Wireless Observer wireless technology observer

Wifi comprises several standards developed by the IEEE.
The most notable of these are 802.11a,
802.11b, and 802.11g.

The 802.11 (without the added letters) standard was released in 1997.
Though it was too rudimentary (and too slow) for commercial acceptance and
though it has been superseded by 802.11a, 802.11b, etc., it did lay the
foundation for what has grown into a huge market. It provided fragmentation,
DSSS, FHSS,
diffused infrared,
and most of the essential technology of today’s consumer-grade wireless
computer networks.

802.11a employs a set of radio channels at the frequencies of 5.725 GHz
to 5.850 GHz (in the U-NII
band).

802.11a’s main advantages over the more popular 802.11b
are:

• It offers a higher bandwidth (up to 54 Mbps, compared to 802.11b’s 11
  Mbps.)
• It has more channels — 52 of them — which helps avoid radio and
  microwave interference. It also can support up to eight networks
  simultaneously in an access
  point’s coverage area without conflict (compared to 802.11b which
  can support only three.)

The reasons for its relative unpopularity include:

• It was longer in development, enabling 802.11b products to emerge and
  first and capture market share.
• Due to its higher frequency (5 GHz versus 2.4 GHz) its transmission
  range (distance a signal can reach) is shorter than that of 802.11b (225
  feet versus 375 feet).
• It demands materials that are more expensive: GaAs or SiGe rather than
  CMOS.

The 802.11a standard includes a strategy for falling back to slower
bandwidths when noise is high or signal strength is low. These slower
bandwidths are 48, 36, 24, 18, 12, 9, and 6 Mbps. Some implementations of
802.11a include a proprietary "Turbo" mode (also termed
"2X") of 108 Mbps.

802.11a and 802.11b use the same MAC
layer designs; where they differ is in their PHY
layers. 802.11a achieves its higher bandwidth by using multiplexing and
a more efficient error correction scheme (forward
error correction (FEC)).

802.11a uses the following modulation
techniques:

• At 6 Mbps it uses PSK
  with 125 Kbps for each of its 48 subchannels (125K X 48 = 6M).
• At 12 Mbps it uses QPSK
  with 250 Kbps/channel (250K X 48 = 12M).
• At 24 Mbps it uses 16-QAM.
• At 54 Mbps it uses 64-QAM.

802.11b uses 2.4 GHz (details in table below) and offers a bandwidth of
up to 11 Mbps. 2.4 GHz is a crowded part of the radio spectrum. It is shared
by microwave ovens, cordless phones, medical and scientific equipment, Bluetooth
devices, and many consumer and industrial applications. Here are the exact
frequencies used by 802.11b and 802.11g.

802.11g has a total of fourteen channels (in most of the world) or eleven
(in the USA) but, like 802.11b, only three are non-overlapping, unlike
802.11a’s eight. This enables it to squeeze into a narrower band. There is 5
MHz between each pair of adjacent channels. The centerpoint of the bottom
frequency is 2.412 GHz. Each channel is 22 MHz wide. Hence, the bottom of
the bottom frequency is 2.401 GHz (2.412 GHz minus half of 22 MHz). The
three non-overlapping channels (in practice, the only usable ones) are 1, 6,
and 11.

802.11g has two mandatory modes (every manufacturer must provide these): CCK
and OFDM, and two
optional modes: Packet
Binary Convolutional Coding (PBCC-22) — 22 Mbps — and CCK-OFDM-33
— 33Mbps.

• dynamic frequency selection (DFS)
• transmit power control (TPC)

The device itself consists of:

1. A radio transmitter and receiver
2. An RJ-45 wired network interface
3. Bridging software

Occasionally, access points are used without wired networks. In such
"standalone" wireless networks, access points serve as
communication buffers, for example when communication is attempted with a
laptop that is in standby mode. (Laptop computers enter standby mode to conserve
battery power.) To catch them up on data they missed while standing by,
access points buffer the data for these laptops until they awaken.

• Amplitude modulation (AM) — the voltage (amplitude) of the carrier is
  varied according to the data
• Frequency modulation (FM) — the pitch (frequency) of the carrier is
  varied according to the data
• Phase modulation (PM) — the phase of the carrier is varied according
  to the data; that is, the starting point of the carrier wave is moved
  around. For example, to deliver 3 bits of data, 8 possible phases must
  be used: 0°, 45°, 90°, …, 315°.
• Quadrature amplitude modulation (QAM) — phase modulation (PM)
  combined with two possible voltage levels adds one bit to yield 4 bits
  of data (16 possible values).

• ARAP
• CHAP
• EAP
• MS-CHAP
• MS-CHAPv2
• PAP — Password Authentication Protocol: Passes the user name and
  password in plaintext. It is defined in RFC
  1334.
• PPP — Point-to-Point Protocol: An encapsulation protocol for
  transporting IP traffic over point-to-point links. PPP is also a
  standard for the assignment and management of IP addresses, asynchronous
  (start/stop) and bit-oriented synchronous encapsulation, network
  protocol multiplexing, link configuration, link quality testing, error
  detection, and option negotiation for such capabilities as network layer
  address negotiation and data-compression negotiation. PPP supports these
  functions by providing an extensible Link Control Protocol (LCP) and a
  family of Network Control Protocols (NCPs) to negotiate optional
  configuration parameters and facilities. In addition to IP, PPP supports
  other protocols including Novell’s Internetwork Packet Exchange (IPX)
  and DECnet. (Reference:
  Cisco.)
• SLIP — Serial Line Internet Protocol: Documented in RFC
  1055, was the first protocol for relaying IP packets over dial-up
  lines. It defines an encapsulation mechanism but little else. There is
  no support for dynamic address assignment, link testing, or multiplexing
  different protocols over a single link. SLIP has been largely supplanted
  by PPP.
• Token — Some authentication schemes require a token, possession of a
  physical object such as a key fob or slim card

• Distance between transmitter and receiver
• Absorption by walls, floors and other obstacles
• Scattering due to reflection by irregular surfaces
• Diffraction (bending around objects)
• Refraction (bending of a wave as it passes through an object)
• Multipath
  distortion

These attenuations are more pronounced at higher frequencies, e.g. 5 GHz
signals tend to be attenuated more easily than 2.4 GHz signals.

APIPA is Microsoft’s solution to this problem. It is meant for nonrouted
small home or business environments with up to 25 clients. When a client
boots up, has no static IP address, and cannot find a DHCP server, it uses
APIPA to assign itself an IP address in the 169.254.xxx.xxx block. Since
this block is not routable (Internet routers ignore it) there is no risk of
conflicts with devices on networks elsewhere in the world even if the
isolated network becomes Internet-connected.

The client also configures itself with a default class B subnet mask of
255.255.0.0. It uses the self-configured IP address until a DHCP server
becomes available, checking every five minutes. If it detects a DHCP server
on the network, APIPA stops and the DHCP server replaces the IP address with
a dynamic one.

APIPA is a fairly new solution (available starting with Windows 98.)
Previously, devices received 0.0.0.0 as their default addresses which,
because it was duplicated on several devices, prevented them from
communicating at all.

• Standby
• Sniff/inquire
• Page
• Active
• Park/hold

• CSMA/CA — CSMA with collision avoidance.
  After having made sure the medium is clear (no traffic), all
  transmitters (not just those that have detected traffic) always wait a
  random amount of time before transmitting. The receiver then sends an
  acknowledgement to the sender. If the sender receives no
  acknowledgement, it sends again. Wifi networks use CSMA/CA. CSMA/CD
  wouldn’t work in wifi due to the hidden
  node problem.
• CSMA/CD — CSMA with collision detection.
  Transmitters don’t wait but go ahead and transmit and deal with the
  consequences when collisions occur. If it detects a collision, a
  transmitter waits a random delay time and then attempts to re-transmit
  the message. If the transmitter detects a collision again, it waits
  twice as long to re-transmit. This is called exponential back off.
  Ethernet networks use CSMA/CD.

• RZ — Return-to-zero: voltage spike = 1, no voltage = 0
• NRZ — Non-return-to-zero: voltage high = 1, no voltage = 0
  (hence the name)
• Polar NRZ — Positive voltage = 1, negative voltage = 0
• ASK — Amplitude shift keying: carrier on = 1, carrier off = 0
• FSK — Frequency shift keying
• GFSK
  — Gaussian frequency shift keying
• PSK
  — Phase shift keying

See also modulation
and analog
modulation.

In DSSS, data at the sending station is combined with a fixed bit
sequence called a chipping code. The chipping code divides the data
according to a spreading ratio. It is a redundant bit pattern that is
applied to each bit that is transmitted. This enables error detection and
correction. If a bit is lost or garbled in transmission, thanks to the
redundancy it can be reconstructed at the receiving end without requiring
retransmission.

Several chipping codes have been designed. At transmission rates of 1 or
2 Mbps, DSSS uses one called a Barker code which is four bits in
length. The Barker code is XOR’ed with each data bit. Thus, the number of
bits that must be transmitted is four times the actual amount of data. The
apparent inefficiency of chipping codes is more than compensated by the use
of the spread spectrum. At transmission rates of 5.5 or 11 Mbps, DSSS uses Complementary
Code Keying (CCK) which XORs the data with 64 eight-bit code words.

• Install identical antennas. They must have the same gain and the same
  coverage pattern. When the access point switches between them, the
  coverage pattern must not change.
• Connect them so they have the same polarization.
• Direct them so they have the same coverage area. Don’t use directional
  antennas pointed in different directions nor install omni-directional
  antennas tilted in two different directions.)
• If you disable diversity, be sure to connect the antenna to the active
  antenna port. Without the 50 ohms of resistance an antenna provides, the
  radio would eventually burn up.

An EAP-based protocol is communicated between an access point and an
authentication server such as a RADIUS.
The access point initiates the conversation with the server when it is
contacted by a client (most often a PC) requesting access to the wireless
network. A "back-end" server actually does the authentication
while the access point merely passes through the authentication exchange.
Typically, the server will send an initial Identity Request followed by one
or more Requests for authentication information. The client sends a Response
packet in reply to each Request. The server ends the authentication phase
with a Success or Failure packet.

EAP is not an implementation, it is a framework for implementations. It
is defined in RFC
2284. It supports a variety of authentication mechanisms. Several
implementations have been created and others are under development.
Implementations include:

• EAP-AKA — Authentication and Key Agreement: Mutual authentication in
  UMTS mode and one-way authentication in GSM mode. Includes a description
  of the signaling procedures on the various interfaces for WLAN
  convergence with 3G cellular networks.
• EAP-FAST — Flexible Authentication via Secure Tunneling: Tunneled,
  mutual authentication protocol without PKI certificates. The tunnel is
  established with protected-access credentials provisioned and
  dynamically managed through AAA servers. This protocol was developed by Cisco
  and has been submitted as a draft (proposed standard) to the IETF. Since
  it’s only a draft, it doesn’t have an RFC number. The following succinct
  description is quoted from that draft as of February, 2004, EAP
  Flexible Authentication via Secure Tunneling (EAP-FAST):

  EAP-FAST enables secure communication between a client and a server by
  using the EAP based Transport Layer Security (EAP-TLS) to establish a
  mutually authenticated tunnel. However, unlike current existing
  tunneled authentication protocols, EAP-FAST also enables the
  establishment of a mutually authenticated tunnel by means of symmetric
  cryptography. Furthermore, within the secure tunnel, EAP encapsulated
  methods can ensue to either facilitate further provision of
  credentials, authentication or authorization policies by the server to
  the client.

  Benefits of EAP-FAST include:

   

  • Does not require enforcement of a strong password policy.
  • Does not require digital certificates.
  • Supports a variety of user and password database types.
  • Supports password expiration and change.

   

• EAP-LEAP — Lightweight Extensible Authentication Protocol:
  Cisco-proprietary solution for mutual authentication using dynamic WEP
  keys. Prone to dictionary attack and identity exposure. Can be used only
  with Cisco access
  points. It serves to communicate authentication data between Cisco
  Aironet wireless LAN access points and the Cisco Secure Access Control
  Server. To satisfy the authentication challenge specified by LEAP, the
  PC of the user to be authenticated must first supply a valid user ID and
  later a correct 24 octet MSCHAP response to an 8 octet random MSCHAP
  peer challenge. If it satisfies both tests, the PC receives a session
  key which the Cisco access point recognizes and permits the PC’s the
  session to proceed. LEAP was superceded in 2003 by PEAP.
• EAP-MD5 — Message Digest 5 Challenge Handshake Authentication
  Protocol: Encrypts the authentication credential (password) into an MD5
  hash and compares them at the authentication server. Similar to CHAP and
  prone to identity exposure, dictionary attacks, session hijacking, and
  man-in-the-middle attacks.
• EAP-PEAP — Protected Extensible Authentication Protocol: Tunneled
  authentication protocol using server certificates for mutual
  authentication; supplicant authenticates using MS-CHAP or GTC. Uses one
  PKI certificate at the authentication server. Both Microsoft and Cisco
  offer implementations but they’re not interoperable. PEAP was developed
  by Microsoft, Cisco and RSA Security, and is now an IETF
  draft standard. This EAP implementation uses tunneling (see below)
  between clients and an authentication server. Though PEAP is not
  proprietary, Microsoft’s Windows XP is currently the only operating
  system that supports it.
• EAP-SIM — Subscriber Identity Module: Mutual authentication and
  session key agreement using GSM-SIM. This helps converge WLAN and GSM/GPRS
  cellular networks. It does not provide session independence between
  different sessions.
• EAP-TLS — Transport Layer Security: Authentication based on PKI
  certificates. The server and the supplicant mutually authenticate using
  their respective certificates. This is the most secure authentication
  mechanism. It is resistant to man-in-the-middle attack. However, it
  demands significant complexity on the client side.
• EAP-TTLS — Tunneled
  TLS: Two-phased mutual authentication process: the server authenticates
  to the supplicant with a certificate, then the supplicant authenticates
  using PAP, CHAP, MS-CHAP or GTC. It requires only one PKI certificate at
  the authentication server. It doesn’t prevent identity-hiding. This EAP
  was developed by Funk Software and Certicom and is now an IETF draft
  standard. It is an alternative to PEAP. Without the backing of Microsoft
  and Cisco, its survival is dubious.

• 48 are for data, and
• 4 are for error correction.

The error correction channels carry secondary copies of the data. They
eliminate the need for retransmission in the event of errors.

Fragmentation is a collision-avoidance strategy. A collision
occurs when two transmitters transmit simultaneously. Their transmissions
become garbled. Several strategies have been devised to prevent this;
fragmentation is the one espoused by 802.11.

The underlying principle is that transmssions that are shorter in
duration are less likely to collide with other transmissions. Fragmentation
keeps transmissions brief. Longer transmissions are divided into several
shorter ones. Each of these shorter transmissions is termed a frame.
Smaller frames can be communicated with greater reliability because they
present fewer opportunities for transmission errors.

However, fragmentation comes at a cost. Because each frame must be
acknowledged by the recipient and also has its own header and demands a
complete program cycle to be processed, smaller frames demand more computing
resources for a given amount of data, i.e. are less efficient. The overhead
can be substantial, but in a noisy environment this may be unavoidable.

In orthogonal FHSS, several messages are delivered simultaneously,
each with its own hopping code, none of which use the same frequency
simultaneously.

FHSS has several parameters including:

• Hop time — how long it takes to hop from one frequency to the next
• Dwell time — how long it stays on a frequency once it has hopped

As implemented in 802.11,
FHSS uses channels whose frequencies are separated by 1 MHz, 78 hopping
sequences, minimum hopping distances of 6 MHz, and a minimum hop rate of 2.5
hops/second.

This technique of sharing a medium by first making sure it’s not already
in use belongs to a class of solutions termed carrier sense multiple access
(CSMA).

There are two ways to overcome the hidden node problem: request-to-send
(RTS) protocol and point
coordination function (PCF) (sometimes called polling).

Here is a technical comparison of Hiperlan and 802.11. In the PHY
layer, Hiperlan and 802.11 are the same. The differences are in the link
layer (see OSI).
In Hiperlan’s version of the link layer, two features are added:

• Radio link control
• Logical link control

Like 802.11, Hiperlan has error correction. Unlike 802.11, it has automatic
channel selection (in 802.11 a channel is selected manually at the time of
configuration.) Also unlike 802.11, Hiperlan supports roaming.
In addition to laptop computers, it supports a broad variety of clients
including cell phones, ATM,
and Firewire.

Hiperlan manages media contention differently than 802.11. It does not
use CSMA/CD;
instead, control of the RF medium is centralized at the access
point. The access point informs its clients (called mobile terminals,
MTs) when they may transmit, using a TDMA
algorithm. During transmission, each client has use of the entire frequency
band for a brief time slot. Time slots are allocated dynamically with a
Quality of Service (QoS) priority algorithm. Thus, unlike 802.11, Hiperlan
can reliably deliver time-sensitive data especially audio and video.

Hiperlan has a complete complement of security features, especially
including encryption. Access points and MTs each authenticate the other.

Infrared is more secure than wifi because it is line-of-sight; it cannot
pass through walls or obstacles. Its range is shorter than that of wifi.

• SIFS — short IFS, used for ACK messages
• PIFS — PCF
  IFS (point coordination function, polling)
• DIFS — DCF
  contention

These adresses are usually notated as sequences of hexadecimal digits
such as 00-50-00-7B-D2-77. These are sometimes written with
colons, e.g. 00:50:00:7B:D2:77 instead of dashes. For
broadcasting (sending to all devices on a network) a special MAC address is
reserved: FF-FF-FF-FF-FF-FF.

Mesh network topology is like that of ad
hoc wifi networks. In a full mesh network, each node is connected
directly to each of the others. In a partial mesh topology, nodes are
connected to some but not all of the other nodes. It is able to support
nodes that are mobile (roaming).
Clients may be laptop computers, PDAs, mobile phones, etc. There are also
static nodes that form the infrastructure.

The official IEEE definition of 802.11s:

An IEEE 802.11 Extended Service Set (ESS) Mesh* is a collection of APs
interconnected with wireless links that enable automatic topology learning
and dynamic path configuration. [It is] an extension to the IEEE 802.11
MAC. [It] supports both broadcast/multicast and unicast delivery at the
MAC layer using radio-aware metrics over self-configuring multi-hop
topologies. [It uses] IEEE 802.11i security mechanisms… in which all of
the APs are controlled by a single logical administrative entity.

In wifi with PCF, the access
point acts as "point coordinator". It broadcasts a beacon
frame that tells the clients to shut up for some period of time. Then it
grants exclusive use of the medium to a single client. That client proceeds
to transmit. When it’s done, the client lets the access point know by
transmitting a null data frame.

This technique is especially suited for time-sensitive data such as
video. 802.11
implements PCF in the MAC
sublayer of OSI’s
link layer.

To support this latter power management feature, many access
points buffer data for sleeping clients. When the client awakes and
contacts the access point it then collects its buffered data.

There are several power management modes in which a wireless device may
operate, including:

• Constant Awake Mode (CAM) — the device does no power conservation
• Maximum Power Save (PSP) — the device is completely off the air
• Fast PSP and other intermediate modes (some are vendor-proprietary) in
  which a timer or other algorithm is used to awaken the wireless
  interface occasionally to check for data. First, the client synchronizes
  its clock with that of the access point by means of the access point’s beacon
  frame. Then the device switches off its wireless interface and
  switches it back on periodically (every 100 milliseconds in most
  algorithms) to query for new data. The device listens for the access
  point’s Traffic Indication Map (TIM) that tells which of the clients
  currently known to the access point have buffered data. When the device
  recognizes its own name in the TIM it proceeds to fetch its data. This
  support by access points for client power management is available in BSS
  (infrastructure) mode.

802.11 specifies RTS as part of its MAC
sublayer of OSI’s
link layer. It doesn’t demand that RTS be used at all times, but only for
long (typically over 3000 bytes) data packets. It is preferable to avoid
using RTS when possible because it imposes significant overhead. With short
data packets, the probability of collision is acceptably small. The length
of the packets for which RTS should be used is termed the RTS threshold
(an access point configuration parameter — don’t mess with it unless you
know what you’re doing!) Only packets that are longer than the RTS threshold
are transmitted using RTS. Lowering the RTS threshold can improve
communications when clients are far apart or there are many of them.

Unfortunately, 802.11
does not include such a protocol. Rather, it delegates this service to <
href="/about/#osi">OSI layers 3 (network) and 4 (transport). Hence, it
is a vendor-proprietary feature and not standardized. If you carry your
laptop from one wifi network to another, it’s very likely that your
connection will be dropped.

WiMAX will be deployed in three phases.

• Phase one will see WiMAX technology using the IEEE 802.16d
  specification deployed via outdoor antennas for subscribers in a fixed
  location.
• Phase two will roll out indoor antennas for carriers seeking
  simplified installation at user sites.
• Phase three will launch the IEEE 802.16e specification, in which WiMAX-Certified
  hardware will be available in portable solutions for users who want to
  roam within a service area, enabling more persistent connectivity akin
  to Wi-Fi capabilities today.

(See IEEE
802.16 Backgrounder (24 May 2002) and Intel’s
white paper on Broadband Wireless.)

WEP uses a key (encryption password) that is known at both ends of the
connection (the wirelessly-networked computer and the access point). This is
known as a shared private key. Flaws in WEP’s algorithm are notorious; the
implementation of the algorithm (RC4) is poor, and the 24-bit initialization
vector can be cracked with conventional equipment. Using software that today
is freely available on the Internet, a hacker can deduce a WEP key in under
an hour. Furthermore, good security practice dictates that shared private
keys should be replaced periodically yet network administrators find it
cumbersome to do so. When the key is changed on the access point, all the
wireless computer users must be notified of the new key and they must update
it in their configurations in order to continue to use the WLAN. Even with
access points that can support several keys simultaneously, key management
is difficult and therefore rarely done. Fortunately, new mechanisms are
under development (802.11i)
that will remove the necessity of conducting this onerous task.

WEP is being replaced due to the following flaws:

• Changing keys is a nuisance.
• Its 24-bit initialization vector is not hard to crack. Indeed, there
  are several free programs available on the Internet for this purpose.
• Its implementation of of RC4 encryption is ill-designed.

The IEEE is working on a complete redesign. In the interim, another scheme
is offered and is widely available, named wireless
protected access (WPA). The redesigned security mechanism will be
released as two IEEE standards:

• 802.1x –
  a generic design that will be applicable to networks of all kinds
  including wireless and wired
• 802.11i
  — the security part of 802.11

• IBSS, also
  called ad hoc or peer-to-peer mode
• BSS, also
  called infrastructure mode (uses an access
  point
• EBSS, like
  BSS but using more than one access point

• RADIUS
• For environments without a RADIUS infrastructure, WPA supports the use
  of a preshared key.
• EAP
• TKIP
• Michael
• AES
  (optional because it may not always be possible to add AES support
  through a firmware update to existing wireless equipment, or some
  vendors may choose not to)

802.1x
authentication is required in WPA. In the 802.11 standard, 802.1x
authentication was optional.