www.airtightnetworks.net
Capacity, QoS, and Security Related Advances in IEEE 802.11
Kaustubh S. Phanse, K. N. Gopinath
AirTight Networks, Inc.
National Conference on Communications (NCC 2008), Indian Institute of Technology, Bombay
February 1, 2008
AirTight Networks
Outline
Introduction: 802.11 overview: history and basic concepts
802.11n: MIMO concepts, channelization, frame aggregation, frame formats, performance
802.11e: Coordination functions for QoS support, service classes
802.11i, 802.11w: Authentication and encryption; protection of management and broadcast frames
What this tutorial will NOT cover…
• Communication and information theory: modulation and demodulation techniques, estimation, …
• Details of certain optional features in 802.11 standards
IEEE 802.11
Working group established in 1990
First standard in 1997 (already 10 years ago!)
• Frequency: 2.4 GHz band
• Physical layer: DSSS, FH, IR
• MAC layer: CSMA/CA
• Data rate: 2 Mbps
802.11 protocol suite
802.11 MAC and PHY enhancements
[Figure: 802.11 protocol stack (Physical: PMD, PLCP; Data link: MAC) annotated with 802.11e, 802.11i, 802.11n and 802.11w and the labels Security, QoS, and Capacity & Coverage]
Two-slide primer on 802.11 MAC (1/2)
Distributed coordination function (DCF) using carrier sense multiple access (CSMA/CA)
Two-slide primer on 802.11 MAC (2/2)
Example of DCF CSMA/CA (1)
Example of DCF CSMA/CA (2)
Example of DCF CSMA/CA (3)
Example of DCF CSMA/CA (4)
Example of DCF CSMA/CA (5)
Example of DCF CSMA/CA (6)
Example of DCF CSMA/CA (7)
Motivation for multicarrier modulation
Large delay spread (due to multipath reception) can cause significant inter-symbol interference (ISI)
• Burst errors
• Limits maximum achievable data rate
[Figure: delay spread τ]
Multicarrier modulation
Divide a high-rate sequence of symbols into several low-rate sequences
• Symbol duration ($T_N$) becomes large
Transmit low-rate symbols simultaneously over multiple subchannels or subcarriers
• Total bandwidth B is divided into subchannels each with bandwidth B/N
Orthogonal frequency division multiplexing (OFDM)
Tighter packing of subcarriers than traditional FDM
Subcarriers are orthogonal to enable demodulation
• Spacing $\Delta f$ is at least $1/T_N$
OFDM in 802.11
Each 20 MHz channel divided into 52 subcarriers
• Bandwidth of 16.6 MHz actually used for transmission
• Subcarriers spaced 312.5 kHz
• 48 subcarriers for data transmission
• 4 pilot subcarriers for monitoring
802.11n PHY Enhancements
What is MIMO?
SISO: Single Input (transmit) Single Output (receive)
MIMO: Multiple Input Multiple Output
• Spatial diversity (transmitter and receiver)
• Spatial multiplexing
[Figure: single Tx and Rx antennas (SISO) compared with an M x N system (N > 1, M > 1)]
Spatial diversity
Use multiple independently fading signal paths to reduce the error probability
• Low probability of independent fading signal paths to simultaneously experience deep fades
• Need multiple antennas spaced sufficiently apart (~ λ/2)
Maximum diversity gain (D) for M x N system = MN
Receiver diversity
Let noise at each antenna = $N_0$
Combined output SNR: $\eta_\Sigma = \dfrac{\left(\sum_{k=1}^{M} a_k r_k\right)^2}{N_0 \sum_{k=1}^{M} a_k^2}$
[Figure: M receive branches $r_k e^{j\theta_k} s(t)$, each multiplied by a weight $a_k e^{-j\theta_k}$ and summed (Σ); combiner output SNR = $\eta_\Sigma$]
Receiver diversity: Selection combining
Choose the branch with the highest SNR: $\eta_\Sigma = \eta_k = \dfrac{r_k^2}{N_k}$
Often implemented as a single receiver that switches to the chosen antenna branch
But it is still a single transmit-receive chain (SISO)
[Figure: Tx chain (bit stream, DSP, radio) and Rx chain (radio, DSP, bit stream)]
Receiver diversity: Maximum Ratio Combining (MRC)
Give higher weights to branches with high SNR and lower weights to branches with low SNR
[Figure: Tx chain (bit stream, DSP, radio) and Rx chain with several radios feeding one DSP (bit stream out)]
Receiver diversity: MRC
Optimal weight $a_k = \dfrac{r_k}{N_0}$
With $E_s$ the energy per symbol, $r_k = \sqrt{E_s}$
Then, SNR = $\dfrac{E_s}{N_0}$
Combined received SNR $\eta_\Sigma = \dfrac{M E_s}{N_0}$
Array gain: M-fold increase in SNR versus a SISO system
Maximum array gain (A) for M x N system = MN
Transmitter diversity: Channel-aware
Transmitter has knowledge of channel state information (CSI)
• Feedback from receiver
• Assume channel is reciprocal
Similar to receiver diversity with coherent combining, e.g., MRC
• Assign weights to antenna branches depending on channel conditions
Transmitter diversity: Channel-unaware
Space-time block codes (STBC): Alamouti scheme
• Assume channel gain is constant over two symbol periods
• Transmit symbols $s_1$ and $s_2$ during first symbol period
• Transmit $-s_2^*$ and $s_1^*$ during next symbol period
Let each antenna have a channel gain $h_k = r_k e^{j\theta_k}$
Received signal is $r(t) = 0.5\,(h_1 + h_2)\,s(t)$
Symbol received during first symbol period: $y_1 = h_1 s_1 + h_2 s_2$
Symbol received during second symbol period: $y_2 = -h_1 s_2^* + h_2 s_1^*$
[Figure: Tx with DSP and two radios; Rx with one radio and DSP]
Transmitter diversity: Alamouti scheme
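Let sequence of received symbols be represented as a vector $\mathbf{y} = [y_1 \; y_2^*]^T$
$\mathbf{y} = \begin{bmatrix} h_1 & h_2 \\ h_2^* & -h_1^* \end{bmatrix} \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} = \mathbf{H}\mathbf{s}$
Let $\mathbf{z} = \mathbf{H}^H \mathbf{y} = \mathbf{H}^H \mathbf{H} \mathbf{s} = (|h_1|^2 + |h_2|^2)\, \mathbf{I}_2\, \mathbf{s}$
Then
$z_1 = h_1^* y_1 + h_2 y_2^* = (|h_1|^2 + |h_2|^2)\, s_1$
$z_2 = h_2^* y_1 - h_1 y_2^* = (|h_1|^2 + |h_2|^2)\, s_2$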
Transmitter diversity: Alamouti scheme
Received SNR $\eta_k$ for $z_k$ = $\dfrac{(|h_1|^2 + |h_2|^2)\, E_s}{2 N_0}$
Total SNR $\eta_\Sigma = \dfrac{(|h_1|^2 + |h_2|^2)\, E_s}{N_0}$
Array gain = 1
Diversity gain = 2
Practical significance: array gain and diversity gain
Maximum: array gain A = MN, diversity gain D = MN
For a Rayleigh channel: error probability $P_e \propto \dfrac{1}{\mathrm{SNR}}$
For M x N system, $P_e \propto \dfrac{1}{(A \times \mathrm{SNR})^{D}}$, where A is the array gain and D is the diversity gain
Practical significance: array gain and diversity gain
[Figure: $P_e$ versus SNR]
Diversity gain determines the slope of the curve
Array gain shifts the curve
Spatial multiplexing
Multiplexing
• Time (TDM), frequency (FDM), code (CDM)
• SDM: using space as another dimension to multiplex data
Degrees of freedom
• Rich scattering environment
Transmit unique data streams over separate RF chains
Spatial multiplexing
Maximum multiplexing gain = min (M,N)
Use training symbols to estimate channel matrix H
Linear systems theory analogy: min (M,N) variables with min (M,N) equations
[Figure: at Tx, bit stream b1b2b3b4b5b6 is split into b1 b3 b5 and b2 b4 b6, one stream per radio; at Rx, the two streams are merged back into b1b2b3b4b5b6]
Spatial multiplexing gain vs. diversity gain trade-off
[Figure: diversity gain versus spatial multiplexing gain, with points (0, MN), (1, (M-1)(N-1)), (2, (M-2)(N-2)), (k, (M-k)(N-k)), (min(M, N), 0)]
802.11n channels
40 MHz operation (channel bonding)
• Primary channel plus secondary (upper/lower) channel
• Primary for management frames, both channels for data frames
Higher bandwidth, higher data rates! …but higher interference
• Only one non-overlapping channel in 2.4 GHz
• Implications for legacy WLANs
802.11n Modes of Operation
PLCP Enhancements
802.11n: Modes of Operation
3 modes: Non-HT, Mixed, Greenfield (distinguished by their PLCP headers)
Mixed
• Full support for legacy clients
• Broadcast control frames always in 20 MHz
• Performance degradation for .11n stations
Greenfield
• No backward compatibility
• Short and more efficient PLCP format
• No performance degradation for .11n devices
[Figure callouts on the PLCP formats:
• For use of legacy devices also
• Detection of PPDU, timing and coarse frequency acquisition
• Signalling (see next slide)
• MIMO estimation: D-LTF, 1 per stream, providing channel estimation for the data portion of the frame
• Staggered preambles (e.g., sounding packets): additional optional estimation info for channels]
L-SIG (MM) & HT-SIG (MM & GF)
Encoded value indicating duration of rest of the packet
Always 6 Mbps
L-SIG of Mixed Mode
Refer to next slides
HT-SIG
Field Name | Explanation and coding
Modulation and Coding Scheme | Index into the MCS table.
CBW 20/40 | Set to 0 for 20 MHz or 40 MHz upper/lower. Set to 1 for 40 MHz.
Length | The number of octets of data in the PSDU in the range 0-65535.
Smoothing | Set to 1 indicates that channel estimate smoothing is allowed. Set to 0 indicates that only per-carrier independent (unsmoothed) channel estimate is recommended.
Not Sounding | Set to 0 indicates that the PPDU is a sounding PPDU. Set to 1 indicates that the PPDU is not a sounding PPDU.
Reserved | Set to 1.
Aggregation | Set to 1 to indicate that the PPDU in the data portion of the packet contains an A-MPDU; otherwise, set to 0.
STBC | Set to a non-zero number to indicate the difference between the number of space time streams (NSTS) and the number of spatial streams (NSS) indicated by the MCS. Set to 00 to indicate no STBC (NSTS = NSS).
HT-SIG
Field Name | Explanation and coding
LDPC coding | Set to 1 for LDPC. Set to 0 for BCC.
Short GI | Set to 1 to indicate that the short GI is used after the HT training. Set to 0 otherwise.
Number of extension spatial streams | Indicates the number of extension spatial streams (NESS). Set to 0 for no extension spatial stream. Set to 1 for 1 extension spatial stream. Set to 2 for 2 extension spatial streams. Set to 3 for 3 extension spatial streams.
CRC | CRC of bits 0-23 in HT-SIG1 and bits 0-9 in HT-SIG2.
Modulation & Coding Scheme (MCS)
MCS is a compact representation (index) indicating
• Modulation (BPSK, QPSK, QAM, …)
• Coding (1/2, 3/4, …)
• Number of spatial streams (1, 2, 3, 4)
MCS index can be from 0 to 127
Mandatory MCS
• MCS 0 to 15 at 20 MHz (at AP)
• MCS 0 to 7 at 20 MHz (at client STA)
Rest all optional
• MCS 16 to 76 are optional
• All MCS at 40 MHz
MCS 77 to 127 are reserved for future use
Rate Dependent Parameters (20 MHz and Mandatory MCS)
NSS = 1
NSS = 2
Rate Dependent Parameters (40 MHz & Mandatory MCS)
NSS = 1
NSS = 2
Other Optional MCSs
MCSs with SS=3
• MCS 16 – 23
• Max rate (MCS 23)
  – 216.7 Mbps (20 MHz)
  – 450 Mbps (40 MHz)
MCSs with SS=4
• MCS 24 – 31
• Max rate (MCS 23)
  – 288.9 Mbps (20 MHz)
  – 600 Mbps (40 MHz)
Other MCSs
HT Duplicate
• MCS 32
• Useful under very high noise
• Lowest rate of 40 MHz (BPSK)
• 6.7 Mbps max rate
MCSs with unequal modulation
• Use with
  – Tx beamforming
  – STBC
• MCS 33 – 38 (4 SS)
  – Max rate 495 Mbps
• MCS 39 – 52 (4 SS)
  – Max rate 495 Mbps
• MCS 53 – 76 (4 SS)
  – Max rate 495 Mbps
MAC Enhancements
Frame Aggregation
Motivation
Amortize PLCP, MAC overheads by sending bigger packets
Can be implemented in several ways (as discussed next)
[Figure: frame timelines. Two separate exchanges (DCF, PLCP, MPDU1, PLCP, ACK and DCF, PLCP, MPDU2, PLCP, ACK) compared with one exchange (DCF, PLCP, MPDU, PLCP, ACK); SIFS marked]
Physical Level Aggregation (A-MPDU)
Consists of several MPDUs addressed to the same receiver
• Identified by the HT-SIG PLCP field ‘Aggregation’ of a received packet
Each MPDU embedded in a subframe
• Subframes consist of a delimiter followed by an MPDU (and padding in some cases)
• Except last subframe, others are padded so that they are a multiple of 4 octets
Delimiter
• Delimiters (ASCII N) useful for recovery during errors
• CRC protects reserved and length fields
• When an invalid delimiter is obtained, de-aggregation process skips forward 4 bytes and restarts its search for a new MPDU
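The delimiter-based recovery described above, as an added example that is not code from the slides. Assumptions not stated on the page: the delimiter is 4 octets (4 reserved bits, 12-bit MPDU length, 8-bit CRC, signature octet 0x4E), and the CRC uses polynomial x^8 + x^2 + x + 1 with the bit order shown; the MPDU payloads are constructed.

```python
import struct

SIGNATURE = 0x4E  # ASCII 'N'


def delimiter_crc(first_two_octets):
    """CRC-8 over reserved + length bits: x^8 + x^2 + x + 1, preset to ones, inverted (assumed)."""
    crc = 0xFF
    for octet in first_two_octets:
        for bit in range(8):  # least significant bit first (assumed transmit order)
            feedback = ((crc >> 7) ^ (octet >> bit)) & 1
            crc = (crc << 1) & 0xFF
            if feedback:
                crc ^= 0x07
    return crc ^ 0xFF


def make_delimiter(mpdu_length):
    if not 0 <= mpdu_length <= 0xFFF:
        raise ValueError("MPDU length must fit in 12 bits")
    head = struct.pack("<H", mpdu_length << 4)  # low 4 bits reserved, left as 0 here
    return head + bytes([delimiter_crc(head), SIGNATURE])


def make_subframe(mpdu, last=False):
    """Delimiter + MPDU, padded to a multiple of 4 octets unless it is the last subframe."""
    frame = make_delimiter(len(mpdu)) + mpdu
    return frame if last else frame + bytes(-len(frame) % 4)


def deaggregate(psdu):
    """Return (mpdus, skipped): recovered MPDUs and the number of 4-octet resync steps."""
    mpdus, skipped, offset = [], 0, 0
    while offset + 4 <= len(psdu):
        word, crc, signature = struct.unpack_from("<HBB", psdu, offset)
        length = word >> 4
        valid = signature == SIGNATURE and crc == delimiter_crc(psdu[offset:offset + 2])
        # The length arrives over the air: refuse one that would read past the buffer.
        if not valid or offset + 4 + length > len(psdu):
            offset += 4
            skipped += 1
            continue
        if length:  # zero-length delimiters only space out MPDU starts
            mpdus.append(bytes(psdu[offset + 4: offset + 4 + length]))
        offset += 4 + length
        offset += -offset % 4  # skip padding up to the next 4-octet boundary
    return mpdus, skipped


def corrupt(psdu, offset):
    """Flip one bit to model a channel error."""
    damaged = bytearray(psdu)
    damaged[offset] ^= 0x01
    return bytes(damaged)


# Constructed MPDU payloads (not real 802.11 frames), with one zero-length delimiter.
MPDUS = [b"MPDU-one", b"second-mpdu!!", b"third"]
AGGREGATE = (make_subframe(MPDUS[0]) + make_delimiter(0)
             + make_subframe(MPDUS[1]) + make_subframe(MPDUS[2], last=True))

if __name__ == "__main__":
    print(deaggregate(AGGREGATE))
    print(deaggregate(corrupt(AGGREGATE, 17)))  # error in the second delimiter
```

A single bit error in the second delimiter costs only that MPDU: the parser steps forward 4 octets at a time until the third delimiter validates.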
Physical Level Aggregation (A-MPDU)
Parameters negotiated using “A-MPDU parameters set” of HT capabilities IE field in a mgmt frame
• Max length (64k is the limit)
• Min MPDU start spacing
  – 0 indicates no restriction
  – Else, ranges from 1/4 to 16 usecs
  – Realized by using delimiters with MPDU length 0
Can be limited by a station using its Assoc packet
Example frames that an A-MPDU can contain
• QoS data frames
• Block Ack
• Block Ack Req frames
• Action management frames of subtype “Action No ACK” (e.g., carrying MIMO info)
[Figure labels: Max Rx Factor (x): 0 to 3 [2^(13+x)]; Min spacing: 0.25 to 16 usecs]
A-MSDU
A-MSDU consists of multiple subframes
All MSDUs are intended to be received by the same receiver
A-MSDU of length is 4095 – QoS data overheads = 4065 bytes cannot be Tx in an A-MPDU (as A-MPDU cannot carry fragments)
A-MSDU
MAC level aggregation
• Consists of MSDUs belonging to the same TID (QoS class)
Support is mandatory at the receiver when it is carried in a single (i.e., non A-MPDU) QoS Data MPDU under Normal Ack policy
• Block Ack agreement determines whether an A-MSDU can be carried in QoS data frames part of the BA session
A-MSDU lifetime indicates MAX lifetime of its constituent MSDUs
• An A-MSDU can be Tx until its A-MSDU lifetime expires or it is received at the receiver
• Implicitly means certain MSDUs can be Tx even after their individual lifetimes
A STA shall not transmit an A-MSDU to a station that exceeds its Max A-MSDU length capability
Block ACK (BA)
Block Ack Packet Exchange
ADDBA Request used to initiate BA session
ADDBA Response confirms/rejects the sessions
Frames of a session need NOT be sent consecutively
• They can be mixed with other frames of a station
• They can be interleaved with packets from other stations
• They can be sent in multiple .11e TXOPs
BlockAckReq used to solicit a BlockAck response frame
DELBA used to terminate a BA session
Block ACK Sessions (ADDBA)
Dialog token is some kind of an ID for req/response
Parameter set (defined in next slide)
Status code indicates whether the receiver accepts the request or not
• If not, sender is not supposed to use Block ACK
Timeout indicates the duration (Seconds) for which a session is active
Block Ack Parameter Set Field used in ADDBA Action Management Frames
Block Ack Parameter set field
• A-MSDU may or may not be allowed as a part of this BA session
• Block Ack policy is 1 for immediate ACK, 0 for delayed
  – Delayed is sent at a slightly later time after receiving a Block Ack Req
• TID indicates the .11e Traffic Identifier field (i.e., an ID used to group all frames that need similar QoS treatment)
• Buffer size indicates buffers
  – Recipient controls the buffers that can be supported
[Figure labels: 802.11n, 802.11e]
Immediate BlockAck
Delayed BlockAck
Block ACK Sessions (DELBA)
DELBA used to tear down sessions explicitly
Initiator indicates whether the sender or receiver of QoS data has initiated DELBA
DELBA Parameter set
BlockAckReq (BAR)
[Figure labels: 802.11n, 802.11e]
Fields of BlockAckReq Frame
BAR Control
• BA Policy (HT-delayed only)
  – Normal ACK
  – No ACK
• Multi-TID
  – Does BAR consist of req for different QoS streams?
• Compressed
  – Support for fragments in BA?
• TID_INFO
  – Info about each TID
Interesting note on BA policy
• .11e defines delayed & immediate BA policy
• In addition, .11n defines HT immediate & HT delayed policies
  – Negotiated between HT stations as a part of HT capabilities
  – Extensions for using BA with 802.11n features such as frame aggregation (A-MPDU)
BlockAckReq Encoding
-MT BAR
  -TID_info contains number of TIDs
  -BAR info contains seq number for that many TIDs
Per TID INFO
-Basic BAR, Compressed BAR
  -TID info contains TID for which the req has been made
BAR Info Field
BlockAck frame
BlockAck carries ACKs as bitmaps
Exact format depends on the encoding (see next slide)
BA Information for each BA encoding
Basic BA
• 128 byte bitmap
Compressed BA
• Mandatory
• 8 bit bitmap
• No support for fragments
MTBA (repeated for each TID)
HT Protection Mechanisms
Protection Requirements
-Protection may be required if Non-HT stations are present or Non-greenfield stations are present
-Types of protection that an HT station provides
  -RTS/CTS using a legacy rate
  -CTS to self using a legacy rate
  -Transmit 1st frame in a backward compatible mode
    -1st frame Tx using a Non-HT preamble and then switch to HT mode
    -1st frame Tx using a MM preamble and then switch to greenfield operation
  -Setting of L-SIG values in preamble to protect the current transmission
    -L-SIG TxOP (See next slide)
L-SIG TxOP Protection
Communication between 2 HT STAs that support this feature (as discussed in HT capabilities IE shortly)
Protecting multiple PSDUs (e.g., DATA+ACK, RTS/CTS) using a larger duration as derived from L-SIG
• L-SIG Duration will be derived from the MAC header’s duration value
• Non-HT STAs ‘think’ this as a transmission involving single large frame!
Applicable to HT-Mixed mode Tx only
HT Parameter Negotiation
Information Elements
Advertising HT Capabilities using MAC Frames
HT Capability Information Element (E.g., Beacon, Probe Response)
Refer to next slides
HT Capabilities Info
Subfield | Definition | Encoding
LDPC coding capability | Indicates support for receiving LDPC coded packets | Set to 0 if not supported. Set to 1 if supported.
Supported channel width set | Indicates which channel widths the STA supports | Set to 0 if only 20 MHz operation is supported. Set to 1 if both 20 MHz and 40 MHz operation is supported.
SM Power Save | Indicates the Spatial Multiplexing (SM) Power Save mode. | Set to 0 for Static SM Power Save mode. Set to 1 for Dynamic SM Power Save mode. Set to 3 for SM enabled. The value 2 is reserved.
Greenfield | Indicates support for the reception of PPDUs with HT Greenfield format. | Set to 0 if not supported. Set to 1 if supported.
Short GI for 20 MHz | Indicates Short GI support for the reception of 20 MHz packets | Set to 0 if not supported. Set to 1 if supported.
Short GI for 40 MHz | Indicates Short GI support for the reception of 40 MHz packets | Set to 0 if not supported. Set to 1 if supported.
Tx STBC | Indicates support for the transmission of PPDUs using STBC | Set to 0 if not supported. Set to 1 if supported.
HT Capabilities Info
Subfield | Definition | Encoding
Rx STBC | Indicates support for the reception of PPDUs using STBC | Set to 0 for no support. Set to 1 for support of one spatial stream. Set to 2 for support of one and two spatial streams. Set to 3 for support of one, two and three spatial streams.
HT-delayed BlockAck | Indicates support for HT-delayed BlockAck operation. | Set to 0 if not supported. Set to 1 if supported. Support indicates that the STA is able to accept an ADDBA request for HT-delayed Block Ack.
Maximum A-MSDU length | Indicates maximum A-MSDU length. See 9.7b (A-MSDU operation). | Set to 0 for 3839 octets. Set to 1 for 7935 octets.
DSSS/CCK Mode in 40 MHz | Indicates use of DSSS/CCK mode in a 40 MHz capable BSS operating in 20/40 MHz mode. | In Beacon, Measurement Pilot and Probe Response frames: set to 0 if the BSS does not allow use of DSSS/CCK in 40 MHz; set to 1 if the BSS does allow use of DSSS/CCK in 40 MHz. Otherwise: set to 0 if the STA does not use DSSS/CCK in 40 MHz; set to 1 if the STA uses DSSS/CCK in 40 MHz.
HT Capabilities Info
Subfield | Definition | Encoding
PSMP support | Indicates support for PSMP operation. See | In Beacon, Measurement Pilot and Probe Response frames transmitted by an AP: set to 0 if the AP does not support PSMP operation; set to 1 if the AP supports PSMP operation. In Beacon frames transmitted by a non-AP STA: set to 0.
Forty MHz Intolerant | When sent by an AP, indicates whether other BSSs receiving this information are required to prohibit 40 MHz transmissions. When sent by a STA, indicates whether the AP associated with this STA is required to prohibit 40 MHz transmissions by all members of the BSS. | Set to 0 by an AP if the AP allows use of 40 MHz transmissions in neighboring BSSs. Set to 1 by an AP if the AP does not allow use of 40 MHz transmissions in neighboring BSSs. Set to 0 by a STA to indicate to its associated AP that the AP is not required to restrict the use of 40 MHz transmissions within its BSS. Set to 1 by a STA to indicate to its associated AP that the AP is required to restrict the use of 40 MHz transmissions within its BSS.
L-SIG TXOP protection support | Indicates support for the L-SIG TXOP protection mechanism | Set to 0 if not supported. Set to 1 if supported.
Example Packet Trace Snippet of a Dlink AP
HT Capability Info: %0001000001001110
  0....... ........ L-SIG TXOP Protection Support: Not Supported
  .0...... ........ AP allows use of 40MHz Transmissions In Neighboring BSSs
  ..0..... ........ Device/BSS does Not Support use of PSMP
  ...1.... ........ BSS does Allow use of DSSS/CCK Rates @40MHz
  ....0... ........ Maximal A-MSDU size: 3839 bytes
  .....0.. ........ Does Not Support HT-Delayed BlockAck Operation
  ......00 ........ No Rx STBC Support
  ........ 0....... Transmitter does Not Support Tx STBC
  ........ .1...... Short GI for 40 MHz: Supported
  ........ ..0..... Short GI for 20 MHz: Not Supported
  ........ ...0.... Device is Not Able to Receive PPDUs with GF Preamble
  ........ ....11.. Spatial Multiplexing Enabled
  ........ ......1. Both 20MHz and 40MHz Operation is Supported
  ........ .......0 LDPC coding capability: Not Supported
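A decoder for the HT Capabilities Info field that reproduces the trace above, as an added example that is not code from the slides. The bit positions are read off the trace; the element ID 45, the little-endian byte order and the surrounding sample bytes are assumptions or constructed values not given on the page.

```python
import struct

HT_CAPABILITIES_ELEMENT_ID = 45  # assumption: not stated on the page

# (name, least significant bit, width); positions read off the packet trace above.
FIELDS = [
    ("ldpc_coding", 0, 1),
    ("channel_width_20_40", 1, 1),
    ("sm_power_save", 2, 2),
    ("greenfield", 4, 1),
    ("short_gi_20", 5, 1),
    ("short_gi_40", 6, 1),
    ("tx_stbc", 7, 1),
    ("rx_stbc", 8, 2),
    ("ht_delayed_block_ack", 10, 1),
    ("max_amsdu", 11, 1),
    ("dsss_cck_40", 12, 1),
    ("psmp", 13, 1),
    ("forty_mhz_intolerant", 14, 1),
    ("lsig_txop_protection", 15, 1),
]

SM_POWER_SAVE = {0: "static", 1: "dynamic", 2: "reserved", 3: "SM enabled"}
MAX_AMSDU_OCTETS = {0: 3839, 1: 7935}


def decode_ht_cap_info(value):
    """Split the 16-bit field into its raw subfield values."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("HT Capabilities Info is 16 bits wide")
    return {name: (value >> lsb) & ((1 << width) - 1) for name, lsb, width in FIELDS}


def describe(value):
    """Readable view of the subfields, using the encodings from the tables above."""
    raw = decode_ht_cap_info(value)
    view = {name: bool(v) for name, v in raw.items()}
    view["sm_power_save"] = SM_POWER_SAVE[raw["sm_power_save"]]
    view["rx_stbc"] = raw["rx_stbc"]  # 0 = none, 1..3 = up to that many spatial streams
    view["max_amsdu"] = MAX_AMSDU_OCTETS[raw["max_amsdu"]]
    return view


def find_ht_cap_info(tagged_parameters):
    """Walk ID/length/value elements; return the Info field of the first HT Capabilities IE."""
    offset = 0
    while offset < len(tagged_parameters):
        if offset + 2 > len(tagged_parameters):
            raise ValueError("truncated element header")
        element_id, length = tagged_parameters[offset], tagged_parameters[offset + 1]
        body = tagged_parameters[offset + 2: offset + 2 + length]
        if len(body) != length:
            raise ValueError("element length runs past the end of the frame")
        if element_id == HT_CAPABILITIES_ELEMENT_ID:
            if length < 2:
                raise ValueError("HT Capabilities element too short")
            return struct.unpack_from("<H", body)[0]  # assumed little-endian
        offset += 2 + length
    return None  # no HT Capabilities element present


# Constructed sample: an SSID element "lab", then an HT Capabilities element whose Info
# field is the value from the trace above; the remaining 24 octets are zeroed.
TRACE_VALUE = 0b0001000001001110
SAMPLE_ELEMENTS = (bytes([0, 3]) + b"lab" + bytes([45, 26])
                   + struct.pack("<H", TRACE_VALUE) + bytes(24))

if __name__ == "__main__":
    for name, value in describe(find_ht_cap_info(SAMPLE_ELEMENTS)).items():
        print(f"{name:24} {value}")
```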
HT Capabilities Info: Supported MCS Set
Rx MCS Bitmask: bit i = 1 indicates support for that MCS
Tx MCS Set Defined = 0 means both Tx/Rx MCS are equal
Up to 4 max streams can be supported
Tx unequal modulation support (as discussed earlier) may or may not be supported
HT Extended Capabilities
PCO: Support for Phased coexistence operation
• Alternate between 20 & 40 MHz operation
MCS feedback
• Station can provide MCS feedback
RD Responder indicates support for Reverse direction protocol
• Optional feature wherein an initiator can elicit a response packet burst from a responder
HT Info Element
-Operating mode
-Beacon always sent in non-HT mode
-See next slide for details
HT Information Element
Channel related parameters
• Primary channel
• Secondary channel offset
• Channel width of a STA (20 or 40)
Dual Beacon
• Does AP Tx beacon in secondary channel?
Secondary beacon support
Basic MCS Set
• Mandatory MCS for all STAs in BSS
• Similar to Basic rates of .11a/b/g
RIFS
• Shorter inter packet gaps
• E.g., 2 usecs (compare it with 16 usecs for SIFS)
Tx burst limit
• Burst of GF or RIFS packets
Overlapping BSS protection
Dual CTS protection
• Send a CTS for STBC & legacy STAs separately
Full BSS support for L-SIG TXOP protection
Phased Coexistence (PCO Parameters)
• PCO Active
• PCO phase (20 or 40 MHz switch)
HT Information element
Operating mode
-Set to 0
  -All STAs in BSS are 20/40 MHz HT
  -All STAs in a 20 MHz HT BSS are 20 MHz HT
-Set to 1 (non-member protection)
  -Some members on the channel (maybe outside BSS) are non-HT
-Set to 2
  -At least one 20 MHz only STA in a HT BSS
-Set to 3
  -MM (at least one legacy STA is present in BSS)
Non-GF STAs present
-Set to 0
  -All associated STAs in BSS are GF capable
-Set to 1
  -Some non-GF STAs present in a BSS
Protection
-Required for Operating mode 1 & 3
-Protection mechanisms discussed earlier can be used
-Operating mode can also be updated dynamically based on BSS constitution
Channel Switch & Extended Channel Switch Elements
Channel Switch
• Indicates the secondary channel relative to the primary channel
  – Useful for 40 MHz transmission
  – 0 indicates no sec channel, 2 is reserved
  – 1 means secondary is above primary, 3 means below
• Beacons, Probe Responses
• Channel switch announcement frames (Action management frames)
Extended Channel Switch
• Switch to a new channel (20 MHz) or a primary channel (40 MHz), and regulatory class
• Beacons, Probe Responses
• Channel switch announcement frames (Action management frames)
Overview of advanced .11n features
Optional and/or not yet available today
HTControl
HT Control: Link adaptation
Field | Meaning | Definition
TRQ | Sounding Request | Set to 1 to request the responder to transmit a sounding PPDU. When set to 0, the responder is not requested to transmit a sounding PPDU. See 9.17.2 (Transmit beamforming with implicit feedback).
MAI | MCS request or Antenna Selection Indication | When set to 14, the MAI field contains an Antenna Selection Indication (ASELI). Otherwise the MAI field is interpreted as shown in Figure n3 (MAI field).
MFSI | MFB Sequence Identifier | Set to the received value of MSI contained in the frame to which the MFB information refers. Set to 7 for unsolicited MFB.
MFB/ASELC | MCS Feedback and Antenna Selection Command/Data | When the MAI field is set to the value ASELI, this field is interpreted as defined in Figure n4 (ASELC subfield) and Table n3 (The ASEL Command and ASEL Data parts of the ASELC subfield). Otherwise, this field contains recommended MCS feedback. A value of 127 indicates that no feedback is present.
RDP Exchange
802.11n MAC Layer Performance: Putting it all together
Theoretical Maximum Throughput (TMT)
[Figure: throughput (Mbps) versus MCS; MSDU size = 1000 bytes]
Theoretical bandwidth efficiency
[Figure: bandwidth efficiency versus MSDU size (10^3 bytes)]
Bandwidth efficiency with aggregation
[Figure: bandwidth efficiency versus aggregated frame size (KB)]
Insights from experiment results
[Figure: probability versus A-MPDU size (KB)]
      | Plain-vanilla | A-MSDU | A-MPDU
TMT   | 43            | 92     | 120
Expt. | 33.9          | 87.1   | 85.5
IEEE 802.11e
Limitations of DCF
No notion of differentiated service
Designed for fairness
Contention-based
• Inherently lacks service guarantee
Limited QoS support using Point Coordination Function (PCF)
Contention-free and contention periods (CFP and CP)
Centralized polling scheme
Limitations
• Simple round-robin polling only during CFP
• Unknown transmission durations
• Unpredictable beacon delays during polling
IEEE 802.11e main features
Four access categories (AC): voice, video, best effort, background
IEEE 802.11e main features
Transmission opportunity (TXOP)
Controlled beacon interval
Hybrid coordination function (HCF)
• Enhanced distributed channel access (EDCA)
• HCF controlled channel access (HCCA)
Block ACKs: cumulative acknowledgements
Direct Link Protocol (DLP): station to station communication
Enhanced distributed channel access (EDCA)
Contention based
Arbitration IFS (AIFS): sense if channel is idle for AIFS
• Each AC has a different AIFS
• PIFS < AIFS [Higher AC] < AIFS [Lower AC]
• AIFS ≥ DIFS
Backoff: contention window (CW)
• CWmin [Higher AC] < CWmin [Lower AC]
• CWmax [Higher AC] < CWmax [Lower AC]
HCF controlled channel access (HCCA)
HC should have highest priority to control medium access
• HC uses PIFS as idle time before accessing the channel
• AIFS [Highest AC] = DIFS
“Superframe” defines CP (EDCA TXOPs) and CFP (HCCA TXOPs)
• HC can allocate polled TXOP even during CP
[Figure: superframe between two beacons, divided into a contention-free period (CFP) and a contention period (CP), with HCCA and EDCA TXOPs]
Security Enhancements to 802.11
WPA/802.11i & 802.11w D2.0
History: WEP Shared Key Authentication
[Figure: message exchange between Client and AP, each holding Key K (40 bit string)]
1. Client to AP: Authentication Request
2. AP to Client: Challenge text C (random string of 128 bytes)
3. Client: compute response R1 = f (C, K); Client to AP: Response R1
4. AP: compute response R2 = f (C, K); is R1 = R2?
5. AP to Client: Result (Accept/Reject)
R1 = R2 = C XOR Keystream (K, IV)
Note: This is one-way authentication. AP authenticates Client, but not vice versa.
History: WEP Encryption
[Figure: WEP encryption data path]
TRANSMITTER: (Key K | Initialization Vector IV) into RC4 Key Stream Generator gives Keystream; Packet P XOR Keystream gives Encrypted P, sent together with IV
WIRELESS CHANNEL: IV, Encrypted P
RECEIVER: (Key K | Initialization Vector IV) into RC4 Key Stream Generator gives Keystream; Encrypted P XOR Keystream gives Packet P
Sizes: Key K 40 bit, IV 24 bit, keystream hundreds of bits
Called “stream cipher”
• Key K is statically programmed in transmitter and receiver
• IV is changed per packet
• ICV is used for integrity protection (part of P)
History: What went wrong with WEP?
Very easy to beat the Authentication
• P XOR R = C, P XOR C = R
IV Collision: means two packets encrypted with same IV
• 24 bit IV can quickly wrap around under heavy traffic condition
• Many cards/APs on reset start with IV = 0 and increment from there
Cipher Text Modification
• ICV protection can be defeated
Key (K) cracking (Fluhrer, Mantin, Shamir – “FMS attack”)
• Using few packets encrypted with “weak IVs”, key K itself can be cracked
No Mutual Authentication
No Replay Protection
Single shared key used for all users/sessions
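Why the shared key authentication and IV collision items above are both keystream-reuse failures, as an added example that is not code from the slides. It is a simplified model: the ICV is omitted, the key, IV, challenges and packets are constructed values, and the keyed-MAC response is shown only for contrast and is not the 802.11i handshake.

```python
import hashlib
import hmac


def rc4_keystream(seed, length):
    """Plain RC4: key scheduling followed by output generation."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + seed[i % len(seed)]) % 256
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_crypt(key, iv, data):
    """XOR data with the RC4 keystream seeded by IV and key K (encrypts and decrypts)."""
    return xor(data, rc4_keystream(iv + key, len(data)))


def ap_verifies_wep(key, iv, challenge, response):
    """AP side of shared key authentication: is R1 = R2 = C XOR Keystream(K, IV)?"""
    return hmac.compare_digest(response, wep_crypt(key, iv, challenge))


def mac_response(key, challenge):
    """Contrast case (illustrative): the response is a keyed MAC of the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def observe_shared_key_auth(key, iv):
    """What one observed challenge/response pair gives away, and what it allows later."""
    challenge = bytes(range(128))                 # challenge text C, 128 bytes
    response = wep_crypt(key, iv, challenge)      # the legitimate client's R1
    exposed = xor(challenge, response)            # computable by anyone who saw C and R1
    fresh = bytes((7 * n + 3) % 256 for n in range(128))  # a later, different challenge
    return {
        "keystream_exposed": exposed == rc4_keystream(iv + key, 128),
        "wep_accepts_response_built_without_key":
            ap_verifies_wep(key, iv, fresh, xor(fresh, exposed)),
        "mac_accepts_replayed_response":
            hmac.compare_digest(mac_response(key, fresh), mac_response(key, challenge)),
    }


def iv_collision_leak(key, iv, packet_a, packet_b):
    """Two packets under the same (K, IV): ciphertext XOR equals plaintext XOR."""
    return xor(wep_crypt(key, iv, packet_a), wep_crypt(key, iv, packet_b))


KEY = bytes.fromhex("0102030405")  # constructed 40-bit key K
IV = bytes.fromhex("000001")       # constructed 24-bit IV

if __name__ == "__main__":
    print(observe_shared_key_auth(KEY, IV))
    print(iv_collision_leak(KEY, IV, b"GET /index.html ", b"POST /login.php "))
```

The WEP verifier accepts a response computed from the exposed keystream alone, while a response that is a keyed MAC of the challenge cannot be reused for a different challenge.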
WPA: A Quick Fix to WEP
Created by WiFi Alliance
• Note: IEEE standardizes WLAN protocols, WiFi Alliance (www.wifialliance.org) promotes market adoption of WLAN
Constraints:
• No change to XOR based hardware encryption engine
• Something that will work with firmware upgrade to installed base of WLAN equipment
Connection Establishment using WPA
[Figure: connection establishment flow with Steps 1, 2, 3, 4.1, 4.2 and 5. Labels: AP Discovery (SSID, signal strength); Association; WEP Shared Key Authentication; Open (No) Authentication; 802.1x (EAP) Authentication; Pre-shared Keys (PSK); EAPOL 4-way handshake (Step 4.2); Dynamic Encryption Key Generation; WEP Like Encrypted Data Communication. Annotations: 802.1x and PSK; Addition of TKIP]
[Figure: 802.1x message sequence between Wireless Client, Access Point and Authentication Server; Wireless Link between client and AP, Wired LAN between AP and server. Labels:
• Open Authentication
• Association
• EAP Identity Request
• EAP Identity Response (RELAY)
• Open Controlled Port allowing only EAP messages to pass through.
• Authentication Method Handshake: Identity Proof and Master Key Generation
• Generate Master Key (at both ends)
• Accept/Provide Master Key
• EAP Success
• EAPOL 4-Way Handshake, Generate Transient Keys (at both ends)
• Open Uncontrolled Port allowing data to pass through.
• Encrypted Data Exchange
• EAPOL Logoff]
Advantages of 802.1x
Freedom to choose authentication algorithm
• 802.1x is a bearer
• TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being
  – Support mutual authentication
  – Support derivation of master keys
Keys and authentication algorithms can be session specific
Ease of management of credentials in central authentication server
Ease of integration with other enterprise security systems (network authentication)
TKIP Encryption
TKIP uses longer IV (48 bit) – twice as much as WEP
Avoids Weak IVs
Prevents IV reuse for any given key
• IV always starts from 0 and counts upwards
Master key generated afresh for each connection attempt – unlike static WEP keys
• Transient keys generated from master key are used for encryption – refreshed at regular intervals
Connection Establishment using 802.11i
[Figure: connection establishment flow with Steps 1, 2, 3, 4.1, 4.2 and 5. Labels: AP Discovery (SSID, signal strength); Association; WEP Shared Key Authentication; Open (No) Authentication; 802.1x (EAP) Authentication; Pre-shared Keys (PSK); Dynamic Key Generation; CCMP Encrypted Data Communication. Annotations: Addition of 802.1x and PSK; CCMP (Change in h/w encryption engine)]
802.11w: Management Frame Protection
WPA/802.11i protect 802.11 data packets only
• Management, Control frames are left unprotected
• This can lead to various kinds of DoS attacks on an 802.11 network
• E.g., Deauthentication, Disassociation, Virtual jamming
802.11w DRAFT 2.0 (still in draft stage) is aimed at extending 802.11i to protect management frames
Management Frames Protected
Robust Management Frames
• Deauthentication
• Disassociation
• Action with category
  – Spectrum management
  – QoS
  – BlockAck
  – DLS
Protection
• Protection field in MAC frame control set to 1
• Confidentiality for unicast management frames (TKIP or CCMP)
• Integrity for broadcast frames provided
Broadcast Frame Integrity
Management MIC Information Element (MMIE)
• Provide integrity for deauth and disassoc broadcast frames
• Protection against forgery & replay
• Length – 26 (for deauth, disassoc frames) or 16 (other frames in future)
• Key ID: which key used to compute the MIC
• Replay: Interpreted as a 128 bit key for deauth, disassoc frames
• MIC calculated over SA, DA, priority (or ff) & plaintext data of MAC frame
RSN IE: Capabilities field for .11w negotiation
MFP Supported
• Indicates the capability of a device to support .11w
• Optional
MFP Enabled
• This capability is required for a STA to operate in a BSS
• Mandatory
Thank you
{kaustubh.phanse, gopinath.kn}@airtightnetworks.net