Capacity, QoS, and Security Related
Advances in IEEE 802.11
Kaustubh S. Phanse, K. N. Gopinath
AirTight Networks, Inc.
National Conference on Communications (NCC 2008)
Indian Institute of Technology, Bombay
February 1, 2008
www.airtightnetworks.net
Outline
Introduction: 802.11 overview: history and basic concepts
802.11n: MIMO concepts, channelization, frame aggregation, frame formats, performance
802.11e: Coordination functions for QoS support, service classes
802.11i, 802.11w: Authentication and encryption; protection of management and broadcast frames
What this tutorial will NOT cover…
- Communication and information theory: modulation and demodulation techniques, estimation, …
- Details of certain optional features in 802.11 standards
IEEE 802.11
Working group established in 1990
First standard in 1997 (already 10 years ago!)
- Frequency: 2.4 GHz band
- Physical layer: DSSS, FH, IR
- MAC layer: CSMA/CA
- Data rate: 2 Mbps
802.11 protocol suite
802.11 MAC and PHY enhancements
[Figure: 802.11 enhancements mapped to the protocol stack (data link: MAC; physical: PLCP, PMD). Labels: Security (802.11i, 802.11w), QoS (802.11e), Capacity & Coverage (802.11n).]
Two-slide primer on 802.11 MAC (1/2)
Distributed coordination function (DCF) using carrier sense multiple access (CSMA/CA)
Two-slide primer on 802.11 MAC (2/2)
Example of DCF CSMA/CA (1)
Example of DCF CSMA/CA (2)
Example of DCF CSMA/CA (3)
Example of DCF CSMA/CA (4)
Example of DCF CSMA/CA (5)
Example of DCF CSMA/CA (6)
Example of DCF CSMA/CA (7)
Motivation for multicarrier modulation
Large delay spread (due to multipath reception) can cause significant inter-symbol interference (ISI)
- Burst errors
- Limits maximum achievable data rate
Multicarrier modulation
Divide a high-rate sequence of symbols into several low-rate sequences
- Symbol duration ($T_N$) becomes large
Transmit low-rate symbols simultaneously over multiple subchannels or subcarriers
- Total bandwidth B is divided into subchannels each with bandwidth B/N
Orthogonal frequency division multiplexing (OFDM)
Tighter packing of subcarriers than traditional FDM
Subcarriers are orthogonal to enable demodulation
- Spacing $\Delta f$ is at least $1/T_N$
OFDM in 802.11
Each 20 MHz channel divided into 52 subcarriers
- Bandwidth of 16.6 MHz actually used for transmission
Subcarriers spaced 312.5 kHz
- 48 subcarriers for data transmission
- 4 pilot subcarriers for monitoring
802.11n PHY Enhancements
What is MIMO?
SISO: Single Input (transmit) Single Output (receive)
MIMO: Multiple Input Multiple Output
- Spatial diversity (transmitter and receiver)
- Spatial multiplexing
[Figure: SISO link with one Tx and one Rx antenna; MIMO M x N system (N > 1, M > 1)]
Spatial diversity
Use multiple independently fading signal paths to reduce the error probability
- Low probability of independent fading signal paths to simultaneously experience deep fades
- Need multiple antennas spaced sufficiently apart (~ λ/2)
Maximum diversity gain (D) for M x N system = MN
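Receiver diversity
[Figure: linear combiner. Branch k receives $r_k e^{j\theta_k} s(t)$ and is multiplied by the weight $a_k e^{-j\theta_k}$; the M weighted branches are summed (Σ) to give the combiner output with SNR $\eta_\Sigma$.]
Let noise at each antenna = $N_0$
Combined output SNR:
$$\eta_\Sigma = \frac{\left(\sum_{k=1}^{M} a_k r_k\right)^2}{N_0 \sum_{k=1}^{M} a_k^2}$$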
Receiver diversity: Selection combining
Choose the branch with the highest SNR
$$\eta_\Sigma = \eta_k = \frac{r_k^2}{N_k}$$
- Often implemented as a single receiver that switches to the chosen antenna branch
- But it is still a single transmit-receive chain (SISO)
[Figure: bit stream, DSP and radio at the Tx; radio, DSP and bit stream at the Rx]
Receiver diversity: Maximum Ratio Combining (MRC)
Give higher weights to branches with high SNR and lower weights to branches with low SNR
[Figure: bit stream, DSP and two radios at the Tx; two radios, DSP and bit stream at the Rx]
Receiver diversity: MRC
Optimal weight $a_k = \dfrac{r_k}{N_0}$
$r_k$ is the energy per symbol $= E_s$
Then, SNR $= \dfrac{E_s}{N_0}$
Combined received SNR $\eta_\Sigma = \dfrac{M E_s}{N_0}$
Array gain: M-fold increase in SNR versus a SISO system
Maximum array gain (A) for M x N system = MN
Transmitter diversity: Channel-aware
Transmitter has knowledge of channel state information (CSI)
- Feedback from receiver
- Assume channel is reciprocal
Similar to receiver diversity with coherent combining, e.g., MRC
- Assign weights to antenna branches depending on channel conditions
Transmitter diversity: Channel-unaware
Space-time block codes (STBC): Alamouti scheme
- Assume channel gain is constant over two symbol periods
- Transmit symbols $s_1$ and $s_2$ during first symbol period
- Transmit $-s_2^*$ and $s_1^*$ during next symbol period
[Figure: Alamouti transmit diversity block diagram (DSP and radio blocks at Tx and Rx)]
Let each antenna have a channel gain $h_k = r_k e^{j\theta_k}$
Received signal is r(t) = 0.5(h1  h 2 )s(t)
Symbol received during first symbol period: $y_1 = h_1 s_1 + h_2 s_2$
Symbol received during second symbol period: $y_2 = -h_1 s_2^* + h_2 s_1^*$
Transmitter diversity: Alamouti scheme
Let sequence of received symbols be represented as a vector $y = [y_1 \; y_2^*]^T$
$$y = \begin{bmatrix} h_1 & h_2 \\ h_2^* & -h_1^* \end{bmatrix} \begin{bmatrix} s_1 \\ s_2 \end{bmatrix} = Hs$$
Let $z = H^H y = H^H H s = (|h_1|^2 + |h_2|^2) I_2 s$
Then
$z_1 = h_1^* y_1 + h_2 y_2^* = (|h_1|^2 + |h_2|^2) s_1$
$z_2 = h_2^* y_1 - h_1 y_2^* = (|h_1|^2 + |h_2|^2) s_2$
Transmitter diversity: Alamouti scheme
Received SNR $\eta_k$ for $z_k$:
$$\eta_k = \frac{(|h_1|^2 + |h_2|^2) E_s}{2 N_0}$$
Total SNR:
$$\eta_\Sigma = \frac{(|h_1|^2 + |h_2|^2) E_s}{N_0}$$
Array gain = 1
Diversity gain = 2
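The Alamouti combining step above, carried through numerically. This is an added example, not part of the original slides; the QPSK symbols, channel gains and noise samples are constructed values, and the function names are illustrative.

```python
import cmath
import math


def alamouti_transmit(s1, s2):
    """Symbols sent on (antenna 1, antenna 2) in the two symbol periods."""
    return (s1, s2), (-s2.conjugate(), s1.conjugate())


def receive(periods, h1, h2, noise=(0j, 0j)):
    """Single receive antenna: y = h1*x1 + h2*x2 + n in each symbol period."""
    return tuple(h1 * x1 + h2 * x2 + n for (x1, x2), n in zip(periods, noise))


def combine(y1, y2, h1, h2):
    """z = H^H y with y = [y1, y2*]^T, as on the slide."""
    z1 = h1.conjugate() * y1 + h2 * y2.conjugate()
    z2 = h2.conjugate() * y1 - h1 * y2.conjugate()
    return z1, z2


def decode(y1, y2, h1, h2):
    """Divide out the common gain |h1|^2 + |h2|^2 to estimate s1 and s2."""
    gain = abs(h1) ** 2 + abs(h2) ** 2
    z1, z2 = combine(y1, y2, h1, h2)
    return z1 / gain, z2 / gain


def qpsk_slice(z):
    """Nearest unit-energy QPSK constellation point."""
    return complex(math.copysign(1, z.real), math.copysign(1, z.imag)) / math.sqrt(2)


def deep_fade_demo():
    """Antenna 1 is in a deep fade; the symbols still decode through antenna 2."""
    s1 = complex(1, 1) / math.sqrt(2)       # constructed QPSK symbols
    s2 = complex(-1, 1) / math.sqrt(2)
    h1 = cmath.rect(0.02, 0.3)              # constructed gain: deep fade
    h2 = cmath.rect(0.9, -1.1)              # constructed gain: good path
    noise = (complex(0.05, -0.03), complex(-0.04, 0.02))  # constructed noise
    y1, y2 = receive(alamouti_transmit(s1, s2), h1, h2, noise)
    d1, d2 = decode(y1, y2, h1, h2)
    return (s1, s2), (qpsk_slice(d1), qpsk_slice(d2))


if __name__ == "__main__":
    sent, got = deep_fade_demo()
    print("sent   :", sent)
    print("decoded:", got)
```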
Practical significance: array gain and diversity gain
Maximum: array gain A = MN, diversity gain D = MN
For a Rayleigh channel: error probability $P_e \propto \dfrac{1}{\mathrm{SNR}}$
For M x N system, $P_e \propto \dfrac{1}{(A \times \mathrm{SNR})^D}$
Practical significance: array gain and diversity gain
[Figure: Pe versus SNR. Diversity gain determines the slope of the curve; array gain shifts the curve.]
Spatial multiplexing
Multiplexing
- Time (TDM), frequency (FDM), code (CDM)
- SDM: using space as another dimension to multiplex data
Degrees of freedom
- Rich scattering environment
Transmit unique data streams over separate RF chains
Spatial multiplexing
Maximum multiplexing gain = min (M,N)
Use training symbols to estimate channel matrix H
Linear systems theory analogy: min (M,N) variables with min (M,N) equations
[Figure: at the Tx the bit stream b1 b2 b3 b4 b5 b6 is split into b1 b3 b5 and b2 b4 b6, each sent over its own DSP/radio chain; at the Rx the two streams are merged back into b1 b2 b3 b4 b5 b6]
Spatial multiplexing gain vs. diversity gain trade-off
[Figure: diversity gain versus spatial multiplexing gain, through the points (0, MN), (1, (M-1)(N-1)), (2, (M-2)(N-2)), (k, (M-k)(N-k)), (min(M, N), 0)]
802.11n channels
40 MHz operation (channel bonding)
- Primary channel plus secondary (upper/lower) channel
- Primary for management frames, both channels for data frames
Higher bandwidth, higher data rates!
- …but higher interference
Only one non-overlapping channel in 2.4 GHz
- Implications for legacy WLANs
802.11n Modes of Operation
PLCP Enhancements
802.11n: Modes of Operation
3 Modes: Non-HT, Mixed, Greenfield (distinguished by their PLCP headers)
Mixed
- Full support for legacy clients
- Broadcast control frames always in 20 MHz
- Performance degradation for .11n stations
Greenfield
- No backward compatibility
- Short & more efficient PLCP format
- No performance degradation for .11n devices
[Figure: PLCP frame formats, with these annotations]
- Detection of PPDU, timing & coarse freq acquisition
- MIMO estimation: D-LTF 1 per stream providing channel estimation for data portion of the frame
- Staggered preambles (e.g., sounding packets): additional optional estimation info for channels
- For use of legacy devices also
- Signalling (See next slide)
L-SIG (MM) & HT-SIG (MM & GF)
[Figure: L-SIG of Mixed Mode. Annotations: always 6 Mbps; encoded value indicating duration of rest of the packet. Refer to next slides.]
HT-SIG
Field Name | Explanation and coding
Modulation and Coding Scheme | Index into the MCS table.
CBW 20/40 | Set to 0 for 20 MHz or 40 MHz upper/lower. Set to 1 for 40 MHz.
Length | The number of octets of data in the PSDU in the range 0-65535.
Smoothing | Set to 1 indicates that channel estimate smoothing is allowed. Set to 0 indicates that only per-carrier independent (unsmoothed) channel estimate is recommended.
Not Sounding | Set to 0 indicates that PPDU is a Sounding PPDU. Set to 1 indicates that the PPDU is not a sounding PPDU.
Reserved | Set to 1.
Aggregation | Set to 1 to indicate that the PPDU in the data portion of the packet contains an A-MPDU; otherwise, set to 0.
STBC | Set to a non-zero number to indicate the difference between the number of space time streams (NSTS) and the number of spatial streams (NSS) indicated by the MCS. Set to 00 to indicate no STBC (NSTS = NSS).
HT-SIG
Field Name | Explanation and coding
LDPC coding | Set to 1 for LDPC. Set to 0 for BCC.
Short GI | Set to 1 to indicate that the short GI is used after the HT training. Set to 0 otherwise.
Number of extension spatial streams | Indicates the Number of extension spatial streams (NESS). Set to 0 for no extension spatial stream. Set to 1 for 1 extension spatial stream. Set to 2 for 2 extension spatial streams. Set to 3 for 3 extension spatial streams.
CRC | CRC of bits 0-23 in HT-SIG1 and bits 0-9 in HT-SIG2.
Modulation & Coding Scheme (MCS)
MCS is a compact representation (index) indicating
- Modulation (BPSK, QPSK, QAM,…)
- Coding (1/2, ¾,…)
- Number of Spatial Streams (1,2,3,4)
MCS index can be from 0 to 127
- Mandatory MCS
• MCS 0 to 15 at 20 MHz (at AP)
• MCS 0 to 7 at 20 MHz (at client STA)
- Rest all optional
• MCS 16 to 76 are optional
• All MCS at 40 MHz
- MCS 77 to 127 are reserved for future use
Rate Dependent Parameters (20 MHz and Mandatory MCS)
[Tables: NSS = 1, NSS = 2]
Rate Dependent Parameters (40 MHz & Mandatory MCS)
[Tables: NSS = 1, NSS = 2]
Other Optional MCSs
Other MCSs
- HT Duplicate
• MCS 32
• Useful under very high noise
• Lowest rate of 40 MHz (BPSK)
• 6.7 Mbps max rate
- MCSs with unequal modulation
• Use with
– Tx beamforming
– STBC
• MCS 33 – 38 (4 SS)
– Max rate 495 Mbps
• MCS 39 – 52 (4 SS)
– Max rate 495 Mbps
• MCS 53 – 76 (4 SS)
– Max rate 495 Mbps
MCSs with SS=3
- MCS 16 – 23
- Max rate (MCS 23)
• 216.7 Mbps (20 MHz)
• 450 Mbps (40 MHz)
MCSs with SS=4
- MCS 24 – 31
- Max rate (MCS 23)
• 288.9 Mbps (20 MHz)
• 600 Mbps (40 MHz)
MAC Enhancements
Frame Aggregation
Motivation
[Figure: without aggregation, MPDU1 and MPDU2 are each sent as DCF + PLCP + MPDU followed by PLCP + ACK; with aggregation, a single larger MPDU follows one DCF + PLCP and, after SIFS, one PLCP + ACK]
Amortize PLCP, MAC overheads by sending bigger packets
Can be implemented in several ways (as discussed next)
Physical Level Aggregation (A-MPDU)
Consists of several MPDUs addressed to the same receiver
- Identified by the HT-SIG PLCP field ‘Aggregation’ of a received packet
Each MPDU embedded in a subframe
Subframes consist of a delimiter followed by an MPDU (and padding in some cases)
- Except for the last subframe, subframes are padded so that their length is a multiple of 4 octets
Delimiter
- Delimiters (ASCII N) useful for recovery during errors
- CRC protects reserved and length fields
- When an invalid delimiter is obtained, the de-aggregation process skips forward 4 bytes and restarts its search for a new MPDU
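A de-aggregator that follows the recovery rule above, as an added example that is not part of the original slides. The delimiter layout (4 reserved bits, 12-bit MPDU length, 8-bit CRC, signature octet 0x4E) and the CRC-8 parameters and bit order used here are assumptions for illustration; the slide's delimiter figure did not survive, so check them against the standard before parsing real captures.

```python
DELIMITER_SIGNATURE = 0x4E  # ASCII 'N'


def crc8(data):
    """CRC-8, polynomial x^8 + x^2 + x + 1, preset to all ones, output inverted.

    Bit ordering is an assumption made for this example.
    """
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def make_delimiter(length):
    """Reserved (4 bits, zero) + MPDU length (12 bits) + CRC + signature."""
    if not 0 <= length < 4096:
        raise ValueError("MPDU length must fit in 12 bits")
    head = (length << 4).to_bytes(2, "little")
    return head + bytes([crc8(head), DELIMITER_SIGNATURE])


def aggregate(mpdus):
    """Build an A-MPDU; every subframe except the last is padded to 4 octets."""
    out = bytearray()
    for index, mpdu in enumerate(mpdus):
        out += make_delimiter(len(mpdu)) + mpdu
        if index != len(mpdus) - 1:
            out += bytes(-len(out) % 4)
    return bytes(out)


def deaggregate(buf):
    """Return (mpdus, skipped): recovered MPDUs and count of 4-octet skips."""
    mpdus, skipped, pos = [], 0, 0
    while pos + 4 <= len(buf):
        head, crc, signature = buf[pos:pos + 2], buf[pos + 2], buf[pos + 3]
        length = int.from_bytes(head, "little") >> 4
        valid = (
            signature == DELIMITER_SIGNATURE
            and crc == crc8(head)
            and pos + 4 + length <= len(buf)  # never read past the buffer
        )
        if not valid:
            pos += 4          # skip forward 4 bytes and search again
            skipped += 1
            continue
        if length:            # zero-length delimiters only add spacing
            mpdus.append(bytes(buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
        pos += -pos % 4       # next delimiter starts on a 4-octet boundary
    return mpdus, skipped


if __name__ == "__main__":
    frames = [b"\xaa" * 10, b"\xbb" * 7, b"\xcc" * 5]  # constructed MPDUs
    damaged = bytearray(aggregate(frames))
    damaged[2] ^= 0xFF                                  # corrupt first CRC
    print(deaggregate(bytes(damaged)))
```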
Physical Level Aggregation (A-MPDU)
[Figure: A-MPDU parameters. Max Rx Factor (x): 0 to 3 [2^(13+x)]. Min spacing: 0.25 to 16 usecs.]
Parameters negotiated using “A-MPDU parameters set” of HT capabilities IE field in a mgmt frame
- Max length (64k is the limit)
- Min MPDU start spacing
• 0 indicates no restriction
• Else, ranges from 1/4 to 16 usecs
• Realized by using Delimiters with MPDU length 0
- Can be limited by a station using its Assoc packet
Example frames that an A-MPDU can contain
- QoS data frames
- Block ack
- Block ACK req frames
- Action management frames of subtype “Action No ACK” (e.g., carrying MIMO info)
A-MSDU
A-MSDU consists of multiple subframes
All MSDUs are intended to be received by the same receiver
An A-MSDU whose length is 4095 – QoS data overheads = 4065 bytes cannot be Tx in an A-MPDU (as an A-MPDU cannot carry fragments)
A-MSDU
MAC level aggregation
- Consists of MSDUs belonging to the same TID (QoS class)
Support is mandatory at the receiver when it is carried in a single (i.e., non A-MPDU) QoS Data MPDU under Normal Ack policy
- Block Ack agreement determines whether an A-MSDU can be carried in QoS data frames that are part of the BA session
A-MSDU lifetime indicates MAX lifetime of its constituent MSDUs
- An A-MSDU can be Tx until its A-MSDU lifetime expires or it is received at the receiver
- Implicitly means certain MSDUs can be Tx even after their individual lifetimes
A STA shall not transmit to a station an A-MSDU that exceeds that station's Max A-MSDU length capability
Block ACK (BA)
Block Ack Packet Exchange
ADDBA Request used to initiate BA session
ADDBA Response confirms/rejects the session
Frames of a session need NOT be sent consecutively
- They can be mixed with other frames of a station
- They can be interleaved with packets from other stations
- They can be sent in multiple .11e TXOPs
BlockAckReq used to solicit a BlockACK response frame
DELBA used to terminate a BA session
Block ACK Sessions (ADDBA)
Dialog token is an ID used to match request and response
Parameter set (defined in next slide)
Status code indicates whether the receiver accepts the request or not
- If not, sender is not supposed to use Block ACK
Timeout indicates the duration (Seconds) for which a session is active
Block Ack Parameter Set Field used in ADDBA Action Management Frames
[Figure: Block Ack Parameter Set field formats for 802.11n and 802.11e]
Block Ack Parameter set field
- A-MSDU may or may not be allowed as a part of this BA session
- Block Ack policy is 1 for immediate ACK, 0 for delayed
• Delayed is sent at a slightly later time after receiving a Block Ack Req
- TID indicates the .11e Traffic Identifier field (i.e., an ID used to group all frames that need similar QoS treatment)
- Buffer size indicates buffers
• Recipient controls the buffers that can be supported
Immediate BlockAck
Delayed BlockAck
Block ACK Sessions (DELBA)
DELBA Parameter set
DELBA used to tear down sessions explicitly
Initiator indicates whether the sender or receiver of QoS data has initiated DELBA
BlockAckReq (BAR)
[Figure: BlockAckReq frame formats for 802.11n and 802.11e]
Fields of BlockAckReq Frame
BAR Control
- BA Policy (HT-delayed only)
• Normal ACK
• No ACK
- Multi-TID
• Does BAR consist of req for different QoS streams?
- Compressed
• Support for fragments in BA?
- TID_INFO
• Info about each TID
Interesting note on BA policy
- .11e defines delayed & immediate BA policy
- In addition, .11n defines HT immediate & HT delayed policies
• Negotiated between HT stations as a part of HT capabilities
• Extensions for using BA with 802.11n features such as frame aggregation (A-MPDU)
BlockAckReq Encoding
BAR Info Field
- Basic BAR, Compressed BAR
- TID info contains TID for which the req has been made
Per TID INFO
- MT BAR
- TID_info contains number of TIDs
- BAR info contains seq number for that many TIDs
BlockAck frame
BlockAck carries ACKs as bitmaps
Exact format depends on the encoding (see next slide)
BA Information for each BA encoding
Basic BA
- 128 byte bitmap
Compressed BA
- Mandatory
- 8 bit bitmap
- No support for fragments
MTBA (repeated for each TID)
HT Protection Mechanisms
Protection Requirements
- Protection may be required if Non-HT stations are present or Non-greenfield stations are present
- Types of protection that an HT station provides
  - RTS/CTS using a legacy rate
  - CTS to self using a legacy rate
  - Transmit 1st frame in a backward compatible mode
    - 1st frame Tx using a Non-HT preamble and then switch to HT mode
    - 1st frame Tx using a MM preamble and then switch to greenfield operation
  - Setting of L-SIG values in preamble to protect the current transmission
    - L-SIG TxOP (See next slide)
L-SIG TxOP Protection
Communication between 2 HT STAs that support this feature (as discussed in HT capabilities IE shortly)
Protecting multiple PSDUs (e.g., DATA+ACK, RTS/CTS) using a larger duration as derived from L-SIG
- L-SIG Duration will be derived from the MAC header’s duration value
Non-HT STAs ‘think’ of this as a transmission involving a single large frame!
Applicable to HT-Mixed mode Tx only
HT Parameter Negotiation
Information Elements
Advertising HT Capabilities using MAC Frames
HT Capability Information Element (e.g., Beacon, Probe Response)
Refer to next slides
HT Capabilities Info
Subfield | Definition | Encoding
LDPC coding capability | Indicates support for receiving LDPC coded packets | Set to 0 if not supported. Set to 1 if supported.
Supported channel width set | Indicates which channel widths the STA supports | Set to 0 if only 20 MHz operation is supported. Set to 1 if both 20 MHz and 40 MHz operation is supported.
SM Power Save | Indicates the Spatial Multiplexing (SM) Power Save mode | Set to 0 for Static SM Power Save mode. Set to 1 for Dynamic SM Power Save mode. Set to 3 for SM enabled. The value 2 is reserved.
Greenfield | Indicates support for the reception of PPDUs with HT Greenfield format | Set to 0 if not supported. Set to 1 if supported.
Short GI for 20 MHz | Indicates Short GI support for the reception of 20 MHz packets | Set to 0 if not supported. Set to 1 if supported.
Short GI for 40 MHz | Indicates Short GI support for the reception of 40 MHz packets | Set to 0 if not supported. Set to 1 if supported.
Tx STBC | Indicates support for the transmission of PPDUs using STBC | Set to 0 if not supported. Set to 1 if supported.
HT Capabilities Info
Subfield | Definition | Encoding
Rx STBC | Indicates support for the reception of PPDUs using STBC | Set to 0 for no support. Set to 1 for support of one spatial stream. Set to 2 for support of one and two spatial streams. Set to 3 for support of one, two and three spatial streams.
HT-delayed BlockAck | Indicates support for HT-delayed BlockAck operation. Support indicates that the STA is able to accept an ADDBA request for HT-delayed Block Ack | Set to 0 if not supported. Set to 1 if supported.
Maximum A-MSDU length | Indicates maximum A-MSDU length. See 9.7b (A-MSDU operation). | Set to 0 for 3839 octets. Set to 1 for 7935 octets.
DSSS/CCK Mode in 40 MHz | Indicates use of DSSS/CCK mode in a 40 MHz capable BSS operating in 20/40 MHz mode | In Beacon, Measurement Pilot and Probe Response frames: set to 0 if the BSS does not allow use of DSSS/CCK in 40 MHz; set to 1 if the BSS does allow use of DSSS/CCK in 40 MHz. Otherwise: set to 0 if the STA does not use DSSS/CCK in 40 MHz; set to 1 if the STA uses DSSS/CCK in 40 MHz.
HT Capabilities Info
Subfield | Definition | Encoding
PSMP support | Indicates support for PSMP operation. See | In Beacon, Measurement Pilot and Probe Response frames transmitted by an AP: set to 0 if the AP does not support PSMP operation; set to 1 if the AP supports PSMP operation. In Beacon frames transmitted by a non-AP STA: set to 0.
Forty MHz Intolerant | When sent by an AP, indicates whether other BSSs receiving this information are required to prohibit 40 MHz transmissions. When sent by a STA, indicates whether the AP associated with this STA is required to prohibit 40 MHz transmissions by all members of the BSS. | Set to 0 by an AP if the AP allows use of 40 MHz transmissions in neighboring BSSs. Set to 1 by an AP if the AP does not allow use of 40 MHz transmissions in neighboring BSSs. Set to 0 by a STA to indicate to its associated AP that the AP is not required to restrict the use of 40 MHz transmissions within its BSS. Set to 1 by a STA to indicate to its associated AP that the AP is required to restrict the use of 40 MHz transmissions within its BSS.
L-SIG TXOP protection support | Indicates support for the L-SIG TXOP protection mechanism | Set to 0 if not supported. Set to 1 if supported.
Example Packet Trace Snippet of a Dlink AP
HT Capability Info: %0001000001001110
0....... ........ L-SIG TXOP Protection Support: Not Supported
.0...... ........ AP allows use of 40MHz Transmissions In Neighboring BSSs
..0..... ........ Device/BSS does Not Support use of PSMP
...1.... ........ BSS does Allow use of DSSS/CCK Rates @40MHz
....0... ........ Maximal A-MSDU size: 3839 bytes
.....0.. ........ Does Not Support HT-Delayed BlockAck Operation
......00 ........ No Rx STBC Support
........ 0....... Transmitter does Not Support Tx STBC
........ .1...... Short GI for 40 MHz: Supported
........ ..0..... Short GI for 20 MHz: Not Supported
........ ...0.... Device is Not Able to Receive PPDUs with GF Preamble
........ ....11.. Spatial Multiplexing Enabled
........ ......1. Both 20MHz and 40MHz Operation is Supported
........ .......0 LDPC coding capability: Not Supported
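A decoder for the HT Capability Info field shown in the trace above, as an added example that is not part of the original slides. Bit positions are taken from the trace itself (bit 0 = LDPC up to bit 15 = L-SIG TXOP protection); the function and field names are illustrative.

```python
# (name, lowest bit, width), ordered from bit 0 upward as in the trace
HT_CAP_INFO_FIELDS = (
    ("ldpc_coding", 0, 1),
    ("supported_channel_width_set", 1, 1),
    ("sm_power_save", 2, 2),
    ("greenfield", 4, 1),
    ("short_gi_20mhz", 5, 1),
    ("short_gi_40mhz", 6, 1),
    ("tx_stbc", 7, 1),
    ("rx_stbc", 8, 2),
    ("ht_delayed_block_ack", 10, 1),
    ("max_amsdu_length", 11, 1),
    ("dsss_cck_40mhz", 12, 1),
    ("psmp_support", 13, 1),
    ("forty_mhz_intolerant", 14, 1),
    ("lsig_txop_protection", 15, 1),
)

SM_POWER_SAVE = {0: "static", 1: "dynamic", 2: "reserved", 3: "SM enabled"}
MAX_AMSDU_OCTETS = {0: 3839, 1: 7935}


def parse_bit_string(text):
    """'%0001000001001110' (analyzer notation, bit 15 first) -> integer."""
    bits = text.strip().lstrip("%").replace(" ", "")
    if len(bits) != 16 or set(bits) - {"0", "1"}:
        raise ValueError("expected 16 binary digits")
    return int(bits, 2)


def from_wire(octets):
    """Two octets as transmitted (least significant octet first) -> integer."""
    if len(octets) < 2:
        raise ValueError("HT Capability Info is 2 octets")
    return int.from_bytes(octets[:2], "little")


def decode_ht_cap_info(value):
    """Split the 16-bit field into its subfields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("HT Capability Info is a 16-bit field")
    return {
        name: (value >> low) & ((1 << width) - 1)
        for name, low, width in HT_CAP_INFO_FIELDS
    }


def summarize(fields):
    """Readable notes, flagging the reserved SM Power Save value."""
    notes = [
        "20/40 MHz" if fields["supported_channel_width_set"] else "20 MHz only",
        "SM power save: " + SM_POWER_SAVE[fields["sm_power_save"]],
        "max A-MSDU: %d octets" % MAX_AMSDU_OCTETS[fields["max_amsdu_length"]],
        "Rx STBC streams: %d" % fields["rx_stbc"],
    ]
    if fields["sm_power_save"] == 2:
        notes.append("malformed: SM power save uses the reserved value 2")
    if fields["forty_mhz_intolerant"]:
        notes.append("forty MHz intolerant bit is set")
    return notes


if __name__ == "__main__":
    value = parse_bit_string("%0001000001001110")  # value from the trace
    print(hex(value), summarize(decode_ht_cap_info(value)))
```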
HT Capabilities Info: Supported MCS Set
Rx MCS Bitmask: bit i = 1 indicates support for that MCS
Tx MCS Set Defined = 0 means both Tx/Rx MCS are equal
Up to 4 streams can be supported
Tx unequal modulation (as discussed earlier) may or may not be supported
HT Extended Capabilities
PCO: Support for Phased coexistence operation
- Alternate between 20 & 40 MHz operation
MCS feedback
- Station can provide MCS feedback
RD Responder indicates support for Reverse direction protocol
- Optional feature wherein an initiator can elicit a response packet burst from a responder
HT Info Element
- Operating mode
- Beacon always sent in non-HT mode
- See next slide for details
HT Information Element
Channel related parameters
- Primary channel
- Secondary channel offset
- Channel width of a STA (20 or 40)
- Dual Beacon
• Does AP Tx beacon in secondary channel?
- Secondary beacon support
- Basic MCS Set
• Mandatory MCS for all STAs in BSS
• Similar to Basic rates of .11a/b/g
RIFS
- Shorter inter packet gaps
- E.g., 2 usecs (compare it with 16 usecs for SIFS)
Tx burst limit
- Burst of GF or RIFS packets
Overlapping BSS protection
Dual CTS protection
- Send a CTS for STBC & legacy STAs separately
Full BSS support for L-SIG TXOP protection
Phased Coexistence (PCO Parameters)
- PCO Active
- PCO phase (20 or 40 MHz switch)
HT Information element
Operating mode
- Set to 0
  - All STAs in BSS are 20/40 MHz HT
  - All STAs in a 20 MHz HT BSS are 20 MHz HT
- Set to 1 (non-member protection)
  - Some members on the channel (maybe outside BSS) are non-HT
- Set to 2
  - At least one 20 MHz only STA in a HT BSS
- Set to 3
  - MM (at least one legacy STA is present in BSS)
Protection
- Required for Operating mode 1 & 3
- Protection mechanisms discussed earlier can be used
- Operating mode can also be updated dynamically based on BSS constitution
Non-GF STAs present
- Set to 0
  - All associated STAs in BSS are GF capable
- Set to 1
  - Some non-GF STAs present in a BSS
Channel Switch & Extended Channel Switch Elements
Channel Switch
- Indicates the secondary channel relative to the primary channel
• Useful for 40 MHz transmission
• 0 indicates no secondary channel, 2 is reserved
• 1 means secondary is above primary, 3 means below
- Beacons, Probe Responses
- Channel switch announcement frames (Action management frames)
Extended Channel Switch
- Switch to a new channel (20 MHz) or a primary channel (40 MHz), and regulatory class
- Beacons, Probe Responses
- Channel switch announcement frames (Action management frames)
Overview of advanced .11n features
Optional and/or not yet available today
HTControl
HT Control: Link adaptation
Field | Meaning | Definition
TRQ | Sounding Request | Set to 1 to request the responder to transmit a sounding PPDU. When set to 0, the responder is not requested to transmit a sounding PPDU. See 9.17.2 (Transmit beamforming with implicit feedback).
MAI | MCS request or Antenna Selection Indication | When set to 14, the MAI field contains an Antenna Selection Indication (ASELI). Otherwise the MAI field is interpreted as shown in Figure n3 (MAI field).
MFSI | MFB Sequence Identifier | Set to the received value of MSI contained in the frame to which the MFB information refers. Set to 7 for unsolicited MFB.
MFB/ASELC | MCS Feedback and Antenna Selection Command/Data | When the MAI field is set to the value ASELI, this field is interpreted as defined in Figure n4 (ASELC subfield) and Table n3 (The ASEL Command and ASEL Data parts of the ASELC subfield). Otherwise, this field contains recommended MCS feedback. A value of 127 indicates that no feedback is present.
RDP Exchange
802.11n MAC Layer Performance: Putting it all together
Theoretical Maximum Throughput (TMT)
[Figure: throughput (Mbps) versus MCS, MSDU size = 1000 bytes]
Bandwidth efficiency
[Figure: theoretical bandwidth efficiency versus MSDU size (10^3 bytes)]
Bandwidth efficiency
[Figure: bandwidth efficiency with aggregation versus aggregated frame size (KB)]
Insights from experiment results
[Figure: probability versus A-MPDU size (KB)]
Plain-vanilla: TMT 43, Expt. 33.9
A-MSDU: TMT 92, Expt. 87.1
A-MPDU: TMT 120, Expt. 85.5
IEEE 802.11e
Limitations of DCF
No notion of differentiated service
Designed for fairness
Contention-based
- Inherently lacks service guarantee
Limited QoS support using Point Coordination Function (PCF)
Contention-free and contention periods (CFP and CP)
Centralized polling scheme
Limitations
- Simple round-robin polling only during CFP
- Unknown transmission durations
- Unpredictable beacon delays during polling
IEEE 802.11e main features
Four access categories (AC): voice, video, best effort, background
Transmission opportunity (TXOP)
Controlled beacon interval
Hybrid coordination function (HCF)
- Enhanced distributed channel access (EDCA)
- HCF controlled channel access (HCCA)
Block ACKs: cumulative acknowledgements
Direct Link Protocol (DLP): station to station communication
Enhanced distributed channel access (EDCA)
Contention based
Arbitration IFS (AIFS): sense if channel is idle for AIFS
- Each AC has a different AIFS
- PIFS < AIFS [Higher AC] < AIFS [Lower AC]
- AIFS ≥ DIFS
Backoff: contention window (CW)
- CWmin [Higher AC] < CWmin [Lower AC]
- CWmax [Higher AC] < CWmax [Lower AC]
HCF controlled channel access (HCCA)
HC should have highest priority to control medium access
- HC uses PIFS as idle time before accessing the channel
- AIFS [Highest AC] = DIFS
“Superframe” defines CP (EDCA TXOPs) and CFP (HCCA TXOPs)
- HC can allocate polled TXOP even during CP
[Figure: superframe between two beacons, with HCCA in the contention-free period (CFP) and both EDCA and HCCA TXOPs in the contention period (CP)]
Security Enhancements to 802.11
WPA/802.11i & 802.11w D2.0
History: WEP Shared Key Authentication
Client and AP each hold Key K (40 bit string)
Client → AP: Authentication Request
AP → Client: Challenge text C (random string of 128 bytes)
Client: compute response R1 = f (C, K)
Client → AP: Response R1
AP: compute response R2 = f (C, K); is R1 = R2?
AP → Client: Result (Accept/Reject)
R1 = R2 = C XOR Keystream (K, IV)
Note: This is one-way authentication. AP authenticates Client, but not vice versa.
History: WEP Encryption
[Figure: at the TRANSMITTER, (Key K | Initialization Vector IV), 40 bit and 24 bit, feeds the RC4 Key Stream Generator; the keystream (hundreds of bits) is XORed with Packet P, and IV plus Encrypted P goes over the WIRELESS CHANNEL. At the RECEIVER, the same (Key K | Initialization Vector IV) feeds the RC4 Key Stream Generator and the keystream is XORed with Encrypted P to recover Packet P.]
Called “Stream cipher”
• Key K is statically programmed in transmitter and receiver
• IV is changed per packet
• ICV is used for integrity protection (part of P)
History: What went wrong with WEP?
Very easy to beat the Authentication
- P XOR R = C
- P XOR C = R
IV Collision:
- Means two packets encrypted with same IV
• 24 bit IV can quickly wrap around under heavy traffic condition
• Many cards/APs on reset start with IV = 0 and increment from there
Cipher Text Modification
- ICV Protection can be defeated
Key (K) cracking (Fluhrer, Mantin, Shamir – “FMS attack”)
- Using few packets encrypted with “Weak IVs”, key K itself can be cracked
No Mutual Authentication
No Replay Protection
Single shared key used for all users/sessions
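The two XOR weaknesses listed above (the authentication exchange and IV collision), shown as properties of the keystream construction together with an IV-reuse check over captured frames. This is an added example, not part of the original slides; it follows the slides' simplified R = C XOR Keystream(K, IV) and omits the ICV, it assumes the IV is prepended to K as the RC4 seed, and the key, IVs and payloads are constructed values.

```python
def rc4_keystream(seed, length):
    """Standard RC4: key scheduling followed by keystream generation."""
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + seed[i % len(seed)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_keystream(key, iv, length):
    """Per-packet keystream; the RC4 seed is IV followed by K (assumed order)."""
    return rc4_keystream(iv + key, length)


def wep_encrypt(plaintext, key, iv):
    """Simplified WEP: plaintext XOR keystream, no ICV."""
    return xor(plaintext, wep_keystream(key, iv, len(plaintext)))


def shared_key_response(challenge, key, iv):
    """R = C XOR Keystream(K, IV), as on the authentication slide."""
    return xor(challenge, wep_keystream(key, iv, len(challenge)))


def keystream_visible_on_air(challenge, response):
    """Both C and R cross the air in clear view, so C XOR R is public."""
    return xor(challenge, response)


def find_iv_reuse(frames):
    """frames: list of (iv, ciphertext). Returns {iv: [frame indexes]} for reused IVs."""
    seen = {}
    for index, (iv, _ciphertext) in enumerate(frames):
        seen.setdefault(iv, []).append(index)
    return {iv: idx for iv, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit key
    iv = bytes.fromhex("000001")               # constructed 24-bit IV
    challenge = bytes(range(128))              # constructed challenge text
    response = shared_key_response(challenge, key, iv)
    leaked = keystream_visible_on_air(challenge, response)
    print("exchange exposes keystream:", leaked == wep_keystream(key, iv, 128))

    p1, p2 = b"constructed frame A", b"constructed frame B"
    frames = [(iv, wep_encrypt(p1, key, iv)),
              (bytes.fromhex("000002"), wep_encrypt(p1, key, bytes.fromhex("000002"))),
              (iv, wep_encrypt(p2, key, iv))]
    print("reused IVs:", find_iv_reuse(frames))
    print("same-IV ciphertexts XOR to plaintext XOR:",
          xor(frames[0][1], frames[2][1]) == xor(p1, p2))
```

Run over a capture, `find_iv_reuse` shows how quickly a 24-bit IV space repeats; TKIP's 48-bit, never-reused IV described later in the slides removes both properties.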
WPA: A Quick Fix to WEP
Created by WiFi Alliance
- Note: IEEE standardizes WLAN protocols, WiFi Alliance (www.wifialliance.org) promotes market adoption of WLAN
Constraints:
- No change to XOR based hardware encryption engine
- Something that will work with firmware upgrade to installed base of WLAN equipment
Connection Establishment using WPA
Step 1: AP Discovery (SSID, signal strength)
Step 2: Open (No) Authentication / WEP Shared Key Authentication
Step 3: Association
Step 4.1: 802.1x (EAP) Authentication / Pre-shared Keys (PSK)
Step 4.2: Dynamic Encryption Key Generation
Step 5: WEP Like Encrypted Data Communication
Annotations: Addition of TKIP, EAPOL 4-way handshake, 802.1x and PSK
[Figure: 802.1x message flow between Wireless Client, Access Point and Authentication Server; the Wireless Link joins client and Access Point, the Wired LAN joins Access Point and Authentication Server]
Open Authentication
Association
Open Controlled Port allowing only EAP messages to pass through.
EAP Identity Request
EAP Identity Response
Authentication Method Handshake (RELAY): Identity Proof and Master Key Generation; Generate Master Key (shown twice in the figure)
EAP Success
Accept/Provide Master Key
EAPOL 4-Way Handshake: Generate Transient Keys (shown twice in the figure)
Open Uncontrolled Port allowing data to pass through.
Encrypted Data Exchange
EAPOL Logoff
Advantages of 802.1x
Freedom to choose authentication algorithm
- 802.1x is a bearer
- TLS, TTLS, LEAP, PEAP, GTC, MSCHAPv2, Kerberos, SIM, future algorithms can ride over 802.1x, only requirements being
• Support mutual authentication
• Support derivation of master keys
- Keys and authentication algorithms can be session specific
Ease of management of credentials in central authentication server
Ease of integration with other enterprise security systems (network authentication)
TKIP Encryption
TKIP uses longer IV (48 bit) – twice as much as WEP
Avoids Weak IVs
Prevents IV reuse for any given key
- IV always starts from 0 and counts upwards
Master key generated afresh for each connection attempt – unlike static WEP keys
- Transient keys generated from master key are used for encryption – refreshed at regular intervals
Connection Establishment using 802.11i
Step 1: AP Discovery (SSID, signal strength)
Step 2: Open (No) Authentication / WEP Shared Key Authentication
Step 3: Association
Step 4.1: 802.1x (EAP) Authentication / Pre-shared Keys (PSK)
Step 4.2: Dynamic Key Generation
Step 5: CCMP Encrypted Data Communication
Annotations: CCMP (Change in h/w encryption engine); Addition of 802.1x and PSK
802.11w: Management Frame Protection
WPA/802.11i protect 802.11 data packets only
Management, Control frames are left unprotected
- This can lead to various kinds of DoS attacks on an 802.11 network
- E.g., Deauthentication, Disassociation, Virtual jamming
802.11w DRAFT 2.0 (still in draft stage) is aimed at extending 802.11i to protect management frames
Management Frames Protected
Robust Management Frames
- Deauthentication
- Disassociation
- Action with category
• Spectrum management
• QoS
• BlockAck
• DLS
Protection
- Protection field in MAC frame control set to 1
- Confidentiality for unicast management frames (TKIP or CCMP)
- Integrity for broadcast frames provided
Broadcast Frame Integrity
Management MIC Information Element (MMIE)
- Provide integrity for deauth and disassoc broadcast frames
- Protection against forgery & replay
- Length – 26 (for deauth, disassoc frames) or 16 (other frames in future)
- Key ID: which key used to compute the MIC
- Replay: Interpreted as a 128 bit key for deauth, disassoc frames
- MIC calculated over SA, DA, priority (or ff) & plaintext data of MAC frame
RSN IE: Capabilities field for .11w negotiation
MFP Supported
- Indicates the capability of a device to support .11w
- Optional
MFP Enabled
- This capability is required for a STA to operate in a BSS
- Mandatory
Thank you
{kaustubh.phanse, gopinath.kn}@airtightnetworks.net