Capacity, QoS, and Security Related Advances in IEEE 802.11. Kaustubh S. Phanse, K. N. Gopinath, AirTight Networks, Inc. National Conference on Communications (NCC 2008), Indian Institute of Technology, Bombay, February 1, 2008. www.airtightnetworks.net.

Capacity, QoS, and Security Related Advances in IEEE 802.11

Kaustubh S. Phanse K. N. Gopinath

AirTight Networks, Inc.

National Conference on Communications (NCC 2008)

Indian Institute of Technology, Bombay

February 1, 2008

www.airtightnetworks.net

Outline
  • Introduction: 802.11 overview: history and basic concepts
  • 802.11n: MIMO concepts, channelization, frame aggregation, frame formats, performance
  • 802.11e: Coordination functions for QoS support, service classes
  • 802.11i, 802.11w: Authentication and encryption; protection of management and broadcast frames
  • What this tutorial will NOT cover…
    • Communication and information theory: modulation and demodulation techniques, estimation, …
    • Details of certain optional features in 802.11 standards

IEEE 802.11
  • Working group established in 1990
  • First standard in 1997 (already 10 years ago!)
    • Frequency: 2.4 GHz band
    • Physical layer: DSSS, FH, IR
    • MAC layer: CSMA/CA
    • Data rate: 2 Mbps

802.11 protocol suite

802.11 MAC and PHY enhancements

[Figure: protocol-stack diagram. Labels: 802.11i, 802.11e, 802.11w, 802.11n; Security, QoS, Capacity & Coverage; Data link (MAC), Physical (PLCP, PMD)]

Two-slide primer on 802.11 MAC (1/2)
  • Distributed coordination function (DCF) using carrier sense multiple access (CSMA/CA)

Motivation for multicarrier modulation
  • Large delay spread (due to multipath reception) can cause significant inter-symbol interference (ISI)
    • Burst errors
    • Limits maximum achievable data rate

Multicarrier modulation
  • Divide a high-rate sequence of symbols into several low-rate sequences
    • Symbol duration ($T_N$) becomes large
  • Transmit low-rate symbols simultaneously over multiple subchannels or subcarriers
    • Total bandwidth B is divided into subchannels each with bandwidth B/N

Orthogonal frequency division multiplexing (OFDM)
  • Tighter packing of subcarriers than traditional FDM
  • Subcarriers are orthogonal to enable demodulation
    • Spacing $\Delta f$ is at least $1/T_N$

OFDM in 802.11
  • Each 20 MHz channel divided into 52 subcarriers
    • Bandwidth of 16.6 MHz actually used for transmission
  • Subcarriers spaced 312.5 kHz apart
    • 48 subcarriers for data transmission
    • 4 pilot subcarriers for monitoring

802.11n PHY Enhancements

What is MIMO?
  • SISO: Single Input (transmit) Single Output (receive)
  • MIMO: Multiple Input Multiple Output
    • Spatial diversity (transmitter and receiver)
    • Spatial multiplexing

[Figure: Tx and Rx antenna configurations for SISO and MIMO; M x N system (N > 1, M > 1)]

Spatial diversity
  • Use multiple independently fading signal paths to reduce the error probability
    • Low probability of independent fading signal paths to simultaneously experience deep fades
    • Need multiple antennas spaced sufficiently apart (~ λ/2)
  • Maximum diversity gain (D) for M x N system = MN

Receiver diversity

[Figure: M-branch receiver. Branch k (k = 1, ..., M) receives $r_k e^{j\theta_k} s(t)$ and is multiplied by the weight $a_k e^{-j\theta_k}$; the weighted branches are summed (Σ). Combiner output SNR = $\eta_\Sigma$]

  • Let noise at each antenna = $N_0$. Combined output SNR $\eta_\Sigma$ =

Receiver diversity: Selection combining
  • Choose the branch with the highest SNR

ηΣ = ηk =

    • Often implemented as a single receiver that switches to the chosen antenna branch
    • But it is still a single transmit-receive chain (SISO)

[Figure: Tx and Rx, each a single chain of bit stream, DSP and radio]

Receiver diversity: Maximum Ratio Combining (MRC)
  • Give higher weights to branches with high SNR and lower weights to branches with low SNR

[Figure: Tx and Rx, each with bit stream, DSP and two radios]

Receiver diversity: MRC
  • Optimal weight ak =
  • rk is the energy per symbol =
  • Then, SNR =
  • Combined received SNR ηΣ =
  • Array gain: M-fold increase in SNR versus a SISO system
  • Maximum array gain (A) for M x N system = MN

Transmitter diversity: Channel-aware
  • Transmitter has knowledge of channel state information (CSI)
    • Feedback from receiver
    • Assume channel is reciprocal
  • Similar to receiver diversity with coherent combining, e.g., MRC
    • Assign weights to antenna branches depending on channel conditions

Transmitter diversity: Channel-unaware
  • Space-time block codes (STBC): Alamouti scheme
    • Assume channel gain is constant over two symbol periods
    • Transmit symbols $s_1$ and $s_2$ during first symbol period
    • Transmit $-s_2^*$ and $s_1^*$ during next symbol period
  • Let each antenna have a channel gain $h_k = r_k e^{j\theta_k}$
  • Received signal is r(t) =
  • Symbol received during first symbol period: $y_1 = h_1 s_1 + h_2 s_2$
  • Symbol received during second symbol period: $y_2 = -h_1 s_2^* + h_2 s_1^*$

Transmitter diversity: Alamouti scheme
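  • Let sequence of received symbols be represented as a vector $\mathbf{y} = [y_1 \; y_2^*]^T$
  • $\mathbf{y} = H\mathbf{s}$
  • Let $\mathbf{z} = H^H\mathbf{y} = H^H H\mathbf{s} = (|h_1|^2 + |h_2|^2) I_2 \mathbf{s}$
  • Then
  • $z_1 = h_1^* y_1 + h_2 y_2^* = (|h_1|^2 + |h_2|^2) s_1$
  • $z_2 = h_2^* y_1 - h_1 y_2^* = (|h_1|^2 + |h_2|^2) s_2$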
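
The decoupling step above, written out as an added derivation (not from the original slides) using the received symbols defined on the previous slide, with noise omitted as on the slides:

$$
\begin{aligned}
y_1 &= h_1 s_1 + h_2 s_2, \qquad y_2^* = h_2^* s_1 - h_1^* s_2 \\
\mathbf{y} &= \begin{bmatrix} y_1 \\ y_2^* \end{bmatrix}
 = \begin{bmatrix} h_1 & h_2 \\ h_2^* & -h_1^* \end{bmatrix}
   \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} = H\mathbf{s} \\
H^H H &= \begin{bmatrix} h_1^* & h_2 \\ h_2^* & -h_1 \end{bmatrix}
         \begin{bmatrix} h_1 & h_2 \\ h_2^* & -h_1^* \end{bmatrix}
 = \begin{bmatrix} |h_1|^2 + |h_2|^2 & h_1^* h_2 - h_2 h_1^* \\ h_2^* h_1 - h_1 h_2^* & |h_2|^2 + |h_1|^2 \end{bmatrix}
 = (|h_1|^2 + |h_2|^2)\, I_2 \\
z_1 &= h_1^* y_1 + h_2 y_2^* = h_1^*(h_1 s_1 + h_2 s_2) + h_2(h_2^* s_1 - h_1^* s_2) = (|h_1|^2 + |h_2|^2)\, s_1 \\
z_2 &= h_2^* y_1 - h_1 y_2^* = h_2^*(h_1 s_1 + h_2 s_2) - h_1(h_2^* s_1 - h_1^* s_2) = (|h_1|^2 + |h_2|^2)\, s_2
\end{aligned}
$$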

Transmitter diversity: Alamouti scheme
  • Received SNR ηk for zk=
  • Total SNR ηΣ=
  • Array gain = 1
  • Diversity gain = 2

Practical significance: array gain and diversity gain
  • Maximum: array gain A = MN, diversity gain D = MN
  • For a Rayleigh channel: error probability ($P_e$) ∝
  • For M x N system, $P_e$ ∝

[Formula callouts: diversity gain, array gain]

Practical significance: array gain and diversity gain

[Figure: $P_e$ versus SNR]
  • Diversity gain determines the slope of the curve
  • Array gain shifts the curve

Spatial multiplexing
  • Multiplexing
    • Time (TDM), frequency (FDM), code (CDM)
    • SDM: using space as another dimension to multiplex data
  • Degrees of freedom
    • Rich scattering environment
  • Transmit unique data streams over separate RF chains

Spatial multiplexing
  • Maximum multiplexing gain = min (M,N)
  • Use training symbols to estimate channel matrix H
  • Linear systems theory analogy: min (M,N) variables with min (M,N) equations

[Figure: at Tx, the DSP splits the bit stream b1 ... b6 across two radios (b1, b3, b5 and b2, b4, b6); at Rx, two radios feed a DSP that merges them back into b1 ... b6]

Spatial multiplexing gain vs. diversity gain trade-off

[Figure: diversity gain versus spatial multiplexing gain, through the points (0, MN), (1, (M-1)(N-1)), (2, (M-2)(N-2)), ..., (k, (M-k)(N-k)), ..., (min(M, N), 0)]

802.11n channels
  • 40 MHz operation (channel bonding)
    • Primary channel plus secondary (upper/lower) channel
    • Primary for management frames, both channels for data frames
  • Higher bandwidth, higher data rates!
    • …but higher interference
  • Only one non-overlapping channel in 2.4 GHz
    • Implications for legacy WLANs

802.11n: Modes of Operation
  • 3 Modes: Non-HT, Mixed, Greenfield (distinguished by their PLCP headers)
  • Mixed
    • Full support for legacy clients
    • Broadcast control frames always in 20 MHz
    • Performance degradation for .11n stations
  • Greenfield
    • No backward compatibility
    • Short & more efficient PLCP format
    • No performance degradation for .11n devices

[Figure: PLCP frame formats. Field annotations:]
  • MIMO estimation: D-LTF, 1 per stream, providing channel estimation for data portion of the frame
  • Detection of PPDU, timing & coarse freq acquisition
  • Staggered preambles (e.g., sounding packets)
  • Additional optional estimation info for channels
  • For use of legacy devices also
  • Signalling (see next slide)

L-SIG (MM) & HT-SIG (MM & GF)

[Figure: L-SIG of Mixed Mode. Annotations: "Encoded value indicating duration of rest of the packet"; "Always 6 Mbps"]

[Figures: HT-SIG (two slides)]

Modulation & Coding Scheme (MCS)
  • MCS is a compact representation (index) indicating
    • Modulation (BPSK, QPSK, QAM,…)
    • Coding (1/2, 3/4, …)
    • Number of Spatial Streams (1,2,3,4)
  • MCS index can be from 0 to 127
    • Mandatory MCS
      • MCS 0 to 15 at 20 MHz (at AP)
      • MCS 0 to 7 at 20 MHz (at client STA)
    • Rest all optional
      • MCS 16 to 76 are optional
      • All MCS at 40 MHz
    • MCS 77 to 127 are reserved for future use

Other Optional MCSs
  • Other MCSs
    • HT Duplicate
      • MCS 32
      • Useful under very high noise
      • Lowest rate of 40 MHz (BPSK)
      • 6.7 Mbps max rate
    • MCSs with unequal modulation
      • Use with
        • Tx beamforming
        • STBC
      • MCS 33 – 38 (4 SS)
        • Max rate 495 Mbps
      • MCS 39 – 52 (4 SS)
        • Max rate 495 Mbps
      • MCS 53 – 76 (4 SS)
        • Max rate 495 Mbps
  • MCSs with SS=3
    • MCS 16 – 23
    • Max rate (MCS 23)
      • 216.7 Mbps (20 MHz)
      • 450 Mbps (40 MHz)
  • MCSs with SS=4
    • MCS 24 – 31
    • Max rate (MCS 23)
      • 288.9 Mbps (20 MHz)
      • 600 Mbps (40 MHz)

MAC Enhancements

Frame Aggregation

Motivation

[Figure: frame exchange timelines. Two separate exchanges (DCF, PLCP, MPDU1, PLCP, ACK; DCF, PLCP, MPDU2, PLCP, ACK) compared with a single exchange carrying one larger MPDU (DCF, PLCP, MPDU, SIFS, PLCP, ACK)]

  • Amortize PLCP, MAC overheads by sending bigger packets
  • Can be implemented in several ways (as discussed next)

Physical Level Aggregation (A-MPDU)
  • Consists of several MPDUs addressed to the same receiver
    • Identified by the HT SIG PLCP field ‘Aggregation’ of a received packet
  • Each MPDU embedded in a subframe
  • Each subframe consists of a delimiter followed by an MPDU (and padding in some cases)
    • Except the last subframe, subframes are padded so that their length is a multiple of 4 octets
  • Delimiter
    • Delimiter signature (ASCII N) is useful for recovery during errors
    • CRC protects reserved and length fields
    • When an invalid delimiter is found, the de-aggregation process skips forward 4 bytes and restarts its search for a new MPDU
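
The de-aggregation and resynchronisation rule above, as an added Python example that is not part of the original slides. It assumes the delimiter layout of 4 reserved bits, a 12-bit MPDU length, an 8-bit CRC and the signature byte; the CRC bit ordering is simplified, and `make_subframe` and `deaggregate` are hypothetical helper names. The length field comes from the air, so it is bounds-checked before any payload is sliced.

```python
import struct

DELIM_SIGNATURE = 0x4E  # ASCII 'N', the delimiter signature named on the slide


def crc8(data: bytes) -> int:
    """CRC-8 (x^8 + x^2 + x + 1), register preset to ones, output inverted.

    Assumption: bits are processed MSB first for readability; the on-air
    bit ordering used by 802.11n differs.
    """
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def make_subframe(mpdu: bytes, last: bool = False) -> bytes:
    """Build delimiter + MPDU, padded to a 4-byte multiple unless it is last."""
    if len(mpdu) > 0xFFF:
        raise ValueError("MPDU length does not fit the 12-bit length field")
    hdr = struct.pack("<H", len(mpdu) << 4)  # low 4 bits reserved (zero)
    sub = hdr + bytes([crc8(hdr), DELIM_SIGNATURE]) + mpdu
    if not last:
        sub += b"\x00" * (-len(sub) % 4)
    return sub


def deaggregate(psdu: bytes):
    """Return (list of MPDUs, number of 4-byte windows skipped as invalid)."""
    mpdus, skipped, off = [], 0, 0
    while off + 4 <= len(psdu):
        hdr, crc, sig = psdu[off:off + 2], psdu[off + 2], psdu[off + 3]
        length = struct.unpack("<H", hdr)[0] >> 4
        end = off + 4 + length
        # Reject a bad signature, a bad CRC, or a length that runs past the
        # received buffer (a valid CRC does not make the length trustworthy).
        if sig != DELIM_SIGNATURE or crc != crc8(hdr) or end > len(psdu):
            off += 4  # skip forward 4 bytes and search again
            skipped += 1
            continue
        if length:  # zero-length delimiters only provide MPDU start spacing
            mpdus.append(psdu[off + 4:end])
        off = end + (-end % 4)  # next delimiter starts on a 4-byte boundary
    return mpdus, skipped


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    a, b, c = b"\x88\x01" + b"A" * 9, b"B" * 20, b"C" * 6
    psdu = (make_subframe(a) + make_subframe(b"") + make_subframe(b)
            + make_subframe(c, last=True))
    print(deaggregate(psdu))
    damaged = bytearray(psdu)
    damaged[20] ^= 0x10  # corrupt the length field of the second MPDU's delimiter
    print(deaggregate(bytes(damaged)))
```

With the second delimiter damaged, the first and third MPDUs are still recovered, which is the error-recovery property the delimiter provides.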

Physical Level Aggregation (A-MPDU)
  • Parameters negotiated using “A-MPDU parameters set” of HT capabilities IE field in a mgmt frame
    • Max length (64k is the limit)
    • Min MPDU start spacing
      • 0 indicates no restriction
      • Else, ranges from 1/4 to 16 usecs
      • Realized by using Delimiters with MPDU length 0
    • Can be limited by a station using its Assoc packet
  • Example frames that an A-MPDU can contain
    • QoS data frames
    • Block ack
    • Block ACK req frames
    • Action management frames of subtype “Action No ACK” (e.g., carrying MIMO info)

[Field annotations: Max Rx Factor (x): 0 to 3 [2^(13+x)]; Min spacing: 0.25 to 16 usecs]

A-MSDU
  • A-MSDU consists of multiple subframes
  • All MSDUs are intended to be received by the same receiver
  • A-MSDU of length is 4095 – QoS data overheads = 4065 bytes cannot be Tx in an A-MPDU (as A-MPDU cannot carry fragments)

A-MSDU
  • MAC level aggregation
    • Consists of MSDUs belonging to the same TID (QoS class)
  • Support is mandatory at the receiver when it is carried in a single (i.e., non A-MPDU) QoS Data MPDU under Normal Ack policy
    • Block Ack agreement determines whether an A-MSDU can be carried in QoS data frames that are part of the BA session
  • A-MSDU lifetime indicates the maximum lifetime of its constituent MSDUs
    • An A-MSDU can be transmitted until its A-MSDU lifetime expires or it is received at the receiver
    • Implicitly means certain MSDUs can be transmitted even after their individual lifetimes
  • A STA shall not transmit an A-MSDU to a station that exceeds its Max A-MSDU length capability

Block ACK (BA)

Block Ack Packet Exchange
  • ADDBA Request used to initiate BA session
  • ADDBA Response confirms/rejects the session
  • Frames of a session need NOT be sent consecutively
    • They can be mixed with other frames of a station
    • They can be interleaved with packets from other stations
    • They can be sent in multiple .11e TXOPs
  • BlockAckReq used to solicit a BlockACK response frame
  • DELBA used to terminate a BA session

Block ACK Sessions (ADDBA)
  • Dialog token is an ID used to match request and response
  • Parameter set (defined in next slide)
  • Status code indicates whether the receiver accepts the request or not
    • If not, sender is not supposed to use Block ACK
  • Timeout indicates the duration (in seconds) for which a session is active

Block Ack Parameter Set Field used in ADDBA Action Management Frames
  • Block Ack Parameter set field
    • A MSDU may or may not be allowed as a part of this BA session
    • Block Ack policy is 1 for immediate ACK, 0 for delayed
      • Delayed is sent at a slightly later time after receiving a Block Ack Req
    • TID indicates the .11e Traffic Identifier field (i.e., an ID used to group all frames that need similar QoS treatment)
    • Buffer size indicates buffers
      • Recipient controls the buffers that can be supported

[Figure: Block Ack Parameter Set field layout, with fields marked 802.11n or 802.11e]

[Figures: Immediate BlockAck and Delayed BlockAck frame exchanges]

Block ACK Sessions (DELBA)
  • DELBA used to tear down sessions explicitly
  • Initiator indicates whether the sender or receiver of QoS data has initiated DELBA

[Figure: DELBA Parameter Set field]

BlockAckReq (BAR)

[Figure: BlockAckReq frame format, with fields marked 802.11n or 802.11e]

Fields of BlockAckReq Frame
  • Interesting note on BA policy
    • .11e defines delayed & immediate BA policy
    • In addition, .11n defines HT immediate & HT delayed policies
      • Negotiated between HT stations as a part of HT capabilities
      • Extensions for using BA with 802.11n features such as frame aggregation (A-MPDU)
  • BAR Control
    • BA Policy (HT-delayed only)
      • Normal ACK
      • No ACK
    • Multi-TID
      • Does BAR consist of req for different QoS streams?
    • Compressed
      • Support for fragments in BA?
    • TID_INFO
      • Info about each TID

BlockAckReq Encoding

  • Basic BAR, Compressed BAR
    • TID info contains TID for which the req has been made
  • MT BAR
    • TID_info contains number of TIDs
    • BAR info contains seq number for that many TIDs

[Figure: BAR Info field; Per TID Info]

BlockAck frame
  • BlockAck carries ACKs as bitmaps
  • Exact format depends on the encoding (see next slide)

BA Information for each BA encoding

  • Basic BA
    • 128 byte bitmap
  • Compressed BA
    • Mandatory
    • 8 bit bitmap
    • No support for fragments
  • MTBA (repeated for each TID)

HT Protection Mechanisms

Protection Requirements
  • Protection may be required if Non-HT stations are present or Non-greenfield stations are present
  • Types of protection that an HT station provides
    • RTS/CTS using a legacy rate
    • CTS to self using a legacy rate
    • Transmit 1st frame in a backward compatible mode
      • 1st frame Tx using a Non-HT preamble and then switch to HT mode
      • 1st frame Tx using a MM preamble and then switch to greenfield operation
    • Setting of L-SIG values in preamble to protect the current transmission
    • L-SIG TxOP (See next slide)

L-SIG TxOP Protection
  • Communication between 2 HT STAs that support this feature (as discussed in HT capabilities IE shortly)
  • Protecting multiple PSDUs (e.g., DATA+ACK, RTS/CTS) using a larger duration as derived from L-SIG
    • L-SIG Duration will be derived from the MAC header’s duration value
  • Non-HT STAs ‘think’ this as a transmission involving single large frame!
  • Applicable to HT-Mixed mode Tx only

Advertising HT Capabilities using MAC Frames

HT Capability Information Element (E.g., Beacon, Probe Response)

[Figures: HT Capability information element layout and HT Capabilities Info field (three slides)]

Example Packet Trace Snippet of a Dlink AP
  • HT Capability Info: %0001000001001110
  • 0....... ........ L-SIG TXOP Protection Support: Not Supported
  • .0...... ........ AP allows use of 40MHz Transmissions In Neighboring BSSs
  • ..0..... ........ Device/BSS does Not Support use of PSMP
  • ...1.... ........ BSS does Allow use of DSSS/CCK Rates @40MHz
  • ....0... ........ Maximal A-MSDU size: 3839 bytes
  • .....0.. ........ Does Not Support HT-Delayed BlockAck Operation
  • ......00 ........ No Rx STBC Support
  • ........ 0....... Transmitter does Not Support Tx STBC
  • ........ .1...... Short GI for 40 MHz: Supported
  • ........ ..0..... Short GI for 20 MHz: Not Supported
  • ........ ...0.... Device is Not Able to Receive PPDUs with GF Preamble
  • ........ ....11.. Spatial Multiplexing Enabled
  • ........ ......1. Both 20MHz and 40MHz Operation is Supported
  • ........ .......0 LDPC coding capability: Not Supported
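
A decoder for the field shown in the trace above, as an added Python example that is not part of the original slides. Bit names and positions follow the trace on this page (a draft-era layout); the sample beacon bytes are constructed, and `changed_fields` is a hypothetical helper for comparing an observed AP against a recorded baseline.

```python
import struct

HT_CAPABILITIES_EID = 45  # element ID of the HT Capabilities IE

# (name, shift, width) within the 16-bit HT Capability Info field, bit 0 = LSB.
# The trace on this page prints the field MSB first, so read it right to left.
HT_CAP_INFO_FIELDS = [
    ("ldpc", 0, 1),
    ("chan_width_20_40", 1, 1),
    ("sm_power_save", 2, 2),        # 3 = spatial multiplexing enabled
    ("greenfield_rx", 4, 1),
    ("short_gi_20", 5, 1),
    ("short_gi_40", 6, 1),
    ("tx_stbc", 7, 1),
    ("rx_stbc", 8, 2),
    ("ht_delayed_ba", 10, 1),
    ("max_amsdu", 11, 1),           # 0 = 3839 bytes, 1 = 7935 bytes
    ("dsss_cck_40", 12, 1),
    ("psmp", 13, 1),
    ("forty_mhz_intolerant", 14, 1),
    ("lsig_txop_protection", 15, 1),
]


def iter_ies(tagged: bytes):
    """Yield (element_id, body) pairs; stop at the first truncated element."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2:off + 2 + length]
        if len(body) < length:
            return  # the length byte points past the end of the frame
        yield eid, body
        off += 2 + length


def ht_cap_info(tagged: bytes):
    """Return the 16-bit HT Capability Info value, or None if absent."""
    for eid, body in iter_ies(tagged):
        if eid == HT_CAPABILITIES_EID and len(body) >= 2:
            return struct.unpack_from("<H", body)[0]  # little-endian on the wire
    return None


def decode_ht_cap_info(value: int) -> dict:
    """Split the 16-bit value into named fields."""
    out = {name: (value >> shift) & ((1 << width) - 1)
           for name, shift, width in HT_CAP_INFO_FIELDS}
    out["max_amsdu_bytes"] = 7935 if out.pop("max_amsdu") else 3839
    return out


def changed_fields(baseline: int, observed: int) -> list:
    """Names of fields that differ between a baseline and an observed value."""
    base, seen = decode_ht_cap_info(baseline), decode_ht_cap_info(observed)
    return [name for name in base if base[name] != seen[name]]


# Constructed sample: tagged parameters with an SSID IE ("lab") and a 26-byte
# HT Capabilities IE whose first two bytes carry the value from the trace.
SAMPLE_TAGGED = (bytes([0, 3]) + b"lab"
                 + bytes([HT_CAPABILITIES_EID, 26])
                 + struct.pack("<H", 0b0001000001001110) + bytes(24))

if __name__ == "__main__":
    value = ht_cap_info(SAMPLE_TAGGED)
    print(f"{value:016b}", decode_ht_cap_info(value))
```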

HT Capabilities Info: Supported MCS Set
  • Rx MCS Bitmask: bit i = 1 indicates support for that MCS
  • Tx MCS Set Defined = 0 means both Tx/Rx MCS are equal
  • Up to 4 streams can be supported
  • Tx unequal modulation support (as discussed earlier) may or may not be supported

HT Extended Capabilities
  • PCO: Support for Phased coexistence operation
    • Alternate between 20 & 40 MHz operation
  • MCS feedback
    • Station can provide MCS feedback
  • RD Responder indicates support for Reverse direction protocol
    • Optional feature wherein an initiator can elicit a response packet burst from a responder

HT Info Element
  • Operating mode
    • Beacon always sent in non-HT mode
    • See next slide for details

HT Information Element
  • Channel related parameters
    • Primary channel
    • Secondary channel offset
    • Channel width of a STA (20 or 40)
    • Dual Beacon
      • Does AP Tx beacon in secondary channel?
    • Secondary beacon support
    • Basic MCS Set
      • Mandatory MCS for all STAs in BSS
      • Similar to Basic rates of .11a/b/g
  • RIFS
    • Shorter inter packet gaps
    • E.g., 2 usecs (compare it with 16 usecs for SIFS)
  • Tx burst limit
    • Burst of GF or RIFS packets
  • Overlapping BSS protection
  • Dual CTS protection
    • Send a CTS for STBC & legacy STAs separately
  • Full BSS support for L-SIG TXOP protection
  • Phased Coexistence (PCO Parameters)
    • PCO Active
    • PCO phase (20 or 40 MHz switch)

HT Information element

Operating mode

  • Set to 0
    • All STAs in BSS are 20/40 MHz HT
    • All STAs in a 20 MHz HT BSS are 20 MHz HT
  • Set to 1 (non-member protection)
    • Some members on the channel (maybe outside BSS) are non-HT
  • Set to 2
    • At least one 20 MHz only STA in a HT BSS
  • Set to 3
    • MM (at least one legacy STA is present in BSS)

Protection

  • Required for Operating mode 1 & 3
  • Protection mechanisms discussed earlier can be used
  • Operating mode can also be updated dynamically based on BSS constitution

Non-GF STAs present

  • Set to 0
    • All associated STAs in BSS are GF capable
  • Set to 1
    • Some non-GF STAs present in a BSS

Channel Switch & Extended Channel Switch Elements
  • Channel Switch
    • Indicates the secondary channel relative to the primary channel
      • Useful for 40 MHz transmission
      • 0 indicates no sec channel, 2 is reserved
      • 1 means secondary is above primary, 3 means below
    • Beacons, Probe Responses
    • Channel switch announcement frames (Action management frames)
  • Extended Channel Switch
    • Switch to a new channel (20 MHz) or a new primary channel (40 MHz), and regulatory class
    • Beacons, Probe Responses
    • Channel switch announcement frames (Action management frames)

HTControl

RDP Exchange

Theoretical Maximum Throughput (TMT)

[Figure: throughput (Mbps) versus MCS, for MSDU size = 1000 bytes]

Theoretical bandwidth efficiency

[Figure: bandwidth efficiency versus MSDU size (10^3 bytes)]

Bandwidth efficiency with aggregation

[Figure: bandwidth efficiency versus aggregated frame size (KB)]

Insights from experiment results

[Figure: probability versus A-MPDU size (KB)]

Limitations of DCF
  • No notion of differentiated service
  • Designed for fairness
  • Contention-based
    • Inherently lacks service guarantee

Limited QoS support using Point Coordination Function (PCF)
  • Contention-free and contention periods (CFP and CP)
  • Centralized polling scheme
  • Limitations
    • Simple round-robin polling only during CFP
    • Unknown transmission durations
    • Unpredictable beacon delays during polling

IEEE 802.11e main features
  • Four access categories (AC): voice, video, best effort, background

IEEE 802.11e main features
  • Transmission opportunity (TXOP)
  • Controlled beacon interval
  • Hybrid coordination function (HCF)
    • Enhanced distributed channel access (EDCA)
    • HCF controlled channel access (HCCA)
  • Block ACKs: cumulative acknowledgements
  • Direct Link Protocol (DLP): station to station communication


Enhanced distributed channel access (EDCA)
  • Contention based
  • Arbitration IFS (AIFS): sense if channel is idle for AIFS
    • Each AC has a different AIFS
    • PIFS < AIFS [Higher AC] < AIFS [Lower AC]
    • AIFS ≥ DIFS
  • Backoff: contention window (CW)
    • CWmin [Higher AC] < CWmin [Lower AC]
    • CWmax [Higher AC] < CWmax [Lower AC]

HCF controlled channel access (HCCA)
  • HC should have highest priority to control medium access
    • HC uses PIFS as idle time before accessing the channel
    • AIFS [Highest AC] = DIFS
  • “Superframe” defines CP (EDCA TXOPs) and CFP (HCCA TXOPs)
    • HC can allocate polled TXOP even during CP

[Figure: superframe between two beacons, showing the contention-free period (CFP) and the contention period (CP) with alternating HCCA and EDCA intervals]

Security Enhancements to 802.11 WPA/802.11i & 802.11w D2.0


History: WEP Shared Key Authentication

[Figure: message exchange between client and AP, each configured with key K (40 bit string)]
  • Client sends Authentication Request
  • AP sends challenge text C (random string of 128 bytes)
  • Client computes response R1 = f (C, K) and sends response R1
  • AP computes response R2 = f (C, K) and checks: is R1 = R2?
  • AP sends result (Accept/Reject)
  • R1 = R2 = C XOR Keystream (K, IV)

Note: This is one-way authentication. AP authenticates Client, but not vice versa.


History: WEP Encryption

[Figure: transmitter and receiver each feed (Key K | Initialization Vector IV), 40 bit and 24 bit respectively, into an RC4 key stream generator. The transmitter XORs the keystream (hundreds of bits) with packet P and sends IV and encrypted P over the wireless channel; the receiver XORs encrypted P with the same keystream to recover packet P. This is called a "stream cipher".]

  • Key K is statically programmed in transmitter and receiver
  • IV is changed per packet
  • ICV is used for integrity protection (part of P)


History: What went wrong with WEP?

  • Very easy to beat the Authentication
    • P XOR R = C
    • P XOR C = R
  • IV Collision:
    • Means two packets encrypted with same IV
      • 24 bit IV can quickly wrap around under heavy traffic condition
      • Many cards/APs on reset start with IV = 0 and increment from there
  • Cipher Text Modification
    • ICV Protection can be defeated
  • Key (K) cracking (Fluhrer, Mantin, Shamir – "FMS attack")
    • Using few packets encrypted with "Weak IVs", key K itself can be cracked
  • No Mutual Authentication
  • No Replay Protection
  • Single shared key used for all users/sessions


WPA: A Quick Fix to WEP

  • Created by WiFi Alliance
    • Note: IEEE standardizes WLAN protocols, WiFi Alliance (www.wifialliance.org) promotes market adoption of WLAN
  • Constraints:
    • No change to XOR based hardware encryption engine
    • Something that will work with firmware upgrade to installed base of WLAN equipment


Connection Establishment using WPA

  • Step 1: AP Discovery (SSID, signal strength)
  • Step 2: Open (No) Authentication or WEP Shared Key Authentication
  • Step 3: Association
  • Step 4.1: 802.1x (EAP) Authentication or Pre-shared Keys (PSK) (addition: 802.1x and PSK)
  • Step 4.2: Dynamic Encryption Key Generation, EAPOL 4-way handshake
  • Step 5: WEP Like Encrypted Data Communication (addition of TKIP)


[Figure: 802.1x authentication message flow across the wireless link and the wired LAN, in order:]
  • Open Authentication
  • Association
  • EAP Identity Request
  • EAP Identity Response (RELAY)
  • Authentication Method Handshake: Identity Proof and Master Key Generation (Generate Master Key at both ends)
  • EAP Success; Accept/Provide Master Key
  • EAPOL 4-Way Handshake (Generate Transient Keys at both ends)
  • Encrypted Data Exchange
  • EAPOL Logoff

Open Controlled Port allowing only EAP messages to pass through.

Open Uncontrolled Port allowing data to pass through.


Advantages of 802.1x

  • Freedom to choose authentication algorithm
    • 802.1x is a bearer
    • TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being
      • Support mutual authentication
      • Support derivation of master keys
    • Keys and authentication algorithms can be session specific
  • Ease of management of credentials in central authentication server
  • Ease of integration with other enterprise security systems (network authentication)


TKIP Encryption

  • TKIP uses longer IV (48 bit) – twice as much as WEP
  • Avoids Weak IVs
  • Prevents IV reuse for any given key
    • IV always starts from 0 and counts upwards
  • Master key generated afresh for each connection attempt – unlike static WEP keys
    • Transient keys generated from master key are used for encryption – refreshed at regular intervals


Connection Establishment using 802.11i

  • Step 1: AP Discovery (SSID, signal strength)
  • Step 2: Open (No) Authentication or WEP Shared Key Authentication
  • Step 3: Association
  • Step 4.1: 802.1x (EAP) Authentication or Pre-shared Keys (PSK) (addition of 802.1x and PSK)
  • Step 4.2: Dynamic Key Generation
  • Step 5: CCMP Encrypted Data Communication (CCMP: change in h/w encryption engine)

802.11w: Management Frame Protection
  • WPA/802.11i protect 802.11 data packets only
  • Management, Control frames are left unprotected
    • This can lead to various kinds of DoS attacks on an 802.11 network
    • E.g., Deauthentication, Disassociation, Virtual jamming
  • 802.11w DRAFT 2.0 (still in draft stage) is aimed at extending 802.11i to protect management frames

Management Frames Protected
  • Robust Management Frames
    • Deauthentication
    • Disassociation
    • Action with category
      • Spectrum management
      • QoS
      • BlockAck
      • DLS
  • Protection
    • Protection field in MAC frame control set to 1
    • Confidentiality for unicast management frames (TKIP or CCMP)
    • Integrity for broadcast frames provided

Broadcast Frame Integrity
  • Management MIC Information Element (MMIE)
    • Provide integrity for deauth and disassoc broadcast frames
    • Protection against forgery & replay
    • Length – 26 (for deauth, disassoc frames) or 16 (other frames in future)
    • Key ID: which key used to compute the MIC
    • Replay: Interpreted as a 128 bit key for deauth, disassoc frames
    • MIC calculated over SA, DA, priority (or ff) & plaintext data of MAC frame

RSN IE: Capabilities field for .11w negotiation
  • MFP Supported
    • Indicates the capability of a device to support .11w
    • Optional
  • MFP Enabled
    • This capability is required for a STA to operate in a BSS
    • Mandatory

Thank you
  • {kaustubh.phanse, gopinath.kn}@airtightnetworks.net
