Ch-04 Wireless LAN

The document provides an overview of Wireless LAN, including its characteristics, advantages, and disadvantages. It discusses Bluetooth technology, its history, and the IEEE 802.11 standards for Wi-Fi, highlighting design goals, transmission methods, and security protocols. Additionally, it compares infrared and radio transmission, and outlines the infrastructure of wireless networks.

Wireless LAN

CE-TE-MC
Suvarna Chaure
Assistant Professor
Dept. of Computer Engineering,
SIES Graduate School of Technology
Outline
• Overview of wireless LAN
• Bluetooth
• IEEE 802.11
• Wi-Fi Security

Characteristics of wireless LANs
Advantages
• Flexibility: very flexible within the reception area
• Planning: Ad-hoc networks without previous planning possible
• Design: (almost) no wiring difficulties (e.g. historic buildings, firewalls)
• Robustness: more robust against disasters like, e.g., earthquakes, fire - or users pulling a plug...
• Cost

Disadvantages
• Quality of Service: typically very low bandwidth compared to wired networks (1-10 Mbit/s)
• Proprietary Solutions: many proprietary solutions, especially for higher bit-rates; standards take their time (e.g. IEEE 802.11)
• Restrictions: products have to follow many national restrictions if working wireless; it takes a very long time to establish global solutions like, e.g., IMT-2000
• Safety and Security
Design goals for wireless LANs

• Global, seamless operation
• Low power for battery use
• License free operations: no special permissions or licenses needed to use the LAN
• Robust transmission technology
• Simplified spontaneous cooperation at meetings
• Easy to use for everyone, simple management
• Protection of investment in wired networks
• Safety and Security: security (no one should be able to read my data), privacy (no one should be able to collect user profiles), safety (low radiation)
• Transparency concerning applications and higher layer protocols, but also location awareness if necessary
Comparison: infrared vs. radio transmission
Infrared
• uses IR diodes, diffuse light, multiple reflections (walls, furniture etc.)
Advantages
• simple, cheap, available in many mobile devices
• no licenses needed
• simple shielding possible
Disadvantages
• interference by sunlight, heat sources etc.
• many things shield or absorb IR light
• low bandwidth
• Can not penetrate through walls
Example
• IrDA (Infrared Data Association) interface available everywhere

Radio
• typically using the license free ISM band at 2.4 GHz
Advantages
• experience from wireless WAN and mobile phones can be used
• coverage of larger areas possible (radio can penetrate walls, furniture etc.)
• Higher transmission rates.
Disadvantages
• Very limited license free frequency bands
• Shielding more difficult
• Interference with other electrical devices
Example
• WaveLAN, HIPERLAN, Bluetooth
Infrastructure vs. Ad hoc WLANs
[Figure: an infrastructure network, in which access points (AP: Access Point) are attached to a wired network, next to an ad-hoc network. Source: Schiller]
Mobile Communication Technology according to IEEE
• WLAN 802.11 (local wireless networks, WiFi): 802.11a, 802.11b, 802.11g, 802.11h, 802.11i/e/…/w
• WPAN 802.15 (personal wireless networks): 802.15.1 (Bluetooth), 802.15.2, 802.15.3, 802.15.3a/b, 802.15.4 (ZigBee), 802.15.4a/b, 802.15.5
• WMAN 802.16 (wireless distribution networks, Broadband Wireless Access, WiMAX); + Mobility: 802.20 (Mobile Broadband Wireless Access)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/
Bluetooth
Idea
 Universal radio interface for ad-hoc wireless connectivity
 Interconnecting computer and peripherals, handheld devices, PDAs, cell phones –
replacement of IrDA
 Embedded in other devices, goal: 5€/device (2005: 40€/USB bluetooth)
 Short range (10 m), low power consumption, license-free 2.45 GHz ISM
 Voice and data transmission, approx. 1 Mbit/s gross data rate

One of the first modules (Ericsson).

Bluetooth
History
 1994: Ericsson (Mattison/Haartsen), “MC-link” project
 Renaming of the project: Bluetooth according to Harald “Blåtand” Gormsen [son of Gorm],
King of Denmark in the 10th century
 1998: foundation of Bluetooth SIG, www.bluetooth.org (was: )
 1999: erection of a rune stone at Ericsson/Lund ;-)
 2001: first consumer products for mass market, spec. version 1.1 released
 2005: 5 million chips/week

Special Interest Group


 Original founding members: Ericsson, Intel, IBM, Nokia, Toshiba
 Added promoters: 3Com, Agere (was: Lucent), Microsoft, Motorola
 > 2500 members
 Common specification and certification of products

History and hi-tech…

1999: Ericsson Mobile Communications AB raised this stone in memory of Harald Bluetooth, who gave his name to a new technology for wireless, mobile communication.

Characteristics
2.4 GHz ISM band, 79 (23) RF channels, 1 MHz carrier spacing
 Channel 0: 2402 MHz … channel 78: 2480 MHz
 G-FSK modulation, 1-100 mW transmit power
FHSS and TDD
 Frequency hopping with 1600 hops/s
 Hopping sequence in a pseudo random fashion, determined by a master
 Time division duplex for send/receive separation
Voice link – SCO (Synchronous Connection Oriented)
 FEC (forward error correction), no retransmission, 64 kbit/s duplex, point-to-point, circuit switched
Data link – ACL (Asynchronous ConnectionLess)
 Asynchronous, fast acknowledge, point-to-multipoint, up to 433.9 kbit/s symmetric or 723.2/57.6 kbit/s asymmetric, packet switched
Topology
 Overlapping piconets (stars) forming a scatternet
Piconet
Collection of devices connected in an ad hoc fashion
One unit acts as master and the others as slaves for the lifetime of the piconet
Master determines hopping pattern, slaves have to synchronize
Each piconet has a unique hopping pattern
Participation in a piconet = synchronization to hopping sequence
Each piconet has one master and up to 7 simultaneous slaves (> 200 could be parked)
[Figure: a piconet; M=Master, S=Slave, P=Parked, SB=Standby]

Forming a piconet
All devices in a piconet hop together
 Master gives slaves its clock and device ID
 Hopping pattern: determined by device ID (48 bit, unique worldwide)
 Phase in hopping pattern determined by clock

Addressing
 Active Member Address (AMA, 3 bit)
 Parked Member Address (PMA, 8 bit)
[Figure: standby devices (SB) forming a piconet with one master (M), slaves (S) and parked devices (P)]

Scatternet
Linking of multiple co-located piconets through the sharing of common master or slave devices
 Devices can be slave in one piconet and master of another
Communication between piconets
 Devices jumping back and forth between the piconets
[Figure: piconets (each with a capacity of 720 kbit/s) linked into a scatternet; M=Master, S=Slave, P=Parked, SB=Standby]
Bluetooth protocol stack
[Figure: protocol stack, from top to bottom]
• Applications: audio apps., NW apps., vCal/vCard, telephony apps., mgmnt. apps.
• TCP/UDP, IP, BNEP, PPP, OBEX, AT modem commands, TCS BIN, SDP, Control
• RFCOMM (serial line interface)
• Audio; Logical Link Control and Adaptation Protocol (L2CAP)
• Host Controller Interface
• Link Manager
• Baseband
• Radio
AT: attention sequence
OBEX: object exchange
TCS BIN: telephony control protocol specification – binary
BNEP: Bluetooth network encapsulation protocol
SDP: service discovery protocol
RFCOMM: radio frequency comm.
Frequency selection during data transmission
[Figure: three timelines (t) of 625 µs slots in which master (M) and slave (S) alternate. First row: M, S, M, S, M, S, M on fk, fk+1, fk+2, fk+3, fk+4, fk+5, fk+6. Second row: M, S, M, S, M on fk, fk+3, fk+4, fk+5, fk+6. Third row: M, S, M on fk, fk+1, fk+6.]

Baseband link types
Polling-based TDD packet transmission
 625µs slots, master polls slaves
SCO (Synchronous Connection Oriented) – Voice
 Periodic single slot packet assignment, 64 kbit/s full-duplex, point-to-point
ACL (Asynchronous ConnectionLess) – Data
 Variable packet size (1,3,5 slots), asymmetric bandwidth, point-to-multipoint

Baseband Physical link types
Synchronous Connection Oriented (SCO) payload types, payload (30), field sizes in bytes:
• HV1: audio (10), FEC (20)
• HV2: audio (20), FEC (10)
• HV3: audio (30)
• DV: audio (10), header (1), payload (0-9), 2/3 FEC, CRC (2)

Baseband link types

[Figure: alternating SCO and ACL slots. MASTER: f0, f4, f6, f8, f12, f14, f18, f20. SLAVE 1: f1, f7, f9, f13, f19. SLAVE 2: f5, f17, f21.]

Robustness
Slow frequency hopping with hopping patterns determined by a master
 Protection from interference on certain frequencies
 Separation from other piconets (FH-CDMA)
Retransmission
 ACL only, very fast
Forward Error Correction
 SCO and ACL
[Figure: MASTER sends A, C, C, F, H; SLAVE 1 sends B, D, E; SLAVE 2 sends G, G. An error in the payload (not header!) is answered with NAK, a correct packet with ACK.]

Example: Power consumption/CSR BlueCore2
Typical Average Current Consumption (1)
VDD=1.8V Temperature = 20°C
Mode
SCO connection HV3 (1s interval Sniff Mode) (Slave) 26.0 mA
SCO connection HV3 (1s interval Sniff Mode) (Master) 26.0 mA
SCO connection HV1 (Slave) 53.0 mA
SCO connection HV1 (Master) 53.0 mA
ACL data transfer 115.2kbps UART (Master) 15.5 mA
ACL data transfer 720kbps USB (Slave) 53.0 mA
ACL data transfer 720kbps USB (Master) 53.0 mA
ACL connection, Sniff Mode 40ms interval, 38.4kbps UART 4.0 mA
ACL connection, Sniff Mode 1.28s interval, 38.4kbps UART 0.5 mA
Parked Slave, 1.28s beacon interval, 38.4kbps UART 0.6 mA
Standby Mode (Connected to host, no RF activity) 47.0 µA
Deep Sleep Mode(2) 20.0 µA
Notes:
(1) Current consumption is the sum of both BC212015A and the flash.
(2) Current consumption is for the BC212015A device only.
(More: www.csr.com )

Example: Bluetooth/USB adapter (2002: 50€)

L2CAP - Logical Link Control and Adaptation Protocol
Simple data link protocol on top of baseband
Connection oriented, connectionless, and signalling channels
Protocol multiplexing
 RFCOMM, SDP, telephony control
Segmentation & reassembly
 Up to 64kbyte user data, 16 bit CRC used from baseband
QoS flow specification per channel
 Follows RFC 1363, specifies delay, jitter, bursts, bandwidth
Group abstraction
 Create/close group, add/remove member
Security
[Figure: both devices run the same chain, from top to bottom]
 User input (initialization): PIN (1-16 byte) on each device, used for pairing
 Authentication key generation: E2 yields the link key (128 bit, possibly permanent storage), used for authentication
 Encryption key generation: E3 yields the encryption key (128 bit, temporary storage), used for encryption
 Keystream generator: yields the payload key, used for ciphering
 Data leaves one device as cipher data and is turned back into data on the other

SDP – Service Discovery Protocol
Inquiry/response protocol for discovering services
 Searching for and browsing services in radio proximity
 Adapted to the highly dynamic environment
 Can be complemented by others like SLP, Jini, Salutation, …
 Defines discovery only, not the usage of services
 Caching of discovered services
 Gradual discovery

Additional protocols to support legacy protocols/apps.
RFCOMM
 Emulation of a serial port (supports a large base of legacy applications)
 Allows multiple ports over a single physical channel

Telephony Control Protocol Specification (TCS)


 Call control (setup, release)
 Group management

OBEX
 Exchange of objects, IrDA replacement

WAP
 Interacting with applications on cellular phones

Profiles
Represent default solutions for a certain usage model
 Vertical slice through the protocol stack
 Basis for interoperability
[Figure: profiles drawn as vertical slices across applications and protocols]
Profiles
 Generic Access Profile
 Service Discovery Application Profile
 Cordless Telephony Profile
 Headset Profile
 Dial-up Networking Profile
 Fax Profile
 LAN Access Profile
 Generic Object Exchange Profile
 Object Push Profile
 File Transfer Profile
 Synchronization Profile
Additional Profiles
 Advanced Audio Distribution
 PAN
 Audio Video Remote Control
 Basic Printing
 Basic Imaging
 Extended Service Discovery
 Generic Audio Video Distribution
 Hands Free
 Hardcopy Cable Replacement

802.11 - Architecture of an infrastructure network
Station (STA)
 terminal with access mechanisms to the wireless medium and radio contact to the access point
Basic Service Set (BSS)
 group of stations using the same radio frequency
Access Point
 station integrated into the wireless LAN and the distribution system
Portal
 bridge to other (wired) networks
Distribution System
 interconnection network to form one logical network (ESS: Extended Service Set) based on several BSS
[Figure: two 802.11 LANs, BSS 1 (with STA1) and BSS 2 (with STA2 and STA3), each with an access point; the distribution system joins them into an ESS and a portal links it to an 802.x LAN]
802.11 - Architecture of an ad-hoc network
Direct communication within a limited range
 Station (STA): terminal with access mechanisms to the wireless medium
 Independent Basic Service Set (IBSS): group of stations using the same radio frequency
[Figure: two 802.11 LANs, IBSS1 and IBSS2, formed by the stations STA1 to STA5]
Wireless v/s Wired networks
• Regulations of frequencies
Limited availability, coordination is required
useful frequencies are almost all occupied
• Bandwidth and delays
Low transmission rates
few Kbps to some Mbps.
Higher delays
several hundred milliseconds
Higher loss rates
susceptible to interference, e.g., engines, lightning
• Always shared medium
Lower security, simpler active attacking
radio interface accessible for everyone
Fake base stations can attract calls from mobile phones
secure access mechanisms important

Difference Between Wired and Wireless

[Figure: stations A, B and C on an Ethernet LAN and on a wireless LAN]
• If both A and C sense the channel to be idle at the same time, they send at the same time.
• Collision can be detected at sender in Ethernet.
• Half-duplex radios in wireless cannot detect collision at sender.
Effect of mobility on protocol stack
Application
new applications and adaptations
Transport
congestion and flow control
Network
addressing and routing
Link
media access and handoff
Physical
transmission errors and interference

802.11-based Wireless LANs
Architecture and Physical Layer
802.11- in the TCP/IP stack
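[Figure: a mobile terminal reaches a fixed terminal (server) in the infrastructure network through an access point]
Protocol stacks, top to bottom:
• mobile terminal: application, TCP, IP, LLC, 802.11 MAC, 802.11 PHY
• access point: LLC, 802.11 MAC and 802.3 MAC, 802.11 PHY and 802.3 PHY
• fixed terminal: application, TCP, IP, LLC, 802.3 MAC, 802.3 PHY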
802.11 - Layers and functions
PLCP (Physical Layer Convergence Protocol)
• clear channel assessment signal (carrier sense)
PMD (Physical Medium Dependent)
• modulation, coding
PHY Management
• channel selection, MIB
MAC
• access mechanisms, fragmentation, encryption
MAC Management
• synchronization, roaming, MIB, power management
Station Management
• coordination of all management functions
[Figure: DLC holds LLC and MAC with MAC Management; PHY holds PLCP and PMD with PHY Management; Station Management runs alongside both management blocks]
IEEE 802.11

Wireless LAN standard defined in the unlicensed spectrum (2.4 GHz and 5 GHz U-NII bands)

band                    width      λ
902 MHz – 928 MHz       26 MHz     33 cm
2.4 GHz – 2.4835 GHz    83.5 MHz   12 cm
5.15 GHz – 5.35 GHz     200 MHz    5 cm

The standard covers the MAC sublayer and PHY layers
Three different physical layers in the 2.4 GHz band: FHSS, DSSS and IR
OFDM based PHY layer in the 5 GHz band (802.11a)
802.11 - Physical layer
3 versions of spread spectrum: 2 radio (typ. 2.4 GHz), 1 IR; data rates 1 or 2 Mbps
FHSS (Frequency Hopping Spread Spectrum)
• spreading, despreading, signal strength, typically 1 Mbps; min. 2.5 frequency hops/s (USA), two-level GFSK modulation

DSSS (Direct Sequence Spread Spectrum)
• DBPSK modulation for 1 Mbps (Differential Binary Phase Shift Keying), DQPSK for 2 Mbps (Differential Quadrature PSK)
• preamble and header of a frame is always transmitted with 1 Mbps, rest of transmission 1 or 2 Mbps
• chipping sequence: +1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1 (Barker code)
• max. radiated power 1 W (USA), 100 mW (EU), min. 1 mW

Infrared
• 850-950 nm, diffuse light, typ. 10 m range
• carrier detection, energy detection, synchronization
FHSS PHY packet format
• Synchronization
synch with 010101... pattern
• SFD (Start Frame Delimiter)
0000110010111101 start pattern
• PLW (PLCP_PDU Length Word)
length of payload incl. 32 bit CRC of payload, PLW < 4096
• PSF (PLCP Signaling Field)
data of payload (1 or 2 Mbit/s)
• HEC (Header Error Check)
CRC with x^16 + x^12 + x^5 + 1

bits       field
80         synchronization (PLCP preamble)
16         SFD (PLCP preamble)
12         PLW (PLCP header)
4          PSF (PLCP header)
16         HEC (PLCP header)
variable   payload


DSSS PHY packet format
• Synchronization
synch., gain setting, energy detection, frequency offset compensation
• SFD (Start Frame Delimiter)
1111001110100000
• Signal
data rate of the payload (0A: 1 Mbit/s DBPSK; 14: 2 Mbit/s DQPSK)
• Service
future use, 00: 802.11 compliant
• Length
length of the payload
• HEC (Header Error Check)
protection of signal, service and length, x^16 + x^12 + x^5 + 1

bits       field
128        synchronization (PLCP preamble)
16         SFD (PLCP preamble)
8          signal (PLCP header)
8          service (PLCP header)
16         length (PLCP header)
16         HEC (PLCP header)
variable   payload


Hardware
Original WaveLAN card (NCR)
914 MHz Radio Frequency
Transmit power 281.8 mW
Transmission Range ~250 m (outdoors) at 2Mbps
SNRT 10 dB (capture)
WaveLAN II (Lucent)
2.4 GHz radio frequency range
Transmit Power 30mW
Transmission range 376 m (outdoors) at 2 Mbps (60m indoors)
Receive Threshold = - 81dBm
Carrier Sense Threshold = -111dBm
Many others….Agere, Cisco,………

802.11-based Wireless LANs
MAC functional spec - DCF
802.11 - MAC layer I - DFWMAC
Traffic services
• Asynchronous Data Service (mandatory)
exchange of data packets based on “best-effort”
support of broadcast and multicast
• Time-Bounded Service (optional)
implemented using PCF (Point Coordination Function)
Access methods
• DFWMAC-DCF CSMA/CA (mandatory)
collision avoidance via randomized „back-off“ mechanism
minimum distance between consecutive packets
ACK packet for acknowledgements (not for broadcasts)
• DFWMAC-DCF w/ RTS/CTS (optional)
Distributed Foundation Wireless MAC
avoids hidden terminal problem
• DFWMAC- PCF (optional)
access point polls terminals according to a list
802.11 - MAC layer II
 Priorities
• defined through different inter frame spaces
• no guaranteed, hard priorities
 SIFS (Short Inter Frame Spacing)
• highest priority, for ACK, CTS, polling response
 PIFS (PCF IFS)
• medium priority, for time-bounded service using PCF
 DIFS (DCF, Distributed Coordination Function IFS)
• lowest priority, for asynchronous data service

[Figure: after "medium busy", the inter frame spaces SIFS, PIFS and DIFS are shown on the time axis t, followed by the contention window and the next frame; direct access if medium is free ≥ DIFS]
802.11 - CSMA/CA access method I (randomized back-off mechanism)

[Figure: after "medium busy" and DIFS, the contention window, divided into slot times, precedes the next frame; direct access if medium is free ≥ DIFS]

• station ready to send starts sensing the medium (Carrier Sense based on CCA,
Clear Channel Assessment)
• if the medium is free for the duration of an Inter-Frame Space (IFS), the station can
start sending (IFS depends on service type)
• if the medium is busy, the station has to wait for a free IFS, then the station must
additionally wait a random back-off time (collision avoidance, multiple of slot-time)
• if another station occupies the medium during the back-off time of the station, the
back-off timer stops (fairness)
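
The back-off rules above, run as a small slot-based simulation. This is an added example, not part of the original slides; the timing constants, the station names and the `redraw` callback are assumptions chosen for illustration.

```python
# Assumed timing in slot times (illustrative values, not taken from the slides).
DIFS_SLOTS = 2
FRAME_SLOTS = 10


def contend(backoff, redraw):
    """Run contention rounds until every station has sent one frame.

    backoff: dict station -> initially drawn back-off time in slots
    redraw:  callable(station) -> new back-off after a collision
    Returns a list of (start_slot, event, stations, residual_backoffs).
    """
    residual = dict(backoff)
    clock = 0
    log = []
    while residual:
        # Medium is idle for DIFS, then all waiting stations count down together.
        elapsed = min(residual.values())
        clock += DIFS_SLOTS + elapsed
        senders = sorted(s for s, b in residual.items() if b == elapsed)
        # Every station stops its timer now and keeps the residual back-off
        # for the next round instead of drawing a new one (fairness).
        for station in residual:
            residual[station] -= elapsed
        if len(senders) == 1:
            del residual[senders[0]]
            event = "tx"
        else:
            # Two timers expired in the same slot: the frames collide and
            # the colliding stations draw a new back-off.
            for station in senders:
                residual[station] = redraw(station)
            event = "collision"
        log.append((clock, event, senders, dict(residual)))
        clock += FRAME_SLOTS  # medium busy while the frame(s) are on the air
    return log


def tx_order(log):
    """Successful transmissions as (start_slot, station)."""
    return [(start, who[0]) for start, event, who, _ in log if event == "tx"]


if __name__ == "__main__":
    # Constructed scenario: three stations become ready while the medium is busy.
    for entry in contend({"A": 5, "B": 2, "C": 7}, redraw=lambda s: 0):
        print(entry)
    # Constructed scenario with a tie: A and B draw the same back-off.
    draws = iter([4, 1])
    for entry in contend({"A": 3, "B": 3, "C": 5}, lambda s: next(draws)):
        print(entry)
```

In the first scenario station C drew the largest back-off, yet it never redraws: its residual shrinks from 7 to 5 to 2, so a station that has already waited moves ahead of later contenders.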
802.11 - competing stations - simple version
[Figure: timelines (t) for station1 to station5 over four DIFS periods, marking for each station its busy periods, its elapsed back-off time (boe) and its residual back-off time (bor)]
• busy: medium not idle (frame, ack etc.)
• boe: elapsed backoff time
• bor: residual backoff time
• arrow: packet arrival at MAC

802.11 - CSMA/CA access method II
• Sending unicast packets
• station has to wait for DIFS before sending data
• receivers acknowledge at once (after waiting for SIFS) if the packet was received
correctly (CRC)
• automatic retransmission of data packets in case of transmission errors

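[Figure: the sender waits DIFS and sends data; the receiver waits SIFS and returns the ACK; other stations have a waiting time until DIFS has passed after the ACK, then contend to send their data]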
802.11 - DFWMAC
• Sending unicast packets
• station can send RTS with reservation parameter after waiting for DIFS (reservation
determines amount of time the data packet needs the medium)
• acknowledgement via CTS after SIFS by receiver (if ready to receive)
• sender can now send data at once, acknowledgement via ACK
• other stations store medium reservations distributed via RTS and CTS

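[Figure: the sender waits DIFS and sends RTS; the receiver returns CTS after SIFS; the sender sends data after SIFS; the receiver returns ACK after SIFS. Other stations set NAV (RTS) and NAV (CTS) and defer access, then wait DIFS and contend to send their data]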
Fragmentation

[Figure: the sender waits DIFS and sends RTS, frag1 and frag2; the receiver returns CTS, ACK1 and ACK2; the frames are separated by SIFS. Other stations set NAV (RTS), NAV (CTS), NAV (frag1) and NAV (ACK1), then wait DIFS and contend to send their data]
• DCF cannot guarantee a maximum access delay or minimum transmission bandwidth.
• To provide a time-bounded service, the standard specifies a point coordination function (PCF) on top of the standard DCF mechanisms. Using PCF requires an access point that controls medium access and polls the single nodes.
• Ad-hoc networks cannot use this function, so they provide no QoS, only ‘best effort’, in IEEE 802.11 WLANs.
• The point co-ordinator in the access point splits the access time into super frame periods. A super frame comprises a contention-free period and a contention period.
Point Coordination Function (PCF)
• Alternative access method implemented on top of DCF
• Polling by centralized polling master (point coordinator)
• Uses PIFS when issuing polls
• PIFS smaller than DIFS
• Can seize medium and lock out all asynchronous traffic while it issues polls and
receives responses
E.g. wireless network configured so number of stations with time-sensitive traffic
controlled by point coordinator
• Remaining traffic contends for access using CSMA
• Point coordinator polls in round-robin to stations configured for polling
• When poll issued, polled station may respond using SIFS
• If point coordinator receives response, it issues another poll using PIFS
• If no response during expected turnaround time, coordinator issues poll
Superframe
• Point coordinator would lock out asynchronous traffic by issuing polls
• Superframe interval defined
• During first part of superframe interval, point coordinator polls round-robin to all stations
configured for polling
• Point coordinator then idles for remainder of superframe
• Allowing contention period for asynchronous access
• At beginning of superframe, point coordinator may seize control and issue polls for given
period
• Time varies because of variable frame size issued by responding stations
• Rest of superframe available for contention-based access
• At end of superframe interval, point coordinator contends for access using PIFS
• If idle, point coordinator gains immediate access
• Full superframe period follows
• If busy, point coordinator must wait for idle to gain access
• Results in foreshortened superframe period for next cycle
DFWMAC-PCF I

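[Figure: the SuperFrame starts at t0 while the medium is still busy until t1. The point coordinator sends D1 and D2, the wireless stations answer with U1 and U2; PIFS and SIFS separate the frames. The stations' NAV covers the exchange.]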
DFWMAC-PCF II

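[Figure, continued at t2, t3 and t4: the point coordinator sends D3, D4 and CFend, a wireless station answers with U4; PIFS and SIFS separate the frames. The stations' NAV covers the contention free period, which is followed by the contention period.]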
802.11 - Frame format
• Types
control frames, management frames, data frames
• Sequence numbers
important against duplicated frames due to lost ACKs
• Addresses
receiver, transmitter (physical), BSS identifier, sender (logical)
• Miscellaneous
sending time, checksum, frame control, data

bytes    field
2        Frame Control (version, type, fragmentation, security, ...)
2        Duration ID
6        Address 1
6        Address 2
6        Address 3
2        Sequence Control
6        Address 4
0-2312   Data
4        CRC


MAC Frame Fields
• Frame Control:
Type of frame
Control, management, or data
Provides control information
Includes whether frame is to or from DS, fragmentation information, and privacy information
• Duration/Connection ID:
If used as duration field, indicates time (in µs) channel will be allocated for successful
transmission of MAC frame
In some control frames, contains association or connection identifier
• Addresses:
Number and meaning of address fields depend on context
Types include source, destination, transmitting station, and receiving station
MAC address format
scenario                            to DS  from DS  address 1  address 2  address 3  address 4
ad-hoc network                      0      0        DA         SA         BSSID      -
infrastructure network, from AP     0      1        DA         BSSID      SA         -
infrastructure network, to AP       1      0        BSSID      SA         DA         -
infrastructure network, within DS   1      1        RA         TA         DA         SA

DS: Distribution System
AP: Access Point
DA: Destination Address
SA: Source Address
BSSID: Basic Service Set Identifier
RA: Receiver Address
TA: Transmitter Address
MAC Frame Fields
• Sequence Control:
4-bit fragment number subfield
For fragmentation and reassembly
12-bit sequence number
Number frames between given transmitter and receiver
• Frame Body:
MSDU (or a fragment of)
LLC PDU or MAC control information
• Frame Check Sequence:
32-bit cyclic redundancy check
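
A decoder for the header fields described above: frame control bits, the to DS / from DS address mapping, sequence control and the 32-bit CRC. This is an added example, not part of the original slides; the MAC addresses and frames are constructed, the helper names are hypothetical, and QoS (802.11e) headers are not handled.

```python
import struct
import zlib

# Meaning of address 1..4 per (to DS, from DS), from the MAC address format table.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),   # ad-hoc network
    (0, 1): ("DA", "BSSID", "SA", None),   # infrastructure network, from AP
    (1, 0): ("BSSID", "SA", "DA", None),   # infrastructure network, to AP
    (1, 1): ("RA", "TA", "DA", "SA"),      # infrastructure network, within DS
}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MAX_BODY = 2312  # upper bound of the data field in the frame format

# Constructed, locally administered addresses used by the sample frames.
AP = bytes.fromhex("020000000001")
AP2 = bytes.fromhex("020000000002")
STA = bytes.fromhex("020000000010")
SERVER = bytes.fromhex("020000000099")


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(frame_control, duration, addrs, seq_no, frag_no, body=b""):
    """Assemble a constructed frame in the field order of the frame format."""
    data = struct.pack("<HH", frame_control, duration) + b"".join(addrs[:3])
    data += struct.pack("<H", (seq_no << 4) | frag_no)
    data += b"".join(addrs[3:4]) + body
    return data + struct.pack("<I", zlib.crc32(data))  # CRC-32 over header + body


def parse_frame(frame):
    """Decode a management or data frame that still carries its 4-byte CRC."""
    if len(frame) < 28:
        raise ValueError("shorter than a 24-byte header plus CRC")
    frame_control, duration = struct.unpack_from("<HH", frame, 0)
    ftype = FRAME_TYPES.get((frame_control >> 2) & 0x3, "reserved")
    if ftype in ("control", "reserved"):
        raise ValueError("only management and data frames use this header")
    to_ds, from_ds = (frame_control >> 8) & 1, (frame_control >> 9) & 1
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    raw = [frame[4:10], frame[10:16], frame[16:22]]
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    header_len = 24
    if roles[3] is not None:  # address 4 is present only within the DS
        if len(frame) < 34:
            raise ValueError("truncated four-address header")
        raw.append(frame[24:30])
        header_len = 30
    body = frame[header_len:-4]
    if len(body) > MAX_BODY:
        raise ValueError("frame body longer than 2312 bytes")
    (stored_crc,) = struct.unpack("<I", frame[-4:])
    return {
        "type": ftype,
        "subtype": (frame_control >> 4) & 0xF,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": bool((frame_control >> 14) & 1),  # privacy bit
        "duration": duration,
        "addresses": {role: fmt_mac(a) for role, a in zip(roles, raw)},
        "fragment": seq_ctl & 0xF,   # 4-bit fragment number
        "sequence": seq_ctl >> 4,    # 12-bit sequence number
        "body": body,
        "crc_ok": stored_crc == zlib.crc32(frame[:-4]),
    }


# Constructed sample frames: station to AP, AP to station, and AP to AP.
TO_AP = build_frame(0x0108, 44, [AP, STA, SERVER], 291, 0, b"constructed")
FROM_AP = build_frame(0x0208, 44, [STA, AP, SERVER], 292, 0, b"constructed")
WITHIN_DS = build_frame(0x0308, 0, [AP2, AP, STA, SERVER], 7, 1)

if __name__ == "__main__":
    for sample in (TO_AP, FROM_AP, WITHIN_DS):
        print(parse_frame(sample))
```

The same bytes change meaning with the two DS bits, so a monitoring tool that reads address 2 as the source without checking them will attribute frames sent by an AP to the wrong station.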
Control Frames
• Assist in reliable data delivery
• Power Save-Poll (PS-Poll)
Sent by any station to station that includes AP
Request AP transmit frame buffered for this station while station in power-saving mode
• Request to Send (RTS)
First frame in four-way frame exchange
• Clear to Send (CTS)
Second frame in four-way exchange
• Acknowledgment (ACK)
• Contention-Free (CF)-end
Announces end of contention-free period part of PCF
• CF-End + CF-Ack:
Acknowledges CF-end
Ends contention-free period and releases stations from associated restrictions
Data Frames – Data Carrying
• Eight data frame subtypes, in two groups
• First four carry upper-level data from source station to destination station
• Data
Simplest data frame
May be used in contention or contention-free period
• Data + CF-Ack
Only sent during contention-free period
Carries data and acknowledges previously received data
• Data + CF-Poll
Used by point coordinator to deliver data
Also to request station send data frame it may have buffered
• Data + CF-Ack + CF-Poll
Combines Data + CF-Ack and Data + CF-Poll
Data Frames – Not Data Carrying
• Remaining four data frames do not carry user data
• Null Function
Carries no data, polls, or acknowledgments
Carries power management bit in frame control field to AP
Indicates station is changing to low-power state
• Other three frames (CF-Ack, CF-Poll, CF-Ack + CF-Poll)
same as corresponding frame in preceding list (Data + CF-Ack, Data + CF-Poll,
Data + CF-Ack + CF-Poll) but without data
Management Frames
• Used to manage communications between stations and APs
• E.g. management of associations
Requests, response, reassociation, dissociation, and authentication
802.11 - MAC management
• Synchronization
• try to find a LAN, try to stay within a LAN
• timer etc.
• Power management
• sleep-mode without missing a message
• periodic sleep, frame buffering, traffic measurements
• Association/Reassociation
• integration into a LAN
• roaming, i.e. change networks by changing access points
• scanning, i.e. active search for a network
• MIB - Management Information Base
• managing, read, write
Synchronization using a Beacon (infrastructure)

[Figure: once per beacon interval the access point sends a beacon frame (B) between busy periods of the medium; each beacon carries the value of the timestamp]
TSF: Timing Synchronization Function

Synchronization using a Beacon (ad-hoc)

[Figure: in each beacon interval station1 (B1) and station2 (B2) prepare a beacon frame after a random delay, between busy periods of the medium; each beacon carries the value of the timestamp]

The standard random backoff algorithm is applied to the beacon frames so only
one beacon wins.
Power management
• Idea: switch the transceiver off if not needed
• States of a station: sleep and awake
• Timing Synchronization Function (TSF)
stations wake up at the same time
• Infrastructure
• Traffic Indication Map (TIM)
list of unicast receivers transmitted by AP
• Delivery Traffic Indication Map (DTIM)
list of broadcast/multicast receivers transmitted by AP
• Ad-hoc
• Ad-hoc Traffic Indication Map (ATIM)
announcement of receivers by stations buffering frames
more complicated - no central AP
collision of ATIMs possible (scalability?)
Power saving with wake-up patterns (infrastructure)

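[Figure: the access point sends a TIM every TIM interval and a DTIM every DTIM interval, followed by broadcast/multicast frames, between busy periods of the medium; the station is awake at these times, sends a PS poll and exchanges data with the access point]
Legend: T = TIM, D = DTIM, B = broadcast/multicast, p = PS poll, d = data transmission to/from the station; bars mark when the station is awake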
Power saving with wake-up patterns (ad-hoc)
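[Figure: within the beacon interval, station1 sends beacon B1, an ATIM (A) in the ATIM window and then data (D); station2 sends beacon B2, acknowledges the ATIM (a) and the data (d)]
Legend: B = beacon frame, A = transmit ATIM, D = transmit data, a = acknowledge ATIM, d = acknowledge data; random delay and awake periods are also marked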

802.11 - Roaming
No or bad connection? Then perform:
• Scanning
scan the environment, i.e., listen into the medium for beacon signals or send
probes into the medium and wait for an answer
• Reassociation Request
station sends a request to one or several AP(s)
• Reassociation Response
success: AP has answered, station can now participate
failure: continue scanning
• AP accepts Reassociation Request
signal the new station to the distribution system
the distribution system updates its data base (i.e., location information)
typically, the distribution system now informs the old AP so it can release
resources
WLAN: IEEE 802.11b
Data rate
 1, 2, 5.5, 11 Mbit/s, depending on SNR
 User data rate max. approx. 6 Mbit/s
Transmission range
 300m outdoor, 30m indoor
 Max. data rate ~10m indoor
Frequency
 Free 2.4 GHz ISM-band
Security
 Limited, WEP insecure, SSID
Availability
 Many products, many vendors
Connection set-up time
 Connectionless/always on
Quality of Service
 Typ. Best effort, no guarantees (unless polling is used, limited support in products)
Manageability
 Limited (no automated key distribution, sym. Encryption)
Special Advantages/Disadvantages
 Advantage: many installed systems, lot of experience, available worldwide, free ISM-band, many vendors, integrated in laptops, simple system
 Disadvantage: heavy interference on ISM-band, no service guarantees, slow relative speed only

Channel selection (non-overlapping)
[Figure: 2.4 GHz band from 2400 MHz to 2483.5 MHz, each channel 22 MHz wide]
• Europe (ETSI): channel 1 (2412 MHz), channel 7 (2442 MHz), channel 13 (2472 MHz)
• US (FCC)/Canada (IC): channel 1 (2412 MHz), channel 6 (2437 MHz), channel 11 (2462 MHz)



WLAN: IEEE 802.11a
Data rate
• 6, 9, 12, 18, 24, 36, 48, 54 Mbit/s, depending on SNR
• User throughput (1500 byte packets): 5.3 (6), 18 (24), 24 (36), 32 (54)
• 6, 12, 24 Mbit/s mandatory
Transmission range
• 100m outdoor, 10m indoor
• E.g., 54 Mbit/s up to 5 m, 48 up to 12 m, 36 up to 25 m, 24 up to 30 m, 18 up to 40 m, 12 up to 60 m
Frequency
• Free 5.15-5.25, 5.25-5.35, 5.725-5.825 GHz ISM-band
Security
• Limited, WEP insecure, SSID
Availability
• Some products, some vendors
Connection set-up time
• Connectionless/always on
Quality of Service
• Typ. best effort, no guarantees (same as all 802.11 products)
Manageability
• Limited (no automated key distribution, sym. encryption)
Special Advantages/Disadvantages
• Advantage: fits into 802.x standards, free ISM-band, available, simple system, uses less crowded 5 GHz band
• Disadvantage: stronger shading due to higher frequency, no QoS



WLAN: IEEE 802.11 – future developments (03/2005)
802.11c: Bridge Support
• Definition of MAC procedures to support bridges as extension to 802.1D
802.11d: Regulatory Domain Update
• Support of additional regulations related to channel selection, hopping sequences
802.11e: MAC Enhancements – QoS
• Enhance the current 802.11 MAC to expand support for applications with Quality of Service requirements, and in the capabilities and efficiency of the protocol
• Definition of a data flow (“connection”) with parameters like rate, burst, period…
• Additional energy saving mechanisms and more efficient retransmission
802.11f: Inter-Access Point Protocol
• Establish an Inter-Access Point Protocol for data exchange via the distribution system
• Currently unclear to which extent manufacturers will follow this suggestion
802.11g: Data Rates > 20 Mbit/s at 2.4 GHz; 54 Mbit/s, OFDM
• Successful successor of 802.11b, performance loss during mixed operation with 11b
802.11h: Spectrum Managed 802.11a
• Extension for operation of 802.11a in Europe by mechanisms like channel measurement for dynamic channel selection (DFS, Dynamic Frequency Selection) and power control (TPC, Transmit Power Control)
WLAN: IEEE 802.11– future developments (03/2005)
802.11i: Enhanced Security Mechanisms
• Enhance the current 802.11 MAC to provide improvements in security.
• TKIP enhances the insecure WEP, but remains compatible to older WEP systems
• AES provides a secure encryption method and is based on new hardware
802.11j: Extensions for operations in Japan
• Changes of 802.11a for operation at 5 GHz in Japan using only half the channel width at larger range
802.11k: Methods for channel measurements
• Devices and access points should be able to estimate channel quality in order to be able to choose a better access point or channel
802.11m: Updates of the 802.11 standards
802.11n: Higher data rates above 100 Mbit/s
• Changes of PHY and MAC with the goal of 100 Mbit/s at MAC SAP
• MIMO antennas (Multiple Input Multiple Output), up to 600 Mbit/s are currently feasible
• However, still a large overhead due to protocol headers and inefficient mechanisms
802.11p: Inter car communications
• Communication between cars/road side and cars/cars
• Planned for relative speeds of min. 200 km/h and ranges over 1000 m
• Usage of 5.850-5.925 GHz band in North America
802.11 current status
[Figure: 802.11 protocol stack. Boxes: LLC; MAC with WEP, MAC Mgmt and MIB; PHY with DSSS, FH, IR and OFDM. Annotations: 802.11i (security), 802.11f (Inter Access Point Protocol), 802.11e (QoS enhancements), 802.11b (5, 11 Mbps), 802.11a (6, 9, 12, 18, 24, 36, 48, 54 Mbps), 802.11g (20+ Mbps).]
Wi-Fi Security
Wi-Fi security is about keeping a wireless network safe from hackers and
unauthorized users. It uses passwords and encryption methods to make sure
only allowed people can access the network and that the data sent over it is protected.
This helps prevent outsiders from stealing or seeing your information, like your
messages or what websites you visit.
Wi-Fi Security
How Does Wireless Security Work?
Wireless security works by using passwords and encryption to protect your internet
connection. Security protocols such as WPA2 and WPA3 are methods to make the data
more secure. Such protocols work by implementing security measures like encryption
and authentication.

• Encryption: Makes wireless communication unintelligible to anyone but those with
the right encryption keys.
• Authentication: Ensures that only those users and devices whose identities have been
properly verified can join the network.
Types of Wireless Security Protocols
Wireless security protocols play a crucial role in protecting sensitive information and
ensuring privacy when connected to the internet using Wi-Fi. This section takes
a close look at the most commonly used wireless security protocols (WEP, WPA).
WEP (Wired Equivalent Privacy)
• WEP, or Wired Equivalent Privacy, is a security algorithm presented by the Institute of
Electrical and Electronics Engineers (IEEE) as part of the IEEE 802.11 internet standard
that was ratified in 1997.
• WEP was created to secure and ensure data confidentiality at the same level that a
traditional wired network offered. Wireless connections transmit data through radio
waves, which can be intercepted. WEP was designed to encrypt this data so that even if it
were to be intercepted, such as through a MitM attack, the threat actor would not be able
to decipher its contents.
• Due to U.S. government-imposed restrictions on the exportation of cryptographic
technology, WEP key sizes were initially limited to a 40-bit key (called WEP-40) for the
64-bit WEP protocol. As these restrictions were lifted, the extended 128-bit WEP
protocol using the 104-bit key (WEP-104) was introduced. WEP uses the RC4 stream
cipher for confidentiality and the CRC-32 checksum for integrity.
WEP (Wired Equivalent Privacy)
• The 64-bit WEP key uses a string of 10 hexadecimal (base 16) alphanumeric
characters with each character representing 4 bits, while the 128-bit WEP key uses a
string of 26 hexadecimal alphanumeric characters. These characters are either numbers
between 0 and 9 or letters between A and F.
• Using WEP, all traffic is encrypted with a single key, meaning that it uses a static key. This
key is used to connect computers to a wireless-security-enabled network. Computers
connected to this network can exchange encrypted messages.
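The WEP construction described above, written out as an added example (not code from the slides): a 10- or 26-character hex key, RC4 keyed with the 24-bit per-frame IV followed by the static key, and an unkeyed CRC-32 as integrity value. The key, IV and frame contents are constructed samples, the key-ID octet of a real frame is omitted, and the last function shows why a static key with such a small IV space cannot keep traffic confidential once an IV repeats.

```python
import binascii
import string
import struct

def parse_wep_key(hex_key):
    """10 hex characters -> 40-bit key (WEP-40); 26 -> 104-bit key (WEP-104)."""
    if len(hex_key) not in (10, 26) or any(c not in string.hexdigits for c in hex_key):
        raise ValueError("WEP key must be 10 or 26 hexadecimal characters")
    return bytes.fromhex(hex_key)

def rc4(key, length):
    """Standard RC4: key scheduling, then `length` bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, with no key involved."""
    return struct.pack("<I", binascii.crc32(data) & 0xFFFFFFFF)

def wep_seal(key, iv, plaintext):
    """Returns IV || (RC4(IV || key) XOR (plaintext || ICV)); the IV travels in clear."""
    if len(iv) != 3:
        raise ValueError("the WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_open(key, frame):
    """Decrypts a frame from wep_seal and verifies its ICV."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4(iv + key, len(body)))
    data, check = clear[:-4], clear[-4:]
    if icv(data) != check:
        raise ValueError("ICV mismatch")
    return data

def same_iv_leaks_xor(key, iv, p1, p2):
    """True when two equal-length frames under one IV expose p1 XOR p2 to an observer."""
    c1, c2 = wep_seal(key, iv, p1)[3:], wep_seal(key, iv, p2)[3:]
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)

if __name__ == "__main__":
    k = parse_wep_key("0102030405")  # constructed sample key
    print(same_iv_leaks_xor(k, b"\x00\x00\x01", b"constructed frame A", b"constructed frame B"))
```

Because the key never changes, the keystream depends only on the 24-bit IV, so no configuration choice fixes this; the remedy is to move the network to a later protocol.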
Problems with WEP
WPA (Wi-Fi Protected Access)
• WPA was a significant enhancement over WEP, but because its core components were made
so they could be rolled out through firmware upgrades on WEP-enabled devices, they
still relied on exploited elements.
• WPA, just like WEP, turned out to be pretty vulnerable to intrusion after being put
through proof-of-concept and applied public demonstrations. The attacks that posed
the most threat to the protocol were, however, not the direct ones, but those that were
made on Wi-Fi Protected Setup (WPS), an auxiliary system developed to simplify the
linking of devices to modern access points.
WPA (Wi-Fi Protected Access)
Security Issues with WPA
• Key shared ahead of time (pre-shared key, PSK): if users rely on a weak password or
passphrase, WPA and WPA2 are still susceptible to password cracking attempts.
• Insufficient upfront secrecy (lack of forward secrecy): because WPA and WPA2 offer no
forward secrecy, an adversary may be able to passively and covertly gather packets and,
once they ascertain the pre-shared key, decrypt all traffic encrypted with that PSK,
whether it was transmitted in the past or will be in the future.
• Denial of service: an attacker overloads the network with messages, impairing the
availability of network resources.
• Eavesdropping: unauthorised third parties intercept data being transferred across
secure networks.
• Spoofing and session hijacking: an attacker obtains access to network resources and
data by impersonating a legitimate user.
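An added example (not from the slides) for the pre-shared-key points above, from the administrator's side: in WPA/WPA2-Personal the 256-bit master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so it is the same for every session on that network and only as strong as the passphrase. The common-password list, the 80-bit threshold, the entropy heuristic and the SSID "ExampleNet" are assumptions of this example.

```python
import hashlib
import math
import string

COMMON = {"password", "12345678", "qwertyuiop", "letmein123"}  # constructed sample list

def check_passphrase(passphrase):
    """WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")

def derive_pmk(passphrase, ssid):
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def estimate_bits(passphrase):
    """Crude upper bound on guessing effort: length * log2(character pool in use)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        pool += 33  # space and punctuation within printable ASCII
    return len(passphrase) * math.log2(pool)

def audit(passphrase, min_bits=80.0):
    """Returns a list of findings; an empty list means this check has no objection."""
    check_passphrase(passphrase)
    findings = []
    if passphrase.lower() in COMMON:
        findings.append("appears in common-password list")
    if estimate_bits(passphrase) < min_bits:
        findings.append("estimated strength below %.0f bits" % min_bits)
    return findings

if __name__ == "__main__":
    print(audit("password"))            # constructed weak sample
    print(audit("T7#qLz9!vR2@xW5$"))    # constructed strong sample
    print(derive_pmk("password", "ExampleNet").hex())
```

The estimate is an upper bound only: a passphrase built from dictionary words scores well here and is still guessable, which is why the list check runs first.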
Difference Between WEP and WPA
Wireless LAN Threats
• Wireless security issues are considered the primary security issues of mobile computing.
They relate to wireless networks and occur when hackers intercept the radio signals.
Most wireless networks depend on other private networks that are managed by others,
so users have less control over security procedures.
These security issues are:
• Denial of Service (DoS) attacks
• Traffic Analysis
• Eavesdropping
• Session Interception and Message Modification
• Spoofing
Securing Wireless Network
• The biggest issue in mobile computing is the credential verification of users. Because
users share usernames and passwords, this may become a significant threat to security. Due
to this sensitive issue, most companies are very reluctant to implement mobile computing.
Some recommendations can be followed by companies or mobile users to keep their mobile
devices and the data stored on them secure.
• The company should hire qualified personnel.
• Install security hardware and software.
• Ensure that the data stored on mobile devices is encrypted and audited.
• Educate users on proper mobile computing ethics and security issues.
• Ensure that mobile devices are configured with power-on authentication to
prevent unauthorized access if lost or stolen.
• Ensure that anti-virus software is installed on mobile devices.
• Make sure that a firewall client is installed on mobile devices.
• Encrypt your mobile devices with a strong password.
• Encrypt the data stored on secondary storage devices such as memory sticks, data cards,
removable USB drives, etc.
• Ensure that Bluetooth, Wi-Fi, etc. are turned off on mobile devices when you are not
using them.
• Make periodic backups of your mobile devices on a data server.
Thank You!