Ch. 2 - PowerPoint PPT Presentation

About This Presentation
Title:

Ch. 2

Description:

Ch. 2 802.11 and NICs Part 2 802.11 MAC This presentation was originally developed by Prof. Rick Graziani, and modified by Prof Yousif 802.11 Overview and MAC ... – PowerPoint PPT presentation

Slides: 35
Provided by: facultyVal

Transcript and Presenter's Notes

Title: Ch. 2


1
Ch. 2 802.11 and NICs, Part 2: 802.11 MAC
  • This presentation was originally developed by
    Prof. Rick Graziani, and modified by Prof. Yousif

2
802.11 Overview and MAC Layer
  • Part 1: 802.11 MAC and Cisco Client Adapters
  • (Separate Presentation)
  • 2.1 Online Curriculum
  • 802.11 Standards
  • Overview of WLAN Topologies
  • IBSS
  • BSS
  • ESS
  • Access Points
  • 802.11 Medium Access Mechanisms
  • DCF Operations
  • Hidden Node Problem
  • RTS/CTS
  • Frame Fragmentation
  • 2.4 2.6 Online Curriculum
  • Client Adapters
  • Aironet Client Utility (ACU)
  • ACU Monitoring and Troubleshooting Tools
  • Part 2: 802.11 MAC
  • 802.11 Data Frames and Addressing
  • 802.11 MAC Layer Operations
  • Station Connectivity
  • Power Save Operations
  • 802.11 Frame Formats
  • Non-standard devices (Brief)

3
Recommended Reading and Sources for this Presentation
Matthew S. Gast, ISBN 0596001835
Pejman Roshan and Jonathan Leary, ISBN 1587050773
  • To understand WLANs it is important to understand
    the 802.11 protocols and their operations.
  • These two books do an excellent job of presenting
    this information and are used throughout this and
    other presentations.

4
Acknowledgements
  • Thanks to Pejman Roshan and Jonathan Leary at
    Cisco Systems, authors of 802.11 Wireless LAN
    Fundamentals for allowing me to use their
    graphics and examples for this presentation.
  • Also thanks to Matthew Gast, author of 802.11
    Wireless Networks, The Definitive Guide, for
    allowing me to use their graphics and examples
    for this presentation.

5
802.11 Frames - This isn't Ethernet!
  • 802.11 Frames
  • Data Frames (most are PCF)
  • Data
  • Null data
  • Data+CF-Ack
  • Data+CF-Poll
  • Data+CF-Ack+CF-Poll
  • CF-Ack
  • CF-Poll
  • CF-Ack+CF-Poll
  • Control Frames
  • RTS
  • CTS
  • ACK
  • CF-End
  • CF-End+CF-Ack
  • Management Frames
  • Beacon
  • Probe Request
  • Probe Response
  • Authentication
  • Deauthentication
  • Association Request
  • Association Response
  • Reassociation Request
  • Reassociation Response
  • Disassociation
  • Announcement Traffic Indication

6
802.11 Data Frames and Addressing
7
802.11 MAC Addressing
[Figure: network diagram with wireless hosts A, B, C and D, Access Point 1 and Access Point 2, and hosts X and Y on the Distribution System (DS). Pseudo MAC addresses of hosts and AP1 shown in the diagram: aaa, bbb, xxx, 111.]
  • Let's look at these options:
  • Host A to Host B
  • Host A to Host X
  • Host X to Host A
  • Frames to and from a BSS must go via the access
    point.
  • The access point is a layer 2 bridge (translation
    bridge) between the 802.11 network and the 802.3
    network.

8
802.11 MAC Addressing
[Figure: the same network diagram, with the label "The BSSID", above the general 802.11 frame.]
  • Each BSS is assigned a BSSID.
  • Not to be confused with SSID or ESSID.
  • BSSID: a 48-bit identifier which distinguishes a
    BSS from other BSSs in the network.
  • Some BSSs may overlap and the APs need to know
    which AP the frame is for.
  • In a BSS, the BSSID is the MAC address of the
    wireless interface, i.e. the MAC address of the
    AP - wireless (translating) bridge.
  • Remember, normal switches (bridges) may have MAC
    addresses, but these addresses are only used for
    management purposes and not for layer 2 frame
    forwarding (addressing).

9
802.11 MAC Addressing
[Figure: the same network diagram, Host A to Host B, above the general 802.11 frame.]
  • Address 1: Receiver address
  • Address 2: Transmitter address
  • Address 3: Ethernet SA, Ethernet DA, or BSSID
  • Transmitter: Sends a frame on to the wireless
    medium, but doesn't necessarily create the frame.
  • Receiver: Receives a frame on the wireless
    medium, but may not be the destination, i.e. may
    be the access point.

10
802.11 MAC Addressing
[Figure: the same network diagram, Host A to Host B. Frame "Host A to AP 1": Trans., Rec. and DA fields with the values aaa, 111, bbb and flag values 0, 0. Frame "AP1 to Host B": Rec., Trans. and SA fields with the values 111, bbb, aaa and flag values 0, 0.]
  • Address 1: Receiver address
  • Address 2: Transmitter address
  • Address 3: Ethernet SA, Ethernet DA, or BSSID

11
802.11 MAC Addressing
[Figure: the same network diagram, Host A to Host X. 802.11 frame "Host A to AP 1": Rec., Trans. and DA fields with the values aaa, 111, xxx and flag values 1, 0. Addresses are copied into the Ethernet frame "Host A to AP 1" with the values aaa, xxx.]
  • The Ethernet DA and SA are the source and
    destination addresses just like on traditional
    Ethernet networks.
  • Destination Address: Host X
  • Source Address: Host A

12
802.11 MAC Addressing
[Figure: the same network diagram, Host A to Host X. 802.11 frame "Host A to AP 1": Rec., Trans. and DA fields with the values aaa, 111, xxx and flag values 1, 0. Addresses are copied into the Ethernet frame "Host A to AP 1" with the values aaa, xxx.]
  • The AP (bridge) knows which MAC addresses are on
    its wireless interface and maintains a table with
    those MAC addresses (from the Association
    process, covered later).
  • When the AP receives an 802.11 frame, it examines
    the Address 3 address.
  • If Address 3 is not in its table of wireless MACs
    it knows it needs to translate the frame to an
    Ethernet frame.
  • The AP copies the Address 3 address to the
    Ethernet Destination Address, and Address 2
    (Transmitter address) is copied to the Ethernet
    Source Address.
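
The translation rule on the last few slides, as an added example that is not part of the original presentation: it decodes the To DS / From DS bits of an 802.11 header, assigns roles to Address 1-3, and applies the AP's "is Address 3 a wireless MAC?" decision. The 6-byte MAC values are constructed stand-ins for the slides' pseudo addresses, and the function names are hypothetical; the example also covers the From DS and no-DS address layouts, which goes slightly beyond the Host A to Host X case.

```python
import struct

# Constructed stand-ins for the slides' pseudo addresses aaa, bbb, 111 and xxx.
HOST_A, HOST_B = "02:00:00:00:0a:aa", "02:00:00:00:0b:bb"
AP1, HOST_X = "02:00:00:00:01:11", "02:00:00:00:0e:ee"

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build(fc: int, a1: str, a2: str, a3: str) -> bytes:
    """Build a constructed 24-byte header: FC, duration, Address 1-3, sequence control."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", 0)

def parse_header(frame: bytes) -> dict:
    """Map Address 1-3 to roles according to the To DS / From DS bits."""
    if len(frame) < 24:
        raise ValueError("shorter than a 3-address 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address frames are outside this example")
    a1, a2, a3 = (mac(frame[o:o + 6]) for o in (4, 10, 16))
    hdr = {"type": (fc >> 2) & 3, "to_ds": to_ds, "from_ds": from_ds,
           "receiver": a1, "transmitter": a2}
    if to_ds:        # station -> AP: Address 3 carries the final destination
        hdr.update(bssid=a1, sa=a2, da=a3)
    elif from_ds:    # AP -> station: Address 3 carries the original source
        hdr.update(da=a1, bssid=a2, sa=a3)
    else:            # neither bit set: Address 3 carries the BSSID
        hdr.update(da=a1, sa=a2, bssid=a3)
    return hdr

def ap_bridge(hdr: dict, wireless_macs: set) -> dict:
    """Apply the slide's rule to a To DS frame arriving at the AP."""
    if not hdr["to_ds"]:
        raise ValueError("only To DS frames are handed to the bridge")
    if hdr["da"] in wireless_macs:   # destination is an associated station
        return {"medium": "802.11", "addr1": hdr["da"],
                "addr2": hdr["bssid"], "addr3": hdr["sa"]}
    # Not a wireless MAC: Address 3 -> Ethernet DA, Address 2 -> Ethernet SA.
    return {"medium": "802.3", "dst": hdr["da"], "src": hdr["transmitter"]}

if __name__ == "__main__":
    frame = build(0x0108, AP1, HOST_A, HOST_X)   # data frame, To DS=1, From DS=0
    print(ap_bridge(parse_header(frame), {HOST_A, HOST_B}))
```

When reading a capture, the same mapping tells you which of the three addresses is the BSSID before you compare it against the list of access points you operate.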

13
802.11 MAC Addressing
[Figure: the same network diagram, Host X to Host A.]

14
802.11 MAC Addressing
[Figure: the same network diagram, Host X to Host A. Ethernet frame "Host X to AP 1" with the values aaa, xxx, labelled "Destination Address Host X Source Address Host A". Addresses are copied into the 802.11 frame "AP 1 to Host A": SA, Rec. and Trans. fields with the values aaa, 111, xxx and flag values 0, 1.]

15
802.11 MAC Layer Operations
  • Station Connectivity
  • Power Save Operations

16
Station Connectivity
  • Earlier we stated, at a minimum a client station
    and the access point must be configured to be
    using the same SSID.
  • How does the client find these APs?
  • Before connecting to any network, you must find
    it.
  • With Ethernet, the cable does that for you, but of
    course there is no cable with wireless.
  • There are various applications and utilities that
    will do it, but what is actually happening in the
    802.11 MAC operations?
  • Let's take a look

17
Station Connectivity
[Figure: state diagram. State 1: Unauthenticated, Unassociated. State 2: Authenticated, Unassociated. State 3: Authenticated, Associated. Transitions: Successful Authentication, Successful Association, Deauthentication, Disassociation.]
  • Station connectivity is an explanation of how
    802.11 stations select and communicate with APs.

18
Station Connectivity
[Figure: the same state diagram (State 1: Unauthenticated, Unassociated; State 2: Authenticated, Unassociated; State 3: Authenticated, Associated; transitions Successful Authentication, Successful Association, Deauthentication, Disassociation), with the Probe process, Authentication process and Association process marked.]
  • We will look at three processes:
  • Probe Process (or scanning)
  • The Authentication Process
  • The Association Process
  • Only after a station has both authenticated and
    associated with the access point can it use the
    Distribution System (DS) services and communicate
    with devices beyond the access point.
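
The three states above as a small monitor-side tracker, added here as an example and not taken from the presentation: it replays observed management events per station and flags traffic to the DS from a station that is not in State 3. The event names and station labels are hypothetical, the sample log is constructed, and the transition set (including Deauthentication from State 2) is an assumption based on the diagram's labels.

```python
from enum import IntEnum

class State(IntEnum):
    UNAUTH_UNASSOC = 1   # State 1: Unauthenticated, Unassociated
    AUTH_UNASSOC = 2     # State 2: Authenticated, Unassociated
    AUTH_ASSOC = 3       # State 3: Authenticated, Associated

# (current state, event) -> next state; any other pair does not fit the diagram.
TRANSITIONS = {
    (State.UNAUTH_UNASSOC, "auth_success"): State.AUTH_UNASSOC,
    (State.AUTH_UNASSOC, "assoc_success"): State.AUTH_ASSOC,
    (State.AUTH_ASSOC, "disassociation"): State.AUTH_UNASSOC,
    (State.AUTH_ASSOC, "deauthentication"): State.UNAUTH_UNASSOC,
    (State.AUTH_UNASSOC, "deauthentication"): State.UNAUTH_UNASSOC,
}

# Constructed observation log: (station, event) in capture order.
SAMPLE = [
    ("sta-1", "auth_success"), ("sta-1", "assoc_success"), ("sta-1", "data_to_ds"),
    ("sta-2", "auth_success"), ("sta-2", "data_to_ds"),
    ("sta-1", "disassociation"), ("sta-1", "data_to_ds"),
    ("sta-3", "assoc_success"),
]

def track(events):
    """Replay events; return final per-station states and out-of-state findings."""
    states, findings = {}, []
    for n, (sta, event) in enumerate(events):
        cur = states.get(sta, State.UNAUTH_UNASSOC)
        if event == "data_to_ds":
            # Only State 3 stations may use the Distribution System.
            if cur != State.AUTH_ASSOC:
                findings.append((n, sta, f"DS traffic in state {cur.value}"))
            continue
        nxt = TRANSITIONS.get((cur, event))
        if nxt is None:
            findings.append((n, sta, f"{event} not valid in state {cur.value}"))
        else:
            states[sta] = nxt
    return states, findings

if __name__ == "__main__":
    final, issues = track(SAMPLE)
    print(final, issues, sep="\n")
```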

19
Station Connectivity Probe Process
  • The Probe Process (Scanning) done by the wireless
    station
  • Passive - Beacons
  • Active - Probe Requests
  • Depends on the device driver of the wireless adapter or
    the software utility you are using.
  • Cisco adapters do active scanning when
    associating, but use passive scanning for some
    tests.
  • In either case, beacons are still received and
    used by the wireless stations for other things
    besides scanning (coming).

20
Station Connectivity Passive Scanning
  • Passive Scanning
  • Saves battery power
  • Station moves to each channel and waits for
    Beacon frames from the AP.
  • Records any beacons received.
  • Beacon frames allow a station to find out
    everything it needs to begin communications with the
    AP, including:
  • SSID
  • Supported Rates
  • Kismet/KisMAC uses passive scanning

21
Station Connectivity Passive Scanning
22
Station Connectivity Passive Scanning
Note: Most of these beacons are received via
normal operations and not through passive
scanning.
23
Station Connectivity Passive Scanning
  • Passive scans, carried out by listening to
    Beacons from APs, are not usually displayed by a
    network analyzer (Ethereal, Airopeek, etc.) but
    can be.
  • Microsecond: millionth of a second
  • Millisecond: thousandth of a second
  • A common beacon interval is 100 time units.
  • Beacon interval is the number of time units
    between beacon transmissions.
  • One unit of time is 1 millisecond.
  • A beacon interval of 100 is equivalent to 100
    milliseconds or 0.1 seconds.
  • That would be 10 beacons per second.

24
Station Connectivity Passive Scanning
  • AP features (options)
  • The SSID can be hidden or cloaked in the
    beacon frame (can be done on Cisco APs)
  • From some mailing lists
  • SSID cloaking and beacon hiding isn't
    necessarily a bad thing, but too many places use
    it as the only protection because it leads to a
    false sense of security.
  • Obscurity != security. Too many companies
    blindly trust that no beaconing or hiding their
    SSID means they're automatically safe.

25
Station Connectivity Active Scanning
  • Active Scanning - Probe Request
  • A Probe Request frame is sent out on every
    channel (1-11) by the client.
  • APs that receive Probe Requests must reply with a
    Probe Response frame if:
  • SSID matches or
  • Probe Request had a broadcast SSID (0 byte SSID)
  • NetStumbler uses active scanning

[Figure: Probe Request capture, from the client]
26
Station Connectivity Active Scanning
  • Active Scanning - Probe Response
  • On BSSs the AP is responsible for replying to
    Probe Requests with Probe Responses.
  • Probe Responses are unicast frames.
  • Probe Responses must be ACKnowledged by the
    receiver (client).
  • Like a beacon, Probe Response frames allow a
    station to find out everything it needs to begin
    communications with the AP, including:
  • SSID
  • Supported Rates

[Figure: Probe Response capture, from the AP, with callouts 1, 2 and 3]
27
Station Connectivity
[Figure: client with no SSID configured ("Hey, I didn't do anything and I am on the Internet!"). Exchange: Probe Request with broadcast (no) SSID; Probe Response with SSID tsunami; ACK.]
  • Access Points can be configured whether or not to
    allow clients with broadcast SSIDs to continue
    the connectivity process.
  • If there is no authentication on the AP, then the
    client will most likely associate and be on
    their network!
  • Cisco APs use a default SSID of tsunami known as
    the guest mode SSID. (coming)
  • Unless this feature is disabled or authentication
    is enabled, anyone can easily associate with your
    AP and access your network (or the Internet).
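
For auditing your own access points against the points made on the scanning slides, the following added example (not part of the original presentation) parses the body that Beacon and Probe Response frames share, extracts the SSID and Supported Rates, and reports a cloaked beacon SSID and the default SSID named above. The function names are hypothetical and the two frame bodies are constructed sample data.

```python
import struct

DEFAULT_SSIDS = {b"tsunami"}   # the Cisco default SSID named on this page
RATES = bytes([1, 4, 0x82, 0x84, 0x0B, 0x16])   # constructed Supported Rates element

def sample_body(ssid: bytes) -> bytes:
    """Constructed body: timestamp 0, beacon interval 100, capability, SSID, rates."""
    return struct.pack("<QHH", 0, 100, 0x0001) + bytes([0, len(ssid)]) + ssid + RATES

def parse_body(body: bytes) -> dict:
    """Parse the fixed fields and the SSID / Supported Rates elements."""
    if len(body) < 12:
        raise ValueError("body shorter than its 12 bytes of fixed fields")
    _timestamp, interval, _capability = struct.unpack_from("<QHH", body, 0)
    info = {"beacon_interval": interval, "ssid": None, "rates_mbps": []}
    pos = 12
    while pos + 2 <= len(body):
        elem_id, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if elem_id == 0:      # SSID element
            info["ssid"] = value
        elif elem_id == 1:    # Supported Rates: 500 kbit/s units, top bit = basic rate
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in value]
        pos += 2 + length
    ssid = info["ssid"]
    # A cloaked SSID shows up as a zero-length or all-zero SSID element.
    info["cloaked"] = ssid is not None and (len(ssid) == 0 or not any(ssid))
    return info

def audit_ap(beacon: bytes, probe_response: bytes) -> list:
    """Compare what one AP puts in its beacon with what its probe response carries."""
    b, p = parse_body(beacon), parse_body(probe_response)
    findings = []
    if b["cloaked"] and p["ssid"] and not p["cloaked"]:
        findings.append("SSID hidden in beacon but present in probe response")
    if b["ssid"] in DEFAULT_SSIDS or p["ssid"] in DEFAULT_SSIDS:
        findings.append("default SSID in use")
    return findings

if __name__ == "__main__":
    print(audit_ap(sample_body(b""), sample_body(b"tsunami")))
```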

28
Authentication Process
  • On a wired network, authentication is implicitly
    provided by the physical cable from the PC to the
    switch.
  • Authentication is the process to ensure that
    stations attempting to associate with the network
    (AP) are allowed to do so.
  • 802.11 specifies two types of authentication
  • Open-system
  • Shared-key (makes use of WEP)

29
Authentication Process Open-System
  • Open-system authentication is really no
    authentication.

30
Authentication Process Shared-Key
  • Shared-key authentication uses WEP (Wired
    Equivalent Privacy) and can only be used on
    products that support WEP.
  • WEP is a Layer 2 encryption algorithm based on the
    RC4 algorithm.
  • 802.11 requires any stations that support WEP to
    also support shared-key authentication.
  • WEP will be examined more closely when we discuss
    security.
  • For now both the client and the AP must have a
    shared-key, password.

31
Authentication Process
  • We'll look at the configuration of the client and
    AP later!
  • Example of open-system authentication.
  • Note: On some systems you can configure
    authentication (WEP) and WEP encryption
    separately. On the ACU you can have open-system
    authentication and also have WEP encryption.
    However, if you have Shared-key (WEP)
    authentication, you must use WEP encryption.

32
Authentication Process
  • Authentication
  • Open-System
  • Shared-Key (WEP)
  • Encryption
  • None
  • WEP

33
Association Process
1. Association Request
2. Association Response
  • The association process is logically equivalent
    to plugging into a wired network.
  • Once this process is completed, the wireless
    station can use the DS and connect to the network
    and beyond.
  • A wireless station can only associate with one AP
    (802.11 restriction)
  • During the 802.11 association process the AP maps
    a logical port known as the Association
    Identifier (AID) to the wireless station.
  • The AID is equivalent to a port on a switch and
    is used later in Power Save Options.
  • The association process allows the DS to keep
    track of frames destined for the wireless
    station, so they can be forwarded.

34
Association Process
  • At this point the AP adds the source address of
    the wireless client to its Source Address Table.
  • This is how the AP knows to forward frames
    destined to the client out the wireless interface
    (802.11) and not the wired interface
    (802.3/Ethernet).
  • The AP usually learns the wireless client's
    Source Address sooner, either in the Probe
    Request or Authentication Request frames, but
    this is where it officially adds the wireless
    client to its MAC table.