Wireless Technologies

Ashok K. AgrawalaDecember 16, 2002

Today…

• Wireless Traffic Characterization/Sniffing

• AP Monitoring

• SIM-based Wireless Security

• Sensor Networks/Adhoc Networking

• RSSI based Location Determination

Wireless Traffic Characterization

Understanding Wireless Traffic Characteristics

• University UMDnet– >1000 Aps

• >300 Now

– Large User population

• Monitoring – Wired Net– AP– Over the Air (Sniffing)

Wireless Traffic Monitoring

• Easy to setup: no interaction with existing infrastructure

• Provide local and global status of network nodes at the same time

• Provide good traces of 802.11 link-level operations

Captured Information

• Physical layer (Prism2 monitor header)– RSSI (Received Signal Strength Indication, SQ (Signal

Quality), Signal strength and Noise (in dBm)

• 802.11 Link layer– Protocol version, frame type(management, control and data),

Duration for NAV(Network Allocation Vector) calculation, BSS Id, Source and Destination address, fragment, sequence numbers

• TCP/IP, application layer info also available

Access Point

DS (Distribution System)

WANWANE

thern

et LA

N

Access Point

Channel-1

Channel-6

802.11 Basic Architecture

Access Point

DS (Distribution System)

WANWANE

thern

et LA

N

Access Point

Channel-1

Channel-6

Ch. 1Sniffer

Ch. 6Sniffer

Sniffing Each Access Point

Wireless Monitoring –Hidden Terminal Problem, Losses

• Hidden Terminal Problem– Difficult for sniffers to detect all the wireless stations.

• Various losses are observed in sniffers– Frame loss– AP loss : Some APs are not correctly detected by some

cards.– Type loss : Control/Management types are not correctly

detected by some cards.

• Loss variability – Due to signal strength variability and card variability

Access Point

DS (Distribution System)

WANWANE

thern

et LA

N

Access Point

Ch. 6Sniffer

Hidden Terminals

Channel-6

Channel-6

Sniffing n APs with m sniffers

• Proper placement of sniffers can improve terminal detection ability and reduce various losses in sniffers.

• Where to place sniffers?– Too close to APs: incur signal saturations.– Too far from APs: cause hidden terminals.

• How many sniffers to place?

Challenges of Wireless Monitoring – Placement of Sniffers

Study to date

• Extensive passive observations on loss and loss variability– Observed hidden terminal problems– Observed frame loss, AP loss and Type loss– Observed loss varies from 0% to 100%

• Active end-to-end delay experiment– Causes of end-to-end delay in wireless network

Methodology

• Location: A.V. Williams Bldg, UMD.– 3 different WLANs (umd, cswireless, nist) – 58 Access Points: 29 Cisco (umd), 12 Lucent

(cswireless), 17 Prism2-based (nist)

• Sniffers– Linux OS 2.4.19– Wireless card driver: orinoco_cs– Capturing tool: libpcap 0.7, ethereal 0.9.6– Wireless cards used: Lucent Orinoco, Linksys, D-

Link etc.

Passive Observations: Hidden Terminals and Losses

• Hidden terminals: vary depending on cards used in sniffers and sniffer locations.

• Loss in sniffers – Frame losses are calculated from 802.11 sequence

numbers.– “From-AP” and “To-AP” losses are noted separately.

• Findings:– More To-AP losses are observed than From-AP. – Most of To-AP losses are caused by a small number of

wireless stations.– Linksys cards cannot detect some APs correctly.– Lucent cards cannot detect ACK/RTS/CTS frames.

Ch.1Ch.1

umd cswireless nist

Passive Sniffing on Ch. 11 with 6 Sniffers

(4th floor, A.V. Williams Bldg)

Ch.11 Ch.11

Ch.1

APs

Sniffers

L S Z

Lucent LinkSys ZoomAir

L3

S3 L2 Z2

L1 Z1

Hidden terminals are observed by 6 sniffers. Detected sets of wireless stations vary depending on sniffer locations and the cards used.

sniffer@locatoin Lucent@4449 ZoomAir@4449 Lucent@4122 ZoomAir@4122 Lucent@4149 Linksys@4149Client MAC address # distinct # distinct # distinct # distinct # distinct # distincted:76 5222109:d9 24777 14414 15862 3d2:b6 5849 1298:1f 173170:d8 2669b:71 200940 5d4:e0 39310ad:fd 173860 202 1641f:e7 37321 761 111 1715:e7 10150 1796 31 42e0:17 23539 51 1203025:19 6934 13d:b0 33543 1469:b8 8443 5d4:eb 8175 4815:a8 122448b:b9 2200 558:6b 2938c:c9 3331ab:db 266 136:a0 7490 941218:29 60090 6628173:fb 2640 33909a:63 1254 1927bd:c0 1569 16290c:a7 20141f:37 3042

Other rows are omittedTotal # distinct frames 82847 16423 314209 8667 78494 94946# detected clients 42 22 50 31 30 33

Loss of AP[2e:36] frames (from sequence #)From AP To AP

# distinct # retrans # miss %loss # distinct # retrans # miss %lossLinksys 2426901 102408 5214 0.21 30155 10109 2043 6.35Lucent 2402377 93297 11755 0.49 32277 9512 155854 82.84

TO AP Client DistributionLinksys Lucent

Client MAC Address # distinct # retrans # miss %loss # distinct # retrans # miss %loss06:f7 12 0 51 80.95 2959 187 150250 98.0769:b8 1 0 0 0.00 166 56 2462 93.68e1:03 20484 6674 1107 5.13 19281 5800 2430 11.1971:f4 6427 108 234 3.51 6379 3132 78 1.21(Other clients omitted)

Total 30155 10109 2043 6.35 32277 9512 155854 82.84Without 06:f7, 69:b8 30142 10109 1992 6.20 29152 9269 3142 9.73

Frame losses calculated by sequence numbers. To-AP frame loss is more than From-AP loss.

Majority of losses are caused by a small number of clients.

Hidden terminals are observed by 6 sniffers. Detected set of wireless stations varies depending on sniffer locations and the cards used.

Linksys (# AP's = 11) Lucent (# AP's = 18)AP BSS id # Frames Percentage # Frames PercentageAP1 (umd, Ch.11) 2583659 84.47% 2550568 41.26%AP2 (nist, Ch. 6) 454630 14.86% 6391 0.10%AP3 (nist, Ch. 11) 18579 0.61% 1172182 18.96%AP4 (unknown) 573 0.02% 568 0.01%AP5 (umd) 369 0.01% 167224 2.70%AP6 (umd) 46 0.00% 91 0.00%AP7 (umd, Ch. 11) 0 1320012 21.35%AP8 (nist, Ch. 11) 11 0.00% 895638 14.49%AP9 (umd) 1 0.00% 55555 0.90%(Other AP's omitted)

Total 3058516 100% 6182077 100.00%

Linksys and Lucent sniffers are set to Ch. 11. Linksys sniffer has AP losses on AP3 and AP7. Linksys detects AP2, whose channel is 6.

Linksys Lucent# Frames Percentage # Frames Percentage

Data 888082 25.94% 1318942 21.33%Beacon 2117923 61.86% 4712323 76.23%Acknowledgement 323674 9.45% 0RTS 34729 1.01% 0CTS 6734 0.20% 0Probe 52447 1.53% 150796 2.44%Power-Save 44 0.00% 0Reassociation 20 0.00% 16 0.00%

Total 3423653 100.00% 6182077 100.00%

Lucent shows Type loss on control frames (ACK, RTS, CTS and Power-Save).

Passive Observation: Loss Variability

• Findings:– Frame loss varies upto 100% during 4-day

passive experiments– “To-AP” shows more loss variability than

“From-AP”– Card/AP compatibility may affect AP loss

variability.

Figure 1. Loss percentage varies from 0% to 100% during 4-day experiment. To-AP loss shows more variability than From-AP loss.

AP From AP To AP(essid, Ch.) Card # distinct # loss %loss # distinct # loss %lossAP1 Linksys 4675 2 0.04 210 16 7.08

(umd, 6) Lucent 4656 17 0.36 223 4 1.76

AP2 Linksys 3109 96 3.00 0 0

(nist, 6) Lucent 3153 51 1.59 0 0

AP3 Linksys 4737 110 2.27 249 114 31.40

(umd, 6) Lucent 4701 144 2.97 381 79 17.17

AP4 Linksys 694 2414 77.67 0 0

(cswireless, 6) Lucent 2840 300 9.55 0 0

AP5 Linksys 3085 78 2.47 0 0(nist, 1) Lucent 1 0 0.00 0 0

AP6 Linksys 2640 509 16.16 0 0(nist, 6) Lucent 2938 209 6.64 0 0

Frame loss varies over the card and the associated AP: All the traffics are measured in the same experiment. Card variability affects frame loss.

Diagnosis on End-to-end Delay

• Active experiment set-up– Use NetDyn on wireless network– Source, echo and sink timestamps are available– Source and sink machines are the same– Sniffers are in between source(sink) and AP

• Objective: infer the causes of high RTT end-to-end delays, using the sniffer traces.

NetDyn

NetDyn Tool Fine-grained RTT measurements

Expose fine-grain characteristics of Networks

S ource

E cho

S ink

Logger

STSSSNETSESNSiTS

STSSSN

SSNETSESN

STS

UDP

UDP

S tructure o f N etD yn

T C P

H ost 1 H ost 2

S TS : S ource T im estam pE TS : E cho T im estam pS iT S : S ink T im estam p

S S N : S ource S equence N um berE S N : E cho S equence N um ber

NetDyn Packet Loss (Average)

Avg loss of both F/B paths < 3%

Avg loss of both F/B paths > 10%

0 12 24 36 48 60 72 84 961224364860728496

0°

22.5°

45°67.5°90°

112.5°135°

157.5°

180°

X

X

X

X

X

X

X

SS S

Problem case 2

Problem case 1

Ch.11

Effect of Weak Signal Strength

• Problem Case 1:RTT(Roundtrip Time) delay of 1 second and 57% packet loss.

• Weak signal strength causes retransmissions between source and the AP.

• Delays occur in the sending buffer in source.

High RTT delays up to 0.8 seconds and 57% packet loss.

Source, echo, sink timestamps (by NetDyn), From-AP, To-AP timestamps (by sniffers). Delays exist between source and echo every 0.5 second periodically. No high delays exist on wireless path.

Signal strength is consistently low, which incurs many retransmissions between source and the AP.

Effect of Signal Strength and Card Variability

• Problem Case 2: RTT delay of 2.2 seconds and 75% packet loss.

• Signal strength variability makes the AP shift the sending data rate (at 11/5.5/2 mbps adaptively).

• Source wireless card fails to receive traffic at lower data rates (due to card implementation variability).

• Delays occur on wireless “From-AP” path due to many retransmissions at lower data rates.

High RTT delays up to 2.3 seconds and 75% packet loss.

Source, echo, sink timestamps. Delays exist between echo and sink.

To-AP/From-AP traffics are captured by the sniffers. Delays may reside on wired echo-AP path or wireless AP-sink path.

RTS/CTS data rates captured by sniffers. AP tries to synchronize its data rate with source consistently.

AP varies data rates at 11, 5.5 and 2 Mbps (From-AP data rate, graph on top). Source but cannot synchronize with the AP, send/receive packets only at 11Mbps (To-AP data rate, graph at bottom).

High variability in signal strength is observed by sniffers, which causes AP to shift data rate adaptively.

Where are we?

• Sniffing in wireless environment is much more difficult than we thought

• Using multiple sniffers we can get a good estimate of wireless traffic

Access Point Monitor(APM)

Kevin Kamel

Jaime Lafleur-Vetter

Why APM?

• Currently Available AP Monitoring Tools– Provided By The Manufacturer

• Closed source• Unsupported

– Functionality• Limited feature set• Not extendable• Difficult to use

• More robust solution needed

Introducing APM

• AP Platform– Soekris NET4521 Board

• 486 133mhz AMD (x86)

• 64MB onboard RAM

• 64MB compact flash

• Prism2 PCMCIA card– In Host AP mode

– External Antenna

• RJ-45 Port for LAN/WAN connectivity

– Operating System• Customized OpenBSD 3.2

APM (Continued)

• AP Patch– Extends open source AP software– Sends event messages to kernel device– System daemon

• Reads and broadcasts events over the wire.• Listens for Admin requests• Sets daemon and AP configuration settings

• Monitor Client– .NET Windows GUI – Listens for broadcasted events from the AP– Displays event information graphically– Sends configuration information

Current Features

• Multiple simultaneous monitor applications that can see multiple APs.

• Station Monitoring– Current state (i.e. Auth, Assoc)– Event history

• AP Diagnostics– Interface counters– Logger

Feature Walkthrough:Initialized View

Feature Walkthrough: Initialized Statistics

Feature Walkthrough:Clients Are Logged In

Feature Walkthrough:Client Disassociates

Feature Walkthrough:Client times out

Feature Walkthrough:AP Interface Statistics

Features Under Development

• Administrative Control– Settings: TX Rate, SSID, MTU, Channel, MAC– Control: Shutdown, Restart– Access: Wireless client ACL support

• On Board Packet Monitoring– Obsoletes traditional wireless packet capture– Traffic log

• User Friendly Addressing– Alias MAC addresses

SIM-based Wireless Security

KoolSpan Approach

The Real Problem…

1. We need to screen users at the Access Point

2. We need to make sure nobody other than legitimate users get onto the wired network

3. We need to guarantee data sent across the WIRELESS segment is safe

Enterprise Network

The point is: the problem exists ONLY between the AP and the clientThe point is: the problem exists ONLY between the AP and the client

Koolspan SolutionA simple, cost-effective solution

Recognize Recognize thisthis is the problem is the problem

• Solution:– Provide a lock at the Access Point– Provide a network access KEY for the

client• Result:

– Nobody gets past Access Point without a valid key

How do we do this?Simply and cost-effectively

• “Padlock”– USB, Serial or Ethernet-based adapter that

secures the Access Point (can only be unlocked with a valid client network key

• “Key Ring”– USB adapter that can hold keys to

numerous networks

Koolspan IQ Key

SIM Chip• Tamper Resistant Physical Token• Secure Token• On-Chip “Crypto Engine”

2,048 bit keys possible Cryptoflex processor uses DES, Triple-DES and

RSA algorithms Can rotate WEP keys fast enough to make WEP

secure AS IS!

• Provides complete authentication security secure storage automatic connections

Physical Identification Adapter

SmartWiFiID Token

USB-adapter

SmartWiFi™• Plug It In – You’re Connected

– Solves security problem

– Solves authentication problem

– Automatic Network Connection

• Advantages– No new servers, no new headaches

– No scalability issues

– Works equally well at home and in the enterprise

• Best of all: Makes Wi-Fi easy to use!

How does it work?

Client NICClient NIC

Wi-FiWi-Fi

SIMSIM

KoolspanKoolspanAccess PointAccess Point

Wi-FiWi-Fi SIMSIM1.1. Client SIM generates random Client SIM generates random

number R1 and encrypts it with its number R1 and encrypts it with its secret Key (NK_UIDs)secret Key (NK_UIDs)

2.2. Client SIM sends client serial Client SIM sends client serial number and encrypted R1 to AP number and encrypted R1 to AP (Packet #1)(Packet #1)

3.3. AP SIM uses Client SIM Serial AP SIM uses Client SIM Serial Number to look up Client SIMs Number to look up Client SIMs secret key.secret key.

4.4. AP SIM decrypts R1 with using AP SIM decrypts R1 with using client’s secret keyclient’s secret key

5.5. AP now generates R2 and encrypts AP now generates R2 and encrypts it with Client’s secret keyit with Client’s secret key

6.6. AP sends Packet #2 back to Client.AP sends Packet #2 back to Client.7.7. Client SIM decrypts R2 from AP Client SIM decrypts R2 from AP

with its secret keywith its secret key8.8. Both AP and Client now use R1 + Both AP and Client now use R1 +

R2 to generate new 256-bit Session R2 to generate new 256-bit Session Key used for all further AES Key used for all further AES transmissions. transmissions.

(2) R1e(2) R1e

(6) R2e(6) R2e

Secret “Network Key” pre-stored in SIMSecret “Network Key” pre-stored in SIMAt Access Point and users PCsAt Access Point and users PCs

Bi-directional AuthenticationBi-directional Authentication

Benefits• Very simple solutionVery simple solution• No Wi-Fi settings necessaryNo Wi-Fi settings necessary• Only two packets are exchanged resulting in bi-directional Only two packets are exchanged resulting in bi-directional

authenticationauthentication• No online server involvedNo online server involved• Very fast authentication (only 2 packets exchanged, no remote Very fast authentication (only 2 packets exchanged, no remote

server)server)• No issues of scaleNo issues of scale• Authentication takes place at edge of the network.Authentication takes place at edge of the network.• Secret Keys pre-stored in SIMs at both ends NEVER leave SIM- Secret Keys pre-stored in SIMs at both ends NEVER leave SIM-

therefore never exposed.therefore never exposed.• Software impact on AP is minimal, easy retrofitSoftware impact on AP is minimal, easy retrofit• SIM token carries SIM token carries useruser credentials in convenient portable device credentials in convenient portable device

Secret “Network Key” pre-stored in SIMSecret “Network Key” pre-stored in SIMAt Access Point and users PCsAt Access Point and users PCs

™™

Koolspan 802.11 Technology

• makes Wi-Fi easy

• solves Wi-Fi security problems

• market flexibility

• provides ‘frictionless’ portability

Adhoc Networking Energy-Efficient Sensor Networks

• Energy is a constrained resource for wireless environments

• Objective: Compute a low energy end-to-end path for reliable communication in multi-hop wireless networks

• Technique: Avoid links with high error rates or large distance

• Studied effects of node mobility and wireless noise

Representative Results

• Grid topology of 49 nodes

• 4 traffic sources• Between corner

nodes

• UDP and TCP sources

Representative Results: Grid Topology

Energy Throughput

• UDP flows, fixed noise• Proposed scheme performs better than existing

techniques

Results Summary

• Significant improvement in energy costs and throughput if link characteristics are modeled in computing paths

• Link properties affected by mobility– Better models needed for link dynamics under

mobility

• Based on Signal Intensity – The intensity of the signal from access points is used

to determine location. – Our current results give location to within about 5-8

feet.

• Based on Arrival Time– PinPoint Technology requires the time-stamping of

the arriving signals with accuracy of 1 ns (in order to achieve an accuracy of 30cms in location).

– Current commercial hardware does not support this function or accuracy. We are currently developing hardware which will achieve this.

Localization Technologies

Signal Strength-based Localization

Localization based on signal strength is a hard problemdue to spatial and temporal variability of the signal

Horus

• At a location X measure distribution of S(X)– Sampling Interval

– Correlation function• Can we eliminate correlation?

– Density function

• Radio Map– How many location?

• Interpolation Function

Signal Strength Chracteristics

0

50

100

150

200

250

300

-95 -85 -75 -65 -55

Average Signal Strength (dbm)

Num

ber o

f Sam

ples

Co

llect

ed

0

0.05

0.1

0.15

0.2

0.25

0.3

Signal Strength (dbm)Pr

obab

ility

Horus: Radio Map and Estimation

• To address noise characteristics– Radio map stores signal-strength distributions from K

strongest access points

(instead of scalar mean/maximum)

• To address scalability and cost of estimation– Clustering techniques for radio map locations

• incremental clustering

• joint clustering

• Outperforms other RF signal strength techniques– significantly better accuracy

– efficient enough to be implemented on PDAs

Temporal Variations:Correlation

Spatial Variations: Large-Scale

-65

-60

-55

-50

-45

-40

-35

-30

0 5 10 15 20 25 30 35 40 45 50 55

Distance (feet)

Sig

nal

Str

eng

th(d

bm

)

Spatial Variations: Small-Scale

Sampling Process

• Active scanning• Send a probe request

• Receive a probe response

• Sample: ,...),( 21 sss

Handling Correlation: Averaging

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

a

Var(

Y)

0 1 2 3 4 5 6 7 8 9 10

Gaussian Approximation

• Approximate signal strength histograms using Gaussian distribution– Saves space– Smoothes histograms– Analytically tractable– Comparable accuracy

Gaussian Approximation

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

Distance

CD

F

H G2 G3 G4

AVW Results

FLA-Mind: Ekahau vs Horus

FLA-Mind: Ekahau vs Horus (cont)

Ekahau Horus

Questions??