Wi-Fi 7 in Depth
Wi-Fi 7 in Depth
The authors and publisher have taken care in the preparation of this book,
but make no expressed or implied warranty of any kind and assume no
responsibility for errors or omissions. No liability is assumed for incidental
or consequential damages in connection with or arising out of the use of
the information or programs contained herein.
For information about buying this title in bulk quantities, or for special
sales opportunities (which may include electronic versions; custom cover
designs; and content particular to your business, training goals, marketing
focus, or branding interests), please contact our corporate sales
department at [email protected] or (800) 382-3419.
https://www.pearson.com/report-bias.html.
Hoboken, NJ
ISBN-13: 978-0-13-532361-8
ISBN-10: 0-13-532361-4
$PrintCode
Soo Kang
Brett Bartow
Executive Editor
Nancy Davis
Development Editor
Christopher Cleveland
Managing Editor
Sandra Schroeder
Production Editor
Mary Roth
Copy Editor
Jill Hobbs
Indexer
Timothy Wright
Proofreader
Donna E. Mulder
Technical Reviewer
Samuel Clements
Interior Designer
codeMantra
Cover Designer
Chuti Prasertsith
Contents at a Glance
1. 1 Wi-Fi Fundamentals
9. 9 Future Directions
10. Index
Contents
1. Scanning Procedures
2. DCF-Based Access
5. Summary
1. Next-AP Discovery
2. 802.11k
3. 802.11v
1. ADDTS
3. Coexistence Challenges
1. ERP Protection
2. 802.11n Protection
2. Shared Key
5. Summary
2. Multiuser Transmissions
3. Preamble Puncturing
4. HE PPDU Format
2. Functional Improvements
2. BSS Coloring
4. Summary
3. Video-Conferencing
4. AR/VR/MR/XR
5. Promising Directions
6. Challenged Directions
1. Link Aggregation/Diversity
2. SLA Management
3. Summary
1. Wi-Fi7 in a Nutshell
1. Revolution
2. Evolution
2. Multi-Link Operation
4. Small-Size Multi-RUs
5. 4096-QAM
2. Extra EHT-LTFs
3. Packet Extension
8. Summary
1. MLO Architecture
1. Evolution to MLO
2. Multi-Link Devices
3. MLO Functions Support
1. MLD Discovery
2. Multi-Link Association
3. MLO Security
4. MLO Modes
5. ML Reconfiguration
6. Link Management
1. TID-To-Link Mapping
1. ML Power Management
8. Summary
3. Preamble Puncturing
4. EHT Sounding
2. Enhanced SCS
3. Restricted TWT
6. Wi-Fi 7 Security
3. Multiband Challenges
7. Summary
3. Cell Capacity
3. Summary
1. Wi-Fi 8 Directions
4. Security
3. The Hybrid AP
3. A Privacy-Respecting 802.11
2. 802.11aq
3. 802.11bh
4. 802.11bi
4. Summary
10. Index
Foreword
The authors of this book have been at the forefront of Wi-Fi’s evolution.
Their leadership in innovative development and contributions to standards
has been nothing short of amazing. They have not only witnessed but also
shaped the transformation of Wi-Fi, infusing the industry with their vision
and expertise. Through their work, they have ensured that Wi-Fi remains a
vital, dynamic force in the technological landscape.
As you embark on this journey through the pages of this book, you are
invited to explore the intricacies of Wi-Fi 7, to understand its significance,
and to appreciate the dedication of those who have brought it to life.
Whether you are a network engineer, a product manager, a researcher, or
simply a technology enthusiast, this book will serve as an invaluable
resource, illuminating the path to a more connected and capable world.
—Matt MacPherson
In many ways, this century resembles Wi-Fi. Every few years, new
developments fundamentally change the way we work and communicate.
Each time we look back a few years, we realize that today we have more
information to absorb and more new technologies at our disposal. What
was once concluded to be impossible is now experimented with or
achieved sooner and faster than we thought. The development of Wi-Fi
seems to follow the same trends. Six years separated Wi-Fi 4 (802.11n)
from Wi-Fi 5 (802.11ac), but then 802.11ac Wave 2, Wi-Fi 6 (802.11ax),
Wi-Fi 6E, and now Wi-Fi 7 followed each other at intervals of just a few
years. Each time, it seems that the next generation solves major problems
that the previous generations surprisingly ignored. This fast pace means
that some features that were heralded as fundamental changes end up
being barely adopted by the vast majority of the market actors.
Wi-Fi 7, and its underlying standard IEEE 802.1be, have been caught up in
this trend. Wi-Fi 6E made news by bringing 802.11 to a new, legacy-free
segment of the spectrum. This was the largest spectrum addition in the
history of Wi-Fi, and the absence of legacy devices in this new band
allowed Wi-Fi to implement a multiplicity of efficient features. Reading the
press reports, it might seem as if, by contrast, Wi-Fi 7 is just about adding
Multi-Link Operations (MLO). This ability to establish multiple active links
to an AP device is certainly nice, but limited to a single AP device. It also
resembles the “dual connection” feature that many vendors had been
enabling for several years.
This reading of the merits of each generation misses the forest for a few
(headline-worthy) trees. Wi-Fi has now established itself as the access
technology of choice. All year round, new trends, new challenges, and new
possibilities are presented to the IEEE Wireless Next Generation (WNG)
Standing Committee. Each issue that seems to become mainstream is
selected to be solved as part of the next 802.11 amendment. The
802.11be project was started at a time when myriad new applications
were appearing on the market, such as wireless Time-Sensitive
Networking (TSN) in the industrial Internet of Things (IoT), cloud gaming,
and the trio of augmented reality (AR), virtual reality (VR), and extended
reality (XR). These applications not only require high bandwidth, but also
are very sensitive to delay and jitter (the variation in delays between two
subsequent frames or packets). No Wi-Fi system could reasonably claim to
support such applications, especially at the high-density scale of 30 or
more headsets connected to the same access point in a classroom. At the
same time, video-conferencing had become common, and new IoT
applications—self-driving robots and the like—promised better efficiency,
albeit at the cost of a near-zero tolerance for packet losses. The 802.11
standard, designed during the years when the main philosophy was “best
effort,” could readily accept retry rates of 10%, but was widely
incompatible with any industrial requirements.
In other words, 802.11be and Wi-Fi 7 can be complex, and their successful
implementation requires a deep dive into the details. As we were finalizing
the last elements of Wi-Fi 7, we concluded that a book was necessary—
one that would explain the main features of 802.11be; detail what Wi-Fi 7
certification includes and what it leaves aside; and offer sufficient
technical background and information to help you master each aspect of
802.11be and Wi-Fi 7, while recognizing both their potential and their
limitations, and providing insights into why those limitations exist.
This book is about 802.11be and Wi-Fi 7. Although the early chapters
provide the fundamental information necessary to understand the 802.11
background upon which 802.11be is built, you still need to be familiar with
802.11 basics and the core ideas behind the 802.11be precursor
amendments (802.11n, 802.11ac, and 802.11ax). You should also be
familiar with Wi-Fi deployments, or at least the process of deploying
access points and achieving satisfactory coverage.
The primary audience for this book is networking professionals who work
with Wi-Fi and need to understand 802.11be and Wi-Fi 7 in detail, so as to
integrate Wi-Fi 7 devices into an existing wireless network or to manage a
Wi-Fi 7 network. If your task is to design or deploy a Wi-Fi 7 network,
either as an overlay to an existing network or as a brand-new (greenfield)
deployment, this book will provide the information you need to be
successful. If you are a technical person and just curious about the inner
workings of 802.11 (and, in particular, the 802.11be generation), this book
will give you ample information on the key processes that make Wi-Fi work
the way it works, from a small home to a large enterprise or industrial
network. If you are working with 802.11 and unsatisfied by the prospect of
reading countless resources that paraphrase the standard without truly
explaining it, this book should bring your smile back: We took care, while
explaining the main 802.11 features, to detail the context in which they
were designed, so you can see the intentions and constraints as you read
about the chosen mechanism.
Structure
The goal of Chapter 4, “The Main Ideas in 802.11be and Wi-Fi 7,” looks
into the main ideas of 802.11be and Wi-Fi 7 is not to provide details of the
frames and the exchanges, but rather to give you a clear view of the
context, the challenges that 802.11be attempted to solve, and the
solution that became part of the Wi-Fi 7 program.
Chapter 7, “EHT MAC Operation and Key Features,” then examines the
other MAC features in 802.11be and Wi-Fi 7, including the critical QoS and
priority scheduling mechanisms. Each of them could have been the
subject of a separate chapter, but in combination the elements in Chapter
4 (context and goals), Chapter 5 (PHY aspects), and this chapter should
give you all the information you need to understand them in depth.
The many new elements and mechanisms brought forward by 802.11be
raise questions about the coverage model. Can you design a Wi-Fi 7
network the way you designed Wi-Fi 6 and earlier networks? How do you
measure the performance of a Wi-Fi 7 device? Chapter 8, “Wi-Fi 7 Network
Planning,” dives into these questions, helping you become comfortable
with Wi-Fi network planning, surveys, deployment, and performance
assessment.
Although 802.11be brings forward many features, its designers were well
aware that some questions would be left unanswered. Chapter 9, “Future
Directions,” examines where the standard stopped and provides a glimpse
into where the conversations are going for the next generation after
802.11be. This chapter will give you an idea of what Wi-Fi 8 might look
like.
Copycopy
Copy
Highlighthighlight
Get Link
Acknowledgments
This book would not have been possible without the whole Pearson team
supporting us, the authors. We are grateful to Nancy Davis, who gave us
the opportunity to work on this project. We know that a big challenge for
such a book is in the choice of authors. The publisher needs to trust that,
although they probably have the technical expertise needed, those
authors will also be able to convey the intent and the complexities of the
technology and protocols in a way that can be used by readers in need of
precise yet practical information.
Jill Hobbs then took the time to scrutinize each sentence, each expression,
and each table. She made sure that their meaning would be accurate and
understandable without ambiguity, irrespective of the cultural and
language background of the reader.
Behind these people, many others invested time and effort to make this
book possible and accessible. Pearson team, thank you for giving us the
tools to share what we learned!
About the Authors
Brian Hart is a Principal Engineer in the Cisco Wireless group. Brian has
been working in wireless since 1996, after graduating with a PhD in
wireless physical layer signal processing from the University of
Canterbury, New Zealand. He authored many peer-reviewed research
papers on receiver design for time-varying channels while working as a
Research Fellow and Fellow at the Institute of Advanced Studies at the
Australian National University. In 2000, he joined the pioneering Wi-Fi
startup Radiata Communications, which was acquired by Cisco in 2001. At
Cisco, Brian was the PHY systems engineer for the pioneering 802.11a/b/g
baseband processing ASIC used in Cisco’s AP1131 and AP1252 Wi-Fi APs.
Brian has been an IEEE 802.11 Working Group voting member since 2006
and has made hundreds of contributions across tens of groups, including
802.11ac, 802.11ax, and 802.11be. He was elected co-chair of the VHT
PHY and HE MAC ad hoc groups. He is also active at the Wi-Fi Alliance on
related feature selection and certification activities. Brian has performed
detailed simulation modeling of most 802.11 PHY generations, with
selected prototyping, and helped productize advanced location
algorithms. He is based in the San Francisco Bay Area in California.
Wi-Fi Fundamentals
basic service set: [BSS] A set of stations (STAs) that have successfully
synchronized using the MLME-JOIN.request service primitive and one STA
that has used the MLME-START.request primitive.
802.11-2020, Clause 3
From its very beginning, the IEEE 802.11be project toyed with concepts
that questioned the very foundations of Wi-Fi. For example, how can a
single client device associate to two Access Point (AP) devices’ radios?
How do the AP and client devices manage the security of the association
in that case? How would frames be reassembled if they are split over
several, unsynchronized radio links? The answers to these questions are
not obvious, because they have to be built upon six previous generations
of a Wi-Fi standard that takes backward compatibility as a serious
requirement.
To help you understand the design decisions that will be exposed further
in Chapter 4, “The Main Ideas in 802.11be and Wi-Fi 7,” and later (and in
some way, in Chapter 3, “Building on the Wi-Fi 6 Revolution,” as well), this
chapter introduces the fundamental concepts of 802.11 and Wi-Fi—at
least those that are relevant to a clear understanding of 802.11be and Wi-
Fi 7. Some of the ideas summarized in the sections that follow will
undoubtedly sound very familiar to you, but you might find yourself
coming back to these paragraphs as you read the chapters on Wi-Fi 7, as
these fundamental concepts create strict constraints that limited the
freedom of the 802.11be designers.
Project Amendment
TG Code
Start Publication Some Key Improvements
Name
Year Year
TABLE 1-2 Other 802.11 Task Groups of Interest for This Book
streams
From its very inception, 802.11 defined the station (STA) as the core entity
behind 802.11 exchanges. A STA is not a physical device, but rather a
logical entity that can be addressed uniquely (i.e., it has a single and
unique MAC address) and that provides 802.11 physical (PHY) and Medium
Access Control (MAC) functions. The STA can be positioned inside a regular
client device (e.g., laptop, smartphone), but the STA (in the 802.11 sense)
is not the device itself.
STAs can communicate with each other directly. This direct communication
is useful in multiple scenarios, in particular those in which the STAs have a
special relationship (when your smartwatch needs to communicate with
your smartphone, for example). The relationship is, of course, not limited
to a pair: A single STA can communicate with two or more other STAs. This
example supposes that the STAs are in range and can communicate with
each other—in other words, that each STA sends 802.11 signals that can
be successfully received (demodulated and decoded) by the intended
other STA(s). The set of STAs that can communicate with each other form
a Basic Service Set (BSS), and the area their signals cover forms a Basic
Service Area (BSA). When more than two STAs are in the BSS, it is not
necessary that all STAs should be able to communicate with all other STAs
of the BSS. For example, some STAs may be out of range of other STAs.
These exchanges among STAs are limited to the 802.11 wireless space
and medium. To allow STAs to communicate beyond that space, a
common practice is to implement in the BSS a STA that incorporates a
connection to the Local Area Network (LAN). The system and interface
allowing such connection is called a Distribution System (DS). The LAN is
defined by 802 standards as a network of devices covering a limited
geographic area. In most implementers’ minds, the LAN is a wired network
(e.g., Ethernet), but there is no such requirement in the 802.11 definition
of the DS. As long as the DS allows for the extension of the
communication beyond the BSS, it fulfills its purpose. Practically, the DS is
a logical concept, connecting the STA to a portal behind which a wider
network operates. A STA that implements an interface to the DS and
allows other STAs in the BSS to access the DS is called an Access Point
(AP). Figure 1-1 illustrates the BSS, non-AP STA, and AP concepts.
1 In this chapter and beyond, these references point to the clause of the
802.11-2020 standard 4.3.5.2, where you can find more details, or the
exact text, of the concept discussed here.
Over its 20-plus years, the 802.11 standard has been defined to operate in
many bands: 54/790 MHz,2 860/900 MHz, 2.4 GHz, 3.6 GHz, 4.9 GHz, 5
GHz, 5.9 GHz, 6 GHz, 45 GHz, and 60 GHz Some of them are widely used,
and will be the primary focus of this book.
DSSS Transmissions
DSSS transmissions are allowed in the 2.4 GHz band, with data rates of 1,
2, 5.5, and 11 Mbps. This mode is of limited interest for efficient Wi-Fi
operations in general (it provides only slow data rates, compared to more
recent transmission modes and techniques) and for Wi-Fi 7. However,
backward-compatibility requirements mean that newer transmission
techniques in 2.4 GHz must account for the possible presence of DSSS
devices, and the simplicity and long range of DSSS transmissions make
them attractive even for recent devices (in particular, Internet of Things
[IoT] devices) whose primary target is not throughput, but rather
transmission robustness (with limited battery consumption). For this
reason, DSSS is not obsoleted, despite its 20-plus years of existence.
At its core, DSSS works by spreading the signal across a wider bandwidth
than what is minimally required for transmitting the data. After
modulating each 1 or 2 bits of data into Binary Phase Shift Keying (BPSK)
or Quadrature Phase Shift Keying (QPSK) constellation points at a 1 MHz
rate, each constellation point (BPSK or QPSK) is replicated 11 times. Each
copy is then multiplied by “chipping code” or “spreading code”—and
specifically the Barker sequence (+1, –1, +1, +1, -1, +1, +1, +1, –1, –1, –
16)—to produce 11 chips. These chips are sent rapidly in sequence, 11
times faster than the stream of constellation points, or 11 Mchip/s
(spreading the signal 11 times wider in the frequency domain). As no or
minimal pulse shaping is employed, the resulting signal consumes 22 MHz
of bandwidth, but is very resistant to interference given the 11-fold
repetition.
OFDM Transmissions
The tones can be viewed as spirals along the time axis, which, when
viewed side-on or top-down with the time axis running from left to right,
look like a sinusoid or co-sinusoid versus time. The frequency of rotation
of each spiral tone is 20 MHz/64 = 312.5 kHz apart from its neighbor, so
1/312.5 kHz = 3.2 μs always contains an integer number of cycles of the
spiral. The transmitter modulates each tone by a constellation point (or
symbol) for 3.2 μs, plus a little extra time, so that the receiver can soak up
both the direct signal from the transmitter and the delayed copies
(echoes), as some rays of the transmitted data take an indirect (longer)
path by first bouncing off walls and other scatterers before reaching the
receiver. This extra time is called the cyclic extension or guard interval,
and in 802.11a/g it was 0.8 μs in length. This combination of elements (an
integer number of cycles per 3.2 μs, the 0.8 μs cyclic extension, and the
receiver processing just 3.2 μs out of the received signal every 4 μs)
enables each subcarrier to be extracted at the receiver as a distinct
(orthogonal) signal and be processed (to a large degree) without regard to
interference from the other subcarriers.
The constellation point (or symbol) incorporates multiple coded bits, using
either BPSK, QPSK, or Quadrature Amplitude Modulation (QAM). With
BPSK, the spiral tone is rotated 0 or 180 degrees around the time axis to
represent the carried data (1 or 0, respectively). With QPSK, blocks of 2
bits, [B0B1], are encoded together, and the spiral tone is rotated –135,
+135, –45, or +45 degrees to represent the dibits 00, 01, 10, or 11,
respectively. With QAM, the two non-time dimensions (called in-phase and
quadrature) of the spiral are separately scaled by a discrete signed
number. For example, for 16-QAM, the in-phase axis of the spiral tone is
scaled by one of 4 values {±1, ±3}. Similarly, the quadrature axis of the
spiral tone is scaled by one of these 4 values, too; that gives 4 × 4 = 16
different constellation points in total to select from. A common
representation of that effect is the idea that the tone peak seems to hit a
virtual target, as shown in Figure 1-3, whose position represents a 4-bit
value (0000, 0001, …, 1111), for a total of 16 possible values. 64-QAM
involves 8 scale factors for each of the in-phase and quadrature axes, or
64 different constellation points in total to pick from.
FIGURE 1-3 QAM Transmission
The terms used to describe the 802.11 frame leverage and augment the
Open System Interconnection (OSI) model. In the OSI model, as the
application sends data to the network stack, that data may be segmented
by the Transport layer (Layer 4). The segment (data with L4 header) is
then sent to the Network layer (Layer 3), which applies the matching
header, making the segment a packet. The packet is then sent to the Data
Link layer (Layer 2, where 802.2 and subsequently 802.11 operate), where
a local header is applied, making the packet a frame. The frame is then
transmitted as a waveform by the Physical layer (Layer 1, also addressed
by 802.11).
The Data Link and Physical layers are further subdivided by functions. The
top of the Data Link layer includes the Logical Link Control (LLC) sublayer,
which is in charge of interfacing the 802.11 stack with the upper layers.
The LLC for 802.11 is defined by the 802.2 set of standards. It takes the
packet received from the Network layer, and validates whether the packet
can be carried by the medium or needs to be fragmented. The result of
that decision is the payload that will be transmitted to the lower part of
the Data Link layer. That payload is called a MAC Service Data Unit
(MSDU). Its name comes from the fact that the lower part of the Data Link
layer is called the Medium Access Control (MAC) sublayer. The MAC takes
the MSDU and encapsulates into a frame (i.e., adds a MAC header and a
trailer to the payload). The result is called the MAC Protocol Data Unit
(MPDU). The MPDU is then passed onto the Physical layer (PHY). From the
MAC layer viewpoint, the MSDU is the payload, and the MPDU is the final
product. However, from the PHY viewpoint, the MPDU is the payload; thus,
in the PHY layer, it is called the PHY Service Data Unit (PSDU). The PHY
first adds the PHY header, which consists of a preamble and additional
information (detailed later in this section). The result is the Physical
Protocol Data Unit (PPDU), which is what is actually transmitted over the
medium.
The MSDU, and therefore the PPDU, carry a single data payload in legacy
802.11. The 802.11n amendment introduced a key improvement, which all
later amendments leverage: the ability to aggregate. Several MSDUs can
be aggregated into a single A-MSDU. A common PHY and MAC header
starts the frame, and the payload consists of one or more subframes, each
with its own LLC, IP headers, and payload (and possibly additional padding
so the subframe size is a multiple of 8 octets). The subframe LLC header,
using 802.2, can include the Source Service Access Point (SSAP) and the
Destination Service Access Point (DSAP), which can represent the logical
addresses of the Network layer entities that created or are intended to
receive the message. “Access point” in this context is unrelated to the
802.11 AP, and the LSAP and DSAP are usually protocol names. Therefore,
a constraint of the A-MSDU (with a single common PHY and MAC header)
is that all payloads need to be intended for the same destination MAC
address (which would respond with a single ACK frame for the entire A-
MSDU; see the “DCF-Based Access” section later in this chapter).
The MAC sublayer and the PHY layer perform functions that are useful to
better understand the operations introduced by Wi-Fi 7 and are described
in detail in Chapter 6, “EHT MAC Enhancements for Multi-Link Operations,”
and Chapter 7, “MAC Improvements of Wi-Fi 7 and 802.11be.” The PHY
layer inserts a preamble. With OFDM, the preamble starts with a (Legacy)
Short Training Field (L-STF),12 which is a known signal sent on a small
selection of the available subcarriers. The receiver can use this field to
gain an awareness that a PPDU is arriving, and also align its receive
function with the transmitted signal (i.e., find the channel center
frequency). The L-STF lasts for 8 μs, and is followed by a second field, the
Legacy Long Training Field (L-LTF). The L-LTF also lasts 8 μs, but is a known
signal sent over more subcarriers than the L-STF, thus allowing the
receiver to perform finer synchronization and timing alignment with the
transmitted signal.
The Legacy Signal Field (L-SIG), which follows the L-LTF, contains crucial
information about the PPDU. In particular, the SIG field mentions the data
rate at which the payload (Data field) is modulated as well as its length.
This field has evolved considerably over the Wi-Fi generations: First, it was
the explicit octet count (for 11a/g), then an “FYI” of the PPDU duration (for
11n) and finally an essential signal of the PPDU duration (for 11ac
onward). These fields, illustrated in Figure 1-5, are encoded and
modulated with the strongest technique available—in most cases, 6 Mbps,
with a BPSK rate of ½. As new amendments were developed, new PHY
header fields were inserted (either as part-replacement of the legacy
preamble described earlier or in a greenfield scenario [i.e., the little-used
11n HT-GF PHY format]) or, more commonly, added behind the legacy
header and before the payload field (when backward compatibility was
required).
The PHY preamble is followed by the MAC header. The MAC header
structure can change depending on the type of frame to be transmitted,
and detailing all possibilities is beyond the scope of this chapter. However,
some fields are always present, and others are present in most frames.
In particular, all frames begin with a Frame Control field, 13 which reports
the frame type (management, control, or data) and subtype. 14 The field
also indicates whether the frame is sent toward the DS (ToDS) or is
forwarded from the DS (FromDS). The retry bit indicates whether the
(unicast) frame was attempted before but its expected acknowledgment
was not received by the sender (see the “DCF-Based Access” section in
this chapter). The power management bit indicates whether the sending
STA will stay available after this frame or will go in dozing mode.
13 See 802.11-2020, clause 9.2.4.1
All frames also include a Duration/ID field. 15 In most data frames, this field
is used to indicate the expected remaining duration of the exchange.
The header can then include three or four MAC addresses. This section is
key for Wi-Fi 7, as it is intended to represent the Source Address (SA; the
STA that initially sent that MSDU), the Transmitter Address (TA; the STA
that is transmitting this frame with the included MSDU), the Receiver
Address (RA; the intended target of this transmitted frame), and the
Destination Address (DA; the expected final destination of the MSDU).
When one of these addresses is the AP MAC address of the BSS, that
address is called the Basic Service Set Identifier (BSSID). The fourth
address is not always used. More specifically, it is used only when
transiting between two APs over the 802.11 medium (e.g., in mesh
networks). The fourth address is not present when not used. The three or
four addresses have different meanings, depending on which entity is
sending the frame to which other entity (in particular, to or from an AP-
STA, or to and from a non-AP STA). This direction is represented by the
value of the ToDS from FromDS bit, as displayed in Table 1-3.
TABLE 1-3 Values of the Four Addresses in the 802.11 MAC Header
Address Address
To DS From DS Address 1 Address 2
3 4
0 0 RA = DA TA = SA BSSID N/A
0 1 RA = DA TA = BSSID SA N/A
1 0 RA = BSSID TA = SA DA N/A
1 1 RA TA DA SA
Another field of interest follows the third address field: the Sequence
Control field.16 It is a critical field, because all data frames (and also
management frames) need to be assigned a sequence number. This
requirement is important for duplicate detection and recovery. 17 A unicast
frame (or an A-MSDU or A-MPDU) needs to be acknowledged by its
receiver as part of the channel access rules (discussed later). But when
the acknowledgment (ACK) for a unicast frame is not received by the
frame transmitter, that failure may occur because the frame was not
received by the intended receiver, or because the ACK was not properly
detected by the transmitter of the unicast frame. Retransmission is
possible, and can happen many times. It is therefore crucial for the
receiver to determine whether the current frame is a duplicate. The retry
bit alone is not sufficient to make this determination; instead, the
sequence number is used for that purpose. Strict rules apply regarding
how the sequence number should be set by the transmitter and used by
the receiver. One of the outcomes of a properly set sequence number (in
combination with timestamps) is the ability for the receiver to reassemble
fragmented MSDUs18 that are transmitted across individual frames.
Naturally, this requirement establishes rigid constraints on the possibility
of sending MSDUs across two different links with MLD (see Chapter 6).
As Figure 1-6 illustrates, in data frames, the header can—and most always
does nowadays—also include a QoS Control field. 19 The primary purpose of
this field (in the context of this book) is to carry the Traffic ID (TID)
indicating the QoS category associated with the transmitted payload
(see Chapter 2).
The header can also extend into the payload space and include more
fields, especially when encryption is used. For example, with the Counter
Mode Cipher Block Chaining Message Authentication Code Protocol
(Counter Mode CBC-MAC Protocol) or CCM Mode Protocol (CCMP), an 8-
octet CCMP header includes a packet number (PN), an Ext IV, and a key
ID. The PN is incremented at each subsequent frame. The MAC header is
then followed by the carried payload, and a Frame Check Sequence (FCS)
field,20 which is a 32-bit CRC used to validate that the frame did not
become corrupted somewhere between its transmission and its reception.
Scanning Procedures
The active scanning procedure is faster than the passive method, but is
also noisier. A single STA, sending two or more probe requests, can cause
each AP device on a channel to send two or more probe responses at
short intervals, with no other value than providing the STA with
information about the AP—which the STA would have learned about if it
had waited for the next beacon or had listened to other STA probe
exchanges. The 802.11ai-2016 amendment (detailed in the “FILS” section
of Chapter 2) attempted to streamline this procedure, by allowing two
enhancements:
Before sending a probe request, a STA setting its receiver on the
channel should wait a short duration27 (20 ms). That gives it a
chance to hear potential broadcast probe exchanges (in which case
the STA should not send a probe request, as it already heard the
answer it needed), and perhaps the AP’s next beacon. In the FILS
probe request, the STA also indicates a maximum timer (the
ActiveScanningTimer28) within which it expects a response.
31 802.1X was also published in 2004. The standard was later updated in
2010 and 2020. IEEE 802.11, in its 2020 version, refers to the 2010
update.
33 https://www.rfc-editor.org/rfc/rfc3748
35 802.11 describes only RADIUS, but 802.1X also allows EAPOL and
Diameter/RFC 3588.
Through their dialog, the AS validates the identity of the STA supplicant
(and in most cases, the STA also validates the identity of the AS). Then,
each on their side, they derive the same Master Session Key (MSK). The
AS then passes the MSK to the authenticator 36 (the AP). The AP and the
STA select the first n bits37 of the MSK, and use them as the Pairwise
Master Key (PMK). The AP and the STA then undergo a 4-frame exchange
(called a 4-way handshake) to generate a common Pairwise Transient Key
(PTK) used to encrypt unicast exchanges between them. The AP also
passes a Group Transient Key (GTK) to the STA, which is used to encrypt
multicast and broadcast frames. Both the PTK and the GTK can be
changed during the session. Once the 4-way handshake completes, the
STA’s and the AP’s respective controlled ports become authorized, and
can start passing data to their MAC function: the STA to send data frames
toward the AP, and the AP to forward frames for the STA to and from the
DS.
The ideas behind collision avoidance are simple. First, Listen Before Talk
(LBT). If another transmission is detected, then wait until that
transmission completes.
Third, after transmission, confirm that collision did not occur, whenever
possible. These principles apply equally to each transmitter in the BSS—in
other words, they apply to the AP in the same way as to each individual
STA.
This idea of time (random or not) implies that the STAs must operate at
about the same pace. Although the clocks implemented in 802.11 devices
are not calibrated (and thus may operate at different speeds), each
subsequent generation of PHY defined an inaccuracy tolerance to bound
the differences within an acceptable range.38 Then, each PHY defines a
few key timers. One of them is an interval value, called aSlotTime, which
is the speed at which the STAs are expected to count. Then, many of the
time-based operations in 802.11 are expressed in aSlotTime units (in
combination with the few other key timers). Most PHYs of interest for this
book use a transmission technique built upon OFDM, defined in clause 17,
and use an aSlotTime value of 9 μs. This number is not chosen at random,
but rather is the result of an agreement among 802.11 experts on the
time it takes for a receiving circuit to perform channel sensing
(aCCATime), process what was detected (aMACProcessingDelay), and
possibly switch from a receiving mode to a transmitting mode
(aRxTxTurnaroundTime), as well as the time needed for any emitted signal
to then reach another receiver in the BSS (aAirPropagationTime). 39 Thus,
the aSlotTime is the minimum time that another STA in the BSS is
expected to need to sense the channel, conclude that it is free of other
transmissions, and start its own transmission.
The first method, called Signal Detect (SD) and sometimes preamble
detect, is to effectively detect other 802.11 transmissions. While awake,
the STA is required to listen continually for a transmission and detect it
almost as soon as it starts. “Detect” in this context needs to be qualified.
At its core, detection means that the STA receiver is set to the target
channel. Each clause defines, for each channel width, the minimum
receiving sensitivity expected for each modulation (BPSK, QPSK, QAM). For
OFDM and 20 MHz, –82 dBm is the expected minimum receiving
sensitivity. As the PPDU’s preamble includes the L-STF (sent over 20 MHz),
with symbols that are always modulated at using BPSK, a STA should,
when listening to the channel, be able to detect an L-STF that marks the
beginning of a transmission, if the preamble is received at –82 dBm or
more. The STA should thus detect the signal, process it, and within a short
delay (now implementation-dependent but traditionally set to 4 μs, or
about half the aSlotTime) conclude that a transmission is starting. 42 Once
the 11a/g Signal field is reached (and/or the HT-SIG or RLSIG for later PHY
generations), if the Signal/SIG field is correctly decoded, then the PPDU
duration is known and the CCA busy indication is elongated for the
duration of the PPDU. Alternatively, if no transmission is detected as
starting, the STA can repeat the process for the next aSlotTime. This
requirement expects that the STA will be able to detect a preamble, not
the transmission of the payload of the frame. In practice, the Signal field is
modulated at the lowest possible data rate. In contrast, the MAC header
and the frame payload can be modulated at one of many available
Modulation and Coding Schemes (MCSs)—namely, the one deemed by the
STA to be the most efficient (least amount of consumed airtime for
maximum amount of reliably transmitted data, based on the current RF
conditions). A receiving STA may be able to demodulate the PHY header,
but not the rest of the PPDU (and thus it would only perceive energy for
those fields). Therefore, the ability to detect the preamble is critical for
proper 802.11 operations.
It should be noted that –82 dBm is the minimum threshold here. A device
with better receiving sensitivity may apply a different threshold. For
example, enterprise APs often have a receiving sensitivity much greater
than the minimum threshold. As a result, they may be able to detect an
OFDM preamble, and thus a transmission, as low as –95 dBm, and even –
100 dBm or weaker for DSSS BPSK signals.
The 802.11 standard also recognizes that many of the bands where
802.11 is found are allocated for Industrial, Scientific, and Medical (ISM)
operations, and that other (non-802.11) devices may be operating on the
same channel. Other bands are allowed for 802.11 (unlicensed) use, but
may have other incumbent technologies using the same frequencies. A
STA would not be able to detect an 802.11 preamble from these
transmitters, yet their energy may be sufficient to prevent 802.11 frame
reception from being successful. When energy is detected on the channel
with a power at least 20 dB above the STA minimum receiving sensitivity
thresholds, the STA can use a technique called Energy Detect
(ED).43 Practically, this means that the STA will deem the channel busy if
an energy of at least –62 dBm (20 dB above the –82 dBm minimum) is
detected. Just as with signal detection, the STA needs to make that
conclusion typically within 4 μs after sensing the channel.
The CCA technique works well and is sufficient for individual PPDUs.
However, one critical transmission in 802.11 is the response to a previous
transmission. This response is key to enable or conclude a dialog (without
which transmissions are often not successful). Therefore, the standard
also requires a virtual Carrier Sense (CS) function, by which the STA
determines that there is an ongoing transmission. Several methods may
be used to make this determination.44 For example, the STA might read a
MAC header that includes the Duration field. The STA might also detect a
Request-to-Send/Clear-to-Send (RTS/CTS) exchange, or a CTS-to-self
exchange, and deduce the intended duration of the exchange.
In all cases, the STA should wait for the channel to be idle, as identified by
direct PHY measurements of energy on the medium, the indicated length
of any ongoing PPDUs, and the Duration field in the MAC header of any
ongoing TXOPs. Only then should it initiate its backoff procedure.
DCF-Based Access
When the STA (in this section, understood as AP or non-AP STA) listens to
a channel, it should not take more than 4 μs to conclude that the channel
is busy. Likewise, the STA should take the same amount of time to
conclude that the channel is idle. The STA should not decide to then
transmit immediately. Some exchanges require an immediate answer (an
ACK frame, for example), and priority should be given to those responses
over new transmissions. Thus, the standard identifies different silence
durations for which a STA should wait before beginning its transmission. If
it is answering a frame with an ACK, for example, that is highest priority
and the STA should wait the shortest possible time. This duration is called
the Short InterFrame Space (SIFS), referenced as aSIFSTime and defined
(for OFDM in 5 GHz) as 16 μs.45 If a STA needs to start a new transmission,
it should first wait for a Distributed Interframe space (DIFS), whose
duration is DIFS = 1 × aSIFSTime + 2 × aSlotTime 46 (thus 34 μs for OFDM
in 5 GHz).
After that DIFS, the channel is available for a new transmission. If the
medium was busy when an MSDU reached the transmitting STA, the STA
still needs to wait a random time, by picking up a random number (called
the random backoff count) in a range.47 The range selection might seem
exotic on first encounter. Practically, each PHY determines the bounds of
the range, called the Contention Window (CW), with CWMin and CWMax.
The CWMin and CWMax default values, called aCWMin and aCWMax, are
15 and 1023 aSlotTimes,48 respectively, for OFDM in 5 GHz. Thus, CWMin
≤ CW ≤ CWMax. Then, the STA picks the random backoff count, randomly,
in the range [0, CW]; in other words, the STA can randomly pick 0 or CW,
or any number in between. The standard also expresses that, for the first
attempt for a given frame transmission, CW = CWMin; thus, the STA picks
the number in the range [0, CWMin]. The STA then counts down from that
number, sensing the channel at each aSlotTime count. If, at any point in
the countdown, the channel is busy, the STA waits until the channel is idle
again for at least one DIFS, then resumes its countdown from where it had
stopped it. When the STA reaches 0, it sends its frame. 49
The DCF mechanism54 provides equal opportunities for all STAs in the BSS
to transmit (the AP is a STA). This opportunity appears in the form of
equality of statistical access to the medium (two STAs competing for the
medium would end up, on average and over time, accessing the medium
50% of the time each), but not in terms of access interval. Again, if two
STAs compete for the medium and send PPDUs of the same size, as they
end up accessing the medium 50% of the time, the PPDU duration (and
the number of competing STAs) will end up dictating how often a STA can
send its PPDUs. However, if one STA’s PPDUs are much larger than the
other STA’s, the STA with the larger PPDUs uses the medium
comparatively more often than the STA with smaller PPDUs.
54 Another mechanism created at the same time as the DCF is the point
coordination function (PCF). It is rarely, if ever, used, so it is ignored for
the purposes of this section.
Note
This effect soon found its limitation when the 802.11 designers realized
that different traffic types had different sensitivities to delays (in this
context, absolute channel access delay for a given frame) and jitter (the
variation of delays). For example, voice packets are usually small (e.g.,
160 bytes for a G711 codec), but expected at very regular intervals (e.g.,
one packet every 20 ms). The receiving end has a buffer that permits a
tolerance to delay and jitter, but to the scale of one or a few hundreds of
milliseconds: As the number increases, the perceived quality of the call
decreases. By comparison, the quality of reception of an email does not
suffer if it is delayed, even by 500 ms or longer. Thus, providing equal
access opportunities to STAs without accounting for the traffic they sent
soon proved suboptimal, especially in enterprise contexts. 802.11e-2005
introduced (among others) provisions to solve this limitation, by
introducing a Hybrid Coordination Function (HCF) in addition to DCF. HCF
comes in two flavors, but only one is widely used and of interest for our
discussion: Enhanced Distributed Channel Access (EDCA).
Each AC operates under different channel access rules. The CS and CCA
mechanisms are the same as before, but the backoff timers change. Each
AC is allocated an Arbitrated Interframe Space Number, AIFSN[AC]. Then,
instead of waiting one DIFS (remember, DIFS = 1 × aSIFSTime + 2 ×
aSlotTime) before declaring the channel idle and available for the next
transmission, the STA needs to wait one AIFS[AC] = 1 × aSIFSTime +
AIFSN[AC] × aSlotTime.57
Table 1-4 summarizes the differences between the ACs, and between
EDCA and DCF.
TXOP
AC CWMin CWMax AIFSN
Limit
*This table assumes OFDM in 5 GHz. Times are in aSlotTime units. See
802.11-2020, Table 9-155, for other PHYs.
Summary
802.11-2020, Clause 3
The long history of 802.11 has led the standard to incorporate new
scenarios and new mechanisms as it grew in maturity and complexity. But
each time a new possibility emerged, it had to be balanced with the need
to “not break what was already there.” A new device, incorporating new
methods for better and faster services, could be positioned near an older
device; however, that older device should not be stripped of its ability to
operate for the sole benefit of the newcomer.
From its first versions, the 802.11 standard included the notion of an
Extended Service Set (ESS), because it was designed around the idea of
mobility. A STA should be able to roam—that is, to move from one Basic
Service Set (BSS) to another (supporting the same Service Set Identifier
[SSID]). However, the standard did not describe how the STA would
determine that it is reaching the Basic Service Area (BSA) edge, and would
choose to go to this AP instead of the next AP. In some ways, the discovery
of the next AP was considered the same problem as the discovery of the
first AP: The STA would scan (see Chapter 1, “Wi-Fi Fundamentals”), then
would select the next AP in the same way it selected the first one.
This approach soon proved insufficient, and observing a STA perform this
operation is enough to understand why. As the STA moves away from the
AP, its data rate shifts downward. The STA has no idea of distance to the
AP. The STA examines specific messages from the AP (usually the
beacons), and has a vendor-defined threshold below which it considers
that the Received Signal Strength Indicator (RSSI) of these messages
indicates the edge of the BSA. At that point, the STA is set to move to a
discovery mode for the next AP. In parallel, the STA exchanges data
frames through the AP. This operation is usually different from the BSA
edge and discovery processes. In some implementations, a rapid
degradation of the message exchange performances (caused by fast rate
down-shifting, fast increase of retry counts, or failure to receive an
acknowledgment for a certain number of transmissions attempts at the
lowest possible rate) can also trigger the roaming process.
Next-AP Discovery
In all cases, the STA needs to start discovering other BSSs for the same
SSID, which usually means leaving the current channel. However, the AP
may be sending frames to the STA while it is away. There is no mechanism
in 802.11 for the STA to tell the AP, “Please wait; I am scanning other
channels”—even if this is a natural operation for all STAs, in all BSSs, of all
Wi-Fi networks on the planet.1 A common workaround for STA
implementations is to send a null frame,2 whose purpose is to provide
updated parameters to the AP. In the null frame header, the power
management bit3 is set, indicating that the STA should go into power save
mode and, therefore, be unavailable to receive frames from the AP. At that
point, the STA can leave the channel and start exploring (scanning) other
channels for other APs. Once it has assessed the presence of other APs on
all channels, the STA can return to its active channel and send another
null frame, this time with the power management bit unset. The unset bit
indicates to the AP that the STA is out of the power save mode, and can
receive frames if the AP has any to send.
In some cases, the STA might be in the middle of an exchange when this
scanning process needs to start, or it might receive frames in its buffer
(from the operating system) while it is scanning on other channels. These
contradictory requirements—scan other channels, or stay on the channel
to exchange with the AP—can lead the STA to make only short incursions
on other channels, then come back briefly to the active channel to send or
receive one or a few frames, before going away again to explore a few
more channels. This back-and-forth can happen multiple times. The whole
scanning process can then take several seconds, especially in bands with
multiple channels (in the FCC domain, the traditional 5 GHz band includes
25 channels). This scenario becomes all the more difficult when the STA is
searching for a better AP. Having reached the edge of the current BSA, the
STA’s data rate is likely low (so each segment of data takes a long time to
send), and its retry rate high (increasing even more the time needed to
successfully transmit each data frame). These constraints mean that the
STA should maximize its time on the channel to prevent its buffer (or that
of the AP) from overflowing with untransmitted packets (which come in
faster than the radio can successfully transmit). Yet this is the time when
the STA is asked to leave the channel for a prolonged period of time. The
whole process does not seem efficient.
802.11k
The 802.11 designers realized early on that the roaming process needed
to be improved. In 2002, they created the 802.11k group, tasked with
working on radio resource management exchanges. These exchanges
could be used to help the STA and the AP “see through each other’s eyes,”
by asking one side to perform some measurements and report to the
other.
One such report is the Neighbor Report. The STA starts by asking the AP
(to which it is associated) for a neighbor report. 4 This request indicates the
SSID in which the STA is interested; it is typically the SSID the STA is
using, but the process allows in theory any SSID value, or a null value to
ask for “any” SSID. The AP then sends a neighbor report response, 5 which
includes zero or more neighbor report elements. 6 Each element describes
an AP of the ESS, with (among others) its BSSID, its channel, and whether
the AP is reachable (i.e., likely in range of the STA, because it is in range of
the reporting AP). The standard does not say how the AP builds this list. In
many implementations, the APs detect each other over the air by a form
of radio resource management process that prompts each AP to
occasionally scan other channels and, over time, discover its AP neighbors
within beacon signal detection range.
Note
The 802.11k neighbor report was designed to be useful for the STA
roaming scenario. Instead of scanning possibly tens of channels, the STA
would receive only a subset of BSSIDs and channels of interest (e.g., half a
dozen), which would speed up its discovery process. One difficulty lies in
the idea of trajectory. Imagine 5 APs in a line (e.g., in a long corridor),
named sequentially (AP1, AP2, …, AP5). If the STA associates to AP3 and
asks for a neighbor report, AP3 might indicate AP1, AP2, AP4, and AP5.
However, if the user of the STA is moving along the corridor toward AP4
(and then AP5), providing information about AP1 is not very useful; neither
is information about AP2, from which the STA might have roamed. It is also
possible that AP3, positioned on the ceiling, would detect AP6 in another
room, which the STA, near the floor level, might not detect. It is also
possible that the STA might detect an AP7 that AP3 might not detect from
its position.
In other words, the 802.11k neighbor report mechanism might shorten the
discovery process in a roaming scenario, provided that the AP and the STA
have the same view of the RF environment, and provided that the AP has
some form of knowledge of the STA movements. Theoretically, the AP
could receive a neighbor report request, respond with a beacon report
request, collect the view of the STA, and then know what the STA sees
from its position. This process would, of course, defeat the purpose of the
neighbor report: The STA does not need the AP’s help once it has scanned
by itself to produce the beacon report. The AP could also use the beacon
report from one STA to infer the view of another STA at the same position.
However, this process would require the AP to sacrifice a first STA, by
asking it to produce a beacon report when all the STA wants to do is to
regain good connectivity. The process also presumes that the STAs would
be willing to share their location. Notably, 802.11k allows the exchange of
location information, but this process has privacy implications that make
its support uncommon on STAs.
802.11v
The 802.11v-2011 amendment was developed to improve the BSS
management functions. The standard defines a series of elements that
one side (the STA or the AP) may provide that could be useful to the other
side. Among them, BSS Transition Management (BTM) exchanges allow an
AP to instruct a STA to roam to a specific AP, or an AP in a set of preferred
APs. The initial goal was load balancing, to improve the overall throughput
(or QoS) of the ESS, by moving some STAs from one BSS to the other.
Some of the explicit targets were sticky clients—that is, STAs that move
away from one AP, get closer to a second AP that can provide a much
better connection, yet stay associated to the first AP for a variety of
reasons (see Chapter 4, “The Main Ideas in 802.11be and Wi-Fi 7”). The AP
could instruct that sticky client to move to the other AP. As the STA has no
reason to comply, the BTM message can include a disconnection timer
(i.e., “If you have not roamed to that AP within x TUs, I’ll disconnect you”).
The 802.11v BTM process allows for an exchange, 7 in which a STA can first
send a BTM query, asking the AP for the list of preferred next APs (in case
the STA needs to transition to another BSS). The AP responds with a BTM
Request, indicating the list of preferred APs to roam to, optionally with a
maximum delay by which the STA should have roamed. In many cases,
this list consists of a single target AP. The STA can respond with a BTM
Response that indicates whether the STA will roam. If the STA intends to
roam (within the delay mentioned in the request), then it can indicate to
which AP (if the request list includes more than one AP). If the STA does
not intend to roam, it can indicate why: 8 Perhaps the STA did not find the
target AP(s) on the indicated channels, or perhaps these APs did not have
the capacity to add the STA to their BSS. The STA can then indicate
whether it prefers its session to be terminated (accepting that the AP
would disassociate the STA), or whether it requests the AP for a bit more
time.
When 802.11be was in its design phase, the issue of QoS also became a
more prevalent concern. Well-known categories of applications like voice
and video had been in use for many years, but new applications were
making an appearance and demanded specific treatments. For example,
how does one distinguish an enterprise Wi-Fi network video-conferencing
for a business-relevant application from a video call on a personal
application? Both send voice and video, but if congestion occurs, the
business-relevant application should be prioritized over the personal
application. The same issue occurs with newer applications. How should
the video flows sent by an augmented reality (AR)/virtual reality (VR)
headset, which demands very low delay rates (users get headaches if the
delay between motion and AR/VR screen refresh is too long; see Chapter
4), be treated, in comparison to a video-conference flow? The AR/VR
demands 20 ms delay, while video conference tolerates 200 ms delay—
yet both belong to the video category.
ADDTS
Recall from Chapter 1 that Enhanced Distributed Channel Access (EDCA)
defines four access categories (AC).9 All ACs use the same medium access
principles, but different countdown numbers. As a result, AC_VO obtains a
statistically better access to the medium than the others, followed by
AC_VI, A_BE, and AC_BK (in descending order of advantaged access to the
medium). The treatment of congestion should not be the same for all ACs,
because different types of traffic have different needs.
With policing, traffic that enters the interface buffer in excess of the
service rate is simply dropped (deleted). This approach is useful for traffic
that should not be delayed. A typical example is real-time voice. When a
voice packet is delayed, there is no guarantee that it will reach the
intended recipient in time to be played. When a voice packet is missing on
the receiver side, the application usually plays an intermediate sound
between the previous packet and the next packet. As each packet is
typically a short segment of audio (e.g., 10 ms or 20 ms), the user does
not perceive any issue, at least not until multiple consecutive packets are
missing. If the missing packet arrives later, it cannot be played and is
deleted at the receiver anyway. Therefore, there is no point in delaying the
packet transmission with shaping. If packets arrive in a sequence in
excess of the service rate, they are deleted; the receiver is then in charge
of filling the gap.
When ACM is enabled (e.g., for AC_VO), any STA that intends to send
traffic in that AC needs to request admission from the AP. The STA first
sends an ADDTS request action frame12 that describes the intended traffic
with a Traffic Specification (TSPEC) element13 and zero or more optional
Traffic Class (TCLAS) elements.14 The TSPEC indicates elements such as
the MSDU minimum and maximum sizes; the service intervals (the pace
at which these MSDUs are expected); and the minimum, peak, and
maximum data rates. The TCLAS elements, when present, can add further
information helping to classify the flow, such as the source and destination
IP addresses and ports, the DSCP value, and more. Using this information,
the AP (or a network management platform behind the AP) validates
whether the flow is authorized and is within the maximum admissible
volume; it then returns an ADDTS response action frame 15 that either
allows or declines the flow. When the flow is declined, the STA can request
admission to another AC (if that other AC also uses ACM), or send the
traffic to an AC that does not implement admission.
This scheme was efficient in 2005. At that time, the Wi-Fi devices that
supported voice were specialized Wi-Fi IP phones, and network designers
would implement voice-specific SSIDs. Unfortunately (for the ACM design),
a few years later, the smartphone explosion brought voice support to
most Wi-Fi devices, as over-the-top (OTT) voice apps (allowing free or
cheap calls over the data network) started to appear for mobile phones,
tablets, and laptops. In that environment, two difficulties emerged:
Another direction that emerged was the smart use of User Priorities (UPs).
It is often surprising to read that there are eight UPs, but that the AC
determines the access to the medium. Why, then, are there eight UPs and
not four (in essence, one per AC)? The question is valid, and the answer
comes from the history of 802.11. When the EDCA system was designed
(between 2000 and 2005, with the development of 802.11e-2005), QoS
was undergoing deep transformations in all standard bodies. Specifically,
it was evolving from a mechanism where one traffic stream would be
given precedence over all others, to a method where classes would be
defined, each with its own characteristics and needs. The IEEE 802.1p
group, which was active at the end of the 1990s, had improved several of
the 802.1 standards with the idea that different types of traffic should
receive different types of treatments in network nodes.
Note
Recall that the IEEE 802.1 working group is concerned with topics like
general 802 LAN/MAN architecture, and internetworking between 802
LANS, MANs, and WANs. The group can produce documents that other
groups, such as the 802.11 group, can leverage for the needs of the
particular medium they work with.
The 802.11e TG then adopted the 802.1D seven categories, plus an eighth
category (spare) that was listed in 802.1D but not defined. The spare
category was used as an additional queue for traffic that would need
specific treatment, and that would not be described in one of the other
seven categories. This eighth queue was useful for 802.11e, intending to
use 3 bits18 to encode the user priority value (3 bits allow 8 binary values,
with the decimal equivalent of 0 to 7). This 802.1D system translates into
the series of values displayed in Table 2-1.
1 Background BK
2 Spare —
3 Excellent Effort EE
4 Controlled Load CL
5 Video VI
User Priority Traffic Type Acronym
6 Voice VO
7 Network Control NC
This clubbing of UPs, two by two, into their respective ACs created
philosophical challenges even in the early days of 802.11e. Nevertheless,
the general idea that ACs would be the maximum level of granularity
allowed the group to continue their work without resolving these
challenges. However, these challenges re-emerged soon after—first in
802.1, and then in 802.11. They stem from the very definitions of the
802.1D traffic categories:
Network Control is intended for traffic that is needed for the network
to operate (e.g., router-to-router exchanges). This traffic type makes
sense on an Ethernet network, through which network nodes may
communicate about paths to various destinations. But 802.11 is
primarily an access technology, connecting end-devices to DSs via
APs. It is very uncommon to see network traffic sent over this type
of medium. Other specifications19 make it clear that UP7 should
never be used for data (user) traffic. Therefore, the UP exists in
802.11, but the value is by definition likely to be never used, outside
of very specific cases (e.g., mesh backhauls connecting routers).
So, from its inception, 802.11e came with eight UPs, of which two (UP7
and UP2) could not really be used. This issue was raised when the
802.11aa group (formed in 2008) was looking at video transport streams.
The group was working on the observation that some flows in a given AC
(video in particular) could be of the same general nature (i.e., both might
be video flows) but of different importance. The group then recognized
that most implementations used only a single UP in each AC (UP6 in
AC_VO, UP5 in AC_VI, UP0 in AC_BE, and UP1 in AC_BK). The 802.11aa TG
then created the notion of an alternative queue, to allow a flow to use the
second UP in each AC, as a way to signal that the matching flow was
special in the category.
For example, all videos would be marked UP5, but the CEO video would be
marked the special UP4. The special marking would appear in the QoS
field of the frame header, but could also be communicated between the
STA and the AP in an intra-access category priority element. 20 This
exchange would allow a STA, requesting the admission of an upstream
traffic (see the “Stream Classification Service” section in this chapter), to
signal to the AP that the flow would be special. This mechanism is present
in the 802.11 standard, but underlines additional difficulties:
20 See 802.11-2020, clause 9.4.2.120
Thus, the alternative queue could really be used only for videos, with
severe semantic limitations, and the ability to flag just “normal” versus
“special,” without any further details. At the time of the 802.11be design
work, it was clear that the UP system was not by itself a sufficient vehicle
to properly distinguish AR/VR from video-conferencing, or personal video
from business-critical video.
The SCS process is a great direction because it allows the STA to express
that one or more applications require special treatment. One difficulty,
however, relates to the identification of that application. The TCLAS
elements might describe the application with IP addresses, ports, or other
elements, but it is not guaranteed that the AP will be able to recognize the
application from these elements alone. This recognition has to happen for
the AP to decide whether the request is accepted or rejected, as well as
for the AP to identify incoming flows (from the DS) and mark them
accordingly. This issue was not easily solved at the time when the
802.11be design work started.
Note
This problem proved so dire that, in the 802.11-2020 revision of the
standard, the Mirrored Stream Classification Service28 (MSCS) was added.
With MSCS, the STA sends a request with an MSCS Descriptor element,
similar in principle to that of SCS. But the STA simply tells the AP, “When
you see this stream in reverse (coming back from the DS), just mark it
with this UP.” The AP does not need to recognize the application—just
identify the application parameters (e.g., server IP address and port) in its
incoming flow to mark it properly.
Coexistence Challenges
ERP Protection
802.11n Protection
This protection scheme is much more efficient than the previous RTS/CTS-
only method, but still not perfect. In particular, 802.11n allows operations
over 40 MHz-wide channels, whereas previous versions of the standard
allowed operations only over 20 MHz channels. Therefore, collisions could
happen. For example, suppose an 802.11n AP is operating on channels
{36, 40}, and a nearby 802.11a AP is operating on channel 40. The
802.11n AP could perform a CCA and conclude that both channels are free
(because it is too far from the neighbor AP), even though the neighboring
AP is actively sending and receiving on channel 40. The 802.11n AP could
then send a frame over 40 MHz to a STA that, being closer to the 802.11a
AP, would properly receive the transmission only on channel 36. The part
on channel 40 would be undecodable due to a collision with the
neighboring AP transmission. This scenario might not be extremely
common, but it does happen. The legacy header did nothing to prevent
this new issue.
Such a structure may have made sense in the construction of the channel,
but it ensures that small interferences can have dramatic effects on the
channel width available to all STAs. The 802.11be designers were well
aware of these limitations, but redesigning the channel design would
cause massive backward incompatibilities. Instead, they would have to
explore other solutions.
802.11 Security
Open System is the original method defined in the first 802.11 standard,
and authentication is truly a link-level operation there: It validates that the
STA is an 802.11 device, and does not introduce additional security
concepts associated with identity validation. In the exchange, the STA
starts by sending an 802.11 Authentication frame, 34 which is a
management frame with 3 fields of particular interest: an Authentication
Algorithm field (set to 0, for Open System); an Authentication Sequence
field, indicating the position of the frame in the exchange (set to 1, for the
first frame in the exchange); and a Status Code (set to 0 for success,
although the field has no real meaning when sent in that frame).
The AP validates that it can read the frame and, if successful, responds
with an Authentication frame. The format is identical to the Authentication
frame sent by the STA, but this time the Authentication Sequence field is
set to 2, indicating the second frame in the exchange. The Authentication
Algorithm is still set to 0 (Open System). The Status Code, still set to 0
(success), now indicates that the transaction completed successfully.
The AP examines the request and the capabilities expressed by the STA,
and responds with an Association Response frame. 37 The AP indicates in
the response its own capabilities and support for various features; it is
particularly useful if the STA suggests support for redundant schemes, and
the AP selects one of them. The AP also adds a Status Code, confirming
whether the STA association was successful (status 0) or not (non-zero
status). The standard does not define the criteria by which an AP should
accept or reject the association, as each AP administrator and/or their
vendor might have different conditions for making that decision. However,
it is clear that a mismatch in critical features can lead to such a rejection.
If the association is successful, the AP provides to the STA an Association
Identifier (AID), an integer uniquely identifying the STA in the BSS.
Part of the capability exchange indicates the two parties’ support for
security schemes. If none was indicated by either side, the RSN scheme is
not in use, the AP and STA ports are uncontrolled, and both can start
exchanging data frames as soon as the successful association frame
response is received and acknowledged by the STA. If both the STA and
the AP indicated support for RSN, the AP and STA ports are controlled and
unauthorized. Part of this exchange then indicates support for an
Authentication and Key Management (AKM) suite, representing the type of
authentication algorithm to use, and a Cipher Suite, representing the type
of encryption to use. In home networks, the AKM may be set to Pre-
Shared Key (PSK), referring to a passphrase configured on the AP and on
the STA. In that case, the PSK is derived from the passphrase, 38 the PMK is
the PSK,39 and the STA and AP move to a 4-way handshake.
Note
802.1X capabilities may also be useful in home networks. It is considered
more robust than PSK, because the keying material does not need to be
changed on all devices if a single device is lost. Unfortunately, support for
802.1X on home equipment is not very common.
Either side can proceed to the next step, but typically the STA triggers the
dialog by sending an EAP-START frame. The AP continues with an EAP
identity request frame, to which the STA responds with an EAP identity
response frame. This exchange aims primarily to confirm which
authentication method, within the EAP wrapper, the STA and the AS
accept. The rest of the procedure depends on the method chosen. At the
end of the procedure, both the STA and the AS will have generated the
same MSK. The AS sends an access accept message to the AP as well as
the MSK, and the AP forwards the success response to the STA to indicate
an EAP success. At this point, the AP and the STA have the PMK, and
continue to the 4-way handshake.
The 4-way handshake40 is started by the AP, under the assumption that
both sides have the same PMK. The AP sends message 1, 41 which is a
management frame (subtype EAPOL-key) that contains, among other
things, an identifier for the PMK (PMKID) and a random number, called
Authenticator Number Once (ANonce).
Note
The PMKID can be used by either side in the future to reference the same
PMK (e.g., during reassociation), thereby avoiding the need to reprocess
the full PMK derivation.
Upon receiving message 2, the AP now has the SNonce (in addition to the
ANonce and the PMK it already had). At this point, the AP can compute the
PTK and use it to validate the MIC. The AP also verifies that the frame
sequence number signaled by the STA matches its own—in case frames 1
or 2 had to be re-sent, or in case an attacker attempts to replay these
frames. Moreover, the AP verifies that the cipher suite and AKM suite
values, inserted in message 2, match the values that the STA signaled in
its association request, as mandated in 8.5.3.3. This validation is not
without consequences, because it means that the STA cannot use a
security mechanism other than the one it requested in the association
request frame, even if it discovered (e.g., in the AP association response)
that another/more robust scheme was possible.
After these verification steps are completed, and if the MIC validation is
successful, the AP installs the PTK and is ready to use it for unicast
exchanges with the STA. The AP confirms this installation to the STA by
sending message 345 (type management, subtype EAPOL-key). Message 3
also includes the GTK, encrypted with the PTK. 46 The frame is protected by
a MIC as well.
Upon receiving message 3, the STA validates the MIC. If the verification is
successful, the STA installs the PTK and GTK, and sends a confirmation
response to the AP with message 447 (type management, subtype EAPOL-
key). The message is also protected by a MIC. Figure 2-3 illustrates this
choreography.
Shared Key
Shared Key authentication was a 4-frame exchange: The STA would start
with an Authentication Request, receive a challenge from the AP in frame
2, respond to the challenge in frame 3, and conclude a successful
authentication with a positive response from the AP in frame 4. This 4-
frame exchange was followed by an association exchange similar to that
of Open System. The STA and the AP could then start exchanging data
frames immediately (no controlled port). Each data frame header would
include elements that would allow the other side to deduce the key used
to encrypt the payload, and therefore successfully decrypt the content.
Unfortunately, an observer accumulating enough frames could also
deduce the temporal and permanent keying material. The shared key
scheme was declared deprecated in 802.11-2012.
This requirement mandates that the key exchange must occur before
association completes, whereas the standard scheme performs the 4-way
handshake key exchange only after completion of a successful
association. A direct consequence is that the STA needs to know if the
next AP (here, called AP2 for simplicity) is able to retrieve key material
from the current AP (here, AP1). This capability is expressed in both APs’
probe responses and beacons, in the form of a Mobility Domain
Information element50 (MDE) that contains a unique 2-octet value
identifying all APs in the ESS that can communicate keying material over
the DS. The APs also express their support for FT, and also an FT policy,
indicating whether FT negotiations should happen over the air or over the
DS.
Naturally, sharing the same key over many APs presents a security risk.
For this reason, FT implements a key hierarchy, with two levels. Each side
implements both levels: the STA, called the Supplicant (S), and the
infrastructure, called the authenticator or Resource (R). The first level is
level 0, and the second is level 1.
As the STA associates to its first AP, the classical 802.1X process
implemented in 802.11 sees a dialog between a STA/supplicant and an
AP/authenticator, which results in a PMK on both sides. With FT, the dialog
takes place between those same entities, but the outcome is a PMK of
rank 0 (PMK-R0). Therefore, the STA/supplicant is also a PMK Key Holder,
on the Supplicant side, of rank 0 (S0KH). Similarly, the AP/authenticator is
a PMK Key Holder, but on the Resource side, of rank 0 (R0KH).
In the initial exchange (between a STA and its first AP), the first
authentication exchange is Open System. The STA then indicates in the
association request the MDE (it detected during the scanning phase) and a
request for FT mode (in the AKM). In its response, the AP repeats the MDE
for confirmation, and also indicates other key FT parameters (R0KH-ID and
R1KH-ID).
At this point, both sides have a local PMK. The logical next step is a 4-way
handshake to generate the PTK. This exchange is similar to the one used
with Open System and RSN, with the difference being that message 2
includes the same MDE and FTE values that the STA mentioned in the
association. Message 3 from the AP includes these values as well. In a
timeout interval element,54 message 3 also provides a reassociation
deadline or a key lifetime value, which informs the STA on how long this
and other APs in the MDE will cache the keying material. Within that delay,
the STA can start a FT process with another AP, then reassociate there.
Beyond the delay time span, the FT exchange performed with another AP
will have timed out, and the STA will need to perform the association steps
from scratch. Figure 2-4 illustrates the FT initial association exchanges.
Directly Over The Air (OTA) with AP2. AP2 will then contact the R0KH
to be able to generate a PMK-R1 (specific to AP2).
Through AP1. AP1 will then establish a dialog with AP2 over the DS,
pointing it to the R0KH and enabling it again to obtain a PMK-R1.
Both mechanisms competed with each other in the early days of the
802.11r group, and ended up being adopted together. Each of them has
theoretical advantages and limitations:
The OTA method allows the STA to pick an AP of its choice and
directly start the dialog. It is therefore a logical consequence of the
STA scanning function—that is, pick the best AP after scanning,
likely the one with the strongest signal, and start the OTA dialog.
However, the STA is still associated to another AP, probably on
another channel. Any millisecond that the STA spends away from
the channel where data communication happens may be
detrimental for the STA’s time-sensitive traffic. This concern might
be particularly important when the STA asks AP2 to generate the
PMK-R1, and then has to wait an unspecified time until AP2 responds
(while AP2 contacts the R0KH).
The over-the-DS method does not require the STA to leave its active
channel. It can continue its data traffic while interleaving FT
negotiations for the next AP roam through its current AP. However,
the STA supposes that, because both APs have the same MDE value,
they can reach each other. The STA also supposes that AP2, which
was discovered through scanning, is still the best next AP as the FT
exchange completes (even if the user is moving). However, being on
AP1 channel, the STA has no good way of ensuring that AP2 is still
the best next AP.
AP2 uses these elements to locate R0KH to build PMK-R1. Meanwhile, AP2
also responds with an Authentication Response. Its algorithm number is
also FT. The frame also includes an RSN element with the PMKR0Name,
the MDE, and an FTE with the ANonce, the SNonce that the STA sent (for
confirmation and to avoid session hijacking), R1KH-ID, and R0KH-ID. 56
56 All of these elements are either seen in the STA first authentication
message or generated locally on AP2. Thus, AP2 can send this response
even before it has reached R0KH.
At this point, both sides have the core elements needed to build the
keying material, with two restrictions:
AP2 needs to contact R0KH and provide its R1KH-ID so that R0KH
can build AP2’s PMK-R1. Meanwhile, the STA, knowing both PMK-R0
and STA2’s R1KH-ID, can derive AP2’s PMK-R1 directly.
Once the STA is ready to roam to AP2, it can terminate its connection to
AP1, then send a Reassociation Request to AP2. In addition to the
elements present with the Open System, the request includes, in the
RSNE, what the STA thinks the PMKR1Name is. The PMKR1Name is derived
from the PMKR0Name, the R1KH-ID, and the S1KH-ID—all elements that
the STA obtained during the authentication exchange. If the STA is correct,
as it can compute not only the PMK-R1 value, but also the PTK from the
PMK-R1 and ANonce, it is ready to install the PTK. The request also
includes the MDE and an FTE, which contains the ANonce and the SNonce
that the STA received and sent (respectively) and used for the PTK
generation, as well as the R1KH-ID and the R0KH-ID, all protected by a
MIC.
AP2 validates these elements, generates and installs the PTK, and
responds with a Reassociation Response. This response contains the
PMKR1Name in the RSNE, the MDE, and the FTE with the same elements
as in the association response (ANonce, SNonce, R1KH-ID, R0KH-ID), and
the GTK, all encrypted and protected by a MIC.
At this point, both sides have a PTK, and the 802.1X controlled port is
unblocked. The STA and AP2 can start exchanging data frames. You can
see this sequence of exchanges in Figure 2-5.
The over-the-DS process is similar in spirit, with the major difference being
that the STA engages in dialog through AP1. Thus, it cannot send an
authentication frame, because AP1 would not know if the goal is to relay
the frame to another AP or to authenticate on AP1 again. Instead, the STA
sends to AP1 an action frame called an FT Request. This frame includes
the target AP MAC address, the STA MAC address (to be used as S1KH-ID),
the RSNE with the PMKR0Name, the MDE, and the FTE that includes the
R0KH-ID and a SNonce.
AP1 uses the target AP MAC to identify AP2, and relays the FT Request,
through the DS, to AP2. The standard does not describe how this relaying
happens or is secured, as it is not in the 802.11 realm (and is usually
vendor-specific). AP2 receives and processes the request. It then responds
with another action frame, the FT Response, that includes the STA MAC, its
own MAC57 (target AP MAC), the RSNE with the PMKR0Name, the MDE, and
the FTE with the ANonce, the SNonce the STA sent, and R1KH-ID and
R0KH-ID. AP1 relays this frame to the STA.
57 In case the radio MAC would be different from the Ethernet MAC, and
AP1 would be dialoguing with several candidate roaming APs for the STA.
At this point, the STA can compute PMK-R1 from PMK-R0 and R1KH-ID, and
can compute the PTK from PMK-R1 and the nonces. Just as with the OTA
method, the STA needs to decide to roam to AP2 within the reassociation
deadline time. When doing so, the STA terminates its connection to AP1,
then sends a Reassociation Request directly to AP2. This request, just like
the AP2 Reassociation Response, is similar to the OTA case. Figure 2-
6 illustrates the over-the-DS FT exchange.
When the STA roams with FT (OTA or over the DS), it can use the
Reassociation Request frame to include, in the FTE, a Resource
Information Container (RIC) Request. The RIC request includes a TSpec
and one or more TCLAS elements describing the traffic that the STA would
like to send through AP2. In the FTE of its Reassociation Response, AP2
provides a RIC Response with its conclusion for each intended traffic flow
(accept/deny). In theory, AP2 can reject the association if it cannot
accommodate the STA’s traffic. In addition, in theory, STA2 can conclude
that AP2 is not the best candidate if it rejects its service request. In
practice, the RIC Request is done late (in the reassociation exchange), so
it comes too late for the STA to find a better AP candidate on the spot; to
do so, it would have to restart the scanning/FT authentication from
scratch, with another AP. At the same time, the RIC exchange cannot be
done earlier, because the AP cannot guarantee, at the time of the FT
authentication exchange, that the resources that it has available at that
time will still be available when the STA decides to roam, which may
possibly be much later. In practice, however, the RIC process is seldom
used.
59 Hence the name—the protocol does not fix the “initiator” and
“responder” roles, and any side can start the exchange.
Each side can then use the knowledge of the password and the data sent
by the other side to compute the same number. For example, the AP
knows PE, knows b, and received from the STA Sa and elementA. The AP
can compute a new value, ss, defined with these numbers as ss =
(PE^(Sa) × elementA)^(b). A simple algebraic decomposition shows that
this complicated expression can be simplified. As elementA is PE^(–A), ss
can be expressed as follows:
ss=(PE∧(Sa)×PE∧(−A))∧b
ss=(PE∧(a+A−A)∧b)=PE∧(ab)
As the AP knows PE and b, it can then easily find a, and therefore A. Thus,
it can verify that the STA, when it provided elementA, did really know the
password hash PE, so the STA really knows the password.
The STA performs the same operation in reverse. It knows a and PE, and
received PE^(–B) and Sb, so it can compute the same ss value, with the
following combination:
ss=(PE∧(Sb)×PE∧(−B))∧a=(PE∧(b+B−B)∧a=PE∧(ab)
At the end of the commit phase, and after their computation, each side
knows that the other side has the right password. But they can do more,
and use the result of the computation they just ran to derive a session
key.
They share that confirmation in the next two Authentication frames. 65 The
STA first sends a second SAE Authentication message, this time of type
Confirm (the Authentication Algorithm is still 3, SAE, but now the
Authentication Sequence is 2, to indicate Confirm) and with the status set
to success. This message also contains a Send-Confirm field and a Confirm
field, whose values are the output of another function. 66 The other side
can use the result to generate a new session key. 67 The AP responds with a
message of similar structure and its own confirm value.
67 Each side uses an expansion of the PSK, derived from the password,
called the key confirmation key (KCK), and described in 802.11-2020,
clause 12.7.1.3. For example, the STA computes and sends ConfirmA =
Hash(KCK | scalarA | a | elementA | elementB), while the AP computes and
sends ConfirmB = hash(KCK | scalarB | b | elementB | elementA). Each
side uses the other side’s commit, along with the PE, to generate a
session key, which becomes the PMK. The operation details are explained
in 802.11-2020, clause 12.4.5.4.
FILS can be used to validate that the STA has a valid password 69 or a valid
certificate (in a PKI context). The AP might not be able to verify these
elements alone, so it can turn to a Trusted Third Party (TTP) for this
validation. The TTP is expected to be connected to the AP securely over
the DS, and to be close enough that the exchange will be fast. As 802.11ai
was developed in the 2010s, the idea that observing many authentication
exchanges could be sufficient to run a statistical attack and find the static
password had become widespread. The standard allows for more
advanced mechanisms in which the STA and the AP (or TTP) first generate
temporal certificates to protect their exchanges, and never exchange
anything directly built from the shared password. Compromising the
password would therefore not allow an attacker to attack current sessions.
This process is called Perfect Forward Secrecy (PFS).
Note
The IEEE standard uses the acronym PFS for perfect forward secrecy, but
sometimes incorrectly expands it (e.g., in clause 4.10.3.6.1) as perfect
forward security. Perfect forward secrecy is a property of some key
agreement protocols by which compromising a long-term secret does not
also compromise the (shorter-term) session key. In the context of FILS, this
is achieved by using a Diffie–Hellman exchange to derive a session-unique
key from the long-term shared key. In other words, the AP and the STA
derive ephemeral private/public key pairs (from nonces and other domain
parameters) as part of their initial exchange, and pass the public part to
the other side, which is then used to protect further exchanges. The
operation is computationally complex, which means that an attacker
obtaining the long-term shared key cannot easily recompute the particular
session public/private keys that were derived by the STA or the AP.
PFS is optional for shared key authentication, but is always used with
public key–based authentication. In the latter case, the exchange relies on
finite cyclic groups algorithms. To limit password exposure (with or without
PFS), the shared key process verifies that a returning STA either has a
valid PMK that is still cached on the AP, or has a Reauthentication Root
Key (rRK) that was derived from the MSKSNonce as defined in IETF RFC
6696. When the AP queries the TTP for validation, it uses EAP-RP as
defined in IETF RFC 5295.
In that scheme, the STA starts with an 802.11 Authentication frame (of
FILS type), whose format depends on the FILS subflavor in use: shared key
without Perfect Forward Secrecy, Shared Key with Perfect Forward
Secrecy, or public key with Perfect Forward Secrecy. 71 In all cases, the
frame includes the Authentication Algorithm field (set to 4 for shared key
without Perfect Forward Secrecy, 5 for Shared Key with perfect forward
secrecy, and 6 for Public Key with Perfect Forward Secrecy), the
Authentication Sequence field (set to 1 for the first frame in the
exchange), and the Status Code (set to 0 for success). When using Shared
Key without Perfect Forward Secrecy, the frame can then also include a
nonce (in a FILS Nonce element) and a random FILS Session value (in the
FILS Session element). If the STA is coming back to an AP to which it
associated before (and for which it has a cached key), it adds a
FILS Wrapped Data field that contains an encoded version of the EAP-
initiate/reauth packet (by which the STA signals that it is returning and
identifies its previous security association ID). When using the shared key
with PFS and public key with PFS schemes, the STA adds a Finite Cyclic
Group field that indicates which finite group the STA is targeting, and the
ephemeral public key, encoded in the Finite Field Element field. 72
The AP forwards the STA material to the TTP (if applicable), which in turn
generates a response. The AP waits for that response before sending its
Authentication Response to the STA (this is why the TTP is expected to be
close to the AP). At this point, the AP has concluded the STA
authentication (in a security sense) with a single exchange with the TPP
(or the validation of the STA certification). Upon receiving the response
from the TTP, the AP is ready to use the material transmitted by the STA to
establish session keys.
Naturally, data communication is not just a PHY and MAC layer problem.
The STA also needs upper-layer elements—for example, an IP address. To
address this concern, the association request can include a FILS IP Address
Assignment element,75 in which the STA can either indicate the IPv4 or
IPv6 address it is requesting to use (for static IP address assignment and
returning STAs that want to reuse their previously allocated address) or
request a new address. The Association Response can also include the
FILS IP Address Assignment, through which the AP accepts or declines the
STA request (when the STA requests a specific address), or else returns an
IP address to the STA (when the STA requests a new address). In the
second case, the AP can indicate other parameters, such as the network
mask, gateway, or DNS server IP addresses.
The Association Request can also include one or more FILS HLP (Higher
Layer Protocol) Container elements,76 containing source and destination
MAC addresses, and an HLD packet field. The AP is expected to forward
this element to the DS, and from there to the target destination MAC (the
STA is expected to be the source MAC). This process ensures that a server
providing an upper-layer service (beyond DHCP) can respond and provide
the elements that the STA needs. Figure 2-8 illustrates the FILS
authentication exchange, in the case where no PFS is used.
One key difficulty with the HLP and DHCP containers is that upper-layer
services, in standard networks, are usually applications running on
servers. These applications need to receive queries, queue them, process
them, and then answer—all operations that take time. In most
implementations, the timeout value for a server nonresponse is expressed
in seconds, a time scale incompatible with a STA expecting to receive an
Association Response within a few hundred milliseconds. 77 Therefore,
these upper-layer functions assume either the presence of fast servers,
close to the AP, or the ability for the AP to cache some information (e.g.,
some IP addresses) for onboarding STAs. Collectively, these requirements
make the adoption of FILS more difficult.
Summary
Meanwhile, the 802.11 group’s long quest for optimal secure mechanisms
for all environments has led to the development of four (and one obsolete)
security schemes: some Open System schemes implementing the 802.1X
technique for robust authentication and key derivation; a Fast Transition
scheme that efficiently passes the keying material from one AP to the next
at roaming time; a Fast Initial Link Setup that accelerates the initial secure
onboarding of STAs entering the 802.11 domain; and a Secure
Authentication of Equals scheme that offers a modern and robust scheme
for password and PKI-based networks. All of these schemes needed to be
incorporated into the 802.11be design.
Chapter 3
overlapping basic service Set (OBSS): A basic service set (BSS) operating
on the same channel as the station’s (STA’s) BSS and within (either partly
or wholly) its basic service area (BSA).
802.11-2020, Clause 3
IEEE 802.11ax, and its associated Wi-Fi Alliance certification, Wi-Fi6, paved
the way for the improvements made possible with 802.11be. At its heart,
802.11ax aims at improving Wi-Fi performance in hyper-density scenarios,
where many STAs compete for airtime. By allowing multiple concurrent
uplink transmissions, and by designing a denser, yet more efficient carrier
structure, 802.11ax ensured that throughput could increase, even in these
high-density scenarios.
Note
This protection relates to the delay spread. Recall from the section on
OFDM transmission in Chapter 1, “Wi-Fi Fundamentals,” that signals can
bounce against obstacles before hitting the receiver slightly after the main
(line of sight) signal. This additional delay reaches a maximum value that
depends on the distance to the farthest likely obstacle, and is called delay
spread. An interval between symbols maximizes the chances that the
reflected signal will reach the receiver at a time when no useful symbol is
being received.
Now that the tones are 4 times denser in the frequency domain, it is
necessary to expand the core of the OFDM symbol duration by a
commensurate factor of 4, so as to preserve the orthogonality of the
tones. Even so, given the relatively fewer guard tones and pilot tone, the
change is a net win because this subcarrier density is more efficient than
the previous 64-tone per 20 MHz channel scheme. There is another
benefit as well: Because the time spread of the wireless echoes between
the transmitter and receiver is a function of the geometry and RF
characteristics of the environment, the absolute length of the required
cyclic extension (or guard interval) of each OFDM symbol does not need to
increase. With the longer core OFDM symbol period, the relative overhead
of the cyclic extension is smaller.
Modul
20 20 40 40 80 80 160 160
ation
MCS MH MH MH MH MH MH MH MH
and
Rate z1 z8 z1 z8 z1 z8 z1 z8
Code
SS SS SS SS SS SS SS SS
Rate
MCS BPSK 8.6 68. 17. 137 36. 288 72. 576
0 ½ 8 2 .6 0 .2 0 .0
MCS QPSK 17. 137 34. 275 72. 576 144 115
1 ½ 2 .6 4 .3 1 .5 .0 2.0
As you can see from Table 3-1, the tone densification strategy pays off.
Even at MCS 0 on a 20 MHz channel, 802.11ax can achieve 8.6 Mbps,
whereas 802.11ac allowed for only 6.5 Mbps.
802.11ax also introduces the idea of Resource Units (RUs). RUs are useful
in multiuser transmission schemes because they allow the AP to group a
subset of the total available tones and allocate each group to a STA (see
the next section, “Multiuser Transmissions”). Each RU has its own pilot
tones—for example, 2 pilots for a 26-tone RU, 4 pilots for a 52- or 106-
tone RU, 8 pilots for a (20 MHz) 242-tone RU, 16 pilots for a (40 MHz) 484-
tone or (80 MHz) 996-tone RU, and 32 pilots for a (160 MHz) 1992-tone
RU.
Multiuser Transmissions
In all cases, there was a single target receiver and a single transmitter.
Thus, the term was later renamed Single User MIMO (SU-MIMO).
MU-MIMO
The 802.11ac MU-MIMO scheme was limited to downlink traffic (AP to STA,
DL-MU-MIMO). A primary reason behind this limitation was the difficulty of
coordinating uplink transmissions. If several STAs were to send at the
same time (toward the AP), their clocks should be accurate enough that
they could synchronize exactly the time at which they would all start
transmitting together. In the same way, their carrier frequencies needed
to be tightly aligned. In an 802.11ac context, meeting these requirements
was challenging.
As an example, consider two users, one with a lot of data and one with a
little, both otherwise similar in terms of optimal MCS and maximum
supported number of spatial streams. The AP can allocate the maximum
number of spatial streams and optimal MCS to the first user, and calculate
the duration of the Data field for its data—but then the AP cannot allocate
less resources to the second user than one spatial stream. In this case, the
second STA, which does not need the full Data field, still has to pad the
remainder of the Data field with non-useful octets. As multiple STAs need
to send simultaneously, each STA that does not need the full data field of
the PPDU has to pad the remainder of the data field with non-useful data.
OFDMA
3 See mentor.ieee.org/802.11/dcn/10/11-10-0317-01-00ac-dl-ofdma-for-
mixed-clients.ppt
Also notice in the figure that larger RUs are constructed from smaller RUs,
such as the 106-tone RU being built from four 26-tone RUs. This example
shows the reason for the null subcarriers: 2 null subcarriers must be
added to the 4 × 26 tones to reach 106 tones. It is also interesting to note
that the 80 MHz HE PPDU includes contiguous null subcarriers. Both
examples in Figure 3-2 include 7 DC subcarriers at the channel center.
However, this is not the only possibility. A 20 MHz HE PPDU with a 242-
tone RU would include not only 3 DC tones at the channel center, but also
6 + 5 guard tones at the edges of the channel, but no other null
subcarriers within the channel. These adjustments are necessary to
harmonize the subcarrier count for a given RU width, but they also make
the structure quite complex.
To help visualize the structures, Table 3-2 summarizes examples of the null
and RU structures for the various channel widths defined in
802.11ax.5 This table does not show all the mix-and-match possibilities,
such as one 106-tone RU, one 52-tone RU, and three 26-tone RUs in 20
MHz. Keep in mind that these more complex combinations are technically
allowed, as long as the total number of used RUs matches the number of
available RUs. However, they add to the AP channel plan complexity, and
many APs may not implement them.
52 (32), 7 12, 11
26 (10)
106 7 12, 11
(16), 25
(10)
TABLE 3-3 Data and Pilot Subcarrier Count for Each RU Type
26 24 2
52 48 4
106 102 4
242 234 8
484 468 16
RU Size (Subcarriers) Data Subcarrier Count Pilot Count
996 980 16
Preamble Puncturing
Note
802.11ax adds certain constraints on the possible puncturing. This
possibility arises because the user assignment information of 40 MHz and
wider PPDUs is split across odd and even 20 MHz subchannels. Thus, at
least one odd and one even subchannel within the primary 80 MHz must
be unpunctured.
HE PPDU Format
The new structure of the PPDU, with its narrower subcarrier separation,
naturally means that 802.11ax transmissions cannot be understood by
pre-802.11ax receivers. As usual, the protection mechanism consists of
starting the transmission of most PPDUs7 with a pre-HE modulated PHY
header, with a Legacy Short Training field8 (L-STF), a Legacy Long Training
field (L-LTF), and a Legacy Signal field (L-SIG). This is followed by a
repeated L-SIG (RL-SIG9) field, whose purpose is to differentiate the HE
PPDU from all other non-HE PPDUs. (The latter also start with the L-STF, L-
LTF, and L-SIG fields, but their next preamble field is quite unlike a
repeated L-SIG.) The preamble continues with the HE-SIG-A field and
sometimes the HE-SIG-B field, too. These two fields are modulated with
pre-HE data rates, but include the information needed to interpret the rest
of the HE PPDU. In addition to the MCS used in the payload, the fields
indicate whether the PPDU is uplink or downlink, is trigger-based or not,
and uses dual carrier modulation or not (see the “Scheduling and
Multiuser Operations” section). They also provide the BSS color (see the
“BSS Coloring” section), the approximate duration of the TXOP, and the
Spatial Reuse Parameters (SRP). After the HE-SIG-A/B fields, and beginning
with the HE-STF field, the PPDU modulation switches to HE modulation,
which is used for the remainder of the PPDU. Figure 3-4 illustrates this
structure.
7 Exceptions at 2.4/5/6 GHz include the 1, 2, 5.5, and 11 Mbps PPDUs and
the little-used HT-GF format, which is deprecated for modern devices. In
the following discussions, these PHY formats are ignored for simplicity.
Some PPDUs do not follow this exact format. In fact, 802.11ax defines four
PPDU format types: the HE Single User PPDU (HE SU PPDU), the HE
multiuser PPDU (HE MU PPDU), a Trigger-Based PPDU for UL MU-MIMO or
UL-OFDMA (HE TB PPDU), and an Extended Range Single User PPDU (ER
SU PPDU). All PPDUs include the same legacy header and RL-SIG. The HE
SU PPDU includes an 8 μs HE-SIG-A field, followed by a 4 μs HE-STF field.
By contrast, the HE MU PPDU shown in Figure 3-4 also includes the 8 μs
HE-SIG-A field, which is followed by a 4 μs (per symbol) HE-SIG-B field, and
then the 4 μs HE-STF field. The HE TB PPDU does not include the HE-SIG-B
field, and its HE-STF field lasts for 8 μs (instead of 4 μs, as in the HE SU
PPDU). Lastly, the HE ER SU PPDU has a longer HE-SIG-A field (16 μs), no
HE-SIG-B field, and a regular (4 μs) HE-STF. All four HE PPDU format types
end with the HE-LTF, Data field and a (possibly zero-length) PE field.
In the HE-modulated part of the payload, recall that the core of each
OFDM symbol lasts 12.8 μs. At the same time, 802.11ax allows for three
core HE-LTF durations: 3.2 μs, 6.4 μs, and 12.8 μs. A longer HE-LTF allows
for a better channel estimation, at the cost of a longer overhead.
802.11ax also allows three different guard intervals (GI): 0.8 μs, 1.6 μs,
and 3.2 μs. The 800 ns GI is the most commonly used for indoor
transmissions. The longer ones are available for the following purposes:
Functional Improvements
The HE channel, with its high subcarrier density, allows for an increase in
the PHY rate with minimal downsides. The RU structure also allows
multiple concurrent transmissions via OFDMA (frequency-domain
aggregation). MU-MIMO is another path to multiple concurrent
transmissions via spatial-domain aggregation. Quite naturally, this
organization works only if there is a form of coordination between
potential senders. As you might expect, the PHY improvements are also
accompanied by MAC improvements that allow for the HE orchestration.
Sounding Procedure
Trigger Frames
0 Basic
2 MU-BAR
3 MU-RTS
5 GCR MU-BAR
8–15 Reserved
Note
You will find many references naming a field within another field with the
term “subfield.” This semantic choice is absolutely correct. However, the
802.11 designers have noted that a subfield is a field, and in many cases
do not bother with the underlying “sub” indicating that the field is within
another field.
The User Info List11 contains zero or more User Info fields. Each of these
fields allocates RUs and/or spatial streams to target STAs (identified by
their AID) that are expected to transmit. The field also mentions the power
at which all these joint transmissions are expected to be received at the
AP level (see the “Spatial Reuse Techniques” section for details on its
goal). A User Info field can also include a Trigger Dependent User Info
field, whose content depends on the trigger type.
Note
The presence of the term “info” in the names of many fields nested into
other fields also named “info” may be confusing if you do not look
carefully at the field hierarchy. The Common Info field may include a
Trigger Dependent Common Info field. The User Info List includes 0 or
more User Info fields. Each User Info field may include a Trigger
Dependent User Info field.
If the AP were to query each STA in turn to determine which ones have
traffic to send, it would consume a considerable amount of airtime, would
in many cases be unable to receive a response (if the target STA is
dozing), and would list STAs in need of uplink scheduling that, by the time
the AP round of querying is finished, would have long sent their traffic in
an unscheduled manner. Most of the time, the AP’s questions are simple,
and can be answered with a single bit: Are you awake? (yes/no). Do you
need uplink transmission scheduling? (yes/no).
The AP can change the values of the MU EDCA Parameter Set at will. In
particular, the element includes a version number that allows the STA to
know if it has the latest values, and the AP can also send to the STA a MU
EDCA reset frame to refresh the values for the STA. The MU EDCA
Parameter Set also allows the AP to dynamically change the rules at any
time, by causing the previously scheduled STAs to pause their
transmissions. This second and more drastic mechanism is triggered by
the AP setting, in the MU EDCA Parameter Set, the AIFSN value for one (or
more) particular AC(s) to be 0 and communicating this new parameter set
to the STA. If a STA receives the AIFSN[AC] = 0 message for an AC for
which the STA was scheduled, it must pause its EDCA function (and so
stop contending for channel access) for the duration of the MU EDCA
timer. The STA can resume its normal operations at the end of the MU
EDCA timer period. Figure 3-8 illustrates these MU EDCA contention
principles.
BSR
17 See 802.11-2020, Table 9-10. The first 3 bits indicate the TID/UP, and in
most cases the fourth bit is not significant.
A second possibility is for the STA to send a BSR for all ACs. In that
scenario, the STA also sends a QoS frame, a QoS Null frame, or a
management frame to the AP. The frame header includes an HT Control
field. When the first two bits of the HT Control field are set to 1, the field
becomes HE variant and includes an A-Control field. The A-Control field
can include a BSR Control field.19 In that case, the BSR Control field
includes a Control Information field, which indicates the number of TIDs (1
to 7) contained in the report. An Access Category Index (ACI) Bitmap field
represents the four ACs, and a Delta TID field further indicates which
TID/UP in each AC has buffered traffic. The report is coarse, because it
does not provide the buffer details for each individual TID. Instead, an ACI
High field can point to the TID of highest importance (likely the one
requiring urgent scheduling). A Queue Size High field indicates the depth
of that critical queue. Another field, Queue Size All, represents the queue
depth of the other queues (either their mean depth or the depth of the
deepest queue, depending on the implementation). A Scaling Factor field
indicates the octet units in use, thus allowing for an indication of up to
64,768 octets. Figure 3-9 illustrates this Control Information field.
BSS Coloring
Suppose that STA1 is associated to AP1 (STA2, STA3, and STA4 are
associated to AP2), and that both AP1 and AP2 are on the same channel.
When AP2 transmits a broadcast frame or a unicast frame to STA2, STA1
detects that transmission and (because of CCA21) refrains from sending to
AP1 at the same time.
Other STAs, like STA4, might be too far from STA1 to prevent STA1 from
sending at the same time; however, the AP2/STA2 scenario is common.
802.11ax helps mitigate this issue with a multilayered spatial reuse
mechanism. Spatial reuse allows two or more neighboring systems—BSSs
in this case—to use the same medium by identifying signals from the
overlapping system and applying interference management techniques.
Note
The AP then mentions its color value in the HE Operation element in the
beacon and probe responses. Each STA that associates to the AP adopts
that color. For any frame sent in the BSS, the transmitter then indicates in
the SIG-A field of the PHY header the BSS color associated to that BSS.
The collision detection event occurs when an AP detects a frame sent from
a STA in an OBSS (i.e., another AP, or a STA that is not associated to the
local AP) with the same color as its own. However, the AP is at the center
of the BSA and may or may not detect the OBSS traffic. STAs that are
closer to the other system are better reporters. Therefore, 802.11ax also
allows a STA to report a color collision. Similar to the AP detection, the STA
might detect a transmission with a SIG-A field matching its own BSS’s
color, but where none of the three addresses in the MAC header matches
the BSSID with which the STA is associated. In that case, the STA can
report the color collision with an Event Report frame. 23 This frame is an
action frame inherited from 802.11v-2011 and enhanced for BSS coloring
operations; it includes an Event Report element with an Event Report field
that indicates the BSS color collision.
Upon concluding that a BSS color collision has occurred, the AP can start
by disabling its own color for a while by setting the BSS Color Disabled bit
in the HE Operation element to 1 (in beacons, association responses, and
probe responses). All its associated STAs, upon receiving this beacon,
would then understand that the current color is no longer valid. The AP
can subsequently send a BSS Color Change Announcement, an
information element that can be carried in beacons, probe responses,
reassociation responses, or a specific HE BSS Color Change announcement
action frame. The element contains the value of the new color, but also a
color switch countdown value that indicates when (in units of TBTT) the
new color will come into effect. As the message is repeated in each
beacon (and the TBTT is a beacon interval), the color switch countdown
acts as a countdown timer. When it reaches 0, the AP starts announcing
the new color. At that time, the old color is no longer mentioned, and the
BSS color disabled bit in the HE Operation element is set back to 0.
After this operation, neighboring BSSs should operate with different color
values. The next element in the spatial reuse mechanism is to apply
interference mitigation techniques. Two techniques are implemented
together: a technique to ignore the transmissions of the OBSS system (if
they are below some target threshold), thereby allowing the STA to
transmit while another OBSS is also transmitting, and a technique to
reduce the transmit power, so as to minimize the disruptions to the
neighboring OBSS. These two techniques come in two flavors: a
parameter-free spatial reuse flavor and a parameterized spatial reuse
flavor.
TPref={21dBmforSTAs21dBmforAPswith2orlessSS25dBmforAPswith3ormor
eSS
The transmit power of the STA (TPSTA) must then be chosen to satisfy the
following constraints, where log10(BW) is the bandwidth of the PPDU to
transmit (20, 40, 80, or 160 MHz):
From this equation, you can see that a STA that sets its OBSS PD
sensitivity at, for example, –78 dBm (thus ignoring only OBSS STAs that
would be fairly far away) can send a 20 MHz signal at 17 dBm. However, a
STA that set its OBSS PD threshold at –70 dBm (thus ignoring
transmissions that are fairly close by) should set its power (for a 20 MHz
signal) at 9 dBm. In other words, the STA decreases its transmit power as
it ignores OBSS systems that are closer, which limits the STA’s negative
effect on the neighboring system. Just as in human communications in a
quiet setting, the STA speaks more quietly if another conversation is
occurring nearby, and it can speak more loudly (at normal volumes) if the
other conversation is farther away. The neighboring system will likely
operate in the same way. As a result, STAs that are between APs and
strongly affected by the OBSS issue, such as STA1 and STA3 in Figure 3-6,
will reduce their transmit power while ignoring the OBSS interference as
much as possible. In contrast, STAs located farther away and potentially
less affected by the OBSS issue, such as STA2, will reduce their transmit
power only a little bit as they detect STA1 in the distance. Meanwhile,
STAs on the other side of the OBSS issue, such as STA4, will not change
their power, because they are not affected.
Within those limits, each STA can choose the OBSS PD value that best
suits its needs, given that a STA usually aims at maximizing its access to
the medium. The AP can also set some boundaries and prevent the STAs
from setting their OBSS PD thresholds too high (too close to the –62 dBm
OBSS PDmax value), by announcing a non-SRG OBSS PDmax value in the
field of the same name, within the Spatial Reuse Parameter Set element in
the beacons and association response frames.
The trigger frame sent by the AP includes a Common Info field. Recall that
this field includes the AP Tx power and the bandwidth of the expected
uplink frames that the STAs will send in response to the trigger. The field
also includes, in its bits 37 to 52 (16 bits), the UL Spatial Reuse field,
which indicates up to four PSR values,26 called PSRinput. Depending on the
bandwidth of the upcoming uplink frame (20, 40, 80, or 80 + 80 MHz), one
to four of these PSRinput values will contain a number. The STAs in the BSS
do not use these PSRinput values directly. Instead, the STAs receive these
PSRinput values, and simply indicate them in the HE SIG-A field of the uplink
frame they generate in response to the trigger frame. The real targets of
these values are the STAs in the OBSSs.
26 See 802.11ax-2021, Table 17-21, for the individual values of these PSR
values.
PSRinput=AP_TXpower+IAP
A STA receiving such trigger frame might observe that the sending AP is
not the AP of the STA’s BSS (i.e., the sender is a neighboring AP in an
OBSS scenario). It can then use the signal level at which the trigger frame
was received, along with the AP_TXpower and the PSRinput values, to
determine the maximum power at which it would be allowed to transmit
over the upcoming uplink frame. At that point, based on its OBSS PD
parameter, the STA can decide whether transmission at that power is
useful (or not).
TWT Setup Command is set to request when the STA indicates that
the AP should decide on the best TWT parameters.
TWT Setup Command is set to suggest when the STA suggests some
parameters, but may accept some variation suggested by the AP.
TWT Setup Command is set to demand when the STA provides strict
parameters and cannot accept different values.
As you might expect, the AP, in response, can accept the parameters sent
by the STA, provide alternative parameters, or flatly reject the request (in
which case the dialog stops). In practice, more than one TWT setup
exchange may be needed before the STA and the AP agree on a set of
parameters. The result of this individual negotiation is that the AP can
have multiple TWT agreements, each with a different STA. The service
periods may then overlap, causing the STAs to have to contend with each
other for channel access using the usual contention methods.
The AP can also have a shared TWT session with a group of STAs. This
second mode is called Broadcast TWT. In this case, the AP creates one or
more broadcast TWT schedules and specifies their parameters, and
advertises each group identifier (the Broadcast TWT ID) and the matching
TWT parameters in a TWT element of the beacon frames. A STA that
wants to join one of the advertised broadcast TWT schedules makes that
request by sending a TWT setup action frame that contains, in the TWT
element, the Negotiation Type field set to 3 (broadcast) and the broadcast
TWT ID. Here again, the AP can accept or reject the request, or suggest an
alternative broadcast TWT schedule. During the setup phase, the STA can
also optionally negotiate the next target beacon and the listen interval;
that is, it can determine which beacons the STA should listen to, so that it
can stay updated on the group TWT parameters. At any time, the STA can
leave the broadcast TWT schedule by sending a TWT teardown
frame.30 The AP can send this frame to tear down either the STA
membership to the group or an individual TWT agreement. The AP can
create new broadcast TWT schedules (with different TWT parameters) or
tear down existing groups as its scheduling, load, configuration, or other
parameters require. However, the AP cannot delete a group that still has
active STA members.
To accommodate all types of STAs and APs (those with high-quality clocks
—and the others), TWT SPs can operate in different modes:
Figure 3-12 illustrates individual and broadcast TWT agreements for the
implicit and unannounced modes.
FIGURE 3-12 Individual and Broadcast TWT Agreements for the Implicit
and Unannounced Modes
As you might expect, the 6 GHz band was not a totally unused space
before 802.11 was authorized there. Several other systems were
operating in various segments of this band. Authorizing 802.11 implied
making sure that Wi-Fi would not disrupt the transmissions of the
incumbents. Different regulatory domains had different incumbents. As a
result, the 6 GHz band looks today like the 5 GHz band in the early days of
802.11 operations in that band. Some segments are allowed in some
regulatory domains but not in others, and the power rules are not the
same in all segments. These segments also have different names and
designations depending on the regulatory domain. This book uses the FCC
naming convention, because it seems to be defined clearly enough that
any local nomenclature can be found from the FCC names.
Spectrum
In the FCC world, the 6 GHz band is divided in four segments of interest
where each segment includes channels positioned 20 MHz from each
other:
At the time that this chapter was written (mid-2024), not all channels were
allowed in all regulatory domains. The FCC, followed by the regulatory
bodies of several other countries, including Saudi Arabia, Brazil, Argentina,
Peru, Colombia, and Canada, authorized the entire band in Figure 3-13,
albeit with different power rules (standard, low, or very low power). Most
of the ETSI countries and Australia have authorized the 5.925–6.425 GHz
range, and are considering the adoption of the 6.425–7.125 GHz range.
Other countries, including Russia, Sweden, Mexico, South Africa, Namibia,
Kenya, Turkey, and many central European countries, have adopted the
5.925–6.425 GHz band but decided against allowing the upper part of the
band (6.425–7.115 GHz). Still other countries continue to debate the
adoption of one or more segments of the 6 GHz band. The difference
between regulatory domains is important: In the United States, 59 new 20
MHz channels are accessible; in the ETSI domain, “only” 24 new 20 MHz
channels are accessible. In all cases where 6 GHz is allowed, however, the
spectrum available to Wi-Fi at least doubles, and sometimes triples.
Note
The Wi-Fi Alliance keeps track of the current state of authorization for
every country, at this page: www.wi-fi.org/countries-enabling-wi-fi-in-6-
ghz-wi-fi-6e.
802.11 operations in the 6 GHz band come with interesting new power
rules. In the 2.4 GHz and 5 GHz bands, the rules about maximum allowed
power are built on the concept of effective isotropic radiated power (EIRP),
a measure of the total quantity of energy radiated by the antenna of the
transmitter (non-AP STA or AP STA). The maximum EIRP is fixed for 2.4
GHz and each sub-band of 5 GHz. This limitation means that an 802.11
STA transmitting a signal over an 80 MHz channel cannot transmit more
energy overall than the same STA transmitting over a 20 MHz channel in
the same band. As a result of this rule, the energy transmitted over each
megahertz of a 80 MHz transmission is lower than the energy transmitted
over each megahertz of a 20 MHz transmission. This idea might sound
strange, but it is similar to the idea of the output of a water hose. Suppose
your hose is allowed to deliver 1.5 liters of water per second. It will spray
less water per unit of surface (square inches or square centimeters) if you
spread the jet over a 5-meter-wide circular area than if you focus the jet,
power-washer style, over a small (e.g., 1 square centimeter or 0.5 square
inch) surface.
This constraint was taken into consideration during the debate over the
authorization of 802.11 in the 6 GHz band. The regulatory bodies that
have authorized operations in the 6 GHz band have so far adopted
another method for computing power, the maximum power spectral
density (PSD). In this system, the maximum amount of energy that a
transmitter can emit is regulated on a per unit of spectrum basis (i.e., per
hertz). In the water hose analogy, the regulation would limit the amount of
water spread per unit of surface, rather than the total amount of water
sent by the hose. Practically, this rule means that a transmitter can send
the same amount of energy over each megahertz irrespective of the
channel width. As such, the 20 MHz transmission has the same useful
range as the 80 MHz transmission. A natural consequence is that the total
amount of energy sent over a 80 MHz transmission is larger than the total
amount of energy sent over a 20 MHz transmission, at least for a frame of
the same duration.
One key factor driving the various 6 GHz adoption decisions of the
different regulatory bodies is that the different segments of the band were
already used by existing entities (the incumbents). In some cases, these
entities had stopped using the band for historical reasons. In other cases,
the entities were still actively using the band, and authorizing 802.11
meant ensuring a peaceful coexistence with these incumbents, by
regulating the power that 802.11 entities could use.
Operation in LPI mode is allowed only indoors. Practically, this means that
an AP leveraging LPI cannot be weatherized. The AP also cannot have an
external antenna, a restriction meant to ensure that the gain of the
antenna will not cause the AP to exceed the EIRP limits.
As you might expect, if the AP power is regulated, the non-AP STA power is
regulated as well. One difficulty is that the non-AP STA cannot know if it is
indoors or outdoors; by contrast, an AP is fixed, and an admin deploying
the AP knows if the AP is deployed indoors or outdoors. Therefore, the
non-AP STA is always designated as a client under the control of an access
point. The non-AP STA must contact an AP first, before knowing if it can
operate at the SP or LPI level. In both cases, the non-AP STA power limit is
6 dB below the AP maximum in the FCC domain, but the same level as
the AP in the ETSI domain. If the AP is not at maximum power in the FCC
domain, it might be possible that the STA happens to operate at the same
power as the AP. Even if it is at maximum power, the AP typically has
highly sensitive antennas. As a result, the 6 dB difference might not cause
dramatic asymmetry issues between DL and UL transmissions.
The ETSI has allowed, and the FCC is considering, a Very Low Power (VLP)
mode, indoors and outdoors, with a PSD of –8 dBm/MHz and a maximum
EIRP, for the AP and the non-AP STA, of 14 dBm. This mode is primarily
intended for client-to-client communications (e.g., a smartphone to a
smartwatch) or small mobile systems (e.g., a phone acting as an AP to
connect a Wi-Fi laptop to the phone cellular network).
SP FCC 36 30 11 5
LPI FCC 30 24 5 –1
ETSI 23 23 10 10
Max Tx Power EIRP Max PSD EIRP
Mod
Domain
e
AP Client AP Client
(dBm) (dBm) (dBm) (dBm)
AFC Rules
Looking at the different segments of the 6 GHz band, the FCC concluded
that there would be two key types of incumbents: some static (non-
mobile) systems (e.g., person-to-person [P2P] radio links, from public
safety dispatch to cell tower backhaul, but also satellite links) in U-NII-5
and U-NII-7 and some mobile systems (e.g., a TV news truck sending feeds
back to the main station) in U-NII-6 and U-NII-8. Limiting interferences to
mobile systems is very difficult, because these systems can appear
anywhere, at any point in time. Therefore, the FCC decided to forbid
802.11 outdoors, as well as indoors operations at power beyond LPI, in U-
NII-6 and U-NII-8. In U-NII-5 and U-NII-7, coexistence with non-mobile
systems might be possible. Thus, the FCC allowed outdoors and indoors
operations at the SP level, but with the conditions that an AP would not
radiate energy upward (beyond 21 degrees above the horizon, to avoid
disrupting satellite services) and that it would not use SP power on a
particular channel before making sure that no incumbent (operating on
that channel) would be in range.
32 See these FCC documents: FCC 20–51; 35 FCC Rcd 3852 (2020); 85 FR
31390 (May 26, 2020).
The AP can then operate normally at SP. The nonmobile systems are not
expected to move. However, it is possible that new systems might be
deployed, and these incumbents have spectrum access priority over
802.11. Therefore, at least every 24 hours (and each time it reboots), the
AP needs to query the AFC again.
Beyond the power complexity, a great advantage of the 6 GHz band for
802.11 is that it constitutes a greenfield. As no previous version of Wi-Fi
was deployed in this band, there is no need for constraining backward-
compatibility. Therefore, optimizations are possible that would not be
allowed in other bands.
One element that had been bothering 802.11 designers for a long time is
the issue of AP discovery. APs send beacons at regular intervals (typically
every 102.4 ms or 100 TUs) to signal the BSS characteristics. The beacons
contain a lot of information, so a beacon is considered as a frame that
occupies a lot of airtime. Meanwhile, when a STA tunes onto a channel to
discover APs, having to wait more than 100 ms to make sure that it hears
all the beacons33 is not desirable. A delay of 100 ms is a long time,
especially if the STA has to scan more than 20 channels (in the 5 GHz
band) or close to 60 channels (in the 6 GHz band in the FCC domain). A
one-pass-per-channel scan operated at that scale will consume close to 10
seconds—an unacceptable delay. In the traditional spectrum (2.4 GHz and
5 GHz), there is no easy solution to this problem. Increasing the frequency
of beacons would mean increasing the overhead on the channel.
33 In practice, the STA may even need to wait for two beacon intervals, to
make sure to get the second-time beacons it may have missed the first
time.
One solution was to allow APs to send, between regular beacons, shorter
beacons containing the minimum information that a STA needs to
determine whether it wants to wait for the full beacon or move on to
another channel. (See the “Scanning Procedures” section in Chapter 1,
“Wi-Fi Fundamentals.”) Another solution was to allow active scanning. In
this approach, a STA sends a probe request, instead of waiting for the next
beacon. The probe response includes the same information (in the context
of AP discovery) as the beacon. However, many STAs performing probe
exchanges end up adding to the channel overhead, ultimately consuming
as much time as it would take if the AP were to send more beacons. In the
6 GHz spectrum, with 59 potential channels, the 802.11ax designers
decided to implement new and more efficient discovery mechanisms.
Out-of-Band Discovery
One such mechanism relies on the idea that many AP devices operating in
the 6 GHz band will be multi-radio, and also operate in another band (2.4
GHz or 5 GHz). A STA discovering APs will also scan the 2.4 GHz and 5 GHz
bands—and will likely scan these bands first for the foreseeable future, as
the STA has today more chances to find an AP in 2.4 GHz or 5 GHz than in
6 GHz. Therefore, Wi-Fi 6E mandates that multi-radio AP devices operating
in 6 GHz and at least one other band must advertise their 6 GHz BSS in
the other band(s). This advertisement uses an element of the beacon or
the probe response called the Reduced Neighbor Report (RNR)
element.34 In its initial intent, this element informs the STA about neighbor
APs in a compact form in a field called TBTT Information Set. This field
identifies each channel where the STA can find other APs, the TBTT offset
that indicates the neighbor AP’s beacon period offset with that of the local
AP, and some optional information like the neighbors’ SSIDs or BSSIDs.
Note
In the RNR, the SSID is the short SSID, a 4-octet hash of the SSID. Using
the hash instead of the full SSID (which can be up to 32 octets long)
makes the field shorter while still carrying relevant information the same
way.
In Wi-Fi 6E, the RNR element is used by the 2.4 or 5 GHz AP to inform STAs
about the 6 GHz AP. In that version of the RNR, the TBTT Information Set
field still includes the TBTT offset (allowing the STA to know when to jump
to the other channel with a minimum wait time before hearing the other
AP beacon) and the optional BSSID/SSID fields. However, it adds a new
BSS Parameters field (shown in Figure 3-11), with the following additional
elements:
In addition to the BSS Parameter field, the TBTT Information field includes
a 20 MHz PSD field, which indicates the PSD of the 6 GHz AP. This
information helps the STA determine whether the AP is operating in VLP,
LPI, or SP mode (and therefore the maximum PSD of the STA when
operating on that 6 GHz channel). Figure 3-14 illustrates the TBTT
Information field in the RNR element.
With these elements, the STA knows the main characteristics of the 6 GHz
AP. It can go to the indicated channel, immediately send unicast directed
probe requests to the 6 GHz AP, and obtain in the probe response all the
operating parameters needed for the association.
Efficient Probing
The unicast probe request is not just a consequence of the RNR
mechanism. In fact, Wi-Fi 6E does not allow a STA to browse each channel
of the 6 GHz band and send its broadcast probe requests at will. The STA
must obey scanning rules. First, a STA is allowed to send a unicast probe
request on a 6 GHz channel. Such a message means that the STA knows
the AP BSSID (the RA in the unicast probe request), and either is returning
to the AP or has discovered the AP by other means (e.g., via an RNR in 2.4
or 5 GHz).
The unicast probe request method works well for multi-radio AP devices.
Unfortunately, there are also 6 GHz-only APs, and those cannot be
discovered through a 2.4/5GHz RNR. Therefore, broadcast probe requests
may be necessary, but scanning 59 channels does not seem efficient.
Summary
Designed during the years of the mobile phone explosion, 802.11ax (and
its associated certifications, Wi-Fi 6 and Wi-Fi 6E) introduced many
features aiming at solving high-density problems. A new carrier structure
enabled narrower and more numerous subcarriers, with an associated
throughput increase. OFDMA allowed simultaneous transmissions on
subsegments (RUs) of the channel. Multiuser transmissions became
possible for uplink flows. All of these features significantly reduced
collisions, improving both throughout and latency for the BSS as a whole
and for latency-sensitive applications in particular. At the same time,
OBSS coloring and clever spatial reuse mitigated the issue of high-AP-
density deployments with large channels, where neighboring BSS would
overlap. Finally, operations in the 6 GHz band brought the opportunity for
increased efficiency.
802.11-2020, Clause 3
Each new generation of Wi-Fi both creates new market opportunities and
solves challenges in existing deployments and previous Wi-Fi versions.
Advances in the electronics design and manufacturing sector tend to drive
market growth, with the need and the capability to achieve higher client
density, higher throughput, smaller form factors, and lower power
consumption. The previous chapters have touched on limitations of
previous 802.11 generations. Some of these challenges were technical, as
advances in some areas surfaced limitations in other areas. Others were
operational, with needs for seamless roaming or higher QoS capabilities
that were not answered fully by Wi-Fi 6 or the previous generations (“a Wi-
Fi that just works, without the user needing to think about it because it
just limited the user experience in some ways,” as many protocol
designers say). This chapter reviews the main drivers behind Wi-Fi 7, the
directions that were explored, those that were retained, and those that
were abandoned (at least temporarily).
This chapter, like the others, uses the terms Wi-Fi 7 and 802.11be
interchangeably when the context is not about the IEEE or the WFA work
(e.g., “the Wi-Fi 7 era”). It uses 802.11be and Wi-Fi 7 specifically when
referring to the amendment text (802.11be) or the certification program
(Wi-Fi 7), noting that some elements of the amendment are not in the
certification programs.
The main drivers that brought about 802.11ax and Wi-Fi 6 revolved
around the idea of densification. As more and more networks adopted Wi-
Fi as their primary access technology (including for business-critical
operations, such as real-time production management or video-
conferencing), the number of connecting devices and their overall
throughput needs skyrocketed. The increasing deployment of Wi-Fi–based
IoT solutions (for building management, safety, smart homes, and many
other use cases) exacerbated the densification trend even more. Wi-Fi 6,
which is based on 802.11ax (rightfully called, in its early IEEE inception,
the High Efficiency Wireless [HEW] study group), met that demand with
higher efficiency at scale. The 802.11ax amendment allowed for an
increased number of supported clients per BSS, with technologies like
orthogonal frequency-division multiple access (OFDMA), through which
multiple clients could share the same uplink transmission time segments.
Uplink scheduling also increased the density of data in each BSS, by
reducing the risks of collisions or individual STA starvation. These
mechanisms complemented, for the upstream, a densification effort that
had started, for the downstream, in the Wi-Fi 5 generation. At the same
time, 802.11ax allowed for denser AP deployments by limiting the
detrimental effects of neighboring APs’ operation on the same channel.
With BSS coloring, adjacent APs (on the same channel) can detect each
other, and suggest to their clients to partially ignore the noise coming
from the neighboring BSS’s traffic. Denser BSSs, more STAs per BSS—
802.11ax “high efficiency” was primarily about “high density.”
These trends are still valid in the Wi-Fi 7 era (Figure 4-1), and the need for
densification continues. The accelerating growth of IoT devices and
machine-to-machine (M2M) connections at home, in the office, and in the
manufacturing/warehouse space, as well as the increasing need for virtual
collaboration with traditional 2D or 3D virtual reality (VR) meetings, is
bound to accentuate the requirement for denser and faster Wi-Fi.
Whether the application is for the home, office, home office, or your
favorite warehouse, the same trends that drove Wi-Fi 6 continue apace
and need to be addressed by the next generation: Wi-Fi 7. More capacity
(and use of more spectrum) is needed for the continued growth of IoT and
mobile offload traffic. Determinism, or at least better reliability, is needed
to tackle the emerging AR/VR and IIoT/OT applications with specific low
bounds on latency. Higher capacity can be achieved with improved data
rates, larger channels, and enhanced usage of the 6 GHz spectrum,
especially via multi-link operation (MLO). Determinism, or reliability, can
be solved with QoS enhancements that better allocate the transmission
opportunities available in the BSS, to ensure that delay-sensitive
applications are served within the bounds they tolerate.
Video-Conferencing
Historically, the solution to this kind of QoS problem has been for an
endpoint to mark its voice and video traffic appropriately with
Differentiated Services Code Point (DSCP) and User Priority (UP) values.
Each UP is then mapped to an AC, thereby providing access to prioritized
Wi-Fi Enhanced Distributed Channel Access (EDCA) queues and allowing
the STA (and AP) to prioritize these delay-sensitive flows.
AR/VR/MR/XR
Augmented reality (AR) was just the subject of market experiments at the
time of Wi-Fi 6’s development. But when the specification was officially
released, many large companies had already started producing AR or VR
headsets. Today, the world of augmented, mixed, and virtual reality
(AR/MR/VR), which is collectively referred to as extended reality (XR),
includes a wide range of applications with various levels of capabilities
and complexity (Figure 4-4). The top left photo in Figure 4-4 pictures a
simple heads-up display (HUD) application of AR in which an image is
displayed on glass in the user’s HMD, reflecting the state of one or more
apps (e.g., machine monitoring app status, but also meeting notifications,
today’s weather, and so on). In general, these images have a low
resolution and do not change much with respect to the HMD’s orientation
(or the user’s pose). To reduce the compute complexity of the glass itself,
the image rendering may be performed on a companion device (e.g.,
phone, watch) and then transferred to the glass via peer-to-peer (P2P) Wi-
Fi.
In the top right photo, a more immersive form of AR is shown, in which the
image is full glass: It occupies the user’s entire field-of-view (FOV) and is
overlayed onto the real environment. In this scenario, the content shown
is relative to the HMD orientation and location. Applications such as
indoor/outdoor waypoint-based navigation and context-aware operations
management are typical illustrations of this case. Just as in the previous
case, rendering may be performed by a companion device, then
transferred to the glass with P2P Wi-Fi.
Promising Directions
However, the challenges brought by the fast growth of the IoT, the
explosion of real-time video calls (especially in the COVID and post-COVID
worlds), and the apparition of XR applications with near-zero-delay
requirements could not be solved only with the addition of more spectrum.
One core reason is that a massive shift of all Wi-Fi clients to 6 GHz is
unlikely to occur. The original 802.11 standard (in 1997) was released
solely for the 2.4 GHz band. The 802.11a amendment of 1999 introduced
the 5 GHz spectrum. Yet it took more than 10 years for 5 GHz to become
mainstream and commonly supported on STAs and APs. The adoption of 6
GHz is likely to follow a different curve, because most vendors have been
eagerly hoping for this spectrum addition. Nevertheless, for the
foreseeable future, devices will still operate in the 2.4 GHz and 5 GHz
bands. In other words, 6 GHz will be an augmentation, not a replacement.
Given this reality, the limitations of Wi-Fi 6 in the 2.4 GHz and 5 GHz
bands still need to be solved.
A more elegant approach was needed. The most natural direction ended
up being a dialog between the STA and the AP. Wi-Fi 7 adopted a QoS
management methodology in which each application on the STA can
explicitly indicate its name, or parameters sufficient for the AP to identify
it, using low-complexity (non-DPI) methods. This traffic classification
(TCLAS) method allows the AP to know which traffic flows (e.g., IP tuples)
belong to key applications and to schedule them properly (for upstream
flows). An extension of this method, implemented in one of the Wi-Fi
Alliance’s QoS management programs, allows the AP to also instruct the
STA on how to properly mark (DSCP and UP) that key traffic (or the other
traffic). Thus, the critical applications can be marked as needed to benefit
from the services they need, while the other applications will access the
medium on a best-effort basis.
This new signaling method was a great step forward. However, the class,
or category, is just one element of QoS. Another key consideration is the
type of scheduling structure (or performance) that the application needs
to perform optimally. For example, two applications might use interactive
video streams as part of their multimedia service; under Wi-Fi 6, both of
them would be classified and queued as video, with the same mapping to
the AC_VI access category. However, one of those applications is web
conferencing and the other is a VR application with head tracking. The VR
application has a very strict latency requirement, because delays between
the head motion, reported back to the server, and the matching new
landscape view, sent and played back to the headset, may cause nausea
or headaches in the user. Both applications belong to the video general
category, but have very different requirements from a delay point of view.
A 100- to 200-ms delay might be acceptable for the web conferencing
application, but the AR/VR application requires a delay closer to 10 to 20
ms. Unfortunately, Wi-Fi 6 does not include any reliable mechanism to
signal the differences between these applications.
A typical illustration is a hospital, where doctors and nurses may use real-
time applications for patient care operations. Meanwhile, a patient
(connected to the same AP, possibly a guest SSID, but still on the same
channel) might want to play an online VR game. The patient headset
might provide an SCS request with a description of the VR traffic. If there
is enough airtime in the BSS, the AP can then allocate the requested slots.
Every few seconds, the STA and the AP exchange updates on the VR flow.
Then, a nurse starts a flow from a work application that needs a real-time
exchange (e.g., a video-conference exchange with a specialist). The nurse
device also makes the SCS request to the AP. As the nurse’s traffic is
business-critical, it gets the scheduling it needs, and the AP updates the
first STA that the VR traffic will soon receive less bandwidth. The VR
headset has the time to downsize to a more conservative codec and
negotiate a new schedule with the AP.
The QoS requirements are not limited to a single AP. The very nature of
Wi-Fi is based on mobility. However, a STA often has very limited
knowledge about its environment. The mobile device is torn between the
need to conserve energy as much as it can (so your phone battery lasts
one day instead of one hour) and the need to continuously scan the RF
environment to find the best AP. As a result, even the simplest Wi-Fi
deployment (e.g., multi-AP home or branch office) suffers from client
stickiness challenges, where the STA does not roam to the next AP when
that AP provides a better signal than the previous AP. The issue of
underperforming roaming is experienced daily by almost all Wi-Fi users.
This infamous “sticky client” issue is a form of “coverage anxiety.” The
STA attached to an AP does not know if it should let go and seek a
potentially better AP, for fear of dropping the connection and
inconveniencing the user.
So, the STA will most likely detect the AP 2.4 GHz radio first, and then try
to associate with this AP radio while entering the Wi-Fi coverage area,
such as when transitioning from outside to inside a building. If so
configured, the AP will likely simply accept the association. The STA will be
served as best as possible, given the inherent performance limitations of
2.4 GHz channels, such as their limited capacity and low data rates. Once
the STA is associated, and keeps approaching closer, the 2.4 GHz signal
becomes even stronger, while the 5 GHz radios, then the 6 GHz radios
start to appear to the STA scanning (if it chooses to scan). The STA can
then choose to leave this strong 2.4 GHz channel and change to the new
AP (and channel). However, this choice must be weighed against the risks
—namely, the necessary process of de-association (from the old 2.4 GHz
radio) and the re-association (with the new 5/6 GHz radio). Such a change
will cause a definite connectivity outage, even with the fastest 802.11
roaming scheme, and a possible failure, possibly leading to a hand-back to
the cellular system. The STA doesn’t actually know if it can be
accommodated on the other radio. The STA also does not know whether
the other radio service is better. The STA just knows that the 2.4 GHz
signal is strong and the 5 GHz signal is weaker. This is the classic “break
before make” problem of wireless.
It is worth noting that the APs will advertise the other AP radios (e.g., the
5 and 6 GHz radios) over the current radio (2.4 GHz) so the STA at least
knows which channels to scan. Nevertheless, for a single-radio STA, the
“scan” process itself is disruptive to traffic flows and might be prohibited
under certain scenarios, such as when a voice call is in progress. Figure 4-
8 illustrates this discontinuity, where, even with the fastest roaming
protocol (Fast Transition [FT]), the client needs to periodically start a
connectivity-impacting scan before the roam itself.
In the more complex multi-AP scenario, the problem deepens, as now the
STA faces a multitude of radios from a multitude of distinct APs. Just as in
the single-AP case, each of the APs can advertise the radios of the other,
non–co-located AP radios, over any of the other radios. This way, the STA
detects a first AP radio, and can exchange with that AP to learn the
channels (and BSSIDs) of all other surrounding AP radios. But the STA
typically does not know at that stage which AP radios it will detect from its
position, and at what levels their signals will be. The STA also does not
know the type of service it can expect from each of these neighbors, or if
connection will even be possible. A single-radio STA can still perform only
sequential scanning—albeit at a risk to the current active data connection,
as the STA radio needs to leave the current channel. In all cases, these
refinements help in theory, but the simplest STAs will prefer to stay on the
AP that they know is functional, even if it is not optimal.
For these reasons, the 802.11 designers could not simply loosen the “no
association to more than one AP” rule. They had to invent new
mechanisms—so they designed the 802.11be/Wi-Fi 7’s multi-link device
(MLD) architecture.
You will find the details of MLD in Chapter 6, “EHT MAC Enhancements for
Multi-Link Operations.” In essence, in the MLD architecture, a client station
(called the non-AP STA MLD) can be simultaneously associated with all of
the APs in a single co-located AP MLD (i.e., its 2.4, 5, and 6 GHz links).
Note that the non-AP STA MLD and the AP MLD are different entities from
the STA and the AP. The non-AP STA MLD (or AP MLD) exists in the upper
part of the MAC layer, above the STA and AP functions. Thus, the non-AP
STA MLD associates with the AP MLD (and could not associate to just “an
AP”). The AP and the STA still exist at the link level—for example, one STA
for the 2.4 GHz link, one STA for the 5 GHz link, and both under the same
STA MLD entity. The AP MLD, by accepting the multi-link (ML) association,
ensures that the STA will be accommodated. The AP MLD that cannot
accommodate the STA and its multi-connection can reject the MLD
association, causing the STA to directly consider alternative APs (instead
of failing on the re-association to the other AP radio, before Wi-Fi 7). This
dual/tri-association then makes it possible to seamlessly move (or steer)
traffic from one link to another without ever disconnecting from the AP.
There is no more “coverage anxiety” or “sticky client” issue (at least
within the same physical AP).
You can see this behavior in Figure 4-10, where an inactive radio of the
MLD can be used to scan for a new link to add while the active link still
serves traffic. Then, seamlessly, the new link is added to the MLD and
traffic can flow over both.
Even in the simplest non-AP MLD implementations, where the client has
only one physical radio, the movement between the AP’s radios is
seamless—simply a matter of selecting the active link using real-time
signaling. For the majority of Wi-Fi deployments, the MLD concept will be
invaluable.
The AP MLD resides in the upper part of the MAC layer, which means that
both radios need to be within a single AP device. In Wi-Fi 7, you cannot
have an AP MLD residing across two physical APs. In a multi-AP scenario,
this limitation seems to offer no benefit for the classical roaming problem
—that is, a STA moving from one AP radio to another physical AP radio.
However, the expected design of Wi-Fi 7 clients might bring additional
benefits for this scenario. As many clients start to support Wi-Fi 7, they will
come with two or more radios that can be active at the same time, which
may dramatically reduce the proportion of single radio clients on the
market. Recall that the barrier to discovering or hearing a candidate AP for
roaming is scanning (off channel), which requires sending the current,
active radio off the current active channel. With a single Wi-Fi radio, a
client needs to decide whether it can afford to drop potentially time-
sensitive (e.g., voice) or mission-critical (e.g., robotics control) traffic in an
effort to find a better AP. With a Wi-Fi 7 MLD-capable device, the client can
associate to an AP MLD, temporarily use a single link for its data
communication, and simply use its second radio to scan for candidate APs
without interrupting the flow of important traffic—hence, roaming or
handoffs can finally be made more predictable! Figure 4-11 illustrates this
concept.
This evolution meant that more bandwidth was needed for the next Wi-Fi
generation. Quite clearly, MLD was designed with this requirement in
mind. If your STA connects to both the 5 GHz and 2.4 GHz (or 5 GHz and 6
GHz) radios, the bandwidth available to the STA increases. It does not
directly “double,” as the 2.4 GHz channel is typically narrower than the 5
GHz channel. Even when the connection is in the 5 GHz and 6 GHz bands,
the presence of legacy devices in 5 GHz is likely to slow down the overall
throughput. But in most cases, a double connection increases the STA
throughput, if it needs it. Indeed, even before Wi-Fi 7 emerged, some
vendors had started implementing proprietary solutions. That is,
connecting a STA of brand X to an AP of the same brand would allow the
user to enable a high-speed mode (designated with names like Dual-Band,
Dual-Wi-Fi, and Turbo-Wi-Fi), by which the user’s STA would establish a
connection to the AP’s 2.4 GHz radio and another connection to the 5 GHz
radio. This mode was different from MLD, in that it would literally require
two connections. The STA has one connection, one IP address, and one
stream to a server through the 2.4 GHz radio, and another connection,
another IP address, and another stream (possibly to the same server)
through the 5 GHz radio. When the connection was to a single server, the
server application needed to support this special mode for packet
reassembly. By contrast, MLD is inscribed in the upper MAC layer, and the
STA has only a single IP address (above the MLD). But both the proprietary
mode and MLD were designed based on the idea that STA could consume
more bandwidth than a single radio link could provide.
As the world of video continued to evolve, it became clear that the dual
connection might be just a short- to mid-term solution. The designers
knew that, in the 802.11 world, there are three ways to increase the
available bandwidth:
Increase the channel width: Recall from Chapter 1 that when the
channel width increases from 20 MHz to 40 MHz, the bandwidth
more than doubles, because the number of pilot tones decreases
and the tones at the edge of the two merged channels are reused.
As the channel width increases beyond 80 MHz, this additional gain
disappears. In 802.11ax, a 160 MHz-wide channel is a set of two 80
MHz-wide channels. They are used together, not merged into a
larger channel. However, the bandwidth of a 160 MHz channel is
twice that of a 80 MHz channel, which is a great improvement.
Naturally, the next step was to increase the width to 320 MHz. This
was impossible in 2.4 GHz (because the whole band is 83.5 MHz
wide), but also proved challenging in the 5 GHz band. In most
regulatory domains, it proved impossible to find 320 MHz continuous
segments in that band (see Chapter 5 for details). These
considerations led the 802.11be designers to abandon the idea of a
320 MHz channel in 5 GHz. But in 6 GHz, such segments can be
found. Therefore, in 6 GHz, 802.11be allows 320 MHz-wide channels.
Three 320 MHz channels are possible in the regions that support the
6 GHz spectrum over 1200 MHz. The channel is made of two
adjacent 160 MHz-wide channels in all cases, and can be centered
on channels 31, 95, and 159. This set of 3 channels is called 320
MHz-1 channelization. Alternatively, the channels can be centered
on channels 63, 127, and 191. This set is called 320 MHz-2
channelization.3 Figure 4-12 illustrates the 6 GHz band 320 MHz-1
and 320 MHz-2 positions.
Table 4-1 showcases the maximum single-link achievable data rates for
typical IoT devices (with one antenna and one spatial stream [SS]),
consumer mobile devices with two SS, standard APs with four SS, and
mesh APs with eight SS. For simplicity, the table considers only the 6 GHz
band and use of up to 320 MHz channels, as well as the smallest guard
interval (GI) of 800 ns suitable for indoor use.
TABLE 4-1 Maximum Data Rates for Typical 6 GHz Use Cases
Channel BW 1 SS 2 SS 4 SS 8 SS
(MHz) (IoT) (Mobile) (Indoor AP) (Mesh AP)
With the introduction of the 6 GHz spectrum, the channel sizes can be
very large (160 MHz in Wi-Fi 6E and 320 MHz in Wi-Fi 7). Large channels
are attractive because they carry a lot of traffic. In particular, with MU-
MIMO or OFDMA, traffic can be sent to and from multiple STAs
simultaneously, which improves the efficiency of the BSS. However, the
presence of an interferer or an incumbent in any segment of the large
channel forces the AP to abandon it. In some cases, the AP can look for
another part of the spectrum where a large channel is available. However,
in most high-density cases, such channels are few and far between, and
the AP is forced to reduce the channel width, sometimes dramatically—to
40 MHz or 20 MHz. The impact on the Wi-Fi network efficiency is
significant, especially for APs next to airports or military facilities where
the need to vacate happens often and on all channels. The issue is all the
more frustrating because the interference, or the incumbent signal, might
affect only a small segment of the large channel. For example, the AP
could be on 160 MHz channel 47 (in UNII-5, composed of the 20 MHz
channels 33, 37, 41, 45, 49, 53, 57, and 61). An incumbent, or an
interference, in channel 43 can force the AP to abandon all channels and
fold back to channel 33, switching suddenly from 160 MHz to 20 MHz.
With Wi-Fi 6, the AP would select a subset of STAs and a set of RU sizes. It
would then allocate one RU per STA for the next downlink or uplink
transmission.
With 802.11be and the multiple RU (MRU) capability, an individual STA can
be assigned two contiguous RUs of small size (e.g., 52 + 26-tone) or two
or more possibly noncontinuous RUs of large size (e.g., 484 + 242-tone) in
the same transmission to maximize utilization and, therefore, spectral
efficiency. In the former case, better spectral efficiency is possible,
especially for smaller channel bandwidths (e.g., 20 MHz) where under Wi-
Fi 6 it might have been difficult to find the optimal size of RU for each STA.
But in the latter case, the ability to allocate discontinuous RUs provides
spectral diversity and hence reliability to wide channels (e.g., 320 MHz).
High-Performance Channels
This type of requirement can be fulfilled with specialized SSIDs: one SSID
for each type of traffic, and each SSID only in one particular band.
Unfortunately, sooner or later, in one location or another, this type of
design ends up with all SSIDs needing to be supported on a given channel.
For example, perhaps the 6 GHz band is not available in this location, and
laptops and robots have to coexist in the 5 GHz band. If multiple SSIDs
share the same channel, there is no longer any benefit in separating them
for channel efficiency purposes. Therefore, a more common model is to
attempt to use a single SSID (which also simplifies the WLAN management
tasks), and steer the devices to the band that matches their needs.
In the 802.11 original design, any STA that has the right credentials can
access the SSID on the radio of their choice. Recall from Chapter 1 that an
AP must respond with a probe response to a probe request. Once a STA
knows that the SSID is available on a given band, there is no good
mechanism in 802.11 to convince the STA to join instead on another band.
There are proprietary mechanisms—for example, the AP can reject the
association when it occurs on the “wrong” band. However, those
mechanisms are not standardized, and therefore ambiguous. In
consequence, the STA might misunderstand the rejection and simply
attempt to rejoin on the same channel in an endless loop until the user
opens a support case with the label “can’t connect.”
A good vehicle turned out to be Target Wake Time (TWT). This system was
designed at the time of 802.11ah (published in 2016, but in development
since 2010) and also inserted into 802.11ax. With TWT, the STA and the
AP can exchange on the time at which the STA is expected to wake up.
This initial design solves a density problem. 802.11ah was conceived with
the idea of a large field of IoT devices (e.g., sensors) waking up at
intervals to report some value through the AP. A single BSS would be large
(as these devices use simple and far-reaching modulations) and could
include up to 4000 clients. If they were left to wake up at random
intervals, the transmissions of these devices would collide with those of
other devices waking up at about the same time. In large BSSs, they
might not even detect these collisions—but they would occur at the AP,
placed at the center of the BSS. To reduce this risk, TWT in 802.11ah
allowed the STAs to signal to the AP the time (or interval) at which they
need to wake up. In turn, the AP could divide the BSS in quadrants, and
instruct the STAs in each quadrant to use a certain wake-up time matching
the interval they need. This way, only a subset of STAs would be awake at
any given time, and collisions would be avoided.
This scheme is also useful in a standard indoor BSS and for IoT devices,
but also for non-IoT STAs. In many cases, STAs that do not have much
data to send prefer to go into dozing (sleep) mode to conserve their
battery life. However, 802.11 includes the notion of session timeout. A STA
might have many reasons to stop exchanging (become “idle”) with the AP.
The STA might be sleeping, or it might have moved to other channels to
scan or perform other operations. The STA might also have left the BSS
without saying goodbye (disassociation frame). To avoid the burden of
keeping in memory states for STAs that have left, 802.11 allows the AP to
simply remove the entry (and AID) for a STA that has not been heard for
too long. The definition of “too long” is implementation-dependent, and
802.11v-20114 introduced a mechanism for the AP to tell the STAs what
this interval would be (a BSS maximum idle period IE inserted into the AP
association response). To avoid being removed from the AP memory, a STA
would need to send keepalive messages at intervals smaller than this
maximum idle period value. This requirement can be burdensome for STAs
that do not need to send data very often. Having to wake up just to send
an “I am still here” message is a waste of power.
To deal with this issue, the 802.11ax designers adopted the 802.11ah TWT
mechanism. It allows a STA to negotiate with the AP an interval at which
the STA will wake up irrespective of the BSS maximum idle period value.
The general concepts of quadrants and collision avoidance from 802.11ah
are irrelevant in this approach: Client battery consumption optimization
becomes the primary target.
Challenged Directions
If you read papers on Wi-Fi 7 written in the early years of the development
process, you might see great ideas that are not covered in this book.
802.11be, just like most other 802.11 amendments, started with a Topic
Interest Group (TIG). The goal of a TIG is to study the use cases that the
next generation of 802.11 protocols could solve. Its conclusions are used
to form a Study Group (SG), whose goal is to explore how these use cases
might be solved. Once the group has a general idea of whether 802.11
could offer solutions, a Task Group (TG; 802.11be, in this case) is formed
to define the exact mechanisms necessary to solve these use cases.
At each step of the path, difficulties might arise that lead the group to
conclude that this or that direction cannot be part of the envisioned
update, at least for the time being. Thus, the initial phases of 802.11be
explored many more directions than the ones that ended up being in the
final standard. Most of these discussions stayed within the realm of the
802.11 TIG, SG, or TG; others seemed strong enough that early papers
brought them up as likely features, although they ended up not being
adopted in the 802.11 standard.
Multi-AP MLD
This idea was tempting and explored in detail in the early phase of the
802.11be group. Undoubtedly, the idea of a STA connecting to both radios
of a dual radio-AP sounded like a first step, because this procedure would
have the merits of increasing the throughput of the STA as well as
improving the robustness of the transmission. That is, if one link turned
out to be congested, the STA could move some or all of its traffic to the
other link. However, as this first case was studied in depth, building up to
the multi-AP device case, a lot of questions arose, which proved
challenging to solve.
Up to this point, an AP had been a function (see Chapter 1) that informed
the DS about the location of the non-AP STA. Over 20 years of standard
development, the AP had taken on multiple roles and functions that were
still connected to its official function, but that also relied on the underlying
idea that the AP was associated with a single physical device. For
example, after association, the AP gives the STA an association identifier
(AID). This AID is used in many scenarios where the AP needs to distribute
buffered traffic or call out a list of STAs for group operations. If the STA (as
a device) connects to one AP (as a device) with two radios, should it have
two AIDs? Two AIDs would mean two identities, and likely a duplication of
packets that need to be sent to each STA (though still as a device). In
contrast, if the STA is seen as a single device with a single AID, which AP
radio allocates that AID?6 If the connection is spread over two APs, the
problem becomes even more complex each time a non-AP STA joins an AP
(seen in its 802.11 sense, as a function). In this scenario, the AP would
need to query other APs to check whether the STA would be known
elsewhere, so as not to allocate two AIDs. But what happens if the AID is
already assigned by another AP, and the AID is another STA on the local
AP? When the association happens (and then the MLD is an entity sitting
above two physical APs), how do these APs share security keying
material? How do they even generate the material that is supposed to be
generated using (among other parameters) the AP MAC address value?
How do they reconcile the frames that both receive from the STA? If one
AP becomes congested, how would the other AP know? How would that
second AP allow the STA to switch some of its flow to the second AP? 7
Full Duplex
The idea of full duplex operations keeps coming back in 802.11. Recall
from Chapter 1 that 802.11 is half duplex: A STA can transmit or receive,
but it cannot do both at the same time. This idea makes sense
conceptually. It seems difficult to imagine that a STA, while sending a
signal at 20 dBm or more, would be able to hear at the same time a signal
at –60 or –70 dBm, which is a billion times weaker than the signal the STA,
transmits. However, the progress in electronics allows for better self-
interference cancellations, which operate with a logic similar to noise-
canceling headphones. Right before reaching the antenna, the transmitted
signal could be forwarded to a circuit that applies this exact signal
in reverse to the receiving circuit entrance, “perfectly” nulling the emitted
signal and allowing the STA to receive a signal at the same time. 9
In short, the full duplex scenario introduces a lot of complexity. The idea
might be attractive, but the group ended up deciding that the design
should be focused on mechanisms that could provide similar gains, but at
a lower complexity cost.
Outdoor Networks
Today, most network traffic transits through Wi-Fi networks at the access
layer. Wi-Fi is almost ubiquitous indoors. For example, when you walk out
of your home and then drive from your house to your office, your phone
likely switches from Wi-Fi to cellular during the transit, before switching
back to Wi-Fi at the office. The data volume exchanged over the cellular
network matches the time you spend away from a place that is familiar to
you, and where you likely can connect your phone to a Wi-Fi network.
Just as the cellular world tries to extend its coverage to the indoor case,
the Wi-Fi world often debates outdoor coverage. Several solutions exist,
from Wi-Fi mesh networks (in 802.11s-2011) to long-range Wi-Fi in the TV
whitespace10 (802.11af-2013). Therefore, with each generation of Wi-Fi,
the case of outdoor networks is brought to the discussion table.
Wi-Fi 6 and 802.11ax did consider the outdoor case, and implemented
several features that could be useful for longer-range communications—in
particular, for low-power IoT devices. For example, OFDMA allowed for a
slower symbol pace transmission, increasing the usable range of the
message. Dual Carrier Modulation (DCM) allowed a message to be
repeated on different segments of the channel, increasing the chance that
noise or interference would not prevent proper reception of the message.
It was logical to think that 802.11be should also implement mechanisms
for outdoor transmissions, and many use cases and directions for this
extension were presented.11 However, as noted in the previous sections,
the main ideas dealt with Extremely High Throughput (EHT)—the very
name of the TIG that led to the 802.11be group formation. In the end, the
outdoor case proved to be less important than the indoor one. This
prioritization pushed the designers, in the time they were given to develop
802.11be, to focus primarily on indoor scenarios and only marginally on
outdoor issues.
Sharing Knowledge
One key goal of the AP is to provide the best possible service to the
largest possible percentage of the associated STAs. However, each STA
operates independently and somehow “suffers in silence” when it does
not receive the service its needs. In most cases, this issue is not the AP’s
fault. More often, the problem is that the AP does not know that the STA’s
needs have suddenly changed or are no longer being fulfilled. Over the
years, successive generations of 802.11 amendments have introduced
mechanisms for the STA to express these needs in a series of
request/response exchanges. One recent proposal appeared in 802.11ax.
It allowed the STA to express the amount of traffic sitting in its buffer and
waiting to be transmitted toward the AP. With this buffer status report
(BSR), the AP could allocate more airtime to the STA in the form of uplink
scheduling.
However, these mechanisms are essentially reactive. The STA must first
have a need, try to fulfill it, conclude there is a failure without the AP’s
help, and finally send a request to the AP for additional support. The BSR
case is particularly illustrative. In an ideal scenario, a STA application
sends a packet to the transmission layer (“socket call”); the 802.11 layer
then receives the packet and transmits it to the medium without delay
(beyond the usual random countdown). If the medium is busy and the STA
has more frames to transmit than its access to the medium allows, the
STA’s buffers start filling up. At some point in time, the situation becomes
so dire that the STA needs to access the medium—not to send that data
that has now been waiting for a while, but instead to tell the AP that its
buffers are very full. During this exchange, the traffic in the buffer
continues to wait even longer. One major reason for creating the SCS QC
process in 802.11be was to make this process more proactive, by allowing
the STA to tell the AP in advance about the volume of traffic expected for
the next few seconds.
In essence, the issue comes from the AP being unaware of the STA’s
internal states. If the AP had a better view of the STA’s experience in the
BSS, then the AP could anticipate the STA’s needs and fulfill them before
the STA starts suffering. Elements that are locally experienced, such as
those indicating whether transmissions are successful (if a STA sends a
frame that the AP fails to acknowledge until the sixth attempt, the AP
might not even know that the first five attempts occurred) or how often
the channel is busy from the STA’s perspective (especially when it needs
to send some traffic) could be very useful for the AP infrastructure to
watch the experience degradation of individual STAs and proactively
allocate more airtime where needed.12
Unfortunately, this problem is real but touches the delicate field of the STA
automatically sharing information that may be used to infer the activity of
the user of the STA. There are obvious benefits, but also risks in the field
of privacy, if not implemented safely. In the end, the fear of privacy
violations proved too dire for this direction to be explored in depth.
However, the issues persist, and the dialog will likely continue for the next
Wi-Fi generation.
Link Aggregation/Diversity
Those that would have two or more radios, but that would be too
close to allow simultaneous operations (enhanced MLSR)
The performances that you can expect from an MLO STA will depend on its
hardware, and its ability to support one mode or the other.
Another important practical component of Wi-Fi 7 MLO is the ability for the
AP to advertise which links are available to the STAs. The default mapping
of “any TID to any link” allows the STA and AP to use any link for any TID.
While this is very flexible, it can lead to unintended consequences:
Link imbalance: If all or many STAs use the same preferred link
(e.g., 6 GHz for its expected higher bandwidth, or 2.4 GHz for its
expected higher RSSI), then this link can easily be congested while
other links may be under-utilized.
SLA Management
Recall that the Stream Classification Service (SCS) allows a STA (client) to
request a QoS treatment for specific flows sent from the AP. For example,
the STA could request that all video traffic (marked as IP DSCP 34) from a
certain web server be classified as video (TID = 5, AC_VI) when
transmitted from the AP. In Wi-Fi 7/802.11be, this SCS capability is
extended to specify a service level agreement (SLA) between the STA and
AP. The STA and AP agree upon the required traffic characteristics,
described by the QoS Characteristics (QC) element, for traffic flows such
that the AP is able to explicitly schedule resources accordingly.
You will learn more details about the mechanics of this enhanced SCS
in Chapter 7, “EHT MAC Operations and key features.” Two of the key
parameters in the QC element are the minimum and maximum service
intervals (Min SI/Max SI), which specify the time between expected
channel access for a specific traffic flow for uplink or downlink. This flow-
specific knowledge allows the AP to schedule its downlink flow, and also
schedule the access for the STA via trigger-based OFDMA for the uplink
flow. The 802.11be amendment does not specify how the STA should
make these requests, how the AP should schedule these transmissions, or
how it should orchestrate multiple requests from multiple STAs. The
process is simple on paper, but can be tricky in real-life scenarios.
Summary
The 802.11be project started in the first part of the 2010 decade, a time
when video-conferencing and video calls were becoming mainstream, and
when the first AR/VR applications were coming to market. Both signaled
the need for higher bandwidth, but also higher efficiency, a reduced loss
rate, and a better controlled delay bound. In short, capabilities were
needed to remove these occasional perfect storms where sudden
congestion events destroy the user experience, even on the best-designed
Wi-Fi network. The 802.11be group studied multiple possible directions,
and retained several features for higher efficiency:
The ability to connect a STA to more than one AP radio (with MLO)
Not all ideas that were explored ended up being retained. Notably, multi-
AP MLO was removed, as was the idea of full duplex operations, which
would enable the AP to know the STA state and better anticipate its needs.
A total of 16 spatial streams also fell out of the planned amendment.
However, the ideas that were selected are expected to bring remarkable
improvements in the user experience. Of course, the difficulty is not in
creating the general idea, but rather lies in settling the details. In the next
chapters, you will learn how these ideas operate, from the PHY to the MAC
layer, and what they imply in terms of WLAN design.
Chapter 5
The unit of data exchanged between PHY entities to provide the PHY data
service.
802.11-2020, Clause 3
Wi-Fi7 in a Nutshell
This section highlights the major features of the Wi-Fi 7 PHY. If you are new
to the last few generations of the 802.11 PHY, you can revisit this section
after reading the other sections of this chapter in depth, since it provides
the key points.
Revolution
Wi-Fi 7 brings five main PHY features, and a host of minor enhancements 1:
The MLO feature requires changes across both MAC and PHY, and the MAC
aspects are described in detail in Chapter 6.
In addition, some features that never took off or whose adoption has fallen
off in recent Wi-Fi generations are not continued in 802.11be. These
abandoned features include the following:
A dedicated Single-User (SU) PPDU format, which is replaced by the
MU PPDU format for simplicity
The following features are defined in 802.11be but (at time of this book’s
writing) do not seem to be gaining much traction in the market:
Evolution
Ever since the wise choices made in the 802.11a amendment, all
subsequent mainstream Wi-Fi generations have evolved and expanded
rather than being started over. Accordingly, the following characteristics
are inherited and maintained by the Wi-Fi 7 PHY 2:
Two types of FEC codes: binary convolution coding (BCC) and low-
density parity checking (LDPC) coding (see the “Construction of the
Data Field” section later in this chapter). In 802.11be, LDPC is the
superior technique and is the only choice if any of the following
events occur: the RU is 484 tones or wider, the number of spatial
streams is 5 or more, or the MCS is 10, 11, 12, 13, or 14.
OFDMA with one user per resource unit (RU), where the total
number of tones (equal to data + pilot tones) for the defined RUs
are 26 (24 + 2), 52 (48 + 4), 106 (102 + 4), 242 (234 + 8), 484 (468
+ 16), 996 (980 + 16), and 2 × 996 or 1992 (1960 + 32)
subcarriers.
Before diving into the PHY features of Wi-Fi 7 in detail, it is useful to take a
step back. In this section, we’ll provide a short review of the PHY design
goals.
As you saw in Chapter 4, “The Main Ideas in 802.11be and Wi-Fi 7,” the
wireless PHY data rate is the product of the three parameters—data bits
per constellation point (via denser constellations), bandwidth (more
constellation points sent in the same amount of time), and number of
spatial streams via additional antennas (more highway lanes for the
constellation points). Thus, higher data rates are achieved by increasing
one or more of these parameters.
The physics cost of the doubled data rate is a relatively modest 29%
reduction in range: Given the same transmit energy, each constellation
point is sent with only half as much energy as it would on a channel half
as wide, and has a reach scaled by the square root of a half
(approximately 0.71).
Finally, another possibility is increasing the number of spatial streams.
This increase comes with clear costs in terms of extra RF hardware, such
as antennas and connectors, extra transceiver paths in the RF, and
nonlinearly more complicated baseband signal processing. For instance,
an 8 × 8 MIMO equalizer requires 8 times more compute power than a 4 ×
4 MIMO equalizer. Additionally, to increase the number of spatial streams,
each antenna needs to be adequately separated from its neighbors, and a
rich scattering environment is needed around and between the
transmitter and receiver to afford each spatial stream a relative
independence from the other spatial streams. A perverse side effect of
more antennas is the need for more training, which expands the preamble
length.3 Of course, extra antennas are valuable in any event, as they can
be repurposed for improved reliability during the receive operation and
more effective beamforming during the transmit operation.
Efficiency is another key means to increase the data rate. PHY overheads
come from the preamble, the cyclic extension, and subcarriers that don’t
carry data. Figure 5-2 summarizes these overheads. In the figure, green
indicates data-bearing, and red/pink indicates overheads; the figure
assumes EHTTB PPDU format, EHTLTF × 2 with two OFDM symbols, 0.8 μs
GI, 15 OFDM symbols of data, 16 μs PE, and 16μs SIFS.
As data rates increase, it is important that the total preamble and post-
amble duration continue to be dwarfed by the payload duration. This vital
observation motivated key 802.11 features such as the following:
Note
Notice the use of “user” rather than “STA.” The PHY is not aware of
whether a payload that the PHY transmits is for one STA (unicast) or more
STAs (groupcast), so the term “user” is employed to accommodate both
scenarios.
The 802.11be Extremely High Throughput (EHT) PPDU has two formats:
multiuser (MU) and trigger-based (TB). Both PHY formats closely follow
their respective 802.11ax/HE MU and TB PPDU formats, as shown in Figure
5-3.
FIGURE 5-3 Multiuser (MU) and Trigger-Based (TB) PHY Formats for EHT
and HE10
EHT SIG field16: found in MU PPDUs, but not TB PPDUs. This field
has the most complicated definition, because it is responsible for
compactly defining the remaining format of the PPDU: the use of
OFDMA and MU-MIMO, which users’ content is included, which
frequency and spatial resources are allocated to each user, and
each user’s MCS. In TB PPDUs, the EHT SIG field is not needed
because the same information was sent immediately beforehand by
the AP in its Trigger frames. Note that 20 MHz PPDUs have a single
content channel, whereas PPDUs with bandwidth 40 MHz and wider
support two parallel content channels per 80 MHz to increase the
data rate: Each 80 MHz frequency subblock of the EHTSIG comprises
a contiguous pair of 20 MHz content channels, which are frequency-
domain duplicated up to the 80 MHz bandwidth. The content
channels are encoded either in a compact manner for non-OFDMA
PPDUs or in a more generic manner for everything else. Each
content channel starts with a Common field for U-SIG overflow (i.e.,
for signaling USIG overflow bits) and, if the PPDU uses OFDMA, the
RU/MRU allocation and the number of User fields per RU/MRU. The
Special User Info, if present, is next and carries extended common
information. After that, User fields are sent, where each User field is
22 bits long and contains the STA-ID of the recipient user (i.e., the
LSBs of the STA’s AID), the MCS, how many and which spatial
streams are intended for the user, whether BCC or LDPC coding is
used, and whether the RU/MRU is beamformed. Broadcast RUs are
signaled via a STA-ID equal to 0 (or somewhat higher in the case of
multiple BSSIDs) or 2047. CRC and Tail fields are regularly
interspersed to increase the decoding reliability. Figure 5-5 shows
the format of the EHT SIG field for a 160 MHz PPDU. The number of
OFDM symbols of the EHT SIG field is signaled in the preceding U-
SIG field.
Data field19: Carries the payload, termed the PHY Service Data
Unit(s) [PSDU(s)].
A Wi-Fi 7 device must also support Wi-Fi 6 and prior generations, so the
PHY receiver must perform PHY format detection on each received PPDU,
as shown in Figure 5-4. The acronyms and notation in this figure are Q-
BPSK and QBPSK (quadrature BPSK), HTGF (HT greenfield PHY format),
HTSIGAx (OFDM symbol x of the HT-SIG-A field), HEMU (HE multiuser PHY
format), HEER (HE extended range PHY format), HESU (HE single-user PHY
format), HETB (HE trigger-based PHY format), EHTMU (EHT multiuser PHY
format), EHTTB (EHT trigger-based PHY format), HTMF (HT mixed-format
PHY format), VHTSIGAx (OFDM symbol x of the VHT-SIG-A field), DataX
(OFDM symbol X of the Data field), HESIGAx (OFDM symbol x of the HE-
SIG-A field), VHTSTF (VHT Short Training Field), USIGAx (OFDM symbol x of
the USIG field), [x] (bit x), [x:y] (bits x to y inclusive).
This section describes the construction of the Data field. In large part, the
SIG fields are merely special cases of the Data field. The important
simplifications for the SIG fields are described in the next section. The
Data field processing is designed in an evolutionary manner with respect
to past Wi-Fi generations. Figure 5-6 shows the major processing blocks
used to generate the Data field.
FIGURE 5-6 BCC and LDPC Processing21
For the simple case of no DCM and for one user (in total or one of many),
the process is as follows:
1. For the Data field, the user’s payload from the MAC (i.e., the PHY
Service Data Unit [PSDU]) is prefixed by the SERVICE field and
postfixed by 0–7 pre-FEC padding bits (and a 7-bit tail in the case of
BCC) so that it exactly aligns with the space available for the user’s
data bits in the Data field. If more than 7 bits of padding is required,
the padding is provided by the MAC.22
4. To support MIMO, the coded data must be split into multiple spatial
streams. For this purpose, the stream parser27 splits the coded data
bits into blocks of s bits, equal to the number of coded bits per
constellation axis, then allocates each block sequentially to one of
the user’s spatial streams in turn. As some spatial streams are likely
to be more reliable than others, this parsing arrangement is
designed to distribute the LDPC parity bits across all the spatial
streams while enabling certain hardware optimizations. The same
stream parser is used with the 802.11 binary convolutional code
(BCC), where the coded bits for each data bit are distributed across
all the spatial streams, too.
8. For 802.11n/Wi-Fi 4, interleaving for LDPC, unlike for BCC, was not
included because the parity bits in an LDPC codeword are already
calculated over widely spread data bits and the multipath diversity
gains over 20 or 40 MHz were not appreciable. However, as the
constellation sizes increases, a given LDPC codeword, without
interleaving, is confined to a narrower range of subcarriers and
becomes more susceptible to multipath fading. Moreover, the wider
80 MHz frequency sub-block provides greater opportunities for
frequency diversity. For this reason, the LDPC Tone Mapper
block31 was introduced in 802.11ax/Wi-Fi 6. It also behaves like a
block interleaver for each OFDM symbol, but operates on
constellation points rather than individual bits. By doing so, it
spreads the constellation points of an LDPC codeword widely in each
frequency sub-block to capture the available frequency diversity. Wi-
Fi 7 retains this new performance-enhancing capability.
[10011001]/2and[10010000],respectively
Each parsed constellation point per spatial stream per OFDM symbol is
intended for a different subcarrier, so the processed constellation points
are really defined in the frequency domain. For this reason, every OFDM
symbol, for every spatial stream, the Inverse Discrete Fourier Transform
(IDFT) block converts a vector of parsed constellation points into time-
domain samples.36 For instance, for an RU spanning 320 MHz, given a
subcarrier spacing of 20 MHz/256 = 78.125 kHz (used for Wi-Fi 6 and Wi-Fi
7), the vector comprises 320/0.078125 = 4096 entries. The IDFT block is
typically implemented as an inverse fast Fourier transform (IFFT)
algorithm. In addition, to simplify time-domain filtering, the IFFT is
typically over-sized by a factor of between 2 and 4 (inclusive), with the
higher frequency subcarriers set to zero. In the time domain, this leads to
oversampling by the same factor.
36 See P802.11be D5.0, clauses 36.3.13.12, 36.3.10, and 36.3.11.
In this section we describe the PHY features that offer a marked benefit for
Wi-Fi 7 devices: 320 MHz (for increased speed), multi-link operation
(which, according to implementation, can provide one or more benefits—
increased speed, lower latency, or increased reliability), large-size multi-
RUs and preamble puncturing (for interference avoidance), small-size
multi-RUs (for scheduling efficiency), and 4096-QAM (for increased speed
at short range).
The 40 MHz PPDU design does not nicely align with channels 1, 6,
and 11. For instance, the two 20 MHz preamble copies in a 40 MHz
PPDU can be centered at channels 1 and 5, or 2 and 6, or 6 and 10,
or 7 and 11, but none of these pairs line up with channels 1 and
6. Thus 40 MHz systems cannot coexist well with traditional 20 MHz
Wi-Fi systems operating at channels 1, 6, and 11.
If one Wi-Fi system occupies 40 MHz at 2.4 GHz, nearby Wi-Fi
systems cannot have their own separate 40 MHz channel, raising
fairness questions.
At 5 GHz, similar issues come into play when the bandwidth gets much
higher than 160 MHz. The FCC allocates 200 MHz at 5150–5350 MHz and
425 MHz at 5470–5895 GHz. However, the second spectrum block was
allocated in multiple tranches, and the 802.11 channel assignment for
each tranche was individually optimized (mainly) for 20 MHz channel
bandwidths. This process led to discontinuous channel numbering.
Specifically, there is a 25 MHz gap between the uppermost channel center
defined for the 255 MHz of spectrum at 5470–5725 MHz and the
lowermost channel center defined for the 170 MHz of spectrum at 5725–
5895 MHz. With these limitations in mind, the 802.11ac amendment
defined a trio of 160 MHz channels38 (channel 50 centered at 5250 MHz
within 5150–5350 MHz, channel 114 centered at 5570 MHz within 5470–
5725 MHz, and channel 163 centered at 5815 MHz within 5725–5895
MHz), where none of these are adjacent (i.e., separated by 160 MHz or a
channel number of 160 MHz/5 MHz = 32) and suitable for aggregation.
Therefore, the 160 MHz bandwidth channels at 5 GHz cannot be bundled
together to form 320 MHz–wide channels. Even if this bundling were
possible, there is insufficient 5 GHz spectrum allocated to support three
320 MHz channels (which again is the accepted good practice).
The 320 MHz bandwidth is expected to be used mainly in the home. For
single-family dwellings, the number of neighboring houses is relatively
small, and the attenuation from two external walls is likely to create
strong RF separation between devices in different houses. Thus, each
house is likely to get relatively clean access to a single 320 MHz channel,
where a typical use case is to deliver streaming video traffic to multiple
devices via 320 MHz with orthogonal frequency division multiple access
(OFDMA).39
For enterprise venues, the requirement for robust coverage means strong
overlap between adjacent APs. In turn, APs are likely to be operating at
bandwidths lower than 320 MHz so that adjacent APs are not co-channel.
Even so, the 320 MHz bandwidth is a very important and valuable feature,
because it accelerates the uptake of the new and vastly important 6 GHz
spectrum. As a commercial imperative, a leading-edge product must
support the highest data rate available, at least until the costs become
unreasonable. The inclusion of more antennas quickly adds to the silicon
area and volume requirements, whereas the impact of increased
bandwidth is much more modest. Thus, any client system or silicon
vendor in the smartphone or laptop market needs to support 320 MHz and
thence 6 GHz. In a very real way, 320 MHz is the vehicle by which 6 GHz
becomes a mainstream Wi-Fi band. Certainly, this same tactic was used to
good effect by 802.11ac/Wi-Fi 5 to drive broad adoption of 5 GHz, as that
was the only band at the time that supported 80 and 160 MHz
bandwidths.
TABLE 5-1 Evolution of the Percentage of Data Tones with Wider PPDU
Bandwidths
802.11a/g 20 48 64 75
Wi-Fi Bandwidth Number of Number of Percentage of
Generation (MHz) Data Tones IFFT Tones Data Tones
A key aspect of the wider bandwidths is that often they are used for
transmission to multiple users via OFDMA, instead of a single user.
802.11be defines many RUs (and MRUs; see the “Large-Size MRUs and
Preamble Puncturing” section and the “Small-Size Multi-RUs” section that
follow), as shown in Figure 5-7. A 320 MHz PPDU can be assigned to a
single user with a 4 × 996 tone RU, or two users each with a 2 × 996 tone
RU, or another configuration taken from the vast array of other allowed
combinations according to the available traffic. For example, a 320 MHz
PPDU can carry six 26-tone RUs, three 52-tone RUs, two 106-tone RUs,
and two 242-tone RUs in one 80 MHz frequency sub-block, plus two 484-
tone RUs in a second 80 MHz frequency sub-block and one 2 × 996-tone
RU in the remaining two 80 MHz frequency sub-blocks. Enterprise AP
implementations typically support dozens of users in a single PPDU.
FIGURE 5-7 OFDMA for RUs of a 320 MHz PPDU40
To support the traditional MAC protection modes such as RTS + CTS and
CTS-to-self, a non-HT duplicate mode is defined for 320 MHz. 41 This mode
replicates 16 times the 20 MHz 802.11a PHY format. Each duplicate is
subject to semi-controlled rotations to reduce the peak-to-average power
ratio.42 Given that the original 802.11a PHY format had no knowledge of
channel bonding and the 2-bit backward-compatible bandwidth signaling
mechanism introduced in Wi-Fi 5 supported signaling 20/40/80/160 MHz
only,43 an updated signaling scheme was required for 320 MHz. As 320
MHz is used exclusively in 6 GHz spectrum, certain legacy issues do not
arise. Thus, it is possible to employ bit 7 of the Service field as an extra
most-significant bit of the bandwidth signaling field, thereby converting it
from a 2-bit field to a 3-bit field, where the newly defined value 4 indicates
320 MHz (and bit 7 of the Service field is set to 1). 44
Multi-Link Operation
After the 320 MHz feature and the way it motivates support for 6 GHz
communications, the next most important feature in Wi-Fi 7 is multi-link
operation. In part, multi-link operation can be considered a standardized
way to better harness the available hardware sources at both the AP
device and the client device:
The first defense is the transmit spectral mask, where 802.11 requires at
least 40 dB of suppression by the alternate adjacent channel. Most
implementations achieve much greater suppression of the skirts of a 2.4
GHz signal at farther carrier frequencies, such as the 5 GHz band, and vice
versa. Beyond this mask, other suppression techniques are applied:
separate antennas with reasonable distance separation or polarization
separation, frequency-dependent antenna inefficiency, and/or RF filters.
However, these other techniques are especially challenging for small-
form-factor and low-cost clients. For this reason, traditionally concurrent
operation has been mostly confined to APs.
The multi-link operation feature takes a new and more valuable approach:
It allows for independent contention and potentially independent
transmission on each radio.
For illustrative purposes, consider an AP MLD with four affiliated IEEE APs,
operating on 2.4, 5 GHz low, 5 GHz high, and 6 GHz, and a non-AP MLD
with four affiliated non-AP STAs. When the non-AP MLD associates to the
AP MLD, the non-AP MLD can set up one, two, three, or (in theory) even
four links with the AP MLD, where each link connects one affiliated STA of
the non-AP MLD with one affiliated AP of the AP MLD.
The benefits of multi-link operation with STR clients include the following
outcomes:
Relative to Wi-Fi 5 and Wi-Fi 6 clients, Wi-Fi 7 clients in MLSR mode offer
the following benefits:
In the middle of these extremes, three other modes are defined 45 that also
avoid the need for antenna separation or RF filtering:
45 See Chapter 6 for more details on multi-link operation modes and their
operations.
Non-STR (NSTR): This mode is introduced merely to note that it is
a somewhat complicated mode and is expected to see little
adoption.
For AP-initiated TXOPs in EMLSR operation, one of the affiliated APs must
first warn the EMLSR non-AP MLD that the client’s high-capability
transmitter or receiver is required by sending the non-AP MLD an initial
control frame (ICF) padded to a minimum length. Upon receiving the ICF,
the non-AP MLD in EMLSR mode transmits a control response frame via
the low-complexity radio and uses this time to wake up the non-AP MLD’s
high-capability transmitter (if triggered) or receiver (otherwise) and tune it
to the affiliated AP’s channel. At the end of the TXOP on one channel, after
a timeout, the high-capability radio is again available for operation on any
of the N links.
AP HW Multi-Link
Client HW Resources
Resources Operation
In the large proportion of the world where 6 GHz spectrum is allocated for
Wi-Fi, a typical AP device or STR client supports 2.4 + 5 GHz + 6 GHz, with
RF filters required between the 5 and 6 GHz bands. Unfortunately, China
does not currently allocate any 6 GHz spectrum for Wi-Fi, so natural AP
device designs in that country are 2.4 + 5 GHz or 2.4 + low 5 GHz + high
5 GHz. STR typically requires RF filters between the low 5 GHz and high 5
GHz sub-bands.
Along with preamble puncturing for OFDMA, EHT provides for single-
user and non-OFDMA MU-MIMO preamble puncturing and multi-RUs
with certain edge and interior spectral gaps.
Recall that a PPDU can be split into two parts: the early part of the
preamble, which comprises, almost exclusively, duplicated 20 MHz signals
(the pre-HE/EHT modulated fields), and then the HE/EHT STF, HE/EHT LTF,
Data field, and PE (the HE/EHT modulated fields). Providing EHT PPDUs
with the ability to transmit around other wireless systems must address
both PPDU parts, as well as the problem of sounding feedback. The
solution is puncturing:
Puncturing
Preamble Puncturing Options
Signaled
1111 No puncturing
3. For the EHT-modulated fields, it may be desirable for one user to use
the entirety of the unpunctured channel, or at least a large swathe
of it. That is, instead of using OFDMA and having some users
transmit below the punctured spectrum and other users transmit
above the punctured spectrum (which is all that Wi-Fi 6 offered), the
802.11be designers chose to join multiple RUs together, via
extensions to the BCC interleaving block, the LDPC coded-bit
calculations, and the segment parsing block. When formed as
multiples of 20 MHz, these multi-RUs are called large-size multi-RUs.
They enable transmission across 80, 160, or 320 MHz bandwidth
channels except for one or two punctured portions of the bandwidth.
The available options are rich yet somewhat more limited than the
preamble puncturing options, as you can see in Table 5-4 (for non-
OFDMA PPDUs) and Table 5-5 (for OFDMA PPDUs). In non-OFDMA
PPDUs, one multi-RU is used per PPDU. In OFDMA PPDUs, the AP can
mix and match between RUs and/or MRUs, and the punctured
spectrum is achieved by selecting the RUs/MRUs such that no user
is assigned an RU/MRU that overlaps the punctured spectrum.
PPDU
Bandwidth MRU Options Description of Puncturing
(MHz)
160 MHz aligned with 484-tone 120 MHz: any single 40 MHz, on a
the 160 MHz + 996- 40 MHz boundary, punctured out
boundaries of a tone of the 160 MHz
160/320 MHz PPDU
320 MHz of a 320 MHz 484-tone 200 MHz: any single 80 MHz, on a
PPDU +2× 80 MHz boundary, plus any single
996-tone 40 MHz, on a 40 MHz boundary,
punctured out of the 320 MHz
Figures 5-9 through Figure 5-1251 show examples of these large-size RUs
and multi-RUs.
Small-Size Multi-RUs
2. Defer the sending of some MPDUs, when there were multiple MPDUs
to send, in the AMPDU in this PPDU, with increased delay for those
MPDUs
The Wi-Fi 7 designers also included small-size RUs, which bond 26-tone
and 52-tone RUs, or 26-tone and 106-tone RUs, into an MRU. 54 Small-size
MRUs use the same technology as large-size MRUs.
Figure 5-14 shows the available small-size 26 + 52-tone RUs, while Figure
5-15 shows the available small-size 26 + 106-tone RUs. An important side
benefit of the design of these small-size MRUs is that each central 26-tone
RU (the one at the middle of nine in each 20 MHz subchannel and the one
that surrounds the DC tones of the 20 MHz subchannel) can be bonded to
an adjacent and wider RU, such that FEC coding across all the MRU’s
tones can dilute any DC-related receiver-side impairments arising from the
central 26-tone RU.
4096-QAM
Since the first OFDM Physical layer (802.11a), 802.11 has evolved from
supporting up to 64-QAM (i.e., the constellation comprises an 8 × 8 grid of
constellation points) to 256-QAM (a 16 × 16 grid) to 1024-QAM (a 32 × 32
grid) in Wi-Fi 6, and to 4096-QAM (a 64 × 64 grid) in Wi-Fi 7. This evolution
is depicted in Figure 5-16.
FIGURE 5-16 QAM Constellations Defined for 802.11be, with the Same
Relative Amount of Noise Added to Show the Reduced Tolerance of the
Denser Constellations to Noise
Two code rates are defined for 4K-QAM: rate ⅔ and ⅚. This leads to the
numbers of data bits per (grouped) constellation point for the different
MCSs shown in Table 5-6.
0 BPSK-r1/2 0.5
1 QPSK-r1/2 1
2 QPSK-r3/4 1.5
3 16-QAM-r1/2 2
Constellation and Code Data Bits per
MCS
Rate Grouped* Constellation Point(s)
4 16-QAM-r3/4 3
5 64-QAM-r2/3 4
6 64-QAM-r3/4 4.5
7 64-QAM-r5/6 5
8 256-QAM-r3/4 6
9 256-QAM-r5/6 6.667
10 1024-QAM-r3/4 7.5
11 1024-QAM-r5/6 8.333
12 4096-QAM-r3/4 9
13 4096-QAM-r5/6 10
*
DCM “groups” two constellation points; DCM with duplication “groups”
four constellation points.
#
MCS 14 and MCS 15 are longer-range modes and can be considered as
MCS 2 and MCS 1, respectively; but they are not being certified by the Wi-
Fi Alliance.
The number of data bits per constellation point are reasonably well
spaced. This is a desirable property for rate selection. As a rule of thumb
especially at higher constellation densities, 1 extra data bit requires a 3
dB better SINR, so the rate selection algorithm always has a rate available
that achieves close to the maximum data rate.
Friis Equation
where c is the speed of light in units of meters per second, fc is the carrier
frequency in units of Hz, and d is the distance in units of meters.
For MCS 13, the standard requires that STAs achieve a 10% PER at a
received signal level of between –46 dBm (20 MHz) and –34 dBm (320
MHz).56 Because the highest MCSs require a very clean signal, conducted
power is typically lowered compared to other MCSs. So, we assume 10 to
18 dBm conducted power, 4 dBi antenna gain at the AP, and 0 dBi
antenna gain at the client, where the Friis equation reports 48.7 dB
distance-based attenuation at 1 meter (for the mid 6 GHz band). Then, the
pathloss budget for 20 MHz to 320 MHz is from 19.3 to –0.7 dB. Having 2
or 4 times more receiving antennas than transmitted spatial streams (e.g.,
2 or 1 spatial streams received by 4 antennas, respectively) provides a 3
dB or 6 dB link budget improvement, respectively, and is often vital to
achieve a useful range with MCS 13.
3. The quantized phi and psi values and/or the CQI values are sent
back to the beamformer.
Finally, the beamformer uses the explicit sounding feedback to calculate
beamforming matrices (and the CQI feedback is used to help select the
MCS) for subsequent transmission to the beamformee.
Sounding for partial bandwidths for (1) any of the RUs that are at
least as wide as 20 MHz and (2) any of the large-size MRUs—that is,
at a 20 MHz resolution. Partial bandwidth sounding is well matched
to the needs of the preamble puncturing feature and can
considerably lower the overheads of beamforming for OFDMA.
Extra EHT-LTFs
Packet Extension
The Packet (i.e., PPDU) Extension (PE) field is a necessary evil. The PE field
carries no data, but provides the receiver with extra time, beyond SIFS, to
complete processing of the end of the PPDU. The PE field is a raw
waveform that is undefined except for the constraint that its power
spectral density (PSD) must closely track the PSD of the Data field so that
other wireless devices continue to perceive that the wireless medium is
busy.
Because EHT introduces 320 MHz and MCS 12 and MCS 13, the receiver
needs extra time to process the increased data load at the end of the
PPDU. Accordingly, EHT newly defines a nominal packet padding of 20 μs,
in addition to the existing values of 0, 8, and 16 μs.
Recall that the final OFDM symbol in the Data field has the usual length
but is considered as four quarters (four symbol segments). One, two,
three, or four of the symbol segments carry coded data, and the
remaining symbol segments are filled with undefined post-FEC padding
bits. A final OFDM symbol with just one quarter of the usual number of
coded bits still takes the same time for the FFT and for MIMO equalization,
but the time taken for decoding should be reduced by approximately a
factor of 4. More broadly, given that the OFDM symbol duration is 16 μs or
nearly so, each symbol segment containing post-FEC padding bits
nominally reduces the required decoding time by 4 μs.
APs and clients declare their PHY capabilities as part of the EHT
Capabilities element in several management frames. Figure 5-17 lists
these PHY capability fields, organized into themes.
Most capabilities bits are Booleans (is the feature supported or not), and
their meaning is self-explanatory. A few capability fields merit further
explanation, as follows, where [letter] refers to the tag added at the end
of the field or theme name in Figure 5-17:
[A]: This field equals the maximum number of spatial streams sent
by a single-user (SU) beamformer in an EHT sounding NDP, minus 1.
[C]: The phi and psi angles in the sounding feedback can be lightly
compressed (mandatory) or heavily compressed (optional, with
support indicated here).
[F]: This field equals the maximum number of spatial streams that a
STA can receive in an EHT sounding NDP or in a DL MU-MIMO
transmission.
[G]: This field enables a non-AP STA to indicate whether it has the
same, or lowered, capability to transmit and/or receive MCS 10–13
on RU/MRUs with fewer than 242 tones.
Summary
In this chapter, you have learned about the major revolutionary and
evolutionary features of the 802.11be PHY layer. You have seen MU PPDU
format and the TB PPDU format, and the fields therein. This chapter also
traced through the major processing blocks used when generating the
Data field of EHT PPDUs. Finally, you have reviewed the major PHY
innovations in Wi-Fi 7:
MLO Architecture
Before diving deep into the design aspects of specific features and
procedures for MLO, it is useful to first highlight the motivation that led to
the development of MLO (see Chapter 4, “The Main Ideas in 802.11be and
Wi-Fi 7,” for more details) and to explore the new MLD architecture
defined in 802.11be. This section provides a brief overview of MAC layer
evolution to support MLO and introduces the MLD architecture.
Evolution to MLO
Before MLO, an “AP device” would expose each of these radio bands as a
separate AP. So, a typical Wi-Fi 6E AP device would host three separate
APs—one on each of the 2.4, 5, and 6 GHz bands. The STA would pick one
of these APs to associate, with the selection typically being based on
signal strength (RSSI), congestion (such as the AP’s advertised BSS load),
and/or local device configuration (such as an internal scanning and
preference algorithm developed by the device manufacturer). If the radio
conditions deteriorated on that band, then the STA would scan to find
another AP on the same or a different band (presumably providing better
radio conditions) and establish connection with that AP. Given that the
process of scanning and reassociation is disruptive to data connectivity,
most clients exhibit sticky client behavior; that is, they stick to their
current AP even when it is not providing the best Wi-Fi performance. For
example, a STA would stick to 2.4 GHz band even when a high-performing
5 or 6 GHz band is available from the same AP device (see the “Client
Roaming and Stickiness: Coverage Discontinuity” section in Chapter 4 for
more explanation of the reasons for that stickiness). This behavior leads to
increased congestion (on bands where most clients decide to stick) and
suboptimal utilization of the network capacity, because other bands may
not be utilized fully. The net result is sub-par Wi-Fi performance and
undesirable end-user experiences.
With MLO, the 802.11be designers aimed to address these two key issues:
(1) the need to associate again when STA is moving across radio bands
(i.e., classic break-before-make behavior leading to connection disruption)
and (2) the suboptimal use of the overall network bandwidth offered
across multiple radio bands. The 802.11be amendment introduced the
MLD architecture, which enables a STA to seamlessly and dynamically
switch between radio bands offered by an AP device without needing to
associate again, which facilitates best use of all the radio bands
(according to STA capability) to achieve improved network utilization. This
amendment enables a STA to simultaneously connect over multiple bands
based on its capabilities and the multi-link (ML) modes supported (see the
“MLO Modes” section later in this chapter). As described in Chapter 5,
“EHT Physical Layer Enhancements,” each of the radios (typically but not
necessarily in different bands) offered by an AP device is referred to as
a link in 802.11be—hence the term multi-link device (MLD).
The MLO feature allows seamless operation over multiple links between
the AP and the client devices. It defines authentication, association, and
establishment of multiple links between an AP MLD entity and a non-AP
MLD entity (described in the next section), and enables simultaneous
channel access and frame exchanges across multiple links (based on
client device capability).
Multi-Link Devices
In an MLD (both the AP MLD and the non-AP MLD), the MAC layer functions
are split across two sublayers1: an MLD Upper MAC sublayer, which
provides common MLD upper MAC functions across all the links of the
MLD, and an MLD Lower MAC sublayer, which provides link-specific MAC
functions for each of the MLD links (as shown in Figure 6-1) for an MLD
with two links (e.g., on 2.4 and 5 GHz). The MLD Upper MAC presents a
single MAC data service that encompasses all links and exposes a single
MAC Service Access Point (SAP), which is the MLD MAC SAP to the upper
layer (the LLC sublayer of the Data Link layer as detailed in Chapter 1,
“Wi-Fi Fundamentals”). The MLD upper and lower MAC functions are
coordinated and managed by the STA Management Entity (SME) using
MAC Layer Management Entity (MLME) primitives. The MLD Lower MAC for
a given link interfaces with the PHY layer (via the PHY SAP) corresponding
to that link to exchange A-MPDUs/PSDUs over that link (see Chapter 5 for
details of PHY layer functions).
Each affiliated STA (AP or a non-AP STA) in an MLD has its own STA MAC
address assigned, denoted as the STA MAC addresses x and y in Figure 6-
1. Another MLD MAC address is assigned to the MLD itself, denoted as the
MLD MAC address m in Figure 6-1. A separate MLD MAC address is used to
establish MLD-level authentication, association, and generation of MLD-
specific security key material. An associated non-AP MLD is registered with
the DS network using the non-AP MLD MAC address, independent of how
many links are established between the non-AP MLD and the AP MLD. An
AP MLD, with which a non-AP MLD associates, establishes at the
Distribution System (DS) the mapping of that non-AP MLD to the AP MLD
for the proper delivery of data frames targeted for that non-AP MLD.
FIGURE 6-1 MLD MAC Architecture. SAP = Service Access Point, PLME =
PHY Layer Management Entity, MLME = MAC (Sub)Layer Management
Entity.
Note
The MLD MAC address may differ from the affiliated STA MAC addresses.
However, the architecture allows the MLD MAC address to be the same as
one of the STA MAC addresses of that MLD.
On the AP MLD, the MLD Upper MAC exposes a single MAC SAP interface
to the DS, as shown in Figure 6-2. All the data frames destined for an
associated non-AP MLD (identified by the non-AP MLD MAC address) are
delivered by the DS through the single (MLD) MAC SAP to that AP MLD.
The AP MLD then determines which of the associated links (one or more) it
will use to deliver the data frames to that non-AP MLD, and TID-To-Link
mapping becomes relevant in this context (as will be explained in the
“Link Management” section later in this chapter).
In the AP MLD, the individual affiliated APs on each of the links continue to
support association for non-AP STAs that do not support MLO functions;
such STAs are called non-MLD STAs. Each affiliated AP of an AP MLD also
has a non-MLD Upper MAC sublayer to provide connectivity for such non-
MLD STAs, as shown in Figure 6-2. The non-MLD Upper MAC layer also
provides link-specific encryption/decryption of groupcast traffic and power
save buffering of groupcast frames.
Each of the affiliated APs advertises a BSS that can provide connectivity
for both the non-AP MLDs and the legacy non-MLD STAs. Such
architectural flexibility is important because most deployments will have a
mix of MLD and non-MLD client devices and the desired goal is to provide
connectivity across all such devices.
A non-AP MLD with two affiliated STAs is shown in Figure 6-3. Each
affiliated STA consists of an MLD Upper MAC layer, an MLD Lower MAC
layer, and a PHY layer. The non-AP MLD architecture is designed such that
either a client device can connect to an AP MLD and establish an MLD-
level association to enable use of multiple links, or it can connect with a
single AP (with a pre-802.11be, non-MLO, association) using one of the
non-AP STAs over a specific link. For a non-MLO association, the MLD
Upper MAC and MLD Lower MAC together provide MAC layer functionality
and expose a MAC SAP to the upper layer. Such architectural flexibility is
important for Wi-Fi 7 clients to be able to operate across both Wi-Fi 7 and
other network deployments supporting Wi-Fi 6 and earlier generations of
Wi-Fi.
The MLD Upper MAC sublayer provides MLD-level functions and services
across the multiple links of the AP MLD. These include authentication,
(re)association, management of security context (pairwise keys and group
keys), and exchange of MLD-level management information (e.g., multi-
link elements) via the MLD Lower MACs. On the transmission data path,
the MLD Upper MAC provides encryption/decryption for individually
addressed frames, selection of appropriate link(s) for (re)transmission of
MPDUs, and, if needed, power-save buffering for MPDUs on the AP MLD.
On the reception data path, the MLD Upper MAC supports merging of
MPDUs across links and manages Block Ack scoreboarding across links for
individually addressed frames. It also performs reordering and de-
duplication of frames, then de-aggregation of A-MSDUs before MSDU
delivery to the upper layer.
Support for the MLO feature is mandatory for both AP and client devices
that aim to obtain the Wi-Fi Alliance’s Wi-Fi 7 certification. The 802.11be
amendment also mandates support for MLO for AP devices. For devices
supporting the MLO feature, multiple MLO functions and related
procedures are defined in 802.11be. In addition, the amendment specifies
optional or mandatory support of these procedures for the AP and the STA
side. The key MLO procedures and their mandatory/optional requirement
in 802.11be amendment are as follows:
MLO involves the discovery of AP MLD(s) by the non-AP MLD and then
establishing MLD-level authentication, association, and security context to
allow exchange of data frames across multiple links. This section reviews
these basic MLO functions.
MLD Discovery
Before a non-AP MLD can establish an association over multiple links with
an AP MLD, it needs to discover the AP MLD and its affiliated APs. Recall
from Chapter 1 that the 802.11 standard defines passive scanning
(listening to beacons) and active scanning (Probe Request/Response frame
exchange) for a STA to discover APs. MLO requires extensions to these
802.11 discovery procedures to accomplish discovery of information for
the multiple links of an AP MLD. The following MLO-related discovery
enhancements are defined on top of the existing AP discovery procedure:
The Basic ML element can also include one or more Per-STA Profile
subelements to provide link-specific information for each affiliated STA of
an MLD, including the Link ID, the STA MAC Address, and a partial or
complete list of information elements applicable for that affiliated STA in
the STA Profile field. Figure 6-4 captures the Basic ML element showing
some key fields. The Link ID for the affiliated AP transmitting the Basic ML
element is provided in the Common Info field.
FIGURE 6-4 Basic Multi-Link Element (Showing Key Fields)
The Basic ML element is used by the non-AP MLD to indicate its MLD-level
capabilities in management frames including the Probe Request,
Authentication, and (Re)Association Request frames, as discussed later in
the section on multi-link association.
Multiple BSSID and Transmitted/Nontransmitted BSSIDs
In MLO, given that all affiliated APs of an AP MLD belong to the same ESS
(same SSID), only one of the APs of a multiple BSSID set is part of an AP
MLD. If the affiliated AP of an AP MLD is a transmitted BSSID of a multiple
BSSID set, then it advertises Beacon and Probe Response frames and
includes the Basic ML element in those frames. If the affiliated AP of an AP
MLD is a nontransmitted BSSID of a multiple BSSID set, then the AP
corresponding to the transmitted BSSID of that multiple BSSID set
advertises a Basic ML element for that AP MLD in a Nontransmitted BSSID
Profile element in the Beacon and Probe Response frames.
The AP MLD ID and the Link ID information discovered from the RNR can
be used by a non-AP MLD when sending the multi-link probe request to
discover detailed profile information for the affiliated APs of an AP MLD.
Note
The non-AP MLD can select one or more of the following methods to
discover information about affiliated APs of an AP MLD:
Figure 6-7 shows these methods for AP MLD discovery by a non-AP MLD
that has three affiliated non-AP STAs (on 2.4, 5, and 6 GHz) and is
discovering an AP MLD that has three affiliated APs (on 2.4, 5, and 6 GHz).
With passive scanning, each affiliated non-AP STA scans (i.e., sets its
receiver to the channel and listens) the corresponding link of the AP MLD
and receives Beacon frames, which provide complete information about
that affiliated AP. As an example in Figure 6-7, the non-AP STA operating
on 2.4 GHz performs passive scanning to receive beacons from the AP
operating on the 2.4 GHz link. Similarly, the non-AP STAs operating on 5
GHz and 6 GHz would perform passive scanning to receive beacons from
APs operating on those links. With active scanning, each of the non-AP
STAs sends a (non-ML) Probe Request frame on the corresponding link to
receive the (non-ML) Probe Response frame from the affiliated AP on that
link, which provides the complete information about that affiliated AP.
In Figure 6-7, the non-AP STAs operating on 2.4, 5, and 6 GHz each send a
Probe Request frame to, and receive the Probe Response frame from, the
APs operating on those links. Both the passive and active scanning
methods of AP MLD discovery involves off-channel scanning to discover AP
MLD information, which is disruptive to the client’s current operation,
especially for single-radio non-AP MLDs.
FIGURE 6-7 AP MLD Discovery Methods
With the ML Probe Request/Response method, one of the non-AP STAs can
send an ML Probe Request frame to receive information for all affiliated
APs of an AP MLD without performing any off-channel scanning. For
example, in Figure 6-7, the non-AP STA operating on 2.4 GHz sends an ML
Probe Request frame, and AP1 responds with an ML Probe Response frame
that provides information for all three affiliated APs of the AP MLD. This
method of AP MLD discovery is preferred over the other two methods,
because it does not require going off-channel for scanning and hence is
the least disruptive to connectivity on the current link.
Multi-Link Association
The AP MLD may accept all or a subset of requested links for the ML
(re-)setup. In some cases, such as a capabilities mismatch, the AP MLD
may end up rejecting all the requested links for the ML (re-)setup. In the
(Re)Association Response frame, the AP MLD indicates the list of
requested links that are accepted and that are rejected for the ML
(re-)setup in the Basic ML element. For each link, the corresponding Per-
STA Profile subelement in the Basic ML element in the response frame
provides capabilities and operational parameters information for the AP
operating on that link, and the Status Code field indicates the accepted or
rejected status for that link for ML (re-)setup. The (Re)Association
Response frame is transmitted by the same affiliated AP that received the
(Re)Association Request frame. In addition, the (Re)Association Request
and Response frames are exchanged on the same link where the
Authentication frames are exchanged before the ML (re-)setup. An ML
(re-)setup cannot be successful if the link over which the (Re)Association
Request was sent cannot be accepted in the (Re)Association Response
(e.g., for the parameters mismatch failure reason). So, after a successful
ML (re-)setup, the current link where the ML (re-)setup was executed is
always part of the setup links for the non-AP MLD.
Note
After the ML (re-)setup establishes one or more links between the non-AP
MLD and the AP MLD, the 4-way handshake is executed between the peer
MLDs to establish the PTK (Pairwise Transient Key) and exchange link-
specific group keys. The MLO security aspects are explored in more detail
in the “MLO Security” section of this chapter.
Figure 6-9 shows the end-to-end flow for the ML (re-)setup operation
between a non-AP MLD and an AP MLD, including the ML authentication,
the ML association establishing three links, the 802.1X/EAP authentication
(if applicable), and the 4-way handshake establishing security keys. Note
that the 802.11be amendment requires that all the management frames
for ML (re-)setup operations be exchanged on the same link. This means
that the 4-way handshake must be executed on the same link where the
(Re)Association Request/Response frames were exchanged. After the
successful 4-way handshake, UL/DL data exchange is enabled on all links
set up between the peer MLDs. Initially, all other links are in PS mode
except the link where ML (re-)setup is completed.
Either of the peer MLDs in an MLD-level association can tear down all the
setup links by sending a Disassociation frame through one of the affiliated
STAs of the MLD. After disassociation, the non-AP MLD and all its affiliated
non-AP STAs are in an unassociated state. Either of the peer MLDs can
also send a Deauthentication frame that tears down all setup links and
changes the MLD state to state 1 (unauthenticated and unassociated).
MLO Association Myths
Myth 1: The client device associates with the AP device on each link.
Reality: This is not the case. Rather, a single (Re)Association Request and
(Re)Association Response exchange is performed on one link. The pair of
association frames includes the requisite information for all links. The
information in the association frames is exchanged between the non-AP
MLD and the AP MLD entities.
Myth 3: The link on which the client sends the (Re)Association Request
frame is a special, main, or anchor link.
Reality: This is not the case. The client can use any link to send the
(Re)Association Request frame to the AP MLD to establish the ML
association. The AP MLD sends the (Re)Association Response frame on the
same link.
MLO Security
For MLO, the PMK security association (PMKSA) and the PTKSA security
context used for the protection of individually addressed frames are
established at the MLD level. The group keys (GTK, IGTK, and BIGTK 11) are
established at the link level for each link of the MLD.
11 GTK: group temporal key; IGTK: integrity group temporal key; BIGTK:
beacon integrity group temporal key.
For MLO, the PTK generation uses the same KDF as for the non-MLO case,
except that the addresses used are the MLD MAC addresses. The PTK
generation (for the case when authentication is not FT or FILS) is shown
here,12 highlighting that the PTK generation is tied to the AP MLD and the
non-AP MLD MAC addresses:
where AA = AP MLD MAC address, SPA = non-AP MLD MAC address, and
“||” indicates concatenation.
The MLD architecture splits the data plane handling for individually
addressed data frames over the MLD Lower MAC and MLD Upper MAC
sublayers, as explained in the “Multi-Link Device” section earlier in this
chapter. The following enhancements and new functions are added for
supporting the delivery of individually addressed data frames between
MLDs:
The MLD Upper MAC sublayer adds the new functionality of mapping
MPDUs to link(s). This is done by considering the TID-To-Link
mapping, the per-link power management indications, and likely
other implementation-specific factors (e.g., preferentially selecting
the 6 GHz link for TIDs carrying low-latency traffic).
The MLD Upper MAC sublayer adds new functionality for merging
the MPDUs of a TID received over multiple links.
Block Ack agreements are established at the MLD level between the
MLD Upper MAC sublayers. The Block Ack scoreboard context is
maintained both at the MLD Lower MAC sublayer (link-level BA
scoreboard) and the MLD Upper MAC sublayer (unified BA
scoreboard).
Figure 6-10 shows the Block Ack procedure between an AP MLD and a non-
AP MLD. After a BA agreement has been established for a TID between the
MLDs using the ADDBA Request/Response exchange, the Block Ack
session applies across all links of the MLD. If the non-AP MLD is capable of
exchanging frames simultaneously over multiple links (STR operation; see
the “MLO Modes” section), the A-MPDUs for that TID can be transmitted by
the AP MLD over multiple links and acknowledged by the non-AP MLD
using Block Ack frames. The Block Ack frame on each link, at a minimum,
acknowledges the reception of MPDUs successfully sent on that link. An A-
MPDU containing MPDUs with sequence number (SN) = 1, 2, and 3 is sent
on Link 1 by AP1, and another A-MPDU containing MPDUs with SN = 4, 5,
and 6 is sent on Link 2 by AP 2. The Block Ack sent by STA 1 on Link 1
acknowledges MPDUs with SN = 1, 2, and 3, and the Block Ack sent by
STA 2 on Link 2 acknowledges MPDUs with SN = 4, 5, and 6.
FIGURE 6-10 Block Ack Procedure Between MLDs
The Tx and Rx functions for the MLD data plane for individually addressed
MPDUs are shown in Figure 6-11.13 On the Tx/transmission data path, the
MLD Upper MAC sublayer receives one or more MSDUs through the MAC
SAP from the LLC layer. A-MSDU aggregation may be applied across
multiple MSDUs. The SN is assigned to the MPDU, followed by a packet
number (PN) for encryption and replay detection. The MPDU is encrypted
and integrity protected (by adding a MIC) through the PTK; the same PTK
is used for all links. The MPDU is then mapped to one or more links
based on the mapping of TIDs to links (per TTLM) and sent to one or more
MLD Lower MAC sublayers for delivery. In the lower MAC, the MPDU header
and CRC are added to the MPDU payload and A-MPDU aggregation is
applied. The MPDU or the A-MPDU is then sent to the PHY layer over the
PHY SAP for transmission over a link. If an MPDU is sent to multiple MLD
Lower MAC sublayers for delivery, when that MPDU is delivered
successfully on one of the links, that MPDU is immediately retired at the
other links. Additionally, if the transmission of an MPDU (of a specific TID)
is unsuccessful on a specific link, the MLD may attempt retransmission of
that data frame on any of the links over which that TID is mapped (per
TID-To-Link mapping).
FIGURE 6-11 MLD MAC Data Plane Functions for Individually Addressed
Data Frames
13 See P802.11be D5.0, clause 5.1.5.1.
On the Rx/receive data path, when the MLD Lower MAC sublayer receives
a PSDU from a PHY SAP, the PSDU first goes through the process of A-
MPDU de-aggregation and then the MPDU header and CRC fields are
validated. The Address 1–based filtering, using the station MAC address of
the link, is performed to ensure that the MPDU is relevant to the receiving
STA. These functions are the same as the data plane handling for the non-
MLO case. The link-level BA scoreboard context for a TID is maintained by
the MLD Lower MAC sublayer. The MLD Upper MAC sublayer maintains the
common unified BA scoreboard for a TID across the multiple links that the
TID is mapped to. The MLD Upper MAC sublayer receives MPDUs for a TID
from the lower MACs of multiple affiliated APs; it then merges these
MPDUs for duplicate detection and frame reordering based on their SN.
Next, the MPDU is decrypted using the PTK, and replay detection is
performed based on the PN. Lastly, the upper MAC performs A-MSDU de-
aggregation (if MSDU aggregation was applied by the transmitter).
MLO Modes
In MLO, each affiliated STA of an MLD operating on one of the setup links
contends for the channel access independently of other affiliated STAs
operating on other setup links. The 802.11be amendment defines several
modes of operation for MLO (shown in Table 6-1) based on the differing
hardware capabilities of devices, and specifically whether they are single-
radio– or multi-radio–capable non-AP MLDs. An AP MLD is required to
support simultaneous operation across the set of multiple links it supports.
Number
MLO Mode of Radios Functionality Requirements
Required
Both the AP MLD and the non-AP MLD signal their MLD-level capabilities
and operation parameters in the Basic ML element as follows:
The client devices that have only a single full-capability radio can support
just the first two modes of operation (MLSR and EMLSR). The last three
MLO modes (STR, NSTR, and EMLMR) are multi-link multi-radio (MLMR)
modes of operation and can be supported only by client devices that have
multiple radios capability.
The last column in Table 6-1 specifies the requirements for MLO modes
defined in the 802.11be amendment. This amendment mandates AP MLDs
to support the MLSR and STR modes of operation and requires that non-AP
MLDs, at a minimum, support the MLSR mode. The Wi-Fi Alliance’s
certification for Wi-Fi 7 mandates further requirements for the support of
these MLO modes.
The most important MLO modes are MLSR, EMLSR, and STR. In the Wi-Fi
Alliance’s Wi-Fi 7 certification program, AP MLD devices are required to
support these three MLO operation modes. Non-AP MLD devices are
required to support MLSR, and either the EMLSR or STR mode of operation
as per the next condition stated. If a non-AP MLD supports both two
spatial streams and a 160 MHz channel width on at least one of the links,
then the non-AP MLD is required to support either the EMLSR or STR
operation mode.
In the MLSR mode, a non-AP MLD indicates that it is in power save mode
(PM = 1) on all its setup links except one link, using the existing power
management signaling (see Chapter 1). The non-AP MLD can contend for
and access the channel on the link that is not in power save mode (PM =
0) for UL transmissions, and can receive DL transmissions from the AP on
that link. If it wishes to use another link (e.g., when the current link
becomes congested) or if it wants to access another preferred link (e.g., a
6 GHz link), then the non-AP MLD indicates that it is in power save mode
(PM = 1) on the previous link and not in power save mode (PM = 0) on the
new link to the AP MLD, using existing power management signaling.
Thus, in the MLSR mode, the active link has the PM = 0 setting and all
other links have the PM = 1 setting. The AP MLD transmits to the non-AP
MLD only on the one link where the non-AP MLD is not in power save
mode.
Figure 6-12 shows MLSR operation between a non-AP MLD and an AP MLD
that have set up three links in their ML association (2.4, 5, and 6 GHz
links). Initially, the non-AP MLD is in active mode (PM = 0) on the 5 GHz
link, and it is in power save mode (PM = 1) on the other two links. All UL
and DL transmissions are happening on the 5 GHz link. Then, the non-AP
MLD decides to access the 6 GHz link (e.g., for low-latency traffic or
because the 5 GHz link becomes congested) and switches its power save
mode. It first enters power save mode on the 5 GHz link by indicating PM
= 1 to the 5 GHz AP. It then becomes active on the 6 GHz link by
indicating PM = 0 to the 6 GHz AP.
Switching links in the MLSR operation using the power save indication (PM
bit) enables flexibility for the client to use and quickly switch to any one of
the associated links. The MLSR mode can offer improved latency and
reliability by enabling the client to use a less congested link.
Support for EMLSR operation is indicated by the non-AP MLD and the AP
MLD in the EML Capabilities field in each of their transmitted Basic ML
elements. After ML (re-)setup, the non-AP MLD is in power save mode on
all links except the current link [where the ML (re-)setup was completed]
and EMLSR mode is disabled by default on the setup links. A non-AP MLD
sends an EML Operating Mode Notification (EML OMN) frame to explicitly
enable the EMLSR mode for the links indicated by the EMLSR Link Bitmap
field in the frame. In response, the AP MLD transmits an EML OMN frame
to the non-AP MLD when it is ready to serve the non-AP MLD in the EMLSR
mode and within the transition timeout period indicated in the EML
Capabilities field. The non-AP MLD enters the EMLSR mode after it
receives the EML OMN frame response from the AP MLD or after the
transition timeout period, whichever happens first. 15
Once the EMLSR mode is enabled, the non-AP MLD listens in limited Rx
capability mode (i.e., NSS of 1, bandwidth of 20 MHz, and support for only
low MCS rates of 6, 12, or 24 Mbps) on the indicated set of EMLSR links
(which could be just one EMLSR link). The AP MLD sends an initial control
frame (ICF) on one of the EMLR links to start the frame exchange
sequence with the non-AP MLD. A padding delay is applied to the ICF to
allow the non-AP MLD enough time to switch all its radio resources to the
link where the ICF is received for full-capability Tx and Rx exchange on
that link. The ICF can be either an MU-RTS Trigger frame or a BSRP Trigger
frame. In turn, the non-AP MLD sends the corresponding control frame
response to the ICF. The link where the ICF frame is sent and a control
response is sent back by the non-AP MLD can then perform Tx and Rx with
full capability (with NSS ≥ 2), and the other EMLSR links become inactive.
After the data exchange is completed on that EMLSR link, the non-AP MLD
goes back to the listening mode on all links of its EMLSR link set, after a
transition delay.
In the STR mode of operation, an MLD device contains multiple radios, and
each radio is capable of operating independently of the other radios. Each
radio has its own set of antennas, and the radios are sufficiently isolated
from each other inside the device that the activity of one radio does not
create unsurmountable EMF interferences on the other co-located radio.
The channels used across the multiple links of the MLD have enough
separation that these links can operate independently without any self-
interference within the device. The AP MLD is required to support STR
operation for each pair of links that it supports. However, support for STR
operation is not mandated for client devices in the 802.11be amendment,
because client devices targeted for different market segments have
different hardware and cost constraints. In contrast, the Wi-Fi Alliance’s
Wi-Fi 7 certification requires that client devices support STR mode (see the
earlier sidebar on certification for MLO modes). STR mode enables devices
to achieve higher throughput (with link aggregation by simultaneously
sending data over multiple links; e.g., 5 + 6 GHz links) and improved
reliability and lower latency (with diversity gains by using any of the
available links; e.g., 2.4 + 5 GHz diversity).
An STR link pair is a pair of links on which MLD operates in STR mode and
can simultaneously transmit and receive on the two links. This implies that
the MLD can be transmitting on one link of the STR link pair and
simultaneously receiving on the other link, or that the MLD can be
simultaneously transmitting or receiving on the two STR links. As
previously described, all pairs of links for an AP MLD (that is not an NSTR
mobile AP MLD) are required to be STR link pairs. For an MLD (AP MLD or a
non-AP MLD) that supports STR operation on a pair of links, access to the
wireless medium is accomplished independently on each of those
links.16 The MLD operates asynchronously and in full-capability mode on
each of the links of the STR link pair.
For the NSTR mode of operation, the following modified channel access
rules are defined:
A non-AP MLD identifies a set of NSTR link pairs at the time of association
with an AP MLD in the NSTR Indication Bitmap field in the Basic ML
element. Support for the NSTR mode of operation is optional for both the
AP MLD and the non-AP MLD. An AP or a non-AP STA affiliated with an MLD
can choose to not initiate transmission after gaining channel access if that
transmission would cause interference to the non-AP STA operating on one
of the links of an NSTR link pair.
Support for the EMLMR mode is specified by the non-AP MLD and the AP
MLD in the EML Capabilities field in each of their transmitted Basic ML
elements by setting the EMLMR Mode field to 1. During the ML (re-)setup,
a multi-radio non-AP MLD indicates its support for STR link pairs. The
EMLMR mode is disabled by default on the setup links. A non-AP MLD
sends an EML Operating Mode Notification (EML OMN) frame to explicitly
enable the EMLMR mode. A non-AP MLD specifies the set of MCS, NSS, and
channel widths that it supports during EMLMR operation on any of the
EMLMR links via the EML OMN frame (using the EMLMR Supported MCS
and NSS Set field and the MCS Map Count field). The EMLMR Link Bitmap
field in the frame indicates the set of links on which the EMLMR mode is
being enabled. In response, the AP MLD transmits an EML OMN frame to
the non-AP MLD when it is ready to serve the non-AP MLD in the EMLMR
mode and within the transition timeout period indicated in the EML
Capabilities field. The non-AP MLD enters EMLMR mode after it receives
the EML OMN frame response from the AP MLD or after the transition
timeout period, whichever happens first.19
EMLMR operation adds further complexity to the STR operation for a non-
AP MLD. It may not offer significant benefits over STR operation due to the
overhead added by the ICF and response frame. Hence, the EMLMR mode
is not being certified by the Wi-Fi Alliance and is unlikely to see wider
adoption in the market.
ML Reconfiguration
An AP MLD can add a new affiliated AP to the AP MLD at any point in time,
triggered by the STA Management Entity (SME) layer. The new affiliated AP
gets announced in the Beacon and Probe Response frames transmitted by
all other affiliated APs of the AP MLD, as well as in its own Beacon and
Probe Response frames. In the Basic ML element, the Maximum Number
Of Simultaneous Links field is incremented by 1 when an affiliated AP is
added to the AP MLD. The RNR element also includes a new TBTT
Information field carrying MLD parameters for the newly added AP. 20
A non-AP MLD identifies that a new AP has been added to its associated
AP MLD from the Basic ML element or RNR element in the Beacon and
Probe Response frames. If desired, the non-AP MLD can then initiate the
link reconfiguration procedure to add a new link with the new AP in its
setup links if that feature is supported on both of the peer MLDs (see the
“Link Reconfiguration for Add/Delete Links” section).
If a non-AP MLD has only one setup link and it was on the link of the AP
being removed, then the non-AP MLD is disassociated from the AP MLD
when the affiliated AP is removed. If a non-AP MLD has multiple setup links
with the AP MLD, then the non-AP MLD remains associated with the AP
MLD on the remaining setup links after the AP is removed.
Figure 6-18 illustrates the process of link reconfiguration for an add link
operation. Initially, Links 1 and 2 are established for the non-AP MLD as
part of its setup links. The non-AP MLD then sends a Link Reconfiguration
Request frame to the AP MLD requesting to add Link 3 to its setup links.
The AP MLD accepts the add link operation and sends a Link
Reconfiguration Response frame indicating success. After the successful
link reconfiguration, the non-AP MLD now has three links (links 1, 2, and 3)
set up with the AP MLD.
In other cases, a non-AP MLD may perform both add and delete links
operations simultaneously with its associated AP MLD (e.g., when an AP
MLD recommends that a non-AP MLD change its set of associated links), or
the non-AP MLD may seek to delete one of its links for better link
management. Figure 6-19 illustrates the link reconfiguration for
simultaneous add link and delete link operations. Initially, Links 1 and 2
are established for the non-AP MLD as part of its setup links. The non-AP
MLD then sends a Link Reconfiguration Request frame to the AP MLD
requesting to add Link 3 to its setup links and delete Link 2 from its setup
links. The AP MLD accepts these operations, and sends a Link
Reconfiguration Response frame indicating success for both operations.
After successful link reconfiguration for the add link and delete link
operations, the non-AP MLD has two links (links 1 and 3) established as
part of its setup links with the AP MLD. Note that the protocol allows a
non-AP MLD to also send a Link Reconfiguration Request frame requesting
to just delete one or more links.
FIGURE 6-19 Link Reconfiguration for Add Link and Delete Link
Operations
Note
Link Management
To better optimize use of links across all associated STAs, an AP MLD can
spread out (i.e., load balance) all the non-AP MLDs’ traffic across two or
more available links. For example, it might take this step to avoid one link
becoming overly congested or to provide a less congested link for high-
priority or low-latency traffic. An AP MLD has the best knowledge of traffic
conditions across multiple links, whereas a non-AP MLD may have only
limited understanding of the congestion level for each link, especially if it
routinely operates in power save mode. The AP MLD can provide
assistance to non-AP MLDs to load-balance traffic across available links so
that it can offer the most desirable link conditions to its associated set of
non-AP MLDs.
TID-To-Link Mapping
The TTLM negotiation is performed between peer MLDs using the TID-To-
Link Mapping Request/Response exchange. Either the AP MLD or the non-
AP MLD can initiate this negotiation. The initiator MLD sends a TID-To-Link
Mapping Request frame, which includes one or two TID-To-Link Mapping
elements specifying the requested TTLM (two elements are included if
different TTLMs are suggested for the DL and UL). The responder MLD can
accept or reject the proposed TTLM in the request frame; it sends a TID-To-
Link Mapping Response frame indicating its decision. If it rejects a request
for TTLM negotiation, the responder MLD’s response can identify its
preferred TTLM by including one or two TID-To-Link Mapping elements. An
MLD can also send an unsolicited TID-To-Link Mapping Response frame to
suggest a preferred TTLM to its peer MLD. Additionally, the TTLM
negotiation can be done as part of the (Re)Association Request/Response
exchange between peer MLDs by including a TID-To-Link Mapping element
in the (Re)Association Request.
Class 1 frames are permitted to be exchanged from within all four states.
They include four types of management frames (Beacon, Probe
Request/Response, Authentication, and Deauthentication frames) as well
as three types of control frames (RTS/CTS, ACK, and CF-End frames).
Note that these classes also include other frame types that are legacy or
irrelevant for this chapter—for example, frames used for independent BSS
(IBSS) or for personal BSS (PBSS).
After the Expected Duration counts down to 0 and the previously disabled
AP link is re-enabled, the corresponding TID-To-Link Mapping element is no
longer included in the Beacon and Probe Response frames. In some cases,
when an AP MLD disables multiple links at different points in time, it will
replace a current advertised TTLM with another advertised TTLM for the
future. There are then two advertised TTLM elements in the Beacon and
Probe Response frames: One element indicates a currently effective
advertised TTLM, and the other element indicates a TTLM that will become
effective in the future (per the indicated Mapping Switch Time). Note that
when a mandatory TTLM is being advertised by an AP MLD and applies to
all the associated non-AP MLDs, a non-AP MLD can still engage in an
individual TTLM negotiation with the AP MLD if the individually negotiated
TTLM does not conflict with the advertised and mandatory TTLM.
ML Power Management
Each non-AP STA affiliated with a non-AP MLD maintains its own power
management mode and power state (awake or doze state). Frames can be
exchanged on a setup link between the peer MLDs if the non-AP STA is in
the awake state on that link.
When a non-AP MLD is in power save mode on all the links where TID
traffic can be delivered, then the AP MLD buffers that TID traffic for the
non-AP MLD. The status of buffered individually addressed data for a non-
AP MLD is indicated in the partial virtual bitmap of the TIM element by
setting the AID bit corresponding to that non-AP MLD to 1. In the typical
case when all TIDs are mapped to all links (i.e., the default TTLM mode) or
a subset of links (i.e., TTLM mode 1), the bit corresponding to the non-AP
MLD will be set in the TIM element transmitted on all enabled links for that
non-AP MLD. The non-AP MLD can then detect that it has buffered traffic
on one of the links from the TIM element and use the currently defined
power-saving mechanism (e.g., PS-Poll or U-APSD) to fetch the buffered
data on any of the enabled links.
Note
For MLO, the listen interval operation, which is used for power-saving
purposes by clients, is defined at the MLD level. Specifically, the non-AP
MLD sets the Listen Interval field in the (Re)Association Request frame at
the MLD level. After a successful ML (re-)setup, the AP MLD uses the listen
interval that gets agreed during the (Re)Association Request/Response
exchange to determine how long to buffer frames for that non-AP MLD. At
least one of the affiliated non-AP STAs of the non-AP MLD must transition
to the awake state to receive the Beacon frame within the negotiated
(MLD level) listen internal.
The AP MLD also applies the Ma Idle Period at the MLD level. If no frames
are received from the non-AP MLD on any of the setup links within the
MLD-level Max Idle Period, then the AP MLD can consider the non-AP MLD
as idle for making disassociation decisions. Similarly, the Wireless Network
Management (WNM) sleep mode feature, which enables an extended
power save mode for client devices (typically IoT devices), works at the
MLD level between the peer MLDs.
The BSS parameters critical update is achieved using the BSS Parameters
Change Count (BPCC) field, which is maintained separately for each
affiliated AP.30 The BPCC field for an affiliated AP is initialized to 0, and is
incremented by 1 whenever a critical update occurs to BSS parameters of
that AP. The 802.11 standard had already defined a set of BSS parameter
updates as critical updates, but the 802.11be amendment added more
BSS parameter updates to that set.31 The BPCC field for each of the other
affiliated APs of the AP MLD is carried in the MLD Parameters of the RNR
element corresponding to that AP, identified by the Link ID field (refer
back to Figure 6-5). The BPCC field for other affiliated APs of an AP MLD is
also included in the (Re)Association Response frame in the Per-STA Profile
subelement of the Basic ML element. The BPCC field of the reporting AP is
included in the Common Info field of the Basic ML element (refer back
to Figure 6-4).
The BPCC field is updated for any AP affiliated with the same AP
MLD as the reporting AP.
When a non-AP MLD detects that the CUF field is set to 1, it can use that
indication to take actions to retrieve information for critical update events
just listed. A non-AP MLD maintains the record of the last received BPCC
value for each affiliated AP of the AP MLD it is associated with. When it
detects that the latest received BPCC value for an affiliated AP differs from
the last recorded BPCC value, the non-AP MLD attempts to receive a
Beacon or Probe Response frame from that AP. There is one exception to
this rule: When the latest received BPCC value for an affiliated AP is equal
to the last recorded BPCC value plus 1 and the All Updates Included field
in the MLD Parameters in the RNR element is also set to 1, then the non-
AP MLD does not need to take any action because the received frame
already includes the updated elements.
For MLO, the BSS transition management procedure applies at the MLD
level between the AP MLD and the non-AP MLD. The BSS Transition
Management (BTM) Request frame has been enhanced so that it can
provide a recommendation for AP MLDs or a subset of their affiliated
APs.32 To achieve MLD-level recommendation, the Neighbor Report
element carried in the BTM Request frame includes a Basic ML element.
When the AP MLD is providing a recommendation for a reported AP MLD
(and not recommending a subset of APs of that AP MLD), it includes a
Neighbor Report element for one of the affiliated APs of the reported AP
MLD and includes a Basic ML element in the Neighbor Report. The Basic
ML element does not include any optional field in the Common Info field;
likewise, it does not include any Per-STA Profile subelement in the Basic
ML element.
Summary
extremely high throughput (EHT) basic service set (BSS): [EHT BSS] A BSS
in which the transmitted Beacon frame includes an EHT Operation
element.
This chapter describes MAC layer operation and other MAC feature
enhancements for 802.11be, also called Extremely High Throughout
(EHT). These enhancements complement those described in Chapter 6,
“EHT MAC Enhancements for Multi-Link Operations,” which dealt with
multi-link operation (MLO). First, we will review basic operation of EHT APs
and EHT non-AP STAs within an EHT BSS. Next, we will explore some of the
key MAC features and related procedures defined in 802.11be, including
enhanced stream classification service (SCS) with QoS characteristics,
restricted target wake time (R-TWT), triggered TXOP sharing, and
Emergency Preparedness Communications Service (EPCS) priority access.
The last section of this chapter describes the Wi-Fi security aspects unique
to Wi-Fi 7.
A STA (an AP STA or a non-AP STA) that supports (mandatory and possibly
optional) features defined in the 802.11be amendment is an EHT STA.
Each affiliated AP of an AP MLD is an EHT AP, and each non-AP STA
affiliated with a non-AP MLD is an EHT non-AP STA. For BSS operation, the
AP first needs to start the BSS and start advertising the BSS’s operation
parameters in beacon and probe responses. For EHT, the Station
Management Entity (SME) manages starting each of the affiliated (EHT)
APs of the AP MLD, through MLME primitives defined to start an AP (MLME-
START.request). Calling the MLME primitive for an AP initiates the process
of creating an EHT BSS for that AP. The MLME primitive provides all the
operation parameters needed to start the BSS. Once the EHT BSS is
created, the MAC layer notifies the SME about the result by sending an
MLME-START.confirm primitive to the SME. The SME then initiates the
MLME-START.request primitive for each affiliated AP of the AP MLD, which
tells it to start the EHT BSS for that AP. Once started, an EHT BSS can
provide connectivity for EHT non-AP STAs; it also provides connectivity for
HE, VHT, and HT non-AP STAs based on the operating radio band of that
EHT BSS. After the affiliated APs BSS are started, the non-AP MLD can then
associate with the AP MLD using the ML setup after scanning and
discovery.
Each generation of Wi-Fi defines a set of operation parameters specific to
that generation in an operation element defined for that generation. An
EHT AP indicates EHT-specific operation parameters for its EHT BSS in an
EHT Operation element. The EHT Operation element of an AP is advertised
in the Beacon and Probe Response frames and provided in the
(Re)Association Response frames. In addition to the EHT Operation
element, the operation of an EHT BSS is controlled by a combination of
HT, VHT, and/or HE Operation elements, depending on the operating radio
of the EHT AP:
Note
An EHT STA operating in the 2.4 GHz band is also an HE STA and an HT
STA. An EHT STA operating in the 5 GHz band is also a VHT STA. An EHT
STA operating in the 6 GHz band is also an HE STA.
The EHT AP announces its BSS operating channel width in the Channel
Bandwidth field in the EHT operation information if it is announcing a
different bandwidth for the EHT STAs than the non-EHT STAs. If no
separate EHT channel bandwidth is announced, then the operating
bandwidth of EHT BSS is determined based on the HE, VHT, and/or HT
operating bandwidth announced in the respective operation element, per
the radio band of the EHT BSS. If an EHT channel bandwidth is announced,
then the operating channel center frequency (CCF) is indicated through
the CCFS0 and CCFS1 parameters.
The set of supported EHT MAC features is identified in the EHT MAC
Capabilities Information field by both the AP and the non-AP STA, as shown
in Figure 7-2. Capabilities related to new EHT MAC features include SCS
traffic description support, restricted TWT support, triggered TXOP sharing
feature-related capabilities, and capabilities related to EPCS priority
access. These MAC features are described later in this chapter. The
maximum MPDU length that can be supported for 2.4 GHz is indicated by
the Maximum MPDU Length field. For the 5 GHz and 6 GHz bands, the
maximum MPDU length supported is the same as that indicated in the
VHT Capabilities and HE Capabilities elements, respectively. Some other
capabilities are signaled in fields shown under the miscellaneous category
in Figure 7-2; the names of these fields are self-explanatory (OM =
operating mode, TRS = triggered response scheduling, BQR = bandwidth
query report).
FIGURE 7-2 EHT MAC Capabilities
Besides the basic set of <EHT-MCS, NSS> tuples that must be supported
by all the non-AP STAs connecting to an EHT BSS, an EHT STA can support
other combinations of <EHT-MCS, NSS> at different bandwidths. This
capability is indicated by the Supported EHT-MCS and NSS Set field in the
EHT Capabilities element. As shown in Figure 7-3, the Supported EHT-MCS
and NSS Set field indicates the supported combination of <EHT-MCS,
NSS> at different PPDU bandwidths: 20 MHz only for the 20 MHz-only STA,
and ≤ 80 MHz, 160 MHz, and 320 MHz for reception (Rx) and transmission
(Tx). For each channel width, the EHT STA indicates support for a
maximum NSS for different EHT MCSs for Rx and Tx in the corresponding
EHT MCS Map field for that channel width. For example, for 80 MHz, the
STA indicates support for its maximum NSS for MCS 12 and MCS 13 for
reception in the Rx Max NSS That Supports EHT-MCS 12–13 field. Similarly,
it indicates support for its maximum NSS for MCS 12 and MCS 13 for
transmission in the Tx Max NSS That Supports EHT-MCS 12–13 field. Both
are included in the EHT-MCS Map (BW <= 80 MHz) field. A 20 MHz-only
STA supports the basic <EHT-MCS, NSS> set. The EHT PPE Thresholds field
provides the nominal packet padding for an EHT PPDU (see Chapter 5 for
details).
FIGURE 7-3 Supported EHT-MCS and NSS Set in EHT Capabilities Element
An EHT STA determines the maximum receive NSS for an EHT-MCS that
can be supported by a peer EHT STA (corresponding to different PPDU
bandwidths) as the smaller of the values indicated in the Supported EHT-
MCS and NSS Set and the maximum receive NSS indicated through the
operating mode update procedure3 by that STA. An EHT STA uses the
maximum Rx NSS determined for a peer STA and its own maximum Tx
NSS to determine the maximum NSS to be used for transmitting EHT
PPDUs to that STA. Similarly, an EHT STA determines the maximum
transmit NSS for an EHT-MCS that can be supported by a peer STA as the
smaller of the values indicated in the Supported EHT-MCS and NSS Set
and the maximum transmit NSS (Tx NSTS) indicated through the OMI
update (see the “Operating Mode Updates” section).
In EHT, the OMI mechanism is extended to add support for signaling the
320 MHz channel width as well as support for dynamic updates for the
operating mode. EHT adds a new EHT OM Control field that works in
conjunction with the HE OM Control field to indicate an EHT STA’s channel
width plus its receive and transmit NSS.
Preamble Puncturing
80 MHz 20 MHz
An EHT AP signals the punctured channels of the BSS in the EHT Operation
element. The AP indicates the set of 20 MHz subchannels that are
punctured in the Disabled Subchannel Bitmap field in the EHT Operation
element, which the AP transmits in Beacon and Probe Responses. The EHT
STAs in the BSS do not use the set of punctured 20 MHz channels
advertised by the AP for any PPDU transmissions within the BSS. In some
scenarios, an EHT STA may also puncture other subchannels, besides the
subchannels indicated in the Disabled Subchannel Bitmap, in an EHT MU
PPDU or a non-HT duplicate PPDU as per the rules defined in the 802.11be
amendment.4 An EHT AP updates the advertised puncturing pattern in the
EHT Operation element if the BSS’s set of punctured subchannels
changes.
EHT Sounding
As described in the “Sounding Procedure” section in Chapter 3, transmit
beamforming and DL MU-MIMO operations require the AP to have
knowledge of the channel state, so that it can organize its downstream
transmissions and optimize the signal for each receiver. To that end,
sounding allows a beamformer (typically the AP) to send a sounding PPDU
—a null data packet (NDP)—to one or more beamformees (typically a STA
or a group of STAs). The receiving STAs respond with compressed steering
matrices that indicate the state of the channel for a subset of the tones.
(The “Sounding and Beamforming” section in Chapter 5 provides PHY-
related details for the sounding exchange and the returned steering
matrix.)
The goals of sounding are the same in 802.11be as in 802.11ax, with the
addition of two use cases:
The general structure of the EHT sounding NDP is similar to that of the
previous generation’s (802.11ax) sounding NDP, including the L-STF, L-
LTF, L-SIG, and RL-SIG fields; the PE field; and a variable number of
protocol-specific LTFs. However, whereas 802.11ax included the HE-SIG-A,
HE-STF, and HE-LTFs fields, 802.11be includes the U-SIG, EHT-SIG, EHT-
STF, and EHT-LTFs fields:
The U-SIG field indicates that the NDP is EHT (802.11be) and
identifies the NDP bandwidth. 802.11ax allowed up to 160 MHz
transmissions, and 802.11be adds the 320 MHz option for the 6 GHz
band. The U-SIG field also carries a Punctured channel Indication
field, which indicates if some of the RUs are punctured. The field
includes a code (a number between 0 and 24, depending on the
NDP bandwidth5) that represents which 20 MHz, 40 MHz, and/or 80
MHz RU(s) or MRU(s) is/are punctured (when applicable). There is no
puncturing for 20 MHz or 40 MHz transmissions. The 80 MHz
bandwidth allows for one 20 MHz puncture; a code from 1 to 4
indicates which 20 MHz segment is punctured. The 160 MHz
bandwidth allows for 20 MHz or 40 MHz punctures, so in this case
the codes range from 1 to 12 (one of 8 possible 20 MHz segments,
or one of 4 possible 40 MHz segments). The 320 MHz bandwidth
allows for 40 MHz, 80 MHz, or concurrent 80 MHz and 40 MHz
puncturing (24 possibilities).6
6 See Chapter 5, Table 5-3 and Table 5-4, for the list of codes and their
puncturing representation.
The EHT-STF has the same role as the STF in previous generations,
albeit this time in an 802.11be transmission context: It is intended
to improve the automatic gain control estimation in a MIMO
transmission.
The upper part of Figure 7-6 illustrates this scenario, for non-triggered
sounding, where the compressed beamforming/CQI is sent directly after
the EHT sounding NDP. Naturally, there is an alternative where multiple
non-EMLSR STAs can participate in the conversation. In this case, the MU-
RTS is first sent to the STAs in EMLSR mode. Each of the STAs then
switches its main radio to that channel and replies with a CTS. Next, the
AP sends the subsequent EHT NDPA frame, then the EHT sounding NDP, to
the group. At that point, the STAs are triggered and reply with their
individual EHT compressed beamforming/CQI information.
Many other sounding scenarios are possible with EMLSR operations. The
main requirement is the presence of an initial control frame to ensure that
the EMLSR STAs are operating in full-capability mode before they receive
the EHT NDPA frame. At the bottom of Figure 7-6, you can see an example
where n STAs are in the EMLSR mode, and other STAs (n + 1 to x) are not
in the EMLSR mode. The initial control frame is a BSRP trigger frame; this
frame brings clients 1 to n to operate with full-capability radio on the
channel. It is followed by the corresponding PPDUs transmission by those
STAs. This transmission is then followed by the EHT NDPA. The AP can also
group the STAs (e.g., STAs in EMLSR mode in one group and non-EMLSR
STAs in another) when it triggers the group with the BFRP Trigger frame to
retrieve the STAs sounding matrices, as shown in Figure 7-6.
Enhanced SCS
Around the time frame when the 802.11be amendment was being
developed, adoption of some existing applications accelerated and some
new applications and use cases began emerging across different vertical
segments (enterprise, home, industrial) that demanded more predictable
and lower latency and improved reliability. Use of video collaboration
applications across enterprises exploded during the COVID pandemic and
post-COVID era, adding requirements for more consistent latency and
jitter so that users could achieve better productivity during these sessions.
Industrial IoT applications of robotics saw increasing growth at
warehouses and factories—for example, with automated guided vehicles
(AGVs) and autonomous mobile robot (AMR) devices, which required more
determinism. The emergence of extended reality (XR) devices and
experiences—including virtual reality (VR), augmented reality (AR), and
mixed reality (MR) capabilities—required end-to-end low latency of
approximately 20 ms to meet the target motion-to-photon latency for VR
experiences and avoid VR-induced sickness. In many environments,
requirements for these applications could not be met with the existing
QoS mechanism adopted from 802.11e with four access categories
(AC_VO, AC_VI, AC_BE, and AC_BK). See Chapter 4, “The Main Ideas in
802.11be and Wi-Fi 7,” for more details on the challenges related to
meeting QoS for these existing and emerging applications.
One of the goals of the EHT project in IEEE 802.11 was to define at least
one mode of operation that offered improved latency and jitter, so as to
address the QoS requirements for applications that demanded improved
QoS. The 802.11be designers started by evaluating the existing protocols
and mechanisms that could be leveraged to achieve improved QoS.
Previously, the 802.11e amendment had defined a TSPEC (traffic
specification) element7 that provided a way for a STA to signal traffic
requirements for its flows to the AP using the ADDTS request/response
exchange. The flow classification was done using one or more TCLAS
elements in the ADDTS exchange that specified the admission control for
these flows. Although this mechanism was defined in 802.11e in 2005, the
use of TSPEC to signal the traffic flow requirements was never widely
adopted by Wi-Fi STAs because of the complicated set of parameters that
had to be provided in the TSPEC element. All the parameters shown
in Figure 7-7 were required to be provided in a TSPEC element, and it was
extremely hard (if not impossible) for an application to characterize all
these parameters for its flow. Due to the complexity involved, the TSPEC
and ADDTS request/response mechanism was not much used outside
single-function devices.
FIGURE 7-7 TSPEC Element Definition
Well aware of these limitations and challenges faced by the TSPEC and
ADDTS mechanisms in the past, the 802.11be designers sought to
develop a new scheme for QoS improvements that would be much simpler
to implement and, therefore, would have a higher chance of being
adopted for Wi-Fi devices. After the 802.11e amendment, the IEEE 802.11
group had proposed some further enhancements to improve multimedia
streaming performance as part of the 802.11aa amendment. This included
defining intra-access category prioritization and the stream classification
service (SCS) to enable prioritization of DL flows at the AP. SCS turned out
to be a good fit for adding QoS-related enhancements in 802.11be, as you
will learn next.
The 802.11 standard defines mapping of user priority (UP) received from
the upper layer to ACs and the two transmit queues (primary and
alternate), as shown in Table 7-2. For VI, UP 4 is mapped to the alternate
queue (A_VI) and UP 5 is mapped to the primary queue (VI). Frames with
UP 5 are served with higher probability than frames with UP 4, which
made sense in terms of low to high priority order for UPs. However, for VO,
the mapping is reversed; that is, the lower UP 6 is mapped to the primary
queue and the higher UP 7 (used for network control traffic per the 802.1D
designation) is mapped to the alternate queue. Hence, for VO, frames with
UP 6 are served with higher probability than frames with UP 7. This seems
counterintuitive, but there was a good reason for mapping them this way.
Given that UP 7 in 802.1D is used for network control traffic (e.g., switch-
to-switch traffic) and such traffic is rarely sent over Wi-Fi, UP 7 is hardly
used but was kept in 802.11. The most frequently occurring voice traffic is
mapped to UP 6, so it made sense to use the primary voice queue to
prioritize the most prevalent voice traffic. In fact, no differentiation can be
provided for voice traffic with the alternate A_VO queue because the
common voice traffic is not mapped to UP 7. This was a limitation of the
alternate queuing scheme (see Chapter 2 for more details).
TABLE 7-2 UP-to-AC-to-Tx Queue Mapping
Tx Tx Queue with
Priority UP AC Designation
Queue IACP
2 AC_BK BK BK Background
5 AC_VI VI VI Video
(primary)
6 AC_VO VO VO Voice
(primary)
The second QoS feature defined in the 802.11aa amendment was the
stream classification service (SCS). The main functionality provided by this
feature was to enable STAs to request specific QoS treatment from the AP
for downlink flows. This allows a STA to indicate to the AP that certain
application flows desire specific QoS mapping in the downlink to meet
their QoS requirements. For an application, it is desirable to retain the QoS
markings (e.g., DSCP in the IP header) as the packets traverse the
Internet, so that prioritization can happen on each network node along the
way. To achieve equivalent prioritization within Wi-Fi, the AP needs to have
the correct QoS marking when packets arrive from the DS. However, one
of the challenges for achieving end-to-end QoS was that the DSCP QoS
marking was typically reset by routers along the way (due to trust
reasons), resulting in packets being marked as “best effort.” Hence, when
the packets reach the Wi-Fi AP, their DSCP markings are typically not
intact (as intended by the application), so the packets are delivered using
the AC_BE category over Wi-Fi. SCS signaling from the STA addressed this
issue. For example, a STA could request marking of a video-conferencing
flow in DL to the UP 5 (AC_VI) category, independent of how the packets
coming from the DS for that flow are tagged.
As shown in Figure 7-9, the SCS Request frame includes one or more SCS
Descriptor elements,8 each requesting specific DL QoS treatment for a
traffic flow. The key information provided in the SCS Descriptor element
includes the SCS ID (assigned by the STA; identifies the SCS stream), the
Request Type (for Adding, Changing, or Removing an SCS stream), the
Intra-Access Category Priority element, one or more TCLAS elements, and
optionally a TCLAS Processing element. The Intra-Access Category Priority
element9 specifies the user priority (UP) to be used for mapping the DL
frames for the specific SCS stream. The Alternate Queue field indicates
whether the primary or alternate queue should be used for the SCS
stream. The Drop Eligibility field, when set to 1, indicates that, in case of
insufficient resources, the packets for this stream can be dropped in
preference to other SCS streams that have their Drop Eligibility field set to
0. An AP can accept or reject a request for each SCS stream based on its
policy, resources, and/or identification of the SCS stream. For example, an
enterprise AP might have a network policy to accept only SCS requests for
DL QoS mapping for flows that are considered high priority/critical in that
given deployment. The AP then indicates the accept or reject status for
each request, identified by its SCS ID, in the SCS Response frame, as
shown in Figure 7-9.
The SCS protocol also provides flexibility by allowing either endpoint (the
AP or the STA) to terminate an already established SCS stream. For
example, a STA should remove an SCS stream if the application flow is no
longer active, and an AP may terminate an SCS stream if its policy
changes so that it no longer prioritizes that particular traffic flow. To
remove an SCS stream, either the AP or the STA can send an SCS Request
frame with a “Remove” request type for that SCS ID. This terminates the
flow classification and special QoS treatment for the DL flow.
As you might expect, the SCS feature for DL traffic classification and
prioritization is an optional feature in the 802.11 standard for both the AP
and the STA. The Wi-Fi Alliance’s QoS Management (Release 2)
certification program also includes this feature as an optional feature,
which enhances the market visibility and adoption opportunities for this
feature, particularly in the enterprise AP market segments.
Although the SCS feature from 802.11aa was a promising direction for
providing prioritized treatment for DL traffic, some challenges remained
unaddressed. Specifically, the SCS did not address the issue of
differentiating between flows that fall into the same UP/AC but require
different treatments based on their unique traffic characteristics (e.g.,
latency, data rate, burst size). Also, Wi-Fi 6 introduced trigger-based
scheduling for the UL. The AP had to perform BSR polling (BSRP) to learn
BSR information from STAs to determine how to schedule STAs for the UL
using UL OFDMA. Constant BSRP/BSR exchanges added overhead to the
network. It became clear that the SCS mechanism defined in 802.11aa
needed to be enhanced to address these issues.
The Control Info field includes key control information. This field specifies
the direction for the flow and indicates whether the flow is uplink,
downlink, or direct link (for peer-to-peer [P2P] flows). The TID and User
Priority fields are set to indicate the TID and UP of the data frames for the
flow, respectively. (The TID field is set to the same value as the User
Priority field in the 802.11be amendment.) The presence of optional traffic
parameters in the QC element is signaled using the Presence Bitmap field.
Also, when the QC element is specified for a direct link, the link ID
indicates the link of the AP MLD upon which the direct link transmission
will happen.
Note
An often-asked question is why both the TID and User Priority fields are
needed in the QC element, given that both fields are set to the same
value. The answer is to accommodate any possible future expansion of
the TID space in use, beyond the current eight TIDs (0–7). Having two
separate fields would allow for carrying a TID value independent of the UP
value of the flow.
11 For periodic traffic, the Minimum Service Interval and the Maximum
Service Interval can be set to the same value.
Minimum Data Rate: Specifies the lowest data rate at the MAC
SAP, in kilobits per second (kbps), for the traffic flow. For a direct
link, this parameter may be unspecified by setting the value to 0.
The QC element also includes eight optional traffic parameters. A STA may
provide none, some, or all of these parameters for an application flow,
based on its knowledge of the application. These parameters are as
follows:
Service Start Time Link ID: Indicates the link identifier of the link
for which the TSF timer is used to indicate the Service Start Time.
Mean Data Rate: Specifies the average data rate at the MAC SAP,
in kbps, for the traffic flow.
For a DL SCS stream (with a QC element for downlink), the DL traffic flow
continues to be identified using the TCLAS element(s) (and optionally
TCLAS Processing element) as was defined in 802.11aa. However, the use
of SCS for indicating the requirements for an UL traffic flow, by signaling a
QC element for the uplink, was introduced in 802.11be for the first time.
For an UL SCS stream, the 802.11be amendment mandates that no TCLAS
element(s) are provided in the SCS Request frame. This means that the AP
cannot identify the traffic flows (and corresponding application) for which
STA is requesting UL resources in the SCS Request frame. This limitation
made it difficult to apply the network policy at the AP to the UL SCS
streams. This was recognized as a gap in the 802.11be TG, but the group
did not reach consensus on supporting TCLAS element(s) for UL SCS
streams.
The AP’s scheduling behavior differs for DL versus UL traffic flows. For a
DL traffic flow, an SCS exchange based on the QoS Characteristics
element is illustrated in Figure 7-13. The SCS Request frame requests an
SCS stream for one or more flows, each with a DL TCLAS element (or DL
TCLAS elements + TCLAS Processing element) and a QC element with its
Direction field set to downlink. At a minimum, the following set of traffic
characteristics must be provided: the minimum and maximum service
interval, minimum data rate, and delay bound. Note that the minimum
and maximum service interval parameters are not required for DL
scheduling and can be set to unspecified. The AP decides whether to
accept or reject the SCS request based on its policy and resource
availability.13 In the example, AP accepts the request and sends an SCS
Response frame with Success status. The AP then processes the matching
DL MSDUs for that traffic flow, taking into account the DL traffic
characteristics indicated in the QC element. For example, the AP’s DL
scheduling logic attempts to meet the delay bound and minimum data
rate requirements specified for the DL flow.
A STA can send a single SCS Request frame with two SCS Descriptor
elements to request resources for both the downlink and uplink flows.
Thus, the SCS exchanges depicted in Figure 7-13 and Figure 7-14 can also
be performed via a single SCS request/response exchange.
Restricted TWT
Recall from the “Target Wake Time” section in Chapter 3 that 802.11ax/Wi-
Fi 6 adopted the TWT feature from the 802.11ah amendment mainly for its
power-saving benefits. The 802.11be amendment built on top of that
feature by defining a new feature called restricted TWT to provide more
predictable latency performance for latency-sensitive traffic flows. This
section first provides an overview of relevant TWT aspects from 802.11ax
(see the “Target Wake Time” section in Chapter 3 for more details), and
then covers the motivation behind and design aspects for the new
restricted TWT feature.
One of the main goals of the TWT feature from 802.11ax was to provide
power-saving benefits to the STA when the STA’s traffic patterns can be
predictable. TWT enabled a STA and the AP to agree on time durations
called TWT service periods (SPs), during which the STA will be awake for
DL and UL traffic exchanges; the STA will likely be dozing outside those
SPs to save power. TWT also enables better management of a STA’s
activity within the BSS and minimizes contention by scheduling STAs to
operate at different times through different TWT SPs. The AP can manage
and influence when STAs are awake as part of the negotiation of TWT SPs.
The negotiation to establish TWT SPs (also called a TWT agreement) is
done by exchanging a TWT element between the STA and the AP using
TWT Setup frames.14 Negotiation of a TWT agreement can be initiated by
either the STA or the AP. The STA or AP sends a TWT Setup frame with the
TWT Request field set to 1, indicating a TWT request. The 802.11ax
amendment also allows for a mode in which an AP can send an unsolicited
TWT Setup frame to a STA to establish a TWT agreement by implementing
the Accept TWT command in the setup frame.
Note
The restricted TWT feature is built on top of the broadcast TWT mode of
TWT operation. It is important to first understand the details of the
signaling and procedures for the broadcast TWT mode of operation, if we
are to better appreciate the enhancements added for the restricted TWT
feature. For a broadcast TWT, an AP can create a sequence of TWT SPs
(the TWT schedule) and advertise that TWT schedule in Beacon frames
using a TWT element. This broadcast TWT schedule can be shared by a
group of STAs associated with the AP. A STA can send a TWT Setup frame
(with the Negotiation Type field set to 3) to request to join the advertised
broadcast TWT schedule. If the STA receives a TWT Setup frame from the
AP with success status, then the STA becomes a member of the broadcast
TWT schedule. A STA can also send a TWT Setup frame to request the
creation of a new broadcast TWT schedule with specified TWT parameters,
and the AP can accept or reject this request. The AP can also allocate a
broadcast TWT schedule to a STA by sending an unsolicited TWT response
to the STA (using the Accept TWT setup command), which makes that STA
a member of the broadcast TWT schedule.
Note
A STA can use TWT to negotiate the wake TBTT of the first Beacon frame
and the wake interval between subsequent Beacon frames it intends to
receive. This negotiation is performed using a TWT request/response
exchange between the STA and the AP, where the Negotiation Type field is
set to a value of 1. After successful negotiation, the STA can go to doze
state until the next negotiated wake TBTT.16
The Broadcast TWT Info field holds the Broadcast TWT ID, an identifier for
the broadcast TWT. The Broadcast TWT Persistence field identifies the
number of TBTTs during which the corresponding broadcast TWT SPs are
present.17 The reserved bits in the Broadcast TWT Info field are extended
for the restricted TWT feature, as you will learn soon.
17 A value of 255 in the Broadcast TWT Persistence field indicates that the
corresponding broadcast TWT SPs are present until explicitly terminated.
The R-TWT feature provides the following key enhancements on top of the
broadcast TWT mechanism18:
18 See P802.11be D5.0, clause 35.8.
As shown in Figure 7-16, the broadcast TWT element has been enhanced
for R-TWT.19 First, the Broadcast TWT Parameter Set has been enhanced to
indicate that the parameter set corresponds to an R-TWT. This is achieved
by using a new value for the Broadcast TWT Recommendation field (value
= 4) to indicate an R-TWT schedule, and such a Broadcast TWT Parameter
Set is referred to as a Restricted TWT Parameter Set. Next, a new
Restricted TWT Traffic Info field has been added to indicate the UL and DL
TIDs (referred to as R-TWT UL/DL TIDs) of the traffic flows that must be
prioritized during the R-TWT SPs. The R-TWT UL/DL TIDs are specified using
the Restricted TWT DL TID Bitmap and Restricted TWT UL TID Bitmap
fields. The Restricted TWT Traffic Info field is included only in the
individually addressed TWT Setup frames for establishing an R-TWT
schedule to negotiate the set of R-TWT UL and/or DL TIDs. This information
is not included in the R-TWT schedules that are advertised in the TWT
element in its Beacon frames. The presence of the new Restricted TWT
Traffic Info field is indicated by the Restricted TWT Traffic Info Present field
in the Broadcast TWT Info.
Restricted TWT
Schedule Info Description
Field Value
*
The Beacon frame of an AP corresponding to the transmitted BSSID of a
multiple BSSID set also advertises any R-TWT schedules for the
nontransmitted BSSIDs of the same multiple BSSID set, because the
nontransmitted BSSIDs do not transmit any Beacon frames. Based on the
same logic, the advertised R-TWT schedules in the Beacon frames of an AP
also include any R-TWT schedule corresponding to any co-hosted BSSIDs
of that AP.
Note
Figure 7-17 shows an example operation for R-TWT. Three STAs are
associated with AP 1 (STA 1, STA 2, and STA 3), and all are R-TWT–
supporting STAs. STA 1 establishes an R-TWT schedule with AP 1 by
sending a TWT request (a TWT Setup frame with the TWT Request field set
to 1). AP 1 responds with a TWT response (a TWT Setup frame with the
TWT Request field set to 0) indicating Accept TWT; this response
establishes the R-TWT schedule between AP 1 and STA 1. This R-TWT
schedule is advertised in the Beacon frame in the TWT element. STA 2
learns about the R-TWT schedule from the Beacon frame and sends a TWT
request to AP 1 to become a member of that R-TWT schedule. The AP
accepts the TWT request from STA 2 by sending a TWT response. The R-
TWT schedule now has both STA 1 and STA 2 as members. Note that the
membership information of an R-TWT schedule is not advertised in the
Beacon frame—which is the same behavior as for broadcast TWTs. STA 3
determines the start time of each R-TWT SP from the advertised R-TWT
schedule and ends its current TXOP based on the start time of the R-TWT
SP to comply with the SP Start Time Protection rule of R-TWT. Within the R-
TWT SP, the AP sends a Basic Trigger frame to trigger both STA 1 and STA
2 to send their UL data. AP 1 then initiates MU DL data transmissions to
both STA 1 and STA 2. During the R-TWT SP, the data exchanges for R-TWT
UL and DL TIDs are prioritized by AP 1, STA 1, and STA 2.
One of the key differences between the TXS feature and the triggered UL
access mechanism (which was first introduced in 802.11ax) is that, in TXS,
the STA exchanges non-TB PPDUs. In contrast, in triggered UL access, a
STA transmits TB-PPDUs in response to the Trigger frame from the AP.
Triggered TXOP sharing is initiated by the MU-RTS Trigger frame, whereas
Triggered UL access is initiated by the Basic Trigger frame.
The 802.11ax defined the MU-RTS Trigger frame to allow the AP to protect
the medium for a DL or UL multiuser (MU) exchange with associated STAs
(see the “Trigger Frames” section in Chapter 3 for details on the MU-RTS
Trigger frame). The duration field in the MU-RTS Trigger frame is set to the
duration of the frame exchanges to be protected, and the frame is sent as
a non-HT duplicate PPDU on each 20 MHz subchannel of the expected
transmission. The MU-RTS Trigger frame includes one or more User Info
fields. Each of these fields contains the AID value for a STA that is
expected to respond with a CTS (if the channel is clear at the STA) in the
allocated RU, which is identified in the RU Allocation field of the User Info
field. All STAs that have an AID specified in the User Info field and whose
channels are clear will respond with a CTS in parallel, at SIFS duration
after receiving the PPDU containing the MU-RTS Trigger frame.
For the TXS feature, the AP uses a variant of the MU-RTS Trigger frame
called the MU-RTS TXS Trigger frame to allocate a portion of its TXOP to an
associated STA. Figure 7-18 shows the format for the MU-RTS TXS Trigger
frame, which is largely the same as that for the MU-RTS Trigger frame. 21
The Common Info field in the MU-RTS TXS Trigger frame includes a
Triggered TXOP Sharing Mode field. The values for this field (shown
in Table 7-4) are used to specify the mode for triggered TXOP sharing. An
MU-RTS Trigger frame that has the Triggered TXOP Sharing Mode field set
to a non-zero value is referred to as an MU-RTS TXS Trigger frame.
3 Reserved.
The User Info List in the frame contains a single User Info field that
indicates the AID for the associated STA to which the AP is allocating the
portion of the TXOP. The 802.11be amendment defines two variants of the
User Info field for the MU-RTS TXT Trigger frame: an HE-variant User Info
field and an EHT-variant User Info field (Figure 7-18). The EHT-variant User
Info field must be used if the channel bandwidth of the MU-RTS TXS
Trigger frame is 320 MHz or the channel bandwidth is punctured.
Otherwise, the AP can choose to use either variant of the User Info field.
The STA to which the portion of the TXOP is allocated is identified by the
AID12 field within the User Info field. The RU Allocation field indicates the
RU allocated for the transmission of the CTS frame in response to the MU-
RTS TXS frame. The Allocation Duration field specifies the TXOP time
allocated to the associated STA in units of 16 ms. The PS160 field is set to
1 to indicate a 320 MHz channel bandwidth.
Note
When the allocated time ends, if the AP has a non-zero amount of TXOP
time remaining, then it can transmit a PPDU to another STA during that
time. When doing so, it follows these rules:
If the last PPDU transmitted by the STA to the AP did not solicit an
immediate response from the AP and ended less than a PIFS
duration before the end of the allocated time, then the AP can
transmit SIFS after the end of that last PPDU.
When a STA receives an MU-RTS TXS Trigger frame from its associated AP
with the Triggered TXOP Sharing Mode field value equal to 1 (mode 1), the
STA can use the allocated time for transmitting one or more non-TB PPDUs
addressed to the AP. Figure 7-19 shows an example of TXS operation for
mode 1. Before starting the TXOP sharing, the AP has the option of
sending a CTS-to-self transmission to protect the duration of its acquired
TXOP. The AP then sends an MU-RTS TXS Trigger frame with the Triggered
TXOP Sharing Mode field equal to 1. The AID of STA 1 is indicated in the
User Info field of the Trigger frame. Accordingly, STA 1 responds with a
CTS frame. STA 1 then performs data transmission via a non-TB PPDU to
the AP. As shown in the figure, STA 1 sends a second non-TB PPDU to the
AP. At that point, STA 1 has finished with its transmissions. The AP detects
that the medium is idle PIFS after transmitting the Block Ack to STA 1’s
second non-TB PPDU. The AP then transmits data to another associated
STA during the remaining portion of its TXOP.
When a STA receives an MU-RTS TXS Trigger frame from its associated AP
with the Triggered TXOP Sharing Mode field value equal to 2 (mode 2), it
can use the allocated time for transmitting one or more non-TB PPDUs
addressed to the AP or to another STA. Figure 7-20 shows an example of
TXS operation for mode 2. Similar to the mode 1 example, before starting
the TXOP sharing, the AP may send an optional CTS-to-self transmission to
protect the duration of its acquired TXOP. The AP then sends an MU-RTS
TXS Trigger frame with the Triggered TXOP Sharing Mode field equal to 2.
The AID of STA 1 is indicated in the User Info field of the trigger frame. In
response, STA 1 sends a CTS frame. As shown in the figure, STA 1 next
performs data transmission in a non-TB PPDU to the AP and, in return,
receives a BA from the AP. At that point, STA 1 sends data to STA 2 in a
non-TB PPDU and, in return, receives a BA from STA 2. The AP determines
that the medium is idle at the end of the allocated time, and it transmits a
PPDU to another associated STA at a PIFS duration after the end of the
allocated time, in the remaining portion of the TXOP.
With many years of continuous and rapid growth, Wi-Fi acquired the
reputation of being ubiquitous indoors. The ubiquity argument may be an
exaggeration, but it is true that Wi-Fi is present in many buildings,
including in locations where cellular coverage is limited or unavailable. In
that context, there has been a long history of pushing the 802.11 standard
to integrate provisions to facilitate emergency services communications.
The 802.11be amendment allows an automatic connection for EPCS
802.11-capable devices using the EPCS priority access feature.
One goal of 802.11u was to allow for automatic and secure connection to
the hotspot network without the need to have hotspot-specific local
credentials. The 802.11 device would be configured with one or more
general credentials (e.g., with the smartphone’s cellular operator). The
hotspot owner would create connection agreements with various identity
providers. Then, as a visitor’s 802.11 device discovered the hotspot
network, 802.11u would allow the device and the AP to perform
exchanges through a general mechanism called the generic
advertisement service (GAS). GAS frames can carry Access Network Query
Protocol (ANQP) messages, through which the network can announce the
identity providers it supports. The visitor’s device could then recognize a
provider for which it has credentials, and authenticate through the hotspot
network with the identity provider. In turn, the identity provider would
send to the hotspot a PMK for the visitor’s device. This is just like the
standard 802.1X/EAP process,22 except that the RADIUS server is not local
or managed by the local network provider. Figure 7-21 illustrates this
process.
Foreign visitors may not know the local emergency call number. The
STA can query the AP for its support of interworking services. Upon
receiving a positive response, it can query the AP for the Emergency
Call Number ANQP element to receive the local emergency number.
Foreign visitors may not have global credentials for the local
network. For example, if a visitor’s identity provider is the visitor’s
cellular network service provider with national coverage (e.g.,
“ABC”), and the visitor wants to connect to a new hotspot on the
other side of the world, the local hotspot may have no knowledge of,
and no agreement with, a foreign service provider called ABC. In
that case, the visitor’s device may not have any credentials to
connect. If the visitor’s device cannot connect, they cannot place
emergency calls over Wi-Fi. The 802.11u amendment allows the STA
to query the AP for the emergency network access identifier (NAI).
The emergency NAI is another ANQP element, which a STA can learn
about (before association) and retrieve through the 802.11u GAS
exchange carrying the ANQP protocol. The emergency NAI realm
element carries temporary credentials, which a STA needing to place
an emergency call can use to automatically and securely connect to
the local hotspot network. In the ANQP protocol, the AP has a policy
(not defined by the 802.11 standard) that limits the activity of
devices connecting with the NAI emergency realm credentials,
ensuring that their credentials are used to place emergency calls
and for nothing else.
At the time when 802.11be was developed, the 802.11 standard included
strong provisions to allow users to receive EAS messages, learn the local
emergency telephone number, and automatically connect to a local
hotspot network to place emergency calls, even when the device did not
have preconfigured credentials. However, one aspect of the emergency
exchange was ignored: the case of emergency responders rushing to a
location to provide assistance. Just like individuals calling about an
emergency, responders may need to provide assistance in places where
the cellular network provides insufficient service or is not available, or
where cellular network operation has been disrupted. To solve this part of
the equation, 802.11be introduced a prioritized access mechanism for the
devices of emergency service personnel, part of a group of devices
requiring what 802.11 calls the Emergency Preparedness Communication
Service (EPCS). This is an umbrella term that, for instance, maps to the
National Security and Emergency Preparedness (NS/EP) service in the
United States.
An AP MLD and a non-AP MLD declare their support for EPCS priority
access in the EHT Capabilities element. An AP MLD advertises its EPCS
priority access support in its Beacon and Probe Response frames.
Naturally, any device that is requesting EPCS privileged access needs to
be authorized for such access, so as to avoid abuse of this mechanism.
During the (re)association process for a non-AP MLD that indicates support
for EPCS priority access, the AP MLD acquires the information to verify the
authorization of that non-AP MLD to use this feature. The AP MLD may
acquire the information from a government entity or have other methods
to acquire the information to validate the authorization of EPCS priority
access for devices—for example, it may obtain the necessary information
from a service provider supporting EPCS. The 802.11be amendment (and
the Wi-Fi 7 program) clarifies that this validation for EPCS device identity
and authorization for EPCS priority access for non-AP MLDs belongs to the
upper layers and is the responsibility of other standardization efforts.
Note
The validation of the EPCS device’s identity and authorization for EPCS
priority access is crucial and was the subject of intense debates in and
around the 802.11be task group. As soon as a device is given privileged
conditions in the BSS, the risk of abuse needs to be considered. If 20
emergency responders’ devices connect to the BSS, and all of them use
EPCS privileges, is it acceptable if other (non-EPCS) devices in the BSS see
their performance severely degraded to the point of being unusable? A
spontaneous answer may be “yes.” However, a closer look at the details
reveals that, once privileged access is granted, the AP does not verify the
type of traffic sent by the EPCS device (all traffic is given privileged
access). One can imagine a scenario in which EPCS devices are given
privileged access and then send noncritical traffic, even as a non-EPCS
device is denied access to make an emergency call. Therefore, 802.11be
allows EPCS devices to have EPCS privileged access only during specific
periods when EPCS priority access is explicitly enabled, and not beyond
that time span.
Once a non-AP MLD is associated with an AP MLD, the non-AP MLD can
initiate setup of the EPCS priority access when triggered by a higher layer.
The non-AP MLD sends, through any of its affiliated STAs, an EPCS Priority
Access Enable Request frame (an action frame) requesting that EPCS
priority access be enabled. The receiving AP MLD validates the
authorization for the non-AP MLD to use the EPCS priority based on locally
stored information (previously obtained during the association) or based
on information obtained from a service provider or government entity. At
that point, the AP MLD returns an EPCS Priority Access Enable Response
frame, which provides a success or failure status for the EPCS priority
access setup.
EPCS priority access can also be enabled by an AP MLD, which can send
an EPCS Priority Access Enable Request frame to a non-AP MLD in an
unsolicited way. The AP MLD first verifies that the non-AP MLD is
authorized to use EPCS priority access before initiating the unsolicited
setup. For example, this situation might happen because the non-AP MLD
was identified as an EPCS device and authorized for EPCS priority access
based on higher-layer triggers received at the AP MLD.
During the EPCS priority access setup, the AP MLD provides an EPCS
Priority Access Multi-Link element to the non-AP MLD in the EPCS Priority
Access Enable Response frame (if the setup was initiated by the non-AP
MLD) or in the EPCS Priority Access Enable Request frame (if the setup
was initiated by the AP MLD). The EPCS Priority Access Multi-Link element
specifies the EDCA (and optionally MU EDCA) parameters that the non-AP
MLD can use on each of the setup links (AIFSN, CWMin, CWMax, TXOP
Limit, or MU EDCA Timer for each of the four ACs) during the EPCS priority
access. The values of these EDCA and MU EDCA parameters are left to AP
implementations. In most cases, the values will provide prioritized access
to the EPCS STA for some or all of the ACs. Here again, the local network
would know which type of traffic EPCS STAs are likely to require and may
prioritize the matching ACs (and not the other ACs) accordingly.
The EPCS general procedure is illustrated in Figure 7-23. The non-AP MLD
and the AP MLD enable EPCS priority access by exchanging EPCS Priority
Access Enable Request/Response frames. The AP MLD determines whether
the non-AP MLD is authorized for EPCS priority access during the
association procedure. The EPCS traffic exchange happens using the EDCA
and/or MU EDCA parameters for EPCS priority access specified by the AP
MLD. The AP MLD then updates the EPCS EDCA or MU EDCA parameters
by sending an unsolicited EPCS Priority Access Enable Response frame.
The subsequent EPCS traffic exchange uses the updated EDCA and/or MU
EDCA parameters. At the end, the non-AP MLD tears down the EPCS
priority access by sending an EPCS Priority Access Teardown frame, which
changes the EPCS state to “torn down” at both the non-AP MLD and the AP
MLD.
Wi-Fi 7 Security
WPA3 was released in 2018 and offered several improved Wi-Fi security
schemes relative to WPA2. Notably, compared to its predecessor, it
included stronger encryption, more robust password-based authentication,
protection of management frames, and security for open public networks.
As noted in Chapter 2, Wi-Fi security relies on an authentication
component (802.1X, or a pre-shared key) intended both to verify that the
STA and AP have valid credentials, and to generate keying material that
allows them to encrypt their communications. In some scenarios, the STA
and AP need to confirm that they are in possession of a specific key value
(e.g., the PMK identified by a PMKID) or need to send a value that should
not be tampered with between sender and receiver. The Hash-Based
Message Authentication Code (HMAC) allows the sender to produce a hash
of the value that is then presented to the other side for verification.
The 802.11 standard supports several different types of algorithms for the
encryption and the hashing tasks. The AP signals the combination(s) it
supports in its beacon and probe responses in the Robust Security
Network element (RSNE), expressed in the form of authentication and key
management (AKM) suites and cipher suites for group data and pairwise
encryption.25 WPA2 authorized two modes: enterprise (with 802.1X
authentication) and personal (with a pre-shared key). WPA2-Enterprise
mode mandates the use of 802.1X for the authentication process, AES-
CCMP (128 bits) for the encryption algorithm, and SHA-1 for the HMAC;
this combination forms AKM:1. WPA2-Personal leverages the same
encryption and HMAC, but uses a pre-shared key; this combination forms
AKM:2.
The Wi-Fi 7 program mandates support for WPA3, including AKM:24 (in
addition to AKM:8 in personal mode). The AP and STA must also support
the Wi-Fi Alliance’s Enhanced Open scheme based on opportunistic
wireless encryption (OWE) when operating in open networks. Enhanced
Open is defined in RFC 8110 (and labeled as AKM:18) and was released at
the same time as the WPA3 program. The Enhanced Open mode is
designed to provide encryption and privacy for non-password-protected
open networks in public places. Wi-Fi 7 (and the 802.11be amendment)
also mandate support for the GCMP-256 cipher for the encryption of both
pairwise individually addressed frames (as the pairwise cipher suite) and
group data frames (as the group data cipher suite), as a means to
promote stronger encryption. In addition, Wi-Fi 7 devices are required to
support GMAC-256 for the group management cipher.
Additionally, Wi-Fi 7 requires beacon protection for both the AP and the
STA. The Beacon frame includes a management MIC element (MME),
which holds a message integrity code (MIC) generated over the Beacon
frame using the BIGTK key. The STA is required to validate the MIC in the
Beacon frame. Beacon protection ensures that the Beacon frames cannot
be forged by an attacker trying to impersonate a legitimate AP.
With MLO, security needs to be established across all the links of a multi-
link association. As noted in the “MLO Security” section in Chapter 6, for
MLO the security context (PMKSA and PTKSA) used for the protection of
individually addressed frames is established at the MLD level using the
MLD MAC address, and the same context applies for all the setup links
established between peer MLDs. The group keys (GTK, IGTK, and BIGTK)
are still established at the link level for each link of the MLD.
Multiband Challenges
WPA3 provides increased security, and MLO is easily integrated into the
WPA3 scheme. However, the integration of MLO with existing Wi-Fi 6 and
6E deployments, along with the requirement for backward compatibility
(or at least coexistence), create new challenges. The mandate for Wi-Fi 7
APs and STAs to support WPA3 does not mean that they cannot support
WPA2. In fact, all Wi-Fi 7 devices will support WPA2, as support for Wi-Fi 6,
802.11ac (Wi-Fi 5), and 802.11n (Wi-Fi 4) is mandated for Wi-Fi 7. It might
be logical to suppose that a Wi-Fi 7 AP will be configured exclusively for
WPA3 (which offers better protection than WPA2), as WPA3 is required.
However, the reality of operations may be more complicated. On the one
hand, some non-Wi-Fi 7 and non-Wi-Fi 6 clients may need to associate to
the AP. These older clients may not support WPA3. In such a hybrid client
scenario, it is tempting for the network owner to configure the clients for
WPA2 or WPA3/WPA2 transition mode. Some networks may also include
pre-Wi-Fi 6 APs, which do not support WPA3. In such hybrid deployments, a
Wi-Fi 7 client cannot perform fast roaming (FT) between an MLO AP with
WPA3 and another AP (pre-Wi-Fi 6 or Wi-Fi 6 AP) that offers WPA2 only. The
same is true when a Wi-Fi 7 client is moving in the other direction, from an
AP that supports only WPA2 to a Wi-Fi 7 AP that supports WPA3. In both of
these scenarios, the client would need to perform full authentication and
establish a new association when moving across the APs.
Summary
This chapter reviewed the basic operation of EHT APs and EHT non-AP
STAs within an EHT BSS. Topics covered included EHT operation
parameters and EHT capability signaling, the selection of EHT operation
parameters, EHT operating mode updates, preamble puncturing, and the
EHT sounding procedure.
Wi-Fi 7 security aspects were explored, too. These include the requirement
to support WPA3 (same as for Wi-Fi 6E at 6 GHz), along with the
mandatory support for GCMP-256 and for Beacon protection. Despite
these updates, network operators continue to face deployment and
roaming challenges in Wi-Fi 7 brownfield deployments.
In summary, Wi-Fi 7 supports much higher throughput (in keeping with its
name—Extremely High Throughput) through the MLO aggregation, 320
MHz, and 4096-QAM features. It also brings the benefits of lower latency
and improved reliability through MLO diversity, SCS with QoS
characteristics, and restricted TWT. Collectively, these features can be
harnessed to promote better and more deterministic QoS for existing and
emerging applications (e.g., video-conferencing, AR/VR/XR, and robotics).
Chapter 8
link margin: ratio of the received signal power to the minimum required by
the STA.
802.11-2020, Clause 3
802.11be and Wi-Fi 7 bring along many new features that promise to
improve the efficiency of 802.11 deployments. The 6 GHz band adds new
constraints and opens up new possibilities that apply to Wi-Fi 6E, but that
most designers have waited for Wi-Fi 7 to address. This chapter is
dedicated to the professionals tasked with making Wi-Fi real, whether it be
at home, at work, or at play. Designing and deploying Wi-Fi networks can
be a daunting task, filled with unexpected discoveries. However, with the
aid of proven practices and a little math, radio planning is more in the
field of science than a black art. This chapter covers the general principles
of 802.11 WLAN design, and includes the key elements you need to
successfully incorporate Wi-Fi 7 requirements and new features into your
design.
Note
The term BSA has been used in other chapters of this book, and the
term cell will be used in this chapter as if they were virtually
interchangeable. The cell terminology dates back to the early days of
outdoor cellular network design. In that era, the coverage of a radio base-
station (the cellular equivalent of an access-point device) was logically
constrained (or geo-fenced) to a hexagonal area generally considered to
approximate a naturally circular area (because RF generally propagates
omnidirectionally in the horizontal azimuth plane). The term cell has since
become commonly used when referring to the design of the BSS (primarily
focusing on the AP configuration), its associated BSA (the physical area
resulting from the configuration choices, such as the data rates
enabled/disabled and the power of the AP radio), and the logical
combination of multiple BSSs next to each other.
Which channel width can the equipment support (the STAs and the
planned APs)? Which channel width would your deployment
support? In other words, what level of co-channel-interference (CCI)
is acceptable?
Once you have an idea of the device mix and expected count, you can
look at the peak or desired data rate for each of these clients. A
reasonable approach is to evaluate the required throughput of the most
demanding application that each device is likely to run, and apply a ratio
to that throughput. For example, you might determine that the most
demanding application is AR/VR for some devices (with a nominal
bandwidth of 25 Mbps for a 4K display), and video-conferencing for other
devices (with a nominal bandwidth of 12 Mbps). Each device might run
other processes in the background, so that overall it consumes 1.5 times
the nominal bandwidth. At the same time, you might estimate that only
20% of the devices expected in the cell will be using the peak application
at any point in time, with most other devices being idle or running lower-
bandwidth applications (e.g., web browsing, with an average bandwidth of
800 kbps). Those numbers are, of course, projections, and each design will
lead to project-specific numbers. Even so, these numbers can help you
estimate the desirable throughput for each expected device.
The achievable data rate and throughput decrease as the distance to the
AP increases. This decrease occurs because the minimum received signal
strength (RSS) and the signal to noise ratio (SNR) requirements are higher
for complex (high MCS, high throughput) modulations than for simpler
modulations.
As a designer, once you have listed the expected devices and their
characteristics, the next step is to evaluate the minimum target data rate
that should be achieved by all devices. You can then design the “useful
part of the cell” to stop at that point. Beyond that point, devices can still
connect and communicate with the AP, but another AP in the neighboring
cell offers this minimum data rate, allowing each client to roam if needed
to maintain a consistent throughput.
Determining the minimum data rate achievable at the edge of the cell
presupposes knowledge of each client’s physical characteristics, and of
the protocols the client supports. Fortunately, the 802.11 standard
mandates minimum sensitivity levels for each MCS. Each new-generation
802.11 amendment with new PHY capabilities incorporates the
requirements from previous versions of the standard, adding the
requirements of the added PHY. Therefore, the 802.11be draft 2 is a good
source in which to find the minimum sensitivity for all amendments since
802.11n.
Most clients, and almost all APs, can achieve better performance than
these target minimums.3 If you know the characteristics of the APs and
the clients expected in your network, use the devices’ spec sheets instead
of this table, basing your design on the weakest element (the device with
the lowest performance). If you expect unknown devices in your WLANs,
the values in Table 8-2 are a prudent choice, as you know that all devices
will at least achieve these sensitivity numbers.
The figures in Table 8-2 refer to the received signal. The RF engineering
practice uses a link budget to determine whether the signal quality or the
signal to interference plus noise ratio (SINR) is high enough at either the
AP (uplink) or the STA (downlink) to achieve the desired data rate. Table 8-
2 supposes a low level of background noise (–94 dBm). In general, the
noise component is a result of background RF activity, rather than being
specifically related to the WLAN itself.
For reasons that will become clear later in this chapter, designers
generally ignore the other Wi-Fi cells’ co-channel interference component
of the link budget. The focus is on the simpler signal to noise ratio (SNR)
case that considers only the noise in the general environment, and not the
noise from other APs in the ESS. Factors that influence SNR include the
following:
Antenna gain (in dBi) for the receiver (GRX) and/or the transmitter
(GTX). Both increase the signal level and thus the SNR, if the
environmental noise is constant.
Pathloss (PL) between the AP and the STA (in dB). The PL increases
with the distance, and the presence of obstacles, between the
transmitter and the receiver.
Shadow fade (F) loss margin (in dB). The SNR decreases as the fade
loss margin increases.
Noise figure (NF), the noise inherent to the receiver circuit (in dB).
The SNR decreases as the noise figure decreases.
SNRdB=TXP+GTX−PL−F−N+GRX−NF
SNRA and SNRD
The link budget SNR is measured from the point of view of the device’s
digital modem (i.e., post RF processing based on the MCS), because it
includes the receiver’s noise figure (NF). The version of the link budget
SNR is often referred to as SNRD (signal to noise and distortion ratio). This
is distinct from the RSSI or SNR as measured or estimated by an analog RF
planning tool, which is often referred as SNR A (analog SNR).
So, if a virtual site survey predicted the RSSI and SNR at a certain distance
or range from the AP, this prediction would be the SNR A, but would not tell
you the associated supported data rate. You would need to deduct the NF
from SNRA to arrive at SNRD and estimate the actual data rate supported
by the device. This is one reason that “SNR” and “RSSI” requirements for
various minimum cell edge data rates can vary significantly from design
tool to design tool, based on which definition is used. Unless stated
otherwise, this chapter refers to the SNRD when mentioning “SNR.”
4 The receiver evaluates the power of each frame preamble, and produces
an RSSI result that evaluates this power over all radio chains that received
the signal. Variations in the multipath can easily change the power
received at each radio chain, and/or cause some of the radio chains to
receive one preamble but not another one.
NdBm=10log10(1000KBTB)
20 –100.92
40 –97.91
80 –94.90
160 –91.89
320 –88.88
N=10log10(1000)(1.380649×10−23)(20+273.15)(20×106))=−100.91797
Although temperature affects the noise figure, the effect is not very strong
in the range of normal indoor temperatures (say, 62–77°F, or 17–25°C).
However, you can calculate that at 86°F (30° C), the noise power for 20
MHz reaches –100.77 dBm.
PLdB=γ*10*log10(d)+20*log10(f)−147.55
where d is distance (m) and f is the center frequency (Hz) of the signal
(the channel). The pathloss exponent (γ) depends on the environment: It
is 2 in free-space or pure line-of-sight (LOS) environments, and between
3.3 and 3.8 for indoor environments.
These figures, and Table 8-2, suppose a single spatial stream (1SS). It is
common to consider that separating 2SS requires 3 dB. Therefore, MCS 0
with 2SS may double the data rate (to 13 Mbps instead of 6.5 Mbps), but
at the cost of a higher minimum sensitivity level (e.g., –79 dBm instead of
–82 dBm). The same logic applies as you add more spatial streams. In
contrast, if MIMO and the closely related beamforming and maximum ratio
combining (MRC) techniques can be used to increase the effective link
speed, the SNR can be lowered to achieve the same rate. When two or
more spatial streams are combined, the SNR required to reach a given
MCS is lower than the SNR needed in a single spatial stream
scenario. Table 8-4 provides an example of the SNR needed to achieve
1Gbps (MCS 6), based on the number of spatial streams that the STA and
the AP enable, in the case of an uplink transmission.
1 2 36 dB
2 2 30 dB
1 4 27 dB
2 4 22 dB
STA MIMO AP MIMO SNR for MCS 6 (160 MHz)
3 4 21 dB
Cell Capacity
The design goal of the first cell is not to provide a minimum data rate for a
single target device, but rather to provide that minimum required data
rate to all intended clients. This goal is commonly called designing the cell
capacity. The cell capacity design answers a practical question: Given a
mix of devices and their capabilities (e.g., 802.11ax versus 802.11ac), and
given backward compatibility (an 802.11ax is capable of communicating
at 802.11ac MCS if 802.11ax data rates are not achievable), what
percentage of clients will achieve what type of data rate in which area of
the cell? To answer this question, you need to consider the following
objectives and parameters:
From these objectives, you can determine the BSA size (and hence the AP
density) from a combination of equipment provider performance
specifications and site characteristics (from a virtual or physical site
survey). Different types of antennas will result in different coverage areas.
If you increase the AP power, the coverage area increases in tandem. But
before focusing on the AP power, you should start from the mix of clients
and their data rate requirements, as described in the “User Device
Requirements” section earlier in this chapter. Next, you should validate
the type of cell capacity that each channel width can offer. You can then
compare this cell capacity projection to your needs, and choose the
channel width design that will fulfill your clients’ throughput requirements.
The cell capacity is the average of the data rates available to the majority
of users in the BSS. For example, if only one STA is connected at 1 Gbps
(2SS, MCS 6 in 160 MHz), then the capacity of the cell is 1 Gbps. However,
if a second STA is added to the same BSS and is able to achieve only 500
Mbps (2SS, MCS 4 in 160 MHz) while the achievable data rate of the first
STA stays unchanged, then the cell capacity is 750 Mbps (([1 × 1000] + [1
× 500])/2).
The achievable data rate depends on the distance of each STA to the AP,
as well as the number of clients in the cell. In most cases, it is difficult to
guess the future number of STAs in the cell, and where they will be
positioned, with any accuracy. Even so, several methods are frequently
used to estimate the area capacity, including integral methods and Monte
Carlo simulation. Both have the advantage of assuming that a
theoretically infinite number of potential users are evenly distributed
through the cell area (represented as a circle). The data rate of each STA,
based on the RSSI and SNR at each position, is estimated to compute the
average capacity. Although your BSSs will not have “an infinity” of STAs,
the conclusions from these mathematical methods can be used to
estimate the average capacity of the cell—for example, to compute the
data rate that will be available to 50% or more of the users in the BSS.
Table 8-5 shows the percentage of STAs that operate at each MCS, based
on an ideal circular cell in an indoor environment and a cell-edge
requirement of MCS 0. You can use this table as quick reference. Note that
the ratios are the same regardless of the transmit power and the cell size.
If you increase the AP power, the cell area also increases. However, if the
edge of the cell stays at MCS 0, then the percentage of clients achieving
each MCS (given that some are at the edge of the cell, whereas others are
closer to the AP) is the same—all that matters is the choice of the cell-
edge data rate (in this case, MCS 0). The limit of this model is naturally
when the number of clients exceed the AP capacity, which will be
addressed later in this chapter.
0 100%
1 67%
2 52%
3 35%
4 21%
5 12%
6 11%
MCS Percentage of Cell
7 9%
8 5%
9 4%
10 3%
11 2%
12 1%
13 1%
From Table 8-5, you can see that the rate available to 50% or more of the
users in the BSS is MCS 2. Therefore, you can conclude that the cell mean
capacity is MCS 2.
One important observation is that the highest MCSs (MCS 12 and MCS13,
with 802.11be 4K QAM) are viable in only 1% of the cell. Very few users
will likely benefit from these MCSs in the cell. Instead, the majority of STAs
will operate at MCS 2 or less. If you want to improve the overall cell
capacity, you should choose a higher cell-edge MCS. A direct consequence
of that choice is a higher average data rate throughout the cell, but also a
smaller cell (BSA). For example, if the cell-edge requirement is a 1 Gbps
minimum data rate (MCS 6, 160 MHz, 2SS), supposing at least a 29 dB
SNR at the cell, or roughly –65 dBm RSSI, then the call capacity and the
data rate distribution are approximately shown in Table 8-6.
6 100%
MCS Percentage of Cell
7 88%
8 45%
9 35%
10 24%
11 18%
12 12%
13 8%
In this indoor small cell case, 1 Gbps (MCS6) is available throughout the
cell and the peak data rate, 2.882 Gbps (MCS 13), is now available
throughout 10% of the cell area, for an average data rate (and thus a cell
capacity) of approximately 1.3 Gbps (MCS 8). The cell size (–65 dBm)
corresponds roughly to a 2500 sq ft cell with a 14 dBm AP transmit power.
Beyond the useful area of the BSA, the AP beacons may still be detected,
and STAs may still be able to associate at lower MCSs (unless you disable
lower MCSs, which is generally not a good idea 7). However, the STAs
should also be able to find neighboring APs at an equivalent or better
signal level to associate to.
7 Legacy data rates (6, 12, 18, 24, 36, 48, and 54 Mbps) could be
configured to be Basic (mandatory support), Supported, or Disabled on the
AP, and the AP would communicate these requirements to associating
STAs. In the early days of Wi-Fi, this system allowed vendors to manage
client support for various modulations (BPSK, QPSK, QAM). This method
was not carried forward with the introduction of MCSs in 802.11n, and
then 802.11ac/ax/be. Practically, this means that you can disable an MCS
on the AP, but the STA can still use that MCS to communicate with the AP.
The AP just cannot answer at that MCS. This setting tends to create more
cell asymmetry than cell area control and is in most cases not
recommended.
The values in Tables 8-5 and 8-6 were derived by computing the SNR delta
between the edge MCS and each higher MCS, and then using a pathloss
equation with a pathloss exponent (y) to estimate the range of each
concentric circle that represents the coverage area of that MCS. In indoor
environments, y = 3.5 is a good choice. For example, if your starting point
is an edge MCS 0, you should first determine from Table 8-2 that this MCS
requires an SNR of 12 dB for a 20 MHz channel (–82 dBm RSSI, supposing
a –94 dBm noise floor; see the “Link Budget and Cell-Edge Data Rate”
section). As this MCS is available from the edge of the cell and all the way
to the AP, 100% of STAs in the BSA can achieve that MCS (provided they
have the capability). The next possible MCS is 1, which has an SNR target
of 15 dB (3 dB more than the SNR required for MCS 0). This delta (d)
results in a relative cell coverage area of
[10(−d10.y)]2
The same logic is applied to each of the other cell MCS targets (2–13),
comparing each target MCS SNR to the SNR required for the cell-edge MCS
(MCS 0, in this example). Table 8-7 shows the cell capacities matching
different cell-edge MCSs.
M
1 1 1
C 0 1 2 3 4 5 6 7 8 9
0 1 2
S
0 1
0
0
%
1 6 1
7 0
% 0
%
M
1 1 1
C 0 1 2 3 4 5 6 7 8 9
0 1 2
S
2 5 7 1
2 7 0
% % 0
%
3 3 5 8 1
5 2 8 0
% % % 0
%
4 2 3 5 5 1
1 1 2 9 0
% % % % 0
%
5 1 1 3 3 5 1
2 8 5 5 9 0
% % % % % 0
%
6 1 1 2 3 5 8 1
1 6 4 1 2 8 0
% % % % % % 0
%
7 9 1 1 2 4 7 8 1
% 4 8 7 5 7 8 0
% % % % % % 0
%
8 5 7 1 1 2 4 4 5 1
% % 2 4 4 0 5 2 0
M
1 1 1
C 0 1 2 3 4 5 6 7 8 9
0 1 2
S
% % % % % % 0
%
9 4 6 8 1 1 3 3 4 7 1
% % % 1 8 1 5 0 7 0
% % % % % % 0
%
1 3 4 6 7 1 2 2 2 5 6 1
0 % % % % 2 1 4 7 2 7 0
% % % % % % 0
%
1 2 3 4 6 9 1 1 2 4 5 7 1
1 % % % % % 6 8 1 0 2 7 0
% % % % % % 0
%
1 1 2 3 4 6 1 1 1 2 3 5 6 1
2 % % % % % 1 2 4 7 5 2 7 0
% % % % % % % 0
%
1 1 1 2 3 6 7 8 9 1 2 3 4 6
3 % % % % % % % % 8 4 5 5 7
% % % % %
In this table, the cell-edge MCS target is indicated in the top row, and the
percentage of area coverage by each MCS, up to and including that target
MCS, is shown in the matching column. For example, if the cell-edge
target is MCS 8, then column with the MCS 8 header contains the
coverage area for each MCS from 8 up to the last MCS of 13. In that
example, you can see that MCS 13 is achievable in 18% of the cell area,
and the mean cell capacity is MCS 10.
These tables assume there is a uniform type of STAs—that is, that all STAs
have the same support for MCS and spatial streams. In a practical design,
you will likely design for different types of STAs. For each of them, you
would then perform the same evaluation (cell-edge minimum data rate,
then percentage of the cell available to each MCS). You can then apply the
device mix distribution (e.g., x% of device type A, y% of devices type B) to
calculate the average cell capacity. For example, if you estimate that 40%
of the STAs will support 576.5 Mbps on average (i.e., MCS 5 is available in
50% or more of the BSA for these devices that support 2SS) and 60% of
the STAs will support 864.7 Mbps (MCS 2 is available in 50% or more of
the BSA for these devices that support 8SS), then the cell capacity is
749.42 Mbps [(40 × 576.5 + 60 × 864.7)/100]. You can apply the same
mix-logic calculation to each other area and percentages of the BSA.
At this point, you have written down the requirements for your different
clients and key target applications, established the minimum data rate
required at the edge of the cell for these clients and applications, and
computed the cell capacity for the entire population of clients in your cell.
Cell Size
You also know that the physical size of the cell depends on the power at
which the STAs and the AP transmit (larger power = larger cell). It may be
tempting to set the AP to maximum power, in the hope of maximizing the
useful part of the BSA. However, such maximum power presents two
major downsides:
10 The AP likely has a better receive sensitivity than the client, allowing
for some difference between the AP and the client EIRP.
Channel Reuse
At this point, you have also noted that the minimum data rate at the edge
of the cell increases with the channel width. It may be tempting to use
wide channels to achieve the largest possible cell-edge data rate. This
intent is counterbalanced by the limited number of channels. Recall that
the term cell comes from cellular designs, where the equivalent of the BSA
is represented by a hexagon, as the simplified representation of a circle.
This approximation was useful because hexagons contain almost the same
area as a circle with similar diameter, but can be arranged as a repeating
geometric pattern (Figure 8-2). The same logic can be applied to other
wireless deployments, including 802.11. However, given that most 802.11
installations are located in indoor buildings with rather rectangular or
square-like dimensions, it is often easier to design and deploy while using
square cells as the best representation of the intended coverage area.
However, the square design is not a very good representation of a circle
area. The overlap between cells may be large along the square’s edges,
and small (or nonexistent) around the corners.
FIGURE 8-2 Cell Types
FIGURE 8-3 Valid Reuse Factor (Left) and Invalid Reuse Factor (Right)
On the right side of Figure 8-3, you can see an invalid reuse pattern. You
can form a cluster with five channels and repeat the cluster pattern
infinitely (this is relatively easy with hexagonal shapes), deciding on a
reuse factor of ⅕. However, a cell on a given channel does not have other
cells on the same channel at equal distances in all directions. Take the
center cell on channel A, for example. You can find other cells on the same
channels three cells away in some directions, but two cells away in other
directions.
It may seem challenging to find valid reuse factors. With hexagons, reuse
factors formulae borrow from the geometry of hexagons. If i is the first
channel (thus i = 0, 1, 2, etc.) and j the next channel (j > i), the number of
channels you can group in a cluster is defined by the
equation: N = i2 + ij + j2. When substituting i and j with 0, 1, 2, and so on,
you find that the possible values of N are 1, 3, 4, 7, 9, 12, 13, 16, 19, and
so on. This result means that you can form valid clusters of cells on 3
channels (as you saw in Figure 8-3), 4 channels, 7 channels, and so on,
with a channel reuse factor of ⅓, ¼, , and so on.
The logic is somewhat similar when the cells are represented as squares.
However, the geometry of squares is usually more familiar to the human
mind than the geometry of hexagons. As soon as you can form a square
with cells on different channels, you have a pattern that can be duplicated
infinitely. You can see two valid examples in Figure 8-4: on the left, a
cluster of 4 (2 × 2) with a reuse factor of ¼, then on the right a cluster of
9 (3 × 3) with a reuse factor of . You can extend this logic to form a
pattern of 16 cells (4 × 4), 25 cells (5 × 5), and so on.
FIGURE 8-4 Valid Reuse Factors for Square Cell Representation with a
Reuse Factor of ¼ (Left) and (Right)
“Invalid” does not mean that you are not allowed to use that particular
reuse factor. Each deployment and its constraints tend to lead to
deployment decisions that are best in that particular context. However,
“invalid” means that your design is unbalanced, with reused channels that
are closer in some directions than in some others, and with the likelihood
that you could use a smaller reuse factor (and thus larger channels) with
the same co-channel interference outcome.
As the number of cells between APs on the same channel increases, this
CCI risk declines. However, the number of channels you can use on a
given band is limited. As the width of the channel in each cell increases,
the number of available channels is reduced, limiting the reuse factor to a
smaller range.
1000 sq ft / 92 36 ft / 11 m 18 ft / 5.5 m
m2
1200 sq ft / 111 40 ft / 12 m 20 ft / 6 m
m2
Wi-Fi 7 does not change the transmit power or the channels of 802.11ax
(Wi-Fi 6) and earlier radios. Wi-Fi 7 introduces 4096-QAM in all bands. As
we have seen in Chapter 5, “EHT Physical Layer Enhancements,” and in
this chapter, this modulation has a short range. The main two features
that 802.11be introduces and that have an impact on coverage and
capacity are access to 320 MHz channels in the 6 GHz band on the one
hand, and multi-link operations (MLO) on the other hand. You can choose
to include or exclude these new features based on the future device mix
(and spectrum availability).
The first key consideration for Wi-Fi 7 site planning is that it is much like
Wi-Fi 6E (for 6 GHz) or Wi-Fi 5/6 (for 5 GHz). In other words, the Wi-Fi 7
coverage area will be similar, if not identical, to that of those previous
generations (for the same minimum data rate, channel bandwidth, and so
on). So, unless you are engineering a new high-density (HD) venue, a
high-speed Wi-Fi direct link, or a long-range metropolitan point-to-point
(pt-to-pt) link exploiting the highest or lowest 802.11 data rates available,
you can be reasonably confident in placing similar Wi-Fi 7 APs in the same
locations as their Wi-Fi 6, Wi-Fi 6E, or Wi-Fi 5 counterparts (i.e., those with
broadly similar antenna gains and pattern). This equivalence means that a
Wi-Fi 6–oriented site survey is a reasonably good predictor of a Wi-Fi 7
deployment. Therefore, whether you are integrating Wi-Fi 7 APs into a pre–
Wi-Fi 7 existing WLAN (brownfield deployment) or designing a new
deployment (greenfield deployment), the design considerations are
approximatively the same. For many users, the primary objective when
choosing Wi-Fi 7 is to exploit the new 6 GHz spectrum that was first
supported by the 802.11ax-based Wi-Fi 6E standard.
Home: A few APs cover a residence or small office with Internet and
consumer IoT access.
Like previous Wi-Fi generations, Wi-Fi 7 increases the peak rates through
wider channels (320 MHz versus 160 MHz)) and higher-complexity
modulation and coding schemes (4096-QAM versus 1024-QAM). This
results in a peak spectral efficiency of 12 bps/Hz—that is, 2.882 Gbps per
spatial stream in a 320 MHz channel. These capabilities lead to impressive
theoretical performances, as you can see in Table 8-9.
Channel Bandwidth
1SS (IoT) 2SS (Mobile) 4SS (Indoor AP)
(MHz)
The goal of a WLAN design is to achieve the right data rate and latency
(and performance requirements) for all STAs, not to ensure that each STA
reaches the latest 802.11 standard peak data rate at all times. Reaching
the design goal typically means that the peak data rate may or may not
be reached, but that all STAs can successfully operate in the BSS, and
between BSSs (either neighboring AP devices, or co-located AP radios on
different bands).
The number of channels available per AP cluster (i.e., a set of APs with
unique channels) is based on the selected channel bandwidth in the band
of operation. In 2.4 GHz, you typically have only three or four 20 MHz
channels, so 20 MHz is the maximum recommended bandwidth in that
band. For 5 GHz and 6 GHz, more channels of various sizes are available.
The Wi-Fi 7 design starts from the 6 GHz band, because it is the band
where the most performance can be achieved. This band has the largest
number of channels, as indicated in Table 8-9, and the least effects from
legacy devices.
TABLE 8-9 5 GHz and 6 GHz Channels in the FCC and ETSI Domains
5 20 24 23
GHz
40 11 10
Channel Number of FCC Number of ETSI
Band
Width Channels Channels
80 7 6
160 3 2
6 20 59 24
GHz
40 29 12
80 14 6
160 7 3
320 3 1
The AP, and its WLAN, must be indoors. The AP cannot be deployed
outdoors or cover an outdoors area, and the AP cannot be
weatherized (i.e., set in a weather-protective enclosure with the
intention of providing outdoors coverage).
The maximum power is 5 dBm/MHz (see Chapter 3), and the STA
maximum EIRP is 6 dB below the AP maximum EIRP. Therefore, you
likely do not want to set the AP to its maximum power (see the “Cell
Size” section in this chapter).
These elements are important, because you should start your design from
the 6 GHz band, if it is allowed in your regulatory domain. The 6 GHz band
offers less interference and does not suffer from the legacy compatibility
requirements as the 5 GHz and 2.4 GHz bands do.
PrPt=GTXGRX(γ/(4πd))2
The AP power in 6 GHz (using LPI) may be different from the AP power in 5
GHz, as you can see in Table 8-10. This table uses the FCC domain as an
illustrative example. Refer to Table 3-5 (in Chapter 3) for more values.
TABLE 8-10 5 GHz U-NII-2-C and 6 GHz U-NII-5 EIRP Versus Bandwidth
20 40 80 160 320
Device
MHz MHz MHz MHz MHz
If you set your APs to the maximum power (e.g., because all of your
clients are laptops), then the 5 GHz BSA is larger than the 6 GHz BSA. In
that case, you are designing the WLAN for 5 GHz, with the property that
cells will have a smaller inner zone where 6 GHz will be available. The
difference between the 5 GHz and the 6 GHz BSAs may be considerable.
In the free pathloss equation, a 6 dB difference represents twice the
distance. Thus, if your channel is 20 MHz wide, and your useful BSA for 5
GHz stops 2d feet (or meters) away from the AP, then you need to walk
halfway to the AP (to d feet/meters) for your 6 GHz BSA to be available, as
illustrated in Figure 8-6.
FIGURE 8-6 6 dB Difference Between an Inner 6 GHz BSA and a Larger
and Stronger 6 dB, 5 GHz BSA
The primary challenge when designing a WLAN for wide channels (320
MHz, but also 160 MHz) is channel reuse. For example, there is only one
320 MHz channel in the ETSI domain, and three 320 MHz channels in the
FCC domain. A channel reuse factor of ⅓ (as shown on the left part
of Figure 8-3) is possible, and a reuse factor of (all neighboring cells on
the same channel) is certainly valid. However, in both cases (very
probably with the ⅓ scheme, and almost certainly with the scheme),
you will have to manage overlapping BSS interferences. If your design is
intended for an environment with a lot of obstacles (walls), then that
design may work without too much CCI. When you are designing a small
network (e.g., home, hotspot), you may not need to install more than one
(or three) APs, and the CCI considerations do not apply—at least if you do
not have, or do not worry about, neighboring WLANs. In most cases where
your network includes more than three APs, the 320 MHz design is difficult
to realize in practice. The interferences from neighboring cells on the
same channel will reduce the throughput of the 320 MHz cell to a point
that will negate the wide channel benefit.
If you set your AP to LPI, then the EIRP will limit the AP power. The
regulatory limits in the FCC domain (5 dBm/MHz and 30 dBm EIRP) mean
that a 320 MHz signal will exceed the maximum EIRP of 30 dBm if set at
the PSD maximum of 5 dBm/MHz. When the AP is set to 320 MHz at
maximum LPI power (30 dBm), each 20 MHz segment must operate well
below 5 dBm/MHz, which obviously limits the size of the BSA. Adaptive APs
sent the narrower frames (including beacons and probe responses) at
optimal power (typically 18 dBm for 20 MHz, as shown in Table 8-8), but
the full 320 MHz channel will be available only at low power. The ETSI
regulations also recognize LPI, but allow this mode only in U-N-II-5 and U-
N-II-6, and with a limit of 10 dBm/MHz and 23 dBm as the AP maximum
EIRP. Therefore, the AP should also be set at 23 dBm maximum for a 40
MHz, 80 MHz, or 160 MHz channel. Practically, this means that the PSD
rule finds its limit in the ETSI domain at 23 dBm EIRP. As a consequence, if
you design 320 MHz channels, high data rates (high RSSI, high SNR) will
be achieved only near the AP, regardless of the domain.
For all these reasons, a channel width of 320 MHz may be more commonly
used in small networks. In enterprise deployments, 80 MHz is likely to be
the common width in 6 GHz, which is also the assumption behind the
preferred scanning channel (PSC) design.
When MLO is enabled, the MLO-capable STA may be using capacity on two
(or more) AP radios. This link consumption affects the coverage and
capacity plans significantly. In some cases, the STA has the same volume
of traffic to send as it would have in a single-radio case. The STA then
splits its traffic between the links, appearing as a lower-bandwidth device
on each band. In other cases, the STA applications are limited by the
single-link bandwidth, and the multi-link availability allows the STA to send
more traffic. In this situation, the applications might possibly consume up
to the peak bandwidth designed for each STA on each band. A single client
device then appears as two STAs, each consuming the expected peak
bandwidth. This phenomenon may double the number of STAs in the
WLAN.
STR: Capable of 2.4 GHz + 5 GHz, 2.4 GHz + 6 GHz, 5 GHz + 6 GHz,
or in some cases dual 6 GHz simultaneously.
The STR case is the simplest to plan for. You simply double (or triple)
count each MLO-STR–capable device, counting it once in each of the
bands it can operate under for both coverage (minimum data rate) and
capacity purposes. Because the links are expected to be active
simultaneously, you can design the cells with a minimum data rate on
each band suitable for this device type. In theory, if all STAs were STR in 5
GHz and 6 GHz, you could treat 5 GHz as a backup link and set the 5 GHz
radio to a narrow channel (e.g., 40 MHz), making it more reliable (due to
reduced CCI) albeit with lower capacity. However, in most deployments,
not all Wi-Fi 7 STAs are expected to be STR, and legacy 5 GHz devices may
need to be accommodated. STR does have an advantage in that either
link can be used at any time. Both 5 GHz and 6 GHz links could be
deployed with the same reuse factor. This design typically results in the 6
GHz channel being twice the channel width of the 5 GHz channel due to
the relative amount of spectrum in each band.
The NSTR case is similar in effect to STR, with the only notable
performance difference being that a 5 GHz + 6 GHz NSTR device will
experience reduced throughput and possibly higher latency due to the
need for the STA and AP to coordinate the transmission across both bands
so that both frames end at the same time on both links (see Chapter 6,
“EHT MAC Enhancements for Multi-Link Operations,” for details). This may
mean either padding one transmission to force end-of-frame alignment
(reducing throughput) or deferring transmission until the frames are the
same size (increasing latency). However, the RF planning considerations
are generally the same as for STR with one caveat: The NSTR STA can also
be an STR STA if there is sufficient frequency separation between the 5
GHz and 6 GHz operation channels (e.g., 200 MHz). Given this issue, it
may be advantageous to explicitly plan this separation, and to override
RRM if necessary.
The eMLSR case is more complex, as the STA can receive control on any of
its two connected links, but will transmit/receive on only one at any given
time. These exchanges are controlled by the AP in the downlink and by
the STA in the uplink. The factors for link selection are not specified by Wi-
Fi 7 or 802.11be, but the motivation for eMLSR is to achieve power
savings on the STA. Thus, it is advantageous for the STA to use the least
amount of airtime to transmit a frame and to use the fastest link. The STA
would use the slower link only if the faster link became unavailable. This
behavior assumes that the coverage is available on each band. The
eMLSR STA will likely “camp out” on the higher-speed link (usually 6 GHz
for indoor) and most of the time will not leverage the other bands. When
designing your WLAN, you could consider the eMLSR STA as a 6 GHz-only
STA, which occasionally happens to use the 5 GHz link. But if the 6 GHz
coverage is sufficient, the 5 GHz exchanges will be rare and can be
ignored in the design.
Irrespective of the mode that the clients are expected to use, MLO is
useful only if all three bands (2.4, 5, and 6 GHz) have sufficient link RSSI
to allow proper STA operations. This requirement dictates a 6 GHz-driven
cell size selection, as the 6 GHz link is likely to be the weakest in the SP
and LPI modes. Although you may be able to design different coverages
for the 5 GHz and 6 GHz bands, with different cell-edge MCS/data rate
selections, such a mismatch is not recommended for MLOs. When this
design is used for MLO, the link selection may be biased on a semi-
permanent basis, resulting in low utilization of one of the bands.
The fate of 2.4 GHz may also be called into question with Wi-Fi 7 MLO.
Historically, this band was used as either a coverage channel (e.g., for
low-power IoT) or a backup channel for 5 GHz. Now, however, with 6 GHz
as the likely primary channel, 5 GHz may serve as a fast-backup channel;
that is, switching back and forth will occur automatically and transparently
to the user applications. In this context, the utility of 2.4 GHz is
diminished. If your WLAN has no legacy IoT devices, you might consider
eventually decommissioning the 2.4 GHz radios. You might also decide to
deploy the 2.4 GHz channels only at the edge of the network for
onboarding. For example, they could be deployed in the lobby of a
building, from where the 2.4 GHz signal may reach far into the parking
area, and allow for auto-association before users enter the building.
The protocols used by P2P are based on 802.11, but some unique P2P
group discovery and topology formation protocols have also been
standardized by the Wi-Fi Alliance’s Wi-Fi Direct program that are required
for interoperability. A P2P network consists of two or more devices a user
has near their person, such as a smartwatch, a smartphone, or AR
glasses. These devices connect to each other and share updates,
synchronize state, and may possibly stream live video/audio as needed.
An emerging use case is as a replacement for a wired HDMI cable (i.e.,
wireless HDMI) where high-rate raw or semi-compressed video/audio is
exchanged continuously between a video/audio source (e.g., laptop, PC)
and a display device (e.g., smart glasses or AV/VR headset). Unlike a
smartwatch, the wireless HDMI link has the potential to consume
significant airtime and, therefore, may degrade the infrastructure BSS
performance, if both the BSS and the P2P link are on the same channel.
The P2P group leader (e.g., a smartphone) may also be associated with
the infrastructure AP via another link/radio or the same link/radio (e.g.,
alternating between them) and perform an associated function such as
cloud data access.
P2P networks may appear in the WLAN. If so, you need to decide how to
best accommodate them. If the P2P link is used for critical real-time
services such as high-rate video/audio transport (e.g., wireless HDMI, VR),
then you should explicitly consider their throughput and latency targets in
your design. Given the distance between the P2P devices (e.g., a few feet,
one or a few meters), it is reasonable to assume the higher Wi-Fi 7
modulation schemes (specifically Wi-Fi 7’s 4096-QAM) are achievable at
least for one or two spatial streams. This would lead to a 1.4–2.8 Gbps
peak data rate on 80 MHz channels. In this scenario, the challenge is
predicting how much bandwidth the P2P link can acquire, free of CCI from
the infrastructure AP, if operating on the same channel. If the anticipated
load (channel utilization) on the AP is low (e.g., 10%), then this
coexistence likely does not present a problem. However, if the anticipated
AP load is high (e.g., 50%), then the P2P exchanges may cause noticeable
interference to the AP BSS, and vice versa. To avoid the excessive
interference issue, Wi-Fi 7 offers two specific mechanisms:
In the channel usage approach, an AP, with the assistance of some radio
resource management (RRM) software, selects a preferred channel and
bandwidth on which the P2P groups should operate. It then advertises this
channel to all the STAs via the beacon. The P2P group leader (whether
associated to the AP or not) can then receive the beacon and instruct its
group members to consider changing to the recommended channel (e.g.,
after scanning). For this channel-usage method to work best, the AP
should act as follows:
2. Coordinate with other APs via RRM to create available P2P channels,
and keep them free from AP BSS traffic.
In the time-based TXOP sharing scheme, the AP and P2P group operate
together on the same channel, and the AP grants channel access to the
associated P2P group leader for transmissions between group members.
This methodology is more complex because the AP must account for the
specific needs of the P2P application. Fortunately, the SCS QoS
Characteristics IE (QC) allows the P2P group leader to express the needs
of the group in terms of periodicity (e.g., every 35 ms a video frame is
sent from the iPhone to the AR glass) and time duration (e.g., 100 μs for a
10KB frame at MCS11). The real-time duration is difficult to estimate given
that the actual data rate between the P2P STA and P2P group leader is
dynamic. Therefore, a very conservative estimate is usually needed, which
can be wasteful in terms of airtime.
Owing to this waste risk and the scheme’s complexity, the time-based
TXOP sharing approach may not see wide adoption. However, you should
be aware of this capability and potentially disable the feature if it is
enabled and the expected airtime consumed by the P2P group is
excessive.
One approach to solve the CCI problem is to reduce the AP power, which
also decreases the useful part of the BSA. However, STAs at the edge of
the cell may transmit at high power—possibly at the same power as the
AP. AP power control is efficient only if it is coupled with techniques to
ensure that the STAs stay close to the AP, and then, when getting to the
edge of the useful part of the BSA, roam to another AP.
The higher MCSs introduced by 802.11be (MCS 12 and MCS 13, with 4K
QAM) allow for the possibility of very small cells with high data rates.
Suppose a design is based on 6 GHz/80 MHz channels, an AP EIRP of 24
dBm, and 18 dBm for STAs in U-NII-5. In this context, MCS 12 and 13
correspond to 647 and 720 Mbps, respectively, with 45 dB and 48 dB SNR
required, respectively (see Table 8-2). A design goal could be to ensure at
least MCS 12 everywhere in the useful part of the BSA. Suppose that the
AP includes a 4 dBi antenna with a noise figure of 6 dB, that the typical
STA transmit power is 12 dBm, and that the system comes with an
antenna of –2 dBi and a noise figure of 10 dB. Then the link budget
equation (see the “Link Budget and Cell-Edge Data Rate” section earlier in
this chapter) allows you to envision different possible power settings on
the AP. You can also use this equation to evaluate the distance at which a
STA in a neighboring BSS can start detecting the AP (based on the signal
at that distance, and the minimum sensitivity requirements in Table 8-2),
the distance at which MCS 12 can be achieved, and the distance at which
a STA in a neighboring cell can be detected. In these open-space
environments, the AP-to-AP (i.e., ceiling to ceiling) and AP-to-STA (i.e.,
ceiling to ground) links can be approximated as LOS, with only the STA-to-
OBSS STA link experiencing NLOS (i.e., ground level to ground level).
Therefore, the pathloss equation can be used directly, without
incorporating the effect of obstacles. Table 8-11 displays these different
ranges for MCS 12 and different power settings on the AP.
8 11 14 17 20 23
AP EIRP
dBm dBm dBm dBm dBm dBm
AP CCA 8m 11 m 15 m 21 m 28 m 39 m
If you design your 6 GHz band with 80 MHz-wide channels, you can plan
for a reuse factor of 13, and therefore 4 entire cells of separation (each of
width “twice the radius of one cell” plus the radius of the originating cell)
for 4 × 2 + 1 = 9 radii of separation. If each cell has a radius of 19 ft, then
the distance from each AP to the nearest STA in the OBSS is 9 × 19 = 171
ft, which is enough to avoid CCA-based contention from the AP (calculated
in Table 8-11 as 39 m/128 ft). Figure 8-7 illustrates this scenario.
To enable low bounded latency (determinism) for these control loops, you
can use two Wi-Fi 7 capabilities designed for such operations. The first
capability, the stream classification service (SCS) with QoS characteristics
(QC), allows the endpoint (STA) to describe the time-critical flows, such as
periodic position reports followed by a command. The second capability,
restricted target wake time (R-TWT),11 allows the STA to specify a series of
time-slots during which only it is allowed to communicate with the AP;
other STAs in the BSS may not transmit during these timespans. Taken
together, these features allow the timely AP scheduled delivery of the
position and command messages and ensure that other STAs in the same
BSS do not send at the same time.
11 For more details on SCS and r-TWT, see Chapter 7, “EHT MAC Operation
and Key Features.”
In this IIoT use case, the STA could request, for example, two SCS flows
from the AP as follows:
The key is that the application packet generation times and the SCS
service schedule are synchronized via the start-time. The alternative
method (not explicitly defined in 802.11be/Wi-Fi 7) is that the R-TWT
session is synchronized to the traffic generation times (via the TWT start-
time and periodicity), which are used by the AP for uplink and downlink
STA scheduling.
We can envision more IIoT or wireless TSN (WYSN) use cases being
supported in this way—for example, wireless PLCs, safety controllers, and
similar deterministic applications. The ability to schedule time-sensitive
traffic is unique to Wi-Fi 7 and is not supported in previous 802.11 and Wi-
Fi generations.
Summary
You now have many of the building blocks required to design Wi-Fi 7
networks. All 802.11 designs start from the same foundation: collecting
the clients’ characteristics and the WLAN requirements. With that
information, you can design your first cell, making sure that each device
can get the minimum data rate needed, right from the edge of the cell.
Fulfilling requirements usually means choosing the channel width for each
BSS. Then, the power at which each AP is set drives the size of the BSA.
Next, you need to extend the design to the multi-cell scenario, and choose
a channel reuse factor that combines channels as wide as needed with the
requirement to limit co-channel interference. These considerations are
valid for any 802.11 design, but Wi-Fi 7 design commonly starts from the 6
GHz band and expands to 5 GHz, and possibly 2.4 GHz. In most cases, it is
difficult to design for 320 MHz, and most multi-AP networks will end with
narrower channels (e.g., 80 MHz). Designing for MLO may compel you to
adjust your AP power and BSA size. You may also need to account for
special cases, such as incorporating P2P exchanges in your WLAN,
designing small WLANs that require high data rates, or accommodating
time-sensitive networking traffic.
Future Directions
802.11-2020, Clause 3
As 802.11be is being published and the Wi-Fi Alliance completes its Wi-Fi 7
release 2 program, the industry continues thinking about the future of Wi-
Fi. The technology has proved to be immensely successful, and new use
cases, new scenarios, and their cohort of challenges are being brought to
the IEEE 802.11 Working Group every day. Multiple groups are constantly
in operation—some that started when 802.11be was active, and others
that follow 802.11be to continue what the HE group started. This
concluding chapter aims to give you an insider’s view of these different
streams that will define what ends up being called Wi-Fi 8.
Wi-Fi 8 Directions
This section reviews the likely (and some less likely) directions for 802.11
as the industry stretches toward Wi-Fi 8: distributed resource units, better
roaming, multi-AP coordination, and a security evolution. Other
innovations are likely to mature at the same time and may well be part of
the Wi-Fi 8 products, such as client privacy, client location, and client
sensing.
Wi-Fi 8 is the Wi-Fi Alliance’s presumed brand name for the generation of
Wi-Fi after Wi-Fi 7. At time of writing, the effort to build it is well under way
at IEEE, with a great flowering of ideas and scores of topics and subtopics
being explored. Based on past experience, many of these will be whittled
down during the standardization process, with the strongest and most
implementable ideas being preserved—and perhaps and some others, too.
At IEEE, the process began in earnest with the Ultra High Reliability (UHR)
Study Group, which paved the way for the UHR Task Group, 802.11bn. The
UHR Study Group recognized the limited opportunities for a PHY speed
increase (discussed later in this section) and so identified reliability as the
key theme for Wi-Fi 8. The Project Authorization Request (PAR) and Criteria
for Standards Development (CSD) explicitly mentioned the following use
cases as targets for the next major generation of 802.11:
Highly reliable and consistent Wi-Fi connection with predictable
timing and delivery of data packets for AR/VR immersive
experiences and the metaverse
No Speed Increase
The idea of 480 or 640 MHz PPDU bandwidths was canvassed early in the
UHR discussions. As described in Chapter 4, “The Main Ideas in 802.11be
and Wi-Fi 7,” widening the bandwidth is the best way to achieve greater
single-link throughput. However, China has no allocated spectrum, such as
6 GHz, that can support these bandwidths, and Europe’s 6 GHz spectrum
allocation can support only a single 480 MHz channel. Even the 1200 MHz
available in countries such as the United States restricts this to one 640
MHz channel and one 480 MHz channel. Usage of this bandwidth by one
AP makes high reliability much harder to achieve by other nearby Wi-Fi
networks and wireless systems. Given these challenges, the 802.11
members backed away from this proposal.
Other approaches to increase PHY data rates are even less appealing.
More than eight RF transceivers in a band, for up to three bands, is hard to
justify given the cost, power, and small number of devices capable of
handling eight spatial streams in the market today. The investment
required to deliver 16384-QAM (16K QAM) outweighs the limited customer
benefits from such a short-range technology.
Distributed RUs
The Distributed Resource Unit (DRU) is a technology that follows the LPI
regulations as issued, yet is still able deliver higher power. The LPI
regulations limit the transmit power spectral density to, say, –1 dBm EIRP
per 1 MHz for clients. Wi-Fi 6 and Wi-Fi 7 have 12.8 subcarriers per 1 MHz,
on average, and the resource units are (almost exclusively) made up of
contiguous subcarriers. In such cases, the –1 dBm transmit power
allowance during the UHR-modulation portion of a PPDU (including the
Data field) is shared across the 12 to 13 subcarriers of a client in any 1
MHz. DRUs adopt an alternative way to define RUs: Each STA’s tones are
semi-regularly distributed across the PPDU bandwidth (or a portion of it, in
the case of very wideband PPDUs) such that each STA is energizing many
fewer than 12 to 13 subcarriers per MHz. You can see the difference
between traditional RUs and distributed RUs in Figure 9-1.
FIGURE 9-1 Comparison of Traditional RUs (Upper) and Distributed RUs
(Lower) for Nine 26-Tone RUs over 20 MHz
DRUs increase the power available to the transmitter. For instance, 2 STAs
transmitting 484-tone RUs distributed over 80 MHz can each transmit 3 dB
more under the current regulations; 4 STAs transmitting 242-tone RUs
have 6 dB more, and 8 STAs transmitting 106-tone RUs have 9 dB more.
However, 16 STAs transmitting 52-tone RUs do not quite get 12 dB more
because, in each 1 MHz, 802.11 is limited to 12 to 13 subcarriers.
Take advantage of Wi-Fi 7’s MLO. If and when the 60 GHz link is
blocked by obstacles, switch over to another link at 2.4/5/6 GHz.
Take advantage of the lower bands (like 2.4/5/6 GHz) to assist with
the discovery of APs operating at 60 GHz.
However, these ideas were not accepted as part of the 802.11bn scope.
Accordingly, the Integrated MilliMeter Wave (IMMW) Study Group is
pursuing a separate track at 802.11, with a separate Task Group, and with
the goal of being ready in time for Wi-Fi 8 revision 2. The integrated
millimeter wave approach will still have cost and power implications for
products, and is liable to be initially confined to higher-end devices.
Exotic Ideas
Many other ideas are under consideration and are publicly available on
the IEEE 802.11 document server under UHR SG or TGbn. 1 A few of these
topics are highlighted here:
Better support for a mix of older and new clients via a frequency-
domain aggregate of PPDU formats.
The early phase of a Task Group is usually focused on translating the use
cases surfaced in the Topic Interest Group and the Study Group (UHR, in
the case 802.11bn) into requirements. However, it is also a great time to
present new solutions or possibilities for the next generation of Wi-Fi.
Some of these ideas are very new, and will require a lot of discussion
before they are considered feasible, interesting, and in scope for the
802.11bn TG. No doubt, some of these ideas will make it to Wi-Fi 8.
Better Roaming
One approach under discussion is most suited to the home, where the
traditional AP would be disaggregated into a single “upper MAC” device
connected to multiple “lower MAC, baseband, and RF” devices distributed
in different rooms around the home. To a client, the system would appear
to be very similar to a single AP MLD with many links per band. Only the
“upper MAC” device would have subnet connectivity.
Given that the Wi-Fi PHY already supports multi-gigabit per second
speeds, achieving higher quality of service (QoS) for flows is the next
natural goal. In general, achieving this goal requires lower and more
predictable latency and jitter.
Wi-Fi 7 has already made major QoS strides, as described in previous
chapters. Nevertheless, some potential gaps remain, which the features
described in the sections that follow attempt to address.
Multi-AP Coordination
This mutuality is relatively straightforward when all APs are part of the
same administrative domain, but comes with some caveats in other
circumstances. Fortunately, the former same-domain case is a common
occurrence, and solutions for it can be used judiciously with the latter
cross-domain case.
Complexi
Flavor Mechanism Advantages
ty
enables: reliability
On the downlink,
high-scale
distributed (i.e.,
multi-radiohead)
beamforming and
MU-MIMO with
collision
avoidance
On the uplink,
high-scale
distributed
diversity and UL-
MU-MIMO with
collision
resolution
Dynamically and
locally picking one
of these modes,
or something
simpler, such as
pathloss-based
spatial reuse
A key question for priority is which applications are key to the deployment
and its users. The QoS features in Wi-Fi 7 are somewhat pragmatically
defined:
The resolution of the SCS (QC) protocol for the uplink is limited to a
TID.
Buffering at the client might be per AC rather than per TID or per
SCS flow.
To ensure QoS policies are achieved with greater precision (and so free up
wireless resources for other flows), protocols can be enhanced with TID-
level or flow-level (i.e., SCS ID level) singalongs and behaviors.
L4S
Each network node along the way observes its transmission buffer. If
the buffer (toward the next node) is congested, the node marks the
passing L4S packet with a flag that indicates congestion. In its
acknowledgment back to the packet source, the end consumer (e.g.,
your laptop or phone) indicates that congestion was signaled,
causing the server to reduce its flow a little bit. This way the flow is
always tailored to the near real-time capacity of the entire network,
including its weakest link.
Given the previous function, L4S packets should not accumulate in
any node, waiting for other L4S packets ahead of them to be
transmitted. Because of this property (and because non-L4S packets
do not display this property), L4S does not build queues. Instead,
L4S-enabled nodes implement a queue that is parallel to the regular
queue and entirely dedicated to L4S traffic. This queue is relatively
shallow—only a few packets in the queue are sufficient to trigger the
“congestion” flag. However, because of the near real-time
adaptation of L4S to the network conditions, the queue is usually
almost empty, ensuring that traversing L4S packets do not get
delayed.
In combination, these two properties make L4S well suited for delay-
sensitive traffic whose volume can be modulated, such as traffic in
AR/VR/XR applications. However, L4S is a Layer 3 technology. When the
last (or the first) nodes in the chain are an AP and a STA, the L3 principles
may need to be extended to Layer 2. For uplink packets, the STA needs to
signal to the AP the L4S nature of a flow, so that the AP schedules the STA
at undelayed intervals. The AP, for uplink and downlink flows, needs to
know (at Layer 2) that they are L4S, so that the AP can direct the packets
accordingly in an Ethernet (uplink) or 802.11 (downlink) shallow queue.
Unlike an Internet router, the AP is not a L3 object. Thus, when congestion
occurs, the AP needs to be able to signal congestion in an L2 or L2 signal.
In-Device Coexistence
Although this kind of signaling can require the AP to reschedule its traffic
“on a dime,” it is possible with minimal protocol changes because Wi-Fi is
inherently resilient to unexpected events. However, oftentimes the Wi-Fi
traffic is more urgent than the client has planned for. To deal with this
situation, there are complementary proposals to enable each side to
report the priority of planned traffic as well as absences, with the
possibility that a reported absence could be canceled to ensure that the
higher-priority traffic is transferred in a timely manner.
P2P Coordination
Ideas to resolve this dilemma have been developed in Wi-Fi 7 and the
achievable features are seeing deployment. It is anticipated that
refinements will continue to happen in 802.11bn, and that broader
adoption will become possible now that the protocol implications are
understood in greater detail.
Not all clients can operate at 320 MHz, and some clients with sporadic
traffic (e.g., IoT devices) may operate at lower bandwidths, such as 20
MHz. As a result, the primary 20/40/80 MHz of a wideband BSS is often
more occupied than the secondary 80/160 MHz. Rather than the AP
scheduler leaving such secondary channels idle, the dynamic sub-band
operation (DSO) proposal is intended to mitigate this scenario by
providing the AP with the means to direct clients, on a per-TXOP basis, to
the secondary channels to receive their intended RUs/MRUs/DRUs.
AP Power Save
In the 802.11 architecture, APs are always awake and ready to serve
clients. This state consumes power even in the absence of clients or when
there is little client traffic, such as late at night. In the Wi-Fi Alliance’s Wi-Fi
Direct specification, an AP would have the ability to sleep periodically if
the attached client(s) are also Wi-Fi Direct capable.
The solution to both problems is similar, but the adoption cycle for them in
the traditional AP case will take longer. Proposals for AP power save
include the following options:
The AP and the client(s) negotiate a mutual sleep cycle with regular
on and off periods.
The AIML TIG found many examples where AIML could help 802.11, but
concluded that the AIML effort would likely not entail the development of
an amendment, where use cases are found and the protocol is improved
to solve these use cases. With AIML, new problems that AIML can help
solve are expected to surface on an ongoing basis. For these reasons, the
TIG became a Standing Committee—that is, a group focused on a topic
(AIML) and operating for many years (until the 802.11 chair declares their
work complete or no longer useful). Problems and ideas related to
machine learning in 802.11 can be brought to this committee, before
being suggested to one or several active Task Groups for further
development.
Security
Major updates in Wi-Fi security are often discussed both in the 802.11
forums and in the Wi-Fi Alliance. Therefore, it is common that
improvements are proposed at the start and during the development of
each new 802.11 effort.
Several fields in the MAC header are masked out when the frame body
protection is calculated, and therefore are not protected. This design was
because these fields change (or may change) during retries, but the
packet number (PN) of a frame should not change.
Block Ack Request and Block Ack frames, because (in the absence of
client mitigations or the protected Block Ack feature) an attacker
could cause the victim to advance its starting sequence number
beyond the current operating range. This would make retries
ineffective and/or cause a gap in accepted frames at the receiver.
Post Quantum
802.11 has been such a successful technology that most buildings come
with their sets of AP devices and STA devices, ranging from laptops to
phones, IoT, and more. As the number of devices grows, it becomes useful
to keep an inventory of these objects, and to know their individual
location. In turn, the presence of Wi-Fi in many buildings has inspired
many protocol designers to use Wi-Fi for navigation as well. 2 Both
functions—asset localization and navigation—are on the verge of being
realized, and new applications are emerging that use the raw 802.11
signals to track non-802.11 objects.
The idea of using 802.11 signals to locate3 a STA has been within the
scope of Wi-Fi since its very beginning. Since the early days of 802.11,
infrastructure companies have proposed services in which a set of APs,
using the RSSI and modified free pathloss equations, would convert the
signal of a STA probe request into an estimated distance to the queried AP.
The proposed method was crude, because any environmental factor (e.g.,
walls, but also reflections) would affect the received signal strength and
lead to a misleading distance estimation. For example, a simple plaster
wall between the STA and the AP could be enough to reduce the signal by
6 dB, but in the free pathloss equation, that 6 dB reduction of the signal
translates to twice the distance. This issue could somewhat be mitigated
with multiple APs and multilateration techniques, but accuracy stayed in
the 10–20 meter range in most cases. The fact that the STA location could
be computed as a side effect from the standard 802.11 SSID discovery
mechanism (i.e., without the STA willful cooperation) also caused privacy
concerns (see the “A Privacy-Respecting 802.11” section later in this
chapter). Additionally, this location possibility was just a clever use of the
802.11 mechanisms and was not intended or described in the 802.11
standard.
The first standardization of the process of ranging into 802.11 came in the
802.11-2012 revision, albeit as a side effect of another mechanism. At
that time, the IEEE 802.1 Working Group (defining IEEE 802 architectures)
had chartered a Time Sensitive Network (TSN) Task Group, whose goal
was to design protocols that would allow time-sensitive traffic to traverse
network nodes without being delayed behind other queued traffic. One
possible mechanism for achieving this goal is to know in advance the time
at which each TSN packet is expected to enter a given node, and to make
sure that the node has an empty queue ready for that traffic traversal.
Knowing the time of arrival implies synchronizing times between nodes,
and also knowing the travel time between one node and the next. When
this process is extended to 802.11, and one node is the AP and the next
node a STA, there needs to be a process to estimate the travel time from
the AP to the STA.
A few other improvements were needed to make this process usable for
location purposes. For example, timing measurement is limited to a STA
and its associated AP. Location requires measurements of the distance to
multiple APs to allow for multilateration6 calculation. Therefore, the
improved mechanism needed to allow for ranging to APs to which the STA
has no association. The AP also needs to transmit its location to the STA,
so the STA can convert position (relative to the AP) to location
(latitude/longitude coordinates). The 802.11 designers then refined the TM
protocol and introduced7 into 802.11-20168 its Fine Timing Measurement
(FTM) variant.9
7 As a direct insertion into the revised 802.11 standard, without being the
result of a dedicated Task Group work.
In both TM and FTM, the STA has the initiative of starting the dialog, and is
also the only site to obtain all four timers (t1, t2, t3, t4). The AP is merely
responding. As a consequence, the infrastructure has no direct ranging-
related benefit to the transaction. This key factor limited the adoption of
FTM in the early years of its availability. In addition, the time of arrival (t2
or t4) is computed by the receiver by observing the start of the frame
preamble on the circuit behind the antenna. The exact time of its arrival is
not always accurate. Recall from Chapter 1, “Wi-Fi Fundamentals,” that a
STA should be able to detect an incoming preamble within 4 μs of the
signal true arrival time. But in the span of 4 μs, light has traveled 300
meters (close to 1000 feet). This type of accuracy is, of course,
unacceptable for ranging, and many 802.11 chipsets could do much
better (often with a ranging accuracy down to 2 to 4 meters).
FTM also introduced, in the initial FTM request from the STA, the idea that
the STA could negotiate with the AP multiple bursts of multiple
measurements, to maximize the number of samples the STA would work
from. However, the ranging accuracy of FTM was limited by the laws of
physics and the ability of a receiver to detect a preamble fast enough.
To improve and modernize FTM operations, the 802.11az Task Group was
created in 2015 and was in full operation at the time 802.11be was
designed (the 802.11az amendment was published in 2022). The
802.11az amendment introduced many improvements, of which four are
of particular interest for our purposes:
10 The reasoning behind this principle is complex, but a short and simple
explanation is that the STA samples a 40 MHz channel twice as fast as it
samples a 20 MHz channel. Therefore, the STA needs half the time to
detect that a new signal is incoming. The same factor of 2 repeats for 40
MHz to 80 MHz channels, and for 80 MHz to 160 MHz channels.
With 802.11az, the STA can share back to the AP its timers or its
computed range (with the Location Measurement Report [LMR]). In
some cases (e.g., enterprise managed assets), the AP can mandate
this sharing. In (most) other cases, sharing is optional, meaning it is
under the control of the STA and its user. This mechanism allows the
infrastructure to benefit from the exchange—for example, enabling
a store to offer private navigation to its customers, but also track
the store’s assets (e.g., barcode scanners).
11 The publication date for the 802.11bk amendment is the end of 2024.
802.11bk enables all the modes that 802.11az allows: passive mode in
high-density public areas, such as conference centers, airports, and alike;
and LMR for corporate assets. Meanwhile, 320 MHz offers the possibility of
sub-meter ranging accuracy, advancing the location services in 802.11
from general zone accuracy (10–20 meters, with RSSI), to visual accuracy
(2–4 meters, with 802.11-2016 FTM), to body accuracy (1–2 meters, with
802.11az), to sub-body accuracy (less than 1 meter, with 802.11bk). At
that scale, the location engine can tell if the barcode scanner is in your
left hand or right hand, and in a hardware store, your navigation
application can tell you that the box holding the 1-inch nails that you are
looking for is on the shelf 30 cm (one foot) to your right.
The Hybrid AP
The idea of locating a device using 802.11 signals has always involved a
hybrid scenario. In some cases, the goal is really to locate the 802.11
transmitter, but in most scenarios, the 802.11 device is a proxy for
something else. Perhaps the 802.11 card is in a personal device (e.g., a
smartphone), and the location of the card is the same as the location of
the phone, and both are proxies for the location of the person. Even when
802.11 radio frequency identifier (RFID) tags are used that emit specific
802.11 messages for asset tracking, the tag is merely a proxy for the
object to which it is attached.
This idea of locating something or someone with 802.11 signals has many
implications, because it suggests that an 802.11 AP device can be used
for more than just connecting STAs to a network. After more than 25 years
of existence, Wi-Fi has become so ubiquitous that AP devices are expected
in most indoor venues at intervals of a few tens of meters (50–100 feet at
most). The AP device has become an element of the indoor landscape, an
expected element of furniture, with the unique property of being
connected to a network and to a source of power. This presence
empowers the AP to perform new functions, and ranging for location
purposes is one of them.
These needs have led AP vendors to leverage the FTM technology for the
benefit of the infrastructure itself. By making the APs perform FTM ranging
between each other, infrastructure management systems can learn the
relative distances of AP pairs. If the positions of a few of these APs are
known, the management platform can build a graph with the likely
locations of all detected APs in the building. When an AP is removed, it
stops responding to FTM messages, and can be identified as such. Any
new AP can be reported by the others and, if it supports FTM, positioned
accurately on the graph. If the new AP does not support FTM, the
knowledge of the other APs’ positions helps put the new AP’s rough
location on the map.
In some cases, however, relying on the known positions of a few APs is too
much to ask. To facilitate the location process, GNSS receivers can be
installed inside AP device enclosures. Depending on the AP device’s
location in the building, it may receive enough GNSS signal to learn its
own location.13 As the GNSS receiver is connected to the AP device
operating system, the AP can then report its location to the network
management platform. Once the locations for a few of these AP devices
are known, FTM enables the management system to learn the locations of
all the other APs on the floor.
At this point, the AP device potentially includes a GNSS receiver, plus UWB
and BLE transceivers. Such an AP device is now well beyond the 802.11
AP functions. These other radio technologies can, of course, be used for
their own merit. UWB is primarily used to ensure accurate ranging, but the
BLE radio can also be used to manage BLE tags.
RF Sensing
Radars are well known, and for that reason are the first point of
comparison for 802.11 practitioners learning about 802.11 sensing.
However, the mechanisms used in Wi-Fi sensing and in most radars (e.g.,
airport radars) have major differences.
For example, airport radars measure the time difference between the
emitted signal and the reflected echo (the round-trip time of the radar
signal) to estimate the aircraft’s distance from the airport. The radar
signal itself does not carry any timestamp. If a pulse is sent at t0 and
comes back 0.5 ms later, the reflecting object must be (300,000 × 0.5)
about 150 km (93 miles) away. Measuring a change in this round-trip time
allows the system to calculate the aircraft speed. If the next pulse comes
back in 0.45 ms, then the object is now 134 km (83 miles) away, and thus
16 km (10 miles) closer. The time between pulses allows the system to
calculate the aircraft’s speed.
Airport radars are also very directional. You may have seen these
antennas, which look like large satellite dish antennas, continuously
rotating above airport installations. If you were able to slow their
movement down and see the RF signals, you would observe that the
antenna sends a signal in a narrow direction (with a width of just a few
degrees), receives the possible echo from that direction, and then rotates
slightly and repeats the operation. When an airplane is detected, the
progressive change of direction at which the plane is detected from one
rotation to the next provides to the system the plane’s angular speed. The
angular change is then combined with the round-trip time change to
calculate the true speed of the aircraft.
Systems based on 802.11 also use RF signals, which are affected by the
environment. Recall that the effect of the environment on the 802.11
signals is one reason why transmitters, at a given distance from the
receiver, may dynamically change their data rate (or MCS) over time.
Radars, for example, send very short pulses separated by silences. This
mechanism allows the receiving system to be silent when the reflected
signal returns, switching very rapidly between the Tx and Rx functions.
Sometimes radars include one transmitter and one receiver in the same
unit to avoid this Tx/Rx switching. Such a system, measuring the echo of
its own signal, is called monostatic, because a single (mono) static
(nonmobile) system performs both transmission and echo measurement.
By contrast, 802.11 systems send long frames instead of short pulses, and
are half duplex (no dual Tx/Rx functions). It is therefore difficult for an
802.11 device to send a signal and measure its reflection on objects of the
environment. By the time the frame transmission is completed, the Wi-Fi
transceiver needs to switch to Rx mode, which takes some time. As a
result, the Wi-Fi system cannot properly measure the reflection of the end
part of the frame. Circuits that switch very rapidly between Tx and Rx are
certainly feasible, but are much more costly—more than most Wi-Fi users
are ready to pay for their AP or STA device.
Sensing with 802.11, in most cases, requires bistatic or multistatic
systems. With bistatic systems, one device sends a signal (e.g., a static
printer, a Wi-Fi thermostat on the wall), and a second system (e.g., the AP)
receives and measures the signal. With multistatic systems, two or more
devices receive the same signal, and then a central system compares the
reported signals to conclude something about the environment.
With a bistatic (or multistatic) system, you cannot really measure the time
between the transmitted signal and its echo—because there is no echo.
You also cannot reliably measure the time of flight between the
transmitter and the receiver, unless the frame carries a very precise
timestamp (802.11 frames do not) and unless the receiver and the
transmitter times are very carefully synchronized (802.11 systems are
usually not carefully time-synchronized). The only measurement that can
be reliably made in such bistatic/multistatic systems is the differences
between one received signal and the next one, which reflect general
changes in the environment itself. The main conclusion that 802.11
sensing can make about the environment is therefore movement,
including the presence of an object that was not there before or the
absence of an object that was there earlier.
If you were to plot these representations (for each tone, the amplitude
and angle of the OFDM transmission), you would see that the plot for one
frame training field overlaps almost perfectly with the plot for the next
frame training field. The word “almost” applies here, because subtle
power and therefore amplitude variations may occur during the
transmission. For example, such variations may be evident when the
power amplifiers (PAs) at the transmitter incrementally warm up during a
transmission. You can see this near-perfect overlap on the left side
of Figure 9-4. Each of the four plots represents the amplitude of the
received signal. The horizontal axis is the frequency: The channel center
frequency at index 0 and 40 MHz on each side combine to form an 80 MHz
channel. The vertical axis represents the amplitude of the signal at the
given frequency.15 Each of the four plots represents the signal of a STA as
it was measured on each of the 4 radio chains of an AP. Each line across
the plot is one frame, and the first 200 frames are shown. As you can see,
the lines for each frame almost perfectly overlap.
In this way, 802.11 signals can be used to detect presence (or absence)
and movement. Sudden presence (or absence) is easy to measure. The
amplitude of the movement that can be detected is another area where
802.11 differs from other technologies. All RF signals obey the same laws
of physics, which limit the resolution (the amplitude of the movement that
can be detected) to a ratio of the signal bandwidth, similar in principle to
the idea of a faster sampling rate on larger channels (see the discussion of
802.11az in this chapter). For sensing, the size of the movement that can
be detected follows the equation s = c/2BW, where s is the smallest
movement size that can be measured, c is the speed of light, and BW is
the bandwidth of the signal. You can see that a 20 MHz signal can
measure movements of 7.5 meters and larger. So, if you introduce a
human body into the environment, the amplitude graph will immediately
reflect the presence of the new object. If the human body stays at the
same position for a while, the amplitude graph will stabilize, producing in
the end a pattern similar to the left side of Figure 9-4. If the human moves
a bit, the graph will still stay stable. The human needs to move by 7.5
meters or more for the graph to reflect a change that will expose the
movement with certainty. Even large channels, like 80 MHz, allow only
measurements of movements close to 2 meters. Therefore, traditional
802.11 can detect movements (like a human walking), but not much
more. Some complex systems can be set to measure the movement of an
arm, but such granularity approaches the limit of what is possible with
such channel information and requires a complex setup (e.g., multiple
antennas). As soon as more than a few objects are present and moving,
the movement is lost.
Larger channels allow for a better resolution. For example, 6 GHz offers
320 MHz channels (see Chapter 5, “EHT Physical Layer Enhancements”),
with a possible resolution of about 50 cm (less than 2 feet). 802.11 was
also defined in the 57–71 GHz range (the millimeter wave range of the
spectrum), with channels of 1.76 GHz width that can be bonded to even
larger channels. At a 1.76 GHz bandwidth, the resolution reaches 17 cm
(about 5 inches), albeit at the cost of a shorter range than is possible with
a 2.4/5/6 GHz signal. When the channels are bonded, smaller movements
become detectable, such as the movements of your fingers in the air
(over a phone screen, for example), or even small movements like those
of your chest when your heart beats or when you breathe. New use cases
become possible: You can control applications on your 802.11 device by
just moving your fingers (e.g., swiping in the air left or right), your head,
or some muscles of your face (e.g., frown or smile to lock or unlock your
computer).
As yet, most APs and most client devices do not incorporate these kinds of
millimeter wave radios. Until such radios become common, the main use
case of 802.11 will be in the 2.4/5/6 GHz bands, for presence and
movement detection. This use case is still very beneficial. When multiple
receivers are present, comparison of changes in the signal on the
receivers, processed with clever algorithms (e.g., machine learning), can
be used to recognize patterns. The system can, for example, recognize
that someone is entering your home (even if the 802.11 systems are not
at the entrance, but rather in your living room and/or bedroom), climbing
a stair, or entering or leaving a room. The 802.11 system can also
differentiate one person from two or more people. In a professional
setting, this mechanism allows users to know whether a meeting room in
an office building is occupied. In schools, this presence detection can be
coupled with HVAC systems to turn the heating (or air conditioning) off
when a classroom is empty. In factories, the movement of robots or
workers can be followed and alarms triggered in case of an anomaly (e.g.,
“man down,” presence in hazardous areas).
802.11bf
The sensing initiator is the device (STA or AP) that starts the RF
sensing measurement exchange. In most cases, it is also the device
that needs the sensing measurement report. For example, an AP is
connected to some presence detection application, and wants to
sense the environment to report to that application.
The sensing initiator and sensing responder define who is starting the
sensing dialog, and who is responding. However, 802.11 is not just about
“wanting to perform sensing,” but also about “performing sensing.” This
second action also requires at least two participants:
The sensing receiver is the other entity (STA or AP). It receives the
sensing PPDU sent by the transmitter, and measures the amplitude
and angle of each subcarrier. In this way, it evaluates the effect of
the environment on the preamble sent by the sensing transmitter.
As the receiver cares about only the preamble, the PPDU is usually a null
data PPDU. Such a PPDU carries a PHY header but no Data field.
These different roles for the sensing function are defined for both the AP
and the STA. This flexibility allows the sensing functions to be activated in
multiple ways. As you might expect, at association time, the STA and the
AP exchange capabilities that signal their ability to perform sensing, and
to fulfill one or more of the four roles. Once this exchange is complete,
some application somewhere needs some sensing function. Note that
802.11bf does not define how this communication happens, as it is usually
proprietary and, if the application is on a server behind the AP, probably
occurs over a wired connection anyway. There can be more than one
application in need of sensing—for example, presence detection in each
meeting room of an enterprise building during the day, and movement at
the entrance of the building and the windows during the night.
Each application receives the list of STAs and APs supporting sensing and
each role, and selects the actors that are useful for the application goals.
In practice, you may help the application by positioning the devices on a
map and configuring the sensing operations. At that point, a first set of
action frames allows a sensing initiator and a sensing responder to
establish a sensing session. This exchange may be somewhat complicated
if both are STAs, as their communication needs to transit through the AP.
The exchange will be simpler if one of them is the AP. In all cases, the
initiator sends an action frame to the responder, inviting the responder to
a sensing session (with its associated ID). It also suggests session
parameters (called measurement setup parameters), such as the mode
(e.g., VHT or HE), the number of radio streams that should be involved in
the transmission, and the number of participating antennas for the
receiving side, among others. A given STA (or AP) that supports the
responder role might be invited by one or more initiators to one or more
sessions, depending on the underlying requesting applications, which is
why the session ID is useful. The responder can accept the parameters or
suggest new ones.
At this point, the actors are selected and ready to operate. Once sensing
is needed, the initiator sends a new action frame establishing a new
session instance. The instance includes an instance ID, but also mentions
the session ID. Now, the exchange depicted in Figure 9-5 occurs. There
can be multiple instances in a given session, with a given setup. Once the
instances complete, the session can be either terminated or maintained
as enabled, if more instances are expected.
These exchanges are almost fully integrated with 802.11, as the 802.11bf
amendment considered the principles of 802.11be.16 This means that MLO
and MU-MIMO procedures are part of the 802.11bf choreography. You can
imagine an 802.11bf AP using the DL-MU-MIMO or OFDMA procedure, or
sending a trigger (e.g., NDPA) to a group of STAs to get these STAs to send
NDPU sensing messages in an UL-MU-MIMO frame. The integration is
partial, because at the time this book was written, MLO sensing still
needed to happen on a per-link basis (pretty much like non-MLO). Yet, it
could be useful to fully integrate the idea of the MLD, so as to range on
two bands at the same time, with each band providing its own accuracy
and view of the environment.
16 Each 802.11 Task Group is provided with an order number, based on its
expected publication date. As 802.11bf is expected to be published after
802.11be, it is the responsibility of the 802.11bf participants to consider
each new draft version of 802.11be, and to integrate its mechanisms (if
applicable) into the 802.11bf draft. This way, a new amendment always
considers the other amendments that were published earlier, avoiding
parallel developments in a vacuum (with the risk of gaps or contradictions
between amendments that are developed in parallel).
Even without full MLO support, the integration of 802.11 sensing into APs
and STAs is likely to change our interactions with 802.11 objects. In
particular, 802.11 objects can become more efficient. For example, your
phone can know if you are nearby and it should be in light sleep mode, or
if it is in a drawer and can enter a deep sleep mode that will keep the
battery at full charge for a very long time. If your home or office 802.11
AP can know when you are here, the whole notion of a smart home or
smart building is transformed. The IoT sensors (e.g., door, window) can be
deactivated automatically when the AP knows that you are there, and
activated when you leave, without the need for presence sensors in all
rooms. Your laptop, knowing that you are not around, can start an update
that is likely to take 30 minutes, but save that task for later if you are
around. In other words, the 802.11 objects around us can become
assistants of human life, beyond their strict 802.11 functions.
The idea that the energy of 802.11 frames could be used to sense the
environment also led to the idea that this energy could be harvested. In
the world of IoT, many sensors require battery power, which also defines
the lifetime of the IoT object. The designers of IoT protocols are always
looking for ways to reduce the energy consumption of battery-equipped
objects, but also realize that, in a world where Wi-Fi is omnipresent, the
802.11 energy could potentially be harvested to recharge the batteries.
After all, an AP sends a beacon about every 100 ms, day and night, even if
there are no STAs to receive it. Most of the time, this energy is wasted.
Similarly, any frame is usually an energy wave received by many devices
(all STAs in the BSA). The receiver consumes the frame data, and the
others simply ignore it. None of these frames (beacons or others)
represent a lot of energy, but they could still be collected and used by
harvesting objects.
The group also determined that there are two types of AMP objects:
Some objects are entirely passive. They typically use a coil that
can be configured before deployment, similar in concept to the anti-
theft tags that are often attached to books. When the object
receives enough energy, the coil radiates back that energy. In some
cases, the radiation is always the same message. As an example,
imagine an AMP tag attached to a fire extinguisher and radiating the
date of its last maintenance check. In other cases, a passive
mechanism allows the object to radiate information that depends on
environmental conditions. As an example, imagine that the coil is
partially obfuscated by a piece of fabric that shrinks or expands
depending on the temperature or the humidity; the sequence
radiated back reflects the length of the coil that is exposed to the RF
signal, and thus can be made to reflect the current temperature or
humidity level.
The passive AMP devices only radiate energy. Practically, this limitation
means that their signal happens only while another object is also sending
energy (in the case of 802.11, a STA or AP is sending a frame). One
interesting property of these objects is that the radiation can be offset. In
other words, the 802.11 transmission may occur on one channel, whereas
the reflected energy utilizes a slightly different frequency, thereby
avoiding direct interference with the 802.11 transmission. The semi-
passive AMP objects can generate their own frames, and so can be set to
transmit at a time when no other 802.11 object is transmitting. Practically,
however, the requirement to perform CCA consumes energy, and using a
frequency offset may be an interesting way to remove this requirement.
Because these objects are very simple, they have no or very limited
computing capability. In consequence, the modulation they send must be
simplified to the maximum extent possible. There is no hope that these
objects would be able to transmit with OFDM in the near future, but they
could send a DSSS signal (i.e., use the legacy 802.11 transmission
structure). Their transmission would not be very powerful, and would
depend on the amount of energy collected. The AMP TIG found that lower
frequencies carry more energy than higher frequencies. 17 Proof-of-
concepts showed AMP devices could receive energy from an AP (10
meters away) and radiate it back (or emit their own signal), and that a
receiver on a smartphone (placed 10 meters away from the object) could
read and understand the radiated message.
In the face of these strong results, the AMP TIG became a SG, then the
802.11bp TG in early 2024. The goal of the group is to define protocols
and mechanisms for operations of ambient powered (i.e., energy
harvesting) devices in the 2.4 GHz and sub-1 GHz bands. The group is
targeted to complete its work in 2028. By that time, you may start seeing
IoT objects that can be installed anywhere (e.g., door sensors, or sensors
you attach to any object in your environment), that will never need to be
recharged, and whose information you can read directly on your
smartphone.
A Privacy-Respecting 802.11
Note
This practice was labeled with different names, especially as vendors tried
to make the process appear to be a vendor-specific innovation, giving the
feature names like “private address” and the like. The privacy community
—in the IETF, then in the 802E Recommended Practices for Privacy, and
then in the 802.11 Working Group and its Task Groups—ended up calling
the feature “randomized and changing MAC address” (RCM), with the
understanding that the RCM address is always a local address, as
explained further in this section.
This initiative caused quite a stir, because it was done without considering
the possible effects of such changes on the device experience in 802.11
networks. In fact, the rotation of the associated MAC address immediately
broke the principles of many hotels’ guest Wi-Fi networks, which charge
customers for Wi-Fi and use the MAC address to ensure that the same user
is not charged multiple times for the same device. The operating system
vendors argued that the random MAC address was chosen within the
scope allowed by the 802 umbrella standard.18 Indeed, the standard
defines the formats of a MAC address, and indicates that the MAC address
can be universal or local. A universal MAC address is unique. A company
receives from the IEEE a company ID for part of the MAC address—for
example, the 24, 28, or 36 most significant bits of the 48-bit address,
depending on whether the company asks for a MAC address large (MA-L),
medium (MA-M), or small (MA-S) block.19 The company then has exclusive
use of the remaining 24, 20, or 12 bits of the block, and can allocate a
unique individual value for each individual device it produces. The
advantage is that the device can appear in any network on the planet,
while remaining confident that its Layer 2 identifier is unique and that no
collision with other addresses will occur.
The local address is defined (in the 802 standard) based on the idea that
some devices may never leave their native network. As such, there is no
risk of collision with another device, if the administrator plans their MAC
addressing structure properly (e.g., assigning local addresses to virtual
machines and virtual servers). To eliminate the need for an organization to
purchase an address block from the IEEE in that case, the 802 standard
allows an address to have only a local value, which means that two
different networks might potentially have overlapping local MAC
addresses. As the matching devices are supposed to never leave their
native network, there is no risk of collision. Therefore, an administrator
can set the U/L bit, and then unset the I/G bit to associate the address to a
single device. The rest of the address can be set to any value of the
administrator’s choice20 (even a random value), as the address is only
locally significant.
Vendors used this local address structure when assigning RCM addresses.
For iOS devices, a key idea was that as long as the STA did not require any
service from the AP (i.e., the RCM is used for probing, not for association)
beyond basic discovery, collisions did not matter. For Windows devices, a
key idea was that the risk of collision in any given network was minuscule,
and could therefore be ignored.
802.11aq
The 802.11aq group was the first to look into the RCM address problem.
The 802.11aq amendment (published in 2018) focused on pre-association
discovery of services,21 so this was a key group to look at the effect of
using a random local MAC address (before association occurs) for such
discovery. Combing through the 3500 pages of the 802.11-2016 standard
was out of scope (and a difficult endeavor), so the 802.11aq group
focused on only pre-association scenarios.
21 Your laptop could, for example, check whether a printer or other key
service that an application on the laptop is seeking is available on this
network, before deciding to associate.
The group concluded that there was no harm in using RCM addresses, pre-
association, provided some conditions were met. Specifically, the group
concluded that a STA could use a randomized local MAC address 22 (built
from 802C or not, and with the U/L bit set), but should keep the same
address when a transaction is started on the AP, and when a state is set
on the AP for the STA. For example, a STA could use one RCM address for a
first probe request, and then another RCM address for the next probe
request. However, for each probe request, the STA creates a transaction
on the AP: The STA asks a question to the AP, to which the STA expects a
response. During that time, the STA must keep the address it started the
transaction with. Practically, this means that if the STA sends a probe
request using address A, the STA should be able to properly receive a
response from the AP sent to address A.
23 Chapter 1 explains why the ESS carries the STA state between APs.
802.11bh
Note
This concern came to be known as the J-Lo effect, although the name is a
misnomer. The general idea is that paparazzi spend time at airports to
track trips taken by celebrities such as Jennifer Lopez, J-Lo. However,
maintaining such a presence is time-consuming. It would be much easier
to eavesdrop on the celebrity’s home and catch their phone’s MAC
address. After installing a small and hidden AP at the airport, and
observing the MAC addresses attempting to discover the AP’s SSID (or
attempting to connect), a paparazzo can place a small script that causes
the AP to send a message when key MAC addresses are detected. This
way, the paparazzo gets automatic messages when known celebrities
(and their phones) are detected as moving through the airport.
However, due to the adoption of RCM, this mechanism has not worked for
years, especially since Android 10 (in 2019) adopted the pre-association
RCM scheme. Therefore, paparazzi have changed their approaches. Their
preferred practice today is to hide an AP that advertises the same SSID as
the celebrity’s home SSID. Any MAC that attempts to connect to that
particular SSID is obviously configured to connect to the celebrity home’s
SSID and must be the celebrity or someone living in the same home. This
detection is called the J-Lo effect. RCM does not solve this problem (which
is why the name is incorrect): The personal device will try to connect
automatically, even when changing the MAC address, causing the
celebrity’s returning presence to be detected even when RCM is
implemented.
Celebrities are special cases. For most non-celebrity people, RCM and a
new MAC address are sufficient to expect that an observer will not be able
to identify the returning user.
In public venues, users may want to be recognized. The case of hotels that
charge guests for Wi-Fi access based on the device MAC address is
obvious. Suppose a guest connects to the hotel Wi-Fi and pays for the
access or for premium service that will be valid for the entire stay. In the
morning, the guest leaves the hotel to go to work or meetings. When they
return in the evening, their device picks a new RCM for a new association
—and then the guest needs to pay again for the same service.
24 There are, of course, many other cases where a STA may not want to
be recognized upon returning to the same network.
To deal with this issue, the 802.11bh group was created in 2021. Its goal is
to find solutions for these scenarios where a STA, using RCM, needs to be
recognized by the AP at its next (new) association. The 802.11bh designed
two mechanisms, which can be used independently or jointly: one
mechanism where the STA chooses its identifier, and another mechanism
where the AP allocates an identifier to the STA.
The first mechanism is called Identifiable Random MAC address (IRM). The
IRM is an RCM address, and thus a local address. At the beginning of the
procedure, a STA associates to the AP with some MAC address. As you
would expect, both the STA and the AP express support for IRM with bits
set in the Capabilities field of their initial exchanges. The expectation is
that the network will implement one of the five forms of security (see the
“802.11 Security” section in Chapter 2). As an example, we will consider
the open with encryption form here. At the end of the association, the STA
engages in a four-way handshake with the AP. In the last message of the
four-way handshake (sent from the STA to the AP, at a stage where
encryption key exchange is complete), the STA includes an IRM Key Data
Encapsulation element (KDE) that includes an (encrypted) IRM address. By
doing so, the STA indicates to the AP “this is the MAC address I will use
next time I come to you.” The AP can reject the IRM if that IRM is already
known by the AP—perhaps because by coincidence (although the collision
space is small) another station has already indicated because another STA
has already indicated its intention to use this IRM, or because the other
STA is currently using that MAC. The STA then generates a new IRM and
sends it in a new attempt of the same message.
The AP stores the IRM, along with the current STA MAC address. After the
session completes, when it returns to the same AP, and if it wants to be
recognized, the STA uses as its MAC address the IRM it indicated in the
previous association. This IRM could even be used before association,
such as for probing, FTM ranging, or other exchanges where the STA may
want to be recognized by the AP. Using that IRM as its address, the STA
then sends a new IRM in the fourth message of the four-way handshake,
indicating its address for the next session. These IRM exchange principles
are illustrated on the left side of Figure 9-7.
FIGURE 9-7 The IRM Procedure (Left) and the Device ID Procedure (Right)
in 802.11bh
The IRM scheme is flexible, giving all the power to the STA to choose its
next MAC address, and to decide whether it wants to be recognized. The
risk of collisions exists, but is usually small in most settings. That risk
increases in large settings, however. Suppose, for example, on a large
university campus with 60,000 students,25 each student carries at least a
phone and a laptop (possibly other 80.11 devices such as tablets, game
consoles, and the like). Such a campus connects 120,000 to 150,000
devices. If each device changes its MAC address daily, and if the network
management system keeps track of each MAC address for a week (for
troubleshooting, liability, or statistical purposes), the risk of collision at the
scale of the campus is 1:35.26 That means that several collisions will be
reported each week. Each event does not necessarily mean that a STA
(IRM-generated) MAC address will collide with the active MAC address of
another device in the same BSS—but it does mean that the management
system will receive the declaration of an IRM that is the known MAC
address of another STA (that MAC address may currently be active or not),
causing the management system to confuse two STAs.
To avoid this issue, and also accommodate enterprise scenarios where the
infrastructure controls the behavior of the enterprise assets, 802.11bh
allows another mechanism, called device ID. The logic of device ID is
similar to that of IRM, but the process is reversed. To illustrate this
mechanism, we will again take the open with encryption scheme as an
example. The STA first associates using some MAC address. Then, in the
third message of the four-way handshake (recall from Chapter 2 that at
this point the AP has installed the keys), the AP sends an encrypted
Device ID KDE as an identifier for the STA. Unlike in IRM, where the IRM is
a MAC address, the device ID can be any type of value—a MAC address, a
string, or any other structure that the local network wants to use to
identify STAs. The STA continues its session with the MAC address it had
started using at the authentication phase. Here again, just as with IRM, it
follows the 802.11-2020 requirement (derived from 802.11aq-2018) that a
STA must not change its MAC address as soon as it has caused a state to
be created on the AP.
At some point, the STA ends its session. The next time it comes back to
the AP, probably using a new MAC address, in the second message of the
four-way handshake, the STA (if it wants to be recognized) indicates in a
Device ID KDE the device ID it had received in the previous session. This
allows the AP to recognize the STA and map the new MAC back to the
previous MAC address. In the third (encrypted) message, the AP assigns to
the STA a new device ID, for the next session. The AP can also just
reassign the same device ID if it so desires. These mechanisms are
illustrated on the right side of Figure 9-7. The second message of the four-
way handshake is not encrypted, so any observer can see the Device ID
KDE. However, seeing this element does not help an eavesdropper. The
observer does not know which MAC address the STA used in the previous
session. The only conclusion that can be drawn from the Device ID KDE
observation is that the STA is returning, and was assigned this device ID
before.
One major difference between IRM and the device ID approach is that the
device ID value is exchanged after association in most cases. 27 Therefore,
the returning STA cannot be recognized when it sends messages before
association. 802.11 includes an unauthenticated mechanism for a STA to
create a secured tunnel to an AP before association, known as the Pre-
Association Security Negotiation (PASN) protocol. 28 With PASN, the STA
and the AP exchange public keys, which are then used to encrypt the
traffic they exchange. That is, the STA uses the AP public key to encrypt
traffic sent to the AP, and the AP uses the STA public key to encrypt traffic
sent to the STA. If the AP and the STA are not part of the same key
infrastructure, the procedure can be unauthenticated, in the sense that
the traffic is encrypted, but the STA has no guarantee that the AP is
genuinely part of the infrastructure. When the returning STA and the AP
are part of the same organization, this uncertainty is eliminated. In any
case, the device ID mechanism allows the STA to indicate its device ID
value in the first PASN frame it sends to the AP, allowing the pair to
exchange (e.g., FTM ranging messages) while the AP knows the identity of
the STA.
802.11bi
To address the issue of 802.11 privacy, the IEEE 802.11 Working Group
also created the 802.11bi Task Group in 2021. It is working in parallel to
the 802.11bh group, but has the broader and longer goal of improving the
privacy of 802.11 networks.
As this book was being written, the 802.11bi group was still in its early
phases, but had already made important progress. One finding is that
“privacy” may refer to the exchanges of the STA, but also to the frames
received or sent by the AP (e.g., in your home, or for the virtual AP on
your phone when set to tethering mode). The AP problem is very different
from the STA problem. The AP sets the tempo, and acts as the stable point
of the BSS. Hiding the AP identity implies changing its MAC address often,
which creates all sort of issues for STAs. Therefore, the 802.11bi group has
defined two concepts: (1) client privacy enhancements (CPE), sets of
features that aim to improve the non-AP STA privacy, and (2) BSS privacy
enhancements (BPE), sets of features that aim to improve the privacy of
both the AP and the non-AP STA. BPE is more difficult than CPE to
accomplish, so the group first focused on the latter.
One key difficulty remains in regard to the pace at which the MAC address
changes. If all STAs change their OTA MAC at a fast pace (e.g., at each
TXOP), then the collision risk mentioned earlier in this chapter becomes a
collision certainty. In the university campus example, a rotation per TXOP
would cause the management system to see more than 200 million new
MAC addresses every hour, making collisions unavoidable. At the same
time, if there are only a few STAs in the BSS, changing the OTA MAC at a
fast pace is the best way to provide an impression of mass (a BSS with
many STAs) and make the STA tracking task more difficult. In contrast,
changing the OTA MAC requires computation on both the AP and the STA.
Some STAs may have limited computational ability, such as an IoT device
with a very basic CPU and the requirement to conserve battery energy.
The AP may also be limited in the number of its own OTA MACs and the
STAs’ OTA MACs that it can compute per unit of time. Lastly, some STAs
may have strong privacy requirements (e.g., your smartphone), whereas
others may have more relaxed privacy requirements (e.g., a smart light).
To accommodate all these needs, the 802.11bi protocol allows for three
rotation schemes:
An automated rotation scheme is the default. At association time (at
the end of the four-way handshake), the AP agrees with the STA on
the rotation scheme to use, and informs the STA of the rotation pace
—that is, the duration for which an OTA MAC can be used before
being changed. This duration, called an epoch, can last anywhere
from one TBTT (beacon interval time) to many hours. In most cases,
the epoch duration will depend on the network type, and will be
configured by the local network administrator. For example, in a
public network (airport, coffee shop, or other hotspot), where
eavesdroppers are possible, the rotation pace may be fast, with the
epoch lasting only a few seconds. In an enterprise network, where
eavesdropping risks are limited, the epoch may last a few minutes
or a few hours. The STA acknowledges the epoch structure and
starts following the OTA MAC rotation pace.
If the STA does not like the default value and does not find a group
whose rotation pace it likes, it can ask for an individual epoch
structure. The AP can refuse the proposal if the structure contradicts
the AP’s policy or causes too much computation complexity for the
AP. If the AP accepts, then the STA gets its own epoch structure. If
two or more STAs happen to request the same individual structure,
then the individual structure can become a new group.
Summary
Numerics
5 GHz band, 7
o AP discovery
out-of-band, 94–96
short beacons, 94
o channels, 88–89
o indoor/outdoor operation, 92
802.1Q, 35
802.1X, 312
802.11
o 6 GHz band, 88
channels, 88–89
short beacons, 94
o architecture, 4
o authentication, 17
o beacon report, 28
o ESS, 5–6
o frame, 11–12
Duration/ID field, 13
PHY preamble, 13
o sensing, 321–323
o STA (station), 4
non-AP, 5
amendment, 4
maintenance group, 4
802.11a, 107
802.11ac, 39–40
802.11ai, 53–54
802.11aq, 331
802.11ax, 39–40, 58
o densification, 99–100
o multiuser operations, 70
o multiuser transmissions, 61
o scheduling, 70
o sounding, 70–72
o AP, 222–223
ML setup, 189–191
modes, 198–200
o PPDU
o sounding, 229–231
802.11bf, 323–327
802.11bh, 331–335
802.11bi, 336–338
802.11bk, 316–317
802.11e, 34–35
802.11g, 38
802.11n, 39
4096-QAM, 165–168
A
AC (access categories), 31, 33
amendment, 4
o 802.11a, 107
o 802.11aq, 331
o 802.11az, 315–316
o 802.11bf, 323–327
o 802.11bh, 331–335
o 802.11bi, 336–338
o 802.11bk, 316–317
o 802.11i, 18
o 802.11K, 28–29
o 802.11n-2009, 10
o 802.11v, 29–30
o 802.11, 320
o authentication
o density, 107
o device, 177
o EHT, 222–223
o hybrid, 317–319
o indoor, 92
ML reconfiguration, 207–208
multi-AP, 125–126
o roaming, 26–27
o scanning, 15–16
active, 16–17
passive, 16
o short beacons, 94
o sounding, 62–63
applications
o critical, 110
o video-conferencing, 103
aSlotTime, 19
o re-, 207
association frame, 41
o 802.11, 17
o MLD-level, 193–194
bandwidth
o increasing, 117–118
o Wi-Fi, 103
o Wi-Fi 7, 137
Barker sequence, 8
beacon report, 28
block acknowledgment, 12
broadcast TWT, 86
neighbor AP detection, 80
o EHT, 222–223
o overlapping, 79
o roaming, 26–27
o 802.11ax, 66
o aSlotTime, 19
o delay, 19
o SD (signal detect), 20
cell, 269
o capacity, 276–280
o size, 280–281
o high-performance, 123–125
o reuse, 281–284
o smoothing, 170
o steering, 123–124
o wide, 288–289
o width, 117–119
coexistence, 37
o 802.11n protection, 39
o ERP protection, 38
BSS-wide mechanism, 38
cyclic extension, 9
data rate
o Wi-Fi 7, 136–139
determinism, 100–101
o multiuser, 76–77
ERP protection, 38
o BSS-wide mechanism, 38
frame/s
o 802.11, 11
Duration/ID field, 13
PHY preamble, 13
o association, 41
o association response, 41
o Beacon, 264
o null, 27
o probe request, 16
o SCS request, 36
BFRP, 74
BSRP, 88
o TWT setup, 85
o TWT teardown, 86
guard interval, 9
hardware retries, 22
IEEE 802.11be, 2
indoor API, 92
infrastructure BSS, 15
IoT, 107
o power, 327
J-K-L
jitter, 23
o 802.11be/EHT, 225
o Wi-Fi 8, 303
L4S, 308
roaming, 303–304
maintenance group, 4
marking, 104
o 802.11ax, 60
o multiuser, 61–63
o single-user, 61
o multi-AP, 125–126
o ML reconfiguration, 207–208
o ML setup, 189–191
o mode, 198–200
o large-size, 160–164
o small-size, 164
non-AP STA, 5
o EHT, 222–223
null frame, 27
overlapping BSSs, 79
passive scanning, 16
PHY, 11–12, 13
o Wi-Fi 7
bandwidth, 137
o Wi-Fi 8, 300
PHY preamble, 13
pixelization, 106
policing, 31
power
o IoT, 327
PPDU
o EHT, 139–149
o EHT, 228–229
o static, 121–122
o marking, 104
o policing, 31
enhanced, 233
o shaping, 31
o Wi-Fi 8, 304
RF sensing, 320–323
roaming, 26–27
o Wi-Fi 8, 303–304
RSN (robust security network), 18
o 802.11ax, 63–66
o large-size, 161–164
o optimization, 121–123
o small-size, 164–165
o active, 16–17
o passive, 16
o enhanced, 233
SD (signal detect), 20
security, 40
o 802.1X, 312
o 802.11bf, 323–327
o RF, 320–323
shaping, 31
short beacons, 94
o 802.11ax, 70–72
o EHT, 229–231
spatial reuse
o parameter-free, 81–83
o parameterized, 83–84
SSID, 5, 123
o AP discovery
out-of-band, 94–96
short beacons, 94
aSlotTime, 19
delay, 19
SD (signal detect), 20
o dozing mode, 85
o MLD-affiliated, 178
o non-AP, 5
o non-MLD, 179
o roaming, 26–27
active, 16–17
passive, 16
subfield, 73
o 802.11az, 315–316
o 802.11be, 328–329
o 802.11bi, 336
o 802.11bk, 316
o 802.11bn, 298–299
o 802.11bp, 328
o 802.11, 2–3
o amendment, 4
o maintenance group, 4
throughput, 103, 308. See also data rate
o AIML, 310–311
trajectory, 28–29
o 802.11ah, 124–125
o restricted, 245–251
video
applications, 103
QoS, 104
o delay, 101
o pixelization, 106
o real-time, 107
o streaming, 116–117
Wi-Fi
o incumbency, 120
Wi-Fi 6, 58
o densification, 99–100
Wi-Fi 7, 99
o 4096-QAM, 165–168
o antennas, 138
o capacity, 100–101
o determinism, 100–101
o device growth, 99–100
o PHY
bandwidth, 137
characteristics, 135–136
o QoS, 108
Wi-Fi 8, 298–299
L4S, 308
o QoS, 304
o security
o timeline, 299
o Wi-Fi 7, 284
X-Y-Z