Friday, March 2, 2018

Chapter 2 - Inter Frame Space (IFS)

Shortest to Longest: RIFS, SIFS, PIFS, DIFS, AIFS, EIFS

Mnemonic to help remember: Really Super Powerful Dog Ate Everything

***EXAM*** The above (Shortest to longest) could be on the exam. The below are notes from my CWDP notes

SIFS (Shortest Inter Frame Space) - Used with all of the coordination functions. SIFS is the shortest of the IFS for 802.11-2007. Used prior to ACK and CTS frames. As well as in between MPDU's of a fragment burst. For 802.11n a shorter IFS (RIFS) was introduced.

RIFS (Reduced Inter Frame Space) - Introduced with 802.11n to help improve efficiency for transmissions that do not require a SIFS to a single receiver. Such as a transmission burst (CFB-Contention Free Burst.) 802.11n uses RIFS and Block ACK. RIFS is *only* used when Block ACK is enabled. When Block ACK are used data frames of a CFB can be sent continuously without stopping for an ACK. At the end of the CFB, the TX STA will send a BAR (Block ACK Request) and will/should receive a single Block ACK (BA)

DIFS (Distributed Inter Frame Space) - When a STA wants to transmit a data frame (MPDU) or a management frame (MMPDU) for the first time in a DCF (Distributed Coordination Function) network, the duration of the DIFS must be observed after the previous frames completion. DIFS are longer than SIFS and PIFS.
DIFS = SIFS + 2x SlotTime
SlotTime for 802.11a/n/ac (5 GHz) = 9μS
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 9μS with short preamble
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 20μS with long preamble
SlotTime for 802.11b/g/n (2.4 GHz – DSS ) = 20μS

EIFS (Extended Inter Frame Space) - EIFS are used by STA's that have received a frame that contained errors. By using the longer IFS, the transmitting station will have enough time to recognize the frame was no received correctly before the receiving station commences transmission. If, during the EIFS duration the STA receives a frame correctly (regardless of intended recipient), it will resume using DIFS or AIFS, as appropriate. 
 - EIFS does Have a drawback. STA's near to the AP can cause problems for STA's further away from the AP. This is because STA's close to the AP are using higher data rates, and as such higher modulation mechanisms. The STA's further away cannot demodulate these, and due to this interpret it as a corrupted frame. Making it stay quiet for the EIFS. Providing the near STA's to use DIFS or AIFS and giving it priority and getting more opportunity to transmit while the far station will remain quiet.
EIFS (in DCF) = SIFS + DIFS + ACK_Tx_Time
EIFS 802.11b/g/n devices using DSS = 364μS
EIFS 802.11g/n devices using OFDM = 160μS
EIFS 802.11a/n devices (5GHz) = 160μS
EIFS (in EDCA) = SIFS + AIFS[AC] + ACK_Tx_Time

AIFS (Arbitration Inter Frame Space) - The AIFS shall be used by QoS STAs to transmit all data frames (MPDUs), all management frames (MMPDUs), and the following control frames: PS-Poll, RTS, CTS (when not transmitted as a response to the RTS), BlockAckReq, and BlockAck (when not transmitted as a response to the BlockAckReq).
The number of slot times used in the AIFS is called the Arbitration Inter Frame Space Number (AIFSN). 802.11e specifies 4 access categories (AV_VO : Voice, AC_VI : Video, AC_BE : Best Effort & AC_BK : Background). Voice & Videocategory use 2 slottimes by default. Best Effort category use 3 slottimes where as Background traffic use 7 slottimes by default.
Below is the formula to calcluate AIFS for a given Access Category (AC)
AIFS[AC] = AIFSN[AC] × SlotTime + SIFSTime

Chapter 3 - Security Communications Brief

WPA and WPA2

It's important to remember that these are certifications by the WiFi Alliance and not from the 802.11 standard. This means that they validate that a device uses portions of the security that 802.11 provides. They both come in two forms, Personal and Enterprise. Personal is known as Pre Shared Key because it uses a PSK.

WPA has been depreciated and as such its use should be as well. It used TKIP/RC4 and again, as such, TKIP/RC4 should no longer be used either.

The Enterprise version of both WPA and WPA2 both use the 802.1x framework for authentication and key management. This framework has three primary components.
1.) Supplicant (Client STA)
2.) Authenticator (AP or Controller)
3.) Authentication Server (This is normally your RADIUS server)

The EAPoL protocol is used for communication between the Supplicant and Authenticator, and RADIUS is used between the Authenticator and the Authentication Server.

The process looks something like this

  • Client Authenticates and Associates to an AP
  • Open System Authentication takes place
  • EAP Authentication using the RADIUS server
  • 4-way handshake generates encryption keys for STA and AP
  • Encrypted communications commence.
Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.


RADIUS - Remote Authentication Dial-In User Service

RADIUS Process
  1. Access Request - Username/Password or Certificate
  2. Access Challenge
  3. Access Accept/Reject

Chapter 3 - Important 802.11 Frames

We touched a bit on these in the "Type" field but this portion of the chapter goes into them a bit deeper

Beacon Frames - We touched on these in Chapter 2 as well as other assorted places. These are used to announce BSS's for STA's that are looking for something to connect to. Beacons are transmitted (by default) every 100 time units (TU's.) A TU is typically 1024 microseconds which, when you do the math means that every 102.4 milliseconds a Beacon is being transmitted. Remember that a Beacon frame is transmitted for *every* SSID being broadcast. As such, the more SSID's you have, the more Beacon overhead you are creating. Beacon Frames are a Management Frame and as such, use the Management Frame Format. It should be noted that Beacon Frames contain a lot of information about the SSID and radio being used to broadcast it. Some of the most important of this information is the SSID name itself, the capabilities of the device (there are a few things here) and supported rates.

Beacons are sent at a target beacon transmission time (TBTT) which by default is every 100 Tus. That said, with how heavily utilized the wireless medium is, that target is often not possible, and the beacon will be sent as soon as possible after the 100 TU's has passed. It's important to remember that Beacon frames have to wait for the air to be clear before transmission as well.

Beacon filter in wireshark
wlan.fc.type_subtype == 0x08

To filter beacon frames *out* of the display use the Wireshark filter
Wlan.fc.type_subtype != 0x08

Probe Request and Probe Response Frames

Remember in active scanning, a STA will send a Probe Request, which will be answered with a Probe Response by an AP. If the probe request is sent with a broadcast SSID, any and all AP's on that channel being probed will respond with a Probe Response. Thus allowing STA's to quickly gather a view of all of the SSID's available on that channel.

Probe Request and Response Wireshark Filter
Wlan.fc.type_subtype == 0x4 *OR* wlan.fc.type_subtype == 0x5

To filter out Probe Request/Response Frames
Wlan.fc.type_subtype != 0x4 and
Wlan.fc.type_subtype != 0x5

Remember that just because a client is connected does not mean that it will stop probing. Client roaming algorithms will have a certain threshold where they will begin probing for a better AP. For example last I knew Apple iOS devices would start their probe requests at -67dBm. Now that doesn't mean that it will automatically move to something that’s stronger than -67dBm. That could result in flapping from AP to AP. Instead it requires the new AP to have a stronger connection of a certain threshold. In the iOS case (again last I knew) the new AP had to be 8dB stronger than the AP that the STA is currently connected to. That means that even if the STA had a -72dBm connection, it would  not roam unless the new AP had a signal strength of -64dBm or stronger. Unfortunately these roaming algorithms are unique to the devices. So the probing threshold and roaming threshold of each client may vary. Its important to keep this in mind when designing.

Authentication and Deauthentication Frames

Authentication frames are frames used by STA's to enter into the Authenticated State with an AP. To do so, a STA sends a single frame to the AP, which will answer back with a single frame of its own. This is the method that WPA2 uses

Deauthentication frames are used to remove a STA from an authenticated state. This can be done by either the STA or the AP. Remember that an STA cannot be associated if its not authenticated

Wireshark filter for Authentication frames
Wlan.fc.type_subtype == 0xb

To filter them out
Wlan.fc.type_subtype !=0xb

Association and Disassociation Frames

These frames are used for the STA to enter into an associated state after they have been authenticated. It's done through a four-frame exchange
-Authentication request
-Authentication response

From this point if Open System Auth is being used, then the STA can begin to use the network. If they are using 802.1X, then that process will begin at this point.

Disassociation frames will remove STA from an associated state, placing it into an Authenticated not associated state. Disassociation frmaes will include a reason for the disassociation, a smattering of vendor-specific information, and an integrity check if/when management frame protection is in use.

Wireshark Filter
Wlan.fc.type_subtype == 0x0 or 0x1

To filter them out
Wlan.fc.type != 0x0 or 0x1

Reassociation Request and Response Frames

These are used when roaming from one AP to another within the same ESS. They can also be used to reconnect to an AP which the STA was briefly connected. Only if the AP still has authentication information about the STA however. Request frames contain a plethora of information.

Wireshark filters
Wlan.fc.type_subtype == 0x2 or 0x3

To filter them out
Wlan.fc.type_subtype != 0x2 or 0x3

Request to Send (RTS) and Clear to Send (CTS) Frames

These are used to clear the PHY for the transmission of "larger" frames. When a STA wants to send a larger frame it sends a RTS. A CTS is used to respond.

Both frame types include a duration field, which is very important as it lets everyone know how long the air will be busy. The duration of a request field is made up by the data *or* management frame duration + CTS duration + one ACK duration + three SIFS

The CTS response frame also has a duration that’s measured in microseconds made up of the value of the duration field of the RTS frame - CTS duration - one SIFS

CTS-to-Self is a CTS frame that is sent without a RTS frame before it. These frames have the RA field set as their own address. These are helpful because all STAs within range will hear the frame and set their NAV timers using the duration field from the CTS frame. This is made up by the Data or management frame duration + two SIFS + one ACK

Wireshark filters for RTS/CTS frames
Wlan.fc.type_subtype == 0x1b or 0x1c

To filter them out
Wlan.fc.type_subtype != 0x1b or 0x1c

ACK Frames

These are sent to inform the transmitting device that the frame was received and are sent immediatily following data and management frames. If an ACK frame is not returned then the transmitter assumes the frame was lost and will retransmit the frame. With each retransmission the random backoff timer length is increased with a maximum of 1023. This maximum backoff timer length keeps STA's from continuously retransmitting without shifting to a lower data rate. As the book points out, its fair better to send a frame at 54Mbps and have it be received than it is to send it five times at 150Mbps before its received.

An ACK frame is a fairly simple frame. Consisting of only Frame Control, Duration, RA, and FCS subfields. It actually uses the address of the STA that sent the acknowledged frame in the RA subfield and not the address of the STA sending the ACK Frame.

Wireshark Filter
Wlan.fc.type_subtype == 0x1d

To filter them out
Wlan.fc.type_subtype != 0x1d

Null Data and PS-Poll Frames

These are used to notify an AP that the STA is awake and now able to receive frames. These are called Null Data frames since they are simply a Data frame containing no data.

Wireshark filter
Wlan.fc.type_subtype == 0x24

PS-Poll is short for Power Save Poll. These frames are also used to notify the AP that the client is awake and available for buffered frames. These include an AID.

STAs using power management will set their PM bit to 1, meaning that it will go in and out of awake and dozing states. When dozing the AP will buffer any traffic that is destined for the STA.

Client devices have a Listen Interval at the end of which the client will wake up and listen for Beacon Frames. If the client hears a beacon with its AID containing a 1 bit it will send a PS-Poll frame requesting that the AP send it its buffered data. Which it will do one frame at a time. If there is more data the More Data bit will be set to 1. Each time the client will send a new PS-Poll until there are no more buffered frames at which point the Client STA can return to a sleep state.

Rather than send a PS-Poll back to the AP to request each individual frame that is buffered, clients can also flip the PM bit to 0. This will cause the AP to send all of its buffered data down to the STA as if it was a normal client. Once this transmission is complete, it will flip its PM bit back to 1 and go back to sleep. This is *not* a 802.11 standard operation, but is an operation that is used by many client devices which reduced a lot of unnecessary airtime eaten up by the PS-Poll frames.

In a WMM Power Save queue frames are downloaded using a Trigger-and-delivery mechanism. WMM-PS is set for each AC separately. This allows for more frequent data transmission for those applications that require them.

Trigger frames are actually data frames that are ACK'd by the AP. This means that a STA can send data to the AP while at the same time triggering the delivery of any buffered frames that the AP may have for the client device.

If the AP has multiple buffered frames for the client, the AP can send those frames during an EDCA transmit opportunity that has interleaved ACK's. Meaning that a burst of frames can be sent down rather than individual.

PS-Poll Wireshark filter
Wlan.fc.type_subtype == 0x1a

To filter them out
Wlan-fc-type_subtype !=0x1a

Chapter 3 - 802.11 Frame Types

Management Frames - These frames are aptly named since they are used to help manage the air. They do so by announcing  information regarding the WLAN, and also have certain actions that they can perform. Below is a list of management frames and a description to go along with them.
  • Beacon - This is used by the AP to advertise information about the BSS
  • Probe - This is used by clients so that they can actually find a BSS/SSID to connect to.
  • Association - A client uses an association frame to go associate to an AP and therefore start communicating through it.
  • Disassociation - The opposite of association.
  • Reassociation - If a client is already associated to an AP, it can reassociate to another AP on the same ESS.
  • Authentication - These frames come prior to association and are used to authenticate a STA to an AP.
  • Deauthentication - The opposite of authentication.
  • Action - These frames can trigger various actions within the cell they are being broadcast on.

Control Frames - You might be sitting there thinking… wait, whats the difference between Management and Control. Don't those two words mean vaguely the same thing? Well, you're not wrong. But you can differentiate it as - Management frames mangage the WLAN, where Control frames orchestrate the air itself. Take a look at some of the common Control Frame types below and I think you'll understand what I'm saying.
  • ACK - These are your normal ACKs, acknowledging the receipt of a frame
  • RTS - Request To Send
  • CTS - Clear to Send - These frames are used to clear the PHY for the transmission of another frame.
  • BlockAckReq - This is a type of frame used to request a block ACK
  • BlockAck - Rather then send an ACK for every individual frame, a BlockAck can acknowledge multiple frames that were sent in a row.
  • Control Wrapper - These are frames that include an HT Control Frame while carrying other Control Frames as well

Data Frames - For the most part these carry data. They will have a the entire header for whatever MAC/PHY is being used, and then the MSDU. There are however some "Null Data" frames, that quite literally mean there is 0 data contained. These are used for various control functions relating to power management. Further, there are data frames that do not have QoS and use standard DCF, as well as QoS Data frames, which utilize EDCA.

PCF Frames - As we've noted a couple of times, PCF isn't actually in use. However this frame type is documented in the standard. The book calls out the fact that for the exam you should know that the 802.11n standard brought with it the ability to use a CF-End frame to show that despite owning the TxOP it has no more data to send.

Chapter 3 - 802.11ac Frame Fields

802.11ac Frame Format

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

Duration/ID - As implied by its name, this field actually has two purposes. The first is that it can contain the duration of the frame itself. The duration is used to set the NAV timer by other clients. The AID is used when PS-Poll frames are transmitted to tell the AP that the transmitting STA is awake and that it can send any buffered frames the STA has waiting.

Address 1, 2, 3, 4 - Depending on if the frame is being transmitted with an IBSS, from an AP to a STA, STA to an AP, or as part of a mesh network, these addresses can indicated different things as shown below.

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016

In the table above RA is the Receiver Address, and DA is the Destination Address. TA is the Transmitting Address, and SA is the Source Address. It may seem like some of these are redundant. However remember that the MAC address of the AP radio is often going to be different than the BSSID. Or in the case of a mesh, the RA is the next "hop" in the mesh, where the DA is the intended final recipient of the frame.

Sequence Control - This is a 16-bit field that’s used to help orchestrate fragmented frames in a transmission to help alleviate duplicate frames in the case that they arrive. It's made up of two parts. First is the 4-bit fragment number and second is a 12-bit sequence number. The sequence number remains the same for every fragmented MSDU, giving each frame making up that fragmented MSDU the same sequence number *but* a different fragment number. This allows the receiving device to know what MSDU the frame is from, and if it has already received that piece of the puzzle and know what order they should go in as sometimes they can be received out of order. The Sequence numbers start at 0, and for every fragmented MSDU that needs breaking up and transmitting, it goes up by 1 until it reaches 4095 and then it just starts again.

QoS Control - This is another 16-bit field that classifies the frames category for queuing. The first three bits in this field map to a value of 0 to 7 which signifies the 802.11e User Priority (UP) for the frame. This field is also called the Traffic Indicator (TID). Remember that the eight UP's map to the 4 Access Cateories (AC) set forth by the WiFi Alliances WMM Certification. Also remember that The lower the number, the lower the priority. For example 1 and 2, are AC_BK (WMM Background) which is the lowest prioity. Fun fact, the lowest of the numbers (0) maps to Best Effort which is a step above Background. This is because in making the mapping, they wanted it to be backwards compatible with non-QoS devices, but not completely hamstring them just because they weren't QoS capable.

HT Control - This 16-it field specifies certain HT and VHT capabilities. Such as antenna selection and beamforming.

Frame Body - This field contains the actual payload (MSDU) that’s being transmitted. When the field is encrypted, it will add overhead to the field. Either 20 or 16 bytes of overhead depending on if TKIP/RC4 (20 bytes) or CCMP/AES (16 bytes) is being used.

FCS - Frame Check Sequence - This field is used to detect if there have been issues in the communication of the frame. A Cyclic Redundancy Check (CRC) is used over the entire MAC Header and Frame Body. The receiving STA will run a CRC and should come up with the same FCS to determine if anything has gone wrong during transmission.

Chapter 3 - 802.11ac Frame Fields - Frame Control

802.11ac Frame Format

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

Frame Control - The first part of the frame is the Frame Control field, and understandably since it sets a number of incredibly important parameters about the frame. We'll touch on a the individual fields of the Frame Control field below. First though, here is a picture of what the Frame Control field looks like and what its components are.
 Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

Protocol Version - This is always set to 00. This is to indicate if there is an incompatible version, but as of right now,  no incompatible versions exist.

Type - This defines the frame type, whether the frame is a management, control, or data frame, and what the subtype is. List of Frame Types and Subtypes are below, along with their associated bits.

Association Request
Association Response
Action NO ACK
Control Wrapper
Block ACK Request
Block ACK Request
Standard Data Frame
Null Data Frame
QoS Data
QoS Null Data Frame

To DS/From DS - These are one bit each and determine where the frame is coming from, and where it is going to. Whether its going from a STA to an AP, or from an AP and destined for a STA, or, in the case of an IBSS, going from one STA to another STA.

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

More Fragments - This subfield indicates whether the current frame being transmitted is part of a fragmented frame. Remember that frames can be fragmented if its size is over that of the fragmentation threshold (default of 2346). Basically it takes a large frame and breaks it into smaller pieces. Although this can lower speed and add overhead, it also increases the probability that the frame will actually be received in a dirty RF environment. Further, if a retry does take place, it will normally only have to resend a single fragmented frame. Rather than the entire large frame.

Retry Field - Retries occur when the transmitting station sends a frame, but does not receive an ACK. It will then resend the frame (when it can get back on the air) and this resent frame will have the Retry Field set to 1. This is useful for a number of reasons. For the receiving device it eliminates duplicate frames. It also has the added benefit of being helpful in tracking the amount of retries in the environment to see if there are any issues. A WiFi protocol analyzer will often have a report that can hone in on this bit to provide you reports on the retry amount/percentage.

Power Management Field - When power management is used by a STA, this field is set to 1. Indicating the mode that the STA will be in after if its finished transmitting the frame. With this in mind, AP's will never transmit with this bit on since they don’t enter Power Save mode. When an AP receives a frame from an STA with this bit set to 1 it knows that it needs to buffer subsequent data destined for that STA since it's in a power save mode. Once the STA wakes up, it will transmit all buffered data down to it.

More Data - This could also be called the "STAY AWAKE!" field. When this field is set to 1 it indicates that the AP has more frames buffered for a STA. Therefore the STA doesn't go to sleep before receiving all the data the AP has buffered for it.

Protected Frame Field - If the field is set to 1 it means that the MSDU is encrypted. If it is set to 0 it means that there is no MAC sublayer encryption being used.

Order Field - In a non-QoS Frame this is set to 1 to indicated that the frame includes an MSDU. It is also set to 1 in a QoS data or management frame to show that the frame also contains an HT Control field. This gives HT capable devices the heads up to decode the HT Control field.

Chapter 3 - Ethernet Frame Format Notes

Most Significant Bit (MSB) - Also known as the high order bit. These are the left-most bit, or bits. A great example that the book uses is that in a PS-Poll frame, the Duration/ID field carries either the Duration, or the AID (association identifier.) If the MSB's are set to 11 then the following bits represent the AID. If the single MSB is set to 0 then the following bits will be the duration of the frame.

Least Significant Bit (LSB) - This is the right most bit since its (normally) going to be in the furthest right position. Fun factoid the book points out that I never realized in my years of binary. This is the bit that determines if the value will be even or odd… don't know how I never realized that before.

Most Significant Bit First (MSBF) - Pretty straightforward, when receiving the MSB will come in first and the LSB will be last.

Least Significant Bit First (LSBF) - The opposite of MSBF with the least significant bit coming in first. Which is what 802.11 and 802.3 use

Octet - 8-bit Byte

In an octet the least significant is denoted as b0 and the MSB is denoted as b7

802.3 frame diagram

Carpenter, Tom. CWAP: Certified Wireless Analysis Professional: Official study guide: Edition CWAP-402. Certitrek Publishing, 2016.

Preamble - Just because a frame is getting sent on the wire doesn’t mean that it doesn’t need a preamble. This is to alert the receiving device that a frame is incoming and to synchronize it so that the timing is… well, synchronized. The ethernet preamble is 7 repeating octets of 10101010 - This is how they would be received, which, remember is Least Significant Bit First, so the first bit is actually the left-most bit.

SFD - The SFD comes right after the Preamble is a single octet that’s 10101011. The pattern might look vaguely similar, and its because its basically the same as the preamble pattern, only with its MSB being a 1 rather than a 0. This 11 pattern rather than the preambles 10, tells the receiver that the MAC frame is incoming.

Destination Address (DA) and Source Address (SA) -  These are the MAC addresses of the receiver and the transmitter respectively. You'll notice that above it says that the are 6 octets (48-bits) a piece. Which would make sense since MAC addresses are 48-bits long. However!!! Did you know that really only 46 of those bits are unique? The remaining two are for I/G (individual address or group address) and for U/L (globally administered address or locally administered address)
  • These bits are the two LSB's in the first octet of the MAC address (U/L = b1 and I/G = b0). So when you are looking at a MAC address they are the two right most bits in the first octet which his in the OUI section.
  • Broadcast address consists of the 46-bit address being made up of all ones.

By Inductiveload, modified/corrected by Kju - SVG drawing based on PNG uploaded by User:Vtraveller. This can be found on Wikipedia here., CC BY-SA 2.5-2.0-1.0,

Type/Length Field - Nowadays this is mostly used to dictate the type of client protocol, however it could also specify the length of the MAC Client Data. The most commonly used ethertypes are IPv4, ARP, LLDP, and EAP over LAN

Data Field - This is the actual payload from the upper layers. The maximum payload size is 1500 bytes, however you will see 1518 bytes noted, but this is including the DA/SA, Length/Type, and FCS fields, which all add up to 18 bytes.

FCS - This is used to check the integrity of the frame. It contains a cyclic redundancy check value. Its important to note that the CRC bits in the FCS field (say that 5 times fast) are actually transmitted with the MSB first. Which is different from the rest of the ethernet frame which is transmitted with the LSB first and ending with the MSB.

Extension - This field is used when the frame would be less than a full slot time in the PHY being used. Essentially it adds padding to ensure that a frame fills a slot time.

Chapter 2 - WLAN Architectures

Single MAC Model - This is sometimes called Edge, Autonomous, or Standalone because in this model the AP's are intelligent and can handle all 802.11 services by themselves. AP's in this model are often called "Fat" not due to their weight or girth, but because their brethren below are called "Thin" AP's

Split MAC Model - This architecture requires a controller to handle many of the MAC layer operations. This is why its often called a "Centralized" Model. Because much of the traffic is send back to a "central" controller. As noted above, AP's in this model are often called "thin" AP's. Some may go as far as to say they are "dumb" AP's. But I don't condone bullying.

Chapter 2 - 802.11e and WMM

Wireless networks have become the primary method of network connectivity for many organizations. As such they need to be able to handle the various applications that wired networks have evolved to handle over the years. This includes latency sensitive applications such as voice and video. To this end, the 802.11e amendment was written and implemented. It details various MAC procedures to support these various applications that have QoS requirements

802.11e brought with it two new types of STA's - QoS Access Points and QoS Stations. These are pretty straightforward. Basically what it means is that they are AP's or STA's that can support QoS, but can and will act as a normal (non-QoS) AP or STA if they need to.

QoS STA's must support the following:
  • QoS Functions - Obviously
  • Channel Access Rules - With 802.11e came EDCAF which is a new coordination function for channel access and something I'll go into a bit more in depth in a minute
  • Frame Formats and Frame Exchanges
  • Managed Objects

EDCAF - Enhanced Distributed Channel Access Function - 802.11e brought with it an enhancement to DCF to allow for certain priority levels to be applied to certain types of traffic. This allows traffic with a higher priority to be able to take control of the medium before traffic of a lower priority. It doesn't guarantee it, but it makes it more probable.

EDCAF has eight traffic categories, each with a User Priority (UP) from 0 to 7.

The Wi-Fi Alliance decided at some point that they needed to make a certification before the 802.11e standard was fully ratified. So they created the Wireless Multimedia (WMM) certification which was based on the draft version of 802.11e. It is currently in use for VoWiFi devices.

Chapter 2 - State Machine Story

So let's put this whole thing into a story using some of the metaphors I alluded to in the previous entry regarding State Machine. Imagine if you will, there is a client device. Let's call him Stan (get it? STAn? Nothing? Well anyway…) Stan is walking down the street looking for a place to eat dinner. In this world the restaurants all have a person outside yelling the name of the restaurant and its specialties. (This is the AP's beaconing) Stan hears a restaurant name that he thinks sounds delicious and walks up. The person outside the restaurant asks him what the password is. But poor Stan doesn't know it. So he meanders along. He turns the corner and doesn't hear anyone yelling restaurant names for a minute. So he decides to yell out and ask if any are out there (Active Probing) all of a sudden he's bombarded with restaurants who are answering his call for food. He chooses the one closest to him and walks up to the doorman outside. The doorman says to him that this isn't one of those hoity-toity restaurants that requires a passcode and probably limits the amount of food you can eat. This is a public place, so come in and have your fill. (Open System Authentication) So Stan is allowed (authenticated) into the restaurant. Inside the foyer of the restaurant there is a host who makes sure that Stan meets the bare minimum criteria of eating there. This is an old place with very old and basic requirements, and Stan being a younger up-to-date person easily meets them. The host then allows him on through to the inside of the restaurant. Upon walking through the door, Stan not only feels like he has been Authenticated, but he feels like he has a place he is truly associated to.

Thursday, March 1, 2018

Chapter 2 - 802.11 State Machine

"State Machine" would be a great name for a punk band don’t you think?
There are three states that clients can be in according to the 802.11 standard

  • Unauthenticated/Unassociated
  • Authenticated/Unassociated
  • Authenticated/Associated

The first state, Unauthenticated/Unassociated basically means that the STA is not connected to the WLAN. Any frames sent are not passed on through the AP.

The second state, Authenticated/Unassociated is a rarely seen one. Essentially the client device has already given the doorman the secret handshake and shown him their membership ring and at this point is allowed into the foyer. Normally they are passed quickly through to the next state. However there are times when the AP may be at capacity or some other issue may arise where although they are Authenticated, they are not allowed entrance. At this point they are normally kicked back out to the Unauthenticated state.

The third state Authenticated/Associated means the client has made it past the foyer and has made their way into the wondrous world of the LAN.

Association Response Frame - When the AP sends the association response frame to the client it includes a status code. This is kind of like a college acceptance letter. You know you are going to get a letter of some kind back from the college, but you aren't sure what will be inside. If the status code is a 0 then you're association request was successful, or to further metaphor you were accepted to the college! Congratulations! There are a couple other status codes that indicate that you unfortunately didn’t make the cut for a number of reasons. If it’s a 12, then its something outside the standard. Maybe the admissions persons dog ate your application or something. If it’s a 17, that means that the AP is full and is serving the maximum number of STA's. Basically the college would love to accept you, but the fire warden says that they are full. If its an 18 though… an 18 means that the STA does not support all of the basic rates that the BSS requires. To continue with our metaphor, your SAT scores were too low.

***EXAM*** The above will more than likely be on the exam, so I'm just going to put it quickly here without the metaphor

Status Code 0 - Association request succesful
Status Code 12 - Association rejected due to something outside the standard
Status Code 17 - Association rejected because the AP is full
Status Code 18 - Association rejected because the STA doesn’t support all the minimum requirements

Chapter 2 - Terms from CWNA to Review

Station (STA) - Any 802.11 wireless addressable unit. This could be a client station *or* an AP.

Basic Service Set (BSS) - The basic building block of an 802.11 wireless network. Composed of at least one Station (STA) that has initiated a service set, and possibly more stations have joined that service set. A BSS is usually initiated by an AP and then joined by client stations.

Basic Service Area (BSA) - The area containing the members of a Basic Service Set (BSS). It may contain members of other BSSs. 

Basic Service Set Identifier (BSSID) - The 6-12 octet (12 hex characters) MAC address representation that identifies a BSS. A single AP's radio can support multiple BSSs using a unique BSSID for each. 

Independent Basic Service Set (IBSS) - A Basic Service Set (BSS) that forms a self-contained network, and in which no access to a distribution system (DS) is available. IBSS networks also lack a central coordination point, such as an AP. An IBSS is also often called an Ad Hoc or Peer-to-Peer network.

Extended Service Set (ESS) - A set of one or more interconnected basic service sets (BSS)

Distribution System (DS) - A system used to connect LANs and BSSs to create an ESS. This is normally the ethernet network of the company. 

Distribution System Medium (DSM) - The medium used to communicate between APs and portals of an ESS.

Service Set Identifier (SSID) - The network name of a BSS or ESS as known and identified by users.

Portal - The logical point at which the integration service (translation from one format to another) is provided

Chapter 2 - Scanning Methods

Active Scanning with Probe Request and Probe Response frames

To connect to an AP, you first must find it. To do so, there is a discovery process that needs to take place. Like many things, you can actively look for them, or you can just sort of… find them… passively.

Active Scanning
When STA's actively look for SSID's they send out Probe Requests. These probe requests can specify the SSID that they are looking for, or look for any BSS that is able to hear the request and will answer. Basically "Hey Frank, you there?" versus " Is there anybody out there?"

AP's that hear these requests respond with probe response frames. These are essentially beacon frames, containing almost all of the same information except for the TIM element. If an AP hears a request with a wildcard SSID, it will respond with a probe response containing all of its SSIDs.

There are a couple of important things to note here. Often, a STA will be within "hearing-range" of multiple AP's. So if that STA sends out a probe request *all* of the AP's that can hear it will respond. Also important to remember is that your AP's are all going to be on different, non-overlapping channels. (Right?!?) So to be able to find those AP's the STA will have to broadcast its probe request on all channels its configured to use. However even this is a little bit of an oversimplification. The actual process looks more like this.

1.) STA switches to a channel
2.) It starts a ProbeDelay countdown timer, while this is ticking by it is listening for an incoming frame.
3.) If the ProbeDelay timer expires without the STA hearing a frame. It will gain access to the medium and send a probe request. (Remember even when its just looking for an AP, it still has to be a good steward of the medium and ensure its not being used before broadcasting.)
4.) Wait for the MinChannelTime to pass - If the medium was never busy and nothing responds, then there is no WLAN on the channel and it can move to the next channel and start its search over again. However if the medium was in fact busy at some point it will wait until the MaxChannelTime expires and then will look at any probe response frames that have come in.

Passive Scanning

Remember that Beacons are sent from AP's in regular intervals. So in order to find AP's all a STA needs to do is sit there and listen for beacons to find AP's to connect to. If it hears multiple beacons it will parse through them to determine the AP with the strongest signal and start the authentication and association process.