www.airtightnetworks.net Capacity, QoS, and Security Related Advances in IEEE 802.11 Kaustubh S. Phanse K. N. Gopinath AirTight Networks, Inc. National Conference on Communications (NCC 2008) Indian Institute of Technology, Bombay February 1, 2008


www.airtightnetworks.net

Capacity, QoS, and Security Related Advances in IEEE 802.11

Kaustubh S. Phanse K. N. Gopinath

AirTight Networks, Inc.

National Conference on Communications (NCC 2008) Indian Institute of Technology, Bombay

February 1, 2008


Outline

Introduction: 802.11 overview: history and basic concepts

802.11n: MIMO concepts, channelization, frame aggregation, frame formats, performance

802.11e: Coordination functions for QoS support, service classes

802.11i, 802.11w: Authentication and encryption; protection of management and broadcast frames

What this tutorial will NOT cover…
• Communication and information theory: modulation and demodulation techniques, estimation, …
• Details of certain optional features in 802.11 standards


IEEE 802.11

Working group established in 1990

First standard in 1997 (already 10 years ago!)
• Frequency: 2.4 GHz band
• Physical layer: DSSS, FH, IR
• MAC layer: CSMA/CA
• Data rate: 2 Mbps


802.11 protocol suite


802.11 MAC and PHY enhancements

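[Figure: protocol stack showing the physical layer (PMD, PLCP) and the data link layer (MAC), annotated with the amendments 802.11n, 802.11e, 802.11i and 802.11w and the labels Security, QoS, and Capacity & Coverage.]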


Two-slide primer on 802.11 MAC (1/2)

Distributed coordination function (DCF) using carrier sense multiple access (CSMA/CA)


Two-slide primer on 802.11 MAC (2/2)


Example of DCF CSMA/CA (1)


Example of DCF CSMA/CA (2)


Example of DCF CSMA/CA (3)


Example of DCF CSMA/CA (4)


Example of DCF CSMA/CA (5)


Example of DCF CSMA/CA (6)


Example of DCF CSMA/CA (7)


Motivation for multicarrier modulation

Large delay spread (due to multipath reception) can cause significant inter-symbol interference (ISI)
• Burst errors
• Limits maximum achievable data rate

[Figure: received symbols overlapping because of the delay spread τ.]


Multicarrier modulation

Divide a high-rate sequence of symbols into several low-rate sequences
• Symbol duration ($T_N$) becomes large

Transmit low-rate symbols simultaneously over multiple sub-channels or subcarriers
• Total bandwidth B is divided into subchannels each with bandwidth B/N


Orthogonal frequency division multiplexing (OFDM)

Tighter packing of subcarriers than traditional FDM

Subcarriers are orthogonal to enable demodulation
• Spacing $\Delta f$ is at least $1/T_N$


OFDM in 802.11

Each 20 MHz channel divided into 52 subcarriers
• Bandwidth of 16.6 MHz actually used for transmission
• Subcarriers spaced 312.5 kHz
• 48 subcarriers for data transmission
• 4 pilot subcarriers for monitoring


802.11n PHY Enhancements


What is MIMO?

SISO: Single Input (transmit) Single Output (receive)

MIMO: Multiple Input Multiple Output
• Spatial diversity (transmitter and receiver)
• Spatial multiplexing

[Figure: a SISO link (one Tx antenna, one Rx antenna) and a MIMO link, an M x N system (N > 1, M > 1).]


Spatial diversity

Use multiple independently fading signal paths to reduce the error probability
• Low probability of independent fading signal paths to simultaneously experience deep fades
• Need multiple antennas spaced sufficiently apart (~ λ/2)

Maximum diversity gain (D) for M x N system = MN


Receiver diversity

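Let noise at each antenna = $N_0$

Combined output SNR: $\eta_\Sigma = \dfrac{\left(\sum_{k=1}^{M} a_k r_k\right)^2}{N_0 \sum_{k=1}^{M} a_k^2}$

[Figure: linear combiner. Branch k carries the received signal $r_k e^{j\theta_k} s(t)$ and is multiplied by the weight $a_k e^{-j\theta_k}$; the M weighted branches are summed (Σ) to give the combiner output, with SNR = $\eta_\Sigma$.]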


Receiver diversity: Selection combining

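Choose the branch with the highest SNR

$\eta_\Sigma = \eta_k = \dfrac{r_k^2}{N_k}$

Often implemented as a single receiver that switches to the chosen antenna branch

But it is still a single transmit-receive chain (SISO)

[Figure: bit stream into DSP and one radio at the Tx; at the Rx, one radio and DSP, switched to the chosen antenna, deliver the bit stream.]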


Receiver diversity: Maximum Ratio Combining (MRC)

Give higher weights to branches with high SNR and lower weights to branches with low SNR

[Figure: bit stream into DSP and radios at the Tx; at the Rx, several radios feed one DSP that delivers the bit stream.]


Receiver diversity: MRC

Optimal weight $a_k = \dfrac{r_k}{N_0}$

$r_k$ corresponds to the energy per symbol: $r_k = \sqrt{E_s}$

Then, SNR $= \dfrac{E_s}{N_0}$

Combined received SNR $\eta_\Sigma = \dfrac{M E_s}{N_0}$

Array gain: M-fold increase in SNR versus a SISO system

Maximum array gain (A) for M x N system = MN


Transmitter diversity: Channel-aware

Transmitter has knowledge of channel state information (CSI)
• Feedback from receiver
• Assume channel is reciprocal

Similar to receiver diversity with coherent combining, e.g., MRC
• Assign weights to antenna branches depending on channel conditions


Transmitter diversity: Channel-unaware

Space-time block codes (STBC): Alamouti scheme
• Assume channel gain is constant over two symbol periods
• Transmit symbols $s_1$ and $s_2$ during first symbol period
• Transmit $-s_2^*$ and $s_1^*$ during next symbol period

Let each antenna have a channel gain $h_k = r_k e^{j\theta_k}$

Received signal is $r(t) = 0.5\,(h_1 + h_2)\,s(t)$

Symbol received during first symbol period: $y_1 = h_1 s_1 + h_2 s_2$

Symbol received during second symbol period: $y_2 = -h_1 s_2^* + h_2 s_1^*$

[Figure: Tx with DSP and two radios; Rx with one radio and DSP.]


Transmitter diversity: Alamouti scheme

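Let the sequence of received symbols be represented as a vector

$\mathbf{y} = [y_1 \;\; y_2^*]^T$

$\mathbf{y} = \begin{bmatrix} h_1 & h_2 \\ h_2^* & -h_1^* \end{bmatrix} \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} = \mathbf{H}\mathbf{s}$

Let $\mathbf{z} = \mathbf{H}^H \mathbf{y} = \mathbf{H}^H \mathbf{H} \mathbf{s} = (|h_1|^2 + |h_2|^2)\,\mathbf{I}_2\,\mathbf{s}$

Then

$z_1 = h_1^* y_1 + h_2 y_2^* = (|h_1|^2 + |h_2|^2)\,s_1$

$z_2 = h_2^* y_1 - h_1 y_2^* = (|h_1|^2 + |h_2|^2)\,s_2$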


Transmitter diversity: Alamouti scheme

Received SNR $\eta_k$ for $z_k$: $\eta_k = \dfrac{(|h_1|^2 + |h_2|^2)\,E_s}{2 N_0}$

Total SNR $\eta_\Sigma = \dfrac{(|h_1|^2 + |h_2|^2)\,E_s}{N_0}$

Array gain = 1

Diversity gain = 2
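The Alamouti encoding, channel and combining steps from the two slides above, carried through numerically as an added example (not part of the original slides). The function names, the QPSK slicer and the sample channel gains are assumptions made for illustration.

```python
import cmath


def alamouti_encode(s1, s2):
    """Return what antennas 1 and 2 send in symbol periods 1 and 2."""
    return [(s1, s2), (-s2.conjugate(), s1.conjugate())]


def through_channel(tx, h1, h2, noise=(0j, 0j)):
    """Single receive antenna; channel gains constant over both periods."""
    y1 = h1 * tx[0][0] + h2 * tx[0][1] + noise[0]   # y1 = h1*s1 + h2*s2
    y2 = h1 * tx[1][0] + h2 * tx[1][1] + noise[1]   # y2 = -h1*s2^* + h2*s1^*
    return y1, y2


def alamouti_combine(y1, y2, h1, h2):
    """z = H^H y with y = [y1, y2^*]^T."""
    y2c = y2.conjugate()
    z1 = h1.conjugate() * y1 + h2 * y2c
    z2 = h2.conjugate() * y1 - h1 * y2c
    return z1, z2


def qpsk_slice(z):
    """Hard decision onto the constructed constellation {+-1 +-1j}."""
    return complex(1 if z.real >= 0 else -1, 1 if z.imag >= 0 else -1)


def alamouti_detect(y1, y2, h1, h2):
    z1, z2 = alamouti_combine(y1, y2, h1, h2)
    return qpsk_slice(z1), qpsk_slice(z2)


def alamouti_snr(h1, h2, es, n0):
    """Per-symbol SNR from the slide: (|h1|^2 + |h2|^2) * Es / (2 * N0)."""
    return (abs(h1) ** 2 + abs(h2) ** 2) * es / (2 * n0)


if __name__ == "__main__":
    # Constructed channel: antenna 2 is in a deep fade, antenna 1 is not.
    h1, h2 = cmath.rect(0.9, 0.4), cmath.rect(0.05, -1.1)
    s1, s2 = complex(1, 1), complex(-1, 1)
    y1, y2 = through_channel(alamouti_encode(s1, s2), h1, h2)
    print(alamouti_combine(y1, y2, h1, h2), alamouti_detect(y1, y2, h1, h2))
```

Both symbols are recovered even though one transmit path is almost completely faded, which is the diversity gain of 2; with unit-magnitude gains the SNR equals Es/N0, the array gain of 1.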


Practical significance: array gain and diversity gain

Maximum: array gain A = MN, diversity gain D = MN

For a Rayleigh channel: error probability $P_e \propto \dfrac{1}{\mathrm{SNR}}$

For M x N system, $P_e \propto \dfrac{1}{(A \times \mathrm{SNR})^{D}}$, where A is the array gain and D is the diversity gain


Practical significance: array gain and diversity gain

[Figure: error probability (Pe) versus SNR.]

Diversity gain determines the slope of the curve

Array gain shifts the curve


Spatial multiplexing

Multiplexing
• Time (TDM), frequency (FDM), code (CDM)
• SDM: using space as another dimension to multiplex data

Degrees of freedom
• Rich scattering environment

Transmit unique data streams over separate RF chains


Spatial multiplexing

Maximum multiplexing gain = min (M,N)

Use training symbols to estimate channel matrix H

Linear systems theory analogy: min (M,N) variables with min (M,N) equations

[Figure: at the Tx, the bit stream b1b2b3b4b5b6 is split into two streams (b1 b3 b5 and b2 b4 b6), each sent through the DSP over its own radio; at the Rx, two radios and the DSP recover the two streams, which are merged back into b1b2b3b4b5b6.]


Spatial multiplexing gain vs. diversity gain trade-off

[Figure: diversity gain (vertical axis) versus spatial multiplexing gain (horizontal axis), with the points (0, MN), (1, (M-1)(N-1)), (2, (M-2)(N-2)), (k, (M-k)(N-k)) and (min(M, N), 0).]


802.11n channels

40 MHz operation (channel bonding)
• Primary channel plus secondary (upper/lower) channel
• Primary for management frames, both channels for data frames

Higher bandwidth, higher data rates! …but higher interference
• Only one non-overlapping channel in 2.4 GHz
• Implications for legacy WLANs


802.11n Modes of Operation

PLCP Enhancements


802.11n: Modes of Operation

3 Modes: Non-HT, Mixed, Greenfield (distinguished by their PLCP headers)

Mixed
• Full support for legacy clients
• Broadcast control frames always in 20 MHz
• Perf degradation for .11n stations

Greenfield
• No backward compatibility
• Short & more efficient PLCP format
• No performance degradation for .11n devices

[Figure: PLCP frame formats, with these annotations:]
• For use of legacy devices also
• Detection of PPDU, timing & coarse freq acquisition
• Signalling (see next slide)
• MIMO estimation: D-LTF, 1 per stream, providing channel estimation for data portion of the frame
• Staggered preambles (e.g., sounding packets): additional optional estimation info for channels


L-SIG (MM) & HT-SIG (MM & GF)

[Figure: L-SIG of Mixed Mode, with these annotations:]
• Always 6 Mbps
• Encoded value indicating duration of rest of the packet
• Refer to next slides


HT-SIG (field name: explanation and coding)

• Modulation and Coding Scheme: Index into the MCS table.
• CBW 20/40: Set to 0 for 20 MHz or 40 MHz upper/lower. Set to 1 for 40 MHz.
• Length: The number of octets of data in the PSDU, in the range 0-65535.
• Smoothing: Set to 1 indicates that channel estimate smoothing is allowed. Set to 0 indicates that only per-carrier independent (unsmoothed) channel estimate is recommended.
• Not Sounding: Set to 0 indicates that the PPDU is a sounding PPDU. Set to 1 indicates that the PPDU is not a sounding PPDU.
• Reserved: Set to 1.
• Aggregation: Set to 1 to indicate that the PPDU in the data portion of the packet contains an A-MPDU; otherwise, set to 0.
• STBC: Set to a non-zero number to indicate the difference between the number of space-time streams (NSTS) and the number of spatial streams (NSS) indicated by the MCS. Set to 00 to indicate no STBC (NSTS = NSS).


HT-SIG, continued (field name: explanation and coding)

• LDPC coding: Set to 1 for LDPC. Set to 0 for BCC.
• Short GI: Set to 1 to indicate that the short GI is used after the HT training. Set to 0 otherwise.
• Number of extension spatial streams: Indicates the number of extension spatial streams (NESS). Set to 0 for no extension spatial stream. Set to 1 for 1 extension spatial stream. Set to 2 for 2 extension spatial streams. Set to 3 for 3 extension spatial streams.
• CRC: CRC of bits 0-23 in HT-SIG1 and bits 0-9 in HT-SIG2.


Modulation & Coding Scheme (MCS)

MCS is a compact representation (index) indicating
• Modulation (BPSK, QPSK, QAM, …)
• Coding (1/2, ¾, …)
• Number of Spatial Streams (1, 2, 3, 4)

MCS index can be from 0 to 127
• Mandatory MCS
  – MCS 0 to 15 at 20 MHz (at AP)
  – MCS 0 to 7 at 20 MHz (at client STA)
• Rest all optional
  – MCS 16 to 76 are optional
  – All MCS at 40 MHz
• MCS 77 to 127 are reserved for future use


Rate Dependent Parameters (20 MHz and Mandatory MCS)

NSS = 1

NSS = 2


Rate Dependent Parameters (40 MHz & Mandatory MCS)

NSS = 1

NSS = 2


Other Optional MCSs

MCSs with SS=3
• MCS 16 – 23
• Max rate (MCS 23)
  – 216.7 Mbps (20 MHz)
  – 450 Mbps (40 MHz)

MCSs with SS=4
• MCS 24 – 31
• Max rate (MCS 23)
  – 288.9 Mbps (20 MHz)
  – 600 Mbps (40 MHz)

Other MCSs
• HT Duplicate
  – MCS 32
  – Useful under very high noise
  – Lowest rate of 40 MHz (BPSK)
  – 6.7 Mbps max rate
• MCSs with unequal modulation
  – Use with Tx beamforming, STBC
  – MCS 33 – 38 (4 SS): max rate 495 Mbps
  – MCS 39 – 52 (4 SS): max rate 495 Mbps
  – MCS 53 – 76 (4 SS): max rate 495 Mbps


MAC Enhancements


Frame Aggregation


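Motivation

Amortize PLCP, MAC overheads by sending bigger packets

Can be implemented in several ways (as discussed next)

[Figure: transmission timelines built from the blocks DCF, PLCP, MPDU, SIFS, PLCP, ACK. One timeline sends MPDU1 and MPDU2 as two separate exchanges; the other sends a single MPDU in one exchange.]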


Physical Level Aggregation (A-MPDU)

Consists of several MPDUs addressed to the same receiver
• Identified by the HT-SIG PLCP field ‘Aggregation’ of a received packet

Each MPDU is embedded in a subframe
• A subframe consists of a delimiter followed by an MPDU (and padding in some cases)
• Except the last subframe, subframes are padded so that their length is a multiple of 4 octets

Delimiter
• Delimiters (ASCII N) useful for recovery during errors
• CRC protects reserved and length fields
• When an invalid delimiter is obtained, the de-aggregation process skips forward 4 bytes and restarts its search for a new MPDU


Physical Level Aggregation (A-MPDU)

Parameters negotiated using the “A-MPDU parameters set” of the HT capabilities IE field in a mgmt frame
• Max length (64k is the limit)
• Min MPDU start spacing
  – 0 indicates no restriction
  – Else, ranges from 1/4 to 16 usecs
  – Realized by using delimiters with MPDU length 0
• Can be limited by a station using its Assoc packet

Example frames that an A-MPDU can contain
• QoS data frames
• Block ack
• Block ACK req frames
• Action management frames of subtype “Action No ACK” (e.g., carrying MIMO info)

[Figure: A-MPDU parameters field. Max Rx Factor (x): 0 to 3 [2^(13+x)]; Min spacing: 0.25 to 16 usecs.]
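The de-aggregation rules from the two A-MPDU slides above (delimiter signature and CRC check, skip forward 4 bytes on an invalid delimiter, zero-length delimiters used for spacing), as an added example that is not part of the original slides. The delimiter layout used here (4 reserved bits, 12-bit length, CRC-8, signature 0x4E) and the byte-wise CRC-8 ordering are assumptions chosen to be self-consistent with the sample builder, not a bit-exact on-air implementation; all function names are hypothetical.

```python
import struct

SIGNATURE = 0x4E          # ASCII 'N', the delimiter signature
MAX_MPDU_LEN = 0x0FFF     # the length field is assumed to be 12 bits wide


def crc8(data):
    """CRC-8, polynomial x^8+x^2+x+1, init 0xFF, inverted output (assumed bit order)."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def make_delimiter(mpdu_len):
    if not 0 <= mpdu_len <= MAX_MPDU_LEN:
        raise ValueError("MPDU length does not fit the delimiter")
    hdr = struct.pack("<H", mpdu_len << 4)     # low 4 bits reserved, then length
    return hdr + bytes([crc8(hdr), SIGNATURE])


def build_ampdu(mpdus, spacing_delims=0):
    """Build a constructed A-MPDU; every subframe but the last is padded to 4 octets."""
    out = bytearray()
    for i, mpdu in enumerate(mpdus):
        out += make_delimiter(len(mpdu)) + mpdu
        if i != len(mpdus) - 1:
            out += b"\x00" * (-len(mpdu) % 4)
            out += make_delimiter(0) * spacing_delims   # length-0 delimiters as spacing
    return bytes(out)


def deaggregate(buf):
    """Return (mpdus, skipped_words, truncated) without reading past the buffer."""
    mpdus, skipped, pos = [], 0, 0
    while pos + 4 <= len(buf):
        hdr, crc, sig = buf[pos:pos + 2], buf[pos + 2], buf[pos + 3]
        if sig != SIGNATURE or crc != crc8(hdr):
            skipped += 1          # invalid delimiter: skip forward 4 bytes and retry
            pos += 4
            continue
        length = struct.unpack("<H", hdr)[0] >> 4
        pos += 4
        if length == 0:           # spacing delimiter, carries no MPDU
            continue
        if pos + length > len(buf):
            return mpdus, skipped, True   # length claims more data than was received
        mpdus.append(buf[pos:pos + length])
        pos += length + (-length % 4)
    return mpdus, skipped, False


if __name__ == "__main__":
    frames = [b"\x11" * 10, b"\xaa" * 7, b"\x33" * 20]      # constructed MPDUs
    ampdu = bytearray(build_ampdu(frames, spacing_delims=2))
    ampdu[26] ^= 0xFF                                       # corrupt 2nd delimiter's CRC
    print(deaggregate(bytes(ampdu)))
```

With the second delimiter corrupted, the parser loses only that MPDU and resynchronises on the next valid delimiter; a delimiter whose length exceeds the received data is reported as truncated instead of being read.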


A-MSDU

• A-MSDU consists of multiple subframes
• All MSDUs are intended to be received by the same receiver
• An A-MSDU of length greater than 4095 – QoS data overheads = 4065 bytes cannot be Tx in an A-MPDU (as A-MPDU cannot carry fragments)


A-MSDU

MAC level aggregation
• Consists of MSDUs belonging to the same TID (QoS class)

Support is mandatory at the receiver when it is carried in a single (i.e., non A-MPDU) QoS Data MPDU under Normal Ack policy
• Block Ack agreement determines whether an A-MSDU can be carried in QoS data frames part of the BA session

A-MSDU lifetime indicates MAX lifetime of its constituent MSDUs
• An A-MSDU can be Tx until its A-MSDU lifetime expires or it is received at the receiver
• Implicitly means certain MSDUs can be Tx even after their individual lifetimes

A STA shall not transmit an A-MSDU to a station that exceeds its Max A-MSDU length capability


Block ACK (BA)


Block Ack Packet Exchange

ADDBA Request used to initiate BA session

ADDBA Response confirms/rejects the sessions

Frames of a session need NOT be sent consecutively
• They can be mixed with other frames of a station
• They can be interleaved with packets from other stations
• They can be sent in multiple .11e TXOPs

BlockAckReq used to solicit a BlockACK response frame

DELBA used to terminate a BA session


Block ACK Sessions (ADDBA)

Dialog token is a kind of ID for matching req/response

Parameter set (defined in next slide)

Status code indicates whether the receiver accepts the request or not
• If not, sender is not supposed to use Block ACK

Timeout indicates the duration (seconds) for which a session is active


Block Ack Parameter Set Field used in ADDBA Action Management Frames

Block Ack Parameter set field
• A-MSDU may or may not be allowed as a part of this BA session
• Block Ack policy is 1 for immediate ACK, 0 for delayed
  – Delayed is sent at a slightly later time after receiving a Block Ack Req
• TID indicates the .11e Traffic Identifier field (i.e., an ID used to group all frames that need similar QoS treatment)
• Buffer size indicates buffers
  – Recipient controls the buffers that can be supported

[Figure: Block Ack Parameter Set field, with subfields marked as 802.11n or 802.11e.]


Immediate BlockAck

Delayed BlockAck


Block ACK Sessions (DELBA)

DELBA used to tear down sessions explicitly

Initiator indicates whether the sender or receiver of QoS data has initiated DELBA

DELBA Parameter set


BlockAckReq (BAR)

[Figure: BlockAckReq frame format, with fields marked as 802.11n or 802.11e.]


Fields of BlockAckReq Frame

BAR Control
• BA Policy (HT-delayed only)
  – Normal ACK
  – No ACK
• Multi-TID
  – Does BAR consist of req for different QoS streams?
• Compressed
  – Support for fragments in BA?
• TID_INFO
  – Info about each TID

Interesting note on BA policy
• .11e defines delayed & immediate BA policy
• In addition, .11n defines HT immediate & HT delayed policies
  – Negotiated between HT stations as a part of HT capabilities
  – Extensions for using BA with 802.11n features such as frame aggregation (A-MPDU)


BlockAckReq Encoding

Basic BAR, Compressed BAR
• TID info contains TID for which the req has been made

MT BAR
• TID_info contains number of TIDs
• BAR info contains seq number for that many TIDs

[Figure: BAR Info field and Per TID Info formats.]


BlockAck frame

BlockAck carries ACKs as bitmaps

Exact format depends on the encoding (see next slide)


BA Information for each BA encoding

Basic BA
• 128 byte bitmap

Compressed BA
• Mandatory
• 8 bit bitmap
• No support for fragments

MTBA
• (repeated for each TID)


HT Protection Mechanisms


Protection Requirements

Protection may be required if
• Non-HT stations are present, or
• Non-greenfield stations are present

Types of protection that an HT station provides
• RTS/CTS using a legacy rate
• CTS to self using a legacy rate
• Transmit 1st frame in a backward compatible mode
  – 1st frame Tx using a Non-HT preamble and then switch to HT mode
  – 1st frame Tx using a MM preamble and then switch to greenfield operation
• Setting of L-SIG values in preamble to protect the current transmission
  – L-SIG TxOP (see next slide)


L-SIG TxOP Protection

Communication between 2 HT STAs that support this feature (as discussed in HT capabilities IE shortly)

Protecting multiple PSDUs (e.g., DATA+ACK, RTS/CTS) using a larger duration as derived from L-SIG
• L-SIG Duration will be derived from the MAC header’s duration value
• Non-HT STAs ‘think’ this as a transmission involving single large frame!

Applicable to HT-Mixed mode Tx only


HT Parameter Negotiation

Information Elements


Advertising HT Capabilities using MAC Frames

HT Capability Information Element (E.g., Beacon, Probe Response)

Refer to next slides


HT Capabilities Info (subfield: definition; encoding)

• LDPC coding capability: Indicates support for receiving LDPC coded packets. Set to 0 if not supported. Set to 1 if supported.
• Supported channel width set: Indicates which channel widths the STA supports. Set to 0 if only 20 MHz operation is supported. Set to 1 if both 20 MHz and 40 MHz operation is supported.
• SM Power Save: Indicates the Spatial Multiplexing (SM) Power Save mode. Set to 0 for Static SM Power Save mode. Set to 1 for Dynamic SM Power Save mode. Set to 3 for SM enabled. The value 2 is reserved.
• Greenfield: Indicates support for the reception of PPDUs with HT Greenfield format. Set to 0 if not supported. Set to 1 if supported.
• Short GI for 20 MHz: Indicates Short GI support for the reception of 20 MHz packets. Set to 0 if not supported. Set to 1 if supported.
• Short GI for 40 MHz: Indicates Short GI support for the reception of 40 MHz packets. Set to 0 if not supported. Set to 1 if supported.
• Tx STBC: Indicates support for the transmission of PPDUs using STBC. Set to 0 if not supported. Set to 1 if supported.


HT Capabilities Info, continued (subfield: definition; encoding)

• Rx STBC: Indicates support for the reception of PPDUs using STBC. Set to 0 for no support. Set to 1 for support of one spatial stream. Set to 2 for support of one and two spatial streams. Set to 3 for support of one, two and three spatial streams.
• HT-delayed BlockAck: Indicates support for HT-delayed BlockAck operation. Set to 0 if not supported. Set to 1 if supported. Support indicates that the STA is able to accept an ADDBA request for HT-delayed Block Ack.
• Maximum A-MSDU length: Indicates maximum A-MSDU length. See 9.7b (A-MSDU operation). Set to 0 for 3839 octets. Set to 1 for 7935 octets.
• DSSS/CCK Mode in 40 MHz: Indicates use of DSSS/CCK mode in a 40 MHz capable BSS operating in 20/40 MHz mode. In Beacon, Measurement Pilot and Probe Response frames: set to 0 if the BSS does not allow use of DSSS/CCK in 40 MHz; set to 1 if the BSS does allow use of DSSS/CCK in 40 MHz. Otherwise: set to 0 if the STA does not use DSSS/CCK in 40 MHz; set to 1 if the STA uses DSSS/CCK in 40 MHz.


HT Capabilities Info, continued (subfield: definition; encoding)

• PSMP support: Indicates support for PSMP operation. See
  In Beacon, Measurement Pilot and Probe Response frames transmitted by an AP: set to 0 if the AP does not support PSMP operation; set to 1 if the AP supports PSMP operation. In Beacon frames transmitted by a non-AP STA: set to 0.
• Forty MHz Intolerant: When sent by an AP, indicates whether other BSSs receiving this information are required to prohibit 40 MHz transmissions. When sent by a STA, indicates whether the AP associated with this STA is required to prohibit 40 MHz transmissions by all members of the BSS.
  – Set to 0 by an AP if the AP allows use of 40 MHz transmissions in neighboring BSSs.
  – Set to 1 by an AP if the AP does not allow use of 40 MHz transmissions in neighboring BSSs.
  – Set to 0 by a STA to indicate to its associated AP that the AP is not required to restrict the use of 40 MHz transmissions within its BSS.
  – Set to 1 by a STA to indicate to its associated AP that the AP is required to restrict the use of 40 MHz transmissions within its BSS.
• L-SIG TXOP protection support: Indicates support for the L-SIG TXOP protection mechanism. Set to 0 if not supported. Set to 1 if supported.

Example Packet Trace Snippet of a Dlink AP

HT Capability Info: %0001000001001110
    0....... ........ L-SIG TXOP Protection Support: Not Supported
    .0...... ........ AP allows use of 40MHz Transmissions In Neighboring BSSs
    ..0..... ........ Device/BSS does Not Support use of PSMP
    ...1.... ........ BSS does Allow use of DSSS/CCK Rates @40MHz
    ....0... ........ Maximal A-MSDU size: 3839 bytes
    .....0.. ........ Does Not Support HT-Delayed BlockAck Operation
    ......00 ........ No Rx STBC Support
    ........ 0....... Transmitter does Not Support Tx STBC
    ........ .1...... Short GI for 40 MHz: Supported
    ........ ..0..... Short GI for 20 MHz: Not Supported
    ........ ...0.... Device is Not Able to Receive PPDUs with GF Preamble
    ........ ....11.. Spatial Multiplexing Enabled
    ........ ......1. Both 20MHz and 40MHz Operation is Supported
    ........ .......0 LDPC coding capability: Not Supported
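The trace above can be reproduced with a small decoder. This is an added example, not part of the original slides; the field and function names are this example's own, and the bit positions are taken from the trace itself (bit 0 is the least significant bit).

```python
# Added example: decode the 16-bit HT Capabilities Info field.
# Bit positions (bit 0 = least significant) follow the packet trace above.
HT_CAP_FIELDS = [  # (name, lowest bit, width in bits)
    ("ldpc_coding", 0, 1),
    ("channel_width_20_40", 1, 1),
    ("sm_power_save", 2, 2),
    ("greenfield_rx", 4, 1),
    ("short_gi_20mhz", 5, 1),
    ("short_gi_40mhz", 6, 1),
    ("tx_stbc", 7, 1),
    ("rx_stbc", 8, 2),
    ("ht_delayed_block_ack", 10, 1),
    ("max_amsdu_length", 11, 1),
    ("dsss_cck_in_40mhz", 12, 1),
    ("psmp_support", 13, 1),
    ("forty_mhz_intolerant", 14, 1),
    ("lsig_txop_protection", 15, 1),
]

# Value 3 means SM power save is off, which the trace prints as
# "Spatial Multiplexing Enabled".
SM_POWER_SAVE = {0: "static", 1: "dynamic", 2: "reserved", 3: "disabled"}
MAX_AMSDU_OCTETS = {0: 3839, 1: 7935}


def decode_ht_cap_info(value: int) -> dict:
    """Split a 16-bit HT Capabilities Info value into its named subfields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("HT Capabilities Info is a 16-bit field")
    return {name: (value >> low) & ((1 << width) - 1)
            for name, low, width in HT_CAP_FIELDS}


def decode_from_frame(raw: bytes) -> dict:
    """Decode the two octets as they appear in a captured frame (little-endian)."""
    if len(raw) != 2:
        raise ValueError("expected exactly 2 octets")
    return decode_ht_cap_info(int.from_bytes(raw, "little"))


def summarize(fields: dict) -> dict:
    """Derive the readable values that the encoding tables define."""
    return {
        "max_amsdu_octets": MAX_AMSDU_OCTETS[fields["max_amsdu_length"]],
        "sm_power_save": SM_POWER_SAVE[fields["sm_power_save"]],
        "supports_40mhz": bool(fields["channel_width_20_40"]),
        "set_flags": sorted(name for name, _, width in HT_CAP_FIELDS
                            if width == 1 and fields[name]),
    }


if __name__ == "__main__":
    trace_value = 0b0001000001001110  # value shown in the AP trace above
    fields = decode_ht_cap_info(trace_value)
    for name, _, _ in reversed(HT_CAP_FIELDS):  # most significant bit first
        print(f"{name:24s} {fields[name]}")
    print(summarize(fields))
```

In a capture the same value appears as the octets 4E 10, because 802.11 fields are transmitted least significant octet first.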

HT Capabilities Info: Supported MCS Set

Rx MCS Bitmask: bit i = 1 indicates support for that MCS
Tx MCS Set Defined = 0 means both Tx/Rx MCS are equal
Up to 4 max streams can be supported
Tx unequal modulation support (as discussed earlier) may or may not be supported

HT Extended Capabilities

PCO: Support for Phased coexistence operation
• Alternate between 20 & 40 MHz operation

MCS feedback
• Station can provide MCS feedback

RD Responder indicates support for Reverse direction protocol
• Optional feature wherein an initiator can elicit a response packet burst from a responder

HT Info Element

- Operating mode
- Beacon always sent in non-HT mode
- See next slide for details

HT Information Element

Channel related parameters
• Primary channel
• Secondary channel offset
• Channel width of a STA (20 or 40)

Dual Beacon
• Does AP Tx beacon in secondary channel?

Secondary beacon support

Basic MCS Set
• Mandatory MCS for all STAs in BSS
• Similar to Basic rates of .11a/b/g

RIFS
• Shorter inter packet gaps
• E.g., 2 usecs (compare it with 16 usecs for SIFS)

Tx burst limit
• Burst of GF or RIFS packets

Overlapping BSS protection

Dual CTS protection
• Send a CTS for STBC & legacy STAs separately

Full BSS support for L-SIG TXOP protection

Phased Coexistence (PCO Parameters)
- PCO Active
- PCO phase (20 or 40 MHz switch)

HT Information element

Operating mode

- Set to 0
  - All STAs in BSS are 20/40 MHz HT
  - All STAs in a 20 MHz HT BSS are 20 MHz HT
- Set to 1 (non-member protection)
  - Some members on the channel (maybe outside BSS) are non-HT
- Set to 2
  - At least one 20 MHz only STA in a HT BSS
- Set to 3
  - MM (at least one legacy STA is present in BSS)

Non-GF STAs present

- Set to 0
  - All associated STAs in BSS are GF capable
- Set to 1
  - Some non-GF STAs present in a BSS

Protection

- Required for Operating mode 1 & 3
- Protection mechanisms discussed earlier can be used
- Operating mode can also be updated dynamically based on BSS constitution

Channel Switch & Extended Channel Switch Elements

Channel Switch
Indicates the secondary channel relative to the primary channel
• Useful for 40 MHz transmission
• 0 indicates no sec channel, 2 is reserved
• 1 means secondary is above primary, 3 means below
Beacons, Probe Responses
Channel switch announcement frames (Action management frames)

Extended Channel Switch
Switch to a new channel (20 MHz) or a primary channel (40 MHz), and regulatory class
Beacons, Probe Responses
Channel switch announcement frames (Action management frames)

Overview of advanced .11n features

Optional and/or not yet available today

HT Control

Field Meaning Definition

TRQ: Sounding Request

Set to 1 to request the responder to transmit a sounding PPDU.
When set to 0, the responder is not requested to transmit a sounding PPDU.
See 9.17.2 (Transmit beamforming with implicit feedback).

MAI: MCS request or Antenna Selection Indication

When set to 14, the MAI field contains an Antenna Selection Indication (ASELI).
Otherwise the MAI field is interpreted as shown in Figure n3 (MAI field).

MFSI: MFB Sequence Identifier

Set to the received value of MSI contained in the frame to which the MFB information refers.
Set to 7 for unsolicited MFB.

MFB/ASELC: MCS Feedback and Antenna Selection Command/Data

When the MAI field is set to the value ASELI, this field is interpreted as defined in Figure n4 (ASELC subfield) and Table n3 (The ASEL Command and ASEL Data parts of the ASELC subfield).
Otherwise, this field contains recommended MCS feedback.
A value of 127 indicates that no feedback is present.

HT Control: Link adaptation

RDP Exchange

802.11n MAC Layer Performance: Putting it all together

Theoretical Maximum Throughput (TMT)

[Figure: throughput (Mbps) versus MCS, for MSDU size = 1000 bytes]

Theoretical bandwidth efficiency

[Figure: bandwidth efficiency versus MSDU size (10^3 bytes)]

Bandwidth efficiency with aggregation

[Figure: bandwidth efficiency versus aggregated frame size (KB)]

Insights from experiment results

[Figure: probability versus A-MPDU size (KB)]

          Plain-vanilla   A-MSDU   A-MPDU
TMT       43              92       120
Expt.     33.9            87.1     85.5

IEEE 802.11e

Limitations of DCF

No notion of differentiated service

Designed for fairness

Contention-based
• Inherently lacks service guarantee

Limited QoS support using Point Coordination Function (PCF)

Contention-free and contention periods (CFP and CP)

Centralized polling scheme

Limitations
• Simple round-robin polling only during CFP
• Unknown transmission durations
• Unpredictable beacon delays during polling

IEEE 802.11e main features

Four access categories (AC): voice, video, best effort, background

Transmission opportunity (TXOP)

Controlled beacon interval

Hybrid coordination function (HCF)
• Enhanced distributed channel access (EDCA)
• HCF controlled channel access (HCCA)

Block ACKs: cumulative acknowledgements

Direct Link Protocol (DLP): station to station communication

Enhanced distributed channel access (EDCA)

Contention based

Arbitration IFS (AIFS): sense if channel is idle for AIFS
• Each AC has a different AIFS
• PIFS < AIFS [Higher AC] < AIFS [Lower AC]
• AIFS ≥ DIFS

Backoff: contention window (CW)
• CWmin [Higher AC] < CWmin [Lower AC]
• CWmax [Higher AC] < CWmax [Lower AC]

HCF controlled channel access (HCCA)

HC should have highest priority to control medium access
• HC uses PIFS as idle time before accessing the channel
• AIFS [Highest AC] = DIFS

“Superframe” defines CP (EDCA TXOPs) and CFP (HCCA TXOPs)
• HC can allocate polled TXOP even during CP

[Figure: superframe between two beacons, showing HCCA and EDCA TXOPs across the contention-free period (CFP) and the contention period (CP)]

Security Enhancements to 802.11

WPA/802.11i & 802.11w D2.0

History: WEP Shared Key Authentication

Client: Key K (40 bit string)
AP: Key K (40 bit string)

1. Client to AP: Authentication Request
2. AP to Client: Challenge text C (random string of 128 bytes)
3. Client: Compute response R1 = f (C, K)
4. Client to AP: Response R1
5. AP: Compute response R2 = f (C, K). Is R1 = R2?
6. AP to Client: Result (Accept/Reject)

R1 = R2 = C XOR Keystream (K, IV)

Note: This is one-way authentication. AP authenticates Client, but not vice versa.

History: WEP Encryption

[Figure: WEP encryption block diagram]

TRANSMITTER: (Key K | Initialization Vector IV) → RC4 Key Stream Generator → Keystream; Packet P XOR Keystream → Encrypted P, sent together with IV over the WIRELESS CHANNEL

RECEIVER: (Key K | Initialization Vector IV) → RC4 Key Stream Generator → Keystream; Encrypted P XOR Keystream → Packet P

Key K: 40 bit. IV: 24 bit. Keystream: hundreds of bits.

• Key K is statically programmed in transmitter and receiver

• IV is changed per packet

• ICV is used for integrity protection (part of P)

Called "stream cipher"

History: What went wrong with WEP?

Very easy to beat the Authentication
• P XOR R = C
• P XOR C = R

IV Collision: Means two packets encrypted with same IV
• 24 bit IV can quickly wrap around under heavy traffic condition
• Many cards/APs on reset start with IV = 0 and increment from there

Cipher Text Modification
• ICV Protection can be defeated

Key (K) cracking (Fluhrer, Mantin, Shamir: "FMS attack")
• Using few packets encrypted with "Weak IVs", key K itself can be cracked

No Mutual Authentication

No Replay Protection

Single shared key used for all users/sessions
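The authentication and IV collision weaknesses listed above, worked through in Python as an added example (not from the original slides). It follows the slides' simplified model R = C XOR Keystream(K, IV) and leaves out the ICV; the key, IVs and payloads are constructed values, and the function names are this example's own.

```python
# Added example: simplified WEP model from the slides, without the ICV.
# All keys, IVs and payloads below are constructed for illustration.

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: WEP seeds RC4 with the 24-bit IV followed by key K."""
    return xor(data, rc4_keystream(iv + key, len(data)))


def ap_accepts(key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """AP side of shared key authentication: compute R2 and compare with R1."""
    return wep_xor(key, iv, challenge) == response


def demo() -> dict:
    key = bytes.fromhex("0102030405")   # constructed 40-bit static key K
    iv = bytes.fromhex("000001")        # constructed 24-bit IV

    # 1. One observed exchange: challenge C and response R1 are both on the air.
    c1 = bytes(range(128))
    r1 = wep_xor(key, iv, c1)
    keystream = xor(c1, r1)             # C XOR R = Keystream(K, IV)

    # 2. A response to a different challenge, built from that keystream alone.
    c2 = bytes(reversed(range(128)))
    r_without_key = xor(c2, keystream)

    # 3. IV collision: two packets under the same (K, IV) share a keystream.
    p1, p2 = b"GET /index.html ", b"user=alice&pw=x "
    e1, e2 = wep_xor(key, iv, p1), wep_xor(key, iv, p2)

    # 4. With a different IV the keystreams differ and the relation no longer holds.
    e3 = wep_xor(key, bytes.fromhex("000002"), p2)
    return {
        "keystream_exposed": keystream == rc4_keystream(iv + key, 128),
        "accepted_without_key": ap_accepts(key, iv, c2, r_without_key),
        "collision_leaks_xor": xor(e1, e2) == xor(p1, p2),
        "fresh_iv_leaks_xor": xor(e1, e3) == xor(p1, p2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first three results are true and the last is false: the exchange proves possession of a keystream rather than of K, and only a per-packet key that never repeats removes the collision leak, which is what the longer TKIP IV and per-session keys described later address.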

WPA: A Quick Fix to WEP

Created by WiFi Alliance
• Note: IEEE standardizes WLAN protocols, WiFi Alliance (www.wifialliance.org) promotes market adoption of WLAN

Constraints:
• No change to XOR based hardware encryption engine
• Something that will work with firmware upgrade to installed base of WLAN equipment

Connection Establishment using WPA

[Figure: connection establishment flow with Step 1, Step 2, Step 3, Step 4.1, Step 4.2 (EAPOL 4-way handshake) and Step 5; labels follow]

AP Discovery (SSID, signal strength)

Association

WEP Shared Key Authentication

Open (No) Authentication

WEP Like Encrypted Data Communication

802.1x (EAP) Authentication

Pre-shared Keys (PSK)

Dynamic Encryption Key Generation

Annotations: 802.1x and PSK; Addition of TKIP

[Figure: message sequence between Wireless Client, Access Point and Authentication Server; the Wireless Link joins client and access point, the Wired LAN joins access point and server; labels follow]

Open Authentication

Association

EAP Identity Request

Open Controlled Port allowing only EAP messages to pass through.

EAP Success

Encrypted Data Exchange

EAPOL Logoff

EAP Identity Response (RELAY)

Authentication Method Handshake: Identity Proof and Master Key Generation

Generate Master Key

Generate Master Key

Accept/Provide Master Key

Generate Transient Keys

EAPOL 4-Way Handshake

Generate Transient Keys

Open Uncontrolled Port allowing data to pass through.

Advantages of 802.1x

Freedom to choose authentication algorithm
• 802.1x is a bearer
• TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being
  • Support mutual authentication
  • Support derivation of master keys

Keys and authentication algorithms can be session specific

Ease of management of credentials in central authentication server

Ease of integration with other enterprise security systems (network authentication)

TKIP Encryption

TKIP uses longer IV (48 bit), twice as much as WEP

Avoids Weak IVs

Prevents IV reuse for any given key
• IV always starts from 0 and counts upwards

Master key generated afresh for each connection attempt, unlike static WEP keys

Transient keys generated from master key are used for encryption, refreshed at regular intervals

Connection Establishment using 802.11i

[Figure: connection establishment flow with Step 1, Step 2, Step 3, Step 4.1, Step 4.2 and Step 5; labels follow]

AP Discovery (SSID, signal strength)

Association

WEP Shared Key Authentication

Open (No) Authentication

CCMP Encrypted Data Communication

802.1x (EAP) Authentication

Pre-shared Keys (PSK)

Dynamic Key Generation

Annotations: Addition of 802.1x and PSK; CCMP (Change in h/w encryption engine)

802.11w: Management Frame Protection

WPA/802.11i protect 802.11 data packets only

Management, Control frames are left unprotected
• This can lead to various kinds of DoS attacks on an 802.11 network
• E.g., Deauthentication, Disassociation, Virtual jamming

802.11w DRAFT 2.0 (still in draft stage) is aimed at extending 802.11i to protect management frames

Management Frames Protected

Robust Management Frames
• Deauthentication
• Disassociation
• Action with category
  • Spectrum management
  • QoS
  • BlockAck
  • DLS

Protection
• Protection field in MAC frame control set to 1
• Confidentiality for unicast management frames (TKIP or CCMP)
• Integrity for broadcast frames provided

Broadcast Frame Integrity

Management MIC Information Element (MMIE)
• Provide integrity for deauth and disassoc broadcast frames
• Protection against forgery & replay
• Length: 26 (for deauth, disassoc frames) or 16 (other frames in future)
• Key ID: which key used to compute the MIC
• Replay: Interpreted as a 128 bit key for deauth, disassoc frames
• MIC calculated over SA, DA, priority (or ff) & plaintext data of MAC frame

RSN IE: Capabilities field for .11w negotiation

MFP Supported
• Indicates the capability of a device to support .11w
• Optional

MFP Enabled
• This capability is required for a STA to operate in a BSS
• Mandatory

Thank you

{kaustubh.phanse, gopinath.kn}@airtightnetworks.net