Network Operations
From the outset, 802.11 was designed to be just another link layer to higher-layer protocols. Network administrators familiar with Ethernet will be immediately comfortable with 802.11. The shared heritage is deep enough that 802.11 is sometimes referred to as "wireless Ethernet."
The core elements present in Ethernet are present in 802.11. Stations are identified by 48-bit IEEE 802 MAC addresses. Conceptually, frames are delivered based on the MAC address. Frame delivery is unreliable, though 802.11 incorporates some basic reliability mechanisms to overcome the inherently poor qualities of the radio channels it uses.[*]
[*] I don't mean "poor" in an absolute sense. But the reliability of wireless transmission is really not comparable to the reliability of a wired network.
From a user's perspective, 802.11 might just as well be Ethernet. Network administrators, however, need to be conversant with 802.11 at a much deeper level. Providing MAC-layer mobility while following the path blazed by previous 802 standards requires a number of additional services and more complex framing.
Network Services
One way to define a network technology is to define the services it offers and allow equipment vendors to implement those services in whatever way they see fit. The original 802.11 standard defined nine services. Only three of the services are used for moving data; the remaining six are management operations that allow the network to keep track of the mobile nodes and deliver frames accordingly. 802.11h later added two spectrum management services, transmit power control and dynamic frequency selection, bringing the total to eleven.
The services are described in the following list and summarized in Table 2-1:
Distribution
This service is used by mobile stations in an infrastructure network every time they send data. Once a frame has been accepted by an access point, it uses the distribution service to deliver the frame to its destination. Any communication that uses an access point travels through the distribution service, including communications between two mobile stations associated with the same access point.
Integration
Integration is a service provided by the distribution system; it allows the connection of the distribution system to a non-IEEE 802.11 network. The integration function is specific to the distribution system used and therefore is not specified by 802.11, except in terms of the services it must offer.
Association
Delivery of frames to mobile stations is made possible because mobile stations register, or associate, with access points. The distribution system can then use the registration information to determine which access point to use for any mobile station. Unassociated stations are not "on the network," much like workstations with unplugged Ethernet cables. 802.11 specifies the function that must be provided by the distribution system using the association data, but it does not mandate any particular implementation. When robust security network protocols are in use, association is a precursor to authentication. Prior to the completion of authentication, an access point will drop all network protocol traffic from a station.
Reassociation
When a mobile station moves between basic service areas within a single extended service area, it must evaluate signal strength and perhaps switch the access point with which it is associated. Reassociations are initiated by mobile stations when signal conditions indicate that a different association would be beneficial; they are never initiated directly by the access point. (Some APs will kick stations off in order to force a client to begin the reassociation process; in the future, reassociation may become more dependent on the infrastructure as better network management standards are developed.)
After the reassociation is complete, the distribution system updates its location records to reflect the reachability of the mobile station through a different access point. As with the association service, a robust security network will drop network protocol traffic before the successful completion of authentication.
Disassociation
To terminate an existing association, stations may use the disassociation service. When stations invoke the disassociation service, any mobility data stored in the distribution system is removed. Once disassociation is complete, it is as if the station is no longer attached to the network. Disassociation is the polite thing to do during the station shutdown process. The MAC is, however, designed to accommodate stations that leave the network without formally disassociating.
Authentication
Physical security is a major component of a wired LAN security solution. Network attachment points are limited, often to areas in offices behind perimeter access control devices. Network equipment can be secured in locked wiring closets, and data jacks in offices and cubicles can be connected to the network only when needed. Wireless networks cannot offer the same level of physical security, however, and therefore must depend on additional authentication routines to ensure that users accessing the network are authorized to do so. Authentication is a necessary prerequisite to association because only authenticated users are authorized to use the network.
Authentication may happen multiple times during the connection of a client to a wireless network. Prior to association, a station performs a basic identity exchange with an access point in which it presents only its MAC address. This exchange is often referred to as "802.11" authentication; in the common open-system form it carries no credential at all, and it is distinct from the robust cryptographic user authentication that often follows.
Deauthentication
Deauthentication terminates an authenticated relationship. Because authentication is needed before network use is authorized, a side effect of deauthentication is termination of any current association. In a robust security network, deauthentication also clears keying information.
Confidentiality
Strong physical controls can prevent a great number of attacks on the privacy of data in a wired LAN. Attackers must obtain physical access to the network medium before attempting to eavesdrop on traffic. On a wired network, physical access to the network cabling is a subset of physical access to other computing resources. By design, physical access to wireless networks is a comparatively simpler matter of using the correct antenna and modulation methods.
In the initial revision of 802.11, the confidentiality service was called privacy, and provided by the now-discredited Wired Equivalent Privacy (WEP) protocol. In addition to new encryption schemes, 802.11i augments the confidentiality service by providing user-based authentication and key management services, two critical issues that WEP failed to address.
MSDU delivery
Networks are not much use without the ability to get the data to the recipient. Stations provide the MAC Service Data Unit (MSDU) delivery service, which is responsible for getting the data to the actual endpoint.
Transmit Power Control (TPC)
TPC is a new service that was defined by 802.11h. European standards for the 5 GHz band require that stations control the power of radio transmissions to avoid interfering with other users of the 5 GHz band. Transmit power control also helps avoid interference with other wireless LANs. Range is a function of power; high transmit power settings make it more likely that a client's greater range will interfere with a neighboring network. By controlling power to a level that is "just right," it is less likely that a station will interfere with neighboring stations.
Dynamic Frequency Selection (DFS)
Some radar systems operate in the 5 GHz range. As a result, some regulatory authorities have mandated that wireless LANs must detect radar systems and move to frequencies that are not in use by radar. Some regulatory authorities also require uniform use of the 5 GHz band for wireless LANs, so networks must have the ability to re-map channels so that usage is equalized.
Table 2-1. Network services

Service | Station or distribution service? | Description
---|---|---
Distribution | Distribution | Service used in frame delivery to determine destination address in infrastructure networks
Integration | Distribution | Frame delivery to an IEEE 802 LAN outside the wireless network
Association | Distribution | Used to establish the AP which serves as the gateway to a particular mobile station
Reassociation | Distribution | Used to change the AP which serves as the gateway to a particular mobile station
Disassociation | Distribution | Removes the wireless station from the network
Authentication | Station | Establishes station identity (MAC address) prior to establishing association
Deauthentication | Station | Used to terminate authentication, and by extension, association
Confidentiality | Station | Provides protection against eavesdropping
MSDU delivery | Station | Delivers data to the recipient
Transmit Power Control (TPC) | Station/spectrum management | Reduces interference by minimizing station transmit power
Dynamic Frequency Selection (DFS) | Station/spectrum management | Avoids interfering with radar operation in the 5 GHz band
Station services
Station services are part of every 802.11-compliant station and must be incorporated by any product claiming 802.11 compliance. Station services are provided by both mobile stations and the wireless interface on access points. Stations provide frame delivery services to allow message delivery, and, in support of this task, they may need to use the authentication services to establish associations. Stations may also wish to take advantage of confidentiality functions to protect messages as they traverse the vulnerable wireless link.
Distribution system services
Distribution system services connect access points to the distribution system. The major role of access points is to extend the services on the wired network to the wireless network; this is done by providing the distribution and integration services to the wireless side. Managing mobile station associations is the other major role of the distribution system. To maintain association data and station location information, the distribution system provides the association, reassociation, and disassociation services.
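The association, reassociation, disassociation, authentication and deauthentication services above interact through a small per-station state machine that every access point keeps: 802.11 authentication must precede association, association must precede data, and in a robust security network data is dropped until key establishment finishes. The following is an added example, not code from the book, that models that state machine as an AP sees it. The frame names and the "send:..." verdict strings are this example's own simplifications; the frame classes and the corrective deauthentication/disassociation responses follow the 802.11 frame-class rules.

```python
"""Per-station state as an access point tracks it: 802.11 authentication,
association, the RSN rule that data is dropped until key establishment
finishes, and what deauthentication and disassociation tear down.

Added example, not code from the book. Frame names and verdict strings are
this example's own; the frame classes and corrective responses follow the
802.11 frame-class rules.
"""
from dataclasses import dataclass, field

# 802.11 station states; state 4 is the RSN refinement of state 3 in which
# the pairwise key is installed and the 802.1X controlled port is open.
UNAUTH, AUTH_ONLY, ASSOCIATED, KEYED = 1, 2, 3, 4

# Frame class of each frame type used here. Class 1 is always allowed,
# class 2 needs authentication, class 3 needs association.
FRAME_CLASS = {
    "probe_req": 1, "auth": 1, "deauth": 1,
    "assoc_req": 2, "reassoc_req": 2, "disassoc": 2,
    "eapol": 3, "data": 3,
}


@dataclass
class StationRecord:
    state: int = UNAUTH
    ptk_installed: bool = False   # set once the 4-way handshake completes


@dataclass
class AccessPoint:
    bssid: str
    distribution_system: dict     # shared location map: station MAC -> serving BSSID
    stations: dict = field(default_factory=dict)

    def receive(self, mac, frame):
        """Decide what to do with `frame` from station `mac`: 'accept' a
        management frame, 'forward' or 'drop' data, or send a corrective
        deauthentication/disassociation for a frame of the wrong class."""
        rec = self.stations.setdefault(mac, StationRecord())
        cls = FRAME_CLASS[frame]
        if cls >= 2 and rec.state < AUTH_ONLY:
            return "send:deauth"      # class 2/3 frame from an unauthenticated station
        if cls == 3 and rec.state < ASSOCIATED:
            return "send:disassoc"    # class 3 frame from an unassociated station

        if frame == "auth":
            rec.state = max(rec.state, AUTH_ONLY)
        elif frame in ("assoc_req", "reassoc_req"):
            rec.state = ASSOCIATED
            rec.ptk_installed = False                      # fresh association, fresh keys
            self.distribution_system[mac] = self.bssid     # DS now routes via this AP
        elif frame == "disassoc":
            rec.state = AUTH_ONLY                          # still 802.11-authenticated
            rec.ptk_installed = False
            self.distribution_system.pop(mac, None)        # mobility data removed
        elif frame == "deauth":
            del self.stations[mac]                         # association and keys gone
            self.distribution_system.pop(mac, None)
        elif frame == "data":
            # RSN: network-protocol traffic is dropped until keys are installed.
            return "forward" if rec.ptk_installed else "drop"
        # probe_req and eapol are accepted in any state that allows their class.
        return "accept"

    def keys_installed(self, mac):
        """Called when the 4-way handshake completes; opens the controlled port."""
        rec = self.stations[mac]
        if rec.state >= ASSOCIATED:
            rec.ptk_installed = True
            rec.state = KEYED


def walkthrough():
    """Constructed sequence of events for one station across two APs that
    share a distribution system; returns the AP decisions in order."""
    ds = {}
    ap1 = AccessPoint("00:11:22:33:44:01", ds)
    ap2 = AccessPoint("00:11:22:33:44:02", ds)
    sta = "aa:bb:cc:dd:ee:ff"
    trace = []
    trace.append(ap1.receive(sta, "data"))        # state 1: answered with deauthentication
    trace.append(ap1.receive(sta, "auth"))        # 802.11 authentication: state 2
    trace.append(ap1.receive(sta, "data"))        # state 2: answered with disassociation
    trace.append(ap1.receive(sta, "assoc_req"))   # state 3; DS learns the serving AP
    trace.append(ap1.receive(sta, "data"))        # RSN: dropped until keys exist
    trace.append(ap1.receive(sta, "eapol"))       # 802.1X/EAP passes the uncontrolled port
    ap1.keys_installed(sta)
    trace.append(ap1.receive(sta, "data"))        # forwarded
    ap2.receive(sta, "auth")                      # must authenticate to the new AP first
    trace.append(ap2.receive(sta, "reassoc_req")) # DS location record moves to ap2
    trace.append(ds[sta])
    trace.append(ap2.receive(sta, "deauth"))      # clears association and keys
    trace.append(sta in ds)
    return trace


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The walkthrough shows the two points the text makes: a data frame is met with a deauthentication or disassociation depending on how far the station has got, and even an associated station gets its data dropped until the 4-way handshake installs keys; deauthentication then removes both the association and the keying material.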
Confidentiality and access control
Confidentiality and access control services are intertwined. In addition to secrecy of the data in transit, the confidentiality service also protects the integrity of frame contents. Both secrecy and integrity depend on shared cryptographic keys, so the confidentiality service necessarily depends on other services to provide authentication and key management.
Authentication and key management (AKM)
Cryptographic integrity is worthless if it does not also keep unauthorized users from attaching to the network. The confidentiality service depends on the authentication and key management suite to establish user identity and encryption keys. Authentication may be accomplished through an external protocol, such as 802.1X, or with pre-shared keys.
Cryptographic algorithms
Frames may be protected by the traditional WEP algorithm, using 40- or 104-bit secret keys, the Temporal Key Integrity Protocol (TKIP), or the Counter Mode with CBC-MAC Protocol (CCMP). All of these algorithms are discussed in detail in Chapters 5 and 7.
Origin authenticity
TKIP and CCMP allow the receiver to validate the sender's MAC address to prevent spoofing attacks. Origin authenticity protection is only available for unicast data.
Replay detection
TKIP and CCMP protect against replay attacks by incorporating a sequence counter that is validated upon receipt. A frame whose counter value is not higher than that of the last frame accepted from the same sender is "too old" to be valid and is discarded.
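The two preceding items, origin authenticity and replay detection, can be seen together in one receiver. The block below is an added example, not code from the book: CCMP's real MIC is AES-CBC-MAC over header fields and body, and here HMAC-SHA256 truncated to 64 bits stands in for it so the code runs on the standard library alone. The addresses, key names and frame bodies are constructed; the 48-bit packet number and the per-transmitter, per-TID replay counter follow CCMP. The scenario also shows why origin authenticity holds only for unicast: an associated attacker holds the group key too.

```python
"""Replay detection and origin authenticity as TKIP/CCMP provide them, with a
stand-in MIC so the block runs on the standard library alone.

Added example, not code from the book. HMAC-SHA256 truncated to 64 bits stands
in for CCMP's AES-CBC-MAC; keys, addresses and bodies are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

PN_MAX = 2 ** 48 - 1   # CCMP packet numbers are 48 bits wide


@dataclass(frozen=True)
class ProtectedFrame:
    src: str      # transmitter address; covered by the MIC, so it cannot be altered
    dst: str      # unicast peer, or a group address
    tid: int      # traffic class; replay counters are kept per (src, tid)
    pn: int       # packet number, incremented by the sender for every frame
    body: bytes
    mic: bytes


def _mic(key, src, dst, tid, pn, body):
    header = f"{src}|{dst}|{tid}|{pn}".encode()
    return hmac.new(key, header + body, hashlib.sha256).digest()[:8]


def protect(key, src, dst, tid, pn, body):
    """Sender side: attach a MIC computed over header fields and body."""
    return ProtectedFrame(src, dst, tid, pn, body, _mic(key, src, dst, tid, pn, body))


class Receiver:
    def __init__(self, my_addr, pairwise_keys, group_key):
        self.addr = my_addr
        self.pairwise = pairwise_keys   # peer address -> pairwise key (PTK)
        self.group_key = group_key      # GTK, shared by every station in the BSS
        self.last_pn = {}               # (src, tid) -> highest PN accepted so far

    def receive(self, frame):
        # Unicast frames use the pairwise key known only to the two peers;
        # group-addressed frames use the GTK that every associated station holds.
        key = self.pairwise.get(frame.src) if frame.dst == self.addr else self.group_key
        if key is None:
            return "drop:no-key"
        if not 0 <= frame.pn <= PN_MAX:
            return "drop:bad-pn"
        expected = _mic(key, frame.src, frame.dst, frame.tid, frame.pn, frame.body)
        if not hmac.compare_digest(expected, frame.mic):
            return "drop:mic"           # body or source address was tampered with
        if frame.pn <= self.last_pn.get((frame.src, frame.tid), -1):
            return "drop:replay"        # not newer than the last accepted frame
        self.last_pn[(frame.src, frame.tid)] = frame.pn
        return "accept"


def scenario():
    """Constructed scenario: station A holds pairwise keys with B and the AP;
    attacker C is an associated station and therefore also holds the GTK."""
    A, B, AP = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "00:11:22:33:44:55"
    BCAST = "ff:ff:ff:ff:ff:ff"
    ptk_ab, gtk = b"pairwise-key-A-B", b"group-key-for-everyone"
    rx = Receiver(A, {B: ptk_ab, AP: b"pairwise-key-A-AP"}, gtk)
    verdicts = {}
    genuine = protect(ptk_ab, B, A, 0, 1, b"hello from B")
    verdicts["unicast"] = rx.receive(genuine)
    verdicts["replayed_unicast"] = rx.receive(genuine)
    # C does not have ptk_ab; the best it can do is MIC the frame with a key it holds.
    verdicts["spoofed_unicast"] = rx.receive(protect(gtk, B, A, 0, 2, b"forged"))
    verdicts["group"] = rx.receive(protect(gtk, AP, BCAST, 0, 10, b"arp who-has"))
    # C can MIC a group frame as the AP with the GTK: no origin authenticity here.
    verdicts["spoofed_group"] = rx.receive(protect(gtk, AP, BCAST, 0, 11, b"forged"))
    # The forged PN advanced A's counter, so the AP's genuine frame 11 is now rejected.
    verdicts["genuine_group_after_forgery"] = rx.receive(protect(gtk, AP, BCAST, 0, 11, b"real"))
    return verdicts


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

The last two verdicts are the practical consequence of the text's caveat: because every station holds the group key, a forged broadcast passes the MIC check, and its inflated packet number then causes the legitimate sender's next frame to be discarded as a replay.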
External protocols and systems
The confidentiality service depends heavily on external protocols to run. Key management is provided by 802.1X, which together with EAP carries authentication data. 802.11 places no constraint on the protocols used, but the most common choices are EAP for authentication, and RADIUS to interface with the authentication server.
Spectrum management services
Spectrum management services are a special subset of station services. They are designed to allow the wireless network to react to conditions and change radio settings dynamically. Two services were defined in 802.11h to help meet regulatory requirements.
The first service, transmit power control (TPC), can dynamically adjust the transmission power of a station. Access points will be able to use the TPC operations to advertise the maximum permissible power, and reject associations from clients that do not comply with the local radio regulations. Clients can use TPC to adjust power so that range is "just right" to get to the access point. Digital cellular systems have a similar feature designed to extend the battery life of mobile phones.[*] Lower transmit power also will have some benefit in the form of increased battery life, though the extent of the improvement will depend on how much the transmit power can be reduced from what the client would otherwise have used.
[*] Power control also helps to simplify the electronics in the base station because all signals will be received at roughly the same signal level.
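The AP-side check described above, advertising a local power limit and rejecting stations that cannot comply, plus the client-side adjustment, can be written out. This is an added example, not code from the book. The element IDs and layouts follow 802.11h: the Power Constraint element (ID 32) carries one unsigned byte of dB to subtract from the regulatory maximum, and the Power Capability element (ID 33) carries the station's minimum and maximum transmit power as two signed dBm bytes. The regulatory maximum of 23 dBm, the 6 dB headroom and the acceptance rule (a station whose minimum power exceeds the local limit cannot comply) are this example's assumptions.

```python
"""Transmit power checks at association time, as an 802.11h AP and client make them.

Added example, not code from the book. Element IDs and layouts follow 802.11h;
the regulatory maximum, headroom and acceptance rule are assumptions.
"""
import struct

EID_POWER_CONSTRAINT = 32   # beacon/probe response: 1 unsigned byte, dB
EID_POWER_CAPABILITY = 33   # association request: 2 signed bytes, min/max dBm


def parse_elements(body: bytes) -> dict:
    """Split a tagged-parameter blob into {element_id: payload}.
    A truncated element is an error rather than silently ignored."""
    out, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"element {eid} truncated")
        out[eid] = payload
        i += 2 + length
    return out


def local_max_power(regulatory_max_dbm: int, beacon_elements: dict) -> int:
    """Local limit = regulatory maximum minus the advertised Power Constraint."""
    constraint = beacon_elements.get(EID_POWER_CONSTRAINT, b"\x00")[0]
    return regulatory_max_dbm - constraint


def accept_association(regulatory_max_dbm, beacon_elements, assoc_req_elements):
    """AP side: (accepted, reason). A station that cannot transmit at or below
    the local limit is refused (assumed policy)."""
    cap = assoc_req_elements.get(EID_POWER_CAPABILITY)
    if cap is None:
        return False, "no Power Capability element"
    if len(cap) != 2:
        return False, "malformed Power Capability element"
    min_dbm, max_dbm = struct.unpack("bb", cap)
    limit = local_max_power(regulatory_max_dbm, beacon_elements)
    if min_dbm > limit:
        return False, f"station minimum {min_dbm} dBm exceeds local limit {limit} dBm"
    return True, f"station range {min_dbm}..{max_dbm} dBm fits local limit {limit} dBm"


def choose_tx_power(current_dbm, link_margin_db, limit_dbm, headroom_db=6):
    """Client side: a TPC Report tells the client how much link margin the AP
    saw; shed that margin minus some headroom, never exceeding the local limit."""
    return min(limit_dbm, current_dbm - link_margin_db + headroom_db)


def demo():
    """Constructed beacon and association-request fragments."""
    beacon = bytes([EID_POWER_CONSTRAINT, 1, 3])       # local limit = 23 - 3 = 20 dBm
    compliant = bytes([EID_POWER_CAPABILITY, 2]) + struct.pack("bb", -5, 17)
    too_hot = bytes([EID_POWER_CAPABILITY, 2]) + struct.pack("bb", 22, 30)
    return {
        "compliant": accept_association(23, parse_elements(beacon), parse_elements(compliant))[0],
        "non_compliant": accept_association(23, parse_elements(beacon), parse_elements(too_hot))[0],
        "tx_power_dbm": choose_tx_power(current_dbm=17, link_margin_db=20, limit_dbm=20),
    }


if __name__ == "__main__":
    print(demo())
```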
The second service, dynamic frequency selection (DFS), was developed mainly to avoid interfering with some 5 GHz radar systems in use in Europe. Although originally developed to satisfy European regulators, the underlying principles have been required by other regulators as well. DFS was key to the U.S. decision to open up more spectrum in the 5 GHz band in 2004.[†]
[†] The decision was made in November 2003, and released as FCC 03-287. The text of the decision is available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-03-287A1.pdf. Although the spectrum has been allocated, test procedures were still in development as of this writing, so no FCC-certified devices are yet able to use the new spectrum.