WLAN Infrastructure
802.11 Products [Figure: wireless data technologies plotted by Data Rates (9.6 Kbps, 19.6 Kbps, 56 Kbps, 1 Mbps, 2 Mbps, 4 Mbps, 10 Mbps, 54 Mbps) against Coverage Area (Local to Wide). Labels: Infrared Wireless LANs, Spread Spectrum Wireless LANs, Narrow Band Wireless LANs, Wireless Data Networks, Broadband PCS, Metricom, Circuit & Packet Data (Cellular, CDPD, RAM, ARDIS), Satellite, Narrowband PCS.]
License Free ISM Band • 902-928 MHz (26 MHz) • 2.4 – 2.4835 GHz (83.5 MHz, IEEE 802.11B) • 5 GHz (IEEE 802.11A), HyperLAN, HyperLAN2 • Notes: Very little spectrum is for unlicensed use. [Figure: radio spectrum from Extremely Low through Super High frequencies, Infrared, Visible Light, Ultraviolet and X-Rays, marking Audio, AM Broadcast, Short Wave Radio, FM Broadcast, Television, Cellular (840MHz), NPCS (1.9GHz) and Infrared wireless LAN; bands are tagged Older Product, Current Product and Future Technology.]
Channels - 802.11b • Spectrum: 83MHz • Channels: Three 22MHz stationary channels. Only 3 non-overlapping. • Speeds: 1, 2, 5.5, and 11 Mbps data rate [Figure: channels 1 through 11 laid out between 2400 and 2483]
Coverage [Figure: coverage areas labeled 1 Mbps DSSS, 2 Mbps DSSS, 5.5 Mbps DSSS and 11 Mbps DSSS]
Bandwidth • Blue = 11Mb • Green = 11Mb • Red = 11Mb • Total Bandwidth = 33MB
Site Survey Channel Mapping [Figure: map of cells, each labeled Channel 1, Channel 6 or Channel 11]
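The three-channel limit above follows from 22 MHz channels on 5 MHz-spaced centers. This added example (not part of the original slides) derives the 1/6/11 set and flags overlapping neighbours in a site-survey channel map. The 2412 MHz center for channel 1 is standard 802.11b numbering rather than slide content, and the AP names, channels and adjacency list are constructed.

```python
# Added example: 802.11b channel-overlap check for a site-survey channel map.
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22          # from the slide: 22 MHz stationary channels
BAND_CHANNELS = range(1, 12)    # channels 1-11, as drawn on the slide

def center_mhz(channel):
    """Center frequency: channel 1 is 2412 MHz, each step adds 5 MHz."""
    if channel not in BAND_CHANNELS:
        raise ValueError(f"channel {channel} is outside 1-11")
    return 2412 + 5 * (channel - 1)

def overlaps(a, b):
    """Channels overlap when their centers are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ

def max_clean_set():
    """Largest set of mutually non-overlapping channels (brute force)."""
    for size in range(len(BAND_CHANNELS), 0, -1):
        for combo in combinations(BAND_CHANNELS, size):
            if not any(overlaps(a, b) for a, b in combinations(combo, 2)):
                return list(combo)
    return []

def find_conflicts(ap_channels, neighbours):
    """Return neighbouring AP pairs whose channels overlap (co-channel too)."""
    conflicts = []
    for a, b in neighbours:
        if overlaps(ap_channels[a], ap_channels[b]):
            conflicts.append((a, b, ap_channels[a], ap_channels[b]))
    return conflicts

# Constructed survey data: an unplanned departmental AP sits on channel 4.
SURVEY = {"ap-hall-1": 1, "ap-hall-2": 6, "ap-hall-3": 11,
          "ap-dept-unplanned": 4}
NEIGHBOURS = [("ap-hall-1", "ap-hall-2"), ("ap-hall-2", "ap-hall-3"),
              ("ap-hall-1", "ap-dept-unplanned"),
              ("ap-hall-2", "ap-dept-unplanned")]

if __name__ == "__main__":
    print("non-overlapping set:", max_clean_set())
    for a, b, ca, cb in find_conflicts(SURVEY, NEIGHBOURS):
        print(f"overlap: {a} (ch {ca}) <-> {b} (ch {cb})")
```
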
Site Survey Bandwidth Layout [Figure: cells labeled 11 Mbps, 5.5 Mbps and 2 Mbps]
30mW Cell Size Comparison • 11 Mbps DSSS: 80-100 feet radius • 5.5 Mbps DSSS: 100-200 feet radius • 2 Mbps DSSS: 200-275 feet radius • 30 milli-Watt client and Access Point range capabilities
Cell Size Comparison, Cont. • Full Antenna Power – 30mW • 3 Access Points • Reduce Antenna power - 5mW • 18 Access Points • Fewer users per access point [Figure: two cell layouts with access points on channels 1, 6 and 11]
Antennas • Antennas extend range by changing the shape of the signal • Different applications call for different antennas • Measurements given in “gain” – dBi • Cable type/length greatly affects “gain”
Antennas, Cont. • Maximum Coverage • Autorate Negotiation • Wireless for Students • DiPole Indoor, Patch Outdoor • AP’s on Isolated LAN with PIX [Figure: Building with Class 1 to Class 4 and Class 8 to Class 11 along an 850’ Hallway, a Courtyard marked 1000’ and 1000’, and access points on channels 1, 6 and 11]
Antennas, Cont. • Maximum Coverage • Autorate Negotiation • Cabling Only Available at Store Front • Yagi Antennas and DiPole [Figure: area marked 850’ and 2000’ with access points on channels 1, 6 and 11]
Products Evolving • Better radios – better reception, improved bandwidth • Better management • Easier to deploy (in-line power) • More security • New standards
100mW Cell Size Comparison • 11 Mbps DSSS: 100-150 feet radius • 5.5 Mbps DSSS: 150-250 feet radius • 2 Mbps DSSS: 250-350 feet radius • 100 milli-Watt client and Access Point range capabilities
802.11a (fall?) • Spectrum (US*): 50mW from 5.150 – 5.250 GHz; 250mW from 5.250 - 5.350 GHz; 1W from 5.725 – 5.825 GHz • Speeds: 6, 12, and 24Mbps for compliance; 54Mbps+ expected • Channels: 20 MHz channels • Vendors? 8 - 15
Wired or Wireless… • Wireless pilots encouraged, but would not invest heavily – technology changing • Wireless is not a replacement for wired networks at this time
Interference potential • 802.11b • Bluetooth • HomeRF • Cordless Phone • Other Frequency Hopping
Problems with just plugging it in • Colliding channel allocations? • How to implement authentication (WEP)? • Coordination between autonomous departments? • Interference with other devices? • On different subnets? • Different access policies? • Dueling Access Points? • Signal leakage between buildings? • Building codes? • You are not in control. [Figure: Building A and Building B]
Wireless Networks are Public • Public networks will be designed, installed, and managed by TIS on the department’s behalf (and with the department’s funding) • Public networks must be authenticated • Installation will be professional, following UT building codes and practices • Spectrum will be allocated/adjudicated by TIS • Public interest will be considered over private interest in wireless conflicts • There are always exceptions
Authentication Schemes • SSIDs (Service Set Identifiers) • Broadcast in clear by unit and clients. Anyone can hear and insert. • WEP (Wired Equivalent Privacy) • Uses RC4, problems with exchanging keys. Either sent in clear or have to be manually configured and then exposed on client. • MAC (hardware address restrictions) • Restrict based on Ethernet hardware address. Hard to manage across all access points. Any card can pretend to be any MAC address.
Authentication Schemes, Cont. • UTEID (home grown) • http://www.tis.utexas.edu/network/pubaccess/ • UT’s home grown digitally signed fat cookie application. Doesn’t provide encryption, but doesn’t require any custom software and is compatible with all OSes. • 802.1X / EAP / LEAP • Extended Authentication Protocol, Lightweight Extended Authentication Protocol • Solves authentication and key distribution problem. Evolving standard and isn’t supported on some OSes. LEAP doesn’t use same secured mechanisms as EAP-TLS. • VPN (Virtual Private Network) • Requires client software. All traffic has to go to VPN gateway and back – obviates local routing/switching.
SSID - Broadcast in clear by AP and client, anyone can add to their client - Must be manually configured on all clients • Provides no encryption of signals • Provides no user authentication/accounting
WEP + Provides some encryption (still vulnerable to the same attacks as wired networks, à la dsniff) - Uses shared key which is exposed to other clients • Key must be manually configured on all clients (or sent in clear) • Has various crypto defects • Provides no user authentication/accounting
MAC • Requires obtaining hardware addresses of all clients • MAC address can be duplicated by any client • Must be maintained on all APs (not scalable) • Provides no encryption • Provides no user authentication/accounting
UT EID + Provides user authentication utilizing well known mechanism (already in use on wired ports) + Requires no additional software and is available on all platforms - Funnels all traffic through central gateway which obviates local switching/routing • No encryption provided • Home grown – unclear how to integrate with new offerings
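EAP over LAN (802.1X)
Participants: Laptop computer, Authenticator/Bridge (Ethernet), Radius Server. Laptop to authenticator is EAPOL; authenticator to server is RADIUS.
• Port connect (Access blocked)
• Laptop → Authenticator: EAPOL-Start
• Authenticator → Laptop: EAP-Request/Identity
• Laptop → Authenticator: EAP-Response/Identity
• Authenticator → Radius Server: Radius-Access-Request
• Radius Server → Authenticator: Radius-Access-Challenge
• Authenticator → Laptop: EAP-Request
• Laptop → Authenticator: EAP-Response (cred)
• Authenticator → Radius Server: Radius-Access-Request
• Radius Server → Authenticator: Radius-Access-Accept
• Authenticator → Laptop: EAP-Success
• Access allowed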
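EAP over Wireless
Participants: Laptop computer, Wireless Access Point (Ethernet), Radius Server. Laptop to access point is EAPOW over 802.11; access point to server is RADIUS.
• Association: 802.11 Associate (Access blocked)
• Laptop → Access Point: EAPOL-Start
• Access Point → Laptop: EAP-Request/Identity
• Laptop → Access Point: EAP-Response/Identity
• Access Point → Radius Server: Radius-Access-Request
• Radius Server → Access Point: Radius-Access-Challenge
• Access Point → Laptop: EAP-Request
• Laptop → Access Point: EAP-Response (cred)
• Access Point → Radius Server: Radius-Access-Request
• Radius Server → Access Point: Radius-Access-Accept
• Access Point → Laptop: EAP-Success
• Access Point → Laptop: EAPOW-Key (WEP)
• Access allowed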
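The exchange on the two slides above, modelled as an added example that is not part of the original slides: the access point relays EAP to RADIUS and keeps the port blocked until Radius-Access-Accept. The `radius` stub, the `AccessPoint` class, the user store and the EAP-Failure message sent on rejection are assumptions; no real EAP method or key derivation is run.

```python
# Added example: 802.1X controlled-port model (toy back end, constructed data).
USERS = {"alice": "correct-horse"}   # constructed credential store

def radius(request):
    """Toy RADIUS server: challenge on identity, then accept or reject."""
    if request["eap"] == "Response/Identity":
        return "Access-Challenge"
    user, cred = request["user"], request.get("cred")
    ok = user in USERS and cred is not None and USERS[user] == cred
    return "Access-Accept" if ok else "Access-Reject"

class AccessPoint:
    """Authenticator: relays EAP between client and RADIUS, gates the port."""

    def __init__(self):
        self.authorized = False          # "Access blocked" after association
        self.trace = []

    def forward_data(self, frame):
        """Data frames are dropped while the port is unauthorized."""
        return frame if self.authorized else None

    def _relay(self, eap_msg, request):
        """Log one client EAP message, its RADIUS request and the reply."""
        self.trace.append(f"client->AP  {eap_msg}")
        self.trace.append("AP->RADIUS  Radius-Access-Request")
        code = radius(request)
        self.trace.append(f"RADIUS->AP  Radius-{code}")
        return code

    def authenticate(self, user, cred):
        self.trace += ["client->AP  EAPOL-Start",
                       "AP->client  EAP-Request/Identity"]
        self._relay("EAP-Response/Identity",
                    {"eap": "Response/Identity", "user": user})
        self.trace.append("AP->client  EAP-Request")
        code = self._relay("EAP-Response (cred)",
                           {"eap": "Response", "user": user, "cred": cred})
        if code != "Access-Accept":
            self.trace.append("AP->client  EAP-Failure")   # port stays blocked
            return False
        self.authorized = True           # opened only by Access-Accept
        self.trace += ["AP->client  EAP-Success",
                       "AP->client  EAPOW-Key (WEP)"]      # key step from slide
        return True

if __name__ == "__main__":
    ap = AccessPoint()
    print(ap.authenticate("alice", "correct-horse"), *ap.trace, sep="\n")
```
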
Future EAP Client Work? • Microsoft is placing an 802.11 EAP native supplicant in: • Win2K, WinCE • What about other Microsoft OSes? • Win9x/WinNT (need LEAP) • What about other OSes? • Linux, MacOS (need LEAP)
Roaming from Access Point A to Access Point B (Change AP Association)
Steps to Re-association:
• Adapter listens for beacons from APs.
• Adapter evaluates AP beacons, selects best AP.
• Adapter sends association request to selected AP (B).
• AP B confirms association and registers adapter.
• AP B informs AP A of re-association with AP B.
• AP A forwards buffered packets to AP B and de-registers adapter.
802.1X/EAP/LEAP + Provides user authentication/accounting in scalable manner + Provides encryption (still vulnerable to the same attacks as wired networks, à la dsniff) • Evolving standard • Requires client software not extant on all platforms • Network equipment more likely to be proprietary • Will require inve$tment in new authentication infrastructure • LEAP doesn’t support same encryption features
VPN + Provides user authentication + Provides encryption • Requires software on all clients • Funnels all traffic through VPN gateway, obviates local switching/routing • Dedicated expen$ive VPN gateway hardware needed at high traffic rates, and new authentication infrastructure
What about other devices? Handheld? • EAP (Extensible Authentication Protocol) • VPN (IPsec) • PPP (PPTP, PPPoE) • LEAP (Lightweight & Efficient Application Protocol) – card drivers, only one time user/password authentication
We don’t decide… UTEID: • Already deployed • Could transition to VPN from UTEID easily or run in parallel • 802.1x would mean flag day for any mechanism and isn’t ready for deployment …see what the industry decides
Multicast Applications • Multicast support is in the WLAN infrastructure • Multicast has problems when clients roam • Router/L2 switch is unaware of the client move • Router/switch still sends the multicast stream to the original AP • Multicast stream is terminated when the router/L2 switch times out due to non-response to a multicast query • No IGMP leave is sent by AP or client