I’ve tried to condense my notes from the study for CWAP-403 exam. The exam consists of lot of details which need to be learnt if you have not done enough capturing and analyzing 802.11 wireless frames before.
Spectrum Analyzer – comprises of 15% syllabus for CWAP-403 exam. You can roughly expect around 9 questions from this section. Spectrum Analyzers range in price from a few hundred $ to thousands. They are not free to use like in the case of Wireshark etc..
I was unable to source spectrum analyzers easily and ended up not reading thoroughly on this topic My first attempt for CWAP-403 exam did not achieve the required passing score. I scored 44% on this section, hence I am writing this blog post to strengthen my understanding and also for those who are on the lookout for studying and understanding the concepts. The knowledge that is tested around this section comprises mainly around the terminologies related to Spectrum Analyzers and the understanding the patterns in tables/layouts displayed in the application.
The terminologies include Duty Cycle, Sweep Cycle, FFT, Resolution Bandwidth, Utilization, Domains and a few more. An understanding is required to demonstrate that one is able to locate the interfering devices and recognizing patterns using various Spectrum Analyzer applications.
A few known concepts before diving into Spectrum Analysis.
Cycle / Wavelength : A wave form which starts
at the center, climbs in energy to the highest point, called the peak; returns
to the center; then drops to the weakest point, called the trough and then
continues till it finally attenuates and looses the energy. Wavelength is often
measured from peak to the next peak.
Amplitude : Determined by the height, force or
power of the wave.
Frequency: Number of cycles within one second. E.g. 2.4GHz generates 2.4 billion times of cycles every second.
λ = Wavelength C = Speed of light (186000 miles per second) 2.4 GHz = 12.5cm 5 GHz = 6cm
Free Space Path Loss (FPSL) – Loss of signal as
it travels through free space. This is a theoretical value, as in the real
world, there may be many obstacles, reflection, scatter which need to be
accounted when estimating the signal at a location. FPSL is based on inverse
square law, originally developed by Isaac Newton. You don’t need to know below
formula for the exam.
FSPL = 36.6 + (20log10(f)) + (20log10(d)) FSPL = path loss in dB f = frequency in MHz, d = distance in miles between antenna
RF Mathematics
dB is logarithmic
ratio of values
We add gains +3dB = x2
We subtract losses -3dB = /2
We add gains +10dB = x10
We subtract losses -10dB =
/10
dBm is power measurement
relative to 1mW
dBi is the forward gain of an
antenna compared to istropic antenna.
RSSI
RSSI is a metric that is specified by measuring the amount of energy associated with the bits received via wireless NIC.
Noise Floor
Background level of radio energy that exist in a medium on a specific channel which is analyzed.
SNR
SNR can be presented as a dB value or as the difference between the RSSI(signal) and the noise floor(noise). High SNR is better performance.
Receive Sensitivity
Receive Sensitivity refers to the power level of an RF signal required to be successfully received by the receiver radio.
Wireless NICs
Use Antenna and coding filter to keep out of unwanted RF and bits.
Will use some of the specific information gleaned from the RF to bit transition process to actually add info to the wireless frame.
The additional information is added to the receiving station and known as Radiotap Header.
All the info shown on the Radiotap Header is in reference to “receiving station” and “not transferring station”
The Hardware
Mobile / Integrated
Mobile spectrum analyzers like protocol analyzers use the adapters present in laptops.
Integrated spectrum analyzers use APs to monitor the RF.
Popular mobile analyzers include AirMagnet, Spectrum XT, Metageek Wi-Spy DBx etc..
Integrated spectrum example may include Cisco Clean Air software to pull spectrum data from the AP.
The Software
Three popular applications available for mobile analysis, they are AirMagnet Spectrum XT, Metageek Chanalyzer, Cisco Spectrum Expert.
Spectrum Analysis Terminology
Duty Cycle
Duty Cycle indicates the fraction of time a resource is busy.
FFT (Fast Fourier Transform) Duty Cycle measurements are important way to determine potential interference/impact of an RF transmitter on WLAN operations. Duty cycle measures the amount of time in which the amplitude is above some arbitrary threshold. Threshold can vary from each software. (such as -95dBm, or 15dB above noise floor or -75dBm).
Sweep Cycles
In higher end spectrum analysis tools, a sweep is measured as a single scan of the bandwidth span. So if one is measuring 100 MHz of spectrum, a sweep is how long it takes to scan that 100 MHz band a single time.
For e.g. a real-time FFT plot shows amplitude (Y axis) plotted over frequency (X axis). Within the real-time FFT chart, there may be a trace for the maximum amplitude over the last sweep or possibly a “max hold” over all previous sweeps. When the plot updates after the next sweep, the data will be refreshed with new information and will be relative to the previous sweep.
Resolution Bandwidth
RBW is a reference to the smallest frequency that can be resolved by the receiver.
RBW should be low enough to resolve spectral components of the transmission being measured.
Waterfall Plots
Same data from FFT plot but adding the time dimension.
A waterfall plot is a three-dimensional plot in which multiple curves of data, typically spectra, are displayed simultaneously.
Waterfall plot using Chanalyzer
Wi-Fi Integration
As spectrum analysis tools have improved and developed, more emphasize is given on data reporting and analysis have moved tighter integration and correlation with Wi-Fi information.
RF Signature Characteristics
Shape
Patterns
Uniqueness
Frequency
Pulse vs. Constant
Duty Cycle
Frequency Hopping
I have not documented individual interference examples from various sources. This is nicely documented on the metageek website and you can click here for references.
EXAM MOMENT: When locating devices, use a directional antenna to aid in the location of the signal source. Study about Duty Cycles, FFT, Swept Spectrogram and other interference patterns.
This blog
post will be focusing on 802.11ac in particular. We visited the aspects of
802.11n in the last blog post.
802.11ac
introduced the VHT (Very High Throughput) along with some core technological
advancement like MU-MIMO, 256 QAM addition & support for 80MHz/160MHz
channels. One of the key differences also lie in the support of only 5GHz band.
So there is still a dependency on 802.11n for 2.4Ghz support, however the
upcoming 802.11ax will support both 2.4GHz and 5GHz.
Multi-user MIMO
One of the greatest potential of 802.11ac
Prior to this all the 802.11 standards used single user.
If there are two receivers located in sufficiently different directions, a beamformed transmission may be sent to each of them at the same time.
Enables better spatial reuse. As per the below example, the MU-MIMO builds on small-cell approach by enabling even more tightly packed networks. As a result AP can send independent transmissions within its own coverage area. Just as 802.3(Ethernet) reduces collision domains, MU-MIMO intends to reduce spatial contention of transmissions.
802.11ac Wave 1 and 2 – The first wave of 802.11ac products will
be driven by the enthusiasm for higher speeds. APs will typically have three
stream capabilities, but with 802.11ac providing 80 MHz channels and 256-QAM
modulation, the speed will go from 450 Mbps to 1.3 Gbps. The second wave of
802.11ac products will add even wider channels and possibly even multi-user
MIMO support, as outlined in the figure below.
The PHY
#Channels
OFDM based transmission, 802.11ac divides the channel into OFDM sub carriers each 312.5kHz
To increase throughput, 802.11ac introduces two new channel widths. Supports 80MHz and further added 160MHz channel option for even higher speeds.
802.11ac channels have exactly the same shape as previous OFDM channels (802.11a,g,n)
MCS & GI
MCS Index tends to be much simpler than 802.11n. First 7 are mandatory and others are supported.
802.11ac retains the ability to select a shortened OFDM guard interval if both Tx and Rx are capable of processing it. The GI shrinks from 800ns to 400ns, providing a 10% boost in the throughput.
VHT Signal Fields
The
purpose of the Signal Field is to help the receiver decode the data payload,
which is done by describing the parameters used for transmission. 802.11ac
separates into Signal A and Signal B fields. For CWAP purposes this has not
been dealt in depth. There are 2 parts in VHT Signal A field are referred as
VHT-SIG-A1 & VHT-SIG-A2.
SIGNAL A
Bandwidth
0 – 20MHz, 1 – 40MHz, 2- 80MHz & 3 – 160MHz
STBC
If the payload is encoded with STBC (Space-time block coding may be used when the number of radio chains exceed the number of spatial streams, it tx a single data stream across 2 spatial streams.) for extra robust-ness, this field is set to 1, otherwise will be 0.
Group ID
Frames to AP > group ID =0
Frames sent to STA Client > group ID = 63
Number of space-time streams
Starts from 0, e.g. if field is set to 3, then there are 4 space time streams.
Partial AID
Last 9 bits of the BSSID.
Transmit power save forbidden
Field will be 0, if AP in network allows client to power off radios when they have opportunity to transmit frames. Otherwise will be 1.
Short GI – Field set to 1 for 400ns, 0 for otherwise.
Short GI disambiguation – Extra symbol may be required denoting 1 or 0 for not required.
Coding – Field is 0 when convolutional coding is used to protect the data field, 1 when LDPC is used.
LDPC Extra Symbol – Field is set to 1 if extra symbol is required.
MCS – MCS Index value of the payload.
Beamformed – If matrix is applied to the transmission, the bit is set to 1 otherwise set to 0.
CRC – Error correction
Tail – 6 zeros are included to terminate the convolutional coder that protects the Signal A field.
SIGNAL B
Used to setup the data rate, as well as tune in the MIMO reception.
Frame
aggregation was introduced in 802.11n, 802.11ac however adds an interesting new
take on the aggregation. All frames transmitted use the aggregated MPDU
(A-MPDU) format. Even the single frame transmitted in one shot is transmitted
as aggregate frame.
Management
Frames
VHT
Capabilities Information element.
VHT
Operations Information element
NOTE:
Greenfield mode was offered with 802.11n. The
efficiency gains from greenfield mode were often lost because airtime-devouring
CTS-to self
messages were
required before transmitting in the greenfield mode. As a result, greenfield
mode was removed from 802.11ac.
Beamforming Basics
As 802.11ac beamforming is based on explicit channel measurements, both the transmitter and receiver must support it.
Any device that shapes its transmitted frames is called beamformer, receiver of such frames is called beamformee.
The AP initiates frame exchange with the STA, which helps it to measure the channel. The result of the channel measurement is a derivation of the steering matrix.
Steering Matrix describes how to setup each element of transmitter’s antenna system to precisely overlap transmissions to reach farther.
To steer transmissions in a particular direction, a beamformer will subtly alter what is transmitted by each array. A simple phase shift can alter/steer the transmission.
Null Data Packet (NDP) – Standardizes
beamforming methods. 802.11ac method of beamforming is termed as null data
packet sounding. Sounding is the term used to denote the process performed by the transmitter to acquire
channel state information (CSI) from each of the different users by sending
training symbols and waiting for the receivers to provide explicit feedback
containing a measure of the channel.
VHT beamformer shall
initiate a sounding feedback sequence by transmitting VHT NDP announcement
frame followed by a VHT NDP after a SIFS.
SU Beamforming
Begins with the beamformer sending a NDP announcement packet followed by NDP. The NDP has fixed known format. The beamformee receives the NDP, analyzes it and computes back in form of feedback matrix. The feedback matrix is sent in reply to the NDP in the form of compressed beamforming frame (CBF).
MU Beamforming
As opposed to Tx to one device, MU-MIMO Aps are capable of simultaneously transmitting data to multiple device groups.
The key distinction between them is that with MU-MIMO beamforming and beamformer requires a response from all beamformees in order to conclude channel sounding.
The CBF packet is 802.11 action frame which contains a channel matrix that specifies the CSI for each client. The CBF is the largest contributor to the overhead caused by MU-MIMO transmission and is size is determined by
The blog post will cover the topics related to High Throughput Throughput technologies in conjunction with the exam objectives laid down for CWAP-403 exam. 802.11 Frame Exchanges cover 25% of the knowledge domain required for the exam. Analysing HT & VHT transmission methods are one of the sub topics under this section. I will be focusing on the HT/802.11n type in this blog, apparently it has gone a little longer than i thought. There are certain section which might take further reading from 802.11n Survival Guide if you are keen.
Transmit Beamforming (TxBF) – Tx(Transmitter) Radios multiple antenna can transmit in the best direction of the Rx (Receiver).
Spatial Multiplexing (SM) – Tx multiple radios at the same time with each unique stream containing different data.
Space-Time Block Coding(STBC) – Transmitting redundant copies of data stream from different antenna thereby increasing the signal quality.
Antenna Selection (ASEL) – Increase signal diversity by dynamic selection of antennas.
Spatial Multiplexing
Takes advantage of multipath (when signal tends to reflect, scatter, diffract or refract).
Multiple streams follow different paths to the receiver because of the space between the transmitting antenna is known as spatial diversity and is also called as spatial multiplexing.
When using SM, both Tx and Rx should participate and be MIMO systems.
HT Channels
Use 20 MHz OFDM channels.(NON-HT)
Each 20MHz OFDM channel contains 64 subcarriers which are each 312.5 KHz wide and can be separately modulated.
First 6 & Last 5 sub carriers are null as they act like guard band for the channel + center subcarrier is also null. This leaves 52 subcarriers.
Out of 52, 48 transmit data while 4 used in dynamic calibration between Tx and Rx.
20MHz OFDM channels (HT)
Each 20MHz OFDM channel has 56 subcarriers, 52 transmit data, 4 are used for calibration between Tx and Rx.
40 MHz Channels
Use 114 OFDM subcarriers, 108 transmit data, 6 are used for calibration.
A 40MHz channel doubles the frequency bandwidth available for transmission of the data.
A 40MHz channel used by HT radios essentially 2x 20MHz OFDM channels bonded together.
Modulation and Coding Scheme (MCS Index)
Value that describes the number of spatial streams, modulations (BPSK, QPSK, 16-QAM or 64-QAM and further) and error correction code used in Tx.
802.11n supports equal modulation, in which all SS are transmitted in same manner, and unequal modulation, in which the spatial streams may be modulated differently.
802.11n defines 77 different combinations of modulation and coding.
There are 8 mandatory MCS for 20 MHz HT channels.
Guard Interval (GI)
The GI is the space between the symbols being transmitted.
May be confused with IFS, the GI is there to eliminated inter-symbol interference where is referred to as ISI.
ISI happens when echoes from one symbol interfere with another.
A good rule of thumb specifies that GI should be 4x the highest multipath delay spread. When 802.11a was designed, designers used conservative value of 200ns for the delay speed, and choose to make the GI 800ns.
HT PHY
I’ve discussed this topic in details under this blog post.
Wi-Fi Alliance
Before the 802.11n amendment was ratified, the HT technology was already being certified and sold. The Wi-Fi alliance had developed a vendor certification program called Wi-Fi CERTIFIED 802.11n draft 2.0. The Cert Program as name suggested, certified products against the amendment. Draft 2.0 supports a max data rate of 300Mbps which is half max data rate specified in ratified document.
Details about the Wi-Fi certified “n” features can be found here
HT Control Field
The 802.11n amendment adds a new field in 802.11 MAC header, called the HT Control Field. It is 4 octets long and follows QoS control field in 802.11 MAC header.
Any MPDU that contains an HT control field is referred to as +HTC MPDU.
The Order Bit – The 802.11n amendment uses the existing but relatively unused order bit in the Frame Control field of the MAC header to indicate the presence of an HT Control Field in QoS data & management frames. Original purpose of this bit was to indicate that data muse be sent using a strict ordered class of service.
Control Wrapper Frame – is/are described using the carried frame name + HTC, for example RTS+HTC or CTS+HTC
HT Control Field Format – figure below shows the format of HT Control field. (Honestly some of the stuff went way over my head but might have to figure this out by looking at a few pcaps & studying them :|)
Link Adaptation Control (16 bits)
TRQ – Training Request > Set to 1 to request the responder to transmit a sounding PPDU. Set to 0 to indicate that the responder is not requested to transmit a sounding PPDU.
MAI (MCS Request (MRQ) or ASEL Indicator) – When set to “14”, it is an ASEL indicater which indicates that you would interpret the MFB/ASELC subfield as an ASEL command.
MFSI – MCS Feedback Sequence Identifier- A MCS Feedback (MFB) frame is sent in response to a MCS Request.
MFB/ASELC – MCS feedback and Antenna Selection Command -When ASEL indicator is present, the MFB/ASELC subfield interpreted as ASELC subfield. Otherwise it is interpreted as MFB subfield. A value of 127 indicates that no feedback is present
Calibration Position (2 bits)
Set to 0 indicates this is not a calibration frame.
Set to 1 indicates calibration start.
Set to 2 indicates sounding response.
Set to 3 indicates sounding complete.
Calibration Sequence – Each of the four packets within the calibration exchange will have the same sequence number.
CSI/Steering – When using sounding frames to transmit feedback about the channel, the Channel State Information (CSI)/Steering subfield identifies the type of feedback being used.
NDP Announcement – indicates that an NDP will be transmitted after the frame. It is set to 1 to indicate that an NDP will follow; otherwise, it is set to 0. NDP are used to send sounding PPDU when no other data needs to be transmitted. If a frame transmitted that require an immediate response and also has the TRQ=1 (request for sounding PPDU) then receiver can either transmit the MPDU response withing a sounding PPDU or send the response MPDU with the NDP Announcement bit set to 1, indicating that NDP will be transmitted following the current PPDU.
Reverse Direction Protocol – 802.11n amendment which improves the efficiency of data transfer between STAs.
Can be seen in Beacon, Probe Req/Response, Association Req/Response & Reassoc Req/Response.
You can figure out the MCS values supported by the 802.11n AP from this section in the pcap.
Determine A-MPDU parameters
HT Operation Element
STA operation within an HT BSS environment.
Found in Beacon, Reassociation Response, and Probe Response frames transmitted by an AP.
HT information elements
Primary Channel, Secondary Channel Offset and STA channel width. – When the Supported Channel Width Set subfield is equal to 1(as in above), indicating a 20/40 MHz BSS, then the Primary Channel field indicates the primary channel number. – Secondary Channel – Directly above or below the primary channel.
Protection Mechanisms – To ensure backward compatibility with older 802.11 a/b/g radios, an HT access point will operate in one of four protection modes. 00 in above pcap example.
RIFS mode – The 802.11e QoS amendment introduced the capability for a transmitting radio to send a burst of frames during a transmit opportunity (TXOP). (prohibited in above pcap case).
Basic MCS Set – Last in Operations element, similar to MCS set field in HT Capabilities Element.
I have pen down a some troubleshooting scenarios which I’ve come across while studying for CWAP exam.
To begin with,
Management Frames > Foundation of how wireless radios detect, join and operate on WLAN. Control Frames > Frames which control the delivery of Data frames. Data Frames > Carry actual data payload from/to layers 3-7.
Some scenarios which frames can provide an insight for.
Client Roaming Observations – In some cases, there might be some issues with clients not able to perform seamless roaming or the roaming might be delayed when client moves from one AP to another. In some cases we may need to find which type of roaming method are supported by the AP to diagnose other issues. Let’s see how the frames can help.
To find the roaming handoff time from one AP to another we have to examine the frames from type > Reassociation Type to the completion of 4-way handshake. E.g. frame below
Total roaming time can be calculated by subtracting the EAPOL M4 time (0.105180) with Reassociation Request Frame(.003857)= .101323 ~ approx. 101ms
Type of roaming method can be deduced from the Tagged Parameters set in 802.11 Wireless LAN section. Below example uses Over-the-air Fast BSS, value of 1 will denote it using Over-the-DS BSS.
Management Retries – Generally anything under 20% of Management retries in the network is considered OK or acceptable. There is no set vendor recommended management retry. In a prod environment it is bound to have certain % of retries even if the AP or Client placement/AP Tx Power/Interference and Channel settings are set to optimal. In any case anything over constant 20% retries could indicate some concerns in the WLAN environment which need investigation.
We can also check this on the Wireshark IO graphs as below to highlight the management retries. Below network has lot of management retries and needs further investigation
Duration/ID field
16 bits in length, used for virtual carrier-sense, legacy power management & contention-free period.
In the below RTS frame, the duration value is 2048ms. The radio is asking for permission to reserve airtime to pending transmission. The receive radio can allow or deny this request. But higher duration value can indicate the delays it is causing in allowing/denying the request. This can cause some weird behavior in client operation, may also cause disruption in network services. We have to closely check the change log on the WLAN environment. If this is a result of some WLAN controller/AP software update or other updates which may cause the issues. Also NOTE: Please check the device and not always high duration value can be a problem.
Null Data Frames / Power Management
The null
data frames are in fact not null as per their description. They can help in
troubleshooting few WLAN issues. Null data is categorised under control frame.
It is only transmitted from a STA/Client. The sole purpose is to carry power
management frames controlled field. The power management bit will either be set
to 0 or 1. Below are the examples.
STA = 0,
it is informing AP that it(STA) is In active power state (awake) and
transmission of frames from AP to STA should be normal.
STA =1,
is informing AP that it is going offline and any frames that come into the AP
from this STA should be buffered at the AP till the STA returns and sends a
NULL frame of 0, active state.
PSM >
Power Save Mode allows the client STA to go into sleep mode. It can essentially
turn of the NIC functions including the radio thereby consuming less battery
and conserving it. Some devices can benefit from this but there are some which
may have aggressive power save mode options. So one needs to check the client
driver details to troubleshoot any issues relating to client.
Some
known issues with Power Management are described in below links
Another
reason why client STA may inform AP about changing the bit to 1 is when it is
roaming. Suppose client has reached the roaming limits of the AP it was
connected to and wants to switch to the nearby one, in order to to this it may
go off the channel sending the buffer frames signal to AP and resume its
connection.
This blog post will focus on tools I’ve used for performing Wireless Frame Captures. I’ve been largely dependent on Macbook for capturing the wireless frames. I would highly suggest you for sourcing a Macbook for frame capture as Windows PC option involves getting a third party WLAN pcap which is not cheap. Thank you Apple for making it possible to capture frames natively on Mac.
The Hardware
Macbook Pro
Other Utilities Required/Recommended.
Wireshark is available as free tool to download. It is highly recommended to optimize it using the wireless configuration profiles available at Metageek. This is our primary tool for capturing and analyzing the frames.
It is recommended to add (Absolute Time, Relative Time & Delta Time) values on the Wireshark as it is important when analyzing the wireless frame analysis. In roaming scenarios, one may need to acquire the time it took for a client to move between one AP to another.
Airtool is also available for free. This tool is not mandatory but good to have. Since it is free, then why not? It helps capture frames on few mouse clicks and helping you easily move them analyze them on wireshark or via online (Packets)
Packets (Arista) – Phenomenal tool for analyzing the frames. Birds eye view of various frame types in the wireless environment, management retries, problem clients etc. Free account available up to 100MB of pcap (more than sufficient for your CWAP studies).
WiFi Explorer – Highly Recommended if you can purchase, the professional version costs around $20 USD. Can really help with identifying the WLAN discovery and metrics of the environment.
If you own an iPhone or iPad, one can configure Wi-FI Diagnostics on the phone. Thanks for George Stefanick for explaining it so nicely.
802.11 Frame Exchanges section account for 25% of syllabus for CWAP-403 exam. Potentially around 15 questions out of 60 in the exam can be expected from this section. This blog post focuses on the “security” component of 802.11 Frame Exchange. I will be focusing on other sections in the subsequent posts in the next week or two. Let’s begin!
Authentication
1st
step required to connect to 802.11 BSS. Both authentication and association
must occur in order to successfully pass wireless traffic over to the AP and
further. IEEE 802.11i-2004 defines RSNA. Open System & Shared Key
Authentication are Prior to RSNA (Pre-RSNA) methods. The
802.11 authentication merely establishes an initial connection between the
client and the access point, basically validating or authenticating that the
STA is a valid 802.11 device.
Open System Authentication > Allows any device to authenticate and then attempt to communicate with the AP. The STA can communicate only its Wired Equivalent Privacy(WEP) keys match the AP
Shared Key Authentication > Not used anymore. Requires static WEP key configured on STA and AP.
Open
System authentication and association between client STA and AP occurs prior to
802.1x/EAP authentication exchange between client STA and Radius server.
WLAN Encryption Methods
WEP
Pre-RSNA
Weak / Vulnerable / No Protection against replay attacks
Open/Shared Authentication
TKIP (Temporal Key Integrity Protocol) (RSN)
Uses dynamically created encryption keys as opposed to static keys.
128-bit temporal key can either be a pairwise transient key (PTK) or group temporal key (GTK) used to encrypt
WPA-PSK & WPA-Enterprise
Can be vulnerable against certain attacks.
CTR with CBC-MAC Protocol (CCMP) (RSN)
CTR – Counter mode is used for data confidentiality
CBC MAC(Cipher-block chaining message authentication code) is used for integrity.
Used with AES block cipher suite with 128 bit key
SAE (Simultaneous Authentication of Equals)
Uses SAE known as Dragonfly Key Exchange, with forward secrecy feature
WPA3 Personal – 128 Bit SAE, Enterprise – 192 bit SAE
Not Vulnerable to KRACK attacks and offline dictionary attacks.
The info
that is protected by these L2 encryption methods is data found in layers of
3-7. L2 encryption methods are used to provide data privacy for 802.11 data
frames. These methods encrypt MSDU payload of an 802.11 data frame.
Security Protocols
WEP
TKIP (WPA)
CCMP (WPA2)
OWE (Opportunistic Wireless Encryption)
Cipher
RC4
RC4
AES
AES-GCM
& Elliptical Curve Cryptography
Key
40/104
bits
128
bits
128
bits
192
bits
Authentication
N/A
IEEE
802.1X/EAP/PSK
IEEE
802.1X/EAP/PSK
WPA3
Personal / Enterprise
Data
integrity
CRC32
MIC
CCMP
Secure
Hash Algorithm-2 for each input
IV
Length
24 bits
48 bits
48 bits
24 bits
RSNA (Robust Security Network Association) First published & ratified as IEEE 802.11i-2004, defined stronger encryption and better authentication methods. Now part of 802.11-2007 standard. Association between two stations is referred to as RSNA which means the two radios should share dynamic encryption keys that are unique between those two radios. CCMP/AES s mandatory, TKIP RC4 is optional. All client stations have to undergo a unique RSNA process called the 4-way handshake.
The RSN
information element field is found in 4 management frames: beacon, probe,
association request and reassociation request frames. Client STA use the
association request frame & reassociation request (in case of roaming
to/from) to inform the AP about their security capabilities.
RSN
information element – AES(CCMP) used in the below frame example.
802.1X
The
802.1X standard is port-based access control standard which provides an
authorization framework that allows or disallows traffic to pass through port
thereby granting access to the network resources. 802.1X can be implemented in either
wireless/wired environments. The L2 protocol called EAP (Extensible
Authentication Protocol) is used and consists of 3 major components of this
framework.
Supplicant > Client STA
Authenticator > AP or WLAN Controller.
Authentication Server > Usually Radius(NPS), ISE (Cisco)
EAP
Defined
in IETF RFC 2284 and ratified in the IETF RFC 3748, provides support to many
authentication methods.
L2 Protocol
Two way authentication also called as mutual authentication.
EAP messages are encapsulated in EAP over LAN (EAPOL)
Five major types of EAPOL messages as shown below
EAP Protocols
The
stronger and more commonly deployed methods of EAP use TLS (Transport Layer
Security) or TLS-tunneled authentication. EAP-MD5 and EAP-LEAP have only 1
supplicant identity making them weaker EAP types. EAP-TLS uses 2 supplicant
identities – outer and inner identity. The outer identity is effectively a
bogus username and can be seen clear text, and then inner identity is the true
identity protected with TLS tunnel.
Table describes all the protocols with their characteristics.
802.1X EAP TypesFeature / Benefit
MD5—Message Digest 5
TLS—Transport Level Security
TTLS—Tunneled Transport Level Security
PEAP(WIDELY USED)Protected Transport Level Security
Difficult
(because of client certificate deployment)
Moderate
Moderate
Moderate
Moderate
Wi-Fi Security
Poor
Very
High
High
High
High
High when strong passwords are used.
4-Way Handshake
802.11-2007
standard requires EAPOL-Key frames be used to exchange cryptographic
information between STA supplicants and the authenticator, which is usually an
AP. EAPOL key frames are used for the implementation of three different frames
exchanges: 4-way handshake, group key exchange & peerkey handshake. 4 way
handshake is the final process used to generate pairwise transient keys (PMK /
GTK) for the encryption of unicast transmissions and the group temporal key for
encryption of broadcast/multicast transmissions.
The 4-way
handshake uses pseudorandom functions, it hashes various inputs to derive a
value (PRF). The PMK is one of the inputs combined with other inputs to create
the pairwise transient key (PMK). Some of the other inputs used by the PRF are
called nonces. A nonce is a random numerical value that is generated one time
only. In the case of 4-way handshake, a nonce is associated with the PMK. Two nonces are created in 4-way
handshake – authenticator nonce (anonce), supplicant nonce (snonce).
Authenticator sends EAPOL-Key frame containing “anonce” to supplicant
With this info, supplicant have all the necessary input to generate PTK using PRF
M2 –
Message 2
Supplicant sends an EAPOL-Key frame containing “snonce” to the authenticator
Authenticator has all the inputs to create PTK
Supplicant also sends RSN IE capabilities to Authenticator & MIC (message integrity code)
M3 –
Message 3
If necessary, Authenticator will derive GTK from GMK
Authenticator sends EAPOL-key frame containing “anonce”, RSN-IE and a MIC.
GTP (encrypted with PTK) delivered to the supplicant.
Message to supplicant to install temporal keys.
M4 –
Message 4
Supplicant sends final EAPOL-key frame to authenticator to confirm temporal keys have been installed.
Group Key Handshake
The
802.11-2007 standard also defines a two-frame handshake that is used to
distribute a new group temporal key to client STA that have already obtained a
PTK and GTK in a pervious 4-way handshake. The GKH is used only to issue a new
group temporal key to client STA that have previously formed security
associations. Effectively GKH is identical to M3/M4 in 4 way handshake.
Fast BSS Transition (FT)
Published
in 2008, 802.11r – technical name for standardized fast secure roaming. An
Amendment to improve handoff from one AP to another. The handoff is the same
with or without 11r, the device is what ultimately decides when and where to
roam. 802.11r are often discussed in
context with WLAN controller architecture. Mobility domain is a group of AP
that belong to the same ESS where the client STA can roam in a fast and secure
manner. FT BSS transitions can happen over-the-air or over-the-DS (Distribution
System).
FT over-the-air (AP to AP, Same Controller)
Client associates with AP1 and requests to roam to AP2
Client sends a FT authentication request to AP2 and receive FT authentication response from AP2.
Client sends FT reassociation request to AP2 and receives FT re-association response from AP2.
Client completes the roaming from AP1 > AP2
FT over-the-air
(AP-CONTROLLER|CONTROLLER-AP)(Inter-Controller)
Step 1 & 2 similar to above steps.
WLC1 ends PMK and mobility message to WLC-2 about the roaming client that uses mobility infrastructure.
Client completes the roaming from AP1 > AP2
FT over-the-DS (AP to AP, Same Controller)
Client Associates to AP1 and requests to roam to AP2
Client sends a FT authentication request to AP1 and receives a FT authentication response from AP1
The controller sends the pre-authentication info to AP2 as the AP are member of same controller.
Client sends a FT re-association request to AP2 and receives a FT re-association response from AP2.
Client completes its roaming
FT over-the-DS (AP to AP, Different Controller)
Step 1 and 2 are similar to above steps.
WLC-1 sends PMK and mobility message to WLC-2 about the roaming client
I’ve always wanted to write about “Running” as a focus on health/fitness regimen. Running is one of the best forms of cardio exercises which can improve overall health. I’ve been running for the past 10+ years. The maximum i’ve run is 22kms~13.1 miles for a half marathon. I normally don’t run any less than 3-5kms in a given run. Generally make sure that I run 2x 10kms and around 5x 5kms in a month. As they say quite right about ‘Health being the best form of Wealth’ anyone can possess. Running also provides much needed stress relief and provides clarity in thinking helping you with effective decision making.
I’d like to provide some tips which can benefit you with running. This article is aimed at people who starting on the course of their journey to be more fit and improve their overall training which can help with achieving the health/fitness goals.
Always Hold the Vision > If you aim to run tomorrow have the vision of completing it in your mind the night before. Envision the track or the trail and see yourself completing it. I’ve seen this help a lot as its important for your brain assimilate your goals.
Invest in good Running Shoes > I’ve learnt that running shoes play a major role when it comes to running and sustainability. Incorrect shoe size or uncomfortable shoes can lead to short/long term foot injury and issues. Good shoes may cost you at the time of purchase but the benefits outweigh as they provide the much needed comfort while running enabling you to run for longer without any injury and pain.
What to eat and not> Don’t eat a heavy dinner/meal the night before you plan for the run. Green leafy veggies salad with beetroot can help with sustainability and pace for the running. Believe it or not Beetroot can do wonders for running as it is packed with nitrates which can increase the blood flow capacity and lowering the amount of oxygen muscles need. Even if you end up eating other than salad make sure you have it 3 hours before the bedtime. Don’t eat or drink anything new before or during the workout.
Aim to get 6-8hours of Sleep > Sleep is important, especially a longer sleep cycle ensures that your body goes through the REM state enabling your digestion process to complete and making your muscles rest so that they are prepared for the run.
Bowel Clearance > This is an important element, the gut has to be happy so that you can focus on running. Ensure you drink a warm/hot glass of water upon getting up in the morning helping you with clearing the bowel.
What gets measured gets improved > I am sure you have a smart phone or perhaps a smart watch as well. I am not saying this required all the time but it is good to have your run/activity tracked. Tracking helps you know where you stand and helps in improving the performance. I’ve been using Fitbit and Strava for recording the activity.
Utilities – Carry a bottle of water if you are new to running. Hydration is very important for any physical activity. Make sure you put on some sunscreen to block harmful UV if you are running between 9am to 5pm. If you are running for 10+ KMs, might pay to carry a small sack containing a couple of bananas and some peanuts. That’s the best natural energy bar you can have without spending much money. Wear according to the forecast/temperature in your area. Don’t wear too much warm attire/clothing because we tend to warm up soon.
Don’t forget the Warm-up & Stretch > Before commencing the run perform some warm up exercises, this can include some push ups or pull ups. After completing the run/activity make sure you perform some stretching exercises to relieve the muscular tension. I’ve seen that missing the stretching routine can cause leg sprains.
Accounts
for 10% of the CWAP knowledge domain areas, approx. 6/60 questions
Medium Contention :Protocols that allow large number of devices to effectively share the wireless channel. All AP & STAs will contend with each other on a common transmission medium.
CSMA / CA – The AP/STAs (802.11) use carrier
sense multiple access with collision avoidance as opposed to collision
detection used by the Ethernet (802.3) realm.
802.11
devices must avoid multiple devices transmitting simultaneously over a shared
medium which can cause failed transmissions. Wireless mediums cannot detect
collision but find ways to avoid them. Collision handling is not straight
forward and may be time consuming at times. Hence one of the reasons that
802.11(WLANs) have much lower throughput-to-data rate ratio than 802.3(Wired
LANs).
CSMA/CA
uses DCF (Distributed Coordination Function) for non-QoS WLANs & HCF (Hybrid Coordination Function) for QoS
WLANs using EDCA (Enhanced Distributed Channel
Access).
There are
two carrier sense protocols used by the
stations to indicate whether a channel is busy or idle.
Physical Carrier Sense, also known as CCA (Clear Channel Assessment)
Virtual Carrier Sense, also known as NAV (Network Allocation Vector)
Both QoS
& non-QoS use either of the above protocols for transmitting data.
CCA (Layer 1) > Identify
whether the channel is unused and available prior to the packet transmission.
Channel Occupied = State of Busy ~ Energy Detection Levels.
Channel Clear = State of Idle
Apply to
802.11 modulation, if the AP or STA is too far away to detect any transmission
at requisite energy level, the CCA may go into the idle state even though the
channel is still occupied.
NAV (Layer 2) > is a timer that counts down
toward zero(0). When a device has a NAV value greater than zero, the device
says quiet. Once the NAV = 0, the medium is considered clear.
As
discussed earlier, CCA may fail to keep other devices on the channel quiet (Too
far transmitting device, obstruction, interference), the design of the NAV
keeps APs and stations quiet.
Duration
value in the 802.11 header set the NAV values for AP and STAs.
It is
vital for the AP and STA to stay with the RSSI data range in order to
successfully demodulate a transmitted frame so that the Duration/ID field in
the header can be accurately set.
Interframe Spaces
When 2 or
more STAs begin frame transmission at the same time in the idle environment,
collisions are bound to happen. Hence we have additional medium contention
protocols beyond CCA & NAV. These protocols must keeps AP and STAs quiet
like CCA/NAV & also allow differentiated medium access.
IFS is
the quiet period that AP & STA must wait before any 802.11 frame
transmission.
TIPS to
Remember!
If the contention has been completed, then a reduced IFS (RIFS) or short IFS (SIFS) will be used. Most cases it is SIFS but RIFS is only used between consecutive frames transmitted by 802.11n device.
If the contention/arbitration is not determined, then arbitration IFS (AIFS) or DCF IFS (DIFS) will be used. The AIFS is used for WLANs that support 802.11e QoS, and the DIFS is used for WLANs that do not support 802.11e QoS.
If an AP or STA has received a corrupted frame as defined by having an incorrect FCS, then extended IFS will be used.
PCF IFS (PIFS) is part of PCF and therefore not used in real world. (May be ignored for CWAP prep!)
802.11 FHSS network use 50ms slot time.
Steps involved for a STA to go through before starting the frame transmission in the wireless medium (Source : 802.11 Arbitration CWNP White Paper)
SIFS >
Foundation of all IFSs.
10ms for 802.11b/g/n (2.4GHz)
16ms for 802.11a/n (5GHz).
It is used after
contention/arbitration is completed. Exception being 802.11n device using
MIMO to transmit frames then RIFS is used.
RIFS >
Simplest IFS to understand.
Length is always the same 2ms.
Only for devices which use 802.11n/MIMO.
It precedes for only “data” frame.
DIFS >
Designed to force AP and STA with ordinary data in the queue to stay quiet for enough time to allow QoS frames to have access to the channel.
It is used when arbitration process has not yet completed.
DIFS is equal to length of SIFS + 2 slot times. Slot times are quiet periods, similar to IFS.
They are equal to 9ms for 802.11a/n/ac operating in 5GHz and 802.11g/n with 2.4GHz.
The 20ms slot is used if the HT or ERP is used with long preamble and 802.11b/g/n 2.4 GHz DSSS.
The short preamble is default setting when HT or ERP is used.
EIFS >
Designed to give AP and STA a chance to retransmit after a failed frame.
This happens when AP/STA failed to receive ACK after transmission.
EIFS = SIFS + DIFS plus the time taken acknowledge the frame to transmit.
802.11b/g/n(2.4GHz) using DSSS= 364ms, 802.11a/n(5GHz) & 802.11g/n (2.4GHz) = 160ms. EIFS is the longest of the IFS.
Near/Far Problem : STA closer to AP may cause
problem to STA at far. When data is transmitted between AP and nearby STAs they
can use higher data rate than far stations. (This is why STA dynamically switch
their data rates downward when moving away from the AP). The frame therefore
will appear to be corrupt even though it was successfully transmitted. The far
STA have to stay quiet for an EIFS at the beginning of the arbitration process,
while the near STA will be allowed to use the shorter DIFS.
PIFS > Equal to one slot time + 1 SIFS and
it is designed to give AP the chance to send the beacon in order to begin the
CFP (Contention Free Period). In real-world the PIFS is only used with Channel
Switch Announcement frame, which is one of the Action frames from 802.11h.
RANDOM BACKOFF
The
mechanism which prevents collision by differentiating 802.11 channel access is
the Random Backoff. Unlike the IFS, the random backoff is not static. It is the
period of time that changes based on a random number chosen by AP or STA.
AP and
STA stay quiet during the random backoff by randomly choosing a number of slot
times and then counting down until the number of slot times equal to zero.
Transmission resumes after slot time equals zero.
For the random backoff to work, there must be an upper and lower limit to the number of slot times that ca be chosen.
The lower limit is always 0. The upper limit for the random backoff is equal to the contention window (CW).
The CW is derived from the equation 2x – 1, where x is a value that increments with each failed frame. For DSSS-based networks, x starts at 5, which results in a CW of 31. For OFDM-based networks, x starts at 4, which results in a CW value of 15. For both DSSS and OFDM-based networks, the x value stops incrementing at 10, which results in a CW value of 1023.
Failed frames cause the contention window to grow exponentially. More quiet time means a less efficient channel thus causing latency and throughput issues.
QoS FRAMES
AIFS >
Used by QoS enabled STA to transmit all data, management, PS-Poll, RTS, CTS (when not transmitted as response to RTS), Block Ack Req and Block Ack (when not transmitted as a response to Block Ack Req).
Slot times in AIFS is called as AIFSN (slot number).
802.11e specifies Voice (AV_VO), Video (AV_VI), Background (AV_BK) & Best Effort (AV_BE).
Video and Voice = 2 Slot times
Best Effort = 3 Slot times
Background = 7 Slot times
Calculate AIFS for a given Access Category = AIFSN[AC] x Slot Time x SIFSTime
TXOP
Transmit Opportunity or TXOP is the amount of time a STA can send frames when it has won contention for the wireless medium. This is in relation to EDCA (Enhanced Distributed Channel Access).
When a STA sends QoS data, it must first contend for the access to the wireless medium.
STAs perform CCA and determine if the channel is idle. It must have its NAV set to 0. Then it must wait for the appropriate InterFrame Spacing.
Then it would wait for the contention window to complete. CW has 4 categories as discussed in the previous section. Each category has different TXOP.
![< IEEE 802.11ac Figure 22-19—VHT-SIG-A2 structure >
32
83
84-87
SU VHT-MCS/MU[1-3] coding
SU VHT-MCS
eam
Formed
Formed
Rese rved
Variable
818-823
BIO-B17
u
Composite Name
SU Name
MU Name
Bits
8 us
L-STF
BO-BI
Composite Name
SU Name
MU Name
Bits
Coding
OFDM PHY Modulation
MU[2]
Coding
MUC3]
Rese rved
Coding
VHT Modulation
Bus
L-LTF
83
4us
VHT
L-SIG
84 ag
8 us
VHT-SIG-A
NSTS
MUCO]
NSTS
Bus
BIO-B2
NSTS/Partial AID
Partial AID
822
823
MU[I]
NSTS
MU[2]
N STS
MUC3]
N STS
< IEEE 802.1 lac Figure 22-18—
VHT-SIG
-Al structure >](https://i0.wp.com/keepcalmandping.online/wp-content/uploads/2020/02/image-17.png?w=1600&ssl=1)
![FIGURE 10.2
-123456789“
MuItiple spatial streams
мно
-123456789“
ммо
c]ient](https://i1.wp.com/keepcalmandping.online/wp-content/uploads/2020/02/image-8.png?w=1600&ssl=1)
![IEEE 8ø2.11 Request-to-send, Flags: ..... ...C
Type/Subtype: Request—to—send (Oxøølb)
v Frame Control Field: exb40e
. .øø = Version: 0
= Type: Control frame (1)
= Subtype: 11
løll
Flags:
øxoo
. .øø = DS status: Not leaving DS or network is operating in AD—HOC mode (To DS:
ø . — More Fragments: This is the last fragment
— Retry: Frame is not being retransmitted
- PWR MGT: STA wilt stay up
. = More Data: No data buffered
. — Protected flag: Data is not protected
Order flag: Not strictly ordered
.øøø løøø oøøø ooøø -
Duration: 2ß48 microseconds
Receiver address: App 92:ga)
Transmitter address: 7a:8a:2ø:øf:bg:6f
Frame check sequence: øx4d4e67bf (unverified]
[FCS Status: Unverified]
e From DS: e)
(exø)](https://i0.wp.com/keepcalmandping.online/wp-content/uploads/2020/02/image-3.png?w=1600&ssl=1)
