Figure 29 BSS transition

An ESS transition refers to the movement from one ESS to a second distinct ESS. 802.11 does not support this type of transition, except to allow the station to associate with an access point in the second ESS once it leaves the first. Higher-layer connections are almost guaranteed to be interrupted. It would be fair to say that 802.11 supports ESS transitions only to the extent that it is relatively easy to attempt associating with an access point in the new extended service area. Maintaining...

Understanding the LLC header

To multiplex higher-level protocol data over the wireless link, 802.11 uses the LLC SNAP encapsulation. (SNAP encapsulation was described at the end of Chapter 3.) 802.11 does not include a protocol field, so receivers cannot discriminate between different types of network protocols. To allow multiple protocols, an 8-byte SNAP header is added. The SNAP header is decoded in Ethereal's tree view, as shown in Figure 16-8. Highlighting the LLC header in the tree view shows the corresponding 8-byte...

Characteristics of the DS PHY

Table 10-8 shows the values of a number of parameters in the DS PHY. In addition to the parameters in the table, which are standardized, the DS PHY has a number of parameters that can be adjusted to balance delays through various parts of an 802.11 direct-sequence system. It includes variables for the latency through the MAC, the PLCP, and the transceiver, as well as variables to account for variations in the transceiver electronics. One other item of note is that the total aggregate throughput...

The ISM bands

In Table 1-1, there are three bands labeled ISM, which is an abbreviation for industrial, scientific, and medical. ISM bands are set aside for equipment that, broadly speaking, is related to industrial or scientific processes or is used by medical equipment. Perhaps the most familiar ISM-band device is the microwave oven, which operates in the 2.4-GHz ISM band because electromagnetic radiation at that frequency is particularly effective for heating water. I pay special attention to the ISM...

Type code 13 TLS

In its initial form, EAP does not protect transmissions from eavesdropping. In a way, this is an understandable posture, given the origins of the protocol. When EAP is used over dial-up or dedicated links, there is a small chance of interception, but many administrators feel comfortable that the link is reasonably protected against eavesdropping. For some links, however, assuming the existence of security may not be appropriate. RFC 2716 describes the use of Transport Layer Security (TLS) for...

Backoff with the DCF

Contention Window

After frame transmission has completed and the DIFS has elapsed, stations may attempt to transmit congestion-based data. A period called the contention window or backoff window follows the DIFS. This window is divided into slots. Slot length is medium-dependent; higher-speed physical layers use shorter slot times. Stations pick a random slot and wait for that slot before attempting to access the medium; all slots are equally likely selections. When several stations are attempting to transmit, the...

Conducting the Site Survey

When working on the site survey, you must duplicate the actual installation as much as possible. Obstacles between wireless LAN users and access points decrease radio strength, so make an effort to replicate exactly the installation during the site survey. If access points need to be installed in wiring closets, make sure the door is closed while testing so the survey accounts for the blocking effect of the door on radio waves. Antennas should be installed for the test exactly as they would be...

Framing and scrambling

Unlike the other physical layers, two options exist for the PLCP framing. Both are shown in Figure 10-26. The long frame format is identical to the classic DS PLCP format and must be supported. For efficiency and improved throughput, stations may also support the optional short PLCP format. Naturally, the optional short format may be used only if all stations support it. To prevent networks configured for the short format from disappearing, 802.11b requires that stations answering Probe...

Fragmentation and Reassembly

Higher-level packets and some large management frames may need to be broken into smaller pieces to fit through the wireless channel. Fragmentation may also help improve reliability in the presence of interference. The primary sources of interference with 802.11 LANs are microwave ovens, with which they share the 2.4-GHz ISM band. Electromagnetic radiation is generated by the magnetron tube during its ramp-up and ramp-down, so microwaves emit interference half the time.[2] [2] In the US,...

Figure 21 The IEEE 802 family and its relation to the OSI model

IEEE 802 specifications are focused on the two lowest layers of the OSI model because they incorporate both physical and data link components. All 802 networks have both a MAC and a Physical (PHY) component. The MAC is a set of rules to determine how to access the medium and send data, but the details of transmission and reception are left to the PHY. Individual specifications in the 802 series are identified by a second number. For example, 802.3 is the specification for a Carrier Sense...

Traffic Indication Map (TIM)

Access points buffer frames for mobile stations sleeping in low-power mode. Periodically, the access point attempts to deliver buffered frames to sleeping stations. A practical reason for this arrangement is that much more power is required to power up a transmitter than to simply turn on a receiver. The designers of 802.11 envisioned battery-powered mobile stations; the decision to have buffered frames delivered to stations periodically was a way to extend battery life for low-power devices....

Characteristics of the HR/DSSS PHY

Table 10-13 shows the values of a number of parameters in the HR/DSSS PHY. Like the DS PHY, the HR/DSSS PHY has a number of parameters that can be adjusted to compensate for delays in any part of a real system. The SIFS is used to derive the value of the other interframe spaces (DIFS,...

A31 The dot11Operations Table

The main table in the station management tree is the global configuration table, dot11OperationTable, which is shown in Figure A-6. All entries in the station configuration table start with the prefix 2.1.1 and are indexed by a system interface. This object is the MAC address of the station. By default, it is the globally unique address assigned by the manufacturer. It may, however, be overridden by a local manager. dot11RTSThreshold (integer, range 0-2,347; default value is 2,347): Any unicast data...

wvlan_cs driver parameters

Several options can be passed to the wvlan_cs module by cardmgr when it is loaded into the kernel. These options are most easily set in /etc/pcmcia/config.opts. See Table 13-5. Table 13-5. wvlan_cs driver parameters: Specifies interrupts that may be used by driver. Sets network type to infrastructure (1), wireless distribution system (2), or ad hoc network (3). Sets station name; defaults to card setting. Configures name for ad hoc network or name of target infrastructure network. Channel number...

Reassociation Procedure

Reassociation is the process of moving an association from an old access point to a new one. Over the air, it is almost the same as an association; on the backbone network, however, access points may interact with each other to move frames. When a station moves from the coverage area of one access point to another, it uses the reassociation process to inform the 802.11 network of its new location. The procedure is shown in Figure 7-8. The mobile station begins the procedure associated with an...

Figure 430 Status Code field

Requested capability set is too broad and cannot be supported
Reassociation denied; prior association cannot be identified and transferred
Association denied for a reason not specified in the 802.11 standard
Requested authentication algorithm not supported
Unexpected authentication sequence number
Authentication rejected; the response to the challenge failed
Authentication rejected; the next frame in the sequence did not arrive in the expected window
Association denied; the access point is...

Figure 1113 Signal field of OFDM PLCP frame

Four bits encode the data rate. Table 11-2 shows the bits used to encode each of the data rates. See Section 11.4 for details on the encoding and modulation scheme used for each data rate. Twelve bits encode the number of bytes in the embedded MAC frame. Like most fields, it is transmitted least-significant bit...

Differential binary phase shift keying (DBPSK)

The simplest form of PSK uses two carrier waves, shifted by a half cycle relative to each other. One wave, the reference wave, is used to encode a 0; the half-cycle shifted wave is used to encode a 1. Table 10-6 summarizes the phase shifts, and Figure 10-19 illustrates the encoding as a phase difference from a preceding sine wave. To stick with the same example, encoding the letter M (1001101 in binary) is a matter of dividing up the time into seven symbol times then transmitting the wave with...

Complementary Code Keying

802.11 direct-sequence systems use a rate of 11 million chips per second. The original DS PHYs divided the chip stream up into a series of 11-bit Barker words and transmitted 1 million Barker words per second. Each word encoded either one bit or two bits for a corresponding data rate of 1.0 Mbps or 2.0 Mbps, respectively. Achieving higher data rates and commercial utility requires that each code symbol carry more information than a bit or two. Straight phase shift encoding cannot hope to carry...

EAPOL Encapsulation

The basic format of an EAPOL frame is shown in Figure 6-7. EAPOL encapsulation is now analyzed by many popular network analyzers, including Ethereal. The frame's components are: Figure 6-7 shows the encapsulation on a wired Ethernet, so the MAC header consists of the destination MAC address and the source MAC address. On a wireless network, the MAC header would be the 24- to 30-byte header described in Chapter 3. As with any other Ethernet frame, the Ethernet Type field contains the two-byte...

Frame Control Header

ACK frames are used to send the positive acknowledgments required by the MAC and are used with any data transmission, including plain transmissions, frames preceded by an RTS/CTS handshake, and fragmented frames (see Figure 4-17). Three fields make up the MAC header of an ACK frame. Frame Control: The frame subtype is set to 1101 to indicate an ACK frame. Duration: The duration may be set in one of two ways, depending on the position of the ACK within the frame exchange. ACKs for complete data frames...

CS/CCA for the DS PHY

802.11 allows the CS/CCA function to operate in one of three modes. Mode 1: When the energy exceeds the energy detection (ED) threshold, it reports that the medium is busy. The ED threshold depends on the transmit power. Implementations using Mode 2 must look for an actual DSSS signal and report the channel busy when one is detected, even if the signal is below the ED threshold. Mode 3 combines Mode 1 and Mode 2. A signal must be detected with sufficient energy before the channel is reported busy...

Figure 429 Reason Code field

Station has left the basic service area or extended service area and is deauthenticated
Inactivity timer expired and station was disassociated
Disassociated due to insufficient resources at the access point
Incorrect frame type or subtype received from unauthenticated station
Incorrect frame type or subtype received from unassociated station
Station has left the basic service area or extended service area and is disassociated
Association or reassociation requested before authentication is...

Figure 445 Reassociation Request frame

Association and Reassociation Requests differ only in that a Reassociation Request includes the address of the mobile station's current access point. Including this information allows the new access point to contact the old access point and transfer the association data. The transfer may include frames that were buffered at the old access point.

A Few Words on 802.11 Hardware

As with other devices running under Linux, the more you know about the hardware, the better off you are. Only a handful of 802.11 chipset manufacturers exist. Most vendors use chipsets produced by Intersil (http://www.intersil.com, formerly known as Harris Semiconductor). Intersil's industry-leading position is the result of the success of its PRISM chipset. The initial PRISM, whose name is an acronym for Programmable Radio in the ISM band, was a common solution for vendors seeking a 2-Mbps DSSS...

Sample 802.1x Exchange

EAPOL exchanges look almost exactly like EAP exchanges. The main difference is that supplicants can issue EAPOL-Start frames to trigger the EAP exchange, and they can use EAPOL-Logoff messages to deauthorize the port when the station is done using the network. The examples in this section assume that a RADIUS server is used as the backend authentication server, and therefore they show the authenticator performing translation from EAP on the front end to RADIUS on the back end. EAP...

EAP Packet Format

Figure 6-2 shows the format of an EAP packet. When used on PPP links, EAP is carried in PPP frames with a protocol number of 0xC227. There is no strict requirement that EAP run on PPP; the packet shown in Figure 6-2 can be carried in any type of frame. The fields in an EAP packet are: The Code field, the first field in the packet, is one byte long and identifies the type of EAP packet. It is used to interpret the Data field of the packet. The Identifier field is one byte long. It contains an...

Figure 15-1 Standard wireless LAN deployment topology

Wireless Backbone Topology

Some deployments may look like multiple instances of Figure 15-1. The topology shown in the figure provides seamless mobility between the access points connected to the access point backbone network. In very large deployments, such as a campus-wide deployment across a large number of buildings, it may be desirable to limit the coverage areas in which seamless roaming is provided. One common strategy is to provide seamless mobility within individual buildings, but not provide roaming between...

WEP Data Processing

Confidentiality and integrity are handled simultaneously, as illustrated in Figure 5-3. Before encryption, the frame is run through an integrity check algorithm, generating a hash called an integrity check value (ICV). The ICV protects the contents against tampering by ensuring that the frame has not changed in transit. The frame and the ICV are both encrypted, so the ICV is not available to casual attackers. WEP specifies the use of a 40-bit secret key. The secret WEP key is combined with a...

Sequence Control Field

Fragment Number Sequence Control

This 16-bit field is used for both defragmentation and discarding duplicate frames. It is composed of a 4-bit fragment number field and a 12-bit sequence number field, as shown in Figure 3-12. Higher-level frames are each given a sequence number as they are passed to the MAC for transmission. The sequence number subfield operates as a modulo-4096 counter of the frames transmitted. It begins at 0 and increments by 1 for each higher-level packet handled by the MAC. If higher-level packets are...

Figure 87 CF-End frame

When the contention-free period ends, the access point transmits a CF-End frame to release stations from the PCF access rules and then begins contention-based service using the DCF. If the access point must also acknowledge receipt of data, it may simultaneously end the contention-free period and acknowledge the previous frame by using the CF-End+CF-Ack frame, which combines both functions. The format of the CF-End+CF-Ack frame is shown in Figure 8-8. Four fields make up the MAC header of the...

"Tx attempt prior to association, frame dropped" error message

This message is quite self-explanatory: a frame was queued for transmission before the station successfully associated with an access point. Several things might cause this error: If the desired SSID is not found, no association is made. Authentication is a precondition of association. If the authentication type is mismatched or the WEP key used for authentication is incorrect, the association fails. Resource conflicts can interfere with the sending and receiving of frames, which may cause...

Figure 7-3 Active scanning procedure and medium access

Active Scanning

In Figure 7-3a, a mobile station transmits a probe request to which two access points respond. The activity on the medium is shown in Figure 7-3b. The scanning station transmits the Probe Request after gaining access to the medium. Both access points respond with a Probe Response that reports their network's parameters. Note that the second Probe Response is subject to the rules of the distributed coordination function and must wait for the congestion window to elapse before transmitting. The...

Probe Request

802 Probe Request Frame

Mobile stations use Probe Request frames to scan an area for existing 802.11 networks. The format of the Probe Request frame is shown in Figure 4-40. All fields are mandatory. A Probe Request frame contains two fields: the SSID and the rates supported by the mobile station. Stations that receive Probe Requests use the information to determine whether the mobile station can join the network. To make a happy union, the mobile station must support all the data rates required by the network and must...

Listen Interval

When stations associate with an access point, one of the parameters specified is the listen interval, which is the number of Beacon intervals between instances when the station wakes up to receive buffered traffic. Longer listen intervals enable a station to power down the transceiver for long periods. Long power-downs save a great deal of power and can dramatically extend battery life. Each station may have its own listen interval. Lengthening the listen interval has two drawbacks. Access...

Level GFSK

Using a scheme such as this, there are two ways to send more data: use a higher symbol rate or encode more bits of information into each symbol. 4-level GFSK (4GFSK) uses the same basic approach as 2GFSK but with four symbols instead of two. The four symbols (00, 01, 10, and 11) each correspond to a discrete frequency, and therefore 4GFSK transmits twice as much data at the same symbol rate. Obviously, this increase comes at a cost: 4GFSK requires more complex transmitters and receivers. Mapping of...

Figure 165 An 802.11 header in tree view

Compared to Control and Data frames, 802.11 Management frames have a great deal of structure. Ethereal decodes Management frames into two parts. Fixed Parameters in the tree view pane correspond to the fixed fields of 802.11 management frames. Tagged Parameters are the variable fields and are decoded in the tree view pane. Table 16-2 shows the fixed fields that can be searched on in Ethereal, as well as the capability flags. Table 16-2. Fixed Management frame components Authentication...

Characteristics of the FH PHY

Table 10-4 shows the values of a number of parameters in the FH PHY. In addition to the parameters in the table, which are standardized, the FH PHY has a number of parameters that can be adjusted to balance delays through various parts of an 802.11 frequency-hopping system. It includes variables for the latency through the MAC, the PLCP, and the transceiver, as well as variables to account for variations in the transceiver electronics. One other item of note is that the total aggregate...

Appendix A 802.11 MIB

802.11 contains extensive management functions to make the wireless connection appear much like a regular wired connection. The complexity of the additional management functions results in a complex management entity with dozens of variables. For ease of use, the variables have been organized into a management information base (MIB) so that network managers can benefit from taking a structured view of the 802.11 parameters. The formal specification of the 802.11 MIB is Annex D of the 802.11...

PRISM monitoring header

Prismcapture

The modifications to libpcap add a PRISM pseudo-header to any captured frames. Some of the information in this header corresponds to the information that would be kept in the PLCP header. Figure 16-7 shows the pseudo-header on a frame. Figure 16-7. PRISM monitoring header. Four fields of note are reported by the PRISM capture: A timestamp added by the MAC counter to each received frame. Indicates the signal strength of the received packet. Quantifies...

Frame Check Sequence

As with Ethernet, the 802.11 frame closes with a frame check sequence (FCS). The FCS is often referred to as the cyclic redundancy check (CRC) because of the underlying mathematical operations. The FCS allows stations to check the integrity of received frames. All fields in the MAC header and the body of the frame are included in the FCS. Although 802.3 and 802.11 use the same method to calculate the FCS, the MAC header used in 802.11 is different from the header used in 802.3, so the FCS must be...

WEP keying

To protect traffic from brute-force decryption attacks, WEP uses a set of up to four default keys, and it may also employ pairwise keys, called mapped keys, when allowed. Default keys are shared among all stations in a service set. Once a station has obtained the default keys for its service set, it may communicate using WEP. Key reuse is often a weakness of cryptographic protocols. For this reason, WEP has a second class of keys used for pairwise communications. These keys are shared only...

Interframe spacing and priority

Atomic operations start like regular transmissions: they must wait for the DIFS before they can begin. However, the second and any subsequent steps in an atomic operation take place using the SIFS, rather than during the DIFS. This means that the second and subsequent parts of an atomic operation will grab the medium before another type of frame can be transmitted. By using the SIFS and the NAV, stations can seize the medium for as long as necessary. In Figure 3-5, for example, the short...

Figure 436 Traffic Indication Map information element

The meat of the traffic indication map is the virtual bitmap, a logical structure composed of 2,008 bits. Each bit is tied to the Association ID. When traffic is buffered for that Association ID, the bit is 1. If no traffic is buffered, the bit tied to the Association ID is 0. Four fields make up the body of the TIM information element: This one-byte field is the number of Beacons that will be transmitted before the next DTIM frame. DTIM frames indicate that buffered broadcast and multicast...

On the Naming of Access Points

Many institutions have naming policies that may dictate DNS names for wireless LAN access points. Device names should be as descriptive as possible, within reason. Companies that provide network service to other users, such as a hot spot provider, may wish to withhold detailed location information from users to keep the physical location of access points secret. Figure 15-7 illustrates a DNS naming convention in which the secrecy of access point locations is not a...

Clear channel assessment

Like the original DS PHY, high-rate implementers have three choices for the CS/CCA operation mode. All the direct-sequence CCA modes are considered to be part of the same list. Mode 1 is identical to the DS PHY's CCA Mode 1, and Modes 2 and 3 are used exclusively by the original DS PHY. Modes 4 and 5 are the HR/DSSS-specific CCA modes. When the energy exceeds the energy detection (ED) threshold, the medium is reported busy. The ED threshold depends on the transmit power used. This mode is also...

PCF Operation

Dcf And Pcf

Figure 8-1 shows a transfer using the PCF. When the PCF is used, time on the medium is divided into the contention-free period (CFP) and the contention period. Access to the medium in the former case is controlled by the PCF, while access to the medium in the latter case is controlled by the DCF and the rules from Chapter 7. The contention period must be long enough for the transfer of at least one maximum-size frame and its associated acknowledgment. Alternating periods of contention-free...