Wireless Networking: Physical and Link Layer - PowerPoint PPT Presentation

Slides: 85
Provided by: Prasun2
Learn more at: http://www.cs.unc.edu
Transcript and Presenter's Notes

1
Wireless Networking: Physical and Link Layer
Prasun Dewan
Department of Computer Science, University of North Carolina
dewan_at_unc.edu
2
Wired vs. Wireless
  • Wired
  • Can have point to point connection
  • Not a scarce medium
  • Reliable
  • Communicating devices plentiful power
  • Wireless
  • Broadcast medium (within range)
  • Scarce medium
  • Unreliable
  • Communicating devices have scarce power

3
Bluetooth vs IEEE 802.11b
  • Wireless Personal Area Networking
  • Replaces cables between devices
  • Short range (< 10 m)
  • Low cost
  • Isochronous
  • Cordless telephony/headsets
  • Peer to peer (ad hoc)
  • One device in multiple networks
  • Wireless LAN
  • Replaces Wired LANS
  • LAN-sized distance
  • Higher cost acceptable
  • No flow guarantees
  • Device to (wired) router backbone to device

4
Bluetooth Goals
  • Bluetooth Issues
  • Wireless Personal Area Networking
  • Replaces cables between devices
  • Short range (< 10 m)
  • Low cost
  • Isochronous
  • Cordless telephony/headsets
  • Peer to peer (ad hoc)
  • Absolute location irrelevant
  • One device in multiple networks
  • Wireless
  • Broadcast medium (within range)
  • Scarce medium
  • Unreliable
  • Communicating devices have scarce power

5
Piconet (from paper)
  • Master connected to < 7 slaves

6
Topologies (from paper)
7
Topologies (from paper)
  • Contention
  • Multiplexing

8
The Multiplexing Problem
[Figure: a wireless channel drawn on frequency and time axes]
A wireless channel (how to divide resource among multiple recipients?)
Analogy: a highway shared by many users
from Zhang_at_UT 02
9
Frequency-Division Multiplexing
[Figure: frequency/time diagram; labels: user 1, user 2, user 3, user 4, guard-band]
Analogy: a highway has multiple lanes
from Zhang_at_UT 02
10
Time-Division Multiplexing
[Figure: frequency/time diagram; labels: user 1, user 2, user 3, user 4, user 1, user 2, guard-band]
Requirement: precise time coordination
from Zhang_at_UT 02
11
Frequency-Time-Division
[Figure: frequency/time diagram; label: time-slot (usually of the same size)]
Analogy: a highway has many cars
from Zhang_at_UT 02
12
BlueTooth Choice
  • Frequency-time division (frequency hopping) for
    reducing inter-piconet interference
  • Static division difficult in dynamic environment.
  • Assume probability of contention is low
  • Issues
  • How to agree on frequency hopping pattern?
  • What to do when there is contention?

13
Frequency Hopping (from paper)
  • Use a well defined hopping pattern sequence for
    each piconet.

14
Hop Selection (from paper)
  • Each Piconet has a master.
  • Master identity chooses sequence
  • Clock chooses index (phase) in sequence.
  • Offset established at connection time

15
Connection Establishment
  • Cellular systems
  • Common control channel
  • Need something for ad hoc systems
  • Must conserve power
  • Wake up sequence
  • 32 unique hops
  • Spans 64Mhz of the 80 Mhz spectrum
  • Pseudo random and unique per device
  • Phase selected by clock
  • Clock schedules wake up event every 10 ms
  • Listens to next frequency for 10 ms and sleeps
    again
  • More the sleep time
  • Less power consumption
  • Slower response time to paging unit (master)

16
Frequency time uncertainty
  • Uncertainty when paged unit will wake up and at
    what frequency
  • Burden on paging unit rather than paged unit
  • to keep idle energy consumption low
  • Paging unit knows identity of paged unit and
    hence wake-up sequence
  • Repeatedly polls for device

17
Polling for Device (from paper)
  • Polls every 1.25 ms
  • Each poll two messages sent and possibly received
  • Consecutive polls use different frequencies
  • In 10ms (sleep period) 16 frequencies visited
    (half sequence)
  • After sleeping period over, tries other 16
    frequencies
  • One frequency in common because device clock
    progresses
  • Maximum delay twice (thrice?) sleeping period

18
Max Wakeup Time
  • Slave wakes up for 10ms
  • In this 10 ms 16 frequencies tried
  • F(i), .. F(i+15)
  • Not one of the scan frequencies
  • Device sleeps for 10ms
  • the pager transmits on F(i-15), F(i)
  • Can take 30ms if it wakes up to F(i)

19
Frequency time uncertainty
  • Devices may establish connections repeatedly
  • Use information about device clock from last
    connection
  • Possible drift may have occurred
  • Clock estimate k
  • Hop frequency f(k)
  • In 10 ms sends data at
  • f(k-8), f(k-7), f(k-6), ..., f(k), f(k+1), ..., f(k+8)
  • Assuming accuracy within 250 ppm
  • Clock estimate k useful 5hrs after last
    connection

20
Finding device id
  • Send inquiry message to all devices within range
  • Get back address and clock
  • 32-hop inquiry sequence
  • For return a random backoff algorithm used

21
Connection Establishment (from paper)
22
Media Access
  • To Coordinate Competing Requests (for the same
    resource)
  • MAC from Wired Medium Unsuitable
  • Special Features of Wireless Medium
  • Hidden Terminals, exposed Terminals, Near/Far
    Terminals
  • Example Carrier Sense Multiple Access with
    Collision Detection (CSMA/CD)
  • send as soon as the medium is free, listen into
    the medium if a collision occurs

23
The Hidden Terminal Problem
[Figure: terminals A, B and C]
  • A sends to B, C cannot receive A
  • C wants to send to B
  • If use CSMA/CD
  • C senses a free medium, thus C sends to A
  • Collision at B, but A cannot detect the collision
  • Therefore, A is hidden for C

from Zhang_at_UT 02
24
The Exposed Terminal Problem
[Figure: terminals A, B, C and D]
  • B sends to A, C wants to send to D
  • If use CSMA/CD
  • C senses an in-use medium, thus C waits
  • But A is outside the radio range of C, therefore
    waiting is not necessary
  • Therefore, C is exposed to B

from Zhang_at_UT 02
25
The Near and Far Terminal Problem
[Figure: terminals A, B and C]
  • A and B send to C
  • Friis Law (power decay proportional to distance square)
  • B drowns out A's signal (at the physical layer), so C cannot receive A

26
Addressing Contention
  • Time division multiplexing to prevent
    intra-piconet interference

27
Time Division Multiplexing
  • Alternating master and slave slots
  • Master slot says which slave goes next
  • Master polls slaves for slave-initiated
    communication

28
Addressing Contention
  • Time division multiplexing to prevent
    intra-piconet interference
  • Inter-piconet contention?
  • ack packet at link layer
  • also accounts for errors

29
Radio Propagation
[Figure: transmitter and receiver at distance d; labels: communication; detection of signal, communication impossible; becomes an interference source, background noise]
The Friis free space propagation model: $P_r \propto 1/d^2$
(receiving power is inversely proportional to the distance square)
from Zhang_at_UT02
30
But We Are Not Living in Vacuum
Additional Influences to Signal Propagation
Reflection (on large obstacles)
Scattering (on small obstacles)
Diffraction (at edges)
from Zhang_at_UT02
31
Multi-Path Propagation
Signal can take many different paths between
transmitter and receiver due to reflection,
scattering, and diffraction.
[Figure: signal at sender and signal at receiver]
The physical layer is very complicated.
from Zhang_at_UT02
32
Ack/Nacks
  • Between receiving and transmission time (200
    micro sec)
  • Must determine if previous or new packet should
    be sent
  • Determine if received message should be
    acked/nacked
  • Determines size of received packet

33
Multiple packet sizes
  • Can send messages with odd number of slots
  • Because receiving occurs on an odd slot
  • Max packet size 5 slots

34
Packet Structure
  • Type
  • ID only packet (signalling)
  • NULL (Link info)
  • POLL packet
  • Clock synchronization
  • Synchronous and Asynchronous packets
  • Access code identifies master (a la network id)
  • Address identifies slave (max of 7 slaves)
  • ARQN (Automatic Repeat Request)
  • HEC (Header Error Check Code)

35
Guaranteeing Flows
  • Cordless telephony/headsets have real-time
    constraints.
  • Reserve slots for synchronous traffic

36
Supporting Synchronous and Asynchronous
Communication
37
Power Management
  • Idle
  • Before connection established
  • Scans for 10 ms every 1.28 to 3.84s
  • Duty cycle 1
  • Park
  • Piconet established
  • Lower duty cycle
  • Keep resynchronizing clocks periodically
  • SNIFF
  • Wake up every N master-to-slave slots
  • Connected
  • Transmit when useful data
  • Absence of response implies NACK
  • Can send NULL packet for link info
  • If access code does not match go back to sleeping
  • Periodic clock synchronization packets

38
Security
  • Shorter range helps
  • For each set of devices that must work together
  • User must generate a secret key
  • By entering pin at each device
  • Authentication carried out at connection stage
  • Must ensure that result of authentication not
    stored
  • Result depends on a random number
  • Encryption carried out for each message
  • Should prevent replay of messages
  • Random number generated at start of connection
  • Random number and slot used to influence content
    of message

39
Authentication
  • Devices authenticate each other
  • Claimant sends 48 bit address to verifier
  • Verifier sends 128 bit random number as challenge
  • Claimant sends to verifier 32 bit SRES (Secure
    Hash Function) based on
  • Address
  • Random number
  • Secret key
  • Verifier computes its own SRES and compares
  • Claimant also generates 96 bit cipher offset used
    for encryption of messages
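
The challenge-response exchange on this slide, as an added example that is not part of the original presentation. HMAC-SHA256 stands in for the SRES function (an assumption, not the Bluetooth algorithm), and the key and address are constructed values.

```python
import hashlib
import hmac
import secrets


def sres_and_offset(key: bytes, rand: bytes, addr: bytes):
    """Stand-in for the SRES function (assumption: HMAC-SHA256, not the
    Bluetooth algorithm). Returns (32-bit SRES, 96-bit cipher offset)."""
    d = hmac.new(key, rand + addr, hashlib.sha256).digest()
    return d[:4], d[4:16]


class Verifier:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}                      # claimant address -> challenge

    def challenge(self, addr: bytes) -> bytes:
        """Issue a fresh 128-bit random number for this 48-bit address."""
        if len(addr) != 6:
            raise ValueError("address must be 48 bits")
        self.pending[addr] = secrets.token_bytes(16)
        return self.pending[addr]

    def verify(self, addr: bytes, sres: bytes):
        """Return the cipher offset on success, None otherwise. The challenge
        is consumed either way, so an authentication result is never reused."""
        rand = self.pending.pop(addr, None)
        if rand is None:
            return None
        expected, offset = sres_and_offset(self.key, rand, addr)
        return offset if hmac.compare_digest(sres, expected) else None


class Claimant:
    def __init__(self, key: bytes, addr: bytes):
        self.key, self.addr, self.offset = key, addr, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.offset = sres_and_offset(self.key, rand, self.addr)
        return sres


def run_exchange() -> dict:
    key = bytes(range(16))                     # constructed secret key
    addr = bytes.fromhex("001122334455")       # constructed 48-bit address
    verifier, claimant = Verifier(key), Claimant(key, addr)

    sres = claimant.respond(verifier.challenge(addr))
    offset = verifier.verify(addr, sres)
    result = {"genuine": offset is not None and offset == claimant.offset}

    verifier.challenge(addr)                   # new connection, new random number
    result["replayed_sres"] = verifier.verify(addr, sres) is not None

    wrong = Claimant(b"\x00" * 16, addr)       # device without the shared key
    sres_w = wrong.respond(verifier.challenge(addr))
    result["wrong_key"] = verifier.verify(addr, sres_w) is not None
    result["no_challenge"] = verifier.verify(addr, sres) is not None
    return result


if __name__ == "__main__":
    print(run_exchange())
```

Because the response depends on the per-connection random number, a recorded SRES is useless against the next challenge, which is the property the previous Security slide asks for.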

40
Security
41
Characteristics
42
Protocol Stack (from paper)
43
Bluetooth vs IEEE 802.11b
  • Wireless Personal Area Networking
  • Replaces cables between devices
  • Short range (< 10 m)
  • Low cost
  • Isochronous
  • Cordless telephony/headsets
  • Peer to peer (ad hoc)
  • One device in multiple networks
  • Wireless LAN
  • Replaces Wired LANS
  • LAN-sized distance
  • Higher cost acceptable
  • No flow guarantees
  • Device to (wired) router backbone to device

44
Infrastructure Mode (from paper)
[Figure labels: Wired Access Point; Wireless User Station]
45
802.11 Architecture
[Figure labels: Distribution System (DS); AP; AP; Basic Service Set (BSS); Basic Service Set (BSS); station; Ethernet addr; Extended Service Set (ESS)]
From Zhang_at_02
46
Ad Hoc Mode (from paper)
[Figure labels: Wired User Station; Wireless User Station]
47
IEEE 802 Protocol Stack
48
Issues
  • High bandwidth
  • 10MB
  • Contention
  • Roaming
  • Synchronous (time-bound traffic)
  • Power Management
  • Security

49
High Bandwidth
  • Like Bluetooth uses 2.4GHz ISM band
  • Original 802.11 used frequency hopping and
    created 75 1-Mhz sub channels
  • Max speed 2 Mbps
  • 802.11b divides band into 14 22-Mhz channels
    statically assigned to access points
  • 3 of 14 are not overlapping
  • Adjacent access points use non overlapping
    frequencies
  • 5.5 Mbps and 11 Mbps
  • Direct Sequence Signalling

50
Data Rate Specification (from paper)
  • Dynamic rate shifting
  • Data rates adjusted automatically
  • Done in physical layer

51
Frequency Allocation
Adjacent access points use non overlapping
frequencies
52
Contention
  • Has near/far/hidden terminal problem
  • Every packet must be acked at link layer
  • Piggy backing?
  • Data rate much lower than wired LAN
  • Retransmission of large packets an issue
  • A station can ask access point to reserve channel
  • Request to Send/Clear to Send (RTS/CTS)
  • Station sends RTS
  • Access point sends CTS
  • All stations hear CTS
  • Station sends data
  • Ack of access point heard by everyone

53
802.11 MAC Timeline
[Figure: MAC timeline; src: RTS, data; dst: CTS, ACK; other: defer access, backoff; contention window opens up again]
From Zhang_at_UT 02
54
802.11 MAC Exceptions
  • Broadcast/multicast packet
  • No CTS/RTS
  • No ACK/NAK

From Zhang_at_UT 02
55
Roaming
  • Station chooses access point based on
  • signal strength of beacons
  • error rates
  • Asks access point to accept it
  • Periodically polls access points (probe requests)
  • Allows movement
  • Allows load balancing

56
Roaming
Migrating station
57
Time bounded data
  • Special PCF (Point Coordination Function) mode
  • Time spliced between PCF and CSMA/CA mode
  • In PCF mode access point polls each station
  • Station sends data only when polled
  • A la Bluetooth
  • Guarantee delivery to wired LAN
  • To destination station?

58
Power Management
  • Continuous aware mode
  • Radio always on
  • Power save mode
  • Periodically wakes up
  • Listens to beacon signal from access point
  • Beacon says which stations have data
  • Time-delay data?
  • Easier than Bluetooth
  • No frequency uncertainty
  • No need to poll for masters

59
Security
  • Access control
  • Access point has list of MAC addresses
  • Asymmetric
  • Access point always trusted
  • Data encryption
  • 40-bit shared-key RC4 for data exchange
  • Access point issues encrypted challenge
  • Station encrypts response
  • Encryption an option
  • Scheme does not really work
  • Berkeley paper
  • Higher-level layers can also do security

60
Transmission
  • Message M
  • Checksum c(M)
  • Plaintext $P = \langle M, c(M) \rangle$
  • Key k
  • Initialization Vector v
  • Keystream of Pseudo Random Numbers RC4(v, k)
  • Ciphertext $C = P \oplus \mathrm{RC4}(v, k)$
  • Transmit v, C
  • $A \to B: v, (P \oplus \mathrm{RC4}(v, k))$, where $P = \langle M, c(M) \rangle$

61
Message Transmission (from paper)
62
Encryption/Decryption
  • Message M
  • Checksum c(M)
  • Plaintext $P = \langle M, c(M) \rangle$
  • Key k
  • Initialization Vector v
  • Keystream of Pseudo Random Numbers RC4(v, k)
  • Ciphertext $C = P \oplus \mathrm{RC4}(v, k)$
  • Transmit v, C
  • $A \to B: v, (P \oplus \mathrm{RC4}(v, k))$, where $P = \langle M, c(M) \rangle$
  • Key k
  • Extract v from message
  • Keystream of Pseudo Random Numbers RC4(v, k)
  • $P = C \oplus \mathrm{RC4}(v, k)$
  • $= (P \oplus \mathrm{RC4}(v, k)) \oplus \mathrm{RC4}(v, k)$
  • $= P$
  • Extract M, c from P
  • Check $c = c(M)$

63
Security Goals
  • Confidentiality: prevent eavesdropping
  • Access control: discard (at the link level) packets not properly encrypted
  • Data integrity: prevent tampering, hence checksum
  • Depends on not being able to guess K
  • 40 bit initially
  • Now 128 bits
  • None of goals attained!

64
Attacker Technology
  • Security handled at physical layer
  • Attacker must be at this layer
  • Needs equipment
  • monitoring 2.4GHz frequency
  • understanding physical layer
  • transmitting at this frequency (active attacks)
  • Passive attacks
  • Off the shelf wavelan cards
  • Changed driver settings
  • Active attacks
  • Firmware needs to be changed
  • Systems allow upgrade of firmware

65
Keystream Reuse Problem
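  • $C_1 = P_1 \oplus \mathrm{RC4}(v, k)$
  • $C_2 = P_2 \oplus \mathrm{RC4}(v, k)$
  • $C_1 \oplus C_2 = (P_1 \oplus \mathrm{RC4}(v, k)) \oplus (P_2 \oplus \mathrm{RC4}(v, k))$
  • $C_1 \oplus C_2 = P_1 \oplus P_2$
  • Assume know $P_1$
  • $P_2 = C_1 \oplus C_2 \oplus P_1$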

66
Knowing Plaintext
  • P1 Password prompt
  • P2 actual password
  • Send known mail to user
  • Wait for user check mail over wireless
  • Can search for pairs of P1 and P2
  • Can narrow search based on length of messages
  • Can do this for N pairs of successive messages
  • Can broadcast packet to access point
  • Access point sends it in both encrypted and
    unencrypted form
  • Not every station required to implement security

67
Keystream Reuse
  • Moral: do not reuse keystream
  • Per packet v recommended in 802
  • But may use v that collides with earlier value
  • How to select v is undefined
  • Example implementation
  • Set to 0 on initialization
  • Incremented each time
  • Each insertion of card results in initialization
  • Random v?
  • 24 bit v
  • Random v will collide in 5000 packets
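
The 5000-packet figure follows from the birthday bound. The derivation below is added here and is not on the original slide; it assumes each of the $n$ packets draws $v$ independently and uniformly from $N = 2^{24}$ values.

$$\Pr[\text{some } v \text{ repeats}] = 1 - \prod_{i=1}^{n-1}\left(1 - \frac{i}{N}\right) \approx 1 - e^{-n(n-1)/(2N)}$$

For $n = 5000$: $\frac{n(n-1)}{2N} = \frac{24\,995\,000}{33\,554\,432} \approx 0.745$, so $\Pr \approx 1 - e^{-0.745} \approx 0.525$. A repeat of $v$ under the same key $k$, and with it a repeat of the keystream RC4(v, k), is therefore more likely than not after about 5000 packets.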

68
Key Management
  • In practice all users in network have same key
    assigned by administrator
  • Must trust all users
  • Network admin can configure key themselves
  • Can be reverse engineered

69
Message Modification
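  • Reason: checksum is a linear function of message
  • CRC checksum distributes over XOR
  • $c(x \oplus y) = c(x) \oplus c(y)$
  • Assume we have intercepted ciphertext
  • $A \to (B): \langle v, C \rangle$
  • We can replace C with an encryption $C'$ of $M' = M \oplus \Delta$, where M is original message
  • $(A) \to B: \langle v, C' \rangle$
  • Obtaining $C'$
  • $C' = C \oplus \langle \Delta, c(\Delta) \rangle$
  • $= \mathrm{RC4}(v,k) \oplus \langle M, c(M) \rangle \oplus \langle \Delta, c(\Delta) \rangle$
  • $= \mathrm{RC4}(v,k) \oplus \langle M \oplus \Delta, c(M) \oplus c(\Delta) \rangle$
  • $= \mathrm{RC4}(v,k) \oplus \langle M', c(M \oplus \Delta) \rangle$
  • $= \mathrm{RC4}(v,k) \oplus \langle M', c(M') \rangle$
  • E.g. to flip bit of M, $\Delta = 100000$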

70
Message Injection
  • Reason: checksum is an unkeyed function of message
  • Assuming adversary has plaintext P
  • Can recover key stream from corresponding C
  • $P \oplus C = P \oplus (P \oplus \mathrm{RC4}(v,k)) = \mathrm{RC4}(v,k)$
  • Can now inject message $M'$
  • $(A) \to B: \langle v, C' \rangle$
  • $C' = \langle M', c(M') \rangle \oplus \mathrm{RC4}(v,k)$
  • WEP allows reuse of keys, being conservative in
    what you send and liberal in what you accept
  • No reuse of keys, or
  • Keyed message authentication code (SHA1-HMAC)
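
The unkeyed CRC check from the Message Modification slide beside the keyed HMAC-SHA1 check named above, together with the keystream-reuse identity from the earlier slide, as an added example that is not part of the original presentation. The key, IV and frames are constructed, and the function names (`seal`, `unseal`, `modify`) are hypothetical.

```python
import hashlib
import hmac
import zlib


def rc4(key: bytes, n: int) -> bytes:         # first n keystream bytes
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):                        # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(k: bytes, m: bytes) -> bytes:
    """c(M) from the slides: unkeyed CRC-32 (k is ignored)."""
    return zlib.crc32(m).to_bytes(4, "little")


def hmac_icv(k: bytes, m: bytes) -> bytes:    # keyed check value: HMAC-SHA1
    return hmac.new(k, m, hashlib.sha1).digest()


def seal(v, k, m, icv=crc_icv):
    """C = <M, icv(M)> xor RC4(v, k); WEP keys RC4 with v || k."""
    p = m + icv(k, m)
    return xor(p, rc4(v + k, len(p)))


def unseal(v, k, c, icv=crc_icv, icv_len=4):
    """Decrypt, split <M, tag>, return M only if the tag verifies."""
    p = xor(c, rc4(v + k, len(c)))
    m, tag = p[:-icv_len], p[-icv_len:]
    return m if hmac.compare_digest(tag, icv(k, m)) else None


def modify(c: bytes, delta: bytes) -> bytes:
    """C' = C xor <delta, c(delta)>, computed without k. zlib's CRC-32 is
    affine rather than linear, so the tag patch is c(delta) xor c(00..0)."""
    patch = xor(crc_icv(b"", delta), crc_icv(b"", bytes(len(delta))))
    return xor(c, (delta + patch).ljust(len(c), b"\0"))


def demo() -> dict:
    k, v = bytes.fromhex("0102030405"), b"\x00\x00\x01"   # constructed key, IV
    m, m2 = b"PAY 0100 TO BOB", b"PAY 9100 TO BOB"        # constructed frames
    out = {name: unseal(v, k, modify(seal(v, k, m, f), xor(m, m2)), f, n)
           for name, f, n in (("crc32", crc_icv, 4), ("hmac-sha1", hmac_icv, 20))}
    c1, c2 = seal(v, k, b"login: "), seal(v, k, b"hunter2")  # same v twice
    out["reuse"] = xor(c1, c2)[:7] == xor(b"login: ", b"hunter2")
    return out


if __name__ == "__main__":
    print(demo())
```

With the CRC check the altered frame is accepted as valid; with the keyed check `unseal` returns `None`. The keyed check does nothing about keystream reuse, which still requires that no (v, k) pair is ever used twice.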

71
Authentication Spoofing
  • Authentication
  • Mobile station requests authentication
  • Access point sends it a challenge in clear text
  • Mobile sends back encryption of challenge
  • Attacker monitors this P,C pair
  • Derives key stream
  • Now uses this for the next challenge
  • All challenges are of same length

72
Message Decryption
  • Sniff a packet off the air
  • Change the destination address to host controlled
    by adversary
  • Access point will decrypt it and send to that
    address
  • Changing destination address involved
  • Problem with link-level encryption
  • Or put wireless network outside the firewall

73
Sensor Networking
  • Physical networking layer of Dust Mote?
  • Constraints
  • Small size
  • 1 cubic mm
  • Low power
  • Solar power
  • 1 joule storage in battery
  • 10 micro watts if used in one day

74
RF vs. Optical
  • Radio Frequency
  • Small size → small antennas → short wavelength → high power consumption
  • Radio transceivers are complex
  • Modulation/de-modulation
  • Active bandpass filters
  • Multiplexing (time, frequency)
  • Optical
  • Much shorter wavelength → narrower beam → small size →
  • Space division multiplexing
  • Different sensors can send beams to different
    regions of base station transceivers
  • Simple baseband analog circuitry
  • No modulation, filters
  • Passive optical transmission possible
  • Line of sight
  • Small size → less obstruction

75
Space Division Multiplexing
  • Example
  • Base station viewing 17m X 17m sensor area
  • High-speed video camera 256pixel X 256pixel
    imaging array
  • Each pixel views 6.6 cm square area
  • 1700/256 ≈ 6.6
  • Required sensor separation size of pack of
    cigarettes
  • Can use TDMA for closely packed sensors

76
Passive Optical Transmission
  • Corner cube retro-reflector
  • Three mutually perpendicular mirrors
  • Incident ray of light reflected back to source
  • Restricted to range of angle around diagonal
  • Misaligned mirror → no retro-reflection
  • Used to modulate incident light
  • Electrostatic deflection
  • Kilohertz rate

77
Implementation
  • Micro fabricated CCR
  • 1 Kbps
  • 150 m range
  • 5-milliwatt illuminating laser

78
Base Station- Sensor Interaction
79
Transmitter/receiver relationship
  • BTS Interrogating beam angular spread should be
    matched to field of view of imaging receiver
  • Does not make sense to interrogate sensor from
    which it cannot receive and vice versa
  • Unless aiming at parts of sensor
  • Interrogating beam and imaging receiver aimed
    (like a binocular) together as a unit
  • But passive transmitter can only receive light
    incident within a narrow angle
  • Small size sensor cannot employ (imaging/non
    imaging) optical transmitter in front of
    photodetector
  • Receiver is omni directional
  • Asymmetric situation!
  • Make sure sensor does not try to answer queries
    that cannot be received.

80
Link Directionality
  • Passive transmitter can only receive light
    incident within a narrow angle
  • Sensor can have multiple CCRs
  • Or one CCR with MEMS aiming
  • Base station can sweep beam regularly in 3
    dimensions
  • Like polling slaves in IEEE 802
  • Should poll in areas where sensor readings are
    changing rapidly
  • To get statistically meaningful samples
  • High-latency communication
  • Active transmitter can guide sweep
  • Sensor uses (high-power) active transmitter to
    send to base station
  • Base station aims in direction from where signal
    came
  • Sensor uses low-power passive transmitter for
    subsequent transmission

81
Line of Sight Problem
  • Communication via base station possible when
  • Line of sight
  • Beam aimed at sensor
  • Increases with sensor density
  • Multi-hop routing
  • Increases latency
  • Need active optical transmitters
  • Laser diode with beam steering
  • Low complexity → ad hoc routing
  • Base station can keep polling moving sensors
  • Redundant sensors can be employed
  • One of replicated sensors has line of sight to
    base station
  • Increases sensor density

82
Multi-hop Routing Mechanisms
  • Four way handshake between A and B
  • A: Can you see me?
  • B: Yes. Can you see me?
  • A: Yes
  • B: OK
  • Standard routing tables assume symmetric connection
  • Routing tables very dynamic in presence of moving
    sensors

83
Base Station nature
  • On a handheld
  • Aimed like binoculars
  • On a flying vehicle

84
Sensor Applications
  • Record data for research in meteorology,
    geo-physics and planets
  • Semiconductor processing plants
  • Rotating machinery
  • Wind Tunnels
  • Anechoic chambers
  • Monitoring insects
  • Verification of treaty compliance
  • Detection of passing vehicles
  • Detection of chemical/biological agents