iLab Wireless Networks
Florian Wohlfart, wohlfart@in.tum.de
Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München
Lab 10 – 16ss
Oral attestations: available dates
◮ Friday, July 15
◮ Monday, July 18
◮ Tuesday, July 19
◮ Wednesday, July 20
Registration will be open from 8 pm today until Friday, 2 pm.
Outline
Wireless Communication
◮ Electromagnetic Spectrum
◮ General Problems
Wireless LAN (IEEE 802.11)
◮ Basics
◮ Medium Access Control
◮ WLAN Security
Frequency Spectrum (US, 3 kHz – 30 GHz)
(figure: NTIA spectrum allocation chart) source: http://www.ntia.doc.gov/files/ntia/publications/spectrum_wall_chart_aug2011.pdf
Frequency Spectrum (DE, mobile networks)
(figure: Bundesnetzagentur frequency chart) source: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Allgemeines/Presse/Pressemitteilungen/2010/100830VerlosungGraphikFrequenzspektrum_pdf.pdf?__blob=publicationFile&v=3
Frequency Spectrum Summary
Unlicensed Operation
◮ 13.56 MHz: NFC, RFID
◮ 2.4 GHz: WLAN, Bluetooth, ZigBee, microwave ovens, RFID, etc.
◮ 5 GHz: WLAN
Mobile Networks (Germany)
◮ GSM (2G): 900, 1800 MHz
◮ UMTS (3G): 2100 MHz
◮ LTE (4G): 800, 1800, 2600 MHz
Channel Access Methods
Frequency Division Multiple Access (FDMA)
◮ each data stream uses a different frequency band
Time Division Multiple Access (TDMA)
◮ each data stream uses a different time slot
Code Division Multiple Access (CDMA)
◮ multiplexing based on spreading codes
Space Division Multiple Access (SDMA)
◮ frequency reuse in different physical areas
Space Division Multiple Access (SDMA)
(figure: cellular frequency reuse pattern) CC BY-SA 2.5 by Andrew pmk, source: https://upload.wikimedia.org/wikipedia/commons/e/ee/Frequency_reuse.svg
Cellular Base Stations in Garching
(figure: map of base stations) source: http://emf3.bundesnetzagentur.de/karte/default.aspx
Cellular Base Stations in Munich
(figure: map of base stations) source: http://emf3.bundesnetzagentur.de/karte/default.aspx
General Problems in Wireless Data Transmission
◮ half-duplex operation (a station cannot receive while it sends: self interference)
◮ interference: there is only one shared medium
◮ signal strength decreases quadratically with the distance (free-space path loss; faster with obstacles)
◮ multipath propagation due to reflection and refraction
(figure: omnidirectional vs. directional antenna) source: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82068-omni-vs-direct.html
Recap: Ethernet (IEEE 802.3)
◮ full-duplex, high-speed data transmission
◮ negligible interference
◮ usually no channel access control necessary: switches limit collision domains to only two endpoints, and full-duplex links have no collisions at all
◮ no built-in security
Wireless Network Types
                      single-hop                                  multi-hop
infrastructure-less   WLAN (ad-hoc mode), Bluetooth, ZigBee       mobile ad-hoc networks, e.g. car-to-car
infrastructure-based  WLAN (infrastructure mode), WiMAX           wireless mesh networks
Infrastructure Mode
◮ station: wireless host
◮ access point: base station
◮ basic service set (BSS): the stations served by one access point on one channel (identified by the BSSID, the AP's MAC address)
◮ extended service set (ESS): group of multiple interconnected BSS with a common service set identifier (SSID)
◮ distribution system (DS): interconnection network between the access points
Family of IEEE 802.11 Protocols
Name      Frequency     Max. data rate   Modulation      Published
802.11    2.4 GHz       2 Mbit/s         DSSS / FHSS     1997
802.11a   5 GHz         54 Mbit/s        OFDM            1999
802.11b   2.4 GHz       11 Mbit/s        DSSS (CCK)      1999
802.11g   2.4 GHz       54 Mbit/s        OFDM, DSSS      2003
802.11n   2.4 + 5 GHz   600 Mbit/s       OFDM (MIMO)     2009
802.11ac  5 GHz         6.9 Gbit/s       OFDM (MU-MIMO)  2013
(802.11ac: about 433 Mbit/s per spatial stream at 80 MHz; the maximum needs 8 streams at 160 MHz)
Link Layer Frames
Management Frames
◮ beacon frame (periodic announcement by the AP, e.g. of the SSID)
◮ association request frame / association response frame (station joins the network)
◮ authentication frame
Control Frames
◮ acknowledgement (ACK) frame, for reliability
◮ request-to-send (RTS) frame (optional extension)
◮ clear-to-send (CTS) frame (optional extension)
Data Frames
◮ actual data transmission
MAC Frame Header
Field                  Size
frame control          2 byte: protocol version (2 bit), type (2 bit), subtype (4 bit), to DS (1 bit), from DS (1 bit), further flags (more fragments, retry, power management, more data, protected frame, order)
duration / ID          2 byte
address 1              6 byte
address 2              6 byte
address 3              6 byte
sequence control       2 byte (4 bit fragment number, 12 bit sequence number)
address 4              6 byte (only present when to DS = from DS = 1)
data                   0–2312 byte
frame check sequence   4 byte (CRC-32)
Use of Address Fields
◮ (to DS, from DS) = (0,0): frame from station to station (ad-hoc mode; also all management and control frames)
◮ (0,1): data frame exiting the DS, i.e. AP to station (infrastructure mode)
◮ (1,0): data frame destined to the DS, i.e. station to AP (infrastructure mode)
◮ (1,1): data frame inside the DS from one AP to another AP (wireless distribution system)
to DS   from DS   A1           A2           A3      A4
0       0         RA = DA      TA = SA      BSSID   –
0       1         RA = DA      TA = BSSID   SA      –
1       0         RA = BSSID   TA = SA      DA      –
1       1         RA           TA           DA      SA
DA = destination address, SA = source address, RA = receiver address, TA = transmitter address, BSSID = AP MAC address
Medium Access Control
◮ collision detection not possible: sensing while sending is difficult, the own signal drowns out everything else at the transmitter
◮ hidden terminal problem: two stations out of each other's range can still collide at a receiver that hears both
◮ therefore a frame is always fully transmitted, even when it collides
◮ link-layer acknowledgements are needed to detect the loss
◮ remember: collision != interference
Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA)
◮ prioritization of control traffic through different inter-frame spacings
◮ SIFS (Short Inter Frame Spacing): highest priority, used for control frames that answer a transmission, e.g. ACK, CTS
◮ DIFS (DCF Interframe Spacing): lower priority (longer inter-frame spacing), used before data traffic
◮ backoff time t_bo = Random([0, CW]) * SlotTime, drawn before a data frame is sent
source: S. Günther, et al. "Analysis of Injection Capabilities and Media Access of IEEE 802.11 Hardware in Monitor Mode", NOMS 2014
CSMA/CA – Inter-Frame Spacing Example
(figure: SIFS/DIFS timing diagram) source: https://www.cs.purdue.edu/homes/park/cs536-wireless-3.pdf
◮ SIFS = 10 µs (2.4 GHz PHYs) or 16 µs (5 GHz OFDM PHY)
◮ slot time = 9 µs (OFDM) or 20 µs (legacy DSSS, 802.11b)
◮ DIFS = SIFS + 2 * SlotTime = 28 µs, 34 µs, or 50 µs
◮ 15 ≤ CW ≤ 1023 (OFDM PHY; 802.11b starts at CW = 31)
Collision Avoidance Algorithm (sending side)
◮ MAC receives a frame from the upper layer
◮ choose a random backoff time t_bo = Random([0, CW]) * SlotTime
◮ wait until the channel has been idle for DIFS (if it becomes busy, wait for the next idle DIFS period)
◮ while t_bo > 0: wait for one slot time and decrement t_bo (the countdown only runs while the channel is idle)
◮ transmit the frame
◮ ACK received before the timeout? yes: done; no: CW = CW * 2 (up to the maximum CW) and start over with a new backoff
Collision Avoidance Algorithm (receiving side)
◮ MAC receives a frame from the physical layer
◮ is the received frame ok (frame check sequence matches)?
◮ yes: wait for SIFS, then transmit the ACK
◮ no: drop the frame silently; the sender's ACK timeout triggers the retransmission
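The two flowcharts above, as an added example that is not code from the lecture: the sending side with exponential backoff and the timing constants of the inter-frame spacing slide, and the receiving side's ACK decision. The channel is not simulated; the outcome of each transmission attempt (ACK before timeout or not) is a constructed input, and the freezing of the countdown while the medium is busy is left out, so each attempt is charged DIFS plus its backoff. The retry limit of 7 is the 802.11 default for short frames and is an assumption of this example, not something the slide states.

```python
import random

# Added example (not from the lecture slides): DCF sending side as in the
# flowchart, with constructed ACK outcomes standing in for the radio channel.

CW_MIN, CW_MAX = 15, 1023        # OFDM PHY: 15 <= CW <= 1023
RETRY_LIMIT = 7                  # assumption: 802.11 dot11ShortRetryLimit default


def difs(sifs_us, slot_us):
    """DIFS = SIFS + 2 * SlotTime: 28 (10/9), 34 (16/9) and 50 (10/20) microseconds."""
    return sifs_us + 2 * slot_us


def next_cw(cw):
    """Exponential backoff after a failed attempt. 802.11 keeps CW of the form
    2^k - 1, so the exact rule is 2*CW + 1 (the slide's CW * 2 rounds this),
    capped at CW_MAX."""
    return min(2 * cw + 1, CW_MAX)


def draw_backoff(cw, slot_us, rng):
    """t_bo = Random([0, CW]) * SlotTime, Random uniform over the integers 0..CW."""
    return rng.randint(0, cw) * slot_us


def send_with_backoff(ack_outcomes, slot_us=9, sifs_us=10, seed=0):
    """Run the sending side for one frame.

    ack_outcomes: constructed list of booleans, one per transmission attempt,
    saying whether the ACK arrived before the ACK timeout.
    Returns (list of per-attempt records, final status).
    """
    rng = random.Random(seed)
    cw = CW_MIN
    attempts = []
    for n, acked in enumerate(ack_outcomes, start=1):
        t_bo = draw_backoff(cw, slot_us, rng)
        attempts.append({"attempt": n, "cw": cw, "backoff_us": t_bo,
                         "wait_us": difs(sifs_us, slot_us) + t_bo, "acked": acked})
        if acked:
            return attempts, "delivered"
        if n >= RETRY_LIMIT:
            return attempts, "dropped"      # retry limit reached, frame discarded
        cw = next_cw(cw)                   # double CW and try again with a new backoff
    return attempts, "pending"             # no outcome supplied for the next attempt


def receiver_action(frame_ok, sifs_us=10):
    """Receiving side: a correct frame is answered with an ACK after SIFS; a
    damaged frame (FCS mismatch) is dropped silently so the sender times out."""
    return {"send_ack_after_us": sifs_us} if frame_ok else None


if __name__ == "__main__":
    records, status = send_with_backoff([False, False, True])
    for r in records:
        print(r)
    print(status, receiver_action(True))
```

Running the block shows the contention window growing 15, 31, 63 over three attempts; after 7 doublings it sticks at 1023, which bounds the average backoff at about 4.6 ms with 9 µs slots. That bound is also why a station that ignores the backoff rule (e.g. injected frames from a modified driver, as in the Günther et al. paper cited above) can crowd out well-behaved stations.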
CSMA/CA – Backoff Example
(figure: backoff timing diagram) source: IEEE Std 802.11-2012, http://standards.ieee.org/getieee802/download/802.11-2012.pdf
Request-to-Send and Clear-to-Send (RTS / CTS)
◮ optional extension to IEEE 802.11 (usually enabled only for frames longer than a configurable RTS threshold)
◮ before a transmission the sender transmits a request-to-send (RTS) frame that contains the expected duration of the whole exchange
◮ the receiver confirms with a clear-to-send (CTS) frame; every station that receives the CTS knows that the medium will be busy for the specified duration and defers (network allocation vector, NAV)
◮ mitigates the hidden terminal problem: stations that cannot hear the sender still hear the receiver's CTS
◮ caveat: control frames carry no authentication, so any station can reserve the medium for everyone else by sending CTS frames with a large duration value
Wireless LAN Security Protocols
WEP
◮ standardized in 1999, first broken in 2001 (N. Borisov et al., Intercepting Mobile Communications: The Insecurity of 802.11, MOBICOM 2001)
◮ many design flaws, including:
◮ only 40 bit key length (RC4 key = 40 bit secret + 24 bit IV; the later 104 bit variant fixes none of the other flaws)
◮ initialization vector is too small (24 bit, 16 million possible values, so the RC4 keystream repeats)
◮ integrity check via CRC32 (a linear function, so encrypted frames can be modified without detection)
◮ no replay protection
WPA
◮ standardized in 2003 by the Wi-Fi Alliance, based on a draft of IEEE 802.11i
◮ stopgap replacement for WEP: TKIP keeps RC4 for old hardware but adds per-packet keys, a 48 bit IV with replay counter, and a keyed integrity check (Michael)
WPA2
◮ standardized in 2004 (IEEE 802.11i)
◮ CCMP (CTR mode with CBC-MAC Protocol) encryption protocol uses AES with 128 bit key and 128 bit block size
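Why the linear CRC32 is the fatal flaw in combination with a stream cipher, as an added example (not from the lecture): the WEP frame layout (plaintext followed by the CRC-32 ICV, the whole XORed with a keystream) is real, but the keystream below is a constructed random byte string standing in for RC4(IV || key), which the attacker never needs to know. The attack XORs a chosen difference into the ciphertext and repairs the encrypted ICV using the fact that for equal-length inputs crc(a ^ b) = crc(a) ^ crc(b) ^ crc(0…0). The HTTP request and the "balance" string are constructed sample payloads.

```python
import random
import zlib

# Added example (not from the lecture slides): WEP bit-flipping through CRC-32
# linearity. The keystream is constructed, not RC4; the attack works the same.


def icv(data):
    """WEP integrity check value: CRC-32 over the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(plaintext, keystream):
    """Sender: append the ICV, then XOR plaintext || ICV with the keystream."""
    body = plaintext + icv(plaintext)
    if len(keystream) < len(body):
        raise ValueError("keystream too short")
    return xor_bytes(body, keystream)


def wep_decrypt(ciphertext, keystream):
    """Receiver: strip the keystream and verify the ICV. Returns (plaintext, ok)."""
    body = xor_bytes(ciphertext, keystream)
    plaintext, received = body[:-4], body[-4:]
    return plaintext, received == icv(plaintext)


def crc32_is_affine(a, b):
    """Check the property the attack relies on, for two equal-length inputs:
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0)."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return lhs == rhs


def replacement_delta(plain_len, offset, old, new):
    """Difference mask that turns `old` into `new` at `offset` (same length)."""
    if len(old) != len(new) or offset + len(old) > plain_len:
        raise ValueError("replacement must keep the length")
    delta = bytearray(plain_len)
    delta[offset:offset + len(old)] = xor_bytes(old, new)
    return bytes(delta)


def flip_bits(ciphertext, delta):
    """Attacker, knowing neither key nor keystream: XOR `delta` into the
    encrypted payload and fix the encrypted ICV via the affine property, so
    the receiver's check still passes on the modified plaintext."""
    if len(delta) != len(ciphertext) - 4:
        raise ValueError("delta must cover exactly the payload")
    icv_fix = xor_bytes(icv(delta), icv(bytes(len(delta))))
    return xor_bytes(ciphertext, delta + icv_fix)


def demo():
    """Turn an encrypted request for /index.html into one for /admin.html."""
    rng = random.Random(7)
    keystream = bytes(rng.getrandbits(8) for _ in range(64))   # constructed
    plaintext = b"GET /index.html HTTP/1.0\r\n"                 # constructed
    ct = wep_encrypt(plaintext, keystream)
    # the attacker only needs to know (or guess) which plaintext bytes to change
    delta = replacement_delta(len(plaintext), 5, b"index", b"admin")
    return wep_decrypt(flip_bits(ct, delta), keystream)


if __name__ == "__main__":
    print(demo())
```

The same trick fails against a keyed MAC (Michael in TKIP, CBC-MAC in CCMP), because the attacker can no longer compute the tag adjustment for a chosen difference without the key.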
WPA2 Authentication
Pre-shared Key Mode (WPA-PSK)
◮ 256 bit key derived from 64 hexadecimal digits (used directly) or an ASCII string (8 to 63 characters) using the PBKDF2 key derivation function (HMAC-SHA1, 4096 iterations) with the SSID as salt
◮ the derived key is the same for all stations of the network, so a weak passphrase can be guessed offline once a 4-way handshake has been captured
External Authentication Server (WPA-802.1X)
◮ relies on an external server for authentication
◮ advantages: mutual authentication, centralized authentication, per-user credentials
Wi-Fi Protected Setup (WPS)
◮ goal: make adding new devices as simple as possible
◮ assumption: the attacker has no physical access to the access point
◮ PIN method (brute force feasible [1]), push-button method
[1] https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
WPA-802.1X
◮ relies on an external server for authentication (reached via the RADIUS or Diameter protocol)
◮ the supplicant (station) negotiates with the authentication server using EAP; the authenticator (access point) only relays the EAP messages and enforces the result
(figure: 802.1X supplicant / authenticator / authentication server) source: https://en.wikipedia.org/wiki/File:802.1X_wired_protocols.png
Conclusion
◮ only trust authenticated hosts and access points
◮ use WPA2; WEP offers no protection at all
◮ when using public Wi-Fi hotspots, encrypt your communication end to end (e.g. VPN)