Monday, April 14, 2014

Wireless LAN, Stations and Access Points, Channels, WEP, Infrastructure and Ad Hoc Modes, Frames by gorvam saddar



2. Wireless LAN Overview
In this section, we give a brief overview of wireless LAN (WLAN) while emphasizing the features that help an attacker.  We assume that the reader is familiar with the TCP/IP suite (see, e.g., [Mateti 2003]).
IEEE 802.11 refers to a family of specifications (www.ieee802.org/11/) developed by the IEEE for the over-the-air interface between a wireless client and an AP or between two wireless clients. To be called 802.11 devices, they must conform to the Medium Access Control (MAC) and Physical Layer specifications. The IEEE 802.11 standard covers the Physical (Layer 1) and Data Link (Layer 2) layers of the OSI Model. In this article, we are mainly concerned with the MAC layer and not the variations of the physical layer known as 802.11a/b/g.
2.1 Stations and Access Points
A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.  An access point (AP) is a station that provides frame distribution service to stations associated with it.  The AP itself is typically connected by wire to a LAN.
The station and AP each contain a network interface that has a Media Access Control (MAC) address, just as wired network cards do. This address is a world-wide-unique 48-bit number, assigned to it at the time of manufacture. The 48-bit address is often represented as a string of six octets separated by colons (e.g., 00:02:2D:17:B9:E8) or hyphens (e.g., 00-02-2D-17-B9-E8). While the MAC address as assigned by the manufacturer is printed on the device, the address can be changed in software.
Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name.  The SSID is used to segment the airwaves for usage. If two wireless networks are physically close, the SSIDs label the respective networks, and allow the components of one network to ignore those of the other. SSIDs can also be mapped to virtual LANs; thus, some APs support multiple SSIDs.  Unlike fully qualified host names (e.g., gamma.cs.wright.edu), SSIDs are not registered, and it is possible that two unrelated networks use the same SSID. 
2.2 Channels
The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart.  Two wireless networks using neighboring channels may interfere with each other.
2.3 WEP
Wired Equivalent Privacy (WEP) is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts only the payload of data packets; management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm. The shared-secret key is either 40 or 104 bits long. The key is chosen by the system administrator. This key must be shared among all the stations and the AP using mechanisms that are not specified in IEEE 802.11.
2.4 Infrastructure and Ad Hoc Modes
A wireless network operates in one of two modes. In the ad hoc mode, each station is a peer to the other stations and communicates directly with other stations within the network.   No AP is involved.  All stations can send Beacon and Probe frames. The ad hoc mode stations form an Independent Basic Service Set (IBSS).
A station in the infrastructure mode communicates only with an AP. Basic Service Set (BSS) is a set of stations that are logically associated with each other and controlled by a single AP. Together they operate as a fully connected wireless network.  The BSSID is a 48-bit number of the same format as a MAC address. This field uniquely identifies each BSS. The value of this field is the MAC address of the AP.
2.5 Frames
Both the station and AP radiate and gather 802.11 frames as needed.  The format of frames is illustrated below. Most of the frames contain IP packets.  The other frames are for the management and control of the wireless connection.

[Figure 1: An IEEE 802.11 Frame (image: http://cecs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks_files/image002.jpg)]
There are three classes of frames. The management frames establish and maintain communications. They are of the following types: Association request, Association response, Reassociation request, Reassociation response, Probe request, Probe response, Beacon, Announcement traffic indication message (ATIM), Disassociation, Authentication, and Deauthentication. The SSID is part of several of the management frames. Management messages are always sent in the clear, even when link encryption (WEP or WPA) is used, so the SSID is visible to anyone who can intercept these frames.
The control frames help in the delivery of data.
The data frames encapsulate the OSI Network Layer packets.  These contain the source and destination MAC address, the BSSID, and the TCP/IP datagram.  The payload part of the datagram is WEP-encrypted.
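The following parser is an added example (not part of the original article) that ties together the MAC header, the BSSID address rules of section 2.4 and the frame classes of section 2.5: it reads the Frame Control field, classifies a frame as management, control or data, recovers the BSSID from the right address slot, reports whether the Protected (WEP/WPA) bit is set, and pulls the SSID out of a beacon's tagged parameters. The sample beacon and data frames are constructed by hand; the AP address reuses the article's 00:02:2D:17:B9:E8.

```python
# Minimal IEEE 802.11 MAC header parser (added example; constructed sample frames).
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 9: "ATIM", 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}
BROADCAST = bytes.fromhex("ffffffffffff")

def mac_str(b):
    """Render a 6-octet MAC address as colon-separated hex, as in the article."""
    return ":".join(f"{x:02X}" for x in b)

def parse_ssid(ies):
    """Walk the tag/length/value list of a beacon or probe response; element ID 0 is the SSID."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        if tag == 0:
            return ies[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None

def parse_frame(frame):
    fc, flags = frame[0], frame[1]                    # Frame Control: two octets
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    addrs = [frame[4:10], frame[10:16], frame[16:22]]  # 24-byte header: FC, duration, 3 addrs, seq
    info = {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
            "protected": bool(flags & 0x40)}           # Protected Frame bit (WEP/WPA payload)
    if ftype == 0:                                     # management: addr3 is the BSSID
        info["name"] = MGMT_SUBTYPES.get(subtype, "unknown")
        info["bssid"] = mac_str(addrs[2])
        if subtype in (5, 8):                          # probe response / beacon carry the SSID
            info["ssid"] = parse_ssid(frame[36:])      # skip 12 bytes of fixed fields
    elif ftype == 2:                                   # data: BSSID slot depends on To/From DS
        if to_ds and from_ds:
            info["bssid"] = None                       # 4-address (WDS) frame, no BSSID here
        else:
            info["bssid"] = mac_str(addrs[0] if to_ds else addrs[1] if from_ds else addrs[2])
    return info

# Constructed samples: a beacon from the AP announcing SSID "mylan" on channel 6, and a
# WEP-protected data frame sent by a station toward the AP (To-DS=1, Protected=1).
AP = bytes.fromhex("00022D17B9E8")
BEACON = (bytes([0x80, 0x00, 0x00, 0x00]) + BROADCAST + AP + AP + bytes([0x00, 0x00])
          + bytes(8) + (100).to_bytes(2, "little") + bytes([0x11, 0x00])  # timestamp, interval, caps
          + bytes([0, 5]) + b"mylan" + bytes([3, 1, 6]))                   # SSID IE, DS parameter IE
DATA = (bytes([0x08, 0x41, 0x00, 0x00]) + AP + bytes.fromhex("001122334455")
        + bytes.fromhex("66778899AABB") + bytes([0x10, 0x00]))

if __name__ == "__main__":
    print(parse_frame(BEACON))
    print(parse_frame(DATA))
```

Because the SSID and BSSID come out of an unencrypted beacon while only the data frame carries the Protected bit, running the parser over a capture shows concretely which fields WEP never hides.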
