Comp [34]49 Week 8, Oct 16, LT 412

If you learn one useless thing a day, in a year you'll learn 365 useless things.

===========================================================================
News:

Elcomsoft WEP/WAP hack on video cards

WiMAX rollout for *mobile* STAs (for that matter, even portable STAs)
    Until recently, WiMAX was limited to STAs at more-or-less fixed locations;
    it was a wireless substitute for cable.
    Sprint, Wed, Oct 8 (in partnership with Xohm ("zohm")); see xohm.com

===========================================================================
portable v mobile

portable: moves around, but not while communicating
mobile:   need to take doppler shift into account
          typically there is an upper velocity limit

power management
    built-in support for having the device be quiet except at intervals

Signal variation
    IEEE Fig 4, AbsPg 28: this is an amazing picture. Think of "fast fading".

=====================================================================================
Distribution System Services (DSS)

Ties all APs of a given ESS (Extended Service Set) together.

* Every time a station associates with an AP, its address must be communicated
  over the DS to all other APs of the ESS.
* same for reassociation; note that if a station STA associates to AP1 and then
  reassociates to AP2, the reassociation may be the first time that AP1 hears
  that STA is no longer associated with it.
* disassociation: "I can no longer reach STA"
* when a packet is addressed to STA by the outside world (or by the WLAN), the
  DS must be able to find the AP to which the STA is currently associated, and
  forward the packet to that AP.
* ESS forms one logical LAN
* direct STA-to-STA communication within a BSS, say between STA1 and STA2, is
  complicated by the possibility that at some point STA2 will have disassociated
  from the local AP and moved to another AP; STA1-to-STA2 communication would
  then have to use the DS and both APs. STA1 has no way of knowing STA2 has
  left until it gets no ACK.
  STA-to-STA transmission is experimentally supported, but my understanding is
  that it is not yet in common use.
* switched-Ethernet LANs route packets precisely to their destination. When a
  STA reassociates from AP1 to AP2, we have a couple of options:
    1. Have the Ethernet switching infrastructure now route packets addressed
       to STA to AP2 instead of AP1.
    2. Have the Ethernet switching infrastructure route *all* wireless packets
       to a given entry point EP, which will then encapsulate them and forward
       them to the appropriate AP.
* There is special support for using the WLAN as a DSS.
* Note that "Wireless Distribution System" usually means a DS operating with
  wireless connections between APs, *not* a DS for Wireless _per se_.
* However, for cisco, WDS = Wireless Domain Services, which means the usual
  inter-AP DS.

=====================================================================================
cisco WDS:

See: http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15roamg.html#wp1051848

    Access points participating in radio management scan the radio environment
    and send reports to the WDS device on such radio information as
    **potential rogue access points** ....

From http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml#qa4

    The WDS and the infrastructure APs communicate over a multicast protocol
    called the Wireless LAN Context Control Protocol (WLCCP). These multicast
    messages cannot be routed. Therefore, a WDS and the associated
    infrastructure APs must be in the same IP subnetwork and on the same LAN
    segment.

=====================================================================================
Authentication v Privacy

Loyola uses MAC-addr authentication, and has no support for privacy. (This
isn't as dangerous as it seems; users can use SSL or SSH to build encryption on
top of the WLAN. This doesn't necessarily work for http (versus https) pages,
though.)
Order:
    Probing
    Authentication (different from negotiating WEP privacy, though the same
        key is used)
    Association

Preauthentication: Once STA has authenticated and associated with AP1, it has
the *option* of preauthenticating, to speed up reassociation with AP2, should
that be necessary. It also has the option of going through the full
authentication step all over again, at the time of reassociation with AP2. The
typical application associated with a real need for preauthentication is VoIP.

Loyola Netreg model: at the wireless level, you've authenticated and
associated. However, you're in an IP sandbox: your IP address is such that you
cannot do anything except reach Netreg. Your DNS service will resolve *any*
domain name to the Netreg IP address.

I do not know whether, if you *change* your IP address manually to a valid
non-sandboxed one, you will get full service. That would happen, it would seem,
unless the DSS had your STA address "marked" for limited distribution. However,
cisco WDS does do things *like* that.

Standard way to connect without credentials to Loyola-type wireless networks:
* monitor for some STA MAC addresses that are associated
* when one of those STAs goes away, with MAC addr MADDR1, change your own MAC
  address to MADDR1.
Note that changing a wireless card's MAC addr is officially unsupported, but
many cards can do it.

IEEE state diagram: Fig 8, AbsPg 37
    State 1: unauthenticated
    State 2: authenticated, not associated
    State 3: associated
Certain types of packets are limited to certain states. But note that in
State 1, Data frames are allowed so long as FromDS == ToDS == false.

IBSS: the only way anyone can reach the outside world is if one station is set
up to be an IP router. (One station *could* be set up to be an Ethernet bridge,
but this is rare in practice.)

Typical 802.1X model (X is a specific workgroup under 802.1; it does *not* mean
a placeholder for any of 802.10 ...
802.19)

Supplicant (the STA) can interact with the Authenticator (the AP), but cannot
access *beyond* the AP (no ToDS,FromDS == 1) until authentication is complete.
The Authenticator can forward credentials to an Authentication Server; it's
just that the STA cannot do so directly.

Once you are authenticated, you are said to be attached to a "port", in the
sense of a port on an Ethernet switch (not a TCP/UDP port).

==============================================================================
IEEE 11.1.3 and probe requests: AbsPg 138

Passive scanning: usual SCAN
Active scanning: sending Probe Request packets, containing ESSID.

The ESSID contained in the ProbeRequest *must* match the ESSID of the AP, or
else the AP should not answer! At first glance, this might seem to provide
additional security for beaconless stations. However, if the ESSID is
"BROADCAST", 48 1-bits, then the AP *should* answer.

    11.1.3.2.1: STAs, subject to criteria below, receiving Probe Request
    frames shall respond with a probe response only if the SSID in the probe
    request is the broadcast SSID or matches the specific SSID of the STA.

Sigh. Well, anyone eavesdropping would know the ESSID, so it's not like it's a
*real* issue.

ProbeRequest frames are pretty minimal: SSID + supported rates (IEEE AbsPg 63)
ProbeResponse frames are more substantial:
    Frequency Hopping info (for FHSS-using WLANs)
    Direct Sequence info (for DSSS-using WLANs)
    PCF info, but only if the AP supports having the PCF (contention-free stuff)
    IBSS info, if it's an independent BSS (= ad hoc)
*No* normal AP info is sent in a ProbeResponse!

==============================================================================
Duplicate frames

In Ethernet, an unsuccessful transmission means a collision; collisions are
recognized by both parties.
In 802.11, a transmission can be unsuccessful due to
    receiver being out of range of sender
    sender being out of range of receiver's ACK
    collision
None of these are recognized by both sides.
Therefore, one side may resend even though the packet was received by the
other side. Value of ProbeTimer may be smaller than you might think!

===========================================================================
===========================================================================
Packet formats, traces

Note that "link[0] != 0x80" *does* filter out beacons in real time. It's just
that there's lots of other traffic.

================================================================
bluebird_conn.text: look at connecting to bluebird access point, under windoze

This is my first tcpdump file. I've manually removed most, but not all, of the
beacons. Note that there are both bluebird (a linksys router that happens to be
blue) and dlink beacons.

line 59:  40 00   FC byte 0 = 0100 0000 (bit positions 7654 3210): bit 6 is set.
                  mgmt frame, subtype=0100: ProbeReq
                  addresses: bcast/laptop5/bcast
line 65:  50 00   mgmt frame, high nybble 5 == ProbeResp, laptop5/ap/ap
line 73:  40 00   dup probe request
line 79:  50 00   probeResp
line 87:  ditto
line 95:  50 08   ProbeResp, RETRY, laptop5/ap/ap
line 103: ditto
ditto: 111, 119, 127, 135
143: beacon
151: probe response from dlink. ???? dlink is on channel 6 and we're on
     channel 11 (note radio header info). Note source addr 00 1b11 4eaa c7
168: bcast ProbeReq
199: 08 02! ARP who-has; a data packet, bcast/ap/gram/aa:aa:03:00:00:00
     followed by 08 06: ARP code
301,309,317, ... ProbeResponses sent very close together
431: b0 00   Authentication!
             ap/laptop5/ap
             FC byte 0 = 1011 0000 (bit positions 7654 3210)
437: Authentication, laptop/ap/ap
442: 00 00   Assoc request, ap/laptop/ap
450: 10 00   Assoc response: Success
457: gram windoze noise
482: laptop5
591: gram (00 0d87 4fd1 b4)
640: bluebird beacon, dlink beacon (longer!), bluebird beacon
757: ARP answer laptop5/ap/00:60:08:b0:e5:f3/aa:aa:03:00:00:01
     (00:60:08:b0:e5:f3 is asgard, the ARP server)
793: duplicate, ~ 600 µs later

=====================================================
file bluebird2.text: goal is to illustrate connections

However, we start with a couple of odd frame controls:
line 1:  48 01   FC byte 0 = 0100 1000 (bit positions 7654 3210)
                 The 8 means data; for mgmt frames the 4 means "probe request",
                 but for data it means "null function (no data)"
line 6:  48 09
line 11: 08 01   TCP syn
line 19: d4 00   IEEE ACK: 1101 0100 (bit positions 7654 3210); 4 means "cntl",
                 1101 means ACK (IEEE AbsPage 51)

=====================================================
bluebird_dis2.text: filtered disconnection
Look for "Disassociated"
disassociation FC byte 1: A0, see line 184

=====================================================
office1.text: omit

office2.text: scan after I connected laptop6 with linux
    iwconfig wlan0 ap 00:0b:85:70:a2:aa
    (that's the cisco airo-net outside my office)
Note the little trick with tcpdump
Still lots of probeRequest, probeResponse
LOTS of ReAssoc packets

office3.text:
line 25: 48 01: another null data
DeAuthentication: line 30, to me from AP

=====================================================
thursday.text: random scan from my office.
Lines 1157 1923 2025 2132 4036

==============================================================================
==============================================================================
==============================================================================
Spread Spectrum methods:
    FHSS
    DSSS
    OFDM
All provide a reason to believe that noise bursts will only affect a limited
number of the bits in a packet, and so FEC can save the day.
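Before going on to spread spectrum, here is a decoder for the Frame Control byte pairs annotated in the traces above (40 00, 50 08, b0 00, d4 00, 48 01, 08 02 and so on). This is an added example written for these notes; it is not from the lecture, from tcpdump, or from any trace file. The type/subtype/flag tables are the standard IEEE 802.11 ones (the notes cite IEEE AbsPage 51); the TRACE list is constructed from the annotations above; and the only state rule it enforces is the one stated at the state diagram, that a data frame with ToDS or FromDS set needs State 3, while one with both bits clear is allowed even in State 1. Management-frame classes are not modelled.

```python
"""Decode the two-byte 802.11 Frame Control (FC) field and apply the notes'
State-1 data-frame rule.

Added example for these notes; it is not from the lecture or any trace file.
The type/subtype/flag tables are the standard IEEE 802.11 ones (the notes
cite IEEE AbsPage 51). TRACE is constructed from the FC byte pairs annotated
in bluebird_conn.text and bluebird2.text above.
"""

# FC byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
TYPES = {0: "mgmt", 1: "ctl", 2: "data"}

# (type, subtype) -> name; only the common subtypes, others show as a number
SUBTYPES = {
    (0, 0): "AssocReq", (0, 1): "AssocResp", (0, 2): "ReassocReq",
    (0, 3): "ReassocResp", (0, 4): "ProbeReq", (0, 5): "ProbeResp",
    (0, 8): "Beacon", (0, 10): "Disassoc", (0, 11): "Auth", (0, 12): "Deauth",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "Data", (2, 4): "Null",
}

# FC byte 1: one flag per bit, bit 0 first ("50 08" in the trace is Retry)
FLAGS = ["ToDS", "FromDS", "MoreFrag", "Retry",
         "PwrMgt", "MoreData", "Protected", "Order"]


def decode_fc(fc: bytes) -> dict:
    """Split the FC field into version, type, subtype and flag names."""
    if len(fc) != 2:
        raise ValueError("frame control is exactly two bytes")
    b0, b1 = fc
    ftype = (b0 >> 2) & 0b11
    subtype = b0 >> 4
    return {
        "version": b0 & 0b11,
        "type": TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), "subtype%d" % subtype),
        "flags": [name for i, name in enumerate(FLAGS) if b1 & (1 << i)],
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
    }


def describe(hexpair: str) -> str:
    """'50 08' -> 'mgmt/ProbeResp [Retry]', the way the trace notes read."""
    d = decode_fc(bytes.fromhex(hexpair))
    text = "%s/%s" % (d["type"], d["subtype"])
    if d["flags"]:
        text += " [%s]" % ",".join(d["flags"])
    return text


def address_roles(to_ds: bool, from_ds: bool) -> tuple:
    """Meaning of Address 1/2/3 (and 4) in a data frame, by the two DS bits.
    The traces write frames as addr1/addr2/addr3: "bcast/ap/gram" for the
    FromDS=1 ARP request is DA=bcast, BSSID=ap, SA=gram."""
    return {
        (False, False): ("DA", "SA", "BSSID"),
        (False, True): ("DA", "BSSID", "SA"),
        (True, False): ("BSSID", "SA", "DA"),
        (True, True): ("RA", "TA", "DA", "SA"),
    }[(bool(to_ds), bool(from_ds))]


def data_frame_permitted(state: int, fc: bytes) -> bool:
    """The rule from the state diagram above: a data frame with ToDS or FromDS
    set needs State 3 (associated); with both clear it is allowed even in
    State 1. Management-frame classes are not modelled here."""
    d = decode_fc(fc)
    if d["type"] != "data":
        raise ValueError("rule applies to data frames only")
    if not (d["to_ds"] or d["from_ds"]):
        return True
    return state == 3


# (trace line, FC bytes) pairs constructed from the annotations above
TRACE = [(59, "40 00"), (65, "50 00"), (95, "50 08"), (199, "08 02"),
         (431, "b0 00"), (442, "00 00"), (450, "10 00"),
         (1, "48 01"), (11, "08 01"), (19, "d4 00")]


def annotate(trace):
    """Decode every FC pair in a trace listing."""
    return [(line, describe(fc)) for line, fc in trace]


if __name__ == "__main__":
    for line, text in annotate(TRACE):
        print("line %4d: %s" % (line, text))
    print(address_roles(False, True))
    print(data_frame_permitted(1, bytes.fromhex("08 01")))
```

The tcpdump filter quoted above, link[0] != 0x80, is the same decode applied to byte 0 only: 0x80 is type 0 (mgmt) with subtype 8, the Beacon.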
Cell phones use CDMA, which is related to the above but different.

Consequence of all of these: bandwidth is *not* particularly tied to data rate.
Wi-Fi allows clients to choose from a long list of data rates. Lower rates
might be used in noisy environments, or by "dumb" devices. However, lower rates
don't use fewer channels!!

What we're usually trying to do is to avoid noise and distortion. Three special
issues:
    impulse noise ("jamming") at a specific frequency
    multipath distortion and inter-symbol interference (see Fig 5.12)
    fading

=================
FHSS: Lamarr & Antheil (wikipedia.org/wiki/Hedy_Lamarr)

basic FHSS: use of a pseudonoise (PN) generator to have the frequency skip
around.
Military use: PN generator must be "cryptographically secure"
Civilian use: purpose of PN is to avoid random noise. Just how malicious is the
universe? Is it TRYING to get you? All you need is for the PN *or* the noise
to be reasonably random.

Fig 7.2: basic idea; actual transmissions might be ASK SSB.

Fig 7.4: slow FHSS, using MFSK. PN rate (hop rate) slower than symbol rate.
I am not aware of a compelling reason for the different hop bands (marked at
the left with "Wd") not to overlap, but that's the way it's often done in
practice. The goal is to spread frequency use out over a range, so as to avoid
interference on any one frequency, so perhaps that's the reason not to
overlap.

Fig 7.5: fast FHSS; PN rate faster than symbol rate. Each symbol is sent on
two frequencies (in this example). 3 or more frequencies per symbol: can use
voting!
Tc = PN time; Ts = symbol time; Tc < Ts here. Usually the larger is a multiple
of the smaller.

Why do this? Calculation of Eb/Nj:
    Nj = noise due to jamming (deliberate or, more likely, accidental)
    Assume jammer bandwidth is Wd. Sj = jammer power.
    Eb/Nj = Eb*Wd/Sj      (Nj = Sj/Wd)
Spreading Sj out on 2^k frequencies means power on any one frequency is
reduced.
*Not* spreading Sj out (as would be the case for most "accidental" jamming)
means that only 1/2^k of the bits are affected. With ECC, we hope to be able
to fix these. Note the interplay between modulation strategies and ECC.

FHSS and impulse noise: skips around a lot. We hit all sources of impulse
    noise, but each only 1/2^k of the time.
FHSS and multipath: next bit is on a completely different frequency!
FHSS and fading: fading is likely bad only on some of the frequencies!

FHSS hop times are coordinated in 802.11 with other times (beacons, etc)

======================================================
DSSS: xor the data (symbol) sequence with a much-faster spreading-code PN
sequence.

s(t) = data signal, c(t) = code, taking values +1 & -1 instead of 1 and 0
(this way, * is the same as xor of the data values.)
We transmit s(t)*c(t).
Recovery: c(t)*c(t) = 1, so received(t)*c(t) = (s(t)*c(t))*c(t) = s(t).

Analysis on page 169 of noise spikes: a noise spike is spread OUT by
multiplication by c(t); the data signal has its bandwidth REDUCED.
    s_rcvd(t) = s(t) + s_jam(t) + noise(t)
The despreader multiplies s_jam(t) by c(t), **spreading its energy out**.
Unless it was precisely synchronized with s(t), it is now spread out over a
bandwidth of +/- 1/Tc (fig 7.9), while the signal is now confined to +/- 1/T.
A bandpass filter removes most of the +/- 1/Tc range.
noise(t), on the other hand, is *not* made worse.

What should we use for c(t)? To come; see section 7.5. However, resistance of
DSSS to ISI does depend somewhat on the PN sequence used; we want the sequence
to be relatively immune to "translations" of itself.

======================================================
OFDM, p 337: several slow-modulated FM channels. M here stands for
Multiplexing, not Modulation, though that's kind of a persnickety distinction.
But we *are* using multiple simultaneous carriers here.

Simpler case: non-orthogonal FDM.
Then the different frequencies must be protected by "guard bands", and
bandwidth efficiency goes down.

The advantage of having a slower rate is that it is much more resistant to
multipath distortion and ISI (inter-symbol interference). Multipath is
sometimes measured in terms of how much longer the longest (significant)
alternative path is as compared to the LOS (line of sight) path. That
translates directly to a delay, which in turn can be translated to bit times
(or fractions). 300 meters is a time variation of 1 microsec. At 1 Mbit/sec
all on one channel, each "echo bit" could overlap 100% with the following bit.
At 1 Mbit/sec spread over 10 channels at 0.1 Mbit each, each bit echo can
overlap only 10% of the next bit.

IEEE 802.11a: OFDM: 52 carriers with spacing of 312.5 kHz (Stallings describes
this on p 338 as being "translated" to the 5 GHz range. However, it takes a
fair bit of math to justify this view, and in the end it's the same output
signal as if we simply have carriers at fc, fc+fb, fc+2fb, etc.)

Why "orthogonal"? In the past, we've looked at the frequency spectrum of an
ASK-modulated channel somewhat vaguely, as fc +/- data_rate. See Fig 6.12 for
another view. However, a more accurate frequency spectrum is the "sinc"
function, sin(x)/x. We have most of the energy in the range
fc - fb < f < fc + fb, fc = carrier, fb = spacing that depends on data rate.
The point is that we have *zero* energy at exactly +/- fb units away from fc.
So, if we space two carriers f1 and f2 by fb: f1 = fc, f2 = fc+fb, then the
ASK interference between them is zero. Such a tight frequency spacing
approaches the Nyquist limit. Need complex signal-processing devices to
generate!

===========================================================================
===========================================================================
Section 7.5: generation of spreading sequences

Both FHSS and DSSS use pseudo-noise spreading sequences, c(t).
CDMA does too, but the requirements are somewhat different.

Stallings material on PN sequences, starting on p 174, is applicable to FHSS
and DSSS.

Basic rules for PN sequences, p 175:
* uniform distribution
* a given subsequence of length k should appear about 1/2^k of the time (this
  takes care of Stallings' Balance property and Run property)
* independence: no one value should be inferable from the others.
  Obviously, independence FAILS: the sequence is computed, after all! However,
  "pseudo-independence" is good enough: no one value should be inferable from
  the others, unless you happen to have been told the exact PN algorithm.

Correlation property: somewhat more "detailed": If a period of length k of the
sequence is compared term-by-term with any cyclic shift of itself, the number
of places the two are the same differs from the number of places they are
different by at most 1. (For k=2r+1 odd, the number of places they are the
same is either r or r+1.)

Implementation 1: Linear Feedback Shift Register
    Polynomial X^4 + X + 1
    Sequence: 0011 (X^3 and X^2 correspond to the 00)
We have 4 bits (N=4). At each clock cycle,
    1. Calculate the xor of the bits in the positions marked with 1 in the
       0011 sequence
    2. shift everything to the right (as in figure 7.13), outputting the
       rightmost bit. Replace the leftmost bit by the xor from step 1.
Example in Fig 7.13

maximal sequences: m-sequences, of period N = 2^n - 1
* there is always at least one generator that yields an m-sequence
* any input to that generator (initial state) yields the same m-sequence (but
  shifted, as in Table 7.2)
* different generators may or may not yield different m-sequences: see
  Table 7.3
* given a generator polynomial P(X), we can find the sequence it generates by
  1/P(X), expanded formally or via Taylor series.
m-sequences look "especially random"; see the properties on p 180
different starting points yield same sequence: Table 7.2

Some properties
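An added example, written for these notes and not taken from the lecture or from Stallings, that serves both the DSSS section above and the LFSR material here: it clocks the 4-stage register exactly as described (polynomial X^4 + X + 1, tap pattern 0011, shift right, output the rightmost bit, new leftmost bit = xor of the tapped stages), checks the m-sequence properties listed above (period 2^n - 1, balance, the correlation property at every non-zero shift, a different seed giving a shifted copy), expands 1/P(X) formally over GF(2), and then uses the sequence as c(t) for the DSSS rule s(t)*c(t) with recovery by multiplying again by c(t). The data bits and the constant tone jammer are constructed inputs. One caveat the check makes explicit: for this shift-right register layout the 1/P(X) series comes out time-reversed relative to the register output (it is the sequence of the reciprocal polynomial), so the code reverses it before comparing.

```python
"""PN spreading sequences: the LFSR of the notes, its m-sequence properties,
the 1/P(X) expansion, and the DSSS spread/despread rule.

Added example, not from the notes or from Stallings. The register follows the
description above: polynomial X^4 + X + 1, tap pattern 0011, shift right,
output the rightmost bit, new leftmost bit = xor of the tapped stages. The
data bits and the tone jammer in dsss_demo are constructed inputs.
"""

TAPS = [0, 0, 1, 1]   # the notes' 0011 pattern for X^4 + X + 1
SEED = [0, 0, 0, 1]   # any non-zero start state gives the same m-sequence, shifted


def lfsr_sequence(taps, state):
    """Clock the register until its state repeats; return one period of output."""
    if len(taps) != len(state) or not any(state):
        raise ValueError("taps/state length mismatch or all-zero state")
    start = tuple(state)
    state = list(state)
    out = []
    while True:
        fb = 0
        for t, s in zip(taps, state):   # step 1: xor of the stages marked 1
            fb ^= t & s
        out.append(state[-1])            # step 2: output the rightmost bit ...
        state = [fb] + state[:-1]        # ... shift right, feed the xor in at the left
        if tuple(state) == start:
            return out


def correlation(seq, shift):
    """Agreements minus disagreements between seq and its cyclic shift."""
    n = len(seq)
    return sum(1 if seq[i] == seq[(i + shift) % n] else -1 for i in range(n))


def inverse_series(poly, n_terms):
    """Formal power series of 1/P(X) over GF(2); poly[i] is the coefficient of
    X^i. From P(X)*A(X) = 1: a_k = xor of poly[j]*a_{k-j} over j >= 1."""
    if poly[0] != 1:
        raise ValueError("P(0) must be 1")
    a = [1]
    for k in range(1, n_terms):
        s = 0
        for j in range(1, min(k, len(poly) - 1) + 1):
            if poly[j]:
                s ^= a[k - j]
        a.append(s)
    return a


def is_cyclic_shift(a, b):
    return len(a) == len(b) and any(b == a[k:] + a[:k] for k in range(len(a)))


def spread(bits, chips):
    """s(t)*c(t): data bit 0 -> +1, 1 -> -1, each multiplied by the whole chip
    sequence (multiplying the signs is the xor of the bits)."""
    return [(-1 if b else 1) * c for b in bits for c in chips]


def despread(samples, chips):
    """Multiply by c(t) again and integrate over each bit period; the integral
    plays the notes' bandpass filter keeping +/-1/T, and its sign is the bit."""
    n = len(chips)
    if len(samples) % n:
        raise ValueError("sample count is not a whole number of bit periods")
    bits = []
    for i in range(0, len(samples), n):
        corr = sum(r * c for r, c in zip(samples[i:i + n], chips))
        bits.append(0 if corr > 0 else 1)
    return bits


def dsss_demo(jammer_amplitude):
    """Constructed bits through a constant (narrow-band, unsynchronised) tone
    jammer of the given amplitude, with and without spreading.
    Returns (spread link recovered the bits, unspread link recovered them)."""
    chips = [1 - 2 * b for b in lfsr_sequence(TAPS, SEED)]   # 15 chips per bit
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    rx = [x + jammer_amplitude for x in spread(bits, chips)]
    # after the despreader the jammer is worth jammer_amplitude * sum(chips),
    # i.e. about +/-J against the signal's +/-15: processing gain = len(chips)
    spread_ok = despread(rx, chips) == bits
    narrow = [(-1 if b else 1) + jammer_amplitude for b in bits]
    narrow_ok = [0 if x > 0 else 1 for x in narrow] == bits
    return spread_ok, narrow_ok


if __name__ == "__main__":
    seq = lfsr_sequence(TAPS, SEED)
    print("period", len(seq), "sequence", "".join(map(str, seq)))
    print("correlation at non-zero shifts:", [correlation(seq, k) for k in range(1, len(seq))])
    print("1/P(X) reversed is a shift of the register output:",
          is_cyclic_shift(inverse_series([1, 1, 0, 0, 1], len(seq))[::-1], seq))
    for J in (0.0, 6.0, 20.0):
        print("jammer", J, "-> (spread ok, unspread ok):", dsss_demo(J))
```

With this sequence the sum of the 15 chips is -1 (8 ones, 7 zeros), so a constant jammer that survives the despreader with amplitude J is competing against a signal of 15: a jammer that flips every bit on the unspread link (J = 6) is harmless after despreading, and only J above 15 breaks the spread link. That ratio of chips per bit is the processing gain the Eb/Nj discussion above is about.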