Chapter 18: Wireless Networks

1

• Chapter 18 Wireless Networks
• Provide network access without wires to reduce
  cost of wiring,
• support inherently mobile devices palms,
  laptops, PDAs.
• Use unconstrained media (e.g., radio) for
  transmission no wires
• Three major system classes
• Wide Area Networks (WAN) worldwide (global)
  in extent
• Local Area Networks (LAN) campus-wide in
  extent
• Personal Area Networks (PAN) office-wide in
  extent
• Relatively new technologies first developed in
  the mid-80s
• Strongly support personal mobility locally to
  globally
• Many protocols, technologies, and
  implementations (new)
• Standards relatively immature
• Many security problems at all levels theory,
  standards,
• implementation

2
Wireless Threats Denial of Service radio
frequency jamming or message flooding. Intercepti
on eavesdrop since the signals are broadcast
over the air. Manipulation changing messages.
Masquerading posing as a legitimate user to
enter a network. Awireless system should protect
against these threats in the system design,
implementation, and operational
environment. Some do well, others are in bad
shape!
3
Wireless Networks - Fundamentals
Mobile Devices
Radio Transmission Path
Cell Phone
Network
Palm Pilot
Destination Network (wired or wireless)
Access Point
Wire Transmission Path
Laptop
4
Wireless Wide Area Networks (WAN)

• Started with cellular phones (U.S.,1982)
• 1G, 2G, 3G, 4G
• Protocols - many
• AMPS, TDMA, CDMA, GSM, CDPD, GPRS,UMT-2000,
• Rapid Growth By 2002, wireless phones
  worldwide will outnumber TVs and PCs combined.
• Strategic News Service

WANWide Area Network(National/Global)
Licensed, 800-900 Mhz, 1.8-1.9 Ghz
5

• Wireless Wide Area Networks (WAN)
• Started with cell phones many technologies
  standards.
• Progressed through multiple generations
• Analog voice phones,
• Digital voice phones, and
• Web-enabled phones.
• Despite multiple generations, technology is
  still immature and
• changing dynamically (e.g., web access from a
  cell phone).
• Many providers crowded market.
• Interoperability a mixed bag some good, some
  bad.
• Some very differentiated products (voice-only,
  data only, mixed).
• Dont expect convergence anytime soon.

6
Wireless Devices and Selected Characteristics
NetworkBandwidth(kbps)
PurchaseCost ()
Network Service(/device-yr)
WirelessDevice
Key Features
Access PointPalm VIIBlackberryDigital
PhoneCDPD Modem
na500500125500
From fees240400360480
661919
carrier ownedno Outllook, coverageOutlook,
coveragevoice, CDPD-WAPgood coverage
WAN
7
Blackberry Handheld Devices Single Purpose
Device Wireless e-mail using Microsoft Exchange
8
Blackberry Real-time Messaging
1. Colleague sends urgent message. 2. Sent to
Exchange servers. 3. Received at your desktop
PC (if on). 4. Encrypted and sent through the
Internet. 5. Transmitted by Blackberry
network. 6. Blackberry receives and decrypts
message.
4
5
Internet
Blackberry Network
6
You
2
3
YourOffice
Colleague's Office
Firewall
1
Outlook/ExchangeServers
9
Blackberry Architecture
Blackberry Server
Exchange Server
Users Desktop
Internet
Blackberry Handheld
Wireless Network Access Point
Firewall
10

• Blackberry Architecture How It Works
• Mail arrives at the users desktop in the usual
  way.
• Software is installed on the users desktop and
  configured
• according to user-specified filtering/forwarding
  rules.
• Messages are compressed, encrypted,forwarded to
  server that
• maintains an outbound connection to the
  Blackberry network.
• Messages are forwarded and displayed on the
  Blackberry handheld.
• Similarly, messages can be originated on the
  handheld, sent back to the
• users desktop and sent out over the mail
  connection.
• Can operate in two modes
• Wireless LAN mode - as described above.
• Directly between two handheld devices
  (peer-to-peer).

11

• Blackberry Protection
• Peer-to-peer mode is not secure (scrambled, but
  not encrypted).
• Wireless network mode
• Symmetric encryption-key shared between desktop
  handheld.
• 3 DES encryption, key exchange while handheld is
  docked.
• Server behind firewall only supports outbound
  connections,
• followed by out-bound/in-bound communications.

Unsecured Path
Secured Path
Blackberry Users
Desktop Another
User
12
Wireless Local Area Network (LAN)
WANWide Area Network(National/Global)
Local Area Network (LAN)

• IEEE Standards
• 802.11, 1998 (2 Mbps)
• 802.11b, 1999 (11 Mbps)
• 802.11a, 1999 (54 Mbps)
• 802.11g, 2000 (54 Mbps)
• Interface Prices
• 500 1997 (2 Mbps)
• 160 2000 (11 Mbps)
• Wireless Options Today
• Laptops - Apple, Dell, Gateway, IBM, Compaq,
  Acer

LANLocal Area Network(Campus/Building)
Unlicensed, 900 Mhz, 2.4 Ghz, 5 Ghz
13
Wireless Local Area Network (LAN)

• Work un-tethered.
• Improve productivity by saving time (use idle
  time, minimize meeting prep time).
• Have real-time access for urgent messages and key
  information.

Lab/Conference Room
You
Wireless Access Point
YourOffice
LAN
14

• Local Area Networks (LAN)
• Function wireless equivalent to Ethernet Local
  Area Network.
• Based on IEEE standard 802.11 series.
• 802.11 1997, data rates to 2 Mb/s
  (outdated).
• 802.11b - 1999, data rates to 11 Mb/s
  (available now).
• 802.11g - 2000, data rates to 22 Mb/s
  (available 2002-2003).
• 802.11a - emerging, data rates to 54 Mb/s
  (available late 2001).
• 802.11b is dominant technology being implemented.
• Part of the specification is the Wired Equivalent
  Protocol (WEP)
• designed to protect link layer (over-the-air)
  traffic from
• eavesdropping and other attacks (according to
  IEEE specification).

15
IEEE 802.11 Standard The standard describes the
Medium Access Control (MAC) and Physical Layer
(PHY) specifications. 802.11 is one part of the
802 Specification as shown below.
802.2 Logical Link Control
802.1 Bridging
Data Link Layer
802.3 Meduim Access 802.3 Physical
802.4 Meduim Access 802.4 Physical
802.5 Meduim Access 802.5 Physical
802.6 Meduim Access 802.6 Physical
802.9 Meduim Access 802.9 Physical
802.11 Meduim Access 802.11 Physical
802.12 Meduim Access 802.12 Physical
Physical Layer
Ethernet Token Token Dual
Integrated Wireless Demand
Bus Ring Bus Services
Priority
16
IEEE 802.11a,b,g Alphabet Soup 802.11a Data
Rate 54Mbps physical channel31Mbps actual(due
to protocol overhead). Further reduced if there
is interference/errors (common in radio). Error
Rate Reduction Reduced rates -(48/36/24/18/12/9/6
Mbps). Range 80 Meters 263 feet (antenna
design can increase). Modulation Orthogonal
Frequency Division Multiplexing (OFDM). Channel
bandwidth 25 MHz. Frequency band 5GHz. Number
of Channels 12 (in the USA), 4 (Asia) 0
(EU). Quality of Service No. Availability Now.
17
IEEE 802.11a,b,g Alphabet Soup 802.11b Data
Rate 11Mbps physical channel 6Mbps actual(due
to protocol overhead). Also further reduced if
there is interference/errors. Error Rate
Reduction Reduced rates - (5.5/2/1 Mbps). Range
100 Meters 328 feet. Modulation Direct
Sequence Spread Spectrum (DSSS). Channel
bandwidth 25 MHz. Frequency band
2.4GHz. Number of Channels 3 (in the USA), 3
(Asia), 3 (EU). Quality of Service
No. Availability Now.
18
IEEE 802.11a,b,g Alphabet Soup 802.11g Data
Rate 54Mbps physical channel 31Mbps
actual. Range 150 Meters 492
feet. Modulation Orthogonal Frequency Division
Multiplexing (OFDM) and Discrete Sequence Spread
Spectrum (DSSS). Channel bandwidth 25
MHz. Frequency band 2.4GHz. Number of Channels
3 (in the USA), 3 (Asia), 4 (EU). Quality of
Service No. Availability Late 2002 early
2003.
19
IEEE 802.11a,b,g Some Comparisons Data Rate
a g at 54Mbps win over 11 Mbs for b. Range g
_at_150m, b _at_ 100m, a _at_ 80m. Number of Channels 12
for a, 3 for b g. Interference a _at_ 5Ghz has
little competition, 2.5GHz is loaded
with competitors (e.g., cell phones, microwave
ovens, Bluetooth).
20
IEEE 802.11a,b,g Competing Technologies HomeRF2
Developer HomeRF Working Group ( 70
members). Data Rate 10Mbps physical channel
6Mbps actual. Range 50 Meters 164
feet. Modulation Frequency Hopping Spread
Spectrum (FSSS). Channel bandwidth 5
MHz. Frequency band 2.4GHz. Number of Channels
15 (in the USA), 15 (Asia), 0 (EU). Quality of
Service Yes. Availability Now.
21
IEEE 802.11a,b,g Competing Technologies HiperLA
N2 Developer Euro. Telecommunication Standards
Institute (ETSI). Data Rate 54Mbps physical
channel 31Mbps actual. Range 80 Meters
262 feet. Modulation Orthogonal Frequency
Division Multiplexing (OFDM). Channel bandwidth
25 MHz. Frequency band 5GHz. Number of
Channels 12 (in the USA), 4 (Asia), 15
(EU). Quality of Service Yes. Availability
2003.
22
IEEE 802.11a,b,g Competing Technologies 5-UP
(5GHz Unified Protocol) Developer Joint
project of IEEE and ETSI. Data Rate 108Mbps
physical channel 72Mbps actual. Range 80
Meters 262 feet. Modulation Orthogonal
Frequency Division Multiplexing (OFDM). Channel
bandwidth 50MHz. Frequency band 5GHz. Number
of Channels 6 (in the USA), 2 (Asia), 7
(EU). Quality of Service Yes. Availability
2003. Note Merges 802.11a HiperLAN2 into a
single protocol.
23
IEEE 802.11d,e,f,h,i,and j Some
Variations These are not complete
specifications, but rather enhancements
of 802.11a, b, and g. 802.11d IEEE Purpose
Versions of 802.11b that operate on other
frequencies Suitable in parts of the world where
2.4 GHz is not available. Status May not be
required since the International
Telecommunications Union (ITU) and most
countries are freeing up the required spectrum.
24
IEEE 802.11d,e,f,h,i,and j Some
Variations 802.11f IEEE Purpose Improves the
handover mechanism in 802.11 so users
can maintain a connection while moving between
two different switched network segments or two
different access points attached to two
different networks. 802.11h IEEE Purpose
Adds better control over transmission power and
radio channel selection to 802.11a. This and
802.11e could make the standard acceptable to
the EU.
25
IEEE 802.11d,e,f,h,i,and j Some
Variations IEEE 802.11i Purpose Replaces WEP
with a new standard based on the Advanced
Encryption Standard (AES). Also deals with an
authentication standard. IEEE 802.11j
Purpose To make 802.11a and HiperLAN networks
co-exist on the same frequencies bands.
26

• 802.11 Wireless Local Area Network (LAN)
• Three (3) possible physical layers are
  specified
• Infared (short range line of sight),
• Frequency Hopping Spread spectrum (FHSS), and
• Direct Sequence Spread Spectrum (DSSS).
• Three frequency bands are used 900 MHz, 2.4
  GHz, and 5 GHz.
• 802.11b uses DSSS and the 2.4 GHz frequency
  band.
• This is the unregulated Industrial, Scientific,
  and Medical (ISM) band.
• Range is a few 100 - 300 feet multiple access
  points provide campus
• coverage (like cell phones).
• 802.11b data rate is 11 Mb/s, but performance
  varies as a function of
• distance between the mobile device and the
  nearest access point.
• The specified protocol is Carrier Sense Multiple
  Access with Collision
• Avoidance (CSMA/CA).

27
High Level Architecture
Wireless Application Servers
To additional Network Segments
Wired Network
R
Access Point
Access Point
Wireless Handheld (WinCE or Palm)
28
High Level Architecture Text Mobile device
(Personal Digital Assistant, laptop, Palm Pilot,
etc.) requires a radio frequency
transmitting/receiving modem and client software
compatible with the IEEE standard. Access point
is a bridge between the backside wired network
and the frontside wireless network. It sends and
receives wireless frames, does error control,
authenticates and authorizes users, encrypts
wireless traffic, interfaces to the wired
network
Laptop modem
Access point
29
Objectives of 802.11 Secuirty - WEP Reasonably
strong security not perfect, but
adequate. Self-Synchronizing Signal strength
varies, so it must be able to synchronize.
Computationally efficient Important for small
(cheap) mobile devices. Exportable Must meet
U. S. export control requirements (now
eased). Optional WEP is an optional
requirement of the standard.
30

• Wired Equivalent Privacy (WEP) 802.11 Security
• According to the standard, particular attention
  was paid to
• Defeating an adversaries ability to eavesdrop
  on wireless transmissions in
• order to preserve confidentiality by
  encrypting the channel traffic,
• Providing integrity assurance that a message
  has not been modified in
• transit, and
• Authenticating users over an encrypted channel.
• We will discuss each of these capabilities.

31

• Eavesdropping 802.11 Security
• The problem in-air broadcast signals can be
  always be intercepted.
• Methods are different depending on the physical
  layer.
• Infared - interception is difficult because of
  line-of-sight and short
• distance requirements. Line of sight
  interception is difficult, but not
• impossible (location issue).
• The difficulty of recovering Frequency Hopping
  Spread Spectrum (FHSS)
• and Direct Sequence Spread Spectrum (DSSS) is
  attributed to the
• psuedo-random nature of the signal spreading.
• Reality - any device designed to
  receive/transmit 802.11 signals can
• intercept signals. Requires only simple
  modifications to drivers and/or
• flash memory to operate in promiscuous mode.
  Basic
• assumption adversaries have access to all
  signals transmitted!

32

• Eavesdropping Solution - Encrypt 802.11
  Transmissions
• Eavesdropping is mitigated if signals are not
  intelligible 802.11 encrypts
• transmissions using RC4 developed in 1987 by Ron
  Rivest at MIT. RC4 is
• considered a secure cipher. Background on Rons
  Code 4 (RC4)
• RC4 was kept secret for the first 7 years, but
  was anonymously posted
• to the Cypherpunks mailing list in 1994 and
  became public knowledge.
• RC4 is a symmetric cipher and can use several
  different key lengths. The
• 802.11 specification allows for 40 bit (export
  controlled) and longer
• (typically 128 bit) lengths although specific
  lengths and implementations
• vary by vendor.
• RC4 is generally considered a strong cipher by
  cryptographers. The 802.11
• implementation operates in Output Feedback
  (OFB) mode.

33
RC4 Operated in Output Feedback Mode
Ij
Oj-1
Oj-1
Ij
IV
IV
E
E-1
Key
Key
Leftmost r bits
Leftmost r bits
Oj
Oj
?
?
Plaintext pj
Plaintext pj
Ciphertext cj
34
RC4 Text description RC4 uses three (3)
inputs a random initialing vector IV, a random
secret key k, and the plaintext P. The IV is
input to E, the RC4 encryption algorithm, along
with the key. E produces a random keystream that
is sent to the output box O. The output box
shifts the keystream out a Byte at a time and
each Byte is combined with a Byte of plaintext
under the Exclusive OR function. The output of E
(the keystream) is also fed back to the I stage
where it is combined with the IV to produce a
new input to E. This causes the keystream to
vary as a complex function of IV, K, and E.
Reversed at the receiver. Both IV and K must be
known to the receiver. K is passed securely
(e.g., manually), IV is passed in clear text.
35
RC4 more The secret key is initially
distributed to the access point and the mobile
device. The method is not specified in IEEE
802.11, but should be secret. The IV which
changes for each session, is sent in the clear as
part of the Initial handshake. Does not have to
be secret since the strength of the encryption
is derived from the algorithm and key secrecy,
not IV secrecy. Integrity of the IV must be a
maintained between the transmitter and receiver
or encryption/decryption wont work. Also, the IV
should not be re-used with the same key
schedule. Consider 2 messages C1 P1 ?
RC4(IV1, K1) C2 P2 ? RC4(IV1, K1) C1 ? C2
(P1 ? RC4(IV1, K1)) ? (P2 ? RC4(IV1, K1)) The
EXOR of 2 ciphertexts produces the EXOR of the
two plaintexts. Cs are known - If one of the
plaintexts is known, the second is revealed.
36

• Authentication in 802.11
• Two basic levels of authentication
• Open System Authentication the default that
  authenticates
• any device requesting authentication
  essentially none
• Shared-Key Authentication The mobile device
  is authenticated OR
• both the mobile devices and the access point
  mutually authenticate
• to each other. Authentication is a three-state
  process
• Unauthenticated unassociated.
• Authenticated and unassociated.
• Authenticated and associated.
• Involves messages between a mobile station and an
  access point.

37
Authentication Messages
Access Points send beacon messages, then
Initiator (STA)
Responder (AP)
Authentication Request Sequence 1
Authentication Challenge Sequence 2
Authentication Response Sequence 3
Authentication Result Sequence 4
Challenge is a psuedo-random number, must be
re-played by the initiator. If successful, the
process is repeated in reverse (i.e., mutual
authentication).
38
Integrity Assurance No change in transit An
integrity checksum is computed for each message
exchanged between a station and an access point.
It is re-computed and tested when received. If
the computed checksum does not match the appended
checksum as received, the packet is discarded
and re-transmission requested. All of this
sounds reasonable on the surface. Certainly the
goals of authentication, integrity, and
confidentiality are the appropriate ones to
implement for protecting the information. Sohow
does the standard and its implementation stack
up? TERRIBLE!!!!!!!!!!!
39
The Problems High Level There are many attacks
that reveal the secret key. It is easy to mount
a known plaintext attack to recover
keys. Integrity is not cryptographically assured
messages can be modified without the
modification being readily detected. Many
wireless networks are being operated using open
authentication (i.e., no authentication or
encryption). They are optional parts of the
standard, not mandatory. Only the weak checksum
is mandatory. So.How do we break such a
network?
40

• Authentication Breaks
• Using the 4 message exchange, the break works
  like this
• Frame 1 is sent in the clear to request
  authentication thats Ok.
• The challenge response is returned by the AP
  the challenge is not
• encrypted. The challenge is generated by
  combining a random number,
• an IV, and the shared key and is sent in
  the clear (128B message).
• The responding station, extracts the challenge,
  puts it into a response
• frame, encrypts it with the shared key
  using a new IV (sent in the
• clear) and sends it back.
• The AP decrypts, checks integrity and compares
  the challenge to the
• original if same, authentication of the
  station is successful.
• An adversary can capture the clear text challenge
  and the ciphertext
• challenge response. Knowing the IV, the attacker
  can derive the
• keystream. The adversary can now create a valid
  response to a
• new challenge and join the network.

41
Authentication Breaks - More That is The
responding station has created CHECK THIS OUT
BOB BUT, the bad guy still does not have the
shared secret key. (s)he has only been
authenticated, so this attack is not of great
value. What is required to go further is to
discover the value of the shared secret key. As
we shall see this can also be accomplished
relatively easily.
42
WEP Encryption The WEP encryption model
IV
IV
RC4
Ciphertext Message
Keystream
EXOR
Secret Key
Plaintext Message
Combine
Integrity Check Algorithm
ICV
Transmitted Message
43
WEP Decryption The WEP decryption model
Received Message
Secret Key
RC4
Combine
IV
Ciphertext Message
Compute IVC (CRC-32) on plaintext message
attached IVC. If remainder is 0, Pass, Else
fail.
Keystream
EXOR
Integrity Check Algorithm
Plaintext Message
44

• Encryption Breaks
• One of the issues with Output FeedBack (OFB) mode
  stream encryption
• is that encrypting two messages under the same IV
  and key can reveal
• Information about both the IV and key.
• The IV is transmitted in the clear, so it is
  available. If the IV is a good
• random number and not re-used, it is protected.
  Trouble is the IV
• Is initialized to 0 in some implementations (no
  standard requirement)
• It is only 24 bits long. If initialized to 0,
  then it wraps around mod 24.
• Doing the math 224 x 2346 B/packet 40GB
  (320 Gb).
• The network has a capacity to do about 432 Gb
  per day
• The adversary can send a message to the network
  (known plaintext)
• and sniff the ciphertext since the network will
  encrypt it for him (her).

45
Encryption Breaks - contd Then the adversary
sniffs the network for another instance of the
same IV used for the known plaintext message and
recovers that ciphertext. Now the adversary has
a known plaintext/ciphertext pair encrypted with
the same secret key and can recover the
key. Since the keys are shared and typically
manually distributed, they dont change very
often. That in itself is a problem multiple
users with the same key and difficulty in
manually distributing keys tend to influence long
time key use.
46

• Encryption Breaks - Recap
• Send a plaintext message to a user on the
  wireless network and sniff
• the network for the message. Moderate difficulty,
  trivial with insider help.
• 2. Capture the IV (sent in the clear) and
  ciphertext.
• 3. Sniff the network for another instance of the
  same IV with the original
• message. Not difficult, but may require
  significant storage space.
• 4. On a hit, the adversary has
• Original plaintext/ciphertext pair encrypted with
  the secret key.
• IV and new ciphertext encrypted with the same
  key.
• C1 P1 ? RC4(IV1, K1) C2 P2 ? RC4(IV1, K1)
• C1 ? C2 (P1 ? RC4(IV1, K1)) ? (P2 ? RC4(IV1,
  K1))
• C1, C2, P1, and certainty that the same IV key
  were used.
• Then C1 ? C2 ? P1 P2

47
Encryption Breaks - Recap Test Does C1 ? C2 ?
P1 P2? Assume P1 0010, P2 0100 Keystream
for IV, K 1100, then C1 0010 ? 1100
1110 C2 0100 ? 1100 1000 C1 ? C2 ? P1 1110
? 1000 ? 0010 0100 --- QED.
48
Integrity Assurance The standard uses the
following format
Message
CRC 32
?
Exclusive OR
Keystream
IV Input

Ciphertext
IV
Transmitted Data Stream
49
802.11 Frame Formats
Octets 2 2
6 6 6
2 0 2312
4
Seq. No.
Frame Control
Dest. Address
Source Address
Duration
BSSID
Frame Body
FCS
Frame Control Version Frame type
(control,data, management) sub-type and
numerous flags Duration Destination
Address Source Address BSSID Sequence
Number Frame Body FCS
50
Improving Wireless Security IEEE 802.1x In
802.11 users authenticate to access points and
this is subject to the flaws we have already
discussed. IEEE 802.1x describes an
authentication method that is much
stronger. Even better, it applies to wired
networks as well as wireless networks. The
authentication method is called Extensible
Authentication Protocol (EAP) Over LANs
(EAP-OL). It is an extension of EAP that was
originally defined for dial-up authentication Usin
g the Point-to-Point Protocol PPP (see RFC 2284).
It is also know as port authentication.
51
Wired Wireless Access Authentication Consider
the following wired and wireless network
connections
Wired Link
Port
HUB
Wireless Access Point (WAP)
Wireless Link
Port
Hub Ethernet hub/switch with wired connections
to desktop machines. WAP Wireless Access Point
with wireless connections to wireless- equipped
Devices (e.g., laptops, PDAS, etc.). Authenticati
on Provided by the port device or by a service
called by the port device.
52
Wired Wireless Authentication In an Ethernet
wired network and a Windows environment, a system
enters the network at bootup, by sending a
request to the local network segment domain
controller (found in the system configuration
files). The domain controller prompts the
system for authentication credentials (e.g., a
username password pair). On success, the system
is authenticated. In 802.1 wireless, the system
associates with an access point and the access
point authenticates the wireless system and
allows/denies entry. As we have seen, the
wireless method is easily defeated. IEEE 802.1x
provides a method to call a stronger
authenticator and will work with either a wired
or wireless network.
53
IEEE 802.1X Authentication
User
Hub or Access Point (AP)
Authentication Server (AS)
1
2
3
4
Step 1 Using EAP, the user requests
authentication. The Hub or AP forwards the
request to the AS. Step 2 The AS issues a
request for an authenticator (e.g.,
password,etc.). Step 3 The user presents the
authenticator. Step 4 The AS authenticates/denies
the access request and sends the result back to
the AP and the user. If authentication succeeds,
the AP opens a port for the user. All traffic
is encrypted. AS creates/distributes session keys
used by the user and AP.
54
IEEE 802.1X Authentication The Authentication
Server is specified in the standard as a RADIUS
server. RADIUS Remote Authentication Dial-In
User Service RADIUS is the subject of two RFCs,
2138 and 2865. RFC 2865 is the current RFC and
it describes the operations and protocols
supported by a RADIUS server.
55
References Wi-Fi forum at www.wi-fi.org
HiperLAN forum at www.hiperlan2.com HomeRF
working group at www.homerf.org Dornan, A.,
LANS with No Wires, but Strings Still Attached,
Network Magazine, February 2002, pp. 44-47.