2. Characteristics of WLANs
• Advantages
Flexibility, Planning, Design, Robustness, Cost, ...
• Disadvantages
QoS, Proprietary Solutions, Frequency Restrictions, Safety And Security
• Design goals of WLANs
Global Operation, Low Power, License-free Operation, Robust
Transmission Technology, Ad-hoc Operation, Transparency To Higher
Layers, ...
• Transmission technologies in WLAN
Infrared
Radio waves
3. IEEE 802.11
• Some wireless security issues:
Radio signals travel through the open air, where they can be
intercepted from outside the premises by individuals who may be on the
move, making them difficult to track down.
Wireless solutions often depend on shared or public infrastructure
over which the organisation has less control and less knowledge of the
security discipline applied.
Rogue access points can jeopardize everything a company spends on
firewalls, access control, and other security software.
War driving poses a significant problem: moving around with a wireless
client to find and map reachable WLANs. The name is derived from war
dialing, the older technique of using a modem to automatically dial every
telephone number in a local area code to search for computers
(Ref: Wikipedia). The two are distinct techniques.
4. Characteristics of WLANs
• Infrastructure vs. ad-hoc networks
[Figure: infrastructure network, in which several APs attached to a wired
network each serve a group of stations, versus an ad-hoc network, in which
stations communicate directly without an AP]
5. Characteristics of WLANs
• Architecture of an infrastructure network
[Figure: two 802.11 LANs, BSS1 (STA1) and BSS2 (STA2, STA3), each with an
Access Point, joined by the Distribution System (DS); a Portal connects the
DS to an 802.x LAN; together they form one ESS]
– Station (STA)
• terminal with access mechanisms to the wireless medium and radio
contact to the access point
– Basic Service Set (BSS)
• group of stations using the same radio frequency
– Access Point (AP)
• station integrated into the wireless LAN and the distribution system
– Portal
• bridge to other (wired) networks
– Distribution System (DS)
• interconnection network to form one logical network
– Extended Service Set (ESS)
• comprised of several BSSs
6. Characteristics of WLANs
• Architecture of an ad-hoc network
[Figure: two independent 802.11 LANs, IBSS1 (STA1, STA2, STA3) and
IBSS2 (STA4, STA5), in which the stations talk to each other directly]
– Direct communication within a limited range
• Station (STA):
– terminal with access mechanisms to the wireless medium
• Independent Basic Service Set (IBSS):
– group of stations using the same radio frequency
8. IEEE 802.11
• IEEE
– Institute of Electrical and Electronics Engineers
• 802.11
– Family of standards set forth by IEEE to define the specifications for
wireless LANs
– Specifications for
• Medium Access Control (MAC)
• Physical Layer (PHY)
• Place within the IEEE 802.x family
– Local, high-speed connectivity for fixed, portable and moving STAs
9. IEEE 802.11
• IEEE 802.11 vs. IEEE 802.3
– Similarity
• Same LLC -> No difference for upper layer protocols
– Differences
• The WLAN medium is open: it cannot be physically confined the way a cable can
• WLAN is exposed to more environmental problems (interference, fading)
• IEEE 802.11 PHY has NO collision detection
» a radio cannot listen while it transmits, and not every station hears
every other station (“Hidden Node Problem”)
10. IEEE 802.11
[Figure: protocol stacks of a mobile terminal, an access point and a host on
the infrastructure network. Mobile terminal: application / TCP / IP / LLC /
802.11 MAC / 802.11 PHY. Access point: LLC on top of 802.11 MAC and PHY on
the wireless side and 802.3 MAC and PHY on the wired side. Fixed host:
application / TCP / IP / LLC / 802.3 MAC / 802.3 PHY. LLC is the same on
both sides, so the layers above it see no difference.]
11. IEEE 802.11
• CSMA Medium Access – “CD” (Ethernet)
– If media is sensed idle, transmit
– If media is sensed busy, wait until idle and then transmit immediately
• If a collision is detected, stop transmitting.
• Reschedule transmission according to an exponential back-off
• CSMA Medium Access – “CA” (802.11)
– Would like to use CSMA but cannot use CD: a radio cannot receive while
it transmits (its own signal swamps the receiver), and collisions happen
at the receiver, which the sender may not be able to hear at all
• Use Collision Avoidance (CA) instead
12. IEEE 802.11
• CSMA/CA – Access Method
• Station ready to send starts sensing the medium (Carrier Sense
based on CCA, Clear Channel Assessment)
• If the medium is free for the duration of an Inter-Frame Space (IFS),
the station can start sending (IFS depends on service type)
• If the medium is busy, the station has to wait for a free IFS, then the
station must additionally wait a random backoff time (collision
avoidance, multiple of slot-time)(Distributed Coordination Function
(DCF))
• Backoff Time = Random () x aSlotTime
• If another station occupies the medium during the backoff time of the
station, the backoff timer is frozen and resumes, with the remaining value,
once the medium has again been free for DIFS (fairness: a waiting station
keeps the credit it has already earned)
13. IEEE 802.11
[Figure: timeline of DCF access. While the medium is busy, a station that
wants to send waits. If the medium has been free for at least DIFS it may
access the medium directly; otherwise it waits DIFS and then counts down a
randomized backoff inside the contention window, in units of the slot time,
before sending the next frame.]
Distributed Co-ordination Function (DCF): DCF employs CSMA/CA with a binary
exponential backoff algorithm.
DCF Interframe Space (DIFS):
DIFS = SIFS + 2 × SlotTime
(SIFS, the Short Interframe Space, is the short interval between a data
frame and its acknowledgment; it is the shortest IFS, so an ACK always gets
the medium before any station still waiting for DIFS.)
14. IEEE 802.11
• Hidden Node Problem
[Figure: STAA and STAC are both within range of STAB but out of range of
each other. Each senses the medium idle while the other is transmitting to
STAB, so their frames collide at STAB without either sender noticing.]
15. IEEE 802.11
• MAC Layer – Access Mechanisms
– Distributed Coordination Function (DCF) with RTS/CTS handshake
• RTS (Request to Send) and CTS (Clear To Send) announce to the
neighbours of sender and receiver that the medium is about to be busy
(collision avoidance) -> CSMA/CA
• Sender A sends RTS, receiver B sends CTS
– Nodes who hear the CTS cannot transmit concurrently with A (red
region): they are in range of B and would collide at B
– Nodes who hear the RTS but not the CTS are out of B's range and could
transmit without disturbing B (green region); note that 802.11 stations
also set their NAV from the RTS, so in practice they defer as well for the
announced duration
– Sender A sends data frame, receiver B sends ACK
– Nodes who hear the ACK can now contend for the medium again
16. IEEE 802.11
802.11 MAC Access Mechanism – RTS/CTS
[Figure: STAA sends an RTS to STAB and STAB answers with a CTS. STAC, which
hears the CTS, is blocked (marked X); STAD and STAx, which hear at most the
RTS, are out of STAB's range.]
17. IEEE 802.11
• DFWMAC - DCF CSMA/CA (Distributed Foundation Wireless MAC)
The Network Allocation Vector (NAV) is the virtual carrier sensing
mechanism used with wireless network protocols. The NAV may be thought of
as a counter, which counts down to zero at a uniform rate. When the counter
is zero, the virtual CS indication is that the medium is idle; when
nonzero, the indication is busy. The medium shall be determined to be busy
when the STA is transmitting.
Short Inter-Frame Space (SIFS) is the shortest of the interframe spaces.
SIFS is used before ACK and CTS frames.
[Figure: RTS/CTS timeline. Sender: waits DIFS, sends RTS, waits SIFS after
the CTS, sends data. Receiver: answers CTS after SIFS, answers ACK after
SIFS. Other stations: set NAV (RTS) when they hear the RTS and NAV (CTS)
when they hear the CTS, defer access until the NAV expires, then wait DIFS
and enter contention for the next data frame.]
» station can send RTS with reservation parameter after waiting for DIFS
(the reservation, carried in the Duration field, states how long the data
exchange needs the medium)
» acknowledgement via CTS after SIFS by receiver (if ready to receive)
» sender can now send data at once, acknowledged via ACK after SIFS
» other stations store the medium reservations distributed via RTS and
CTS in their NAV
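The access method of slide 12 and the RTS/CTS reservation of slide 17, as a small slot-level model. This is an added example, not code from the slides: the timing constants are the 802.11b DSSS values, the frame air times (RTS_US, CTS_US, ACK_US, the default data_us) are assumed approximations, and the station count and traffic are made up. It shows the backoff counter being frozen while another station holds the medium, the contention window doubling after a collision, and why a collision of two RTS frames costs far less air time than a collision of two data frames.

```python
"""Slot-level model of 802.11 DCF: carrier sense, DIFS, random backoff with
a frozen counter, binary exponential backoff after a collision, and an
RTS/CTS reservation that the other stations store in their NAV.  Added
example; timing constants are the 802.11b DSSS values, the frame durations
are assumed approximations, and the traffic pattern is made up."""
import random

SLOT_US = 20                 # aSlotTime, 802.11b DSSS
SIFS_US = 10
CW_MIN, CW_MAX = 31, 1023    # contention window bounds (in slots)
# Assumed air times at the base rate, PLCP preamble/header included.
RTS_US, CTS_US, ACK_US = 352, 304, 304


def difs_us(sifs=SIFS_US, slot=SLOT_US):
    """DIFS = SIFS + 2 * aSlotTime (50 us for 802.11b)."""
    return sifs + 2 * slot


def next_cw(cw):
    """Binary exponential backoff: CW_new = 2 * CW + 1, capped at CW_MAX."""
    return min(2 * cw + 1, CW_MAX)


def nav_from_rts(data_us, cts_us=CTS_US, ack_us=ACK_US, sifs=SIFS_US):
    """Duration field carried by an RTS: the rest of the exchange after the
    RTS, i.e. SIFS + CTS + SIFS + DATA + SIFS + ACK.  Stations that hear the
    RTS load this into their NAV and treat the medium as busy until it expires."""
    return sifs + cts_us + sifs + data_us + sifs + ack_us


class Station:
    def __init__(self, name, frames, rng):
        self.name, self.pending, self.rng = name, frames, rng
        self.cw = CW_MIN
        self.backoff = self.rng.randint(0, self.cw)   # idle slots still to count down

    def reschedule(self, collided):
        self.cw = next_cw(self.cw) if collided else CW_MIN
        self.backoff = self.rng.randint(0, self.cw)


def simulate(n_stations=3, frames_per_station=5, data_us=1283, seed=1):
    """Run until every station has delivered its frames; return counters."""
    rng = random.Random(seed)
    stations = [Station(f"STA{i}", frames_per_station, rng) for i in range(n_stations)]
    stats = {"successes": 0, "collisions": 0, "idle_slots": 0, "time_us": difs_us()}
    while any(s.pending for s in stations):
        contenders = [s for s in stations if s.pending]
        ready = [s for s in contenders if s.backoff == 0]
        if not ready:
            # medium idle for a slot: every contender counts one slot off its backoff
            for s in contenders:
                s.backoff -= 1
            stats["idle_slots"] += 1
            stats["time_us"] += SLOT_US
            continue
        if len(ready) == 1:
            # one winner: RTS, CTS, DATA, ACK.  The other contenders keep their
            # remaining backoff frozen; they are not decremented in this round.
            winner = ready[0]
            stats["time_us"] += RTS_US + nav_from_rts(data_us)
            stats["successes"] += 1
            winner.pending -= 1
            winner.reschedule(collided=False)
        else:
            # several RTSs overlap: no CTS comes back, so the collision costs
            # only an RTS plus the CTS timeout, not a whole data frame
            stats["time_us"] += RTS_US + SIFS_US + CTS_US
            stats["collisions"] += 1
            for s in ready:
                s.reschedule(collided=True)
        stats["time_us"] += difs_us()   # everyone waits DIFS before the next slot
    return stats


if __name__ == "__main__":
    for n in (2, 5, 10):
        print(n, "stations:", simulate(n_stations=n, frames_per_station=10))
```

Raising the station count shows the collision counter and the idle slots growing together: more contenders means more overlapping backoff draws, and the doubled contention windows that follow mean more empty slots before the next winner.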
18. IEEE 802.11
• MAC Frames
– Types
• control frames, management frames, data frames
– Sequence numbers
• important against duplicated frames due to lost ACKs
– Addresses
• receiver, transmitter (physical), BSS identifier, sender
(logical)
– Miscellaneous
• sending time, checksum, frame control, data
19. IEEE 802.11
• MAC Frames: MAC Protocol Data Unit (MPDU) format
MPDU fields:
MAC control: contains any protocol control information
Destination MAC address
Source MAC address
MAC Service Data Unit (MSDU): the data from the next higher layer
CRC: Cyclic Redundancy Check, also known as the Frame Check Sequence (FCS)
field
802.11 MAC frame carried inside the PHY frame (field lengths in bytes):
Frame Control 2 | Duration/ID 2 | Address 1 6 | Address 2 6 | Address 3 6 |
Sequence Control 2 | Address 4 6 | Data 0-2312 | CRC 4
Frame Control field (lengths in bits):
Protocol version 2 | Type 2 | Subtype 4 | To DS 1 | From DS 1 | More Frag 1 |
Retry 1 | Power Mgmt 1 | More Data 1 | WEP 1 | Order 1
20. IEEE 802.11
• Valid MAC Address Formats
Function    To DS  From DS  Address 1  Address 2  Address 3  Address 4
Ad-hoc      0      0        DA         SA         BSSID      -
From AP     0      1        DA         BSSID      SA         -
To AP       1      0        BSSID      SA         DA         -
Within DS   1      1        RA         TA         DA         SA
(DA/SA: final destination and original source; RA/TA: receiver and
transmitter of the current hop, needed when one AP forwards a frame to
another AP across the DS)
Service Set Identifier (SSID) is the name of a WLAN
Basic Service Set (BSS):
• In infrastructure mode, a single AP together with all associated STAs
is called a BSS
• In ad hoc mode a set of synchronized stations, one of which acts as master,
forms a BSS (an IBSS)
• The most basic BSS consists of one access point and one station
Basic Service Set Identifier (BSSID):
• Uniquely identifies each BSS
• In infrastructure mode the BSSID is the MAC address of the wireless
access point (WAP); in an IBSS it is a locally administered random address
chosen by the station that starts the IBSS
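The MPDU layout of slide 19 and the address table above, as a parser. This is an added example and not code from the slides: it decodes the Frame Control bits, the Duration/ID field, the Sequence Control field and labels Address 1 to 4 as DA/SA/BSSID or RA/TA from the To DS / From DS combination, and it also handles the shorter control-frame headers (RTS: RA and TA; CTS/ACK: RA only). The three sample frames at the bottom, and the MAC addresses in them, are constructed for the demo.

```python
"""Parser for the IEEE 802.11 MAC header: Frame Control bits, Duration/ID,
Address 1-4 and Sequence Control, with the address fields labelled DA/SA/
BSSID/RA/TA according to the To DS / From DS table.  Added example; the
sample frames and addresses at the bottom are constructed."""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}

# (To DS, From DS) -> roles of Address 1, 2, 3 (and 4) for data/management frames
ADDRESS_ROLES = {
    (False, False): ("DA", "SA", "BSSID"),        # ad hoc, and all management frames
    (False, True):  ("DA", "BSSID", "SA"),        # from AP to station
    (True, False):  ("BSSID", "SA", "DA"),        # station to AP
    (True, True):   ("RA", "TA", "DA", "SA"),     # AP to AP across the DS (WDS)
}
# Control frames carry fewer addresses: RTS has RA and TA, CTS and ACK only RA.
CONTROL_ROLES = {0xB: ("RA", "TA"), 0xC: ("RA",), 0xD: ("RA",)}

TO_DS, FROM_DS, MORE_FRAG, RETRY = 0x01, 0x02, 0x04, 0x08
PWR_MGMT, MORE_DATA, PROTECTED, ORDER = 0x10, 0x20, 0x40, 0x80


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame):
    """Return the header fields of `frame` (bytes) as a dict."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest MAC header (CTS/ACK)")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both little-endian
    flags = fc >> 8
    to_ds, from_ds = bool(flags & TO_DS), bool(flags & FROM_DS)
    h = {
        "version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,                   # NAV reservation in us (AID in a PS-Poll)
        "to_ds": to_ds, "from_ds": from_ds,
        "more_frag": bool(flags & MORE_FRAG), "retry": bool(flags & RETRY),
        "pwr_mgmt": bool(flags & PWR_MGMT), "more_data": bool(flags & MORE_DATA),
        "protected": bool(flags & PROTECTED),   # the "WEP" bit of the 1999 spec
        "order": bool(flags & ORDER),
        "addr": {},
    }
    h["type_name"] = TYPE_NAMES.get(h["type"], "reserved")
    if h["type"] == 1:
        roles = CONTROL_ROLES.get(h["subtype"])
        if roles is None:
            raise ValueError(f"control subtype {h['subtype']:#x} not handled here")
        h["header_len"] = 4 + 6 * len(roles)
    else:
        roles = ADDRESS_ROLES[(to_ds, from_ds)]
        h["header_len"] = 30 if len(roles) == 4 else 24
    if len(frame) < h["header_len"]:
        raise ValueError("truncated header")
    for i, role in enumerate(roles[:3]):
        h["addr"][role] = mac_str(frame[4 + 6 * i:10 + 6 * i])
    if h["type"] != 1:
        seq_ctl, = struct.unpack_from("<H", frame, 22)
        h["frag"], h["seq"] = seq_ctl & 0xF, seq_ctl >> 4
        if len(roles) == 4:
            h["addr"][roles[3]] = mac_str(frame[24:30])
    return h


def build_frame(ftype, subtype, flags, addrs, seq=0, duration=0, body=b""):
    """Assemble a management/data frame for the demo (constructed input)."""
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    hdr = struct.pack("<HH", fc, duration) + b"".join(addrs[:3]) + struct.pack("<H", seq << 4)
    if len(addrs) == 4:
        hdr += addrs[3]
    return hdr + body


AP1 = bytes.fromhex("001122334455")      # BSSID of the serving AP (constructed)
AP2 = bytes.fromhex("001122334466")      # a second AP reachable over the DS
STA = bytes.fromhex("aabbccddee01")
SERVER = bytes.fromhex("001122334499")   # a host on the wired side
# Station -> AP data frame, WEP/Protected bit set, sequence number 5
TO_AP_FRAME = build_frame(2, 0, TO_DS | PROTECTED, [AP1, STA, SERVER], seq=5, duration=44, body=bytes(8))
# AP -> AP frame across the DS: four addresses
WDS_FRAME = build_frame(2, 0, TO_DS | FROM_DS, [AP2, AP1, SERVER, STA], seq=9)
# RTS from the station to the AP, reserving 1921 us
RTS_FRAME = struct.pack("<HH", (1 << 2) | (0xB << 4), 1921) + AP1 + STA

if __name__ == "__main__":
    for name, frame in (("to-AP", TO_AP_FRAME), ("WDS", WDS_FRAME), ("RTS", RTS_FRAME)):
        h = parse_header(frame)
        print(name, h["type_name"], h["addr"], "protected" if h["protected"] else "")
```

The Duration field is what other stations copy into their NAV, and the Protected bit is the only header-level indication that the body is WEP (or, today, TKIP/CCMP) encrypted; a monitor that wants to spot unencrypted data frames on a network that claims to use WEP only needs this parser and that one bit.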
22. IEEE 802.11
• MAC Management
– Synchronization
• try to find a LAN, try to stay within a LAN
• timer etc.
– Power management
• sleep-mode without missing a message
• periodic sleep, frame buffering, traffic measurements
– Association/Reassociation
• integration into a LAN
• roaming, i.e. change networks by changing access points
• scanning, i.e. active search for a network
– MIB - Management Information Base
• managing, read, write
23. IEEE 802.11
• Synchronization
[Figure, infrastructure network: the access point sends a beacon frame (B)
once per beacon interval. If the medium is busy at the scheduled moment the
beacon is delayed until the medium is free, but the beacon interval itself
is not shifted. Each beacon carries the AP's timestamp.]
[Figure, ad-hoc network: in every beacon interval each station waits a
random delay and then sends its own beacon (B1 from station1, B2 from
station2) unless it hears another station's beacon first; the beacon carries
the sender's timestamp.]
24. IEEE 802.11
• MAC Power Management
– Idea: switch the transceiver off if not needed
– States of a station: sleep and awake
– Timing Synchronization Function (TSF)
• stations wake up at the same time
– Infrastructure
• Traffic Indication Map (TIM)
– list of unicast receivers transmitted by AP
• Delivery Traffic Indication Map (DTIM)
– list of broadcast/multicast receivers transmitted by AP
– Ad-hoc
• Ad-hoc Traffic Indication Map (ATIM)
– announcement of receivers by stations buffering frames
– more complicated as there is no central AP
– collision of ATIMs possible (scalability?)
25. IEEE 802.11
• Power-saving with wake-up pattern
[Figure, infrastructure network: the access point sends a TIM (T) every TIM
interval and a DTIM (D) every DTIM interval; broadcast/multicast data (B)
follows the DTIM. A station in power-save mode (p) wakes up for the
TIM/DTIM, sends a poll when the TIM lists it, exchanges its data (d) with
the AP, and goes back to sleep.]
26. IEEE 802.11
• Roaming
– No or bad connection? Then perform:
– Scanning
• scan the environment, i.e., listen into the medium for beacon signals or send
probes into the medium and wait for an answer
– Reassociation Request
• station sends a request to one or several APs
– Reassociation Response
• success: AP has answered, station can now participate
• failure: continue scanning
– AP accepts Reassociation Request
• signal the new station to the DS
• the DS updates its database (i.e., location information)
• typically, the DS now informs the old AP so it can release resources
27. IEEE 802.11
• IEEE 802.11b
• Connection set-up time
– Connectionless/always on
• Data rate
– 1, 2, 5.5, 11 Mbit/s, depending on SNR
– User data rate max. approx. 6 Mbit/s
• Transmission range
– 300 m outdoor, 30 m indoor
– Max. data rate only within ~10 m indoor
• Frequency
– License-free 2.4 GHz ISM band
• Security
– Limited: WEP insecure, SSID gives no protection
• Cost
– 100 € adapter, 250 € base station, dropping
• Availability
– Many products, many vendors
• Quality of Service
– Typically best effort, no guarantees (unless polling is used; limited
support in products)
• Manageability
– Limited (no automated key distribution, symmetric encryption only)
• Advantages/Disadvantages
– Advantage: many installed systems, lot of experience, available
worldwide, free ISM band, many vendors, integrated in laptops, simple system
– Disadvantage: heavy interference on ISM band, no service guarantees,
slow relative speed only
28. IEEE 802.11
• IEEE 802.11a
• Connection set-up time
– Connectionless/always on
• Data rate
– 6, 9, 12, 18, 24, 36, 48, 54 Mbit/s, depending on SNR
– User throughput (1500 byte packets): 5.3 (6), 18 (24), 24 (36), 32 (54) Mbit/s
– 6, 12, 24 Mbit/s mandatory
• Transmission range
– 100 m outdoor, 10 m indoor
• Frequency
– License-free 5.15-5.25, 5.25-5.35 and 5.725-5.825 GHz bands (the U-NII
bands; only the upper one is also an ISM band)
• Security
– Limited: WEP insecure, SSID gives no protection
• Cost
– 280 € adapter, 500 € base station
• Availability
– Some products, some vendors
• Quality of Service
– Typically best effort, no guarantees (same as all 802.11 products)
• Manageability
– Limited (no automated key distribution, symmetric encryption only)
• Advantages/Disadvantages
– Advantage: fits into 802.x standards, license-free band, available,
simple system, uses less crowded 5 GHz band
– Disadvantage: stronger shading due to higher frequency, no QoS
29. IEEE 802.11
• Other IEEE 802.11 flavors
– 802.11d: Regulatory Domain Update
– 802.11e: MAC Enhancements – QoS
• Enhance the current 802.11 MAC to expand support for applications with
Quality of Service requirements, and in the capabilities and efficiency of the
protocol.
– 802.11f: Inter-Access Point Protocol
• Establish an Inter-Access Point Protocol for data exchange via the distribution
system.
– 802.11g: Data Rates > 20 Mbit/s at 2.4 GHz; 54 Mbit/s, OFDM
– 802.11h: Spectrum Managed 802.11a (DCS, TPC)
– 802.11i: Enhanced Security Mechanisms
• Enhance the current 802.11 MAC to provide improvements in security.
– Study Groups
• Radio Resource Measurements
• High Throughput
30. WLAN Security
• General Methods
MAC Filter
SSID Cloaking
WEP
• General Attacks
31. MAC Filter
• Filter authorized devices based on MAC address
(the network card's physical address)
• It is easy to spoof MAC addresses
The address is only 48 bits (12 hex digits) long and is sent in clear in
every frame
It is easy to eavesdrop on a WLAN, list the active (i.e. authorized) hosts
and configure one's own card to use one of their addresses
32. SSID Cloaking
• Every WLAN has an associated SSID (network name)
• With SSID cloaking the access point does not advertise its SSID
• The AP still sends beacons, but with an empty (zero-length) SSID field
• Clients must then probe for the network by name (active scanning); the
probe requests, probe responses and association requests carry the SSID in
clear, so a listener learns it as soon as a client connects
• This will NOT give you a hidden WLAN; it also makes the clients announce
the "hidden" name wherever they go
33. Wired Equivalent Privacy (WEP)
• Uses a 64-bit key (some vendors use a 128-bit key, i.e. a 104-bit
secret, but this was not standardised)
• Uses a data integrity checksum called the Integrity Check Value (ICV),
a CRC-32 over the plaintext
• Uses an Initialization Vector (IV) of 24 bits, sent in clear with
every frame
• The 64-bit RC4 key is the combination of the IV (24 bits) and a static
key (40 bits):
24-bit IV | 40-bit static key
34. WEP Weakness
• IV collision attack
The IV is sent in clear and should differ in every frame, but with only
24 bits it must eventually repeat: the IV space is exhausted after about
16.8 million frames, and with randomly chosen IVs a repeat is expected
after only a few thousand. Two frames with the same IV are encrypted with
the same RC4 keystream, so their XOR is the XOR of the plaintexts; with one
known plaintext a cracker recovers the keystream and decrypts every other
frame sent under that IV
• Weak key attack
Some IVs produce "weak" RC4 keys whose first keystream bytes leak bytes of
the secret key, which makes recovering the key easy (Fluhrer, Mantin and
Shamir)
• Re-injection attack
A cracker uses tools to inject captured packets, provoking replies and so
accelerating the collection of frames with weak IVs
• Bit-flipping attack
The ICV is a linear CRC-32 encrypted with the same keystream as the data,
so a cracker can flip bits in an encrypted packet and fix up the ICV
without knowing the key
With a combination of the first three, existing tools can crack a
"secure" WEP network in about 5 minutes
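The IV collision and bit-flipping weaknesses above, worked through on a toy WEP implementation. This is an added example, not code from the slides or any real driver: RC4, the IV || key construction and the CRC-32 ICV follow WEP, but the 40-bit key, the IVs and the two messages are constructed, and the RC4 routine is included only to keep the demo self-contained. The first part recovers the keystream of one IV from a frame with guessable content and reads a second frame sent under the same IV; the second part changes "0100" to "9100" inside an encrypted frame and patches the encrypted ICV, so the receiver's ICV check still passes. A birthday-bound helper puts a number on the "eventually repeats" claim.

```python
"""Toy WEP on constructed data: RC4(IV || key) keystream XORed over
plaintext || CRC-32 ICV, with the IV sent in clear.  Added example showing
two of the weaknesses listed above: (1) an IV collision lets an attacker
who knows one plaintext decrypt any other frame sent under the same IV,
(2) the linear CRC-32 ICV lets an attacker change bits of an encrypted
frame and fix the ICV without knowing the key.  Key, IVs and messages are
made up; RC4 is included only to keep the demo self-contained."""
import math
import struct
import zlib

IV_BITS = 24


def rc4(key):
    """Generator yielding the RC4 keystream for `key` (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(iv, key, n):
    """WEP's per-frame RC4 key is simply IV || static key."""
    gen = rc4(iv + key)
    return bytes(next(gen) for _ in range(n))


def icv(data):
    """Integrity Check Value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data))


def wep_encrypt(iv, key, plaintext):
    body = plaintext + icv(plaintext)
    return iv + xor(body, keystream(iv, key, len(body)))   # IV travels in clear


def wep_decrypt(key, frame):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, keystream(iv, key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    if icv(pt) != tag:
        raise ValueError("ICV mismatch")
    return pt


def recover_keystream(frame, known_plaintext):
    """IV collision, step 1: ciphertext XOR known plaintext (plus its ICV)
    gives the keystream bytes used under this IV."""
    body = known_plaintext + icv(known_plaintext)
    return frame[:3], xor(frame[3:], body)


def decrypt_with_keystream(frame, ks):
    """IV collision, step 2: any other frame under the same IV falls to the
    recovered keystream (as far as it reaches); no key needed."""
    return xor(frame[3:], ks)[:-4]


def flip_bits(frame, offset, old, new):
    """Bit-flipping: replace `old` by `new` at plaintext `offset` of an
    encrypted frame.  CRC-32 is affine, crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0),
    so the encrypted ICV can be patched without the key."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    delta = bytearray(n)
    delta[offset:offset + len(old)] = xor(old, new)
    delta_icv = struct.pack("<I", zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(n)))
    return iv + xor(ct, bytes(delta) + delta_icv)


def frames_until_iv_repeat(probability=0.5):
    """Birthday bound: frames after which a random 24-bit IV has repeated
    with the given probability (a few thousand, not 16 million)."""
    return int(math.sqrt(2 * 2 ** IV_BITS * math.log(1 / (1 - probability))))


KEY = b"\x01\x02\x03\x04\x05"            # 40-bit static key (constructed)
IV = b"\x00\x00\x01"
KNOWN = b"ARP who-has 10.0.0.1 tell"     # a frame whose content the attacker can guess
SECRET = b"transfer 0100 EUR to 42"

if __name__ == "__main__":
    f1, f2 = wep_encrypt(IV, KEY, KNOWN), wep_encrypt(IV, KEY, SECRET)
    _, ks = recover_keystream(f1, KNOWN)
    print("decrypted via IV collision:", decrypt_with_keystream(f2, ks))
    forged = flip_bits(f2, 9, b"0", b"9")
    print("forged frame decrypts to:", wep_decrypt(KEY, forged))
    print("frames until an IV repeats (p=0.5):", frames_until_iv_repeat())
```

Neither attack touches the key: the first needs only two frames with the same IV, the second only one captured frame and a guess of where the interesting bytes sit. That is why dynamic re-keying (next slide) helps against keystream recovery but does nothing about the CRC-32 ICV; only a keyed integrity check, as in TKIP's Michael or CCMP, removes the bit-flipping problem.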
35. Dynamic WEP Encryption
• Because of the weaknesses of static WEP, dynamic WEP was introduced
• Dynamic WEP changes the encryption key (re-keying) automatically, often
enough that it becomes harder (though not impossible) for a cracker to
gather enough frames under one key to recover that key
• Can be configured and implemented in many ways
Per-user keys
Per-frame keys
36. Wi-Fi Protected Access - WPA
• Introduced by the Wi-Fi Alliance in 2003 as a successor to WEP, to cover
the flaws within WEP
• WPA became a standard before the IEEE standard 802.11i was released (it
is based on a draft of 802.11i)
• Supports TKIP/RC4 dynamic encryption
Authentication using either of
– 802.1X/EAP for Enterprise
– Pre-shared key for SOHO
Link securing using dynamic keys
– Per-link
– Per-frame
37. WPA2
• When 802.11i was ratified (2004) the WPA2 certification became a more
complete implementation of 802.11i
• Supports both CCMP/AES and TKIP/RC4 (CCMP is the mandatory, recommended
cipher)
802.1X/EAP for Enterprise
Pre-shared key for SOHO
38. Wireless Attacks
• Rogue Access Point
A Wi-Fi access point is installed by a clueless user on the network
Uncontrolled and unmonitored
Provides an open hole for drive-by hackers into the internal network
• Peer-to-Peer Attacks
Due to poorly configured endpoints (hosts), two hosts can connect to each
other directly; no central security policy applies to such a link, so they
get full access to each other's services
• Wireless Hijacking - Man-in-the-middle attack
A cracker uses his computer as an AP and fools users into connecting to it
instead of the real AP
The cracker can see all data
• Eavesdropping
Everything sent on a wireless network can be intercepted by anyone
within range
– Wardriving
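A detection pass for the rogue access point and hijacking cases above, which also makes the point of slide 32 (SSID cloaking) concrete. This is an added example and not code from the slides: it runs over a constructed list of records in the shape a passive scanner would report for beacons, probe requests and probe responses, against a constructed inventory of sanctioned APs and an assumed corporate vendor OUI. It flags APs missing from the inventory, unsanctioned APs that advertise the corporate SSID (evil twins, the basis of wireless hijacking), open networks, APs built from company-bought hardware, and it resolves the name of a "cloaked" AP from the probe traffic its own clients generate.

```python
"""Detection pass over scanner-style records of 802.11 management frames:
flags APs not in the inventory, evil twins of the corporate SSID, open
networks, and resolves a "cloaked" SSID from probe traffic.  Added example;
the inventory, the vendor prefix and the observed frames are constructed."""
from collections import defaultdict

# Inventory of sanctioned APs: BSSID -> SSID it is allowed to advertise (constructed).
AUTHORIZED = {
    "00:11:22:33:44:55": "CorpNet",
    "00:11:22:33:44:66": "CorpNet",
}
CORP_OUI = {"00:11:22"}   # assumed vendor prefix of company-bought APs

# What a passive scanner might report over a few seconds (constructed).
OBSERVED = [
    {"frame": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CorpNet", "privacy": True},
    {"frame": "beacon", "bssid": "aa:bb:cc:00:00:01", "ssid": "CorpNet", "privacy": False},
    {"frame": "beacon", "bssid": "00:11:22:33:44:77", "ssid": "", "privacy": True},
    {"frame": "probe_req", "src": "de:ad:be:ef:00:01", "ssid": "Lab-Private"},
    {"frame": "probe_resp", "bssid": "00:11:22:33:44:77", "ssid": "Lab-Private", "privacy": True},
    {"frame": "beacon", "bssid": "66:55:44:33:22:11", "ssid": "linksys", "privacy": False},
    {"frame": "probe_req", "src": "de:ad:be:ef:00:02", "ssid": "CorpNet"},
]


def analyze(frames, authorized, corp_oui):
    corp_ssids = set(authorized.values())
    findings = {
        "rogue_aps": {},          # BSSID -> list of reasons
        "evil_twins": set(),      # unsanctioned BSSIDs advertising a corporate SSID
        "open_networks": set(),   # no Privacy bit: traffic readable by anyone in range
        "cloaked": set(),         # BSSIDs seen beaconing with an empty SSID
        "revealed_ssids": {},     # cloaked BSSID -> SSID learned from a probe response
        "probing_clients": defaultdict(set),   # client -> SSIDs it asks for in clear
    }

    def flag(bssid, reason):
        reasons = findings["rogue_aps"].setdefault(bssid, [])
        if reason not in reasons:
            reasons.append(reason)

    for f in frames:
        if f["frame"] == "probe_req":
            if f["ssid"]:   # directed probe: the client names the network it wants
                findings["probing_clients"][f["src"]].add(f["ssid"])
            continue
        bssid, ssid = f["bssid"], f["ssid"]
        if f["frame"] == "beacon" and ssid == "":
            findings["cloaked"].add(bssid)
        if f["frame"] == "probe_resp" and ssid:
            findings["revealed_ssids"].setdefault(bssid, ssid)
        if not f["privacy"]:
            findings["open_networks"].add(bssid)
        if bssid in authorized:
            if ssid and ssid != authorized[bssid]:
                flag(bssid, f"unexpected SSID {ssid!r}")
            continue
        flag(bssid, "not in inventory")
        if ssid in corp_ssids:
            findings["evil_twins"].add(bssid)
            flag(bssid, "advertises corporate SSID")
        if bssid[:8] in corp_oui:
            flag(bssid, "corporate vendor OUI")   # likely company hardware on the LAN
    # keep only the cloaked APs whose name actually leaked
    findings["revealed_ssids"] = {b: s for b, s in findings["revealed_ssids"].items()
                                  if b in findings["cloaked"]}
    findings["probing_clients"] = dict(findings["probing_clients"])
    return findings


if __name__ == "__main__":
    for key, value in analyze(OBSERVED, AUTHORIZED, CORP_OUI).items():
        print(f"{key}: {value}")
```

The probing_clients map is worth watching on its own: a client asking for "CorpNet" by name can be answered by any AP, which is exactly what the evil twin at aa:bb:cc:00:00:01 is waiting for.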
40. HIPERLAN
• ETSI standard
– European standard, cf. GSM, DECT, ...
– Enhancement of local Networks and interworking with
fixed networks
– integration of time-sensitive services from the early
beginning
• HIPERLAN (HIgh PErformance Radio LAN)
family of standards
– one standard cannot satisfy all requirements
• range, bandwidth, QoS support
• commercial constraints
– HIPERLAN 1 standardized since 1996 – no products!
2007-12-17 [ET2405 - WLAN] Doru Constantinescu
ET2437 - Network Security
FREDRIK ERLANDSSON
41. HIPERLAN
• HIPERLAN Standardization Scope
[Figure: layer comparison. OSI layers: network layer / data link layer /
physical layer. IEEE 802.11 layers: higher layers / logical link control
layer / medium access control layer / physical layer. HIPERLAN layers:
higher layers / medium access control layer / channel access control layer
/ physical layer.]
42. HIPERLAN
• HIPERLAN family – An Overview
                    HIPERLAN 1          HIPERLAN 2              HIPERLAN 3            HIPERLAN 4
Application         wireless LAN        access to ATM fixed     wireless local loop   point-to-point
                                        networks                                      wireless ATM
Frequency           5.1 – 5.3 GHz       5.1 – 5.3 GHz           17.2 – 17.3 GHz       17.2 – 17.3 GHz
Topology            decentralized,      cellular, centralized   point-to-multipoint   point-to-point
                    ad-hoc/infrastr.
Antenna             omni-directional    omni-directional        directional           directional
Range               50 m                50 – 100 m              5000 m                150 m
QoS                 statistical         ATM traffic classes (VBR, CBR, ABR, UBR)
Mobility            < 10 m/s            < 10 m/s                stationary            stationary
Interface           conventional LAN    ATM networks            ATM networks          ATM networks
Data rate           23.5 Mbit/s         > 20 Mbit/s             155 Mbit/s            155 Mbit/s
Power conservation  yes                 yes                     not necessary         not necessary
43. HIPERLAN
• HIPERLAN/2
– short range (< 200 m), indoor/campus, 25 Mbit/s user data rate
– access to telecommunication systems, multimedia applications, mobility
(< 10 m/s)
• HIPERACCESS
– wider range (< 5 km), outdoor, 25 Mbit/s user data rate
– fixed radio links to customers (“last mile”), alternative to xDSL or cable
modem, quick installation
– Several (proprietary) products exist with 155 Mbit/s plus QoS
• HIPERLINK – currently no activities
– intermediate link, 155 Mbit/s
– connection of HIPERLAN access points or connection between
HIPERACCESS nodes
44. HIPERLAN
• HiperLAN2
– Official name: BRAN HIPERLAN Type 2
• H/2, HIPERLAN/2 also used
– High data rates for users
• More efficient than 802.11a
– Connection oriented
– QoS support
– Dynamic Frequency Selection (DFS)
– Security support
• Strong encryption/authentication
– Mobility support
– Network and application independent
• convergence layers for Ethernet, IEEE 1394, ATM, 3G
– Power save modes
– Plug and Play
46. HIPERLAN
• HiperLAN2 - Centralized vs. Direct mode
[Figure, three panels. Centralized mode: all control and data between MT1
and MT2 pass through the AP. Direct mode with an AP/CC: control still goes
via the AP/CC, but MT1 and MT2 exchange data directly. Direct mode without
an AP: one mobile terminal (MT2 + CC) takes over the central controller
role for the control traffic while data flows directly between MT1 and MT2.]
47. HIPERLAN
• Protocol stack in HiperLAN2 (in AP)
[Figure: the convergence layer offers a control SAP (DLC control) and a user
SAP (DLC user) to the higher layers. The data link control layer below it
consists of the radio link control sublayer (association control, radio
resource control, DLC connection control) and the DLC basic data transport
function (error control), both on top of the medium access control, which
sits on the physical layer. Only the convergence layer and the layers below
it are within the scope of the HiperLAN2 standards.]
48. HIPERLAN
• HiperLAN2 MAC Frames
[Figure: a sequence of MAC frames of 2 ms each (TDD, 500 OFDM symbols per
frame). Each MAC frame consists of a broadcast phase, a downlink phase, an
uplink phase and a random access phase; the lengths of the phases are
variable.]
49. HIPERLAN
• HiperLAN2 – DLC
– Six transport channels for data transfers in the different phases
• Broadcast channel (BCH) – 15 bytes
• Frame channel (FCH) – multiple 27 bytes
• Access feedback channel (ACH) – 9 bytes
• Long transport channel (LCH) – 54 bytes
• Short transport channel (SCH) – 9 bytes
• Random channel (RCH) – 9 bytes
50. HIPERLAN
• Valid configuration of MAC frames
[Figure: MAC frames of 2 ms each, divided into broadcast, downlink, uplink
and random access parts]
Valid combinations of MAC frames for a single sector AP (BCH, FCH and ACH
are always present, followed by any subset of the DL, DiL and UL phases in
that order, followed by the RCHs):
BCH FCH ACH DL phase DiL phase UL phase RCHs
BCH FCH ACH DiL phase UL phase RCHs
BCH FCH ACH DL phase UL phase RCHs
BCH FCH ACH UL phase RCHs
BCH FCH ACH DL phase DiL phase RCHs
BCH FCH ACH DiL phase RCHs
BCH FCH ACH DL phase RCHs
BCH FCH ACH RCHs
51. Summary
• All WLANs suffer from limitations but allow for a new
degree of freedom for their users
• Standards ensure interoperability!
– The Wi-Fi Alliance (formerly WECA) certifies interoperability of 802.11
products
• HiperLAN2 comprises many interesting features but no
products are available yet
• Technologies that might influence WLANs
– Wireless Sensor Networks
– Radio Frequency Identification (RFID)
– Ultra Wide Band Technology (UWB)
• Most likely the typical mobile devices of tomorrow will
comprise several technologies
52. Overlay Networks – Global goal
Integration of heterogeneous fixed and mobile
networks with varying transmission characteristics
[Figure: nested coverage areas, from campus-based through metropolitan area
to regional networks. Moving between cells of the same layer is a horizontal
handover; moving between layers (technologies) is a vertical handover.]
53. References
• http://www.ieee802.org/11
• http://grouper.ieee.org/groups/802/11/Reports
• http://www.csrc.nist.gov/encryption/aes
• http://www.hiperlan2.com
• http://www.etsi.org
• IEEE, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY)
Specifications”, IEEE Std 802.11, IEEE (1999)
• ETSI, “Radio Equipment and Systems (RES); High Performance Radio Local
Area Network (HIPERLAN) Type 1; Functional Specification”, European
Telecommunication Standard ETS 300 652, ETSI (1996)
• Jochen Schiller, “Mobile Communications”, 2nd edition, Addison-Wesley,
2003