AU1271 FMFrame Page i Monday, July 15, 2002 8:57 PM
AU1271 FMFrame Page ii Monday, July 15, 2002 8:57 PM
AU1271 FMFrame Page iii Monday, July 15, 2002 8:57 PM
<Title Page>
AU1271 FMFrame Page iv Monday, July 15, 2002 8:57 PM
Library of Congress Cataloging-in-Publication Data Held, Gilbert, 1943Building a wireless office / Gilbert Held. p. cm. Includes index. ISBN 0-8493-1271-X (alk. paper) 1. Wireless LANs. I. Title. TK5105.78 .H4497 2002 004.6'8--dc21 2002071209
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.
Visit the Auerbach Publications Web site at www.auerbach-publications.com © 2003 by CRC Press LLC Auerbach is an imprint of CRC Press LLC No claim to original U.S. Government works International Standard Book Number 0-8493-1271-X Library of Congress Card Number 2002071209 Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 Printed on acid-free paper
AU1271 FMFrame Page v Monday, July 15, 2002 8:57 PM
Dedication
Being on the faculty of a school of higher education has both privileges and responsibilities. In addition, it provides an author with a human laboratory of inquisitive minds that enable different presentation concepts to be tested and refined. The ability to teach at Georgia College and State University is a truly enjoyable experience. I have been fortunate to have students with a mixture of backgrounds that have provided different views concerning the operation and utilization of both wired and wireless LANs. Recognizing that learning is a two-way process, this book is dedicated to the students at Georgia College and State University as well as the person who provided me with the opportunity to teach there. Thus, to Dr. Harry Glover I would like to both publicly say “thank you” and dedicate this book to him.
v
AU1271 FMFrame Page vi Monday, July 15, 2002 8:57 PM
AU1271 FMFrame Page vii Monday, July 15, 2002 8:57 PM
Contents
Introduction ............................................................................................... xvii
1 Introduction to Wireless LANs ....................................................................1 Wireless Networking Devices ........................................................................................1 Wireless LAN Network Adapters...............................................................................2 Access Point ..............................................................................................................3 Types of Networking ............................................................................................4 Wireless Bridge ..........................................................................................................5 Wireless Routers........................................................................................................6 Wireless Access Server ..............................................................................................7 Rationale for Wireless LANs ...........................................................................................8 Economics .................................................................................................................8 Adds, Moves, and Changes.........................................................................................9 Roaming...................................................................................................................10 Disadvantages to Wireless LANs..............................................................................11 Learning New Technology..................................................................................11 Proliferation of Standards ...................................................................................11 Security ...............................................................................................................12 Applications.............................................................................................................13 Home Use ...........................................................................................................13 Hospital...............................................................................................................15 College Campus ..................................................................................................15 Office Support ....................................................................................................16 Portals .................................................................................................................17 Book Preview ...............................................................................................................18 Technology and Terminology ..................................................................................18 IEEE Standards .........................................................................................................18 Basic Wireless LAN Operations ...............................................................................18 The TCP/IP Protocol Suite.......................................................................................19 Security ....................................................................................................................19 Working with Vendor Products ...............................................................................19 The Future ...............................................................................................................19
vii
AU1271 FMFrame Page viii Monday, July 15, 2002 8:57 PM
viii
Building a Wireless Office
2 Technology and Terminology ...................................................................21 Basic Communications Concepts ................................................................................21 Frequency ................................................................................................................21 Wavelength ..............................................................................................................23 Bandwidth ...............................................................................................................25 Modulation Methods ....................................................................................................26 Amplitude Modulation.............................................................................................26 Frequency Modulation.............................................................................................27 Phase Modulation ....................................................................................................28 The Nyquist Relationship ...................................................................................28 Quadrature Amplitude Modulation..........................................................................29 Differential Modulation ...........................................................................................31 Signaling Methods ........................................................................................................32 Infrared ....................................................................................................................33 Types of Infrared Transmission...........................................................................33 Limitations ..........................................................................................................33 Frequency Hopping Spread Spectrum....................................................................34 Rationale for Spread Spectrum...........................................................................34 Operation............................................................................................................34 Direct Sequence Spread Spectrum .........................................................................35 Operation............................................................................................................35 Orthogonal Frequency Division Multiplexing ........................................................36 Evolution.............................................................................................................36 Operation............................................................................................................37 The Frequency Spectrum and Wireless LANs.........................................................37 ISM Bands ...........................................................................................................37 Where Wireless LANs Reside..............................................................................38 Measurements..........................................................................................................39 Power Ratios .......................................................................................................39 Bel .......................................................................................................................39 Decibel................................................................................................................40 Decibel-Milliwatt .................................................................................................41 Signal-to-Noise Ratio ...........................................................................................42 Channel Capacity................................................................................................43 Antenna Considerations......................................................................................45 Radiation Pattern ................................................................................................45 Beamwidth..........................................................................................................45 Antenna Gain ......................................................................................................46 Wireless LAN Terminology ...........................................................................................47 Architecture..................................................................................................................47 The Station ..............................................................................................................47 Network Topologies ................................................................................................48 Ad Hoc Networking............................................................................................48 Infrastructure Networking..................................................................................48 Access Point Operation ...........................................................................................49 The Distribution System..........................................................................................50 The Extended Service Set...................................................................................50 Media Access Control...................................................................................................50 CSMA/CA .................................................................................................................50 The Hidden Node Problem .....................................................................................51
AU1271 FMFrame Page ix Monday, July 15, 2002 8:57 PM
ix
3 IEEE Standards .............................................................................................53 Basic Architecture.........................................................................................................53 Layer Separation ...........................................................................................................53 Physical Layer Operation .............................................................................................54 Infrared ....................................................................................................................54 Frequency Hopping Spread Spectrum....................................................................55 Modulation..........................................................................................................55 Frequency Channels ...........................................................................................55 Direct Sequence Spread Spectrum .........................................................................56 Barker Code ........................................................................................................56 Modulation..........................................................................................................56 Comparison to FHSS...........................................................................................56 Complementary Code Keying ............................................................................57 Code Sets ............................................................................................................57 Orthogonal Frequency Division Multiplexing....................................................58 Frequency Allocation ..........................................................................................58 Scope of Coverage..............................................................................................58 Physical Layer Operations ............................................................................................59 FHSS .........................................................................................................................59 DSSS .........................................................................................................................60 OFDM ......................................................................................................................60 MAC Layer Operations .................................................................................................61 Layer 2: Framing ......................................................................................................61 Protocol Version Field.........................................................................................62 Type and Subtype Fields ....................................................................................62 ToDS/FromDS Fields ...........................................................................................62 More Frag Field...................................................................................................62 Retry Field ..........................................................................................................62 Power Management Field ...................................................................................63 More Data Field ..................................................................................................64 WEP Field............................................................................................................64 Order Field..........................................................................................................64 Duration/ID Field................................................................................................65 Address Fields .....................................................................................................65 Sequence Control Field ......................................................................................66 Frame Body Field ................................................................................................66 CRC Field ............................................................................................................66 Management Frames................................................................................................67 The Beacon Frame..............................................................................................67 The Probe Response Frame................................................................................67 Control Frames ........................................................................................................68 Hidden Nodes .....................................................................................................68 Use of RTS and CTS Frames ...............................................................................69 RTS and CTS Frame Formats ..............................................................................69 ACK Frame..........................................................................................................70 Media Access............................................................................................................70 Time Gaps...........................................................................................................70 DCF Operation....................................................................................................71 PCF Operation ....................................................................................................72
AU1271 FMFrame Page x Monday, July 15, 2002 8:57 PM
x
Building a Wireless Office
4 Basic Wireless LAN Operations .................................................................75 Ad Hoc Networking .....................................................................................................75 Adapter Card Setup......................................................................................................76 Configuring a Wireless Network Adapter................................................................77 Ad Hoc Settings ..................................................................................................77 TxRate.................................................................................................................78 WEP.....................................................................................................................78 PS Mode ..............................................................................................................78 Channel...............................................................................................................78 Network Software....................................................................................................80 Enabling File and Print Sharing ..........................................................................80 Assigning Identifiers ...........................................................................................81 Sharing Network Resources ...............................................................................81 Setting TCP/IP Parameters ..................................................................................85 The Proof Is in the Pudding....................................................................................89 Internet Connection Sharing...................................................................................90 Installation ..........................................................................................................91 Configuration ......................................................................................................92 Infrastructure Operations.............................................................................................94 Wireless Router Configuration.....................................................................................94 Access the Router ...................................................................................................95 Configuring a PC IP Address ..............................................................................95 Configuring the DNS ..........................................................................................95 Gateway Configuration .......................................................................................95 Using Your Browser .................................................................................................97 Accessing the Configuration Setup Utility .........................................................97 Using the Setup Wizard ......................................................................................99 System Name Assignment...................................................................................99 Wireless LAN Setup Parameters .........................................................................99 Defining the Wired Connection .......................................................................103 Defining Address Assignments ..........................................................................103 Internet Access via the Router..............................................................................106 Site Selection .........................................................................................................106
5 TCP/IP Protocol Suite ...............................................................................109 The Internet Protocol ................................................................................................109 Datagrams and Segments.......................................................................................110 Datagrams and Datagram Transmission.................................................................110 Routing ..................................................................................................................110 The IP Header .......................................................................................................111 Vers Field ..........................................................................................................111 Hlen Field..........................................................................................................111 Service Type Field.............................................................................................112 Total Length Field .............................................................................................113 Identification and Fragment Offset Fields........................................................113 Flags Field .........................................................................................................115 Time to Live Field.............................................................................................115 Protocol Field....................................................................................................115 Header Checksum Field....................................................................................116 Source and Destination Address Fields.............................................................116 IP Addressing ..............................................................................................................116 The IP Addressing Scheme ....................................................................................120
AU1271 FMFrame Page xi Monday, July 15, 2002 8:57 PM
xi Address Classes......................................................................................................121 Rationale ...........................................................................................................122 Class Addressing Overview...............................................................................122 Class A Addresses ..............................................................................................123 Class B Addresses..............................................................................................125 Class C Addresses..............................................................................................125 Class D Addresses .............................................................................................126 Class E Addresses ..............................................................................................127 Dotted Decimal Notation ......................................................................................127 Basic Workstation Configuration ...........................................................................128 Reserved Addresses ...............................................................................................131 Subnetting..............................................................................................................133 Overview ..........................................................................................................133 Subnetting Example..........................................................................................133 Host Restrictions...............................................................................................135 The Zero Subnet...............................................................................................136 Internal Versus External Subnet Viewing .........................................................136 Using the Subnet Mask.....................................................................................137 Multiple Interface Addresses .................................................................................139 Address Resolution ................................................................................................140 Ethernet and Token Ring Frame Formats.........................................................141 LAN Delivery ....................................................................................................141 Address Resolution Operation..........................................................................142 ARP Packet Fields .............................................................................................142 Locating the Required Address.........................................................................143 Gratuitous ARP..................................................................................................143 Proxy ARP .........................................................................................................143 RARP .................................................................................................................144 ICMP ...........................................................................................................................144 Overview ...............................................................................................................144 The ICMP Type Field ........................................................................................145 The ICMP Code Field .......................................................................................145 Evolution................................................................................................................145 The Transport Layer ...................................................................................................146 TCP Overview ............................................................................................................148 The TCP Header ....................................................................................................148 Source and Destination Port Fields ..................................................................148 Multiplexing and Demultiplexing.....................................................................149 Port Numbers ...................................................................................................149 Well-Known Ports .............................................................................................150 Registered Ports ................................................................................................150 Dynamic or Private Ports .................................................................................150 Sequence and Acknowledgment Number Fields .............................................151 Hlen Field..........................................................................................................152 Code Bits Field..................................................................................................153 Window Field....................................................................................................153 Checksum Field ................................................................................................154 Urgent Pointer Field .........................................................................................154 Options Field ....................................................................................................154 Padding Field ....................................................................................................154 Connection Establishment .........................................................................................155 Connection Function Calls....................................................................................155
AU1271 FMFrame Page xii Monday, July 15, 2002 8:57 PM
xii
Building a Wireless Office
Port Hiding ............................................................................................................155 Passive OPEN.........................................................................................................156 Active OPEN ..........................................................................................................156 The Three-Way Handshake ....................................................................................156 Overview ..........................................................................................................157 Operation..........................................................................................................157 The TCP Window...................................................................................................158 Avoiding Congestion .............................................................................................159 TCP Slow Start..................................................................................................160 The Slow-Start Threshold..................................................................................160 TCP Retransmissions .............................................................................................161 Session Termination...............................................................................................161 UDP ............................................................................................................................162 The UDP Header ...................................................................................................162 Source Port and Destination Port Fields ..........................................................163 Message Length Field........................................................................................163 Checksum Field ................................................................................................163 Operation..........................................................................................................163 Applications ......................................................................................................164 The DNS .....................................................................................................................164 The Domain Name Structure ................................................................................165 The Domain Name Tree ........................................................................................165 The Name Resolution Process ..............................................................................166 Data Flow..........................................................................................................166 Time Consideration ..........................................................................................168 DNS Records..........................................................................................................168 Checking Records..................................................................................................169 Diagnostic Tools .........................................................................................................170 Ping........................................................................................................................170 Operation..........................................................................................................170 Implementation ................................................................................................170 Using Windows NT Ping...................................................................................171 Traceroute..............................................................................................................173 Operation..........................................................................................................174 Using Windows Tracert .....................................................................................174 Tracing a Route.................................................................................................175 Applications ......................................................................................................176 NSLOOKUP............................................................................................................177 Operation..........................................................................................................177 Viewing the SOA Record..................................................................................179 Protecting Server Information..........................................................................179 Finger .....................................................................................................................179 Format...............................................................................................................180 Security Considerations ....................................................................................181 Applications ......................................................................................................181
6 Security ........................................................................................................183 Security Risks .............................................................................................................183 Architecture ...........................................................................................................184 The Role of the SSID.............................................................................................184 Insertion Attacks ....................................................................................................186 Monitoring Attacks ................................................................................................186 Masquerade............................................................................................................188
AU1271 FMFrame Page xiii Monday, July 15, 2002 8:57 PM
xiii Broadcast Monitoring ............................................................................................191 Denial-of-Service Attacks........................................................................................192 Other Attack Methods ...........................................................................................193 Exploiting File Sharing .....................................................................................193 SNMP Community Names ................................................................................193 Accessing the Management Console................................................................194 Encryption Attacks............................................................................................194 Theft of Hardware ............................................................................................194 Understanding WEP....................................................................................................196 Overview ...............................................................................................................196 Setup Example.......................................................................................................197 Cipher Operation ..................................................................................................197 RC4 ........................................................................................................................198 Algorithm Operation.........................................................................................198 WEP Key Definition...............................................................................................199 Authentication Methods.............................................................................................200 Open Authentication.........................................................................................200 Shared Key ........................................................................................................200 MAC Address .....................................................................................................201 Vulnerabilities ........................................................................................................201 The IV ...............................................................................................................202 Attack Methods.................................................................................................202 Using the IV......................................................................................................203 Enhancing Wireless Security ......................................................................................204 MAC Address-Based Authentication .......................................................................204 Use Dynamic WEP Keys ........................................................................................204 LEAP Authentication ..............................................................................................205 Using Secure Sockets.............................................................................................206 The VPN Solution ..................................................................................................206 Bar Code Authentication .......................................................................................206 The IEEE 802.1x Standard.....................................................................................207 Overview ..........................................................................................................207 Cisco Implementation ......................................................................................208 Orinoco Implementation..................................................................................209 Router Access Control...........................................................................................209 Shielding ................................................................................................................210
7 Working with Vendor Products ..............................................................213 Agere Systems Orinoco Wireless Kit..........................................................................213 Client Setup ...........................................................................................................213 Installation Software .........................................................................................214 Client Manager..................................................................................................214 Adjusting the Configuration .............................................................................217 Network Name .................................................................................................218 Security Setting .................................................................................................219 Power Management ..........................................................................................220 TCP/IP Behavior ...............................................................................................221 Setting Up the Residential Gateway......................................................................222 The Welcome Screen ........................................................................................222 RG Identification...............................................................................................223 Specifying the Internet Connection.................................................................224 Settings Summary .............................................................................................225 Network Topology ............................................................................................226
AU1271 FMFrame Page xiv Monday, July 15, 2002 8:57 PM
xiv
Building a Wireless Office
Advanced Features.................................................................................................227 Card Testing ......................................................................................................228 Link Test ............................................................................................................228 Cisco Aironet ..............................................................................................................231 Aironet Client Utility .............................................................................................231 Configuring the Client...........................................................................................231 System Parameters Tab......................................................................................231 RF Network Tab ................................................................................................233 Home Networking Tab......................................................................................234 Network Security Tab .......................................................................................235 Advanced Settings.............................................................................................236 Interesting Product Features .................................................................................237 Netgear MR314 Wireless Router ................................................................................238 System Settings ......................................................................................................238 System Name ....................................................................................................238 Password ...........................................................................................................238 DDNS ................................................................................................................239 LAN Setup..............................................................................................................239 RIP Support ......................................................................................................243 Wireless LAN Setup ...............................................................................................243 Port Forwarding.....................................................................................................245 Static Route............................................................................................................245 Content Filter ........................................................................................................247 Other Features .......................................................................................................247 SMC Networks Barricade Wireless Router.................................................................247 Router Access ........................................................................................................249 Access Control.......................................................................................................249 Virtual Server .........................................................................................................251 DMZ Host ..............................................................................................................251 Remote Administration Host .................................................................................254 Administrative Timeout..........................................................................................254 Discard Ping ..........................................................................................................254 Nonstandard FTP Port ...........................................................................................254 Interoperability...........................................................................................................256 WEP Key Considerations.......................................................................................256
8 The Future ..................................................................................................257 Evolving Wireless LAN Products ................................................................................257 Print Servers ..........................................................................................................257 Rationale ...........................................................................................................258 Types of Servers ...............................................................................................258 Authentication Server............................................................................................258 RADIUS .............................................................................................................258 Token Card .......................................................................................................259 Evolving Wireless LAN Standards ...............................................................................259 The 802.1x Standard .............................................................................................260 The 802.11g Standard ...........................................................................................260
Index ....................................................................................................................263
AU1271 FMFrame Page xv Monday, July 15, 2002 8:57 PM
Acknowledgments
As the author of several books, I learned a long time ago that the placement of my name on the jacket only tells part of the publication story. The actual publication of a book represents a team effort, first requiring a publisher to approve an author’s proposal. Thus, I would be remiss if I did not once again thank Rich O’Hanley at Auerbach Publishers for backing another of my proposals. Once a proposal is accepted the major effort begins. No matter how knowledgeable an author is, there is the need to research many topics and to review the latest information concerning evolving technology. This effort must be performed as the author drafts a manuscript, resulting in long evenings and weekends during which information is checked and rechecked and concepts are verified to ensure readers are provided with accurate information. Needless to say, this effort plays havoc with family life. Thus, I would also be remiss if I did not acknowledge the support of my wife, Beverly, during the time I literally went into hibernation to draft the book you are reading. Due to a travel schedule that takes me to many interesting areas around the globe, I learned long ago that no matter what electrical outlet adapter set I purchased, I would more than likely encounter an incompatibility that would result in my notebook battery reaching a discharge state. Based on the preceding, I write my books the old-fashioned way — using paper and pen to draft a manuscript and provide rough drawings of illustrations that must then be converted into a professional manuscript. Once again, I am indebted to Linda Hayes and Susan Corbitt for converting my handwritten notes and drawings into a professional manuscript. When a manuscript arrives at a publisher, it is proofed, edited, and typeset. Artwork is set, captions are placed, and galley pages are produced, which after verification form the basis for the book you are reading. Once again, I literally take off my hat to the behind-the-scenes workers at CRC Press whose efforts made this book a reality. Gilbert Held
xv
AU1271 FMFrame Page xvi Monday, July 15, 2002 8:57 PM
AU1271 FMFrame Page xvii Monday, July 15, 2002 8:57 PM
Introduction
The objective of this book is to provide you with information you can use to efficiently and economically construct a wireless office. That office can range in scope from two computers sharing information over the air, to the interconnection of hundreds to thousands of wired and wireless LAN products. In this book we focus our attention on many key topics associated with the construction of a wireless office. Such topics include, but are not limited to, site selection, equipment interoperability, equipment acquisition, and their installation and operation. In addition, we discuss several areas associated with wireless security as well as the use of different products and even some common sense that will minimize the possibility of our communications being literally “read” by unauthorized parties. This book was written for a wide audience of readers. If you are a small office manager, LAN manager, network manager, or even a home computer user and are considering the use of wireless LANs or need to use them more effectively and efficiently, this book is for you. In this book we learn how wireless LANs operate, the difference between currently available and emerging products, and why new wireless LANs that operate at higher data rates may not be suitable or cost-effective for many organizations. While the primary focus of this book is on the construction of a wireless office, we also examine why the technology may not be suitable for some organizations, based on different operational requirements and operational environments. However, for the majority of readers wireless LANs hold a considerable number of utilization advantages that make this ar ea of communications into a high growth area. As a professional author who has spent a lifetime researching technology and explaining its use, I welcome reader feedback. Please feel free to contact me either through the publisher whose address is on the cover of this book or via email at
[email protected]. Let me know if I spent too much or too few words on a particular topic, if I missed a topic of interest, or any other comments you may have concerning the material covered in this book. Your feedback is a valuable source of information that allows me to tailor my research and writing efforts and I truly appreciate your comments. xvii
AU1271 FMFrame Page xviii Monday, July 15, 2002 8:57 PM
AU1271Ch01Frame Page 1 Monday, July 15, 2002 8:56 PM
Chapter 1
Introduction to Wireless LANs The objective of this chapter is threefold. First, we focus on obtaining a basic knowledge of the structure and components associated with wireless networking. Second, we use that information to become acquainted with the rationale for considering the use of wireless LANs in a home or office environment. In doing so we examine the advantages and disadvantages associated with the use of wireless LAN technology to ensure we obtain balanced information concerning the use of this rapidly evolving technology. Included in our review of wireless technology is an examination of a number of applications that can benefit from the use of wireless LANs. Third, we turn our attention to obtaining a preview of the material presented in succeeding chapters in this book. This preview can be used as is or in conjunction with the Table of Contents and Index to locate one or more areas of immediate interest. That said, grab your Coke, Pepsi, or another favorite beverage, perhaps a few munchies, and join me in exploring the wonderful world of evolving wireless LAN technology.
Wireless Networking Devices We need to become familiar with certain devices in a wireless LAN environment. Those devices include wireless LAN adapter cards, wireless access points, wireless bridges, and wireless routers. By obtaining an appreciation for the general functionality of wireless LAN hardware devices, we can also obtain an appreciation for the manner by which wireless LAN networking can be accomplished.
1
AU1271Ch01Frame Page 2 Monday, July 15, 2002 8:56 PM
2
Exhibit 1.
Building the Wireless Office
The SMC Networks 2602W Wireless PCI Card
Wireless LAN Network Adapters A wireless LAN network adapter represents the hardware device that turns a notebook or desktop computer into a participant, or station, on a wireless LAN. The term “station” is commonly used to refer to a computer communicating via a wireless LAN network adapter. The wireless LAN network adapter can be obtained in one of three basic form factors. First, the wireless LAN adapter can be obtained mounted on a PCI bus-based adapter card designed for insertion into the system unit of a desktop computer. Exhibit 1 illustrates the SMC Networks 2602 wireless PC card mounted on a PCI bus adapter card. In examining Exhibit 1, note the edge connectors at the top of the photograph that actually represent the bottom of the card, which is inserted into a PCI bus expansion slot in the system unit of a desktop computer. The right edge of the PC card will protrude from the rear of the system expansion slot and represents the antenna of the wireless PC card that enables transmission and reception of radio frequency (RF) communications. Once the PCI adapter card is inserted into a desktop and appropriate software is installed, the computer can be considered to represent a wireless LAN station. The second form factor used for the fabrication of a wireless LAN adapter is the PC card. When fabricated as a PC card, the wireless LAN adapter resembles a Type II PC Card inserted into a Type II slot in a notebook. Typically, the wireless LAN adapter card fabricated as a PC card includes a built-in antenna that protrudes from the slot into which the card is inserted.
AU1271Ch01Frame Page 3 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
Exhibit 2.
3
The SMC Networks 2632W Wireless PC Card
Exhibit 2 illustrates the SMC Networks 2632W EZ Wireless PC Card, which is a stand-alone wireless network adapter fabricated for insertion into a Type II PC Card slot included in just about all modern laptop and notebook computers. The left portion of the PC card is inserted into a Type II slot, resulting in the dark portion of the right of the card that represents the antenna protruding from the slot. If you compare Exhibit 1 to Exhibit 2, you will note that the PCI bus-based network adapter shown in the first illustration represents the PC card mounted on the PCI bus-based network adapter form factor. The third form factor wireless LAN adapter cards use is fabrication into a housing that has a USB connector. This permits the wireless LAN adapter to be used with some of the more modern computers that have a limited number of available system unit expansion slots but typically include four or five USB ports. Exhibit 3 illustrates the Agere Systems’ Orinoco USB client wireless network adapter. By cabling this stand-alone wireless network adapter to a USB port on a desktop or laptop, you can eliminate the necessity to open your desktop computer or obtain the ability to free up a Type II slot on a laptop or notebook for a different type of PC card while converting your computer into a wireless station or participant on a wireless LAN.
Access Point An access point can be considered to represent a bridge between a wired and wireless network. In fact, the access point functions as a LAN bridge, broadcasting frames that flow on the wired LAN on the air while frames received over the air are transmitted on the wired LAN. Exhibit 4 illustrates the SMC Networks 2655W EZ Connect 11 Mbps wireless access point. Designed for both business and residential use, this access point has a maximum operating range of 1800 feet and can support up to 64 clients or stations. Because the access point obtains power over a wired Ethernet
AU1271Ch01Frame Page 4 Monday, July 15, 2002 8:56 PM
4
Building the Wireless Office
Exhibit 3.
The Agere Systems Orinoco USB Client
Exhibit 4.
The SMC Networks 2655W EZ Connect 11 Mbps Wireless Access Point
connection, no separate power cable is required. Thus, as a simple plug-andplay wired to a wireless Ethernet bridge, you only need to cable the access point to your wired infrastructure to extend that infrastructure via RF communications. In examining Exhibit 4, note the dual antennas on the access point. The use of dual antennas permits the better of two signals received to be selected, which can reduce the adverse effects associated with the reflection of signals off different types of objects as they propagate toward a receiver.
Types of Networking Two basic types of wireless LAN networking are available — ad hoc and infrastructure. In an ad hoc networking environment, two or more clients communicate with one another without having to use an access point. The top portion of Exhibit 5 illustrates an example of ad hoc networking.
AU1271Ch01Frame Page 5 Monday, July 15, 2002 8:56 PM
5
Introduction to Wireless LANs
Ad Hoc Networking
Client
Client
Infrastructure Networking Hub
Wired LAN
Access Point
Client Client
Exhibit 5.
Basic Types of Wireless LAN Networking
The second type of wireless LAN networking is referred to as infrastructure networking. In this networking environment, clients communicate with one another or wired devices through the facilities of an access point. The lower portion of Exhibit 5 illustrates a wireless LAN infrastructure networking configuration. A note must be made about the access point antenna shown in the lower portion of Exhibit 5: while only one antenna is shown on the access point, some wireless devices (to include LAN adapters and access points) have two. The device includes intelligence either in firmware or software that examines the signal received by each antenna and selects the better of the two received signals. The technical name for dual antennas is space diversity.
Wireless Bridge We previously noted that an access point operates as a gateway between a wireless and wired network. From a technical perspective, an access point actually functions as a bridge; we examine its operation later in this book. Thus, with this fact in mind, you might be a bit perplexed as to how a wireless bridge differs from an access point. We can view a wireless bridge as a wireless gateway between LANs. While similar to an access point, the wireless bridge commonly consists of two components: a base station and a directional antenna. The base station can be considered to represent an access point without an antenna that is cabled to a wired LAN. The base unit is also cabled to a directional antenna, with the latter typically mounted on the outside of a building. Through the use of
AU1271Ch01Frame Page 6 Monday, July 15, 2002 8:56 PM
6
Building the Wireless Office
Directional Antenna
Hub
Exhibit 6.
Directional Antenna
Base Unit
Base Unit
Hub
Using Wireless Bridges to Interconnect Wired LANs Dual Space Diversity Antennas LEDs
Cable/ DSL Ethernet Switch
Exhibit 7.
A Generic Wireless Router with a Three-Port Built-In Ethernet Switch
a very sensitive directional antenna, it becomes possible to extend the transmission distance of a wireless LAN. That extension can be from a few thousand feet up to approximately ten miles, with the latter based on obtaining a lineof-sight capability between each wireless bridge antenna. Exhibit 6 illustrates the use of a pair of wireless bridges to interconnect two wired LANs. Perhaps to make the role of a network manager or LAN administrator more interesting, it is worth noting other terms used to reference a wireless bridge. Some vendors refer to this device as an outdoor router or outdoor point-topoint router, while other vendors use the term “gateway” to reference this functionality. Thus, a detailed examination of a product specification sheet may be in order to determine how a particular product is designed to function.
Wireless Routers Another wireless LAN networking device we briefly discuss in this section is the wireless router. In actuality, the wireless router represents an access point that includes a routing capability and may include a built-in Ethernet switch capability. Exhibit 7 illustrates a schematic of a generic wireless router that includes a three-port Ethernet switch. The box labeled Cable/DSL in Exhibit 7 provides a connection to a cable or DSL modem. That connection is usually accomplished through the use of a 10/100 Mbps Ethernet port; however, some wireless routers may use a USB connection. The three-port Ethernet switch permits the wireless router to be connected to individual computers via an individual Ethernet port or to a
AU1271Ch01Frame Page 7 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
Exhibit 8.
7
The Agere Systems Orinoco RG-1000 Broadband Gateway
wired LAN. The dual space diversity antennas provide the wireless router with its over-the-air transmission and receptor capability, enabling the device to function as an access point. The light-emitting diodes (LEDs) provide various types of status information concerning the operation of the wireless router as well as its individual ports. Similar to different names being used for wireless bridges, vendors also use different terms to denote a device with the functionality of a router and access point. Exhibit 8 illustrates the Agere Systems’ Orinoco RG-1000 broadband gateway that combines an access point and several router features to enable the sharing of DSL or cable modem access to the Internet. The RG1000 includes a virtual private networking (VPN) capability that can be used to secure communications through the Internet.
Wireless Access Server The last wireless product we note in this section is one that is gaining a significant degree of interest due to security problems associated with the Wired Equivalent Privacy (WEP) Protocol used to provide security in IEEE 802.11 networks. While we describe security in considerable detail later in this book, it is important to note that by default WEP is disabled, which means that many organizations that take products out of the box and do not configure them are literally operating naked. In addition, WEP is a shared key system, which uses a common key for both encryption and authentication. Because the basic key is only 40 bits in length, it is relatively easy to break, which means authentication then literally goes down the proverbial “tube.” Perhaps recognizing this, several vendors introduced access points that use much more sophisticated authentication methods. One example of an access server worth noting is the Agere Systems’ Orinoco AS-2000 access server, illustrated in Exhibit 9. This device represents a two-slot access point users can use to
AU1271Ch01Frame Page 8 Monday, July 15, 2002 8:56 PM
8
Exhibit 9.
Building the Wireless Office
The Agere Systems Orinoco AS-2000 Access Server
create a double-capacity network. The access server works in tandem with a RADIUS server located on the wired network to provide authentication, authorization, and accounting (AAA). By identifying individual users prior to allowing them to access the network and the periodic change of encryption keys, the AS-2000 significantly secures a network. This brief examination of wireless hardware devices is included to provide all readers with a minimum level of knowledge concerning the basics of wireless LANs so that we can obtain a better appreciation for the rationale for wireless LANs presented in the next section of this chapter. This brief examination is far from all-inclusive, and, in fact, we probe much deeper into the operation and utilization of different wireless devices throughout this book. That said, we use the preceding information as a foundation to appreciate some of the advantages associated with the use of this evolving technology. Thus, in the next section in this chapter, we turn our attention to the rationale for the use of wireless LANs.
Rationale for Wireless LANs The key advantage associated with the use of wireless LANs is based on the name of this technology. That is, a wireless LAN represents a communications network formed without the use of wires. While the preceding statement is a bit obvious, what may not be as obvious are some of the benefits that can accrue due to the ability to form a network based on the transmission medium becoming the ether instead of metallic twisted pair wire. Thus, let’s turn our attention to the advantages associated with being able to form a communications network that uses the air as the transmission medium.
Economics One of the key advantages associated with the utilization of wireless LANs is economics. A large portion of economic savings associated with the use of this technology results from the ability to use the air instead of having to
AU1271Ch01Frame Page 9 Monday, July 15, 2002 8:56 PM
9
Introduction to Wireless LANs
B Access Point A
Exhibit 10. Using a Wireless LAN to Move without Requiring Additional Hardware or Software
cable clients to a hub in a wired LAN environment. By minimizing the need for conventional metallic-based twisted pair wiring, you avoid not only the cost of the wire, but also the cost of installing the wire. The latter can represent a significant expenditure, especially if in an office environment you need to install a conduit to run the twisted pair wiring to satisfy building codes.
Adds, Moves, and Changes Another major advantage associated with the use of wireless LANs is networking flexibility. This flexibility provides the network manager or LAN administrator with the ability to react quicker to client requirements because the installation of a wireless LAN adapter into a desktop or notebook is the only hardware required at the client site. This means the client does not have to wait for the routing of a cable to his work area. This also means the client will not be captive to the availability of a port on a shared-media hub or LAN switch. When a client relocates, a wireless LAN may continue to provide additional flexibility. If the client relocates to and from locations served by the same access point, the relocation can be accomplished without any hardware or software changes. An example of this type of situation is illustrated in Exhibit 10. In this example, client A relocates from location 1 to location 2. Note that the radiated signal from location 2 can also reach the same access point. Thus, no additional hardware or software is required. When a wireless client relocates beyond the range of the access point currently providing service, the client needs to obtain the services of another access point. In a worst-case situation, a new access point must be installed. If the access points are connected to a wired LAN, this will require the installation of a second access point as well as its cabling to a hub on the wired LAN. Although this action can be more expensive than simply cabling the client to a hub, if several clients are to be relocated, once again the economics associated with the use of wireless LANs over wired LANs will prevail.
AU1271Ch01Frame Page 10 Monday, July 15, 2002 8:56 PM
10
Building the Wireless Office
Basic Service Area
Access Point
Wired LAN
Distribution System
Hub
Hub
Client Client
Access Point
Client Roams The two Basic Service Sets (BSSs) linked together by the Distribution System (DS) form an Extended Service Set (ESS).
Exhibit 11. Access Points Communicating with One Another Interconnected via a Wired LAN
Roaming Exhibit 11 illustrates the installation of a second access point to extend the coverage of a wireless LAN. Each access point has an area of coverage referred to as a basic service area (BSA). Stations that communicate with one another form a basic service set (BSS). Thus, in Exhibit 11, two BSSs and two BSAs are shown. Note that each BSA can be considered an isolated island; however, the wired LAN serves as a mechanism to interconnect the separate BSSs. In doing so, the wired LAN represents a distribution system (DS) and the interconnected BSSs form an extended service set (ESS). The ability of a wireless client to move from being serviced by one access point to another is referred to as “roaming.” The ability to effect roaming between areas within a building or on a campus depends on the connection of access points to a wired LAN that provides an infrastructure to interconnect access points. By providing organizational employees with the ability to roam throughout an organization, you enhance their productivity. For example, an employee with a notebook working at her desk could pick up her computer and carry it to a colleague’s office within the building, to the lunchroom, or to another location within the service area of another access point and regain access to the corporate network. Thus, wireless LANs provide a significant advantage based on their support of roaming. In fact, as we note later in this chapter, you can take your notebook on the road and access your corporate network, check Internet e-mail, or perform other communications functions through the use of public portals in airports and hotels that provide wireless communications access to the Internet. In fact, a few words are in order concerning two vastly different commercial organizations that use wireless LANs — the Microsoft Corporation campus and individual Starbucks coffee shops.
AU1271Ch01Frame Page 11 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
11
Microsoft Corporation has networked its Redmond, Washington, campus through the installation of wireless access points at appropriate locations on its campus. Employees can easily move from one office or from one building to another with their notebook computer and remain connected to the corporate network, improving employee productivity as they move about the corporate campus. When this book was prepared, Starbucks was in the process of installing combined wireless LAN router/access points in its coffee shops throughout the United States and possibly at some overseas locations. Each store will have a high-speed Internet connection. The wireless router installed in each store will enable customers with a notebook that has a wireless network adapter card to surf the Internet. Thus, it now becomes possible to enjoy a bagel and cappuccino while you surf the Internet at Starbucks.
Disadvantages to Wireless LANs While we note a number of advantages associated with the use of wireless LANs, we would be remiss if we did not mention the other side of the coin and discuss some of the disadvantages associated with the use of this technology. Three basic disadvantages are associated with the use of wireless LANs. Those disadvantages include the time, cost, and effort required to learn a new technology; the proliferation of wireless LAN standards; and security.
Learning New Technology Wireless LAN devices are commonly described as “plug-and-play” products. While this is true to a degree, similar to most technologies the use of wireless LANs requires a learning curve. Even after employees are far along the learning curve, it can require a degree of effort to set up an access point as well as configure wireless routers and wireless clients. Thus, the introduction of wireless LANs can be expected to consume some time and effort.
Proliferation of Standards A few years ago, only one wireless LAN standard existed: the IEEE 802.11 standard. That standard defined three transmission methods that could be used to construct a wireless LAN at data rates of 1 Mbps or 2 Mbps. Transmission methods defined under the IEEE 802.11 standard are infrared, frequency hopping spread spectrum (FHSS), and direct sequence spread spectrum (DSSS). The latter two methods evolved from military research and spread a signal, which makes it more difficult to jam. In a civilian environment these techniques minimize interference from electrical disturbances, such as electrical magnetic interference created by machinery, lighting ballasts, and even electric pencil sharpeners. The basic 802.11 standard was quickly supplemented by the 802.11b specification that defined the use of DSSS at data rates of 1, 2, 5.5, and 11
AU1271Ch01Frame Page 12 Monday, July 15, 2002 8:56 PM
12
Building the Wireless Office
Mbps. While an 11-Mbps data rate may be sufficient for home or small office environments, it is often insufficient if a large number of employees within a given area require wireless connectivity. Thus, another addition to wireless LAN standards was the IEEE 802.11a specification. Under the 802.11a specification, wireless LAN operations now occur in a frequency band that is essentially double that of the prior standards. Because high frequencies attenuate more rapidly than low frequencies, this means that the highest data rate of the 802.11a specification, which is 54 Mbps, is only possible for a significantly shorter distance than 802.11- and 802.11b-compatible equipment. This also means that to extend wireless coverage over an area equivalent to that supported by the prior standards requires a significant increase in the number of access points, which increases the cost of wireless coverage. Perhaps recognizing the limitation of the evolving high-speed wireless LAN standard, the IEEE began work on a modification to the 802.11b standard that would boost its data rate to 22 Mbps. Similar to a scene in the movie The Lion in Winter, you are now faced with a task similar to that of the queen played by Katherine Hepburn. The queen, when asked by the king to “know the facts,” retorted: “Which one? There are so many.” Although we certainly do not reside in the time of King Arthur, when considering the use of wireless LANs we need to consider the proliferation of standards and the selection of equipment that will satisfy both our immediate and future requirements, topics we describe and discuss later in this book. However, for now, the proliferation of standards makes our decision criteria more difficult and can be considered to represent a disadvantage associated with the use of wireless LANs.
Security Unlike a wired LAN where illicit monitoring requires a person to obtain a physical connection to a network, wireless LANs communicate over the air. This means that any person with a notebook or desktop computer, wireless LAN adapter card, and appropriate decoding software represents a threat. If you read one of a series of articles published in 2001 in The New York Times or The Wall Street Journal concerning wireless LAN security, you probably became aware of the saga of two men in a van that roamed the parking lots of Silicon Valley corporations. Without requiring anything but off-the-shelf hardware and software, the parking lot duo was able to easily read the communications of many major corporations. The ease by which these gentlemen were able to read the communications of others is based on the fact that, by default, the encryption capability of wireless LANs is disabled. Even if enabled, the encryption that wireless LANs use has been found by several researches to be weak, providing persons with the ability to decrypt intercepted encrypted communications. At the time this book was prepared, several proprietary solutions were available to minimize this problem, and the IEEE was finalizing a new standard, referred to as the 802.1x standard. This standard will provide a mechanism for authenticating wireless clients. Later in this book we examine the security aspects of wireless LANs in detail, but for now we can
AU1271Ch01Frame Page 13 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
13
note that this key area represents a factor that you must consider and that can be considered a disadvantage associated with the use of wireless LANs.
Applications The diversity of applications that can be supported through the use of wireless LANs represents another rationale for their use. Although we briefly described the use of wireless LANs on the Microsoft Corporation campus and in Starbucks coffee shops, let’s probe a bit deeper and discuss several additional applications that can provide the rationale for using wireless LANs.
Home Use At first thought, not many persons use a wired LAN in a home environment, so it might be a bit difficult to believe that the use of wireless LANs can be a valuable asset in the home. However, when we consider the advantages associated with the use of wireless LANs as well as a few of the features built into wireless routers, this technology becomes well suited for use in a home environment. According to many market research organizations, over 35 million homes in the United States have Internet access. Of that population, only eight million homes have either cable modem or digital subscriber line (DSL) modem access to the Internet, with the remainder and vast majority of current usage based on conventional modem dial-up access. However, projections indicate that cable modem and DSL access will triple over the next few years, while the population of dial-up modem users will decrease. Because over half of all homes with cable or DSL modem access have multiple computers, an economical, easy-to-use mechanism that provides the ability for multiple computers to obtain simultaneous Internet access could find a ready market. In the past, several methods were developed for in-home computer sharing of peripherals to include modems that provide Internet access. Most of those methods were based on the use of the in-home electrical system or telephone wiring. Due to interference as well as the need for filters, neither method received any significant degree of acceptance. Recognizing the potential market for an easy-to-use communications system that would allow multiple computers to simultaneously access the Internet via a single cable modem or DSL modem connection resulted in the development of the wireless router or gateway. That router or gateway includes as a minimum a network address translation (NAT) capability and typically includes a variety of additional features. Some features simplify administration of an in-home wireless LAN, while other features typically add a degree of security to home computers accessing the Internet via the wireless router. Exhibit 12 illustrates an example of a wireless router in the kitchen of a home that enables the home user to access the Internet via a computer located in the kitchen as well as via computers in a home office and den. Because
AU1271Ch01Frame Page 14 Monday, July 15, 2002 8:56 PM
14
Building the Wireless Office
Wireless Router Bedroom
Home Office
Cable Modem Kitchen
Computer
Bedroom
Computer
Den
Computer
Exhibit 12.
Using a Wireless Router in a Home Environment
most Internet service providers (ISPs) either provide a single, nonchanging IP address, referred to as a static IP address, or lease an IP address for a predefined amount of time, a mechanism is required to share that static or leased address among multiple computer users. That mechanism is network address translation (NAT), which, when implemented in most wireless LAN environments, enables up to 253 client computers to share one IP address. Later we examine how NAT works and why most implementations provide support for up to 253 clients. In examining Exhibit 12 let’s assume the happy homeowner has cable TV and installed a single cable modem in the kitchen. Because three computers are in the home, the ability to obtain high-speed Internet access for each computer would normally require the homeowner to acquire two additional cable modems as well as pay two additional ISP monthly usage fees. This could result in a one-time cost of $400 and a monthly service charge of $80 for the two additional computers, assuming cable TV outlets were available in each room. If not, there would be an additional charge to wire coaxial cable to the den and home office. A second option is to install a conventional router and Ethernet hub in the kitchen and wire the computers in the den and home office to the hub in the kitchen. This action would require acquiring conventional Ethernet network adapters for all three computers as well as acquiring the router and hub. Assuming each network adapter card costs $100 and the router and hub or a router with three built-in Ethernet ports costs $250, the cost of the hardware would be $550. You would then need to string twisted pair wire from the kitchen to the den and to the home office. A third option is the one shown in Exhibit 12, in which a wireless router with one or more built-in Ethernet ports provides communications support for up to 253 computers. A wireless router for use in the home can be expected
AU1271Ch01Frame Page 15 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
15
to cost approximately $250, while each wireless LAN adapter card might cost $100. Because you would need two wireless LAN adapter cards and one wired Ethernet card for the computer in the kitchen, your hardware cost would be $550. Not only is this cost less than the cost of two additional cable modems and a few months of service, in addition, it provides considerably more flexibility. For example, assume one evening your son or daughter comes home from college and wants to work upstairs using the home Internet access. All your son or daughter has to do is pick up a computer in the den or home office and take it upstairs to his or her room. In comparison, in a wired environment you might spend hours or days recabling your home. Similarly, if one evening you have the urge to send or receive e-mail while in bed, you could once again pick up a computer in the den or home office and relocate it. Thus, the use of a wireless LAN in a home environment is both a costeffective mechanism for allowing multiple computers to obtain simultaneous access to the Internet as well as a flexible networking method.
Hospital When I first commenced my career in information technology, I worked on a clinical laboratory system for use in hospitals. That system was based on the use of a minicomputer, with terminal devices ranging in scope from nowobsolete automatic send receive (ASR) teletypewriters that were the size of a small desk to analog-to-digital (A/D) converters that functioned as sensors for reading the results of different specimens gathered from patients. While the clinical laboratory system provided a mechanism to enhance hospital employee productivity, it never achieved a significant degree of successful implementation. Perhaps one reason was the fact that as a wired system it was difficult to move terminals to where they could be used. If we fast-forward to the modern era, the use of wireless LANs in a hospital environment provides the capability to move A/D converters and computers to where they are needed. For example, it is now possible for a nurse to move a cart with medications from room to room and use a computer with a wireless LAN adapter on the card to note patient medication as it is dispensed. As that information flows back to a server on the hospital LAN, patient data and billing records can be updated in near-real-time. Updated patient records greatly benefit doctors and nurses as they make rounds. In addition, doctors can update patient information using terminal devices they can carry or those available at locations on a hospital floor that use wireless communications to access one or more servers on the wired LAN. We can expect the use of wireless LANs to gain momentum in hospitals.
College Campus As a technical consultant to a local college I was asked a few years ago to recommend new technologies the college should consider and the applications the technologies could support. At the top of my list was wireless LANs, as
AU1271Ch01Frame Page 16 Monday, July 15, 2002 8:56 PM
16
Building the Wireless Office
their use could significantly boost productivity of college employees as well as alleviate some awkward and potentially dangerous situations. Let me explain. A few times each year the local college would have a special event that required computers to be placed in the gym for registration. Such events as Parents’ Day, Alumni Day, and normal semester student registration required cables to be routed from a hub located in the athletic office onto the gym floor. Although the cables were taped to the floor, inevitably someone would trip over a cable. In addition, when it came time to remove the cable, a bit of residue would remain on the wood floor, which required some oldfashioned elbow grease to remove. Thus, the installation of a wireless LAN access point in the athletic office would permit computers with wireless LAN adapter cards to be installed on the gym floor without requiring any cabling or after-use cleanup. In addition to facilitating registration, the use of wireless LANs provides colleges with the ability to rapidly respond to ad hoc faculty requirements for computer support. For example, assume 20 students register for a course that only 12 were expected to attend. Assuming the course requires hands-on computer access as well as the ability to access the college server or the Internet, the decision criteria might normally be to add cabling to support eight additional computers. However, if a hub does not have eight additional ports, a significant network upgrade might be required to accommodate the additional computers. This could be both costly and time-consuming. However, if an access point is cabled to the hub, it becomes possible to support not only the eight additional computers, but a significant additional number as well should it become necessary. By stacking several access points and a few dozen wireless LAN adapter cards, it becomes possible for the college to respond to rapidly evolving networking requirements.
Office Support Suppose you work in an office building. In most offices, networking support is currently provided via conventional wired LANs. This means if your office is relocated to another area within the building, it could be hours or even days until network support is provided at your new location. This also means that you would not have any significant degree of flexibility if you picked up your computer and carried it into the conference room or another location and needed to access network resources — unless the network manager previously anticipated the need for such access and wired certain areas within the building for LAN support. Even when a building is wired to anticipate the need for local flexibility, you can more than likely expect a group of employees from another office to periodically attend a conference at your location. When this situation occurs, you may literally find yourself at the short end of a set of cables when the group of visitors take their notebooks out of their carrying cases and attempt to gain access to the network.
AU1271Ch01Frame Page 17 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
17
Recognizing the previously described problems resulted in some organizations installing wireless LAN access points in conference rooms as well as at strategic locations within a building. This action enables employees who work in the building as well as employees from other locations visiting the building to easily gain access to the local network via wireless transmission from most, if not all, areas within the building. From both an economic and flexibility basis, the use of a wireless LAN can be better suited to satisfy expanding network requirements than a wired LAN. However, it is important to note that for many organizations the wireless LAN should be viewed as a supplement for an existing wired LAN and not as a replacement. This is because wireless LANs operate only for relatively short distances at data rates half to approximately one tenth that of Fast Ethernet. For a large organization to migrate from a wired to a wireless environment, the cost may be prohibitive to obtain the same level of service as employees have when using a wired infrastructure. However, if an organization is relocating to a new building that does not have a wired infrastructure, the economics associated in comparing the use of a wired LAN versus a wireless LAN could change. Thus, similar to the use of any technology, you need to carefully examine the current networking situation and perform a study of the environment where networking support will be required. Doing so will allow you to determine if you should use wireless LAN technology as a supplement for the use of a wired LAN infrastructure or if the wireless LAN should represent your organization’s local network.
Portals During 2001, a new type of network infrastructure became part of the vocabulary of some travelers. That network infrastructure is referred to as a “portal” and can be found in hotels, airports, and many commercial offices in cities. In fact, the placement of wireless LAN access points in Starbucks coffee houses turns those locations into Web portals, as they provide customers with the ability to wirelessly access the Internet. A wireless portal can be considered to represent a location that supports wireless LAN access and provides a network connection to another network, with the other network most commonly being the Internet. Although most portals are constructed for the use of travelers, a new type of portal was beginning to receive a significant degree of interest when this book was written. That portal is a free public Internet access portal some communities are establishing in urban areas. For example, an apartment house could entice tenants by establishing a high-speed Internet cable modem or DSL modem connection into the landlord’s apartment or office. By adding a wireless LAN router, support for up to 253 apartment dwellers could be provided, enabling residents to gain high-speed Internet access without having to face another monthly bill. Thus, in the commercial world, free public portals could be used as a selling point that would differentiate one type of apartment or community living from another.
AU1271Ch01Frame Page 18 Monday, July 15, 2002 8:56 PM
18
Building the Wireless Office
Now that we are aware of the applications wireless LANs can support, we conclude this chapter with a preview of the material presented in succeeding chapters. As previously mentioned, you can use this information as is or in conjunction with the Index or Table of Contents to locate information of immediate interest.
Book Preview This book consists of eight chapters, and although each chapter was written to be as independent as possible from the other chapters, it is recommended that you read the material in the order in which it is presented. This is especially true for readers with a limited background in networking or network technology.
Technology and Terminology The second chapter in this book, which is entitled “Technology and Terminology,” covers both topics with respect to wireless LANs. Commencing with a description of frequency, bandwidth, baud, and other technical terms, the chapter first allows us to obtain an appreciation for the manner by which wireless LAN communications occurs. Once that is accomplished, we turn our attention to obtaining an appreciation of the various components that can be used to create a wireless LAN. In doing so we go beyond the initial examination of wireless components in this introductory chapter.
IEEE Standards Continuing our examination of wireless LANs, Chapter 3 focuses on the IEEE family of LAN standards. Chapter 3 first discusses the basic methods of networking wireless LANs support. Then it examines several IEEE wireless LAN specifications. As we examine each specification, we focus on obtaining an appreciation for the characteristics of equipment that conform to the specification.
Basic Wireless LAN Operations Using the information presented in the first three chapters as a foundation of knowledge allows us to examine basic wireless operations in detail in Chapter 4. This chapter covers both the hardware and software required to set up a wireless LAN. It examines a topic that to my knowledge has yet to be fully addressed: determining the appropriate placement of equipment. There are trade-offs among the placement of wireless LAN equipment, the signal strength received by other devices due to the placement of such equipment, and security. Concerning the latter, all wireless transmission is subject to thirdparty interception. Thus, we must consider the placement of wireless equipment and even the potential use of shielding to make it more difficult for a
AU1271Ch01Frame Page 19 Monday, July 15, 2002 8:56 PM
Introduction to Wireless LANs
19
third party to intercept our network activity. Although we examine the setup and enabling of the Wired Equivalent Privacy (WEP) Protocol in this chapter, we defer a detailed discussion of wireless security until Chapter 6. This will allow you to review the TCP/IP protocol suite and certain key concepts associated with security a wireless LAN.
The TCP/IP Protocol Suite Chapter 5 looks at the TCP/IP protocol suite, becoming familiar with IP addressing, the role of the domain name service (DNS), and the identification of applications by their TCP and UDP port numbers. This information will provide a foundation for probing deeper into wireless LAN security, which is the focus of the next chapter.
Security Chapter 6 examines several methods that can be used to secure our wireless LAN from different threats. It examines the role of WEP and its deficiencies, the use of access servers, and other protection methods. In addition, because it is common to use a wireless LAN to obtain shared access to the Internet, it also looks at the use of stand-alone firewalls and built-in firewalls incorporated into wireless routers as a mechanism to secure Internet access.
Working with Vendor Products Because the key to success in constructing a wireless office resides in the correct configuration of equipment, Chapter 7 covers this topic. It examines the configuration settings required to install products from different vendors and ensure those products interoperate. This will provide the ability to consider products from multiple vendors without having to be locked into a single source. Because it is quite natural to desire to obtain the best equipment to satisfy our application requirements, this chapter also discusses acquisition sources. In many instances the traditional sources for networking equipment are now supplemented by other sources we can consider.
The Future No book on an evolving technology would be complete without a peak at the future. Chapter 8 sharpens our crystal ball and peers into the future to obtain a look of what is on the horizon and how we might be able to make use of evolving technology. Now that we have an appreciation for where we are headed, let’s begin our journey. Thus, let’s turn the page and begin our exploration of wireless LANs by examining the technology and terminology associated with LANs that use the air as the transmission medium.
AU1271Ch01Frame Page 20 Monday, July 15, 2002 8:56 PM
AU1271Ch02Frame Page 21 Monday, July 15, 2002 8:55 PM
Chapter 2
Technology and Terminology This chapter has two main purposes. First, it focuses on basic communications concepts that will provide us with knowledge concerning the manner by which wireless LANs transport information. The information it covers ranges in scope from a basic discussion of frequency, bandwidth, and wavelength to modulation methods and antenna design and performance parameters. The second portion of this chapter focuses on the terminology associated with wireless LANs. In addition, as we explore the operation of various wireless LAN devices, we probe deeper into the technology that makes them work. Now that we have a game plan for where we are headed, let’s go there, first turning our attention toward obtaining knowledge of basic communications concepts.
Basic Communications Concepts In this section we obtain an appreciation of wireless communications as a mechanism to better understand the technology associated with the operation and utilization of wireless LANs. Because wireless communications use the air as the transmission medium, we commence our efforts by examining the relationship between frequency, wavelength, and bandwidth, three parameters used throughout this book to describe the operation of wireless LANs.
Frequency The term “frequency” is used to denote the number of periodic oscillations or waves that occur per unit time. Wireless devices, to include wireless LANs, operate at a predefined frequency or set of frequencies within a band that is defined by a regulatory agency. In the United States, that regulatory agency is the Federal Communications Commission (FCC). Later in this chapter we describe and discuss its role in regulating wireless LAN communications. 21
AU1271Ch02Frame Page 22 Monday, July 15, 2002 8:55 PM
22
Building the Wireless Office
One Cycle per Second (1 cps = 1 Hz)
Two Cycles per Second (2 cps = 2 Hz)
Exhibit 1.
Frequency
To obtain an understanding of the term “frequency,” let’s visually examine a periodic oscillation or wave. Exhibit 1 illustrates two oscillating waves, each occurring at a different frequency. As a brief reminder for those who never took a course in physics or took the course many years ago, let’s discuss the sine wave. A sine wave represents an oscillating wave that varies in height from zero to a maximum value and back to zero for one half of its cycle. Then the wave becomes negative for the second half of the cycle, ranging in value from zero to a minimum value and back to zero. Returning to Exhibit 1, note that the top portion illustrates a sine wave operating at exactly one cycle per second. Thus, over a two-second interval it would have two cycles, over a three-second interval it would have three cycles, etc. Note that the term “cycles per second” (cps) in general has been replaced by the synonymous term “Hertz,” abbreviated Hz and used in honor of the German physicist. The lower portion of Exhibit 1 illustrates the same sine wave after its oscillation rate was doubled to 2 Hz. From an examination of Exhibit 1, we can note a relationship between the oscillation rate of a signal and the time required for a signal to be transmitted over a distance of one wavelength. The time required for a signal to be transmitted over a distance of one wavelength is referred to as the period (T) of a signal. From Exhibit 1 we note that the period or duration of a cycle is inversely proportional to the frequency of a wave. That is, as the frequency increases, the period decreases. Similarly, as the frequency decreases, the period or duration of the wave increases. Thus, if T represents the period of a wave and f represents its frequency, the relationship between the two can be denoted as follows: T = 1/f The preceding formula expresses the period of a wave in terms of its frequency. We can also express the frequency of a wave in terms of its period. Doing so, we obtain:
AU1271Ch02Frame Page 23 Monday, July 15, 2002 8:55 PM
23
Technology and Terminology
f = 1/T The previously presented mathematical relationships, as well as the role of regulatory agencies and a bit of physics, are important for understanding the role of frequency in communications. As previously noted, the FCC regulates the use of frequency in the United States, while other regulatory authorities perform a similar function in other countries. Over the years many bands of frequency were allocated for different purposes, such as AM and FM radio, satellite television, air traffic control, and similar activity. While the operation of communications transmitters are regulated to ensure, for example, that one station does not interfere with another, several frequency bands were set aside for unlicensed activity. Although the FCC and other regulatory authorities limit the power of transmitters in such bands, the fact that they are unlicensed means that any person or organization can purchase equipment for use in those bands without having to obtain a license to use such equipment. These unlicensed bands reside in the very high frequency range, expressed in billions of cycles per second. This means that such waves have very short periods. In addition, because high frequencies attenuate more rapidly than low frequencies, this means that the transmission range of wireless LANs that operate in high-frequency bands are normally limited to short distances. Now that we understand the relationship between the frequency and period of an oscillating signal and some constraints associated with high-frequency signals, let’s turn our attention to two related terms: wavelength and bandwidth.
Wavelength One common term to reference the period of an oscillating signal is wavelength. The wavelength of a signal is usually defined by the use of the Greek letter lambda (λ). The wavelength of a signal is obtained by dividing the speed of light (3 × 108 m/sec) by the frequency of a signal in Hertz. The result is the wavelength of an oscillating signal in meters (m). That is, λ (m) = (3 × 108)/f (Hz) In the wonderful world of communications, wireless transmission occurs at very high frequencies, resulting in very small wavelengths. As a refresher for those of us who may be a bit rusty remembering prefixes for the powers of ten, Exhibit 2 provides a list of seven common prefixes and their meanings. As we note later in this chapter, when considering the use or when using wireless LANs, we commonly encounter such terms as megahertz (MHz) representing millions, or 106 Hertz, and gigahertz (GHz) representing billions, or 109 Hertz.
AU1271Ch02Frame Page 24 Monday, July 15, 2002 8:55 PM
24
Building the Wireless Office
Exhibit 2.
Common Prefixes of Powers of Ten
Prefix
Meaning
nano micro milli kilo mega giga penta
1/1,000,000,000 (billionth) 1/1,000,000 (millionth) 1/1000 (thousandth) 1000 (thousand) 1,000,000 (million) 1,000,000,000 (billion) 1,000,000,000,000 (trillion)
Returning to the previously presented formula for wavelength, it should be apparent that you can adjust the numerator and denominator of the equation. Doing so permits you to compute the wavelength in terms of Hertz, kilohertz, megahertz, and gigahertz. The following example illustrates how we can adjust the numerator and denominator of the equation for wavelength. Note that both the numerator and denominator are adjusted by a factor of 103 as we move from left to right in the following series of equation relationships. λ (m) = (3 × 108)/f (Hz) = (3 × 105)/f (kHz) = 300/f (MHz) = 0.3/f (GHz) As previously noted by the relationship between frequency and period, we can also define the frequency of a signal in terms of its wavelength. In doing so, we obtain: f (Hz) = (3 × 108)/λ (m) Because we can compute the wavelength in terms of varying frequency, we can also compute frequency in terms of varying the speed of light constant. As we vary the speed of light, we adjust the power of the frequency, which results in frequency defined in terms of Hz, kHz, MHz, and GHz. This is illustrated below: f (Hz) = (3 × 108)/λ (m) f (kHz) = (3 × 105)/λ (m) f (MHz) = 300/λ (m) f (GHz) = 0.3/λ (m) We can use two rules of thumb to simplify the computation of wavelength based on knowledge of the operating frequency of a device. These rules of thumb are useful as they define wavelength in terms of frequency in the gigahertz (GHz) range, which is where modern wireless LANs operate. The first rule of thumb to expedite computations is to estimate the wavelength in centimeters (cm). To do so you would use the following equation:
AU1271Ch02Frame Page 25 Monday, July 15, 2002 8:55 PM
25
Technology and Terminology
λ (cm) = 30/f (GHz) To illustrate the use of the preceding relationship, let’s consider the frequency of 2.4 GHz, which represents the beginning of one modern wireless LAN communications band of allocated frequencies. Then, the wavelength of the 2.4-GHz signal becomes: λ (cm) = 30/2.4 (GHz) = 1.24 cm For English measurements, we can estimate the wavelength in units of feet (ft) as follows: λ (ft) = 1/f (GHz) Returning to the preceding example where the frequency is 2.4 GHz, the wavelength then becomes ~.4 or 0.041 ft. For those not familiar with the metric system, it should be noted that there are 2.54 cm per inch, which results in 1 cm = 0.3937 in. Thus, the wavelength of a 2.4-GHz signal is also equivalent to 1.24 cm × 0.3937 in./cm, or 0.488 in. The use of the preceding equations can be used to explain the length of antennas. For example, the U.S. Navy maintains a fleet of ballistic missile submarines that can stay submerged for weeks or months. During the time the submarines are submerged, they periodically need to communicate with a base station. To do so, a submarine will unwind a length of wire as an antenna that can be several miles long as underwater communications occurs via a low-frequency transmission system. At very low frequencies, the wavelength is very long, requiring a very long antenna to be deployed. In comparison, wireless LAN devices commonly operate in one of two GHz frequency bands. This results in the oscillating signal having a very short wavelength and explains why such devices can be fabricated with relatively short antennas. In fact, in the wonderful world of antenna design, it is quite common for an antenna wire to be spaced a half wavelength from another antenna to obtain a space diversity capability. This explains why an embedded antenna consisting of several short wires separated by a small distance can reside within the PC card form factor used to fabricate a common type of wireless network adapter card designed for insertion into a Type II slot commonly built into laptop and notebook computers. Later in this chapter, we examine antennas suitable for the bands where wireless LAN devices operate.
Bandwidth Bandwidth represents a range of frequencies, and not a single frequency. If fH is the high frequency in a band of frequencies and fL is the low frequency, then the bandwidth becomes: B = fH − f L
AU1271Ch02Frame Page 26 Monday, July 15, 2002 8:55 PM
26
Building the Wireless Office
Wireless LANs transmit at a predefined frequency; however, that frequency can vary based on the modulation method and coding technique employed. Thus, an appreciation of the bandwidth used by wireless LANs requires us to turn our attention to modulation techniques.
Modulation Methods By itself, a radio frequency oscillating signal, such as a sine wave, conveys no intelligence per se. That is, at a receiver we can note signal continuity as we are receiving a signal; however, other than the fact that the receiver received a signal, we cannot determine any information from the signal. Thus, for the signal to convey information, it must be changed. The process associated with changing a signal to impress information on the signal is known as modulation. Three basic methods are employed to modulate an oscillating signal. That signal, which for illustrative purposes will be a sine wave, is represented mathematically by the following equation: a = A sin(2 π ft + 0) where a = instantaneous value of voltage at time t A = maximum amplitude f = frequency 0 = phase The sine wave we will modulate for illustrative purposes will then carry or convey information. Due to this, it is then known as a carrier signal. Thus, the carrier’s characteristics that can be altered are the carrier’s amplitude, which results in the process of amplitude modulation; the carrier’s frequency, which results in the process of frequency modulation; and the carrier’s phase, which results in the process of phase modulation.
Amplitude Modulation A simple method of modulation is to vary the magnitude of a signal from a zero or low level to represent a binary zero to a higher peak-to-peak voltage level to represent a binary one. Exhibit 3 illustrates an example of the use of amplitude modulation to encode a digital data stream into an appropriate series of analog signals. In this example, the amplitude-modulated signal is varied from zero to represent a binary 0 to the voltage level Vo to represent a binary 1. Because Exhibit 3 shows a shift between two levels of amplitude, this type of amplitude modulation is also referred to as amplitude shift keying (ASK) as the amplitude shifts from one value to another based on the binary value of data to be amplitude-modulated. Because noise has a greater effect on amplitude than frequency, very rarely is amplitude modulation used by itself to transmit data. Instead, amplitude
AU1271Ch02Frame Page 27 Monday, July 15, 2002 8:55 PM
27
Technology and Terminology
0
0
1
1
0
1
0
Digital Data
Vo Amplitude Modulated 0 Signal
Exhibit 3.
Amplitude Modulation
0
0
1
1
0
Digital Data Source
Frequency Modulated Signal f1
Exhibit 4.
f2
f1
Frequency Modulation
modulation is commonly used in conjunction with phase modulation, which results in quadrature amplitude modulation (QAM), described later in this chapter. Because frequency modulation is less susceptible to noise impairments, some of the earliest methods used to convey information were based on shifting a signal between two frequencies in tandem with the binary value of data to be modulated, a technique referred to as frequency shift keying.
Frequency Modulation The process of frequency modulation references how frequently a signal repeats itself at a given amplitude. One of the earliest examples of the use of frequency modulation was in the design of low-speed modems. The resulting design caused the modem to shift operation between two frequencies based on the value of each bit in a digital signal. That is, for each bit set to a value of binary 1, the modem would generate a tone at frequency f1; while for each value of binary 0 in the digital data stream, the modem would generate a tone at frequency f2. This type of frequency modulation under which the frequency is shifted between two tones is referred to as frequency shift keying (FSK). Exhibit 4 illustrates an example of frequency modulation. Because only two frequencies are used and frequency is shifted from one tone to another, Exhibit 4 also illustrates FSK.
AU1271Ch02Frame Page 28 Monday, July 15, 2002 8:55 PM
28
Building the Wireless Office
Time
180 degrees out of phase
Exhibit 5.
Phase Modulation
Phase Modulation A third type of modulation results in the variation of a carrier signal with respect to the origination of its cycle. This type of modulation is referred to as phase modulation. Exhibit 5 illustrates an example of phase modulation. In this example the bottom signal is shown 180 degrees out of phase with the top signal. As you might expect, if only two phases are used for modulation, the process is referred to as phase shift keying (PSK). By altering the phase of a signal, it becomes possible to encode multiple bits into a single signal change. From a technical perspective, the rate of signal change is referred to as the band rate, while the data transmission rate is referred to as the bit rate. Because bandwidth is limited, modem designers looked for methods to encode more bits into a signal change. One of the earliest techniques used to accomplish this was phase modulation. To illustrate the concept of packing more bits into a signal change, let’s assume we wish to encode two bits into one signal change, a process referred to as dibit coding. If we change the phase of a signal between one of four values, then each phase value can be used to convey one of four possible dibit values. The top portion of Exhibit 6 illustrates an example of phase angle values to support dibit encoding. If we encode three bits at one time into a single phase change, we would require 23, or 8, distinct phase changes. This type of encoding is referred to as tribit encoding, and the lower portion of Exhibit 6 provides an example of possible phase angles that could support tribit encoding.
The Nyquist Relationship Under dibit encoding the baud rate is one half the data rate. Similarly, under tribit encoding the data rate is one third the baud rate. The desire to make a more efficient signaling or baud rate results from the Nyquist therom, which denotes the relationship between the bandwidth and baud rate. That relationship is shown below: B = 2W
AU1271Ch02Frame Page 29 Monday, July 15, 2002 8:55 PM
29
Technology and Terminology
Exhibit 6. Examples of Phase Modulation Phase Values Used for Dibit and Tribit Encoding Coding Technique
Bits Transmitted
Phase Angles
Dibit encoding
00 01 10 11 000 001 010 011 100 101 110 111
0 90 180 270 0 45 90 135 180 225 270 315
Tribit encoding
where B is the baud rate and W is the bandwidth, in Hz. The Nyquist relationship indicates the maximum baud or signaling rate obtainable on a communications channel prior to one signal interfering with another, a process referred to as intersymbol interference. Because the maximum baud rate is a function of bandwidth and available bandwidth for different communications systems are regulated, to enhance the data rate required communications engineers to pack more bits into each signal change. As previously noted, dibit and tribit encoding represent two such methods. Although tribit coding makes more efficient use of bandwidth than dibit coding, we cannot continue to pack more bits per signal change. This is because each time we do so, the 360-degree pie of an oscillating signal gets sliced into more pieces, with each piece or signal change becoming smaller and smaller. This means the receiver circuitry must be more sensitive to detect small signal changes. This also means a slight impairment that causes a signal to be shifted from one phase to another would result in the misinterpretation of the received signal with many bits now being in error. Recognizing the problem associated with very small phase changes resulted in the development of combined modulation techniques. The most popular combined modulation technique combines amplitude and phase modulation and is referred to as quadrature amplitude modulation (QAM).
Quadrature Amplitude Modulation Quadrature amplitude modulation results in the variance of the phase and amplitude of a signal based on the composition of each group of bits in a digital signal. We can obtain an appreciation for the manner by which QAM operates by examining Exhibit 7. Under QAM, the quadrature component of the carrier is
AU1271Ch02Frame Page 30 Monday, July 15, 2002 8:55 PM
30
Building the Wireless Office
M O
Q = MSinO Where M = Modulation O = Phase
Exhibit 7.
Exhibit 8.
Quadrature Amplitude Modulation
01 state
11 state
00 state
10 state
Quadrature Phase Shift Keying
shifted in-phase 0 degrees, with the amplitude of the signal altered by magnitude M. Thus, the resulting signal, 0, becomes M sin 0 Under a basic QAM technique, 0 is a 90-degree shift so that the carrier signal is altered from one quadrant to another. If two bits are packed per signal change and the carrier signal is rotated among four quadrants, the result is a quadrature phase shift keying (QPSK) modulation technique. An example of QPSK is shown in Exhibit 8. In examining Exhibit 8, note that each phase change represents two bits. This represents what is referred to as a multilevel modulation technique, which while using bandwidth more efficiently requires a more complex transmitter and receiver. This is because a cosine carrier wave is either added or subtracted from a sine wave to produce the required phase shift in the form of a modulated sine and cosine wave.
AU1271Ch02Frame Page 31 Monday, July 15, 2002 8:55 PM
31
Technology and Terminology
Exhibit 9. Constructing a Quadrature Amplitude Modulation Encoding Scheme Trailing Three-Bit Tribit Values
001 000 010 011 111 110 100 101
0 45 90 135 180 225 270 315
Absolve Phase
First Bit
9, 90, 180, 270
0 1 0 1
45, 135, 225, 315
Phase Change
Relative Signal Element Amplitude
3 5 3
Under QPSK as illustrated in Exhibit 8, the magnitude is held constant, with the phase varied. To accommodate higher data rates within a limited bandwidth requires the variance of both phase and amplitude. For example, let’s assume we develop a QAM technique that encodes four bits at a time into an amplitude and phase change. Let’s further assume the first bit in the group determines the amplitude to be transmitted, while the last three bits determine the phase angle of the resulting signal. The top portion of Exhibit 9 lists the possible phase angle changes for each group of three trailing bits in each quadbit. The lower portion of Exhibit 9 lists the QAM signal construction. In examining the entries for the tribit values in Exhibit 9, note that their sequence forms what is referred to as a Gray code. This code sequence results in the difference between two successive binary numbers being limited to one bit changing its state. Through the use of Gray code encoding, the most likely error during demodulation in which an incorrect adjacent code is selected will result in a one-bit error when decoded at the receiver. Exhibit 10 illustrates an example of a 16-point QAM encoding scheme, which is referred to as 16-QAM. Note that each group of four bits is encoded into an amplitude and phase change, with a total of 16 possible positions. Those positions represent the constellation pattern of the QAM technique.
Differential Modulation Wireless LANs popularly use two variations of phase modulation. Those variations are differential binary phase shift keying (DBPSK) and differential quadrature phase shift keying (DQPSK). Under DBPSK, two phase changes are
AU1271Ch02Frame Page 32 Monday, July 15, 2002 8:55 PM
32
Building the Wireless Office
90 135
45
3 3 2
1 2
180
1
225
3
5
0 Obsolete
315 270
Exhibit 10.
A 16-QAM Encoding Method
Exhibit 11. Differential Phase Shift Keying and Differential Quadrature Phase Shift Keying Modulation
DBPSK DQPSK
Data Bits
Phase Change
0 1 00 01 11 10
0 180 0 90 180 270
used, with each data bit mapped into a phase change as denoted in the top portion of Exhibit 11. Under DQPSK, data dibits are mapped into one of four phase changes. The lower portion of Exhibit 11 indicates the mapping of dibits into phase changes under DQPSK. Note that the term “differential” is due to the fact that the transmitted phase (0n) represents a function of the previous phase (0n − 1) and the phase change (∈0), such that the new phase is as follows: 0n = ∈0 + 0n − 1 Now that we have a basic understanding of modulation methods, let’s turn our attention to the signaling method wireless LANs use.
Signaling Methods Wireless LANs use four primary signaling methods. One signaling method involves infrared technology in which the portion of the electromagnetic spectrum just below visible light is used as the transmission medium. Because infrared transmission has similar properties to visible light, its transmission is
AU1271Ch02Frame Page 33 Monday, July 15, 2002 8:55 PM
Technology and Terminology
33
not regulated. In comparison, two signaling methods used by wireless LANs, referred to as frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS), represent wideband radio frequency signaling methods. These methods were originally developed for military applications. Their use is regulated by the Federal Communications Commission (FCC) in the United States and other regulatory agencies in foreign countries. A third signaling method, referred to as orthogonal frequency division multiplexing (OFDM), also represents a wideband radio frequency communications method whose use is regulated. In this section we briefly examine the operation of infrared as well as the three RF signaling methods previously mentioned.
Infrared Unlike RF signaling, the use of infrared (IR) is at a very high frequency. This makes it extremely difficult to modulate a carrier at IR frequencies. Due to this, IR modulation is commonly based on turning a pulse on and off. Infrared on–off pulse modulation can be achieved by varying the intensity of current in an infrared emitter, such as a light-emitting diode (LED). An infrared detector in the form of photodiode detection generates an electrical current that is proportional to the level of IR power received. In this manner, the pulse-modulated signal is demodulated.
Types of Infrared Transmission Wireless LANs use two general types of infrared transmission: direct and diffused. A direct IR system requires a line of sight between the transmitter and receiver. When I began my career working with data communications systems I encountered several proprietary types of directed infrared LANs. Such LANs required transmitters and receivers to be mounted literally on poles within an office to provide a line-of-sight transmission capability between different devices. The second type of infrared wireless LAN is based upon diffuse or reflective technology. Diffused IR does not require a direct line of sight between transmitter and receiver. Instead, infrared signals can be directed at a surface where they are reflected toward one or more receivers.
Limitations In an infrared wireless LAN environment that employs diffused IR, it is common to direct transmission toward the ceiling, with receivers pointed toward the ceiling to detect reflected infrared energy. Because a ceiling is not uniform due to lighting fixtures, vents, and other areas (perhaps used for return ducts), reflected energy can take different paths. This results in multipath reflections, requiring the receiver to be able to discriminate the best signal from a series of reflections. Although this can require a considerable amount of processing, diffused IR enables one transmitter to communicate with multiple receivers at the same time, resulting in a built-in group broadcasting capability. However,
AU1271Ch02Frame Page 34 Monday, July 15, 2002 8:55 PM
34
Building the Wireless Office
Spread Spectrum
fL
Interference f1
fH
Frequency
Exhibit 12.
Spread-Spectrum Communications
unlike a direct IR system that can be used indoors or outdoors, a diffused IR system can only be used indoors. If you own a laptop or notebook, chances are rather high that your computer has a built-in IR port. Chances are also very high that you never use your IR port or, if you did once, you probably noted that data transfer was rather slow and the IR port had to be carefully aligned toward the other device for the transfer to occur. Although we note later in this book that infrared is one of several types of wireless signaling methods specified by the IEEE, I have not noted its actual implementation by vendors. Thus, our description of infrared wireless LANs in this book is limited in scope.
Frequency Hopping Spread Spectrum Frequency hopping spread spectrum (FHSS) represents one of two radio frequency (RF) transmission techniques originally developed for military communications as a mechanism to overcome jamming. The other RF method originally developed for military applications, which we also discuss in this chapter, is direct sequence spread spectrum (DSSS).
Rationale for Spread Spectrum Both FHSS and DSSS result in a signal being spread over a range of frequencies. In a military environment, this action makes it difficult for the enemy to jam communications. In a commercial environment, the spreading of communications makes it difficult for interference to adversely affect communications. This is illustrated in Exhibit 12, which indicates electromagnetic interference occurring from machinery, electrical fluorescent ballasts, or another source at frequency f1. Because spread-spectrum communication uses frequencies f1 to fH, then an impairment at f1, where f1 < f1 < fn can be overcome by using a large band of frequencies. Now that we have an appreciation for the rationale for spread-spectrum communications in a commercial environment, let’s return our focus to FHSS.
Operation Under frequency hopping spread spectrum, transmission occurs over a range of frequencies. The transmitter transmits a short burst of data at one frequency
AU1271Ch02Frame Page 35 Monday, July 15, 2002 8:55 PM
35
Technology and Terminology
f10 f9 Frequency
f8 f7 f6 f5 f4 f3 f2 f1 t1
t2
t3
t4
t5
t6
t7
t8
t9
Time
Exhibit 13.
Frequency Hopping Spread Spectrum
and then hops to another frequency where communications continue. Exhibit 13 illustrates an example of FHSS communications. The process of hopping from one frequency to another is controlled by an algorithm and represents the FHSS hopping pattern. The time spent at each frequency is referred to as the dwell time. The spreading algorithm, frequency channel usage, and dwell time are regulated by the FCC in the United States and by other regulatory agencies in other countries. As we discuss wireless LAN standards later in this book, we examine the channels used by different methods of RF communications.
Direct Sequence Spread Spectrum A second spread-spectrum RF communications method that wireless LANs use is referred to as direct sequence spread spectrum (DSSS). Under DSSS, each data bit to be transmitted is mapped into a common pattern of bits based on a spreading code. The spreading code consists of a fixed number of bits that are known to the transmitter and receiver, with each bit in the code called a chip. The term “chip” is used to denote the fact that each bit in the spreading code forms part of the actual data bit. Although the sequence of chips within the spreading code is based on a pseudo-random sequence, the same sequence is repeated from spreading code to spreading code. Thus, the spreading code is not truly random.
Operation Exhibit 14 illustrates the use of a five-bit spreading code to spread binary 1 and binary 0 data bits. In examining the use of the five-bit spreading code shown in Exhibit 14, let’s first concentrate our attention on the operation of the transmitter. Note that each data bit (0 or 1) is modulo 2 added to the five-bit spreading code, resulting in five data bits having to be modulated instead of a single data bit.
AU1271Ch02Frame Page 36 Monday, July 15, 2002 8:55 PM
36
Building the Wireless Office
Exhibit 14.
Using a Five-Bit Spreading Code Binary 1
Binary 0
Transmitter Spreading code Modulo 2 addition Resulting encoded data
10110 +1 01001
10110 +0 10110
Receiver Encoded data Spreading code Modulo 2 subtraction
01001 10110 11111
10110 10110 00000
Thus, each data bit is spread. At the receiver, the encoded spread data is received. The same spreading code is then modulo 2 subtracted from the data to reconstruct the original bit setting. If a five-bit spreading code is used, the number of set and nonset bits is counted and the majority is used as the value for the received bit. This method of “majority rule” is used to compensate against the occurrence of one or more bit errors. In an IEEE 802.11 wireless LAN environment, the actual spreading code used is 11 bits in length and is referred to as a Barker code. This means that the chip rate must be 11 times faster than the data rate. When we discuss wireless LAN standards later in this book, we examine DSSS in additional detail.
Orthogonal Frequency Division Multiplexing Orthogonal frequency division multiplexing (OFDM) represents a transmission scheme under which multiple carrier waves are used instead of just one carrier. Each carrier transmits a small portion of a message, and the use of multiple carriers enables a message to be transmitted faster than when a single carrier is used. However, OFDM requires additional bandwidth because the series of carriers represent separate subchannels that carry modulated tones and must be separated from one another to minimize potential interference.
Evolution The use of OFDM dates to the 1950s and is not a revolutionary signaling concept. In fact, one of the earliest then-high-speed dial-up modems, which operated at 9600 bps, used OFDM. That modem was the Telebit Trailblazer, whose multiple carriers were referred to as multitone transmission. If we fastforward to the modern era, one popular signaling method used with some digital subscriber line (DSL) modems is referred to as discrete multitone transmission (DMT). DMT is also an orthogonal frequency division multiplexing technique.
AU1271Ch02Frame Page 37 Monday, July 15, 2002 8:55 PM
37
Technology and Terminology
Frequency
Exhibit 15.
Orthogonal Frequency Division Multiplexing
Operation An example of orthogonal frequency division multiplexing is illustrated in Exhibit 15. Note that each carrier is orthogonal, or at a 90-degree angle, to the other carriers. Because the carriers are spread over a wide frequency and are transmitted simultaneously, the use of multiple carriers represents frequency division multiplexing. Thus, the terms “OFDM” and “multitone transmission” are used to denote this signaling method. Under OFDM, each carrier is modulated using a common modulation technique; however, different modulation techniques can be used to modulate all carriers. Commonly used OFDM modulation techniques include several versions of quadrature amplitude modulation, such as 4-QAM, 16-QAM, and 64-QAM. Later in this book we examine how the data transmission rate is affected by the use of different modulation methods under OFDM.
The Frequency Spectrum and Wireless LANs The frequency spectrum ranges from very low frequencies at 1 Hz to gamma rays at 1023 Hz. Within that very large range of frequencies are three frequency bands used for wireless LANs. Those three bands are collectively referred to as industrial, scientific, and medical (ISM) bands, and to a large extent these three bands represent unlicensed frequency bands on a worldwide basis.
ISM Bands Although ISM bands are unlicensed, they are not unregulated and a distinction between the two is important. The fact that an ISM band is unlicensed means that organizations can transmit using ISM equipment without having to obtain a license to use such equipment. However, both the power and transmission characteristics of equipment, such as the frequencies and dwell time for FHSS, are regulated for operation in an ISM band. In the United States, the FCC is responsible for such regulation. The first ISM band defined for use was the 902-MHz to 928-MHz frequency band, which provides 28 MHz of bandwidth. Wireless LAN equipment that operates in this 900-MHz frequency band represents proprietary LAN equipment. Two additional ISM frequency bands are referred to as the 2.4-GHz and
AU1271Ch02Frame Page 38 Monday, July 15, 2002 8:55 PM
38
Building the Wireless Office
Exhibit 16. Location of the Three ISM Bands with Respect to Common RF Applications Application
Frequency
AM radio Analog cordless telephone Television FM radio Television Television Wireless data (to be licensed) RF wireless modem Cellular Digital cordless ISM Nationwide paging Satellite telephone uplink Personal communications ISM Satellite telephone downlinks Large-dish satellite TV ISM Small-dish satellite TV Wireless cable TV
535–1635 KHz 44–49 MHz 54–88 MHz 88–108 MHz 174–216 MHz 470–806 MHz 700 MHz 800 MHz 860–890 MHz 900 MHz 902–928 MHz 929–932 MHz 1610–1626.5 MHz 1850–1990 MHz 2400–2483.5 MHz 2483.5–2500 MHz 4–6 GHz 5.15–5.35 GHz, 5.725–5.825 GHz 11.7–12.7 GHz 28–29 GHz
the 5.0-GHz bands. The 2.4-GHz ISM band ranges from 2.4000 to 2.4835 GHz, resulting in 83.5 MHz of available bandwidth. The IEEE 802.11 and 802.11b standards, described later in this book, operate in the 2.4-GHz frequency band. The third ISM band, which is referred to as the 5.0-GHz band, has 300 MHz of spectrum allocated for unlicensed operations. The first 200 MHz occurs from 5.15 GHz to 5.35 GHz. The last 100 MHz is from 5.725 GHz to 5.825 GHz. The lower 200 MHz consists of two 100-MHz bands. The first 100 MHz from 5.15 GHz to 5.25 GHz is restricted to a maximum power output of 50 mW. The second 100 MHz, which ranges from 5.25 GHz to 5.35 GHz, has a more generous 250-mW power budget, while the top 100 MHz, which is restricted to outdoor operations, has a maximum 1-W power output.
Where Wireless LANs Reside To obtain an appreciation for where the three ISM frequency bands reside with respect to other applications, let’s examine a few frequencies associated with different applications. Exhibit 16 lists the allocation of 20 general frequency blocks to different applications based on an examination of FCC frequency allocations in the United States. It should be noted that the range of frequencies for a particular ISM band is available in most countries; however, the actual frequencies available for
AU1271Ch02Frame Page 39 Monday, July 15, 2002 8:55 PM
39
Technology and Terminology
use can vary from country to country. Similarly, the allowable signaling methods, such as the frequencies available for FHSS, can vary among countries. While most modern vendor equipment is now manufactured so that such equipment can be configured for specific operation in different countries, not all equipment is manufactured in this manner. Thus, if you are purchasing equipment in one country for use in another, you may wish to verify its suitability for use prior to purchasing such equipment.
Measurements Now that we understand the ISM bands in which wireless LANs operate, let’s turn our attention to a series of measurements that can be used to qualify the level of received power as well as power gains and losses. In doing so we also review such communications metrics as the bel, decibel, and signal-tonoise ratio.
Power Ratios One of the earliest communications measurements dates to the development of the telephone system. At that time a need arose to define the relationship between the received power level of a signal and its original power level. In developing a mathematical relationship, it was recognized that the human ear perceives sound or loudness on a logarithmic scale. Due to this, the initial relationship between the received power of a signal and its original power level was specified in terms of the use of logarithms to the base 10. This relationship was the bel (B), named in honor of Alexander Graham Bell, the inventor of the telephone. Although the bel was used for some time, the need for more precision resulted in the use of the decibel (dB), which represents one tenth of a bel and is now the preferred power measurement. In this section we examine both.
Bel The bel represents the ratio of power transmitted to power received based on a logarithmic scale, using logarithm B, to the base 10. The resulting gain or loss is given by the following formula: B = log10(P0/PI) where B = power ratio in bels P0 = output or received power PI = input or transmitted power In addition to the human ear hearing sound on a logarithmic scale, a second advantage associated with the use of this type of scale is that gains
AU1271Ch02Frame Page 40 Monday, July 15, 2002 8:55 PM
40
Building the Wireless Office
and losses are simplified and reduced to additions and subtractions. In a telephone environment, an analog signal is boosted by an amplifier. Thus, assume a 10-bel signal encounters a 3-bel loss and is then passed through a 6-bel amplifier. This would result in a signal strength of 10 – 3 + 6, or 13 bel. To provide readers not familiar with logarithms with a quick review, you can view logarithms to the base 10 (log10) of a number as being equivalent to how many times 10 is raised to a power equal to the number. For example, log10 10 is 1, log100 100 is 2, log1000 1000 is 3, etc. Because output or received power is normally attenuated or dissipated and is less than input or transmitted power, the denominator of the preceding equation is normally larger than the numerator. To simplify logarithmic computations an important property is shown below: log10(1/X) = –log10 X To illustrate the use of the bel for computing the ratio of power received to power transmitted, let’s assume the received power is one tenth of the transmitted power. Then, b = log10(1/10)/1 = log10(1/10) As previously noted, an important property of logarithms is: log10(1/X) = –log10X Thus, b = –log10 10 = –1 In the prior example, the negative value indicates a power loss. In comparison, a positive value would indicate a power gain. Now that we understand how the bel can be used to categorize power gains and losses, let’s look at a more precise measurement that for the most part has replaced the use of the bel. That more precise measurement is the decibel (dB).
Decibel The decibel represents a more precise measurement than the bel as it represents one tenth of the latter. The power measurement in decibels is computed as follows: dB = 10b = 10log1010 (P0 /PI ) where dB = power ratio in decibels P0 = output power or received power PI = input or transmitted power
AU1271Ch02Frame Page 41 Monday, July 15, 2002 8:55 PM
41
Technology and Terminology
Exhibit 17. Relationship of Watts and Decibel-Milliwatts Power in Watts
0.1 1 1 1
mW mW W kW
Power in dBm
10 0 30 60
dBm dBm dBm dBm
Due to the higher precision provided by the use of the decibel, it represents the preferred measurement used to denote power gains and losses. To illustrate the use of the power ratio in decibels, let’s return to our prior example in which the output or received power is one tenth of the input or transmitted power. Then, the power ratio in dB becomes: dB = 10 log10(1/10) Because log10 (1/X) = –log10X, we obtain: dB = 10 log1010 = –10
Decibel-Milliwatt The computations for the bel and decibel provide a ratio or comparison between two power values; however, they do not indicate power. As a signal propagates down a medium, the power at the receiver is easily measured. However, it is not as easy to denote what the received value indicates nor to use the received power for comparison purposes unless a standard testing mechanism is employed. In telephone operations, a 1-mW signal is used at a frequency of 800 Hz to test a circuit. To ensure you do not forget that the resulting power measurement occurred with respect to a 1-mW input signal, the term “decibel-milliwatt” (dBm) is used. Thus, the computation of a received power level in dBm becomes dBm = 10log10 output power/1 mW input power Note that the term dBm reminds you that the output power measurement occurred with respect to a 1-mW test tone. Although in many books, including this one, you will see the term decibel-milliwatt, in actuality a more accurate term is “decibel above 1-mW.” Thus, 10 dBm represents a signal 10 dB above or bigger than 1 mW, whereas 20 dBm represents a signal 20 dB above 1 mW, etc. You can use the preceding relationships to construct a table that indicates the relationship between power in watts and power in decibel-milliwatts. This relationship is shown in Exhibit 17. To provide an example of the manner by which Exhibit 17 was constructed, let’s review the last entry in the table. One
AU1271Ch02Frame Page 42 Monday, July 15, 2002 8:55 PM
42
Building the Wireless Office
Thermal Noise Level
Frequency
Exhibit 18.
Thermal or White Noise
kilowatt of power represents 1000 watts. Because dBm = 10 log10 output power/1 mW, we obtain dB = 10 log10(1000 W/0.001) – 10 log101,000,000 Because log101,000,000 is 6, then 10 log101,000,000 becomes 60. Now that we have an appreciation for computing the gain or loss in power of a signal as well as its power level, let’s turn our attention to one of the most important metrics in communications: the signal-to-noise ratio.
Signal-to-Noise Ratio One of the most important metrics in the field of communications is the signalto-noise (S/N) ratio. Simply stated, the S/N ratio indicates the level of signal power (S) to the level of noise (N) in decibels (dB). While you might expect that a higher S/N ratio is preferable to a lower S/N ratio, like life itself this simplistic reality has some constraints. This is because in a wireless environment the amount of permissible radiated power is regulated by the FCC. Unfortunately, you cannot regulate the level of noise. Concerning noise, we need to consider two primary categories of noise — thermal and impulse. Thermal noise occurs due to the movement of electrons in a conductor or basic radiation from the sun. This type of noise is characterized by a nearuniform distribution of energy over the frequency spectrum. Exhibit 18 illustrates an example of thermal noise. This type of noise is also referred to as white noise or Gaussian noise. Because thermal noise represents a near-uniform distribution of energy over the frequency spectrum, it can be considered to represent the lower level of sensitivity of a receiver. This is because a receiver must be able to distinguish the signal from the level of noise. The second type of noise that adversely affects communications results from periodic disturbances. Such disturbances can range in scope from acts of God, such as lightning and solar flares or sunspots, to electromagnetic radiation resulting from the operation of certain types of machinery. This type of noise is referred to as impulse noise and is illustrated in Exhibit 19. Through the use of the S/N ratio, we can categorize the quality of transmission. While you always want an S/N ratio above unity for the receiver to
AU1271Ch02Frame Page 43 Monday, July 15, 2002 8:55 PM
43
Amplitude
Technology and Terminology
Frequency
Exhibit 19.
Impulse Noise
be able to discriminate a signal from thermal noise, there are limits concerning the maximum signal power level that can be transmitted. Those limits are regulated by the FCC and are based on the transmission system employed. As noted earlier in this chapter, the maximum power permitted for use by wireless LANs is 1 W in an outdoor environment, with a lower level of power permitted for indoor use. To obtain an appreciation for what different S/N ratios mean, let’s examine a few. First, let’s assume we obtain an S/N ratio of zero. The decibel is defined as: 10 log10(Po/PI) This means that to obtain a decibel reading of zero, 10 log0 must be zero. This can only occur if Po = PI , which means that a decibel value of zero can only occur when the input power equals the output power. Thus, an S/N ratio of 0 dB means the signal power and noise are equal. Now let’s assume the S/N ratio is 10. This means: 10 = 10 log10(Po /PI ) If the ratio of Po /PI is 10, then log1010 is 1, satisfying the equation. This means that an S/N ratio of 10 equates to a 10-dB level. To facilitate some interesting computations, Exhibit 20 provides a summary of the relationship between two three-dimensional decibel values and their corresponding power or S/N ratios. In examining the entries in Exhibit 20, note that a dB value of 3 corresponds to a power or S/N ratio of 2:1. This means a 3-dB value indicates that the signal power is twice that of the noise.
Channel Capacity In a classic paper presented during 1949, Professor Claude Shannon at MIT denoted the relationship between the signal-to-noise ratio on a channel, its bandwidth, and the maximum data transmission rate in bits per second (bps). That classic relationship is: C = B log2(1+ S/N)
AU1271Ch02Frame Page 44 Monday, July 15, 2002 8:55 PM
44
Building the Wireless Office
Exhibit 20. Relationship between dB and Power Decibels
0 1 2 3 4 5 6 7 8 9 10 13 16 19 20 23 26 29 30 33 36 39 40 50
S/N
1.0:1 1.2:1 1.6:1 2.0:1 2.5:1 3.2:1 4.0:1 5.0:1 6.4:1 8.0:1 10.0:1 20.0:1 40.0:1 80.0:1 100.0:1 200.0:1 400.0:1 800.0:1 1000.0:1 2000.0:1 4000.0:1 8000.0:1 10000.0:1 100,000.0:1
where C = transmission capacity of a channel, in bps B = bandwidth, in Hz S = signal power, in dB N = noise power, in dB At the time Shannon presented his paper, a voice band channel had a bandwidth of 3000 Hz and an S/N ratio of 30 dB. Using Shannon’s formula, the transmission capacity of a voice-grade channel during 1949 became: C = 3000 × log2 (1 + 103) = 30,000 bps It is worth noting that Shannon’s capacity formula projected the ability to obtain a 30,000-bps transmission rate over voice-grade channels that at that time were lucky to support a 300-bps modem. Over the years the use of fiber optics in the backbone of almost all communications carriers resulted in a
AU1271Ch02Frame Page 45 Monday, July 15, 2002 8:55 PM
Technology and Terminology
45
higher obtainable S/N ratio; however, it was not until the mid-1990s that modem designers were able to design products that operated at the capacity Shannon indicated was possible almost 45 years earlier. Today, Shannon’s channel capacity formula is valuable not only for computing the potential bit rate of a channel but also for noting how capacity can be increased. Because capacity is based on both available bandwidth and the S/N ratio, it becomes possible to increase the transmission rate by increasing either or both of the previously mentioned metrics.
Antenna Considerations No basic discussion of wireless LANs would be complete without describing one of the most important parts of an RF system. That part is the antenna, whose job is to both transmit a signal as well as shape and focus a received signal so that it can be understood. In this section we examine some of the basic parameters associated with antennas and how those parameters affect our equipment’s ability to transmit and receive signals.
Radiation Pattern There are many types of antennas, some of which you may notice located on the tops of buildings, mounted on police vehicles, and even protruding from your cell phone or wireless LAN network adapter card. Although each of those antennas may appear different from one another, they all have a radiation pattern. That pattern indicates the power radiated in any direction relative to the direction of maximum radiation. Although the actual radiation pattern of any antenna is a three-dimensional function, when we work with pen and paper the pattern is specified in terms of a two-dimensional/two-dimensional diagram. This two-dimensional/twodimensional pattern illustrates the beam pattern of the antenna with respect to a 360-degree circle. Exhibit 21 illustrates an example of the radiation pattern for a near-directional antenna. Note that most of the antenna’s radiated power is concentrated in a narrow beam. Also note that the concentric circles radiating outward from the center of the circle indicate the signal strength.
Beamwidth In the example shown in Exhibit 21, the beam pattern is relatively narrow, which results from the fact that a directional antenna’s beam pattern is shown. The actual beam pattern results from several factors. Those factors can include the shape of the antenna, the use of a reflector behind the antenna to focus its transmitted power, its angle of elevation, and the presence of objects and the ground beneath the antenna. These contributing factors result in the radiated signal consisting of the transmitted signal as well as reflected signals. Some of the reflections may cancel one another, while other reflections can be additive. If you carefully examine Exhibit 21, you will note that reflections
AU1271Ch02Frame Page 46 Monday, July 15, 2002 8:55 PM
46
Building the Wireless Office 0 357
3
dB Power -5 -10 -15 -20 270
90
180
Exhibit 21.
The Radiation Pattern for a Directional Antenna
from about 3 degrees to 357 degrees rapidly dissipate and the beamwidth, which is shown as 6 degrees, ranging from 357 degrees through 3 degrees, represents the direction of maximum radiation. In actuality, in antenna engineering, another related term known as “half-power beamwidth” is worth noting. The half-power beamwidth represents the angle between the points on each side of the direction of maximum radiated power at which the intensity of the radiated power falls to half the maximum. In Exhibit 21, the half-power beamwidth is conveniently shown centered around 0 degrees.
Antenna Gain The ability of an antenna to shape and focus a signal in a particular direction is referred to as the antenna gain. The antenna gain is expressed in terms of how much stronger the focused signal is in the desired direction in comparison to an antenna where a signal is distributed in all possible directions. The latter is referred to as an isotropic antenna and the power relationship is known as decibel isotropic, or dBi. A common omnidirectional “stick” antenna that is used in a vertical position will typically have a gain of 6 to 8 dBi. From Exhibit 20, 6 dB is equivalent to a power ratio of 4:1, while 8 dB is equivalent to a power ratio of 6.4:1. This means that by redirecting the signal that would otherwise go straight up or down to the horizontal level, between 4 and 6.4 times as much signal can become available horizontally. This also indicates as well as explains why a directional antenna can transmit a higher level of signal power as well as have the ability to receive a lower level of received signal power. In fact, a parabolic reflector-based antenna is commonly used by a wireless LAN bridge to obtain an extended line-of-sight transmission distance that can range up to approximately ten miles. This type of antenna can have a gain of 24 dBi, which is equivalent to a power increase of over 200 times that of an omnidirectional antenna.
AU1271Ch02Frame Page 47 Monday, July 15, 2002 8:55 PM
Technology and Terminology
47
Although a high-gain directional antenna is preferable to a low-gain omnidirectional antenna, you would expect most wireless LAN products to have the first type of antenna. Unfortunately, omnidirectional “stick”-type antennas are relatively inexpensive to fabricate, which explains why the majority of wireless LAN antennas either resemble sticks or are built into (embedded) the edge of a LAN adapter card. Concerning the gain of an antenna, it is also worth noting that in order to comply with FCC regulations a wireless LAN device has a maximum amount or level of power it can generate. That power level, which is 1 W in the 2.4-GHz band, results in a 24-dBi antenna having a maximum transmit power of 24 dBm. Because the addition of a reflector to an antenna can significantly improve its gain and directivity, this action allows an unwanted third party to easily monitor wireless LAN traffic from the parking lot of many buildings. When we discuss security as a separate entity later in this book, we also describe how we can minimize the leakage of RF energy from a building in which we are using a wireless LAN that will make it more difficult or impossible for a third party to monitor our communications. Now that we have an appreciation for basic communications concepts that are relevant to the operation of wireless LANs, we conclude this chapter with an overview of the structure of wireless LANs to include the terminology associated with their use.
Wireless LAN Terminology In Chapter 1, which provided an introduction to this book, we briefly examined two basic types of wireless LANs as well as the manner by which separate islands of such networks can be interconnected via a wired infrastructure. In this section we probe deeper into wireless LANs while becoming acquainted with the terminology associated with their use.
Architecture The architecture or network structure of wireless LANs consists of several components and services that enable devices to communicate with one another via the air. In this section we examine how wireless LANs are formed and interconnected to one another.
The Station The basic component of a wireless LAN is a station, the term used to represent a computer device that has a wireless LAN network adapter card and applicable software. The station can represent a laptop or notebook PC, a desktop computer, or even a PDA. A special type of station is an access point (AP) that functions as a bridge between wired and wireless LANs and whose operation is described in detail later in this section.
AU1271Ch02Frame Page 48 Monday, July 15, 2002 8:55 PM
48
Building the Wireless Office
Station Station
Station Independent Basic Service Set
Exhibit 22.
An Independent Basic Service Set (IBBS)
Network Topologies Wireless LANs support two types of topologies: ad hoc and infrastructure.
Ad Hoc Networking An ad hoc wireless network occurs when two or more stations are within close proximity, so they can communicate with one another. As the stations communicate with one another in a peer-to-peer manner, the area within which communications occurs is referred to as an independent basic service set (IBBS). Exhibit 22 illustrates a group of stations communicating with one another on a peer-to-peer ad hoc basis that forms an IBBS. As you might surmise, the term “independent” results from the fact that this type of basic service set operates as an independent entity and has no connection to another ad hoc network or to a wired network. Once a connection occurs, the “independent” prefix is dropped. In examining Exhibit 22, it should be noted that each station operates independently of other stations, communicating on a peer-to-peer basis. This means that it is possible for the three stations to have a total of six peer-topeer sessions if each station needed to communicate with each of the other stations shown in the illustration. Because of transmission-range limitations, it is also possible that each station may not be able to communicate with every other station within the IBBS. Unlike a basic service set (BBS) in which the access point functions as a relay, an IBSS has no relay capability. Thus, all stations need to be within the range of each other to communicate with one another.
Infrastructure Networking A second type of wireless network structure involves the use of an access point, either by itself or connected to a wired LAN. The use of an access point with one or more client stations results in the formation of a basic service set (BBS). Exhibit 23 illustrates both types of basic service sets.
AU1271Ch02Frame Page 49 Monday, July 15, 2002 8:55 PM
49
Technology and Terminology
Wireless Infrastructure
Wireless to Wired Infrastructure To Wired Network Hub
Access Point
Station
Exhibit 23.
Access Point
Station
Station
Basic Service Set
Station
A Basic Service Set
Access Point Operation When an access point is used by itself without a connection to a wired LAN, the device functions as a basic repeater. The access point periodically broadcasts a beacon frame, which informs all stations within receiving distance of the presence of the AP and its capabilities. Client stations then communicate with the access point in order to reach other stations, with the AP in effect relaying data between stations. The area of coverage of the BSS is referred to as the basic service area (BSA). Because communications occur through the access point, another name for the BBS is an infrastructure BSS; however, to avoid confusion with an independent BSS, we will not abbreviate the former. The right portion of Exhibit 23 illustrates a BSS in which an access point provides a connection to a wired LAN. In doing so, the access point functions as a wireless to wired LAN bridge. Similar to a conventional bridge, the access point works on the 3 Fs rule: filtering, forwarding, and flooding frames. The access point constructs a port-address table. However, instead of multiple wired ports, the access point typically works with one wired port, with the wireless over the air transmission representing a second port. Initially the port-address table is empty when the access point is powered on. As a frame reaches the access point, the AP notes its source address and enters that address in its port-address table. Because the destination address is not initially known, the access point floods the frame, sending it onto the wired port as well as over the air. Let’s now assume that the first frame was directed to a server on the wired LAN and the server responds, transmitting a frame with the destination address being the source address of a wireless station. The frame flows to the access point, which examines its port-address table and notes that the destination is “on the air.” Thus, the access point transmits the frame on the air, which in effect represents its second port. At the same time, the access point notes the source address of the frame received
AU1271Ch02Frame Page 50 Monday, July 15, 2002 8:55 PM
50
Building the Wireless Office
from the server and enters it into its port-address table, with the port it was received on being the wired LAN. Now let’s assume a station on the wired LAN transmits a frame to the server. When the frame flows to the access point, it checks its port-address table and notes that the destination is on the wired LAN. Therefore, there is no need to forward or to flood the frame, and the access point then filters the frame. Thus, the access port operates on the 3 Fs principle.
The Distribution System A BSS can be viewed as an island of wireless communications. Although an access point can be cabled to a wired LAN, unless additional BSSs are also connected to a wired infrastructure, each will function as a separate entity. When two or more access points are cabled to a common wired infrastructure, the wired infrastructure functions as a distribution system (DS). The DS provides a connectivity mechanism by which one access point communicates with another to exchange frames within their respective basic service sets, as well as forward frames as a station moves or roams from one BSS to another.
The Extended Service Set The connection of two or more BSSs by a distribution system results in the formation of an extended service set (ESS). Exhibit 24 illustrates the relationship between three BSSs, a DS, and the formed ESS. The formation of an extended service set results in two or more access points communicating among themselves to forward traffic from one BSS to another. While the IEEE 802.11 standard does not require a wired LAN to function as a distribution system, for all practical purposes that is usually the case due to the extensive wired infrastructure that exists within most organizations.
Media Access Control One important aspect concerning the operation of wireless LANs is obtaining a mechanism to control access to the media. Known as media access control (MAC), the MAC technique used by wireless LANs is designed to minimize the probability of two or more stations transmitting at the same time.
CSMA/CA The method of controlling access to the air used by wireless LANs represents a modification to the familiar Carrier Sense Multiple Access with Collision Detection (CSMA/CD) scheme used by Ethernet. Under the IEEE 802.11 standard, media access control occurs using a variation of Carrier Sense
AU1271Ch02Frame Page 51 Monday, July 15, 2002 8:55 PM
51
Technology and Terminology
BSS
BSS
AP
Station
Station
AP
Router Station
Station Distribution System Router
Internet
BSS
AP
Station
Station
Extended Service Set
Exhibit 24. Relationship between Basic Service Sets, a Distribution System, and an Extended Service Set
Multiple Access with Collision Avoidance (CSMA/CA). Under CSMA/CA, a station listens to the air to determine if the RF channel is busy. If it is, the station waits not only for the completion of transmission but also for an interval of time after the completion of transmission prior to transmitting a frame.
The Hidden Node Problem Unlike a wired network where frames can flow to every station, in a wireless LAN environment it is possible for obstructions such as walls, trucks, and even desks and people walking from room to room to hide one station from another. When this situation occurs it becomes possible for one station to be communicating with another while a third station listens to the channel and, thinking it is available, begins to transmit. In this situation it becomes possible for dual transmissions to adversely affect the ability of other stations to receive data. The solution to this “hidden node” problem is the use of a special Request
AU1271Ch02Frame Page 52 Monday, July 15, 2002 8:55 PM
52
Building the Wireless Office
To Send (RTS) frame that requests permission to transmit data. A Clear To Send (CTS) response from the destination station then allows the originating station to proceed. Later in this book, when we examine the IEEE standards in detail, we note how the CSMA/CA protocol works to include the use of RTS and CTS frames to gain access to the medium.
AU1271Ch03Frame Page 53 Monday, July 15, 2002 8:54 PM
Chapter 3
IEEE Standards Standards can be considered the glue that facilitates the interoperability of equipment produced by different vendors. In this chapter we turn our attention to a core series of wireless LAN standards developed under the auspices of the Institute of Electronic and Electrical Engineers (IEEE). The IEEE was tasked many years ago by the American National Standards Institute (ANSI) to develop local area networking standards. Standards developed over the past 25 years include Ethernet, Fast Ethernet, Gigabit Ethernet, and Token Ring. During 1997 the IEEE developed its 802.11 standard for wireless LANs. This standard was soon followed by two amendments, referred to as the 802.11b and 802.11a standards. This chapter focuses on all three standards, to include examining the basic architecture associated with the three standards and how that architecture relates to the Open System Interconnection (OSI) Reference Model developed by the International Standards Organization (ISO).
Basic Architecture The first wireless LAN standard developed by the IEEE dates back to 1997. That standard, referred to as the 802.11 specification, defines the operation of wireless LANs at the lower two layers of the OSI Reference Model. Subsequent extensions retain the separation of layers, which we now examine.
Layer Separation Exhibit 1 compares the IEEE 802.11 standard to the lower two layers of the OSI Reference Model. In examining Exhibit 1, note that the 802.11 standard defines the media access control (MAC) and physical (PHY) layers for a LAN with wireless connectivity. In doing so, the initial standard supports three physical layers: infrared, frequency hopping spread spectrum (FHSS), and 53
AU1271Ch03Frame Page 54 Monday, July 15, 2002 8:54 PM
54
Building the Wireless Office
OSI Reference Model
IEEE 802.11 Standard Logical Link Control
Data Link Layer Media Access Control
Physical Layer
Infrared
Direct Frequency Hopping Sequence Spread Spread Spectrum Spectrum
Exhibit 1. Comparing the IEEE 802.11 Standard to the Two Lower Layers of the OSI Reference Model
direct sequence spread spectrum (DSSS). The initial standard defines three signaling methods, of which the two radio frequency methods operate in the 2.4-GHz industrial, scientific, and medical (ISM) band. The first extension to the 802.11 standard, the 802.11b specification, continues operation in the 2.4GHz ISM band. However, the second extension, the 802.11a specification, operates in the 5-GHz band and uses a completely different signaling technique referred to as orthogonal frequency division multiplexing (OFDM). Although the physical layers differ for each signaling mechanism, they use a common method of media access control. Thus, the frame formats supported by the MAC layer are relevant for each physical layer supported by the basic 802.11 standard as well as each of the extensions to the standard.
Physical Layer Operation As indicated in Exhibit 1, the basic IEEE 802.11 standard supports three physical layer signaling methods: infrared and two radio frequency methods referred to as frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS). Because we noted the basic manner by which signaling methods operated in Chapter 2, we only briefly examine them in this chapter.
Infrared In Chapter 2 we noted that infrared communications in wireless LANs can be either a line-of-sight (directed) or reflective (diffused) method of communications. Under the IEEE 802.11 standard, both 1-Mbps and 2-Mbps operating rates are defined using diffused infrared communications at a wavelength from 850 to 950 nanometers. The basic access rate of 1 Mbps occurs through the use of pulse position modulation (PPM), which uses a symbol period broken into 16 subintervals (16-PPM), while the enhanced access rate of 2 Mbps occurs using 4-PPM. Because the use of either directed or diffused infrared is limited to at most one room, to my knowledge 802.11 equipment using infrared is conspicuous by its absence and is not discussed further in this book.
AU1271Ch03Frame Page 55 Monday, July 15, 2002 8:54 PM
55
IEEE Standards
Exhibit 2. Frequency Channels and Hopping Patterns for FHSS Operations under the IEEE 802.11 Standard
Location
United States Europe (except as noted below) Spain France Japan
Minimum Number of Frequency Channels
Number of Frequency Channels
Actual Sets of Hopping Patterns
Number of Hopping Patterns per Set
Number of Hopping Patterns
75 20
79 79
3 3
26 26
78 78
20 20 20
23 27 35
3 3 3
4 9 11
12 27 3
Frequency Hopping Spread Spectrum Frequency hopping spread spectrum (FHSS) supports data rates of 1 Mbps and 2 Mbps. FHSS operates in the 2.4-GHz ISM band, with 79 hopping channels specified for the hopping set in the United States.
Modulation FHSS channels commence with a center frequency of 2.402 GHz. All subsequent channels are spaced 1 MHz apart, with the separation mandated by the Federal Communications Commission for the use of FHSS in the 2.4-GHz ISM band. At a 1-Mbps operating rate, FHSS employs a two-level Gaussian frequency shift keying (GFSK) modulation method. Under GFSK, a basic 1 is encoded using frequency Fc + f, while a logical 0 is encoded using frequency Fc – f, where Fc represents the center frequency of the channel. Because each bit is encoded as a single signal change, a 1-MHz signaling rate results in a data rate of 1 Mbps. A second modulation method used by FHSS is a four-level Gaussian frequency shift keying method under which two bits are encoded within one signaling change. Here, the term “Gaussian” is used to indicate that the premodulated digital data stream is first passed through a Gaussian low-pass filter. This premodulation filtering increases spectral efficiency by minimizing the shifts in phase. Because four-level GFSK results in a 1-MHz signaling rate with two bits encoded per signal, the data rate becomes 2 Mbps.
Frequency Channels The number of frequency channels available for use (as well as the minimum number of channels that need to be used) is regulated in the United States by the FCC and in other countries by other regulatory agencies. Exhibit 2
AU1271Ch03Frame Page 56 Monday, July 15, 2002 8:54 PM
56
Building the Wireless Office
indicates the minimum and actual number of 1-MHz frequency channels available at different locations around the globe. This table also indicates the number of sets of hopping patterns, the number of hopping patterns in a set, and the number of hopping patterns available. The number of hopping patterns per set, which is 26 for the United States, indicates that you can install 26 FHSS access points within a basic service set with a minimum of interference. This results from the hopping pattern minimizing the probability of one FHSS access point operating on the same frequency channel as another access point.
Direct Sequence Spread Spectrum The second type of RF signaling method defined under the IEEE 802.11 standard is direct sequence spread spectrum (DSSS). As indicated in Chapter 2, under DSSS a spreading code is used to map each data bit into a sequence of bits that are modulated over a wide frequency spectrum.
Barker Code Although we illustrated the method of spreading with a five-bit code in Chapter 2, in actuality an 11-bit Barker code is used to spread data bits. The sequence of the 11-bit Barker code is 1011101000, and each data bit is modulo 2 added to the 11 code bits to spread the data bits, resulting in an 11-Mbps digital data stream that is then modulated onto a carrier frequency.
Modulation Similar to FHSS, under the initial 802.11 standard, two data rates are supported under DSSS. At a data rate of 1 Mbps, each bit is mapped into one of two phases using differential binary phase shift keying (DBPSK) modulation. To obtain an operating rate of 2 Mbps, differential quadrature phase shift keying (DQPSK) modulation is employed, with two data bits (a dibit) mapped into one of four phases.
Comparison to FHSS The initial IEEE 802.11 standard defines 13 selectable carrier frequencies in the 2.4-GHz ISM band. Each DSSS channel is 22 MHz wide, which restricts the number of independent access points that can exist within a basic service set to three. This is illustrated in Exhibit 3, which compares the potential frequency utilization of FHSS and DSSS. In comparing FHSS and DSSS in Exhibit 3, the ability to have 26 frequency hopping patterns means it is possible to co-locate 26 FHSS access points without one adversely impacting another. This means that at a 2-Mbps operating rate, FHSS operations provides a maximum support of 26 × 2 or 52 Mbps within a BSS. In comparison, using DSSS reduces the maximum data transfer support to
AU1271Ch03Frame Page 57 Monday, July 15, 2002 8:54 PM
57
IEEE Standards
DSSS 22 MHz Channel
22 MHz Channel
22 MHz Channel
31 32
58
FHSS 1
2
22
52
79
1 MHz Channel
Exhibit 3.
Frequency Channels for 2.4-GHz DSSS and FHSS
3 × 2 or 6 Mbps. While you might use this information to decide on using FHSS, let’s wait a minute and consider two factors. First, it is doubtful if an organization would want to deploy 26 access points within a BSS. Second, under the 802.11b extension, the data rate of DSSS is increased to 11 Mbps. This means that you can locate three 802.11b DSSS access points and obtain support for a maximum data transfer rate of 3 × 11 or 33 Mbps within a BSS; however, each station can operate at 11 Mbps instead of a maximum of 2 Mbps under FHSS.
Complementary Code Keying As a mechanism to increase the data rate of wireless LANs, a proposal developed by Lucent Technologies and Harris Semiconductor was presented to the IEEE during 1998. This proposal defined the use of a special coding scheme known as complementary code keying (CCK) for use in direct sequence spread-spectrum radio transmission. CCK was adopted for use in the 802.11b specification. CCK represents a binary complementary sequence consisting of a pair of finite-length sequences having the property that the number of pairs of like elements with any given separation in one series is equal to the number of pairs of unlike elements with the same separation in the other pair. This complementary code is then used as a spreading code; however, its code length is eight bits. This results in the use of a symbol rate of 1.375 MHz to generate an 11-Mbps data rate that occupies approximately the same bandwidth as a 2-Mbps DSSS signal under the original 802.11 standard.
Code Sets Under the 802.11b extension to the 802.11 standard, two CCK codes sets can be generated. One code set results in an 11-Mbps data rate. The second code set actually represents a subset of the 11-Mbps code set and provides a 5.5Mbps data rate. For both code sets, pairs of bits (dibits) are modulated using differential quadrature phase shift keying (DQPSK). The use of CCK provides high resistance to echoes or multipath reflections. Chip sets that support CCK also support the use of the 11-bit Barker spreading code, enabling DSSS to operate at data rates of 1, 2, 5.5, and 11 Mbps under the 802.11b standard.
AU1271Ch03Frame Page 58 Monday, July 15, 2002 8:54 PM
58
Building the Wireless Office
Orthogonal Frequency Division Multiplexing Unlike spread-spectrum communications, which use a single carrier, orthogonal frequency division multiplexing (OFDM) uses multiple carriers spread over a range of frequencies. OFDM is defined as the signaling method used by equipment that conforms to the IEEE 802.11a standard. Unlike equipment that conforms to the 802.11 and 802.11b standards, equipment that is 802.11acompatible operates in a higher unlicensed frequency band.
Frequency Allocation The use of OFDM occurs in the 5-GHz unlicensed national information infrastructure (UNII) frequency band, which represents a third ISM band defined by the FCC. The FCC allocated 300 MHz of frequency for unlicensed operation in the 5-GHz block, 200 MHz of which is at 5.15 to 5.35 GHz. The other 100 MHz is located from 5.725 to 5.825 GHz. The 300-MHz total frequency is subdivided into three bands: the first 100 MHz is restricted to a maximum power output of 50 mW. The second 100 MHz has a more generous 250-mW power cap, while the last 100 MHz is designated for outdoor applications and has a 1-W power cap. Through the use of OFDM, a 20-MHz channel is subdivided into 52 subchannels, each approximately 300 kHz in width. A total of 48 data and four pilot carriers is used to simultaneously transmit data and reference signals. Several modulation methods are supported for transmitting data under OFDM. Using binary phase shift keying (BPSK) results in a data rate of 125 kbps per channel, or a composite data rate of 6 Mbps. Using quadrature phase shift keying doubles the amount of data encoded per channel to 250 kbps, which yields a composite data rate of 12 Mbps. Using 16-QAM where four bits are encoded per signal change permits a composite data rate of 24 Mbps. When a 64-QAM modulation method is used, a data rate of 1.125 Mbps per 300kHz channel becomes possible, resulting in a composite maximum data rate of 54 Mbps.
Scope of Coverage Although OFDM provides a range of data rates whose highest rate is approximately five times that of DSSS signaling, the range of 5-GHz transmission is significantly less than 2.4-GHz operations. If we sat through a high school or college physics class, we probably heard the expression “high frequencies alternate more rapidly than low frequencies.” If we remember that expression, it explains the reason why 5-GHz operations have a range less than that of 2.4-GHz operations. What this means is that you have a trade-off between transmission range and operating rate. If you need the higher operating rate afforded by 802.11a equipment that uses OFDM, you may need to install multiple access points in comparison to the use of a single access point when 802.11 or 802.11b equipment is used.
AU1271Ch03Frame Page 59 Monday, July 15, 2002 8:54 PM
59
IEEE Standards
Exhibit 4.
OSI Reference Model
IEEE 802.11 Standard
Physical Layer
Physical Layer Convergence Procedure (PLCP) Physical Media Dependent (PMD)
The 802.11 Standard Subdivides the Physical Layer into Two Sublayers
80 bits
16 bits
Sync
SFD
Preamble
12 bits PLW
4 bits
16 bits
PSF
Header Check Error
PLCP Header
PSDU
Legend SFD Start of Frame Delimiter PLW PSDU Length Word PSF PLCP Signaling Field PSDU Physical Service Data Unit
Exhibit 5.
FHSS Physical Layer Convergence Procedure Frame Format
Physical Layer Operations Under the IEEE 802.11 standard, the physical layer is subdivided into two sublayers: the physical layer convergence procedure (PLCP) sublayer and the physical media dependent (PMD) sublayer. Exhibit 4 illustrates this subdivision. The physical layer convergence procedure sublayer is responsible for mapping the 802.11 physical sublayer service data units (PSDU) into a framing format suitable for transmitting and receiving information via the physical media. In comparison, the physical media dependent (PMD) sublayer defines the manner by which data are transmitted and received via the wireless medium when two or more stations use the same modulation system.
FHSS Exhibit 5 illustrates the PLCP used under FHSS. In examining Exhibit 5, note that the Preamble Sync field consists of an 80-bit field of alternating binary zeros and ones, transmitted commencing with a zero and ending with a binary one (1). The Start of Frame Delimeter (SFD) field consists of the 16-bit binary pattern 0000 1100 1011 1101 or hex 0ABD and follows the Sync field. The PLW (PSDU length word) defines the number of bytes contained in the physical service data unit (PSDU). The four-bit PSF (PLCP Signaling field) defines the
AU1271Ch03Frame Page 60 Monday, July 15, 2002 8:54 PM
60
Building the Wireless Office
182 bits
16 bits
8 bits
8 bits
16 bits
16 bits
Sync
SFD
Signal
Service
Length
CRC
Preamble
Exhibit 6.
PLCP Header
PSDU
The PLCP Frame Format for DSSS
Signal Field 12 bits
4 bits
Length
Rate
Preamble
Exhibit 7.
One OFDM Symbol 1 bit 1 bit Reserved
PLCP Header
PSDU
6 bits
Parity
Tail
Tail
Service
Pad
PLCP Frame Format for OFDM
transmission rate. Although only rates of 1 Mbps and 2 Mbps are currently supported, this field permits data rates from 1 Mbps to 4.5 Mbps in 0.5-Mbps increments to be specified. The 16-bit Header Check Error field, as its name implies, protects the header, while the Physical Service Data Unit (PSDU) transports the MAC frame.
DSSS Similar to FHSS, DSSS uses a specified PLCP frame format. This format has some distinct differences from the FHSS format and is illustrated in Exhibit 6. In examining Exhibit 6, note that for DSSS the PLCP SYNC field is 128 bits in length. The Start of Frame Delimiter (SFD) has the bit composition 1111001110100000, or hex F3A0. The Signal field defines the data rate. Current values include hex 0A for 1 Mbps, hex 14 for 2 Mbps, hex 37 for 5.5 Mbps, and hex 6E for 11-Mbps operations. The Service field is currently reserved for future use and is thus set to a value of hex 00. The Length field indicates the length of the payload in bytes.
OFDM Another PLCP is defined under the IEEE 802.11a standard for orthogonal frequency division multiplexing (OFDM). The PLCP frame format, which is illustrated in Exhibit 7, conveys information for each of the 48 carriers used.
AU1271Ch03Frame Page 61 Monday, July 15, 2002 8:54 PM
61
IEEE Standards
Exhibit 8. PLCP Rate Field Values for OFDM Rate Field Setting
Data Rate
1011 1111 1010 1110 1001 1101 1000 1100
6 9 12 18 24 36 48 54
2 bytes
2 bytes
6 bytes
6 bytes
6 bytes
Frame Control
Duration ID
Address 1
Address 2
Address Sequence Address 3 Control 4
2 bits Protocol Version
Exhibit 9.
2 bits Type
4 bits
1 bit
1 bit
Subtype ToDS FromDS
1 bit More Frag
2 bytes
6 bytes
0 - 2312 bytes Frame Body
4 bytes FCS
1 bit
1 bit
1 bit
1 bit
1 bit
Retry
Power Mgmt
More Data
WEP
Order
The MAC Layer Frame Format Specified by the IEEE 802.11 Standard
The PLCP preamble consists of a sequence of ten short and two long symbols. The Signal field includes several subfields, with the Rate subfield used to define the type of modulation and the coding rate used in the rest of the frame. Exhibit 8 indicates currently defined settings of the Rate field. Note that the eight defined bit sequences permit another eight data rates to be defined. Also note that because each data rate occurs based on the use of a specific modulation technique, the Rate field indirectly defines the modulation method used.
MAC Layer Operations The MAC layer is responsible for two key functions. First, it takes physical data units (PDUs) from the higher layers in the protocol stack and frames such data for delivery over the physical media. The second key function the MAC layer performs is providing access to the media. In this section we examine both functions.
Layer 2: Framing Exhibit 9 illustrates the layer 2 frame format specified by the 802.11 standard. In examining Exhibit 9, note that the top portion of the illustration indicates
AU1271Ch03Frame Page 62 Monday, July 15, 2002 8:54 PM
62
Building the Wireless Office
the full layer 2 frame format, while the lower portion indicates the subfields within the two-byte frame control field. To obtain an appreciation of how 802.11 wireless LANs operate, we first become acquainted with the fields of the MAC frame.
Protocol Version Field The Protocol Version field is two bits in length. The function of this field is to identify the version of the 802.11 standard being used. The initial value of the Protocol Version field is 0, and all other bit values are currently reserved.
Type and Subtype Fields The Type and Subtype fields are two and four bits in length, respectively. These two fields work together to identify the function and type of the frame. Currently, three types of frames are defined: data, control, and management. Thus, the two-bit Type field has one available pair of bits reserved for future use, while the other three pairs denote currently defined types of frames. Exhibit 10 indicates the presently defined Type and Subtype field values. In examining the entries in Exhibit 10, note that the two Type bits define the basic function of a frame, such as management, control, or data. In comparison, the Subtype bits define the actual function of the frame. In examining the subtype descriptions, note that CF represents “contention-free,” which represents frames used for an access control method referred to as point coordination function (PCF) and described in this section.
ToDS/FromDS Fields The ToDS and FromDS fields are each one bit in length. The setting of the ToDS field to a binary 1 indicates that the frame is destined to the distribution system. When a frame exits the distribution system, its FromDS field value is set to 1. If a frame stays within its basic service set, the values of both the ToDS and FromDS fields are 0.
More Frag Field The purpose of the More Frag field is to indicate if a following frame contains a fragment associated with the media PDU. If so, the MoreFragment subfield bit position is set to 1.
Retry Field The purpose of the Retry field is to denote that the frame is a fragment representing the retransmission of a previously transmitted fragment. The receiving station uses the setting of this one-bit field to recognize duplicate transmissions that can occur if an Acknowledgment frame should be lost.
AU1271Ch03Frame Page 63 Monday, July 15, 2002 8:54 PM
63
IEEE Standards
Exhibit 10.
Type and Subtype Field Values
Type Value
Description
Subtype Value
Description
B3b2 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 10 10 10 10 10 10 10 10 10 10
Management Management Management Management Management Management Management Management Management Management Management Management Management Control Control Control Control Control Control Control Data Data Data Data Data Data Data Data Data Data
B7b6b5b4 0000 0001 0010 0011 0100 0101 0100–0111 1000 1001 1010 1011 1100 1101–1111 0000–0001 1010 1011 1100 1101 1110 1111 0000 0001 0010 0011 0100 0101 0110 0111 1000–1111 0000–1111
Association request Association request Association request Reassociation request Probe Request Probe request Reserved Beacon ATM Disassociation Authentication Deauthentication Reserved Reserved RS poll RTS CTS ACK CF End CF End + CF ACK Data Data + CF ACK Data + CF poll Data + CF ACK + CF poll Null function (no data) CF ACK (no data) CF poll (no data) CF ACK + CF poll (no data) Reserved Reserved
Power Management Field Each wireless LAN station can operate in one of two power modes: Power Save or Active. Thus, the Power Management bit permits a station to indicate its power state. In the wonderful world of wireless LANs, an access point uses the setting of the Power Management field to note which stations are in a Power Save mode of operation. The access point will buffer frames addressed to stations in a Power Saving mode until such stations specifically request frames via the transmission of a polling request or the station changes its power state. A station in a Power Save mode of operation will listen to the air to determine if the access point has buffered frames addressed to the station.
AU1271Ch03Frame Page 64 Monday, July 15, 2002 8:54 PM
64
Building the Wireless Office
The access point (AP) periodically transmits a beacon frame that indicates the presence of the AP and its capabilities. Included in the beacon frame is an indication of the stations known by the access point to be operating in a Power Save mode that the AP has buffered frames ready for transmission. The receipt of the beacon causes the station to wake up and note that it has a frame stored at the access point awaiting delivery. This result is the station remaining in an Active power state and transmitting a polling message to the access point as a mechanism to inform the AP it is ready to receive buffered frames addressed to the station.
More Data Field The More Data field represents another one-bit field. This field is set to a value of binary 1 when more frames follow the current frame. Thus, the access point would set the value of this field to 1 when it transmits an initial buffered frame and has another frame buffered for the same destination address.
WEP Field The initial design goal of the 802.11 wireless LAN standard was to provide a level of security equivalent to that of a wired LAN. Hence, the mechanism by which authentication and encryption is enabled or disabled is defined by the Wired Equivalent Privacy (WEP) field. This one-bit field denotes whether or not WEP is enabled. Because this field is only one bit in length, all members within a basic service set must use the same security method. WEP is based on a shared key used by each station to generate a steam cipher. The stream cipher expands the key into an infinite pseudo-random key stream, which is modulo 2 added to the data to generate an encrypted data stream. As we note later in this book when we discuss security as a separate entity, several deficiencies in the WEP algorithm make it breakable. In addition, by default it is disabled, allowing many third-party persons to simply drive into a parking lot and — using a laptop computer with a wireless LAN adapter card and an applicable software program — observe most if not all wireless traffic that can be recorded and immediately understood.
Order Field The last one-bit field in the Control field is the Order field. When set, this field indicates that the frame is transmitted using a strictly ordered service class. The use of this bit position was included as a mechanism to accommodate the DEC LAT Protocol, which is incapable of accepting a change of ordering between unicast and multicast frames. Because the DEC LAT Protocol is essentially a legacy protocol, for the vast majority of wireless applications this field is not set. Now that we have an appreciation for the use of the fields within the control field, let’s continue our tour of the MAC data frame.
AU1271Ch03Frame Page 65 Monday, July 15, 2002 8:54 PM
65
IEEE Standards
Exhibit 11. The Contents of the Address Fields in the MAC Data Frame ToDS
FromDS
Address 1
Address 2
Address 3
Address 4
0 0 1 1
0 1 0 1
DA DA BSSID RA
SA BSSID SA TA
BSSID SA DA DA
N/A N/A N/A N/A
Legend: TA = Transmitter address RA = Receiver address SA = Source address BSSID = Basic service set ID
Duration/ID Field The Duration/ID field is two bytes in length. The meaning of this field depends on the type of frame being transmitted. In a Power-Save Poll message, this field indicates the associated identity (ID) of the transmitting station. For all other types of frames, this field indicates the time in milliseconds requested to transmit a frame and its interval to the next frame. When we later examine the manner by which media access occurs, we note the role of the Duration field.
Address Fields As indicated in Exhibit 9, a frame can transport up to four addresses. Those address fields are labeled Address 1 through Address 4, and their use depends on the setting of the ToDS and FromDS bits in the Control field. Exhibit 11 indicates the use of the four Address fields based on the setting of the ToDS and FromDS bits. If you examine the addresses listed in Exhibit 11, based on the settings of the ToDS and FromDS bits, you will note that the Address 1 field always indicates the recipient of the frame. This structure is similar to a wired Ethernet frame in that the destination address in that frame precedes the source address. However, unlike a wired LAN, where the destination address always represents a station whose type does not need to be distinguished from one another, the contents of the Address fields in a wireless environment can vary in meaning. Thus, Address 1 can represent a destination address, a basic service set ID, or a receiver address. If the ToDS bit is set, Address 1 contains the address of an access point. If that bit is not set, the value of the Address 1 field then contains a station address. All stations filter on the contents of the Address 1 field, as it represents the recipient of the frame. The Address 2 field always identifies the station transmitting the frame. As indicated in Exhibit 11, the settings of the ToDS and FromDS bits in the Control
AU1271Ch03Frame Page 66 Monday, July 15, 2002 8:54 PM
66
Building the Wireless Office
field define what the value of the Address 2 field represents. When both the ToDS and FromDS bits are set to 0, the Address 2 field contains the original source address. When the ToDS bit is 0 and the FromDS bit is 1, the Address 2 field conveys the BSSID. If you carefully examine the possible addresses conveyed in the Address 2 field in conjunction with the settings of the ToDS and FromDS bits, you will note that when the FromDS bit is set, the value in the Address 2 field represents an access point address. Otherwise, when the FromDS bit is 0, the Address 2 field value represents a station address. The six bytes the Address 3 field transports are also defined by the settings of the ToDS and FromDS fields. When the FromDS bit in the Control field is set to a binary 1, the Address 3 field contains the original source address (SA). If the MAC data frame has the ToDS bit set, then the Address 3 field contains the destination address. The last address field, Address 4, is only applicable when a wired distribution system is used. In this situation a frame is transmitted from one access point to another. Thus, Address 4 now conveys the source of the DS frame.
Sequence Control Field Between Addresses 3 and 4 is a two-byte Sequence Control field. This field consists of two subfields: a Fragment Number and a Sequence Number. Thus, this field functions as a mechanism that indicates the order of different fragments that are part of a common frame.
Frame Body Field The function of the Frame Body field is to transport data between stations. As indicated in Exhibit 9, this field can vary in length up to 2312 bytes.
CRC Field The last field in the MAC data frame is the CRC field. This field is 4 bytes in length and contains a 32-bit cyclic redundancy check (CRC) that provides a mechanism for the detection of transmission errors. To accomplish this task, each station uses a fixed polynomial to divide the contents of the frames, which for mathematical purposes is treated as a long binary number. Similar to any division process, the result is a quotient and remainder, with the remainder used as the CRC, while the quotient is discarded. The receiving device uses the same polynomial to perform a similar operation on the contents of the frame, resulting in a locally generated CRC. If the locally generated CRC matches the transmitted CRC, the frame is considered to be error-free; otherwise, a transmission error is assumed to have occurred. Now that we have looked at the format of the MAC data frame, let’s move on and examine the format of several management and control frames as well as discuss how they are used.
AU1271Ch03Frame Page 67 Monday, July 15, 2002 8:54 PM
67
IEEE Standards
Timestamp
Exhibit 12.
Capability Information
SSID
IBSS Supported Parameter Set Parameter TIM Rates FH DS CF Set
Beacon Frame Body
Timestamp
Exhibit 13.
Beacon Interval
Beacon Interval
Capability Information
SSID
IBSS Supported Parameter Set Parameter Rates FH DS CF Set
Probe Response Frame Body
Management Frames Two key management frames we examine in this section are the beacon and probe response frames. An access point periodically transmits a beacon frame as a mechanism to denote its presence as well as its capabilities. In comparison, a station can use a probe response frame to inform an access point of its capabilities so it can select the lowest common denominator of capabilities.
The Beacon Frame Exhibit 12 illustrates the beacon frame body. In examining Exhibit 12, note that the parameter set information element is present within beacon frames generated by stations using an applicable signaling technique, such as the DS parameter set information element included when direct sequence spread spectrum is the signaling method used. Here, the DS parameter set would specify the DSSS channel used. Similarly, the independent basic service set (IBBS) parameter set information is only present within beacon frames generated by stations in an IBSS, while the TIM information element is only present within beacon frames generated by APs.
The Probe Response Frame Exhibit 13 illustrates the body of a probe response frame. Similar to the beacon frame, the presence of a particular parameter set for a signaling method depends on the use of the signaling method at the physical layer. Because the Capability Information field is common to both the beacon and probe frames, we now turn our attention to this field. Exhibit 14 illustrates the format of the two-byte Capability Information field. Note that at the present time this field consists of eight defined one-bit fields while the second byte is currently reserved for future use. The function of the Capability Information field is to indicate requested or advertised capabilities. APs as well as stations use this field to exchange capability information.
AU1271Ch03Frame Page 68 Monday, July 15, 2002 8:54 PM
68
Building the Wireless Office
B0 ESS
B1
B2
B3
IBSS
CF Pollable
CF Poll Request
B4
B5
Privacy
Short Preamble
B6
B7
B15
PBCC
Channel Agility
...
Legend ESS Extended Service Set IBSS Independent Basic Service Set CF Connection-Free
Exhibit 14.
The Capability Information Field
Interference
Station C
O
bs
tru ct io n
Station B
Station A
Exhibit 15.
An Obstruction Hiding a Node
Control Frames A third type of frame supported by IEEE 802.11 LANs is the control frame. One common control frame is the ACK frame, which is used to acknowledge receipt of a data frame. The 802.11 standard includes two control frames whose use is optional. Those control frames are the RTS (Request To Send) and CTS (Clear To Send) frames. Each of these frames is used in pairs, with CTS issued in response to an RTS frame, and is employed as a mechanism to overcome what is referred to as hidden station interference.
Hidden Nodes To understand what a hidden node is and how it can adversely affect transmission, consider Exhibit 15, which illustrates three stations. In this example it was assumed that an obstruction prevents station A from hearing station B. Thus, if station A has data to transmit, it would listen to the medium and, due to the obstruction, not note the fact that station B was transmitting. The result of this action would be interference at station C, which would hear the transmission from both stations A and B.
AU1271Ch03Frame Page 69 Monday, July 15, 2002 8:54 PM
69
IEEE Standards
Station
Data
Access Point
CTS Data A ck
Time
Exhibit 16.
The Four-Way Wireless Handshake
2 bytes Frame Control
Exhibit 17.
2 bytes
6 bytes
6 bytes
4 bytes
Duration
Receiver Address
Transmitter Address
CRC
Common RTS and CTS Frame Format
Use of RTS and CTS Frames The use of RTS and CTS frames is designed to protect against the hidden station interference problem. The use of RTS and CTS frames is optional and is disabled by equipment I use. Under this option a transmitting node first sends an RTS frame to an access point requesting a fixed amount of time necessary to transmit a MAC data frame of a given length. Once the medium becomes available, the access point broadcasts a CTS message. All stations within the BSS will hear the CTS, which indicates the duration of time allocated to the transmission. Upon receipt of the CTS, the requesting station transmits its MAC data frame, and the access point responds with an ACK frame. Exhibit 16 illustrates the relationship between the previously mentioned four frames, which are sometimes referred to as a four-way handshake. Now that we know the manner by which the RTS, CTS, and ACK frames can be used, let’s examine their composition.
RTS and CTS Frame Formats Exhibit 17 illustrates the format of both the RTS and CTS control frames, as they share a common frame format. When the frame is an RTS frame, the Duration field contains the time (in microseconds) required to transmit the next data or management frame plus one CTS frame, one ACK frame, and three interval periods between frames. Later in this chapter when we examine the access method wireless LANs support, we also examine the interval period between frames.
AU1271Ch03Frame Page 70 Monday, July 15, 2002 8:54 PM
70
Building the Wireless Office
2 bytes Frame Control
Exhibit 18.
2 bytes
6 bytes
4 bytes
Duration
Receiver Address
CRC
The ACK Frame Format
In an RTS frame, the transmitter address represents the address of the station transmitting the frame. Because the CTS frame responds to an RTS frame, in the latter type of frame the receiver address (RA) is copied from the transmitter address (TA) of the received RTS frame. For both RTS and CTS frames, the Receiver Address and Transmitter Address fields are six bytes in length and correspond to the wired LAN MAC address format. In the CTS frame, the value of the Duration field is obtained from that field in the RTS frame.
ACK Frame A third common control frame is the ACK or Acknowledgment frame. This frame is used to acknowledge the receipt of data, and its format is shown in Exhibit 18. Similar to the CTS frame, which has several fields whose values are copied from an RTS frame, the ACK frame has a field copied from a MAC data frame. That is, the receiver address in the ACK frame is copied from the Address 2 field in the MAC data frame. Another relationship between a MAC data frame and an ACK frame concerns the setting of the MoreFragment bit in the Frame Control field of the MAC data frame. If that bit is set to 0, the Duration field in the ACK frame is set to 0. Otherwise, the value to be used in the ACK Duration field is obtained from the Duration field of the previous frame, decremented by the time (in microseconds) required to transmit the ACK and a time interval referred to as the SIFS, which we soon discuss.
Media Access The media access control method that IEEE 802.11 wireless LANs use represents a variation of Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA); it is referred to as the distributed coordination function (DCF).
Time Gaps Under the DCF version of CSMA/CA, three different time gaps referred to as interframe spaces (IFS) are defined. The longest interframe space is referred to as a distributed coordination function IFS (DIFS). The DIFS is used as a time delay between packets, in effect extending the period of time that other stations cannot transmit to the duration of an existing packet plus the DIFS. Thus, the DIFS defines the minimum time a station needs to wait after sensing
AU1271Ch03Frame Page 71 Monday, July 15, 2002 8:54 PM
IEEE Standards
71
the medium is free. As we note soon, the duration of the DIFS depends on the signaling method used. A second type of interframe space is referred to as a short IFS (SIFS). The SIFS represents the minimum waiting time for a station that responds to a control packet. As previously noted, the 802.11 specification defines such control packets as ACK (Acknowledgment), RTS (Request To Send), and CTS (Clear To Send). The use of RTS and CTS frames is optional and is disabled by default. You would enable their use as a mechanism to overcome hidden station interference. Although all 802.11 receivers within a BSS must be configured to support RTS and CTS frames, transmitter support is optional. The third interframe space 802.11 LANs support is the point coordination function IFS (PIFS). The PIFS represents an intermediate time delay that an optional point coordination function (PCF) method of media access uses. Under PCF, an access point is configured as a point coordinator and becomes responsible for assigning priority to each station in a frame. Although vendors had not yet implemented the PCF option when this book was prepared, it represents a valuable mechanism for supporting time-sensitive applications, such as Voice-over-IP and multimedia transmission, because it prioritizes traffic.
DCF Operation Under DCF, two interframe spaces are used to adjust media access. For transmissions other than ACK frames, a station must wait at least one DCF interframe space (DIFS) prior to transmitting data. If a station with data to transmit senses that the medium is busy, it will select a random backoff period by setting its internal timer to an integer number of slot times. The slot time represents the sum of the time required to perform several functions, such as carrier sensing, transceiver turnaround, and MAC processing, as well as signal propagation. The duration of the slot time depends on the signaling method used. Under FHSS, the slot time is 20 µs, while under DSSS the slot time is 50 µs. Once the medium is available a station will wait for the DIFS interval to expire and then decrement its timer. If the timer reaches zero, the station listens to the medium and, if it is still not in use, transmit. However, if the medium is seized by another station prior to the timer’s being decremented to zero, the value of the timer is frozen at the decremented value for a subsequent transmission attempt. Because ACKs have a higher priority than other traffic stations, you should wait one short interframe space (SIFS) after the receipt of a data packet prior to sending an ACK. The device receiving a MAC data frame that wishes to respond with an ACK listens to the medium and, after the SIFS duration, can transmit an ACK if the medium is available. If not, the station that needs to transmit the ACK will select a random backoff period by setting its internal timer to an integer number of slot times. Exhibit 19 illustrates the relationship between the DIFS, SIFS, the transmission of a data frame, and its acknowledgments. Note that the period of time
AU1271Ch03Frame Page 72 Monday, July 15, 2002 8:54 PM
72
Building the Wireless Office
DIFS Data
Source
SIFS ACK
Destination
DIFS Deferred Access Time
Exhibit 19. The Relationship between DCF Delay Times and the Transmission of a Data Frame and Its Acknowledgment
from the initial transmission of the data frame through the DIFS following the ACK represents a deferred access period of time. Also note that this version of CSMA/CA is referred to as physical carrier sense as it relies on the fact that stations can hear each other. Because it is possible for a station to be hidden via an obstruction from other stations, it is also possible that another station can listen; not hearing an in-progress transmission transmit data, one or more stations can hear two transmissions, resulting in interference at those stations. This represents the previously described hidden node problem, which is solved by the use of RTS and CTS frames. This optional method of media access is technically referred to as virtual carrier sense. Under virtual carrier sense, a station that needs to transmit data sends an RTS frame to an access point with a value in its Duration field that indicates the time it is requesting for the medium to be reserved for subsequent transmission. As we note when we review the format of the RTS and CTS frames, the access point responds to the RTS with a CTS frame, which indicates the period of time for which the medium is reserved for use.
PCF Operation In concluding this chapter we briefly discuss the operation of the point coordination function (PCF) method of media access control. Although no products were supporting this option when this book was prepared, its ability to prioritize traffic makes it suitable for supporting Voice-over-IP via wireless communications as well as multimedia applications. Under PCF, DCF access is suppressed for short periods of time. During this suppression period, a contention-free (CF) poll occurs to a station. The station responds with a CF ACK. Assuming the selected station has data to receive, the access point issues a CF poll followed by a data packet (CF poll + data). The receiving station then responds with a CF ACK. Next, the access point issues a CF poll to solicit a response from the selected station. The station responds with a CF data + ACK. The access point then terminates the polling with a CF End. Exhibit 20 illustrates an example of the operation of PCF. Note that the PCF operation only occurs during the repeating contention-free periods.
AU1271Ch03Frame Page 73 Monday, July 15, 2002 8:54 PM
73
IEEE Standards
Access Point Beacons
ContentionFree Period
From AP From Station CF Poll CF ACK CF Poll + Data CF ACK CF Poll CF Data + ACK CF End
Exhibit 20.
Point Coordination Function Operations during Contention-Free Periods
AU1271Ch03Frame Page 74 Monday, July 15, 2002 8:54 PM
AU1271Ch04Frame Page 75 Monday, July 15, 2002 8:54 PM
Chapter 4
Basic Wireless LAN Operations The objective of this chapter is to examine how to set up a wireless LAN. We focus on three key items: hardware, software, and equipment location. Because you can set up two types of wireless LANs — ad hoc and infrastructure — we examine each separately. As most home and office users of wireless LANs more than likely use an infrastructure topology based on the use of an access point, the primary focus in this chapter is on the latter. However, because the use of an ad hoc network under certain circumstances permits you to share Internet access without the need for an access point, we note that, to paraphrase Mark Twain, “the demise of ad hoc networking is exaggerated.”
Ad Hoc Networking Ad hoc networking represents a peer-to-peer networking environment where all stations represent wireless clients. In its most basic use, an ad hoc network enables two PCs with wireless LAN adapter cards to communicate with one another. On a more sophisticated level, you could use an ad hoc network structure in conjunction with Microsoft software available on Windows 98 and later Windows versions to share a common Internet connection. In this section we examine simple file and folder sharing as well as Internet connection sharing. However, prior to doing so, we need to look at the setup of your network adapter cards so that they will operate in an ad hoc networking environment.
75
AU1271Ch04Frame Page 76 Monday, July 15, 2002 8:54 PM
76
Exhibit 1.
Building the Wireless Office
The Link Info Tab on the Wireless LAN Configuration Utility Program
Adapter Card Setup In working with several vendor products it became apparent that a user could spend literally hours investigating the setup of an ad hoc environment, which should actually be a relatively easy task. Thus, in this section I share some of my findings in the hope that they not only permit you to easily configure your wireless network adapters for ad hoc networking, but also save you the effort involved in looking for certain information that may be difficult to locate. Exhibit 1 illustrates the Link Info tab on the wireless LAN Configuration Utility program bundled with an SMC Network wireless PC network adapter. Note that the adapter is in a scanning state currently set to channel 11. This adapter was previously configured for operation in an infrastructure mode as it was used in a notebook computer to access the Internet via an SMC Network Barricade Broadband router connected to my cable modem. Because I turned off the Barricade, which functions as an access point and router, no link quality or signal strength information was observed. To configure the wireless LAN adapter card for peer-to-peer networking, when working with the SMC utility program select the Configuration tab.
AU1271Ch04Frame Page 77 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
77
Exhibit 2. The Configuration Tab of the SMC Networks Wireless LAN Configuration Utility Program
Configuring a Wireless Network Adapter Configuring a wireless LAN adapter for peer-to-peer networking should require a few quick changes to factory default settings. Unfortunately, as we soon note, a reboot is also warranted or you might stare at your screen for a long time. Exhibit 2 illustrates the Configuration tab of the wireless LAN Configuration Utility program in the foreground of the screen. Note that the mode is set to “Ad Hoc.” Another ad hoc setting exists, and the next section describes both settings.
Ad Hoc Settings The two ad hoc settings are Ad Hoc and 802.11 Ad Hoc. The first setting (Ad Hoc) should be used when you are using wireless network adapter cards manufactured by the same vendor. The second setting (802.11 Ad Hoc) should be used when you want to communicate in a peer-to-peer networking environment using wireless LAN network adapter cards produced by different
AU1271Ch04Frame Page 78 Monday, July 15, 2002 8:54 PM
78
Building the Wireless Office
vendors. Of course, the third mode is infrastructure, which should only be used when you want to access an access point. The SSID (service set ID) represents a network name and provides a sort of public password, as it is transmitted in the clear. In an infrastructure environment, the SSID would be set to the network name assigned to the access point. However, the SSID can also be set to a blank or “ANY,” with the latter shown in Exhibit 2. For peer-to-peer networking to work, you need to set the SSID to a common value of either a blank or ANY on both machines.
TxRate Continuing our tour of the potential configuration settings in Exhibit 2, the TxRate setting can be used to set an IEEE 802.11b wireless card to a specific operating rate, or you can use the “Fully Automatic” setting. The latter permits the automatic selection of an appropriate transmit data rate based on the strength of the receiver signal and its signal quality. When configuring stations for peer-to-peer networking, it is probably best to set the TxRate to Fully Automatic instead of a specific rate.
WEP The WEP (Wired Equivalent Privacy) key that controls security via encryption is shown disabled. While we discuss WEP in detail in Chapter 6, for now it is important to note that if you enable WEP, you need to use the Encryption tab to ensure that the WEP key is the same for each station in the ad hoc network.
PS Mode The PS Mode setting governs whether or not power sharing is enabled. This setting conserves power when you use a notebook operating on battery power, but it has absolutely nothing to do with establishing a peer-to-peer communications session.
Channel The last setting in the Configuration tab shown in Exhibit 2 concerns the channel to use. You should ensure that each member of the ad hoc network is set to use the same channel, which is in the process of being reset from 6 to 4 in Exhibit 2. Once you have two wireless network adapter cards correctly configured for ad hoc networking, you will note that the icon typically generated by most vendor manufacturers’ utility programs turns from red to green to indicate you have an “over-the-air” connection. If you still have the wireless LAN Configuration Utility program displayed, you may also note that in the Link Information tab the “State” box indicates a basic service set ID (BSSID) value
AU1271Ch04Frame Page 79 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
Exhibit 3.
79
Operating on Channel 4 with BSSID Value Set to All Zeros
of hex 00:00:00:00:00:00. This setting indicates that the network adapter card operating in the computer running the utility program hears the other member of the ad hoc network on channel 4. However, because an access point periodically broadcasts beacon frames that contain the SSID of that device, which I turned off, the utility program displays a BSSID value of all zeros. As a refresher, the BSSID represents the MAC address of the access point a station hears when in an infrastructure mode. When the network adapter is in an ad hoc mode, it does not hear beacons that contain the source address of the access point, resulting in the display of the BSSID of all zeros (see Exhibit 3). Because I have five notebook computers and attempted peer-to-peer networking with a variety of products, I noted some interesting items that warrant sharing. First, some wireless network adapter cards were able to be reset from infrastructure to ad hoc on an appropriate channel setting and, within 30 seconds of clicking on an Apply button, recognized another adapter card in ad hoc mode. Second, after I clicked the Apply button, other adapter cards required me to reboot the platform for the computer and the wireless adapter to respond to the new settings. Now that we know how we would configure utility programs that accompany most vendor wireless LAN network adapter cards, let’s turn our attention to the software on your computers that also requires a bit of configuration.
AU1271Ch04Frame Page 80 Monday, July 15, 2002 8:54 PM
80
Building the Wireless Office
Exhibit 4. Verifying the Installation of a Network Adapter and Controlling Access to Shared Resources
Network Software While peer-to-peer networking in a wireless LAN environment requires the correct configuration of wireless clients, by itself that is not sufficient to transfer information between computers. In a Windows operating system environment, you also need to configure the operating system to support file and print sharing. In this section we examine how this can be accomplished as well as discuss how you can verify that your wireless network adapter was correctly installed.
Enabling File and Print Sharing In a Windows 95/98 environment, right-click on Network Neighborhood, which results in a pop-up menu appearing similar to the one shown in Exhibit 4. Then select the last entry in the menu, which is labeled Properties. This action results in the display of a dialog box labeled “Network” that contains three tabs: Configuration, Identification, and Access Control. The Network dialog box is shown with its Configuration tab in the foreground. Note that the window in the dialog box lists the network components previously installed on your computer. If you have a number of installed network components, you may need to use the scrollbar to the right of the window to reach the applicable entry for your wireless LAN network adapter card. If the adapter card appears in the window, this will indicate that it was properly
AU1271Ch04Frame Page 81 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
81
detected and its software drivers were installed. If you do not notice your wireless LAN adapter listed in the window, you will need to reinstall it. However, prior to doing so, you should check the vendor’s Web site to ensure you have the latest drivers for your version of Windows. Once you verify that your wireless network adapter card is installed, you need to ensure that, as a minimum, either the client for Microsoft Networks or the client for Netware Networks is installed. You will also need NetBEUI, IPX/SPX-compatible protocol, or the TCP/IP protocol suite. If you scroll farther down the window, you may notice the entry “Service: File and Printer Sharing for Microsoft Networks.” If this entry is not found, it means that you have not enabled file and/or printer sharing. To do so, click on the button labeled File and Print Sharing shown in the left portion of Exhibit 5. This action results in the display of the dialog box shown in the right portion of Exhibit 5. Then click on the appropriate checkboxes and the OK button. After this action, the entry “Service: File and Printer Sharing for Microsoft Networks” should appear in the window in the Configuration tab of the Network dialog box.
Assigning Identifiers Being able to recognize a computer on a network requires the assignment of a name and workgroup to your system. To accomplish this task, first click on the Identification tab in the Network dialog box. Exhibit 6 shows the display of the Identification tab of the Network dialog box on a Windows 98-based notebook. Note that this tab provides the ability to enter a computer name, workgroup name, and description. The computer name must be unique for each computer on the network and should be no more than 15 characters in length. For a small network environment, consider using a common workgroup name, which will allow all computers to be visible in the same workgroup when browsing. Once you change a setting in the Identification tab, you will be prompted to restart your computer. For illustrative purposes, I will change the workgroup name to GILSWORKGROUP and the computer name to Compaq. Once this is accomplished, I will defer rebooting until I define the devices, drives, and folders that should be shared. Thus, another step in the implementation of ad hoc networking is to define the resources you wish to share.
Sharing Network Resources Although we previously enabled file and print sharing, we need to specify what resources we want to share. To do so, first double-click on the My Computer icon to display the drives your computer recognizes as well as folders for the Control Panel, Printers, and Dial-Up Networking. Then select a drive, folder, or printer that you want to share with the members of your workgroup that reside on the network by right-clicking on the item you wish to share. Then click on the sharing item on the pop-up menu.
AU1271Ch04Frame Page 82 Monday, July 15, 2002 8:54 PM
Network Dialog Box and Its File and Print Sharing Option
Building the Wireless Office
Exhibit 5.
82
AU1271Ch04Frame Page 83 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
Exhibit 6.
83
The Identification Tab in the Network Dialog Box
Exhibit 7 illustrates sharing via the use of one of my notebook computers. In this example, after selecting the C drive and right-clicking, I selected the Properties entry from the pop-up menu, resulting in the dialog box being displayed. Note that the Sharing tab is positioned in the foreground and we are in the process of sharing the contents of drive C. You can modify the default access permission. You can also establish a password that can be used to control access to read-only shares. However, because Windows 98 as well as its close relatives Windows 95 and Windows ME do not use the NT file system (NTFS), more sophisticated file sharing is not possible. If you are using a different version of Windows, such as Windows 2000 or Windows XP, the procedures previously discussed will slightly differ. For example, you access the Network and Dial-Up Connections dialog box either via the Start menu or from the Control Panel and simply view the wireless LAN connection icon to verify its installation. If the wireless LAN network adapter is not functioning correctly under Windows XP, a red-colored line will appear through the icon to indicate this fact. If the icon appears normal, rightclick on it to display a pop-up menu whose last entry is Properties. Selecting
AU1271Ch04Frame Page 84 Monday, July 15, 2002 8:54 PM
84
Exhibit 7.
Building the Wireless Office
Permitting Folders and Drives to Be Shared
that entry results in the display of a dialog box for the selected network adapter that indicates the components to be used for the connection. Similar to our earlier discussion concerning Windows 95/98, you want to ensure that the applicable protocols are installed and the File and Print Sharing for Microsoft Network is displayed in the window in the dialog box. If not, you will need to install the applicable protocol(s) and File and Printer Sharing for Microsoft Networks. Once this is accomplished, you can implement the sharing of drives, folders, or printers in several ways. For example, open Windows Explorer and then locate the folder or drive you want to share; then rightclick to bring up a pop-up menu whose last entry is the well-known Properties label in the menu. Exhibit 8 illustrates the use of Windows Explorer on a Windows 2000 system to select drive C and the resulting Properties dialog box with its Sharing tab displayed in the foreground. Under Windows 2000 you can set permissions to define which users can access your shared components as well as the type of access — full control, change, and read. A second method to control sharing when using Windows XP or Windows 2000 is through the use of the Computer Management console. As indicated in Exhibit 9, the console contains a Shared Folders entry. Opening this entry lets you use the Action menu to create new file shares or stop an existing share; the latter operation deletes it from view when you open the list of shared folders.
AU1271Ch04Frame Page 85 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
Exhibit 8.
85
Initiating File, Folder, and Drive Sharing Using Windows Explorer
Setting TCP/IP Parameters Although it might appear that we are ready to begin ad hoc networking, we need to consider one more item: setting certain TCP/IP parameters. Because Windows XP represents the latest version of the Microsoft series of Windows operating systems, we turn our attention to this version of the operating system to illustrate not only the setting of appropriate TCP/IP parameters but also where the workgroup and computer names are displayed and where those items are changed. To view or change the computer name and workgroup name under Windows XP, first activate the System Properties dialog box and click on the Computer Name tab. The result of this action is shown in the left portion of Exhibit 10. By clicking on the Change button, you obtain the ability to change the name and membership of the computer. For illustrative purposes, we change the default workgroup of “WORKGROUP” to “GILSWORKGROUP.” Now that we know how to change the computer and workgroup names under Windows XP, let’s look at ensuring ad hoc networking will work. To do so, you need to note that, by default, when you install most wireless LAN network adapter cards, they are set to obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server. Most access points that have a
AU1271Ch04Frame Page 86 Monday, July 15, 2002 8:54 PM
86
Building the Wireless Office
Exhibit 9. The Computer Management Console under Windows 2000 and Windows XP
routing capability also function as a DHCP server, permitting wireless stations to obtain a leased IP address when the station adapter is in the infrastructure mode of operation. However, when the adapter is placed in the ad hoc mode of operation, Windows will not inform you that you need to assign an IP address to your station. Thus, you might stare at your computer and observe that while the utility programs display a green light indicating RF communications between peers is occurring, you cannot implement peer-to-peer communications. The solution to this problem is correctly configuring TCP/IP. On a Windows XP computer, double-click on the network icon in the Control Panel to display your wireless connection icon. Right-clicking on that icon and selecting Properties from the pop-up menu result in the display of a dialog box similar to the one shown in the left portion of Exhibit 11. In examining the left portion of Exhibit 11, note that we installed File and Printer Sharing for Microsoft Networks. To set the IP address on the computer, first select Internet Protocol (TCP/IP) and then click on the button labeled Properties. When you click on the Properties button, a dialog box similar to the one shown in the right portion of Exhibit 11 is displayed. By default, the button to the left of the label “Obtain an IP address automatically” will be activated. To set a static IP address, you need to click on the button to the left of the label “Use the following IP address” and then enter an IP address and subnet mask. For peer-to-peer networking purposes, you can enter any IP address as long as you use a correct subnet mask. Because you will be communicating between peers, you do not need to specify a DNS server address.
AU1271Ch04Frame Page 87 Monday, July 15, 2002 8:54 PM
Changing the Workgroup Name on a Windows XP-Based Computer
87
Exhibit 10.
Basic Wireless LAN Operations
AU1271Ch04Frame Page 88 Monday, July 15, 2002 8:54 PM
The Local Area Connection Properties Dialog Box
Building the Wireless Office
Exhibit 11.
88
AU1271Ch04Frame Page 89 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
89
While you might be tempted to believe we have finally arrived at the point to implement peer-to-peer networking, if you are using Windows XP you need to make one more change. You need to click on the Authentication tab shown in the left portion of Exhibit 11. When you do so, you will note a box checked by default to enable 802.1x authentication, a security technique described in Chapter 6. Leaving this box checked will make the operating system attempt to authenticate the peer-to-peer user, an impossibility because you are not accessing an infrastructure with an authentication server on a wired connection to an access point. Thus, unless you remove the checkmark, your peer-to-peer networking will not work. Now that we have everything in order, it is highly recommended that you reboot both computers to include the XP machine that does not tell you it needs to be rebooted. After rebooting both computers, you can go to Network Neighborhood on one computer and be able to view your other computer in the peer-to-peer network. Double-clicking on the name of the other computer allows you to explore its shares and provides you with the peer-to-peer networking capability you seek.
The Proof Is in the Pudding A favorite expression of one of my professors was “the proof of the pudding is in the eating.” To illustrate the fact that we can use two computers in a wireless ad hoc networking environment based on the previously noted hardware and software settings, we will examine a series of three screen images that literally provides the proof of the pudding. Working on my Compaq notebook, we will use the Network Neighborhood capability to view the contents of the C drive on the Toshiba notebook. Exhibit 12 illustrates the initial display of the entire network that occurred when the Network Neighborhood icon was double-clicked. Note that we see the group name GILSWORKGROUP. Exhibit 13 illustrates the Network Neighborhood view on my Compaq computer. Note that in addition to the Entire Network entry, the names of the computers in the network are shown. The last entry is “Toshiba-user,” which represents the Toshiba notebook the Compaq computer “hears” via peer-topeer networking through the establishment of an ad hoc network between the two computers. Continuing our adventure in exploring peer-to-peer networking, let’s “open” the Toshiba computer by clicking on its computer name shown in Exhibit 13. After we perform that operation, we view the shared C drive. However, to illustrate a bit more information, let’s select a folder on drive C. Exhibit 14 illustrates the display of the contents of the Lotus folder on the Toshiba computer as viewed from my Compaq computer. The Address area in the display in Exhibit 14 contains the address \\Toshiba-user\c\lotus. The dual backward slashes represent a prefix for a computer name. Thus, this address tells us that we are viewing the Lotus directory on drive C on the computer
AU1271Ch04Frame Page 90 Monday, July 15, 2002 8:54 PM
90
Exhibit 12.
Building the Wireless Office
Showing the Workgroup that Was Created
Toshiba-user. To paraphrase my old professor, we have enjoyed viewing the pudding. Now that we understand how ad hoc networking can be established, we may be curious as to what we can do with this feature beyond sharing drives, folders, and files. Once ad hoc networking is established, we have linkage between PCs at the physical layer; however, we need to perform the previously mentioned configuration changes to obtain a data link connection. Once that occurs, we can use the Microsoft Internet Connection Sharing (ICS) feature included in most versions of Windows to share a common Internet connection. Because this can save the home or small business user a considerable monthly Internet connection fee, let’s turn our attention to this feature.
Internet Connection Sharing While it is quite common to encounter “wireless kits” consisting of an access point and one or more wireless network adapter cards bundled together, many home and small business owners may not need the access point. Under
AU1271Ch04Frame Page 91 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
Exhibit 13.
91
Viewing the Network Neighborhood on the Compaq Notebook
Windows 98 Second Edition and later Windows versions, one computer can share its existing Internet connection with another through the Internet Connection Sharing software that is now part of modern versions of Windows. To use the Internet Connection Sharing feature of Windows, you need to first correctly install wireless LAN network adapters in each computer and then set applicable drives and folders for sharing. Then you need to install and configure Internet Connection Sharing.
Installation The installation of Internet Connection Sharing can be accomplished by selecting Add/Remove Programs from the Control Panel. Once the Add/ Remove Programs Properties dialog box is opened, select the Windows Setup tab as illustrated in the left portion of Exhibit 15. Then click on the Details button to obtain the ability to select Internet Connection Sharing. Clicking on the Details button results in the display of the Internet Tools dialog box, shown in the right portion of Exhibit 15. Once you select Internet Connection
AU1271Ch04Frame Page 92 Monday, July 15, 2002 8:54 PM
92
Building the Wireless Office
Exhibit 14. Viewing the Lotus Directory on a Toshiba Computer from a Compaq Computer via a Peer-to-Peer Wireless Connection
Sharing and click on the OK button, click on the Apply button located in the lower right corner of the Add/Remove Programs Properties dialog box. Depending on the version of Windows you are using, you may need to restart your computer.
Configuration Once you install Internet Connection Sharing, you need to configure this feature. To do so, select the Internet Options icon in the Control Panel. Once the Internet Options dialog box is displayed, select the Connections tab and select the LAN connection button. An Internet Connection Wizard will permit you to select an applicable adapter for sharing your Internet connection and prompt you for a disk to write configuration software for use by the browser on the sharing computer. The Internet Connection Sharing Wizard will also set the IP address of the connection-sharing computer to 192.168.0.1. The
AU1271Ch04Frame Page 93 Monday, July 15, 2002 8:54 PM
Installing Internet Connection Sharing
93
Exhibit 15.
Basic Wireless LAN Operations
AU1271Ch04Frame Page 94 Monday, July 15, 2002 8:54 PM
94
Building the Wireless Office
other computer on your shared network can then be set to any IP address in the range 192.168.0.2 to 192.168.0.253.
Infrastructure Operations In this section we review the steps in creating a wireless LAN infrastructure. In doing so, we examine the setup of a typical combined router and access point as well as illustrate the applicable settings required to use a wireless network adapter card from a different vendor. For illustrative purposes, we examine the configuration of a Netgear model MR314 cable/DSL modem wireless router. The Netgear MR314 wireless router includes a four-port Ethernet 10/100 Mbps bulletin switch, which enables a user to connect the router to both a wired and wireless infrastructure. A separate 10/100 Mbps Ethernet port provides a connection to a cable/DSL modem. The Netgear wireless router uses a block of RFC 1918 Class addresses. Those addresses are dynamically issued to both wired and wireless clients. Such addresses are issued to clients through a built-in Dynamic Host Configuration Protocol (DHCP). Although we examine the TCP/IP protocol suite in Chapter 5, we can note that through a network address translation (NAT) capability, the Netgear router can use a single IP address assigned to your cable or DSL connection to support up to 253 additional devices. For those of us not conversant in IP addressing, a Class C address has 256 host values. However, values 0 and 255 cannot be used, because a value of 0 means “this network” and a value of 255 represents a broadcast address. While this would normally result in 254 (256 – 2) unique host addresses being available, the router uses one address, resulting in 253 being available for assignment to both wired and wireless clients, and places a cap on the number of clients that can be supported. While this is probably more than sufficient for most small and many medium-sized organizations, larger organizations will probably require multiple Internet connections and the use of multiple routers.
Wireless Router Configuration Once you connect your Netgear router to your cable or DSL connection and turn on the router, you will need to configure the device. While we defer a detailed examination of wireless router configuration methods until we review TCP/IP in Chapter 5 and security in Chapter 6, we examine enough basic information in this section to enable us to get the device up and running as well as use it via wireless access from a wireless station using a network adapter card manufactured by a different vendor. To illustrate the configuration of the Netgear MR314 wireless router, I unplugged my IBM NetVista PC that was initially cabled to a cable modem and plugged the computer into a port on the Netgear wireless router. Then it became necessary to configure the PC to access the wireless router.
AU1271Ch04Frame Page 95 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
95
Access the Router Because the Netgear wireless router is preconfigured with the IP address 192.168.0.1, you can use any address in the Class C address block from 192.168.0.2 to 192.168.0.253 for a PC IP address. For this example, the IP address of 192.168.0.2 was used.
Configuring a PC IP Address Exhibit 16 illustrates the configuration of the IP address of 192.168.0.2 on my PC that was directly cabled to the Netgear wireless router. Note that the left portion of Exhibit 16 shows the selection of the Configuration tab in the foreground, with the integrated 10/100 Ethernet controller highlighted. If you were attempting to configure the router via a wireless connection, you would highlight the wireless Ethernet adapter.
Configuring the DNS Once you configure the IP address for the PC, you need to configure the applicable settings for the Domain Name Service (DNS) Configuration tab shown in the TCP/IP Properties dialog box located in the right portion of Exhibit 16. Exhibit 17 illustrates the DNS Configuration screen I employed to use my IBM PC that was wired to the Netgear wireless router. The host name, which is shown as cx831839-a, was assigned by my Internet service provider (ISP). Because the router automatically learns the domain name, it was left blank. Similarly, because the Netgear wireless router is preconfigured to use the RFC1918 Class C address 198.168.0.1, that address was entered as the DNS Server address because the wireless router provides an address translation between the ISP’s facilities and wired and wireless clients behind the router.
Gateway Configuration The last setting we need to be concerned about for the PC to talk to the Netgear router as well as to be able to access the Internet is one used to define the IP address of the gateway. The term “gateway” represents an old name for a device that routes data from one network to another. Although the more modern term for this device is the “router,” some things never change and the term “gateway” is still used as a carryover from the use of first-generation products that routed data. In any event, the gateway or router we are working with is the Netgear wireless router whose IP address is 192.168.0.1. Thus, we define that IP address in the Gateway tab in the TCP/IP Properties dialog box. Exhibit 18 illustrates the assignment of the IP address 192.168.0.1 for the gateway. Once this is accomplished, depending on the version of Windows you are using, you may need to reboot your computer for the address and host name assignments to take effect.
AU1271Ch04Frame Page 96 Monday, July 15, 2002 8:54 PM
Configuring an IP Address to Access the Netgear Wireless Router
Building the Wireless Office
Exhibit 16.
96
AU1271Ch04Frame Page 97 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
Exhibit 17.
97
Configuring DNS Settings
Using Your Browser To configure the Netgear router, you need to use a browser such as Microsoft Internet Explorer. Enter the address of the browser as http://192.168.0.0 to connect to the router. Upon connection to the router, you will be prompted to enter your user name and password, as illustrated in Exhibit 19.
Accessing the Configuration Setup Utility Netgear is similar to other wireless equipment manufacturers in that it assigns default values to its wireless router for administrative purposes. The default user name is “admin” while the default password is “1234.” The “Realm” of “MR314” defines that we are working with a Netgear router. Thus, it is a relatively simple task for a person with a wireless network card installed in a notebook to locate the address of a router and use prior knowledge of default settings to gain access to the Netgear wireless router. The reason this is a relatively simple process results from the fact that most vendors’ wireless access point and wireless router manuals are available via the Internet. Such manuals indicate many default device settings, such as the IP address of the device and its password. Using such information, it is a rather simple process for an unauthorized third party to locate and break into the configuration
AU1271Ch04Frame Page 98 Monday, July 15, 2002 8:54 PM
98
Building the Wireless Office
Exhibit 18.
Assigning the IP Address of the Netgear Router as the Gateway Address
Exhibit 19.
Netgear Wireless Router’s Configuration Setup Is Password-Protected
AU1271Ch04Frame Page 99 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
99
facility of the device. Due to this, one of the first things you should do after you set up the wireless router is to change the login default values. Once you enter the applicable user name and password, the Netgear router configuration utility screen window will appear in your browser’s page display area. Exhibit 20 illustrates this display. In examining Exhibit 20, note that we entered the IP address of 192.168.0.1 to access the router. Also note that the Netgear router configuration utility supports three options. Those options, which are listed along the left side of Exhibit 20, include a “WIZARD SETUP,” “ADVANCED,” and “MAINTENANCE” options. Because this section focuses on installing an infrastructure wireless LAN, we use the “WIZARD SETUP” option. However, you would and should use the “ADVANCED” option to change the password for the router. Later in this book we examine the use of the “ADVANCED” and “MAINTENANCE” options when we focus on interoperability in Chapter 7.
Using the Setup Wizard While in many instances you may be able to make a connection to the Netgear wireless router with some effort such as reading its 109-page manual included on a CD provided with the router, a few simple entries in the wizard can suffice for those interested in a fast setup who will attack advanced settings later in the day.
System Name Assignment Exhibit 21 illustrates the first utility screen display generated by the Netgear wizard. Note that this screen prompts you to enter the system name your ISP assigned to your account. You can locate your system or host name by opening the Network dialog box on your PC (the one originally connected to your cable or DSL modem connection) and selecting the Identification tag in the dialog box. Then enter that name into the System Name bar, as illustrated in Exhibit 21.
Wireless LAN Setup Parameters The second page of the Netgear wizard requires you to review and possibly reset information concerning wireless LAN setup parameters. Exhibit 22 illustrates the display of the second page generated by the Netgear wizard. Note that, by default, the router sets the extended service set ID (ESSID) to “Wireless.” This ESSID represents the SSID that other wireless stations use as a password to gain access to the router. If your wireless stations have network adapters produced by different vendors, you need to change the router’s ESSID value to the value your network adapter cards use, or vice versa. However, because “Wireless” represents a well-known default value, you should consider changing the ESSID from that value to one you make
AU1271Ch04Frame Page 100 Monday, July 15, 2002 8:54 PM
The Netgear Router Configuration Utility
Building the Wireless Office
Exhibit 20.
100
AU1271Ch04Frame Page 101 Monday, July 15, 2002 8:54 PM
First Page of the Netgear Wizard
101
Exhibit 21.
Basic Wireless LAN Operations
AU1271Ch04Frame Page 102 Monday, July 15, 2002 8:54 PM
Changing the Default ESSID and Channel Settings
Building the Wireless Office
Exhibit 22.
102
AU1271Ch04Frame Page 103 Monday, July 15, 2002 8:54 PM
Basic Wireless LAN Operations
103
up. By default, the Netgear wireless router is set to use channel 1. In Exhibit 22 it is shown reset to channel 6.
Defining the Wired Connection Continuing our examination of the use of the Netgear MR314 wireless router setup wizard, Exhibit 23 illustrates the third page the wizard program displays. This page lets you define the type of connection your ISP provides. In Exhibit 23 the connection method is labeled “Encapsulation” and is set for “Ethernet.” Other encapsulation methods the Netgear MR314 wireless router supports include Point-to-Point Protocol (PPP) over Ethernet and the Pointto-Point Tunneling Protocol (PPTP). The “Service Type” field shown as the second ISP parameter in Exhibit 23 defines the service provider used. If your service provider is Road Runner and you are required to run a Road Runner login program, set the “Service Type” to either RR-Toshiba or RR-Manager. (Select RR-Toshiba if using a Toshiba cable modem; otherwise select RRManager.) For either “RR” selection, you are then able to specify the user name and password your ISP provided. If Road Runner provided an authentication server address, enter it for the “Login Server IP” address. However, if you do not use Road Runner, life is a bit simpler and you simply set the “Service Type” value to “Standard.”
Defining Address Assignments The last screen the Netgear wizard displays concerns the WAN IP, DNS, and MAC address assignments. Exhibit 24 illustrates this screen. For most ISP customers, you will use the router default values, which are shown set in Exhibit 24. Those values assume that the ISP provides you with IP and DNS addresses that can change. Thus, you would select the “Get automatically from ISP” setting for the WAN IP and DNS Server address assignments. If your ISP assigned a fixed IP address to your Internet connection, you would then select the “Use Fixed IP address” and “DNS IP Fixed Address” buttons and enter the appropriate addresses for each entry. The last entry in Exhibit 24, “WAN MAC address,” should only be reset from the factory default if your ISP allows access by one specific Ethernet media access control (MAC) address. If this occurs, you would then click on the radio button to the left of “Spoof this PC’s MAC address.” Once the settings on the screen shown in Exhibit 24 are set, scroll down to select a button labeled “Next” that generates a screen telling you that if you made changes to the ESSID, you need to make the same changes to your wireless PC card configurations after you click on the Finish button. In actuality, as we shortly note, the display that informs you to reset the ESSID on your PC network adapter cards, while true, is a bit misleading. To prove this, click on the Finish button and access the Netgear wireless router using an SMC Network wireless network adapter card.
AU1271Ch04Frame Page 104 Monday, July 15, 2002 8:54 PM
ISP Parameters for Internet Access Screen
Building the Wireless Office
Exhibit 23.
104
AU1271Ch04Frame Page 105 Monday, July 15, 2002 8:54 PM
Accepting Default Values for the WAN IP and DNS Server Address Assignments
105
Exhibit 24.
Basic Wireless LAN Operations
AU1271Ch04Frame Page 106 Monday, July 15, 2002 8:54 PM
106
Building the Wireless Office
Internet Access via the Router Exhibit 25 illustrates the use of my Compaq Presario notebook computer using an SMC Networks EZ Connect wireless network adapter card to access the Internet via a Netgear MR314 wireless router. In examining Exhibit 25, note that the browser displays the Yahoo! main Web page in the background, while the utility program bundled with the SMC Networks wireless network card is shown in the foreground of the display. In examining the Configuration tab settings, note that the value of the SSID is set to “ANY.” This represents an exception to the previously mentioned Netgear router wizard screen that informs users to set the configuration for their wireless cards to match the Netgear default of “Wireless” or the value it was changed to. The reason “ANY” works is because that setting, along with a blank setting, functions as a mechanism that allows an access point and wireless network adapter card to communicate with one another regardless of the SSID setting on the other device. As a famous radio announcer would say, “Now you know the rest of the story.” In examining Exhibit 25, note that the mode on the Configuration tab is set to “Infrastructure” because we are accessing an access point. Also note that Wired Equivalent Privacy (WEP), which represents the security scheme associated with wireless LANs, is disabled. Because the purpose of this chapter is to introduce you to peer-to-peer and infrastructure operations, we are not concerned about security although it is an extremely important consideration. Chapter 6 focuses on security, providing a foundation for examining interoperability among different vendor equipment in Chapter 7 to include various security aspects. Thus, while here we examine the basic settings required to become operational “over the air,” it is important to note that we are literally doing so “naked” until we turn on WEP.
Site Selection In concluding this chapter we briefly discuss one additional topic that deserves consideration: site selection for an access point or wireless router. For home users the site selection process is relatively easy, as you would normally install your wireless router within close proximity of your cable or DSL modem connection. In an office environment, the site selection process can be a bit more involved because there are more metallic objects in an office environment and other surfaces that that can reflect radio waves, resulting in a higher degree of multipath reflections. Fortunately, most wireless LAN network adapter cards include a utility program that monitors and displays link quality and signal strength. You can use a notebook with a wireless network adapter card to move around an office, noting the link quality and signal strength of the access point or wireless router at different locations within a building. Then, if necessary, you could consider moving the access point or router if you need to enhance the quality of the received signal at one or more locations where you anticipate locating wireless stations.
Basic Wireless LAN Operations
Exhibit 25. Accessing the Internet via a Notebook Computer Using an SMC Networks Wireless Network Adapter Communicating with a Netgear Wireless Router
AU1271Ch04Frame Page 107 Monday, July 15, 2002 8:54 PM
107
AU1271Ch04Frame Page 108 Monday, July 15, 2002 8:54 PM
AU1271Ch05Frame Page 109 Monday, July 15, 2002 8:52 PM
Chapter 5
TCP/IP Protocol Suite The rationale for the inclusion of a chapter covering basic TCP/IP information in a book covering wireless LANs results from the need to understand the configuration and security settings of many wireless products. Because most wireless LAN products are used in a TCP/IP communications environment, the information presented in this chapter should be beneficial to readers. The first sections of this chapter cover the Internet Protocol, IP addressing, and the role of the Address Resolution Protocol (ARP) and the Internet Message Control Protocol (ICMP). Then we literally go up the protocol suite one layer and examine the two key transport protocols supported by the protocol suite: TCP and UDP. In concluding this chapter, we examine the operation of the Domain Name Service (DNS) and several built-in diagnostic tools included in most TCP/IP protocol suites.
The Internet Protocol The Internet Protocol (IP) represents the network layer of the TCP/IP protocol suite. IP was developed as a mechanism to interconnect packet-switched TCP/ IP-based networks to form an internet. Here, the term “internet” with a lowercase “i” is used to represent the connection of two or more TCP/IPbased networks.
Datagrams and Segments The Internet Protocol transmits blocks of data referred to as datagrams. IP receives upper layer protocol data containing either a TCP or UDP header, referred to as a TCP segment or UDP datagram. The prefix of an IP header to the TCP segment or UDP datagram results in the formation of an IP
109
AU1271Ch05Frame Page 110 Monday, July 15, 2002 8:52 PM
110
Building the Wireless Office
datagram. This datagram contains a destination IP address used for routing purposes.
Datagrams and Datagram Transmission To alleviate potential confusion between datagrams and an obsolete transmission method referred to as datagram transmission, a few words are in order. When the ARPAnet evolved, two methods of packet transmission were experimented with. One method was referred to as datagram transmission and avoided the use of routers to perform table lookups. Under datagram transmission, each node in a network transmits a received datagram onto all ports other than the port on which the datagram was received. While this technique avoids the need for routing table lookup operations, it can result in duplicate datagrams being received at certain points within a network. This results in the necessity to develop software to discard duplicate datagrams, adding an additional level of complexity to networking. Thus, datagram transmission was soon discarded in favor of the creation of virtual circuits that represent a temporary path established between source and destination. In the remainder of this chapter when we refer to datagram transmission, we are actually referencing the transmission of datagrams via a virtual circuit created between source and destination.
Routing The actual routing of an IP datagram occurs via a best-effort or connectionless delivery mechanism. This is because IP by itself does not establish a session between the source and destination before it transports datagrams. When IP transports a TCP segment, the TCP header results in a connection-oriented session between two layer 4 nodes transported by IP as a layer 3 network protocol. The importance of IP is noted by the fact that routing between networks is based on IP addresses. As we note later in this chapter, the device that routes data between different IP addressed networks is known as a router. Because it would be extremely difficult, if not impossible, to statically configure every router in a large network to know the route to other routers and networks connected to different routers, routing protocols are indispensable to the operation of a dynamic series of interconnected IP networks. This is because such protocols can automatically convey changes in the ability to reach different networks, thus enabling routers to dynamically adjust their routing tables.
The IP Header The current version of the Internet Protocol is version 4, resulting in IP being commonly referred to as IPv4. The next generation of the Internet Protocol is IPv6. In this section we focus on IPv4 because all wireless devices support it.
AU1271Ch05Frame Page 111 Monday, July 15, 2002 8:52 PM
111
TCP/IP Protocol Suite 0
4 Vers
8 HLEN
16
31
Service Type
Identification
Total Length Flags
Time to Live Protocol
Header
Fragment Offset Checksum
Source IP Address Destination IP Address Options + Padding
Exhibit 1.
The IPv4 Header
Exhibit 2.
Assigned Internet Version Numbers
Numbers
Assignment
0 1 through 3 4 5 6 7 8 9 10 through 14 15
Reserved Unassigned IP Streams IPv6 TP/IX P Internet Protocol (PIP) TUBA Unassigned Reserved
Exhibit 1 illustrates the fields contained in the IPv4 header. In examining the IPv4 header illustrated in Exhibit 1, note that the header consists of a minimum of 20 bytes of data, with the width of each field shown with respect to a 32-bit (4-byte) word. To obtain an appreciation for the operation of IP, let us examine the functions of the fields in the header. As we do so, when appropriate we discuss the relation of certain fields to routing and security, topics that are discussed in detail in later chapters.
Vers Field The Vers field is four bits in length and is used to identify the version of the IP used to create an IP datagram. The current version of IP is v4, with the next generation of IP assigned version number 6. The four bits in the Vers field support 16 version numbers. Under RFC 1700, a listing of Internet version numbers can be obtained; a summary of that listing is included in Exhibit 2. In examining Exhibit 2, note that the reason the next-generation Internet Protocol is IPv6 instead of IPv5 is related to the
AU1271Ch05Frame Page 112 Monday, July 15, 2002 8:52 PM
112
Building the Wireless Office
7 R
6
5
4
3
Type of Service
2
1
0
Precedence
Where R represents Reserved Precedence provides 8 levels (0 to 7) with 0 normal and 7 the highest Type of Service (ToS) indicates how the datagram is handled: 0000 Default 0001 Minimize Monetary Cost 0010 Maximize Reliability 0100 Maximize Throughput 1000 Minimize Delay 1111 Maximize Security
Exhibit 3.
The Service Type Field
fact that version 5 was previously assigned to an experimental protocol referred to as the Streams 2 Protocol.
Hlen Field The length of the IP header can vary due to its ability to support options. To allow a receiving device to correctly interpret the contents of the header from the rest of an IP datagram requires the receiving device to know where the header ends. The HLEN field, whose value indicates the length of the header, performs this function. The HLEN field is four bits in length. In examining Exhibit 1, we note that the IP header consists of 20 bytes of fixed information followed by options. Because it is not possible to use a four-bit field to directly indicate the length of a header equal to or exceeding 320 bytes, the value in this field represents the number of 32-bit words in the header. For example, the shortest IP header is 20 bytes, which represent 160 bits. When divided by 32 bits, this results in a value of 160/32, or 5, which is the value set into the HLEN field when the IP header contains 20 bytes and no options.
Service Type Field The Service Type field is an eight-bit field commonly referred to as a Type of Service (TOS) field. The initial development of IP assumed that applications would use this field to indicate the type of routing path they would like. Routers along the path of a datagram would examine the contents of the Service Type byte and attempt to comply with the setting in this field. Exhibit 3 illustrates the format of the Service Type field. This field consists of two subfields: Type of Service and Precedence. The Type of Service subfield consists of bit positions that, when set, indicate how a datagram should be
AU1271Ch05Frame Page 113 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
113
handled. The three bits in the Precedence field allow the transmitting station to indicate to the IP layer the priority for sending a datagram. A value of 000 indicates a normal precedence, while a value of 111 indicates the highest level of precedence and is normally used for network control. The value in the Precedence field is combined with a setting in the Type of Service field to indicate how a datagram should be processed. As indicated in the lower portion of Exhibit 3, six settings are defined for the Type of Service field. To understand how this field would be used, let us assume that an application is transmitting digitized voice that requires minimal routing delays due to the effect of latency on the reconstruction of digitized voice. By setting the Type of Service field to a value of 1000, this would indicate to each router in the path between source and destination network that the datagram was delay-sensitive and its processing by the router should minimize delay. In comparison, because routers are designed to discard packets under periods of congestion, an application in which the ability of packets to reach their destination is of primary importance would set the TOS field to a value of 0010. This setting would denote to routers in the transmission path that the datagram requires maximum reliability. Thus, routers would select other packets for discard prior to discarding a packet with its TOS subfield set to a value of 0010. Although the concept behind including a service-type field was a good idea, from a practical standpoint it is rarely used. The reason for its lack of use is the need for routers supporting this field to construct and maintain multiple routing tables. While this is not a problem for small networks, the creation and support of multiple routing tables can significantly affect the level of performance of routers in a complex network such as the Internet.
Total Length Field The Total Length field indicates the total length of an IP datagram in bytes. This length indicates the length of the IP header to include options followed by a TCP or UDP header or another type of header we shortly discuss, as well as the data that follows that header. The Total Length field is 16 bits in length, resulting in an IP datagram having a maximum defined length of 216, or 65,535 bytes.
Identification and Fragment Offset Fields Unlike some types of clothing where one size fits all, an IP datagram can range up to 65,535 bytes in length. Because some networks only support a transport frame that can carry a small portion of the theoretical maximum length IP datagram, it can become necessary to fragment the datagram for transmission between networks. One example of this would be the routing of a datagram from a Token Ring network to another Token Ring network
AU1271Ch05Frame Page 114 Monday, July 15, 2002 8:52 PM
114
Building the Wireless Office
via an Ethernet network. Token Ring networks that operate at 16 Mbps can transport approximately 18 kilobytes (kB) in their Information field. In comparison, an Ethernet frame has a maximum-length Information field of 1500 bytes. This means that datagrams routed between Token Ring networks via an Ethernet network must be subdivided or fragmented into a maximum length of 1500 bytes for an Ethernet to be able to transport the data. The default IP datagram length is referred to as the path MTU, or maximum transmission unit. The MTU is defined as the size of the largest packet that can be transmitted or received through a logical interface. For our previous example of two Token Ring networks connected via an Ethernet network, the MTU would be 1500 bytes. Because it is important to commence transmission with the lowest common denominator packet size that can flow through different networks, and, if possible, adjust the packet size after the initial packet reaches its destination, IP datagrams use a default of 576 bytes when datagrams are transmitted remotely (off the current network). Fragmentation is a most interesting function, as it allows networks capable of transmitting larger packets to do so more efficiently. Efficiency increases because larger packets have proportionately less overhead. Unfortunately, the gain in packet efficiency is not without cost. First, although routers can fragment datagrams, they do not reassemble them, leaving it to the host to perform reassembly. This is because router CPU and memory requirements would considerably expand if they had to reassemble datagrams flowing to networks containing hundreds or thousands of hosts. Second, although fragmentation is a good idea for boosting transmission efficiency, a setting in the Flags field, which we cover shortly, can be used to indicate that a datagram should not be fragmented. Because many routers do not support fragmentation, many applications by default set the do not fragment flag bit and use a datagram length that, while perhaps not most efficient, ensures that a datagram can flow end to end, as its length represents the lowest common denominator of the networks it will traverse. When an IP datagram is fragmented, this situation results in the use of three fields in the IP header: Identification, Flags, and Fragment Offset. The Identification field is 16 bytes in length and is used to indicate which datagram fragments belong together. A receiving device operation at the IP network layer uses the Identification field as well as the source IP address to determine which fragments belong together. Ensuring fragments are put back together in their appropriate order requires a mechanism to distinguish one fragment from another. That mechanism is provided by the Fragment Offset field, which indicates the location where each fragment belongs in a complete message. The actual value in the Fragment Offset field is an integer that corresponds to a unit of eight bytes that indicates the offset from the previous datagram. For example, if the first fragment is 512 bytes in length, the second fragment would have an offset value that indicates that this IP datagram commences at byte 513. By using the Total Length and Fragment Offset fields, a receiver can easily reconstruct a fragmented datagram.
AU1271Ch05Frame Page 115 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
115
Flags Field The third field in the IP header directly associated with fragmentation is the Flags field. This field is four bytes in length, with two bits used to denote fragmentation information. The setting of one of those bits is used as a direct fragment control mechanism; a value of 0 indicates the datagram can be fragmented, while a value of 1 indicates not to fragment the datagram. The second fragment bit is used to indicate fragmentation progress. When the second bit is set to a value of 0, it indicates that the current fragment in a datagram is the last fragment. In comparison, a value of 1 in this bit position indicates that more fragments follow.
Time to Live Field The Time to Live (TTL) field is eight bits in length. The setting in this field is used to specify the maximum amount of time that a datagram can exist. It is used to prevent a misaddressed datagram from endlessly wandering the Internet or a private IP network, similar to the manner by which a famous American folk hero was noted in a song to wander the streets of Boston. Because an exact time is difficult to measure, the value placed into the TTL field is actually a router hop count. That is, routers decrement the value of the TTL field by one as a datagram flows between networks. If the value of this field reaches zero, the router will discard the datagram and, depending on the configuration of the router, generate an ICMP message that informs the datagram’s originator that the TTL field expired and the datagram, in effect, was sent to the great bit bucket in the sky. Many applications set the TTL field value to default of 32, which should be more than sufficient to reach most destinations in a very complex network, to include the Internet. In fact, one popular application referred to as traceroute issues a sequence of datagrams commencing with a value of 1 in the TTL field to obtain a sequence of router-generated ICMP messages that enables the path from source to destination to be noted. Later in this chapter we examine the operation of the traceroute application and note how it can be used as a diagnostic tool.
Protocol Field While TCP and UDP represent a large majority of layer 4 protocols carried in an IP datagram, they are not the only protocols transported. In addition, even if they were, we would need a mechanism to distinguish one upper layer protocol from another carried in a datagram. The method used to distinguish the upper layer protocol carried in an IP datagram is obtained through the use of a value in the Protocol field. For example, a value of decimal 6 is used to indicate that a TCP header follows the IP header, while a value of decimal 17 indicates that a UDP header follows the IP header in a datagram.
AU1271Ch05Frame Page 116 Monday, July 15, 2002 8:52 PM
116
Building the Wireless Office
The Protocol field is eight bits in length, permitting up to 256 protocols to be defined under IPv4. Exhibit 4 lists some examples of the current assignments of Internet Protocol numbers. Note that although TCP and UDP by far represent the vast majority of TCP/IP traffic on the Internet and corporate intranets, other protocols can be transported, and a large block of protocol numbers is currently unassigned.
Header Checksum Field The Header Checksum field contains a 16-bit cyclic redundancy check (CRC) character. The CRC represents a number generated by treating the data in the IP header field as a long binary number and dividing that number by a fixed polynomial. The result of this operation is a quotient and remainder, with the remainder placed into the 16-bit Checksum field by the transmitting device. When a receiving station reads the header, it also performs a CRC operation on the received data, using the same fixed polynomial. If the computed CRC does not match the value of the CRC in the Header Checksum field, the receiver assumes the header is in error and the packet is discarded. Thus, the header checksum, as its name implies, provides a mechanism for ensuring the integrity of the IP header.
Source and Destination Address Fields Both the Source and Destination Address fields are 32 bits in length under IPv4. The source address represents the originator of the datagram, while the destination address represents the recipient. Under IPv4, there are five classes of IP addresses, referred to as Class A through Class E. Classes A, B, and C are subdivided into a network portion and a host portion and represent addresses used on the Internet and private IP-based networks. Classes D and E represent two special types of IPv4 network addresses. Because it is extremely important to understand the composition and formation of IP addresses to correctly configure devices connected to an IP network as well as to design and modify such networks, we now turn our attention to this topic. Once we obtain an appreciation of IP addressing, we then examine the use of the Address Resolution Protocol (ARP), noting how ARP is used to enable layer 3 IP datagrams that use 32bit IP addresses to be correctly delivered by LANs using 48-bit layer 2 MAC addresses.
IP Addressing Although we normally associate a host with a distinct IP address, in actuality IP addresses are used by the Internet Protocol to identify distinct device interfaces. That is, each interface on a device has a unique IP address. This explains how a router with multiple interfaces can receive communications addressed to the device on different router ports connected to LANs and
AU1271Ch05Frame Page 117 Monday, July 15, 2002 8:52 PM
117
TCP/IP Protocol Suite
Exhibit 4. Decimal
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43
Assigned Internet Protocol Numbers Keyword
Protocol
HOPOPT ICMP IGMP GGP IP ST TCP CBT EGP IGP
IPv6 Hop-by-Hop Option Internet Control Message Internet Group Management Gateway-to-Gateway IP in IP (encapsulation) Stream Transmission Control Protocol CBT Exterior Gateway Protocol Any private interior gateway (used by Cisco for its IGRP) BBN RCC Monitoring Network Voice Protocol Version 2 PUP ARGUS EMCON Cross Net Debugger Chaos User Datagram Multiplexing DCN Measurement Subsystems Host Monitoring Packet Radio Measurement XEROX NS IDP Trunk-1 Trunk-2 Leaf-1 Leaf-2 Reliable Data Protocol Internet Reliable Transaction ISO Transport Protocol Class 4 Bulk Data Transfer Protocol MFE Network Services Protocol MERIT Internodal Protocol Sequential Exchange Protocol Third Party Connect Protocol Inter-Domain Policy Routing Protocol XTP Datagram Delivery Protocol IDPR Control Message Transport Protocol TP++ Transport Protocol IL Transport Protocol IPv6 Source Demand Routing Protocol Routing Header for IPv6
BBN-RCC-MON NVP-II PUP ARGUS EMCON XNET CHAOS UDP MUX DCN-MEAS HMP PRM XNS-IDP TRUNK-1 TRUNK-2 LEAF-1 LEAF-2 RDP IRTP ISO-TP4 NETBLT MFE-NSP MERIT-INP SEP 3PC IDPR XTP DDP IDPR-CMTP TP++ IL IPv6 SDRP IPv6-Route
AU1271Ch05Frame Page 118 Monday, July 15, 2002 8:52 PM
118 Exhibit 4.
Building the Wireless Office
Assigned Internet Protocol Numbers (Continued)
Decimal
Keyword
Protocol
44 45 46 47 48 49 50 51 52 53 54 55 56
IPv6-Frag IDRP RSVP GRE MHRP BNA ESP AH I-NLSP SWIPE NARP MOBILE TLSP
57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87
SKIP IPv6-ICMP IPv6-NoNxt IPv6-Opts
Fragment Header for IPv6 Inter-Domain Routing Protocol Reservation Protocol General Routing Encapsulation Mobile Host Routing Protocol BNA Encap security Payload for IPv6 Authentication Header for IPv6 Integrated Net Layer Security IP with Encryption NBMA Address Resolution Protocol IP Mobility Transport Layer Security Protocol (using Kryptonet key management) SKIP ICMP for IPv6 No Next Header for IPv6 Destination options for IPv6 Any host internal protocol CFTP Any local network SATNET and Backroom EXPAK Kryptolan MIT Remote Virtual Disk Protocol Internet Pluribus Packet Core Any distributed file system SATNET monitoring VISA Protocol Internet Packet Core Utility Computer Protocol Network Executive Computer Protocol Heart Beat Wang Span Network Packet Video Protocol Backroom SATNET Monitoring SUN ND PROTOCOL-Temporary WIDEBAND Monitoring WIDEBAND EXPAK ISO Internet Protocol VMTP SECURE-VMPT VINES TTP NSFNET-IGP Dissimilar Gateway Protocol TCF
CFTP SAT-EXPAK KRYPTOLAN RVD IPPC SAT-MON VISA IPCV CPNX CPHB WSN PVP BR-SAT-MON SUN-ND WB-MON WB-EXPAK ISO-IP VMTP SECURE-VMTP VINES TTP NSFNET-IGP DGP TCF
AU1271Ch05Frame Page 119 Monday, July 15, 2002 8:52 PM
119
TCP/IP Protocol Suite
Exhibit 4.
Assigned Internet Protocol Numbers (Continued)
Decimal
Keyword
Protocol
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117–254 255
EIGRP OSPFIGP Sprite-RPC LARP MTP AX.25 IPIP MICP SCC-SP ETHERIP ENCAP
EIGRP OSPFIGP Sprite RPC Protocol Locus Address Resolution Protocol Multicast Transport Protocol AX.25 Frames IP-within-IP Encapsulation Protocol Mobile Internetworking Control Protocol Semaphore Communications Sec. Protocol Ethernet-within-IP Encapsulation Encapsulation header Any private encryption scheme GMTP Ipsilon Flow Management Protocol PNNI over IP Protocol Independent Multicast ARIS SCPS QNX Active Networks IP Payload Compression Protocol Sitara Networks Protocol Compaq Peer Protocol IPX in IP Virtual Router Redundancy Protocol PGM Reliable Transport Protocol Any 0-hop protocol Layer 2 Tunneling Protocol D-II Data Exchange (DDX) Unassigned
GMTP IFMP PNNI PIM ARIS SCPS QNX A/N IPPCP SNP Compaq-Peer IPX-in-IP VRRP PGM L2TP DDX Reserved
WANs. Devices such as hosts, routers, and gateways can have a single or multiple interfaces. When the latter situation occurs, the device is assigned multiple IP addresses, one for each interface. In a wireless environment the network adapter card plugged into a notebook in effect represents an interface that will have an assigned IP address. Because most hosts are connected to a LAN via a single interface, most readers familiar with IP addressing associate a single IP address with a host. Although not as common as host workstations that use a single network connection, some servers and all firewalls and routers have multiple network connections. Exhibit 5 illustrates a network structure used to connect a corporate private network to the Internet. In this example, a demilitarized (DMZ) LAN is used to interconnect the router and firewall. A DMZ LAN is a LAN
AU1271Ch05Frame Page 120 Monday, July 15, 2002 8:52 PM
120
Building the Wireless Office
Internet
Router DMZ LAN
Firewall Corporate Private Network
Exhibit 5. Several Types of Communications Devices with an IP Address Assigned to Each Interface
without servers or workstations, in effect forcing all communications to and from the Internet to pass through a firewall. Note that both the router and firewall have multiple ports. Thus, in an IP networking environment, each communications device would be assigned two IP addresses, one for each device interface.
The IP Addressing Scheme As previously mentioned, IPv4 uses 32-bit binary numbers to identify the source and destination addresses in each datagram. The use of 32-bit numbers provides an address space that supports 232 or 2,294,967,296 distinct addressable interfaces. While this number probably exceeded the world’s population when the Internet was initially developed as a mechanism to interconnect research laboratories and universities, the proliferation of personal computers and the development of the Web significantly expanded the role of the “mother of all networks.” Recognizing that many individuals would eventually use personal digital assistants (PDAs), and even all phones to access the Web, as well as the fact that hundreds of millions of Chinese and Indians would eventually be connected to the Internet, it became obvious that IP address space would eventually be depleted. In 1992, the Internet Activities Board (IAB) began work on a replacement for the current version of IP. Although the efforts of the IAB were primarily concerned with the addressing limitations of IPv4, it also examined the structure of IP and the inability of the current version of the protocol to easily indicate different options within the header. The result of the IAB effort was a new version of IP that is referred to as IPv6. IPv6 was finalized during 1995 and is currently being evaluated on an experimental portion of the Internet. Under IPv6, source and destination addresses were expanded to 128 bits, and the IP header was considerably altered, with only the VER field retaining its position in the IPv6 header.
AU1271Ch05Frame Page 121 Monday, July 15, 2002 8:52 PM
121
TCP/IP Protocol Suite
1 byte 1byte 1byte 1byte Class A Class B Class C
N N N
H N N
Network
H H N
H H H
Host
Under the two-level IP addressing hierarchy, the 32-bit IP address is subdivided into network and host portions. The composition of the first four bits of the 32-bit word specifies whether the network portion is 1, 2, or 3 bytes in length, resulting in the host portion being either 3, 2, or 1 bytes in length.
Exhibit 6. The Two-Level IP Addressing Hierarchy Used for Class A, B, and C Addresses
Although the use of IPv6 will considerably enhance the support of an expanded Internet as well as facilitate various routing operations, it will be many years before the new protocol moves from an experimental status into production. Due to this, we focus on IPv4 addressing in this section.
Address Classes During the development of the Internet Protocol, it was recognized that hosts would be connected to different networks and that those networks could be interconnected to one another to form a network of interconnected networks, now commonly referred to as the Internet. Thus, in developing an IP addressing scheme, it was also recognized that a mechanism would be required to identify a network as well as a host connected to a network. This recognition resulted in the development of an addressing scheme in which certain classes of IP addresses are subdivided into a two-level addressing hierarchy. Exhibit 6 illustrates the two-level addressing hierarchy used by Class A, B, and C addresses, whose composition and utilization we soon review. In examining the two-level IP addressing scheme shown in Exhibit 6, note that all hosts on the same network are usually assigned the same network prefix but must have a unique host address to differentiate one host from another. As we note later in this chapter, it is possible (although little noted) for multiple network addresses to reside on a common network. This is the exception rather than the rule. Similarly, two hosts on different networks should be assigned different network prefixes; however, the hosts can have the same host address. If you think about this addressing technique, you can consider it in many ways to be similar to the structure of a telephone number. That is, no one in your area code can have the same phone number as your number. It is very likely that the same phone number exists in one or more different area codes. We can also view Class A, B, and C addresses as having the following general format: < Network Number, Host Number >
AU1271Ch05Frame Page 122 Monday, July 15, 2002 8:52 PM
122
Building the Wireless Office
where the combined network number and host number have the form xxxx.xxxx.xxxx.xxxx, with each x representing a decimal value. As we probe deeper into IP addressing we will note that the above format uses dotted decimal notation to reference IP addresses.
Rationale During the IP standardization process, it was recognized that a single method of subdividing the 32-bit address space into network and host portions would be wasteful with respect to the assignment of addresses. For example, assume all addresses were evenly split. This would result in the use of 16 bits for a network number and a similar number of bits for a host number. Without considering host and network addressing restrictions, the use of 16 bits results in a maximum of 65,536 (216) networks, with up to 65,536 hosts per network. Not only would the assignment of a network address to an organization that has only 100 computers result in a waste of 65,436 host addresses that could not be assigned to other organizations, but in addition there could only be 65,536 networks. This limited number of networks would be clearly insufficient in an era where over 50,000 colleges, universities, high schools, and grade schools are now connected to the Internet via LANs, with each LAN having a distinct network address. Recognizing that the use of IP addresses could literally mushroom beyond their expectations, the designers of IP came up with a methodology whereby the 32-bit IP address space was subdivided into different address classes. The result of the IP designers’ efforts was the definition of five address classes, referred to as Classes A through E.
Class Addressing Overview Class A addresses were developed for use by organizations with extremely large networks or for assignments to countries. Class B addresses are for use by organizations with large networks, while Class C addresses are for organizations with small networks. Two additional address classes are Classes D and E. Class D addresses are used for IP multicasting, a technique where a single message is distributed to a group of hosts dispersed across a network. Class E addresses are reserved for experimental use. Unlike Classes A through C, which incorporate a two-level IP addressing structure, Classes D and E use a single addressing structure. Exhibit 7 illustrates the structure or format of the five defined IP address classes. In examining the entries in Exhibit 7, note that an address identifier of variable length is the prefix to each address class. The address identifier prefix is a single “0” bit for a Class A address, the bits “10” for a Class B address, and so on. Because each address identifier is unique, it becomes possible to examine one or more bits in the address identifier portion of the address to determine the address class. Once an address class is identified, the subdivision of the remainder of the address into the network and host address portions can easily be obtained from a table lookup or from predefined
AU1271Ch05Frame Page 123 Monday, July 15, 2002 8:52 PM
123
TCP/IP Protocol Suite
Bits in Network Address Byte 1
Byte 2
Byte 3
Byte 4
Class A Network Portion Byte 1
Byte 2
Byte 3
Network Portion
24
14
16
21
8
N/A
N/A
N/A
N/A
Byte 4
Host Portion
Byte 2
Byte 3
Byte 4
Class C Network Portion Byte 1
7 Host Portion
Class B
Byte 1
Bits in Host Address
Byte 2
Host Portion Byte 3
Byte 4
Class D Multicast Address Byte 1
Byte 2
Byte 3
Class E
Byte 4
Experimental
Exhibit 7.
IP Address Formats
data within a program. For example, if a 32-bit address is a Class A address due to the first bit being binary 0, then the next seven bits represent the actual network address, while the remaining 24 bits represent the host address. Similarly, if the first two bits of the 32-bit address have the value “10,” then the next 14 bits represent the actual network address, while the trailing 16 bits represent the host address. To obtain an appreciation of the use of each IP address class, we turn our attention to a detailed examination of each address class. We focus on the composition of the network and host portion of each address for Classes A through C, as well as the manner by which all five classes are used.
Class A Addresses As indicated in Exhibit 7, a Class A address has the four-byte form of , with seven bits used for the actual network address because the first bit position must be set to a value of binary 0 to indicate that this is a Class A address. Because seven bits are available for the network address, we would logically assume 28 or 128 Class A networks can be defined. In actuality, networks 0 and 127 are reserved and cannot be used, resulting in Class A addressing supporting 126 networks. Because 24 bits are used for a host identifier, each network is capable of supporting up to 224 – 2, or 16,277,214, hosts; 2 is subtracted from the possible number of
AU1271Ch05Frame Page 124 Monday, July 15, 2002 8:52 PM
124
Exhibit 8. Stack
Building the Wireless Office
Using an IP Loopback Address to Verify the Status of the TCP/IP Protocol
hosts because no host can be assigned a value of all 0s or a value of all 1s. A host value of 0 indicates a broadcast address. Because only a small number of Class A networks can be defined, they were used up many years ago. Due to the large number of hosts that can be assigned to a Class A network, Class A addresses were primarily assigned to large organizations and countries that have national networks. One Class A network address that warrants attention results from the setting of all seven bits in the network address to 1s, representing 127 in decimal. A network address of 127.x.x.x is reserved as an internal loopback address and cannot be assigned as a unique IP address to a host. Thus, a question you may have is, “why reserve a network address of 127 if it is not usable?” The answer to this question is that you can use a network address of 127.x.x.x as a mechanism to determine if your computer’s local TCP/IP protocol stack is operational. An example of the use of a 127-network address is illustrated in the top of Exhibit 8, which shows the use of the Ping command to query the device at address 127.1.1.1. Because this is a loopback address, this action tests the protocol stack on my computer. Note that in this example Microsoft’s version of Ping uses the IP address 127.1.1.1 as a loopback. If you enter the address 127.0.0.0 as shown in the lower portion of Exhibit 8, Microsoft’s implementation of the TCP/IP protocol stack treats the IP address as an invalid address. All TCP/IP protocol stacks should, as a minimum, recognize the IP address 127.0.0.1 as an internal loopback address. Most protocol stacks also consider a prefix of 127 for a network address with any nonzero host address as a
AU1271Ch05Frame Page 125 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
125
loopback. Thus, you can normally use 127.1.2.3, 127.4.5.6, and any other combination other than 127.0.0.0 as a loopback.
Class B Addresses Continuing our exploration of IPv4 address classes, a Class B address has the form for the four bytes in the address. A Class B network address is defined by setting the two high-ordered bits of an IP address to the binary value “10.” Because two bits are used to identify the address, the actual Class B network address is 14 bits in width, while the host portion of the address is two bytes, or 16 bits in width. Thus, a Class B address is capable of supporting 214 or 16,384 networks, with each network capable of supporting up to 216 – 2, or 65,534, hosts. Due to the manner by which Class B addresses are subdivided into network and host portions, such addresses are normally assigned to relatively large organizations. In addition, through the process of subnetting, which is described later in this chapter, one Class B address can be provided to multiple organizations, with each organization informed as to the correct subnet mask to use to identify the portion of a Class B address provided for its use. If we are familiar with binary, we can easily convert permissible binary values in the first byte of a Class B address into a range of decimal values. For example, because a Class B address commences with binary values 10, the first byte must range between 1000000 and 10111111. We can convert to decimal by noting that the value of each position in a byte is as follows: 128 64 32 16 8 4 2 1
Thus, binary 10000000 is equivalent to decimal 128, while binary 10111111 is equivalent to decimal 191. Thus, the first byte of a Class B address is restricted to the range 128 to 191, with 0 to 255 permitted in the second byte of the network address.
Class C Addresses A Class C address is identified by the first three bits in the IP address set to the binary value of 110. This value denotes the fact that the first three bytes in the 32-bit address identify the network while the last byte identifies the host on the network. Because the first three bits in a Class C address are set to a value of 110, this means 21 bits are available for the network address. Thus, a Class C address permits 221 or 2,097,152 distinct network addresses. Because the host portion of a Class C address is one byte in length, the number of hosts per network is limited to 28 – 2, or 254. Due to the subdivision of network and host portions of Class C addresses, they are primarily assigned for use by organizations with relatively small networks, such as a single LAN that requires a connection to the Internet. Because it is common for organizations to have multiple LANs, it is also quite common for multiple Class C addresses to be assigned to organizations that require more than 254 host addresses but are not large enough to justify a
AU1271Ch05Frame Page 126 Monday, July 15, 2002 8:52 PM
126
Building the Wireless Office
Class B address. It is also common for an organization with multiple LANs located within close proximity to one another to share one Class C address through subnetting, a topic we cover later. Similar to the manner by which we computed the decimal range of Class B addresses, we can compute the range of permitted Class C addresses. That is, because the first three bits in the first byte are set to a value of 110, the binary range of values are 11000000 to 11011111, representing decimals 192 through 223. The second and third bytes in a Class C address range in value from 0 to 255, while the last byte, which represents the host address, ranges in value from 1 to 254, because host values of 0 and 255 are not permitted.
Class D Addresses Class D IP addresses represent a special type of address referred to as a multicast address. A multicast address is assigned to a group of network devices and allows a single copy of a datagram to be transmitted to a specific group. The members of the group are then able to receive a common sequence of datagrams instead of having individual series of datagrams transmitted to each member on an individual basis, in effect conserving network bandwidth. A Class D address is identified by the assignment of the binary value 1110 to the first four bits of the address. The remaining 28 bits are then used to create a unique multicast address. Because a Class D address always has the prefix 1110, its first byte varies from 11100000 to 11101111, resulting in the address range 224 through 239. Thus, the multicast address range becomes 224.0.0.0 through 239.255.255.255, with the use of a Class D address enabling approximately 268 million multicast sessions to simultaneously occur throughout the world. To obtain an appreciation for the manner by which Class D addressing conserves bandwidth, consider a digitized audio or video presentation routed from the Internet onto a private network for which users working at 15 hosts on the private network wish to receive the presentation. Without a multicast transmission capability, 15 separate data streams, each containing a repetition of the audio or video presentation, would be transmitted through the Internet onto the private network, with only the destination address in each datagram in one stream differing from the datagram in a different stream. Here, 14 data streams are unnecessary and only function to clog the Internet as well as the private network. In comparison, through the use of multicasting, the 15 users requiring the presentation would join the multicast group, permitting one data stream to be routed through the Internet onto the private network. Common examples of the use of multicast include access to many news organization video feeds that result in a 2-in. by 2-in. television on a computer monitor. With frame refresh rates of 15 or more frames per second, a server of unicast transmissions would consume a relatively large amount of bandwidth. Thus, the ability to eliminate multiple data streams via multicast transmission can prevent networks from being saturated. In addition, this capability reduces the number of datagrams that routers must route. This minimizes the necessity of routers that discard packets when they become saturated.
AU1271Ch05Frame Page 127 Monday, July 15, 2002 8:52 PM
127
TCP/IP Protocol Suite
Exhibit 9. IPv4 Address Class First Byte Values Address Class
Class Class Class Class Class
A B C D E
First Byte Address Range
1 128 192 224 240
to to to to to
126 191 223 239 255
Class E Addresses The fifth address class defined for IPv4 is Class E. A Class E address is defined by setting the first four bits in the 32-bit IP address to the binary value of 1111. Thus, a Class E address has a first byte value between 11110000 and 11111111, or between 240 and 255 decimal. Class E addresses are currently reserved for experimental usage. Because 28 bits in a Class E address can be used to define unique addresses, this means approximately 268.4 million Class E addresses are available. One common method used to denote Classes A through E addresses is by examining the decimal value of the first byte of the 32-bit IPv4 address. To facilitate this examination, Exhibit 9 summarizes the range of decimal values for the first byte of each address class.
Dotted Decimal Notation Although we previously only briefly examined how to convert the binary value of a byte into decimal, we did not discuss the rationale for the use of decimal numbers in IP addresses, so let us do so now. Because humans do not like to work with strings of 32-bit binary addresses, IP developers looked for a technique that would be easier for specifying IPv4 addresses. The resulting technique is referred to as “dotted decimal notation” in recognition of the fact that a 32-bit IP number can be subdivided into four 8-bit bytes. Because of this, it is possible to specify a 32-bit IPv4 address via the use of four decimal numbers in the range 0 through 255, with each number separated from another number by a decimal point. To review the formation of a dotted decimal number, let us first focus on the decimal relationship of the bit positions in a byte. Exhibit 10 indicates the decimal values of the bit positions within an eight-bit byte. Note that the decimal value of each bit position corresponds to 2n, where n is the bit position in the byte. Using the decimal values of the bit positions shown in Exhibit 10, let us assume you want to convert the following 32-bit binary address into dotted decimal notation: 01010100110011101111000100111101
AU1271Ch05Frame Page 128 Monday, July 15, 2002 8:52 PM
128
Building the Wireless Office
128
64
32
16
8
4
2
1
The decimal value of the bit positions in a byte correspond to 2n, where n is the bit position that ranges from 0 to 7.
Exhibit 10.
Decimal Values of Bit Positions in a Byte
The first eight bits that correspond to the first byte in an IP address have the binary value 01010100. Then, the value of that byte expressed as a decimal number becomes 64 + 16 + 4, or 84. Next, the second bit in the binary string has the binary value of 11001110. From Exhibit 10, the decimal value of the second byte is 128 + 64 + 8 + 4 + 2, or 206. Similarly, the third byte, whose binary value is 11110001, has the decimal value 128 + 64 + 32 + 16 + 1, or 241. The last byte, whose bit value is 00111101, has the decimal value 32 + 16 + 8 + 4 + 1, or 61. Based on this, we would enter the 32-bit address in dotted decimal notation as 84.206.241.61, which is certainly easier to work with than a 32-bit string.
Basic Workstation Configuration The use of dotted decimal notation can be appreciated when we examine the configuration of a workstation. If you are using Microsoft Windows 95 or Windows 98, go to Start>Control Panel>Network and double-click on the TCP/ IP entry in the Configuration tab to assign an applicable series of dotted decimal values to configure a host on an IP network. Correctly configuring a host on a TCP/IP network requires the entry of three dotted decimal addresses and a subnet mask, the latter also specified as a dotted decimal number. The three addresses you must specify include the IP address of the host you are configuring, the IP address of a gateway, and the IP address of a domain name saver (DNS). The term “gateway” dates from the early days of ARPAnet when a device that routed datagrams between networks was called that name. Today we refer to this device as a router; however, in the wonderful world of TCP/IP configuration, the term “gateway” is still used. The second new device is the DNS that resolves (a fancy name for “translates”) host names into IP addresses; its operation is described in more detail later in this book. At the present time, we simply note that the DNS allows us to enter addresses to Web browsers, such as www.whitehouse.com, and allows the TCP/IP protocol stack to perform the translation into an applicable IP address. All routing in an IP network occurs via an examination of IP addresses. Exhibit 11 illustrates setting the IP Address tab in the TCP/IP Properties dialog box on my personal computer. Note that the button labeled “Specify an IP address” is selected, which indicates to the Windows operating system that a fixed IP address will be assigned to the computer. In Exhibit 11 that address is 198.78.46.8, for which, if you convert 198 into binary rather than glancing at Exhibit 9, you will note a value of 11000000. Because the first
AU1271Ch05Frame Page 129 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
Exhibit 11.
129
Setting the IP Address and Subnet Mask
three bits are set to binary 110, this denotes a Class C address. If we do not like working with binary, we could then use Exhibit 9 to determine that setting the first byte to 198 does indeed denote a Class C address. Although we discuss the subnet mask shortly, at the present time we can note that its setting “extends” the network portion of an address internally within an organization. That is, the set bits in a subnet mask indicate the new length of the network portion of the address. If we examine the subnet mask shown in Exhibit 11 and remember that a value of 255 represents the setting of all bits in a byte to 1, this indicates that the network portion of the address is 24 bits long. Because a Class C address uses three bytes for the network address and one byte for the host address, this also means that a subnet mask of 255.255.255.0 for a Class C address indicates that the network is not subnetted. If we click on the tab labeled “Gateway,” we can view the manner by which we can add and remove the IP addresses of routers. Exhibit 12 illustrates the TCP/IP Properties dialog box with its Gateway tab selected. In this example we entered the IP address 198.78.46.1 to denote the address of the router that will route datagrams with an IP network address other than 198.78.46.0 off the network.
AU1271Ch05Frame Page 130 Monday, July 15, 2002 8:52 PM
130
Exhibit 12.
Building the Wireless Office
Configuring the Gateway Address under Windows 95/98
The third IP address used for the configuration of a TCP/IP protocol stack is the address of a DNS that supports your organization’s network. You can view the DNS configuration screen by clicking on the tab with that label. Exhibit 13 illustrates the TCP/IP Properties dialog box with its DNS Configuration tab selected. Note that the radio button associated with Enable DNS is selected, and we entered a host name of “gil” for our computer, which is part of the domain fed.gov. Thus, the complete host name of our computer is gil.fed.gov. Note that we do not have to specify either a host or domain. Doing so results in the IP address previously assigned to our computer along with the host name entered in a record in the DNS. This would then allow someone to access our computer by entering gil.fed.gov instead of the IP address of 198.78.46.8. If no one accesses your computer, you could safely omit the host and domain entries. If your computer is a popularly used server, you would want to include the host name, as it would be easier to remember than a sequence of dotted decimal numbers. The combination of host and domain names is commonly referred to as a fully qualified domain name (FQDN). An FQDN means that the name is unique. In comparison, the host portion of the name (gil) could exist on many
AU1271Ch05Frame Page 131 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
131
Exhibit 13. Specifying the Address of the DNS Server and the Fully Qualified Name of the Host
domains. Similarly, many computers could have a common domain name (fed.gov). Returning to Exhibit 13, note that you can specify up to four DNS server addresses when using Windows 95. Later versions of Windows reduce the number of DNS server addresses you can specify. In addition, you can specify one or more domain suffix search orders where common domain suffixes include gov (government), com (commercial), edu (educational), mil (military), and org (nonprofit organization).
Reserved Addresses We previously noted that the address block 127.0.0.0 through 127.255.255.255 is used for loopback purposes and can thus be considered to represent a block of reserved addresses. When considering IPv4 addressing, three additional blocks of reserved addresses warrant attention. Those address blocks are defined in RFC 1918, titled Address Allocation for Private Internet, and are summarized in Exhibit 14.
AU1271Ch05Frame Page 132 Monday, July 15, 2002 8:52 PM
132
Building the Wireless Office
Exhibit 14. Reserved IP Addresses for Private Internet Use Address Blocks
10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255
The original intention of RFC 19118 addresses was to define blocks of IP addresses organizations could use on private networks that would be recognized as such. As Internet usage grew, the ability to obtain IP addresses became harder as existing network addresses were assigned to different organizations. This resulted in a second role for RFC 1918 addresses under a process referred to as network address translation (NAT). Under NAT, internal RFC 1918 addresses can be dynamically translated to public IP addresses while reducing the number of public addresses that need to be used. For example, consider an organization with 500 stations that has only one Class C address. One possibility is to use RFC 1918 addresses behind a router connected to the Internet, with the router translating RFC 1918 addresses dynamically into available Class C addresses. Although no more that 254 RFC 1918 addresses could be translated into valid, distinct Class C addresses at any point in time, it is also possible to use TCP and UDP port numbers to extend the translation process so each RFC 1918 address can be simultaneously used and translated. To do so, a router would translate each RFC 1918 address into a Class C address using a different port number, permitting thousands of translations for each Class C address. In Chapter 4 when we examine the use of my home computer to configure a Netgear wireless router, we note the use of a 192.168 network prefix. That prefix represents an RFC 1918 Class C network address and enables the Netgear router to support up to 253 devices using a single IP address assigned by an Internet service provider. The Netgear router translates RFC 1918 addresses to the ISP-provided address by using high TCP and UDP port numbers to keep track of the address mapping. Another device that can provide address translation is a proxy firewall. In addition to translating addresses, a proxy firewall also hides internal addresses from the Internet community. This address hiding provides a degree of security, as any hacker that attempts to attack a host on a network where a proxy firewall operates must first attack the firewall. Some wireless routers include a limited firewall capability in the form of packet filtering. In Chapter 7 we examine some of the security features included in wireless routers. Two additional items to note about RFC 1918 addresses are that (1) they cannot be used directly on the Internet, and (2) they are a favorite source address hackers use. RFC 1918 addresses cannot be directly used on the Internet because if one company does so, a second could also do so, resulting in addressing conflicts and the unreliable delivery of information. Thus, as discussed, RFC 1918 addresses are translated into Class A, B, or C addresses
AU1271Ch05Frame Page 133 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
133
when a private network using such addresses is connected to the Internet. Concerning hacker use, because routers do not check source IP addresses, it is quite common for a hacker to use an RFC 1918 address as the source address, making it difficult, if not impossible, to locate the hacker. Because it is quite common for hackers to use an RFC 1918 address as their address in configuring a TCP/IP protocol stack, it is also quite common to create a router access list that filters datagrams that have an RFC 1918 address as their source address.
Subnetting One of the problems associated with the use of IP addresses is the fact that even with the use of classes, their use can be inefficient. For example, consider the use of a Class A network address. Although you can have up to 16,277,214 hosts per Class A network, you can only have 127 such networks. Thus, the assignment of a Class A network address to a large organization with 100,000 workstations would waste over 16 million IP addresses. Similarly, because a single LAN is incapable of supporting 100,000 workstations, you might consider asking for multiple network addresses, which would further waste a precious resource — IPv4 addresses. Another problem associated with using more network addresses than required is the fact that routers must note those addresses. This means that the routers in a network that could be the Internet or a private IVP/IP network would have more entries in their routing tables. This, in turn, results in routers’ requiring a longer time to check the destination address in a datagram against entries in each router’s routing table. The solution to the problems of wasted IP address space and unnecessary routing table entries is provided through the process of subnetting.
Overview Subnetting was standardized in RFC 950 in 1985. This RFC defines a procedure to subnet or divide a single Class A, B, and C network into two or more subnets. Through the process of subnetting, the two-level hierarchy of Class A, B, and C networks previously illustrated in Exhibit 6 is converted into a three-level hierarchy. Exhibit 15 provides a comparison between the two-level hierarchies initially defined for Class A, B, and C networks and the three-level subnet hierarchy. In examining the lower portion of Exhibit 15, note that to convert the two-level hierarchy into a three-level hierarchy, the extension of the network address occurs by taking away a portion of the host address portion of an IPv4 address.
Subnetting Example Any of the IPv4 A through C address classes can be subnetted. To illustrate the subnet process as well as learn how subnetting facilitates the use of IPv4 address space, let us examine the process. In doing so we discuss the concept
AU1271Ch05Frame Page 134 Monday, July 15, 2002 8:52 PM
134
Building the Wireless Office
Two-Level Hierarchy
Network Host Address Address Portion Portion
Three-Level Subnet Hierarchy
Network Subnet Host Address Address Address Portion Portion Portion
Exhibit 15. Comparing the Three-Level Subnet Hierarchy to the Two-Level Network Class Hierarchy
of masking and the use of the subnet mask, both of which are essential to the extension of the network portion of an IP address beyond its predefined location. To illustrate the concept of subnetting, let us assume your organization needs to install five LANs within a building, with each network supporting between 10 and 15 workstations and servers. Let us further assume that your organization was previously assigned the IP Class C network address 198.78.46.0. Although your organization could apply for four additional Class C addresses, doing so would waste precious IPv4 address space because each Class C address supports a maximum of 254 interfaces. In addition, if you anticipate connecting your organization’s private networks to the Internet, the use of four additional Class C network addresses would be required in a number of routers in the Internet as well as your organization’s internal routers. Instead of asking for four additional Class C addresses, let us use subnetting by dividing the host portion of the 198.78.46.0 IP v4 address into a subnet number and a host number. Because we need to support five networks, we must use a minimum of three bits from the host portion of the IP address as the subnet number because the number of subnets you can obtain is 2n, where n is the number of bits. When n = 2, this yields four subnets, which is too few. When n = 3, we obtain eight subnets, which provides enough subnets for our example. Because a Class C address uses 24 bits for the network portion and eight bits for the host portion, the use of a three-bit subnet extends the network address such that it becomes 27 bits in length. This also means that a maximum of five bits (8 – 3) can be used for the host portion of the address. Exhibit 16 illustrates the creation of the three-level addressing scheme just described. Note that the three-bit subnet permits eight subnets (000 through 111). To the outside world the network portion of the address remains the same. This means that the route from the Internet to any subnet of a given IP network address remains the same. This also means that routers within an organization must be able to differentiate between different subnets; however, routers outside the organization do not consider subnets. To illustrate the creation of five subnets, let us assume we want to commence subnet numbering at 0 and continue in sequence through subnet 4.
AU1271Ch05Frame Page 135 Monday, July 15, 2002 8:52 PM
135
TCP/IP Protocol Suite
Byte 1
Byte 2
Byte 3
Network Extended Network
Exhibit 16.
Byte 4
sub net Host
Creating a Class C Three-Level Addressing Scheme
Exhibit 17.
Creating Extended Network Prefixes via Subnetting
Base network:
11000110.01010000.00101110.00000000 = 198.78.46.0
Subnet #0:
11000110.01010000.00101110.00000000 = 198.78.46.0
Subnet #1:
11000110.01010000.00101110.00100000 = 198.78.46.0
Subnet #2:
11000110.01010000.00101110.01000000 = 198.78.46.0
Subnet #3:
11000110.01010000.00101110.01100000 = 198.78.46.0
Subnet #4:
11000110.01010000.00101110.10000000 = 198.78.46.0
Exhibit 17 illustrates the creation of five subnets from the 198.78.46.0 network address. Note that the top entry in Exhibit 17, which is labeled “Base network,” represents the Class C network address with a Host Address Byte field set to all zeros. Because we previously determined that we would require the use of three bits from the host address portion of the network to function as a subnet identifier, the network address is extended into the host byte by three portions.
Host Restrictions In examining the subnets formed in Exhibit 17, it would appear that the hosts on the first subnet can range from 0 through 31, while the hosts on the second subnet can range in value from 33 through 63, and so on. In actuality, this is not correct, as several restrictions concern host addresses on subnets. First, you cannot use a base subnet address of all zeros or all ones. Thus, for subnet 0 in Exhibit 17, valid addresses would range from 1 to 30. Similarly for subnet 1, valid addresses would range from 33 to 62. Thus, subnetted host address restrictions are the same as for a regular IP nonsubnetted network. Another host address restriction that requires consideration is the fact that for all classes you must have the ability to place some hosts on each subnet. Thus, as a minimum the last two bit positions into the fourth byte of Class A, B, and C addresses cannot be used in a subnet. Exhibit 18 illustrates the number of bits available for subnetting for Class A, B, and C network addresses.
AU1271Ch05Frame Page 136 Monday, July 15, 2002 8:52 PM
136
Building the Wireless Office
Class A
7 bits up to 22 subnet bits available
Class A
14 bits for network address up to 14 subnet bits available
Class A
21 bits for network address up to 6 subnet bits available
Exhibit 18.
Available Bit Positions for Subnet Formation
The Zero Subnet Another item concerning subnetting that warrants attention is the fact that at one time the Internet community considered the zero subnet anathema, and its use was — and to a degree still is — discouraged. While this viewpoint has somewhat fallen from favor, it is important to note that some devices will not support the use of subnet zero and will not allow you to configure their interface address as being on a zero subnet. The reason for this restriction results because confusion can arise between a network and a subnet that have the same address. For example, assume network address 129.110.0.0 is subnetted as 255.255.255.9. This would result in subnet zero being written as 129.110.0.0, which is the same as the network address. When configuring TCP/IP devices, it is important to note that some devices that support a zero subnet must be explicitly configured to do so. For example, the most popular manufacturer of routers is Cisco Systems. Although all Cisco routers support the use of subnet zero, you must use the router command ip subnet-zero to configure a Cisco router to do so. If you attempt to configure a subnet zero, you will receive an “inconsistent network mask” error message.
Internal Versus External Subnet Viewing Returning to our subnetting example in which we created five subnets from one Class C network address, we can easily denote the reason why subnetting saves router table entries. We can see this from Exhibit 19, which illustrates an internal intranet view of the use of subnets versus a view from the Internet for our prior example. In examining Exhibit 19, note that all five subnets appear as the IP network address 198.78.46.0 to routers on the Internet. This means that each router must have knowledge of one IP network address. At the router connected to the Internet, that device becomes responsible for examining each inbound datagram and determining the appropriate subnet where the datagram should be routed. To do so, this router uses a subnet mask whose composition and use we review soon. First we need to comment on the use of the base network address 198.78.46.0. To each router the
AU1271Ch05Frame Page 137 Monday, July 15, 2002 8:52 PM
137
TCP/IP Protocol Suite
Internet Router
Internal Network
Exhibit 19.
Internet versus Internal Network View of Subnets
destination address in each datagram appears as a 32-bit sequence. Thus, there is no knowledge of dotted decimal numbers except for the configuration of devices because routing occurs by the examination of the network portion of the address in each datagram. Also, each router begins its address examination by first focusing attention on the first bit in the destination address to determine if it is a Class A address. If the first bit position is set to a binary 0, the router knows that it is a Class A address as well as that the first byte in the 32-bit destination address represents the network address. Similarly, if the first bit in the destination address is not a binary 0, the router examines the second bit to determine if the address is a Class B address, and so on. Thus, a router can easily determine the address class of the destination address in a datagram that then indicates the length of the network portion of the address. The router can then use this information to search its routing table entries to determine the appropriate port to output the datagram, all without having to consider whether or not the address represents a subnetted address. Although by now we know how to create a subnet and extend the network portion of an IPv4 address, we have not addressed the manner by which a router at the edge of the Internet knows how to route datagrams to their appropriate subnet. In addition, another question we should have is how a station on an internal network can recognize subnet addressing. For example, if an IP datagram arrives at an organizational router with the destination address 198.78.46.38, how does the router know to place the datagram on subnet 1? The answer to these questions is the use of a subnet mask.
Using the Subnet Mask The subnet mask provides a mechanism that enables devices to determine the separation of an IPv4 address into its three-level hierarchy of network, subnet, and host addresses. To accomplish this task, the subnet mask consists of a sequence of bits set to 1 that denote the length of the network and subnet portions of the IPv4 network address associated with a network. That is, the subnet mask indicates the internal extended network address. To illustrate the use of the subnet mask, let us again assume our network address is 198.78.46.0. Let us further assume that we want to create a subnet mask that a router or workstation can use to note that the range of permissible
AU1271Ch05Frame Page 138 Monday, July 15, 2002 8:52 PM
138
Building the Wireless Office
IP Address: Subnet Mask: Extended Network Address
Exhibit 20.
Examining the Relationship between an IP Address and a Subnet Mask
subnets is 0 to 7. Because this requires the use of three bits, the subnet mask becomes 11111111.11111111.11111111.11100000
Similar to the manner by which IP addresses can be expressed more efficiently through the use of dotted decimal notation, we can also express subnet masks using that notation. Because each byte of all set bits has a decimal value of 255, the dotted decimal notation for the first three bytes of the subnet mask is 255.255.255. Because the first three bits of the fourth byte are set, its decimal value is 128 + 64 + 32, or 224. Thus, the dotted decimal specification for the subnet mask becomes 255.255.255.244
Because a device can easily determine the address class of the destination address in a datagram, the subnet mask then informs the device of which bits in the address represent the subnet and indirectly which bits represent the host address on the subnet. To illustrate how this is accomplished, let us assume a datagram arrived at a router with the destination IP address of 198.78.46.97 and we previously set the subnet mask to 255.255.255.224. The relationship between the IP address and the subnet mask would then appear as indicated in Exhibit 20. Because the first two bits in the destination address are set to 11, this indicates the address is a Class C address. The TCP/IP protocol stack knows that a Class C address consists of three bytes used for the network address and one byte used for the host address. Thus, this means that the subnet must be 27 – 24, or 3, bits in length. This fact tells the router or workstation that bits 25 through 27, which are set to a value of 011 in the IP address, identify the subnet as subnet 3. Because the last five bits in the subnet mask are set to zero, those bit positions in the IP address identify the host on subnet 3. Since the settings of those five bits have the value 00001, the IP address of 198.78.46.97 references host 1 on subnet 3 on the IPv4 network 198.78.46.0. To assist readers who need to work with subnets, Exhibit 21 provides a reference to the number of subnets that can be created for Class B and Class C networks, their subnet mask, the number of hosts per network, and the total number of hosts a particular subnet mask supports. In examining the entries in Exhibit 21, you will note that the total number of hosts can vary considerably based on the use of different-length subnet extensions. Thus, carefully consider the effect of a potential subnetting process prior to actually performing the process.
AU1271Ch05Frame Page 139 Monday, July 15, 2002 8:52 PM
139
TCP/IP Protocol Suite
Exhibit 21. Number of Subnet Bits
Class B and Class C Subnet Mask Reference Subnet Mask
Number of Subnetworks
Hosts/Subnet
Total Number of Hosts
Class B 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
— 255.255.192.0 255.255.224.0 255.255.240.0 255.255.248.0 255.255.252.0 255.255.254.0 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 — —
— 2 6 14 30 62 126 254 510 1,022 2,046 4,094 8,190 16,382 — —
— 16,382 8,190 4,094 2,046 1,022 510 254 126 62 30 14 6 2 — —
— 32,764 49,140 57,316 61,380 63,364 64,260 64,516 64,260 63,364 61,380 57,316 49,140 32,764 — —
Class C 1 2 3 4 5 6 7 8
— 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 — —
— 2 6 14 30 62 — —
— 62 30 14 6 2 — —
— 124 180 196 170 124 — —
Multiple Interface Addresses One of the lesser-known aspects of IP addressing is the fact that it is possible to assign multiple logical network addresses to one physical network. Prior to examining how this occurs, you probably want to understand the rationale for doing this. Thus, let us assume your organization originally operated a 10BASE-5 network with 100 users and wants to construct a distributed network within a building that will consist of 250 workstations and servers. Let us further assume that your organization’s previously installed 10BASE-5 coaxialbased backbone will be used by adding 10BASE-T hubs to the backbone, with a single router providing a connection to the Internet. If your organization previously obtained a Class C address when it operated a 10BASE-5 network, adding 250 stations means that you would normally require a second router interface and two networks because each Class C address supports a maximum of 254 hosts.
AU1271Ch05Frame Page 140 Monday, July 15, 2002 8:52 PM
140
Building the Wireless Office
Internet
Router
Network
Network
Conversations between networks require datagrams to be transmitted to the router.
Exhibit 22.
Assigning Multiple Network Addresses to a Common Router Interface
TCP/IP supports the ability to assign multiple network addresses to a common interface. In fact, TCP/IP also supports the assignment of multiple subnet numbers to a common interface. This can only be accomplished through the use of a router. Exhibit 22 illustrates an example in which three network addresses were assigned to one interface. For low volumes of network traffic this represents an interesting technique to reduce the number of costly router interfaces required. As indicated in Exhibit 22, the router connection to the coaxial cable would result in the assignment of two IP addresses to its interface, one for each network. In this example the addresses 205.131.175.1 and 205.131.176.1 were assigned to the router interface. Conversations between devices on the 205.131.175.0 and 205.131.176.0 networks would require datagrams to be forwarded to the router. Thus, each station of each network would be configured with the “gateway” IP address that represents an applicable assigned router IP interface address.
Address Resolution The TCP/IP protocol suite begins at the network layer, with an addressing scheme that identifies a network address and a host address for Class A, B, and C addresses. This addressing scheme actually evolved from an ARPAnet scheme that required hosts only to be identified, because that network began as a mechanism to interconnect hosts via serial communications lines. At the same time ARPAnet was being developed, work progressed separately at the Xerox Palo Alto (California) Research Center (PARC) on Ethernet, a technology in which multiple stations were originally connected to a coaxial cable. Ethernet uses a 48-bit address to identify each station on the network. As ARPAnet evolved as a mechanism to interconnect multiple hosts on geographically separated networks, IPv4 addressing evolved into a mechanism to distinguish the network and the host. Unfortunately, the addressing used by
AU1271Ch05Frame Page 141 Monday, July 15, 2002 8:52 PM
141
TCP/IP Protocol Suite
Ethernet Frame 1 7
6
6
2
46 to 1500
4
Start of Destination Source Type/ Information FCS Preamble Frame Address Address Length Delimiter
Token Ring Frame 1 1
1
1
1
6
4
1
1
Start of Routing Destination Source Starting Access Frame Ending Frame Variable Information Information FCS Address Address Delimiter Control Control Delimiter Status Information Delimiter (Optional)
Exhibit 23.
Ethernet and Token Ring Frame Formats
the TCP/IP protocol suite bore no relationship to the MAC address used first by Ethernet and later by Token Ring.
Ethernet and Token Ring Frame Formats We previously observed the addressing structure of IP. Exhibit 23 illustrates the frame formats for Ethernet and Token Ring. Note that the IEEE standardized both types of LANs and uses six-byte (48-bit) source and destination addresses. The IEEE assigns blocks of addresses six hex characters in length to vendors. Those six hex characters represent the first 24 bits of the 48-bit field used to uniquely identify a network adapter card. The vendor then encodes the remaining 24 bits or six hex character positions to identify the adapter card manufactured by the vendor. Thus, each Ethernet and Token Ring adapter has a unique hardware burnt-in identifier that denotes both the manufacturer and the adapter number produced by the manufacturer.
LAN Delivery When an IP datagram arrives at a LAN, it contains a 32-bit destination address. To deliver the datagram to its destination, the router must create a LAN frame with an appropriate MAC destination address. Thus, the router needs a mechanism to resolve or convert the IP address into the MAC address of the workstation configured with the destination IP address. In the opposite direction, a workstation may need to transmit an IP datagram to another workstation. In this situation, the workstation must be able to convert a MAC address into an IP address. Both of these address translation requirements are handled by protocols specifically developed to provide an address resolution capability. One protocol, referred to as the Address Resolution Protocol (ARP), translates an IP address into a hardware address. A second protocol, the Reverse Address Resolution Protocol (RARP), performs a reverse translation process, converting a hardware layer address into an IP address.
AU1271Ch05Frame Page 142 Monday, July 15, 2002 8:52 PM
142
Building the Wireless Office
0
8
16
31 Protocol Type
Hardware Type Hardware Length
Protocol Length
Operation
Sender Hardware Address (0 - 3) Sender Hardware Address (4 - 5)
Sender IP Address (0 - 1)
Sender IP Address (2 - 3)
Target Hardware Address (0 - 1)
Target Hardware Address (2 - 5) Target IP Address
Exhibit 24.
The ARP Packet Format
Address Resolution Operation The address resolution operation begins when a device needs to transmit a datagram. First, the device checks its memory to determine if it previously learned the MAC address associated with a particular destination IP address. This memory location is referred to as an ARP cache. Because the first occurrence of an IP address means its associated MAC address will not be in the ARP cache, it must learn the MAC address. To do so, the device will broadcast an ARP packet to all devices on the LAN. Exhibit 24 illustrates the format of an ARP packet. Note that the numbers shown in some fields in the ARP packer indicate the byte numbers in a field when a field spans a four-byte boundary.
ARP Packet Fields To illustrate the operation of ARP, let us examine the fields in the ARP packet. The 16-bit Hardware Type field indicates the type of network adapter, such as 10 Mbps Ethernet (value = 1), IEEE 802 network (value = 6), and so on. The 16-bit Protocol Type field indicates the protocol for which an address resolution process is being performed. For IP, the Protocol Type field has a value of hex 0800. The Hardware Length field defines the number of bytes in the hardware address. Thus, the ARP packet format can be varied to accommodate different types of address resolutions beyond IP and MAC addresses. Because Ethernet and Token Ring have the same MAC length, the value of this field is 6 for both. The Protocol Length field indicates the length of the address for the protocol to be resolved. For IPv4, the value of this field is set to 4. The Operation field indicates the operation to be performed and has a value of 1 for an ARP Request. When a target station responds, the value of this field is changed to Z to denote an ARP Reply. The Sender Hardware Address field indicates the hardware addresses of the station generating the ARP Request or ARP Reply. This field is six bytes in length and is followed by a four-byte Sender IP Address field. The latter indicates the IP address of the datagram’s originator.
AU1271Ch05Frame Page 143 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
143
The next-to-last field is the Target Hardware Address field. Because the ARP process must discover its value, this field is originally set to all zeros in an ARP Request. Once a station receives the request and notes it has the same IP address as that in the Target IP Address field, it places its MAC address in the Target Hardware Address field. Thus, the last field, Target IP Address, is set to the IP address the originator needs for a hardware address.
Locating the Required Address To put the pieces together, let us assume a router receives a datagram from the Internet with the destination address of 205.131.175.5. Let us further assume that the router has a connection to an Ethernet network, and one station on that network has that IP address. The router needs to determine the MAC address associated with the IP address so it can construct a frame to deliver the datagram. Assuming there is no entry in its ARP cache, the router creates an ARP frame and transmits the frame using a MAC broadcast address of FFFFFFFFFFFF. Because the frame was broadcast to all stations on the network, each device reads the frame. The station that has its protocol stack configured to the same IP address as that of the Target IP Address field in the ARP frame would respond to the ARP Request. When it does, it will transmit an ARP Reply in which its physical MAC address is inserted into the ARP Target Hardware Address field that was previously set to zero. The ARP standard includes provisions for devices on a network to update their ARP table with the MAC and IP address pair of the sender of the ARP Request. Thus, as ARP Requests flow on a LAN, they contribute to the building of tables that reduce the necessity of additional broadcasts.
Gratuitous ARP A special type of ARP referred to as a “gratuitous ARP” deserves mention. When a TCP/IP stack is initialized, it issues a gratuitous ARP, which represents an ARP request for its own IP address. If the station receives a reply containing a MAC address that differs from its address, it means another device on the network is using its assigned IP address. If this situation occurs, an error message warning of an address conflict will be displayed.
Proxy ARP A proxy is a device that works on behalf of another. Thus, a proxy ARP represents a mechanism that enables a device to answer an ARP request on behalf of another device. The rationale for the development of proxy ARP, which is also referred to as ARP Hack, dates to the early use of subnetting when a LAN could be subdivided into two or more segments. If a station on one segment required the MAC address of a station on another subnet, the router would block the ARP request because it is a layer 2 broadcast, and routers operate at layer 3. Because the router is aware of both subnets, it could answer an ARP Request on one subnet on behalf of other devices on the second subnet by supplying its own MAC address. The originating device then enters the router’s MAC
AU1271Ch05Frame Page 144 Monday, July 15, 2002 8:52 PM
144
Building the Wireless Office
IP Header
ICMP
Type
Data
CRC
Code
Checksum Sequence Number Optional ICMP Data
Exhibit 25.
ICMP Messages Transported via Encapsulation within an IP Datagram
address in its ARP cache and correctly transmits packets destined for the end host to the router.
RARP The Reverse Address Resolution Protocol (RARP) was at one time quite popular when diskless workstations were commonly used. In such situations, the workstation would know its MAC address but was forced to learn its IP address from a server on the network. Thus, the client would use the RARP to access a server on the local network; RARP would provide the client’s IP address. Similar to ARP, RARP is a layer 2 protocol that cannot normally cross router boundaries. Some router manufacturers implemented RARP, which allows requests and responses to flow between networks. The RARP frame format is the same as ARP. The key difference between the two is the setting of field values. The RARP fills in the sender’s hardware address and sets the IP address field to zeros. Upon receipt of the RARP frame, the RARP server fills in the IP address field and transmits the frame back to the client, reversing the ARP process.
ICMP Overview If we think about the Internet Protocol for awhile, we might note that there is no provision to inform a source of the fact that a datagram encountered some type of problem. This is because one of the functions of the Internet Control Message Protocol (ICMP) is to provide a messaging capability that reports different types of errors that can occur during the processing of datagrams. In addition to providing an error-reporting mechanism, ICMP includes certain types of messages that provide a testing capability. ICMP messages are transmitted within an IP datagram, as illustrated in Exhibit 25. Note that although each ICMP message has its own format, all messages begin with the same three fields. Those fields are an eight-bit Type field, an eight-bit Code field, and a 16-bit Checksum field.
AU1271Ch05Frame Page 145 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
145
We can obtain familiarity with ICMP’s capability by examining the use of some of the fields within an ICMP message.
The ICMP Type Field The purpose of the ICMP Type field is to define the meaning of the message as well as its format. Two of the most popular ICMP messages use type values of 0 and 8. A Type field value of 8 represents an Echo Request, while a Type field value of 0 denotes an ECMP Echo Reply. Although their official names are Echo Request and Echo Reply, most people are more familiar with the term “Ping,” which is used to reference both the request and the reply. Exhibit 26 lists ICMP Type field values that currently identify specific types of ICMP messages.
The ICMP Code Field The ICMP Code field provides additional information about a message defined in the Type field. The Code field may not be meaningful for certain ICMP messages. For example, both Type field values of 0 (Echo Reply) and 8 (Echo Request) always have a Code field value of 0. In comparison, a Type field value of 3 (Destination Unreachable) can have one of 16 possible Code field values, which further defines the problem. Exhibit 27 lists the Code field values presently assigned to ICMP messages based on their Type field values.
Evolution Over the years from its first appearance in RFC 792, ICMP has evolved through the addition of many functions. For example, a Type 4 (Source Quench) represents the manner by which an end station indicates to a message’s originator that the host cannot accept the rate at which the originator is transmitting packets. The recipient sends a flow of ICMP Type 4 messages to the originator as a message for the origination to slow down its transmission. When an acceptable flow level is reached, the recipient terminates its generation of source quench messages. Although popularly used many years ago for controlling traffic, the TCP slow-start algorithm has superseded a majority of the use of ICMP Type 4 messages. ICMP message types that warrant discussion are Types 5 and 7. A router generates a Type 5 (Redirect) message when it receives a datagram and determines there is a better route to the destination network. This ICMP message informs the sender of the better route. A Type 7 message (Time Exceeded) indicates that the Time to Live field value in an IP datagram header was decremented to 0, and the datagram was discarded. ICMP provides a foundation for several diagnostic testing applications. Unfortunately, unscrupulous persons can abuse this testing capability, which results in many organizations filtering ICMP messages so they do not flow from the Internet onto a private network.
AU1271Ch05Frame Page 146 Monday, July 15, 2002 8:52 PM
146
Building the Wireless Office
Exhibit 26.
ICMP Type Field Values
Type
Name
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20–29 30 31 32 33 34 35 36 37 38 39 40 41–255
Echo Reply Unassigned Unassigned Destination Unreachable Source Quench Redirect Alternate Host Address Unassigned Echo Request Router Advertisement Router Selection Time Exceeded Parameter Problem Timestamp Timestamp Reply Information Request Information Reply Address Mask Request Address Mask Reply Reserved (for Security) Reserved (for Robustness Experiment) Traceroute Datagram Conversion Error Mobile Host Redirect IPv6 Where-Are-You IPv6 I-Am-Here Mobile Registration Request Mobile Registration Reply Domain Name Request Domain Name Reply SKIP Photuris Reserved
Now that we have an appreciation for layer 3 protocols in the TCP/IP protocol suite, let’s turn our attention to layer 4, the Transport Layer.
The Transport Layer The purpose of this section is to acquaint you with the two transport layer protocols that the ICP/IP suite supports. Those protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
AU1271Ch05Frame Page 147 Monday, July 15, 2002 8:52 PM
147
TCP/IP Protocol Suite
Exhibit 27.
ICMP Code Field Values Based on Message Type
3 Destination Unreachable 0 Net Unreachable 1 Host Unreachable 2 Protocol Unreachable 3 Port Unreachable 4 Fragmentation Needed and Don’t Fragment Was Set 5 Source Route Failed 6 Destination Network Unknown 7 Destination Host Unknown 8 Source Host Isolated 9 Communication with Destination Network Is Administratively Prohibited 10 Communication with Destination Host Is Administratively Prohibited 11 Destination Network Unreachable for Type of Service 12 Destination Host Unreachable for Type of Service 13 Destination Host Unreachable for Type of Service 14 Communication Administratively Prohibited 15 Precedence Cutoff in Effect 5 Redirect 0 Redirect 1 Redirect 2 Redirect 3 Redirect
Datagram Datagram Datagram Datagram
for for for for
the the the the
Network (or subnet) Host Type of Service and Network Type of Service and Host
6 Alternate Host Address 0 Alternate Address for Host 11 Time Exceeded 0 Time to Live Exceeded in Transit 1 Fragment Reassembly Time Exceeded 12 Parameter Problem 0 Point Indicates the Error 1 Missing a Required Option 2 Bad Length 40 Photuris 0 Reserved 1 Unknown Security Parameters Index 2 Valid Security Parameters, but Authentication Failed 3 Valid Security Parameters, but Decryption Failed
TCP and UDP can be identified by setting an applicable value in the IP Header. Although the use of either protocol results in the placement of the appropriate transport layer header behind the IP Header, there are significant differences between the functionality of each transport protocol. Those
AU1271Ch05Frame Page 148 Monday, July 15, 2002 8:52 PM
148
Building the Wireless Office
Source Port
Destination Port Sequence Number
HLEN Reserved
Exhibit 28.
URG ACK PSH RST SYN FIN
Acknowledgment Number Window
Checksum
Urgent
Options
Padding
The TCP Header
differences make one protocol more suitable for certain applications than the other protocol, and vice versa.
TCP Overview The Transmission Control Protocol is a connection-oriented protocol: the protocol will not forward data until a session is established in which the destination acknowledges it is ready to receive data. This also means that the TCP setup process requires more time than when UDP is used as the transport layer protocol. However, because you would not wish to commence certain operations like remote log-on or a file transfer unless you knew the destination was ready to support the appropriate application, the use of TCP is more suitable for certain applications than UDP. Conversely, when we examine UDP, we will note that this transport layer protocol similarly supports certain applications better than other applications. The best way to become familiar with TCP is by first examining the fields in its header, so let us do so.
The TCP Header The TCP Header consists of 12 fields, as Exhibit 28 illustrates. When we examine the UDP Header later in the chapter, we note by comparing the two that the TCP header is far more complex. This additional complexity results from the fact that TCP not only is a connection-oriented protocol but also supports error detection and correction as well as packet sequencing, with the latter used to note the ordering of packets to include determining if one or more packets are lost.
Source Port and Destination Port Fields The Source Port and Destination Port fields are each 16 bits in length. Each field denotes a particular process or application. In actuality, most applications use the destination port number to denote a particular process or application and set the Source Port field value to a random number greater than 1024 or
AU1271Ch05Frame Page 149 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
149
to zero. The destination port number defines the process or application because an application operating at the receiver normally operates acquiescently, waiting for requests, looking for a specific destination port number to determine the request. The originator sets the Source Port to zero or a value above 1023 because the first 1023 out of 65,536 available port numbers are standardized with respect to the type of traffic transported via the use of specific numeric values. To illustrate the use of port numbers, let us assume one station wishes to open a Telnet connection with a distant server. Because Telnet is defined as port 23, the application will set the destination port value to that numeric. The Source Port is normally set to a random value above 1023, and an IP Header then adds the destination and source IP addresses for routing the datagram from the client to the server. In some literature you may encounter the term “socket,” sometimes incorrectly used as a synonym for port. The destination port in the TCP or UDP Header plus the destination IP address cumulatively identify a unique process or application on a host. The combination of port number and IP address is correctly referenced as a socket. At the server, the Destination Port value of 23 identifies the application as Telnet. When the server forms a response, it first reverses source and destination IP addresses. Similarly, the server places the Source Port number in the Destination Port field, which enables the Telnet originator’s application to correctly identify the response to its initial datagram.
Multiplexing and Demultiplexing Port numbers play an important role in TCP/IP as they enable multiple applications to flow between the same pair of stations or from multiple nonrelated stations to a common station. This flow of multiple applications to a common address is referred to as multiplexing. Upon receipt of a datagram, the removal of the IP and TCP Headers requires the remaining portion of the packet to be routed to its correct process or application based on the Destination Port number in the TCP Header. This process is referred to as demultiplexing. Both TCP and UDP use port numbers to support the multiplexing of different processes or applications to a common IP address. An example of this multiplexing and demultiplexing of packets is illustrated in Exhibit 29. The top left portion of Exhibit 29 illustrates how both Telnet and FTP, representing two TCP applications, could be multiplexed into a stream of IP datagrams that flow to a common IP address. In comparison, the top right portion of Exhibit 29 illustrates how, through port numbering, UDP ports permit a similar method of multiplexing of applications.
Port Numbers The “universe” of both TCP and UDP port numbers can vary from a value of 0 to 65,535, resulting in a total of 65,535 ports capable of being used by each
AU1271Ch05Frame Page 150 Monday, July 15, 2002 8:52 PM
150
Building the Wireless Office
Telnet 23
FTP 21
DNS 53
Port TCP
SNMP 23 Port UDP
TCP (6) UDP (17) IP
Exhibit 29. Multiplexing Multiple Applications via Serial Communications to a Common IP Address
transport protocol. This so-called port universe is divided into three ranges, referred to as well-known ports, registered ports, and dynamic or private ports.
Well-Known Ports Well-known ports are the most commonly used port values because they represent assigned numeric values that identify specific processes or applications. Ports 0 through 1023 represent the range of well-known ports. These port numbers are assigned by the Internet Assigned Numbers Authority (IANA) and are used to indicate the transportation of standardized processes. Where possible, the same well-known port number assignments are used with TCP and UDP. Ports used with TCP are normally used to provide connections that transport long-term conversations. In some literature, you may encounter wellknown port numbers specified as in the range of values from 0 to 255. While this range was correct many years ago, the modern range for assigned ports managed by the IANA was expanded to cover the first 1024 port values from 0 to 1023. Exhibit 30 provides a summary of the port value assignments from 0 through 255 for well-known ports, to include the service supported by a particular port and the type of port, TCP or UDP, for which the port number is primarily used. A good source for the full list of assigned port numbers is RFC 1700.
Registered Ports Registered ports have values ranging from 1024 through 49,151. Although all ports above 1023 can be used freely, the IANA requests vendors to register their application port numbers with them.
Dynamic or Private Ports The third range of port numbers is from 49,152 through 65,535. This port number range is associated with dynamic or private ports. This port range is usually used by new applications that remain to be standardized, such as Internet telephony.
AU1271Ch05Frame Page 151 Monday, July 15, 2002 8:52 PM
151
TCP/IP Protocol Suite
Exhibit 30.
Well-Known TCP and UDP Services and Port Use
Keyword
Service
Port Type
Port Number
TCPMUX RJE ECHO DAYTIME QOTD CHARGEN FTD-DATA FTP TELNET SMTP MSG-AUTH TIME NAMESERVER NICNAME DOMAIN BOOTPS BOOTPC TFTP FINGER HTTP KERBEROS RTELNET POP2 POP3 NNTP NTP NETBIOS-NS NETBIOS-DGM NETBIOS-SSN NEWS SNMP SNMTTRAP
TCP Port Service Multiplexer Remote Job Entry Echo Daytime Quote of the Day Character Generator File Transfer (Default Data) File Transfer (Control) Telnet Simple Mail Transfer Protocol Message Authentication Time Host Name Server Who Is Domain Name Server Bootstrap Protocol Server Bootstrap Protocol Client Trivial File Transfer Protocol Finger World Wide Web Kerberos Remote Telenet Service Post Office Protocol Version 2 Post Office Protocol Version 3 Network News Transfer Protocol Network Time Protocol NetBIOS Name Server NetBIOS Datagram Service NetBIOS Session Service News Simple Network Management Protocol Simple Network Management Protocol Traps Border Gateway Protocol Secure HTTP Remote Login Talk
TCP TCP TCP and TCP and TCP TCP TCP TCP TCP TCP TCP TCP TCP and TCP TCP and TCP TCP UDP TCP TCP TCP TCP TCP TCP TCP TCP and UDP UDP UDP TCP UDP UDP
1 5 7 13 17 19 20 21 23 25 31 37 42 43 53 67 68 69 79 80 88 107 109 110 119 123 137 138 139 144 161 162
BGP HTTPS RLOGIN TALK
UDP UDP
UDP UDP
UDP
TCP TDP TCP TCP and UDP
179 413 513 517
Sequence and Acknowledgment Number Fields TCP is a byte-oriented sequencing protocol. Thus, a sequence field is necessary to ensure that missing or misordered packets are noted or identified. That field is 32 bits in length and provides the mechanism for ensuring that missing or misordered packets are noted or identified.
AU1271Ch05Frame Page 152 Monday, July 15, 2002 8:52 PM
152
Building the Wireless Office
The actual entry in the Sequence Number field is based on the number of bytes in the TCP Data field. That is, because TCP was developed as a byteoriented protocol, each byte in each packet is assigned a sequence number. Because it would be most inefficient for TCP to transmit one byte at a time, groups of bytes, typically 512 or 536, are placed in a segment and one sequence number is assigned to the segment and placed in the Sequence Number field. That number is based on the number of bytes in the current segment as well as previous segments, as the Sequence Number field value increments its count until all 16-bit positions are used and then continues via a rollover through zero. For example, assume the first TCP segment contains 512 bytes and a second segment has the sequence number 1024. The Acknowledgment Number field, which is also 32 bits in length, is used to verify the receipt of data. The number in this field also reflects bytes. For example, returning to our sequence of two 512-byte segments, when the first segment is received, the receiver expects the next sequence number to be 513. Therefore, if the receiver were acknowledging each segment, it would first return an acknowledgment with a value of 513 in the Acknowledgment Number field. When it acknowledges the next segment, the receiver sets the value in the Acknowledgment Number field to 1025, and so on. Because it would be inefficient to have to acknowledge each datagram, TCP supports a variable or “sliding” window. That is, returning an Acknowledgment Number field value of n + 1 would indicate the receipt of all bytes through byte n. If the receiver has the ability to process a series of multiple segments and each is received without error, it would be less efficient to acknowledge each datagram. Thus, a TCP receiver can process a variable number of segments prior to returning an acknowledgment that informs the transmitter that n bytes were received correctly. To ensure lost datagrams or lost acknowledgments do not place the TCP in an infinite waiting period, the originator sets a timer and will retransmit data if it does not receive a response within a predefined period of time. The previously described use of the Acknowledgment Number field is referred to as Positive Acknowledgment Retransmission (PAR). Under PAR, each unit of data must be either implicitly (sending a value of n + 1 to acknowledge receipt of n bytes) or explicitly acknowledged. If a unit of data is not acknowledged by the time the originator’s time-out period is reached, the previous transmission is retransmitted. When the Acknowledgment Number field is in use, a flag bit, referred to as the ACK flag in the Code field, is set. Later we discuss the six bit positions in the Code Bit field.
HLEN Field The Header Length (HLEN) field is four bits in length. This field, which is also referred to as the Offset field, contains a value that indicates where the TCP Header ends and the Data field begins. This value is specified as a number of 32-bit words. It is required due to the fact that the inclusion of options can result in a variable-length header. Because the minimum length of the
AU1271Ch05Frame Page 153 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
153
TCP Header is 20 bytes, the minimum value of the HLEN field would be 5, denoting five 32-bit words, which equals 20 bytes.
Code Bits Field As indicated in Exhibit 28, six individual one-bit fields are within the Code Bits field. Each bit position functions as a flag to indicate whether or not a function is enabled or disabled. Thus, to obtain an appreciation for the use of the Code Bits field we need to examine each bit position in that field: URG bit. The Urgent (URG) bit or flag is used to denote an urgent or priority activity. When such a situation occurs, an application will set the URG bit position, which acts as a flag and results in TCP immediately transmitting everything it has for the connection instead of waiting for additional characters. An example of an action that could result in an application’s setting the Urgent flag would be a user pressing the CTRL–BREAK key combination. A second meaning resulting from the setting of the Urgent bit or flag is that it also indicates the Urgent Pointer field is in use. Here, the Urgent Pointer field indicates the offset in bytes from the current sequence number where the urgent data is located. ACK bit. The setting of the ACK bit indicates that the segment contains an acknowledgment to a previously transmitted datagram or series of datagrams. Then the value in the Acknowledgment Number field indicates the correct receipt of all bytes through byte n by having the byte number n + 1 in the field. PSH bit. The third bit position in the Code Bit field is the Push (PSH) bit. This one-bit field is set to request the receiver to immediately deliver data to the application and flags any buffering. Normally, the delivery of urgent information would result in setting both the URG and PSH bits in the Code Bits field. RST bit. The fourth bit position in the Code Bits field is the Reset (RST) bit. This bit position is set to reset a connection. By responding to a connection request with the RST bit set, this bit position can also be used as a mechanism to decline a connection request. SYN bit. The fifth bit in the Code Bits field is the Synchronization (SYN) bit. This bit position is set at start-up during what is referred to as a three-way handshake (covered later). FIN bit. The sixth and last bit position in the Code Bits field is the Finish (FIN) bit. The sender sets this bit position to indicate that it has no additional data and the connection should be released.
Window Field The Window field is 16 bits in length and provides TCP with the ability to regulate the flow of data between source and destination. Thus, this field indirectly performs flow control.
AU1271Ch05Frame Page 154 Monday, July 15, 2002 8:52 PM
154
Building the Wireless Office
The Window field indicates the maximum number of bytes that the receiving device can accept. Thus, it indirectly indicates the available buffer memory of the receiver. Here, a large value can significantly improve TCP performance as it permits the originator to transmit a number of segments without having to wait for an acknowledgment while permitting the receiver to acknowledge the receipt of multiple segments with one acknowledgment. Because TCP is a full-duplex transmission protocol, both the originator and recipient can insert values in the Window field to control the flow of data in each direction. By reducing the value in the Window field, one end of a session in effect informs the other end to transmit less data. Thus, the use of the Window field provides a bi-directional flow control capability.
Checksum Field The Checksum field is 16 bits, or 2 bytes, in length. The function of this field is to provide an error detection capability for TCP. To do so, this field is primarily concerned with ensuring that key fields are validated instead of protecting the entire header. Thus, the checksum calculation occurs over what is referred to as a 12-byte pseudo-header. This pseudo-header includes the 32-bit Source and Destination Address fields in the IP Header, the eight-bit Protocol field, and a Length field that indicates the length of the TCP header and data transported within the TCP segment. Thus, the primary purpose of the Checksum field is to ensure data arrived at its correct destination, and the receiver has no doubt about the address of the originator or the length of the header and the type of application data transported.
Urgent Pointer Field The Urgent Pointer field is one byte in length. The value in this field acts as a pointer to the sequence number of the byte following the urgent data. As previously noted, the URG bit position in the Code field must be set for the data in the Urgent pointer field to be interpreted.
Options Field The Options field, if present, can be variable in length. The purpose of this field is to enable TCP to support various options, with Maximum Segment Size (MSS) representing a popular TCP option. Because the header must end on a 32-bit boundary, any option that does not do so is extended via pad characters that in some literature is referred to as a Padding field.
Padding Field The Padding field is optional and is included only when the Options field does not end on a 32-bit boundary. Thus, the purpose of the Padding field is to ensure that the TCP Header, when extended, falls on a 32-bit boundary.
AU1271Ch05Frame Page 155 Monday, July 15, 2002 8:52 PM
155
TCP/IP Protocol Suite
TCP
Passive
Passive
Passive OPEN for Receiver
IP Datalink LAN Media Station X
Exhibit 31.
Station Y
Active Open
Using Function Calls to Establish a TCP Connection
Let us now examine how TCP establishes a connection with a distant device and its initial handshaking process, its use of sequence and acknowledgment numbers, how the protocol supports flow control, and how the protocol terminates a session.
Connection Establishment As mentioned earlier, TCP is a connection-oriented protocol that requires a connection between two stations to be established prior to the actual transfer of data. The actual manner by which an application communicates with TCP is through a series of function calls. To understand the manner by which TCP establishes a session, we must first examine connection function calls applications use, for example, Telnet and FTP.
Connection Function Calls Exhibit 31 illustrates the use of the OPEN connection function calls during the TCP connection establishment process. This process commences when an application requires a connection to a remote station. At that time, the application requests TCP to place an OPEN function call. There are two types of OPEN function calls, referred to as passive and active. A passive OPEN function call represents a call to allow connections to be accepted from a remote station. This type of call is normally issued upon application start-up, informing TCP that, for example, FTP or Telnet is active and ready to accept connections originating from other stations. TCP then notes that the application is active and also notes its port assignment. The TCP then allows connections on that port number.
Port Hiding One of the little-known aspects of TCP is the fact that some organizations attempt to hide their applications by configuring applications for ports other than well-known ports. For example, assigning Telnet to port 2023 instead of
AU1271Ch05Frame Page 156 Monday, July 15, 2002 8:52 PM
156
Building the Wireless Office
port 23 is an example of port hiding. Although a person with port scanning software would easily be able to discover that port 2023 is being used, the theory behind port hiding is that it reduces the ability of lay personnel to easily discover applications at different network addresses and then attempt to use those applications.
Passive OPEN Returning to the use of a passive OPEN function call, its use governs the number of connections allowed. That is, while a client usually issues one passive OPEN, a server issues multiple OPENs because it is designed to service multiple session. Another term used for the passive end of the TCP action is “responder” or “TCP responder.” Thus, a TCP responder can be thought of as an opening up of connection slots to accept any inbound connection request without waiting for any particular station request.
Active OPEN A station that needs to initiate a connection to a remote station issues the second type of OPEN call. This type of function call is referred to as an active OPEN. In the example illustrated in Exhibit 31, station X would issue an active OPEN call to station Y. For the connection to be serviced by station Y, that station must have previously issued a passive OPEN request, which, as previously explained, allows incoming connections to be established. To successfully connect, station X’s active OPEN must use the same port number that the passive OPEN used on station Y. In addition to active and passive OPEN calls, other calls include CLOSE (to close a connection), SEND and RECEIVE (to transfer information), and STATUS (to receive information for a previously established connection). Now let us turn our attention to the manner by which TCP segments are exchanged. The exchange of segments enables a session to occur. The initial exchange of datagrams that transport TCP segments is called a “three-way handshake.” It is important to note how and why this process occurs. It has been used in modified form as a mechanism to create a denial-of-service (DoS) attack.
The Three-Way Handshake Ensuring that the sender and receiver are ready to commence the exchange of data requires both parties for the exchange to be synchronized. Thus, during the TCP initialization process, sender and receiver exchange a few control packets for synchronization purposes. This exchange is referred to as a three-way handshake. This functions as a mechanism to synchronize each endpoint at the beginning of a TCP connection with a sequence number and an acknowledgment number.
AU1271Ch05Frame Page 157 Monday, July 15, 2002 8:52 PM
157
TCP/IP Protocol Suite
Station X Transmit SYN = 1 SEQ = 1000
Received SYN = 1 ACK = 1 Connection with Receiver Established
Station Y
SYN Received Transmit SYN = 1 SEQ = 2000 ACK = 101 Connection Established
Transmit Data Acknowledge Receipt of Data
Exhibit 32.
The Three-Way Handshake
Overview A three-way handshake begins with the originator sending a segment with its SYN bit in the Code Bits field set. The receiving station responds with a similar segment with its ACK bit in the Code Bits field set. Thus, an alternate name for the three-way handshake is an “initial SYN-SYN-ACK” sequence.
Operation To illustrate the three-way handshake, let us continue from our prior example shown in Exhibit 31, in which station X placed an active OPEN call to TCP to request a connection to a remote station and an application on that station. Once the TCP/IP protocol stack receives an active OPEN call, it constructs a TCP header with the SYN bit in the Code Bits field set. The stack also assigns an initial sequence number and places that number in the Sequence Number field in the TCP header. Other fields in the header, such as the Destination Port Number, are also set and the segment is then transferred to IP for the formation of a datagram for transmission onto the network. To illustrate the operation of the three-way handshake, consider Exhibit 32, which illustrates the process between stations X and Y. Because the initial sequence number does not have to start at zero, we assume it commenced at 1000 and then further assume that the value was placed in the Sequence Number field. Thus, the TCP Header flowing from station X to station Y is shown with SYN = 1 and SEQ = 1000. Because the IP Header results in the routing of a datagram to station Y, that station strips the IP Header and notes that the setting of the SYN bit in the TCP Header represents a connection request. Assuming station Y can accept a new connection, it will acknowledge the connection request by building a TCP segment. That segment will have its SYN and ACK bits in its
AU1271Ch05Frame Page 158 Monday, July 15, 2002 8:52 PM
158
Building the Wireless Office
Code Bits field set. In addition, station Y will place its own initial sequence number in the Sequence Number field of the TCP Header it is forming. Because the connection request had a sequence number of 1000, station Y will acknowledge receipt by setting its Acknowledgment field value to 1001 (station X sequence number plus 1), which indicates the next expected sequence number. Once station Y forms its TCP segment, the segment has an IP Header added to form a datagram. The datagram flows to station X. Station X receives the datagram, removes the IP Header, and notes via the setting of the XYN and ACK bits and Sequence Number field value that it is a response to its previously issued connection request. To complete the connection request, station X must, in effect, acknowledge the acknowledgment. To do so, station X will construct a new TCP segment in which the ACK bit will be set and the sequence number will be incremented by 1 to 1001. Station X will also set the acknowledgment number to 2001 and form a datagram that is transmitted to station Y. Once station Y examines the TCP header and confirms the correct values for the Acknowledgment and Sequence Number fields, the connection becomes active. At this point both data and commands can flow between the two endpoints. As this occurs, each side of the connection maintains its own set of tables for transmitted and received sequence numbers. Those numbers are always in ascending order. When the applicable 16-bit field reaches its maximum value, the settings wrap to 0. In examining the three-way handshake illustrated in Exhibit 32, note that after the originating station establishes a connection with the receiver, it transmits a second TCP initialization segment to the receivers and follows that segment with one or more IP datagrams that transport the actual data. In Exhibit 32, a sequence of three datagrams is transmitted prior to station Y’s generating an acknowledgment to the three segments transported in the three datagrams. The actual number of outstanding segments depends on the TCP window, so let us turn our attention to this topic.
The TCP Window TCP is a connection-oriented protocol that includes a built-in capability to regulate the flow of information, a function referred to as flow control. TCP manages the flow of information by increasing or decreasing the number of segments that can be outstanding at any point in time. For example, under periods of congestion when a station is running out of available buffer space, the receiver may indicate it can only accept one segment at a time and delay its acknowledgment to ensure it can service the next segment without losing data. Conversely, if a receiver has free and available buffer space, it may allow multiple segments to be transmitted to it and quickly acknowledge the segments. TCP forms segments sequentially in memory. Each segment of memory waits for an IP header to be added to form a datagram for transmission. A “window” is placed over this series of datagrams that structures three types of data: data transmitted and acknowledged; data transmitted, but not yet
AU1271Ch05Frame Page 159 Monday, July 15, 2002 8:52 PM
159
TCP/IP Protocol Suite
Sliding Window 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Data Transmitted and Acknowledged
Exhibit 33.
Data Transmitted and Awaiting Acknowledgement
Data to be Transmitted
Data to be Transmitted
Flow Control and the TCP Sliding Window
acknowledged; and data waiting to be transmitted. Because this “window” slides over the three types of data, the window is referred to as a “sliding window.” Exhibit 33 illustrates the use of the TCP sliding window for flow control purposes. Although the actual TCP segments size is normally 512 bytes, for simplicity of illustration, a condensed sequence of segments with sequence numbers varying by unity is shown. In this example we assume that sequence numbers 10 through 15 have been transmitted to the destination station. The remote station acknowledges receipt of those segments. The source station transmitted datagrams containing segment sequence numbers 16 through 20 but at this point has not received an acknowledgment. Thus, those data represent the second type of data covered by a sliding window. Note that this window will slide up the segments as each datagram is transmitted. The third type of data the sliding window covers is segments. In Exhibit 33, segments 21 through 24 are in the source station awaiting transmission, while segments 25 through 28 are awaiting coverage by the sliding window. If we return to Exhibit 28, which illustrates the TCP Header, we will note a field labeled “Window.” That field value indirectly governs the length of the sliding window. In addition, the setting of that field provides a flow control mechanism. For example, the Windows field transmitted by a receiver to a sender indicates the range of sequence numbers, which equates to bytes, the receiver is willing to accept. If a remote station cannot accept any additional data, it would then set the Window field value to zero. The receiving station continues to transmit TCP segments with the Window field set to zero until its buffer is emptied a bit, no pun intended, in effect allowing the originator to resume transmission of conveying data. That is, when the transmitting station receives a response with a Window field value of zero, it replies to the response with an ACK (Code field ACK bit set to 1) and its Window field set to a value of zero. This inhibits the flow of data. When sufficient buffer space becomes available at the receiver, it will form a segment with its Window field set to a nonzero value, indicating that it can again receive data. At this point, the transmission of data goes to the receiver.
Avoiding Congestion One of the initial problems associated with TCP is the fact that a connection could commence with the originator transmitting multiple segments, up to the
AU1271Ch05Frame Page 160 Monday, July 15, 2002 8:52 PM
160
Building the Wireless Office
Window field value the receiver returned during the previously described three-way handshake. If slow-speed WAN connections exist between originator and recipient, it is possible for routers to become saturated when a series of transmissions originates at the same time. In such a situation, the router discards datagrams, causing retransmissions that continue the abnormal situation. The solution developed to avoid this situation is referred to as a TCP slow-start process.
TCP Slow Start Slow start represents an algorithm procedure added to TCP that implicitly uses a new window, referred to as the Congestion window. This window is not contained as a field in the TCP Header. Instead, it becomes active through the algorithm that defined the slow-start process. That is, when a new connection is established, the Congestion window is initialized to a size of one segment, typically 512 or 536 bytes. Each time an ACK is received, the Congestion window’s length is increased by one segment. The originator can transmit any number of segments up to the minimum value of the Congestion window or the Window field value (Advertised Window). Note that the transmitter imposes flow control in one direction through the Congestion window, while it is imposed in the other direction by the receiver’s Advertised Window field value. Although slow start commences with a congestion window of one segment, it builds up exponentially until it reaches the Advertised Window size. That is, it is incremented by subsequent ACKs from 1 to 2, then it is increased to 4, 8, 16, and so on until it reaches the Advertised Window size. Once this occurs, segments are transferred using the Advertised Window size for congestion control and the slow-start process is terminated.
The Slow-Start Threshold In addition to working at initiation, slow start returns upon the occurrence of one of two conditions: duplicate ACKs or a time-out condition where a response is not received within a predefined period of time. When either situation occurs, the originator commences another algorithm referred to as the “congestion control algorithm.” When congestion occurs, a comparison is initiated between the Congestion window size and the current Advertised Window size. The smaller number is halved and saved in a variable referred to as a slow-start threshold. The minimum value of the slow-start threshold is two segments unless congestion occurred via a time-out, with the Congestion window then set to a value of 1, the same as a slow-start process. The TCP originator has the option of using the slow-start start-up or congestion avoidance. To determine which method to use, the originator compares the congestion value to the value of the slow-start threshold. If the congestion value matches the value of the slowstart threshold, the congestion avoidance algorithm is used. Otherwise, the originator uses the slow-start method.
AU1271Ch05Frame Page 161 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
161
Let us turn our attention to the congestion avoidance method and to the algorithm it uses. Upon the receipt of ACKs, the Congestion window is increased until its value matches the value saved in the slow-start threshold. When this occurs, the slow-start algorithm terminates and the congestion avoidance algorithm starts. This algorithm multiplies the segment size by 2, divides that value by the Congestion window size, and then continually increases its value based on the previously described algorithm each time an ACK is received. The result of this algorithm is a more linear growth in the number of segments that can be transmitted in comparison to the exponential growth of the slow-start algorithm.
TCP Retransmissions While it is obvious that the negative acknowledgment of a segment by the receiver returning the same segment number expected indicates a retransmission request, what happens if a datagram is delayed? Because delays across a TCP/IP network depend on the activity of other routers in the network, the number of hops in the path between source and destination, and other factors, it is relatively impossible to have an exact expected delay prior to a station’s assuming data are lost and retransmitting. Recognizing this situation, TCP developers included an adaptive retransmission algorithm in the protocol. Under this algorithm, when TCP submits a segment for transmission, the protocol records the segment sequence number and time. When an acknowledgment is received to that segment, TCP also records the time, obtaining a round-trip delay. The TCP uses such timing information to construct an average round-trip delay that a timer uses to denote, when the timer expires, that a retransmission should occur. When a new transmit-response sequence occurs, another round-trip delay is computed that slightly changes the average. Thus, this technique slowly changes the timer value that governs the acceptable delay for waiting for an ACK. Now that we have an appreciation for the manner by which TCP determines when to retransmit a segment, let us conclude our coverage of this protocol by turning our attention to the manner by which it gracefully terminates a session.
Session Termination If we remember the components of the Code Bits field, we previously noted that field has a FIN bit. The purpose of this bit is to enable TCP to gracefully terminate a session. Before TCP terminates a full-duplex communications session, each party to the session must close the session. This means that both the originator and recipient must exchange segments with the FIN bit set in each segment. Exhibit 34 illustrates the exchange of segments to gracefully terminate a TCP connection. In this example, assume station X has completed its transmission and indicates this fact by sending a segment to station Y with the FIN bit set. Station Y acknowledges the segment with an ACK. At this point,
AU1271Ch05Frame Page 162 Monday, July 15, 2002 8:52 PM
162
Building the Wireless Office
Station X
Station Y
SEQ = 200 FIN = 1
Station X Done
Receive ACK Receive FIN and ACK ACK = 251
Exhibit 34.
Exhibit 35.
Acknowledged Station Y Done Acknowledged
ACK = 201 FIN = 1 SEQ = 250 ACK = 201 Connection Closed
Terminating a TCP Connection
Source Port
Destination Port
Message Length
Checksum
The User Datagram Protocol Header
station Y no longer accepts data from station X. Station Y can continue to accept data from its application to transmit to station X. If station Y has no more data to transmit, it will then completely close the connection by transmitting a segment to station X with the FIN bit set in the segment. Station X will then ACK that segment and terminate the connection. If an ACK should be lost in transit, segments with FIN are transmitted and a timer is set. Then either an ACK is received or a time-out occurs, which serves to close the connection.
UDP The User Datagram Protocol (UDP) is the second transport layer protocol the TCP/IP protocol suite supports. UDP is a connectionless protocol, which means that an application using UDP can have its data transported in the form of IP datagrams without first having to establish a connection to the destination. This also means that when transmission occurs via UDP, there is no need to release a connection, simplifying the communication process. Other features of UDP include the fact that this protocol has no ordering capability and it does not provide any error detection and correction capability. This, in turn, results in a header that is greatly simplified and is much smaller than TCP’s.
The UDP Header Exhibit 35 illustrates the composition of the UDP Header. This header consists of 64 bytes followed by actual user data. In comparing the TCP and UDP Headers, it is easy to note the relative simplicity of the latter because it lacks
AU1271Ch05Frame Page 163 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
163
many of the features of the former. For example, because it does not require the acknowledgment of datagrams or sequence datagrams, there is no need for Sequence and Acknowledgment fields. Similarly, because UDP does not provide a flow control mechanism, the TCP Window field is removed. The result of UDP’s performing a best-effort delivery mechanism is a relatively small transport layer protocol header, with the protocol relatively simple in comparison to TCP. Because the best way to understand the operation of UDP is via an examination of its header, let us do so. Before we do, as a reminder note that similar to TCP, an IP Header will prefix the UDP Header, with the resulting message consisting of the IP Header, UDP Header, and user data referred to as a UDP datagram.
Source Port and Destination Port Fields The Source Port and Destination Port fields are each 16 bits or two bytes in length and function in a manner similar to their counterparts in the TCP Header. That is, the Source Port field is optionally used, with a value either randomly selected or filled in with zeros when not in use, while the Destination Port field contains a numeric that identifies the destination application or process.
Message Length Field The Message Length field indicates the length of the UDP datagram to include header and user data that follow the header. This two-byte field has a minimum value of eight that represents a UDP Header without data.
Checksum Field The Checksum field is two bytes in length. The use of this field is optional and its value is set to 0 if the application does not require a checksum. If a checksum is required, it is calculated on what is referred to as a pseudoheader. The pseudo-header is a logically formed header that consists of the source and destination addresses and the Protocol field from the IP Header. By verifying the contents of the two address fields through its checksum computation, the pseudo-header assures that the UDP datagram is delivered to the correct destination network and host on the network. It does not verify the contents of the datagram.
Operation Because the UDP Header does not include within the protocol an acknowledgment capability or a sequence numbering capability, it is up to the application layer to provide this capability. This enables some applications to add this capability, whereas other applications that run on top of UDP may elect not to include one or both. As previously described, a UDP Header and its data are prefixed with an IP Header to form a data frame. Upon receipt
AU1271Ch05Frame Page 164 Monday, July 15, 2002 8:52 PM
164
Building the Wireless Office
of the datagram, the IP layer strips off that header and submits the remainder to UDP software at the transport layer. The UDP layer reads the destination port number as a mechanism to demultiplex and send the data to its appropriate application.
Applications The UDP is primarily used by applications that transmit relatively short segments and for which the use of TCP would result in a high level of overhead in comparison to UDP. Common examples of applications that use UDP as a transport protocol include the Simple Network Management Protocol (SNMP), Domain Name System (DNS), and the newly emerging series of applications from numerous vendors that transport digitized voice over the Internet and are collectively referred to as Internet telephony. Most implementations of Internet telephony applications use both TCP and UDP. TCP is used for call setup, whereas UDP is used to transport digitized voice once the setup operation is completed. Because real-time voice cannot tolerate more than a fraction of a second of delay, Internet applications do not implement error detection and correction, as retransmissions would add delays that would make reconstructed voice sound awkward. Instead, because voice does not rapidly change, applications may either “smooth” an error or drop the datagram and generate a small period of noise that cannot affect the human ear. This is because most Internet telephony applications transmit 10-ms or 20-ms slices of digitized voice, making the error or even the loss of one of a few datagrams transmitting such slices of a conversation most difficult to notice.
The DNS The TCP/IP protocol suite includes a number of built-in diagnostic tools that developers provide as associated applications running under the operation system that supports the suite. Thus, this section primarily focuses on a core set of applications that can be used to obtain an insight into the flow of data across a TCP/IP network. Through the use of the application programs discussed in this section, we can determine if the protocol stack is operating correctly on a host, whether or not a host is reachable via a network, and the delay or latency between different networks with respect to the flow of data from one network to another. Because knowledge of the Domain Name System (DNS) is important to obtain an understanding of the operation and constraints associated with different applications that provide a diagnostic testing capability, we first obtain an overview of DNS. Once this is accomplished, we turn our attention to the operation and utilization of applications that provide a diagnostic testing capability within the TCP/IP protocol suite. The purpose of the Domain Name System (DNS) is to provide the TCP/ IP community with a mechanism to translate host addresses into IP addresses because all routing is based on an examination of IP addresses. To accomplish this translation process, a series of domain name servers is used to create a
AU1271Ch05Frame Page 165 Monday, July 15, 2002 8:52 PM
165
TCP/IP Protocol Suite
"root" .com
.net
.org
.edu
.int
.mil
.gov
.au
.fr
.ie
Widgets ftp
Exhibit 36.
www
The Domain Name Tree
distributed database that contains the names and addresses of all reachable hosts on a TCP/IP network. That network can be a corporate intranet, the portion of the Internet operated by an Internet service provider (ISP), or the entire Internet.
The Domain Name Structure Internet host names employ a hierarchical address structure. This address structure consists of a top-level domain, subdomain, and host names. Initially, top-level domain names such as .com, .gov, and .edu, as well as IP addresses, were assigned and maintained by the Internet Assigned Numbers Authority (IANA), which was responsible for the overall coordination and management of the DNS. Controversy about the IANA’s having sole control of top-level domains occurred during the past few years, with the result that the Internet Corporation for Assigned Names and Numbers (ICANN) was formed as a nonprofit organization to take over responsibility for the allocation of IP address space as well as for DNS and root server management. The prior controversy resulted because DNS management and IP address allocation occur on a global basis, while most of those functions were previously performed under U.S. Government contract by IANA and were not globally representative. Today, ICANN is responsible for the top-level domains and the management of root servers that operate at the top of each defined domain. In comparison, domain administrators where a domain can be assigned to a government agency, university, or commercial enterprise are responsible for host names and IP address assignments within their domains.
The Domain Name Tree Exhibit 36 illustrates a portion of the domain name tree, with the top-level domains consisting of either three-letter top-level domains or two-letter toplevel domains. The two-letter top-level domains represent country domains, such as France (fr), Israel (il), and so on. Currently, seven top-level threeletter domains exist, as indicated in Exhibit 36. In comparison, there are over 100 two-letter country identifier domains. When an organization applies for an IP address and domain name, both entries are added to the appropriate server at the domain root. For example,
AU1271Ch05Frame Page 166 Monday, July 15, 2002 8:52 PM
166
Building the Wireless Office
if your organization was assigned the domain widgets.com as a commercial organization, an entry indicating the network address for widgets.com and the domain widgets would be placed in the root.com domain name server. If you examine the entry under the .com domain in Exhibit 36, you will note the subdomain labeled “Widgets.” Under the Widgets entry, you will note two entries, ftp and www. Here ftp and www represent two host names within the Widget subdomain. The fully qualified names of each host then become ftp.widgets.com. Thus, if someone does not know the IP address of the FTP and the Web server operated by widgets.com, he can enter the fully qualified domain name for each server, and DNS will automatically perform the translation, assuming applicable DNS entries exist in a server. Thus, let us turn our attention to the manner by which host names are converted into IP addresses, a process referred to as “name resolution.”
The Name Resolution Process An IP network must have a local DNS or employ the facilities of another organization’s domain name server. For either situation, when you enter a fully qualified host name in a TCP/IP application, the application looks up the IP address of the DNS previously configured for the protocol stack to use. Your local computer then transmits an address resolution request using UDP on port 53 to the IP address of the DNS. That IP address could be a DNS on the local network or the DNS operated by your organization’s ISP. Upon receipt of the address resolution request, the DNS first checks its cache memory in an attempt to determine if the IP address was previously resolved. If so, it responds to your computer’s request with the host’s associated IP address, allowing your computer to use the destination host IP address to create an IP datagram that a router can route. If the DNS did not previously learn the IP address and is not responsible for the domain where the fully qualified domain name host resides, it will forward the request to a higher level in the DNS hierarchy. To do so requires the DNS to have a pointer record that literally points to the address of the next-level DNS. For example, a DNS on a local network would have a pointer record to the DNS operated by the Internet service provider (ISP) that provides the organization with access to the Internet. If the ISP’s DNS does not have an entry for the requested host, another pointer record will be used to route the address resolution request to a “higher authority.” That higher authority could be a network service provider (NSP) and eventually the top-level DNS for the domain of the fully qualified host name.
Data Flow To illustrate the potential flow of data during the address resolution process, consider Exhibit 37. In Exhibit 37 the user at host gil.smart.edu just entered the host name www.cash.gov into her browser and pressed the Enter key,
AU1271Ch05Frame Page 167 Monday, July 15, 2002 8:52 PM
167
TCP/IP Protocol Suite
Top Level Domain = .edu 8 7 DNS
Router 6
9
Router 5 10 11
Domain: isp.com
4 12 DNS
Router 3
13
Router 2
Domain: smart.edu 1 DNS
14
15 gil.smart.edu
Exhibit 37.
Potential Dataflow during the Address Resolution Process
which in effect commences the resolution process. When the address resolution process begins, a UDP datagram flows to the local DNS on the domain smart.edu as indicated by 1. Assuming that DNS does not have an entry for the network address of the requested host (www.cash.gov), the resolution request flows upward to the next DNS via the use of a pointer record in the local DNS. This is indicated by numbers 2, 3, and 4 in Exhibit 37. Assuming the next DNS, which is shown as serving the domain isp.com, does not have an entry for www.cash.gov, the resolution request continues its flow up the DNS hierarchy until it either reaches a server that can resolve the request or arrives at the top-level DNS for the domain for which the host name is to be resolved. This is indicated by 5, 6, and 7 in Exhibit 37. Once the address is resolved, the resolution does not flow directly back to the original DNS. Instead, the resolution flows back to each DNS in the hierarchy, providing each server with the ability to update its resolution table. This is indicated by 9 through 14 in Exhibit 37. Finally, the local DNS returns the resolved IP address as indicated in 15 in Exhibit 37. At this point the station can now form an IP datagram using a destination IP address obtained from the address resolution process.
AU1271Ch05Frame Page 168 Monday, July 15, 2002 8:52 PM
168 Exhibit 38.
Building the Wireless Office
Examples of DNS Record Types
Record Type
Description
A MX NS CNAME
Contains an IP address to be associated with a host name Contains the address of a mail exchange system(s) for the domain Contains the address of the name server(s) for the domain Canonical Name records contains an alias host name to associate with the host names contained in the record Contains a host name to be associated with an IP address in the record The Start of Authority records indicate the administrative name server for a domain as well as administrative information about the server
PTR SOA
Time Consideration If a fully qualified domain name cannot have its IP address resolved by the local DNS, one or more additional servers must be queried. This means that datagrams conveying address resolution information will flow over relatively low-speed WAN connections for which the time delay then depends on the operating rate of those connections and other activity flowing on each connection, as well as the processing being performed by routers that form the WAN. Because the DNS resolution process on a host results in the setting of a timer, if too much time occurs during the resolution process, the timer will time-out or expire. When the situation occurs, the protocol stack that the application uses generates an error message. One popular error message generated by a browser informs the user to “check the destination name spelling and try again!” This message does not mention anything about the address resolution process probably because most persons using browsers have no knowledge of the process and a more descriptive error message might be counterproductive.
DNS Records Each DNS can contain a series of different types of records as well as multiple records for one or more record types. Exhibit 38 lists some of the more popular types of DNS records. In examining the record types listed in Exhibit 38, note that a domain can have multiple name servers or multiple mail exchange servers. Also note that while the A record provides information necessary for an address resolution process, the PTR record type supports reverse lookups. Exhibit 39 illustrates an example of a UNIX Zone file named “smart.edu.zone” for the domain smart.edu. We assume that the Class C address 198.78.46.0 was assigned to the domain smart.edu. We further assume that the server name, dns.smart.edu, is the name server, and mail.smart.edu is the name of the mail server. In examining the entries in Exhibit 39, note that the string “IN” is used to indicate an Internet address and dates from a period where different types of addresses could be placed in a DNS database. Also note that names and host
AU1271Ch05Frame Page 169 Monday, July 15, 2002 8:52 PM
169
TCP/IP Protocol Suite
Exhibit 39.
The File smart.edu.zone
;Start of Authority (SOA) record smart.edu. IN SOA dns.smart.edu.owner.smart.edu( 19960105 ;serial#(date format) 10800 ;refresh(3 hours) 3600 ;retry(1 hour) 604800 ;expire(1 week) 86400) ;TTL(1 day) ;Name Server (NS) record smart.edu. IN NS dns.smart.edu. ;Mail Exchange (MX) record smart.edu. IN MX 20 mail.smart.edu ;Address (A) records. router.smart.edu. IN A 198.78.46.1 dns.smart.edu. IN A 198.78.46.2 mail.smart.edu. IN A 198.78.46.3 gil.smart.edu. IN A 198.78.46.30 ;Aliases in canonical Name (CNAME) record www.smart.edu IN CNAME gil.smart.edu.
addresses end with a trailing dot (.) or period to indicate that they are an absolute name or address rather than a relative address. The first record normally placed in a Zone file for a domain server is the Start of Authority (SOA) record. This record governs the manner by which a domain name server and secondary servers, if any, operate, and the ability to read the contents of this record can provide information about the manner by which another domain operates. We can examine the contents of a domain name server database through the use of the NSLOOKUP application program. The serial number in the SOA record identifies the version of the DNS database. Secondary servers can use this value as a metric concerning updating as the number increments whenever the database changes. The refresh value informs the server how often to check for updated information. If the secondary server cannot connect to the primary, it uses the retry value as the time period to wait before retrying. The expire time tells the secondary server when to stop answering queries about the primary when it cannot contact the primary. This value assumes that no answer is better than a bad answer and is set to a week (604,800 seconds) in Exhibit 39.
Checking Records If we further examine the entries in Exhibit 39, we will note that the router in the 198.78.46.0 network has the host address .1, while the DNS has the host address .2, and the mail server has the address .3. We also note that the host gil.smart.edu has the alias www.smart.edu and that the entry of either host name returns the IP address 198.78.46.30. Thus, by checking the records in a name server, it becomes possible not only to obtain the IP address for
AU1271Ch05Frame Page 170 Monday, July 15, 2002 8:52 PM
170
Building the Wireless Office
a particularly qualified domain name, but also to discover the alias or aliases assigned to one or more hosts in a domain. Now that we have an appreciation for the role and operation of the domain name system and the servers used in the DNS, let us turn our attention to the use of a series of built-in diagnostic tools provided as application programs in most versions of TCP/IP.
Diagnostic Tools Most operating systems with a TCP/IP protocol stack include several application programs that can be used to obtain information about the state of the network or a particular host. Examples of such applications include Ping, traceroute, NSLOOKUP, and finger. This section covers each of these applications.
Ping Based on contradictory tales, the name “Ping” was given to an application because it either resembled the use of radar or functioned as an acronym for the full name, Packet Internetwork Groper. Regardless of whether the function of electronic equipment or the development of an acronym accounted for its name, Ping is one of the most widely used tools, if not the most widely used tool, bundled as an application in TCP/IP software.
Operation Through the use of the Ping application program, a series of Internet Control Message Protocol (ICMP) Echo type messages are transmitted to a distant host. If the host is both reachable and active, it will respond to each ICMP Echo message with an ICMP Echo Response message. Not only does the use of Ping then tell you that the distant host is both reachable and active, the application also notes the time the echo left the computer and the time the reply was received to compute the round-trip delay time. Because timing can be very critical for such applications as Voice-over-IP and interactive query/ response, the use of Ping may inform you ahead of time whether or not an application is suitable for use on the Internet or a corporate intranet.
Implementation No standard governs the manner by which Ping is implemented. Different vendor versions, such as UNIX and Windows NT, may slightly differ from one another. One common form of the Ping command to invoke this application is shown below: ping [-q l-v] [-r] [-c Count] [-I Wait] [-s size] host
AU1271Ch05Frame Page 171 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
171
where q — selects quiet mode that only results in the display of summary information at start-up and completion v — selects verbose output mode that results in display of ICMP packets received in addition to Echo Requests r — selects a route option that displays the route of returned datagrams c — specifies the number of Echo Requests to be sent prior to concluding the test i — specifies the number of seconds to wait between transmitted datagrams containing an Echo Request s — specifies the number of data bytes to be transmitted host — specifies the IP address or host name of the destination to be queried In examining the above options, note that some older implementations of Ping would run until interrupted with a CTRL-C unless a count value was specified through the use of the -c option. Also note that many versions of Ping differ with respect to the default wait time between transmitted Echo Requests. Some implementations may transmit echo requests 250 ms apart as a default, while other implementations may use a default of 500 ms, one second, or another time value. A third item concerning the options listed above concerns the packet size specification variable, -s. This variable is used to specify the number of data bytes transmitted and results in a total packet size becoming the specified packet size plus 8, because there are eight bytes in the ICMP Header. This means that the default on some implementations is 56 bytes, which results in a 64-byte packet. Now let us look at its use within a TCP/IP environment. In doing so we examine the use of the Microsoft Windows version of Ping, which you can access from the command prompt in Windows.
Using Windows NT Ping Exhibit 40 illustrates the Windows NT Ping Help menu that is displayed when you enter the name of the application without options. In examining the help screen shown in Exhibit 40, note that the -t option results in the Ping application’s continuously transmitting Echo Request packets until interrupted. Unfortunately, this is a favorite attack method unsophisticated hackers use. We discuss its use later in this chapter and in more detail in Chapter 8 when we discuss security in detail. Also note that Microsoft supports several route options as well as a Time to Live (TTL) option. Typically, most applications set a TTL default value of 250 to prevent a datagram from infinitely wandering the Internet or a private intranet. As the datagram is received by a router, it decrements the TTL value by 1 and compares the result to zero. If the value is greater than zero, it forwards the datagram; otherwise, it places the datagram into the “great bit bucket in the sky.” By setting the TTL value higher than the default, you may then obtain the capability to reach a host that requires routing through a large number of routers that might otherwise be unreachable from your location.
AU1271Ch05Frame Page 172 Monday, July 15, 2002 8:52 PM
172
Exhibit 40.
Building the Wireless Office
Microsoft Windows Ping Options
To illustrate the use of Ping, let us ping two locations on the Internet. The first location we will ping is the real White House Web site located at www.whitehouse.gov. The top portion of Exhibit 41 illustrates this operation. If you examine the top potion of Exhibit 41, you will note the response “Request timed out” displayed four times. Microsoft’s implementation of Ping results in four Echo Request ICMP packets being transmitted as IP datagrams to the destination specified in the Ping command line. The reason the request timed out has nothing to do with the TTL value. Instead, the White House uses a firewall to block pings because pings are one of a number of weapons unsophisticated hackers like to use. In Chapter 8 we go into more detail concerning how we can block pings. In the lower portion of Exhibit 41, we pinged a commercial site Web server whose address is similar but not the same as the White House. This commercial site’s Web address is www.whitehouse.com. Note that Ping automatically resolves the entered host name into an IP address. Also note from the four replies that the round-trip delay varied from a low of 16 ms to a high of 32 ms. This variance is due to the fact that the path between source and destination is subject to random data flows from other users. This can delay the datagrams your host is transmitting that contain ICMP Echo Requests. Although Ping is quite often used to determine round-trip delay, that is not its primary use. Whenever a station is configured and connected to a network, one of the first things you should do is ping the station. If you obtain a response, this will indicate that the TCP/IP protocol stack is active. In a wireless environment, a common use for Ping is to check your connection between a wireless station and a wireless router or access point. To do so you would ping the IP address assigned to the wireless router or access point. If you receive a response but cannot, for example, access the Internet, you would then focus your attention on the configuration of your browser and the wireless router.
AU1271Ch05Frame Page 173 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
Exhibit 41.
173
Using Ping
In a wired environment, the response to a ping will also mean that the station is properly cabled to a wired network and that its network adapter is operational. Otherwise, the protocol stack, cable, or network adapter may represent a problem. You can check out the protocol stack by pinging the address 127.0.0.1 or any address on the 127.0.0.0 network because this invokes a loopback. If you obtain a valid result, you would then run diagnostics on the network adapter card provided by the vendor and check or swap cables with a device known to work to isolate the problem. In a wireless environment, you could use a utility program provided with many network adapters that will display the signal strength and signal quality of the received signals. If you attempt to ping a host on a different network, it may not be a simple process to walk over to the destination if all you receive is a time-out message. The cause of a lack of response can range in scope from an inoperative router to an inactive destination. Fortunately, you can obtain insight concerning the route to the destination through the use of another program, called “traceroute.”
Traceroute Traceroute, as its name implies, traces the route to a specified destination that you will place in the application command line. Similar to Ping, several variations exist concerning the implementation of traceroute. A common form of the traceroute command on a UNIX host is shown below: traceroute [-t count] [-q count] [-w count] [-p portnumber] host
where
AU1271Ch05Frame Page 174 Monday, July 15, 2002 8:52 PM
174
t q w p
Building the Wireless Office
— specifies the maximum Time to Live (TTL) value, with a default of 30 used — specifies the number of UDP packets transmitted with each TTL setting; usually the default is 3 — specifies the time in seconds to wait for an answer from a router — represents an invalid port address at the destination; usually port 33434 is used
Operation To better understand traceroute options requires an explanation of the manner by which this application operates. Thus, prior to observing the operation of the program and discussing its options, let us focus our attention on how the program operates. Traceroute works by transmitting a sequence of UDP datagrams to an invalid port address on the destination host. Using common default settings, traceroute begins by transmitting three datagrams, each with its TTL field value set to 1. As soon as the first router in the path to the destination receives the datagram, it subtracts 1 from the value of its TTL field and compares the result to zero. Because the value equals zero, the datagram will be considered to have expired, and the router will return an ICMP Time Exceeded Message (TEM) to the originator, indicating the datagram expired. Because the originator noted the time the datagram was transmitted and the time a response was received, it is able to compute the round-trip delay to the first router. It will also note that the IP address of that router is contained in the datagram transmitting the ICMP TEM message. To locate the second router in the path to the destination, traceroute increments the TTL field value by 1. Thus, the next sequence of datagrams flows through the first router, but is discarded by the second router, resulting in another sequence of TEM messages being returned to the originator. This process continues until the datagrams reach the destination or the default TTL value is reached, and the application operating on the source terminates. If the datagrams reach the destination, and because they are attempting to access an invalid port on the destination host, the destination returns a sequence of ICMP Destination Unreachable messages, indicating to the traceroute program that its job is finished. Now that we have an appreciation for the manner by which the program operates, let us examine its use. In doing so, we again use a version included in Microsoft’s Windows operating system.
Using Windows Tracert The Microsoft Windows version of traceroute is named tracert. This application program is similar to Ping in that it is operated from the command prompt within Windows. Exhibit 42 illustrates the use of the tracert program without any parameters to display a Help screen for the program. In examining Exhibit 42, note that the Microsoft implementation of traceroute supports four options. Probably
AU1271Ch05Frame Page 175 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
Exhibit 42.
175
Microsoft’s Tracert
the most commonly used option is the -h option, the use of which allows you to change the TTL default of a maximum of 30 hops normally used by the program.
Tracing a Route To illustrate how tracert can supplement the use of Ping, let us use the former to trace the route from the author’s network to the real White House. If you remember our attempt at pinging the White House, our efforts were not successful because each ping returned a time-out message. Exhibit 43 illustrates the use of Microsoft’s version of traceroute to trace the route to the White House Web server. Note that when the program is first executed, it performs an address resolution and displays the IP address of the destination. Also note that the program displays the fact that it is tracing the route to the destination using a maximum of 30 hops, which represents the default value of the application. From Exhibit 43 you will note that there were eight routers in the path to the White House, after which you could not access the White House network. The eighth router was located in Herndon, Virginia, and, according to information the router returned, is operated by PSI.net, an Internet service provider. We could not trace the full route into the White House network because the router at the White House Web site was programmed to block both pings and traceroutes. Thus, this resulted in the generation of a “destination net unreachable” message. In examining the entries in Exhibit 43, you will note that the Microsoft implementation tries three times or more to accurately transmit a sequence of three datagrams with the same TTL field values. Let us focus our attention on the round-trip delay and router for each route. The first path, which is
AU1271Ch05Frame Page 176 Monday, July 15, 2002 8:52 PM
176
Exhibit 43.
Building the Wireless Office
Tracing the Route to the White House Web Server
from my workstation to the router located at IP address 205.131.175.2, required less than 10 ms for each of three datagrams to reach, and for the computer issuing the tracert to receive a response. The second path was to the router operated by bbnplanet in Atlanta and resulted in a round-trip delay of 31 ms from my computer to that router. If you focus on the router information returned, you will note that some routers provide a description of their location and operator and other identifiers, while other routers simply provide their IP address. While all routers in this example returned some information, occasionally some routers will not respond to a TTL field value of zero condition and will simply throw away the datagram. When this situation occurs, the traceroute program’s attempt times out and information for that router hop is denoted through the use of an asterisk (*) as being unavailable.
Applications As indicated by our use of traceroute, this utility program traces the route to a destination. In doing so, it displays the round-trip delay to each router hop, enabling you to determine if one or more routers are causing an excessive amount of delay on the path to a destination. Many times, traceroute can be a valuable tool in determining where network bottlenecks reside. In addition, you can use this tool as a mechanism to identify, to a degree, where along the path a failure of a communications circuit or hardware occurred if a destination should become unreachable. We say “to a degree” because if either a circuit becomes inoperative or a router failed, traceroute would not be able to distinguish between the two situations. Before traceroute can be used to isolate the general location of a problem, it is a valuable tool you should consider using either by itself or as a supplement to Ping.
AU1271Ch05Frame Page 177 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
Exhibit 44.
177
Using Microsoft’s NSLOOKUP to Query the Yale University Server
NSLOOKUP A third built-in application program that can be used to provide valuable information is NSLOOKUP. Unlike Ping and traceroute, which are implemented in essentially all versions of TCP/IP software, NSLOOKUP is available in most, but not all, operating systems that support TCP/IP.
Operation NSLOOKUP is a name server lookup program. You can use this program to examine entries in the DNS database of a particular host or domain. NSLOOKUP can be implemented in several ways, with the most common being an interactive query mode. In the interactive query mode you simply type the command nslookup. The other method nslookup supports is a single-query mode. The general format of the latter is as follows: nslookup [IP-address\host-name]
If you enter the program name by itself you will be placed in its interactive mode. In the interactive mode the program uses the greater-than sign (>) as a prompt for input. Exhibit 44 illustrates an example of the use of NSLOOKUP. In this example, after you enter the command nslookup, the program responds with the name and address of the default name server. This is the name server whose address is configured in the TCP/IP protocol stack operating on the workstation you are using to run the program. That name server, which is serv1.opm.gov in this example, will be used to resolve each request. In the example shown in Exhibit 44, we next entered the Web server host address for Yale University. Note that NSLOOKUP not only resolved the IP
AU1271Ch05Frame Page 178 Monday, July 15, 2002 8:52 PM
178 Exhibit 45.
Building the Wireless Office
NSLOOKUP Set Querytype Values
NSLOOKUP: set q[uerytype] Changes the type of information query. More information about types can be found in Request For Comment (RFC) 1035. (The set type command is a synonym for set querytype.) set q[uerytype] = value Default = A Parameter Value Description
A ANY CNAME GID HINFO MB MG MINFO MR MX NS PTR SOA TXT UID UINFO WKS
Computer’s IP address All types of data Canonical name for an alias Group identifier of a group name Computer’s CPU and operating system type Mailbox domain name Mail group member Mailbox or mail list information Mail rename domain name Mail exchanger DNS name server for the named zone Computer name if the query is an IP address, otherwise the pointer to other information DNS domain’s start-of-authority record Text information User ID User information Well-known service description
address of www.yale.edu, but also provided us with the true name of the Web server because the response indicated that www.yale.edu is an alias. If you turn your attention to the lower portion of Exhibit 44, you will note the prompt in the form of a greater-than sign (>). Because we used the interactive query mode of NSLOOKUP, this prompt indicates that it is waiting for an NSLOOKUP command. Let us give the program a few. Because NSLOOKUP queries a name server, you can use the program to retrieve information about different types of name server records. To do so, you must use the set type = command followed by the record type, and then inform your local DNS server of the distant DNS to be queried. Exhibit 45 provides a list of NSLOOKUP set of query record types you can enter to display a particular type of domain name server record. For example, entering set q = UID would specify a query based on user ID. Exhibit 46 represents a continuation of our querying of the Yale University DNS. In this example, we set the record type to MX and then entered the domain, yale.edu. This resulted in our local DNS springing into action and returning a sequence of information about the mail server used at Yale. If
AU1271Ch05Frame Page 179 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
179
Exhibit 46. Using NSLOOKUP to Retrieve MX Records from the Yale University Name Server
you examine the entries in Exhibit 46, you will note the response to your query resulted in a listing of both mail exchanger and name server host addresses and IP addresses for that university, thus providing significant information about its network resources.
Viewing the SOA Record We can continue our quest for knowledge about Yale University by changing the record type to SOA and again entering yale.com as the domain name. Exhibit 47 illustrates the resulting display from the previously described operations. In examining the entries in Exhibit 47, note that Yale University operates four name servers. Also note that we just obtained the IP address for each server.
Protecting Server Information One common method of hacker attack is to obtain information about one or more users by listing A records. Due to this, many organizations will block the ability of those records to be retrieved. Thus, if you set the record type to “A” and again enter the domain yale.com, you would not obtain a listing of A records because Yale blocks their retrieval by foreign name servers.
Finger Finger is a program that enables a user to obtain information about (1) who is logged onto a distant computer or (2) a specific user. The use of this
AU1271Ch05Frame Page 180 Monday, July 15, 2002 8:52 PM
180
Building the Wireless Office
Exhibit 47. Reading the Start of Authority (SOA) Records at Yale University through NSLOOKUP
Exhibit 48.
The Finger Help Screen under Microsoft Windows
command results in a new verb referred to as “fingering,” which is not a rude gesture, but a query on the Internet.
Format The general format of the finger command on a UNIX system is shown below: finger [username] @ {host.name\IP.address}
AU1271Ch05Frame Page 181 Monday, July 15, 2002 8:52 PM
TCP/IP Protocol Suite
Exhibit 49.
181
Organizations Blocking Fingering as a Security Measure
Exhibit 48 illustrates the finger command options under Microsoft Windows operation system. Note that the -l option results in a long display that can provide detailed information about a user or host computer.
Security Considerations Similar to other network utility programs under the Microsoft operating system, finger runs in the Command Prompt dialog box as a DOS application. Because the use of finger can provide detailed information about a user or host, it is normally blocked by programming a router to bar datagrams that contain the destination port that identifies a finger application. An example of finger blocking is shown in Exhibit 49. In this illustration I attempted to finger several domains. First, I fingered ford.com without success. Next, I tried a U.S. Government agency. This was followed by an attempt to finger Yale University and, finally, the Federal Bureau of Investigation. Each of these finger attempts was unsuccessful as those organizations block fingering as a security measure.
Applications As indicated in Exhibit 49, many organizations block fingering as a security measure. Thus, a logical question is, “why discuss its use?” The reason is that many organizations will operate fingering internally but block its flow into the network. Then, persons within an organization obtain the ability to query a host or user to determine who is working on the host, his telephone number, the application he is using, and other information that may be of assistance when attempting to solve a problem. As indicated in this section, the TCP/IP protocol suite contains several builtin application programs that can be used to determine information about
AU1271Ch05Frame Page 182 Monday, July 15, 2002 8:52 PM
182
Building the Wireless Office
hosts, the paths between networks, and users on a host. By carefully considering the use of different application programs, you can obtain valuable tools to assist you in ensuring that if problems occur, you can focus your attention on the potential location and perhaps even the cause of the problem.
AU1271Ch06Frame Page 183 Monday, July 15, 2002 8:51 PM
Chapter 6
Security Unlike a wired LAN that provides some physical control over access to the infrastructure, its wireless cousin transmits radio frequency signals that are subject to interception. This means that a wireless LAN could have its transmission read by an uninvited third party. Because wireless LANs use the airwaves, this also means they are subject to jamming and other types of interference rarely encountered in a wired environment. Security is therefore a key area of concern for wireless LAN operations and is the focus of this chapter. In this chapter we first look at the risks associated with the use of wireless LANs. Next we examine the manner by which security was originally incorporated into wireless LANs. That security mechanism is referred to as Wired Equivalent Privacy (WEP). As we discuss how WEP operates, we also note its limitations and the methods used to add additional security to wireless transmission in the form of the IEEE 802.1x standard as well as proprietary vendor techniques. In addition, because many wireless LANs are connected to the Internet via an access point with a built-in routing capability, we also describe and discuss some of the functions and features of this category of wireless equipment. Specifically, we note how a wireless access point/router protects wireless stations from persons on the Internet who may not have the best intentions concerning many types of computer-related actions.
Security Risks As we just noted, the use of the air opens wireless transmission to interception and jamming. We can obtain an appreciation for the details of those and other security risks by reviewing the basic architecture associated with wireless LANs.
183
AU1271Ch06Frame Page 184 Monday, July 15, 2002 8:51 PM
184
Building the Wireless Office
Internet
Intranet
Router
Hub
Access Point
Station
Exhibit 1.
Station
A Wireless LAN Connected to a Wired Infrastructure
Architecture Exhibit 1 illustrates a wireless LAN infrastructure in which an access point supports communications from a group of stations onto a corporate intranet that is, in turn, connected to the Internet. Stations that want to join the wireless network and gain access to the intranet or Internet must first be configured correctly. While a majority of the wireless LAN security effort is focused on securing transmission between client stations and access points, it is important to note that security is a literal “two-way street”: when a wireless LAN provides a connection to another network, such as an intranet or the Internet, you also need to consider protecting stations from attack via other types of networks. While you may not consider an intranet user as a potential threat, if the wireless client employs file sharing, either on purpose or in error, he opens his computer to attack. Similarly, if a connection to the Internet is provided to wireless clients, it becomes possible for the clients to be attacked via the Internet. Thus, the architecture of the network can represent a security risk.
The Role of the SSID During the installation of a software driver for a wireless LAN network adapter card, you may be asked to specify the service set identifier (SSID); otherwise, a predefined SSID is used. The SSID, which some wireless hardware vendors refer to as a “network name” or “domain,” functions as a network password that allows clients to communicate with an applicable access point. Only stations with an SSID setting that matches the access point SSID can communicate with one another. Because each station and the access point need to be configured with the same SSID, it can be considered to represent a shared password. Some vendor products set the SSID value to a string of blanks, whereas other vendors set the SSID value to a predefined setting. Exhibit 2 lists seven
AU1271Ch06Frame Page 185 Monday, July 15, 2002 8:51 PM
185
Security
Exhibit 2.
Exhibit 3.
Commonly Used Default SSIDs
Vendor
SSID
3 Com Cisco Compaq Intel Linksys Netgear Other popular defaults
101 tsunami Compaq intel Linksys blank Wireless, SSID
Setting the SSID Value to “any”
popular default SSID value settings, which should explain why it would not be too difficult for a person sitting in a van in an organization’s parking lot to pull out her trusty notebook computer with a wireless network adapter card and, within a few minutes, be able to correctly guess an appropriate SSID. Exhibit 3 illustrates the use of a wireless LAN configuration utility program bundled with a Netgear wireless LAN 802.11b PC Card network adapter to set the SSID to a value of “any.” By default, the security method wireless LANs support, known as WEP, is disabled; and when in an unsecure mode of operation stations can connect to an access point using the SSID of the access point, a blank SSID, or an SSID configured to “any.”
AU1271Ch06Frame Page 186 Monday, July 15, 2002 8:51 PM
186
Building the Wireless Office
Regardless of the setting of WEP, SSIDs flow over the air as cleartext and can be easily captured. Even when WEP is enabled, the use of a default SSID can be considered as an invitation to do harm. Thus, you should consider changing the default SSID value when you set up your access point. Because WEP is disabled by default, and SSIDs are transmitted in the clear, a wireless network is thus open to several types of attacks. Those attacks can be classified into two main categories: insertion attacks and monitoring attacks.
Insertion Attacks An insertion attack results from an unauthorized station becoming a participant on a wireless network. Accomplishing this is fairly easy because the SSID can be easily guessed or observed via a monitoring attack. In an attempt to prevent insertion attacks, some access points were designed to enable an authorization password to be configured. While this action makes it more difficult for a third party to gain access to the wireless network, it can also be easily overcome through monitoring. Later in this chapter we describe the use of the IEEE 802.1x standard, which adds a significant degree of access control to both wired and wireless LANs.
Monitoring Attacks Because wireless LANs communicate using radio frequency, it is possible for a third party to be located anywhere a sufficient level of signed strength is present to monitor in-building communications. In fact, several highly publicized stories in The New York Times and The Wall Street Journal during 2001 described how two men in a van were able to drive from one parking lot to another in Silicon Valley, take out a notebook that was operating a wireless packet-monitoring program, and use a directional antenna to pick up wireless communications occurring in buildings whose RF energy leaked out into parking lots. To provide readers with an indication of the ease by which a third party can monitor a wireless LAN, I used a readily available program to capture traffic. Exhibits 4 through 6 illustrate the use of the AiroPeek wireless LAN monitoring program developed by WildPackets, Inc., formerly known as The AG Group and well known for its EtherPeek program, which monitors and analyzes traffic flowing on a wired Ethernet LAN. Exhibit 4 illustrates the overthe-air packet-capturing process when 1018 packets had been captured. In examining the main portion of the screen display shown in Exhibit 4, note that of the 14 packets displayed in the upper window, 13 represent broadcast packets. This high ratio of broadcast-to-data packets occurred because I had set up one access point connected to a wired network and was using two notebook computers equipped with wireless LAN adapter cards. One notebook was used for surfing the Web to generate traffic, while the second notebook was running AiroPeek to illustrate the ease with which wireless traffic can be monitored.
Using the WildPackets AiroPeek Program to Capture Wireless LAN Traffic
Security
Exhibit 4.
AU1271Ch06Frame Page 187 Monday, July 15, 2002 8:51 PM
187
AU1271Ch06Frame Page 188 Monday, July 15, 2002 8:51 PM
188
Building the Wireless Office
To illustrate the potential danger associated with wireless RF monitoring, I used my notebook to access the Salomon Smith Barney Web site. The packet conveying an initial access request to that site is packet 12. The source IP address of 192.168.123.143 represents an RFC 1918 Class C address dynamically assigned to my notebook by the access point, which was an SMC Networks Barricade broadband router. The Barricade combines a router and access point into a common housing. The destination address of 199.67.185.9 represents the Salomon Smith Barney home page. Thus, prior to any decoding we are able to determine that a wireless station is accessing a financial Web site. Also note in Exhibit 4 that the program displays the basic service set ID (BSSID). Although I set the SSID of my network adapter to “any,” that value is replaced by the BSSID of the access point, which explains why it is shown for packet 12 as the same value of each of the broadcast packets. In addition to providing the ability to capture wireless transmission, AiroPeek includes a comprehensive packet decode capability. To decode a packet you only need to double-click on a previously captured entry. Exhibit 5 illustrates the initial portion of the decoding of packet 22, which was selected by scrolling down the packets summarized in Exhibit 4. In examining the top portion of Exhibit 5, you will see that AiroPeek first displays general information about the decoded packet such as its data rate, the channel used, the packet length, and the signal level. Directly under the display of the signal level, the program begins its decode with the display of the values of the fields within the 802.11 MAC Header. Note that we are observing a data packet as opposed to a control or management packet. The distribution system is sending this packet, which we know because the FromDS field bit is set. By scrolling down the upper portion of the screen we can view additional information concerning the packet decode, so let’s do so. Continuing our observation of the packet decode, Exhibit 6 illustrates the remainder of the MAC header and the initial decode of the following IP header. If you look at the highlight bar located in the packet decode window, you will note it is located on the WEP field in the 802.11 Control field, indicating that WEP is disabled, which is its default setting. Thus, with a readily available commercial packet decoder, it becomes possible to monitor, store, and at our leisure decode traffic to include the data transported by packets when WEP is disabled. Many organizations accept default settings, which is why it was relatively easy for the previously mentioned persons to move their van from one parking lot to another in Silicon Valley and read wireless traffic without having to even try to break the WEP encryption scheme. We further discuss this topic later in this chapter.
Masquerade The previously illustrated packet decode indicates that if you can capture the first part of a connection session, it becomes possible to detect the user name and password of wireless users accessing servers and other network devices. Once this occurs, a third party then obtains the ability to “masquerade” as a legitimate user by using the captured user’s ID and password.
The Settings of the Fields within the Wireless Control Field
Security
Exhibit 5.
AU1271Ch06Frame Page 189 Monday, July 15, 2002 8:51 PM
189
Additional Information about a Captured Packet in the AiroPeek Packet Decode Window
190
Exhibit 6.
AU1271Ch06Frame Page 190 Monday, July 15, 2002 8:51 PM
Building the Wireless Office
AU1271Ch06Frame Page 191 Monday, July 15, 2002 8:51 PM
191
Security
Hub
A
B
Access Point
Station
Exhibit 7.
Station
Transmitting Frames from the Wired Infrastructure “over the Air”
Broadcast Monitoring Another type of monitoring involves the broadcast of frames from a wired infrastructure onto the wireless infrastructure. This transmission occurs not only when data is destined to a wireless station, but also during the station discovery process, because an access point represents a two-port bridge that operates following the 3 Fs rule. That is, an access point constructs and uses its port-address table via the process of flooding, filtering, and forwarding frames. To illustrate how broadcast monitoring can result in the content of frames destined to other wired stations being broadcast over the air, consider Exhibit 7, which illustrates a simple network infrastructure of an access point connected to a hub. Two stations are connected to the hub with their MAC addresses indicated as A and B for simplicity, while two wireless stations are shown (for ease of illustration) with MAC addresses C and D. When the access point is powered on, its port-address table is empty. Thus, if station A transmits to station B, the frame also flows to the access point. Because the access point does not know where the destination B address resides, it performs a flooding operation, transmitting the frame onto all other ports than the port on which the frame was received. Thus, the frame is broadcast “over the air.” Because station A transmitted data to station B, the access point notes that address A is on the wired infrastructure. Thus, the initial entry in the access point’s port-address table becomes Port
Address
1
A
Now let’s assume station B responds to station A. As the frame from station B flows to the access point, the access point checks the contents of its portaddress table and notes that station A resides on port 1, from where the frame originated. Thus, there is no need to forward the frame and so the access point filters or discards the frame. However, the access point notes that the source address of the frame is A and, because it does not have an entry for
AU1271Ch06Frame Page 192 Monday, July 15, 2002 8:51 PM
192
Building the Wireless Office
frame A in its port-address table, it proceeds to update the contents of that table. Thus, the contents of the access point port-address table now become: Port
Address
1 1
B A
To conclude our examination of the security risk associated with the address learning process, let’s assume that station C transmits to station D. Because station C is a wireless device, its transmission can be read as it flows to the access point. And because the access point has not learned where station D resides at this particular point in time, it floods the frame. However, because in an infrastructure mode of operation all communications between wireless devices flow through an access point, the frame is transmitted onto the wired infrastructure as well as over the air. Thus, it becomes possible for a wired network user with a sniffer to capture some frames that are directed to other wireless stations due to the manner in which wireless access points operate. After the access point floods the frame, it updates its port-address table as shown below: Port
Address
1 1 2
B A C
When station D responds to C, the access point consults its port-address table and notes that the destination resides on the wireless LAN. Thus, the access point forwards the frame back onto the air and updates its port-address table because it recognized that station D is on the wireless LAN. The contents of the port-address table are now updated as shown below: Port
Address
1 1 2 2
B A C D
While the risk of frames that should stay on one infrastructure flowing onto the other during the learning process is small, periodically the access point updates its tables and old entries are discarded. This means it is possible throughout the day for frames to flow onto an infrastructure where they do not belong. Because by default WEP is disabled, this results in another vulnerability you need to consider.
Denial-of-Service Attacks Several types of denial-of-service (DoS) attacks can be performed against a wireless LAN infrastructure. First, because the frequencies wireless LANs use
AU1271Ch06Frame Page 193 Monday, July 15, 2002 8:51 PM
193
Security
Exhibit 8. Other Potential Wireless LAN Attack Methods Exploiting file sharing Common SNMP community names Accessing the management console Encryption attacks Theft of hardware
are well known, a short trip to Radio Shack or another electronics store can provide a person with equipment that can disrupt 2.4-GHz operations. Second, by observing the SSID, a person could write a script and generate a sufficient level of traffic that could overload the processing capability of an access point. A third denial-of-service method works only when the RTS/CTS option is enabled. In this operating environment, a station could be programmed to continuously transmit RTS packets, which in effect continuously solicit CTS responses and jam the airway. Thus, it is not difficult to deny service to wireless stations by overloading over-the-air transmission.
Other Attack Methods You need to consider additional attack methods, some of which are relevant only to certain types of equipment. Exhibit 8 lists five additional wireless LAN attack methods that we briefly discuss.
Exploiting File Sharing If a person discovers the SSID and the WEP is disabled, any wireless stations in the BSS that enable file sharing are subject to compromise. Thus, similar to a wired environment, wireless clients are open to being exploited when they activate file sharing.
SNMP Community Names High-end wireless access points as well as some combined access point/routers support the Simple Network Management Protocol (SNMP). In doing so, they include an SNMP agent that a manager can query to obtain statistics about the operation of the access point as well as possibly supporting the reconfiguration of the device. By default, most SNMP agents are read-and-write accessible using the community name “public.” Thus, it may not require a rocket scientist to use an SNMP manager program via a wireless LAN-capable station to determine the configuration of an access point and change one or more of its parameters. This could result in an interesting situation if a hacker enabled WEP with a new password.
AU1271Ch06Frame Page 194 Monday, July 15, 2002 8:51 PM
194
Building the Wireless Office
Accessing the Management Console Another attack method worth noting is the use of a Web browser or Telnet program to access the management console of an access point. Most access points include a management console capability that enables a person to view and modify the configuration of the access point. Typically on high-end access points, you can use a serial port, SNMP, a Web browser, and possibly Telnet to access the management capability of the device. Because most access points support DHCP, they use a block of RFC 1918 addresses. As most access points by default use a predefined RFC 1918 address, they are not too difficult to locate. In fact, if you point your browser to the SMC Networks Web site, you can view its product manuals and note the default IP addresses assigned to different products. By default, the RFC Class C IP address 192.168.123.254 is assigned to the Barricade wireless router. Even if a user changes that address, because the product only supports 192.168.123.0 network addresses, all a third party has to do is start at dot 1 (.1) and scan addresses up to 192.168.123.254 to locate the wireless router console. Exhibit 9 illustrates the use of a Web browser with an RCF 1918 Class C address of 192.168.123.254 that immediately provided access to an SMC Networks Barricade Broadband router. As previously noted, the Barricade represents a combined access point and router. Note on the left side of Exhibit 9 that the default system password is “admin.” Thus, if the administrator did not change this password, you have all the information you need to break into this access point.
Encryption Attacks As noted earlier in this chapter, the IEEE 802.11 standard uses an encryption system referred to as Wired Equivalent Privacy (WEP). WEP has several known weaknesses, in addition to the fact that by default it is disabled. We examine WEP in detail to discuss several flaws in the algorithm and what those flaws mean to the wireless LAN user.
Theft of Hardware A few years ago, one of the more common airport threats was not terrorists, but crooks who would work in pairs at the airport scanner. One person would go through the scanner, while the second would get in front of a person who put his laptop or notebook computer through the baggage scanner. The second member of the team of crooks would use several delay tactics to impede the computer owner from reclaiming his device in a timely fashion. The delay was typically of sufficient duration that the partner in crime was able to grab the computer and be halfway out the airport before the owner realized what had happened. While airport problems have certainly changed, unfortunately criminals as well as basic thievery have not. If an unauthorized party obtains a laptop or notebook that has a wireless LAN adapter card that was configured for use, that party has also gained knowledge of your WEP key. Thus, the
Accessing the Administrative Console of an SMC Networks Barricade Router
Security
Exhibit 9.
AU1271Ch06Frame Page 195 Monday, July 15, 2002 8:51 PM
195
AU1271Ch06Frame Page 196 Monday, July 15, 2002 8:51 PM
196
Exhibit 10.
Building the Wireless Office
The Netgear Wireless LAN Configuration Utility Program
computer owner needs to inform the LAN administrator of this fact because it is nearly impossible for the latter to have psychic powers that enable her to detect the theft of equipment outside the organization.
Understanding WEP The IEEE 802.11 standard includes an optional encryption scheme referred to as Wired Equivalent Privacy (WEP).
Overview WEP represents a shared key encryption system that requires each station within a BSS to use the same key. Because only one bit in the Control field of a MAC frame is used as a mechanism to denote whether WEP is enabled or disabled, this design configuration precludes the use of multiple encryption techniques at the MAC layer. When WEP is enabled, all stations must be configured to use the same key. Under the IEEE 802.11 standard, a 40-bit encryption key is specified. That key is used with a 24-bit initialization vector (IV), which we discuss later in this section, to produce what many vendors refer to as a 64-bit key; however, in reality it is a 40-bit key. Optionally, some vendors support a 128-bit encryption key that consists of a 104-bit encryption key and a 24-bit IV.
AU1271Ch06Frame Page 197 Monday, July 15, 2002 8:51 PM
197
Security
Exhibit 11. Using a Pseudo-Random Bit Stream to Encipher and Decipher Data Transmitter Plaintext data bits Pseudo-random bit stream Modulo 2 addition Enciphered text Receiver Enciphered text Pseudo-random bit stream Modulo 2 subtraction Deciphered text
10011 _____ 00101
00101 10011 _____ 10110
Setup Example Exhibit 10 illustrates the Netgear wireless LAN Configuration Utility program’s Encryption tab in the foreground of the dialog box. Note that WEP is disabled by default and a user is then precluded from entering a key. Netgear wireless PC adapter cards support both 64-bit and 128-bit encryption. Once an encryption method is selected, a user can create a passphrase, such as “how now the brown cow,” to configure a key or manually enter the applicable hex characters for the key. Under the 802.11 standard, up to four default keys can be configured for use by all stations to include clients and access points. Although only one key can be used at a time, the ability to have four predefined keys facilitates, for example, moving a notebook to another location.
Cipher Operation The encryption algorithm expands the WEP key into an infinite pseudo-random bit stream. WEP uses the RC4 encryption algorithm, which is technically referred to as a “stream cipher” because it expands the key into an infinite pseudo-random bit stream that is used to encrypt and decrypt data. The pseudo-random bit stream is modulo 2 added to plaintext information to create encrypted data. At the receiver, the same key is used to create the same pseudo-random bit stream whose value is modulo 2 subtracted from the encrypted data stream to restore the plaintext. Exhibit 11 illustrates an example of transmitter and receiver encipher and decipher operations. In examining the entries in Exhibit 11, note that the same pseudo-random bit stream is applied to both plaintext and ciphertext. The pseudo-random bit stream is modulo 2 added to plaintext to generate ciphertext and modulo 2 subtracted from ciphertext to reconstruct the plaintext, which results in deciphered text.
AU1271Ch06Frame Page 198 Monday, July 15, 2002 8:51 PM
198
Building the Wireless Office
Thus, the key to a secure encryption scheme is the manner by which the pseudo-random data stream is generated. Due to this, let’s turn our attention to the algorithm WEP uses — RC4.
RC4 RC4 dates to 1987 when Ronald Rivest developed the algorithm. Rivest was one of three persons who formed RSA Data Security. RSA maintained RC4 as a trade secret until September 9, 1994, when the algorithm was anonymously posted on the Internet for the public to view. RC4 is a stream cipher that supports the use of a variable-length key between 1 and 257 bytes to initialize a 256-byte state table. The resulting state table generates pseudo-random bytes whose bit stream is XORed or modulo2 added with the plaintext to generate ciphertext. Because of U.S. Government export restrictions, the RC4 key is often limited to 40 bits, although it is capable of using keys from 1 to 2048 bits in length. Because RC4 is a symmetric key algorithm, the same key is used to encrypt and decrypt data. Also, all parties to a conversation with an access point using WEP know the key being used. With this information it becomes possible to use a wireless protocol analyzer that supports the entry of the WEP key, allowing the monitor to both capture and decrypt information flowing over the wireless LAN. Another weakness of RC4 concerns its state table. This table is initialized from 1 to 256 bytes, whose contents are used for the subsequent generation of pseudo-random bytes that are XORed with plaintext to generate ciphertext. This means that it becomes possible to skip a brute-force attack and concentrate an attack against the RC4 state table. In doing so, a cryptoanalyst would attempt to identify bytes in the state table that are strongly correlated with a few bytes in the RC4 key. Such bytes in the state table are referred to as having a correlation with a weak key and provide an attack method for determining the key.
Algorithm Operation The actual operation of the RC4 algorithm is relatively easy to describe once we define some relevant algorithm components. First, the algorithm uses two indexes. The index i represents the first known index value, while j represents a second index value, such that: j = (i + j + k [i mod keylength]) mod 256 Thus, j is influenced by the value of i, the previous value of j, and the key value k [i mod keylength]. Two arrays are also essential for the algorithm. S[256] represents a state array of 256 bytes, each of which can be set from 0 to 255, yielding 256 × 256 possible states. K[0.256] represents a key array that can contain up to a 256-byte key (2048 bits).
AU1271Ch06Frame Page 199 Monday, July 15, 2002 8:51 PM
199
Security
The application of the RC4 algorithm represents a five-step process. First, the key setup requires the allocation of a 256-element array to be used as the state table. Thus, step 1 becomes: Allocate S[o]…S[255]
As a second step we fill the S array with its index value. Thus, step 2 becomes: S[0] = 0; S[1] = 1;... S[255] = 255
Next we need to use the key. Thus, we fill a second array of the same size, repeating bytes as necessary: For (i = 0; i