bambit

802.11 Infrastructure Mode

In infrastructure mode, there is at least one wireless AP and one wireless client. The wireless client uses the wireless AP to access the resources of a traditional wired network. The wired network can be an organization intranet or the Internet, depending on the placement of the wireless AP. An extended service set (ESS) is shown in the following figure.

802.11 Infrastructure Mode

802.11 Ad Hoc Mode

In ad hoc mode, wireless clients communicate directly with each other without the use of a wireless AP, as shown in the following figure.

802.11 Wireless Clients in Ad Hoc Mode

Ad hoc mode is also called peer-to-peer mode. Wireless clients in ad hoc mode form an independent basic service set (IBSS). One of the wireless clients, the first wireless client in the IBSS, takes over some of the responsibilities of the wireless AP. These responsibilities include the periodic beaconing process and the authentication of new members. This wireless client does not act as a bridge to relay information between wireless clients. Ad hoc mode is used to connect wireless clients together when there is no wireless AP present. The wireless clients must be explicitly configured to use ad hoc mode. There can be a maximum of nine members in an ad hoc 802.11 wireless network.

The IEEE 802 standards committee defines two separate layers, the Logical Link Control (LLC) and media access control, for the Data-Link layer of the OSI model. The IEEE 802.11 wireless standard defines the specifications for the physical layer and the media access control (MAC) layer that communicates up to the LLC layer, as shown in the following figure.

802.11 and OSI Model

All of the components in the 802.11 architecture fall into either the media access control (MAC) sublayer of the data-link layer or the physical layer.

802.11 MAC Frame

The 802.11 MAC frame, as shown in the following figure, consists of a MAC header, the frame body, and a frame check sequence (FCS). The numbers in the following figure represent the number of bytes for each field.

802.11 MAC Frame Format

Frame Control Field

The Frame Control field, shown in the following figure, contains control information used for defining the type of 802.11 MAC frame and providing information necessary for the following fields to understand how to process the MAC frame. The numbers in the following figure represent the number of bits for each field.

Frame Control Field

A description of each Frame Control field subfield are as follows:

• Protocol Version provides the current version of the 802.11 protocol used. Receiving STAs use this value to determine if the version of the protocol of the received frame is supported.
  
  
• Type and Subtype determines the function of the frame. There are three different frame type fields: control, data, and management. There are multiple subtype fields for each frame type . Each subtype determines the specific function to perform for its associated frame type.
  
  
• To DS and From DS indicates whether the frame is going to or exiting from the DS (distributed system), and is only used in data type frames of STAs associated with an AP.
  
  
• More Fragments indicates whether more fragments of the frame, either data or management type, are to follow.
  
  
• Retry indicates whether or not the frame, for either data or management frame types, is being retransmitted.
  
  
• Power Management indicates whether the sending STA is in active mode or power-save mode.
  
  
• More Data indicates to a STA in power-save mode that the AP has more frames to send. It is also used for APs to indicate that additional broadcast/multicast frames are to follow.
  
  
• WEP indicates whether or not encryption and authentication are used in the frame. It can be set for all data frames and management frames, which have the subtype set to authentication.
  
  
• Order indicates that all received data frames must be processed in order.
  
  

Duration/ID Field

This field is used for all control type frames, except with the subtype of Power Save (PS) Poll, to indicate the remaining duration needed to receive the next frame transmission. When the sub-type is PS Poll, the field contains the association identity (AID) of the transmitting STA.

Address Fields

Depending upon the frame type, the four address fields will contain a combination of the following address types:

• BSS Identifier (BSSID). BSSID uniquely identifies each BSS. When the frame is from an STA in an infrastructure BSS, the BSSID is the MAC address of the AP. When the frame is from a STA in an IBSS, the BSSID is the randomly generated, locally administered MAC address of the STA that initiated the IBSS.
  
  
• Destination Address (DA). DA indicates the MAC address of the final destination to receive the frame.
  
  
• Source Address (SA). SA indicates the MAC address of the original source that initially created and transmitted the frame.
  
  
• Receiver Address (RA). RA indicates the MAC address of the next immediate STA on the wireless medium to receive the frame.
  
  
• Transmitter Address (TA). TA indicates the MAC address of the STA that transmitted the frame onto the wireless medium.
  
  

For more information about the address types and the contents of the address fields in the 802.11 MAC header, see the IEEE 802.11 standard at the IEEE Web site.

Sequence Control

The Sequence Control field contains two subfields, the Fragment Number field and the Sequence Number field, as shown in the following figure.

Sequence Control Field

A description of each Sequence Control field subfield are as follows:

• Sequence Number indicates the sequence number of each frame. The sequence number is the same for each frame sent for a fragmented frame; otherwise, the number is incremented by one until reaching 4095, when it then begins at zero again.
  
  
• Fragment Number indicates the number of each frame sent of a fragmented frame. The initial value is set to 0 and then incremented by one for each subsequent frame sent of the fragmented frame.
  
  

Frame Body

The frame body contains the data or information included in either management type or data type frames.

Frame Check Sequence

The transmitting STA uses a cyclic redundancy check (CRC) over all the fields of the MAC header and the frame body field to generate the FCS value. The receiving STA then uses the same CRC calculation to determine its own value of the FCS field to verify whether or not any errors occurred in the frame during the transmission.

802.11 PHY Sublayer

At the physical (PHY) sublayer, IEEE 802.11 defines a series of encoding and transmission schemes for wireless communications, the most common of which are the Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency Division Multiplexing (OFDM) transmission schemes. The following figure shows the 802.11, 802.11b, 802.11a, and 802.11g standards that exist at the PHY sublayer. These standards are described in the sections that follow.

Standards for 802.11 at the PHY Layer

IEEE 802.11

The bit rate for the original IEEE 802.11 standard is 2 Mbps using the FHSS transmission scheme and the S-Band Industrial, Scientific, and Medical (ISM) frequency band, which operates in the frequency range of 2.4 to 2.5 GHz. However, under less-than-ideal conditions, a lower bit rate speed of 1 Mbps is used.

802.11b

The major enhancement to IEEE 802.11 by IEEE 802.11b is the standardization of the physical layer to support higher bit rates. IEEE 802.11b supports two additional speeds, 5.5 Mbps and 11 Mbps, using the S-Band ISM. The DSSS transmission scheme is used in order to provide the higher bit rates. The bit rate of 11 Mbps is achievable in ideal conditions. In less-than-ideal conditions, the slower speeds of 5.5 Mbps, 2 Mbps, and 1 Mbps are used.

Note

• 802.11b uses the same frequency band as that used by microwave ovens, cordless phones, baby monitors, wireless video cameras, and Bluetooth devices.
  
  

802.11a

IEEE 802.11a (the first standard to be ratified, but just now being widely sold and deployed) operates at a bit rate as high as 54 Mbps and uses the C-Band ISM, which operates in the frequency range of 5.725 to 5.875 GHz. Instead of DSSS, 802.11a uses OFDM, which allows data to be transmitted by subfrequencies in parallel and provides greater resistance to interference and greater throughput. This higher-speed technology enables wireless LAN networking to perform better for video and conferencing applications.

Because they are not on the same frequencies as other S-Band devices (such as cordless phones), OFDM and IEEE 802.11a provide both a higher data rate and a cleaner signal. The bit rate of 54 Mbps is achievable in ideal conditions. In less-than-ideal conditions, the slower speeds of 48 Mbps, 36 Mbps, 24 Mbps, 18 Mbps, 12 Mbps, and 6 Mbps are used.

802.11g

IEEE 802.11g operates at a bit rate as high as 54 Mbps, but uses the S-Band ISM and OFDM. 802.11g is also backward-compatible with 802.11b and can operate at the 802.11b bit rates and use DSSS. 802.11g wireless network adapters can connect to an 802.11b wireless AP, and 802.11b wireless network adapters can connect to an 802.11g wireless AP. Thus, 802.11g provides a migration path for 802.11b networks to a frequency-compatible standard technology with a higher bit rate. Existing 802.11b wireless network adapters cannot be upgraded to 802.11g by updating the firmware of the adapter — they must be replaced. Unlike migrating from 802.11b to 802.11a (in which all the network adapters in both the wireless clients and the wireless APs must be replaced at the same time), migrating from 802.11b to 802.11g can be done incrementally.

Like 802.11a, 802.11g uses 54 Mbps in ideal conditions and the slower speeds of 48 Mbps, 36 Mbps, 24 Mbps, 18 Mbps, 12 Mbps, and 6 Mbps in less-than-ideal conditions.

The IEEE 802.1X standard defines port-based, network access control used to provide authenticated network access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted to 802.11 wireless LANs.

Components of 802.1X

IEEE 802.1X defines the following terms, as described in the following sections:

• Port access entity. A LAN port, also known as port access entity (PAE), is the logical entity that supports the IEEE 802.1X protocol that is associated with a port. A PAE can adopt the role of the authenticator, the supplicant, or both.
  
  
• Authenticator. An authenticator is a LAN port that enforces authentication before allowing access to services accessible using that port. For wireless connections, the authenticator is the logical LAN port on a wireless AP through which wireless clients in infrastructure mode gain access to other wireless clients and the wired network.
  
  
• Supplicant. The supplicant is a LAN port that requests access to services accessible on the authenticator. For wireless connections, the supplicant is the logical LAN port on a wireless LAN network adapter that requests access to the other wireless clients and the wired network by associating with and then authenticating itself to an authenticator.
  
  Whether for wireless connections or wired Ethernet connections, the supplicant and authenticator are connected by a logical or physical point-to-point LAN segment.
  
  
• Authentication server. To verify the credentials of the supplicant, the authenticator uses an authentication server, which checks the credentials of the supplicant on behalf of the authenticator and then responds to the authenticator, indicating whether or not the supplicant is authorized to access the authenticator's services.
  
  

The following figure shows these components for a wireless LAN network.

Components of IEEE 802.1X Authentication

The authentication server can be the following:

• A component of the access point. In this case, the AP must be configured with the sets of user credentials corresponding to the supplicants that will be attempting to connect (it is typically not implemented for wireless APs).
  
  
• A separate entity. In this case, the AP forwards the credentials of the connection attempt to a separate authentication server. Typically, a wireless AP uses the Remote Authentication Dial-In User Service (RADIUS) protocol to send a connection request message to a RADIUS server.
  
  

Controlled and Uncontrolled Ports

The authenticator's port-based access control defines the following different types of logical ports that access the wired LAN by means of a single physical LAN port:

• Uncontrolled Port. The uncontrolled portallows an uncontrolled exchange between the authenticator (the wireless AP) and other networking devices on the wired network — regardless of any wireless client's authorization state. Frames sent by the wireless client are never sent using the uncontrolled port.
  
  
• Controlled Port. The controlled portallows data to be sent between a wireless client and the wired network only if the wireless client is authorized by 802.1X. Before authentication, the switch is open and no frames are forwarded between the wireless client and the wired network. When the wireless client is successfully authenticated using IEEE 802.1X, the switch is closed, and frames can be sent between the wireless client and nodes on the wired network.
  
  

The different types of ports are shown in the following figure.

Controlled and Uncontrolled Ports for IEEE 802.1X

On an authenticating Ethernet switch, the wired Ethernet client can send Ethernet frames to the wired network as soon as authentication is complete. The switch identifies the traffic of a specific wired Ethernet client using the physical port to which the Ethernet client is connected. Typically, only a single Ethernet client is connected to a physical port on the Ethernet switch.

Because multiple wireless clients contend for access to the same frequency channel and send data using the same channel, an extension to the basic IEEE 802.1X protocol is required to allow a wireless AP to identify the secured traffic of a particular wireless client. The wireless client and wireless AP do this through the mutual determination of a per-client unicast session key. Only authenticated wireless clients have knowledge of their per-client unicast session key. Without a valid unicast session key tied to a successful authentication, a wireless AP discards the traffic sent from the wireless client.

To provide a standard authentication mechanism for IEEE 802.1X, the Extensible Authentication Protocol (EAP) was chosen. EAP is a Point-to-Point Protocol (PPP)-based authentication mechanism that was adapted for use on point-to-point LAN segments. EAP messages are normally sent as the payload of PPP frames. To adapt EAP messages to be sent over Ethernet or wireless LAN segments, the IEEE 802.1X standard defines EAP over LAN (EAPOL), a standard encapsulation method for EAP messages.

WEP provides data confidentiality services by encrypting the data sent between wireless nodes. Setting a WEP flag in the MAC header of the 802.11 frame indicates that the frame is encrypted with WEP encryption. WEP provides data integrity by including an integrity check value (ICV) in the encrypted portion of the wireless frame.

WEP defines two shared keys:

• Multicast/global key. The multicast/global key is an encryption key that protects multicast and broadcast traffic from a wireless AP to all of its connected wireless clients.
  
  
• Unicast session key. The unicast session key is an encryption key that protects unicast traffic between a wireless client and a wireless AP and multicast and broadcast traffic sent by the wireless client to the wireless AP.
  
  

WEP encryption uses the RC4 symmetric stream cipher with 40-bit and 104-bit encryption keys. Although 104-bit encryption keys are not specified in the 802.11 standard, many wireless AP vendors support them.

Note

• Some implementations that advertise the use of 128-bit WEP encryption keys are just adding a 104-bit encryption key to the 24-bit initialization vector (IV) and calling it a 128-bit key. The IV is a field in the header of each 802.11 frame that is used during the encryption and decryption process.
  
  

WEP Encryption

The WEP encryption process is shown in the following figure.

WEP Encryption Process

To encrypt the payload of an 802.11 frame, the following process is used:

1. A 32-bit integrity check value (ICV) is calculated for the frame data.
   
   
2. The ICV is appended to the end of the frame data.
   
   
3. A 24-bit initialization vector (IV) is generated and appended to the WEP encryption key.
   
   
4. The combination of initialization vector and WEP encryption key is used as the input of a pseudo-random number generator (PRNG) to generate a bit sequence that is the same size as the combination of data and ICV.
   
   
5. The PRNG bit sequence, also known as the key stream, is bit-wise exclusive ORed (XORed) with the combination of data and ICV to produce the encrypted portion of the payload that is sent between the wireless access point (AP) and the wireless client.
   
   
6. To create the payload for the wireless MAC frame, the IV is added to the front of the encrypted combination of the data and ICV, along with other fields.
   
   

WEP Decryption

The WEP decryption process is shown in the following figure.

WEP Decryption Process

To decrypt the 802.11 frame data, the following process is used:

1. The initialization vector (IV) is obtained from the front of the MAC payload.
   
   
2. The IV is appended to the WEP encryption key.
   
   
3. The combination of initialization vector and WEP encryption key is used as the input of the same PRNG to generate a bit sequence of the same size as the combination of the data and the ICV. This process produces the same key stream as that of the sending wireless node.
   
   
4. The PRNG bit sequence is XORed with the encrypted combination of the data and ICV] to decrypt the combined data and ICV portion of the payload.
   
   
5. The ICV calculation for the data portion of the payload is run, and its result is compared with the value included in the incoming frame. If the values match, the data is considered to be valid (sent from the wireless client and unmodified in transit). If they do not match, the frame is silently discarded.
   
   

The main problem with WEP is that the determination and distribution of WEP encryption keys are not defined. WEP keys must be distributed by using a secure channel outside of the 802.11 protocol. In practice, WEP keys are text strings that must be manually configured using a keyboard for both the wireless AP and wireless clients. However, this key distribution system does not scale well to an enterprise organization and is not secure.

Additionally, there is no defined mechanism for changing the WEP encryption keys either per authentication or periodically for an authenticated connection. All wireless APs and clients use the same manually configured WEP key for multiple sessions. With multiple wireless clients sending a large amount of data, an attacker can remotely capture large amounts of WEP ciphertext and use cryptanalysis methods to determine the WEP key.

The lack of a WEP key management protocol is a principal limitation to providing 802.11 security, especially in infrastructure mode with a large number of stations. Some examples of this type of network include corporate and educational institutional campuses and public places such as airports and malls. The lack of automated authentication and key determination services also affects operation in ad hoc mode, in which users might want to use in peer-to-peer collaborative communication in areas such as conference rooms.

Although 802.1X addresses many of the security issues of the original 802.11 standard, issues still exist with regard to weaknesses in the WEP encryption and data integrity methods. The long-term solution to these problems is the IEEE 802.11i standard, which is currently in draft form.

Until the IEEE 802.11i standard is ratified, wireless vendors have agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA). The goals of WPA are the following:

• To require secure wireless networking. WPA requires secure wireless networking by requiring 802.1X authentication, encryption, and unicast and multicast/global encryption key management.
  
  
• To address WEP issues with a software upgrade. The implementation of the RC4 stream cipher within WEP is vulnerable to known plaintext attacks. Additionally, the data integrity provided with WEP is relatively weak. WPA solves all the remaining security issues with WEP, yet only requires firmware updates in wireless equipment and an update for wireless clients. Existing wireless equipment is not expected to require replacement.
  
  
• To provide a secure wireless networking solution for small office/home office (SOHO) wireless users. For the SOHO, there is no RADIUS server to provide 802.1X authentication with an EAP type. SOHO wireless clients must use either shared key authentication (highly discouraged) or open system authentication (recommended) with a single static WEP key for both unicast and multicast traffic. WPA provides a pre-shared key option intended for SOHO configurations. The pre-shared key is configured on the wireless AP and each wireless client. The initial unicast encryption key is derived from the authentication process, which verifies that both the wireless client and the wireless AP have the pre-shared key.
  
  
• To be compatible with the upcoming IEEE 802.11i standard. WPA is a subset of the security features in the proposed IEEE 802.11i standard. All the features of WPA are described in the current draft of the 802.11i standard.
  
  
• To be available today. WPA upgrades to wireless equipment and for wireless clients were available beginning in February 2003.
  
  

WPA Security Features

Wireless Auto Configuration dynamically selects the wireless network to which a connection is attempted, based either on configured preferences or default settings. This process includes automatically selecting and connecting to a more preferred wireless network when it becomes available. If none of the preferred wireless networks is found nearby, Wireless Auto Configuration configures the wireless adapter so that there is no accidental connection until the wireless client roams within the range of a preferred network.

Wireless Auto Configuration corresponds to the Wireless Configuration service in Windows Server 2003 and the Wireless Zero Configuration service in Windows XP. You can use the Services snap-in (available in the Administrative Tools folder) to view the current status of (as well as stop, start, and restart) either service. You can also manage either service from the command prompt by using the net command. For example, to stop either service, type net stop wzcsv at a command prompt.

Wireless Auto Configuration minimizes the configuration that is required to access wireless networks and allows you to travel to different wireless networks without reconfiguring the network connection settings on your computer for each location. For the initial scan of available wireless networks, Wireless Auto Configuration performs the following process:

1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks in the preferred networks preference order.
   
   
2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that do not appear in the list of available networks in the preferred networks preference order. Thus, it can connect even when the wireless APs are configured to suppress the beaconing of the SSID of the wireless network.
   
   
3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it.
   
   
4. If there are no successful connections, and there is an ad hoc network in the list of preferred networks that is not available, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network.
   
   
5. If there are no successful connections to preferred networks, and there are no ad hoc networks in the list of preferred networks, Wireless Auto Configuration determines the Automatically Connect To Non-Preferred Networks setting (located on the Wireless Networks tab of the wireless network connection).
   
   
6. If the Automatically Connect To Non-Preferred Networks setting is disabled, Wireless Auto Configuration creates a random network name and places the wireless network adapter in infrastructure mode.
   
   This behavior prevents the Windows XP wireless client from accidentally connecting to a wireless network that does not appear in the list of preferred networks. You then see the One Or More Wireless Networks Are Available message in the notification area. The wireless adapter is not connected to any wireless network, but continues to scan for preferred wireless networks every 60 seconds.
   
   
7. If the Automatically Connect To Non-Preferred Networks setting is enabled, Wireless Auto Configuration attempts to connect to the available networks in the order in which the wireless adapter sensed them.
   
   If all connection attempts fail, Wireless Auto Configuration creates a random network name and places the wireless network adapter in infrastructure mode. You then see the One Or More Wireless Networks Are Available message in the notification area.
   
   

For subsequent scans, Wireless Auto Configuration determines whether there are any changes in the wireless environment that require switching the connection. If the Windows wireless client is already connected to a wireless network and there is no other preferred network higher in the preference list that has not been attempted already, Wireless Auto Configuration maintains the existing connection. If the Windows wireless client is already connected to a wireless network, but a more preferred wireless network becomes available, Wireless Auto Configuration disconnects from the currently connected wireless network and attempts to connect to the more preferred wireless network.

The operation of Wireless Auto Configuration provides the following:

• The first time a wireless adapter is added to a computer running Windows XP or Windows Server 2003 and a wireless network is available, Wireless Auto Configuration prompts you with the One Or More Wireless Networks Are Available message in the notification area, which leads you to select a wireless network in the Connect To Wireless Network dialog box.
  
  After you select a wireless network and the connection is successful, the selected network is automatically added as a preferred network, and you are no longer prompted whenever you are within range of it. For an organization, this is the typical process for configuring the initial connection to a private wireless network. After the initial configuration, Wireless Auto Configuration connects (and then maintains the connection) to the organization’s wireless network.
  
  When you take your portable computer to your home wireless network, to an airport, or to another location with public wireless access, Wireless Auto Configuration first attempts to connect to your preferred network. When that connection attempt fails, you are prompted again to connect to your home wireless network or to the public access wireless network.
  
  
• If there are two preferred wireless networks, and the most preferred one is not initially available, Wireless Auto Configuration configures a wireless connection to the next most preferred network. When the most preferred network eventually becomes available, Wireless Auto Configuration automatically switches the wireless client connection to it after the next scan.
  
  
• If there are no preferred networks in the list of those available, Wireless Auto Configuration attempts to configure connections to the preferred networks in their configured order, in case the wireless APs for the wireless network are configured to prohibit the beaconing of their SSID.