38 Introduction to Wireless LAN Security Standards

Learning Objectives

  •  To know the various wireless LAN (WLAN) topologies
  •  To learn about 802.11 medium access mechanisms
  •  To learn about 802.11 MAC layer operations
  •  To describe the frame formats for WLAN

39.1 Introduction

802.11 WLANs are becoming pervasive in network deployments primarily because they are easy to implement and easy to use. From the perspective of the user, they function and perform exactly like a shared Ethernet LAN. Ironically, the 802.11 architecture is anything but simple. The challenges of an uncontrolled medium are more complex than those of the controlled wired Ethernet medium.

The 802.11 MAC must orchestrate an access mechanism that allows fair access to the medium. 802.11 stations do not possess the ability to sense collisions that the carrier sense multiple access/collision detect (CSMA/CD)–based wired Ethernet stations do. As a result, a more robust and scalable MAC is required for medium access with minimized overhead.

39.2 WLAN Topologies

802.11 networks are flexible by design. WLAN topologies can be categorized into three types:

–  Independent basic service sets (IBSSs)
–  Basic service sets (BSSs)
–  Extended service sets (ESSs)

A service set is a logical grouping of devices. WLANs provide network access by broadcasting a signal across a wireless radio frequency (RF) carrier. A receiving station can be within range of a number of transmitters. The transmitter prefaces its transmissions with a service set identifier (SSID). The receiver uses the SSID to filter through the received signals and locate the one it wants to connect to.

39.2.1 IBSS

An IBSS consists of a group of 802.11 stations communicating directly with one another. An IBSS is also referred to as an ad-hoc network because it is essentially a simple peer-to-peer WLAN. Figure 39-1 illustrates how two stations equipped with 802.11 network interface cards (NICs) can form an IBSS and communicate directly with one another.

An IBSS network is created when individual client devices form a self-contained network without the use of an access point. These networks do not involve any pre-planning or site survey, so they are usually small and only last long enough for the communication of whatever information needs to be shared. Unlike the case of an ESS, the clients are directly connected to each other, which creates only a single BSS that has no interface to a wired LAN (i.e., no distribution system, which is essential to tying BSSs together to create an ESS). There is no standards-based limit as to the number of devices that can be in an IBSS.

39.2.2 BSS

A BSS is a group of 802.11 stations communicating with one another. A BSS requires a specialized station known as an access point (AP). The AP is the central point of communications for all stations in a BSS. The client stations do not communicate directly with other client stations. Rather, they communicate with the AP, and the AP forwards the frames to the destination stations. The AP might be equipped with an uplink port that connects the BSS to a wired network (for example, an Ethernet uplink). Because of this requirement, a BSS is also referred to as an infrastructure BSS. Figure 39-2 illustrates a typical infrastructure BSS.

39.2.3 ESS

Multiple infrastructure BSSs can be connected via their uplink interfaces. In the world of 802.11, the uplink interface connects the BSS to the distribution system (DS). The collection of BSSs interconnected via the DS is known as the ESS. Figure 39-3 shows a practical implementation of an ESS. The uplink to the DS does not have to be via a wired connection. The 802.11 specification leaves the potential for this link to be wireless. For the most part, DS links are wired Ethernet.

39.3 802.11 Medium Access Mechanisms

802.11-based WLANs use a mechanism similar to CSMA/CD, known as carrier sense multiple access with collision avoidance (CSMA/CA). CSMA/CA is a listen-before-talk (LBT) mechanism. The transmitting station senses the medium for a carrier signal and waits until the channel is available before transmitting.

Wired Ethernet is able to sense a collision on the medium. Two stations transmitting at the same time increase the signal level on the wire, indicating to the transmitting stations that a collision has occurred. 802.11 wireless stations do not have this capability. The 802.11 access mechanism must make every effort to avoid collisions altogether.

CSMA/CA is more ordered than CSMA/CD. Using a telephone conference call analogy, the rules change as follows:

  • Before a participant speaks, she must indicate how long she plans to speak. This indication gives any potential speakers an idea of how long to wait before they have an opportunity to speak.
  • Participants cannot speak until the announced duration of a previous speaker has elapsed.
  • Participants are unaware whether their voices are heard while they are speaking, unless they receive confirmation of their speeches when they are done.
  • If two participants happen to start speaking at the same time, they are unaware they are speaking over each other. The speakers determine they are speaking over each other because they do not receive confirmation that their voices were heard.
  • Should they not receive confirmation of their speeches, the participants wait a random amount of time and attempt to speak again.

The 802.11 implementation of CSMA/CA is manifested in the distributed coordination function (DCF). To describe how CSMA/CA works, it is important to describe some key 802.11 CSMA/CA components first:

  • Carrier sense
  • DCF
  • Acknowledgment frames
  • Request to Send/Clear to Send (RTS/CTS) medium reservation

In addition, two other mechanisms pertain to 802.11 medium access but are not directly tied to CSMA/CA:

  • Frame fragmentation
  • Point coordination function (PCF)

A station that wants to transmit on the wireless medium must sense whether the medium is in use. If the medium is in use, the station must defer frame transmission until the medium is not in use. The station determines the state of the medium using two methods:

  • Check the Layer 1 physical layer (PHY) to see whether a carrier is present.
  • Use the virtual carrier-sense function, the network allocation vector (NAV).

The station can check the PHY and detect that the medium is available. But in some instances, the medium might still be reserved by another station via the NAV. The NAV is a timer that is updated by data frames transmitted on the medium. For example, in an infrastructure BSS, suppose Martha is sending a frame to George (see Figure 39-4). Because the wireless medium is a broadcast-based shared medium, Vivian also receives the frame. The 802.11 frames contain a duration field. This duration value is large enough to cover the transmission of the frame and the expected acknowledgment. Vivian updates her NAV with the duration value and does not attempt transmission until the NAV has decremented to 0.

Note that stations only update the NAV when the duration field value received is greater than what is currently stored in their NAV. Using the same example, if Vivian has a NAV of 10 milliseconds, she does not update her NAV if she receives a frame with a duration of 5 milliseconds. She updates her NAV if she receives a frame with a duration of 20 milliseconds.
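The NAV update rule just described, as an added example that is not from the chapter: a small Python model of one station's NAV in which an overheard Duration value replaces the NAV only if it is larger than the time still reserved, and a station may transmit only when both the physical carrier sense and the NAV report the medium free. The microsecond values, the `Station` class and the `walkthrough()` replay of the Vivian scenario are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Station:
    """A station's virtual carrier sense state (NAV), in microseconds."""
    name: str
    nav_expires_at: int = 0  # absolute time at which the NAV decrements to 0

    def nav_remaining(self, now: int) -> int:
        """Time left on the NAV at 'now' (0 once the NAV has expired)."""
        return max(0, self.nav_expires_at - now)

    def overhear(self, now: int, duration: int) -> bool:
        """Apply the Duration field of an overheard frame.

        The NAV is updated only when the received duration exceeds what is
        currently left on the NAV; a shorter reservation never shortens an
        existing one. Returns True when the NAV was updated.
        """
        if duration > self.nav_remaining(now):
            self.nav_expires_at = now + duration
            return True
        return False

    def may_transmit(self, now: int, phy_carrier_detected: bool) -> bool:
        """Both checks from the text: physical carrier sense and the NAV."""
        return not phy_carrier_detected and self.nav_remaining(now) == 0


def walkthrough() -> list:
    """Replay the Vivian example (10 ms NAV, then 5 ms and 20 ms frames)."""
    vivian = Station("Vivian")
    results = []
    # t = 0: Martha's frame to George carries a Duration covering the frame
    # and George's acknowledgment; Vivian overhears it (values constructed).
    results.append(vivian.overhear(0, 10_000))          # True: NAV 0 -> 10 ms
    results.append(vivian.overhear(0, 5_000))           # False: 5 ms < 10 ms left
    results.append(vivian.overhear(0, 20_000))          # True: 20 ms > 10 ms left
    results.append(vivian.may_transmit(15_000, False))  # False: 5 ms still on NAV
    results.append(vivian.may_transmit(20_000, False))  # True: NAV has reached 0
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The model deliberately never lets a smaller Duration shorten the NAV; a station that honoured shorter values would start transmitting into reservations other stations still respect.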

39.3.1 DCF

The IEEE-mandated access mechanism for 802.11 networks is DCF, a medium access mechanism based on the CSMA/CA access method. To describe DCF operation, we first define some concepts. Figure 39-5 shows a time line for the scenario in Figure 39-4.

In DCF operation, a station wanting to transmit a frame must wait a specific amount of time after the medium becomes available. This time value is known as the DCF interframe space (DIFS). Once the DIFS interval elapses, the medium becomes available for station access contention.

The 802.11 specification requires that the receiving station send an acknowledgment frame to the frame sender. This acknowledgment frame allows the sending station to indirectly determine whether a collision took place on the medium. If the sending station does not receive an acknowledgment frame, it assumes that a collision occurred on the medium. Figure 39-6 summarizes the steps a DCF station must iterate through to transmit a frame.

39.3.2 The Acknowledgment Frame

A station receiving a frame acknowledges error-free receipt of the frame by sending an acknowledgment frame back to the sending station. Knowing that the receiving station has to access the medium and transmit the acknowledgment frame, you would assume that it is possible for the acknowledgment frame to be delayed because of medium contention. The transmission of an acknowledgment frame is a special case. Acknowledgment frames are allowed to skip the random backoff process and wait a short interval after the frame has been received to transmit the acknowledgment. The short interval the receiving station waits is known as the short interframe space (SIFS). The SIFS interval is shorter than a DIFS interval by two slot times. It guarantees the receiving station the best possible chance of transmitting on the medium before another station does.

Referring to Vivian’s transmission to George, Vivian deferred her transmission attempt for four slot times. The medium was still available, so she transmitted her frame to George, as depicted in Figure 39-7. The AP receives the frame and waits a SIFS interval before sending an acknowledgment frame.
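A Python simulation of the DCF contention described in 39.3.1 and 39.3.2, added here and not part of the chapter: stations wait DIFS, count down a backoff in slot times, the receiver answers after SIFS only, and two counters reaching zero together produce a collision that the senders detect solely through the missing acknowledgment. The slot, SIFS, frame and ACK durations, the contention-window doubling and the ACK timeout are assumptions chosen for the example; Vivian's four-slot backoff is the one from the text.

```python
import random

# Timing values assumed for the example (microseconds, 802.11b-like).
SLOT_TIME = 20
SIFS = 10
DIFS = SIFS + 2 * SLOT_TIME   # 50 us: DIFS is SIFS plus two slot times
FRAME_TIME = 300              # assumed on-air time of one data frame
ACK_TIME = 50                 # assumed on-air time of one ACK
CW_MIN, CW_MAX = 15, 1023     # contention window bounds (slots)


def simulate_dcf(initial_backoff, draw=None):
    """Run DCF contention until every station has delivered one frame.

    initial_backoff: {station: backoff slots already drawn}, e.g. Vivian's
    four slots from the text. draw(cw) supplies a fresh backoff in [0, cw]
    after a collision; it defaults to random.randint so a caller can inject
    deterministic values. Returns (events, finish_time_us), where events are
    (time_us, station, outcome) tuples.
    """
    draw = draw or (lambda cw: random.randint(0, cw))
    backoff = dict(initial_backoff)
    cw = {s: CW_MIN for s in backoff}
    events, now = [], 0
    while backoff:
        now += DIFS                                   # wait DIFS after medium idle
        slots = min(backoff.values())                 # first counter to reach 0 wins
        now += slots * SLOT_TIME
        winners = [s for s, b in backoff.items() if b == slots]
        for s in backoff:                             # others freeze their remainder
            backoff[s] -= slots
        now += FRAME_TIME                             # winner(s) transmit
        if len(winners) == 1:
            # Receiver answers after SIFS only, skipping backoff entirely.
            now += SIFS + ACK_TIME
            events.append((now, winners[0], "acked"))
            del backoff[winners[0]]
        else:
            # Two counters hit 0 together: the frames overlap on the air and
            # no sender can hear it. They learn of it only from the missing
            # ACK (ACK timeout assumed equal to SIFS + ACK_TIME here).
            now += SIFS + ACK_TIME
            for s in winners:
                cw[s] = min(CW_MAX, 2 * cw[s] + 1)    # contention window doubles
                backoff[s] = draw(cw[s])
                events.append((now, s, "collision: no ACK, new backoff %d" % backoff[s]))
    return events, now


if __name__ == "__main__":
    for event in simulate_dcf({"Vivian": 4, "George": 4, "Tony": 7})[0]:
        print(event)
```

Running the `__main__` block with Vivian and George both holding a four-slot backoff shows the two-step nature of collision handling: the collision itself is invisible to both senders, and only the absent ACK triggers the doubled contention window and the fresh random backoff.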

39.3.4 The Hidden Node Problem and RTS/CTS

Vivian might be unable to access the medium because of another station that is within range of the AP yet out of range of her station. Figure 2-10 illustrates this situation. Vivian and George are in range of each other and in range of the AP. Yet neither of them is in range of Tony. Tony is in range of the AP and attempts to transmit on the medium as well. The situation is known as the hidden node problem because Tony is hidden from Vivian and George.

Vivian attempts to reserve the medium using a special control frame known as an RTS frame. The RTS frame is sent to the AP and indicates to the AP, and to all stations that are within range of Vivian, the expected duration of Vivian’s frame exchange. The frame exchange includes the frame she wants to initially transmit as well as the expected acknowledgment frame.

The AP receives Vivian’s RTS frame and replies with a CTS control frame. The CTS frame contains a duration field value long enough to allow Vivian to complete her frame exchange. All stations within range of the AP, including Tony and George, receive the CTS frame and update their NAVs, as illustrated in Figure 39-9.

The initial RTS frame that Vivian transmits must go through the DCF process, as would any normal frame. But similar to the acknowledgment frame, the corresponding CTS frame from the AP skips the random backoff procedure and only needs to wait the SIFS interval before being transmitted. Figure 39-10 details Vivian’s RTS frame transmission. Both George and Tony update their NAVs accordingly, but the acknowledgment frame the AP sends back to Vivian does not have to conform to the DCF rules. When George receives the frame, George immediately sends back an acknowledgment frame. Although George’s NAV is nonzero, he still sends an acknowledgment frame back to the AP after a SIFS interval.

39.4 802.11 Frame Fragmentation

Frame fragmentation is a MAC layer function that is designed to increase the reliability of frame transmission across the wireless medium. The premise behind fragmentation is that a frame is broken up into smaller fragments, and each fragment is transmitted individually, as depicted in Figure 39-11. The assumption is that there is a higher probability of successfully transmitting a smaller frame fragment across the hostile wireless medium. Each frame fragment is individually acknowledged; therefore, if any fragment of the frame encounters any errors or a collision, only the fragment needs to be retransmitted, not the entire frame, increasing the effective throughput of the medium.

Fragmentation occurs only on unicast frames. Broadcast or multicast frames are transmitted as a whole. Also, the frame fragments are sent as a burst, using a single iteration of the DCF medium access mechanism.

Although fragmentation can increase the reliability of frame transmission in a WLAN, it does increase the 802.11 MAC protocol overhead. Every frame fragment carries the 802.11 MAC header and requires a corresponding acknowledgment frame. This increase in MAC overhead decreases the actual wireless station throughput. Fragmentation is a balance between medium reliability and medium overhead.

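The reliability-versus-overhead trade-off above, worked through in Python as an added example (not from the chapter): `fragment()` splits a unicast body so that no fragment exceeds the threshold and sets the More Fragments flag on all but the last, and `expected_bytes()` charges each fragment its own header, FCS and ACK plus the retransmissions a given bit error rate forces on it. Header and ACK sizes are standard 802.11 values; the payload, threshold and bit error rates are constructed inputs.

```python
# Sizes in bytes: standard 802.11 values for a three-address data frame and an ACK.
MAC_HEADER = 24   # data frame header: FC, Duration, Addr1-3, Sequence Control
FCS = 4
ACK_FRAME = 14    # control frame: FC, Duration, RA, FCS


def fragment(payload: bytes, threshold: int, unicast: bool = True):
    """Split a frame body so that no fragment (header + body + FCS) exceeds
    the fragmentation threshold. Returns (fragment_number, more_fragments,
    body) tuples. Broadcast/multicast frames are never fragmented.
    """
    max_body = threshold - MAC_HEADER - FCS
    if max_body <= 0:
        raise ValueError("threshold leaves no room for a frame body")
    if not unicast:
        return [(0, False, payload)]
    bodies = [payload[i:i + max_body] for i in range(0, len(payload), max_body)] or [b""]
    return [(n, n < len(bodies) - 1, body) for n, body in enumerate(bodies)]


def on_air_bytes(fragments) -> int:
    """Bytes a burst costs on the medium when nothing is lost: each fragment
    carries its own header and FCS and is answered by its own ACK."""
    return sum(MAC_HEADER + len(body) + FCS + ACK_FRAME for _, _, body in fragments)


def expected_bytes(payload_len: int, threshold: int, bit_error_rate: float) -> float:
    """Expected bytes on the air to deliver the whole payload when each bit is
    corrupted independently with the given probability. A corrupted fragment
    fails its FCS check, gets no ACK and is resent alone; a fragment of L
    bytes succeeds with probability (1 - BER)**(8 L), so on average it costs
    1 / p_ok attempts.
    """
    total = 0.0
    for _, _, body in fragment(bytes(payload_len), threshold):
        size = MAC_HEADER + len(body) + FCS
        p_ok = (1.0 - bit_error_rate) ** (8 * size)
        total += (size + ACK_FRAME) / p_ok
    return total


if __name__ == "__main__":
    for ber in (0.0, 1e-5, 1e-4):
        whole = expected_bytes(1500, 2346, ber)   # threshold above frame size: no fragmentation
        split = expected_bytes(1500, 500, ber)
        print(f"BER={ber:<6} whole={whole:8.0f} bytes  fragmented={split:8.0f} bytes")
```

On a clean medium the fragmented burst costs more bytes than the whole frame (the extra headers and ACKs), while at a bit error rate around 1e-4 the picture reverses, because a corrupted 1500-byte frame is resent in full whereas only the damaged 500-byte fragment is.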
39.4.1 PCF

PCF is an 802.11 optional medium access mechanism that is used in addition to DCF. PCF is an access mechanism that provides contention-free frame delivery to and from the AP. Most vendors do not include PCF support because it increases the protocol overhead of the BSS. As a result, it is not widely deployed. Forthcoming quality-of-service (QoS) enhancements to the 802.11 specification build on PCF to create a more useful mechanism.

The Contention Free Period (CFP) is the window of time for PCF operation. The CFP begins at set intervals following a beacon frame containing a delivery traffic indication map (DTIM) information element (described later in the chapter). The frequency of CFPs is determined by the network administrator. Once the CFP begins, the AP assumes the role of the point coordinator (PC); as such, PCF operation is only supported in infrastructure BSSs. Each 802.11 client sets its NAV to the CFPMaxDuration value. This value is included in the CF parameter set information element (detailed later in the chapter). The CFPMaxDuration defines the time value that is the maximum duration for the CFP. The PC can end the CFP before the CFPMaxDuration time elapses. The AP transmits beacon frames at regular intervals, and beacon frames sent during the CFP contain the CFPDurationRemaining field to update station NAVs with the remaining duration of the CFP. Figure 39-12 depicts the CFP and contention period (CP) as a function of time.

Unlike DCF operation, PCF does not allow stations to freely access the medium and transmit data. Stations can only send data (one frame at a time) when the PC polls them. The PC can send frames to stations, poll stations for frame transmission, acknowledge frames requiring MAC-level acknowledgments, or end the CFP.

When the CFP begins, the PC must access the medium in the same manner as a DCF station. Unlike DCF stations, however, the PC attempts to access the medium after waiting an interval of time known as the priority interframe space (PIFS). The PIFS interval is one slot time longer than the SIFS interval and one slot time shorter than the DIFS interval, allowing PCF stations to access the medium before DCF stations while still giving control frames, such as acknowledgment frames, the highest probability of gaining access to the medium. Figure 39-13 illustrates the SIFS, PIFS, DIFS, and slot time relationships.

After waiting a PIFS interval, the PC sends the initial beacon frame containing the CF parameter information element. The PC waits for one SIFS interval subsequent to the beacon frame transmission and then sends one of the following to a CF-Pollable station:

  • A data frame
  • A poll frame (CF-Poll)
  • A combination data and poll frame (Data+CF-Poll)
  • A CFP end frame (CF-End)

If the PC has no frames to send and no CF-Pollable stations to poll, the CFP is considered null, and immediately following the beacon frame, the PC sends a CF-End frame terminating the CFP.

39.4.2 PCF Operation Example

AP1 sends a beacon frame indicating the start of a CFP. The CFP is set for 20 seconds (sec). Vivian, Martha, and George all update their NAVs to reflect the 20-sec CFP. After waiting a SIFS interval, AP1 sends a frame buffered for Vivian’s station and also sends a poll to Vivian’s station to see whether she has any frames to send using the Data+CF-Poll frame. Vivian receives the Data+CF-Poll frame and sends one data frame and a contention-free acknowledgment (Data+CF-ACK) frame after waiting a SIFS interval. Note that Vivian’s station ignores her NAV setting when transmitting frames in response to a CF-Poll frame.

AP1 iterates through its polling list to Martha’s station. AP1 uses another combination frame to send a data frame to Martha, acknowledge Vivian’s frame, and poll Martha’s station for frame transmission (Data+CF-ACK+CF-Poll). Note that the frame is destined for Martha’s station, yet it acknowledges Vivian’s last frame. The multiple access nature of 802.11 allows for this arrangement. Martha waits a SIFS interval and sends a Data+CF-ACK frame.

AP1 finally iterates to George’s station. The AP has no data frames buffered for George’s station, so it sends a CF-Poll frame to see whether George has any frames to send. George has no frames buffered either, so George sends a null data frame. Although the CFP has not exceeded the maximum duration allowed, AP1 sends a CF-End frame to end the CFP and proceed to the CP and normal DCF medium access. Vivian, Martha, and George receive the CF-End frame and reset their NAVs.
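The polling sequence of 39.4.2, generalized in Python as an added example (not from the chapter): the point coordinator runs through its polling list, folding its buffered data, the acknowledgment for the previous station's frame and the poll for the current station into one frame, while each polled station answers after SIFS regardless of its NAV. One detail differs from the narrative above: because Martha's frame still needs acknowledging when George is polled, the model sends him CF-ACK+CF-Poll rather than a bare CF-Poll. Interframe spaces and on-air times are assumed values, and the PC ends the CFP early when the next exchange would not fit within CFPMaxDuration.

```python
# Timing values assumed for the example (microseconds).
SIFS, SLOT_TIME = 10, 20
PIFS = SIFS + SLOT_TIME            # 30 us: one slot more than SIFS
DIFS = SIFS + 2 * SLOT_TIME        # 50 us: one slot more than PIFS
FRAME_AIR_TIME = 200               # assumed on-air time of any frame


def frame_name(data: bool, ack: bool, poll: bool) -> str:
    """Name of the combined frame the PC or a station sends."""
    parts = (["Data"] if data else []) + (["CF-ACK"] if ack else []) + (["CF-Poll"] if poll else [])
    return "+".join(parts) or "Null"


def run_cfp(polling_list, pc_buffered, sta_buffered, cfp_max_us, pc="AP1"):
    """Walk one contention-free period.

    polling_list: CF-Pollable stations in polling order.
    pc_buffered / sta_buffered: {station: frames queued} at the PC / station.
    Returns (events, navs): events are (start_us, sender, receiver, frame)
    tuples and navs is every station's NAV once the CFP has ended.
    """
    pc_q, sta_q = dict(pc_buffered), dict(sta_buffered)
    now = PIFS                                   # PC beats DCF stations (DIFS)
    events = [(now, pc, "*", "Beacon (CF Parameter Set, CFPMaxDuration=%d)" % cfp_max_us)]
    navs = {s: cfp_max_us for s in polling_list}  # all stations reserve the CFP
    pending_ack = False                          # station data still unacknowledged
    for sta in polling_list:
        # Poll, reply and CF-End must still fit; otherwise end the CFP early.
        if now + 3 * (FRAME_AIR_TIME + SIFS) > cfp_max_us:
            break
        now += FRAME_AIR_TIME + SIFS
        data = pc_q.get(sta, 0) > 0
        if data:
            pc_q[sta] -= 1
        # One frame carries the PC's data, the ACK for the previous station's
        # frame, and the poll for this station.
        events.append((now, pc, sta, frame_name(data, pending_ack, True)))
        now += FRAME_AIR_TIME + SIFS
        has_data = sta_q.get(sta, 0) > 0
        if has_data:
            sta_q[sta] -= 1
        # The polled station answers after SIFS although its NAV is non-zero.
        events.append((now, sta, pc, frame_name(has_data, data, False)))
        pending_ack = has_data
    now += FRAME_AIR_TIME + SIFS
    events.append((now, pc, "*", "CF-End" + ("+CF-ACK" if pending_ack else "")))
    return events, {s: 0 for s in navs}          # CF-End resets every NAV


if __name__ == "__main__":
    cfp, _ = run_cfp(["Vivian", "Martha", "George"],
                     {"Vivian": 1, "Martha": 1}, {"Vivian": 1, "Martha": 1},
                     cfp_max_us=20_000_000)      # the text's 20-second CFP
    for event in cfp:
        print(event)
```

The CFPMaxDuration guard is what lets the PC honour the chapter's statement that it may end the CFP before the maximum elapses: a polling list longer than the period is simply cut off at the last exchange that fits.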

39.4.3 MAC Layer Operations

Three exchanges take place between the wireless station and the AP:

  • The probe process
  • The authentication process
  • The association process

The Probe Process

In Figure 39-15, Vivian’s station is in range of three APs. Two of the APs belong to the service set marketing, and the remaining AP belongs to the service set sales. Vivian’s station is configured for the service set marketing.

The client station sends an 802.11 probe request frame. Generally, an 802.11 station sends the probe request frame on every channel it is allowed to use (channels 1 through 11 in North America). This process is not mandated by the 802.11 specification. The probe request frame contains information about an 802.11 wireless station, such as which data rates the station supports and what service set the station belongs to.

The Authentication Process

802.11 authentication consists of two authentication modes: open authentication and shared-key authentication. 802.11 authentication is oriented around device authentication and determines whether the device is allowed on the network. For the purposes of this section, authentication is simplified to an authentication request and an authentication response, as depicted in Figure 39-16.

The Association Process

The 802.11 association process allows an AP to map a logical port or association identifier (AID) to the wireless station. The association process is initiated by the wireless station with an association request frame containing the capability information of the client and completed by the AP in an association response frame. The association response indicates success or failure as well as a reason code.


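The probe, authentication and association exchanges, modelled from the AP's side as an added Python example (not from the chapter): a station advances from unauthenticated to authenticated to associated, and an association request from a station that has not authenticated is refused with a deauthentication rather than given an AID. Frame names, the dictionary-shaped responses, the `join()` helper and the sample station names are constructed for the example; the status and reason code values are those defined by 802.11, and only open-system authentication is modelled.

```python
from enum import Enum


class State(Enum):
    """AP-side view of a client; a station must climb through these in order."""
    UNAUTH_UNASSOC = 1
    AUTH_UNASSOC = 2
    AUTH_ASSOC = 3


# Status and reason code values as defined by the 802.11 standard.
STATUS_SUCCESS = 0
STATUS_UNSPECIFIED_FAILURE = 1
REASON_CLASS2_FROM_NONAUTH_STA = 6   # e.g. association request before authentication


class AccessPoint:
    """Minimal AP that answers probe, authentication and association requests."""

    def __init__(self, ssid: str, max_aid: int = 2007):
        self.ssid = ssid
        self.clients = {}     # station -> State
        self.aids = {}        # station -> association identifier
        self.max_aid = max_aid

    def state(self, sta: str) -> State:
        return self.clients.get(sta, State.UNAUTH_UNASSOC)

    def probe_request(self, sta: str, ssid: str):
        """Answer probes for our SSID (or the empty/broadcast SSID); otherwise stay silent."""
        if ssid in ("", self.ssid):
            return {"frame": "probe_response", "ssid": self.ssid}
        return None

    def authentication_request(self, sta: str, algorithm: str = "open"):
        """Open-system authentication: a single request/response exchange."""
        if algorithm != "open":      # the shared-key exchange is not modelled here
            return {"frame": "authentication", "status": STATUS_UNSPECIFIED_FAILURE}
        self.clients[sta] = State.AUTH_UNASSOC
        return {"frame": "authentication", "status": STATUS_SUCCESS}

    def association_request(self, sta: str, ssid: str):
        """Map an AID to the station, but only once it is authenticated."""
        if self.state(sta) is State.UNAUTH_UNASSOC:
            # A class 2 frame from an unauthenticated station is refused with a deauthentication.
            return {"frame": "deauthentication", "reason": REASON_CLASS2_FROM_NONAUTH_STA}
        if ssid != self.ssid or (sta not in self.aids and len(self.aids) >= self.max_aid):
            return {"frame": "association_response", "status": STATUS_UNSPECIFIED_FAILURE}
        aid = self.aids.get(sta) or max(self.aids.values(), default=0) + 1
        self.aids[sta] = aid
        self.clients[sta] = State.AUTH_ASSOC
        return {"frame": "association_response", "status": STATUS_SUCCESS, "aid": aid}

    def deauthenticate(self, sta: str):
        """Deauthentication drops the station back to state 1 and frees its AID."""
        self.clients.pop(sta, None)
        self.aids.pop(sta, None)


def join(ap: AccessPoint, sta: str, ssid: str):
    """The three exchanges in order, as Vivian's station would run them.
    Returns the AID on success, None if any step fails."""
    if ap.probe_request(sta, ssid) is None:
        return None
    if ap.authentication_request(sta)["status"] != STATUS_SUCCESS:
        return None
    return ap.association_request(sta, ssid).get("aid")


if __name__ == "__main__":
    ap = AccessPoint("marketing")
    print(ap.association_request("Vivian", "marketing"))   # refused: not authenticated
    print(join(ap, "Vivian", "marketing"), ap.state("Vivian"))
```

The state table is the point of the example: the AP keeps per-station state, so it can tell a legitimate association request from one that arrives out of order, and a deauthentication returns the station to the bottom of the ladder with its AID released.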
39.4.4 802.11 MAC Frame Formats

There are three categories of frames in the 802.11 MAC:

  • Control frames – These frames facilitate the data frames during normal 802.11 data exchanges.
  • Management frames – These frames facilitate WLAN connectivity, authentication, and status.
  • Data frames – These frames carry station data between the transmitter and receiver.
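An added Python example (not from the chapter) that decodes the fields shared by all three frame categories: the Frame Control field's type and subtype bits, the Duration field that feeds the NAV, the address fields, and the Sequence Control field that carries the fragment number used by fragmentation. The two sample frames (Martha's data frame to George through the AP, and the AP's ACK) and their MAC addresses are constructed; the subtype table covers only the frames this chapter mentions.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
# Subtype names for the frames this chapter mentions (a subset of the standard's table).
SUBTYPES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response", (0, 8): "beacon",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK", (1, 14): "CF-End",
    (2, 0): "data", (2, 1): "Data+CF-ACK", (2, 2): "Data+CF-Poll",
    (2, 3): "Data+CF-ACK+CF-Poll", (2, 4): "null (no data)",
}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def frame_control(ftype: int, subtype: int, flags: int = 0) -> int:
    """Pack the 16-bit Frame Control field (protocol version 0)."""
    return (ftype << 2) | (subtype << 4) | (flags << 8)


def parse_header(frame: bytes) -> dict:
    """Decode the fields common to every 802.11 MAC header.

    Fields are little-endian. Control frames stop after the addresses they
    carry (RA, plus TA for RTS); management and data frames continue with
    Addr2, Addr3 and Sequence Control.
    """
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    info = {
        "version": fc & 0x3,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "more_fragments": bool(flags & 0x04), "retry": bool(flags & 0x08),
        "protected": bool(flags & 0x40),
        # Bit 15 set means the field is not a NAV value (e.g. the fixed CFP value).
        "duration_us": duration if duration < 0x8000 else None,
        "addr1": mac(frame[4:10]),
    }
    if ftype == 1:
        if subtype == 11:                       # RTS also names the transmitter
            info["addr2"] = mac(frame[10:16])
        return info
    info["addr2"], info["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    info["fragment_number"], info["sequence_number"] = seq_ctrl & 0xF, seq_ctrl >> 4
    return info


# Constructed sample frames (FCS omitted): Martha -> AP -> George, and the AP's ACK.
AP_BSSID = bytes.fromhex("02000000aa01")
MARTHA = bytes.fromhex("02000000aa02")
GEORGE = bytes.fromhex("02000000aa03")
DATA_FRAME = (struct.pack("<HH", frame_control(2, 0, flags=0x01), 210)   # ToDS, Duration 210 us
              + AP_BSSID + MARTHA + GEORGE + struct.pack("<H", (17 << 4) | 0))
ACK_FRAME = struct.pack("<HH", frame_control(1, 13), 0) + MARTHA


if __name__ == "__main__":
    for name, f in (("data", DATA_FRAME), ("ack", ACK_FRAME)):
        print(name, parse_header(f))
```

The Duration check matters for any code that drives a NAV from captured frames: a value with bit 15 set (the fixed value carried during a CFP) is not a reservation in microseconds and must not be loaded into the timer.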