IEEE 802.11 Wireless LANs Presented by Peng Ge September 12, 2001
Wireless LAN vs. Wired LAN • Similarity • From the beginning, 802.11 was designed to look and feel like other IEEE 802 wired LAN • 802.11 operates under 802.2 LLC layer (same as 802.3) • Difference • using air link (that is, no real link) • Everything around is either a reflector or an attenuator of the signal • location-dependent: some change in position can cause large changes in the received signal strength • security problem: packets broadcast in air • Mobility • protocols to deal with mobility : DHCP, mobile-IP • no fixed physical location, “what is the nearest printer?”
History of IEEE 802.11 • The first version was adopted in 1997 • MAC sub-layer • MAC management protocols and services • Three physical layers: all operate on 1M or 2Mbps • infrared-based PHY • Frequency Hopping Spread Spectrum (FHSS) radio in 2.4GHz • Direct Sequence Spread Spectrum (DSSS) radio in 2.4GHz • Revised in 1999, adding 2 new PHY layers • Orthogonal Frequency Division Multiplexing (OFDM) • 802.11a, radio in UNII bands, delivering up to 54Mbps • extension to DSSS PHY • 802.11b, in 2.4GHz, delivering up to 11Mbps
Overview • IEEE 802.11 Architecture and Services • Medium Access Control • MAC Management • The Physical layer
Component in 802.11 Architecture • Station : mobile/portable/stationary node • provide station-services : • authentication, de-authentication, privacy, and delivery of data • Basic Service Set (BSS) • a group of stations connected to each other • Independent BSS (IBSS) : no connection to wired network • e.g., short-lived ad-hoc network • no relay function in an IBSS (in MAC layer) • when a BSS includes an Access Point (AP) • it’s no longer independent. • called Infrastructure BSS, or BSS
Component in 802.11 Architecture • Access Point (AP) • A station that provides distribution services • All mobile stations communicate with AP • AP provides connection to wired LAN if any, and local relay function in BSS • A little waste for local communication • up-link and down-link consume twice the bandwidth • benefits outweigh the cost, such as • buffering at AP when the station is in low power state
Component in 802.11 Architecture • Extended Service Set (ESS) • a set of BSSs whose APs communicate among themselves to forward traffic and to facilitate mobility • Distribution System (DS) : • an abstract medium for the communication among APs • 802.11 didn’t define how to implement DS • APs from different vendors may not be used in one ESS • could be wired LAN (802.3), or purpose-built box • Services • Station services : • authentication, de-authentication, privacy, delivery of data • Distribution services : • association, re-association, de-association, distribution, integration
Station Services • Authentication • to prove the identity of one station to another • De-authentication • to eliminate a previously authorized user from further use • Privacy • to provide an equivalent level of protection for data on WLAN as that provided by Wired network • Delivery of data • similar to other 802 LANs • to provide reliable delivery of data frames in MAC layers, with minimal duplication and minimal reordering.
Distribution Services • Association • to make a logical connection between mobile station and AP • Re-association • similar to association, except including the info about previously associated AP (for roaming, data forwarding, etc.) • De-association • either to force a mobile node to associate or just announce the association is no longer available/required • Distribution • An AP to determine how to deliver the frames • within its own BSS, into DS to another AP, outside WLAN • Integration • translation between 802.11 frames and other LAN frames
Interaction between some services • State 1: Unauthenticated, Unassociated (Class 1 frames) • State 2: Authenticated, Unassociated (Class 1 & 2 frames) • State 3: Authenticated and Associated (Class 1, 2 & 3 frames) • Successful Authentication: State 1 to State 2 • Successful Association or Re-Association: State 2 to State 3 • De-Association Notification: State 3 to State 2 • De-Authentication Notification: State 2 or State 3 to State 1
Interaction between some services • Each station maintains 2 variables • state of authentication and state of association • A station may be authenticated with many stations simultaneously • A station may be associated with only one other station at a time • Multiple instances of the variables are needed • to maintain a unique copy for each station it communicates with • If a station is a part of an IBSS (ad hoc) • it’s allowed to implement data service in state 1 • because neither authentication nor association is used in IBSS, no station can leave state 1 • A station must react to every frame it receives • even if the frame type is not allowed for a particular state • A station in state 1 (state 2) will send back a de-authentication (de-association) upon receiving an illegal frame, to force the other station to transition to the proper state
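The per-peer state variables and the reaction to illegal frames described on the two slides above, as an added example that is not part of the original presentation. The frame-to-class table is an abbreviated subset taken from the standard's class definitions, and the class, event and action names are hypothetical.

```python
from enum import IntEnum


class State(IntEnum):
    UNAUTHENTICATED = 1  # State 1: unauthenticated, unassociated
    AUTHENTICATED = 2    # State 2: authenticated, unassociated
    ASSOCIATED = 3       # State 3: authenticated and associated


# Assumption: abbreviated frame-to-class mapping (subset of the standard's lists).
FRAME_CLASS = {
    "beacon": 1, "probe_request": 1, "probe_response": 1,
    "authentication": 1, "de_authentication": 1,
    "association_request": 2, "association_response": 2,
    "reassociation_request": 2, "reassociation_response": 2,
    "de_association": 2,
    "data": 3, "ps_poll": 3,
}


class Station:
    """Keeps one state variable per peer, as the slide requires."""

    def __init__(self, ibss=False):
        self.ibss = ibss
        self.peers = {}  # peer address -> State

    def state(self, peer):
        return self.peers.get(peer, State.UNAUTHENTICATED)

    def on_event(self, peer, event):
        """Apply one transition of the three-state diagram; return the new state."""
        cur = self.state(peer)
        new = cur
        if event == "auth_success" and cur == State.UNAUTHENTICATED:
            new = State.AUTHENTICATED
        elif event in ("assoc_success", "reassoc_success") and cur == State.AUTHENTICATED:
            # Only one association at a time: any previous one falls back to state 2.
            for other in list(self.peers):
                if self.peers[other] == State.ASSOCIATED:
                    self.peers[other] = State.AUTHENTICATED
            new = State.ASSOCIATED
        elif event == "de_association" and cur == State.ASSOCIATED:
            new = State.AUTHENTICATED
        elif event == "de_authentication":
            new = State.UNAUTHENTICATED
        self.peers[peer] = new
        return new

    def receive(self, peer, frame):
        """Decide how to react to a frame from `peer` given the current state."""
        cur = self.state(peer)
        if FRAME_CLASS[frame] <= cur:
            return "accept"
        if self.ibss and frame == "data":
            return "accept"  # IBSS stations deliver data while staying in state 1
        if cur == State.UNAUTHENTICATED:
            return "send_de_authentication"
        return "send_de_association"
```
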
Overview • IEEE 802.11 Architecture and Services • Medium Access Control • MAC Management • The Physical layer
MAC functionality • To provide reliable data delivery service • through a frame exchange protocol at MAC level • Reliability is improved as compared to earlier WLANs • To fairly control access to the wireless medium • Distributed Coordination Function : basic access • Point Coordination Function : centrally controlled access • To protect the data it delivers • a privacy service, Wired Equivalent Privacy (WEP) • the same level of protection the data might have on a wired LAN that prevents unauthorized connection
MAC Frame Exchange Protocol • [Figure: Snd sends a frame, Rcv returns an ACK; stations A, B, C] • The minimal protocol has two frames • The two frames are an atomic unit of the MAC protocol • The frame will be retransmitted if ACK is missing • reduce the inherent error rate at the cost of extra bandwidth • more efficient in MAC layer than in higher layer • to determine the lost packet, higher layer timeout is often in seconds • Hidden Node Problem
MAC Frame Exchange Protocol • [Figure: RTS, CTS, frame and ACK exchanged between Snd and Rcv; stations A, B, C with the area cleared by RTS and the area cleared by CTS] • Two more frames to solve Hidden Node Problem • Request To Send (RTS) and Clear To Send (CTS) • The four frames are an atomic unit • if fails at any point, the station can recover and regain control of the medium in minimum time • To address the Hidden Node Problem
MAC Frame Exchange Protocol • dot11RTSThreshold attribute (0-2339) • The value defines the frame length above which RTS and CTS are required before sending the frame. • all frames with greater length use 4-way protocol • all frames with equal or less length use 2-way protocol • In some cases, 4-way protocol is unnecessary, such as • low bandwidth demand • concentrated area where everyone can hear the others. • Retry counters • long retry counter and short retry counter • long or short? Compare the frame length with dot11RTSThreshold • each retransmission will increment the corresponding retry counter • the frame has to be discarded if the retry counter reaches the limit • There is also a lifetime timer associated with each frame
MAC Basic Access Mechanism • CSMA/CA with binary exponential backoff • Carrier Sense Multiple Access • partly implemented by a physical sensing mechanism by PHY layer • Network Allocation Vector (NAV) • a value that indicates to a station the amount of time that remains before the medium becomes available to use • to provide a virtual carrier sensing • a station may avoid transmitting, even when medium seems free • CA (Collision Avoidance) instead of CD (Collision Detection) • Wireless device can hardly send and receive at the same time • Contention Window in Binary Exponential Backoff • When the transmission is deferred because the medium is busy, sender waits a random time within “contention window” • Contention window doubles its size every time the sender is deferred • Contention window resets to minimal size when transmission succeeds
Timing Intervals • 5 timing intervals recognized by 802.11 MAC • 2 basic intervals determined by PHY • Short Inter-Frame Space (SIFS) • Slot Time • SIFS < Slot Time, but they are close. • 3 additional intervals • Priority Inter-Frame Space (PIFS) = Slot Time + SIFS • used in PCF • Distributed Inter-Frame Space (DIFS) = Slot Time + SIFS * 2 • used in DCF • Extended Inter-Frame Space (EIFS) • much larger than any other intervals • used when a frame received by MAC contains error, allowing MAC frame exchange protocol to complete correctly
DCF Operation • [Figure: timeline from end of previous transmission, through DIFS and slot times, to next transmission] • When MAC is about to send a frame, • it checks if the medium is not in use for an interval of DIFS (EIFS if last frame received contained errors) • if in use, the MAC will • choose a backoff number and double the contention window • increment the appropriate retry counter • Otherwise, every interval of slot time the medium is idle, MAC will decrement the backoff value. • Once backoff interval expires, the frame is transmitted • if no ACK received, assume collision, backoff again • till the transmission is successful or is cancelled.
PCF Operation • PCF uses a “Poll and Response” protocol • to eliminate the possibility of contention for the medium • PCF is built over DCF, they can operate simultaneously • PCF uses PIFS to seize and keep the medium (PIFS < DIFS) • A Point Coordinator (PC) controls PCF • the PC is always located in an AP • stations request PC to register them on a polling list • PC regularly polls the stations for traffic and delivers traffic to • PC begins a Contention-Free Period (CFP) periodically • medium is completely controlled by PC, no DCF allowed • PC sends out a Beacon frame to notify the other stations • the Beacon provided the maximum length of the coming CFP • All stations have to update their NAV so that DCF is prohibited • PC ensures that the interval between frames is no longer than PIFS • another way to prevent DCF from gaining access to the medium
PCF Operation • [Figure: CFP frame sequence separated by SIFS and PIFS: Data+CF-Poll; Data+CF-Ack from station 1; Data+CF-Ack+CF-Poll to station 2; ACK from station 2; CF-Poll to station n; Data+CF-Poll to station n+1; CF-End] • PC expects a response frame in SIFS after sending a Poll • If no response in SIFS, PC will send its next frame in PIFS • PC will send a CF-End frame to conclude the CFP • To make the use of the medium more efficient, it’s possible to piggyback both ACK and CF-Poll onto data frames • station to PC: data frame with ACK of last frame received • PC to station: CF-Poll, ACK, and data can be in one frame • After the CF-End is heard, each station resets its NAV • DCF starts working
Control Frame subtypes • 6 control frame subtypes • request to send (RTS) and clear to send (CTS) • 20 bytes for RTS, 14 bytes for CTS • duration information of coming traffic, allow other stations to update their NAV, to prevent the collision • acknowledgement (ACK) 14 bytes • as a receipt, no need of retransmission • in fragmentation, ACK contains the duration information of next fragment, act like a CTS • power save poll (PS-Poll) 20 bytes • to request an AP to deliver a frame buffered when this station was in power-saving mode • contention-free end (CF-End) 20 bytes • to conclude a CFP by PC, let stations compete for the medium • contention-free end plus ACK (CF-End+ACK) 20 bytes • combination of two frame subtypes
Data Frame subtypes • 8 data frame subtypes • variable length frame: 29-2346 bytes • Data • encapsulate the upper layer protocol packet • Data+CF-ACK, Data+CF-Poll, Data+CF-ACK+CF-Poll • sent only during CFP, never used in IBSS • combination of frames, which may target different stations • Null function (no data) • Zero data length, but needed to complete the frame exchange • The sole purpose of the frame is to carry the “power management” bit • CF-ACK (no data) • more efficient to use the ACK control frame (14 bytes vs. 29 bytes) • CF-Poll (no data), CF-Poll+CF-ACK (no data)
Management Frame subtypes • 11 management frame subtypes • Beacon • transmitted periodically for others to locate and identify a BSS • also convey information of buffered frame for stations • Other information includes • service set identity (SSID), supported rates, PHY parameters,... • Probe Request • transmitted by a mobile station to quickly locate an 802.11 WLAN • either locate a WLAN with a particular SSID, or locate any WLAN • Our SSID is “tsunami” • Probe Response • In IBSS, the station who sent the latest Beacon answers the request • In BSS, AP always answers the Probe Request • A Probe Response is similar to a Beacon
Management Frame subtypes • Authentication • to conduct a multi-frame exchange between stations • The ultimate result is the verification of the identity to each other • De-authentication • notify the termination of an authentication relationship • Association Request and Response • for a mobile station to join the BSS, and the result • Re-association Request and Response • Association Request with additional information of current AP • Re-association Response is the same as Association Response • De-association • notify the termination of an association relationship • Announcement Traffic Indication Message (ATIM) • A mobile station in IBSS to notify others that it has frames buffered for a target mobile station that may be in low power mode.
Privacy in IEEE 802.11 MAC • Wired Equivalent Privacy • A wired LAN has to be physically compromised (tap line) • A WLAN can be compromised by anyone with an antenna • WEP provides the same security as wired LAN • The frame body of the data frame is encrypted • by RC4, developed by RSA Data Security, Inc. • a symmetric stream cipher that supports variable-length keys • RC4 supports keys of up to 256 bytes. 802.11 has chosen 40 bits. • No encryption for frame header and other frame types. • Protect only the content of data frame • Vulnerable to other threats, like traffic analysis • Key distribution or key negotiation is not included in 802.11 • Two ways to select a key for use • up to 4 default keys, or • a station to establish a key-mapping with another station
Fragmentation in 802.11 MAC • [Figure: Source sends RTS, Fragment 0, Fragment 1; Destination returns CTS, ACK 0, ACK 1; frames separated by SIFS] • dot11FragmentationThreshold attribute (256-2338) • Default value is such that no frame will be fragmented • A frame is divided into fragments according to threshold • When a frame is fragmented, “more fragment” bit is used • Subsequent fragment is sent out immediately upon receiving previous fragment’s ACK • no competition for medium, “fragment burst”
General Frame Format • Frame Control field (16bits) • frame type and subtype: control, data, management • To DS bit and From DS bit • 00: direct communication between two mobile stations • 01 or 10: a frame sent from AP to mobile station, or the opposite • 11: wireless DS, sharing the medium with BSS, from AP to AP • Other 1-bit sub-fields • More Data: There is at least one frame buffered here • More Fragment : This isn’t the last fragment in the fragmented frame • Retry: This is the retransmission, instead of first-time transmission • Power management: The station will enter low power mode, and won’t be available • WEP: The frame body is encrypted using WEP algorithm • Order: The content of data frame is provided to MAC with a request of strictly ordered service
General Frame Format • Duration/ID field (16bits) • Association ID (AID) in PS-Poll frame subtype • 0-2007, the ID a mobile station received at association • A Beacon includes Traffic Indication Map (TIM), up to 256 bytes, to tell which stations have frames buffered in the AP • each bit in TIM corresponds to a mobile station’s AID • Duration Information to update NAV, in other frame types • the length of the time the medium will be used after this frame • 32768 (1 for highest bit, 0 for others) for all frames sent in CFP • No station can interfere with CFP • 0 for all multicast data frames • There is no response in multicast • Address fields (IEEE 48-bit format for each) • up to 4 addresses: source, destination, receiver, transmitter, or BSSID
General Frame Format • Sequence Control field • Sequence Number subfield (12bits) • 0 to 4095 and wrap around. • Incremented after assignment to each MSDU • Fragment Number subfield (4bits) • incremented after assignment to each fragment • Frame Body field • variable length field, can be as long as • 2304 bytes without WEP, 2312 bytes with WEP • 2304 was chosen to allow applications to send 2048-byte pieces of data • Frame Check Sequence field (32bits) • applying CCITT CRC-32 polynomial to MAC header and frame body • The same used in other IEEE 802 LAN standards
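A parser for the fields walked through on the three General Frame Format slides, as an added example that is not part of the original presentation. The bit positions inside Frame Control, the PS-Poll subtype value, the two marker bits on the AID and the microsecond unit follow the standard's layout rather than the slides; the sample frames are constructed and all names are hypothetical.

```python
import struct
import zlib

TYPES = {0: "management", 1: "control", 2: "data"}
# One-bit sub-fields in bits 8..15 of Frame Control, in transmission order.
FLAGS = ("to_ds", "from_ds", "more_fragment", "retry",
         "power_management", "more_data", "wep", "order")
DS_MEANING = {(0, 0): "station to station", (1, 0): "station to AP",
              (0, 1): "AP to station", (1, 1): "AP to AP over wireless DS"}
PS_POLL = 10  # control frame subtype value


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw):
    """Decode Frame Control, Duration/ID, Sequence Control and check the FCS."""
    if len(raw) < 14:
        raise ValueError("shorter than the smallest frame (14-byte CTS/ACK)")
    covered = raw[:-4]                        # MAC header + frame body
    (fcs,) = struct.unpack("<I", raw[-4:])
    fc, dur_id = struct.unpack_from("<HH", raw, 0)
    out = {"version": fc & 3,
           "type": TYPES.get((fc >> 2) & 3, "reserved"),
           "subtype": (fc >> 4) & 0xF}
    for i, name in enumerate(FLAGS):
        out[name] = (fc >> (8 + i)) & 1
    out["ds"] = DS_MEANING[(out["to_ds"], out["from_ds"])]
    if out["type"] == "control" and out["subtype"] == PS_POLL:
        out["aid"] = dur_id & 0x3FFF          # the two top bits are set as a marker
    elif dur_id == 32768:
        out["duration"] = "CFP"               # fixed value for frames sent in a CFP
    else:
        out["duration"] = dur_id              # NAV update, in microseconds
    out["addr1"] = mac(raw[4:10])
    if out["type"] in ("management", "data"):
        hdr = 30 if (out["to_ds"] and out["from_ds"]) else 24  # 4th address
        if len(covered) < hdr:
            raise ValueError("truncated header")
        (seq_ctl,) = struct.unpack_from("<H", raw, 22)
        out["fragment"] = seq_ctl & 0xF       # low 4 bits
        out["sequence"] = seq_ctl >> 4        # high 12 bits, 0..4095
        out["body_len"] = len(covered) - hdr
    out["fcs_ok"] = zlib.crc32(covered) == fcs
    return out


def with_fcs(frame):
    """Append the CRC-32 of header and body, least significant byte first."""
    return frame + struct.pack("<I", zlib.crc32(frame))


# Constructed samples: a WEP-flagged data frame sent towards the AP, and a PS-Poll.
STA, AP, DST = (bytes.fromhex(h) for h in
                ("020000000001", "02000000000a", "02000000000b"))
SAMPLE_DATA = with_fcs(struct.pack("<HH", 0x4108, 44) + AP + STA + DST
                       + struct.pack("<H", (291 << 4) | 2) + bytes(32))
SAMPLE_PS_POLL = with_fcs(struct.pack("<HH", 0x00A4, 0xC000 | 5) + AP + STA)
```

The parser reads every header field of the WEP-flagged sample without any key, which is the slide's point that WEP protects only the frame body.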
Overview • IEEE 802.11 Architecture and Services • Medium Access Control • MAC Management • The Physical layer
MAC Management • The first in 802.x to include MAC management • 802.11 WLAN has a more complex environment • Many other users to share the medium • Microwave Oven operates in 2.4GHz band (because one excitation frequency of water molecule lies in that band) • Radio frequency ID (RFID) tag uses microwave power, i.e. tracking retail inventory, identify rail cars, … • Other WLANs than 802.11 that share the medium • Other 802.11 WLANs that share the medium • Security: the medium is connectable to anyone • Mobility: to provide the reliable service like wired LAN • Power management: to save the battery life. • Defined MAC management capabilities in 802.11 • Authentication, Association, Address filtering, Privacy, Power management, and Synchronization
MAC Management • Authentication • for one station to prove its identity to another station • frame exchanges: questions, answers, and results • Two authentication algorithms available • Open system authentication • always returns “success” as the result • Shared key authentication • depends on both stations sharing the same WEP key • encrypts and decrypts a “challenge text” to prove it owns the key • There is no limit on the number of authentications. • one station can pre-authenticate with many stations • Usually an AP initiates the authentication to a mobile station • the AP is assumed to have a more privileged position • some subtle security problems • A rogue AP can adopt the SSID, take the place of the old AP, and intercept the content of frames in plain text.
MAC Management • Association • to provide transparent mobility to stations • Association is the process of a mobile station “connecting” to AP • only after a successful authentication • Only one association is permitted for each station • Once associated, AP is responsible for forwarding the data frames • The procedure of association • Mobile station sends a request, including its information • data rate supported, contention-free abilities, support of WEP … • AP decides to grant or deny the service request • 802.11 doesn’t define what policy the AP should use • Re-association • DS must maintain the location of each mobile station • association request + last AP address • New AP contacts old AP, gets buffered data frames, terminates the old association
MAC Management • Address filtering (MAC function) • more complicated than other 802 LANs • not only based on destination address • each data/management frame has at least 3 addresses • and a BSS identifier (BSSID) • A station must use addresses and BSSID when making receive decisions, according to the standard • Filtering on BSSID is important to minimize the multicast frames with which the station must deal • Privacy (MAC function) • WEP mechanism, as described earlier
MAC Management • Power management • the most complex part in 802.11 standard • allows mobile stations to enter low power modes • turn off receiver and transmitter to conserve power • Two different mechanisms for IBSS and BSS, respectively • Independent BSS • The station enters low power state after notifying another station • This station must wake up periodically to receive the beacon, and stay awake for a period after the beacon, called “ad hoc traffic indication message (ATIM) window” • A station that wants to send to a low-power station should use ATIM to inform the targeted receiver • The receiver should acknowledge it and stay awake till next ATIM window • In multicast, no ACK expected, each receiver must stay awake till next ATIM window
MAC Management • Power management • Infrastructure BSS • each station should inform AP, in association request, the number of the beacon periods that the station will be in low power mode • Each beacon includes Traffic Indication Map(TIM) • data frame will remain buffered no less than the number of beacon periods determined in association • for multicast, AP will send out the frame right after the Beacon • a station to join multicast must wake up every beacon period • An AP that is running CFP will use CFP to deliver buffered frames to stations that are CF-Pollable • it may also use CFP to deliver multicast frame • Power saving is deeper in Infrastructure BSS than in IBSS • station is not required to wake up every beacon period • it doesn’t have to stay awake after the beacon
MAC Management • Synchronization • the process of stations in a BSS getting in step with each other • to allow support of PHY layers that use time-based mechanisms • e.g., frequency hopping • the process involves • beaconing, to announce the presence of a BSS, and • scanning, to find a BSS • the process is entirely distributed • Timer Synchronization Function (TSF) • maintains a 64-bit timer running at 1MHz, synchronized by beacons • current TSF timer = the value in beacon + processing time • Independent BSS • each beacon contains the TSF timer of the sender • TSF timer can only be incremented • All stations will synchronize to the fastest timer in BSS, eventually
MAC Management • Synchronization • Infrastructure BSS • only AP sends beacon, so all stations synchronize to AP's timer • Beacon frame may not be received by some stations • may be delayed by contention for the medium • The broadcast of beacon may be corrupted, and no retry is attempted • There is no degradation to the WLAN operation • Scanning • passive scanning: switch to a channel, and listen for beacon • saves power, takes longer if no BSS in current channel • active scanning: switch to a channel, send a probe request, and wait for the beacon or probe response • saves time to find a BSS, needs more power • Join a BSS • after finding a BSS, synchronize all MAC and PHY parameters with the BSS, and start to use the service
Overview • IEEE 802.11 Architecture and Services • Medium Access Control • MAC Management • The Physical layer
PHY Layer • [Figure: layer stack: MAC Layer above the PHY Layer, which is split into the PLCP Sub-layer and the PMD Sub-layer] • To provide 3 levels of functionality • Physical layer convergence procedure (PLCP) sub-layer • controls frame exchange between the MAC and PHY • Physical medium dependent (PMD) sub-layer • transmit data frames over the medium • PHY provides a carrier sense indication back to MAC • to verify the activity on medium
DSSS PHY • Direct Sequence Spread Spectrum • one of three PHY layers defined in IEEE 802.11 • operates at 2.4GHz band • PLCP protocol data unit (PPDU) in DSSS • PLCP preamble and PLCP header: are always sent at 1Mbps • MAC protocol data unit (MPDU) may be sent in 1 or 2Mbps • Each DSSS channel occupies 22MHz of bandwidth • 11 channels available in North America, with 5MHz intervals • At most 3 non-interfering channels spaced 25MHz apart
FHSS PHY • Frequency Hopping Spread Spectrum • one of three PHY layers defined in IEEE 802.11 • operates at 2.4GHz band • PLCP preamble and PLCP header are always sent at 1Mbps • In North America and Europe (excluding Spain and France) • 79 channels are chosen over a span of 84.3MHz • Each channel covers 1MHz bandwidth • 3 sets of hopping sequences • designed to minimize the interference • According to FCC regulation in US • Every second, FHSS radio must hop at least 2.5 hops and 6MHz distance
IR PHY • Infrared • one of three PHY layers defined in IEEE 802.11 • uses near-visible light as the transmission media • restricted to indoor environment, cannot pass through walls • different from DSSS or FHSS • PPDU consists of PLCP preamble, PLCP header, and PSDU • PLCP preamble and PLCP header are always sent at 1Mbps • PSDU can be sent at 1 or 2Mbps
OFDM PHY • Orthogonal Frequency Division Multiplexing • defined in IEEE 802.11a, 1997 • operates at 5GHz U-NII frequency • PLCP preamble and PLCP header are always sent at 1Mbps • PSDU can use 6, 9, 12, 18, 24, 36, 48, 54Mbps • 6, 12, 24MHz are mandatory rates for 802.11a-compliant system
HR/DSSS PHY • High Rate DSSS • defined in IEEE 802.11b, 1997 • extend the PSDU data rates to 5.5 and 11Mbps • provides a rate shift mechanism, which allows 11Mbps networks to fall back to 1 and 2Mbps, and inter-operate with 802.11 PHY layers • Two kinds of PLCP preamble • long preamble with 128-bit SYNC field (same as old DSSS PHY) • is backward compatible with existing 802.11 DSSS • sent at 1Mbps, PSDU may be sent at 1, 2, 5.5, and 11Mbps • short preamble with 56-bit SYNC field • sent at 2Mbps, PSDU may be sent at 2, 5.5, and 11Mbps • higher speed than “long preamble” • cannot inter-operate with 802.11 2Mbps network • The same channel allocation as old DSSS