IEEE 802.11 MAC
2018
Assoc. Prof. Anan Phonphoem, Ph.D.
Intelligent Wireless Network Group (IWING Lab)
http://iwing.cpe.ku.ac.th
Computer Engineering Department
Kasetsart University, Bangkok, Thailand
Is this the world's smallest computer?
IBM: crypto-anchor chip (March 19, 2018)
• smaller than a grain of salt
• several hundred thousand transistors on a chip
• costs less than 10 cents
• “tamper-proof digital fingerprints”
• linked to the blockchain
• embedded into products
• tiny solar powered computers
• LED lights to communicate with a network
https://www.techrepublic.com/article/is-this-the-worlds-smallest-computer-ibm-chip-is-no-bigger-than-a-grain-of-salt/
MAC Layer
• MAC Layer operation
  • Contention & contention-free
• Priority frame transmission
• MAC frame structure
  • Create MAC frame
• MAC frame Types
  • MAC management, control, and data frame
MAC Layer Operations
• Accessing the wireless medium
• IFS
• PCF & DCF
• Joining the network
• Providing authentication and privacy
Authentication
• Open system authentication
  • Default mode
• Shared key authentication
  • Higher degree of security
  • More rigorous frame exchange
  • WEP, WPA
http://www.patentlyapple.com/patently-apple/2009/11/apple-reveals-new-iphone-security-patents.html
Open System Authentication
Initiating Station → Authenticating Station (Request): Authentication Frame, Algorithm = “Open”, Seq. No. = 1
Authenticating Station → Initiating Station (Accept/Reject): Authentication Frame, Algorithm = “Open”, Seq. No. = 2, Result = accept/Rej
Shared Key Authentication
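Initiating Station → Authenticating Station: Algorithm = “Shared Key”, Seq. No. = 1
Authenticating Station → Initiating Station: Algorithm = “Shared Key”, Seq. No. = 2, Challenge Text
Initiating Station → Authenticating Station: Algorithm = “Shared Key”, Seq. No. = 3, Encrypted Challenge Text
Authenticating Station → Initiating Station: Algorithm = “Shared Key”, Seq. No. = 4, Authen result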
Wired Equivalent Privacy
Symmetric Encryption: Plain Text → Encryption (Key) → Cipher Text → Decryption (Key) → Plain Text
WEP - Encryption
[Figure: WEP encryption block diagram. Blocks: Integrity Algorithm, Pseudo-Random Number Generator, Bitwise XOR. Signals: IV, Secret Key, Key Sequence, Plain Text, Integrity Check Value (ICV), Cipher Text.]
WEP Frame
Frame Header | IV Header (4 bytes) | Frame Body | ICV Trailer (4 bytes) | FCS
Clear Text: Frame Header, IV Header. Encrypted: Frame Body, ICV Trailer. Clear Text: FCS.
WEP - Decryption
[Figure: WEP decryption block diagram. Blocks: Pseudo-Random Number Generator, Bitwise XOR, Integrity Algorithm. Signals: IV, Secret Key, Key Sequence, Cipher Text, Plain Text, Integrity Check Value (ICV).]
MAC Layer
• MAC Layer operation
  • Contention & contention-free
• Priority frame transmission
• MAC frame structure/Types
  • MAC management, control, and data frame
• Basic process revisit
MAC Frame Structure
MAC Header: Frame Control (2 bytes) | Duration/ID (2 bytes) | Address 1 (6 bytes) | Address 2 (6 bytes) | Address 3 (6 bytes) | Seq Control (2 bytes) | Address 4 (6 bytes)
Frame Body (0-2312 bytes) | FCS (4 bytes)
MAC Frame Structure
• Frame Control: control information being sent from station to station
• Duration/ID: duration of waiting before the next frame (Ack/Data Period)
• Address 1-4: different types of addresses
• Seq Control: sequence and fragment numbers
• Frame Body: payload
• FCS: CRC
Frame Control Fields
Frame Control (2 bytes): Proto. Ver (2 bits) | Type (2 bits) | SubType (4 bits) | ToDS (1 bit) | FromDS (1 bit) | MoreFrag (1 bit) | Retry (1 bit) | PWR Mgmt (1 bit) | MoreData (1 bit) | WEP (1 bit) | Order (1 bit)
Frame Control – Type/subtype
Type:
00 Mgmt
01 Control Frame
10 Data Frame
11 Reserved
SubType (for Type 00 Mgmt):
0000 Association Request
0001 Association Response
0100 Probe Request
1000 Beacon
1011 Authentication
Probe Request Frame
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
[Figure: captured Probe Request frame with FC Byte #1 and FC Byte #2 marked]
• Sent on every channel the client supports
• Try to find all access points in range
• match SSID
• client-requested data rates
Open Authentication Request Frame
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
[Figure: Open Authentication Request frame (snap shot by Wireshark)]
Independent Basic Service Set (IBSS)
• Stand-alone BSS
• No backbone infrastructure
• At least 2 stations
• Ad hoc Network
• Small area
[Figure: Basic Service Set with its Cell Boundary]
Extended Service Set (ESS)
• Extending range
• Arbitrary size
• Multiple cells interconnect
• Need Access Point and Distributed system
[Figure: BSS1 and BSS2 interconnected by the Distributed System]
Frame Control – Address Fields
ToDS | FromDS | Add 1 | Add 2 | Add 3 | Add 4
0 | 0 | DA | SA | BSSID | N/A
0 | 1 | DA | BSSID | SA | N/A
1 | 0 | BSSID | SA | DA | N/A
1 | 1 | RA | TA | DA | SA
DS: Distribution System
Address Example
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
[Figure: captured frame with the DA, SA and BSSID fields marked]
Frame Control Fields
• Retry: 1 = retransmit, 0 = regular
• PWR Mgmt: sender is going to be 1 = Sleep (power saving) mode, 0 = Full active mode
• WEP: 1 = Data encrypted, 0 = Other Tx
How to capture WLAN packets?
• To capture WLAN packet in Linux (Ubuntu)
  • Install Wireshark
    # sudo apt-get install wireshark
  • Change your wireless NIC to “monitor” mode
    • Disable your WLAN card
      # ifconfig wlan0 down
    • Change mode of the wireless NIC card
      # iwconfig wlan0 mode monitor
    • Then up the interface
      # ifconfig wlan0 up
  • Now start the wireshark
• To stop capturing and start using the regular WLAN
  • Change mode of the wireless NIC card
    # iwconfig wlan0 mode managed
Wireless Diagnostics on macOS High Sierra 10.13.3
Wireless Diagnostics: Info
Wireless Diagnostics: scan
Wireless Diagnostics: Performance
Wireless Diagnostics: sniffer
wireshark
Capture packet: Live Demo
IEEE 802.11 Basic process
• Authentication
• Association
• Starting an IBSS
  • One station is configured to be “initiating station”
  • Starter sends beacons
Frame Control – Address Fields
ToDS | FromDS | Add 1 | Add 2 | Add 3 | Add 4
0 | 0 | DA | SA | BSSID | N/A
0 | 1 | DA | BSSID | SA | N/A
1 | 0 | BSSID | SA | DA | N/A
1 | 1 | RA | TA | DA | SA
ToDS/FromDS values:
00: All management/control frames
01: Data Frames from AP
10: Data Frames to AP
11: Data Frames on a wireless bridge
DS: Distribution System
DA: Destination Addr
SA: Source Addr
TA: Transmitter Addr
RA: Receiver Addr
BSSID: BSS ID same as AP
Traffic Flow
MAC filters frames based on “Addr1”
• In IBSS: Traffic is sent directly to the destination in BSS
  Add1 = MAC add of the destination station
  Add2 = MAC add of the source station
  Add3 = BSSID (= MAC add of the initiator of the IBSS)
• In ESS: Outgoing traffic is sent to Access-Point in BSS
  Add1 = MAC add of the Access-Point
  Add2 = MAC add of the source station
  Add3 = MAC add of the destination station
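One way to decode the header fields and apply the ToDS/FromDS address table above, as an added example that is not part of the original slides. The function names and both sample frames are constructed for illustration.

```python
import struct

TYPES = ("Mgmt", "Control", "Data", "Reserved")
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 4: "Probe Request", 8: "Beacon", 11: "Authentication"}
FLAGS = ("ToDS", "FromDS", "MoreFrag", "Retry", "PwrMgmt", "MoreData", "WEP", "Order")
# (ToDS, FromDS) -> roles of Address 1..4, copied from the slide's table
ROLES = {(0, 0): ("DA", "SA", "BSSID"), (0, 1): ("DA", "BSSID", "SA"),
         (1, 0): ("BSSID", "SA", "DA"), (1, 1): ("RA", "TA", "DA", "SA")}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the MAC header of a management or data frame (no FCS needed)."""
    if len(frame) < 24:
        raise ValueError("management/data header is at least 24 bytes")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1:
        raise ValueError("control frames (RTS/CTS/ACK) use shorter headers")
    flags = {name: (fc >> (8 + bit)) & 1 for bit, name in enumerate(FLAGS)}
    roles = ROLES[(flags["ToDS"], flags["FromDS"])]
    if len(roles) == 4 and len(frame) < 30:
        raise ValueError("Address 4 missing")
    offsets = (4, 10, 16, 24)                 # Seq Control sits at 22..23
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    return {
        "version": fc & 0x3,
        "type": TYPES[ftype],
        "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
        "flags": flags,
        "duration": duration,
        "addresses": {r: mac(frame[o:o + 6]) for r, o in zip(roles, offsets)},
        "fragment": seq_ctl & 0xF,
        "sequence": seq_ctl >> 4,
    }


# Constructed samples (not from a capture): a WEP-protected data frame sent
# to the AP, and the header of a broadcast beacon.
TO_AP = bytes.fromhex("0841 2c00 aabbcc000001 020000000010 020000000020 3012")
BEACON = bytes.fromhex("8000 0000 ffffffffffff aabbcc000001 aabbcc000001 0000")
```

When reading a capture, the ToDS/FromDS pair has to be decoded before the addresses, because the same byte offsets carry different roles in each of the four cases.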
Address Fields (To AP)
[Figure: Client → AP → DS → Server. Client: SA/TA. AP: RA (BSSID). Server: DA.]
Address Fields (From AP)
[Figure: Server → DS → AP → Client. Client: RA/DA. AP: TA (BSSID). Server: SA.]
Address Fields (WDS)
[Figure: Client, AP, Wireless Bridge, AP, DS and Server, with the SA, TA, RA and DA roles marked]
Traffic flow inside BSS
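[Figure: STA-1 and STA-2 associate with the Access Point (WaveLAN PC-Card) of BSS-A. The Access Point holds an association table and a bridge learn table and performs the Inter-BSS Relay: the packet for STA-2 is sent to the Access Point and acknowledged (ACK), then relayed to STA-2 and acknowledged (ACK).]
From WaveLAN Slide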
Traffic flow in ESS
[Figure: STA-1 and STA-2 in different cells (BSS-A, BSS-B). Access Point - A and Access Point - B (each a WaveLAN PC-Card with an association table and a bridge learn table) forward the packet for STA-2 between the cells; each wireless transmission is acknowledged (ACK).]
From WaveLAN Slide
Traffic flow in WDS
[Figure: STA-1 and STA-2 in different cells (BSS-A, BSS-B). The two Access Points (each a WaveLAN PC-Card with an association table and a bridge learn table) forward the packet for STA-2 over the WDS Relay; each wireless transmission, including the one between the Access Points, is acknowledged (ACK).]
From WaveLAN Slide
802.11 Frame
Data Frame
MAC Header | Frame Body (0-2312 bytes) | FCS (4 bytes)
[Figure: exchange between St #1 and St #2: RTS, SIFS, CTS, SIFS, Frame Tx, SIFS, ACK]
Control Frame : RTS
RTS frame: Frame Control (2 bytes) | Duration1 (2 bytes) | RA (6 bytes) | TA (6 bytes) | FCS (4 bytes)
Duration1 = CTS + Data + ACK + 3 SIFS (NAV)
[Figure: station (SA/TA) and AP (RA, BSSID); timeline of St #1 and St #2: RTS, SIFS, CTS, SIFS, Frame Tx, SIFS, ACK]
Control Frame : CTS
CTS frame: Frame Control (2 bytes) | Duration2 (2 bytes) | RA (6 bytes) | FCS (4 bytes)
Duration1 = CTS + Data + ACK + 3 SIFS
Duration2 = Duration1 - CTS - SIFS (NAV)
Control Frame : ACK
ACK frame: Frame Control (2 bytes) | Duration3 (2 bytes) | RA (6 bytes) | FCS (4 bytes)
Duration = (Frac X+1) + 3 SIFS + 2 ACK (NAV)
[Figure: timeline of St #1 and St #2: Frac X, Ack X, Frac X+1, Ack X+1, separated by SIFS]
Management Frame: Beacon
• Announce the existence of a network
• Regular intervals
• Allow network management
• AP is responsible
[Figure: Beacon Frame]
Power Conservation
• Mobility relies on batteries
• Frequent recharging is undesirable
• How to save the battery?
  • Power down the transceiver
• Power down status
  • Sleep/Doze/Power saving mode
• Power up status
  • Active/Awake mode
Power Saving Goal
• Minimizing time spent in the Awake mode
• No sacrifice of network connectivity
Power conservation in the Infrastructure Mode
• All traffic goes through Access Point
• AP is always active (connected to power supply)
• (Associated) Mobile nodes send their status to AP
• AP manages timing for sending data
• AP sends data to the active node
• Periodically announce to sleep nodes if data is waiting (Keep buffering the data)
Power consumption
Mode | Power Consumption
Awake – Transmit packets | 1.65 W *1
Awake – Receive packets | 1.40 W *1
Awake – Idle | 1.15 W *1
Doze | 0.045 W *2
*1 Mark Stemm and Randy H. Katz, “Measuring and reducing energy consumption of network interfaces in hand-held devices,” IEICE Transactions on Communications, special Issue on Mobile Computing, vol. E80-B, no. 8, pp. 1125–31, 1997
*2 Havinga P.J.M., Smit G.J.M., “Energy-efficient TDMA medium access control protocol scheduling”, Asian International Mobile Computing Conference (AMOC 2000), Nov. 2000.
Power saving
• Doze mode
  • Default state
  • keep radio off most of the time
  • wake up periodically to check for messages
• Sleep mode
  • radio in transmit-only standby mode
  • radio wakes up and sends if necessary but cannot receive
Sleep time
• Negotiate in the association process
• “Listen Interval” parameter
• #beacon periods
• Long interval
• large buffer needed @AP
• Time up
• AP discards buffered frames
Management Frame: TIM
• Traffic Indication Map
• Low-power mode
• TIM is transmitted in the Beacon frame
• AP sends to sleeping station
• data is waiting for the sleeping station
• Each node must wake up to listen for Beacon frame (with TIM included)
Traffic Indication Map (TIM)
• A virtual bitmap
• Each bit for each Association ID (AID)
• “Set” bit = AP has buffered unicast frames for the AID station
• Size = 2,008 bits
Frame Retrieval Process
[Figure: in each Beacon Interval the AP sends a beacon with a TIM, in sequence TIM(X,Y), TIM(X,Y), TIM(X), TIM(X,Y), TIM(No). Stations X and Y each send a PS-Poll and receive Data.]
X: listen interval = 3
Y: listen interval = 2
PS = power saving
Other TIM
• Delivery TIM (DTIM)
  • Multicast and Broadcast frames
• ATIM (Announcement TIM)
  • used in IBSS Beacon Frame
  • # of time units between ATIM frames
Power Management in IBSS
[Figure: each Beacon Interval starts with a Beacon followed by the ATIM Window. Station A: Transmit ATIM, Receive ACK, Transmit Frame, Receive ACK. Station B: Receive ATIM, Transmit ACK, Receive Frame, Transmit ACK.]
Sweta Sarkar, 2002
More Data
• Mobile node sends a PS-Poll for a buffered frame
• AP sends back data
• Observe the “More Data” bit in Frame Control
• Send more PS-Poll if More Data ≠ 0