iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 10 – 17ws 1 / 28
Outline Wireless Communication General Problems Channel Access Methods Types of Wireless Networks Wireless LAN (IEEE 802.11) Physical Layer Data Link Layer Medium Access Control WLAN Security 2 / 28
Outline Wireless Communication General Problems Channel Access Methods Types of Wireless Networks Wireless LAN (IEEE 802.11) Physical Layer Data Link Layer Medium Access Control WLAN Security 3 / 28
General Problems in Wireless Data Transmission ◮ half-duplex operation (self interference) ◮ interference – there is only one shared medium ◮ signal strength decreasing quadratically with the distance ◮ multipath propagation due to reflection and refraction source: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82068-omni-vs-direct.html 4 / 28
Recap: Ethernet (IEEE 802.3) ◮ full-duplex, high-speed data transmission ◮ negligible interference ◮ usually no medium access control (CSMA/CD) necessary switches limit collision domains to only two endpoints ◮ no built-in security 5 / 28
Channel Access Methods Frequency Division Multiple Access (FDMA) ◮ each data stream uses a different frequency band Time Division Multiple Access (TDMA) ◮ each data stream uses a different time-slot Code Division Multiple Access (CDMA) ◮ multiplexing based on spreading-codes Space Division Multiple Access (SDMA) ◮ frequency reuse in different physical areas 6 / 28
FDMA: Frequency Spectrum (US, 3KHz – 30 GHz) source: http://www.ntia.doc.gov/files/ntia/publications/spectrum_wall_chart_aug2011.pdf 7 / 28
FDMA: Frequency Spectrum (DE, cellular networks) source: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Allgemeines/Presse/Pressemitteilungen/ 2010/100830VerlosungGraphikFrequenzspektrum_pdf.pdf?__blob=publicationFile&v=3 8 / 28
Frequency Spectrum Summary Unlicensed Operation ◮ 13.56 MHz NFC, RFID ◮ 2.4 GHz WLAN, Bluetooth, ZigBee, microwave ovens, RFID, etc. ◮ 5 GHz WLAN Mobile Networks (Germany) ◮ GSM (2G) 900, 1800 MHz ◮ UMTS (3G) 2100 MHz ◮ LTE (4G) 800, 1800, 2600 MHz 9 / 28
Space Division Multiple Access (SDMA) CC BY-SA 2.5 by Andrew pmk source: https://upload.wikimedia.org/wikipedia/ commons/e/ee/Frequency_reuse.svg Cellular base stations in Munich source: 10 / 28 http://emf3.bundesnetzagentur.de/karte/default.aspx
Types of Wireless Networks single-hop multi-hop infrastructure- WLAN (ad-hoc mode), Mobile ad-hoc networks less Bluetooth, ZigBee e.g. car-to-car WLAN infrastructure- (infrastructre mode), Wireless mesh networks based cellular networks (GSM, WIMAX, LTE) 11 / 28
Outline Wireless Communication General Problems Channel Access Methods Types of Wireless Networks Wireless LAN (IEEE 802.11) Physical Layer Data Link Layer Medium Access Control WLAN Security 12 / 28
Terminology ◮ station wireless host ◮ access point base station ◮ basic service set (BSS) group of communication partners that use the same channel ◮ extended service set (ESS) group of multiple interconnected BSS with common service set identifier (SSID) ◮ distribution system interconnection network 13 / 28
Physical Layer: IEEE 802.11 PHY Standards Name Frequency Max. data rate Published 802.11 2.4 GHz 2 Mbit/s 1997 802.11a 5 GHz 54 Mbit/s 1999 802.11b 2.4 GHz 11 Mbit/s 1999 802.11g 2.4 GHz 54 Mbit/s 2003 802.11n 2.4 + 5 GHz 600 Mbit/s 2009 802.11ac 5 GHz 6.77 Gbit/s 2013 14 / 28
Data Link Layer: Frames Management Frames ◮ beacon frame (periodical announcement by the AP, e.g. SSID) ◮ association request frame / association response frame (station joins the network) ◮ authentication frame Control Frames ◮ acknowledgement (ACK) frame, reliability ◮ request-to-send (RTS) frame (optional extension) ◮ clear-to-send (CTS) frame (optional extension) Data Frames ◮ actual data transmission 15 / 28
Datagram Header 0 15 16 31 ... to ver fr duration / ID type subtype DS DS address 1 address 1 address 2 address 2 address 3 sequence control address 3 address 4 address 4 data (0–2312 Byte) frame check seq. 16 / 28
Use of Address Fields ◮ (0,0) data frame from station to station (ad-hoc mode) ◮ (0,1) data frame from AP to station (infrastructure mode) ◮ (1,0) data frame from station to AP (infrastructure mode) ◮ (1,1) data frame in the DS from one AP to another AP (wireless distribution system) to DS from DS A1 A2 A3 A4 0 0 RA = DA TA = SA BSSID 0 1 RA = DA TA = BSSID SA 1 0 RA = BSSID TA = SA DA 1 1 RA TA DA SA DA = destination address, SA = source address, RA = receiver address, TA = transmitter address, BSSID = AP MAC address 17 / 28
Medium Access Control Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) ◮ collision detection not possible ◮ sensing while sending is difficult ◮ a collision may only be visible to a part of the nodes ◮ a frame is always fully transmitted ◮ link layer acknowledgements 18 / 28
Medium Access Control Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) ◮ collision detection not possible ◮ sensing while sending is difficult ◮ a collision may only be visible to a part of the nodes ◮ a frame is always fully transmitted ◮ link layer acknowledgements ◮ remember: collision != interference 18 / 28
CSMA/CA – Inter-Frame Spacing ◮ prioritization of control traffic ◮ SIFS (Short Inter Frame Spacing): highest priority for control frames: e.g. ACK, CTS ◮ DIFS (DCF Interframe Spacing): lower priority (longer interframe spacing) for data traffic ◮ backoff time t bo = Random ([0 , CW ]) ∗ SlotTime source: S. Günther, et al. “Analysis of Injection Capabilities and Media Access of IEEE 802.11 Hardware in Monitor Mode”, NOMS 2014 19 / 28
CSMA/CA – Inter-Frame Spacing Example source: https://www.cs.purdue.edu/homes/park/cs536-wireless-3.pdf ◮ SIFS = 10 µ s or 16 µ s ◮ DIFS = 28 µ s , 34 µ s , or 50 µ s ◮ slot time = 9 µ s or 20 µ s ◮ 15 ≤ CW ≤ 1023 20 / 28
Collison Avoidance Algorithm (sending side) data link layer receives frame from upper layer choose random backoff time t bo = Random ([0 , CW ]) ∗ SlotTime wait until channel is idle for DIFS busy while t bo > 0: wait for one slot time and decrement t bo transmit frame no yes CW = CW ∗ 2 ACK received before timeout? 21 / 28
Collison Avoidance Algorithm (receiving side) data link layer receives frame from the physical layer yes no wait for SIFS is received frame ok? transmit ACK 22 / 28
CSMA/CA – Backoff Example source: IEEE Std 802.11-2012, http://standards.ieee.org/getieee802/download/802.11-2012.pdf ◮ no acknowledgements shown for simplicity 23 / 28
Ready-to-Send and Clear-to-Send (CTS / RTS) ◮ optional extension to IEEE 802.11 ◮ before any transmission the sender transmits a request-to-send (RTS) message contains the expected duration of the transmission ◮ the receiver has to confirm with a clear-to-send (CTS) message everyone who received the CTS knows that the medium will be busy for the specified duration ◮ solves the hidden terminal problem 24 / 28
Outline Wireless Communication General Problems Channel Access Methods Types of Wireless Networks Wireless LAN (IEEE 802.11) Physical Layer Data Link Layer Medium Access Control WLAN Security 25 / 28
Wireless LAN Security Protocols WEP ◮ standardized in 1999, first broken in 2001 N. Borisov et al., Intercepting Mobile Communications: The Insecurity of 802.11, MOBICOM 2001 ◮ many design flaws including: ◮ only 40 bit key length ◮ initialization vector is too small (16 million possible values) ◮ integrity check via CRC32 (linear function) ◮ no replay-protection WPA ◮ standarized in 2003 ◮ stopgap replacement for WEP WPA2 ◮ standardized in 2004 (IEEE 802.11i) ◮ CCMP (CTR mode with CBC-MAC Protocol) encryption protocol uses AES with 128-bit block size 26 / 28
WPA2 Authentication Pre-shared Key Mode (WPA-PSK) ◮ 256 bit key derived from 64 hexadecimal digits or an ASCII-String (8 to 63 characters) using the PBKDF2 key derivation function and the SSID as salt External Authentication Server (WPA-802.1X) ◮ relies on an external server for authentication ◮ advantages: mutual authentication, centralized authentication Wi-Fi Protected Setup (WPS) ◮ goal: make adding new devices as simple as possible ◮ push-button method ◮ assumption: attacker has no physical access to the access point ◮ PIN method is insecure (brute-force attack [1]) [1] https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf 27 / 28
WPA-802.1X ◮ relies on an external server for authentication (via RADIUS or Diameter protocol) ◮ supplicant (station) negotiates with an authentication server, the authenticator (access point) acts as a relay source: https://en.wikipedia.org/wiki/File:802.1X_wired_protocols.png 28 / 28
Recommend
More recommend
