802.11 MAC Layer


Unlike other link-layer protocols, 802.11 incorporates positive acknowledgements.
All transmitted (unicast) frames in 802.11 must be acknowledged.
The sender of the data frame must receive an acknowledgement, or the frame is considered lost.

However, an 802.11 wireless network handles multicast traffic differently, depending on the configuration of delivery traffic indication message (DTIM), and beacon interval settings.
  • If no stations within the BSS are in power save mode, multicast packets are sent immediately when they arrive.
  • If there are one or more stations in power save mode, access points then only deliver multicast traffic after each DTIM interval and transmit at one of the supported rates in the basic rate set.
The transmit rate is either 1 Mbit/s or 6 Mbit/s, depending on the operating band and protection mode. The DTIM and beacon interval settings can be adjusted to improve multicast performance in wireless networks.
Besides, multicast packets are sent once and are not acknowledged, so they are subject to much higher loss rates.
There are various methods for coping with this, such as choosing to unicast multicast data repeatedly to each client, or requesting ACKs from each client.

Medium Access Control

802.11 defines the following techniques to control medium access:
  • Distributed coordination function (DCF)
  • DCF is defined in subclause 9.2 of the IEEE 802.11 standard and is the de facto default setting for Wi-Fi hardware. DCF employs CSMA/CA with a binary exponential backoff algorithm. DCF requires a station wishing to transmit to listen for the channel status for a DIFS interval. If the channel is found busy during the DIFS interval, the station defers its transmission. A period called the contention window or backoff window follows the DIFS. This window is divided into slots. Stations pick a random slot and wait for that slot before attempting to access the medium.
  • Point coordination function (PCF)
  • PCF resides in a point coordinator, also known as the Access Point (AP), to coordinate communication within the network. The AP waits for a PIFS duration rather than a DIFS duration to seize the channel. PIFS is shorter than DIFS, and hence the point coordinator always has priority to access the channel. The PCF is located directly above the Distributed Coordination Function (DCF) in the IEEE 802.11 MAC architecture. Channel access in PCF mode is centralized: the point coordinator sends a CF-Poll frame to a PCF-capable station to permit it to transmit a frame. If the polled station does not have any frames to send, it must transmit a null frame. PCF seems to be implemented in only very few hardware devices, as it is not part of the Wi-Fi Alliance's interoperability standard.

Wi-Fi Carrier-Sensing


Wi-Fi carrier sense is composed of two separate and distinct functions:
  • Clear Channel Assessment (CCA)
  • From a high level perspective, CCA is physical carrier sense which listens to received energy on the radio interface.
  • Network Allocation Vector (NAV)
  • NAV is virtual carrier sense which is used by stations to reserve the medium for mandatory frames which must follow the current frame.
It is important to note that CCA is not the same as the NAV.
  • CCA indicates a busy medium for the current frame
  • NAV reserves the medium as busy for future frames that are required to be transmitted immediately following the current frame.

Network Allocation Vector (NAV)


In addition to CCA determining the medium idle/busy state for the current frame and noise, the NAV allows stations to indicate the amount of time required for transmission of required frames immediately following the current frame. This is important to reserve the medium as busy for these mandatory frames.

The importance of NAV virtual carrier sense is to ensure medium reservation for frames critical to operation of the 802.11 protocol. Typically these are control frames, but not always. They include 802.11 acknowledgements, subsequent data and acknowledgement frames as part of a fragment burst, and data and acknowledgement frames following an RTS/CTS exchange.

The NAV is carried in the Duration field of the 802.11 MAC header. Stations that are able to decode the 802.11 header extract the Duration field value and use it to mark the medium as busy for the amount of time specified (in microseconds). Therefore, the transmitter should follow the strict rules defined in the 802.11 specification for calculating the NAV value to be sent within frames.

In other words, the NAV is a timer that indicates the amount of time the medium will be reserved. Stations set the NAV to the time which they expect to use the medium.

Interframe Spacing


The Ethernet standards require a minimum spacing between two non-colliding frames. This gives the media time to stabilize after the transmission of the previous frame and time for the devices to process the frame. Referred to as the interframe spacing, this time is measured from the last bit of the FCS field of one frame to the first bit of the Preamble of the next frame.

As with Ethernet, 802.11 uses interframe spacing; it defines 4 different interframe spaces. Different types of frames use different interframe spacing. The logic is: high-priority traffic uses shorter interframe spacing.


Fragmentation and Reassembly


Wireless LAN stations may attempt to fragment transmissions so that interference affects only small fragments. Fragmentation takes place when the length of a higher-level packet exceeds the configured fragmentation threshold.
  • all fragments have the same sequence number
  • fragments have ascending fragment numbers to aid in reassembly
  • the Frame Control field contains a bit that indicates whether fragmentation is taking place (more fragments follow)




Frame Format




Frame Control Field

Type and subtype fields identify the frame used.

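| Type | Subtype | Subtype Name |
|---|---|---|
| Management frames (value=00) | 0000 | Association request |
| Management frames (value=00) | 0001 | Association response |
| Management frames (value=00) | 0010 | Reassociation request |
| Management frames (value=00) | 0011 | Reassociation response |
| Management frames (value=00) | 0100 | Probe request |
| Management frames (value=00) | 0101 | Probe response |
| Management frames (value=00) | 1000 | Beacon |
| Management frames (value=00) | 1001 | Announcement traffic indication message (ATIM) |
| Management frames (value=00) | 1010 | Disassociation |
| Management frames (value=00) | 1011 | Authentication |
| Management frames (value=00) | 1100 | Deauthentication |
| Management frames (value=00) | 1101 | Action (for spectrum management with 802.11h or QoS) |
| Control frames (value=01) | 1000 | Block acknowledgement request (QoS) |
| Control frames (value=01) | 1001 | Block acknowledgement (QoS) |
| Control frames (value=01) | 1010 | Power-save (PS)-Poll |
| Control frames (value=01) | 1011 | RTS |
| Control frames (value=01) | 1100 | CTS |
| Control frames (value=01) | 1101 | Acknowledgement (ACK) |
| Control frames (value=01) | 1110 | Contention-free (CF)-End |
| Control frames (value=01) | 1111 | CF-End+CF-Ack |
| Data frames (value=10) | 0000 | Data |
| Data frames (value=10) | 0001 | Data+CF-Ack |
| Data frames (value=10) | 0010 | Data+CF-Poll |
| Data frames (value=10) | 0011 | Data+CF-Ack+CF-Poll |
| Data frames (value=10) | 0100 | Null data (no data) |
| Data frames (value=10) | 0101 | CF-Ack (no data) |
| Data frames (value=10) | 0110 | CF-Poll (no data) |
| Data frames (value=10) | 0111 | CF-Ack+CF-Poll (no data) |
| Data frames (value=10) | 1000 | QoS data |
| Data frames (value=10) | 1001 | QoS data + CF-Ack |
| Data frames (value=10) | 1010 | QoS data + CF-Poll |
| Data frames (value=10) | 1011 | QoS data + CF-Ack + CF-Poll |
| Data frames (value=10) | 1100 | QoS Null |
| Data frames (value=10) | 1101 | QoS CF-Ack (no data) |
| Data frames (value=10) | 1110 | QoS CF-Poll (no data) |
| Data frames (value=10) | 1111 | QoS CF-Ack + CF-Poll (no data) |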

Duration / ID Field

This field can take one of three forms:
  • Used as the NAV.
  • All stations must monitor the headers of all frames they receive and update the NAV accordingly. IEEE 802.11 DCF defines two access methods:
    • basic access method
    • Data packets are transmitted when channel access has been obtained. ACK frames follow successful data packet receptions.
    • RTS/CTS access method
    • RTS (Request To Send) and CTS (Clear To Send) frames are exchanged before Data/ACK packets. RTS and CTS frames contain a duration field that defines the period of time for which the medium is to be reserved to transmit the actual Data frame and the returning ACK frame.
  • Used during contention-free periods.
  • The field is set to 32768, a large value chosen to avoid interfering with contention-free transmissions.
  • Used in the PS-Poll frame to retrieve any buffered frames from the AP.
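
The three forms of the Duration/ID field and the NAV update they drive, as an added Python example (not code from the original page). The PS-Poll bit layout and the rule that a station ignores durations in frames addressed to itself are assumptions taken from the 802.11 encoding rather than from this page; the MAC addresses and timings are constructed.

```python
from dataclasses import dataclass

CFP_FIXED = 32768  # fixed value the page gives for contention-free periods

def decode_duration_id(raw, is_ps_poll=False):
    """Return (form, value) for a 16-bit Duration/ID field."""
    raw &= 0xFFFF
    if is_ps_poll:
        # Assumption (802.11 encoding): bits 15 and 14 set, AID in the low 14 bits.
        if raw & 0xC000 == 0xC000:
            return ("aid", raw & 0x3FFF)
        return ("invalid", raw)
    if raw < CFP_FIXED:
        return ("nav", raw)            # microseconds to reserve after this frame
    if raw == CFP_FIXED:
        return ("cfp", raw)            # contention-free period marker
    return ("reserved", raw)

@dataclass
class Station:
    mac: str
    nav_expiry_us: int = 0             # absolute time at which the reservation ends

    def on_frame(self, frame_end_us, receiver, raw_duration, is_ps_poll=False):
        """Update the NAV from an overheard frame; return True if it changed."""
        form, value = decode_duration_id(raw_duration, is_ps_poll)
        # Assumption: frames addressed to this station do not update its NAV,
        # and a shorter reservation never truncates a longer one already held.
        if form != "nav" or receiver == self.mac:
            return False
        expiry = frame_end_us + value
        if expiry <= self.nav_expiry_us:
            return False
        self.nav_expiry_us = expiry
        return True

    def medium_busy(self, now_us, cca_busy=False):
        """Busy if physical (CCA) or virtual (NAV) carrier sense says so."""
        return cca_busy or now_us < self.nav_expiry_us

def demo():
    # Constructed RTS/CTS exchange between A and B, overheard by station C.
    c = Station("cc:cc:cc:cc:cc:cc")
    events = [
        (100, "bb:bb:bb:bb:bb:bb", 400),   # RTS A->B ends at t=100, reserves 400 us
        (150, "aa:aa:aa:aa:aa:aa", 340),   # CTS B->A ends at t=150, reserves 340 us
        (160, "cc:cc:cc:cc:cc:cc", 5000),  # frame addressed to C itself: ignored
    ]
    changed = [c.on_frame(t, rx, dur) for t, rx, dur in events]
    return c, changed

if __name__ == "__main__":
    c, changed = demo()
    print(changed, c.nav_expiry_us, c.medium_busy(499), c.medium_busy(500))
```

The CTS does not shorten the reservation made by the RTS, so station C treats the medium as busy until t=500 even when CCA reports it idle.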

Address Fields


An 802.11 frame may contain up to 4 address fields. The number of address fields used depends on the type of frame. Most data frames use 3 fields for source, destination and BSSID.

| Function | To DS | From DS | Address 1 (Receiver Address) | Address 2 (Transmitter Address) | Address 3 | Address 4 |
|---|---|---|---|---|---|---|
| IBSS | 0 | 0 | DA | SA | BSSID | N/A |
| From AP (Infra) | 0 | 1 | DA | BSSID | SA | N/A |
| To AP (Infra) | 1 | 0 | BSSID | SA | DA | N/A |
| WDS (bridge) | 1 | 1 | BSSID#1 | BSSID#2 | DA | SA |


Wi-Fi has two working modes: IBSS (ad-hoc) and BSS (infrastructure mode).
  • In ad-hoc mode, when station A wants to transmit a frame to station B, it transmits the frame to station B directly.
  • In infrastructure mode, station A first transmits the frame to the access point, and the access point retransmits the frame to station B.
The main difference between these two modes is the access point. This kind of device is present only in infrastructure mode.

  • Wi-Fi Direct
  • Ad-hoc mode is also known as “peer-to-peer” mode.
    Wi-Fi Direct may also be referred to as Wi-Fi peer-to-peer or Wi-Fi P2P, as it functions in peer-to-peer mode.
    You may already have a device using Wi-Fi Direct.
    For example, the Roku 3 comes with a remote control that it communicates with using Wi-Fi Direct rather than using an older IR blaster or Bluetooth connection.
    The remote control doesn’t actually connect to your wireless router. Instead, the Roku creates a new Wi-Fi network that the remote control connects to, and the two communicate over their own little network.
  • Wi-Fi Passpoint
  • This Hotspot 2.0 Specification is the technical specification for Wi-Fi Passpoint (Release 2), the Wi-Fi Alliance certification program that provides WPA2 hotspot network access and online sign up.
    Hotspot 2.0 enables a secure, automatic connection experience for users and supports operator goals of leveraging Wi-Fi® technology for data offload of cellular networks.
The absence of an access point in an Ad-hoc network means that an ad hoc WLAN must take on more of the MAC-layer responsibilities.
  • The first active ad hoc station (802.11-equipped client device set to ad hoc mode) establishes an IBSS and starts sending beacon frames, which are needed to announce the presence of the ad hoc network and maintain synchronization among the stations.
  • Other ad hoc stations can join the network after receiving a beacon and accepting the IBSS parameters (for example, beacon interval) found in the beacon frame.
  • Each station that joins the ad hoc network must send a beacon periodically if it does not hear a beacon from another station within a short random delay period after the beacon is supposed to be sent.

Sequence Control Field

It is composed of a 4-bit fragment number and a 12-bit sequence number.
Sequence numbers are not used in control frames, so the Sequence Control field is not present in control frames.
The sequence number begins at 0 and increments by 1 for each high-level packet handled by the MAC. If one high-level packet is fragmented, all fragments will have the same sequence number. The 1st fragment is given a fragment number 0 and each successive fragment increments the fragment number by 1.
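
An added example (not code from the original page) that parses the header fields described in the Frame Control, Duration/ID, Address and Sequence Control sections, including the To DS/From DS address mapping. The function names and both sample frames are constructed; the bit positions inside Frame Control and the byte offsets follow the standard 802.11 header layout, which the page does not spell out.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
# (To DS, From DS) -> roles of Address 1..4, as in the address table above.
ADDR_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),        # IBSS (and management frames)
    (0, 1): ("DA", "BSSID", "SA"),        # from AP
    (1, 0): ("BSSID", "SA", "DA"),        # to AP
    (1, 1): ("RA", "TA", "DA", "SA"),     # WDS; the table labels RA/TA BSSID#1/#2
}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Parse an 802.11 MAC header (no radiotap header, no FCS check)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = {
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": f"{(fc >> 4) & 0xF:04b}",   # same notation as the subtype table
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "more_fragments": bool(fc & 0x0400),
        "duration_id": duration,
        "addr1": mac(frame[4:10]),
    }
    if hdr["type"] == "control":
        return hdr                              # no Sequence Control field
    roles = ADDR_ROLES[(hdr["to_ds"], hdr["from_ds"])]
    need = 30 if len(roles) == 4 else 24
    if len(frame) < need:
        raise ValueError(f"truncated header: need {need} bytes, got {len(frame)}")
    for role, off in zip(roles, (4, 10, 16, 24)):
        hdr[role] = mac(frame[off:off + 6])
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    hdr["fragment"] = seq_ctl & 0xF             # low 4 bits
    hdr["sequence"] = seq_ctl >> 4              # high 12 bits
    return hdr

# Constructed frames: a data frame to the AP (More Fragments set) and an ACK.
DATA_TO_AP = bytes.fromhex(
    "0805" "2c00" "001122334455" "66778899aabb" "ccddeeff0011" "3212")
ACK = bytes.fromhex("d400" "0000" "66778899aabb")

if __name__ == "__main__":
    for name, frame in (("data", DATA_TO_AP), ("ack", ACK)):
        print(name, parse_header(frame))
```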

Frame Check Sequence Field

All fields in the MAC header and the body of the frame are included in the FCS.
On 802.11 networks, frames that pass the integrity check also require the receiver to send an ACK; stations must wait for the ACK timeout before retransmitting.

Encapsulation of Higher-Layer Protocols within 802.11


The ISO/IEC 802.22 standard defines logical link control (LLC) as the upper portion of the data link layer of the OSI model.
The MSDU is the data payload that contains the IP packet plus some LLC data.
LLC is a software component that provides a uniform interface to the network layer.
The LLC header consists of:
  • DSAP (Destination Service Access Point)
  • an 8-bit long field that represents the logical addresses of the network layer entity intended to receive the message.
  • SSAP (Source Service Access Point)
  • an 8-bit long field that represents the logical address of the network layer entity that has created the message.
  • Control field
  • 8 or 16 bits
802.11 relies on 802.2 logical-link control (LLC) encapsulation to carry higher-layer protocols.

Therefore, data packets that are not 802.2 packets must be formatted as 802.2 with 802.1H or RFC 1042.
Both Ethernet encapsulation methods work for 802.11, but RFC 1042 ensures interoperability because 802.1H is Cisco's proprietary protocol.


When the LLC sends the MSDU to the MAC sublayer, the MAC header information is added to the MSDU. The MSDU is now encapsulated in a MAC Protocol Data Unit (MPDU).

Framing in Detail


  • Data frames: pack the data
  • Data frames carry higher-level protocol data in the frame body
  • Control frames: work with data frames to deliver data reliably.
    • area clearing operations
    • CTS
    • channel acquisition
    • RTS
    • carrier-sensing maintenance functions
    • positive acknowledgment of received data
    • ACK
  • Management frames: join/leave WiFi networks and move associations from AP to AP

Management Frames


The MAC header is the same in all management frames.
Management frames use information elements to communicate with other systems.

Address fields

Stations are required to examine the BSSID after receiving a management frame; only broadcast/multicast frames from the BSSID a station is currently associated with are passed to MAC layers. The one exception to this rule is Beacon frames.
APs use the MAC address of the wireless network interface as the BSSID.


Frame body

There are 2 types of fields:

  • fixed parameters: fixed-length fields
  • tagged parameters: variable-length fields

Fixed-length Field

Fixed-length fields are often referred to simply as fields.
Fields don't have a header because they have a fixed length and appear in a known order.


| Name | Length | Value | Meaning |
|---|---|---|---|
| Authentication algorithm number | 2 bytes | 0 | Open system (802.1x) |
| | | 1 | Shared key (deprecated by 802.11i) |
| | | 2-65535 | Reserved |
| Authentication transaction sequence number | 2 bytes | 1 - 65535 | Used to track progress through the authentication exchange. |
| Beacon interval | 2 bytes | | The number of time units (TU) between Beacon transmissions; 1 TU is about 1 millisecond. |
| Capability information | 2 bytes | | Used in Beacon frames to advertise the network's capabilities. Each bit is used as a flag to advertise a particular function of the network (bit assignments are listed after the table). |
| Current AP address | 6 bytes | | Stations use this to indicate the MAC address of the AP they are associated with. |
| Listen interval | 2 bytes | | Dozing stations wake up periodically to listen to traffic announcements from the AP. This tells the AP how long buffered frames should be kept. |
| Association ID | 2 bytes | | When stations associate with an access point, they are assigned an Association ID to assist with control and management functions. |
| Timestamp | 8 bytes | | Used to synchronize stations in a BSS. The master timekeeper for a BSS periodically transmits it. |
| Reason code | 2 bytes | | Indicates what the sender has done incorrectly. |
| Status code | 2 bytes | | Indicates the success or failure of an operation. |

Capability information bits:

  • 0: ESS. Infrastructure mode.
  • 1: IBSS
  • 2-3: CF-Pollable, CF-Poll request. These 2 bits are used as a label to indicate the CF-Poll capability.
  • 4: Privacy. Use WEP for confidentiality.
  • 5: Short preamble (802.11b)
  • 6: PBCC (802.11b)
  • 7: Channel Agility (802.11b)
  • 8-9: Reserved
  • 10: Short slot time (802.11g)
  • 11-12: Reserved
  • 13: DSSS-OFDM (802.11g)
  • 14-15: Reserved

Information Elements (IE)

A generic IE is composed of the following:

  • element ID: 1 byte
  • length: 1 byte
  • content: length bytes

| Element ID | Name | Description |
|---|---|---|
| 0 | SSID | Readable string used as the network name. The length is 0-32 bytes. If 0 bytes are used, it is called the broadcast SSID and is only used in Probe Request frames. |
| 1 | Supported rates | It consists of a string of bytes. Each byte uses the 7 low-order bits for the data rate. The MSB indicates whether this rate is mandatory (1) or optional (0). At most 8 rates can be encoded in this element; the Extended Supported Rates element is used to handle more than 8 rates. |
| 2 | FH parameter set | |
| 3 | DS parameter set | |
| 4 | CF parameter set | |
| 5 | Traffic indication map (TIM) | |
| 6 | IBSS parameter set | |
| 7 | Country (802.11d) | |
| 8 | Hopping pattern parameters (802.11d) | |
| 9 | Hopping pattern table (802.11d) | |
| 10 | Request (802.11d) | |
| 16 | Challenge text | |
| 17-31 | Reserved | |
| 32 | Power constraint (802.11h) | |
| 33 | Power capability (802.11h) | |
| 34 | Transmit power control (TPC) request (802.11h) | |
| 35 | TPC report (802.11h) | |
| 36 | Supported channels (802.11h) | |
| 37 | Channel switch announcement (802.11h) | |
| 38 | Measurement request (802.11h) | |
| 39 | Measurement report (802.11h) | |
| 40 | Quiet (802.11h) | |
| 41 | IBSS DFS (802.11h) | |
| 42 | ERP information (802.11g) | |
| 45 | HT Capabilities (7.3.2.56, 802.11n) | |
| 48 | Robust security network (802.11i) | |
| 50 | Extended supported rates (802.11g) | Similar to "Supported rates" but allows up to 255 bytes to be supported. |
| 61 | HT Operation (7.3.2.57, 802.11n) | |
| 221 | Vendor-specific information element | Used to carry information not defined in this standard within a single defined format. |

For the vendor-specific information element (ID 221):
  • The length of the information field (n) shall be 3 ≤ n ≤ 255.
  • The first 3 bytes of the information field contain the OUI of the entity that has defined the content of the particular vendor-specific information element.
  • The OUI field shall be a public OUI assigned by the IEEE. It shall be three octets in length.
  • The length of the vendor-specific content shall be 0 to n-3 octets.
Multiple vendor-specific information elements may appear in a single frame.
Each vendor-specific information element may have a different OUI value.
The number of vendor-specific information elements that may appear in a frame is limited only by the maximum frame size.
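
An added example (not code from the original page) of walking the element ID / length / content layout while checking every length field against the bytes actually present, since a frame body can be truncated or carry a length that overruns it. The function names and sample bytes are constructed, and the 500 kbit/s rate unit is an assumption the page does not state.

```python
def parse_ies(body: bytes):
    """Walk (element ID, length, content) triples.

    Returns (elements, error). error is None when the body parsed cleanly,
    otherwise a string describing where the length fields stopped adding up.
    """
    elements, off = [], 0
    while off < len(body):
        if len(body) - off < 2:
            return elements, f"dangling byte at offset {off}"
        eid, length = body[off], body[off + 1]
        content = body[off + 2: off + 2 + length]
        if len(content) < length:
            return elements, (f"element {eid} at offset {off} claims "
                              f"{length} bytes, {len(content)} remain")
        elements.append((eid, content))
        off += 2 + length
    return elements, None

def decode_rates(content: bytes):
    # Low 7 bits: rate (assumed unit 500 kbit/s); MSB: mandatory (1) / optional (0).
    return [((b & 0x7F) / 2, bool(b & 0x80)) for b in content]

def describe(eid: int, content: bytes):
    """Interpret the elements the page describes; flag ones that break its limits."""
    if eid == 0:
        if len(content) > 32:
            return ("SSID", "invalid: longer than 32 bytes")
        return ("SSID", content.decode("utf-8", "replace") or "<broadcast>")
    if eid == 1 and len(content) > 8:
        return ("Supported rates", "invalid: more than 8 rates")
    if eid in (1, 50):
        name = "Supported rates" if eid == 1 else "Extended supported rates"
        return (name, decode_rates(content))
    if eid == 221:
        if len(content) < 3:
            return ("Vendor specific", "invalid: shorter than the 3-byte OUI")
        oui = "-".join(f"{b:02x}" for b in content[:3])
        return ("Vendor specific", {"oui": oui, "data": content[3:]})
    return (f"element {eid}", content)

# Constructed tagged parameters: SSID, rates, vendor IE, then a truncated element 48.
SAMPLE = bytes.fromhex(
    "00076c61622d6e6574" "010482840b16" "dd05001122aabb" "30140100")

if __name__ == "__main__":
    ies, err = parse_ies(SAMPLE)
    for eid, content in ies:
        print(describe(eid, content))
    print("error:", err)
```

The last element in the sample claims 20 bytes with only 2 remaining, so the parser returns the three valid elements plus an error instead of reading past the end of the body.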

Type of Management Frames

Several types of management frames are used for various link-layer maintenance functions.

Beacon Frame

Beacon frames are transmitted at regular intervals to announce the existence of a network.
Not all of the IEs are present in all Beacons. Optional fields are present only when there is a reason to use them in a network.

Probe Request Frame

Mobile stations use Probe Request frames to scan available 802.11 networks.
A Probe Request frame contains 2 fields:

  • the SSID
  • the rates supported by the mobile station


Probe Response

If a Probe Request reaches a network with compatible parameters, the network sends a Probe Response frame.
The Probe Response frame carries all the parameters in a Beacon frame, which enables mobile stations to match parameters and join the network.

Authentication

In the early days of 802.11 networking, stations authenticated using a shared key. The authentication process may involve a number of steps (depending on the algorithm), so there is a sequence number for each frame during the authentication exchange.
With 802.11i, shared key authentication is incompatible with the new security mechanism.


Association Request

Once mobile stations have authenticated to a compatible network, they may join the network by sending an Association Request frame.
Before an AP accepts an association request, it verifies that all the following match the network's parameters:

  • Capability Information
  • SSID
  • Supported Rates

Reassociation Request

A Reassociation frame needs to include the address of the current AP. This allows the new AP to contact the old AP and transfer the association data.
The data may include frames that were buffered at the old AP.


Deauthentication and Disassociation

Deauthentication frames are used to end an authentication relationship.
Disassociation frames are used to end an association relationship.


States for Frame Transmission


| Frame Class | Management | Control | Data |
|---|---|---|---|
| 1 | Probe Request, Probe Response, Beacon, Authentication, Deauthentication, ATIM | RTS, CTS, ACK, CF-End, CF-End+CF-Ack | Any frame with ToDS=0 and FromDS=0 |
| 2 | Association Request/Response, Reassociation Request/Response, Disassociation | | |
| 3 | Deauthentication | PS-Poll | Any frames |


Comments

fafa wrote…
Hi Jay,

Really thanks for your blog, I got a lot of knowledge from here.
Especially MAC/Physical layer helps me a lot for further interviews.

Thanks
Nick
