iLab Wireless Networks, Florian Wohlfart (wohlfart@in.tum.de), Lehrstuhl für Netzarchitekturen und Netzdienste, Technische Universität München, Lab 10, 16ss


SLIDE 1

iLab

Wireless Networks Florian Wohlfart wohlfart@in.tum.de

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München

Lab 10 – 16ss

1 / 32

SLIDE 2

Oral attestations

available dates

◮ Friday, July 15
◮ Monday, July 18
◮ Tuesday, July 19
◮ Wednesday, July 20

Registration will be open from 8 pm today until Friday 2 pm.

SLIDE 3

Outline

Wireless Communication
  Electromagnetic Spectrum
  General Problems
Wireless LAN (IEEE 802.11)
  Basics
  Medium Access Control
  WLAN Security


SLIDE 5

Frequency Spectrum (US, 3 kHz – 30 GHz)

source: http://www.ntia.doc.gov/files/ntia/publications/spectrum_wall_chart_aug2011.pdf

SLIDE 6

Frequency Spectrum (DE, mobile networks)

source: https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Allgemeines/Presse/Pressemitteilungen/2010/100830VerlosungGraphikFrequenzspektrum_pdf.pdf?__blob=publicationFile&v=3

SLIDE 7

Frequency Spectrum Summary

Unlicensed Operation

◮ 13.56 MHz: NFC, RFID
◮ 2.4 GHz: WLAN, Bluetooth, ZigBee, microwave ovens, RFID, etc.
◮ 5.8 GHz: WLAN

Mobile Networks (Germany)

◮ GSM (2G): 900, 1800 MHz
◮ UMTS (3G): 2100 MHz
◮ LTE (4G): 800, 1800, 2600 MHz

SLIDE 8

Channel Access Methods

Frequency Division Multiple Access (FDMA)

◮ each data stream uses a different frequency band

Time Division Multiple Access (TDMA)

◮ each data stream uses a different time-slot

Code Division Multiple Access (CDMA)

◮ multiplexing based on spreading-codes

Space Division Multiple Access (SDMA)

◮ frequency reuse in different physical areas

SLIDE 9

Space Division Multiple Access (SDMA)

CC BY-SA 2.5 by Andrew pmk, source: https://upload.wikimedia.org/wikipedia/commons/e/ee/Frequency_reuse.svg

SLIDE 10

Cellular Base Stations in Garching

source: http://emf3.bundesnetzagentur.de/karte/default.aspx

SLIDE 11

Cellular Base Stations in Munich

source: http://emf3.bundesnetzagentur.de/karte/default.aspx

SLIDE 12

General Problems in Wireless Data Transmission

◮ half-duplex operation (self interference)
◮ interference – there is only one shared medium
◮ signal strength decreasing quadratically with the distance
◮ multipath propagation due to reflection and refraction

source: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82068-omni-vs-direct.html

SLIDE 13

Recap: Ethernet (IEEE 802.3)

◮ full-duplex, high-speed data transmission
◮ negligible interference
◮ usually no channel access control necessary
  ◮ switches limit collision domains to only two endpoints
◮ no built-in security


SLIDE 15

Wireless Network Types

                      single-hop                               multi-hop
infrastructure-less   WLAN (ad-hoc mode), Bluetooth, ZigBee    mobile ad-hoc networks, e.g. car-to-car
infrastructure-based  WLAN (infrastructure mode), WiMAX        wireless mesh networks

SLIDE 16

Infrastructure Mode

◮ station: wireless host
◮ access point: base station
◮ basic service set (BSS): group of communication partners that use the same channel
◮ extended service set (ESS): group of multiple interconnected BSSs with a common service set identifier (SSID)
◮ distribution system: interconnection network

SLIDE 17

Family of IEEE 802.11 Protocols

Name      Frequency     Max. data rate  Modulation  Published
802.11    2.4 GHz       2 Mbit/s        CDM         1997
802.11a   5 GHz         54 Mbit/s       FDM         1999
802.11b   2.4 GHz       11 Mbit/s       CDM         1999
802.11g   2.4 GHz       54 Mbit/s       FDM, CDM    2003
802.11n   2.4 + 5 GHz   600 Mbit/s      FDM         2009
802.11ac  5 GHz         6.9 Gbit/s      FDM         2013

SLIDE 18

Link Layer Frames

Management Frames

◮ beacon frame (periodic announcement by the AP, e.g. SSID)
◮ association request frame / association response frame (station joins the network)
◮ authentication frame

Control Frames

◮ acknowledgement (ACK) frame, reliability
◮ request-to-send (RTS) frame (optional extension)
◮ clear-to-send (CTS) frame (optional extension)

Data Frames

◮ actual data transmission

SLIDE 19

Datagram Header (IEEE 802.11 MAC frame)

Fields in transmission order (the slide draws them in 32-bit rows, which is why the 48-bit address fields span two rows each):

◮ frame control (2 bytes): ver, type, subtype, to DS, fr DS, ...
◮ duration / ID (2 bytes)
◮ address 1 (6 bytes)
◮ address 2 (6 bytes)
◮ address 3 (6 bytes)
◮ sequence control (2 bytes)
◮ address 4 (6 bytes, only present when to DS = fr DS = 1)
◮ data (0–2312 Byte)
◮ frame check seq. (4 bytes)

SLIDE 20

Use of Address Fields

The tuple is (to DS, from DS):

◮ (0,0) data frame from station to station (ad-hoc mode), and all mgmt/ctrl frames
◮ (0,1) data frame exiting the DS (infrastructure mode)
◮ (1,0) data frame destined to the DS (infrastructure mode)
◮ (1,1) data frame in the DS from one AP to another AP (wireless distribution system)

to DS  from DS  A1          A2          A3     A4
0      0        RA = DA     TA = SA     BSSID  -
0      1        RA = DA     TA = BSSID  SA     -
1      0        RA = BSSID  TA = SA     DA     -
1      1        RA          TA          DA     SA

DA = destination address, SA = source address, RA = receiver address, TA = transmitter address, BSSID = AP MAC address
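The address-field table is easiest to check against real bytes. The Python below is an added example, not part of the original slides: it builds and parses headers in the slide-19 layout, resolves DA/SA/BSSID according to the (to DS, from DS) case, and exposes the protected-frame bit. All MAC addresses and sample frames are constructed for the example; control frames (ACK, CTS, RTS), which use a shorter header, are rejected rather than decoded.

```python
import struct
from dataclasses import dataclass
from typing import Optional

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class Dot11Header:
    version: int
    ftype: str
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool        # "protected frame" bit: body is WEP/TKIP/CCMP encrypted
    duration: int
    addr1: str
    addr2: str
    addr3: str
    addr4: Optional[str]
    seq: int
    frag: int
    header_len: int
    da: str                # resolved per the (to DS, from DS) table on slide 20
    sa: Optional[str]
    bssid: Optional[str]   # None for WDS frames, whose four addresses are RA/TA/DA/SA


def build_frame(ftype: int, subtype: int, a1: str, a2: str, a3: str, *,
                to_ds: bool = False, from_ds: bool = False, a4: Optional[str] = None,
                seq: int = 0, frag: int = 0, duration: int = 0, body: bytes = b"") -> bytes:
    """Header in the layout of slide 19: 16-bit fields little-endian, FCS left off."""
    fc = (ftype << 2) | (subtype << 4)                    # protocol version 0 in bits 0-1
    flags = (1 if to_ds else 0) | (2 if from_ds else 0)   # bits 0 and 1 of the flags byte
    hdr = struct.pack("<HH", fc | (flags << 8), duration)
    hdr += mac_to_bytes(a1) + mac_to_bytes(a2) + mac_to_bytes(a3)
    hdr += struct.pack("<H", (seq << 4) | (frag & 0xF))
    if a4 is not None:
        hdr += mac_to_bytes(a4)
    return hdr + body


def parse_frame(frame: bytes) -> Dot11Header:
    """Decode the header and resolve DA/SA/BSSID. Control frames (ACK, CTS, RTS) use a
    shorter header and are rejected here rather than mis-parsed."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte mandatory header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1:
        raise ValueError("control frames are not handled")
    flags = fc >> 8
    to_ds, from_ds, protected = bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x40)
    a1, a2, a3 = (bytes_to_mac(frame[i:i + 6]) for i in (4, 10, 16))
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    seq, frag = seq_ctrl >> 4, seq_ctrl & 0xF
    a4, hlen = None, 24
    if ftype == 2 and to_ds and from_ds:                # only WDS data frames carry address 4
        if len(frame) < 30:
            raise ValueError("WDS frame truncated before address 4")
        a4, hlen = bytes_to_mac(frame[24:30]), 30
    if not to_ds and not from_ds:       # (0,0) ad-hoc data, mgmt: RA=DA, TA=SA, BSSID
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:         # (0,1) leaving the DS: RA=DA, TA=BSSID, SA
        da, sa, bssid = a1, a3, a2
    elif to_ds and not from_ds:         # (1,0) entering the DS: RA=BSSID, TA=SA, DA
        da, sa, bssid = a3, a2, a1
    else:                               # (1,1) AP to AP: RA, TA, DA, SA
        da, sa, bssid = a3, a4, None
    return Dot11Header(version, FRAME_TYPES[ftype], subtype, to_ds, from_ds, protected,
                       duration, a1, a2, a3, a4, seq, frag, hlen, da, sa, bssid)


# Constructed sample frames (not captured traffic); the MAC addresses are made up.
AP, AP2 = "00:11:22:33:44:55", "00:11:22:33:44:66"
STA, SERVER, BROADCAST = "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"
STA_TO_AP = build_frame(2, 0, AP, STA, SERVER, to_ds=True, seq=10, duration=44, body=b"payload")
AP_TO_STA = build_frame(2, 0, STA, AP, SERVER, from_ds=True, seq=11)
BEACON = build_frame(0, 8, BROADCAST, AP, AP)                      # management subtype 8
WDS = build_frame(2, 0, AP2, AP, SERVER, to_ds=True, from_ds=True, a4=STA)

if __name__ == "__main__":
    for name, f in [("STA->AP", STA_TO_AP), ("AP->STA", AP_TO_STA), ("beacon", BEACON), ("WDS", WDS)]:
        h = parse_frame(f)
        print(f"{name}: {h.ftype}/{h.subtype} toDS={h.to_ds} fromDS={h.from_ds} "
              f"DA={h.da} SA={h.sa} BSSID={h.bssid}")
```

Running it prints one line per sample frame. This lookup is the first thing a monitor-mode tool has to do before it can attribute traffic to a station or an AP; on an open network nothing in this header is authenticated, so the station and BSSID it reports are only what the sender chose to put there.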

SLIDE 21

Medium Access Control

◮ collision detection not possible
  ◮ sensing while sending is difficult
  ◮ hidden terminal problem
◮ a frame is always fully transmitted
◮ link-layer acknowledgements
◮ remember: collision != interference

SLIDE 23

Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA)

◮ prioritization of control traffic via inter-frame spacing
  ◮ SIFS (Short Inter Frame Spacing): highest priority for control frames, e.g. ACK, CTS
  ◮ DIFS (DCF Interframe Spacing): lower priority (longer interframe spacing) for data traffic
◮ backoff time tbo = Random([0, CW]) ∗ SlotTime

source: S. Günther, et al. "Analysis of Injection Capabilities and Media Access of IEEE 802.11 Hardware in Monitor Mode", NOMS 2014

SLIDE 24

CSMA/CA – Inter-Frame Spacing Example

source: https://www.cs.purdue.edu/homes/park/cs536-wireless-3.pdf

◮ SIFS = 10 µs or 16 µs
◮ DIFS = 28 µs, 34 µs, or 50 µs (DIFS = SIFS + 2 ∗ slot time)
◮ slot time = 9 µs or 20 µs
◮ 15 ≤ CW ≤ 1023

SLIDE 25

Collision Avoidance Algorithm (sending side)

◮ MAC receives frame from upper layer
◮ choose random backoff time tbo = Random([0, CW]) ∗ SlotTime
◮ wait until channel is idle for DIFS
◮ while tbo > 0: wait for one slot time and decrement tbo; if the channel becomes busy, freeze tbo and wait again until the channel is idle for DIFS
◮ transmit frame
◮ ACK received before timeout? yes: done; no: CW = CW ∗ 2 (up to the maximum CW) and choose a new backoff time

SLIDE 26

Collision Avoidance Algorithm (receiving side)

◮ MAC receives frame from the physical layer
◮ is received frame ok (frame check sequence)? no: drop it silently, the sender will time out and retry
◮ yes: wait for SIFS, transmit ACK

SLIDE 27

CSMA/CA – Backoff Example

source: IEEE Std 802.11-2012, http://standards.ieee.org/getieee802/download/802.11-2012.pdf
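As an added example (not from the slides), the Python below simulates the sending-side algorithm of slide 25 for several contending stations, using the CW limits and timing values of slide 24. It is a slot-synchronous model: an idle slot, a successful frame and a collision each occupy one simulation slot, backoff counters freeze while another station transmits, and no retry limit is modelled. It uses the standard's CW sequence 15, 31, 63, ..., 1023 rather than the slide's shorthand CW = CW ∗ 2.

```python
import random
from dataclasses import dataclass, field
from typing import List

# Timing parameters from slide 24 (the 9 µs slot set). The µs values only matter for the
# backoff-time calculation; the simulation itself counts slots.
SLOT_TIME_US = 9
SIFS_US = 16
DIFS_US = SIFS_US + 2 * SLOT_TIME_US   # 34 µs
CW_MIN, CW_MAX = 15, 1023


def next_cw(cw: int) -> int:
    """Contention window after a missed ACK (binary exponential backoff).
    Slide 25 writes CW = CW * 2; the standard keeps CW of the form 2^n - 1
    (15, 31, 63, ..., 1023), which (cw + 1) * 2 - 1 produces, capped at CW_MAX."""
    return min((cw + 1) * 2 - 1, CW_MAX)


def backoff_slots(cw: int, rng: random.Random) -> int:
    """Random([0, CW]) from slide 23, in slots."""
    return rng.randint(0, cw)


def backoff_time_us(cw: int, rng: random.Random) -> int:
    """tbo = Random([0, CW]) * SlotTime, in microseconds."""
    return backoff_slots(cw, rng) * SLOT_TIME_US


@dataclass
class Station:
    name: str
    frames_left: int
    cw: int = CW_MIN
    backoff: int = 0          # remaining backoff slots (frozen while the medium is busy)
    retries: int = 0


@dataclass
class Stats:
    successes: int = 0
    collisions: int = 0
    slots: int = 0
    max_cw: int = CW_MIN
    trace: List[str] = field(default_factory=list)


def simulate(num_stations: int, frames_per_station: int, seed: int = 1) -> Stats:
    """Every slot is either idle (all counters decrement), a successful transmission
    (exactly one counter reached zero) or a collision (several did). Stations that did
    not transmit keep their counter during a busy slot, i.e. they freeze and resume
    once the medium has been idle for DIFS again, as on slide 25."""
    rng = random.Random(seed)
    stations = [Station(f"STA{i}", frames_per_station) for i in range(num_stations)]
    for s in stations:
        s.backoff = backoff_slots(s.cw, rng)
    stats = Stats()
    while any(s.frames_left > 0 for s in stations):
        stats.slots += 1
        active = [s for s in stations if s.frames_left > 0]
        ready = [s for s in active if s.backoff == 0]
        if not ready:                             # idle slot: everyone counts down
            for s in active:
                s.backoff -= 1
            continue
        if len(ready) == 1:                       # ACK arrives after SIFS: success
            s = ready[0]
            stats.successes += 1
            stats.trace.append(f"slot {stats.slots}: {s.name} ok (CW {s.cw}, retries {s.retries})")
            s.frames_left -= 1
            s.cw, s.retries = CW_MIN, 0
        else:                                     # no ACK before timeout: collision
            stats.collisions += 1
            stats.trace.append(f"slot {stats.slots}: collision " + ",".join(s.name for s in ready))
            for s in ready:
                s.cw = next_cw(s.cw)
                s.retries += 1
                stats.max_cw = max(stats.max_cw, s.cw)
        for s in ready:                           # fresh backoff for the next attempt
            if s.frames_left > 0:
                s.backoff = backoff_slots(s.cw, rng)
    return stats


if __name__ == "__main__":
    result = simulate(num_stations=4, frames_per_station=5, seed=7)
    print("\n".join(result.trace))
    print(f"{result.successes} frames in {result.slots} slots, "
          f"{result.collisions} collisions, max CW {result.max_cw}")
```

Increase num_stations and the trace shows what the slides' backoff example only hints at: collisions become frequent, CW climbs towards 1023, and the share of idle slots grows, which is the throughput cost of contention-based access.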

SLIDE 28

Request-to-Send and Clear-to-Send (RTS / CTS)

◮ optional extension to IEEE 802.11
◮ before any transmission the sender transmits a request-to-send (RTS) message; it contains the expected duration of the transmission
◮ the receiver has to confirm with a clear-to-send (CTS) message; everyone who received the CTS knows that the medium will be busy for the specified duration, including stations that could not hear the RTS
◮ solves the hidden terminal problem


SLIDE 30

Wireless LAN Security Protocols

WEP

◮ standardized in 1999, first broken in 2001
  ◮ N. Borisov et al., Intercepting Mobile Communications: The Insecurity of 802.11, MOBICOM 2001
◮ many design flaws including:
  ◮ only 40 bit key length
  ◮ initialization vector is too small (24 bit, 16 million possible values)
  ◮ integrity check via CRC32 (linear function)
  ◮ no replay protection

WPA

◮ standardized in 2003
◮ stopgap replacement for WEP

WPA2

◮ standardized in 2004 (IEEE 802.11i)
◮ CCMP (CTR mode with CBC-MAC Protocol) encryption protocol uses AES with 128-bit block size
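The CRC32 flaw is worth seeing concretely. The Python below is an added example, not from the slides: a minimal WEP-style encryption (IV || (plaintext || CRC32) XOR keystream) and the bit-flipping forgery that the linearity of CRC32 permits. The keystream generator is a SHA-256 counter stand-in rather than RC4 (an assumption that does not affect the attack, which works for any stream cipher); the key, IV and HTTP request are constructed; the ICV byte order is assumed little-endian.

```python
import hashlib
import zlib
from typing import Optional

IV_LEN = 3   # WEP prepends a 24-bit IV in clear: only 2^24 (~16 million) values


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain IEEE CRC-32 (same polynomial as zlib.crc32),
    carried little-endian (byte-order assumption; it does not affect the forgery)."""
    return zlib.crc32(data).to_bytes(4, "little")


def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """Stand-in keystream. Real WEP runs RC4 over IV || key; the ICV forgery below works
    against any stream cipher, so a SHA-256 counter construction (an assumption made
    here, not RC4) keeps the example self-contained."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, keystream(iv, key, len(body)))


def wep_decrypt(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: return the plaintext if the ICV verifies, None otherwise."""
    iv, ct = packet[:IV_LEN], packet[IV_LEN:]
    body = xor_bytes(ct, keystream(iv, key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


def patch_delta(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """Delta that turns `old` into `new` at `offset`, zero elsewhere. The attacker must
    know or guess the bytes being replaced, e.g. a fixed protocol field."""
    if len(old) != len(new) or offset + len(old) > length:
        raise ValueError("patch must fit and keep the length")
    d = bytearray(length)
    d[offset:offset + len(old)] = xor_bytes(old, new)
    return bytes(d)


def forge(packet: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` into the ciphertext and repair the ICV without the key.
    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of len(p)),
    so the ICV correction depends only on the attacker's delta, never on the plaintext."""
    iv, ct = packet[:IV_LEN], packet[IV_LEN:]
    if len(delta) != len(ct) - 4:
        raise ValueError("delta must cover the whole plaintext")
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    mask = delta + icv_fix.to_bytes(4, "little")
    return iv + xor_bytes(ct, mask)


# Constructed demo values (not a capture): a 40-bit key, one IV, one request.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
REQUEST = b"GET /index.html HTTP/1.0"


def demo() -> Optional[bytes]:
    """Rewrite 'index' to 'admin' inside an encrypted frame; the AP still accepts it."""
    packet = wep_encrypt(IV, KEY, REQUEST)
    delta = patch_delta(len(REQUEST), REQUEST.index(b"index"), b"index", b"admin")
    return wep_decrypt(KEY, forge(packet, delta))


if __name__ == "__main__":
    print(demo())
```

The receiver's ICV check passes on the forged frame because CRC32 was never a MAC: anyone who can flip ciphertext bits can flip the checksum bits to match. A keyed MAC (CBC-MAC in CCMP) closes this; note also that nothing here stops the same packet from simply being replayed, the last flaw listed above.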

SLIDE 31

WPA2 Authentication

Pre-shared Key Mode (WPA-PSK)

◮ 256 bit key derived from 64 hexadecimal digits or an ASCII string (8 to 63 characters) using the PBKDF2 key derivation function (4096 iterations of HMAC-SHA1) and the SSID as salt

External Authentication Server (WPA-802.1X)

◮ relies on an external server for authentication
◮ advantages: mutual authentication, centralized authentication

Wi-Fi Protected Setup (WPS)

◮ goal: make adding new devices as simple as possible
◮ assumption: attacker has no physical access to the access point
◮ PIN method (brute-force feasible [1]), push-button method

[1] https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
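The PSK derivation can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). The Python below is an added example, not from the slides; the 4096-iteration count and HMAC-SHA1 are the standard's values, the candidate passphrases are constructed. Going a step beyond the slide, it also shows what the SSID salt does and does not buy: it blocks cross-network precomputation, but against one network guessing the passphrase is a purely offline computation.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 4096    # IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output
HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa2_psk(secret: str, ssid: str) -> bytes:
    """Pre-shared key (the PMK in PSK mode) from either a 64-hex-digit raw key or an
    8..63-character ASCII passphrase, salted with the SSID as on slide 31."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if HEX_KEY.match(secret):
        return bytes.fromhex(secret)           # raw 256-bit key, no derivation at all
    if not 8 <= len(secret) <= 63 or not all(32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, dklen=32)


def precompute(ssid: str, candidates: Iterable[str]) -> Dict[str, bytes]:
    """Per-SSID table candidate passphrase -> PSK. Because the SSID is the salt, the
    table only applies to networks with exactly that SSID, which is why a default or
    common SSID plus a short passphrase is the weak point of PSK mode."""
    return {c: wpa2_psk(c, ssid) for c in candidates}


def match_psk(ssid: str, target: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate that derives `target`, or None. In practice the check runs
    against the MIC of a captured 4-way handshake rather than a known PSK; that
    handshake step is not part of this example."""
    for passphrase, psk in precompute(ssid, candidates).items():
        if psk == target:
            return passphrase
    return None


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa2_psk("password", "IEEE").hex())
    # -> f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
```

4096 rounds of HMAC-SHA1 cost a few milliseconds per guess on a CPU and far less on a GPU, so the derivation slows a dictionary attack but does not stop it; the passphrase's entropy is what counts, which is the argument for the 802.1X mode that follows.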

SLIDE 32

WPA-802.1X

◮ relies on an external server for authentication (via RADIUS or Diameter protocol)
◮ supplicant (station) negotiates with an authentication server, the authenticator (access point) acts as a relay

source: https://en.wikipedia.org/wiki/File:802.1X_wired_protocols.png

SLIDE 33

Conclusion

◮ only trust authenticated hosts and access points
◮ use WPA2
◮ when using public Wi-Fi hotspots, encrypt your communication (e.g. VPN)