Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC Cisco Fundamentals of Wireless LANs version 1.1 Rick Graziani Cabrillo College Spring 2005


Page 1: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

Cisco Fundamentals of Wireless LANs version 1.1

Rick Graziani

Cabrillo College

Spring 2005

Page 2: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

Rick Graziani [email protected] 2

802.11 Overview and MAC Layer

Part 1 – 802.11 MAC and Cisco Client Adapters (Separate Presentation)

• 2.1 Online Curriculum
  – 802.11 Standards

• Overview of WLAN Topologies
  – IBSS
  – BSS
  – ESS
  – Access Points

• 802.11 Medium Access Mechanisms
  – DCF Operations
  – Hidden Node Problem
  – RTS/CTS
  – Frame Fragmentation

• 2.4 – 2.6 Online Curriculum
  – Client Adapters
  – Aironet Client Utility (ACU)
  – ACU Monitoring and Troubleshooting Tools

Part 2 – 802.11 MAC

• 802.11 Data Frames and Addressing

• 802.11 MAC Layer Operations
  – Station Connectivity
  – Power Save Operations
  – 802.11 Frame Formats

• Non-standard devices (Brief)

Page 3: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Recommended Reading and Sources for this Presentation

• To understand WLANs it is important to understand the 802.11 protocols and their operations.

• These two books do an excellent job of presenting this information and are used throughout this and other presentations.

Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, ISBN: 0596001835

Pejman Roshan and Jonathan Leary, 802.11 Wireless LAN Fundamentals, ISBN: 1587050773

Page 4: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Acknowledgements

• Thanks to Pejman Roshan and Jonathan Leary at Cisco Systems, authors of 802.11 Wireless LAN Fundamentals for allowing me to use their graphics and examples for this presentation.

• Also thanks to Matthew Gast, author of 802.11 Wireless Networks, The Definitive Guide, for allowing me to use his graphics and examples for this presentation.

Page 5: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 Frames – This isn’t Ethernet!

802.11 Frames

• Data Frames (most are PCF)

– Data

– Null data

– Data+CF-Ack

– Data+CF-Poll

– Data+CF-Ack+CF-Poll

– CF-Ack

– CF-Poll

– CF-Ack+CF-Poll

• Control Frames

– RTS

– CTS

– ACK

– CF-End

– CF-End+CF-Ack

• Management Frames

– Beacon

– Probe Request

– Probe Response

– Authentication

– Deauthentication

– Association Request

– Association Response

– Reassociation Request

– Reassociation Response

– Disassociation

– Announcement Traffic Indication

Page 6: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

802.11 Data Frames and Addressing

It helps to understand this because it does not depend on the 802.11 Physical layer.

Page 7: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Ethernet MAC Addressing

Figure: Distribution System (DS) linking Access Point 1 and Access Point 2; wireless hosts A, B, C, D and wired hosts X, Y. Pseudo MAC addresses of the hosts are xxx and yyy; the IP packet crosses the DS in an Ethernet frame addressed between xxx and yyy.

Page 8: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Four address fields.

• The number and function of the address fields is dependent upon the source and destination for the 802.11 frame.

• Before we look at how these addresses are used, let’s look at the different source and destination options.

• Address 4 is optional and not commonly used, except for WDS (wireless distribution system, bridge to bridge).

General 802.11 Frame

The LLC encapsulation will be explained later in this presentation.

Page 9: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing - DS

• Distribution System (DS)
  – “The distribution system is the logical component of 802.11 used to forward frames to their destination. 802.11 does not specify any particular technology for the distribution system.” Matthew Gast
  – The DS is the exiting network from the AP. (For purposes of this discussion.)
  – It can be a wired network (Ethernet) or a wireless network (wireless bridge) or something else.
  – We will assume it is a wired network for these discussions.

Figure: Distribution System (DS) with Access Point 1 and Access Point 2, wireless hosts A, B, C, D and wired hosts X, Y.

Page 10: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing – Frame Control Field

• To DS: indicates if the frame is destined for the DS or AP (1 bit).

• From DS: indicates if the frame is sourced from the DS or AP (1 bit).

General 802.11 Frame

Page 11: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing – Frame Control Field

Function                    ToDS  FromDS
IBSS (no AP)                 0     0
To AP                        1     0
From AP                      0     1
Wireless bridge to bridge    1     1

General 802.11 Frame

Note: Some documentation is misleading stating that the ToDS is set to 1 only when the destination is on the wired side of the AP.

Page 12: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing – Frame Control Field

Page 13: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Let’s look at these options:
  – Host A to Host B
  – Host A to Host X
  – Host X to Host A

• Frames to and from a BSS (Basic Service Set) must go via the access point.

• The access point is a layer 2 bridge (translation bridge) between the 802.11 network and the 802.3 network.

Figure: DS with Access Point 1 and Access Point 2, wireless hosts A, B, C, D and wired hosts X, Y. Pseudo MAC addresses: Host A = aaa, Host B = bbb, Host X = xxx; BSSID of AP1 = 111.

Page 14: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Each BSS is assigned a BSSID.
  – Not to be confused with SSID or ESSID.

• BSSID – 48 bit identifier which distinguishes it from other BSSs in the network, used for filtering.

• In a BSS, the BSSID is the MAC address of the wireless interface.

• Remember, normal switches (bridges) may have MAC addresses, but these addresses are only used for management purposes and not for layer 2 frame forwarding (addressing).

Figure: General 802.11 Frame between Host A (aaa) and Host B (bbb) carrying the BSSID (111) in an address field; Host X is xxx.

Page 15: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Besides the BSSID MAC address, the access point has a MAC address for other interfaces.
  – Ethernet (LAN)
  – Ethernet (WAN)
  – 802.11a for dual mode APs

Figure: General 802.11 Frame between Host A (aaa) and Host B (bbb) carrying the BSSID (111); Host X is xxx.

Page 16: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


BSSID – Cisco 1200

Figure: Cisco 1200 screenshot with callouts for the BSSID, the MAC address for the AP’s IP address (ARP tables), and the BSSID for the 802.11a WLAN.

Page 17: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Linksys WRT54G

Router Information

• IP Address: (received via DHCP)

• MAC Address: 00:0F:66:09:4E:10

Local Network

• MAC Address: 00:0F:66:09:4E:0F

• IP Address: 192.168.1.1

Wireless

• MAC Address: 00:0F:66:09:4E:11

• SSID: GuidoNet2

• DHCP Server: Enabled

• Channel: 11

• Encryption Function: Enabled

Callouts: the Local Network MAC address (00:0F:66:09:4E:0F) is the MAC address for the AP’s IP address; the Wireless MAC address (00:0F:66:09:4E:11) is the BSSID.

Page 18: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Address 1 – Receiver address

• Address 2 – Transmitter address

• Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID

• Transmitter: Sends a frame onto the wireless medium, but may not be the original source (it didn’t necessarily create the frame), e.g. the AP.

• Receiver: Receives a frame on the wireless medium, but may not be the final destination, e.g. the AP.

Figure: General 802.11 Frame for Host A to Host B (Host A = aaa, Host B = bbb, Host X = xxx, BSSID of AP 1 = 111).

Page 19: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Address 1 – Receiver address

• Address 2 – Transmitter address

• Address 3 – Ethernet/wireless SA, Ethernet/wireless DA, or BSSID

Figure: Host A to Host B via AP 1 (pseudo MAC addresses: Host A = aaa, Host B = bbb, Host X = xxx, BSSID of AP 1 = 111)

Frame            ToDS  FromDS  Address 1 (Rec.)  Address 2 (Trans.)  Address 3
Host A to AP 1    1      0      111               aaa                 bbb (DA)
AP 1 to Host B    0      1      bbb               111                 aaa (SA)

Page 20: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• Access Points are translation bridges.

• From 802.11 to Ethernet, and from Ethernet to 802.11.

• The “data/frame body” is re-encapsulated with the proper layer 2 frame (Ethernet or 802.11).

• Certain addresses are copied between the two types of frames.

Figure: the AP re-encapsulates the IP packet: on the 802.11 side it is carried inside LLC in a General 802.11 Frame, on the DS side in an Ethernet frame.

Page 21: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

Figure: Host A to Host X (Host A = aaa, Host B = bbb, Host X = xxx, BSSID of AP 1 = 111)

802.11 frame, Host A to AP 1 (ToDS 1, FromDS 0): Address 1 (Rec.) = 111, Address 2 (Trans.) = aaa, Address 3 (DA) = xxx
Ethernet frame from AP 1 onto the DS: DA = xxx (copied from Address 3), SA = aaa

• The Ethernet DA and SA are the source and destination addresses, just like on traditional Ethernet networks.
  – Destination Address – Host X
  – Source Address – Host A

Page 22: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

Figure: Host A to Host X (Host A = aaa, Host X = xxx, BSSID of AP 1 = 111). 802.11 frame, Host A to AP 1 (ToDS 1, FromDS 0): Address 1 (Rec.) = 111, Address 2 (Trans.) = aaa, Address 3 (DA) = xxx. Ethernet frame: DA = xxx (copied from Address 3), SA = aaa.

• The AP (bridge) knows which MAC addresses are on its wireless interface and maintains a table of those MAC addresses (built from the Association process – later).

• When the AP receives an 802.11 frame, it examines the Address 3 address.

• If Address 3 is not in its table of wireless MACs, it knows it needs to translate the frame to an Ethernet frame.

• The AP copies the Address 3 address to the Ethernet Destination Address, and Address 2 (Transmitter address) is copied to the Ethernet Source Address.

Page 23: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

Figure: Host X to Host A (Host A = aaa, Host B = bbb, Host X = xxx, BSSID of AP 1 = 111).

Page 24: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

Figure: Host X to Host A (Host A = aaa, Host B = bbb, Host X = xxx, BSSID of AP 1 = 111)

Ethernet frame, Host X to AP 1: DA = aaa, SA = xxx
802.11 frame, AP 1 to Host A (ToDS 0, FromDS 1): Address 1 (Rec.) = aaa, Address 2 (Trans.) = 111, Address 3 (SA) = xxx (copied from the Ethernet SA)

Page 25: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

Figure: Host X to Host A (Host A = aaa, Host X = xxx, BSSID of AP 1 = 111). Ethernet frame, Host X to AP 1: DA = aaa, SA = xxx. 802.11 frame, AP 1 to Host A (ToDS 0, FromDS 1): Address 1 (Rec.) = aaa, Address 2 (Trans.) = 111, Address 3 (SA) = xxx (copied from the Ethernet SA).

• The AP (bridge) knows which MAC addresses are on its wireless interface and maintains a table of those MAC addresses (via the Association process – later).

• When the AP receives an Ethernet frame, it examines the Destination address.

• If the Destination Address is in its table of wireless MACs, it knows it needs to translate the frame to an 802.11 frame.

• The AP copies the Destination address to 802.11 Address 1, and the Ethernet Source is copied to the Address 3 address (SA in this case). (Flooded out all ports unless in the Source Address Table.)
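An added worked example, not code from the slides or from Cisco: it decodes the ToDS/FromDS bits of the Frame Control field, gives each address field its role, and models the AP as the translation bridge of the preceding pages using the slides’ pseudo addresses (aaa, bbb, xxx, 111). It also covers the standard’s 4-address bridge-to-bridge case, which the slides only mention; the class and function names are this example’s own.

```python
"""Added example (not from the original slides): decode the ToDS/FromDS bits of
the 802.11 Frame Control field, map Address 1-3 (and 4) to their roles, and model
the access point as a translation bridge between 802.11 and Ethernet, using the
slides' pseudo MAC addresses (A = aaa, B = bbb, X = xxx, BSSID of AP 1 = 111)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union

# Frame Control is a 16-bit field sent little-endian; the second byte holds the
# flags, with ToDS at bit 8 and FromDS at bit 9 of the 16-bit value.
TO_DS_BIT = 1 << 8
FROM_DS_BIT = 1 << 9

def ds_bits(frame_control: bytes) -> Tuple[bool, bool]:
    """Return (ToDS, FromDS) from the two raw Frame Control bytes."""
    fc = int.from_bytes(frame_control[:2], "little")
    return bool(fc & TO_DS_BIT), bool(fc & FROM_DS_BIT)

def ds_function(to_ds: bool, from_ds: bool) -> str:
    """The four rows of the slides' ToDS/FromDS table."""
    return {(False, False): "IBSS (no AP)", (True, False): "To AP",
            (False, True): "From AP", (True, True): "Wireless bridge to bridge"}[(to_ds, from_ds)]

@dataclass
class Dot11Frame:
    to_ds: bool
    from_ds: bool
    addr1: str                    # receiver address
    addr2: str                    # transmitter address
    addr3: str                    # DA, SA or BSSID depending on the DS bits
    addr4: Optional[str] = None   # only present in the bridge-to-bridge case
    body: bytes = b""

    def roles(self) -> Dict[str, Optional[str]]:
        """Meaning of each address field. The first three cases are the ones the
        slides walk through; the fourth is the standard's 4-address (WDS) format,
        which the slides only mention."""
        if not self.to_ds and not self.from_ds:
            return {"DA": self.addr1, "SA": self.addr2, "BSSID": self.addr3}
        if self.to_ds and not self.from_ds:
            return {"BSSID": self.addr1, "SA": self.addr2, "DA": self.addr3}
        if not self.to_ds and self.from_ds:
            return {"DA": self.addr1, "BSSID": self.addr2, "SA": self.addr3}
        return {"RA": self.addr1, "TA": self.addr2, "DA": self.addr3, "SA": self.addr4}

@dataclass
class EthFrame:
    da: str
    sa: str
    body: bytes = b""

@dataclass
class AccessPoint:
    """Translation bridge: the table of wireless MACs (learned at association)
    decides which way a frame is re-encapsulated."""
    bssid: str
    wireless_macs: Set[str] = field(default_factory=set)

    def associate(self, station_mac: str) -> None:
        self.wireless_macs.add(station_mac)

    def from_wireless(self, f: Dot11Frame) -> Union[Dot11Frame, EthFrame, None]:
        # Only ToDS=1/FromDS=0 frames whose Address 1 is this BSSID are for the AP.
        if not (f.to_ds and not f.from_ds) or f.addr1 != self.bssid:
            return None
        if f.addr3 in self.wireless_macs:
            # Destination is in the same BSS (Host A to Host B): relay it over the
            # air with FromDS=1; Address 3 now carries the SA.
            return Dot11Frame(False, True, f.addr3, self.bssid, f.addr2, body=f.body)
        # Otherwise translate: Address 3 -> Ethernet DA, Address 2 -> Ethernet SA.
        return EthFrame(da=f.addr3, sa=f.addr2, body=f.body)

    def from_ethernet(self, e: EthFrame) -> Optional[Dot11Frame]:
        # Ethernet DA in the wireless table -> translate: DA -> Address 1,
        # BSSID -> Address 2, Ethernet SA -> Address 3. Otherwise not ours.
        if e.da not in self.wireless_macs:
            return None
        return Dot11Frame(False, True, e.da, self.bssid, e.sa, body=e.body)

def walkthrough() -> Dict[str, object]:
    """The three cases of the slides on AP 1 (BSSID 111) with A and B associated."""
    ap = AccessPoint("111")
    ap.associate("aaa")
    ap.associate("bbb")
    return {
        "A_to_X": ap.from_wireless(Dot11Frame(True, False, "111", "aaa", "xxx", body=b"ip")),
        "X_to_A": ap.from_ethernet(EthFrame("aaa", "xxx", b"ip")),
        "A_to_B": ap.from_wireless(Dot11Frame(True, False, "111", "aaa", "bbb", body=b"ip")),
        "X_to_Y": ap.from_ethernet(EthFrame("yyy", "xxx", b"ip")),  # wired only: ignored
    }

if __name__ == "__main__":
    print(ds_function(*ds_bits(b"\x08\x01")))   # To AP
    for name, frame in walkthrough().items():
        print(name, frame)
```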

Page 26: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 MAC Addressing

• So how do Ethernet switches know where the wireless stations are?

• Just like wired stations – using the source address of frames that came from the wireless station via the access point.

• Here the switch learns from the incoming Ethernet frame that Source Address aaa is on port 2 and enters that in its MAC address table.

• Any frames coming into the switch (ex. port 1) with a Destination Address of aaa, the switch knows to forward out port 2 (towards the AP).

Figure: the switch’s MAC address table learns Source Address aaa on port 2 (towards the AP, BSSID 111); Host X (xxx) is on port 1.

Page 27: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


LLC – Logical Link Control

• The IP Packet is in an LLC frame which is encapsulated in a MAC frame.

• 802.11 does not include a protocol type field.

• An 8 byte SNAP field is added to the LLC to indicate the layer 3 data being carried in the data field.

• The rest of the information within the LLC is not really relevant.

Figure: General 802.11 Frame carrying the IP Packet inside LLC.

Page 28: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


LLC – Logical Link Control

• The only word of caution is that there are two types of LLC encapsulation, RFC 1042 and 802.1h.

• On a rare occasion, you might find a problem with a client associating to an AP when their LLC encapsulations do not match.
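An added example, not from the slides: building and parsing the 8-byte LLC/SNAP header that supplies the protocol type 802.11 lacks, and flagging the RFC 1042 versus 802.1H (bridge-tunnel) mismatch the slide warns about. The SNAP values (0xAA/0xAA/0x03, the RFC 1042 OUI 00:00:00 and the 802.1H OUI 00:00:F8) come from the standards, not the slides; the sample IPv4 bytes are constructed.

```python
"""Added example (not from the original slides): build and parse the 8-byte
LLC/SNAP header that carries the protocol type an 802.11 data frame lacks,
and tell the two encapsulation flavours apart (RFC 1042 vs 802.1H bridge-tunnel)."""
import struct
from typing import Dict

LLC_SNAP_LEN = 8                 # DSAP, SSAP, Control (3 bytes) + OUI (3) + EtherType (2)
OUI_RFC1042 = b"\x00\x00\x00"    # RFC 1042 encapsulation
OUI_8021H = b"\x00\x00\xf8"      # 802.1H bridge-tunnel encapsulation
ETHERTYPE_IP = 0x0800

def build_llc_snap(ethertype: int, oui: bytes = OUI_RFC1042) -> bytes:
    """DSAP = SSAP = 0xAA (SNAP), Control = 0x03 (unnumbered information)."""
    return b"\xaa\xaa\x03" + oui + struct.pack("!H", ethertype)

def parse_llc_snap(frame_body: bytes) -> Dict[str, object]:
    """Decode the LLC/SNAP header at the start of an 802.11 data frame body.
    Raises ValueError on a body that is not SNAP-encapsulated."""
    if len(frame_body) < LLC_SNAP_LEN:
        raise ValueError("frame body shorter than an LLC/SNAP header")
    dsap, ssap, control = frame_body[0], frame_body[1], frame_body[2]
    if (dsap, ssap, control) != (0xAA, 0xAA, 0x03):
        raise ValueError(f"not LLC/SNAP: DSAP={dsap:#x} SSAP={ssap:#x} ctrl={control:#x}")
    oui = frame_body[3:6]
    (ethertype,) = struct.unpack("!H", frame_body[6:8])
    if oui == OUI_RFC1042:
        encap = "RFC 1042"
    elif oui == OUI_8021H:
        encap = "802.1H bridge-tunnel"
    else:
        encap = "vendor OUI " + oui.hex(":")
    return {"encapsulation": encap, "ethertype": ethertype, "payload": frame_body[8:]}

# Constructed sample: the LLC/SNAP header an AP expects in front of an IP packet
# (RFC 1042), followed by the first bytes of an IPv4 header.
SAMPLE_BODY = build_llc_snap(ETHERTYPE_IP) + bytes.fromhex("4500001c0001")

def mismatch(body: bytes, expected: str = "RFC 1042") -> bool:
    """True when the sender's LLC encapsulation is not the one this side uses:
    the rare client/AP disagreement the slide warns about."""
    return parse_llc_snap(body)["encapsulation"] != expected

if __name__ == "__main__":
    print(parse_llc_snap(SAMPLE_BODY))
    print(mismatch(build_llc_snap(ETHERTYPE_IP, OUI_8021H) + b"\x45"))  # True
```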

Page 29: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


LLC – Logical Link Control

Page 30: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 Overview and MAC Layer

Part 1 – 802.11 MAC and Cisco Client Adapters (Separate Presentation)

• 2.1 Online Curriculum
  – 802.11 Standards

• Overview of WLAN Topologies
  – IBSS
  – BSS
  – ESS
  – Access Points

• 802.11 Medium Access Mechanisms
  – DCF Operations
  – Hidden Node Problem
  – RTS/CTS
  – Frame Fragmentation

• 2.4 – 2.6 Online Curriculum
  – Client Adapters
  – Aironet Client Utility (ACU)
  – ACU Monitoring and Troubleshooting Tools

Part 2 – 802.11 MAC

• 802.11 Data Frames and Addressing

• 802.11 MAC Layer Operations
  – Station Connectivity
  – Power Save Operations
  – 802.11 Frame Formats

• Non-standard devices

Page 31: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

802.11 MAC Layer Operations

Station Connectivity

Power Save Operations

802.11 Frame Formats

Page 32: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

Page 33: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• Earlier we stated that, at a minimum, a client station and the access point must be configured to use the same SSID.

• How does the client find these APs?

• Before connecting to any network, you must find it.

• On Ethernet, the cable does that for you, but of course there is no cable with wireless.

• There are various applications and utilities that will do it, but what is actually happening in the 802.11 MAC operations?

• Let’s take a look…

Page 34: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• Station connectivity is an explanation of how 802.11 stations select and communicate with APs.

State 1: Unauthenticated, Unassociated
State 2: Authenticated, Unassociated
State 3: Authenticated, Associated

Transitions: Successful Authentication (State 1 to State 2); Successful Association (State 2 to State 3); Disassociation (State 3 back to State 2); Deauthentication (back to State 1).

Page 35: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• We will look at three processes:
  – Probe Process (or scanning)
  – The Authentication Process
  – The Association Process

• Only after a station has both authenticated and associated with the access point can it use the Distribution System (DS) services and communicate with devices beyond the access point.

Figure: station connectivity state diagram (State 1 Unauthenticated/Unassociated, State 2 Authenticated/Unassociated, State 3 Authenticated/Associated; transitions Successful Authentication, Successful Association, Deauthentication, Disassociation), annotated with the Probe process, Authentication process and Association process.

Page 36: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Probe Process

• The Probe Process (Scanning) is done by the wireless station
  – Passive – Beacons
  – Active – Probe Requests

• Depends on the device driver of the wireless adapter or the software utility you are using.

• Cisco adapters do active scanning when associating, but use passive scanning for some tests.

• In either case, beacons are still received and used by the wireless stations for other things besides scanning (coming).

Page 37: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Passive Scanning

• Passive Scanning
  – Saves battery power
  – Station moves to each channel and waits for Beacon frames from the AP.
  – Records any beacons received.

• Beacon frames allow a station to find out everything it needs to begin communications with the AP, including:
  – SSID
  – Supported Rates

• Kismet/KisMAC uses passive scanning

Page 38: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Passive Scanning

Page 39: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Passive Scanning

Note: Most of these beacons are received via normal operations and not through passive scanning.

Page 40: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Passive Scanning

• Passive scans, carried out by listening to Beacons from APs, are not usually displayed by a network analyzer (Ethereal, Airopeek, etc.) but can be.

• Beacon interval is the number of time units between beacon transmissions.
  – One unit of time is 1,024 microseconds, or about 1 millisecond.
  – A common beacon interval is 100 time units.
  – A beacon interval of 100 is equivalent to 100 milliseconds or 0.1 seconds.
  – That would be 10 beacons per second.

• Microsecond – millionth of a second; Millisecond – thousandth of a second.

Page 41: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Setting the beacon interval on an AP (later)


Station Connectivity – Passive Scanning

• AP features (options)
  – The SSID can be “hidden” or “cloaked” in the beacon frame (can be done on Cisco APs)
  – Do not send AP broadcast beacons (not an option with Cisco APs)

• From some mailing lists:
  – “SSID cloaking and beacon hiding isn't necessarily a bad thing, but too many places use it as the only protection because it leads to a false sense of security.”
  – “Obscurity != security. Too many companies blindly trust that no beaconing or hiding their SSID means they're automatically safe.”

Page 44: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Active Scanning

• Active Scanning: Probe Request

  – This process is not mandatory with 802.11.

  – A Probe Request frame is sent out on every channel (1 – 11) by the client.

  – APs that receive Probe Requests must reply with a Probe Response frame if:

    • the SSID matches, or

    • the Probe Request had a broadcast SSID (0 byte SSID)

• NetStumbler uses active scanning

Figure: Probe Request capture (from the client).

Page 45: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Figure: Probe Request capture (from the client). Source address is the client (host). The SSID can also be a broadcast SSID, which triggers a Probe Response from all APs in the area.

Page 46: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Active Scanning

• Active Scanning: Probe Response
  – On BSSs the AP is responsible for replying to Probe Requests with Probe Responses.
  – Probe Responses are unicast frames.
  – Probe Responses must be ACKnowledged by the receiver (client).

• Like a beacon, Probe Response frames allow a station to find out everything it needs to begin communications with the AP, including:
  – SSID
  – Supported Rates

Figure: Probe Response capture (from the AP), with steps numbered 1–3.

Page 47: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Figure: Probe Response capture (from the AP). Destination Address is the client that issued the Probe Request; Source address is the AP (same as the BSSID).

• The beacon contains certain information that lets a station know if it can continue to attempt to join this network:
  – SSID
  – Supported Rates
  – Privacy: WEP or None (open)

Page 48: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Capturing the Probe Response

Page 49: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity – Multiple APs

• How a station chooses an AP is not specified in 802.11.

• It is left up to the vendor.

• It could be matching SSIDs, signal strength, or supported data rates.

Most likely Vivian will communicate with AP 2, which matches her SSID and has the stronger signal strength.

Page 50: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• Access Points can be configured whether or not to allow clients with broadcast SSIDs to continue the connectivity process.
  – If there is no authentication on the AP, then the client will most likely “associate” and be on their network!

• Cisco APs use a default SSID of tsunami, known as the “guest mode” SSID. (coming)

• Unless this feature is disabled or authentication is enabled, anyone can easily associate with your AP and access your network (or the Internet).

Figure: a client with no SSID configured sends a Probe Request with a broadcast (no) SSID; the AP answers with a Probe Response, SSID = tsunami; the client ACKs. “Hey, I didn’t do anything and I am on the Internet!”

Page 51: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• Station connectivity processes:
  – Probe Process (or scanning)
  – The Authentication Process
  – The Association Process

• Only after a station has both authenticated and associated with the access point can it use the Distribution System (DS) services and communicate with devices beyond the access point.

Figure: station connectivity state diagram (State 1 Unauthenticated/Unassociated, State 2 Authenticated/Unassociated, State 3 Authenticated/Associated; transitions Successful Authentication, Successful Association, Deauthentication, Disassociation), annotated with the Probe process, Authentication process and Association process.

Page 52: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Authentication Process

• On a wired network, authentication is implicitly provided by the physical cable from the PC to the switch.

• Authentication is the process to ensure that stations attempting to associate with the network (AP) are allowed to do so.

• 802.11 specifies two types of authentication:
  – Open-system
  – Shared-key (makes use of WEP)

Page 53: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Authentication Process – Open-System

• Open-system authentication is really “no authentication”.

• Open-system authentication is the only method required by 802.11.
  – You could buy an AP that doesn’t support Shared-key.

• The client and the AP exchange authentication frames.

Page 54: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


• The client:
  – Sets the Authentication Algorithm Number to 0 (open-system)
  – Sets the Authentication Transaction Sequence Number to 1

• The AP:
  – Sets the Authentication Algorithm Number to 0 (open-system)
  – Sets the Authentication Transaction Sequence Number to 2
  – Status Code set to 0 (Successful)

Frame Control omitted in this Authentication Response

Page 55: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Authentication Process – Shared-Key

• Shared-key authentication uses WEP (Wired Equivalent Privacy) and can only be used on products that support WEP.

• WEP is a Layer 2 encryption algorithm based on the RC4 algorithm.

• 802.11 requires any stations that support WEP to also support shared-key authentication.

• WEP and WPA will be examined more closely when we discuss security.

• For now, both the client and the AP must have a shared key (password).

Page 56: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Authentication Process – Shared-Key

• The client:
  – Sets the Authentication Algorithm Number to 1 (shared-key)
  – Sets the Authentication Transaction Sequence Number to 1

• The AP:
  – Sets the Authentication Algorithm Number to 1 (shared-key)
  – Sets the Authentication Transaction Sequence Number to 2
  – Status Code set to 0 (Successful)
  – Challenge Text (later)

• The client:
  – Sets the Authentication Algorithm Number to 1 (shared-key)
  – Sets the Authentication Transaction Sequence Number to 3
  – Challenge Text (later)

• The AP:
  – Sets the Authentication Algorithm Number to 1 (shared-key)
  – Sets the Authentication Transaction Sequence Number to 4
  – Status Code set to 0 (Successful)

Page 57: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Authentication Process

• We’ll look at the configuration of the client and AP later!

• Example of open-system authentication.

• Note: On “some” systems you can configure authentication (WEP) and WEP encryption separately. On the ACU you can have open-system authentication and also have WEP encryption. However, if you have Shared-key (WEP) authentication, you must use WEP encryption.

Page 58: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Authentication Process

• Authentication: Open-System or Shared-Key (WEP)

• Encryption: None or WEP

Figure: the possible combinations, with Shared-Key authentication usable only with WEP encryption.

Page 59: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• If not configured specifically to look for a network, some client utilities will automatically join the network that meets their vendor’s criteria (not specified in 802.11) such as signal strength and open-system authentication.

• How a station chooses an AP is not specified in 802.11.

• Or just find the open-system network and join.

Figure: Beacon, SSID = tsunami; Authentication Request from the client; Authentication Response (Open-system) from the AP. “Hey, I REALLY didn’t do anything and I am on the Internet!”

Page 60: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• Station connectivity processes:
  – Probe Process (or scanning)
  – The Authentication Process
  – The Association Process

• Only after a station has both authenticated and associated with the access point can it use the Distribution System (DS) services and communicate with devices beyond the access point.

Figure: station connectivity state diagram (State 1 Unauthenticated/Unassociated, State 2 Authenticated/Unassociated, State 3 Authenticated/Associated; transitions Successful Authentication, Successful Association, Deauthentication, Disassociation), annotated with the Probe process, Authentication process and Association process.

Page 61: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Association Process

• The association process is logically equivalent to plugging into a wired network.

• Once this process is completed, the wireless station can use the DS and connect to the network and beyond.

• A wireless station can only associate with one AP (802.11 restriction).

• During the 802.11 association process the AP maps a logical port known as the Association Identifier (AID) to the wireless station.
  – The AID is equivalent to a port on a switch and is used later in Power Save Operations.

• The association process allows the DS to keep track of frames destined for the wireless station, so they can be forwarded.

1. Association Request

2. Association Response

Page 62: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Association Process

• Association Request Frame (From client)

– Listen Interval – This value is used by the Power Save Operation (later). Informs the AP how often the station will wake up to receive buffered frames.

– Supported Rates – What data rates the client station supports.

• Association Response Frame (From AP)

– Status Code – Indicates success or reason for failure.

– AID – A value assigned to this station for the Power Save Operation (later).

– Supported Rates - What data rates the AP supports.

Page 63: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Association Process

• Association Request Frame (From client)
  – At this point the AP adds the source address of the wireless client to its Source Address Table.
  – This is how the AP knows to forward frames destined to the client out the wireless interface (802.11) and not the wired interface (802.3/Ethernet).
  – The AP usually learns the wireless client’s Source Address sooner, either in the Probe Request or Authentication Request frames, but this is where it “officially” adds the wireless client to its MAC table.

Page 64: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Station Connectivity

• Traffic can now flow between the client and the AP.

• Disassociation and deauthentication can be due to:– Inactivity– The AP cannot handle all currently associated stations– Station has left BSS – etc.

State 1 Unauthenticated

Unassociated

State 2 Authenticated Unassociated

State 3 Authenticated

Associated

Successful Authentication

Successful Association

Deauthentication Disassociation

Probe process

Authentication process

Association process
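An added example, not code from the slides or from Cisco, covering the station connectivity pages above as one piece: an AP-side model of the State 1/2/3 machine driven by the open-system authentication exchange (sequence numbers 1 and 2), association (AID and listen interval), disassociation and deauthentication, plus the listen-interval arithmetic of the power save section. Status codes 13, 14 and 17 are the standard’s values, not from the slides; the frames and the station names aaa/bbb/ccc are constructed.

```python
"""Added example (not from the original slides): an access point's view of the
station connectivity state machine (State 1 to State 3), driven by the
authentication, association, disassociation and deauthentication frames the
slides describe. Frames are constructed; only open-system authentication is
handled, since the shared-key challenge exchange is deferred in the slides."""
from dataclasses import dataclass, field
from typing import Dict, Optional

OPEN_SYSTEM, SHARED_KEY = 0, 1           # Authentication Algorithm Number
STATUS_SUCCESS = 0                       # status codes from the 802.11 standard
STATUS_UNSUPPORTED_ALG = 13
STATUS_BAD_SEQ = 14
STATUS_AP_FULL = 17
STATE_1, STATE_2, STATE_3 = 1, 2, 3      # unauth/unassoc, auth/unassoc, auth/assoc

@dataclass
class AuthFrame:
    algorithm: int
    seq: int                             # Authentication Transaction Sequence Number
    status: int = STATUS_SUCCESS

@dataclass
class AssocResponse:
    status: int
    aid: Optional[int] = None            # Association Identifier (the "logical port")

@dataclass
class AccessPoint:
    ssid: str
    max_stations: int = 2                # small on purpose, to show the "AP full" case
    state: Dict[str, int] = field(default_factory=dict)
    aid: Dict[str, int] = field(default_factory=dict)
    listen_interval: Dict[str, int] = field(default_factory=dict)

    def state_of(self, sta: str) -> int:
        return self.state.get(sta, STATE_1)

    def authenticate(self, sta: str, req: AuthFrame) -> AuthFrame:
        """Open-system: the client sends seq 1, the AP answers seq 2, status 0."""
        if req.seq != 1:
            return AuthFrame(req.algorithm, 2, STATUS_BAD_SEQ)
        if req.algorithm != OPEN_SYSTEM:
            return AuthFrame(req.algorithm, 2, STATUS_UNSUPPORTED_ALG)
        if self.state_of(sta) == STATE_1:
            self.state[sta] = STATE_2
        return AuthFrame(OPEN_SYSTEM, 2, STATUS_SUCCESS)

    def associate(self, sta: str, listen_interval: int) -> Optional[AssocResponse]:
        """Only a State 2 station may associate; the AP then assigns an AID and
        stores the listen interval (beacons slept between wake-ups) for power save."""
        if self.state_of(sta) == STATE_1:
            self.deauthenticate(sta)     # association attempt without authentication
            return None
        if sta not in self.aid and len(self.aid) >= self.max_stations:
            return AssocResponse(STATUS_AP_FULL)
        if sta not in self.aid:
            self.aid[sta] = max(self.aid.values(), default=0) + 1
        self.listen_interval[sta] = listen_interval
        self.state[sta] = STATE_3
        return AssocResponse(STATUS_SUCCESS, self.aid[sta])

    def disassociate(self, sta: str) -> None:
        """State 3 -> State 2: the station stays authenticated."""
        self.aid.pop(sta, None)
        self.listen_interval.pop(sta, None)
        if self.state_of(sta) == STATE_3:
            self.state[sta] = STATE_2

    def deauthenticate(self, sta: str) -> None:
        """Any state -> State 1; an association cannot outlive authentication."""
        self.disassociate(sta)
        self.state[sta] = STATE_1

    def wake_interval_seconds(self, sta: str, beacon_interval_tu: int = 100) -> float:
        """listen interval x beacon interval x 1024 us. The slides round a time
        unit to 1 ms and call 200 x 100 TU "20 seconds"; exactly it is 20.48 s."""
        return self.listen_interval[sta] * beacon_interval_tu * 1024 / 1_000_000

def walkthrough() -> Dict[str, object]:
    """Constructed sequence against an AP using the slides' default SSID tsunami."""
    ap = AccessPoint("tsunami")
    out: Dict[str, object] = {}
    out["assoc_without_auth"] = ap.associate("aaa", 200)                     # None
    out["auth_aaa"] = ap.authenticate("aaa", AuthFrame(OPEN_SYSTEM, 1))
    out["shared_key_refused"] = ap.authenticate("bbb", AuthFrame(SHARED_KEY, 1))
    out["assoc_aaa"] = ap.associate("aaa", 200)
    out["wake_aaa_s"] = ap.wake_interval_seconds("aaa")                      # 20.48
    for sta in ("bbb", "ccc"):
        ap.authenticate(sta, AuthFrame(OPEN_SYSTEM, 1))
    ap.associate("bbb", 1)
    out["assoc_ccc"] = ap.associate("ccc", 1)                                # AP full
    ap.disassociate("aaa")
    out["state_aaa_after_disassoc"] = ap.state_of("aaa")                     # 2
    ap.deauthenticate("bbb")
    out["state_bbb_after_deauth"] = ap.state_of("bbb")                       # 1
    return out

if __name__ == "__main__":
    print(walkthrough())
```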

Page 65: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Labs and Station Connectivity

• In the lab we will need to take steps to make sure you are configuring and connected to the AP that you think you are!

• We will first connect via a wired interface, change the SSID and IP addressing on the AP, different from what the labs show.

Figure: AP1 and AP2. “Configuring AP1 is easy!” “Hey, what happened to my settings on AP2!”

Page 66: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 Overview and MAC Layer

Part 1 – 802.11 MAC and Cisco Client Adapters (Separate Presentation)

• 2.1 Online Curriculum
  – 802.11 Standards

• Overview of WLAN Topologies
  – IBSS
  – BSS
  – ESS
  – Access Points

• 802.11 Medium Access Mechanisms
  – DCF Operations
  – Hidden Node Problem
  – RTS/CTS
  – Frame Fragmentation

• 2.4 – 2.6 Online Curriculum
  – Client Adapters
  – Aironet Client Utility (ACU)
  – ACU Monitoring and Troubleshooting Tools

Part 2 – 802.11 MAC

• 802.11 Data Frames and Addressing

• 802.11 MAC Layer Operations
  – Station Connectivity
  – Power Save Operations
  – 802.11 Frame Formats

• Non-standard devices

Page 67: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Power Save (PS) Operations

• A key factor in wireless is mobility, which implies batteries.

• To preserve battery power the 802.11 specification provides for power saving operations on the wireless clients.

• 802.11 categories for power savings refer to:
  – Unicast frames
  – Broadcast/Multicast frames

Page 68: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Power Save (PS) Operations

• The Cisco ACU has three options for Power Saving:
  – CAM (Constantly Awake Mode)
  – MAX PSP (Max Power Savings)
  – Fast PSP (Fast Power Saving Mode)

• More on this later.

Page 69: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Power Save (PS) Operations

• A client enters low-power mode by turning off its radio.

• The AP buffers (holds) frames destined for that station while it is in PS mode.

• At a certain interval the client wakes up to listen for a beacon from the AP.

• The beacon contains information on whether or not there are frames for this station at the AP.

• If there are no frames buffered for this station it can return to PS mode.

Figure: the AP sends a beacon; the client: “I’m awake. Let me listen for a beacon to see if there is any traffic for me. If not, I can go back to sleep.”

Page 70: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Power Save (PS) Operations

The basics:

• If there are frames buffered for this station it will poll the AP for those frames.

• The AP will then send the frames to the station.

[Figure: exchange between AP and station. AP sends Beacon (frames buffered); station: "There are frames for me! Please send them to me."; station sends PS-Poll (send them to me); AP sends Frame 1; station returns ACK.]

Page 71: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Unicast Power Save Operations

• When a client associates with an AP it specifies a listen interval.

• Listen interval – The number of beacons the client waits while in sleep mode before transitioning to active (awake) mode.

• The number of beacons per second may vary between APs, but the beacon frame has told the client how often those beacons are sent (the beacon interval), so the client knows when it needs to wake up.

[Figure: 1. Association Request (station to AP), 2. Association Response (AP to station).]

Page 72: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Unicast Power Save Operations

• For example:
– If the listen interval on the client is 200, the client wakes up every 200 beacons.
– If the AP beacon interval is 100 (10 beacons per second),
– the client will wake up every 20 seconds to see if there are any frames buffered for it.

[Figure: the same exchange as on the previous slide. AP sends Beacon (frames buffered); station: "There are frames for me! Please send them to me."; station sends PS-Poll (send them to me); AP sends Frame 1; station returns ACK.]

Page 73: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Power Save (PS) Operations

• How does an AP know if a station is in PS mode?

• Various frames carry this information: the frames of the Station Connectivity process, PS-Poll frames and Data frames, since the user may change this status at any time.

• This information is contained in the Power Management sub-field of the Frame Control field, which is present in most 802.11 frames.
– 0 = Active mode, 1 = Power Save Mode
– Frames from the AP always have a value of 0 (it cannot sleep)
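As an added example (not part of the slides or the Cisco course), the following Python decodes the 2-byte Frame Control field and reports the Power Management bit together with the frame type and subtype, so you can see how a monitoring tool would track which mode a station is announcing. The Frame Control words below are constructed for this note rather than captured, and `ap_power_save_anomaly` is my own name for a check built on the slide's rule that frames from the AP always carry 0 in this bit.

```python
"""Decode the 802.11 Frame Control field (first two bytes of every frame) and
extract the Power Management bit the slides describe.  Sample values below are
constructed, not captured from a real network."""

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}

# (type, subtype) -> name, for the frames mentioned in this presentation.
SUBTYPE_NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null data",
}


def parse_frame_control(frame):
    """Return the fields of the Frame Control word carried in frame[0:2].

    Bit layout (802.11, little-endian on air):
      byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
      byte 1: To DS, From DS, More Fragments, Retry, Power Mgmt,
              More Data, Protected Frame, Order (bit 0 .. bit 7)
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    b0, b1 = frame[0], frame[1]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    return {
        "version": b0 & 0x3,
        "type": ftype,
        "type_name": TYPE_NAMES[ftype],
        "subtype": subtype,
        "subtype_name": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "more_fragments": bool(b1 & 0x04),
        "retry": bool(b1 & 0x08),
        "power_management": bool(b1 & 0x10),   # 0 = Active, 1 = Power Save
        "more_data": bool(b1 & 0x20),          # AP still has buffered frames
        "protected": bool(b1 & 0x40),
        "order": bool(b1 & 0x80),
    }


def power_mode(frame):
    """The mode a station announces in this frame: 'PS' or 'Active'."""
    return "PS" if parse_frame_control(frame)["power_management"] else "Active"


def ap_power_save_anomaly(frame):
    """True if a frame sent by the AP (From DS = 1) sets Power Management.

    The slides note that AP frames always carry 0 here because an AP cannot
    sleep, so a 1 is a decode error or a non-conforming sender and is worth
    flagging in a monitoring tool.  Only frames with From DS = 1 are checked:
    management frames have From DS = 0 and need the address fields (which this
    helper does not look at) to tell an AP from a station.
    """
    fc = parse_frame_control(frame)
    return fc["from_ds"] and fc["power_management"]


def station_mode_trace(frames):
    """Follow a station's announced mode across a sequence of its frames,
    mirroring the slide's point that the status can change at any time."""
    return [(parse_frame_control(f)["subtype_name"], power_mode(f)) for f in frames]


# Constructed Frame Control words (only the first two bytes matter here):
BEACON_FC = bytes([0x80, 0x00])         # Management / Beacon, PM = 0 (from AP)
DATA_TO_AP_PS_FC = bytes([0x08, 0x11])  # Data, To DS = 1, PM = 1: station going to sleep
PS_POLL_FC = bytes([0xA4, 0x10])        # Control / PS-Poll, PM = 1
NULL_ACTIVE_FC = bytes([0x48, 0x01])    # Data / Null data, To DS = 1, PM = 0: station awake
DATA_FROM_AP_FC = bytes([0x08, 0x22])   # Data, From DS = 1, More Data = 1
BOGUS_AP_FC = bytes([0x08, 0x12])       # Data, From DS = 1, PM = 1: should never occur

if __name__ == "__main__":
    for label, fc in [("beacon", BEACON_FC), ("ps-poll", PS_POLL_FC), ("bogus", BOGUS_AP_FC)]:
        print(label, parse_frame_control(fc), "anomaly:", ap_power_save_anomaly(fc))
```

The Null data frame with PM = 0 is how a station typically announces that it is awake again; tracing those transitions per client address is a cheap way to spot a radio that flaps between modes or an AP-sourced frame that should never carry the bit.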

Page 74: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Power Save (PS) Operations

Page 75: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


FYI – A little more detail on Unicast PS Operations

• Remember the Association Identifier (AID) in the Association Response, equivalent to a port on a switch.

• Each station receives a unique AID during the association phase.

• The TIM (Traffic Indication Map) in the beacon tells the station if there are any frames buffered for it in the AP.

• If the "flag" = 0 there are no frames buffered; if the "flag" = 1 there are frames being buffered.

[Figure: 1. Association Request (station to AP), 2. Association Response (AP to station, AID = 29). Station: "The AP tells me I am AID 29."]

Page 76: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


FYI – A little more detail on Unicast PS Operations

• The station sends a PS-Poll with its AID to get the frames.

• Much of the detail has been left out; if you are interested, see the two books I recommended at the beginning of the presentation.

[Figure: during the association process: 1. Association Request, 2. Association Response (AID = 29). Later, on receiving a Beacon, the station says "The AP told me I am AID 29. I see in the beacon that there are frames waiting for me. Let me ask for them." and sends PS-Poll (send them to me); the AP sends Frame 1 and the station returns ACK.]

Page 77: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


FYI – A little more detail on Unicast PS Operations

Page 78: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


FYI – A little more detail on Unicast PS Operations

• You won’t find an exact match here between the protocol decode and the TIM.

• See the Cisco Press book 802.11 Wireless LAN Fundamentals if you are interested in how this works.

Page 79: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Broadcast/Multicast Power Save Operations

• Broadcast and multicast traffic is buffered at the AP for all stations (including non-PS stations) when at least one associated station is in PS mode.

• The network administrator defines the interval for the client to wake up to receive broadcast and multicast traffic.

• A special TIM, known as a DTIM (Delivery Traffic Indication Map), indicates whether or not there is broadcast/multicast traffic buffered on the AP.

• If the TIM's DTIM Count field is 0, the AP has broadcast/multicast frames.

• DTIM information is not sent in every beacon, but on every DTIM count period (the 10th beacon in this example), and "getting in sync" depends on the vendor.

• The rest of the details can be found in Matthew Gast's book if you are interested.
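To make the TIM concrete, here is an added Python example (mine, not from the slides, the Cisco course or the two books) that builds and decodes the TIM information element carried in beacons. It serves the earlier "AID and TIM flag" slide (AID 29 is used as the sample station), the listen-interval arithmetic (200 beacons at 100 TU), and the DTIM Count / DTIM Period fields described on this slide. Function names, the 251-octet virtual bitmap handling and all sample values are my own construction; the element layout follows the 802.11 TIM element (ID 5, DTIM Count, DTIM Period, Bitmap Control, Partial Virtual Bitmap).

```python
"""Build and decode the 802.11 TIM information element carried in beacons.
The TIM holds the DTIM Count / DTIM Period and one 'frames buffered' bit per
AID, which is what a sleeping station checks before sending a PS-Poll.
Written as an illustration for this note; sample values are constructed."""

TIM_ELEMENT_ID = 5
MAX_AID = 2007                 # valid AIDs are 1..2007 (AID 0 is not a station)
VIRTUAL_BITMAP_OCTETS = 251    # 2008 bits -> 251 octets
TU_SECONDS = 1024e-6           # one 802.11 Time Unit (TU) is 1024 microseconds


def build_tim(dtim_count, dtim_period, buffered_aids, group_buffered=False):
    """Return TIM element bytes: ID, Length, DTIM Count, DTIM Period,
    Bitmap Control, Partial Virtual Bitmap.

    The partial virtual bitmap is the slice of the 251-octet virtual bitmap
    that actually has bits set; Bitmap Control bits 1-7 carry the offset of
    that slice in units of two octets, and bit 0 is the group-addressed
    (broadcast/multicast) traffic indicator used in DTIM beacons.
    """
    if not 0 <= dtim_count < dtim_period <= 255:
        raise ValueError("DTIM Count must be below DTIM Period (1..255)")
    bitmap = bytearray(VIRTUAL_BITMAP_OCTETS)
    for aid in buffered_aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID {aid} out of range 1..{MAX_AID}")
        bitmap[aid // 8] |= 1 << (aid % 8)
    nonzero = [i for i, octet in enumerate(bitmap) if octet]
    if nonzero:
        first = nonzero[0] & ~1              # offset is in octet pairs: round down to even
        pvb = bytes(bitmap[first:nonzero[-1] + 1])
    else:
        first, pvb = 0, b"\x00"              # nothing buffered: one zero octet is still sent
    bitmap_control = ((first // 2) << 1) | (1 if group_buffered else 0)
    body = bytes([dtim_count, dtim_period, bitmap_control]) + pvb
    return bytes([TIM_ELEMENT_ID, len(body)]) + body


def parse_tim(element):
    """Decode a TIM element into its fields, with the buffered AIDs expanded."""
    if len(element) < 2 or element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    length = element[1]
    if length < 4 or len(element) < 2 + length:
        raise ValueError("TIM element truncated")   # never index past a short beacon
    body = element[2:2 + length]
    dtim_count, dtim_period, bitmap_control = body[0], body[1], body[2]
    offset_octets = (bitmap_control >> 1) * 2
    aids = []
    for i, octet in enumerate(body[3:]):
        for bit in range(8):
            if octet & (1 << bit):
                aid = (offset_octets + i) * 8 + bit
                if 1 <= aid <= MAX_AID:      # ignore bit 0 and anything past the AID space
                    aids.append(aid)
    return {
        "dtim_count": dtim_count,
        "dtim_period": dtim_period,
        "is_dtim": dtim_count == 0,           # this beacon is a DTIM beacon
        "group_buffered": bool(bitmap_control & 0x01),
        "buffered_aids": aids,
    }


def station_should_poll(element, my_aid):
    """What a station with AID my_aid decides after reading the beacon's TIM:
    send a PS-Poll for its unicast frames, or stay awake for group frames."""
    tim = parse_tim(element)
    return {
        "send_ps_poll": my_aid in tim["buffered_aids"],
        "wait_for_group_frames": tim["is_dtim"] and tim["group_buffered"],
    }


def wake_period_seconds(beacon_interval_tu, listen_interval):
    """Seconds between a sleeping station's wake-ups: listen_interval beacons,
    each beacon_interval_tu apart.  The slide's 100 TU / 200 beacons example
    gives 20.48 s (the slide rounds 100 TU to 0.1 s, hence '20 seconds')."""
    return listen_interval * beacon_interval_tu * TU_SECONDS


def dtim_period_seconds(beacon_interval_tu, dtim_period):
    """Seconds between DTIM beacons, i.e. the longest a group frame waits."""
    return dtim_period * beacon_interval_tu * TU_SECONDS


if __name__ == "__main__":
    tim = build_tim(dtim_count=3, dtim_period=10, buffered_aids=[29])
    print(tim.hex(), parse_tim(tim), station_should_poll(tim, 29))
```

Note the length check in `parse_tim`: the bitmap offset and partial bitmap come straight from the air, so a decoder that trusts the Length octet without comparing it to the bytes actually present is the kind of beacon-parsing bug a defender should look for in client drivers. The `wake_period_seconds` helper also makes the trade-off on the earlier slide explicit: a larger listen interval saves battery but raises the worst-case delivery delay for buffered unicast frames by the same factor.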

Page 80: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

802.11 Frame Formats

Page 81: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 Frame Formats (Some of them)

• The following diagrams are FYI and from Cisco Press book 802.11 Wireless LAN Fundamentals by Pejman Roshan and Jonathan Leary.

802.11 Frames

• Data Frames (most are PCF)
– Data
– Null data
– Data+CF-Ack
– Data+CF-Poll
– Data+CF-Ack+CF-Poll
– CF-Ack
– CF-Poll
– CF-Ack+CF-Poll

• Control Frames
– RTS
– CTS
– ACK
– CF-End
– CF-End+CF-Ack

• Management Frames
– Beacon
– Probe Request
– Probe Response
– Authentication
– Deauthentication
– Association Request
– Association Response
– Reassociation Request
– Reassociation Response
– Disassociation
– Announcement Traffic Indication

Page 82: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


802.11 Data Frame


Page 86: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC

Non-standard 802.11 Devices

Page 87: Ch. 2 – 802.11 and NICs Part 2 – 802.11 MAC


Non-standard 802.11 devices

• These devices either extend or fall outside the 802.11 standard and will be discussed in more detail in later sections:
– Repeater APs
– Universal Clients (Workgroup Bridges)
– Wireless Bridges
