Introduction to IEEE 802.11 Wireless LANs (WLANs)

Introduction to IEEE 802.11
Wireless LANs (WLANs)
Li-Hsing Yen
National University of Kaohsiung

Protocol
802.11
802.11a
802.11b
802.11g
802.11n
802.11y
IEEE 802.11 Family
Release
1997
1999
1999
2003
2009
2008
Frequency
(GHz)
2.4
5
2.4
2.4
2.4 / 5
3.7
Typical
throughput
(Mbps)
0.9
23
4.3
19
74
23
Max. data
rate
(Mbps)
2
54
11
54
600
54
Modulation
IR / FHSS/
DSSS
OFDM
DSSS
OFDM
OFDM
OFDM

802.11 (Legacy Mode)
• Data rate: 1 or 2 Mbps
• One MAC specification
– CSMA/CA
• Three Physical specification
– Radio
• Frequency hopping spread spectrum (FHSS)
• Direct sequence spread spectrum (DSSS)
– Infrared Red (no implementation)

IEEE 802.11b (1999)
• Marketing name: Wi-Fi
• Operates in 2.4 GHz (ISM band)
• MAC: CSMA/CA
• Adaptive Rate Selection: 11, 5.5, 2, 1
Mbps
• Channels are overlapping

802.11b Overlapping Channels

Adaptive Rate Selection
• Performance of the
network will also be
affected by signal
strength and degradation
in signal quality due to
distance or interference.
• As the signal becomes
weaker, Adaptive Rate
Selection (ARS) may be
invoked.

IEEE 802.11a (1999)
• Operates in 5 GHz
• MAC: CSMA/CA
• Multiple data rates: 54, 48, 36, 24, 18,
12, 9, or 6 Mbps
• originally had 11 non-overlapping
channels

IEEE 802.11g (2003)
• Operates in 2.4 GHz (like 802.11b)
• MAC: CSMA/CA
• Supported data rates: 54, 48, 36, 24, 18,
12, 9, or 6 Mbps (like 802.11a)
• hardware is fully backwards compatible
with 802.11b (11, 5.5, 2, 1 Mbps)

IEEE 802.11n (2009)
• Max. data rate: 600 Mbps (currently 300
Mbps)
• based on MIMO (multiple-input multipleoutput)
technology
– multiple transmitter and receiver antennas
• adding Frame Aggregation to MAC:
– Packing multiple data units together to
reduce overheads

Infrastructure Vs. Ad Hoc Mode
• Infrastructure mode
– wireless stations (WSs) are connected to a
wired network through access points (APs)
– all traffic from/to WSs are through APs
• Ad hoc mode
– WSs connect each other directly without
the use of APs

Wireless NIC
• NIC (Network Interface Card)

Access Point (AP)
• Usually connects wireless and
wired networks
– if not wired
• acts as an extension point
(wireless bridge)
• consists of a radio, a wired network interface (e.g.,
802.3), and bridging software conforming to the 802.1d
bridging standard
• Number of clients supported
– device dependent

Wireless network
WS
Application
TCP
IP
802.11 MAC
802.11 PHY
AP as a Bridge
AP
802.11 MAC
802.11 PHY
server
802.3 MAC
802.3 PHY
Fixed
station
infrastructure network
Application
TCP
LLC LLC
LLC
IP
802.3 MAC
802.3 PHY

Basic Service Set (BSS)
An AP and a set of WSs
associated with that AP
BSS
AP
Coordinated
function

Coordinated Functions (MACs)
• Two types of
coordinated functions
– Point Coordinated
Function (PCF)
• Polling based MAC;
no implementation
– Distributed Coordinated
Function (DCF)
• CSMA/CA
Contentionfree
service
PCF
LLC
DCF
Contentionbased
service

Independent Basic Service Set
A BSS without
Access Point
IBSS
Ad hoc mode
(IBSS)

Extended Service Set (ESS)
• ESS: one or more BSSs
interconnected by a Distribution
System (DS)
• Traffic always flows via AP
• allows WSs to seamlessly roam
between APs

Distributed System (DS)
• A thin layer in each AP
– embodied as part of the bridge function
– keeps track of AP-WS associations
– delivers frames between APs
• Three types:
– Integrated: A single AP in a standalone network
– Wired: Using cable to interconnect APs
– Wireless: Using wireless to interconnect APs

ESS:
Single BSS (with integrated DS)
A cell
BSS
AP
91.44 to 152.4 meters

BSS
ESS: BSS’s with Wired
Distribution System (DS)
Distribution
System
20-30% overlap
BSS

BSS
ESS: BSS’s with Wireless
Distribution System (DS)
Distribution
System
BSS

BSSID
• Each BSS has an ID, a 48-bit identifier to
distinguish from other BSS.
• In an infrastructure BSS,
– BSSID = MAC address of the AP.
• In an IBSS, BSSID has
– Universal/Local bit = 1
– Individual/Group bit = 0
– 46 randomly generated bits
48-bit field of the same
format as an IEEE 802
MAC address
• The all-1s BSSID is the broadcast BSSID.

ESSID in an ESS
• ESSID (Extended Service Set
Identification) differentiates one ESS
from another
– All APs within the same ESS must be
configured with the same ESSID
• WS must know the right ESSID to be
able to associate itself with a specific
WLAN

SSID (Service Set Identifier)
• Service set ID used in an IBSS or
ESS
– An IBSS with no APs uses the BSSID
– In an infrastructure wireless network,
the ESSID is used

ESSID

Connecting to a WLAN
WS AP
Active or Passive Scanning
Authentication Request
Authentication Response
Association Request
Association Response
802.1X (Optional)
802.11i (Optional)
Probing
802.11
Authentication
Association
higher-layer
Authentication

Probing Phase
• Find an available AP
• APs may operate at different channels
(11 channels in total in case of 802.11a)
• Should scan a channel at least
MinChannelTime
• If an AP is found, should last
MaxChannelTime

WS
Active Scanning
Probe Request with ESSID
Probe Response
Switch to a
channel and
send Probe Req.
AP
If ESSID
matches
or ESSID
= NULL

WS
Passive Scanning
Beacon with ESSID
Switch to a
channel and
wait for Beacon
AP

WS AP 1
Full Scanning
Scan channel 1
Scan channel 2
Beacon or Probe Resp
Scan channel 3
…
Scan channel 11
AP 2 AP 3
MinChannelTime
MaxChannelTime

Association & Re-association
• Association: The mapping between some
AP’s port and an WS
• Association must exist before network
services can be used
• WLAN Association replaces the physical link
in a wired LAN
• WS may later re-associate to another AP with
higher signal quality (handoff)

802.11 Authentication
802.11 authentication occurs at Layer 2.
It is the process of authenticating the
device not the user.
WS
Authentication request
Authentication response
(Accept or Reject)
AP

802.11 Authentication
Methods
• Open-system Authentication (standard)
• MAC Address filtering (commonly used)
• Shared key authentication (standard)

Open-System Authentication
• The authentication request contain a NULL
authentication protocol. It must have the AP
SSID .
• The AP will grant any request for
authentication
WS
Authentication Request
Authentication response
AP

Open-System Authentication
Open-system
Authentication
實際驗證

MAC Address Filtering
• Not specified in the 802.11 standard, but
supported by many vendors (e.g. Cisco)
• Can be added to open-system and shared
key authentication
WS
(Client)
Auth. Request
Access Point
Access-Request
(MAC sent as RADIUS req.)
Auth. Response (Success/Reject) Access-Success/Reject
RADIUS
Server

Shared Key Authentication
• based on wired equivalent privacy (WEP)
• Requires that the WS configures a static WEP key
Client Access Point
Authentication Request
Authentication response (challenge)
Authentication Request(encrypted challenge)
Authentication response(Success/Failure)

WEP-Based Authentication
• WEP is designed for data encryption
• Used by IEEE 802.11 for authentication
• AP generates a random bit patterns
(challenges) and sends it to client
• The client encrypts the challenges and
returns the result to AP
• If that result matches AP’s local encryption,
the client is authenticated

Initialization
Vector (IV)
WEP Encapsulation
1. P = 〈M || checksum(M)〉 {p=plaintext}
2. KeyStream = RC4 (IV || k) {k=shared-key}
3. C = XOR (P, KeyStream) {c=ciphertext}
4. Transmit (IV, C) {IV=init-vector}
WEP Key k
M
||
RC4 key
CRC-32
RC4
Algorithm
KeyStream
| |
P
Integrity Check Value (ICV)
⊕ C
IV
Ciphertext
Message

IV
(3 octets)
RC4 Algorithm
Secret Key (5 or 13 octets)
RC4 Key
RC4 Algorithm
0100111001…
• Standard: 24 + 40 = 64 bits
• Vendors: 24 + 104 = 128 bits
pseudo-random sequences of bytes
passes all usual randomness tests

WEP Decapsulation
1. KeyStream = RC4 (IV || k)
2. P’ = XOR (C, KeyStream) = 〈M’ || checksum(M)〉
3. If checksum(M’) = (checksum(M))’
Then P’ is accepted
WEP Key
IV
Ciphertext
Message
||
RC4
key
RC4
Algorithm
Key stream
⊕
P’
Plaintext
CRC 32
ICV
M’
ICV’
ICV' = ICV?

802.11 WEP frame
The IV sent with the ciphertext contains
two fields: = IV & KeyID (4 bytes)
802.11
header
IV
KEY ID
Payload
ICV
(FCS)
Unencrypted
Encrypted
ICV is a CRC-32 checksum
over the Payload (802 Header
and the Data)

WEP Key Management
• What is “KeyID”?
– Each entity in the wireless LAN (AP, WS) is
configured with four static WEP keys
• KeyIDs 0,1,2,3
– The keys are shared by an AP and all the
WSs accessing it
– The ID of the key used for
encryption/decryption appears in the
packet WEP header

WEP Configurations
Standard
RC4 key
Secret Key
Key ID
5 octets

Security Flaw in WEP:
Keystream Reuse
• The same keystream is used to encrypt
multiple messages
• Because k is fixed, the same keystream
is derived when IVs collide
• The chance of keystream reuse is
further increased by sharing the key
among multiple WSs and the AP.

Weaknesses of WEP:
Overall Key Space is Too Small
• IV change per packet is OPTIONAL
– If the “IV || key” for RC4 is changed
for every 802.11 packet, repeated
patterns can occur more frequently
– at the rate of 11 Mbps of 1,500
bytes/packet, all key space will be
exhausted in about 5 hours.

Weaknesses of WEP (cont.)
• Poor key management
– WEP uses same key for
authentication/encryption
– Provides no mechanism for session key
refreshing
• one-way authentication:
– has no provision for WSs to
authenticate/verify the integrality of AP

Possible Attack to WEP
• Suppose an attacker have plaintext P 1 and
ciphered text C 1, and he also gets C 2
• He can compute
C 1 ⊕ C 2=(P 1 ⊕ K) ⊕ (P 2 ⊕ K) =(P 1 ⊕ P 2)
where K is the keystream.
• Although the attacker does not know K, he
can get plaintext P 2 anyway.

Wi-Fi Protected Access (WPA)
• WPA addresses the security flaws in WEP
through the following primitives
– Temporal Key Integrity Protocol (TKIP)
– message integrity codes (MICs)
– 802.1x authentication
• yet retains backward compatibility with legacy
WEP devices
– still based on RC4

• TKIP derives the
keystream in a
way different from
WEP
• IV is reset to 0
whenever TK is
changed, then
incremented by
one after each
transmission.
TKIP

802.11 Key Management
• Key Management:
– BKR (broadcast key rotation)
• AP periodically broadcasts WEP shared key
• The initial WEP key only used for registration at
the first time.
– So the WEP key is used less frequently.
– TKIP (temporal key integrity protocol)
• hashing the key before using it for encrypting a
packet

WPA Configurations
WPA

802.1X
• based on EAP (extensible authentication
protocol, RFC 2284), which provides
technology independent framework
– still one-way authentication
– initially, WS is in an unauthorized port
– an “authentication server” exists
– after authorized, the WS enters an
authorized port
– 802.1X.

Three Main Components
– supplicant: usually the client
(WS) software
– authenticator: usually the
access point
– authentication server: usually a
Remote Authentication Dial-In
User Service (RADIUS) server

Extensible Authentication
Protocol (EAP)
• the AP does not provide authentication to the client,
but passes the duties to a more sophisticated device,
possibly a dedicated server, designed for that
purpose.
Authentication
request
Authentication
response
Authentication
request
Authentication
response
Authentication
server

802.1X – How it works
Client
Let me in! (EAP Start)
What’s your ID? (EAP-request identity message)
ID = xxx@yyy.local (EAP Response)
The answer is “47”
Come in. Here is the session key.
http://yyy.local\index.htm
AP
Is xxx@yyy.local OK?
Prove to me that you are
xxx@yyy.local
Auth Server
“RADIUS”
Let him in. Here is the session key.
EAP Challenge/
Authentication
Encrypted
session
network

Step 1
• Initially, WS is in an unauthorized port
– only 802.1X traffic from WS is forwarded.
– Traffics such as Dynamic Host
Configuration Protocol (DHCP), HTTP,
FTP, SMTP and Post Office Protocol 3
(POP3) are all blocked.
• The client then sends an EAP-start
message.

Step 2
• The AP will then reply with an EAP-request
identity message to obtain the client's identity.
– The client's EAP-response packet containing the
client's identity is forwarded to the authentication
server.
• The authentication server is configured to
authenticate clients with a specific
authentication algorithm.
– The result is an accept or reject packet from the
authentication server to the access point.

Steps 3 and 4
• Upon receiving the accept packet, the AP will
transit the client's port to an authorized state,
– then all traffic will be forwarded.
• Notes:
– 802.1X for wireless LANs makes NO mention of
key distribution or management.
• This is left for vendor implementation.
– At logoff, the client will send an EAP-logoff
message to force the AP to transit the client port
to an unauthorized state.

MAC Management Layer
• Synchronization
– Time Synchronization Function (TSF)
• Power Management
– Sleeping without missing any messages
– Power management functions
• Periodic sleeping, frame buffering, traffic
indication map
• Association and reassociation
– Joining a network
– Roaming, moving from one AP to another

Traffic Flow: Inter-BSS
STA-1
Associate
Bridge learn
table
STA-1
2
STA-2 2
2為無線介面
為無線介面
Association table
STA-1
STA-2
Inter-BSS
Relay
ACK
Packet for STA-2 Associate
ACK Packet for STA-2
BSS-A
STA-2

Traffic Flow: ESS Operation
Bridge learn
table
STA-2 1
STA-1
Packet for STA-2
STA-1
2
1為有線介面
為有線介面
Association table
STA-1
ACK
BSS-A
Backbone
Bridge learn
table
STA-2
STA-1
Packet for STA-2
BSS-B
2
1
Association table
STA-2
STA-2
ACK

STA-1
Traffic Flow: WDS Operation
Bridge learn
table
STA-2 2
STA-1
Packet for STA-2
2
ACK
Association table
STA-1
WDS
Relay
BSS-A
Wireless
Backbone
Packet for STA-2
ACK
Bridge learn
table
STA-2
STA-1
2
2
BSS-B
Association table
STA-2
Packet for STA-2
ACK
STA-2
WDS
Relay

Synchronization in 802.11
• All stations maintain a local timer
• Time Synchronization Function
– Keeps timers from all stations in sync
• Timing conveyed by periodic Beacon
transmissions
– Beacon contains Timestamp for the entire
BSS
– Timestamp from Beacons used to calibrate
local clocks

802.11 Time Synchronization
Function (TSF)
• Beacon的產生週期稱為Beacon Period
• 可以傳送Beacon訊息的時間點稱為Target
Beacon Transmission Times (TBTTs)
– 每個TBTT間隔一個Beacon Period的時間
• Beacon transmission may be delayed by
CSMA deferral
• Timestamp contains timer value at transmit
time

Which One Generates Beacons?
• In infrastructure mode,
– APs generate beacon frames
• In ad-hoc mode,
– Any host can generate beacon
frames
– Collisions should be avoided

Avoiding Beacon Collisions in Ad
Hoc Mode
• 當TBTT時間點到時,每個節點並不立即送出
Beacon訊息,而是等待t時槽的時間。t的值由
節點個別從[0, w]之間的整數中隨機選出,其中
w是一個固定的系統參數,稱為Beacon
Contention Window Size。
• 節點等待時同時監聽網路上的訊息。若節點在t
時槽時間內未聽到其他節點送出的Beacon訊
息,則在t時槽時間過後可送出自己的Beacon
訊息。
• 若節點在t時槽時間內聽到別的節點送出的
Beacon訊息,則取消傳送,改為接收此訊息。
• 每個接收到Beacon訊息的節點檢視其中的時間
戳記。若發現Beacon訊息的時間戳記晚於自己
本身時鐘的時間,則將自己的時鐘調整成時間
戳記所示的時間。

Power Management
• Power management is important to mobile devices
that are battery powered.
• Current LAN protocol assumes stations are always
ready to receive
– Idle receive state dominates LAN adaptor power
consumption over time
• 802.11 Power Management Protocol
– allows transceiver to be off as much as possible
– is transparent to existing protocols

Power Management in
Infrastructure Mode
• Allow idle stations to go to sleep
– Station’s power-save mode is stored
in AP
• APs buffer packets for sleeping stations
– AP announces which stations have
frames buffered in beacon frames
– Traffic Indication Map (TIM) sent with
every Beacon

Power Management in
Infrastructure Mode (cont.)
• Power saving WSs wake up periodically
(every aListen_Interval period)
– listen for Beacons
• If it has packets buffered, it then sends a
power-save poll request (PS-POLL) frame to
the AP
• AP will send the buffered frame to the WS
• The WS can sleep again

Power-Saving Mode
• broadcast frame will be sent immediately
after a DTIM (Delivery TIM) without receiving
PS-poll first
AP
WS in
PS mode
Beacon Period
TIM
Data
TIM TIM DTIM TIM
PS-poll
aListen_Interval
Broadcast
msg. arrives
broadcast
power-on
period

Power Management in Ad Hoc
Mode
• Similar to the infrastructure mode
• However, the buffering scheme is achieved
by the sending station (as no AP here)
• Sleeping station also wakes up periodically to
listen to Beacon and ATIM
– If it has data buffered, sends an Ack and
wakes up
– Sending station sends the data to the
sleeping station

Example of Power Saving in Ad
Hoc Mode

Distributed Coordination
Function (DCS): CSMA/CA
• Largely based on MACAW
• CSMA: Carrier Sense Multiple Access
– physical carrier sense: physical layer
– virtual carrier sense: MAC layer
• network allocation vector (NAV)
• CA: Collision Avoidance
– random backoff procedure

Carrier Sensing in 802.11
• Physical Carrier Sensing
– Analyze all detected frames
– Monitor relative signal strength from other sources
• Virtual Carrier Sensing at MAC sublayer
– Source stations informs other stations of
transmission time (in μsec) for a transmission
– Carried in Duration field of RTS & CTS
– Stations adjust Network Allocation Vector (NAV) to
indicate when channel will become idle
• Channel busy if either sensing is busy

DCF: Basic Access
• For an initial transmission
– WS can transmit after the medium is idle
(not busy) for at least DIFS period
– Otherwise perform random backoff
• For a retransmission
– WS can transmit after the medium is idle
for at least EIFS period
– Otherwise perform random bakoff

Random Backoff
• If channel becomes busy before DIFS/EIFS,
then WS must schedule backoff time
– Backoff period is integer # of idle contention time slots
– Waiting station monitors medium & decrements
backoff timer each time an idle contention slot
transpires
– Station can contend when backoff timer expires
• A station that completes a frame transmission is
not allowed to transmit immediately
– Must first perform a backoff procedure

Setting Random Backoff Timer
• When the backoff timer already contains a
non-zero value
– No change (this is a frozen time)
• Otherwise
– Backoff time = CW * aSlotTime
– aCWmin ≦ CW ≦ aCWmax;
– CW = aCWmin initially, doubles after each
retry, and resets to aCWmin when success

Random Backoff Process
busy
DIFS
random 1
contention
window
random 2
data frame
All stations must wait DIFS
after medium becomes idle
random 3
time
The winner

Immediate access when
medium is free >= DIFS
DIFS
Basic Access Method
Busy medium
Defer access
DIFS
PIFS
SIFS
Contention
window
Wait for
reattempt time
Next frame
Decrement backoff timer
as long as medium is dile
Time

DIFS
Priorities Through Interframe
Busy medium
Defer access
Spacing (IFS)
DIFS
PIFS
SIFS
Contention
window
Wait for
reattempt time
• High-Priority frames wait Short IFS (SIFS)
– Typically to complete exchange in progress
– ACKs, CTS, data fragments, etc.
Next frame
Time
• PCF IFS (PIFS) to initiate Contention-Free Periods
• DCF IFS (DIFS) to transmit data & control frames

SIFS: Giving Priority to ACK
Source
busy
Destination
Others
DIFS
SIFS
contention
window
data frame
SIFS
ACK
Defer access
DIFS

Source
busy
Destination
Others
SIFS: Giving Priority to RTS/CTS
RTS
contentions
SIFS SIFS
CTS
data frame
NAV (RTS)
SIFS
NAV (CTS)
ACK
DIFS
contention
window

Timing Relationship

EIFS: Low Priority to
Retransmission
• A sender that fails to receive ACK from
the receiver should retransmit the frame
• The sender should wait at least EIFS >
DIFS period
• This gives low priority to
retransmissions

Source
busy
Destination
Others
EIFS: Low Priority
Retransmission
DIFS
SIFS
contention
window
data frame
DIFS
SIFS
Defer access
EIFS
No
ACK
can
resend
contention

SIFS: Transmitting Fragments
Source
Destination
Others
Fragment 1
SIFS
SIFS
Fragment 2
SIFS
ACK ACK
Defer access
DIFS
SIFS
Contention
Window

RTS/CTS is Optional
• system parameter RTSThread
– RTS/CTS is used only when frame
size ≥ RTS_Threshold

Throughput Issues
• When a source node sends a frame, the
receiving node returns a positive
acknowledgment (ACK).
– This can consume 50% of the available bandwidth.
• This overhead, combined with the collision
avoidance protocol (CSMA/CA) reduces the
actual data throughput to a maximum of 5.0
to 5.5 Mbps on an 802.11b wireless LAN
rated at 11 Mbps.

Point Coordination Function
• An alternative access method
• Shall be implemented on top of the DCF
• A point coordinator (polling master) is used to
determine which station currently has the
right to transmit.
• Shall be built up from the DCF through the
use of an access priority mechanism.
• Different accesses of traffic can be defined
through the use of different values of IFS.

PIFS
SIFS
B
D1+poll
Contention Free Period
SIFS
U1+ack
SIFS
SIFS

IEEE 802.11 Frame Types
• Management Frames:
– Beacon
– Probe Request/Response, Authentication Request/Resp.
• Control Frames:
– CFP-End
– RTS, CTS
– ACK
• Data Frames:
– data frames (in both CFP and CP)
– data frames can be combined with polling and ACK during
CFP

Bytes:
MAC Frame Format
• Each frame consists of three basic components:
Frame
Control
– MAC Header (control information, addressing, sequencing
fragmentation identification, duration, etc.)
– Frame Body (0-2312 bytes)
– IEEE 32-bit CRC
2 2 6 6 6 6
Protocol
Version
Duration
or ID
802.11 MAC Header
2 0-2312 4
Addr 1 Addr 2 Addr 3
Sequence
Control
Addr 4 Frame
Body
CRC
Bits: 2 2 4 1 1 1 1 1 1 1 1
Type SubType
To
DS
DS
From More
Frag
Retry Pwr
Mgt
More
Data
WEP Rsvd

802.11 MAC Header Fields
• Duration/Connection ID
– used to distribute a value (us) that shall update the
Network Allocation Vector in stations receiving the
frame.
– Contention-based data uses duration to indicate the
length of the transmission.
– During the contention-free period, this field may be
replaced with a connection ID field.
• Address Fields
– indicate the BSSID, SA, DA, TA (Transmitter address),
RA (Receiver address), each of 48-bit address.

Protocol
Version
Type Fields Descriptions
Type SubType
To
DS
• Type and subtype identify the function of the frame:
• Type=00 Management Frame
– Beacon (Re)Association
– Probe (De)Authentication
– Power Management
• Type=01 Control Frame
– RTS/CTS ACK
• Type=10 Data Frame
DS
From More
Frag
Retry Pwr
Mgt
More
Data
WEP Rsvd

Address Field Description
Protocol
Version
IBSS Frame
Frame from AP
Frame to AP
WDS Frame
Type SubType
To DS
0
0
1
1
To
Distributed
System
To
DS
From DS
0
1
0
1
From More
DS Frag
From
Distributed
System
Address 1
DA
DA
BSSID
RA
Retry Pwr
Mgt
Address 2
SA
BSSID
SA
TA
More
Data
Address 3
BSSID
SA
DA
DA
WEP Rsvd
DA = Destination Address
SA = Source Address
TA = Transmitter Address
RA = Receiver Address
Address 4
N/A
N/A
N/A
SA
BSSID = AP’s MAC Address

MAC Addr = SA
SSID in IBSS
IBSS Frame
DA
SA
BSSID
ToDS = 0
FromDS = 0
Addr1
Addr2
Addr3
IBSS
MAC Addr = DA

Addr1
Addr2
Addr3
Frame To/From AP
BSSID
SA
DA
MAC Addr = SA
ToDS = 1
FromDS = 0
MAC Addr =
BSSID
DA
BSSID
SA
ToDS = 0
FromDS = 1
Addr1
Addr2
Addr3
MAC Addr = DA

MAC Addr
= TA
TA
SA
DA
MAC Addr = SA
WDS Frame
ToDS = 1
FromDS = 0
WDS
ToDS = 1
FromDS = 1
RA
TA
DA
SA
Addr1
Addr2
Addr3
Addr4
MAC Addr
= RA
ToDS = 0
FromDS = 1
DA
RA
SA
MAC Addr = DA

Other Frame Control Fields
Protocol
Version
Type SubType
• More Flag:
• Retry: Indicates that the frame is a retransmission of
an earlier frame.
• Power Management:
– Active Mode
To
DS
– PS Mode (Power Save)
DS
From More
Frag
Retry Pwr
Mgt
More
Data
WEP Rsvd

Control Frames: RTS Frame
Frame
Control
MAC Header
RTS Frame
Duration RA TA FCS
• RA: the addr. of the STA that is the intended
immediate recipient of the pending directed data or
management frame
• TA: the addr. of the STA transmitting the RTS frame
• Duration: T(pkt.) + T(CTS) + T(ACK) + 3 * SIFS

Control Frames: CTS Frame
MAC Header
CTS Frame
Frame
Control Duration RA FCS
• RA: is taken from the TA field of the
RTS frame.
• Duration: T(pkt.) + T(ACK) + 2 * SIFS

Control Frames: ACK Frame
ACK Frame
MAC Header
Frame
Control Duration RA FCS
• RA: is taken from the address 2 field of the
data, management, or PS-Poll frame

Control Frames: PS-POLL Frame
Frame
Control
PS-Poll Frame
MAC Header
AID BSSID TA FCS
• When a station wakes from a PS mode, it transmits a PS-Poll
to the AP to retrieve any frames buffered while it was in the
PS mode.
• TA: the addr. of the STA transmitting the Poll frame
• AID = association ID (a 2-byte numeric number to identify
this association)
• BSSID = MAC address of the AP

Summary
• IEEE 802.11 Wireless LAN Architecture
• IEEE 802.11 Physical Layer
– DSSS
– Authentication: WEP, 802.1x
• IEEE 802.11 MAC
– CSMA/CA
– PCF