Monday, August 24, 2015

802.11 Legacy Power Save

Key Points:

  • AP buffers frames for the stations. 
  • After frames have been buffered, the station is notified through the TIM IE present inside the beacon frames. Stations do not poll to check for buffered frames, since that would require the station to transmit, which is not power efficient.
  • A station informs the AP that it is going into sleep mode by sending a NULL data frame with the "Power Management" bit in the frame control flags set to 1.
  • During association, the station specifies a Listen Interval (inside the association request), which is the number of beacons the station will skip while sleeping. This means the AP should be capable of buffering frames for that long. However, the AP is free to discard frames buffered beyond the listen interval.
  • There is no limit on the listen interval; a value of 0xe1 was observed with one wireless adapter.
  • The station goes back to sleep mode if it finds, on expiry of its listen interval, that the AP has no buffered frames for it.
  • Each station gets an association ID (1-2007) after association. Association ID 0 is reserved for indicating multicast and broadcast frames.
  • The virtual bitmap is a 2008-bit value, with each bit representing the corresponding association ID.
  • Since all clients do not enter power save mode simultaneously, the virtual bitmap is sent partially (to reduce the length of the beacon frame) and is called the "Partial Virtual Bitmap". The PVB picks a window of association IDs from the virtual bitmap and drops the leading and trailing zeros of that window.
  • Any frame sent by the station in the up-link direction WILL inform the AP that the station is in the active state (no NULL frame is required). E.g. when a ping request is sent by the station, the AP assumes that the station is active, so the ping reply is not buffered and is sent as it arrives. After this frame exchange, the station remains in the active state and needs to send a new NULL frame to the AP if it wants to re-enter the Power Save state.
  • The station waits a certain time (~200 msec) for data frames; if no data frame arrives during that period, it goes to the sleep state and informs the AP by sending a NULL frame with the "Power Management" bit set.
  • Collecting Uni-cast Traffic:
    • PS-Poll Method (less efficient): To retrieve each frame from the AP, the station sends a PS-Poll frame (acknowledged by the AP). It keeps doing so until no frame is left on the AP, which is indicated by the More Data flag being set to zero in the data frame.
    • Active State Method (more efficient): The station sends a NULL frame with the "Power Management" bit set to 0, indicating that it has entered the active state. After this frame, the AP sends all the buffered frames to the station.
  • Indication of Legacy Power Save Support: There are no special fields; the absence of WMM power save is the indication of legacy power save.
  • Format of TIM IE


  • Finding the association IDs present in the "Partial Virtual Bitmap" needs the Length field, the Bitmap Offset field and the "Partial Virtual Bitmap" field itself; check here.
  • Collecting Multicast & Broadcast Traffic [DTIM Period & DTIM Interval]
    • Every beacon contains the DTIM Period and the DTIM Count.
    • The DTIM Count is what lets stations synchronize to collect multicast / broadcast traffic.
    • A beacon frame with DTIM Count zero can be referred to as a special DTIM beacon. After this DTIM beacon, the AP transmits the buffered broadcast and multicast traffic.
    • The DTIM Period is decided by the AP. A value of 2 indicates that every second beacon is a DTIM beacon, and a value of 3 indicates that the beacon after two normal beacons is a DTIM beacon. The DTIM Period remains fixed in all beacons.
    • The DTIM Count starts from DTIM Period - 1 and is decremented with every beacon.
    • The DTIM interval is decided by the AP. If a station with a large listen interval (> DTIM Interval) connects, will it increase the latency of multicast frame delivery?
      • Ans: No, as delivery of multicast & broadcast frames is tied to the DTIM interval, not to the listen interval. However, because of the low DTIM interval, even stations with a high listen interval need to wake up regularly for multicast & broadcast, which negates the effect of power save. To avoid this, some features have been implemented:
        • Proxy-ARP: The most frequent broadcast traffic is ARP requests to clients, which can be avoided with the proxy-ARP feature, where the AP answers ARP requests coming from the distributed network on the clients' behalf. Supported by Cambium APs.
        • Another option is converting multicast to unicast packets, something Aruba calls "Battery Boost".
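To make the TIM IE points above concrete, here is an added example (my own code, not part of the original notes) that builds a TIM element from a set of AIDs and decodes it back, showing how Length, Bitmap Offset and the Partial Virtual Bitmap window relate, and where DTIM Count / DTIM Period sit in the element. The AIDs used are constructed sample values.

```python
# Added example (not from the original post): build and decode an 802.11 TIM
# element to show how Length, Bitmap Offset and the Partial Virtual Bitmap
# map back to association IDs, and where DTIM Count / Period sit in the IE.
from dataclasses import dataclass

TIM_ELEMENT_ID = 5        # Element ID of the TIM IE
MAX_AID = 2007            # AIDs 1..2007 are valid; AID 0 = multicast/broadcast


@dataclass
class Tim:
    dtim_count: int
    dtim_period: int
    group_traffic: bool   # Bitmap Control bit 0: buffered bcast/mcast (AID 0)
    aids: set             # unicast AIDs that have buffered frames


def encode_tim(dtim_count, dtim_period, group_traffic, aids):
    """Serialise a TIM IE, trimming the 2008-bit virtual bitmap (251 octets)
    down to the window that holds set bits: the Partial Virtual Bitmap."""
    vbitmap = bytearray(251)
    for aid in aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"invalid AID {aid}")
        vbitmap[aid // 8] |= 1 << (aid % 8)
    nonzero = [i for i, octet in enumerate(vbitmap) if octet]
    # N1 = largest even octet index with only zero octets before it,
    # N2 = last non-zero octet; an empty bitmap still carries one octet.
    n1 = nonzero[0] & ~1 if nonzero else 0
    n2 = nonzero[-1] if nonzero else 0
    pvb = bytes(vbitmap[n1:n2 + 1])
    bitmap_control = ((n1 // 2) << 1) | int(group_traffic)   # offset in bits 1-7
    body = bytes([dtim_count, dtim_period, bitmap_control]) + pvb
    return bytes([TIM_ELEMENT_ID, len(body)]) + body         # Length = N2 - N1 + 4


def decode_tim(ie):
    """Parse a TIM IE and recover the AIDs that have buffered traffic."""
    if len(ie) < 6 or ie[0] != TIM_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed TIM IE")
    dtim_count, dtim_period, bitmap_control, pvb = ie[2], ie[3], ie[4], ie[5:]
    first_octet = (bitmap_control >> 1) * 2   # Bitmap Offset is in units of 2 octets
    aids = set()
    for i, octet in enumerate(pvb):
        for bit in range(8):
            aid = (first_octet + i) * 8 + bit
            if octet & (1 << bit) and 1 <= aid <= MAX_AID:
                aids.add(aid)
    return Tim(dtim_count, dtim_period, bool(bitmap_control & 1), aids)
```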

Tuesday, August 4, 2015

User Space & Kernel Space Wireless Code Blocks


  • The proprietary implementation (umac) contains the AP MLME code as well as the station MLME code. However, mac80211 contains only the station MLME and relies on user space (hostapd) for the AP MLME.

Monday, August 3, 2015

802.11w: Protected Management Frame Service

  • For data frames, encryption covers LLC data + L3 frame + MIC, but a management frame has no LLC & L3 data, hence only the MIC is protected.
  • The purpose of 11w is to prevent spoofed disconnects (hence L2 DoS), which can be caused by spoofing Deauth, Disassoc, association or re-association requests. Other L2 DoS attacks are not prevented by 11w.
  • 11w uses the keys generated after the 4-way handshake, hence management frames exchanged before the 4-way handshake are not protected.
  • Beacons, probe request and response, authentication frames, association request and response, and re-association request and response are not protected.
  • CMAC is considered better than CBC-MAC (used in CCMP), hence the MIC of broadcast management frames is calculated using CMAC, i.e. BIP is used instead of CCMP for these frames.
  • Usage of transient keys:
    • IGTK for broadcast/multicast management packets
    • GTK for broadcast/multicast data packets
    • PTK for unicast management and data packets
  • The IGTK is delivered to the station in the 3rd message of the 4-way handshake.
  • Frames modified to reflect support for 11w (the frames that carry the RSN IE):
    • Beacon & Probe Response on the AP
    • Association/Re-association Requests from the client
  • Checking the MIC is sufficient to detect whether a frame was sent by a trusted source or not. But to accommodate a reboot of either the AP or the client, the SA Query mechanism was introduced. Refer to the cases here.
  • 11w is not applicable to WEP mode. It works with WPA or WPA2. However, WPA standalone is rarely used; it's used only in mixed mode.
  • Attacks addressed by 11w:
    • Deauth / Disassoc notification to the AP
    • Deauth / Disassoc notification to the client
    • Association / Reassoc request to the AP on behalf of a client. Note: assoc and reassoc frames themselves are not protected.
    • Channel switch announcement to the AP
  • RSN IE
UPDATE:

  • Broadcast management frames:
    • Probe Request
    • Disassociation / Deauth frames with broadcast Destination (sent by AP to disconnect all clients in one go). source
  • Treatment of Broadcast Management frames: (source)
    • They cannot be encrypted, otherwise non-11w clients would not be able to decode the broadcast management frames.
    • Hence, only a sequence number (for replay protection) and a MIC (for forgery protection) are added to broadcast management frames, and for that the IGTK is used.
  • AKM suite:
    • With optional mode of 11w, AKM suite contains SHA1 (PSK/1x) and SHA256.
    • With mandatory mode of 11w, AKM suite contains SHA256 only.
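Since the 11w mode and the AKM suite list both live in the RSN IE, here is an added example (my own code, not from the original notes) that parses an RSN IE from a beacon, probe response or (re)association request and reports the PMF mode (MFPC / MFPR bits of RSN Capabilities), the AKM suites and the group management cipher, then checks whether the SHA1 / SHA256 pattern described above holds. The three sample IEs in the test are constructed.

```python
# Added example (not from the original post): parse the RSN IE carried in
# beacons / probe responses / (re)association requests and report the 11w
# mode (MFPC / MFPR bits of RSN Capabilities) and the AKM suites, so the
# SHA1 vs SHA256 combinations described above can be checked in a capture.
import struct

RSN_ELEMENT_ID = 48
OUI_IEEE = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X (SHA1)", 2: "PSK (SHA1)",
             5: "802.1X (SHA256)", 6: "PSK (SHA256)"}
MFPR, MFPC = 0x0040, 0x0080   # RSN Capabilities: bit 6 = required, bit 7 = capable


def parse_rsn_ie(ie):
    """Return (pmf_mode, akm_suite_names, group_mgmt_cipher) for an RSN IE."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:], 0
    (version,) = struct.unpack_from("<H", body, pos); pos += 2
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    pos += 4                                        # group data cipher suite
    (n_pairwise,) = struct.unpack_from("<H", body, pos); pos += 2 + 4 * n_pairwise
    (n_akm,) = struct.unpack_from("<H", body, pos); pos += 2
    akms = []
    for _ in range(n_akm):
        suite = body[pos:pos + 4]; pos += 4
        if suite[:3] == OUI_IEEE:
            akms.append(AKM_NAMES.get(suite[3], f"type {suite[3]}"))
        else:
            akms.append("vendor " + suite.hex())
    (caps,) = struct.unpack_from("<H", body, pos); pos += 2
    pmf = "required" if caps & MFPR else "optional" if caps & MFPC else "disabled"
    group_mgmt = None                               # only present when 11w is on
    if pos + 2 <= len(body):                        # PMKID list precedes it
        (n_pmkid,) = struct.unpack_from("<H", body, pos); pos += 2 + 16 * n_pmkid
    if pos + 4 <= len(body):
        suite = body[pos:pos + 4]
        group_mgmt = "BIP-CMAC-128" if suite == OUI_IEEE + b"\x06" else suite.hex()
    return pmf, akms, group_mgmt


def akm_consistent_with_pmf(pmf, akms):
    """True if the AKM list follows the pattern noted above: 11w optional ->
    SHA1 and SHA256 AKMs, 11w required -> SHA256 only, 11w off -> SHA1 only."""
    sha256 = [a for a in akms if "SHA256" in a]
    if pmf == "required":
        return bool(sha256) and len(sha256) == len(akms)
    if pmf == "optional":
        return bool(sha256) and len(sha256) < len(akms)
    return not sha256
```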


Wireless 802.11 Basic Points

  • Wireless Timeline

  • Sequence Number (12 bit)
    • Sequence numbers are not assigned to control frames, as the Sequence Control field is not present. 
    • Sequence number does not differentiate between data & management frames.
    • AP maintains sequence number per client for unicast packets.
    • A common counter is used for all broadcast / multicast packets across all VAPs [irrespective of whether it's a data frame or a management frame]. Check the sequence numbers of beacon frames of different VAPs on the same device.
  • CCMP PN Number
    • Valid only for data frames, as they are the ones that are encrypted.
    • For uni-cast packets, PN number per client is maintained.
    • Common number for broadcast packets for all clients.
    • Tracked as CCMP Ext. Initialization vector
  • Decryption using wireshark
    • Supports WPA/WPA2 Personal.
    • Generate the PSK from the SSID & passphrase using this tool.
    • Install keys in Edit->Preferences->Protocols->IEEE80211
    • For decryption, traffic must have 4 way handshake procedure. 
  • 11a rates start from 6 Mbps, hence even beacons in 5 GHz go out @ 6 Mbps.
  • It's the association request that contains the connection parameters, not the association response.
  • Broadcast packets from clients (such as DHCP Discover) are sent to the AP (the RA address is that of the AP) with the Destination set to broadcast. Hence, other wireless nodes will not receive the broadcast packet directly.
  • De-authentication Reason Codes:  http://www.aboutcher.co.uk/2012/07/linux-wifi-deauthenticated-reason-codes
  • Rates: 
    • The Supported Rates & Extended Supported Rates IEs contain the non-HT rates supported by the device. Some of the rates are marked as Basic / Mandatory.
    • Control frames (RTS / CTS / ACK) are sent out @ one of the rates marked as Basic / Mandatory. The preference is to send them at the best Basic / Mandatory rate.
    • Management frames such as Beacons, Probe Request / Response, Association / Re-association Request / Response are sent @ the lowest Basic / Mandatory rate.
    • Broadcast & Multicast data frames are sent out @ one of the rates marked as Basic / Mandatory. The preference is to send them at the best Basic / Mandatory rate.
    • If a station sends out a packet that the receiver does not have in its supported rates then it will drop the packet.  


  • RSSI vs Range
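Following up on the Wireshark decryption points above, here is an added example (my own code, not from the original notes) that derives the WPA/WPA2-Personal PSK from SSID and passphrase the way the PSK generator does, and then expands it into the PTK (KCK | KEK | TK) as both sides do for the SHA1 AKMs after the 4-way handshake, which is why the handshake must be in the capture. The MAC addresses and nonces used in the test are constructed values; the "wpa-psk" key format is the hex key type Wireshark's IEEE 802.11 preferences accept.

```python
# Added example (not from the original post): derive the WPA/WPA2-Personal
# PSK from SSID and passphrase as the Wireshark PSK generator does, then
# expand it into the PTK as both sides do (SHA1 AKMs) after the 4-way handshake.
import hashlib
import hmac


def wpa_psk(passphrase, ssid):
    """PSK (= PMK for WPA-Personal) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11 PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK (384 bits for CCMP) = KCK | KEK | TK. The min/max ordering makes the
    result identical on both sides; without the ANonce/SNonce from a captured
    4-way handshake the TK cannot be recovered, hence Wireshark's requirement."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def wireshark_key(passphrase, ssid):
    """Hex PSK in the form taken by Wireshark's 'wpa-psk' decryption key type."""
    return "wpa-psk:" + wpa_psk(passphrase, ssid).hex()
```

The passphrase "password" with SSID "IEEE" is the test vector from the 802.11 standard's annex, so the derived PSK can be compared against it.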