In this lesson we will delve into the world of wireless networking. The most important lessons to take away from today are the differences between wired and wireless networking and how that impacts how we design and use our wireless networks.

Where does wireless fit?

To understand how wireless networks differ from wired networks (and what their similarities are) it helps to go back to our network stack:

------------
Application
------------
Transport
------------
Internet
------------
Link
------------
Physical
------------

It should be pretty obvious that the Physical Layer will be different with wireless networks: radios instead of wires. The important point is that the only other layer that changes is the Link Layer, everything else is the same. When a host is connected wirelessly, it still has an IP address, still uses TCP and UDP, still browses the web with HTTP and resolves hostnames with DNS. In other words:

    Wired                          Wireless
                 ------------
    -same        Application        -same-
                 ------------
    -same-       Transport          -same-
                 ------------
    -same-       Internet           -same-
                 ------------
e.g. ethernet →  Link          ←  e.g. 802.11n
                 ------------
  e.g. cables →  Physical      ←  e.g. radios
                 ------------

WiFi / 802.11

Just as ethernet is the most common physical/link standard for wired networks, there is a standard called 802.11 that is the most common standard for wireless networking. If you've seen the term "WiFi", that refers to 802.11 wireless networking. So we will restrict our discussion of wireless networks to 802.11 wireless networks, just as we restricted our discussion of wired networks to ethernet.

In fact, 802.11 is a family of standards: now encompassing 802.11a, 802.11b, 802.11g, and 802.11n. The standard has evolved fairly quickly, and the letters further down in the alphabet are more recent (and faster!) versions. The next version of the standard, 802.11ac, should be finalized this year, and become mainstream in the coming years.

802.11 defines two "modes" of operation: ad hoc and infrastructure. Infrastructure mode is most relevant to your experience, so we'll stick to talking about it and ignore ad hoc mode entirely.

A wireless network: The basic setup

There is some terminology associated with 802.11 wireless networking.

station: Anything with a radio that can play 802.11. Note that 802.11 radios have MAC addresses just like ethernet cards
base station: The base station acts like a hub in a wireless network. The other stations send any network traffic to it, which it then broadcasts out for all stations to receive. (WAP - Wireless Access Point - is more or less a synonym.) We will refer to the other stations on the network as host stations.
BSS: A base station and the hosts stations that are communicating with/through it is called a BSS (Basic Service Set). The BSS can be uniquely identified by the MAC address of the base station (this is called the BSSID)

So a base station with a collection of host stations is very similar to single, isolated wired network with hosts and a hub/switch. Just as with the wired network, the hosts must have their IP Address and Subnet masks set. And just as with the wired network, in order to communicate with another host on the network, a host has to label each packet with the MAC address of the recipient host. And just as with a wired network, without a Gateway Router there is no communication with other networks. However, there are a few issues that arise with wireless networks that we don't have with wired networks.

Problem 1 we don't have with wired networks

What if there are multiple base stations within range of my radio ... which network am I on? There is no analogous problem in a wired network. What hub/switch you're plugged into is unambiguous. The solution to this is to give each wireless network a name, called it's ESSID, so that a host can identify by name which wireless network it wants to join when multiple base stations are within range. You may have seen a dialogue box pop up to ask you which wireless network you want to join. If so, what you got to choose from was a list of ESSIDs.

Problem 2 we don't have with wired networks

What if a base station's (or host's) signal strength is insufficient to allow all the host stations I want on the network to communicate with the base station? In the wired world I could just grab a longer cable, but the maximum range of a base or host's radio is pretty much set. To solve this, 80211 allows multiple base stations to act as a single network. So although there are different base stations, they share a common ESSID and all host stations connected to any one of these base stations is on the same network. Conceptually, this works as if we had one super base station, even if that isn't literally true, so we will continue as if there is always one base station for a network.

Problem 3 we don't have with wired networks

We can't effectively control who transmits and receives on our wireless network's frequency, so anyone within range can listen in on 802.11 traffic or broadcast 802.11 traffic. This means we can neither

control who can join our network, nor
provide privacy from people who have not joined our network but are none-the-less snooping (i.e. listening to the radio traffic).

This problem doesn't really exist with wired networks, because we are so much better able to control what hosts are part of the network (simply by controlling physical access to rooms and equipment like switches), and because you have to be part of the network to monitor traffic. With wireless, however, anyone near enough to a base station can send and receive.

The most common solution to both these problems is to encrypt (scramble) the data you broadcast in such a way that only the people you want on the network can decrypt (unscramble). To join/scamble/unscramble one needs a "key". Will learn more about encryption later, but in this context a bigger key means harder for outsiders to decrypt (unscramble).

There are three common standards for this, from oldest (and weakest) to newest (and strongest) they are:

WEP (Wired Equivalent Privacy), the oldest of the three methods. This uses a weak (by today's standards) encryption method and a 40-bit key. There are free tools and instructions for how to listen in on a WEP protected network and crack the password. This should not be your first choice of encryption.
WPA (Wi-Fi Protected Access), which uses the same encryption method as WEP, but uses a stronger 128-bit key. This is certainly stronger than WEP, but not an altogether new solution.
WPA2 (Wi-Fi Protected Access 2) is the strongest of the three encryption methods. This uses a strong 256-bit key for the encryption and is currently considered the best protection for wireless networks.

Note that this encryption (scrambling) goes on in the Link Layer, so that all the layers above are unaware that anything was ever encrypted (scrambled).

Joining the Internet

Finally, we'd like the host stations on our wireless network to be able to communicate with hosts on other networks. To do this, the base station needs to be connected to a router — which will become the gateway router for the host stations on the network.

Now, when sending data to a host outside of the network (Review: How you know when a host is outside your network?) data is sent via radio to the base station, from there by wire to the gateway router, and from there things work just as before: the gateway router uses the IP address on the packet it receives to send the packet in the direction of the recipient.
When data is sent from outside to a host station, the gateway router for that host-station's network receives the packet. Since the gateway is on the same network (connecting to the base station by a wire rather than wirelessly, but still on the same network), it associates the recipient host station's IP address with the host-station's MAC address via its ARP table. Then, the data is sent to the host-station, addressed by its MAC address, via the base station. Notice that the base station acts as a regular wired switch to the gateway router in this example.

Note that for home use, one typically gets a single box that acts as router, switch and WiFi base station, all at once.

is really

How does the wireless infrastructure at USNA relate to this lesson?

You might ask how your experience with the Naval Academy's wireless relates to what we've learned in this lesson?

First of all, usna-wap is the ESSID of that network.
Second of all, there are a number of base stations spread throughout the 2nd deck of Michelson that all belong to the same network: the network with ESSID usna-wap.
The network uses WPA2. You might object that WPA2 should require you to enter some (256-bit) key according to what we learned, but that you never had to do any such thing. Here's what's actually going on:
1. your initial communication with the base station is not encrypted (scrambled) at the link layer using WPA2, because you don't initially know the key.
2. However, your laptop and a server in Ward Hall communicate about your logging on (i.e. sending/receiving username and password) using TLS, the same protocol that sits in between the Application Layer and the Transport Layer encrypting (scrambling) data to provide HTTPS (i.e. secure web traffic).
3. So your PC and the authentication server go through the logging in process, sending over the wireless network unencrypted packets that any snooper can see — but the contents of those packets are scrambled by TLS. So they see the IP address of the recipient from the packet, and they see the data in the packet, but they can't make sense of the data.
4. If your credentials (username and password) are OK, the server will send you back the WPA2 key to use, and the rest of your session will then be encrypted at the Link Layer level using WPA2.

Network protocol used by your CAC.

Communication between your CAC and the CAC reader only requires the Physical and Link layers: the protocol that is used is ISO/IEC 7816-3. This is analogous to other Physical/Link-layer protocols like Ethernet (IEE 802.3) and WiFi (IEEE 802.11).

Listening to the many 802.11 radios out there!

During class hours on the second floor of Michelson, there are lots and lots of 802.11 radios broadcasting. It's instructive to try out some tools that allow you to see how many are broadcasting, hos strong their signals are, what type of encryption they're using, and other information of that sort. One such tool is Xirrus Wi-Fi Inspector (download). If you download and install and run the tool, you are presented with a variety of options for visualizing all the Wi-Fi signals your laptop is receiving.

If you want to try it out, my suggestion is to first click on the "Networks" button on the "Home" tab. This shows a list of devices, each with a unique BSSID (MAC Address), along with their SSID's, signal strength, encryption type, etc. During class hours on the 2nd floor of Michelson, you'll probably want to filter out a lot of those entries. It's instructive to try this out: right-click on the "SSID" column heading and choose "Filter Editor". Set the filter to

SSID Does not equal <Non-broadcasted>

... to filter out everything except base stations that are actually broadcasting an SSID — i.e. announcing their name to the world.