WLAN Infrastructure
Wireless Data Networks (chart of coverage area vs. data rate; recovered labels only): coverage axis from local to wide area; data-rate axis 9.6 Kbps, 19.6 Kbps, 56 Kbps, 1 Mbps, 54 Mbps. Technologies plotted: Broadband PCS, Metricom, satellite, spread spectrum wireless LANs, circuit and packet data (cellular, CDPD, RAM, ARDIS), narrowband PCS, infrared wireless LANs, narrow band wireless LANs; products: 54 Mbps.
License Free ISM Band (spectrum chart; recovered labels only): bands from extremely low through very low, medium, high, very high, ultra high and super high frequency to infrared, visible light, ultraviolet and X-rays, with audio, AM broadcast, short wave radio, FM broadcast and television marked. Wireless LAN allocations shown: infrared wireless LAN; cellular (840 MHz); NPCS (1.9 GHz); a 26 MHz wide band (older product); 5 GHz (IEEE 802.11a, HyperLAN, HyperLAN2: future technology); 2.4 GHz, 83.5 MHz wide (IEEE 802.11b: current product). Notes: Very little spectrum is for unlicensed use.
802.11b Channels
- Spectrum: 83 MHz
- Channels: three 22 MHz stationary channels; only 3 non-overlapping
- Speeds: 1, 2, 5.5 and 11 Mbps data rate
Coverage (diagram): DSSS data rate zones at 1, 2, 5.5 and 11 Mbps.
Bandwidth: Blue = 11 Mb, Green = 11 Mb, Red = 11 Mb; total bandwidth = 33 Mb
Site Survey Channel Mapping (diagram): cells assigned channels 1, 6 and 11 in a repeating pattern.
Site Survey Bandwidth Layout (diagram): 2 Mbps, 5.5 Mbps and 11 Mbps zones.
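The channel arithmetic behind the 1/6/11 site-survey pattern, as an added example that is not part of the original slides: it derives the non-overlapping set from the 5 MHz spacing and 22 MHz width of US 802.11b channels and checks a constructed survey map for adjacent cells whose channels collide.

```python
"""802.11b channel-overlap check for a site-survey channel map (added example,
not from the slides). US 802.11b channels 1..11 are spaced 5 MHz apart and are
22 MHz wide, so two channels interfere unless their centres are at least 22 MHz
apart; that is why only channels 1, 6 and 11 can be reused side by side."""
CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5

def centre_mhz(channel: int) -> int:
    """Centre frequency of a US 802.11b channel (1..11)."""
    if not 1 <= channel <= 11:
        raise ValueError(f"channel {channel} is outside the US range 1..11")
    return 2407 + CHANNEL_SPACING_MHZ * channel

def overlap(a: int, b: int) -> bool:
    """True when the two channels' 22 MHz passbands intersect."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_set(channels=range(1, 12)) -> list:
    """Greedy pick of mutually non-overlapping channels, lowest first."""
    chosen = []
    for ch in channels:
        if not any(overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def colliding_neighbours(grid: list) -> list:
    """List ((row, col), (row, col), ch_a, ch_b) for every horizontally or
    vertically adjacent pair of cells whose channels overlap. Diagonal
    neighbours are not checked."""
    bad = []
    rows, cols = len(grid), len(grid[0])
    for r in range(rows):
        for c in range(cols):
            for r2, c2 in ((r, c + 1), (r + 1, c)):
                if r2 < rows and c2 < cols and overlap(grid[r][c], grid[r2][c2]):
                    bad.append(((r, c), (r2, c2), grid[r][c], grid[r2][c2]))
    return bad

# Constructed survey maps: one laid out correctly, one with a mistake.
GOOD_MAP = [[1, 6, 11],
            [11, 1, 6],
            [6, 11, 1]]
BAD_MAP = [[1, 6, 11],
           [1, 6, 11],      # same channels directly below: three collisions
           [6, 11, 1]]

if __name__ == "__main__":
    print("non-overlapping set:", non_overlapping_set(), "->", 11 * len(non_overlapping_set()), "Mb total")
    print("bad map collisions:", colliding_neighbours(BAD_MAP))
```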
30 mW Cell Size Comparison
30 milli-Watt client and access point range capabilities:
- 11 Mbps DSSS: feet radius
- 5.5 Mbps DSSS: feet radius
- 2 Mbps DSSS: feet radius
Cell Size Comparison, Cont.
- Full antenna power (30 mW): 3 access points
- Reduced antenna power (5 mW): 18 access points; fewer users per access point
Antennas
- Antennas extend range by changing the shape of the signal
- Different applications call for different antennas
- Measurements given in “gain” (dBi)
- Cable type/length greatly affects “gain”
Antennas, Cont. (campus coverage map; recovered labels only)
- Maximum coverage, autorate negotiation, wireless for students
- Dipole antennas indoor, patch antennas outdoor
- AP’s on isolated LAN with PIX
- Map labels: Class 1, Class 2, Class 3, Class 4, Class 8, Class 9, Class 10, Class 11; Hallway 1000’, 850’; Building Courtyard 1000’
Antennas, Cont. (second coverage map; recovered labels only)
- Maximum coverage, autorate negotiation
- Cabling only available at store front
- Yagi antennas and dipole
- Map labels: 2000’, 850’
Products Evolving
- Better radios: better reception, improved bandwidth
- Better management
- Easier to deploy (in-line power)
- More security
- New standards
Inline Power
100 mW Cell Size Comparison
100 milli-Watt client and access point range capabilities:
- 11 Mbps DSSS: feet radius
- 5.5 Mbps DSSS: feet radius
- 2 Mbps DSSS: feet radius
802.11a (fall?)
- Spectrum (US*): 50 mW from – GHz; 250 mW from GHz; 1 W from – GHz
- Speeds: 6, 12 and 24 Mbps for compliance; 54 Mbps+ expected
- Channels: 20 MHz channels
- Vendors?
Wired or Wireless…
- Wireless pilots encouraged, but would not invest heavily – technology changing
- Wireless is not a replacement for wired networks at this time
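The link-budget arithmetic behind the 30 mW and 100 mW cell-size slides and the antenna notes on gain and cable loss, as an added example that is not part of the original slides: it shows why cutting power from 30 mW to 5 mW takes the AP count from 3 to 18 under free-space propagation, and how the concentric rate rings follow from per-rate receiver sensitivity. The sensitivity values, the 2.2 dBi dipole gain and the indoor path-loss exponent of 3.5 are assumptions, not vendor or survey data.

```python
"""Link-budget arithmetic behind the 30 mW and 100 mW cell-size slides and the
antenna notes (added example, not from the slides). A log-distance path-loss
model is used: n = 2 is free space, indoor offices are typically 3 to 4. The
receiver sensitivities are constructed values, not vendor data."""
import math

def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)

def eirp_dbm(tx_mw: float, antenna_gain_dbi: float, cable_loss_db: float) -> float:
    """Radiated power: transmitter + antenna gain - loss in the cable run."""
    return mw_to_dbm(tx_mw) + antenna_gain_dbi - cable_loss_db

def path_loss_db(distance_m: float, freq_mhz: float, n: float = 2.0) -> float:
    """Free-space loss at 1 m plus 10*n*log10(d); d in metres, f in MHz."""
    pl_1m = 20 * math.log10(freq_mhz) - 27.55
    return pl_1m + 10 * n * math.log10(distance_m)

def max_range_m(eirp: float, rx_gain_dbi: float, rx_sensitivity_dbm: float,
                freq_mhz: float = 2437.0, n: float = 2.0) -> float:
    """Largest distance at which the received signal still meets sensitivity."""
    budget_db = eirp + rx_gain_dbi - rx_sensitivity_dbm
    pl_1m = 20 * math.log10(freq_mhz) - 27.55
    return 10 ** ((budget_db - pl_1m) / (10 * n))

def ap_count_for_power(base_aps: int, base_mw: float, new_mw: float,
                       n: float = 2.0) -> int:
    """APs needed to cover the same floor after changing transmit power:
    radius scales as P**(1/n), so covered area scales as P**(2/n)."""
    return round(base_aps * (base_mw / new_mw) ** (2.0 / n))

# Constructed 802.11b receiver sensitivity (dBm) per DSSS rate.
SENSITIVITY_DBM = {11.0: -82, 5.5: -85, 2.0: -89, 1.0: -92}

def rate_radii_m(tx_mw: float, gain_dbi: float = 2.2, cable_loss_db: float = 0.0,
                 n: float = 3.5) -> dict:
    """Cell radius per data rate: the concentric rings of the coverage slide.
    Default n = 3.5 is an assumed indoor exponent; 2.2 dBi is a typical dipole."""
    e = eirp_dbm(tx_mw, gain_dbi, cable_loss_db)
    return {rate: round(max_range_m(e, gain_dbi, sens, n=n), 1)
            for rate, sens in SENSITIVITY_DBM.items()}

if __name__ == "__main__":
    print("30 mW =", round(mw_to_dbm(30), 2), "dBm")                        # 14.77
    print("3 APs at 30 mW ->", ap_count_for_power(3, 30, 5), "APs at 5 mW")  # 18
    print("30 mW cell radii (m):", rate_radii_m(30))
    print("100 mW cell radii (m):", rate_radii_m(100))
```

With an indoor exponent the same power cut buys far fewer extra cells than the free-space figure, which is the caveat to keep in mind when reading the 3-to-18 comparison.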
Some Problems
Interference potential (diagram): 802.11b alongside other frequency hopping devices: Bluetooth, HomeRF, cordless phone.
Problems with just plugging it in (diagram: Building A, Building B)
–Colliding channel allocations?
–How to implement authentication (WEP)?
–Coordination between autonomous departments?
–Interference with other devices?
–On different subnets?
–Different access policies?
–Dueling access points?
–Signal leakage between buildings?
–Building codes?
You are not in control.
Wireless Networks are Public
- Public networks will be designed, installed, and managed by TIS on department’s behalf (and on department’s funding)
- Public networks must be authenticated
- Installation will be professional, following UT building codes and practices
- Spectrum will be allocated/adjudicated by TIS
- Public interest will be considered over private interest in wireless conflicts
- There are always exceptions
Which Vendor?
Authentication
Authentication Schemes
SSIDs (Service Set Identifiers)
–Broadcast in clear by unit and clients. Anyone can hear and insert.
WEP (Wired Equivalent Privacy)
–Uses RC4; problems with exchanging keys. Either sent in clear or must be manually configured and then exposed on client.
MAC (hardware address restrictions)
–Restrict based on Ethernet hardware address. Hard to manage across all access points. Any card can pretend to be any MAC address.
Authentication Schemes, Cont.
UTEID (home grown)
–UT’s home grown digitally signed fat cookie application. Doesn’t provide encryption, but doesn’t require any custom software and is compatible with all OSes.
802.1X / EAP / LEAP
–Extensible Authentication Protocol, Lightweight Extensible Authentication Protocol
–Solves authentication and key distribution problem. Evolving standard and isn’t supported on some OSes. LEAP doesn’t use the same secured mechanisms as EAP-TLS.
VPN (Virtual Private Network)
–Requires client software. All traffic has to go to VPN gateway and back, which obviates local routing/switching.
SSID
- Broadcast in clear by AP and client; anyone can add it to their client
- Must be manually configured on all clients
- Provides no encryption of signals
- Provides no user authentication/accounting
WEP
+ Provides some encryption (still vulnerable to the same attacks as wired networks, à la dsniff)
- Uses shared key which is exposed to other clients
- Key must be manually configured on all clients (or sent in clear)
- Has various crypto defects
- Provides no user authentication/accounting
MAC
- Requires obtaining hardware addresses of all clients
- MAC address can be duplicated by any client
- Must be maintained on all APs (not scalable)
- Provides no encryption
- Provides no user authentication/accounting
UT EID
+ Provides user authentication utilizing well known mechanism (already in use on wired ports)
+ Requires no additional software and is available on all platforms
- Funnels all traffic through central gateway, which obviates local switching/routing
- No encryption provided
- Home grown – unclear how to integrate with new offerings
802.1x/EAP Authentication
EAP over LAN (sequence diagram): laptop computer, 802.1X authenticator/bridge, RADIUS server. EAPOL runs between laptop and authenticator; RADIUS runs between authenticator and server.
1. Port connect; access blocked
2. Laptop -> authenticator: EAPOL-Start
3. Authenticator -> laptop: EAP-Request/Identity
4. Laptop -> authenticator: EAP-Response/Identity; authenticator -> server: Radius-Access-Request
5. Server -> authenticator: Radius-Access-Challenge; authenticator -> laptop: EAP-Request
6. Laptop -> authenticator: EAP-Response (cred); authenticator -> server: Radius-Access-Request
7. Server -> authenticator: Radius-Access-Accept; authenticator -> laptop: EAP-Success
8. Access allowed
EAP over Wireless Ethernet (sequence diagram): laptop computer, access point, RADIUS server. EAPOW runs between laptop and access point; RADIUS runs between access point and server.
1. Wireless associate; association; access blocked
2. Laptop -> AP: EAPOL-Start
3. AP -> laptop: EAP-Request/Identity
4. Laptop -> AP: EAP-Response/Identity; AP -> server: Radius-Access-Request
5. Server -> AP: Radius-Access-Challenge; AP -> laptop: EAP-Request
6. Laptop -> AP: EAP-Response (cred); AP -> server: Radius-Access-Request
7. Server -> AP: Radius-Access-Accept; AP -> laptop: EAP-Success
8. AP -> laptop: EAPOW-Key (WEP); access allowed
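The two exchanges above as runnable code, an added example that is not part of the original slides: the authenticator only relays EAP and keeps its controlled port blocked until RADIUS returns Access-Accept, then hands the client the key (the EAPOW-Key step). The credential check is a constructed HMAC challenge-response standing in for a real EAP method, and the user secrets are constructed.

```python
"""Simplified 802.1X/EAP-over-RADIUS exchange (added example, not from the slides).
The authenticator (AP or 802.1X bridge) only relays EAP and keeps the controlled
port blocked until RADIUS answers Access-Accept. The credential check is a
constructed HMAC challenge-response standing in for a real EAP method."""
import hashlib, hmac, secrets

class RadiusServer:
    def __init__(self, users):
        self.users = users                  # identity -> shared secret (constructed)
        self.pending = {}                   # identity -> outstanding challenge
    def access_request(self, identity, response=None):
        """Return (RADIUS code, payload); payload is a challenge or a session key."""
        secret = self.users.get(identity)
        if secret is not None and response is None:   # first request: identity only
            self.pending[identity] = secrets.token_bytes(16)
            return "Access-Challenge", self.pending[identity]
        chal = self.pending.pop(identity, None) if secret else None
        if chal and hmac.compare_digest(hmac.new(secret, chal, hashlib.sha256).digest(), response):
            return "Access-Accept", hmac.new(secret, b"key" + chal, hashlib.sha256).digest()
        return "Access-Reject", None        # unknown user, no challenge outstanding, or bad proof

class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
    def respond(self, challenge):           # proof of the credential for EAP-Response (cred)
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Authenticator:
    def __init__(self, radius):
        self.radius, self.port_open, self.log = radius, False, []
    def authenticate(self, supplicant):
        self.log += ["EAPOL-Start", "EAP-Request/Identity", "EAP-Response/Identity"]
        code, payload = self.radius.access_request(supplicant.identity)
        self.log.append("Radius-" + code)
        if code == "Access-Challenge":
            self.log += ["EAP-Request", "EAP-Response (cred)"]
            code, payload = self.radius.access_request(supplicant.identity,
                                                       supplicant.respond(payload))
            self.log.append("Radius-" + code)
        if code == "Access-Accept":
            self.port_open = True           # controlled port now passes data frames
            self.log += ["EAP-Success", "EAPOW-Key"]
            return payload                  # key the AP pushes to the client (WEP key on the slide)
        self.log.append("EAP-Failure")      # port stays blocked
        return None
    def forward(self, frame):               # data frames are dropped while the port is blocked
        return frame if self.port_open else None
```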
Future EAP Client Work?
- Microsoft placing EAP native supplicant in Win2K, WinCE
- What about other Microsoft OSes? Win9x/WinNT (need LEAP)
- What about other OSes? Linux, MacOS (need LEAP)
Change AP Association: roaming from Access Point A to Access Point B
Steps to re-association:
1. Adapter listens for beacons from APs.
2. Adapter evaluates AP beacons, selects best AP.
3. Adapter sends association request to selected AP (B).
4. AP B confirms association and registers adapter.
5. AP B informs AP A of re-association with AP B.
6. AP A forwards buffered packets to AP B and de-registers adapter.
802.1X/EAP/LEAP
+ Provides user authentication/accounting in scalable manner
+ Provides encryption (still vulnerable to the same attacks as wired networks, à la dsniff)
- Evolving standard
- Requires client software not extant on all platforms
- Network equipment more likely to be proprietary
- Will require inve$tment in new authentication infrastructure
- LEAP doesn’t support same encryption features
VPN
+ Provides user authentication
+ Provides encryption
- Requires software on all clients
- Funnels all traffic through VPN gateway, which obviates local switching/routing
- Dedicated expen$ive VPN gateway hardware needed at high traffic rates, and new authentication infrastructure
What about other devices? Handheld?
- EAP (Extensible Authentication Protocol)
- VPN (IPsec)
- PPP (PPTP, PPPoE)
- LEAP (Lightweight Extensible Authentication Protocol): card drivers, only one-time user/password authentication
We don’t decide…
- UTEID: already deployed
- Could transition to VPN from UTEID easily or run in parallel
- 802.1x would mean flag day for any mechanism and isn’t ready for deployment
- …see what the industry decides
Multicast Applications
- Multicast support is in WLAN infrastructure
- Multicast has problems when clients roam
–Router/L2 switch is unaware of client move
–Router/switch still sends multicast stream to original AP
–Multicast stream terminated when router/L2 switch times out due to non-response to multicast query
–No IGMP Leave is sent by AP or client
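The multicast roaming problem modelled as a small simulation, an added example that is not part of the original slides: an IGMP-snooping switch keeps streaming to the old AP's port until its membership timer expires, and the roamed client sees nothing on the new AP until it re-reports there. The timer values, port numbers and group address are constructed.

```python
"""Model of the multicast-roaming problem above (added example, not from the
slides). An IGMP-snooping L2 switch keeps forwarding state per (group, port)
until the membership timer expires. Neither the AP nor the roaming client sends
an IGMP Leave, so the stream keeps flowing to the old AP's port and the client
on the new AP gets nothing until it answers a query (re-reports) on the new port."""

class SnoopingSwitch:
    def __init__(self, membership_timeout: int):
        self.timeout = membership_timeout
        self.members = {}                  # (group, port) -> ticks left before expiry

    def report(self, group: str, port: int) -> None:
        """IGMP Membership Report heard on a port (re)starts its timer."""
        self.members[(group, port)] = self.timeout

    def leave(self, group: str, port: int) -> None:
        """IGMP Leave: the message nobody sends in the slide's roaming scenario."""
        self.members.pop((group, port), None)

    def tick(self) -> None:
        """One timer interval: expire entries that received no report."""
        for key in list(self.members):
            self.members[key] -= 1
            if self.members[key] <= 0:
                del self.members[key]

    def forward_ports(self, group: str) -> list:
        return sorted(p for (g, p) in self.members if g == group)

def simulate_roam(timeout=3, roam_at=2, total=8, rejoin_at=None):
    """Client joins the group via AP A (port 1) and roams to AP B (port 2) at tick
    roam_at without a Leave. Returns (tick, ports streamed to, client receives)
    per tick; rejoin_at is the tick at which the client re-reports on the new AP."""
    sw = SnoopingSwitch(timeout)
    group, port_a, port_b = "239.1.1.1", 1, 2        # constructed group address
    sw.report(group, port_a)
    client_port, trace = port_a, []
    for t in range(total):
        if t == roam_at:
            client_port = port_b                       # re-association only; no IGMP
        if rejoin_at is not None and t == rejoin_at:
            sw.report(group, client_port)              # answer to a query on the new AP
        ports = sw.forward_ports(group)
        trace.append((t, ports, client_port in ports))
        sw.tick()
    return trace

if __name__ == "__main__":
    for row in simulate_roam():
        print(row)           # stream stays on port 1 after the roam, then dies
```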