1 mac management. 2 outline introduction - authentication, association - address filtering, privacy...
TRANSCRIPT
1
MAC Management
2
Outline
• Introduction - Authentication , Association
- Address filtering, Privacy
- Power Management, Synchronization
• MAC Management frames• Components of the Management Frame Body• Wired Equivalent Privacy (WEP)
3
Why MAC Management?
• The first LAN standard to include significant management capabilities.
• The environment of WLAN is more complex than wired LAN. (to be dealt with MAC Management)
- Shared media (e.g. 2.4GHz, microwave oven)
- Anyone can “connect” to the WLAN
- Mobility
- Power management (mobile devices are run on
batteries)
4
Authentication
• Two authentication schemes: open system and shared key.
- Shared key :
Requestingstation
Respondingstation
Authentication frame
Authentication ID=“shared key"; sequence#=1
Authentication ID=“shared key"; sequence#=2; challenge text
Authentication ID=“shared key"; sequence#=3;encrypted challenge text
Authentication ID=“shared key"; sequence#=4; authentication result
Authentication frame
Authentication frame
Authentication frame
5
Authentication (cont.)
• Pre-authenticate - stations may have no immediate need.
• A station may authenticate with many stations.• AP has higher privilege - mobile station always initiates the authentication
process (e.g. in 3com, AP has the four default keys)
• Rogue AP could adopt the SSID of the ESS - the mobile stations may get a denial-of-service attack.
• Bi-directional authentication? (802.11 working group)
6
Association• Association: a station ”connecting” to an AP ; (after a
successful authentication)
- It starts with an association request (from the station) which includes the “capabilities” of the station.
• data rates, high rate PHY options, contention-free capabilities,
support of WEP and any request for contention-free service.
• the length of time in a low power operating mode.
- AP will decide whether to grant the association. • Policies and algorithms are not part of the standard.
• Ex: long periods in low power operation may need excessive
buffer commitments from AP.
• Load balancing factors and availability of other APs nearby.
7
Association (cont.)Wired LAN
station station
Distributionsystem
Portal Portal
AP1
Station B
Station A
BSS 1
AP2
Station C
BSS 2
8
Re-association
• For a station is moving from AP1 to another AP2:
- lose the contact with AP1
- begins a new association with AP2
• the association provides information to the DS about
the location of the mobile station.
- re-association request (includes address of AP1)
- grants re-association
- association with AP1 is terminated.
9
Address Filtering (MAC function)
• In 802.11, receiver must examine more than the destination address to make correct receive decisions.
• At least three addresses in every data and management frame.
• In making receive decisions, both the destination address and BSSID are used. (to ensure to discard frames from a BSS other than the associated with.)
• Checking BSSID is very important in dealing with the multicast frame.
10
Power Management in IBSS
• The most complex part of the 802.11• Power management in IBSS (no AP) - Before entering a low power operating state, a data frame handshake must be completed (with the power management bit set in the frame header). - In the power saving state, the station must wake up to receive every Beacon transmission. The station must stay awake for a period of time (after the Beacon frame), called ATIM (announcement traffic indication message) window.
11
ATIM
• If sender determines that the receiver is in power saving state, the sender can’t send its frame until it has received an ACK of an ATIM frame from receiver during the ATIM window.
• Multicast frames must be announced by the sender during the ATIM window, but no ACK expected.
• Sender consumes power for sending each ATIM frame.
12
ATIM Window
A
B
C
ATIM window
ATIM window
ATIM window
DATA
ACKATIM-ACK
ATIM
ATIM windowDozing
Beacon interval
Power saving mechanism for DCF: Node A announces a buffered frame for B using an ATIM frame, Node B replies by sending an ATIM-ACK, and both A and B stay awake during the entire beacon interval. The actual data transmission from A to B is completed during the beacon interval. Since C does not have any frame to send or receive ,it dozes after the ATIM window.
13
14
Power management in InfrastructureBSS (with AP)
• Centralized in the AP. Can achieve grater power savings.
- The AP does all the data frames buffering (including multicast frames). - No need to awaken for every Beacon, nor to stay awake for any length of time after the Beacon. - For the station to receive multicast frames, it must be awake at every DTIM (delivery traffic indication map). - DTIM is in the Beacon frame and determined by the AP.
15
Power Management in AP
• Once the AP has frames buffered for a power saving station, this info will be indicated in the traffic indication map (TIM) sent with each Beacon frame.
- Data frame will remain buffered for a time not
less than the number of Beacon periods in the
association request.
- AP can discard the buffered frames older than it is
required to preserve. (aging algorithm)
16
AID and TIM
AID,a special AID, is to indicate the status of buffered
Multicast traffic. The AP will send the TIM(optional),
updated with latest buffer status, with every Beacon.
AP Station
Bitmap control
Partial Virtualbitmap
Association(1)
Assign AID(2)
The bit is set to 1 if there is at least one
frame buffered for the corresponding station
TIM
17
AID and TIM
(1)DTIM interval is consisted of multiple TIM intervals (i.e. Beacon Intervals).(2)MH sends a PS-Poll frame to AP to request the AP to transmit a buffered frame via unicast.(3)MH in PS mode can miss some TIM, but not DTIM.(4)After receiving DTIM, MH in PS mode awakes for receiving broadcast data (no polling is needed)(5)After receiving TIM, MH in active mode transmits earlier, so MH in PS mode stay awake.(6)After receiving DTIM, MH in PS mode dozes due to no broadcast data.
MH in
PS mode
MH in
active mode
Beacon frame
(1)TIM Interval
(2)polling
Active
TIM Unicast
AP(3)
DTIM Interval
(4)
(5) (6)
DTIM Broadcast
18
19
CF-Poll vs. PS-Poll
• CF-Poll– used in PCF– initiated by AP to poll station for data
• PS-Poll– used in power saving mode– initiated by mobile station to poll AP for
buffered data
20
MAC Management Frames
• 11 distinct frame types Beacon, Probe Request and Response, Authentication, De-authentication, A
ssociation Request and Response, Re-association Request and Response, Dis-association and Announcement Traffic Indicatio
n Message(ATIM)
• The frame body carries information in:– Fixed fields and variable length information elements.
Information elements occur in the frame body in order of increasing identifiers.
Information ElementElement ID Length Information
1 byes 1 length
21
Beacon Frame
• Including: ---fixed fields:
– timestamp(64-bit), (i.e. the value of the station’s synchronization timer when the frame was transmitted)
– beacon interval(16-bit), (i.e. the period of beacon transmissions)– and capability information(16-bit).
--- Information elements:
SSID, the supported rates, ore or more PHY parameter sets,
an optional contention-free parameter set, and optional IBSS parameter set, and an optional traffic indication map (TIM).
22
Probe Request and Response• The probe request frame is to locate and WLAN with a particular SS
ID or to locate any WLAN. It contains two information elements :the SSID and the supported rates. (AP will response to the probe requests ; or a station in BBS)
• The probe response frame including(similar to Beacon):– fixed fields:
timestamp(64-bit), beacon interval(16-bit),and capability information(16-bit).
– Information elements: SSID, the supported rates, one or more PHY parameter sets,
and optional contention-free parameter set, and optional IBSS parameter set.
23
Authentication/De-authentication Frames
• Authentication frame includes:– fixed fields:
• the authentication algorithm number• the authentication transaction sequence number• and the status code
– Information elements: Challenge text
• De-authentication frame includes only a single Fixed field: the reason code.
24
Association Request and Response
• Association request frame includes: - fixed fields:
the capability information field and the listen interval
- Information elements:
the SSID and the supported rates.
• Association response frame includes three fixed fields:
The capability information, the status code, and the association ID and one information element, the supported rates.
25
More Management Frames
• Re-association request frame is same as association request frame, with the addition of a current AP address fixed field. Response frame is same as the one in association.
• Dis-association frame includes only a single fixed field, the reason code.
• ATIM does not include any fixed field or information element.
26
Components of Management Frames
• Variable length Information Elements• Ten fixed fields:
– Association ID(AID) (16bits). 1 to 2007 (14 LSBs). The two MSBs must be one. The AID value is used to identify the bit in a TIM. (AP has buffered frames)
– Authentication Algorithm Number(16 bits). “0” for “open system”; “1” for “shared key”.
– Authentication Transaction Sequence Number(16bits). The initial value is “1” (may not be “0”)
– Beacon Interval(16bits). The unit is Time Unit (TU). One TU is 1024 microsecond.
27
Fixed Fields(cont.)
• Capability Information(16bits).
• For an AP: ESS=1; IBSS=0• For a mobile station in an IBSS:ESS=0;IBSS=1.• For WEP: privacy=1• Short Preamble and Channel Agility are options used in 802.11b PH
Y• The PBCC (packet binary convolutional coding) is transmitted by an
AP when using 802.11b PHY.
ESS IBSS CF Pollable CF Poll Request Privacy Short Preamble PBCC Channel Agility Reserved
B0 B1 B7 B15
28
Subfields of Capability Information
• In a Mobile Station
• In an AP
CFPollable
CF-Poll Request
Meaning
0 0 Station is not CF Pollable
0 1 Station is CF pollable, not requesting to be placed on the CF-Polling list
1 0 Station is CF pollable, requesting to be placed on the CF-Polling list
1 1 Station is CF pollable, not requesting never to be placed
CF Pollable
CF-Poll Request
Meaning
0 0 No PC at AP
0 1 PC at AP for delivery only(on polling)
1 0 PC at AP for delivery and on polling
1 1 Reserved
29
Fixed Fields (cont.)
• Current AP Address(6 bytes) - The address of the AP is currently associated with, when the station is
attempting to re-association.
• Listen Interval(16 bits) - For example, a station that wakes only on every tenth Beacon would set this
field to 10.(AP will determine the required resource, may say no, for the association.)
• Reason Code(16 bits) - The reason for an unsolicited notification of disassociation or
deauthentication.
• Status Code(16 bits)
30
Examples of Reason CodeReason Code Meaning
0 Reserved
1 Unspecified reason
2 Previous authentication no longer valid
3 Deauthenticated because sending station is leaving (has left) IBSS or ESS
4 Disassociated due to inactivity
5 Disassociated because AP is unable to handle all currently associated stations
31
Examples of Status CodeReason Code Meaning
0 Successful
1 Unspecified failure
2-9 Reserved
10 Cannot support all requested capabilities in the capability information field
11 Reassociation denied due to inability to confirm that association exists
13 Responding station does not support the specified authentication algorithm.
15 Authentication rejected because of challenge failure
16 Authentication rejected due to timeout waiting for next frame in sequence
17 Association denied because AP is unable to handle additional associated stations.
32
Information Elements
Element ID Information Element Notes
0 Service Set ID Up to 32 bytes; a null-terminated string or a multibyte binary value
1 Supported rates 1-8 bytes of rate information. Each byte shows a rate; unit is 500kbps.
2 FH parameter set 7 bytes long, used for FHSS PHY or 802.11b.
3 DS parameter set 3 bytes long, used for FHSS PHY or 802.11b.
4 CF parameter set 8 bytes long (fixed length), contains CFP count, CFP period, CFP max duration, CFP duration remaining.
5 TIM 6-256 bytes
6 IBSS parameter set Fixed length. ATIM window field is 16 bits. (the length of the window in IBSS)
7-15 Reserved
16 Challenge text Up to 255 bytes long ; the text field<253
17-31 Reserved for challenge text extension
33
WEP Details
• WEP Expansion of the Frame Body
Encrypted
Bytes 4 1-2304 4
Bits 24 6 2
IV MSDU ICV
Initialization Vector Pad KeyID
ICV: Integrity Check Value
34
WEP Details (cont.)
• WEP operations
Frame Body
Plain Text
IntegrityAlgorithm
+
+
Frame Body
Plain Text +ICV
Frame Body
Cipher Text
Bitwise XOR process
Key SequencePseudo-random number generator
Secret key +IV
Integrity Check
Value (ICV)
35
WEP Details(cont.)
• Two mechanisms to select a key– A set of four default keys– “key mapping” between only two stations
• MIB– dot11PrivacyInvoked attribute (true:all frames are sent with
encryption).– dot11ExcludeUnecrypted attribute (true:only encrypted fra
mes will be received; unencrypted one will be discarded).– dot11WEPDefaultKeysTable attribute (not null:a key is ava
ilable); KeyID in the header(Ⅳ) points to the table.– dot11WEPKeyMappingsTable is used get the “key mappin
g” key,if the dot11WEPKeyMappingWEPOn is true for the receiver. (the value of the KeyID is set to zero)
36
WEP Details (cont.)
• Two counters associated with WEP– dot11UndecryptableCount
• Due to the key did not exists or the WEP option is not implemented.
• If this number is increasing rapidly, an attack to deny service may be in progress.
– dot11CVErrorCount• After the frame is decrypted, but the calculated ICV value
value does not mach the ICV received with the frame.• If this number is increasing rapidly, an attack to determine a
key may be in progress.