In this lesson we will delve into the world of wireless networking. The most important lessons to take away from today are the differences between wired and wireless networking and how that impacts how we design and use our wireless networks.
Where does wireless fit?
To understand how wireless networks differ from wired networks (and what their similarities are) it helps to go back to our TCP/IP Stack:
It should be pretty obvious that the Physical Layer will be different with wireless networks: radios instead of wires.
The important point is that the only other layer that changes is the Data Link Layer; everything else is the same.
When a host is connected wirelessly, it still has an IP address, still uses TCP and UDP, still browses the web with HTTP and resolves host names with DNS.
In other words (wired on the left, wireless on the right):

wired            Layer          wireless
-same-           Application    -same-
-same-           Transport      -same-
-same-           Network        -same-
e.g. Ethernet    Data Link      e.g. 802.11n
e.g. cables      Physical       e.g. radios
Wi-Fi – 802.11
Just as Ethernet is the most common physical/link standard for wired networks, there is a standard called 802.11 that is the most common standard for wireless networking. If you've seen the term Wi-Fi, that refers to 802.11 wireless networking. We will restrict our discussion of wireless networks to 802.11 wireless networks, just as we restricted our discussion of wired networks to Ethernet.
In fact, 802.11 is a family of standards, now encompassing 802.11a, 802.11b, 802.11g, and 802.11n. The standard has evolved fairly quickly, and the letters further down in the alphabet are more recent (and faster!) versions.
The next version of the standard, 802.11ac, was approved in January 2014, and will likely become mainstream in the coming years.
802.11 defines two "modes" of operation: ad hoc and infrastructure. Infrastructure mode is most relevant to your experience, so we'll stick to talking about it and ignore ad hoc mode entirely.
A wireless network: The basic setup
There is some terminology associated with 802.11 wireless networks:
- station: Anything with a radio that can play 802.11. Note that 802.11 radios have MAC addresses, just like Ethernet interfaces.
- base station: The base station acts like a hub in a wireless network. The other stations send any network traffic to it, which it then broadcasts out for all stations to receive. (WAP, Wireless Access Point, is more or less a synonym.) We will refer to the other stations on the network as host stations.
- BSS: A base station and the host stations that are communicating with/through it is called a BSS (Basic Service Set). The BSS can be uniquely identified by the MAC address of the base station (this is called the BSSID).
So a base station with a collection of host stations is very similar to a single, isolated wired network with hosts and a switch. Just as with the wired network, the hosts must have their IP address and subnet mask set. And just as with the wired network, in order to communicate with another host on the network, a host has to label each packet with the MAC address of the recipient host. And just as with a wired network, without a gateway there is no communication with other networks.
However, there are a few issues that arise with wireless networks that we don't have with wired networks.
Problem 1: Which Network?
What if there are multiple base stations within range of my radio ... which network am I on? There is no analogous problem in a wired network. What hub/switch you're plugged into is unambiguous. The solution to this is to give each wireless network a name, called its Service Set IDentifier (SSID), so that a host can identify by name which wireless network it wants to join when multiple base stations are within range. You may have seen a dialogue box pop up to ask you which wireless network you want to join. If so, what you got to choose from was a list of SSIDs.
Problem 2: Multiple Base Stations, Same Network
What if a base station's (or host's) signal strength is insufficient to allow all the host stations I want on the network to communicate with the base station? In the wired world we can just grab a longer cable, but a radio transmission has a maximum detection range based on power output and is affected by environmental factors (just like AM/FM transmissions). To solve this, 802.11 allows multiple base stations to act as a single network. So although there are different base stations, they share a common Extended Service Set Identifier (ESSID), a common SSID, and all host stations connected to any one of these base stations are on the same network. Conceptually, this works as if we had one super base station, even if that isn't literally true, so we will continue as if there is always one base station for a network.
Problem 3: Who Else is in Range?
We can't effectively control who transmits on and receives our wireless network's frequency, so anyone within range can listen in on 802.11 traffic or broadcast 802.11 traffic.
This means we cannot:
- control who can join our network,
- provide privacy (the Confidentiality pillar of cyber security) from people who have not joined our network but are nonetheless snooping (i.e., listening to the radio traffic).
This problem doesn't really exist with wired networks, because we are so much better able to control what hosts are part of the network (simply by controlling physical access to rooms and equipment like switches), and because you have to be part of the network to monitor traffic. With wireless, however, anyone near enough to a base station can send and receive.
The most common solution to both of these problems is to encrypt (encode) the data you broadcast in such a way that only the people you want on the network can decrypt (decode) it. To join the network, and to scramble and unscramble its traffic, one needs a "key". We will learn more about encryption later, but in this context a bigger key means it is harder for outsiders to decrypt (unscramble) the traffic.
There are three common standards for this; from oldest (and weakest) to newest (and strongest) they are:
- WEP (Wired Equivalent Privacy), the oldest of the three methods. This uses a weak (by today's standards) encryption method and a 40-bit key. There are free tools and instructions for how to listen in on a WEP-protected network and crack the password. This should not be your first choice of encryption, not even at home.
- WPA (Wi-Fi Protected Access), which uses the same encryption method as WEP, but uses a stronger 128-bit key. This is certainly stronger than WEP, but not an altogether new solution.
- WPA2 (Wi-Fi Protected Access 2) is the strongest of the three encryption methods. This uses a strong 256-bit key for the encryption and is currently considered the best protection for wireless networks.
Note that this encryption occurs at the Link Layer, so that all the layers above are unaware that anything was ever encrypted.
Connecting to an internet
Finally, we'd like the host stations on our wireless network to be able to communicate with hosts on other networks. To do this, the base station needs to be connected to a router, which will become the gateway router for the host stations on the network.
Now, when sending data to a host outside of the network (Review: how do you know when a host is outside your network?), data is sent via radio to the base station, from there by wire to the gateway router, and from there things work just as before: the gateway router uses the IP address on the packet it receives to send the packet in the direction of the recipient.
When data is sent from outside to a host station, the gateway router for that host station's network receives the packet. Since the gateway is on the same network (connecting to the base station by a wire rather than wirelessly, but still on the same network), it associates the recipient host station's IP address with the host station's MAC address via its ARP table. Then, the data is sent to the host station, addressed by its MAC address, via the base station. Notice that the base station acts as a regular wired switch to the gateway router in this example.
Note that for home use, one typically gets a single box that
acts as router, switch, and Wi-Fi base station all at once.
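As an added illustration (not code from the lesson), here is the send-side decision from the paragraphs above in Python: the same "is the destination on my network?" test decides whether the frame the radio hands to the base station carries the recipient's MAC or the gateway's MAC, and the gateway applies the same rule on the way back in. The addresses, mask and ARP tables are constructed sample values.

```python
import ipaddress

# Constructed sample network: one BSS plus its gateway router, all on 10.20.30.0/24.
MASK = "255.255.255.0"
GATEWAY_IP = "10.20.30.1"
HOST_IP = "10.20.30.40"

# Constructed ARP tables (IP -> MAC). Each device only knows neighbours it has resolved.
HOST_ARP = {
    "10.20.30.1": "00:11:22:33:44:01",   # gateway router, wired to the base station
    "10.20.30.77": "00:11:22:33:44:77",  # another host station in the same BSS
}
GATEWAY_ARP = {
    "10.20.30.40": "00:11:22:33:44:40",  # our host station, reached via the base station
}

def same_network(ip_a, mask, ip_b):
    """True when both addresses share the network part (IP AND mask agree)."""
    net = ipaddress.IPv4Network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.IPv4Address(ip_b) in net

def frame_destination(my_ip, mask, gateway_ip, arp_table, dest_ip):
    """Which MAC address goes on the link-layer frame for a packet to dest_ip?
    On-network: the recipient's own MAC. Off-network: the gateway's MAC (the IP
    header still carries the real destination). None if ARP has no entry yet."""
    target = dest_ip if same_network(my_ip, mask, dest_ip) else gateway_ip
    return arp_table.get(target)

def host_sends(dest_ip):
    """Host station -> base station (radio) -> ...: the MAC to label the frame with."""
    return frame_destination(HOST_IP, MASK, GATEWAY_IP, HOST_ARP, dest_ip)

def gateway_delivers(dest_ip):
    """Inbound packet at the gateway: resolve the host station's MAC via ARP and
    hand the frame to the base station over the wire. Only local delivery is
    modelled here, so an off-network destination returns None."""
    if not same_network(GATEWAY_IP, MASK, dest_ip):
        return None
    return GATEWAY_ARP.get(dest_ip)

if __name__ == "__main__":
    for dest in ("10.20.30.77", "198.51.100.9", "10.20.30.99"):
        print("host ->", dest, "frame MAC:", host_sends(dest))
    print("gateway -> 10.20.30.40 frame MAC:", gateway_delivers("10.20.30.40"))
```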
How does the wireless infrastructure at USNA relate to this lesson?
You might ask how your experience with the Naval Academy's wireless relates to what we've learned in this lesson.
First of all, GNBA-M is the ESSID of the Naval Academy's wireless network. Second of all, there are a number of base stations spread throughout the 2nd deck of Michelson that all belong to the same network: the network with ESSID GNBA-M.
The network uses WPA2 Enterprise (a version of WPA2 designed for more security-conscious organizations). You might wonder: if it is in fact WPA2, then according to what we learned it should require you to enter some (256-bit) key, yet you never had to do anything of the sort.
Here's what's actually going on:
Your initial communication with the base station is not encrypted at the Link Layer using WPA2, because you don't initially have an encryption key. However, your laptop and a server in Ward Hall communicate about you logging on (i.e., securely sending/receiving username and password) using TLS, the same protocol that provides the secure communications for HTTPS (i.e., secure web traffic).
So your PC and the authentication server go through the authentication process, sending over the wireless network unencrypted packets that any snooper can see, but the contents of those packets are encrypted at the Application Layer as a part of the TLS protocol. So an eavesdropper can see the IP address of the recipient from the packet, and they see the data in the packet, but they can't make sense of the data (Confidentiality maintained).
If your credentials (username and password) are valid, the server will send you back an encryption key to use, and the rest of your session will then be encrypted at the Link Layer using WPA2.
Network protocol used by your CAC.
Communication between your CAC and the CAC reader only requires the Physical and Link Layers: the protocol that is used is ISO/IEC 7816-3. This is analogous to other Physical/Link Layer protocols like Ethernet (IEEE 802.3) and Wi-Fi (IEEE 802.11).
Listening to the many 802.11 radios out there!
During class hours on the second floor of Michelson, there are lots and lots of 802.11 radios broadcasting. It's instructive to try out some tools that allow you to see how many are broadcasting, how strong their signals are, what type of encryption they're using, and other information of that sort.
One such tool is Xirrus Wi-Fi Inspector. If you run the tool, you are presented with a variety of options for visualizing all the Wi-Fi signals your host is receiving.
If you want to try it out, my suggestion is to first click the button on the Home tab that shows a list of devices, each with a unique BSSID (MAC address), along with their SSIDs, signal strength, encryption type, etc. During class hours on the 2nd floor of Michelson, you'll probably want to filter out a lot of those entries. It's instructive to try this out: right-click on the SSID column heading and choose Filter Editor. Set the filter to
SSID Does not equal <Non-broadcasted>
to filter out everything except base stations that are actually broadcasting an SSID, i.e., announcing their name to the world.
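As an added example (not part of the lesson and not the Xirrus tool's code), the following Python runs the lesson's ideas over a constructed device list like the one the tool shows: it applies the same "SSID does not equal <Non-broadcasted>" filter, groups base stations by SSID into one ESS (Problem 2), picks the strongest base station for a chosen SSID (Problem 1), and flags networks whose encryption is weaker than WPA2 (Problem 3). Every BSSID, SSID and signal value below is made up.

```python
from collections import defaultdict

NON_BROADCAST = "<Non-broadcasted>"

# Constructed scan results: (BSSID, SSID, signal in dBm, encryption type).
SCAN = [
    ("02:aa:bb:cc:00:01", "Lab-Net",     -41, "WPA2"),
    ("02:aa:bb:cc:00:02", "Lab-Net",     -63, "WPA2"),   # second base station, same ESS
    ("02:aa:bb:cc:00:03", "Lab-Net",     -70, "WPA2"),   # third base station, same ESS
    ("02:aa:bb:cc:00:10", NON_BROADCAST, -55, "WPA2"),   # hidden SSID, dropped by the filter
    ("02:aa:bb:cc:00:20", "OldPrinter",  -58, "WEP"),
    ("02:aa:bb:cc:00:30", "Guest",       -50, "Open"),
    ("02:aa:bb:cc:00:40", "Dorm-AP",     -66, "WPA"),
]

# Strength ordering from the lesson: open < WEP < WPA < WPA2.
RANK = {"Open": 0, "WEP": 1, "WPA": 2, "WPA2": 3}

def broadcasting(scan):
    """The 'SSID Does not equal <Non-broadcasted>' filter from the lesson."""
    return [entry for entry in scan if entry[1] != NON_BROADCAST]

def group_by_essid(scan):
    """Problem 2: several base stations (BSSIDs) sharing one SSID form one ESS.
    Returns {ssid: [bssid, ...]} with the strongest signal first."""
    groups = defaultdict(list)
    for bssid, ssid, signal, _ in broadcasting(scan):
        groups[ssid].append((signal, bssid))
    return {ssid: [b for _, b in sorted(v, reverse=True)] for ssid, v in groups.items()}

def best_base_station(scan, ssid):
    """Problem 1: choose a network by SSID, then the strongest base station in it."""
    return group_by_essid(scan).get(ssid, [None])[0]

def weak_networks(scan, minimum="WPA2"):
    """Problem 3: broadcasting networks protected by less than the given standard."""
    return sorted({ssid for _, ssid, _, enc in broadcasting(scan)
                   if RANK.get(enc, 0) < RANK[minimum]})

if __name__ == "__main__":
    for ssid, bssids in group_by_essid(SCAN).items():
        print(f"{ssid}: {len(bssids)} base station(s), strongest {bssids[0]}")
    print("weaker than WPA2:", weak_networks(SCAN))
```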