This document discusses the 802.11 wireless LAN standards. It provides an overview of 802.11 basics such as the basic service set, distributed coordinated function using CSMA/CA, and point coordinated function. It then discusses the 802.11e amendment which introduced mechanisms for quality of service such as enhanced distributed channel access with prioritized access categories and hybrid coordinated function controlled channel access. The purpose of 802.11e is to provide quality of service capabilities for applications with time-critical traffic over wireless LANs.

1. 802.11 Wireless LANs
Abhishek Karnik,
Dr. Ratan Guha
University Of Central Florida

2. OVERVIEW
• Introduction
• 802.11 Basics
• 802.11e for QoS
• WEP

3. INTRODUCTION
• In 1997 the IEEE adopted IEEE Std. 802.11-1997
• Defines MAC and PHY layers for LAN and wireless connectivity.
• Facilitate ubiquitous communication and location independent
computing
• 802.11b operates at 11Mbps in the 2.4 GHz ISM Band (‘99)
• 802.11a operates at 54Mbps in the 5 GHz Band (’99)
• 802.11g operates at 54Mbps in the 2.4 GHz Band (’02)
• Increased deployment and popularity lead to introduction of QoS
• 802.11e for QoS – Draft Supplement – Nov 2002

4. 802.11 BASICS
• Wireless LAN Station
The station (STA) is any device that contains the functionality of the 802.11
protocol, that being MAC, PHY, and a connection to the wireless media. Typically the
802.11 functions are implemented in the hardware and software of a network interface
card (NIC).
Ex : PC , Handheld , AP (Access Point)
• Basic Service Set (BSS)
802.11 defines the Basic Service Set (BSS) as the basic building block of an
802.11 wireless LAN. The BSS consists of a group of any number of stations.

5. IBSS (Independent Basic Service Set – Ad-hoc Mode)
STA STA
peer-peer connections
STA
STA

6. Infrastructure Basic Service Set
Wired Backbone
AP

7. ESS (Extended Service Set)
Wired Backbone
AP AP
BSS1 BSS2

8. Beacon TBTT
PCF DCF
Super Frame
DCF - Distributed Coordinated Function
(Contention Period - Ad-hoc Mode)
PCF - Point Coordinated Function
(Contention Free Period – Infrastructure BSS)
Beacon - Management Frame
Synchronization of Local timers
Delivers protocol related parameters
TBTT - Target Beacon Transition Time

9. Distributed Coordinated Function (DCF)
• Also known as the Contention Period
• STAs form peer-peer connections. No central authority
• First listen and then speak
• Uses CSMA/CA (Carrier Sense Multiple Access with
Collision Avoidance)
• ACK indicates successful delivery
• Each node has one output buffer

10. Inter-Frame Spacing :
DIFS - 34 µsec
PIFS - 25 µsec ( Used in PCF )
SIFS - 16 µsec
Slot Time - 9 µsec
DIFS = SIFS + (2 * Slot Time)
SIFS required for turn around of Tx to Rx and vice versa

11. Data Transmission from Node A to B
CWA
DIFS
ACK DATAA ACKB
DIFS SIFS
• CW – Contention Window. Starts only after DIFS.
• Random number ‘r’ picked form range ( 0-CW )
• CWmin minimum value of CW
• CWmax maximum value the CW can grow to after collisions
• ‘r’ can be decremented only in CW
• CW doubles after every collision

12. CWA
DIFS
ACK DATAA ACKB
DIFS SIFS
• What if some node C wanted to send data while A was transmitting
data to B ?
• What about during SIFS ?
• What if after ACK, more than one say B,C,D,E nodes are waiting
to transmit data ?

13. Example :
rA = 4 and rC = 6
DIFS
ACK DATAA ACKB DATAC
DIFS SIFS
• What if rA and rC had both been picked as 4 ?
• What if rA and rC has collided and DATAA length was 10 while
DATAC length were 15 ?

14. A Collision between nodes A and C
DATAC
ACK DATAA
DIFS SIFS
DIFS
• Length (DATAA) = 10 Slot times
• Length (DATAC) = 15 Slot times
• CW after Collision 1  0 – 7
• CW after Collision 2  0 – 15
• CW after Collision 3  0 – 31
• CW after Collision 4  0 – 63

15. NAV – Network Allocation Vector
STAA DATA
STAB ACK
STAC ACK
DIFS SIFS
DIFS
NAVB and C

16. Hidden Node Problem and Exposed Node Problem
STAC
STAB
STAA

17. RTS/CTS :
• RTS (Request To Send) - (Approx 20 bytes)
• CTS (Clear To Send) - (Approx 16 bytes)
• Use of RTS/CTS is optional
• Solves two problems :
1. Hidden Node Problem
2. Wastage of time due to collisions
• Maximum MSDU is 2304 bytes

18. Preventing a collision at STAB
RTS CTS
B C
A
CTS
CTS
D

19. DIFS CW SIFS SIFS SIFS DIFS
STAA RTS DATA
STAB CTS ACK
STAC ACK NAV
STAD NAV
New NAV
Node

20. Point Coordinated Function (PCF)
• Also known as the CFP (Contention Free Period)
• Operation in an Infrastructure BSS
• STAs communicate using central authority known as PC
(Point Coordinator) or AP (Access Point)
• No Collisions take place
• AP takes over medium after waiting a period of PIFS
• Starts with issue of a Beacon

21. Beacon
• Management Frame
• Synchronization of Local timers
• Delivers protocol related parameters
• TBTT - Target Beacon Transition Time
Beacon TBTT
PCF DCF
Super Frame

22. AP taking over the Wireless medium using PIFS
PIFS
DATA A B
DIFS SIFS DIFS
DIFS - 34 µsec
PIFS - 25 µsec
SIFS - 16 µsec
Slot Time - 9 µsec
B - Beacon

23. Operation in CFP
CFP CP
B D1 + Poll D2 + ACK + Poll CF_End
U1 + ACK U1 + ACK
SIFS

24. • Admission Control
• Purpose of having separate DCF and PCF
• Different 802.11 Working groups
• 802.11a (54Mpbs in 5GHz Band)
• 802.11b (11 Mbps in 2.4 GHz Band)
• 802.11c Wireless AP Bridge Operations
• 802.11d Internationalization
• 802.11e (QoS)
• 802.11f Inter-vendor AP hand-offs
• 802.11h Power control for 5Ghz region
• 802.11g (54Mbps in 2.4 GHz Band)
• 802.11i (Security)

25. 802.11e for QoS
• QoS (Quality of Service)
• 802.11e for QoS – Draft Supplement – Nov 2002
• Introduction of new QoS mechanism for WLANs

26. HC
PC
( Enhanced Station )
BSS QBSS
(Basic Service Set) (Basic Service Set
for QoS)
PCF DCF HCCA EDCA

27. QoS Support Mechanisms of 802.11e :
EDCA :
• Introduction of 4 Access Categories ( AC ) with 8 Traffic
Classes ( TC )
• MSDU are delivered through multiple back offs
within one station using AC specific parameters.
• Each AC independently starts a back off after
detecting the channel being idle for AIFS
• After waiting AIFS , each back off sets counter from
number drawn from interval [1,CW+1]
• newCW [AC] >= ((oldCW[TC] + 1 ) * PF ) - 1

28. AC_VO [0] AC_VI [1] AC_BE [2] AC_BK [3]
AIFSN 2 2 3 7
CWmin 3 7 15 15
CWmax 7 15 1023 1023
Prioritized Channel Access is realized with the QoS
parameters per TC, which include :
• AIFS[AC]
• CWmin[AC]
• PF[AC]

29. EDCA
TC AC1 AC2 AC3 AC4
Virtual Collision

30. Access Category based Back-offs
AIFS[AC3]
AIFS[AC2]
AIFS[AC1]
AIFS[AC0]
BackOff[AC3] + Frame
BackOff[AC2] + Frame
BackOff[AC1] + Frame
ACK BackOff[AC0] + Frame

31. QoS Parameter Set Element Format
CWmin[AC] CWmax[AC]
Element ID
CWmin[0]….CWmin[3] CWmax[0]….CWmax[3]
AIFSN[AC] TxOPLimit[AC]
AIFSN[0]….AIFSN[3] TxOP[0]….TxOP[3]
AIFS [AC] = AIFSN [AC] * aSlotTime + SIFS

32. HCCA ( Hybrid Coordination Function
Controlled Channel Access )
Extends the EDCA access rules.
CP : TxOP
• After AIFS + Back off
• QoS Poll ; After PIFS
CFP : TxOP
• Starting and duration specified by HC using
QoS Poll .

33. Hybrid Coordinator
HC
PIFS
HCCA EDCA
PIFS
DATA A
DATA
AIFS SIFS AIFS

34. 802.11e Operation in the CFP
• Guaranteed channel access on successful registration
• Each node will receive a TxOP by means of polls granted
to them by the HC
• TxOP based on negotiated Traffic specification (TSPEC) and
observed node activity
• TxOP is at least the size of one Maximum sized MSDU at the
PHY rate.
• Access Point advertises polling list

35. Traffic Specification (TSPEC)
Maximum
Element ID Length TS info Nominal size
MSDU size
(1) (1) (2) MSDU (2)
(2)
Minimum Maximum Inactivity
Minimum Mean Data
Service Service Interval
Data Rate (4) Rate (4)
Interval (4) Interval (4) (4)
Maximum Minimum Surplus
Peak Data Delay Bound
Burst Size PHY Rate Bandwidth
Rate (2) (2)
(4) (4) Allowed (2)

36. Example :
AC[0] AC[1] AC[2]
AIFSN 2 4 7
CWmin 7 10 15
CWmax 7 31 255
PF 1 2 2

37. AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS
PIFS - 25 µsec ( Used in HCCA)
SIFS - 16 µsec
Slot Time - 9 µsec
AIFS[0] = (2 * 9) + 16 = 34 µsec = DIFS
AIFS[1] = (4 * 9) + 16 = 52 µsec  (52 – 34) / 9 = 18/9 = 2 Slots
AIFS[2] = (7 * 9) + 16 = 79 µsec  (79 – 34) / 9 = 45/9 = 5 Slots

38. Back-off Algorithm :
802.11 : CWRANGE = [ 0 , 2 2+i – 1 ]
802.11e : newCW[AC] = [(oldCW[AC] + 1) * PF] - 1
Collision1 Collision2 Collision3
AC[0] [(7+1)*1]-1 = 7 ( 0-7 ) ( 0-7 )
(0-7)
AC[1] [(10+1)*2]-1 = 21 [(21+1)*2]-1 = 43 ( 0 – 31 )
( 0 - 21 ) ( 0 – 31 )
AC[2] [(15+1)*2]-1 = 31 [(31+1)*2]-1 = 63 [(63+1)*2]-1 =
( 0 – 31 ) ( 0 – 63 ) 127
( 0 – 127 )

39. WEP (Wired Equivalent Privacy)
• Optional in WLANS
• Uses the RC4 (Rivest Cipher 4) Stream Cipher generated with a
64bit/128 bit Key
• Key composed of 24 bit IV (Initialization Vector)
• Key = (24 Bit IV, 40 Bit WEP Key) = 64 Bits
• Key = (24 Bit IV, 104 Bit WEP Key) = 128 Bits
• Goal to provide authentication, confidentiality and data integrity
• Secret Key is shared between communicators
• The encrypted packet is generated with a bitwise exclusive OR
(XOR) of the original packet and the RC4 stream.
• 4-byte Integrity Check Value (ICV) is computed on the original
packet and appended to the end which is also encrypted with the
RC4 cipher stream.
• Encryption done only between 802.11 stations.

40. Encrypted WEP Frame
http://www-106.ibm.com/developerworks/security/library/s-wep/

41. Encryption / Decryption :
• M – Original Data Frame
• CRC-32 (c) applied to M to obtain c (M)
• c (M) and M are concatenated to get Plain Text P = (M, c (M))
• WEP produces a Key-stream as a function 24 bit IV and 40-bit WEP Key
using RC4; equal to the length of P.
• Key Stream and the Plaintext are XORed to produce the Cipher Text
• The IV is transmitted in the clear (unencrypted)
• The receiver uses the IV and the shared key to decrypt the message

42. Draw Backs of WEP:
• A number of attacks can be used against WEP
• Passive Attacks based on statistical analysis
• Active Attacks based on known plain text
• WEP relies on a Shared Key to ensure that packets are not
modified in transit.
• There is no discussion on how these keys are distributed and
hence usually a single key is used which is shared amongst
all STA’s and the AP

43. All in a days work :
• Shared Key is long lived – May last a week, month,
even a year or more
• Consider a busy AP which constantly sends packets
of length 1500 bytes at 11Mbps
• Since IV on 24 bits in length and Shared key is
unchanged, IV gets exhausted after
2^24 * (1500 * 8) / (11 * 10^6)
= 18000 secs = 5 hours
• Lucent wireless cards

44. PT  Key  CT CT  Key  PT
XOR :
0 0  0
0 1  1
1 0  1
1 1  0
• XORing a Bit with itself gives 0

45. PASSIVE ATTACK
Sender Receiver
PT K CT CT K PT
0 0  0 0 0  0
0 1  1 1 1  0
1 0  1 1 0  1
1 1  0 0 1  1

46. • IV repeats generating K
• Identical K used to encrypt MSG1 and MSG2
MSG1  K  C ( MSG1 )
MSG2  K  C ( MSG2 )
• Obtain C( MSG1) and C( MSG2) and XOR them
• XORing causes Key Stream to cancel which yields
the XOR of MSG1 and MSG2 i.e. XOR of Plain Text packets
• This XOR can now be used to apply Statistical Analysis

47. Example :
MSG1  0 0 1 1
MSG2  1 0 1 1
MSG1 MSG2
PT1 K CT1 PT2 K CT2
0 0  0 1 0  1
0 1  1 0 1  1
1 0  1 1 0  1
1 1  0 1 1  0

48. CT1 XOR CT2 MSG1 XOR MSG2
CT1 CT2 MSG1 MSG2
0 1  1 0 1  1
1 1  0 0 0  0
1 1  0 1 1  0
0 0  0 1 1  0
Apply Statistical analysis on last three bits and educated
guess on the rest

49. AP Wired Network
xx
Hi
Attacker

50. Active Attack :
• Attacker knows exact plain text for one encrypted packet
• Use this knowledge to construct correct encrypted packet
• Construct a new message , calculate CRC-32 and perform
bit flips on original encrypted packet to change the plaintext
to the new message.