
DYU

CSIE
S. T. LIANG

Wireless Local Area Networks


Department of Computer Science and Information Engineering


Da-Yeh University, Taiwan 515, R.O.C.
Shih Tsung Liang
stliang@mail.dyu.edu.tw

Table of Contents

• Introduction to IEEE 802.11 wireless LAN
• IEEE 802.11 MAC Operation
• IEEE 802.11 MAC Management
• IEEE 802.11 MAC Enhancement for QoS Support (IEEE 802.11e)
• Inter-Access Point Protocol (IAPP) (IEEE 802.11F)


Introduction to IEEE 802.11 wireless LAN

Outline

• What is a Wireless LAN?
• Standardization of Wireless LAN
• IEEE 802.11 Physical Layer Evolutions
• Other IEEE Wireless Projects
• WLAN Driving Factors
• Wireless LAN Applications
• IEEE 802.11 WLAN Architecture
• IEEE 802.11 specified Services
• Services Invoked for a Mobile Station

What is a Wireless LAN?

• A WLAN can be considered as a wireless version of an Ethernet LAN
• Main WLAN components:
– Wireless Terminals (or Stations);
– Access Points (linking the WLAN to other networks)

Standardization of Wireless LAN

• Wireless networks are standardized by IEEE
• Under 802 LAN MAN standards committee

[Figure: protocol stacks in an infrastructure network. Mobile terminal: Application / TCP / IP / LLC / 802.11 MAC / 802.11 PHY. Access point: LLC over 802.11 MAC / 802.11 PHY and 802.3 MAC / 802.3 PHY. Fixed terminal / server: Application / TCP / IP / LLC / 802.3 MAC / 802.3 PHY.]
Standardization of Wireless LAN

• IEEE 802.11 was adopted in 1997.
Defines:
• MAC sublayer
• MAC management protocols and services
• Three Physical (PHY) layers
– IR: Infra-Red
– FHSS: Frequency Hopping Spread Spectrum radio, 2.4GHz band
– DSSS: Direct Sequence Spread Spectrum radio, 2.4GHz band

IEEE 802.11 Physical Layer Evolutions

[Figure: IEEE 802 protocol family. 802.2 Logical Link Control and 802.1 Bridging form the upper part of the Data Link Layer, above the Medium Access sublayers (802.3, ..., 802.11). Below them is the Physical Layer: 802.3 Physical, ..., and the 802.11, 802.11b, 802.11a and 802.11g Physical layers.]

                   802.11b      802.11a                  802.11g
Frequency          2.4GHz       5GHz                     2.4GHz
Speed              11Mbps       54Mbps                   54Mbps
(Real-world avg)   (5Mbps)      (28Mbps)                 (28Mbps)
Range              100+ Feet    60 Feet                  100+ Feet
Modulation         CCK          OFDM                     OFDM and DSSS
Compatibility      b only       a only; a and b via      b and g, possibly a
                                a+b products             compatible
IEEE 802.11 Physical Layer Evolutions

[Figure: Estimated Throughput. Source: www.80211-planet.com]

IEEE 802.11 Physical Layer Evolutions

Pros and cons ─ 802.11b

Pros
• Modest price.
• Mature technology with many products available.
• Throughput is adequate for most home and office applications.
• In the best devices, throughput fluctuates little, out to the maximum range.

Cons
• Slowest throughput.
• Less spectrum.
• Only 3 channels available in 2.4GHz band.
• Possible interference with other 2.4GHz devices (cordless phones, microwaves, garage-door openers)

Source: www.80211-planet.com

IEEE 802.11 Physical Layer Evolutions

Pros and cons ─ 802.11a

Pros
• Higher throughput at short ranges.
• Probably better for throughput-intensive multimedia applications than 802.11b.
• 8 channels and OFDM technology, resulting in less interference among AP’s and more users.

Cons
• More expensive.
• Less mature technology.
• Shorter range and greater throughput fluctuation beyond 20 feet.
• Require more AP’s
• Primarily only in North America (b is worldwide)

Source: www.80211-planet.com

IEEE 802.11 Physical Layer Evolutions

Pros and cons ─ 802.11g

Pros
• Backwards compatibility.
• Throughput will be at least double that of 802.11b.
• Range will be at least equal that of 802.11b.
• Will use both DSSS and OFDM technologies

Cons
• Unavailable until early 2003.
• Only 3 channels available in 2.4GHz band.
• Possible interference with other 2.4GHz devices (cordless phones, microwaves, garage-door openers)

Source: www.80211-planet.com

Other IEEE Wireless Projects

• MAC Layer enhancements
– IEEE 802.11e ─ QoS
  • Addresses Quality of Service issues
  • Will enable differentiated traffic servicing, based on the requirements of the specific traffic type
– IEEE 802.11i ─ Security
  • Higher (user) level authentication
  • Advanced security algorithms
  • Addresses existing 802.11 security issues
• Multi-Vendor Access Point Interoperability
– IEEE 802.11f ─ IAPP
  • Addresses issues with roaming between unrelated (different networks) Access Points

Wireless LAN Driving Factors

• Increased demand for mobile computing
– Productivity increases when the network can be accessed seamlessly from multiple locations within the premises or around outside hotspots
• Cost savings compared to wired networks (for cables, cable deployment, network installation / administration / maintenance)
• Communication in areas with deployment constraints (e.g., historical buildings)
• Ease of setting up temporary, ad-hoc networks (e.g., for meeting rooms, emergencies)
• No-new-wires solution for multimedia Home Networks (audio/video/data streaming for Set-Top Boxes and/or multimedia data pad, straightforward network set-up)

• 802.11b has been widely accepted for usage in corporate networks, remote working and business travel (hotels, airports, convention centers). Upgrades to 802.11g and 802.11a are expected.

Wireless LAN Applications

• Enterprise
– Wired LAN replacement, ad-hoc networks (NICs for PCs, printers, switches, and other office appliances)
– Multiple cell coverage, high user density, roaming
• Home
– Networking for fixed (Residential Gateways, Set-Top Boxes), portable (Laptops) and mobile (Notebook) terminals
– Distribution of digital video, Internet broadband access, sharing of PC peripherals, …
• Education
– Cost effective network access to teachers and students anywhere within the school from mobile and fixed terminals
• Retail / Manufacturing
– Inventory, prices “management” (labeling, shelf audits, updates), customer aid for shopping lists, POS/cash register downloads
• Hotels
– Seamless connectivity for guest rooms and meeting rooms
• Public Access Points

802.11 WLAN Architecture

[Figure: an infrastructure network, in which access points (AP: Access Point) attach to a wired network, shown beside an ad-hoc network.]

802.11 Infrastructure Network

• Station (STA)
– terminal with access mechanisms to the wireless medium and radio contact to the access point
• Basic Service Set (BSS)
– group of stations using the same radio frequency
• Access Point
– station integrated into the wireless LAN and the distribution system
• Portal
– bridge to other (wired) networks
• Distribution System
– interconnection network to form one logical network (ESS: Extended Service Set) based on several BSS

[Figure: two 802.11 LANs (BSS1 with STA1, BSS2 with STA2 and STA3), each with an Access Point attached to the Distribution System, together forming the ESS; a Portal connects the Distribution System to an 802.x LAN.]

802.11 Ad-hoc Network

• Direct communication within a limited range
– Station (STA): terminal with access mechanisms to the wireless medium
– Independent Basic Service Set (IBSS): group of stations using the same radio frequency
• Single-hop only

[Figure: two 802.11 LANs, IBSS1 and IBSS2, with stations STA1 to STA5.]

Services specified by IEEE 802.11

• Station Services (SS)
– Authentication
– De-authentication
– Privacy
– MSDU delivery
• Distribution System Services (DSS)
– Association
– Disassociation
– Re-association
– Distribution
– Integration

*note*
1. All conformant stations (including APs) provide SS
2. APs provide access to DSS

Services specified by IEEE 802.11

• Station Services (SS)
– Authentication
  • Used by all stations to establish their identities to stations with which they will communicate
  • IEEE 802.11 provides link-level authentication (not end-to-end)
  • IEEE 802.11 requires mutually acceptable, successful, authentication (or no data can be delivered)
  • A station may be authenticated with many other stations at any given instant
  • Preauthentications are allowed

Services specified by IEEE 802.11

• Station Services (SS)
– De-authentication
  • Used to terminate an existing authentication
  • Deauthentication shall cause the station to be disassociated
  • May be invoked by either authenticated party (AP or non-AP)
  • Deauthentication is not a request but a notification

Services specified by IEEE 802.11

• Station Services (SS)
– Privacy
  • IEEE 802.11 specifies an optional privacy algorithm, WEP, to perform the encryption of messages
  • WEP stands for Wired Equivalent Privacy
  • The default privacy state for all 802.11 stations is “in the clear”

Services specified by IEEE 802.11

• Station Services (SS)
– MSDU delivery
  • To provide reliable delivery of data frames

Services specified by IEEE 802.11

• Distribution System Services (DSS)
– Association
  • Initiated by a mobile station to make a logical connection with an AP, so the AP can accept data frames from/to the station.
  • At any given instant, a station may be associated with no more than one AP

Services specified by IEEE 802.11

• Distribution System Services (DSS)
– Disassociation
  • Invoked whenever an existing association is to be terminated
  • An AP may invoke disassociation to inform stations that the AP no longer provides the link
  • Stations shall attempt to disassociate whenever they leave a network

Services specified by IEEE 802.11

• Distribution System Services (DSS)
– Re-association
  • Invoked to “move” a current association from one AP to another

Services specified by IEEE 802.11

• Distribution System Services (DSS)
– Distribution
  • When an AP receives a frame, it invokes the distribution service to determine the “output” point that corresponds to the desired recipient

Services specified by IEEE 802.11

• Distribution System Services (DSS)
– Integration
  • When the “output” point is determined to be a portal, the integration function should be invoked
  • The integration function is responsible for accomplishing whatever is needed to deliver a message from (to) the DSM to (from) the integrated LAN media (e.g., frame format translation)

Relationships between Services

• A STA keeps two state variables for each STA with which direct communication via the WM is needed:
– Authentication state
– Association state
• The current state existing between the source and destination station determines the IEEE 802.11 frame types that may be exchanged between that pair of STAs

[Figure: STA0 (AP), STA1 and STA2 each hold a state table with an authentication column and an association column for the other stations.]

Relationships between Services

Frame classes:
• Class 1 frames
– Control frames: RTS, CTS, ACK, CF-END+ACK, CF-END
– Management frames: Probe request/response, Beacon, Authentication, Deauthentication, ATIM
– Data frames: ad-hoc transfer only
• Class 2 frames
– Management frames: Association request/response, Reassociation request/response, Disassociation
• Class 3 frames
– Control frames: PS-Poll
– Data frames: Data frames allowed

States and the frame classes allowed in each:
• State 1: Unauthenticated, Unassociated (Class 1 frames)
• State 2: Authenticated, Unassociated (Class 1&2 frames)
• State 3: Authenticated, Associated (Class 1,2,&3 frames)

Transitions:
• State 1 → State 2: Successful Authentication
• State 2 → State 1: De-Authentication Notification
• State 2 → State 3: Successful Association or Re-association
• State 3 → State 2: Disassociation Notification
• State 3 → State 1: De-Authentication Notification
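
The state diagram above can be exercised as a per-peer state table that filters frames by class. The following is an added example, not code from the original slides; the names `PeerTable`, `replay` and `TRACE` are hypothetical, the trace is constructed, and a whole authentication exchange is simplified to one "Authentication" event with a success flag.

```python
from enum import IntEnum


class State(IntEnum):
    UNAUTH_UNASSOC = 1   # State 1: unauthenticated, unassociated
    AUTH_UNASSOC = 2     # State 2: authenticated, unassociated
    AUTH_ASSOC = 3       # State 3: authenticated, associated


# Frame class per frame name, as listed on the slide.
FRAME_CLASS = {
    "RTS": 1, "CTS": 1, "ACK": 1, "CF-End+ACK": 1, "CF-End": 1,
    "Probe Request": 1, "Probe Response": 1, "Beacon": 1,
    "Authentication": 1, "Deauthentication": 1, "ATIM": 1,
    "Association Request": 2, "Association Response": 2,
    "Reassociation Request": 2, "Reassociation Response": 2,
    "Disassociation": 2,
    "PS-Poll": 3,
}


def frame_class(name, adhoc=False):
    """Data frames are Class 1 only for ad-hoc transfer, otherwise Class 3."""
    if name == "Data":
        return 1 if adhoc else 3
    return FRAME_CLASS[name]


class PeerTable:
    """Keeps the authentication/association state for every peer station."""

    def __init__(self):
        self._states = {}

    def state(self, peer):
        return self._states.get(peer, State.UNAUTH_UNASSOC)

    def handle(self, peer, name, success=True, adhoc=False):
        """Return True if the frame is allowed in the current state,
        and apply the transition from the state diagram."""
        st = self.state(peer)
        if frame_class(name, adhoc) > st:
            return False                      # frame class not allowed yet
        if name == "Deauthentication":
            st = State.UNAUTH_UNASSOC         # notification: always honoured
        elif name == "Disassociation" and st == State.AUTH_ASSOC:
            st = State.AUTH_UNASSOC
        elif name == "Authentication" and success and st == State.UNAUTH_UNASSOC:
            st = State.AUTH_UNASSOC
        elif name in ("Association Response", "Reassociation Response") and success:
            st = State.AUTH_ASSOC
        self._states[peer] = st
        return True


# Constructed trace: (peer, frame name, success flag).
TRACE = [
    ("ap1", "Data", True),                  # Class 3 frame in State 1
    ("ap1", "Authentication", True),
    ("ap1", "Data", True),                  # Class 3 frame in State 2
    ("ap1", "Association Response", True),
    ("ap1", "Data", True),
    ("ap1", "Deauthentication", True),      # Class 1: accepted in any state
    ("ap1", "PS-Poll", True),
    ("ap1", "Association Response", True),  # Class 2 frame in State 1
]


def replay(trace):
    """Return (frame, accepted, state after frame) for each trace entry."""
    table = PeerTable()
    out = []
    for peer, name, ok in trace:
        accepted = table.handle(peer, name, ok)
        out.append((name, accepted, int(table.state(peer))))
    return out


if __name__ == "__main__":
    for row in replay(TRACE):
        print(row)
```

Because Deauthentication is a Class 1 notification, the table drops to State 1 from any state, and both authentication and association have to be repeated before Class 3 frames are accepted again.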

Services Invoked for a Mobile Station

[Figure: a station moves past AP 1, AP 2 and AP 3 and back; the labels a to f mark the steps below.]

a. As the station finds AP1, it will authenticate and associate with AP1.
b. As the station moves, it may pre-authenticate with AP2
c. Station may re-associate with AP2
d. The re-association would cause AP2 to notify AP1 of new location of the station
e. AP2 is disassociated with station
f. The station would need to find AP3 and authenticate and associate with AP3

IEEE 802.11 MAC Operation

Outline

• MAC Sublayer and OSI Reference Model
• MAC Sublayer Functionality
• MAC Architecture
• DCF
• PCF
• Coexistence of PCF and DCF
• MAC Frame Formats

MAC sublayer and OSI reference model

Success for it is odd !!

[Figure: IEEE 802 layers mapped to OSI. LLC (802.2 logical link control) and MAC (802.3 CSMA-CD, 802.5 token ring, 802.11 wireless LANs, other LANs) correspond to the OSI Data Link layer, below the Network layer; PHY (various physical layers) corresponds to the OSI Physical layer.]

MAC Sublayer Functionality

• to provide a reliable MSDU delivery
• to control access to wireless medium
– Distributed Coordination Function (DCF)
– Point Coordination Function (PCF)
• to provide authentication and privacy for data delivery
– MAC provides a privacy service called Wired Equivalent Privacy (WEP) encryption

MAC Architecture

[Figure: MAC architecture. Within the MAC extent, the Distributed Coordination Function (DCF) sits above the Physical layer; it is used for contention services and is the basis of PCF. The Point Coordination Function (PCF), required for contention-free services, is layered on top of the DCF.]

DCF

• CSMA/CA
• Error Recovery Mechanisms
• DCF Access Procedure

CSMA/CA

• Why doesn’t CSMA/CD work?
– The hidden terminal problem!

[Figure: STA1, STA2 and STA3 in a row.]

STA1 can communicate with only STA2.
STA2 can communicate with STA1 and STA3.
STA3 can communicate with only STA2.

The frame from STA1 to STA2 can be corrupted by a transmission initiated by STA3.
STA3 does not know about the ongoing transmission from STA1 to STA2.

CSMA/CA

• To cope with the hidden terminal problem
– Medium reservation through the exchange of RTS and CTS frames prior to the actual data

[Figure: STA1 sends RTS (Request To Send) to STA2 and STA2 answers with CTS (Clear To Send); with STA1, STA2 and STA3 in a row, one area is cleared by the RTS and one area is cleared by the CTS.]

CSMA/CA

• MAC-Level Acknowledgement
– Wireless media are noisy and unreliable
– The source needs to make sure the frame has been correctly received by the destination
– If the source does not receive the ACK, the source will retransmit the frame

CSMA/CA

• 4-way MAC frame exchange protocol

[Figure: Source and Destination exchange RTS, CTS, Data and ACK, in that order. Annotations on the figure: “Collision Protect!!” and “who protect me? (size is the key!!)”.]

CSMA/CA

• More about 4-way handshake
– RTS and CTS may be disabled by the dot11RTSThreshold attribute in the MIB (Management Information Base)
  • If frame length > dot11RTSThreshold → 4-way frame exchange with RTS and CTS
  • If frame length ≤ dot11RTSThreshold → frame exchange without RTS and CTS
– The default dot11RTSThreshold is 128
– In environments where STAs can hear each other, a higher dot11RTSThreshold can reduce the bandwidth consumed by RTS and CTS

CSMA/CA

• Carrier Sense Mechanism
– Physical carrier sense
  • Physical layer carrier sense
  • Similar to 802.3
  • Check for Medium status (Idle/Busy)
– Virtual carrier sense
  • MAC layer carrier sense
  • Network Allocation Vector (NAV)
    – A countdown counter that records the amount of time remaining before the wireless channel is clear (i.e. NAV=0 → clear)

CSMA/CA

• MAC control logic

[Figure: flowchart of the MAC control logic. Boxes and decisions: Wait for frame to transmit; NAV=0?; Check PHY; Medium Idle?; Wait IFS; Still Idle?; Random Backoff Time; Flag==0?; Transmit Frame; Collision?. A Flag is set to 0 or 1 along the way.]

Note:
The period of time immediately following a busy medium has the highest probability of a collision occurring. Many stations may be waiting for the medium to become idle and attempt to transmit at the same time. Thus, whenever the station senses a busy medium, a random backoff time is used.

CSMA/CA

• Random backoff time
– Backoff time = Random() * aSlotTime
– Random(): a uniformly distributed integer randomly selected from [0, CW], where CW is the contention window
– For each unsuccessful frame transmission, CW doubles (from CWmin to CWmax)
– CW ← 2·CW + 1
– Reduces the collision probability

[Figure: Example of CW growth over transmission attempts 1 to 6: CWmin = 15, then 31, 63, 127, up to CWmax = 255.]

       CWmin   CWmax
FHSS   15      1023
DSSS   31      1023
IR     63      1023

Error Recovery Mechanisms

• Errors (interference, collision)
– STA sends an RTS but does not receive the CTS
– STA sends a data frame but does not receive the ACK
• Retransmission with retry limit
– shortRetryLimit : frame length ≤ dot11RTSThreshold
– longRetryLimit : frame length > dot11RTSThreshold

DCF Access procedure

• Interframe space (IFS), from shortest to longest:
– SIFS: Short InterFrame Space
  • Used for immediate response actions (e.g., ACK, CTS)
– PIFS: PCF InterFrame Space
  • Used by centralized controller in PCF scheme when using polls
– DIFS: DCF InterFrame Space
  • Used by the distributed coordination function (DCF) for asynchronous frames contention
– EIFS: Extended InterFrame Space
  • Used by the DCF after indication of an erroneous frame (e.g., FCS error)
  • Reception of an error-free frame during the EIFS terminates the access using EIFS, and normal medium access (using DIFS) continues

DCF Access procedure

• Basic Access Method

[Figure: timing diagram. Immediate access when the medium is free >= DIFS. After Busy Medium, stations defer access for SIFS, PIFS or DIFS; after DIFS comes the Contention Window (Backoff Window, counted in Slot Time units), then the Next Frame. Select Slot and decrement backoff as long as medium is idle.]

DCF Access procedure

• Example of backoff procedure

[Figure: timeline for STA 1 to STA 4 with busy periods and DIFS intervals. Backoff values shown: STA 1: 12, then 7, then 3; STA 2: 5; STA 4: 9, then 4. Labels (1) to (5) mark the steps below.]

(1) After an MSDU arrives at the MAC, STA 3 senses the medium free for DIFS, so it initiates transmission immediately without a backoff interval
(2) For STA 1, 2, and 4, their DIFS intervals are interrupted by STA 3. Thus, the backoff intervals for STA 1, 2, and 4 are generated randomly (e.g., 12, 5, and 9, respectively)
(3) After transmission of STA 2, the remaining backoff interval of STA 1 is (12-5) = 7.
(4) After transmission of STA 2, the remaining backoff interval of STA 4 is (9-5) = 4.
(5) After transmission of STA 4, the remaining backoff interval of STA 1 is (7-4) = 3.

DCF Access procedure

• Example of backoff procedure (continued)

[Figure: timeline for STA 1 to STA 4 with busy periods and DIFS intervals. Backoff values shown: STA 1: 9, then 4; STA 2: 5, then 20, then 16; STA 4: 5, then 18, then 14. Labels (1) to (5) mark the steps below.]

(1) STA 3 senses medium free for DIFS and initiates transmission immediately
(2) For STA 1, 2, and 4, their DIFS intervals are interrupted by STA 3. Thus, the backoff intervals for STA 1, 2, and 4 are generated randomly (e.g., 9, 5, and 5, respectively)
(3) Collision occurs between STA 2 and 4.
(4) After the collision of STA 2 and 4, the remaining backoff interval of STA 1 is (9-5) = 4.
(5) The backoff intervals for retransmission of STA 2 and 4 are generated randomly (e.g., 20 and 18, respectively). (These tend to be larger than in the initial attempt.)
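
The two backoff walk-throughs above, together with the CW ← 2·CW + 1 rule from the random backoff slide, can be reproduced with a small countdown model. This is an added example, not code from the original slides; the function names `contend`, `cw_sequence` and `draw_backoff` are hypothetical, and the redraw values after a collision are passed in so that the run matches the slide instead of being random.

```python
import random


def next_cw(cw, cw_max):
    """Contention window after an unsuccessful transmission: CW <- 2*CW + 1."""
    return min(2 * cw + 1, cw_max)


def cw_sequence(cw_min, cw_max, attempts):
    """CW used for each of `attempts` consecutive attempts of one frame."""
    seq, cw = [], cw_min
    for _ in range(attempts):
        seq.append(cw)
        cw = next_cw(cw, cw_max)
    return seq


def draw_backoff(cw, rng):
    """Random(): uniformly distributed integer in [0, CW], in slot times."""
    return rng.randint(0, cw)


def contend(backoffs, redraws=None):
    """Model the backoff countdown among stations that all deferred.

    backoffs: {station: backoff slots drawn after the busy medium}
    redraws:  {station: [new backoff values]} used after a collision; a
              colliding station without a redraw value gives up (an
              assumption standing in for the retry limit).
    Returns a list of (kind, stations, remaining) where kind is "tx" or
    "collision" and `remaining` holds the frozen counters of the others.
    """
    redraws = {s: list(v) for s, v in (redraws or {}).items()}
    pending = dict(backoffs)
    events = []
    while pending:
        elapsed = min(pending.values())
        winners = sorted(s for s, b in pending.items() if b == elapsed)
        # The other stations counted down `elapsed` idle slots, then froze
        # their counters when the medium became busy.
        pending = {s: b - elapsed for s, b in pending.items()
                   if s not in winners}
        kind = "tx" if len(winners) == 1 else "collision"
        events.append((kind, tuple(winners), dict(pending)))
        if kind == "collision":
            for s in winners:
                if redraws.get(s):
                    pending[s] = redraws[s].pop(0)
    return events


if __name__ == "__main__":
    # First slide: backoffs 12, 5 and 9 for STA 1, 2 and 4.
    for ev in contend({"STA1": 12, "STA2": 5, "STA4": 9}):
        print(ev)
    # Second slide: STA 2 and STA 4 both draw 5 and collide.
    for ev in contend({"STA1": 9, "STA2": 5, "STA4": 5},
                      {"STA2": [20], "STA4": [18]}):
        print(ev)
    print(cw_sequence(15, 255, 6))
    print(draw_backoff(31, random.Random(1)))
```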

PCF

• PCF operation
– Priority-based access for providing contention-free transmission
– The Point coordinator (PC; always located in AP) takes control of the medium
  • Stations request PC to join the polling list
  • The PCF uses the PIFS (<DIFS) to seize control of the medium and then begins a contention-free period (CFP)
  • PC regularly polls the stations for traffic via the CF-poll frame

PCF

• PCF operation
– At the beginning of CFP, PC sends Beacon frame
– Beacon includes CF parameters (CFPMaxDuration: length of CF period)
– All stations receive Beacon
  • Update NAV with the CFPMaxDuration
  • Cannot access the medium until the contention-free period ends
– PC transmits the CF-End frame to announce the end of CFP
– All stations that receive the CF-End frame reset their NAVs

PCF

• Frame types used in PCF
– Only sent by PC:
  • CF-Poll
  • Data+CF-Poll
  • Data+CF-ACK+CF-Poll
  • CF-ACK+CF-Poll
– Data
– Data+CF-ACK
– CF-ACK
– Null
• If the STA has no frame to send when polled, the response shall be a Null frame.
• The null response is required to distinguish a “no-traffic” condition from a collision (via overlapping PCs)

PCF

• Example of PCF frame transfer

[Figure: one Contention-Free Repetition Interval, made up of the Contention Free Period (CFP) for PCF followed by the Contention Period. Downlink: Beacon (after PIFS), D1+Poll, D2+Ack+Poll, CF-End. Uplink: U1+Ack, U2+Ack. Frames are separated by SIFS. The NAV of other stations covers CF_MAX_Duration and is reset at CF-End (Reset NAV).]

D1, D2 - downlink frames to STA
U1, U2 - uplink frames from STA

The coexistence of DCF & PCF

• CFP and CP alternate
• How to prevent DCF stations from accessing the medium?
  • Update NAV with the CFPMaxDuration in Beacon
  • The interframe space used in PCF is PIFS (<DIFS)

[Figure: CFP Repetition Interval. Each interval starts with a Beacon (B) and consists of a CFP (PCF) followed by a CP (DCF).]

MAC Frames

• MAC accepts MSDU from higher layers and adds header and trailer to create the MPDU
• MAC may fragment a MSDU into several MPDUs
• MAC frame types: data, control, and management

General Frame Format

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

• Duration/ID
  • NAV information
  Or
  • Short Id for PS-Poll
• Frame Body: upper layer data
  • 2048 byte max
  • 256 upper layer header

Frame Control (FC) subfields:
Subfield: Protocol version | type | subtype | To DS | From DS | More frag | retry | Pwr mgt | More data | WEP | order
Bits: 2 | 2 | 4 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1

• Protocol version: 0, for the current version of the standard
• type: 00: mgt, 01: control, 10: data, 11: rsvd
• More frag: 0, last frag of the data or mgt frame. Control frames are not fragmented.
• retry: 1, the frame is a retransmission.
• Pwr mgt: 0, the station is in active mode. 1, the station will enter pwr mgt mode (no more communication). Must be the same value for a single frame exchange (2-way or 4-way).
• WEP: 1, the frame body is encrypted (only for data frames or mgt. frames of subtype authentication)

Frame Subtypes

MANAGEMENT
• 0000 Association Request
• 0001 Association Response
• 0010 Reassociation Request
• 0011 Reassociation Response
• 0100 Probe Request
• 0101 Probe Response
• 0110-0111 rsvd
• 1000 Beacon
• 1001 Announcement Traffic Indication Message (ATIM)
• 1010 Disassociation
• 1011 Authentication
• 1100 Deauthentication
• 1101-1111 rsvd

CONTROL
• 0000-1001 rsvd
• 1010 PS-Poll
• 1011 RTS
• 1100 CTS
• 1101 ACK
• 1110 CF-End
• 1111 CF-End+ACK

DATA
• 0000 Data
• 0001 Data+CF-ACK
• 0010 Data+CF-Poll
• 0011 Data+CF-ACK+CF-Poll
• 0100 Null Function
• 0101 CF-ACK (nodata)
• 0110 CF-Poll (nodata)
• 0111 CF-ACK+CF-Poll
• 1101-1111 rsvd

Subfields: More data & Order

• More data
– It is set to “1” when there is at least one frame buffered at the AP for the mobile station.
– During the CFP, a station (which is polled by the PC) can use this field to inform the PC that there is at least one additional frame available for transmission in response to a CF-Poll.
– This field is set to 1 in broadcast/multicast frames transmitted by the AP when additional broadcast/multicast frames remain to be sent by the AP.
• Order
– It is set to one when the content of the data frame was provided to the MAC with a request for strictly ordered service.

Cannot change the delivery order of broadcast and multicast frames, relative to directed frames, originating from a single source station address

Address Types

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

• BSSID – BSS Identifier
  • In infrastructure mode, BSSID is the MAC addr. of the AP
  • In ad-hoc mode, BSSID=01 ^ 46 bit random number
• TA - Transmitter
• RA - Receiver
• SA - Source
• DA - Destination

Address Fields

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

• Address 1: Used for receive address matching decision (RA)
• Address 2: Used to identify the transmitter of the frame (TA)
• Address 3: Used to identify:
  • the source if the frame is from an AP (SA)
  • the destination if the frame is being sent to an AP (DA)
• Address 4: Used only for frame sent to wireless DS (SA)

Address Field Contents

Usage        To DS  From DS  Address 1  Address 2  Address 3  Address 4
IBSS         0      0        RA=DA      TA=SA      BSSID      N/A
From AP      0      1        RA=DA      TA=BSSID   SA         N/A
To AP        1      0        RA=BSSID   TA=SA      DA         N/A
Wireless DS  1      1        RA         TA         DA         SA

Example of End-to-End frame exchange

[Figure: STA1 sends to AP1 (step 1), AP1 forwards to AP2 over the Wireless DS (step 2), and AP2 delivers to STA2 (step 3).]

Step  To DS  From DS  Addr. 1  Addr. 2  Addr. 3  Addr. 4
(1)   1      0        AP1      STA1     STA2
(2)   1      1        AP2      AP1      STA2     STA1
(3)   0      1        STA2     AP2      STA1

Duration/ID

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

16 bits in length; contains either:
• Duration:
  • NAV update value for duration<32768 (msb bits: 00)
  • Set as 32768 for frames transmitted during the CFP (msb bits: 01)
or
• Association Identity (AID): 1-2007 (msb bits: 11)
  • used by a station to retrieve incoming frames which are buffered in the AP
  • Only the PS-Poll frame contains AID

Sequence Control

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

Sequence Number (12 bits)
• Assigned sequentially by sending station to each MSDU
• If MSDU is fragmented, each fragment of the MSDU contains the same sequence number

Fragment Number (4 bits)
• The first or the only fragment of an MSDU is assigned a fragment number of zero
• The subsequent fragments have fragment numbers of 1,2,3….

FCS

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

• FCS: Frame Check Sequence
• Applying the CCITT CRC-32 Polynomial
$G(x) = x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1$
• The FCS is calculated over all the fields of MAC header and the Frame Body field
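
The header layout, the To DS / From DS address table and the FCS described above can be tied together in a small data-frame parser. This is an added example, not code from the original slides; the station addresses and frames are constructed, the function names are hypothetical, and it assumes the FCS is the standard CRC-32 (as computed by `zlib.crc32`) stored low byte first, as it usually appears in captures.

```python
import struct
import zlib

# (To DS, From DS) -> roles of Address 1..4, from "Address Field Contents".
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),   # IBSS
    (0, 1): ("DA", "BSSID", "SA", None),   # From AP
    (1, 0): ("BSSID", "SA", "DA", None),   # To AP
    (1, 1): ("RA", "TA", "DA", "SA"),      # Wireless DS
}
FLAG_BITS = ("to_ds", "from_ds", "more_frag", "retry",
             "pwr_mgt", "more_data", "wep", "order")

# Constructed, locally administered addresses for the three-hop example.
STA1, STA2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
AP1, AP2 = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")


def fcs(data):
    """CRC-32 over MAC header + frame body (byte order is an assumption)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_data_frame(to_ds, from_ds, addrs, payload=b"", seq=0, frag=0):
    """Build a constructed data frame (version 0, type 10, subtype 0000)."""
    fc = (2 << 2) | (to_ds << 8) | (from_ds << 9)
    hdr = struct.pack("<HH", fc, 0) + addrs[0] + addrs[1] + addrs[2]
    hdr += struct.pack("<H", (seq << 4) | frag)
    if to_ds and from_ds:
        hdr += addrs[3]                    # Address 4 only on the wireless DS
    return hdr + payload + fcs(hdr + payload)


def parse_data_frame(frame):
    if len(frame) < 28:
        raise ValueError("too short for a 3-address header plus FCS")
    data, trailer = frame[:-4], frame[-4:]
    fc, duration_id = struct.unpack_from("<HH", data, 0)
    info = {"version": fc & 3, "type": (fc >> 2) & 3,
            "subtype": (fc >> 4) & 0xF, "duration_id": duration_id}
    if info["type"] != 2:
        raise ValueError("not a data frame")
    for i, name in enumerate(FLAG_BITS):
        info[name] = (fc >> (8 + i)) & 1
    (seq_ctl,) = struct.unpack_from("<H", data, 22)
    info["fragment"], info["sequence"] = seq_ctl & 0xF, seq_ctl >> 4
    fields, body_at = [data[4:10], data[10:16], data[16:22]], 24
    if info["to_ds"] and info["from_ds"]:
        if len(data) < 30:
            raise ValueError("Address 4 missing")
        fields.append(data[24:30])
        body_at = 30
    roles = ADDRESS_ROLES[(info["to_ds"], info["from_ds"])]
    info["addresses"] = {r: a.hex(":") for r, a in zip(roles, fields) if r}
    info["body"] = data[body_at:]
    info["fcs_ok"] = fcs(data) == trailer
    return info


def end_to_end(payload=b"constructed payload"):
    """The three hops of the end-to-end example: STA1 -> AP1 -> AP2 -> STA2."""
    hops = [
        build_data_frame(1, 0, (AP1, STA1, STA2), payload),
        build_data_frame(1, 1, (AP2, AP1, STA2, STA1), payload),
        build_data_frame(0, 1, (STA2, AP2, STA1), payload),
    ]
    return [parse_data_frame(h) for h in hops]


if __name__ == "__main__":
    for hop in end_to_end():
        print(hop["to_ds"], hop["from_ds"], hop["addresses"], hop["fcs_ok"])
```

The FCS detects accidental corruption only: it is an unkeyed CRC that any sender can recompute, so a passing FCS says nothing about who sent the frame.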

Format of Individual Control Frame

• Six control frame subtypes
– RTS
– CTS
– ACK
– PS-Poll
– CF-End
– CF-End+ACK

RTS frame:
Field: Frame control | Duration | RA | TA | FCS
Bytes: 2 | 2 | 6 | 6 | 4
• Duration = time to transmit the pending frame, CTS frame, and ACK frame + 3*SIFS interval

CTS frame:
Field: Frame control | Duration | RA | FCS
Bytes: 2 | 2 | 6 | 4
• Duration = duration obtained from RTS – (time to transmit CTS frame + SIFS interval)

Format of Individual Control Frame

ACK frame:
Field: Frame control | Duration | RA | FCS
Bytes: 2 | 2 | 6 | 4
• If more flag=0 in the immediately previous received data
  • Duration=0
• else
  • duration obtained from the immediately previous received data – (time to transmit ACK frame + SIFS interval)
• The RA value is copied from the address 2 field of the immediately previous directed data, management, or PS-Poll frame

Format of Individual Control Frame

PS-Poll frame:
Field: Frame control | AID | BSSID | TA | FCS
Bytes: 2 | 2 | 6 | 6 | 4
• The AID is the value assigned to the STA transmitting the frame by the AP in the association response frame
• The frame is sent by a station to request that the AP deliver the frames buffered for the station while it was in a power saving mode

[Figure: the Station (TA) sends PS-Poll; after SIFS the AP (BSSID) answers with ACK; all stations set their NAV.]

The NAV value is not part of the PS-Poll frame, but is set by every station

Format of Individual Control Frame

CF-End / CF-End + CF ACK frame:
Field: Frame control | Duration | RA | BSSID | FCS
Bytes: 2 | 2 | 6 | 6 | 4
• The BSSID is the address of the STA contained in the AP
• The RA is the broadcast group address
• The Duration field is set to 0

Format of Data Frame

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | data | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

• During the CFP
  • The duration field is set to 32768
• During the CP
  • if address 1 field contains a group address, the duration field is set to 0
  • else if more flag is set to 0, the duration is set to the time required to send an ACK frame + SIFS interval
  • else (more flag is set to 1), the duration is set to the time required to send the next fragment and 2 ACK frames + 3*SIFS

Transmission of MPDU

• Sending unicast frame without RTS/CTS

[Figure: timing diagram. After DIFS the source sends data; after SIFS the destination returns ACK. Other stations defer access while NAV(data) is set (Duration=0 → reset NAV); after a further DIFS, contention for the next data frame begins.]
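
Transmission of MPDU

• Sending unicast frame with RTS/CTS

[Figure: timing diagram. After DIFS the source sends RTS; the destination answers with CTS, the source sends data, and the destination returns ACK, each separated by SIFS. Other stations defer access under NAV (RTS), NAV (CTS) and NAV (data); after a further DIFS, contention for the next data frame begins.]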

Transmission of MPDU

• Sending fragmented MPDU with RTS/CTS

[Figure: timing diagram. After DIFS the source sends RTS, then Frag 1 (More flag=1) and Frag 2 (More flag=0); the destination answers with CTS, ACK 1 and ACK 2; all frames are separated by SIFS. Other stations keep NAV (RTS), NAV (CTS), NAV (Frag 1), NAV (ACK 1) and NAV (Frag 2); Duration=0 → reset NAV.]

IEEE 802.11 MAC Management

Outline

• Why MAC Management
• Authentication
• Privacy (WEP)
• Association and Reassociation
• Power Management

Why MAC Management ?

• IEEE 802.11 is the first LAN standard to include significant management capabilities
• The environment of a WLAN is more complex than that of a wired LAN (to be dealt with by MAC Management)
– Shared, open media
– Anyone can get to the WLAN
– Mobility
– Power consumption for mobile devices

MAC Management Frames

• 11 distinct frame types
– Beacon
– Probe Request and Response
– Authentication and Deauthentication
– Association Request and Response
– Reassociation Request and Response
– Disassociation
– Announcement Traffic Indication Message (ATIM)

Management Frame Body Components

Field: FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | Frame Body | FCS
Bytes: 2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4

Frame Control subfields: Protocol version | type | subtype | To DS | From DS | More frag | retry | Pwr mgt | More data | WEP | order
(type = 00)

• Within management frames, frame body consists of
  • Fixed fields: fixed length
  • Information elements: variable length

Information Element:
Field: Element ID | Length | Information
Octets: 1 | 1 | Variable length
MAC sublayer Management Services

• Authentication
• Privacy (WEP)
• Association and Reassociation
• Synchronization
• Power Management

Authentication

• IEEE 802.11 provides link-level authentication between IEEE 802.11 STAs
• Two subtypes of authentication service:
– Open System
– Shared Key
• IEEE 802.11 requires mutually acceptable, successful authentication
– Authentication shall be used between stations and the AP in an infrastructure BSS
– Authentication may be used between two STAs in an IBSS

Authentication

• Open System authentication:
1. Requester → Responder: Authentication frame; Authentication Algorithm ID=“Open System”; sequence#=1
2. Responder → Requester: Authentication frame; Authentication ID=“Open System”; sequence#=2; authentication result

Authentication

• Shared key authentication
– Requires implementation of the WEP option
1. Requester → Responder: Authentication frame; Authentication ID=“shared key”; sequence#=1
2. Responder → Requester: Authentication frame; Authentication ID=“shared key”; sequence#=2; challenge text
3. Requester → Responder: Authentication frame; Authentication ID=“shared key”; sequence#=3; encrypted challenge text
4. Responder → Requester: Authentication frame; Authentication ID=“shared key”; sequence#=4; authentication result

Authentication

• Pre-authentication
– Authentication is required before an association can be established
– The use of preauthentication takes the authentication service overhead out of the time-critical reassociation process
– A station may authenticate with many stations
– Authentication is initiated by mobile stations
– A rogue AP may adopt the SSID of the ESS and subject nearby mobile stations to a DoS attack

Authentication

• Authentication Frame Body

Order  Information
1      Authentication algorithm number (FF)
2      Authentication transaction sequence number (FF)
3      Status code (FF)
4      Challenge text (IE)

Field contents by algorithm and transaction sequence number:

Authentication algorithm number:             0 (Open System)   1 (Shared Key)
Authentication transaction sequence number:  #1     #2         #1     #2      #3     #4
Status code:                                 rsvd   status     rsvd   status  rsvd   status
Challenge text:                              No     No         No     Yes     Yes    No

Challenge text information element (field: octets): Element ID=16 (1), Length (1), Information (variable length)

Authentication

• Authentication Frame Body

Order  Information
1      Authentication algorithm number (FF)
2      Authentication transaction sequence number (FF)
3      Status code (FF)
4      Challenge text (IE)

Status  Meaning
0       Successful
1       Unspecified failure
2-9     Reserved
10      Cannot support all requested capabilities in the capability information field
11      Reassociation denied due to inability to confirm that association algorithm
13      Responding station does not support the specified authentication algorithm
15      Authentication rejected because of challenge failure
16      Authentication rejected due to timeout waiting for next frame in sequence
17      Association denied because AP is unable to handle additional associated stations
18      Association denied due to requesting station not supporting all of the data rates in the BSSBasicRateSet parameter
19 --   Reserved

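A parser for the authentication frame body laid out on the two slides above, written as an added example rather than material from the original slides. It assumes each of the three fixed fields is 2 octets, least significant octet first, follows the slide's table strictly for when the challenge text element (ID=16) may appear, and treats a sequence #3 body as already WEP-decrypted; the function and class names are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import Optional

OPEN_SYSTEM, SHARED_KEY = 0, 1
CHALLENGE_TEXT_ID = 16            # element ID of the challenge text IE

# (algorithm number, transaction sequence number) -> challenge text present?
# Taken row by row from the slide's table.
CHALLENGE_PRESENT = {
    (OPEN_SYSTEM, 1): False, (OPEN_SYSTEM, 2): False,
    (SHARED_KEY, 1): False, (SHARED_KEY, 2): True,
    (SHARED_KEY, 3): True, (SHARED_KEY, 4): False,
}

# Status codes from the slide that apply to authentication.
STATUS_MEANING = {
    0: "Successful",
    1: "Unspecified failure",
    13: "Responding station does not support the specified authentication algorithm",
    15: "Authentication rejected because of challenge failure",
    16: "Authentication rejected due to timeout waiting for next frame in sequence",
}


@dataclass
class AuthBody:
    algorithm: int
    sequence: int
    status: Optional[int]         # None where the table marks the field "rsvd"
    challenge: Optional[bytes]

    @property
    def status_text(self) -> str:
        if self.status is None:
            return "reserved"
        return STATUS_MEANING.get(self.status, f"status {self.status}")


def build_auth_body(algorithm: int, sequence: int, status: int = 0,
                    challenge: Optional[bytes] = None) -> bytes:
    """Serialise the fixed fields, then the optional challenge text element."""
    body = struct.pack("<HHH", algorithm, sequence, status)
    if challenge is not None:
        body += bytes([CHALLENGE_TEXT_ID, len(challenge)]) + challenge
    return body


def parse_auth_body(body: bytes) -> AuthBody:
    """Parse and validate an authentication frame body; ValueError if malformed."""
    if len(body) < 6:
        raise ValueError("truncated fixed fields")
    algorithm, sequence, status = struct.unpack_from("<HHH", body, 0)
    if (algorithm, sequence) not in CHALLENGE_PRESENT:
        raise ValueError(f"unexpected algorithm {algorithm} / sequence {sequence}")

    challenge = None
    rest = body[6:]
    if rest:
        if len(rest) < 2 or rest[0] != CHALLENGE_TEXT_ID:
            raise ValueError("expected challenge text element (ID=16)")
        if len(rest) != 2 + rest[1]:
            raise ValueError("element length does not match frame body")
        challenge = rest[2:]

    expected = CHALLENGE_PRESENT[(algorithm, sequence)]
    if expected and challenge is None:
        raise ValueError("challenge text missing")
    if not expected and challenge is not None:
        raise ValueError("challenge text not allowed in this frame")

    # The status code is meaningful only in the responder's frames (#2, #4).
    return AuthBody(algorithm, sequence,
                    status if sequence % 2 == 0 else None, challenge)
```
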
Authentication

• Deauthentication Frame Body

Order  Information
1      Reason code (FF), 2 octets

Reason code  Meaning
0            Reserved
1            Unspecified reason
2            Previous authentication no longer valid
3            Deauthenticated because sending station is leaving (has left) IBSS or ESS
4            Disassociated due to inactivity
5            Disassociated because AP is unable to handle all currently associated stations
6            Class 2 frame received from nonauthenticated station
7            Class 3 frame received from nonassociated station
8            Disassociated because sending station is leaving (or has left) BSS
9            Station requesting (re)association is not authenticated with responding station
10-65535     Reserved

WEP Privacy

• WEP Frame Body Expansion

Expanded frame body (field: bytes): IV (4), MSDU (1-2304), ICV (4); the MSDU and ICV are encrypted

IV field (subfield: bits): Initialization Vector (24), Pad (6), Key ID (2)

ICV: Integrity Check Value (ICV=CRC32(MSDU))

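WEP Privacy

• Encryption

[Figure: WEP encryption block diagram. Initialization Vector (IV) || Secret Key forms the Seed of the WEP PRNG, which outputs the Key Sequence. The Plaintext passes through the Integrity Algorithm to give the ICV; Plaintext || ICV is combined with the Key Sequence to give the Ciphertext. The message carries the IV and the Ciphertext.]
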
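WEP Privacy

• Decryption

[Figure: WEP decryption block diagram. The Secret Key and the IV taken from the message are concatenated (||) into the Seed of the WEP PRNG, which outputs the Key Sequence. The Ciphertext is combined with the Key Sequence to recover the Plaintext and the ICV. The Integrity Algorithm over the Plaintext gives ICV’, and the receiver checks ICV=ICV’ ?]
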
WEP Privacy

• The shared key configuration
– Default Key: key selected from a set of 4 default keys
– Key mapping: separate WEP key for each RA/TA pair
• Privacy-related MIB attributes
– dot11PrivacyInvoked (True → send frames with encryption)
– dot11WEPDefaultKeys (a four-element vector containing the default keys to be used)
– dot11WEPDefaultKeyID (an index into dot11WEPDefaultKeys)
– aExcludeUnencrypted (True → unencrypted data frames are ignored)
– dot11WEPKeyMappings (an array indexed by RA/TA address to get the key mapping key; entry columns: MAC, WEPOn, WEPKey)

WEP Privacy

• Privacy-related MIB attributes
– dot11WEPExcludedCount
• Incremented when receiving a frame with WEP=0 and aExcludeUnencrypted=T
– dot11WEPUndecryptableCount
• Incremented when
– receiving a frame with WEP=1 and dot11PrivacyInvoked=F, or
– receiving a frame with WEP=1 and key does not exist
• A dramatic increase may indicate a Denial of Service attack in progress
– dot11WEPICVErrorCount
• Incremented when the decryption of a frame results in an unmatched ICV
• A dramatic increase may indicate a key-breaking attack in progress

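The WEP slides above, from frame body expansion through the three MIB counters, put together as one added example that is not part of the original slides. It assumes RC4 as the WEP PRNG, the ICV sent least significant octet first, the Key ID in the two high-order bits of the fourth IV octet, and default keys only (no key mapping); the class, the counter attribute names and the `spikes` threshold check are hypothetical, and the sample frames are constructed.

```python
import struct
import zlib
from typing import Dict, List, Optional, Sequence


def rc4(seed: bytes, data: bytes) -> bytes:
    """WEP PRNG: XOR `data` with the RC4 key sequence generated from `seed`."""
    state = list(range(256))
    j = 0
    for i in range(256):                               # key scheduling
        j = (j + state[i] + seed[i % len(seed)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                  # key sequence output
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(byte ^ state[(state[i] + state[j]) & 0xFF])
    return bytes(out)


def icv(msdu: bytes) -> bytes:
    """ICV = CRC32(MSDU), four octets, least significant octet first."""
    return struct.pack("<I", zlib.crc32(msdu) & 0xFFFFFFFF)


def wep_encapsulate(msdu: bytes, key: bytes, iv: bytes, key_id: int) -> bytes:
    """Expanded frame body: IV field (4) + encrypted MSDU + encrypted ICV (4)."""
    if len(iv) != 3 or not 0 <= key_id <= 3 or not 1 <= len(msdu) <= 2304:
        raise ValueError("bad IV, key ID or MSDU length")
    iv_field = iv + bytes([key_id << 6])               # 24-bit IV, 6 pad bits, 2-bit Key ID
    return iv_field + rc4(iv + key, msdu + icv(msdu))  # seed = IV || secret key


class WepReceiver:
    """Receive path that maintains the three counters from the MIB slide."""

    def __init__(self, default_keys: Sequence[Optional[bytes]],
                 privacy_invoked: bool = True, exclude_unencrypted: bool = True):
        if len(default_keys) != 4:
            raise ValueError("exactly four default key slots are required")
        self.default_keys = list(default_keys)
        self.privacy_invoked = privacy_invoked
        self.exclude_unencrypted = exclude_unencrypted
        self.excluded = 0        # WEP=0 while unencrypted frames are excluded
        self.undecryptable = 0   # WEP=1 but privacy not invoked or no key
        self.icv_errors = 0      # decryption gave an unmatched ICV

    def counters(self) -> Dict[str, int]:
        return {"excluded": self.excluded, "undecryptable": self.undecryptable,
                "icv_errors": self.icv_errors}

    def receive(self, wep_bit: bool, body: bytes) -> Optional[bytes]:
        """Return the MSDU, or None when the frame is dropped."""
        if not wep_bit:
            if self.exclude_unencrypted:
                self.excluded += 1
                return None
            return body
        key = self.default_keys[body[3] >> 6] if len(body) >= 4 else None
        if not self.privacy_invoked or key is None:
            self.undecryptable += 1
            return None
        plain = rc4(body[:3] + key, body[4:])
        msdu, received_icv = plain[:-4], plain[-4:]
        if len(plain) < 5 or icv(msdu) != received_icv:
            self.icv_errors += 1
            return None
        return msdu


def spikes(before: Dict[str, int], after: Dict[str, int], limit: int) -> List[str]:
    """Counters that grew by more than `limit` between two polls."""
    return sorted(n for n in after if after[n] - before.get(n, 0) > limit)
```
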
Association

• Association Request
– To be associated with an AP, after being authenticated, a STA initiates an association request that includes its “capabilities” information:
• Data rates, high rate PHY options, contention-free capabilities, support of WEP and any request for contention-free service.
• The length of time in a low power operating mode.
– The AP will decide whether to grant the request
• Policies and algorithms are not part of the standard.
• Example: long periods in low power operation may need excessive buffer commitments from the AP.
• Load balancing factors and availability of other APs nearby

Association

• Association Request Frame Body

Order  Information
1      Capability Information (FF)
2      Listen interval (FF)
3      SSID (IE)
4      Supported rates (IE)

Capability Information bits: B0 ESS, B1 IBSS, B2 CF Pollable, B3 CF Poll Request, B4 Privacy, B5-B15 Reserved
– ESS, IBSS: 10 for AP, 01 for STA in IBSS, 00 in this case
– Privacy: set if WEP encryption is required
– CF Pollable, CF Poll Request (for STA usage, not the AP):
0 0  STA not CF-Pollable
0 1  STA CF-Pollable, but not requesting to join the CF-Polling list
1 0  STA CF-Pollable, requesting to join the CF-Polling list
1 1  STA CF-Pollable, requesting never be polled

Association

• Association Request Frame Body

Order  Information
1      Capability Information (FF)
2      Listen interval (FF)
3      SSID (IE)
4      Supported rates (IE; ID=1)

– Listen interval
• 2 octets long
• Used to indicate to the AP how often an STA wakes to listen to Beacon management frames (in units of Beacon Interval)
• An AP may use the listen interval information in determining the lifetime of frames that it buffers for an STA
– SSID
• Indicates the identity of an ESS (or IBSS)
• A 0 length SSID → the broadcast SSID
• Element format (field: octets): Element ID=0 (1), Length (1), SSID (0 - 32)
– Supported rates
• Indicates the supported rates in 1-8 octets; each octet describes a single supported rate in units of 500 kbps (msb is don’t care)

Association

• Association Response Frame Body

Order  Information
1      Capability Information (FF)
2      Status code (FF)
3      Association ID (AID) (IE)
4      Supported rates (IE)

Capability Information bits: B0 ESS, B1 IBSS, B2 CF Pollable, B3 CF Poll Request, B4 Privacy, B5-B15 Reserved
– ESS, IBSS: 10 for AP, 01 for STA in IBSS, 10 in this case
– CF Pollable, CF Poll Request (for AP usage, not the STA):
0 0  No point coordinator at AP
0 1  Point coordinator at AP for delivery only (no polling)
1 0  Point coordinator at AP for delivery and polling
1 1  Reserved

Association

• Association Response Frame Body

Order  Information
1      Capability Information (FF)
2      Status code (FF) (2 octets long)
3      Association ID (AID) (IE)
4      Supported rates (IE)

The AID field is a value assigned by an AP during association that represents the 16-bit ID of a STA

Status  Meaning
0       Successful
1       Unspecified failure
2-9     Reserved
10      Cannot support all requested capabilities in the capability information field
11      Reassociation denied due to inability to confirm that association algorithm
13      Responding station does not support the specified authentication algorithm
15      Authentication rejected because of challenge failure
16      Authentication rejected due to timeout waiting for next frame in sequence
17      Association denied because AP is unable to handle additional associated stations
18      Association denied due to requesting station not supporting all of the data rates in the BSSBasicRateSet parameter
19 --   Reserved

Association

• Association Response Frame Body

Order  Information
1      Capability Information (FF)
2      Status code (FF) (2 octets long)
3      Association ID (AID) (IE)
4      Supported rates (IE)

– Supported rates
• Indicates the supported rates in 1-8 octets; each octet describes a single supported rate in units of 500 kbps
• msb is set to
– 1, if the supported rate belongs to the BSSBasicRateSet
– 0, otherwise
– BSSBasicRateSet:
• Set of integers, each in [2,127]
• Set of data rates (in units of 500 kbps) that must be supported by all STAs to join this BSS

Reassociation

• Reassociation Request
– Used when a STA is moving from the coverage of an AP to that of a new AP
• Lose contact with the old AP
• Initiate a new association (Reassociation) with the new AP
– Provides information to DS about the location of the STA
– Provides also the address of the old AP for the termination of association with the old AP when the reassociation is granted

Reassociation

• Reassociation Request Frame Body

Order  Information
1      Capability Information (FF)
2      Listen interval (FF)
3      Current AP address (FF)
4      SSID (IE; ID=0)
5      Supported rates (IE; ID=1)

– The current AP address field is the MAC address of the AP with which the station is currently associated

Reassociation

• Reassociation Response Frame Body
– Format is identical to the Association Response frame

Order  Information
1      Capability Information (FF)
2      Status code (FF)
3      Association ID (AID) (IE)
4      Supported rates (IE)

Status  Meaning
0       Successful
1       Unspecified failure
2-9     Reserved
10      Cannot support all requested capabilities in the capability information field
11      Reassociation denied due to inability to confirm that association algorithm
13      Responding station does not support the specified authentication algorithm
15      Authentication rejected because of challenge failure
16      Authentication rejected due to timeout waiting for next frame in sequence
17      Association denied because AP is unable to handle additional associated stations
18      Association denied due to requesting station not supporting all of the data rates in the BSSBasicRateSet parameter
19 --   Reserved

Power Management

• Power management in an infrastructure network
– STAs changing Power Management mode shall inform the AP

MAC frame format (field: octets): FC (2), Duration/ID (2), Address 1 (6), Address 2 (6), Address 3 (6), Sequence Control (2), Address 4 (6), Frame Body (0-2312), FCS (4)

Frame Control (FC) subfields: Protocol version, Type, Subtype, To DS, From DS, More frag, Retry, Pwr mgt, More data, WEP, Order

– The AP shall then buffer MSDUs for it and only transmit them at designated times

Power Management

• Power management in an infrastructure network
– The AP shall transmit a Beacon every aBeaconPeriod providing
• Timing Synchronization for the entire BSS
• TIM (Traffic Indication Map) notification to STAs with frames buffered in the AP
– STAs operating in power save mode shall periodically listen for beacons, as determined by the STA’s ListenInterval
– Data frames will remain buffered for a time not less than the STA’s ListenInterval
– For a station to receive multicast/broadcast frames, it must be awake at the beginning of every DTIM (Delivery TIM) Interval

Association Request Frame Body

Order  Information
1      Capability Information (FF)
2      Listen interval (FF)
3      SSID (IE)
4      Supported rates (IE; ID=1)

Power Management

• Beacon Frame Body

Order  Information
1      Timestamp (FF)
2      Beacon interval (FF)
3      Capability (IE)
4      SSID (IE; ID=0)
5      Supported rates (IE; ID=1)
6      FH Parameter Set (IE; ID=2)
7      DS Parameter Set (IE; ID=3)
8      CF Parameter Set (IE; ID=4)
9      IBSS Parameter Set (IE; ID=6)
10     TIM (IE; ID=5)

– Timestamp
• 8 octets long
• This field represents the value of TSFTimer (in μs) of a frame’s source
• TSF stands for Timing Synchronization Function
– Beacon interval
• 2 octets long
• This field represents the number of time units (1024 μs) between target beacon transmission times (TBTTs)

Power Management

• Beacon Frame Body

Order  Information
1      Timestamp (FF)
2      Beacon interval (FF)
3      Capability (IE)
4      SSID (IE; ID=0)
5      Supported rates (IE; ID=1)
6      FH Parameter Set (IE; ID=2)
7      DS Parameter Set (IE; ID=3)
8      CF Parameter Set (IE; ID=4)
9      IBSS Parameter Set (IE; ID=6)
10     TIM (IE; ID=5)

TIM element format (field: octets): Element ID=5 (1), Length (1), DTIM Count (1), DTIM Period (1), Bitmap Control (1), Partial Virtual Bitmap (1-251)

– DTIM Count: indicates the number of beacon intervals before the next DTIM
– DTIM Period: indicates the number of beacon intervals between successive DTIMs
– Bitmap Control
• B0, Traffic Indicator: buffered traffic indicator for AID=0; set when DTIM Count=0 and there are buffered multicast or broadcast frames
• B1 – B7, Bitmap Offset: word offset of the Partial Virtual Bitmap, to indicate the leading zero words
– Partial Virtual Bitmap: up to 2008 bits; B1 - B2007 are the buffered traffic indicators for AID=1-2007

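The TIM element described above, built and parsed in an added example that is not part of the original slides. It assumes the bit for AID k sits in octet k div 8, bit k mod 8 of the full 251-octet virtual bitmap, that the Bitmap Offset counts 16-bit words (so the first octet carried is always even), and that the DTIM Count counts down to 0 within the DTIM Period; the function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable

TIM_ELEMENT_ID = 5
MAX_AID = 2007
FULL_BITMAP_OCTETS = 251          # 2008 bits


@dataclass
class Tim:
    dtim_count: int
    dtim_period: int
    multicast_buffered: bool      # Bitmap Control B0, the indicator for AID=0
    first_octet: int              # index of the first bitmap octet carried
    partial_bitmap: bytes

    @property
    def is_dtim(self) -> bool:
        return self.dtim_count == 0

    def has_buffered(self, aid: int) -> bool:
        """True when the AP signals buffered unicast frames for this AID."""
        if not 1 <= aid <= MAX_AID:
            raise ValueError("AID out of range")
        index = aid // 8 - self.first_octet
        if not 0 <= index < len(self.partial_bitmap):
            return False          # octet was elided, so all its bits are zero
        return bool(self.partial_bitmap[index] & (1 << (aid % 8)))


def parse_tim(element: bytes) -> Tim:
    """Parse a complete TIM element (ID and Length octets included)."""
    if len(element) < 6:
        raise ValueError("TIM element shorter than 6 octets")
    if element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    length = element[1]
    if length != len(element) - 2 or not 4 <= length <= 254:
        raise ValueError("Length field does not match the element")
    dtim_count, dtim_period, control = element[2], element[3], element[4]
    if dtim_period == 0 or dtim_count >= dtim_period:
        raise ValueError("inconsistent DTIM Count / DTIM Period")
    first_octet = control & 0xFE  # B1-B7 word offset, times two octets
    bitmap = element[5:]
    if first_octet + len(bitmap) > FULL_BITMAP_OCTETS:
        raise ValueError("partial virtual bitmap runs past AID 2007")
    return Tim(dtim_count, dtim_period, bool(control & 0x01), first_octet, bitmap)


def build_tim(aids: Iterable[int], dtim_count: int, dtim_period: int,
              multicast: bool = False) -> bytes:
    """Build the TIM an AP would send for the given set of buffered AIDs."""
    full = bytearray(FULL_BITMAP_OCTETS)
    for aid in aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError("AID out of range")
        full[aid // 8] |= 1 << (aid % 8)
    used = [i for i, octet in enumerate(full) if octet]
    if used:
        first = used[0] & ~1      # drop leading zero words, keep word alignment
        partial = bytes(full[first:used[-1] + 1])
    else:
        first, partial = 0, b"\x00"
    # The AID=0 indicator is set only in a DTIM beacon (DTIM Count = 0).
    control = first | int(multicast and dtim_count == 0)
    return bytes([TIM_ELEMENT_ID, 3 + len(partial),
                  dtim_count, dtim_period, control]) + partial
```
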
Power Management

• Power management in an infrastructure network
– When the TIM indicates that there is at least one buffered frame, the STA may send a PS-Poll control frame to request the frame
– The AP transmits the requested frame and sets the more data field to indicate that additional buffered frames are available (Please keep awake!!)

MAC frame format (field: octets): FC (2), Duration/ID (2), Address 1 (6), Address 2 (6), Address 3 (6), Sequence Control (2), Address 4 (6), Frame Body (0-2312), FCS (4)

Frame Control (FC) subfields: Protocol version, Type, Subtype, To DS, From DS, More frag, Retry, Pwr mgt, More data, WEP, Order

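Power Management

• Power management in an infrastructure network

[Figure: timelines for the AP, an MH in active mode and an MH in PS mode. The AP sends Beacons, one of them a Deferred Beacon; a DTIM is followed by Broadcast and a TIM by Unicast. Marked events: (1) at the TIM interval and DTIM Interval, (2) at the PS-poll sent by the MH in PS mode, (3) at the AP, (4) (5) (6) along the MH timelines.]
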
Power Management

• Power management in an infrastructure network

(1) A DTIM interval consists of multiple TIM intervals (i.e. Beacon Intervals).
(2) The MH sends a PS-Poll frame to the AP to request that the AP transmit a buffered frame via unicast.
(3) An MH in PS mode can miss some TIMs, but not a DTIM.
(4) After receiving a DTIM, the MH in PS mode awakes to receive broadcast data (no polling is needed).
(5) After receiving a TIM, the MH in active mode transmits earlier, so the MH in PS mode stays awake.
(6) After receiving a DTIM, the MH in PS mode dozes because there is no broadcast data.

Power Management

• Power management in an IBSS
– STAs in the PS mode should be awake prior to each Target Beacon Transmission Time (TBTT) and keep awake during the ATIM Window
– In cases when the receiver is “determined” to be in PS mode, the sender should first transmit an ATIM frame during the ATIM Window, followed by the transmission of the data frame after the ATIM-ACK is received
• The determination is based on the power management field set in the STA’s previous transmission or on historically failed transmission attempts

Power Management

• Power management in an IBSS
– If a STA receives a directed ATIM frame containing its individual address, or a multicast ATIM frame during the ATIM Window, it shall remain in the awake state until the end of the next ATIM Window
– Directed ATIM frames shall be acknowledged. If no acknowledgement is received, the ATIM shall be retransmitted through DCF access
– Multicast ATIM frames should not be acknowledged

Power Management

• Power management in an IBSS

[Figure: timelines for MH A and MH B across two Beacon intervals. Each interval starts at a Target Beacon Transmission Time with a Beacon and an ATIM Window. Labels: ATIM Frame, ATIM-ACK, ACK, Active.]

802.11 MAC enhancement for QoS Support (IEEE 802.11e)

Department of Computer Science and Information Engineering
Da-Yeh University, Taiwan 515, R.O.C.
Shih Tsung Liang
stliang@aries.dyu.edu.tw

Outline

• Problems of Legacy 802.11 MAC
• Characteristics of 802.11e
• 802.11e MAC Mechanism
– Enhanced Distributed Coordination Function (EDCF)
– Hybrid Coordination Function (HCF)

Problems of Legacy MAC

• Restricted polling scheduling
• Superframe with alternating CFP and CP
– Needs to be short for a short QoS delay bound
• No notion of QoS and related signaling
• Uncontrollable/unpredictable frame transmission time (colocated AP)
– Delays the transmission of time-bounded traffic
– Unpredictable time delays in each CFP
• Hidden station problem
– Could transmit interfering frames during CFP

[Figure: two BSSs (BSS1 and BSS2), each with a PC, and stations STA1, STA3 and STA4. Labels: CF-Poll, Data, Data, Data, Collision.]

Characteristics of 802.11e

• Two types of QoS supported
– Prioritized QoS for Traffic Category (TC)
• Differentiated channel access for frames with different user priorities
• 8 different priorities
– Parameterized QoS for Traffic Stream (TS)
• QoS is characterized by a set of parameters, called TSPEC
• Parameter values in TSPEC are objectives, not guarantees
• A TS is set up between transmitter and receiver

Characteristics of 802.11e

• Traffic ID (TID)
– Equal to the parameter value provided at the MAC SAP
– 16 possible TID values
• 8 for traffic categories (TCs)
• 8 for traffic stream identifiers (TSIDs)
– TID value is carried in each QoS data frame as part of the QoS Control field in the MAC header

Characteristics of 802.11e

• Two access mechanisms
– Contention-based channel access
• Enhanced Distributed Coordination Function (EDCF)
• For prioritized QoS
• A variation of 802.11 DCF
– Controlled channel access
• Polling mode for parameterized QoS
• Variation of 802.11 PCF

Characteristics of 802.11e

• Transmission Opportunity (TXOP)
– An interval of time when a QoS STA (QSTA) has the right to initiate transmissions
• Multiple frames (i.e., MSDUs) can be transmitted during a TXOP with TXOPLimit Duration field in the CF-poll (HCF)
– Two different TXOPs
• EDCF TXOP – acquired by EDCF contention
• Polled TXOP – acquired by being polled by HC

EDCF

• EDCF access mechanism
– Each AC contends with
• AIFS[AC] (instead of DIFS)
• CWmin[AC] (instead of CWmin)
• CWmax[AC] (instead of CWmax)

[Figure: channel access timing over time. After a DATA/Ack exchange (SIFS-separated), the High Priority TC, Medium Priority TC and Low Priority TC each wait their own AIFS(TC) and then a backoff in the Contention Window (counted in slots); PIFS and SIFS are shown for comparison, followed by an RTS/CTS exchange separated by SIFS.]

EDCF

• EDCF access mechanism

[Figure: a single DCF backoff entity beside the EDCF queues TC7 (high priority) to TC0 (low priority). Each has its own Backoff (AIFS). In EDCF a Scheduler with a Virtual Collision Handler sits between the queues and the Transmission attempt.]

AIFS: Arbitration Inter-Frame Space

EDCF

• EDCF Contention-Free Burst (CFB)
– Within an EDCF TXOP
• Multiple MSDUs can be transmitted within the limit of EDCF TXOPLimit[AC]
• EDCF TXOPLimit is announced by Beacons

HCF

• HC channel access rule
– During CFP
• HC assumes full control over the medium
• Similar to PCF
– During CP
• HC can access the channel after a PIFS period of medium idle
– Polled TXOP can exist in both CFP and CP → superframe size need not be very small anymore!

[Figure: superframe timeline with a CFP (Contention Free Period, polling through HCF) followed by a CP (Contention Period). Rows for HC and STAs. Labels: Beacon, CF-Poll, CF-End, CCI, CF-Poll, DATA frames grouped into TXOPs.]

HCF

• Polled TXOP
– QoS CF-Poll specifies the polled TXOPLimit
– During a polled TXOP, the TXOP holder can determine whatever frames to send
– NAV protects a polled TXOP

[Figure: timing diagram. HC or AP: QoS CF-Poll, then the TXOP granted by QoS CF-Poll. Polled Station: Data 1, Data 2, answered by ACK 1, ACK 2. Others: NAV set. Labels: SIFS, Slot Time.]

HCF

• Implementation-dependent issues
– HC scheduling: mixture of downlink and polled TXOP scheduling
– QSTA scheduling: during a polled TXOP, schedule frame transmission
– Admission control by HC: to decide whether to admit a TS or not

Inter-Access Point Protocol (IAPP) (IEEE 802.11f)

Outline

• Why IAPP?
• 802.1D implementations of IAPP
• 802.11f IAPP
• Operation of 802.11f IAPP
• RADIUS Protocol Usage
• IAPP Packet Format
• Roaming in 802.11f IAPP

Why IAPP?

• IEEE 802.11 does not specify DS implementations
• The number of implementation approaches means physical AP devices are unlikely to interoperate across a DS
• IAPP aims to achieve multi-vendor Access Point interoperability within the DS

[Figure: an ESS in which 802.11 LANs BSS1, BSS2 and BSS3, with stations STA1 to STA4, are joined through their Access Points by the Distribution System.]

802.1D implementations of IAPP

• DSSs in APs function the same as 802.1D bridges

[Figure: AP x, AP y and AP z attached to a Bridged LAN; station s moves between AP x and AP y. Steps: (1) move; (2) reassociation(s, x); (3) MOVE-notify (s,x,y); (4) MOVE-response; (5) Layer 2 update (s,x,y).]

802.1D implementations of IAPP

• Advantages
– Less protocol overhead
• IAPP PDU exchanges remain in layer 2
– Possible to combine the Move-notify and the layer 2 update frame as a single frame
• Disadvantages
– Cannot support cross-network roaming even when network layer roaming is implemented, or
– The enforcement in 802.11 that a STA is restricted to have a single association at a given time is violated.

802.1D implementations of IAPP

• Illustration of cross-network roaming

[Figure: networks of Hub/Switch devices joined by a Router, with a link to other layer 2 devices. Label: MOVE-notify and layer-2 update frames are blocked.]

802.11f IAPP

• IEEE Draft Recommended Practice for Inter Access Point Protocol
• Addresses issues with MAC layer roaming between unrelated (different networks) Access Points
• Uses TCP/IP or UDP/IP to carry IAPP packets between APs
• Network layer mobility
– RFC3344 IP Mobility Support for IPv4 (Mobile IPv4)
– Mobile IPv6
– Dynamic Host Configuration Protocol (DHCP)

802.11f IAPP

• Functions supported by the IAPP
– DS Services, as defined in ISO/IEC 8802-11:1999
– Address mapping of wireless medium addresses of APs (their BSSID) to DS network layer addresses (IP addresses)
– Formation of a DS
– Maintenance of the DS
– Enforcement of the restriction of ISO/IEC 8802-11:1999 that a STA may have only a single association at any given time
– Transfer of STA context information between APs

802.11f IAPP

• Station and AP Architecture with IAPP

[Figure: protocol stacks. Station: SME beside WM MLME and WM PLME, over MAC and PHY. AP: APME on top, then the IAPP SAP, IAPP and RADIUS Client, TCP/UDP and ESP, IP, 802.2, DS Services, DSM MAC and DSM PHY, WM MAC and WM PHY with WM MLME and WM PLME.]

SME: Station Management Entity
APME: AP Management Entity
WM: Wireless Medium
DSM: Distribution System Medium
MLME: MAC Layer Management Entity
PLME: Physical Layer Management Entity

802.11f IAPP

• Station and AP Architecture with IAPP
– The IAPP services are accessed by the APME through the IAPP SAP
– TCP/IP or UDP/IP is used to carry IAPP packets between APs

[Figure: AP protocol stack: APME, IAPP SAP, IAPP and RADIUS Client, TCP/UDP and ESP, IP, 802.2, DS Services, DSM MAC and DSM PHY, WM MAC and WM PHY with WM MLME and WM PLME.]

802.11f IAPP

• Inter-AP Security Risks:
– Because IAPP packets are transmitted over IP, they can be captured to gather information on the STA that is roaming
– An attacker can act as a rogue AP in the ESS and use bogus MOVE- or ADD-Notify packets as a Denial-of-Service attack

802.11f IAPP

• Station and AP Architecture with IAPP
– The invocation of some IAPP service primitives relies on the RADIUS protocol to implement certain functions requested for the correct and secure operation of the IAPP
– The RADIUS servers provide 2 functions:
• Address mapping of an AP’s BSSID to its IP address on the DSM
• Distribution of keys to the APs to allow secure communications between the APs

[Figure: AP protocol stack: APME, IAPP SAP, IAPP and RADIUS Client, TCP/UDP and ESP, IP, 802.2, DS Services, DSM MAC and DSM PHY, WM MAC and WM PHY with WM MLME and WM PLME.]

802.11f IAPP

• Station and AP Architecture with IAPP
– ESP: IP Encapsulating Security Payload
– The protection for the MOVEs can be provided by ESP (RFC2406) pair-wise Security Association
– The protection for the ADDs requires a group ESP Security Association

[Figure: AP protocol stack: APME, IAPP SAP, IAPP and RADIUS Client, TCP/UDP and ESP, IP, 802.2, DS Services, DSM MAC and DSM PHY, WM MAC and WM PHY with WM MLME and WM PLME.]

802.11f IAPP

• Use of ESP with RADIUS for the Key Management
– Provides discovery of a Rogue AP
– Prevents a STA from roaming from a Rogue AP to a valid AP in the ESS
– Blocks the move of the STA context information to a Rogue AP if the STA roams to it

*note*
Please keep these in mind; I might want you to tell me how they work (just to be sure of your understanding).

Operation of 802.11f IAPP

• Initiation of IAPP by APME
• IAPP supports 3 protocol sequences following the
– Invoking the IAPP-ADD.request after the APME receives an MLME-ASSOCIATE.indication
– Invoking the IAPP-MOVE.request after the APME receives an MLME-REASSOCIATE.indication
– Invoking the IAPP-CACHE-NOTIFY.request to cache context in neighboring APs to facilitate fast roaming
• Termination of IAPP by APME

IAPP Initiation

• Normal initiation of the IAPP protocol

[Figure: message sequence chart. Participants: MLME, APME, IAPP, RADIUS Client, TCP/UDP. Messages, top to bottom:]
1. MLME-RESET.request
2. MLME-RESET.confirm
3. IAPP-INITIATE.request
4. Send INITIATE-REQUEST
5. RADIUS Exchange
6. RADIUS Exchange
7. Recv INITIATE-ACCEPT
8. Open TCP/UDP Ports for IAPP
9. TCP/UDP Ports Opened for IAPP
10. IAPP-INITIATE.confirm (Status=SUCCESSFUL)
11. MLME-START.request
12. MLME-START.confirm

IAPP Initiation

• Failed initiation of the IAPP Protocol

[Figure: message sequence chart. Participants: MLME, APME, IAPP, RADIUS Client, TCP/UDP. Messages, top to bottom:]
1. MLME-RESET.request
2. MLME-RESET.confirm
3. IAPP-INITIATE.request
4. Send INITIATE-REQUEST
5. RADIUS Exchange
6. RADIUS Exchange
7. Recv INITIATE-REJECT
8. IAPP-INITIATE.confirm (Status=FAILURE)

IAPP Initiation

• Attempted re-initiation of the IAPP protocol

[Figure: message sequence chart. Participants: MLME, APME, IAPP. Messages, top to bottom:]
1. MLME-RESET.request
2. MLME-RESET.confirm
3. IAPP-INITIATE.request
4. IAPP-INITIATE.confirm (Status=RUNNING)

IAPP Termination

• Termination of the IAPP protocol

[Figure: message sequence chart. Participants: MLME, APME, IAPP, TCP/UDP. Messages, top to bottom:]
1. MLME-DISASSOCIATE.request (All Stations)
2. MLME-DISASSOCIATE.confirm
3. MLME-RESET.request
4. MLME-RESET.confirm
5. IAPP-TERMINATE.request
6. Close TCP/UDP Ports for IAPP
7. TCP/UDP Ports closed for IAPP
8. IAPP-TERMINATE.confirm (Status=SUCCESSFUL)

IAPP-ADD.request Sequence

• IAPP-ADD.request should be generated by an APME when the local AP generates an 802.11 MLME-ASSOCIATE.indication
• The function of this primitive is twofold:
– To cause the forwarding tables of layer 2 internetworking devices, e.g., bridges and switches, to be updated
– To notify other APs within the multicast domain of the STA’s new association to allow those APs to clean up context information left behind
• Why can this happen?

IAPP-ADD.request Sequence

• Normal STA association

[Figure: message sequence chart. Participants: Local MLME, Local APME, Local IAPP, Local TCP/UDP, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Messages, top to bottom:]
Local AP:
1. MLME-ASSOCIATE.indication
2. IAPP-ADD.request (start confirm timeout)
3. Send Layer 2 Update Frame (confirm)
4. Send ADD-notify packet (confirm)
5. IAPP-ADD.confirm (Status=SUCCESSFUL)
6. Transport ADD-notify packet to peer
Peer AP:
7. Arrival of ADD-notify packet
8. IAPP-ADD.indication
9. If station is shown as being associated at the peer AP: MLME-DISASSOCIATE.request, then MLME-DISASSOCIATE.confirm

IAPP-ADD.request Sequence

• STA association – stale association

[Figure: message sequence chart. Participants: Local MLME, Local APME, Local IAPP, Local TCP/UDP, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Messages, top to bottom:]
Local AP:
1. MLME-ASSOCIATE.indication
2. IAPP-ADD.request (start confirm timeout)
3. Send Layer 2 Update Frame
4. Send ADD-notify packet
5. IAPP-ADD.confirm (Status=SUCCESSFUL)
6. Transport ADD-notify packet to peer
Peer AP:
7. Arrival of ADD-notify packet
8. IAPP-ADD.indication
9. If station is shown as being associated at the peer AP with a newer sequence number: IAPP-ADD.request
10. Send layer 2 Update Frame
11. Send ADD-notify packet
12. IAPP-ADD.confirm (Status=SUCCESSFUL)
13. Transport ADD-notify packet to peer
Local AP:
14. Arrival of ADD-notify packet
15. IAPP-ADD.indication
16. MLME-DISASSOCIATE.request
17. MLME-DISASSOCIATE.confirm

IAPP-ADD.request Sequence

• STA association – timeout

[Figure: message sequence chart. Participants: Local MLME, Local APME, Local IAPP, Local TCP/UDP, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Messages, top to bottom:]
Local AP:
1. MLME-ASSOCIATE.indication
2. IAPP-ADD.request (start confirm timeout)
3. Send Layer 2 Update Frame (confirm)
4. Send ADD-notify packet
5. IAPP-ADD.confirm (Status=TIMEOUT)
6. (confirm) for the ADD-notify packet
7. MLME-DISASSOCIATE.request
8. MLME-DISASSOCIATE.confirm
9. Transport ADD-notify packet to peer
Peer AP:
10. Arrival of ADD-notify packet
11. IAPP-ADD.indication
12. If station is shown as being associated at the peer AP with older sequence number: MLME-DISASSOCIATE.request, then MLME-DISASSOCIATE.confirm

IAPP-ADD.request Sequence

• STA association - Failure

[Figure: message sequence chart. Participants: Local MLME, Local APME, Local IAPP, Local TCP/UDP. Messages, top to bottom:]
1. MLME-ASSOCIATE.indication
2. IAPP-ADD.request (start confirm timeout)
3. Send Layer 2 Update Frame
4. Send ADD-notify packet
5. IAPP-ADD.confirm (Status=FAIL)
6. MLME-DISASSOCIATE.request
7. MLME-DISASSOCIATE.confirm

IAPP-MOVE.request Sequence

• IAPP-MOVE.request should be issued by the APME when it receives an 802.11 MLME-REASSOCIATE.indication from the MLME indicating that an STA has reassociated with the AP
• The function of this primitive is twofold:
– To cause the forwarding tables of layer 2 internetworking devices, e.g., bridges and switches, to be updated
– To notify the old AP of the STA’s new association to allow it to deliver context information to the new AP and to clean up context information left behind

IAPP-MOVE.request Sequence

• Normal STA reassociation

[Figure: message sequence chart. Participants: Local MLME, Local APME, Local IAPP, Local TCP/UDP, RADIUS Client, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Messages, top to bottom:]
Local AP:
1. MLME-REASSOCIATE.indication
2. IAPP-MOVE.request (start confirm timeout)
3. Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally
4. Receive ACCESS-ACCEPT packet or return local translation of Old AP MAC address to DSM IP address
5. Send Move-notify packet
6. Transport Move-notify packet to peer
Peer AP:
7. Arrival of Move-notify packet
8. IAPP-MOVE.indication
9. If station is shown as being associated at the peer AP with older sequence number: IAPP-MOVE.response (Status=SUCCESSFUL), with MLME-DISASSOCIATE.request and MLME-DISASSOCIATE.confirm toward the Peer MLME
10. Send Move-response packet
11. Transport Move-response packet to peer
Local AP:
12. Arrival of Move-response packet
13. IAPP-MOVE.confirm (Status=SUCCESSFUL)
14. Send Layer 2 Update Frame

DYU
CSIE
IAPP-MOVE.request Sequence
S. T. LIANG
• STA reassociation – stale move
[Sequence diagram. Entities: Local MLME, Local APME, Local IAPP, Local TCP/UDP, RADIUS Client, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Local side: MLME-REASSOCIATE.indication, IAPP-MOVE.request (start confirm timeout), Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally, Receive ACCESS-ACCEPT packet or return local translation of Old AP MAC address to DSM IP address, Send Move-notify packet. Peer side: arrival of Move-notify packet, IAPP-MOVE.indication; if the station is shown as being associated at the peer AP with a more recent sequence number, IAPP-MOVE.response (Status=STALE MOVE), Send Move-response packet. Local side: arrival of Move-response packet, IAPP-MOVE.confirm (Status=STALE MOVE), MLME-DISASSOCIATE.request and .confirm.]

• STA reassociation – move denied
[Sequence diagram. Entities: Local MLME, Local APME, Local IAPP, Local TCP/UDP, RADIUS Client, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Local side: MLME-REASSOCIATE.indication, IAPP-MOVE.request (start confirm timeout), Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally, Receive ACCESS-ACCEPT packet or return local translation of Old AP MAC address to DSM IP address, Send Move-notify packet. Peer side: arrival of Move-notify packet, IAPP-MOVE.indication, IAPP-MOVE.response (Status=MOVE DENIED), Send Move-response packet. Local side: arrival of Move-response packet, IAPP-MOVE.confirm (Status=MOVE DENIED), MLME-DISASSOCIATE.request and .confirm.]

• STA reassociation – failure

[Sequence diagram. Entities: Local MLME, Local APME, Local IAPP, RADIUS Client. Labels: MLME-REASSOCIATE.indication, IAPP-MOVE.request (start confirm timeout), Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally, Receive ACCESS-REJECT packet or failure to translate address locally, IAPP-MOVE.confirm (Status=FAIL), MLME-DISASSOCIATE.request and .confirm.]

• STA reassociation – timeout


[Sequence diagram. Entities: Local MLME, Local APME, Local IAPP, Local TCP/UDP, RADIUS Client, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Local side: MLME-REASSOCIATE.indication, IAPP-MOVE.request (start confirm timeout), Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally, Receive ACCESS-ACCEPT packet or return local translation of Old AP MAC address to DSM IP address, Send Move-notify packet, IAPP-MOVE.confirm (Status=TIMEOUT), MLME-DISASSOCIATE.request and .confirm. Peer side: arrival of Move-notify packet, IAPP-MOVE.indication, IAPP-MOVE.response, Send Move-response packet. Note on the peer side: the IAPP-MOVE.response primitive may be invoked with any status value; the STA may be disassociated.]

IAPP-CACHE-NOTIFY.request Sequence

• IAPP-CACHE-NOTIFY.request is used when
– caching is enabled; and
– the APME receives an MLME-ASSOCIATE.indication or an MLME-REASSOCIATE.indication from the MLME indicating that an STA has associated or reassociated with the AP
• This primitive causes the IAPP entity to send IAPP CACHE-notify packets to each of the APs in the neighbor graph, requesting that the included context be proactively cached

• Neighbor graph
– A neighbor graph is the set of neighbors relative to a given AP
– This set is kept by an AP for quickly identifying the neighbors
– It may be dynamically learned and cached by using the proactive cache algorithm

• proactive cache algorithm


Proactive_Cache(STA_MAC, Old_AP_MAC) {
    if (Lookup(STA_MAC, Old_AP_MAC)) {   /* cache hit */
        send REASSOCIATE.response to STA;
    } else {   /* cache miss: inform old AP of move via normal IAPP */
        send IAPP-MOVE.request to Old AP;
        /* context is from IAPP-MOVE.response */
        Insert(STA_MAC, Old_AP_MAC, context);
    }
    update_cache(Old_AP_MAC);
    for each AP in Neighbors {   /* push context out to neighbors */
        send IAPP-CACHE-NOTIFY.request to AP;
    }
    return;
}

Lookup(STA_MAC, Old_AP_MAC) {
    if (<STA_MAC, Old_AP_MAC> in cache) {
        return context;
    } else {
        return NULL;
    }
}

Insert(STA_MAC, Old_AP_MAC, context) {
    if (STA_MAC in cache) {
        replace cache line;
    } else {
        replace_oldest_entry(STA_MAC, Old_AP_MAC, context);
    }
}
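
The pseudocode above as a runnable sketch, added here as an example and not taken from the slides or from IEEE 802.11F; it also expires cached context after the Context Timeout carried in CACHE-notify. The `send` and `move_request` callables, the AP and STA names, and the reading of update_cache as "add the old AP to the neighbor set" are assumptions.

```python
from collections import OrderedDict


class ProactiveCache:
    """Context cache of one AP, following the Proactive_Cache pseudocode."""

    def __init__(self, ap_mac, neighbors, capacity, send):
        self.ap_mac = ap_mac
        self.neighbors = set(neighbors)  # neighbor graph of this AP
        self.capacity = capacity
        self.send = send                 # hypothetical transport: send(dest, primitive, payload)
        self.cache = OrderedDict()       # STA_MAC -> (Old_AP_MAC, context, expiry), oldest first

    def lookup(self, sta_mac, old_ap_mac, now):
        entry = self.cache.get(sta_mac)
        if entry is None or entry[0] != old_ap_mac:
            return None
        if now >= entry[2]:              # Context Timeout elapsed: drop the stale context
            del self.cache[sta_mac]
            return None
        return entry[1]

    def insert(self, sta_mac, old_ap_mac, context, expiry):
        if sta_mac in self.cache:
            del self.cache[sta_mac]         # replace cache line
        elif len(self.cache) >= self.capacity:
            self.cache.popitem(last=False)  # replace_oldest_entry
        self.cache[sta_mac] = (old_ap_mac, context, expiry)

    def on_cache_notify(self, sta_mac, current_ap, context, timeout, now):
        """CACHE-notify from a neighbor: keep the context for `timeout` seconds."""
        self.insert(sta_mac, current_ap, context, now + timeout)

    def on_reassociate(self, sta_mac, old_ap_mac, move_request, timeout, now):
        """Return True on a cache hit; move_request(old_ap, sta) stands in for IAPP-MOVE."""
        context = self.lookup(sta_mac, old_ap_mac, now)
        hit = context is not None
        if hit:
            self.send(sta_mac, "REASSOCIATE.response", None)
        else:  # cache miss: the context comes back in IAPP-MOVE.response
            context = move_request(old_ap_mac, sta_mac)
            self.insert(sta_mac, old_ap_mac, context, now + timeout)
        self.neighbors.add(old_ap_mac)  # update_cache(Old_AP_MAC), read as "learn the neighbor"
        for ap in sorted(self.neighbors):  # push context out to neighbors
            self.send(ap, "IAPP-CACHE-NOTIFY.request", (sta_mac, self.ap_mac, context, timeout))
        return hit


def demo():
    """Constructed scenario: STA1 roams AP-A -> AP-B -> AP-A -> AP-B, 30 s context timeout."""
    aps, log, clock = {}, [], [0]

    def send(dest, primitive, payload):
        log.append((dest, primitive))
        if primitive == "IAPP-CACHE-NOTIFY.request" and dest in aps:
            aps[dest].on_cache_notify(*payload, now=clock[0])

    aps["AP-A"] = ProactiveCache("AP-A", [], 8, send)
    aps["AP-B"] = ProactiveCache("AP-B", [], 8, send)
    results = []
    for now, ap, old_ap in [(0, "AP-B", "AP-A"), (10, "AP-A", "AP-B"), (100, "AP-B", "AP-A")]:
        clock[0] = now
        results.append(aps[ap].on_reassociate("STA1", old_ap, lambda o, s: "ctx-" + s, 30, now))
    return results, log
```

In the scenario the first reassociation misses, the second hits on context the neighbor pushed, and the third misses again because the pushed context has outlived its timeout.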

STA association using cache

[Sequence diagram. Entities: Local MLME, Local APME, Local IAPP, Local TCP/UDP, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. Local side: MLME-ASSOCIATE.indication, IAPP-ADD.request (start confirm timeout), IAPP-CACHE-NOTIFY.requests, Send Layer 2 Update Frame, Send ADD-notify packet, IAPP-ADD.confirm (Status=SUCCESSFUL), Send CACHE-notify packet to neighbors, IAPP-CACHE-NOTIFY.confirm. Peer side: arrival of ADD-notify packet, IAPP-ADD.indication; if the station is shown as being associated at the peer AP, MLME-DISASSOCIATE.request and .confirm; arrival of CACHE-notify packet, IAPP-CACHE-NOTIFY.indication, IAPP-CACHE-NOTIFY.response. Note on the peer side: send a successful status notification if the cache is updated, a fail status otherwise.]

STA Reassociation Using Cache
[Sequence diagram, cache hit. Entities: Local MLME, Local APME, Local IAPP, Local TCP/UDP, RADIUS Client, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. On a cache hit for the reassociating STA: MLME-REASSOCIATE.indication, IAPP-CACHE-NOTIFY.request, Send Layer 2 Update Frame, Send CACHE-notify packet; at the peer, IAPP-CACHE-NOTIFY.indication, IAPP-CACHE-NOTIFY.response, Send CACHE-response packet; locally, IAPP-CACHE-NOTIFY.confirm. Then IAPP-MOVE.request (start confirm timeout), Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally, Receive ACCESS-ACCEPT packet or return local translation of Old AP MAC address to DSM IP address, Send Move-notify packet; at the peer, IAPP-MOVE.indication and, if the station is shown as being associated at the peer AP with an older sequence number, MLME-DISASSOCIATE.request and .confirm, then IAPP-MOVE.response (Status=SUCCESSFUL), Send Move-response packet; locally, IAPP-MOVE.confirm (Status=SUCCESSFUL), Send Layer 2 Update Frame.]

[Sequence diagram, cache miss. Entities: Local MLME, Local APME, Local IAPP, Local TCP/UDP, RADIUS Client, Peer TCP/UDP, Peer IAPP, Peer APME, Peer MLME. MLME-REASSOCIATE.indication, IAPP-MOVE.request (start confirm timeout), Send ACCESS-REQUEST packet or translate Old AP MAC address to DSM IP address locally, Receive ACCESS-ACCEPT packet or return local translation of Old AP MAC address to DSM IP address, Send Move-notify packet; at the peer, IAPP-MOVE.indication and, if the station is shown as being associated at the peer AP with an older sequence number, MLME-DISASSOCIATE.request and .confirm, then IAPP-MOVE.response (Status=SUCCESSFUL), Send Move-response packet; locally, IAPP-MOVE.confirm (Status=SUCCESSFUL), Send Layer 2 Update Frame. Then IAPP-CACHE-NOTIFY.request, Send Layer 2 Update Frame, Send CACHE-notify packet; at the peer, IAPP-CACHE-NOTIFY.indication, IAPP-CACHE-NOTIFY.response, Send CACHE-response packet; locally, IAPP-CACHE-NOTIFY.confirm.]

RADIUS Protocol Usage

• For the IAPP entity to function correctly, RADIUS protocol is recommended for the discovery of the DSM IP address of the old BSSID in the ESS given the old BSSID as a lookup key
• RADIUS is also used to obtain the security information to secure the communication between IAPP entities
• This address mapping and security information may be cached

RADIUS Protocol Exchange

[Sequence diagram. Entities: APME, IAPP, RADIUS Client, RADIUS Server. Messages in order: IAPP-INITIATE.request, RADIUS Registration Access-Request, RADIUS Registration Access-Accept, IAPP-INITIATE.confirm, IAPP-MOVE.request, RADIUS Access-Request, RADIUS Access-Accept.]

• Confirms the ESS membership of Old BSSID
• Provides both the old and new AP with appropriate security information for establishing a secure communication channel

RADIUS Protocol Usage

• To register as a valid member of the ESS, the AP sends a RADIUS Registration Access-Request (Service-Type=IAPP-register) packet to the RADIUS server

Attribute Number | Attribute Name | Value
1 | User-Name | BSSID. The BSSID should be represented in ASCII format, with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
2 | User-Password | BSSID Secret, determined by the AP
4 | NAS-IP-Address | AP’s IP Address
6 | Service-Type | IAPP-Register (value = 15)
26 | Vendor-Specific | The following IEEE 802.11 vendor-specific attributes:
26-13277-4 | SSID | The ASCII text SSID which denotes the ESS in which the BSSID is registering
26-13277-5 | Supported-ESP-Authentication-Algorithms | The list of ISAKMP ESP Authentication IDs corresponding to the ESP Authentication algorithms supported by this AP (see Table 12)
26-13277-6 | Supported-ESP-Transforms | The list of ISAKMP ESP Transform IDs corresponding to the ESP transforms supported by this AP (see Table 11)
32 | NAS-Identifier (optional) | AP’s NAS Identifier
80 | Message-Authenticator | The RADIUS message’s authenticator

• After verifying that the AP is a valid ESS member, the RADIUS server returns a RADIUS Registration Access-Accept packet

Attribute Number | Attribute Name | Value
1 | User-Name | BSSID
6 | Service-Type | IAPP-Register (value = 15)
26 | Vendor-Specific | The following IEEE 802.11 vendor-specific attributes (optional):
26-13277-7 | ESS-New-ESP-Transform-Key | The ESP Transform key used to encrypt ADD-Notify packets when sending
26-13277-8 | ESS-New-ESP-Authentication-Key | The ESP Authentication key used to authenticate ADD-Notify packets when sending
26-13277-9 | ESS-Old-ESP-Transform-Key | The ESP Transform key that can be used to decrypt ADD-Notify packets when receiving, if the New-ESP-Transform-Key does not work
26-13277-10 | ESS-Old-ESP-Authentication-Key | The ESP Authentication key that can be used to authenticate ADD-Notify packets when receiving, if the New-ESP-Authentication-Key does not work
26-13277-11 | ESS-ESP-Transform-ID | ESP Transform ID of the algorithm to use when encrypting/decrypting ADD-Notify packets
26-13277-12 | ESS-ESP-Authentication-ID | ESP Authentication ID of the algorithm to use when encrypting/decrypting ADD-Notify packets
26-13277-13 | ESS-ESP-SPI | SPI used to identify ESP group SA
27 | Session-Timeout | Number of seconds until the AP should reissue the Registration Access-Request packet to the RADIUS Server to obtain new keying information
80 | Message-Authenticator | The RADIUS message’s authenticator

• Upon receipt of an IAPP-MOVE.request primitive, the AP sends a RADIUS Access-Request packet to the RADIUS server

Attribute Number | Attribute Name | Value
1 | User-Name | Old BSSID. The Old BSSID should be represented in ASCII format, with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
2 | User-Password | NULL
4 | NAS-IP-Address (optional) | New AP’s IP Address
6 | Service-Type | IAPP-AP-Check (16)
26 | Vendor-Specific | The following IEEE 802.11 vendor-specific attributes:
26-13277-1 | IAPP-Liveliness-Nonce (optional) | A 32-byte nonce used to ensure liveliness of the secure IAPP traffic. This attribute should not be included if secure IAPP communications are not required by the AP.
30 | Called-Station-Id | The WM MAC Address of the new BSSID with which the STA is reassociating, in ASCII format, with octet values separated by a "-". Example: "00-10-A4-23-19-C0". The SSID should be appended to the WM MAC address, separated from the MAC address with a ":". Example: "00-10-A4-23-19-C0:Company WLAN".
32 | NAS-Identifier (optional) | New BSSID’s NAS Identifier
61 | NAS-Port-Type | IAPP (25)
80 | Message-Authenticator | The RADIUS message’s authenticator

• Upon receipt of an Access-Request from the new BSSID, if the RADIUS server verifies that the old AP is a valid member of the ESS, it responds with a RADIUS Access-Accept

Attribute Number | Attribute Name | Value
1 | User-Name | Old BSSID
8 | Framed-IP-Address | Old BSSID’s IP Address
26 | Vendor-Specific | The following IEEE 802.11 vendor-specific attributes:
26-13277-2 | New-BSSID-Security-Block (optional) | Security Block encrypted using new BSSID’s user-password, to be decrypted and used by the new BSSID
26-13277-3 | Old-BSSID-Security-Block (optional) | Security Block encrypted using old BSSID’s user-password, to be sent via IAPP from the new BSSID to the old BSSID, and decrypted and used by the old BSSID
80 | Message-Authenticator | The RADIUS message’s authenticator

• New- and Old-BSSID-Security-Block delivery

[Figure: delivery of the New-BSSID-Security-Block and the Old-BSSID-Security-Block among the RADIUS server, the New AP and the Old AP, drawn as six numbered steps that include a "copy" step and a "Verify" step.]

IAPP Packet Format

• General IAPP Packet Format
– IAPP packets are carried by TCP/IP or UDP/IP (port 3517)
– Packet fields (octets): IAPP Version (1) | Command (1) | Identifier (2) | Length (2) | Data (0-n)
– IAPP Version: current version is 0
– Command:
  Value | Command
  0 | ADD-notify
  1 | MOVE-notify
  2 | MOVE-response
  3 | Send-Security-Block
  4 | ACK-Security-Block
  5 | CACHE-notify
  6 | CACHE-response
  7-255 | Reserved
– Identifier: used to help detect duplicate requests and responses; a request packet carries a unique id, a response carries a copy of the request’s identifier
– Length: packet length
– Data: content depends on the command

• ADD-notify packet
– Sent to the IAPP IP multicast address via UDP (224.0.1.178)
– Reaches every device on the DSM local subnet
– Packet fields (octets): IAPP Version (1) | Command = 0 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Address Length (1) | Reserved (1) | MAC Address (n = Address Length) | Sequence Number (2)
– Reserved: for aligning the MAC address to a word boundary
– MAC Address: the MAC address of the associated STA
– Sequence Number: copied from the Association Request frame

• Layer 2 update frame
– An 802.2 Type 1 LLC Exchange Identifier Update response frame
– Frame fields (octets): MAC DA (6) | MAC SA (6) | Length (2) | DSAP (1) | SSAP (1) | Control (1) | XID Information Field (3)
– MAC DA: broadcast MAC address
– MAC SA: the MAC address of the associated STA

• MOVE-notify Packet
– Sent from the AP directly to the old associated AP via TCP
– Packet fields (octets): IAPP Version (1) | Command = 1 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Address Length (1) | Reserved (1) | MAC Address (n = Address Length) | Sequence Number (2) | Length of Context Block (2) | Context Block (m = Length of Context Block)
– Sequence Number: copied from the Reassociation Request frame
– Context Block: information elements transferred between APs (should not be interpreted by IAPP)

• MOVE-response Packet
– Sent in response to MOVE-notify by TCP
– Packet fields (octets): IAPP Version (1) | Command = 2 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Address Length (1) | Status (1) | MAC Address (n = Address Length) | Sequence Number (2) | Length of Context Block (2) | Context Block (m = Length of Context Block)
– Status:
  Status Value | Definition
  0 | Successful
  1 | Move denied
  2 | Stale move
  3-255 | Reserved
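
A strict parser for the general header and the ADD-notify, MOVE-notify and MOVE-response bodies laid out in the preceding slides, added here as an example (not code from the slides or from the standard). It assumes network byte order and that Length counts the whole packet including the header; the function names are hypothetical and the sample packet is constructed.

```python
import struct

HEADER = struct.Struct("!BBHH")  # IAPP Version, Command, Identifier, Length (network order assumed)
COMMANDS = {0: "ADD-notify", 1: "MOVE-notify", 2: "MOVE-response", 3: "Send-Security-Block",
            4: "ACK-Security-Block", 5: "CACHE-notify", 6: "CACHE-response"}
MOVE_STATUS = {0: "Successful", 1: "Move denied", 2: "Stale move"}


class IAPPError(ValueError):
    """Raised for any packet that does not match the layouts on the slides."""


def build(command, identifier, body):
    """Helper for sample input: prepend the general header to a command body."""
    return HEADER.pack(0, command, identifier, HEADER.size + len(body)) + body


def _take(data, offset, count, what):
    # Bounds-checked read: never slice past the bytes actually received.
    if offset + count > len(data):
        raise IAPPError("truncated " + what)
    return data[offset:offset + count], offset + count


def parse_iapp(packet):
    """Parse the general header, then an ADD-notify / MOVE-notify / MOVE-response body."""
    if len(packet) < HEADER.size:
        raise IAPPError("shorter than the 6-octet header")
    version, command, identifier, length = HEADER.unpack_from(packet)
    if version != 0:
        raise IAPPError("unsupported IAPP version %d" % version)
    if command not in COMMANDS:
        raise IAPPError("reserved command %d" % command)
    if length != len(packet):  # assumption: Length counts header plus data
        raise IAPPError("Length field %d != %d octets received" % (length, len(packet)))
    msg = {"command": COMMANDS[command], "identifier": identifier}
    data = packet[HEADER.size:]
    if command > 2:
        msg["data"] = data  # other commands are left undecoded in this example
        return msg
    head, off = _take(data, 0, 2, "Address Length / Reserved-or-Status")
    if head[0] != 6:  # 802.11 MAC addresses are 6 octets
        raise IAPPError("unexpected Address Length %d" % head[0])
    if command == 2:
        msg["status"] = MOVE_STATUS.get(head[1], "Reserved (%d)" % head[1])
    mac, off = _take(data, off, 6, "MAC Address")
    seq, off = _take(data, off, 2, "Sequence Number")
    msg["sta"] = "-".join("%02X" % b for b in mac)
    msg["sequence"] = struct.unpack("!H", seq)[0]
    if command in (1, 2):
        raw, off = _take(data, off, 2, "Length of Context Block")
        # The context block is opaque to IAPP: bound it, never interpret it.
        msg["context"], off = _take(data, off, struct.unpack("!H", raw)[0], "Context Block")
    if off != len(data):
        raise IAPPError("%d trailing octets after the last field" % (len(data) - off))
    return msg


# Constructed sample: MOVE-response with Status = 2 for the example MAC used in the slides.
STA = bytes.fromhex("0010A42319C0")
SAMPLE = build(2, 0x0042, bytes([6, 2]) + STA + struct.pack("!HH", 0x0123, 3) + b"ctx")

if __name__ == "__main__":
    print(parse_iapp(SAMPLE))
```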

• CACHE-notify Packet
– Sent to a neighboring AP in anticipation of reassociation, by TCP
– Packet fields (octets): IAPP Version (1) | Command = 5 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Address Length (1) | Reserved (1) | MAC Address (n = Address Length) | Sequence Number (2) | Current AP (n) | Length of Context Block (2) | Context Block (m = Length of Context Block) | Context Timeout (2)
– MAC Address: the MAC address of the STA that has requested reassociation
– Sequence Number: copied from the association / reassociation request
– Context Timeout: number of seconds the neighboring AP should maintain the STA context

• CACHE-response Packet
– Sent in response to CACHE-notify by TCP
– Packet fields (octets): IAPP Version (1) | Command = 6 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Address Length (1) | Status (1) | MAC Address (n = Address Length) | Sequence Number (2)
– Status:
  Status Value | Definition
  0 | Successful
  1 | Stale Cache
  2-255 | Reserved

• Send-Security-Block packet
– Sent directly from the AP to the old, previously associated AP via TCP
– Packet fields (octets): IAPP Version (1) | Command = 3 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Initialization Vector (8) | Length of Security Block (2) | Security Block (m = Length of Security Block)
– Initialization Vector: first 8 bytes of the ACK nonce (a 32-byte random number generated by the RADIUS server)
– Security Block: carries the security information (e.g., keys) needed by the old AP to decrypt and encrypt ESP packets
– Security Block: encrypted with the old AP’s RADIUS BSSID

• ACK-Security-Block packet
– Sent directly from the old AP to the new AP via TCP
– Packet fields (octets): IAPP Version (1) | Command = 4 (1) | Identifier (2) | Length (2) | Data (0-n)
– Data fields (octets): Initialization Vector (8) | New-AP-ACK-Authenticator (48)
– Initialization Vector: an 8-byte value copied from the Date/Time stamp
– New-AP-ACK-Authenticator: copied from the Send-Security-Block packet and written back to the new AP. Since it is encrypted by the new AP’s secret key, it protects the new AP from spoofed ACK-Security-Block packets
  Length | Information
  8 | Date/Time stamp
  32 | ACK nonce
  16 | HMAC authentication block

Roaming in 802.11f IAPP

• Reassociation
– MOVE-notify can pass
– Layer-2 update frame blocked

[Figure: hubs/switches connected through a router, with a link to other layer 2 devices.]

• Association
– ADD-notify and Layer-2 update frame are blocked

[Figure: hubs/switches connected through a router, with a link to other layer 2 devices.]

Discussion

• Market products claim that they do provide cross-subnet roaming
– Is that true?
– If yes, any restriction?
– Or, do they satisfy the enforcement of the 802.11 single association restriction?

Q&A

THANK YOU !!
