Ch. 2 – 802.11 and NICsPart 2 – 802.11 MAC Cisco Fundamentals of Wireless LANs version 1.1 Rick Graziani Cabrillo College Spring 2005
802.11 Overview and MAC Layer Part 1 – 802.11 MAC and Cisco Client Adapters • (Separate Presentation) • 2.1 Online Curriculum • 802.11 Standards • Overview of WLAN Topologies • IBSS • BSS • ESS • Access Points • 802.11 Medium Access Mechanisms • DCF Operations • Hidden Node Problem • RTS/CTS • Frame Fragmentation • 2.4 – 2.6 Online Curriculum • Client Adapters • Aironet Client Utility (ACU) • ACU Monitoring and Troubleshooting Tools Part 2 – 802.11 MAC • 802.11 Data Frames and Addressing • 802.11 MAC Layer Operations • Station Connectivity • Power Save Operations • 802.11 Frame Formats • Non-standard devices (Brief) Rick Graziani graziani@cabrillo.edu
Recommended Reading and Sources for this Presentation • To understand WLANs it is important to understand the 802.11 protocols and their operations. • These two books do an excellent job of presenting this information and are used throughout this and other presentations. • 802.11 Wireless LAN Fundamentals, Pejman Roshan and Jonathan Leary, ISBN 1587050773 • 802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast, ISBN 0596001835
Acknowledgements • Thanks to Pejman Roshan and Jonathan Leary at Cisco Systems, authors of 802.11 Wireless LAN Fundamentals, for allowing me to use their graphics and examples for this presentation. • Also thanks to Matthew Gast, author of 802.11 Wireless Networks: The Definitive Guide, for allowing me to use his graphics and examples for this presentation.
802.11 Frames – This isn’t Ethernet! 802.11 Frames • Data Frames (most of these subtypes exist only for PCF, the contention-free mode) • Data • Null data • Data+CF-Ack • Data+CF-Poll • Data+CF-Ack+CF-Poll • CF-Ack • CF-Poll • CF-Ack+CF-Poll • Control Frames • RTS • CTS • ACK • CF-End • CF-End+CF-Ack • Management Frames • Beacon • Probe Request • Probe Response • Authentication • Deauthentication • Association Request • Association Response • Reassociation Request • Reassociation Response • Disassociation • Announcement Traffic Indication Message (ATIM)
802.11 Data Frames and Addressing • Worth understanding in detail: MAC-layer addressing does not depend on which 802.11 physical layer (a, b or g) is in use.
Ethernet MAC Addressing (diagram: hosts X and Y on the Distribution System (DS), Access Point 1 and Access Point 2, wireless hosts A, B, C and D; xxx and yyy are the pseudo MAC addresses of hosts X and Y; an IP packet is carried in an Ethernet frame addressed with those MACs)
802.11 MAC Addressing • Four address fields. • The number and function of the address fields depend on the source and destination of the 802.11 frame. • Before we look at how these addresses are used, let’s look at the different source and destination options. • Address 4 is optional and not commonly used, except for WDS (wireless distribution system, bridge to bridge). • The LLC encapsulation will be explained later in this presentation. (figure: General 802.11 Frame)
802.11 MAC Addressing - DS • Distribution System (DS) • “The distribution system is the logical component of 802.11 used to forward frames to their destination. 802.11 does not specify any particular technology for the distribution system.” Matthew Gast • For purposes of this discussion, the DS is the network on the far side of the AP from the wireless stations. • It can be a wired network (Ethernet), a wireless network (wireless bridge) or something else. • We will assume it is a wired network for these discussions. (diagram: hosts X and Y on the DS, Access Points 1 and 2, wireless hosts A, B, C, D)
802.11 MAC Addressing – Frame Control Field (figure: General 802.11 Frame) • To DS (1 bit): set when the frame is sent by a station to the AP, i.e. toward the DS. • From DS (1 bit): set when the frame is sent by the AP out of the DS to a station.
802.11 MAC Addressing – Frame Control Field (figure: General 802.11 Frame)
Function | ToDS | FromDS
IBSS (no AP) | 0 | 0
To AP | 1 | 0
From AP | 0 | 1
Wireless bridge to bridge (WDS) | 1 | 1
Note: Some documentation is misleading, stating that ToDS is set to 1 only when the destination is on the wired side of the AP. ToDS is set to 1 on every frame a station sends to the AP, even when the final destination is another station in the same BSS; the AP is the entry point to the DS either way.
802.11 MAC Addressing – Frame Control Field (figure: layout of the Frame Control field)
802.11 MAC Addressing • Let’s look at these options: • Host A to Host B • Host A to Host X • Host X to Host A • Frames to and from a BSS (Basic Service Set) must go via the access point. • The access point is a layer 2 bridge (translation bridge) between the 802.11 network and the 802.3 network. (diagram: host X (xxx) and host Y on the DS; Access Point 1 with BSSID 111; wireless hosts A (aaa), B (bbb), C and D; aaa, bbb and 111 are the pseudo MAC addresses of the hosts and the BSSID of AP1)
802.11 MAC Addressing – The BSSID • Each BSS is assigned a BSSID. • Not to be confused with the SSID or ESSID. • BSSID – 48-bit identifier which distinguishes this BSS from other BSSs in the network; stations use it to filter out frames that belong to another BSS on the same channel. • In an infrastructure BSS, the BSSID is the MAC address of the AP’s wireless interface. (In an IBSS there is no AP, and the BSSID is a randomly generated, locally administered address.) • Remember, normal switches (bridges) may have MAC addresses, but those addresses are only used for management purposes and not for layer 2 frame forwarding (addressing); an AP’s BSSID, by contrast, appears in every frame of its BSS. (diagram: Access Point 1 with BSSID 111, hosts A (aaa) and B (bbb); figure: General 802.11 Frame)
802.11 MAC Addressing – The BSSID • Besides the BSSID MAC address, the access point has a MAC address for each of its other interfaces: • Ethernet (LAN) • Ethernet (WAN), on a wireless router • 802.11a radio on dual-mode APs (a second BSSID) (diagram as on the previous slide)
BSSID – Cisco 1200 (screenshot: the MAC address that answers for the AP’s IP address in ARP tables, the 802.11b BSSID, and a separate BSSID for the 802.11a WLAN)
Linksys WRT54G Router Information • IP Address: (received via DHCP) • MAC Address: 00:0F:66:09:4E:10 Local Network • MAC Address: 00:0F:66:09:4E:0F (the MAC address that answers for the AP’s IP address) • IP Address: 192.168.1.1 Wireless • MAC Address: 00:0F:66:09:4E:11 (the BSSID) • SSID: GuidoNet2 • DHCP Server: Enabled • Channel: 11 • Encryption Function: Enabled • Note the three consecutive MAC addresses, one per interface (WAN, LAN, wireless).
802.11 MAC Addressing – Host A to Host B • Address 1 – Receiver address • Address 2 – Transmitter address • Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID, depending on the ToDS/FromDS bits • Transmitter: the station or AP that puts the frame onto the wireless medium; it is not necessarily the original source (it did not necessarily create the frame), e.g. the AP relaying a frame. • Receiver: the station or AP that takes the frame off the wireless medium; it is not necessarily the final destination, e.g. the AP. (figure: General 802.11 Frame)
802.11 MAC Addressing – Host A to Host B (both in AP1’s BSS, so the AP relays the frame)
Leg | Address 1 (Rec.) | Address 2 (Trans.) | Address 3 | ToDS | FromDS
Host A to AP 1 | 111 (BSSID) | aaa (SA) | bbb (DA) | 1 | 0
AP 1 to Host B | bbb (DA) | 111 (BSSID) | aaa (SA) | 0 | 1
802.11 MAC Addressing • Access Points are translation bridges. • From 802.11 to Ethernet, and from Ethernet to 802.11. • The “data/frame body” (the IP packet in its LLC wrapper) is re-encapsulated with the proper layer 2 frame (Ethernet or 802.11). • Certain addresses are copied between the two types of frames. (figure: IP packet carried in an Ethernet frame on the DS and in an LLC-encapsulated 802.11 frame on the wireless side)
802.11 MAC Addressing – Host A to Host X
Host A to AP 1 (802.11 frame) | Address 1 (Rec.) 111 | Address 2 (Trans.) aaa | Address 3 (DA) xxx | ToDS 1 | FromDS 0
AP 1 onto the DS (Ethernet frame) | DA xxx (copied from Address 3) | SA aaa (copied from Address 2)
• The Ethernet DA and SA are the destination and source addresses just like on traditional Ethernet networks. • Destination Address – Host X • Source Address – Host A
802.11 MAC Addressing – Host A to Host X (continued) • The AP (bridge) knows which MAC addresses are on its wireless interface and maintains a table of those MAC addresses (learned from the Association process – later). • When the AP receives an 802.11 frame with ToDS=1, it examines Address 3 (the DA). • If Address 3 is not in its table of wireless MACs, it knows it needs to translate the frame to an Ethernet frame and send it onto the DS. • The AP copies Address 3 to the Ethernet Destination Address, and Address 2 (the Transmitter address, which here is also the SA) to the Ethernet Source Address.
802.11 MAC Addressing – Host X to Host A (diagram: host X (xxx) on the DS, AP1 with BSSID 111, wireless host A (aaa))
802.11 MAC Addressing – Host X to Host A
Host X to AP 1 (Ethernet frame) | DA aaa | SA xxx
AP 1 to Host A (802.11 frame) | Address 1 (Rec.) aaa (copied from the Ethernet DA) | Address 2 (Trans.) 111 (BSSID) | Address 3 (SA) xxx (copied from the Ethernet SA) | ToDS 0 | FromDS 1
• Destination Address – Host A • Source Address – Host X
802.11 MAC Addressing – Host X to Host A (continued) • The AP (bridge) knows which MAC addresses are on its wireless interface and maintains a table of those MAC addresses (via the Association process – later). • When the AP receives an Ethernet frame, it examines the Destination Address. • If the Destination Address is in its table of wireless MACs, it knows it needs to translate the frame to an 802.11 frame. • The AP copies the Ethernet Destination Address to 802.11 Address 1, puts its own BSSID in Address 2 (Transmitter), and copies the Ethernet Source Address to Address 3 (the SA in this case), with FromDS=1. • Like any bridge, the AP floods frames whose destination it has not learned (flood out all ports unless the address is in the Source Address Table).
802.11 MAC Addressing • So how do Ethernet switches know where the wireless stations are? • Just like wired stations – from the source address of frames that came from the wireless station via the access point. • Here the switch learns from the incoming Ethernet frame (SA aaa, arriving on port 2 from AP1) that aaa is on port 2 and enters that in its MAC address table. • Any frames coming into the switch (e.g. on port 1 from host X) with a Destination Address of aaa are then forwarded out port 2, towards the AP. • Note that the switch only ever sees aaa; the BSSID 111 never appears in the Ethernet frame. (diagram: switch with host X (xxx) on port 1 and AP1 (111) on port 2)
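The address rules from the Host A to Host B, Host A to Host X and Host X to Host A slides, worked through in code. This is an added example, not code from the presentation or from either book: a minimal builder and parser for the 802.11 data-frame header, the (DA, SA, BSSID) mapping for all four ToDS/FromDS combinations, and the access point acting as a translation bridge in both directions. The MAC addresses are constructed, locally administered values standing in for aaa, bbb, xxx and 111. The frame body is carried opaquely; the LLC/SNAP to EtherType conversion belongs to the LLC discussion and is not done here.

```python
"""802.11 data-frame addressing and AP translation bridging (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed pseudo addresses standing in for the slide's aaa, bbb, xxx, 111.
HOST_A = bytes.fromhex("02aaaaaaaaaa")      # wireless host A ("aaa")
HOST_B = bytes.fromhex("02bbbbbbbbbb")      # wireless host B ("bbb")
HOST_X = bytes.fromhex("02cccccccccc")      # wired host X on the DS ("xxx")
AP1_BSSID = bytes.fromhex("021111111111")   # AP1 radio MAC = BSSID ("111")

TYPE_DATA = 2                            # Frame Control type value for data frames
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02    # bits in the second Frame Control byte


@dataclass
class Dot11Data:
    to_ds: bool
    from_ds: bool
    addr1: bytes             # Receiver address
    addr2: bytes             # Transmitter address
    addr3: bytes             # DA, SA or BSSID depending on the flags
    addr4: Optional[bytes]   # only present when ToDS=1 and FromDS=1 (WDS)
    body: bytes


def build_dot11(to_ds, from_ds, addr1, addr2, addr3, body, addr4=None, seq=0):
    """Serialise: Frame Control(2) Duration(2) Addr1-3(18) SeqCtrl(2) [Addr4(6)] body."""
    fc0 = TYPE_DATA << 2                   # protocol version 0, type data, subtype 0
    fc1 = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    hdr = struct.pack("<BBH", fc0, fc1, 0) + addr1 + addr2 + addr3
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)   # fragment 0, sequence number
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("WDS (ToDS=1, FromDS=1) frame needs Address 4")
        hdr += addr4
    return hdr + body


def parse_dot11(frame):
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    if (fc0 >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    a4, off = (frame[24:30], 30) if (to_ds and from_ds) else (None, 24)
    return Dot11Data(to_ds, from_ds, a1, a2, a3, a4, frame[off:])


def address_roles(f):
    """Return (DA, SA, BSSID) for the four ToDS/FromDS combinations."""
    if not f.to_ds and not f.from_ds:      # IBSS: Addr1=DA Addr2=SA Addr3=BSSID
        return f.addr1, f.addr2, f.addr3
    if f.to_ds and not f.from_ds:          # to AP: Addr1=BSSID Addr2=SA Addr3=DA
        return f.addr3, f.addr2, f.addr1
    if not f.to_ds and f.from_ds:          # from AP: Addr1=DA Addr2=BSSID Addr3=SA
        return f.addr1, f.addr3, f.addr2
    return f.addr3, f.addr4, None          # WDS: Addr3=DA Addr4=SA, no single BSSID


def ap_wireless_to_ethernet(frame, wireless_stations):
    """AP receives a ToDS frame: relay inside the BSS, or translate onto the DS."""
    f = parse_dot11(frame)
    if not (f.to_ds and not f.from_ds):
        raise ValueError("AP expects ToDS=1, FromDS=0 from a station")
    da, sa, bssid = address_roles(f)
    if bssid != AP1_BSSID:
        raise ValueError("frame belongs to another BSS; filtered on BSSID")
    if da in wireless_stations:
        # Address 3 (DA) is a wireless MAC: send it back out as a FromDS frame.
        return build_dot11(False, True, da, AP1_BSSID, sa, f.body)
    # Otherwise copy Address 3 -> Ethernet DA and Address 2 -> Ethernet SA.
    return da + sa + f.body


def ap_ethernet_to_wireless(eth, wireless_stations):
    """AP receives an Ethernet frame from the DS; translate if DA is a wireless MAC."""
    da, sa, body = eth[0:6], eth[6:12], eth[12:]
    if da not in wireless_stations:
        return None   # not for this BSS; the switch floods/forwards it elsewhere
    # Ethernet DA -> Address 1, own BSSID -> Address 2, Ethernet SA -> Address 3.
    return build_dot11(False, True, da, AP1_BSSID, sa, body)
```

The BSSID check in `ap_wireless_to_ethernet` is the filtering the BSSID slide describes: two APs on the same channel receive each other's stations' frames, and Address 1 is what tells the AP which ones are its own.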
LLC – Logical Link Control • The IP packet is in an LLC frame which is encapsulated in an 802.11 MAC frame. • 802.11 has no protocol type field of its own. • The LLC header (3 bytes: DSAP, SSAP, Control) plus the SNAP extension (5 bytes: a 3-byte OUI and a 2-byte EtherType) make the 8 bytes that identify the layer 3 protocol carried in the data field. • The rest of the information within the LLC is not really relevant here. (figure: General 802.11 Frame carrying an LLC-encapsulated IP packet)
LLC – Logical Link Control • The only word of caution is that there are two types of LLC/SNAP encapsulation, RFC 1042 and 802.1H (bridge-tunnel), which differ in the OUI carried in the SNAP header. • On a rare occasion you might find a client that associates to an AP but cannot pass traffic for certain protocols, because the two sides do not agree on which encapsulation to use.
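The 8-byte LLC/SNAP header and the RFC 1042 versus 802.1H difference, as an added example that is not from the presentation. The sample packets are constructed. The EtherType list that 802.1H selective translation tunnels with OUI 00:00:F8 (AppleTalk AARP and Novell IPX) comes from IEEE 802.1H as applied by 802.11; everything else uses RFC 1042 with OUI 00:00:00. `matches_expected` is the check a practitioner would run when a client associates but one protocol does not get through.

```python
"""LLC/SNAP encapsulation of a layer-3 packet in an 802.11 frame body (added example)."""
import struct

LLC_SNAP = bytes([0xAA, 0xAA, 0x03])      # DSAP=AA, SSAP=AA, Control=03 (UI)
OUI_RFC1042 = bytes([0x00, 0x00, 0x00])
OUI_8021H = bytes([0x00, 0x00, 0xF8])     # bridge-tunnel encapsulation
# EtherTypes that 802.1H selective translation encapsulates with OUI 00:00:F8;
# everything else (e.g. IP 0x0800, ARP 0x0806) uses RFC 1042 with OUI 00:00:00.
BRIDGE_TUNNEL_TYPES = {0x80F3, 0x8137}    # AppleTalk AARP, Novell IPX


def encapsulate(ethertype, payload, mode="selective"):
    """Prefix payload with LLC(3) + SNAP OUI(3) + EtherType(2): 8 bytes."""
    if mode == "rfc1042":
        oui = OUI_RFC1042
    elif mode == "8021h":
        oui = OUI_8021H
    elif mode == "selective":
        oui = OUI_8021H if ethertype in BRIDGE_TUNNEL_TYPES else OUI_RFC1042
    else:
        raise ValueError(f"unknown encapsulation mode {mode!r}")
    return LLC_SNAP + oui + struct.pack(">H", ethertype) + payload


def decapsulate(body):
    """Return (ethertype, payload, oui), or raise if the body is not LLC/SNAP."""
    if len(body) < 8 or body[:3] != LLC_SNAP:
        raise ValueError("no SNAP header: cannot tell which layer-3 protocol this is")
    oui = body[3:6]
    (ethertype,) = struct.unpack(">H", body[6:8])
    if oui not in (OUI_RFC1042, OUI_8021H):
        raise ValueError(f"unexpected SNAP OUI {oui.hex()}")
    return ethertype, body[8:], oui


def matches_expected(body, expect_mode):
    """True if the body's OUI is what a receiver configured for expect_mode accepts."""
    ethertype, _payload, oui = decapsulate(body)
    return oui == encapsulate(ethertype, b"", expect_mode)[3:6]
```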
802.11 MAC Layer Operations • Station Connectivity • Power Save Operations • 802.11 Frame Formats
Station Connectivity
Station Connectivity • Earlier we stated that, at a minimum, a client station and the access point must be configured with the same SSID. • How does the client find these APs? • Before connecting to any network, you must find it. • On Ethernet the cable does that for you, but of course there is no cable with wireless. • There are various applications and utilities that will do it, but what is actually happening in the 802.11 MAC operations? • Let’s take a look…
Station Connectivity • Station connectivity is an explanation of how 802.11 stations select and communicate with APs. State diagram: State 1 (Unauthenticated, Unassociated) → successful Authentication → State 2 (Authenticated, Unassociated) → successful Association → State 3 (Authenticated, Associated). Disassociation returns a station from State 3 to State 2; Deauthentication returns it from State 2 or State 3 to State 1.
Station Connectivity • We will look at three processes: • Probe Process (or scanning) • The Authentication Process • The Association Process • Only after a station has both authenticated and associated with the access point can it use the Distribution System (DS) services and communicate with devices beyond the access point. (state diagram as on the previous slide: the Probe process precedes State 1, the Authentication process moves the station to State 2 and the Association process to State 3)
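The three-state diagram above, tracked per station the way an AP has to track it, as an added example that is not from the presentation. The states and the four transitions (authentication, association, disassociation, deauthentication) are the slide's; the frame classes, which say which frames a station may send in which state, and the AP's reaction to a frame sent from the wrong state, are taken from the 802.11 standard rather than from the slide. The station address is constructed.

```python
"""802.11 station state machine as an AP would track it (added example)."""
from enum import Enum


class State(Enum):
    UNAUTH_UNASSOC = 1   # State 1
    AUTH_UNASSOC = 2     # State 2
    AUTH_ASSOC = 3       # State 3


# Frame classes (from the 802.11 standard, not the slide): class 1 is legal in
# any state, class 2 needs State 2 or 3, class 3 (data through the DS, PS-Poll)
# needs State 3. This is what "only after both authenticated and associated can
# it use the DS" means at the frame level.
FRAME_CLASS = {
    "probe_req": 1, "probe_resp": 1, "beacon": 1, "auth": 1, "deauth": 1,
    "ack": 1, "rts": 1, "cts": 1,
    "assoc_req": 2, "assoc_resp": 2, "reassoc_req": 2, "disassoc": 2,
    "data": 3, "ps_poll": 3,
}


class AccessPoint:
    def __init__(self):
        self.state = {}   # station MAC -> State; unknown stations are in State 1

    def state_of(self, sta):
        return self.state.get(sta, State.UNAUTH_UNASSOC)

    def receive(self, sta, frame, ok=True):
        """Process one frame from sta; return the AP's reply frame type, or None.

        ok=True means the authentication/association attempt succeeds."""
        st = self.state_of(sta)
        cls = FRAME_CLASS[frame]
        # Frames the station is not yet entitled to send: the AP answers with
        # the frame that pushes the station back to the state it is really in.
        if st == State.UNAUTH_UNASSOC and cls >= 2:
            return "deauth"
        if st == State.AUTH_UNASSOC and cls == 3:
            return "disassoc"
        if frame == "auth":
            if ok:
                self.state[sta] = State.AUTH_UNASSOC
            return "auth"            # authentication response (success or failure)
        if frame in ("assoc_req", "reassoc_req"):
            if ok:
                self.state[sta] = State.AUTH_ASSOC
            return "assoc_resp"
        if frame == "deauth":
            self.state[sta] = State.UNAUTH_UNASSOC
        elif frame == "disassoc":
            self.state[sta] = State.AUTH_UNASSOC
        return None

    def may_use_ds(self, sta):
        """Only State 3 stations get their data frames bridged onto the DS."""
        return self.state_of(sta) == State.AUTH_ASSOC
```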
Station Connectivity – Probe Process • The Probe Process (Scanning) is done by the wireless station: • Passive – listen for Beacons • Active – send Probe Requests • Which one is used depends on the device driver of the wireless adapter or the software utility you are using. • Cisco adapters do active scanning when associating, but use passive scanning for some tests. • In either case, beacons are still received and used by the wireless stations for other things besides scanning (coming).
Station Connectivity – Passive Scanning • Passive Scanning • Saves battery power (the station transmits nothing). • Station moves to each channel and waits for Beacon frames from APs. • Records any beacons received. • Beacon frames allow a station to find out everything it needs to begin communications with the AP, including: • SSID • Supported Rates • Kismet/KisMAC use passive scanning
Station Connectivity – Passive Scanning (capture of Beacon frames) Note: Most of these beacons are received via normal operations and not through passive scanning.
Station Connectivity – Passive Scanning • Passive scans, carried out by listening to Beacons from APs, are not usually displayed by a network analyzer (Ethereal, Airopeek, etc.) but can be. • Microsecond – millionth of a second • Millisecond – thousandth of a second • Beacon interval is the number of time units (TU) between beacon transmissions. • One time unit is 1,024 microseconds, or about 1 millisecond. • A common beacon interval is 100 time units. • A beacon interval of 100 TU is 102,400 microseconds, about 0.1 seconds. • That is roughly 10 beacons per second.
Setting the beacon interval on an AP (later) (screenshot)
Station Connectivity – Passive Scanning • AP features (options) • The SSID can be “hidden” or “cloaked” in the beacon frame (can be done on Cisco APs). • Do not send AP broadcast beacons (not an option with Cisco APs). • A cloaked SSID is still sent in the clear in every Probe Request from a client that knows it and in every Probe Response (next slides), so anyone with a sniffer learns it as soon as a legitimate client connects. • From some mailing lists: • “SSID cloaking and beacon hiding isn't necessarily a bad thing, but too many places use it as the only protection because it leads to a false sense of security.” • “Obscurity != security. Too many companies blindly trust that no beaconing or hiding their SSID means they're automatically safe.”
Station Connectivity – Active Scanning • Active Scanning: Probe Request • This process is not mandatory in 802.11. • A Probe Request frame is sent out on every channel (1 – 11 in the North American 2.4 GHz band) by the client. • APs that receive a Probe Request must reply with a Probe Response frame if: • the SSID matches, or • the Probe Request carried a broadcast SSID (0-byte SSID). • NetStumbler uses active scanning (capture: Probe Request from the client)
(capture: Probe Request from the client) Source address is the client (host). The SSID can also be a broadcast SSID, which triggers a Probe Response from all APs in the area.
Station Connectivity – Active Scanning • Active Scanning: Probe Response • In a BSS the AP is responsible for replying to Probe Requests with Probe Responses. • Probe Responses are unicast frames. • Probe Responses must be ACKnowledged by the receiver (client). • Like a beacon, Probe Response frames allow a station to find out everything it needs to begin communications with the AP, including: • SSID • Supported Rates (capture: the Probe Request, the Probe Response from the AP, and the client’s ACK)
(capture: Probe Response from the AP) Destination Address is the client that issued the Probe Request. Source address is the AP (same as the BSSID). • Like the beacon, the Probe Response contains certain information that lets a station know if it can continue to attempt to join this network: • SSID • Supported Rates • Privacy (capability bit): • WEP • None (open)
Capturing the Probe Response (screenshot)
Station Connectivity – Multiple APs • How a station chooses an AP is not specified in 802.11. • It is left up to the vendor. • It could be based on matching SSIDs, signal strength, or supported data rates. (figure: most likely Vivian’s station will communicate with AP 2, which matches her SSID and has the stronger signal strength)
Station Connectivity – “Hey, I didn’t do anything and I am on the Internet!” • Access Points can be configured whether or not to allow clients with broadcast SSIDs to continue the connectivity process. • If there is no authentication on the AP, then the client will most likely “associate” and be on the network! • Cisco APs use a default SSID of tsunami, known as the “guest mode” SSID. (coming) • Unless this feature is disabled or authentication is enabled, anyone can easily associate with your AP and access your network (or the Internet). Exchange shown: client with no SSID configured → Probe Request with broadcast (empty) SSID → Probe Response from the AP with SSID = tsunami → ACK from the client.
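The Probe Request / Probe Response decision described on the active-scanning slides and the broadcast-SSID (guest mode) behaviour on this slide, as an added example that is not from the presentation. Only frame bodies are built, not the MAC header: the SSID and Supported Rates information elements of a Probe Request, and the fixed fields (timestamp, beacon interval, capability) plus elements of a Probe Response. A zero-length SSID element is the broadcast SSID. The `answer_broadcast` switch is a constructed stand-in for the AP option of replying or not to broadcast probes; the default rates and the SSID tsunami are sample values.

```python
"""Probe Request / Probe Response handling on an AP (added example)."""
import struct

ELEM_SSID = 0
ELEM_SUPPORTED_RATES = 1
CAP_ESS = 0x0001         # capability bit: infrastructure BSS
CAP_PRIVACY = 0x0010     # capability bit: WEP required
TU_MICROSECONDS = 1024   # one 802.11 time unit
BASIC_RATES_B = b"\x82\x84\x8b\x96"   # 1, 2, 5.5, 11 Mbps, all marked basic


def element(eid, data):
    """Encode one information element: ID, length, value."""
    if len(data) > 255:
        raise ValueError("information element too long")
    return bytes([eid, len(data)]) + data


def ssid_element(ssid):
    data = ssid.encode()
    if len(data) > 32:
        raise ValueError("SSID is at most 32 bytes")
    return element(ELEM_SSID, data)


def parse_elements(body):
    """Return {element_id: bytes} from a tagged-parameter list, checking lengths."""
    elems, off = {}, 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            raise ValueError("truncated information element")
        elems[eid] = body[off + 2: off + 2 + ln]
        off += 2 + ln
    return elems


def build_probe_request(ssid, rates=BASIC_RATES_B):
    """Probe Request body: SSID element (empty string = broadcast) then Supported Rates."""
    return ssid_element(ssid) + element(ELEM_SUPPORTED_RATES, rates)


class ProbeResponder:
    """The AP side: decide whether a Probe Request gets a Probe Response."""

    def __init__(self, ssid, beacon_interval_tu=100, answer_broadcast=True,
                 privacy=False, rates=BASIC_RATES_B):
        self.ssid = ssid
        self.beacon_interval_tu = beacon_interval_tu
        self.answer_broadcast = answer_broadcast   # guest-mode style option (constructed)
        self.privacy = privacy
        self.rates = rates

    def handle_probe_request(self, body):
        """Return a Probe Response body, or None if the AP must stay silent."""
        elems = parse_elements(body)
        if ELEM_SSID not in elems:
            return None
        wanted = elems[ELEM_SSID]
        if wanted == b"":
            if not self.answer_broadcast:
                return None                  # broadcast SSID ignored by configuration
        elif wanted != self.ssid.encode():
            return None                      # some other network's SSID
        cap = CAP_ESS | (CAP_PRIVACY if self.privacy else 0)
        # Fixed fields: 8-byte timestamp (TSF, zero here), beacon interval in TU, capability.
        fixed = struct.pack("<QHH", 0, self.beacon_interval_tu, cap)
        return fixed + ssid_element(self.ssid) + element(ELEM_SUPPORTED_RATES, self.rates)


def parse_probe_response(body):
    """What the scanning client learns: SSID, beacon interval in seconds, privacy, rates."""
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    elems = parse_elements(body[12:])
    return {
        "ssid": elems[ELEM_SSID].decode(),
        "beacon_interval_s": interval_tu * TU_MICROSECONDS / 1_000_000,
        "privacy": bool(cap & CAP_PRIVACY),
        "rates": elems.get(ELEM_SUPPORTED_RATES, b""),
    }
```

With the default `answer_broadcast=True` and no privacy bit, a client that sends an empty SSID gets back everything it needs to continue to authentication and association, which is exactly the "I didn't do anything and I am on the Internet" case; the `privacy` flag in the parsed response is what tells the client whether WEP will be required before it gets that far.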