TCP007: IEEE 802.11(WI-FI) 

Wi-Fi is based on the IEEE 802.11 standard, which is essentially the wireless version of Ethernet, allowing devices to communicate over radio waves instead of physical cables.

It provides inexpensive and convenient Internet access for a wide range of devices, including laptops, smartphones, tablets, and IoT devices like smart thermostats, cameras, and wearable gadgets.

Wi-Fi is ubiquitous in both public and private environments. You’ll commonly find it in coffee shops, airports, hotels, libraries, and classrooms, and it’s widely deployed in homes and enterprise networks for seamless connectivity.

📊 Key Components

• Access Points (APs): Devices that broadcast the Wi-Fi signal and allow wireless devices to connect to the network.

• Wireless Clients: Devices like laptops, smartphones, and IoT gadgets that connect to Wi-Fi networks.

• Wireless Controller (optional in enterprise networks): Manages multiple APs, optimizes coverage, and handles roaming between APs.

• SSID (Service Set Identifier): The network name that devices see and connect to.

• Security Protocols: WPA3, WPA2, and other encryption methods that protect data on wireless networks.

⚡ Modes of Operation

Infrastructure Mode

• The most common mode of Wi-Fi operation.

• Access Points (APs) connect stations (STAs) to a Distribution System (DS), usually a wired network backbone.

• Provides Internet access, centralized management, and coordinated communication between multiple devices.

Ad Hoc Mode (IBSS – Independent Basic Service Set)

• Operates without an AP or DS.

• Devices communicate directly peer-to-peer, forming a temporary network.

• Ideal for small or short-term networks, such as file sharing between laptops in a meeting.

 ✅ Key Takeaway

Wi-Fi (IEEE 802.11) networks are built from stations (STAs) organized into Basic Service Sets (BSSs):

• With APs and a DS → they form an Extended Service Set (ESS), identified by an ESSID (the Wi-Fi network name you connect to).

• Without APs → they form an IBSS (ad hoc network).

This flexible architecture makes Wi-Fi easy to deploy in homes, enterprises, and public hotspots, supporting both centralized and peer-to-peer communication seamlessly.

IEEE 802.11 FRAMES (WI-FI)

All IEEE 802.11 networks share a common overall frame structure, but not all frames look the same. 

Different frame types include different fields, depending on what the frame is trying to do.

At a high level, 802.11 frames serve three distinct purposes:

• Managing the wireless network

• Controlling access to the shared medium

• Carrying user data

I. High-Level Frame Structure

An 802.11 transmission consists of three major parts:

1. Preamble

2. PLCP Header

3. MAC Protocol Data Unit (MPDU)

Only the MPDU is comparable to an Ethernet frame; the preamble and PLCP header exist to support wireless transmission.

II. Preamble

The preamble is used for:

• Synchronization

• Signal detection

• Timing recovery

The exact preamble format depends on the specific 802.11 variant (a/b/g/n/ac/etc.).

III. PLCP Header

The Physical Layer Convergence Procedure (PLCP) header provides PHY-related information in a mostly PHY-independent way.

Key characteristics:

• Usually transmitted at a lower data rate

• Improves reliability (lower rates tolerate noise better)

• Ensures compatibility with legacy devices

• Helps protect transmissions from interference

This is one reason Wi-Fi networks slow down when older devices are present.

IV. MAC PDU (MPDU)

The MPDU is the MAC-layer frame and is conceptually similar to an Ethernet frame, but with additional complexity.

Reasons for extra fields:

• Wireless medium is shared and unreliable

• Stations may move

• Frames may traverse an access point and a distribution system (DS)

• QoS and aggregation features must be supported

V. Frame Control and Frame Types

At the start of every MPDU is the Frame Control field.

This field includes a 2-bit Type subfield, which determines the frame’s purpose.

There are three main frame types:

1. Management frames

2. Control frames

3. Data frames

Each type has multiple subtypes, which define the exact format and behavior of the frame.

VI. Management Frames

Management frames are responsible for creating, maintaining, and terminating relationships between stations and access points.

They handle:

• Discovery of networks

• Association and disassociation

• Authentication

• Capability exchange

Without management frames, Wi-Fi simply cannot function.

VII. What Management Frames Carry

Management frames convey information such as:

• Network name (SSID / ESSID)

• Supported transmission rates

• Security capabilities (encryption, authentication)

• Timing information for synchronization

• Power-saving parameters

These frames are essential during network discovery and association.

Before a station can join a Wi-Fi network, it must scan for available access points.

There are two scanning methods:

I. Passive Scanning

The station listens on each channel

Access points periodically broadcast beacon frames

Beacons advertise:

• SSID

• Capabilities

• Timing information

This method is quiet and safe but slower.

II. Active Scanning

• The station sends a probe request management frame

• Access points respond with probe responses

• Faster discovery, but more traffic

Active probing is regulated to ensure Wi-Fi devices do not interfere with non-802.11 systems
(e.g., medical or radar equipment).

EXAMPLE: MANUAL SCAN ON LINUX

A scan can be triggered manually on Linux:

The output reveals discovered access points and their properties, including:

• MAC address of the AP

• Operating mode (e.g., infrastructure / master)

• ESSID

• Channel and frequency

• Signal quality and strength

• Supported bit rates

• Encryption and authentication methods

• Time synchronization information (TSF)

I. Interpreting Scan Results (Conceptually)

From scan output, a station learns:

• Which networks exist

• How well they can be received

• What security mechanisms are required

• What data rates are supported

The TSF (Timing Synchronization Function) value provides the AP’s notion of time, which is used for:

• Coordinating transmissions

• Supporting power-saving modes

Association and Access Control

Once a network is discovered:

• A station may attempt to associate with the access point

• After association, additional configuration (e.g., IP setup) is usually performed

Some access points:

• Broadcast their SSID openly

• Others hide the SSID as a weak deterrent

Hiding the SSID provides minimal security, since it can be inferred or guessed.

Real security comes from:

• Encryption

• Authentication

• Strong credentials

These mechanisms are discussed in later sections.

Big Picture Takeaway

802.11 frames are more complex than Ethernet frames because Wi-Fi must handle:

• Mobility

• Interference

• Shared medium access

• Network discovery

• Security negotiation

The division into management, control, and data frames reflects this reality.

Understanding management frames and scanning explains:

• How devices find networks

• How they decide whether to join

• Why Wi-Fi behaves the way it does in crowded environments

Unlike wired Ethernet, Wi-Fi operates over a shared, unreliable medium. 

Stations cannot always hear each other, interference is common, and collisions are harder to detect. 

To cope with this, 802.11 uses control frames to coordinate access to the channel and ensure reliable delivery.

The two most important control mechanisms are:

1. RTS/CTS (Request to Send / Clear to Send) — flow control and collision avoidance

2. ACKs (Acknowledgments) — reliable delivery and retransmission

I. Why Control Frames Are Needed in Wi-Fi

In wired Ethernet, a lack of collision usually implies successful delivery.

In wireless networks:

Frames can be lost due to:

• Interference

•  Weak signal strength

•  Hidden terminals

•  Noise and fading

Because of this, Wi-Fi must explicitly coordinate transmissions and confirm successful reception.

II. RTS/CTS: Coordinated Access to the Medium

RTS/CTS is an optional mechanism used to moderate transmissions and avoid collisions.

How RTS/CTS Works

Before sending a data frame:

1. The sender transmits an RTS (Request to Send) frame

2. If the receiver is ready, it replies with a CTS (Clear to Send) frame

3. The CTS specifies a time window during which the sender may transmit

4. The sender transmits one or more data frames

5. ach successful transmission is acknowledged

This exchange reserves the wireless channel temporarily, preventing interference.

III. Solving the Hidden Terminal Problem

The hidden terminal problem occurs when:

• Two stations cannot hear each other

• Both can hear the access point

• Both transmit simultaneously, causing a collision at the AP

RTS/CTS helps by:

• Broadcasting transmission intent

• Informing all nearby stations when they must remain silent

• Preventing simultaneous transmissions from hidden nodes

Because RTS and CTS frames are short, they waste much less airtime than losing large data frames to collisions.

IV. When RTS/CTS Is Used

RTS/CTS is typically enabled only for large frames.

• Access points use a packet size (RTS) threshold

• Frames larger than the threshold trigger an RTS/CTS exchange

• Default thresholds are often around 500 bytes

This balances:

• Reduced collision cost for large frames

• Avoiding unnecessary overhead for small frames

Configuring RTS/CTS (Linux Example)

On Linux, the RTS threshold can be configured with:

Lower values:

• More RTS/CTS exchanges

• More overhead

• Fewer collisions

Higher values:

• Less overhead

• Higher collision risk

In small, well-contained WLANs where hidden terminals are unlikely, RTS/CTS can often be disabled by setting the threshold very high (e.g., ≥1500 bytes).

V. ACKs: Reliable Delivery in Wi-Fi

Because wireless delivery is unreliable, 802.11 uses explicit acknowledgments.

How ACKs Work

• Every unicast frame requires an ACK

• The receiver sends an ACK after successful reception

• If the sender does not receive an ACK within a timeout, the frame is retransmitted

This applies to:

• Individual frames (802.11a/b/g)

• Groups of frames using block ACKs (802.11n, 802.11e)

Why Broadcast and Multicast Frames Are Different

Broadcast and multicast frames do not use ACKs.

Reason:

• Multiple receivers would respond

• This would cause ACK implosion

Instead, these frames are sent without confirmation and may be lost.

VI. Retransmissions and Duplicate Frames

With retransmissions, duplicate frames can occur.

To handle this:

Retransmitted frames have the Retry bit set in the Frame Control field

Receivers maintain a small cache of recently seen frames

Frames with duplicate:

• Source address

• Sequence number

• Fragment number are discarded

This ensures reliability without delivering duplicates to higher layers.

VII. Timing, Distance, and ACK Timeouts

The time allowed for receiving an ACK depends on:

• Distance between stations. 

• Slot time, a basic timing unit of the 802.11 MAC.

• For typical home and office networks, default values are sufficient.

For long-distance Wi-Fi links:

• ACK timeout and slot time may need adjustment

• Otherwise, valid ACKs may arrive too late and be misinterpreted as lost

VIII. Practical Insight

RTS/CTS and ACKs represent a classic engineering tradeoff:

• More control → more overhead

• Less control → more collisions and retransmissions

Modern Wi-Fi uses:

• RTS/CTS selectively

• Block ACKs for efficiency

• Adaptive retransmission strategies

IX. Big Picture Takeaway

Control frames are what make Wi-Fi work in the real world.

• RTS/CTS reduces collisions and handles hidden terminals

• ACKs provide reliability over an unreliable medium

• Together, they turn a noisy shared channel into a usable network

Ethernet assumes reliability. Wi-Fi has to earn it.

Most common frame type on Wi-Fi networks (IEEE 802.11).

Used to carry actual user data (web traffic, email, video, etc.).

Carry payloads for higher-layer protocols such as IP, TCP, UDP.

There is typically a one-to-one mapping between an 802.11 data frame and an LLC frame, meaning each logical network-layer packet is usually encapsulated inside one Wi-Fi frame.

Data frames are responsible for transporting information between devices (stations and access points).

📊 Fragmentation

Fragmentation is a reliability mechanism in 802.11.

Purpose → Split a large frame into smaller pieces (fragments) before transmission.

Each fragment includes:

• Its own MAC header (addressing + control info).

• Its own CRC (FCS) trailer for error detection.

Sequence Control field contains:

• 12-bit sequence number (identifies the original frame).

• 4-bit fragment number (identifies fragment order).

Maximum of 15 fragments per original frame.

More Frag bit → indicates whether additional fragments follow.

The destination device buffers and reassembles fragments in the correct order before passing the data up the stack.

✅ Benefits of Fragmentation

Improves reliability in noisy channels (high Bit Error Rate, BER).

Smaller frames are statistically less likely to contain errors.

If an error occurs, only the corrupted fragment must be retransmitted, not the entire large frame.

Example:

❌ Drawbacks of Fragmentation

Adds overhead:

1. Extra MAC headers

2. Extra CRC fields:

• Too much fragmentation increases total airtime usage.

• Requires tuning (fragmentation threshold setting).

• Poor configuration can reduce performance instead of improving it.

Typically disabled by default (set to high thresholds) in modern Wi-Fi because modern PHY layers already include strong error correction.

📊 Aggregation (Introduced in 802.11n and later)

Aggregation was introduced to improve efficiency, especially for high-speed Wi-Fi standards.

Instead of breaking frames into smaller pieces (like fragmentation), aggregation combines multiple frames into a larger transmission unit to reduce overhead.

🧩 A-MSDU (Aggregated MAC Service Data Unit)

How it works → Multiple Ethernet (802.3) frames are packed into a single 802.11 frame.

Uses:

• One MAC header

• One FCS (CRC) for the entire aggregate

Efficiency gains →

• Ethernet header ≈ 14 bytes

• 802.11 MAC header can be up to 36 bytes

• Aggregation avoids repeating the larger 802.11 header multiple times.

Maximum size → Up to 7935 bytes total aggregate.

Best suited for →

• Clean, low-error environments

• Many small packets (e.g., VoIP, web browsing traffic)

Drawback →

If any part of the aggregate is corrupted, the entire A-MSDU must be retransmitted, because only one FCS protects the whole frame.

🧩 A-MPDU (Aggregated MAC Protocol Data Unit)

How it works → Multiple full 802.11 frames (MPDUs) are transmitted together in rapid succession as one transmission burst.

✅ Structure:

In this structure, each subframe contains its own MAC header, allowing it to be individually identified and processed. Additionally, every subframe includes its own Frame Check Sequence (FCS) to ensure error detection. 

The subframes are separated by delimiters, which clearly mark the boundaries between them and help the receiving device distinguish one subframe from another.

Efficiency →

• Each MPDU can be up to 4095 bytes

• Up to 64 MPDUs per aggregate

• Total aggregate size ≈ 64 KB

Error handling →

• Uses Block Acknowledgment (Block ACK)

• Receiver acknowledges multiple MPDUs at once

• Only corrupted subframes are retransmitted

Best suited for →

• Noisy/error-prone networks

• Larger packets

• Mixed traffic types

• High-throughput Wi-Fi (802.11n/ac/ax)

✅ Key Takeaway

Fragmentation →

• Improves reliability by breaking large frames into smaller pieces.

• Best for high-error environments.

Aggregation →

• Improves efficiency by bundling multiple frames into one transmission.

• Best for high-throughput modern networks.

• Modern Wi-Fi primarily relies on aggregation for performance gains, while fragmentation is rarely used unless operating in very noisy conditions.

Together, these mechanisms allow Wi-Fi networks to balance:

• Error resilience

• Throughput efficiency

• Airtime optimization

• Performance in different radio environments

⚡ Comparison

✅ Key Takeaway

• A-MSDU → technically more efficient, but fragile (one error → retransmit all).

• A-MPDU → less efficient per byte, but far more robust thanks to block ACKs and selective retransmission.

In practice, A-MPDU aggregation performs better in real-world Wi-Fi networks, especially with interference.

Wi-Fi devices (stations, STAs) often operate on battery power (phones, tablets, IoT devices, laptops).

The radio receiver consumes significant energy because it must continuously listen for incoming frames. 

Even when no data is being transmitted, the radio must stay active to detect potential traffic.

Power Save Mode (PSM) reduces this energy usage by allowing the radio to periodically power down instead of listening all the time.

HOW PSM WORKS

PSM is coordinated between the station (STA) and the Access Point (AP).

Step 1 – STA Enters Power Save Mode

When a station wants to enter PSM:

• It sets the Power Management bit in the Frame Control field of outgoing frames.

• This informs the AP that it will begin sleeping periodically.

Step 2 – AP Buffers Frames

• The AP notices the Power Management bit.

• Any frames destined for that STA are buffered (stored temporarily) instead of being immediately transmitted.

Step 3 – STA Wakes Up for Beacons

Stations wake up at the next beacon interval to check for buffered data.

Beacon frames are:

• Periodically broadcast management frames sent by the AP

• Used for synchronization and network information

The beacon contains a Traffic Indication Map (TIM), indicates which sleeping stations have buffered frames waiting.

Step 4 – STA Retrieves Data

If the TIM shows pending data:

• The STA sends a request to retrieve buffered frames.

• The AP transmits the stored data.

After receiving the frames, the STA may return to sleep.

Key Idea

• The station’s radio is off most of the time, waking only at scheduled intervals to:

• Check for pending traffic

• Receive buffered data

• Transmit queued frames

• This significantly reduces energy consumption compared to continuous listening.

CAVEATS OF USING PSM

While PSM saves energy, it is not perfect.

🔋 Limited Battery Savings

• The Network Interface Card (NIC) is not the only power consumer.

• Displays, CPUs, memory, and storage often consume more power than Wi-Fi.

• Therefore, total device battery life improvement may be moderate rather than dramatic.

📉 Throughput Reduction

Because the STA sleeps:

• Data cannot be delivered instantly.

• There may be delays until the next beacon interval.

Idle periods and sleep/wake transitions introduce:

• Increased latency

• Reduced real-time throughput

• Potential performance issues for delay-sensitive applications (e.g., gaming, VoIP)

PSM is therefore a trade-off between power savings and performance.

Time Synchronization Function (TSF)

For PSM to work correctly, stations must wake up at precisely the right time to receive beacon frames.

This is handled by the Time Synchronization Function (TSF).

How TSF Works

• Each station maintains a 64-bit timer counter.

• The counter increments in microseconds (µs).

• This provides very high timing precision.

Synchronization Process:

• A station receives a beacon containing the AP’s TSF timestamp.

• It compares the received TSF value with its own counter.

• If the received value is larger, the station updates its clock forward.

Important rule:

Clocks are never set backward, they only move forward.

Why TSF Is Important

TSF ensures:

• All stations share a consistent time reference

• Stations wake up exactly at beacon intervals

• Buffered traffic is not missed

• Sleep scheduling is precise

• Precision: TSF clocks are synchronized within 4 microseconds plus physical propagation delay, which is extremely accurate for wireless coordination.

Enhancements in Modern Wi-Fi

Later Wi-Fi standards introduced improved power-saving mechanisms to increase efficiency and reduce latency.

1. Automatic Power Save Delivery (APSD) – 802.11e (QoS)

Introduced with Quality of Service (QoS) enhancements.

How APSD Improves PSM:

• Stations do not need to wake up at every beacon.

• Buffered frames can be delivered in batches.

• Stations can choose longer sleep intervals.

• Instead of periodic beacon-based retrieval, the STA can trigger delivery when needed.

Benefits:

• Reduces unnecessary wake-ups

• Improves battery life

• Reduces latency for voice/video traffic

Particularly useful for:

• Smartphones

• IoT devices

• Low-power embedded systems

2. Spatial Multiplexing Power Save Mode – 802.11n (MIMO)

Introduced with MIMO (Multiple-Input Multiple-Output) systems.

Devices may have multiple antennas and radio chains.

Each radio chain consumes additional power.

Power Saving Technique:

• Only one radio chain may remain active.

• Other antennas/radios are powered down until higher throughput is required.

This allows:

• Energy savings

• Dynamic performance scaling

• Efficient use of MIMO capability

This mode balances throughput and power efficiency.

3. Power Save Multi-Poll (PSMP)

PSMP coordinates scheduled communication between AP and STA.

How It Works:

The AP schedules transmission windows for:

• AP → STA traffic

• STA → AP traffic

Both directions are handled during planned wake intervals.

Benefits:

• Fewer wake/sleep transitions

• Reduced idle listening

• Improved channel efficiency

• Lower latency compared to basic PSM

PSMP is designed for tighter coordination and improved overall efficiency.

4. Summary Table

Think of PSM as Wi-Fi nap mode: the device sleeps, the AP babysits your frames, and TSF is the alarm clock that wakes you just in time. 

APSD, spatial PSM, and PSMP are smarter alarms that let you sleep longer or more efficiently.

✅ Overall Concept

Power Save Mode in 802.11 is built around:

• Buffered delivery at the AP

• Precise time synchronization

• Controlled wake/sleep scheduling

Modern enhancements improve:

• Battery efficiency

• Latency performance

• Throughput balance

• Scalability for advanced Wi-Fi standards

THE CHALLENGE OF WIRELESS MAC

The wireless MAC layer faces unique challenges compared to wired Ethernet (802.3). In wired networks, collision detection is relatively straightforward because devices can transmit and listen at the same time. 

However, in wireless environments, this is much harder to achieve. The communication medium is effectively simplex, meaning a station cannot transmit and listen simultaneously. As a result, detecting collisions directly is not feasible.

To address this limitation, wireless networks use protocols designed to coordinate transmissions and minimize the chances of collisions rather than detect them after they occur. These protocols rely on careful timing, listening before transmitting, and sometimes reserving the channel in advance.

In IEEE 802.11, three main MAC approaches are used to manage access to the shared wireless medium. Each of these approaches is designed to reduce transmission overlap, improve efficiency, and ensure fair access among devices, even in environments with many competing stations.

📊 Three MAC Approaches in 802.11

DCF is the fundamental MAC access mechanism in IEEE 802.11 Wi-Fi.

Based on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance).

Designed for a shared wireless medium where multiple stations compete for access.

Unlike Ethernet (CSMA/CD), Wi-Fi cannot detect collisions while transmitting, so it tries to avoid them instead.

HOW DCF WORKS

Stations must check that the channel is free before transmitting.

I. Wait for DIFS

A station waits for DIFS (Distributed Inter-Frame Space) after the medium becomes idle.

DIFS ensures that higher-priority frames (like ACKs using SIFS) go first.

II. Channel Busy?

If the channel is busy:

• The station defers transmission.

• It waits until the channel becomes idle again.

III. Random Backoff

If the channel is idle after DIFS:

• The station chooses a random backoff value.

• It counts down while the channel remains idle.

• If the channel becomes busy, the countdown pauses.

This randomization reduces the probability that multiple stations transmit at the same time.

IV. Transmission + ACK

The station transmits when the backoff timer reaches zero.

The receiver replies with an ACK after SIFS (Short Inter-Frame Space).

If no ACK is received → transmission is assumed to have failed.

EIFS (Extended Inter-Frame Space)

Used after a failed transmission or corrupted frame.

Longer than DIFS.

Helps prevent immediate retransmissions that could cause further collisions.

Carrier Sense in Wi-Fi

Wi-Fi uses two types of carrier sensing:

📡 Physical Carrier Sense

The radio listens for energy on the channel.

Implemented through Clear Channel Assessment (CCA).

Detects:

• Signal energy above threshold

• Valid Wi-Fi preambles

🥅 Virtual Carrier Sense

Uses the Network Allocation Vector (NAV).

NAV is a timer set based on Duration fields in frames.

If NAV > 0 → the station assumes the channel is busy.

A station can only transmit when:

• Physical carrier sense says idle

• NAV = 0

📊 HCF (Hybrid Coordination Function)

HCF extends DCF by adding Quality of Service (QoS) features.

Introduced in 802.11e.

Adds support for prioritized traffic.

Introduces TXOPs (Transmission Opportunities):

• Reserved time intervals

• Allow a station to send multiple frames without recontending

This improves performance for:

• Voice (VoIP)

• Video streaming

• Real-time applications

✅ Key Takeaway

DCF (CSMA/CA) → Foundation of Wi-Fi MAC, ensures fair access.

PCF → Centralized polling (rarely used).

HCF → QoS-aware extension for multimedia.

Together, these mechanisms balance:

• Fairness

• Efficiency

• QoS support

• Collision avoidance

Virtual Carrier Sense, RTS/CTS, and NAV in 802.11

In wireless networks, collision avoidance is harder than wired Ethernet because:

Stations may not hear each other.

The medium is shared and half-duplex.

Wi-Fi therefore combines virtual carrier sense and physical carrier sense.

I. Virtual Carrier Sense

Duration Field

• Present in RTS, CTS, and data frames.

• Specifies how long the medium will be reserved.

Network Allocation Vector (NAV)

• Each station maintains a NAV timer.

• NAV counts down according to the Duration field.

• If NAV > 0 → medium is considered busy.

• NAV resets to 0 when expected exchange (e.g., ACK) completes.

👉 Even stations not involved in communication defer transmission if they overhear the Duration field.

II. RTS/CTS (Request to Send / Clear to Send)

An optional handshake used before data transmission.

How It Works:

1. Sender sends RTS (includes Duration).

2. Receiver replies with CTS (also includes Duration).

3. Other stations update NAV accordingly.

Purpose:

Reduces collisions for large frames.

Solves the hidden node problem:

• Two stations cannot hear each other

• Both are within range of the receiver

• RTS/CTS ensures coordinated silence

III. Physical Carrier Sense (CCA) 📡 

Each PHY must implement Clear Channel Assessment (CCA). Detects channel state using:

• Energy detection

• Preamble recognition

• Signal decoding

Transmission allowed only if:

• CCA says idle

• NAV = 0

✅ Key Takeaway

• NAV → logical reservation mechanism.

• RTS/CTS → announces reservation to others.

• CCA → hardware-level channel sensing.

Together, they minimize collisions in complex wireless environments.

Wireless stations cannot transmit and listen simultaneously.

Collisions cannot be reliably detected while transmitting.

Therefore, Wi-Fi uses collision avoidance with randomized backoff.

Steps in the DCF Backoff Procedure

1. Channel Check

• Use physical carrier sense (CCA) + NAV.

• If idle after DIFS → proceed.

2. Random Backoff

3. Transmission Attempt

• If countdown reaches zero → transmit.

• If medium becomes busy → pause countdown.

4. ACK Handling

• Receiver sends ACK after SIFS (shorter than DIFS).

• Ensures ACK priority.

• If ACK received → success.

• If not → assume failure.

5. Failure Handling

• Increase CW.

• Retry transmission.

• Stop after retry limit.

⚡ Key Timing Intervals

• SIFS → shortest, used for ACK and CTS (highest priority).

• DIFS → used before normal transmissions.

• EIFS → used after failed transmissions (longest wait).

Priority order: SIFS < DIFS < EIFS

✅ Key Takeaway

• DCF = CSMA/CA + exponential backoff.

• Randomization prevents synchronized collisions.

• ACK + SIFS ensures reliable delivery.

This is the core of Wi-Fi fairness and efficiency.

802.11e / Wi-Fi QoS Overview

The 802.11e amendment (integrated into later standards) adds Quality of Service (QoS).

Purpose:

• Support multimedia traffic such as:

• VoIP

• Video streaming

• Interactive applications

• Low-latency traffic

• QoS becomes especially important during network congestion.

QoS-Capable Devices

• QSTA → QoS-capable station

• QAP → QoS-capable access point

• QBSS → QoS-enabled Basic Service Set

High Throughput (HT) 802.11n devices automatically support QoS features.

HYBRID COORDINATION FUNCTION (HCF)

HCF is the core QoS mechanism introduced in 802.11e.

It supports two channel access methods:

I. EDCA (Enhanced Distributed Channel Access)

Contention-based (like DCF).

More widely used in real deployments.

Uses different priority queues (voice, video, best effort, background).

Higher-priority traffic gets:

• Smaller contention windows

• Shorter inter-frame spaces

• Higher chance of accessing medium

II. HCCA (HCF Controlled Channel Access)

📊 HCCA: The Reservation System

While standard Wi-Fi is a bit of a free-for-all, HCCA (HCF Controlled Channel Access) acts like a high-end restaurant with a strict reservation book.

• Polling/reservation-based: Instead of every device trying to shout at once, the system is built on a specific schedule. The Access Point (AP) takes total control and asks each device one by one if it has something to send.

• AP Centrally Allocates Transmission Times: The AP acts as the Hybrid Coordinator (HC). It grants Transmission Opportunities (TXOPs) to specific stations. It says, You have exactly 10 milliseconds to send your data—starting now. This eliminates the risk of two devices talking at the same time.

• Provides Stricter QoS Guarantees: Because the AP knows exactly who is talking and for how long, it can prioritize things like a VoIP call or a 4K video stream with zero jitter. It guarantees that the time-sensitive data won't have to wait for a background file download.

• Less Common Due to Complexity: You won't find HCCA in most home routers. It requires complex scheduling logic in both the AP and the client devices. Because of this overhead and the difficulty of implementation, most consumer gear sticks to the simpler, competitive style of Wi-Fi.

⚙️ The Hybrid Factor

• HCF can combine EDCA and HCCA for hybrid operation: The Hybrid Coordination Function (HCF) is the umbrella that makes modern Wi-Fi (802.11e) smart. It can run both systems at once:

• EDCA: Handles the standard best-effort traffic (browsing the web, checking email) by letting devices compete for airtime.

• HCCA: Steps in to manage the VIP traffic (streaming or voice) by using the reservation system during specific controlled windows.

🤔 Why this matters for you

As a reverse engineer, if you were sniffing traffic and saw a device transmitting data without the typical backoff or contention period, you'd be looking at HCCA in action. 

It's rare, but in specialized industrial or medical environments, it’s how they ensure critical machines never lose their connection.

✅ Overall Concept

• Wi-Fi medium access combines:

• CSMA/CA (DCF) → fairness

• RTS/CTS + NAV → collision reduction

• Exponential backoff → congestion control

• HCF (EDCA/HCCA) → QoS prioritization

Together, these mechanisms allow Wi-Fi to operate efficiently in a shared, interference-prone wireless medium while supporting both best-effort and real-time traffic.

III. EDCA – Enhanced Distributed Channel Access

EDCA is the smart version of the standard way Wi-Fi works. Instead of every packet waiting in the same line, it creates different lanes for different types of data.

Foundation: It builds on the standard DCF (Distributed Coordination Function), which is the basic contention mechanism used in older Wi-Fi.

Access Categories (ACs): It introduces four specific categories to prioritize traffic:

• AC_VO (Voice): Highest priority; minimizes delay for calls.

• AC_VI (Video): High priority; ensures smooth streaming.

• AC_BE (Best Effort): Standard priority for general web browsing.

• AC_BK (Background): Lowest priority for things like print jobs or file syncs.

The Mechanism:

• Each category competes for TXOPs (Transmit Opportunities)—a specific duration where a station can send as many frames as possible.

• Adjustable Parameters: To favor high-priority traffic, MAC settings like DIFS (waiting time) and CWmin/CWmax (the random backoff timer range) are shortened for Voice and Video.

• Result: Urgent traffic statistically wins the race to talk more often, reducing jitter.

Analogy: Think of EDCA like a highway with HOV or Express lanes. While the background traffic is stuck in the slow lanes, the voice and video traffic have dedicated lanes to bypass the congestion.

Builds on the standard DCF (Distributed Coordination Function).

Introduces Access Categories (ACs) for prioritizing traffic:

Mechanism:

• Each AC contends for TXOPs (Transmit Opportunities).

• MAC parameters (e.g., DIFS, aCWmin, aCWmax) are adjustable per AC.

• High-priority traffic is favored in contention, reducing delay and jitter.

Analogy: Think of EDCA like multiple lanes in traffic; some lanes are fast lanes for urgent traffic (voice/video), others are slower for background traffic.

IV. HCCA – HCF Controlled Channel Access

HCCA is the more authoritarian sibling of EDCA. It doesn't leave anything to chance or competition; the Access Point (AP) is the boss.

Foundation: Based on the older PCF (Point Coordination Function) but heavily optimized for modern Quality of Service (QoS).

Polling-Based System:

•  A Hybrid Coordinator (HC) (usually built into the AP) manages the airtime.

• TSPEC (Traffic Specification): Stations send a formal request to the HC, essentially saying, I need exactly this much bandwidth and this much latency.

•  Priorities: It uses UP values 8–15 for these specific, reserved streams.

Admission Control: If the network is already at 90% capacity, the HC can deny new TSPEC requests. This prevents the network from becoming so congested that everyone's call drops.

Analogy: HCCA is like a motorcade with a police escort. The traffic controller blocks off the intersections (reserved TXOPs) so the VIP vehicle moves through without ever hitting a red light.

V. EDCA vs HCCA

Networks can run both simultaneously, with EDCA providing best-effort traffic and HCCA providing reserved access.

VI. Additional Notes

• Admission control prevents congestion by rejecting TSPEC requests under heavy load.

• EDCA parameters are communicated to QSTAs via management frames.

• In ad hoc networks, there is no HC, so HCCA is not supported; only EDCA contention is used.

• EDCA user priorities are compatible with 802.1D priority tags, allowing integration with VLAN-based QoS.

VII. Summary:

802.11e/n QoS improves support for multimedia traffic.

HCF coordinates access with two methods:

• EDCA for prioritized contention-based access.

• HCCA for guaranteed, reserved access.

High-priority traffic (voice/video) gets faster and more reliable access, while background traffic uses leftover capacity.

If you're analyzing a suspicious device and notice it's bypassing the standard exponential backoff (the random wait time after a collision), it might be using HCCA, or it might be a malicious firmware modified to cheat the Wi-Fi contention and DoS other devices!

The 802.11 family has grown through multiple amendments, each adding new modulation techniques, frequency bands, and channel options. Here’s the big picture:

🔑 Key Standards & Characteristics

⚙️ Practical Consequences

The flavor of Wi-Fi determines which radio frequency it uses. This changes everything from how far the signal travels to how easily it can be jammed or snooped.

• 802.11b/g: These operate strictly in the 2.4 GHz ISM band. Because this band is used by microwaves, baby monitors, and Bluetooth, it is incredibly crowded.

• 802.11a: This one stays in the 5 GHz U-NII band. It was the high-speed alternative to 802.11b back in the day, but it couldn't penetrate walls very well.

• 802.11n: This was the first dual-band standard. It can operate in both 2.4 GHz and 5 GHz. If it isn't deployed carefully, it can interfere with almost every other wireless device in the building.

• 802.11y: This is a bit of an outlier, it’s for licensed use in the 3.65–3.70 GHz band and is specific to the U.S. It’s for high-power, long-range outdoor use.

✅ Key Takeaway

Understanding the trade-offs between these bands is vital for network design and signal analysis.

2.4 GHz (b/g/n): 

• Pros: Longer range; the waves are larger and pass through walls and floors easily.

• Cons: Extremely crowded. With only 3 non-overlapping channels (1, 6, and 11), interference is a constant battle.

5 GHz (a/n): 

• Pros: Much higher speeds and dozens of non-overlapping channels. It’s the quiet part of the spectrum.

• Cons: Shorter range; these signals are easily blocked by solid objects like brick or concrete.

802.11n Breakthroughs: This standard introduced MIMO (Multiple Input, Multiple Output), using multiple antennas to send different streams of data at once. It also used frame aggregation, which is like packing multiple small boxes into one large shipping crate to save on overhead.

Deployment Strategy: In mixed environments (like a lab where you're running 802.11n alongside older gear), you have to be careful about cross-band interference. A misconfigured n router can shout over your older g devices, causing them to drop packets constantly.

If you're ever doing Blue Teaming (defensive security) and you see unexpected traffic on the 5 GHz band in an office that only uses 2.4 GHz, you might have found a rogue access point or a backdoor device trying to exfiltrate data on a quieter frequency.

WI-FI CHANNELS AND FREQUENCIES

Wi-Fi operates in licensed and unlicensed frequency bands, regulated by authorities like the FCC (USA) or equivalent bodies in other countries.

I. Channel Numbering and Center Frequency

Why are channels numbered? Wi-Fi uses channels to allow multiple devices to communicate simultaneously. 

Think of them as roads on a highway – they allow different vehicles (devices) to travel at different speeds.

Center frequency formula (example for 5 GHz): 

5 MHz Steps: Wi-Fi uses a system of 5-MHz steps between center frequencies. This means that the frequency at which a channel transmits a signal is calculated as: Center Frequency = 5 * (Frequency / 1000)

Example: 5 GHz Channel 36 → 5000 + (36 × 5) = 5180 MHz – This is a very simple example of how to calculate the center frequency for a specific channel. It means the channel transmits at 5000 MHz, and then adds 36 * 5 = 180 MHz. So, the center frequency is 5000 + 180 = 5180 MHz.

Channel Widths (MHz): The width of a channel (e.g., 22 MHz, 20 MHz, 5 MHz) determines how much of the radio spectrum a channel occupies. The wider the channel, the more data it can carry. Here's a breakdown of how these widths generally look:

• 802.11b/g/n: Typically 22 MHz. This is the most common width.

• 802.11a/n/y: 20 MHz. 40 MHz is used for 802.11n via channel bonding.

• Other options: 5 MHz, 10 MHz – These are used in specific situations, like narrower channels for things like IoT (Internet of Things) devices.

Overlap: This is a critical concept. When two channels are used simultaneously in a given area, they can overlap. When they overlap, the signal strength weakens. This is why it’s important to avoid overlapping channels. 

For example:

• Channel 1 overlaps with Channel 2, 3, 4, 5

• Non-overlapping channels (as in the USA) are 1, 6, 11.

II. 2.4 GHz Band (802.11b/g/n)

Frequency Range: 2.4 GHz is a common frequency used for Wi-Fi, and it's a relatively wide band, generally between 2.4 GHz and 2.5 GHz. 

This range is part of the unlicensed spectrum, meaning it can be used by various devices without needing special permits. 

The total bandwidth of approximately 100 MHz is what we divide into individual channels.

• Number of Channels: There are 14 channels in the 2.4 GHz band, divided into 2 groups:

• USA: 1-11: The FCC (Federal Communications Commission) restricts the available channels to these 11 to prevent interference with other licensed services operating nearby.

• Europe: 1-13: European regulations allow for a wider set of channels compared to the US.

• Japan: 1-14: Japan permits the use of channel 14, but it is typically only used for 802.11b networks and is rarely supported by modern consumer devices.

• Channel Overlap: This is where things get a bit more complex and important for Wi-Fi performance.

• Example: Channel 1 overlaps with Channel 2, 3, 4, 5. This means they share the same frequency range and can interfere with each other. 

• Each channel is 22 MHz wide, but they are spaced only 5 MHz apart. 

• This spacing is why neighboring channels inevitably overlap, as the width is greater than the gap between them.

• Non-overlapping channels (USA): 1, 6, 11. These channels are designed to minimize interference. Because they are spaced sufficiently apart, their frequency ranges do not intersect. 

• In Europe, channels 1, 6, and 13 are typically considered the three non-overlapping channels.

• The key idea is that there are virtual channels created by the overlap. This means that even if an Access Point is set to a specific channel, it effectively uses a broader slice of the frequency spectrum that includes parts of adjacent channels.

Practical Rule: To maximize the efficiency of the 2.4 GHz band, it's best practice to use non-overlapping channels for multiple Access Points (APs) in the same area. This makes the signal spread out and less likely to interfere with each other. 

By strategically assigning channels 1, 6, and 11 to different APs, you can create a network where they operate without stepping on each other's signals, much like three separate, non-interfering highways.

802.11n: Channel Bonding - The 802.11n standard allows the use of 40 MHz channels. However, this is only possible without overlap. 

Channel bonding essentially combines two standard 20 MHz channels into one wider 40 MHz channel to double the data rate. 

In the crowded 2.4 GHz band, finding enough contiguous space for a 40 MHz channel without causing significant interference is very difficult, which is why 40 MHz channels are more commonly used and recommended in the less congested 5 GHz band.

In simple terms: Wi-Fi uses channels to transmit data. The 2.4 GHz band is a common choice due to its good range and ability to penetrate obstacles like walls, but careful planning is needed to avoid interference between channels. Understanding these concepts is essential for setting up a good Wi-Fi network.

III. 5 GHz Band (802.11a/n/y)

Range: The 5 GHz band is wider than 2.4 GHz, spanning roughly 5 to 6 GHz. It’s divided into several U-NII (Unique Identifier) bands, each with specific usage patterns.

Channels: Channels are 20 MHz wide. The 802.11n standard allows for 40 MHz bonding, meaning you can use a 40 MHz channel while still having multiple channels available.

Advantages: This band offers several key benefits over the 2.4 GHz band:

More Non-Overlapping Channels: The biggest advantage is a significantly higher number of available channels. In many countries, the USA uses 12 unlicensed 20 MHz channels. Europe uses 13, and Japan uses 14. This dramatically reduces interference.

Less Interference: Because of the higher channel density, it tends to be a less crowded spectrum.

IV. Channel Assignment – A Strategic Approach

Infrastructure Mode: When setting up a Wi-Fi network (AP and stations), the network infrastructure (AP) determines which channel to use during installation.

Client-Driven: Clients (devices connecting to the network) follow the AP's channel selection.

Considerations – Key to Success:

• Regulatory Limits: There are limitations on how many channels can be used in a given area. These limits are set by government regulations to ensure fair use of the spectrum.

• Hardware & Driver Support: The network hardware (AP and client devices) need to be designed to support the chosen channel.

• Interference Mitigation: Careful channel selection is vital to minimize interference with other devices in the same area.

 V. Practical Tips – Maximizing Performance

• 2.4 GHz – Always Non-Overlapping: When possible, always use non-overlapping 2.4 GHz channels.

• High-Density Deployments: In areas with many devices, coordinate channel selection between APs to reduce congestion.

• 802.11n Channel Bonding: Using 40 MHz bonding in 802.11n can boost throughput, but it reduces the total number of available non-overlapping channels.

VI. Channel 5 GHz Band (802.11a/n/y) – Recap & Key Takeaways

• Range: A wide band, covering frequencies from 5 GHz to 6 GHz.

• Channels: 20 MHz wide.

• Key Advantage: More non-overlapping channels than 2.4 GHz, leading to less interference.

• Important Note: This band is particularly useful for devices needing higher data rates than the 2.4 GHz band.

VII. Summary – A Quick Recap of the Key Points

• Frequency & Channel Width: Crucial for interference and performance.

• Channel Density: A larger number of channels reduces congestion.

• Strategic Channel Assignment: Network infrastructure and client devices must be configured to ensure proper channel selection.

• Practical Considerations: Coordinated channel selection is vital in high-density deployments.

802.11N / HIGHER-THROUGHPUT WI-FI

I. What is 802.11n?

Standardized Late 2009: 802.11n is a standard that defines how Wi-Fi networks should work. It’s a specification that allows different devices to communicate with each other over a wireless network. It's like a rulebook for Wi-Fi.

Amendment to 802.11-2007: This is important. 802.11n builds upon the older 802.11-2007 standard, which established the foundational principles of Wi-Fi.

II. The Core Goal: Higher Throughput

Why More Robust? The primary goal of 802.11n was to significantly increase the data transfer rate (throughput) compared to its predecessors. 802.11a, b, and g were all reaching a limit in how much data they could reliably send. 802.11n aimed to break through that limit.

Key Features – How Does it Achieve This?

a) MIMO (Multiple Input, Multiple Output):

• What it is: This is the most crucial innovation. MIMO allows a Wi-Fi router to simultaneously transmit and receive data streams. Think of it as having multiple antennas sending and receiving data simultaneously.

• How it Works: It’s like having two radio stations broadcasting the same song. Each antenna works independently, increasing the overall data rate.

• Up to 4 Spatial Streams: A single channel can support up to 4 spatial streams (data streams) at any given moment. This is a massive increase in capacity.

• Example: In a 20MHz channel, 802.11n could theoretically support 40MHz of data, effectively doubling the bandwidth.

b) Wider Channels (40MHz)

• Conventional Wi-Fi (20MHz): Older Wi-Fi standards (802.11a, b, and g) used channels of 20 MHz. This was the standard bandwidth for those protocols.

• 802.11n's Channel Width: 802.11n expanded the channel width to 40 MHz. This doubles the available bandwidth per channel, which dramatically increases the theoretical maximum data rate.

c) Improved PHY Efficiency (OFDM with more subcarriers)

• OFDM (Orthogonal Frequency-Division Multiplexing): This is a technique used in Wi-Fi to transmit multiple data streams simultaneously over a single channel. It's like having multiple radio signals traveling over the same channel.

• 20MHz Channel: With 20 MHz channels, 802.11n used 52 data subcarriers.

• 40MHz Channel: With 40 MHz channels, 802.11n used 108 data subcarriers.

• Why this matters: More subcarriers per channel make it easier to separate data streams, reducing interference and increasing overall throughput. It's a more efficient way to transmit data.

FEC (Forward Error Correction) Improvements

What it is: FEC is a method of error correction. It adds redundant information to the data stream so that if a bit is lost, the receiver can still decode it correctly.

Code Rate Up to 5/6: 802.11n's FEC was significantly better than older standards. It achieved a higher code rate (the ratio of transmitted data to the amount of data lost), leading to reduced error correction needs.

Shorter Guard Interval (GI):

• Legacy GI: 800 ns – This was a relatively long guard interval, making it more prone to idle time between symbols (packets of data). This meant the Wi-Fi network could experience some latency (delay) and dropped packets.

• 802.11n GI: 400 ns – This reduced idle time, leading to a better overall throughput.

In essence, 802.11n was a crucial step in improving Wi-Fi performance by leveraging multiple antennas (MIMO), wider channels, and more efficient error correction, ultimately making the Wi-Fi network faster and more reliable.

I. Modulation and Coding (MCS) – The Heart of the Upgrade

77 Combinations: 802.11n introduced a vastly expanded range of modulation and coding schemes compared to its predecessors. This is the core of the increased throughput.

Modulation Schemes:

• Single Stream: The simplest, transmitting a single stream of data. (8 options)

• Equal Modulation: Each channel transmits the same data stream. (24 options)

• Unequal Modulation: Different channels transmit different data streams (43 options). This is the most complex and allows for maximum data rate, but introduces more potential for error.

MCS (Modulation and Coding Scheme): This is a crucial metric. It describes how efficiently data is transmitted. Higher MCS values generally translate to higher throughput.

• BPSK (Binary Phase Shift Keying): Sends only 1 bit of data per symbol. Very simple, but easily corrupted.

• QPSK (Quadrature Phase Shift Keying): Sends two bits per symbol. Slightly more robust than BPSK.

• 16-QAM (16-Quadrature Amplitude Modulation): Sends 16 bits per symbol. Allows for a higher data rate than QPSK, but is more susceptible to noise.

• 64-QAM (64-Quadrature Amplitude Modulation): Sends 64 bits per symbol. The highest data rate, but also most sensitive to interference.

II. Operation Modes – Choosing the Right Approach

• Greenfield Mode: This is the most efficient mode for 802.11n. It’s designed for maximum performance without legacy compatibility. This means devices can use the full capabilities of the new standard.

• HT Mixed Mode: This mode is a compromise. It allows devices that are both legacy and 802.11n compatible to work together. It adds a layer of protection against interference, minimizing the impact on legacy devices. It does slightly reduce peak performance for 802.11n devices.

• Non-HT Mode: This is the fallback mode. It disables 802.11n features and provides a basic, legacy-only experience.

III. Deployment Considerations – Getting It Working

• Channel Width: Crucially important. 802.11n used 40 MHz channels – a significant improvement over the 20 MHz used by 802.11a, b, and g. A wider channel offers more bandwidth.

• Power Requirements: 802.11n APs require more power than legacy APs. Standard PoE (15W) might be insufficient, necessitating PoE+ (30W) or external power.

IV. Key Takeaways

• Throughput Boost: 802.11n significantly increased throughput through a combination of enhanced modulation and coding, wider channels, and a more efficient system.

• Legacy Compatibility: The design of 802.11n involves a trade-off between maximizing performance and maintaining interoperability with existing devices.

• Strategic Deployment: Careful channel planning, power supply, and coexistence strategies are vital to ensure optimal 802.11n performance in a real-world environment.

I. WEP (Wired Equivalent Privacy) – A Legacy Approach

Encryption: Uses the RC4 stream cipher – a widely known, but relatively weak, encryption algorithm.

Key Management: Relies on Pre-Shared Keys (PSK). This means a secret key is exchanged between the client and router before the connection begins.

Authentication: The PSK (Pre-Shared Key) acts as the primary authentication method. The router essentially broadcasts the key to the device.

Weaknesses:

• Easy to Crack: RC4 is notoriously vulnerable to brute-force attacks and modern decryption techniques.

• No Per-Frame Key Variation: The same PSK is used for every connection, making it vulnerable to attacks where the attacker can slightly alter the key to bypass security.

Status: Essentially obsolete. It’s been superseded by more secure protocols.

II. WPA (Wi-Fi Protected Access) – A Significant Improvement

• Encryption: Uses the TKIP (Temporal Key Integrity Protocol) – a more complex encryption scheme than WEP, but still considered weaker.

• Key Management: Generates a unique encryption key for each frame transmitted. This is a critical change from WEP, which used a single key for all connections.

• Authentication: Typically uses a PSK or 802.1X/EAP (Enterprise mode) for authentication. 802.1X is a more robust authentication method.

• Purpose: Designed to provide a secure Wi-Fi connection starting with WEP-capable devices. It serves as a temporary security layer while the user’s Wi-Fi network is configured.

• Limitations: RC4-based TKIP is still less secure than modern AES encryption.

III. WPA2 / 802.11i (Robust Security Network – RSN): Major Advancement

• Encryption: Employs Advanced Encryption Standard (AES) – a much stronger encryption algorithm than TKIP. AES uses 128-bit keys and 128-bit blocks.

• Key Management: Utilizes CCMP (Counter Mode with CBC-MAC) – a more advanced encryption method that provides higher security.

• Authentication: Uses PSK or 802.1X/EAP (Enterprise mode) for authentication. 802.1X is more secure than a simple PSK.

• TKIP: While older, the optional TKIP component still adds a layer of protection, though it’s largely deprecated in favor of AES.

• Status: The current standard for secure Wi-Fi. It represents a significant leap forward in security and robustness.

IV. Authentication & Key Management – The Foundation of Security

• • Pre-Shared Keys (PSK): Simple, small network setups where a single secret key is exchanged between the client and router.

  • 802.1X / EAP (Enterprise): A more sophisticated approach to authentication.

  • Port-based Access Control: Focuses on securing individual access points (ports) rather than the entire network.

  • EAPOL Protocol: The EAPOL (Ethernet Authentication Protocol over Link) protocol carries EAP (Enterprise Authentication Protocol) within the IEEE 802.11 network.

  • Multiple Authentication Methods: Allows for multiple authentication strategies (certificates, tokens, passwords) to enhance security.

V. Benefits:

• Centralized Authentication: Allows for authentication to be managed centrally on a router, simplifying administration.

• Fine-Grained Access Control: Provides granular control over who can connect to which network.

• Enhanced Security: The combination of encryption, authentication, and access control significantly improves security.

Home WiFi usually just asks for a single password (WPA2/WPA3 Personal). 

This is what you see in offices or universities where you have to log in with a username and password or a digital certificate. 

The evolution of Wi-Fi security has been driven by the need to address vulnerabilities and increase network resilience. From the easily vulnerable WEP to the robust AES-based WPA2/WPA3 standards, each generation has brought improvements in encryption and authentication, ultimately creating a more secure Wi-Fi experience. The shift towards 802.1X/EAP has been a crucial step in enhancing network security.

V. Summary Table

Key point: WPA2 with CCMP and 802.1X/EAP is considered the robust modern standard, while TKIP/WEP are insecure and obsolete.

802.11S is a significant upgrade to Wi-Fi that moves beyond just connecting devices to acting as a data-forwarding agent. 

It’s designed to improve coverage and resilience by intelligently routing traffic between wireless stations (often called Mesh Stations).

KEY CONCEPTS

I. Mesh Stations as Data-Forwarders: 

Traditionally, Mesh Wi-Fi stations just receive data from devices. 802.11S takes a step further. Mesh Stations can actively forward data between each other. Think of it as multiple wireless nodes working together.

II. How it Works - AP Forwarding: 

The core of 802.11S is the ability for a Mesh Station to detect and forward data packets from one station to another. This is similar to how a traditional AP (Access Point) works, but it does so intelligently and dynamically.

III. Multi-Hop Networks: 

Because it forwards data between stations, 802.11S creates multi-hop wireless networks. This is particularly useful in larger spaces or areas where a single wired connection isn’t feasible. The Mesh Stations essentially jump through each other to reach their destination.

IV. Goal: Extend Coverage & Resilience: 

The primary goals of 802.11S are:

• Extended Coverage: It allows you to extend your Wi-Fi signal farther than traditional mesh systems.

• Increased Resilience: It makes your network more robust. If one station goes down, the other stations can still relay the data, maintaining connectivity.

In short, 802.11S is about making Wi-Fi networks more intelligent and adaptable, capable of creating a more robust and expansive wireless infrastructure.

V. Analogy:

• Imagine a city with many roads. Traditional Wi-Fi is like a single, long road. 

• 802.11S is like a network of interconnected roads (Mesh Stations) that can dynamically route traffic around congestion.

VI. Key Components

VII. 802.11S: A Smart Mesh Network

• Core Idea: 802.11S is a dynamic Wi-Fi network architecture that moves beyond simple client-server communication. It’s fundamentally about intelligent routing between wireless stations (Mesh Nodes).

• How it Works: It uses a hybrid routing protocol – a combination of AODV (Ad-Hoc On-Demand Distance Vector) and OLSR (Optimized Link State Routing) – to intelligently choose paths based on airtime and data traffic. It establishes a multi-hop network.

VIII. 802.11S - The Key Components:

• HWRP (Hybrid Wireless Routing Protocol): This is mandatory for all nodes in a compliant 802.11S setup. It dictates how nodes choose routes based on airtime.

• Mesh Node Routing: Mesh nodes can utilize other routing protocols as well but rely heavily on HWRP for efficient path selection.

• Coordination: EDCA (Enhanced Distributed Channel Access) is used for QoS (Quality of Service) – ensuring fair allocation of resources. Optional mesh deterministic access is also possible.

IX. Security - SAE Authentication

SAE (Simultaneous Authentication of Equals): This is a major security improvement. Instead of traditional initiator/responder models, SAE treats stations as equals.

Peer-to-Peer Security: SAE provides strong security because it’s decentralized and doesn’t rely on rigid roles. Stations can initiate authentication, or both can initiate simultaneously. This makes it more resistant to attacks.

I. What is PPP? – The Flexible Workhorse

• Definition: PPP is a versatile link-layer protocol that enables IP data to be carried over point-to-point serial links – ranging from old dial-up modems to modern DSL and optical networks.

• Versatile: It’s designed to handle both IPv4 and IPv6, and can even support non-IP protocols. This makes it incredibly adaptable to various network environments.

II. Core Features of PPP

RFCs (Request for Comments): The protocol is defined by a series of RFCs (Request for Comments). These are essentially documents that detail the specifications and implementation of PPP. The most important ones are:

• RFC 1661: Basic PPP features.

• RFC 1662: Security enhancements within PPP.

• RFC 2153: Support for multiple network layers (IP, IPv6, and others).

• Extended RFCs – many more detail specific aspects of the protocol.

Flexibility: This is a key strength. PPP's design allows it to be used for a wide variety of connections.

Widely Used: Because of its versatility, PPP is frequently employed by DSL providers. They use it for both connecting to the internet (the link) and for the parameters that control how that connection is set up (like IP addresses, DNS, etc.).

III. PPP vs. Wi-Fi Security – A Simplified Comparison

• PPP: It’s about how the connection is established – ensuring both ends are on the same page. It's a foundational layer.

• Wi-Fi: It’s about how the wireless channel is secured. It uses sophisticated encryption (AES-based CCMP) to protect data transmitted over the wireless medium.

IV. PPP Authentication – Link Establishment

To verify that the two endpoints are legitimate and authorized to communicate.

Methods:

1) PAP (Password Authentication Protocol): Simple and insecure – only used for basic authentication.

2) CHAP (Challenge Handshake Authentication Protocol): More secure – it involves a challenge and response, making it harder for attackers to spoof the connection.

3) 802.1X/EAP: A more robust authentication mechanism, often used with enterprise networks, that integrates with other security systems.

V. PPP - Module Breakdown (LCP, NCPs, Authentication)

LCP (Link Control Protocol): This is the heart of PPP's functionality. It's the initial handshake, ensuring both ends agree on the initial parameters (like the link’s state) of the connection. Think of it as the agreement phase.

NCPs (Network Control Protocols): These protocols are nested within LCP and configure the network-layer-specific details once the link is established. They handle things like IP addresses, routing, and other network-level configurations. This adds a layer of sophistication to PPP.

Authentication: The critical aspect of PPP's security. It provides multiple ways to verify the identity of the devices:

• PAP: Basic authentication – simple, but easily bypassed.

• CHAP: More secure – uses a challenge/response process.

• 802.1X/EAP: Advanced authentication – more robust, integrating with other security systems.

VI. Key Takeaway – PPP's Modular Design

• LCP – Link Setup: The initial, foundational part.

• NCPs – Layer-Specific Configuration: Handles the details of each layer (IP, IPv6, etc.)

• Authentication – Secure Access: Ensures the connection is legitimate and secure.

VII. Framing Basics (HDLC Style)

• PPP borrows its framing from older HDLC protocol. HDLC was a standard for reliable data transfer, and PPP used a similar structure. 

• HDLC is a robust protocol used in IBM SNA and the LLC standard (802.2) to enable secure and reliable communication. 

• PPP adopted HDLC’s framing, demonstrating its evolutionary design.

• In essence, PPP is a sophisticated, highly adaptable protocol that’s been crucial for connecting IP networks for decades. Its modularity, combined with its multiple security features, has made it a foundational element of networking.

VIII. PPP Frame Format (Simplified)

IX. Dealing with Flag Characters (0x7E - 0x7D)

The Core Concept: PPP uses character stuffing to handle the frame's start/end markers (flags) within the data. This is a crucial design choice for security.

The Two Methods:

• Asynchronous Links: When the flag value is inside the data, it’s handled differently. It uses a character stuffing method. This means the flag character (e.g., 0x7E) is replaced with a sequence of characters (0x7D, 0x7D, 0x7D) to prevent the receiver from accidentally recognizing the flag as a valid frame boundary. This ensures the receiver always sees the start/end markers correctly.

• Synchronous Links: When the flag value is outside the data, a 0 bit is inserted after five consecutive 1 bits. This ensures the flag pattern (01111110) only appears at the start and end of the frame, making it difficult for the receiver to interpret the flag as part of the data itself. Essentially, it creates a mask to prevent the receiver from interpreting the flag.

Why it Matters: This mechanism is vital for security because it obscures the flag's presence from potential attackers who might try to manipulate the data.

X. Address & Control Fields

• Address: Always 0xFF (one destination). This is a fundamental requirement for PPP; it signifies that only one destination is allowed.

• Control: Always 0x03 (no HDLC sequencing). PPP doesn’t require the sophisticated sequencing and retransmissions found in HDLC protocols.

• ACFC (Address & Control Field Compression): This is optionally included to reduce the number of fields. It’s a smart optimization. This means the sender can save space by removing these fields. It's often enabled to save on bandwidth, but not always.

• Ethernet Retries: Ethernet typically retries data packets automatically. PPP usually doesn’t do this automatically; it’s often skipped.

XI. Protocol Field

What it Indicates: The Protocol field describes the type of data the PPP frame is carrying.

• Protocol Numbers (0x0000-0x7FFF): These represent different network protocols (IP, for example).

• Low-Volume Protocols (0x4000-0x7FFF): Used for less frequent data transfer.

• NCP (Control Protocol): The protocol field represents the Control protocol. It's used for control messages in PPP.

• LCP (Link Control Protocol): The LCP packet uses the 2-byte format.

XII. Error Checking (FCS)

• FCS (Frame Check Sequence): A crucial error-detection mechanism.

• Default CRC (16-bit): 10001000000100001. This is a standard CRC used for error detection.

• Optional 32-bit CRC: A safety upgrade that adds extra protection (same as Ethernet). It helps in detecting errors even further.

• Importance: The FCS is always applied before any data or byte stuffing. It acts as the final defense against errors during transmission.

XIII. Quick Recap

• LCP: The link setup and management layer for PPP.

• Frames: PPP data is structured as a sequence of layers – LCP, data, payload, FCS, and potentially other fields.

• Stuffing: Used to protect the flag patterns – it’s how the receiver knows to look for start/end markers.

• Address/Control: Fixed fields, can be compressed.

• Protocol: Specifies the type of data being transmitted (IP, LCP, etc.).

• FCS: Error detection – the final check before data transmission.

In short, PPP is a sophisticated protocol that balances security with efficiency, employing various techniques to ensure data integrity throughout the process.

WHAT IS LCP’S ROLE?

LCP’s primary job is to establish a link connection between two endpoints. Think of it as a starting point for communication. It’s not about transmitting data directly, it’s about agreeing on how the connection will work – things like:

Which network layer is used: Is it IPv4 or IPv6?

What initial parameters are set: IP addresses, ports, and other basic configurations.

Authentication: Verifying that both endpoints are authorized to communicate.

I. Key functions and How it works:

a) Establish the Link: LCP's main purpose is to initiate the connection process. It acts as the intermediary that ensures both ends understand the parameters of the connection.

b) Minimal Requirements: LCP has a set of very simple requirements:

• Two-way communication: Both ends need to be able to send and receive data.

• Asynchronous or synchronous: The connection can be established in various ways – either the sending side waits for the receiving side to start transmitting, or vice versa.

• Basic link status: LCP confirms the link is active and ready for communication.

c) Layer-Specific Information: LCP doesn’t handle all protocol details. It primarily focuses on the initial setup – establishing the link's basic state.

II. How does it fit into the bigger picture (PPP)?

• LCP as the Foundation: LCP is the very first protocol that PPP uses to initiate the connection. It's the handshake that starts the communication.

• PPP’s Layered Approach: PPP is built on top of LCP. Each layer (IP, IPv6, etc.) has its own protocols and configuration, but LCP provides the initial agreement and authorization before any data is exchanged.

III. Key Elements Within LCP (and why it’s important):

• Authentication: LCP is responsible for the initial security of the connection, using protocols like PAP, CHAP, and 802.1X. This is vital for preventing unauthorized access.

• Link State Discovery: LCP helps establish a link state. This means the two endpoints agree on the link’s current state – is it up, is it connected, are there any problems?

IV. Why is LCP so important in PPP?

• Efficiency: By handling the initial handshake, LCP reduces the amount of data that needs to be exchanged during the connection process, making PPP more efficient.

• Reliability: The initial establishment of the link through LCP ensures the connection is not lost.

• Standardization: LCP acts as a fundamental standard, promoting interoperability between different network devices and protocols.

• Analogy: Think of LCP as the meeting at the beginning of a party. It sets the stage – who's there, where are they, and what the rules are – before the real event (data transmission) can begin.

PURPOSE OF LCP

LCP is part of PPP (Point-to-Point Protocol) and is used to:

1. Establish a basic point-to-point link between two peers.

2. Negotiate options for the link (like maximum frame size, authentication, etc.).

3. Maintain and test the link while active.

4. Terminate the link cleanly when done.

It is general-purpose, meaning its structure forms the basis for other network control protocols in PPP.

I. LCP Packet Structure

II. Key LCP Messages – The Core of the Protocol

LCP (Link Control Protocol) is a crucial protocol used in PPP (Point-to-Point Protocol) to manage the lifecycle of a link connection. 

It’s designed to provide a flexible and robust way for PPP peers to communicate and coordinate actions related to a link. The messages involved are vital for establishing, maintaining, and terminating connections. Let's look at each one:

• Configure-Request: This message is sent by the PPP peer to the other peer. It initiates the process of defining the link's characteristics – things like the Maximum Route Value (MRU), authentication settings, and other necessary parameters. Think of it as saying, Hey, I want to establish this link and how it should work.

• Configure-ACK: This message is sent from the PPP peer to the other peer. It acknowledges the configuration request. It signifies that the peer has received and understood the configuration details. It essentially says, I agree to the settings you've proposed.

• Configure-NACK: This message is sent from the PPP peer to the other peer. It rejects the configuration request. Importantly, it also suggests alternative options or configurations. It's a way of saying, I can't agree to your settings. Here's a different approach.

• Configure-REJECT: This message is sent from the PPP peer to the other peer. It completely rejects the configuration request. It's a strong signal that the peer is not going to agree to the current proposed configuration.

Key Role of These Messages: These messages act as a conversation starter. They’re the foundation of how PPP peers coordinate their actions on a link.

III. LCP Operation Timeline – How it Works

The LCP protocol operates in a specific sequence

1. Link Detection: The underlying protocol starts by signaling the presence of a link. This is a fundamental indicator that a connection has begun.

2. Link Establishment: This is the heart of LCP – it involves a series of messages:

• Exchange Configure-Request/ACK/NACK/REJECT: The PPP peer sends Configure-Request, Configure-ACK, Configure-NACK, and Configure-REJECT messages to the other peer. These messages contain the parameters that define the link – things like the MRU (Maximum Route Value – a critical parameter determining the maximum possible route value for the link), authentication settings, and other relevant data.

• Agree on Options: Upon receiving these messages, the peers essentially agree on the parameters for the link. This agreement is often achieved through a mechanism involving authentication.

3. Authentication (Optional): If the agreement involves security (like authentication), an optional authentication process is initiated. This usually uses PAP or CHAP – a standard protocol for secure communication. This is a critical security step.

4. Link Maintenance: This phase focuses on ensuring the link remains active. The key actions here are:

• Periodic Echo-Request/Reply: The PPP peer sends Echo-Request messages to the other peer, requesting a response. This keeps the link alive and confirms the peer's responsiveness.

• Discard/Time-Remaining Messages (Optional): The PPP peer can send Discard or Time-Remaining messages to the other peer to signal a period of inactivity or a deadline.

5. Link Termination: This is the final step where the PPP peer terminates the link. It involves:

• Terminate-Request: The PPP peer sends Terminate-Request.

• Peer Responds with Terminate-ACK: The other peer responds with Terminate-ACK.

• Carrier Loss Indication: The underlying link layer immediately indicates that the link has lost communication. This signal is critical for the other peer to react appropriately.

IV. Key Points: Understanding the Protocol

• Flexibility: LCP allows for highly flexible link negotiation. It’s not just about what parameters are agreed upon, but how those parameters are defined.

• Loop Prevention: The magic number check is a core feature. It's a way to ensure the link is loop-free – a crucial aspect of network stability.

• Administrative and Performance Functions: LCP provides a solid foundation for more complex protocols by incorporating features like identification (knowing the system type), discard (to signal inactivity), and time remaining (to manage link lifespan).

• Foundation for Higher-Level Protocols: LCP serves as the groundwork for protocols like NCP, which are crucial for network management.

V. LCP Operation Timeline – A Visual Recap

Link Detection

When a physical connection becomes available (for example, modem or serial cable), PPP detects that the link is active.

Link Establishment

LCP sends Configure-Request packets to negotiate link parameters such as:

• Maximum frame size (MRU)

• Authentication protocol (PAP or CHAP)

• Compression options

The other side replies with:

• Configure-Ack (accept)

• Configure-Nak (suggest changes)

• Configure-Reject (deny option)

• Authentication (if required)

If authentication is negotiated, PPP uses protocols like:

• Password Authentication Protocol (PAP)

• Challenge-Handshake Authentication Protocol (CHAP)

• This verifies identity before allowing network-layer communication.

Link Maintenance

LCP monitors the link using Echo-Request and Echo-Reply messages to ensure it is still functioning properly.

Link Termination

When communication needs to end, one side sends a Terminate-Request.

Terminate-ACK

The other side replies with Terminate-Ack, confirming the link is closed.

Carrier Lost

If the physical connection drops unexpectedly, LCP detects the failure and closes the link automatically.

Page 170 Topic 3....LCP Options...