Lecture2 2


802.11 Wireless LANs (WLAN)


A wireless LAN utilizes radio-frequency communication to permit data transmission among
fixed, nomadic, or moving computers.
A wireless LAN is used to avoid the hassle of establishing a wired LAN.
IEEE 802.11 standards: a wireless LAN uses spread spectrum in the unlicensed 2.4 GHz and 5 GHz
frequency bands.
Wireless LANs can be divided into two operational modes:
• Ad hoc mode
• Infrastructure mode (Access Point (AP) networks)

9/30/2017 WIRELESS NETWORK SECURITY 31


WLAN
Advantages of radio-frequency wireless LANs
1. High bandwidth: up to hundreds of megabytes.
2. No LOS restriction: infrared requires line of sight (LOS) for transmission, but radio does not,
as long as the frequency in use is not too high.
3. Easy to set up and use: The 802.11 protocols are designed to allow almost zero configuration
of the network and the interfaces.



WLAN - Ad hoc mode
The wireless network is composed only of stations (802.11-compliant NICs).
There is no access point in the network.
The networked systems, i.e. the stations, communicate directly with one another.
Ad hoc mode is suitable for quick wireless connection setup.



WLAN - Infrastructure mode
The WLAN is composed of stations as well as one or more access points (APs).
All communication between stations goes through the AP. The access point is like a router.
The AP provides connectivity between the wireless RF network and the hardwired LAN.
It converts wireless 802.11 packets to 802.3 Ethernet packets and vice versa.



WLAN - Taxonomy
Infrastructure (e.g., APs), single hop: host connects to base station (WiFi, WiMAX, cellular), which connects to larger Internet.
Infrastructure (e.g., APs), multiple hops: host may have to relay through several wireless nodes to connect to larger Internet: mesh net.
No infrastructure, single hop: no base station, no connection to larger Internet (Bluetooth, ad hoc nets).
No infrastructure, multiple hops: no base station, no connection to larger Internet. May have to relay to reach a given wireless node: MANET, VANET.



WLAN - Basic Service Sets (BSSs)
• Independent BSSs are also referred to as Ad Hoc BSSs
• Observe that the AP in an Infrastructure BSS is the centralized coordinator and could
be a bottleneck



WLAN - Extended Service Set (ESS)
• BSSs in an ESS communicate
via Distribution System
• A DS has to keep track of
stations within an ESS



WLAN - SSID
An SSID (service set identifier) is the primary name associated with an 802.11 wireless local
area network (WLAN) including home networks and public hotspots.
Client devices use this name to identify and join wireless networks.
The SSID is a case-sensitive text string that can be as long as 32 characters consisting of letters
and/or numbers.
Wireless devices like phones and laptops scan the local area for networks broadcasting their
SSIDs and present a list of names.
A user can initiate a new network connection by picking a name from the list.



WLAN - Architecture and Protocols
IEEE 802.11 standards define the two bottom layers of protocols:
• physical layer (PHY)
• medium access layer (MAC)

They present the same interface to the logical link control (LLC) sublayer of the data link
layer as a wired LAN does.
The physical layer includes hardware implementation aspects such as spread spectrum
modulation and data rates.



WLANS - MAC Access Modes
• Distributed Coordination Function (DCF)
  • Based on Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)
• Point Coordination Function (PCF)
  • Restricted to Infrastructure BSSs
  • Not widely implemented
  • Access Point polls stations for medium access


WLANS - MAC Access Modes
Interframe Spacing (IFS)
• Short IFS (SIFS): for atomic exchanges
• PCF IFS (PIFS): for prioritized PCF access
• DCF IFS (DIFS): for normal DCF access
• Extended IFS (EIFS): for access after error
WLANS - MAC Access Modes
• If the medium is idle for a DIFS interval after a correctly received frame and the backoff time has expired,
transmission can begin immediately
• If the previous frame contained errors, the medium must be free for EIFS
• If the medium is busy, access is deferred until the medium is idle for DIFS, followed by exponential backoff
• The backoff counter is decremented by one for each time slot that is determined to be idle
• Unicast data must be acknowledged as part of an atomic exchange
• Backoff is performed for R slots: R is a randomly chosen integer in the interval [0, CW], where CWmin < CW
< CWmax
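
The backoff rule above, as an added simulation that is not part of the original slides: each station draws R from [0, CW], counts down over idle slots, and doubles CW after a collision. CW_MIN = 15, CW_MAX = 1023 and the simplified slotted model (no DIFS/EIFS timing, every station always has a frame queued) are assumptions.

```python
import random

# Assumed contention-window bounds; the slides give no numeric values.
CW_MIN, CW_MAX = 15, 1023

def next_cw(cw):
    """Exponential backoff: double the window after a failed attempt, capped."""
    return min(2 * (cw + 1) - 1, CW_MAX)

def simulate(n_stations, frames_each, seed=1):
    """Slotted DCF contention. Returns (frames delivered, collision events)."""
    rng = random.Random(seed)
    cw = [CW_MIN] * n_stations
    backoff = [rng.randint(0, c) for c in cw]      # R in [0, CW]
    left = [frames_each] * n_stations
    delivered = collisions = 0
    while any(left):
        active = [i for i in range(n_stations) if left[i]]
        # Idle slots elapse until the smallest backoff counter reaches zero;
        # every contender decrements by one per idle slot.
        idle = min(backoff[i] for i in active)
        for i in active:
            backoff[i] -= idle
        ready = [i for i in active if backoff[i] == 0]
        if len(ready) == 1:
            # A single transmitter: the frame is ACKed and CW is reset.
            i = ready[0]
            delivered += 1
            left[i] -= 1
            cw[i] = CW_MIN
        else:
            # Two or more counters expired in the same slot: no ACK arrives,
            # so each colliding station widens its window before retrying.
            collisions += 1
            for i in ready:
                cw[i] = next_cw(cw[i])
        for i in ready:
            backoff[i] = rng.randint(0, cw[i])
    return delivered, collisions

if __name__ == "__main__":
    for n in (2, 8, 32):
        print(n, "stations:", simulate(n, 50))
```
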

WLAN - PCF
• AP polls stations on its list, and maintains control of the medium
  • Announces CFPMaxDuration in Beacon
  • Transmissions are separated by PIFS
  • Each CF-Poll is a license for one frame
• PCF falls short of guaranteeing desired QoS



WLAN – transmitting problems
Hidden Terminal and Exposed Terminal problems

WLAN – transmitting problems
• Some form of coordination of channel use among stations is needed.
• This is done with a handshake protocol using request-to-send (RTS) and clear-to-send (CTS) frames.

Quality of Service (802.11e)
802.11e defines enhancements to the 802.11 MAC to improve the quality of service for time-sensitive
applications, such as streaming media and voice over wireless IP.
It enhances the original 802.11 DCF and PCF mechanisms.
Eight traffic classes (TC) or access categories (AC) are defined, each of which can have specific
QoS requirements and receive specific priority for media access.
Enhanced DCF (EDCF) allows several MAC parameters that determine ease of media access
to be specified per traffic class.



WLAN - Frame Format
The IEEE 802.11 WLAN specification defines more frame types than Ethernet, covering wireless
communication as well as the management and control of wireless connections.
The types of frames in the IEEE 802.11 specification are:
• Management
• Control
• Data frames

Understanding the different IEEE 802.11 frame types is essential for analyzing and
troubleshooting the operation of WLANs.



WLAN - Frame Format
Frame Control field
• Protocol Version: zero for the 802.11 standard
• Type: frame type (data, management, control)
• Subtype: frame sub-type
• ToDS: when set, indicates that the frame is destined for the DS
• FromDS: when set, indicates that the frame is coming from the DS
• Retry: set when the frame is a retransmission
• More fragments: set when the frame is followed by another fragment



WLAN - Frame Format
Frame Control field
• Power Management: set when the station goes into Power Save (PS) mode
• More Data: when set, means that the AP has more buffered data for a station in Power Save mode
• WEP: when set, indicates that the Frame Body field contains data that needs to be processed by the WEP algorithm
• Order: when set, indicates restrictions for transmission



WLAN - Frame Format
Address 1 to 4 can contain the following addresses:
• DA = Destination MAC Address
• SA = Source MAC Address
• RA = Receiver Address: the MAC address of the intermediate station that has to receive the frame
• TA = Transmitter Address: the intermediate station that has transmitted the frame
• BSSID = uniquely identifies each BSS (WLAN): the BSSID is the MAC address of the access point



WLAN - Frame Format
Transmission between stations in the same BSS (figure labels: SA, DA, BSSID)
WLAN - Frame Format
Frames to Distribution System



WLAN - Frame Format
Frame transmission coming from Distribution System



WLAN - Frame Format
Wireless Distribution System



WLAN - Management frames
Subtype
Probe Request (0100)
Probe Response (0101)
Association Request (0000)
Association Response (0001)
Re-association Request (0010)
Re-association Response (0011)
Dis-association (1010)
Authentication (1011)
De-authentication (1100)
Beacon (1000)
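
Added example, not part of the original slides: a header decoder that applies the Frame Control bits, the Address 1 to 4 roles and the management subtype codes listed above, as one would when reading a capture for troubleshooting or detection. The byte offsets and the ToDS/FromDS address mapping follow the standard 802.11 MAC header layout rather than the slides (whose figures are missing); the sample frames and MAC addresses are constructed.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
# Management subtype codes exactly as listed on the slide above.
MGMT_SUBTYPES = {
    0b0000: "Association Request", 0b0001: "Association Response",
    0b0010: "Re-association Request", 0b0011: "Re-association Response",
    0b0100: "Probe Request", 0b0101: "Probe Response", 0b1000: "Beacon",
    0b1010: "Dis-association", 0b1011: "Authentication",
    0b1100: "De-authentication"}
# Bits 0..7 of the second Frame Control byte.
FLAGS = ("ToDS", "FromDS", "More fragments", "Retry",
         "Power Management", "More Data", "WEP", "Order")
# (ToDS, FromDS) -> meaning of Address 1..4 in management and data frames.
ADDR_ROLES = {(0, 0): ("DA", "SA", "BSSID"),     # within one BSS
              (1, 0): ("BSSID", "SA", "DA"),     # to the DS
              (0, 1): ("DA", "BSSID", "SA"),     # from the DS
              (1, 1): ("RA", "TA", "DA", "SA")}  # wireless DS

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and label the address fields of one frame."""
    if len(frame) < 10:
        raise ValueError("truncated: need Frame Control, Duration, Address 1")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame)
    hdr = {"version": fc0 & 0x3, "type": TYPES.get((fc0 >> 2) & 0x3, "reserved"),
           "subtype": fc0 >> 4, "duration": duration,
           "flags": [name for bit, name in enumerate(FLAGS) if fc1 >> bit & 1]}
    if hdr["type"] == "management":
        hdr["name"] = MGMT_SUBTYPES.get(hdr["subtype"], "other")
    if hdr["type"] not in ("management", "data"):
        # Control frames have short headers; only Address 1 (RA) is always there.
        hdr["addresses"] = {"RA": mac(frame[4:10])}
        return hdr
    roles = ADDR_ROLES[(fc1 & 1, fc1 >> 1 & 1)]
    need = 30 if len(roles) == 4 else 24
    if len(frame) < need:
        raise ValueError(f"truncated: header needs {need} bytes")
    offsets = (4, 10, 16, 24)   # Sequence Control occupies bytes 22..23
    hdr["addresses"] = {r: mac(frame[o:o + 6]) for r, o in zip(roles, offsets)}
    return hdr

# Constructed sample headers with made-up, locally administered MAC addresses.
AP, STA, HOST = (bytes.fromhex(h) for h in ("0a0000000001", "0a0000000002", "0a0000000003"))
DEAUTH = bytes([0xC0, 0x00, 0, 0]) + STA + AP + AP + bytes(2)
DATA_TO_DS = bytes([0x08, 0x41, 0, 0]) + AP + STA + HOST + bytes(2)
```
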



WLAN - Management frames
Association Request
The 802.11 association process allows an access point to synchronize and allocate
resources for a wireless adapter.
A wireless adapter begins the process by sending an Association Request frame to an
access point.
Upon receiving the Association Request frame, the access point is considered associated
with the wireless adapter and would allocate an association ID and resources for the
wireless adapter.
An Association Request frame contains information such as the SSID of the WLAN the
wireless client wishes to associate with and the supported data rates



WLAN - Management frames
Association Response
An access point would send an Association Response frame containing an acceptance or
rejection notice to the wireless adapter requesting association.
An Association Response frame contains information such as the association ID and the supported
data rates.



WLAN - Management frames
Re-association Request
When a wireless adapter roams away from its currently associated access point after finding
another access point with a stronger beacon signal, the wireless adapter sends a
Re-association Request frame to the new access point.
The new access point then coordinates with the previous access point to forward the
data frames meant for the wireless adapter that may still be in the buffer of the previous access
point.



WLAN - Management frames
Re-association Response
An access point sends a Re-association Response frame containing an acceptance or rejection
notice to a wireless adapter requesting re-association.
Similar to the Association Response frame, the Re-association Response frame contains
information regarding an association – the association ID and the supported data rates.



WLAN - Management frames
Disassociation
A wireless station sends a Disassociation frame to another wireless station when it would like
to terminate the association.
Ex: A wireless adapter that is shutting down gracefully can send a
Disassociation frame to notify its associated access point that it is powering off. The access
point can then remove the wireless adapter from the association table and release the allocated
memory resources.



WLAN - Management frames
Probe Request
A wireless station sends a Probe Request frame when it would like to obtain information of
another wireless station.

Ex: A wireless adapter sends a Probe Request frame to determine the access points that are
within range.



WLAN - Management frames
Probe Response
A wireless station that receives a Probe Request frame responds with a Probe Response frame
that contains capability information, e.g. the supported data rates.



WLAN - Management frames
Beacon Frame
An access point sends Beacon frames periodically to announce its presence and the services it
offers, using the SSID, timestamp, and other access point parameters, to wireless adapters that are
within range.
Wireless adapters continuously scan all 802.11 radio channels for beacon frames to choose the
best access point to associate with. Beacon frames are also used to logically separate WLANs.



WLAN - Management frames
Authentication Frame
The 802.11 authentication process is where an access point accepts or rejects the identity of a wireless
adapter.
A wireless adapter begins the process by sending an Authentication frame that contains its identity to the
access point.
For open authentication, the access point responds with an Authentication frame that indicates
acceptance or rejection; for shared-key authentication, the access point responds with an
Authentication frame containing challenge text, to which the wireless client must respond with an
Authentication frame containing the challenge text encrypted with the shared key, so that the
access point can verify its identity.
WLAN authentication occurs at L2 and authenticates devices rather than users. The authentication and
association processes occur in sequence.
Note: Authentication occurs first, followed by association.



WLAN - Management frames
De-authentication frames
A wireless station sends a De-authentication frame to another wireless station in order to
terminate a secure connection



WLAN - control frames
Request to Send (RTS)
A station sends an RTS frame to another station as the 1st phase of the necessary 2-way handshake before
transmitting a data frame.

Clear to Send (CTS)
A station responds to an RTS frame with a CTS frame to provide the clearance for the source station to transmit
a data frame.

Acknowledgement (ACK)
A destination station runs an error checking process to detect the presence of errors upon receiving a data
frame.
The destination station sends an ACK frame to the source station if no errors are found.
The source station will retransmit the frame if it doesn't receive an ACK for the frame within a certain period of
time.



WLAN - Management Operations
Active scanning
Probe Request frame broadcast from H1
Probe Response frames sent from APs
Association Request frame sent: H1 to selected AP
Association Response frame sent: H1 to selected AP



WLAN - Management Operations
Passive scanning
Beacon frames sent from APs
Association Request frame sent: H1 to selected AP
Association Response frame sent: H1 to selected AP



802.11 WLAN Standards
WLAN       Release  Operation     Channel        Modulation  Data rate      Range  Antenna
Standard   Date     Freq.         Width                      (theoretical)
802.11a    1999     5 GHz         20 MHz         OFDM        54             75     1 x 1 SISO
802.11b    1999     2.4 GHz       20 MHz         DSSS        11             100    1 x 1 SISO
802.11g    2003     2.4 GHz       20 MHz         DSSS/OFDM   54             75     1 x 1 SISO
802.11n    2009     2.4 or 5 GHz  20/40 MHz      OFDM        450            125    Up to 4 x 4 MIMO
802.11ac   2014     5 GHz         20/40/80/160   OFDM        6.77Gbps       35     Up to 8 x 8 MIMO



International Channel Availability for 802.11



802.11 WLAN Roaming
Roaming is the process of moving from one cell (BSS) to another without losing connection.



802.11 WLAN Roaming
These steps might take up to several hundred milliseconds.
Such a high delay can degrade the experience of a mobile STA running a real-time application
over the WLAN.



ROAMING USING IEEE 802.11r
IEEE 802.11r was established to come up with solutions that minimize the time required for the Basic
Service Set (BSS) transition process, in order to support real-time applications.
Handshake procedure: IEEE 802.11r minimizes the number of steps required for the handshake.


