The following sections cover the relevant standards and basic concepts discussed throughout the rest of this book. The IEEE standards are long, detailed, and thorough; for example, the 802.11 document is 528 pages. This chapter highlights the discussions that focus on what you need to know to implement security without bogging you down with details. Of course, these discussions are not a substitute for the actual standard. Also, note that later chapters will cover all the security standards in detail.
This standard, titled "Part 11: Wireless LAN Media Access Control (MAC) and Physical Layer (PHY) Specifications," is the fundamental standard for the WLAN; hence, the WLAN is called the 802.11 WLAN. The standard is extensive and defines the mechanics and mechanisms in detail. It is the authoritative source for the definitions, topologies, and ontology covered in Chapter 1, "Securing WLANs Overview." The messages, choreographies, and other WLAN characteristics are covered in Chapter 4, "WLAN Fundamentals," and beyond, and they are also derived from this specification.
In essence, the 802.11 specification defines the following:
Various services such as association, reassociation, authentication, and privacy
Frame formats, including the MAC and PHY sublayer functionalities
FHSS and DSSS functions, including the frames
WEP algorithm and process for confidentiality
The next few chapters in this book cover these concepts in detail.
This specification, titled "Higher-Speed Physical Layer Extension in the 2.4-GHz Band," details the widely deployed WLAN in the 2.4-GHz band, providing 5 and 11 Mbps using the Complementary Code Keying (CCK) modulation scheme for DSSS. The original 802.11 specification supported 1-Mbps and 2-Mbps data rates.
In addition to the HR/DSSS feature, this specification adds some technologies to the WLAN domain. The new features include the following:
Short preamble option (72 bits) in Layer 2 for faster synchronization; the 802.11 specification has the long preamble (144 bits). Of course, the 802.11b specification works with the long preamble, and the short preamble is optional. The preamble is the Physical Layer Convergence Protocol (PLCP) Preamble in the PLCP Protocol Data Unit (PPDU).
Channel agility feature, which counteracts the limitation of the static channel allocation in the 802.11 specification.
The specification, which is approximately 100 pages, covers the PHY and MAC aspects of the high-rate extension, including the message formats, different codes, values, state machines, service primitives' semantics, and choreographies.
It is interesting to see the channel allocation across different countries. In addition to the original 802.11 and 802.11b specifications, 802.11b Corrigendum 1 adds more frequencies as per the Ministry of Public Management, Home Affairs, Post, and Telecommunication (MPHPT) Ordinance for Regulating Radio Equipment, Article 49-20 in Japan. Figure 3-2 shows the combined channel layout in the 2.4-GHz spectrum for different countries.
The IEEE 802.11a specification, titled "Higher-Speed Physical Layer Extension in the 5-GHz Band," defines the artifacts required to support the 5.15-GHz to 5.25-GHz, 5.25-GHz to 5.35-GHz (actual 5.18-GHz to 5.32-GHz), and 5.725-GHz to 5.825-GHz (actual 5.745-GHz to 5.825-GHz) unlicensed National Information Infrastructure (U-NII) spectrum using OFDM modulation scheme and supports the 6-, 9-, 12-, 18-, 24-, 36-, 48-, and 54-Mbps speeds. Figure 3-3 shows the channel plan.
The specification, which is approximately 91 pages, describes in detail the various codes, equations, wave forms, and Layer 2 and Layer 1 implementations for achieving the radio LAN. 802.11a was originally branded "Wi-Fi5" to differentiate it from 802.11b, but the name didn't stick; as a result, the term "Wi-Fi" now covers 802.11b, 802.11a, and 802.11g.
Although it offers higher bandwidths, the 802.11a technology also results in shorter range. This makes it ideal for places where there is a concentration of many users or many high-bandwidth applications. Another advantage is that the 5-GHz spectrum is a relatively free spectrum in terms of interference from appliances and devices. But the 5-GHz electronic components are costly, and an 802.11a network requires new equipment and is not backward compatible with the more popular 802.11b devices. As a result, even though the 802.11a specification had a lot of promise, it has currently become an intermediate-stage mainstream technology, between the 802.11b and 802.11g technologies. Some think that 802.11a has a future in home networks, especially in audio-video equipment, which requires a high-fidelity bandwidth in a relatively short distance. Others think it is a waste to relegate 802.11a to the home when the extra channels are needed by enterprises, and hence 802.11a will also have long-term application in enterprises in which more channels, small cells, and high bandwidth are design goals. Dual-mode devices are inexpensive and will probably continue to be used for quite some time.
The IEEE 802.11g specification, titled "Amendment 4: Further Higher Data Rate Extension in the 2.4-GHz Band," defines the frame formats, fields, and codes that add higher rates to the basic 802.11 specification using the DSSS-OFDM modulation scheme in the 2.4-GHz ISM band. The new higher data rates added by this specification are 6, 9, 12, 18, 22, 24, 33, 36, 48, and 54 Mbps. This specification, like its siblings 802.11a and 802.11b, is unassuming and functional, yet it is influential and will be discussed for a long time.
There are discussions about whether 802.11g will be the ultimate specification or a temporary compromise that will give way to a more firm specification. One reason is that 802.11g is a combination of different technologies and has four modes to satisfy all constituents. It has higher speed, using the OFDM technologies (similar to 802.11a), in the 2.4-GHz range (similar to 802.11b) and has only three channels. (The channels are nonoverlapping.)
One advantage of 802.11g over the 802.11a specification is that it has backward compatibility (and co-existence); you can still use the older 802.11b CCK modulation scheme, throughputs, and channels, but at the 802.11b speeds, of course.
A recent article pointed out that the throughput of 802.11g implementations goes down if they are supporting mixed 802.11g and 802.11b cards, and the degradation of speed persists even when the 802.11b cards are inactive. This failure happens when the 802.11b cards become inactive after having been active.
Another advantage of the 802.11g specification is the use of the 2.4-GHz spectrum with its less costly electronic components and higher range and penetrability. Of course, it is susceptible to interference from microwaves, cordless phones, and other devices in the 2.4-GHz spectrum.
Titled "IEEE Trial-Use Recommended for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation," the IEEE 802.11f specification defines service primitives and protocols for access points (APs) to exchange information.
This standard is relatively unknown and less complex (as compared to other IEEE 802.11 standards); approximately 78 pages, it details the mechanisms at the higher layers. The Inter-Access Point Protocol (IAPP) can be used not only among the APs but also among switches and bridges that require the exchange of WLAN information. The IAPP uses a distribution service network using TCP and UDP and is, therefore, independent of the WLAN traffic and security mechanisms.
Because the various detailed mechanisms are beyond the scope of this book, this subsection examines the abbreviated features.
The 802.11f specification introduces a higher-layer entity called the Access Point Management Entity (APME), which interacts with the IAPP using a Service Access Point (SAP) layer. The SAP layer has four primitives: requests, confirms (that the request has been completed), responses (to requests), and indications (of events/triggers).
The Remote Authentication Dial-In User Service (RADIUS) protocol provides the security and authentication services. The RADIUS protocol provides the BSSID to IP address resolution of the APs, in addition to key distribution for encrypting the AP-to-AP traffic. Some RADIUS interactions require changes in the RADIUS RFC and are being addressed by an appropriate IETF document (http://www.ietf.org/internet-drafts/draft-moskowitz-radius-client-kickstart-01.txt).
The specification adds capability for faster roaming by proactive caching of STA (STAtion or client) context between neighboring APs. This capability is enhanced by adding the dynamic learning of neighboring AP graphs and caching the graphs. There is a station move process to "move" an STA to a different AP without the STA doing the association process all over again.
The IEEE 802.11e specification, titled "Media Access Control (MAC) Quality of Service (QoS) Enhancements," adds the QoS capability and essential features for multimedia support to WLANs. The QoS functionality is required for audio, voice, and video applications that are highly sensitive to delay and require guaranteed throughput and tight limits on jitter. The specification, affectionately called the Wireless Multimedia Enhancements (WME), is approximately 165 pages. Because of the underlying protocols and transmission medium, the specification does not guarantee deterministic levels of throughput, jitter, delay, or any such properties; the final result is still best effort. Therefore, QoS as addressed by 802.11e provides better effort but is not guaranteed.
The following sections look at some of the most important WME features that are addressed in this specification.
The WME defines QoS in terms of mechanisms and the ability to recognize, classify, and prioritize four access categories and eight traffic streams. The access categories are Voice, Video, Best Effort, and Background. The 802.11e specification adds frame formats, elements, messages, and other artifacts to specify, classify, and distinguish between the various traffic streams.
The WME features are basically implemented at Layer 2 with the ability to set policies at the higher layers. As you have seen, the upper layers set the priorities or traffic categories, and the Layer 2 mechanisms are adjusted appropriately.
The specification provides two mechanisms: EDCA and HCCA. The following is a general description of these two mechanisms:
The Enhanced Distributed Channel Access (EDCA) provides a method to poll a channel more frequently based on user priorities (UP) set by the application layer; higher-priority traffic will have a shorter waiting period. The eight priorities 7 to 0 are as identified in the 802.1D priority tags. Table 3-3 shows the mapping between access categories and the priority designators.
The HCF (Hybrid Coordination Function) Controlled Channel Access (HCCA) is a reservation-based mechanism that is initiated by the voice/video application through management primitives.
Recent research (http://mosquitonet.stanford.edu/software/802.11e/ipc84.pdf) on the characteristics of these mechanisms observed that EDCF provides significant improvements for higher-priority traffic but causes worse performance for lower priorities; the HCCA provides efficient use of the medium when the load is high. Of course, you can expect that when some traffic gets better performance, the rest gets worse because of the limited resource being allocated differently. The point is that these mechanisms are not absolute and would require tuning for different performance characteristics and load conditions.
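The following Python example (added here; it is not from the chapter or from the IEEE text) models the EDCA side of the discussion above: the 802.1D user priority to access category mapping, the AIFS and contention-window rules that give higher-priority traffic a shorter wait, and the resolution of an internal collision between two queues of one QSTA. The AIFSN/CWmin/CWmax values and the SIFS and slot times are assumed 802.11e defaults for an OFDM PHY, not figures taken from this page.

```python
"""EDCA access categories: UP-to-AC mapping, AIFS, and contention-window handling."""
from dataclasses import dataclass


@dataclass
class AccessCategory:
    name: str
    aifsn: int   # arbitration inter-frame space number (slots after SIFS)
    cwmin: int   # initial contention window
    cwmax: int   # upper bound for the contention window
    cw: int = 0  # current contention window, reset to cwmin on success

    def __post_init__(self):
        self.cw = self.cwmin


# Assumed default EDCA parameter set (AIFSN, CWmin, CWmax) with aCWmin=15 and
# aCWmax=1023, as used for an OFDM PHY; assumption, not from the chapter.
EDCA_DEFAULTS = {
    "AC_BK": (7, 15, 1023),  # Background
    "AC_BE": (3, 15, 1023),  # Best Effort
    "AC_VI": (2, 7, 15),     # Video
    "AC_VO": (2, 3, 7),      # Voice
}
# 802.1D user priority -> access category. Note that UP 1 and 2 rank below UP 0.
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}
AC_RANK = {"AC_BK": 0, "AC_BE": 1, "AC_VI": 2, "AC_VO": 3}


def make_ac(name: str) -> AccessCategory:
    return AccessCategory(name, *EDCA_DEFAULTS[name])


def ac_for_up(up: int) -> str:
    """Classify a frame by its 802.1D user priority (0..7)."""
    if not 0 <= up <= 7:
        raise ValueError(f"user priority out of range: {up}")
    return UP_TO_AC[up]


def aifs_us(ac: AccessCategory, sifs_us: int = 16, slot_us: int = 9) -> int:
    """AIFS = SIFS + AIFSN * slot time (assumed OFDM timings in microseconds)."""
    return sifs_us + ac.aifsn * slot_us


def mean_wait_us(ac: AccessCategory, sifs_us: int = 16, slot_us: int = 9) -> float:
    """Average idle time before a transmission: AIFS plus the mean backoff.

    Backoff is drawn uniformly from [0, cw] slots, so its mean is cw/2 slots.
    """
    return aifs_us(ac, sifs_us, slot_us) + ac.cw * slot_us / 2


def on_failure(ac: AccessCategory) -> None:
    """After a collision or missing ACK the window doubles: cw = 2*cw + 1, capped at cwmax."""
    ac.cw = min(2 * ac.cw + 1, ac.cwmax)


def on_success(ac: AccessCategory) -> None:
    ac.cw = ac.cwmin


def resolve_internal_collision(acs: list) -> AccessCategory:
    """Several queues of one QSTA reached zero backoff in the same slot.

    The highest-ranked access category transmits; the others are treated as if
    they had collided on the air and back off with a larger window.
    """
    winner = max(acs, key=lambda a: AC_RANK[a.name])
    for a in acs:
        if a is not winner:
            on_failure(a)
    return winner
```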
The QoS traffic-scheduling service and the higher-layer timer-synchronization service are added to implement the QoS functionalities.
The WME specification adds QSTA, QAP, QoS enhanced basic service set (QBSS), and QoS independent basic service set (QIBSS).
QSTA (QoS STAtion) and QAP (QoS Access Point) denote the STA and AP that are capable of performing the QoS facility: the message exchange, handling the QoS frame formats, and selectively handling streams. The basic service set (BSS) and independent basic service set (IBSS) that are capable of QoS are called QBSS and QIBSS, respectively.
The final basic feature is the ability to distinguish and differentiate APs and STAs based on the QoS capabilities during the association process.
The IEEE 802.11k specification, titled "Specification for Radio Resource Measurement," adds the measurement and reporting functionality from an STA. The factors measured include the load, noise, beacons, hidden nodes, medium sensing events, a site report that shows the list of APs that the STA recognizes, and data (voice- and video-related features such as delay, jitter, device processor, and encryption information). This enables the measurement of environment and performance data on the radio substrate. The 802.11k specification not only specifies the information but also the MIB.
As you can see, the rich information that an STA can provide helps a management station (an AP with the management function, or a WLAN switch or router) make intelligent inferences about load, QoS, security, and topology. In essence, the radio information (in Layers 1 and 2) is not otherwise available at higher layers, so they make decisions based on local (and most probably device-level) optimization. The 802.11k Radio Resource Measurement (RRM) specification makes the lower-level radio data available at higher layers.
Remember that the 802.11k RRM standard provides the means to request and receive the information but does not make specific recommendations about interpreting the data.
The potential impacts of the 802.11k standard include better diagnostics, new services based on the data (such as location-based services), and reconfiguration based on operating context.
Titled "Spectrum and Transmit Power Management Extensions in the 5-GHz Band in Europe," the IEEE 802.11h specification adds the spectrum services to the 802.11 specification. The two spectrum services, Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC), are required to comply with the ERC/DEC/(99)23 and the EN 301 893.
Even though the 802.11h specification is not of much interest from a security point of view, this brief discussion illustrates how government regulations and international forces influence and affect the WLAN domain. For example, this standard focuses on defining the service requirements for the 5-GHz OFDM band, with its 19- to 20-MHz channels, based on European regulations.
National and international standards and opinions do matter; while we were writing this book, a new controversy erupted with respect to WLAN security in China. The country developed a new WLAN security standard and issued a decree to make all products (sold in China) comply with its standard. At least for now, this directive has been relaxed; however, a competing WLAN security standard now exists in China.
The reason for the European standards to incorporate the DFS is twofold: to adjust dynamically to different frequencies to avoid interference (for example, radar systems) and to distribute the load (that is, to "provide aggregate uniform loading of spectrum across all devices").
The European Radiocommunications Office (ERO) is based in Denmark (http://www.ero.dk). In its "ERC Decision of 29 November 1999 on the harmonized frequency bands to be designated for the introduction of High-Performance Radio Local Area Networks (HIPERLANs) (ERC/DEC/(99)23)" (available at http://www.ero.dk/documentation/docs/doc98/official/pdf/DEC9923E.PDF), the ERO mandated that the radio LAN (RLAN) devices should have two features: transmitter power control and a dynamic frequency channel-selection mechanism to spread the load uniformly (and for channel avoidance) in the 5250-MHz to 5350-MHz and 5470-MHz to 5725-MHz spectrum. Figure 3-4 shows the channel plan.
The decision also limits the power of the 5150-MHz to 5350-MHz spectrum to a maximum of 200 mW and restricts this spectrum to indoor use. The 5470-MHz to 5725-MHz spectrum can be used indoors or outdoors, with a maximum power restriction of 1000 mW (1 watt). The directive is 7 pages.
It is interesting to note that the ERC/DEC/(99)23 uses different terminology. Rather than WLANs, it uses the term "HIPERLANs" (High-Performance Radio LANs), which are "intended for connectivity between traditional business products such as PCs, laptops, workstations, servers, printers, and other networking equipment, as well as digital consumer electronic equipment in the wireless home network environment." WLANs are called "cordless LANs" in some recommendations.
The European Telecommunications Standards Institute (ETSI), which develops telecommunication standards for Europe, is based in the hills of Sophia Antipolis, South France. The standards are also referred to and used outside Europe.
The relevant document for this discussion is the ETSI EN 301 893, "Broadband Radio Access Networks (BRAN); 5-GHz high performance RLAN; Harmonized EN covering essential requirements of article 3.2 of the R&TTE (Radio and Telecommunications Terminal Equipment) Directive," which is available at http://webapp.etsi.org/exchangefolder/en_301893v010203p.pdf.
The EN 301 893 is approximately 43 pages. The current version 1.2.3, dated August 2003, includes the following:
Stipulation of the mechanisms and mechanics to perform dynamic frequency selection such as Interference Detection Threshold, Channel Availability Check time, and Uniform Spreading
Definition of the frequencies and channels
Description of the test sites and methods for testing compliance with the requirements
Description of the limits for the Transmit Power Control (TPC)
In 1996, the ERO originally designated the HIPERLAN bands in the ERO/DEC/(96)03. In 1998, the ERO (with ETSI) realized that more spectrum was necessary for multimedia applications. By the decision ERO/DEC/(99)24, the ERO withdrew the ERO/DEC/(96)03 and the EN 301 893, and the ERO became the authoritative standard for the spectrum and the DFS and TPC.
The 802.11h standard defines the choreographies, message formats, and other required elements to implement the European standards in an interoperable way. To achieve this, you must add corresponding services to the WLAN specification. As you might expect, the two spectrum management services, Dynamic Frequency Selection and Transmit Power Control, have been added to the architecture and the station services clauses.
The Transmit Power Control service adds functionality to associate STAs with APs based on power capability. It also covers methods to specify, select, and manage power of channels based on the respective regulations.
The Dynamic Frequency Selection (DFS) services add functionality to associate STAs with APs based on channels supported, quieting, testing, detecting radar channels, and discontinuing channels based on radar interference.
As a result, the various artifacts added to the 802.11 specification include the following:
Fields such as country code, power constraint, channel selection, quiet, and power are added to the beacon and probe response.
Power capability and supported channels fields are added to the association and reassociation request.
The reason and status codes reflect the state of power and channel attributes.
Elements that reflect the power and channels supported are added.
Messages to start power measurement and report the results are added.
Channel switch announcement is added.
Quiet element to silence a channel to aid interference measurement is added.
The specification also describes the TPC and DFS procedures based on the preceding message types and elements, including selection and announcement of new channels, requesting and getting reports on measurements, quieting channels for testing radar interference, procedures for detecting radars, and discontinuing operations on a channel.
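As an added illustration of the TPC and DFS decisions described above (this is example code, not part of the chapter or of any 802.11h implementation), the following Python module encodes the two ERC/DEC/(99)23 band limits quoted earlier (5150-5350 MHz indoor only at 200 mW; 5470-5725 MHz indoor or outdoor at 1000 mW), caps a requested transmit power accordingly, and selects a replacement channel that avoids radar-detected channels while spreading load. The channel-to-frequency rule (5000 + 5 x channel MHz) and the radar and load figures are assumptions constructed for the example.

```python
"""TPC and DFS decisions against the 5-GHz RLAN limits of ERC/DEC/(99)23."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Band:
    low_mhz: int
    high_mhz: int
    max_mw: int       # maximum permitted transmit power in this band
    indoor_only: bool


# Limits as quoted in the chapter from ERC/DEC/(99)23.
ERC_BANDS = (
    Band(5150, 5350, 200, True),
    Band(5470, 5725, 1000, False),
)


def channel_to_mhz(channel: int) -> int:
    """Assumed 5-GHz numbering: centre frequency = 5000 + 5 * channel."""
    return 5000 + 5 * channel


def band_for(channel: int, bands: Iterable[Band] = ERC_BANDS) -> Optional[Band]:
    """Return the regulatory band whose range contains the channel centre, if any."""
    freq = channel_to_mhz(channel)
    for band in bands:
        if band.low_mhz <= freq <= band.high_mhz:
            return band
    return None


def tpc_allowed_mw(channel: int, outdoor: bool, requested_mw: int,
                   bands: Iterable[Band] = ERC_BANDS) -> Optional[int]:
    """Power the TPC service may grant, or None if the channel may not be used at all.

    A channel outside every permitted band, or an indoor-only band requested
    outdoors, is refused; otherwise the request is capped at the band maximum.
    """
    band = band_for(channel, bands)
    if band is None or (outdoor and band.indoor_only):
        return None
    return min(requested_mw, band.max_mw)


def dfs_select_channel(candidates: Iterable[int], radar_detected: set,
                       load_by_channel: dict, outdoor: bool,
                       bands: Iterable[Band] = ERC_BANDS) -> Optional[int]:
    """Choose the eligible channel with the lowest reported load.

    Eligible means: permitted for this deployment (indoor/outdoor) and no radar
    detected during the availability check. Unknown load counts as zero, which
    models the uniform spreading the European rules ask for.
    """
    eligible = [ch for ch in candidates
                if ch not in radar_detected
                and tpc_allowed_mw(ch, outdoor, 1, bands) is not None]
    if not eligible:
        return None
    return min(eligible, key=lambda ch: (load_by_channel.get(ch, 0), ch))
```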
This IETF draft, titled "draft-calhoun-seamoby-lwapp-03.txt," defines the Light Weight Access Point Protocol (LWAPP) to enable routers and switches to manage WLAN access points. This proposal is a little different from other specifications because it treats the AP as a thin device that acts primarily as a collector of 802.11 frames. The frames are transmitted to an access router (AR) in a point-to-point topology, which then manages the frames.
The APs go through a discovery, configuration exchange, and update phase with the AR before starting to work. After the AP-AR pair is enabled, LWAPP encapsulates the 802.11 data and management frames and transports them between the AP and AR. There are also message choreographies and formats for encryption session key update. The keys, of course, are managed by the AR and are updated to the AP as required. The transport layer between the AP and AR can be Layer 2 802.3 frames or Layer 3 UDP.