Rev. 14.0 © dBrn Associates, Inc. 2006

The (New) Basics of Wireless LANs

Michael F. FinnerandBrn Associates, Inc.(516) 569-4557Mfinneran@att.net

2

What We’ll Cover …

• This mini-tutorial offers an overview WLANs, and what’s required to make them work for voice.

• It will cover the most important terms and technologies, including key elements of radio frequency (RF) engineering and the 802.11 wireless LAN (WLAN) standards.

• Explain how the inherent limitations affect voice quality over WLANs.

3

Key Questions…

• What are the key issues around coverage, channel capacity, interference, bandwidth and powering for WLANs and wireless voice?

• What must be done to deliver acceptable-quality voice over a WLAN?

• How much WLAN security is achievable? How much is enough?

• What has to happen for WLANs and cellular networks to interwork?

4

Session Outline

1. State of the WLAN Market2. Security Issues3. WLAN Infrastructure

Capacity/Quality of ServiceHandoffsManagement

4. VoWLAN HandsetsProprietarySIP-basedWLAN/Cellular Options

5. Planning Recommendations

Rev. 14.0 © dBrn Associates, Inc. 2006

Section 1

State of the WLAN Market

6

State of the Market

• WLAN Equipment Sales topped $2.87 Billion in 2005Growth rates vary by segment but average around 15%The market for WLAN switches is growing more than 30%There are roughly 60 million 802.11-compatible devices in use, though less than 1% of those are voice devices

• Consumer/Small Office Segment:In 1Q05, SOHO/Consumer sales still represented 51% of the WLAN equipment market

• Enterprise Segment:Large organizations are now moving to pervasive WLAN coverageAs they do, the trend is away from standalone access points to centrally controlled Wireless LAN switches

7

VoWLAN Architecture Options

• Shared NetworkVoice and data users share the same WLANCheapest to deploy, but requires QoS to prioritize voice

• Dual Overlay NetworkBuild separate WLANs for voice and data

A 2.4 GHz b/g network for data users (legacy)A 5 GHz a network for voice users

No interference between the two networksDual channel access points help reduce the costDifferent radio coverage plans required for 2.4 GHz versus 5 GHz signal loss

Rev. 14.0 © dBrn Associates, Inc. 2006

Section 2

Security Issues

9

Wi-Fi Security

• Security is the most often cited reason why enterprise customers defer the installation of wireless LANs

• Three generations of WLAN security:Pre-Security:

Wired Equivalent Privacy (WEP) is badly flawed and should not be used as the sole means of protecting a networkThe VLAN/VPN security “work around” is still widely used-

… It is not an option for voice!Current Best Practices:

Wi-Fi Protected Access (WPA) for privacy using TKIPIEEE 802.1x Authentication (Extensible Authentication Protocol)

Emerging Security Solutions:IEEE 802.11i privacy based on the Advanced Encryption StandardRequires a hardware upgrade so most client devices will not be upgradeable (some APs have the required hardware and only need new firmware)Beginning in '06, new Wi-Fi Certified devices must have 802.11i

10

Major Areas of WLAN Security Exposure

• Radio LeakageWLAN networks often provide excellent coverage in the parking lotExposure for eavesdropping and unauthorized network access

• Clear Text HeadersWhile the content of a WLAN frame may be encrypted, the header fields are sent in the clearHackers get a head start on strategies like MAC spoofing

• Denial of ServiceAttacks on the WLAN association protocols (not to mention "Radio Jamming") can be added to the list of DoS strategies

• WLAN hacking tools are readily available:NetStumbler (www.netstumbler.com): Locates NetworksAirSnort (www.airsnort.shmoo.com): Cracks WEP KeysPringles Antenna (www.arwain.net/evan/pringles.htm): Improves receptionVOMIT Voice Decoder (http://vomit.xtdnet.nl/)

11

Special Challenges for WLAN Voice

• Many existing handsets can only support WEPMonitoring phone calls would be a relatively simple matter

• Unauthorized access can allow for toll fraudHackers could make calls on your account

• The requirement to support for legacy devices can limit your available options

Many early devices like bar code scanners are not upgradeable to WPA, much less WPA2Using multiple virtual APs (i.e. Virtual WLANs) on the same radio channel may address the problemCompatibility with the installed base is not an issue if a separate WLAN is deployed for voice

12

Security Conclusion

• WLAN security tools are more than adequate if we use strong 802.1x authentication and 802.11i/WPA2

• WPA is also an acceptable solution, though many enterprise users have bypassed it based on its use of RC4-based encryption

• Existing VoWLAN handsets are a generation behind in security, but the new generation handsets should incorporate the necessary security features

• We still face the same range of threats as with other WLAN and VoIP solutions

Rev. 14.0 © dBrn Associates, Inc. 2006

Section 3

WLAN Infrastructure

14

Infrastructure Issues

• Management: WLAN Switch Configuration

• Capacity: Radio Link Options- 802.11b, g, a, and n

• Quality of Service:802.11eProprietary QoS Solutions

• Handoffs802.11rProprietary Solutions

15

Network Issues for VoWLAN

Shared Media LANs are not recommended for voiceChannel sharing inevitably introduces variable delay into the path-

“Non-isochronous” service

Major Issues in WLAN Voice:1. Capacity/Quality of Service

Impacts latency and the incidence of dropped packets2. Hand-off Capability

Required Timeframe: 50 msec or less3. Security

Typically a generation behind data devices4. Battery Life

16

A large-scale wireless LAN is essentially an indoor cellular network.

Traditional WLAN Problems:1. Network Layout:

Manual site planning required to insure capacity and coverage2. Channel Assignment:

Channel assignment and manual power adjustment needed to insure coverage while limiting co-channel interference

3. Security:Defined in each access point creating a security exposure if

an access point is stolen.4. Hand-off Capability

Far too slow for voice applications5. Detecting Rogue/Malicious APs and Ad Hoc Networks:

Requires RF monitoring system (e.g. AirDefense, AirMagnet) or periodic manual sweep with a test set

Wireless LAN Switches

WLAN switches were designed to address the requirements of large-scale, enterprise-grade wireless LANs

17

LAN Switch

“Thin”Access Point

WirelessLAN Controller

Wireless LAN Controller:Centralize the security and network management functions and use a relatively “dumb” access point(Cisco also has a controller [WLSM] for its "fat" Aironet APs)

“Thin”Access Point

Wireless LAN Switch Solution

Client device associates with the central controller

18

• RF Management/Power AdjustmentAutomatically selects channels and adjusts power levels on installation or when new cells are added to the networkGreatly simplifies site survey and RF coverage planning

• Centralize Authentication and EncryptionUsers associate with the switch rather than the access pointStealing a Thin AP creates no security vulnerabilitySome can control remote office or home APs as well

• Hand-off CapabilityUser connections can be handed-off from one access point to another in <50 msec

• Rogue/Spoofed Access Point DetectionThe WLAN switch will recognize any transmissions that are not from its access pointsSome will launch attacks to disable them

• Rogue/Spoofed Access Point LocationMost products provide tools to assist in locating rogues

Wireless LAN Switch Capabilities

19

Major Vendors (Alphabetical Order)

• Aruba- www.arubanetworks.com• Cisco (Airespace Product Line)- www.cisco.com• Meru Networks- www. merunetworks.com• Siemens: http://communications.usa.siemens.com/home.html• Trapeze- www.trapezenetworks.com• Xirrus- www.xirrus.com

20

IEEE 802.11 Radio Link Specifications

Channels are half-duplex, shared media, and operate in the 2.4 G or 5 GHz unlicensed bands (no protection from interference)

Standard802.11b

802.11g

802.11a

802.11n

ModulationDSSS

OFDM

OFDM

OFDM

Max Rate11 Mbps

54 Mbps

54 Mbps

289 Mbps(20 MHz)

Channels3

3

23

26

Band2.4 GHz

2.4 GHz

5 GHz

2.4 & 5 GHz

LicensedNo

No

No

No

• Cellular Configuration: Each standard supports a number of independent, non-interfering channels

All users in range of the access point share one radio channelChannels cannot be reused in adjacent cellsData rate declines with distance, obstructions, and interference

21

Shared 802.11b/g Networks

• Good News:802.11b and g users can share a single network

• Bad News:When a single 802.11b device joins the network, all 802.11g devices shift to the RTS/CTS transmission mode reducing throughput for g devices by 50%802.11b users operate at a lower rate and will take longer to send frames802.11g devices must use the longer waiting intervals and back-off ranges defined for 802.11b

• The Fix:The fastest performance improvement in WLANs is to get rid of all legacy 802.11b devices

22

Pro's and Con's for 802.11a

• Number of Channels:The biggest factor in favor of 802.11a is that the 5 GHz band provides 23 channels versus 3 for the 2.4 GHz band, greatly simplifying channel assignment High capacity enterprise WLANs, particularly those supporting voice, will likely migrate to 802.11a Dual overlay network: A "b/g" network for data and an "a" network for voice

• Range/Network Layout: Higher frequency 5 GHz radio signals lose more power, and have poorer wall penetration so more access points will be neededThe 802.11a devices do transmit at a higher level, partially offsetting those factors

• Interference:For the moment there are fewer interference sources in the 5 GHz band, but that advantage will likely disappear over time

• Cost: There is a 15% to 20% premium for 802.11a today, but that is declining while equipment availability is improving

• Installed Base: 802.11b represents the vast majority of the installed base and most current NICs combine 802.11b and g, not b and a.

23

802.11n- Multiple Input-Multiple Output (MIMO)

• Major development in radio systems to improve rate, range and reliability (The "3-R's")Bit stream is divided into multiple (up to 4 in 802.11n) transmit "chains" Separate antennas used to send each transmit signal; all operate in the same radio bandwidth!Multiple receive antennas capture each transmit chain and combine the received power. The individual transmit chains can be identified by the unique radio "fingerprint" (i.e. spatial diversity")Complex receive signal processing is now becoming cost effective!

RadioTransmitter

Switch

or

Antenna Diversity

RadioTransmitter

MIMO System

RadioTransmitter

RadioReceiver

RadioReceiver

Processor

24

802.11n Modulation/Coding Options802.11n Data Rates in 20 MHz Channel

Data Rate (Mbps)1 Stream 2 Streams 3 Streams 4 StreamsModulation FEC

800ns 400ns 800ns 400ns 800ns 400ns 800ns 400nsBPSK 1/2 6.5 7.2 13.0 14.44 19.5 21.7 26.0 28.9QPSK 1/2 13.0 14.4 26.0 28.89 39.0 43.3 52.0 57.8QPSK 3/4 19.5 21.7 39.0 43.33 58.5 65.0 78.0 86.7

16-QAM 1/2 26.0 28.9 52.0 57.78 78.0 86.7 104.0 115.616-QAM 3/4 39.0 43.3 78.0 86.67 117.0 130.0 156.0 173.364-QAM 2/3 52.0 57.8 104.0 115.56 156.0 173.3 208.0 231.164-QAM 3/4 58.5 65.0 117.0 130.00 175.5 195.0 234.0 260.064-QAM 5/6 65.0 72.2 130.0 144.44 195.0 216.7 260.0 288.9

802.11n Data Rates in 40 MHz ChannelData Rate (Mbps)

1 Stream 2 Streams 3 Streams 4 StreamsModulation FEC800ns 400ns 800ns 400ns 800ns 400ns 800ns 400ns

BPSK 1/2 13.5 15.0 27.0 30.0 40.5 45.0 54.0 60.0QPSK 1/2 27.0 30.0 54.0 60.0 81.0 90.0 108.0 120.0QPSK 3/4 40.5 45.0 81.0 90.0 121.5 135.0 162.0 180.0

16-QAM 1/2 54.0 60.0 108.0 120.0 162.0 180.0 216.0 240.016-QAM 3/4 81.0 90.0 162.0 180.0 243.0 270.0 324.0 360.064-QAM 2/3 108.0 120.0 216.0 240.0 324.0 360.0 432.0 480.064-QAM 3/4 121.5 135.0 243.0 270.0 364.5 405.0 486.0 540.064-QAM 5/6 135.0 150.0 270.0 300.0 405.0 450.0 540.0 600.0

The 802.11n Standard is scheduled to be ratified in September 2007, but upgrading to 802.11n will require new hardware (APs and NICs)

25

WLAN Quality of Service- IEEE 802.11e

IEEE 802.11e, a new MAC protocol option to provide WLAN Quality of Service (QoS) capabilities

Two options:1. Enhanced Distributed Control Access (EDCA)

2. Hybrid Controlled Channel Access (HCCA)

• Wi-Fi Certification BeginningWi-Fi Multimedia (WMM) was the Wi-Fi Alliance's short-term fix

• Backwards compatible with existing devices and should require only a software upgrade

26

Option 1: Enhanced Distributed Control Access (EDCA)

Enhanced Distributed Control Access (EDCA):The most likely implementation of 802.11eContention-based protocol with 4-level priority ("Access Categories")

VoiceVideoBest Effort (Same priority as current WLAN traffic)Background Data

Provides priority channel access, not consistent delayArbitrated Inter-Frame Spacing (AIFS): Shorter Inter-frame spacing and back-off range (CWmin and CWmax) for higher priority stations

• StreamingThe ability for a voice device to send all of the packets constituting a speech burst before relinquishing the channel

• EDCA Result: Priority Access, Not Consistent DelayWith EDCA, voice and video transmitters have higher-priority access to the shared channel…but, all voice users are vying for the channel with the same priority

27

Option 2: HCF Controlled Channel Access (HCCA)

• Hybrid Controlled Channel Access- (HCCA)HCF defines a mechanism to support isochronous serviceThe AP takes control of the network by broadcasting a message that causes all stations to set their NAVs (waiting timers). At other times stations use EDCA access.Some enhancements over PCF:

Stations will have a profile defining their requirements for bandwidth, latency, and jitter (TSpec)The AP will reply with a”Busy Signal” if it cannot meet the profileDuring that reserved contention-free period, the AP polls stations that require time-sensitive serviceBackwards compatibility may be a problem as older APs will have to respond with a “Service Not Available” message when a client requests Polled Service.

28

Meru Networks' QoS Solution

• Meru Networks- Contention ManagementUsing the NAV timer capability, the Meru WLAN switch can cause client devices to transmit in specific time slots

By reducing collisions, they can support 30 simultaneous voice conversations on an 802.11b networkThe network uses a special configuration of overlapping AP coverage areas

Source: Meru Networks

29

WLANs Impact on Latency

• Network Latency has been the major complaint with packet voice systems

• Requirement: One-way latency <150 msec

Hardwired IPG.711 (64 K)G.729A (8 K)

WLANG.711 (64 K)G.729A (8 K)

Difference

AlcatelOMNI PCX

57 msec42 msec

81 msec87 msec

24-45 msec

AvayaS8700/G650

67 msec76 msec

92 msec89 msec

13-25 msec

CiscoIP Com Sys

54 msec71 msec

90 msec92 msec

21-36 msec

SiemensHiPath 4000

54 msec81 msec

N/AN/A

--

ShoreTelShoreTel5

47 msec55 msec

N/AN/A

--

Source:Miercom, Business Communications ReviewJanuary 2005

30

Hand-off Options

Voice devices will be far more mobile than data devices, so the ability to hand-off calls between APs will be critical

• IEEE 802.11rDeveloping standard for fast, secure WLAN handoffsStandard not expected before late-2006!!

• Vendor Proprietary Options- WLAN SwitchMost WLAN switches can provide fast (<50 msec), secure handoffsTypically use a Pre-Authentication mechanism that eliminates the traditional reassociation processWe may loath vendor-proprietary solutions, but this is the only available option in the near term

31

Voice Capacity Considerations

• A significant portion of the transmission time is taken up waiting or sending control messages

• What About Voice?Voice channels supported:

6- to 8- simultaneous calls on an 11 Mbps channel20 simultaneous calls on a 54 Mbps channel

• Impact of 802.11e QoSNot more calls, just "better" calls

• Call access control, neighbor reporting, and load balancing will also be required to insure adequate performance

If the network can only support 8 simultaneous calls and you let 12 calls get set-up, you don't get 8 "good ones" and 4 "bad ones"You get 12 "bad ones"!

• WLANs also increase transit delay by 20- to 40-msec

Rev. 14.0 © dBrn Associates, Inc. 2006

Section 4

VoWLAN Handsets

33

Section Outline

• Major TypesProprietarySIP-basedWLAN/Cellular Options

• Required Features• Other Issues

Form FactorBattery Life

34

Standard VoWLAN Configuration

• Proprietary VoWLAN Handsets: Cisco, SpectraLink, Siemens, RIM, Vocera• Server/Gateway: Manages connections for VoWLAN Handsets• Wireless LAN: WLAN Infrastructure described earlier

Access Points

VoWLAN ServerIP TelephonyServer

WiredIP Telephones

802.11 EquippedHandsets

35

SIP-based VoWLAN Configuration

• SIP-compatible VoWLAN Handsets• SIP Server• Wireless LAN

Access Points

SIP Server

WiredIP Telephones

802.11 EquippedHandsets

36

• Cisco: 7920

• RIM BlackberryBlackberry 7270

• Spectralink:NetLink e340- General OfficeNetLink h340- HealthcareNetLink i640- Ruggedized

• SiemensoptiPoint WL1optiPoint WL2

• VoceraCommunications Badge

• Prices start at around $350

SpectraLink H340

Vocera Communications Badge

Siemens optiPoint WL2

Voice over WLAN Handsets

37

VoWLAN Handset Comparison

Cisco7920

802.11b

G.711G.729A

WEP/WPA

802.1x LEAP

Blackberry7270

802.11b

G.711

WEP

802.1x LEAP

SpectraLinke340

802.11b

G.711G.729A

WPA/WEP

802.1x LEAP

SiemensoptiPoint WL2

802.11b/g

G.711G.729A/723

WEP/WPA

802.1x LEAPEAP-TLS

VoceraComms Badge

802.11b

G.711Prop. 8K

WEP

802.1x LEAP

WLAN

VoiceCoding

Encryption

Authen-tication

38

Required Features

• What to look for in buying VoWLAN handsets:Radio Link: 802.11 a (802.11g as a minimum)Security: 802.11i/WPA2 (WPA as a minimum)Quality of Service: 802.11e QoS (EDCA as a minimum)Battery Life: WMM Power Save Control: Call access control and AP load sharing capabilitiesMonitoring and Maintenance: Tools to recognize capacity problems and provide fast, accurate troubleshooting

39

Form Factor

• Most VoWLAN handsets are ugly!• In dealing with lower-level personnel (e.g. nurses,

warehouse personnel, etc.), handset appearance is not a factor

• As VoWLAN moves up the organizational chart, we'll need something better:

Flip phonesIntegrated WLAN/Cellular HandsetsHeadsets: Wired and BluetoothSmart phones/PDA Phones

40

Battery Life- WMM Power Save Function

• Wi-Fi voice handsets may get 3 hours of talk time (less than half what you get on a cell phone)

• The original 802.11 Power Save featureClient turns on its receiver to read each Beacon Frame (100 msec interval) and sends a polling message to retrieve each frame from the AP

• Wi-Fi Multi-Media's Power Save feature (required in client and AP)Power save option can be negotiated or set for each WMM access category (i.e. Legacy or WMM Power Save)The client sends a "Trigger Frame" to the AP at any time to initiate a burst-mode download (recommended interval 20 msec )Client sends one message to retrieve all stored frames The AP uses a bit to indicate "last frame" and the client can return to "sleep" stateCan improve power consumption 15- to 40%, and it improves latency (i.e. the client is looking for traffic every 20 msec versus 100 msec)

• More work needs to be done on the power consumption problem

41

WLAN/Cellular Integration

There are two major strategies for integrating WLANs and cellular services:

1. Dual Mode Wi-Fi/Cellular Handset with No Service Integration2. PBX Coordinated Solution

The customer installs a server on their private network that coordinates the transfer of calls from the WLAN to the cellular networkWhile the carrier does not have to make any changes to their network, they still must certify the handsets (i.e. they can still block the implementation!)

3. Carrier Coordinated SolutionThe carrier installs a special server in their network and essentially treats the WLAN or VoIP network as a peer

42

"Seamless Convergence"

First Workable Wi-Fi/Cellular Convergence System• Avaya:

IP PBX SystemThe Avaya Communication Manager

• Proxim (acquired by Terabeam): Wireless LAN Switching SystemMay have been a bad choice!

• Motorola:CN620 WLAN/802.11 Handset Wireless Services Manager

Avaya/Motorola have abandoned the plan, but other suppliers like DiVitas Networks are introducing similar offerings

43

PBX Coordinated Solution

Wireless ServicesManager

(Monitors Availability of Users on the WLAN Network)

IntegratedGSM/802.11 Handset(<100 msec Handoff)

WiredIP Telephones

Call Transfer

ControlLink

Conference connections, then drop one

IntegratedGSM/802.11 Handset(<100 msec Handoff)

GSM Cellular Network

44

"Dragged In" Call

The Wireless ServicesManager can see the user has entered the WLAN coverage

area, but it has no way to transfer the call!

WiredIP Telephones

GSM Cellular NetworkNo Call Transfer

ControlLink

1. Call Received through the Cellular Network

2. User enters the WLAN coverage area, but the call continues on the Cellular

Network

45

Carrier Coordinated Solutions

• A more functional though more difficult to implement solutionThe carrier installs a "mobility server" as part of their networkThe installation involves a connection to the cellular network, the signaling infrastructure, and a gateway to the other network(s)Any call can be handed off in either direction!

• Long Term Solution:IP Multimedia Subsystem (IMS):

Next generation network signaling system from the ITU, the people who brought you ISDN, ATM, and the Intelligent Network!

• Short Term:Several Available Products

Kineto Wireless, BridgePort Networks, etc

46

Carrier Controlled Solution

HomeMobile Switching

Center (MSC)

Home LocationRegister

(Authentication Info)

Visitors LocationRegister

Other Cellular Carriers

CellularSignaling Network

(IS-41C/MAP)VoIP

Network

WLAN/CellularHandset

PBX withWLAN Network

WLAN Server Monitors Availability of Users on the WLAN Network

47

What do the Cellular Carriers Have to Lose?

• Revenue and Customer Control:No longer "something special", just another part of the customer's call handling system

• Pricing Control:How will the service be billed?Will the cellular carrier get any revenue for WLAN calls?

• Quality Control:Is the cellular carrier responsible for WLAN screw-ups?

• SecurityWill the WLAN security difficulties introduce a security vulnerability in the cellular network?

Rev. 14.0 © dBrn Associates, Inc. 2006

Section 5

Planning Recommendations

49

General Observations

• WLAN voice is still in its infancy• Pervasive WLAN coverage will be essential for voice• Acceptable voice quality will require a sound network design that

insures both coverage and sufficient network capacity• QoS techniques will provide priority handling for voice packets

… but QoS does not create capacity, it merely manages scarcity! • Call access control must also be used to limit the number of voice

calls that can be established through an AP• Current VoWLAN handset products are not up to the task!

50

Shopping Recommendations

• What to look for in emerging WLAN voice products:Support for 802.11 a and g radio links (get rid of all 802.11b devices if possible!)Security based on 802.11i/WPA2 or WPA as a minimumSupport for 802.11e QoS using EDCANeighbor reporting, call access control, and AP load sharing capabilitiesWMM Power Save for Improved Battery LifeMonitoring and Maintenance: Better tools to recognize capacity problems and provide fast, accurate troubleshootingHand-offs: Even though we might like a standards-based solution for hand-offs, the only available near-term option is a WLAN switch