Sunday, January 2, 2011

Deploying Wireless LANs

Understanding how the 802.11 protocol operates, the behavior of mobile nodes, MAC layer security, and quality of service (QoS) is necessary for making wireless LAN (WLAN) deployment decisions. There is far more to deploying access points (APs) than running cable and ceiling-mounting the devices. The physical aspect of performing a site survey gives an administrator visibility into what coverage area each AP provides, the number of APs required to cover the given area, and channel and transmit power settings. You, as an administrator, must also incorporate
  • Roaming patterns of wireless clients
  • Applications used by wireless clients
These two primary areas shape the decisions you make when determining how many APs to use, the amount of coverage overlap, and the locations of upper-layer devices, such as authentication servers.


WLAN Deployment and Application Impact

WLAN deployments impact application use differently. It is important for you to understand these impacts as you plan your WLAN deployment. The keys are the following:
  • Effective per-client throughput
  • Streaming versus bursty application types
  • Medium contention and application latency

Effective per-client throughput is decreased as each new client joins the base station subsystem (BSS). Although each user is not explicitly guaranteed a specific amount of bandwidth, the distributed coordination function (DCF) medium-access mechanism provides fair access to the wireless medium, suggesting that each client has equal access to (and a portion of) the wireless medium. In a world where switched 10 Mbps and 100 Mbps Ethernet are commonplace, sharing 11 Mbps or even 54 Mbps (802.11b and 802.11a, respectively) among 10 to 25 other clients can be perceived as a step backward.

Given an 11 Mbps data rate for 802.11b networks and a shared, half-duplex medium, it is reasonable to expect no more than 6 Mbps of actual throughput. The total available throughput among 25 clients yields roughly 245 Kbps per client. Extending the same ratio to 802.11a BSSs with a 54 Mbps data rate, a reasonable throughput rate is roughly 22 Mbps, yielding an average throughput rate in the range of 880 Kbps per client. Note that this number is just a reference, assuming all clients are transmitting and receiving equal amounts of data.


WLAN Deployment Planning


There are two general methodologies in deploying WLANs:
  • Coverage oriented
  • Capacity oriented
This section discusses both types using a typical office floor plan, as shown in Figure 8-1.


Coverage-Oriented WLANs

A coverage-oriented WLAN is designed to provide maximum WLAN coverage with the least amount of APs. (A typical coverage-oriented network provides a user to AP ratio of 25 to 1.) Some characteristics of a coverage-oriented deployment include the following:
  • Bursty, low packet rate application types, such as barcode scanning and database queries
  • Low bandwidth requirements, allowing data rate scaling down to lower data rates such as 1 or 2 Mbps
  • Ease of maintenance because of little or no support staff local to the WLAN

In coverage-oriented deployments, the typical applications have low packet rates and low bandwidth requirements. Because of these meager demands on the WLAN, the users can expect effective throughput in these deployments to be quite high.

This setup allows more users to leverage the WLAN while still maintaining adequate performance.

These types of deployments might be common in warehouse environments or retail environments where WLANs are mission critical for inventory control and just-in-time purchasing and where the IT staff is in a central site, with no local support staff to troubleshoot coverage issues.

Also, it might be common for small or medium branch offices to opt for such a deployment as an alternative to installing wired Ethernet. In these cases, the branch offices experience a significant amount of relocation and Category 5 cabling expenses are minimized. A simple-todeploy WLAN provides basic network connectivity such as file and printer sharing.

Figure 8-2 illustrates the example floor plan from Figure 8-1 with a coverage-oriented WLAN deployment.


Capacity-Oriented WLANs

A capacity-oriented WLAN is designed to provide maximum throughput and packet rate for each client in a BSS. Capacity-oriented cell sizes are smaller than coverage-oriented cells, requiring a higher AP density. Capacity-oriented deployments are required for areas that have the following characteristics:
  • High packet rate applications
  • Latency-sensitive applications
  • Smaller-sized subnet deployments (or multiple subnets per coverage area)
  • Dense client population
Figure 8-3 illustrates the same floor plan with a capacity-oriented deployment. Note that there are more than twice as many APs in the capacity-oriented deployment (30 APs versus
14 APs).

Wednesday, October 27, 2010

Radio Frequency Essentials

Radio Basics

The term radio refers to electromagnetic transmission through free space at millimeter wave frequencies and below. It encompasses a wide range of applications, from AM and FM car radios to cellular phone radios and terrestrial digital microwave radios. Some, like AM and FM radios, are one-way or broadcast radios. The electromagnetic transmission occurs in only one direction, and it is often in a one-to-many type configuration. Alternatively, two-way radios allow transmission and reception by all parties; they can either be a point-to-point configuration, which is common in telecommunications backhaul applications, or a point-tomultipoint configuration, such as WLAN and cellular networks.

An important architectural distinction with two-way radio communication is the difference between frequency division duplex (FDD) and time division duplex (TDD). In FDD, you use a different frequency to carry information in each direction, and the two frequencies are separated enough in frequency that they don't interfere. Provided adequate separation is maintained, FDD can significantly simplify the radio and system designer's task, and it allows full-duplex type operation where simultaneous transmission and reception can occur. However, it also suffers the problem that you must allocate spectrum in two bands, and it can be spectrally inefficient because it locks up bandwidth in each direction. The alternative, TDD, does all radio communication on the same channel but with alternating periods of transmitting and listening. Although TDD does create a half-duplex situation at the physical layer and does require the radio to be able to very quickly switch from transmitting to receiving, it can be more spectrally efficient. It allows for easier channelization, and it can provide for time-varying allocation of bandwidth in each direction.

One of the most important characteristics of a radio is power. Specifically, the output power of the radio is presented to the transmission line, cable, or antenna and is usually measured in watts or milliwatts (mW). Comparisons of power values use a logarithmic scale to express the ratio in decibels (dB). The radio manufacturer provides the output power in dBm, which is decibels per 1 mW, or in dBW, which is decibels per 1 W. Table 7-1 provides some sample conversions between powers in watts and decibels.

Antenna Basics

What is an antenna? The IEEE defines an antenna as "that part of a transmitting or receiving system that is designed to radiate or receive electromagnetic waves" (IEEE Standard 145-1993). In other words, it is the antenna that takes the radio frequency (RF) signal that the radio generates and radiates it into the air or that receives or captures electromagnetic waves for the radio. Usually, the transmit and receive properties are reciprocal, meaning that the parameters such as gain or radiation pattern or frequency are the same.

The next question you might ask is, "How does an antenna work?" According to the textbook that most antenna designers learned with—Stutzman and Thiele's Antenna Theory and Design—the key is radiation, a "disturbance in the electromagnetic field that propagates away from the source of the disturbance…disturbance is created by a time-varying current source." So the radio creates a time-varying voltage source at a particular frequency, which induces a time-varying current on the antenna that creates the aforementioned electromagnetic field.

Considerations of antenna performance make a distinction between the near field, close to the antenna, and the far field. In the far field, the distance from the antenna is much larger than the wavelength at which you are operating or much larger than the dimension of the antenna, in contrast to the near field. It is under far-field assumptions that antenna vendors specify the characteristics of the antenna. Keep this point in mind if you ever find yourself operating in the near field of antennas because the characteristics are different.

An important concept to understand is that of an isotropic radiator or antenna. It is a mathematical construct for an idealized lossless antenna that radiates equally in all directions. If you define a sphere with an isotropic radiator in its center, the electromagnetic field will be equal at all points on the surface of the sphere. The isotropic antenna is a useful reference point when we consider different antennas.


Receiver Performance Basics

Radio receivers are characterized by their receiver sensitivity, which is the minimum signal level for the receiver to be able to acceptably decode the information. The acceptability threshold is governed by a particular bit error rate (BER), packet error rate (PER), or frame error ratio (FER). For example, the 802.11a standard specifies that the minimum compliant receiver performance at a 54 Mbps data rate is –65 dBm at a 10 percent PER. Note that the receiver sensitivity is also at a specific data rate because each modulation scheme has its own signal-to-noise ratio (SNR) requirement. In general, the higher the data rate, the higher the SNR required and hence the higher the receiver sensitivity level. The receiver sensitivity of the radio is also governed by the receiver noise figure. All receivers have some base underlying noise level, either from the precision of the digital processing or from the performance of the analog components. This noise level is the noise floor. As the noise floor rises, so too does the receiver sensitivity because the minimum signal level over the noise, SNR, is fixed for the modulation scheme. This concept is depicted in Figure 7-5. To evaluate the performance of a radio, receiver sensitivity is one of the important inputs to your linkbudget calculation that ultimately determines the achievable data rates and ranges. In general, you want the lowest receiver sensitivity that is economically feasible.


802.11b Minimum Radio Performance

To ensure satisfactory system performance between equipment manufactured by different vendors, the 802.11b PHY standard defines minimum radio performance levels that all equipment must satisfy for compliance. At an FER less than .08 with a Physical Layer Convergence Procedure service data unit (PSDU) length of 1024 octets at an 11 Mbps data rate, the minimum receiver sensitivity is –76 dBm at the antenna connector. Under the same conditions, the receiver maximum input level is –10 dBm at the antenna connector, and the adjacent channel rejection of another compliant 802.11b transmitter is 35 dB at the antenna connector. For adjacent channel rejection, the receiver must be able to adequately filter or operate in the presence of an adjacent signal to maintain the 0.08 FER. To test adjacent channel rejection, the desired signal is placed 6 dB over the minimum receiver sensitivity level, and the adjacent channel signal is placed 41 dB over that same level. In the discussion of the 802.11b spectral mask, you will see what the likely resultant channel signal contribution is from the interferer.


802.11a Minimum Radio Performance

Similar to 802.11b, 802.11a also defines minimum radio performance parameters. Table 7-2 provides the minimum receiver sensitivity, adjacent channel rejection, and alternate adjacent channel rejection at the antenna connector for the 802.11a data rates at a PER less than 10 percent with a 1000-byte PSDU length. In the rejection performance, the desired signal is placed 3 dB over the minimum sensitivity level and the interferer at the level given by the ratio indicated.


The receiver maximum input level under the same conditions is –30 dBm. 802.11a also specifies the clear channel assessment (CCA) sensitivity, which states that a compliant radio must indicate busy with 90 percent probability within 4 microseconds if the received level is greater than or equal to –82 dBm during the preamble. If the preamble is missed, then the level is –62 dBm.

Wednesday, June 9, 2010

Challenges for QoS in 802.11 Networks

802.11 networks work well for low-bandwidth, latency-insensitive data applications. Barcode scanners, personal digital assistants (PDAs), or laptops accessing files, web, or e-mail services can do so without the physical constraint of network cables or a significant loss of performance. But as enterprises start to embrace wireless LAN (WLAN) deployments, and as vertical market deployments such as healthcare and retail mature, the need for support of Voice over IP (VoIP) over wireless and video over wireless is mandatory.

If you think about it, it makes a lot of sense. Using VoIP over wireless can reduce the usage of cell phones in the work environment (where the company pays an airtime fee). This reduced use of cell phones gives network administrators a tangible dollar value to develop a return on investment (ROI) for a WLAN deployment.

QoS is a relatively mature technology for wired networks and is generally available on routers, switches, and end devices such as wired IP phones. For 802.11 WLANs, the contrary is true. It is an emerging technology that is hotly debated with the IEEE and the WLAN industry as a whole. The key challenges for a QoS mechanism in 802.11 networks include the following:


Cochannel Overlap

Cochannel overlap is a common occurrence in 2.4 GHz WLAN deployments with more than three APs. Because of the restriction of three nonoverlapping channels, some APs end up adjacent to APs on the same channel. What does this mean for the clients in those BSSs? Figure 6-1 shows a client in a cochannel overlap area. If both APs begin to transmit at the same time, the frames collide and both stations must back off and retransmit.



QoS Mechanism Overview

The 802.11e task group has debated many issues, including those discussed in the previous section. It has devised two proposed solutions for the future of 802.11 MAC. Bear in mind that the proposed specifications are not yet ratified, and changes might occur after this book is printed. The current two proposed solutions are
  • Hybrid coordination function (HCF) with contention operation— More commonly known as Enhanced DCF (EDCF)
  • HCF with polled access operation

HCF in Contention Mode—The EDCF Access Mechanism

The draft 802.11e specification attempts to provide classification for up to eight classes of data. EDCF and HCF polled access leverages these eight classes, known as traffic classes (TC), which map to the eight classes defined in the 802.1D standard, as shown in Table 6-1. Traffic from QoS-enabled clients is categorized into four broader categories known as access categories (AC). ACs 0 to 3 map to the 802.1D priority classes.


Summary: The Challenges Facing EDCF and HCF

At the time of this writing, there are two major obstacles perplexing the IEEE with respect to 802.11e: an effective yet simple admission control for EDCF and the operation performance of HCF. These issues are hotly debated among the various vendors in the working group who endeavor to solve application issues.

DAC still presents performance problems because it does not strictly enforce admissions control. Stations may potentially transmit and negatively impact existing traffic streams. Resolution seems to surround the adoption of parameterized admissions control for EDCF as well (the use of TSPECs to admit or deny EDCF traffic). HCF has its share of issues. Proponents extol the virtues of polled access as the panacea for effectively using the medium and also providing the ability to nearly guarantee service. Detractors believe that practical implementations of HCF will fail, as did early PCF implementations, because of the cochannel overlap issues that plague the 2.4 GHz band. The effectiveness of HCF diminishes quickly with cochannel overlap.


Although the working group has not finalized the 802.11e standard, it continues to strive toward a practical and effective set of tools to extend and expand the implementations of 802.11 WLANs.

Thursday, May 6, 2010

Layer 3 Roaming

Layer 3 mobility is a superset of Layer 2 mobility. An 802.11 client must perform a Layer 2 roam, including AP discovery, before it can begin a Layer 3 roam. This section focuses on issues surrounding Layer 3 roaming, specifically with the IP Protocol and Mobile IP extensions (RFC 2002). It covers the following topics:
  • Roaming between roaming domains
  • A Mobile IP overview

Roaming Between Roaming Domains

As previously discussed, a roaming domain is defined as APs that are in the same broadcast domain and configured with the same SSID. Stated another way, a client can only roam between APs in the same VLAN and with the same SSID. As WLAN deployments expand within an organization, roaming domains might need to scale beyond a single Layer 2 VLAN.

Consider the following scenario: Company A has a four-story building in which it has deployed a WLAN. The initial deployment was small, and the WLAN was a single Class C subnet for the entire building. This setup created a roaming domain across all four floors of the building. As time progressed, the number of users increased to the point that the subnet is full, and performance is degrading because of increased broadcast traffic.

Company A decides to follow its desktop subnet model and use a single subnet per floor for the WLAN. This setup introduces complications because now the roaming domains are restricted to a floor, not the entire building as before. With the new subnet model in place, application persistence when roaming across floors is lost. The application most impacted is Company A's wireless VoIP devices. As users move between the floors (and subnets) on their wireless phones, they drop their calls when they roam. Figure 5-8 illustrates this scenario. In this figure, an 802.11 VoIP phone is connected to a wired VoIP phone. As the user roams from AP1 on Subnet 10 to AP2 on Subnet 20, the session drops because the roaming user is now on a different subnet.


Mobile IP Overview

The scenario described for Company A is common. Many applications require persistent connections and drop their sessions as a result of inter-VLAN roaming. To provide session persistence, you need a mechanism to allow a stsation to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. Mobile IP provides such a mechanism, and it is the standards-based, vendor-interoperable solution to Layer 3 roaming for WLANs.

A Mobile IP–enabled network has these key components:


Agent Discovery

A roaming MN must dtermine that it is on a foreign subnet in a timely manner to minimize delay to running applications. HAs and FAs advertise their services by using the Internet Control Message Protocol (ICMP) Router Discovery Protocol (collectively known as IRDP) messages to send agent advertisements. As the MN establishes connectivity to the subnet it roams to, it listens for the periodic IRDP packets. The packets are sent to either the all-host multicast address (224.0.0.1) or the limited broadcast address (255.255.255.255). The IRDP packets are not sent to the subnet-specific broadcast address because the MN might not be aware of the subnet it has roamed to. In addition to periodic agent advertisements, an MN can solicit for advertisements after it detects that its interface has changed.

The agent advertisement contains two fields that allow the MN to determine whether it has
roamed to a new subnet:
  • The lifetime field from the agent advertisement
  • The prefix-length extension

The lifetime field provides a time value that an agent advertisement is valid for. If no new advertisement has been received before the lifetime reaches zero, the MN should attempt to discover a new agent.

The prefix-length extension indicates the network address value of the advertising agent. A change in prefix length (indicating a change in network address or subnet) shows the MN it should attempt to discover a new agent.

Upon determining it is on a foreign subnet, the MN gleans the CoA from the agent advertisement. The CoA can take two forms:
  • The address of the FA.
  • CCoA (Note that the CCoA is not advertised by the FA, but it is probably acquired by the MN as a Dynamic Host Configuration Protocol [DHCP] option.)

A CoA pointing to the FA forces the FA (usually the subnet router) to handle Mobile IP administration for all foreign MNs on the subnet in addition to handling packet-forwarding duties. The benefit to this situation is that only a single tunnel is required from the HA to each unique FA.

A CoA that is temporarily assigned to the MN places the Mobile IP administrative burden on the MN and forces the HA to establish a unique tunnel to each roaming MN. Figure 5-11 contrasts these two methods.


Monday, March 15, 2010

Layer 2 Roaming

Roaming Algorithms

The mechanism to determine when to roam is not defined by the IEEE 802.11 specification and is, therefore, left to vendors to implement. Although this issue posed an interoperability challenge early on with the first 802.11 products, vendors work together today to ensure basic interoperability. The fact that the algorithms are left to vendor implementation provide vendors an opportunity to differentiate themselves by creating new and better performing algorithms than their competitors. Roaming algorithms become a vendor's "secret sauce," and as a result are kept confidential.

Determining Where to Roam

Finding an AP to roam to is another mechanism that is vendor-specific. In general, there are
two mechanisms for finding APs:
  • Preemptive AP discovery
  • Roam-time AP discovery

Each mechanism can employ one or both of the following mechanisms:
  • Active scanning— The client actively searches for an AP. This process usually involves the client sending probe requests on each channel it is configured to use (channels 1 to 11 in North America) and waiting for probe responses from APs. The client then determines which AP is the ideal one to roam to.
  • Passive scanning— The client does not transmit any frames but rather listens for beacon frames on each channel. The client continues to change channels at a set interval, just as with active scanning, but the client does not send probe requests.
Active scanning is the most thorough mechanism used to find APs because it actively sends out 802.11 probes across all channels to find an AP. It requires the client to dwell on a particular channel for a set length of time, roughly 10 to 20 milliseconds (ms) depending on the vendor, waiting for the probe response.

With passive scanning, the client iterates through the channels slower than active scanning because it is listening for beacons that are sent out by APs at a set rate (usually 10 beacons per second). The client must dwell on each channel for a longer time duration to make sure it receives beacons from as many APs as possible for the given channel. The client looks for different information elements such as SSID, supported rates, and vendor proprietary elements to find an AP. Although it can be a faster mechanism to scan the medium, some elements are not transmitted, depending on AP configuration. For example, an administrator might block the SSID name in the SSID IE from being transmitted in beacons, so the passive scanning client is unable to determine whether the AP is in the same roaming domain.


There is no ideal technique for scanning. Passive scanning has the benefit of not requiring the client to transmit probe requests but runs the risk of potentially missing an AP because it might not receive a beacon during the scanning duration. Active scanning has the benefit of actively seeking out APs to associate to but requires the client to actively transmit probes. Depending on the implementation for the 802.11 client, one might be better suited than the other. For example, many embedded systems use passive scanning as the preferred method, whereas 802.11 Voice over IP (VoIP) phones and PC client cards rely on active scanning.


Preemptive AP Discovery

Preemptive AP Discovery is the function that provides the client the ability to roam to a predetermined AP after the client has made the decision to roam. This process allows for minimal total roaming time, which reduces application impact from roaming. Preemptive roaming does not come without a penalty, however.

Figure 5-3. Preemptive AP Discovery


Roam-Time AP Discovery

The other option for AP discovery is to look for an AP after the decision to roam has been made. This process is similar to the process a client goes through on initiation power up, except that the association message the client sends to the new AP is actually a reassociation frame.

Roam-time AP discovery does not have the overhead of preemptive roaming during on-roaming times, but because the client does not know which AP to reassociate to, there ca be a larger time penalty during the roaming process. Figure 5-4 shows roam-time AP discovery.

Wednesday, February 24, 2010

Characteristics of Roaming

Defining or characterizing the behavior of roaming stations involves two forms:
  • Seamless roaming
  • Nomadic roaming

Seamless roaming is best analogized to a cellular phone call. For example, suppose you are using your cellular phone as you drive your car on the freeway. A typical global system for mobile (GSM) communications or time-division multiple access (TDMA) cell provides a few miles of coverage area, so it is safe to assume that you are roaming between cellular base stations as you drive. Yet as you roam, you do not hear any degradation to the voice call (that is what the cellular providers keep telling us). There is no noticeable period of network unavailability because of roaming. This type of roaming is deemed seamless because the network application requires constant network connectivity during the roaming process.

Nomadic roaming is different from seamless roaming. Nomadic roaming is best described as the use of an 802.11-enabled laptop in an office environment. As an example, suppose a user of this laptop has network connectivity while seated at his desk and maintains connectivity to a single AP. When the user decides to roam, he undocks his laptop and walks over to a conference room. Once in the conference room, he resumes his work. In the background, the 802.11 client has roamed from the AP near the user's desk to an AP near the conference room. This type of roaming is deemed nomadic because the user is not using network services when he roams, but only when he reach his destination.

What happens to application sessions during roaming? Many factors influence the answer to
this question. Consider the following:
  • The nature of roaming in 802.11.
  • The operation of the application. Is the application connection-oriented or connectionless?
  • The roaming domain. Does roaming occur with a single subnet or across multiple subnets?
  • Roaming duration. How long does the roaming process take?

Operation of the Application

The way the application operates directly correlates to its resilience during the roaming process. Connection-oriented applications, such as those that are TCP-based, are more tolerant to packet loss incurred during roams because TCP is a reliable and connectionoriented protocol. TCP requires positive acknowledgments, just as the 802.11 MAC does. This requirement allows any 802.11 data lost during the roaming process to be retransmitted by TCP, as the upper-layer protocol.

Although TCP provides a tidy solution for applications running on 802.11 WLANs, some applications rely on User Datagram Protocol (UDP) as the Layer 4 transport protocol of choice. UDP is a low-overhead, connectionless protocol. Applications such as Voice over IP (VoIP) and video use UDP packets. The retransmission capability that TCP offers does little to enhance packet loss for VoIP applications. Retransmitting VoIP packets proves more annoying to the user than useful. As a result, the data-loss roaming might cause a noticeable impact to UDP-based applications.


Roaming Domain

The distinction between whether a device roams within a roaming domain or between roaming domains has a large impact on application sessions. Figure 5-1 depicts a Layer 2 roaming domain. The roaming user can maintain application connectivity within the roaming domain and as long as its Layer 3 network address is maintained (does not change).


Figure 5-2 illustrates roaming across roaming domains. The roaming user is roaming from an AP on Subnet A to an AP on Subnet B. As a result, the Layer 3 network address must change to maintain Layer 3 connectivity on Subnet B. As the Layer 3 address changes, the station drops all application sessions. This scenario is described later in this chapter in the section, "Mobile IP Overview."


Roaming Duration

Roaming duration is the time it takes for roaming to complete.
  • The probing process
  • The 802.11 authentication process
  • The 802.11 association process
  • The 802.1X authentication process

The cumulative duration of these processes equates to the roaming duration. Some applications, such as VoIP, are extremely delay-sensitive and cannot tolerate large roaming durations.

Tuesday, February 9, 2010

Secure 802.11 WLANs

The WLAN industry recognized the vulnerabilities in 802.11 authentication and data privacy. To provide users with a secure WLAN solution that is scalable and manageable, the IEEE has augmented 802.11 security by developing enhancements to 802.11 authentication and encryption. The changes are being incorporated into the 802.11i draft standard. To date, the 802.11i draft has not been passed as a standard, so the Wi-Fi Alliance has put together an subset of the components of 802.11i called Wi-Fi Protected Access (WPA). This section details and explains 802.11i and WPA components.

Although this chapter has detailed 802.11 security as a combination of Open/Shared Key authentication and WEP encryption so far, many mistakenly believe WEP to be the only component to WLAN security. Wireless security actually consists of four facets:
  • The authentication framework— This facet is the mechanism that accommodates the authentication algorithm by securely communicating messages between the client, AP, and authentication server.
  • The authentication algorithm— This facet is the algorithm that validates the user credentials.
  • The data privacy algorithm— This facet provides data privacy across the wireless medium for data frames.
  • The data integrity algorithm— This facet provides data integrity across the wireless medium to ensure to the receiver that the data frame was not tampered with.

Facet 1: The Authentication Framework

The authentication framework in 802.11 is the 802.11 authentication management frame. The authentication frame facilitates Open and Shared Key authentication algorithms, yet the frame itself does not possess the ability to authenticate a client. Because the shortcomings of 802.11 authentication have already been highlighted, it is important to understand what is needed to provide secure authentication in a WLAN.

802.11 is missing some key components to provide effective authentication:
  • Centralized, user-based authentication
  • Dynamic encryption keys
  • Encryption key management
  • Mutual authentication

User-based authentication is critical for network security. Device-based authentication, such as Open or Shared Key authentication, does not prevent unauthorized users from using
authorized devices. Also, logistical issues, such as lost or stolen devices and employee termination, can force network administrators to manually rekey all 802.11 APs and clients. Centralized, user-based management via an authentication, authorization, and accounting (AAA) server, such as a RADIUS, lets you allow or disallow specific users, regardless of the specific devices they use.

The requirement for user-based authentication has a positive side effect: user-specific encryption keys. Authentication types that support the creation of dynamic encryption keys fit well into the WLAN security and management model. Per user, dynamic keys relieve the network administrator from having to statically manage keys. Encryption keys are dynamically derived and discarded as the user authenticates and disconnects from the network. Should you need to remove a user from the network, you only need to disable her account to prevent her access.

Mutual authentication is two-way authentication. The "two-way" nature comes from not only the network authenticating the client, but also the client authenticating the network. In Open and Shared Key authentication, the AP or network authenticates the client. The client does not know for sure that the AP or network is valid because no mechanism is defined in the 802.11 specification to allow the client to authenticate the network. As a result, a rogue AP or rogue client station can pose as a valid AP and subvert the data on the client's machine. Figure 4-17 diagrams one-way authentication versus mutual authentication.


802.11 WLAN vendors and the IEEE understand the need to augment and replace existing security mechanisms, both in authentication and encryption. Work is currently underway in task group I of the 802.11 working group, and after the changes are complete, the security specifications will be ratified as the 802.11i specification.

The IEEE has addressed the shortcomings of 802.11 authentication by incorporating the 802.1X authentication framework. 802.1X itself is an IEEE standard that provides all 802 link layer topologies with extensible authentication, normally seen in higher layers. 802.1X is based on a Point-to-Point Protocol (PPP) authentication framework known as the Extensible Authentication Protocol (EAP). In oversimplified terms, 802.1X encapsulates EAP messages for use at Layer 2. 802.11i incorporates the 802.1X authentication framework requiring its use for user-based authentication. Figure 4-18 illustrates 802.1X with respect to authentication algorithms and 802 link layer topologies.


EAP (RFC 2284) and 802.1X do not mandate the use of any specific authentication algorithm. The network administrator can use any EAP-compliant authentication type for either 802.1X or EAP authentication. The only requirement is that both the 802.11 client (known as the supplicant) and the authentication server support the EAP authentication algorithm. This open and extensible architecture lets you use one authentication framework in differing environments, where each environment may use a different authentication type. Examples of EAP authentication types include the following:
  • EAP-Transport Layer Security (EAP-PEAP)— Operates similar to Secure Sockets Layer (SSL) at the link layer. Mutual authentication is accomplished via server-side digital certificates used to create a SSL tunnel for the client to securely authenticate to the network.
  • EAP-Message Digest 5 (EAP-MD5)— Similar to the Challenge Handshake Authentication Protocol (CHAP), EAP-MD5 provides a password based, one-way authentication algorithm.
  • EAP-Cisco— Also known as LEAP, EAP-Cisco was the first EAP type defined specifically for use in WLANs. EAP-Cisco is a password-based, mutually authenticating algorithm.
802.1X authentication requires three entities:
  • The supplicant - Resides on the WLAN dient
  • The authenticator— Resides on the AP
  • The authentication server— Resides on the RADIUS server

Wednesday, January 20, 2010

MAC Address Authentication

MAC address authentication is not specified in the 802.11 specification, but it is supported by many vendors. MAC address authentication verifies the client's MAC address against a locally configured list of allowed addresses or against an external authentication server, as shown in Figure 4-11. MAC authentication augments the Open and Shared Key authentications provided by 802.11, potentially reducing the likelihood of unauthorized devices accessing the network. For example, a network administrator might want to limit a particular AP to just three specific devices. If all stations and APs in the BSS have the same WEP keys, it is difficult to use Open or Shared Key authentication to facilitate this scenario. The administrator can configure MAC address authentication to augment 802.11 authentication.


Security Vulnerabilities in the 802.11 Standard

The prior section detailed how 802.11 authentication and encryption operates. It is no secret that security in the 802.11 specification is flawed. Not long after the ratification of 802.11, a number of published papers pinpointed vulnerabilities in 802.11 authentication and WEP encryption.


Open Authentication Vulnerabilities

Open authentication provides no way for the AP to determine whether a client is valid. This lack is a security vulnerability if WEP encryption is not implemented in a WLAN. Even with static WEP enabled on the client and AP, Open authentication provides no means of determining who is using the WLAN device. An authorized device in the hands of an unauthorized user is just as much a network security threat as providing no security at all!


Shared Key Authentication Vulnerabilities

Shared key authentication requires the client to use a preshared WEP key to encrypt challenge text sent from the AP. The AP authenticates the client by decrypting the shared-key response and validating that the challenge text is the same. The process of exchanging the challenge text occurs over the wireless link and is vulnerable to a known plaintext attack. This vulnerability with Shared Key authentication relies on the mathematical principal behind encryption. Earlier in this chapter, encryption was defined as plaintext mixed with a key stream to produce ciphertext. The mixing process is a binary mathematical function known as an exclusive OR (XOR). If plaintext is mixed with corresponding ciphertext, the result of the function is the key stream for the WEP key and IV pair, as shown in Figure 4-12.


An eavesdropper can capture both the plaintext challenge text and the ciphertext response. By simply running the values through an XOR function, an eavesdropper has a valid key stream. The eavesdropper can then use the key stream to decrypt frames matching the same size as the key stream, given that the IV used to derive the key stream is the same as the encrypted frame. Figure 4-13 illustrates how an attacker can eavesdrop on a Shared Key authentication and derive the key stream.


MAC Address Authentication Vulnerabilities

MAC addresses are sent unencrypted in all 802.11 frames, as required by the 802.11 specification. As a result, WLANs that use MAC authentication are vulnerable to an attacker undermining the MAC authentication process by spoofing a valid MAC address.

MAC address spoofing is possible in 802.11 network interface cards (NICs) that allow the universally administered address (UAA) to be overwritten with a locally administered address (LAA). The UAA is the MAC address that is hard-coded on the NIC by the manufacturer. An attacker can use a protocol analyzer to determine a valid MAC address in the BSS and an LAA-compliant NIC to spoof the valid MAC address.


Static WEP Key Management Issues

The 802.11 specification does not specify key-management mechanisms. Although not a specific vulnerability, WEP is defined to support only static, preshared keys. Because 802.11 authentication authenticates a device and not the user of the device, the loss or theft of a wireless adapter becomes a security issue for the network. This issue presents network administrators with the tedious task of manually rekeying all wireless devices in the network when the existing key is compromised because an adapter was lost or stolen.

This risk might be acceptable for small deployments where managing user devices is a simple task. Such a prospect is not scalable for medium and large deployments where the number of wireless users can reach into the thousands. Without a mechanism to distribute or generate keys, administrators must keep close tabs on wireless NIC whereabouts.

Monday, January 4, 2010

Authentication Mechanisms in the 802.11 Standard

The 802.11 specification stipulates two mechanisms for authentication of WLAN clients:
  • Open authentication
  • Shared Key authentication

Open authentication is a null authentication algorithm. The AP grants any request for authentication. It might sound pointless at first to have such an algorithm defined, but Open authentication has its place in 802.11 network authentication. The requirements for
authentication allow devices to quickly gain access to the network.

Access control in Open authentication relies on the preconfigured WEP key on the client and AP. The client and AP must have matching WEP keys to enable them to communicate. If the client and AP do not have WEP enabled, there is no security in the BSS. Any device can join the BSS and all data frames are transmitted unencrypted.

After Open authentication and the association process, the client can begin transmitting and receiving data. If the client is configured with a key that differs from the key on the AP, the client will be unable to encrypt or decrypt data frames correctly, and the frames will be discarded by both the client and the AP. This process essentially provides a means of controlling access to the BSS. It is illustrated in Figure 4-9.


Unlike Open authentication, Shared Key authentication requires that the client station and the AP have WEP enabled and have matching WEP keys. The following summarizes the Shared Key authentication process:

1. The client sends an authentication request for Shared Key authentication to the AP.

2. The AP responds with a cleartext challenge frame.

3. The client encrypts the challenge and responds back to the AP.

4. If the AP can correctly decrypt the frame and retrieve the original challenge, the client is
sent a success message.

5. The client can access the WLAN.


The premise behind Shared Key authentication is similar to that of Open authentication with WEP keys as the access control means. The client and AP must have matching keys. The difference between the two schemes is that the client cannot associate in Shared Key authentication unless the correct key is configured. Figure 4-10 shows the Shared Key authentication process.

Wednesday, December 23, 2009

Encryption in the 802.11 Standard

The 802.11 specification provides data privacy with the WEP algorithm. WEP is based on the
RC4 symmetric stream cipher. The symmetric nature of RC4 requires that matching WEP keys, either 40 or 104 bits in length, must be statically configured on client devices and access points (APs). WEP was chosen primarily because of its low computational overhead. Although 802.11-enabled PCs are common today, this situation was not the case back in 1997. The majority of WLAN devices were application-specific devices (ASDs). Examples of ASDs include barcode scanners, tablet PCs, and 802.11-based phones. The applications that run on ASDs generally do not require much computational power, so as a result, ASDs have meager CPUs. WEP is a simple-to-implement algorithm that you can write in as few as 30 lines of code, in some cases. The low overhead incurred by WEP made it an ideal encryption algorithm to use on ASDs.

To avoid the ECB mode of encryption, WEP uses a 24-bit IV, which is concatenated to the key
before being processed by the RC4 cipher. Figure 4-5 shows a WEP-encrypted frame, including the IV.

The IV must change on a per-frame basis to avoid IV collisions. IV collisions occur when the same IV and WEP key are used, resulting in the same key stream being used to encrypt a
frame. This collision gives attackers a better opportunity to guess the plaintext data by
seeing similarities in the ciphertext. The point of using an IV is to prevent this scenario, so it is important to change the IV often. Most vendors offer per-frame IVs on their WLAN devices.


The 802.11 specification requires that matching WEP keys be statically configured on both
client and infrastructure devices. You can define up to four keys on a device, but you can use only one at a time for encrypting outbound frames. Figure 4-6 shows a Cisco Aironet client configuration screen for WEP configuration.



In addition to data encryption, the 802.11 specification provides for a 32-bit value that functions as an integrity check for the frame. This check tells the receiver that the frame has arrived without being corrupted during transmission. It augments the Layer 1 and Layer 2 frame check sequences (FCSs), which are designed to check for transmission-related errors.

The ICV is calculated against all fields in the frame using a cyclic redundancy check (CRC)-32 polynomial function. The sender calculates the values and places the result in the ICV field. The ICV is included in the WEP-encrypted portion of the frame, so it is not plainly visible to eavesdroppers. The frame receiver decrypts the frame, calculates an ICV value, and compares what it calculates against what has arrived in the ICV field. If the values match, the frame is considered to be genuine and untampered with. If they don't match, the frame is discarded. Figure 4-8 diagrams the ICV operation.