AUERBACH PUBLICATIONS
AUERBACH PUBLICATIONS
A CRC Press Company Boca Raton London New York Washington, D.C.
This edition published in the Taylor & Francis e-Library, 2005. To purchase your own copy of this or any of Taylor & Francis or Routledge's collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.
Dedication
Being on the faculty of a school of higher education has both privileges and responsibilities. In addition, it provides an author with a human laboratory of inquisitive minds that enable different presentation concepts to be tested and refined. The ability to teach at Georgia College and State University is a truly enjoyable experience. I have been fortunate to have students with a mixture of backgrounds that have provided different views concerning the operation and utilization of both wired and wireless LANs. Recognizing that learning is a two-way process, this book is dedicated to the students at Georgia College and State University as well as the person who provided me with the opportunity to teach there. Thus, to Dr. Harry Glover I would like to both publicly say thank you and dedicate this book to him.
Contents
  Address Classes  121
    Rationale  122
    Class Addressing Overview  122
    Class A Addresses  123
    Class B Addresses  125
    Class C Addresses  125
    Class D Addresses  126
    Class E Addresses  127
  Dotted Decimal Notation  127
  Basic Workstation Configuration  128
  Reserved Addresses  131
  Subnetting  133
    Overview  133
    Subnetting Example  133
    Host Restrictions  135
    The Zero Subnet  136
    Internal Versus External Subnet Viewing  136
    Using the Subnet Mask  137
  Multiple Interface Addresses  139
  Address Resolution  140
    Ethernet and Token Ring Frame Formats  141
    LAN Delivery  141
    Address Resolution Operation  142
    ARP Packet Fields  142
    Locating the Required Address  143
    Gratuitous ARP  143
    Proxy ARP  143
    RARP  144
ICMP  144
  Overview  144
    The ICMP Type Field  145
    The ICMP Code Field  145
  Evolution  145
The Transport Layer  146
  TCP Overview  148
  The TCP Header  148
    Source and Destination Port Fields  148
    Multiplexing and Demultiplexing  149
    Port Numbers  149
    Well-Known Ports  150
    Registered Ports  150
    Dynamic or Private Ports  150
    Sequence and Acknowledgment Number Fields  151
    Hlen Field  152
    Code Bits Field  153
    Window Field  153
    Checksum Field  154
    Urgent Pointer Field  154
    Options Field  154
    Padding Field  154
Connection Establishment  155
  Connection Function Calls  155
  Port Hiding  155
  Passive OPEN  156
  Active OPEN  156
  The Three-Way Handshake  156
    Overview  157
    Operation  157
  The TCP Window  158
  Avoiding Congestion  159
    TCP Slow Start  160
    The Slow-Start Threshold  160
  TCP Retransmissions  161
  Session Termination  161
UDP  162
  The UDP Header  162
    Source Port and Destination Port Fields  163
    Message Length Field  163
    Checksum Field  163
    Operation  163
    Applications  164
The DNS  164
  The Domain Name Structure  165
  The Domain Name Tree  165
  The Name Resolution Process  166
    Data Flow  166
    Time Consideration  168
  DNS Records  168
  Checking Records  169
Diagnostic Tools  170
  Ping  170
    Operation  170
    Implementation  170
    Using Windows NT Ping  171
  Traceroute  173
    Operation  174
    Using Windows Tracert  174
    Tracing a Route  175
    Applications  176
  NSLOOKUP  177
    Operation  177
    Viewing the SOA Record  179
    Protecting Server Information  179
  Finger  179
    Format  180
    Security Considerations  181
    Applications  181
6 Security  183
Security Risks  183
  Architecture  184
  The Role of the SSID  184
  Insertion Attacks  186
  Monitoring Attacks  186
  Masquerade  188
  Broadcast Monitoring  191
  Denial-of-Service Attacks  192
  Other Attack Methods  193
    Exploiting File Sharing  193
    SNMP Community Names  193
    Accessing the Management Console  194
    Encryption Attacks  194
    Theft of Hardware  194
Understanding WEP  196
  Overview  196
  Setup Example  197
  Cipher Operation  197
  RC4  198
    Algorithm Operation  198
  WEP Key Definition  199
Authentication Methods  200
  Open Authentication  200
  Shared Key  200
  MAC Address  201
  Vulnerabilities  201
    The IV  202
    Attack Methods  202
    Using the IV  203
Enhancing Wireless Security  204
  MAC Address-Based Authentication  204
  Use Dynamic WEP Keys  204
  LEAP Authentication  205
  Using Secure Sockets  206
  The VPN Solution  206
  Bar Code Authentication  206
  The IEEE 802.1x Standard  207
    Overview  207
    Cisco Implementation  208
    Orinoco Implementation  209
  Router Access Control  209
  Shielding  210
  Advanced Features  227
    Card Testing  228
    Link Test  228
Cisco Aironet  231
  Aironet Client Utility  231
  Configuring the Client  231
    System Parameters Tab  231
    RF Network Tab  233
    Home Networking Tab  234
    Network Security Tab  235
    Advanced Settings  236
  Interesting Product Features  237
Netgear MR314 Wireless Router  238
  System Settings  238
    System Name  238
    Password  238
    DDNS  239
    LAN Setup  239
    RIP Support  243
  Wireless LAN Setup  243
  Port Forwarding  245
  Static Route  245
  Content Filter  247
  Other Features  247
SMC Networks Barricade Wireless Router  247
  Router Access  249
  Access Control  249
  Virtual Server  251
  DMZ Host  251
  Remote Administration Host  254
  Administrative Timeout  254
  Discard Ping  254
  Nonstandard FTP Port  254
Interoperability  256
  WEP Key Considerations  256
Index  263
Acknowledgments
As the author of several books, I learned a long time ago that the placement of my name on the jacket only tells part of the publication story. The actual publication of a book represents a team effort, first requiring a publisher to approve an author's proposal. Thus, I would be remiss if I did not once again thank Rich O'Hanley at Auerbach Publishers for backing another of my proposals. Once a proposal is accepted the major effort begins. No matter how knowledgeable an author is, there is the need to research many topics and to review the latest information concerning evolving technology. This effort must be performed as the author drafts a manuscript, resulting in long evenings and weekends during which information is checked and rechecked and concepts are verified to ensure readers are provided with accurate information. Needless to say, this effort plays havoc with family life. Thus, I would also be remiss if I did not acknowledge the support of my wife, Beverly, during the time I literally went into hibernation to draft the book you are reading. Due to a travel schedule that takes me to many interesting areas around the globe, I learned long ago that no matter what electrical outlet adapter set I purchased, I would more than likely encounter an incompatibility that would result in my notebook battery reaching a discharge state. Based on the preceding, I write my books the old-fashioned way using paper and pen to draft a manuscript and provide rough drawings of illustrations that must then be converted into a professional manuscript. Once again, I am indebted to Linda Hayes and Susan Corbitt for converting my handwritten notes and drawings into a professional manuscript. When a manuscript arrives at a publisher, it is proofed, edited, and typeset. Artwork is set, captions are placed, and galley pages are produced, which after verification form the basis for the book you are reading. Once again, I literally take off my hat to the behind-the-scenes workers at CRC Press whose efforts made this book a reality.

Gilbert Held
Introduction
The objective of this book is to provide you with information you can use to efficiently and economically construct a wireless office. That office can range in scope from two computers sharing information over the air, to the interconnection of hundreds to thousands of wired and wireless LAN products. In this book we focus our attention on many key topics associated with the construction of a wireless office. Such topics include, but are not limited to, site selection, equipment interoperability, equipment acquisition, and their installation and operation. In addition, we discuss several areas associated with wireless security as well as the use of different products and even some common sense that will minimize the possibility of our communications being literally read by unauthorized parties. This book was written for a wide audience of readers. If you are a small office manager, LAN manager, network manager, or even a home computer user and are considering the use of wireless LANs or need to use them more effectively and efficiently, this book is for you. In this book we learn how wireless LANs operate, the difference between currently available and emerging products, and why new wireless LANs that operate at higher data rates may not be suitable or cost-effective for many organizations. While the primary focus of this book is on the construction of a wireless office, we also examine why the technology may not be suitable for some organizations, based on different operational requirements and operational environments. However, for the majority of readers wireless LANs hold a considerable number of utilization advantages that make this area of communications into a high growth area. As a professional author who has spent a lifetime researching technology and explaining its use, I welcome reader feedback. Please feel free to contact me either through the publisher whose address is on the cover of this book or via email at gil_held@yahoo.com. Let me know if I spent too much or too few words on a particular topic, if I missed a topic of interest, or any other comments you may have concerning the material covered in this book. Your feedback is a valuable source of information that allows me to tailor my research and writing efforts and I truly appreciate your comments.
Chapter 1
Exhibit 1. (figure: a PCI bus-based wireless network adapter)
Exhibit 2. (figure: the SMC Networks 2632W EZ Wireless PC Card)
Exhibit 2 illustrates the SMC Networks 2632W EZ Wireless PC Card, which is a stand-alone wireless network adapter fabricated for insertion into a Type II PC Card slot included in just about all modern laptop and notebook computers. The left portion of the PC card is inserted into a Type II slot, resulting in the dark portion of the right of the card that represents the antenna protruding from the slot. If you compare Exhibit 1 to Exhibit 2, you will note that the PCI bus-based network adapter shown in the first illustration represents the PC card mounted on the PCI bus-based network adapter form factor. The third form factor wireless LAN adapter cards use is fabrication into a housing that has a USB connector. This permits the wireless LAN adapter to be used with some of the more modern computers that have a limited number of available system unit expansion slots but typically include four or five USB ports. Exhibit 3 illustrates the Agere Systems Orinoco USB client wireless network adapter. By cabling this stand-alone wireless network adapter to a USB port on a desktop or laptop, you can eliminate the necessity to open your desktop computer or obtain the ability to free up a Type II slot on a laptop or notebook for a different type of PC card while converting your computer into a wireless station or participant on a wireless LAN.
Access Point
An access point can be considered to represent a bridge between a wired and wireless network. In fact, the access point functions as a LAN bridge, broadcasting frames that flow on the wired LAN on the air while frames received over the air are transmitted on the wired LAN. Exhibit 4 illustrates the SMC Networks 2655W EZ Connect 11 Mbps wireless access point. Designed for both business and residential use, this access point has a maximum operating range of 1800 feet and can support up to 64 clients or stations. Because the access point obtains power over a wired Ethernet connection, no separate power cable is required. Thus, as a simple plug-and-play wired to wireless Ethernet bridge, you only need to cable the access point to your wired infrastructure to extend that infrastructure via RF communications. In examining Exhibit 4, note the dual antennas on the access point. The use of dual antennas permits the better of two signals received to be selected, which can reduce the adverse effects associated with the reflection of signals off different types of objects as they propagate toward a receiver.

Exhibit 3. (figure: the Agere Systems Orinoco USB client wireless network adapter)
Exhibit 4. (figure: the SMC Networks 2655W EZ Connect 11 Mbps wireless access point)
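The bridging behaviour just described, modelled as an added example (this is not code from the book or from any of the vendors named in it): a toy transparent learning bridge with a "wired" port and an "air" port. The MAC addresses and frames are constructed sample data. The model shows why every broadcast or unknown-destination frame on the wired LAN is also transmitted over the air, the exposure the Broadcast Monitoring entry in the Contents refers to, while unicast traffic between two wired stations stays on the wire once the bridge has learned where both of them are.

```python
"""Toy model of an access point acting as a transparent learning bridge.

Added example, not code from the book. Two ports: 'wired' and 'air'.
The bridge learns which port each source MAC address was last seen on and
forwards unicast frames to that port; broadcast frames and frames for a
destination it has not yet learned are flooded to the other port.
All addresses and frames below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str  # label standing in for the data carried


class AccessPointBridge:
    PORTS = ("wired", "air")

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}                   # MAC -> port last seen on
        self.transmitted: List[Tuple[str, Frame]] = []    # (out port, frame) sent

    def receive(self, in_port: str, frame: Frame) -> List[str]:
        """Process one frame arriving on in_port; return the ports it was sent out on."""
        if in_port not in self.PORTS:
            raise ValueError(f"unknown port {in_port!r}")
        self.table[frame.src] = in_port                   # learn the source
        other = "air" if in_port == "wired" else "wired"
        if frame.dst == BROADCAST or frame.dst not in self.table:
            out_ports = [other]                           # flood to the other segment
        elif self.table[frame.dst] == in_port:
            out_ports = []                                # filter: same segment
        else:
            out_ports = [self.table[frame.dst]]           # forward to the learned port
        for port in out_ports:
            self.transmitted.append((port, frame))
        return out_ports


def payloads_sent_over_air(bridge: AccessPointBridge) -> List[str]:
    """Everything a station listening on the air side could have received."""
    return [f.payload for port, f in bridge.transmitted if port == "air"]


def demo() -> List[str]:
    ap = AccessPointBridge()
    wired_pc = "00:00:00:00:00:01"       # constructed addresses
    wired_server = "00:00:00:00:00:02"
    laptop = "00:00:00:00:00:03"
    # 1. A wired station broadcasts (as an ARP request would): goes out over the air.
    ap.receive("wired", Frame(wired_pc, BROADCAST, "arp-request"))
    # 2. The reply is wired-to-wired; the bridge has learned wired_pc, so it filters it.
    ap.receive("wired", Frame(wired_server, wired_pc, "arp-reply"))
    # 3. The laptop talks to the server: forwarded from air to wire.
    ap.receive("air", Frame(laptop, wired_server, "http-get"))
    # 4. The server answers the laptop: forwarded from wire to air.
    ap.receive("wired", Frame(wired_server, laptop, "http-response"))
    # 5. Wired-to-wired unicast between learned stations never reaches the air.
    ap.receive("wired", Frame(wired_pc, wired_server, "file-copy"))
    # 6. Unicast to a not-yet-learned destination is flooded, so it is heard on the air.
    ap.receive("wired", Frame(wired_pc, "00:00:00:00:00:09", "unknown-unicast"))
    return payloads_sent_over_air(ap)


if __name__ == "__main__":
    for label in demo():
        print("seen over the air:", label)
```

Running the script prints arp-request, http-response and unknown-unicast: the two wired-only exchanges (steps 2 and 5) never leave the wire, but anything the wired side broadcasts, and any unicast whose destination the bridge has not yet learned, is radiated for every wireless listener in range.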
Types of Networking

Two basic types of wireless LAN networking are available: ad hoc and infrastructure. In an ad hoc networking environment, two or more clients communicate with one another without having to use an access point. The top portion of Exhibit 5 illustrates an example of ad hoc networking.
Exhibit 5. (figure: top, ad hoc networking between clients; bottom, infrastructure networking with clients communicating through an access point)
The second type of wireless LAN networking is referred to as infrastructure networking. In this networking environment, clients communicate with one another or wired devices through the facilities of an access point. The lower portion of Exhibit 5 illustrates a wireless LAN infrastructure networking configuration. A note must be made about the access point antenna shown in the lower portion of Exhibit 5: while only one antenna is shown on the access point, some wireless devices (to include LAN adapters and access points) have two. The device includes intelligence either in firmware or software that examines the signal received by each antenna and selects the better of the two received signals. The technical name for dual antennas is space diversity.
Wireless Bridge
We previously noted that an access point operates as a gateway between a wireless and wired network. From a technical perspective, an access point actually functions as a bridge; we examine its operation later in this book. Thus, with this fact in mind, you might be a bit perplexed as to how a wireless bridge differs from an access point. We can view a wireless bridge as a wireless gateway between LANs. While similar to an access point, the wireless bridge commonly consists of two components: a base station and a directional antenna. The base station can be considered to represent an access point without an antenna that is cabled to a wired LAN. The base unit is also cabled to a directional antenna, with the latter typically mounted on the outside of a building. Through the use of a very sensitive directional antenna, it becomes possible to extend the transmission distance of a wireless LAN. That extension can be from a few thousand feet up to approximately ten miles, with the latter based on obtaining a line-of-sight capability between each wireless bridge antenna. Exhibit 6 illustrates the use of a pair of wireless bridges to interconnect two wired LANs. Perhaps to make the role of a network manager or LAN administrator more interesting, it is worth noting other terms used to reference a wireless bridge. Some vendors refer to this device as an outdoor router or outdoor point-to-point router, while other vendors use the term gateway to reference this functionality. Thus, a detailed examination of a product specification sheet may be in order to determine how a particular product is designed to function.

Exhibit 6. (figure: two wired LANs interconnected by a pair of wireless bridges; each hub connects to a base unit that is cabled to a directional antenna)
Exhibit 7. (figure: schematic of a generic wireless router with a three-port Ethernet switch)
Wireless Routers
Another wireless LAN networking device we briefly discuss in this section is the wireless router. In actuality, the wireless router represents an access point that includes a routing capability and may include a built-in Ethernet switch capability. Exhibit 7 illustrates a schematic of a generic wireless router that includes a three-port Ethernet switch. The box labeled Cable/DSL in Exhibit 7 provides a connection to a cable or DSL modem. That connection is usually accomplished through the use of a 10/100 Mbps Ethernet port; however, some wireless routers may use a USB connection. The three-port Ethernet switch permits the wireless router to be connected to individual computers via an individual Ethernet port or to a wired LAN. The dual space diversity antennas provide the wireless router with its over-the-air transmission and receptor capability, enabling the device to function as an access point. The light-emitting diodes (LEDs) provide various types of status information concerning the operation of the wireless router as well as its individual ports. Similar to different names being used for wireless bridges, vendors also use different terms to denote a device with the functionality of a router and access point. Exhibit 8 illustrates the Agere Systems Orinoco RG-1000 broadband gateway that combines an access point and several router features to enable the sharing of DSL or cable modem access to the Internet. The RG-1000 includes a virtual private networking (VPN) capability that can be used to secure communications through the Internet.
Exhibit 8. Agere Systems Orinoco RG-1000 Broadband Gateway
Exhibit 9.
create a double-capacity network. The access server works in tandem with a RADIUS server located on the wired network to provide authentication, authorization, and accounting (AAA). By identifying individual users before allowing them to access the network and by periodically changing encryption keys, the AS-2000 significantly secures a network. This brief examination of wireless hardware devices is included to provide all readers with a minimum level of knowledge concerning the basics of wireless LANs so that we can obtain a better appreciation for the rationale for wireless LANs presented in the next section of this chapter. This brief examination is far from all-inclusive, and, in fact, we probe much deeper into the operation and utilization of different wireless devices throughout this book. That said, we use the preceding information as a foundation to appreciate some of the advantages associated with the use of this evolving technology. Thus, in the next section in this chapter, we turn our attention to the rationale for the use of wireless LANs.
Economics
One of the key advantages associated with the utilization of wireless LANs is economics. A large portion of economic savings associated with the use of this technology results from the ability to use the air instead of having to cable clients to a hub in a wired LAN environment. By minimizing the need for conventional metallic-based twisted pair wiring, you avoid not only the cost of the wire, but also the cost of installing the wire. The latter can represent a significant expenditure, especially if in an office environment you need to install a conduit to run the twisted pair wiring to satisfy building codes.
Exhibit 10. Using a Wireless LAN to Move without Requiring Additional Hardware or Software
Exhibit 11. Access Points Communicating with One Another Interconnected via a Wired LAN (a client roams between two Basic Service Sets (BSSs); the BSSs linked together by the Distribution System (DS) form an Extended Service Set (ESS))
Roaming
Exhibit 11 illustrates the installation of a second access point to extend the coverage of a wireless LAN. Each access point has an area of coverage referred to as a basic service area (BSA). Stations that communicate with one another form a basic service set (BSS). Thus, in Exhibit 11, two BSSs and two BSAs are shown. Note that each BSA can be considered an isolated island; however, the wired LAN serves as a mechanism to interconnect the separate BSSs. In doing so, the wired LAN represents a distribution system (DS) and the interconnected BSSs form an extended service set (ESS). The ability of a wireless client to move from being serviced by one access point to another is referred to as roaming. The ability to effect roaming between areas within a building or on a campus depends on the connection of access points to a wired LAN that provides an infrastructure to interconnect access points. By providing organizational employees with the ability to roam throughout an organization, you enhance their productivity. For example, an employee with a notebook working at her desk could pick up her computer and carry it to a colleague's office within the building, to the lunchroom, or to another location within the service area of another access point and regain access to the corporate network. Thus, wireless LANs provide a significant advantage based on their support of roaming. In fact, as we note later in this chapter, you can take your notebook on the road and access your corporate network, check Internet e-mail, or perform other communications functions through the use of public portals in airports and hotels that provide wireless communications access to the Internet. In fact, a few words are in order concerning two vastly different commercial organizations that use wireless LANs: the Microsoft Corporation campus and individual Starbucks coffee shops.
Microsoft Corporation has networked its Redmond, Washington, campus through the installation of wireless access points at appropriate locations on its campus. Employees can easily move from one office or from one building to another with their notebook computer and remain connected to the corporate network, improving employee productivity as they move about the corporate campus. When this book was prepared, Starbucks was in the process of installing combined wireless LAN router/access points in its coffee shops throughout the United States and possibly at some overseas locations. Each store will have a high-speed Internet connection. The wireless router installed in each store will enable customers with a notebook that has a wireless network adapter card to surf the Internet. Thus, it now becomes possible to enjoy a bagel and cappuccino while you surf the Internet at Starbucks.
Proliferation of Standards
A few years ago, only one wireless LAN standard existed: the IEEE 802.11 standard. That standard defined three transmission methods that could be used to construct a wireless LAN at data rates of 1 Mbps or 2 Mbps. Transmission methods defined under the IEEE 802.11 standard are infrared, frequency hopping spread spectrum (FHSS), and direct sequence spread spectrum (DSSS). The latter two methods evolved from military research and spread a signal, which makes it more difficult to jam. In a civilian environment these techniques minimize interference from electrical disturbances, such as electromagnetic interference created by machinery, lighting ballasts, and even electric pencil sharpeners. The basic 802.11 standard was quickly supplemented by the 802.11b specification that defined the use of DSSS at data rates of 1, 2, 5.5, and 11 Mbps. While an 11-Mbps data rate may be sufficient for home or small office environments, it is often insufficient if a large number of employees within a given area require wireless connectivity. Thus, another addition to wireless LAN standards was the IEEE 802.11a specification. Under the 802.11a specification, wireless LAN operations now occur in a frequency band that is essentially double that of the prior standards. Because high frequencies attenuate more rapidly than low frequencies, this means that the highest data rate of the 802.11a specification, which is 54 Mbps, is only possible for a significantly shorter distance than 802.11- and 802.11b-compatible equipment. This also means that to extend wireless coverage over an area equivalent to that supported by the prior standards requires a significant increase in the number of access points, which increases the cost of wireless coverage. Perhaps recognizing the limitation of the evolving high-speed wireless LAN standard, the IEEE began work on a modification to the 802.11b standard that would boost its data rate to 22 Mbps. Similar to a scene in the movie The Lion in Winter, you are now faced with a task similar to that of the queen played by Katharine Hepburn. The queen, when asked by the king to know the facts, retorted: "Which one? There are so many." Although we certainly do not reside in the time of King Arthur, when considering the use of wireless LANs we need to consider the proliferation of standards and the selection of equipment that will satisfy both our immediate and future requirements, topics we describe and discuss later in this book. However, for now, the proliferation of standards makes our decision criteria more difficult and can be considered to represent a disadvantage associated with the use of wireless LANs.
Security
Unlike a wired LAN, where illicit monitoring requires a person to obtain a physical connection to a network, wireless LANs communicate over the air. This means that any person with a notebook or desktop computer, wireless LAN adapter card, and appropriate decoding software represents a threat. If you read one of a series of articles published in 2001 in The New York Times or The Wall Street Journal concerning wireless LAN security, you probably became aware of the saga of two men in a van that roamed the parking lots of Silicon Valley corporations. Without requiring anything but off-the-shelf hardware and software, the parking lot duo was able to easily read the communications of many major corporations. The ease by which these gentlemen were able to read the communications of others is based on the fact that, by default, the encryption capability of wireless LANs is disabled. Even if enabled, the encryption that wireless LANs use has been found by several researchers to be weak, providing persons with the ability to decrypt intercepted encrypted communications. At the time this book was prepared, several proprietary solutions were available to minimize this problem, and the IEEE was finalizing a new standard, referred to as the 802.1x standard. This standard will provide a mechanism for authenticating wireless clients. Later in this book we examine the security aspects of wireless LANs in detail, but for now we can note that this key area represents a factor that you must consider and that can be considered a disadvantage associated with the use of wireless LANs.
Applications
The diversity of applications that can be supported through the use of wireless LANs represents another rationale for their use. Although we briefly described the use of wireless LANs on the Microsoft Corporation campus and in Starbucks coffee shops, let's probe a bit deeper and discuss several additional applications that can provide the rationale for using wireless LANs.
Home Use
At first thought, not many persons use a wired LAN in a home environment, so it might be a bit difficult to believe that the use of wireless LANs can be a valuable asset in the home. However, when we consider the advantages associated with the use of wireless LANs as well as a few of the features built into wireless routers, this technology becomes well suited for use in a home environment. According to many market research organizations, over 35 million homes in the United States have Internet access. Of that population, only eight million homes have either cable modem or digital subscriber line (DSL) modem access to the Internet, with the remainder and vast majority of current usage based on conventional modem dial-up access. However, projections indicate that cable modem and DSL access will triple over the next few years, while the population of dial-up modem users will decrease. Because over half of all homes with cable or DSL modem access have multiple computers, an economical, easy-to-use mechanism that provides the ability for multiple computers to obtain simultaneous Internet access could find a ready market. In the past, several methods were developed for in-home computer sharing of peripherals to include modems that provide Internet access. Most of those methods were based on the use of the in-home electrical system or telephone wiring. Due to interference as well as the need for filters, neither method received any significant degree of acceptance. Recognition of the potential market for an easy-to-use communications system that would allow multiple computers to simultaneously access the Internet via a single cable modem or DSL modem connection resulted in the development of the wireless router or gateway. That router or gateway includes as a minimum a network address translation (NAT) capability and typically includes a variety of additional features.
Some features simplify administration of an in-home wireless LAN, while other features typically add a degree of security to home computers accessing the Internet via the wireless router. Exhibit 12 illustrates an example of a wireless router in the kitchen of a home that enables the home user to access the Internet via a computer located in the kitchen as well as via computers in a home office and den. Because most Internet service providers (ISPs) either provide a single, nonchanging IP address, referred to as a static IP address, or lease an IP address for a predefined amount of time, a mechanism is required to share that static or leased address among multiple computer users. That mechanism is network address translation (NAT), which, when implemented in most wireless LAN environments, enables up to 253 client computers to share one IP address. Later we examine how NAT works and why most implementations provide support for up to 253 clients. In examining Exhibit 12, let's assume the happy homeowner has cable TV and installed a single cable modem in the kitchen. Because three computers are in the home, the ability to obtain high-speed Internet access for each computer would normally require the homeowner to acquire two additional cable modems as well as pay two additional ISP monthly usage fees. This could result in a one-time cost of $400 and a monthly service charge of $80 for the two additional computers, assuming cable TV outlets were available in each room. If not, there would be an additional charge to wire coaxial cable to the den and home office. A second option is to install a conventional router and Ethernet hub in the kitchen and wire the computers in the den and home office to the hub in the kitchen. This action would require acquiring conventional Ethernet network adapters for all three computers as well as acquiring the router and hub. Assuming each network adapter card costs $100 and the router and hub or a router with three built-in Ethernet ports costs $250, the cost of the hardware would be $550. You would then need to string twisted pair wire from the kitchen to the den and to the home office. A third option is the one shown in Exhibit 12, in which a wireless router with one or more built-in Ethernet ports provides communications support for up to 253 computers. A wireless router for use in the home can be expected to cost approximately $250, while each wireless LAN adapter card might cost $100. Because you would need two wireless LAN adapter cards and one wired Ethernet card for the computer in the kitchen, your hardware cost would be $550. Not only is this cost less than the cost of two additional cable modems and a few months of service, in addition, it provides considerably more flexibility. For example, assume one evening your son or daughter comes home from college and wants to work upstairs using the home Internet access. All your son or daughter has to do is pick up a computer in the den or home office and take it upstairs to his or her room. In comparison, in a wired environment you might spend hours or days recabling your home. Similarly, if one evening you have the urge to send or receive e-mail while in bed, you could once again pick up a computer in the den or home office and relocate it. Thus, the use of a wireless LAN in a home environment is both a cost-effective mechanism for allowing multiple computers to obtain simultaneous access to the Internet as well as a flexible networking method.
Exhibit 12. A Wireless Router in the Kitchen of a Home Providing Internet Access to Computers in Other Rooms (Den, Bedroom)
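The address-sharing mechanism described above, and the 253-client figure, can be checked with a short model. The following Python is an added example written for this page, not code from the book or from any router vendor: it counts the addresses a /24 private subnet leaves for clients once the network address, the broadcast address and the router's own address are set aside, and it models the per-connection port mapping a home router uses to let many private hosts share one public address. It also shows the side effect the text calls "a degree of security": an inbound packet that matches no client-initiated mapping has nowhere to go and is dropped. The private network 192.168.1.0/24, the public address 203.0.113.7 and the packets are constructed sample values.

```python
"""Model of port-based network address translation (NAT) in a home router.
Added example; not the book's code and not any vendor's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def usable_client_addresses(lan: str = "192.168.1.0/24", router_addresses: int = 1) -> int:
    """Addresses left for clients after removing the network address, the
    broadcast address and the router's own address(es).  For a /24 that is
    256 - 2 - 1 = 253, the figure quoted in the text."""
    net = ipaddress.ip_network(lan, strict=True)
    return net.num_addresses - 2 - router_addresses


@dataclass(frozen=True)
class Packet:
    """The four header fields NAT rewrites; payload is irrelevant here."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Maps each (private ip, port) flow to a distinct port on one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port            # next unused public-side port
        self.out_map: Dict[Tuple[str, int], int] = {}    # (priv ip, priv port) -> pub port
        self.in_map: Dict[int, Tuple[str, int]] = {}     # pub port -> (priv ip, priv port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace the private source with the shared public
        address and a port that identifies this flow.  Two clients using the
        same private source port still get distinct public ports."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: rewrite a reply back to the private host that
        created the mapping.  Return None (drop) when no mapping exists; this
        is why unsolicited connections from the Internet do not reach LAN
        hosts behind a NAT router unless forwarding is configured."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_map.get(pkt.dst_port)
        if key is None:
            return None
        private_ip, private_port = key
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> dict:
    """Constructed scenario: two home computers reach the same web server."""
    nat = Nat("203.0.113.7")                              # constructed public address
    kitchen = Packet("192.168.1.10", 51000, "198.51.100.20", 80)
    den = Packet("192.168.1.11", 51000, "198.51.100.20", 80)   # same source port
    out_kitchen = nat.outbound(kitchen)
    out_den = nat.outbound(den)
    reply_to_den = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.7", out_den.src_port))
    stray = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.7", 22))  # no mapping
    return {
        "clients": usable_client_addresses(),
        "out_kitchen": out_kitchen,
        "out_den": out_den,
        "reply_to_den": reply_to_den,
        "stray": stray,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 253 figure falls out of the /24 arithmetic alone; a router that also reserves addresses for a guest network or a DHCP exclusion range offers fewer. The `Nat` class keeps only the minimum state (no timeouts, no protocol distinction), which is enough to show why two hosts with the same private source port cannot collide on the public side and why a packet with no matching mapping is discarded.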
Hospital
When I first commenced my career in information technology, I worked on a clinical laboratory system for use in hospitals. That system was based on the use of a minicomputer, with terminal devices ranging in scope from now-obsolete automatic send receive (ASR) teletypewriters that were the size of a small desk to analog-to-digital (A/D) converters that functioned as sensors for reading the results of different specimens gathered from patients. While the clinical laboratory system provided a mechanism to enhance hospital employee productivity, it never achieved a significant degree of successful implementation. Perhaps one reason was the fact that as a wired system it was difficult to move terminals to where they could be used. If we fast-forward to the modern era, the use of wireless LANs in a hospital environment provides the capability to move A/D converters and computers to where they are needed. For example, it is now possible for a nurse to move a cart with medications from room to room and use a computer with a wireless LAN adapter on the cart to note patient medication as it is dispensed. As that information flows back to a server on the hospital LAN, patient data and billing records can be updated in near-real-time. Updated patient records greatly benefit doctors and nurses as they make rounds. In addition, doctors can update patient information using terminal devices they can carry or those available at locations on a hospital floor that use wireless communications to access one or more servers on the wired LAN. We can expect the use of wireless LANs to gain momentum in hospitals.
College Campus
As a technical consultant to a local college I was asked a few years ago to recommend new technologies the college should consider and the applications the technologies could support. At the top of my list was wireless LANs, as their use could significantly boost productivity of college employees as well as alleviate some awkward and potentially dangerous situations. Let me explain. A few times each year the local college would have a special event that required computers to be placed in the gym for registration. Such events as Parents Day, Alumni Day, and normal semester student registration required cables to be routed from a hub located in the athletic office onto the gym floor. Although the cables were taped to the floor, inevitably someone would trip over a cable. In addition, when it came time to remove the cable, a bit of residue would remain on the wood floor, which required some old-fashioned elbow grease to remove. Thus, the installation of a wireless LAN access point in the athletic office would permit computers with wireless LAN adapter cards to be installed on the gym floor without requiring any cabling or after-use cleanup. In addition to facilitating registration, the use of wireless LANs provides colleges with the ability to rapidly respond to ad hoc faculty requirements for computer support. For example, assume 20 students register for a course that only 12 were expected to attend. Assuming the course requires hands-on computer access as well as the ability to access the college server or the Internet, the decision criteria might normally be to add cabling to support eight additional computers. However, if a hub does not have eight additional ports, a significant network upgrade might be required to accommodate the additional computers. This could be both costly and time-consuming. However, if an access point is cabled to the hub, it becomes possible to support not only the eight additional computers, but a significant additional number as well should it become necessary. By stacking several access points and a few dozen wireless LAN adapter cards, it becomes possible for the college to respond to rapidly evolving networking requirements.
Office Support
Suppose you work in an office building. In most offices, networking support is currently provided via conventional wired LANs. This means if your office is relocated to another area within the building, it could be hours or even days until network support is provided at your new location. This also means that you would not have any significant degree of flexibility if you picked up your computer and carried it into the conference room or another location and needed to access network resources, unless the network manager previously anticipated the need for such access and wired certain areas within the building for LAN support. Even when a building is wired to anticipate the need for local flexibility, you can more than likely expect a group of employees from another office to periodically attend a conference at your location. When this situation occurs, you may literally find yourself at the short end of a set of cables when the group of visitors take their notebooks out of their carrying cases and attempt to gain access to the network.
Recognizing the previously described problems resulted in some organizations installing wireless LAN access points in conference rooms as well as at strategic locations within a building. This action enables employees who work in the building as well as employees from other locations visiting the building to easily gain access to the local network via wireless transmission from most, if not all, areas within the building. On both an economic and a flexibility basis, the use of a wireless LAN can be better suited to satisfy expanding network requirements than a wired LAN. However, it is important to note that for many organizations the wireless LAN should be viewed as a supplement for an existing wired LAN and not as a replacement. This is because wireless LANs operate only for relatively short distances at data rates half to approximately one tenth that of Fast Ethernet. For a large organization to migrate from a wired to a wireless environment, the cost may be prohibitive to obtain the same level of service as employees have when using a wired infrastructure. However, if an organization is relocating to a new building that does not have a wired infrastructure, the economics associated in comparing the use of a wired LAN versus a wireless LAN could change. Thus, similar to the use of any technology, you need to carefully examine the current networking situation and perform a study of the environment where networking support will be required. Doing so will allow you to determine if you should use wireless LAN technology as a supplement for the use of a wired LAN infrastructure or if the wireless LAN should represent your organization's local network.
Portals
During 2001, a new type of network infrastructure became part of the vocabulary of some travelers. That network infrastructure is referred to as a portal and can be found in hotels, airports, and many commercial offices in cities. In fact, the placement of wireless LAN access points in Starbucks coffee houses turns those locations into Web portals, as they provide customers with the ability to wirelessly access the Internet. A wireless portal can be considered to represent a location that supports wireless LAN access and provides a network connection to another network, with the other network most commonly being the Internet. Although most portals are constructed for the use of travelers, a new type of portal was beginning to receive a significant degree of interest when this book was written. That portal is a free public Internet access portal some communities are establishing in urban areas. For example, an apartment house could entice tenants by establishing a high-speed Internet cable modem or DSL modem connection into the landlord's apartment or office. By adding a wireless LAN router, support for up to 253 apartment dwellers could be provided, enabling residents to gain high-speed Internet access without having to face another monthly bill. Thus, in the commercial world, free public portals could be used as a selling point that would differentiate one type of apartment or community living from another.
Now that we are aware of the applications wireless LANs can support, we conclude this chapter with a preview of the material presented in succeeding chapters. As previously mentioned, you can use this information as is or in conjunction with the Index or Table of Contents to locate information of immediate interest.
Book Preview
This book consists of eight chapters, and although each chapter was written to be as independent as possible from the other chapters, it is recommended that you read the material in the order in which it is presented. This is especially true for readers with a limited background in networking or network technology.
IEEE Standards
Continuing our examination of wireless LANs, Chapter 3 focuses on the IEEE family of LAN standards. Chapter 3 first discusses the basic methods of networking wireless LANs support. Then it examines several IEEE wireless LAN specifications. As we examine each specification, we focus on obtaining an appreciation for the characteristics of equipment that conform to the specification.
third party to intercept our network activity. Although we examine the setup and enabling of the Wired Equivalent Privacy (WEP) Protocol in this chapter, we defer a detailed discussion of wireless security until Chapter 6. This will allow you to review the TCP/IP protocol suite and certain key concepts associated with securing a wireless LAN.
Security
Chapter 6 examines several methods that can be used to secure our wireless LAN from different threats. It examines the role of WEP and its deficiencies, the use of access servers, and other protection methods. In addition, because it is common to use a wireless LAN to obtain shared access to the Internet, it also looks at the use of stand-alone firewalls and built-in firewalls incorporated into wireless routers as a mechanism to secure Internet access.
The Future
No book on an evolving technology would be complete without a peek at the future. Chapter 8 sharpens our crystal ball and peers into the future to obtain a look at what is on the horizon and how we might be able to make use of evolving technology. Now that we have an appreciation for where we are headed, let's begin our journey. Thus, let's turn the page and begin our exploration of wireless LANs by examining the technology and terminology associated with LANs that use the air as the transmission medium.
Chapter 2
Frequency
The term frequency is used to denote the number of periodic oscillations or waves that occur per unit time. Wireless devices, to include wireless LANs, operate at a predefined frequency or set of frequencies within a band that is defined by a regulatory agency. In the United States, that regulatory agency is the Federal Communications Commission (FCC). Later in this chapter we describe and discuss its role in regulating wireless LAN communications.
Exhibit 1. Two Sine Waves: 1 Hz (top) and 2 Hz (bottom)
Frequency
To obtain an understanding of the term frequency, let's visually examine a periodic oscillation or wave. Exhibit 1 illustrates two oscillating waves, each occurring at a different frequency. As a brief reminder for those who never took a course in physics or took the course many years ago, let's discuss the sine wave. A sine wave represents an oscillating wave that varies in height from zero to a maximum value and back to zero for one half of its cycle. Then the wave becomes negative for the second half of the cycle, ranging in value from zero to a minimum value and back to zero. Returning to Exhibit 1, note that the top portion illustrates a sine wave operating at exactly one cycle per second. Thus, over a two-second interval it would have two cycles, over a three-second interval it would have three cycles, etc. Note that the term cycles per second (cps) in general has been replaced by the synonymous term Hertz, abbreviated Hz, used in honor of the German physicist. The lower portion of Exhibit 1 illustrates the same sine wave after its oscillation rate was doubled to 2 Hz. From an examination of Exhibit 1, we can note a relationship between the oscillation rate of a signal and the time required for a signal to be transmitted over a distance of one wavelength. The time required for a signal to be transmitted over a distance of one wavelength is referred to as the period (T) of a signal. From Exhibit 1 we note that the period or duration of a cycle is inversely proportional to the frequency of a wave. That is, as the frequency increases, the period decreases. Similarly, as the frequency decreases, the period or duration of the wave increases. Thus, if T represents the period of a wave and f represents its frequency, the relationship between the two can be denoted as follows:
$T = 1/f$
The preceding formula expresses the period of a wave in terms of its frequency. We can also express the frequency of a wave in terms of its period. Doing so, we obtain:
$f = 1/T$
The previously presented mathematical relationships, as well as the role of regulatory agencies and a bit of physics, are important for understanding the role of frequency in communications. As previously noted, the FCC regulates the use of frequency in the United States, while other regulatory authorities perform a similar function in other countries. Over the years many bands of frequency were allocated for different purposes, such as AM and FM radio, satellite television, air traffic control, and similar activity. While the operation of communications transmitters is regulated to ensure, for example, that one station does not interfere with another, several frequency bands were set aside for unlicensed activity. Although the FCC and other regulatory authorities limit the power of transmitters in such bands, the fact that they are unlicensed means that any person or organization can purchase equipment for use in those bands without having to obtain a license to use such equipment. These unlicensed bands reside in the very high frequency range, expressed in billions of cycles per second. This means that such waves have very short periods. In addition, because high frequencies attenuate more rapidly than low frequencies, this means that the transmission range of wireless LANs that operate in high-frequency bands is normally limited to short distances. Now that we understand the relationship between the frequency and period of an oscillating signal and some constraints associated with high-frequency signals, let's turn our attention to two related terms: wavelength and bandwidth.
Wavelength
One common term used to reference the period of an oscillating signal is wavelength. The wavelength of a signal is usually defined by the use of the Greek letter lambda ($\lambda$). The wavelength of a signal is obtained by dividing the speed of light ($3 \times 10^{8}$ m/sec) by the frequency of the signal in Hertz. The result is the wavelength of an oscillating signal in meters (m). That is,
$\lambda\,(\mathrm{m}) = (3 \times 10^{8}) / f\,(\mathrm{Hz})$
In the wonderful world of communications, wireless transmission occurs at very high frequencies, resulting in very small wavelengths. As a refresher for those of us who may be a bit rusty remembering prefixes for the powers of ten, Exhibit 2 provides a list of seven common prefixes and their meanings. As we note later in this chapter, when considering the use or when using wireless LANs, we commonly encounter such terms as megahertz (MHz) representing millions, or $10^{6}$ Hertz, and gigahertz (GHz) representing billions, or $10^{9}$ Hertz.
Exhibit 2. Common Prefixes for Powers of Ten and Their Meanings

Prefix    Meaning
nano      1/1,000,000,000 (billionth)
micro     1/1,000,000 (millionth)
milli     1/1000 (thousandth)
kilo      1000 (thousand)
mega      1,000,000 (million)
giga      1,000,000,000 (billion)
tera      1,000,000,000,000 (trillion)
Returning to the previously presented formula for wavelength, it should be apparent that you can adjust the numerator and denominator of the equation. Doing so permits you to compute the wavelength in terms of Hertz, kilohertz, megahertz, and gigahertz. The following example illustrates how we can adjust the numerator and denominator of the equation for wavelength. Note that both the numerator and denominator are adjusted by a factor of 10^3 as we move from left to right in the following series of equation relationships.

λ (m) = (3 × 10^8)/f (Hz) = (3 × 10^5)/f (kHz) = 300/f (MHz) = 0.3/f (GHz)

As previously noted by the relationship between frequency and period, we can also define the frequency of a signal in terms of its wavelength. In doing so, we obtain:

f (Hz) = (3 × 10^8)/λ (m)

Because we can compute the wavelength in terms of varying frequency units, we can also compute frequency in terms of a rescaled speed-of-light constant. As we rescale the constant, we adjust the unit of the frequency, which results in frequency defined in terms of Hz, kHz, MHz, and GHz. This is illustrated below:

f (Hz) = (3 × 10^8)/λ (m)
f (kHz) = (3 × 10^5)/λ (m)
f (MHz) = 300/λ (m)
f (GHz) = 0.3/λ (m)

We can use two rules of thumb to simplify the computation of wavelength based on knowledge of the operating frequency of a device. These rules of thumb are useful as they define wavelength in terms of frequency in the gigahertz (GHz) range, which is where modern wireless LANs operate. The first rule of thumb to expedite computations is to estimate the wavelength in centimeters (cm). To do so you would use the following equation:

λ (cm) = 30/f (GHz)

To illustrate the use of the preceding relationship, let's consider the frequency of 2.4 GHz, which represents the beginning of one modern wireless LAN communications band of allocated frequencies. Then, the wavelength of the 2.4-GHz signal becomes:

λ (cm) = 30/2.4 (GHz) = 1.24 cm

For English measurements, we can estimate the wavelength in units of feet (ft) as follows:

λ (ft) = 1/f (GHz)

Returning to the preceding example where the frequency is 2.4 GHz, the wavelength then becomes ~0.4, or 0.041 ft. For those not familiar with the metric system, it should be noted that there are 2.54 cm per inch, which results in 1 cm = 0.3937 in. Thus, the wavelength of a 2.4-GHz signal is also equivalent to 1.24 cm × 0.3937 in./cm, or 0.488 in. The preceding equations can be used to explain the length of antennas. For example, the U.S. Navy maintains a fleet of ballistic missile submarines that can stay submerged for weeks or months. During the time the submarines are submerged, they periodically need to communicate with a base station. To do so, a submarine will unwind a length of wire as an antenna that can be several miles long, as underwater communications occur via a low-frequency transmission system. At very low frequencies, the wavelength is very long, requiring a very long antenna to be deployed. In comparison, wireless LAN devices commonly operate in one of two GHz frequency bands. This results in the oscillating signal having a very short wavelength and explains why such devices can be fabricated with relatively short antennas. In fact, in the wonderful world of antenna design, it is quite common for an antenna wire to be spaced a half wavelength from another antenna to obtain a space diversity capability.
This explains why an embedded antenna consisting of several short wires separated by a small distance can reside within the PC card form factor used to fabricate a common type of wireless network adapter card designed for insertion into a Type II slot commonly built into laptop and notebook computers. Later in this chapter, we examine antennas suitable for the bands where wireless LAN devices operate.
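The following Python is an added example, not code from the book. It applies the wavelength and frequency relationships presented above: the exact form λ (m) = (3 × 10^8)/f, the rescaled kHz/MHz/GHz forms, the two rules of thumb λ (cm) = 30/f (GHz) and λ (ft) = 1/f (GHz), and the 2.54 cm per inch conversion. The unit table and the half-wavelength spacing helper are my additions, the latter motivated by the remark on space diversity antennas.

```python
"""Wavelength and frequency conversions for the relationships in the text.

Added example (not from the book). lambda (m) = c / f with c = 3 x 10^8 m/s,
the rescaled kHz/MHz/GHz forms, the two rules of thumb, and cm-to-inch
conversion. UNIT_TO_HZ and half_wavelength_spacing_cm are my additions.
"""

C_M_PER_S = 3.0e8        # speed of light, as rounded in the text
CM_PER_INCH = 2.54       # conversion constant given in the text

# Multipliers that turn a frequency in the named unit into Hertz (my addition).
UNIT_TO_HZ = {"Hz": 1.0, "kHz": 1e3, "MHz": 1e6, "GHz": 1e9}


def wavelength_m(freq, unit="Hz"):
    """Wavelength in metres for a frequency given in Hz, kHz, MHz or GHz."""
    if unit not in UNIT_TO_HZ:
        raise ValueError(f"unknown frequency unit {unit!r}")
    if freq <= 0:
        raise ValueError("frequency must be positive")
    return C_M_PER_S / (freq * UNIT_TO_HZ[unit])


def frequency(wavelength_metres, unit="Hz"):
    """Inverse relationship: frequency in the requested unit from a wavelength in metres."""
    if wavelength_metres <= 0:
        raise ValueError("wavelength must be positive")
    return C_M_PER_S / wavelength_metres / UNIT_TO_HZ[unit]


def wavelength_cm_rule(freq_ghz):
    """Rule of thumb from the text: lambda (cm) = 30 / f (GHz)."""
    return 30.0 / freq_ghz


def wavelength_ft_rule(freq_ghz):
    """Rule of thumb from the text: lambda (ft) = 1 / f (GHz)."""
    return 1.0 / freq_ghz


def cm_to_inches(length_cm):
    """1 cm = 1 / 2.54 in (about 0.3937 in), as stated in the text."""
    return length_cm / CM_PER_INCH


def half_wavelength_spacing_cm(freq_ghz):
    """Element spacing for a space-diversity antenna pair: half a wavelength.

    Assumption (mine, not the book's): the exact formula is used rather than
    the rule of thumb, and the result is reported in centimetres.
    """
    return wavelength_m(freq_ghz, "GHz") * 100.0 / 2.0


if __name__ == "__main__":
    for f_ghz in (2.4, 5.15, 5.825):
        print(f"{f_ghz} GHz: {wavelength_cm_rule(f_ghz):.2f} cm, "
              f"{cm_to_inches(wavelength_cm_rule(f_ghz)):.2f} in, "
              f"{wavelength_ft_rule(f_ghz):.3f} ft")
```

Running the script prints the wavelength for the bottom of the 2.4-GHz band and for the edges of the 5-GHz ISM allocation in centimeters, inches and feet, which makes the short-antenna point concrete.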
Bandwidth
Bandwidth represents a range of frequencies, not a single frequency. If fH is the high frequency in a band of frequencies and fL is the low frequency, then the bandwidth becomes:

B = fH − fL
Wireless LANs transmit at a predened frequency; however, that frequency can vary based on the modulation method and coding technique employed. Thus, an appreciation of the bandwidth used by wireless LANs requires us to turn our attention to modulation techniques.
Modulation Methods
By itself, a radio frequency oscillating signal, such as a sine wave, conveys no intelligence per se. That is, at a receiver we can note signal continuity as we are receiving a signal; however, other than the fact that the receiver received a signal, we cannot determine any information from the signal. Thus, for the signal to convey information, it must be changed. The process of changing a signal to impress information on it is known as modulation. Three basic methods are employed to modulate an oscillating signal. That signal, which for illustrative purposes will be a sine wave, is represented mathematically by the following equation:

a = A sin(2πft + θ)

where
a = instantaneous value of voltage at time t
A = maximum amplitude
f = frequency
θ = phase

The sine wave we modulate for illustrative purposes will then carry or convey information. Due to this, it is then known as a carrier signal. Thus, the carrier's characteristics that can be altered are the carrier's amplitude, which results in the process of amplitude modulation; the carrier's frequency, which results in the process of frequency modulation; and the carrier's phase, which results in the process of phase modulation.
Amplitude Modulation
A simple method of modulation is to vary the magnitude of a signal from a zero or low level, to represent a binary zero, to a higher peak-to-peak voltage level, to represent a binary one. Exhibit 3 illustrates an example of the use of amplitude modulation to encode a digital data stream into an appropriate series of analog signals. In this example, the amplitude-modulated signal is varied from zero, to represent a binary 0, to the voltage level Vo, to represent a binary 1. Because Exhibit 3 shows a shift between two levels of amplitude, this type of amplitude modulation is also referred to as amplitude shift keying (ASK), as the amplitude shifts from one value to another based on the binary value of the data to be modulated. Because noise has a greater effect on amplitude than on frequency, amplitude modulation is very rarely used by itself to transmit data. Instead, amplitude modulation is commonly used in conjunction with phase modulation, which results in quadrature amplitude modulation (QAM), described later in this chapter. Because frequency modulation is less susceptible to noise impairments, some of the earliest methods used to convey information were based on shifting a signal between two frequencies in tandem with the binary value of the data to be modulated, a technique referred to as frequency shift keying.

Exhibit 3. Amplitude Modulation

Exhibit 4. Frequency Modulation
Frequency Modulation
The process of frequency modulation references how frequently a signal repeats itself at a given amplitude. One of the earliest examples of the use of frequency modulation was in the design of low-speed modems. The resulting design caused the modem to shift operation between two frequencies based on the value of each bit in a digital signal. That is, for each bit set to a value of binary 1, the modem would generate a tone at frequency f1; while for each value of binary 0 in the digital data stream, the modem would generate a tone at frequency f2. This type of frequency modulation under which the frequency is shifted between two tones is referred to as frequency shift keying (FSK). Exhibit 4 illustrates an example of frequency modulation. Because only two frequencies are used and frequency is shifted from one tone to another, Exhibit 4 also illustrates FSK.
Exhibit 5. Phase Modulation

Phase Modulation
A third type of modulation results in the variation of a carrier signal with respect to the origin of its cycle. This type of modulation is referred to as phase modulation. Exhibit 5 illustrates an example of phase modulation. In this example the bottom signal is shown 180 degrees out of phase with the top signal. As you might expect, if only two phases are used for modulation, the process is referred to as phase shift keying (PSK). By altering the phase of a signal, it becomes possible to encode multiple bits into a single signal change. From a technical perspective, the rate of signal change is referred to as the baud rate, while the data transmission rate is referred to as the bit rate. Because bandwidth is limited, modem designers looked for methods to encode more bits into a signal change. One of the earliest techniques used to accomplish this was phase modulation. To illustrate the concept of packing more bits into a signal change, let's assume we wish to encode two bits into one signal change, a process referred to as dibit coding. If we change the phase of a signal among four values, then each phase value can be used to convey one of four possible dibit values. The top portion of Exhibit 6 illustrates an example of phase angle values to support dibit encoding. If we encode three bits at one time into a single phase change, we would require 2^3, or 8, distinct phase changes. This type of encoding is referred to as tribit encoding, and the lower portion of Exhibit 6 provides an example of possible phase angles that could support tribit encoding.
Exhibit 6. Examples of Phase Modulation Phase Values Used for Dibit and Tribit Encoding

Coding Technique    Bits Transmitted    Phase Angles
Dibit encoding      2                   one of four values
Tribit encoding     3                   one of eight values
where B is the baud rate and W is the bandwidth, in Hz. The Nyquist relationship indicates the maximum baud or signaling rate obtainable on a communications channel before one signal interferes with another, a process referred to as intersymbol interference. Because the maximum baud rate is a function of bandwidth, and the bandwidth available to different communications systems is regulated, enhancing the data rate required communications engineers to pack more bits into each signal change. As previously noted, dibit and tribit encoding represent two such methods. Although tribit coding makes more efficient use of bandwidth than dibit coding, we cannot continue to pack more bits per signal change indefinitely. This is because each time we do so, the 360-degree pie of an oscillating signal gets sliced into more pieces, with each piece or signal change becoming smaller and smaller. This means the receiver circuitry must be more sensitive to detect small signal changes. It also means that a slight impairment that shifts a signal from one phase to another would result in the misinterpretation of the received signal, with many bits now being in error. Recognizing the problem associated with very small phase changes resulted in the development of combined modulation techniques. The most popular combined modulation technique combines amplitude and phase modulation and is referred to as quadrature amplitude modulation (QAM).
Exhibit 7. (signal of magnitude M at phase θ)

Exhibit 8. QPSK (states 01, 11, 00, 10)

shifted in phase θ degrees, with the amplitude of the signal altered by magnitude M. Thus, the resulting signal becomes M sin θ. Under a basic QAM technique, θ is a 90-degree shift so that the carrier signal is altered from one quadrant to another. If two bits are packed per signal change and the carrier signal is rotated among four quadrants, the result is a quadrature phase shift keying (QPSK) modulation technique. An example of QPSK is shown in Exhibit 8. In examining Exhibit 8, note that each phase change represents two bits. This represents what is referred to as a multilevel modulation technique, which, while using bandwidth more efficiently, requires a more complex transmitter and receiver. This is because a cosine carrier wave is either added to or subtracted from a sine wave to produce the required phase shift in the form of a modulated sine and cosine wave.
Under QPSK as illustrated in Exhibit 8, the magnitude is held constant, with the phase varied. To accommodate higher data rates within a limited bandwidth requires varying both phase and amplitude. For example, let's assume we develop a QAM technique that encodes four bits at a time into an amplitude and phase change. Let's further assume the first bit in the group determines the amplitude to be transmitted, while the last three bits determine the phase angle of the resulting signal. The top portion of Exhibit 9 lists the possible phase angle changes for each group of three trailing bits in each quadbit. The lower portion of Exhibit 9 lists the QAM signal construction. In examining the entries for the tribit values in Exhibit 9, note that their sequence forms what is referred to as a Gray code. In this code sequence, two successive binary numbers differ in only one bit. Through the use of Gray code encoding, the most likely error during demodulation, in which an incorrect adjacent code is selected, results in a one-bit error when decoded at the receiver. Exhibit 10 illustrates an example of a 16-point QAM encoding scheme, which is referred to as 16-QAM. Note that each group of four bits is encoded into an amplitude and phase change, with a total of 16 possible positions. Those positions represent the constellation pattern of the QAM technique.
Exhibit 10. 16-QAM Constellation (phase labels 225, 270, 315 degrees)

Differential Modulation

Wireless LANs popularly use two variations of phase modulation: differential binary phase shift keying (DBPSK) and differential quadrature phase shift keying (DQPSK). Under DBPSK, two phase changes are used, with each data bit mapped into a phase change as denoted in the top portion of Exhibit 11. Under DQPSK, data dibits are mapped into one of four phase changes. The lower portion of Exhibit 11 indicates the mapping of dibits into phase changes under DQPSK. Note that the term differential is due to the fact that the transmitted phase (θn) is a function of the previous phase (θn−1) and the phase change (Δθ), such that the new phase is as follows:

θn = Δθ + θn−1

Now that we have a basic understanding of modulation methods, let's turn our attention to the signaling methods wireless LANs use.

Exhibit 11. Differential Phase Shift Keying and Differential Quadrature Phase Shift Keying

Modulation    Data Bits    Phase Change
DBPSK         0
              1
DQPSK         00
              01
              11
              10
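The following Python is an added example, not code from the book. It implements the differential rule θn = Δθ + θn−1 for both DBPSK and DQPSK and shows why the Gray-ordered dibit labels discussed with Exhibit 9 matter. The dibit-to-phase-change table (00 → 0, 01 → 90, 11 → 180, 10 → 270 degrees) is the IEEE 802.11 DQPSK mapping and the DBPSK table (0 → 0, 1 → 180) is likewise assumed, since Exhibit 11's angle values are not reproduced here; the natural-binary table exists only for comparison.

```python
"""Differential phase shift keying with a Gray-coded dibit map.

Added example, not from the book. DQPSK_GRAY is the IEEE 802.11 mapping and
DBPSK is the usual two-phase mapping; both are assumptions here. The encoder
follows theta_n = delta_theta + theta_(n-1); the slip demonstration shows
that one bad absolute phase hits two consecutive decisions, and that Gray
ordering limits each to a single bit error.
"""

# Assumed mappings: symbol bits -> phase change in degrees.
DBPSK = {"0": 0, "1": 180}
DQPSK_GRAY = {"00": 0, "01": 90, "11": 180, "10": 270}
# Natural-binary labelling of the same four phases, for comparison only.
DQPSK_NATURAL = {"00": 0, "01": 90, "10": 180, "11": 270}


def is_gray_ordered(table):
    """True if labels taken in phase order differ by exactly one bit, cyclically."""
    labels = [bits for bits, _ in sorted(table.items(), key=lambda kv: kv[1])]
    for a, b in zip(labels, labels[1:] + labels[:1]):
        if sum(x != y for x, y in zip(a, b)) != 1:
            return False
    return True


def differential_encode(bits, table=DQPSK_GRAY, initial_phase=0):
    """Map a bit string to absolute carrier phases (degrees) using the table."""
    k = len(next(iter(table)))            # bits per symbol: 1 for DBPSK, 2 for DQPSK
    if len(bits) % k:
        raise ValueError(f"bit string length must be a multiple of {k}")
    phases, theta = [], initial_phase
    for i in range(0, len(bits), k):
        theta = (table[bits[i:i + k]] + theta) % 360   # theta_n = delta_theta + theta_(n-1)
        phases.append(theta)
    return phases


def differential_decode(phases, table=DQPSK_GRAY, initial_phase=0):
    """Recover bits from absolute phases; each decision depends on the previous phase."""
    step = 360 // len(table)
    inverse = {v: k for k, v in table.items()}
    bits, prev = [], initial_phase
    for theta in phases:
        delta = (theta - prev) % 360
        delta = (round(delta / step) * step) % 360      # snap to nearest constellation point
        bits.append(inverse[delta])
        prev = theta
    return "".join(bits)


def bit_errors(sent, received):
    return sum(a != b for a, b in zip(sent, received))


def errors_after_phase_slip(bits, table, symbol_index=1, slip_deg=90):
    """Rotate one received symbol by slip_deg and count bit errors after decoding.

    Because decoding is differential, one bad absolute phase corrupts two
    consecutive phase-change decisions; Gray labels keep each to one bit.
    """
    phases = differential_encode(bits, table)
    phases[symbol_index] = (phases[symbol_index] + slip_deg) % 360
    return bit_errors(bits, differential_decode(phases, table))


if __name__ == "__main__":
    data = "00011110"                      # constructed sample dibits 00 01 11 10
    print("phases:", differential_encode(data))
    print("gray errors:", errors_after_phase_slip(data, DQPSK_GRAY))
    print("natural errors:", errors_after_phase_slip(data, DQPSK_NATURAL))
```

With the constructed input, a single 90-degree slip on one symbol produces two one-bit errors under the Gray mapping but three bit errors under natural-binary labelling, which is the adjacent-code property the text attributes to Gray codes, seen here through the differential decoder.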
Signaling Methods
Wireless LANs use four primary signaling methods. One signaling method involves infrared technology, in which the portion of the electromagnetic spectrum just below visible light is used as the transmission medium. Because infrared transmission has similar properties to visible light, its transmission is not regulated. In comparison, two signaling methods used by wireless LANs, referred to as frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS), represent wideband radio frequency signaling methods. These methods were originally developed for military applications. Their use is regulated by the Federal Communications Commission (FCC) in the United States and by other regulatory agencies in foreign countries. A third RF signaling method, referred to as orthogonal frequency division multiplexing (OFDM), also represents a wideband radio frequency communications method whose use is regulated. In this section we briefly examine the operation of infrared as well as the three RF signaling methods previously mentioned.
Infrared
Unlike RF signaling, infrared (IR) operates at a very high frequency. This makes it extremely difficult to modulate a carrier at IR frequencies. Due to this, IR modulation is commonly based on turning a pulse on and off. Infrared on-off pulse modulation can be achieved by varying the intensity of current in an infrared emitter, such as a light-emitting diode (LED). An infrared detector in the form of a photodiode generates an electrical current that is proportional to the level of IR power received. In this manner, the pulse-modulated signal is demodulated.
Limitations
In an infrared wireless LAN environment that employs diffused IR, it is common to direct transmission toward the ceiling, with receivers pointed toward the ceiling to detect reflected infrared energy. Because a ceiling is not uniform due to lighting fixtures, vents, and other areas (perhaps used for return ducts), reflected energy can take different paths. This results in multipath reflections, requiring the receiver to be able to discriminate the best signal from a series of reflections. Although this can require a considerable amount of processing, diffused IR enables one transmitter to communicate with multiple receivers at the same time, resulting in a built-in group broadcasting capability. However, unlike a direct IR system that can be used indoors or outdoors, a diffused IR system can only be used indoors. If you own a laptop or notebook, chances are rather high that your computer has a built-in IR port. Chances are also very high that you never use your IR port or, if you did once, you probably noted that data transfer was rather slow and the IR port had to be carefully aligned toward the other device for the transfer to occur. Although we note later in this book that infrared is one of several types of wireless signaling methods specified by the IEEE, I have not noted its actual implementation by vendors. Thus, our description of infrared wireless LANs in this book is limited in scope.

Spread Spectrum

Exhibit 12. Spread-Spectrum Communications (horizontal axis: Frequency; band from fL to fH, with interference at f1)
Operation
Under frequency hopping spread spectrum, transmission occurs over a range of frequencies. The transmitter transmits a short burst of data at one frequency and then hops to another frequency where communications continue. Exhibit 13 illustrates an example of FHSS communications. The process of hopping from one frequency to another is controlled by an algorithm and represents the FHSS hopping pattern. The time spent at each frequency is referred to as the dwell time. The spreading algorithm, frequency channel usage, and dwell time are regulated by the FCC in the United States and by other regulatory agencies in other countries. As we discuss wireless LAN standards later in this book, we examine the channels used by different methods of RF communications.

Exhibit 13.
Operation
Exhibit 14 illustrates the use of a five-bit spreading code to spread binary 1 and binary 0 data bits. In examining the use of the five-bit spreading code shown in Exhibit 14, let's first concentrate our attention on the operation of the transmitter. Note that each data bit (0 or 1) is modulo 2 added to the five-bit spreading code, resulting in five data bits having to be modulated instead of a single data bit.

Exhibit 14. Spreading Binary 1 and Binary 0 with a Five-Bit Spreading Code

Transmitter
  Spreading code                 10110    10110
  Modulo 2 addition (data bit)   +1       +0
  Resulting encoded data         01001    10110

Receiver
  Encoded data                   01001    10110
  Spreading code                 10110    10110
  Modulo 2 subtraction           11111    00000

Thus, each data bit is spread. At the receiver, the encoded spread data is received. The same spreading code is then modulo 2 subtracted from the data to reconstruct the original bit setting. If a five-bit spreading code is used, the number of set and non-set bits is counted and the majority is used as the value for the received bit. This method of majority rule is used to compensate for the occurrence of one or more bit errors. In an IEEE 802.11 wireless LAN environment, the actual spreading code used is 11 bits in length and is referred to as a Barker code. This means that the chip rate must be 11 times faster than the data rate. When we discuss wireless LAN standards later in this book, we examine DSSS in additional detail.
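The following Python is an added example, not code from the book. It carries the Exhibit 14 procedure through in code: modulo 2 addition of each data bit to the five-bit code 10110 at the transmitter, modulo 2 subtraction and a majority vote at the receiver. The chip-error injection, the chip-rate helper and the correctable-error bound are my additions, there to show how many chip errors per bit a majority rule can absorb and why the chip rate is the code length times the data rate.

```python
"""Direct sequence spreading and majority-rule despreading.

Added example, not from the book. Uses the five-bit spreading code 10110
from Exhibit 14; modulo 2 addition and subtraction are both exclusive-OR.
flip_chips, chip_rate and max_correctable_chip_errors are my additions.
"""

SPREADING_CODE = "10110"   # five-bit code from Exhibit 14


def spread_bit(bit, code=SPREADING_CODE):
    """Modulo 2 add one data bit to every chip of the spreading code."""
    b = int(bit)
    if b not in (0, 1):
        raise ValueError("data bit must be 0 or 1")
    return "".join(str(int(chip) ^ b) for chip in code)


def spread(bits, code=SPREADING_CODE):
    """Spread a whole bit string; the output has len(code) chips per data bit."""
    return "".join(spread_bit(b, code) for b in bits)


def despread_bit(chips, code=SPREADING_CODE):
    """Modulo 2 subtract the code, then take the majority of the recovered chips."""
    if len(chips) != len(code):
        raise ValueError("chip group length must equal the code length")
    if len(code) % 2 == 0:
        raise ValueError("majority rule needs an odd-length code")
    recovered = [int(c) ^ int(k) for c, k in zip(chips, code)]
    ones = sum(recovered)
    return "1" if ones > len(code) // 2 else "0"


def despread(chips, code=SPREADING_CODE):
    """Despread a chip string back into data bits, one bit per len(code) chips."""
    n = len(code)
    if len(chips) % n:
        raise ValueError(f"chip string length must be a multiple of {n}")
    return "".join(despread_bit(chips[i:i + n], code) for i in range(0, len(chips), n))


def flip_chips(chips, positions):
    """Constructed impairment: invert the chips at the given positions."""
    out = list(chips)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


def chip_rate(data_rate_bps, code_length):
    """Chips per second needed to carry data_rate_bps through a code_length-chip code."""
    return data_rate_bps * code_length


def max_correctable_chip_errors(code_length):
    """Largest number of chip errors per bit that a majority vote still corrects."""
    return (code_length - 1) // 2


if __name__ == "__main__":
    chips = spread("10")                   # constructed two-bit sample
    print("spread 10 ->", chips)
    print("2 chip errors:", despread(flip_chips(chips, [0, 1])))
    print("3 chip errors:", despread(flip_chips(chips, [0, 1, 2])))
    print("802.11 chip rate at 1 Mbps:", chip_rate(1_000_000, 11))
```

With the five-chip code, two inverted chips in one group are still outvoted and the data bit is recovered; a third error flips the decision. The same functions accept any odd-length code, so passing an 11-chip sequence shows the 11-times chip rate the text gives for 802.11.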
Evolution
The use of OFDM dates to the 1950s and is not a revolutionary signaling concept. In fact, one of the earliest then-high-speed dial-up modems, which operated at 9600 bps, used OFDM. That modem was the Telebit Trailblazer, whose multiple carriers were referred to as multitone transmission. If we fast-forward to the modern era, one popular signaling method used with some digital subscriber line (DSL) modems is referred to as discrete multitone transmission (DMT). DMT is also an orthogonal frequency division multiplexing technique.
Exhibit 15. (horizontal axis: Frequency)
Operation
An example of orthogonal frequency division multiplexing is illustrated in Exhibit 15. Note that each carrier is orthogonal, or at a 90-degree angle, to the other carriers. Because the carriers are spread over a wide frequency and are transmitted simultaneously, the use of multiple carriers represents frequency division multiplexing. Thus, the terms OFDM and multitone transmission are used to denote this signaling method. Under OFDM, each carrier is modulated using a common modulation technique; however, different modulation techniques can be used to modulate all carriers. Commonly used OFDM modulation techniques include several versions of quadrature amplitude modulation, such as 4-QAM, 16-QAM, and 64-QAM. Later in this book we examine how the data transmission rate is affected by the use of different modulation methods under OFDM.
ISM Bands
Although ISM bands are unlicensed, they are not unregulated, and a distinction between the two is important. The fact that an ISM band is unlicensed means that organizations can transmit using ISM equipment without having to obtain a license to use such equipment. However, both the power and transmission characteristics of equipment, such as the frequencies and dwell time for FHSS, are regulated for operation in an ISM band. In the United States, the FCC is responsible for such regulation. The first ISM band defined for use was the 902-MHz to 928-MHz frequency band, which provides 28 MHz of bandwidth. Wireless LAN equipment that operates in this 900-MHz frequency band represents proprietary LAN equipment. Two additional ISM frequency bands are referred to as the 2.4-GHz and the 5.0-GHz bands. The 2.4-GHz ISM band ranges from 2.4000 to 2.4835 GHz, resulting in 83.5 MHz of available bandwidth. The IEEE 802.11 and 802.11b standards, described later in this book, operate in the 2.4-GHz frequency band. The third ISM band, which is referred to as the 5.0-GHz band, has 300 MHz of spectrum allocated for unlicensed operations. The first 200 MHz occurs from 5.15 GHz to 5.35 GHz. The last 100 MHz is from 5.725 GHz to 5.825 GHz. The lower 200 MHz consists of two 100-MHz bands. The first 100 MHz, from 5.15 GHz to 5.25 GHz, is restricted to a maximum power output of 50 mW. The second 100 MHz, which ranges from 5.25 GHz to 5.35 GHz, has a more generous 250-mW power budget, while the top 100 MHz, which is restricted to outdoor operations, has a maximum 1-W power output.

Exhibit 16. Location of the Three ISM Bands with Respect to Common RF Applications

Application                        Frequency
AM radio                           535–1635 kHz
Analog cordless telephone          44–49 MHz
Television                         54–88 MHz
FM radio                           88–108 MHz
Television                         174–216 MHz
Television                         470–806 MHz
Wireless data (to be licensed)     700 MHz
RF wireless modem                  800 MHz
Cellular                           860–890 MHz
Digital cordless                   900 MHz
ISM                                902–928 MHz
Nationwide paging                  929–932 MHz
Satellite telephone uplink         1610–1626.5 MHz
Personal communications            1850–1990 MHz
ISM                                2400–2483.5 MHz
Satellite telephone downlinks      2483.5–2500 MHz
Large-dish satellite TV            4–6 GHz
ISM                                5.15–5.35 GHz, 5.725–5.825 GHz
Small-dish satellite TV            11.7–12.7 GHz
Wireless cable TV                  28–29 GHz
use can vary from country to country. Similarly, the allowable signaling methods, such as the frequencies available for FHSS, can vary among countries. While most modern vendor equipment is now manufactured so that it can be configured for specific operation in different countries, not all equipment is manufactured in this manner. Thus, if you are purchasing equipment in one country for use in another, you may wish to verify its suitability for use prior to purchasing such equipment.
Measurements
Now that we understand the ISM bands in which wireless LANs operate, let's turn our attention to a series of measurements that can be used to qualify the level of received power as well as power gains and losses. In doing so we also review such communications metrics as the bel, decibel, and signal-to-noise ratio.
Power Ratios
One of the earliest communications measurements dates to the development of the telephone system. At that time a need arose to define the relationship between the received power level of a signal and its original power level. In developing a mathematical relationship, it was recognized that the human ear perceives sound or loudness on a logarithmic scale. Due to this, the initial relationship between the received power of a signal and its original power level was specified in terms of logarithms to the base 10. This relationship was the bel (B), named in honor of Alexander Graham Bell, the inventor of the telephone. Although the bel was used for some time, the need for more precision resulted in the use of the decibel (dB), which represents one tenth of a bel and is now the preferred power measurement. In this section we examine both.
Bel
The bel represents the ratio of power received to power transmitted on a logarithmic scale, using logarithms to the base 10. The resulting gain or loss is given by the following formula:

B = log10(Po/PI)

where
B = power ratio in bels
Po = output or received power
PI = input or transmitted power

In addition to the human ear hearing sound on a logarithmic scale, a second advantage associated with the use of this type of scale is that gains
and losses are simplified and reduced to additions and subtractions. In a telephone environment, an analog signal is boosted by an amplifier. Thus, assume a 10-bel signal encounters a 3-bel loss and is then passed through a 6-bel amplifier. This would result in a signal strength of 10 − 3 + 6, or 13 bel. To provide readers not familiar with logarithms with a quick review, you can view the logarithm to the base 10 (log10) of a number as the power to which 10 must be raised to equal that number. For example, log10 10 is 1, log10 100 is 2, log10 1000 is 3, etc. Because output or received power is normally attenuated or dissipated and is less than input or transmitted power, the denominator of the preceding equation is normally larger than the numerator. To simplify logarithmic computations, an important property is shown below:

log10(1/X) = −log10 X

To illustrate the use of the bel for computing the ratio of power received to power transmitted, let's assume the received power is one tenth of the transmitted power. Then,

b = log10((1/10)/1) = log10(1/10)

As previously noted, an important property of logarithms is:

log10(1/X) = −log10 X

Thus,

b = −log10 10 = −1

In the prior example, the negative value indicates a power loss. In comparison, a positive value would indicate a power gain. Now that we understand how the bel can be used to categorize power gains and losses, let's look at a more precise measurement that for the most part has replaced the use of the bel. That more precise measurement is the decibel (dB).
Decibel
The decibel represents a more precise measurement than the bel, as it represents one tenth of the latter. The power measurement in decibels is computed as follows:

dB = 10b = 10 log10(Po/PI)

where
dB = power ratio in decibels
Po = output or received power
PI = input or transmitted power
Exhibit 17. Relationship of Watts and Decibel-Milliwatts

Power in Watts    Power in dBm
0.1 mW            −10
1 mW              0
1 W               30
1 kW              60
Due to the higher precision provided by the use of the decibel, it represents the preferred measurement used to denote power gains and losses. To illustrate the use of the power ratio in decibels, let's return to our prior example in which the output or received power is one tenth of the input or transmitted power. Then, the power ratio in dB becomes:

dB = 10 log10(1/10)

Because log10(1/X) = −log10 X, we obtain:

dB = −10 log10 10 = −10
Decibel-Milliwatt
The computations for the bel and decibel provide a ratio or comparison between two power values; however, they do not indicate power. As a signal propagates down a medium, the power at the receiver is easily measured. However, it is not as easy to denote what the received value indicates, nor to use the received power for comparison purposes, unless a standard testing mechanism is employed. In telephone operations, a 1-mW signal at a frequency of 800 Hz is used to test a circuit. To ensure you do not forget that the resulting power measurement occurred with respect to a 1-mW input signal, the term decibel-milliwatt (dBm) is used. Thus, the computation of a received power level in dBm becomes:

dBm = 10 log10(output power / 1 mW input power)

Note that the term dBm reminds you that the output power measurement occurred with respect to a 1-mW test tone. Although in many books, including this one, you will see the term decibel-milliwatt, in actuality a more accurate term is decibel above 1 mW. Thus, 10 dBm represents a signal 10 dB above, or bigger than, 1 mW, whereas 20 dBm represents a signal 20 dB above 1 mW, etc. You can use the preceding relationships to construct a table that indicates the relationship between power in watts and power in decibel-milliwatts. This relationship is shown in Exhibit 17. To provide an example of the manner by which Exhibit 17 was constructed, let's review the last entry in the table. One kilowatt of power represents 1000 watts. Because dBm = 10 log10(output power / 1 mW), we obtain:

dBm = 10 log10(1000 W / 0.001 W) = 10 log10 1,000,000

Because log10 1,000,000 is 6, 10 log10 1,000,000 becomes 60. Now that we have an appreciation for computing the gain or loss in power of a signal as well as its power level, let's turn our attention to one of the most important metrics in communications: the signal-to-noise ratio.

Exhibit 18. Thermal Noise (thermal noise level versus frequency)
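The following Python is an added example, not code from the book. It implements the three measurements just defined, B = log10(Po/PI), dB = 10B and dBm = 10 log10(P/1 mW), reproduces the 10 − 3 + 6 = 13 bel chain and rebuilds Exhibit 17 from the formula. The received-power helper, which adds a list of gains and losses in dB to a transmit power, and the constructed link figures in the usage block are my additions.

```python
"""Bel, decibel and decibel-milliwatt computations.

Added example, not from the book. Follows B = log10(Po/PI), dB = 10 B and
dBm = 10 log10(P / 1 mW) from the text. received_power_dbm and the sample
link values are my additions.
"""
import math

ONE_MILLIWATT = 0.001  # reference power for dBm, in watts


def bels(p_out, p_in):
    """Power ratio in bels; negative for a loss, positive for a gain."""
    if p_out <= 0 or p_in <= 0:
        raise ValueError("powers must be positive")
    return math.log10(p_out / p_in)


def decibels(p_out, p_in):
    """Power ratio in decibels: ten times the value in bels."""
    return 10.0 * bels(p_out, p_in)


def ratio_from_db(db):
    """Invert the decibel definition: Po/PI = 10^(dB/10)."""
    return 10.0 ** (db / 10.0)


def watts_to_dbm(p_watts):
    """Absolute power expressed relative to 1 mW."""
    return decibels(p_watts, ONE_MILLIWATT)


def dbm_to_watts(dbm):
    return ONE_MILLIWATT * ratio_from_db(dbm)


def chain(start_level, *gains_and_losses):
    """Logarithmic units turn multiplicative gains and losses into a sum."""
    return start_level + sum(gains_and_losses)


def received_power_dbm(tx_power_watts, gains_and_losses_db):
    """Assumed helper: transmit power in dBm plus each gain (+) or loss (-) in dB."""
    return chain(watts_to_dbm(tx_power_watts), *gains_and_losses_db)


def exhibit_17():
    """Rebuild Exhibit 17: watts -> dBm for 0.1 mW, 1 mW, 1 W and 1 kW."""
    return {w: round(watts_to_dbm(w), 6) for w in (0.0001, 0.001, 1.0, 1000.0)}


if __name__ == "__main__":
    print("13 bel chain:", chain(10, -3, 6))
    print("one tenth power:", decibels(1, 10), "dB")
    for watts, dbm in exhibit_17().items():
        print(f"{watts:>8} W = {dbm:>6} dBm")
    # Constructed link: 100 mW transmitter, 2 dB antenna gain, 80 dB path loss.
    print("received:", received_power_dbm(0.1, [2, -80]), "dBm")
```

Because dBm is an absolute level while dB is a ratio, the two can be mixed only in the direction the chain function uses: a level in dBm plus gains and losses in dB gives another level in dBm.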
Signal-to-Noise Ratio
One of the most important metrics in the field of communications is the signal-to-noise (S/N) ratio. Simply stated, the S/N ratio indicates the level of signal power (S) relative to the level of noise (N), in decibels (dB). While you might expect that a higher S/N ratio is preferable to a lower S/N ratio, like life itself this simplistic reality has some constraints. This is because in a wireless environment the amount of permissible radiated power is regulated by the FCC. Unfortunately, you cannot regulate the level of noise. Concerning noise, we need to consider two primary categories: thermal and impulse. Thermal noise occurs due to the movement of electrons in a conductor or basic radiation from the sun. This type of noise is characterized by a near-uniform distribution of energy over the frequency spectrum. Exhibit 18 illustrates an example of thermal noise. This type of noise is also referred to as white noise or Gaussian noise. Because thermal noise represents a near-uniform distribution of energy over the frequency spectrum, it can be considered to represent the lower limit of sensitivity of a receiver. This is because a receiver must be able to distinguish the signal from the level of noise. The second type of noise that adversely affects communications results from periodic disturbances. Such disturbances can range in scope from acts of God, such as lightning and solar flares or sunspots, to electromagnetic radiation resulting from the operation of certain types of machinery. This type of noise is referred to as impulse noise and is illustrated in Exhibit 19.

Through the use of the S/N ratio, we can categorize the quality of transmission. While you always want an S/N ratio above unity for the receiver to be able to discriminate a signal from thermal noise, there are limits concerning the maximum signal power level that can be transmitted. Those limits are regulated by the FCC and are based on the transmission system employed. As noted earlier in this chapter, the maximum power permitted for use by wireless LANs is 1 W in an outdoor environment, with a lower level of power permitted for indoor use. To obtain an appreciation for what different S/N ratios mean, let's examine a few. First, let's assume we obtain an S/N ratio of zero. The decibel is defined as:

10 log10(Po/PI)

This means that to obtain a decibel reading of zero, log10(Po/PI) must be zero. This can only occur if Po = PI, which means that a decibel value of zero can only occur when the input power equals the output power. Thus, an S/N ratio of 0 dB means the signal power and noise are equal. Now let's assume the S/N ratio is 10. This means:

10 = 10 log10(Po/PI)

If the ratio Po/PI is 10, then log10 10 is 1, satisfying the equation. This means that an S/N ratio of 10 equates to a 10-dB level. To facilitate some interesting computations, Exhibit 20 provides a summary of the relationship between decibel values and their corresponding power or S/N ratios. In examining the entries in Exhibit 20, note that a dB value of 3 corresponds to a power or S/N ratio of 2:1. This means a 3-dB value indicates that the signal power is twice that of the noise.

Exhibit 19. Impulse Noise (amplitude versus frequency)
Channel Capacity
In a classic paper presented during 1949, Professor Claude Shannon at MIT denoted the relationship between the signal-to-noise ratio on a channel, its bandwidth, and the maximum data transmission rate in bits per second (bps). That classic relationship is:

C = B log2(1 + S/N)

where
C = transmission capacity of a channel, in bps
B = bandwidth, in Hz
S = signal power, in dB
N = noise power, in dB

At the time Shannon presented his paper, a voice band channel had a bandwidth of 3000 Hz and an S/N ratio of 30 dB. Using Shannon's formula, the transmission capacity of a voice-grade channel during 1949 became:

C = 3000 log2(1 + 10^3) = 30,000 bps

It is worth noting that Shannon's capacity formula projected the ability to obtain a 30,000-bps transmission rate over voice-grade channels that at that time were lucky to support a 300-bps modem. Over the years the use of fiber optics in the backbone of almost all communications carriers resulted in a higher obtainable S/N ratio; however, it was not until the mid-1990s that modem designers were able to design products that operated at the capacity Shannon indicated was possible almost 45 years earlier. Today, Shannon's channel capacity formula is valuable not only for computing the potential bit rate of a channel but also for noting how capacity can be increased. Because capacity is based on both available bandwidth and the S/N ratio, it becomes possible to increase the transmission rate by increasing either or both of the previously mentioned metrics.

Exhibit 20. Relationship between dB and Power

Decibels | S/N
0 | 1.0:1
1 | 1.2:1
2 | 1.6:1
3 | 2.0:1
4 | 2.5:1
5 | 3.2:1
6 | 4.0:1
7 | 5.0:1
8 | 6.4:1
9 | 8.0:1
10 | 10.0:1
13 | 20.0:1
16 | 40.0:1
19 | 80.0:1
20 | 100.0:1
23 | 200.0:1
26 | 400.0:1
29 | 800.0:1
30 | 1000.0:1
33 | 2000.0:1
36 | 4000.0:1
39 | 8000.0:1
40 | 10000.0:1
50 | 100,000.0:1
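The following is an added example, not code from the book, that carries the decibel conversion and Shannon's formula through in Python: it regenerates Exhibit 20 from the definition of the decibel, computes the 1949 voice-channel case (the exact value is a little under the rounded 30,000 bps the text quotes), and applies the same conversion to antenna gain in dBi, which the chapter uses later.

```python
import math


def db_to_ratio(db: float) -> float:
    """Decibels to a linear power (or S/N) ratio: ratio = 10 ** (dB / 10)."""
    return 10 ** (db / 10)


def ratio_to_db(ratio: float) -> float:
    """Linear power ratio to decibels: dB = 10 * log10(Po / PI)."""
    return 10 * math.log10(ratio)


def shannon_capacity_bps(bandwidth_hz: float, snr_db: float) -> float:
    """C = B log2(1 + S/N). The S/N ratio arrives in dB and is converted to a
    linear ratio first, exactly as the text turns 30 dB into 10**3."""
    return bandwidth_hz * math.log2(1 + db_to_ratio(snr_db))


# The decibel values tabulated in Exhibit 20.
EXHIBIT_20_DB = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 13, 16, 19, 20, 23, 26, 29,
                 30, 33, 36, 39, 40, 50]


def exhibit_20() -> dict:
    """Rebuild Exhibit 20 from the formula, rounded to one decimal as the table is.
    Note that 8 dB comes out as 6.3:1 under this rounding."""
    return {db: round(db_to_ratio(db), 1) for db in EXHIBIT_20_DB}


def voice_channel_1949() -> float:
    """The worked case from the text: 3000 Hz of bandwidth at an S/N ratio of 30 dB."""
    return shannon_capacity_bps(3000, 30)


def antenna_gain_ratio(gain_dbi: float) -> float:
    """Gain in dBi is a power ratio relative to an isotropic antenna, so the same
    conversion applies (24 dBi is roughly 250 times isotropic)."""
    return db_to_ratio(gain_dbi)


if __name__ == "__main__":
    for db, ratio in exhibit_20().items():
        print(f"{db:3d} dB -> {ratio:10.1f}:1")
    print(f"1949 voice channel: {voice_channel_1949():,.0f} bps")
    print(f"24 dBi parabolic antenna: {antenna_gain_ratio(24):.0f} times isotropic")
```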
Antenna Considerations
No basic discussion of wireless LANs would be complete without describing one of the most important parts of an RF system. That part is the antenna, whose job is to both transmit a signal as well as shape and focus a received signal so that it can be understood. In this section we examine some of the basic parameters associated with antennas and how those parameters affect our equipment's ability to transmit and receive signals.
Radiation Pattern
There are many types of antennas, some of which you may notice located on the tops of buildings, mounted on police vehicles, and even protruding from your cell phone or wireless LAN network adapter card. Although each of those antennas may appear different from one another, they all have a radiation pattern. That pattern indicates the power radiated in any direction relative to the direction of maximum radiation. Although the actual radiation pattern of any antenna is a three-dimensional function, when we work with pen and paper the pattern is specified in terms of a two-dimensional diagram. This two-dimensional pattern illustrates the beam pattern of the antenna with respect to a 360-degree circle. Exhibit 21 illustrates an example of the radiation pattern for a near-directional antenna. Note that most of the antenna's radiated power is concentrated in a narrow beam. Also note that the concentric circles radiating outward from the center of the circle indicate the signal strength.
Beamwidth
In the example shown in Exhibit 21, the beam pattern is relatively narrow, which results from the fact that a directional antenna's beam pattern is shown. The actual beam pattern results from several factors. Those factors can include the shape of the antenna, the use of a reflector behind the antenna to focus its transmitted power, its angle of elevation, and the presence of objects and the ground beneath the antenna. These contributing factors result in the radiated signal consisting of the transmitted signal as well as reflected signals. Some of the reflections may cancel one another, while other reflections can be additive. If you carefully examine Exhibit 21, you will note that reflections from about 3 degrees to 357 degrees rapidly dissipate and the beamwidth, which is shown as 6 degrees, ranging from 357 degrees through 3 degrees, represents the direction of maximum radiation. In actuality, in antenna engineering, another related term known as half-power beamwidth is worth noting. The half-power beamwidth represents the angle between the points on each side of the direction of maximum radiated power at which the intensity of the radiated power falls to half the maximum. In Exhibit 21, the half-power beamwidth is conveniently shown centered around 0 degrees.

Exhibit 21. Radiation pattern of a near-directional antenna (polar plot over 0 to 360 degrees, concentric rings marking power in dB from 0 down to -20 dB, main beam spanning 357 through 3 degrees)
Antenna Gain
The ability of an antenna to shape and focus a signal in a particular direction is referred to as the antenna gain. The antenna gain is expressed in terms of how much stronger the focused signal is in the desired direction in comparison to an antenna where a signal is distributed in all possible directions. The latter is referred to as an isotropic antenna and the power relationship is known as decibel isotropic, or dBi. A common omnidirectional stick antenna that is used in a vertical position will typically have a gain of 6 to 8 dBi. From Exhibit 20, 6 dB is equivalent to a power ratio of 4:1, while 8 dB is equivalent to a power ratio of 6.4:1. This means that by redirecting the signal that would otherwise go straight up or down to the horizontal level, between 4 and 6.4 times as much signal can become available horizontally. This also indicates as well as explains why a directional antenna can transmit a higher level of signal power as well as have the ability to receive a lower level of received signal power. In fact, a parabolic reflector-based antenna is commonly used by a wireless LAN bridge to obtain an extended line-of-sight transmission distance that can range up to approximately ten miles. This type of antenna can have a gain of 24 dBi, which is equivalent to a power increase of over 200 times that of an omnidirectional antenna.
Although a high-gain directional antenna is preferable to a low-gain omnidirectional antenna, you would expect most wireless LAN products to have the first type of antenna. Unfortunately, omnidirectional stick-type antennas are relatively inexpensive to fabricate, which explains why the majority of wireless LAN antennas either resemble sticks or are built into (embedded) the edge of a LAN adapter card. Concerning the gain of an antenna, it is also worth noting that in order to comply with FCC regulations a wireless LAN device has a maximum amount or level of power it can generate. That power level, which is 1 W in the 2.4-GHz band, results in a 24-dBi antenna having a maximum transmit power of 24 dBm. Because the addition of a reflector to an antenna can significantly improve its gain and directivity, this action allows an unwanted third party to easily monitor wireless LAN traffic from the parking lot of many buildings. When we discuss security as a separate entity later in this book, we also describe how we can minimize the leakage of RF energy from a building in which we are using a wireless LAN, which will make it more difficult or impossible for a third party to monitor our communications. Now that we have an appreciation for basic communications concepts that are relevant to the operation of wireless LANs, we conclude this chapter with an overview of the structure of wireless LANs, including the terminology associated with their use.
Architecture
The architecture or network structure of wireless LANs consists of several components and services that enable devices to communicate with one another via the air. In this section we examine how wireless LANs are formed and interconnected to one another.
The Station
The basic component of a wireless LAN is a station, the term used to represent a computer device that has a wireless LAN network adapter card and applicable software. The station can represent a laptop or notebook PC, a desktop computer, or even a PDA. A special type of station is an access point (AP) that functions as a bridge between wired and wireless LANs and whose operation is described in detail later in this section.
Exhibit 22. Stations communicating with one another on a peer-to-peer basis
Network Topologies
Wireless LANs support two types of topologies: ad hoc and infrastructure.
Ad Hoc Networking
An ad hoc wireless network occurs when two or more stations are within close proximity, so they can communicate with one another. As the stations communicate with one another in a peer-to-peer manner, the area within which communications occurs is referred to as an independent basic service set (IBSS). Exhibit 22 illustrates a group of stations communicating with one another on a peer-to-peer ad hoc basis that forms an IBSS. As you might surmise, the term independent results from the fact that this type of basic service set operates as an independent entity and has no connection to another ad hoc network or to a wired network. Once a connection occurs, the independent prefix is dropped. In examining Exhibit 22, it should be noted that each station operates independently of other stations, communicating on a peer-to-peer basis. This means that it is possible for the three stations to have a total of six peer-to-peer sessions if each station needed to communicate with each of the other stations shown in the illustration. Because of transmission-range limitations, it is also possible that each station may not be able to communicate with every other station within the IBSS. Unlike a basic service set (BSS) in which the access point functions as a relay, an IBSS has no relay capability. Thus, all stations need to be within the range of each other to communicate with one another.
Infrastructure Networking
A second type of wireless network structure involves the use of an access point, either by itself or connected to a wired LAN. The use of an access point with one or more client stations results in the formation of a basic service set (BSS). Exhibit 23 illustrates both types of basic service sets.
Exhibit 23. Basic service sets formed by an access point and its client stations, with and without a connection to the wired infrastructure
from the server and enters it into its port-address table, with the port it was received on being the wired LAN. Now let's assume a station on the wired LAN transmits a frame to the server. When the frame flows to the access point, it checks its port-address table and notes that the destination is on the wired LAN. Therefore, there is no need to forward or to flood the frame, and the access point then filters the frame. Thus, the access point operates on the 3 Fs principle.
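An added example, not code from the book, that models the access point as a two-port learning bridge and replays the scenario just described: the port-address table is built from source addresses, and every frame is then filtered, forwarded or flooded. The MAC addresses are constructed for the example.

```python
class AccessPointBridge:
    """Transparent bridge with one wireless port and one wired port. Each frame
    it receives is handled by one of the 3 Fs: filter, forward, or flood."""

    PORTS = ("wireless", "wired")

    def __init__(self):
        self.port_address_table = {}      # MAC address -> port it was learned on

    def receive(self, src, dst, in_port):
        # Learning: record the port on which the source address was seen.
        self.port_address_table[src] = in_port
        known_port = self.port_address_table.get(dst)
        if known_port is None:
            # Flood: destination unknown, so copy the frame to every other port.
            return "flood", [p for p in self.PORTS if p != in_port]
        if known_port == in_port:
            # Filter: destination sits on the port the frame arrived on.
            return "filter", []
        # Forward: destination known to be on a different port.
        return "forward", [known_port]


def walk_through():
    """Replays the text's scenario with constructed addresses: a server and a second
    station on the wired LAN, one station on the wireless side."""
    server = "00:00:5e:00:53:01"
    wired_station = "00:00:5e:00:53:02"
    wireless_station = "00:00:5e:00:53:03"
    ap = AccessPointBridge()
    steps = []
    # The server transmits toward a wireless station that has not been learned yet:
    # the AP learns the server on the wired port and floods the frame.
    steps.append(ap.receive(server, wireless_station, "wired"))
    # A wired station sends to the server: both on the wired LAN, so the AP filters.
    steps.append(ap.receive(wired_station, server, "wired"))
    # The wireless station sends to the server: forwarded to the wired port only.
    steps.append(ap.receive(wireless_station, server, "wireless"))
    return steps, ap.port_address_table


if __name__ == "__main__":
    for action, ports in walk_through()[0]:
        print(action, ports)
```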
CSMA/CA
The method of controlling access to the air used by wireless LANs represents a modification to the familiar Carrier Sense Multiple Access with Collision Detection (CSMA/CD) scheme used by Ethernet. Under the IEEE 802.11 standard, media access control occurs using a variation of Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). Under CSMA/CA, a station listens to the air to determine if the RF channel is busy. If it is, the station waits not only for the completion of transmission but also for an interval of time after the completion of transmission prior to transmitting a frame.

Exhibit 24. Relationship between Basic Service Sets, a Distribution System, and an Extended Service Set (two BSSs, each with an AP and its stations, linked by a distribution system that also connects an AP to the Internet)
To Send (RTS) frame that requests permission to transmit data. A Clear To Send (CTS) response from the destination station then allows the originating station to proceed. Later in this book, when we examine the IEEE standards in detail, we note how the CSMA/CA protocol works to include the use of RTS and CTS frames to gain access to the medium.
Chapter 3
IEEE Standards
Standards can be considered the glue that facilitates the interoperability of equipment produced by different vendors. In this chapter we turn our attention to a core series of wireless LAN standards developed under the auspices of the Institute of Electronic and Electrical Engineers (IEEE). The IEEE was tasked many years ago by the American National Standards Institute (ANSI) to develop local area networking standards. Standards developed over the past 25 years include Ethernet, Fast Ethernet, Gigabit Ethernet, and Token Ring. During 1997 the IEEE developed its 802.11 standard for wireless LANs. This standard was soon followed by two amendments, referred to as the 802.11b and 802.11a standards. This chapter focuses on all three standards, to include examining the basic architecture associated with the three standards and how that architecture relates to the Open System Interconnection (OSI) Reference Model developed by the International Standards Organization (ISO).
Basic Architecture
The first wireless LAN standard developed by the IEEE dates back to 1997. That standard, referred to as the 802.11 specification, defines the operation of wireless LANs at the lower two layers of the OSI Reference Model. Subsequent extensions retain the separation of layers, which we now examine.
Layer Separation
Exhibit 1 compares the IEEE 802.11 standard to the lower two layers of the OSI Reference Model. In examining Exhibit 1, note that the 802.11 standard defines the media access control (MAC) and physical (PHY) layers for a LAN with wireless connectivity. In doing so, the initial standard supports three physical layers: infrared, frequency hopping spread spectrum (FHSS), and direct sequence spread spectrum (DSSS). The initial standard defines three signaling methods, of which the two radio frequency methods operate in the 2.4-GHz industrial, scientific, and medical (ISM) band. The first extension to the 802.11 standard, the 802.11b specification, continues operation in the 2.4-GHz ISM band. However, the second extension, the 802.11a specification, operates in the 5-GHz band and uses a completely different signaling technique referred to as orthogonal frequency division multiplexing (OFDM). Although the physical layers differ for each signaling mechanism, they use a common method of media access control. Thus, the frame formats supported by the MAC layer are relevant for each physical layer supported by the basic 802.11 standard as well as each of the extensions to the standard.

Exhibit 1. Comparing the IEEE 802.11 Standard to the Two Lower Layers of the OSI Reference Model (Data Link Layer: Media Access Control; Physical Layer: Frequency Hopping Spread Spectrum, Direct Sequence Spread Spectrum, Infrared)
Infrared
In Chapter 2 we noted that infrared communications in wireless LANs can be either a line-of-sight (directed) or reflective (diffused) method of communications. Under the IEEE 802.11 standard, both 1-Mbps and 2-Mbps operating rates are defined using diffused infrared communications at a wavelength from 850 to 950 nanometers. The basic access rate of 1 Mbps occurs through the use of pulse position modulation (PPM), which uses a symbol period broken into 16 subintervals (16-PPM), while the enhanced access rate of 2 Mbps occurs using 4-PPM. Because the use of either directed or diffused infrared is limited to at most one room, to my knowledge 802.11 equipment using infrared is conspicuous by its absence and is not discussed further in this book.
Exhibit 2. Frequency Channels and Hopping Patterns for FHSS Operations under the IEEE 802.11 Standard

Location | Minimum Number of Frequency Channels | Actual Number of Frequency Channels | Sets of Hopping Patterns | Number of Hopping Patterns per Set | Number of Hopping Patterns
(not legible) | 75 | 79 | 3 | 26 | 78
(not legible) | 20 | 79 | 3 | 26 | 78
(not legible) | 20 | 23 | 3 | 4 | 12
(not legible) | 20 | 27 | 3 | 9 | 27
(not legible) | 20 | 35 | 3 | 11 | 3
Modulation
FHSS channels commence with a center frequency of 2.402 GHz. All subsequent channels are spaced 1 MHz apart, with the separation mandated by the Federal Communications Commission for the use of FHSS in the 2.4-GHz ISM band. At a 1-Mbps operating rate, FHSS employs a two-level Gaussian frequency shift keying (GFSK) modulation method. Under GFSK, a binary 1 is encoded using frequency Fc + f, while a logical 0 is encoded using frequency Fc - f, where Fc represents the center frequency of the channel. Because each bit is encoded as a single signal change, a 1-MHz signaling rate results in a data rate of 1 Mbps. A second modulation method used by FHSS is a four-level Gaussian frequency shift keying method under which two bits are encoded within one signaling change. Here, the term Gaussian is used to indicate that the premodulated digital data stream is first passed through a Gaussian low-pass filter. This premodulation filtering increases spectral efficiency by minimizing the shifts in phase. Because four-level GFSK results in a 1-MHz signaling rate with two bits encoded per signal, the data rate becomes 2 Mbps.
Frequency Channels
The number of frequency channels available for use (as well as the minimum number of channels that need to be used) is regulated in the United States by the FCC and in other countries by other regulatory agencies. Exhibit 2 indicates the minimum and actual number of 1-MHz frequency channels available at different locations around the globe. This table also indicates the number of sets of hopping patterns, the number of hopping patterns in a set, and the number of hopping patterns available. The number of hopping patterns per set, which is 26 for the United States, indicates that you can install 26 FHSS access points within a basic service set with a minimum of interference. This results from the hopping pattern minimizing the probability of one FHSS access point operating on the same frequency channel as another access point.
Barker Code
Although we illustrated the method of spreading with a five-bit code in Chapter 2, in actuality an 11-bit Barker code is used to spread data bits. The sequence of the 11-bit Barker code is 10110111000, and each data bit is modulo 2 added to the 11 code bits to spread the data bits, resulting in an 11-Mbps digital data stream that is then modulated onto a carrier frequency.
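An added example, not code from the book, that performs the spreading just described in Python: each data bit is modulo-2 added to the 11 Barker chips, the receiver despreads by counting agreements with the code, and the code's autocorrelation shows why the receiver can lock onto chip boundaries and tolerate corrupted chips. The data bits and the injected chip errors are constructed for the example.

```python
# The 11-chip Barker sequence used by 802.11 DSSS (1 0 1 1 0 1 1 1 0 0 0).
BARKER_11 = [1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0]


def spread(bits):
    """Modulo-2 add (XOR) every data bit with all 11 chips: 1 bit -> 11 chips."""
    return [bit ^ chip for bit in bits for chip in BARKER_11]


def despread(chips):
    """Recover each data bit by comparing an 11-chip block with the code. A 0 was
    sent as the code itself (11 agreements) and a 1 as its complement (0
    agreements), so a majority decision tolerates up to 5 corrupted chips per bit."""
    bits = []
    for i in range(0, len(chips) - len(chips) % 11, 11):
        block = chips[i:i + 11]
        agreements = sum(c == b for c, b in zip(block, BARKER_11))
        bits.append(0 if agreements >= 6 else 1)
    return bits


def periodic_autocorrelation(shift):
    """Correlation of the bipolar code (0 -> -1, 1 -> +1) with a cyclic shift of
    itself: 11 at shift 0 and -1 at every other shift. The sharp peak is what
    lets the receiver find the chip boundary and reject off-phase multipath copies."""
    s = [1 if c else -1 for c in BARKER_11]
    return sum(s[i] * s[(i + shift) % 11] for i in range(11))


def demo():
    """Constructed data bits are spread, three chips of the second bit are flipped
    (constructed channel errors), and the stream is despread again.
    Returns (chip_count, recovered_bits)."""
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    chips = spread(data)
    for k in (11, 13, 17):            # corrupt three chips belonging to bit index 1
        chips[k] ^= 1
    return len(chips), despread(chips)


if __name__ == "__main__":
    count, recovered = demo()
    print(f"{count} chips carry {len(recovered)} bits: {recovered}")
    print("autocorrelation:", [periodic_autocorrelation(k) for k in range(11)])
```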
Modulation
Similar to FHSS, under the initial 802.11 standard, two data rates are supported under DSSS. At a data rate of 1 Mbps, each bit is mapped into one of two phases using differential binary phase shift keying (DBPSK) modulation. To obtain an operating rate of 2 Mbps, differential quadrature phase shift keying (DQPSK) modulation is employed, with two data bits (a dibit) mapped into one of four phases.
Comparison to FHSS
The initial IEEE 802.11 standard defines 13 selectable carrier frequencies in the 2.4-GHz ISM band. Each DSSS channel is 22 MHz wide, which restricts the number of independent access points that can exist within a basic service set to three. This is illustrated in Exhibit 3, which compares the potential frequency utilization of FHSS and DSSS. In comparing FHSS and DSSS in Exhibit 3, the ability to have 26 frequency hopping patterns means it is possible to co-locate 26 FHSS access points without one adversely impacting another. This means that at a 2-Mbps operating rate, FHSS operations provide a maximum support of 26 × 2 or 52 Mbps within a BSS. In comparison, using DSSS reduces the maximum data transfer support to 3 × 2 or 6 Mbps. While you might use this information to decide on using FHSS, let's wait a minute and consider two factors. First, it is doubtful if an organization would want to deploy 26 access points within a BSS. Second, under the 802.11b extension, the data rate of DSSS is increased to 11 Mbps. This means that you can locate three 802.11b DSSS access points and obtain support for a maximum data transfer rate of 3 × 11 or 33 Mbps within a BSS; however, each station can operate at 11 Mbps instead of a maximum of 2 Mbps under FHSS.

Exhibit 3. Comparing the potential frequency utilization of FHSS (1-MHz channels) and DSSS (22-MHz channels) in the 2.4-GHz ISM band
Code Sets
Under the 802.11b extension to the 802.11 standard, two CCK code sets can be generated. One code set results in an 11-Mbps data rate. The second code set actually represents a subset of the 11-Mbps code set and provides a 5.5-Mbps data rate. For both code sets, pairs of bits (dibits) are modulated using differential quadrature phase shift keying (DQPSK). The use of CCK provides high resistance to echoes or multipath reflections. Chip sets that support CCK also support the use of the 11-bit Barker spreading code, enabling DSSS to operate at data rates of 1, 2, 5.5, and 11 Mbps under the 802.11b standard.
Frequency Allocation
The use of OFDM occurs in the 5-GHz unlicensed national information infrastructure (UNII) frequency band, which represents a third ISM band defined by the FCC. The FCC allocated 300 MHz of frequency for unlicensed operation in the 5-GHz block, 200 MHz of which is at 5.15 to 5.35 GHz. The other 100 MHz is located from 5.725 to 5.825 GHz. The 300-MHz total frequency is subdivided into three bands: the first 100 MHz is restricted to a maximum power output of 50 mW. The second 100 MHz has a more generous 250-mW power cap, while the last 100 MHz is designated for outdoor applications and has a 1-W power cap. Through the use of OFDM, a 20-MHz channel is subdivided into 52 subchannels, each approximately 300 kHz in width. A total of 48 data and four pilot carriers is used to simultaneously transmit data and reference signals. Several modulation methods are supported for transmitting data under OFDM. Using binary phase shift keying (BPSK) results in a data rate of 125 kbps per channel, or a composite data rate of 6 Mbps. Using quadrature phase shift keying doubles the amount of data encoded per channel to 250 kbps, which yields a composite data rate of 12 Mbps. Using 16-QAM, where four bits are encoded per signal change, permits a composite data rate of 24 Mbps. When a 64-QAM modulation method is used, a data rate of 1.125 Mbps per 300-kHz channel becomes possible, resulting in a composite maximum data rate of 54 Mbps.
Scope of Coverage
Although OFDM provides a range of data rates whose highest rate is approximately five times that of DSSS signaling, the range of 5-GHz transmission is significantly less than that of 2.4-GHz operations. If we sat through a high school or college physics class, we probably heard the expression that high frequencies attenuate more rapidly than low frequencies. If we remember that expression, it explains the reason why 5-GHz operations have a range less than that of 2.4-GHz operations. What this means is that you have a trade-off between transmission range and operating rate. If you need the higher operating rate afforded by 802.11a equipment that uses OFDM, you may need to install multiple access points in comparison to the use of a single access point when 802.11 or 802.11b equipment is used.
Exhibit 4. The 802.11 Standard Subdivides the Physical Layer into Two Sublayers: the Physical Layer Convergence Procedure (PLCP) and the Physical Media Dependent (PMD) sublayer

Exhibit 5. The FHSS PLCP frame format: Preamble (Sync, 80 bits; SFD, 16 bits), PLCP Header (PLW, 12 bits; PSF, 4 bits), PSDU
Legend: SFD = Start of Frame Delimiter; PLW = PSDU Length Word; PSF = PLCP Signaling Field; PSDU = Physical Service Data Unit
FHSS
Exhibit 5 illustrates the PLCP used under FHSS. In examining Exhibit 5, note that the Preamble Sync field consists of an 80-bit field of alternating binary zeros and ones, transmitted commencing with a zero and ending with a binary one (1). The Start of Frame Delimiter (SFD) field consists of the 16-bit binary pattern 0000 1100 1011 1101 or hex 0ABD and follows the Sync field. The PLW (PSDU length word) defines the number of bytes contained in the physical service data unit (PSDU). The four-bit PSF (PLCP Signaling field) defines the transmission rate. Although only rates of 1 Mbps and 2 Mbps are currently supported, this field permits data rates from 1 Mbps to 4.5 Mbps in 0.5-Mbps increments to be specified. The 16-bit Header Check Error field, as its name implies, protects the header, while the Physical Service Data Unit (PSDU) transports the MAC frame.

Exhibit 6. The DSSS PLCP frame format: Preamble (SYNC; SFD, 16 bits), PLCP Header (Signal, 8 bits; Service, 8 bits; Length, 16 bits; CRC, 16 bits), PSDU

Exhibit 7. The OFDM PLCP frame format: Preamble, PLCP Header (Signal field occupying one OFDM symbol: Rate, 4 bits; Reserved, 1 bit; Length, 12 bits; Parity, 1 bit; Tail, 6 bits; followed by the Service field), PSDU, Tail, Pad
DSSS
Similar to FHSS, DSSS uses a specified PLCP frame format. This format has some distinct differences from the FHSS format and is illustrated in Exhibit 6. In examining Exhibit 6, note that for DSSS the PLCP SYNC field is 128 bits in length. The Start of Frame Delimiter (SFD) has the bit composition 1111001110100000, or hex F3A0. The Signal field defines the data rate. Current values include hex 0A for 1 Mbps, hex 14 for 2 Mbps, hex 37 for 5.5 Mbps, and hex 6E for 11-Mbps operations. The Service field is currently reserved for future use and is thus set to a value of hex 00. The Length field indicates the length of the payload in bytes.
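An added example, not code from the book, that serializes and parses the DSSS PLCP header just described: SFD, Signal, Service, Length and CRC, with the Signal values from the text mapped to data rates (each value is the rate in units of 100 kbps). The CRC register preset, the MSB-first bit order, and the little-endian encoding of Length and CRC are assumptions of this example, not taken from the page.

```python
import struct

SYNC_BITS = 128                       # DSSS SYNC field length; carries no data
SFD = 0xF3A0                          # Start of Frame Delimiter for DSSS
# Signal field values from the text; each is the data rate in units of 100 kbps.
SIGNAL_TO_MBPS = {0x0A: 1.0, 0x14: 2.0, 0x37: 5.5, 0x6E: 11.0}


def crc16_plcp(data: bytes) -> int:
    """CRC-16 with generator x^16 + x^12 + x^5 + 1 over Signal, Service and Length.
    Assumptions made for this example: register preset to all ones, bits taken
    MSB first, and the ones complement of the remainder transmitted."""
    crc = 0xFFFF
    for byte in data:
        for i in range(7, -1, -1):
            feedback = ((crc >> 15) & 1) ^ ((byte >> i) & 1)
            crc = (crc << 1) & 0xFFFF
            if feedback:
                crc ^= 0x1021                         # x^12 + x^5 + 1 (x^16 implicit)
    return crc ^ 0xFFFF


def build_plcp_header(rate_mbps: float, psdu_len: int) -> bytes:
    """Serialize SFD, Signal, Service, Length and CRC as 8 octets (SYNC omitted)."""
    signal = {v: k for k, v in SIGNAL_TO_MBPS.items()}[rate_mbps]
    service = 0x00                                    # reserved, always hex 00
    fields = bytes([signal, service]) + struct.pack("<H", psdu_len)
    return struct.pack(">H", SFD) + fields + struct.pack("<H", crc16_plcp(fields))


def parse_plcp_header(header: bytes) -> dict:
    """Validate the SFD and CRC, then decode the rate and PSDU length; any
    mismatch raises ValueError so the receiver drops the frame."""
    if len(header) < 8:
        raise ValueError("truncated PLCP header")
    sfd = struct.unpack(">H", header[:2])[0]
    if sfd != SFD:
        raise ValueError(f"bad SFD {sfd:#06x}, expected {SFD:#06x}")
    fields = header[2:6]
    signal, service = fields[0], fields[1]
    length = struct.unpack("<H", fields[2:4])[0]
    crc = struct.unpack("<H", header[6:8])[0]
    if crc16_plcp(fields) != crc:
        raise ValueError("PLCP header CRC mismatch")
    if signal not in SIGNAL_TO_MBPS:
        raise ValueError(f"unknown Signal value {signal:#04x}")
    return {"rate_mbps": SIGNAL_TO_MBPS[signal], "rate_from_units": signal / 10,
            "service": service, "psdu_length": length}


if __name__ == "__main__":
    header = build_plcp_header(5.5, 1500)   # constructed header for a 1500-byte PSDU
    print(header.hex(), parse_plcp_header(header))
```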
OFDM
Another PLCP is defined under the IEEE 802.11a standard for orthogonal frequency division multiplexing (OFDM). The PLCP frame format, which is illustrated in Exhibit 7, conveys information for each of the 48 carriers used.
Exhibit 8. PLCP Rate Field Values for OFDM

Rate Field Setting | Data Rate (Mbps)
(not legible) | 6
(not legible) | 9
(not legible) | 12
(not legible) | 18
(not legible) | 24
(not legible) | 36
(not legible) | 48
(not legible) | 54

Exhibit 9. The MAC Layer Frame Format Specified by the IEEE 802.11 Standard (top: Duration/ID, 2 bytes; Address 1, 6 bytes; Address 2, 6 bytes; a 6-byte field; a 2-byte field; a 6-byte field; FCS, 4 bytes. Bottom, the Frame Control subfields: Type, 2 bits; a 4-bit subfield; three 1-bit subfields; Retry, 1 bit; WEP, 1 bit; Order, 1 bit)
The PLCP preamble consists of a sequence of ten short and two long symbols. The Signal field includes several subfields, with the Rate subfield used to define the type of modulation and the coding rate used in the rest of the frame. Exhibit 8 indicates currently defined settings of the Rate field. Note that the eight defined bit sequences permit another eight data rates to be defined. Also note that because each data rate occurs based on the use of a specific modulation technique, the Rate field indirectly defines the modulation method used.
Layer 2: Framing
Exhibit 9 illustrates the layer 2 frame format specified by the 802.11 standard. In examining Exhibit 9, note that the top portion of the illustration indicates the full layer 2 frame format, while the lower portion indicates the subfields within the two-byte frame control field. To obtain an appreciation of how 802.11 wireless LANs operate, we first become acquainted with the fields of the MAC frame.
ToDS/FromDS Fields
The ToDS and FromDS fields are each one bit in length. The setting of the ToDS field to a binary 1 indicates that the frame is destined to the distribution system. When a frame exits the distribution system, its FromDS field value is set to 1. If a frame stays within its basic service set, the values of both the ToDS and FromDS fields are 0.
Retry Field
The purpose of the Retry field is to denote that the frame is a fragment representing the retransmission of a previously transmitted fragment. The receiving station uses the setting of this one-bit field to recognize duplicate transmissions that can occur if an Acknowledgment frame should be lost.
Exhibit 10. Type and Subtype Field Values

Type Value (b3 b2) | Description | Subtype Value (b7 b6 b5 b4) | Description
00 | Management | 0000 | Association request
00 | Management | 0001 | Association response
00 | Management | 0010 | Reassociation request
00 | Management | 0011 | Reassociation response
00 | Management | 0100 | Probe request
00 | Management | 0101 | Probe response
00 | Management | 0110-0111 | Reserved
00 | Management | 1000 | Beacon
00 | Management | 1001 | ATIM
00 | Management | 1010 | Disassociation
00 | Management | 1011 | Authentication
00 | Management | 1100 | Deauthentication
00 | Management | 1101-1111 | Reserved
01 | Control | 0000-1001 | Reserved
01 | Control | 1010 | PS-Poll
01 | Control | 1011 | RTS
01 | Control | 1100 | CTS
01 | Control | 1101 | ACK
01 | Control | 1110 | CF End
01 | Control | 1111 | CF End + CF ACK
10 | Data | 0000 | Data
10 | Data | 0001 | Data + CF ACK
10 | Data | 0010 | Data + CF poll
10 | Data | 0011 | Data + CF ACK + CF poll
10 | Data | 0100 | Null function (no data)
10 | Data | 0101 | CF ACK (no data)
10 | Data | 0110 | CF poll (no data)
10 | Data | 0111 | CF ACK + CF poll (no data)
10 | Data | 1000-1111 | Reserved
11 | Reserved | 0000-1111 | Reserved
The access point (AP) periodically transmits a beacon frame that indicates the presence of the AP and its capabilities. Included in the beacon frame is an indication, for the stations known by the access point to be operating in a Power Save mode, that the AP has buffered frames ready for transmission. The receipt of the beacon causes the station to wake up and note that it has a frame stored at the access point awaiting delivery. This results in the station remaining in an Active power state and transmitting a polling message to the access point as a mechanism to inform the AP that it is ready to receive buffered frames addressed to the station.
WEP Field
The initial design goal of the 802.11 wireless LAN standard was to provide a level of security equivalent to that of a wired LAN. Hence, the mechanism by which authentication and encryption is enabled or disabled is defined by the Wired Equivalent Privacy (WEP) field. This one-bit field denotes whether or not WEP is enabled. Because this field is only one bit in length, all members within a basic service set must use the same security method. WEP is based on a shared key used by each station to generate a stream cipher. The stream cipher expands the key into an infinite pseudo-random key stream, which is modulo 2 added to the data to generate an encrypted data stream. As we note later in this book when we discuss security as a separate entity, several deficiencies in the WEP algorithm make it breakable. In addition, by default it is disabled, allowing many third-party persons to simply drive into a parking lot and, using a laptop computer with a wireless LAN adapter card and an applicable software program, observe most if not all wireless traffic, which can be recorded and immediately understood.
Order Field
The last one-bit field in the Control field is the Order field. When set, this field indicates that the frame is transmitted using a strictly ordered service class. The use of this bit position was included as a mechanism to accommodate the DEC LAT Protocol, which is incapable of accepting a change of ordering between unicast and multicast frames. Because the DEC LAT Protocol is essentially a legacy protocol, for the vast majority of wireless applications this field is not set. Now that we have an appreciation for the use of the fields within the control field, let's continue our tour of the MAC data frame.
Exhibit 11. The Contents of the Address Fields in the MAC Data Frame

ToDS | FromDS | Address 1 | Address 2 | Address 3 | Address 4
0 | 0 | DA | SA | BSSID | not used
0 | 1 | DA | BSSID | SA | not used
1 | 0 | BSSID | SA | DA | not used
1 | 1 | RA | TA | DA | SA

Legend: TA = Transmitter address; RA = Receiver address; SA = Source address; DA = Destination address; BSSID = Basic service set ID
Duration/ID Field
The Duration/ID field is two bytes in length. The meaning of this field depends on the type of frame being transmitted. In a Power-Save Poll message, this field indicates the associated identity (ID) of the transmitting station. For all other types of frames, this field indicates the time in milliseconds requested to transmit a frame and its interval to the next frame. When we later examine the manner by which media access occurs, we note the role of the Duration field.
Address Fields
As indicated in Exhibit 9, a frame can transport up to four addresses. Those address fields are labeled Address 1 through Address 4, and their use depends on the setting of the ToDS and FromDS bits in the Control field. Exhibit 11 indicates the use of the four Address fields based on the setting of the ToDS and FromDS bits. If you examine the addresses listed in Exhibit 11, based on the settings of the ToDS and FromDS bits, you will note that the Address 1 field always indicates the recipient of the frame. This structure is similar to a wired Ethernet frame in that the destination address in that frame precedes the source address. However, unlike a wired LAN, where the destination address always represents a station whose type does not need to be distinguished from one another, the contents of the Address fields in a wireless environment can vary in meaning. Thus, Address 1 can represent a destination address, a basic service set ID, or a receiver address. If the ToDS bit is set, Address 1 contains the address of an access point. If that bit is not set, the value of the Address 1 field then contains a station address. All stations filter on the contents of the Address 1 field, as it represents the recipient of the frame. The Address 2 field always identifies the station transmitting the frame. As indicated in Exhibit 11, the settings of the ToDS and FromDS bits in the Control field define what the value of the Address 2 field represents. When both the ToDS and FromDS bits are set to 0, the Address 2 field contains the original source address. When the ToDS bit is 0 and the FromDS bit is 1, the Address 2 field conveys the BSSID. If you carefully examine the possible addresses conveyed in the Address 2 field in conjunction with the settings of the ToDS and FromDS bits, you will note that when the FromDS bit is set, the value in the Address 2 field represents an access point address. Otherwise, when the FromDS bit is 0, the Address 2 field value represents a station address. The six bytes the Address 3 field transports are also defined by the settings of the ToDS and FromDS fields. When the FromDS bit in the Control field is set to a binary 1, the Address 3 field contains the original source address (SA). If the MAC data frame has the ToDS bit set, then the Address 3 field contains the destination address. The last address field, Address 4, is only applicable when a wireless distribution system is used. In this situation a frame is transmitted from one access point to another. Thus, Address 4 now conveys the source of the DS frame.
CRC Field
The last field in the MAC data frame is the CRC field, also called the frame check sequence (FCS). This field is 4 bytes in length and contains a 32-bit cyclic redundancy check (CRC) that provides a mechanism for detecting transmission errors. To accomplish this task, each station uses a fixed polynomial to divide the contents of the frame (header and body), which for mathematical purposes is treated as one long binary number. As in any division, the result is a quotient and a remainder; the remainder is used as the CRC, while the quotient is discarded. The receiving device uses the same polynomial to perform the same operation on the contents of the frame it received, resulting in a locally generated CRC. If the locally generated CRC matches the transmitted CRC, the frame is considered error-free; otherwise, a transmission error is assumed to have occurred and the frame is discarded without acknowledgment. Note that the CRC detects accidental corruption only: anyone able to alter a frame can simply recompute the CRC, so it provides no protection against deliberate tampering. Now that we have looked at the format of the MAC data frame, let's move on and examine the format of several management and control frames as well as discuss how they are used.
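The address-role table and the CRC check can be exercised on real bytes. The following Python example is added here and is not code from the book: it builds and parses 802.11 data-frame headers, labels the four address fields according to the ToDS/FromDS bits, decodes the Duration/ID field, and verifies the 32-bit FCS using the same CRC-32 polynomial as wired Ethernet (802.11 appends the FCS least-significant byte first, which is what `struct.pack("<I", ...)` produces). The station and access point MAC addresses are constructed sample values, not real devices.

```python
import struct
import zlib

# Role of Address 1..4 for each (ToDS, FromDS) setting, as in Exhibit 11.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),      # wireless distribution system (AP to AP)
}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# Constructed sample addresses (locally administered, not real devices).
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("02000000aaaa")
AP2 = bytes.fromhex("02000000bbbb")
SERVER = bytes.fromhex("020000000002")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame_control(fc):
    """Decode the 16-bit Frame Control field (bit numbering per IEEE 802.11)."""
    return {
        "version": fc & 0x3,
        "type": FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "more_fragments": (fc >> 10) & 1,
        "retry": (fc >> 11) & 1,
        "power_mgmt": (fc >> 12) & 1,
        "more_data": (fc >> 13) & 1,
        "protected": (fc >> 14) & 1,   # the WEP / privacy bit
        "order": (fc >> 15) & 1,
    }


def decode_duration_id(value):
    """Duration/ID: bit 15 clear -> duration in microseconds; bits 15 and 14 set -> AID (PS-Poll)."""
    if value & 0x8000:
        return {"aid": value & 0x3FFF} if value & 0x4000 else {"reserved": value}
    return {"duration_us": value}


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, addr4=None,
                     payload=b"", duration_us=0, seq=0):
    """Assemble a data frame (subtype 0) and append the FCS."""
    fc = (2 << 2) | (to_ds << 8) | (from_ds << 9)
    header = struct.pack("<HH", fc, duration_us) + addr1 + addr2 + addr3
    header += struct.pack("<H", seq << 4)          # sequence control: seq in bits 4..15
    if addr4 is not None:
        header += addr4
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_data_frame(frame):
    """Split a data frame into header fields, role-labelled addresses, payload and FCS status."""
    if len(frame) < 28:
        raise ValueError("frame shorter than a minimal header plus FCS")
    body, fcs = frame[:-4], frame[-4:]
    fc, dur = struct.unpack_from("<HH", body, 0)
    ctl = parse_frame_control(fc)
    if ctl["type"] != "data":
        raise ValueError("not a data frame")
    roles = ADDRESS_ROLES[(ctl["to_ds"], ctl["from_ds"])]
    addrs = [body[4:10], body[10:16], body[16:22]]
    header_len = 24
    if roles[3] is not None:                        # Address 4 follows sequence control
        if len(body) < 30:
            raise ValueError("Address 4 missing")
        addrs.append(body[24:30])
        header_len = 30
    seq_ctl = struct.unpack_from("<H", body, 22)[0]
    return {
        "control": ctl,
        **decode_duration_id(dur),
        "addresses": {role: mac_str(a) for role, a in zip(roles, addrs) if role},
        "recipient": mac_str(addrs[0]),             # Address 1 is always the recipient
        "transmitter": mac_str(addrs[1]),           # Address 2 is always the transmitter
        "fragment": seq_ctl & 0xF,
        "sequence": seq_ctl >> 4,
        "payload": body[header_len:],
        # FCS detects transmission errors only; it offers no protection against tampering.
        "fcs_ok": zlib.crc32(body) == struct.unpack("<I", fcs)[0],
    }


def demo():
    """Station -> AP (ToDS=1), the same data relayed AP -> AP over a WDS link, and a corrupted copy."""
    uplink = build_data_frame(1, 0, AP, STA, SERVER, payload=b"hello", duration_us=44)
    wds = build_data_frame(1, 1, AP2, AP, SERVER, addr4=STA, payload=b"hello")
    corrupted = bytearray(uplink)
    corrupted[24] ^= 0x01                           # flip one payload bit
    return parse_data_frame(uplink), parse_data_frame(wds), parse_data_frame(bytes(corrupted))


if __name__ == "__main__":
    for parsed in demo():
        print(parsed["addresses"], parsed.get("duration_us"), "fcs_ok:", parsed["fcs_ok"])
```

Running `demo()` shows the same source and destination appearing under different Address numbers depending on the direction bits, and a single flipped payload bit failing the FCS check.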
IEEE Standards
Exhibit 12. (frame body fields shown: Timestamp, Beacon Interval, Capability Information, SSID)
Exhibit 13. (frame body fields shown: Timestamp, Beacon Interval, Capability Information, SSID)
Management Frames
Two key management frames we examine in this section are the beacon and probe response frames. An access point periodically transmits a beacon frame to announce its presence and its capabilities. A station that wants to find a network actively sends a probe request frame; an access point that hears it replies with a probe response frame carrying the same information as a beacon (timestamp, beacon interval, capability information, and SSID). By comparing the advertised capability information with its own, the station selects the lowest common denominator of capabilities that both can support before attempting to associate.
Exhibit 14. Capability Information Field Bit Assignments

B0  ESS
B1  IBSS
B2  CF Pollable
B3  CF Poll Request
B4  Privacy
B5  Short Preamble
B6  PBCC
B7  Channel Agility
B8 to B15  ...

Legend: ESS, Extended Service Set; IBSS, Independent Basic Service Set; CF, Contention-Free. The Privacy bit (B4) set to 1 indicates that the network requires WEP encryption of data frames; a beacon with B4 clear advertises an open network.
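Because beacons and probe responses carry exactly the fixed fields of Exhibits 12 and 13 followed by tagged information elements, they can be decoded in a few lines. The following Python example is added here and is not from the book. It assembles a constructed beacon frame body, parses the Timestamp, Beacon Interval and Capability Information fields (decoding the bits of Exhibit 14), walks the information elements to recover the SSID and the DS Parameter Set channel, and flags the two properties a security reviewer looks at first: whether the Privacy bit is clear (an open network) and whether the SSID element is empty (a network withholding its name). The SSID GILSNET, the channels, and the element IDs assembled in `build_beacon_body` are sample values.

```python
import struct

# Capability Information bit assignments (Exhibit 14).
CAPABILITY_BITS = {
    0: "ESS", 1: "IBSS", 2: "CF Pollable", 3: "CF Poll Request",
    4: "Privacy", 5: "Short Preamble", 6: "PBCC", 7: "Channel Agility",
}
ELEMENT_SSID, ELEMENT_RATES, ELEMENT_DS_PARAMS = 0, 1, 3
TIME_UNIT_US = 1024                        # one TU (beacon interval unit) is 1024 microseconds


def decode_capabilities(cap):
    """Return the names of the capability bits that are set, lowest bit first."""
    return [name for bit, name in CAPABILITY_BITS.items() if cap & (1 << bit)]


def parse_elements(data):
    """Walk the (ID, length, value) information elements that follow the fixed fields."""
    elements = []
    offset = 0
    while offset + 2 <= len(data):
        eid, length = data[offset], data[offset + 1]
        value = data[offset + 2: offset + 2 + length]
        if len(value) < length:            # never trust an over-the-air length byte
            raise ValueError(f"element {eid} truncated")
        elements.append((eid, value))
        offset += 2 + length
    return elements


def parse_beacon_body(body):
    """Decode a beacon or probe response frame body (the management frame payload)."""
    if len(body) < 12:
        raise ValueError("body shorter than the fixed fields")
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    elements = dict(parse_elements(body[12:]))      # last occurrence of an ID wins
    ssid = elements.get(ELEMENT_SSID)
    ds = elements.get(ELEMENT_DS_PARAMS)
    return {
        "timestamp_us": timestamp,
        "beacon_interval_ms": interval_tu * TIME_UNIT_US / 1000,
        "capabilities": decode_capabilities(cap),
        "infrastructure": bool(cap & 0x0001),       # ESS set: an access point, not an ad hoc peer
        "privacy": bool(cap & 0x0010),              # Privacy clear means an open network
        "ssid": ssid.decode("utf-8", "replace") if ssid else "",
        "ssid_hidden": ssid is not None and len(ssid) == 0,
        "channel": ds[0] if ds else None,
    }


def build_beacon_body(ssid, interval_tu=100, capabilities=0x0001, channel=6, timestamp=0):
    """Assemble a beacon body: fixed fields, then SSID, Supported Rates and DS Parameter Set."""
    body = struct.pack("<QHH", timestamp, interval_tu, capabilities)
    body += bytes([ELEMENT_SSID, len(ssid)]) + ssid
    body += bytes([ELEMENT_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbps basic rates
    body += bytes([ELEMENT_DS_PARAMS, 1, channel])
    return body


def audit_beacon(info):
    """Findings a reviewer would raise for a beacon decoded by parse_beacon_body()."""
    findings = []
    if info["infrastructure"] and not info["privacy"]:
        findings.append("open network: Privacy bit clear, data frames will be unencrypted")
    if info["ssid"]:
        findings.append(f"SSID {info['ssid']!r} is broadcast in the clear and is not a secret")
    return findings


def demo():
    """Three constructed beacons: WEP-enabled, open, and one that withholds its SSID."""
    wep_ap = parse_beacon_body(build_beacon_body(b"GILSNET", capabilities=0x0011, channel=6))
    open_ap = parse_beacon_body(build_beacon_body(b"GILSNET", capabilities=0x0001, channel=6))
    hidden_ap = parse_beacon_body(build_beacon_body(b"", capabilities=0x0011, channel=11))
    return wep_ap, open_ap, hidden_ap


if __name__ == "__main__":
    for info in demo():
        print(info["ssid"] or "<hidden>", info["channel"], info["capabilities"], audit_beacon(info))
```

The length check in `parse_elements` matters in practice: the element length byte is attacker-controlled, and a parser that slices past the end of the buffer without checking is the classic source of driver crashes when processing malformed beacons.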
Exhibit 15. The hidden node problem: an obstruction between station A and station B prevents each from hearing the other, while station C hears both, so their simultaneous transmissions interfere at station C.
Control Frames
A third type of frame supported by IEEE 802.11 LANs is the control frame. One common control frame is the ACK frame, which is used to acknowledge receipt of a data frame. The 802.11 standard also includes two control frames whose use is optional: the RTS (Request To Send) and CTS (Clear To Send) frames. These frames are used as a pair, with a CTS issued in response to an RTS, and provide a mechanism to overcome what is referred to as hidden station interference.
Hidden Nodes
To understand what a hidden node is and how it can adversely affect transmission, consider Exhibit 15, which illustrates three stations. In this example, assume that an obstruction prevents station A from hearing station B. If station A has data to transmit, it listens to the medium and, because of the obstruction, does not detect that station B is already transmitting. Station A therefore transmits as well, and the result is interference at station C, which hears the transmissions from both station A and station B.
Exhibit 16. (figure axes: Station, Access Point, Time)
Exhibit 17. (frame layout; fields recoverable from the figure: 2 bytes Duration, 4 bytes CRC)
Exhibit 18. Frame layout: 2 bytes Frame Control, 2 bytes Duration, 6 bytes Receiver Address, 4 bytes CRC
In an RTS frame, the transmitter address (TA) is the address of the station transmitting the frame and the receiver address (RA) is the intended recipient. Because a CTS frame is sent in response to an RTS frame, the RA of the CTS is copied from the TA of the received RTS; the CTS carries no TA of its own. In both RTS and CTS frames the Receiver Address and Transmitter Address fields are six bytes in length and use the same MAC address format as a wired LAN. The Duration field of the CTS is derived from the Duration field of the RTS: it is the RTS value less one SIFS and the time needed to transmit the CTS itself, so that every station that hears either frame reserves the medium until the same point in time.
ACK Frame
A third common control frame is the ACK, or Acknowledgment, frame. It is used to acknowledge receipt of data, and its format is shown in Exhibit 18. Similar to the CTS frame, which has fields whose values are copied from an RTS frame, the ACK frame has a field copied from the MAC data frame it acknowledges: the receiver address in the ACK frame is copied from the Address 2 field (the transmitter) of the data frame. Another relationship between a MAC data frame and its ACK concerns the setting of the More Fragments bit in the Frame Control field of the data frame. If that bit is 0, the Duration field in the ACK frame is set to 0. Otherwise, the value placed in the ACK Duration field is the Duration of the previous frame decremented by the time (in microseconds) required to transmit the ACK and by one SIFS, an interval we discuss shortly.
Media Access
The media access control method that IEEE 802.11 wireless LANs use represents a variation of Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA); it is referred to as the distributed coordination function (DCF).
Time Gaps
Under the DCF version of CSMA/CA, three different time gaps, referred to as interframe spaces (IFS), are defined. The longest is the distributed coordination function IFS (DIFS). The DIFS is used as a time delay between frames, in effect extending the period during which other stations cannot transmit to the duration of the frame in progress plus the DIFS. Thus, the DIFS defines the minimum time a station must wait after sensing that the medium is free before it may transmit. As we note shortly, the duration of the DIFS depends on the signaling method used.

A second type of interframe space is the short IFS (SIFS). The SIFS is the minimum waiting time for a station that responds to a control frame or acknowledges a data frame. As previously noted, the 802.11 specification defines such control frames as ACK (Acknowledgment), RTS (Request To Send), and CTS (Clear To Send). The use of RTS and CTS frames is optional and is disabled by default; you would enable them to overcome hidden station interference. Although all 802.11 receivers within a BSS must honor the RTS and CTS frames they hear (by deferring for the advertised duration), transmitting them is optional.

The third interframe space 802.11 LANs support is the point coordination function IFS (PIFS). The PIFS is an intermediate delay, longer than the SIFS but shorter than the DIFS, used by the optional point coordination function (PCF) method of media access. Under PCF, an access point is configured as a point coordinator and becomes responsible for polling each station in turn, granting it the medium for a frame. Although vendors had not yet implemented the PCF option when this book was prepared, it represents a valuable mechanism for supporting time-sensitive applications, such as Voice-over-IP and multimedia transmission, because it prioritizes traffic.
DCF Operation
Under DCF, two interframe spaces are used to regulate media access. For transmissions other than ACK frames, a station must wait at least one DCF interframe space (DIFS) before transmitting data. If a station with data to transmit senses that the medium is busy, it selects a random backoff period by setting its internal timer to an integer number of slot times. The slot time represents the sum of the time required to perform several functions, such as carrier sensing, transceiver turnaround, and MAC processing, as well as signal propagation. Its duration depends on the signaling method used: under DSSS the slot time is 20 µs, while under FHSS it is 50 µs (the DIFS is the SIFS plus two slot times, giving 50 µs for DSSS and 128 µs for FHSS). Once the medium becomes free, the station waits for the DIFS interval to expire and then decrements its timer once per idle slot. When the timer reaches zero, the station listens to the medium and, if it is still not in use, transmits. However, if the medium is seized by another station before the timer reaches zero, the timer is frozen at its current value and the countdown resumes, after the next DIFS, on the subsequent transmission attempt; a station that has already waited part of its backoff is therefore not penalized with a fresh random draw.

Because ACKs have a higher priority than other traffic, a station waits only one short interframe space (SIFS) after receiving a data frame before sending the ACK. The device receiving a MAC data frame listens to the medium and, after the SIFS, transmits the ACK. Because the SIFS is shorter than the DIFS, no station waiting to begin a new transmission can seize the medium ahead of the ACK, so the acknowledging station does not need to back off.

Exhibit 19. The Relationship between DCF Delay Times and the Transmission of a Data Frame and Its Acknowledgment (figure sequence: DIFS, data frame from the source, SIFS, ACK from the destination, DIFS; the whole interval is the deferred access time for other stations)

Exhibit 19 illustrates the relationship between the DIFS, the SIFS, the transmission of a data frame, and its acknowledgment. Note that the period from the initial transmission of the data frame through the DIFS following the ACK represents a deferred access period for other stations. Also note that this version of CSMA/CA is referred to as physical carrier sense, because it relies on stations being able to hear each other. When an obstruction hides one station from another, a station that cannot hear an in-progress transmission may begin transmitting, and one or more stations can then hear both transmissions at once, resulting in interference at those stations. This is the previously described hidden node problem, which is solved by the use of RTS and CTS frames. This optional method of media access is technically referred to as virtual carrier sense. Under virtual carrier sense, a station that needs to transmit data first sends a short RTS frame to the access point with a value in its Duration field that indicates the time for which it requests the medium be reserved for the subsequent transmission. As we noted when we reviewed the format of the RTS and CTS frames, the access point responds with a CTS frame whose Duration field indicates the period for which the medium is reserved. Because the CTS is transmitted by the access point, it is heard by every station within the access point's range, including stations hidden from the original sender; each of them records the duration and defers, which is what resolves the hidden node problem.
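The interframe spaces, the backoff countdown and the Duration values that tie an RTS/CTS/data/ACK exchange together are easier to reason about as arithmetic than as prose. The Python example below is added here and is not from the book. It encodes the DSSS and FHSS timing constants of the original standard (SIFS and slot time, from which PIFS and DIFS are derived), computes frame airtime with the 192 µs DSSS long preamble and PLCP header, derives the Duration field of each frame in a virtual-carrier-sense exchange (each response frame's value is the previous frame's Duration less one SIFS and the response's own airtime, following the rule given above for the ACK), models a backoff counter that freezes while the medium is busy, and computes contention window growth on retries (CWmin 31 and CWmax 1023 are the DSSS values). The FHSS PLCP airtime of 128 µs is my own assumption from the 96-bit preamble and 32-bit header at 1 Mbps; the 1500-byte payload and the idle/busy slot pattern are constructed inputs.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PhyTiming:
    """Timing parameters of one 802.11 signaling method (values from the 1997/1999 standard)."""
    name: str
    sifs_us: int
    slot_us: int
    plcp_us: int            # PLCP preamble + header airtime at the lowest rate
    cw_min: int
    cw_max: int

    @property
    def pifs_us(self):
        return self.sifs_us + self.slot_us          # PCF priority: one slot after SIFS

    @property
    def difs_us(self):
        return self.sifs_us + 2 * self.slot_us      # DCF: two slots after SIFS


DSSS = PhyTiming("DSSS", sifs_us=10, slot_us=20, plcp_us=192, cw_min=31, cw_max=1023)
# FHSS plcp_us=128 is an assumption: 96-bit preamble + 32-bit header at 1 Mbps.
FHSS = PhyTiming("FHSS", sifs_us=28, slot_us=50, plcp_us=128, cw_min=15, cw_max=1023)

RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14        # control frame sizes including FCS


def airtime_us(phy, frame_bytes, rate_mbps):
    """Microseconds to send a frame: PLCP overhead plus the bits at the data rate."""
    return phy.plcp_us + math.ceil(frame_bytes * 8 / rate_mbps)


def nav_durations(phy, data_bytes, data_rate_mbps, ctrl_rate_mbps=1, next_fragment_bytes=None):
    """Duration field of each frame in an RTS/CTS/DATA/ACK exchange (virtual carrier sense)."""
    sifs = phy.sifs_us
    cts = airtime_us(phy, CTS_BYTES, ctrl_rate_mbps)
    ack = airtime_us(phy, ACK_BYTES, ctrl_rate_mbps)
    data = airtime_us(phy, data_bytes, data_rate_mbps)
    dur = {}
    # RTS reserves the rest of the exchange: SIFS + CTS + SIFS + DATA + SIFS + ACK.
    dur["rts"] = sifs + cts + sifs + data + sifs + ack
    # CTS repeats the reservation minus the SIFS and CTS time already consumed.
    dur["cts"] = dur["rts"] - sifs - cts
    # DATA reserves the ACK; with more fragments it also covers the next fragment and its ACK.
    dur["data"] = sifs + ack
    if next_fragment_bytes is not None:
        dur["data"] += sifs + airtime_us(phy, next_fragment_bytes, data_rate_mbps) + sifs + ack
    # ACK: previous Duration less SIFS and the ACK itself, which is 0 for the last fragment.
    dur["ack"] = dur["data"] - sifs - ack
    return dur


def backoff_countdown(slots, medium_idle):
    """Count a backoff timer down over a sequence of slot observations.

    `slots` is the random draw (0..CW); `medium_idle[i]` says whether slot i was idle.
    The counter only decrements on idle slots and is frozen while the medium is busy
    (the DIFS a station re-waits after a busy period is not modelled here).
    Returns (slot index at which transmission begins or None, remaining counter).
    """
    remaining = slots
    for index, idle in enumerate(medium_idle):
        if remaining == 0:
            return index, 0
        if idle:
            remaining -= 1
    return (len(medium_idle), 0) if remaining == 0 else (None, remaining)


def contention_window(phy, retries):
    """CW after `retries` failed attempts: (CWmin+1) doubles each retry, capped at CWmax."""
    return min((phy.cw_min + 1) * (2 ** retries) - 1, phy.cw_max)


def demo():
    return {
        "difs_us": {DSSS.name: DSSS.difs_us, FHSS.name: FHSS.difs_us},
        "durations_1500B_at_11Mbps": nav_durations(DSSS, 1500, 11),
        "backoff": backoff_countdown(3, [True, True, False, False, True]),
        "cw_by_retry": [contention_window(DSSS, r) for r in range(7)],
    }


if __name__ == "__main__":
    print(demo())
```

The `backoff` entry shows the freeze: with a draw of 3 slots and two busy slots in the middle, transmission starts after the fifth slot rather than the third, and the counter is never re-drawn. The Duration values also show why RTS/CTS is worth its overhead only for long frames: the RTS/CTS pair at 1 Mbps costs more airtime than a short data frame it would protect.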
PCF Operation
In concluding this chapter we briefly discuss the operation of the point coordination function (PCF) method of media access control. Although no products supported this option when this book was prepared, its ability to prioritize traffic makes it suitable for supporting Voice-over-IP over wireless as well as multimedia applications. Under PCF, DCF access is suppressed for short periods of time. During such a contention-free (CF) period, the point coordinator (the access point) polls a station with a CF Poll. The station responds with a CF ACK. If the access point has data for the selected station, it issues a CF Poll combined with a data frame (CF Poll + Data), and the receiving station responds with a CF ACK. Next, the access point issues a CF Poll to solicit a frame from the selected station, which responds with CF Data + ACK. The access point then ends the polling with a CF End. Exhibit 20 illustrates an example of PCF operation. Note that PCF operation only occurs during the repeating contention-free periods announced in beacons; between them, stations contend for the medium under DCF.
Exhibit 20. PCF operation during a contention-free period (sequence shown: Beacon from the access point, CF Poll, CF ACK, CF Poll + Data, CF ACK, CF Poll, CF Data + ACK, CF End)
Chapter 4
Ad Hoc Networking
Ad hoc networking represents a peer-to-peer networking environment where all stations represent wireless clients. In its most basic use, an ad hoc network enables two PCs with wireless LAN adapter cards to communicate with one another. On a more sophisticated level, you could use an ad hoc network structure in conjunction with Microsoft software available on Windows 98 and later Windows versions to share a common Internet connection. In this section we examine simple file and folder sharing as well as Internet connection sharing. However, prior to doing so, we need to look at the setup of your network adapter cards so that they will operate in an ad hoc networking environment.
Exhibit 1. The Link Info Tab on the Wireless LAN Configuration Utility Program
Exhibit 2. The Configuration Tab of the SMC Networks Wireless LAN Configuration Utility Program
Ad Hoc Settings
The two ad hoc settings are Ad Hoc and 802.11 Ad Hoc. The first setting (Ad Hoc) should be used when all wireless network adapter cards are manufactured by the same vendor. The second setting (802.11 Ad Hoc) should be used when you want to communicate in a peer-to-peer networking environment using wireless LAN network adapter cards produced by different vendors. Of course, the third mode is infrastructure, which should only be used when you want to access an access point.

The SSID (service set ID) represents a network name. It is sometimes described as a sort of public password, but because it is transmitted in the clear in beacons and probe frames it provides no security: anyone within radio range can read it, so treat it only as a network identifier. In an infrastructure environment, the SSID would be set to the network name assigned to the access point. However, the SSID can also be set to blank or ANY, with the latter shown in Exhibit 2. For peer-to-peer networking to work, you need to set the SSID to a common value, either blank or ANY, on both machines.
TxRate
Continuing our tour of the potential configuration settings in Exhibit 2, the TxRate setting can be used to set an IEEE 802.11b wireless card to a specific operating rate, or you can use the Fully Automatic setting. The latter permits the automatic selection of an appropriate transmit data rate based on the strength and quality of the received signal. When configuring stations for peer-to-peer networking, it is probably best to set the TxRate to Fully Automatic instead of a specific rate.
WEP
The WEP (Wired Equivalent Privacy) key that controls security via encryption is shown disabled. While we discuss WEP in detail in Chapter 6, for now it is important to note that if you enable WEP, you need to use the Encryption tab to ensure that the WEP key is the same for each station in the ad hoc network; a station with a mismatched key will hear the others' frames but cannot decrypt them.
PS Mode
The PS Mode setting governs whether or not power saving is enabled (PS stands for power save, not power sharing). This setting conserves power when you use a notebook operating on battery power, but it has absolutely nothing to do with establishing a peer-to-peer communications session.
Channel
The last setting in the Configuration tab shown in Exhibit 2 concerns the channel to use. You should ensure that each member of the ad hoc network is set to use the same channel, which is in the process of being reset from 6 to 4 in Exhibit 2. Once you have two wireless network adapter cards correctly configured for ad hoc networking, you will note that the icon generated by most vendors' utility programs turns from red to green to indicate that you have an over-the-air connection. If you still have the wireless LAN Configuration Utility program displayed, you may also note that in the Link Information tab the State box indicates a basic service set ID (BSSID) value of hex 00:00:00:00:00:00. This setting indicates that the network adapter card in the computer running the utility program hears the other member of the ad hoc network on channel 4. However, because an access point periodically broadcasts beacon frames that contain the SSID of that device, which I turned off, the utility program displays a BSSID value of all zeros. As a refresher, the BSSID represents the MAC address of the access point a station hears when in infrastructure mode. When the network adapter is in ad hoc mode, it does not hear beacons that contain the source address of an access point, resulting in the display of a BSSID of all zeros (see Exhibit 3).

Exhibit 3.

Because I have five notebook computers and attempted peer-to-peer networking with a variety of products, I noted some interesting items that warrant sharing. First, some wireless network adapter cards could be reset from infrastructure to ad hoc on an appropriate channel and, within 30 seconds of clicking the Apply button, recognized another adapter card in ad hoc mode. Second, with other adapter cards I had to reboot the platform after clicking Apply for the computer and the wireless adapter to respond to the new settings. Now that we know how to configure the utility programs that accompany most vendor wireless LAN network adapter cards, let's turn our attention to the software on your computers that also requires a bit of configuration.
Exhibit 4. Verifying the Installation of a Network Adapter and Controlling Access to Shared Resources
Network Software
While peer-to-peer networking in a wireless LAN environment requires the correct configuration of wireless clients, by itself that is not sufficient to transfer information between computers. In a Windows operating system environment, you also need to configure the operating system to support file and print sharing. In this section we examine how this can be accomplished as well as discuss how you can verify that your wireless network adapter was correctly installed.
detected and its software drivers were installed. If you do not see your wireless LAN adapter listed in the window, you will need to reinstall it. However, prior to doing so, you should check the vendor's Web site to ensure you have the latest drivers for your version of Windows. Once you verify that your wireless network adapter card is installed, you need to ensure that, as a minimum, either the Client for Microsoft Networks or the Client for NetWare Networks is installed. You will also need NetBEUI, the IPX/SPX-compatible protocol, or the TCP/IP protocol suite. If you scroll farther down the window, you may notice the entry Service: File and Printer Sharing for Microsoft Networks. If this entry is not found, you have not enabled file and/or printer sharing. To do so, click on the button labeled File and Print Sharing shown in the left portion of Exhibit 5. This action results in the display of the dialog box shown in the right portion of Exhibit 5. Then click on the appropriate checkboxes and the OK button. After this action, the entry Service: File and Printer Sharing for Microsoft Networks should appear in the window in the Configuration tab of the Network dialog box.
Assigning Identifiers
Being able to recognize a computer on a network requires the assignment of a name and workgroup to your system. To accomplish this task, first click on the Identification tab in the Network dialog box. Exhibit 6 shows the Identification tab of the Network dialog box on a Windows 98-based notebook. Note that this tab provides the ability to enter a computer name, workgroup name, and description. The computer name must be unique for each computer on the network and should be no more than 15 characters in length. For a small network environment, consider using a common workgroup name, which will allow all computers to be visible in the same workgroup when browsing. Once you change a setting in the Identification tab, you will be prompted to restart your computer. For illustrative purposes, I will change the workgroup name to GILSWORKGROUP and the computer name to Compaq. Once this is accomplished, I will defer rebooting until I define the devices, drives, and folders that should be shared. Thus, another step in the implementation of ad hoc networking is to define the resources you wish to share.
Exhibit 5. Network Dialog Box and Its File and Print Sharing Option
Exhibit 6.
Exhibit 7 illustrates sharing via the use of one of my notebook computers. In this example, after selecting the C drive and right-clicking, I selected the Properties entry from the pop-up menu, resulting in the dialog box being displayed. Note that the Sharing tab is positioned in the foreground and we are in the process of sharing the contents of drive C. You can modify the default access permission. You can also establish a password that can be used to control access to read-only shares. Keep in mind that sharing an entire drive over a wireless link exposes everything on it to anyone who joins the ad hoc network, so in practice share only the folders you need. However, because Windows 98 as well as its close relatives Windows 95 and Windows ME do not use the NT file system (NTFS), more sophisticated file sharing is not possible.

Exhibit 7.

If you are using a different version of Windows, such as Windows 2000 or Windows XP, the procedures previously discussed will differ slightly. For example, you access the Network and Dial-Up Connections dialog box either via the Start menu or from the Control Panel and simply view the wireless LAN connection icon to verify its installation. If the wireless LAN network adapter is not functioning correctly under Windows XP, a red line appears through the icon to indicate this fact. If the icon appears normal, right-click on it to display a pop-up menu whose last entry is Properties. Selecting that entry results in the display of a dialog box for the selected network adapter that indicates the components to be used for the connection. Similar to our earlier discussion concerning Windows 95/98, you want to ensure that the applicable protocols are installed and that File and Printer Sharing for Microsoft Networks is displayed in the window in the dialog box. If not, you will need to install the applicable protocol(s) and File and Printer Sharing for Microsoft Networks. Once this is accomplished, you can implement the sharing of drives, folders, or printers in several ways. For example, open Windows Explorer and locate the folder or drive you want to share; then right-click to bring up a pop-up menu whose last entry is the well-known Properties label. Exhibit 8 illustrates the use of Windows Explorer on a Windows 2000 system to select drive C and the resulting Properties dialog box with its Sharing tab displayed in the foreground. Under Windows 2000 you can set permissions to define which users can access your shared components as well as the type of access: full control, change, and read. A second method to control sharing when using Windows XP or Windows 2000 is through the Computer Management console. As indicated in Exhibit 9, the console contains a Shared Folders entry. Opening this entry lets you use the Action menu to create new file shares or stop an existing share; the latter operation removes it from the list of shared folders.
Exhibit 8.
Exhibit 9. The Computer Management Console under Windows 2000 and Windows XP
routing capability also function as a DHCP server, permitting wireless stations to obtain a leased IP address when the station adapter is in the infrastructure mode of operation. However, when the adapter is placed in the ad hoc mode of operation, Windows will not inform you that you need to assign an IP address to your station. Thus, you might stare at your computer and observe that while the utility programs display a green light indicating RF communications between peers is occurring, you cannot implement peer-to-peer communications. The solution to this problem is correctly configuring TCP/IP. On a Windows XP computer, double-click on the network icon in the Control Panel to display your wireless connection icon. Right-clicking on that icon and selecting Properties from the pop-up menu results in the display of a dialog box similar to the one shown in the left portion of Exhibit 11. In examining the left portion of Exhibit 11, note that we installed File and Printer Sharing for Microsoft Networks. To set the IP address on the computer, first select Internet Protocol (TCP/IP) and then click on the button labeled Properties. A dialog box similar to the one shown in the right portion of Exhibit 11 is then displayed. By default, the button to the left of the label Obtain an IP address automatically will be selected. To set a static IP address, click on the button to the left of the label Use the following IP address and then enter an IP address and subnet mask. For peer-to-peer networking purposes, you can use any addresses, preferably from a private (RFC 1918) block such as 192.168.x.x, as long as each peer receives a unique address, all peers fall within the same subnet, and all use the same subnet mask. Because you will be communicating only between peers, you do not need to specify a DNS server address.
Exhibit 10.
Building the Wireless Office
Exhibit 11.
While you might be tempted to believe we have finally arrived at the point to implement peer-to-peer networking, if you are using Windows XP you need to make one more change. You need to click on the Authentication tab shown in the left portion of Exhibit 11. When you do so, you will note a box checked by default to enable IEEE 802.1X authentication, a security technique described in Chapter 6. Leaving this box checked makes the operating system attempt to authenticate the peer-to-peer user, which cannot succeed because there is no infrastructure with an authentication server reachable through an access point. Thus, unless you remove the checkmark, your peer-to-peer networking will not work. Re-enable the setting when the adapter is returned to an infrastructure network that relies on 802.1X. Now that we have everything in order, it is highly recommended that you reboot both computers, including the XP machine, which does not tell you it needs to be rebooted. After rebooting both computers, you can go to Network Neighborhood on one computer and view your other computer in the peer-to-peer network. Double-clicking on the name of the other computer allows you to explore its shares and provides you with the peer-to-peer networking capability you seek.
Exhibit 12.
Toshiba-user. To paraphrase my old professor, we have enjoyed viewing the pudding. Now that we understand how ad hoc networking can be established, we may be curious as to what we can do with this feature beyond sharing drives, folders, and files. Once ad hoc networking is established, we have a link between PCs at the physical layer; however, we need to perform the previously mentioned configuration changes before the computers can actually exchange data. Once that occurs, we can use the Microsoft Internet Connection Sharing (ICS) feature included in most versions of Windows to share a common Internet connection. Because this can save the home or small business user a considerable monthly Internet connection fee, let's turn our attention to this feature.
Exhibit 13.
Windows 98 Second Edition and later Windows versions, one computer can share its existing Internet connection with another through the Internet Connection Sharing software that is now part of modern versions of Windows. To use the Internet Connection Sharing feature of Windows, you need to first correctly install wireless LAN network adapters in each computer and then set applicable drives and folders for sharing. Then you need to install and configure Internet Connection Sharing.
Installation
Exhibit 14. Viewing the Lotus Directory on a Toshiba Computer from a Compaq Computer via a Peer-to-Peer Wireless Connection

The installation of Internet Connection Sharing can be accomplished by selecting Add/Remove Programs from the Control Panel. Once the Add/Remove Programs Properties dialog box is opened, select the Windows Setup tab as illustrated in the left portion of Exhibit 15. Then click on the Details button to obtain the ability to select Internet Connection Sharing. Clicking on the Details button results in the display of the Internet Tools dialog box, shown in the right portion of Exhibit 15. Once you select Internet Connection Sharing and click on the OK button, click on the Apply button located in the lower right corner of the Add/Remove Programs Properties dialog box. Depending on the version of Windows you are using, you may need to restart your computer.
Configuration
Once you install Internet Connection Sharing, you need to configure this feature. To do so, select the Internet Options icon in the Control Panel. Once the Internet Options dialog box is displayed, select the Connections tab and select the LAN connection button. An Internet Connection Wizard will permit you to select an applicable adapter for sharing your Internet connection and prompt you for a disk to write configuration software for use by the browser on the sharing computer. The Internet Connection Sharing Wizard will also set the IP address of the connection-sharing computer to 192.168.0.1. The other computer on your shared network can then be set to any IP address in the range 192.168.0.2 to 192.168.0.253.

Exhibit 15.
Infrastructure Operations
In this section we review the steps in creating a wireless LAN infrastructure. In doing so, we examine the setup of a typical combined router and access point as well as illustrate the applicable settings required to use a wireless network adapter card from a different vendor. For illustrative purposes, we examine the configuration of a Netgear model MR314 cable/DSL modem wireless router. The Netgear MR314 wireless router includes a built-in four-port 10/100 Mbps Ethernet switch, which enables a user to connect the router to both a wired and a wireless infrastructure. A separate 10/100 Mbps Ethernet port provides a connection to a cable/DSL modem. The Netgear wireless router uses a block of RFC 1918 private Class C addresses. Those addresses are dynamically issued to both wired and wireless clients through a built-in Dynamic Host Configuration Protocol (DHCP) server. Although we examine the TCP/IP protocol suite in Chapter 5, we can note that through a network address translation (NAT) capability, the Netgear router can use the single IP address assigned to your cable or DSL connection to support up to 253 additional devices. For those of us not conversant in IP addressing, a Class C address block has 256 host values. However, values 0 and 255 cannot be used, because a host value of 0 identifies the network itself and a value of 255 is the broadcast address. While this would normally leave 254 (256 minus 2) unique host addresses, the router uses one of them, so 253 remain available for assignment to both wired and wireless clients; this places a cap on the number of clients that can be supported. While this is probably more than sufficient for most small and many medium-sized organizations, larger organizations will probably require multiple Internet connections and the use of multiple routers.
Configuring a PC IP Address
Exhibit 16 illustrates the configuration of the IP address 192.168.0.2 on my PC, which was directly cabled to the Netgear wireless router. Note that the left portion of Exhibit 16 shows the selection of the Configuration tab in the foreground, with the integrated 10/100 Ethernet controller highlighted. If you were attempting to configure the router via a wireless connection, you would highlight the wireless Ethernet adapter instead.
Gateway Configuration
The last setting we need to be concerned about for the PC to talk to the Netgear router as well as to access the Internet is the one used to define the IP address of the gateway. The term gateway is an old name for a device that routes data from one network to another. Although the more modern term for this device is router, some things never change, and the term gateway is still used as a carryover from first-generation products that routed data. In any event, the gateway or router we are working with is the Netgear wireless router, whose IP address is 192.168.0.1. Thus, we define that IP address in the Gateway tab of the TCP/IP Properties dialog box. Exhibit 18 illustrates the assignment of the IP address 192.168.0.1 for the gateway. Once this is accomplished, depending on the version of Windows you are using, you may need to reboot your computer for the address and host name assignments to take effect.
Exhibit 16.
Exhibit 17.
Exhibit 18.
Exhibit 19.
facility of the device. Because of this, one of the first things you should do after you set up the wireless router is to change the default login values. Once you enter the applicable user name and password, the Netgear router configuration utility window appears in your browser's page display area. Exhibit 20 illustrates this display. In examining Exhibit 20, note that we entered the IP address 192.168.0.1 to access the router. Also note that the Netgear router configuration utility supports three options, listed along the left side of Exhibit 20: WIZARD SETUP, ADVANCED, and MAINTENANCE. Because this section focuses on installing an infrastructure wireless LAN, we use the WIZARD SETUP option. However, you should use the ADVANCED option to change the router's password before going further, because anyone on the wired or wireless LAN who can reach 192.168.0.1 and knows the vendor default can otherwise reconfigure the device. Later in this book we examine the use of the ADVANCED and MAINTENANCE options when we focus on interoperability in Chapter 7.
Building the Wireless Office
Exhibit 20.
Exhibit 21.
Exhibit 22.
up. By default, the Netgear wireless router is set to use channel 1. In Exhibit 22 it is shown reset to channel 6.
Exhibit 23.
Exhibit 24.
Accepting Default Values for the WAN IP and DNS Server Address Assignments
Site Selection
In concluding this chapter we briefly discuss one additional topic that deserves consideration: site selection for an access point or wireless router. For home users the site selection process is relatively easy, as you would normally install your wireless router close to your cable or DSL modem connection. In an office environment the process can be more involved, because an office contains more metallic objects and other surfaces that reflect radio waves, resulting in a higher degree of multipath reflection. Fortunately, most wireless LAN network adapter cards include a utility program that monitors and displays link quality and signal strength. You can use a notebook with a wireless network adapter card to move around the office, noting the link quality and signal strength of the access point or wireless router at different locations in the building. Then, if necessary, you can move the access point or router to improve the received signal at the locations where you anticipate placing wireless stations. Keep in mind that a signal strong enough to serve every desk is usually also receivable from outside the building, which is one more reason the default login values and the wireless security settings should not be left as shipped.
Exhibit 25. Accessing the Internet via a Notebook Computer Using an SMC Networks Wireless Network Adapter Communicating with a Netgear Wireless Router
Chapter 5
datagram. This datagram contains a destination IP address used for routing purposes.
Routing
The actual routing of an IP datagram occurs via a best-effort, connectionless delivery mechanism: IP by itself does not establish a session between source and destination before it transports datagrams. When IP transports a TCP segment, it is the TCP header that provides a connection-oriented session between two layer 4 endpoints; IP, operating as the layer 3 network protocol, simply carries the segments. The importance of IP is underscored by the fact that routing between networks is based on IP addresses. As we note later in this chapter, the device that routes data between different IP-addressed networks is known as a router. Because it would be extremely difficult, if not impossible, to statically configure every router in a large network with routes to every other router and network, routing protocols are indispensable to the operation of a dynamic series of interconnected IP networks. Such protocols automatically convey changes in the reachability of networks, enabling routers to adjust their routing tables dynamically.
The IP Header
The current version of the Internet Protocol is version 4, so IP is commonly referred to as IPv4. The next generation of the Internet Protocol is IPv6. In this section we focus on IPv4 because every wireless device supports it.
Exhibit 1.
Exhibit 2. Internet Protocol Version Numbers (RFC 1700)

Number          Assignment
0               Reserved
1 through 3     Unassigned
4               IP
5               Streams
6               IPv6
7               TP/IX
8               P Internet Protocol (PIP)
9               TUBA
10 through 14   Unassigned
15              Reserved
Exhibit 1 illustrates the fields contained in the IPv4 header. In examining it, note that the header consists of a minimum of 20 bytes, with the width of each field shown relative to a 32-bit (4-byte) word. To obtain an appreciation for the operation of IP, let us examine the function of each field in the header. As we do so, where appropriate we discuss the relation of certain fields to routing and security, topics covered in detail in later chapters.
Vers Field
The Vers field is four bits in length and identifies the version of IP used to create the datagram. The current version of IP is v4, with the next generation assigned version number 6. Four bits support 16 version numbers. RFC 1700 lists the assigned Internet version numbers; a summary of that listing is included in Exhibit 2. In examining Exhibit 2, note that the reason the next-generation Internet Protocol is IPv6 instead of IPv5 is related to the
Exhibit 3. The Precedence and Type of Service Subfields

Bits 0 to 2: Precedence, providing 8 levels (0 to 7), with 0 normal and 7 the highest
Bits 3 to 6: Type of Service (ToS), indicating how the datagram is handled:
  0000 Default
  0001 Minimize Monetary Cost
  0010 Maximize Reliability
  0100 Maximize Throughput
  1000 Minimize Delay
  1111 Maximize Security
Bit 7: R (Reserved)
fact that version 5 was previously assigned to an experimental protocol referred to as the Streams 2 Protocol.
Hlen Field
The length of the IP header can vary because the header can carry options. To separate the header from the rest of an IP datagram correctly, a receiving device must know where the header ends. The HLEN field, whose value indicates the length of the header, performs this function. The HLEN field is four bits in length. In examining Exhibit 1, note that the IP header consists of 20 bytes of fixed information followed by any options. A four-bit field can hold only the values 0 through 15, so it cannot express a header length in bytes directly; instead, the value represents the number of 32-bit words in the header. For example, the shortest IP header is 20 bytes, or 160 bits. Dividing 160 by 32 gives 5, which is the value placed in the HLEN field when the header contains 20 bytes and no options. The largest value, 15, corresponds to a 60-byte header, leaving 40 bytes for options. A receiver should treat any datagram whose HLEN is less than 5, or whose HLEN multiplied by four exceeds the value of the Total Length field, as malformed and discard it.
handled. The three bits in the Precedence field allow the transmitting station to indicate to the IP layer the priority for sending a datagram. A value of 000 indicates normal precedence, while 111 indicates the highest level and is normally reserved for network control. The value in the Precedence field is combined with the setting of the Type of Service field to indicate how a datagram should be processed. As indicated in the lower portion of Exhibit 3, six settings are defined for the Type of Service field. To understand how this field would be used, assume that an application is transmitting digitized voice, which requires minimal routing delay because latency degrades the reconstruction of the voice signal. Setting the Type of Service field to 1000 indicates to each router in the path between source and destination that the datagram is delay-sensitive and should be processed so as to minimize delay. In comparison, because routers discard packets during periods of congestion, an application for which delivery is of primary importance would set the ToS field to 0010, denoting that the datagram requires maximum reliability; routers would then select other packets for discard before discarding a packet with its ToS subfield set to 0010. Although the concept behind a service-type field was sound, in practice it was rarely honored. The reason is that routers supporting the field would have to construct and maintain multiple routing tables, one per service type. While this is not a problem for small networks, maintaining multiple routing tables can significantly degrade router performance in a complex network such as the Internet. (The same byte has since been redefined as the Differentiated Services field, RFC 2474, whose six-bit code point replaces both Precedence and ToS; the layout described here is what IPv4 stacks of the period exposed.) Note also that these bits are set by the sender: a host can mark its own traffic as high precedence, so a network that acts on them must re-mark or police them at its edge.
via an Ethernet network. Token Ring networks that operate at 16 Mbps can transport approximately 18 kilobytes (kB) in their Information field. In comparison, an Ethernet frame has a maximum-length Information field of 1500 bytes. This means that datagrams routed between Token Ring networks via an Ethernet network must be subdivided, or fragmented, into pieces no longer than 1500 bytes for the Ethernet to transport them. The maximum transmission unit (MTU) is defined as the size of the largest packet that can be transmitted or received through a logical interface; the smallest MTU along the route between source and destination is referred to as the path MTU. For our example of two Token Ring networks connected via an Ethernet network, the path MTU would be 1500 bytes. Because it is prudent to commence transmission with a packet size that can flow through every network on the path and, if possible, adjust the size once the path is known, IP hosts use a default datagram length of 576 bytes when sending to a remote (off-network) destination. Fragmentation is an interesting function because it allows networks capable of transmitting larger packets to do so more efficiently: larger packets carry proportionately less header overhead. The gain in efficiency is not without cost, however. First, although routers can fragment datagrams, they do not reassemble them; reassembly is left to the destination host, because router CPU and memory requirements would expand considerably if routers had to reassemble datagrams flowing to networks containing hundreds or thousands of hosts. Second, a setting in the Flags field, which we cover shortly, can be used to indicate that a datagram must not be fragmented.
Because fragmentation imposes this reassembly burden, and because the loss of a single fragment forces the entire datagram to be retransmitted, many applications by default set the Don't Fragment flag bit and use a datagram length that, while perhaps not the most efficient, ensures that the datagram can flow end to end because its length represents the lowest common denominator of the networks it will traverse. When an IP datagram is fragmented, three fields in the IP header come into play: Identification, Flags, and Fragment Offset. The Identification field is 16 bits in length and indicates which fragments belong together. A receiving device operating at the IP network layer uses the Identification field together with the source address, destination address, and Protocol field to determine which fragments belong to the same datagram. Putting the fragments back together in the correct order requires a mechanism to distinguish one fragment from another. That mechanism is the Fragment Offset field, which indicates where each fragment's data belongs in the original datagram. The value in the Fragment Offset field is a 13-bit integer counted in units of eight bytes, measured from the beginning of the original datagram's data. For example, if the first fragment carries 512 bytes of data, the second fragment would carry an offset value of 64 (512/8), indicating that its data begins 512 bytes into the original payload. By using the Total Length and Fragment Offset fields, a receiver can reconstruct a fragmented datagram. The receiver must not, however, assume that the fragments it receives fit together cleanly: fragments whose offsets overlap, or whose offset plus length would exceed the 65,535-byte maximum datagram size, are a well-known way to evade packet filters and to crash carelessly written protocol stacks, so a careful implementation checks for gaps, overlaps, and oversize results before accepting the reassembled datagram.
Flags Field
The third field in the IP header directly associated with fragmentation is the Flags field. This field is three bits in length: the first bit is reserved and must be zero, and the remaining two bits carry fragmentation information. The first of those bits, Don't Fragment (DF), is a direct fragment control mechanism; a value of 0 indicates the datagram may be fragmented, while a value of 1 indicates it must not be fragmented, in which case a router unable to forward it whole discards it. The second bit, More Fragments (MF), indicates fragmentation progress. When MF is 0, the current fragment is the last fragment of the datagram; a value of 1 indicates that more fragments follow.
Protocol Field
While TCP and UDP represent a large majority of layer 4 protocols carried in an IP datagram, they are not the only protocols transported. In addition, even if they were, we would need a mechanism to distinguish one upper layer protocol from another carried in a datagram. The method used to distinguish the upper layer protocol carried in an IP datagram is obtained through the use of a value in the Protocol eld. For example, a value of decimal 6 is used to indicate that a TCP header follows the IP header, while a value of decimal 17 indicates that a UDP header follows the IP header in a datagram.
The Protocol field is eight bits in length, permitting up to 256 protocols to be defined under IPv4. Exhibit 4 lists the current assignments of Internet Protocol numbers. Note that although TCP and UDP represent the vast majority of TCP/IP traffic on the Internet and on corporate intranets, other protocols can be transported, and a large block of protocol numbers is currently unassigned.
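To make the header layout, the HLEN arithmetic, the checksum, and the three fragmentation fields concrete, the following Python is an added example that is not part of the book. It decodes the fixed IPv4 header as described in the preceding sections, verifies the header checksum and the HLEN/Total Length consistency, and reassembles constructed fragments while refusing the gaps, overlaps, and oversize results the text warns about. The fragments it works on are built inside the script; the addresses 192.168.0.2 and 192.168.0.1 are simply the PC and router addresses used earlier in the chapter, and every function name is my own.

```python
# Added example (not from the book): IPv4 header decoding and fragment reassembly
# following RFC 791. All packets below are constructed in this script.
import struct
from typing import Dict, List, Tuple, Union

HEADER_FMT = "!BBHHHBBH4s4s"   # the 20 fixed header bytes, network byte order
MAX_DATAGRAM = 65535           # Total Length is a 16-bit field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented.
    Over a valid header (checksum field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Decode the fixed header and sanity-check HLEN, Total Length and checksum."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # HLEN counts 32-bit words
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    if hlen < 20 or hlen > total_len or total_len > len(packet):
        raise ValueError("HLEN/Total Length inconsistent with the packet")
    if ipv4_checksum(packet[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "hlen": hlen,
        "precedence": tos >> 5,            # bits 0-2 of the service type byte
        "tos": (tos >> 1) & 0x0F,          # bits 3-6 (bit 7 reserved)
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),   # Don't Fragment
        "mf": bool(flags_frag & 0x2000),   # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, units of 8 bytes
        "ttl": ttl,
        "protocol": proto,                 # 6 = TCP, 17 = UDP (Exhibit 4)
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": packet[hlen:total_len],
    }


def build_fragment(ident: int, data: bytes, offset: int, more: bool,
                   proto: int = 17, src: bytes = b"\xc0\xa8\x00\x02",
                   dst: bytes = b"\xc0\xa8\x00\x01") -> bytes:
    """Construct one fragment (no options) with a correct header checksum."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    fields = [0x45, 0, 20 + len(data), ident, flags_frag, 64, proto, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields) + data


def reassemble(fragments: List[bytes]) -> bytes:
    """Rebuild the original payload, refusing gaps, overlaps and oversize results."""
    parts = sorted((parse_ipv4_header(f) for f in fragments),
                   key=lambda p: p["frag_offset"])
    if len({(p["src"], p["dst"], p["id"], p["protocol"]) for p in parts}) != 1:
        raise ValueError("fragments do not belong to one datagram")
    data, expected = bytearray(), 0
    for i, p in enumerate(parts):
        last = i == len(parts) - 1
        if p["frag_offset"] != expected:         # gap, or overlap (teardrop-style)
            raise ValueError(f"offset {p['frag_offset']} does not abut {expected}")
        if p["mf"] == last:                      # MF must be set on all but the last
            raise ValueError("More Fragments flag inconsistent with position")
        if not last and len(p["payload"]) % 8:
            raise ValueError("non-final fragment length not a multiple of 8")
        data += p["payload"]
        expected += len(p["payload"])
        if 20 + expected > MAX_DATAGRAM:
            raise ValueError("reassembled datagram would exceed 65,535 bytes")
    return bytes(data)


def try_reassemble(fragments: List[bytes]) -> Tuple[bool, Union[bytes, str]]:
    """Wrapper returning (ok, payload-or-reason) instead of raising."""
    try:
        return True, reassemble(fragments)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample: a 1024-byte payload split at 512 bytes (offset field = 64).
PAYLOAD = bytes(range(256)) * 4
GOOD = [build_fragment(0x1234, PAYLOAD[:512], 0, True),
        build_fragment(0x1234, PAYLOAD[512:], 512, False)]
# Second fragment starts 8 bytes early, so it overlaps the first one.
OVERLAP = [GOOD[0], build_fragment(0x1234, PAYLOAD[504:], 504, False)]

if __name__ == "__main__":
    print(parse_ipv4_header(GOOD[1]))
    print(try_reassemble(GOOD)[0], try_reassemble(OVERLAP))
```

Running the script prints the decoded second fragment (offset 512, MF clear, protocol 17) and then True for the clean pair and a rejection for the overlapping pair. The reassembly loop deliberately requires each fragment to start exactly where the previous one ended; a production stack also has to hold partial datagrams for a bounded time and cap the memory it devotes to them, which this example omits.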
IP Addressing
Although we normally associate a host with a distinct IP address, in actuality IP addresses are used by the Internet Protocol to identify distinct device interfaces. That is, each interface on a device has a unique IP address. This explains how a router with multiple interfaces can receive communications addressed to the device on different router ports connected to LANs and
Exhibit 4. Assigned Internet Protocol Numbers

Decimal   Keyword        Protocol
0         HOPOPT         IPv6 Hop-by-Hop Option
1         ICMP           Internet Control Message
2         IGMP           Internet Group Management
3         GGP            Gateway-to-Gateway
4         IP             IP in IP (encapsulation)
5         ST             Stream
6         TCP            Transmission Control Protocol
7         CBT            CBT
8         EGP            Exterior Gateway Protocol
9         IGP            Any private interior gateway (used by Cisco for its IGRP)
10        BBN-RCC-MON    BBN RCC Monitoring
11        NVP-II         Network Voice Protocol Version 2
12        PUP            PUP
13        ARGUS          ARGUS
14        EMCON          EMCON
15        XNET           Cross Net Debugger
16        CHAOS          Chaos
17        UDP            User Datagram
18        MUX            Multiplexing
19        DCN-MEAS       DCN Measurement Subsystems
20        HMP            Host Monitoring
21        PRM            Packet Radio Measurement
22        XNS-IDP        XEROX NS IDP
23        TRUNK-1        Trunk-1
24        TRUNK-2        Trunk-2
25        LEAF-1         Leaf-1
26        LEAF-2         Leaf-2
27        RDP            Reliable Data Protocol
28        IRTP           Internet Reliable Transaction
29        ISO-TP4        ISO Transport Protocol Class 4
30        NETBLT         Bulk Data Transfer Protocol
31        MFE-NSP        MFE Network Services Protocol
32        MERIT-INP      MERIT Internodal Protocol
33        SEP            Sequential Exchange Protocol
34        3PC            Third Party Connect Protocol
35        IDPR           Inter-Domain Policy Routing Protocol
36        XTP            XTP
37        DDP            Datagram Delivery Protocol
38        IDPR-CMTP      IDPR Control Message Transport Protocol
39        TP++           TP++ Transport Protocol
40        IL             IL Transport Protocol
41        IPv6           IPv6
42        SDRP           Source Demand Routing Protocol
43        IPv6-Route     Routing Header for IPv6
44        IPv6-Frag      Fragment Header for IPv6
45        IDRP           Inter-Domain Routing Protocol
46        RSVP           Reservation Protocol
47        GRE            General Routing Encapsulation
48        MHRP           Mobile Host Routing Protocol
49        BNA            BNA
50        ESP            Encap Security Payload for IPv6
51        AH             Authentication Header for IPv6
52        I-NLSP         Integrated Net Layer Security
53        SWIPE          IP with Encryption
54        NARP           NBMA Address Resolution Protocol
55        MOBILE         IP Mobility
56        TLSP           Transport Layer Security Protocol (using Kryptonet key management)
57        SKIP           SKIP
58        IPv6-ICMP      ICMP for IPv6
59        IPv6-NoNxt     No Next Header for IPv6
60        IPv6-Opts      Destination Options for IPv6
61                       Any host internal protocol
62        CFTP           CFTP
63                       Any local network
64        SAT-EXPAK      SATNET and Backroom EXPAK
65        KRYPTOLAN      Kryptolan
66        RVD            MIT Remote Virtual Disk Protocol
67        IPPC           Internet Pluribus Packet Core
68                       Any distributed file system
69        SAT-MON        SATNET Monitoring
70        VISA           VISA Protocol
71        IPCV           Internet Packet Core Utility
72        CPNX           Computer Protocol Network Executive
73        CPHB           Computer Protocol Heart Beat
74        WSN            Wang Span Network
75        PVP            Packet Video Protocol
76        BR-SAT-MON     Backroom SATNET Monitoring
77        SUN-ND         SUN ND PROTOCOL-Temporary
78        WB-MON         WIDEBAND Monitoring
79        WB-EXPAK       WIDEBAND EXPAK
80        ISO-IP         ISO Internet Protocol
81        VMTP           VMTP
82        SECURE-VMTP    SECURE-VMTP
83        VINES          VINES
84        TTP            TTP
85        NSFNET-IGP     NSFNET-IGP
86        DGP            Dissimilar Gateway Protocol
87        TCF            TCF
88        EIGRP          EIGRP
89        OSPFIGP        OSPFIGP
90        Sprite-RPC     Sprite RPC Protocol
91        LARP           Locus Address Resolution Protocol
92        MTP            Multicast Transport Protocol
93        AX.25          AX.25 Frames
94        IPIP           IP-within-IP Encapsulation Protocol
95        MICP           Mobile Internetworking Control Protocol
96        SCC-SP         Semaphore Communications Sec. Protocol
97        ETHERIP        Ethernet-within-IP Encapsulation
98        ENCAP          Encapsulation Header
99                       Any private encryption scheme
100       GMTP           GMTP
101       IFMP           Ipsilon Flow Management Protocol
102       PNNI           PNNI over IP
103       PIM            Protocol Independent Multicast
104       ARIS           ARIS
105       SCPS           SCPS
106       QNX            QNX
107       A/N            Active Networks
108       IPPCP          IP Payload Compression Protocol
109       SNP            Sitara Networks Protocol
110       Compaq-Peer    Compaq Peer Protocol
111       IPX-in-IP      IPX in IP
112       VRRP           Virtual Router Redundancy Protocol
113       PGM            PGM Reliable Transport Protocol
114                      Any 0-hop protocol
115       L2TP           Layer 2 Tunneling Protocol
116       DDX            D-II Data Exchange (DDX)
117-254                  Unassigned
255                      Reserved
WANs. Devices such as hosts, routers, and gateways can have one or multiple interfaces. When a device has multiple interfaces, it is assigned multiple IP addresses, one per interface. In a wireless environment, the network adapter card plugged into a notebook is an interface that will have an assigned IP address. Because most hosts connect to a LAN through a single interface, most readers familiar with IP addressing associate a single IP address with a host. Although not as common as workstations with a single network connection, some servers, and all firewalls and routers, have multiple network connections. Exhibit 5 illustrates a network structure used to connect a corporate private network to the Internet. In this example, a demilitarized zone (DMZ) LAN interconnects the router and the firewall. A DMZ LAN, as used here, is a LAN
Exhibit 5. Several Types of Communications Devices with an IP Address Assigned to Each Interface
without servers or workstations, in effect forcing all communications to and from the Internet to pass through the firewall. Note that both the router and the firewall have multiple ports. Thus, in an IP networking environment, each of these communications devices would be assigned two IP addresses, one for each interface.
Exhibit 6. The Two-Level IP Addressing Hierarchy Used for Class A, B, and C Addresses

Network portion | Host portion

Under the two-level IP addressing hierarchy, the 32-bit IP address is subdivided into network and host portions. The leading bits of the 32-bit word specify whether the network portion is 1, 2, or 3 bytes in length, leaving a host portion of 3, 2, or 1 bytes respectively.
Although IPv6 will considerably enhance support for an expanded Internet and facilitate various routing operations, at the time of this writing it was expected to be many years before the new protocol moved from experimental status into production. For that reason we focus on IPv4 addressing in this section.
Address Classes
During the development of the Internet Protocol, it was recognized that hosts would be connected to different networks and that those networks could be interconnected to form a network of networks, now commonly referred to as the Internet. Thus, in developing an IP addressing scheme, it was also recognized that a mechanism would be required to identify a network as well as a host connected to that network. This recognition resulted in an addressing scheme in which certain classes of IP addresses are subdivided into a two-level addressing hierarchy. Exhibit 6 illustrates the two-level hierarchy used by Class A, B, and C addresses, whose composition and use we review shortly. In examining the two-level IP addressing scheme shown in Exhibit 6, note that all hosts on the same network are normally assigned the same network prefix but must have unique host addresses to differentiate one host from another. As we note later in this chapter, it is possible (although little noted) for multiple network addresses to reside on a common network; this is the exception rather than the rule. Similarly, two hosts on different networks should be assigned different network prefixes, but they may have the same host address. If you think about this addressing technique, you can consider it in many ways similar to the structure of a telephone number: no one in your area code can have the same phone number as yours, yet the same phone number very likely exists in one or more other area codes. We can also view Class A, B, and C addresses as having the following general format:
< Network Number, Host Number >
where the combined network number and host number have the form xxx.xxx.xxx.xxx, with each group of x's representing the decimal value (0 to 255) of one byte. As we probe deeper into IP addressing we will note that this format, called dotted decimal notation, is the conventional way to write IP addresses.
Rationale
During the IP standardization process, it was recognized that a single method of subdividing the 32-bit address space into network and host portions would be wasteful with respect to the assignment of addresses. For example, assume all addresses were split evenly, using 16 bits for the network number and 16 bits for the host number. Without considering host and network addressing restrictions, 16 bits allow a maximum of 65,536 (2^16) networks, each with up to 65,536 hosts. Not only would assigning such a network address to an organization with only 100 computers waste 65,436 host addresses that could not be assigned to other organizations, but there could be only 65,536 networks in total. This limited number of networks would be clearly insufficient in an era in which over 50,000 colleges, universities, high schools, and grade schools are connected to the Internet via LANs, each LAN having a distinct network address. Recognizing that the use of IP addresses could literally mushroom beyond their expectations, the designers of IP came up with a methodology whereby the 32-bit IP address space was subdivided into different address classes. The result of their efforts was the definition of five address classes, referred to as Classes A through E.
Exhibit 7. IP Address Formats

Class   Byte 1             Byte 2             Byte 3             Byte 4          Bits in Network Address
A       Network Portion    Host Portion       Host Portion       Host Portion    7
B       Network Portion    Network Portion    Host Portion       Host Portion    14
C       Network Portion    Network Portion    Network Portion    Host Portion    21
D       Multicast Address (all four bytes)                                       N/A
E       Experimental (all four bytes)                                            N/A
data within a program. For example, if a 32-bit address is a Class A address because its first bit is binary 0, then the next seven bits represent the actual network address, while the remaining 24 bits represent the host address. Similarly, if the first two bits of the 32-bit address have the value 10, the next 14 bits represent the network address and the trailing 16 bits the host address. To obtain an appreciation of the use of each IP address class, we turn to a detailed examination of each. We focus on the composition of the network and host portions for Classes A through C, as well as the manner in which all five classes are used.
Class A Addresses
As indicated in Exhibit 7, a Class A address has the four-byte form <network-number.host.host.host>, with seven bits used for the actual network address because the first bit position must be set to binary 0 to indicate a Class A address. Because seven bits are available for the network address, we would logically assume that 2^7, or 128, Class A networks can be defined. In actuality, networks 0 and 127 are reserved and cannot be used, so Class A addressing supports 126 networks. Because 24 bits are used for the host identifier, each network is capable of supporting up to 2^24 - 2, or 16,777,214, hosts; 2 is subtracted from the possible number of
Exhibit 8. Using Ping on a 127.x.x.x Loopback Address to Test the Local TCP/IP Protocol Stack
hosts because no host can be assigned a host portion of all 0s or all 1s: a host portion of all 0s identifies the network itself, while all 1s is the broadcast address for that network. Because only a small number of Class A networks can be defined, they were used up many years ago. Due to the large number of hosts a Class A network can hold, Class A addresses were primarily assigned to large organizations and to countries with national networks. One Class A network address that warrants attention results from setting all seven bits of the network address to 1s, representing 127 in decimal. The network 127.x.x.x is reserved as the internal loopback network and cannot be assigned as a unique IP address to a host. Thus, a question you may have is: why reserve network 127 if it is not usable? The answer is that you can use a 127.x.x.x address to determine whether your computer's local TCP/IP protocol stack is operational. An example of the use of a 127 network address is illustrated in the top of Exhibit 8, which shows the Ping command querying the address 127.1.1.1. Because this is a loopback address, the action tests the protocol stack on my computer. Note that in this example Microsoft's version of Ping accepts the IP address 127.1.1.1 as a loopback. If you enter the address 127.0.0.0, as shown in the lower portion of Exhibit 8, Microsoft's implementation of the TCP/IP protocol stack treats it as an invalid address. All TCP/IP protocol stacks should, as a minimum, recognize 127.0.0.1 as the internal loopback address. Most protocol stacks also treat a 127 network prefix with any nonzero host portion as a
loopback. Thus, you can normally use 127.1.2.3, 127.4.5.6, and any other combination other than 127.0.0.0 as a loopback.
Class B Addresses
Continuing our exploration of IPv4 address classes, a Class B address has the form <network-number.network-number.host.host> for the four bytes in the address. A Class B network address is defined by setting the two high-order bits of the IP address to the binary value 10. Because two bits are used to identify the address class, the actual Class B network address is 14 bits wide, while the host portion is two bytes, or 16 bits, wide. Thus, a Class B address is capable of supporting 2^14, or 16,384, networks, each with up to 2^16 - 2, or 65,534, hosts. Because of the way Class B addresses are subdivided into network and host portions, they are normally assigned to relatively large organizations. In addition, through the process of subnetting, described later in this chapter, one Class B address can be provided to multiple organizations, each informed of the correct subnet mask to use to identify the portion of the Class B address provided for its use. If we are familiar with binary, we can easily convert the permissible binary values of the first byte of a Class B address into a range of decimal values. Because a Class B address commences with the binary value 10, the first byte must range between 10000000 and 10111111. We can convert to decimal by noting that the value of each position in a byte is as follows:
128 64 32 16 8 4 2 1
Thus, binary 10000000 is equivalent to decimal 128, while binary 10111111 is equivalent to decimal 191. The first byte of a Class B address is therefore restricted to the range 128 to 191, with 0 to 255 permitted in the second byte of the network address.
Class C Addresses
A Class C address is identified by the first three bits of the IP address being set to the binary value 110. This value denotes that the first three bytes of the 32-bit address identify the network while the last byte identifies the host on the network. Because the first three bits are fixed at 110, 21 bits are available for the network address. Thus, a Class C address permits 2^21, or 2,097,152, distinct network addresses. Because the host portion of a Class C address is one byte, the number of hosts per network is limited to 2^8 - 2, or 254. Given this subdivision of network and host portions, Class C addresses are primarily assigned to organizations with relatively small networks, such as a single LAN that requires a connection to the Internet. Because it is common for organizations to have multiple LANs, it is also quite common for multiple Class C addresses to be assigned to organizations that require more than 254 host addresses but are not large enough to justify a
Class B address. It is also common for an organization with multiple LANs located in close proximity to one another to share one Class C address through subnetting, a topic we cover later. In the same manner in which we computed the decimal range of Class B addresses, we can compute the range of permitted Class C addresses. Because the first three bits of the first byte are set to 110, the binary range of values is 11000000 to 11011111, representing decimal 192 through 223. The second and third bytes of a Class C address range from 0 to 255, while the last byte, which represents the host address, ranges from 1 to 254, because host values of 0 and 255 are not permitted.
Class D Addresses
Class D IP addresses represent a special type of address referred to as a multicast address. A multicast address is assigned to a group of network devices and allows a single copy of a datagram to be transmitted to a specific group. The members of the group then receive a common sequence of datagrams instead of having a separate series of datagrams transmitted to each member individually, in effect conserving network bandwidth. A Class D address is identified by the binary value 1110 in the first four bits of the address. The remaining 28 bits are used to create a unique multicast address. Because a Class D address always has the prefix 1110, its first byte ranges from 11100000 to 11101111, giving the address range 224 through 239. Thus, the multicast address range is 224.0.0.0 through 239.255.255.255, enabling approximately 268 million multicast sessions to occur simultaneously throughout the world. To obtain an appreciation for the way Class D addressing conserves bandwidth, consider a digitized audio or video presentation routed from the Internet onto a private network where users at 15 hosts wish to receive it. Without a multicast capability, 15 separate data streams, each containing a repetition of the presentation, would be transmitted through the Internet onto the private network, with only the destination address in each datagram differing from one stream to the next. Here, 14 of the data streams are unnecessary and serve only to clog the Internet and the private network. In comparison, through multicasting the 15 users requiring the presentation join the multicast group, permitting one data stream to be routed through the Internet onto the private network.
Common examples of multicast use include the video feeds of many news organizations, which appear as a 2-in. by 2-in. television picture on a computer monitor. At frame refresh rates of 15 or more frames per second, a server sending unicast transmissions would consume a relatively large amount of bandwidth. Thus, the ability to eliminate multiple data streams through multicast transmission can prevent networks from becoming saturated. In addition, this capability reduces the number of datagrams that routers must forward, and so reduces the occasions on which saturated routers must discard packets.
Exhibit 9. IPv4 Address Class First Byte Values (table of Address Class versus First Byte Address Range for Classes A through E; the range values were not recovered in this extraction)
Class E Addresses
The fifth address class defined for IPv4 is Class E. A Class E address is defined by setting the first four bits in the 32-bit IP address to the binary value of 1111. Thus, a Class E address has a first byte value between 11110000 and 11111111, or between 240 and 255 decimal. Class E addresses are currently reserved for experimental usage. Because 28 bits in a Class E address can be used to define unique addresses, this means approximately 268.4 million Class E addresses are available. One common method used to denote Classes A through E addresses is by examining the decimal value of the first byte of the 32-bit IPv4 address. To facilitate this examination, Exhibit 9 summarizes the range of decimal values for the first byte of each address class.
Exhibit 10. Bit position weights in a byte: the decimal value of each bit position corresponds to 2^n, where n is the bit position that ranges from 0 to 7, giving the weights 128, 64, 32, 16, 8, 4, 2, and 1 from the high-order bit to the low-order bit.
The first eight bits, which correspond to the first byte in an IP address, have the binary value 01010100. Then the value of that byte expressed as a decimal number becomes 64 + 16 + 4, or 84. Next, the second byte in the binary string has the binary value 11001110. From Exhibit 10, the decimal value of the second byte is 128 + 64 + 8 + 4 + 2, or 206. Similarly, the third byte, whose binary value is 11110001, has the decimal value 128 + 64 + 32 + 16 + 1, or 241. The last byte, whose bit value is 00111101, has the decimal value 32 + 16 + 8 + 4 + 1, or 61. Based on this, we would enter the 32-bit address in dotted decimal notation as 84.206.241.61, which is certainly easier to work with than a 32-bit string.
Exhibit 11.
three bits are set to binary 110, this denotes a Class C address. If we do not like working with binary, we could then use Exhibit 9 to determine that setting the first byte to 198 does indeed denote a Class C address. Although we discuss the subnet mask shortly, at the present time we can note that its setting extends the network portion of an address internally within an organization. That is, the set bits in a subnet mask indicate the new length of the network portion of the address. If we examine the subnet mask shown in Exhibit 11 and remember that a value of 255 represents the setting of all bits in a byte to 1, this indicates that the network portion of the address is 24 bits long. Because a Class C address uses three bytes for the network address and one byte for the host address, this also means that a subnet mask of 255.255.255.0 for a Class C address indicates that the network is not subnetted. If we click on the tab labeled Gateway, we can view the manner by which we can add and remove the IP addresses of routers. Exhibit 12 illustrates the TCP/IP Properties dialog box with its Gateway tab selected. In this example we entered the IP address 198.78.46.1 to denote the address of the router that will route datagrams with an IP network address other than 198.78.46.0 off the network.
Exhibit 12.
The third IP address used for the configuration of a TCP/IP protocol stack is the address of a DNS that supports your organization's network. You can view the DNS configuration screen by clicking on the tab with that label. Exhibit 13 illustrates the TCP/IP Properties dialog box with its DNS Configuration tab selected. Note that the radio button associated with Enable DNS is selected, and we entered a host name of gil for our computer, which is part of the domain fed.gov. Thus, the complete host name of our computer is gil.fed.gov. Note that we do not have to specify either a host or domain. Doing so results in the IP address previously assigned to our computer along with the host name entered in a record in the DNS. This would then allow someone to access our computer by entering gil.fed.gov instead of the IP address of 198.78.46.8. If no one accesses your computer, you could safely omit the host and domain entries. If your computer is a popularly used server, you would want to include the host name, as it would be easier to remember than a sequence of dotted decimal numbers. The combination of host and domain names is commonly referred to as a fully qualified domain name (FQDN). An FQDN means that the name is unique. In comparison, the host portion of the name (gil) could exist on many
Exhibit 13. Specifying the Address of the DNS Server and the Fully Qualified Name of the Host
domains. Similarly, many computers could have a common domain name (fed.gov). Returning to Exhibit 13, note that you can specify up to four DNS server addresses when using Windows 95. Later versions of Windows reduce the number of DNS server addresses you can specify. In addition, you can specify one or more domain suffix search orders, where common domain suffixes include gov (government), com (commercial), edu (educational), mil (military), and org (nonprofit organization).
Reserved Addresses
We previously noted that the address block 127.0.0.0 through 127.255.255.255 is used for loopback purposes and can thus be considered to represent a block of reserved addresses. When considering IPv4 addressing, three additional blocks of reserved addresses warrant attention. Those address blocks are defined in RFC 1918, titled Address Allocation for Private Internets, and are summarized in Exhibit 14.
Exhibit 14. Reserved IP Addresses for Private Internet Use (table of the three RFC 1918 address blocks; the block values were not recovered in this extraction)
The original intention of RFC 1918 addresses was to define blocks of IP addresses organizations could use on private networks that would be recognized as such. As Internet usage grew, the ability to obtain IP addresses became harder as existing network addresses were assigned to different organizations. This resulted in a second role for RFC 1918 addresses under a process referred to as network address translation (NAT). Under NAT, internal RFC 1918 addresses can be dynamically translated to public IP addresses while reducing the number of public addresses that need to be used. For example, consider an organization with 500 stations that has only one Class C address. One possibility is to use RFC 1918 addresses behind a router connected to the Internet, with the router translating RFC 1918 addresses dynamically into available Class C addresses. Although no more than 254 RFC 1918 addresses could be translated into valid, distinct Class C addresses at any point in time, it is also possible to use TCP and UDP port numbers to extend the translation process so each RFC 1918 address can be simultaneously used and translated. To do so, a router would translate each RFC 1918 address into a Class C address using a different port number, permitting thousands of translations for each Class C address. In Chapter 4, when we examine the use of my home computer to configure a Netgear wireless router, we note the use of a 192.168 network prefix. That prefix represents an RFC 1918 Class C network address and enables the Netgear router to support up to 253 devices using a single IP address assigned by an Internet service provider. The Netgear router translates RFC 1918 addresses to the ISP-provided address by using high TCP and UDP port numbers to keep track of the address mapping. Another device that can provide address translation is a proxy firewall. In addition to translating addresses, a proxy firewall also hides internal addresses from the Internet community.
This address hiding provides a degree of security, as any hacker that attempts to attack a host on a network where a proxy firewall operates must first attack the firewall. Some wireless routers include a limited firewall capability in the form of packet filtering. In Chapter 7 we examine some of the security features included in wireless routers. Two additional items to note about RFC 1918 addresses are that (1) they cannot be used directly on the Internet, and (2) they are a favorite source address hackers use. RFC 1918 addresses cannot be directly used on the Internet because if one company does so, a second could also do so, resulting in addressing conflicts and the unreliable delivery of information. Thus, as discussed, RFC 1918 addresses are translated into Class A, B, or C addresses when a private network using such addresses is connected to the Internet. Concerning hacker use, because routers do not check source IP addresses, it is quite common for a hacker to use an RFC 1918 address as the source address, making it difficult, if not impossible, to locate the hacker. Because it is quite common for hackers to use an RFC 1918 address as their address in configuring a TCP/IP protocol stack, it is also quite common to create a router access list that filters datagrams that have an RFC 1918 address as their source address.
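The access list just described, as an added example that is not part of the book: an ingress filter that drops datagrams arriving on the Internet-facing interface with an RFC 1918 or loopback source address. The three RFC 1918 blocks are those defined by RFC 1918 itself (the contents of Exhibit 14); the sample datagrams are constructed.

```python
"""Ingress access list that drops datagrams arriving from the Internet whose
source address is an RFC 1918 private address or a loopback address, the
filter the text describes as a common countermeasure to spoofed sources.

Added example, not code from the book. The three RFC 1918 blocks are those
defined in RFC 1918; the sample datagrams below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

Datagram = Tuple[str, str]   # (source address, destination address)

# Address blocks that can never be a legitimate source on the Internet side.
BOGON_SOURCE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918 block
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918: 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918 prefix used by the Netgear router
    ipaddress.ip_network("127.0.0.0/8"),       # loopback block noted in the text
]


def is_bogon_source(src: str) -> bool:
    """True if src lies inside a private or loopback block."""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in BOGON_SOURCE_BLOCKS)


def filter_ingress(datagrams: Iterable[Datagram]) -> Tuple[List[Datagram], List[Datagram]]:
    """Apply the access list to datagrams seen on the Internet-facing interface.
    Returns (permitted, dropped); a real router ACL would also log the drops."""
    permitted: List[Datagram] = []
    dropped: List[Datagram] = []
    for src, dst in datagrams:
        (dropped if is_bogon_source(src) else permitted).append((src, dst))
    return permitted, dropped


# Constructed sample traffic addressed to hosts on the text's 198.78.46.0 network.
SAMPLE_DATAGRAMS: List[Datagram] = [
    ("203.0.113.5", "198.78.46.8"),      # public source: permitted
    ("192.168.1.20", "198.78.46.8"),     # spoofed private source: dropped
    ("172.20.4.9", "198.78.46.38"),      # inside 172.16.0.0/12: dropped
    ("172.32.0.1", "198.78.46.38"),      # just outside the /12 boundary: permitted
    ("127.0.0.1", "198.78.46.1"),        # loopback source: dropped
    ("10.0.0.7", "198.78.46.1"),         # private source: dropped
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_DATAGRAMS)
    print("permitted:", ok)
    print("dropped:  ", bad)
```

The 172.32.0.1 entry is there on purpose: 172.16.0.0/12 ends at 172.31.255.255, and a filter written as "172.*" would wrongly drop public addresses.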
Subnetting
One of the problems associated with the use of IP addresses is the fact that even with the use of classes, their use can be inefficient. For example, consider the use of a Class A network address. Although you can have up to 16,277,214 hosts per Class A network, you can only have 127 such networks. Thus, the assignment of a Class A network address to a large organization with 100,000 workstations would waste over 16 million IP addresses. Similarly, because a single LAN is incapable of supporting 100,000 workstations, you might consider asking for multiple network addresses, which would further waste a precious resource: IPv4 addresses. Another problem associated with using more network addresses than required is the fact that routers must note those addresses. This means that the routers in a network, whether the Internet or a private TCP/IP network, would have more entries in their routing tables. This, in turn, results in routers requiring a longer time to check the destination address in a datagram against the entries in each router's routing table. The solution to the problems of wasted IP address space and unnecessary routing table entries is provided through the process of subnetting.
Overview
Subnetting was standardized in RFC 950 in 1985. This RFC defines a procedure to subnet, or divide, a single Class A, B, or C network into two or more subnets. Through the process of subnetting, the two-level hierarchy of Class A, B, and C networks previously illustrated in Exhibit 6 is converted into a three-level hierarchy. Exhibit 15 provides a comparison between the two-level hierarchies initially defined for Class A, B, and C networks and the three-level subnet hierarchy. In examining the lower portion of Exhibit 15, note that to convert the two-level hierarchy into a three-level hierarchy, the extension of the network address occurs by taking away a portion of the host address portion of an IPv4 address.
Subnetting Example
Any of the IPv4 A through C address classes can be subnetted. To illustrate the subnet process as well as learn how subnetting facilitates the use of IPv4 address space, let us examine the process. In doing so we discuss the concept of masking and the use of the subnet mask, both of which are essential to the extension of the network portion of an IP address beyond its predefined location. To illustrate the concept of subnetting, let us assume your organization needs to install five LANs within a building, with each network supporting between 10 and 15 workstations and servers. Let us further assume that your organization was previously assigned the Class C network address 198.78.46.0. Although your organization could apply for four additional Class C addresses, doing so would waste precious IPv4 address space because each Class C address supports a maximum of 254 interfaces. In addition, if you anticipate connecting your organization's private networks to the Internet, the four additional Class C network addresses would have to be carried in a number of routers in the Internet as well as in your organization's internal routers. Instead of asking for four additional Class C addresses, let us use subnetting by dividing the host portion of the 198.78.46.0 IPv4 address into a subnet number and a host number. Because we need to support five networks, we must use a minimum of three bits from the host portion of the IP address as the subnet number, because the number of subnets you can obtain is 2^n, where n is the number of bits. When n = 2, this yields four subnets, which is too few. When n = 3, we obtain eight subnets, which provides enough subnets for our example. Because a Class C address uses 24 bits for the network portion and eight bits for the host portion, the use of a three-bit subnet extends the network address such that it becomes 27 bits in length. This also means that a maximum of five bits (8 - 3) can be used for the host portion of the address. Exhibit 16 illustrates the creation of the three-level addressing scheme just described. Note that the three-bit subnet permits eight subnets (000 through 111). To the outside world the network portion of the address remains the same. This means that the route from the Internet to any subnet of a given IP network address remains the same. This also means that routers within an organization must be able to differentiate between different subnets; however, routers outside the organization do not consider subnets. To illustrate the creation of five subnets, let us assume we want to commence subnet numbering at 0 and continue in sequence through subnet 4.
Exhibit 15. Comparing the Three-Level Subnet Hierarchy to the Two-Level Network Class Hierarchy
Exhibit 16. Three-level addressing for a Class C network: Byte 1, Byte 2, and Byte 3 form the network address, and the three high-order bits of Byte 4 form the subnet number (figure not recovered in this extraction)
Exhibit 17. Base network 198.78.46.0 and Subnet #0 through Subnet #4 (address values not recovered in this extraction)
Exhibit 17 illustrates the creation of five subnets from the 198.78.46.0 network address. Note that the top entry in Exhibit 17, which is labeled Base network, represents the Class C network address with a Host Address Byte field set to all zeros. Because we previously determined that we would require the use of three bits from the host address portion of the network to function as a subnet identifier, the network address is extended into the host byte by three bit positions.
Host Restrictions
In examining the subnets formed in Exhibit 17, it would appear that the hosts on the first subnet can range from 0 through 31, while the hosts on the second subnet can range in value from 33 through 63, and so on. In actuality, this is not correct, as several restrictions concern host addresses on subnets. First, you cannot use a base subnet address of all zeros or all ones. Thus, for subnet 0 in Exhibit 17, valid addresses would range from 1 to 30. Similarly, for subnet 1, valid addresses would range from 33 to 62. Thus, subnetted host address restrictions are the same as for a regular, nonsubnetted IP network. Another host address restriction that requires consideration is the fact that for all classes you must have the ability to place some hosts on each subnet. Thus, as a minimum, the last two bit positions in the fourth byte of Class A, B, and C addresses cannot be used in a subnet. Exhibit 18 illustrates the number of bits available for subnetting for Class A, B, and C network addresses.
Exhibit 18. Number of bits available for subnetting for Class A, B, and C network addresses (table values not recovered in this extraction)
Exhibit 19. Internet router connected to an internal network (figure not recovered in this extraction)
destination address in each datagram appears as a 32-bit sequence. Thus, there is no knowledge of dotted decimal numbers except for the configuration of devices, because routing occurs by the examination of the network portion of the address in each datagram. Also, each router begins its address examination by first focusing attention on the first bit in the destination address to determine if it is a Class A address. If the first bit position is set to a binary 0, the router knows that it is a Class A address as well as that the first byte in the 32-bit destination address represents the network address. Similarly, if the first bit in the destination address is not a binary 0, the router examines the second bit to determine if the address is a Class B address, and so on. Thus, a router can easily determine the address class of the destination address in a datagram, which then indicates the length of the network portion of the address. The router can then use this information to search its routing table entries to determine the appropriate port to output the datagram, all without having to consider whether or not the address represents a subnetted address. Although by now we know how to create a subnet and extend the network portion of an IPv4 address, we have not addressed the manner by which a router at the edge of the Internet knows how to route datagrams to their appropriate subnet. In addition, another question we should have is how a station on an internal network can recognize subnet addressing. For example, if an IP datagram arrives at an organizational router with the destination address 198.78.46.38, how does the router know to place the datagram on subnet 1? The answer to these questions is the use of a subnet mask.
Exhibit 20.
subnets is 0 to 7. Because this requires the use of three bits, the subnet mask becomes
11111111.11111111.11111111.11100000
Similar to the manner by which IP addresses can be expressed more efficiently through the use of dotted decimal notation, we can also express subnet masks using that notation. Because each byte of all set bits has a decimal value of 255, the dotted decimal notation for the first three bytes of the subnet mask is 255.255.255. Because the first three bits of the fourth byte are set, its decimal value is 128 + 64 + 32, or 224. Thus, the dotted decimal specification for the subnet mask becomes
255.255.255.224
Because a device can easily determine the address class of the destination address in a datagram, the subnet mask then informs the device of which bits in the address represent the subnet and, indirectly, which bits represent the host address on the subnet. To illustrate how this is accomplished, let us assume a datagram arrived at a router with the destination IP address of 198.78.46.97 and we previously set the subnet mask to 255.255.255.224. The relationship between the IP address and the subnet mask would then appear as indicated in Exhibit 20. Because the first two bits in the destination address are set to 11, this indicates the address is a Class C address. The TCP/IP protocol stack knows that a Class C address consists of three bytes used for the network address and one byte used for the host address. Thus, this means that the subnet must be 27 - 24, or 3, bits in length. This fact tells the router or workstation that bits 25 through 27, which are set to a value of 011 in the IP address, identify the subnet as subnet 3. Because the last five bits in the subnet mask are set to zero, those bit positions in the IP address identify the host on subnet 3. Since the settings of those five bits have the value 00001, the IP address of 198.78.46.97 references host 1 on subnet 3 on the IPv4 network 198.78.46.0. To assist readers who need to work with subnets, Exhibit 21 provides a reference to the number of subnets that can be created for Class B and Class C networks, their subnet mask, the number of hosts per network, and the total number of hosts a particular subnet mask supports. In examining the entries in Exhibit 21, you will note that the total number of hosts can vary considerably based on the use of different-length subnet extensions. Thus, carefully consider the effect of a potential subnetting process prior to actually performing the process.
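The decoding just walked through (class from the leading bits, then mask to subnet and host), as an added example that is not code from the book. It also covers the dotted-decimal conversion of Exhibit 10 and the host restrictions (all-zeros and all-ones host numbers reserved, at least two host bits kept); the worked values are the text's own 198.78.46.0 network with mask 255.255.255.224.

```python
"""Decode a subnetted IPv4 address the way a router or host does: determine
the address class from the leading bits of the 32-bit value, then apply the
subnet mask to split the address into network, subnet and host numbers.

Added example, not code from the book. The worked values are the text's own:
network 198.78.46.0 with a three-bit subnet extension (mask 255.255.255.224).
"""

NETWORK_BITS = {"A": 8, "B": 16, "C": 24}   # classful network length in bits


def dotted_to_int(dotted: str) -> int:
    """Convert dotted decimal to the 32-bit integer a router actually examines."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet   # bit n of each byte is worth 2**n (Exhibit 10)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(value: int) -> str:
    """Classful decision on the leading bits, in the order the text describes."""
    if value >> 31 == 0b0:
        return "A"
    if value >> 30 == 0b10:
        return "B"
    if value >> 29 == 0b110:
        return "C"
    if value >> 28 == 0b1110:
        return "D"
    return "E"


def subnet_mask(addr_class: str, subnet_bits: int) -> str:
    """Mask that extends the classful network part by subnet_bits set bits."""
    prefix = NETWORK_BITS[addr_class] + subnet_bits
    if prefix > 30:   # host restriction: at least two host bits must remain
        raise ValueError("too many subnet bits: no room for hosts")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def decode(dotted: str, mask: str) -> dict:
    """Split an address into network, subnet number and host number under mask."""
    addr, m = dotted_to_int(dotted), dotted_to_int(mask)
    cls = address_class(addr)
    if cls not in NETWORK_BITS:
        raise ValueError("Class D and E addresses are not subnetted")
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("subnet mask bits are not contiguous")
    net_bits = NETWORK_BITS[cls]
    sub_bits, host_bits = prefix - net_bits, 32 - prefix
    if sub_bits < 0:
        raise ValueError("mask is shorter than the classful network part")
    subnet = (addr >> host_bits) & ((1 << sub_bits) - 1)
    host = addr & ((1 << host_bits) - 1)
    return {
        "class": cls,
        "network": int_to_dotted(addr & (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF),
        "subnet_bits": sub_bits,
        "subnet": subnet,
        "host": host,
        # all-zeros and all-ones host numbers are reserved on every subnet
        "host_usable": host not in (0, (1 << host_bits) - 1),
    }


if __name__ == "__main__":
    mask = subnet_mask("C", 3)          # 255.255.255.224
    for address in ("198.78.46.97", "198.78.46.38", "198.78.46.32"):
        print(address, decode(address, mask))
```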
Exhibit 21. Subnet reference for Class B and Class C networks, listing for each number of subnet bits the subnet mask, the number of hosts per subnet, and the total number of hosts supported (table values only partially recovered in this extraction)
Exhibit 22. Router with multiple network addresses assigned to one interface connecting the Internet to two networks (figure not recovered in this extraction)
TCP/IP supports the ability to assign multiple network addresses to a common interface. In fact, TCP/IP also supports the assignment of multiple subnet numbers to a common interface. This can only be accomplished through the use of a router. Exhibit 22 illustrates an example in which three network addresses were assigned to one interface. For low volumes of network traffic this represents an interesting technique to reduce the number of costly router interfaces required. As indicated in Exhibit 22, the router connection to the coaxial cable would result in the assignment of two IP addresses to its interface, one for each network. In this example the addresses 205.131.175.1 and 205.131.176.1 were assigned to the router interface. Conversations between devices on the 205.131.175.0 and 205.131.176.0 networks would require datagrams to be forwarded to the router. Thus, each station of each network would be configured with the gateway IP address that represents an applicable assigned router IP interface address.
Address Resolution
The TCP/IP protocol suite begins at the network layer, with an addressing scheme that identifies a network address and a host address for Class A, B, and C addresses. This addressing scheme actually evolved from an ARPAnet scheme that required only hosts to be identified, because that network began as a mechanism to interconnect hosts via serial communications lines. At the same time ARPAnet was being developed, work progressed separately at the Xerox Palo Alto (California) Research Center (PARC) on Ethernet, a technology in which multiple stations were originally connected to a coaxial cable. Ethernet uses a 48-bit address to identify each station on the network. As ARPAnet evolved as a mechanism to interconnect multiple hosts on geographically separated networks, IPv4 addressing evolved into a mechanism to distinguish the network and the host. Unfortunately, the addressing used by the TCP/IP protocol suite bore no relationship to the MAC address used first by Ethernet and later by Token Ring.
Exhibit 23. Ethernet and Token Ring frame formats. Ethernet frame: Preamble (7 bytes), Start of Frame Delimiter (1 byte), Destination Address, Source Address, Type/Length, Information (46 to 1500 bytes), FCS. Token Ring frame: Starting Delimiter, Access Control, Frame Control, Destination Address, Source Address, Routing Information (Optional), Information (Variable), FCS, Ending Delimiter, Frame Status (figure not recovered in this extraction)
LAN Delivery
When an IP datagram arrives at a LAN, it contains a 32-bit destination address. To deliver the datagram to its destination, the router must create a LAN frame with an appropriate MAC destination address. Thus, the router needs a mechanism to resolve, or convert, the IP address into the MAC address of the workstation configured with the destination IP address. In the opposite direction, a workstation may need to transmit an IP datagram to another workstation. In this situation, the workstation must be able to convert a MAC address into an IP address. Both of these address translation requirements are handled by protocols specifically developed to provide an address resolution capability. One protocol, referred to as the Address Resolution Protocol (ARP), translates an IP address into a hardware address. A second protocol, the Reverse Address Resolution Protocol (RARP), performs a reverse translation process, converting a hardware layer address into an IP address.
Exhibit 24. ARP packet format: Hardware Type, Hardware Length, Protocol Length, Sender Hardware Address, Sender IP Address, Target Hardware Address, Target IP Address (figure not recovered in this extraction)
The next-to-last field is the Target Hardware Address field. Because the ARP process must discover its value, this field is originally set to all zeros in an ARP Request. Once a station receives the request and notes it has the same IP address as that in the Target IP Address field, it places its MAC address in the Target Hardware Address field. Thus, the last field, Target IP Address, is set to the IP address for which the originator needs a hardware address.
Gratuitous ARP
A special type of ARP referred to as a gratuitous ARP deserves mention. When a TCP/IP stack is initialized, it issues a gratuitous ARP, which represents an ARP request for its own IP address. If the station receives a reply containing a MAC address that differs from its address, it means another device on the network is using its assigned IP address. If this situation occurs, an error message warning of an address conict will be displayed.
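The ARP layout of Exhibit 24 and the gratuitous ARP check above, as an added example that is not code from the book: it parses ARP packets, recognizes a gratuitous request, and flags a reply that reveals an address conflict. It assumes Ethernet over IPv4 (hardware type 1, protocol type 0x0800), and every packet and MAC address below is constructed.

```python
"""Parse ARP packets and detect the two situations the text describes: a
gratuitous ARP (a station requesting its own IP address) and a reply that
reveals an IP address conflict.

Added example, not code from the book; all packets below are constructed.
Assumes Ethernet (hardware type 1, 6-byte MAC) over IPv4 (protocol type
0x0800, 4-byte address), which gives the 28-byte layout of Exhibit 24.
"""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
# Hardware Type, Protocol Type, Hardware Length, Protocol Length, Operation,
# Sender Hardware Address, Sender IP Address, Target Hardware Address, Target IP Address
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FORMAT)   # 28 bytes


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """A request leaves the Target Hardware Address all zeros, as the text notes."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(packet: bytes) -> dict:
    if len(packet) < ARP_LEN:
        raise ValueError("ARP packet shorter than 28 bytes")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, packet[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper,
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def is_gratuitous(arp: dict) -> bool:
    """A request whose Target IP Address is the sender's own IP address."""
    return arp["oper"] == ARP_REQUEST and arp["sender_ip"] == arp["target_ip"]


def reveals_conflict(my_ip: str, my_mac: str, arp: dict) -> bool:
    """True if another station (different MAC) claims our IP address. In a
    reply the responding station is the sender, so its MAC is in the sender field."""
    return arp["sender_ip"] == my_ip and arp["sender_mac"] != my_mac.lower()


# Constructed values for our own station on the text's 198.78.46.0 network.
MY_IP, MY_MAC = "198.78.46.8", "02:00:00:00:00:08"
ZERO_MAC = "00:00:00:00:00:00"
GRATUITOUS = build_arp(ARP_REQUEST, MY_MAC, MY_IP, ZERO_MAC, MY_IP)
NORMAL_REQUEST = build_arp(ARP_REQUEST, MY_MAC, MY_IP, ZERO_MAC, "198.78.46.1")
CONFLICT_REPLY = build_arp(ARP_REPLY, "02:00:00:00:00:99", MY_IP, MY_MAC, MY_IP)
OWN_REPLY = build_arp(ARP_REPLY, MY_MAC, MY_IP, MY_MAC, MY_IP)

if __name__ == "__main__":
    for name, pkt in (("gratuitous", GRATUITOUS), ("normal", NORMAL_REQUEST),
                      ("conflict", CONFLICT_REPLY)):
        arp = parse_arp(pkt)
        print(name, arp["oper"], is_gratuitous(arp), reveals_conflict(MY_IP, MY_MAC, arp))
```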
Proxy ARP
A proxy is a device that works on behalf of another. Thus, a proxy ARP represents a mechanism that enables a device to answer an ARP request on behalf of another device. The rationale for the development of proxy ARP, which is also referred to as ARP Hack, dates to the early use of subnetting, when a LAN could be subdivided into two or more segments. If a station on one segment required the MAC address of a station on another subnet, the router would block the ARP request because it is a layer 2 broadcast, and routers operate at layer 3. Because the router is aware of both subnets, it could answer an ARP Request on one subnet on behalf of other devices on the second subnet by supplying its own MAC address. The originating device then enters the router's MAC address in its ARP cache and correctly transmits packets destined for the end host to the router.
Exhibit 25. ICMP message carried within an IP datagram: IP Header, ICMP message (Type, Code, Data), CRC (figure not recovered in this extraction)
RARP
The Reverse Address Resolution Protocol (RARP) was at one time quite popular when diskless workstations were commonly used. In such situations, the workstation would know its MAC address but was forced to learn its IP address from a server on the network. Thus, the client would use RARP to access a server on the local network, and RARP would provide the client's IP address. Similar to ARP, RARP is a layer 2 protocol that cannot normally cross router boundaries. Some router manufacturers implemented RARP in a manner that allows requests and responses to flow between networks. The RARP frame format is the same as ARP. The key difference between the two is the setting of field values. RARP fills in the sender's hardware address and sets the IP address field to zeros. Upon receipt of the RARP frame, the RARP server fills in the IP address field and transmits the frame back to the client, reversing the ARP process.
ICMP
Overview
If we think about the Internet Protocol for a while, we might note that there is no provision to inform a source of the fact that a datagram encountered some type of problem. This is why one of the functions of the Internet Control Message Protocol (ICMP) is to provide a messaging capability that reports different types of errors that can occur during the processing of datagrams. In addition to providing an error-reporting mechanism, ICMP includes certain types of messages that provide a testing capability. ICMP messages are transmitted within an IP datagram, as illustrated in Exhibit 25. Note that although each ICMP message has its own format, all messages begin with the same three fields. Those fields are an eight-bit Type field, an eight-bit Code field, and a 16-bit Checksum field.
We can obtain familiarity with ICMP's capability by examining the use of some of the fields within an ICMP message.
Evolution
Over the years from its first appearance in RFC 792, ICMP has evolved through the addition of many functions. For example, a Type 4 (Source Quench) message represents the manner by which an end station indicates to a message's originator that the host cannot accept the rate at which the originator is transmitting packets. The recipient sends a flow of ICMP Type 4 messages to the originator as a signal for the originator to slow down its transmission. When an acceptable flow level is reached, the recipient terminates its generation of source quench messages. Although popularly used many years ago for controlling traffic, the TCP slow-start algorithm has superseded a majority of the use of ICMP Type 4 messages. ICMP message types that warrant discussion are Types 5 and 7. A router generates a Type 5 (Redirect) message when it receives a datagram and determines there is a better route to the destination network. This ICMP message informs the sender of the better route. A Type 7 message (Time Exceeded) indicates that the Time to Live field value in an IP datagram header was decremented to 0, and the datagram was discarded. ICMP provides a foundation for several diagnostic testing applications. Unfortunately, unscrupulous persons can abuse this testing capability, which results in many organizations filtering ICMP messages so they do not flow from the Internet onto a private network.
Exhibit 26. ICMP Type Field Values
Type    Meaning
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo Request
9       Router Advertisement
10      Router Selection
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved
Now that we have an appreciation for layer 3 protocols in the TCP/IP protocol suite, let's turn our attention to layer 4, the Transport Layer.
Exhibit 27. ICMP Code Field Values by Message Type
Type 3, Destination Unreachable
    0   Net Unreachable
    1   Host Unreachable
    2   Protocol Unreachable
    3   Port Unreachable
    4   Fragmentation Needed and Don't Fragment Was Set
    5   Source Route Failed
    6   Destination Network Unknown
    7   Destination Host Unknown
    8   Source Host Isolated
    9   Communication with Destination Network Is Administratively Prohibited
    10  Communication with Destination Host Is Administratively Prohibited
    11  Destination Network Unreachable for Type of Service
    12  Destination Host Unreachable for Type of Service
    13  Destination Host Unreachable for Type of Service
    14  Communication Administratively Prohibited
    15  Precedence Cutoff in Effect
Type 5, Redirect
    0   Redirect Network (or subnet)
    1   Redirect Host
    2   Redirect Type of Service and Network
    3   Redirect Type of Service and Host
Type 6, Alternate Host Address
    0   Alternate Address for Host
Type 11, Time Exceeded
    0   Time to Live Exceeded in Transit
    1   Fragment Reassembly Time Exceeded
Type 12, Parameter Problem
    0   Pointer Indicates the Error
    1   Missing a Required Option
    2   Bad Length
Type 40, Photuris
    0   Reserved
    1   Unknown Security Parameters Index
    2   Valid Security Parameters, but Authentication Failed
    3   Valid Security Parameters, but Decryption Failed
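The common ICMP header (Type, Code, Checksum) and the border filtering the Evolution section mentions, as an added example that is not code from the book: it parses and checksums a message, names it from Exhibits 26 and 27, and applies an example inbound policy. The policy (permit only error reports and echo replies from the Internet) is an assumption for illustration, and the messages are constructed.

```python
"""Parse the common ICMP header (Type, Code, Checksum), verify the checksum,
name the message from Exhibits 26 and 27, and apply an example border policy
of the kind the text says organizations use to keep most ICMP from flowing
in from the Internet.

Added example, not code from the book; the messages are constructed and the
inbound policy (permit only error reports and echo replies) is an assumption.
"""
import struct

# Type values from Exhibit 26 (subset) and codes from Exhibit 27 (subset).
TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
              12: "Parameter Problem"}
CODE_NAMES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment Was Set"},
    5: {0: "Redirect Network (or subnet)", 1: "Redirect Host"},
    11: {0: "Time to Live Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}
# Example inbound policy: error reports and replies to our own probes may enter;
# requests and routing-control messages (Echo Request, Redirect, ...) are dropped.
INBOUND_PERMIT = {0, 3, 11, 12}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit words (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(type_: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Type, Code, Checksum, then the four type-specific bytes and any payload."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", type_, code, 0) + body)
    return struct.pack("!BBH", type_, code, csum) + body


def describe(type_: int, code: int) -> str:
    tname = TYPE_NAMES.get(type_, "Unassigned/Reserved")
    cname = CODE_NAMES.get(type_, {}).get(code)
    return f"{tname} / {cname}" if cname else tname


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    type_, code, csum = struct.unpack("!BBH", msg[:4])
    recomputed = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:])
    return {"type": type_, "code": code, "checksum_ok": recomputed == csum,
            "name": describe(type_, code)}


def border_decision(msg: bytes) -> str:
    """'permit' or 'drop' for a message arriving from the Internet."""
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "drop"             # corrupted or malformed header
    return "permit" if info["type"] in INBOUND_PERMIT else "drop"


# Constructed sample messages.
ECHO_REQUEST = build_icmp(8, 0, rest=b"\x12\x34\x00\x01", payload=b"abcdefgh")
PORT_UNREACHABLE = build_icmp(3, 3, payload=b"\x45\x00" + b"\x00" * 26)
HOST_REDIRECT = build_icmp(5, 1, rest=b"\xc6\x4e\x2e\x01")
CORRUPTED = ECHO_REQUEST[:-1] + b"z"   # payload altered after the checksum was set

if __name__ == "__main__":
    for name, m in (("echo request", ECHO_REQUEST), ("port unreachable", PORT_UNREACHABLE),
                    ("host redirect", HOST_REDIRECT), ("corrupted", CORRUPTED)):
        print(name, parse_icmp(m), border_decision(m))
```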
TCP and UDP can be identified by setting an applicable value in the IP Header. Although the use of either protocol results in the placement of the appropriate transport layer header behind the IP Header, there are significant differences between the functionality of each transport protocol. Those differences make one protocol more suitable for certain applications than the other protocol, and vice versa.
Exhibit 28. TCP header: Source Port, Destination Port, Acknowledgment Number, HLEN, Reserved, URG, ACK, PSH, RST, SYN, FIN, Window, Checksum, Urgent, Options, Padding (figure not recovered in this extraction)
TCP Overview
The Transmission Control Protocol is a connection-oriented protocol: the protocol will not forward data until a session is established in which the destination acknowledges it is ready to receive data. This also means that the TCP setup process requires more time than when UDP is used as the transport layer protocol. However, because you would not wish to commence certain operations like remote log-on or a file transfer unless you knew the destination was ready to support the appropriate application, the use of TCP is more suitable for certain applications than UDP. Conversely, when we examine UDP, we will note that this transport layer protocol similarly supports certain applications better than other applications. The best way to become familiar with TCP is by first examining the fields in its header, so let us do so.
to zero. The destination port number defines the process or application because an application operating at the receiver normally operates passively, waiting for requests and looking for a specific destination port number to determine the request. The originator sets the Source Port to zero or a value above 1023 because the first 1023 of the 65,536 available port numbers are standardized with respect to the type of traffic transported via the use of specific numeric values. To illustrate the use of port numbers, let us assume one station wishes to open a Telnet connection with a distant server. Because Telnet is defined as port 23, the application will set the destination port value to that number. The Source Port is normally set to a random value above 1023, and an IP Header then adds the destination and source IP addresses for routing the datagram from the client to the server. In some literature you may encounter the term socket, sometimes incorrectly used as a synonym for port. The destination port in the TCP or UDP Header plus the destination IP address cumulatively identify a unique process or application on a host. The combination of port number and IP address is correctly referenced as a socket. At the server, the Destination Port value of 23 identifies the application as Telnet. When the server forms a response, it first reverses the source and destination IP addresses. Similarly, the server places the client's Source Port number in the Destination Port field, which enables the Telnet originator's application to correctly identify the response to its initial datagram.
Port Numbers
The universe of both TCP and UDP port numbers can vary from a value of 0 to 65,535, resulting in a total of 65,535 ports capable of being used by each
Exhibit 29. Multiplexing Multiple Applications via Serial Communications to a Common IP Address (figure)
transport protocol. This so-called port universe is divided into three ranges, referred to as well-known ports, registered ports, and dynamic or private ports.
Well-Known Ports
Well-known ports are the most commonly used port values because they represent assigned numeric values that identify specific processes or applications. Ports 0 through 1023 represent the range of well-known ports. These port numbers are assigned by the Internet Assigned Numbers Authority (IANA) and are used to indicate the transportation of standardized processes. Where possible, the same well-known port number assignments are used with TCP and UDP. Ports used with TCP are normally used to provide connections that transport long-term conversations. In some literature, you may encounter well-known port numbers specified as being in the range of values from 0 to 255. While this range was correct many years ago, the modern range for assigned ports managed by the IANA was expanded to cover the first 1024 port values, from 0 to 1023. Exhibit 30 provides a summary of the port value assignments from 0 through 255 for well-known ports, including the service supported by a particular port and the type of port, TCP or UDP, for which the port number is primarily used. A good source for the full list of assigned port numbers is RFC 1700.
Registered Ports
Registered ports have values ranging from 1024 through 49,151. Although all ports above 1023 can be used freely, the IANA requests vendors to register their application port numbers with them.
Exhibit 30. Well-Known Port Assignments (the transport type column, TCP or UDP, is not recoverable from the extracted text)

Keyword       Port  Service
TCPMUX        1     TCP Port Service Multiplexer
RJE           5     Remote Job Entry
ECHO          7     Echo
DAYTIME       13    Daytime
QOTD          17    Quote of the Day
CHARGEN       19    Character Generator
FTP-DATA      20    File Transfer (Default Data)
FTP           21    File Transfer (Control)
TELNET        23    Telnet
SMTP          25    Simple Mail Transfer Protocol
MSG-AUTH      31    Message Authentication
TIME          37    Time
NAMESERVER    42    Host Name Server
NICNAME       43    Who Is
DOMAIN        53    Domain Name Server
BOOTPS        67    Bootstrap Protocol Server
BOOTPC        68    Bootstrap Protocol Client
TFTP          69    Trivial File Transfer Protocol
FINGER        79    Finger
HTTP          80    World Wide Web
KERBEROS      88    Kerberos
RTELNET       107   Remote Telnet Service
POP2          109   Post Office Protocol Version 2
POP3          110   Post Office Protocol Version 3
NNTP          119   Network News Transfer Protocol
NTP           123   Network Time Protocol
NETBIOS-NS    137   NetBIOS Name Server
NETBIOS-DGM   138   NetBIOS Datagram Service
NETBIOS-SSN   139   NetBIOS Session Service
NEWS          144   News
SNMP          161   Simple Network Management Protocol
SNMPTRAP      162   Simple Network Management Protocol Traps
BGP           179   Border Gateway Protocol
HTTPS         413   Secure HTTP
RLOGIN        513   Remote Login
TALK          517   Talk
The actual entry in the Sequence Number field is based on the number of bytes in the TCP Data field. That is, because TCP was developed as a byte-oriented protocol, each byte in each packet is assigned a sequence number. Because it would be most inefficient for TCP to transmit one byte at a time, groups of bytes, typically 512 or 536, are placed in a segment and one sequence number is assigned to the segment and placed in the Sequence Number field. That number is based on the number of bytes in the current segment as well as in previous segments, as the Sequence Number field value increments its count until all 16-bit positions are used and then continues via a rollover through zero. For example, assume the first TCP segment contains 512 bytes and a second segment has the sequence number 1024. The Acknowledgment Number field, which is also 32 bits in length, is used to verify the receipt of data. The number in this field also reflects bytes. For example, returning to our sequence of two 512-byte segments, when the first segment is received, the receiver expects the next sequence number to be 513. Therefore, if the receiver were acknowledging each segment, it would first return an acknowledgment with a value of 513 in the Acknowledgment Number field. When it acknowledges the next segment, the receiver sets the value in the Acknowledgment Number field to 1025, and so on. Because it would be inefficient to have to acknowledge each datagram, TCP supports a variable or sliding window. That is, returning an Acknowledgment Number field value of n + 1 indicates the receipt of all bytes through byte n. If the receiver has the ability to process a series of multiple segments and each is received without error, it would be less efficient to acknowledge each datagram. Thus, a TCP receiver can process a variable number of segments prior to returning an acknowledgment that informs the transmitter that n bytes were received correctly.
To ensure that lost datagrams or lost acknowledgments do not place TCP in an infinite waiting period, the originator sets a timer and will retransmit data if it does not receive a response within a predefined period of time. The previously described use of the Acknowledgment Number field is referred to as Positive Acknowledgment Retransmission (PAR). Under PAR, each unit of data must be either implicitly (sending a value of n + 1 to acknowledge receipt of n bytes) or explicitly acknowledged. If a unit of data is not acknowledged by the time the originator's time-out period is reached, the previous transmission is retransmitted. When the Acknowledgment Number field is in use, a flag bit, referred to as the ACK flag in the Code field, is set. Later we discuss the six bit positions in the Code Bits field.
HLEN Field
The Header Length (HLEN) field is four bits in length. This field, which is also referred to as the Offset field, contains a value that indicates where the TCP Header ends and the Data field begins. This value is specified as a number of 32-bit words. It is required because the inclusion of options can result in a variable-length header. Because the minimum length of the TCP Header is 20 bytes, the minimum value of the HLEN field is 5, denoting five 32-bit words, which equals 20 bytes.
Window Field
The Window field is 16 bits in length and provides TCP with the ability to regulate the flow of data between source and destination. Thus, this field indirectly performs flow control.
The Window field indicates the maximum number of bytes that the receiving device can accept. Thus, it indirectly indicates the available buffer memory of the receiver. Here, a large value can significantly improve TCP performance, as it permits the originator to transmit a number of segments without having to wait for an acknowledgment while permitting the receiver to acknowledge the receipt of multiple segments with one acknowledgment. Because TCP is a full-duplex transmission protocol, both the originator and recipient can insert values in the Window field to control the flow of data in each direction. By reducing the value in the Window field, one end of a session in effect informs the other end to transmit less data. Thus, the use of the Window field provides a bi-directional flow control capability.
Checksum Field
The Checksum field is 16 bits, or 2 bytes, in length. The function of this field is to provide an error detection capability for TCP. To do so, this field is primarily concerned with ensuring that key fields are validated instead of protecting only the header. Thus, the checksum calculation occurs over what is referred to as a 12-byte pseudo-header. This pseudo-header includes the 32-bit Source and Destination Address fields in the IP Header, the eight-bit Protocol field, and a Length field that indicates the length of the TCP header and data transported within the TCP segment. Thus, the primary purpose of the Checksum field is to ensure that data arrived at its correct destination, and that the receiver has no doubt about the address of the originator or the length of the header and the type of application data transported.
Options Field
The Options field, if present, is variable in length. The purpose of this field is to enable TCP to support various options, with Maximum Segment Size (MSS) representing a popular TCP option. Because the header must end on a 32-bit boundary, any option that does not do so is extended via pad characters, which some literature refers to as a Padding field.
Padding Field
The Padding field is optional and is included only when the Options field does not end on a 32-bit boundary. Thus, the purpose of the Padding field is to ensure that the TCP Header, when extended, falls on a 32-bit boundary.
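To tie the header fields together, the following parser is an added example written for this explanation (it is not code from the book). It decodes the fixed 20-byte header, checks HLEN before trusting it (a header that claims to extend past the end of the segment is exactly the kind of malformed input a parser must reject), walks the Options field until the End-of-Option-List byte, and treats anything after HLEN as data. The sample segment, its ports, sequence numbers and options are constructed values, not taken from the text.

```python
import struct

# Constructed sample segment (example data, not from the page): a TCP header
# with HLEN = 7 (28 bytes) carrying an MSS option, a Window Scale option and
# an End-of-Option-List byte that pads the header to a 32-bit boundary,
# followed by four bytes of application data.
SAMPLE_SEGMENT = bytes([
    0x04, 0xD2,              # Source Port 1234 (above 1023, as a client would choose)
    0x00, 0x17,              # Destination Port 23 (Telnet)
    0x00, 0x00, 0x03, 0xE8,  # Sequence Number 1000
    0x00, 0x00, 0x07, 0xD1,  # Acknowledgment Number 2001
    0x70, 0x12,              # HLEN = 7 (28 bytes), Reserved = 0, Code Bits SYN + ACK
    0x20, 0x00,              # Window 8192
    0x00, 0x00,              # Checksum (left zero in this sample)
    0x00, 0x00,              # Urgent Pointer
    0x02, 0x04, 0x05, 0xB4,  # Option kind 2 (MSS), length 4, MSS = 1460
    0x03, 0x03, 0x07,        # Option kind 3 (Window Scale), length 3, shift 7
    0x00,                    # Option kind 0 (End of Option List): padding to 28 bytes
]) + b"data"

# The six Code Bits, lowest-order bit first
CODE_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_options(raw):
    """Decode the Options field into (kind, data) pairs; stops at End of Option List."""
    options = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List: the rest is padding
            break
        if kind == 1:                      # No-Operation: a single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        options.append((kind, bytes(raw[i + 2:i + length])))
        i += length
    return options


def parse_tcp_header(segment):
    """Parse the TCP header of a segment; HLEN is validated before it is used."""
    if len(segment) < 20:
        raise ValueError("segment is shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack, offset_reserved, code_bits,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen_words = offset_reserved >> 4      # HLEN counts 32-bit words
    if hlen_words < 5:
        raise ValueError("HLEN %d is below the minimum of 5 words" % hlen_words)
    hlen = hlen_words * 4
    if hlen > len(segment):
        raise ValueError("HLEN %d bytes exceeds the %d-byte segment" % (hlen, len(segment)))
    flags = {name: bool(code_bits & (1 << bit)) for bit, name in enumerate(CODE_BITS)}
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "hlen": hlen, "flags": flags,
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": parse_options(segment[20:hlen]),
        "payload": segment[hlen:],
    }


if __name__ == "__main__":
    for key, value in parse_tcp_header(SAMPLE_SEGMENT).items():
        print("%-10s %r" % (key, value))
```

The HLEN checks matter because the field is attacker-controlled input: a value below 5 or one that points past the end of the received bytes must be treated as a malformed segment rather than indexed blindly.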
Exhibit 31. TCP passive OPEN and active OPEN between two stations (figure)
Let us now examine how TCP establishes a connection with a distant device and its initial handshaking process, its use of sequence and acknowledgment numbers, how the protocol supports flow control, and how the protocol terminates a session.
Connection Establishment
As mentioned earlier, TCP is a connection-oriented protocol that requires a connection between two stations to be established prior to the actual transfer of data. The actual manner by which an application communicates with TCP is through a series of function calls. To understand the manner by which TCP establishes a session, we must first examine the connection function calls that applications such as Telnet and FTP use.
Port Hiding
One of the little-known aspects of TCP is the fact that some organizations attempt to hide their applications by configuring applications for ports other than well-known ports. For example, assigning Telnet to port 2023 instead of port 23 is an example of port hiding. Although a person with port scanning software would easily be able to discover that port 2023 is being used, the theory behind port hiding is that it reduces the ability of lay personnel to easily discover applications at different network addresses and then attempt to use those applications.
Passive OPEN
Returning to the use of a passive OPEN function call, its use governs the number of connections allowed. That is, while a client usually issues one passive OPEN, a server issues multiple OPENs because it is designed to service multiple sessions. Another term used for the passive end of the TCP action is responder or TCP responder. Thus, a TCP responder can be thought of as opening up connection slots to accept any inbound connection request without waiting for any particular station's request.
Active OPEN
A station that needs to initiate a connection to a remote station issues the second type of OPEN call. This type of function call is referred to as an active OPEN. In the example illustrated in Exhibit 31, station X would issue an active OPEN call to station Y. For the connection to be serviced by station Y, that station must have previously issued a passive OPEN request, which, as previously explained, allows incoming connections to be established. To successfully connect, station X's active OPEN must use the same port number that the passive OPEN used on station Y. In addition to active and passive OPEN calls, other calls include CLOSE (to close a connection), SEND and RECEIVE (to transfer information), and STATUS (to receive information for a previously established connection). Now let us turn our attention to the manner by which TCP segments are exchanged. The exchange of segments enables a session to occur. The initial exchange of datagrams that transport TCP segments is called a three-way handshake. It is important to note how and why this process occurs. It has been used in modified form as a mechanism to create a denial-of-service (DoS) attack.
Exhibit 32. The three-way handshake between stations X and Y (figure): station Y receives the SYN and transmits SYN = 1, SEQ = 2000, ACK = 1001; Connection Established
Overview
A three-way handshake begins with the originator sending a segment with its SYN bit in the Code Bits eld set. The receiving station responds with a similar segment with its ACK bit in the Code Bits eld set. Thus, an alternate name for the three-way handshake is an initial SYN-SYN-ACK sequence.
Operation
To illustrate the three-way handshake, let us continue from our prior example shown in Exhibit 31, in which station X placed an active OPEN call to TCP to request a connection to a remote station and an application on that station. Once the TCP/IP protocol stack receives an active OPEN call, it constructs a TCP header with the SYN bit in the Code Bits field set. The stack also assigns an initial sequence number and places that number in the Sequence Number field in the TCP header. Other fields in the header, such as the Destination Port Number, are also set, and the segment is then transferred to IP for the formation of a datagram for transmission onto the network. To illustrate the operation of the three-way handshake, consider Exhibit 32, which illustrates the process between stations X and Y. Because the initial sequence number does not have to start at zero, we assume it commenced at 1000 and then further assume that the value was placed in the Sequence Number field. Thus, the TCP Header flowing from station X to station Y is shown with SYN = 1 and SEQ = 1000. Because the IP Header results in the routing of the datagram to station Y, that station strips the IP Header and notes that the setting of the SYN bit in the TCP Header represents a connection request. Assuming station Y can accept a new connection, it will acknowledge the connection request by building a TCP segment. That segment will have its SYN and ACK bits in its
Code Bits field set. In addition, station Y will place its own initial sequence number in the Sequence Number field of the TCP Header it is forming. Because the connection request had a sequence number of 1000, station Y will acknowledge receipt by setting its Acknowledgment field value to 1001 (station X's sequence number plus 1), which indicates the next expected sequence number. Once station Y forms its TCP segment, the segment has an IP Header added to form a datagram. The datagram flows to station X. Station X receives the datagram, removes the IP Header, and notes via the setting of the SYN and ACK bits and the Sequence Number field value that it is a response to its previously issued connection request. To complete the connection request, station X must, in effect, acknowledge the acknowledgment. To do so, station X will construct a new TCP segment in which the ACK bit is set and the sequence number is incremented by 1 to 1001. Station X will also set the acknowledgment number to 2001 and form a datagram that is transmitted to station Y. Once station Y examines the TCP header and confirms the correct values for the Acknowledgment and Sequence Number fields, the connection becomes active. At this point both data and commands can flow between the two endpoints. As this occurs, each side of the connection maintains its own set of tables for transmitted and received sequence numbers. Those numbers are always in ascending order. When the applicable 16-bit field reaches its maximum value, the settings wrap to 0. In examining the three-way handshake illustrated in Exhibit 32, note that after the originating station establishes a connection with the receiver, it transmits a second TCP initialization segment to the receiver and follows that segment with one or more IP datagrams that transport the actual data. In Exhibit 32, a sequence of three datagrams is transmitted prior to station Y's generating an acknowledgment to the three segments transported in the three datagrams.
The actual number of outstanding segments depends on the TCP window, so let us turn our attention to this topic.
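The exchange of Exhibit 32, worked through as an added example (this model is written for this explanation and is not the book's code). Two small endpoint objects run the passive OPEN, active OPEN, SYN, SYN-ACK and ACK steps with the initial sequence numbers 1000 and 2000 used in the text, and each side checks that the acknowledgment number it receives equals its own initial sequence number plus 1. That check is what lets an endpoint reject a SYN-ACK or ACK that does not belong to the handshake it started, which is the point of carrying the sequence numbers through the exchange.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """The handshake-relevant TCP header fields (example model, not the page's code)."""
    seq: int
    ack_num: int = 0
    syn: bool = False
    ack: bool = False


class Endpoint:
    """Minimal TCP connection state for the three-way handshake."""

    def __init__(self, name, isn):
        self.name = name
        self.isn = isn           # initial sequence number; need not start at zero
        self.state = "CLOSED"
        self.rcv_nxt = None      # next sequence number expected from the peer

    def passive_open(self):
        self.state = "LISTEN"

    def active_open(self):
        self.state = "SYN-SENT"
        return Segment(seq=self.isn, syn=True)

    def receive(self, seg):
        """Process one segment and return the reply segment, or None if nothing is sent."""
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            self.rcv_nxt = seg.seq + 1             # acknowledge the peer's ISN + 1
            self.state = "SYN-RECEIVED"
            return Segment(seq=self.isn, ack_num=self.rcv_nxt, syn=True, ack=True)
        if self.state == "SYN-SENT" and seg.syn and seg.ack:
            if seg.ack_num != self.isn + 1:        # must acknowledge our own SYN
                raise ValueError("%s: SYN-ACK acknowledges %d, expected %d"
                                 % (self.name, seg.ack_num, self.isn + 1))
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(seq=self.isn + 1, ack_num=self.rcv_nxt, ack=True)
        if self.state == "SYN-RECEIVED" and seg.ack and not seg.syn:
            if seg.ack_num != self.isn + 1 or seg.seq != self.rcv_nxt:
                raise ValueError("%s: final ACK does not match the handshake" % self.name)
            self.state = "ESTABLISHED"
            return None
        raise ValueError("%s: unexpected segment in state %s" % (self.name, self.state))


def three_way_handshake(isn_x=1000, isn_y=2000):
    """Run the Exhibit 32 exchange; returns the three segments and the final states."""
    x, y = Endpoint("X", isn_x), Endpoint("Y", isn_y)
    y.passive_open()                 # Y opens connection slots first
    syn = x.active_open()            # X -> Y: SYN = 1, SEQ = 1000
    syn_ack = y.receive(syn)         # Y -> X: SYN = 1, SEQ = 2000, ACK = 1001
    ack = x.receive(syn_ack)         # X -> Y: SEQ = 1001, ACK = 2001
    y.receive(ack)
    return [syn, syn_ack, ack], (x.state, y.state)


if __name__ == "__main__":
    segments, states = three_way_handshake()
    for seg in segments:
        print(seg)
    print(states)
```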
Exhibit 33. The TCP sliding window (figure): sequence numbers 10 through 28, grouped as data transmitted and acknowledged, data transmitted and awaiting acknowledgment, and data to be transmitted
acknowledged; and data waiting to be transmitted. Because this window slides over the three types of data, the window is referred to as a sliding window. Exhibit 33 illustrates the use of the TCP sliding window for flow control purposes. Although the actual TCP segment size is normally 512 bytes, for simplicity of illustration, a condensed sequence of segments with sequence numbers varying by unity is shown. In this example we assume that sequence numbers 10 through 15 have been transmitted to the destination station. The remote station acknowledges receipt of those segments. The source station transmitted datagrams containing segment sequence numbers 16 through 20 but at this point has not received an acknowledgment. Thus, those data represent the second type of data covered by a sliding window. Note that this window will slide up the segments as each datagram is transmitted. The third type of data the sliding window covers is segments awaiting transmission. In Exhibit 33, segments 21 through 24 are in the source station awaiting transmission, while segments 25 through 28 are awaiting coverage by the sliding window. If we return to Exhibit 28, which illustrates the TCP Header, we will note a field labeled Window. That field value indirectly governs the length of the sliding window. In addition, the setting of that field provides a flow control mechanism. For example, the Window field transmitted by a receiver to a sender indicates the range of sequence numbers, which equates to bytes, the receiver is willing to accept. If a remote station cannot accept any additional data, it sets the Window field value to zero. The receiving station continues to transmit TCP segments with the Window field set to zero until its buffer is emptied a bit (no pun intended), at which point it in effect allows the originator to resume transmitting data.
That is, when the transmitting station receives a response with a Window field value of zero, it replies to the response with an ACK (Code field ACK bit set to 1) and its Window field set to a value of zero. This inhibits the flow of data. When sufficient buffer space becomes available at the receiver, it will form a segment with its Window field set to a nonzero value, indicating that it can again receive data. At this point, the transmission of data to the receiver resumes.
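The Exhibit 33 snapshot and the zero-window behaviour just described, as an added example written for this explanation (not code from the book). Sequence numbers are per segment rather than per byte, as in the exhibit's simplified drawing. `window_categories` reproduces the exhibit's three groups from the sender's two pointers and the advertised Window; `SlidingWindowSender` then shows a sender that transmits only what the window allows, accepts the `n + 1` style acknowledgments described earlier, stalls completely when the receiver advertises a Window of zero, and resumes when a nonzero Window arrives. The pointer names `snd_una` and `snd_nxt` are borrowed from the usual TCP terminology and are not used in the text.

```python
def window_categories(first_seq, last_seq, snd_una, snd_nxt, window):
    """Classify sequence numbers first_seq..last_seq the way Exhibit 33 does.

    snd_una: oldest unacknowledged sequence number (everything below it is acknowledged)
    snd_nxt: next sequence number to send (snd_una .. snd_nxt - 1 is in flight)
    window:  the receiver's advertised Window, in sequence-number units
    """
    right_edge = snd_una + window               # first number outside the window
    return {
        "acknowledged": list(range(first_seq, snd_una)),
        "awaiting_ack": list(range(snd_una, snd_nxt)),
        "sendable_now": list(range(snd_nxt, min(right_edge, last_seq + 1))),
        "outside_window": list(range(max(right_edge, snd_nxt), last_seq + 1)),
    }


class SlidingWindowSender:
    """A sender that honours the receiver's Window field, including a zero window."""

    def __init__(self, first_seq, last_seq, window):
        self.first, self.last = first_seq, last_seq
        self.snd_una = first_seq     # oldest segment not yet acknowledged
        self.snd_nxt = first_seq     # next segment to transmit
        self.window = window         # most recent Window value from the receiver

    def transmit(self):
        """Send everything the window currently allows; returns the sequence numbers sent."""
        sent = list(range(self.snd_nxt, min(self.snd_una + self.window, self.last + 1)))
        self.snd_nxt += len(sent)
        return sent

    def on_ack(self, ack_num, window):
        """Handle an ACK: ack_num = n + 1 acknowledges everything through n (PAR)."""
        if self.snd_una <= ack_num <= self.snd_nxt:   # ignore stale or out-of-range ACKs
            self.snd_una = ack_num
        self.window = window         # a zero Window stops transmission until it is raised

    def categories(self):
        return window_categories(self.first, self.last, self.snd_una, self.snd_nxt, self.window)


if __name__ == "__main__":
    # The state drawn in Exhibit 33: 10..15 acknowledged, 16..20 in flight, Window of 9
    print(window_categories(10, 28, snd_una=16, snd_nxt=21, window=9))
    sender = SlidingWindowSender(10, 28, window=9)
    print("sent", sender.transmit())
    sender.on_ack(16, window=9)
    print("sent", sender.transmit())
    sender.on_ack(21, window=0)     # receiver's buffer is full
    print("sent", sender.transmit())  # nothing: zero window
    sender.on_ack(21, window=8)     # buffer drained, transmission resumes
    print("sent", sender.transmit())
```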
Avoiding Congestion
One of the initial problems associated with TCP is the fact that a connection could commence with the originator transmitting multiple segments, up to the Window field value the receiver returned during the previously described three-way handshake. If slow-speed WAN connections exist between originator and recipient, it is possible for routers to become saturated when a series of transmissions originates at the same time. In such a situation, the router discards datagrams, causing retransmissions that prolong the abnormal situation. The solution developed to avoid this situation is referred to as the TCP slow-start process.
Let us turn our attention to the congestion avoidance method and to the algorithm it uses. Upon the receipt of ACKs, the Congestion window is increased until its value matches the value saved in the slow-start threshold. When this occurs, the slow-start algorithm terminates and the congestion avoidance algorithm starts. This algorithm multiplies the segment size by 2, divides that value by the Congestion window size, and then continually increases its value based on the previously described algorithm each time an ACK is received. The result of this algorithm is a more linear growth in the number of segments that can be transmitted in comparison to the exponential growth of the slow-start algorithm.
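The two growth phases, as an added example written for this explanation rather than taken from the book. The simulation counts how many segments the sender may have outstanding in each round trip: in slow start the congestion window grows by one segment size per ACK (so it doubles every round trip), and once it reaches the slow-start threshold the increment per ACK becomes segment size squared divided by the congestion window, which adds about one segment per round trip. That per-ACK formula is the textbook one from RFC 2001, used here as an assumption; the text's own description of the congestion avoidance arithmetic differs in wording. The segment size of 512 bytes is the value the text uses elsewhere; the threshold of 4096 bytes is a constructed choice.

```python
from fractions import Fraction


def cwnd_per_round(mss=512, ssthresh=4096, rounds=8):
    """Segments the sender may have outstanding in each successive round trip.

    Slow start (cwnd < ssthresh): cwnd += mss per ACK, i.e. it doubles each round.
    Congestion avoidance (cwnd >= ssthresh): cwnd += mss * mss / cwnd per ACK,
    i.e. it grows by about one mss per round. Fractions keep the arithmetic exact.
    """
    cwnd = Fraction(mss)              # congestion window in bytes; starts at one segment
    trace = []
    for _ in range(rounds):
        segments = int(cwnd // mss)   # whole segments allowed in this round trip
        trace.append(segments)
        for _ack in range(segments):  # one ACK returns for each segment sent
            if cwnd < ssthresh:
                cwnd += mss                               # exponential phase
            else:
                cwnd += Fraction(mss * mss) / cwnd        # linear phase
    return trace


if __name__ == "__main__":
    for rtt, segments in enumerate(cwnd_per_round(), start=1):
        print("round trip %d: %2d segments" % (rtt, segments))
```

With these values the trace runs 1, 2, 4, 8 segments while slow start is in effect and then 9, 10, 11, 12, which is the exponential-then-linear shape the text describes.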
TCP Retransmissions
While it is obvious that a receiver returning the same expected sequence number again, in effect a negative acknowledgment of a segment, indicates a retransmission request, what happens if a datagram is delayed? Because delays across a TCP/IP network depend on the activity of other routers in the network, the number of hops in the path between source and destination, and other factors, it is practically impossible to have an exact expected delay before a station assumes data are lost and retransmits. Recognizing this situation, TCP developers included an adaptive retransmission algorithm in the protocol. Under this algorithm, when TCP submits a segment for transmission, the protocol records the segment sequence number and time. When an acknowledgment to that segment is received, TCP also records the time, obtaining a round-trip delay. TCP uses such timing information to construct an average round-trip delay that a timer uses to denote, when the timer expires, that a retransmission should occur. When a new transmit-response sequence occurs, another round-trip delay is computed that slightly changes the average. Thus, this technique slowly changes the timer value that governs the acceptable delay for waiting for an ACK. Now that we have an appreciation for the manner by which TCP determines when to retransmit a segment, let us conclude our coverage of this protocol by turning our attention to the manner by which it gracefully terminates a session.
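The adaptive timer, as an added example written for this explanation (not the book's code). Each transmitted segment is recorded with its send time; when its ACK arrives the round-trip sample nudges a smoothed average, and the retransmission timeout is derived from that average. The specific smoothing used here, a smoothed RTT plus four times a smoothed RTT variation (RFC 6298), goes beyond the text's description of a slowly changing average and is an assumption of this example, as is the rule of not taking a sample from a segment that was retransmitted (Karn's algorithm), since such a sample is ambiguous. The 200 ms floor on the timeout and the sample times are constructed values.

```python
class RetransmissionTimer:
    """Adaptive retransmission timer: smoothed RTT and RTT variation, RFC 6298 style."""

    def __init__(self, alpha=1 / 8, beta=1 / 4, k=4, min_rto=0.2, initial_rto=1.0):
        self.alpha, self.beta, self.k, self.min_rto = alpha, beta, k, min_rto
        self.srtt = None         # smoothed round-trip time, seconds
        self.rttvar = None       # smoothed round-trip time variation
        self.rto = initial_rto   # current retransmission timeout
        self.pending = {}        # seq -> (send_time, was_retransmitted)

    def on_send(self, seq, now, retransmission=False):
        """Record the sequence number and the time the segment was sent."""
        self.pending[seq] = (now, retransmission)

    def on_ack(self, seq, now):
        """Record a round-trip sample for seq and return the updated timeout."""
        sent_at, retransmitted = self.pending.pop(seq)
        if retransmitted:
            return self.rto      # Karn's rule: ambiguous sample, leave the estimate alone
        sample = now - sent_at
        if self.srtt is None:    # first measurement seeds the estimator
            self.srtt, self.rttvar = sample, sample / 2
        else:                    # later samples only nudge the running estimate
            self.rttvar = (1 - self.beta) * self.rttvar + self.beta * abs(self.srtt - sample)
            self.srtt = (1 - self.alpha) * self.srtt + self.alpha * sample
        self.rto = max(self.min_rto, self.srtt + self.k * self.rttvar)
        return self.rto

    def expired(self, now):
        """Sequence numbers whose timer has run out and which should be retransmitted."""
        return sorted(seq for seq, (sent_at, _) in self.pending.items()
                      if now - sent_at >= self.rto)


if __name__ == "__main__":
    t = RetransmissionTimer()
    t.on_send(1000, now=0.0)
    print("RTO after first sample: %.4f s" % t.on_ack(1000, now=0.1))
    t.on_send(1512, now=0.1)
    print("RTO after second sample: %.4f s" % t.on_ack(1512, now=0.3))
    t.on_send(2024, now=0.3)
    print("expired at t=0.7:", t.expired(0.7))
```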
Session Termination
If we remember the components of the Code Bits field, we previously noted that the field has a FIN bit. The purpose of this bit is to enable TCP to gracefully terminate a session. Before TCP terminates a full-duplex communications session, each party to the session must close the session. This means that both the originator and recipient must exchange segments with the FIN bit set in each segment. Exhibit 34 illustrates the exchange of segments to gracefully terminate a TCP connection. In this example, assume station X has completed its transmission and indicates this fact by sending a segment to station Y with the FIN bit set. Station Y acknowledges the segment with an ACK. At this point,
Exhibit 34. Graceful termination of a TCP session between stations X and Y (figure): station X sends SEQ = 200, FIN = 1; receives ACK; receives FIN and ACK with ACK = 251; station X done and acknowledged; station Y done and acknowledged
Exhibit 35.
station Y no longer accepts data from station X. Station Y can continue to accept data from its application to transmit to station X. If station Y has no more data to transmit, it will then completely close the connection by transmitting a segment to station X with the FIN bit set in the segment. Station X will then ACK that segment and terminate the connection. If an ACK should be lost in transit, segments with FIN are transmitted and a timer is set. Then either an ACK is received or a time-out occurs, which serves to close the connection.
UDP
The User Datagram Protocol (UDP) is the second transport layer protocol the TCP/IP protocol suite supports. UDP is a connectionless protocol, which means that an application using UDP can have its data transported in the form of IP datagrams without first having to establish a connection to the destination. This also means that when transmission occurs via UDP, there is no need to release a connection, simplifying the communication process. Other features of UDP include the fact that this protocol has no ordering capability and it does not provide any error detection and correction capability. This, in turn, results in a header that is greatly simplified and is much smaller than TCP's.
many of the features of the former. For example, because it does not require the acknowledgment or sequencing of datagrams, there is no need for Sequence and Acknowledgment fields. Similarly, because UDP does not provide a flow control mechanism, the TCP Window field is removed. The result of UDP's performing a best-effort delivery mechanism is a relatively small transport layer protocol header, with the protocol relatively simple in comparison to TCP. Because the best way to understand the operation of UDP is via an examination of its header, let us do so. Before we do, as a reminder note that, similar to TCP, an IP Header will prefix the UDP Header, with the resulting message consisting of the IP Header, UDP Header, and user data referred to as a UDP datagram.
Checksum Field
The Checksum field is two bytes in length. The use of this field is optional and its value is set to 0 if the application does not require a checksum. If a checksum is required, it is calculated on what is referred to as a pseudo-header. The pseudo-header is a logically formed header that consists of the source and destination addresses and the Protocol field from the IP Header. By verifying the contents of the two address fields through its checksum computation, the pseudo-header assures that the UDP datagram is delivered to the correct destination network and host on the network. It does not verify the contents of the datagram.
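The pseudo-header checksum described for the TCP Checksum field earlier and for the UDP Checksum field here, carried out as an added example written for this explanation (not code from the book). The same one's-complement sum (RFC 1071) covers the 12-byte pseudo-header (source and destination IP addresses, a zero byte, the Protocol value and the transport length) followed by the transport header and data, so a datagram delivered to the wrong address fails verification even though its own bytes are intact. The UDP-specific rule that a stored checksum of 0 means "not used", and that a computed value of 0 is therefore transmitted as 0xFFFF, is handled explicitly. The addresses come from the 198.78.46.0 network the text assigns to smart.edu; the ports and payload are constructed.

```python
import struct

TCP, UDP = 6, 17                       # IP Header Protocol field values
CHECKSUM_OFFSET = {TCP: 16, UDP: 6}    # byte offset of the Checksum field in each header


def ipv4_bytes(dotted):
    """'198.78.46.1' -> b'\\xc6\\x4e\\x2e\\x01'."""
    return bytes(int(octet) for octet in dotted.split("."))


def internet_checksum(data):
    """One's-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                          # pad an odd byte count
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, protocol, length):
    """The 12-byte pseudo-header: addresses, zero, Protocol, transport length."""
    return ipv4_bytes(src_ip) + ipv4_bytes(dst_ip) + struct.pack("!BBH", 0, protocol, length)


def fill_checksum(src_ip, dst_ip, protocol, segment):
    """Return the segment with its Checksum field computed over pseudo-header + segment."""
    buf = bytearray(segment)
    off = CHECKSUM_OFFSET[protocol]
    buf[off:off + 2] = b"\x00\x00"               # the field is zero while the sum is taken
    value = internet_checksum(pseudo_header(src_ip, dst_ip, protocol, len(buf)) + bytes(buf))
    if protocol == UDP and value == 0:
        value = 0xFFFF                           # UDP: 0 means "no checksum", so send all ones
    buf[off:off + 2] = struct.pack("!H", value)
    return bytes(buf)


def checksum_ok(src_ip, dst_ip, protocol, segment):
    """Verify a received segment against the addresses carried in its IP header."""
    off = CHECKSUM_OFFSET[protocol]
    stored = struct.unpack("!H", segment[off:off + 2])[0]
    if protocol == UDP and stored == 0:
        return True                              # sender chose not to use the checksum
    # Summing the data together with the stored checksum gives 0 when nothing changed
    return internet_checksum(pseudo_header(src_ip, dst_ip, protocol, len(segment)) + segment) == 0


# Constructed samples (example data only). UDP: source port 1024, destination port 53,
# Length 12, checksum not yet filled, four bytes of data. TCP: a 20-byte header
# (HLEN = 5, ACK + PSH set) with four bytes of data.
SAMPLE_UDP = struct.pack("!HHHH", 1024, 53, 12, 0) + b"abcd"
SAMPLE_TCP = struct.pack("!HHIIBBHHH", 1234, 23, 1000, 2001, 0x50, 0x18, 8192, 0, 0) + b"data"
SRC, DST = "198.78.46.1", "198.78.46.2"


if __name__ == "__main__":
    udp = fill_checksum(SRC, DST, UDP, SAMPLE_UDP)
    print("UDP checksum 0x%04x, valid: %s" % (struct.unpack("!H", udp[6:8])[0],
                                              checksum_ok(SRC, DST, UDP, udp)))
    print("same datagram delivered to .3:", checksum_ok(SRC, "198.78.46.3", UDP, udp))
```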
Operation
Because the UDP Header does not include within the protocol an acknowledgment capability or a sequence numbering capability, it is up to the application layer to provide this capability. This enables some applications to add this capability, whereas other applications that run on top of UDP may elect not to include one or both. As previously described, a UDP Header and its data are prefixed with an IP Header to form a datagram. Upon receipt of the datagram, the IP layer strips off that header and submits the remainder to the UDP software at the transport layer. The UDP layer reads the destination port number as a mechanism to demultiplex and send the data to its appropriate application.
Applications
UDP is primarily used by applications that transmit relatively short segments and for which the use of TCP would result in a high level of overhead in comparison to UDP. Common examples of applications that use UDP as a transport protocol include the Simple Network Management Protocol (SNMP), the Domain Name System (DNS), and the newly emerging series of applications from numerous vendors that transport digitized voice over the Internet and are collectively referred to as Internet telephony. Most implementations of Internet telephony applications use both TCP and UDP. TCP is used for call setup, whereas UDP is used to transport digitized voice once the setup operation is completed. Because real-time voice cannot tolerate more than a fraction of a second of delay, Internet telephony applications do not implement error detection and correction, as retransmissions would add delays that would make reconstructed voice sound awkward. Instead, because voice does not rapidly change, applications may either smooth over an error or drop the datagram and generate a small period of noise that does not affect the human ear. This is because most Internet telephony applications transmit 10-ms or 20-ms slices of digitized voice, making the error or even the loss of one or a few datagrams transporting such slices of a conversation most difficult to notice.
The DNS
The TCP/IP protocol suite includes a number of built-in diagnostic tools that developers provide as associated applications running under the operating system that supports the suite. Thus, this section primarily focuses on a core set of applications that can be used to obtain an insight into the flow of data across a TCP/IP network. Through the use of the application programs discussed in this section, we can determine if the protocol stack is operating correctly on a host, whether or not a host is reachable via a network, and the delay or latency between different networks with respect to the flow of data from one network to another. Because knowledge of the Domain Name System (DNS) is important to obtain an understanding of the operation and constraints associated with different applications that provide a diagnostic testing capability, we first obtain an overview of DNS. Once this is accomplished, we turn our attention to the operation and utilization of applications that provide a diagnostic testing capability within the TCP/IP protocol suite. The purpose of the Domain Name System (DNS) is to provide the TCP/IP community with a mechanism to translate host names into IP addresses, because all routing is based on an examination of IP addresses. To accomplish this translation process, a series of domain name servers is used to create a
Exhibit 36. The domain name hierarchy (figure): "root"; .com (containing Widgets, with hosts ftp and www), .net, .org, .edu, .int, .mil, .gov, .au, .fr, .ie
distributed database that contains the names and addresses of all reachable hosts on a TCP/IP network. That network can be a corporate intranet, the portion of the Internet operated by an Internet service provider (ISP), or the entire Internet.
if your organization was assigned the domain widgets.com as a commercial organization, an entry indicating the network address for widgets.com and the domain widgets would be placed in the root .com domain name server. If you examine the entry under the .com domain in Exhibit 36, you will note the subdomain labeled Widgets. Under the Widgets entry, you will note two entries, ftp and www. Here ftp and www represent two host names within the Widgets subdomain. The fully qualified names of the two hosts then become ftp.widgets.com and www.widgets.com. Thus, if someone does not know the IP address of the FTP server and the Web server operated by widgets.com, he can enter the fully qualified domain name for each server, and DNS will automatically perform the translation, assuming applicable DNS entries exist in a server. Thus, let us turn our attention to the manner by which host names are converted into IP addresses, a process referred to as name resolution.
Data Flow
To illustrate the potential flow of data during the address resolution process, consider Exhibit 37. In Exhibit 37 the user at host gil.smart.edu has just entered the host name www.cash.gov into her browser and pressed the Enter key,
Exhibit 37. Data flow during DNS address resolution (figure): gil.smart.edu, the DNS for the domain smart.edu, the DNS for the domain isp.com, the DNS for the top-level domain .edu, the routers between them, and the steps numbered 1 through 15
which in effect commences the resolution process. When the address resolution process begins, a UDP datagram flows to the local DNS on the domain smart.edu, as indicated by 1. Assuming that DNS does not have an entry for the network address of the requested host (www.cash.gov), the resolution request flows upward to the next DNS via the use of a pointer record in the local DNS. This is indicated by numbers 2, 3, and 4 in Exhibit 37. Assuming the next DNS, which is shown as serving the domain isp.com, does not have an entry for www.cash.gov, the resolution request continues its flow up the DNS hierarchy until it either reaches a server that can resolve the request or arrives at the top-level DNS for the domain for which the host name is to be resolved. This is indicated by 5, 6, and 7 in Exhibit 37. Once the address is resolved, the resolution does not flow directly back to the original DNS. Instead, the resolution flows back through each DNS in the hierarchy, providing each server with the ability to update its resolution table. This is indicated by 9 through 14 in Exhibit 37. Finally, the local DNS returns the resolved IP address, as indicated by 15 in Exhibit 37. At this point the station can form an IP datagram using the destination IP address obtained from the address resolution process.
Exhibit 38.

Record Type   Description
A             Contains an IP address to be associated with a host name
MX            Contains the address of a mail exchange system(s) for the domain
NS            Contains the address of the name server(s) for the domain
CNAME         Canonical Name record; contains an alias host name to associate with the host name contained in the record
PTR           Contains a host name to be associated with an IP address in the record
SOA           The Start of Authority record indicates the administrative name server for a domain as well as administrative information about the server
Time Consideration
If a fully qualified domain name cannot have its IP address resolved by the local DNS, one or more additional servers must be queried. This means that datagrams conveying address resolution information will flow over relatively low-speed WAN connections, for which the time delay then depends on the operating rate of those connections and other activity flowing on each connection, as well as the processing being performed by routers that form the WAN. Because the DNS resolution process on a host results in the setting of a timer, if too much time elapses during the resolution process, the timer will time out or expire. When this situation occurs, the protocol stack that the application uses generates an error message. One popular error message generated by a browser informs the user to check the destination name spelling and try again! This message does not mention anything about the address resolution process, probably because most persons using browsers have no knowledge of the process and a more descriptive error message might be counterproductive.
DNS Records
Each DNS can contain a series of different types of records as well as multiple records for one or more record types. Exhibit 38 lists some of the more popular types of DNS records. In examining the record types listed in Exhibit 38, note that a domain can have multiple name servers or multiple mail exchange servers. Also note that while the A record provides the information necessary for an address resolution process, the PTR record type supports reverse lookups. Exhibit 39 illustrates an example of a UNIX zone file named smart.edu.zone for the domain smart.edu. We assume that the Class C address 198.78.46.0 was assigned to the domain smart.edu. We further assume that the server named dns.smart.edu is the name server, and mail.smart.edu is the name of the mail server. In examining the entries in Exhibit 39, note that the string IN is used to indicate an Internet address and dates from a period when different types of addresses could be placed in a DNS database. Also note that names and host addresses end with a trailing dot (.) or period to indicate that they are an absolute name or address rather than a relative address.

Exhibit 39. The File smart.edu.zone

    ;Start of Authority (SOA) record
    smart.edu.        IN  SOA  dns.smart.edu. owner.smart.edu. (
                               19960105   ;serial # (date format)
                               10800      ;refresh (3 hours)
                               3600       ;retry (1 hour)
                               604800     ;expire (1 week)
                               86400 )    ;TTL (1 day)
    ;Name Server (NS) record
    smart.edu.        IN  NS   dns.smart.edu.
    ;Mail Exchange (MX) record
    smart.edu.        IN  MX   20 mail.smart.edu.
    ;Address (A) records
    router.smart.edu. IN  A    198.78.46.1
    dns.smart.edu.    IN  A    198.78.46.2
    mail.smart.edu.   IN  A    198.78.46.3
    gil.smart.edu.    IN  A    198.78.46.30
    ;Alias in Canonical Name (CNAME) record
    www.smart.edu.    IN  CNAME gil.smart.edu.

The first record normally placed in a zone file for a domain server is the Start of Authority (SOA) record. This record governs the manner by which a domain name server and secondary servers, if any, operate, and the ability to read the contents of this record can provide information about the manner by which another domain operates. We can examine the contents of a domain name server database through the use of the NSLOOKUP application program. The serial number in the SOA record identifies the version of the DNS database. Secondary servers use this value as a metric for updating, because the number increments whenever the database changes. The refresh value informs the secondary server how often to check the primary for updated information. If the secondary server cannot connect to the primary, it uses the retry value as the time period to wait before retrying. The expire value tells the secondary server when to stop answering queries for the domain if it still cannot contact the primary. This value assumes that no answer is better than a bad answer and is set to a week (604,800 seconds) in Exhibit 39.
Checking Records
If we further examine the entries in Exhibit 39, we will note that the router in the 198.78.46.0 network has the host address .1, while the DNS has the host address .2, and the mail server has the address .3. We also note that the host gil.smart.edu has the alias www.smart.edu and that the entry of either host name returns the IP address 198.78.46.30. Thus, by checking the records in a name server, it becomes possible not only to obtain the IP address for a particular fully qualified domain name, but also to discover the alias or aliases assigned to one or more hosts in a domain. Now that we have an appreciation for the role and operation of the domain name system and the servers used in the DNS, let us turn our attention to the use of a series of built-in diagnostic tools provided as application programs in most versions of TCP/IP.
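As an added illustration (not the book's code) of how the records in Exhibit 39 are read and what checking them discloses, the Python below parses the zone file, follows the www.smart.edu alias to its address, lists the aliases of a host, and interprets the SOA refresh, retry and expire timers. The zone text is constructed from Exhibit 39 and the function names are my own.

```python
"""Parse the smart.edu.zone file of Exhibit 39 and ask it the questions the
text raises: the SOA timers a secondary obeys, the address a name resolves
to, and the aliases a name-server check reveals.  Added example, not the
book's code; the zone text below is constructed from Exhibit 39."""
from collections import defaultdict

SMART_EDU_ZONE = """\
;Start of Authority (SOA) record
smart.edu.        IN  SOA  dns.smart.edu. owner.smart.edu. (
                           19960105   ;serial # (date format)
                           10800      ;refresh (3 hours)
                           3600       ;retry (1 hour)
                           604800     ;expire (1 week)
                           86400 )    ;TTL (1 day)
;Name Server (NS) record
smart.edu.        IN  NS   dns.smart.edu.
;Mail Exchange (MX) record
smart.edu.        IN  MX   20 mail.smart.edu.
;Address (A) records
router.smart.edu. IN  A    198.78.46.1
dns.smart.edu.    IN  A    198.78.46.2
mail.smart.edu.   IN  A    198.78.46.3
gil.smart.edu.    IN  A    198.78.46.30
;Alias in Canonical Name (CNAME) record
www.smart.edu.    IN  CNAME gil.smart.edu.
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum_ttl")


def _records(text):
    """Yield one record per logical line as a token list: ';' comments
    stripped and a parenthesised continuation (the SOA) joined together."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []


def absolute(name, origin):
    """A name without the trailing dot is relative to the zone origin, so a
    forgotten dot turns www.smart.edu into www.smart.edu.smart.edu."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin="smart.edu."):
    """Return {(owner, type): [rdata, ...]} with every name made absolute."""
    zone = defaultdict(list)
    for owner, klass, rtype, *rdata in _records(text):
        if klass != "IN":
            raise ValueError("only Internet-class (IN) records are expected")
        owner = absolute(owner, origin)
        if rtype == "SOA":
            mname, rname, *timers = rdata
            data = {"mname": absolute(mname, origin), "rname": absolute(rname, origin)}
            data.update(zip(SOA_FIELDS, map(int, timers)))
        elif rtype == "MX":
            data = (int(rdata[0]), absolute(rdata[1], origin))
        elif rtype in ("NS", "CNAME", "PTR"):
            data = absolute(rdata[0], origin)
        else:                                  # A: the dotted-decimal address
            data = " ".join(rdata)
        zone[(owner, rtype)].append(data)
    return dict(zone)


def resolve_a(zone, name, max_chain=8):
    """Follow CNAME aliases (bounded, so a CNAME loop cannot hang us) and
    return the A records of the final name, or [] if nothing matches."""
    for _ in range(max_chain):
        if (name, "A") in zone:
            return zone[(name, "A")]
        if (name, "CNAME") not in zone:
            break
        name = zone[(name, "CNAME")][0]
    return []


def aliases_of(zone, target):
    """Every CNAME owner pointing at target: what checking the records of a
    name server discloses about a host."""
    return sorted(o for (o, t), v in zone.items() if t == "CNAME" and v[0] == target)


def secondary_status(soa, seconds_since_contact):
    """What the SOA timers mean to a secondary: poll the primary every
    refresh seconds, wait retry seconds after a failed poll, and once expire
    seconds pass without contact stop answering for the zone."""
    if seconds_since_contact >= soa["expire"]:
        return "expired"
    if seconds_since_contact >= soa["refresh"]:
        return "stale, retrying every %d s" % soa["retry"]
    return "current"
```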
Diagnostic Tools
Most operating systems with a TCP/IP protocol stack include several application programs that can be used to obtain information about the state of the network or a particular host. Examples of such applications include Ping, traceroute, NSLOOKUP, and finger. This section covers each of these applications.
Ping
Based on contradictory tales, the name Ping was given to an application because it either resembled the use of radar or functioned as an acronym for the full name, Packet Internetwork Groper. Regardless of whether the function of electronic equipment or the development of an acronym accounted for its name, Ping is one of the most widely used tools, if not the most widely used tool, bundled as an application in TCP/IP software.
Operation
Through the use of the Ping application program, a series of Internet Control Message Protocol (ICMP) Echo type messages are transmitted to a distant host. If the host is both reachable and active, it will respond to each ICMP Echo message with an ICMP Echo Response message. Not only does the use of Ping then tell you that the distant host is both reachable and active, the application also notes the time the echo left the computer and the time the reply was received to compute the round-trip delay time. Because timing can be very critical for such applications as Voice-over-IP and interactive query/response, the use of Ping may inform you ahead of time whether or not an application is suitable for use on the Internet or a corporate intranet.
Implementation
No standard governs the manner by which Ping is implemented. Different vendor versions, such as UNIX and Windows NT, may slightly differ from one another. One common form of the Ping command to invoke this application is shown below:
ping [-q | -v] [-r] [-c count] [-i wait] [-s size] host

where

-q         selects quiet mode, which results only in the display of summary information at start-up and completion
-v         selects verbose output mode, which results in the display of ICMP packets received in addition to Echo Requests
-r         selects a route option that displays the route of returned datagrams
-c count   specifies the number of Echo Requests to be sent prior to concluding the test
-i wait    specifies the number of seconds to wait between transmitted datagrams containing an Echo Request
-s size    specifies the number of data bytes to be transmitted
host       specifies the IP address or host name of the destination to be queried

In examining the above options, note that some older implementations of Ping run until interrupted with a CTRL-C unless a count value is specified through the use of the -c option. Also note that many versions of Ping differ with respect to the default wait time between transmitted Echo Requests. Some implementations may transmit Echo Requests 250 ms apart as a default, while other implementations may use a default of 500 ms, one second, or another time value. A third item concerning the options listed above is the packet size specification variable, -s. This variable is used to specify the number of data bytes transmitted, and the total packet size becomes the specified size plus 8, because there are eight bytes in the ICMP header. This means that the default of 56 data bytes on some implementations results in a 64-byte packet. Now let us look at its use within a TCP/IP environment. In doing so we examine the use of the Microsoft Windows version of Ping, which you can access from the command prompt in Windows.
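An added example, not the book's code, that builds the ICMP Echo Request Ping sends and checks an Echo Reply: the 8-byte ICMP header plus -s data bytes, the RFC 1071 checksum, and the round-trip time computed from a timestamp carried in the data. The identifier, sequence numbers and times below are constructed, and nothing is transmitted (sending would need a raw socket).

```python
"""Build and check ICMP Echo messages the way Ping does: an 8-byte ICMP
header (type, code, checksum, identifier, sequence) followed by the -s data
bytes, so the default of 56 data bytes gives a 64-byte ICMP packet.  Added
example, not the book's code; nothing is sent (that needs a raw socket)."""
import struct
import time

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY, ICMP_HEADER_LEN = 8, 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd byte
    zero-padded.  Run over a packet whose checksum is correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, size: int = 56, sent_at=None) -> bytes:
    """Echo Request (type 8) with `size` data bytes.  As many pings do, the
    first 8 data bytes carry the send time so the reply yields the RTT."""
    sent_at = time.time() if sent_at is None else sent_at
    payload = struct.pack("!d", sent_at) if size >= 8 else b""
    payload += bytes(i & 0xFF for i in range(size - len(payload)))   # filler
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def make_echo_reply(request: bytes) -> bytes:
    """What a reachable, active host returns: the same identifier, sequence
    and data, type changed to 0 (Echo Reply) and the checksum recomputed."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:ICMP_HEADER_LEN])
    data = request[ICMP_HEADER_LEN:]
    csum = icmp_checksum(struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq) + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + data


def parse_echo_reply(packet: bytes, expected_ident: int, received_at: float):
    """Return (seq, rtt_ms) for a valid reply to our request, else None: a
    bad checksum, the wrong type, another process's identifier, or a packet
    too short to carry our timestamp all count as no reply (a time-out)."""
    if len(packet) < ICMP_HEADER_LEN + 8 or icmp_checksum(packet) != 0:
        return None
    mtype, _, _, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    if mtype != ICMP_ECHO_REPLY or ident != expected_ident:
        return None
    (sent_at,) = struct.unpack("!d", packet[ICMP_HEADER_LEN:ICMP_HEADER_LEN + 8])
    return seq, (received_at - sent_at) * 1000.0
```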
Exhibit 40.

To illustrate the use of Ping, let us ping two locations on the Internet. The first location we will ping is the real White House Web site located at www.whitehouse.gov. The top portion of Exhibit 41 illustrates this operation. If you examine the top portion of Exhibit 41, you will note the response Request timed out displayed four times. Microsoft's implementation of Ping results in four Echo Request ICMP packets being transmitted as IP datagrams to the destination specified in the Ping command line. The reason the request timed out has nothing to do with the TTL value. Instead, the White House uses a firewall to block pings because pings are one of a number of weapons unsophisticated hackers like to use. In Chapter 8 we go into more detail concerning how we can block pings. In the lower portion of Exhibit 41, we pinged a commercial site's Web server whose address is similar to, but not the same as, the White House's. This commercial site's Web address is www.whitehouse.com. Note that Ping automatically resolves the entered host name into an IP address. Also note from the four replies that the round-trip delay varied from a low of 16 ms to a high of 32 ms. This variance is due to the fact that the path between source and destination is subject to random data flows from other users, which can delay the datagrams your host is transmitting that contain ICMP Echo Requests.

Although Ping is quite often used to determine round-trip delay, that is not its primary use. Whenever a station is configured and connected to a network, one of the first things you should do is ping the station. If you obtain a response, this indicates that the TCP/IP protocol stack is active. In a wireless environment, a common use for Ping is to check your connection between a wireless station and a wireless router or access point. To do so you would ping the IP address assigned to the wireless router or access point. If you receive a response but cannot, for example, access the Internet, you would then focus your attention on the configuration of your browser and the wireless router.
Exhibit 41. Using Ping
In a wired environment, the response to a ping will also mean that the station is properly cabled to a wired network and that its network adapter is operational. Otherwise, the protocol stack, cable, or network adapter may represent a problem. You can check out the protocol stack by pinging the address 127.0.0.1 or any address on the 127.0.0.0 network because this invokes a loopback. If you obtain a valid result, you would then run diagnostics on the network adapter card provided by the vendor and check or swap cables with a device known to work to isolate the problem. In a wireless environment, you could use a utility program provided with many network adapters that will display the signal strength and signal quality of the received signals. If you attempt to ping a host on a different network, it may not be a simple process to walk over to the destination if all you receive is a time-out message. The cause of a lack of response can range in scope from an inoperative router to an inactive destination. Fortunately, you can obtain insight concerning the route to the destination through the use of another program, called traceroute.
Traceroute
Traceroute, as its name implies, traces the route to a specified destination that you place in the application command line. Similar to Ping, several variations exist concerning the implementation of traceroute. A common form of the traceroute command on a UNIX host is shown below:

traceroute [-t count] [-q count] [-w count] [-p portnumber] host

where

-t count        specifies the maximum Time to Live (TTL) value; a default of 30 is used
-q count        specifies the number of UDP packets transmitted with each TTL setting; usually the default is 3
-w count        specifies the time in seconds to wait for an answer from a router
-p portnumber   represents an invalid port address at the destination; usually port 33434 is used
Operation
To better understand the traceroute options requires an explanation of the manner by which this application operates. Thus, prior to observing the operation of the program and discussing its options, let us focus our attention on how the program operates. Traceroute works by transmitting a sequence of UDP datagrams to an invalid port address on the destination host. Using common default settings, traceroute begins by transmitting three datagrams, each with its TTL field value set to 1. As soon as the first router in the path to the destination receives a datagram, it subtracts 1 from the value of its TTL field and compares the result to zero. Because the value equals zero, the datagram is considered to have expired, and the router returns an ICMP Time Exceeded Message (TEM) to the originator, indicating that the datagram expired. Because the originator noted the time the datagram was transmitted and the time a response was received, it is able to compute the round-trip delay to the first router. It also learns the IP address of that router, which is the source address of the datagram carrying the ICMP TEM. To locate the second router in the path to the destination, traceroute increments the TTL field value by 1. Thus, the next sequence of datagrams flows through the first router but is discarded by the second router, resulting in another sequence of TEM messages being returned to the originator. This process continues until the datagrams reach the destination or the default maximum TTL value is reached, at which point the application operating on the source terminates. If the datagrams reach the destination, then, because they are attempting to access an invalid port on the destination host, the destination returns a sequence of ICMP Destination Unreachable messages, indicating to the traceroute program that its job is finished. Now that we have an appreciation for the manner by which the program operates, let us examine its use. In doing so, we again use a version included in Microsoft's Windows operating system.
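The TTL-stepping procedure just described, as an added simulation that is not the book's program: a constructed network of routers (one that never answers, and one that can be told to stop forwarding probes, as the router in front of the White House Web site did in Exhibit 43) and a traceroute loop that sends three probes per TTL and marks unanswered probes with an asterisk. Addresses and delays are made up.

```python
"""Simulate how traceroute finds a path: UDP probes to an unused port with
TTL 1, 2, 3, ... expire at successive routers, which answer with ICMP Time
Exceeded, until the destination answers with Port Unreachable (or a router
that refuses to forward the probes answers Net Unreachable, as happened at
the White House in Exhibit 43).  Added example, not the book's program."""
from dataclasses import dataclass

TIME_EXCEEDED = "ICMP Time Exceeded"
PORT_UNREACHABLE = "ICMP Destination Unreachable (port)"
NET_UNREACHABLE = "ICMP Destination Unreachable (net)"


@dataclass
class Router:
    address: str
    delay_ms: float        # one-way delay to cross this hop (constructed)
    silent: bool = False   # drops expired datagrams without replying
    blocks: bool = False   # refuses to forward probes any further


@dataclass
class Network:
    routers: list          # in path order, nearest first
    destination: str
    dest_delay_ms: float

    def send_probe(self, ttl: int):
        """Forward one datagram: each router decrements TTL and, when it
        reaches zero, discards the datagram and replies.  Returns
        (replier, message, rtt_ms), or None when nobody answers (time-out)."""
        one_way = 0.0
        for router in self.routers:
            one_way += router.delay_ms
            ttl -= 1
            if ttl == 0:
                return None if router.silent else (router.address, TIME_EXCEEDED, 2 * one_way)
            if router.blocks:
                return router.address, NET_UNREACHABLE, 2 * one_way
        one_way += self.dest_delay_ms
        return self.destination, PORT_UNREACHABLE, 2 * one_way


def traceroute(net: Network, max_ttl: int = 30, probes: int = 3):
    """One entry per hop: (ttl, address or '*', [rtt_ms or '*', ...], note).
    Stops after a hop that returns Destination Unreachable, or at max_ttl."""
    trace = []
    for ttl in range(1, max_ttl + 1):
        address, rtts, note = "*", [], ""
        for _ in range(probes):
            reply = net.send_probe(ttl)
            if reply is None:
                rtts.append("*")          # the time-out shown as an asterisk
                continue
            address, message, rtt = reply
            rtts.append(round(rtt, 1))
            if message != TIME_EXCEEDED:
                note = message
        trace.append((ttl, address, rtts, note))
        if note:
            break
    return trace


def constructed_network(block_last=False):
    """Three routers (the middle one never replies) and a destination."""
    return Network(
        routers=[Router("205.131.175.2", 4.0),
                 Router("10.1.1.1", 10.0, silent=True),
                 Router("10.2.2.1", 3.0, blocks=block_last)],
        destination="10.9.9.9", dest_delay_ms=5.0)
```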
Exhibit 42. Microsoft's Tracert
the most commonly used option is the -h option, the use of which allows you to change the TTL default of a maximum of 30 hops normally used by the program.
Tracing a Route
To illustrate how tracert can supplement the use of Ping, let us use the former to trace the route from the author's network to the real White House. If you remember our attempt at pinging the White House, our efforts were not successful because each ping returned a time-out message. Exhibit 43 illustrates the use of Microsoft's version of traceroute to trace the route to the White House Web server. Note that when the program is first executed, it performs an address resolution and displays the IP address of the destination. Also note that the program displays the fact that it is tracing the route to the destination using a maximum of 30 hops, which represents the default value of the application. From Exhibit 43 you will note that there were eight routers in the path to the White House, after which we could not access the White House network. The eighth router was located in Herndon, Virginia, and, according to information the router returned, is operated by PSI.net, an Internet service provider. We could not trace the full route into the White House network because the router at the White House Web site was programmed to block both pings and traceroutes; this resulted in the generation of a destination net unreachable message. In examining the entries in Exhibit 43, you will note that the Microsoft implementation transmits a sequence of three datagrams with the same TTL field value for each hop. Let us focus our attention on the round-trip delay and router for each hop. The first path, which is from my workstation to the router located at IP address 205.131.175.2, required less than 10 ms for each of three datagrams to reach the router and for the computer issuing the tracert to receive a response. The second path was to the router operated by bbnplanet in Atlanta and resulted in a round-trip delay of 31 ms from my computer to that router. If you focus on the router information returned, you will note that some routers provide a description of their location and operator and other identifiers, while other routers simply provide their IP address. While all routers in this example returned some information, occasionally a router will not respond to a TTL-expired condition and will simply throw away the datagram. When this situation occurs, the traceroute program's attempt times out, and the information for that router hop is denoted as unavailable with an asterisk (*).

Exhibit 43.
Applications
As indicated by our use of traceroute, this utility program traces the route to a destination. In doing so, it displays the round-trip delay to each router hop, enabling you to determine if one or more routers are causing an excessive amount of delay on the path to a destination. Many times, traceroute can be a valuable tool in determining where network bottlenecks reside. In addition, you can use this tool as a mechanism to identify, to a degree, where along the path a failure of a communications circuit or hardware occurred if a destination should become unreachable. We say to a degree because if either a circuit becomes inoperative or a router fails, traceroute is not able to distinguish between the two situations. Because traceroute can be used to isolate the general location of a problem, it is a valuable tool you should consider using either by itself or as a supplement to Ping.
Exhibit 44.
NSLOOKUP
A third built-in application program that can be used to provide valuable information is NSLOOKUP. Unlike Ping and traceroute, which are implemented in essentially all versions of TCP/IP software, NSLOOKUP is available in most, but not all, operating systems that support TCP/IP.
Operation
NSLOOKUP is a name server lookup program. You can use this program to examine entries in the DNS database of a particular host or domain. NSLOOKUP can be implemented in several ways, with the most common being an interactive query mode. In the interactive query mode you simply type the command nslookup. The other method nslookup supports is a single-query mode. The general format of the latter is as follows:
nslookup [IP-address | host-name]
If you enter the program name by itself, you will be placed in its interactive mode. In the interactive mode the program uses the greater-than sign (>) as a prompt for input. Exhibit 44 illustrates an example of the use of NSLOOKUP. In this example, after you enter the command nslookup, the program responds with the name and address of the default name server. This is the name server whose address is configured in the TCP/IP protocol stack operating on the workstation you are using to run the program. That name server, which is serv1.opm.gov in this example, will be used to resolve each request. In the example shown in Exhibit 44, we next entered the Web server host address for Yale University. Note that NSLOOKUP not only resolved the IP address of www.yale.edu, but also provided us with the true name of the Web server, because the response indicated that www.yale.edu is an alias. If you turn your attention to the lower portion of Exhibit 44, you will note the prompt in the form of a greater-than sign (>). Because we used the interactive query mode of NSLOOKUP, this prompt indicates that it is waiting for an NSLOOKUP command. Let us give the program a few.

Because NSLOOKUP queries a name server, you can use the program to retrieve information about different types of name server records. To do so, you must use the set type = command followed by the record type, and then inform your local DNS server of the distant DNS to be queried. Exhibit 45 provides a list of the NSLOOKUP set querytype record types you can enter to display a particular type of domain name server record. For example, entering set q = UID would specify a query based on user ID.

Exhibit 45. NSLOOKUP Set Querytype Values

NSLOOKUP: set q[uerytype]
Changes the type of information query. More information about types can be found in Request For Comment (RFC) 1035. (The set type command is a synonym for set querytype.)
set q[uerytype] = value    Default = A

Parameter Value   Description
A                 Computer's IP address
ANY               All types of data
CNAME             Canonical name for an alias
GID               Group identifier of a group name
HINFO             Computer's CPU and operating system type
MB                Mailbox domain name
MG                Mail group member
MINFO             Mailbox or mail list information
MR                Mail rename domain name
MX                Mail exchanger
NS                DNS name server for the named zone
PTR               Computer name if the query is an IP address; otherwise the pointer to other information
SOA               DNS domain's start-of-authority record
TXT               Text information
UID               User ID
UINFO             User information
WKS               Well-known service description

Exhibit 46 represents a continuation of our querying of the Yale University DNS. In this example, we set the record type to MX and then entered the domain yale.edu. This resulted in our local DNS springing into action and returning a sequence of information about the mail servers used at Yale. If you examine the entries in Exhibit 46, you will note that the response to the query resulted in a listing of both mail exchanger and name server host names and IP addresses for that university, thus providing significant information about its network resources.

Exhibit 46. Using NSLOOKUP to Retrieve MX Records from the Yale University Name Server
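What NSLOOKUP does on the wire after set q=MX, as an added example that is not the book's program: the RFC 1035 query carrying the numeric QTYPE for the record type chosen from Exhibit 45, and a decoder for the answer section that follows name-compression pointers. The MX response below is constructed here, not captured from Yale's name servers.

```python
"""The wire message NSLOOKUP sends after `set q=MX` and the answers it
decodes: an RFC 1035 query carrying the numeric QTYPE for the record type,
and a parser for the answer section that follows name-compression pointers.
Added example, not the book's program; the response below is constructed,
not captured from Yale's name servers."""
import struct

# RFC 1035 QTYPE codes for the Exhibit 45 names (UINFO/UID/GID are obsolete
# types outside RFC 1035 and are omitted).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MB": 7, "MG": 8, "MR": 9,
         "WKS": 11, "PTR": 12, "HINFO": 13, "MINFO": 14, "MX": 15,
         "TXT": 16, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """'yale.edu' -> 04 'yale' 03 'edu' 00: length-prefixed labels, root last."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (id, flags with RD=1 for a recursive query, QDCOUNT=1)
    followed by the question: QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following 0xC0 compression pointers; return
    (dotted name, offset just past the name as it appears in the message)."""
    labels, end = [], None
    for _ in range(128):                       # bound the pointer chase
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    raise ValueError("compression pointer loop")


def parse_answers(msg: bytes):
    """[(owner, type name, ttl, rdata)] for the answer section.  MX gives
    (preference, exchange); NS/CNAME/PTR give a name; A a dotted address."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:                            # RCODE 3 = NXDOMAIN, 5 = REFUSED
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):                   # skip the echoed question(s)
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _klass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE["MX"]:
            rdata = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0])
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"], QTYPE["PTR"]):
            rdata = decode_name(msg, off)[0]
        elif rtype == QTYPE["A"]:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((owner, TYPE_NAME.get(rtype, rtype), ttl, rdata))
        off += rdlen
    return answers


def constructed_mx_response() -> bytes:
    """A made-up reply to build_query('yale.edu', 'MX'): two MX records whose
    owner and exchange names point back (0xC00C) at the question name."""
    msg = bytearray(build_query("yale.edu", "MX"))
    msg[2:4] = struct.pack("!H", 0x8180)       # QR=1, RD=1, RA=1, RCODE=0
    msg[6:8] = struct.pack("!H", 2)            # ANCOUNT = 2
    for pref, host in ((10, b"\x04mail"), (20, b"\x05relay")):
        rdata = struct.pack("!H", pref) + host + b"\xc0\x0c"     # host.yale.edu.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["MX"], 1, 3600, len(rdata)) + rdata
    return bytes(msg)
```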
Finger
Finger is a program that enables a user to obtain information about (1) who is logged onto a distant computer or (2) a specific user. The use of this command resulted in a new verb, fingering, which is not a rude gesture but a query on the Internet.

Exhibit 47. Reading the Start of Authority (SOA) Records at Yale University through NSLOOKUP

Exhibit 48.
Format
The general format of the finger command on a UNIX system is shown below:
finger [username]@{host.name | IP.address}

Exhibit 49.

Exhibit 48 illustrates the finger command options under the Microsoft Windows operating system. Note that the -l option results in a long display that can provide detailed information about a user or host computer.
Security Considerations
Similar to other network utility programs under the Microsoft operating system, finger runs in the Command Prompt dialog box as a DOS application. Because the use of finger can provide detailed information about a user or host, it is normally blocked by programming a router to bar datagrams that contain the destination port that identifies a finger application. An example of finger blocking is shown in Exhibit 49. In this illustration I attempted to finger several domains. First, I fingered ford.com without success. Next, I tried a U.S. Government agency. This was followed by an attempt to finger Yale University and, finally, the Federal Bureau of Investigation. Each of these finger attempts was unsuccessful, as those organizations block fingering as a security measure.
Applications
As indicated in Exhibit 49, many organizations block fingering as a security measure. Thus, a logical question is, why discuss its use? The reason is that many organizations will operate fingering internally but block its flow into the network. Then, persons within an organization obtain the ability to query a host or user to determine who is working on the host, his telephone number, the application he is using, and other information that may be of assistance when attempting to solve a problem.

As indicated in this section, the TCP/IP protocol suite contains several built-in application programs that can be used to determine information about hosts, the paths between networks, and users on a host. By carefully considering the use of different application programs, you can obtain valuable tools to assist you in ensuring that, if problems occur, you can focus your attention on the potential location and perhaps even the cause of the problem.
Chapter 6
Security
Unlike a wired LAN that provides some physical control over access to the infrastructure, its wireless cousin transmits radio frequency signals that are subject to interception. This means that a wireless LAN could have its transmission read by an uninvited third party. Because wireless LANs use the airwaves, this also means they are subject to jamming and other types of interference rarely encountered in a wired environment. Security is therefore a key area of concern for wireless LAN operations and is the focus of this chapter. In this chapter we first look at the risks associated with the use of wireless LANs. Next we examine the manner by which security was originally incorporated into wireless LANs. That security mechanism is referred to as Wired Equivalent Privacy (WEP). As we discuss how WEP operates, we also note its limitations and the methods used to add additional security to wireless transmission in the form of the IEEE 802.1x standard as well as proprietary vendor techniques. In addition, because many wireless LANs are connected to the Internet via an access point with a built-in routing capability, we also describe and discuss some of the functions and features of this category of wireless equipment. Specifically, we note how a wireless access point/router protects wireless stations from persons on the Internet who may not have the best intentions concerning many types of computer-related actions.
Security Risks
As we just noted, the use of the air opens wireless transmission to interception and jamming. We can obtain an appreciation for the details of those and other security risks by reviewing the basic architecture associated with wireless LANs.
Exhibit 1. (figure: wireless LAN architecture showing the Internet, a router, an intranet hub, an access point, and two wireless stations)
Architecture
Exhibit 1 illustrates a wireless LAN infrastructure in which an access point supports communications from a group of stations onto a corporate intranet that is, in turn, connected to the Internet. Stations that want to join the wireless network and gain access to the intranet or Internet must first be configured correctly. While a majority of the wireless LAN security effort is focused on securing transmission between client stations and access points, it is important to note that security is a literal two-way street: when a wireless LAN provides a connection to another network, such as an intranet or the Internet, you also need to consider protecting stations from attack via other types of networks. While you may not consider an intranet user as a potential threat, if the wireless client employs file sharing, either on purpose or in error, he opens his computer to attack. Similarly, if a connection to the Internet is provided to wireless clients, it becomes possible for the clients to be attacked via the Internet. Thus, the architecture of the network can represent a security risk.
Exhibit 2. (table of popular default SSID settings, listed by vendor)

Exhibit 3.

popular default SSID value settings, which should explain why it would not be too difficult for a person sitting in a van in an organization's parking lot to pull out her trusty notebook computer with a wireless network adapter card and, within a few minutes, be able to correctly guess an appropriate SSID. Exhibit 3 illustrates the use of a wireless LAN configuration utility program bundled with a Netgear 802.11b wireless LAN PC Card network adapter to set the SSID to a value of any. By default, the security method wireless LANs support, known as WEP, is disabled; and when in an unsecured mode of operation, stations can connect to an access point using the SSID of the access point, a blank SSID, or an SSID configured to any.
Regardless of the setting of WEP, SSIDs flow over the air as cleartext and can be easily captured. Even when WEP is enabled, the use of a default SSID can be considered as an invitation to do harm. Thus, you should consider changing the default SSID value when you set up your access point. Because WEP is disabled by default, and SSIDs are transmitted in the clear, a wireless network is thus open to several types of attacks. Those attacks can be classified into two main categories: insertion attacks and monitoring attacks.
Insertion Attacks
An insertion attack results from an unauthorized station becoming a participant on a wireless network. Accomplishing this is fairly easy because the SSID can be easily guessed or observed via a monitoring attack. In an attempt to prevent insertion attacks, some access points were designed to enable an authorization password to be configured. While this action makes it more difficult for a third party to gain access to the wireless network, it can also be easily overcome through monitoring. Later in this chapter we describe the use of the IEEE 802.1x standard, which adds a significant degree of access control to both wired and wireless LANs.
Monitoring Attacks
Because wireless LANs communicate using radio frequency, it is possible for a third party to be located anywhere a sufficient level of signal strength is present to monitor in-building communications. In fact, several highly publicized stories in The New York Times and The Wall Street Journal during 2001 described how two men in a van were able to drive from one parking lot to another in Silicon Valley, take out a notebook that was operating a wireless packet-monitoring program, and use a directional antenna to pick up wireless communications occurring in buildings whose RF energy leaked out into parking lots.

To provide readers with an indication of the ease with which a third party can monitor a wireless LAN, I used a readily available program to capture traffic. Exhibits 4 through 6 illustrate the use of the AiroPeek wireless LAN monitoring program developed by WildPackets, Inc., formerly known as The AG Group and well known for its EtherPeek program, which monitors and analyzes traffic flowing on a wired Ethernet LAN. Exhibit 4 illustrates the over-the-air packet-capturing process at the point when 1018 packets had been captured. In examining the main portion of the screen display shown in Exhibit 4, note that of the 14 packets displayed in the upper window, 13 represent broadcast packets. This high ratio of broadcast-to-data packets occurred because I had set up one access point connected to a wired network and was using two notebook computers equipped with wireless LAN adapter cards. One notebook was used for surfing the Web to generate traffic, while the second notebook was running AiroPeek to illustrate the ease with which wireless traffic can be monitored.
Exhibit 4.
To illustrate the potential danger associated with wireless RF monitoring, I used my notebook to access the Salomon Smith Barney Web site. The packet conveying an initial access request to that site is packet 12. The source IP address of 192.168.123.143 represents an RFC 1918 Class C address dynamically assigned to my notebook by the access point, which was an SMC Networks Barricade broadband router. The Barricade combines a router and access point into a common housing. The destination address of 199.67.185.9 represents the Salomon Smith Barney home page. Thus, prior to any decoding, we are able to determine that a wireless station is accessing a financial Web site. Also note in Exhibit 4 that the program displays the basic service set ID (BSSID). Although I set the SSID of my network adapter to any, that value is replaced by the BSSID of the access point, which explains why it is shown for packet 12 as the same value as for each of the broadcast packets.

In addition to providing the ability to capture wireless transmission, AiroPeek includes a comprehensive packet decode capability. To decode a packet you only need to double-click on a previously captured entry. Exhibit 5 illustrates the initial portion of the decoding of packet 22, which was selected by scrolling down the packets summarized in Exhibit 4. In examining the top portion of Exhibit 5, you will see that AiroPeek first displays general information about the decoded packet, such as its data rate, the channel used, the packet length, and the signal level. Directly under the display of the signal level, the program begins its decode with the display of the values of the fields within the 802.11 MAC Header. Note that we are observing a data packet as opposed to a control or management packet. The distribution system is sending this packet, which we know because the FromDS field bit is set. By scrolling down the upper portion of the screen we can view additional information concerning the packet decode, so let's do so.
Continuing our observation of the packet decode, Exhibit 6 illustrates the remainder of the MAC header and the initial decode of the following IP header. If you look at the highlight bar located in the packet decode window, you will note it is located on the WEP field in the 802.11 Control field, indicating that WEP is disabled, which is its default setting. Thus, with a readily available commercial packet decoder, it becomes possible to monitor, store, and at our leisure decode traffic to include the data transported by packets when WEP is disabled. Many organizations accept default settings, which is why it was relatively easy for the previously mentioned persons to move their van from one parking lot to another in Silicon Valley and read wireless traffic without having to even try to break the WEP encryption scheme. We further discuss this topic later in this chapter.
Masquerade
The previously illustrated packet decode indicates that if you can capture the first part of a connection session, it becomes possible to detect the user name and password of wireless users accessing servers and other network devices. Once this occurs, a third party then obtains the ability to masquerade as a legitimate user by using the captured user's ID and password.
Security
Exhibit 5.
Building the Wireless Office
Exhibit 6. Additional Information about a Captured Packet in the AiroPeek Packet Decode Window
Exhibit 7. (Figure: an access point connected to a hub, with two wired stations and two wireless stations.)
Broadcast Monitoring
Another type of monitoring involves the broadcast of frames from a wired infrastructure onto the wireless infrastructure. This transmission occurs not only when data is destined to a wireless station, but also during the station discovery process, because an access point represents a two-port bridge that operates following the 3 Fs rule. That is, an access point constructs and uses its port-address table via the process of flooding, filtering, and forwarding frames. To illustrate how broadcast monitoring can result in the content of frames destined to other wired stations being broadcast over the air, consider Exhibit 7, which illustrates a simple network infrastructure of an access point connected to a hub. Two stations are connected to the hub with their MAC addresses indicated as A and B for simplicity, while two wireless stations are shown (for ease of illustration) with MAC addresses C and D. When the access point is powered on, its port-address table is empty. Thus, if station A transmits to station B, the frame also flows to the access point. Because the access point does not know where the destination B address resides, it performs a flooding operation, transmitting the frame onto all other ports than the port on which the frame was received. Thus, the frame is broadcast over the air. Because station A transmitted data to station B, the access point notes that address A is on the wired infrastructure. Thus, the initial entry in the access point's port-address table becomes:
Port    Address
1       A
Now let's assume station B responds to station A. As the frame from station B flows to the access point, the access point checks the contents of its port-address table and notes that station A resides on port 1, from where the frame originated. Thus, there is no need to forward the frame and so the access point filters or discards the frame. However, the access point notes that the source address of the frame is B and, because it does not have an entry for station B in its port-address table, it proceeds to update the contents of that table. Thus, the contents of the access point port-address table now become:
Port    Address
1       B
1       A
To conclude our examination of the security risk associated with the address learning process, let's assume that station C transmits to station D. Because station C is a wireless device, its transmission can be read as it flows to the access point. And because the access point has not learned where station D resides at this particular point in time, it floods the frame. However, because in an infrastructure mode of operation all communications between wireless devices flow through an access point, the frame is transmitted onto the wired infrastructure as well as over the air. Thus, it becomes possible for a wired network user with a sniffer to capture some frames that are directed to other wireless stations due to the manner in which wireless access points operate. After the access point floods the frame, it updates its port-address table as shown below:
Port    Address
1       B
1       A
2       C
When station D responds to C, the access point consults its port-address table and notes that the destination resides on the wireless LAN. Thus, the access point forwards the frame back onto the air and updates its port-address table because it recognized that station D is on the wireless LAN. The contents of the port-address table are now updated as shown below:
Port    Address
1       B
1       A
2       C
2       D
While the risk of frames that should stay on one infrastructure flowing onto the other during the learning process is small, periodically the access point updates its tables and old entries are discarded. This means it is possible throughout the day for frames to flow onto an infrastructure where they do not belong. Because by default WEP is disabled, this results in another vulnerability you need to consider.
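The flood, filter and forward sequence walked through above for Exhibit 7, as an added example in C that is not from the book: the access point modelled as a two-port learning bridge, replaying the four frames (A to B, B to A, C to D, D to C) and reporting on which side each one is emitted and whether it left the side it belonged on. The function names, the emit masks and the relay rule for wireless-to-wireless traffic are this example's own assumptions, drawn from the description above.

```c
#include <stdio.h>

/* The access point as a two-port bridge: port 1 is the wired side, port 2 is the air. */
#define PORT_WIRED    1
#define PORT_WIRELESS 2
#define MAX_ENTRIES   16

/* Emit masks returned by ap_process_frame: on which side(s) the frame is transmitted. */
#define EMIT_NONE     0
#define EMIT_WIRED    1
#define EMIT_WIRELESS 2

struct pat_entry { char addr; int port; };

struct access_point {
    struct pat_entry table[MAX_ENTRIES];   /* the port-address table */
    int count;
};

void ap_init(struct access_point *ap) { ap->count = 0; }

/* Port an address was learned on, or 0 when the address is not in the table. */
int ap_lookup(const struct access_point *ap, char addr)
{
    for (int n = 0; n < ap->count; n++)
        if (ap->table[n].addr == addr) return ap->table[n].port;
    return 0;
}

/* Learn the source address of a frame received on a port (the table update in the text). */
static void ap_learn(struct access_point *ap, char addr, int port)
{
    if (ap_lookup(ap, addr) != 0 || ap->count >= MAX_ENTRIES) return;
    ap->table[ap->count].addr = addr;
    ap->table[ap->count].port = port;
    ap->count++;
}

/* Periodic aging, modelled as a flush: every address is unknown again afterwards,
 * so the next frame to each destination is flooded once more. */
void ap_age_out(struct access_point *ap) { ap->count = 0; }

/* Process one frame arriving on in_port and return the emit mask: flood, filter or
 * forward as described above, plus the infrastructure-mode rule (assumed here) that a
 * frame from a wireless station to a wireless station is always relayed over the air. */
int ap_process_frame(struct access_point *ap, char src, char dst, int in_port)
{
    int mask;
    ap_learn(ap, src, in_port);
    int out = ap_lookup(ap, dst);
    if (out == 0)
        mask = (in_port == PORT_WIRED) ? EMIT_WIRELESS : EMIT_WIRED;  /* flood */
    else if (out == in_port)
        mask = EMIT_NONE;                                              /* filter */
    else
        mask = (out == PORT_WIRED) ? EMIT_WIRED : EMIT_WIRELESS;       /* forward */
    if (in_port == PORT_WIRELESS && out != PORT_WIRED)
        mask |= EMIT_WIRELESS;                 /* wireless-to-wireless relay by the AP */
    return mask;
}

/* 1 when a frame between two stations on one side was also emitted on the other side:
 * wired-to-wired traffic sent over the air, or wireless-to-wireless traffic put on the wire. */
int ap_frame_leaked(int src_port, int dst_port, int mask)
{
    if (src_port == PORT_WIRED && dst_port == PORT_WIRED)
        return (mask & EMIT_WIRELESS) != 0;
    if (src_port == PORT_WIRELESS && dst_port == PORT_WIRELESS)
        return (mask & EMIT_WIRED) != 0;
    return 0;
}

int main(void)
{
    /* The four frames from the text: A and B are wired, C and D are wireless, so in
     * every frame the source and destination sit on the same side. */
    struct { char src, dst; int port; } frames[] = {
        {'A', 'B', PORT_WIRED}, {'B', 'A', PORT_WIRED},
        {'C', 'D', PORT_WIRELESS}, {'D', 'C', PORT_WIRELESS},
    };
    struct access_point ap;
    ap_init(&ap);
    for (int n = 0; n < 4; n++) {
        int mask = ap_process_frame(&ap, frames[n].src, frames[n].dst, frames[n].port);
        printf("%c -> %c: wired=%d air=%d leaked=%d (table has %d entries)\n",
               frames[n].src, frames[n].dst, (mask & EMIT_WIRED) != 0,
               (mask & EMIT_WIRELESS) != 0,
               ap_frame_leaked(frames[n].port, frames[n].port, mask), ap.count);
    }
    return 0;
}
```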
Denial-of-Service Attacks
Several types of denial-of-service (DoS) attacks can be performed against a wireless LAN infrastructure. First, because the frequencies wireless LANs use are well known, a short trip to Radio Shack or another electronics store can provide a person with equipment that can disrupt 2.4-GHz operations. Second, by observing the SSID, a person could write a script and generate a sufficient level of traffic that could overload the processing capability of an access point. A third denial-of-service method works only when the RTS/CTS option is enabled. In this operating environment, a station could be programmed to continuously transmit RTS packets, which in effect continuously solicit CTS responses and jam the airway. Thus, it is not difficult to deny service to wireless stations by overloading over-the-air transmission.
Exhibit 8. Other Potential Wireless LAN Attack Methods
Exploiting file sharing
Common SNMP community names
Accessing the management console
Encryption attacks
Theft of hardware
Encryption Attacks
As noted earlier in this chapter, the IEEE 802.11 standard uses an encryption system referred to as Wired Equivalent Privacy (WEP). WEP has several known weaknesses, in addition to the fact that by default it is disabled. We examine WEP in detail to discuss several flaws in the algorithm and what those flaws mean to the wireless LAN user.
Theft of Hardware
A few years ago, one of the more common airport threats was not terrorists, but crooks who would work in pairs at the airport scanner. One person would go through the scanner, while the second would get in front of a person who put his laptop or notebook computer through the baggage scanner. The second member of the team of crooks would use several delay tactics to impede the computer owner from reclaiming his device in a timely fashion. The delay was typically of sufficient duration that the partner in crime was able to grab the computer and be halfway out the airport before the owner realized what had happened. While airport problems have certainly changed, unfortunately criminals as well as basic thievery have not. If an unauthorized party obtains a laptop or notebook that has a wireless LAN adapter card that was configured for use, that party has also gained knowledge of your WEP key. Thus, the computer owner needs to inform the LAN administrator of this fact because it is nearly impossible for the latter to have psychic powers that enable her to detect the theft of equipment outside the organization.
Exhibit 9.
Exhibit 10.
Understanding WEP
The IEEE 802.11 standard includes an optional encryption scheme referred to as Wired Equivalent Privacy (WEP).
Overview
WEP represents a shared key encryption system that requires each station within a BSS to use the same key. Because only one bit in the Control field of a MAC frame is used as a mechanism to denote whether WEP is enabled or disabled, this design configuration precludes the use of multiple encryption techniques at the MAC layer. When WEP is enabled, all stations must be configured to use the same key. Under the IEEE 802.11 standard, a 40-bit encryption key is specified. That key is used with a 24-bit initialization vector (IV), which we discuss later in this section, to produce what many vendors refer to as a 64-bit key; however, in reality it is a 40-bit key. Optionally, some vendors support a 128-bit encryption key that consists of a 104-bit encryption key and a 24-bit IV.
Exhibit 11. Using a Pseudo-Random Bit Stream to Encipher and Decipher Data
(Figure: at the transmitter, plaintext data bits are modulo 2 added to the pseudo-random bit stream to produce enciphered text; at the receiver, the pseudo-random bit stream is modulo 2 subtracted from the enciphered text to produce deciphered text.)
Setup Example
Exhibit 10 illustrates the Netgear wireless LAN Configuration Utility program's Encryption tab in the foreground of the dialog box. Note that WEP is disabled by default and a user is then precluded from entering a key. Netgear wireless PC adapter cards support both 64-bit and 128-bit encryption. Once an encryption method is selected, a user can create a passphrase, such as "how now the brown cow", to configure a key or manually enter the applicable hex characters for the key. Under the 802.11 standard, up to four default keys can be configured for use by all stations to include clients and access points. Although only one key can be used at a time, the ability to have four predefined keys facilitates, for example, moving a notebook to another location.
Cipher Operation
The encryption algorithm expands the WEP key into an infinite pseudo-random bit stream. WEP uses the RC4 encryption algorithm, which is technically referred to as a stream cipher because it expands the key into an infinite pseudo-random bit stream that is used to encrypt and decrypt data. The pseudo-random bit stream is modulo 2 added to plaintext information to create encrypted data. At the receiver, the same key is used to create the same pseudo-random bit stream whose value is modulo 2 subtracted from the encrypted data stream to restore the plaintext. Exhibit 11 illustrates an example of transmitter and receiver encipher and decipher operations. In examining the entries in Exhibit 11, note that the same pseudo-random bit stream is applied to both plaintext and ciphertext. The pseudo-random bit stream is modulo 2 added to plaintext to generate ciphertext and modulo 2 subtracted from ciphertext to reconstruct the plaintext, which results in deciphered text.
Thus, the key to a secure encryption scheme is the manner by which the pseudo-random data stream is generated. Due to this, let's turn our attention to the algorithm WEP uses: RC4.
RC4
RC4 dates to 1987 when Ronald Rivest developed the algorithm. Rivest was one of three persons who formed RSA Data Security. RSA maintained RC4 as a trade secret until September 9, 1994, when the algorithm was anonymously posted on the Internet for the public to view. RC4 is a stream cipher that supports the use of a variable-length key between 1 and 257 bytes to initialize a 256-byte state table. The resulting state table generates pseudo-random bytes whose bit stream is XORed or modulo 2 added with the plaintext to generate ciphertext. Because of U.S. Government export restrictions, the RC4 key is often limited to 40 bits, although it is capable of using keys from 1 to 2048 bits in length. Because RC4 is a symmetric key algorithm, the same key is used to encrypt and decrypt data. Also, all parties to a conversation with an access point using WEP know the key being used. With this information it becomes possible to use a wireless protocol analyzer that supports the entry of the WEP key, allowing the monitor to both capture and decrypt information flowing over the wireless LAN. Another weakness of RC4 concerns its state table. This table is initialized from 1 to 256 bytes, whose contents are used for the subsequent generation of pseudo-random bytes that are XORed with plaintext to generate ciphertext. This means that it becomes possible to skip a brute-force attack and concentrate an attack against the RC4 state table. In doing so, a cryptoanalyst would attempt to identify bytes in the state table that are strongly correlated with a few bytes in the RC4 key. Such bytes in the state table are referred to as having a correlation with a weak key and provide an attack method for determining the key.
Algorithm Operation
The actual operation of the RC4 algorithm is relatively easy to describe once we define some relevant algorithm components. First, the algorithm uses two indexes. The index i represents the first known index value, while j represents a second index value, such that:
j = (i + j + k[i mod keylength]) mod 256
Thus, j is influenced by the value of i, the previous value of j, and the key value k[i mod keylength]. Two arrays are also essential for the algorithm. S[256] represents a state array of 256 bytes, each of which can be set from 0 to 255, yielding 256^256 possible states. K[0..256] represents a key array that can contain up to a 256-byte key (2048 bits).
The application of the RC4 algorithm represents a five-step process. First, the key setup requires the allocation of a 256-element array to be used as the state table. Thus, step 1 becomes:
Allocate S[0]...S[255]
As a second step we fill the S array with its index value. Thus, step 2 becomes:
S[0] = 0; S[1] = 1; ... S[255] = 255
Next we need to use the key. Thus, we fill a second array of the same size, repeating bytes as necessary:
for (i = 0; i < 256; i = i + 1) S2[i] = key[i mod keylength];
Now that the state table is initialized, we process the input text one byte at a time. To process each text byte, we generate a pseudo-random byte k to be used as follows:
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
temp = S[i];
S[i] = S[j];
S[j] = temp;
t = (S[i] + S[j]) mod 256;
k = S[t];
Thus, to encrypt a plaintext byte, you would XOR it with the value of k. Similarly, to decrypt a byte of ciphertext, you would XOR the value of k with the byte of ciphertext.
security threat also increases. Under the second scheme, each client can establish a key mapping relationship with another station. While this provides a more secure method of communications because fewer stations have an applicable key, the distribution of such keys increases in complexity as the number of stations increases. The most common method or scheme for employing WEP keys is the shared key method. Unfortunately, this method creates a security problem when used in a public portal, such as an airport business-class lounge. For example, consider the business-class traveler who unpacks her laptop, slides in her 802.11 wireless network adapter, and observes the sign "The WEP key for today is xyz" hanging in the lounge. While transmission within the business-class lounge may be protected from persons on the outside, all one has to do is purchase a business-class ticket to gain access to the lounge and the WEP key.
Authentication Methods
The IEEE 802.11 standard defines two types of authentication methods, referred to as open and shared key. The authentication method must be set on each client and needs to match that of the access point the station will use.
Open Authentication
By default, the method of authentication used under the 802.11 standard is open authentication. Under open authentication, the entire process occurs in the clear and a station can associate itself with an access point without having to provide a WEP key.
Exhibit 12. (Figure: open authentication, with the station's WEP key = ABC and the access point's WEP key = CBA, proceeds by 1. Authentication Request and 2. Authentication Response; shared key authentication shows the station and the access point both with WEP key = ABC.)
client station has a WEP key that matches the access point, the access point authenticates the client. Because it is a relatively easy process to monitor transmission occurring on a wireless LAN, it is possible for a third party to note both the unencrypted challenge and the encrypted response. By comparing the unencrypted and encrypted text strings, it is even possible to make an educated guess concerning the WEP key.
MAC Address
Due to the ease with which a shared key can become public knowledge, some vendors support authentication based on the MAC address of clients. While this requires the LAN manager to configure an access point with the clients' MAC addresses, it adds a level of access security because the AP will only authenticate clients whose MAC addresses match an address in the access point's authentication table.
Vulnerabilities
As previously noted, the 64-bit WEP key is actually a 40-bit key that is added to a 24-bit initialization vector (IV). Similarly, a 128-bit key consists of a 104-bit key and a 24-bit IV. To see the reason why WEP is vulnerable to compromise, we need to first understand how data is encrypted and the encryption algorithm.
Exhibit 13. (Figure: WEP encrypted data frame format, showing a 4-byte Initialization Vector field with a 6-bit PAD.)
The IV
Exhibit 13 illustrates the format of a WEP encrypted data frame. The first 24 bits of the frame are referred to as an initialization vector (IV), which is transmitted as cleartext. The purpose of the IV is to ensure that the same plaintext data frame will never generate the same WEP encrypted data frame. This is accomplished by adding the IV to the 40-bit key to produce a 64-bit key or by adding a 24-bit IV to a 104-bit key to produce a 128-bit key. To protect against the possible modification of a packet flowing over the air, WEP uses an Integrity Check (IC) field. The IC field is implemented as a 32-bit checksum and becomes part of the encrypted payload of the frame. Although most vendors change the value of the IV on a per-frame basis, the 802.11 standard allows vendors to use their discretion on this issue. Thus, it is possible for two wireless LAN products with 64-bit WEP enabled to fail to interoperate due to differences in the manner by which the IV changes. As we note shortly, many of the issues raised concerning the security of WEP focus on the IV. Because the IV is transmitted in plaintext, it is available for anyone with a monitor to view. In addition, its 24-bit length provides a range of 16,777,216 possible values. This means that when the same IV is used with the same key on an encrypted packet, which results in a condition referred to as an IV collision, a hacker can use captured data frames to reverse-engineer the cleartext. This vulnerability occurs not only due to the IV, but also due to the fact that the WEP key is static. A second shortcoming concerning WEP that was recently publicized concerns the RC4 algorithm. Researchers Fluhrer, Martin, and Shamir found that RC4 could generate a large class of weak IVs. Their published article highlights methods to break the key using certain patterns in the IV.
According to their article, it is possible to derive a WEP key in a range of 100,000 to 1,000,000 packets; a subsequent article published by AT&T Laboratory and Rice University indicates that by using the Fluhrer, Martin, and Shamir guidelines they were able to derive a static WEP key by capturing only approximately one million packets.
Attack Methods
During 2001, Nikita Borisov, Ian Goldberg, and David Wagner at the University of California at Berkeley performed an analysis of WEP. In their article, they noted that WEP was found to be vulnerable to four types of attacks. Those attacks include:
1. A passive attack to decrypt traffic based on statistical analysis
2. An active attack that injects new traffic from unauthorized stations based on known plaintext
3. An active attack to decrypt traffic that is based on fooling an access point
4. A dictionary construction attack that uses approximately a day's worth of monitored traffic that can be used to automatically decrypt other traffic in real-time
We can obtain an appreciation for the potential threats to WEP by discussing the use of the Integrity Check and the IV fields. The 32-bit CRC that WEP uses is linear, making it possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are used. This also means that flipping bit n in a message produces a deterministic set of bits within the CRC that must also be changed to generate a correct checksum on the altered message. The preceding provides an attacker with the ability to flip bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid although it is in error. Thus, WEP is vulnerable to having traffic altered without the recipient being able to detect it.
Using the IV
We previously noted that the 24-bit IV is transmitted in the clear. The use of a 24-bit field in effect guarantees that the same key stream will be reused after a period of time. For example, consider a busy access point that is performing a large number of file transfer operations, transmitting maximum-length 1500-byte frames at 11 Mbps. The access point would exhaust its IV space after 1500 bytes × 8 bits/byte / (11 × 10^6 bps) × 2^24, or approximately 18,000 seconds, which is about five hours of time. Because interactive queries are transported in frames with a Data field considerably less than 1500 bytes, it is possible for the IVs to repeat even quicker. In any event, because IVs repeat, a person can be patient and eventually collect two or more ciphertexts encrypted with the same key stream. Using this data, an attacker could perform a statistical analysis in an attempt to recover the plaintext. Because all stations use the same key, the end result is an additional number of collisions that facilitates the statistical analysis attack. By XORing two packets that use the same IV, an attacker will obtain the XOR of two plaintext messages. Because IP traffic carried by the 802.11 frame is very predictable (i.e., Version field set to 4, Header Length field set to 20), it becomes easy to make an educated guess about the contents of one or both messages. With the capture of more collisions it becomes possible to recover a few messages encrypted with the same key. This will permit the success rate of statistical analysis to increase in tandem with collisions of the same IV. Once an attacker becomes able to recover the plaintext for one message, the plaintext of all other messages with the same IV can be determined. This is because all the pair-wise XORs are known. Thus, the ability to monitor and record traffic can provide a database that can be used to determine the plaintext of encrypted traffic.
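The RC4 key setup and per-byte generation described under Algorithm Operation, together with the IV-collision property just discussed, as an added example in C that is not the book's code: RC4 keyed the way WEP keys it (the 24-bit IV prepended to the 40- or 104-bit shared key), a round-trip check, and a check that two frames sent under the same IV and key satisfy c1 XOR c2 = p1 XOR p2, which is why a repeated IV exposes the relationship between plaintexts. The swap pass in rc4_init is the standard RC4 key-scheduling step that the book's step list does not spell out; the key, IV and frame contents are constructed sample values, not real credentials.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC4 state: the 256-byte permutation S plus the two indexes i and j from the text. */
typedef struct {
    uint8_t S[256];
    uint8_t i, j;
} rc4_ctx;

/* Key setup. Steps 1-3 as the text gives them (allocate S, fill S[n] = n, expand the key
 * into a second array by repeating it), then the standard RC4 swap pass that scrambles S
 * with the expanded key. Keys longer than 256 bytes are not accepted by rc4_crypt. */
void rc4_init(rc4_ctx *c, const uint8_t *key, size_t keylen)
{
    uint8_t S2[256];
    for (int n = 0; n < 256; n++) {
        c->S[n] = (uint8_t)n;
        S2[n] = key[n % keylen];
    }
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->S[n] + S2[n]);      /* j = (j + S[i] + key[i mod keylength]) mod 256 */
        uint8_t t = c->S[n]; c->S[n] = c->S[j]; c->S[j] = t;
    }
    c->i = c->j = 0;
}

/* One byte k of the pseudo-random stream: the per-byte step listed in the text. */
uint8_t rc4_next(rc4_ctx *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    uint8_t t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* Stream cipher: out = in XOR keystream. The same call decrypts, because modulo 2
 * addition and subtraction are the same operation. Returns 0, or -1 on a bad key length. */
int rc4_crypt(const uint8_t *key, size_t keylen, const uint8_t *in, uint8_t *out, size_t len)
{
    if (keylen == 0 || keylen > 256) return -1;
    rc4_ctx c;
    rc4_init(&c, key, keylen);
    for (size_t n = 0; n < len; n++) out[n] = in[n] ^ rc4_next(&c);
    return 0;
}

/* WEP keying: the 24-bit IV is prepended to the 40-bit (5-byte) or 104-bit (13-byte)
 * shared key, and the 64- or 128-bit result seeds RC4 for that one frame. */
int wep_crypt(const uint8_t iv[3], const uint8_t *key, size_t keylen,
              const uint8_t *in, uint8_t *out, size_t len)
{
    if (keylen != 5 && keylen != 13) return -1;
    uint8_t seed[3 + 13];
    memcpy(seed, iv, 3);
    memcpy(seed + 3, key, keylen);
    return rc4_crypt(seed, 3 + keylen, in, out, len);
}

/* IV collision: two frames under the same IV and the same static key get the same
 * keystream, so c1 XOR c2 equals p1 XOR p2 and the keystream cancels out entirely.
 * Returns 1 when that relation holds for every byte of the two frames, 0 otherwise. */
int iv_collision_cancels_keystream(const uint8_t iv[3], const uint8_t *key, size_t keylen,
                                   const uint8_t *p1, const uint8_t *p2, size_t len)
{
    uint8_t c1[64], c2[64];
    if (len > sizeof c1) return 0;
    if (wep_crypt(iv, key, keylen, p1, c1, len) != 0) return 0;
    if (wep_crypt(iv, key, keylen, p2, c2, len) != 0) return 0;
    for (size_t n = 0; n < len; n++)
        if ((c1[n] ^ c2[n]) != (p1[n] ^ p2[n])) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values, not real WEP keys: a 40-bit key and one 24-bit IV. */
    static const uint8_t key[5] = {0x01, 0x02, 0x03, 0x04, 0x05};
    static const uint8_t iv[3] = {0xAA, 0xBB, 0xCC};
    const uint8_t *p1 = (const uint8_t *)"GET / HTTP/1.0";
    const uint8_t *p2 = (const uint8_t *)"Content-Len: 0";
    uint8_t ct[16], pt[16];
    wep_crypt(iv, key, 5, p1, ct, 14);
    wep_crypt(iv, key, 5, ct, pt, 14);           /* same key and IV: restores the plaintext */
    printf("round trip %s\n", memcmp(pt, p1, 14) == 0 ? "ok" : "FAILED");
    printf("same IV leaks p1 XOR p2: %s\n",
           iv_collision_cancels_keystream(iv, key, 5, p1, p2, 14) ? "yes" : "no");
    return 0;
}
```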
can operate with a RADIUS server to support user authentication, authorization, and accounting (AAA). While several other hardware vendors have implemented dynamic WEP keys, the fact that they commence operation with a standard shared key means that the loss of a notebook makes the network vulnerable. Thus, while this scheme minimizes the possibility of cleartext recovery from monitored encrypted data, it does not perform any authentication.
LEAP Authentication
In the year 2000, Cisco Systems introduced an authentication method that is based on the Extensible Authentication Protocol (EAP) but represents a proprietary authentication method. Under LEAP, both clients and access points mutually authenticate one another via the use of a username and password. WEP keys are used on a per-session basis to minimize the potential for a third party to monitor sufficient traffic to derive a key, and the user can define a WEP session key timeout value. The WEP timeout forces re-authentication, which results in the computation of a new WEP key for the session. The computation of a WEP key timeout value requires consideration of the fact that different applications have different latency and bandwidth requirements. For example, voice-over-IP transmits packets carrying 20 ms of voice, resulting in 50 packets generated per second for a 50 packet-per-second (pps) transfer rate. In comparison, a file transfer or a Web page display uses maximum-length 1500 bytes per frame data fields that at 10 Mbps translates into 812 packets per second. Because IVs are used in tandem with the number of packets transmitted, you also need to consider the number of active users per access point to determine the threshold to change keys prior to a third party's obtaining (via monitoring) sufficient information to derive the WEP key. Because research by AT&T and Rice University determined that a packet count of approximately 1.1 million packets is sufficient, Cisco recommends selecting a timeout value that enables, at most, 550,000 packets to be transferred prior to a key change occurring. While each LAN manager should attempt to determine the pps rate on his LAN, it is worth noting that you can use the fact that 10-Mbps Ethernet has a maximum packet rate of 14,400 pps for a minimum 72-byte packet. Although it is doubtful that all traffic on a wireless LAN would represent minimum-length packets, let's use this for a worst-case scenario. Then, at 11 Mbps, the packet rate becomes 15,840.
Because we only want 550,000 packets to flow with the use of a WEP key, prior to its change we need to set the timeout to 550,000/15,840, or 35 seconds. Several weaknesses are associated with LEAP, in addition to the fact that it represents a proprietary scheme. First, the username is transmitted in the clear, which means it can be sniffed. Although the password is protected, a weak hash algorithm is used, meaning it is subject to compromise after a bit of work. A third problem with LEAP is that it requires a proprietary RADIUS server that supports LEAP.
Exhibit 14. (Figure: access to an enterprise network, with the RADIUS exchange of Access-Request, Access-Challenge, Access-Request, and Access-Accept.)
Overview
The 802.1x standard represents a protocol framework for negotiating an authentication method to provide clients with access to wired or wireless LANs. The standard is based on the Extensible Authentication Protocol (EAP), which was defined for WAN operations in RFC 2284 and is commonly referred to as PPP (Point-to-Point Protocol) EAP. The 802.1x standard extends EAP from PPP operations to a LAN environment so that it becomes extensible to many authentication methods. The top portion of Exhibit 14 illustrates the manner by which a client gains access to a wireless LAN in an 802.1x environment. Similar to the introduction of other standards, the 802.1x standard added several new terms. First, the client is now known as the supplicant, and support for 802.1x is built into some new operating systems to include Windows XP, resulting in many publications referring to a Windows XP client as a supplicant. Second, the term authenticator is used for the facility that controls access to a LAN. In a wired environment this would be a switch port, while in a wireless environment the authenticator is an access point. To gain access to a wired or wireless LAN, the supplicant sends a request to the authenticator. The authenticator requests the identity of the supplicant. Once the identity is received, the authenticator forwards the response to the third major component of the 802.1x standard, an authentication server. The interaction among the authentication server, authenticator, and supplicant then depends on the type of authentication server used. The lower portion of Exhibit 14 shows the interaction among the three devices based on the use of a RADIUS server for authentication. Note that after the RADIUS server accepts the credentials of the supplicant, it is assumed that the access point will not only allow access but will also automatically distribute a WEP key to the supplicant. In actuality, it is left to the vendor to define authentication and encryption. Thus, one vendor could use a RADIUS server with a user ID/password combination, while another vendor could support the use of a card token authorization scheme.
Cisco Implementation
If a RADIUS server is used on the wired LAN in a Cisco equipment environment, the sequence of events governing the ability of a client station to access the network is as follows:
1. The wireless client associates itself with an access point using a common SSID.
2. The access point requests the user to identify itself, blocking the client from gaining access to the network.
3. The user on the client provides a user ID/password in a network dialog box to verify its identity to the access point; however, at this time, the client is not considered to be authenticated.
4. Using the 802.1x standard and EAP, the wireless client and a RADIUS server on the wired LAN mutually authenticate one another via the access point. The server transmits a challenge to the client. The client uses a one-way hash of the user-supplied password as a response. The RADIUS server uses its database to create its response to the client as well as compare it to the client's response. After the RADIUS server authenticates the client, the process is reversed, enabling the client to authenticate the server.
5. After the mutual authentication process is completed, the RADIUS server issues a WEP key that the client uses for its session. This key is referred to as a session key.
6. The access point encrypts its broadcast key with the session key and transmits the encrypted broadcast key to the client.
7. The client uses its session key to determine the broadcast key of the access point.
8. The client and access point use the session and broadcast WEP keys to communicate with one another.
The authenticator must be configured to correctly access the authenticator server. It needs to be configured with the IP address and port number the server uses. Other information that may be required based on the type of authenticator used can include defining the type of authenticator server and a shared secret key required for the authenticator to communicate with the authenticator server. Concerning the port setting, although most RADIUS servers operate using 1812, it should be noted that Cisco RADIUS servers operate using a port setting of 1645.
Orinoco Implementation
In an Orinoco 802.1x implementation environment, different WEP keys are used. All clients use the up key to transmit to the access point, while the access point uses a down key for communicating with all stations. All clients are forced to re-authenticate at a predefined, selectable interval. At that time, new keys are established. In addition to a re-authentication interval, Orinoco supports a separate key rollover scheme. Under this scheme, an interval can be set for which all clients get new keys for up and down paths. Orinoco implements 802.1x in its AP-2000 access point, which can work with a wired LAN RADIUS server. The AP-2000 supports both 802.1x and non-802.1x clients, with the latter operating using either no WEP key or a static key. In comparison, 802.1x clients operate using fixed up and down keys that can be rolled over. When used with a Windows XP client, the certificate built into the operating system is presented as a mechanism to commence the EAP negotiation process.
as a supplement to the filtering capability of a wireless firewall because one or more station users could inadvertently or intentionally change the configuration of their firewall and, in effect, open their computer to an attack that could then spring to other devices. In addition, the setup and maintenance of a large number of personal firewalls are much more time-consuming than configuring the packet-filtering capability of a wireless router.
Shielding
In concluding this chapter, I will literally float a trial balloon for you to consider. That trial balloon is the use of shielding to minimize RF leakage outside a building where a wireless LAN operates. As a firm believer in wireless LANs and security, I noted the obvious. That is, if a third party has extreme difficulty in obtaining a signal, that party will also have extreme difficulty in attempting to understand what is being transmitted. Recognizing this fact, I took a drive to my local food store and purchased a large roll of what some people refer to as tin foil, which is not tin but aluminum. Upon returning home, I first took my laptop computer outside and measured the link quality and signal strength of the wireless signal generated in the form of beacons from the access point installed in my home. Exhibit 15 illustrates the use of an SMC Networks utility program operating on my laptop computer when I was inside my garage, which was located behind the location where the access point was installed in my home. As I walked down my driveway, both the link quality and signal strength decreased, until both were at a zero level when a neighbor's home was reached. However, I had to cross the street, which, if I was paranoid, meant that someone could sit in a car parked on the street and monitor my communications. Thus, I decided to determine if a little shielding would mute the RF being leaked from my home. Using the roll of aluminum foil, I lined the wall of my garage for a cost of approximately $6.32, including sales tax. Next, I once again used my laptop computer running the same utility program to determine the result of my shielding effort. The former signal that was observable in my garage had disappeared. In fact, both the signal strength and link quality indicators remained at a zero level as I moved around the outside of the garage side of my home.
While it is probably impractical to shield the side of an office building facing a parking lot because you would also have to cover every window to be effective, this shielding exercise demonstrated its potential. Thus, at a minimum, you need to consider where stations, including access points, will be located with respect to RF leakage outside a building. It is possible to use a small amount of shielding to remove at least the initial target of most third parties from view. That target is the beacon frame generated by access points on a periodic basis. Thus, if you locate an access point near the side of a building, it is relatively simple to place aluminum foil behind its antenna or antenna pair to stop RF leakage in an unwanted direction.
Security
Exhibit 15.
Although this aluminum backstop results in reflections in the opposite direction (inward, into the building), I was not able to notice any adverse effect from multipath radiation as I moved inside my home to test the use of a small area of aluminum behind the antenna of my access point. Because this action completely stopped the observance of beacon frames from outside, it represents another partial low-tech solution to a high-tech security problem. In any event, readers should note that I do not endorse shielding as a total solution to the problem of wireless LAN security. Instead, I recommend shielding as a mechanism to supplement other methods because it makes it more difficult to observe a signal.
Chapter 7
Client Setup
The Orinoco RG-1100 Residential Gateway represents a modern-looking combined access point and gateway that is also illustrated in Chapter 1. A CD that accompanies the kit contains a menu-driven series of instructions for installing hardware and software. Unfortunately, the guide is similar to other
products in that it is not all-inclusive and may require a call to Orinoco technical support if you use certain communication carrier services. Later in this section we note how you can avoid this call. The Orinoco broadband Residential Gateway (RG) has a single Ethernet RJ-45 connector that receives the jack from your high-speed modem. Once connected to a cable or DSL modem, you need to use a client station to connect to the gateway to configure the device for your particular networking requirements. As an alternative, you can use a PC directly cabled via an Ethernet port to configure the RG. However, if you select this option, you will need to acquire an Ethernet crossover cable to correctly access the RG.
Installation Software
Exhibit 1 illustrates a portion of the Orinoco installation software distributed on a CD with the kit. The left portion of Exhibit 1 illustrates the installation screen for the RG, indicating a three-part process that needs to occur. The dialog box shown in the right portion of Exhibit 1 reflects the selection of option 2 from the first screen, indicating the software you need to install and optional software. To correctly access the RG-1100 Residential Gateway you also need to install the client, which was provided in the form of a virtual self-enclosed housing with a USB connector. When I plugged this into my Windows 98 computer, the hardware wizard took over and, after pointing to the CD, was able to locate appropriate drivers that were installed. Although it is a relatively easy process to install the Orinoco client and Residential Gateway, Agere Systems does several things differently from other vendors that can cause compatibility problems between vendors attempting to access the RG. In addition, while the setup of the RG is fairly easy to overlook, some key settings are needed to make it work. Thus, in this section we examine the setup of the Orinoco client and use the client to set up the RG. Unlike other vendor products that by default disable WEP, Orinoco by default enables security. This by itself makes it difficult to configure the RG with another vendor product because the RG uses 128-bit WEP while some other vendor products are limited to supporting 64-bit WEP. During the client setup process you will be asked to enter the network name, which is the SSID. The Orinoco Residential Gateway I used had a six-digit number on a label affixed to the device that represented its network name. The program then automatically uses the last five digits of the network name to generate an encryption key.
Client Manager
Once you complete the client setup process you can return and adjust different settings through the use of the Orinoco Client Manager. The Client Manager will be displayed as an icon on the Windows taskbar. Exhibit 2 illustrates both
Exhibit 1.
Building the Wireless Office
Exhibit 2.
Exhibit 3.
the icon, which is pointed to by the cursor, as well as the opened Client Manager. In examining the Client Manager you will note that it uses a series of vertical bars to indicate the level of signal strength. Also note that the Client Manager indicates we are connected to network 394896 and the name of the access point is Orinoco RG-1100 394896, which is the Residential Gateway that I installed.
Exhibit 4.
Once you select the Edit button, a series of dialog boxes is displayed that guide you through the profile configuration process. The second screen that appears, shown in Exhibit 4, provides you with the ability to select the type of network with which you will use your client station. In examining Exhibit 4, note that Orinoco defines three types of networks: an access point, a residential gateway, and a peer-to-peer group, the latter representing an ad hoc network.
Network Name
The next dialog box displayed lets you enter the name of the network with which the client will connect. Because Orinoco places a label with the name of the network at the bottom of its Residential Gateway, you would enter that name into the dialog box. Because the name is actually the SSID, which the access point portion of the RG broadcasts periodically, the dialog box provides you with a mechanism to scan for the name of the network. This feature is indicated in Exhibit 5. Note that selecting the Scan button can be used as a mechanism to discover the network name if the RG is located at a distance from the client or if the label was somehow removed from the Residential Gateway. As we noted in Chapter 6 when we examined security, an access point periodically broadcasts the network name in the form of the SSID. Thus, although you need the
Exhibit 5. Entering the Name of the Network with which the Client Will Connect
correct network name for a client to connect to an access point, the absence of a Scan button on other vendor client software should not be considered as representing more or less security because it is possible to use any wireless protocol analyzer program to easily learn an SSID. In addition, you can also use a blank network name or the network name "any" to obtain the ability to connect to many access points.
Security Setting
Unlike most vendor products, which by default disable WEP, Agere Orinoco products enable security. This means that when you power up the RG-1100 Residential Gateway, it will be in its secure mode. This also means that when you configure the client to access the RG, you need to keep its default configuration in which enable data security is set. When you initially install client drivers and sequence through a series of dialog boxes, the setup program uses the last five digits of the network name as a mechanism to generate the WEP key. This process is performed automatically and enables the user to access the access point in a secure mode of operation. When you subsequently use the Orinoco Client Manager to add or edit a profile, the Set Security dialog box lets you enable security using either alphanumeric or hexadecimal characters.
Exhibit 6.
Exhibit 6 illustrates the Set Security dialog box the Orinoco Client Manager generates. Because I previously entered a six-digit network name during the installation of client software, the setup program used the last five digits as the WEP key. When I returned to the security setting for a new profile, the Edit Configuration screen shown in Exhibit 6 for the Set Security option by default is enabled and set for the use of alphanumeric characters. You would use this screen setting to match the setting of the RG or a different vendor access point. For example, when using the Orinoco client to access a different vendor's combined router and access point, I selected the button prefixing the Use Hexadecimal option and entered the hex WEP key that was configured on the third-party device.
Power Management
The dialog box that follows the one concerned with security enables you to control the power management feature of the client station. As indicated earlier in this book, IEEE 802.11-compliant stations can operate in a low-power consumption mode. This mode is suitable for laptop and notebook computers that are operating on battery power. However, because a device operating in a low-power mode needs to have information buffered by an access point (AP) until the station wakes, the sleeping client's performance will be degraded. Due to this, as well as to the fact that most laptop and notebook computers are used with AC power, power management by default is disabled.
Exhibit 7.
Exhibit 7 illustrates the Orinoco Client Manager Edit Configuration screen for power management. Note that the default setting is Off; however, by clicking on the lower button you can easily change the setting to On. As indicated earlier, unlike other vendor products, Orinoco software displays information about different setting options when you use the Client Manager configuration option. The lower portion of Exhibit 7 indicates an example of the display of information concerning a configuration setting. In this case, the information displayed concerns the settings available for power management.
TCP/IP Behavior
The final option you can use to configure a profile when using the Orinoco Client Manager concerns the behavior of TCP/IP. Similar to other gateways, the Orinoco RG uses the Dynamic Host Configuration Protocol (DHCP) to assign or lease RFC 1918 addresses to wireless devices. The TCP/IP Behavior screen, shown in Exhibit 8, provides you with the ability to control the use of the IP addresses assigned to your station if you change the setting from one profile to another while using the same gateway. If you click on the box to the left of the label Renew IP Address when selecting this profile, the RG renews the lease of the current IP address when you select the profile being configured. Otherwise, the IP address assigned to the client will be changed when you switch to the profile you are configuring.
Exhibit 8.
Exhibit 9.
RG Identification
The second screen in the RG Setup Utility program requires you to enter the network name. That name is located on a label affixed to the bottom of the device. Exhibit 10 illustrates the Orinoco RG Setup Utility program's RG Identification screen display. Unlike the Client Manager, which provides you with the ability to scan the air to locate the network name, the name must be entered manually in the RG Setup Utility program. This is probably due to the fact that the utility program provides you with the ability to configure the RG. Thus, by having to enter the RG network name, you are setting up the correct gateway in the event multiple gateways are operating in the area. If you focus on the right portion of Exhibit 10, you can note the near-pyramid shape of the Orinoco RG-1100 gateway. The first picture shows the rear of the gateway, with the Ethernet connector shown at the lower portion of the base of the device. Above two indented reset buttons is the power receptacle. The figure to the right of the gateway is its cover, which is removed to connect the device to a high-speed communications facility as well as to connect the power cord to the device. Once the connections are made, the cover snaps onto the rear of the gateway.
Exhibit 10.
Exhibit 11.
automatically, and you do not have to know the layer 2 address of the Residential Gateway.
Settings Summary
Once you complete specifying the appropriate parameters for your Internet connection, clicking on the Continue option results in the display of a summary of your settings. In actuality, this display, shown in Exhibit 12, is deceptive because, for almost one million cable modem users, accepting the summary results in the inability to access the Internet. Let me explain. The first two descriptions of Internet connection options simply summarize prior settings. Thus, if you want to change the method of Internet access or the type of IP address your ISP assigned, you have to click on the button labeled Back several times to return to the applicable screen. The next group of settings under Wireless Connection first denotes that by default transmission will occur on channel 1. This predefined channel setting should be acceptable for most users and does not need to be changed to resolve the Internet access problem I describe shortly. Similarly, the Security option provides you with the ability to accept or change the default security setting of WEP being enabled. If you are going to use third-party products that do not support extended WEP 128-bit encryption, you would then use the button labeled
Exhibit 12.
Change. However, because I am using an Orinoco USB client, there is no need to change the security setting. Thus, this leaves us with the Network Topology option, which is shown as the last option in Exhibit 12. Under the prior sequence of RG Setup Utility program displays, we did not encounter any screen labeled Network Topology. Thus, it would be very easy for you to overlook this option and click on the button labeled Finish, which is what I did the first time through the RG Setup Utility program. When I used my browser I noted that I could not access the Internet. When I returned to the use of the Orinoco Client Manager, shown in Exhibit 2, I noted that my computer was connected to the RG and had a high level of signal strength. Thus, the wireless connection was fine, indicating that one or more parameters necessary to access the Internet required tuning. After cycling through the RG Setup Utility program screens and returning to Exhibit 12, I then noted the Network Topology option and clicked on the Change button to determine what settings the program had assigned and if any options required further effort. Thus, let us turn our attention to the Network Topology options the RG Setup Utility program supports.
Network Topology
If you click on the Change option associated with Network Topology, a dialog box similar to that shown in Exhibit 13 is displayed.
Exhibit 13.
Look at the Network Topology dialog box shown in Exhibit 13; note the blank entry for Client ID in the lower right corner of the box. On many cable systems you need to enter the client ID your ISP assigned. On a Cox Communications cable network you will obtain an ID in the form of the letters cx followed by six digits, a dash, and a letter. On other cable networks you would be assigned a similar client ID that would need to be specified. A second network topology option that warrants discussion is the private address range. Unlike some combined router/access points that are limited to issuing an RFC 1918 Class C address, the Orinoco RG can be configured to issue Class A (shown), Class B, or Class C addresses. Thus, the Orinoco Residential Gateway can be used within an existing infrastructure without fear of having overlapping RFC 1918 addresses. When I entered my applicable Client ID into the Network Topology dialog box, within a few clicks of my mouse I was able to access the Internet. Because I accepted the default private address range shown as 10.0.1.x, I decided to perform a bit of experimentation to determine the address of the Residential Gateway. Because most gateways are typically assigned a dot 1 address, I pinged the IP address 10.0.1.1. The Orinoco RG responded very quickly, indicating that the Residential Gateway is similar to other products in that when an applicable block of addresses is assigned, the device will be set to a dot 1 address. Knowing this means that it is relatively easy for any third party to note the address of your residential gateway.
Advanced Features
In concluding our examination of the Orinoco USB client and RG-1100 Residential Gateway, we focus on several advanced features each device provides. Under the Orinoco Client Manager, you obtain the ability to test the
operational status of the client being used. That is, the Client Manager works with both PC Card and USB clients.
Card Testing
Through the selection of the Advanced menu from the Orinoco Client Manager, you can test the status of hardware and software required to operate the wireless client. Exhibit 14 illustrates an example of the use of the Orinoco Client Manager to test the USB self-contained client that was connected to my notebook. In examining Exhibit 14, note that testing the wireless card involves checking both the hardware and software. From a software perspective the driver is checked on an individual basis as well as in conjunction with the hardware, firmware, and utility program. In addition, both the hardware and firmware are checked and any errors noted are summarized.
Link Test
In addition to testing the wireless card, the Orinoco Client Manager includes a link test facility. Similar to the card test, the link test is performed by selecting the Action menu from the Client Manager. Exhibit 15 illustrates the display of the Test Results tab from the link test. In examining Exhibit 15, note that the test result display summarizes the transmission between the station operating the Client Manager, denoted as This station, and the Test partner, which was the Orinoco Residential Gateway. If you carefully examine the first rectangular box labeled Total messages, you will note that 73 messages were sent and 72 received, but none were lost. While these metrics may appear to be questionable, the first message simply informs the destination of the fact that the link test is initiated and causes the test partner to respond to the following sequence of test messages. Thus, if you examine the blocks labeled This station and Test partner, you will note each received 72 messages. Because the first message transmitted simply informs the partner of the test, this explains why no messages were lost. The actual link test involves determining the signal-to-noise ratio (SNR), signal level, and noise level. Those three metrics are monitored at both the station performing the test and at the test partner, with the latter returning the metrics to the station operating the Client Manager, where they are displayed. This technique provides you with the ability to note how each station literally hears the other station. By focusing your attention under the bar graphs of the three metrics, you can note the operating rate at which the test messages were received. Although in Exhibit 15 all messages were received at 11 Mbps, if they were received at a lower data rate you could consider repositioning your client station and rerunning the test. Thus, you can use the link test facility as a mechanism to select applicable locations for the gateway and client stations.
Exhibit 14.
Exhibit 15.
For readers that like graphs, clicking on the tab labeled Test History provides you with a mechanism to display one of four parameters over time for both the station operating the Client Manager and its partner. In addition to having the ability to display a graph of the SNR, you can cause a graph of signal/noise, SNR range, signal range, or noise range to be displayed. Thus, the link test capability provides you with a comprehensive series of test measurements you can use to examine the status of the over-the-air link.
Cisco Aironet
Cisco Systems markets a number of wireless products under the Aironet moniker. This section examines the use of the Aironet 340 client manufactured as a PC Card and its utility program called Aironet Client Utility. As we progress through a series of screen displays, we note that the Aironet Client Utility program provides us with the ability to configure the wireless card, examine its status and perform a link test, retrieve statistics concerning data transmitted and received, and even perform a site survey.
Exhibit 16.
Exhibit 17.
as well as the network names for three SSIDs. Although the client utility did not include a Scan button to locate a network, the ability to list three names appears to exceed the capability of other vendor products and might prove to be useful if your organization is operating several networks that a client needs to access. Unlike other products that have an enable and disable feature for the power-saving mode, Cisco supports three settings. The Constantly Awake setting is similar to having the power-saving mode disabled. Where Cisco differs from the other vendors is that it supports two power-saving modes: Max and Fast. Whether or not you would need this capability depends on your need for operating a laptop or notebook on battery power. In concluding our examination of the System Parameters tab, note the box on the lower right. The two radio buttons permit you to easily change the network mode from Ad Hoc to Infrastructure, and vice versa. Now that we know the settings on the System Parameters tab, let us turn our attention to the RF Network tab.
RF Network Tab
The Cisco Client Utility program RF Network tab is displayed in the foreground in Exhibit 18. Note that this tab provides the ability to control the data rate,
Exhibit 18.
RF channel to be used, transmit power, data retries, and fragment threshold. While the data rate selection capability is similar to other vendor products I have examined, the other parameters proved more interesting than the settings on other products. For example, not only does the Cisco RF Network tab permit you to change the channel to be used, but it also provides you with the frequency of each channel. For some users, this might save a trip to reference material if you need to consider the frequency of each channel. As a refresher, the fragment threshold denotes the size at which packets exceeding that size will be fragmented. When using equipment from multiple vendors, it is important to check this setting, as I note that different vendors use different default values. Another interesting parameter is the Transmit Power metric. Here you can select between two transmit power levels. If you are concerned about RF emissions exiting your building, you might consider using the lower level of transmit power.
Exhibit 19.
be restricted to operating a single network. Thus, you would only require the ability to enter a single SSID or network name. Exhibit 19 illustrates the display of the Home Networking tab in the foreground. Note that this tab restricts you to entering a single SSID. If you enter "any" or leave the SSID blank, you will obtain the ability to connect to another access point without having to know the name of the network the AP uses. By default, Cisco enables encryption; however, it uses a blank encryption key. The result of this action is that transmission occurs in the clear. In addition to specifying a WEP key, data rate, network type, and radio channel, the Home Networking tab permits you to load settings from a disk. This action can facilitate obtaining applicable settings among a series of clients, as well as ensuring the omission of typing errors when entering a WEP key that could literally gum up the works by preventing a connection to an access point operating in a secure mode.
Exhibit 20.
we noted that Cisco supports several methods beyond WEP. Two Cisco wireless security methods discussed in Chapter 6 were LEAP and EAP. Although software for the Aironet 340 supports LEAP, it does not support EAP based on the version of the program I used. Thus, the radio button for EAP is shown in gray. Because we did not previously set a WEP key, the radio button for Access Point Authentication is shown set to Open Authentication. Otherwise, if a WEP key were set, the Shared Key Authentication option would have been selected.
Advanced Settings
In concluding our examination of the Aironet 340 Properties dialog box, we examine the settings on the Advanced tab. The Advanced tab for Ad Hoc networking is shown in Exhibit 21. Cisco provides you with the ability to control the diversity operation of dual antennas for both transmission and reception of data. The default setting for both transmission and reception of data is Diversity being enabled, indicated by the selection of the top radio buttons on each side of Exhibit 21. The setting for the RTS Threshold by default is 2312, which results in the use of the RTS/CTS sequence being disabled. This also means that the RTS Retry Limit setting is irrelevant unless you set the threshold value to a lower setting.
Exhibit 21. Controlling the Client's Antennas and Resetting Various Threshold and Period Values
As another refresher, the RTS Threshold defines the number of bytes that must be in a packet for the RTS/CTS handshake to occur. If you set the value of this field to the maximum MAC data service unit value, in effect you turn off RTS/CTS handshaking. In comparison, if you set the value of this field to 0, you turn it on for all packets. Similar to our brief discussion concerning the fragment threshold, Cisco uses a different default RTS Threshold value than some vendors. Thus, in a mixed-vendor environment, this field setting should be carefully checked. The two additional settings shown in the lower portion of Exhibit 21 enable you to control the period of time required to wake the client and its beaconing period. Neither of these settings was found on a majority of wireless clients produced by other vendors.
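To make the two thresholds concrete, the following Python models how a frame is fragmented, when RTS/CTS precedes it, and the mixed-vendor consistency check the text recommends. It is an added example, not Cisco's implementation; comparing both thresholds against a frame's byte length, and the second vendor's default values in the sample, are assumptions made here.

```python
"""Fragment threshold and RTS threshold, modelled so they can be reasoned about.

Added example, not Cisco's code. The simplification that both thresholds are
compared against a frame's length in bytes, and the sample "other vendor"
defaults used at the bottom, are assumptions made here.
"""
MAX_MSDU = 2312  # Cisco's default RTS Threshold as quoted in the chapter


def fragment_sizes(frame_len: int, frag_threshold: int) -> list:
    """Split a frame that exceeds the fragment threshold into pieces no larger
    than the threshold; a frame at or below the threshold is sent whole."""
    if frag_threshold <= 0 or frame_len < 0:
        raise ValueError("threshold must be positive and length non-negative")
    if frame_len <= frag_threshold:
        return [frame_len]
    full, rest = divmod(frame_len, frag_threshold)
    return [frag_threshold] * full + ([rest] if rest else [])


def uses_rts(frame_len: int, rts_threshold: int) -> bool:
    """RTS/CTS precedes any frame longer than the threshold: 0 turns the
    handshake on for every frame, MAX_MSDU effectively turns it off."""
    return frame_len > rts_threshold


def plan_transmission(frame_len: int, frag_threshold: int,
                      rts_threshold: int) -> list:
    """(fragment length, preceded by RTS/CTS) for each fragment of one frame."""
    return [(size, uses_rts(size, rts_threshold))
            for size in fragment_sizes(frame_len, frag_threshold)]


def mixed_vendor_mismatches(clients: dict) -> dict:
    """Given {client_name: {'rts': n, 'frag': m}}, report each parameter whose
    value is not identical on every client; this is the check the chapter
    recommends before mixing equipment from several vendors."""
    mismatches = {}
    for param in ("rts", "frag"):
        values = {name: cfg[param] for name, cfg in clients.items()}
        if len(set(values.values())) > 1:
            mismatches[param] = values
    return mismatches


if __name__ == "__main__":
    print(plan_transmission(1500, 600, 500))  # [(600, True), (600, True), (300, False)]
    # Constructed sample: the Cisco default beside a made-up second vendor default.
    print(mixed_vendor_mismatches({"aironet": {"rts": MAX_MSDU, "frag": MAX_MSDU},
                                   "other": {"rts": 2347, "frag": 2346}}))
```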
transmitted do not inform the user of the quality of the link. Thus, you also need to focus your attention on the various received error statistics and compare the error count to the number of packets to compute an error density. Unfortunately, the program does not directly provide an error density computation; however, you can perform this action from the data provided by the statistics display. The Cisco link test by default transmits a sequence of 100 64-byte packets to the IP address of a specied access point. The results of the test are then displayed, providing detailed information concerning the over-the-air connection.
System Settings
The first entry under the Advanced heading of the Netgear wireless router is System. The System tab contains fields for you to set the system host name that represents the name assigned by your ISP to identify your PC. A second field in the System tab provides the ability to specify the domain name. The latter represents the extended domain suffix that follows your ISP server names. For example, if your ISP's mail server is mail.macon.myISP.com, then your domain name would be entered as macon.myISP.com.
System Name
While the specification of a domain name is not mandatory, depending on your ISP, the inclusion of a System name can make the difference between being able to access the Internet and feeling frustration by not being able to do so. This is because, as previously discussed during our examination of the Orinoco wireless RG configuration earlier in this chapter, certain ISPs such as Cox Communications issue a host or account name that must be used to gain access to the Internet.
Password
A second tab accessed from the selection of the System settings that warrants discussion is the Password tab. If you select this tab, you obtain the ability to change your Netgear router's management password that controls access
to its configuration process. Because the default password of 1234 is published and easily available to third parties, it is highly recommended that you change this password setting. Exhibit 22 illustrates the System tab in the System settings window. Note that the System Name represents the name assigned by Cox Communications to my home PC. The domain name shown in Exhibit 22 represents the extended domain name used by Cox Communications at the time this book was prepared. Because Cox Communications will more than likely exit the use of the @Home network operated by Excite, the domain name can be expected to change.
DDNS
One of the more interesting features of the Netgear router is its support of the Dynamic Domain Name Service (DDNS). Under DDNS, an IP registry server provides a public central database where dynamically assigned IP addresses can be both stored and retrieved via a host name lookup process. The DDNS can also be used to store password-protected e-mail addresses and will accept queries based on e-mail addresses. Exhibit 23 illustrates the DDNS tab positioned in the foreground of the System settings display. You would click on the box to the left of Active to enable this feature; however, to use this service you must register with the Dynamic DNS service provider, which will provide you with a password. At the time this book was prepared, the Netgear MR314 router only supported DynDNS (www.dydns.org). In examining Exhibit 23, note that the Host Name represents a static name you would enter to link to your ISP's dynamic IP address. Your e-mail address would be entered for administrative contacts, while the user and password would represent the values assigned by the DDNS when you registered.
LAN Setup
The second feature category under the Advanced heading is LAN Setup. The resulting dialog box, which is shown in Exhibit 24, provides the ability to control the assignment of IP addresses to wired and wireless clients of the router. In addition, the lower portion of the LAN setup display provides the ability to control the setup of TCP/IP parameters for the LAN. By default, the Netgear router is configured to act as a DHCP server, allocating up to 32 IP addresses, commencing with 192.168.0.1. Unlike some other vendor products that enable all RFC 1918 addresses of a particular class to be used, the Netgear router supports a maximum of 32 client addresses. While this is probably a more realistic limit because you would not want to have more than 32 clients accessing a wireless router, the ability to support up to 254 devices on a mixed wired and wireless infrastructure supported by other products may appeal to larger organizations.
Exhibit 22.
Exhibit 23.
Exhibit 24.
To have the Netgear router provide the Primary DNS Server address to attached hosts, enter the DNS address in Exhibit 24. Otherwise, the default value of 0.0.0.0 results in the router assigning its own address as the DNS server. The router then performs a DNS proxy function if it can obtain a DNS address from the ISP. The Secondary DNS Server field permits you to assign a secondary DNS server address to clients. The lower portion of Exhibit 24 contains five fields for setting up TCP/IP parameters for your LAN. The first field, IP Address, provides the ability to either accept the default of 192.168.0.1 or change the LAN interface of the router to a different address. The router will automatically compute and display the subnet mask for the class of IP address you assign. The Netgear router also supports subnetting, permitting larger organizations with special LAN requirements to tailor IP addressing to those requirements.
RIP Support
Because most Internet connections use a semistatic IP address in the form of a long-leased IP address, your router normally will not use a routing protocol. However, unlike some wireless routers that are only designed for static networking, the Netgear router can be used within an organizational network. This is because it supports the Routing Information Protocol (RIP). The RIP Direction field provides the ability to exchange routing information with other routers. You can set this field to None (default), In Only, Out Only, or Both. If the field is set to In Only, the router broadcasts its routing table onto the LAN. A setting of Out Only results in the router's broadcasting its routing table but ignoring any RIP broadcasts that it receives. If the field is set to Both, the router will broadcast its routing table on the LAN and incorporate RIP broadcasts received from other routers into its routing table. The RIP Version field allows you to specify the type of RIP message that the router sends. Available options include RIP-1, RIP-2B for RIP-2 messages in broadcast form, and RIP-2M for RIP-2 messages in multicast form. The last field in the display, Multicast, provides the ability to support multicast transmission from the Internet. By selecting either IGMP-v1 or IGMP-v2, you can send one stream of audio or video to multiple participants on your network.
Building the Wireless Office
Exhibit 25.
the WEP key or manually enter either 10 or 26 characters for 64-bit or 128-bit WEP keys, respectively. If you decide to use a passphrase, then prior to entering the phrase you should verify that your clients manufactured by other vendors also support the use of a passphrase. Although the use of a passphrase simplifies the entry of data to generate a WEP key, not all vendors support its use. In fact, if you scroll down Exhibit 25, which we do soon, you will note that you can also enter the WEP key in hex. Exhibit 26 illustrates the lower portion of the Netgear Wireless LAN Setup screen. Note that similar to most wireless LAN vendors, Netgear supports the entry of up to four WEP keys. The Netgear wireless router supports the use of the RFC 1918 Class C 192.168.0.0 IP network, using the address of 192.168.0.1 for the router. The Netgear router automatically assigns PCs an IP address between 192.168.0.2 and 192.168.0.31 when you configure your wireless clients for accessing the router. However, if you connect a PC to one of the four switch ports, I found that I had to hard-code an IP address, using 192.168.0.2 to access the router to configure it.
Port Forwarding
Through the network address translation facility of the router, the LAN behind it will appear as a single IP address to the Internet. If you want to assign local servers for access via the Internet, use the Ports setting from the Advanced menu. This menu lets you assign a port number to different RFC 1918 Class C addresses the Netgear router supports. For example, if you want to send Web requests to a server whose IP address on your LAN is 192.168.0.4, enter 80 under the Port Number and 192.168.0.4 for the Server IP Address value. Thereafter, packets flowing to the ISP IP address assigned to your account destined for port 80 will flow to your server at IP address 192.168.0.4. While port forwarding can provide home and small businesses with the ability to easily operate different types of servers via the use of a single IP address, it may not be legal. This is because many broadband ISP accounts do not permit the customer to operate a server. Thus, when in doubt, it is a good idea to check the legality of operating a server with your ISP.
Static Route
The next-to-last entry in the Advanced Netgear wireless router menu is Static Route. This entry lets you define alternate routers to a specified IP network address or even a specific host address. The use of static routing enables users that have multiple destinations to use the router to forward packets to each destination. For example, you might use an Internet connection for Web surfing and an ISDN connection to access a branch office network. If you did not use static routing, attempts to reach the branch office network would be directed to your Internet connection, which may or may not reach the branch office, depending on whether that
Exhibit 26.
office had an Internet connection and, if so, a firewall allowed access from your location. By defining a static route to the branch office via the ISDN connection, you avoid the use of the Internet when accessing your organization's branch office.
Content Filter
The last Advanced menu feature governs content filtering. The resulting display, shown in Exhibit 27, includes five tabs. The E-mail tab, shown in the foreground, allows you to define the location of an SMTP server as well as to send alerts when access to a blocked site is attempted. Netgear includes a basic mechanism for blocking access to certain types of Web sites. While I could not find a similar feature included in other wireless routers, persons worried about children at home or employees using the Internet connection to access restricted sites are probably better off installing blocking software on individual PCs. While you can use the Keyword tab to enter domain names or keywords on Web sites that should be blocked, this is an almost never-ending task. Thus, I am opposed to individuals attempting to create a blocking list, as there are more relevant and important things to do in life.
Other Features
In concluding our discussion of the Netgear wireless router, two additional features of this device deserve mention. First, it includes a maintenance facility that allows router software to be easily upgraded. A second feature worthy of mention is the ability to back up the configuration of your workstation to your PC as well as to restore its configuration. Backup is highly recommended when you are experimenting with a new configuration, and it minimizes the risk associated with reconfiguring the router.
Exhibit 27. Blocking Access to Predefined Domains or Web Sites That Contain Certain Keywords
policy menu that allows you to develop packet filtering similar to but not as sophisticated as a large router. Other interesting features of the SMC Networks Barricade router that we examine in this section include support for special applications, a virtual server capability, remote administration, ping discard, and the ability to use nonstandard FTP ports.
Router Access
Similar to the Netgear router, you access the SMC Networks Barricade wireless router through the use of a browser. The default IP address of the Barricade is 192.168.123.254, and you will initially reach a System Status display at that location similar to the one shown in Exhibit 28. However, to be able to configure the router, you must enter an appropriate system password. Similar to other products, the SMC Networks Barricade is shipped configured with a default password. That default password is admin and is displayed on the left portion of the screen. Thus, a third party does not even have to consult a manual to determine the default password. Therefore, one of the first functions you should perform, if not the first, is to change the default password after you log into the router. To change the password, log into the router using the default of admin. When you log in to the router, the left bar on the screen shown in Exhibit 28 changes from the single Status entry to a series of selections. Under Status, find Toolbag, which, when selected, provides you with the ability to change the password. In examining the entries in the center portion of Exhibit 28, the WAN Status entries reflect settings the Barricade automatically learned from its connection to a cable modem. At the bottom of the System Status display, you will note that a Printer is shown with the status of being not ready. The SMC Networks Barricade includes a shared printer port, which allows you to connect a printer to the router. Instead of having to use a PC under Microsoft's File and Print Sharing facility, you can now centrally locate a printer adjacent to the wireless router. Now that we have an appreciation for accessing the router, let us turn our attention to some of its more interesting features.
Access Control
Included in the Barricade wireless router is packet-filtering capability. Once you log in to the router, several additional options are displayed on the left portion of your screen. One of those options is Access Control, which lets you assign different rights to different users. Once those rights are assigned, the router filters packets according to the access control settings. Exhibit 29 illustrates the default access control screen. Access rights are defined either as Block or Allow for TCP and UDP port numbers, with users having the ability to define four groups of access control rights. Three Groups, which are numbered 1 through 3, require you to identify the group members by their RFC 1918 Class C address and port number to the Block
Exhibit 28.
or Allow Setting field. In actuality, instead of entering the full IP address, you enter only the host portion of the IP address or a block of host addresses. For example, if you want to block net news (port 119) from being read by hosts within the IP address block from 192.168.123.50 through 192.168.123.75, you would enter 50-75 in the Members field and 119 in the Ports field. If you want to allow or block multiple ports, you can enter a series of port numbers separated by commas, such as 21,23 for FTP and Telnet. The Router Access Control screen shown in Exhibit 29 allows you to enter control information for three groups of members. However, you can also assign control information to a Default Group at the top of the display. That default group provides access control to all IP addresses other than those specified in defined groups. Thus, the access control feature of the Barricade lets you control the type of information stations behind the router can receive.
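The following is an added example, not SMC's code, that models the Access Control screen just described: it parses the Members field (host octets such as 50-75 or 6,8) and the Ports field (21,23), tries the three numbered groups first, and falls back to the Default Group for every host not named in a numbered group. It assumes that a Block group blocks only its listed ports and an Allow group permits only its listed ports; the 192.168.123.0 LAN and the sample groups are constructed.

```python
"""Model of Barricade-style access-control groups (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Set

LAN = IPv4Network("192.168.123.0/24")   # the Barricade's default LAN


def parse_members(field: str) -> Set[int]:
    """'50-75' -> {50..75}; '6,8' -> {6, 8}; '' -> empty set (used by the Default Group)."""
    hosts: Set[int] = set()
    for part in field.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 254:          # host octet only; .0 and .255 are not hosts
            raise ValueError(f"bad Members entry: {part!r}")
        hosts.update(range(lo, hi + 1))
    return hosts


def parse_ports(field: str) -> Set[int]:
    """'21,23' -> {21, 23}; the same list applies to TCP and UDP alike."""
    ports = {int(p) for p in field.replace(" ", "").split(",") if p}
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError(f"bad Ports entry: {field!r}")
    return ports


@dataclass
class Group:
    members: Set[int]   # host octets; ignored for the Default Group
    ports: Set[int]
    setting: str        # "Block" or "Allow"

    @classmethod
    def from_fields(cls, members: str, ports: str, setting: str) -> "Group":
        if setting not in ("Block", "Allow"):
            raise ValueError("setting must be Block or Allow")
        return cls(parse_members(members), parse_ports(ports), setting)

    def verdict(self, port: int) -> str:
        # Assumed semantics: Block lists the ports to deny (rest allowed);
        # Allow lists the only ports permitted (rest denied).
        listed = port in self.ports
        if self.setting == "Block":
            return "Block" if listed else "Allow"
        return "Allow" if listed else "Block"


def decide(groups: List[Group], default: Group, host: str, port: int) -> str:
    """Verdict for a LAN station `host` (dotted quad) talking to destination `port`."""
    addr = IPv4Address(host)
    if addr not in LAN:
        raise ValueError(f"{host} is not on the Barricade LAN")
    octet = int(addr) - int(LAN.network_address)
    for g in groups:                       # Groups 1-3, in screen order
        if octet in g.members:
            return g.verdict(port)
    return default.verdict(port)           # everyone else: Default Group


# Constructed sample configuration mirroring the text's examples.
GROUPS = [
    Group.from_fields("50-75", "119", "Block"),    # no net news for .50-.75
    Group.from_fields("6,8", "21,23", "Allow"),    # .6 and .8 may only use FTP and Telnet
]
DEFAULT = Group.from_fields("", "", "Block")       # Default Group: nothing blocked

if __name__ == "__main__":
    for host, port in [("192.168.123.60", 119), ("192.168.123.60", 80),
                       ("192.168.123.6", 21), ("192.168.123.6", 80),
                       ("192.168.123.100", 119)]:
        print(f"{host}:{port:<5} -> {decide(GROUPS, DEFAULT, host, port)}")
```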
Virtual Server
Another feature of the SMC Networks Barricade router that warrants attention is its virtual server capability. SMC uses its virtual server facility as a mechanism to direct all requests to a specific port for the single ISP-assigned IP address to a specified RFC 1918 Class C address on the 192.168.123.0 network. This facility allows you to operate a separate FTP server, Web server, or other services at distinct IP addresses while enabling Internet access to those services via the use of a common IP address your ISP assigned. Exhibit 30 illustrates the SMC Networks Virtual Server screen display. To illustrate the use of this display, let us assume you want to operate a Web server on the host whose RFC 1918 IP address is 192.168.123.6 and a Telnet server on the host whose RFC 1918 IP address is 192.168.123.8. You would then enter 80 for the Service Port and 6 for the Server IP in Exhibit 30, followed by 23 for a second Service Port and 8 for the second Server IP. Once this action is accomplished, any Internet access occurring on your ISP-assigned IP address to port 23 would automatically be directed to the host that was assigned the RFC 1918 address of 192.168.123.8, while any Internet access occurring on your ISP-assigned IP address to port 80 would be directed by the router to the host whose RFC 1918 address is 192.168.123.6. Similar to our discussion when we examined the Netgear router, operating a server may be illegal for certain types of residential service. Thus, prior to using the virtual server capability, you may wish to determine if your ISP contract permits you to do so.
DMZ Host
If you program routers for a living, you are probably familiar with the term demilitarized zone (DMZ). The Barricade has an interesting feature referred to as DMZ host, which allows you to specify one host that will not receive any protection from its firewall capability. Although the Barricade manual
Exhibit 29.
Exhibit 30.
indicates you might wish to use this feature for unrestricted two-way communications for Internet telephony, you can also consider using the feature in conjunction with the router's virtual server capability to operate a public Web site. The top portion of the Barricade wireless router's miscellaneous items screen lets you set the IP address of a DMZ host. This screen, which is shown in Exhibit 31, also contains four additional features that are worthy of discussion. Thus, in the remainder of this section, we examine each of those features.
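The following added example, not SMC's or Netgear's code, models how inbound packets to the single ISP-assigned address are dispatched once the Virtual Server table and a DMZ host are set, and it serves the Netgear Ports setting described earlier as well. It assumes that a Virtual Server entry takes precedence over the DMZ host and that anything unmapped is discarded when no DMZ host is set; the WAN address and host numbers are constructed, following the text's Web-on-.6 and Telnet-on-.8 example.

```python
"""Inbound dispatch for a NAT router with a virtual-server table and an optional
DMZ host (added example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional

LAN = IPv4Network("192.168.123.0/24")   # the Barricade's RFC 1918 LAN


@dataclass
class InboundPolicy:
    wan_address: IPv4Address                                   # ISP-assigned address
    virtual_servers: Dict[int, IPv4Address] = field(default_factory=dict)  # port -> host
    dmz_host: Optional[IPv4Address] = None                     # host with no firewall protection

    @staticmethod
    def _lan_host(host_number: int) -> IPv4Address:
        """The screen takes only the host octet (e.g. 6 for 192.168.123.6)."""
        if not 1 <= host_number <= 254:
            raise ValueError(f"bad Server IP host number: {host_number}")
        return LAN.network_address + host_number

    def add_virtual_server(self, service_port: int, host_number: int) -> None:
        if not 0 < service_port < 65536:
            raise ValueError(f"bad Service Port: {service_port}")
        self.virtual_servers[service_port] = self._lan_host(host_number)

    def set_dmz_host(self, host_number: int) -> None:
        self.dmz_host = self._lan_host(host_number)

    def dispatch(self, dst: IPv4Address, dst_port: int) -> Optional[IPv4Address]:
        """LAN host that receives an Internet packet sent to dst:dst_port, or None if dropped."""
        if dst != self.wan_address:
            return None                        # not addressed to this router's public side
        if dst_port in self.virtual_servers:   # assumed: explicit mappings win over the DMZ host
            return self.virtual_servers[dst_port]
        return self.dmz_host                   # None when no DMZ host: no inbound path at all

    def exposure(self) -> Dict[str, str]:
        """What each LAN host can be reached on from the Internet; the check worth
        running before enabling a DMZ host, since that host answers on every unmapped port."""
        report: Dict[str, str] = {}
        for port, host in sorted(self.virtual_servers.items()):
            key = str(host)
            report[key] = f"{report[key]}, {port}" if key in report else f"port {port}"
        if self.dmz_host is not None:
            key = str(self.dmz_host)
            report[key] = "all ports not listed in the virtual server table"
        return report


def build_policy(dmz: Optional[int] = None) -> InboundPolicy:
    """Constructed configuration from the text: Web on .6, Telnet on .8."""
    policy = InboundPolicy(IPv4Address("203.0.113.10"))       # placeholder public address
    policy.add_virtual_server(80, 6)
    policy.add_virtual_server(23, 8)
    if dmz is not None:
        policy.set_dmz_host(dmz)
    return policy


if __name__ == "__main__":
    for label, policy in [("no DMZ host", build_policy()), ("DMZ host .9", build_policy(9))]:
        print(label)
        for port in (80, 23, 443):
            print(f"  {policy.wan_address}:{port} -> {policy.dispatch(policy.wan_address, port)}")
        print("  exposure:", policy.exposure())
```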
Administrative Timeout
The third feature you can set on the miscellaneous items screen display is administrative timeout. This setting governs the amount of inactive time that can transpire prior to the router automatically closing a previously opened Administrator session. By default, 600 seconds (or 5 minutes) is set as the timeout period.
Discard Ping
A ping represents an ICMP message. If you are using a fully featured router that can cost thousands of dollars, you would code an access list to block ICMP Echo Request messages. On the SMC Networks Barricade, you can perform a similar function by clicking on the Enable box to the right of the discard Ping from WAN side entry. Note that setting this option still allows stations behind the router to ping hosts on the Internet.
Exhibit 31.
Interoperability
In concluding this chapter, we briefly focus our attention on interoperability. Because each of the products I examined was IEEE 802.11b-compatible, it would appear that configuring different products to interoperate with one another would be fairly easy. For the most part this was true, especially when WEP was disabled. However, when WEP was enabled, the major problem I encountered was the setting of WEP keys.
Chapter 8
The Future
In concluding this book focused on the construction of wireless LANs, we figuratively peer into our crystal ball to examine the future. Because the worth of many pundit predictions is less than the paper on which it is printed, I will avoid detailed predictions. Instead, I focus my attention on evolving products and standards that can be expected to significantly impact the manner by which we communicate at home, in the office, and during travel. In this chapter I discuss two products that can be expected to increase in use in wireless LANs. Similarly, I also discuss the potential use of two relatively new wireless LAN standards. Thus, let's dust off our crystal ball and turn our attention to the manner by which evolving wireless LAN products and standards provide the potential for altering the way we operate wireless LANs.
Print Servers
Although wireless communications can be used to link both desktop and notebook computers to a wired infrastructure, most desktops are connected to printers because they represent a relatively stable location. In comparison, most notebooks are used as portable devices. As such, they are rarely cabled to a printer. However, notebook users are similar to desktop users in that on a periodic basis they will require the ability to print different types of documents. Because many notebooks represent a secondary computing device, some users simply save a document to disk and perform a floppy shuffle, inserting the disk into their desktop for printing.
Rationale
While the floppy shuffle works for many persons, visiting employees may not be able to use a desktop. In addition, even if one is available, this activity reduces the productivity of employees. Thus, vendors apparently turned to an examination of LAN printer sharing and are now developing this capability for use by wireless stations. Although some readers familiar with Microsoft's File and Print Sharing facility may question spending money on a separate print server, the rationale for doing so is simple. If you use Microsoft's File and Print Sharing utility, you need to keep a PC available and powered on to use its attached printer. Because a print server capability is included in some wireless routers and can be obtained as a stand-alone device, for a few hundred dollars its use can be more economical than acquiring another PC to effect print sharing via Microsoft software.
Types of Servers
One example of a wireless LAN printer server is the AirStation Wireless Printer Server LPV-WL11, which reached the market during 2001. Manufactured by Buffalo Technology (www.buffalotech.com), this device consists of a wireless network adapter card and a parallel port encased in a common housing. This device enables you to place a parallel printer at any convenient location in your home or office and direct print jobs to the printer attached to the LPV-WL11. A second type of wireless print server that is a bit more restrictive concerning location is wireless routers that have a built-in print server capability. One example of the latter is the SMC Networks Barricade broadband router. The built-in printer server in the Barricade is more restrictive because this router needs to be located near your cable or DSL modem. Thus, your printer must be within cabling distance of the router, meaning it must also be in close proximity to the cable or DSL modem. Print servers currently offered both as stand-alone units and built into wireless routers are limited to supporting parallel printer connections. If we shine our crystal ball, it is probably reasonable to predict that wireless print servers that support USB connections should shortly reach the market.
Authentication Server
A second hardware product that we can expect to increase in use is the authentication server. Not only is authentication important for verifying the identity of station users in an office environment, but it also can be a most important feature for use in public portals as a person travels.
RADIUS
In an office environment, the Remote Authentication Dial-In User Service (RADIUS) server is popularly used for authentication. In Chapter 6 we noted
how the IEEE 802.1x standard could be used in conjunction with an authentication server to verify the identity of wireless stations.
Token Card
Another type of authentication server that can be expected to gain in use is the token card server. In actuality, authentication occurs by issuing a special credit card to employees that contains a six-digit display. Every minute the numbers change based on some predefined algorithm built into the card. An employee using a token-generating credit card makes a connection to an authentication server. The server prompts the employee to enter her personal identification number (PIN) and the six-digit number on her token-generating card. The server then executes an algorithm to determine if the six-digit number is correct for the PIN entered. If so, the employee is authenticated. If not, the employee is not authenticated and her ability to access data is blocked. One of the key advantages of a token-based authentication scheme is the fact that it requires both physical and mental numbers. The physical numeric is in the form of the token card provided to employees, while the mental numeric is the PIN assigned to the employee. This means that the loss of the token card should not compromise the system. Similarly, if a person writes his PIN on a paper affixed to his notebook, by itself it will not compromise the authentication system. As the use of different IEEE 802.11 standards proliferates, I expect wireless LAN cards to eventually be built into notebooks in a manner similar to how wired Ethernet adapters are built into the motherboard of many PCs. As the use of wireless LAN technology increases, so will the need to authenticate employees using public portals in airports, hotels, and other locations as a mechanism to access corporate resources. In addition, I also expect the cost of monitoring equipment and high-speed home and small office Internet connections to decline.
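The server side of the token-card scheme just described, as an added example that is not the page's own or any vendor's code. The text does not name the card's "predefined algorithm", so the example assumes an HMAC-SHA1 code over a one-minute counter (the TOTP construction of RFC 6238 with a 60-second step); the user, PIN, and card secret are constructed. It shows the two checks the paragraph implies plus the ones a server operator wants: a salted PIN hash compared in constant time, a one-minute tolerance for clock drift, and rejection of a code that was already used.

```python
"""Token-card authentication server model (added example; algorithm assumed, not from the text)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

STEP_SECONDS = 60   # the card's number changes every minute
DIGITS = 6          # six-digit display


def minute_counter(now: float) -> int:
    return int(now // STEP_SECONDS)


def token_code(card_secret: bytes, counter: int) -> str:
    """Six-digit code the card shows for a given minute (assumed HMAC-SHA1/TOTP-style)."""
    mac = hmac.new(card_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    """Holds enrolled users; `drift` is how many minutes of card/server clock skew to accept."""

    def __init__(self, drift: int = 1) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # user -> (salt, pin hash, secret)
        self._last_counter: Dict[str, int] = {}                  # user -> last accepted minute
        self.drift = drift

    def enroll(self, user: str, pin: str, card_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pin_hash(pin, salt), card_secret)
        self._last_counter[user] = -1

    def authenticate(self, user: str, pin: str, code: str, now: Optional[float] = None) -> bool:
        """True only if both factors are right: the PIN (mental) and the card code (physical)."""
        now = time.time() if now is None else now
        record = self._users.get(user)
        if record is None:
            return False
        salt, pin_hash, secret = record
        if not hmac.compare_digest(_pin_hash(pin, salt), pin_hash):
            return False                                      # wrong PIN: card alone is useless
        current = minute_counter(now)
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self._last_counter[user]:
                continue                                      # that minute's code was already spent
            if hmac.compare_digest(token_code(secret, counter), code):
                self._last_counter[user] = counter            # burn the code: no replay
                return True
        return False                                          # lost card alone is useless


# Constructed enrollment used by the demo below.
SECRET = b"constructed-card-secret-for-alice"
SERVER = TokenServer()
SERVER.enroll("alice", "4821", SECRET)

if __name__ == "__main__":
    now = time.time()
    shown = token_code(SECRET, minute_counter(now))           # what the card displays
    print("first use :", SERVER.authenticate("alice", "4821", shown, now))   # True
    print("replay    :", SERVER.authenticate("alice", "4821", shown, now))   # False
    print("wrong PIN :", SERVER.authenticate("alice", "0000", shown, now))   # False
```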
If we really polish our crystal ball, it then becomes possible for persons traveling with a laptop or notebook computer to access their home or office not only for e-mail and document sharing but also to access and position Web cams and other devices. Because rational logic would tell us that travelers would prefer some mechanism to verify their identity to gain access to home or office equipment, I believe that vendors will eventually target this market with low-cost, token-based systems. Let's turn our attention to a brief discussion of evolving wireless LAN standards.
consider the advantages of wireless LANs and think about the potential afforded by the 802.1x and 802.11g standards, as well as the emergence of print servers, authentication tokens, and other products, it is a given that wireless LANs represent the future of networking. While we may not be sure how the technology will evolve, we can be sure that it will evolve. By using 802.11b-compatible equipment, we will have an upgrade path as well as benefit from the advantages of wireless networking. As a famous sportscaster would say, "The future is now!"
Index
A
AAA, see Authentication, authorization, and accounting Access control, 249 Access point (AP), 1, 3, 47, 64, 220 function of, 5 infrastructure topology based on use of, 75 operation, 49 port-address table, 192 stacking of, 16 waking, 220 WEP-enabled, 200 wireless kits consisting of, 90 ACK frame, see Acknowledgment frame Acknowledgment (ACK) frame, 70, 153 Acts of God, 42 Adapter card setup, 76 A/D converters, see Analog-to-digital converters Address(es) assignments, 103, 105 class, 121 Class A, 137, 227 Class B, 125, 227 Class C, 125, 129, 134, 227 Class D, 126 Class E, 127 destination, 126, 137 DNS server, 86, 131 gateway, 98, 130 IP, 98, 116 destination, 138 formats, 123 loopback, 124 setting of, 129 loopback, 124 media access control, 103, 142, 191, 201 multiple interface, 139 receiver, 70 reserved, 131 resolution operation, 142 process, data flow during, 166, 167 source, 66 subnet, 135 transmitter, 70 Address Resolution Protocol (ARP), 109, 116, 141 cache, 142 gratuitous, 143 packet fields, 142 proxy, 143 Ad hoc networking, 4, 48, 75 Administrative console access, 195 ADSL, see Asynchronous Digital Subscriber Line Agere Systems, 213 Orinoco Client Manager, 217, 226, 227, 230 Orinoco RG-1100 Residential Gateway, 213, 215 Orinoco USB Client, 3, 213 Algorithm Diffie–Hellman public-private key, 204 operation, 198 American National Standards Institute (ANSI), 53 Amplitude modulation, 26, 27 shift keying (ASK), 26 Analog-to-digital (A/D) converters, 15 ANSI, see American National Standards Institute
Antenna considerations, 45 gain, 46 AP, see Access point ARP, see Address Resolution Protocol ARPAnet, development of, 140 ASK, see Amplitude shift keying ASP teletypewriters, see Automatic send receive teletypewriters Associated identity (ID), 65 Asynchronous Digital Subscriber Line (ADSL), 224 AT&T, research by, 205 Attack(s) denial-of-service, 192–193 encryption, 194 insertion, 186 methods, 202–203 monitoring, 186–188 Authentication, 200–204 authorization, and accounting (AAA), 8, 205 bar code, 206 LEAP, 205 MAC address, 201, 204 open, 200, 236 server, 208, 258 shared key, 200–201 vulnerabilities, 201–204 Authenticator, 207, 208 Automatic send receive (ASR) teletypewriters, 15
accessing configuration setup utility, 97–99 defining address assignments, 103 system name assignment, 99 using setup wizard, 99 wireless LAN setup parameters, 99–103 BSA, see Basic service area BSID, see Basic service set ID Building codes, 9 Built-in firewalls, 19
C
Capability Information field, 68 Card testing, 228 Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), 50–51, 52, 70 Carrier Sense Multiple Access with Collision Detection (CSMA/CD), 50 Carrier signal, 26 CCK, see Complementary code keying CF poll, see Contention-free poll Channel capacity, 43 Cipher operation, 197 Cisco Systems, 213 Aironet Client utility, 231, 232, 233, 236 encryption, 235 link text, 238 power-saving settings, 233 routers, 136 Clear To Send (CTS) frame(s), 68 formats, 69 use of, 69 response, 52 Code sets, 57 Compaq, 89, 91, 106 Complementary code keying (CCK), 57 Computer Compaq, 89 connection-sharing, 92 laptop, SMC Networks utility program operating on, 210 notebook, Compaq Presario, 106 Toshiba, 89 Windows XP-based, 87 Connection(s) -oriented protocol, 148, 155 WAN, 168 Connection establishment, 155–162 active OPEN, 156 avoiding congestion, 159–161 connection function calls, 155 passive OPEN, 156 port hiding, 155–156
B
Backup, workstation configuration, 247 Band rate, 28 Bandwidth, 25 Bar code authentication, 206 Barker code, 36, 56 Basic service area (BSA), 10, 49 Basic service set (BBS), 48, 49 Basic service set ID (BSSID), 188 BBS, see Basic service set Beacon frames, 67 Beamwidth, 45, 46 Bel, 39, 40 BPSK, 58 Bridge, wireless, 5, 6 Broadcast monitoring, 191 packets, 237 Browser, 194 error message generated by, 168 use, 97–105
Differential quadrature phase shift keying (DQPSK), 31, 32 Diffie–Hellman public-private key algorithm, 204 DIFS, see DCF interframe space Digital subscriber line (DSL), 13, 36 connection, 94 modem, 213 Digitized voice, transmission of, 113 Direct sequence spread spectrum (DSSS), 11, 33, 34, 35, 54 FHSS and, 56 radio transmission, 57 spreading code used under, 56 Discard Ping, 254 Discrete multitone transmission (DMT), 36 Distributed coordination function (DCF), 70 Distribution system (DS), 10, 50 DMT, see Discrete multitone transmission DMZ, see Demilitarized zone DNS, see Domain Name Service Document sharing, 259 Domain Name Service (DNS), 19, 95, 109, 128, 164–170 checking records, 169–170 configuration, 95 DNS records, 168–169 domain name structure, 165 domain name tree, 165–166 name resolution process, 166–168 server address, 86, 105, 131 DOS application, 181 DoS attack, see Denial-of-service attack Dotted decimal notation, 127 DQPSK, see Differential quadrature phase shift keying DS, see Distribution system DSL, see Digital subscriber line DSSS, see Direct sequence spread spectrum Dwell time, 35 Dynamic Domain Name Service (DDNS), 239, 241 Dynamic Host Configuration Protocol (DHCP), 85, 221, 247 Dynamic ports, 150
session termination, 161–162 TCP retransmissions, 161 window, 158–159 three-way handshake, 156–158 Connectionless protocol, 162 Content filtering, 247 Contention-free (CF) poll, 72 Control frames, 67 CRC, see Cyclic redundancy check CSMA/CA, see Carrier Sense Multiple Access with Collision Avoidance CSMA/CD, see Carrier Sense Multiple Access with Collision Detection CTS, see Clear To Send Cyclic redundancy check (CRC), 66
D
Data frame, WEP encrypted, 202 retries, 234 Datagram destination address in, 126 transmission, 110 UDP, 109 DBPSK, see Differential binary phase shift keying DCF, see Distributed coordination function DCF interframe space (DIFS), 71 DDNS, see Dynamic Domain Name Service Decibel, 40 -milliwatt, 41 values, three-dimensional, 43 Decoding software, 12 Default workgroup, 85 Demilitarized zone (DMZ), 119, 251 Demultiplexing, 149 Denial-of-service (DoS) attack, 156, 192 Destination address, 126, 137, 138 DHCP, see Dynamic Host Configuration Protocol Diagnostic tools, 170–182 built-in, 164 finger, 179–182 NSLOOKUP, 177–179 Ping, 170–173 traceroute, 173–176 Dibit encoding, 28, 29 mapping of, 32 Differential binary phase shift keying (DBPSK), 31, 56 Differential modulation, 31
E
EAP, see Extensible Authentication Protocol Electromagnetic radiation, 42 E-mail, 259 Employee productivity, 11 Encryption, 12 attacks, 194 Cisco, 235
scheme, WEP, 188 WEP, 225 Equipment vendors, 213 Error message, browser, 168 -reporting mechanism, 144 ESS, see Extended service set ESSID, see Extended service set ID Ethernet bridge, 4 connector, 222 Fast, 17, 53 frame format, 141 Gigabit, 53 hub, 14 Point-to-Point Protocol over, 103 RJ-45 connector, 214 switch, three-port built-in, 6 Xerox Palo Alto Research Center work on, 140 Extended service set (ESS), 10, 50 Extended service set ID (ESSID), 99 Extensible Authentication Protocol (EAP), 205, 207
FSK, see Frequency shift keying FTP port, nonstandard, 254 Fully qualified domain name (FQDN), 130
G
Gateway, 128 address, 98, 130 configuration, 95 Gaussian frequency shift keying (GFSK) modulation, 55 GFSK modulation, see Gaussian frequency shift keying modulation Gigabit Ethernet, 53 Gratuitous ARP, 143 Gray code, 31
H
Hacker, 202 Half-power beamwidth, 46 Handshake process, 155 three-way, 156–158 Hardware testing of client, 229 theft, 194 Header Length (HLEN) field, 152 Hidden nodes, 51, 68 HLEN field, see Header Length field Hub Ethernet, 14 shared-media, 9
F
Fast Ethernet, 17, 53 FCC, see Federal Communications Commission Federal Communications Commission (FCC), 21, 23, 33, 43 FHSS, see Frequency hopping spread spectrum File sharing, 80, 82, 193 transfer, 205 FIN bit, 153 Finger, 179 Firewall(s) proxy, 132 stand-alone, 19 Floppy shuffle, 257 Four-way wireless handshake, 69 FQDN, see Fully qualified domain name Fragmentation, 114, 115 Framing, 61 Frequency, 21, 22 allocation, 58 channels, 55, 57 hopping spread spectrum (FHSS), 11, 33, 35, 53 data rates supported by, 55 DSSS and, 56 frequencies available for, 39 modulation, 27 shift keying (FSK), 27
I
IAB, see Internet Activities Board IANA, see Internet Assigned Numbers Authority IBBS, see Independent basic service set IBM NetVista PC, 94 ICANN, see Internet Corporation for Assigned Names and Numbers IC field, see Integrity Check field ICMP, see Internet Control Message Protocol ICS, see Microsoft Internet Connection Sharing ID, see Associated identity IEEE, see Institute of Electronic and Electrical Engineers IEEE standard(s), 18, 53–73 basic architecture, 53 layer separation, 53–54 MAC layer operations, 61–73 control frames, 68–70 framing, 61–66
Internet Corporation for Assigned Names and Numbers (ICANN), 165 Internet Protocol (IP), 109 address(es), 98, 116 destination, 138 formats, 123 loopback, 124 reserved, 132 setting of, 129 addressing, 116, 121 development of, 121 header, 110–116 Flags field, 115 Header Checksum field, 116 HLEN field, 112 Identification and Fragment Offset fields, 113–114 Protocol field, 115–116 Service Type field, 112–113 Source and Destination Address fields, 116 Time to Live field, 115 Total Length field, 113 Vers field, 111–112 loopback address, 124 numbers, assigned, 117–119 standardization process, 122 Voice-over-, 170 Intersymbol interference, 29 IP, see Internet Protocol IPX/SPX-compatible protocol, 81 IR, see Infrared ISM bands, see Industrial, scientific, and medical bands ISO, see International Standards Organization ISP, see Internet service provider IV, see Initialization vector
management frames, 67 media access, 70–73 physical layer operation, 54–58 direct sequence spread spectrum, 56–58 frequency hopping spread spectrum, 55–56 infrared, 54 physical layer operations, 59–61 DSSS, 60 FHSS, 59–60 OFDM, 60–61 IEEE 802.1x standard, 207 Cisco implementation, 208–209 Orinoco implementation, 209 IEEE 802.11 standard, 50 transmission methods defined under, 11 WEP key definition, 199 IFS, see Interframe space Impulse noise, 43 Independent basic service set (IBBS), 48, 67 Industrial, scientific, and medical (ISM) bands, 37, 38 Infrared (IR), 33, 54 technology, signaling method involving, 32 transmission, types of, 33 Infrastructure networking, 48 Initialization vector (IV), 196, 201, 202, 203 Initial SYN-SYNACK sequence, 157 Insertion attacks, 186 Institute of Electronic and Electrical Engineers (IEEE), 53 Integrity Check (IC) field, 202 Interframe space (IFS), 70 International Standards Organization (ISO), 53 Internet, see also Internet Protocol access portal, free public, 17 via router, 106 attack from usual sources on, 209 connection sharing, 90–94 configuration, 92–94 installation, 91–92 DSL access to, 7 service provider (ISP), 14, 95, 104, 166, 224 Internet Activities Board (IAB), 120 Internet Assigned Numbers Authority (IANA), 150, 165 Internet Control Message Protocol (ICMP), 109, 144, 170 Code Field, 145, 147 Echo message, 170 evolution, 145 Time Exceeded Message, 174 type field values, 146
J
Jamming, 183
K
Key mapping, 200
L
LAN(s), see also Wireless LAN operations, basic; Wireless LANs adapter cards, 15 advantages of using wireless, 8, 9 bridge, 3 configuration utility program, 76 delivery, 141
demilitarized, 119 disadvantages to using wireless, 11 equipment, placement of, 18 hospital, 15 networking, types of wireless, 5 router ports connected to, 116–119 security, 12 setup, 239, 242 wireless gateway between, 5 Laptop PC, 34, 47, 210 LEDs, see Light-emitting diodes Light-emitting diodes (LEDs), 7, 33 Link quality, 210, 211 test, 228, 230, 238 Loopback address, 124
M
MAC, see Media access control Majority rule, method of, 36 Management console access, 194 Masquerade, 188 Maximum Segment Size (MSS), 154 Media access control (MAC), 50 address, 103, 142, 191, 201, 224 header, 188 layer frame format, 61–66 Address fields, 65–66 CRC field, 66 Duration/ID field, 65 Frame Body field, 66 More Data field, 64 More Frag field, 62 Order field, 64 Power Management field, 63–64 Protocol Version field, 62 Retry field, 62 Sequence Control field, 66 ToDS/FromDS fields, 62 Type and Subtype fields, 62 WEP field, 64 Message destination net unreachable, 175 error, 168 ICMP Echo, 170 Power-Save Poll, 65 Microsoft Corporation Internet Connection Sharing (ICS), 90, 93 Internet Explorer, 97 Network, sharing for, 84 Point to Point Encryption (MPPE), 206 Windows, 91 95, 130, 131 98, 75, 130
2000, 84 nger help screen under, 180 NT Ping, 171, 172 Tracert, 174 XP, 87, 89, 207 Modem, DSL, 213 Modulation amplitude, 26, 27 differential, 31, 56 frequency, 27 Gaussian frequency shift keying, 55 methods, 26 phase, 28 pulse position, 54 quadrature amplitude, 27, 29, 30 Monitoring attacks, 186 MPPE, see Microsoft Point to Point Encryption MSS, see Maximum Segment Size Multicast examples, 126 packets, 237 Multiple interface addresses, 139 Multiplexing, 149
N
Name server
  lookup program, 177
  query of, 178
NAT, see Network address translation
NetBEUI, 81
Netgear, 213
  802.11b PC Card network adapter, 185
  router, 94
    configuration utility, 100
    MR324, 238
    system setting, 240
    wireless LAN setup, 244
    wizard, 101
Network
  address translation (NAT), 13, 14, 94, 132, 247
  bandwidth, conserving, 126
  bottlenecks, 176
  Ethernet, 143
  IP nonsubnetted, 135
  Microsoft, sharing for, 84
  name, 184, 218, 223
  peer-to-peer, view of other computer in, 89
  service provider (NSP), 166
  structure, wireless LAN, 47
  support, 16
  Token Ring, 113
  topology, 48, 226
  White House, 175
Index
Network adapter
  Agere Systems Orinoco USB Client wireless, 3
  card, 45
    computer running utility program and, 79
    utility program included in, 106
    wireless kits consisting of, 90
  configuring of wireless, 77–79
    ad hoc settings, 77–78
    channel, 78–79
    PS Mode, 78
    TxRate, 78
    WEP, 78
  Netgear wireless LAN 802.11b PC Card, 185
  PCI bus-based, 3
  SMC Network wireless PC, 76
  wireless LAN, 2
Networking
  ad hoc, 4, 48, 75
  flexibility, 9
  infrastructure, 48
  peer-to-peer, 75
    configuring stations for, 78
    product variation, 79
    in Windows operating system environment, 80
  types of, 4, 5
Network software, 80–89
  assigning identifiers, 81
  file and print sharing, 80–81
  setting TCP/IP parameters, 85–89
  sharing network resources, 81–84
Nodes, hidden, 68
Noise, impulse, 43
Notebook computer, 34, 47
  Compaq, 91, 106
  sharing via use of, 83
NSLOOKUP, 177–179
NSP, see Network service provider
NT file system (NTFS), 83
NTFS, see NT file system
Nyquist relationship, 28
O
OFDM, see Orthogonal frequency division multiplexing
Open authentication, 200, 236
Open System Interconnection (OSI) Reference Model, 53
Orthogonal frequency division multiplexing (OFDM), 33, 36, 37, 54, 260
  IEEE 802.11a standard for, 60
  multiple carriers used by, 58
  PLCP rate field values for, 61
Oscillating signal, 26
OSI Reference Model, see Open System Interconnection Reference Model
P
Packet
  filtering, 132, 249
  Internetwork Groper, see Ping
PAR, see Positive Acknowledgment Retransmission
PARC, see Xerox Palo Alto Research Center
Passphrase, 245
Password, 98, 208, 238
  change, 249
  default, 249
PC card, wireless LAN adapter fabricated as, 2
PCF, see Point coordination function
PCI bus-based network adapter, 3
PDAs, see Personal digital assistants
PDUs, see Physical data units
Peer-to-peer communications session, establishment of, 78
Peer-to-peer network, view of other computer in, 89
Peer-to-peer networking, 75
  configuring stations for, 78
  product variation, 79
  in Windows operating system environment, 80
Peripherals, in-home computer sharing of, 13
Personal digital assistants (PDAs), 120
Personal identification number (PIN), 259
Phase
  modulation, 28
  shift keying (PSK), 28
Physical data units (PDUs), 61
Physical layer
  convergence procedure (PLCP), 59
  operation, 54
Physical media dependent (PMD) sublayer, 59
Physical service data unit (PSDU), 59
PIFS, see Point coordination function IFS
PIN, see Personal identification number
Ping (Packet Internetwork Groper), 145, 170
  common use for, 172, 173
  discard, 254
PLCP, see Physical layer convergence procedure
Plug-and-play products, 11
PMD sublayer, see Physical media dependent sublayer
Point coordination function (PCF), 62, 71
  IFS (PIFS), 71
  operation, 72, 73
Point-to-Point Protocol (PPP), 103
Point-to-Point Tunneling Protocol (PPTP), 103
Port(s)
  -address table, 49, 192
  dynamic, 150
  forwarding, 245
  hiding, 155–156
  nonstandard FTP, 254
  numbers, 149–150
  private, 150
  registered, 150
  well-known, 150
Portals, 17
Positive Acknowledgment Retransmission (PAR), 152
Power
  ratios, 39, 40
  relationship between decibels and, 44
  -Save Poll message, 65
PPM, see Pulse position modulation
PPP, see Point-to-Point Protocol
PPTP, see Point-to-Point Tunneling Protocol
Predictions, 257–261
  evolving wireless LAN products, 257–259
    authentication server, 258–259
    print servers, 257–258
  evolving wireless LAN standards, 259–261
    802.1x standard, 260
    802.11g standard, 260–261
Print
  servers, 257
  sharing, 80, 82
Private ports, 150
Probe response frame, 67
Proxy ARP, 143
Proxy firewall, 132
PSDU, see Physical service data unit
Pseudo-random bit stream, 197
PSH bit, 153
PSK, see Phase shift keying
Public-private key algorithm, Diffie-Hellman, 204
Pulse position modulation (PPM), 54
Q
QAM, see Quadrature amplitude modulation
QPSK, see Quadrature phase shift keying
Quadbit, 31
Quadrature amplitude modulation (QAM), 27, 29, 30
R
RA, see Receiver address
Radiation
  electromagnetic, 42
  pattern, 45
Radio frequency (RF), 2
  channel, busy, 51
  transmission techniques, 34
RADIUS (Remote Access Dial-In User Service) server, 204, 205, 206
RARP, see Reverse Address Resolution Protocol
RC4, 198
Receiver address (RA), 70
Remote Access Dial-In User Service, see RADIUS server
Request To Send (RTS) frame, 51–52, 68
  formats, 69
  use of, 69
Residential Gateway (RG), 213, 218, 222
  identification, 223
  network name, 223
  setup utility, 226
Reverse Address Resolution Protocol (RARP), 144
RF, see Radio frequency
RG, see Residential Gateway
Rice University, research by, 205
RIP, see Routing Information Protocol
Roaming, 10
Router(s)
  access, 95, 249
    control, 209
    DNS configuration, 95, 97
    gateway configuration, 95
    PC IP address configuration, 95, 96
  Cisco Systems, 136
  configuration, 94
    password-protected, 98
    utility, 100
  connection, Ethernet network, 143
  default values assigned to wireless, 97
  in home environment, 14
  interface, assigning multiple network addresses to common, 140
  Internet access via, 106
  memory requirements, 114
  Netgear, 94, 238
  packet-filtering capability of wireless, 209
  SMC Networks Barricade, 76, 194, 249, 250, 252, 258
Routing Information Protocol (RIP), 243
RTS frame, see Request To Send frame
S
SA, see Source address
Secure sockets, 206
Security, 183–211
  authentication methods, 200–204
  enhancing wireless security, 204–211
    bar code authentication, 206
    dynamic WEP keys, 204–205
    IEEE 802.1x standard, 207–209
    LEAP authentication, 205
    MAC address-based authentication, 204
    router access control, 209–210
    shielding, 210–211
    using secure sockets, 206
    VPN solution, 206
  risks, 183–196
    architecture, 184
    broadcast monitoring, 191–192
    denial-of-service attacks, 192–193
    insertion attacks, 186
    masquerade, 188–190
    monitoring attacks, 186–188
    other attack methods, 193–196
    role of SSID, 184–186
  understanding WEP, 196–200
    cipher operation, 197–198
    overview, 196
    RC4, 198–199
    setup example, 197
    WEP key definition, 199–200
Sequencing protocol, 151
Server(s)
  authentication, 208, 258
  DNS, 86, 105, 131
  Dynamic Host Configuration Protocol, 85
  information, protection of, 179
  name, 178
  print, 257
  RADIUS, 204, 205, 206
  Telnet connection with distant, 149
  types of, 258
  virtual, 251
  wireless access, 7
Service set identifier (SSID), 184
  predefined, 184
  role of, 184–186
  value, setting of, 185
Session key, 208
Setup wizard, 99
SFD, see Start of Frame Delimiter
Shannon's formula, 44
Shared key authentication, 200–201
Shared-media hub, 9
Shielding, 210
Short interframe space (SIFS), 71
SIFS, see Short interframe space
Signaling methods, 32
Signal-to-noise (S/N) ratio, 42
Simple Network Management Protocol (SNMP), 164, 193
Slow-start threshold, 160
SMC Networks, 213
  Barricade router, 76, 194, 249, 250, 252, 258
  utility program, 210
  wireless network card, 106
  wireless PC network adapter, 76
SNMP, see Simple Network Management Protocol
S/N ratio, see Signal-to-noise ratio
Software
  decoding, 12
  network, 80–89
  testing of client, 229
Solar flares, 42
Source address (SA), 66
Speed of light, 24
Spoofing, 103
Spread-spectrum communications, 34
SSID, see Service set identifier
Stand-alone firewalls, 19
Start of Frame Delimiter (SFD), 59, 60
Static routing, 245
Subnetting, 132–139
  example, 133–135
  host restrictions, 135
  internal versus external subnet viewing, 136–137
  subnet mask, 137–139
  zero subnet, 136
Sunspots, 42
SYN bit, 153
System name assignment, 99
T
TA, see Transmitter address
Table lookups, 110
TCP, see Transmission Control Protocol
TCP/IP
  behavior, 221
  Internet traffic, majority of, 116
  parameters, setting of, 85–89
  protocol stacks, IP address recognized by, 124
  software, 170, 177
TCP/IP protocol suite, 19, 81, 109–182
  built-in applications, 181
  built-in diagnostic tools, 164
  connection establishment, 155–162
    active OPEN, 156
    avoiding congestion, 159–161
    connection function calls, 155
    passive OPEN, 156
    port hiding, 155–156
    session termination, 161–162
    TCP retransmissions, 161
    TCP window, 158–159
    three-way handshake, 156–158
  diagnostic tools, 170–182
    finger, 179–182
    NSLOOKUP, 177–179
    Ping, 170–173
    traceroute, 173–176
  DNS, 164–170
    checking records, 169–170
    DNS records, 168–169
    domain name structure, 165
    domain name tree, 165–166
    name resolution process, 166–168
  ICMP, 144–146
    evolution, 145–146
    overview, 144–145
  Internet Protocol, 109–116
    datagrams and datagram transmission, 110
    datagrams and segments, 109–110
    IP header, 110–116
    routing, 110
  IP addressing, 116–144
    address classes, 121–127
    address resolution, 140–144
    basic workstation configuration, 128–131
    dotted decimal notation, 127–128
    IP addressing scheme, 120–121
    multiple interface addresses, 139–140
    reserved addresses, 131–133
    subnetting, 133–138
  TCP overview, 148–155
  transport layer, 146–148
  UDP, 162–164
Technology and terminology, 21–52
  architecture, 47–50
    access point operation, 49–50
    distribution system, 50
    network topologies, 48
    station, 47
  basic communications concepts, 21–26
    bandwidth, 25–26
    frequency, 21–23
    wavelength, 23–25
  media access control, 50–52
    CSMA/CA, 50–51
    hidden node problem, 51–52
  modulation methods, 26–32
    amplitude modulation, 26–27
    differential modulation, 31–32
    frequency modulation, 27
    phase modulation, 28–29
    quadrature amplitude modulation, 29–31
  signaling methods, 32–47
    direct sequence spread spectrum, 35–36
    frequency hopping spread spectrum, 34–35
    frequency spectrum and wireless LANs, 37–39
    infrared, 33–34
    measurements, 39–47
    orthogonal frequency division multiplexing, 36–37
  wireless LAN terminology, 47
TEM, see Time Exceeded Message
Terminology, see Technology and terminology
Theft, hardware, 194
Three-way handshake, 156–158
Time Exceeded Message (TEM), 174
Time gaps, 70
Time to Live (TTL), 115, 171
Token Ring, 53
  format, 141
  network, 113
TOS field, see Type of Service field
Toshiba computer, 89
Traceroute, 173–176
  applications, 176
  operation, 174
  route tracing, 175–176
  using Windows Tracert, 174–175
Trailing bits, 31
Transmission Control Protocol (TCP), 146
  connection termination, 162
  header, 148–155
    adding field, 154–155
    Checksum field, 154
    Code Bits field, 153
    dynamic or private ports, 150
    HLEN field, 152
    multiplexing and demultiplexing, 149
    Options field, 154
    port numbers, 149–150
    registered ports, 150
    Sequence and Acknowledgment Number fields, 151–152
    Source Port and Destination Port fields, 148–149
    Urgent Pointer field, 154
    well-known ports, 150
    Window field, 153–154
  originator, 160
  responder, 156
  retransmissions, 161
  segment, 109
  services, well-known, 151
  sliding window, 159
  slow start, 160
  window, 158–159
Transmitter
  address (TA), 70
  power, regulation of, 23
Transport layer protocols, 146
Tribit
  encoding, 28, 29
  values, 31
TTL, see Time to Live
Type of Service (TOS) field, 112
U
UDP, see User Datagram Protocol
Unicast packets, 237
UNIX Zone file, 168
URG bit, 153
USB connector, 214
User Datagram Protocol (UDP), 146
  applications using, 164
  datagram, 109
  header, 162–164
    applications, 164
    Checksum field, 163
    Message Length field, 163
    operation, 163–164
    Source Port and Destination Port fields, 163
  port numbers, 19
  services, well-known, 151
User ID/password combination, 208
V
Vendor products, working with, 19, 213–256
  Agere Systems Orinoco wireless kit, 213–231
    advanced features, 227–231
    client setup, 213–221
    setting up of residential gateway, 222–227
  Cisco Aironet, 231–238
    Aironet client utility, 231
    client configuration, 231–237
    interesting product features, 237–238
  interoperability, 256
  Netgear MR324 wireless router, 238–247
    content filter, 247
    LAN setup, 239–243
    other features, 247
    port forwarding, 245
    static route, 245–247
    system settings, 238–239
    wireless LAN setup, 243–245
  SMC Networks Barricade wireless router, 247–255
    access control, 249–251
    administrative timeout, 254
    discard Ping, 254
    DMZ host, 251–254
    nonstandard FTP port, 254
    remote administration host, 254
    router access, 249
    virtual server, 251
Virtual circuit, 110
Virtual private network (VPN), 7, 206
Virtual server, 251
Voice
  -grade channel, transmission capacity of, 44
  -over-IP, 170
  transmission of digitized, 113
VPN, see Virtual private network
W
WAN(s)
  connections, low-speed, 168
  router ports connected to, 116–119
Watts, relationship of decibel-milliwatts and, 41
Wave, frequency of, 22
Wavelength
  computation of, 24
  definition of, 23
  estimation, 25
Web
  browser, 194
  cams, 259
  page display, 205
  server, tracing of route to White House, 176
WEP, see Wired Equivalent Privacy
White House Web server, 175
Wired Equivalent Privacy (WEP), 183
  disabled, 106, 219
  -enabled access point, 200
  encryption, 188, 202, 225
  field, 64
  key(s)
    considerations, 256
    definition, 199
    dynamic, 204
    set, 236
  Protocol, 7, 19
  understanding, 196
  vulnerability of, 206
Wireless access points, 1
Wireless bridge, 1, 5, 6
Wireless kits, 90
Wireless LAN operations, basic, 75–107
  adapter card setup, 76–94
    configuring of wireless network adapter, 77–79
    Internet connection sharing, 90–94
    network software, 80–89
    proof, 89–90
  ad hoc networking, 75
  infrastructure operations, 94
  wireless router configuration, 94–107
    browser use, 97–105
    Internet access via router, 106
    router access, 95–96
    site selection, 106
Wireless LANs, 1–19
  book preview, 18–19
    basic wireless LAN operations, 18–19
    IEEE standards, 18
    security, 19
    TCP/IP protocol suite, 19
    technology and terminology, 18
    working with vendor products, 19
  rationale for, 8–18
    adds, moves, and changes, 9
    applications, 13–18
    disadvantages to wireless LANs, 11–13
    economics, 8–9
    roaming, 10–11
  wireless networking devices, 1–8
    access point, 3–5
    wireless access server, 7–8
    wireless bridge, 5–6
    wireless LAN network adapters, 2–3
    wireless routers, 6–7
Workgroup
  default, 85
  name, changing of, 87
Workstation configuration, 128–131, 247
X
Xerox Palo Alto Research Center (PARC), 140
Z
Zero subnet, 136