CS4/MSc Computer Networking · PLCP preamble LLC PDU MAC MAC SDU header CRC PLCP header PLCP PDU...
37
CS4/MSc Computer Networking Lecture 12: Wireless Local Area Networks
Transcript of CS4/MSc Computer Networking · PLCP preamble LLC PDU MAC MAC SDU header CRC PLCP header PLCP PDU...
CS4/MScComputer Networking
Lecture 12:
Wireless Local Area Networks
2
Wireless Networking – Motivation
• Mobility– Connect from anywhere, anytime, on the move
– Wi-fi hotspots beginning to proliferate
» coffee shops, airports, hotels etc.
• Flexibility– Ad hoc networks whenever and wherever required
» meetings, multi-user networked games
– Home networks
» homes increasingly have multiple PCs with one Internet connection
• Costs– No fixed wiring
» may be difficult and expensive unless buildings designed for the purpose
– Cheap wireless interface cards and access points
3
• Radio and infra-red transmissions susceptible to noise and interference– not as reliable as wired transmission
• Strength of radio transmission varies in time and space– fading effects from multipath propagation
– uneven propagation due to physical barriers and geographic topography
• Radio transmissions can be intercepted by eavesdroppers– difficult to restrict transmissions to a specific area
• Radio spectrum is finite and must be shared with other users– your neighbour’s home wi-fi network
– competing WLAN standards e.g. Bluetooth v. 802.11, in 2.5GHz range
• Difficult to provide the high transmission speeds that are easy with wires– e.g. Gigabit wired ethernet
• Allocation of spectrum by national and international authorities – ITU, FCC etc.
– agreement often difficult; designing products for a global market difficult
Wireless Networking – Challenges
4
• Connections maintained over large geographical areas
– multiple antenna sites and cells or satellite systems
– automatic hand-off between adjacent cells for mobility
– international roaming between compatible systems
• Generations of systems
– 1G systems (analogue) : TACS (UK), AMPS (USA)
– 2G systems (digital) : GSM (Europe), TDMA (USA)
– 2½G systems : GPRS (Europe), EDGE
– 3G systems : UMTS (Europe), CDMA 2000 (USA), TD-SCDMA (China)
• Private as well as public networks
– E.g. GSM-R for railways – signalling, control & communications
Wireless Network Types – Wide Area Networks (WWAN)
5
• Wireless connections between multiple locations within a metro. area– e.g. multiple office buildings, a University campus etc.
• Backups for wired networks
• Radio or infra-red transmission
• Technologies:– Multichannel Multipoint Distribution Service (MMDS)
» 2 – 10GHz range, 30 miles radius, line-of-sight
– Local Multipoint Distribution Services (LMDS)» 24 - 40GHz range, 2 - 3 miles radius, line-of-sight
– IEEE 802.16» working group set up to establish standards for broadband wireless access» 10 – 66GHz range» Demand Assignment Multiple Access-Time Division Multiple Access (DAMA-TDMA)
Wireless Network Types – Metropolitan Area Networks (WMAN)
6
• Communications within a local area– within a corporate or campus building, public spaces – coffee shops, airports etc.
– 25m – 250m, farther outside than inside, speed decreasing with distance
• where wiring would be difficult or expensive– to supplement an existing LAN
• to create possibly temporary ad hoc networks– in a meeting room
• to facilitate mobility– laptops ubiquitous for `road warriers’
• IEEE standardisation: 802.11
Wireless Network Types – Local Area Networks (WLAN)
7
• Ad hoc communications within a personal operating space– e.g. PDAs, mobile phones, laptops, headsets, GPS navigators, printers etc.
• A cable replacement technology
• Technologies:– Infra-Red
– Bluetooth (IEEE 802.15.1)
– ZigBee (IEEE 802.15.4)
Wireless Network Types – Personal Area Networks (WPAN)
8
Wireless Local Area Networks – IEEE 802.11
• Local Area Networks:– Private ownership
» freedom from regulatory constraints of WANs– Short distance (~1km) between computers
» low cost» very high-speed, relatively error-free communication» complex error control unnecessary
– Machines are constantly moved» Keeping track of location of computers a chore» Simply give each machine a unique address» Flat address structure» Broadcast all messages to all machines in the LAN
– Need a medium access control protocol
• 802.11 is one of the IEEE 802 local area network standards– A number of variations exist
9
IEEE 802.11 Building Block – Basic Service Set (BSS)
• A group of stations that coordinate their access to the medium• Co-located and unrelated BSS’s can co-exist simultaneously
– via different channels
• Stations intercommunicate within a Basic Service Area (BSA)– analogous to a mobile phone cell– size depending on situation and conditions e.g. indoors v. outdoors
• Two cases– Infrastructure mode– Independent – ad hoc
A C
B D
10
• Independent Basic Service Set– A single BSS can form an ad hoc network
– No fixed infrastructure (access point)
– Typically temporary» can be formed spontaneously and disbanded
after a limited period of time
– Stations need to be in range of each otherto communicate
• Basic Service Set in infrastructure mode – has an Access Point (AP) or Base Station
» to provide a local bridge between stations
– stations communicate via the Access Point in PCF mode» all frames go via the access point» stations do not all need to be in range of each other, just in range of the
access point– communicate directly with each other in DCF mode
A CB
AP
A C
B D
BSS types
11
• A set of infrastructure Basic Service Sets
• Access Points communicate amongst themselves to forward trafficfrom one BSS to another
• Allows movement of stations between BSSs
• Allows access to other networks through portals which connect to other 802 LANs
• ESS appears as single BSS to LLC sublayer
Extended Service Set (ESS)
A2
A1
AP1
BSS AB2
B1AP2
BSS B
Distribution SystemServer Gateway tothe InternetPortal
Portal
12
LAN layers (IEEE 802)
Data linklayer
802.3CSMA-CD
802.5Token Ring
802.2 Logical link control
Physicallayer
MAC
LLC
802.11Wireless
LAN
Network layer Network layer
Physicallayer
OSIIEEE 802
Various physical layers
OtherLANs
13
• Difficult to detect collisions in a radio environment– radios normally half-duplex: either transmit or receive – not both simultaneously– transmit power orders of magnitude greater than receive power
• therefore not possible to abort transmissions that collide– The whole frame time is wasted
• Collisions may not happen at transmitter – the hidden station problem:– two stations both within range of an intermediate station but not of each other– either one cannot hear the transmissions of the other
» so think the channel is idle when the other station is using it» signals may collide at the intermediate station
Data Frame Data FrameAB
C
MAC sublayer: why not use wireless Ethernet (CSMA-CD)?
14
• A station wishing to transmit always senses the medium before it starts– If the medium is busy, the station defers its transmission
– Politeness: no need to destroy other station’s transmission
• When a packet (MPDU) is to be transmitted– Wait for medium to go quiet
– Choose a random extra time to wait
– When the time expires and medium is idle, transmit
– Different stations will select different back-off times, so collisions are avoided
• An ACK is sent for every correctly received packet– A received ACK indicates no collision occurred
– There is no other way of knowing about collisions
MAC sublayer: Collision Avoidance (CSMA-CA)
15
CSMA-CA: Overcoming the hidden station problem
RTSA requests to send
B
C
CTS CTS
A
B
C
B announces A ok to send
Data Frame
A sends
B
C remains quiet
16
• Contention Service: Best effort
• Contention-Free Service: time-bounded transfer
• MAC can alternate between Contention Periods (CPs) & Contention-Free Periods (CFPs)
• MAC also performs fragmentation & reassembly (stop&wait)
Physical
Distribution coordination function(CSMA-CA)
Point coordinationfunction
Contention-free service
Contention service
MAC
MSDUs MSDUs
MAC Services
17
• All stations must wait an Interframe Space (IFS) time
• High-Priority frames wait Short IFS (SIFS)– Typically to complete the exchange in progress
» Only one station can transmit at this time
– ACKs, CTS, data frames of segmented MSDU, etc.
– SIFS calculated to give time for transmitter to switch back to receive mode
• PCF IFS (PIFS) to initiate Contention-Free Periods– used by the base station to gain access to the medium
• DCF IFS (DIFS) to transmit data
DIFS DIFSPIFSSIFS
Contentionwindow
Next frame
Defer access Wait for reattempt time
Time
Busy medium
Distributed Coordination Function
18
• Wait for medium to be idle for a DIFS period
• Choose a random number 0–n of time-slots as the back-off time – For each idle slot, decrement the counter
– For busy slots, freeze the counter
• When the counter becomes 0, transmit– If transmission fails (ack not received), n is doubled (exponential back-off)
• Must be executed :– after each retransmission
– after a successful transmission
medium busy
SIFSPIFS
DIFS
next frame
slot-time
contention window
slot-time defined so that a station can always determine if another station has access the medium at the beginning of the previous slot
Back-Off Procedure
19
• A MAC field tells other stations how long the medium will be used for
• Stations receiving data or RTS or CTS set their Virtual Carrier Sense indicator (NAV or Network Allocation Vector) for the given duration
– use this information with physical carrier sense when sensing the medium
RTS
CTS ACK
NAV
NAV
dataA
B
C
D
Virtual Carrier Sensing
DataDIFS
SIFS
Defer Access
ACK
NAV
Source
Destination
OtherA
BDC
20
• Provides contention-free service through polling
• Point Coordinator (access point) polls other stations asking if they have any frames to send
Point Coordination Function (PCF)
CF End
NAV
PIFS
B D1 + Poll
SIFS
U 1 + ACK
D2+Ack+Poll
SIFS SIFS
U 2 + ACK
SIFS SIFS
Contention-free repetition interval
Contention period
CF_Max_duration
Reset NAV
D1, D2 = frame sent by point coordinatorU1, U2 = frame sent by polled stationTBTT = target beacon transmission timeB = beacon frame
TBTT
21
– Frame types: control, management, data
– Each type has a number of subtypes, e.g. Control: RTS, CTS, ACK
– To, From: determine what the 4 address fields stand for
– More frag: more fragments yet to follow
– Retry: retransmission of previous failed transmissions
– WEP (Wired Equivalent Privacy): set when information has been encrypted
– Sequence: 16 bit sequence number of a fragment» 12 bits to identify the frame» 4 bits to identify the fragment
MAC frame format
Address2
FrameControl
Duration/ID
Address1
Address3
Sequencecontrol
Address4
Framebody CRC
Protocolversion Type Subtype To
DSFromDS
Morefrag Retry Pwr
mgtMoredata WEP Rsvd
2 2 6 6 6 2 6 0-2312 4
2 2
MAC header (bytes)
4 1 1 1 1 1 1 1 1
22
Physicallayer
LLC
Physical layerconvergence
procedure
Physical mediumdependent
MAClayer
PLCPpreamble
LLC PDU
MAC SDUMACheader CRC
PLCPheader PLCP PDU
Physical Layers
• Physical layer split into 2 sub-layers– Physical Layer Convergence Procedure (PLCP) sub-layer
– Physical Medium Dependent (PMD) sub-layer
• PLCP adds– Preample – synchronisation, framing
– Header – bit rate and other settings, CRC
– Different for each 802.11 physical layer
23
• The only 802.11 physical layer using (infrared) light– 0.85µ to 0.95µ wavelength, diffused
• Signal contained by walls, windows– Not operational outdoors
– No interference with networks in other rooms
– Range < 20m
• Pulse position modulation (PPM)– Essentially one-hot encoding
– Slot time is 250ns
– 1Mbps : 4 bit group encoded to 16 bits – 15 zeroes and 1 one
– 2Mbps : 2 bit group encoded to 4 bits – 3 zeroes and 1 one
802.11 Infrared physical layer
24
Spread-Spectrum Communication
• Most of radio spectrum is regulated and licenses are required to use it
• Some bands are left unregulated – 915MHz (902-928)
– 2.4GHz (2.4-2.483)
– 5GHz (5.725-5.825)
• Equipment using these bands must transmit at low power
• Spread-spectrum: increase the bandwidth of the transmitted signal by modulating it using a pseudorandom, spreading code
• This waste of bandwidth has advantages:– Immunity from noise, multipath fading, jamming
– Security – Knowledge of the spreading code is essential to decode the signal
– Several users can use the same frequency without interference
• Two main types: Frequency hoping and Direct Sequence
25
• FHSS hops between frequencies in pseudorandom sequence– All stations need to be synchronised, know the (initial) sequence and the dwell time, the time spent at each frequency
– Limited security – eavesdropper needs to know hop sequence and dwell time
802.11 Frequency Hopping Spread Spectrum (FHSS)
– Available rates: 1Mbps and 2Mbps
– Header always transmitted at 1Mbps, a bit field indicates the rate of the data part of the frame
• 802.11 FHSS physical layer– Uses 79 channels at 2.4GHz band, each 1MHz wide
– Standard defines 78 hopping patterns (3 groups of 26)
– 26 networks can be collocated and operate simultaneously
26
• DSSS transmits a sequence of chips for each information bit
802.11 Direct Sequence Spread Spectrum (DSSS)
11-chip Barker sequence: +1 +1 +1
-1+1 +1+1
-1 -1-1-1To transmit +1, send:
To transmit -1 (0), send:
11 symbol times
+1 +1 +1-1
+1 +1+1-1 -1 -1-1
-1 -1 -1+1
-1 -1 -1+1 +1+1+1
11-chip Barker sequence: +1 +1 +1
-1+1 +1+1
-1 -1-1-1To transmit +1, send:
To transmit -1 (0), send:
11 symbol times
+1 +1 +1-1
+1 +1+1-1 -1 -1-1
-1 -1 -1+1
-1 -1 -1+1 +1+1+1
• The 802.11 DSSS physical layer operates at the 2.4GHz band– A number of overlapping 30MHz channels are defined
– Up to 3 networks can be collocated on non-overlapping channels
– Available rates:» 1Mbps uses Binary Phase Shift Keying modulation (BPSK)» 2Mbps uses Quadrature Phase Shift Keying modulation (QPSK)
27
• Uses orthogonal frequency division multiplexing (OFDM)– Multiple carrier signals at different frequencies
– Similar to FDM but all subchannels dedicated to single source
– ADSL also uses OFDM
• Operates at 5GHz band– Shorter range than 2.4GHz
– Few other systems operate at 5GHz, little interference for now
– 52 frequencies : 48 for data and 4 for synchronisation
• Up to 12 non-overlapping channels available (depends on the country)
• Maximum rate 54Mbps, range of lower rates available– phase-shift keying up to 18Mbps
– quadrature amplitude modulation for higher rates
802.11a
28
• Extension of DSSS physical layer of 802.11– Commonly called WiFi
• 1Mbps, 2Mbps, 5.5Mbps and 11Mbps rates supported– Low speeds (1,2Mbps) use DSSS
– Higher speeds use Complementary Code Keying (CCK)
• Up to 3 non-overlapping channels available (depends on the country)– 14 overlapping channels defined
802.11g• Uses OFDM (as 802.11a) at the 2.4GHz band
• Maximum rate is 54Mbps
• Backwards compatible with 802.11b– If a single 802.11b station is present in the BSS, the rate drops
• Channel availability as for 802.11b
802.11b / 802.11g
29
802.11n• Uses multiple antennas for both AP and mobile stations
• Rates above 100Mbps– Up to ~600Mbps with 4 antennas
– “pre-n” products already available
802.11e• Defines QoS mechanisms for wireless networks
• Not a physical layer extension
• Extend DCF, PCF to differentiate between traffic types
• Enhanced DCF (EDCF) has 8 traffic categories with different IFS times
Forthcoming 802.11 extensions
30
• Distribution services – manage BSS membership– Association – connection to an AP
– Disassociation – disconnection
– Reassociation – change AP
– Distribution – how frames sent to AP are routed to the destination
– Integration – handles connection to other networks
• Station services– Authentication
– Deauthentication
– Privacy – encryption
– Data delivery
The 9 services of 802.11
31
• A station needs to know the SSID of the network it wants to join– SSID : Service Set Identifier – the network’s name– keeping this private offers security against naïve attacks
» SSID broadcast by default in beacon frames and these can be intercepted
• A station needs to get synchronisation information from the base station– by passive scanning: look for beacon frame from the base station– by active scanning: transmits a probe request frame and waits for a probe response frame
• Choice of active or passive up to the station itself
• Station sends an association request (identity, capabilities)• The AP accepts or rejects the request
• Once associated the station must be authenticated before it can transmit or receive data
Joining a BSS - Association
32
• The AP and the station perform mutual authentication– Prevent unauthorised users to access the network– Prevent users from connecting to “rogue” APs
• Authentication process:– Station sends an authentication frame– MAC address filtering:
» if the facility is enabled, the AP looks up MAC address is in its “guest list”
– Open Authentication:» Minimal authentication – just MAC filtering
– Shared Key Authentication:» AP creates an authentication frame containing random challenge text» joining station encrypts the frame with its pre-shared key and sends it back» AP decrypts the frame and checks that the text is correct
Joining a BSS - Authentication
33
• Same security issues face wired LANs as wireless LANs– Unauthorised access and eavesdropping
– Threats to physical security of network e.g. denial of service, sabotage
– Attacks from within an organisation’s authorised user community» e.g. disgruntled current and former employees
• In wireless LANs passive eavesdropping is very easy – Radio waves may be received at ranges beyond the control of thehost organisation, no need to be inside a controlled area
– LAN adapters offer a promiscuous mode every packet can be captured » both wired and wireless
• Wired Equivalent Privacy (WEP)– The 802.11 original security scheme. Proved easy to break
• Wi-Fi Protected Access (WPA)
• WPA2 – full implementation of the 802.11i security upgrade
Security in Wireless LANs
34
• A 40-bit secret key is pre-agreed and pre-shared by the network stations
• A 24-bit Initialisation Vector (IV) is concatenated with secret key– normally a random value but sometimes just successive integer values
• Resulting key is input into the Pseudo-Random Number Generator– using the RC4 algorithm
• Integrity Check Value (ICV) – CRC-32 over the message plaintext
• Plain text, ICV encrypted with key sequence using bitwise XOR
• IV communicated to the peer by placing it, in clear, before the cipher text
WEP encryption
35
• Key Management– synchronising change of keys is tedious and difficult
» keys therefore will tend to be long-lived» probably one single key shared between every station on the network
• Key Size: 40-bit key size is now vulnerable to brute-force attack
• Initialisation Vector reuse – IV is too small, so it is reused frequently– if the key sequence for a given IV is found, an attacker can decrypt subsequent packets that were encrypted with the same IV
– To discover the key sequence, send packets to the station and observe the wireless transmissions, because the content of the packet is known, the key sequence can be deduced
• The use of CRC-32 to produce the Integrity Check Value (ICV) is not appropriate
– Attacker can modify encrypted packet and fix up ICV to be correct
– biggest weakness is that ICV-based attacks are independent of key size
• WEP use of RC4 has known weak keys
• WEP authentication messages can be forged easily
Security Weaknesses of WEP
36
• Temporal Key Integrity Protocol (TKIP) for encryption – Key size is 128 bits
– Keys dynamically generated and distributed by the authentication server
– Key hierarchy and management system, dynamically generates unique data encryption keys to encrypt every data packet
– Message Integrity Check (MIC) greatly improves ICV
• Two flavours for authentication:– Enterprise: uses 802.1X / Extensible Authentication Protocol (EAP)
» Requires the use of an authentication server in the network» E.g. Remote Authentication Dial-In User Service (RADIUS)
– Personal: uses a pre-shared key (common password)
• WPA2 improves the encryption engine by replacing RC4 with AES (Advanced Encryption Standard)
– Implements full 802.11i security update
• Hardware support is needed to handle the higher complexity of the algorithm without suffering a significant speed loss
WiFi Protected Access (WPA)
37
• LGW 6.10
• Tanenbaum 1.1.3, 1.2.4, 4.4
• Stallings 17, 9 (spread spectrum)
Reading
