Blog

  • CWNP

EAP NAK

While it's often not a topic of discussion, because EAP types are usually configured manually on both ends, supplicants and authentication servers can "negotiate" an EAP authentication protocol type.

In EAP, the initial portion of the frame exchange works like this:

EAPOL-Start (an optional frame that's almost always present) ..... Supplicant > Authenticator
EAP-Request/Identity, carried in an EAPOL EAP-Packet frame (the Authenticator asks the Supplicant for its identity) ..... Authenticator > Supplicant
EAP-Response/Identity (the Supplicant answers with either its real username or a bogus outer identity, since this part of the exchange is in the clear) ..... Supplicant > Authenticator
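
The negotiation the post's title refers to is the EAP Nak: when the server proposes a method the supplicant will not run, the supplicant answers with EAP-Response/Nak whose Type-Data lists the types it will accept, and the server re-proposes from that list. The following is an added example (not code from the post or from CWNP) that builds and parses the RFC 3748 packet format and drives both sides of the exchange. Method type numbers are the real IANA values; the "anonymous" identity, the allowed-type lists and the server's preferences are constructed for the example, and no real method is run once a type is agreed on.

```python
import struct

# EAP codes and a few method types (RFC 3748 and the IANA EAP type registry)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 1, 3, 4, 13, 21, 25
NAMES = {TYPE_IDENTITY: "Identity", TYPE_NAK: "Nak", TYPE_MD5: "MD5-Challenge",
         TYPE_TLS: "EAP-TLS", TYPE_TTLS: "EAP-TTLS", TYPE_PEAP: "PEAP"}


def eap_pack(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    """Parse an EAP packet, refusing a Length that exceeds the bytes actually present."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""


def describe(pkt):
    """Human-readable one-liner for a transcript."""
    code, ident, t, data = eap_unpack(pkt)
    kind = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
            EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}[code]
    if t is None:
        return f"{kind} id={ident}"
    extra = ""
    if t == TYPE_NAK:
        extra = " wants=" + ",".join(NAMES.get(x, str(x)) for x in data)
    elif t == TYPE_IDENTITY and code == EAP_RESPONSE:
        extra = " " + repr(data.decode(errors="replace"))
    return f"{kind}/{NAMES.get(t, t)} id={ident}{extra}"


class Supplicant:
    """Answers Identity requests and Naks any method not on its allow-list (preference order)."""

    def __init__(self, identity, allowed_types):
        self.identity, self.allowed = identity, list(allowed_types)

    def handle(self, pkt):
        code, ident, eap_type, _ = eap_unpack(pkt)
        if code != EAP_REQUEST:
            return None
        if eap_type == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if eap_type in self.allowed:  # accept: the real method's first message would go here
            return eap_pack(EAP_RESPONSE, ident, eap_type)
        # Legacy Nak: Type-Data lists every type we are willing to run, most preferred first
        return eap_pack(EAP_RESPONSE, ident, TYPE_NAK, bytes(self.allowed))


class AuthServer:
    """Proposes its first method, then re-proposes from the peer's Nak list (server policy wins)."""

    def __init__(self, supported_types):
        self.supported, self.ident, self.selected, self.peer = list(supported_types), 0, None, None

    def _request(self, eap_type):
        self.ident = (self.ident + 1) & 0xFF
        return eap_pack(EAP_REQUEST, self.ident, eap_type)

    def start(self):
        return self._request(TYPE_IDENTITY)

    def handle(self, pkt):
        code, ident, eap_type, data = eap_unpack(pkt)
        if code != EAP_RESPONSE or ident != self.ident:
            return None  # not a reply to our outstanding Request: discard silently
        if eap_type == TYPE_IDENTITY:
            self.peer = data.decode(errors="replace")
            return self._request(self.supported[0])
        if eap_type == TYPE_NAK:
            for wanted in data:  # untrusted input: only types we support, and never Nak itself
                if wanted in self.supported and wanted != TYPE_NAK:
                    return self._request(wanted)
            return eap_pack(EAP_FAILURE, ident)
        self.selected = eap_type  # the peer started the proposed method
        return None


def negotiate(server, supplicant, max_rounds=8):
    """Drive Request/Response rounds until a method is agreed on or the server gives up."""
    transcript, pkt = [], server.start()
    for _ in range(max_rounds):
        transcript.append(("server", describe(pkt)))
        reply = supplicant.handle(pkt)
        transcript.append(("supplicant", describe(reply)))
        pkt = server.handle(reply)
        if pkt is None:
            return server.selected, transcript
        if eap_unpack(pkt)[0] == EAP_FAILURE:
            transcript.append(("server", describe(pkt)))
            return None, transcript
    return None, transcript
```

Running `negotiate(AuthServer([TYPE_MD5, TYPE_PEAP, TYPE_TLS]), Supplicant("anonymous", [TYPE_TLS, TYPE_PEAP]))` produces Request/Identity, Response/Identity, Request/MD5-Challenge, Response/Nak listing EAP-TLS and PEAP, Request/EAP-TLS, Response/EAP-TLS. Two things worth noticing: the supplicant's allow-list is the only thing standing between a rogue authenticator and a downgrade to a weak method, so a supplicant that lists MD5-Challenge in its Nak can be talked into it; and the Nak's Type-Data is attacker-controlled input to the server, which is why the server only ever picks from its own supported set.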


Continue reading...

  • CWNP

Can My Sniffer Smell 802.11n?

With 802.11n certified devices popping up all over the place (mostly thanks to the Wi-Fi Alliance's new certification testing), how long will it be before 802.11n APs become rogues?  Well, that's already happened.  How do we detect them?  Fortunately, backwards compatibility is mandatory in 802.11n devices.  Beacons are sent using DSSS/CCK rates (in 2.4 GHz) or Clause 17 OFDM rates (in 5 GHz) whether the BSS is running in 20 MHz or 20/40 MHz mode, so a legacy sniffer can still decode them.  While Space-Time Block Coded (STBC) Beacons are supported (called secondary Beacons), a legacy Beacon must still be transmitted as the primary Beacon.
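
Because the primary Beacon goes out at a legacy rate, the giveaway for an 802.11n AP is not the PHY but the frame body: an HT Capabilities element (ID 45) that a pre-n AP never sends. The code below is an added example, not CWNP's code or any sniffer's, that builds a constructed beacon body (not a capture), walks its elements and reports the SSID, channel, basic rates and HT capability bits that a detector would key on. The SSIDs, channels and BSSID labels are made up for the example; the element IDs, rate encoding and HT Capabilities Info bit positions are the 802.11-2007/802.11n-2009 ones.

```python
import struct

# Element IDs (802.11-2007 / 802.11n-2009)
EID_SSID, EID_SUPP_RATES, EID_DS_PARAM, EID_HT_CAP = 0, 1, 3, 45

# Supported Rates values are in 500 kb/s units; the MSB marks a basic (mandatory) rate.
RATES_24GHZ = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])  # 1,2,5.5,11 basic; 6,9,12,18
RATES_5GHZ = bytes([0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])   # 6,12,24 basic; 9,18,36,48,54


def build_beacon(ssid, channel, ht_cap_info=None):
    """Constructed beacon frame body (not a real capture): 12 fixed octets, then elements."""
    body = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU interval, ESS|Privacy|Short Slot
    body += bytes([EID_SSID, len(ssid)]) + ssid.encode()
    rates = RATES_24GHZ if channel <= 14 else RATES_5GHZ
    body += bytes([EID_SUPP_RATES, len(rates)]) + rates
    body += bytes([EID_DS_PARAM, 1, channel])
    if ht_cap_info is not None:  # HT Capabilities: Info(2) A-MPDU(1) MCS(16) Ext(2) TxBF(4) ASEL(1)
        body += bytes([EID_HT_CAP, 26]) + struct.pack("<H", ht_cap_info) + bytes(24)
    return body


def parse_elements(body):
    """Walk the TLV elements after the fixed fields; a truncated element is an error, not ignored."""
    elems, i = [], 12
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            raise ValueError("truncated element %d" % eid)
        elems.append((eid, body[i + 2:i + 2 + elen]))
        i += 2 + elen
    return elems


def classify_beacon(body):
    """What a legacy-rate beacon tells a sniffer: SSID, channel, rates, and whether the AP is HT."""
    elems = dict(parse_elements(body))
    rates = elems.get(EID_SUPP_RATES, b"")
    info = {
        "ssid": elems.get(EID_SSID, b"").decode(errors="replace"),
        "channel": elems[EID_DS_PARAM][0] if EID_DS_PARAM in elems else None,
        "basic_rates_mbps": [(r & 0x7F) / 2 for r in rates if r & 0x80],
        "rates_mbps": [(r & 0x7F) / 2 for r in rates],
        "ht": False,
    }
    cap = elems.get(EID_HT_CAP)
    if cap is not None and len(cap) == 26:
        ht_cap_info = struct.unpack("<H", cap[:2])[0]  # HT Capabilities Info bitfield
        info.update({
            "ht": True,
            "ht_40mhz_capable": bool(ht_cap_info & 0x0002),    # Supported Channel Width Set
            "ht_greenfield": bool(ht_cap_info & 0x0010),
            "ht_short_gi_40": bool(ht_cap_info & 0x0040),
            "ht_40mhz_intolerant": bool(ht_cap_info & 0x4000),
        })
    return info


def find_ht_rogues(beacons, authorized_bssids):
    """Flag HT APs whose BSSID is not on the authorized list; input is [(bssid, beacon body)]."""
    rogues = []
    for bssid, body in beacons:
        info = classify_beacon(body)
        if info["ht"] and bssid not in authorized_bssids:
            rogues.append((bssid, info["ssid"], info["channel"], info["ht_40mhz_capable"]))
    return rogues
```

Note that this only needs the frame body, which is exactly what a legacy sniffer gets from the primary Beacon; an HT AP running in greenfield mode will also send frames the sniffer cannot decode, but its Beacon is still the legacy one.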

Continue reading...

  • CWNP

Hotspots for Hackers

With the introduction of Apple's iPhone (and all of those other converged cellular/Wi-Fi phones), use of public WLAN hotspots is about to increase massively.  Making wVoIP phone calls, instant messaging, browsing, email, and connecting to the corporate office over VPN are just a few things that users will be doing en masse shortly.  Certainly hotspots are already a pretty big deal for staying connected, including those hotspots that aren't really meant to be hotspots.  But with the oh-so-sought-after Apple iPhone, all of those Skype phones from SOHO vendors, Internet tablets like Nokia's N800, and now all of these new converged phones recently showing up in the market, hotspots are going to be busy, busy.  Busy hotspots mean busy hackers.  It'll be tough for those guys though... you know, deciding between hacking your Wi-Fi phone, tablet PC, or laptop over your Bluetooth connection, Wi-Fi connection, infrared port, or any number of other wireless interfaces.


Continue reading...

  • CWNP

802.11n 20/40 MHz BSS Mode Rules

Rules for operation in 20/40 MHz BSS:

A 20/40 capable station operating in 20 MHz mode follows the rules for a 20 MHz capable station.  A 20/40 capable station is allowed to operate under Phased Coexistence Operation (PCO), where the AP switches back and forth between 20 MHz and 40 MHz operation.  The switching of channel width is indicated in Beacons, and a 20/40 capable station is allowed to use L-SIG TXOP protection.
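
Everything the rules above hinge on (whether the BSS is 20 or 20/40 MHz, where the secondary channel sits, whether PCO is active and which phase it is in, and whether L-SIG TXOP protection is fully supported) is announced in the HT Operation element (ID 61) of the Beacon. This added example, which is not CWNP's code, encodes and decodes that 22-octet element body using the 802.11n-2009 bit positions (the same ones hostapd uses). The channels and flag combinations are constructed inputs.

```python
import struct

# Bit positions in the HT Operation element (802.11n-2009 7.3.2.57)
SEC_CHAN_MASK, STA_CHAN_WIDTH, RIFS_MODE = 0x03, 0x04, 0x08                  # octet 1
HT_PROT_MASK, NON_GF_PRESENT, OBSS_NON_HT_PRESENT = 0x0003, 0x0004, 0x0010   # octets 2-3
DUAL_BEACON, DUAL_CTS, STBC_BEACON = 0x0040, 0x0080, 0x0100                   # octets 4-5
LSIG_TXOP_FULL, PCO_ACTIVE, PCO_PHASE = 0x0200, 0x0400, 0x0800
SEC_OFFSET = {0: None, 1: "above", 3: "below"}


def encode_ht_operation(primary, secondary=None, lsig_txop=False, pco_active=False,
                        pco_phase_40mhz=False, basic_mcs=range(8)):
    """Build the 22-octet body of an HT Operation element (constructed for the example)."""
    ht_param = 0
    if secondary == "above":
        ht_param = 1 | STA_CHAN_WIDTH
    elif secondary == "below":
        ht_param = 3 | STA_CHAN_WIDTH
    stbc = ((LSIG_TXOP_FULL if lsig_txop else 0) | (PCO_ACTIVE if pco_active else 0)
            | (PCO_PHASE if pco_phase_40mhz else 0))
    mcs = bytearray(16)  # Basic MCS Set bitmap
    for m in basic_mcs:
        mcs[m // 8] |= 1 << (m % 8)
    return bytes([primary, ht_param]) + struct.pack("<HH", 0, stbc) + bytes(mcs)


def decode_ht_operation(elem):
    """Decode an HT Operation element body into the BSS's channel-width state."""
    if len(elem) != 22:
        raise ValueError("HT Operation element must be 22 octets")
    primary, ht_param = elem[0], elem[1]
    op_mode, stbc = struct.unpack("<HH", elem[2:6])
    offset = SEC_OFFSET.get(ht_param & SEC_CHAN_MASK, "reserved")
    res = {
        "primary_channel": primary,
        "secondary_offset": offset,
        "bss_mode": "20 MHz",
        "secondary_channel": None,
        "rifs": bool(ht_param & RIFS_MODE),
        "ht_protection": op_mode & HT_PROT_MASK,
        "non_gf_present": bool(op_mode & NON_GF_PRESENT),
        "obss_non_ht_present": bool(op_mode & OBSS_NON_HT_PRESENT),
        "dual_beacon": bool(stbc & DUAL_BEACON),
        "stbc_beacon": bool(stbc & STBC_BEACON),
        "lsig_txop_full_support": bool(stbc & LSIG_TXOP_FULL),
        "pco_active": bool(stbc & PCO_ACTIVE),
        "pco_phase_40mhz": bool(stbc & PCO_PHASE),
        "basic_mcs": [i for i in range(128) if elem[6 + i // 8] >> (i % 8) & 1],
    }
    # A 20/40 BSS needs both a secondary channel and STA Channel Width = any
    if offset in ("above", "below") and ht_param & STA_CHAN_WIDTH:
        step = 4 if offset == "above" else -4   # 20 MHz is four channel numbers
        res["bss_mode"] = "20/40 MHz"
        res["secondary_channel"] = primary + step
        res["center_channel"] = primary + step // 2
    # Under PCO the AP alternates phases; the PCO Phase bit in the Beacon says which is current
    if res["pco_active"]:
        res["current_width"] = "40 MHz" if res["pco_phase_40mhz"] else "20 MHz"
    else:
        res["current_width"] = "40 MHz" if res["bss_mode"] == "20/40 MHz" else "20 MHz"
    return res
```

A 20/40 capable station that sees `bss_mode == "20 MHz"` behaves exactly like a 20 MHz station, per the first rule; one that sees PCO active has to track the phase bit from Beacon to Beacon rather than assume 40 MHz is available.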


Continue reading...

  • CWNP

802.11n 20/40 MHz BSS Mode Operation

802.11n gives us 20/40 MHz BSS mode, which my Apple AirPort Extreme base station supports in the 5 GHz band.  Oh, can't you feel the joy welling up inside you at the thought of this? First, let's get some definitions out of the way.

20/40 MHz Operation:

The following terms are used to describe transmitted PPDU formats:

"40 MHz HT" is a Clause 20 transmission using HT Mixed Mode Format (HT_MF) or HT Greenfield Format (HT_GF) frame formats and 40 MHz channel bandwidth

"20 MHz HT" is a Clause 20 transmission using HT Mixed Mode Format (HT_MF) or HT Greenfield Format (HT_GF) frame formats and 20 MHz channel bandwidth

"DSSS/CCK" is a Clause 15 or Clause 18 transmission


Continue reading...

  • CWNP

Reverse Direction (RD) Protocol

The purpose of the 802.11n RD protocol is to transfer data more efficiently between two 802.11 devices during a TXOP by eliminating the need for either device to initiate a new data transfer.  Before the RD protocol, each uni-directional data transfer required the initiating station to capture (and possibly reserve time on) a contention-based RF medium.  With RD, once the transmitting station has obtained a TXOP, it may essentially grant permission to the other station to send information back during its TXOP.  This requires that two roles be defined: RD initiator and RD responder.  The RD initiator sends its permission to the RD responder using a Reverse Direction Grant (RDG) in the RDG/More PPDU field of the HT Control field in the MAC frame.  This bit is used by the RD initiator for granting permission (RDG) to the RD responder, and it is used by the RD responder to signal whether or not it is sending more frames immediately following the one just received (More PPDU).  For a more technical walk-through of this functionality, here are some excerpts from the 802.11n-draft2.00 amendment with my occasional input inserted.
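
To make the RDG/More PPDU dual meaning concrete, here is an added example (not from the post or the amendment text) that simulates one TXOP: the initiator sets the bit as RDG on its last PPDU, the responder uses what is left of the TXOP and sets the same bit as More PPDU on every PPDU except its last, and a sniffer-style checker verifies the rules. The bit position (B31 of the HT Control field) is the 802.11n-2009 one; the SIFS value, the PPDU durations and the simplification of folding ACK/Block Ack and preamble time into each PPDU's duration are assumptions made for the example.

```python
HTC_RDG_MORE_PPDU = 1 << 31   # B31 of the 4-octet HT Control field (802.11n-2009 7.1.3.5a)
SIFS_US = 16                  # 5 GHz OFDM SIFS; ACK/BA and preamble time are folded into PPDU durations


def htc_pack(rdg_more_ppdu, link_adaptation=0):
    """Build an HT Control field value; only the RDG/More PPDU bit matters for this example."""
    return (link_adaptation & 0xFFFF) | (HTC_RDG_MORE_PPDU if rdg_more_ppdu else 0)


def htc_rdg(htc):
    """Read B31: RDG when sent by the initiator, More PPDU when sent by the responder."""
    return bool(htc & HTC_RDG_MORE_PPDU)


def rd_exchange(txop_us, initiator_ppdus, responder_ppdus):
    """Simulate one TXOP. The initiator sends its PPDUs (durations in microseconds), sets RDG on
    the last one, and the responder sends as much of its queue as fits in what is left, setting
    More PPDU on every PPDU except its last. Returns the frame log and the responder PPDUs left."""
    log, elapsed = [], 0
    for n, dur in enumerate(initiator_ppdus):
        grant = n == len(initiator_ppdus) - 1
        log.append({"from": "initiator", "dur": dur, "htc": htc_pack(grant)})
        elapsed += dur + SIFS_US
    remaining = txop_us - elapsed
    pending = list(responder_ppdus)
    while pending:
        dur = pending[0]
        if dur + SIFS_US > remaining:   # must not overrun the initiator's TXOP
            break
        pending.pop(0)
        remaining -= dur + SIFS_US
        more = bool(pending) and pending[0] + SIFS_US <= remaining
        log.append({"from": "responder", "dur": dur, "htc": htc_pack(more)})
        if not more:                    # More PPDU = 0 hands the TXOP back to the initiator
            break
    return log, pending


def validate_rd(log):
    """Check a frame log against the RD rules: the responder may only transmit after an RDG (or
    its own PPDU with More PPDU set), and the initiator must wait until More PPDU is cleared."""
    violations, reverse_open = [], False
    for n, frame in enumerate(log):
        if frame["from"] == "initiator":
            if reverse_open:
                violations.append((n, "initiator transmitted while the reverse direction was open"))
        elif not reverse_open:
            violations.append((n, "responder transmitted without an RDG"))
        reverse_open = htc_rdg(frame["htc"])   # RDG opens it, More PPDU keeps it open, 0 closes it
    return violations
```

With a 2000 µs TXOP, one 600 µs initiator PPDU and three 500 µs responder PPDUs, the responder gets two PPDUs in (More PPDU set on the first, clear on the second) and the third waits for a later TXOP; the whole exchange cost one medium acquisition instead of two.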


Continue reading...

  • CWNP

802.11 PPDU Formats

There are three overall PPDU formats possible in an 802.11n network, one of which (the non-HT format) was previously defined by Clause 17.


Continue reading...

  • CWNP

The Certification Game

There is a growing list of Wi-Fi industry organizations and vendors that have developed hardware and software certifications.  Let's take a look at some of them.


Continue reading...

  • CWNP

802.11 Fast BSS Transition (FT) Part 2 of 2

The IEEE 802.11r amendment introduces a new 3-tier AKM architecture and some new terminology such as Mobility Domain, Key Holders, RICs, and two tiers of Pairwise Master Keys (PMKs).  A Mobility Domain is a set of BSSs, within the same ESS, identified by a Mobility Domain Identifier (a numerical value).  Fast BSS Transition (FT) is not specified between Mobility Domains.  The definition of an authenticator is, under the new amendment, split into two pieces – each being responsible for certain tasks.  These two pieces are called the PMK-R0 Key Holder (R0KH) and the PMK-R1 Key Holder (R1KH).  These could, in many instances, be considered the WLAN controller (R0KH) and the lightweight AP (R1KH) though this is not a requirement of the amendment.
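
The point of splitting the authenticator into R0KH and R1KH is key separation: the R0KH derives one PMK-R0 per station and hands each AP only a PMK-R1 bound to that AP's R1KH-ID, so compromising an AP yields neither PMK-R0 nor another AP's PMK-R1. The following added example (not CWNP's code or any vendor's) carries the 802.11r derivations through in Python: KDF-Length with HMAC-SHA-256, PMK-R0/PMKR0Name from XXKey, and PMK-R1/PMKR1Name per AP, with a small controller-style mobility domain around them. The SSID, MDID, R0KH-ID, MAC addresses and the 32-byte XXKey are constructed values.

```python
import hashlib
import hmac
import struct


def kdf(key, label, context, length_bits):
    """802.11 KDF-Length: HMAC-SHA-256 in counter mode (16-bit little-endian counter and length)."""
    out, i = b"", 1
    while len(out) * 8 < length_bits:
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return out[:length_bits // 8]


def derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, spa):
    """R0KH side: PMK-R0 and PMKR0Name from XXKey (the PSK, or the second 256 bits of the MSK)."""
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + spa
    r0_key_data = kdf(xxkey, b"FT-R0", context, 384)
    pmk_r0, name_salt = r0_key_data[:32], r0_key_data[32:48]
    pmk_r0_name = hashlib.sha256(b"FT-R0N" + name_salt).digest()[:16]
    return pmk_r0, pmk_r0_name


def derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh_id, spa):
    """Per-AP PMK-R1 and PMKR1Name; R1KH-ID is the AP's BSSID, S1KH-ID the station's MAC (SPA)."""
    pmk_r1 = kdf(pmk_r0, b"FT-R1", r1kh_id + spa, 256)
    pmk_r1_name = hashlib.sha256(b"FT-R1N" + pmk_r0_name + r1kh_id + spa).digest()[:16]
    return pmk_r1, pmk_r1_name


class MobilityDomain:
    """Controller-style R0KH: keeps PMK-R0 to itself and pushes only PMK-R1s to its APs (R1KHs)."""

    def __init__(self, ssid, mdid, r0kh_id):
        self.ssid, self.mdid, self.r0kh_id = ssid, mdid, r0kh_id
        self.r0 = {}   # spa -> (PMK-R0, PMKR0Name); never leaves the R0KH
        self.r1 = {}   # (bssid, PMKR1Name) -> PMK-R1; what each AP's key cache holds

    def initial_auth(self, spa, xxkey):
        self.r0[spa] = derive_pmk_r0(xxkey, self.ssid, self.mdid, self.r0kh_id, spa)

    def push_r1(self, spa, bssid):
        pmk_r0, pmk_r0_name = self.r0[spa]
        pmk_r1, pmk_r1_name = derive_pmk_r1(pmk_r0, pmk_r0_name, bssid, spa)
        self.r1[(bssid, pmk_r1_name)] = pmk_r1
        return pmk_r1_name

    def ap_lookup(self, bssid, pmk_r1_name):
        """What the target AP can answer when a station names a PMK-R1 in its FT (re)association."""
        return self.r1.get((bssid, pmk_r1_name))


def station_keys(xxkey, ssid, mdid, r0kh_id, spa, bssid):
    """Supplicant side: same derivations, so the station can name PMK-R1 for any AP in the domain."""
    pmk_r0, pmk_r0_name = derive_pmk_r0(xxkey, ssid, mdid, r0kh_id, spa)
    return derive_pmk_r1(pmk_r0, pmk_r0_name, bssid, spa)
```

The station and the R0KH compute identical PMKR1Names for a target AP, which is what lets the station ask for a fast transition by name; if the R0KH has not yet pushed that PMK-R1 to the target R1KH, the lookup fails and the station falls back to a full authentication.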


Continue reading...

  • CWNP

802.11 Fast BSS Transition (FT) Part 1 of 2

The 802.11i amendment gave us Preauthentication and Pairwise Master Key (PMK) Caching.  Nothing fancy, just the basics.  Preauthentication enables supplicants (stations) to authenticate with authenticators (APs or WLAN controllers) to which they may roam.  Preauthentication always happens through the AP to which the station is currently associated – over the distribution system (typically an Ethernet network).
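
Whether the PMK came from preauthentication over the DS or from a full 802.1X exchange, PMK caching works the same way: the AP stores the PMKSA under its PMKID, the station names that PMKID in the RSN element of its (re)association request, and a cache hit skips straight to the 4-Way Handshake. This added example (not CWNP's code or any vendor's) computes the 802.11i PMKID and models the cache on both sides; the preauthentication itself is abstracted to "a PMK was agreed", and the MAC addresses and the PMK are constructed values.

```python
import hashlib
import hmac


def pmkid(pmk, aa, spa):
    """802.11i PMKID: first 128 bits of HMAC-SHA-1 over "PMK Name" || AA || SPA."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Authenticator:
    """An AP's PMKSA cache, keyed by PMKID and bound to the station address it was created for."""

    def __init__(self, bssid):
        self.bssid, self.cache = bssid, {}   # PMKID -> (PMK, SPA)

    def pmk_established(self, spa, pmk):
        """Called when preauthentication over the DS (or a full 802.1X exchange) yields a PMK."""
        self.cache[pmkid(pmk, self.bssid, spa)] = (pmk, spa)

    def on_reassoc(self, spa, rsn_pmkid_list):
        """Return the cached PMK for a PMKID the station offered, else None (full 802.1X needed)."""
        for pid in rsn_pmkid_list:
            entry = self.cache.get(pid)
            if entry and entry[1] == spa:   # a PMKID sniffed from another station buys nothing
                return entry[0]
        return None


class Station:
    """Supplicant-side PMKSA cache: one PMK per AP it has preauthenticated with."""

    def __init__(self, mac):
        self.mac, self.pmksa = mac, {}      # bssid -> PMK

    def preauth(self, ap, pmk):
        """Preauthentication through the current AP ends with both sides holding this PMK."""
        self.pmksa[ap.bssid] = pmk
        ap.pmk_established(self.mac, pmk)

    def roam_to(self, ap):
        """Offer the PMKID for this AP in the RSN element; the AP's answer is the PMK or None."""
        offered = [pmkid(pmk, bssid, self.mac) for bssid, pmk in self.pmksa.items() if bssid == ap.bssid]
        return ap.on_reassoc(self.mac, offered)
```

The PMKID travels in the clear, but it is an HMAC output, so knowing it does not help recover the PMK; and because the cache entry is bound to the SPA, replaying another station's PMKID from a different MAC address gets a cache miss rather than a free ride into the 4-Way Handshake.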


Continue reading...

Page 38 of 40