net works m ay each be associat ed wit h a single SecureW2 profile. SecureW2 inst allers can be built wit h an adm inist rat ive packaging t ool t hat allows profiles t o be included in t he inst aller.

Figu r e 1 7 - 1 1 . Se cu r e W 2 m a in scr e e n

Four t abs are used t o define t he profile. The Connect ion t ab, shown in Figure 17- 12, is used t o specify t he first - st age ident it y used by TTLS. By unchecking t he box, t he user account specified on t he fourt h t ab will be used in t he first st age. By default , t he out er ident it y is anonym ous.

Figu r e 1 7 - 1 2 . Se cu r e W 2 pr ofile cr e a t ion

Server aut hent icat ion is configured wit h t he second t ab, t he Cert ificat es t ab shown in Figure 17- 13. Rat her t han present ing a long list of cert ificat e checkboxes t o accept , you m ust add each cert ificat e aut horit y m anually. By clicking t he Add CA but t on, t he list will pop up. I n XP Service Pack 2, t he list present ed is pulled from t he com put er's cert ificat e st ore. Just as wit h t he Microsoft supplicant , it is possible t o validat e t he server nam e in t he cert ificat e. Wit h t he out er usernam e and net work aut hent icat ion configured, it is possible t o finally configure t he user account for t he inner aut hent icat ion. Aut hent icat ion t ype is configured wit h t he " Select Aut hent icat ion" t ab drop- down ( see Figure 17- 14) . Much of t he im pet us for using TTLS is t hat cleart ext password aut hent icat ion is required; in such cases, t he Aut hent icat ion Met hod will be set t o PAP. The user account is configured on t he fourt h t ab.

Figu r e 1 7 - 1 3 . Se cu r e W 2 ce r t ifica t e con figu r a t ion

Figu r e 1 7 - 1 4 . Se cu r e W 2 a u t h e n t ica t ion m e t h od a n d u se r a ccou n t scr e e n s

WPA Configuration and Installation Wi- Fi Prot ect ed Access ( WPA) is t he t ypical securit y baseline used in m ost organizat ions. WPA is built int o Windows XP Service Pack 2, and available as a pat ch for XP Service Pack 1. Enabling WPA is a m at t er of select ing eit her WPA or WPA- PSK as t he aut hent icat ion m et hod in t he associat ion propert ies of t he card. Microsoft does not im plem ent WPA for ot her operat ing syst em s; use of WPA on ot her operat ing syst em s requires a t hird- part y supplicant . To use WPA, t he ent ire syst em m ust support it . I n addit ion t o OS- level support , t he hardware and it s driver m ust be capable of WPA support . Drivers will prevent unsupport ed opt ions from being displayed. On a Dell TrueMobile 1150 card, t he opt ion for AES does not appear because t hat device only has RC4 encrypt ion built - in. I f WPA is not working as expect ed, ensure t hat t he lat est driver is

inst alled before cont act ing your vendor's support organizat ion.

Windows 2000 Windows 2000 is st ill widely used. Many older m achines have not been upgraded t o Windows XP t o save m oney, and Windows 2000 rem ains a serviceable operat ing syst em . Wireless configurat ion on Windows 2000 is significant ly m ore com plex t han on Windows XP, in large part because it lacks solid int egrat ion bet ween t he select ion of a wireless net work and t he corresponding securit y configurat ion. Windows 2000 did not ship wit h 802.1X support from t he st art . I t was init ially added as a pat ch on t op of Service Pack 3, [ * ] and was lat er int egrat ed int o Service Pack 4. Microsoft has not port ed WPA funct ionalit y t o Windows 2000, alt hough a WPA client is available from t he Wireless Securit y Corporat ion ( ht t p: / / www.wirelesssecurit ycorp.com ) . Many observers feel t hat 802.1X support on Windows 2000 is not a priorit y for Microsoft , and it s inclusion int o recent service packs is an illust rat ion of increased difficult y in persuading users t o upgrade. [*]

See Microsoft knowledge base article 313664 for the patch.

Alt hough 802.1X configurat ion has been int egrat ed int o t he driver layer, Windows 2000 st ill depends on a card ut ilit y t o configure which net work t he syst em will at t ach t o. The separat ion can be part icularly problem at ic for users who t ravel bet ween an encrypt ed net works and unencrypt ed net works. Alt hough using t he card ut ilit y t o swit ch net works is st raight forward, it is usually necessary t o m anually enable or disable securit y. Windows 2000 m ay present net work adm inist rat ors wit h a difficult choice. I f t he soft ware configurat ion t ool bundles a t hird- part y 802.1X st ack, ext ra adm inist rat ion work m ust be done t o separat e t he t wo.

Dynamic WEP Configuration The Wireless Configurat ion Service on Windows 2000 only support s dynam ic WEP for encrypt ion. TKI P support is only possible by using a t hird- part y supplicant . To configure dynam ic WEP, set up t he card's ut ilit y for use wit h m anual WEP key. As far as t he card ut ilit y is concerned, a m anual WEP key is in use. Fram es are dispat ched by t he driver t o t he card, t o be encrypt ed by one of t he keys st ored in t he card's key cache. The Wireless Configurat ion process, however, will push new keys int o t he card as required by t he net work's securit y policy. The m anual WEP key need not be configured anywhere else on t he net work. I t m ust only be t he correct lengt h. For net works using 128- bit WEP, t he key should be ent ered as 26 hexadecim al digit s, such as 12345678901234567890123456. This dum m y key is never used, since it is replaced by t he dynam ically derived key aft er a successful 802.1X aut hent icat ion. I n m y experience, t he Wireless Configurat ion Service on Windows 2000 is not as reliable as t he process on Windows XP. Several bugs have caused t he service t o fail aft er a successful aut hent icat ion. I nt erest ingly enough, t he sym pt om of t his t ype of failure is t hat t he connect ion will be keyed succesfully, but t raffic will be disrupt ed at t he first reaut hent icat ion period. Wit h no soft ware running t o process 802.1X fram es, any at t em pt ed reaut hent icat ions or re- key operat ions will fail.

Windows Computer Authentication When t he Windows aut hent icat ion subsyst em was designed, it used a net work connect ion t o send user credent ials t o t he dom ain cont roller for validat ion. When t he net work subsyst em st art ed, it would obt ain a net work address, if necessary for t he prot ocol in use, and cont act t he dom ain cont roller. Besides validat ing user credent ials, t he dom ain offered several ot her services. Net work adm inist rat ors could define dom ain policies t o cont rol t he behavior of any syst em in t he dom ain, or login script s t o cust om ize t he user environm ent as part of t he login process. I n t he wired world, dom ain services are not a problem . Users at t ach t o t he net work, and t he syst em it self st art s sending packet s. When t he Windows st art up process was designed, t here was no way of aut hent icat ing wired net work connect ions. I n t he wireless world, t hough, where users m ust aut hent icat e t o act ive a wireless connect ion, net work aut hent icat ion can be a bit of a chicken and egg problem . Users can cert ainly aut hent icat e t o t he wireless net work once t hey supply credent ials t o t he login box, but how can t hose credent ials be validat ed wit hout a net work connect ion t o send packet s t o t he dom ain cont roller? Windows NT, 2000, and XP provide a part ial solut ion in t erm s of credent ial caching. Once a user has successfully logged in t o a com put er t hat is a m em ber of a Windows dom ain, credent ials are cached for t he fut ure. Credent ial caching is only part of t he solut ion because it depends on logging in t o t he com put er on a wired connect ion first . Microsoft has developed a m uch bet t er solut ion called com put er aut hent icat ion or m achine aut hent icat ion. When t he syst em first st art s up, t he com put er aut hent icat es t o t he wireless net work as it self. Wit h t he wireless net work up and operat ional, t he com put er can t hen download any required inform at ion from t he dom ain and validat e t he credent ials of any user against t he dom ain cont roller. Users who have never logged in t o t he syst em and have no cached credent ials can log in as well. A fair am ount of funct ionalit y depends on having a net work connect ion early in t he boot process. I n addit ion t o dom ain services, drive m appings are at t em pt ed early enough t hat t hey m ay fail if t he com put er is not aut hent icat ed. I n m ost cases, Windows com put er aut hent icat ion should be considered m andat ory for a sm oot h- funct ioning net work. To set up Windows com put er aut hent icat ion, you m ust have an Act ive Direct ory back end. Com put ers m ust have account s defined in t he Act ive Direct ory, and t hey m ust be grant ed Dial- I n perm ission.

How It Works Com put er aut hent icat ion adds an ext ra 802.1X aut hent icat ion process t o t he boot process. First t he com put er aut hent icat es as it self. Aft er obt aining user credent ials from t he login box, a second 802.1X t ransact ion is run t o aut hent icat e as t he user. The process is shown in Figure 17- 15. The figure ident ifies several st eps in t he process. I t st art s when t he com put er com es up and st art s it s net working syst em . I t begins an 802.1X aut hent icat ion as t he com put er in parallel t o ot her syst em st art - up t asks.

1 . The m achine aut hent icat ion is st art ed. I t m ay be st art ed by an EAPOL- St art from t he supplicant , or by a Request / I dent it y fram e from t he aut hent icat or. 2.

2 . The net work collect s t he ident it y of t he m achine. I n t he first aut hent icat ion, t he " user" ident it y is of t he form host/ComputerName.ActiveDirectoryDomain, where bot h t he ComputerName and t he ActiveDirectoryDomain are available from t he syst em propert ies. 3 . The com put er aut hent icat es against it s com put er account on t he RADI US server, or in t he backend dat abase behind t he RADI US server. This process m ay t ake several round- t rips because of t he need t o exchange cert ificat es, est ablish crypt ographic keys, and so fort h. Com put er aut hent icat ion uses t he sam e EAP m et hod as user aut hent icat ion. I f EAP- TLS is em ployed for user aut hent icat ion, t he com put er m ust also have it s own cert ificat e. When PEAP is configured for user aut hent icat ion, t he com put er uses EAP- MSCHAP- V2 as it s inner m et hod. The " password" used in t he inner aut hent icat ion is generat ed when t he com put er j oins t he dom ain, and is not available t o any ot her soft ware. 4 . W h e n t h e a u t h e n t ica t ion su cce e ds, t h e com pu t e r is a t t a ch e d t o t h e n e t w or k . I t r e ce ive s a n EAP- Su cce ss fr a m e fr om t h e a u t h e n t ica t or , a n d on w ir e le ss LAN s, EAPOLKe y fr a m e s t o pr ovide k e ys for t h e con n e ct ion. When aut hent icat ion com plet es, t he com put er will be at t ached t o t he net work, and can send and receive t raffic. By sending a DHCP request , t he com put er can j oin t he net work and locat e a nearby dom ain cont roller by using Net BI OS over

Figu r e 1 7 - 1 5 . St a r t u p pr oce ss w it h W in dow s com pu t e r a u t h e n t ica t ion

TCP/ I P. Before user aut hent icat ion, t he com put er can est ablish a relat ionship wit h t he dom ain cont roller. The user presses Cont rol- Alt - Delet e t o begin t he login process. The syst em uses it s connect ion t o t he dom ain cont roller t o load t he user login script , configure Windows dom ain policies, and perform ot her login t asks. 5 . When t he user deskt op is about t o st art , t he second aut hent icat ion st art s. The end user aut hent icat ion m ust be t riggered by t he operat ing syst em . Typically, t he m achine aut hent icat ion est ablished at t he st art of t he session is only used for a few m inut es unt il t he user aut hent icat ion begins. 6 . The net work request s t he ident it y of t he end user. On Windows net works, t his is t ypically of t he form DOMAI N\ user, where t he t wo com ponent s are t he Windows NT- st yle dom ain nam e, and t he user account . 7 . The supplicant aut hent icat es t o t he net work wit h credent ials from t he user. Wit h t he Windows supplicant , t he sam e EAP plug- in m ust be used for bot h t he com put er aut hent icat ion and t he

user aut hent icat ion. Like t he previous st ep, it m ay require m ult iple round- t rips t o est ablish a secure crypt ographic channel. 8 . The user aut hent icat ion succeeds, and keys are provided for t he connect ion. These keys will be different from t he com put er keys because t hey are derived from a different TLS session. Com put er aut hent icat ions can be t reat ed separat ely from user aut hent icat ions. Aut horizat ion of t he t wo aut hent icat ions m ay occur separat ely. For exam ple, in a net work t hat perform s dynam ic VLAN assignm ent , it m ay be possible t o assign t he com put er account t o a different VLAN from t he user account . Early versions of t he Microsoft supplicant did not t rigger DHCP request s upon successful aut hent icat ion, which prevent ed t he user from sending and receiving t raffic. Pat ches are available t o fix t his problem .

Chapter 18. 802.11 on the Macintosh Apple Com put er has been a key player in est ablishing t he m arket for 802.11 equipm ent . Most com panies in t he 802.11 m arket saw t heir cont ribut ions in t erm s of st andards com m it t ee act ivit y and t echnology developm ent . Apple cont ribut ed by dist illing com plex t echnology int o an easy- t o- use form fact or and applying it s m ass- m arket ing expert ise. I n 1999, 802.11 was a prom ising t echnology t hat had dem onst rat ed it s value in a few narrow m arket s. 802.11 int erfaces cost around $300, and access point s were around $1,000. Apple saw t he prom ise in t he t echnology and m oved aggressively, releasing $300 access point s and $99 int erfaces. Wit h a new com pet it or suddenly pricing t he gear at a t hird of t he prevailing price, ot her vendors were forced t o drop prices dram at ically, and t he m arket t ook off. Prices have been dropping ever since. Apple's cards are branded wit h t he nam e AirPort . AirPort refers t o t he first - generat ion 802.11b net work int erfaces, while AirPort Ext rem e is used t o refer t o newer 802.11g- based hardware. ( Due t o a focus on sm all offices and hom e offices, Apple does not sell 802.11a hardware.) This chapt er discusses only t he AirPort Ext rem e hardware, alt hough t he differences in configurat ion and m anagem ent are vanishingly sm all. I n addit ion t o easy configurat ion of t he wireless int erface, t he Apple 802.1X supplicant is t he easiest t o configure. The 802.1X supplicant was included for t he first t im e in OS X 10.3, bet t er known t o m ost of t he world by it s code nam e of Pant her.

The AirPort Extreme Card Apple offers t ight ly int egrat ed syst em s because t he hardware and t he soft ware are designed in t andem . Unlike t he chaot ic I BM- com pat ible world, wit h Apple one com pany is responsible for bot h t he hardware and soft ware, and it shows. You can inst all t he hardware and soft ware and connect t o an exist ing net work in only a few m inut es. I f an AirPort card is plugged in during syst em inst allat ion, t his can be done as part of t he init ial configurat ion.

Software Installation Drivers for t he AirPort are included in OS 9.1 and lat er, so t here is no need t o download and inst all drivers. I f t he AirPort card is inst alled before t he syst em first boot s, t he first - t im e boot configurat ion ut ilit y will allow you t o configure t he AirPort int erface out of t he box by select ing a net work nam e and choosing how t o configure TCP/ I P. For a net work t hat uses DHCP, t he configurat ion inst ruct ions are only a few screens long. AirPort cards added aft er t he syst em first boot s can be configured by t he AirPort Set up Assist ant . [ * ] Aft er insert ing t he card, run t he Set up Assist ant . When it st art s, you will see t he dialog box in Figure 18- 1 . [*]

Cards can also be configured with the System Preferences application. For completeness, this chapter discusses the Setup Assistant first and the System Preferences application later in terms of monitoring and changing the configuration. However, there is no reason why you cannot configure the card straight from the System Preferences application.

Figu r e 1 8 - 1 . I n it ia l Air Por t Se t u p Assist a n t scr e e n

Choose t o configure t he AirPort card and click Cont inue. The next st ep, shown in Figure 18- 2, is t o select t he net work you wish t o j oin. Every net work wit hin range is displayed in t he pop- up m enu. Figure 18- 2 shows t he user select ing t he secure.ut ah.edu net work.

Figu r e 1 8 - 2 . Air Por t ca r d n e t w or k se le ct ion

Once t he net work is select ed, you can m ove on t o t he t hird st ep: ent ering t he nework password, which is only useful for net works prot ect ed by WEP or WPA. 802.1X configurat ions m ust be set up in I nt ernet Connect , as described lat er in t his chapt er. When connect ing t o a net work, several different t ypes of securit y can be select ed. Figure 18- 3 shows t he dialog box. The t ype of securit y is select ed wit h t he drop- down box from WPA Personal ( WPAPSK) , WPA Ent erprise ( WPA wit h RADI US aut hent icat ion) , and WEP. To m ake m at t ers easier for users, Apple has allowed adm inist rat ors t o input WEP keys as variable- lengt h passwords. The ASCI I t ext of t he password is t hen hashed int o a WEP key of t he appropriat e lengt h. WEP keys can also be ent ered in hexadecim al by prefacing t hem wit h a dollar sign, such as $EB102393BF. Hex keys are eit her 10 hex digit s ( 40- bit ) or 26 hex digit s ( 104- bit ) . I nt erpret at ion of t he input st ring can be forced t o ASCI I by enclosing t he key in double quot es. [ * ] [*]

For more information, see article 106250 in Apple's Knowledge Base at http://kbase.info.apple.com.

Configuring and Monitoring an AirPort Interface You m ay need t o change t he AirPort configurat ion from t im e t o t im e. You m ay m ove bet ween different 802.11 net works ( ESSs) or need t o change t he WEP keys or I P set t ings. Once t he card is inst alled, you can change it s configurat ion wit h t he configurat ion t ools provided wit h OS X. Apple's configurat ion program s don't allow users t o change any of t he m ore com plex 802.11 param et ers. All t he inform at ion needed t o j oin a net work, for exam ple, is broadcast in t he Beacon fram es. Apple decided in m ost cases, it 's enough t o present t he user wit h net work nam es and prom pt for securit y set t ings.

Figu r e 1 8 - 3 . Air Por t n e t w or k pa ssw or d e n t r y

Basic configuration with the AirPort status icon Once configurat ion is com plet e, t he AirPort st at us icon is displayed in t he upper- right corner of t he screen, next t o t he speaker volum e, bat t ery, and clock icons, provided you haven't t urned off t hose icons. The AirPort icon also indicat es radio st rengt h. I n Figure 18- 4, t here are several solid wavefront s on t he icon. As you m ove fart her from t he access point and t he signal degrades, t he num ber of bars decreases. When it is clicked, a drop- down com m and list offers t he opt ion of t urning t he power t o t he AirPort card on or off, select ing or creat ing net works, and opening t he I nt ernet Connect applicat ion t o m onit or t he radio int erface. I t is quit e handy for users t o be able t o t urn off t he card at will. When you are out of range of a net work, or j ust not using it , t he card can easily be powered down t o save bat t ery power.

Figu r e 1 8 - 4 . Air Por t st a t u s icon

I n Figure 18- 4, t here are t wo net works wit hin range: " Lit t le Green Men" and " Lum iniferous Et her." The checkm ark by " Lit t le Green Men" indicat es t hat it is t he net work t o which t he user is current ly connect ed, alt hough t he user can swit ch bet ween t he t wo net works sim ply by select ing a preference. Any ot her net work can be select ed by using t he " Ot her..." opt ion and ent ering t he nam e of t he net work. An I BSS can be creat ed by going t o t he Creat e Net work opt ion and select ing t he basic radio param et ers shown in Figure 18- 5. The com put er is set t o creat e an I BSS wit h t he net work nam e of Very I ndependent BSS; t he radio channel default s t o 11 but can be changed t o any of t he 11 channels accept able in Nort h Am erica and Europe. Every com put er t aking part in t he I BSS m ust use t he sam e channel. I BSS net works can only be configured for WEP.

Figu r e 1 8 - 5 . I BSS pa r a m e t e r se t u p

Aft er you've set up an independent net work, t he syst em adds a new sect ion t it led " Com put er t o Com put er Net works" t o t he drop- down list , as shown in Figure 18- 6. The AirPort st at us icon also changes t o a com put er in t he pie- wedge shape t o indicat e t hat t he net work is an I BSS rat her t han an infrast ruct ure net work.

Figu r e 1 8 - 6 . Air Por t st a t u s icon w h ile a ssocia t e d t o a n I BSS

Configuration with the System Preferences application I f you m ove bet ween different ESSs, you can creat e a " locat ion" for each and use t his t o configure t he ESS/ password pair, which you can t hen pick from a m enu as you m ove t o a different locat ion. You can also preconfigure an ESS/ password pair if you're not current ly on t he net work for which you are set t ing up. The Syst em Preferences applicat ion allows you t o configure m any syst em at t ribut es, including t hose t hat are net work- relat ed. Figure 18- 7 shows t he net work panel of t he Syst em Preferences applicat ion. The Show pop- up list can be set t o any of t he net work int erfaces in t he syst em . Nat urally, when set t o AirPort , it enables t he fourt h t ab, as shown in t he figure. The default t ab is TCP/ I P ( Figure 18- 7) , which can be set t o configure int erfaces m anually or wit h t he assist ance of DHCP or Boot P. When set t o DHCP, as in t he figure, t he leased address is shown. Alt hough t he DHCP server on m y net work provided DNS servers, t he server I P addresses are not shown. ( They are, however, placed in / et c/ resolv.conf, as wit h any ot her com m on Unix syst em .)

The ot her net work panel wort hy of not e is t he AirPort t ab ( Figure 18- 8) , which can set t he net work t o j oin by default . I n m ost cases, it should be left t o Aut om at ic, which enables t he com put er t o search t hrough any net works in t he general vicinit y for one t hat has already been configured. Aut om at ic select ion can reference securit y configurat ions built wit h I nt ernet Connect , if necessary.

Monitoring the wireless interface The wireless- int erface st at us can be m onit ored wit h t he I nt ernet Connect applicat ion. The I nt ernet Connect applicat ion can be launched from eit her t he Applicat ions folder on t he hard disk or from t he AirPort st at us icon. I t can be used t o display t he signal st rengt h of t he nearest access point , as well as change t he net work wit h which t he st at ion is associat ed. I f t he net work is changed, it will reference any 802.1X configurat ion necessary t o aut hent icat e t o t he net work. See Figure 18- 9.

802.1X on the AirPort 802.1X on Pant her is set up t hrough t he I nt ernet Connect applicat ion, which can be launched from t he drop- down m enu under t he AirPort st at us icon, or direct ly from t he hard disk. To see t he 802.1X configurat ion, click on t he lock labeled 802.1X. I f t he lock does not appear, eit her select New 802.1X Configurat ion from t he File m enu, or press Com m and- Shift - X. Once 802.1X has been displayed for t he first t im e, it will always appear as an icon across t he t op ( Figure 18- 10) . To see t he full configurat ion, select t he Configurat ion drop down m enu and choose Edit Configurat ion..., which brings up t he m ain configurat ion screen ( Figure 18- 11) . The easiest t ask from here is t o edit t he configurat ion. This brings up a configurat ion screen. Put in t he usernam e and password, and select any aut hent icat ion prot ocols t hat m ay be used. This screen allows select ion of t he net work int erface t o which t he 802.1X credent ials apply. I n m ost cases, it will rem ain set t o t he AirPort card, alt hough wired 802.1X is gaining prom inence. The usernam e and password are st raight forward, as is t he wireless net work. By default , t he drop down for Wireless Net work will display any encrypt ed net works det ect ed by t he AirPort , but it is possible t o t ype in an arbit rary SSI D.

Figu r e 1 8 - 7 . TCP/ I P pr e fe r e n ce s t a b of t h e N e t w or k Pr e fe r e n ce s se t t in gs

Aft er t yping in credent ials, it m ay be necessary t o configure t he aut hent icat ion m et hod. The supplicant has different configurat ion screens for each m et hod, as discussed in subsequent sect ions. Aft er ret urning t o t he m ain screen of I nt ernet Connect , you can press t he Connect but t on t o associat e t o t he net work and at t em pt 802.1X aut hent icat ion. The st at us bar at t he bot t om will go t hrough t he following st ages:

Figu r e 1 8 - 8 . Air Por t pr e fe r e n ce s t a b of t h e N e t w or k Pr e fe r e n ce s se t t in gs

I dle The AirPort is not associat ed t o any net work.

Connect ing The AirPort is associat ing wit h t he select ed SSI D.

Aut hent icat ing The AirPort is t rading EAPOL fram es wit h t he AP or swit ch as it t ries t o validat e user credent ials.

Connect ed via ( EAP m et hod)

I f t he aut hent icat ion succeeds, t he st at us bar will not e t hat t he syst em is connect ed, and it will display t he EAP m et hod in use, as well as t he t im e which t he syst em has been aut hent icat ed.

Figu r e 1 8 - 9 . I n t e r n e t Con n e ct m on it or in g a pplica t ion

Figu r e 1 8 - 1 0 . 8 0 2 .1 X con figu r a t ion in I n t e r n e t Con n e ct

Configuring EAP Methods Each of t he EAP m et hods has a different m et hod configurat ion. Generally speaking, t he Mac supplicant hides a great deal of t he com plexit y, unless it is required.

TTLS configuration There are t wo pot ent ial TTLS configurat ion opt ions, shown in Figure 18- 12. The first , which is m andat ory, is t he inner aut hent icat ion t ype. I n m ost cases, I expect t his will be set t o PAP, t hough it

is also possible t o use CHAP, MS- CHAP, or MS- CHAP- V2. Like m ost supplicant s, t he Mac supplicant support s hiding t he user ident it y by configuring an anonym ous out er ident it y.

Figu r e 1 8 - 1 1 . 8 0 2 .1 X Con figu r a t ion scr e e n

Figu r e 1 8 - 1 2 . TTLS con figu r a t ion scr e e n

PEAP configuration On t he Mac supplicant , only EAP- MSCHAP- V2 is support ed as an inner aut hent icat ion m et hod. This allows int eroperabilit y wit h user account s st ored as MD4 hashes or in cleart ext . The m ain use for t his m et hod is t o support user account s st ored in a Windows net work. On t he configurat ion screen, Figure 18- 13, t he only opt ion is t o configure an out er ident it y t o hide t he user ident it y.

The Keychain

I n Mac OS, passwords and cert ificat es are st ored on a keychain , which holds securit y- relevant inform at ion in a cent ralized locat ion. By logging in, t he cert ificat es and user credent ials required for net work aut hent icat ion are available t o any applicat ion allowed by t he user. Figure 18- 14 shows a sim ple keychain, which cont ains one RADI US server cert ificat e, t he CA t hat signed t hat cert ificat e, and t he 802.1X configurat ion for a net work. The keychain provides access cont rol t o prot ect configurat ions.

Figu r e 1 8 - 1 3 . PEAP con figu r a t ion scr e e n

Figu r e 1 8 - 1 4 . Th e k e ych a in vie w e r

Adding to the keychain When connect ing t o an 802.1X- prot ect ed net work for t he first t im e, any cert ificat es t hat are not yet t rust ed will cause t he aut hent icat ion t o fail. Rat her t han failing t he aut hent icat ion, t he supplicant will present t he cert ificat es t o t he user, as shown in Figure 18- 15. By inspect ing t he cert ificat es, users can m ake a decision about whet her t o t rust t hem . More likely, a cent ralized inform at ion t echnology depart m ent will t est user credent ials on t he wireless net work before t urning t he syst em over t o t he end user, and can add any relevant cert ificat es during t he build process.

Figu r e 1 8 - 1 5 . Addin g a ce r t ifica t e t o t h e k e ych a in

Troubleshooting

When 802.1X aut hent icat ion fails, t he m essage t hat is received ( Figure 18- 16) does not provide a great deal of inform at ion. An error code does not provide det ailed diagnost ic inform at ion about why t he failure has occurred.

Figu r e 1 8 - 1 6 . X fa ilu r e dia log box

Fort unat ely, t he supplicant is capable of producing ext ensive debug logging. Creat e t he direct ory / var/ log/ eapolclient. I f t he direct ory exist s and t he NSDebugEnabled environm ent variable is set when I nt ernet Connect launches, it will log EAPOL fram es from t he user t o / var/ log/ eapolclient / uid( num ber) - ( net work int erface) .log. For exam ple, if UI D 501 at t em pt s t o use 802.1X on t he AirPort ( t ypically en1) , t he file will be uid501- en1.log. I nt ernet Connect m ust be launched from t he com m and line t o pick up t he environm ent variable in t he Term inal it is launched fr om .

Mac:~$ sudo mkdir /var/log/eapolclient Mac:~$ NSDebugEnabled=YES; export NSDebugEnabled Mac:~$ /Applications/Internet\ Connect.app/Contents/MacOS/Internet\ Connect

The debug log will dum p out every fram e sent and received, in bot h ASCI I and hexadecim al. I t does not print decrypt ed fram es for EAP m et hods t hat use encrypt ion. As an exam ple, t he following t wo EAPOL- Key fram es were received aft er a successful 802.1X aut hent icat ion:

---------------------------------------2005/02/15 17:00:42.903841 Receive Packet Size: 75 Ether packet: dest 0:30:65:2:e7:36 source 0:b:e:a:70:2 type 0x888e EAPOL: proto version 0x1 type Key (3) length 57 Signature: 6c 08 b3 97 b1 74 f2 ec 0e 2c 1f 66 ff 40 78 42 is valid EAPOL Key Descriptor: type RC4 (1) length 13 Broadcast index 2 replay_counter: 42 11 48 e2 00 00 00 18 key_IV: ca 7e d9 ff d4 47 80 ba 9e eb 33 c8 82 17 02 7c key_signature: 6c 08 b3 97 b1 74 f2 ec 0e 2c 1f 66 ff 40 78 42 key: fc 7a 7c 67 f6 f6 f5 7d a5 94 cb 49 1a ---------------------------------------2005/02/15 17:00:42.960436 Receive Packet Size: 64 Ether packet: dest 0:30:65:2:e7:36 source 0:b:e:a:70:2 type 0x888e EAPOL: proto version 0x1 type Key (3) length 44

Signature: ce b3 45 05 47 72 5a 98 7c 64 0c d8 52 0d 8f 78 is valid EAPOL Key Descriptor: type RC4 (1) length 13 Unicast index 0 replay_counter: 42 11 48 e2 00 00 00 19 key_IV: 45 e5 2a ad 1c 9c ea 8f 3c 58 a4 c4 6a e0 fa 82 key_signature: ce b3 45 05 47 72 5a 98 7c 64 0c d8 52 0d 8f 78 EAPOL: 2 bytes follow body: 0000 00 00

Mixing WPA and WEP on the Mac As t his book went t o press, t he Mac supplicant had a bug relat ed t o t he int eroperabilit y in environm ent s which m ix encrypt ion t ypes. I t is relat ively com m on t o run dynam ic WEP and TKI P sim ult aneously. St at ions t hat are capable of TKI P run it for unicast dat a, while broadcast dat a is encrypt ed wit h dynam ic WEP. St at ions t hat are only capable of dynam ic WEP use it for bot h unicast and broadcast dat a. I n a m ixed WEP/ TKI P environm ent , Macint oshes are unable t o connect ed t o t he net work. During t he associat ion process, t he supplicant learns t he net work support s bot h WEP and TKI P, and accept s t he securit y param et ers by associat ing. However, during t he key handshake, t he supplicant insist s on running only TKI P. Wit h t wo different set s of securit y param et ers in t he associat ion process and t he keying process, t he st andards dict at e t hat t he AP should fail keying and kick t he syst em off t he net work. As a workaround, eit her reduce t he securit y of t he net work t o run only dynam ic WEP, run t wo parallel wireless net works ( one WEP and one TKI P) so t hat Macs can use a TKI Ponly net work, or force all dynam ic WEP devices off t he net work unt il t hey can be upgraded t o TKI P.

Chapter 19. Using 802.11 on Linux When t he first edit ion of t his book was writ t en, 802.11 was only j ust com ing t o Linux. Cards had t o be select ed carefully because very few cards were support ed wit h full open source drivers t hat evolved at t he sam e pace as t he Linux kernel. Linux support has now m oved int o t he m ainst ream , wit h m any vendors act ively sponsoring driver developm ent proj ect s, or at t he very least support ing effort s t o t arget t heir hardware. Broadcom is a not able except ion. Most 802.11 devices are support ed by t he PCMCI A syst em . As wit h Windows drivers, inst alling wireless cards on Linux creat es Et hernet int erfaces. Many Linux drivers expose an Et hernet int erface t hrough t he kernel, and m ost drivers even nam e t he result ing int erfaces wit h t he et h prefix. Program s can use t he Et hernet int erface t o send and receive dat a at t he link layer, and t he driver handles Et hernet - t o- 802.11 conversions. [ * ] Many of t he t hings you would expect t o see wit h an Et hernet int erface rem ain t he sam e. ARP works ident ically, and t he I P configurat ion is done wit h t he sam e ut ilit ies provided by t he operat ing- syst em dist ribut ion. ifconfig can even be used t o m onit or t he int erface st at us and see t he dat a sent and received. [*]

There are two major encapsulation formats for data on 802.11. RFC 1042 is used for IP, and universally supported. Windows and MacOS support IPX and AppleTalk with 802.1H. Not all Linux drivers support 802.1H.

PCMCIA Support on Linux I nit ially, m ost wireless net working adapt ers were add- on cards t hat were based on t he PC Card specificat ion. [ ] PC Cards at t ach t o t he syst em bus t hrough a 16- bit cont roller int erface t hat operat es at 8 MHz. Even t hough perform ance was lim it ed by t he bus t o be roughly com parable t o t he 16- bit I SA bus, it was m ore t han capable of support ing relat ively slow 802.11b wireless LANs. Higherperform ance 802.11a and 802.11g cards require t he perform ance of t he next - generat ion CardBus int erface, which drives a 32- bit bus at 33 MHz. CardBus provides t he dram at ically im proved perform ance required by higher- bandwidt h net work int erfaces. CardBus cards look nearly ident ical t o PC Cards, and are used in t he sam e slot s. Bot h CardBus and PC Cards are, not surprisingly, configured and m anaged t hrough t he Linux PCMCI A ut ilit ies. [

] The Personal Computer Memory Card International Association (PCMCIA) is the industry group that came up with the PC Card specification. Initially, the cards were known as "PCMCIA cards," but the name was later shortened to "PC Card." I use both interchangeably, especially since Linux support for these cards still goes by the longer PCMCIA. (In reference to the unwieldy nature of the acronym, one common joke expands it as "People who Can't Manage Computer Industry Acronyms.")

Using ext ernal int erfaces wit h ant ennas t hat prot rude from t he case of t he lapt op is not always desirable. Lapt op vendors have adopt ed a different form fact or for " built - in" wireless devices called Mini- PCI . Mini- PCI is a sm all version of t he PCI int erface t hat is only a few inches long. There no lim it on what could be m ade int o a Mini- PCI card, but by far t he m ost popular use of t he slot is t o add wireless net working capabilt ies t o lapt ops. Most Mini- PCI wireless cards consist of a PCI - t o- Cardbus bridge com bined wit h a CardBus wireless LAN int erface, and are t herefore configured and m anaged t hrough t he Linux PCMCI A syst em .

PCMCIA Card Services Overview Card Services grew out of an at t em pt t o sim plify syst em configurat ion. Rat her t han dedicat ing syst em resources t o individual devices, t he host syst em m aint ained a pool of resources for PC Cards and allocat ed resources as necessary. Figure 19- 1 shows t he procedure by which cards are configured on Linux. When a card is insert ed, t he cardm gr process orchest rat es t he configurat ion of t he device, as shown in Figure 19- 1 . The orchest rat ion pulls t oget her syst em resources, kernel com ponent s, and kernel driver m odules t hrough t he configurat ion files st ored in / et c/ pcm cia . Roughly speaking, t he host t akes t he following st eps:

1 . A card is insert ed int o an em pt y PC Card socket , and cardm gr is not ified of t his event . I n addit ion t o any hardware operat ions ( such as supplying power t o t he socket ) , cardm gr queries t he card inform at ion st ruct ure ( CI S) t o det erm ine t he t ype of card insert ed and t he resources it needs. For m ore inform at ion on t he CI S, see t he sidebar " Card I nform at ion St ruct ure " lat er in t his chapt er. 2 . cardm gr at t em pt s t o ident ify t he card and load t he appropriat e kernel m odules for support . The PCMCI A card dat abase st ored in / et c/ pcm cia/ config is used t o m ap t he CI S dat abase t o drivers. Drivers can also be loaded aut om at ically t hrough a hardware ident ificat ion list t hat is part of t he m odule and st ored in a m odule m ap ( / lib/ m odules/ ( kernel version) / m odule.* m ap ) . The m ain t ask of t he ident ificat ion is t o associat e cards wit h a class . For t he purposes of configuring

net work cards, t he im port ant point t o not e is t hat it em s in t he net work class have addit ional net work configurat ion operat ions perform ed on t hem lat er. The card is ident ified by t he CI S dat a from st ep 1, and t he class set t ing is set in t he m ain syst em configurat ion file. At t his point , cardm gr beeps once. Successful ident ificat ion result s in a high- pit ched beep; unsuccessful ident ificat ions are indicat ed by a beep of lower pit ch.

Figu r e 1 9 - 1 . Lin u x PCM CI A con figu r a t ion syst e m

3 . cardm gr det erm ines which resources are available t o allocat e t o t he card. Blocks of syst em resources are reserved for PCMCI A card use in t he m ain configurat ion file, and cardm gr doles out resources as needed t o cards. The num ber of I / O port s needed and t he size of t he required m em ory window are obt ained from t he CI S. 4 . Resources allocat ed by cardm gr are program m ed int o t he PCMCI A cont roller, which is depict ed in Figure 19- 1 as int eract ion wit h t he PCMCI A device driver. The I nt el i82365SL PCMCI A cont roller is t he m ost com m on chip on t he m arket , which is why t he kernel m odule is shown as " i82365." The new kernel- based PCMCI A syst em uses t he yent a_socket driver inst ead of a chipset - specific driver. PCMCI A cont rollers im plem ent resource st eering t o m ap resources required by t he card ont o available syst em resources. A card m ay ask for an int errupt , but t he act ual assigned int errupt is irrelevant . I n operat ion, t he card sim ply asks t he PCMCI A cont roller t o raise an int errupt , and t he cont roller is responsible for looking up t he int errupt assigned t o t he socket and firing t he correct int errupt line. 5 . Part of t he configurat ion inform at ion obt ained from t he lookup in st ep 2 is t he nam e of t he device driver t hat should be loaded t o use t he newly insert ed card. Drivers for PCMCI A cards are im plem ent ed as kernel m odules. As part of t he insert ion process, t he driver is inform ed of

resources allocat ed in st ep 4. Wit h proper m odule dependencies, m odule st acking can be used t o load m ult iple m odules. 6 . Furt her user- space configurat ion is perform ed based on t he class of t he device. Net work cards, for exam ple, have furt her configurat ion done by t he / et c/ pcm cia/ net work script , which is configured by edit ing / et c/ pcm cia/ net work.opt s . Successful configurat ion in t his st ep generat es a second high beep, and failure is report ed wit h a low beep. Addit ional configurat ion m ay also be perform ed by t he Linux hot plug syst em .

Interface names in Linux When a driver creat es t he net work int erface, it is given a nam e consist ing of a prefix and a num ber. Many drivers will creat e addit ional net work int erface wit h a nam e of t he form et hX , where X is t he next num ber in sequence. Most lapt ops now have built - in Et hernet int erfaces t hat com e up on boot as et h0 , which m akes m any wireless int erfaces st art as et h1 . Older versions of t he WaveLAN driver creat ed int erfaces beginning wit h t he prefix wvlan , but current versions use et h . At heros- based cards com e up using t he prefix at h .

Hotplug system for automatic configuration To perform aut om at ic configurat ion, Linux depends on t he work of t he hot plug configurat ion proj ect , whose web sit e is found at ht t p: / / linux- hot plug.sourceforge.net / . When a device is insert ed, t he hot plug syst em will call any needed PCI configurat ion com m ands before configuring t he int erface. Hot plug script s can help t o aut om at ically configure syst em s wit h large num bers of net work int erfaces, or perform arbit rary configurat ion t asks. Many wireless devices im plem ent ing new st andards are under cont inued developm ent aft er t he product is released. New firm ware updat es t o cards can m ake new prot ocol feat ures possible, or fix bugs in t he released version. Hot plug can also be configured t o aut om at ically updat e firm ware when part icular cards are plugged in.

Card Information Structure When using dynam ic WEP on Linux, t he 802.1X supplicant derives WEP keys from t he aut hent icat ion exchange, and t hen loads t hem int o t he driver. Up unt il 1999, m any cards did not support t he dynam ic provisioning of keys, and needed t o reset t he m icrocont roller in t he card t o m ake t he new key t ake effect . Drivers were writ t en wit h t his assum pt ion, and t he code t hat updat ed keys would reset t he hardware. To enable aut om at ic configurat ion, every PC Card has a blob of dat a t hat enables t he card t o describe it self t o t he host syst em . The blob is called t he card inform at ion st ruct ure ( CI S) and t akes a relat ively st raight forward link- list form at . The building blocks of t he CI S are called t uples because t hey have t hree com ponent s: a t ype code t o ident ify t he t ype of t uple, a lengt h field, and a series of dat a byt es. Tuple form at s range from t rivial t o highly com plex, which is why t his book does not at t em pt t o classify t hem any furt her. Brave, st out - heart ed readers can order t he specificat ion from t he PCMCI A and use t he dum p_cis t ool on Linux t o read t he CI S of insert ed cards. The CI S assist s t he host in aut om at ic configurat ion by report ing inform at ion about it self t o t he host operat ing syst em . For exam ple, net work int erface cards ident ify t hem selves as such, and t he CI S enables t he Card Services soft ware t o allocat e t he appropriat e resources such as I / O port s and int errupt request ( I RQ) lines. On Linux, t he syst em adm inist rat or uses configurat ion files t o m at ch t he CI S dat a t o t he driver.

PCMCIA Card Services Installation As of kernel 2.4, PCMCI A support has been int egrat ed int o t he kernel, and was probably inst alled wit h your dist ribut ion. I t is not necessary t o upgrade t he kernel PCMCI A support . I t m ay be necessary t o fet ch drivers for your int erface, but it is alm ost cert ain t hat t he PCMCI A support is upt o- dat e enough t o handle any wireless int erface you t hrow at it . ( Older dist ribut ions can updat e PCMCI A soft ware t hrough a dist ribut ion m aint ainer's package, or by building from t he source at ht t p: / / pcm cia- cs.sourceforge.net / . ) Most configurat ion inform at ion is aut om at ically det ect ed from t he environm ent wit hout difficult y. Depending on t he dist ribut ion and it s inst allat ion, it m ay be necessary t o inform t he PCMCI A soft ware which cont roller is running t he PCMCI A slot s by set t ing t he PCI C variable in t he syst em configurat ion file. Kernel PCMCI A soft ware set s t he value t o yent a_socket . Syst em s t hat use t he st andalone PCMCI A support will set t he variable t o eit her t cic for Dat abook TCI C- 2 chipset s, or i82365 for t he I nt el i82365SL chipset . Slackware feat ures a " probe" opt ion t o load m odules unt il one successfully loads.

Monitoring the Cards The m ain t ool used t o cont rol t he PCMCI A subsyst em is t he cardct l com m and. I t has several subcom m ands t hat can be used t o view inform at ion or configurat ion st at us. Each argum ent can also t ake a slot num ber. Many lapt op com put ers have t wo PCMCI A slot s, in which case t he slot s are num bered 0 and 1. An increasing num ber of not ebooks designed for port abilit y have only a single slot , and t herefore only have slot 0. I n addit ion t o t he hardware- based ej ect syst em , cardct l can be used t o rem ove drivers by sending t he " card is rem oved" not ificat ion. Once t he soft ware has rem oved all t he associat ed drivers and powered t he slot down, t he card can be rest art ed by sending a soft ware not ificat ion of t he card insert ion. Having soft ware cont rol over t he card allows t he " reboot " of a card wit hout having t o physically rem ove and reinsert it .

[root@bloodhound]# cardctl eject 0 [root@bloodhound]# cardctl insert 0

Drivers are select ed based on t he CI S dat a. To see t he cont ent s of t he card's CI S, insert it and wait for it t o power up, t hen use t he info or ident subcom m ands t o cardct l t o see t he ident ificat ion inform at ion. Here is t he inform at ion from a Proxim 8480 Gold card. Like nearly all cards wit h 802.11a capabilit ies, it is based on t he At heros chipset . The card even report s it self as an At heros reference design:

root@bloodhound:~# cardctl info 0 PRODID_1="Atheros Communications, Inc." PRODID_2="AR5001-0000-0000" PRODID_3="Wireless LAN Reference Card" PRODID_4="00" MANFID=0271,0012 FUNCID=6 root@bloodhound:~# cardctl ident 0 product info: "Atheros Communications, Inc.", "AR5001-0000-0000", "Wireless LAN Referenc manfid: 0x0271, 0x0012 function: 6 (network)

I n addit ion t o ext ract ing t he CI S ident ificat ion wit h cardct l , t he com plet e st ruct ure can be print ed out wit h cis_dum p . I n addit ion t o ident ificat ion inform at ion, t he CI S includes inform at ion about t he support ed speeds. I n t he case of t he Proxim 8480, it report s exclusively on t he 802.11a speeds, even t hough it is capable of 802.11b- com pat ible operat ion:

root@bloodhound:~# dump_cis Socket 0: manfid 0x0271, 0x0012 config_cb base 0x0000 last_index 0x01 cftable_entry_cb 0x01 [default] [master] [parity] [serr] [fast back] Vcc Vnom 3300mV Istatic 25mA Iavg 450mA Ipeak 500mA irq mask 0xffff [level] mem_base 1 BAR 1 size 64kb [mem] vers_1 7.1, "Atheros Communications, Inc.", "AR5001-0000-0000", "Wireless LAN Reference Card", "00" funcid network_adapter [post] lan_speed 6 mb/sec lan_speed 9 mb/sec lan_speed 12 mb/sec lan_speed 18 mb/sec lan_speed 24 mb/sec lan_speed 36 mb/sec lan_speed 48 mb/sec lan_speed 54 mb/sec lan_speed 72 mb/sec lan_media 5.4_GHz lan_node_id 20 00 4d a6 d4 0a lan_connector Closed connector standard Socket 1: no CIS present

Once t he card has been insert ed int o t he syst em , use t he st at us subcom m and t o check on it . The config subcom m and will also report t he syst em int errupt assigned by t he syst em . I n m y case, t he lapt op uses a PCI - t o- Cardbus bridge, so t he card inherit s t he I RQ assigned t o t he PCI bus.

root@bloodhound:~# cardctl status 0 3.3V CardBus card function 0: [ready] root@bloodhound:~# cardctl config 0 Vcc 3.3V Vpp1 3.3V Vpp2 3.3V interface type is "cardbus" irq 11 [exclusive] [level] function 0:

The lights are not useful Many drivers are int ended t o work wit h several different pieces of hardware, and each m anufact urer m ay cust om ize t he num ber and purpose of t he light s on t he card. Usually, t here is one light t o indicat e t hat t he card is powered up, and a second light t hat will blink t o indicat e t raffic from t he card. I t m ay or m ay not blink in response t o t raffic from ot her st at ions. A few cards m ay have a t hird light t o indicat e associat ion st at us. Linux drivers generally do not m ake an at t em pt t o cont rol t he light s on each card in a vendor- specific way, and int ernal cards m ay not have any light s at all. I f your card behaves different ly, don't panic. Check at t he access point for an associat ion; if an associat ion exist s, t hen t he card is funct ioning norm ally but uses t he light s in a different m anner.

Troubleshooting Resource Conflicts One of t he revolut ionary developm ent s hyped by PCMCI A card vendors was t hat users were no longer direct ly responsible for m aint aining low- level hardware configurat ions on I BM- com pat ible hardware. I n m any respect s, t his hype was overblown because users are st ill responsible for m aint aining t he resource pools used by PCMCI A Card Services t o draw from for aut om at ic configurat ion, and t herefore t hey m ust st ill be fam iliar wit h t he hardware configurat ion. Three m aj or resources are m anaged by Card Services for users: I RQ lines, I / O port s, and direct m em ory access ( DMA) channels. DMA channels are not required by net work cards, however, and are not discussed in t his sect ion.

IRQs I RQs are used by devices t hat m ust use t he CPU periodically. I nt erfaces use I RQs so t hat when a buffer fills, t he syst em CPU can be not ified and drain t he buffer. One lim it at ion of t he PC archit ect ure is t hat it has only 15 available I RQs, and m any are occupied by st andard hardware. Table 19- 1 shows com m on I RQ usage, which m ay help you det erm ine which I RQs are available for PCMCI A cards. Disabling any ext ra com ponent s frees t he I RQ. Table 19- 1 also shows com m on I RQ set t ings on PC hardware. As a rule of t hum b, I RQs 3, 5, and 10 are readily available on m ost m achines. 0 Syst em t im er Fires 18 t im es per second t o m aint ain coarse clocking. 1 Keyboard Allows operat ing syst em t o m onit or keyboard st rokes by user. 2 Cascade Two int errupt cont roller chips are used; t he second cont rols I RQs 8- 15 and is wired int o I RQ 2 on t he prim ary. 3 Second serial port

The second and fourt h serial port s ( COM2 and COM4 under Windows) bot h use I RQ 3. I f only one serial port is present , I RQ 3 m ay be used by expansion devices. 4 First / t hird serial port The first and t hird serial port s ( COM1 and COM3 under Windows) bot h use I RQ 4. Generally, it is not a good idea t o use I RQ 4 for expansion devices because loss of t he serial port also m eans t hat t erm inal- em ulat ion soft ware cannot be used. 5 Second parallel port Most syst em s have only one parallel port , but I RQ 5 is also com m only used for sound cards. 6 Floppy cont roller All syst em s have floppy disks, which can be especially im port ant on port able com put ers. 7 First parallel port The first parallel port can frequent ly be disabled on lapt ops wit hout an issue, unless t he parallel port is used ext ensively for print ing. 8 RTC The Real- Tim e Clock m aint ains finer- grained t im ers 9 Video ( older syst em s) Older syst em s required an I RQ for t he video cont roller, and it was t ypically assigned t o I RQ 9. Most video cont rollers are now on t he PCI bus and do not require a dedicat ed I RQ. 10

Usually available for expansion devices. 11 Usually PCI bus or SCSI cont roller Generally not available for expansion devices. 12 Usually PS/ 2 m ouse port

Generally not available. 13 FPU The float ing- point unit I RQ is used by t he m at h coprocessor, even on syst em s wit h a CPU wit h an int egrat ed m at h coprocessor such as t he Pent ium series. 14 Prim ary I DE The first I DE channel is used by t he m ain syst em hard disk, and t hus I RQ 14 is alm ost never available on a port able syst em . 15 Secondary I DE Port able syst em s t ypically place t he CD- ROM on I RQ 15, m aking t his I RQ unavailable for use.

Ta ble 1 9 - 1 . Com m on I RQ se t t in gs I RQ n u m be r

Com m on u sa ge

Pu r pose

I/O ports I / O addresses are used for bidirect ional com m unicat ion bet ween t he syst em and a peripheral device. They t end t o be som ewhat poorly organized, and m any devices have overlapping default s. Each I / O port can be used t o t ransfer a byt e bet ween t he peripheral device and t he CPU. Most devices require t he abilit y t o t ransfer m ult iple byt es at a t im e, so a block of port s is assigned t o t he device. The lowest port num ber is also called t he base I / O address. A second param et er describes t he size of t he I / O window. Table 19- 2 list s som e of t he com m on port assignm ent s. Refer t o your hardware vendor's docum ent at ion for det ails on addit ional devices such as I R port s, USB cont rollers, t he PCMCI A cont roller, and any resources t hat m ay be required by m ot herboard com ponent s. Com m unicat ion port s

First parallel port 0x3bc- 0x3bf ( 4) First serial port 0x3f8- 0x3ff ( 8) Second serial port 0x2f8- 0x2ff ( 8) D isk dr ive s

Prim ary I DE m ast er: 0x1f00x1f7 ( 8) slave: 0x3f60x3f7 ( 2) Secondary I DE m ast er: 0x1700x177 ( 8) slave: 0x376 ( 1) Floppy cont roller 0x3f00x3f5 ( 6) I n pu t de vice s

Keyboard 0x060 ( 1) 0x064 ( 1) M u lt im e dia / ga m in g

Sound card 0x2200x22f ( 16) FM Synt h: 0x3880x38b ( 4) MI DI : 0x3300x331 ( 2) Joyst ick/ Gam e port 0x2000x207 ( 8) Syst e m de vice s

I nt errupt cont rollers 0x0200x021 ( 2) 0x0a00x0a1 ( 2) DMA cont rollers DMA channels 0- 3: 0x0000x00f ( 16)

Page regist ers: 0x0800x08f ( 16) DMA channels 4- 7: 0x0c00x0df CMOS/ real t im e clock 0x0700x073 ( 4) Speaker 0x061 Mat h coprocessor 0x0f00x0ff ( 16)

Ta ble 1 9 - 2 . Com m on I / O por t s D e vice n a m e

I / O r a n ge ( size )

Linux Wireless Extensions and Tools 802.11 int erfaces act like Et hernet int erfaces once t hey are act ive, but t hey have m any m ore configurat ion opt ions t han Et hernet int erfaces because of t he underlying radio t echnology. Rat her t han have each driver responsible for im plem ent ing it s own configurat ion ut ilit y and report ing m echanism s, t he Wireless Ext ension API was developed t o allow all drivers t o im plem ent com m on funct ionalit y and use com m on configurat ion com m ands. Wireless ext ensions are also a great help t o applicat ion developers needing t o get det ails from t he int erface because t hey can do it in a deviceindependent way. For exam ple, xsupplicant m akes use of wireless ext ensions t o set WEP keys on an int erface wit hout having t o underst and each driver's operat ions for set t ing keys. ( At press t im e, syst em calls for WPA keying were not yet part of t he official wireless ext ensions release.)

Compiling and Installing Wireless LAN ext ensions are enabled wit h t he CONFI G_NET_RADI O kernel configurat ion opt ion. CONFI G_NET_RADI O- enabled kernels collect wireless st at ist ics and expose addit ional dat a st ruct ures used by m ost drivers. Most dist ribut ions t hat include kernels wit h wireless ext ensions also include t he wireless t ools. I f m ore recent versions are required, you m ay download t hem from ht t p: / / www.hpl.hp.com / personal/ Jean_Tourrilhes/ Linux, alt hough it is probably easier t o wait for your dist ribut ion's kernel source t o int egrat e t he lat est version and rebuild t he kernel.

Interface Configuration with Wireless Tools and iwconfig The m ain com m and- line t ool for m anaging a wireless- ext ension- enabled driver is iwconfig, which is designed t o be a " wireless ifconfig." I t can be used t o set t he radio int erface param et ers before using ifconfig t o set t radit ional net work param et ers. When run wit h no param et ers, iwconfig displays a list of syst em int erfaces. I nt erfaces t hat are not wireless will report t hat t hey have no wireless- specific dat a, while int erfaces t hat do report wireless dat a will dum p out t he dat a t hat t hey have. Not all drivers im plem ent all feat ures. When iwconfig is run on a syst em wit h an old Orinoco card and an At heros CardBus card, for exam ple, t he out put will probably resem ble t his:

[root@bloodhound]# iwconfig lo no wireless extensions. eth0

no wireless extensions.

eth1

IEEE 802.11-DS ESSID:"11b-is-slow" Nickname:"HERMES I" Mode:Managed Frequency:2.457GHz Access Point:00:E0:03:04:18:1C Bit Rate:2Mb/s Tx-Power=15 dBm Sensitivity:1/3 RTS thr:off Fragment thr:off Encryption key:off Power Management:off Link Quality:46/92 Signal level:-51 dBm Noise level:-94 dBm Rx invalid nwid:0 invalid crypt:0 invalid misc:0

ath0

IEEE 802.11 ESSID:"11a-is-very-fast" Mode:Managed Frequency:5.28GHz Access Point: 00:0B:0E:00:F0:43 Bit Rate:36Mb/s Tx-Power:off Sensitivity=0/3 Retry:off RTS thr:off Fragment thr:off Encryption key:E452-94AC-09DB-2200-1256-6D7D-74 Security mode:open Power Management:off Link Quality:31/94 Signal level:-64 dBm Noise level:-95 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Bot h cards report t he frequency of operat ion and som e st at ist ics about t he qualit y of recept ion. The " nicknam e" report ed by t he Orinoco card is not report ed by t he At heros card because it is a feat ure t hat is not im plem ent ed by t he At heros driver. ( By default , t he nicknam e is set t o " HERMES I " aft er t he nam e of t he Lucent chipset used in t he Orinoco card.) Wireless Ext ensions report s inform at ion on t he link qualit y in t wo ways. I t report s a noise floor and signal level, and bot h are print ed out by t he driver. The signal t o noise rat io is t he difference bet ween t hem . I n t he previous exam ple, t he SNR on et h1 was 43 dB, and t he SNR on at h 0 is 31 dB. The Link Qualit y st at ist ic print ed out by t he driver report s t he RSSI and t he noise floor. I n t he previous exam ple, t he card is report ing an RSSI of 31 dB over a noise floor of - 94 dBm .

Finding networks Som e drivers support t he use of wireless ext ensions t o build a list of net works in t he area. Rat her t han configurat ion, use t he iwlist com m and t o get inform at ion from t he card. As argum ent s, it t akes t he int erface and a subcom m and. scan will print out t he list of inform at ion discovered in t he area. Root privileges are required t o ret rieve scan dat a.

root@bloodhound:~# iwlist eth1 scan eth1 Scan completed : Cell 01 - Address: 00:07:50:D5:CE:88 ESSID:"LuminiferousEther" Mode:Master Frequency:2.417GHz Quality:0/10 Signal level:-70 dBm Encryption key:on Bit Rate:1Mb/s Bit Rate:2Mb/s Bit Rate:5.5Mb/s Bit Rate:11Mb/s Cell 02 - Address: 00:09:5B:72:12:58 ESSID:"Mom's House" Mode:Master Frequency:2.467GHz Quality:0/10 Signal level:-22 dBm Encryption key:on Bit Rate:1Mb/s Bit Rate:2Mb/s Bit Rate:5.5Mb/s Bit Rate:11Mb/s Cell 03 - Address: 00:0D:72:9B:FE:69

Noise level:-256 dBm

Noise level:-256 dBm

ESSID:"2WIRE086" Mode:Master Frequency:2.442GHz Quality:0/10 Signal level:-28 dBm Encryption key:on Bit Rate:1Mb/s Bit Rate:2Mb/s Bit Rate:5.5Mb/s Bit Rate:11Mb/s Bit Rate:22Mb/s Bit Rate:6Mb/s Bit Rate:9Mb/s Bit Rate:12Mb/s

Noise level:-256 dBm

Setting the network name To connect t o a net work, t he first t ask is t o select t he net work t hat will be j oined. That is done by configuring t he SSI D wit h t he essid [ * ] param et er. I f t he net work nam e includes a space, it m ust be enclosed in quot at ion m arks. The net work int erface probably will not becom e act ive and st art searching for t he net work unt il you use ifconfig t o act ivat e it . Progress of t he scan can be checked by repeat edly running iwconfig and looking at t he frequency. For exam ple, t he scan searching out an AP on channel 56 m ight look som et hing like t his: [*]

I use the term SSID in this book to refer to a network name. Some drivers, including the WaveLAN drivers, use ESSID instead. The distinction is that an ESSID is a network name assigned to an extended service set, not any old service set.

[root@bloodhound]# iwconfig ath0 [root@bloodhound]# ifconfig ath0 [root@bloodhound]# iwconfig ath0 . . . Mode:Managed Frequency:2.412GHz . . . [root@bloodhound]# iwconfig ath0 . . . Mode:Managed Frequency:2.447Hz . . . [root@bloodhound]# iwconfig ath0 . . . Mode:Managed Frequency:5.17GHz . . . [root@bloodhound]# iwconfig ath0 . . . Mode:Managed Frequency:5.28GHz . . .

essid "Space Cadet" up

Access Point: 00:00:00:00:00:00

Access Point: 00:00:00:00:00:00

Access Point: 00:00:00:00:00:00

Access Point: 00:0B:0E:00:F0:43

When t he card discovers t he net work, it will associat e wit h t he AP and report t he AP's MAC address in t he iwconfig out put . Associat ing wit h t he net work is m erely t he first st ep. Ot her configurat ion m ay be necessary before t he logical net work connect ion. Som e drivers have problem s if t he channel is aut om at ically configured. I f t he channel is hard set , t he driver m ay not search. To get a driver st uck on a channel t o search, disable t he card wit h cardct l

ej ect , reset t he SSI D, and t hen reenable t he int erface wit h ifconfig.

Setting the network channel Different cards support different operat ing frequencies. On a m odern At heros- based card, t he ent ire I SM band is support ed up t o channel 14, and all t hree of t he 5 GHz bands are support ed as well. Wit h drivers t hat support t he operat ion, it is possible t o get a list of support ed channels by using t he iwlist com m and:

root@bloodhound:~# iwlist ath0 channel ath0 255 channels in total; available frequencies : Channel 01 : 2.412 GHz Channel 02 : 2.417 GHz Channel 03 : 2.422 GHz Channel 04 : 2.427 GHz Channel 05 : 2.432 GHz Channel 06 : 2.437 GHz Channel 07 : 2.442 GHz Channel 08 : 2.447 GHz Channel 09 : 2.452 GHz Channel 10 : 2.457 GHz Channel 11 : 2.462 GHz Channel 12 : 2.467 GHz Channel 13 : 2.472 GHz Channel 14 : 2.484 GHz Channel 34 : 5.17 GHz Channel 36 : 5.18 GHz Channel 38 : 5.19 GHz Channel 40 : 5.2 GHz Channel 42 : 5.21 GHz Channel 44 : 5.22 GHz Channel 46 : 5.23 GHz Channel 48 : 5.24 GHz Channel 50 : 5.25 GHz Channel 52 : 5.26 GHz Channel 56 : 5.28 GHz Channel 58 : 5.29 GHz Channel 60 : 5.3 GHz Channel 64 : 5.32 GHz Channel 100 : 5.5 GHz Channel 104 : 5.52 GHz Channel 108 : 5.54 GHz Channel 112 : 5.56 GHz Current Frequency:5.28GHz (channel 56)

The operat ing frequency can be select ed in t hree ways. Most cards will hunt for an SSI D if it is given t o t hem as described previously. For cards t hat do not support scanning, t he freq param et er can t ake an operat ing frequency direct ly, or t he channel param et er can be used wit h t he appropriat e channel num ber, and t he driver will derive t he frequency from t he channel num ber. The following t wo com m ands are equivalent :

[root@bloodhound]# iwconfig ath0 freq 2.432G [root@bloodhound]# iwconfig ath0 channel 4

Setting the network mode and associating with an access point Most 802.11 st at ions are in eit her ad hoc net works or infrast ruct ure net works. The iwconfig nom enclat ure for t hese t wo m odes is Ad- hoc and Managed. Select bet ween t hem by using t he m ode param et er:

[root@bloodhound]# iwconfig ath0 mode Ad-hoc [root@bloodhound]# iwconfig ath0 mode Managed

For st at ions in an infrast ruct ure net work, t he ap param et er m ay be used t o request an associat ion wit h t he specified MAC address. However, t he st at ion is not required t o rem ain associat ed wit h t he specified access point and m ay choose t o roam t o a different access point if t he signal st rengt h drops t oo m uch:

[root@bloodhound]# iwconfig ath0 ap 01:02:03:04:05:06

Setting the data rate Most cards support m ult iple bit rat es. iwconfig allows t he adm inist rat or t o choose bet ween t hem by using t he rat e param et er. Bit rat es can be specified aft er t he rat e param et er, or t he keyword aut o can be used t o specify t hat t he card should fall back t o lower bit rat es on poor- qualit y channels. I f aut o is com bined wit h a bit rat e, t he driver m ay use any rat e lower t han t he specified rat e:

[root@bloodhound]# iwconfig ath0 rate auto

Configuring static WEP keys The key param et er cont rols t he WEP funct ion of t he driver. Keys can be ent ered as hexadecim al st rings using t he key subcom m and. Ent er t he st ring wit hout any delim it ers, four digit s at a t im e wit h dashes bet ween t he t wo- byt e groups, or in t he colon- separat ed byt e form . The following com m ands are equivalent :

[root@bloodhound]# iwconfig ath0 key 0123456789 [root@bloodhound]# iwconfig ath0 key 0123-4567-89 [root@bloodhound]# iwconfig ath0 key 01:23:45:67:89

Many drivers support t he use of 104- bit WEP keys as well. 104 bit s is 13 byt es, or 26 hexadecim al

charact ers:

[root@bloodhound]# iwconfig ath0 key 12345678901234567890123456 [root@bloodhound]# iwconfig ath0 key 1234-5678-9012-3456-7890-1234-56 [root@bloodhound]# iwconfig ath0 key 12:34:56:78:90:12:34:56:78:90:12:34:56

Alt hough m ult iple keys can be ent ered using a bracket ed index num ber, t his capabilit y is not used on m any net works. Dynam ic WEP key assignm ent t hrough 802.1X is a m uch easier way t o ensure t he use of m ult iple keys, and is m uch m ore secure.

[root@bloodhound]# iwconfig ath0 key 0123-4567-89 [root@bloodhound]# iwconfig ath0 key 9876-5432-01 [2] [root@bloodhound]# iwconfig ath0 key 5432-1678-90 [3]

Once m ult iple keys have been ent ered, select one by ent ering t he index num ber wit hout a key value:

[root@bloodhound]# iwconfig ath0 key [2]

Act ivat e WEP processing using key on and disable WEP using key off. These can be com bined wit h an index num ber t o select a new WEP key:

[root@bloodhound]# iwconfig ath0 key [3] on [root@bloodhound]# iwconfig ath0 key off

Finally, t wo t ypes of WEP processing can be done. An open syst em accept s dat a fram es sent in t he clear, and a rest rict ed syst em discards cleart ext dat a fram es. Bot h of t hese param et ers can be com bined wit h an index num ber:

[root@bloodhound]# iwconfig ath0 key [4] open [root@bloodhound]# iwconfig ath0 key [3] restricted

The key param et er m ay also be accessed wit h t he encrypt ion param et er, which m ay be abbreviat ed t o as few charact ers as enc. I prefer t o use key because it seem s clearer t o m e, but you m ay choose whichever you like.

Tuning 802.11 parameters iwconfig allows you t o t une t he RTS and fragm ent at ion t hresholds. The RTS t hreshold of m ost drivers is 2,347, which effect ively disables RTS clearing. I n an environm ent likely t o have hidden nodes, it can be set using t he rt s_t hreshold param et er wit h iwconfig. rt s_t hreshold can be abbreviat ed as r t s.

[root@bloodhound]# iwconfig wvlan0 rts 500

The default value of t he fragm ent at ion t hreshold is 2,346. I n noisy environm ent s, it m ay be wort h lowering t he fragm ent at ion t hreshold t o reduce t he am ount of dat a, which m ust be ret ransm it t ed when fram es are lost t o corrupt ion on t he wireless m edium . Set t he param et er by using t he fragm ent at ion_t hreshold argum ent t o iwconfig. I t m ay be set anywhere from 256 t o 2,356, but it m ay t ake on only even values. fragm ent at ion_t hreshold m ay be abbreviat ed as frag.

[root@bloodhound]# iwconfig ath0 frag 500

802.11 st at ions m aint ain several ret ry count ers. When fram es are ret ransm it t ed " t oo m any" t im es or wait for t ransm ission for " t oo long," t hey are discarded. Two ret ry count ers are m aint ained. The long ret ry count er, set by t he ret ry param et er, is t he num ber of t im es t ransm ission is at t em pt ed for a fram e longer t han t he RTS t hreshold. The short ret ry count er, set by t he ret ry m in param et er, is t he num ber of t im es t ransm ission will be at t em pt ed for a fram e short er t han t he RTS t hreshold. Unlike m any drivers, iwconfig also allows for configurat ion of t he m axim um fram e lifet im e wit h t he ret ry lifet im e param et er. To specify a value in m illiseconds or m icroseconds, append " m " or " u" t o t he value:

[root@bloodhound]# iwconfig ath0 retry 4 [root@bloodhound]# iwconfig ath0 retry min 7 [root@bloodhound]# iwconfig ath0 retry lifetime 400m

Agere (Lucent) Orinoco Wireless net working is far older t han t he 802.11 st andard. Several propriet ary approaches had been released and were gaining a foot hold in t he m arket in t he early 1990s. One of t he first not able product s was t he NCR WaveLAN, released when NCR was a division at AT&T. [ * ] When Lucent was spun off from AT&T in 1996, t he WaveLAN division, like m ost com m unicat ions product m anufact uring at AT&T, was m ade a part of Lucent . [*]

NCR, which was founded in 1884 as the National Cash Register Company, was acquired by AT&T in 1991. I can only assume that a cash register company was interested in wireless networking because it would enable cash registers to be placed anywhere without wiring.

Early WaveLAN hardware was a com plet ely propriet ary syst em . Aft er 802.11 was finally st andardized in 1997, new hardware t hat com plied wit h t he st andard was sold under t he WaveLAN brand. To dist inguish t he st andards- com pliant cards from t he propriet ary cards, t he form er were called " WaveLAN I EEE" cards, while t he lat t er were sim ply " WaveLAN" cards. As t he m arket for 802.11 hardware cont inued t o develop, Lucent decided t o renam e t he WaveLAN division under anot her brand nam e. The new nam e, Orinoco, com es from t he t hird largest river syst em in t he world. During t he rainy season in Sout h Am erica, t he Orinoco swells wit h fresh rainfall flowing in from over 200 t ribut aries. At it s peak, t he river grows t o over 10 m iles wide and m ore t han 300 feet deep. Nearly 1,000 m iles of t he Orinoco's 1,300 m iles are navigable; it is no wonder t hat t he river's nam e is derived from t he nat ive words for " a place t o paddle." Lucent 's init ial st rat egy for support on open source plat form s was t o offer a choice of drivers. A closed- source propriet ary binary driver, wavelan2_cs , provided full funct ionalit y, and a second, less funct ional open source driver, wvlan_cs , was m ade available under t he GPL. wvlan_cs was based on a low- library provided wit h t he closed source driver, and it was an evolut ionary dead- end. Rat her t han cont inue along t hat pat h, wvlan_cs was rewrit t en wit h new low- level operat ions and becam e orinoco_cs in Linux kernel version 2.4. ( orinoco_cs was originally known as dldw d_cs , which st ood for David's Less Dodgy WaveLAN Driver! ) I n addit ion t o t he WaveLAN cards and any OEM versions of WaveLAN cards, orinoco_cs cont ains basic support for som e PRI SM- 2- based cards and Sym bol cards t hat use t he sam e MAC chipset . orinoco_cs has been part of t he Linux kernel dist ribut ion since kernel Version 2.4.3.

Compiling and Installing All dist ribut ions based on t he 2.4 and lat er kernels include orinoco_cs . I n m any cases, it will be possible t o use t he driver t hat shipped wit h your kernel. The m aj or except ion is if you plan t o run xsupplicant and need t o apply t he key m anagem ent pat ch, which will be discussed lat er.

PCMCIA configuration Older dist ribut ions m ay ship wit h t he wvlan_cs driver st ill enabled. To change t he driver used by t he dist ribut ion, it is sufficient t o change t he m odule binding t he PCMCI A configurat ion. The aut hor of orinoco_cs supplies a file, herm es.conf , which cont ains card definit ions for t he cards support ed by orinoco_cs . Because herm es.conf ends in .conf , it is sourced by t he line at t he end of / et c/ pcm cia/ config t hat reads all .conf files. However, t o avoid binding conflict s, you m ust com m ent

out all t he lines t hat bind t he older wvlan_cs driver t o newly insert ed cards. Alt ernat ively, it is sufficient t o edit t he definit ion of your wireless card t o bind t he orinoco_cs driver aft er grabbing ident ificat ion inform at ion from t he out put of dum p_cis :

# in hermes.conf # card "Lucent Technologies Wavelan/IEEE" version "Lucent Technologies", "WaveLAN/IEEE" bind "orinoco_cs" # from standard /etc/pcmcia/config # # card "Lucent Technologies WaveLAN/IEEE" # version "Lucent Technologies", "WaveLAN/IEEE" # bind "wvlan_cs"

Doing it yourself This is part of t he kernel, so you generally don't need t o inst all it unless you're looking for a part icular bug fix or feat ure enhancem ent . The m ost com m on reason t o recom pile t he driver is a requirem ent t o support dynam ic WEP wit h 802.1X aut hent icat ion. xsupplicant dist ribut es a pat ch t o be applied for rekeying. Firm ware updat es m ay also be necessary t o support dynam ic keys. I have used firm ware version 8.42. Lat er versions alm ost cert ainly work, but earlier versions m ay not . Requirem ent s are st raight forward. The code it self is fet ched from t he dist ribut ion sit e at ht t p: / / ozlabs.org/ people/ dgibson/ dldwd/ . Make sure t hat you have a copy of pat ch t o apply t he pat ches of int erest ( t he rekey pat ch is not required in version 0.15rc2) :

gast@bloodhound:~$ cd orinoco-0.13e gast@bloodhound:~/orinoco-0.13e$ patch -p1 < ../rekey_patch_orinoco-0.13e patching file orinoco.c patching file orinoco.h msg@bloodhound:~/orinoco-0.13e$ make (build messages snipped) root@bloodhound:/home/msg/orinoco-0.13e# make install if [ -d /etc/pcmcia ]; then install -m 644 -o 0 -g 0 hermes.conf /etc/pcmcia/hermes.conf; mkdir -p /lib/modules/2.4.26/kernel/drivers/net/wireless for f in hermes.o orinoco.o orinoco_cs.o orinoco_plx.o orinoco_tmd.o orinoco_pci.o; do \ if test -e /lib/modules/2.4.26/pcmcia/$f; then \ install -m 644 -o 0 -g 0 $f /lib/modules/2.4.26/pcmcia/$f; \ else \ install -m 644 -o 0 -g 0 $f /lib/modules/2.4.26/kernel/drivers/net/wireless/$f; \ fi; \ done depmod -a

At t he end of t he build process, t he syst em has several kernel m odules: or inoco_cs.o , t he PCMCI A int erface; or inoco.o , t he hardware driver; and her m es.o , t he driver for t he MAC chip.

Configuring the orinoco_cs Interface Configurat ion of orinoco_cs is ident ical t o t he configurat ion of wvlan_cs . When t he card is insert ed, t he / et c/ pcm cia/ w ireless script is run, using t he configurat ion opt ions in / et c/ pcm cia/ wireless.opt s . The wireless script is a front end t o t he iwconfig program . Edit ing fields in wireless.opt s set s t he argum ent s t o iwconfig . For det ails on configuring t he opt ions t o iwconfig , see t he previous sect ion on t he wvlan_cs driver.

Resetting on WEP Key Installation Not all card m anufact urers have com m it t ed t o support ing Linux. Revealing int ellect ual propert y by giving away driver source code is usually t he m aj or concern. Finding t he engineering t im e t o writ e, m aint ain, and support drivers given t o t he user com m unit y is anot her. When using dynam ic WEP on Linux, t he 802.1X supplicant derives WEP keys from t he aut hent icat ion exchange, and t hen loads t hem int o t he driver. Up unt il 1999, m any cards did not support t he dynam ic provisioning of keys, and needed t o reset t he m icrocont roller in t he card t o m ake t he new key t ake effect . Drivers were writ t en wit h t his assum pt ion, and t he code t hat updat ed keys would reset t he hardware. Reset t ing t he hardware when a key is inst alled is undesirable behavior wit h dynam ic WEP. Once t he aut hent icat ion has com plet ed, a key m ust be inst alled. I f t he driver reset s aft er key inst allat ion, t he link will bounce. I n m any cases, t he AP will not e t he link bounce and require a new aut hent icat ion. Once t he supplicant det ect s t he link st at e change, it will run t he aut hent icat ion again t o derive a new key. Aft er t he new aut hent icat ion com plet es, t he supplicant reset s t he card t o inst all t he new key, st art ing t he cycle over yet again. Most int erface cards have firm ware upgrades available which elim inat e t he need t o reset t he hardware aft er key inst allat ion. Once t he right version of firm ware is in place, t he driver needs t o be updat ed t o a dynam ic WEP- capable version t hat does not send reset com m ands. I f dynam ic WEP is not working because t he card reset s aft er t he aut hent icat ion succeeds, check eit her t he source code or t he online forum s for t he driver for your card t o see if an updat e or pat ch is r equir ed.

Atheros-Based cards and MADwifi 802.11a is t he choice for high- speed, high- densit y 802.11 net works, and m ost 802.11a devices on t he m arket use At heros chipset s. [ * ] The driver proj ect is called t he " Mult iband At heros Driver for WiFi," or MADwifi ; t he proj ect 's hom e page is ht t p: / / sourceforge.net / proj ect s/ m adwifi/ . [*]

It is likely that any card with 802.11a support is based on an Atheros chipset. Rather than include a list that will quickly become outdated, I suggest you refer to the searchable list at http://customerproducts.atheros.com/customerproducts/ .

Alt hough best known for 802.11a support , t here are several At heros chips available. There are t hree generat ions of chipset . The init ial chipset , t he 5210, only support ed 802.11a. I t was followed by t he first dual- band chipset , t he 5211, which added 802.11b support . Most devices now on t he m arket use t he 5212, which is a dual- band/ t ri- m ode chipset t hat can support 802.11a, 802.11b, and 802.11g. I n addit ion t o t he different radio support , lat er generat ions are capable of perform ing m uch m ore com plex securit y operat ions. All chipset s are support ed by MADwifi.

Driver Architecture and the Hardware Access Layer (HAL) MADwifi is split int o t wo part s: an open source driver, and a closed- source library called t he Hardware Access Layer ( HAL) . At heros chipset s are ext rem ely flexible, and capable of t uning out side t he unlicensed bands because t hey use a lim it ed form of a soft ware- defined radio. At heros has int erpret ed FCC regulat ions as requiring t hat t he HAL be kept closed. ( Broadcom int erpret s t he rules in t he sam e way, and t hey have a sim ilar chipset on t he m arket .) FCC rules require t hat soft ware- defined radios m ust not be m odifiable by t he user t o operat e out side of t heir cert ified frequency bands. Devices t hat do not enforce t he t erm s of t heir cert ificat ion are pot ent ially subj ect t o sanct ions. I f devices sold for use in t he unlicensed spect rum were suddenly able t o disrupt licensed com m unicat ions, vendors of such devices m ight also be penalized. [ * ] [*]

Christian Sandvig, a professor at the University of Illinois at Urbana-Champaign, takes exception to the SDR interpretation of FCC rules in a paper titled "Hidden Interfaces to 'Ownerless' Networks" (http://www.spcomm.uiuc.edu/users/csandvig/research/Hidden_Interfaces.pdf ).

For com m ercial product s, ensuring t hat t he soft ware st ays in t he unlicensed spect rum is easyj ust avoid com piling and dist ribut ing code t hat breaks t he rules. Users cannot edit com piled code, so t hey are unable t o break t he rules. Open source soft ware changes t he gam e. Dist ribut ing code t hat follows t he rules does not prevent m odificat ion t hat break t he rules. At heros faced a choice: ship a driver wit h com plet ely open source code and risk losing regulat ory approval t o sell chips, or find som e way of prot ect ing t he radio spect rum . Obviously, a driver exist s because t hey t ook t he lat t er course. Rat her t han have t he open source driver int erface direct ly wit h t he radio chipset , it accesses t he radio t hrough t he HAL's API . The HAL is generic enough t hat it is used unchanged by m any ot her operat ing syst em s developing open source drivers; t here are zero dependencies on t he host syst em soft ware, t hough it does depend on t he host hardware's inst ruct ion set . The HAL is available for x86 archit ect ures ( bot h 32- and 64- bit ) , ARM, MI PS, PowerPC, and XScale. Alt hough closed- source code is oft en viewed wit h suspicion in t he open source com m unit y, I consider it a sign of corporat e com m it m ent t o t he Linux plat form t hat At heros was willing t o support t he developm ent of t he driver.

Requirements

MADwifi m akes ext ensive use of wireless ext ensions, and is consist ent ly developed against t he lat est version. Eit her use a recent dist ribut ion wit h current wireless ext ensions support , or upgrade t he kernel t o a recent dist ribut ion. Drivers oft en m ake use of ot her kernel funct ionalit y, and MADwifi is no different . Building MADwifi depends on having kernel headers and configurat ion files for t he running kernel. I f you have built a cust om kernel for your hardware, by definit ion you have kernel source and configurat ion. Not all dist ribut ions will inst all t he kernel source and configurat ion by default ; you m ay have t o find t he right package. UUCP t ools will also be necessary t o get t he HAL. To safely t ransfer t he binary HAL over arbit rary net work pat hs, it is uuencoded. MADwifi's m ake script calls uudecode. Depending on your dist ribut ion, uudecode m ay be part of t he shell archive ut ilit ies package (sharut ils ) , or it m ay be part of a UUCP t ools package.

Building the Driver MADwifi is st ill under act ive developm ent , and it changes regularly. Rat her t han having periodic packaged releases, it is const ant ly m aint ained in CVS. Fet ch t he lat est version from CVS:

root@bloodhound:~# cvs -z3 -d:pserver:[email protected]:/cvsroot/madwifi co ma

When t he com m and com plet es, t he source code and ( encoded HAL files) will be downloaded int o a direct ory m adwifi . To build t he driver, use t he st andard open source com m and set :

root@bloodhound:~# cd madwifi root@bloodhound:~/bloodhound# make (lots of build messages) root@bloodhound:~/bloodhound# make install

The m ain m odules are wlan.o , at h_pci.o , and at h_hal.o . Several ot her crypt ographic m odules are loaded on dem and t o support part icular encrypt ion schem es. I f t he MADwifi build syst em cannot det ect t he right place in t he filesyst em t o inst all t o, you m ay need t o m anually place t he required m odules in t he correct locat ion and run depm od - a t o updat e m odules.

Using the Driver Current versions of t he MADwifi driver publish a list of support ed cards t o t he kernel, which is revealed when m odule dependencies are built . The MADwifi driver support ed device list includes several devices wit h t he m anufact urer I D of 0x168c, which belongs t o At heros. Provided t hat m odule dependencies are built correct ly, t here is no need t o m odify t he PCMCI A configurat ion script s. Loading t he driver creat es an int erface prefaced wit h at h . Most likely, it will be at h 0 , since you will only have one At heros card running in your syst em . Older versions of MADwifi used t he prefix wlan . I f you see wlan0 , updat e t he driver. MADwifi is correct ly int egrat ed wit h t he Linux hot plug syst em . When t he m odule is insert ed, t he hot plug syst em will at t em pt t o regist er t he int erface. I t is alm ost cert ain t hat t he st art - up script s in

place on your dist ribut ion will need t o be edit ed. Open wireless net works can probably have light edit ing; using 802.1X requires heavier edit ing because t he int erface m ust be aut hent icat ed before st art ing DHCP.

Using Windows Drivers Under Linux I n addit ion t o xsupplicant , t here is one com m ercial program available from Meet inghouse Dat a Com m unicat ions. Meet inghouse's AEGI S client support s a wide variet y of EAP m et hods ( MD5, TLS, TTLS, PEAP, and LEAP) . Due t o t he difficult ies in keeping up wit h new dist ribut ions, however, it is only officially support ed on RedHat versions 8 and 9. The Linux version of t he Meet inghouse supplicant does not support WPA for t he sam e reason xsupplicant does not : t he lack of a st andard WPA keying API . Not all card m anufact urers have com m it t ed t o support ing Linux. Revealing int ellect ual propert y by giving away driver source code is usually t he m aj or concern. Finding t he engineering t im e t o writ e, m aint ain, and support drivers given t o t he user com m unit y is anot her. Drivers writ t en nat ively for Linux are preferable for a variet y of reasons. However, if your card vendor does not yet have a Linux driver, you can use t he Windows driver t hrough a wrapper program . Two soft ware packages can run t he Windows NDI S driver in a sandbox and t ranslat e Windows syst em calls int o t heir Linux equivalent s. The NDI SWrapper proj ect ( ht t p: / / ndiswrapper.sourceforge.net / ) is a com plet ely open source im plem ent at ion. A com pany called Linuxant provides a com m ercial program called DriverLoader ( ht t p: / / www.linuxant .com / driverloader/ ) for t he sam e purpose. Trial licenses are free, but ongoing use does require paym ent .

802.1X on Linux with xsupplicant I have been fort unat e enough t o volunt eer at t he I nt erop Labs wireless securit y init iat ives for t he past few years, where I get t o experience int eroperabilit y close up. I n 2004, developers from t he Open1X proj ect part icipat ed in t he int eroperabilit y t est event , bringing open source code int o an event t hat had previously been t he preserve of product m anufact urers. As t he popularit y of wireless net works has waxed, so has int erest in solut ions for connect ing Linux syst em s t o secure wireless LANs. xsupplicant is one of t he leading im plem ent at ions of 802.1X for Linux.

Requirements Before even considering working wit h xsupplicant , t he m ost im port ant t ask is t o ensure t hat 802.11 is already working! Many " wireless" problem s are really PC Card problem s. Obviously, you will not be able t o at t ach t o an aut hent icat ed net work unt il building and configuring xsupplicant , but you should be able t o insert your wireless card and have it recognized by t he syst em . Card Services will generally sound a high- pit ched beep when a card is insert ed t o indicat e it is recognized, resources were successfully allocat ed, and t he driver was loaded. ( A second low- pit ched beep m ay follow indicat ing a configurat ion failure, but t hat is okay. Chances are t hat you want your ult im at e configurat ion t o run xsupplicant , so it 's accept able at t he out set t o not have configurat ion support im m ediat ely.) Wit h t he driver successfully loaded, you should be able t o run iwconfig and obt ain st at ist ics from t he driver. Even if t he driver for your chosen card is working, m ake sure it has support for dynam ic WEP. Alt hough t here is som e disput e over t he absolut e securit y level of dynam ically keyed WEP syst em s, it is unquest ionable t hat dynam ic WEP has a significant ly higher level of securit y t han a single- key WEP syst em . I t is a virt ual cert aint y t hat any card you want t o use wit h xsupplicant should support t he use of dynam ic keys. Most m odern cards, t hose released in early 2003 and lat er, have driver support for dynam ic WEP already, but a few older cards require pat ches. The popular Herm es- based Orinoco 802.11b cards fall int o t he lat t er cat egory. Depending on t he driver, you m ay also need t o rebuild your kernel ( or at least get a copy of your kernel's configurat ion) in order t o com pile a driver. Finally, xsupplicant needs one m aj or library. As discussed previously, m ost EAP m et hods are based on TLS in one way or anot her. xsupplicant uses t he OpenSSL TLS im plem ent at ion. I nst all version 0.9.7 or lat er. Before fet ching t he source from openssl.org , check t o see if t here is a package available for your dist ribut ion.

Compiling and Installing xsupplicant Com piling and inst alling xsupplicant follows t he sam e rout ine t hat any ot her open- source package. Released code can be fet ched from ht t p: / / sourceforge.net / proj ect s/ open1x/ , and com piled in t he st andard Unix way:

root@bloodhound:~# tar -xzvf xsupplicant-1.0.1.tar.gz root@bloodhound:~# cd xsupplicant root@bloodhound:~/xsupplicant# ./configure root@bloodhound:~/xsupplicant# make root@bloodhound:~/xsupplicant# make install

As t his book went t o press, xsupplicant 1.0.1 was several m ont hs old, and m assive developm ent had occurred in t he CVS version. ( This sect ion is writ t en using a lat e 2004 CVS version.) Am ong m any ot her im provem ent s, t he CVS version has prelim inary WPA support . The CVS version can be fet ched from an anonym ous CVS server, and com piled in t he st andard Unix way:

root@bloodhound:~# cvs -z3 -d:pserver:[email protected]:/cvsroot/xsupplicant c root@bloodhound:~# cd xsupplicant root@bloodhound:~/xsupplicant# ./configure root@bloodhound:~/xsupplicant# make root@bloodhound:~/xsupplicant# make install

As a result of t he build, you get t hree execut ables inst alled; t he only one you are likely t o use is / usr/ local/ sbin/ xsupplicant .

Configuring xsupplicant When run, xsupplicant searches for it s configurat ion file in / et c . The config file, / et c/ xsupplicant .conf , does not get inst alled by default , so copy it over t o t he expect ed locat ion.

root@bloodhound:~/xsupplicant# cp etc/xsupplicant.conf /etc/

Configurat ion files specify t he aut hent icat ion m et hod, user ident it y, possibly t he password, and a cert ificat e locat ion t o validat e t he cert ificat e from t he net work. Cert ificat e aut hent icat ion of t he net work m ay be disabled by set t ing t he cert ificat e locat ion t o NONE, but it is not recom m ended. When set t ing up t he net work, you m ay need t o convert cert ificat es bet ween different form s. OpenSSL can easily convert bet ween different form at s by specifying t he form at s on t he com m and line.

root@bloodhound:~# openssl x509 -inform DER -outformPEM -in MyCA.der -out MyCa.pem

Passwords are st ored in t he configurat ion file in a nonencrypt ed form , so you m ay wish t o have t he syst em prom pt for t he password t o avoid put t ing sensit ive inform at ion in configurat ion files. When no password is in t he file for t he net work you are connect ing t o, xsupplicant will prom pt t he user. I n t he configurat ion file, set t ings can be st ored as part of a profile for an SSI D. The following exam ple is a sim ple configurat ion for a net work using PEAP, wit h EAP- MSCHAP- V2 inner aut hent icat ion on a net work called bat net . xsupplicant can be configured t o run a com m and aft er aut hent icat ion com plet es, or t hat can be left t o t he configurat ion script s on t he operat ing syst em .

### GLOBAL SECTION logfile = /var/log/xsupplicant.log network_list = all

default_netname = batnet first_auth_command = dhcpcd %i ###

NETWORK SECTION

batnet{ # allow_types = eap_tls, eap_md5, eap_gtc, eap-otp allow_types = eap_peap # Phase 1 ("outer") identity identity = msg # Alternative, but common specification is to not reveal username # identity = anonymous eap-peap { # It is a good idea to validate the certificate and not do "none" # root_cert = NONE root_cert = rootCA.pem root_dir = /etc/xsupplicant.d chunk_size = 1398 random_file = /dev/random # ** Inner method configuration allow_types = eap_mschapv2 # Inner method configuration eap-mschapv2 { username = msg password = imnottelling } } }

Pseudorandom number generation Like m any ot her securit y prot ocols, EAP m et hods require a " good" source of random num bers. Linux provides t wo random num ber devices, / dev/ random and / dev/ urandom . The form er ret urns random bit s t hat are wit hin t he syst em 's ent ropy pool. I f insufficient ent ropy is available, t he read will block unt il sufficient ent ropy is available, while t he lat t er will ret urn as m uch dat a is request ed, perhaps at t he cost of qualit y.

Connecting and Authenticating to a Network The first st ep in gaining access t o an 802.1X- prot ect ed net work is t o associat e t o it . xsupplicant depends on t he syst em t o perform t he associat ion. The init ial configurat ion should also configure t he card t o use encrypt ed fram es, alt hough t he key configured does not m at t er. Configure a dum m y key t o indicat e t o t he driver t hat it should run in encrypt ed m ode; xsupplicant will replace t he key aft er successful aut hent icat ion wit h a wireless ext ension library call. The m ost com m on way of configuring t he connect ion is t o use iwconfig t o plum b a key and configure t he net work, and t hen use ifconfig t o bring t he int erface up and st art searching for t he net work. Nat urally, t hese com m ands m ay be t riggered by t he configurat ion syst em script s when a wireless card is insert ed.

root@bloodhound:~# iwconfig ath0 key 12345678901234567890123456 root@bloodhound:~# iwconfig essid essid "batnet" root@bloodhound:~# ifconfig ath0 up

Aft er t he syst em has associat ed wit h t he net work, run xsupplicant . The - i opt ion indicat es which int erface it should run on. Debugging is act ivat ed wit h - d , wit h t he following let t ers det erm ining what inform at ion is print ed out . Log m essages are sent t o t he console wit h - f . The following exam ple has cut t he raw packet dum ps.

root@bloodhound:~# /usr/local/sbin/xsupplicant -i ath0 -dasic -f Using default config! network_list: all Default network: "default" Startup command: "echo "some command"" First_Auth command: "dhclient %i" Reauth command: "echo "authenticated user %i"" Logfile: "/var/log/xsupplicant.log" Allow Types: ALL ID: "msg" peap root_cert: "NONE" peap chunk: 1398 peap rand: "/dev/random" PEAP Allow Types: ALL mschapv2 username: "msg" mschapv2 password: "imnottelling" Interface ath0 initalized!

At t his point , xsupplicant has read t he configurat ion file, and checks t o see if t he wireless int erface is associat ed t o an AP. I f it is, t he aut hent icat ion process can begin.

[INT] Interface ath0 is wireless! [INT] The card reported that the destination MAC address is now 00 0B 0E 00 F0 40 [INT] Working with ESSID : batnet [CONFIG] Working from config file /etc/xsupplicant.conf. [STATE] (global) -> DISCONNECTED [STATE] Processing DISCONNECTED state. [STATE] DISCONNECTED -> CONNECTING [STATE] CONNECTING -> ACQUIRED [STATE] Processing ACQUIRED state.

Once t he syst em has associat ed t o an AP, it begins aut hent icat ing.

Connection established, authenticating... [STATE] Sending EAPOL-Response-Identification [STATE] ACQUIRED -> AUTHENTICATING) [STATE] Processing AUTHENTICATING state.

[STATE] Sending EAPOL-Response-Authentication ****WARNING**** Turning off certificate verification is a *VERY* bad idea! [AUTH TYPE] Packet in (1) : 20 [AUTH TYPE] Setting Key Constant for PEAP v0! [INT] Interface eth0 is NOT wireless! Userdata is NULL! We will probably have problems! [STATE] (global) -> DISCONNECTED [STATE] Processing DISCONNECTED state. [STATE] DISCONNECTED -> CONNECTING [STATE] Processing AUTHENTICATING state. [STATE] Sending EAPOL-Response-Authentication

You should not

At t his point , a great deal of debugging out put will appear as cert ificat es are exchanged back and fort h and validat ed by bot h sides of t he conversat ion. Once t he TLS t unnel is est ablished, t he debug out put shows t he inner aut hent icat ion. I n t he case of EAP- MSCHAP- V2, t he RADI US server sends a challenge. Based on t he challenge value and t he shared secret , a response is generat ed.

[AUTH TYPE] (EAP-MSCHAPv2) Challenge [AUTH TYPE] (EAP-MS-CHAPv2) ID : 2F [AUTH TYPE] Authenticator Challenge : C6 02 26 BE C3 E0 44 03 13 6E 1F BA F0 B3 1D 5A [AUTH TYPE] Generated PeerChallenge : 28 62 AA A2 8C 8E EB 82 D1 9B 2F 9A 54 67 93 2C [AUTH TYPE] PeerChallenge : 28 62 AA A2 8C 8E EB 82 [AUTH TYPE] AuthenticatorChallenge : C6 02 26 BE C3 E0 44 03 [AUTH TYPE] Username : msg [AUTH TYPE] Challenge : 48 E7 AA 53 54 52 98 62 [AUTH TYPE] PasswordHash : C5 A2 37 B7 E9 D8 E7 08 D8 43 6B 61 48 A2 5F A1 [AUTH TYPE] Response : 4D 96 51 8C 18 3A F7 C7 70 15 47 13 19 D8 D6 9B 36 00 AD E8 FA 9A 0 [AUTH TYPE] myvars->NtResponse = 4D 96 51 8C 18 3A F7 C7 70 15 47 13 19 D8 D6 9B 36 00 AD [AUTH TYPE] response->NT_Response = 4D 96 51 8C 18 3A F7 C7 70 15 47 13 19 D8 D6 9B 36 00 [AUTH TYPE] (EAP-MSCHAPv2) Success! [AUTH TYPE] Server authentication check success! Sending phase 2 success!

Once t he syst em has successfully aut hent icat ed, t he AP will supply keys. Keys are bot h encrypt ed and aut hent icat ed, using keys derived from t he shared crypt ographic keys from t he phase 1 TLS exchange. Two key m essages are sent , one wit h t he unique unicast key for t he st at ion, and one wit h t he broadcast key shared by all st at ions. xsupplicant uses t he wireless ext ensions API t o set t he keys in t he driver, where t hey will be viewable wit h iwconfig .

Processing EAPoL-Key! [INT] Key Descriptor = 1 [INT] Key Length = 13 [INT] Replay Counter = 41 2F BB 2D 00 00 00 D5 [INT] Key IV = 69 4C 45 D7 CF C3 DD CD 2A 3A F3 CB 04 7A F4 A3 [INT] Key Index (RAW) = 01 [INT] Key Signature = C2 05 6C 3A EB 25 E9 B9 8E FC 60 D6 77 44 57 22 [INT] EAPoL Key Processed: broadcast [2] 13 bytes. [INT] Key before decryption : ED 5D 03 D2 7A DE B4 60 29 FD FD F5 42 [INT] Key after decryption : FB BB AC D3 6F 7D 0A 3F FF 2A CF 33 4E [INT] Successfully set WEP key [2]

Processing EAPoL-Key! [INT] Key Descriptor = 1 [INT] Key Length = 13 [INT] Replay Counter = 41 2F BB 2D 00 00 00 D6 [INT] Key IV = 66 15 69 E2 B2 8C 0E 89 7C D3 94 8C 93 25 43 1B [INT] Key Index (RAW) = 80 [INT] Key Signature = 49 C1 15 B8 E9 D0 87 53 A6 FD 5D 76 CB 51 9D 65 [INT] EAPoL Key Processed: unicast [1] 13 bytes. [INT] Using peer key! [INT] Successfully set WEP key [1] [INT] Successfully set the WEP transmit key [1]

Som e drivers im plem ent privat e syst em calls t o report keys. At heros cards using t he MADwifi driver can list keys wit h iwlist at h0 key ; m any drivers will also report t he unicast key in iwconfig .

Commercial 802.1X on Linux I n addit ion t o xsupplicant , t here is one com m ercial program available from Meet inghouse Dat a Com m unicat ions. Meet inghouse's AEGI S client support s a wide variet y of EAP m et hods ( MD5, TLS, TTLS, PEAP, and LEAP) . Due t o t he difficult ies in keeping up wit h new dist ribut ions, however, it is only officially support ed on RedHat versions 8 and 9. The Linux version of t he Meet inghouse supplicant does not support WPA for t he sam e reason xsupplicant does not : t he lack of a st andard WPA keying API .

WPA on Linux WPA is not generally available on Linux because t here is no st andard way of obt aining t he necessary inform at ion t o perform t he four- way handshake. xsupplicant runs in user space, but som e of t he dat a necessary t o com put e t he four- way handshake m ust be obt ained t hrough t he driver. Each driver has defined it s own syst em calls for fet ching t his dat a, which requires supplicant s t o t rack t he developm ent of privat e syst em calls in every driver. A fut ure release of t he wireless ext ensions API will support t he necessary syst em calls, and WPA will be m ade available in bot h open source and com m ercial product s.

Chapter 20. Using 802.11 Access Points I n even t he sim plest 802.11 net work, proper configurat ion of t he access point s is essent ial. Wit hout properly configured net work int erfaces, no t raffic will be bridged on t o t he wired net work. I n t he early days of 802.11, access point s were sim ple devices. They had a pair of int erfaces, and connect ed wireless devices t o an exist ing wired LAN. Early APs were bridges bet ween t he wireless and wired realm s, wit h few addit ional feat ures. When t he first generat ion of wireless LAN product s hit t he m arket , t here was a broad separat ion int o cheaper hom e gat eways and expensive business- class product s. Product s in bot h classes perform ed t he sam e funct ions, alt hough t he lat t er t ypically used higher- capacit y com ponent s t o provide flexibilit y and invest m ent prot ect ion, as well as t he first crude large- scale m anagem ent t ools. At t he dawn of 802.11, APs were init ially st andalone independent devices. I n t he early days, wireless LANs offered t he abilit y t o have unt et hered access, but lacked serious securit y and m anagem ent capabilit ies. Alt hough t hese islands of net working occasionally com m unicat ed wit h each ot her, t hey were not oft en used as part of a large- scale net work syst em because t he prot ocols t o enable t hem t o do so had not been developed or t est ed on a large scale. As wireless net works becam e m ore popular and grew larger, flaws in t he t radit ional st andalone access point m odel becam e apparent . Sensing a m arket opport unit y, several vendors have built a second generat ion of wireless net work hardware. Newer approaches concent rat e m anagem ent and support funct ions for APs int o an chassis t hat has t he basic funct ions of an Et hernet swit ch, which enables t he APs t hem selves t o be dum beddown radio int erfaces. Alt hough t here are several approaches, t he broad cat egory of " light weight " or " t hin" access point s plus a cont rol syst em is oft en labeled a wireless swit ch. A great deal of int erest has surrounded t he swit ch- based archit ect ure since it was first popularized in lat e 2002, but t he fundam ent al t echnology m ust perform t he sam e funct ions as first - generat ion access point s. This chapt er discusses, in general t erm s, how t o use access point s. I t t akes a look at a full- feat ured st andalone device, t he Cisco 1200 series AP. Alt hough t here is a great deal of power in t he Cisco 1200, it can be form idable t o configure. For a look at t he lower end of t he m arket , t his chapt er looks at t he Apple AirPort Express.

General Functions of an Access Point Broadly speaking, t here are t wo price classes of access point s in t he m arket place. A low- cost t ier consist ing of hom e devices is sold widely t hrough ret ail channels direct ly t o t he end user. These lowcost devices are oft en specialized com put ing plat form s wit h only lim it ed m em ory and st orage. [ * ] The higher- cost t ier incorporat es addit ional feat ures required t o support large deploym ent s; frequent ly, t hese devices have addit ional m em ory and st orage and incorporat e m ore general- purpose hardware. The difference bet ween t he t wo price t iers is t hat t he higher- cost devices are m eant t o work t oget her as a syst em t o build a m uch m ore reliable, secure, and m anageable net work. To use a som ewhat sim plist ic analogy, t he sm all- scale wireless LANs t hat have proliferat ed in hom es and sm all offices are like cordless phones. They ext end a single net work out over a lim it ed range, and t hat is all. Large- scale wireless LANs are m uch m ore like cellular t elephony, wit h a st rong focus on m aint aining a net work connect ion in a m uch m ore dem anding environm ent . Frequent user m ot ion and and handoff bet ween APs is a given, as is a m uch higher st andard of m anagem ent and t roubleshoot ing t ools. [*]

For cost savings, many of the low-cost run a stripped-down version of Linux, and have been the subject of a great deal of software hacking. See, for example, the HyperWRT (http://www.hyperwrt.org) and wifi-box (http://sourceforge.net/projects/wifibox) projects.

Cut t ing across t he different m arket segm ent s, however, is a set of generic feat ures t hat are required t o fulfill t he service prom ises m ade in t he 802.11 st andard. Configurat ion of t hese feat ures, of course, is vendor- specific, but m any product s are fairly sim ilar t o each ot her in purpose and design. Most obviously, access point s are bridges bet ween t he wireless world and t he wired world. As bridges, t hen, all access point s have feat ures t hat one would expect t o see on a net work bridge. They have at least t wo net work int erfaces: a wireless int erface t hat underst ands t he det ails of 802.11 and a second int erface t o connect t o wired net works. I am not aware of any access point t hat does not use Et hernet as t he wired back- end, t hough it is cert ainly not required by any part of t he st andard. As wireless LANs have grown up, m ore of t he high- end access point s have begun t o support VLANs on t he net work uplink. Lower- end access point s m ay have a " WAN" port , which is usually a second Et hernet port for use wit h a cable m odem or DSL, t hough I have seen a few product s t hat have RS232 serial port s t o support dial- up m odem s. All wireless int erfaces m ust provide basic support for t he 802.11 channel access rules, but t he sim ilarit y ends t here. Early access point s im plem ent ed t he ent ire 802.11 prot ocol at t he edge of t he net work; m any newer devices have m oved som e of t he 802.11 processing away from t he edge of t he net work and have split t he 802.11 MAC across m ult iple syst em com ponent s. Most access point s offer t he abilit y t o use ext ernal ant ennas t o fine- t une range and coverage area. Bridges have som e buffer m em ory t o hold fram es as t hey are t ransferred bet ween t he t wo int erfaces, and t hey st ore MAC address associat ions for each port in a set of int ernal t ables. Bridging t ables are, of course, highly im plem ent at ion- specific, and t here is no guarant ee of sim ilarit ies across t he indust ry. The m ost basic and inexpensive devices will usually assum e t hat t hey are t he only access point in t he net work, and bridge accordingly. When access point s support roam ing, it m ay be necessary t o m ove sessions and user dat a in bet ween access point s. High- end access point s m ay need t o augm ent a basic bridging t able wit h VLAN inform at ion on t he wired int erface, as well as inform at ion about how users aut hent icat e t heir connect ions. Com m ercial- grade devices are also designed t o work cooperat ively; t he m ost com m on feat ure is a vendor- propriet ary m et hod t o m ove associat ion dat a from access point t o access point wit hout int errupt ing link- layer connect ivit y. Net work m anagem ent is generally m uch m ore sophist icat ed on

com m ercial- grade product s t o enable net work engineers t o m anage t he t ens or hundreds of devices used t o creat e a large- scale coverage area. I nit ially, m anagem ent t hrough a TCP/ I P net work int erface was a st andard feat ure. One of t he big innovat ions in t he past few years has been t he developm ent of " t hin" access point solut ions t hat m ove m anagem ent funct ions from access point s t o cent ral concent rat ion devices. Depending on t he m arket for which an access point is developed, it m ay offer services t o it s wireless client s. The m ost popular service is DHCP; wireless st at ions m ay be assigned addresses aut om at ically upon associat ion. Larger- scale devices oft en rely on exist ing DHCP servers on t he net work t o ensure consist ence across access point s. Many access point s can also perform net work address t ranslat ion ( NAT) , especially t he " hom e gat eway" - t ype product s t hat can connect t o a m odem and dial up an I SP. Securit y has been a sore point for wireless net work m anagers since before t he advent of 802.11's success. Access point s have a privileged posit ion wit h respect t o securit y concerns because t hey are t he gat eways t o t he wired net work and are ideally posit ioned t o im plem ent securit y policies. I n addit ion t o first - generat ion securit y approaches such as MAC address filt ering, m ost product s now im plem ent st ronger user- based aut hent icat ion. Wi- Fi Prot ect ed Access ( WPA) can be run wit h a preshared key in m ost hom e product s, and wit h an ext ernal aut hent icat ion server in large corporat e deploym ent s. Many high- end devices now offer significant int egrat ion wit h t he exist ing wired net work. Using t hose feat ures t o best ext end t he wired net work will be discussed in t he next chapt er. Managem ent int erfaces oft en leave som et hing t o be desired. Configurat ion of access point s t ends t o be challenging because access point s m ust be m anufact ured cheaply, and low- cost devices t end not t o have t he processing power t o run an easy- t o- use configurat ion engine. Most vendors use light weight operat ing syst em s running on low- powered hardware, but one of t he t rade- offs of using a light weight operat ing syst em is t hat it does not provide t he program m ing environm ent necessary t o build rich funct ionalit y. Early access point s offered bot h a com m and- line int erface and a web- based m anagem ent int erface. The recent developm ent of " Wi- Fi swit ches" offers som e hope for net work adm inist rat ors. Rat her t han requiring m anagem ent of individual APs as st andalone net work elem ent s, st ripped- down ( or " t hin" ) access point s are m anaged t hrough a handful of cent ralized cont rol swit ches. Wit h great er processing power and funct ionalit y, t he swit ches can support m ore funct ionalit y and m uch im proved m anagem ent int erfaces. Debugging and t roubleshoot ing t ools are as advanced as m anagem ent t ools, which unfort unat ely m eans t hat t hey oft en leave net work adm inist rat ors m ired in inconclusive or irrelevant inform at ion. I deally, product s should m aint ain det ailed logs of act ivit ies, but it is com m on t o find vague logs of result s t hat give very lit t le insight int o failures. Count ers can be helpful, but only if t he right count ers are accurat ely m aint ained. Tools such as ping and t racerout e are com m on, but net work analyzers and packet capt ure t ools are not .

Types of Access Points Broadly speaking, t here are t hree m aj or t ypes of access point s. Many of t he best - known devices are low- cost access point s sold at m aj or consum er elect ronics out let s. Alt hough t hese devices m ake up t he bulk of t he m arket , t hey are unsuit ed for use in a large- scale deploym ent . Just as consum er elect ronics- class Et hernet swit ches are not suit able for building a m aj or net work, cheap APs cannot offer t he feat ures needed t o build a m aj or wireless net owrk. Higher- priced devices wit h significant addit ional funct ionalit y exist for t he corporat e ent erprise m arket .

For the home: residential gateways

The low- cost t ier is com posed of devices oft en called resident ial gat eways. Resident ial gat eways are designed t o be as low- cost as possible, so only t he basic feat ures required for t he t ypical sm all or hom e office are included. To furt her reduce cost , m ost of t he resident ial product s are based on " reference designs" from 802.11 chipm akers. Equipm ent m anufact urers m ay ( or m ay not ) cust om ize a reference design, t he ext ernal case, and sell t he result ing device under t heir own brands. Resident ial gat eways generally share t he following charact erist ics: Most devices include a DHCP server t o m ake plug- and- play configurat ion easier. They are oft en deployed by users wit h one rout able I P address, so NAT im plem ent at ions are com m on. [ * ] Many can use PPPoE or DHCP t o dynam ically assign t he rout able ext ernal address. [*]

The NAT implementation is usually restrictive. It is able to translate many internal devices to varying ports on the external IP address, and fixed ports on the external IP address to specific internal addresses (for, say, inbound web or SSH requests). Some vendors may refer to this as port address translation (PAT) instead of NAT.

Depending on t he t ype of cust om er t he resident ial gat eway is aim ed at , t he WAN int erface is a m odem , a serial port , or even DSL. ( Som e resident ial gat eway product s m ay use an Et hernet port as t he " WAN" connect ion t o a cable m odem or DSL m odem .) They are oft en built as a single int egrat ed unit , com plet e wit h a built - in ant enna. I f suit able coverage cannot be found, it is necessary t o relocat e t he ent ire unit . Many product s now claim t o have an I Psec pass- t hrough feat ure t o allow t he use of I Psec t hrough NAT, which works wit h varying degrees of success depending on t he I Psec VPN solut ion chosen. Configurat ion of resident ial gat eways usually relies on a default int ernal I P address. When it is plugged in and powered up for t he first t im e, you connect wit h a web browser t o it s default address and ent er t he default usernam e and password. I n som e cases, all of a m anufact urer's devices m ay com e up wit h t he sam e address by default . A popular choice for t he default web address is oft en 192.168.0.1, t he first address in t he RFC 1918 reserved address block of t radit ional class C address. As wireless LANs have becom e m ore popular, however, som e vendors have built equipm ent t o coexist wit h ot her gear by default , eit her by choosing a random value for t he final num ber in t he I P address, or by t est ing t o ensure t he address is not in use. They are oft en sold direct ly t o t he end user and are designed t o be aest het ically pleasing. Unfort unat ely for m any end users, t he im proved visual design som et im es prevent s t he st acking of resident ial gat eways wit h ot her net work equipm ent . Many vendors design t heir equipm ent t o be st ackable wit h t heir ot her com ponent s, however. Securit y configurat ion opt ions are oft en lim it ed t o sm aller- scale solut ions. Much older resident ial gat eways only im plem ent ed MAC filt ering or st at ic WEP, so be careful about purchasing used equipm ent . Nearly every device now sold uses WPA's preshared key aut hent icat ion wit h dynam ic encrypt ion keys. Most resident ial devices do not have sophist icat ed radios. They t ypically have j ust a single radio int erface, running eit her 802.11g or 802.11a. The form er is m ore com m on in resident ial devices because t he 2.4 GHz frequency used by 802.11g has great er coverage. Resident ial net works are t ypically lim it ed by t heir uplink t o t he I nt ernet , and do not need t o be built wit h sm all coverage areas for dense, high- bandwidt h coverage. As t his book was writ t en, resident ial gat eways t ypically cost $35 t o $100. Com m on m anufact urers are D- Link, Linksys, and Net gear. Apple's AirPort is som et im es placed in t his cat egory as well, alt hough it is priced significant ly higher and has m ore feat ures.

For the office: enterprise access points Ent erprise gat eways, which oft en go by m any ot her nam es t hat im ply t he buyer values feat ures over cost , provide everyt hing resident ial gat eways do, plus addit ional feat ures useful for larger- scale environm ent s. Ent erprise gat eways generally share t he following charact erist ics: The area over which m obilit y is required is m uch larger and requires several access point s working in concert . Ent erprise product s support som e sort of prot ocol t o m ove sessions bet ween access point s. Ent erprise product s are built around upgradeabilit y t o offer a service life as long as possible. They are t ypically built on relat ively high- powered generic hardware, and im plem ent a great deal of higher- layer funct ionalit y in soft ware t hat can be easily upgraded. They m ay have radios t hat are easy t o swap out . Early ent erprise APs used PC Card radios, so a swit ch from 802.11b t o 802.11a involved changing a card, and possibly a soft ware upgrade. As t he price of com ponent s has fallen, radio cards are t ypically no longer upgradeable, but t he soft ware is. One of t he advant ages t o t he high level of soft ware cont rol of an ent erprise- grade AP is t hat new securit y developm ent s can oft en be added in wit h a soft ware updat e. Any serious ent erprise- grade AP will support WPA, and m ost vendors prom ised easy soft ware upgrade pat hs t o 802.11i. As new securit y feat ures are st andardized, t hey can be added on t o an exist ing net work wit hout changing hardware. Ent erprise- grade APs oft en add securit y in layers, so new securit y m echanism s can be used in conj unct ion wit h older m echanism s. Hardware- based enhancem ent s t o securit y oft en appear in m ore expensive devices first , t oo. When chipset s st art ed support ing AES accelerat ion in hardware, it appeared on high- end devices first . Som e ent erprise APs can support m ult iple securit y st andards sim ult anously. Ent erprise- t ype deploym ent s are frequent ly int ended t o creat e a coverage blanket t hroughout a relat ively large area. Power is not always convenient t o t he locat ion of an access point , but it is t ypically abundant in t he wiring closet . All ent erprise- grade APs support drawing power over Et hernet using I EEE 802.3af. The radio side of a high- end AP is frequent ly m uch m ore sophist icat ed t han a low- cost AP. Most ent erprise APs have an ant enna connect or t hat allows t he at t achm ent of a variet y of ext ernal ant ennas t o t ailor t he coverage area and coverage qualit y t o your needs. Som e APs are beginning t o incorporat e highly advanced ant enna t echnology t hat allows very fine cont rol over t ransm ission pat t erns, or allows a single ant enna t o be used by m ult iple MAC chips. Transm ission power can usually be adj ust ed t o enlarge or shrink t he coverage area as desired. Many ent erprise APs can also support m ult iple virt ual radio net works over t he ant enna. I n addit ion t o radio t unabilit y, ent erprise APs can support som e form of virt ual access point s. Mult iple SSI Ds can be configured, and each can be assigned it s own aut hent icat ion and encrypt ion set t ings. This feat ure is oft en used t o creat e parallel net works wit h different securit y set t ings t o accom m odat e older equipm ent while offering m axim um securit y for newer equipm ent . Ent erprise APs are designed t o int egrat e int o an exist ing net work. On t he securit y side, t hat m eans t hat t hey oft en m ust int egrat e int o an exist ing securit y archit ect ure, usually by plugging in t o an exist ing user dat abase. Once users are successfully aut hent icat ed t o t he net work, t hough, t hey m ust t ake advant age of net work services. A second int egrat ion point is t he way t hat an ent erprise AP ext ends exist ing access cont rol and user privileges t hat m ay already be present on t he wired net work.

I nt egrat ion wit h an exist ing net work also ext ends t o t he dat a plane as well. Most ent erprisegrade APs are designed t o perform dynam ic VLAN assignm ent based on user at t ribut es from t he aut hent icat ion server. Frequent ly, sit e survey t ools com e bundled wit h ent erprise- class product s so net work m anagers can plan large deploym ent s by direct ly assessing coverage qualit y. These t ools vary great ly in t heir sophist icat ion. Som e sit e survey t ools are lit t le m ore t han a hist orical st at ist ical readout , while ext rem ely advanced t ools can derive a net work layout from t he physical environm ent . Reflect ing t he adm inist rat ive dem ands, configurat ion of ent erprise- class devices is done wit h easily script ed com m and- line int erfaces or SNMP, and m onit oring and m anagem ent capabilit ies are far m ore ext ensive t han in resident ial gat eways. Som e product s are also cont rolled t hrough large- scale m anagem ent fram eworks t hat enable a single adm inist rat or t o m onit or and change configurat ion on hundreds or even t housands of access point s. Ent erprise gat eways are oft en deployed in packs. Aest het ic requirem ent s in t ypical office space m ay require unobt rusive m ount ing, so t hese devices offer flexibilit y in t he way t hat t hey m ount in t he building. Many are designed t o be m ount ed above ceilings, and m ay be plenum rat ed.[ * ] Devices inst alled in air duct s and air- handling spaces m ust m eet st rict sm oke em ission requirem ent s for safet y reasons. Plenum - rat ed APs can be inst alled nearly everywhere; devices t hat lack t he necessary cert ificat ions m ay be rest rict ed in possible m ount ing locat ions. [*]

For information on flame tests, see http://www.houwire.com/catalog/technical/cable_flame.asp.

Nat urally, t hese addit ional capabilit ies do not com e wit hout a price. Most ent erprise- grade APs list for $500 t o 1,000, t hough t hey are oft en available at significant discount s. Over t im e, t he price of highend APs does fall, but it is not subj ect t o t he sam e downward pressure as resident ial- class product s. The canonical exam ple of an ent erprise- grade AP is t he Cisco 1200 or Cisco 1100. Bot h are built on relat ively generic hardware, run a full- blown version of t he I nt ernet work Operat ing Syst em , and are given new feat ures on a regular basis. Proxim , Sym bol, 3Com , and HP produce com pet ing product s wit h sim ilar feat ure set s.

For the large office: wireless switches One of t he biggest changes in t he t im e since t he first edit ion of t his book was published is t he em ergence of t he " wireless swit ch" or " t hin AP" archit ect ure, in which relat ively light weight access point s are cont rolled by a cent ralized swit ch. The driver behind t he t hin AP or wireless swit ch archit ect ure is increased efficiency over first - generat ion product s. Part of t he efficiency is based on t he t echnology it self. Thin AP archit ect ures rem ove processing from t he AP and m ove it t o an aggregat ion device. Elim inat ing processing at t he AP rem oves com ponent s and cost from t he AP, increasing service lifet im e. I f configurat ion is rem oved from t he AP as well, t here are fewer m anaged elem ent s in t he net work. Cent ralizing capabilit ies in t he cont roller can also lead t o increased flexibilit y. For t he sam e cost , concent rat ed hardware in t he cont roller can provide m ore processing power t han dist ribut ed processing at t he access point . Coordinat ing act ivit y bet ween access point s allows net work m anagers t o load- balance client s bet ween APs, m onit or radio act ivit y cent rally, and ext end t he exist ing net work m ore easily. The cost of a wireless swit ch- based solut ion m ay depend a great deal on it s size. Most vendors offer a variet y of cont rollers, which m ay range from j ust a few APs up t o hundreds of APs. The original swit ch solut ion was Sym bol's Mobius product ; solut ions were lat er built from t he ground up by Airespace, Aruba, and Trapeze.

Power over Ethernet (PoE) I f your net work will be of any size at all, power over Et hernet ( PoE) is ext rem ely im port ant . When designing a wireless net work, access point s should be locat ed where it m akes sense t o put t hem for radio propagat ion purposes, not where it m akes sense t o put t hem for elect rical power purposes. Access point s sold in t he first wave of product s had t o be powered like m ost ot her com put ing devicest hat is, plugged int o a nearby AC power out let . To m ake m at t ers worse, m any of t hem used large " wall wart " t ransform ers t hat blocked adj acent out let s, t oo. Locat ing access point s was not a m at t er of finding t he best locat ions for providing service, but near nearby power out let s. Modifying access point locat ions can be challenging if one of t he const raint s is st aying near elect rical power. Due t o t he dangers of elect rical work, t here are legal requirem ent s t o use licensed elect ricians in m any locat ions. Som e organizat ions m ay have also negot iat ed wit h unions t o provide skilled elect rical labor. I n eit her case, m odifying access point locat ions m ay be quit e expensive. I n m any locat ions, dat a cable such as Et hernet can be m oved or inst alled by net work t echnicians, so APs can be inst alled or relocat ed by nonunion labor. [ ] []

Some jurisdictions may define Ethernet as "low-voltage wiring," which requires that it be installed by an electrician. The city of Redmond, Washington, taxes low-voltage wiring as part of the building permit process.

Types of PoE There are a num ber of t ypes of power equipm ent on t he m arket ; m any com ply wit h t he I EEE 802.3af st andard. 802.3af defines a t ransm ission st andard t hat can supply 48 volt s DC up t o a m axim um of approxim at ely 15 wat t s at t he full lengt h- reach of an Et hernet cable. The st andard it self can be downloaded from t he I EEE Get 802 sit e, and m ore inform at ion is available from ht t p: / / www.poweroveret hernet .com / . The m ost basic dist inct ion is which wires in t he Et hernet cable supply t he power. Dat a is always carried on t he dat a conduct ors ( wire pairs 1 and 2 and 3 and 6) . Alt ernat ive A in t he st andard carries power on t he dat a conduct ors, while Alt ernat ive B carries power on t he unused pairs ( wire pairs 4 and 5 and 7 and 8) . When power is carried on t he dat a cables, t he volt age polarit y m ay go eit her way, as shown in Figure 20- 1. The corresponding pinout is in Table 20- 1 . Power carried on t he unused dat a cables m ust have a specified polarit y. Nearly all vendors use posit ive polarit y on t he first pair; t he not able except ion is early Cisco- propriet ary power devices, which reversed polarit y from m ost ot her devices.

Figu r e 2 0 - 1 . Pow e r w ir e m a p

Ta ble 2 0 - 1 . W ir e u sa ge in 8 0 2 .3 a f W ir e n u m be r

Pa ir m a ppin g

Alt e r n a t ive A ( M D I - X)

Alt e r n a t ive A ( M D I )

1

1 - dat a

-

+

2

1 - dat a

-

+

3

2 - dat a

+

-

4

3 ( unused)

+

5

3 ( unused)

+

6

2 - dat a

7

4 ( unused)

-

8

4 ( unused)

-

+

Alt e r n a t ive B

-

A furt her dist inct ion bet ween t ypes of power devices is where t he power is supplied. Power equipm ent m ay be present in t he swit ch, which is referred t o as endpoint power. Alt ernat ively, it m ay be added int o t he wiring by a power inj ect or , in which case it is called m id- span equipm ent . Most 802.11 inst allat ions t o dat e have used power inj ect ors, and t herefore m id- span equipm ent . As swit ch vendors have com e out wit h power blades and t hey have been m uch m ore widely purchased, endpoint inj ect ion is becom e m uch m ore com m on. Figure 20- 2 illust rat es t he difference bet ween t he t wo opt ions. The inj ect or shown in t he m id- span case m ay be a st and- alone device, or it m ay be a " power pat ch panel" wit h m ult iple port s. Gigabit dat a links can only be endpoint powered, alt hough t his is not yet an im port ant dist inct ion for 802.11.

Figu r e 2 0 - 2 . En dpoin t a n d m id- spa n pow e r in j e ct or s

802.3af incorporat es det ect ion of powered devices t o avoid frying equipm ent plugged int o a power port . Early PoE equipm ent would supply t he full volt age all t he t im e, and had a propensit y t o dest roy devices t hat were not designed t o cope wit h power. For safet y reasons, 802.3af includes a handshake t hat slowly ram ps up power. I f t here is no response t o t he init ial probe from t he power equipm ent , it st ops providing it t o prot ect t he device at t he end. Power inj ect ors alm ost always have t wo copper Et hernet port s and a power cord. One Et hernet port is for t he net work connect ion, and t he second provides power on t he net work connect ion on t he first port . A not able except ion is t he Cisco AI R- PWRI NJ- FI B, which provides power on an Et hernet port while using a 100BASE- FX fiber for net work connect ivit y.

Selecting Access Points When choosing an access point , you should t ake a num ber of fact ors int o account . Wit h t he em ergence of 802.11 as t he m ain vendor- neut ral st andard, st andards com pliance is generally not a big fact or. Any serious vendor hoping t o build large net works m ust prom ise com pat ibilit y wit h all exist ing st andards, and will oft en need t o com m it t o support ing im port ant fut ure landm ark st andards. Several organizat ions have launched t est program s t o cert ify int eroperabilit y. The best - known program is t he Wi- Fi Alliance's Wi- Fi cert ificat ion, t hough ot her organizat ions are seeking t o capit alize on t he popularit y of wireless LANs by launching com pet ing program s. The m ost rigorous t est program in t he indust ry is run by t he Universit y of New Ham pshire's I nt er- Operabilit y Lab ( I OL) . The I OL t est program is not as widely known as t he com m ercial program s because it is int ended t o help build bet t er product s, not t o provide m arket ing " seals of approval" t o vendors. As always, when you st udy cert ificat ion program s, ensure t hat t he vendor has gone t hrough t he relevant t est s t hat are of int erest t o you. Securit y is oft en a prim e concern when deploying a wireless net work. Wit h WEP t horoughly broken, you alm ost cert ainly want t o select an access point t hat has securit y capabilit ies based on 802.1X and 802.11i. Sm all inst allat ions can use pre- shared key aut hent icat ion, while m ore securit yconscious inst allat ions should opt for full RADI US int egrat ion. I n larger environm ent s, it m ay also be wort hwhile t o select a product t hat can act as m ult iple virt ual access point s as well as m ix encrypt ion and aut hent icat ion t ypes. I n som e deploym ent s, get t ing power t o t he access point s can be a m aj or headache. To blanket an area wit h t he coverage required for a large im plem ent at ion, access point s oft en need t o be placed in an area where power is not easily accessible. Long ant enna runs can degrade signal qualit y unaccept ably, so it is m uch bet t er t o bring power t o t he locat ion. I nst alling new elect rical conduit s is oft en quit e expensive. Work m ust be perform ed by licensed elect ricians, and building codes m ay im pose addit ional rest rict ions. Many product s can supply power over t he Et hernet cable. Cheaper product s oft en have propriet ary power equipm ent , while m ore expensive product s can use st andardsbased power equipm ent . Net work wire is not subj ect t o t he sam e rest rict ions as elect rical cable and can be inst alled by net work adm inist rat ors. Som e environm ent s m ay require providing coverage over bot h indoor and out door areas. Ext ernal ant ennas are oft en useful for creat ing a dense coverage blanket over an area, or for beam ing t he signal in a part icular direct ion over a court yard. Not all access point s can connect t o ext ernal ant ennas; it m ay be an ext ra- cost opt ion. Even if an access point has an ext ernal ant enna connect or, t here is no guarant ee t hat you'll be able t o find a wide range of ant ennas available for use. 802.11 only requires t hat any connect ors for ext ernal ant ennas have a st andard im pedance of 50 ohm s. I f ext ernal ant ennas are im port ant for your deploym ent plans, m ake sure t hat a wide range of ant ennas is available, whet her t hrough t he 802.11 vendor or anot her source. Out door inst allat ions m ay require environm ent ally " hardened" access point s or enclosures as well. Environm ent al considerat ions m ay also play a role in cert ificat ions required for APs. Equipm ent inst alled in air- handling spaces m ust be plenum rat ed. Cert ified plenum - rat ed devices are lit on fire and t he result ing sm oke is t est ed for clarit y. Opaque sm oke m ight be forced t hrough a vent ilat ion syst em and dist ribut ed t hroughout a building, which would obscure em ergency exit signs and would be a hazard. Plenum - rat ed devices are m ade of m at erials t hat do not release dense sm oke. The sm oke is oft en quit e hazardous. Plenum - rat ed APs are safer because t hey will not obscure exit s, not because t he sm oke is nont oxic. Devices t hat are inst alled above t he ceiling do not generally need t o be plenum rat ed unless t he above- ceiling area is an air ret urn space. Buildings wit h air- handling

duct s do not generally need plenum - rat ed APs, but m any building inspect ors will m ist akenly require t hem . Local building codes m ay also require t hem . I f roam ing is im port ant , you will need t o sort t hrough a variet y of different t echnologies and approaches, wit h t he added wrinkle t hat roam ing m ay not always perform well bet ween different vendors' product s. The best way t o ensure int eroperabilit y bet ween vendors is t o select a syst em t hat bases roam ing and handoff on dynam ic VLAN assignm ent . As st at ions aut hent icat e, t hey will ret ain t he sam e logical point of at t achm ent t o t he net work. 802.11 includes a num ber of powersaving funct ions in t he st andard. Most are opt ional. I f your deploym ent is based heavily on bat t ery- powered devices, it m ay be wort h evaluat ing which powersaving feat ures are included wit h part icular devices. I t m ay also be wort h experim ent ing wit h devices t o see j ust how m uch longer bat t eries last wit h t he powersaving funct ions enabled. Device m anagem ent is an im port ant considerat ion. Wireless net works are a new service, and net work st aff will need t o plan, evaluat e, purchase, deploy, and m aint ain t he addit ional hardware. Large deploym ent s m ay have t ens or hundreds of access point s, which can easily m ake net work m anagem ent a headache wit hout good t ools. Does t he vendor offer an access point m anager t o configure large num bers of devices in parallel? Can m anagem ent of t he access point s be incorporat ed int o your exist ing net work m anagem ent infrast ruct ure using t ools t hat you already have deployed? Are t he m anagem ent t ools secure enough? Many product s can be m anaged only wit h cleart ext prot ocols, which m ay be j ust an annoyance or a m aj or violat ion of a securit y policy. Experience wit h ot her net work devices has shown t hat soft ware upgrades are a frequent occurrence. How is t he soft ware upgraded, and how m uch funct ionalit y can upgrades add? Can new prot ocol feat ures be added wit h firm ware updat es? Depending on t he size of t he deploym ent , it m ay be possible t o evaluat e equipm ent before buying. See if you can get a feel for t he range of each access point and t est wit h a variet y of com m on cards. Capacit y on an 802.11 net work is ult im at ely lim it ed by t he radio link, but you will want t o m ake sure t hat t here are no ot her capacit y rest rict ions. Does t he access point provide t he processing power t o run t he wireless side at m axim um capacit y wit h securit y prot ocols enabled? Not all product s incorporat e crypt ographic accelerat ion for all prot ocols. Product s t hat depend on a cent ral crypt ographic processor t o run securit y syst em s m ay run out of capacit y if t hey are upgraded t o fast er PHY st andards, and m ay also suffer if t he uplink is insufficient . Fast Et hernet suffices for 802.11a/ g- based net works t oday, but it will likely lim it t he perform ance of radios built on t he fut ure 802.11n st andard. Try t o set up a t est net work and get a feel for t he configurat ion required t o int egrat e t he access point s wit h t he rest of your net work gear. As wit h m any ot her purchasing decisions, of course, t here are a num ber of " soft " fact ors t hat m ay not be easily quant ifiable. Warrant ies, a relat ionship wit h t he vendor, and t he qualit y of t he t echnical support m ay all influence t he purchasing decision. Soft fact ors are not t echnical nor easily quant ifiable, however, so I will not discuss t hem .

Are Access Points Really Necessary? Access point s are not required for a wireless net work. Wireless st at ions can be used in independent net works, which do not require an access point . Building a Unix box t hat rout es bet ween an Et hernet net work and a wireless net work is not difficult , and hardware can oft en be reused from t he scrap pile. Why, t hen, would anybody use an access point ? Now t hat m ost access point s have fallen well below t he $100 m ark, building a Unix rout er is no longer a cost - effect ive opt ion for single- access point net works. Once you consider what your t im e is wort h, building a Unix rout er is a pret t y silly use of t im e. Access point hardware has som e advant ages over redeployed general- purpose plat form s, t oo. Access point s are sm all devices wit h no

m oving part s. As a result , t hey do not consum e a great deal of elect rical power and do not generat e m uch heat . There is one not able except ion t o t his rule, t hough. Apple offers a " soft ware base st at ion" t hat t ransform s any deskt op m achine int o a bridging access point . Wit h a few m ouse clicks and very lit t le effort , a deskt op com put er can becom e a base st at ion. Unix- based rout ers have never been effect ive in larger deploym ent s because of t he lack of m obilit y support . Effect ive roam ing requires t ransparent br idged access, not rout ed access, t o t he link layer at different physical locat ions. However, roam ing wit h 802.11 is possible only when access point s can com m unicat e wit h each ot her t o t rack t he m ovem ent of a wireless st at ion. I n t he fut ure, it is likely t hat an open source Unix dist ribut ion will have t he feat ures necessary for an access point : low- level access t o fundam ent al 802.11 param et ers on t he card, Et hernet bridging, and an I APP. Unt il t hen, t hough, t here is no subst it ut e for com m ercial product s.

Unix-Based Access Points One of t he m ost basic precondit ions for m aking a Unix- based access point is enabling access point funct ions in t he wireless int erface card. One of t he m aj or hurdles is rewrit ing t he 802.11 headers. All t raffic in an infrast ruct ure net work flows t hrough t he access point . Access point s m ust rewrit e t he t ransm it t er and receiver addresses in t he 802.11 headers. Ot her m anagem ent funct ions m ay be required as well. For exam ple, 802.11 includes a num ber of powersaving m echanism s for infrast ruct ure net works in t he specificat ion, but t hey can be used only on net works wit h access point s t hat im plem ent t hem . There is also a nont echnical hurdle. Many vendors have act ively support ed t he developm ent of open source Unix drivers for t heir cards. Aft er all, vendors m ake m oney selling hardware, and it is a good t hing for t hem t o sell cards for all client syst em s, even t hose t hat run open source Unix. Access point s are a different st ory, however. Vendors have not been as fort hcom ing wit h t he int erface used t o put cards int o t he access point m ode. Access point s are quit e lucrat ive, and providing a driver int erface in t he access point m ode in t he card could pot ent ially cannibalize access point sales. At one point , t he only way t o get an I nt ersil- based card t o act as an access point int erface was t o purchase t he reference design from I nt ersil. ( The reference design shipped wit h firm ware t hat had access point funct ionalit y, and t hat firm ware was not sold separat ely.) I nt ersil's shipping st at ion firm ware does, however, include som et hing called a " Host AP Mode." I n t he Host AP Mode, t he PRI SM chipset aut om at ically t akes care of " m enial" t asks, such as t ransm it t ing Beacon fram es and acknowledging incom ing t ransm issions. Jouni Malinen has developed a driver t o use t he Host AP Mode wit h Linux. I n conj unct ion wit h t he Et hernet bridging im plem ent at ion in t he kernel, t his driver can be used t o build an access point wit h full 802.1X and WPA support . I t is available from ht t p: / / www.epit est .fi/ Prism 2/ . Wit h t he present st at e of driver soft ware, it is possible t o build a Unix- based rout er. ( I m ean " rout er" pedant ically, as " layer 3 net work device." ) One int erface would connect t o a wired net work as it always has, and a second wireless int erface could be run in I BSS m ode. Ross Finlayson has est ablished a com m unit y net work at a coffee house in Mount ain View, California using a FreeBSD- based rout er. The proj ect 's hom e page is at ht t p: / / www.live.com / danast reet / , and t here is a page devot ed specifically t o t he rout er it self at ht t p: / / w w w .live.com / wireless/ unix- base- st at ion.ht m l.

Cisco 1200 Access Point Cisco's 1200 Series access point is t he st andard- bearer for st andalone access point s. I t runs a version of Cisco's I nt ernet work Operat ing Syst em ( I OS) . At first , 1200s ran a syst em based on VxWorks, but Cisco released an I OS upgrade t o bring t he 1200 in t o t he fold. The upgrade t ool is available from Cisco's support web sit e. No new feat ures or cont inuing developm ent has been done on VxWorks for quit e som e t im e. On an individual basis, t he Cisco 1200 can be m anaged from eit her a web int erface or an I OS com m and- line int erface. Larger inst allat ions can be m anaged t hrough t he Wireless LAN Solut ions Engine ( WLSE) . The com m and- line int erface is available t hrough a local console serial cable wit h a Cisco RJ- 45 pinout , or once t he net work int erface is configured, t elnet or SSH.

Setting Up the 1200 Hardware set up on t he 1200 is st raight forward. I t m ay be powered eit her from a local power supply or wit h a Cisco- specific power inj ect or. The power circuit ry is t he sam e. The power supply put s out 48 volt s, j ust as a power inj ect or would. The 1200 uses a Bridge- group Virt ual I nt erface ( BVI ) . BVI s are a soft ware const ruct used in I OS t hat allows rout ing and bridging of prot ocols over t he sam e int erface. APs need t o bridge 802.11 fram es t o 802.3, but also need t o rout e I P for m anagem ent purposes, which m akes BVI s t he obvious choice. Configure t he I P address on a BVI from t he global configurat ion prom pt . APs m ay get t heir I P address eit her from a st at ic assignm ent , or from a built - in DHCP client . Bot h com m ands are shown below:

ap1200# configure terminal ap1200(config)# interface BVI1 ap1200(config-if)# ip address 192.168.1.5 255.255.255.0 ap1200(config-if)# ip address dhcp client-id FastEthernet0

To check on t he st at us of t he int erface and see what addresses have been assigned, use show ip int erface:

ap1200#show ip interface brief Interface IP-Address Dot11Radio0 unassigned FastEthernet0 unassigned Virtual-Dot11Radio0 unassigned BVI1 192.168.5.191

Configuring Radio Interfaces

OK? YES YES YES YES

Method TFTP NVRAM TFTP DHCP

Status up up down up

Protocol up up down up

The 1200 has t wo radios. Radio 0 is t he 2.4 GHz radio, which is usually 802.11g, but m ay be 802.11b in older hardware. Radio 1 is t he 5 GHz radio. Each radio can be configured independent ly by using t he int erface configurat ion com m ands. Dat a rat es can be allowed sim ply by ent ering t hem wit h t he speed com m and, or t hey m ay be labeled as required by prefacing t hem wit h basic- . I n t he following com m and list , t he first speed com m and allows all dat a rat es. The second requires 1 Mbps and 2 Mbps operat ion, but allows 5.5 Mbps and 11 Mbps operat ion. The last t wo are special. speed r ange allows all, but requires only t he slowest speed. speed t hroughput set s all dat a rat es t o r equir ed.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# speed 1.0 2.0 5.5 11.0 ap1200(config-if)# speed basic-1.0 basic-2.0 5.5 11.0 ap1200(config-if)# speed range ap1200(config-if)# speed throughput

Transm ission power m ay be configured for each radio by set t ing a local m axim um power in m illiwat t s. Like speed, power is an int erface- specific configurat ion com m and. 802.11b/ g radios are capable of up t o 100 m W power. Due t o lim it at ions in chip design wit h OFDM, 802.11a radios are only capable of 40 m W t ransm ission.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# power local 100

I n addit ion t o power set t ings, t he operat ing channel m ay be configured for each radio wit h t he channel com m and. As an argum ent , channel t akes t he frequency in MHz. Alt ernat ively, using t he least - congest ed keyword will force t he AP t o m onit or all channels and pick t he clearest one.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# channel 2412 ap1200(config-if)# channel least-congested

Two different t ypes of 802.11b pream bles are used. Long pream bles are m ore com pat ible, but short pream bles give m uch bet t er perform ance. Generally, t his opt ion should be set t o short unless t here is a known older device t hat needs t o use t he net work. To disable short pream ble, use t he no pream ble- short int erface com m and.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# no preamble-short

Beacon fram es are used t o announce t he exist ence of a net work, as well as announce buffered wit h DTI M inform at ion elem ent s. The Beacon int erval can be t uned t o balance delivery of buffered fram es wit h bat t ery consum pt ion using t he beacon period and beacon dt im - period com m ands.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# beacon period 100 ap1200(config-if)# beacon dtim-period 5

I n addit ion t o t he Beacon int erval, t he RTS/ CTS t hreshold can be configured. Lower values will cause RTS/ CTS handshaking t o occur. Depending on t he environm ent , it m ight also be wort h alt ering t he num ber of t im es a fram e will be ret ransm it t ed, or t he t hreshold at which it will be fragm ent ed using t he following com m ands.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# rts threshold 2000 ap1200(config-if)# rts retries 2 ap1200(config-if)# packet retries 8 ap1200(config-if)# fragment-threshold 1500

Internetworking Different client s will encapsulat e fram es in different ways. By far t he m ost com m on is t o use RFC 1042 SNAP encapsulat ion, which is t he default . I OS allows configurat ion of 802.1H as well. The set t ing is global for a radio, and cannot be configured on a per- prot ocol basis.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# payload-encapsulation snap ap1200(config-if)# payload-encapsulation dot1h

Wit h dynam ic VLAN assignm ent , t he use of VLANs on t he wired side is becom ing increasingly com m on. I OS on t he 1200 support s bot h nat ive and t agged VLANs. I t is im port ant t o assign VLAN 1, t he nat ive VLAN, t o t he sam e I P net work as ot her devices on t he net work t o ensure com m unicat ion across t he so- called nat ive VLAN. The nat ive VLAN is not ed by adding t he keyword nat ive at t he end of an encapsulat ion com m and for t he subint erface.

ap1200# configure terminal ap1200(config)# interface dot11radio0.1 ap1200(config-subif)# encapsulation dot1q 1 native ap1200(config-subif)# interface fastethernet0.1 ap1200(config-subif)# encapsulation dot1q 1 native

Furt her VLANs can be configured in a sim ilar way, om it t ing t he nat ive. I t is com m on pract ice t o keep t he subint erface num ber equal t o t he VLAN t ag. For exam ple, t o configure VLAN 10, t he following com m ands would be used. To configure VLAN 20, all t he references t o 10 would be replaced wit h 20.

ap1200# configure terminal ap1200(config)# interface dot11radio0.10 ap1200(config-subif)# encapsulation dot1q 10 ap1200(config-subif)# interface fastethernet0.10 ap1200(config-subif)# encapsulation dot1q 10

Configuring Security Radio net works are broadcast from an AP as an SSI D. Each SSI D act s som ewhat like it s own virt ual self- cont ained access point wit hin t he 1200. Each SSI D can have it s own securit y configurat ion, as well as it s own VLAN m apping. I nt erest ingly enough, t he VLAN m apping is slight ly spongy. A default VLAN can be assigned t o an SSI D. I f t he RADI US server in use ret urns a different VLAN, t he client device will be re- m apped on t o t he specified VLAN. [ ] The per- SSI D default will only be used when not hing is supplied by t he RADI US server. ( This approach is not quit e as clean as m any ot her product s on t he m arket , which work on an eit her/ or basis wit h default VLANs and RADI US servers.) []

Cisco APs require a set of RADIUS tunnel attributes to be supplied, and they must be tagged. It requires the Tunnel-Type attribute to be set to "VLAN", the Tunnel-Medium-Type attribute to be set to IEEE-802, and the Tunnel-Private-Group-ID attribute to be set to the VLAN ID.

Aut hent icat ion t o each SSI D is configured using t he aut hent icat ion com m and. I n general, t his com m and will be set t o " open" aut hent icat ion, but m ay add EAP aut hent icat ion as an opt ional m et hod. The following com m ands configure an SSI D of babelfish t o m ap t o VLAN 42 while requiring EAP aut hent icat ion against t he server group r ad_eap.

ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# ssid babelfish ap1200(config-ssid)# vlan 42 ap1200(config-ssid)# authentication open eap rad_eap

To define t he RADI US server for EAP aut hent icat ion, define each server, and associat e it wit h a group. By default , RADI US servers t hat are not assigned UDP port s are assigned t o t he old RADI US port s ( 1645 and 1646) , so t hey m ust be explicit ly assigned t o t he new port s.

ap1200# configure terminal ap1200(config)#radius-server host 192.168.200.187 auth-port 1645 acct-port 1646 key MySecret ap1200(config)#radius-server host 192.168.200.188 auth-port 1812 acct-port 1813 key MySecret ap1200(config)#aaa group server radius rad_eap ap1200(config-sg-radius)#server 192.168.200.187 auth-port 1645 acct-port 1646 ap1200(config-sg-radius)#server 192.168.200.188 auth-port 1812 acct-port 1813

Configuring WPA-PSK WPA preshared keys are configured t hrough t he SSI D com m and. By set t ing t he SSI D up for WPA key m anagem ent , it is possible t o specify eit her an ASCI I or hexadecim al pre- shared key for use wit h WPA.

ap1200(config)#interface dot11radio 0 ap1200(config-if)#ssid LuminiferousEther ap1200(config-ssid)#authentication key-management wpa optional ap1200(config-ssid)#wpa-psk ascii Thisisaverylongsecretpresharedkey!

Monitoring A basic m onit oring t ool is t he list of associat ed st at ions, which can be obt ained from an unprivileged pr om pt :

ap1200> show dot11 association 802.11 Client Stations on Dot11Radio0: SSID [LuminiferousEther] : MAC Address IP address Device 0002.2d6e.abda 192.168.200.150 -

Name -

Parent self

State Assoc

To view det ails on a part icular associat ion, ask for it by MAC address. The com plet e associat ion record will be print ed out , including t he t ypes of encrypt ion in use. This st at ion is associat ed and uses TKI P for encrypt ion.

ap1200> show dot11 association 0002.2d6e.abda Address : 0002.2d6e.abda Name : IP Address : 192.168.200.150 Interface : Dot11Radio 0 Device : Software Version : CCX Version : State : Assoc SSID : LuminiferousEther Hops to Infra : 1 Clients Associated: 0 Tunnel Address :0.0.0.0 Key Mgmt type : WPA PSK Current Rate : 11.0 Supported Rates : 1.0 2.0 5.5 11.0 Signal Strength : -39 dBm Signal Quality : 79 % Power-save : Off

Parent : self VLAN : 0 Association Id : 120 Repeaters associated: 0 Encryption Capability

: TKIP :

Connected for : 1463 seconds Activity Timeout : 55 seconds Last Activity : 4 seconds ago

Packets Input Bytes Input Duplicates Rcvd Decrypt Failed MIC Failed MIC Missing

: : : : : :

535 61629 0 0 0 0

Packets Output Bytes Output Data Retries RTS Retries

: : : :

245 137018 18 0

Troubleshooting I OS has ext ensive debugging facilit ies t hat can be used t o t roubleshoot problem s. Tracing is act ivat ed by t he debug com m and, which is followed by t he area t o perform t racing on. By default , t racing is sent t o t he console. I f you are at t ached t o t he device over t he net work, you will need t o send t he debugging out put t o t he current login screen wit h t he following com m and:

ap1200# terminal monitor

The m ost t roublesom e part of working wit h secure 802.11 net works is t he init ial associat ion and key dist ribut ion phase. Troubleshoot ing of t hese act ions can be accom plished wit h debug dot 11 and it s subcom m ands. Som e com m on t roubleshoot ing debugging com m ands are shown in Table 20- 2 .

Ta ble 2 0 - 2 . Cisco 1 2 0 0 de bu ggin g com m a n ds D e bu g a r e a

Com m a n ds

Re m a r k s

debug radius aut hent icat ion EAP aut hent icat ion

debug dot 11 aaa aut hent icat or process debug dot 11 aaa aut hent icat or st at e- m achine

MAC filt ering

debug dot 11 aaa aut hent icat or m ac- aut hen

Print s out RADI US packet s; decodes at t ribut es; explains act ions May show servers t im eout or fail

Shows MAC addresses and response from aut hent icat ion syst em

debug dot 11 aaa aut hent icat or process WPA

debug dot 11 aaa aut hent icat or st at e- m achine

Shows key exchange

debug dot 11 aaa m anager keys

Turning off debugging is sim ple. Just ent er t he following com m and:

ap1200# undebug all

Apple AirPort There are now t wo t ypes of AirPort base st at ions t hat are on t he m arket from Apple. Bot h t he AirPort Express and AirPort Ext rem e Base St at ion are 802.11g devices. The AirPort Ext rem e is designed m ore as a hom e gat eway, and it has a m odem and ext ernal ant enna port . Alt hough m ore cost ly t han a num ber of ot her devices on t he m arket , it is also m ore funct ional and is a com m on sm all- office solut ion.

First-Time Setup The first - t im e set up is done wit h t he sam e AirPort Set up Assist ant applicat ion t hat configures new wireless int erfaces. AirPort s fresh out of t he shrink wrap broadcast t heir exist ence t o t he world so t hat a Mac OS client can be used for configurat ion. Aft er connect ing t o t he AirPort and clicking t hrough t o t he configurat ion screen, t he net work securit y set up screen of Figure 20- 3 is present ed. The configurat ion displayed shows a WPA pre- shared key securit y m et hod. I t is also possible t o configure WEP from t his screen.

Figu r e 2 0 - 3 . N e t w or k se cu r it y se t t in gs

The Management Interface

Once t he boot st rap configurat ion is done wit h t he Set up Assist ant , t he AirPort Base St at ion is on t he net work and m ust be configured wit h t he AirPort Ut ilit y ( Figure 20- 4) . This is a separat e configurat ion ut ilit y t hat will feel vaguely fam iliar if you have ever seen Lucent 's AP Manager. When it is st art ed, t he AirPort Adm in Ut ilit y searches all t he AirPort base st at ions on t he net work and displays t hem in a list . I ndividual base st at ions can be select ed for furt her configurat ion. When changes are m ade, t he base st at ion m ust be rest art ed for t he changes t o t ake effect . The " Ot her" but t on at t he t op allows configurat ion of any AirPort Base St at ion t hat t he m anager can send I P packet s t o. Faraway base st at ions m ay not appear on t he browse list , but by clicking on " Ot her" and ent ering an I P address, t he Manager can configure any base st at ion t o which it has I P connect ivit y.

Figu r e 2 0 - 4 . Air Por t Adm in Ut ilit y m a in scr e e n

Configuring the wireless interface When a base st at ion is select ed for configurat ion, t he configurat ion screen will pop up. Several t abs are used t o group configurat ion inform at ion int o logical subset s, and t he wireless int erface configurat ion is available by default . Across t he t op, t here are but t ons t o rest art t he access point , upload new firm ware, ret urn t he base st at ion t o fact ory default s, and change t he password. ( New firm ware is dist ribut ed as part of t he Adm in Ut ilit y package, and will aut om at ically be used t o updat e old AirPort s as t he m anager discovers t hem .) The AirPort configurat ion is shown in Figure 20- 5. Securit y set t ings are sim ilar t o t hose shown in previously in Figure 20- 3. The " closed net work" opt ion prevent s t he inclusion of t he SSI D inform at ion elem ent in Beacon fram es and requires t hat st at ions associat ing provide it . I t is a t oy securit y opt ion, and does not really close t he net work. As dual- m ode 802.11b/ g devices, it is possible t o configure t hem in a b/ g com pat ibilit y m ode, or at t em pt t o keep 802.11b devices off t he net work t o reduce t he overhead of prot ect ion.

Figu r e 2 0 - 5 . W ir e le ss in t e r fa ce con figu r a t ion

Configuration of the LAN interface The AirPort m ay be used as a NAT device, in which case it will t ranslat e I P t raffic from wireless devices on t o it s address on t he Et hernet int erface. Client com put ers can be st at ically addressed by t he net work adm inist rat or, or t he built - in DHCP server can be t urned on and assigned a range of addresses t o assign t o client s. When NAT is used t o hide several com put ers behind one I P address, t he address specified in t he I nt ernet propert ies is used as t he public address. The wired LAN int erface is given t he privat e address 10.0.1.1, and DHCP is used t o lease out addresses from 10.0.1.2 t o 10.0.1.200 ( in t his case, you can't select t he range of addresses for t he DHCP server t o give out ) . The AirPort base st at ion can be connect ed t o wired net works by it s Fast Et hernet LAN port if t he DHCP server is disabled. The Port Mapping t ab, shown in Figure 20- 6, can be used t o add inbound st at ic port m appings. The public port is t ranslat ed t o t he privat e I P address and port num ber list ed in t he m apping. The figure illust rat es an address t ranslat ion for inbound web services t o port 80 on host 10.0.1.201.

Figu r e 2 0 - 6 . Por t M a ppin g t a b

Access control Like m ost ot her product s, t he AirPort Base St at ion support s filt ering by client MAC address. The Access Cont rol t ab let s you ident ify client s by t heir AirPort I D ( MAC address) and add t hem t o a list of allowed client s, t oget her wit h a descript ion.

Chapter 21. Logical Wireless Network Architecture Planning a wireless LAN inst allat ion is a significant undert aking t hat cut s across m any previously disparat e disciplines. This chapt er begins t he discussion of wireless LAN deploym ent by t ackling t he net work archit ect ure. Net work design is about t rade- offs bet ween several fact ors, including cost , m anageabilit y, availabilit y, and perform ance. Wireless net works add t he addit ional dim ension of m obilit y t o t he m ix. Wireless net works oft en ext end an exist ing wired infrast ruct ure. The wired infrast ruct ure m ay be quit e com plex t o begin wit h, especially if it spans several buildings in a cam pus set t ing. Wireless net works depend on having a solid, st able, well- designed wired net work in place. I f t he exist ing net work is not st able, chances are t he wireless ext ension is doom ed t o inst abilit y as well. This chapt er discusses four approaches t o building a wireless LAN. All are discussed in t erm s of t he t echnical feat ures of wireless LANs t hat influence how you design your wireless net work. How do t he feat ures of wireless LANs influence net work t opology? Besides t he 802.11 equipm ent , what ot her equipm ent is needed t o deploy a net work? How should t he logical net work be const ruct ed for m axim um m obilit y?

Evaluating a Logical Architecture Before present ing any t opologies in det ail, I will discuss how t o evaluat e a proposed net work. Each of t he t opologies present ed in t his chapt er has it s own st rengt hs and weaknesses. Choosing a t opology depends on which crit eria are com pelling on your net work. Here are discuss several evaluat ion crit eria t hat I have found t o be im port ant .

Mobility Port abilit y result s in a product ivit y gain because users can access inform at ion resources wherever it is convenient t o do so. At t he core, however, port abilit y rem oves only t he physical barriers t o connect ivit y. I t is easy t o carry a lapt op bet ween several locat ions, so people do. But port abilit y does not change t he rit ual of connect ing t o net works at each new locat ion. I t is st ill necessary t o physically connect t o t he net work and reest ablish net work connect ions, and net work connect ions cannot be used while t he device is being m oved. I f, for exam ple, you have a rem ot ely m ount ed filesyst em and put a lapt op t o sleep, it m ay not be t here when t he lapt op wakes up in a different locat ion. Any open files or act ivit y against t he filesyst em m ay need t o t im eout before you can regain cont rol of t he com put er. DHCP client s m ay im pose m ore pedest rian rest rict ions. Com m on DHCP client s at t em pt t o renew t he lease on t he last address obt ained, and m ay need t o go t hrough m ult iple DHCP exchanges t o get an address on a new I P subnet . Mobilit y, on t he ot her hand, is a far m ore powerful concept : it rem oves furt her barriers, m ost of which are based on t he logical net work archit ect ure. Net work connect ions st ay act ive even while t he device is in m ot ion. This is crit ical for t asks requiring persist ent , long- lived connect ions, which m ay be found in dat abase applicat ions. Support personnel frequent ly access a t racking dat abase t hat logs quest ions, problem s, and resolut ions. The sam e argum ent can be m ade for a num ber of t racking applicat ions in a healt h care set t ing. Accessing t he dat abase t hrough a wireless net work can boost product ivit y because it allows people t o add sm all am ount s of inform at ion from different locat ions wit hout needing t o reconnect t o t he dat abase each t im e. I nvent ory applicat ions are anot her exam ple and one of t he reasons why ret ail and logist ics are t wo of t he m arket s t hat have been quicker t o adopt 802.11. When t aking invent ory, it m akes far m ore sense t o count boxes or product s where t hey sit and relay dat a over a wireless net work t han t o record dat a on paper and collat e t he dat a at t he end of t he process. [ * ] [*]

Indeed, the early adopters of wireless LAN technology tended to be in organizations where the work was mobilehealth care, logistics, and education.

Tradit ional wired Et hernet connect ions provide port abilit y. I can t ake m y lapt op com put er anywhere on t he cam pus at work and plug in. ( I f I 'll t olerat e slow speeds, I can even m ake a phone call and access m y corporat e net work anywhere in t he world.) Each t im e I access t he net work, t hough, I 'm st art ing from scrat ch. I have t o reest ablish connect ions, even if I only m oved a few feet . What I 'd really like is t o walk int o t he conference room and connect t o t he corporat e net work wit hout doing anyt hing.

Defining "mobility"

Wireless net working and m obilit y are int ert wined concept s. Wit hout m obilit y, wireless net working would not be part icularly int erest ing. Mobilit y m eans t hat applicat ions j ust work, no m at t er where t he com put er is. Unfort unat ely, building a net work t hat provides locat ion- independent services requires a great deal of locat ion- based configurat ion and knowledge. Translat ing t he high- level definit ion of m obilit y int o t echnical det ails can be done in several different ways. Many t echnologies can be used t o provide m obilit y for net work users, and not all of t hem are good. Providing net work t ransport t hat is t ruly independent of t he applicat ion and t ransparent t o it has several requirem ent s.

1 . Consist ent MAC- layer at t achm ent t o t he sam e link- layer net work. Mobilit y requires t hat t he exist ing dat a- link layer look t he sam e regardless of locat ion. Ext ensive engineering in 802.11 provides link- layer m obilit y.

a . Transparent handoffs bet ween access point s. Users m ay need t o perform an init ial configurat ion operat ion t o select a net work t o connect t o, but t hey should not be involved in handoff decisions. I f t he signal st rengt h get s t oo low, t he soft ware should at t em pt t o locat e a bet t er signal and t ransfer t o it wit hout user int ervent ion. Every wireless card I am aware of current ly swit ches bet ween access point s t hat are part of t he sam e net work. 802.11 was designed around t his requirem ent , and any piece of wireless LAN equipm ent you buy should have no t rouble m eet ing it . b. The int er- access point handoff can break down when t he access point s are locat ed in different broadcast dom ains. I f t wo st at ions are exchanging fram es and one m oves t o a new access point , 802.11 cannot guarant ee t hat t he t wo st at ions st ay at t ached t o t he sam e broadcast dom ain. One opport unit y for vendors t o im prove on 802.11 is t o link access point s wit h t he sam e SSI D t oget her so t hey no m at t er where t hey at t ach t o t he net work, st at ions in t he wireless LAN at t ach t he sam e broadcast dom ain everywhere, even if t he access point s are connect ed t o different local broadcast dom ains. c. Moving a client syst em bet ween t wo access point s also requires eit her set t ing up a new set of securit y param et ers for encrypt ion and int egrit y prot ect ion, or t ransferring securit y param et ers from t he old access point t o t he new access point . 802.11 does not specify eit her procedure. Depending on t he hardware in use, t he process of est ablishing a securit y cont ext wit h t he new access point can t ake a fair am ount of t im e. I n bulk dat a t ransfer, t he blip m ay not be not iceable; for voice conversat ions, it oft en is. 2 . No configurat ion changes are required t o t he client net work st ack. For t he m ost part , t his m eans t hat client s can m aint ain t he sam e net work address as t hey m ove t hroughout t he net work. I n m ost net works, t he address is an I P address, alt hough t here m ay be som e applicat ions t hat require m aint enance of ot her net work prot ocol addresses as well. Ext ensive engineering has been devot ed t o net work layer m obilit y, especially in t he I P world, which t radit ionally has not provided it . Address m aint enance is a m aj or net work engineering challenge, especially if it is required across what would ot herwise be an I P subnet boundary.

a . Before m aint aining an address, t he client m ust obt ain one. At t he init ial connect ion t o a wireless LAN, t he syst em should som ehow get an address, m ost likely t hrough DHCP. That address should be used for t he durat ion of t he wireless LAN session. From t he client 's perspect ive, it keeps t he I P address as it m oves t hrough t he net work, and does not need t o alt er it s address or any ot her st ack inform at ion t o at t ach t o any new access point s. b.

b. Wireless net works can have brief int errupt ions of connect ivit y as client s m ove bet ween coverage areas or suffer from t ransient radio link problem s. For brief int errupt ions, access point s should m aint ain enough session inform at ion so t hat t he client can sim ply rej oin t he net work. Access point s m ay also need t o buffer fram es so t hat client s can fet ch any t raffic t hat was received during t he int errupt ion. c. Equally im port ant , t he client m ust appear t o m aint ain it s address. I f t he client connect s t o a server som ewhere, t he server should be able t o use t he sam e address for t he durat ion of t he connect ion. Furt herm ore, any ot her st at e t he net work m aint ains is oft en associat ed wit h an I P address. Many net works use NAT t o reach t he I nt ernet , and t he NAT records are associat ed wit h t he client I P address. d. Depending on t he applicat ion, it m ay be necessary t o have logical net work pat h preservat ion. Transm it t ed fram es m ust always em erge from t he sam e egress point on t he net work, so t hey are subj ect t o what ever cont rols t he net work requires. No m at t er what t he locat ion of t he client t hroughout t he net work, it always appears as if it is at t ached t o t he sam e point at t he edge of t he net work. No single t echnology supplies all of t he com ponent s of m obilit y. At t he link layer, m uch is provided by 802.11, alt hough addit ional funct ionalit y is oft en required above and beyond what t he st andard lays out . By and large, m oving t he associat ion bet ween access point s is easy. I n net works t hat do not use link- layer securit y, bridging records can be t ransferred bet ween access point s in a few m illiseconds t o t ens of m illiseconds. Re- est ablishing t he link- layer securit y cont ext m ay t ake a few hundred m illiseconds, and depends heavily on t he responsiveness of t he aut hent icat ion server. Som e com panies have devot ed significant engineering resources t o building product s t hat accelerat e t he securit y cont ext est ablishm ent . Newer " Wi- Fi swit ch" product s m ay also speed up t he roam ing process by holding client associat ion records in a cent ralized locat ion so t hat t here is no need t o t ransfer it bet ween APs. At t he net work layer, several different approaches m ay be t aken t o offer net work- layer m obilit y. Several early devices used address t ranslat ion ( NAT) . NAT is not , never has been, and never will be a m obilit y prot ocol. By dragging t he net work infrast ruct ure up int o higher prot ocol layers, any failure of t he t ranslat ion breaks applicat ions. Som e applicat ions are alm ost incom pat ible wit h NAT, such as H.323, while ot hers require specific applicat ion support , such as I Psec's use of NAT Traversal. Som e devices rely heavily on NAT t o provide m obilit y. Avoid t hem . Som e form of t unneling is oft en used t o provide applicat ion- independent m obilit y. Client devices are designat ed wit h a " hom e" net work, and t hen int er- AP prot ocols aut om at ically direct t raffic back t o t he hom e locat ion from any place it is not direct ly accessible. Tunneling prot ocols m ust be defined at t he net work layer so t hat t unnels can carry dat a across arbit rary net work boundaries. However, t he t unneling prot ocol it self m ay work at t he link layer ( m aking VLAN at t achm ent point s available t hroughout t he net work) or at t he net work layer ( m aking I P addresses rout able t hroughout t he net work) . The only open indust ry st andard t unneling prot ocol is Mobile I P ( see sidebar lat er in t his chapt er) . One challenge net work archit ect s oft en face is t he dist ance over which m obilit y m ust be provided. Sm all inst allat ions are easy because t here are a num ber of t echniques t hat offer com parable funct ionalit y for up t o 25 access point s. The real challenges com e when designing m obilit y for larger inst allat ions, or organizat ions t hat have widely dist ribut ed locat ions. Part of t he key t o designing a successful m obilit y solut ion is t o det erm ine what users expect . What sort of t asks require t hat an I P address be cont inuously m aint ained? I nt eract ive t erm inal sessions, such as t elnet and SSH, require t hat t he source I P address rem ain t he sam e. Ot her applicat ions m ay be able t o init iat e new connect ions upon reat t aching t o t he net work, and t he process of reconnect ing m ay be t ransparent t o t he users. Generally speaking, m ost users do not expect t o m aint ain an I P address if t hey need t o use a car, t rain, or plane t o t ravel bet ween net work sit es. St ill, large, spread- out cam puses m ight require higher- t han- average m obilit y support .

Call it t he " dinosaur j uice" rule for m obilit y: if you burn fossil fuels for t ransport at ion, it is probably accept able for t he I P address t o change.

Mobile IP One of t he m ost t alked- about developm ent s in wireless net works in t he past few years is t he em ergence of t he new " Wi- Fi swit ch" archit ect ure. I n broad t erm s, Wi- Fi swit ches m ove net work funct ions from access point s int o an aggregat ion device t hat provides cont rol and m anagem ent funct ions. 802.11 perform s a sleight - of- hand t rick wit h MAC addresses: st at ions com m unicat e wit h a MAC address as if it were fixed in place, j ust like any ot her Et hernet st at ion. I nst ead of being fixed in a set locat ion, however, access point s not e when t he m obile st at ion is nearby and relay fram es from t he wired net work t o it over t he airwaves. I t does not m at t er which access point t he m obile st at ion associat es wit h because t he appropriat e access point perform s t he relay funct ion. The st at ion on t he wired net work can com m unicat e wit h t he m obile st at ion as if it were direct ly at t ached t o t he wire. Mobile I P perform s a sim ilar t rick wit h I P addresses. The out side world uses a single I P address t hat appears t o rem ain in a fixed locat ion, called t he hom e locat ion. Rat her t han being serviced by a user's syst em , however, t he I P address at t he hom e locat ion ( t he hom e address) is serviced by what is called t he hom e agent . Like t he access point , t he hom e agent is responsible for keeping t rack of t he current locat ion of t he m obile node. When t he m obile node is " at hom e," packet s can sim ply be delivered direct ly t o it . I f t he m obile node at t aches t o a different net work ( called a foreign net work or visit ed net work ) , it regist ers it s so- called foreign locat ion wit h t he hom e agent so t hat t he hom e agent can redirect all t raffic from t he hom e address t o t he m obile node on t he foreign net work. Consider t wo wireless LANs built on different I P subnet s. On it s hom e subnet , a wireless st at ion can send and receive t raffic " norm ally." When t he wireless st at ion m oves from it s hom e subnet t o t he second ( " foreign" ) subnet , it at t aches t o t he net work using t he norm al procedure. I t associat es wit h an access point and probably request s an I P address using DHCP. On a wireless st at ion t hat is unable t o use Mobile I P, connect ions are int errupt ed at t his point because t he I P address changes suddenly, invalidat ing t he st at e of all open TCP connect ions. Wireless st at ions equipped wit h Mobile I P soft ware, however, can preserve connect ion st at e by regist ering wit h t he hom e agent . The hom e agent can accept packet s for t he m obile st at ion, check it s regist rat ion t ables, and t hen send t he packet s t o t he m obile st at ion at it s current locat ion. The m obile st at ion has, in effect , t wo addresses. I t has it s hom e address, and it can cont inue t o use t his address for connect ions t hat were est ablished using t he hom e address. I t m ay also use t he address it has been assigned on t he foreign net work. No TCP st at e is invalidat ed because t he m obile st at ion never st opped using it s hom e address. Nat urally, syst em adm inist rat ors ( right ly) rebel at inst alling new soft ware on end- user syst em s. An alt ernat ive is t o use proxy m obile I P, in which t he net work edge incorporat es t he funct ions of t he agent soft ware. Moving Mobile I P funct ions int o t he access point s elim inat es t he need t o inst all client soft ware, alt hough it does increase t he

com plexit y of t he access point s.

I have om it t ed a great deal of t he prot ocol operat ions. Designing a prot ocol t o allow a st at ion t o at t ach anywhere in t he world and use an address from it s hom e net work is a significant engineering endeavor. Several securit y problem s are evident , m ost not ably t he aut hent icat ion of prot ocol operat ions and t he securit y of t he redirect ed packet s from t he hom e net work t o t he m obile st at ion's current locat ion. Maint aining accurat e rout ing inform at ion, bot h t he t radit ional forwarding t ables at I nt ernet gat eways and t he Mobile I P agent s, is a m aj or challenge. And, of course, t he prot ocol m ust work wit h bot h I Pv4 and I Pv6. For a far m ore det ailed t reat m ent of Mobile I P, I highly recom m end Mobile I P: Design Principles and Pract ices by Charles Perkins ( Prent ice Hall) .

Security As t he net works of t he world have unit ed int o a single, globe- spanning behem ot h, securit y has t aken on new im port ance. Wireless LANs were once t he bane of securit y- conscious net working organizat ions, but newer t ools m ake it easier t o build net works wit h significant securit y prot ect ions. I n addit ion t o t radit ional securit y issues such as t raffic separat ion bet ween user groups and m aint aining appropriat e access privileges, wireless net works present new challenges, like rogue access point s and unaut horized client s. Many of logical archit ect ure's securit y ram ificat ions are relat ed t o t he select ion of encrypt ion and aut hent icat ion prot ocols. But t he archit ect ure m ay have som e addit ional securit y im plicat ions based on t echnology available at t he edge of t he net work. Tradit ional access point s are aut onom ous devices t hat act as independent net work elem ent s. Access point s are placed out in user areas, and are usually not physically secured. Unfort unat ely, t he popularit y of 802.11 m ay m ake unsecured access point s in public areas t arget s for t heft . Tradit ional access point s have local soft ware and configurat ion, and m ay also be at t ract ive t arget s t o at t ackers who can use learn sensit ive securit y inform at ion from t he configurat ion, such as t he RADI US shared secret . Newer " t hin" access point s help address t his concern by rem oving a great deal of funct ionalit y from t he access point and pulling it back int o secured cont rollers t hat can be locked away in wiring closet s. At t ackers m ay also rem ove access point s t o obt ain addit ional net work privileges. I n som e archit ect ures, access point s m ust be connect ed t o relat ively privileged net work port s. I f, for exam ple, several VLANs are m ade available t hrough a wireless net work, m any access point s require t hat t he access point connect t o a link t agged wit h all t he available VLANs. I n such a set up, an at t acker m ay obt ain direct access t o t he backbone by rem oving an access point and connect ing t o it s port . One addit ional concern is t hat m any governm ent net works need t o be designed t o com ply wit h regulat ions and best pract ices. The Nat ional I nst it ut e of St andards and Technology ( NI ST) is responsible for developing m any of t he com put ing st andards used by t he U.S. federal governm ent ; t hese st andards are referred t o as Federal I nform at ion Processing St andards ( FI PS) . One part icular st andard, FI PS- 140, lays out requirem ent s for secure net work designs. Not surprisingly, FI PS- 140 specifies t hat cert ain t ypes of dat a m ust be encrypt ed. Less obviously, FI PS- 140 also requires t hat approved encrypt ion algorit hm s and m odes m ust be used. Not all securit y prot ocols and st andards are creat ed equal, and only som e net work designs are capable of m eet ing FI PS- 140 crit eria. FI PS requirem ent s affect m ost federal agencies, but m ay also exert a powerful influence by requiring com pliance on t he part of an agency's suppliers and cont ract ors. ( FI PS requirem ent s are discussed in m ore det ail in Chapt er 22.)

Performance

For t he benefit of m obilit y, wireless net works im pose a cost . Sim ply, perform ance is nowhere near what can be expect ed from a well- engineered wired LAN. Wireless net works have sm aller advert ised bit rat es t han wired LANs. To m ake m at t ers worse, t he big num ber in t he glossy brochure om it s a great deal of prot ocol overhead. [ ] Table 21- 1 gives rule- of- t hum b est im at es for t he m axim um t hroughput based on t he t echnology. []

The effective throughput is actually much lower. Quantifying the exact impact of the protocol overhead is very difficult; for one straw-man calculation, see http://www.oreillynet.com/pub/a/wireless/2003/08/08/wireless_throughput.html.

Ta ble 2 1 - 1 . M a x im u m t h r ou gh pu t for diffe r e n t 8 0 2 .1 1 t e ch n ologie s Adve r t ise d t h r ou gh pu t

Est im a t e d m a x im u m con t in u ou s t h r ou gh pu t

Est im a t e d m a x im u m pe r ce ive d t h r ou gh pu t w it h 5 :1 m u lt iple x in g fa ct or

802.11b

11 Mbps

6 Mbps

30 Mbps

802.11a

54 Mbps

30 Mbps

150 Mbps

802.11g, no prot ect ion

54 Mbps

30 Mbps

150 Mbps

802.11g, wit h prot ect ion

54 Mbps

15 Mbps

225 Mbps

802.11a+ 802.11b

11+ 54 Mbps

36 Mbps

180 Mbps

802.11a+ 802.11g ( wit hout prot ect ion)

54+ 54 Mbps

60 Mbps

300 Mbps

Te ch n ology Single radio syst em s

Dual radio syst em s

Unlike wired net works, t he speed at which wireless net works operat e depends on t he dist ance from t he nearest net work uplink. As st at ions m ove fart her from t he serving access point , signals becom e weaker and t he operat ional speed falls. Throughput depends on dist ance from t he access point and t he posit ion of t he device in a way t hat is unfam iliar t o users of wired net works. Throughput s in t he neighborhood of Table 21- 1 require very st rong signals, and by necessit y, lim it ed dist ances from t he access point . As a pract ical m at t er, m ost wireless LANs have been built for coverage. At t he fringes of connect ivit y, t hroughput is at t he lowest rat e for t he t echnology, not t he highest rat e. Figure 21- 1 illust rat es t he t ypical scenario. Alt hough st at ions close- in connect at t he m axim um dat a rat e, st at ions t hat are furt her away require m uch longer t im e int ervals t o t ransm it t he sam e dat a. Even if t he radio m edium is in const ant use, t he m axim um t hroughput of t he st at ions associat ed t o t he AP in Figure 21- 1 would be m uch less t han 6 Mbps. Even t hough t he m axim um dat a rat es shown in Figure 21- 1 are sm all, t he m agic of st at ist ical m ult iplexing can m ake t he rat e seem m uch bigger t han it is. Net works are based on t he principle t hat user t raffic is oft en quit e burst y. Alt hough users dem and a peak dat a rat e of a m egabit per second, users are oft en idle. The net work only needs t o supply t he peak dat a rat e during em ail fet ches and web page downloads; when t he connect ion is idle, ot her users can get t heir m egabit per second service. I n m y experience, a m ult iplexing fact or of bet ween 3: 1 and 7: 1 can be used t o account for t he burst iness of net work t raffic. Alt hough an 802.11b net work m ay only deliver 6 Mbps, it can accom m odat e 20- 30 users dem anding m egabit service because very few applicat ions require cont inuous service. ( Voice applicat ions are a not able except ion.) The last colum n in Table 21- 1 shows t he effect ive t hroughput wit h a 5: 1 m ult iplexing fact or. Depending on applicat ions and experience,

you m ay need t o use a higher or lower fact or on your net work. Figure 21- 1 is only a qualit at ive display of how t he speed of a net work changes wit h dit sance. Freespace loss calcuat ions can be used t o get a m ore quant it at ive grasp of a net work's range and propagat ion charact erist ics. Free- space loss, or pat h loss, is t he t ransm ission loss over space, wit h no obst ruct ions. I t is an " ideal" num ber, describing only how t he elect rom agnet ic waves dim inish in st rengt h over dist ance while neglect ing a num ber of fact ors t hat are relevant t o building 802.11 net works. I ndoor net works m ust deal wit h walls, windows, doors, and t he fact t hat m any signals m ay not be line of sight . Free- space loss calculat ions assum e t he noise floor is also sufficient ly low t hat t he receiver sensit ivit y is t he lim it ing fact or. I n m any environm ent s, t he num ber of unlicensed devices operat ing in t he 2.4 GHz I SM band push up t he noise floor well past t he lower lim it s of m any receivers.

Figu r e 2 1 - 1 . D e pe n de n ce of pe r for m a n ce on r a n ge

Free- space loss depends only on t wo input s: t he frequency of t he signal and t he dist ance it m ust cover. Higher frequencies at t enuat e fast er, as do longer dist ances.

Table 21- 2 is based on a free- space calcuat ion for bot h 2.4 GHz and 5 GHz wireless LANs. For t he I SM frequency, it uses 2.437 GHz, t he cent er frequency of channel 6. For t he 5 GHz frequency, it uses 5.250 GHz, which is t he m idpoint of t he U- NI I lower and m id- bands. ( Som e early 802.11 cards were only able t o funct ion in t he t wo low bands, so som e net works rest rict 802.11a channel usage t o t he first 8.) I t assum es t hat power is t ransm it t ed at t he m axim um of 20 dBm ( 100 m W) in t he 2.4 GHz band, and at t he m axim um pract ical power of 14 dBm ( 25 m W) for m any 802.11a devices. For a receiver cut - off, t he sensit ivit y list ed on t he dat a sheet for t he Cisco CB- 21 a/ b/ g client card was used. By using t he sensit ivit y direct ly, it is an im plied assum pt ion t hat t he noise floor is significant ly below t he values list ed in t he sensit ivit y colum n. Do not expect t o get t he ranges not ed in t his t able, since it is only a calculat ion of t he m axim um ideal range. I t is, however, a useful guide t o com paring different m odulat ion rat es as well as t he different frequency bands in use.

Ta ble 2 1 - 2 . Fr e e - spa ce r a n ge for diffe r e n t m odu la t ion spe e ds M odu la t ion Se n sit ivit y t ype a n d spe e d ( Cisco CB- 2 1 )

M a x im u m fr e e spa ce r a n ge ( m e t e r s)

Fr e e - spa ce r a n ge r e la t ive t o m a x im u m spe e d

Pe r ce n t a ge of m a x im u m r a n ge m odu la t ion

2.4 GHz 1 Mbps DSSS

- 94

4,850

13.9

100%

2 Mbps DSSS

- 93

4,300

12.3

89%

5.5 Mbps CCK

- 92

3,850

11.0

79%

11 Mbps CCK

- 90

3,050

8.7

63%

6 Mbps OFDM

- 86

1,930

5.5

40%

9 Mbps OFDM

- 86

1,930

5.5

40%

12 Mbps OFDM

- 86

1,930

5.5

40%

18 Mbps OFDM

- 86

1,930

5.5

40%

24 Mbps OFDM

- 84

1,530

4.4

32%

36 Mbps OFDM

- 80

970

2.8

20%

48 Mbps OFDM

- 75

550

1.6

11%

54 Mbps OFDM

- 71

350

1.0

7%

6 Mbps OFDM

- 89

630

7.0

100%

9 Mbps OFDM

- 89

630

7.0

100%

12 Mbps OFDM

- 89

630

7.0

100%

18 Mbps OFDM

- 85

400

4.4

63%

24 Mbps OFDM

- 82

280

3.1

44%

36 Mbps OFDM

- 79

200

2.2

32%

48 Mbps OFDM

- 74

110

1.2

18%

54 Mbps OFDM

- 72

90

1.0

14%

5 GHz

The perform ance of a wireless net work differs from a wired net work in anot her im port ant way. Most

wireline net works are built using swit ches, so m ult iple independent t raffic flows can be swit ched independent ly. Wireless net works are inherent ly a shared m edium . Wit hin an access point 's coverage area, only one client m ay t ransm it dat a. Wireless net works oft en are built sim ply t o cover an area. As t hey becom e popular, net work adm inist rat ors m ust add capacit y by shrinking t he coverage area of individual APs t o reduce bandwidt h cont ent ion. Lim it ing bandwidt h cont ent ion by m aking coverage areas sm aller is t he approach t aken by m ost " Wi- Fi swit ches." Physical charact erist ics of t he wireless m edium negat ively affect perform ance and service qualit y. 802.11 uses a fully- acknowledged MAC for reliabilit y, but t he need for acknowledgm ent s increases t he t ransm ission lat ency for fram es. Lost packet s and t he pot ent ial for ret ransm ission m ay also increase t he variabilit y in lat ency, called j it t er . For som e applicat ions, t he difference in service is im percept ible t o t he user. Bulk dat a t ransfers depend m uch m ore on available capacit y t han t he service qualit y. However, if you plan t o run voice on your wireless net work, you will need t o spend som e t im e engineering accept able service qualit y. Voice depends on regular delivery of sm all am ount s of dat a, not high t hroughput . Som e of t he archit ect ures discussed in t his chapt er are bet t er suit ed t o applicat ions wit h dem ands for high qualit y net work service. Tradit ional qualit y of service queuing and cont rols are im port ant not only because of t he need t o cope wit h t he relat ively low reliabilit y of wireless signals, but also because t he bandwidt h is so lim it ed. Wit h only a few m egabit s per second on each access point , a single ill- behaved client can soak up all t he available capacit y. Som e access point s provide bet t er t raffic shaping and policing t o engineer allocat ion of scarce wireless m edium capacit y t han ot hers, and som e logical archit ect ures are bet t er able t o cope wit h high- bandwidt h applicat ions. As wit h m any ot her net work engineering t asks, building a wireless LAN wit h t he necessary perform ance is a m at t er of analyzing t he t ypes of applicat ions you int end t o run on t he LAN and rem oving as m any bot t lenecks as possible. I n som e cases, it m ay be possible t o build enough net work capacit y t o provide t he required user experience. For ot her applicat ions, it m ay be necessary t o m anage resource allocat ions using t raffic m anagem ent t ools on t he access point s m aking up t he net work.

Backbone Engineering Access point s are t he edge of t he ever- expanding net work. I n m ost cases, t hey do not offer new net work services; t hey j ust m ake exist ing services m ore widely available and easy t o use. As edge devices, t hough, t hey m ust plug int o a net work core t o int erconnect users wit h resources. Expect t o do som e addit ional configurat ion of t he net work core when wireless is added t o t he edge of t he LAN. When 802.11 was a new st andard and product s had j ust em erged, t here was no m obilit y except for what t he net work engineers creat ed, and no t raffic separat ion at all. Mobilit y was ent irely up t o t he net work engineer. I f t he access point s could be placed in a single link layer net work, m obilit y exist ed. I f not , m obilit y rem ained elusive. Early wireless LANs required, as a m at t er of pract ice, t hat t he net work be built around a swit ched core so t hat a single subnet snaking t hrough t he ent ire cam pus could be used t o connect up all t he access point s. Many newer net works are built around a swit ched core, but older net works frequent ly have const raint s t hat prevent s building a purely swit ched core. Aft er t he first wave of product s arrived, t he indust ry produced devices t hat could at t ach users t o m ult iple VLANs. Alt hough t hese product s allowed for m ult iple user groups over t he air and t he backbone wire, t he backbone configurat ion im pact was even larger. Rat her t han ext ending a single VLAN t hrough t he cam pus for t he access point s, every VLAN had t o be ext ended t o every access point t hroughout t he cam pus. One of t he goals of cent ralized Wi- Fi cont rollers is t o furt her reduce backbone reengineering by allowing for sim pler configurat ions of t he access device connect ions.

Beacons, BSSIDs, and VLAN integration Ext ending exist ing VLANs over t he air is one of t he m aj or t asks t hat st andards groups are working on. I n t he m eant im e, vendors have t aken a variet y of approaches. As you evaluat e t hese approaches, t here are a few fundam ent als. 802.11 built in t he concept of having m ult iple " service set s," but did not explicit ly define what a service set was. Moreover, t here are t wo t ypes of service set ident ifiers ( SSI Ds) in 802.11. Ext ended Service Set I Ds ( ESSI Ds) are " net work nam es." [ * ] Mult iple APs can be configured t o advert ise a set of connect ions int o t he air. When a client wishes t o connect t o a wireless net work, it issues probes for t he ESSI D it is t rying t o find, and APs belonging t o t hat SSI D respond. ESSI Ds can be t ransm it t ed in Beacon fram es, alt hough t hey do not have t o be. ( ESSI D hiding is a securit y- t hrough- obscurit y pract ice; if you flip back t o Chapt er 9 you will not e t hat t he Probe Response fram e includes t he unencrypt ed SSI D.) The second t ype of service set , t he Basic Service Set I D ( BSSI D) , is t he MAC address of t he AP. I t is used as t he t ransm it t er or receiver address on fram es t hat are bridged bet ween t he wireless and wired net works. [*]

This is a bit of a simplification. ESSIDs are only network names for infrastructure networks. As always, this book generally assumes that you are running an infrastructure network, not an ad hoc network.

Generally speaking, each ESSI D being t ransm it t ed should have it s own BSSI D. Alt hough t here is not hing t o prevent an access point from t ransm it t ing m ult iple ESSI Ds in a single Beacon, or even responding t o ESSI Ds not included in it s Beacon, such behavior causes problem s for m any drivers. The Windows Zero Configurat ion soft ware, for exam ple, generally does not accept a configurat ion for a secondary, hidden ESSI D. Rat her t han probing for t he hidden ESSI D, it at t em pt s t o at t ach t o t he t ransm it t ed ESSI D in t he Beacon. When APs were first able t o at t ach users t o different VLANs, a com m on way of providing t he configurat ion t o users was t o expose each VLAN as an SSI D, and allow users t o choose. While such an approach allows a great deal of flexibilit y in t he way t hat users are assigned t o VLANs, and allows t hem t o swit ch bet ween VLANs as circum st ances dict at e, t he flexibilit y is a double- edged sword t hat m ay lead t o confusion for users as t hey select t he wrong configurat ion. Transm it t ing Beacon fram es for a num ber of ext ra SSI Ds requires t he use of scarce wireless net work capacit y. For m any environm ent s, it m akes m ore sense t o dynam ically assign users t o VLANs based on a user profile dat abase.

IP addressing I P addresses are oft en a reflect ion of t he physical net work t opology, and wireless net works are no different . Assigning I P addresses is a subordinat e decision t o t he t opology t hat you choose. Som e net work designs m ay require new address assignm ent s and rout ing configurat ion, while ot hers do not . Organizat ions t hat at t em pt t o allocat e address space hierarchically, perhaps for reasons of rout ing t able size, m ay find it difficult t o reconcile logical address assignm ent wit h t he underlying physical t opology. Furt herm ore, organizat ions t hat m ake use of regist ered I P address space m ay find t hat it is at a prem ium .

Network Services I deally, new net work devices should plug int o exist ing infrast ruct ure and j ust work wit h a m inim um of reconfigurat ion. A few net work services are im port ant t o t he user experience, and should be considered in som e det ail.

DHCP Users expect t o be able t o plug in t o a net work and j ust have it work. Wireless net works are no except ion, and can m ake t he problem worse. Users expect t o be able t o at t ach t o any wireless net work and have it j ust work. Pract ically speaking, t he only way t o have t he I P st ack for a wireless int erface self- configure appropriat ely for an arbit rary num ber of net works is t o use DHCP. Many access point s have built - in DHCP servers. Sm aller net works consist ing of an access point or t wo m ay choose t o use t he built - in DHCP service, but larger net works should have a single source of DHCP addressing inform at ion. Access point DHCP servers m ay not cope wit h t he load very well, and som e access point s m ay reclaim leased addresses when an associat ion lapses. Any DHCP service should have a view of t he t ot al available address space, and t his is best done out side t he access point . Access point s act like bridges, and pass DHCP request s from t he wireless net work t hrough t o t he wired net work, where a DHCP server can reply. Wit h j udicious use of DHCP helpers, a single server can support m ult iple I P net works, whet her t hey are im plem ent ed as VLANs or m ult iple wireless subnet s. Users expect DHCP, so use it . For m axim um effect , deploy as few DHCP servers as possible.

Operating system login One of t he challenges t o wireless net working is t hat validat ing user credent ials oft en depends on m aking a net work connect ion t o an aut hent icat ion server. For exam ple, Windows logins are validat ed against dom ain cont rollers. I n a wired world, m aking t hat connect ion is t rivial because t he net work is available whenever t he cable is plugged in. I n a wireless net work, t hough, t here is a bit of a chicken and egg problem . User credent ials are used t o aut hent icat e t he net work connect ion, but a net work connect ion is required t o validat e t he user credent ials. Not all operat ing syst em vendors have considered t his problem . I f yours has not , you m ay need t o configure special login feat ures or use addit ional client soft ware t o plug t he gap.

Client Integration Different logical archit ect ures require different client soft ware support . I t is easy t o build a net work t hat has no client int egrat ion beyond t he new drivers by leaving out securit y ent irely. However, securit y is a requirem ent for nearly every net work. The m ost basic level of securit y is a st at ic WEP key. Som e older devices m ay not support anyt hing bet t er t han st at ic WEP, in which case you are st uck wit h it in t he absence of a forklift upgrade. St at ic WEP configurat ion is t ypically built int o driver soft ware or client configurat ion ut ilit ies, and requires no m ore client int egrat ion t han using t he card it self. For securit y reasons, t hough, you want t o run som et hing ot her t han st at ic WEP if at all possible. Link- layer solut ions based on 802.1X offer significant advances in securit y, but require m ore sigificant client int egrat ion work. 802.1X supplicant soft ware m ust be loaded on t he client syst em and set up correct ly. Supplicant soft ware is incorporat ed int o recent operat ing syst em s ( Windows 2000, Windows XP, and Mac OS X 10.3) . Older syst em s m ay require a client soft ware package t o

im plem ent 802.1X. VPN solut ions vary, depending on bot h t he vendor and t he t ype of VPN t echnology. SSL- based VPNs work by direct ing client access t hrough a secure web sit e t hat act s as a port al for applicat ions. Because t he t echnology is based on a secure web sit e, t here is no client inst allat ion beyond t he web browser t hat probably is already inst alled on m ost syst em s. One downside t o SSL VPN t echnology, however, is securing non- web applicat ions m ay require addit ional effort and user ret raining. I Psec VPNs require a m uch m ore disrupt ive soft ware inst allat ion, but are m uch bet t er at handling an arbit rary I P- based applicat ion. One of t he reasons t hat VPN client soft ware loads are m ore com plex is t hat m ost vendors require t heir own VPN client for m axim um funct ionalit y bet ween t he client and gat eway. Som e organizat ions m ay be lim it ed in t heir abilit y t o im pose client soft ware on users. Universit ies, for exam ple, oft en have users who m ust open VPN t unnels t o ext ernal net work sit es. Professional developm ent classes are oft en t aken by st udent s who have careers, and m ay need t o connect t o corporat e resources from t he classroom . Generally speaking, I Psec t unnels inside I Psec t unnels wit h m ult iple client s is a configurat ion t hat does not work well, if at all.

Topology Examples Aft er deciding what is im port ant , you can sket ch out what t he wireless LAN will look like. Broadly speaking, t here are t wo m aj or ways of deploying a wireless LAN, and t he choice depends broadly on whet her you decide t o use securit y at t he link layer. This sect ion describes and analyzes four different m aj or archit ect ures for wireless LANs. To a cert ain ext ent , t his sect ion present s four fairly rigid exam ples. As t he m arket for wireless LAN net work hardware m at ures, equipm ent m ay incorporat e feat ures from m ult iple t opologies, allowing you t o m ix and m at ch t he feat ures t hat best suit your needs.

Topology 1: The Monolithic Single-Subnet Network I n t he beginning, t here was one t opology . Access point s were sim ple bridges, and served only t o at t ach wireless st at ions t o t he single wired net work t hey were connect ed t o. Wit hout m uch net working int elligence in t he access point , wireless net works needed t o be designed around t he t rivial bridging engines in access point s. Net works t hat support ed m obilit y were correspondingly sim ple. When access point s are sim ple bridges wit hout any sophist icat ed knowledge of, say, VLANs or rout ing, t hey m ust all at t ach t o t he sam e I P subnet . As long as a st at ion st ays on t he sam e I P subnet , it does not need t o reinit ialize it s net working st ack and can keep it s TCP connect ions open. Equipm ent lim it at ions dict at ed t he result ing net work archit ect ure. Every AP was at t ached t o a single net work. While t he net work provided m obilit y, it was oft en difficult t o build, especially on large cam puses. I n addit ion t o m odifying backbone net work configurat ion, adm inist rat ors had t o set aside new I P address ranges and rout e appropriat ely. The archit ect ure was developed t o shield wired net works from t he danger of wireless net works in t he t im e before t he developm ent of st rong securit y prot ocols. These days, t he high configurat ion overhead and m anagem ent cost of building t wo parallel net works has driven t his t opology nearly t o ext inct ion on any net work larger t han a few access point s. Figure 21- 2 shows t he t ypical early wireless LAN deploym ent t opology. All t he APs are connect ed t o a single m onolit hic net work. The net work is a single link- layer dom ain, and every st at ion connect ed t o t he net work is given an I P address on t he I P subnet . For t his reason, t he m onolit hic archit ect ure m ay be referred t o as t he single- subnet wireless LAN, t he walled garden archit ect ure, or occasionally t he VPN archit ect ure. ( I t should also be not ed t hat m ost hom e net works t ake t he single subnet approach, alt hough t ypically wit h only one access point .) [ * ] The guiding principle of Figure 21- 2 is t hat t he access point s in use cannot provide any services ot her t han link- layer m obilit y, so t hey m ust all be connect ed t o t he sam e logical link layer. Ot her design decisions underlying t his t opology help augm ent t he access cont rol of t he wireless device and lower m anagem ent overhead by t aking advant age of exist ing services, each of which will be considered in t urn. [*]

Very large homes may require multiple APs. Generally speaking, an AP should be good for coverage over 3,000-5,000 square feet, which is sufficient for all but the largest homes.

Figu r e 2 1 - 2 . Th e sin gle su bn e t w ir e le ss LAN de ploym e n t t opology

Mobility I n Figure 21- 2, t he net work linking all t he access point s, which is oft en called t he access point backbone, is a single I P subnet . To allow users t o roam bet ween access point s, t he net work should be a single I P subnet , even if it spans m ult iple locat ions, because I P does not allow for net work- layer m obilit y. ( Mobile I P is t he except ion t o t his rule; see t he sidebar earlier in t his chapt er.) Net worklayer m obilit y is supplied by t he use of a swit ching infrast ruct ure t hat support s linking all t he access point s t oget her, and an I P addressing schem e t hat does not require anyt hing beyond link- layer m obilit y. I n Figure 21- 2, t he backbone net work m ay be physically large, but it is const rained by t he requirem ent t hat all access point s connect direct ly t o t he backbone rout er ( and each ot her) at t he link layer. 802.11 host s can m ove wit hin t he last net work freely, but I P, as it is current ly deployed, provides no way t o m ove across subnet boundaries. To t he I P- based host s of t he out side world, t he VPN/ access cont rol boxes of Figure 21- 2 are t he last - hop rout ers. To get t o an 802.11 wireless st at ion wit h an I P address on t he wireless net work, sim ply go t hrough t he I P rout er t o t hat net work. I t doesn't m at t er whet her a wireless st at ion is connect ed t o t he first or t hird access point because it is reachable t hrough t he last - hop rout er. As far as t he out side world can t ell, t he wireless st at ion m ight as well be a workst at ion connect ed t o an Et hernet . I f it leaves t he subnet , t hough, it needs t o get a I P new address and reest ablish any open connect ions. The purpose of t he design in Figure 21- 2 is t o assign a single I P subnet t o t he wireless st at ions and allow t hem t o m ove freely bet ween access point s. Mult iple subnet s are not forbidden, but if you have different I P subnet s, seam less m obilit y bet ween subnet s is not possible.

Older access point s t hat cooperat e in providing m obilit y need t o be connect ed t o each ot her at layer 2. One m et hod of doing t his, shown in Figure 21- 3 ( a) , builds t he wireless infrast ruct ure of Figure 212 in parallel t o t he exist ing wired infrast ruct ure. Access point s are support ed by a separat e set of swit ches, cables, and uplinks in t he core net work. Virt ual LANs ( VLANs) can be em ployed t o cut down on t he required physical infrast ruct ure, as in Figure 21- 3 ( b) . Rat her t han act ing as a sim ple layer- 2 repeat er, t he swit ch in Figure 21- 3 ( b) can logically divide it s port s int o m ult iple layer- 2 net works. The access point s can be placed on a separat e VLAN from t he exist ing wired st at ions, and t he " wireless VLAN" can be given it s own I P subnet . Fram es leaving t he swit ch for t he net work core are t agged wit h t he VLAN num ber t o keep t hem logically dist inct and m ay be sent t o different dest inat ions based on t he t ag. Mult iple subnet s can be run over t he sam e uplink because t he VLAN t ag allows fram es t o be logically separat ed. I ncom ing fram es for t he wired net works are t agged wit h one VLAN ident ifier, and fram es for t he wireless VLAN are t agged wit h a different VLAN ident ifier. Fram es are sent only t o port s on t he swit ch t hat are part of t he sam e VLAN, so incom ing fram es t agged wit h t he wireless VLAN are delivered only t o t he access point s. By m aking t he access point backbone a VLAN, it can span long dist ances. VLAN- aware swit ches can be connect ed t o each ot her, and t he t agged link can be used t o j oin m ult iple physical locat ions int o a single logical net work. I n Figure 21- 4, t wo swit ches are connect ed by a t agged link, and all four access point s are assigned t o t he sam e VLAN. The four access point s can be put on t he sam e I P subnet and act as if t hey are connect ed t o a single hub. The t agged link allows t he t wo swit ches t o be separat ed, and t he dist ance can depend on t he t echnology. By using fiber- opt ic links, VLANs can be m ade t o go bet ween buildings, so a single I P subnet can be ext ended across as m any buildings as necessary.

Figu r e 2 1 - 3 . Ph ysica l t opologie s for 8 0 2 .1 1 n e t w or k de ploym e n t

Figu r e 2 1 - 4 . Usin g VLAN s t o spa n m u lt iple sw it ch e s

Tagged links can vary widely in cost and com plexit y. To connect different physical locat ions in one building, you can use a regular copper Et hernet cable. To connect t wo buildings t oget her, fiber- opt ic cable is a m ust . Different buildings are usually at different volt age levels relat ive t o each ot her. Connect ing t wo buildings wit h a conduct or such as copper would enable current t o flow bet ween ( and possibly t hrough) t he t wo Et hernet swit ches, result ing in expensive dam age. Fiber- opt ic cable does not conduct elect ricit y and does not pick up elect rical noise in t he out door environm ent , which is a part icular concern during elect rical st orm s. Fiber also has t he added benefit of high speeds for longdist ance t ransm issions. I f several Fast Et hernet devices are connect ed t o a swit ch, t he uplink is a bot t leneck if it is only a Fast Et hernet int erface. For best result s on larger net works, uplinks are t ypically Gigabit Et hernet . For very large organizat ions wit h very large budget s, uplinks do not need t o be Et hernet . One com pany I have worked wit h uses a m et ro- area ATM cloud t o connect buildings t hroughout a cit y at t he link layer. Wit h appropriat e t ranslat ions bet ween Et hernet and ATM, such a service can be used as a t runk bet ween swit ches.

Address assignment through DHCP Wit hin t he cont ext of Figure 21- 2, t here are t wo places t o put a DHCP server. One is on t he access point backbone subnet it self. A st andalone DHCP server would be responsible for t he addresses available for wireless st at ions on t he wireless subnet . Each subnet would require a DHCP server as part of t he rollout . Alt ernat ively, m ost devices capable of rout ing also include DHCP relay. The securit y device shown in Figure 21- 2 includes rout ing capabilit ies, and som e firewalls and VPN devices include DHCP relay. Wit h DHCP relay, request s from t he wireless net work are bridged t o t he access point backbone by t he access point and t hen furt her relayed by t he access cont roller t o t he m ain corporat e DHCP server. I f your organizat ion cent ralizes address assignm ent wit h DHCP, t ake advant age of t he est ablished, reliable DHCP service by using DHCP relay. One drawback t o DHCP relay is t hat t he relay process requires addit ional t im e and not all client s will wait pat ient ly, so DHCP relay m ay not be an opt ion. St at ic addressing is accept able, of course. The drawback t o st at ic addressing is t hat m ore addresses are required because all users, act ive or not , are using an address. To m inim ize end- user

configurat ion, it is wort h considering using DHCP t o assign fixed addresses t o MAC addresses. As a final point , t here m ay be an int eract ion bet ween address assignm ent and securit y. I f VPN solut ions are deployed, it is possible t o use RFC 1918 ( privat e) address space for t he infrast ruct ure. DHCP servers could hand out privat e addresses t hat enable nodes t o reach t he VPN servers, and t he VPN servers hand out rout able addresses once VPN aut hent icat ion succeeds.

Security This is t he oldest of t he archit ect ures in t his chapt er, and pre- dat es all t he work done on link- layer securit y in t he past several years. I t is generally used on net works where link- layer securit y is not a priorit y, eit her because securit y is secondary t o providing services ( as in t he case of an I SP) or because securit y is provided t hrough higher- layer prot ocols wit h VPN t echnology. Securit y t rade- offs in wireless net work design are discussed in m ore det ail in Chapt er 22.

Backbone engineering Depending on t he exist ing backbone, using t his t opology m ay require prohibit ive work on t he backbone, or it m ay be relat ively easy. For m axim um m obilit y, every access point m ust be at t ached t o t he wireless VLAN t hat snakes t hroughout t he cam pus. I f a net work is built on a swit ched core, it m ay be relat ively easy t o creat e a VLAN t hat spans m ult iple swit ches across several wiring closet s. However, t here m ay be fundam ent al lim it at ions on what is possible. I f buildings are separat ed by rout ers, it m ay not be possible t o build a single VLAN t hat spans an ent ire cam pus, and it m ay be necessary t o set t le for disj oint ed islands of m obilit y. Even worse, m any older net works are not built around swit ched cores t hat allow easy VLAN ext ensions everywhere. Furt herm ore, t here is a pract ical lim it at ion on t he net work diam et er of a VLAN. 802.1D, t he bridging st andard, recom m ends t hat VLANs be built wit h a m axim um diam et er of seven swit ch hops. Depending on t he physical t opology, it m ay be im possible t o build a single VLAN t hat can span t he desired coverage area wit hin t he recom m ended lim it . Alt ernat ively, it m ay be possible t o do so, but only wit h ext ensive m odificat ions t o t he net work core.

Performance Perform ance of t his design can vary great ly because it incorporat es a single choke point . One of t he m ost im port ant aspect s of m aking t his design perform well is lim it ing t he effect of pushing all t he t raffic t hrough a single logical pat h. All t he backbone devices m ust have sufficient capacit y t o handle t he load from t he ent ire wireless net work. Wireless LAN prot ocols are based on collision avoidance, and can sust ain m uch higher loads t han t he collision- det ect ion prot ocols used on wired LANs. Depending on t he num ber of users associat ed wit h a part icular access point , it m ay be reasonable t o assum e t hat t he radio link is sat urat ed. Maxim um t hroughput rat es vary slight ly from product t o product , but 6 Mbps is a reasonable m axim um rat e for 802.11b, wit h 802.11a and 802.11g bot h weighing in at 27- 30 Mbps. Avoiding congest ion is m uch easier wit h t he slow speeds of 802.11b. Wit h only a 6 Mbps pot ent ial load per access point , a full duplex Fast Et hernet links t o t he access point backbone should be able t o handle slight ly over 30 APs. While 30 APs is not a m onst rous net work, it is enough t o provide blanket coverage over a large open space for low- bandwidt h applicat ions. Upgrading t o Gigabit Et hernet on t he choke point vast ly increases t he num ber of APs t hat can be at t ached. Depending on t he breakdown bet ween upst ream and downst ream t raffic, it is possible t o connect 200- 300 APs wit hout worrying about backbone net work congest ion. Of course, gigabit choke point devices cost

significant ly m ore t han Fast Et hernet choke point devices. 802.11a and 802.11g, wit h t heir pot ent ially higher speeds, could pose m ore of a problem . Wit h several t im es t he speed, only a few access point s can sat urat e a Fast Et hernet choke point . Assum ing a favorable breakdown bet ween upst ream and downst ream t ransm ission, full duplex Fast Et hernet can connect six APs, which is not enough t o cover m any m idsized offices. Dual- band APs t hat do bot h 802.11a and 802.11g present a double wham m y because each radio m ay offer a high load. Table 21- 3 sum m arizes t he discussion of backbone t echnology and t he num ber of APs required t o sat urat e t he link. I t is m eant only as a " back of t he envelope" est im at e. Each backbone t echnology is divided by t he AP- offered load t o est im at e t he num ber of APs required t o sat urat e t he link. I t does not t ake int o account any prot ocol overhead or realist ic split bet ween upst ream and downst ream t raffic. I t is m eant as a rough guide t o select an appropriat e uplink t echnology from your wireless subnet .

Ta ble 2 1 - 3 . Est im a t e d APs r e qu ir e d for ba ck bon e sa t u r a t ion

Half- duplex Fast Et hernet

8 0 2 .1 1 b ( ~ 6 M bps)

8 0 2 .1 1 a or 8 0 2 .1 1 g ( ~ 3 0 M bps)

D u a l- ba n d a / b ( ~ 3 6 M bps)

D u a l- ba n d a / g ( ~ 6 0 M bps)

16

3

2

1

33

6

5

3

333

66

55

33

( 100 Mbps) Full- duplex Fast Et hernet ( 200 Mbps) Full- duplex Gigabit Et hernet ( 2,000 Mbps)

Client integration This is t he m ost varied of t he archit ect ures in t erm s of client int egrat ion. I n t he case of a service provider, it is likely t hat lit t le or no client work is required. No securit y of any sort is applied, so t here is not hing t o configure. I f ext ensive higher- layer securit y is applied on t op of t his archit ect ure, however, t here is ext ensive deskt op int egrat ion t o be done.

Topology 2: "E.T. Phone Home" or "Island Paradise" Som e organizat ions are sim ply t oo large t o build a single access point net work. The classic exam ple is a m aj or research universit y wit h m ult iple buildings dist ribut ed over several square m iles. Configuring a single access point net work t o snake t hrough t he ent ire cam pus is sim ply out of t he quest ion, not least because large cam puses depend on rout ed net works for broadcast isolat ion. Net work adm inist rat ors com prom ised by dividing t he wireless net work int o several " islands" of connect ivit y. I n t he universit y environm ent , an island oft en corresponds t o a building or depart m ent ,

and it t akes it s I P addressing and rout ing inform at ion from t hat depart m ent 's address allocat ion. Separat ing wireless LANs int o islands also serves a valuable polit ical purpose. Different depart m ent s can each build t heir own wireless net work, com plet e wit h it s own securit y policies and net work service goals. I slands can also be built m ore quickly because no coordinat ion is required bet ween t hem . Many islands can be built sim ult aneously. Piecem eal deploym ent s look like m ult iple inst ances of t he single subnet of Figure 21- 2. The t opology provides seam less m obilit y bet ween t he access point s connect ed t o t he access point backbone net work. I n net works t hat cannot support a single VLAN for t he access point backbone, a frequent com prom ise is t o lim it m obilit y t o local areas where it is m ost useful. For exam ple, in a m ult i- building cam pus, a t ypical goal is t o provide seam less m obilit y wit hin individual buildings, but not roam ing bet ween buildings. Each building would have a wireless LAN t hat looked som et hing like Figure 21- 2, and all t he access point backbone net works would ult im at ely connect t o a cam pus backbone. I n Figure 21- 5 ( a) , t here are several " islands" of connect ivit y, and each island provides m obilit y wit hin it self. I nt er- island roam ing cannot be provided by 802.11 it self, but requires addit ional t echnology such as Mobile I P or a special client . 802.11 allows an ESS t o ext end across subnet boundaries, but does not support a seam less roam ing operat ion.

Figu r e 2 1 - 5 . N on con t igu ou s de ploym e n t s

I f you m ust break t he cam pus int o disj oint ed coverage areas, be sure t o preserve t he m obilit y t hat is m ost im port ant t o your users. I n m ost cases, m obilit y wit hin a building is im port ant . Most buildings are built around a swit ched core, and can support an island of connect ivit y.

Mobility The single- subnet archit ect ure achieved m obilit y by creat ing a single subnet for all access point s, and keeping all t he users on t he t hat rest rict ed subnet . This archit ect ure borrows t he sam e philosophy, but is designed t o work wit h net works t hat are not able t o creat e a single subnet . At t he m ost basic level, t his archit ect ure provides port abilit y. Users can m ove bet ween islands wit hout rest rict ion, but need t o reest ablish any open net work connect ions as t hey m ove bet ween islands. Connect ion reest ablishm ent m ay be handled in a variet y of ways, som e of which m ay be t ransparent t o t he user. Many universit ies sim ply accept t he lim it at ions of port abilit y, and inst ruct users t o close any applicat ions t hat use net work resources before m oving. I f port abilit y lim it at ions are problem at ic, it m ay be possible t o achieve m obilit y bet ween I P net works by using client soft ware or t unneling prot ocols. This t opology looks m uch like t he first t opology, except t hat it is replicat ed in several pieces. Most likely, t he islands of connect ivit y connect t o t he net work core t hrough firewalls. Mobilit y bet ween islands m ay be achieved by using a t unneling prot ocol t hat ensures t hat a user at t aches t o t he sam e

logical locat ion on t he net work, no m at t er what t heir physical locat ion. Figure 21- 6 shows how m obilit y can be graft ed on t o a collect ion of scat t ered net works. I n Figure 216 ( a) , client s are given a local I P address t hat is t ied t o locat ion. The local net works are represent ed by Net X and Net Y. Upon connect ion, client s are issued addresses from t he I P space assigned t o t he X and Y net works. However, t he client also init iat es a connect ion t o a cent ral concent rat ion point . Client s logically at t ach t o t he concent rat or, and receive an address from a net work logically at t ached t o t he concent rat or, which is denot ed by Net Z in t he diagram . Packet s sent from t he client use it s cent ral anchor point address, Z, as t he source, but t hey are bundled int o a t unnel for t ransm ission. Replies are rout ed back t o Z, but t he concent rat or m aint ains a m apping of addresses on net work Z t o locat ion- based addresses. Not e t hat Figure 21- 6 ( a) does not specify any part icular t unneling m et hod. Mobile I P works in essent ially t his way, and a few specialized I Psec client s work t his way as well. Alt hough t he approach of Figure 21- 6 ( a) is concept ually st raight forward, it requires changing t he soft ware on all wireless devices. I n addit ion t o t he adm inist rat ive challenge of loading new soft ware on any wireless device and t he pot ent ial inst abilit y of changing t he net work st ack, it is likely t hat vendors of t his soft ware would not be able t o support every operat ing syst em plat form . Even if t he m aj or operat ing syst em s were support ed, m any em bedded devices could not be. Figure 21- 6 ( b) offers an alt ernat ive approach where t he t unneling is m oved int o t he net work. I n Figure 21- 6 ( b) , access point s do not connect t o a backbone net work for t he purpose of delivering t raffic. The backbone net work is used only t o connect APs t o t he t raffic concent rat ion point . Any fram es or packet s from t he client are delivered t hrough t he t unnel t o t he concent rat or device, where t hey are sent on t o t he rest of t he net work. I t does not m at t er where client s at t ach t o t he net work because t raffic is always rout ed t o t he t raffic concent rat ion point . I n bot h of t he cases in Figure 21- 6, t he key is t hat client I P addresses becom e locat ion- independent . I P addresses on local net works are used for t he purpose of connect ivit y, but t he logical point of at t achm ent t o t he net work is t hrough a defined anchor point , j ust as in t he previous t opology. Tunneling approaches work t o unit e disj oint ed coverage areas. I n t he first t opology, m obilit y was allor- not hing. Figure 21- 5's disj oint ed coverage areas force net work archit ect s t o design m obilit y around areas t hat are m ost im port ant t o users, subj ect t o t he const raint s of t he local net work design. By using a t unneling approach, t he net work can be reunit ed int o a single m obilit y cloud, but wit hout t he need t o re- engineer t he ent ire net work backbone. There is, however, t he difficult y of configuring any t unneling and working out t he overlay t opology.

Figu r e 2 1 - 6 . M obilit y t h r ou gh t u n n e lin g

Security One of t he advant ages of t his archit ect ure is t hat it is easy t o use it wit h I Psec. I Psec is a suit e of st rong, t rust ed encrypt ion prot ocols t hat have been widely used in host ile net work environm ent s, and t hat t rust has allowed I Psec t o be used t o prot ect a great deal of sensit ive inform at ion t raversing t he I nt ernet . Many organizat ions t hat have a need t o prot ect privat e personal inform at ion m ake ext ensive use of I Psec. One drawback t o relying on net work- layer securit y is t hat it gives m alicious at t ackers a foot hold on your net work. I f associat ion t o t he net work is not prot ect ed, t hen at t ackers m ay obt ain a net work address and st art launching at t acks against against ot her client s or t he net work infrast ruct ure out side t he firewall. St rong firewall prot ect ion is a m ust t o cont ain any at t acks originat ing on t he

unt rust ed net work. Host securit y is also ext rem ely im port ant because devious at t ackers would also likely at t em pt t o subvert host securit y on t he client s t o hij ack VPN t unnels, so personal firewall soft ware is a m ust . I Psec was designed wit h a point - t o- point archit ect ure in m ind. When used bet ween m aj or sit es, t raffic is inherent ly point - t o- point . However, LANs are not m eant t o be point t o point net works. ( Just ask anybody who has experience wit h ATM LAN Em ulat ion! ) Applicat ions t hat m ake use of m ult icast will probably not work wit h I Psec wit hout m odificat ion or net work reconfigurat ion.

Performance Providing connect ivit y t hrough isolat ed islands gives t his t opology a dist inct advant age over t he first t opology. Rat her t han one gat eway device t hat handles all t raffic from t he wireless LAN, each island gat eway m ust be capable of fowarding only t hat island's t raffic. Mult iple choke point s bet ween wireless and wired net works allow each choke point t o be a sm aller, and t herefore less expensive, device. This archit ect ure is frequent ly used wit h I Psec, oft en wit h an exist ing VPN t erm inat ion device. One problem t hat can occur is t hat VPN devices are oft en sized for rem ot e user t erm inat ion. I f LAN users suddenly st art using I Psec, t he exist ing VPN t erm inat ion device m ay prove inadequat e. A cent rally locat ed VPN device m ust be able t o provide encrypt ion for t he ent ire wireless LAN t raffic load; each 802.11b access point m ay offer a t raffic load of up t o 6 Mbps each, while an 802.11a or 802.11g access point m ay serve up a load approaching 30 Mbps. There are m any different t unneling opt ions available for t his broad t opology. Tunneling always im poses a net work overhead because it requires encapsulat ion. An addit ional challenge t hat wireless LAN devices m ust face is t he need for fragm ent at ion in t unneling prot ocols. Many of t he LAN backbones used t o connect access point s do not support j um bo fram es, so any t unneling prot ocol t hat runs over Et hernet m ust incorporat e fragm ent at ion and reassem bly. Beyond t he fragm ent at ion overhead, any t unneling prot ocol requires addit ional header inform at ion. Depending on t he prot ocol select ed, fragm ent at ion overhead m ay be nont rivial. Running user t raffic across a net work backbone m ay dim inish t he service qualit y. Large net works m ay not be able t o provide consist ent low- lat ency forwarding perform ance bet ween t he access point s and t he concent rat ion device, especially if t he t unneling m echanism is im plem ent ed over a best effort prot ocol like I P. I n t he case of user dat a t raffic, any service qualit y dim inishm ent is likely t o be negligable. I f t he wireless net work m ust be used t o support voice prot ocols, however, t he im pact of t unneling m ay be m ore subst ant ial.

Backbone Com pared t o t he single- subnet archit ect ure, t his t opology int egrat es m uch bet t er wit h net works t hat cannot support a single VLAN everywhere. At worst , t his archit ect ure requires creat ing several m iniat ure single- subnet backbones. I f t unneling funct ions are m oved int o t he net work, t hough, it is possible t o ext end net works out t o rem ot e locat ions wit hout any backbone work.

Client VPN soft ware is t ypically used wit h t his approach, which requires configuring client soft ware on any m achine t hat will use t he wireless net work. I n som e organizat ions, t his m ay not represent a large burden, especially if m ost of t he users already have VPN soft ware. However, m any organizat ions lim it t he num ber of users given rem ot e access privileges t o lim it t he am ount of client int egrat ion work

necessary, or prevent rem ot e access devices from being overwhelem ed wit h t he load. I f you work for such an organizat ion, t here is a significant client soft ware inst allat ion burden wit h a widespread wireless deploym ent . As m ent ioned previously, personal firewall soft ware is m andat ory t o prot ect each client from link- layer at t acks. Give preference t o VPN client s t hat include personal firewall soft ware, especially if t he personal firewall policies can be cent rally m anaged.

Topology 3: Dynamic VLAN Assignment Bot h t he single- subnet and island t opologies are designed around t he lim it at ions of t he first access point s t o hit t he m arket . Early access point s at t ached all users t o t he sam e net work, and did very lit t le t o enforce different privileges on different groups of users. This t opology was t he first t o em brace t he wired world of VLANs and m ake t hem available t o user groups. I nst ead of building a second parallel net work, t his t opology ext ends t he exist ing net work, com plet e wit h any securit y syst em s and filt ers, int o t he wireless realm . 802.1X is t he cornerst one of dynam ic VLAN assignm ent . I t plugs t he wireless net work neat ly int o an exist ing aut hent icat ion infrast ruct ure. Aut hent icat ion servers have user profiles and privileges, and can m ap t hat privilege inform at ion on t o t he wireless LAN. For exam ple, Figure 21- 7 shows a RADI US server handing out VLAN assignm ent s t o t he access point . As part of t he RADI US access accept m essage, it includes an at t ribut e t hat assigns an aut hent icat ed user t o a part icular VLAN. Based on t hat inform at ion, t he access point t ags any fram es from t he user on t o t he appropriat e VLAN. The advant age of doing aut hent icat ion at t he link layer, rat her t han a higher layer, is t hat users can be placed on a part icular net work wit h t he privileges associat ed wit h t hat net work from t he st art . When t he access point receives t he Access Accept m essage from t he RADI US server, it sends an 802.1X EAP Success m essage t o t he client . Net work card drivers on t he client int erpret t he EAP Success m essage as t he equivalent event t o a " link up" m essage, and send t heir DHCP request and begin init ializing t he net work st ack. By t he t im e t he net work st ack has begun t o init ialize, t he net work has already aut om at ically configured it self t o rest rict t he user t o a part icular set of access right s.

Figu r e 2 1 - 7 . D yn a m ic VLAN t opology

Mobility At t he highest level, m obilit y in t his t opology is ident ical t o t he first t opology. Users are at t ached t o a consist ent VLAN t hroughout t he net work, and t hus can m aint ain t he sam e I P address regardless of locat ion. Wit h t he sam e I P address, any t ransport - layer st at e or applicat ion st at e rem ains valid t hroughout t he life of t he connect ion. However, t he underlying im plem ent at ion of m obilit y offers several advant ages over t he single- subnet archit ect ure. The first set of advant ages have t o do wit h t he use of aut hent icat ion services. At t ribut es from t he RADI US server ensure t hat users are always at t ached t o t he sam e VLAN, and hence, t hey st ay at t ached t o t he sam e logical point on t he net work. I n addit ion t o aiding m obilit y, providing consist ent VLAN at t achm ent can m ake ot her services work bet t er. Providing m obilit y at t he link layer reduces t he apparent m obilit y t o higher- layer prot ocols, and hence, t he am ount of work required of t hem . I Psec t unnels st ay up consist ent ly because t he I P address does not change. Likewise, Mobile I P locat ion updat es are not necessary because t he I P address is m aint ained.

Security Because t he VLAN assignm ent is based on 802.1X and RADI US, securit y in t his t opology is based on dynam ically generat ed keys at t he link layer, eit her t hrough dynam ic WEP, WPA, or CCMP. Dynam ic key generat ion enables t he second benefit of using aut hent icat ion services. Once users have been ident ified, t hey can be separat ed int o groups for different securit y t reat m ent . To separat e t raffic in t he air bet ween user groups, access point s use m ult iple key set s. Upon aut hent icat ion, every user is given a default ( broadcast ) key, and a key m apping ( unicast ) key. Broadcast dom ains are defined by t he st at ions in possession of t he sam e broadcast key. I n Figure

21- 8 , t he t wo users on t he left are part of t he sam e user group, and share t he sam e broadcast key. When one sends, say, an ARP request , t he ot her responds. Users who are part of a different broadcast dom ain are not able t o decrypt and process t he fram e because t hey have a different broadcast key. Alt hough user groups share t he sam e radio capacit y, t hey are not m em bers of t he sam e user group and rem ain separat ed over t he radio net work.

Figu r e 2 1 - 8 . Br oa dca st se pa r a t ion by k e ys

Furt herm ore, t he separat ion of user groups by VLAN allows t he applicat ion of different iat ed services, as shown in Figure 21- 9. One com m on use of user ident ificat ion and different iat ion is t o offer guest services. I nt ernal users are ident ified and aut hent icat ed against a user dat abase, and t hen connect ed t o t he int ernal net work. Guest users do not have account s on t he m ain user dat abase and cannot aut hent icat e t o t he net work. Aft er failing t o do so, t hey are at t ached t o a different logical net work. Guest net works m ay have " splash pages" t hat require a click- t hrough agreem ent t o not abuse t he net work; som e organizat ions m ay also wish t o require paym ent for guest access.

Figu r e 2 1 - 9 . D iffe r e n t ia t e d u se r se r vice s

An addit ional advant age t o link- layer securit y is t hat m ult icast is well- int egrat ed int o t he securit y prot ocol. LAN prot ocols oft en m ake heavy use of m ult icast or broadcast fram es, and t he use of m ult icast LAN fram es can only increase. Wireless net works are at t ract ive because of t heir flexibilit y and locat ion- independence. Prot ocols t hat assist in t he aut om at ic discovery and configurat ion of new devices usually rely heavily on m ult icast fram es. One downside t o t his t opology relat es t o bureaucrat ic requirem ent s around securit y. At t he t im e t his book was writ t en, link- layer securit y could not com ply wit h FI PS- 140, t he U.S. federal governm ent 's net work securit y st andard, because of a subt le flaw wit h t he dynam ic key derivat ion algorit hm s in 802.11i. Alt hough t he encrypt ion m ode used by CCMP is approved, a sm all change t o t he key derivat ion algorit hm is likely t o be required before 802.11i- based net works can m eet t he FI PS- 140 bar.

Performance This archit ect ure does not necessarily require a choke point . Swit ching fram es at t he net work edge elim inat es t he requirem ent for an oversized packet forwarding device. Wireless LANs are access net works, so by definit ion, a wireless LAN should not be able t o overload a well- built net work core. One of t he downsides of t his archit ect ure, however, is t hat it is best deployed around a big, fast swit ched core.

Backbone

Redesigning a net work t o use VLAN inform at ion dynam ically can oft en im pose a subst ant ial redesign of t he t he net work backbone. What is required depends on how t he wireless LAN connect s t o t he net work core. When a wireless LAN connect s t o t he core t o at t ach users t o m ult iple net works, it t ypically uses an 802.1Q t agged link. Wireless LAN product s vary in how widely t agging is used, and t o what ext ent t he t ags m ust be pushed across t he net work. I n broad t erm s, t here are t wo m aj or ways t o push VLAN inform at ion out t o access point s.

Direct core connect ion When t he connect ion t o t he net work core is m ade direct ly, t he access point s m ust connect direct ly t o t he net work core, usually t hrough an 802.1Q- t agged link. Not e t hat t he connect ion t o t he core is t he logical connect ion from t he access point s. Wit h som e product s, t he access point s m ust connect direct ly t o t he core, which m eans t hat every swit ch port used t o connect t o an access point m ust support any VLAN used by wireless users. Direct core connect ions for every access point im poses a huge backbone engineering requirem ent , and m ay even rule out t he use of t his t opology. I f t he VLANs do not exist in every closet where APs connect , t hey m ust be ext ended everywhere before t he wireless deploym ent can even begin. Direct connect ions t o t he core m ay also pose a securit y risk. Most APs aut hent icat e users, but t he APs t hem selves do not aut hent icat e. An at t acker who replaces an AP wit h his own device m ay have a direct connect ion t o t he net work core.

I ndirect ( t unneled) core connect ion I nst ead of requiring every access point t o connect direct ly t o t he core, som e product s allow t he use of t unneling prot ocols t o avoid significant changes t o t he backbone. Users connect t o an access point , but t he AP t unnels t he user's fram es t o a rem ot e locat ion before t hey are placed on t o t he core net work. Tunneling can be accom plished bet ween access point s, or bet ween an access point and an aggregat ion device. The t unneling prot ocol m ay be propriet ary, or it m ay be based on a sim ple encapsulat ion st andard like t he Generic Rout ing Encapsulat ion ( GRE) , I P in I P, or t he Point - t o- Point Prot ocol over Et hernet ( PPPoE) . I n Figure 21- 10 ( a) , t here are t wo APs on separat e VLANs. Aft er user aut hent icat ion com plet es, t he AP is responsible for connect ing t he user on t o t he appropriat e VLAN. I f t he AP is direct ly at t ached, t hen t he connect ion is easy. When t he AP is not direct ly at t ached t o t he VLAN t he user m ust be connect ed t o, t he t unnel is built bet ween APs. AP2 locat es t he VLAN t he user should be at t ached t o, and sends user fram es t hrough t he t unnel t o AP1. AP1 t hen sends fram es out on t o t he net work norm ally. The user's logical at t achm ent rem ains AP1, no m at t er what t he physical locat ion is. Depending on t he im plem ent at ion, it m ay be necessary t o prevent t unneling across long dist ances. I f t he t wo net works are separat ed by st at e lines, or even an ocean, t unneling t raffic is likely t o result in user dissat isfact ion. I n Figure 21- 10 ( b) , t he at t achm ent is cent ralized at t he core of t he net work rat her t han being dist ribut ed at t he edge. Fram es received by t he access point s are shut t led up t hrough t he t unnel t o t he concent rat or, where t hey are placed on t he appropriat e net work. VLAN inform at ion is only relevant at t he end of a fram e's j ourney t hrough t he wireless LAN syst em . Unt il t he fram es reach t he concent rat or, t hey do not carry VLAN t ags. The advant age of a rem ot e t unneling syst em is t hat users can be at t ached t o VLANs t hat are not locally present . The VLANs need t o be m ade available only t o t he concent rat or.

Of t he t wo m et hods, t unneled connect ions t end t o im pose less of a backbone engineering requirem ent because t ags can be dist ribut ed on a m ore local basis. I n t he direct connect case, every port connect ed t o an access point m ust carry t he com plet e set of VLANs users m ay want t o work wit h. The backbone im pact is j ust as great as t he first t opology for each VLAN. I n cont rast , indirect connect ions can span wider areas by operat ing out side of a spanning t ree dom ain, and configurat ion of individual swit ch port s m ay be easier.

Client 802.1X supplicant s are now built - in t o t he m ost com m on client operat ing syst em s. Windows 2000, Windows XP, and Mac OS X 10.3 all have 802.1X supplicant soft ware built int o t he operat ing syst em . Provided t hat you wish t o use one of t he aut hent icat ion prot ocols support ed by t he operat ing syst em 's supplicant , t here is no client inst allat ion t o worry about . Furt herm ore, t he built - in supplicant configurat ion can oft en be assist ed by t he use of large- scale syst em adm inist rat ion t ools t o dist ribut e t he required cert ificat es or configurat ion inform at ion.

Topology 4: Virtual Access Points A st raight forward applicat ion of 802.1X and VLAN assignm ent leads direct ly t o t he previous t opology. However, it works best when t he net work has only one class of userand t hat is hardly realist ic. Most net works are now built t o connect em ployees t o int ernal resources while sim ult aneously giving guest s access t o t he I nt ernet . Support ing m ult iple classes of user is becom ing m uch m ore com m on, but it creat es addit ional work for securit y archit ect s. Different logical net works m ust be run in parallel, oft en wit h vast ly different securit y m odels.

Figu r e 2 1 - 1 0 . Cor e con n e ct ion s for dyn a m ic VLAN pr odu ct s

One m et hod of building m ult iple logical net works is t o build m ult iple physical net works, and m anage each separat ely. Com pet it ion for net work adm inist rat or t im e, access point locat ions, power and net work connect ions, and radio resources m akes building m ult iple physical net works unproduct ive. I nst ead, archit ect s are t urning t o virt ual access point s, which enable m ult iple logical net works t o be built on a single physical infrast ruct ure. The physical net work owner is responsible for m aint aining t he infrast ruct ure as a com m on carrier, and serving as a t ransit net work t o ot her exist ing net works.

Several years ago, airport s woke up t o t he possibilit y of using 802.11 as a net work m edium t o connect business t ravelers ( and t heir wallet s) t o t he I nt ernet . I n t he first wave, airport s worked wit h specialist int egrat ors t o build a single wireless LAN t hat looked som et hing like t he first t opology in t his chapt er. I t could be used by business t ravelers, but was not at all suit ed t o use by anybody else. Many applicat ions of wireless net working went unheeded. Wireless net works are ideal for providing connect ions t hat m ay need t o be m oved and changed on a regular basis, such as ret ail kiosks or even t he airline equipm ent at gat es. I t is easy t o underst and why a credit - card processing service or an airline would feel t hat a net work designed for road warriors did not provide adequat e securit y. Wit h a net work designed around virt ual APs, t here is one set of physical infrast ruct ure, owned by t he building owner. The building owner is responsible for frequency coordinat ion t hroughout t he building. [ ] From a m onet ary perspect ive, t he single physical net work is also t he only gam e in t own, and t he building owner can charge for access t o t he net work. I n office buildings designed for m ult iple t enant s, t he owner m ay choose t o use t he wireless net work as an am enit y t o m ake t enancy m ore at t ract ive. []

Newer leases for multitenant buildings are increasingly being written so that the owner retains control of the electromagnetic spectrum and can construct a building-wide network without working around tenant equipment, although the FCC takes a dim view of these provisions.

Virt ual APs m ay also m ake a great deal of sense for t he net work users. Wit h one organizat ion handling physical inst allat ion, t here is no overlapping inst allat ion effort , and it lessens t urf wars over radio spect rum . A virt ual AP can offer t he sam e services as a dedicat ed AP, but a virt ual AP is oft en cheaper t o inst all because of t he shared infrast ruct ure. The m ost advanced virt ual APs look exact ly like m ult iple st andalone APs. I expect t hat t he m anagem ent of virt ual AP syst em s offer t he abilit y t o ext end m anagem ent infrast ruct ure t o t he users, so t hat t here is a low- level adm inist rat ion int erface plus t he abilit y t o configure virt ual net works for every cust om er subscribing t o a m ult it enant net work service. Figure 21- 11 shows what a net work built on virt ual access point s would look like. I n essence, it allows t he net work adm inist rat or t o creat e several copies of t he dynam ic VLAN t opology on one set of physical infrast ruct ure, wit h each virt ual net work adm inist ered. I n t he figure, t here are t hree dist inct net works t o be ext ended by t he wireless LAN. Net work A is a t ypical corporat e net work. Users who wish t o gain access t o it m ust have account s on t he corporat e RADI US server. Net work B is a hot spot service provider. For device- independence, m any service providers use web- based aut hent icat ion syst em s t hat t rap user request s unt il users have ident ified t hem selves and m ade appropriat e arrangem ent s t o pay for net work access. Finally, Net work C is designed t o support voice over I P, and has an I P PBX syst em . One set of access point s is deployed t o support all t hree net works. One SSI D ident ifies Net work A. That SSI D has a securit y configuat ion t hat requires 802.1X aut hent icat ion against t he RADI US server on Net work A, and it m ay be t hat syst em s at t aching t o t he net work have appropriat e client soft ware inst alled, such as ant iviral prot ect ion. SSI D A m ay support several different VLANs on Net work A, depending on how t he RADI US server is configured. Net work A is also configured t o support st rong encrypt ion. Net work B is support ed by a second SSI D t hat is configured for web- based aut hent icat ion. Once users aut hent icat e t hrough t he web syst em , t hey are allowed I nt ernet access. Net work B has no encrypt ion because t he service provider does not want t o rest rict subscriber com put ing plat form s or require special client soft ware beyond a web browser. SSI D C is deployed t o support voice over I P. Traffic on SSI D C is likely priorit ized over t he ot her t wo because of t he t ight er qualit y of service requirem ent s for voice t raffic. How devices aut hent icat e against SSI D C depends on t he handset s in use. Many VoI P handset s do not yet support 802.1X, leaving net work adm inist rat ors t o rely on MAC filt ering and st at ic WEP for securit y.

Figu r e 2 1 - 1 1 . Vir t u a l a cce ss poin t s

Mobility This t opology provides essent ially t he sam e m obilit y as t he previous t opology. VLANs can be dynam ically inst ant iat ed at t he edge t o connect users, so client st at ions are dynam ically at t ached t o t he correct point on t he net work. As in t he previous case, addit ional prot ocols m ay be used t o ext end m obilit y across m ore t han a single VLAN dom ain. Wit h virt ual access point s, lim it ing m obilit y m ay be im port ant . This archit ect ure is designed around providing service, and it m ay be t hat service should not be ubiquit ous. I f an office building were t o provide connect ivit y for t enant s, t he owners m ay choose t o lim it where t enant s can connect . Rat her t han connect ing anywhere in t he building, t he service m ay be lim it ed t o a part icular floor or wing. I f an airport were t o deploy a net work using virt ual access point s, t he public hot spot service providers would likely be rest rict ed t o t he public areas, while t he airport operat ional net work was available t hrough m ore of t he facilit y. Different product s provide alt ernat e approaches t o lim it ing m obilit y. As wit h m any ot her net work cont rol funct ions, your preference should be for cent rally- adm inist ered access cont rols.

Security Due t o t he t ie- in wit h t he link layer, t his t opology is oft en used in conj unct ion wit h 802.1X and RADI US. 802.1X should not be a requirem ent . Each of t he virt ual net works should have it s own securit y configurat ion, which would allow every cust om er t o enforce t heir own securit y policy. Different cust om ers m ay have different requirem ent s, and a net work built on virt ual access point s should accom m odat e any reasonable securit y policy. For exam ple, m ost hot spot providers are running web- based login syst em s. While a web- based login syst em m ay be good enough for som e

applicat ions, legal requirem ent s would im pose m uch st rict er handling on a syst em t hat accessed personally- ident ifiable inform at ion. Virt ual AP- based net works need t o accom m odat e bot h t ypes of access sim ult aneously.

Performance Perform ance is not const rained by a choke point anywhere. Wit h t he wireless net work connect ing direct ly int o a larger net work core, t he only perform ance const raint is congest ion on t he core. The biggest problem facing a m ult it enant net work is t hat t he net work owner has t o design a net work wit h enough capacit y for all t he users. I n t he case of a privat e net work owned and operat ed by one organizat ion for it s own purposes, it m ay be possible t o est im at e t he net work requirem ent s. Wit h a net work service provided t o ot hers, t he est im at es obt ained by consult ing wit h users m ay be som ewhat m urky. One addit ional it em wort hy of not e is t hat analyzers m ay report overloaded channels because a single AP act s as m ult iple virt ual APs. Provided t hat t he net work has been designed around t he t ot al t hroughput required by all users, it is accept able t o have m ult iple net works over t he air.

Backbone Like any ot her AP, a virt ual AP connect s a radio net work t o a wired net work. I n t he case of a virt ual AP, bot h t he radio and fixed net works m ay be creat ed over a shared physical infrast ruct ure. Rat her t han one wired net work, or a set of net works owned by one organizat ion, t here m ay be a need t o connect t o several cust om er net works on t he back end. When all t he net works belong t o one organizat ion, t hey probably have sim ilar securit y requirem ent s and can be connect ed easily t o wireless net works. Mapping wireless net works on t o t he wired net works of several different ( and possibly com pet ing) cust om ers m ay require addit ional m easures t o ensure securit y and t raffic separ at ion.

Client As wit h t he ot her t opologies, t he client soft ware load depends a great deal on t he securit y prot ocols. At t he easy end of t he spect rum , a net work can be deployed using web- based aut hent icat ion wit hout requiring any client soft ware. At t he m ost difficult , t he net work can use several securit y prot ocols, each wit h it s own client soft ware requirem ent . One of t he advant ages t o virt ual AP- based net works is t hat t he virt ual APs m ay be used t o creat e several net works, each wit h it s own special securit y configurat ion.

Blurring the Boundaries: Wi-Fi Switching One of t he m ost t alked- about developm ent s in wireless net works in t he past few years is t he em ergence of t he new " Wi- Fi swit ch" archit ect ure. I n broad t erm s, Wi- Fi swit ches m ove net work funct ions from access point s int o an aggregat ion device t hat provides cont rol and m anagem ent funct ions. Cont rol and m anagem ent funct ions are quit e im port ant t o a wireless net work. Wireless net works oft en require a great deal of net work adm inist rat ion support because t hey are com posed of a herd of sm all devices. Wi- Fi swit ches can help adm inist rat ors build larger net works by providing m anagem ent support . Rat her t han m anaging m any aut onom ous access point s, net work adm inist rat ors can work wit h a handful of swit ch devices t hat cont rol access point s. By reducing t he t im e and effort required t o cont rol an AP, Wi- Fi swit ches can m ake it possible t o have m ore APs on a wireless net work. More APs usually m eans a denser coverage blanket wit h sm aller coverage areas for each AP, and less bandwidt h cont ent ion. Wi- Fi swit ches can be used in any of t he t opologies discussed in t his chapt er, alt hough devices from part icular m anufact urers m ay adapt bet t er or worse t o cert ain t opologies. Different vendors have t aken different approaches t o easing m anagem ent pain, as well as providing net work- wide m obilit y, so choose one t hat fit s int o your net work and support s your select ed t opology.

Choosing Your Logical Architecture When choosing a logical archit ect ure, you m ust weigh several t rade- offs. Som e of t hese are securit y t rade- offs are discussed in t he next chapt er. Many are, however, a m at t er of balancing perform ance, sim plicit y, or funct ionalit y.

1 . Mobilit y is a baseline funct ion t hat should be provided by any archit ect ure you choose. 802.11 provides for m obilit y wit hin an ext ended service set , and t hat ESS m ust be visible t o t he client as a single I P subnet . All of t he archit ect ures present ed here at t ach client s t o a single subnet , alt hough t he m echanics of how t hey do so differ radically.

a . For sm all- scale deploym ent s using a handful of APs, any of t he archit ect ures work. The first t wo are easy t o set up on a very sm all scale, and m ay have t he advant age for cost conscious deploym ent s t hat will never grow beyond t he init ial handful of APs. b. The I EEE's int er- access point prot ocol provides link- layer m obilit y only. Crossing rout er boundaries int o new broadcast dom ains requires net work- layer coordinat ion bet ween wireless LAN access devices. At t he t im e t his book was writ t en, subnet m obilit y generally required picking a single- vendor solut ion. Mobile I P is an open st andard, but it is not widely im plem ent ed. 2 . Client s m ust perceive t hat t hey are at t ached t o a single I P subnet , no m at t er what t he physical locat ion of t heir at t achm ent . This does not , however, require t hat all client s be at t ached t o t he sam e subnet . Mult iple subnet s m ay overlap " over t he air." Mult iple subnet s over t he air offer t he abilit y t o m ore finely cont rol user access privileges and different iat e bet ween user groups, but require t he use of 802.1X. 3 . What lim it at ions does t he exist ing net work im pose? Baggage from past decisions m ay lim it t he choices t hat you can m ake.

a . A sprawling net work wit h a large diam et er m ay not be able t o ext end VLANs across t he ent ire net work due t o spanning t ree lim it at ions. This m ay rule out t he use of a single wireless VLAN, or a dynam ic VLAN m odel where t he access point s m ust be connect ed t o t he core. b. The dynam ic VLAN t opology m ay depend on widely dist ribut ing 802.1Q t ags t hroughout your net work. I f VLAN inform at ion is not already available, net work adm inist rat ors m ust find a way t o dist ribut e it t o all t he locat ions t hat support a wireless net work. Product s t hat require direct connect ion int o t he core are incom pat ible wit h a rout ed core net work. c. Net works m ay have choke point s in a variet y of places. Pre- exist ing choke point s m ay lim it t he num ber of wireless devices t hat can be at t ached in m any locat ions. I f your desired archit ect ure int ent ionally int roduces a choke point , it m ust be fast enough t o not lim it t hroughput . 4 . The choice of net work t opology m ay be driven in part by t he securit y prot ocols used on t he

4. net work. Dynam ic VLAN assignm ent is possible only wit h 802.1X, so t he last t wo t opologies work best for adm inist rat ors who want t o use link layer securit y m echanism s. The first t wo t opologies are m uch m ore suit ed t o use wit h net work- layer securit y based on I Psec and personal firewall soft ware. This chapt er has not direct ly explored t he t rade- off bet ween t he different securit y approaches, but t he next chapt er does. 5 . St at ic addressing is not necessary. I t adds needless com plexit y wit h very lit t le benefit in ret urn. Net work adm inist rat ors m ust m anage address allocat ion, and get direct ly involved in adding new syst em s t o t he wireless LAN.

a . St at ic addressing provides only a m inim al direct securit y benefit . Source I P addresses are not aut hent icat ed by t he sender, and at t ackers are likely t o learn t he I P addresses being used on t he wireless net work unless you em ploy st rong link- layer prot ect ion. b. Tracking users is bet t er done t hrough t he user- based net working t hat 802.1X provides. Wit h a usernam e available t o t he net work t hrough t he RADI US server, t here is no need t o associat e a user wit h an I P address. The user can be associat ed wit h t he usernam e inst ead. c. Dynam ic addressing m inim izes t he chance t hat t wo users m ay accident ally be assigned t he sam e address. Only one DHCP server is needed for several VLANs wit h j udicious use of DHCP helper; if a DHCP server already exist s, t here m ay not be any reason t o use anot her one. Table 21- 4 sum m arizes t he different fact ors discussed in t his chapt er. Securit y is t oo com plex t o be reduced t o a sim ple t able ent ry, so it receives t he full at t ent ion of t he next chapt er. As you consider t his t able and a purchase decision, keep in m ind t hat som e product s work wit h cert ain t opologies bet t er t han ot hers.

Ta ble 2 1 - 4 . Topology com pa r ison ch a r t Sin gle su bn e t

ET ph on e h om e D yn a m ic VLAN

Vir t u a l AP

Mobilit y

High if VLAN is large; lim it ed by m axim um 802.1D diam et er

Depends on size of islands

High

High; but enforcing lim it at ions m ay be im port ant

Per for m ance

Depends on choke point capacit y

Depends on concent rat or capacit y

High due t o dist ribut ed encrypt ion

Sam e as dynam ic VLAN

Backbone

High; t hough m ay depend on exist ing net work

Depends on t ype Varies wit h range of connect ion t o of m obilit y [ a] net work core

Sam e as dynam ic VLAN

Client

Depends on client soft ware [ b]

Depends on Built - in t o client soft ware [ b] operat ing syst em

Sam e as dynam ic VLAN; handles m ult iple client securit y m odels bet t er

IP addressing

High ( new subnet s and rout ing)

High ( new subnet s and rout ing)

Sam e as dynam ic VLAN

Not required

[a]

Newer products may reduce the backbone impact by logically attaching access points to a control device in the network.

[b]

Both the single subnet and central concentrator architectures are typically used with VPN software for additional security. Obviously, if VPN software is used, the amount of client integration work is much larger. [b]

Both the single subnet and central concentrator architectures are typically used with VPN software for additional security. Obviously, if VPN software is used, the amount of client integration work is much larger.

Chapter 22. Security Architecture From t he t im e t hat wireless LANs burst on t o t he scene, t hey have been inext ricably associat ed wit h securit y, or rat her, t he lack of securit y. One of t he reasons t hat wireless LAN deploym ent is such a significant undert aking is t hat securing an open net work m edium is a m aj or challenge. Early wireless net works were, wit h good reason, likened t o leaving an open net work j ack in t he parking lot for public use. Early solut ions for rest rict ing access and prot ect ing dat a were laughable, in part because t he lessons of hist ory did not im m ediat ely apply. Tradit ional net work securit y has focused on securing t he physical m edium t o reduce t he risk of net work at t ack, but wireless net works are useful precisely because t he m edium is not locked behind walls and doors. Short of building a m assive RF shield around t he building, you m ust assum e t hat t he physical layer is open t o anybody who want s t o access it . Wit h a net work m edium t hat provides negligible physical securit y, crypt ography m ust be used t o prot ect user sign- ons and t he dat a t hat flows over est ablished connect ions. Encrypt ion can be used t o est ablish t rust bet ween devices connect ed only by radio waves. Crypt ography helps t o est ablish t he user ident it y, and assure t hat access point s are part of t he net work t hey claim t o be. Once a user has been aut hent icat ed, crypt ography assum es it s bet t er- known role of scram bling net work t raffic t o prevent t raffic int ercept ion. Net work securit y is int ert wined wit h net work archit ect ure. Early fundam ent al insecurit ies in 802.11 net works led t o an archit ect ure t hat im posed physical and logical barriers bet ween t he exist ing wired net work and any wireless ext ensions, at a cost of usabilit y. I m proved securit y prot ocols enable t he wireless net work t o be reint egrat ed int o t he exist ing wired net work. The physical net work is likely t o rem ain separat e because of t he radically different physical propert ies of t he wireless m edium . For t he users and net work adm inist rat ors, it will be part of t he sam e int egrat ed whole. I n som e respect s, it will resem ble evolut ion of t he m obile t elephone net work. Cellular net works are physically separat e because t hey require specialized equipm ent and m anagem ent syst em s t o deal wit h t he challenges posed by radio links t o subscribers. However, t hey are logical ext ensions of t he exist ing t elephone net work. Users can run t he sam e applicat ion ( voice) on t he cellular net work wit h no ret raining, and t he m obile t elephone net work is int egrat ed int o t he overall m anagem ent syst em of t elephony. Now t hat wireless LANs can provide appropriat e securit y, t he int egrat ion has begun.

Security Definition and Analysis I nform ally, dat a securit y is defined in t erm s of t hree at t ribut es, all of which m ust be m aint ained t o ensure securit y. My definit ion is not m eant t o be form al. I n t his sect ion, I 'm t rying t o t ake a fundam ent al approach t o securit y by showing how wireless LAN securit y fails and how som e of t he failures can be solved by applying solut ions t he indust ry has already developed.

I nt egrit y Broadly speaking, int egrit y is com prom ised when dat a is m odified by unaut horized users. ( " Has som ebody im properly changed t he dat a?" )

Secrecy Of t he t hree it em s, secrecy is perhaps t he easiest t o underst and. We all have secret s and can easily underst and t he effect of a leak. ( " Has t he dat a been im properly disclosed?" )

Availabilit y Dat a is only as good as your abilit y t o use it . Denial- of- service at t acks are t he m ost com m on t hreat t o availabilit y. ( " Can I read m y dat a when I want t o?" ) Wireless LAN t echnology has t aken a fair num ber of knocks for it s failures in all t hree areas. Most of t he not able st ories have focused on t he secrecy aspect , bot h in t erm s of t he fundam ent al flaws in early encrypt ion prot ocols t hat allowed relat ively easy eavesdropping and t he lack of st rong user aut hent icat ion. However, ot her flaws are present . I nj ect ing t raffic int o wireless LANs has been difficult t o prevent before recent prot ocol developm ent s, and t he lack of fram e aut hent icat ion has m ade service denial t oo easy. Net work and com put er securit y is oft en an issue of risk m anagem ent , and wireless securit y is no except ion. There are m any ways t o bolst er t he securit y of your wireless net work, and m any product s can help m eet your needs. Before building anyt hing, st art wit h a roadm ap of what you want t o do. What net work securit y issues are t he m ost im port ant for your net work? Based on t he risks t hat your hot - but t on issues pose, how m uch can be spent t o m it igat e t hem ? This chapt er provides a brief sket ch of t he issues you m ay wish t o consider. More com plet e t reat m ent s can be found in som e key governm ent publicat ions, including t he Nat ional I nst it ut e of St andards and Technology's Special Publicat ion series on com put er securit y. Special Publicat ion 800- 48 discusses m any of t he issues relat ed t o wireless LANs, alt hough it does not have a great deal of det ail on 802.1X. [ * ] NI ST is also responsible for producing Federal I nform at ion Processing St andards ( FI PS) ; som e FI PS publicat ions address t he challenges of building a secure net work environm ent . [*]

NIST SP 800-48 can be found at http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf.

Wireless LAN Security Problems A st eady st ream of securit y research and analysis followed t he publicat ion of t he init ial 802.11 st andard. Securit y was not designed int o t he init ial specificat ion, which left net works open t o unaut horized users and failed t o prot ect dat a in flight over t he net work. By design, wireless LANs are flexible. Flexibilit y is oft en a boon; in t he case of t echnology t hat can be deployed wit hout proper securit y considerat ions, flexibilit y m ay also be a curse.

Your credentials, please: authentication Aut horizing users depends on ident ifying t hem . To m ake t he dist inct ion bet ween people who should have access t o dat a and t hose who should not , crypt ography can be used t o provide aut hent icat ion. Only aft er t he net work has ident ified a user can it est ablish t he crypt ographic keys used for confident ialit y prot ocols. One of t he failings of early prot ocols is t hat t hey aut hent icat ed t he hardware people used, rat her t han t he users t hem selves. While t here is oft en a t ie bet ween user and m achine, it is not as consist ent and predict able as it m ight seem at first glance. Several approaches have been developed t o im prove on t he init ial 802.11 aut hent icat ion t ypes. One of t he m ost com m on was t o build a t ransparent proxy t hat would t rap web request s and redirect t hem t o a cust om port al page for aut hent icat ion purposes. Web aut hent icat ion can successfully im prove aut hent icat ion by using encrypt ed pages, but it does not provide st ronger encrypt ion because it cannot be used t o derive keys for link- layer securit y prot ocols.

Secrecy over the air: encryption Keeping dat a t raveling across a wireless link secret is t he first challenge t hat wireless net works of any t ype m ust m eet . Wit hout physical boundaries, dat a will be present quit e lit erally " in t he air," readily available t o anybody wit h t he appropriat e receiver equipm ent . I n t he case of 802.11 wireless LANs, t he appropriat e receiver is your favorit e 802.11 net work int erface, perhaps bolst ered by a high- gain ext ernal ant enna. Keeping dat a out of t he hands of t he " wrong" people requires crypt ographic cont rols t o keep dat a out of t he wrong hands. Obviously, crypt ography m ust be used t o prot ect all dat a from int ercept ion by at t ackers passively list ening for fram es and analyzing dat a. Like a broad- spect rum ant ibiot ic, crypt ography can serve t he goal of confident ialit y by prot ect ing dat a from everybody who should not have it . Dat a confident ialit y is t ypically m aint ained by an encrypt ion prot ocol t hat provides only aut horized users wit h t he keys t o access t he dat a, and ensures t he dat a is not t am pered wit h inflight .

Secrecy and integrity of the whole network: rogue access points I f you m ent ion t he phrase " wireless securit y" t o m ost net work engineers, you will get a response t hat is heavily focused on securing t he radio link by providing appropriat e crypt ographic operat ions t o secure t he link. Secrecy is also a m at t er of keeping unaut horized users off t he net work, whet her it is t he wired net work or t he wireless net work. Wireless net works have t he pot ent ial t o be a side door int o t he net work t hat is not prot ect ed by appropriat e securit y m echanism s. I f access point s are connect ed incorrect ly t o a secure int ernal net work, t hey m ay afford a rout e int o t he net work t hat bypasses t he perim et er securit y t hat is in

place. Many net work m anagers also worry about unaut horized ( or " rogue" ) access point s t hat m ay be connect ed t o t he net work wit hout perm ission. Rogue devices are oft en consum er elect ronics, wit h all t he securit y and reliabilit y im plied by t hat st at em ent . I n t he end, rogue devices are not a part icularly int erest ing securit y problem . Every new wave in net working has brought risk, but ult im at ely, t hat risk has been addressed. Rogue devices are no different . The linchpin of a rogue st rat egy is t o locat e t hem and lim it t he dam age t hey can do. Locat ing unaut horized devices can be accom plished in several ways. The oldest and crudest locat ion m et hod is t o use Net st um bler on a lapt op and walk around looking for APs. When unaut horized devices are det ect ed, t he lapt op carrier can t ake sm aller st eps in an at t em pt t o pin down t he physical locat ion. Net st um bler is a sim plist ic t ool, and m ost of t he 802.11 int erfaces can offer only a rough indicat ion of signal st rengt h. Wireless prot ocol analyzers offer a st ep up from sim ply walking around. Many analyzers offer addit ional feat ures t o help t rack down unaut horized access point s, such as direct ional ant ennas t o aid in t he search, or specialized " find" m odes t hat report t he running signal st rengt h in real- t im e. Even wit hout direct ional ant ennas, a search m ode t hat report s rapid change in signal st rengt h can be quit e effect ive in hom ing in on a device; I have been able t o t rack down an AP in a few m inut es using an AirMagnet analyzer. Walking around t o locat e devices is problem at ic, especially since users event ually learn t o recognize t he AP hunt ers and t urn off unaut horized devices. Rat her t han using a labor- int ensive search process, net work engineers are t urning increasingly t o net work- based solut ions. By placing radio probes st rat egically t hroughout an area, adm inist rat ors can wat ch for devices as t hey are powered on. Mult iple list eners can be used t o locat e devices based on t heir locat ion and t he received signal st rengt h. Probe- based t ools can be a special m ode in a dist ribut ed analyzer, a specialized wireless I DS, or a feat ure in a cent ralized AP m anagem ent syst em . Som e net work- based syst em s even offer t he abilit y t o respond t o unaut horized devices by j am m ing or ot herwise act ing t o deny service, but t hese abilit ies probably need t o be refined before t hey can see widespread deploym ent .

Network integrity: traffic injection As wit h wired Et hernet , fram e spoofing is sim ple on 802.11. I f no encrypt ion prot ocols are used, a m alicious user can sim ply assign a MAC address t o an 802.11 int erface and spoof away. Unlike Et hernet , however, 802.11 uses a physical m edium t hat diffuses easily t hrough space. Rat her t han at t aching t o t he physical m edium , 802.11 devices are im m ersed in it . Ensuring t hat fram es in t he air belong and are legit im at ely aut horized net work t raffic is a difficult proposit ion t hat requires a whole suit e of crypt ographic prot ocols. I n addit ion t o im proved encrypt ion, WPA offers encrypt ion prot ocols t hat allow each fram e t o be aut hent icat ed t o prevent forgery and inj ect ion at t acks. As wit h m any ot her problem s, t he risk of t raffic inj ect ion depends m ay depend on several fact ors. Many ent erprise net works are probably at higher risk for eavesdropping rat her t han t raffic inj ect ion. Spoofing fram es m ay be a m aj or risk for service providers, however, because spoofed t raffic does not generat e revenue.

Network availability: denial of service There are t wo m aj or t ypes of denial of service against 802.11 net works. At t he radio layer, noise can severely disrupt com m unicat ions. Any source of radio noise in t he 802.11 frequency bands has t he pot ent ial t o int errupt com m unicat ions. At t ackers m ay use noise t hat is known t o com plet ely disrupt com m unicat ions t o prevent any dat a from flowing. Short of building a Faraday cage for an ent ire building, t he best t hat can be done is t o t rack down t he noise source and shut it off. I n m ost cases, noise sources are not operat ed m aliciously, and it suffices t o t rack t hem down. Som e handheld

devices can report noise levels, which can help t o find noise sources. Even wit h TKI P and CCMP, only fram es t hat carry user dat a payloads will have proof of t he t ransm it t er address. Managem ent and cont rol fram es are not aut hent icat ed, and can easily be spoofed. Denial- of- service at t acks are t rivial because an at t acker need only learn t he MAC address of an AP t o begin sending Disassociat ion or Deaut hent icat ion m essages. At som e point , it is probably t hat im port ant cont rol m essages will also be aut hent icat ed by t he 802.11 prot ocol. Unt il t hat point , net work adm inist rat ors can eit her deploy a t ool t hat will at t em pt t o det ect forged cont rol fram es, or live wit h t he risk.

Network integrity and availability: rogue clients Wireless securit y prot ocols are designed t o aut hent icat e and aut horize users, but users oft en use different m achines. Many users like t o bring personal m achines t o t he office and connect t hem t o t heir em ployer's net work. Personal m achines usually do not have t he full com plem ent of prot ect ive soft ware and configurat ion t hat em ployer- owned m achines do. At hom e, personal m achines m ay be connect ed direct ly t o t he unfilt ered fury of t he I nt ernet and infect ed wit h all m anner of viruses and worm s. When a virus- laden m achine is connect ed t o t he net work, it can easily act as a vect or t o bypass st rong perim et er securit y. The " viral vect or" oft en com es up when discussing wireless LAN securit y, even t hough it is a generic securit y problem . Any m achine brought int o t he office and connect ed t o t he net work can bring m alware, whet her it is connect ed t o a copper net work or a radio net work. Two m aj or t hreads are em erging t o deal wit h viral vect ors. One is t o push virus scanning out t o t he edge of t he net work by incorporat ing virus scanners and sim ilar t ools int o net work swit ches. I n t he long t erm , t his st rat egy m ay work; in t he short t erm , I do not underst and how t he dissim ilar requirem ent s of virus scanning and m alware det ect ion ( high CPU load, large m em ory requirem ent s) can be reconciled wit h exist ing swit ch hardware, which is t ypically designed around a set of specialized packet - forwarding chips wit h only a lim it ed general- purpose processor. The second t hread is now beginning t o em erge. Many net works based on Microsoft t echnology are, pract ically speaking, required t o use Microsoft 's m achine aut hent icat ion. To ensure t hat a user is working wit h an aut horized m achine t hat has appropriat e securit y prot ect ions, aut hent icat ion servers need t o t ie t he user aut hent icat ion t o t he m achine aut hent icat ion. Som e 802.1X aut hent icat ors offer t he abilit y t o t ie t he t wo aut hent icat ions t oget her, alt hough doing so is not crypt ographically sound because t he t wo aut hent icat ions are not st rongly bound. RADI US server vendors are beginning t o im plem ent sim ilar m et hods of correlat ing t he t wo aut hent icat ions. I t seem s likely t hat if t he aut hent icat ion bonding approach is successful, new aut hent icat ion prot ocols ( or prot ocol opt ions) will be devised t o add proven crypt ographic securit y t o t he bond.

Network integrity: traffic separation Net works are usually built t o serve m ult iple groups of users. The groups are oft en separat e and should not share dat a. User group separat ion m ay be enforced on t he backbone by VLANs, packet filt ers, and firewalls. Ret aining user group separat ion on t he wireless link requires giving different crypt ographic keys t o different groups. This concept was discussed in t he previous chapt er's virt ual AP archit ect ure. Traffic separat ion works best when it can be enforced at t he edge of t he net work. I t is relat ively rare for a service provider t o be able t o dict at e soft ware configurat ion t o cust om ers. Very few, if any, service providers could specify a part icular vendor's VPN client for use on a public net work. However, it is m uch easier t o m andat e t he use of built - in 802.1X soft ware t o enforce privilege separat ion.

Traffic separat ion m ay not have a role in ent erprise 802.11 net works, especially when t hey are new and relat ively sm all. However, t he definit ion of " service provider" can be quit e expansive wit h a flexible net work. Many colleges are int erest ed in using 802.11 t o save cabling cost in new const ruct ion or renovat ions, as well as enable a t hird part y t o sell I nt ernet access t o increase revenue. Many cit ies are working t owards t he sam e goal, especially at sit es t hat already provide I nt ernet access, such as libraries. Public users will be placed on an I nt ernet - only net work t hat is already m ade available t o pat rons, while a separat e net work m ay be used by cit y em ployees. I t m ay be desirable t o furt her separat e m unicipal em ployees by depart m ent , especially if som e of t hem handle prot ect ed dat a, such as elect ion ret urns on public healt h inform at ion. Flexibilit y m ay also assist cit ies in accom plishing t heir social goals if exist ing venues such as libraries can be easily used by em ployees.

Authentication and Access Control Connect ing t o wireless net works is designed t o be easy. I n fact , ease of connect ion is one of t he m aj or advant ages t o m any newer wireless t echnologies. 802.11 net works announce t hem selves t o anybody willing t o list en for t he Beacon fram es. To prot ect net works against t he t hreat of unaut horized access, st rong access cont rol m ust be applied. When a wireless st at ion connect s t o a wireless LAN, t here are four ways in which access cont rol can be applied:

St at ion aut hent icat ion The first st ep in connect ing t o a wireless LAN is t o perform 802.11 st at ion aut hent icat ion. St at ion aut hent icat ion is eit her open syst em aut hent icat ion, in which only t rivial aut hent icat ion is perform ed, or shared key aut hent icat ion, which depends on t he use of a WEP key. ( For m ore det ails, see Chapt er 9.) Many product s offer t he abilit y t o perform MAC address filt ering at t he aut hent icat ion phase t o screen out " unaut horized" client s by MAC address.

Associat ion Aft er aut hent icat ion com plet es, st at ions at t em pt t o associat e wit h t he access point . Generally, t his process does not have any securit y com ponent s, t hough MAC address filt ering could also be applied at t his st ep.

Link layer Once associat ion has est ablished t he virt ual net work " port " on t he access point for t he wireless st at ion, link- layer securit y prot ocols based on 802.1X can be applied. Aut horized users can be connect ed t o resources t hey are allowed t o use, and unaut horized users will be kicked off t he net work. Wireless net works are open t o eavesdropping, so it is necessary t o choose an aut hent icat ion prot ocol based on st rong crypt ographic fundam ent als.

Net work- or t ransport - layer I P- based net works have an unfort unat e hist ory of securit y failings, and a num ber of higherlayer securit y product s can be applied t o crit ical point s in t he net work. Firewalls can be used t o isolat e unt rust ed net works and aut hent icat e users, and VPN t erm inat ion devices can supply encrypt ion over unt rust ed net works. Different aut hent icat ion prot ocols work at different layers in t he OSI st ack. I nit ially, t he nat ive linklayer securit y m echanism s were quit e weak, and net work adm inist rat ors were forced t o work at higher layers in t he st ack. Much of t he engineering and design effort in wireless LAN securit y over t he past few years has focused on developing st rong link- layer securit y m echanism s. At t his point , net work adm inist rat ors have a choice of prot ocols t o secure t he net work. I n order from weakest t o st rongest , t hey are:

WEP shared key aut hent icat ion I n shared key aut hent icat ion, syst em s seeking net work access respond t o a challenge from t he AP. Shared key aut hent icat ion is so horribly const ruct ed t hat it was deprecat ed ( it s use was recom m ended against ) by 802.11i.

MAC address filt ering Every AP in t he net work is program m ed wit h a list of MAC addresses allowed net work access. MAC addresses are easily forged and duplicat ed, but som e older devices m ay offer not hing bet t er.

WPA preshared key ( WPA- PSK or WPA Personal) One of WPA's m aj or addit ions was a preshared key m ode t hat allows st at ions t o aut hent icat e t o a net work while in possession of only a passphrase. I t is significant ly st ronger t han eit her of t he previous approaches, but even st ronger m et hods exist .

802.1X- based prot ocols 802.1X was designed t o ident ify and aut hent icat e users before grant ing net work access. Because it is based on t he Ext ensible Aut hent icat ion Prot ocol ( EAP) , " 802.1X" is oft en used t o refer t o any one of t he ext ended aut hent icat ion m et hods t hat runs over EAP. Som e soft ware m ay refer t o t his as WPA Ent erprise.

Net work- layer aut hent icat ion I nsecurit y of I P- based net works is hardly a new phenom enon. Many past product s have at t em pt ed t o address aut hent icat ion of net work users in one form or anot her, and t here is a plet hora of syst em s and prot ocols t hat can be used once t he net work ( I P) layer is est ablished. Most of t he appropriat e m et hods for use wit h wireless net works will t ie in wit h VPN t echnology t hat can also be used t o secure t he net work t raffic.

Station Authentication and Association Applying securit y at t he st at ion aut hent icat ion phase or t he associat ion phase is quit e weak. Securit y m echanism s available at first st ages of connect ion are not st rong at all. An early " securit y" feat ure began life as t he so- called closed net work.[ * ] I n t he early days of 802.11, st at ions had t o be configured wit h t he net work nam e ( SSI D) used by an access point . Client soft ware was so prim it ive t hat it searched Beacons in t he air for a given net work nam e before associat ing. The closed net work consist ed of t wo com ponent s. Access point s would send Beacons as required by t he st andard, but wit hout t he SSI D inform at ion elem ent . Wit hout t he SSI D in t he Beacon fram es, t here was a m inor gain in privacy because som e client soft ware would not display an available net work. To

associat e, client s were required t o send a Probe Request t hat includes t he SSI D, m aking it funct ion as a hidden " key." APs using t he SSI D hiding feat ures would only accept Probe Request s from st at ions t hat already are configured wit h t he hidden SSI D. However, Probe Request s are not encrypt ed; any st at ion t hat observes a successful exchange of probe fram es can see t he SSI D and use it in a subsequent associat ion at t em pt . At t ackers who need t o know t he SSI D im m ediat ely can even disassociat e aut horized st at ions t o force t ransm ission of t he SSI D in t he probe exchange when t he st at ion reconnect s. [*]

This feature may go by several names, including cloaked network, SSID broadcast suppression, private network name, and several further variations.

One com m on approach, support ed by nearly every product , is MAC address filt ering. Access point s m aint ain a list of aut horized MAC addresses, and deny connect ion request s from st at ions not on t he list . Screening MAC addresses is bet t er t han not hing, but cert ainly leaves a great deal t o be desired. Like wired Et hernet cards, 802.11 cards m ay change t he t ransm it t er MAC address, which underm ines t he use of t he MAC address as an access cont rol t oken. At t ackers equipped wit h packet sniffers can easily m onit or successful associat ions t o acquire a list of allowed MAC addresses. Pract ical headaches oft en com pound t he use of MAC address filt ering. Maint aining t he address list is an adm inist rat ive headache, especially if users are prone t o using m ult iple devices or changing t he cards t hey use. Many product s were not designed for large- scale m anagem ent and require t he sam e inform at ion t o be ent ered in t o each device individually. Many product s t hat have cent ralized dist ribut ion of address list s require t he use of TFTP. TFTP has no place on a secure net work. A second approach t o aut hent icat ion is WEP shared key aut hent icat ion. Access point s issue a challenge t o a device seeking net work access. As discussed in Chapt er 5, shared key aut hent icat ion is broken, and cannot provide any prot ect ion from m alicious users seeking t o aut hent icat e t o t he net work. I t is possible t o fake a legit im at e response t o a WEP challenge wit hout any knowledge of t he WEP key. ( I t would, however, be im possible t o send t raffic wit hout first recovering t he WEP key.) I n som e product s, address filt ering and shared key aut hent icat ion m ay be com bined. However, bot h are easily defeat ed. Only consider t hese t wo rudim ent ary m et hods if you are st uck wit h wireless client devices t hat cannot support st ronger prot ocols, and an upgrade is out of t he quest ion. Devices t hat are st uck wit h crude aut hent icat ion m echanism s are usually quit e old. Logist ics applicat ions of 802.11 were an early win for t he t echnology, and t he handheld invent ory and t racking scanners used in t he logist ics field t ypically have lim it ed com put ing power. Som e cannot even do WEP, and quit e a few run MS- DOS! Address filt ering and shared key aut hent icat ion are awful securit y, and should only be used when absolut ely necessary, such as wit h devices t hat do not support anyt hing bet t er.

Link-Layer Authentication Link- layer aut hent icat ion, in t he form of 802.1X and WPA, is a significant st ep up from sim ple filt ering approaches. Aut hent icat ing users has several advant ages. Typical link- layer aut hent icat ion schem es allow very rest rict ed net work access for t he purpose of aut hent icat ion. Full net work access is only grant ed once t he user is posit ively ident ified. I n t he wireless LAN world, obt aining user ident it y early in t he net work at t achm ent process allows t he net work t o provide m uch finer access cont rols because users can be classified and rest rict ed before obt aining net work access. Link- layer aut hent icat ion is t ransparent t o net work prot ocols, and will work for any net work prot ocol you choose. Net works are increasingly hom ogenous and based on I P, alt hough t here m ay be pocket s of older prot ocols such as I PX. Link- layer aut hent icat ion can be used t o secure bot h I P and I PX. I n

m any cases, link- layer aut hent icat ion is also relat ively fast because it can happen as t he net work int erface is brought up. Rat her t han using prot ocols designed t o work across wide- area net works, link- layer aut hent icat ion can st art im m ediat ely when t he link is est ablished.

WPA Personal (preshared key) WPA has t wo m odes. The sim pler of t he t wo is based on dist ribut ing a preshared key ( WPA- PSK) t o all wireless client s. Key derivat ion for t he wireless link is based on random num bers exchanged along wit h t he preshared key. As wit h any prot ocol t hat uses a preshared key, WPA is vulnerable t o dict ionary at t acks by det erm ined at t ackers. [ * ] I n essence, WPA PSK is a short cut . Rat her t han depending on a com put at ionally int ensive m ult im essage TLS exchange t o derive keys, WPA- PSK derives t he preshared m ast er key from a passphrase and t he SSI D. [*]

An attack tool, called coWPAtty, is available from http://remote-exploit.org.

I n m ost cases, a single preshared key is used for all st at ions in an SSI D. I n such net works, all st at ions share t he sam e m ast er key. Wit h t he preshared key, an at t acker can m onit or t he four- way handshake described in Chapt er 7 and derive t he unique keys for any ot her st at ion which shares t he sam e preshared key. At t ackers can also forge m essages t hat force reaut hent icat ion, which enables t hem t o capt ure t he four- way handshake. Securit y of WPA- PSK depends a great deal on t he qualit y of t he passphrase. 802.11i Annex H discusses passphrase qualit y, and not es t hat a passphrase usually only has 2.5 bit s of securit y per charact er. Very short passphrases are subj ect t o dict ionary at t ack. The best defense against weak passphrases is t o use eit her t he binary preshared key m ode and ent er t he 256- bit preshared key, or t o use a st rong passphrase. ( Not all product s support ent ering t he preshared key direct ly.) The best passphrases will have m ore t han 20 charact ers, and avoid com m on phrases and dict ionary at t acks. Furt her advice on passphrases and discussion of passphrase qualit y can be found in t he Passphrase FAQ. [ * ] [*]

The Passphrase FAQ is available from http://www.stack.nl/~galactus/remailers/passphrase-faq.html. It was written for PGP, but much of the advice applies to any passphrase-based technology, including WPA-PSK.

WPA's preshared key m ode m akes sense for sm aller net works t hat are not st uffed wit h valuable dat a. Securit y is essent ially risk m anagem ent , and m any net works m ay not need anyt hing st ronger t han WPA PSK because t hey do not have m uch of value. Use WPA wit h preshared keys only for sm all, low- risk net works, or net works which have guest users t hat do not need m axim um prot ect ion. Ot herwise, use one of t he following aut hent icat ion prot ocols.

802.1X-based EAP authentication 802.1X is an ext ensible fram ework, not a prot ocol in and of it self. Net work adm inist rat ors can select from a m enu of prot ocols, each wit h it s own st rengt hs and weaknesses. To whit t le down t he choices t o a set of candidat es, consider t he pract ical requirem ent s im posed by wireless net works. By t ransm it t ing over t he air, wireless net works are inherent ly subj ect t o eavesdropping. St rong encrypt ion t o prot ect credent ials is a m ust . Beyond sim ply t ransm it t ing encrypt ed user credent ials, it is desirable t o provide m ut ual aut hent icat ion. Obviously, users m ust be aut hent icat ed. I n t he absence of a physical connect ion, however, som e crypt ographic operat ion is necessary so t hat users can be

sure t hey are connect ing t o t he legit im at e, sanct ioned wireless LAN deploym ent . Finally, aut om at ic WEP key dist ribut ion is a no- brainer. Random ly generat ed keys are m ore secure t han st at ic keys, especially if t he random key can be refreshed at regular int ervals. Three prot ocols m eet t hese pract ical requirem ent s, alt hough a fourt h is oft en considered as well. Cisco's Light weight LEAP ( LEAP) is an older, prest andard prot ocol t hat Cisco designed t o address som e of t he init ial securit y flaws discovered in wireless LANs. I t is not able for being t he first prot ocol t o dynam ically derive keys for each user, but it s design fails t he ot her pract ical requirem ent s. LEAP t ransm it s scram bled credent ials using MS- CHAP version 1. Alt hough MS- CHAP version 1 does not t ransm it credent ials in t he clear, it is a fundam ent ally broken prot ocol t hat cannot provide signficant crypt ographic prot ect ion. [ * ] ( I t rem ains in use on som e em bedded devices because of t he relat ively sm all am ount of CPU power reuqired.) Furt herm ore, LEAP provides m ut ual aut hent icat ion only by running t wo MS- CHAP exchanges ( one in each direct ion) . As a final st raw, LEAP is propriet ary t o Cisco. While t here are ot her opt ions for som e of t he com ponent s in t he syst em , it requires eit her addit ional client soft ware or Cisco cards on t he client end, and m ay require Cisco access point s in t he aut hent icat or role. I have worked wit h m ore t han one organizat ion t hat is at t em pt ing t o m ove away from LEAP because of it s propriet ary nat ure. Client syst em s m ust have LEAP soft ware, which can be part of t he Cisco driver load or a t hird- part y client ; it is not uncom m on t o see organizat ions t hat adopt ed LEAP heavily t o purchase Cisco cards for t he LEAP client and put t hem in port able devices t hat have built - in wireless cards. LEAP's weaknesses have led t o an effort t o st andardize a replacem ent prot ocol, EAP- FAST. At t he t im e t his book was writ t en, EAP- FAST was not widely im plem ent ed. [*]

See http://asleap.sourceforge.net/, a tool used to recover LEAP passwords. It works by forcing users to authenticate, and then brute-forcing their password hash.

The t hree widely considered st andards- based prot ocols are EAP- Transport Layer Securit y ( EAP- TLS) , Prot ect ed EAP ( PEAP) , and Tunneled Transport Layer Securit y ( TTLS) . All t hree use TLS t o provide st rong crypt ographic prot ect ion of user credent ials, and use t he TLS key exchange t o provide t he seed for link- layer keys. Furt herm ore, all can provide m ut ual aut hent icat ion. Each of t hem est ablishes a TLS t unnel wit h t he aut hent icat ion server, and uses t he cert ificat e supplied by t he aut hent icat ion server as t he basis for t he net work- t o- user half of m ut ual aut hent icat ion. EAP- TLS uses cert ificat es in bot h direct ions for aut hent icat ion. As part of t he TLS t unnel est ablishm ent , t he net work supplies a cert ificat e t o t he user, which t he user will check for validit y. Provided t he user can validat e t he server cert ificat e, t he client syst em will t ransm it t he user's cert ificat e for sim ilar validat ion by t he aut hent icat ion server. EAP- TLS is st rong, secure, and easy t o underst and, but it does have an Achilles heel. The client aut hent icat ion is provided by a client cert ificat e, which requires t he exist ence of a PKI t o generat e, sign, and dist ribut e cert ificat es. I f you do not already have a cert ificat e syst em in place, EAP- TLS is probably not for you. The t wo rem aining prot ocols, PEAP and TTLS, are quit e sim ilar. Bot h use t he server cert ificat e in t he TLS t unnel t o provide t he first - st age net work- t o- user aut hent icat ion, and use t he TLS t unnel t o encrypt t he user credent ials used for t he user- t o- net work aut hent icat ion in t he second st age. PEAP and TTLS do not depend on ext ensive use of cert ificat es, but t hey do require a cert ificat e for each aut hent icat or on t he wireless net work. Choosing bet ween PEAP and TTLS is m ore a m at t er of fit t ing a prot ocol t o your requirem ent s. TTLS is m ore flexible in t he way it passes dat a for t he user- t o- net work aut hent icat ion in t he t unnel, and it can be used wit h nearly any form of second- st age aut hent icat ion. PEAP is m ore lim it ed because it requires t hat t he second st age be perform ed using an EAP m et hod. I n pract ice, t he m ost com m only used PEAP supplicant is t he built - in supplicant in Windows XP/ 2000, and it only support s one second st age prot ocol t hat does not require cert ificat es: MS- CHAP, version 2. For net works t hat have a large num ber of Windows client s, PEAP is a good choice because it obviat es t he need t o license and load addit ional soft ware.

Avoid LEAP because it is propriet ary and relat ively weak. I nst ead, use an aut hent icat ion prot ocol based on TLS because it can provide m ut ual aut hent icat ion and key dist ribut ion. Three candidat es are based on TLS: EAP- TLS, PEAP, and TTLS. EAP- TLS requires client cert ificat es for aut hent icat ion, and is not likely t o be an opt ion unless a PKI already exist s. PEAP and TTLS are quit e sim ilar, and eit her m akes a fine choice. The form er is m ore useful in m onolit hic Windows environm ent s, while t he lat t er is m ore useful wit h older aut hent icat ion syst em s.

Network Layer Authentication Many early wireless net works were built as separat e net works from t he exist ing wired infrast ruct ure, and recycled exist ing aut hent icat ion and access cont rol m echanism s. For exam ple, in t he single subnet t opology in Figure 20- 1 in t he previous chapt er, t here is a nat ural choke point . Firewalls are oft en deployed at choke point s, and m ay provide som e access cont rol funct ionalit y. I f t he choke point device is also capable of t erm inat ing VPNs, t he VPN soft ware will cert ainly provide user aut hent icat ion in addit ion t o t raffic encrypt ion. Firewalls are well- known for providing a num ber of st rong aut hent icat ion m echanism s, and t hey have a proven abilit y t o int egrat e wit h one- t im e password syst em s such as RSA's SecurI D t okens. Many I Psec VPN devices also have t his capabilit y, alt hough it requires t he use of prot ocol ext ensions such as eXt ended Aut hent icat ion ( XAUTH) , Hybrid Mode I KE, or Challenge/ Reponse for Aut hent icat ed Cont rol Keys ( CRACK) . XAUTH is quit e popular, but it suffers from t he com pound binding problem s discussed in t his chapt er. High- securit y net works m ay wish t o avoid som e of t he problem s wit h prot ocol ext ensions by deploying I Psec wit h user cert ificat es for aut hent icat ion. I nst ead of I Psec t erm inat ion, t he VPN device m ay be an SSL VPN device. Rat her t han using client soft ware, SSL- based VPN devices m ay be subst ant ially easier t o use because t hey require only a web browser. I nst ead of using a full- blown ( and expensive) firewall, m any organizat ions st art ed using web- based aut hent icat ion syst em s. The wireless net work it self is run wit h m inim al aut hent icat ion and encrypt ion t o enable unrest rict ed access from pot ent ial users. Many net works are run using open 802.11 aut hent icat ion and no encrypt ion. ( Som e securit y- conscious net works are beginning t o use WPA- PSK for web- aut hent icat ed net works, but it is a relat ively new pract ice.) The first request t o a web sit e is t rapped by a proxy and redirect ed t o a secure login page. Before aut hent icat ion com plet es, t he web syst em drops any packet s from t he client . Once aut hent icat ion succeeds, t he client syst em s packet s are allowed t hrough. I t is im port ant t o not e t hat m any web aut hent icat ion syst em s do encrypt t he login, but have no way of providing st rong link- layer encrypt ion. When wireless LAN securit y first becam e a burning issue, several vendors began selling " wireless access cont roller" devices, which t ypically com bine packet filt ering, aut hent icat ion, aut horizat ion, and account ing services ( AAA) , and a DHCP server; m any devices also include a DNS server, VPN t erm inat ion, and packet shaping or rat e lim it ing. AAA feat ures are t ypically provided by an int erface t o an exist ing corporat e infrast ruct ure such as RADI US, which has already oft en been configured for rem ot e access purposes. Som e product s m ay also include dynam ic DNS so t hat a dom ain nam e is assigned t o a user, but t he I P num ber can be assigned wit h DHCP.

Integrating User Authentication Through RADIUS RADI US is oft en used as t he aut hent icat ion back end, no m at t er where aut hent icat ion is perform ed in

t he prot ocol st ack. Bot h wireless devices and VPNs can reference ext ernal RADI US servers. Most organizat ions have a cent ralized user account syst em som ewhere, and placing a RADI US server in front of it is a com m on way t o provide access t o m any net work devices. RADI US servers can also be used t o t ie t oget her m ult iple user account syst em s t o present a single int egrat ed view of user account s in an organizat ion. Alt hough RADI US servers have t he abilit y t o define local users, t he user m anagem ent t ools are not part icularly powerful or sophist icat ed. Most RADI US servers are deployed in such a way t hat t hey refer t o ot her sources of dat a for user account s, leaving t he RADI US server t o act as prot ocol t ranslat ors. Som e of t he m ost com m on form s of ext ernal user dat abases are:

Windows dom ains Most organizat ions have at least som e users in a Windows dom ain or Act ive Direct ory. I nt egrat ing a RADI US server wit h Windows passwords is easy for users because t he Windows password is oft en t he m ain user credent ial. End users hat e rem em bering passwords. Referring t o a Windows dom ain allows users t o keep using t he sam e credent ial for a variet y of purposes. Windows prevalence varies from t he odd depart m ent al net work at m aj or universit ies all t he way t o huge m ult inat ional corporat e net works, m any of which are built around Windows net work t echnology.

Token cards ( such as RSA SecurI D, Secure Com put ing SafeWord) Token cards oft en have RADI US front ends; m any RADI US servers can also pass credent ials direct ly t o a t oken card server for approval. I nt egrat ion wit h t oken card servers enables adm inist rat ors t o require st rong t oken aut hent icat ion wit h wireless net works.

LDAP direct ories Direct ories are highly ext ensible, and valued by organizat ions t hat desire a single user dat a st ore for everyt hing. Passwords, access privileges, policies, and cont act inform at ion can all be st ored in a direct ory. When used t o access LDAP direct ories, RADI US servers can perform aut horizat ion based on inform at ion learned from LDAP. For exam ple, universit ies m ay ident ify users as eit her facult y or st udent s, wit h st udent s having rest rict ed net work privileges.

Kerberos realm s Many universit ies also have a large invest m ent in Kerberos aut hent icat ion. RADI US servers accept credent ials from t he end user and use t hem t o obt ain a Kerberos t icket . I f t he aut hent icat ion is succesful, access is grant ed. Kerberos int egrat ion is relat ively loose right now. The t icket s grant ed t o users are dum m y t icket s t hat are not used in aut horizat ion, but m any universit ies would like t o ext end exist ing Kerberos infrast ruct ure t o new wireless net works. I expect t o see addit ional prot ocol developm ent t hat uses Kerberos t icket dat a for aut hent icat ion in t he fut ure.

Unix password syst em s

Unix password syst em s include Pluggable Aut hent icat ion Modules ( PAM) and Net work I nform at ion Syst em ( NI S) . Organizat ions wit h a significant invest m ent in Unix m ay be able t o creat e single- sign- on by recycling t heir exist ing aut hent icat ion syst em . RADI US servers t hat use t hese aut hent icat ion schem es are inst alled on Unix syst em s, and at t em pt t o validat e user credent ials wit h a syst em call.

RADI US proxy RADI US servers m ay pass aut hent icat ion request s t o ot her RADI US servers. I n environm ent s wit h dist ribut ed user enrollm ent and account creat ion, such as m ost large research universit ies, it is hopeless t o t ry t o creat e a cent ralized dat abase. The best solut ion is t o accept t he dist ribut ed nat ure of user account s, and ensure t hat RADI US servers can refer aut hent icat ion request s t o ot her RADI US servers for processing.

TACACS TACACS is an alt ernat ive access cont rol service. I t is used widely by net work devices, but is not oft en used t o st ore account s for anybody ot her t han net work adm inist rat ion st aff.

RADIUS authentication and Microsoft Windows databases There are t wo ways of looking up Windows user account s. Operat ing syst em API calls can look up user account s on dom ain cont rollers. Net work prot ocols bet ween servers can also be used t o look up user account s. I n older Windows NT4- based net works, t he dom ain cont rollers used an int er- server prot ocol t hat has been reverse engineered by t he open source com m unit y. Ext ernal RADI US servers can run soft ware t hat pret ends t o be a dom ain cont roller, and can t herefore look up Windows account s across t he net work. I n fact , m ost RADI US servers developed on Unix syst em s can use t he reverse engineering t o perform aut hent icat ion against NT Dom ain user account s. Windows- based RADI US servers m ust be inst alled on a dom ain cont roller t o look up user account s. Net works built around Windows 2000 are largely built wit h Act ive Direct ory. I n addit ion t o it s m any feat ures, Act ive Direct ory int roduced newer int er- server prot ocols t hat have rem ained propriet ary t o Microsoft . I nt ernet Aut hent icat ion Server ( I AS) , Microsoft 's RADI US server, can use Act ive Direct ory com m unicat ions t o look up user account s st ored on any ot her m em ber server in Act ive Direct ory. These prot ocols have not yet been reverse engineered, and are not available t o t hird- part y RADI US servers. They m ust inst ead rely on t he syst em call API on a dom ain cont roller. Once an request for user credent ials is dispat ched t o t he dom ain cont roller via it s API , t he dom ain cont roller m ay proceed t o use Act ive Direct ory prot ocols t o look up t he user account rem ot ely. [ * ] [*]

The indirect nature of the credential lookup and the domain controller requirement is a subtle advantage for Microsoft's RADIUS server, which is bundled with Windows server operating systems. Third-party RADIUS servers must be installed on a domain controller, and hence, a server installation. Network administrators must therefore justify the additional cost of the third-party RADIUS server over the inexpensive Microsoft RADIUS server.

Act ive Direct ory can be inst alled in a nat ive m ode, in which t he m em ber servers use only t he newer Act ive Direct ory prot ocols, or a com pat ibilit y m ode in which t he older, less- secure NT Dom ain prot ocols are used as well. Most current inst allat ions of Act ive Direct ory are now based on t he nat ive m ode wit hout com pat ibilit y opt ions. The bot t om line present s net work adm inist rat ors wit h a choice: run Microsoft 's RADI US server, run a t hird- part y RADI US server on a dom ain cont roller, or run Act ive Direct ory in com pat ibilit y m ode. The

last opt ion is fraught wit h securit y problem s, and is generally not workable because it also lim it s t he funct ionalit y of Act ive Direct ory. I f you need t o aut hent icat e against Act ive Direct ory user account s, t he choice is eit her t o use Microsoft 's I AS or find a dom ain cont roller for a t hird- part y RADI US server. ( Not e t hat not all t hird- part y RADI US servers can be inst alled on Windows; m ost t hird- part y RADI US applicances, for exam ple, do not run Windows.) I n m any organizat ions, bot h t asks can be quit e challenging sim ply because a large net work of dom ain cont rollers generally cannot be dist urbed wit hout ext ensive change cont rol procedures. Most RADI US server soft ware cannot access Windows user credent ials unless inst alled on a dom ain cont roller. I f you need t o aut hent icat e Windows user account s, be prepared t o set aside a dom ain cont roller for t hat purpose.

Ensuring Secrecy Through Encryption Aft er properly det erm ining user ident it y and assigning access privileges, t he net work m ust prot ect user t ransm issions from eavesdropping. Several encrypt ion prot ocols can be used on wireless LANs:

St at ic WEP Wit h st at ic WEP, a single key is used t o secure t ransm issions bet ween t he client and t he access point . I n m ost im plem ent at ions, t he sam e key is used by every st at ion, which dram at ically reduces t he securit y.

802.1X- based dynam ic WEP I n lat e 2001, t he flaws in t radit ional single- key st at ic WEP becam e im possible t o ignore. Fort unat ely, t he 802.1X specificat ion had em erged from t he st andards com m it t ees and provided a way t o dynam ically send keys t o client s. Refreshing WEP keys at short int ervals provides defense against m any of t he at t acks against st at ic WEP.

Tem poral Key I nt egrit y Prot ocol ( TKI P) TKI P is part of 802.11i, and is designed t o offer increased securit y on wireless int erfaces wit h hardware assist ance for RC4. To ensure fram e int egrit y, TKI P is used wit h t he Michael int egrit y check t o det ect fram e t am pering during flight . TKI P and Michael are a bandage on t he open wound t hat is WEP. They are m ore secure, but it is hard t o say how m uch m ore secure.

Count er Mode CBC- MAC Prot ocol ( CCMP) CCMP is t he second m aj or com ponent of 802.11i. Rat her t han using t wo separat e prot ocols for encrypt ion and int egrit y, CCMP uses new crypt ographic operat ions t o com bine bot h operat ions int o a single prot ocol. I t is a clean break wit h t he checkered RC4- based past of link- layer securit y. Chipset s now incorporat e hardware assist ance for AES, which is t he cipher t hat CCMP is based on.

Net work- layer encrypt ion I nst ead of prot ect ing t he wireless net work at t he link layer, it is possible t o apply long- st anding net work- layer encrypt ion prot ocols, such as I Psec, SSL, or SSH.

Static WEP

St at ic WEP is a horrendous securit y prot ocol. I t is bet t er t han not hing, but t hat is not saying m uch. Do not use st at ic WEP unless t here is not hing else t hat can be done t o encrypt t he net work t raffic. Wit h m ost devices, st at ic WEP can be considered obsolet e. Nearly all cards have t he abilit y t o support im proved 802.1X- based link- layer securit y m echanism s when used wit h recent drivers on support ed operat ing syst em s. The only real reason t o consider st at ic WEP is t he presence of applicat ion- specific devices t hat support not hing bet t er. You m ay have som e older devices t hat support not hing bet t er t han st at ic WEP due t o lim it ed processing power, and t he cost of upgrading t o a device capable of support ing bet t er securit y prot ocols cannot be j ust ified. Many handheld 802.11 invent ory scanners and voice over I P t elephones fall int o t his cat egory. I f you m ust use st at ic WEP, first check for t he m ost glaring securit y hole. Weak I Vs are t he lifeblood of st at ic WEP t ools. When Airsnort first m ade t he news, m any vendors updat ed radio firm ware t o avoid using weak I Vs. Alt hough an I V rest rict ing firm ware revision does lit t le t o address m any of st at ic WEP's flaws, it does dram at ically reduce t he exposure. Before deploym ent , check t o see whet her your st at ic WEP im plem ent at ions generat e weak I Vs. I f t hey do, dem and a fix. I t is unconscionable t hat any vendor st ill ships product s t hat are suscept ible t o t his at t ack. St at ic WEP is bet t er t han not hing, but it does offer som e prot ect ion, especially com pared t o not using it any securit y m easures. I t is best at prevent ing nonhost ile users from accident ially associat ing wit h t he a net work next door. However, st at ic WEP will not prot ect against an even m ildly det erm ined at t acker. I f you are required t o use st at ic WEP, t ake precaut ions t o ensure t hat t he com prom ise of t he WEP net work is cont ained and cannot be used as a launch point for furt her at t acks against your net work. St at ic WEP is an encrypt ion prot ocol of last resort . Use it only if you have no ot her choice, and t ake appropriat e securit y m easures t o lim it your exposure.

Dynamic WEP Keying with 802.1X Alt hough 802.1X was designed for user aut hent icat ion, it s im provem ent s t o WEP are as im port ant . 802.1X includes m essages t o dist ribut e keys from t he access point t o client st at ions. Dynam ic keying does a great deal t o address out st anding flaws in WEP, alt hough it is by no m eans a com plet e solut ion. Dynam ic keying has one im port ant dependency. Keys should appear t o be random , which m eans t here m ust be a source of keying m at erial or key ent ropy ( random bit s) som ewhere. Keying m at erial m ay com e from an aut hent icat ion m et hod t hat generat es it , such as one based on TLS, or it m ay be ent ered direct ly as a preshared secret . Through a series of operat ions t hat depends on t he prot ocol in use, t he keying m at erial is t ransform ed from a collect ion of random bit s int o t he series of bit s used as t he link- layer encrypt ion key. Dynam ic link- layer keys m ust be derived from a m ast er secret . The m ast er secret m ay be supplied direct ly, or com e from t he aut hent icat ion.

Most im port ant ly from a syst em adm inist rat or's perspect ive is t hat t he radio link can be keyed dynam ically. WEP keys need not be dream ed up by t he net work adm inist rat ion or dist ribut ed t o users and net work devices. I nst ead, t he user aut hent icat ion creat es a crypt ographically secure pool of random dat a t hat can be used t o derive t he WEP key. St at ions st ill do WEP encrypt ion t o prot ect

fram es, but t he key used t o encrypt t he fram e is unique t o t he user and changes periodically. The rekey int erval can be set by t he net work adm inist rat or. Rat her t han having a single key t hat is used unt il it is changed on all devices at t he sam e t im e, t he user's key is creat ed on aut hent icat ion and refreshed at regular int ervals. Keying m essages can be used t o dist ribut e eit her t he user keys ( key m apping or unicast keys) as well as t he broadcast keys ( group or default keys) . Default keys can be refreshed whenever a st at ion leaves t he net work, as well as at regular int ervals t o bolst er t he prot ect ion. I nit ializat ion vect ors will repeat over t he lifet im e of a st at ion associat ion. However, t he problem wit h I Vs st em s from repeat ed use of t he sam e I V wit h t he sam e secret key. By set t ing a suit ably short key regenerat ion t im er, it is possible t o avoid repeat ing t he I V+ secret key com binat ion. Wit h a 24- bit I V, it will be 16 m illion ( 2 24 ) fram es before an I V is repeat ed. By com paring t he 16 m illion fram e figure wit h 802.11 fram e rat es, you can derive a m axim um key lengt h. My analysis of 802.11 fram e rat es used a t raffic load com posed of " t ransact ions" consist ing of a TCP segm ent and corresponding TCP ACK. [ * ] Each t ransact ion consum es t wo I Vs. Based on t he 16 m illion figure, you can calcuat e t he t im e unt il t he I V space is exhaused. Table 22- 1 present s t he result s of t his calculat ion for a variet y of load fact ors. I n several ways, t he t able present s an unrealist ically short lifet im e for t he key. For safet y, t he key lifet im e is oft en set t o half an hour, which provides a great deal of prot ect ion against I V reuse. [*]

See the analysis in "When Is 54 Not Equal to 54? An Analysis of the Maximum TCP Throughput of 802.11a, b, and g" (http://www.oreillynet.com/pub/a/wireless/2003/08/08/wireless_throughput.html). Note that this analysis assumes a 1:1 ratio between TCP segments and their ACKs, and thus consumes many more IVs than a model that assumes a better ratio of TCP segments to ACKs. However, for the purpose of security, it is useful to use an unrealistically stressful model to engineer a safe limit.

Ta ble 2 2 - 1 . I V spa ce life t im e 8 0 2 .1 1 b 8 0 2 .1 1 a / g, n o pr ot e ct ion Transact ions per second

479

2,334

I Vs used per second

958

4,668

100% load

4.8 hr

1.0 hr

75% load

6.5 hr

1.3 hr

50% load

9.7 hr

2.0 hr

25% load

19.5 hr

2.4 hr

I V spa ce life t im e , h ou r s

The earliest WEP at t ack t ools based on t he Fluhrer- Mant in- Sham ir at t ack, air snor t and wepcrack, relied on t he collect ion of weak I Vs and each required several m illion fram es t o recover keys. More recent t ools, m ost not ably air cr ack,[ * ] com bine t he Fluhrer- Mant in- Sham ir at t ack wit h ot her at t acks and can recover keys m uch fast er, som et im es wit h less t han a m illion fram es. [*]

Available from http://www.cr0.net:8040/code/network/aircrack/.

WEP is st ill subj ect t o at t acks on t he fram e int egrit y check, and t here is no way t o defend against t hem wit hin t he WEP fram ework. I ndeed, t he necessit y of im proving t he int egrit y check was one of t he m aj or t echnical t asks for 802.11i. The only saving grace is t hat t ools t hat exploit t he weak int egrit y check hardly exist in com parison t o t heir Fluhrer- Mant in- Sham ir bret hren.

At best , dynam ic WEP is an int erim st ep t owards bet t er securit y prot ocols, and should only be used when equipm ent does not support TKI P. When using dynam ic WEP, be sure t o set a relat ively short key lifet im e t o prot ect against WEP analysis t ools. I recom m end no longer t han 15 m inut es.

Improved RC4-Based Encryption: TKIP Dynam ic WEP is a Band- Aid® t hat can be used when not hing bet t er is available, or as a way of deploying a link- layer aut hent icat ed archit ect ure in a reasonably secure fashion while considering im proved alt ernat ives. 802.11i includes t wo new link- layer securit y m echanism s. The Tem poral Key I nt egrit y Prot ocol ( TKI P) is designed t o m it igat e known at t acks against WEP while ret aining backwards com pat ibilit y wit h exist ing hardware. TKI P is m ore secure t han WEP, but has not yet been ext ensively analyzed yet . TKI P's design goal is t o be as secure as possible while ret aining backwards com pat ibilit y. I n t he first wave of 802.11 chipset s, securit y was oft en im plem ent ed in soft ware, if at all. To avoid t he perform ance problem s of soft ware- based encrypt ion, t he second m aj or wave incorporat ed hardware assist ance for m any WEP- based fram e handling funct ions, including RC4 encrypt ion. TKI P was designed t o work wit h t he WEP fram e processing prim it ives while shoring up a num ber of t he weak point s in WEP. TKI P ret ains RC4- based fram e encrypt ion, which allows it t o be ret rofit t ed on t o exist ing 802.11 syst em s. As wit h dynam ic WEP, TKI P depends on a source of random dat a t o serve as t he basis for it s keys, so it m ust be used eit her wit h WPA- PSK or an 802.1X EAP m et hod. Beyond t he basic sim ilarit ies, it adds per- fram e keying t o disrupt at t acks against t he init ializat ion vect or, and replay prot ect ion t o st op fram es from being ret ransm it t ed at a lat er t im e. TKI P also im proves t he int egrit y check by ensuring t hat t he sender of a fram e is in possession of t he appropriat e crypt ographic key, and using an im proved int egrit y check. TKI P and dynam ic WEP can coexist on m ost hardware. Most access point s are capable of st oring unique link layer keys for every st at ion. I f one st at ion uses dynam ic WEP and anot her uses TKI P, t he key st orage will reflect t hat . Using bot h encrypt ion prot ocols sim ult aneously does weaken t he securit y of broadcast fram es because all st at ions on t he sam e net work m ust share t he broadcast key. For m ost deploym ent s, TKI P should be considered a pract ical m inim um st andard unless it is unavailable. However, TKI P is should not be considered a long- t erm solut ion.

CCMP: Encryption with AES TKI P is lim it ed by t he baggage of WEP. The Count er Mode wit h CBC- MAC Prot ocol ( CCMP) in 802.11i was designed from scrat ch wit h securit y in m ind. The design goal was t o offer securit y com parable t o exist ing t rust ed prot ocols such as I Psec wit hout som e of t he lim it at ions t hat I Psec im poses on wireless LANs. Design st art ed wit h t he AES cipher, which is t he building block of m ost of t he new securit y prot ocols being developed. WEP's legacy will prevent TKI P from being t reat ed as a serious securit y prot ocol, but CCMP's underlying st ruct ure has been approved for use in sensit ive U.S. governm ent applicat ions. I n addit ion t o t he efficiency gain from using AES, CCMP im proves efficiency over exist ing

crypt ographic prot ocols. Tradit ional crypt ographic prot ocols can be used eit her for encrypt ion, which prot ect s dat a over unt rust ed pat hs, or aut hent icat ion, which ensures t hat it it was not alt ered in t ransit . WEP only provides encrypt ion, and relied on a flawed int egrit y check algorit hm . TKI P uses keys in t wo dist inct ways. Like WEP, keys are used t o provide fram e encrypt ion. Addit ional keys are used for a separat e int egrit y check algorit hm . CCMP, however, allows a single key t o be used for bot h purposes, which reduces com put at ional overhead and im proves efficiency. The m ain drawback t o CCMP is a com m on im plem ent at ion deficiency in client soft ware. Alt hough t here is no reason why CCMP cannot coexist on t he radio link wit h t he RC4- based encrypt ion prot ocols, m ost drivers do not support it . Mixing CCMP wit h RC4- based encrypt ion requires t hat t he driver support using CCMP for unicast fram es and one of t he RC4- based encrypt ion prot ocols for broadcast fram es. I do not know of any client vendor t hat support s t his m ode of operat ion. Herein lies t he downside t o using CCMP: it will result in m ore com plex configurat ions t o support t wo net works in parallel, and it m ay require replacing t he wireless LAN int erfaces in your com put ing devices. CCMP is an at t ract ive long- t erm goal for a link- layer securit y prot ocol, but product lim it at ions m ay require running m ult iple wireless net works in parallel as well as a forklift upgrade.

Higher Layer Security Protocols (IPsec, SSL, and SSH) When wireless prot ocols were first shown t o be fundam ent ally broken, t here was a rush t o find a st opgap solut ion. Net work archit ect s t urned t o proven crypt ographic prot ocols t o encrypt net work t raffic as it flew t hrough t he air. I Psec was a m aj or beneficiary of t he at t ent ion paid t o wireless securit y, alt hough SSL and SSH are frequent ly considered. All of t hese prot ocols provide a way of ident ifying users, encrypt ing t raffic, and ensuring t hat t he packet s are not t am pered wit h in flight . One drawback t o using securit y at higher levels in t he st ack is t hat securit y prot ocols can only prot ect t heir cont ent s. Prot ect ion at t he net work layer provides securit y services t o t he net work layer and anyt hing higher in t he st ack, but cannot do m uch t o secure lower layers. Securit y adm inist rat ors oft en worry about " t urnaround" at t acks t hat subvert an VPN client and use an est ablished t unnel t o access t he prot ect ed net work. To address t his pot ent ial vulnerabilit y, bolst er t he st andard host - based securit y wit h personal firewall soft ware and ant ivirus soft ware. On t he personal firewall side, several product s are available, ranging from inexpensive one- off inst allat ions t o robust , feat ure- rich, cent rally m anaged product s. At t acks against VPN client st at ions are enough of a concern t hat m any VPN vendors bundle personal firewall soft ware as part of t he inst allat ion. Securit y prot ocols im plem ent ed above t he link layer do not offer effect ive prot ect ion t o t he link layer, so higher- layer securit y should be augm ent ed wit h addit ional host - based securit y, such as personal firewall soft ware.

I m plem ent at ion at higher prot ocol layers also t ends t o dict at e net work archit ect ure. VPN endpoint s are t ypically bound t o I P addresses, and m ost VPN client s do not cope well wit h having t he address t orn out from under t hem . Alt hough 802.11 support s roam ing by at t aching t o different net works, t hose net works m ay be different I P subnet s. I f t he I P address changes, t he VPN session m ust be reest ablished. More im port ant ly, users m ust accept t he effect s of changing addresses and t he need t o reest ablish connect ions. To keep connect ions as long- lived as possible, net work archit ect s need t o m aint ain net work st at e as st at ions m ove across t he net work. This can be done wit h link- layer ident it y m anagem ent t ools t hat

provide handoff bet ween APs using 802.1X- based prot ocols as in t he dynam ic VLAN archit ect ure in t he previous chapt er, or it can be done by designing t he net work around t he handoff lim it at ions as in t he single- subnet archit ect ure in t he previous chapt er. The form er case is a m ore com plicat ed archit ect ure for t he net work adm inist rat or t o configure, but it is probably easier t o build because it does not require ext ensive backbone engineering. Many VPN t echnologies were designed around point - t o- point encrypt ion. Mult icast applicat ions can be based on I P, but I Psec does not yet include any m et hod for group key dist ribut ion t o enable t he use of m any- t o- one t ransm issions. Dist ribut ing keys for point - t o- point links is an " easy" problem because t here are only t wo part ies t o t he conversat ion. ( By " easy," I m ean t hat t he problem is t ract able and t hat a solut ion exist s, not t hat it is t rivial t o accom plish.) Keying a point - t o- m ult ipoint connect ion is a " hard" problem because one sender and m any receivers m ust agree on a set of keys, and it m ay be desirable t o updat e keys as receivers j oin and leave t he m ult icast session. Mult icast dat a is a nat ural fit for several applicat ions, m ost not ably st ream ing m edia. Large com panies m ay hold int ernal m eet ings over int ernal m ult icast sessions, and would undoubt edly want t o ensure t hat any dat a from t hose sessions is encrypt ed over wireless net works. Mult icast dat a is also used ext ensively in financial m arket s because it is a nat ural m odel t o dist ribut e m arket dat a. Various approaches t o I Psec m ult icast are in progress in t he st andards com m unit ies, but have not been finalized yet . I Psec is oft en used because it is im plem ent ed at t he net work layer, and t hus is independent of t he applicat ion wit h which it is used. As long as t he applicat ions can cope wit h t he increased delay for I Psec encapsulat ion and decrypt ion, it will work. I n t he m ost com m on I Psec archit ect ures, no changes are required t o use new applicat ions or new servers locat ed in t he prot ect ed net work. I Psec's wide adopt ion for rem ot e access also m eans t hat t here is oft en an I Psec t erm inat ion device on t he net work t hat provides encrypt ion. Many m obile devices already have client s inst alled and configured, and users have been t rained and are com fort able using t hem . I f an exist ing VPN concent rat or is available and has spare capacit y, it m ay be possible t o ext end an exist ing rem ot e access I Psec deploym ent t o int ernal wireless LAN users. Adding new t asks t o an exist ing concent rat or m ay cause perform ance problem s, especially if t he VPN device was originally specified for rem ot e access. Rem ot e access users do not require significant bandwidt h, especially com pared t o local LAN users. By definit ion, rem ot e access capacit y is defined by your uplink t o t he I nt ernet . Wit h m any organizat ions st ill on T- 1 lines or t he equivalent speed SDSL connect ion, rem ot e access connect ions are by definit ion lim it ed t o less t han 2 Mbps. Ext ending a VPN t o t he wireless LAN m ay require significant VPN concent rat or upgrades, or a wireless LAN syst em wit h I Psec t erm inat ion built - in. I Psec m ay also cause perform ance problem s. Maxim um - size I P packet s will becom e t wo I P fragm ent s once t he I Psec header inform at ion is added. One packet will include header inform at ion and also be m axim um size, but t he dat a t hat was elbowed out of t he packet by t he I Psec headers will be a second, m inim al size I P fragm ent . Bot h fragm ent s m ust be t ransm it t ed before t he packet can be reassem bled and decrypt ed. While t he head end of an I Psec solut ion is under t he cont rol of syst em adm inist rat ors, t he client side is not . I nst alling and configuring client soft ware in a deploym ent of any size can be a challenge. That is, if t he client soft ware even exist s. I Psec client soft ware is t arget ed at t he lowest com m on plat form denom inat or, so m any solut ions are available only on Windows. Finding I Psec support for Mac OS and Linux is surprisingly difficult , in large part because of t he different iat ion on t he concent rat or side. Vendor X's t erm inat ion device requires Vendor X's client soft ware t o use t he feat ures t hat m ake rem ot e access easier. A few vendors provide client soft ware for t heir own t erm inat ion devices for Mac OS, but Linux client s are hard t o find. ( Free S/ WAN is an I Psec im plem ent at ion, but it does not support any of t he special client feat ures t hat are usually desirable in deploym ent s.) Client soft ware loads m ay not st op wit h t he I Psec client , eit her. I Psec prot ect s from a wide spect rum of at t acks at t he net work layer, but it is powerless t o prot ect dat a at t he link layer. For exam ple, ARP spoofing or ARP poisoning at t acks cannot be st opped by I Psec because it does not encrypt or aut hent icat e ARP fram es. I Psec cannot prot ect against som e net work layer at t acks, eit her. Because I Psec requires t hat t he client obt ain an I P address, m any wireless LANs secured by I Psec allow any syst em t o at t ach t o t he net work and obt ain an I P address t hrough DHCP. Wit h t hat foot hold, even

casual at t ackers can launch I P- based denial- of- service at t acks against t he net work infrast ruct ure. Addressing link- layer at t acks can be done t hrough personal firewall soft ware, but t hat present s anot her client com ponent t o inst all, configure, and m anage. Personal firewall soft ware has m ade great st rides in recent years, and t here are excellent solut ions t hat can be cent rally configured and m anaged. I Psec user aut hent icat ion m ay also result in a subt le securit y risk. Sit e- t o- sit e VPNs use peer syst em s t hat are well known t o each ot her and st ay in fixed locat ions. I n t he leased- line replacem ent scenario, a handful of syst em s in well- known locat ions can be issued cert ificat es for st rong aut hent icat ion. Rem ot e access is a different st ory, however. I Psec was not designed for user aut hent icat ion, and it shows. Digit al cert ificat es are one opt ion, but are oft en rej ect ed as an adm inist rat ive night m are. A variet y of specificat ions exist t o perform legacy user aut hent icat ion wit h I Psec, all of which are incom pat ible. The m aj or prot ocol, eXt ended Aut hent icat ion ( XAUTH) , is widely im plem ent ed but is not fully st andardized. XAUTH requires t he disclosure of ident it y early in t he I Psec handshake, and m ust run in t he securit y- dim inishing " aggressive" m ode. The securit y of t he handshake and t he result ing t unnel t o pass user credent ials depends on a shared secret . Many im plem ent at ions of XAUTH allow, or worse, require t he sam e shared secret t o be used for all users. Furt herm ore, XAUTH is poorly designed, and subj ect t o t he com pound binding problem discussed previously. ( The " FI PS m ode" on m any cert ified I Psec product s disables t he use of XAUTH.) Sadly, m any vendors cont inue t o use XAUTH because it is im plem ent ed by m any OEM client s. The m aj or alt ernat ive t o XAUTH is " Hybrid Mode." Hybrid Mode has a significant ly bet t er design, but is not as widely im plem ent ed. An alt ernat ive t o I Psec is t o allow only applicat ions wit h st rong built - in crypt ographic syst em s. Webbased syst em s can be secured wit h t he secure socket layer ( SSL) . Host logins can be secured wit h SSH. SSH can also be used t o secure m any t ypes of TCP- based net work t raffic, alt hough t he port forwarding configurat ion m ay be t oo com plex for m any users. Som e environm ent s m ay have already deployed a fram ework such as Kerberos for applicat ion layer securit y, in which case it can probably be ext ended t o wireless st at ions wit hout great difficult y.

Selecting Security Protocols When select ing securit y prot ocols, t he first decision is which layer of t he net working st ack should be secured: t he link layer, t he net work layer, t he t ransport layer, t he applicat ion layer, or som e com binat ion of all of t hem ? 802.1X- based link- layer securit y and VPNs are used at different layers of t he prot ocol st ack, and are not m ut ually exclusive. Your choice of layer 2 securit y, layer 3 securit y, or bot h will depend on your goals and requirem ent s. Bot h provide encrypt ion t o prot ect m essages from eavesdroppers. Bot h can provide user aut hent icat ion. 802.1X prot ect s against m any at t acks by denying net work access before aut hent icat ion com plet es, and it s aut hent icat ion is m uch bet t er t hought - out t han I Psec rem ot e access aut hent icat ion m et hods. 802.1X used in conj unct ion wit h im proved Layer 2 encrypt ion is likely t o m eet t he securit y needs of m any organizat ions. I n sim ple t erm s, t he securit y of an I Psec t unnel is great er t han a WEP " session," even one rekeyed frequent ly using 802.1X prot ect ion.

Applying Security in the Protocol Stack One of t he biggest changes in t he 802.11 landscape since t he first edit ion of t his book is t he em ergence of a reasonable securit y archit ect ure in 802.11. First and forem ost , t he securit y prot ocols m ust keep t he net work secure. I n wireless LANs, securit y is largely a funct ion of aut hent icat ion and encrypt ion.

Compound binding vulnerabilities Most t radit ional m et hods of user aut hent icat ion are not secure. Over t im e, t he resist ance of aut hent icat ion prot ocols t o at t ack is increasing, but widely- deployed older m et hods will be used for m any years t o com e. To secure older aut hent icat ion prot ocols, it is com m on t o provide som e form of encrypt ed channel t o prot ect t he insecure m et hod across an insecure net work. The developm ent of st rong t unneling t echnologies such as t he Transport Layer Securit y ( TLS) and t he I P Securit y prot ocols ( I Psec) offers an at t ract ive m et hod for prot ect ing older aut hent icat ion prot ocols. Using a secure t unnel t o prot ect a m uch weaker legacy m et hod is referred t o as com pound aut hent icat ion because t he aut hent icat ion is split int o it s m aj or t asks of est ablishing a secure channel and perform ing user aut hent icat ion. The m ost not able exam ples of com pound aut hent icat ion m et hods are t he TLS t unneling m et hods used on wireless net works ( TTLS and PEAP) , as well as t he eXt ended Aut hent icat ion ( XAUTH) com m only used wit h I Psec. Designing crypt ographically secure prot ocols is ext rem ely dem anding work, and it is easier and safer t o use a widely deployed and analyzed prot ocol such as TLS or I Psec t o provide t he necessary crypt ographic com ponent s. I n Oct ober 2002, however, research found t hat t he design shared by m ost com pound aut hent icat ion m et hods is insufficient t o prevent cert ain t ypes of m an- in- t he- m iddle ( MI TM) at t acks. One of t he m aj or problem s is t hat t he t unneled " inner" aut hent icat ion m et hod is not st rongly associat ed wit h, or " bound t o," t he " out er" prot ect ive t unnel. Before exchanging t he sensit ive " inner" aut hent icat ion dat a inside t he t unnel, t he prot ocols do not provide for a check t hat t he aut hent icat ion is occurring wit h t he endpoint of t he " out er" t unnel. The com pound binding problem does not occur because of weaknesses wit hin t he t unnel prot ocols or inner m et hods, but rat her in t he way t hey are com bined. I nner aut hent icat ion prot ocols m ust prove t hat t he endpoint s of t he inner t unnel use t he endpoint s of any previous out er t unnels. [ * ]

[*]

IPsec's Quick Mode (phase 2) does this by including signature messages that rely on the results of the IKE (phase 1) exchange protecting it. XAUTH deliberately broke this model.

At t his point , t he vulnerabilit ies associat ed wit h weak com pound bindings are largely t heoret ical. Successful use of t hese vulnerabilit ies would require act ive part icipat ion on t he part of t he at t acker. To carry out a successful MI TM at t ack, t he at t acker would need t o insert a radio device int o t he t arget net work, carry out t he first phase of aut hent icat ion wit h a legit im at e aut hent icat or, and t hen at t ract a client t o st eal credent ials from . Success requires physical access t o t he net work and facilit y, as well as num erous act ive radio t ransm issions. XAUTH is no longer subj ect t o act ive st andardizat ion effort s, and m ay not be fixed t o address com pound binding vulnerabilit ies. Com pound binding problem s in I Psec can be avoided t hrough t he use of digit al cert ificat es on every client . Wireless LAN prot ocols have not yet reached t he final st age, and are in t he process of being m odified t o address com pound binding flaws.

Encryption An I Psec session probably provides superior encrypt ion st rengt h t o any of t he RC4- based fram e encrypt ion m et hods, and t he age of t he st andards and m ost im plem ent at ions can offer a high degree of t rust , especially if st at ic addressing and digit al client cert ificat es are used. I f it has a weakness, it is t hat a net work- layer prot ocol cannot provide securit y for t he MAC layer. I n m ost wireless net works secured by I Psec, at t ackers can easily obt ain I P addresses and launch at t acks against ot her net work users or denial- of- service at t acks against t he VPN com ponent s because t here is no aut hent icat ion before t he net work prot ocol is enabled.

Security certifications Depending on t he environm ent , it m ay be necessary t o use product s t hat have passed securit y cert ificat ion evaluat ions. As a rule, m any governm ent net works require t he use of net work product s t hat have been evaluat ed. I n t he Unit ed St at es, t his process is based on Federal I nform at ion Processing St andard ( FI PS) 140- 2; several m aj or goverm ent s have j oined t oget her t o replace a pat chwork of nat ional st andards wit h t he Com m on Crit eria evaluat ion. Great weight is oft en given t o t hese securit y evaluat ions, but it is wort h not ing t hat m any product s t hat are cert ified under m eaningful evaluat ion crit eria oft en have t o rem ove m any ease- of- use feat ures. At t his point , link- layer wireless securit y prot ocols cannot be given securit y FI PS 140- 2 cert ificat ion. Several com ponent s of t he ent ire link- layer securit y syst em m ust be approved by t he Nat ional I nst it ut e of St andards and Technology ( NI ST) before t he ent ire syst em can be cert ified. For a current list of validat ed com ponent s, see ht t p: / / csrc.nist .gov/ crypt val/ . The m aj or com ponent s of a syst em t hat need t o gain individual approval before t he syst em can be approved are:

Encrypt ion cipher 802.11i's CCMP uses AES, which is approved. RC4 is not approved and alm ost cert ainly never will be, which bars TKI P from cert ificat ion.

Cipher m ode of operat ion The CCM m ode, which is used by 802.11i's CCMP, was approved in NI ST Special Publicat ion 800- 38C in May 2004.

Hash algorit hm s The pseudorandom funct ion t hat expands m ast er keys int o key hierarchies is based on HMACSHA1, which is approved.

Key wrap Keys are sensit ive m at erial and need t o be encrypt ed for t ransport across t he net work. RFC 3394 defines t he NI ST key wrap funct ion, which has been approved.

Key derivat ion I n January 2005, NI ST released im plem ent at ion guidance (ht t p: / / csrc.nist .gov/ crypt val/ 1401/ FI PS1402I G.pdf) . According t o t he im plem ent at ion guidance docum ent , NI ST is planning t o release Special Publicat ion 800- 56, which will form ally approve key derivat ion m et hods. Even t hough t here are no generally available com m ercial product s t hat m eet securit y st andards, t here is an int erest ing except ion. Harris Corporat ion, a large governm ent cont ract or ( and, coincident ally, t he init ial developer of t he 802.11 PRI SM chipset ) , sells an 802.11 syst em called SecNet 11 t hat uses a Nat ional Securit y Agency- cert ified encrypt ion schem e. Buyers m ust be given approval by t he NSA. The price is, not surprisingly, ext rem ely high: over $3,000 per wireless LAN int erface, and $1,600 per AP.

Network support Aside from securit y it self, ot her fact ors influence t he decision over how t o apply securit y in t he net work st ack. One of t he largest nonsecurit y considerat ions is relat ed t o client soft ware. Support ing soft ware is t rying, even at t he best of t im es. Working wit h com ponent s built in t o t he operat ing syst em m ay be a significant advant age. 802.1X- based syst em s have t he advant age, now t hat 802.1X supplicant s are built in t o t he recent versions of m aj or operat ing syst em s. I Psec client s are generally specific t o t he vendor of t erm inat ion devices. I n bot h cases, client configurat ion is a one- t im e event . 802.1X client s m ay have slight ly bet t er cont rol over when t hey need t o run, provided t he corporat e SSI D is different from ot her net works. I f I Psec is already widely deployed, it m ay be m uch easier init ially t o t reat t he wireless LAN as a rem ot e access net work, especially since t hat will not require user ret raining. Before choosing I Psec, however, ensure t hat t here is enough capacit y on t he VPN t erm inat ion device t o handle LAN- speed access from t he new users. Support for m obilit y is likely t o be an im port ant considerat ion. To prevent I Psec t unnels from being t orn down, som e arrangem ent m ust be m ade t o provide I P m obilit y across t he net work. Som e refer t o t his t ask as t he creat ion of a " m obile VPN." I P m obilit y can be provided by t he net work it self t hrough t he use of a single VLAN for all APs, or t hrough overlay t unnels from every AP t o a VPN server, or even 802.1X- based dynam ic VLAN assignm ent . Wit h t he abilit y of 802.11i- com pliant devices t o m ove securit y cont ext s bet ween APs, it probably has a slight edge for net works wit h highly m obile users. Support for net work applicat ions m ay also lead t owards a preference for one prot ocol. Non- I P prot ocols are not support ed by I Psec. Net works t hat st ill use I PX or AppleTalk m ay not have a choice. I P m ult icast is not support ed by I Psec, alt hough it is support ed by link- layer securit y solut ions as a series of m ult icast fram es. I Psec is also likely t o be t oo slow for applicat ions t hat require low lat ency,

such as voice t ransm ission; I am also unaware of any exist ing phone t hat support s I Psec, or any plans t o int roduce an I Psec 802.11 phone. Different applicat ions m ay also require prot ect ion over different dom ains. I n m any cases, it is enough t o prot ect com m unicat ions over only t he m ost vulnerable part of t he pat h, and radio link encrypt ion is sufficient . I n som e cases, it will be necessary t o use sit e- t o- sit e encrypt ion t o provide securit y all t he way t o t he border of anot her net work. The dist ance over which t he dat a needs prot ect ion is a funct ion of t he securit y of t he net work past t he radio. I f t he access point s are connect ed t o t he sam e backbone as t he dest inat ion t raffic, radio link encrypt ion is probably sufficient . I f t he t raffic m ust t ravel across unt rust ed net works aft er leaving t he radio, som e form of net work- or higher- layer encrypt ion is required. Table 22- 2 sum m arizes m any of t he fact ors t hat com e int o play when deciding where t o im plem ent aut hent icat ion in your net work.

Ta ble 2 2 - 2 . Su m m a r y of m a j or fa ct or s in a u t h e n t ica t ion la ye r de cision Lin k la ye r ( 8 0 2 .1 X)

N e t w or k la ye r ( VPN )

I nt egrat ed operat ing syst em com ponent s

May already be deployed wit h exist ing capacit y on VPN concent rat or

Prot ect ion of layer 2 net work from at t ack

More fam iliar for users; less ret raining is required

Bet t er m obilit y archit ect ure

Prot ect s beyond t he radio link

Support for I P m ult icast and non- I P prot ocols

Securit y cert ificat ions require VPN; e.g., FI PS

Fast handoff support for voice

Choose Authentication The choice of aut hent icat ion t echnology oft en depends on t he way it will int erface wit h t he exist ing user dat abase. As a first st ep, ident ify where t he user account s current ly live. Are t hey in a Windows NT Dom ain or an Act ive Direct ory? Do t hey live in an LDAP dat abase, or a Kerberos realm ? Once you know where t o find t he users, t he choice of syst em t o aut hent icat e t hem is usually st raight forward.

Choosing an EAP method Pract ically speaking, it is necessary t o use an EAP m et hod based on TLS t o provide st rong crypt ographic keys for fram e encrypt ion. This const raint leaves us wit h t hree choices: EAP- TLS, PEAP, and TTLS. EAP- TLS is difficult t o use because it requires cert ificat es for every client . Wit hout a PKI already inst alled, using EAP- TLS m ay be considered a pract ical im possibilit y. PEAP and TTLS are quit e sim ilar, so t he quest ion becom es which one t o use. Alt hough t he prot ocols are sim ilar, t hey support different aut hent icat ion m et hods inside t he encrypt ed t unnel. Let t he int erface t o exist ing user dat abases m ake t he decision about t he aut hent icat ion m et hod. How t he user credent ials are accessed for verificat ion det erm ines your EAP m et hod. Three of t he aut hent icat ion m et hods will work wit h m ost aut hent icat ion dat abases, wit h ot her m et hods available t o cover t he rem aining few cases. PAP, t he Password Aut hent icat ion Prot ocol, t ransm it s t he usernam e and password wit hout any

encrypt ion. I t sim ply subm it s a usernam e and a password t o t he aut hent icat ion server, and t he aut hent icat ion server com pares t he subm it t ed password t o a st ored copy. Wit hout any encrypt ion, PAP should not be used across a net work connect ion t hat does not provide privacy prot ect ion. ( When PAP is used on wireless LANs, it is used in an encrypt ed channel, and t herefore safely.) PAP is not an EAP m et hod, and is t herefore not support ed by PEAP. The m ost com m on use of PAP is wit h user dat abases t hat one- way encrypt passwords, such as LDAP direct ories or t he Unix / et c/ password file. Rat her t han st ore t he password it self, or t he password in som e recoverable form , som e syst em s st ore a one- way hash of t he password such as t he SHA- 1 or MD5 hash. When a client user or program wishes t o prove it s ident it y, t he password is processed by t he one- way hash, and t he result ing hash is com pared t o st ored hash. PAP is com m only used wit h t oken cards because t he alphanum eric code from t he t oken can be subm it t ed along wit h a user nam e. Som e supplicant s have a " TTLS/ Token Card" m et hod t hat is TTLS/ PAP, but wit hout any caching of t he password, since t oken codes expire. Because nearly every legacy aut hent icat ion dat abase support s password aut hent icat ion, TTLS/ PAP is like Type O blood. I f in doubt , it is generally a safe bet . Microsoft CHAP version 2 ( MS- CHAP- V2) perform s a challenge/ response handshake. The client and server share a secret , and challenge each ot her t o perform com put at ions on challenge values wit h t he secret . The secret is t he MD4 hash of t he user password. Alt hough it is not reversible, t he hash value is used as t he secret , which m akes it a " password equivalent ." MS- CHAP- V2 is widely support ed by Microsoft client s, and is com m only support ed and used as an inner aut hent icat ion m et hod wit h PEAP. I f you have an exist ing aut hent icat ion dat abase st ored in a Windows dom ain or Act ive Direct ory, MS- CHAP- V2 is a logical choice for t he inner aut hent icat ion m et hod. I t can eit her be used " as- is" wit hin TTLS, or it can be used as an EAP m et hod wit h addit ional header inform at ion ( EAP- MSCHAP- V2) . The t hird com m on inner aut hent icat ion m et hod is EAP- Generic Token Card ( EAP- GTC) . EAP- GTC was originally designed t o t ake a usernam e and t oken code. I t does not provide any handshaking or privacy prot ect ion. Given it s init ial int ent of shut t ling a nonreusable code t o a server, t he lack of privacy prot ect ion is underst andable. However, it has seen recent adopt ion as an EAP m et hod t hat allows t he subm ission of a usernam e and associat ed aut hent icat ion credent ials. No EAP m et hod allows t he subm ission of usernam e and password pairs direct ly, but t here is not hing in EAP- GTC t hat prevent s it from being used as a password subm ission prot ocol. Not hing, ot her t han im plem ent at ion, prevent s EAP- GTC from being used as a PAP- like aut hent icat ion m et hod. As an EAP m et hod, EAP- GTC can be used wit h eit her TTLS or PAP. Several ot her inner aut hent icat ion m et hods are available, including t he Challenge Handshake Aut hent icat ion Prot ocol ( CHAP) , Microsoft CHAP, version 1 ( MS- CHAP) , and EAP- MD5 Challenge ( EAPMD5) . CHAP and Microsoft CHAP are only used by older aut hent icat ion dat abases. They should only be used when t he exist ing aut hent icat ion dat abase does not support one of t he newer m et hods. Bot h can only be used wit h TTLS, since neit her is an EAP m et hod. EAP- MD5 does not provide securit y services. I t is used for 802.1X on wired net works, but alm ost never on wireless because of t he lack of eavesdropping prot ect ion. I t is likely t hat one of t he t hree inner aut hent icat ion m et hods shown in Table 22- 3 will work wit h your user dat abase. Based on t he inner aut hent icat ion m et hod, choose eit her PEAP or TTLS. The choice of inner m et hod m ay also depend on t he TTLS or PEAP im plem ent at ion t hat you consider. The st andards allow EAP- GTC t o be used wit hin PEAP, but it is not support ed by t he built - in Windows supplicant .

Ta ble 2 2 - 3 . Su m m a r y of com m on EAP m e t h ods

I nner a u t h e n t ica t ion m e t h od

Ou t e r EAP m e t h od

PAP

Type of a ccou n t or u se r da t a ba se

Com m e n t s

TTLS only

One- way hash syst em s ( m ost LDAP direct ories, Unix password form at ) , t oken cards

Probably t he second m ost com m on inner aut hent icat ion m et hod. Most universal; generally works wit h any dat abase.

MS- CHAP- V2

TTLS or PEAP

Windows user account s ( NT dom ains, Act ive Direct ory) or anyt hing t hat st ores an MD4 hash

Most com m on form of inner aut hent icat ion due t o t he prevalence of Windows

EAP- GTC

TTLS or Sam e as PAP Cisco PEAP

Only support ed by Cisco supplicant on Windows

Aft er select ing bot h t he EAP m et hod and inner aut hent icat ion prot ocol, build t he required int erface. To work wit h a set of Windows user account s, t he RADI US server m ust access t he MD4 hashes of t he user passwords. I f m ade a m em ber of a dom ain, Microsoft 's I nt ernet Aut hent icat ion Server can pull user credent ials out of a dom ain syst em wit hout addit ional configurat ion. Third- part y RADI US servers m ay need t o be inst alled on dom ain cont rollers t o access t he user account inform at ion. Any dom ain t hat is t rust ed can also be accessed t hrough t he dom ain prot ocols. LDAP direct ories are increasingly popular, especially at large sit es t hat require scalabilit y. LDAP direct ories m ay be accessed in m ult iple ways. Som e direct ories m ay offer RADI US front ends. Wireless LAN devices can speak direct ly t o t he RADI US front end, or t o t he direct ory's RADI US server t hrough an alt ernat ive RADI US server perform ing RADI US proxy funct ions. Many RADI US servers are also capable of working as an LDAP client . When provided wit h direct ory credent ials, t he RADI US server is able t o bind t o t he direct ory and validat e user credent ials direct ly. The advant age of binding t o t he direct ory is t hat it is usually possible t o secure direct ory access t hrough SSL, which furt her prot ect s t he aut hent icat ion back- end connect ions. Less funct ional RADI US servers m ay int erface wit h LDAP by at t em pt ing t o bind t o t he direct ory using t he LDAP credent ials supplied by t he client and checking for success. However, by perform ing a bind and looking only for success, t he RADI US server is unable t o access any user m et adat a from t he direct ory. I f t he direct ory st ores privilege inform at ion t hat can be used by t he wireless LAN, it is desirable t o have t he RADI US server bind t o t he direct ory so t hat t he user aut horizat ion inform at ion can be provided t o t he wireless devices. Kerberos servers are popular in m any academ ic environm ent s, and a few RADI US servers can check user credent ials against Kerberos. These RADI US servers at t em pt t o obt ain a t icket from t he Kerberos server; if t he t icket request is successful, t he user is allowed access. However, Kerberos t icket s are bound t o I P addresses, and are not useful for client aut horizat ion.

Authentication architecture To be successful, an aut hent icat ion syst em m ust int erface wit h t he exist ing user account s. I n m any cases, t he user account syst em is sm all and confined, and t he m ain problem t he net work adm inist rat or has is det erm ining how t o build t he int erface bet ween t he wireless LAN and t he user account dat abase. Many organizat ions are large enough, or perhaps divided enough, for t he responsibilit y for m aint aining user account s t o be dist ribut ed across geographic or adm inist rat ive boundaries. Users are not m em bers of rival depart m ent al arm ies, however, and m ay need t o m ove across geographic or adm inist rat ive boundaries in t he course of work. The end goal of t he net work design should be t o facilit at e user m obilit y and product ivit y across boundaries. ( I f you like, call it t he Schengen design crit erion for dist ribut ed wireless LANs.) This design is oft en found on universit y cam puses, where individual schools, depart m ent s, or facilit ies m ay run t heir own net works.

Figure 22- 1 shows a port ion of a m ade- up universit y cam pus, wit h five net works: t he cam pus library, a cent ral I T services depart m ent t hat handles net working for com m on areas and depart m ent s t hat do not need t o run t heir own net works, a school of engineering t hat prides it self on running an independent net work, t he cam pus m edical cent er, and t he business school. Each of t hese depart m ent s m aint ains it s own user dat abase, in what ever form t hey prefer. For wireless LAN access, each of t he dat abases is provided t hrough a RADI US front end. I n t he figure, t he user dat abase and RADI US front end are shown sym bolically. I n designing t he aut hent icat ion archit ect ure, t he goal is t o provide an aut hent icat ion facilit y t hat allows a single user account t o be used across all cam pus net works. For exam ple, anybody ent ering t he library, whet her st udent or st aff, should be able t o use t he library's net work based on t he credent ials on t heir hom e net work. I f t he RADI US servers in each depart m ent have t rust relat ionships and are able t o refer aut hent icat ion request s t o each ot her, only one account is necessary. Account s are assigned t o RADI US realm s, which allow t he rout ing of request s t o a defined server. The library's RADI US server knows t hat request s for user@m ed m ust go t o t he m edical cent er's RADI US server. I f t hat server accept s t he user, access is grant ed. Trust relat ionships bet ween net works are a key com ponent of t he archit ect ure. Just as in t he cellular world, t o get net work connect ivit y anywhere, it is necessary t o have a roam ing agreem ent bet ween your " hom e" net work and t he net work you are " visit ing." Net work m anagers depend on t he t rust because t hey are grant ing access t o users aut hent icat ed by a t hird part y. I n a cam pus environm ent , t he roam ing agreeem ent m ight be inform al. On a larger scale, form al, legally binding agreem ent s m ay be required. EduRoam , a consort ium of European universit ies, is building a RADI US m esh on a cont inent al scale, and does require signed form al agreem ent s t o j oin t he m esh. Account ing m ay also be helpful in t his t ype of environm ent . Cam pus libraries devot e budget dollars t o t he acquisit ion of scholarly m at erial, not t o t he building of

Figu r e 2 2 - 1 . M e sh a u t h e n t ica t ion a r ch it e ct u r e

advanced net work services. Through account ing records, a net provider of service ( such as t he library) can est ablish t hat net work services are being consum ed by users from ot her net works, which m ay assist in funding net work expansion where service is useful, as opposed t o where t here is m oney.

Choose Encryption Aft er select ing an aut hent icat ion m et hod, it is usually st raight forward t o choose a link- layer encrypt ion m et hod because you will be picking t he st rongest prot ocol support ed on m ost hardware. Configurat ion is alm ost ident ical bet ween t he prot ocols, and t he funct ionalit y from t he user perspect ive is ident ical. Most of what can be said about st at ic WEP has already been said. Do not use it unless you have no alt ernat ive. Nearly all general- purpose devices now support bet t er prot ocols, leaving only applicat ionspecific devices like 802.11 phones or barcode scanners in securit y lim bo. Depending on your securit y requirem ent s, it m ay be

Authorization Aft er ident ifying users and validat ing ident it y, it m ay be desirable t o furt her rest rict net work access. Rest rict ions m ay be enforced in m any different ways, but t wo of t he t ypical policy t ools are packet filt ering t hrough access cont rol list s, and VLAN assignm ent . I n som e ways, t he lat t er is a handy way of applying basic rules t o user groups by t aking advant age of exist ing packet filt ers bet ween VLANs on your net work. Oft en, t he user account will cont ain som e piece of m et adat a t hat indicat es what sort of aut horizat ion should be applied. That ident ifier is oft en indicat ive of an organizat ional role. Roles m ust be t ranslat ed int o concret e act ion, such as " put all users from Group A on t o VLAN A" or " apply Filt er B t o devices in Group B." I dent it y and role live wit h t he user account , and t hat dat a is t ypically t ranslat ed int o rest rict ions by bot h t he RADI US server and t he wireless LAN device it self. Based on t he role, t he RADI US server m ay pass som e set of rest rict ing at t ribut es. RADI US at t ribut es m ay also t rigger furt her, m ore det ailed act ions from t he wireless LAN device. As an exam ple, t he RADI US server m ay specify t hat a filt er should be applied t o t raffic from a part icular device, but it is alm ost cert ainly up t o t he wireless LAN hardware t o define t he specifics of t hat filt er.

necessary t o shut down deploym ent s of t elephony or aut om at ion if t he securit y risks cannot be adequat ely addressed t hrough ot her m eans, or if a risk analysis shows t hat t he t hreat is large. Using WEP wit h dynam ically derived keys is significant ly bet t er because a frequent rekeying int erval can m it igat e m any of t he at t acks against WEP discussed in Chapt er 5. Dynam ic WEP should be considered t he m inim um accept able level of securit y for user payload dat a on general- purpose com put ing devices. I n m any cases, m anufact urers had t o pat ch drivers, but m ost drivers from m idt o- lat e 2002 onwards have support for dynam ic keys. Because of t he lingering flaws in WEP, even when used wit h dynam ic keys, TKI P is t he t arget level of securit y for m ost net works being built as t his book was writ t en. Hardware support requirem ent s for TKI P are ident ical t o WEP, so nearly every 802.11 device has t he required hardware. Soft ware support or TKI P is also required, but is increasingly com m on. TKI P and WPA are built in t o t he m ost recent versions of Windows ( XP) and MacOS ( 10.3) WPA is not yet widely available on Linux because t he driver fram ework does not yet have t he required level of int egrat ion wit h t he supplicant soft ware, alt hough t he enhancem ent s are expect ed in t he fut ure. Most organizat ions should t arget TKI P for deploym ent while m aking plans for m igrat ion t o enhanced prot ocols. Consider dynam ic WEP a m inim um requirem ent .

When securit y is of t he ut m ost im port ance in link- layer encrypt ion, CCMP is t he clear choice. TKI P requires prot ocol " count erm easures" t o det ect keys under at t ack and m it igat e t he t hreat . Count erm easures are an adm ission t hat t here is a fundam ent al lim it on t he st rengt h of t he prot ocol. Securit y does com e at a cost , however. CCMP has t he m ost st ringent hardware and soft ware support requirem ent s of any of t he link- layer encrypt ion prot ocols. I t is only available for use on wireless int erfaces t hat can provide AES hardware assist ance. Nearly all recent cards do, but m any older cards do not . I f you have a significant base of older cards wit hout AES hardware support , t he upgrade t o AES- capable hardware m ay be an expensive and daunt ing challenge.

CCMP is likely t o offer t he best securit y. However, it also has t he m ost st ringent hardware and soft ware requirem ent s. Many lapt op m anufact urers choose t he cheapest chipset s available, and t hus m ay not support CCMP wit hout ext ernal cards.

Multiple SSID support The 802.11 securit y prot ocol archit ect ure allows t he sim ult aneous use of m ult iple crypt ographic prot ocols on t he sam e AP. Client s are free t o use any support ed prot ocol. Encrypt ion of unicast fram es is t ypically done using t he st rongest prot ocol support ed by a given syst em , while encrypt ion of fram es t o group addresses uses t he st rongest prot ocol support ed by all syst em s. I f an AP has a group of associat ed st at ions t hat support WPA, but t here is one st at ion t hat only support s dynam ic WEP, t he group key will be dynam ic WEP. The st andards do not lim it what m ay be support ed, but individual im plem ent at ions m ay have problem s m ixing crypt ographic t ypes. One of t he m ost com m on lim it at ions is t hat m ost client soft ware does not support using a CCMP key for unicast fram es while sim ult aneously using a nonCCMP encrypt ion t ype ( TKI P, dynam ic WEP, or st at ic WEP) for group fram es. Driver support for t his t ype of m ix m ay com e in t he fut ure. At t he t im e t his book was writ t en, support ing CCMP was generally done by providing an addit ional SSI D. One support s t he RC4- based encrypt ion prot ocols, while a second net work support s only CCMP. Unfort unat ely, using t wo SSI Ds does increase t he risk of user confusion because t he SSI D t o at t ach t o is a user- cont rolled param et er. Client soft ware lim it at ions prevent sim ult aneous use of CCMP and RC4- based encrypt ion on t he sam e SSI D. To use bot h at t he sam e t im e, you m ust use an 802.11 AP t hat support s m ult iple SSI Ds.

Rogue Access Points One of t he m aj or risks faced by net work adm inist rat ors is t he unaut horized inst allat ion of 802.11 net works by users. So- called " rogue" access point s can pose significant t hreat s. The prim ary t hreat is t hat a device inst alled by users will not have t he full securit y configurat ion of an aut horized deploym ent ; users probably are not sophist icat ed enough ( and m ay not be willing) t o enable highsecurit y feat ures correct ly. Even if t hey are appropriat ely secured, unaut horized devices m ay int erfere wit h t he operat ion of t he exist ing net work.

Detection The first st ep in dealing wit h rogue devices is t o find out t hat t hey exist . Som e radio device som ewhere m ust not e t he exist ence of an unaut horized device. I n t he init ial years of 802.11 equipm ent , access point s were expensive enough t hat carrying around a lapt op- or handheld- based sniffer was an effect ive det ect ion m echanism . As m ore people have becom e fam iliar wit h 802.11, det ect ion needed t o becom e a cont inuous, aut om at ed process. For cost and m anagem ent reasons, det ect ion is now int egrat ed int o m ost m ainst ream wireless LAN syst em s. Depending on t he vendor's im plem ent at ion, t he det ect ion com ponent m ay be im plem ent ed t hrough t he use of a scanning feat ure t hat searches periodically for unaut horized devices or dedicat ed scanning devices. Scans for unaut horized devices m ay be passive scans t hat list en for t raffic, Beacons, or Probe Responses, or t hey m ay be act ive scans t hat use 802.11 Probe Request fram es t o m ake unat horized net works reveal t hem selves. To be effect ive, det ect ion m ust cover all t he available 802.11 channels. I nit ial corporat e deploym ent s were largely based on 802.11b, and t he radio int erface chipset s were not capable of operat ing in t he 802.11a frequency range or wit h 802.11a m odulat ion. Clever deployers of rogue access point s have been known t o purchase unaut horized 802.11a devices on t he t heory t hat t he exist ing net work is not capable of det ect ing t hem , and any net work analysis t ools used by net work adm inist rat ors m ay be 802.11b- only as well. Det ect ion capabilit ies m ay be built int o wireless LAN infrast ruct ure, or it m ay require st andalone devices. There is usually a t rade- off bet ween t he qualit y of service provided t o users, t he qualit y of det ect ion inform at ion, and cost . Dedicat ed sensors provide t he best det ect ion, but also cost t he m ost . Using radios t hat provide service t o users t o det ect unaut horized devices is m uch cheaper, but m ay int errupt or dim inish service provided t o users. When a radio searches for unaut horized deploym ent , it will look for indicat ors of rogue devices. At t he m inim um , sensors m ust search for Beacon fram es. All access point s and ad hoc net works send Beacons. Som e com plet e 802.11 syst em s m ay also observe client t raffic and com pare t he list of client s seen in t he radio dom ain wit h t he client s associat ed t o t he infrast ruct ure. Any client s t hat are present in t he form er list but not t he lat t er are associat ed wit h unaut horized deploym ent s.

Physical Location Once a rogue AP is det ect ed, net work adm inist rat ors usually want t o locat e it , usually as a prelude t o som e sort of response. I n m any cases, it m ay be appropriat e t o sim ply not e t he exist ence of a rogue AP so t hat an adm inist rat or can visit t he user and deact ivat e t he device. I f act ive count erm easures

are required, it is oft en best t o lim it t hem t o rogue devices wit hin a specific area. There are several m aj or t ypes of locat ion t echnologies in use:

1 . Closest AP radius calculat ions 2 . Triangulat ion 3 . RF fingerprint ing 4 . Different ial t im ing The easiest m et hod of locat ing a rogue AP is t o use t he radius t o t he closest AP, as shown in Figure 22- 2 ( a) . Aft er searching t he net work for a MAC address, t he net work syst em can det erm ine a very rough locat ion based on t he locat ion of t he AP t hat det ect ed t he device. Radio signal propagat ion t hrough free space follows a well- known m at hem at ical m odel. Based on t he received signal st rengt h at t he det ect ing AP, t he m axim um radius can be calculat ed by finding out how far away a device operat ing at m axim um t ransm ission power would need t o be so t hat t he calculat ed received signal st rengt h would m at ch t he m easured value. I n Figure 22- 2 ( a) , t he received signal st rengt h at t he AP can be used t o det em ine t he free- space dist ance t o t he closest AP, but it does not offer any guidance as t o which posit ion on t he circle t he AP is at .

Figu r e 2 2 - 2 . Ra diu s t o t h e close st AP

AP radius calculat ions suffer from a num ber of flaws. First of all, t he free- space radius of a signal t ransm it t ed at m axim um power is likely t o be m uch larger t han t he act ual radius. While a free- space propagat ion m odel m ay allow for a 100- foot coverage radius, t he result ing 30,000 square foot space is t oo large t o be useful. To pinpoint t he offending device bet t er, som e locat ion t ools will build a m at hem at ical m odel of t he radio environm ent , and t ake int o account any building feat ures along a part icular pat h. I n m ost office buildings, t he effect ive coverage radius is oft en half t he free- space value or less. By reducing t he radius from a t heoret ical 100 feet in free space t o an environm ent specific value 50 feet or less, t he t arget is reduced t o a m uch sm aller 8,000 square feet . 8,000 square feet , however, is st ill an area of 70- 100 cubicles, depending on t heir size and t he office layout . I n Figure 22- 2 ( b) , t here is a wall on t he right - hand side of t he diagram , which has t he effect of reducing t he coverage radius because t he radio signals m ust penet rat e t he wall. The t hickness of t he arrow corresponds t o signal st rengt h at a given point . When t he radio signal encount ers t he wall, t he signal st rengt h drops, which has t he effect of reducing t he coverage area. Correct ion of coverage

radius for building feat ures works best when t here are a large num ber of t hem ; it is not m uch of an im provem ent in t ypical cubicle- filled offices where t he propagat ion dist ance is m uch fart her. AP radius- based approaches can be furt her refined by using t riangulat ion, as shown in Figure 22- 3. Triangulat ion, when used wit h it s original definit ion, m easures t he dist ance from t hree known point s t o det erm ine a locat ion. Many of t he " t riangulat ion" t echniques used in wireless LAN syst em s can work wit h m ore t han t hree m easurem ent point s. Overlapping coverage areas, overlapping radii, and in som e cases, probabalist ic sim ulat ions, are used t o com e up wit h likely locat ions for devices. I n Figure 22- 3 ( a) , t he overlapping coverage areas of t hree APs are used t o derive a guess at t he locat ion. As wit h t he AP radius approach, som e t riangulat ion algorit hm s can be used in conj unct ion wit h knowledge of t he building const ruct ion t o furt her refine t he locat ion. I n Figure 22- 3 ( b) , t he signal deadening effect s of t wo walls are t aken int o account , which result s in a m uch bet t er predict ion.

Figu r e 2 2 - 3 . Tr ia n gu la t ion

Locat ion can be furt her refined by t aking RF fingerprint m easurem ent s. Aft er generat ing a set of predict ions about how radio waves will int eract wit h t he building, t he m at hem at ical m odel is refined wit h dat a about how radio waves act ually behave. To build a fingerprint dat abase, devices are placed at known locat ions and t hen m easured. Dat a on received signal st rengt h and ot her signal charact erist ics is t hen st ored as a " fingerprint " for t hat locat ion. Fingerprint s include all t he signal propagat ion charact erist ics t hat are hard t o calculat e, such as reflect ion off of walls and m ult i- pat h int erference. When unknown devices are being locat ed, t heir signal charact erist ics can be com pared t o t he fingerprint dat abase t o refine t he locat ion predict ion. I m proving t he qualit y of locat ion predict ions depends on t he num ber of fingerprint locat ions collect ed as part of t he ext ended sit e survey. Alt hough fingerprint ing can im prove locat ion inform at ion, it m ay require t he collect ion of a great deal of addit ional dat a t o build a large enough fingerprint dat abase for t he desired accuracy. A final m et hod of locat ion is based on t he relat ive t im e of received signals. Signal st rengt h depends on a variet y of fact ors, including building const ruct ion. Radio waves, however, always t ravel at t he speed of light . Triangulat ion can be perform ed based on t he relat ive arrival t im e of t ransm issions at m easurem ent locat ions. Alt hough t his t echnique has t he pot ent ial t o be quit e accurat e, radio waves are ext rem ely fast , and incredibly precise t im ing synchronizat ion is required. I n Figure 22- 4, t wo APs are m easuring t he arrival of a t ransm ission from a source. Aft er som e am ount of t im e, t he signal reaches t he first AP. The locat ion syst em m ust m easure t he difference in t im e bet ween t he arrival of t he signal at t he first m easurem ent device and t he second m easurem ent device wit h ext rem ely high precision. Radio waves t ravel at approxim at ely one foot per nanosecond, which requires t hat t he

locat ion devices be able t o discern very sm all t im e differences bet ween dist ribut ed devices. Alt hough t heoret ically feasible, t he different ial t im e arrival approach t ypically requires t he use of highly specialized devices wit h t im ing equipm ent t hat is far m ore accurat e t han is found in t ypical access point s.

Figu r e 2 2 - 4 . D iffe r e n t ia l t im in g a n a lysis

Disabling Rogue APs Many product s offer t he abilit y t o aut om at ically shut off unaut horized net works, a feat ure t hat is oft en referred t o as cont ainm ent or suppression. The t echnical det ails vary, but som e com binat ion of prot ocol t ricks is used t o prevent or disrupt connect ions t o rogue APs. Generally speaking, t he t ricks eit her prevent associat ions t o rogue APs or disrupt est ablished connect ions. Many of t he t ricks depend on t he lack of aut hent icat ion on cont rol fram es, which allows infrast ruct ure devices t o im personat e rogue APs. I t rem ains t o be seen how effect ive count erm easures will be when t he 802.11 prot ocols aut hent icat e im port ant net work cont rol inform at ion. Figure 22- 5 illust rat es t he t wo m aj or t echniques for launching denial- of- service at t acks on rogue net works.

Figu r e 2 2 - 5 . Rogu e su ppr e ssion t e ch n iqu e s

To disrupt t he associat ion process, som e devices send spoofed Beacon or Probe Response fram es, as shown in Figure 22- 5 ( a) . Wit hout aut hent icat ion of Beacon or Probe Response fram es, an access point can easily im personat e t he rogue. The spoofed fram es m ay cont ain inform at ion t hat cont radict s t he corresponding fram es t ransm it t ed by t he rogue t o confuse client devices. Som e client s will be unable t o associat e t o a net work t hat appears t o be announcing it is bot h encrypt ed ( in Beacon fram es wit h t he Prot ect ed Fram e bit set ) and not encrypt ed ( wit h t he Prot ect ed Fram e bit clear) . Spoofed Probe Response fram es m ay have t he sam e effect . Som e wireless LAN syst em s m ay also at t em pt t o capt ure client associat ion request s by t rapping devices associat ing wit h rogue client s on t o a capt ive net work t o prevent dam age. To handle st at ions t hat are already associat ed wit h a rogue AP, Dissasociat ion and Deaut hent icat ion m essages can be used, as shown in Figure 22- 5 ( b) . These m essages are not signed, which will allow t he net work infrast ruct ure t o kick client s off of rogue net works. Using m essages t hat are t ransm it t ed in response t o client com m unicat ions is not foolproof. Due t o m ult ipat h coverage, and t he placem ent of infrast ruct ure devices in relat ion t o t he client s, it is not always be possible t o see all com m unicat ions init iat ed on behalf of rogue- at t ached client s. Som e devices will sim ult aneously send spoofed Deaut hent icat ion m essages from t he client addresses t o access point s t o force access point s t o drop t he connect ions of rogue associat ed client s. Som e wireless LAN m anagem ent syst em s m ay offer capabilit ies t hat can furt her lim it t he dam age from rogue APs. I f client s associat ed t o rogue APs can be ident ified, a wireless LAN m anagem ent syst em could, in t heory, t ake act ion on t he net work backbone t o lock out t he client s from net work services on t he backbone, as in Figure 22- 5 ( c) . One of t he int erest ing paradoxes of rogue suppression is t hat 802.11 net works oft en spring up in response t o t he self- det erm ined need of users t o have m obile net work connect ivit y. To ensure t hat supression devices have appropriat e coverage scope t o disable rogue net works, t here m ust be a fair

num ber of t hem . I n fact , t he num ber of 802.11 access point s required for decent rogue suppression is oft en quit e sim ilar, if not ident ical, t o t he num ber of APs required t o provide decent coverage. Providing t he desired level of supression capabilit ies oft en requires deploying enough access point s t o run a reasonable net work for t he users. One of t he reasons t hat som e access point s are becom ing 802.1X supplicant s is so t hat t hey m ust aut hent icat e t o t he net work t hem selves before providing service. Rat her t han wait for rogue APs t o pop up, an 802.1X- enabled wired net work sim ply rej ect s t hem before t hey becom e a problem .

And now, a word from your lawyers I nt erfering wit h a wireless net work t hrough rogue cont ainm ent m ay be t reat ed as net work t am pering or " hacking" under com put er crim e st at ut es. ( Please consult an at t orney who is fam iliar wit h all t he laws t hat m ay apply in your locat ion, especially since I am not a lawyer.) Equipm ent t hat is act ing t o st op rogue devices by spoofing t heir ident it y is designed t o int erfere wit h t he operat ion of t hat wireless net work. I f t he net work belongs t o a neighbor, or coffee shop across t he st reet , your act ion m ay be illegal or subj ect t o a civil act ion. To avoid creat ing m ore work for lawyers, it is an excellent idea t o ensure t hat a rogue AP is in fact connect ed t o t he net work t hat you are at t em pt ing t o prot ect before launching your count erat t ack. I f t he rogue AP is t he propert y of t he coffee shop across t he st reet , for exam ple, t he owners will alm ost cert ainly have a very st rong opinion about having t heir net work shut down. A wireless net work set up in a large building wit h m any offices m ay also have several neighboring net works which should be prot ect ed from count erm easures. ( Enabling unrest rict ed count erm easures if you rent an office next t o a law firm is probably part icularly dum b, especially if t he law firm is com put er savvy.) Recent FCC regulat ory act ions prevent propert y owners from assert ing any ownership over t he elect rom agnet ic spect rum . Therefore, it is unwise t o apply rogue count erm easures t o your t enant s or neighbors.

Chapter 23. Site Planning and Project Management Wireless LAN deploym ent is a significant undert aking part ly because t here is not a great deal of st ruct ure t o t he process, especially when cont rast ed wit h a wired LAN deploym ent . Building an Et hernet net work is st raight forward t hese days. Everybody get s a swit ched Fast Et hernet ( or fast er) port , and t here is a core swit ching locat ion t hat is built on even fast er, and possibly aggregat ed, links. For wiring, t here are a num ber of cabling firm s t hat spend a great deal of t im e pulling t he wire for net works, and enough t im e has passed so t hat t here is general agreem ent on t he principles by which wiring should be st ruct ured. I n com parison, radio net works are t he Wild West . Service qualit y from t he net work t o t he end user depends on where t he user is in relat ion t o t he closest net work elem ent , and degrades wit h dist ance. Net work capacit y m ay be based on t he sizes of coverage areas, and t he physical layout of t he building. Every building has it s own personalit y wit h respect t o radio t ransm issions, and unexpect ed int erference can pop up nearly everywhere because of m icrowave ovens, elect rical conduit s, or severe m ult ipat h int erference. To m ake m at t ers worse, t he qualit y of t he net work m edium depends not only on what you do for your wireless LAN, but also what your users do, and even what your neighbors do. When wireless LAN deploym ent is considered, you st art wit h t he obvious quest ions: " How m any access point s do I need, and where do I put t hem ?" To answer t hose quest ions, you need t o conduct a sit e survey. Sit e surveys oft en are done at t he beginning of a wireless LAN proj ect , and are usually a significant part of t he proj ect plan for t he net work. This chapt er discusses t he int ert wined nat ure of t he sit e survey and t he proj ect it self, again from a t echnical perspect ive. What do you need t o do at t he planning st age t o m ake a deploym ent successful? Planning where t o put access point s is a part of t he wireless LAN roll- out it self, so t his chapt er helps develop your deploym ent plan, including developing t he physical layout plans. The process of planning a wireless LAN breaks up int o several nat ural st ages. Gat hering requirem ent s need not be a long drawn- out process involving t he product ion of m any lengt hy docum ent s; at t he end of t he planning process, you should be fam iliar wit h t he coverage and capacit y requirem ent s of t he net work. Refining requirem ent s and t ranslat ing t hem int o a physical design consist ent wit h t he requirem ent s m ay t ake a great deal of t im e and effort at t he sit e.

Project Planning and Requirements St art planning t he wireless LAN as soon as it is clear t hat you want one. Wireless LANs are st ill an evolving t echnology, and t he sooner t he net working st aff is involved, t he bet t er it will be. I f t he wireless LAN is int ended for a new building, it would help t o involve t he net work st aff as soon as t here is a sket ch of t he basic archit ect ure of t he building, especially if t here are significant rest rict ions on t he placem ent of access point s. One inst it ut ion I worked wit h had a series of t ight aest het ic requirem ent s for APs, which forced t hem t o be next t o heavy st eel st ruct ural com ponent s, and kept behind paneling. I f t he net work t eam had been involved earlier, m ore suit able provision m ight have been m ade for AP placem ent , wit h a consequent reduct ion in t he am ount of m oney required for t he net work. Planning a wired LAN is relat ively st raight forward at t his point . Depending on t he size, it m ay require a fair degree of skill, but fundam ent ally, t he process is well underst ood. Cable- based net work m edia behave in predict able ways, and t he capacit y of fixed net works can be upgraded in a st raight forward fashion. Wireless LAN t echnology lacks t his level of m at urit y, which m akes t he planning process m uch m ore im port ant . Wireless LAN proj ect plans are oft en referred t o as sit e surveys. Sit e visit s are only one com ponent of inst alling a wireless LAN, and successful wireless LAN inst allat ions oft en require several visit s, each for different purposes. Wireless LANs being designed int o a building from t he beginning will probably require several visit s t hroughout t he const ruct ion proj ect . As always, begin planning before " breaking cable" on t he net work expansion. Sit e survey work is t he heart of inst alling a wireless LAN. To successfully run a sit e survey, t hough, preparat ion is very im port ant . Before " breaking cable" on a net work expansion, gat her t echnical requirem ent s and inform at ion t o find out which expect at ions are im port ant . Use t he following checklist t o flesh out t he net work requirem ent s; each point is det ailed furt her in a subsequent sect ion:

Throughput considerat ions How m uch t hroughput is required? This is part ly dependent on t he t ype of device t hat will be used on t he wireless LAN, alt hough if it is a PC- like device wit h t he abilit y t o display large and com plex graphics, you will want your wireless LAN t o be as fast as possible. I n m ost cases, t his will lead t o choosing 802.11a- or 802.11g- based net works t o use t he 54- Mbps physical layer.

Coverage area Where should coverage be provided? Everywhere? Som e areas are m uch harder t o cover t han ot hers. Elevat or shaft s are usually part of a cent ral building core, and very difficult t o cover. Providing coverage wit hin elevat or cars t hem selves is not out of t he quest ion, but probably not feasible for m ost users.

User densit y I n addit ion t o where t he users are locat ed, you will need t o pay at t ent ion t o t he num ber of t hem . Users m ay gat her m ore closely in public spot s, such as conference room s, lobbies, and t he cafet eria.

Mobilit y The days in which wireless LANs were a cool new t echnology populat ed by power users is long gone. A few years ago, it m ay have been accept able during a t ransit ion phase t o have t he net work m erely facilit at e aut om at ic reconfigurat ion. As wireless LANs becom e m ore m at ure, however, archit ect s m ust design net works t hat reflect t he ideal of cont inuous connect ivit y t hroughout t he coverage area.

User populat ion How m any people will use t he wireless net work, and what qualit y of service do t hey expect ? As always, be sure t o allow for growt h!

Physical considerat ions Will new net work cabling be needed t o supply t he wireless LAN backbone, or can you m ake do wit h exist ing cabling? How will t he new access point s be powered? Can t he access point s and ant ennas be inst alled in t he open or m ust t hey be hidden?

Aest het ic considerat ions To what ext ent m ust t he wireless LAN hide from public view? I s it accept able t o see t he access point s, or do t hey need t o be hidden?

Logical net work archit ect ure I n m ost cases, t he logical archit ect ure needs t o support an I P address block across t he ent ire area of cont iguous coverage. Different users m ay be present ed different I P addresses in som e of t he logical net work archit ect ures from Chapt er 21. Wit h t he recent developm ent of t he t echnology, it is no longer necessary t o t ailor m obilit y areas based on I P addressing archit ect ure.

Applicat ion charact erist ics Are any applicat ions sensit ive t o high or variable delays? Do any applicat ions provide t im ecrit ical dat a?

Securit y requirem ent s

Before deploym ent , you will want t o design a net work t hat can address m any of t he securit y concerns discussed t hroughout t his book, as well as provide a robust environm ent t hat supplies som e defense against t he possibilit y of fut ure at t acks. Securit y issues and archit ect ure were discussed in t he previous t wo chapt ers.

Sit e environm ent al considerat ions A num ber of fact ors can affect radio propagat ion and signal qualit y. Building m at erials, const ruct ion, and floor plan all affect how well radio waves can m ove t hroughout t he building. I nt erference is a fact of life, but it is m ore pronounced in som e buildings t han in ot hers. Tem perat ure and hum idit y have m inor effect s. Early sit e visit s can assist in ant icipat ing several fact ors, and a det ailed sit e survey can spot any real problem s before inst allat ion begins in earnest .

Proj ect m anagem ent As wit h m any ot her proj ect s, drawing up a schedule and budget is a necessary com ponent . This chapt er does not provide any guidance on nont echnical fact ors because t hey are oft en organizat ion- specific.

Network Requirements Like any ot her net work t echnology, before deploying a wireless LAN, you m ust answer t hree quest ions: " where?" , " how fast ?" , and " what can I spend?" Typically, t he cost is specified independent ly t hrough a budget process, and what t he archit ect is t rying t o do is achieve t he best possible LAN service wit hin t hat const raint . The where in building an 802.11 net work is t he set of locat ions where radio service will be provided. I t is usually desirable t o have coverage everywhere, but m any proj ect s st art as scaled- down deploym ent s for conference room s and public spaces only t o hold down cost . The how fast refers t o t he capacit y of t he radio net work. Wireless LAN client speeds depend on dist ance from t he access point and t he num ber and t ype of obst acles bet ween t he access point and t he client . Building a high- t hroughput requires at t ent ion t o det ail t o m inim ize t he average dist ance of a client from it s nearest AP. I n som e physical spaces, t he environm ent can obst ruct radio waves t o such a degree t hat a large num ber of APs are required sim ply t o achieve coverage. Net work archit ect s need t o opt im ize bet ween t he t rio of variables t o get t he right net work. I n som e environm ent s, t he physical design of t he building prevent s radio propagat ion, so t he net work will need t o have a sm aller foot print and less capacit y. Or perhaps t he cost is lim it ed and t he obj ect ive will be t o design as large a net work t hat m eet s som e m inim um capacit y specificat ion. I n rare cases, t he net work m ay even be designed around t ot al coverage at high capacit y, and cost is allowed t o be very high. Opt im izing bet ween t he t hree design fact ors is a cont inuous process t hat m ust occur on a regular basis. As a wireless net work grows in popularit y, t he net work will have t o grow wit h it . I nit ial lim it ed- area deploym ent s will probably need t o give way t o wall- t o- wall coverage. Net works designed for coverage only and based purely on a sparse AP layout t o keep cost s low m ay need t o m ove t o a higher- capacit y deploym ent t o accom m odat e addit ional dem ands for capacit y t o serve users, or an increased num ber of users. Finding t he balance bet ween t he t roika of dem ands is t he art of building a wireless net work. Fort unat ely, t here are a num ber of t ools available t o help m ake decisions bet ween t rade- offs.

Coverage Requirements All net works cover som e area. Wired net works get coverage t hrough net work port s placed t hroughout t he facilit y. To get net work coverage, you pull wire and drop in port s. Wireless net works approach coverage planning in a different way because t he physical net work m edium spreads out t hrough space and can penet rat e walls. Get t ing a handle on how radio waves propagat e t hrough your space is key t o underst anding how t o cover a net work. The first quest ion t o answer is where coverage will be provided. Are you blanket ing t he whole building or cam pus, or j ust put t ing wireless in select areas? I t is oft en com m on t o st art wit h a pilot deploym ent t hat covers a sm all area while get t ing fam iliar wit h t he t echnology. I n m any cases, t he pilot deploym ent will cover t he I T workspace, t hough it is also quit e com m on t o provide coverage for public areas such as lobbies or conference room s. " Ubiquit ous" is a popular word for t hose who are specifying wireless LAN coverage requirem ent s, alt hough it can be a horrific word for t hose who have t o fulfill t hem . Does t hat m ean t hat every square inch of t he building m ust be covered? I s it really necessary t o have high- qualit y coverage in, say, t he rest room ? For public buildings, should escape rout es be covered? The num ber of access point s required t o cover an indoor area m ay depend on several fact ors. First ,

t here is t he m at t er of building const ruct ion. More walls m ean m ore m at erial blocking radio waves, and hence m ore access point s will be required. Different t ypes of m at erial also affect RF in different ways. For a given m at erial, t hicker walls cause great er signal loss. Signal power is dim inished, or at t enuat ed, m ost by m et al, so elevat or shaft s and air duct s cause significant disrupt ion of com m unicat ions. Tint ed or coat ed windows frequent ly cause severe disrupt ion of radio signals. Som e buildings m ay have m et al- coat ed ceilings or significant am ount s of m et al in t he floor. Wood and m ost glass panes have only sm all effect s, alt hough bullet proof glass can be quit e bad. [ * ] Brick and concret e have effect s som ewhere bet ween m et al and unt reat ed plain glass. [*]

Bulletproof glass is far more common than one might otherwise assume.

The second m aj or fact or is t he desired speed. Sim ply providing som e wireless LAN access t hroughout an area is different from requiring a cert ain dat a rat e. 802.11a has speeds t hat go from 6 Mbps t o 54 Mbps, and t he coverage provided at t he slower speed will be m uch larger. Building a net work t hat support s t he 54 Mbps dat a rat e everywhere will require m any, m any m ore access point s t han a net work t hat sim ply provides som e 802.11 access everywhere. Figure 23- 1 is an at t em pt t o show how t he dist ance/ dat a rat e t rade- off com pares for t he t hree m aj or 802.11 physical layers. Higher dat a rat es do not t ravel as far. Figure 23- 1 is based on t heoret ical calculat ions of free- space loss. I t shows t he relat ive dist ance at which different speeds are available for 802.11a, 802.11b, and 802.11g. For t he calculat ion, I have assum ed a t ypical t ransm ission power ( 20 dBm or 100 m W for 802.11b/ g, and 11 dBm for 802.11a) and t hen calculat ed t he dist ance at which t he power would drop t o t he radio sensit ivit y for each speed. For t ypical sensit ivit y, I used t he det ailed specificat ions t hat Cisco m akes available for t heir a/ b/ g card. Range is shown relat ive t o t he m inim um range, which is t he t op operat ional rat e of 54 Mbps for 802.11a.

Figu r e 2 3 - 1 . Re la t ive r a n ge com pa r ison of fr e e spa ce loss

To m eet a perform ance t arget , it m ay be necessary t o have a lot of of overlap bet ween adj acent APs. I f t he goal is t o have high- speed coverage t hroughout an area at , say, 36 Mbps, t he range of t ransm issions at lower speeds will significant ly overlap. Planning for som e overlap t o ensure handoff

while m inim izing t he am ount necessary t o preserve opt im um perform ance is a delicat e t rade- off in t he design of a wireless LAN. A final fact or t o consider when designing coverage is t he obj ect ive of your net work. A radio will have a cert ain coverage area, but t he area covered by it s t ransm issions and t he area covered by it s recept ion m ay be different . I n general, t he lat t er is a m uch larger area, especially if you are not using t he m axim um t ransm ission power t he AP is capable of. One of t he advant ages of deploying a dense net work wit h relat ively low power is t hat t here is a great deal of overlap in t he recept ion areas. Any unaut horized APs t hat are deployed by t he user com m unit y will be det ect ed by several of t he APs in your net work, which will enable m ore precise locat ion. Out door coverage is subj ect t o a different set of t rade- offs and engineering requirem ent s t han indoor coverage, and is generally only a concern in m ild clim at es where users are likely t o be working out side on a regular basis. [ * ] Cert ain t ypes of applicat ions are also suit ed t o com bined indoor/ out door coverage; for exam ple, airport s m ay wish t o provide out door access t o t he airlines at t he curb for skycap equipm ent . Placing equipm ent out doors is oft en a challenge, in large part because it m ust be weat herproofed, and t here are a num ber of environm ent al and safet y rules t o com ply wit h. Any out door equipm ent should be st urdy enough t o work t here, which is largely a m at t er of wat erproofing and weat her resist ance. One solut ion is t o inst all access point s inside and run ant ennas t o out door locat ions, but ext ernal ant enna cables t hat are long enough are not always available, and in any case, t he cable loss is oft en severe. Many vendors will have weat herproof enclosures on t heir price list , especially if t hey have sold equipm ent t o a large com bined indoor/ out door inst allat ion. [*]

This chapter does not discuss the use of point-to-point 802.11 links; obviously, they are outdoor links that may be used yearround in any climate.

Weat herproof enclosures m ay be subj ect t o som e addit ional safet y requirem ent s. I nt ernat ional Elect rot echnical Com m ission ( I EC) St andard 60529 has t est procedures t o rat e enclosures on prot ect ion against wat er and debris. I n t he Unit ed St at es, enclosures m ay also be subj ect t o t he Nat ional Elect ric Manufact urer's Associat ion ( NEMA) St andard 250.

Coverage and physical installation restrictions Part of t he end- user requirem ent is a desired coverage area, and possibly som e physical rest rict ions t o go along wit h it . Physical rest rict ions, such as a lack of available elect rical power and net work connect ions, can be m undane. Som e inst it ut ions m ay also require t hat access point s and ant ennas are hidden; t his m ay be done t o m aint ain t he physical securit y of t he net work infrast ruct ure, or it m ay be sim ply t o preserve t he aest het ic appeal of t he building. I t is oft en desirable t o m ount access point s as high as possible. Just like scout s who t ry t o seize t he high ground for a bat t lefield, APs work best when t hey are above t he t ypical obst ruct ions t hat live on t he floor. By m ount ing t hem above cubicles and ot her obj ect s, it is oft en possible t o m ake t heir signals go fart her m ore reliably. Som e access point s have m ount ing kit s t hat enable t hem t o at t ach t o walls, or even t he suspension bars for t he dropped ceiling t ile. Ot her vendors will recom m end inst alling t he AP above t he ceiling t iles and using an unobt rusive ext ernal ant enna t hrough t he ceiling t ile. Ceiling t ile vendors are even get t ing int o t he m arket by producing ceiling t ile panels wit h int egrat ed ant ennas. [ ] [

]

See, for example, the Armstrong i-ceilings tile at http://www.armstrong.com/commceilingsna/article7399.html.

Many com m ercial buildings use " dropped" ceilings, where t he ceiling t ile is suspended from t he act ual ceiling. Net work wiring and elect rical cables are placed above t he ceiling t ile, along wit h air duct s. I n som e buildings, t he area bet ween t he ceiling and t he ceiling t iles m ay be used as part of t he building's air- handling syst em . Safet y st andards dict at e t hat if obj ect s are placed in t he air- handling

spaces ( plenum s) , t hey m ust not endanger t he building's occupant s. I n case of fire, one of t he biggest dangers t o people inside t he building is t hat t hick black sm oke m ay obscure vision and ot herwise obst ruct at t em pt s t o escape. I f an obj ect in t he air syst em were t o st art giving off sm oke, t he sm oke would be circulat ed t hroughout t he building. To prot ect people inside buildings, t herefore, t here are specific safet y st andards on how fire- ret ardant equipm ent placed in plenum s m ust be. I f you wish t o m ount wireless LAN equipm ent above t he ceiling, ensure t hat t he com ponent s placed above t he ceiling are plenum - rat ed. I n addit ion t o t he APs, t his would include any support equipm ent m ount ed up above t he ceiling as well. Power inj ect ors are oft en not plenum - rat ed because t hey can usually be locat ed safely in wiring closet s. Any cables used above t he ceiling t ile alm ost cert ainly need t o be plenum - rat ed. Plenum safet y st andards are developed by Underwrit ers Laborat ories and published as UL st andard 2043. UL also t est s product s for conform ance t o t he st andard and cert ifies t hose t hat pass.

Performance Requirements Coverage is not t he end of t he st ory in wireless LAN design. When operat ing under net work load, access point s act like hubs. For a given coverage area, t here is a fixed am ount of radio capacit y. An 802.11b access point can m ove about 6 Mbps of user dat a t o t he edge of it s coverage range. The physical m edium in 802.11 net works is inherent ly shared. A lone user connect ed t o an access point will be able t o obt ain speeds of about 6 Mbps because t here will be no congest ion window backoff. As m ore users are added t o t he net work, t he sam e 6 Mbps m ust be divided am ong t he users, and t he prot ocol m ust work t o fairly ( or unfairly, as users are sure t o cont end) allocat e t ransm ission capacit y bet ween st at ions. For a net work built t o serve users, coverage and qualit y are an inherent t rade- off. I t is possible t o use fewer access point s by at t aching high- gain ext ernal ant ennas, but t he capacit y is shared over larger areas. There is not hing inherent ly wrong wit h large coverage areas, especially if t he user densit y is not high. Som e deploym ent s m ay use a single access point wit h an ext ernal ant enna t o creat e a huge coverage area because t he dem and for net work capacit y is not very high at all. Many K- 12 schools wit h only a few users fall int o t his cat egory, which is represent ed by t he left - hand side " coverage" pict ure in Figure 23- 2. On t he ot her hand, a net work wit h lot s of users m ay wish t o use m any sm all coverage areas. Net work engineers will som et im es borrow a t erm from cellular t elephony and refer t o such a net work as having " m icrocells." Wit h sm aller areas, any given access point is likely ( alt hough not guarant eed) t o have fewer users t han t he large- coverage- area case. I n Figure 23- 2 , t he right - hand side pict ure has divided t he sam e area int o t hree separat e subareas. As a result , each AP handles a sm aller num ber of st at ions and t he per- st at ion t hroughput is likely t o be bet t er.

Figu r e 2 3 - 2 . Cove r a ge / qu a lit y t r a de - off

One m et ric t hat m ight be useful in evaluat ing your needs is t ot al area t hroughput ( or, it s close relat ive, t hroughput per unit of area) . Bot h net works in Figure 23- 2 cover t he sam e area. However, wit h t hree access point s, t he net work on t he right provides t hree t im es as m uch t hroughput . Not all net works need high t ot al area t hroughput , at least init ially. When t he wireless LAN proves popular, and t he 5 users shown in Figure 23- 2 becom e 10, 15, or even 50 users, t he t ot al area t hroughput m ay need t o be furt her increased. How m uch capacit y should be reserved for each user? One answer is t o undert ake a det ailed st udy of net work applicat ions and perform ance requirem ent s, and t o design t he net work appropriat ely. I n t he real world, however, m ost net works seem t o operat e on a Schrodinger's Cat sort of principle: as long as packet s are m oving, t he net work is working; if we were t o inquire t oo deeply about it s operat ion, it m ight cease t o funct ion. Generally speaking, m ost wireless net work proj ect s are st art ed wit h only t he vaguest idea of required applicat ion support , ot her t han perhaps t hat " it should feel som et hing like a wired connect ion." I n t he absence of any count ervailing dat a, I advise t o plan for at least 1 Mbps for each user. 802.11a and 802.11g net works allow planning for higher rat es per user, especially if you m ake aggressive assum pt ions about t he burst iness of t raffic.

Exploring the coverage/quality trade-off and total area throughput Under load, an access point will act like a hub, sharing capacit y bet ween users t hroughout it s coverage area. Net works built using large AP coverage areas are generally cheaper t o build because t hey use fewer access point s, but t hey m ay have poor service qualit y due t o lower aggregat e capacit y. When each AP is responsible for providing connect ivit y in a large area, t here is also a higher likelihood t hat st at ions far t he edge of t he net work will com m unicat e using slower speeds. One way of m easuring t he qualit y of coverage is t o consider t he t ot al aggregat e t hroughput available t o t he service area, which is in m any ways a reflect ion of t he densit y of t he access point s. All ot her t hings equal, m ore access point s m ean t hat t here is m ore radio capacit y. Figure 23- 3 shows t hree net works. On t he left , t here is a net work wit h one access point . I t is capable of offering up t o, say, 30 Mbps of user payload dat a t o client s in t he service area. I n t he m iddle, t here is a net work built wit h t hree access point s, operat ing on lower power. By separat ing t he coverage area int o independent radio cells, m ore t hroughput is available. Roughly speaking, t here will be 90 Mbps available t o serve client s. Finally, in t he net work on t he right , t here is a single access point wit h a sect orized ant enna, which act s like t hree com bined direct ional ant ennas. I n som e im plem ent at ions, each sect or is assigned it s own channel, which also reduces t he num ber of collisions bet ween st at ions at t em pt ing t o t ransm it . Done in t he m ost sophist icat ed m anner, each channel on t he sect orized ant enna will act like an independent access point , and t he aggregat e t hroughput available t o client s

will be 90 Mbps. Throughput qualit y m ay also be m easured in t erm s of m egabit s available per square foot of service area, which is consist ent wit h t he t ot al t hroughput available t o t he service area.

Figu r e 2 3 - 3 . Tot a l a ggr e ga t e se r vice a r e a t h r ou gh pu t illu st r a t ion

I n t he Et hernet world, Et hernet swit ches increase net work t hroughput by reducing t he cont ent ion for t he m edium . Any approach t o increasing t he capacit y of a wireless net work t akes t he sam e qualit at ive approach. By shrinking t he coverage area associat ed wit h any given access point , m ore access point s can be deployed in a single service area. Alt hough t here is a great deal of hype about so- called " Wi- Fi swit ches," t hey all share a relat ively sim ple design principle. Net work m anagem ent is harder when t here are m ore elem ent s in t he net work, so use aggregat ion devices t o concent rat e t he com plexit y in a few spot s where it can be dealt wit h, rat her t han scat t ered across t he net work. Coverage area and coverage qualit y are an inherent t rade- off in wireless LANs. I ncreasing t he qualit y requires decreasing t he coverage of each access point .

Client limitations One of t he m aj or challenges for t he indust ry is t hat a great deal of 802.11 operat ions are in cont rol of t he client m achine and it s soft ware, and t his m ay lead t o pat h dependencies and hyst eresis in t he behavior of client s. Nearly all of t he " int erest ing" prot ocol operat ions t hat support m obilit y are in t he hands of client s. Client soft ware decides when t o roam , how t o scan for a new access point , and where t o at t ach. Different m achines on t he sam e net work m ay behave different ly because 802.11 does not specify an algorit hm for deciding when t o roam or how t o select access point s. Wit h so m uch of t he prot ocol usage up t o client im plem ent at ion, yet unspecified by any st andard, t he behavior of client s is oft en a m yst ery. As a dem onst rat ion, get t hree lapt op com put ers, add 802.11 int erfaces, and roll t hem around your net work on a cart . The t hree com put ers will m ove bet ween access point s at different t im es, and generally exhibit different behavior. Fut ure st andards, especially t he fort hcom ing 802.11k, should help im prove t he qualit y of roam ing decisions. Take, for exam ple, t he case of a client deciding where t o associat e wit h t he net work. I n m ost cases, client s will do a relat ively int elligent scan when t hey are first act ivat ed, and choose t he access point wit h t he st rongest signal. For m any cards, int elligence ends t here. They will cont inue t o hang on t o t hat first access point for dear life, even t o t he exclusion of m uch bet t er access point s t hat are

nearby. Losing t he signal is t he only t hing t hat forces m any cards t o roam . This behavior is oft en called t he bug light problem because t he client resem bles a m ot h ent ranced by a flam e, unable t o m ove away. Bug light client s are part icularly bad for t hroughput . As t hey st ray far from t heir point of init ial connect ion, t hey drop t o slower speeds t o st ay connect ed. Not only does t his sap t he far- ranging client of speed, but it also dram at ically reduces t he t hroughput available t o ot her client s on t he sam e access point . A m axim um - size net work payload of 1,500 byt es encapsulat ed in an OFDM PHY ( 802.11a or 802.11g) requires a m uch great er t ransm ission t im e at slower speeds. To illust rat e t he ext rem es, t he m axim um size fram e at 54 Mbps requires 57 dat a sym bols and 248 m icroseconds t o t ransm it . At 6 Mbps, however, it requires 512 dat a sym bols for a t ot al t im e of 2,068 m icroseconds, or slight ly m ore t han 8 t im es longer. The slower t ransm ission rat e robs ot her client s of t he abilit y t o t ransm it for 1,800 m icroseconds. Leaving so m uch of t he overall prot ocol operat ion in t he hands of t he client lim it s t he abilit y of t he net work infrast ruct ure t o do t he " best " t hing under som e circum st ances. Cellular net works, for exam ple, have t he abilit y t o direct a m obile t elephone t o a t ower wit h m ore capacit y. Wireless LAN prot ocols do not yet have t hat abilit y. Many vendors of wireless LAN syst em s have im plem ent ed " AP load balancing" capabilit ies t hat claim t o give net work adm inist rat ors t he abilit y t o co- locat e t wo access point s in close proxim it y t o increase overall net work capacit y in t hat locat ion. A com m on approach is t o m onit or eit her t he num ber of associat ions on each access point , or t he am ount of t ransit t raffic t hrough each access point , and carefully disassociat e act ive client s on a loaded access point t o encourage t hem t o m ove t o an unloaded AP. Wit hout any client cooperat ion, it is difficult t o achieve t he opt im al balancing because m ost client s will t end t o go right back t o t he AP t hey were init ially associat ed wit h. Roam ing is always and everywhere a client - driven phenom enon. Wit h t he decision in t he hands of client soft ware, t here is only so m uch t hat net work equipm ent can do t o im prove t he user experience.

Realistic throughput expectations As m ore users are added t o a wireless LAN, t he net work's capacit y is divided bet ween m ore users and t hroughput suffers. For net works using t he dist ribut ed coordinat ion funct ion ( DCF) , a pract ical rule of t hum b is t o expect 50- 60% of t he nom inal bit rat e in order t o t ake int o account t he overhead from elem ent s such as int erfram e spacing, t he pream ble and fram ing headers. Net work prot ocols add addit ional overhead for net work- layer fram ing and ret ransm ission. An addit ional problem t hat m ost net work prot ocols will im pose is t hat reliable delivery assum es t hat t here will be a t ransport layer acknowledgm ent of t ransm issions. Every TCP segm ent m ust be acknowledged ( t hough not necessarily individually) , and t he TCP acknowledgm ent s m ay collide wit h addit ional segm ent s in t ransm ission. [ * ] Table 23- 1 shows a rough rule of t hum b for t he net work capacit y of an access point . [*]

One estimate I have heard is that you should expect about 10% of frames to be retransmitted if TCP/IP is used as the network and transport protocol combination.

Ta ble 2 3 - 1 . Ru le of t h u m b ca pa cit y for diffe r e n t 8 0 2 .1 1 t e ch n ologie s Te ch n ology

Appr ox im a t e ca pa cit y

802.11 direct sequence

1.3- 1.5 Mbps

802.11b

6 Mbps

Te ch n ology

Appr ox im a t e ca pa cit y

802.11g, wit h prot ect ion

15 Mbps

802.11g, no prot ect ion

30 Mbps, alt hough t his will be rare

802.11a

30 Mbps

Qualit y of service t echnologies are present ly being designed t o squeeze m ore net work capacit y, but t hey are not widely deployed. I f t he hist ory of QoS is any guide, t here will be a great deal of t alk, followed by st andards t hat very few people use.

Faster to the Future: 802.11n and beyond Where do you go past 54 Mbps? Once t he st andards for 802.11a and 802.11g were finished, and product s st art ed appearing on t he m arket , t he quest ion of t he next leap st art ed t o arise. I n 2003, t he I EEE 802.11 working group form ed a high- t hroughput st udy group t o st udy ways t o increase t he speeds of wireless LANs st ill fart her. Task Group N ( TGn) is working on a specificat ion t hat will offer a net t hroughput , aft er subt ract ing prot ocol overhead, in excess of 100 Mbps. The t ask group's goal is t o beat 100 Mbps, and it looks likely t hat t he goal will get blown out of t he wat er. There are t wo com pet ing proposals in t he t ask group right now; bot h are described in Chapt er 15. Bot h use m ult iple- input / m ult ipleout put ( MI MO) t o achieve higher rat es. Roughly speaking, one proposal works t o dram at ically increase t he peak dat a rat e as m uch as possible, while t he ot her keeps t he peak rat e relat ively low and focuses on increasing t he efficiency of t he radio link.

Number of users per access point When you are planning a net work, you m ust also ask how m any users can be at t ached t o an access point . 802.11 lim it s t he num ber of associat ed st at ions t o 2,016, which is for all pract ical purposes an infinit e lim it . Pract ical considerat ions dict at e t hat you lim it t he num ber of users per AP t o som et hing m uch, m uch sm aller. 6 Mbps is a reasonable assum pt ion for t he user payload t hroughput of 802.11b. To engineer a net work speed of 1 Mbps for each user, it would at first appear t hat only six users could be support ed on an 802.11b access point . However, net work t raffic is burst y, so t here is a nat ural oversubscript ion t hat can be built int o any assum pt ions about t raffic pat t erns. Engineering 1 Mbps for each user can be done by assum ing t hat t here are som e t im es when users will be idle. I have generally found t hat a rat io in t he neighborhood of 3: 1 t o 5: 1 will be reasonable. Given t hat rat io, an 802.11b access point can support approxim at ely 20 t o 30 users. However, t he num ber of users per access point does not get m uch bet t er if you go t o 802.11a or 802.11g. Speed depends on dist ance in 802.11. As st at ions get fart her from an AP, t hey will fall back t o m ore robust but slower encoding m et hods for t ransm ission. The higher speeds of 802.11a and 802.11g are available only relat ively close t o t he AP, so t he 20- 30 user per AP num ber rem ains reasonable. I f you are using applicat ions t hat are highly sensit ive t o net work charact erist icsfor exam ple, voice t raffic ( VoI P) - - t he num ber of st at ions per access point m ay be even lower. Wireless net works do not

yet have sophist icat ed qualit y of service priorit izat ion, and m ust rely on t he m edium it self t o arbit rat e access bet ween st at ions. Voice t raffic and dat a t raffic are at odds wit h each ot her. Dat a t hroughput is highest when t he m edium is sat urat ed and t he AP t ransm it queue is pum ping out dat a as fast as possible. Voice fram es need t o be delivered on t im e, and queues need t o rem ain relat ively free t o accept high- priorit y fram es for im m ediat e delivery. Voice t raffic, whet her run direct ly on t he 802.11 link layer or over I P, is highly sensit ive t o delay and j it t er. To avoid unnecessary delay in fram e delivery, you m ay need t o rest rict t he num ber of voice handset s even furt her, down t o 8- 10 handset s per AP, unt il t he arrival of bet t er QoS t echnology.

Mobility Requirements The days in which wireless LANs were a cool new t echnology populat ed by power users is long gone. A few years ago, it m ay have been accept able t o have t he net work m erely facilit at e aut om at ic reconfigurat ion as users m oved from one locat ion t o anot her. As wireless LANs have becom e m ore m at ure, however, users have com e t o expect net works t hat reflect t he ideal of cont inuous connect ivit y, regardless of physical locat ion or t he convenience of local at t achm ent point s. Cont inuous coverage and seam less roam ing should be t he norm t hroughout a cam pus environm ent . Users m ay m ove t hroughout a cam pus in unpredict able ways, while expect ing t hat t he net work will j ust run and support t heir connect ion. Generally speaking, users expect t hat any j ourney not involving m ot orized t ransport should be support ed by t he wireless LAN. I n designing coverage for an ent ire cam pus, you m ay need t o engineer t he net work so t hat users can cross rout er boundaries while ret aining t heir addresses, t ypically t hrough som e form of t unneling. Different wireless LAN archit ect ures will accom plish t he t unneling in different ways. For a det ailed discussion, see Chapt er 21 .

Network Integration Requirements There are t wo com ponent s t o net work planning. The first , physical int egrat ion is largely legwork. I n addit ion t o t he building m ap, it helps t o obt ain a physical net work m ap, if one exist s. I t is m uch easier t o inst all wireless LAN hardware when no expensive and t im e- consum ing wiring needs t o be done. Knowing t he locat ion and cont ent s of all t he wiring closet s is an im port ant first st ep. The second st ep, logical int egrat ion, consist s of hooking your wireless LAN up t o t he exist ing net work.

Physical integration Physical int egrat ion consist s of get t ing t he at om s in t he right places. APs need t o be m ount ed according t o your plan, and cabled appropriat ely. Connect ing new devices t o t he net work probably requires new cabling if you are concerned wit h aest het ic appearance. I f not , you can run pat ch cords from exist ing j acks t o t he AP locat ions. Depending on t he product and archit ect ure you choose, t he cable m ay be at t ached t o an AP cont roller, a special wireless VLAN, or t he net work t hat exist s in t he closet . I n addit ion t o supplying connect ivit y, you m ust power up t he APs. I t is possible, t hough unlikely, t hat you will power APs direct ly at service locat ions. Many ent erprise- grade APs are designed t o draw power from t he Et hernet cable prim arily, and m ay not even offer t he opt ion of an ext ernal power supply. ( Som e APs t hat offer t he opt ion of an ext ernal power supply draw 48 volt power from t heir power cords, which indicat es t hat t he power circuit ry was designed t o operat e at PoE volt ages.) Your swit ch vendor m ay offer power over Et hernet , but you need t o check and be sure it is com pat ible. The surest guarant ee of power com pat ibilit y is com pliance wit h 802.3af, but you m ay have prest andard product s t hat are vendor- propriet ary. I f you need t o add power t o t he wiring closet , you

can purchase t hird- part y power inj ect ors.

Logical integration Before at t em pt ing t he logical int egrat ion of your wireless LAN, you m ust first select it s archit ect ure ( see Chapt er 21) . Different archit ect ures will have different int egrat ion requirem ent s. Generally speaking, t hough, you will need t o connect at least one net work t o t he wireless LAN. Dynam ic net work assignm ent based on AAA m ay require connect ing m ore t han one net work. For t he m ost part , t hese net works will be I P net works. However, in som e cases, t here m ay be legacy net working prot ocols t hat also need support over t he wireless LAN. The second com ponent of net work planning is t hinking about changes t o t he logical net work. How will m obile st at ions be addressed? I f all wireless st at ions will use a single I P subnet , you need t o allocat e I P address space and ensure it is correct ly rout ed t o t he wireless subnet . As you allocat e new address space, ensure t hat you leave sufficient ext ra space for all t he access point s as well as any support devices. Do not succum b t o t he t em pt at ion t o use address t ranslat ion. Alt hough m any applicat ions work t hrough NAT, it is a pot ent ial disrupt ion t o fut ure applicat ions t hat are not NAT- aware. I t m ay also break applicat ions t hat were writ t en before NAT was com m onplace. As part of t he net work expansion, you will need t o add access point s. They will probably need I P addresses. I f t hese addresses are being assigned t hrough DHCP, you will probably want t o configure your DHCP server t o give each access point an assigned address rat her t han random ly fishing from an address pool. I f t he access point s connect t hrough an I P t unnel back t o a cent ralized cont roller, you m ay need t o configure filt ering rules t o allow t he com m unicat ion t hrough, as well as configuring t he t unnel on bot h t he AP and cent ralized device.

Physical Layer Selection and Design Select ion of t he 802.11 physical layer is t ypically driven by user requirem ent s rat her t han t he physical design. I n m ost cases, it is also driven by t he need t o build t he fast est net work possible, at least when next t o an access point . Choosing a physical layer is a m at t er of engineering. None of t hem are inherent ly superior t o t he ot hers. I n choosing a physical layer, you are t rading off m any different fact ors. I n a nut shell, t he 2.4 GHz I SM band is less affect ed by obst acles, so 802.11b/ g signals will t ravel fart her. However, backwards com pat ibilit y can lim it t hroughput , and it difficult t o lay out a net work wit h only t hree channels. Furt herm ore, m any devices use t he 2.4 GHz I SM band, and it is likely t hat t here will be som e sort of int erference from a Bluet oot h device, 2.4 GHz cordless phone, X10 video cam era, or som e sim ilar widget . I f not , t he use of only t hree channels will be lim it t hroughput as t he channels overlap wit h each ot her. 802.11a is ideally suit ed for high- densit y, highcapacit y net works because it does not have backwards com pat ibilit y lim it at ions and t he radio spect rum is m uch larger. Table 23- 2 shows a com parison bet ween 2.4 GHz and 5 GHz 802.11 net works.

Ta ble 2 3 - 2 . Qu ick r e fe r e n ce com pa r ison be t w e e n 2 .4 GH z a n d 5 GH z 8 0 2 .1 1 n e t w or k s 8 0 2 .1 1 b/ g ( 2 .4 GH z)

8 0 2 .1 1 a ( 5 GH z)

Per for m ance ( t hroughput ) per AP

Low for 802.11b; 802.11g m ay vary from m edium t o high

Highest t hroughput per channel

Pot ent ial perform ance per unit area

Lowwit h only 3 or 4 channels, channel overlap and int erference is pract ically guarant eed

Highgreat er num ber of channels m eans less self- int erference bet ween net work elem ent s

Range

Lower frequency has longer range

Worsefree- space loss of higher frequencies is higher

I nt er fer ence

Many ot her uses of frequency band

Frequency used by m any fewer dev ices

Very lim it ed channel select ion leads t o lot s of co- channel int erference Backwards Com pat ible wit h 802.11 direct com pat ibilit y wit h older sequence and 802.11b hardware har dw ar e

More channels m ake layout easier, especially in t hree dim ensions None

One of t he ways t o ease t he pain of large- scale wireless LAN deploym ent s is t o aut om at e as m uch as possible. Several product s offer t he abilit y t o aut om at ically lay out channels. One m aj or channel layout approach is based on physical m easurem ent s. Net work adm inist rat ors place access point s based on expect ed user densit y, m ount ing convenience, and environm ent al const raint s. When t he net work is powered on, t he APs com m unicat e wit h each ot her t hrough a wired net work t o select t he opt im um channel assignm ent . Som e product s cont inuously m onit or t he radio space t o adj ust t he channel set t ings dynam ically in response t o environm ent al changes. The m aj or alt ernat ive t o physical m easurem ent s is based on virt ual m odeling of a building. When creat ing a virt ual m odel of t he

building, channels can be assigned based on calculat ions wit h t he m at hem at ical m odel t o m inim ize int erference. As wit h m ay ot her aspect s of wireless LAN design, m any product s com bine bot h t echniques.

2.4 GHz (802.11b/g) Channel Layout 802.11b and 802.11g share t he sam e frequency band. They are subj ect t o t he sam e regulat ory requirem ent s, and use an ident ical channel m ap ( Table 23- 3 ) . Alt hough t here are 14 channels, each channel is only 5 MHz wide. A direct sequence t ransm ission is spread across a m uch wider band t han it s assigned channel. ( See Figure 12- 5.) For best effect , you will want t o keep bot h t he first and second lobes free of int erference. I deally, t hat leads t o a 33 MHz separat ion bet ween channel assignm ent s. There is not quit e enough radio spect rum assigned t o have t hree fully nonoverlapping channels in m ost j urisdict ions. Rat her t han have t wo int erference- free channels, m ost users allow a slight degree of overlap in t he second lobe and run on t hree channels wit h at least 25 MHz separat ion; t he result ing channel set is 1, 6, and 11. This causes a sm all am ount of int erference t o each channel, but it is wort hwhile t o accept a sm all reduct ion in t hroughput per channel t o get t he t hird channel. I n som e sit uat ions, it m ay m ake sense t o perform a four- channel assignm ent ( 1, 4, 8, and 11) . [ * ] The t rade- off is t hat t he signal overlap will be m ore crowded, furt her reducing peak t hroughput . Trading peak speed for a higher t ot al area speed m ay be wort hwhile in som e circum st ances, but I have generally found t his t o be a poor t rade- off. [*]

European regulations allow the use of wider-spacing, such as 1, 5, 9, and 13 in a four-channel layout.

Ta ble 2 3 - 3 . Ra dio ch a n n e l u sa ge in diffe r e n t r e gu la t or y dom a in s Ch a n n e l n u m be r

Ch a n n e l fr e qu e n cy ( GH z)

1

2.412

2

2.417

3

2.422

4

2.427

5

2.432

6

2.437

7

2.442

8

2.447

9

2.452

10 c

2.457

11

2.462

12

2.467

13

2.472

a

US/ Ca n a da a

ETSI b

802.11 allows different rules regarding t he use of radio spect rum in t he U.S. and Canada, but t he U.S. Federal Com m unicat ions Com m ission and I ndust ry Canada have adopt ed ident ical rules.

Ch a n n e l n u m be r

Ch a n n e l fr e qu e n cy ( GH z)

US/ Ca n a da a

ETSI b

b

Not all of Europe has adopt ed t he recom m endat ions of t he European Telecom m unicat ions St andards I nst it ut e ( ETSI ) . Spain, which does not appear in t he t able, allows t he use of only channels 10 and 11. c

Channel 10 is allowed by all regulat ory aut horit ies and is t he default channel for m ost access point s when t hey are init ially powered on.

Part of t he sit e survey is t o lay out coverage areas in a way t hat m inim izes channel overlap. Ant ennas can be a valuable t ool in doing t his because t hey can t ailor t he coverage area t o fit t he shape of t he building or room . No m at t er what t ype of ant ennas you select , t here is a general pat t ern t hat can be used. The cellular- t elephone indust ry uses a hex pat t ern as t he background for a channel layout . Figure 23- 4 shows t he problem s in planning out a large coverage area. The cent er channel, in bold, is set for one of t he t hree nonoverlapping channels. I n t his case, I chose channel 1 arbit rarily. To avoid overlap, t he next set of channels around t he cent er needs t o alt ernat e bet ween t he t wo rem aining nonoverlapping channels in a circle around t he channel. Aft er assigning channels t o t he ring, successive cent er channels can be laid out . Two such focal point s are shown in Figure 23- 4 wit h cir cles. Nat ur ally, Figure 23- 4 present s a channel layout under ideal circum st ances. Wit hin a building, radio propagat ion is subj ect t o obst acles, and it is usually im possible t o avoid overlapping channels. For exam ple, t he first " ring" of channels 6 and 11 around t he out side of t he cent er channel 1 m ay very well int erfere wit h each ot her, especially if t he hexagons represent t arget operat ional rat es t hat are m uch larger t han t he m inim um .

Figu r e 2 3 - 4 . Fr e qu e n cy pla n n in g

Limitations of the 2.4 GHz channel layout The inabilit y t o perform a channel layout wit h t hree channels is not surprising. I n m at hem at ics, t he general result is known as t he Four- Color Map Theorem . Map m akers discovered in t he m id- 19t h cent ury t hat an arbit rary t wo- dim ensional m ap can be filled in wit h four colors. [ * ] Unfort unat ely, 802.11b/ g net works have only t hree non- overlapping channels. Maps where adj acent regions share a color are unsight ly. Adj acent AP coverage areas sharing t he sam e channel are not unsight ly, unless

you can see int o t he m icrowave spect rum , but t hey do suffer from t hroughput - sapping co- channel int er fer ence. [*]

The Four-Color Theorem was finally proved in 1976 with the aid of 1,200 hours of time on a Cray, and was one of the first theorems to be proved with extensive computer assistance.

I t is oft en possible t o m inim ize channel overlap by careful AP placem ent or t he use of ext ernal ant ennas, but you will have t o devot e t im e and energy t o m inim izing channel overlap. I n t hree dim ensions, it get s even harder. Radio signals m ay bleed t hrough t he floor or t he ceiling, requiring you t o lay out channels in t hree dim ensions. Even in large, open, t wo- dim ensional spaces where you would not expect an int erference problem , t here can be one. I n 2002, t he Associat ed Press ran a st ory about t he problem s of int ereference, and cit ed a neighborhood in Florida t hat had form ed it s own ad- hoc frequency allocat ion com m it t ee t o ensure t hat neighbors were using nonadj acent channels for t heir hom e net works!

5 GHz (802.11a) Channel Layout 802.11a has t wo m aj or advant ages when laying out your net work. First , t here are at least 12 channels, so channel layout is a snap. Table 23- 4 shows t he channel frequencies. Be aware t hat som e of t he first 802.11a cards t o hit t he m arket did not support t he highest frequency band, so channels 149 and up m ay not be usable wit h all cards. Eit her replace t he old cards, or rest rict t he net work t o t he eight rem aining channels. I n eit her case, wit h 8 or 12 channels, t here are m ore t han enough channels for 2- dim ensional layout s, and 3- dim ensional layout s can be t aken care of in m ost cases.

Ta ble 2 3 - 4 . a ch a n n e ls ( w it h Un it e d St a t e s r e gu la t or y n ot e s) Ch a n n e l n u m be r

Fr e qu e n cy ( GH z)

N ot e s

36

5.180

Lowest m axim um power

40

5.200

Lowest m axim um power

44

5.220

Lowest m axim um power

48

5.240

Lowest m axim um power

52

5.260

Slight ly higher m axim um power

56

5.280

Slight ly higher m axim um power

60

5.300

Slight ly higher m axim um power

64

5.320

Slight ly higher m axim um power

149

5.745

Not support ed by all cards

153

5.765

Not support ed by all cards

157

5.785

Not support ed by all cards

161

5.805

Not support ed by all cards

Mixed Channel Layouts (802.11a+b/g Networks)

Most net works are being built wit h a com binat ion of 802.11b/ g radios for com pat ibilit y wit h past hardware, while building in 802.11a for fut ure capacit y. Dual- radio APs from m any vendors are only m arginally m ore expensive t han single- radio m odels. I n m any cases, t he cost of a t ri- m ode/ dualband net work is only a few hundred or t housand dollars m ore t han t he cost of an 802.11g- only net work. Unless your budget is ext rem ely t ight , it is wort h paying for m ore t han double t he capacit y. For t he foreseeable fut ure, m ost 802.11 devices are likely t o operat e in t he 2.4 GHz band. Most chipset vendors have concent rat ed on building 802.11g devices. There are several t ri- m ode chipset s capable of support ing 802.11a and 802.11b/ g sim ult aneously, but t hey are not yet widely purchased as a built - in lapt op opt ion. When I worked on t he Supercom put ing wireless net work, we had 1,300 users at t he peak, and only about 100 were using 802.11a. As t he price of chipset s and cards cont inues t o drop, and 802.11a becom es m ore widely appreciat ed, I expect t he balance t o shift drast ically t owards 802.11a for indoor usage. I n out door environm ent s, t ransm ission range rem ains t he prim e concern. Lower frequencies t ravel m uch fart her, which will enable 802.11b/ g t o ret ain it s current dom inant posit ion.

Planning Access-Point Placement At t his point , m ost users perceive t hat wired net works j ust work. I n t erm s of product m at urit y and predict abilit y, wireless net works are a st ep backwards. Prot ocols st ill behave som ewhat unpredict ably, and t he relat ively young prot ocols will require you t o roll up your sleeves. When planning a net work, you need t o put in a great deal of work up front . Because wireless net works m ake user- locat ion t ransparent t o resources, t he net work it self m ust be aware of user locat ion. Once you have an underst anding of t he requirem ent s and which 802.11 physical layers t o use, it is t im e t o figure out where t o put t he access point s t hem selves. Depending on requirem ent s and budget , figuring out placem ent m ay be a quick and dirt y proj ect t hat t akes a few hours, or it m ay involve several visit s and a great deal of t im e and m oney. This process is oft en called a sit e survey because som e of t he work t akes place at t he locat ion where t he net work is being inst alled, but a new wave of t ools is m aking it possible t o do m uch of t he access point placem ent work wit h com put at ional m odels. Several opt ions exist for det erm ining where t o put APs. Vendors m ay provide sit e surveys t o early adopt ers who agree t o be reference account s, alt hough t he t im e t o be an early adopt er of wireless faded long before t his book hit t he press. Value- added resellers m ay also have t he skills t o perform det ailed sit e surveys; resellers m ay sell sit e survey consult ing services or use sit e surveys as a way of com ing up wit h a wireless LAN deploym ent bid. Som e com panies t hat specialize in t echnical educat ion also offer classes on perform ing sit e surveys.

The Building One of t he m aj or const raint s on where access point s are placed is how t he building is const ruct ed. Walls, doors, and windows get in t he way of radio signals. I t is a great help t o get blueprint s or floor plans and t ake a t our of t he inst allat ion sit e as early as possible. Occasionally, you m ay get t he opport unit y t o work on a building as it is being const ruct ed. Seize any opport unit y for a walkt hrough because you will get a m uch bet t er view of t he int erior st ruct ure before t he walls are up. The m ain drawback t o working wit h a building under const ruct ion is t hat experim ent s are not possible unt il t he building is finished. Once you obt ain t he floor plans, not e where coverage m ust be provided. I f t he archit ect ural plans are com plet e and include wiring inform at ion, t hey should also not e t he locat ion of nearby power and elect rical drops. You m ay also be able t o m ake a prelim inary ident ificat ion of st ruct ures t hat m ay be problem at ic, such as vent ilat ion duct s or reinforced concret e walls. Whet her or not you are using an elect ronic t ool t o aut om at e t he planning process, you should t ake a walk t hrough t he facilit y. Look for any changes t hat are not reflect ed on t he blueprint s. Verify t he t ype of const ruct ion. Unless t he building is old and hist oric, t he walls are likely t o be m ade of sheet rock hung from st uds, alt hough you can verify t his by t apping on t he walls. Ask whet her t here are any firewalls ( of t he physical sort , not t he net work sort ) , since a firewall is likely t o be a significant barrier t o RF. St ruct ural, or load- bearing, walls are also likely t o have reinforcem ent s t hat pose a significant obst acle t o radio waves. I f you m ust conceal APs in cert ain areas, invest igat e t hese areas t horoughly t o det erm ine how t o hide t hem , as well as any pot ent ial im pact t o net work operat ions. High ceilings or ot her difficult m ount ing should also be invest igat ed. During t he walkt hrough, you are likely t o receive a num ber of st range looks; j ust keep m oving. Thorough walk-

t hroughs will result in a large num ber of st range looks. Consider it a m easure of t he qualit y of t he walk- t hrough. Based on t he first walk- t hrough, not e any relevant environm ent al fact ors. Most im port ant ly, you can correct t he blueprint s based on any changes m ade t o t he st ruct ure since t he blueprint s were drawn. Many m inor changes will not be reflect ed on t he blueprint s, especially if t he building is old. Also not e any pot ent ial sources of int erference. The 2.4- GHz I SM band is unlicensed, so m any t ypes of devices using t he band can be deployed wit hout cent ral coordinat ion. Newer cordless phones operat e in t he 2.4 GHz band, as well as Bluet oot h- based devices and a num ber of ot her unlicensed radio devices. I f you ant icipat e a large am ount of int erference, t est ing t ools called spect rum analyzers can ident ify t he am ount of radiat ion in t he wireless LAN frequency band. I n pract ice, spect rum analyzers will not be necessary m uch of t he t im e unless t here is a part icularly st ubborn source of int erference. One handheld analyzer, t he Berkeley Varit ronics YellowJacket , has a built - in spect rum analyzer for t he 2.4 GHz I SM band, and can be useful in t racking down non- 802.11 int erference. I f your organizat ion does RF t est ing, it m ay be necessary t o shield any labs where t est ing is done t o avoid int erference wit h t he wireless LAN. As a rule of t hum b, keep access point s at least 25 feet away from any st rong int erference sources.

Constraints on AP placement Pract ically speaking, keeping t he APs as high as possible m eans m ount ing t hem around t he ceiling level. I n m any office buildings, t he ceiling is a " dropped" or suspended ceiling. APs m ay be at t ached t o t he ceiling m ount ing bars, or possibly placed above t he ceiling t iles. I n a pinch, it is possible t o m ount APs at t he t op of cubicles. Check wit h your m anufact urer t o see what t he radiat ion pat t ern looks like. I f an AP is designed t o send radio waves down from t he ceiling, it m ay not work as well when m ount ed on t op of cubicle part it ions. I t is relat ively com m on t o m ake adj ust m ent s t o t he AP locat ions based on physical const raint s. One of t he prim ary rest rict ions is t hat APs t ypically connect t o t he net work t hrough an Et hernet cable. [ * ] Each AP m ust be wit hin a 100- m et er cable lengt h from t he nearest wiring closet . Wit h som e flexibilit y in t he specificat ions, it is occasionally possible t o run cables slight ly longer t han t he official lim it , alt hough it is never a good idea t o rely on it . Depending on t he exact configurat ion of pat ch panels, risers, and t he cabling in t he ceiling, t he cable run t o an AP locat ion m ay be m uch larger t han it appears. [*]

A few products can use a secondary radio as a "mesh" backhaul, and I expect this option to be more common as time passes.

Elect rical power is oft en a const raint on t he AP locat ions as well. Early APs required st andard elect rical out let s, but very few organizat ions had elect rical out let s in t he ceiling. I nst alling elect rical power is generally quit e expensive. Wit h t he developm ent of 802.3af, m ost organizat ions are powering up t heir access point s over t he net work cable. Power over Et hernet ( PoE) has m any advant ages; however, t he engineering difficult y of pushing 48 volt s t hrough 100 m et ers dim inishes your abilit y t o cheat on t he cable lengt h. I t is a wort h considering inst alling new wire t o support a wireless net work, especially if t he exist ing net work j acks will not easily support t he new APs. When exist ing wiring is used, it is oft en run near t he baseboards or ot herwise less t han ideal for use wit h high- m ount ed net work devices. Running new cable has several advant ages. I t can be run direct ly t o t he area above t he ceiling where t he APs will be m ount ed, which rem oves t he need for ugly cable runs up net work poles. Older cable syst em s m ay have been inst alled before Cat egory 5 wiring was st andard, or m odificat ions m ay have degraded it s capabilit es. New cable inst allat ions also add a degree of flexibilit y. I n recognit ion of t he need t o m ove APs, som e new cable inst allat ions will t erm inat e t he cable run above t he ceiling wit h a net work j ack, allowing t he use of pat ch cables t o m ove an AP wit hin short dist ances. Depending on t he layout of t he com ponent s above t he ceiling, it m ay be hard t o run cabling near

vent ilat ion duct s, or hard t o m ount an AP near a duct . Usually, a relocat ion of t he AP t o t he next t ile over is sufficient and does not radically dist urb t he coverage of t he AP. Likewise, keeping APs away from light fixt ures, as well as t he elect rical conduit s t o t hose fixt ures, is also im port ant . A final considerat ion relat es t o physical securit y. Som e organizat ions m ay feel t he need t o secure APs against t heft . Som et im es, m ount ing APs above t he ceiling m ay be a sufficient t heft - prevent ion m easure because t he AP is hidden from view. Many APs now include securit y slot s for physical at t achm ent t o an less m ovable obj ect . [ * ] [*]

See http://www.kensington.com/html/1356.html for more information on the Kensington Security Slot, which is commonly used for this purpose.

Buildings in progress Wit h t he increasing use of wireless LANs, m any are being designed during building const ruct ion. Working wit h a building under const ruct ion is bot h a great deal of fun and a sanit y- defying challenge. One of t he first problem s is a dependence on t he ot her schedules for t he building. Fort unat ely, it is possible t o get an idea of t he num ber of APs necessary by using an m odeling t ool. Archit ect ural drawings are com plet e, and generally readily available t o t he net work t eam even before ground is broken. St art by est im at ing t he various t ypes of m at erial and developing a m odel. Walk t hrough each area of t he building as it t akes shape. Depending on t he schedule, it m ay t ake shape in several st ages or all at once. Gaining access for a walk- t hrough during const ruct ion oft en requires t he perm ission of t he cont ract or, a hard hat , and a liabilit y waver. I n each area of t he building, t ry t o det erm ine if t he guesses m ade during t he m odeling st age were correct . Was t he radio loss fact or assigned t o t he walls accurat e, or does t he m odel need refining? As areas are finished, it m akes sense t o spot - check predict ions from t he m odeling t ool wit h a physical t est using an AP in it s final locat ion. One of t he biggest challenges in working on a building under const ruct ion is t hat t he environm ent is const ant ly changing. I n rare circum st ances, t he building m at erials m ay change due t o supply short ages or even last - m inut e changes driven by aest het ic considerat ions. Keep t he design flexible, and build in a m argin for error.

The Preliminary Plan Det erm ining t he num ber of APs and developing a set of prelim inary locat ions is t he first planning m ilest one. A few years ago, t he best way t o com e up wit h prelim inary locat ions was t o est im at e t he num ber of very expensive APs, and place t hem in open areas t hat were cent rally locat ed. Now t hat APs are m uch cheaper, t here is no longer m aj or pressure t o reduce t he AP count as far as possible. To get a very rough ballpark est im at e of t he num ber of APs needed, I use t wo rules of t hum b. The first is area- based. At m axim um power in a t ypical open office environm ent , an AP can provide service t o an area of 3,000 t o 5,000 square feet ( 275 t o 450 square m et ers) . Sim ply t ake t he area t o be covered, and divide by t he AP foot print . Use t he higher num ber if t here are lot s of open areas and relat ively few obst ruct ions; use t he lower num ber if t here is a preponderance of closed- wall offices wit h doors, or significant int erior st ruct ure t o t he building. I n addit ion t o t he area- based num ber, calculat e a user densit y- based num ber. Divide t he num ber of users in t he organizat ion by 20 t o 50. Use a num ber at t he low end if wireless net works are prevalent and widely used, and a num ber at t he high end if wireless net works are new and experim ent al. By t aking t he larger of t he t wo num bers, I have a very rough est im at e for t he num ber of APs required for an inst allat ion.

Knowing roughly how m any APs are needed does not provide any inform at ion on where t hey should go. Turning t he ext rem ely rough est im at e int o a prelim inary plan requires a bit m ore work. Wit h enough experience, t he AP locat ions are fairly st raight forward. St ruct ural walls or fire- cont ainm ent walls t end t o block a signal, oft en com plet ely. The cent ral core of a m ult ifloor building is usually t he m ain load- bearing st ruct ure, and is oft en m ade of reinforced concret e. Wit h at t enuat ion of 10 dB t o 20 dB per foot , it is best t o consider it an RF shield. Most APs are st ill usable at great er t han t he m inim um speed aft er t he signal has passed t hrough t wo t o t hree average- sized offices, depending on t he am ount of st raight - line propagat ion. Generally speaking, locat e APs in open areas wit h as few obst ruct ions as possible. I t always helps t o keep t hem accessible for any needed service, which generally m eans t hat areas above cubicles and hallways are preferred. Developing t he prelim inary plan has, up t o t his point , been largely a m anual process t hat requires high skill and ext ensive experience. I n t he past few years, m odeling t ools have em erged t hat can aut om at e t he prelim inary planning st age. These t ools t ake an archit ect ural drawing of t he building and creat e a m at hem at ical m odel of radio propagat ion. When t he net work designer changes t he locat ion of an AP in t he m odel, t he t ool recalulat es it s coverage im m ediat ely. Elect ronic t ools can be a valuable asset t o reduce t he physical validat ion by deriving a reasonable st art ing set of AP locat ions. They are especially valuable when t he building does not yet exist because it is st ill under const ruct ion. Depending on t he t ool, you m ay be able t o use t he archit ect ural drawing it self, which will t ypically be a Com put er- Aided Design ( CAD) file; som e t ools will only accept sim ple graphics files like GI Fs or JPEGs. Obt ain t he physical layout . I n m ost organizat ions, t he facilit ies depart m ent has archit ect ural drawings, or can work wit h t he landlord or building owner t o obt ain t hem . I n new const ruct ion proj ect s, an archit ect can usually supply t hem . As helpful as m odeling t ools are, it is im port ant not t o use t hem in a vacuum . Radio propagat ion is very com plicat ed, especially indoors at m icrowave frequencies. Radio waves m ay reflect in st range ways off different t ypes of m at erials, and a few inches here or t here can m ake all t he difference in t he world t o t he result ing coverage. Modeling t ools also depend on accurat e knowledge of t he const ruct ion of a building, which is not always available t o t he net work st aff. Modeling t ools are no subst it ut e for act ual experim ent at ion. No m at t er what t echnique you em ploy, use t he physical plans t o derive a prelim inary plan. Det ailed radio channel use planning is not yet necessary. I f you are using a m odeling t ool, have it suggest a radio plan, but expect t o m ake som e changes aft er inst allat ion. The prelim inary plan is, well, prelim inary. Expect it t o change. The purpose of t his st age is not t o get everyt hing right , but t o get a st art ing point t o work from . Table 23- 5 is based on t he best - case coverage radius from a t ypical om nidirect ional ant enna. I f you want t o incorporat e higher t han t he m inim um dat a rat e, you will probably need sm aller radii; t he best approach is t o use one of t he elect ronic t ools discussed briefly in t his sect ion.

Ta ble 2 3 - 5 . " Ru le - of- t h u m b" cove r a ge r a diu s for diffe r e n t t ype s of spa ce Type of spa ce

M a x im u m cove r a ge r a diu s ( 2 .4 GH z)

M a x im u m cove r a ge r a diu s ( 5 GH z)

Closed office

Up t o 50- 60 feet

35- 40 feet

Open office ( cubicles)

Up t o 90 feet

60 feet

Hallways and ot her large room s

Up t o 150 feet

75 feet

Out doors ( wit hout ant enna engineering)

Up t o 300 feet

Don't even bot her!

Out doors ( wit h cust om ant ennas)

Many m iles

Don't even bot her!

The preliminary report The prelim inary plan can be used as t he basis for furt her act ivit y. I t m ay be used t o provide an est im at e for t he cost of deploying t he wireless LAN in t he given area. I t m ay also be used t o hire a cabling cont ract or t o perform t he physical wiring. The plan it self m ay include:

1 . A brief sum m ary of requirem ent s. 2 . Est im at ed coverage areas based on t he sit e survey m easurem ent s. This m ay be divided int o areas wit h good coverage, m arginal coverage, and weak coverage. Report s based on m at hem at ical m odels m ay not e proj ect ed cont ours for different operat ional rat es. 3 . A descript ion of t he locat ions of all access point s, along wit h t heir configurat ion. Soft ware t ools for aut om at ed layout m ay be able t o provide det ailed locat ion and configurat ion inform at ion based on t he floor m aps, such as:

a . The AP's operat ing channel. b. Approxim at e coverage area, possibly shown as coverage cont ours at different speeds. c. I P configurat ion, if required. " Light weight " APs m ay not have an I P address. d. Ant enna t ype and configurat ion, including direct ion for direct ional ant ennas. e . Any ot her vendor- specific inform at ion t hat m ay be useful. Som e organizat ions t rack devices based on MAC address, so it would be useful t o include t hat in t he report .

Radio Resource Management and Channel Layout Figure 23- 4 m akes t he channel layout appear decept ively sim ple. When building a net work indoors, signal propagat ion is m uch m ore com plex. Channel overlap is far m ore likely indoors because of t he need t o have higher power direct ed t owards obst acles, which m ay result in higher t han desired power in ot her direct ions. Prelim inary plans should include a basic channel m ap. I t is alm ost cert ain t hat adj ust m ent s will need t o be m ade t o t he channel layout . Tuning m ay be done m anually by searching out overlapping channels wit h handheld t ools, or aut om at ically by access point s t hat at t em pt t o find t he least busy channel. Wit h only t hree channels in t he 2.4 GHz band, changes m ay " ripple" t hrough a net work and t ake som e t im e t o converge on a final solut ion.

Refining and Testing the Plan Depending on t he need for accuracy, as well as budget ary const raint s, t he process of refining t he plan m ay vary a great deal. I n sm all or budget - conscious inst allat ions, it m ay suffice t o st art wit h t he prelim inary plan, t urn it on, and see what develops. More m et hodical deploym ent s m ay inst all all or part of t he prelim inary plan and perform ext ensive t est s t o verify it m eet s requirem ent s. I f t he prelim inary plan is accurat e, t here m ay not be m uch m odificat ion required. The m aj or goal of t he

t est ing is t o discover any unforeseen int erference or bad spot s and redesign t he net work accordingly. I n m ost cases, int erference problem s can usually be repaired by relocat ing an access point . Adj ust m ent s t o AP locat ions are t ypically not large. Failing t hat , a different ant enna or anot her AP is usually t he answer. I n rare cases, m ult iple design and t est phases m ay be used, alt hough it is quit e unusual. When checking t he plan, duplicat e t he user experience as m uch as possible. Obst acles bet ween wireless LAN users and access point s decrease radio st rengt h, so m ake an effort t o replicat e exact ly t he inst allat ion during t he sit e survey. Ant ennas should be inst alled for t he t est exact ly as t hey would be inst alled on a com plet ed net work. I f office dwellers are part of t he user base, m ake sure t hat adequat e coverage is obt ained in offices when t he door is closed. Even m ore im port ant , close any m et al blinds, because m et al is t he m ost effect ive radio screen. Signal m easurem ent s should be ident ical t o t he expect ed use of t he net work users, wit h one except ion. Most sit e survey t ools at t em pt t o det erm ine t he signal qualit y at a single spat ial point t hroughout a sequence of several point s in t im e, and t hus it is im port ant t o keep t he lapt op in one locat ion as t he m easurem ent is carried out . Taking large num bers of m easurem ent s is im port ant because users will m ove wit h unt et hered lapt ops, and also because t he m ult ipat h fading effect s m ay lead t o pronounced signal qualit y differences even bet ween nearby locat ions. Ext rem ely t horough organizat ions m ay want t o t est wit h m ult iple client devices. Wireless LAN behavior can vary a great deal depending on im plem ent at ion, and client behavior oft en varies even wit h t he exact sam e soft ware. I f you need det ailed knowledge of how t he syst em will behave, it m ay be wort hwhile t o gat her several syst em s wit h ident ical soft ware configurat ions and run t hem t hrough t he sam e t est s at t he sam e t im e. The final t est report should result in det ailed knowledge of t he act ual coverage of t he APs in t heir final locat ions. Coverage m ay be report ed as an area, alt hough it is oft en m ore useful t o report on t he area over which a cert ain t ransm ission rat e is reliably obt ained. I n som e cases, it m ay also be useful t o report on perform ance charact erist ics, especially if applicat ion m ix is well- enough known t o be charact erized. I f t he building is under const ruct ion, validat ion m ay proceed in st ages as t he building is com plet ed. I f t he ent ire building is const ruct ed at t he sam e t im e, you m ay want t o t ake basic m easurem ent s early in t he process t o det erm ine if m aj or changes t o t he radio m odel are required, wit h m ore t im econsum ing and accurat e validat ion t est s at t he end.

Validation and test tools I n t he past , get t ing an idea of t he coverage of an AP and com ing up wit h an AP layout was t im econsum ing because it required repeat ed m easurem ent s of signal qualit y as an AP was placed in a t rial locat ion. Wit h t he developm ent of aut om at ic layout t ools, whet her based on m odeling or selft uning capabilit ies, t he validat ion phase m ay not require t he sam e ext ensive set of t ools. I n- dept h analysis of t he radio link perform ance is generally only required when t rouble wit h a t est syst em is discovered. The m ost com m on signal qualit y m easurem ent s are t he packet ( or, m ore properly, fram e) error rat e ( PER) and received signal st rengt h ( RSSI ) . Fram e error rat es need t o be kept as low as possible. I n t he past , an 8% t arget generally guarant eed accept able perform ance. More densely deployed net works should easily be able t o achieve 5% or lower. Sophist icat ed infrast ruct ure devices can oft en m easure t he per- client fram e error rat e direct ly, as well as t he RSSI and signal- t o- noise rat io. The RSSI and signal- t o- noise rat io are im port ant for achieving higher dat a rat es. To t ransm it an int elligible fram e at a given dat a rat e, t here is a given signal- t o- noise t hreshold. A few t ools report m ult ipat h t im e dispersion, which m easures t he degree t o which a signal is spread

out in t im e by pat h differences. Higher delay spreads m ake t he correlat ion of t he signals m ore difficult . Wit h a high delay spread, devices need t o accept eit her a higher error rat e or fall back t o a m ore conservat ive coding m et hod. Eit her way, t hroughput goes down. The higher t he delay spread, t he m ore t hroughput suffers. Measuring m ult ipat h dispersion is generally not im port ant , alt hough it is valuable t o have a t ool t hat gat hers t he dat a for persist ent m ult ipat h problem s. When 802.11b was t he wireless net work of choice, a large num ber of handheld t ools were developed for port able com put ing plat form s such as t he Com paq iPAQ. Wit h t he increasing adopt ion of 802.11a and 802.11g, t hough, handheld devices are falling out of favor and being replaced by Tablet PCs. Most handheld devices have relat ively slow ext ernal int erfaces t hat are unable t o cope wit h t he higher dat a rat es from newer st andards. The iPAQ, for exam ple, has an int erface for 16- bit PC Cards t hat run at 8 MHz. While such slow speeds are sufficient for an 11 Mbps 802.11b int erface, t he higher speed of 802.11a and 802.11g im poses a pract ical requirem ent for CardBus. Tablet PCs have a second advant age in t he validat ion phase as well. Many of t he planning t ools t hat you m ight use t o develop a prelim inary plan include t he abilit y t o run a validat ion client t hat collect s physical m easurem ent s and can t ie t he validat ion m easurem ent s back t o t he predict ions calculat ed earlier. Part icularly st ubborn int erference m ay require t he use of a spect rum analyzer t o locat e t he source of int erference from a non- 802.11 net work. Devices t hat can scan a wide frequency band t o locat e t ransm issions are not cheap. Expect t o pay several t housand dollars, or you can hire a consult ant and rent one. As an alt ernat ive, it m ay be possible t o use an I SM band- only spect rum analyzer t o t rack int erference t o it s source. I n any case, a spect rum analyzer is t he t ool of last resort , necessary for only t he m ost st ubborn problem s.

RF fingerprint collection Som e wireless LAN syst em s require t he collect ion of RF " fingerprint s," as discussed in t he previous chapt er. Fingerprint collect ion can only proceed once t he APs are in t heir final locat ions. At t hat point , t est devices can be posit ioned in com m on locat ions so t he syst em can collect t he result fingerprint s.

Preparing the Final Report During t he planning and t est ing cycle, you should have prepared prelim inary docum ent s t hat show AP inst allat ion locat ions. When t he final t est has com plet ed, t he net work should be docum ent ed. I f t he prelim inary plans are in elect ronic form , m odify t hem t o reflect t he result s of t est ing, and incorporat e t he changes int o a final report . I n addit ion t o access- point placem ent , m any cust om ers appreciat e an est im at e of t he work necessary t o inst all drivers ont o any affect ed lapt ops. The scope of t his it em depends a great deal on t he sophist icat ion of t he cust om er's m anagem ent t ools. For m any, it will be sufficient t o include a copy of t he driver inst allat ion inst ruct ions as an appendix t o t he report . Som e client s m ay require low- level det ails on t he driver inst allat ion so t hat t he driver inst allat ion can be com plet ely aut om at ed down t o any necessary regist ry changes on Windows syst em s.

Using Antennas to Tailor Coverage I t m ay be necessary t o provide coverage for a unique area t hat doesn't " play by t he rules" you expect it t o follow. Most access point s use om nidirect ional ant ennas, which radiat e equally in every direct ion. However, it m ay be desirable t o change t he basic radio coverage pat t ern from a circle t o som et hing else for som e applicat ions. This is work t hat is oft en done in t he field t o adj ust coverage from an AP t o m at ch a part icular area, or t o boost t he signal t o fill in a hole. Wit h t he cost of APs declining rapidly, cust om t ailoring coverage wit h ant ennas is not as necessary as it previously was, alt hough it is st ill im port ant . I n t he past , radio equipm ent vendors needed t o supply ant ennas and ensure t hat t he capabilit ies of t he com bined syst em would m eet t he unlicensed spect rum t ransm ission rules. I n July 2004, t he FCC relaxed t he rules t o allow a radio device m anufact urer t o specify a m axim um gain and allow t he user t o select any ant enna wit h t he sam e gain charact erist ics. [ * ] Before t he ruling, radios and ant ennas had t o be cert ified as a single unit , and it was t echnically illegal t o at t ach an ant enna from a source ot her t han t he radio vendor. Wit h t he new rules, m anufact urers can cert ify a syst em at t he lim it s of t he radio rules, and end users can choose any ant enna wit hin t hat out er boundary. I f, for exam ple, t he radio m anufact urer underwent cert ificat ion t est ing wit h a 10 dBi ant enna, a buyer is allowed t o find a lower gain version of t he sam e t ype of ant enna ( say, only 8 dBi) , and use it legally. [*]

See document 04-165 at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-04-165A1.pdf, which modifies the relevant telecommunications rules.

Antenna Types Wireless cards all have built - in ant ennas, but t hese ant ennas are, at best , m inim ally adequat e. I f you were planning t o cover an officeor an even larger area, such as a cam pusyou will alm ost cert ainly want t o use ext ernal ant ennas for your access point s. When considering specialized ant ennas, t here are only a few specificat ions t hat you need t o pay at t ent ion t o:

Ant enna t ype The ant enna t ype det erm ines it s radiat ion pat t ernis it om nidirect ional, bidirect ional, or unidirect ional? Om nidirect ional ant ennas are good for covering large areas; bidirect ional ant ennas are part icularly good at covering corridors; unidirect ional ant ennas are best at set t ing up point - t o- point links bet ween buildings, or even different sit es.

Gain The gain of t he ant enna is t he ext ent t o which it enhances t he signal in it s preferred direct ion. Ant enna gain is m easured in dBi, which st ands for decibels relat ive t o an isot ropic radiat or. An isot ropic radiat or is a t heoret ical beast t hat radiat es equally in all direct ions. To put som e st akes in t he ground: I 've never seen a specificat ion for t he gain of t he built - in ant enna on a wireless card, but I would guess t hat it 's negat ive ( i.e., worse t han an isot ropic radiat or) . Sim ple ext ernal ant ennas t ypically have gains of 3 t o 7 dBi. Direct ional ant ennas can have

gains as high as 24 dBi. [ * ] [* ]

I f you want one m ore st ake, t he radio t elescope at Arecibo has a gain in excess of 80 dBi.

Half- power beam widt h This is t he widt h of t he ant enna's radiat ion pat t ern, m easured in t erm s of t he point s at which t he ant enna's radiat ion drops t o half of it s peak value. Underst anding t he half- power beam widt h is im port ant t o underst anding your ant enna's effect ive coverage area. For a very highgain ant enna, t he half- power beam widt h m ay be a narrow angle. Once you get out side t he half- power beam widt h, t he signal t ypically drops off fairly quickly, alt hough t hat depends on t he ant enna's design. Don't be fooled int o t hinking t hat t he half- power beam widt h is irrelevant for an om nidirect ional ant enna. A t ypical om nidirect ional ( vert ical) ant enna is only om nidirect ional in t he horizont al plane. As you go above or below t he plane on which t he ant enna is m ount ed, t he signal decreases. We've discussed ant ennas ent irely in t erm s of t heir propert ies for t ransm it t ing, largely because m ost people find t hat easier t o underst and. Fort unat ely, an ant enna's receiving propert ies are ident ical t o it s t ransm it t ing propert iesan ant enna enhances a received signal t o t he sam e ext ent t hat it enhances t he t ransm it t ed signal. This result is probably what you would expect , but proving it is beyond t he scope of t his book. Now, let 's t alk about som e of t he ant enna t ypes t hat are available ( Figure 23- 5 shows a num ber of different ant enna t ypes) :

Vert ical This is a garden- variet y om nidirect ional ant enna. Most vendors sell several different t ypes of vert ical ant enna, differing prim arily in t heir gain; you m ight see a vert ical ant enna wit h a published gain as high as 10 dBi or as low as 3 dBi. How does an om nidirect ional ant enna generat e gain? Rem em ber t hat a vert ical ant enna is om nidirect ional only in t he horizont al plane. I n t hree dim ensions, it s radiat ion pat t ern looks som et hing like a donut . A higher gain m eans t hat t he donut is squashed. I t also m eans t hat t he ant enna is larger and m ore expensive, alt hough no ant ennas for 802.11 service are part icularly large. I f you want t o cover a confined out door areafor exam ple, a court yard bet ween several buildings of a corporat e cam pusnot e t hat t he half- power beam widt h m eans t hat a roofm ount ed vert ical ant enna m ight be less t han ideal, part icularly if t he building is t all. Vert ical ant ennas are good at radiat ing out horizont ally; t hey're not good at radiat ing down. I n a sit uat ion like t his, you would be bet t er off m ount ing t he ant enna out side a first - or second- st ory window.

Figu r e 2 3 - 5 . An t e n n a t ype s

Dipole A dipole ant enna has a figure- eight radiat ion pat t ern, which m eans it 's ideal for covering a

hallway or som e ot her long, t hin area. Physically, it won't look m uch different from a vert icalin fact , som e vert ical ant ennas are sim ply vert ically m ount ed dipoles.

Yagi A Yagi ant enna is a m oderat ely high- gain unidirect ional ant enna. I t looks som ewhat like a classic TV ant enna. There are a num ber of parallel m et al elem ent s at right angles t o a boom . However, you are not likely t o see t he elem ent s on a Yagi for 802.11 service; t he com m ercially m ade Yagis t hat I have seen are all enclosed in a radom e, which is a plast ic shell t hat prot ect s t he ant enna from t he elem ent s in out door deploym ent s. Yagi ant ennas for 802.11 service have gains bet ween 12 and 18 dBi; aim ing t hem is not as difficult as aim ing a parabolic ant enna, alt hough it can be t ricky.

Parabolic This is a very high- gain ant enna. Because parabolic ant ennas have very high gains ( up t o 24 dBi for com m ercially m ade 802.11 ant ennas) , t hey also have very narrow beam widt hs. You would probably use a parabolic ant enna only for a link bet ween buildings; because of t he narrow beam widt h, t hey are not very useful for providing services t o end users. Vendors publish ranges of up t o 20 m iles for t heir parabolic ant ennas. Presum ably, bot h ends of t he link are using a sim ilar ant enna. Do not underest im at e t he difficult y of aim ing a parabolic ant enna properlyone com m ercial product has a published beam widt h of only 6.5 degrees. I f you decide t o inst all a parabolic ant enna, m ake sure t hat you have it m ount ed firm ly. You do not want a bad st orm t o nudge it a bit and t ake down your connect ion. Som e vendors m ake an issue of t he dist inct ion bet ween " m esh" or " grid" parabolas ( in which t he ant enna's reflect or looks like a bent barbecue grill) and solid parabolas. Don't sweat it if t he ant enna is well- designed, t he difference in perform ance bet ween a m esh and a solid reflect or is not wort h worrying about . A m esh does have an advant age, t hough, in areas subj ect t o high winds. Parabolic and Yagi ant ennas are useful prim arily for links bet ween buildings. The biggest problem is aim ing t hem properly. I f t he t wo sit es are visible t o each ot her, you can play som e t ricks wit h gunsight salt hough if you can see one sit e from t he ot her, you probably don't need such a sophist icat ed ant enna syst em . Ot herwise, buy a good com pass and a t opographical m ap from t he U.S. Geological Survey, and com put e t he heading from one sit e t o t he ot her. Rem em ber t o correct for m agnet icNort h. I f you can spend som e ext ra m oney, you m ight be able t o sim plify t he set up by inst alling a high- gain vert ical ant enna at one sit e; t hen you need t o aim only one ant enna. I f t he signal is m arginal, replace t he vert ical wit h a parabolic ant enna once you have t he first ant enna aim ed correct ly. High- gain ant ennas can becom e a regulat ory problem , part icularly in Europe, because t ransm ission power lim it s are lower t han in t he U.S. The high- gain parabolic ant enna sold under t he Orinoco brand cannot legally be used at t he edges of t he I SM band in t he U.S. ( 1, 2, 10, and 11 are excluded) because of signal leakages out side t he band.

Antenna cabling Having put so m uch effort int o t hinking about ant ennas, we have t o spend som e t im e t hinking about how t o connect t he ant ennas t o t he access point s or wireless cards. Most vendors sell t wo kinds of cable: relat ively inexpensive t hin cable ( t ypically 0.1 inch in diam et er) and " low- loss cable" t hat 's

subst ant ially t hicker ( t ypically 0.4 inch) and m uch m ore expensive. The t hin cable is usually available only in lengt hs of a couple of feet , and t hat is as it should be: it is very lossy, and m ore t han a few feet can easily eat up your ent ire signal. One sit e I worked at concealed APs by m ount ing t hem above t he ceiling and using an unobt rusive ext ernal ant enna poking t hrough t he ceiling t ile. However, t he m ount ing schem e t urned out t o be a wash. The ext ernal ant ennas had a 2 dB gain, and t he cable connect ing t he ant ennas t o t he APs had a 2 dB loss. Thin cable is int ended for connect ing a wireless card in a lapt op t o a port able ant enna on your deskt op, and t hat is about all it is good for. To put num bers behind t his: one vendor specifies a loss of 2.5 dB for a 2- m et er cable. That m eans t hat close t o half of your signal st rengt h is disappearing in j ust t wo m et ers of cable. One cable vendor, for a cable t hat would t ypically be used in t his applicat ion, specifies a loss of 75 dB per 100 feet at 2.4 GHz. That m eans t hat your signal st rengt h will drop by a fact or of 2 25 ( roughly 33 m illion) , clearly not som et hing you want t o cont em plat e. I know of one vendor t hat recom m ends using RG58 cable wit h m edium - gain ant ennas. RG58 is bet t er t han t he really t hin cable int ended for port able use, but not m uch bet t er ( 35 dB per 100 feet ) ; if you use RG58 cable, keep t he cable run as short as possible. Bet t er yet , dit ch t he RG58 and see xsif you can replace it wit h LMR- 200 ( a high- qualit y equivalent wit h half t he loss) . What does t he pict ure look like when you're using a real low- loss cable? Significant ly bet t er, but m aybe not as m uch bet t er as you would like. A t ypical cable for t his applicat ionused by at least one 802.11 vendoris Tim es Microwave LMR- 400. LMR- 400 is a very high- qualit y cable, but it st ill has a loss of 6.8 dB per 100 feet at 2.4 GHz. This m eans t hat , in a 100- foot lengt h of cable, over t hree quart ers of your signal is lost . The m oral of t he st ory is clear: keep your access point s as close as possible t o your ant ennas. Minim ize t he lengt h of t he t ransm ission line. I f you want a roof- m ount ed ant enna, perhaps t o cover a court yard where people frequent ly have lunch, don't st ick your access point in a wiring closet in t he basem ent and run a cable t o t he roof. I f possible, put your access point in a weat herproof enclosure on t he roof. I f t hat 's not possible, at least put t he access point in an at t ic or crawlspace. There is no subst it ut e for keeping t he t ransm ission line as short as possible. Also, keep in m ind t hat t ransm ission lines have a st range abilit y t o shrink when t hey are rout ed t hrough walls or conduit s. I 've never underst ood why, but no m at t er how carefully you m easure, you are cert ain t o find t hat your cable is t wo feet short . More t o t he point : t he st raight - line dist ance from your access point t o t he ant enna m ay be only 20 feet , but don't be surprised if it t akes a 50- foot cable t o m ake t he t rip. The cable will probably have t o go around corners and t hrough conduit s and all sort s of ot her m isdirect ions before it arrives at it s dest inat ion. Finally, t here's t he m at t er of ant enna connect ors. All wireless vendors sell cables in various lengt h wit h t he proper connect ors and adapt ers. I st rongly recom m end t aking t he easy way out and buying cables wit h t he connect ors preinst alled. Connect or failure is one of t he m ost com m on causes for out ages in radio syst em s, part icularly if you don't have a lot of experience inst alling RF connect ors.

Antenna diversity One com m on m et hod of m inim izing m ult ipat h fading is t o have ant enna diversit y . Rat her t han m aking t he ant enna larger, radio syst em s can use m ult iple ant ennas and choose t he signal from t he ant enna wit h bet t er recept ion. Using m ult iple ant ennas does not require sophist icat ed m at hem at ical t heory or signal- processing t echniques. Several wireless LAN vendors have built m ult iple ant ennas int o wireless net work cards. Som e vendors even offer t he abilit y t o connect m ult iple ext ernal ant ennas t o net work cards int ended for access point s. Ant enna diversit y is recom m ended by t he 802.11 st andard, but it is not required. For environm ent s wit h large am ount s of int erference, ant enna diversit y is a wort hwhile opt ion t o consider when select ing vendors.

Amplifiers: bring on the heat Am plifiers increase t he power of a signal. On t he t ransm ission side of a radio net work, am plifiers help fling t he signal fart her t o cover m ore area. Many t ransm ission am plifiers also incorporat e pream plifiers for t he recept ion side of t he circuit as well, which helps increase t he receiver's sensit ivit y t o weak signals. I ndoor deploym ent s of 802.11 t ypically do not not need am plifiers t o increase t ransm ission power . As an AP's t ransm it power increases, it s coverage area can encom pass m ore area, and m ore st at ions can j oin t he net work. To preserve qualit y coverage, it is best t o design a net work consist ing of m any sm all APs wit h relat ively low t ransm it power. Even a wireless LAN deploym ent focused on providing coverage only, regardless of qualit y, alt hough a large area is probably able t o get by wit h a high- gain vert ical ant enna. Generally speaking, high t ransm it power sounds like a m uch bet t er idea t han it is in pract ice, wit h a few obvious except ions. Com m unit y net works m ay want t o provide coverage for a large area before increasing t he densit y of coverage, and APs m ay be m ore expensive t han t he am plificat ion part s. Point - t o- point links built on 802.11 are also a good applicat ion for am plificat ion. I f t he dist ance is sufficient ly large, all t he ant enna gain in t he world won't pull t he signal off t he noise floor. One of t he bet t er- docum ent ed out door point - t o- point shot s is t he uplink for t he Ruby Ranch I nt ernet Cooperat ive ( ht t p: / / www.rric.net ) . [ * ] Rem ot e I SPs building t heir WANs on 802.11 m ay also m ake ext ensive use of am plificat ion. [*]

The RRIC is a fascinating site in its own right, and I highly recommend it. The incumbent telephone carrier refused to deliver DSL in the neighborhood, so a group of committed volunteers made it happen.

SSB Elect ronics ( www. ssbusa.com / wireless.ht m l) and HyperLink Technologies ( ht t p: / / www.hyperlinkt ech.com / web/ am plifiers_2400.ht m l) are t wo vendors of 802.11 am plifiers. However, if you use am plifiers wit h 802.11, rem em ber: St ay wit hin t he legal power lim it , bot h for absolut e power and ERP. 802.11 is an unlicensed service. I f you int erfere wit h anot her service, it is your problem , by definit ion. And if a licensed service int erferes wit h you, it is your problem , by definit ion. I nt erference is m ore likely t o be a problem if your net work covers a large service area and if you are using high power. Use equipm ent t hat is approved for 802.11 service. Ot her am plifiers are available t hat cover t he frequency range, but using t hem is illegal. The FCC does enforce t heir rules, and t heir fines are large. I f you are in violat ion of t he regulat ions, t hey will not be am used, part icularly if you're in excess of t he power lim it or using unapproved equipm ent .

Chapter 24. 802.11 Network Analysis There is no com ing t o consciousness wit hout pain. At t ribut ed t o C.G. Jung I n t he 1990s, com put er professionals j oined doct ors as People Wit h Answers. Just as doct ors are asked m edical quest ions by com plet e st rangers, com put er professionals are asked a bewildering variet y of t echnical quest ions by com plet e st rangers. When t hese st rangers learn t hat I work wit h net works, I am oft en asked, " Why does t he I nt ernet break so oft en?" The m ore I cont em plat e t he quest ion, t he m ore I believe t hat t he quest ion should be, " Why doesn't t he I nt ernet break m ore oft en?" While I could never hope t o answer eit her quest ion in a single chapt er of a book, it is obvious t hat net work problem s are a fact of life. Net works break, and wireless net works are no except ion. Wireless LANs can im prove product ivit y, but t hey also carry a larger risk of com plet e out age, and t he lim it ed bandwidt h is alm ost sure t o be overloaded. Aft er building a wireless LAN, net work engineers m ust be ready t o invest igat e any problem s t hat m ay arise. As in m any ot her net work t ypes, t he t rust y net work analyzer is a key com ponent in t he engineer's t oolbox. Net work analyzers already exist for t he wired backbone side of t he wireless net work and can be used product ively in m any t roubleshoot ing scenarios. Wireless net work t roubleshoot ing depends on having a net work analyzer for exact ly t he sam e reason. Som et im es, you j ust need t o have a way of seeing what is on t he airwaves. This chapt er is devot ed t o t ools t hat allow net work engineers t o do j ust t hat . Several com m ercial analyzers are available, and t here are free t ools t hat run on Linux. Before diving int o t he t ools, t hough, it m ay help t o consider why wireless net work analyzers are a pract ical requirem ent for t he net work adm inist rat or.

Network Analyzers I n spit e of t he shared herit age, 802.11 is not Et hernet . I t has a num ber of addit ional prot ocol feat ures, each of which can cause problem s. Fixing problem s on 802.11 net works som et im es requires t hat a net work adm inist rat or get down t o t he low- level prot ocol det ails and see what is happening over t he airwaves. Net work analyzers have long been viewed as a useful com ponent of t he net work adm inist rat or's t oolkit on wired net works for t heir abilit y t o report on t he low- level det ails. Analyzers on wireless net works will be j ust as useful, and possibly even m ore im port ant . More t hings can go wrong on an 802.11 net work, so a good analyzer is a vit al t ool for quickly focusing t roubleshoot ing on t he likely culprit . Avoiding problem s begins at t he planning st ages. Som e analyzers can report det ailed st at ist ics on RF signal st rengt h, which can help place access point s. Analyzers can help net work adm inist rat ors avoid creat ing dead zones by ensuring t hat t here is enough overlap at t he edges of BSSs t o allow for t im ely t ransit ions. As wireless net works grow in popularit y, t hey m ay need t o support m ore users. To avoid perform ance problem s, adm inist rat ors m ay consider shrinking t he size of access point coverage areas t o get m ore aggregat e t hroughput in a given area. I n t he process of shrinking t he coverage areas, net work adm inist rat ors m ay go t hrough large part s of t he deploym ent plan all over again and depend once again on t heir analyzer. Wit h t he lim it ed bit rat es of wireless net works, perform ance is likely t o be a problem sooner or lat er. Perform ance problem s can be caused by cram m ing t oo m any users int o t oo few access point s, or t hey can be relat ed t o problem s happening at t he radio layer. The designers of 802.11 were aware of t he problem s t hat could be caused by t he radio t ransm ission m edium . Fram e t ransm issions succeed reliably. Most im plem ent at ions will also ret ransm it fram es wit h sim pler ( and slower) encoding m et hods and fragm ent fram es in t he presence of persist ent int erference. I nt erference can be a problem for 802.11 net work perform ance. I n addit ion t o t he direct effect of t rashing t ransm it t ed fram es t hat t hen require ret ransm ission, int erference has t wo indirect effect s. Poor t ransm ission qualit y m ay cause a st at ion t o st ep down t o a lower bit rat e in search of m ore reliable radio link qualit y. Even if slower t ransm issions usually succeed, som e m easure of t hroughput is lost at t he lower bit rat es. 802.11 st at ions m ay also at t em pt t o fragm ent pending fram es t o work around int erference, which reduces t he percent age of t ransm issions t hat carry end- user dat a. 802.11 headers are quit e large com pared t o ot her LAN prot ocols, and fragm ent at ion increases t he am ount of header inform at ion t ransm it t ed for a fixed am ount of dat a. On m any net works, however, only a few applicat ions are used. Do perform ance com plaint s indicat e a general net work problem , or a problem wit h a specific applicat ion? Net work analyzers can help you find t he cause of t he problem by exam ining t he dist ribut ion of packet sizes. More sm all packet s m ay indicat e excessive use of fragm ent at ion in t he face of int erference. Som e analyzers can also report on t he dist ribut ion of fram es' t ransm ission rat es on a wireless net work. 802.11b net works are capable of t ransm it t ing at 11 Mbps, but fram es m ay be t ransm it t ed at slower rat es ( 5. 5 Mbps, 2 Mbps, or even 1 Mbps) if int erference is a problem . St at ions capable of high- rat e operat ion but nonet heless t ransm it t ing at lower rat es m ay be subj ect t o a large am ount of int erference. Perform ance depends on radio capacit y. St at ions t hat have st epped down t o lower rat es m ay not require a great deal of t hroughput for dat a service, but t he slower rat es require a great deal of t im e on t he radio m edium . Som e analyzers can report t he radio ut ilizat ion as dist inct from t hroughput , which is valuable in t racking down cert ain t ypes of perform ance problem s. To solve int erference problem s, you can at t em pt t o reorient t he access point or it s ant enna, or place a new access point in a zone wit h poor coverage. Rat her t han wait ing for users t o report on t heir

experience wit h t he changes in place, you can use an analyzer t o get a quick idea of whet her t he changes will help alleviat e t he problem . Som e analyzers can provide ext ensive report s on t he RF signal qualit y of received fram es, which can help you place hardware bet t er t he first t im e around. Avoiding repeat ed experim ent at ion direct ly wit h end users m akes you look bet t er and m akes users happier. Short ening t roubleshoot ing cycles has always been a st rengt h of net work analyzers. Analyzers also help net work adm inist rat ors check on t he operat ion of unique feat ures of t he 802.11 MAC. While it is possible t o capt ure t raffic once it has been bridged on t o a wireless backbone net work and analyze it t here, t he problem could always be on t he wireless link. Are fram es being acknowledged? I f t hey are not , t here will be ret ransm issions. Are t he dist ribut ion syst em bit s set correct ly? I f t hey are not , t hen address fields will be m isint erpret ed. I f a m alform ed packet is seen on t he wired side of an access point , it could be m angled at several point s. A wireless analyzer can look at fram es as t hey t ravel t hrough t he air t o help you pin down t he source of t he m angled packet . Malform ed fram es m ay be t ransm it t ed by t he client or m angled by t he access point , and it is helpful t o pin down t he problem before request ing assist ance from t he vendor.

802.11 Network Analyzers 802.11 net work analyzers are now quit e com m on and should be a part of any wireless LAN adm inist rat or's t oolbox. Most 802.11 net work analyzers are soft ware packages t hat use an 802.11 net work card. No special hardware is required because 802.11 net work cards supply all t he RF hardware needed t o grab packet s. A net work analyzer should be part of t he deploym ent budget for any wireless net work. The choice t o buy or build is up t o you, alt hough I ant icipat e t hat m ost inst it ut ions will rely prim arily on com m ercial product s and leave developm ent and bug fixes t o t he net work analyzer vendors, especially because com m ercial analyzers can be purchased, inst alled, and m ade useful m uch m ore quickly. AirMagnet (ht t p: / / www.airm agnet .com ) and AiroPeek from WildPacket s ( ht t p: / / www.wildpacket s.com ) are t he t wo best - known com m ercial wireless analyzers. I have used bot h ext ensively in t he I nt erop Labs when t roubleshoot ing various wireless problem s.

Ethereal Et hereal is t he st andard open source net work analyzer. Like t he com m ercial analyzers, it support s a long list of prot ocols and can capt ure live dat a from a variet y of net work int erfaces. Unlike t he propriet ary analyzers, Et hereal com es com plet e wit h a slogan ( " Sniffing t he glue t hat holds t he I nt ernet t oget her" ) . Et hereal runs on m ost Unix plat form s as well as Windows. Source code is freely available for bot h, but m odificat ions are easier t o m ake on Unix because of t he availabilit y of com pilers in t he Unix program m ing environm ent . Like m any open source proj ect s, Et hereal is dist ribut ed under t he t erm s of t he GNU Public License. Prot ocol decodes are included for m any com m on net working prot ocols. For t he purpose of t his sect ion, t he im port ant prot ocols are I EEE 802.11 and LLC, bot h of which are used on every 802.11 fram e. Of course, t he TCP/ I P suit e is included as well. As 802.11 has becom e m ore popular and bet t er support ed on Linux, t he choice of analysis hardware has opened up. I nit ially, only Prism - based cards were support ed. However, m ost com m on int erface cards are now support ed out of t he box. This sect ion was writ t en about Et hereal version 0.10.9, which was released in lat e January 2005.

Packet Capture on Windows Binary packages are m ore im port ant in t he Windows world because of t he lack of a highqualit y, free developm ent environm ent . Alt hough Et hereal does not provide t he sam e level of 802.11 support under Windows, it can st ill be a valuable program t o have, especially in a day j ob t hat requires use of Windows syst em s. Binary versions of Et hereal for Windows are available from ht t p: / / www.et hereal.com . They require t he WinPcap library t o provide t he libpcap- t ype support on Windows. WinPcap can be downloaded from ht t p: / / net group- serv.polit o.it / winpcap/ . WinPcap is support ed only on 32- bit Windows syst em s ( 95, 98, ME, NT, and 2000) and is licensed under a BSD- st yle license. I nt erest ingly enough, WinPcap was support ed in part by Microsoft Research. Et hereal depends on pcap, t he packet capt ure library. WinPcap, a port of pcap t o Windows, can be used wit h Et hereal on Windows. Alt hough nearly every Et hernet int erface is support ed on Windows, wireless cards present different program m ing int erfaces. Many cards cannot capt ure any fram es when using prom iscuous m ode. By disabling prom iscuous m ode, m any cards are able t o capt ure fram es t o and from t he st at ion only. Wireless packet capt ure is m uch m ore card- dependent on Windows t han Linux, so I t end t o use Linux inst ead of Windows.

Compilation and Installation Building Et hereal for wireless net work analysis is m uch easier t han it used t o be. Many of t he pat ches form erly required for wireless analysis have been int egrat ed int o t he m ain source t ree, so wireless analysis works " out of t he box."

Et hereal depends on bot h libpcap, t he packet capt ure library, and t he GTK+ display library. Packet capt ure also requires kernel support t o grab packet s, in t he form of Packet Socket (CONFI G_PACKET) suppor t . Et hereal it self is com piled using t he st andard open- source rout ine of downloading t he source code from ht t p: / / www.et hereal.com , running ./ configure, m ake, and m ake inst all.

Ethereal on Windows Binary packages are m ore im port ant in t he Windows world because of t he lack of a highqualit y, free developm ent environm ent . Alt hough Et hereal does not provide t he sam e level of 802.11 support under Windows, it can st ill be a valuable program t o have, especially in a day j ob t hat requires use of Windows syst em s. Binary versions of Et hereal for Windows are available from ht t p: / / www.et hereal.com . They require t he WinPcap library t o provide t he libpcap- t ype support on Windows. WinPcap can be downloaded from ht t p: / / net group- serv.polit o.it / winpcap/ . WinPcap is support ed only on 32- bit Windows syst em s ( 95, 98, ME, NT, and 2000) and is licensed under a BSD- st yle license. I nt erest ingly enough, WinPcap was support ed in part by Microsoft Research.

Setting the Wireless Interface for Monitor Mode To capt ure packet s, t he wireless int erface m ust be put int o m onit oring m ode, which is t he equivalent of running an Et hernet int erface in prom iscuous m ode. Each wireless driver has it s own m et hod of act ivat ing m onit or m ode.

Cisco Aironet cards Cisco Aironet cards have t wo flavors of m onit oring m ode. I n t he first m ode, called rfm on, t he driver will pass up any fram es in t he st at ion's current net work. I n t he second m ode, denot ed wit h a sim ple y , t he driver will capt ure any fram es on t he current channel. Bot h m odes are select ed by m odifying t he driver's running configurat ion t hrough t he proc file syst em :

bloodhound:~# echo "Mode: rfmon" >/proc/driver/aironet/ethX/Config bloodhound:~# echo "Mode: y" >/proc/driver/aironet/ethX/Config

To ret urn t o a norm al st at ion set t ing, change t he m ode back t o ess:

bloodhound:~# echo "Mode: ess" >/proc/driver/aironet/ethX/Config

Et hereal requires a net work int erface nam e t o capt ure packet s. I n kernel versions up t o 2.4.19, use t he Et hernet nam e of t he int erface ( et hX) . I n 2.4.20 and lat er, use wifiX.

Prism cards Prism - based cards can use one of t wo drivers: t he linux- wlan- ng from Absolut e Value Syst em s ( ht t p: / / www.linux- wlan.org) , and t he Host AP driver ( ht t p: / / host ap.epit est .fi) . Monit oring has been a driver feat ure of t he linux- wlan- ng driver since version 0.1.15. I t is act ivat ed by using t he wlanct l- ng com m and, rat her t han a wireless ext ensions com m and:

bloodhound:~# wlanctl-ng wlan0 lnxreq_wlansniffer enable=true channel=6

To t urn off m onit or m ode, send a request t o disable it :

bloodhound:~# wlanctl-ng wlan0 enable=false

Monit oring wit h Prism - based cards can also be done wit h t he Host AP driver. I t uses a privat e syst em call for m onit oring m ode, sim ilar t o wireless ext ensions. Monit oring is act ivat ed by sending a m onit or m ode com m and t o t he card of eit her 2 or 3, depending on whet her you want full m onit oring headers ( 2) or j ust 802.11 headers ( 3) . Monit oring is deact ivat ed by sending a m ode of zero:

bloodhound:~# iwpriv eth1 monitor mode bloodhound:~# iwpriv eth1 monitor 0

Orinoco cards Version 0.15 and lat er of t he orinoco_cs driver support s m oinit oring m ode wit hout requiring pat ches. Pat ches against earlier versions m ay be found at ht t p: / / airsnort .shm oo.com / orinocoinfo.ht m l. To check t hat a driver has been pat ched, run iwpriv t o look for t he m onit or cont rol call:

bloodhound:~# iwpriv eth1

I f t he driver support s m onit oring, it can be act ivat ed wit h iwpriv as well. The m onit oring driver has t wo m odes. Mode 1 prepends Prism - st yle m onit oring headers t hat report signal st rengt h and ot her physical param et ers, while Mode 2 has only t he 802.11 header. Select one of t he t wo m odes, and a channel t o m onit or. To m onit or channel 6 wit h full Prism - header m onit oring inform at ion, run t his com m and:

bloodhound:~# iwpriv eth1 monitor 1 6

To st op m onit oring, use a m ode of zero:

bloodhound:~# iwpriv eth1 monitor 0

Atheros-based cards At heros- based cards use t he MADwifi driver discussed in Chapt er 19. Wit h current versions of MADwifi, t he card can be placed int o m onit oring m ode wit h iwconfig. I f necessary, a channel can also be select ed wit h iwconfig, as in t he following exam ples for int erface at h 0:

bloodhound:~# iwconfig ath0 mode monitor bloodhound:~# iwconfig ath0 channel 6

Wit h som e driver versions, I have found it necessary t o assign an I P address t o t he int erface before t he int erface appears in t he capt ure list . The I P address does not need t o be used on t he net work.

bloodhound:~# ifconfig ath0 1.2.3.4 bloodhound:~# ifconfig ath0 up

Running Ethereal St art ing Et hereal pops up t he m ain window, which is shown in Figure 24- 1. Any user m ay st art Et hereal, but adm inist rat or privileges are required t o capt ure packet s. ( Any user m ay load files for analysis, however.) The m ain window has t hree panes. The t op pane, called t he packet list pane, gives a high- level view of each packet . I t displays each packet 's capt ure t im e, source and dest inat ion address, t he prot ocol, and a basic decode of t he packet . The Prot ocol field is filled in wit h t he final decode, or dissect or, used t o analyze t he fram e. On 802.11 net works, t he final decode m ay be I EEE 802.11 for m anagem ent fram es, or it m ay go all t he way t o t he final TCP prot ocol for analysis, as in t he case of an 802.11 fram e holding an LLC- encapsulat ed I P packet wit h a TCP segm ent carrying HTTP. Wit h t he increasing use of link- layer encrypt ion, t he end decode is oft en 802.11 because Et hereal's raw capt ure cannot decrypt fram es and " see" t he prot ect ed higher- layer prot ocols.

Figu r e 2 4 - 1 . M a in Et h e r e a l w in dow

The m iddle pane, called t he t ree view pane, is a det ailed view of t he packet select ed in t he packet list . All t he m aj or headers in a packet are shown and can be expanded for m ore det ail. All packet s have t he basic " Fram e" t ree, which cont ains det ails on arrival t im e and capt ure lengt h. 802.11 net works m ay add t he Prism Monit oring header, which cont ains radio- link dat a. The Prism header was originally developed for use wit h Prism devices, but has been adopt ed by m ost drivers. The capt ure in Figure 24- 1 was t aken wit h an At heros card, but t he MADwifi driver appends t he Prism m onit oring header. Som e drivers have t he opt ion of enabling or disabling t he Prism header. The bot t om pane is called t he dat a view pane. I t shows t he raw binary dat a in t he select ed packet . I t also highlight s t he field select ed in t he t ree view pane. I f furt her dissect ors can be called t o decode t he fram e, t hey will be. For unencrypt ed t raffic, Et hereal can see t he Logical Link Cont rol ( LLC) header. From t here, t he LLC m ay cont ain ARP packet s, I P packet s, TCP segm ent s, and so on. Et hereal includes dissect ors for all t he com m only used prot ocols, so 802.11 fram es are fully decoded when available. However, encrypt ed fram es, such as t he one in t he figure, are present ed as opaque dat a. By select ing a field in t he t ree view pane, t he corresponding bit s are highlight ed in t he dat a view pane. I n Figure 24- 1, t he Dat a field of t he fram e is select ed, and highlight ed at t he bot t om . I prefer t o use a m onospace font so t hat t he dat a view pane at t he bot t om is present ed in colum ns. At t he t op of t he Et hereal window is a bar wit h four im port ant elem ent s. The left m ost but t on, " Filt er: " , is used t o creat e filt ers t hat reduce t he capt ured packet list t o t he packet s of int erest . The

t ext box j ust t o t he right allows you t o ent er filt ers wit hout going t hrough t he const ruct ion process. Et hereal m aint ains a filt er hist ory list t hat enables easy swit ching bet ween filt ers. At t he right is a t ext field t hat displays several kinds of inform at ion, depending on what Et hereal is doing. I t m ay indicat e t hat Et hereal is current ly capt uring dat a, display t he nam e of t he capt ure file loaded, or display t he field nam e current ly highlight ed in t he t ree view.

Capturing data Capt uring dat a is st raight forward. Go t o t he " Capt ure" m enu and choose " St art " . The Capt ure Preferences window opens. Et hereal can use any det ect ed int erface, even wireless LAN int erfaces. The first t hing t o do is select t he int erface you want t o m onit or. For wireless int erfaces, t he nam e m ay begin wit h et h, at h, or even wlan. Before st art ing t he capt ure, however, you m ust place t he int erface int o m onit or m ode. Et hereal accept s t he - i com m and- line opt ion t o specify an int erface. I f you plan t o do all of your analysis on one int erface, you can define a shell m apping of et hereal t o et hereal - i at h0 . I t ypically t urn on " Updat e list of packet s in real t im e" and " Aut om at ic scrolling in live capt ure" . I f t he form er is left unselect ed, t he t race appears only when t he capt ure st ops. I f t he lat t er is left unselect ed, t he t race does not scroll t o t he bot t om . Speed is im port ant t o real- t im e analysis. Disabling nam e resolut ion elim inat es overhead for every packet capt ured and m ay allow a st at ion t o avoid m issing fram es in t he air.

Data Reduction Raw capt ures can be quit e large, and ext raneous packet s can m ake finding wheat am ong t he chaff a challenge. One of t he keys t o successful use of a net work analyzer is t o winnow t he t orrent of packet s down t o t he few packet s at t he heart of t he m at t er. Et hereal provides t hree ways t o reduce t he am ount of dat a capt ured t o a m anageable am ount : capt ure filt ers, display filt ers, and m arking packet s.

Capture filters Capt ure filt ers are t he m ost efficient way t o cut down on t he am ount of dat a processed by Et hereal because t hey are pushed down int o t he packet sniffing int erface. I f t he packet capt ure int erface discards t he packet , t hat packet does not m ake it t o Et hereal for furt her processing. Unfort unat ely, capt ure filt ers are not t rem endously useful wit h 802.11. I f t he Prism m onit oring header is appended, capt ure filt ers cannot be applied. Et hereal uses libpcap, so t he capt ure filt er language is exact ly t he sam e as t he language used by t cpdum p. A num ber of prim it ives are available, which can be grouped int o arbit rarily long expressions. These prim it ives allow filt ering on Et hernet and I P addresses, TCP and UDP port s, and I P or Et hernet prot ocol num bers. Many can be applied t o source or dest inat ion num bers. Unfort unat ely, m ost of t he prot ocol num bers t hey apply t o are encrypt ed on m any 802.11 net works, and are t herefore not useful. 802.11 fram es carry t he Et hernet prot ocol num ber in t he LLC header, so it cannot be filt ered on easily if t he net work is encrypt ed.

Display filters Display filt ers can be used on any field t hat Et hereal ident ifies, which m akes t hem far m ore powerful t han capt ure filt ers. Display filt ers inherit t he knowledge of all t he dissect ors com piled int o Et hereal, so it is possible t o filt er on any of t he fields in any of t he prot ocols t hat Et hereal is program m ed t o recognize. Wireless LAN adm inist rat ors can filt er fram es based on anyt hing in t he 802.11 or LLC headers. Exam ples specific t o 802.11 are present ed lat er in t his chapt er.

Using Ethereal for 802.11 Analysis Several Et hereal feat ures are handy when applied t o 802.11 net works. This sect ion list s several t ips and t ricks for using Et hereal on wireless net works, in no part icular order.

Display filters Et hereal allows filt ering on all fields in t he 802.11 header. Fram e fields are st ruct ured hierarchically. All 802.11 fields begin wit h wlan. Two subcat egories hold inform at ion on t he Fram e Cont rol field ( wlan.fc) and t he WEP I nform at ion ( w lan.w ep) field. Figure 24- 2 shows t he variable nam es for 802.11 header com ponent s; in t he figure, each field is labeled wit h a dat a t ype. Boolean fields are labeled wit h a B, MAC addresses wit h MA, and unsigned int egers wit h U plus t he num ber of bit s. Table 24- 1 shows t he sam e inform at ion, om it t ing t he Et hereal display fields t hat are unlikely t o be useful for filt ering.

Figu r e 2 4 - 2 . H e a de r com pon e n t va r ia ble s

Ta ble 2 4 - 1 . Et h e r e a l fie lds for 8 0 2 .1 1 h e a de r com pon e n t s 8 0 2 .1 1 h e a de r fie ld

Et h e r e a l fie ld

Header fields Eit her source or dest inat ion address

wlan.addr

Transm it t er address

wlan.t a

Source address

wlan.sa

8 0 2 .1 1 h e a de r fie ld

Et h e r e a l fie ld

Receiver address

wlan.ra

Dest inat ion address

wlan.da

BSSI D

w lan.bssid

Fr a m e con t r ol su bfie lds Fram e t ype

wlan.fc.t ype

Fram e subt ype

wlan.fc.subt ype

ToDS flag

wlan.fc.t ods

From DS flag

wlan.fc.from ds

Ret ry flag

wlan.fc.ret ry

Prot ect ed fram e ( WEP) flag

wlan.fc.wep

Pr ot e ct ion fie lds WEP I nit ializat ion vect or

w lan.w ep.iv

TKI P I V

wlan.t kip.ext iv

CCMP I V

wlan.ccm p.ext iv

Key ident ifier

wlan.wep.key

Fields can be com bined using operat ors. Et hereal support s a st andard set of com parison operat ors: == for equalit y, != for inequalit y, > for great er t han, >= for great er t han or equal t o, < for less t han, and