Chapter 3: Wireless Communications
Outline
Overview
MAC
Routing
Wireless TCP
Wireless in real world
Leverage broadcasting nature
Wireless security
From Wired to Wireless
The Difference #1
The Difference #2
Unicast vs. Broadcast
Why?
Signal-to-noise ratio
Interference
Your signal is noise to others
Broadcast nature
Existing Wireless Networks
Wireless Metropolitan Area Network (WMAN)
Cellular/Wireless Wide Area Network (WWAN) (GSM, WCDMA, EV-DO)
Wireless Local Area Network (WLAN)
Wireless Personal Area Network (WPAN)
Ad hoc networks
Sensor networks
Emerging networks (variations of ad hoc networks)
Info-stations
Vehicular networks
Cognitive Radio Networks
IEEE 802.22
Data Rate
Transmission Range
Power Dissipation
Network Architectures
Ad hoc networks: no infrastructure cost, no guarantee
Sensor networks: energy limited, low processing power
Challenges in Cellular Networks
Explosion of mobile phones, 1.5 billion users (2004)
Scalability issues (particularly at radio network controller)
Better architecture design
Lack of bandwidth (we need mobile TV)
Give us more spectrum
IEEE 802.11 - Architecture of an
Infrastructure Network
Station (STA)
Terminal with access mechanisms to
the wireless medium and radio
contact to the access point
Basic Service Set (BSS)
Group of stations using the same
radio frequency
Access Point
Station integrated into the wireless
LAN and the distribution system
Portal
bridge to other (wired) networks
Distribution System
Interconnection network to form
one logical network
Challenges in WiFi
Again, explosion of users, devices
Interference, interference, interference
Heavy interference/contention when accessing the AP, no QoS support
Inter-AP interference
Interference from other devices (microwave, cordless phones) in
the same frequency band
Mobility support
Seamless roaming when users move between APs
Normally low speed (3-10 mph)
Challenges in Ad-hoc Networks
A flexible network infrastructure
Peer-to-peer communications
No backbone infrastructure
Routing can be multi-hop
Topology is dynamic
Challenges
Devices need to self-manage to survive
Manage interference (similar to WiFi but without AP, much harder)
Manage connectivity and routing (node mobility and unreliable links)
Transmission, access, and routing strategies for ad-hoc networks are
generally ad-hoc
User collaboration is a good direction, but there are always selfish/malicious users
How does Wireless affect
Networking?
Wireless access is different from Ethernet access
Wireless routing is different from IP routing
Wireless security is different from wired security
Wireless Access vs. Ethernet Access
Ethernet: fixed connection, always on, stable, fixed rate
Wireless: unreliable connection, competition based,
fading/unreliable, dynamic rate, limited bandwidth
Critical: how to coordinate among devices to avoid interference
Cellular: centralized, base station tells each device when and how to
send/receive data
WLAN + Ad hoc: distributed, CSMA, compete and backoff
Mobility
neighbor discovery + topology control
Rate adaptations
Wireless Routing vs. Wired Routing
Aside from traditional multi-hop routing
Mobility: route discovery and maintenance
Interference, interference, interference
Multi-hop interference mitigation
Spectrum assignment, multi-channel networks
Why is Security more of a Concern
in Wireless?
No inherent physical protection
Physical connections between devices are replaced by logical
associations
Sending and receiving messages do not need physical access to the
network infrastructure (cables, hubs, routers, etc.)
Broadcast communications
Wireless usually has a broadcast nature
Transmissions can be overheard by anyone in range
Anyone can generate transmissions,
which will be received by other devices in range
which will interfere with other nearby transmissions and may prevent
their correct reception (jamming)
Wireless Attacks
Eavesdropping is easy
Injecting bogus messages into the network is easy
Replaying previously recorded messages is easy
Illegitimate access to the network and its services is easy
Denial of service is easily achieved by jamming
So far
Understand why wireless data rate is lower than wired
Understand different types of wireless networks:
WPAN, WLAN, WWAN, WMAN and their challenges
Understand the difference between infrastructure and ad hoc
networks
Understand the challenges in MAC, networking and security
areas
Why Control Medium Access
Wireless channel is a shared medium
When transmissions conflict, interference disrupts communications
Medium access control (MAC)
Avoid interference
Provide fairness
Utilize channel variations to improve throughput
Independent link variations
MAC Categories
Random Access
Random Access vs. Controlled Access
No fixed schedule, no special node to coordinate
Distributed algorithm to determine how users share channel,
when each user should transmit
Protocol components:
How to detect and avoid collisions
How to recover from collisions
Examples
Slotted ALOHA
Pure ALOHA
CSMA, CSMA/CA, CSMA/CD
The Trivial Solution
[Figure: nodes A, B and C; collision]
The Simple Fix
[Figure: nodes A, B and C; callout "Don't transmit"]
When collision:
Entire packet transmission time wasted
Note:
Role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
If (Transmitted_Signal != Sensed_Signal)
    Sender knows it's a collision
    ABORT
Two Observations on CSMA/CD
Transmitter can send/listen concurrently
If (Sensed - received = null)? Then success
Because
Wireless Medium Access Control
[Figure: nodes A, B, C, D; signal power vs. distance with SINR threshold]
Wireless Media Disperse Energy
A cannot send and listen in parallel
[Figure: nodes A, B, C, D; signal power vs. distance]
Collision Detection Difficult
[Figure: nodes A, B, C, D]
Calculating SINR
[Figure: nodes A, B, C, D, X; signal power vs. distance with SINR threshold]
Important: C has not heard A, but can interfere at receiver B
C is the hidden terminal to A
[Figure: nodes A, B, C, D, X; signal power vs. distance with SINR threshold]
Important: X has heard A, but should not defer transmission to Y
X is the exposed terminal to A
[Figure: nodes A, B, C, D, X, Y; signal power vs. distance with SINR threshold]
Exposed Terminal Problem (ETP)
Don't know whether two transmissions will conflict or not
C wants to transmit to D but hears B; C defers transmission to
D although it won't disturb the transmission from B to A
CSMA/CA-Avoiding Collisions
Idea: allow sender to reserve channel rather than random
access of data frames: avoid collisions of long data frames
Sender first transmits small request-to-send (RTS) packets to BS using
CSMA
BS broadcasts clear-to-send CTS in response to RTS
RTS heard by all nodes
Sender transmits data frame
Other stations defer transmissions
Multiple Channel Motivation
Ways to avoid interference
Time
Space
Frequency/channel
How to coordinate among users which channel to use?
MultiChannel Hidden Terminals
A sends RTS
B sends CTS
C does not hear CTS because C is listening on channel 2
Solution 1: Add a Control Radio
Each user has two radios
Radio 1: control radio; users exchange control information
which channel to use for their data radio
Radio 2: data radio; transmit packets
Pro:
Simple; instantaneous coordination
Con:
Need an extra radio; bandwidth wasted
Wu's Protocol [Wu00ISPAN]
Assumes 2 transceivers per host
One transceiver always listens on control channel
Negotiate channels using RTS/CTS/RES
RTS/CTS/RES packets sent on control channel
Sender includes preferred channels in RTS
Receiver decides a channel and includes in CTS
Sender transmits RES (Reservation)
Sender sends DATA on the selected data channel
An example of Solution 2: MMAC
Assumptions
Each node is equipped with a single transceiver
The transceiver is capable of switching channels
Channel switching delay is approximately 250 µs
Per-packet switching not recommended
Occasional channel switching not too expensive
Multi-hop synchronization is achieved by other means
Channel Negotiation
QUESTION:
WHAT IS THE LIMITATION OF MMAC?
MMAC
MMAC Basic idea:
Periodically rendezvous on a fixed channel to decide the next channel
Issues
Packets to multiple destinations: high delays
Control channel congestion
Assumptions of Wireless Routing
Inherent mobility
Nodes are not static
Transmission properties
Classically assumed as unit-disc model
All or nothing range R
Symmetric reception
Scenarios
GOAL
Minimize control overhead
Minimize processing overhead
Multi-hop path routing capability
Dynamic topology maintenance
No routing loops
Self-starting
Brief Review of Internet Routing
Intra-AS routing
Link-state
Distance vector
Distance vector
Neighbors periodically exchange routing information with
neighbors
<destination IP addr, hop count>
Nodes iteratively learn network routing info and compute routes
to all destinations
Suffer from problems like counting-to-infinity
Review Cont.
Link State
Nodes flood neighbor routing information to all nodes in network
<neighbor IP Addr, cost>
Once each node knows all links in network, can individually
compute routing paths
Use Dijkstra for example
Minimize routing cost
Supports metrics other than hop count, but is more complex
Review Cont.
Examples of routing protocols
Distance vector: RIP
Link state: OSPF
What do these have in common?
Both maintain routes to all nodes in network
Approaches to Wireless Routing
Proactive Routing
Based on traditional distance-vector and link-state protocols
Nodes proactively maintain routes to each other
Periodic and/or event triggered routing update exchange
Higher overhead in most scenarios
Longer route convergence time
Examples: DSDV, TBRPF, OLSR
Approaches Cont.
Reactive (on-demand) Routing
Source builds routes on-demand by flooding
Maintain only active routes
Route discovery cycle
Typically, less control overhead, better scaling properties
Drawback?
Route acquisition latency
Examples: AODV, DSR
WIRELESS ROUTING PROTOCOLS (1):
REACTIVE PROTOCOLS
Dynamic Source Routing (DSR)
[Johnson96]
When node S wants to send a packet to node D, but does not
know a route to D, node S initiates a route discovery
Route Discovery in DSR
[Figure sequence: RREQ flood spreading from S; the route record carried by each copy grows hop by hop: [S,E] and [S,C]; then [S,E,F] and [S,C,G]; then [S,E,F,J] and [S,C,G,K]; then [S,E,F,J,M]]
Route Reply in DSR
[Figure: RREP control message carrying route [S,E,F,J,D]]
Route Reply in DSR
Route Reply can be sent by reversing the route in Route Request
(RREQ) only if links are guaranteed to be bi-directional
To ensure this, RREQ should be forwarded only if it is received on a link
that is known to be bi-directional
If IEEE 802.11 MAC is used to send data, then links have to be bi-directional (since Ack is used)
Data Delivery in DSR
[Figure: DATA packet carrying source route [S,E,F,J,D]]
Packet header size grows with route length
When to Perform a Route
Discovery
When node S wants to send data to node D, but does not
know a valid route to node D
DSR Optimization: Route Caching
Each node caches a new route it learns by any means
When node S finds route [S,E,F,J,D] to node D, node S also
learns route [S,E,F] to node F
When node K receives Route Request [S,C,G] destined for
node, node K learns route [K,G,C,S] to node S
When node F forwards Route Reply RREP [S,E,F,J,D], node F
learns route [F,J,D] to node D
When node E forwards Data [S,E,F,J,D] it learns route [E,F,J,D]
to node D
A node may also learn a route when it overhears Data
packets
Use of Route Caching
When node S learns that a route to node D is broken, it uses
another route from its local cache, if such a route to D exists
in its cache. Otherwise, node S initiates route discovery by
sending a route request
[Figure legend: [P,Q,R] represents a cached route at a node (DSR maintains the cached routes in a tree format)]
Use of Route Caching:
Can Speed up Route Discovery
[Figure: cached routes shown at the nodes: [S,E,F,J,D]; [E,F,J,D]; [F,J,D],[F,E,S]; [J,F,E,S]; [G,C,S]; [C,S]; [K,G,C,S]; RREQ from Z, RREP from K]
When node Z sends a route request for node C, node K sends back a route
reply [Z,K,G,C] to node Z using a locally cached route
Use of Route Caching:
Can Reduce Propagation of Route Requests
[Figure: cached routes shown at the nodes: [S,E,F,J,D]; [E,F,J,D]; [F,J,D],[F,E,S]; [J,F,E,S]; [G,C,S]; [C,S]; [K,G,C,S]; RREQ from Z, RREP from K]
Assume that there is no link between D and Z.
Route Reply (RREP) from node K limits flooding of RREQ.
In general, the reduction may be less dramatic.
Route Error (RERR)
[Figure: RERR [J-D] sent from J toward S]
J sends a route error to S along route J-F-E-S when its attempt to forward the
data packet S (with route SEFJD) on J-D fails
Nodes hearing RERR update their route cache to remove link J-D
Route Caching: Beware!
Stale caches can adversely affect performance
A sender host may try several stale routes (obtained from local
cache, or replied from cache by other nodes), before finding a
good route
Dynamic Source Routing:
Disadvantages
Packet header size grows with route length due to source
routing
Flood of route requests may potentially reach all nodes in the
network
Care must be taken to avoid collisions between route requests
propagated by neighboring nodes
insertion of random delays before forwarding RREQ
Increased contention if too many route replies come back due
to nodes replying using their local cache
Route Reply Storm problem
Reply storm may be eased by preventing a node from sending
RREP if it hears another RREP with a shorter route
An intermediate node may send Route Reply using a stale
cached route, thus polluting other caches
Flooding of Control Packets
Location-Aided Routing (LAR)
[Ko98Mobicom]
Exploits location information to limit scope of route request
flood
Location information may be obtained using GPS
Expected Zone
Request Zone in LAR
[Figure: network space containing the request zone; nodes S, A, B, X, Y; radius r]
LAR
Only nodes within the request zone forward route requests
Node A does not forward RREQ, but node B does (see previous slide)
LAR Variations: Adaptive Request
Zone
Each node may modify the request zone included in the
forwarded request
[Figure: request zone defined by sender S; request zone adapted by B]
LAR Variations: Implicit Request
Zone
In the previous scheme, a route request explicitly specified a
request zone
Location-Aided Routing
The basic proposal assumes that, initially, location information
for node X becomes known to Y only during a route discovery
This location information is used for a future route discovery
Each route discovery yields more updated information which is
used for the next discovery
Variations
Location information can also be piggybacked on any message
from Y to X
Y may also proactively distribute its location information
Similar to other protocols discussed later (e.g., DREAM, GLS)
Location Aided Routing (LAR)
Advantages
reduces the scope of route request flood
reduces overhead of route discovery
Disadvantages
Nodes need to know their physical locations
Does not take into account possible existence of obstructions for
radio transmissions
Query Localization
[Castaneda99Mobicom]
Limits route request flood without using physical information
Route requests are propagated only along paths that are close
to the previously known route
Query Localization
[Figure: initial route from S to D; permitted routes with k = 2]
Query Localization
Advantages:
Reduces overhead of route discovery without using physical
location information
Can perform better in presence of obstructions by searching for
new routes in the vicinity of old routes
Disadvantage:
May yield routes longer than LAR
(Shortest route may contain more than k new nodes)
Broadcast Storm Problem
[Ni99Mobicom]
When node A broadcasts a route query, nodes B and C both
receive it
B and C both forward to their neighbors
B and C transmit at about the same time since they are reacting
to receipt of the same message from A
This results in a high probability of collisions
[Figure: nodes A, B, C]
Broadcast Storm Problem
Redundancy: A given node may receive the same route
request from too many nodes, when one copy would have
sufficed
Node D may receive from nodes B and C both
[Figure: nodes A, B, C]
Solutions for Broadcast Storm
Probabilistic scheme: On receiving a route request for the first
time, a node will re-broadcast (forward) the request with
probability p
Solutions for Broadcast Storms
Counter-Based Scheme: If node E hears more than k neighbors
broadcasting a given route request, before it can itself forward
it, then node E will not forward the request
Intuition: k neighbors together have probably already
forwarded the request to all of E's neighbors
[Figure: nodes A, B, C, E, F]
Solutions for Broadcast Storms
Distance-Based Scheme: If node E hears RREQ broadcasted by
some node Z within physical distance d, then E will not re-broadcast the request
Intuition: Z and E are too close, so transmission areas covered
by Z and E are not very different
if E re-broadcasts the request, not many nodes who have not already
heard the request from Z will hear the request
[Figure: nodes E and Z separated by less than d]
Summary: Broadcast Storm
Problem
Flooding is used in many protocols, such as Dynamic Source
Routing (DSR)
Reverse Path Setup in AODV
[Figure: example network; legend: marked links represent the path taken by RREP]
Route Reply in AODV
An intermediate node (not the destination) may also send a
Route Reply (RREP) provided that it knows a more recent path
than the one previously known to sender S
Link Failure Reporting
A neighbor of node X is considered active for a routing table
entry if the neighbor sent a packet within
active_route_timeout interval which was forwarded using
that entry
When the next hop link in a routing table entry breaks, all
active neighbors are informed
Route Error
When node X is unable to forward packet P (from node S to
node D) on link (X,Y), it generates a RERR message
Link Failure Detection
Hello messages: Neighboring nodes periodically exchange
hello message
Why Sequence Numbers in AODV
To avoid using old/broken routes
To determine which route is newer
[Figure: nodes A, B, C, D and E]
Assume that A does not know about failure of link C-D because RERR
sent by C is lost
Now C performs a route discovery for D. Node A receives the RREQ
(say, via path C-E-A)
Node A will reply since A knows a route to D via node B
Results in a loop (for instance, C-E-A-B-C)
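The loop scenario above, replayed with and without the sequence-number check, as an added example that is not part of the original slides. It assumes the links A-B, B-C, C-D, C-E and E-A, a constructed starting sequence number of 5, and the RFC 3561 rule that an intermediate node answers only if its stored destination sequence number is at least the one carried in the RREQ.

```python
# Added illustration (not from the slides): the A, B, C, D, E scenario.
# Assumed topology, inferred from the text: A-B, B-C, C-D, C-E, E-A.

def initial_tables(seq=5):
    """Routes toward D before the break: node -> next hop and the destination
    sequence number the route was learned with (5 is a constructed value)."""
    return {
        "A": {"next": "B", "seq": seq},
        "B": {"next": "C", "seq": seq},
        "C": {"next": "D", "seq": seq},
    }


def rediscover(tables, check_seq):
    """Link C-D breaks, C's RERR is lost, and C's RREQ reaches A via C-E-A.

    Returns the node that answered from its routing table, or None.
    """
    broken = tables.pop("C")        # C invalidates its own route to D
    wanted = broken["seq"] + 1      # and asks for a route newer than the broken one
    rreq_path = ["C", "E", "A"]     # path named in the text
    for position, node in enumerate(rreq_path[1:], start=1):
        entry = tables.get(node)
        if entry is None:
            continue                # E has no route to D, it only forwards
        if check_seq and entry["seq"] < wanted:
            continue                # stored route is older than requested: stay silent
        # The RREP travels back along the reverse path and installs forward routes.
        for i in range(position - 1, -1, -1):
            tables[rreq_path[i]] = {"next": rreq_path[i + 1], "seq": entry["seq"]}
        return node
    return None


def forward(tables, src="C", dst="D"):
    """Follow next hops from src and report 'delivered', 'loop' or 'no route'."""
    hops, node = [src], src
    while node != dst:
        entry = tables.get(node)
        if entry is None:
            return hops, "no route"
        node = entry["next"]
        hops.append(node)
        if hops.count(node) > 1:
            return hops, "loop"
    return hops, "delivered"


def run(check_seq):
    """Replay the failure and return (replying node, forwarding result from C)."""
    tables = initial_tables()
    replier = rediscover(tables, check_seq)
    return replier, forward(tables)


if __name__ == "__main__":
    print("without sequence numbers:", run(check_seq=False))
    print("with sequence numbers:   ", run(check_seq=True))
```

With the check enabled, A stays silent, so C is left without a route instead of with a looping one.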
Optimization: Expanding Ring
Search
Route Requests are initially sent with small Time-to-Live (TTL)
field, to limit their propagation
DSR also includes a similar optimization
Summary: AODV
Proactive Protocols
Link State Routing [Huitema95]
Optimized Link State Routing (OLSR)
[Jacquet00ietf, Jacquet99Inria]
The overhead of flooding link state information is reduced by
requiring fewer nodes to forward the information
Destination-Sequenced Distance-Vector (DSDV) [Perkins94Sigcomm]
Each node maintains a routing table which stores
next hop towards each destination
a cost metric for the path to each destination
a destination sequence number that is created by the destination
itself
Sequence numbers used to avoid formation of loops
[Figure: nodes X, Y, Z]
Let S(X) and S(Y) denote the destination sequence number for
node Z as stored at node X, and as sent by node Y with its
routing table to node X, respectively
Node X takes the following steps:
If S(X) < S(Y), then X sets Y as the next hop to Z, and S(X) is
updated to equal S(Y)
WIRELESS ROUTING PROTOCOLS (1):
HYBRID PROTOCOLS
Zone Routing Protocol (ZRP)
[Haas98]
Zone routing protocol combines
ZRP: Example with Zone Radius = d = 2
S performs route discovery for D
[Figure sequence: nodes S, A, B, C, D, E, F; legend: route request, then route taken by Data]
Landmark Routing (LANMAR) for MANET
with Group Mobility [Pei00Mobihoc]
A landmark node is elected for a group of nodes that are likely
to move together
[Figure: nodes A, B, C, D, E, F, G]
LANMAR Routing to Nodes Outside
Scope
Routing from node A to F which is outside A's scope
Let H be the landmark node for node F
[Figure: nodes A, B, C, D, E, F, G, H]
We have a route, Now What?
[Figure: TCP endpoints over the NETWORK]
In other words,
as a middle man, don't attempt to do it if you cannot do it completely.
Let the end point handle it completely!
Question is: Who is the end point? TCP? Application layer? Human user?
the debate goes on
The Control Problem
Two main components in TCP
Flow Control and Congestion Control
Flow Control
If receiver's bucket is filling up, pour less water
Congestion Control
Don't pour too much if there are leaks in intermediate pipes
Regulate your flow based on how much is leaking out
Aggressive pouring calls for retransmission of lost packets
Conservative pouring: lower e2e capacity
Why?
The TCP Protocol (in a nutshell)
T transmits few packets, waits for ACK
Called slow start
Renewed Challenge
Key assumption in TCP
A packet loss is indicative of network congestion
Source needs to regulate flow by reducing CW
The Problem Model
[Figure: a TCP connection spanning a wireline part and a wireless part]
Impact of Misclassification
[Figure: sequence number (bytes) vs. time (s), compared with the best possible]
LINK LAYER MECHANISMS
Link Layer Mechanisms
Forward error corrections (FEC)
Add redundancy in the packets to correct bit-errors
TCP retransmissions can be alleviated
Issues with Link Layer Mechanisms
Link layer cannot guarantee reliability
Have to drop packets after some finite limit
What is the retransmission limit (??)
SPLIT CONNECTION APPROACH
1 TCP = TCP + (TCP or XXX)
[Figure: per-TCP connection state at the base station; wireless link]
Splitting Approaches
Indirect TCP [Baker97]
Fixed host (FH) to base station (BS) uses TCP
BS to mobile host (MH) uses another TCP connection
Snoop
Link layer at BS buffers un-acknowledged packets
Snoop: Example
[Figure sequence: packets 35 to 48 flowing FH -> BS -> MH with acks returning; labels: "TCP state maintained at link layer", "dupack", "Duplicate acks", "Dupack triggers retransmission of packet 37 from base station", "Discard"]
Snoop [Balakrishnan95acm]
[Figure: throughput (bits/sec) vs. 1/error rate (in bytes), from 16K to 256K and no error; 2 Mbps wireless link]
Issues with Snoop
Link layer needs to be TCP aware
Smelling cross layer
Link layer needs to buffer and perform sliding window
Quick look at other schemes
TCP-unaware schemes
Explicit notification
Receiver-based
TCP-Unaware, ELN
Delayed DupACKs
Receiver waits for some time before sending DupACK
If link retransmission solves problem
Then TCP sender does not send redundant packet
[Figure: FH - BS - MH packet sequences for a congestion loss and an error loss, with delays T and 2T]
When is this mechanism a big problem?
Closing Thoughts
Reliable and in-order packet delivery important
TCP aims to support these features
Implements congestion control and flow control
Wireless in the Real World
Wireless Challenges
Force us to rethink many assumptions
Need to share airwaves rather than wire
Don't know what hosts are involved
Host may not be using same link technology
Mobility
Other characteristics of wireless
Noisy: lots of losses
Slow
Interaction of multiple transmitters at receiver
Collisions, capture, interference
Multipath interference
Overview
IEEE 802.11
Deployment patterns
Reaction to interference
Interference mitigation
Mesh networks
Architecture
Measurements
Characterizing Current Deployments
Datasets
Place Lab: 28,000 APs
MAC, ESSID, GPS
Selected US cities
www.placelab.org
Wifimaps: 300,000 APs
MAC, ESSID, Channel, GPS (derived)
wifimaps.com
Pittsburgh Wardrive: 667 APs
MAC, ESSID, Channel, Supported Rates, GPS
AP Stats, Degrees: Placelab
(Placelab: 28000 APs, MAC, ESSID, GPS)
City            #APs   Max. degree (i.e., # neighbors)
Portland        8683   54
San Francisco   3037   85
Boston          2551   39
[Figure: neighbor-degree illustration, 50 m]
Degree Distribution: Place Lab
Unmanaged Devices
WifiMaps.com
(300,000 APs, MAC, ESSID, Channel)
Channel %age
6 51
Other 802.11
What do We Expect?
Throughput to decrease linearly with interference
There to be lots of options for 802.11 devices to tolerate interference
Bit-rate adaptation
Power control
FEC
Packet size variation
Spread-spectrum processing
Transmission and reception diversity
[Figure: throughput (linear) vs. interferer power (log-scale)]
Key Questions
How damaging can a low-power and/or narrow-band
interferer be?
What We See
Effects of interference more severe in practice
Caused by hardware limitations of commodity cards, which theory doesn't model
[Figure: throughput (linear) vs. interferer power (log-scale)]
Experimental Setup
[Figure: UDP flow between an access point and an 802.11 client, with an 802.11 interferer]
802.11 Receiver Path
[Figure: receiver block diagram, PHY to MAC: RF signal, amplifiers with AGC amplifier control, ADC (6-bit samples), timing recovery, Barker correlator, demodulator, descrambler, preamble detector/header CRC-16 checker; PHY header and data (includes beacons) passed to the MAC]
[Figure: throughput and latency (microseconds), log-scale, with interferer]
Spectrum management
Channel hopping 802.11 effective at mitigating some
performance problems [Sigcomm07]
Coordinated spectrum use based on RF sensor network
[Figure: throughput (kbps) for 15MHz separation, 10MHz separation, 5MHz separation (good performance) and same channel (poor performance)]
General idea:
Observe channel conditions like SNR (signal-to-noise
ratio), bit errors, packet errors
Pick a transmission rate that will get best goodput
There are channel conditions when reducing the bitrate can
greatly increase throughput, e.g., if a decrease in bitrate
gets you from 90% loss to 10% loss.
Simple Rate Adaptation Scheme
Watch packet error rate over window (K packets or T seconds)
If loss rate > thresh_high (or SNR <, etc)
    Reduce Tx rate
If loss rate < thresh_low
    Increase Tx rate
Most devices support a discrete set of rates
802.11: 1, 2, 5.5, 11 Mbps, etc.
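A runnable version of the windowed scheme above, as an added example that is not part of the original slides. The per-rate loss table, the window of 10 packets and the threshold values are constructed for illustration; the table reproduces the 90% versus 10% loss case mentioned earlier.

```python
# Added illustration (not from the slides) of the window-based rate adaptation scheme.
RATES_MBPS = [1, 2, 5.5, 11]

# Constructed channel: packets lost out of every 10 sent at each rate.
LOST_PER_10 = {1: 0, 2: 0, 5.5: 1, 11: 9}


class RateController:
    """Watch the loss rate over a window of K packets and step the rate up or down."""

    def __init__(self, window=10, thresh_high=0.5, thresh_low=0.05, start_index=None):
        self.window = window
        self.thresh_high = thresh_high
        self.thresh_low = thresh_low
        self.index = len(RATES_MBPS) - 1 if start_index is None else start_index
        self.sent = 0
        self.lost = 0

    @property
    def rate(self):
        return RATES_MBPS[self.index]

    def report(self, delivered):
        """Record one transmission outcome; adapt when the window is full."""
        self.sent += 1
        if not delivered:
            self.lost += 1
        if self.sent == self.window:
            loss = self.lost / self.sent
            if loss > self.thresh_high and self.index > 0:
                self.index -= 1          # too lossy: reduce Tx rate
            elif loss < self.thresh_low and self.index < len(RATES_MBPS) - 1:
                self.index += 1          # clean channel: increase Tx rate
            self.sent = self.lost = 0
        return self.rate


def goodput(rate):
    """Delivered Mbps at a given rate on the constructed channel."""
    return rate * (10 - LOST_PER_10[rate]) / 10


def simulate(thresh_low, windows=4):
    """Return the rate used in each successive window of 10 packets."""
    ctrl = RateController(thresh_low=thresh_low)
    history = []
    for _ in range(windows):
        rate = ctrl.rate
        history.append(rate)
        for i in range(10):
            # Deterministic loss pattern: the first LOST_PER_10[rate] packets are lost.
            ctrl.report(delivered=(i >= LOST_PER_10[rate]))
    return history


if __name__ == "__main__":
    print("goodput at 11 Mbps:", goodput(11), " at 5.5 Mbps:", goodput(5.5))
    print("thresh_low=0.05:", simulate(0.05))   # settles at 5.5 Mbps
    print("thresh_low=0.20:", simulate(0.20))   # oscillates between 5.5 and 11 Mbps
```

The second run shows why the thresholds matter: if thresh_low sits above the loss rate of the best rate, the controller keeps probing upward and pays the 90% loss every other window.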
Challenges in Rate Adaptation
Channel conditions change over time
Loss rates must be measured over a window
SNR estimates from the hardware are coarse, and don't always
predict loss rate
May be some overhead (time, transient interruptions, etc.) to
changing rates
Power and Rate Selection Algorithms
Rate Selection
Auto Rate Fallback: ARF
Estimated Rate Fallback: ERF
Community Wireless Network
Share a few wired Internet connections
Construction of community networks
Multi-hop network
Nodes in chosen locations
Directional antennas
Require good coordination
Access point
Clients directly connect
Access points operate independently
Do not require much coordination
Roofnet
Goals
Operate without extensive planning or central management
Provide wide coverage and acceptable performance
Design decisions
Unconstrained node placement
Omni-directional antennas
Multi-hop routing
Optimization of routing for throughput in a slowly changing
network
Roofnet Design
Deployment
Over an area of about four square kilometers in Cambridge,
Massachusetts
Most nodes are located in buildings
3~4 story apartment buildings
8 nodes are in taller buildings
Each Roofnet node is hosted by a volunteer user
Hardware
PC, omni-directional antenna, hard drive
802.11b card
RTS/CTS disabled
Share the same 802.11b channel
Non-standard pseudo-IBSS mode
Similar to standard 802.11b IBSS (ad hoc)
Omit beacon and BSSID (network ID)
Roofnet Node Map
[Figure: node map; scale: 1 kilometer]
Typical Rooftop View
A Roofnet Self-Installation Kit
Evaluation
Method
Multi-hop TCP
15 second one-way bulk TCP transfer between each pair of Roofnet
nodes
Single-hop TCP
The direct radio link between each pair of routes
Loss matrix
The loss rate between each pair of nodes using 1500-byte broadcasts
Multi-hop density
TCP throughput between a fixed set of four nodes
Varying the number of Roofnet nodes that are participating in
routing
Evaluation
Basic Performance (Multi-hop TCP)
The routes with low hop-count have much higher
throughput
Multi-hop routes suffer from inter-hop collisions
Evaluation
No problem in interactive sessions
Evaluation
Link Quality and Distance (Single-hop TCP, Multi-hop TCP)
Most available links are between 500m and 1300m and 500 kbits/s
(most cases)
Srcr
Use almost all of the links faster than 2 Mbits/s and ignore majority of
the links which are slower than that
Fast short hops are the best policy
a small number of links a few hundred meters long with throughputs
of two megabits/second or more, and a few longer high-throughput
links
Evaluation
Link Quality and Distance (Multi-hop TCP, Loss matrix)
Median delivery probability is 0.8
Evaluation Comparison against communication over a direct
radio link to a gateway (Access-point Network)
Architectural Alternatives
Maximize the number of additional nodes with non-zero throughput to
some gateway
Ties are broken by average throughput
Roofnet Summary
The network's architecture favors
Ease of deployment
Omni-directional antennas
Self-configuring software
Link-quality-aware multi-hop routing
Evaluation of network performance
Average throughput between nodes is 627kbits/s
Well served by just a few gateways whose position is determined
by convenience
Multi-hop mesh increases both connectivity and throughput
Roofnet Link Level Measurements
Analyze cause of packet loss
Neighbor Abstraction
Ability to hear control packets or No Interference
Strong correlation between BER and S/N
RoofNet pairs communicate
At intermediate loss rates
Temporal Variation
Spatial Variation
neighbor abstraction is a
poor approximation of reality
Lossy Links are Common
Delivery Probabilities are Uniformly Distributed
Delivery vs. SNR
SNR not a good predictor
Is it Bursty Interference?
May interfere but not impact SNR measurement
Two Different Roofnet Links
Top is typical of bursty interference, bottom is not
Most links are like the bottom
Is it Multipath Interference?
A Plausible Explanation
Key Implications
Lack of a link abstraction!
Links aren't on or off, sometimes in-between
Taking Advantage of Broadcast
Initial Approach: Traditional Routing
[Figure: a packet sent from src to dst hop by hop (A to B) through forwarders N1 to N5; delivery probabilities 75%, 50%, 25%]
Traditional Routing:
One path followed from source to destination
All packets sent along that path
Co-operative Diversity:
Broadcast of packets by all nodes
Destination chooses the best one
ExOR:
Broadcast packets to all nodes
Only one node forwards the packet
Basic idea is delayed forwarding
ExOR Batching
[Figure: src, forwarders N1 to N4 and dst, with per-node rx and tx packet counts]
The remaining forwarders transmit in order, but only send packets which were
not acknowledged in the batch maps of higher priority nodes.
[Figure: tx: {1, 6, 7 ... 91, 96, 99} and batch map: {1, 6, 7 ... 91, 96, 99}]
[Figure: node proxy, gateway proxy, Web; ExOR batches (not TCP)]
Background
Famous butterfly example:
Relay
Require 4 transmissions
259
Background
Bob and Alice
Relay
XOR
XOR XOR
Require 3 transmissions
260
Coding Gain
Coding gain = 4/3
261
Throughput Improvement
UDP throughput improvement ~ a factor 2 > 4/3 coding gain
262
Coding Gain: more examples
[Figure: nodes 1 to 5 and the coded packet 1+2+3+4+5]
Opportunistic Listening:
Every node listens to all packets
It stores all heard packets for a limited time
How to decode?
Upon receiving a packet encoded with n native packets
find n-1 native packets from its queue
XOR these n-1 native packets with the received packet to extract the
new packet
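The decoding rule above, applied to the Alice/Bob relay exchange, as an added example that is not part of the original slides. The packet ids, payloads and function names are constructed for illustration, and payloads are assumed to be padded to equal length.

```python
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length payloads."""
    if len(a) != len(b):
        raise ValueError("payloads must be padded to the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def encode(natives: dict) -> tuple:
    """Relay: XOR n native packets; the header lists their ids."""
    return frozenset(natives), reduce(xor_bytes, natives.values())

def decode(coded_ids, coded_payload: bytes, pool: dict):
    """Receiver: find n-1 natives in the pool of overheard/sent packets,
    XOR them out, return (new_id, new_payload); None if undecodable."""
    missing = [i for i in coded_ids if i not in pool]
    if len(missing) != 1:          # 0: nothing new, >1: too few natives known
        return None
    payload = coded_payload
    for i in coded_ids - set(missing):
        payload = xor_bytes(payload, pool[i])
    return missing[0], payload

# Constructed sample: Alice and Bob exchange packets through a relay.
P_ALICE = b"alice->bob: hi  "
P_BOB   = b"bob->alice: yo  "

def relay_exchange():
    ids, coded = encode({"a1": P_ALICE, "b1": P_BOB})   # third transmission
    at_alice = decode(ids, coded, {"a1": P_ALICE})      # Alice kept her own packet
    at_bob = decode(ids, coded, {"b1": P_BOB})
    at_stranger = decode(ids, coded, {})                # overheard nothing
    return at_alice, at_bob, at_stranger
```

A node that overheard neither native packet gets `None`, which is why the relay should only code packets together when each next hop already holds the other n-1.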
267
Prevent Packet Reordering
Packet reordering due to async acks degrades TCP performance
Ordering agent
Deliver in-sequence packets immediately
Order the packets until the gap in seq. no. is filled or the timer expires
268
Summary of Results
Improve UDP throughput by a factor of 3-4
Improve TCP:
w/o hidden terminal: up to 38% improvement
w/ hidden terminal and high loss: little improvement
270
Outline
Overview
MAC
Routing
Wireless TCP
Wireless in real world
Leverage broadcasting nature
Wireless security
271
Overview
Understand Attacks
Stimulate cooperation
Detect Attacks
Defend
272
Attacking Wireless Networks
273
Attack 1: CSMA Selfish Behaviors
Carrier sense: When a node wishes to transmit a packet, it
first waits until the channel is idle
Backoff Interval: used to reduce collision probability
When transmitting a packet, choose a backoff interval
in the range [0,cw]: cw is contention window
Count down the backoff interval when medium is idle
Count-down is suspended if medium becomes busy
When backoff interval reaches 0, transmit
IEEE 802.11 DCF: contention window cw is chosen
dynamically depending on collision occurrence
274
Binary Exponential Backoff
275
Attack 1: CSMA Selfish Behaviors
[Figure: a jammer next to a node that says "I can't decode my data"]
277
Attack 3: Injecting Bogus Information
278
Introduction
Traditionally, Denial of Service (DoS) attacks involve filling
receiving buffers and/or bringing down servers
In the wireless domain, DoS is more fundamentally linked with
the medium
MAC misbehavior or
Preventing nodes from even communicating (i.e., jamming)
279
Roadmap
Advanced Detection Mechanisms
Basic Detection Mechanisms
Jamming Models
280
What is a Jammer?
A jammer is purposefully trying to interfere with
the physical transmit/receive
281
Jammers -- Hardware
Cell phone jammer unit
Block every cellular phone!!!
Signal generator
Conventional devices
282
Goal of Jammer
Interference
Prevent a sender from sending out packets
Prevent a receiver from receiving legitimate packets
How to measure their effectiveness:
Packet Send Ratio (PSR):
Ratio of actual # of packets sent out versus # of packets
intended
Packet Delivery Ratio (PDR):
Ratio of # of successfully delivered packets versus # of packets
sent out
Measured at sender [ACKs] or receiver [CRC check]
283
Jammer Attack Models
[Figure: the CSMA send flowchart, shown twice: need to send m; is the channel idle? No: backoff; Yes: start to send m]
Jamming Models
Constant Jammer
Continuously emits radio signal (random bits, no MAC-etiquette)
Deceptive Jammer
Continuously sends regular packets (preamble bits) without gaps
in transmission
Targeting sending
Random Jammer
Alternates between sleeping and jamming states.
Takes energy conservation into consideration
Reactive Jammer:
Reacts to a sent message
Targeting reception; harder to detect
285
Constant Jammer
[Figure: RSSI (dBm) versus sample sequence number for CBR, MaxTraffic, Constant Jammer, Deceptive Jammer, Reactive Jammer and Random Jammer]
Deceptive Jammer
Constantly injects regular packets with no gap between packets. A normal device will remain in the receive state and cannot switch to the send state because of the constant stream of incoming packets.
Random Jammer
Alternates between sleeping and jamming. Can act as constant or deceptive when jamming. Takes energy conservation into consideration.
Reactive Jammer
The other three are active; this one is not. It stays quiet until there is activity on the channel. This targets the reception of a message. This style does not conserve energy; however, it may be harder to detect.
Basic Jamming Detection
290
Detection 1: Analyzing Signal Strength
292
Experiment Setup
Involving three parties:
Normal nodes:
Sender A
Receiver B
Jammer X
Parameters
Four jammer models
Distance
Let dXB = dXA
Fix dAB at 30 inches
Power
PA = PB = PX = -4dBm
[Figure: Sender A, Receiver B and Jammer X, with the distances dAB, dXB and dXA marked]
Signal Strength
CBR: 20 packets per second
The average values for the
constant jammer and the
MaxTraffic source are roughly
equal
The constant jammer and
deceptive jammer have
roughly the same average
values
The signal strength average
from a CBR source does not
differ much from the reactive
jammer scenario
These results suggest that we
may not be able to use simple
statistics such as average
signal strength to identify
jamming
Signal-Strength: Higher Order Crossing
We can not distinguish the reactive or random jammer from normal
traffic
A reactive or random jammer will alternate between busy and idle in the
same way as normal traffic behaves
HOC will work for some jammer scenarios but is not powerful enough
to detect all jammer scenarios
Not working well.
295
Detection 2: Analyzing Carrier Sensing Time
A jammer can prevent a legitimate source from sending out
packets: the channel might appear constantly busy to the
source
Keep track of the amount of time it spends waiting for the
channel to become idle (carrier sensing time)
Compare it with the sensing time during normal traffic
operations to determine whether it is jammed
Only true if MAC protocol employs a fixed signal strength
threshold to determine whether channel is busy
Determine when large sensing times are the result of jamming
by setting a threshold
Threshold set conservatively to reduce false positives
296
Detection 2: Analyzing Carrier Sensing Time
298
MaxTraffic
Sender
Basic Statistics Summary
299
Solution: Consistency Checks
PDR is relatively good
Normal scenario:
High signal strength → high PDR
Low signal strength → low PDR
Low PDR in real life
Poor channel quality
Jamming attacks → high signal strength
Consistency check
Look at transmissions from neighbors
If at least one neighbor has high PDR
If all have low PDR → check signal strength → high → I am being jammed!
300
Location-Based Consistency Check
Concept:
Close neighbor nodes → high PDR
Far neighbor nodes → lower PDR
If all nearby neighbors exhibit low PDR → jammed!
301
PDR/Signal Strength Consistency
PDR < Threshold?
No → Not Jammed
Yes → Sample Signal Strength
PDR consistent with SS?
Yes → Not Jammed
No → Jammed
Results
Observed Normal relationships
High signal strength yields a high PDR
Low signal strength yields a low PDR
Jammed scenario: a high signal strength but a low PDR
The Jammed region is above the 99% signal strength confidence intervals and has a PDR below 65%
303
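One way to implement the PDR/signal-strength consistency check and the neighbor check from the preceding slides, as an added example that is not code from the original slides or the work they summarize. The calibration readings are constructed, the 99% bound assumes a roughly Gaussian spread of RSSI, and all function names are hypothetical; only the 65% PDR threshold comes from the slides.

```python
import statistics

PDR_THRESHOLD = 0.65  # Results slide: the jammed region has PDR below 65%
Z_99 = 2.576          # 99% two-sided normal quantile (Gaussian spread assumed)

def pdr(delivered: int, sent: int) -> float:
    """Packet Delivery Ratio: delivered packets / packets sent out."""
    return delivered / sent if sent else 0.0

def ss_upper_bound(calibration) -> float:
    """Upper 99% bound on the RSSI (dBm) that accompanied a low PDR in
    measurements taken while the network was known not to be jammed."""
    low = [rssi for p, rssi in calibration if p < PDR_THRESHOLD]
    return statistics.mean(low) + Z_99 * statistics.stdev(low)

def link_jammed(pdr_now: float, rssi_now: float, bound: float) -> bool:
    """Flowchart: low PDR that the signal strength cannot explain."""
    if pdr_now >= PDR_THRESHOLD:
        return False              # delivery is fine
    return rssi_now > bound       # strong signal + low PDR is inconsistent

def node_jammed(neighbors, bound: float) -> bool:
    """Neighbor check: one healthy neighbor link rules jamming out;
    otherwise any inconsistent link flags it."""
    if any(p >= PDR_THRESHOLD for p, _ in neighbors):
        return False
    return any(link_jammed(p, rssi, bound) for p, rssi in neighbors)

# Constructed calibration data: (PDR, RSSI dBm) per link, no jammer present.
CALIBRATION = [(0.10, -96), (0.30, -94), (0.50, -92), (0.20, -95),
               (0.60, -91), (0.95, -70), (0.99, -65)]
BOUND = ss_upper_bound(CALIBRATION)   # about -88.3 dBm for this data
```

A far-away neighbor with weak RSSI and poor delivery stays below the bound and is not flagged, which is the case that a PDR-only threshold would misclassify.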
What Happens After Detection??
This work has identified jamming models and described a
means of detection
Prevention? Reaction?
Channel surfing and spatial retreats
SSCH
304
Our Jammers
MAC-layer Jammer
Mica2 Motes (UC Berkeley)
8-bit CPU at 4MHz
512KB flash, 4KB RAM
916.7MHz radio
OS: TinyOS
Disable the CSMA
Keep sending out the preamble
PHY-layer Jammer
Waveform Generator
Tune frequency to 916.7MHz
305
Escaping From Jamming Attacks
Channel Surfing
Utilize frequency hopping: if a node detects that it is being
jammed, it just switches to another channel
Inspired by frequency hopping techniques, but operates at the link
layer
System Issues: Must have ability to choose multiple
orthogonal channels
Practical Issue: PHY specs do not necessarily translate into correct
orthogonal channels
Example: MICA2 Radio recommends: choose separate channels
with a minimum spacing of 150KHz but..
306
Throughput VS. Channel Assignment
Sender sends the packet as fast as it
can
Receiver counts the packet and
calculates the throughput
The radio frequency of the sender
and receiver was fixed at 916.7MHz
Increased the interferer's
communication frequency by 50kHz
each time
When the jammer's communication
frequency increases to 917.5MHz,
there is almost no interference
307
Is Channel Surfing Feasible??
308
Escaping From Jamming Attacks
Orthogonal channels
The fact is that we need at least 800KHz to escape the
interference
Therefore, explicit determination of the amount of
orthogonal channels is important
Channel Surfing
Target: maximize the delay before the attacker finds the new
channel
Solution: use a (keyed) pseudo-random channel assignment
between nodes
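A sketch of a keyed pseudo-random channel assignment for channel surfing, as an added example that is not from the original slides. HMAC-SHA256 as the keyed function, the number of channels, the shared key and all function names are assumptions; the 916.7MHz carrier and 800KHz spacing are the values quoted on the slides.

```python
import hashlib
import hmac

BASE_KHZ = 916_700    # carrier used in the page's Mica2 experiment
SPACING_KHZ = 800     # page: at least 800KHz is needed to escape interference
NUM_CHANNELS = 8      # assumption: orthogonal channels available in the band

def next_channel(key: bytes, epoch: int, current: int) -> int:
    """Channel index to hop to when jamming is detected in `epoch`.
    Keyed, so an observer without `key` cannot predict the hop; the
    offset is drawn from 1..N-1 so the node always leaves `current`."""
    msg = epoch.to_bytes(8, "big") + bytes([current])
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = 1 + int.from_bytes(digest, "big") % (NUM_CHANNELS - 1)
    return (current + offset) % NUM_CHANNELS

def frequency_khz(channel: int) -> int:
    """Carrier frequency of a channel index, spaced to stay orthogonal."""
    return BASE_KHZ + channel * SPACING_KHZ

def hop_sequence(key: bytes, start: int, hops: int) -> list:
    """Channels visited over `hops` consecutive jamming events."""
    seq, ch = [], start
    for epoch in range(hops):
        ch = next_channel(key, epoch, ch)
        seq.append(ch)
    return seq
```

Both ends of a link derive the same hop from the shared key and epoch counter without exchanging anything on the jammed channel, while the jammer has to search the remaining channels.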
309
Escaping from Jamming Attacks
Spatial Retreats:
If a node is jammed → move spatially (physically) to another
location
When a node changes location, it needs to move to a new
location where it can avoid being jammed but minimize
network degradation
Sometimes a spatial retreat will cause a network partition
Two different strategies to defend against jamming
Channel-surfing: changing the transmission frequency to a
range where there is no interference from the attacker
Spatial retreat: moving to a new location where there is no
interference
310
Jammers will be Punished
A man skilled in the operation of commercial wireless
Internet networks was sentenced for intentionally bringing
down wireless Internet services across the region of
Vernal, Utah.
Ryan Fisher, 24, was sentenced to 24 months in prison to
be followed by 36 months of supervised release, and to
pay $65,000 in restitution.
In total, more than 170 customers lost Internet service,
some of them for as long as three weeks
311
Sustaining Cooperation in
Multi-Hop Wireless Networks
312
Motivation
Free riding in multi-hop wireless networks
less contribution to the group
consume more than their fair share of a resource
Routing protocols assume that nodes are well behaved
Need for a system which discourages
selfish behavior
313
Problem Definition
315
Catch !!
Fear of punishment !
316
Main Idea
317
Problems in doing this??
Distinguishing between Selfish nodes and Transmission errors
Announcing the presence of free-rider to all, even if he/she is
your only link to the outside world
318
Power of Anonymity
319
Solution..
Anonymous Challenge and Watchdogs
To distinguish deliberate packet dropping from wireless errors
Anonymous Neighbor Verification
To inform all other testers of the free-rider to isolate him
320
Anonymous Challenges
A watchdog is used
All Testers regularly but unpredictably send an anonymous
challenge to Testee for it to rebroadcast
A cryptographic hash of a randomly generated token
Even a selfish testee must depend on at least one of its
testers to forward its packets if it is to stay connected
Any tester that does not hear the rebroadcast of its
challenge flags the testee as a free rider and refuses to
forward its packets
321
Anonymous Neighbor Verification
Once free-rider is detected, other testers must
also be informed
Challenge: the only path must be via the testee
Anonymous neighbor verification (ANV) sub-protocol is defined
322
Anonymous Neighbor Verification
First phase: ANV Open
Each tester sends cryptographic hash of a random token to the
testee to rebroadcast
All others take note
Second phase: ANV Close
If satisfied, release token to testee for it to rebroadcast
If senders don't receive tokens for all hash messages
→ infer that testee is free riding
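The two ANV phases described above (and the hash-of-token challenge from the Anonymous Challenges slide), modelled as an added example that is not the protocol authors' code. SHA-256 as the hash, the 16-byte token size and the class and function names are assumptions.

```python
import hashlib
import secrets

def commit(token: bytes) -> bytes:
    """Hash sent in ANV Open (SHA-256 assumed)."""
    return hashlib.sha256(token).digest()

class Tester:
    def __init__(self, name: str, satisfied: bool = True):
        self.name = name
        self.satisfied = satisfied          # did the testee pass my challenges?
        self.token = secrets.token_bytes(16)
        self.noted = set()                  # hashes heard via the testee

    def anv_open(self) -> bytes:
        return commit(self.token)

    def anv_close(self):
        return self.token if self.satisfied else None

    def verdict(self, rebroadcast_tokens) -> str:
        opened = {commit(t) for t in rebroadcast_tokens}
        return "free-rider" if self.noted - opened else "ok"

def run_epoch(testers, forged=()):
    """The testee relays everything; `forged` are tokens it makes up."""
    hashes = [t.anv_open() for t in testers]          # phase 1, rebroadcast
    for t in testers:
        t.noted = set(hashes)
    tokens = [t.anv_close() for t in testers]         # phase 2, rebroadcast
    relayed = [tok for tok in tokens if tok is not None] + list(forged)
    return {t.name: t.verdict(relayed) for t in testers}
```

One withheld token leaves a noted hash unopened at every tester, and the testee cannot fill the gap because it would need a preimage of that hash.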
323
Evaluation
15 PCs equipped with 802.11b
Operating in the ad-hoc mode
Diameter is between 3 and 5
hops
Length of one epoch is set to
one minute
There are 15 anonymous ACM
messages per epoch
324
Evaluation
325
Evaluation
Three nodes: the second one acts as free-rider
The number of epochs required to detect free-riders in the
testbed versus the fraction of packets a free-rider dropped
327
328