Computer Networking, Copyright © University of Edinburgh 2005

CS4/MScComputer Networking

Lecture 13:

Personal Area Networks – Bluetooth

2

BlueTooth

• Low cost wireless connectivity for Personal Area Networks– PDAs, mobile phones, laptops, audio headsets, printers, scanners, GPS navigators, modems, USB adapters etc.

– 10 metre range for typical power class 2 transmitter

– Low data rate; nominally 1Mbps (3Mbps with v.2 + EDR)

– 2.4GHz ISM radio band; same as 802.11b/g

• Bluetooth Special Interest Group (SIG)– Originated by Ericsson in late 90s

– Promoted by Ericsson, Nokia, IBM, Toshiba, Intel, …

– 500million Bluetooth-enabled devices estimated to be sold in 2005

– IEEE also involved, 802.15.1

• Harald Bluetooth– Danish ruler of Denmark and Norway in late 900AD

– Converted Vikings to Christianity

3

Architecture

• Piconet– The basic unit of a Bluetooth system

– One master node, up to 7 active slaves

– and up to 255 inactive, “parked” nodes

– Independent piconets can co-exist in same area

• Scatternet– Interconnected collection of piconets

– A node can participate in more than 1 piconet» But not as master in both

• Master/slave architecture– Simplified medium access control: the master polls the slaves

– Most characteristics of the communication controlled by master» E.g. freq. hoping sequence, synchronisation clock

– Slaves can only “talk” with master, “respond” to be precise

4

Bluetooth protocol stack

• Core protocols: radio, baseband, LMP, L2CAP, SDP

• Cable replacement and Telephony: RFCOMM, TCS BIN

• Adopted protocols: PPP, IP, OBEX, AT-commands, …

• Profile specification: application support

5

Bluetooth Radio

• Frequency hopping spread spectrum– 79 1MHz physical channels from 2.402GHz to 2.480GHz

– Transmit rate 1M symbols per sec (720kbps max real rate)» 1µs per symbol

– Dwell time 625µs, (called slot time) or 1600 hops/sec

• Hop sequence determined by master, based on its unique 48b ID– Collocated piconets have different masters, hence diff. sequences

• Modulation: Gaussian Frequency Shift Keying (GFSK)– 1 symbol represents 1 bit

• Power classes and power control– Class 1 100mW, 100m

– Class 2 2.4mW, 10m

– Class 3 1mW, few cm

– Power control ensures RF power is not more than required

6

Bluetooth baseband

• Equivalent to the MAC layer– Converts bit stream to frames, defines packet formats, data-link protocols

• Time-Division Duplex (TDD)– Data transmitted in one direction at a time, alternating between directions

– Prevents crosstalk between transmit-receive operations» Simplifies radios, keeps cost low

– Polled slave responds at the slot following master’s transmission

625µs

f(k) f(k+1) f(k+2) f(k+3)

Master

Slave

625µs

f(k) f(k+1) f(k+2) f(k+3)

Master

Slave

7

Multi-slot packets

• At end of transmission time is allowed for radios to stabilize after hopping to the next frequency: ~260 µs

– Leaving only 366bits for transmission including headers

• Multislot packets used for higher efficiency– 1, 3, 5 slot packets defined

• Frequency hopping is suspended while a multihop packet is transmitted– All of the available slot time is used for transmission (except last one)

– At the end of transmission, radios move to the frequency they should be as if they were hopping every 625µs

• Slave does not have to respond with same size packet– Asymmetric transmission

• Note that all packet sizes are odd number of slots– Master always transmits at even slots

– Slave at odd slots

8

Master-slave link types: Synchronous Connection-Oriented

• Point to point synchronous communication link

• Used for time-critical information, e.g. telephone connections– Guaranteed, fixed-rate transmission using slot reservations

– Master sends SCO packets at regular intervals of TSCO slots

– Slave always allowed to respond with SCO packet in the following slot

• SCO packets are never retransmitted

• Forward error correction can be used– 1/3 rate FEC: 3 copies of each bit sent. Receiver does a majority operation

– 2/3 rate FEC: Hamming code. 1 bit corrected, 2 bit detected per codeword

• A master can support up to 3 SCO links– A slave can only support two links if links originate from different masters

9

Master-slave link types: Asynchronous Connectionless (ACL)

• Master exchanges packets with a slave on a per-slot basis– Using SCO’s leftover slots

– Provides a packet-switched connection between master and slave

• Only one ACL link between a particular master/slave pair allowed– in addition to any SCO links between the same pair

– Multiplexing for different flows/applications happens at higher layer

• Broadcasting packets to all active slaves is possible

• A slave is permitted to respond to an ACL packet from a master in the following slot only if it has been specifically addressed in the previous slot

• Packet retransmission applied for most packets to assure data integrity– stop-and-wait ARQ

» Slave gives ACK, NAK for received packet in its reply slot

– 2/3 FEC also available, combined with ARQ

10

Bluetooth packet format

• Access Code – timing synchronisation, paging, inquiry– Channel Access Code: identifies piconet (derived from master’s ID)

– Device Access Code: For paging (derived from paged unit’s ID)

– Inquiry Access Code: For inquiries (discovery of nearby units)

• Header, 18 bits repeated 3 times for error correction– am_addr : active member address– type : packet type including # of slots used– flow : Xon/Xoff type flow control– arqn : ACK, NAK– seqn : 1b sequence number for ARQ– HEC: header checksum

Access Code Header Payload72 54 0 - 2745

am_addr type flow arqn seqn HEC

11

Controller States

Inquiry procedure: potential master scans for units (inquiry state)

• Broadcast ID packet with Inquiry Access Code in 32 wake-up carriers

• Nodes periodically enter the inquiry scan state and scan at least 18 of the 32 wake-up channels

• Interested nodes reply with packets containing their ID and other parameters (FHS packet)

Standby

Connection

Page Page Scan InquiryScan

Inquiry

masterresponse

slaveresponse

inquiryresponse

Paging procedure:

• Master uses Device Access Code ID packets at freq. hop sequence determined by slave’s ID

• Slave replies with copy packet

• Master sends FHS packet

• Slave acks

• Units move to connection state

12

Security

• Inherently quite secure:– Low power transmission, means short range

– Fast frequency hopping with a pseudo-random hop sequence» much lower likelihood of casual eavesdropping

• Standard defines features operating at the link level

• Supports authentication and encryption

• Security Modes:– Mode 1: no security procedures

– Mode 2: enforces security after link establishment at L2CAP level

– Mode 3: enforces controls such as authentication and encryption at the Baseband level before the connection is set up

• Security Levels– Device level: trusted, untrusted devices

– Service level: authentication, authorisation, open to all

13

Link Keys

• Used for authentication and to generate the encryption key– All are 128 bits long

• Initialisation key – used just to get started– Verifier sends plaintext random number

– Both units use shared secret PIN to generate Kinit

• Unit key – semi permanent link key for basic units– Function of random number and device 48b ID

– Send to other unit encrypted (XORed) with Kinit

• Combination key – semi permanent key for each pair of units– Each unit generates a “unit key” based on a local random number

– The random numbers are exchanged encrypted with Kinit

– Each unit generates locally the other unit’s key based on random number

– The two keys are XORed to generate the combination key

14

Authentication and Encryption

• Authentication uses a challenge-response scheme– Only 32 bits of the response are transmitted

E1au_rand

bd_addr

link key

sres’

E1au_rand

bd_addr

link key

sres

au_rand

sresVerifier ClaimantE1

au_rand

bd_addr

link key

sres’

E1au_rand

bd_addr

link key

sres

au_rand

sresVerifier Claimant

E0

clock

en_rand

bd_addr

encr key

key stream

plaintext

cipher text

• Encryption uses a different payload key for each transmission based on– Encryption key derived from link key

– Random number send to receiver in advance

– Current clock

15

L2CAP : Logical Link Control and Adaptation Protocol

• Provides connection-oriented and connectionless services– Support only for ACL links, not SCO links

• Upper layer protocol multiplexing– needs to be able to distinguish between upper layer protocols such as the Service Discovery Protocol (SDP), RFCOMM, Telephony Control etc.

• Segmentation and reassembly of packets up to 64Kb in length

• Quality of Service– Connection establishment allows the exchange of information about QoS

• Three types of logical channels:– Connectionless

» Unidirectional, only one allowed per master-slave pair

– Connection-oriented» Bidirectional, QoS specification for each direction

– Signalling» Handles connection establishment, configuration, etc.

16

Bluetooth profile specification

• Describe the use of Bluetooth to support various applications– Address the problem of the multiplicity of options and parameter values

– Vertical slice through the protocol stack, defining compulsory options, parameters etc for each protocol

» a minimum recipe for building a particular type of device

» which manufacturers can augment in order to distinguish their product

• Facilitates the interoperability of devices» implementation options are reduced so applications share the same features

» parameters are defined so applications operate in similar ways

» user interface guidelines are defined giving uniformity across devices

• If a device implements an end-user function covered by a profile, it mustimplement that profile, for interoperability

17

Profiles

• Built up in layers, each profile relying upon layers beneath

Headset profile

18

Bluetooth extensions: Enhanced Data Rate

• Addendum to v2 of Bluetooth spec, ratified in Nov 04

• Backwards compatible

• Provides for up to 3Mbps transfer rate– No single bluetooth application can currently saturate the 721Kbps available

– But, taking collisions into consideration the available bandwidth of a piconetwill not be enough for simultaneous use of high-quality audio, a few computer peripherals and telephony

• Two new modulation schemes defined– They are applied only to the payload for backward compatibility

• Ten new packet types– Error correction not enabled

19

Reading list

• Tanenbaum 4.6

• Spec