CWAP Study Notes

Table of Contents

CH01 802.11 Overview

OSI model

The OSI model is the foundation of data communication. It consists of the following layers:

  • Layer 7: Application
  • Layer 6: Presentation
  • Layer 5: Session
  • Layer 4: Transport
  • Layer 3: Network
  • Layer 2: Data-Link
    • LLC sublayer
    • MAC sublayer
  • Layer 1: Physical

Packets, frames, and bits

For 802.11 communication the primary goal is to move user data from one computing device to another.

Data is passed down the layers of the OSI model until it reaches the Physical layer, where it is represented as bits. Binary digits are the basis of digital communication; one byte of information contains 8 bits.

Data-Link layer

The 802.11 Data-Link layer is divided into two sublayers:

  • The upper sublayer is the Logical Link Control (LLC) sublayer, common to all other 802 networks and not defined by the 802.11 standard.
  • The lower sublayer is the Media Access Control (MAC) sublayer. The 802.11 standard defines the operation of the MAC sublayer, which is the interface between the Physical layer below and the LLC sublayer above.

MSDU

When Network-layer data is handed down to the Data-Link layer, it is passed to the LLC sublayer and is called the MAC Service Data Unit (MSDU). The MSDU contains the IP packet plus some LLC data.

The 802.11-2007 standard states that the maximum MSDU size is 2,304 bytes. The maximum frame body size is determined by the maximum MSDU size (2,304 octets) plus any overhead from encryption.

MPDU

When the LLC passes the data to the MAC sublayer, MAC header information is added to the MSDU, encapsulating it as a MAC Protocol Data Unit (MPDU). An MPDU is an 802.11 frame.

2016091201.png

Figure 1: 802.11 MPDU

Physical layer

The Physical layer is also divided into two sublayers: the Physical Layer Convergence Procedure (PLCP) and the Physical Medium Dependent (PMD). The PLCP sublayer takes the data from the MAC, prepares it for transmission, and packages it as a PLCP Protocol Data Unit (PPDU). The PMD sublayer modulates the data and transmits it bit by bit.

PSDU

The PSDU is the same 802.11 frame as the MPDU, just viewed from the Physical layer.

PPDU

The PLCP adds a preamble and a PHY header to the PSDU. The preamble is used for synchronization between the transmitter and the receiver. Once the PPDU has been created, the PMD takes it and transmits it.

2016091202.png

Figure 2: Data-Link and Physical layers

802.11 architecture

  • distribution system (DS)

    A system used to interconnect a set of basic service sets and integrated local area networks (LANs) to create an extended service set (ESS).

  • distribution system medium (DSM)

    The logical physical medium used by a distribution system for communications between access points and portals of an extended service set. In most cases, the DSM is an 802.3 Ethernet LAN.

802.11 services

Station service

  • Authentication
  • Deauthentication
  • Data confidentiality (encryption)
  • MSDU delivery
  • Dynamic frequency selection (DFS)
  • Transmit power control (TPC)
  • Higher-layer timer synchronization (QoS facility only)
  • QoS traffic scheduling (QoS facility only)

Distribution system service

  • Association
  • Reassociation
  • Disassociation
  • Distribution
  • Integration
  • QoS traffic scheduling (QoS facility only)

    Integration Service is a frame format transfer method.

802.11 frames

Management frames

Management frames are used by wireless stations to join and leave the basic service set.

Another name for an 802.11 management frame is a Management MAC Protocol Data Unit (MMPDU).

There is no MSDU encapsulated in the MMPDU frame body, which carries only layer 2 information fields and information elements.

The following is a list of all 12 management frame subtypes as defined by the 802.11-2007 standard:

  • Association request
  • Association response
  • Reassociation request
  • Reassociation response
  • Probe request
  • Probe response
  • Beacon
  • Announcement traffic indication message (ATIM)
  • Disassociation
  • Authentication
  • Deauthentication
  • Action

Control frames

802.11 control frames assist with the delivery of the data frames.

The following is a list of all eight control frame subtypes as defined by the 802.11 standard:

  • Power Save Poll (PS-Poll)
  • Request to send (RTS)
  • Clear to send (CTS)
  • Acknowledgment (ACK)
  • Contention Free-End (CF-End)
  • CF-End + CF+ACK
  • Block ACK Request (BlockAckReq)
  • Block ACK (BlockAck)

Data frames

Any data frames that do not carry a MSDU payload are not encrypted because a layer 3–7 data payload does not exist.

The following is a list of all 15 data frame subtypes as defined by the 802.11 standard:

  • Data (simple data frame)
  • Null function (no MSDU payload)
  • Data + CF-ACK
  • Data + CF-Poll
  • Data + CF-ACK + CF-Poll
  • CF-ACK (no MSDU payload)
  • CF-Poll (no MSDU payload)
  • CF-ACK + CF-Poll (no MSDU payload)
  • QoS data
  • QoS Null (no MSDU payload)
  • QoS data + CF-ACK
  • QoS data + CF-Poll
  • QoS data + CF-ACK + CF-Poll
  • QoS CF-Poll (no MSDU payload)
  • QoS CF-ACK + CF-Poll (no MSDU payload)
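As an added illustration (not code from the original notes), the following Python decodes the MAC header of an MPDU: it classifies the frame by type and subtype using the three lists above, works out from the To DS/From DS bits which address fields carry RA, TA, DA, SA and BSSID, locates the frame body (control frames have none), and verifies the 32-bit FCS trailer. The three sample frames and the MAC addresses in them are constructed for the example, not captured traffic.

```python
import struct
import zlib

# Subtype names keyed by subtype value, following the three lists above.
MGMT_SUBTYPES = {0: "Association request", 1: "Association response",
                 2: "Reassociation request", 3: "Reassociation response",
                 4: "Probe request", 5: "Probe response", 8: "Beacon",
                 9: "ATIM", 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication", 13: "Action"}
CTRL_SUBTYPES = {8: "BlockAckReq", 9: "BlockAck", 10: "PS-Poll", 11: "RTS",
                 12: "CTS", 13: "ACK", 14: "CF-End", 15: "CF-End + CF-ACK"}
DATA_SUBTYPES = {0: "Data", 1: "Data + CF-ACK", 2: "Data + CF-Poll",
                 3: "Data + CF-ACK + CF-Poll", 4: "Null function", 5: "CF-ACK",
                 6: "CF-Poll", 7: "CF-ACK + CF-Poll", 8: "QoS data",
                 9: "QoS data + CF-ACK", 10: "QoS data + CF-Poll",
                 11: "QoS data + CF-ACK + CF-Poll", 12: "QoS Null",
                 14: "QoS CF-Poll", 15: "QoS CF-ACK + CF-Poll"}
FRAME_TYPES = {0: ("Management", MGMT_SUBTYPES), 1: ("Control", CTRL_SUBTYPES),
               2: ("Data", DATA_SUBTYPES)}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mpdu(header, body=b""):
    """Append the trailer: the FCS is a CRC-32 over header + body, sent little-endian."""
    mpdu = header + body
    return mpdu + struct.pack("<I", zlib.crc32(mpdu) & 0xFFFFFFFF)


def parse_mpdu(frame):
    """Decode the MAC header, locate the frame body and check the FCS of one MPDU."""
    if len(frame) < 14:
        raise ValueError("shorter than Frame Control + Duration + Address 1 + FCS")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    type_name, subtypes = FRAME_TYPES.get(ftype, ("Reserved", {}))
    info = {"version": fc0 & 0x3, "type": type_name,
            "subtype": subtypes.get(subtype, f"Reserved ({subtype})"),
            "to_ds": to_ds, "from_ds": from_ds, "retry": bool(fc1 & 0x08),
            "protected": bool(fc1 & 0x40),   # frame body is encrypted (WEP/TKIP/CCMP)
            "duration": struct.unpack_from("<H", frame, 2)[0]}
    payload, fcs = frame[:-4], frame[-4:]
    info["fcs_ok"] = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) == fcs

    if ftype == 1:
        # Control frames carry no frame body; ACK and CTS have only RA, the rest RA + TA.
        addrs = {"RA": mac_str(frame[4:10])}
        if subtype not in (12, 13):
            if len(frame) < 20:
                raise ValueError("control frame too short for TA")
            addrs["TA"] = mac_str(frame[10:16])
        info.update(addresses=addrs, body=b"")
        return info

    if len(frame) < 28:
        raise ValueError("too short for three addresses + Sequence Control + FCS")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    header_len = 24
    if ftype == 0 or (not to_ds and not from_ds):   # management, or STA to STA
        roles = {"DA": a1, "SA": a2, "BSSID": a3}
    elif from_ds and not to_ds:                      # AP to station
        roles = {"DA": a1, "BSSID": a2, "SA": a3}
    elif to_ds and not from_ds:                      # station to AP
        roles = {"BSSID": a1, "SA": a2, "DA": a3}
    else:                                            # WDS: Address 4 is present
        if len(frame) < 34:
            raise ValueError("WDS frame too short for Address 4")
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": frame[24:30]}
        header_len = 30
    if ftype == 2 and subtype & 0x8:                 # QoS subtypes add QoS Control (2 bytes)
        header_len += 2
    if len(frame) < header_len + 4:
        raise ValueError("frame shorter than its MAC header + FCS")
    info["addresses"] = {k: mac_str(v) for k, v in roles.items()}
    info["sequence"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    info["body"] = payload[header_len:]
    return info


# Constructed sample frames: AP 02:00:00:00:00:01, client 02:00:00:00:00:02, and a
# wired host 02:00:00:00:00:03 reached through the AP. Not captured traffic.
AP, CLIENT, WIRED = (bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                     bytes.fromhex("020000000003"))
# Deauthentication (type 0, subtype 12): A1 = DA, A2 = SA, A3 = BSSID; body = reason code 3.
DEAUTH = build_mpdu(bytes([0xC0, 0x00]) + struct.pack("<H", 314) + CLIENT + AP + AP
                    + struct.pack("<H", 5 << 4), struct.pack("<H", 3))
# Encrypted data frame from the DS (From DS = 1, Protected = 1): A1 = DA, A2 = BSSID, A3 = SA.
DATA_FROM_DS = build_mpdu(bytes([0x08, 0x42]) + struct.pack("<H", 44) + CLIENT + AP + WIRED
                          + struct.pack("<H", 7 << 4), bytes.fromhex("deadbeef"))
# ACK (type 1, subtype 13): Frame Control, Duration and RA only; no frame body.
ACK = build_mpdu(bytes([0xD4, 0x00, 0x00, 0x00]) + AP)

if __name__ == "__main__":
    for name, frame in (("deauth", DEAUTH), ("data", DATA_FROM_DS), ("ack", ACK)):
        print(name, parse_mpdu(frame))
```

The address-role table is the one the answer to review question 20 describes: three addresses normally, four only when both To DS and From DS are set. Monitoring tools that count deauthentication frames per source address work on exactly the fields `parse_mpdu` returns.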

IEEE 802.11-2007 standard and amendments

802.11b

802.11b radio devices support data rates of 1, 2, 5.5, and 11 Mbps, using Complementary Code Keying (CCK) for the two higher rates.

802.11a

5 GHz, OFDM.

802.11g

Extended Rate Physical (ERP); supports data rates up to 54 Mbps.

802.11n-2009

The 802.11n amendment defines a new operation known as high throughput (HT), which provides PHY and MAC enhancements to provide for data rates potentially as high as 600 Mbps.

Wi-Fi Alliance

The Wi-Fi Alliance’s main task is to ensure the interoperability of WLAN products by providing certification testing.

Review Questions

  1. The information found inside an IP packet is considered the main payload for which of the following?

    A. MPDU

    B. PPDU

    C. PSDU

    D. MSDU

    E. MMPDU

    Answer

    D. An IP packet comprises layer 3–7 information. The MAC Service Data Unit (MSDU) contains data from the LLC sublayer and/or any number of layers above the Data-Link layer. The MSDU is the payload found inside the body of 802.11 data frames.

  2. Which sublayer of the OSI model’s Data-Link layer is used for communication between 802.11 radios?

    A. LLC

    B. WPA

    C. MAC

    D. FSK

    Answer

    C. The IEEE 802.11-2007 standard defines communication mechanisms at only the Physical layer and the MAC sublayer of the Data-Link layer of the OSI model. The Logical Link Control (LLC) sublayer of the Data-Link layer is not defined by the 802.11-2007 standard. WPA is a security certification. FSK is a modulation method.

  3. Which of the following contains the same information found with an MPDU?

    A. APDU

    B. PPDU

    C. PSDU

    D. MSDU

    Answer

    C. The Data-Link layer refers to an 802.11 frame as the MPDU, while the Physical layer refers to this same 802.11 frame as the PLCP Service Data Unit (PSDU).

  4. What are the three main components of an 802.11 MPDU? (Choose the three best answers.)

    A. Frame body

    B. PPDU

    C. MSDU

    D. Trailer

    E. MAC header

    Answer

    A, D, E. The 802.11 frame contains a layer 2 MAC header, a variable-length frame body, and a trailer, which is a 32-bit CRC known as the frame check sequence (FCS). The frame body contains the MSDU. The PPDU consists of a PSDU, preamble, and PHY header.

  5. Which 802.11 frames are usually encrypted for data privacy reasons?

    A. Management frames

    B. Control frames

    C. QoS data frames with MSDU payload

    D. Data frames without an MSDU payload

    E. MMPDU

    Answer

    C. Most 802.11 data frames and QoS data frames carry the actual MSDU data that is passed down from the higher-layer protocols. The layer 3–7 MSDU payload is normally encrypted for data privacy reasons. However, some 802.11 data frames carry no MSDU payload at all but do have a specific MAC control purpose within a basic service set (BSS). Any data frames that do not carry an MSDU payload are not encrypted because a layer 3–7 data payload does not exist. Management frames do not carry any upper-layer information. 802.11 management frames have no MSDU encapsulated in the MMPDU frame body, which carries only layer 2 information fields and information elements. 802.11 control frames contain only header information and a trailer. Control frames do not have a frame body.

  6. Which OSI sublayer is responsible for modulation and transmission of data bits?

    A. PLCP

    B. PPTP

    C. MAC

    D. LLC

    E. PMD

    Answer

    E. The PLCP and PMD are sublayers of layer 1, the Physical layer. The PLCP sublayer adds a preamble and PHY header to the PSDU to create a PPDU. The preamble is used for synchronization between transmitting and receiving 802.11 radios. After the PPDU is created, the PMD sublayer takes the PPDU and modulates the data bits and begins transmitting. The LLC and MAC are sublayers of the layer 2 Data-Link layer.

  7. In what type of WLAN devices can the distribution system services (DSSs) operate? (Choose all that apply.)

    A. Mesh Access point

    B. WLAN controller

    C. Autonomous access point

    D. Laptop client radio

    E. VoWiFi phone

    Answer

    A, B, C. The IEEE does not define the specifics of DS implementation; the architecture that uses the distribution system services (DSSs) can be used by different types of WLAN architecture including access points and WLAN controllers. Client STAs do not use any of the services of DSS and only use the capabilities of the 802.11 defined station service (SS).

  8. Which service of the DSS is responsible for the transfer of upper layer 3–7 information from an 802.11 frame format to an 802.3 frame format?

    A. Association

    B. Integration

    C. Reassociation

    D. Disassociation

    E. QoS traffic scheduling

    Answer

    B. All the options are considered distribution system services (DSSs). The integration service (IS) enables delivery of MSDUs between the distribution system (DS) and a non-IEEE-802.11 local area network (LAN), via a portal. A simpler way of defining the integration service is to characterize it as a frame format transfer method. The portal is usually either an access point or a WLAN controller. The payload of a wireless 802.11 data frame is the upper layer 3–7 information known as the MSDU. The eventual destination of this payload usually resides on a wired network infrastructure. Because the wired infrastructure is a different physical medium, an 802.11 data frame payload (MSDU) must be effectively transferred into an 802.3 Ethernet frame.

  9. Which of these services can be characterized by the 802.11 station service (SS)? (Choose all that apply.)

    A. Association

    B. Authentication

    C. Disassociation

    D. Deauthentication

    E. Transmit power control

    Answer

    B, D, E. Authentication, deauthentication, data confidentiality (encryption), MSDU delivery, dynamic frequency selection (DFS), transmit power control (TPC), higher layer timer synchronization (QoS facility only), and QoS traffic scheduling (QoS facility only) are all considered to be station services that are provided at the MAC sublayer. Association and disassociation are services that also operate at the MAC sublayer; however, they are classified as distribution system services.

  10. Which of these 802.11 frames carry a MAC sublayer payload inside the frame body? (Choose all that apply.)

    A. Beacon

    B. Data frame

    C. Reassociation request

    D. QoS data frame

    E. Probe response

    F. PS-Poll

    Answer

    A, C, E. Beacon, reassociation request, and probe response frames are all 802.11 management frames. Management frames have a MAC header, a frame body, and a trailer; however, management frames do not carry any upper-layer information. There is no MSDU encapsulated in the MMPDU frame body, which carries only layer 2 information fields and information elements. A PS-Poll frame is an 802.11 control frame. Control frames do not have a frame body. Data and QoS data frames are MPDUs whose frame body contains an MSDU upper-layer 3–7 payload.

  11. In what type of WLAN devices can the stations service (SS) operate? (Choose all that apply.)

    A. Mesh access point

    B. WLAN controller

    C. Autonomous access point

    D. Laptop client radio

    E. VoWiFi phone

    Answer

    A, B, C, D, E. The station service (SS) is used by all 802.11 client stations including APs. Access points also use station services because they also have STA functionality. The majority of WLAN controller vendors implement what is known as a split MAC architecture. With this type of WLAN architecture, some of the MAC services are handled by the WLAN controller, and some are handled by the controller-based access point. Therefore, the 802.11 station MAC services such as data privacy (encryption) are used by client STAs and other WLAN architecture. However, the distribution system MAC services such as the integration service do not operate with client STAs.

  12. The IEEE 802.11-2007 standard defines communication mechanisms at which layers of the OSI model? (Choose all that apply.)

    A. Network

    B. Physical

    C. Transport

    D. Application

    E. Data-Link

    F. Session

    Answer

    B, E. The IEEE 802.11-2007 standard only defines communication mechanisms at the Physical layer and MAC sublayer of the Data-Link layer of the OSI model.

  13. Which OSI sublayer is responsible for adding a preamble and PHY header to an MPDU?

    A. PLCP

    B. PPTP

    C. MAC

    D. LLC

    E. PMD

    Answer

    A. The MAC layer refers to an 802.11 frame as the MPDU, while the Physical layer refers to this same exact 802.11 frame as the PSDU. The PLCP and PMD are sublayers of layer 1, the Physical layer. The PLCP sublayer adds a preamble and PHY header to the PSDU to create a PPDU. The preamble is used for synchronization between transmitting and receiving 802.11 radios. After the PPDU is created, the PMD sublayer takes the PPDU, modulates the data bits, and begins transmitting. The LLC and MAC are sublayers of the layer 2 Data-Link layer.

  14. Which of the following frequency spaces are supported by HT clause 20 radios? (Choose all that apply.)

    A. UNII 5.15–5.25 GHz

    B. UNII 5.25–5.35 GHz

    C. UNII 5.47–5.715 GHz

    D. UNII 5.725–5.825 GHz

    E. ISM 2.4–2.4835 GHz

    Answer

    A, B, C, D, E. HT clause 20 (802.11n) radios operate in the 2.4 GHz ISM band as well as in the four UNII bands (UNII-1, UNII-2, UNII-2 Extended, and UNII-3).

  15. Which of the following devices are classified as 802.11 STA devices? (Choose all that apply.)

    A. Autonomous AP

    B. VoWiFi Telephone

    C. Cellular Telephone

    D. DSSS Barcode Scanner

    Answer

    A, B, D. The 802.11-2007 standard defines a station (STA) as any device that contains 802.11-compliant MAC and PHY interface to the wireless medium (WM). Although access points are typically specifically referred to as APs, since they contain an 802.11-compliant MAC and PHY interface to the wireless medium, they are technically stations, albeit a special type of station. Cellular telephones do not use 802.11 standards.

  16. Which Wi-Fi Alliance certification validates many of the robust security network (RSN) mechanisms defined in the 802.11-2007 standard? (Choose all that apply.)

    A. WMM

    B. CWG-RF

    C. 802.11k

    D. WMM-PS

    E. WPA2

    Answer

    E. The Wi-Fi Alliance maintains the Wi-Fi Protected Access 2 (WPA2) certification. WPA2 is based on the robust security network (RSN) mechanisms that were originally defined in the IEEE 802.11i amendment, which is now part of the 802.11-2007 standard. Two versions of WPA2 exist: WPA2-Personal defines security for a SOHO environment, and WPA2-Enterprise defines stronger security for enterprise corporate networks. Each certified product is required to support both WPA2-Personal and WPA2-Enterprise.

  17. HT clause 20 radios are backward compatible with which of the following type of 802.11 radios? (Choose all that apply.)

    A. Clause 18 radios (HR-DSSS)

    B. Clause 17 radios (OFDM)

    C. Clause 14 radios (FHSS)

    D. Clause 19 radios (ERP)

    Answer

    A, B, D. HT clause 20 radios are backward compatible with older clause 18 radios (HR-DSSS), clause 17 radios (OFDM), and clause 19 radios (ERP). In other words, 802.11n radios are backward compatible with 802.11b, 802.11a, and 802.11g radios. HT radios are not backward compatible with legacy frequency hopping radios.

  18. Which of these 802.11 frames are considered to be 802.11 control frames? (Choose all that apply.)

    A. ATIM

    B. ACK

    C. CTS

    D. Probe response

    E. PS-Poll

    Answer

    B, C, E. The ACK, CTS and PS-Poll frames are all 802.11 control frames. The ATIM and probe response frame are 802.11 management frames. 802.11 control frames assist with the delivery of the data frames. Control frames are also used to clear the channel, acquire the channel, and provide unicast frame acknowledgments.

  19. What is the maximum size of the payload of a data frame as defined by the 802.11-2007 standard?

    A. 1500 bytes

    B. 2304 bytes

    C. 1504 bytes

    D. 1518 bytes

    E. 1522 bytes

    Answer

    B. One of the differences between 802.3 Ethernet and 802.11 frames is the frame size. 802.3 frames have a maximum size of 1,518 bytes with a maximum data payload of 1,500 bytes. If the 802.3 frames are 802.1Q tagged for VLANs and user priority, the maximum size of the 802.3 frame is 1,522 bytes with data payload of 1,504 bytes. The payload of an 802.11 data frame is the layer 3–7 information found in the MAC Service Data Unit (MSDU). The 802.11-2007 standard states that the maximum size of the MSDU is 2,304 bytes. The maximum 802.11 frame body size is determined by the maximum MSDU size (2,304 octets) plus any overhead from encryption.

  20. How many MAC address fields are found in the MAC header of an 802.11 frame? (Choose all that apply.)

    A. Four

    B. Three

    C. Two

    D. One

    Answer

    A. A huge difference between 802.3 and 802.11 frames is the MAC addressing fields. 802.3 frames have only a source address (SA) and destination address (DA) in the layer 2 header. 802.11 frames have four address fields in the MAC header. 802.11 frames typically use only three of the MAC address fields. However, an 802.11 frame sent within a wireless distribution system (WDS) requires four MAC addresses. The contents of these four fields can include the following MAC addresses: receiver address (RA), transmitter address (TA), basic service set identifier (BSSID), destination address (DA), and source address (SA). Certain frames may not contain some of the address fields.

CH02 802.11 Physical (PHY) Layer Frame Format

Physical Layer Operations

Regardless of which Physical layer a wireless station uses to transmit and receive data, one thing is common to all of them: every station must wait and listen for data that it has to receive and process, or wait until the current channel is idle before transmitting.

Carrier Sense/Clear Channel Assessment(CS/CCA)

If a station is neither transmitting nor receiving, it must be listening: either detecting the start of a receivable network signal, or determining whether the channel is currently unoccupied.

In short, a station is in one of two states, idle or transmitting. While idle it may be waiting for the channel to become free so that it can transmit, or listening for and waiting to receive a frame sent by another station.

Tx

When a station is ready to transmit a frame, it uses CS/CCA to check whether the channel is idle, and transmits only when the channel is available.

Once the station has gained a transmit opportunity, it transmits immediately and then enters the receive-wait state. When the receiver gets the frame, it sends an acknowledgment (ACK), or a Block ACK acknowledging several frames at once.

Rx

If CS/CCA determines that the medium is busy, the station needs to work out whether the channel is busy because another station is transmitting. A transmitting station prepends a preamble to its data. The preamble contains a string of 0s and 1s that the receiving station uses to detect and synchronize with the transmission; in effect it tells the receiver that data is arriving and it should prepare to receive. The preamble also contains a start frame delimiter, which the receiving station uses to find the beginning of the frame. Following the preamble is the Length field of the PHY header, which tells the receiving station how long the frame is. When the whole frame has been received and the station determines that it is intact, it replies with an ACK.

Physical Layer

The Physical layer is divided into two sublayers. The upper half is the Physical Layer Convergence Procedure (PLCP) sublayer and the lower half is the Physical Medium Dependent (PMD) sublayer. The PLCP takes the frame from the MAC layer and creates the PLCP Protocol Data Unit (PPDU). The PMD sublayer then modulates the data and transmits it as a bit stream. When the MPDU is handed to the Physical layer it is called the PSDU, and the PSDU is then transmitted as part of the PPDU.

PLCP Service Data Unit

The PSDU is the data that the Physical layer transmits. It is equivalent to the MPDU; PSDU is simply the Physical-layer name for it.

PLCP Protocol Data Unit

The PLCP adds a preamble and a PHY header in front of the PSDU. The preamble is used for synchronization between the two sides.

2016092601.png

Figure 3: Data-Link and Physical layers

Physical Medium Dependent

On transmit, once the PMD receives the PPDU from the PLCP sublayer, the PMD is responsible for sending it. On receive, the PMD listens to the RF medium, interprets the modulated RF signal as 1s and 0s, and passes the received data up to the PLCP sublayer.

PLCP Protocol Data Unit

PLCP Preamble

When transmitting, the station sends a preamble to notify the receiving station that a transmission has started.

The IEEE 802.11 standard defines three preamble formats: the Long PPDU, the Short PPDU, and the OFDM PLCP preamble. 802.11n defines three more: the non-HT legacy PPDU, the HT-mixed PPDU, and the HT-greenfield PPDU.

  • Long PLCP Preamble

    2016092602.png

    Figure 4: Long PPDU format

    Synchronization between Tx and Rx must be complete by the time the SFD (Start of Frame Delimiter) arrives. The long preamble is transmitted using Differential Binary Phase Shift Keying (DBPSK) at a fixed rate of 1 Mbps. The receiver does not need to capture the entire Sync field; receiving the complete SFD is enough.

  • Short PLCP Preamble

    2016092603.png

    Figure 5: Short PPDU format

  • OFDM PLCP Preamble

    It consists of 10 short symbols and 2 long symbols. In the figure, t1 to t10 identify the short training symbols, GI2 is a long guard interval, and T1 and T2 identify the long training symbols. Following the PLCP preamble are the SIGNAL field and the DATA fields, each preceded by a guard interval. The total training length is 16 μs. A short OFDM training symbol consists of 12 subcarriers, while a long OFDM training symbol consists of 53 subcarriers.

    2016092801.png

    Figure 6: The OFDM training structure (PLCP Preamble)

PLCP Header

Long and Short PLCP Headers are both 48 bits long and contain the following four fields:

  1. Signal (8 bits): indicates the modulation method used to transmit the PSDU, that is, the rate at which the MAC frame is sent.

    When the Long PLCP header is used, the PSDU can be sent at one of four rates: 1, 2, 5.5, or 11 Mbps. When the Short PLCP header is used, only three rates are available: 2, 5.5, or 11 Mbps.

  2. Service (8 bits)
    • 5 of the 8 bits are used.
    • Bit 3 indicates the modulation method (0 = CCK, Complementary Code Keying; 1 = PBCC, Packet Binary Convolutional Code).
    • Bit 2 indicates that the transmit frequency and the symbol clock are derived from the same oscillator.
    • Bits 5-7 resolve Length field ambiguities for the ERP-PBCC rates (11 to 33 Mbps).
    • Bit 7 is also the length extension bit that supplements the Length field for CCK at 11 Mbps.
  3. Length (16 bits): the number of microseconds (μs) required to transmit the PSDU.
  4. CRC (16 bits): protects the other three fields (Signal, Service, and Length).
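The following Python is an added example, not code from the original notes: it builds and decodes the 48-bit Long/Short PLCP header described above. The Signal codes (0x0A, 0x14, 0x37, 0x6E for 1, 2, 5.5 and 11 Mbps) and the CRC generator polynomial are the standard's; two details are assumptions made for this example: the CRC is fed the header bits least-significant bit first, field by field, and the length extension bit is set exactly when the rounded-up 11 Mbps duration contains a whole octet of padding (which is when a receiver computing Length × 11 / 8 would count one octet too many).

```python
# SIGNAL field codes from the standard: the PSDU rate in units of 100 kbit/s.
SIGNAL_CODES = {1.0: 0x0A, 2.0: 0x14, 5.5: 0x37, 11.0: 0x6E}
RATE_BY_CODE = {code: rate for rate, code in SIGNAL_CODES.items()}
# Rates as exact fractions of bits per microsecond, so LENGTH is computed without floats.
BITS_PER_USEC = {1.0: (1, 1), 2.0: (2, 1), 5.5: (11, 2), 11.0: (11, 1)}
LONG_HEADER_RATES = (1.0, 2.0, 5.5, 11.0)
SHORT_HEADER_RATES = (2.0, 5.5, 11.0)

# SERVICE field bits used here (the remaining bits are reserved or PBCC-specific).
SERVICE_LOCKED_CLOCKS = 1 << 2  # bit 2: Tx frequency and symbol clock share one oscillator
SERVICE_PBCC = 1 << 3           # bit 3: 0 = CCK, 1 = PBCC
SERVICE_LENGTH_EXT = 1 << 7     # bit 7: length extension bit for CCK at 11 Mbps


def length_field(octets, rate):
    """Return (LENGTH in microseconds, length-extension bit) for a PSDU of `octets`.

    LENGTH = ceil(octets * 8 / rate). At 11 Mbps one microsecond carries 11 bits, so the
    rounded-up duration can hold a full octet of padding; the extension bit flags that
    case so the receiver subtracts it (assumed reading of the rule, see the lead-in).
    """
    num, den = BITS_PER_USEC[rate]
    bits = octets * 8
    usec = -(-(bits * den) // num)          # integer ceiling of bits / (num / den)
    ext = 1 if rate == 11.0 and usec * 11 - bits >= 8 else 0
    return usec, ext


def octets_from_length(usec, rate, ext):
    """Receiver side: recover the PSDU size from LENGTH, the rate and the extension bit."""
    num, den = BITS_PER_USEC[rate]
    return (usec * num) // (8 * den) - ext


def plcp_crc16(signal, service, length):
    """CRC-16 over SIGNAL, SERVICE and LENGTH: generator x^16 + x^12 + x^5 + 1, register
    preset to all ones, remainder complemented. Bits are fed LSB first, field by field
    (assumed to be the transmit order)."""
    crc = 0xFFFF
    for value, width in ((signal, 8), (service, 8), (length, 16)):
        for i in range(width):
            feedback = ((value >> i) & 1) ^ (crc >> 15)
            crc = (crc << 1) & 0xFFFF
            if feedback:
                crc ^= 0x1021
    return crc ^ 0xFFFF


def build_plcp_header(octets, rate, short=False, pbcc=False, locked_clocks=True):
    """Assemble the 48-bit header: SIGNAL, SERVICE, LENGTH (LE), CRC (LE)."""
    allowed = SHORT_HEADER_RATES if short else LONG_HEADER_RATES
    if rate not in allowed:
        kind = "short" if short else "long"
        raise ValueError(f"{rate} Mbps is not allowed with a {kind} PLCP header")
    usec, ext = length_field(octets, rate)
    service = ((SERVICE_LOCKED_CLOCKS if locked_clocks else 0)
               | (SERVICE_PBCC if pbcc else 0)
               | (SERVICE_LENGTH_EXT if ext else 0))
    signal = SIGNAL_CODES[rate]
    crc = plcp_crc16(signal, service, usec)
    return bytes([signal, service]) + usec.to_bytes(2, "little") + crc.to_bytes(2, "little")


def parse_plcp_header(header):
    """Decode a 6-byte header; crc_ok is False when any protected field was altered."""
    if len(header) != 6:
        raise ValueError("a PLCP header is 48 bits")
    signal, service = header[0], header[1]
    usec = int.from_bytes(header[2:4], "little")
    crc = int.from_bytes(header[4:6], "little")
    rate = RATE_BY_CODE.get(signal)
    if rate is None:
        raise ValueError(f"unknown SIGNAL value 0x{signal:02x}")
    ext = 1 if service & SERVICE_LENGTH_EXT else 0
    return {"rate_mbps": rate,
            "pbcc": bool(service & SERVICE_PBCC),
            "locked_clocks": bool(service & SERVICE_LOCKED_CLOCKS),
            "length_usec": usec,
            "psdu_octets": octets_from_length(usec, rate, ext),
            "crc_ok": plcp_crc16(signal, service, usec) == crc}


def length_roundtrip_ok(max_octets=2400):
    """True if every PSDU size up to max_octets survives encode -> decode at all rates."""
    for rate in LONG_HEADER_RATES:
        for n in range(1, max_octets + 1):
            usec, ext = length_field(n, rate)
            if octets_from_length(usec, rate, ext) != n:
                return False
    return True


if __name__ == "__main__":
    hdr = build_plcp_header(1500, 11.0)
    print(hdr.hex(), parse_plcp_header(hdr))
```

A 1500-octet PSDU needs 12000 bit-times: 12000 μs at 1 Mbps, 6000 at 2 Mbps, 2182 at 5.5 Mbps and 1091 at 11 Mbps. The CRC only covers the three header fields, so a tampered or corrupted header is noticed before the receiver commits to the stated length; it says nothing about the integrity of the PSDU itself, which is the MAC-layer FCS's job.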

802.11n PPDUs

2016092802.png

802.11n introduced three new PPDU formats:

  1. non-HT legacy PPDU
    • Consists of a preamble that uses short and long training symbols (10 STF and 2 LTF).
    • Support for the non-HT legacy format is mandatory for 802.11n radios.
    • non-HT transmissions use only 20 MHz channels (the same format used by 802.11a and 802.11g).
  2. HT-mixed PPDU
    • The preamble contains the non-HT short and long training symbols that can be decoded by legacy 802.11a (clause 17) or 802.11g (clause 19) radios.
    • The rest of the HT-mixed preamble and header cannot be decoded by legacy clients.
    • Transmission can occur in both 20 MHz and 40 MHz channels.
    • When a 40 MHz channel is used, all broadcast traffic must be sent on the legacy 20 MHz channel (for legacy clients).
  3. HT-greenfield PPDU
    • The preamble is not compatible with legacy clients.

2.4 Ghz Communications

The 2.4 GHz ISM band is 83.5 MHz wide and spans from 2.4000 GHz to 2.4835 GHz.

Each country's regulatory body decides which of the 2.4 GHz channels may be used for transmission.

2.4 GHz Channels

In 2.4 GHz the center frequencies of neighboring channels are 5 MHz apart; for two channels to be nonoverlapping, their center frequencies must be at least 25 MHz apart.

A transmitted 2.4 GHz signal contains sideband frequencies in addition to the main carrier. The sideband signal strength must be a specified amount below the main carrier (the transmit spectrum mask) so that the sidebands do not interfere with transmission on the main carrier.

2016092604.png

Figure 7: IEEE 802.11b transmit spectrum mask

5 GHz Communications

Table 1: The 5 GHz UNII bands
Band Name Frequency range Channels
UNII-1 Lower 5.15 to 5.25 GHz 4 channels
UNII-2 Middle 5.25 to 5.35 GHz 4 channels
UNII-2 Extended Extended 5.47 to 5.725 GHz 11 channels
UNII-3 Upper 5.725 to 5.825 GHz 4 channels

5 GHz Channels

5 GHz channel center frequency formula: 5,000 + 5 × nch (MHz), where nch ranges from 0 to 200.

Adjacent, Nonadjacent, and Overlapping Channels

Table 2: Adjacent vs. nonadjacent
|                | DSSS clause 15 | HR-DSSS clause 18 | ERP clause 19 | OFDM clause 17 |
|----------------+----------------+-------------------+---------------+----------------|
| Frequency band | 2.4 GHz ISM    | 2.4 GHz ISM       | 2.4 GHz ISM   | UNII bands     |
| Adjacent       | ≥ 30 MHz       | ≥ 25 MHz          | = 25 MHz      | = 20 MHz       |
| Nonadjacent    | N/A            | N/A               | > 25 MHz      | > 20 MHz       |
| Overlapping    | < 30 MHz       | < 25 MHz          | < 25 MHz      | N/A            |
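The following Python is an added example, not part of the original notes. It turns the channel rules above into code: center frequencies for 2.4 GHz and 5 GHz channels, the adjacent/nonadjacent/overlapping classification of Table 2, a greedy choice of nonoverlapping channels, and the 802.11b transmit spectrum mask limits of Figure 7 (0 dBr within ±11 MHz of the center, −30 dBr out to ±22 MHz, −50 dBr beyond; these numbers come from the standard, not from the text above).

```python
# Center frequencies in MHz. 2.4 GHz: channels 1-13 start at 2412 MHz and are 5 MHz
# apart; channel 14 (DSSS only, Japan) is at 2484 MHz. 5 GHz: 5000 + 5 * nch.
def center_frequency_mhz(band, channel):
    if band == "2.4":
        if 1 <= channel <= 13:
            return 2412 + 5 * (channel - 1)
        if channel == 14:
            return 2484
        raise ValueError("2.4 GHz channel numbers run from 1 to 14")
    if band == "5":
        if 0 <= channel <= 200:
            return 5000 + 5 * channel
        raise ValueError("nch must be between 0 and 200")
    raise ValueError("band must be '2.4' or '5'")


# Table 2 as data: the center-frequency separation (MHz) at or above which two channels
# of a PHY count as adjacent, and (where the table defines it) above which they are
# nonadjacent. None means the table says N/A.
SEPARATION_RULES = {
    "DSSS clause 15":    {"band": "2.4", "adjacent_min": 30, "nonadjacent_above": None},
    "HR-DSSS clause 18": {"band": "2.4", "adjacent_min": 25, "nonadjacent_above": None},
    "ERP clause 19":     {"band": "2.4", "adjacent_min": 25, "nonadjacent_above": 25},
    "OFDM clause 17":    {"band": "5",   "adjacent_min": 20, "nonadjacent_above": 20},
}


def separation_mhz(phy, ch_a, ch_b):
    band = SEPARATION_RULES[phy]["band"]
    return abs(center_frequency_mhz(band, ch_a) - center_frequency_mhz(band, ch_b))


def channel_relation(phy, ch_a, ch_b):
    """Classify two channels as 'adjacent', 'nonadjacent', 'overlapping' or 'undefined'."""
    rule = SEPARATION_RULES[phy]
    sep = separation_mhz(phy, ch_a, ch_b)
    if rule["nonadjacent_above"] is not None and sep > rule["nonadjacent_above"]:
        return "nonadjacent"
    if sep >= rule["adjacent_min"]:
        return "adjacent"
    # Table 2 has no overlapping entry for OFDM: 5 GHz channel plans step by 20 MHz.
    return "overlapping" if rule["band"] == "2.4" else "undefined"


def nonoverlapping_channels(phy, candidates):
    """Greedy pick, lowest channel first, of channels that are pairwise nonoverlapping."""
    rule = SEPARATION_RULES[phy]
    chosen = []
    for ch in sorted(candidates):
        if all(separation_mhz(phy, ch, c) >= rule["adjacent_min"] for c in chosen):
            chosen.append(ch)
    return chosen


def dsss_mask_limit_dbr(offset_mhz):
    """802.11b transmit spectrum mask: maximum sideband power relative to the carrier
    (dBr) at a given offset from the channel center. Limits are from the standard."""
    offset = abs(offset_mhz)
    if offset <= 11:
        return 0
    if offset <= 22:
        return -30
    return -50


if __name__ == "__main__":
    print(nonoverlapping_channels("HR-DSSS clause 18", range(1, 12)))   # [1, 6, 11]
    print(channel_relation("OFDM clause 17", 36, 40))                   # adjacent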

Clause 14 FHSS PHY

FHSS stands for Frequency Hopping Spread Spectrum. It provides 1 and 2 Mbps RF data rates in the 2.4 GHz band, using a 79 MHz range from 2.402 GHz to 2.480 GHz.

  1. Hopping Sequence: the fixed sequence of frequencies the radio hops through.
  2. Dwell Time: the time spent transmitting on one frequency before hopping to the next.
  3. Hop Time: the time needed to move from one frequency to the next.
  4. Modulation: data is encoded using Gaussian Frequency Shift Keying (GFSK).

Clause 15 DSSS PHY

Clause 15 DSSS (Direct Sequence Spread Spectrum) provides 1 and 2 Mbps in the 2.4 GHz band; HR-DSSS, defined in 802.11b, extends this to 5.5 and 11 Mbps. Transmission stays on one fixed channel, and the data is spread across the whole frequency range that makes up that channel. The encoding process is what spreads the data over the channel.

  1. DSSS Data Encoding: to withstand interference, each data bit is transmitted as a sequence of several bits. The system converts one bit into a group of bits called chips. For example: Binary data 1 = 1 0 1 1 0 1 1 1 0 0 0; Binary data 0 = 0 1 0 0 1 0 0 0 1 1 1.
  2. Modulation: Differential Binary Phase Shift Keying (DBPSK) utilizes two phase shifts, one that represents a 0 chip and another that represents a 1 chip.

    Differential Quadrature Phase Shift Keying (DQPSK) is an enhancement to DBPSK that uses four phase shifts, doubling the data rate to 2 Mbps.

    Table 3: DSSS encoding and modulation overview
    Data rate (Mbps) Encoding Chip length Bits encoded Modulation
    1 Barker coding 11 1 DBPSK
    2 Barker coding 11 1 DQPSK
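Added example (not from the original notes): spreading and despreading with the 11-chip Barker code shown above, plus a constructed interference pattern that flips individual chips to show why chipping tolerates errors that would destroy an unspread bit.

```python
BARKER_11 = (1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0)   # chips for a data 1; a data 0 sends the complement
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """DSSS encoding: replace every data bit with 11 chips."""
    chips = []
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError("data bits must be 0 or 1")
        chips.extend(BARKER_11 if bit else tuple(c ^ 1 for c in BARKER_11))
    return chips


def despread(chips):
    """Correlate each 11-chip block with the Barker code; the majority of matching chips wins."""
    if len(chips) % CHIPS_PER_BIT:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for i in range(0, len(chips), CHIPS_PER_BIT):
        block = chips[i:i + CHIPS_PER_BIT]
        matches = sum(1 for c, b in zip(block, BARKER_11) if c == b)
        bits.append(1 if matches > CHIPS_PER_BIT // 2 else 0)   # 6 or more of 11 -> 1
    return bits


def corrupt(chips, positions):
    """Flip the chips at the given positions: a constructed burst of interference."""
    damaged = list(chips)
    for p in positions:
        damaged[p] ^= 1
    return damaged


def max_tolerated_chip_errors():
    """Chip errors per bit that the majority decision survives: 5 of 11."""
    return (CHIPS_PER_BIT - 1) // 2


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]
    chips = spread(data)
    print(despread(corrupt(chips, [0, 3, 7, 12, 13, 14, 15, 16])) == data)   # True
```

Each data bit costs 11 chip-times, which is why DSSS at 1 Mbps occupies the same 22 MHz channel as the 11 Mbps HR-DSSS rates: the chip rate, not the bit rate, sets the occupied bandwidth.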

Clause 17 OFDM PHY

802.11a uses 52 subcarriers, 48 of which carry data. The remaining 4 are pilot subcarriers that the demodulator uses as phase and amplitude references to compensate for distortion of the OFDM signal.

2016092803.png

Figure 8: 802.11 channels and OFDM subcarriers

  1. Convolutional Coding: convolutional coding is used to cope with narrowband interference. It is a form of forward error correction (FEC) that lets the receiver detect and repair corrupted bits.
    Table 4: 802.11a and 802.11g data rate and modulation comparison chart
    Data rates(Mbps) Modulation method Coded bits per subcarrier Data bits per OFDM symbol Coded bits per OFDM symbol Coding rate(data bits/coded bits)
    6 BPSK 1 24 48 1/2
    9 BPSK 1 36 48 3/4
    12 QPSK 2 48 96 1/2
    18 QPSK 2 72 96 3/4
    24 16-QAM 4 96 192 1/2
    36 16-QAM 4 144 192 3/4
    48 64-QAM 6 192 288 2/3
    54 64-QAM 6 216 288 3/4
  2. Modulation: OFDM uses Binary Phase Shift Keying (BPSK) and Quadrature Phase Shift Keying (QPSK) for the lower data rates, and Quadrature Amplitude Modulation (QAM) for the higher data rates.

Clause 18 HR-DSSS PHY

When an 802.11 device needs to transmit at 5.5 or 11 Mbps, it uses High-Rate DSSS (HR-DSSS).

  1. Modulation: Complementary Code Keying (CCK) is used to code and modulate the data.
    Table 5: HR-DSSS encoding and modulation overview
    Data rate (Mbps) Encoding Chip length Bits encoded Modulation
    5.5 CCK coding 8 4 CCK
    11 CCK Coding 8 8 CCK

Clause 19 ERP PHY

The 802.11g PHY must support both ERP-OFDM and ERP-DSSS/CCK. To achieve higher data rates it uses Extended Rate Physical OFDM (ERP-OFDM), which supports 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. For backward compatibility it also uses Extended Rate Physical DSSS (ERP-DSSS/CCK) to provide the lower rates: 1, 2, 5.5, and 11 Mbps.

Table 6: 802.11 amendment comparison
|                            | 802.11 Legacy    | 802.11b                                   | 802.11g                                                                                                                                                     | 802.11a                                                                  |
|----------------------------+------------------+-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------|
| Frequency                  | 2.4 GHz ISM band | 2.4 GHz ISM band                          | 2.4 GHz ISM band                                                                                                                                            | 5 GHz UNII-1, UNII-2, UNII-2 Extended, and UNII-3 bands                  |
| Spread spectrum technology | FHSS or DSSS     | HR-DSSS; PBCC is optional                 | ERP: ERP-OFDM and ERP-DSSS/CCK are mandatory; ERP-PBCC and DSSS-OFDM are optional                                                                           | OFDM                                                                     |
| Data rates                 | 1, 2 Mbps        | DSSS: 1, 2 Mbps; HR-DSSS: 5.5 and 11 Mbps | ERP-DSSS/CCK: 1, 2, 5.5, and 11 Mbps; ERP-OFDM: 6, 12, and 24 Mbps mandatory, 9, 18, 36, 48, and 54 Mbps also supported; ERP-PBCC: 22 and 33 Mbps          | 6, 12, and 24 Mbps mandatory; 9, 18, 36, 48, and 54 Mbps also supported  |
| Backward compatibility     | N/A              | 802.11 DSSS only                          | 802.11b HR-DSSS and 802.11 DSSS                                                                                                                             | None                                                                     |
| Ratified                   | 1997             | 1999                                      | 2003                                                                                                                                                        | 1999                                                                     |

Clause 20 HT PHY

802.11n

Review Questions

  1. The 802.11-2007 standard requires how much separation between center frequencies for HR-DSSS (clause 18) channels to be considered nonoverlapping?

    A. 22 MHz

    B. 25 MHz

    C. 30 MHz

    D. 35 MHz

    E. 40 MHz

    Answer

    B. HR-DSSS (clause 18) was introduced under the 802.11b amendment, which states that channels need a minimum of 25 MHz of separation between the center frequencies to be considered nonoverlapping.

  2. The upper portion of the Physical layer is known as the _ , and the lower portion is known as the _ .

    A. PPDU

    B. PMD

    C. PSDU

    D. PLCP

    E. MSDU

    Answer

    D, B. The upper portion of the Physical layer is known as the Physical Layer Convergence Procedure (PLCP) sublayer, and the lower portion is known as the Physical Medium Dependent (PMD) sublayer.

  3. What three parts make up the PPDU? (Choose all that apply.)

    A. PMD

    B. PLCP Preamble

    C. PLCP Header

    D. PSP

    E. PLCP Service Data Unit (PSDU)

    Answer

    B, C, E. The PLCP Protocol Data Unit (PPDU) consists of three parts: PLCP Preamble, PLCP Header, and PLCP Service Data Unit (PSDU). When the PLCP layer receives the PSDU from the MAC layer, the appropriate PLCP Preamble and PLCP header are added to the PSDU to create the PPDU.

  4. The Long PPDU includes a _ -bit PLCP Preamble, which consists of a _ -bit Sync field.

    A. 144, 128

    B. 72, 56

    C. 256, 212

    D. 144, 72

    E. 128, 72

    Answer

    A. The Long PPDU includes a 144-bit PLCP Preamble, which consists of a 128-bit Sync field and a 16-bit Start of Frame Delimiter (SFD).

  5. Both the Long and Short Preambles are transmitted using which modulation technique?

    A. DBPSK

    B. DQPSK

    C. 2GFSK

    D. 4GFSK

    E. 16-QAM

    Answer

    A. The Long Preamble is transmitted using Differential Binary Phase Shift Keying (DBPSK) at the rate of 1 Mbps. Like the Long PLCP Preamble, the Short PLCP Preamble is also transmitted using DBPSK.

  6. Which of the following fields are contained in the Long and Short PLCP Headers? (Choose all that apply.)

    A. Service

    B. Length

    C. Signal

    D. Preamble

    E. CRC

    Answer

    A, B, C, E. Long and Short PLCP Headers are both 48 bits long and contain the following four fields: Signal (8 bits), Service (8 bits), Length (16 bits), and CRC (16 bits).

  7. Which PPDUs were defined by the 802.11n amendment? (Choose all that apply.)

    A. Non-HT legacy PPDU

    B. HT PPDU

    C. HT-mixed PPDU

    D. Combined HT Legacy PPDU

    E. HT-greenfield PPDU

    Answer

    A, C, E. When the 802.11n amendment was ratified, three new PPDUs were defined: non-HT legacy PPDU, HT-mixed PPDU, and HT-greenfield PPDU.

  8. Which of the following define radios that can transmit in the 2.4 GHz ISM band? (Choose all that apply.)

    A. Clause 14

    B. Clause 15

    C. Clause 18

    D. Clause 19

    E. Clause 20

    Answer

    A, B, C, D, E. The bulk of Wi-Fi radios currently transmit in the 2.4 GHz ISM band, including radios that use the following technologies:

    • 802.11 (FHSS clause 14 radios or DSSS clause 15 radios)
    • 802.11b (HR-DSSS clause 18 radios)
    • 802.11g (ERP clause 19 radios)
    • 802.11n (HT clause 20 radios)
  9. Clause 17 defines communications using which of the following modulation methods? (Choose all that apply.)

    A. DBPSK

    B. BPSK

    C. QPSK

    D. 16-QAM

    E. 64-QAM

    Answer

    B, C, D, E. Clause 17 (802.11a) defines BPSK for 6 and 9 Mbps transmissions, QPSK for 12 and 18 Mbps transmissions, 16-QAM for 24 and 36 Mbps transmissions, and 64-QAM for 48 and 54 Mbps transmissions.

  10. According to the IEEE, clause 17 and clause 19 require which of the following data rates? (Choose all that apply.)

    A. 6

    B. 9

    C. 12

    D. 18

    E. 24

    F. 54

    Answer

    A, C, E. Data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps are possible using 802.11a and 802.11g technology, although the IEEE requires only the data rates of 6, 12, and 24 Mbps.

  11. In descending order (moving from the Application layer toward the Physical), list the 4 sublayers that make up the Data-Link and Physical layers.

    A. LLC, MAC, PSDU, PLCP

    B. MAC, LLC, PSDU, PLCP

    C. PMD, PLCP, MAC, LLC

    D. LLC, MAC, PLCP, PMD

    E. MAC, LLC, PLCP, PMD

    Answer

    D. The Data-Link layer is divided into the upper LLC sublayer and the lower MAC sublayer. The Physical layer is divided into the upper Physical Layer Convergence Procedure (PLCP) sublayer and the lower Physical Medium Dependent (PMD) sublayer.

  12. When a Long PLCP Header is used, what speeds can be used for transmitting the PSDU? (Choose all that apply.)

    A. 1 Mbps

    B. 2 Mbps

    C. 5.5 Mbps

    D. 11 Mbps

    E. 54 Mbps

    Answer

    A, B, C, D. When a Long PLCP Header is used, the PSDU can be transmitted at one of four transmission rates; 1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps.

  13. According to the 802.11n amendment, which of the following PPDU formats is optional?

    A. Long PPDU

    B. Short PPDU

    C. Non-HT legacy PPDU

    D. HT-mixed PPDU

    E. HT-greenfield PPDU

    Answer

    E. Support for the HT-greenfield format is optional, and the HT radios can transmit by using both 20 MHz and 40 MHz channels.

  14. How wide are the UNII-1, UNII-2, and UNII-3 bands?

    A. 20 MHz

    B. 22 MHz

    C. 11 MHz

    D. 100 MHz

    E. It varies depending upon the specific band.

    Answer

    D. These 3 UNII bands are 100 MHz wide, and UNII-2 extended is 255 MHz wide.

  15. What are the boundaries of the UNII-2 Extended bands?

    A. 5.470 GHz to 5.725 GHz

    B. 5.5 GHz to 5.75 GHz

    C. 2.4 GHz to 2.4835 GHz

    D. 902 MHz to 928 MHz

    Answer

    A. The UNII-2 Extended band is 255 MHz wide and spans from 5.470 GHz to 5.725 GHz.

  16. What is the frequency width of each clause 17 subcarrier?

    A. 20 kHz

    B. 22 kHz

    C. 100 kHz

    D. 312.5 kHz

    E. 350 kHz

    Answer

    D. The frequency width of each OFDM subcarrier is 312.5 kHz. Each subcarrier is transmitted at a low data rate, but because there are so many subcarriers the overall data rate is high.

  17. Which terms are used to describe the error correction method used by clause 17 devices? (Choose all that apply.)

    A. Cyclic Redundancy Check

    B. Forward error correction

    C. Frame Check Sequence

    D. Convolutional coding

    E. Parity

    Answer

    B, D. To make OFDM more resistant to narrowband interference, a form of error correction known as convolutional coding is performed. The 802.11-2007 standard defines the use of convolutional coding as the error correction method to be used with OFDM technology. It is a forward error correction (FEC) that allows the receiving system to detect and repair corrupted bits.

  18. Select the coding methods that are used by DSSS devices, along with the coding methods used by HR-DSSS devices. (Choose all that apply.)

    A. Barker code

    B. Convolutional coding

    C. Complementary Code Keying (CCK)

    D. Bitwise coding

    Answer

    A, C. To help provide the faster speeds of HR-DSSS, a more complex code, Complementary Code Keying (CCK), is utilized instead of the Barker code that is used with DSSS transmissions.

  19. From the perspective of the Physical layer, what are two terms that define the data portion of an 802.11 transmission? (Choose two.)

    A. PSDU

    B. PLCP

    C. MSDU

    D. MPDU

    E. PMD

    Answer

    A, D. The PLCP Service Data Unit (PSDU) is the data that the PHY transmits. The PSDU is equivalent to the MAC Protocol Data Unit (MPDU) that is passed down from the Data-Link layer.

  20. When a Short PLCP Header is used, what speeds can be used for transmitting the PSDU? (Choose all that apply.)

    A. 1 Mbps

    B. 2 Mbps

    C. 5.5 Mbps

    D. 11 Mbps

    E. 54 Mbps

    Answer

    B, C, D. When a Short PLCP Header is used, only three data rates are supported: 2 Mbps, 5.5 Mbps, and 11 Mbps.

CH03 802.11 MAC Sublayer Frame Format

General 802.11 frame format

Technically, an 802.11 frame is an MPDU. An MPDU consists of three basic parts:

  • MAC Header
  • Frame Body
  • Frame Check Sequence (FCS)

MAC header

The MAC header has up to eight fields. Four of them are address fields of 6 bytes each; the other four are Frame Control, Duration/ID, Sequence Control and QoS Control, 2 bytes each. When every field is present, an 802.11 MAC header is at most 32 bytes. 802.11n adds a new 4-byte HT Control field, so for 11n devices the maximum MAC header is 36 bytes. In practice, most frames carry a header shorter than these maxima.

Frame control field

Protocol Version field

Two bits; identifies the version of the 802.11 protocol, normally 0.

Type and Sub-type fields

Together these two fields identify the function of a frame. Type occupies 2 bits and Sub-type 4 bits.

To DS and From DS fields

One bit each. Their combination changes the meaning of the four address fields.

More Fragments field

One bit; when set, more fragments of the same MSDU follow.

Retry field

One bit; when set, the current frame is a retransmission. Too many layer 2 retransmissions increase the latency of data delivery; as a rule of thumb the retry rate should not exceed 10%.

Power Management field

One bit; indicates whether the transmitting STA is in Power Save mode.

More Data field

When a sleeping STA wakes up and learns that the AP has buffered frames for it, it retrieves them with PS-Poll frames. When the AP sets this bit in a delivered frame, more buffered frames remain, and the STA must keep sending PS-Poll frames until the AP's buffer for it is empty.

Protected Frame field

One bit; when set, the frame body (the MSDU) is encrypted.

Order field

One bit; set to 1 when a higher layer requires a non-QoS data frame to be sent using the strictly ordered service class. In all other cases it is 0.

Duration/ID field

This 16-bit field serves three different purposes:

  • Virtual carrier-sense The main purpose of this field is to reset the NAV timer of other stations.
  • Legacy power management PS-Poll frames use the field as an association identifier (AID).
  • Contention-free period The field is used as an indicator that a point coordination function (PCF) process has begun.

MAC layer addressing

802.11 MAC addresses fall into two classes:

  • Individual (unicast) addresses
  • Group addresses
    • Broadcast address
    • Multicast addresses

    2016101001.png

    Figure 9: 802.11 MAC addressing

Sequence Control field

16 bits, made up of two subfields: Fragment Number (4 bits) and Sequence Number (12 bits).

Sequence Control Subfields

The fragment number ranges from 0 to 15 and the sequence number from 0 to 4095.

Understanding the Fragmentation Threshold

All 802.11 stations can be configured with a fragmentation threshold. If the fragmentation threshold is set at 300 bytes, any MSDU larger than 300 bytes will be fragmented.

QoS Control field

The QoS Control field is only used in the MAC header of QoS data frames.

2016101002.png

Figure 10: QoS Control field

Frame Body

Variable in size; control frames have no frame body.

The 802.11-2007 standard states that the maximum size of the MSDU is 2,304 bytes.

An 802.11n station using this method of aggregation can have a frame body with a maximum A-MSDU size (3839 or 7935 octets, depending upon the STA’s capability), plus any overhead from encryption.

WEP encryption adds 8 bytes of overhead to the frame body of an 802.11 data frame.

TKIP encryption adds 20 bytes of overhead to an 802.11 MPDU.

CCMP encryption adds 16 bytes of overhead to an 802.11 data frame.

FCS field

Contains a 32-bit CRC used to verify the integrity of the received frame.
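As an added example (not code from the original notes), the Python below parses the MAC header fields described in this chapter: it splits Frame Control into its subfields, decodes Duration/ID according to its top two bits, assigns the address roles from the To DS/From DS combination, extracts the Sequence Control subfields, and verifies the FCS with CRC-32 before trusting anything else. The sample frame, the MAC addresses in it and all function names are this example's own assumptions; the frame is constructed, not captured.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# Meaning of the four address fields as a function of (To DS, From DS).
ADDRESS_ROLES = {
    (0, 0): ("RA=DA", "TA=SA", "BSSID", None),    # IBSS / STSL, management, control
    (0, 1): ("RA=DA", "TA=BSSID", "SA", None),    # downstream: AP -> client
    (1, 0): ("RA=BSSID", "TA=SA", "DA", None),    # upstream: client -> AP
    (1, 1): ("RA", "TA", "DA", "SA"),             # four-address WDS format
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_duration_id(value):
    """Interpret the 16-bit Duration/ID field according to its two high bits."""
    if value & 0x8000 == 0:
        return ("duration_us", value)      # bits 14-0: NAV reservation, 0..32767 us
    if value & 0xC000 == 0xC000:
        return ("aid", value & 0x3FFF)     # PS-Poll: bits 13-0 carry the AID (1..2007)
    if value == 0x8000:
        return ("cfp", 0)                  # fixed value during a contention-free period
    return ("reserved", value)


def fcs_ok(frame):
    """True if the trailing 4-byte FCS matches CRC-32 over header + body."""
    return len(frame) >= 14 and zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


def parse_frame(frame):
    """Parse an 802.11 MPDU (MAC header + frame body + FCS) into a dict.

    A receiver drops a frame whose FCS fails and sends no ACK, which is what
    forces the transmitter to retry, so the check comes first here as well.
    """
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch or frame too short")
    mpdu = frame[:-4]
    fc, duration_id = struct.unpack("<HH", mpdu[:4])
    ftype, subtype = FRAME_TYPES.get((fc >> 2) & 0x3, "reserved"), (fc >> 4) & 0xF
    flags = {"to_ds": (fc >> 8) & 1, "from_ds": (fc >> 9) & 1,
             "more_fragments": (fc >> 10) & 1, "retry": (fc >> 11) & 1,
             "power_mgmt": (fc >> 12) & 1, "more_data": (fc >> 13) & 1,
             "protected": (fc >> 14) & 1, "order": (fc >> 15) & 1}
    info = {"protocol_version": fc & 0x3, "type": ftype, "subtype": subtype,
            **flags, "duration_id": decode_duration_id(duration_id)}

    if ftype == "control":
        # RTS (11) and PS-Poll (10) carry RA and TA; CTS (12) and ACK (13) carry RA only.
        addrs = [("RA", mac_str(mpdu[4:10]))]
        if subtype in (10, 11):
            addrs.append(("TA", mac_str(mpdu[10:16])))
        info.update(addresses=addrs, header_len=4 + 6 * len(addrs), body=b"")
        return info

    if len(mpdu) < 24:
        raise ValueError("header truncated")
    roles = ADDRESS_ROLES[(flags["to_ds"], flags["from_ds"])]
    addrs = [(roles[i], mac_str(mpdu[4 + 6 * i:10 + 6 * i])) for i in range(3)]
    seq_ctrl = struct.unpack("<H", mpdu[22:24])[0]
    info["fragment_number"], info["sequence_number"] = seq_ctrl & 0xF, seq_ctrl >> 4
    offset = 24
    if ftype == "data" and flags["to_ds"] and flags["from_ds"]:
        addrs.append((roles[3], mac_str(mpdu[24:30])))   # Address 4 only in WDS frames
        offset += 6
    if ftype == "data" and subtype & 0x8:                 # QoS data subtypes have bit 3 set
        info["qos_control"] = struct.unpack("<H", mpdu[offset:offset + 2])[0]
        offset += 2
        if flags["order"]:                                # 802.11n: Order bit in a QoS data
            offset += 4                                   # frame signals a 4-byte HT Control
    info.update(addresses=addrs, header_len=offset, body=mpdu[offset:])
    return info


def build_qos_data_frame(da, bssid, sa, body, seq, duration_us, retry=False):
    """Construct a downstream (From DS=1) QoS data frame with a valid FCS (sample, not a capture)."""
    fc = (2 << 2) | (8 << 4) | (1 << 9) | ((1 << 11) if retry else 0)  # type=data, subtype=QoS Data
    header = struct.pack("<HH", fc, duration_us) + da + bssid + sa + struct.pack("<H", seq << 4)
    mpdu = header + struct.pack("<H", 6) + body        # QoS Control: TID 6 (voice)
    return mpdu + struct.pack("<I", zlib.crc32(mpdu))


if __name__ == "__main__":
    sample = build_qos_data_frame(bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"),
                                  bytes.fromhex("00deadbeef01"), b"payload", seq=42, duration_us=44)
    for key, val in parse_frame(sample).items():
        print(f"{key:>16}: {val}")
```

Flipping any byte of the sample (header or body) makes `fcs_ok` return False and `parse_frame` raise, which mirrors the receiver behaviour behind the Retry bit: no ACK is sent for a frame whose CRC fails, so the transmitter resends it.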

Review Questions

  1. Based on the 802.11 frame capture shown here, what type of networking communications are occurring?

    2016101201.png

    A. AP to client station

    B. Client station to server

    C. Client station to AP

    D. Server to client station

    E. Mesh backhaul

    Answer

    E. The graphic displays four MAC addresses. Although 802.11 frames have four address fields in the MAC header, 802.11 frames typically use only three of the MAC address fields. An 802.11 frame sent within a wireless distribution system (WDS) requires all four MAC addresses. Although the standard does not specifically define procedures for using this format, WLAN vendors often implement WDS solutions. Examples of a WDS include WLAN bridges, mesh networks, and wireless repeaters.

  2. CCMP/AES encryption adds an extra __ of overhead to the body of an 802.11 data frame.

    A. 16 bytes

    B. 12 bytes

    C. 20 bytes

    D. 10 bytes

    E. None of the above

    Answer

    A. CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 data frame. Eight bytes are added by the CCMP header, and 8 bytes are added by the MIC. WEP encryption will add an extra 8 bytes of overhead to the body of an 802.11 data frame. When TKIP is implemented, because of the extra overhead from the extended IV and the MIC, a total of 20 bytes of overhead is added to the body of an 802.11 data frame.

  3. Which of the following 802.11 frames carry an MSDU payload that may eventually be transferred by the integration service into an 802.3 Ethernet frame? (Choose all that apply.)

    A. 802.11 management frames

    B. 802.11 control frames

    C. 802.11 data frames

    D. 802.11 power-management frames

    E. 802.11 action frames

    Answer

    C. Only 802.11 data frames can carry an upper-layer payload (MSDU) within the body of the frame. The MSDU can be as large as 2,304 bytes and usually should be encrypted. 802.11 control frames do not have a body. 802.11 management frames have a body; however, the payload is strictly layer 2 information.

  4. What would cause an 802.11 station to retransmit a unicast frame? (Choose all that apply.)

    A. The transmitted unicast frame was corrupted.

    B. The ACK frame from the receiver was corrupted.

    C. The receiver’s buffer was full.

    D. The transmitting station sent a PS-Poll frame.

    E. The transmitting station sent a retransmit notification.

    Answer

    A, B. The receiving station may have received the data, but the returning ACK frame may have become corrupted, and the original unicast frame will have to be retransmitted. If the unicast frame becomes corrupted for any reason, the receiving station will not send an ACK.

  5. How does a client station indicate that it is using Power Save mode?

    A. It transmits a frame to the access point with the Sleep field set to 1.

    B. It transmits a frame to the access point with the Power Management field set to 1.

    C. Using DTIM, the access point determines when the client station uses Power Save mode.

    D. It doesn’t need to, because Power Save mode is the default.

    Answer

    B. When the client station transmits a frame with the Power Management field set to 1, it is enabling Power Save mode. The DTIM does not enable Power Save mode; it only notifies clients to stay awake in preparation for a multicast or broadcast.

  6. Which field in the MAC header of an 802.11 frame resets the NAV timer for all listening 802.11 stations?

    A. NAV

    B. Frame control

    C. Duration/ID

    D. Sequence number

    E. Strictly ordered bit

    Answer

    C. When the listening radio hears a frame transmission from another station, it looks at the header of the frame and determines whether the Duration/ID field contains a Duration value or an ID value. If the field contains a Duration value, the listening station will set its NAV timer to this value.

  7. What are some the reasons for the existence of the Duration/ID field of the MAC header of an 802.11 MPDU? (Choose all that apply.)

    A. Physical carrier-sense

    B. Fragmentation

    C. Virtual carrier-sense

    D. Integrity check

    E. Power management

    Answer

    C, E. The Duration/ID field has three possible purposes. The main purpose of this field is to reset the NAV timer of other stations, which is a virtual carrier-sense mechanism. PS-Poll frames use the Duration/ID field as an association identifier (AID) during legacy power management processes. Although never implemented by vendors, the Duration/ID field can also be used to signal that a contention-free period (CFP) process has begun.

  8. What is the maximum amount of microseconds that can be set on the NAV timers of listening stations that hear the transmission of another 802.11 station?

    A. 32,768 μs

    B. 2007 μs

    C. 16,383 μs

    D. 2008 μs

    E. 32,767 μs

    Answer

    E. The main purpose of the Duration/ID field is to reset the NAV timer of other stations. When bit 15 of the field is zero, the value in bits 14-0 represents the duration of the frame exchange sequence remaining after the frame in which the Duration value is found. Bits 14-0 can have a Duration value of 0 to 32,767. The Duration value translates into microseconds when resetting the NAV timers of other stations. The other common use of the Duration/ID field is as an AID in PS-Poll control frames. When bits 15 and 14 both have a value of 1, bits 13-0 can represent an AID in PS-Poll frames from 1 to 2007.

  9. What are some of the negative effects of layer 2 retransmissions? (Choose all that apply.)

    A. Decreased range

    B. Excessive MAC sublayer overhead

    C. Decreased latency

    D. Increased latency

    E. Jitter

    Answer

    B, D, E. Excessive layer 2 retransmissions adversely affect the WLAN in two ways. First, layer 2 retransmissions increase MAC overhead and therefore decrease throughput. Second, if application data has to be retransmitted at layer 2, the timely delivery of application traffic becomes delayed or inconsistent. Applications such as VoIP depend on the timely and consistent delivery of the IP packet. Excessive layer 2 retransmissions usually result in increased latency and jitter problems for time-sensitive applications such as voice and video.

  10. When an AP sends a unicast frame to VoWiFi client station, which of the other stations will not update their NAV timers based on the Duration value represented in the Duration/ID field in the unicast frame sent by the AP? (Choose all that apply.)

    A. Transmitting access point

    B. Another access point nearby on the same channel

    C. All the other client stations

    D. The VoWiFi client

    E. Any other clients within listening range on the same channel

    Answer

    A, D. The NAV is not updated when the receiver address (RA) is the same as the receiving station's MAC address. Therefore, in this scenario, the Duration value did not reset the VoWiFi client's NAV because it was the receiver. You should also understand that the Duration value of the transmitting station does not reset the transmitting station's NAV timer. The transmitter cannot hear its own transmitted frame. The transmitter's NAV will be zero after transmitting, just like it was zero before the transmitter gained control of the medium. The AP was the transmitter, so the Duration value did not reset its NAV. Any other client or AP stations within hearing range on the same channel will reset their NAV, even if they are not members of the BSS.

  11. Which of these statements regarding the four MAC address fields in the header of a data MPDU are accurate? (Choose all that apply.)

    A. Address 2 is always the transmitter address (TA).

    B. Address 3 is always the transmitter address (TA).

    C. Address 1 is always the basic service set identifier (BSSID).

    D. Address 1 is always the receiver address (RA).

    Answer

    A, D. Depending on how the To DS and From DS fields are used, the definition of the four MAC fields will change. One constant, however, is that the Address 1 field will always be the receiver address (RA) but may have a second definition as well. The Address 2 field will always be the transmitter address (TA) but also may have a second definition. Address 3 is normally used for additional MAC address information. Address 4 is used only in the case of a WDS.

  12. Which of the following is a possible scenario when the To DS field and the From DS field both have a value of 0? (Choose all that apply.)

    A. The frame transmission is a control frame.

    B. An ad hoc network exists.

    C. The frame transmission is a simple data frame.

    D. Fragmentation is not being used.

    E. The frame transmission is a management frame.

    Answer

    A, B, E. When both bits are set to 0, several different scenarios exist. The most common scenario is that the frames are either management or control frames. Management and control frames do not have an MSDU payload, and therefore their final destination is never the distribution system (DS). Management and control exist only at the MAC sublayer and therefore have no need to be translated by the integration service (IS) and never are delivered to the distribution system service (DSS). Another scenario is a direct data frame transfer from one STA to another STA within an independent basic service set (IBSS), more commonly known as an ad hoc network. The third scenario involves what is known as a station-to-station link (STSL), which involves a data frame being sent directly from one client station to another client station that belongs to the same BSS, thereby bypassing the AP.

  13. What can you conclude about this frame based on the frame capture graphic shown here? (Choose all that apply.)

    2016101202.png

    A. This is the second fragment of an MSDU.

    B. This is the third fragment of an MSDU.

    C. The AP is using fragmentation.

    D. This is the last transmitted fragment of an MSDU.

    E. The client station is using fragmentation.

    Answer

    B, C, D. In the Sequence Control field, the Fragment Number subfield contains a 4-bit number assigned to each fragment of an MSDU. The first, or only, fragment of an MSDU is assigned a fragment number of 0. Each successive fragment is assigned a sequentially incremented fragment number. The graphic shows a fragment number of 2, which means it is the third fragment. The More Fragments field indicates a value of 0, which means it is the last transmitted fragment. The To DS field has a value of 0, and the From DS field has a value of 1, which means this is a downstream transmission from an AP to a client station.

  14. What can you conclude about this frame based on the frame capture graphic shown here? (Choose all that apply.)

    2016101203.png

    A. The Duration/ID field is an AID.

    B. This is first fragment of a fragmented MSDU.

    C. The AP is buffering the client station’s traffic.

    D. Fragmentation is not being used.

    E. This is a PS-Poll frame.

    Answer

    C, D. The Power Management field indicates a value of 1, meaning that the client STA is in Power Save mode and that the AP must buffer the client STA's traffic. Fragmentation is not being used because the frag number in the Sequence Control field has a value of 0 and the More Fragments field also has a value of 0. The Subtype field indicates that this is a Null data frame and not a PS-Poll frame. PS-Poll frames are the only frames that use the Duration/ID field as an association identifier (AID).

  15. What can you conclude about this frame based on the frame capture graphic shown here?

    2016101204.png

    A. This data frame has no frame body.

    B. CCMP encryption is being used.

    C. This is an IBSS topology.

    D. No data privacy is being provided.

    E. The ACK frame was delivered successfully.

    Answer

    D. The Protected Frame field has a value of 0, which indicates that the MSDU payload of this simple data frame is not encrypted.

  16. What can you conclude about this frame based on the frame capture graphic shown here?(Choose all that apply.)

    2016101205.png

    A. This is a unicast frame.

    B. The frame check sequence (FCS) of the previous attempt of the same frame failed at the receiving station.

    C. This is a multicast frame.

    D. This is a mesh backhaul transmission.

    E. The ACK frame was delivered successfully.

    Answer

    A, B. The Retry field indicates a value of 1, meaning this is a retransmission. Every time an 802.11 radio transmits a unicast frame, if the frame is received properly and the cyclic redundancy check (CRC) of the FCS passes, the 802.11 radio that received the frame will reply with an acknowledgment (ACK) frame. If the ACK is received, the original station knows that the frame transfer was successful. All unicast 802.11 frames must be acknowledged. Broadcast and multicast frames do not require an acknowledgment.

    If any portion of a unicast frame is corrupted, the CRC will fail, and the receiving 802.11 radio will not send an ACK frame to the transmitting 802.11 radio. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted.

  17. When the To DS field has a value of 0 and the From DS field has a value of 1, which of these statements possibly are accurate? (Choose all that apply.)

    A. The frame transmission is a control frame.

    B. This is a DHCP response packet.

    C. The frame transmission is a data frame.

    D. Client STA is transmitting.

    E. The frame transmission is a management frame.

    Answer

    B, C. When the To DS bit is set to 0 and the From DS bit is set to 1, this indicates that an 802.11 data frame is being sent downstream from an access point to a client station. The original source of the MSDU payload of the 802.11 data frame is an address that exists on the distribution system medium (DSM). An example is a DHCP server that resides on the 802.3 network forwarding a DHCP response packet through an AP with the final destination being an 802.11 client station.

  18. How many bytes is the frame body of an 802.11 MPDU?

    A. 0-2304

    B. 2304

    C. 2346

    D. 4095

    E. Variable

    Answer

    E. The frame body is of variable size. The maximum frame body size is determined by the maximum MSDU size (2,304 octets) plus any overhead from encryption. The 802.11n-2009 HT amendment defines a frame aggregation method called Aggregate MAC Service Data Unit (A-MSDU). An 802.11n station using this method of aggregation can have a frame body with a maximum A-MSDU size (3839 or 7935 octets, depending upon the STA's capability), plus any overhead from encryption.

  19. How many MAC addresses are found in an 802.3 frame?

    A. Four

    B. Three

    C. Two

    D. One

    E. Zero

    Answer

    C. 802.3 Ethernet frames have only a source address (SA) and destination address (DA) in the layer 2 header. 802.11 frames have four address fields in the MAC header. The contents of these four fields can include the following MAC addresses: receiver address (RA), transmitter address (TA), basic service set identifier (BSSID), destination address (DA), and source address (SA). In other words, an 802.11 frame can contain as many as four MAC addresses with five different meanings.

  20. How does a transmitting station maintain control of the medium during a fragment burst?(Choose all that apply.)

    A. Random backoff algorithm

    B. Duration

    C. DIFS

    D. Sequence Control

    E. SIFS

    Answer

    B, E. Fragments are always sent in what is known as a fragment burst. Once the transmitting station gains control of the medium, it maintains control through two mechanisms: Duration values (which set other stations’ NAVs) and SIFS. First, the value of the Duration field in the MAC header of data fragments and ACK frames is used to reserve the medium for the next fragment. As a backup mechanism, SIFS is used between data fragments and ACK frames in order to preempt those stations that are trying to gain control of the medium using DIFS.

CH04 802.11 Management Frames

Management Frame Types

Structure of a management frame:

2016101701.png

Figure 16: Management frame structure

A management frame normally carries the standard 24-byte MAC header with three address fields. With 802.11n, HT Control information can be added, giving the structure below:

2016101702.png

Figure 17: Management frame structure: 802.11n

DA is the destination address of the frame; it may be unicast or multicast depending on the management frame subtype. SA is the MAC address of the STA that transmits the frame. The BSSID is either the AP's MAC address or a wildcard value. The management frame subtypes are:

Table 7: Management frame subtypes
Subtype bits Subtype description
0000 Association request
0001 Association response
0010 Reassociation request
0011 Reassociation response
0100 Probe request
0101 Probe response
1000 Beacon
1001 Announcement traffic indication message (ATIM)
1010 Disassociation
1011 Authentication
1100 Deauthentication
1101 Action
1110 Action no ack

Management frames are always handled by the MAC sublayer; they are never passed up to higher layers (to applications). Their To DS and From DS bits are always 0.

Beacons

MaxChannelTime, defined in each driver's MIB, is the dwell time spent on each channel while scanning.

Beacon frames are sent periodically, at a time called target beacon transmission time (TBTT) and at a rate defined by the dot11BeaconPeriod parameter in the AP MIB.

dot11BeaconPeriod defaults to 100 TU (time units).

The AP sends beacons at a fixed interval and announces when the next beacon is due. If the medium is busy, the current beacon is delayed, but this does not shift the schedule: the next beacon is still sent at its scheduled TBTT.

2016101703.png

Figure 18: Beacon frame structure

Probe Request / Response

  • Probe Request Frame

Used in active scanning to discover APs and their capabilities.

    Table 8: Elements and fields in a probe request frame body
    Order Information Note
    1 Service Set Identifier (SSID)  
    2 Supported Rates  
    3 Request Information Used with 802.11d.
    4 Extended Supported Rates The Extended Supported Rates element is present whenever there are more than eight supported rates; it is optional otherwise.
    5 Vendor Specific One or more vendor-specific information elements may appear in this frame. This information element follows all other information elements.

A STA can also use a probe request to discover specific information about a network. For this purpose the probe request can carry a Request Information element that asks for one or more additional elements.

    Table 9: Request Information element
    Field Size
    Element ID 1 octet
    Length 1 octet
    Requested element ID 1 ... Requested element ID N 1 octet each

All of these elements are optional. The probe request may also carry vendor-specific elements.

  • Probe Response Frame

Sent in reply to a probe request. It carries information similar to a beacon frame, with the following differences:

    1. The beacon frame contains a TIM field; the probe response does not.
    2. The beacon frame can contain a QoS Capability Information element that announces basic QoS support to the cell.
    3. The probe response also contains the Requested Information elements that may have been requested by the probing station.

Authentication

In all cases, after having performed a network discovery through the probe request/ probe response exchange or by listening to beacons, a station wanting to join a cell goes through an authentication process, exchanging authentication frames with the access point. Unlike the probe and association phases, which use a different frame for the request and the response, there is only one type of authentication frame.

2016101801.png

Figure 19: Authentication frame format

  • Open System

    The initial purpose of the authentication frame is to validate the device type, in other words, verify that the requesting station has proper 802.11 capabilities to join the cell.

    This exchange is based on a simple two-frame dialogue (authentication request, authentication response)

  • WEP Shared Key

    This shared key exchange adds two frames to the default Open System authentication, resulting in a four-frame exchange.

    The Authentication Algorithm number field value describes which authentication system is used (0 for Open System and 1 for Shared Key).

    The 2-byte Authentication Transaction Sequence Number field indicates the current state of progress through the multistep transaction.

    Table 10: Summary of authentication frame fields values and usage
    Authentication algorithm Authentication transaction sequence no. Status code Challenge text
    Open System 1 Reserved Not present
    Open System 2 Status Not present
    Shared Key 1 Reserved Not present
    Shared Key 2 Status Present
    Shared Key 3 Reserved Present
    Shared Key 4 Status Not present

Association Request / Response

  • Association Request Frame

    After successful authentication the STA enters the association phase. The purpose of this exchange is to join the BSS and obtain an AID.

    2016101802.png

    Figure 20: Association request frame format

    Table 11: Elements and fields in the association request body
    Order Information Notes
    1 Capability Information  
    2 Listen interval  
    3 SSID  
    4 Supported rates  
    5 Extended Supported Rates Present whenever there are more than eight supported rates; optional otherwise.
    6 Power Capability Used with 802.11h.
    7 Supported Channels Used with 802.11h.
    8 RSN Used with 802.11i.
    9 QoS Capability Used with 802.11e QoS.
    10 RRM Enabled Capabilities Used with 802.11k.
    11 Mobility Domain Used with 802.11r.
    12 Supported Regulatory Classes Used with 802.11r.
    13 HT Capabilities Used with 802.11n.
    14 20/40 BSS Coexistence Used with 802.11n.
    15 Extended Capabilities Present if at least one extended capability is advertised.
    Last Vendor Specific One or more vendor-specific elements.

    The information carried in the association request tells the AP what the STA is capable of, so the AP can decide how to communicate with it.

  • Association Response Frame

    When the AP receives an association request, it checks each 802.11 parameter against those it supports. If there is a mismatch, the AP determines whether the difference is a blocking factor; if it is, the AP rejects the association. Otherwise it records the difference and returns its own 802.11 parameters in the association response.

    2016101803.png

    Figure 21: Association response frame format

    Table 12: The association response frame
    Order Information Notes
    1 Capability Information  
    2 Status Code  
    3 Association ID  
    4 Supported rates  
    5 Extended Supported Rates  
    6 EDCA Parameter Set  
    7 RCPI Used with 802.11k.
    8 RSNI Used with 802.11k.
    9 RRM Enabled Capabilities Used with 802.11k.
    10 Mobility Domain Used with 802.11r.
    11 Fast BSS Transition Used with 802.11r.
    12 DSE Registered Location Used with 802.11y.
    13 Timeout Interval(association comeback time) Used with 802.11w.
    14 HT Capabilities Used with 802.11n.
    15 HT Operation Used with 802.11n.
    16 20/40 BSS Coexistence Used with 802.11n.
    17 Overlapping BSS Scan Parameters Used with 802.11n.
    18 Extended Capabilities  
    Last Vendor Specific  

    The AP returns a status code (0 means the association succeeded) and assigns the STA an AID in the range 1 to 2007. The field is 2 bytes long; only the low 14 bits carry the AID and the two high bits are set to 1.

Disassociation

Either side of the communication may send this frame. Its format:

2016101804.png

Figure 22: Disassociation frame format

The frame may be unicast or multicast. Its elements:

Table 13: Disassociation Frame
Order Notes
1 Reason code.
2 One or more vendor-specific information elements may appear in this frame.
Last Used with 802.11w.

A STA in the Disassociated state is still Authenticated and can reassociate directly.

Deauthentication

Sent to end the session when communication is finished. Its format is similar to the disassociation frame.

Reassociation Request / Response

  • Reassociation Request Frame

    This frame is sent only by a STA. The main use case: a STA already associated within an ESS wants to associate with another AP of the same ESS. It is also used when a STA briefly leaves its current AP and then re-associates with it, when the Authenticator timer expires and the STA authenticates and reassociates, and by an already-associated STA to renegotiate some parameters.

    2016101805.png

    Figure 23: Reassociation request frame format

  • Reassociation Response Frame

    An AP uses the reassociation response frame in response to a reassociation request frame. Its format is similar to the association response.

ATIM Frame

The ATIM frame is specific to IBSS networks and used for distribution of buffered frames to stations in sleep mode in the ad hoc network.

Action Frame

Action frames form the 12th and last type of management frame. They are used to trigger specific actions in the cell.

2016101806.png

Figure 24: Action frame format

Information Elements and Fields

Management Frame Fields

  • Timestamp Field

    8 bytes long; present in beacon and probe response frames. The timestamp is a value representing the time on the access point, i.e. the number of microseconds the AP has been active.

    The stations in the cell use that timestamp value to adjust their own clock(using their Time Synchronization Function).

  • Beacon Interval Field

    2 bytes long. The Beacon Interval field represents the number of time units between target beacon transmission times (TBTTs).

    The default value is 100 TUs (0.102400 seconds), but the field size allows for any value between 1 and more than 67 seconds!

    The value should be neither too long nor too short; a STA that cannot wake from sleep in time to hear its beacons may lose its connection.

  • Capability Information Field

    The Capability Information field contains a number of subfields that are used to indicate requested or advertised optional capabilities.

    2 bytes long. The Capability Information field exists in several management frames (beacons, probe responses, association requests, association responses, reassociation requests, and reassociation responses).

    2016101901.png

    Figure 25: Capability Information field

    • ESS/IBSS Subfields

      The ESS bit indicates whether the beacon is coming from an AP (1) or not (0). The IBSS bit indicates whether the beacon is coming from an IBSS station (1) or not (0).

    • Privacy Subfield

      APs set the Privacy subfield to 1 if data confidentiality is required for all data frames exchanged within the BSS. If data confidentiality is not required, the Privacy subfield is set to 0.

      The Privacy field only shows the requirement (or not) for encryption when sending data frames.

    • Short Preamble Subfield

      When set to 1, both short and long preambles may be used; when 0, only the long preamble is allowed.

    • Channel Agility Subfield

      Its aim was to offer the possibility for the center channel to shift periodically slightly up and down, in the hopes of avoiding interferences.

      The Channel Agility feature was never widely implemented. It is still present as a possibility in the Capability field, but only for HR/DSSS stations (OFDM does not implement this feature).

    • Spectrum Management Subfield

      related to 802.11h, set this field to reflect that they implement DFS and TPC.

    • QoS Subfield

      this field shows whether the AP supports QoS. The QoS subfield in the Capability Information field simply tells the cell “I can do QoS; look for other QoS fields in my frames.”

    • Short Slot Time Subfield

      Standard slot time used to be 20 μs with 802.11 and 802.11b and was reduced to 9 μs with 802.11g (802.11a also uses 9 μs slot times).

      This subfield determines whether short slot time is allowed in the cell (the Short Slot Time subfield set to 1)

      When an AP sets this subfield, it is a clear sign that the AP is not supporting 802.11b stations.

    • APSD Subfield

      When this APSD bit is set to 1, the AP supports the 802.11e APSD feature.

      A STA always sets this subfield to 0 in association and reassociation requests, because APSD is a capability of the whole BSS, not something a single STA decides.

    • DSSS-OFDM Subfield

      When this bit is set to 1, the DSSS-OFDM mode is allowed in the cell.

      This bit is always set to 0 for 802.11a networks.

  • Listen Interval Field

    the Listen Interval field is used to indicate to the AP how often a station in Power Save mode wakes to listen to beacon management frames.

    This value is an integer expressed in beacon interval units (for example, a value of 3 indicates that the station wakes up every three beacons). This field is 2 bytes long, which means that the maximum interval could be 65,535.

  • Status Code Field

    The Status Code field is used in a response management frame to indicate the success or failure of a requested operation.

  • Association ID Field

    2 bytes; the AID the AP assigns to an associated STA, in the range 1 to 2007.

  • Reason Code Field

    This Reason Code field is used to indicate the reason that an unsolicited notification management frame of type disassociation, deauthentication, DELTS, DELBA, or DLS teardown was generated.

    The Status Code field indicates if a request is successful and details the cause of the failure.

    The Reason Code field is present only when the frames listed earlier are sent to a station without the station asking for any negotiation of any parameter.

Management Frame Information Elements

2016101902.png

Figure 26: Generic information element format

  • Extended Capabilities Element

    An extension of the Capability Information field, carrying capability information the latter has no room for. It appears in the following frame types: beacons, probe responses, association requests, association responses, reassociation requests, and reassociation responses.

  • SSID Element

    Present in the following frame types: beacons, probe requests, probe responses, association requests, and reassociation requests.

    The element ID is 0, and the maximum length of the SSID string is 32.

    If the AP supports several SSIDs, it sends a corresponding number of beacon frames in each beacon interval.

    If your AP is expected to send a beacon every 100 TUs and your AP supports 5 SSIDs, the AP will send one beacon every 20 TU, advertising its capabilities for each SSID in turn.

  • Supported Rates Element

    The Supported Rates element is present in beacons, probe requests, probe responses, and all association frames.

    This element specifies up to eight rates.

    In the Supported Rates field, the length field is encoded as 1 to 8 octets, where each octet describes a single supported rate.

    Each rate is listed over one octet, with the following logic:

    • The last bit (bit 7) is set to 1 if the rate is a basic rate (that is, a mandatory rate) and set to 0 if the rate is simply supported.
    • The other seven bits (bits 0 to 6) are set to the data rate, if necessary rounded up to the next 500 Kbps, in units of 500 Kbps.

      For example, a 5.5 Mbps rate contained in the BSSBasicRateSet parameter is encoded as 10001011 (10000000 because it is set to Basic Rate, and binary 1011 for decimal 11, because 5.5 Mbps is 11 times 500 kbps); 2 Mbps supported would be 00000100.

    Any STA that wants to join an AP must support the basic rates the AP specifies.
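    As an added example (not code from the book), the rate encoding above implemented in Python: it builds the Supported Rates and Extended Supported Rates elements for a constructed 802.11b/g rate set, parses them back, and applies the join rule by checking whether a station's rate set covers every basic rate.

```python
"""Encode and decode the Supported Rates (element ID 1) and Extended Supported
Rates (element ID 50) elements, following the octet layout described above:
bit 7 marks a basic (mandatory) rate and bits 0-6 give the rate in 500 kbps
units, rounded up. Added example, not code from the book; the rate sets below
are constructed."""

import math

SUPPORTED_RATES_ID = 1       # element ID of Supported Rates
EXT_SUPPORTED_RATES_ID = 50  # element ID of Extended Supported Rates
MAX_SUPPORTED_RATES = 8      # Supported Rates carries at most 8 rate octets
BASIC_RATE_BIT = 0x80        # bit 7: rate is part of the BSSBasicRateSet


def encode_rate(mbps: float, basic: bool) -> int:
    """Return the one-octet encoding of a rate, e.g. 5.5 Mbps basic -> 0x8B."""
    units = math.ceil(mbps * 2)  # number of 500 kbps units, rounded up
    if not 1 <= units <= 127:
        raise ValueError(f"rate {mbps} Mbps does not fit in 7 bits")
    return (BASIC_RATE_BIT if basic else 0) | units


def decode_rate(octet: int) -> tuple:
    """Return (rate in Mbps, is_basic) for one rate octet."""
    return (octet & 0x7F) / 2, bool(octet & BASIC_RATE_BIT)


def build_rate_elements(rates) -> list:
    """Split (mbps, basic) pairs into the Supported Rates element and, when
    more than 8 rates are advertised, an Extended Supported Rates element."""
    octets = bytes(encode_rate(mbps, basic) for mbps, basic in rates)
    if not octets:
        raise ValueError("at least one rate must be advertised")
    head, tail = octets[:MAX_SUPPORTED_RATES], octets[MAX_SUPPORTED_RATES:]
    elements = [bytes([SUPPORTED_RATES_ID, len(head)]) + head]
    if tail:
        elements.append(bytes([EXT_SUPPORTED_RATES_ID, len(tail)]) + tail)
    return elements


def parse_rate_elements(ie_data: bytes) -> dict:
    """Walk a sequence of information elements (ID, length, value) and return
    {rate_mbps: is_basic} collected from both rate elements; others are skipped."""
    rates = {}
    pos = 0
    while pos + 2 <= len(ie_data):
        eid, length = ie_data[pos], ie_data[pos + 1]
        value = ie_data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if eid in (SUPPORTED_RATES_ID, EXT_SUPPORTED_RATES_ID):
            for octet in value:
                mbps, basic = decode_rate(octet)
                rates[mbps] = basic
        pos += 2 + length
    return rates


def basic_rates(rates: dict) -> set:
    """The BSSBasicRateSet: every advertised rate whose bit 7 was set."""
    return {mbps for mbps, basic in rates.items() if basic}


def can_join(ap_rates: dict, station_rates: set) -> bool:
    """A station may only associate if it supports every basic rate of the AP."""
    return basic_rates(ap_rates) <= station_rates


# Constructed 802.11b/g mixed-mode rate set: the four HR/DSSS rates are basic.
BG_RATES = [(1, True), (2, True), (5.5, True), (11, True),
            (6, False), (9, False), (12, False), (18, False),
            (24, False), (36, False), (48, False), (54, False)]
# Constructed station that only implements the OFDM rates.
OFDM_ONLY_STATION = {6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0}

if __name__ == "__main__":
    elements = build_rate_elements(BG_RATES)
    print([element.hex() for element in elements])
    advertised = parse_rate_elements(b"".join(elements))
    print("basic rates:", sorted(basic_rates(advertised)))
    print("OFDM-only station can join:", can_join(advertised, OFDM_ONLY_STATION))
```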

  • Extended Supported Rates Element

    The Extended Supported Rates element specifies the supported rates not carried in the Supported Rates element.

    The information element is encoded as 1 to 255 octets where each octet describes a single supported rate.

  • Extended Rate PHY (ERP) Element

    The ERP element is present only on 2.4 GHz networks supporting 802.11g and is present in beacons and probe responses.

  • Robust Security Network (RSN) Information Element

    This IE is very important when WPA/WPA2 is used, since it determines the AP's authentication and encryption mechanisms.

    The RSN element ID is 48. It is found mainly in beacons, probe responses, association responses, and reassociation responses. Its structure is as follows:

    2016102001.png

    Figure 27: RSN element

    • Version

      Always set to 1.

    • Pairwise Cipher Suite Count

      Indicates how many cipher suites are supported.

    • Pairwise Cipher Suite List

      Each field is 4 bytes long, because each cipher is represented over 4 bytes.

      When a station supports several ciphers, it always chooses the strongest one first (in order: CCMP, TKIP, WEP 104, WEP 40).

      Authentication and Key Management (AKM)

      Now that the ciphers allowed in the cell are defined, you still need to inform potential cell clients about how they are supposed to authenticate in order to join the cell.

      • AKM Suite Count: the number of methods allowed.
      • AKM Suite List: displays each individual method. Each method is coded over 4 bytes: the first 3 bytes are an OUI, and the last byte is one of the methods supported by the vendor matching the OUI.

        The 802.11i committee defined two methods: 00-0F-AC-1 for 802.1X or PMK caching and 00-0F-AC-2 for PSK.
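        As an added example (not code from the book), a parser for the RSN element described above, with the strongest-cipher selection in the order the text gives and a check for legacy ciphers still allowed in the cell. The two element byte strings are constructed; the group cipher suite field between Version and the pairwise count, and the cipher suite type numbers under OUI 00-0F-AC, are taken from 802.11i.

```python
"""Parse an RSN information element (ID 48): version, group cipher suite,
pairwise cipher suite count and list, AKM suite count and list, then the
RSN capabilities. Pick the strongest pairwise cipher in the order the text
gives (CCMP, TKIP, WEP 104, WEP 40) and flag legacy ciphers. Added example,
not code from the book; the element bytes below are constructed."""

import struct
from dataclasses import dataclass

RSN_ELEMENT_ID = 48
IEEE_OUI = bytes.fromhex("000fac")  # OUI the IEEE uses for its own suites

# Suite type values assigned under OUI 00-0F-AC by 802.11i.
CIPHER_SUITES = {0: "use group cipher", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}
CIPHER_PREFERENCE = ("CCMP", "TKIP", "WEP-104", "WEP-40")  # strongest first
LEGACY_CIPHERS = ("TKIP", "WEP-104", "WEP-40")


@dataclass
class RsnElement:
    version: int
    group_cipher: tuple      # (oui bytes, suite type)
    pairwise_ciphers: list   # list of (oui bytes, suite type)
    akm_suites: list         # list of (oui bytes, suite type)
    capabilities: int


def suite_name(suite: tuple, table: dict) -> str:
    oui, kind = suite
    if oui != IEEE_OUI:
        return f"vendor {oui.hex('-')}:{kind}"
    return table.get(kind, f"unknown({kind})")


def _read_u16(body: bytes, pos: int) -> int:
    if pos + 2 > len(body):
        raise ValueError("truncated RSN element")
    return struct.unpack_from("<H", body, pos)[0]  # little-endian, per 802.11


def _read_suite_list(body: bytes, pos: int):
    """Read a 2-byte count followed by that many 4-byte suite selectors."""
    count = _read_u16(body, pos)
    pos += 2
    suites = []
    for _ in range(count):
        if pos + 4 > len(body):
            raise ValueError("suite list runs past the end of the element")
        suites.append((body[pos:pos + 3], body[pos + 3]))
        pos += 4
    return suites, pos


def parse_rsn(element: bytes) -> RsnElement:
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    if len(body) != element[1]:
        raise ValueError("element shorter than its length field")
    version = _read_u16(body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    if len(body) < 6:
        raise ValueError("missing group cipher suite")
    group = (body[2:5], body[5])
    pairwise, pos = _read_suite_list(body, 6)
    akms, pos = _read_suite_list(body, pos)
    # RSN Capabilities is optional at the end; absent means all flags clear.
    caps = _read_u16(body, pos) if pos + 2 <= len(body) else 0
    return RsnElement(version, group, pairwise, akms, caps)


def strongest_pairwise(rsn: RsnElement):
    """The cipher a station would pick, following the preference order above."""
    names = {suite_name(s, CIPHER_SUITES) for s in rsn.pairwise_ciphers}
    return next((name for name in CIPHER_PREFERENCE if name in names), None)


def legacy_ciphers(rsn: RsnElement) -> list:
    """Legacy ciphers still allowed in the cell, from both group and pairwise lists."""
    suites = [rsn.group_cipher] + rsn.pairwise_ciphers
    names = {suite_name(s, CIPHER_SUITES) for s in suites}
    return [name for name in LEGACY_CIPHERS if name in names]


def akm_names(rsn: RsnElement) -> list:
    return [suite_name(s, AKM_SUITES) for s in rsn.akm_suites]


# Constructed elements: a CCMP/PSK cell and a TKIP+CCMP mixed cell using 802.1X.
WPA2_PSK_CCMP = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
MIXED_8021X = bytes.fromhex(
    "3018" "0100" "000fac02" "0200" "000fac02" "000fac04" "0100" "000fac01" "0000")

if __name__ == "__main__":
    for raw in (WPA2_PSK_CCMP, MIXED_8021X):
        rsn = parse_rsn(raw)
        print(suite_name(rsn.group_cipher, CIPHER_SUITES), strongest_pairwise(rsn),
              akm_names(rsn), "legacy:", legacy_ciphers(rsn))
```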

  • Basic Service Set (BSS) Load Element

    This element is used only when QoS is supported. It is often called QBSS Load element.

    It provides information about the cell from the AP's point of view. It is usually sent by the AP, and receiving STAs use the information it carries to decide how to roam.

    2016101002.png

    Figure 28: BSS Load element

    • Station Count: a simple number showing how many stations are currently associated to the cell.
    • Channel Utilization: the percentage of time, normalized to 255, that the AP sensed the medium was busy, as indicated by either the physical or virtual carrier sense mechanism.

      The AP senses the medium, just like any other station, every slot time. At regular intervals (every 50 beacons by default, which represents 5.12 seconds if the beacons are sent at 100 TU intervals), the AP looks over the last period and counts how many times the network was seen as busy and how many times it was seen as idle. The AP then calculates a simple percentage and translates it into a 0 to 255 range.

    This information is used by QoS stations to gauge the space available on several APs in range.

  • Enhanced Distributed Channel Access (EDCA) Parameter Element

    In most QoS-enabled networks, this field is not used, and the same information is provided through the WMM or the WME vendor-specific element.

  • QoS Capability Element

    This element is used only when QoS is supported. It is used as a replacement to the EDCA Parameter element when EDCA Parameter is not present. It is also used by the AP to communicate to the cell the QoS information.

    In most QoS-enabled networks, this field is not used, and the same information is provided through the WMM or the WME vendor-specific element.

  • Direct Sequence Parameter Set Element

    This element is used by both the DSSS and OFDM systems, on both 2.4 GHz and 5 GHz spectrums. It is a very important field that simply indicates the current channel.

    2016102003.png

    It carries the value of the central channel or primary channel on which the sender transmits.

  • Traffic Indication Map (TIM) Element

    This element is present only in beacons.

    2016102004.png

    Figure 29: TIM element

    The DTIM is not present in all beacons and all TIMs. At regular intervals (usually configurable on the AP), the beacon contains a TIM that is also a DTIM. The DTIM's purpose is easy to understand: the AP uses the beacon frame's Delivery Traffic Indication Message (DTIM) information to inform the cell that it has broadcast or multicast frames buffered.

    Stations in low power mode should wake up at least for every beacon that is a DTIM. The DTIM does not have to be in every beacon but can, for example, occur every two to five beacons. The DTIM is contained in the TIM, so in that case it is said that the TIM is also a DTIM.

    • DTIM period

      the number of beacon intervals between successive DTIMs (for example, 3 means every third beacon is a DTIM). Maximum Value is 255, Minimum Value is 1.

    • DTIM Count

      how many beacon frames (including the current frame) appear before the next DTIM.

      A DTIM Count field of 0 indicates that the current TIM is a DTIM. A DTIM count of 1 indicates that the next beacon is a DTIM.

      MAX DTIM Count = DTIM period - 1

    • Bitmap Control field

      The first bit of the bitmap control field is used to announce the presence of multicast or broadcast traffic buffered on the AP.

      The next 7 bits of the Bitmap Control field, along with the virtual bitmap, represent the stations in low power mode for which the AP has traffic buffered.

      The remaining seven bits are the Bitmap Offset, which may have any value between 0 and 127. Setting it saves space: when the first bytes of the Partial Virtual Bitmap are all zero, the Bitmap Offset indicates which bytes can be skipped. The Bitmap Offset value multiplied by 2 gives the number of all-zero bytes, counted from the first byte of the Partial Virtual Bitmap, that are omitted. For example, if no STA with an AID between 1 and 39 has buffered unicast frames, the Bitmap Offset value is 2; the Partial Virtual Bitmap then only needs a single all-zero byte, and the first 4 bytes are taken to be all zero.

    • Partial Virtual Bitmap

      The Partial Virtual Bitmap value is just a series of flags (bits set to either a 1 or a 0) indicating whether each associated station has unicast frames buffered at the AP.

      Each STA that has been assigned an AID corresponds to one bit in the Partial Virtual Bitmap; if the bit is 1, the AP has frames buffered for that STA.
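      As an added example (not code from the book), an encoder and decoder for the TIM element covering the DTIM Count and DTIM Period rule, the Bitmap Offset space saving and the AID-to-bit mapping described above. The AID values and element bytes are constructed; the element ID 5 and the full-bitmap size of 251 octets (AID 0 through 2007) are taken from the standard.

```python
"""Build and decode the TIM element (element ID 5): DTIM Count, DTIM Period,
Bitmap Control (bit 0 = multicast/broadcast buffered, bits 1-7 = Bitmap
Offset) and the Partial Virtual Bitmap. AID n maps to bit n mod 8 of octet
n div 8 of the full virtual bitmap; the offset skips 2 * offset leading
all-zero octets. Added example, not code from the book; AIDs and bytes are
constructed."""

from dataclasses import dataclass

TIM_ELEMENT_ID = 5
MAX_AID = 2007
FULL_BITMAP_OCTETS = 251  # 2008 bits: AID 0 (multicast) through AID 2007


@dataclass
class TimElement:
    dtim_count: int
    dtim_period: int
    multicast_buffered: bool
    bitmap_offset: int
    partial_virtual_bitmap: bytes

    @property
    def is_dtim(self) -> bool:
        return self.dtim_count == 0

    def has_buffered_unicast(self, aid: int) -> bool:
        """True when the AP has unicast frames buffered for this AID."""
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID {aid} out of range 1..{MAX_AID}")
        index = aid // 8 - 2 * self.bitmap_offset  # octet inside the partial bitmap
        if index < 0 or index >= len(self.partial_virtual_bitmap):
            return False  # octets outside the partial bitmap are implicitly zero
        return bool((self.partial_virtual_bitmap[index] >> (aid % 8)) & 1)

    def buffered_aids(self) -> list:
        """Every AID whose bit is set (AID 0 is not a station and is skipped)."""
        first_octet = 2 * self.bitmap_offset
        return [(first_octet + i) * 8 + bit
                for i, octet in enumerate(self.partial_virtual_bitmap)
                for bit in range(8)
                if (octet >> bit) & 1 and (first_octet + i) * 8 + bit >= 1]


def parse_tim(element: bytes) -> TimElement:
    if len(element) < 2 or element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    body = element[2:2 + element[1]]
    if len(body) != element[1] or len(body) < 4:
        raise ValueError("TIM needs 3 fixed octets and at least 1 bitmap octet")
    dtim_count, dtim_period, control = body[0], body[1], body[2]
    if dtim_period < 1 or dtim_count >= dtim_period:
        raise ValueError("DTIM Count must be between 0 and DTIM Period - 1")
    return TimElement(dtim_count, dtim_period, bool(control & 1), control >> 1, body[3:])


def build_tim(dtim_count: int, dtim_period: int, multicast_buffered: bool,
              buffered_aids) -> bytes:
    """Encode a TIM, dropping leading all-zero octets in pairs (Bitmap Offset)
    and trailing all-zero octets from the Partial Virtual Bitmap."""
    if dtim_period < 1 or not 0 <= dtim_count < dtim_period:
        raise ValueError("DTIM Count must be between 0 and DTIM Period - 1")
    full = bytearray(FULL_BITMAP_OCTETS)
    for aid in buffered_aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID {aid} out of range 1..{MAX_AID}")
        full[aid // 8] |= 1 << (aid % 8)
    nonzero = [i for i, octet in enumerate(full) if octet]
    if nonzero:
        n1 = nonzero[0] & ~1  # largest even octet index not past the first set bit
        n2 = nonzero[-1]
    else:
        n1 = n2 = 0           # nothing buffered: a single all-zero octet is still sent
    control = ((n1 // 2) << 1) | int(multicast_buffered)
    body = bytes([dtim_count, dtim_period, control]) + bytes(full[n1:n2 + 1])
    return bytes([TIM_ELEMENT_ID, len(body)]) + body


# Constructed cell: DTIM every 3 beacons, multicast buffered, AIDs 35 and 44 waiting.
SAMPLE_TIM = build_tim(1, 3, True, [35, 44])

if __name__ == "__main__":
    tim = parse_tim(SAMPLE_TIM)
    print(SAMPLE_TIM.hex(), "offset", tim.bitmap_offset, "AIDs", tim.buffered_aids())
```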

  • IBSS Parameter Set Element

    This element is present only on probe responses and beacons of stations in an IBSS.

  • Country Element

    802.11d. The Country field defines the country of operation, along with the allowed channels and maximum transmit power.

    It is not a mandatory field and is typically found on APs that can support several country settings.

  • Power Constraint Element

    802.11h. In the Power Constraint field, the AP indicates how much lower than the maximum transmit power announced in the Country element participants should try to go.

  • TPC Report Element

    802.11h. The TPC Report element contains transmit power and link margin information, usually sent in response to a TPC Request element.

  • Channel Switch Announcement Element

    802.11h. When a radar blast is detected, all stations must leave the affected channel. The AP can be set to announce to the cell which channel is next.

  • Quiet Element

    802.11h. An AP can request a quiet time during which no stations should transmit, in order to test the channel for the presence of radars.

  • Vendor-Specific Elements

    Beyond all the options defined by the standard or any of its amendments, each vendor can define proprietary options and add them to any management frame's supporting elements.

    2016102005.png

    Figure 30: Vendor-specific element

    Each vendor wanting to implement vendor-specific elements needs to obtain an OUI for this purpose from the IEEE. The vendor will display this OUI in the element header, along with the element ID 221, which identifies a vendor-specific element.

Action Frames

Action frames are a type of management frame used to trigger an action in the cell.

2016102006.png

Figure 31: Action frame structure

The frame body contains three sections:

  • Category: describes the action frame type. The category tells you which family the action frame belongs to and which protocol introduced it.
  • Action: the action to perform. It is usually a number; you need to know the category to understand which action is called.
  • Element: adds additional information specific to the action.

Table 14: Action frame types

Category  Meaning                          Action  Action description
0         spectrum management              1       Measurement Request Frame
0         spectrum management              2       TPC request
0         spectrum management              3       TPC report
0         spectrum management              4       Channel Switch Announcement frame
1         QoS                              0       ADDTS request
1         QoS                              1       ADDTS response
1         QoS                              2       DELTS
1         QoS                              3       Schedule
1         QoS                              4-255   Unused/reserved
2         DLS                              0       DLS request
2         DLS                              1       DLS response
2         DLS                              2       DLS teardown
2         DLS                              3-255   Unused/reserved
3         Block ack                        0       ADDBA request
3         Block ack                        1       ADDBA response
3         Block ack                        2       DELBA
3         Block ack                        3-255   Unused/reserved
4         Public                           0       Reserved
4         Public                           1       DSE enablement
4         Public                           2       DSE deenablement
4         Public                           3       DSE registered location announcement
4         Public                           4       Extended channel switch announcement
4         Public                           5       DSE measurement request
4         Public                           6       DSE measurement report
4         Public                           7       Measurement pilot
4         Public                           8       DSE power constraint
4         Public                           9       Vendor specific
4         Public                           10-255  Unused/reserved
5         Radio measurement                0       Radio measurement request
5         Radio measurement                1       Radio measurement report
5         Radio measurement                2       Link measurement request
5         Radio measurement                3       Link measurement report
5         Radio measurement                4       Neighbor report request
5         Radio measurement                5       Neighbor report response
5         Radio measurement                6-255   Unused/reserved
6         Fast BSS transition              0       Reserved
6         Fast BSS transition              1       FT request
6         Fast BSS transition              2       FT response
6         Fast BSS transition              3       FT confirm
6         Fast BSS transition              4       FT ack
6         Fast BSS transition              5-255   Unused/reserved
7         -                                0-255   Unused/reserved
8         SA query                         0       SA query
8         SA query                         1       SA response
8         SA query                         2-255   Unused/reserved
9         Protected dual of public action  0       Reserved
9         Protected dual of public action  1       Protected DSE enablement
9         Protected dual of public action  2       Protected DSE deenablement
9         Protected dual of public action  3       Reserved
9         Protected dual of public action  4       Protected extended channel switch announcement
9         Protected dual of public action  5       Protected DSE measurement request
9         Protected dual of public action  6       Protected DSE measurement report
9         Protected dual of public action  7       Reserved
9         Protected dual of public action  8       Protected DSE power constraint
9         Protected dual of public action  9-255   Unused/reserved
10-125    -                                -       Unused/reserved
126       Vendor-specific protected        0-255   Vendor dependent
127       Vendor specific                  0-255   Vendor dependent
128-255   Error                            0-255   Unused, returns an error message

Spectrum and Transmit Power Management (802.11h)

DFS & TPC.

  • Channel Switch Announcement

    The AP uses it to inform the cell that all stations have to move to another channel because a radar was detected on the current frequency. It is present in beacons and probe responses.

    2016102006.png

    Figure 32: Channel Switch Announcement action frame

    The Channel Switch Count segment can be set to 0 to indicate that the change will occur any time after the present beacon was sent. It can be set to 1 to show that the jump will occur just before the next beacon.

  • Measurement Request Frame and Measurement Report Frame

    A request to detect whether a radar signal is present, and the report of the detection result.

  • TPC Request Frame and TPC Report Frame

    Used to adjust transmit power dynamically.

  • Quiet Element

    Carried in probe responses and beacons. It tells STAs to stay silent for a certain period, during which no data may be transmitted.

Admission Control (802.11e)

QoS transmits data according to different priorities; a flow with a negotiated QoS level is called a traffic stream (TS).

  • ADDTS Request and ADDTS Response Frames

    The ADDTS request is always sent by a station (that is, never by an access point) wanting to add a new TS to the cell.

  • DELTS Frames

    Once a TS is admitted, a station receives the predetermined QoS level negotiated in the ADDTS exchange. After a while, the TS can be removed to free resources from the cell.

  • Schedule Frames

    When a TS is admitted, the schedule frame is transmitted by the AP to the station to announce the schedule of delivery of data and polls (when the station also uses power save).

802.11r and 802.11w

  • Fast BSS Transition (802.11r)

    The 802.11r amendment defines how fast secure roaming can be handled between access points.

  • Protected Management Frames

    In 2009, the 802.11w amendment was published to provide a way to protect management frames.

Review Questions

  1. How many management frame types are described by the 802.11-2007 standard?

    A. 4

    B. 11

    C. 12

    D. 13

    答案解析

    C. The 802.11-2007 standard describes 12 management frame types: beacon, probe request, probe response, authentication, association request, association response, reassociation request, reassociation response, disassociation, deauthentication, ATIM, and action frame.

  2. In which frame would you find a timestamp field?

    A. Beacon

    B. Association request

    C. Association response

    D. Authentication

    答案解析

    A. The timestamp is present in beacons and is used by stations associated to the cell as a clock reference. The time synchronization function uses the timestamp to align the stations’ cell clock to the AP clock.

  3. What is the purpose of the Listen Interval field?

    A. To determine the next QoS service period

    B. To organize the detection of radar blasts

    C. To optimize BSS Fast Roaming transition times

    D. To specify when stations in low power mode would wake up

    答案解析

    D. In frames sent from stations to access points (association request, reassociation request), the Listen Interval field is used to indicate to the AP how often a station in Power Save mode wakes to listen to beacon management frames.

  4. In which case would a station send a reassociation frame?

    A. To rejoin an IBSS after a member disconnected

    B. To join a new AP on the same ESS

    C. To rejoin an AP after deauthentication occurred

    D. To reenter the cell after the AP jumped to a new channel

    答案解析

    B. This type of frame can be sent only by a station to an access point and is used when the station is already associated to the ESS and wants to associate to another access point connecting to the same ESS.

  5. How does a QoS station request a quality of service commitment from its AP?

    A. By using the ADDTS frame

    B. By using the TSPEC request frame

    C. By using the QoS BSS Load action frame

    D. By sending the Schedule Request frame

    答案解析

    A. QoS stations use the ADDTS frame to ask the AP to add a traffic stream to the cell. The ADDTS contains a TSPEC element describing the traffic specifications. There is no such thing as a TSPEC request frame. The QBSS Load Element is present in the beacon to inform potential client stations about the current load in the cell. Schedule is a frame sent by the AP to determine when the service period will start.

  6. How long do stations have before leaving a channel affected by a radar blast?

    A. 260 milliseconds

    B. 10 seconds

    C. 30 seconds

    D. 60 seconds

    答案解析

    B. Stations detecting a radar blast have 10 seconds from the moment of detection to leave the affected frequency. During this interval, they have the right to still send up to 260 milliseconds worth of frames. Upon getting to a new channel, they can respect a quiet interval to listen for radar blasts on the new frequency. This quiet interval is commonly 60 seconds. Stations cannot return to the affected channel for 30 minutes.

  7. Which of the following is true about the Privacy subfield?

    A. When its value is 1, WEP encryption is in place.

    B. When its value is 1, any encryption may be in place.

    C. Its values can be 0 for no encryption, 1 for WEP, 2 for WPA, and 3 for WPA2.

    D. When its value is 1, the station is in low power mode and not listening to the cell frames.

    答案解析

    B. Although originally designed for WEP, the Privacy subfield today indicates that some form of encryption is in place, WEP, TKIP, or AES.

  8. What is the beacon default interval?

    A. 100 milliseconds

    B. 102.4 TUs

    C. 102.4 milliseconds

    D. 100 TBTTs

    答案解析

    C. A beacon is sent by default every 102.4 milliseconds or 100 TUs (one time unit is 1.024 millisecond). The time at which the next beacon should be sent is the target beacon transmission time (TBTT). The AP tries to send the beacon at each planned TBTT.

  9. Which of the following is the OUI used by the IEEE in the RSN information element?

    A. 00-00-00

    B. 0E-EE-00

    C. 11-11-11

    D. 00-0F-AC

    答案解析

    D. The RSN element uses a cipher suite to describe what encryption should be used for unicast or broadcast/multicast frames. The element is composed of an organization unique identifier representing the cipher vendor and of a cipher number for this vendor. The IEEE uses the OUI 00-0F-AC.

  10. Which amendment uses FT frames?

    A. 802.11i

    B. 802.11n

    C. 802.11r

    D. 802.11w

    答案解析

    C. FT frames are action frames defined by the BSS Fast Transition amendment 802.11r and are used for fast and secure roaming between APs part of the same ESS.

  11. What should a station where an ADDTS request has been refused do next?

    A. Retry the same or a lower TSPEC

    B. Revert back to PCF

    C. Roam to the next AP

    D. Drop the current TS and negotiate the next TS

    答案解析

    A. When an ADDTS is denied by an AP, the station cannot get the QoS level it requested, usually because there was not enough space to accept this TS as requested in the cell. The station can retry, hoping that other TSPEC of the same level got terminated and that space becomes available, or it can revert its ADDTS to a lower QoS level and retry. A station would not leave the cell by default, because roaming takes longer than retry, and would not drop its queued traffic. PCF was never implemented by any vendor.

  12. What information is sent in a TPC report sent from station A to station B?

    A. Link margin as measured by A

    B. Link margin as measured by B

    C. A to B attenuation value

    D. B to A attenuation value

    答案解析

    A. Station A sends its link margin, that is to say what margin it wants B to take when reducing its power. If station A link margin is 5 dB and B calculates that it can send with its power down to 6 dBm, B will send at 11 dBm to respect station A’s link margin request.

  13. What is the category number allocated to QoS-related action frames?

    A. 0

    B. 1

    C. 4

    D. 5

    答案解析

    B. The 802.11e amendment defines several action frames. QoS-related frames are Category 1. Category 0 is allocated to spectrum management frames introduced by the 802.11h amendment. Category 4 is used by public action frames introduced by the 802.11w amendment. Category 5 is used by radio measurement action frames introduced by the 802.11k amendment.

  14. What does ATIM stand for?

    A. Ad Hoc Traffic Indication Message

    B. Announcement Traffic Indication Message

    C. Announcement Traffic Indication Map

    D. Ad Hoc Traffic Indication Map

    答案解析

    B. ATIM stands for Announcement Traffic Indication Message. Don’t confuse this acronym with Traffic Indication Map (TIM) or Delivery Traffic Indication Message (DTIM).

  15. Which information element is a summary of the AP QoS capabilities?

    A. EDCA Parameter Set

    B. TSPEC

    C. QoS Subfield

    D. QoS Capabilities

    答案解析

    D. The QoS Capabilities IE summarizes the AP QoS Capabilities. A more extensive support description is given in the EDCA parameter set. TSPEC element is used by stations (not APs) requesting QoS level through ADDTS Request frames. It can be found in the AP answers but only to describe the original station request, not the AP capabilities. The QoS subfield simply informs whether the AP supports QoS, without details about its capabilities.

  16. How does an AP hide its SSID (SSID not broadcasted in beacons)?

    A. By not sending the SSID information element

    B. By sending an empty SSID information element

    C. By stopping beacon broadcasts

    D. By moving the SSID information element to the vendor-specific section of the beacon

    答案解析

    B. An AP cannot stop broadcasting beacons (most clients would disconnect). The SSID information element has to be present, but its size is not fixed. APs hide the SSID by sending an empty SSID IE. Moving the SSID IE to the vendor-specific section would mean removing the SSID IE from its standard position (order 4 in beacons), which is not allowed by the 802.11 standard.

  17. For which specific conditions does the 802.11 standard describe that the NonERPPresent bit should be set in AP beacons?

    A. 802.11g station associated to the AP

    B. 802.11/802.11b station detected by the AP

    C. 802.11/802.11b station associated to the AP

    D. 802.11/802.11b station authenticated by the AP

    答案解析

    C. The standard describes that the NonERPPresent bit should be set by the AP if a non 802.11g station (that is, 802.11 or 802.11b) is associated to the AP. Many vendors implement this bit as soon as the station is detected by the AP, thus extending the standard requirements.

  18. How do the Supported Rates and Extended Supported Rates information elements specify which rates are mandatory (basic)?

    A. By setting bit 7 to 1 when basic and 0 when supported

    B. By setting mandatory rates in the Supported Rates IE and Supported Rates in the Extended Supported Rates information element

    C. By displaying the six basic rates first and then the supported rates

    D. The distinction between mandatory and supported is set by the 802.11 standard, not by the information elements

    答案解析

    A. Each rate is coded over 8 bits (bits 0 to 7), representing a multiple of 500 Kbps. Bit 7 is set to 1 when the rate is mandatory and to 0 when the rate is supported. Disabled rates are not listed.

  19. Which information element describes support for 40 MHz wide channels?

    A. The Channel Bonding information element

    B. The HT Extended Channel information element

    C. The HT Frequency Slicing information element

    D. The HT Operation element

    答案解析

    D. The HT Operation element describes how 40 MHz channel support is set. The Channel Bonding information element, HT Extended Channel information element, and HT Frequency Slicing information element do not exist.

  20. Which of the following can be identified in an 802.11h measurement report frame?

    A. DSSS signals

    B. OFDM signals

    C. FHSS stations

    D. NonERP stations

    答案解析

    B. The basic measurement report can identify other neighboring cells (BSS), OFDM signals, unidentified signals, or recognized radar signatures (in the sense that a radar matches a specific pattern, which 802.11h-compliant stations must recognize). The CCA measurement can also simply report the RF activity in the cell.

CH05 802.11 Control Frames

Control frames are the "traffic police" of an 802.11 network: they assist the delivery of data frames and management frames.

Understanding Control Frames

Control frames do not have a frame body. In addition to the PHY header and preamble, control frames contain only a layer 2 header and trailer. Control frames are typically transmitted at one of the defined basic rates.

Type value (b3 b2)  Type description  Subtype value (b7 b6 b5 b4)  Subtype description
01                  Control           0000–0110                    Reserved
01                  Control           0111                         Control wrapper
01                  Control           1000                         Block ack request (BlockAckReq)
01                  Control           1001                         Block ack (BlockAck)
01                  Control           1010                         PS-Poll
01                  Control           1011                         RTS
01                  Control           1100                         CTS
01                  Control           1101                         ACK
01                  Control           1110                         CF-End
01                  Control           1111                         CF-End and CF-Ack

Carrier Sense

Before transmitting data, an 802.11 station must perform carrier sense to determine whether the medium is currently busy. Carrier sense is divided into virtual carrier sense and physical carrier sense.

Virtual Carrier Sense

2016102501.png

Figure 33: Virtual carrier sense

The stations that are not transmitting listen and hear the Duration/ID, set a countdown timer (NAV), and wait until their timer hits 0 before they can contend for the medium and eventually transmit on the medium.

A station cannot contend for the medium until its NAV timer is 0, nor can a station transmit on the medium if the NAV timer is set to a nonzero value.

Physical Carrier Sense

Physical carrier sensing is performed constantly by all stations that are not transmitting or receiving.

Physical carrier sense has two purposes:

  1. to determine whether a frame transmission is inbound for a station to receive. If the medium is busy, the radio will attempt to synchronize with the transmission.
  2. to determine whether the medium is busy before transmitting. This is known as the clear channel assessment (CCA).

RTS/CTS Frames

RTS/CTS is an enhancement of the virtual carrier sense mechanism. Before sending data, a STA first sends an RTS to the recipient, and the neighboring STAs that hear the RTS update their NAV values. The recipient replies with a CTS, and the neighboring STAs that hear the CTS also update their NAV values. This mechanism effectively avoids access collisions between STAs that cannot hear each other's transmissions.

2016102701.png

Figure 34: RTS frame

2016102702.png

Figure 35: CTS frame

2016102703.png

Figure 36: RTS/CTS Duration values

CTS-to-Self

CTS-to-self is used strictly as a protection mechanism for mixed-mode environments.

2016102704.png

Figure 37: CTS-to-self frame Duration values

CTS-to-Self has comparatively less overhead, but it can run into the hidden node problem.

Protection Mechanism

For 802.11g, 802.11b stations, and legacy 802.11 DSSS stations to coexist within the same BSS, the 802.11g devices enable what is referred to as the protection mechanism, also known as 802.11g Protected mode.

Many access point vendors offer three configuration modes for an 802.11g access point:

  1. 802.11b-Only Mode: in this mode, the AP behaves as an 802.11b AP.
  2. 802.11g-Only Mode: APs configured as g-only will communicate only with 802.11g client stations, using ERP-OFDM technology at data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Support for DSSS and HR-DSSS is disabled.
  3. 802.11b/g Mode: the default mode, supporting both DSSS and OFDM.

Preventing Collisions

Before transmitting data, 802.11g devices first send RTS/CTS or CTS-to-self to reserve medium access time, but these frames must be sent at a rate the 802.11b HR-DSSS devices support; otherwise those devices cannot understand the frames they receive and cannot extract the Duration value.

ERP Information Element

The ERP IE carries information about 802.11/802.11b stations.

2016102705.png

The element ID field contains the value 42, which identifies the IE as an ERP IE, and the length field contains the value 3. The fields r3 through r7 are reserved and set to 0 by default.

The remaining three fields are NonERP_Present, Use_Protection, and Barker_Preamble_Mode. When a non-ERP station is associated to the BSS, the NonERP_Present bit is set to 1. If one or more associated non-ERP stations are not capable of using short preambles, then the Barker_Preamble_Mode bit is set to 1.

Triggering Protection Mechanism

The 802.11g AP decides whether to enable the protection mechanism, and it communicates this through the ERP IE carried in beacons. The following situations trigger the protection mechanism:

  • An HR-DSSS (802.11b) client association will trigger protection.
  • If an 802.11g AP hears a beacon frame from an 802.11 or 802.11b access point or ad hoc client, the protection mechanism will be triggered.
  • If an ERP AP hears a management frame (other than a probe request) where the supported rates include only 802.11 or 802.11b rates, the NonERP_Present bit may be set to 1.

    How Does 802.11b Affect 802.11g Throughput?

    The cause is not a switch to 802.11b rates; transmissions between ERP stations are still sent at ERP-OFDM rates. The cause is the large overhead of sending RTS/CTS or CTS-to-self before each data frame in protection mode. A 54 Mbps rate normally provides 18 to 24 Mbps of aggregate throughput. Once protection mode is enabled, even though STAs still transmit data at ERP rates, the actual aggregate throughput falls below 13 Mbps and can be as low as 9 Mbps.

Acknowledgement Frame

802.11 transmission is half-duplex, so to confirm successful delivery every unicast frame requires an acknowledgement frame, which is 14 bytes long.

An excessive Layer 2 retransmission rate is a major factor degrading WiFi performance.

Block Acknowledgement Request

802.11e introduced the Block Ack (BA) mechanism, which aggregates multiple acknowledgements into a single frame and improves channel efficiency.

2016102706.png

Figure 38: BlockAckReq frame

The Multi-TID and Compressed Bitmap subfields determine whether this is a basic Block ACK request, a compressed Block ACK request, or a multi-TID Block ACK request.

Block Acknowledgement

2016102707.png

Figure 39: BlockAck frame

PS-Poll

2016102708.png

Figure 40: PS-Poll frame

2016102709.png

Figure 41: Legacy power management

Control Wrapper

Introduced in 802.11n, it is used to carry another control frame (other than a Control Wrapper frame) together with an HT Control field.

2016102710.png

Figure 42: Control Wrapper frame format

Contention Free

2016102711.png

Figure 43: CF-End frame format

2016102712.png

Figure 44: CF-End+CF-Ack frame format

Review Questions

  1. ACK and CTS frames follow which interframe space?

    A. EIFS

    B. DIFS

    C. PIFS

    D. SIFS

    E. LIFS

    答案解析

    D. ACK frames and CTS frames may follow a SIFS. LIFS do not exist.

  2. 802.11 collision detection is handled using which technology?

    A. Network allocation vector (NAV)

    B. Clear channel assessment (CCA)

    C. Duration/ID value

    D. Receiving an ACK from the destination station

    E. Positive collision detection cannot be determined

    答案解析

    E. 802.11 technology does not use collision detection. If an ACK frame is not received by the original transmitting radio, the unicast frame is not acknowledged and will have to be retransmitted. This process does not specifically determine whether a collision occurs. Failure to receive an ACK frame from the receiver means that either a unicast frame was not received by the destination station or the ACK frame was not received, but it cannot positively determine the cause. It may be because of collision or other reasons such as a high noise level. All of the other options are used to help avoid collisions.

  3. What would cause an 802.11 station to retransmit a unicast frame? (Choose all that apply.)

    A. The transmitted unicast frame was corrupted.

    B. The ACK frame from the receiver was corrupted.

    C. The receiving station was set to PCF mode.

    D. The transmitting station will attempt to retransmit the data frame.

    E. The transmitting station will send a retransmit notification.

    答案解析

    A, B. The receiving station may have received the data, but the returning ACK frame may have become corrupted, and the original unicast frame will have to be retransmitted. If the unicast frame becomes corrupted for any reason, the receiving station will not send an ACK.

  4. A station has enabled protection mechanism and has to enable RTS/CTS to provide NAV reservation. During this process, which of the following frames are transmitted by the station? (Choose all that apply.)

    A. RTS

    B. CTS

    C. DATA

    D. SIFS

    E. ACK

    答案解析

    A, C. During the RTS/CTS process, the transmitting station will first transmit the RTS. After a SIFS, the intended recipient of the frame will transmit a CTS. After another SIFS, the station will transmit the data frame, and then following another SIFS, the intended recipient will transmit an ACK if the frame was received correctly.

  5. When Power Save mode is enabled, the station uses the TBTT to determine when to awaken so that it can listen for the _ frame, specifically looking to see whether its _ is set in the __ field.

    A. Data, AID, TIM

    B. Data, AID, ATIM

    C. Beacon, AID, TIM

    D. Beacon, AID, ATIM

    E. Beacon, SID, TIM

    F. Data, SID, TIM

    答案解析

    C. When Power Save mode is enabled, the station uses the Target Beacon Transmission Time along with the Beacon frame’s time stamp to know when to awaken prior to the transmission of a Beacon. If the AP has cached frames for the station, it will notify the station by indicating the station’s Association ID (AID) in the Traffic Indication Map (TIM) field.

  6. While performing a packet analysis, you periodically see some CF-End frames along with some CF-End+CF-ACK frames. Why are these frames occurring? (Choose all that apply.)

    A. These are corrupted frames

    B. You are running an IBSS network that has PCF enabled.

    C. You are running a BSS network that has DCF enabled.

    D. These are normal frames in a contention network.

    答案解析

    A. Contention-free (CF) frames occur if a Point Coordination Function (PCF) network is configured; however, to our knowledge, no manufacturers have implemented PCF. If PCF were implemented, it would require an AP to operate as the point coordinator, so PCF could not operate on an IBSS or ad hoc network. Since no manufacturers have implemented PCF, the only way these frames could be displaying in the packet analyzer is if other frames are corrupted and are being misidentified as PCF frames.

  7. Which of the following are protection mechanisms? (Choose all that apply.)

    A. NAV back-off

    B. RTS/CTS

    C. RTS-to-self

    D. CTS-to-self

    E. WEP encryption

    答案解析

    B, D. RTS/CTS and CTS-to-Self provide 802.11g protection mechanisms, sometimes referred to as mixed-mode support. NAV back-off and RTS-to-Self do not exist. WEP encryption provides data security.

  8. Control frames contain which of the following components? (Choose all that apply.)

    A. Layer 2 header

    B. Layer 3 header

    C. Layer 2 trailer

    D. Layer 3 trailer

    E. Frame body

    F. Data

    答案解析

    A, C. Unlike management and data frames, control frames contain only a layer 2 header and trailer.

  9. The Type and Subtype fields are used to identify the function of the frame. The Type field is _ bits long, and the Subtype field is _ bits long.

    A. 2, 2

    B. 2, 4

    C. 4, 4

    D. 4, 8

    E. 8, 8

    答案解析

    B. In any frame, the Type field is 2 bits long and identifies whether the frame is a data frame, management frame, or control frame. The Subtype field is 4 bits long.

  10. During a packet capture, you see that the Barker_Preamble_Mode bit of the ERP information element is set to 1. What is the likely cause?

    A. All nodes support ERP.

    B. A station is not capable of using short preambles.

    C. This is a setting that was manually configured on the AP.

    D. A station is only capable of complementary code keying.

    E. This is the default setting.

    答案解析

    B, C. If one or more associated NonERP stations are not capable of using short preambles, then the BarkerPreambleMode bit is set to 1. This is a setting that can also be manually set on many access points.

  11. Which field in the MAC header of an 802.11 frame resets the NAV timer for all listening 802.11 stations?

    A. NAV

    B. Frame control

    C. Duration/ID

    D. Sequence number

    E. Strictly ordered bit

    答案解析

    C. When the listening radio hears a frame transmission from another station, it looks at the header of the frame and determines whether the Duration/ID field contains a Duration value or an ID value. If the field contains a Duration value, the listening station will set its NAV timer to this value.

  12. Prior to using the Block ACK mechanism to transmit QoS data, which of the following is true? (Choose all that apply.)

    A. The station must first check to see whether the peer station is capable of performing the Block ACK mechanism.

    B. All stations are capable of performing Block ACK, so no validation is required.

    C. Notify the station of the QoS mode being used.

    D. Block ACK cannot be used with QoS data.

    答案解析

    A. When a station intends to use the Block ACK mechanism, it must first check to see whether the peer station is capable of performing the Block ACK mechanism.

  13. A station is operating in a mixed-mode environment and is using RTS/CTS to perform NAV distribution. Assuming that the station is not using block acknowledgements, when the station transmits the RTS frame, the Duration field will include the time necessary for which of the following to occur? (Choose all that apply.)

    A. One SIFS

    B. Two SIFS

    C. Three SIFS

    D. RTS transmission

    E. CTS transmission

    F. ACK transmission

    G. Data transmission

    答案解析

    C, E, F, G. When RTS/CTS is enabled, the RTS frame performs a NAV distribution by setting its Duration field to the time it will take for the following to occur, in this order: SIFS, CTS transmission, SIFS, Data transmission, SIFS, ACK transmission.

  14. What are the two reasons that 802.11 radios use physical carrier sense? (Choose two.)

    A. Synchronize incoming transmissions

    B. Synchronize outgoing transmissions

    C. Reset the NAV

    D. Start the random back-off timer

    E. Assess the RF medium

    答案解析

    A, E. The first purpose is to determine whether a frame transmission is inbound for a station to receive. If the medium is busy, the radio will attempt to synchronize with the transmission. The second purpose is to determine whether the medium is busy before transmitting. This is known as the clear channel assessment (CCA). The CCA involves listening for 802.11 RF transmissions at the Physical layer. The medium must be clear before a station can transmit.

  15. The presence of what type of transmissions can trigger the protection mechanism within an ERP basic service set? (Choose all that apply.)

    A. Association of an HR-DSSS client

    B. Association of an ERP-OFDM client

    C. HR-DSSS beacon frame

    D. ERP beacon frame with the NonERP Present bit set to 1

    E. Association of an FHSS client

    答案解析

    A, C, D. An ERP access point signals for the use of the protection mechanism in the ERP information element in the beacon frame. Three scenarios can trigger protection in an ERP basic service set. If a non-ERP STA associates to an ERP AP, the ERP AP will enable the NonERPPresent bit in its own beacons, enabling protection mechanisms in its BSS. In other words, an HR-DSSS (802.11b) client association will trigger protection. If an ERP AP hears a beacon with an 802.11b or 802.11 supported rate set from another AP or an IBSS STA, it will enable the NonERP_Present bit in its own beacons, enabling protection mechanisms in its BSS. If an ERP AP hears a beacon from another ERP access point with the NonERP_Present bit set to 1, it also will enable protection mechanisms in its BSS.

  16. Which of the following frames will receive an acknowledgment if the transmission is successful? (Choose all that apply.)

    A. Simulcast frames

    B. Multicast frames

    C. Broadcast frames

    D. Unicast frames

    答案解析

    D. Only Unicast frames will be acknowledged.

  17. While performing a packet analysis, after the data transfer is complete, you notice that you captured three data frames and two ACKs. Which of the following can explain this capture? (Choose all that apply.)

    A. One of the ACKs is providing a block acknowledgment for two data frames.

    B. One of the frames was not received properly, so there was no ACK.

    C. All frames were received properly; however, for some reason the packet analyzer did not hear the third ACK.

    D. There is not enough information to explain this occurrence.

    E. This is a normal packet capture.

    答案解析

    B, C. Every data frame needs to receive an ACK to acknowledge that the data was received properly. Since there are three data frames, there should be three ACKs. One possible reason is the one of these data frames was not successfully received by the intended recipient; therefore, there is no ACK. The other possible reason is that all of the data frames were successfully received and acknowledged. However, the station that was performing the packet analysis did not hear one of the ACKs.

  18. A station is participating in a mixed-mode network and wants to transmit data. The station is configured to use CTS-to-self as its protection mechanism. Which of the following frames are transmitted by the station? (Choose all that apply.)

    A. RTS

    B. CTS

    C. Data

    D. ACK

    E. SIFS

    答案解析

    B, C. When CTS-to-self is enabled, the transmitting station will transmit a CTS, wait for a SIFS, and then transmit the data frame. If the frame is received correctly, after another SIFS, the receiving station will transmit an ACK.

  19. ACKs are required for which of the following frames?

    A. Unicast

    B. Broadcast

    C. Multicast

    D. Simulcast

    答案解析

    A. All unicast 802.11 frames must be acknowledged. Broadcast and multicast frames do not require an acknowledgement. Simulcast frames do not exist.

  20. During a basic RTS/CTS transmission, when a station sends an RTS, the Duration/ID field notifies the other stations that they must set their NAV timers to which of the following values?

    A. 213 microseconds

    B. The time necessary to transmit the DATA and ACK frames, along with one SIFS

    C. The time necessary to transmit the CTS frame

    D. The time necessary to transmit the CTS, DATA, and ACK frames, along with three SIFS

    答案解析

    D. When the RTS frame is sent, the value of the Duration/ID field is equal to the time necessary for the CTS, DATA, and ACK frames to be transmitted, along with a SIFS before each of these frames.
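Questions 13, 18 and 20 above describe how the Duration/ID field of an RTS, or of a CTS-to-self, reserves the NAV for the rest of the exchange. The following Python script is an added example, not part of the original notes, that computes those values for the 802.11a (5 GHz OFDM) PHY using the standard's timing constants (SIFS 16 µs, 16 µs preamble, 4 µs SIGNAL field, 4 µs OFDM symbols) and the OFDM airtime formula. The 1500-byte MPDU and the 54 Mbps data / 24 Mbps control rates are constructed inputs; the NAV update rule in nav_after_frame (a listening station adopts a received Duration only when it is larger than its current NAV) is taken from the standard rather than from this page.

```python
import math

# 802.11a (5 GHz OFDM) timing in microseconds: standard values, assumed here
SIFS_US = 16
T_PREAMBLE_US = 16     # short and long training symbols
T_SIGNAL_US = 4        # SIGNAL field, one OFDM symbol
T_SYMBOL_US = 4        # every further OFDM symbol
SERVICE_BITS = 16      # SERVICE field prepended to the PSDU
TAIL_BITS = 6          # tail bits appended after the PSDU

# Data bits carried per OFDM symbol (N_DBPS) for each 802.11a rate in Mbps
N_DBPS = {6: 24, 9: 36, 12: 48, 18: 72, 24: 96, 36: 144, 48: 192, 54: 216}

# Control frame sizes in bytes, FCS included
RTS_LEN, CTS_LEN, ACK_LEN = 20, 14, 14


def ofdm_airtime_us(mpdu_len: int, rate_mbps: int) -> int:
    """Time on air of one OFDM PPDU carrying an MPDU of `mpdu_len` bytes:
    fixed preamble and SIGNAL, then ceil(bits / N_DBPS) data symbols."""
    bits = SERVICE_BITS + 8 * mpdu_len + TAIL_BITS
    symbols = math.ceil(bits / N_DBPS[rate_mbps])
    return T_PREAMBLE_US + T_SIGNAL_US + T_SYMBOL_US * symbols


def rts_cts_durations(data_len: int, data_rate: int, ctrl_rate: int) -> dict:
    """Duration/ID value carried by each frame of an RTS/CTS/Data/ACK
    exchange. Each Duration covers everything that still follows the frame
    carrying it: the remaining frames plus one SIFS before each of them."""
    t_cts = ofdm_airtime_us(CTS_LEN, ctrl_rate)
    t_data = ofdm_airtime_us(data_len, data_rate)
    t_ack = ofdm_airtime_us(ACK_LEN, ctrl_rate)
    rts = SIFS_US + t_cts + SIFS_US + t_data + SIFS_US + t_ack
    cts = rts - SIFS_US - t_cts          # what remains after the CTS itself
    data = SIFS_US + t_ack               # only the ACK is still to come
    return {"RTS": rts, "CTS": cts, "DATA": data, "ACK": 0}


def cts_to_self_durations(data_len: int, data_rate: int, ctrl_rate: int) -> dict:
    """Same for the CTS-to-self protection mechanism: there is no RTS, so
    the CTS reserves SIFS + Data + SIFS + ACK."""
    t_data = ofdm_airtime_us(data_len, data_rate)
    t_ack = ofdm_airtime_us(ACK_LEN, ctrl_rate)
    return {"CTS": SIFS_US + t_data + SIFS_US + t_ack,
            "DATA": SIFS_US + t_ack, "ACK": 0}


def exchange_airtime_us(data_len: int, data_rate: int, ctrl_rate: int) -> int:
    """Whole RTS/CTS/Data/ACK exchange: the RTS itself plus what it reserves."""
    t_rts = ofdm_airtime_us(RTS_LEN, ctrl_rate)
    return t_rts + rts_cts_durations(data_len, data_rate, ctrl_rate)["RTS"]


def nav_after_frame(current_nav_us: int, duration_us: int) -> int:
    """NAV a listening station holds after hearing a frame: it adopts the
    received Duration only when that is longer than its current NAV."""
    return max(current_nav_us, duration_us)


if __name__ == "__main__":
    # Constructed inputs: a 1500-byte MPDU at 54 Mbps, control frames at 24 Mbps
    print("RTS/CTS:", rts_cts_durations(1500, 54, 24))
    print("CTS-to-self:", cts_to_self_durations(1500, 54, 24))
    print("whole exchange:", exchange_airtime_us(1500, 54, 24), "us")
```

With these inputs the RTS reserves 348 µs, the CTS 304 µs and the data frame 44 µs (one SIFS plus the ACK), which is the same chain of SIFS, CTS, SIFS, Data, SIFS, ACK that the answer to question 13 lists. Comparing the Duration a capture shows against this computed value is a quick way to spot stations that reserve far more airtime than their frames need.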

CH06 802.11 Data Frames

Data Subtypes

Fifteen data frame subtypes are defined in total.

Table 15: Data frames: valid Type and Subtype combinations
Type value (b3 b2)   Type description   Subtype value (b7 b6 b5 b4)   Subtype description
10                   Data               0000                          Data
10                   Data               0001                          Data + CF-Ack [PCF only]
10                   Data               0010                          Data + CF-Poll [PCF only]
10                   Data               0011                          Data + CF-Ack + CF-Poll [PCF only]
10                   Data               0100                          Null (no data)
10                   Data               0101                          CF-Ack (no data) [PCF only]
10                   Data               0110                          CF-Poll (no data) [PCF only]
10                   Data               0111                          CF-Ack + CF-Poll (no data) [PCF only]
10                   Data               1000                          QoS Data [HCF]
10                   Data               1001                          QoS Data + CF-Ack [HCF]
10                   Data               1010                          QoS Data + CF-Poll [HCF]
10                   Data               1011                          QoS Data + CF-Ack + CF-Poll [HCF]
10                   Data               1100                          QoS Null (no data) [HCF]
10                   Data               1101                          Reserved
10                   Data               1110                          QoS CF-Poll (no data) [HCF]
10                   Data               1111                          QoS CF-Ack + CF-Poll (no data) [HCF]

There is actually a pattern or system to the Subtype bits, with each of the individual bits having a specific meaning. By changing bit 4 (b4) from a 0 to a 1, the data subtype includes +CF-Ack. Changing bit 5 (b5) from a 0 to a 1 will include +CF-Poll. Changing bit 6 (b6) from a 0 to a 1 will indicate that the frame contains no data, specifically, that it contains no Frame Body field. The most significant bit (MSB) of the Subtype field (bit b7) is defined as the quality of service (QoS) subfield, specifying that the frame is a QoS data frame. This pattern or system applies to all subtypes except for 1101, which is Reserved.

QoS and Non-QoS Data Frames

A QoS-capable STA can transmit both QoS data frames and non-QoS data frames. When it transmits a QoS data frame, the QoS subfield of the Subtype (bit b7) in the Frame Control field is set to 1, and the MAC header contains a QoS Control field.

2016110101.png

Figure 45: Data Frame format

When a BSS contains both QoS and non-QoS stations, the data frame subtype used for each transmission is as follows:

Table 16: QoS and non-QoS transmissions
Transmitting station   Receiving station   Data frame subtype used
Non-QoS station        Non-QoS station     Non-QoS frame
Non-QoS station        QoS station         Non-QoS frame
QoS station            QoS station         QoS frame
QoS station            Non-QoS station     Non-QoS frame
All                    Broadcast           Non-QoS frame, unless the transmitting station knows that all stations in the BSS are QoS capable, in which case a QoS frame would be used
All                    Multicast           Non-QoS frame, unless the transmitting station knows that all stations in the BSS that are members of the multicast group are QoS capable, in which case a QoS frame would be used

Data-carrying versus non-data-carrying frames

Almost half of the data frame subtypes carry no data at all. The subtypes that actually carry data are:

  • Data (simple data frame)
  • Data + CF-Ack
  • Data + CF-Poll
  • Data + CF-Ack + CF-Poll
  • QoS Data
  • QoS Data + CF-Ack
  • QoS Data + CF-Poll
  • QoS Data + CF-Ack + CF-Poll

The data frame subtypes that carry no data are:

  • Null
  • CF-Ack
  • CF-Poll
  • CF-Ack + CF-Poll
  • QoS Null
  • QoS CF-Poll
  • QoS CF-Ack + CF-Poll

These non-data-carrying data frames are used mainly to convey special control information to the AP or to another STA.

Simple data frames

Simple data frames are ordinary data frames that normally carry upper-layer protocol data, the MSDU. When the frame is handed up to the upper layers, the MSDU is usually converted into 802.3 frame format.

Data frame address fields

2016110201.png

Figure 46: Address field contents and usage

Fragmentation

When interference is severe, fragmentation reduces the cost of retransmission, because only the corrupted fragment rather than the whole frame has to be resent. When interference is light, however, the per-fragment overhead makes each transmission more expensive and actually lowers throughput.
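To make the Subtype bit pattern from the Data Subtypes section, the To DS/From DS address rules (Figure 46 and the answers to questions 4, 5, 14 and 20 below) and the Sequence Control split used for fragment reassembly concrete, here is an added Python parser for an 802.11 data frame MAC header. It is not part of the original notes. It walks Frame Control, Duration, the address fields, Sequence Control and, for QoS subtypes, the QoS Control field, and validates the FCS with CRC-32 (the 802.11 FCS is the same CRC-32 as Ethernet, stored little-endian). The sample frame it builds is constructed for this example: locally administered 02:00:... addresses, a QoS Data frame from an AP to a client (From DS = 1), TID 6, sequence number 100, a dummy body; the TID-to-access-category mapping is the 802.11e default.

```python
import struct
import zlib

# Meaning of the individual Subtype bits of a data frame (Table 15)
SUBTYPE_CF_ACK = 0b0001    # b4: +CF-Ack
SUBTYPE_CF_POLL = 0b0010   # b5: +CF-Poll
SUBTYPE_NO_DATA = 0b0100   # b6: no Frame Body field
SUBTYPE_QOS = 0b1000       # b7: QoS data frame, QoS Control field present

# Roles of Address 1..4 for each (To DS, From DS) combination; Address 1 is
# always the receiver and Address 2 always the transmitter
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),
    (0, 1): ("DA", "BSSID", "SA"),
    (1, 0): ("BSSID", "SA", "DA"),
    (1, 1): ("RA", "TA", "DA", "SA"),       # WDS / bridge: Address 4 present
}

# 802.11e default mapping of TID (user priority) to access category
TID_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
             4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def decode_subtype(subtype: int) -> dict:
    """Name a data frame subtype from its bit pattern alone."""
    if subtype == 0b1101:
        return {"name": "Reserved", "qos": False, "carries_data": False}
    no_data = bool(subtype & SUBTYPE_NO_DATA)
    parts = [] if no_data else ["Data"]
    if subtype & SUBTYPE_CF_ACK:
        parts.append("CF-Ack")
    if subtype & SUBTYPE_CF_POLL:
        parts.append("CF-Poll")
    if not parts:
        parts.append("Null")
    name = ("QoS " if subtype & SUBTYPE_QOS else "") + " + ".join(parts)
    if no_data:
        name += " (no data)"
    return {"name": name, "qos": bool(subtype & SUBTYPE_QOS),
            "carries_data": not no_data}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_frame(frame: bytes) -> dict:
    """Parse the MAC header of an 802.11 data frame whose FCS is attached."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    if ftype != 0b10:
        raise ValueError(f"not a data frame: type bits {ftype:02b}")
    subtype = (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    info = decode_subtype(subtype)

    offset = 4
    addrs = [mac_str(frame[offset + 6 * i:offset + 6 * i + 6]) for i in range(3)]
    offset += 18
    seq_ctrl, = struct.unpack_from("<H", frame, offset)
    offset += 2
    if to_ds and from_ds:
        addrs.append(mac_str(frame[offset:offset + 6]))
        offset += 6

    result = {
        "subtype": subtype, "subtype_name": info["name"],
        "carries_data": info["carries_data"],
        "to_ds": to_ds, "from_ds": from_ds,
        "more_fragments": bool(fc & 0x0400),    # b10
        "retry": bool(fc & 0x0800),             # b11
        "protected": bool(fc & 0x4000),         # b14
        "duration": duration,
        "sequence_number": seq_ctrl >> 4,       # same for every fragment
        "fragment_number": seq_ctrl & 0xF,      # incremented per fragment
        "addresses": {"RA": addrs[0], "TA": addrs[1]},
    }
    result["addresses"].update(zip(ADDRESS_ROLES[(to_ds, from_ds)], addrs))
    if info["qos"]:
        qos_ctrl, = struct.unpack_from("<H", frame, offset)
        offset += 2
        result["tid"] = qos_ctrl & 0xF
        result["access_category"] = TID_TO_AC[result["tid"]]
    result["header_len"] = offset
    result["body_len"] = len(frame) - offset - 4
    # A frame whose FCS fails is the "corrupted frame" that triggers EIFS
    result["fcs_ok"] = zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")
    return result


def build_sample_frame() -> bytes:
    """Constructed QoS Data frame, AP -> client (From DS = 1), for testing."""
    header = bytes([0x88, 0x02])                      # QoS Data, From DS set
    header += (44).to_bytes(2, "little")              # Duration: SIFS + ACK
    header += bytes.fromhex("020000000001")           # Address 1: RA = DA (client)
    header += bytes.fromhex("0200000000aa")           # Address 2: TA = BSSID (AP)
    header += bytes.fromhex("020000000033")           # Address 3: SA (wired host)
    header += ((100 << 4) | 0).to_bytes(2, "little")  # sequence 100, fragment 0
    header += (6).to_bytes(2, "little")               # QoS Control: TID 6 (voice)
    body = bytes(range(32))                           # dummy frame body
    return header + body + zlib.crc32(header + body).to_bytes(4, "little")


if __name__ == "__main__":
    for key, value in parse_data_frame(build_sample_frame()).items():
        print(f"{key}: {value}")
```

Monitor-mode captures differ in whether the FCS is kept or stripped, so check your capture tool before trusting the fcs_ok result; with a stripped FCS the last four bytes are payload and the check will always fail.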

Data frame aggregation

2016110202.png

Figure 47: A-MSDU frame aggregation

There are some restrictions for aggregating multiple MSDUs into a single MPDU. The MPDU can only contain MSDUs where the DA and SA values map to the same RA and TA values. All of the MSDUs must also have the same priority value.

2016110203.png

Figure 48: A-MPDU frame aggregation

The individual MPDUs within an A-MPDU must all have the same receiver address. Also, the individual MPDUs must all be of the same 802.11e QoS access category. A-MPDU also requires the use of block acknowledgments.

Rate Selection

Multirate support

Every wireless adapter has defined minimum received signal and minimum SNR levels.

2016110204.png

Figure 49: WLAN data cell: vendor recommendations

Basic rates

The standard defines a basic rate set that every STA and AP must support. In addition, a device may support further rates outside the basic rate set.

Dynamic rate selection

As the distance between an AP and a STA changes, the data rate used between them also changes dynamically. In general, the rate drops step by step as the distance increases.

2016110205.png

Review Questions

  1. In the data subtype field, by changing the bits b7–b4 from a binary 0 to a binary 1, which of the following will be added to the basic data frame? (Choose all that apply.)

    A. +CF-Ack

    B. (no data)

    C. +CF-Poll

    D. +ToS

    E. QoS

    答案解析

    A, B, C, E. The basic data frame is represented by a Subtype of 0 (bits b7–b4 = 0000). By changing any of these Subtype bits, a modification is made to the basic data frame. Most people are not aware that there is actually a pattern or system to the Subtype bits, with each of the individual bits having a specific meaning. By changing bit 4 (b4) from a 0 to a 1, the data subtype includes +CF-Ack. Changing bit 5 (b5) from a 0 to a 1 will include +CF-Poll. Changing bit 6 (b6) from a 0 to a 1 will indicate that the frame contains no data, specifically, that it contains no Frame Body field. The most significant bit (MSB) of the Subtype field (bit b7) is defined as the quality of service (QoS) subfield, specifying that the frame is a QoS data frame. This pattern or system applies to all subtypes except for 1101, which is Reserved. +ToS does not exist.

  2. When a station transmits a multicast frame, what type of data frame subtype is used?

    A. Non-QoS frame always

    B. QoS frame always

    C. Non-QoS frame unless the transmitting station knows that all stations in the BSS are QoS capable, in which case a QoS frame would be used

    D. Two multicast frames are transmitted, one QoS and one non-QoS

    E. Non-QoS frame unless the transmitting station knows that all stations in the BSS that are members of the multicast group are QoS capable, in which case a QoS Frame would be used.

    答案解析

    E. If the transmitting station knows that all stations in the BSS that are members of the multicast group are QoS capable, it will send a QoS frame. If the transmitting station were sending a broadcast frame, then it would send a QoS frame if it knew all stations in the BSS are QoS capable. A QoS station would send a unicast frame only to another QoS station. All other transmissions would be non-QoS.

  3. Which of the following data frames carry data?

    A. Data

    B. CF-Ack

    C. CF-Ack + CF-Poll

    D. QoS Null

    E. QoS CF-Ack + CF-Poll

    答案解析

    A. The only one of these frames that actually carries data is the data frame, also commonly referred to as the simple data frame. The names of all the frames that carry data begin with either Data or QoS Data.

  4. When transmitting a data frame, the values of the To DS and From DS fields designate the contents of the address fields. During a packet capture of a wireless bridge, what are the values of these fields?

    A. To DS = 0, From DS = 0

    B. To DS = 0, From DS = 1

    C. To DS = 1, From DS = 0

    D. To DS = 1, From DS = 1

    E. Not enough information to determine the values

    答案解析

    D. A wireless bridge connection is also referred to as a wireless distribution system. In this case, both the To DS and From DS bits are set to 1.

  5. When looking at a packet capture, which of the following address field statements is false?

    A. The receiver address is always Address 1.

    B. The transmission address is always Address 2.

    C. Address 3 is always the BSSID when the frame is an A-MSDU frame.

    D. Address 4 is the source address when both the To DS and From DS fields are 1.

    E. The source address is always Address 4.

    答案解析

    E. Address 4 is used only when the To DS and From DS bits are 1. Address 1 is always the receiver address, and Address 2 is always the transmission address.

  6. Frame aggregation allows multiple smaller pieces of data to be grouped together into a single frame, reducing the amount of overhead. With the 802.11n amendment, two types of frame aggregation were added. What are the two types? (Choose all that apply.)

    A. A-PPDU

    B. A-PLCP

    C. A-MSDU

    D. A-MPDU

    E. A-MMDU

    答案解析

    C, D. With the ratification of the 802.11n amendment, two types of frame aggregation were added to 802.11: aggregate MAC service data unit (A-MSDU) and aggregate MAC protocol data unit (A-MPDU). Frame aggregation allows multiple smaller MSDUs or MPDUs to be grouped together into a single frame, reducing the amount of overhead that would have been necessary for each individual frame.

  7. When A-MSDU is used to aggregate frames, which of the following is true about encryption?

    A. All of the MSDUs are encrypted together as a single payload.

    B. All of the MPDUs are encrypted together as a single payload.

    C. The MSDUs are encrypted individually, prior to aggregation.

    D. The MPDUs are encrypted individually, prior to aggregation.

    E. A-MSDU does not affect the encryption process.

    答案解析

    A. A-MSDU is an aggregation process that combines multiple MSDUs within a single MPDU. The network layer passes the MSDUs down to the MAC layer. Normally at this point each MSDU would be packaged with its own MPDU. With A-MSDU, two or more MSDUs are placed in an MPDU, and a single MAC and PHY layer header is added to the group of MSDUs. If encryption is enabled, then all the MSDUs are encrypted together as a single payload.

  8. A 2.4 GHz access point is configured with basic rates of 5.5 and 11 Mbps. Which of the following stations could connect to this AP? (Choose all that apply.)

    A. 802.11 station

    B. 802.11b station

    C. 802.11g station

    D. 802.11a station

    E. 802.11n station

    答案解析

    B, C, E. Since the AP is a 2.4 GHz device, the 802.11a station could not connect. Since 802.11 supports only 1 and 2 Mbps, that station could not connect. The basic rate is required in order to connect to the network. Since 802.11b, 802.11g, and 802.11n are all capable of transmitting at 5.5 and 11 Mbps, they can connect.

  9. When referring strictly to the Point Coordination Function (PCF) media access method, which of the following terms do not apply? (Choose all that apply.)

    A. Polling

    B. Contention-free period (CFP)

    C. Contention free (CF)

    D. CSMA/CD

    答案解析

    D. PCF is a central polling method that provides contention-free access. CSMA/CD is a contention method used by wired Ethernet.

  10. A-MSDU is being used for frame aggregation. Which of the following statements is true for this process? (Choose all that apply.)

    A. Two or more MSDUs are placed in an MPDU.

    B. The MPDU can only contain MSDUs that have DA and SA values that map to the same RA and TA values.

    C. If encryption is enabled, the MSDUs are encrypted together as a single payload.

    D. A single MAC and PHY layer header is added to the group of MSDUs.

    E. The MSDUs can have different priority values.

    答案解析

    A, B, C, D. With A-MSDU, two or more MSDUs are placed in an MPDU, and a single MAC and PHY layer header is added to the group of MSDUs. If encryption is enabled, then all the MSDUs are encrypted together as a single payload. There are some restrictions for aggregating multiple MSDUs into a single MPDU. The MPDU can only contain MSDUs that have DA and SA values that map to the same RA and TA values. All of the MSDUs must also have the same priority value.

  11. Which of the following statements is false regarding quality of service (QoS) stations?

    A. When a QoS data frame is transmitted, the frame contains a QoS Control field in the MAC header.

    B. When a non-QoS data frame is transmitted, the QoS Control field in the MAC header is empty.

    C. When a QoS data frame is transmitted, the QoS subfield contains a value of 1.

    D. QoS stations are capable of transmitting both QoS and non-QoS data frames.

    E. It is likely that QoS devices will transmit both QoS and non-QoS data frames in a mixed environment.

    答案解析

    B. Quality of service (QoS) stations are capable of transmitting both QoS and non-QoS data frames. It is not uncommon to have a wireless network that consists of both QoS and non-QoS stations. In this type of mixed environment, it is likely that QoS devices will transmit both QoS data frames and non-QoS data frames depending upon the capabilities of the receiving station. When a QoS data frame is transmitted, the QoS subfield (the b7 bit) contains a value of 1, and the frame contains a QoS Control field in the MAC header. When a non-QoS data frame is transmitted, the QoS subfield (the b7 bit) contains a value of 0, and the QoS Control field is not present in the MAC header.

  12. A wireless 802.11g adapter supports multiple data rates, with the manufacturer specifications showing a minimum received signal of -73 dBm for the 36 Mbps data rate and a minimum signal-to-noise ratio of 18 dB. For the 54 Mbps data rate, which of the following are likely values? (Choose all that apply.)

    A. -71 dBm minimum received signal

    B. -77 dBm minimum received signal

    C. 12 dB minimum signal-to-noise ratio

    D. 25 dB minimum signal-to-noise ratio

    答案解析

    A, D. Since 54 Mbps is a faster data rate than the 36 Mbps, then the minimum received signal needs to be stronger, and the difference between the signal and the noise needs to be greater.

  13. Which of the following are other terms used for dynamic rate selection? (Choose all that apply.)

    A. Dynamic rate shifting

    B. Fast rate selection

    C. Adaptive rate selection

    D. Automatic rate selection

    答案解析

    A, C, D. DRS is also referred to as dynamic rate shifting, adaptive rate selection, and automatic rate selection. All these terms refer to a method of speed fallback on a wireless LAN client as signal quality from the access point decreases.

  14. During the packet capture of a frame from an AP to a station, which of the following statements about the frame header are true if the frame payload originated from a wired-side server? (Choose all that apply.)

    A. To DS = 1, From DS = 0

    B. Address 1 = RA = DA

    C. Address 2 = TA = BSSID

    D. Address 3 = SA

    E. Address 4 = BSSID

    答案解析

    B, C, D. To begin with, Address 1 is always the receiver address, and Address 2 is always the transmitter address. When the frame is transmitted from an AP to a station, the To DS and From DS bits are 01. In this case, the transmitter address is also the address of the BSSID, so Address 2 is also the BSSID address. Since the source of this frame is the AP, then the receiver address and the destination address are the same in Address 1. Address 3 is thus set to the source address, and Address 4 is not used.

  15. Which of the following is true regarding dynamic rate switching? (Choose all that apply.)

    A. The algorithms used are proprietary and defined by the radio card manufacturers.

    B. The 802.11 standard defines limits for when to switch between different rates.

    C. Most vendors base switching upon RSSI thresholds, packet error rates, and retransmissions.

    D. Strict adherence to the 802.11 rate selection algorithms provides consistent roaming across devices.

    答案解析

    A, C. Since the 802.11-2007 standard does not define any specific rate selection algorithm, the algorithms used for dynamic rate switching are proprietary and are defined by radio card manufacturers. Most vendors base DRS on receive signal strength indicator (RSSI) thresholds, packet error rates, and retransmissions. RSSI metrics are usually based on signal strength and signal quality. In other words, a station might shift up or down between data rates based both on received signal strength in dBm and possibly on a signal-to-noise ratio (SNR) value. Because vendors implement DRS differently, you may have two different vendor client cards at the same location, while one is communicating with the access point at 65 Mbps and the other is communicating at 6 Mbps.

  16. A-MSDU is being used for frame aggregation. Which of the following statements is true for this process? (Choose all that apply.)

    A. Two or more MPDUs are placed in a single PPDU.

    B. An MPDU is created for each MSDU.

    C. If encryption is enabled, each MPDU is encrypted individually.

    D. The individual MPDUs must all be of the same 802.11e QoS access category.

    E. Each A-MPDU will receive an ACK.

    答案解析

    A, B, C, D. A-MPDU is an aggregation process that combines multiple MPDUs within a single PPDU. The network layer passes the MSDUs down to the MAC layer, where an MPDU is created for each MSDU. If encryption is enabled, then each MPDU is encrypted individually. The MPDUs are then passed down to the PLCP sublayer where two or more MPDUs are placed in a single PPDU. The individual MPDUs within an A-MPDU must all have the same receiver address. Also, the individual MPDUs must all be of the same 802.11e quality-of-service access category. A-MPDU also requires the use of block acknowledgments.

  17. When A-MSDU is used to aggregate frames, which of the following is true about encryption?

    A. All of the MSDUs are encrypted together as a single payload.

    B. All of the MPDUs are encrypted together as a single payload.

    C. The MSDUs are encrypted individually, prior to aggregation.

    D. The MPDUs are encrypted individually, prior to aggregation.

    E. A-MSDU does not affect the encryption process.

    答案解析

    A. A-MPDU is an aggregation process that combines multiple MPDUs within a single PPDU. The network layer passes the MSDUs down to the MAC layer, where an MPDU is created for each MSDU. If encryption is enabled, then each MPDU is encrypted individually.

  18. For the MSDU or MMPDU fragments to be reassembled, which of the following must be contained in the header of the fragmented frames? (Choose all that apply.)

    A. Frame type

    B. Address of the sender

    C. Destination address

    D. Sequence Control field

    E. More Fragments indicator

    答案解析

    A, B, C, D, E. The header must contain all this information. The Sequence Control field is actually made up of two pieces, the sequence number and the fragment number. The sequence number within this field remains the same for all fragments from the same MSDU or MPDU, while the fragment number within this field is incremented for each individual fragment.

  19. During a packet capture, you notice that there is a series of fragmented frames. These frame fragments can contain what type of frames?

    A. Broadcast

    B. Multicast

    C. Anycast

    D. Unicast

    E. All of the above

    答案解析

    D. The 802.11-2007 standard allows for the fragmentation of unicast addressed frames.

  20. When the To DS bit is 1 and the From DS bit is 0, what is the value of the Address 1 field?

    A. Receiver address

    B. Transmitter address

    C. Destination address

    D. Source address

    E. BSSID

    答案解析

    A, E. To begin with, Address 1 is always the receiver address, and Address 2 is always the transmitter address. When the To DS and From DS bits are 10, then the frame is being sent from a station to the distribution system. In this case, the receiver address is also the address of the BSSID, so Address 1 is also the BSSID address. Since the source of this frame is the station, then the transmitter address and the source address are the same in Address 2. Address 3 is thus set to the destination address, and Address 4 is not used.

CH07 802.11 Medium Contention

CSMA/CA

Distributed Coordination Function

For non-QoS wireless networks, CSMA/CA uses the DCF to contend for the medium. QoS networks instead use the hybrid coordination function (HCF), which uses enhanced distributed channel access (EDCA). Compared with DCF, EDCA mainly adds parameters that differentiate between priorities; it is the core mechanism of Wi-Fi Multimedia.

The HCF counterpart of the point coordination function (PCF) is HCF controlled channel access (HCCA), which contends for the medium in a controlled fashion; it has not been implemented in real-world networks.

An Example of 802.11 Medium Contention

There are two carrier sense protocols used by stations to indicate whether a channel is busy or idle:

  • Physical carrier sense, also known as the clear channel assessment (CCA)
  • Virtual carrier sense, also known as the network allocation vector (NAV)

Interframe Spaces

The different interframe spaces are used mainly to differentiate access to the medium. The rules for their use are as follows:

  • If the arbitration has been completed, then a reduced IFS (RIFS) or short IFS (SIFS) will be used. In most cases, the SIFS is used. The RIFS is only used between consecutive frames transmitted by the same 802.11n device.
  • If arbitration has not been determined, then an arbitration IFS (AIFS) or DCF IFS (DIFS) will be used. The AIFS is used for WLANs that support 802.11e QoS, and the DIFS is used for WLANs that do not support 802.11e QoS.
  • If an AP or station has received a corrupted frame—as defined by having an incorrect frame check sequence (FCS)—then an extended IFS (EIFS) will be used.
  • The PCF IFS (PIFS) is part of PCF and therefore not used in the real world.

SIFS

SIFS is the basis of the other IFSs. It is a fixed length, and its length is used to derive the lengths of the other IFSs. Depending on the WLAN type, SIFS is set to 10ms or 16ms: for 802.11b/g/n devices in the 2.4 GHz band the SIFS is 10ms, and for 802.11a/n devices in the 5 GHz band it is 16ms.

SIFS is the most commonly used IFS; it is used once arbitration has completed. The exception is an 802.11n device transmitting with MIMO whose frames are part of a contention-free burst (CFB); in that case RIFS is used instead.

RIFS

RIFS is always 2ms long. It is used only by 802.11n devices transmitting with MIMO, and only in front of data frames.

DIFS

For non-QoS devices, DIFS is generally used before arbitration has completed. Its length equals 2*SIFS + 2 * slot times.

For 802.11a/n in the 5 GHz band, the slot time is 9ms. For 802.11g/n in the 2.4 GHz band using HT or ERP, the slot time is 9ms. For 802.11a/g/n in the 2.4 GHz band using the DSSS PHY, the slot time is 20ms. When long preambles are in use, the slot time is 20ms even with HT or ERP enabled. 802.11 FHSS uses a 50ms slot time, but it was never implemented.

EIFS

EIFS is used after a corrupted frame has been detected.

PIFS

PIFS equals 1 slot time + 1 SIFS. It gives the AP an opportunity to send a Beacon that starts a CFP. PIFS is shorter than DIFS.

In real-world networks PIFS is used only for the Channel Switch Announcement, an Action frame defined by 802.11h; PIFS lets that frame be transmitted immediately after arbitration ends.

Random Backoff

After the IFS has elapsed and before transmitting, a station performs a random backoff. The backoff time is normally an integer number of slot times, with the slot count drawn between a minimum of 0 and a maximum of CW. When a transmission fails, CW grows, but only up to a limit that differs somewhat between network types.

Frame Transmission

Once a frame has been sent and its ACK received, one transmission is complete. The next transmission then begins and all STAs enter the contention wait again; a STA whose backoff counter had not reached 0 last time resumes counting down from where it stopped.

Quality of Service

802.11e defines HCF as a new channel access function that improves on DCF and PCF. HCF introduces two channel access methods:

  • HCF controlled channel access (HCCA): Designed to be an improvement for contention-free access (specifically, PCF)
  • Enhanced distributed channel access (EDCA): Designed to be an improvement for contention-based access (specifically, DCF)

A QoS BSS defines four access categories that provide different priorities for channel access; from highest to lowest they are voice, video, best effort, and background. Overall, the changes to contention-based medium access are these:

  • IFS An AIFS is used instead of a DIFS.
  • CW Different access categories are assigned different CW values.
  • Frame transmission A transmit opportunity (TXOP) is allocated rather than allowing a single frame.

AIFS

Replaces DIFS in 802.11e networks. AIFS is not a fixed value: it equals one SIFS plus a variable number of slot times. Transmissions of different priority use different numbers of slot times; this number is called the arbitration interframe space number (AIFSN). By default, the AIFS lengths for the categories are:

  • voice and video two slot times
  • best effort three slot times
  • background seven slot times

QoS-Based Random Backoff Timer

This is another way priority is differentiated: different CWmin and CWmax values are set for each AC.

Table 17: AIFS
Access category | CWmin exponent (x) | CWmin | CWmax exponent (x) | CWmax
Voice           | 2                  | 3     | 3                  | 7
Video           | 3                  | 7     | 4                  | 15
Best effort     | 4                  | 15    | 10                 | 1023
Background      | 4                  | 15    | 10                 | 1023

The exponent columns are the ECWmin/ECWmax values carried in the EDCA Parameter Set; the contention window is CW = 2^x - 1.

When two STAs send data belonging to the same AC, behaviour is no different from DCF. When their data belongs to different ACs, behaviour differs clearly from DCF.

2016110801.png

Figure 51: EDCA-based channel access: different ACs

Even so, a STA with a lower-priority AC may still gain access to the medium first.

TXOP

A TXOP limit is a period of time allocated to a STA or AP during which it may keep the channel and send frames back to back without contending for access before each one (multiple frames are transmitted without having arbitration before each frame).

2016110802.png

Figure 52: TXOP

802.11e defines a default TXOP limit for each AC.

Table 18: Default TXOP limits (microseconds)
Access category | DSSS (b,g,n) TXOP | OFDM (a,g,n) TXOP
Voice           | 3264              | 1504
Video           | 6016              | 3008
Best Effort     | 0                 | 0
Background      | 0                 | 0
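
The AIFS, CW and TXOP rules from the preceding sections, worked through in Python. This is an added example, not code from the notes or from any 802.11 implementation: the function names and the dsss/erp/ofdm PHY labels are assumptions, while the timing constants (SIFS 10 or 16 μs, slot 9 or 20 μs, the default AIFSN and CW values per access category, TXOP Limit in units of 32 μs) are the ones stated above. `arbitrate` settles one contention round the way review questions 7 and 8 describe: the device whose AIFS plus backoff expires first transmits, and identical expiry times mean a collision.

```python
"""EDCA timing helpers: AIFS per access category, CW growth on retries,
TXOP limit conversion and a deterministic arbitration round.

Added example (not from the notes). Timing constants follow the notes;
function names and the PHY labels are assumptions."""

# Per-PHY timing in microseconds.
PHY_TIMING = {
    "dsss": {"sifs": 10, "slot": 20},  # 2.4 GHz 802.11b, long (DSSS) slot
    "erp":  {"sifs": 10, "slot": 9},   # 2.4 GHz 802.11g/n, short slot
    "ofdm": {"sifs": 16, "slot": 9},   # 5 GHz 802.11a/n
}

# Default EDCA parameters per access category: AIFSN, CWmin, CWmax.
EDCA_DEFAULTS = {
    "voice":       {"aifsn": 2, "cwmin": 3,  "cwmax": 7},
    "video":       {"aifsn": 2, "cwmin": 7,  "cwmax": 15},
    "best_effort": {"aifsn": 3, "cwmin": 15, "cwmax": 1023},
    "background":  {"aifsn": 7, "cwmin": 15, "cwmax": 1023},
}

# Non-QoS (DCF) CWmin: 31 for DSSS transmissions, 15 for OFDM/ERP.
DCF_CWMIN = {"dsss": 31, "erp": 15, "ofdm": 15}
DCF_CWMAX = 1023


def aifs_us(ac, phy):
    """AIFS = SIFS + AIFSN x slot time, in microseconds."""
    t = PHY_TIMING[phy]
    return t["sifs"] + EDCA_DEFAULTS[ac]["aifsn"] * t["slot"]


def cw_after_retries(cwmin, cwmax, retries):
    """CW starts at CWmin; every failed transmission grows it as
    CW -> 2*(CW+1)-1 (15 -> 31 -> 63 -> 127 ...) until CWmax is reached."""
    cw = cwmin
    for _ in range(retries):
        cw = min(2 * (cw + 1) - 1, cwmax)
    return cw


def txop_limit_to_us(limit):
    """The TXOP Limit field counts units of 32 microseconds."""
    return limit * 32


def arbitrate(contenders, phy):
    """One contention round. Each contender is (name, ac, backoff_slots).
    The device whose AIFS + backoff expires first transmits. If the two
    earliest timers expire at the same instant both transmit and collide,
    which is reported as None."""
    slot = PHY_TIMING[phy]["slot"]
    timers = sorted(
        (aifs_us(ac, phy) + slots * slot, name) for name, ac, slots in contenders
    )
    if len(timers) > 1 and timers[0][0] == timers[1][0]:
        return None
    return timers[0][1]


if __name__ == "__main__":
    print("voice AIFS on 5 GHz:", aifs_us("voice", "ofdm"), "us")
    print("best-effort CW after 2 retries:", cw_after_retries(15, 1023, 2))
    print("TXOP limit 47 ->", txop_limit_to_us(47), "us")
    print("winner:", arbitrate([("ap", "video", 2), ("sta-a", "voice", 0),
                                ("sta-b", "background", 0)], "ofdm"))
```

A background-AC station that happens to draw zero backoff slots still beats a voice-AC station that drew seven (79 μs against 97 μs on 5 GHz), which is the point made above: the access categories shift the odds rather than guaranteeing the order.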

802.11n

802.11n adds two features to channel access that improve the efficiency of the data/acknowledgment process: the RIFS and the block acknowledgment.

Block Acknowledgments

The block acknowledgment process is designed to make TXOPs more efficient.

By adding the block acknowledgment, 802.11n stations are able to transmit larger numbers of data frames within a TXOP.

In the real world, the block acknowledgment is used in a different way.

  1. TXOPs are rarely used, and even when a TXOP is used, stations and APs almost never have more than one frame ready for transmission at any given moment.
  2. So 802.11n devices use the block acknowledgment to acknowledge aggregated frames instead.

RIFS

Used when a TXOP, a CFB, and block acknowledgments are all in use.

RIFS is defined only in 802.11n.

2016110803.png

Figure 53: RIFS

Review Questions

  1. Which coordination function is an optional method that is not used in real-world 802.11 APs?

    A. ACF mode

    B. DCF mode

    C. ECF mode

    D. PCF mode

    Answer

    D. PCF mode is the coordination function that involves the AP taking control of the BSS at regular intervals in order to regulate channel access. It is optional in the 802.11 standard and unavailable in APs. DCF mode is the coordination function that involves all 802.11 devices—APs and stations—arbitrating equally for channel access. It is required in the 802.11 standard. ACF mode and ECF mode are not 802.11 coordination functions.

  2. Which of the following will cause a 2.4 GHz 802.11n station to stay quiet even though it has data ready to be transmitted?

    A. An 802.11b station from a nearby BSS is transmitting a data frame, and the received signal is above the ED threshold.

    B. An 802.11b station associated to the same BSS is transmitting a data frame, and the received signal is below the ED threshold.

    C. A Bluetooth pairing has been made and detected on the channel by the AP.

    D. The 2.4 GHz 802.11n station has just chosen zero slot times in the random backoff timer.

    Answer

    A. APs and stations stay quiet because of the CCA being set to Busy whenever another 802.11 transmission is detected above the ED threshold. In the case of a 2.4 GHz 802.11n station, that means an 802.11b, 802.11g, or 802.11n frame transmission received above the ED threshold will cause the CCA to be set to Busy, no matter which BSS the frame emanates from. If frames are received at a signal below the ED threshold, then stations set the CCA to Idle and frames may be transmitted. Bluetooth transmissions will not set the CCA to Idle in 802.11 stations. When zero slot times have been chosen in the random backoff timer, an 802.11 device immediately transmits a frame.

  3. Which IFS is used only in between frame transmissions by the same AP or station?

    A. AIFS

    B. EIFS

    C. RIFS

    D. SIFS

    Answer

    C. The RIFS, which was introduced with 802.11n, is used exclusively between frames transmitted during a single CFB. A single CFB is always transmitted by a single station. The AIFS and EIFS are used exclusively between frames transmitted by different stations. The SIFS may be used during a CFB, but it may also be used prior to an acknowledgment, which would place it between frames transmitted by different stations.

  4. When an 802.11n station begins the arbitration process after a failed frame transmission, which IFS is used?

    A. AIFS

    B. DIFS

    C. EIFS

    D. SIFS

    Answer

    A. Even if the previous frame transmission failed, 802.11n stations will always use the AIFS during arbitration. DIFS is used during the arbitration process for 802.11a/b/g stations that are not using 802.11e QoS if the previous frame seen on the channel was not corrupted. EIFS is used only if the previous frame transmission on the channel was received as corrupted. This is the case for all 802.11a/b/g/n stations. SIFS is never used during arbitration.

  5. Which two access categories use the same default AIFSN values by default? (Choose two.)

    A. Voice

    B. Video

    C. Best effort

    D. Background

    Answer

    A, B. The voice and video access categories both have default AIFSN values of 2. The best effort access category has a default AIFSN value of 3. The background access category has a default AIFSN value of 7.

  6. Which two access categories use the same default CW values by default?

    A. Voice

    B. Video

    C. Best effort

    D. Background

    Answer

    C, D. The best-effort and background access categories both have default CWmin values of 15 and default CWmax values of 1023. The voice access category has a default CWmin value of 3 and a default CWmax value of 7. The video access category has a default CWmin value of 7 and a default CWmax value of 15.

  7. An AP without RTS/CTS enabled, a station with an RTS/CTS enabled, and a station with RTS/CTS disabled all have a data frame ready to be transmitted as part of the same BSS. Which device will transmit first?

    A. The station with RTS/CTS enabled will always transmit first.

    B. The AP will always transmit first.

    C. The station without RTS/CTS enabled will be allowed to transmit first only if it chooses the lowest slot time during the random backoff timer.

    D. The station with RTS/CTS enabled will be allowed to transmit first only if it chooses the highest number of slot times during the random backoff timer.

    Answer

    C. The station or AP that has the lowest amount of time from the combination of the IFS and the random backoff timer will always transmit first. That means a low number of slot times allows a station to transmit first. RTS/CTS settings do not affect which station or AP will gain access to the channel first when multiple devices have data ready to transmit. APs do not have priority over stations when accessing the wireless channel.

  8. In a mixed mode 5 GHz WLAN, which of the following devices would transmit first?

    A. An 802.11n AP with a beacon frame to transmit after choosing two slot times

    B. An 802.11n station with a data frame to transmit after choosing one slot time

    C. An 802.11n station with a data frame to send and RTS/CTS enabled, no matter what number of slot times are chosen

    D. An 802.11a station with a data frame to transmit after choosing zero slot times

    Answer

    D. The station or AP that chooses the lowest number of slot times during the random backoff timer will always transmit first. Frame type, 802.11a/b/g/n standards support, and RTS/CTS do not affect which station will transmit first when multiple stations have data ready to be transmitted.

  9. What is the minimum CWmin value for an 802.11b AP?

    A. 15

    B. 16

    C. 31

    D. 32

    Answer

    C. The default CWmin value for 802.11b devices is 31. That is the default CWmin value whenever DSSS frame transmissions are ready to be sent. The default CWmin value for 802.11a/g/n devices is 15. Finally, 16 and 32 are not default CWmin values under any circumstance.

  10. What is the non-QOS CW value for an 802.11g station when it is about to transmit its second retry frame to an 802.11n AP?

    A. 63

    B. 64

    C. 127

    D. 128

    Answer

    A. An 802.11g station associated to an 802.11n AP will have a default CWmin value of 15. The CW will increase exponentially with each retry. On the first retry, the CW value will be 31, and on the second retry the CW value will be 63. On the third retry from an 802.11g station that is about to transmit to an 802.11n AP, a CW value of 127 will be used. Finally, 64 and 128 are not CW values under any circumstances.

  11. When will an EIFS be used prior to a frame transmission?

    A. When a corrupted frame has been received

    B. When a station is about to send a retransmitted frame

    C. When an 802.11n station is about to transmit on a mixed mode 802.11b/g/n or 802.11a/n BSS

    D. When an 802.11a/b/g station is about to transmit on a mixed mode 802.11b/g/n or 802.11a/n BSS

    Answer

    A. The EIFS is used only after a corrupted frame has been received. When a station has failed to receive an acknowledgment after a frame transmission, it sends a retransmitted frame. The retransmitted frame will be sent after either DIFS (non-QoS) or AIFS (QoS). Distinctions between 802.11a/b/g/n do not affect whether the EIFS is used prior to a frame transmission.

  12. Which well-known problem is EIFS known to cause?

    A. Hidden node

    B. Mixed mode

    C. Near/Far

    D. Protection mechanism

    Answer

    C. Near/Far may be caused by EIFS because successful frame transmissions may be seen as corrupted if stations are too far from the AP. The hidden node problem is caused by two stations or APs that cover the same transmission area but cannot hear each other’s transmissions. Mixed mode and protection mechanism are not problems.

  13. Which 802.11e QoS channel access method requires the QoS AP to take control of the wireless channel and manage service periods for associated stations?

    A. DCF mode

    B. PCF mode

    C. HCF mode using EDCA

    D. HCF mode using HCCA

    Answer

    D. HCF mode using HCCA is a QoS-based channel access method that involves the AP taking control of the wireless channel in order to manage station service periods. DCF mode and HCF mode using EDCA do not involve the AP taking control of the wireless channel. PCF mode does involve the AP taking control of the wireless channel, but it comes from the original 802.11 standard, not the 802.11e QoS amendment.

  14. Which IFS is used prior to the random backoff timer when a QoS AP or station is about to transmit a frame and a corrupted frame has just been received?

    A. AIFS

    B. DIFS

    C. EIFS

    D. PIFS

    Answer

    C. The EIFS is used prior to frame transmission any time a corrupted frame has just been received. The AIFS is used prior to frame transmission when data frames are about to be sent by QoS devices. The DIFS is used prior to frame transmission when data frames are about to be sent by non-QoS devices. The PIFS is used by APs to take control of the wireless channel before a contention-free period when in PCF mode.

  15. By default, what is the AIFSN value for the background access category?

    A. 2

    B. 3

    C. 5

    D. 7

    Answer

    D. The background AC has a default AIFSN value of 7. Higher AIFSN values give traffic a lower priority, and background is designed to be the lowest-priority AC. Voice and video traffic uses an AIFSN value of 2 by default, and best-effort traffic uses a default AIFSN value of 3. There is no AC with a default AIFSN value of 5.

  16. By default, what is the minimum CW value for the video access category?

    A. 3

    B. 7

    C. 15

    D. 31

    Answer

    B. The default CWmin value for the video AC is 7. That gives video traffic a lower priority level than voice traffic (which has a default CWmin value of 3) and higher priority than best-effort and background traffic (which both have default CWmin values of 15). 802.11b stations and APs that do not support QoS use the default CWmin value of 31.

  17. If an AP is configured with the TXOP limit for the voice access category left to the default value of 47, how many microseconds will the maximum TXOP be for traffic that uses the voice access category?

    A. 47

    B. 188

    C. 470

    D. 1504

    Answer

    D. The TXOP limit value is multiplied by 32 to determine the maximum number of microseconds in a TXOP. Therefore, a TXOP limit value of 47 would result in a maximum TXOP of 1504 microseconds.

  18. What protocols are required in 802.11n to make TXOPs more efficient that are not required in 802.11e? (Choose two.)

    A. Block acknowledgments

    B. CFB

    C. CWmax

    D. RIFS

    Answer

    A, D. Block acknowledgments are optional in 802.11e but required in 802.11n. Block acknowledgments make the channel more efficient by reducing the number of acknowledgment frames on the channel. The RIFS is not part of 802.11e and is required in 802.11n. The RIFS is an interframe space of 2 microseconds, allowing the channel to be more efficient than when the SIFS of 10 or 16 microseconds is used. CFBs were introduced in 802.11e and are required. CFBs do make the channel more efficient by allowing multiple data frames to be transmitted without going through arbitration for each frame. CWmax was part of the 802.11 standard. A low CWmax value could make the wireless channel more efficient because large CW values can cause stations to spend a large amount of time in the random backoff timer before transmitting a frame.

  19. How many frames will be transmitted within a TXOP if the transmitting AP has four frames to send and block acknowledgments are not used?

    A. 4

    B. 6

    C. 8

    D. 10

    Answer

    C. If block acknowledgments are not used, then one acknowledgment must be received for every data frame sent. That means a total of eight frame transmissions during a TXOP that includes a four-frame CFB. If block acknowledgments were used, a four-frame CFB would result in six total frames being sent during the TXOP.

  20. How long is the RIFS?

    A. 2 microseconds

    B. 10 microseconds

    C. 16 microseconds

    D. 32 microseconds

    Answer

    A. RIFS is 2 microseconds. SIFS is 10 microseconds for 2.4 GHz 802.11b/g/n devices and 16 microseconds for 5 GHz 802.11a/n devices.

CH08 Power Management

Wireless Radios and Battery Life

A wireless device performs the following four activities:

  1. Asleep
  2. Idle and awake
  3. Receiving
  4. Transmitting

Each of these activities consumes more power than the one before it. 802.11 power management aims to keep a wireless device in the low-power states as much as possible, to minimise high-power activity, and to perform the high-power activities (RX and TX) only when necessary. It also aims to make RX and TX more efficient.

Power Save Modes

  1. Active Mode In this mode the STA and the AP are always ready to send and receive data.
  2. Power Save Mode In this mode the STA is dozing and cannot receive data frames. A STA in this mode is not necessarily asleep the whole time; it only means that the AP treats the STA as asleep and therefore buffers frames destined for it until the STA sends a frame requesting the buffered data.

Power States

When a STA is in Power Save mode it switches between the following two states:

  • Doze State The station is saving the most battery life.
  • Awake State The station may either be idle, receiving, or transmitting.

Three 802.11 power management protocols exist today, but they share the same goal: maximise the time spent in the Doze state and minimise the time spent Awake/Idle.

Every power management method follows these steps:

  1. Before a station goes into the doze state, it sends a frame, usually a null data frame, to the AP indicating that power management is enabled

    2016112801.png

    Figure 54: Station sends a null data frame

  2. Once the station indicates that it is in Power Save mode, the AP begins to buffer all frames destined to that station.

    2016112802.png

    Figure 55: AP buffers data

  3. When the station goes into the awake state (more on that later), it sends a frame to the AP in order to begin the data retrieval process

    2016112803.png

    Figure 56: Station retrieves data

  4. When the AP has finished sending all buffered data to the station, the station goes back into the doze state

    2016112804.png

    Figure 57: Station returns to the doze state

Power Management Structure

So far, the 802.11 family has three power management methods:

  1. 802.11 power management Legacy Method
  2. Unscheduled automatic power save delivery (U-APSD) from the 802.11e amendment
  3. Power save multi-poll (PSMP) from the 802.11n amendment.

Association Identifier

Power management begins with the last step of association between STA and AP. The Association Response returned by the AP assigns an AID (1 to 2007) to the newly associated STA. AID 0 is used to indicate buffered broadcast frames.

Once the STA has an AID it can enter power save mode. When it does, it usually sends a Null data frame with the Power Management bit set to 1; on receiving it, the AP starts buffering data frames for that STA. What the STA does once it is in power save mode depends on the vendor's implementation.

A STA wakes from the doze state for one of three reasons. The first reason is that the STA has a frame to transmit: it wakes immediately and sends the frame. After sending, it either returns to the doze state or stays in active mode to keep transmitting, which can be seen from the Power Management bit in the 802.11 header.

Traffic Indication Map

The second reason is an internal mechanism of the STA that wakes it. When a STA relies on such an internal mechanism to wake periodically, it computes its wake time so that it is awake just before the Beacon arrives, because the beacon frame carries the TIM, which lists the STAs that need to request buffered frames from the AP.

Delivery Traffic Indication Message

A DTIM beacon frame is the same as any other beacon frame; the only difference is that its TIM IE carries information about the broadcast/multicast frames buffered at the AP. When a beacon frame is a DTIM beacon, the following two values are affected:

  • DTIM Count This will always be set to 0.
  • Bitmap Control The first bit is used: 1 means the AP has buffered broadcast/multicast frames, 0 means it has none.
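
An encoder and decoder for the TIM information element, as an added example (not the notes' or any driver's code; the function names are assumptions). It implements the field layout the notes and the review questions below rely on: Element ID 5, a minimum Length of 4, DTIM Count 0 marking a DTIM beacon, bit 0 of Bitmap Control for buffered broadcast/multicast traffic (AID 0), and the Bitmap Offset (bits 1 to 7 of Bitmap Control) that lets the AP leave out leading all-zero octets of the virtual bitmap. `dtim_interval_us` does the Beacon Interval × DTIM Period arithmetic from review question 20.

```python
"""Build and parse the TIM information element (Element ID 5) carried in
beacon frames.

Added example, not from the notes; function names are assumptions.
Layout per IEEE 802.11: Element ID (1) | Length (1) | DTIM Count (1) |
DTIM Period (1) | Bitmap Control (1) | Partial Virtual Bitmap (1..251)."""

TIM_ELEMENT_ID = 5
MAX_AID = 2007   # AIDs 1..2007; AID 0 stands for broadcast/multicast traffic
TU_US = 1024     # one time unit (TU) is 1024 microseconds


def build_tim(dtim_count, dtim_period, unicast_aids, multicast_buffered=False):
    """Return the encoded TIM for the set of AIDs with buffered unicast frames."""
    # Full traffic-indication virtual bitmap: 2008 bits, one per AID.
    bitmap = bytearray(251)
    for aid in unicast_aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID {aid} out of range")
        bitmap[aid // 8] |= 1 << (aid % 8)
    nonzero = [i for i, octet in enumerate(bitmap) if octet]
    if nonzero:
        # N1: largest even octet index with only zero octets before it;
        # N2: last non-zero octet. Bitmap Offset = N1 / 2.
        n1 = nonzero[0] & ~1
        n2 = nonzero[-1]
        pvb = bytes(bitmap[n1:n2 + 1])
    else:
        n1, pvb = 0, b"\x00"  # nothing buffered: a single zero octet
    bitmap_control = ((n1 // 2) << 1) | (1 if multicast_buffered else 0)
    body = bytes([dtim_count, dtim_period, bitmap_control]) + pvb
    return bytes([TIM_ELEMENT_ID, len(body)]) + body


def parse_tim(ie):
    """Decode a TIM; raises ValueError on malformed input."""
    if len(ie) < 6 or ie[0] != TIM_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("malformed TIM element")
    dtim_count, dtim_period, ctrl = ie[2], ie[3], ie[4]
    offset = ctrl >> 1
    aids = []
    for i, octet in enumerate(ie[5:]):
        for bit in range(8):
            if octet & (1 << bit):
                aids.append((2 * offset + i) * 8 + bit)
    return {
        "dtim_count": dtim_count,
        "dtim_period": dtim_period,
        "is_dtim": dtim_count == 0,            # DTIM beacon: count reached 0
        "multicast_buffered": bool(ctrl & 1),  # bit 0 represents AID 0
        "bitmap_offset": offset,
        "unicast_aids": aids,
    }


def aid_has_traffic(ie, aid):
    """Would a dozing station with this AID need to poll the AP?"""
    return aid in parse_tim(ie)["unicast_aids"]


def dtim_interval_us(beacon_interval_tu, dtim_period):
    """Microseconds between DTIM beacons (the Beacon Interval is in TUs)."""
    return beacon_interval_tu * dtim_period * TU_US


if __name__ == "__main__":
    tim = build_tim(0, 3, [27])
    print(tim.hex(), parse_tim(tim))
    print("DTIM every", dtim_interval_us(100, 3), "us")
```

With only AID 27 buffered the element encodes as `05 05 00 03 02 00 08`: octets 0 and 1 of the virtual bitmap are dropped, so the Bitmap Offset is 1 and the Length is 5, one more than the minimum. A Beacon Interval of 100 TU with a DTIM Period of 3 gives 307200 μs between DTIM beacons, the "approximately 300 milliseconds" of review question 20.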

802.11 Power Management

The following aspects set 802.11 power management apart:

  • Stations Stay in Power Save Mode In step three, the STA retrieves data by sending the AP a frame whose 802.11 header has the Power Management bit set to 1.

    In step four, once the data has been retrieved the STA can enter the doze state without notifying the AP, because it has remained in Power Save mode throughout.

  • Power Save Poll (PS-Poll) Frames Are Used In step three, the STA sends a PS-Poll frame to the AP to retrieve data.
  • Stations Transmit Frames While in Power Save Mode The frames the STA transmits have the Power Management bit set to 1.

802.11 power management has the following limitations:

  1. It adds overhead on the wireless channel. PS-Poll frames carry no data, and transmitting them lowers the channel's maximum throughput. 802.11 power management requires a PS-Poll frame before every single frame retrieved from the AP.
  2. The STA spends too much time transmitting. Transmitting is the most power-hungry state. Because a PS-Poll frame must precede every retrieved frame, transmit time and therefore power consumption go up. This is why 802.11 power management is rarely used in practice.

802.11e U-APSD

U-APSD is part of the 802.11e amendment and of the WMM-Power Save certification, and it is a mandatory feature for 802.11n STAs.

Overall, U-APSD follows the same steps as 802.11 power management, with the following differences:

  • Stations Vacillate Between Active Mode and Power Save Mode

    In 802.11 power management the STA always stays in Power Save mode and merely switches back and forth between the Awake and Doze states.

    In step three, the STA usually sends a Null data frame to retrieve the buffered data from the AP.

    2016112805.png

    Figure 58: Station retrieves data

    In step four, the STA must explicitly notify the AP before it can enter the Doze state; only then does the AP resume buffering frames for the STA.

    2016112901.png

    Figure 59: Station returns to the doze state

  • PS-Poll Frames Are Not Used

    Null data frames are normally used to retrieve data from the AP, and all buffered data is retrieved in one go rather than one Null data frame per retrieved frame.

    Compared with 802.11 power management, U-APSD is the more advanced mechanism and should be used whenever possible. Because U-APSD was introduced by the 802.11e amendment, many STAs in the field may not support 802.11e, but many STAs do support a U-APSD-esque power management method. In both, a single null-data frame is enough to retrieve the AP's buffered data; the difference lies in how the AP sends the buffered unicast frames. With U-APSD, the buffered frames are sent back to back within one TXOP, separated by the shorter SIFS or RIFS (for 802.11n devices). In non-802.11e mode the normal contention-based medium access rules apply, so each frame is preceded by a DIFS and a random backoff.

    When the TXOP allows only a single frame to be transmitted, the two are in effect identical.

802.11n Power Management

802.11n devices in practice use U-APSD, even though 802.11n power management also includes PSMP (power save multi-poll) and SMPS (spatial multiplexing power save).

SMPS

SMPS involves stations reducing the number of data streams used during spatial multiplexing.

PSMP

A power management method built on S-APSD, used mainly in networks that employ the HCCA channel access mechanism.

IBSS Power Management

The basic structure is the same: stations send a notification before dozing, and then frames get buffered, and finally the dozing stations wake up in order to retrieve their frames. The difference is that there is no central AP to buffer the frames, and there is no need for a TIM or DTIM.

To accommodate the fact that multiple devices may be buffering frames for one dozing station, IBSS power management introduces the use of the announcement traffic indication message (ATIM) frame.

When a station receives an ATIM frame, that formerly dozing station must begin the process of retrieving buffered frames from the station that transmitted the ATIM.

Review Questions

  1. Which one of the following 802.11 amendments defined new power management methods, involving stations entering the doze state, that are used in real-world devices? (Choose all that apply.)

    A. 802.11b

    B. 802.11e

    C. 802.11h

    D. 802.11n

    Answer

    B, D. 802.11e defined U-APSD and 802.11n defined unscheduled PSMP, which are used in real-world stations and APs that are WMM Power Save certified. 802.11b and 802.11h amendments did not define new power management methods.

  2. Which of the following frame types is typically used by stations to notify an AP of a change in power management mode?

    A. Acknowledgment

    B. Null data

    C. PS-Poll

    D. RTS

    Answer

    B. Null data frames use the power management flag in the 802.11 header to change between active mode and Power Save mode. Acknowledgment and RTS frames do not play a role in power management. PS-Poll frames are used in power management, but they are typically used to retrieve buffered unicast frames from the AP, not to notify the AP of a change in power state.

  3. Which of the following states drains the most battery life?

    A. Doze

    B. Idle

    C. Receive

    D. Transmit

    Answer

    D. The transmit state drains the most battery life. The receive state drains the second-most battery life, idle drains the third most, and doze drains the least battery life.

  4. Which of the following states drains the least battery life?

    A. Doze

    B. Idle

    C. Receive

    D. Transmit

    Answer

    A. The doze state drains the least battery life. The idle state drains the second-least battery life, receive drains the third most, and transmit drains the most battery life.

  5. Which power management method uses the PS-Poll frame?

    A. 802.11 power management

    B. 802.11 power save polling

    C. 802.11e automatic power save delivery

    D. 802.11n power save multi-poll

    Answer

    A. 802.11 power management is the only power management method that uses the PS-Poll frame. 802.11 power save polling is not a power management method. 802.11e APSD uses null data frames to alternate between power management modes. 802.11n PSMP does not use PS-Poll frames.

  6. If the only station that has buffered unicast frames at the AP was assigned an AID of 27, what will be the value of the Bitmap Offset in the TIM information element?

    A. 1

    B. 2

    C. 3

    D. 4

    Answer

    A. The Bitmap Offset defines how many 8-bit sequences (octets) may be eliminated from the Partial Virtual Bitmap field because of the stations not having unicast frames buffered at the AP. Each station is assigned an AID, and if the station does not have any unicast frames buffered at the AP, then the value for that station’s AID in the Partial Virtual Bitmap is 0. If an entire byte of AIDs at the start of the bitmap are 0s (AIDs 0–7, 8–15, 16–23, and so on), then a Bitmap Offset value can be set. If the station with an AID of 27 is the first AID with unicast frames buffered at the AP, then a Bitmap Offset value of 1 (meaning that AIDs 0–7 and 8–15 are all set to 0) would be used.

    If the Bitmap Offset were set to 2, then AIDs 0–7, 8–15, 16–23, and 24–31 would all be equal to 0. Since AID 27 is equal to 1 in the Partial Virtual Bitmap, 2 is incorrect.

  7. What is the minimum value of the Length field of the TIM information element?

    A. 4

    B. 5

    C. 6

    D. 7

    Answer

    A. The Length field defines how many bytes are used by information carrying fields in the TIM information element. The DTIM Count, DTIM Period, Bitmap Control, and Partial Virtual Bitmap are the fields of the TIM, and each field has a minimum length of 1 byte. Therefore, 4 is the lowest possible value for the Length field.

  8. What is the element ID of the TIM information element?

    A. 4

    B. 5

    C. 6

    D. 7

    Answer

    B. 5 is the element ID for the TIM information element.

  9. Which of the following is false?

    A. Stations must use the PS-Poll frame to retrieve buffered unicast frames from the AP when 802.11 power management is used.

    B. Stations use the DTIM beacon to view information about unicast, multicast, and broadcast frames that are buffered at the AP.

    C. Stations must always be awake when DTIM beacon frames are sent by the AP.

    D. Stations using 802.11e U-APSD will never transmit a PS-Poll frame.

    Answer

    C. Stations with the Receive DTIMs setting set to false will not wake up for DTIM beacon frames from the AP. 802.11 power management does involve stations retrieving unicast frames from the AP using PS-Poll frames. DTIM beacon frames do carry information about unicast, multicast, and broadcast frames buffered at the AP. U-APSD does not support the use of PS-Poll frames.

  10. Which additional fields are added to the TIM information element in a DTIM beacon frame?

    A. DTIM Count

    B. DTIM Period

    C. Both A and B

    D. Neither A nor B

    Answer

    D. The DTIM Count and DTIM Period fields are present in all TIM information elements of beacon frames. If a beacon is a DTIM beacon, then the DTIM Count field will be set to 0. The DTIM Period field plays no role in identifying whether a beacon is a DTIM beacon.

  11. Which type of power management frame is used only in an IBSS?

    A. ATIM

    B. DTIM

    C. CF-Poll

    D. PS-Poll

    Answer

    A. The ATIM is a frame used in IBSS networks to allow a station with frames in its buffer to notify a sleeping station that the frames are ready to be retrieved. DTIM is not a type of frame. CF-Poll and PS-Poll frames are not unique to IBSS networks.

  12. Which type of frame used during power management is a control frame?

    A. ATIM

    B. Beacon

    C. PS-Poll

    D. Null

    Answer

    C. The PS-Poll is a control frame. The ATIM and beacon frames are management frames. The null frame is a data frame.

  13. When a station sends a PS-Poll frame to the AP, how many frames of buffered unicast data are retrieved?

    A. 0

    B. 1

    C. Enough to fill a single TXOP

    D. All unicast frames in the AP’s buffer

    Answer

    B. A PS-Poll frame retrieves one unicast frame buffered at the AP. Null data frames retrieve all unicast frames in the AP’s buffer. Frames that are not PS-Poll frames and that have the power management flag in the 802.11 header set to 1 retrieve 0 unicast frames from the AP’s buffer. There is no type of frame that retrieves only a single TXOP’s worth of unicast frames from the AP’s buffer.

  14. When an AP is sending a unicast frame to a station in response to a PS-Poll, which flag in the 802.11 header lets the station know whether there are more frames in the AP’s buffer for the station to retrieve?

    A. From DS

    B. More data

    C. Order

    D. Power management

    Answer

    B. The More Data flag in the 802.11 header is set to 1 by the AP when additional unicast frames are still in the AP’s buffer. The From DS and Order flags have nothing to do with power management. The Power Management flag is set to 1 by stations as a way of indicating to the AP that frames should be held in the AP’s buffer.

  15. Which field in the TIM information element is used to indicate whether broadcast and/or multicast frames are buffered at the AP?

    A. DTIM Count

    B. DTIM Period

    C. Bitmap Control

    D. Partial Virtual Bitmap

    Answer

    C. When broadcast and/or multicast frames are buffered at the AP, the first bit of the Bitmap Control field (which corresponds to AID 0) will be set to 1.

    The DTIM Count, DTIM Period, and Partial Virtual Bitmap fields are all present in DTIM beacon frames, but none of them carries the indicator to stations that broadcast and/or multicast frames that are buffered at the AP.

  16. Which of the following are reasons that stations might wake up from the doze state? (Choose two.)

    A. The station has received a frame from the AP.

    B. The station’s NAV timer expires.

    C. The station has a frame ready to be transmitted.

    D. The station expects a DTIM beacon frame to be transmitted by the AP.

    Answer

    C, D. Stations may wake from the doze state when a frame is ready to be transmitted, if the station expects a DTIM beacon frame or if the station has an internal timer that tells it when to wake up. Receiving a frame from the AP would not affect a dozing station because a station’s radio cannot receive frames when dozing. The NAV timer has nothing to do with power management.

  17. If a station has sent a frame to the AP with the power management flag set to 1, which of the following states may the station go into? (Choose all that apply.)

    A. Doze

    B. Idle

    C. Receive

    D. Transmit

    Answer

    A, B, C, D. All states may be used by stations that are in Power Save mode. When a station goes into Power Save mode, it causes the AP to buffer frames, but it does not prevent the station from transmitting, receiving, or staying awake and in the idle state.

  18. If a station has sent a frame to the AP with the power management flag set to 0, which of the following states may the station go into? (Choose all that apply.)

    A. Doze

    B. Idle

    C. Receive

    D. Transmit

    Answer

    B, C, D. The doze state may not be used by a station that is in active mode, because APs will not buffer frames if all stations are in active mode.

  19. Name two reasons why 802.11 power management is considered inefficient.

    A. All buffered unicast frames sent by the AP must be followed by an acknowledgment frame.

    B. All buffered unicast frames sent by the AP must be preceded by a PS-Poll frame.

    C. Too much protocol overhead is caused by the acknowledgment frames that follow retrieved unicast frames from the AP’s buffer.

    D. Too much protocol overhead is caused by the PS-Poll frames that precede retrieved unicast frames from the AP’s buffer.

    Answer

    B, D. 802.11 power management is inefficient because the transmission of a PS-Poll frame by stations in advance of retrieving buffered unicast frames from the AP causes the station to drain too much battery life and causes too much overhead to be added to the channel. Acknowledgment frames are not added to the network when 802.11 power management is used.

  20. You perform a frame capture on a BSS that has a WMM Power Save–certified AP. You notice in the beacon frames that the Beacon Interval is 100 and the DTIM Period is 3. You also notice that when your station is idle, null data frames are transmitted once every second and that the power management flag alternates between 0 and 1 in those null data frames. What does this mean? (Choose two.)

    A. The Receive DTIMs setting in your station is set to false.

    B. The Receive DTIMs setting in your station is set to true.

    C. The station supports U-APSD.

    D. The station does not support U-APSD.

    Answer

    A, D. If the Beacon Interval field is 100 and the DTIM Period field is 3, then a DTIM beacon frame is transmitted by the AP every 300 kilomicroseconds (approximately every 300 milliseconds). If the delta time between a station’s transmitted null data frames alternating the power management mode is 1 second (1,000 milliseconds), then that means the station is dozing while DTIM beacon frames are being transmitted by the AP. The only way a station may doze while DTIM beacon frames are being transmitted by the AP is if the Receive DTIMs setting on the station is set to false.

    If the Receive DTIMs setting on the station were set to true, then a station would show a delta time of no more than three tenths of a second if the Beacon Interval is 100 and the DTIM Period is 3.

    The use of null data frames rather than QoS null data frames indicates that the station is not using U-APSD, but rather the non-802.11e power management method that is similar to U-APSD.

CH09 802.11 Security

Authentication

Authentication is one of the two steps a Wi-Fi device must complete before joining a BSS, and it must take place before Association. What it does is roughly comparable to plugging a cable into a NIC so that the Ethernet physical layer comes up. Its main purpose is to verify that the device is a valid 802.11 wireless device.

Open System Authentication

In this authentication mode the client sends the first Authentication frame and the AP replies with success or failure. WEP encryption is optional and is mainly applied, after association succeeds, to the data at Layer 3 and above. Today, however, the secure authentication methods 802.11i WPA/WPA2 and 802.1X/EAP are used instead.

Shared Key Authentication

It is a pre-RSNA security method. The exchange involves four steps, as shown in the figure:

2016121201.png

Figure 60: Shared Key authentication exchange

WLAN Encryption Methods

Layer 2 encryption methods: Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), CTR with CBC-MAC Protocol (CCMP). These methods mainly protect the MSDU, that is, the data from Layer 3 and above.

WEP

  • WEP encryption process

    2015121002.png

  • WEP MPDU format

    2016121202.png

TKIP

  • TKIP encryption and data integrity process

    2016121203.png

    TKIP encryption and data integrity process:

    • TTAK = Phase 1 (TK, TA, TSC)
    • WEP seed = Phase 2 (TTAK, TK, TSC)

    Where does the 128-bit temporal key come from?

    The 128-bit temporal key is a dynamically generated key that comes from a 4-Way Handshake creation process. The 128-bit temporal key can either be a pairwise transient key (PTK) used to encrypt unicast traffic or a group temporal key (GTK) used to encrypt broadcast and multicast traffic.

    After the appropriate 128-bit temporal key (pairwise or group) is created, the two-phase key-mixing process begins.

  • TKIP MPDU

    The encrypted frame body consists of five key pieces:

    • IV/Key ID
    • Extended IV
    • Data (the encrypted MSDU)
    • MIC
    • ICV

    2016121204.png

CCMP

  • CCMP encryption and data integrity process

    2016121205.png

    2016121206.png

    Figure 66: Additional authentication data (AAD)

  • CCMP MPDU

    2016121207.png
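As an added example (not code from the CWAP guide or these notes), the following Python decodes the cleartext IV/Key ID and Extended IV fields of a TKIP MPDU and the 8-byte CCMP header of a CCMP MPDU shown in the figures above, recovers the 48-bit TSC/PN and key ID, strips the 20-byte and 16-byte overhead discussed in this chapter, and applies the receiver-side replay check that drops a frame whose counter does not increase. The frame bodies are constructed samples, and the `ReplayCheck` class is an illustrative helper, not a standard API.

```python
"""Decode the cleartext security headers of TKIP and CCMP MPDU frame bodies."""
from dataclasses import dataclass

TKIP_OVERHEAD = 20   # IV/Key ID (4) + Extended IV (4) + MIC (8) + ICV (4)
CCMP_OVERHEAD = 16   # CCMP header (8) + MIC (8)
EXT_IV_BIT = 0x20    # bit 5 of the Key ID octet: Extended IV present

@dataclass
class SecurityHeader:
    cipher: str
    key_id: int
    counter: int      # 48-bit TSC (TKIP) or PN (CCMP)
    payload_len: int  # encrypted MSDU length with cipher overhead removed

def _counter48(low: bytes, high: bytes) -> int:
    """Assemble the 48-bit counter from its low 16 and high 32 bits (LSB first)."""
    return int.from_bytes(low + high, "little")

def parse_tkip_body(body: bytes) -> SecurityHeader:
    if len(body) < TKIP_OVERHEAD:
        raise ValueError("frame body shorter than TKIP overhead")
    tsc1, wep_seed, tsc0, key_octet = body[0], body[1], body[2], body[3]
    if not key_octet & EXT_IV_BIT:
        raise ValueError("Ext IV bit clear: not a TKIP MPDU")
    # WEPSeed[1] is derived from TSC1 to avoid weak RC4 IVs; a mismatch is malformed.
    if wep_seed != ((tsc1 | 0x20) & 0x7F):
        raise ValueError("WEPSeed[1] inconsistent with TSC1")
    tsc = _counter48(bytes([tsc0, tsc1]), body[4:8])  # Extended IV = TSC2..TSC5
    return SecurityHeader("TKIP", key_octet >> 6, tsc, len(body) - TKIP_OVERHEAD)

def parse_ccmp_body(body: bytes) -> SecurityHeader:
    if len(body) < CCMP_OVERHEAD:
        raise ValueError("frame body shorter than CCMP overhead")
    key_octet = body[3]                                # PN0 PN1 rsvd KeyID PN2..PN5
    if not key_octet & EXT_IV_BIT:
        raise ValueError("Ext IV bit clear: not a CCMP MPDU")
    pn = _counter48(body[0:2], body[4:8])
    return SecurityHeader("CCMP", key_octet >> 6, pn, len(body) - CCMP_OVERHEAD)

class ReplayCheck:
    """Receiver-side replay detection: the TSC/PN must strictly increase per
    (transmitter, cipher, key ID); a repeated or older value is dropped."""
    def __init__(self) -> None:
        self.last = {}

    def accept(self, ta: str, hdr: SecurityHeader) -> bool:
        key = (ta, hdr.cipher, hdr.key_id)
        if hdr.counter <= self.last.get(key, -1):
            return False
        self.last[key] = hdr.counter
        return True

# Constructed sample bodies: 0xAA stands in for ciphertext, 0xBB for the MIC, 0xCC for the ICV.
TKIP_BODY = bytes([0x01, 0x21, 0x02, 0x20, 0, 0, 0, 0]) + b"\xaa" * 40 + b"\xbb" * 8 + b"\xcc" * 4
CCMP_BODY = bytes([0x45, 0x23, 0x00, 0x60, 0x01, 0, 0, 0]) + b"\xaa" * 40 + b"\xbb" * 8

if __name__ == "__main__":
    check = ReplayCheck()
    for hdr in (parse_tkip_body(TKIP_BODY), parse_ccmp_body(CCMP_BODY)):
        print(hdr, "accepted" if check.accept("ap", hdr) else "replay")
```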

WPA/WPA2

WPA was the interim solution before the 802.11i amendment was formally released; it supports only the TKIP/RC4 dynamic encryption-key generation method. After 802.11i was published, the WFA revised WPA into WPA2, the main difference being that WPA2 uses the CCMP/AES dynamic encryption-key generation mechanism. Both WPA and WPA2 support 802.1X/EAP and PSK authentication.

Robust Security Networks (RSN)

After the 802.11i amendment was formally released it was incorporated into the 802.11-2007 standard, which defines the robust security network (RSN) and the robust security network association (RSNA). A security association is a set of policies and keys used to protect information. An RSNA requires two 802.11 STAs to complete mutual authentication, association and dynamic encryption-key creation through a 4-Way Handshake. The association established between two 802.11 STAs in this way is called an RSNA. Support for the CCMP/AES encryption method is mandatory, while support for TKIP/RC4 is optional.

2016121301.png

Figure 68: RSNA within a BSS

2016121302.png

Figure 69: RSNA within an IBSS

An RSN permits only the creation of RSNAs. In other words, only the two encryption methods CCMP/AES and TKIP/RC4 exist within an RSN. If a pre-RSNA encryption method such as dynamic WEP is also present, the network is called a transition security network (TSN).

2016121303.png

Figure 70: Robust security network

2016121304.png

Figure 71: Transition security network

Each WLAN has a logical name, the SSID, and a unique Layer 2 identifier, the BSSID. The BSSID is usually the MAC address of the AP. Most WLAN devices can create multiple virtual BSSIDs, which makes virtual WLANs possible: each unique SSID can be assigned to a specific VLAN, and each VLAN is associated with a virtual BSSID. In this way each VLAN has an SSID and a unique virtual Layer 2 identifier (BSSID), so each WLAN can be mapped to a unique VLAN at Layer 3. Each WLAN can require a different type of security association.

2016121305.png

Figure 72: RSN, pre-RSN, and TSN within the same AP cell

RSN Information Element

Within a BSS, devices learn each other's RSN capabilities from the RSN IE carried in management frames. The RSN IE contains the cipher capability information and indicates whether 802.1X/EAP or PSK authentication is used.

The RSN IE normally appears in the following four 802.11 management frames:

  1. beacon management frames
  2. probe response frames
  3. association request frames
  4. reassociation request frames

The AP informs STAs of its security capabilities through Beacon or Probe Response management frames.

2016121306.png

Figure 73: Access point RSN security capabilities

A STA reports its own security capabilities to the AP in Association Request and Reassociation Request frames. If the supported capabilities do not meet the AP's requirements, the association is rejected.

2016121307.png

Figure 74: Client station RSN security capabilities

A capture of the RSN IE is shown below:

2016121308.png

Figure: RSN Information

  • group cipher suite: the cipher used to encrypt broadcast and multicast frames
  • pairwise cipher suite: the cipher used to encrypt unicast frames
  • AKM suite field: indicates whether 802.1X or PSK is currently supported
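An added example, not from the CWAP guide or these notes: a Python decoder for the RSN IE fields listed above. It walks the suite selector lists (OUI 00-0F-AC; AKM 01 = 802.1X and 02 = PSK, the values quoted in review question 11 below), reads the MFPC/MFPR bits of the optional RSN Capabilities field, and applies the rule from review question 18 that a WEP group cipher marks the BSS as a TSN rather than an RSN. The cipher suite numbers for WEP-40, TKIP, CCMP and WEP-104 are the standard's assignments; the two IEs it parses are constructed samples.

```python
"""Decode an RSN information element (element ID 48) from a management frame."""
import struct
from dataclasses import dataclass

RSN_EID = 48
OUI_IEEE = bytes.fromhex("000fac")               # 00-0F-AC suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}                    # 00-0F-AC-01 / 00-0F-AC-02
MFPR, MFPC = 0x0040, 0x0080                       # RSN Capabilities bits 6 and 7

@dataclass
class RsnInfo:
    version: int
    group_cipher: str
    pairwise_ciphers: list
    akm_suites: list
    mfp_capable: bool
    mfp_required: bool

    def network_type(self) -> str:
        """A WEP group cipher means legacy STAs share the broadcast key, so the
        BSS is a transition security network rather than a pure RSN."""
        return "TSN" if self.group_cipher.startswith("WEP") else "RSN"

def _suite_name(body: bytes, off: int, table: dict) -> str:
    if off + 4 > len(body):
        raise ValueError("RSN IE truncated inside a suite selector")
    oui, typ = body[off:off + 3], body[off + 3]
    if oui != OUI_IEEE:
        return f"vendor({oui.hex()}:{typ})"
    return table.get(typ, f"reserved({typ})")

def _suite_list(body: bytes, off: int, table: dict):
    if off + 2 > len(body):
        raise ValueError("RSN IE truncated at a suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = [_suite_name(body, off + 4 * i, table) for i in range(count)]
    return names, off + 4 * count

def parse_rsn_ie(ie: bytes) -> RsnInfo:
    if len(ie) < 2 or ie[0] != RSN_EID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 8:
        raise ValueError("RSN IE length does not match its contents")
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite_name(body, 2, CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    # RSN Capabilities is optional; when absent no MFP support is advertised.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return RsnInfo(version, group, pairwise, akms, bool(caps & MFPC), bool(caps & MFPR))

# Constructed sample IEs, not taken from a real capture.
PSK_MIXED_IE = bytes.fromhex("3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")
TSN_8021X_IE = bytes.fromhex("3014 0100 000fac05 0100 000fac04 0100 000fac01 8000")

if __name__ == "__main__":
    for ie in (PSK_MIXED_IE, TSN_8021X_IE):
        info = parse_rsn_ie(ie)
        print(info.network_type(), info)
```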

802.1X

802.1X provides an authorization framework that allows or disallows traffic to pass through a port and thereby access network resources.

802.1X can be used in both wireless and wired environments.

The 802.1X authorization framework has three components, which interact using the Layer 2 EAP authentication protocol and authenticate the user at Layer 2.

Supplicant

The supplicant communicates with the authentication server at Layer 2. Until it has been authenticated by the AS, it cannot communicate at Layer 3 or above.

Authenticator

The authenticator maintains two virtual ports: an uncontrolled port that allows only EAP frames to pass, and a controlled port through which communication is permitted only after authentication succeeds.

Authentication Server

Authenticates the supplicant. It communicates with the supplicant at Layer 2 via EAP and informs the authenticator of the authentication result.

EAP

EAP messages are encapsulated in EAPOL frames. When the authenticator forwards them to the AS, it converts them to EAP.

2016121601.png

Figure 75: EAPOL messages

The 802.1X/EAP exchange begins after the Layer 2 link has been successfully established, that is, after Association succeeds.

2016121602.png

Figure 76: Generic EAP exchange

Strong EAP Protocols

The stronger and more commonly deployed methods of EAP use Transport Layer Security (TLS)–based authentication and/or TLS-tunneled authentication.

EAP methods that use tunneled authentication have two supplicant identities: an outer identity and an inner identity.

The outer identity is only a disguised identity; the inner identity is the real one.

The whole purpose of tunneled authentication is to provide a secure channel to protect the user identity credentials. The user credentials are encrypted inside the TLS tunnel.

EAP-PEAP

An encrypted TLS tunnel is established between the supplicant and the authentication server.

2016121603.png

Figure 77: EAP-PEAP process

4-Way Handshake

Group Key Handshake

Fast BSS Transition (FT)

Information Elements

FT Initial Mobility Domain Association

Over-the-air Fast BSS Transition

Over-the-DS Fast BSS Transition

802.11w Protected Management Frames

Protects management frames and Action frames to prevent DoS attacks.

Review Questions

  1. Laura is attempting to diagnose a WLAN by using a packet analyzer to capture the exchange of frames and packets between a wireless client and the AP. In the process of analyzing the packets, she sees two 802.11 authentication frames, two 802.11 association frames, and DHCP requests and responses, and then she begins to see encrypted data. Which of the following could the client be using? (Choose all that apply.)

    A. Open System authentication

    B. Shared Key authentication

    C. 802.1X/EAP

    D. WEP

    E. PPTP

    F. L2TP/IPsec

    Answer explanation

    A, E, F. Since there are only two 802.11 authentication frames, Open System authentication is being used. Shared Key authentication would generate four 802.11 authentication frames. If 802.1X/EAP or WEP were being used, then the client would be doing L2 encryption, and the DHCP frames would be encrypted and not visible. Therefore, 802.1X/EAP and WEP are not being used. Both PPTP and L2TP/IPsec perform layer 3 encryption that would allow Laura to see the DHCP exchange and any other IP traffic.

  2. This graphic shows a packet capture of a successful 802.11 authentication. In which of the following types of client connections could this authentication not occur? (Choose all that apply.)

    2016121901.png

    A. 802.1X/EAP

    B. VPN

    C. WEP with Shared Key authentication

    D. WEP with Open System authentication

    E. Open System authentication with WEP

    Answer explanation

    A, D, E. The graphic shows an 802.11 Shared Key authentication that consists of four authentication frames: an authentication request followed by a clear-text challenge frame, followed by a challenge response with the clear-text data encrypted, and then followed by an authentication response. 802.1X/EAP works together with Open System authentication but cannot be deployed when WEP is used. To use Shared Key authentication, WEP must be enabled. A VPN can be used with Shared Key or Open System authentication. Companies would use a VPN for data privacy because WEP has been cracked, but they often would still use WEP as an added layer of security. Shared Key authentication is optional with WEP, although not recommended.

  3. The graphic shows a packet capture of a successful 802.11 authentication. In which of the following types of client connections could this not occur?

    2016121902.png

    A. 802.1X/EAP

    B. VPN

    C. WEP with Shared Key authentication

    D. WEP with Open System authentication

    E. Unencrypted

    Answer explanation

    C. The graphic shows a two-frame Open System authentication. 802.1X/EAP works together with Open System authentication. VPN can be configured with either Open System or Shared Key authentication. An unencrypted session uses Open System authentication.

  4. Given that CCMP uses a MIC for data integrity to protect the frame body and portions of the MAC header, what information needs to be constructed to protect certain fields in the MAC header?

    A. Nonce

    B. Extended IV

    C. ICV

    D. AAD

    E. PN

    Answer explanation

    D. Additional authentication data (AAD) is constructed from portions of the MPDU header. This information is used for data integrity of portions of the MAC header. Receiving stations can then validate the integrity of these MAC header fields. The MIC protects the AAD information and the frame body for data integrity.

  5. How many extra bytes of overhead does TKIP/RC4 encryption add to the body of an 802.11 MPDU?

    A. 16 bytes

    B. 12 bytes

    C. 20 bytes

    D. 10 bytes

    E. None of the above

    Answer explanation

    C. When TKIP is implemented, because of the extra overhead from the extended IV and the MIC, a total of 20 bytes of overhead is added to the body of an 802.11 MPDU. CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 MPDU. WEP encryption will add an extra 8 bytes of overhead to the body of an 802.11 MPDU.

  6. The TKIP MIC is used for data integrity. Which portions of an 802.11 MPDU does the TKIP MIC protect from being altered? (Choose all that apply.)

    A. MSDU

    B. SA

    C. DA

    D. TA

    E. Frame Control field

    F. MSDU priority bit

    Answer explanation

    A, B, C. TKIP uses a stronger data integrity check known as the message integrity code (MIC) to mitigate known forgery attacks against WEP. The MIC is often referred to by its nickname of Michael. The MIC can be used to defeat bit-flipping attacks, fragmentation attacks, redirection, and impersonation attacks. The MIC is computed using the destination address (DA), source address (SA), MSDU Priority, and the entire unencrypted MSDU plaintext data. After the MIC is generated, it is appended to the end of the MSDU payload.

  7. What does 802.1X/EAP provide when implemented for WLAN security? (Choose all that apply.)

    A. Access to network resources

    B. Verification of access point credentials

    C. Dynamic authentication

    D. Dynamic encryption-key generation

    E. Verification of user credentials

    Answer explanation

    A, D, E. The purpose of 802.1X/EAP is authentication of user credentials and authorization to access network resources. Although the 802.1X framework does not require encryption, it highly suggests the use of encryption. A by-product of 802.1X/EAP is the generation and distribution of dynamic encryption keys. Although the encryption process is actually a byproduct of the authentication process, the goals of authentication and encryption are very different. Authentication provides mechanisms for validating user identity while encryption provides mechanisms for data privacy or confidentiality.

  8. View the frame capture of the 4-Way Handshake in the graphic shown here. Which EAPOL-Key message frame is displayed?

    2016121903.png

    A. 4-Way Handshake message 1

    B. 4-Way Handshake message 2

    C. 4-Way Handshake message 3

    D. 4-Way Handshake message 4

    Answer explanation

    C. The third EAPOL-Key frame of the 4-Way Handshake may also contain a message to the supplicant to install the temporal keys. The frame capture indicates that the temporal key is to be installed. The third EAPOL-Key frame also sends the supplicant the ANonce, the authenticator’s RSN information element capabilities, and a MIC. If a GTK has been generated, the GTK will be inside the third EAPOL-Key frame. The GTK confidentiality is protected because it will be encrypted with the PTK.

  9. What are some of the frames that carry the security capabilities found in the RSN information element? (Choose all that apply.)

    A. Beacon management frame

    B. Probe request frame

    C. Probe response frame

    D. Association request frame

    E. EAPOL-Key frame

    F. Request-to-Send frame

    Answer explanation

    A, C, D, E. The RSN information element field is found in four different 802.11 management frames: beacon management frames, probe response frames, association request frames, and reassociation request frames. The RSN information element can also be found in the second and third EAPOL-Key frames of the 4-Way Handshake.

  10. In a robust security network (RSN), which 802.11 management frames are used by client stations to inform an access point about the RSNA security capabilities of the client STAs? (Choose all that apply.)

    A. Beacon management frame

    B. Probe request frame

    C. Probe response frame

    D. Association request frame

    E. Reassociation response frame

    F. Reassociation request frame

    G. Association response frame

    Answer explanation

    D, F. The RSN information element field is found in four different 802.11 management frames: beacon management frames, probe response frames, association request frames, and reassociation request frames. Within a basic service set, an access point and client stations use the RSN information element within these four management frames to communicate with each other about their security capabilities prior to establishing association. Client stations use the association request frame to inform the access point of the client station security capabilities. When stations roam from one access point to another access point, they use the reassociation request frame to inform the new access point of the roaming client station’s security capabilities. The security capabilities include supported encryption cipher suites and supported authentication methods.

  11. After viewing the frame capture shown here, identify the type of authentication method being used.

    2016121904.png

    A. EAP-TTLS

    B. Open System

    C. PSK

    D. EAP-TLS

    E. PEAP

    Answer explanation

    C. The RSN information element can also be used to indicate what authentication methods are supported. The authentication key management (AKM) suite field in the RSN information element indicates whether the station supports either 802.1X authentication or PSK authentication. If the AKM suite value is 00-0F-AC-01, authentication is negotiated over an 802.1X infrastructure using an EAP protocol. If the AKM suite value is 00-0F-AC-02, then PSK is the authentication method that is being used.

  12. Which of these roaming methods requires the use of FT Action frames?

    A. Over-the-air fast BSS transition

    B. Over-the-WDS fast BSS transition

    C. Over-the-DS fast BSS transition

    D. Over-the-WLS fast BSS transition

    Answer explanation

    C. The pairwise transient key (PTK) is the third-level key of the FT key hierarchy. The PTK is the final key used to encrypt 802.11 data frames. The PTK is created during either an over-the-air fast BSS transition frame exchange or over-the-DS fast BSS transition frame exchange. In any 802.11 robust security network (RSN), the PTK is used to encrypt the MSDU payload of an 802.11 unicast data frame.

  13. Before an 802.11 client STA can pass traffic through the AP, which two of the following must occur? (Choose two answers.)

    A. 802.1X

    B. EAP

    C. Association

    D. Authentication

    E. WEP keys must match

    Answer explanation

    C, D. For a client to connect to the WLAN and pass data, the client must authenticate and associate. The other three choices could occur but do not have to do so.

  14. How many extra bytes of overhead does CCMP/AES encryption add to the body of an 802.11 data frame?

    A. 16 bytes

    B. 12 bytes

    C. 20 bytes

    D. 10 bytes

    E. None of the above

    Answer explanation

    A. CCMP/AES encryption will add an extra 16 bytes of overhead to the body of an 802.11 data frame. Eight bytes are added by the CCMP header and 8 bytes are added by the MIC. WEP encryption will add an extra 8 bytes of overhead to the body of an 802.11 data frame. When TKIP is implemented, because of the extra overhead from the extended IV and the MIC, a total of 20 bytes of overhead is added to the body of an 802.11 data frame.

  15. A data integrity check known as message integrity code (MIC) is used by which of the following? (Choose all that apply.)

    A. WEP

    B. TKIP

    C. CCMP

    D. AES

    E. DES

    Answer explanation

    B, C. A stronger data integrity check known as a message integrity code (MIC), or by its common name, Michael, was introduced with TKIP to correct some of the weaknesses in WEP. CCMP also uses a MIC. AES and DES are encryption algorithms and are not concerned with message integrity.

  16. How does a RADIUS server communicate with an authenticator? (Choose all that apply.)

    A. UDP ports 1812 and 1813

    B. TCP ports 1645 and 1646

    C. Encrypted TLS tunnel

    D. Encrypted IPsec tunnel

    E. RADIUS IP packets

    F. EAPOL frames

    Answer explanation

    A, E. The RADIUS protocol uses UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting. These ports were officially assigned by the Internet Assigned Number Authority (IANA). However, prior to IANA allocation of UDP ports 1812 and 1813, the UDP ports of 1645 and 1646 (authentication and accounting, respectively) were used as the default ports by many RADIUS server vendors. TCP is not used. All Layer 2 EAP traffic sent between the RADIUS server and the authenticator is encapsulated in RADIUS IP packets. The encrypted TLS tunnel communications are between the supplicant and the authentication server. IPsec is not used.

  17. What must occur in order for dynamic TKIP/RC4 or CCMP/AES encryption keys to be generated? (Choose all that apply.)

    A. Shared Key authentication and 4-Way Handshake

    B. 802.1X/EAP authentication and 4-Way Handshake

    C. Open System authentication and 3-Way Handshake

    D. Open System authentication and 4-Way Handshake

    E. 802.1X/EAP authentication and 3-Way Handshake

    Answer explanation

    B, D. Open System and Shared Key authentication are legacy authentication methods that do not provide seeding material to generate dynamic encryption keys. However, a four-way Open System authentication must occur prior to the EAP exchange. A robust security network association requires a four-frame EAP exchange known as the 4-Way Handshake that is used to generate dynamic TKIP or CCMP keys.

  18. After viewing the frame capture in the graphic shown here, identify which type of security network is being used.

    2016121905.png

    A. Robust Security Network

    B. Rotund Security Network

    C. Transition Security Network

    D. WPA Security Network

    E. WPA

    Answer explanation

    C. The frame capture shows an RSN information element field that can be found in a management frame. The RSN information element shows that the group cipher that is being used is WEP. A transition security network (TSN) supports RSN-defined security as well as legacy security such as WEP within the same BSS. Within a TSN, some client stations will use RSNA security using TKIP/RC4 or CCMP/AES for encrypting unicast traffic. However, some legacy stations are still using static WEP keys for unicast encryption. All of the clients will use WEP encryption for the broadcast and multicast traffic. Because all the stations share a single group encryption key for broadcast and multicast traffic, the lowest common denominator must be used for the group cipher.

  19. 802.11w provides protection for which of the following types of frames? (Choose all that apply.)

    A. Unicast

    B. Broadcast

    C. Anycast

    D. Simulcast

    E. Multicast

    Answer explanation

    A, B, E. 802.11w provides protection for unicast, broadcast, and multicast management frames. These 802.11w frames are referred to as robust management frames. Anycast and simulcast frames do not exist.

  20. 802.11w Protected Management Frames was created to prevent which of the following types of attacks? (Choose all that apply.)

    A. Denial of service

    B. Deauthentication attack

    C. Disassociation attack

    D. Impersonation attack

    E. Bit-flipping attack

    Answer explanation

    A, B, C. 802.11w was developed to provide security for management frames. This prevents denial-of-service attacks, such as deauthentication attacks and disassociation attacks. It will not prevent bit-flipping attacks. Some impersonation attacks use denial of service prior to performing the impersonation; however, since some do not use DoS attacks, this answer is not always correct.

CH10 802.11n HT Analysis

CH11 Spectrum Analysis

CH12 Protocol Analyzer Operation and Troubleshooting