In this lesson we will delve into the world of wireless networking. The most
important lessons to take away from today are the differences between wired
and wireless networking and how that impacts how we design and use our wireless
Where does wireless fit?
To understand how wireless networks differ from wired networks
(and what their similarities are) it helps to go back to our
It should be pretty obvious that the Physical Layer
will be different with wireless networks: radios instead of
wires. The important point is that the only other layer that
changes is the Link Layer, everything else is the
same. When a host is connected wirelessly, it still has an IP
address, still uses TCP and UDP, still browses the web with HTTP
and resolves hostnames with DNS. In other words:
-same Application -same-
-same- Transport -same-
-same- Internet -same-
e.g. ethernet → Link ← e.g. 802.11n
e.g. cables → Physical ← e.g. radios
WiFi / 802.11
Just as ethernet is the most common physical/link standard
for wired networks, there is a standard called 802.11 that is
the most common standard for wireless networking.
If you've seen the term "WiFi", that refers to 802.11 wireless
networking. So we will restrict our discussion of wireless
networks to 802.11 wireless networks, just as we restricted our
discussion of wired networks to ethernet.
In fact, 802.11 is a family of standards: now encompassing
802.11a, 802.11b, 802.11g, and 802.11n. The standard has
evolved fairly quickly, and the letters further down in the
alphabet are more recent (and faster!) versions.
The next version of the standard, 802.11ac, should be finalized
this year, and become mainstream in the coming years.
802.11 defines two "modes" of operation: ad hoc
Infrastructure mode is most relevant to your experience, so we'll
stick to talking about it and ignore ad hoc mode entirely.
A wireless network: The basic setup
There is some terminology associated with 802.11 wireless
So a base station with a collection of host stations is very
similar to single, isolated wired network with hosts and a
hub/switch. Just as with the wired network, the hosts must
have their IP Address and Subnet masks set.
And just as with the wired network, in order to
communicate with another host on the network, a host has to
label each packet with the MAC address of the recipient
host. And just as with a wired network, without a Gateway
Router there is no communication with other networks.
However, there are a few issues that arise with wireless
networks that we don't have with wired networks.
station: Anything with a radio that can play 802.11.
Note that 802.11 radios have MAC addresses just like ethernet
base station: The base station acts like a hub
in a wireless network. The other stations send any network
traffic to it, which it then broadcasts out for all
stations to receive. (WAP - Wireless Access Point - is more or less a synonym.)
We will refer to the other stations on the network
as host stations.
- BSS: A base station and the hosts stations that are communicating with/through
it is called a BSS (Basic Service Set). The BSS can be uniquely
identified by the MAC address of the base station (this is called
Problem 1 we don't have with wired networks
What if there are multiple
base stations within range of my radio ... which network am I on?
There is no analogous problem in a wired network. What
hub/switch you're plugged into is unambiguous.
The solution to this is to give each wireless network a name,
called it's ESSID, so that a host can identify by name
which wireless network it wants to join when multiple base
stations are within range. You may have seen a dialogue box pop
up to ask you which wireless network you want to join. If so,
what you got to choose from was a list of ESSIDs.
Problem 2 we don't have with wired networks
What if a base station's (or host's) signal strength is
insufficient to allow all the host stations I want on the
network to communicate with the base station?
In the wired world I could just grab a longer cable, but the
maximum range of a base or host's radio is pretty much set.
To solve this,
80211 allows multiple base stations to act as a single network.
So although there are different base stations, they share a
common ESSID and all host stations connected to any one of these
base stations is on the same network.
Conceptually, this works as if we had one super base station, even
if that isn't literally true, so we will continue as if there is
always one base station for a network.
Problem 3 we don't have with wired networks
We can't effectively control who transmits and receives on our
wireless network's frequency, so anyone within range can listen
in on 802.11 traffic or broadcast 802.11 traffic.
This means we can neither
This problem doesn't really exist with wired networks, because
we are so much better able to control what hosts are part of the
network (simply by controlling physical access to rooms and
equipment like switches), and because you have to be part of the
network to monitor traffic. With wireless, however, anyone near
enough to a base station can send and receive.
- control who can join our network, nor
- provide privacy from people who have not joined our
network but are none-the-less snooping (i.e. listening
to the radio traffic).
The most common solution to both these problems is
to encrypt (scramble) the data you broadcast in such a way that
only the people you want on the network can decrypt (unscramble).
To join/scamble/unscramble one needs a "key".
Will learn more about encryption later, but in this
context a bigger key means harder for outsiders to
There are three
common standards for this, from oldest (and weakest) to newest
(and strongest) they are:
WEP (Wired Equivalent Privacy), the oldest of the three
methods. This uses a weak (by today's standards) encryption method
and a 40-bit key. There are free tools and instructions for how to
listen in on a WEP protected network and crack the password. This
should not be your first choice of encryption.
WPA (Wi-Fi Protected Access), which uses the same encryption
method as WEP, but uses a stronger 128-bit key. This is certainly
stronger than WEP, but not an altogether new solution.
WPA2 (Wi-Fi Protected Access 2) is the strongest of the three
encryption methods. This uses a strong 256-bit key for the
encryption and is currently considered the best protection for
Note that this encryption (scrambling) goes on in the
Link Layer, so that all the layers above are unaware
that anything was ever encrypted (scrambled).
Joining the Internet
Finally, we'd like the host stations on our
wireless network to be able to communicate with hosts on other
networks. To do this, the base station needs to be connected
to a router — which will become the gateway router for the
host stations on the network.
- Now, when sending data to a host
outside of the network (Review: How you know when a host is outside your
network?) data is sent via radio to the base station, from there by
wire to the gateway router, and from there things work just as
before: the gateway router uses the IP address on the packet it
receives to send the packet in the direction of the recipient.
When data is sent from outside to a host station, the gateway
router for that host-station's network receives the packet.
Since the gateway is on the same network (connecting to the
base station by a wire rather than wirelessly, but still on
the same network), it associates the recipient host station's IP
address with the host-station's MAC address via its ARP table.
Then, the data is sent to the host-station, addressed by its
MAC address, via the base station. Notice that the base
station acts as a regular wired switch to the gateway router
in this example.
Note that for home use, one typically gets a single box that
acts as router, switch and WiFi base station, all at once.
How does the wireless infrastructure at USNA relate to this lesson?
You might ask how your experience with the Naval Academy's
wireless relates to what we've learned in this lesson?
First of all,
usna-wap is the ESSID of
Second of all, there are a number of base stations
spread throughout the 2nd deck of Michelson that all
belong to the same network: the network with ESSID
The network uses WPA2. You might object that WPA2
should require you to enter some (256-bit) key according
to what we learned, but that you never had to do any
Here's what's actually going on:
your initial communication with the base station
is not encrypted (scrambled) at the link layer using
WPA2, because you don't initially know the key.
However, your laptop and a server in Ward Hall
communicate about your logging on
(i.e. sending/receiving username and password)
using TLS, the same protocol that sits in between
the Application Layer and the Transport Layer
encrypting (scrambling) data to provide HTTPS
(i.e. secure web traffic).
So your PC and the authentication server go through the
logging in process, sending over the wireless
network unencrypted packets that
any snooper can see — but the contents of
those packets are scrambled by TLS. So they see the
IP address of the recipient from the packet, and
they see the data in the packet, but they can't make
sense of the data.
If your credentials (username and password) are OK, the server will send
you back the WPA2 key to use, and the rest of your
session will then be encrypted at the Link Layer
level using WPA2.
Network protocol used by your CAC.
Communication between your CAC and the CAC reader only
requires the Physical and Link layers: the protocol that is used
is ISO/IEC 7816-3. This is analogous to other
Physical/Link-layer protocols like Ethernet (IEE 802.3) and WiFi
Listening to the many 802.11 radios out there!
During class hours on the second floor of Michelson, there are
lots and lots of 802.11 radios broadcasting. It's instructive
to try out some tools that allow you to see how many are
broadcasting, hos strong their signals are, what type of
encryption they're using, and other information of that sort.
One such tool is Xirrus Wi-Fi Inspector
If you download and install and run the tool, you are presented
with a variety of options for visualizing all the Wi-Fi signals
your laptop is receiving.
If you want to try it out, my suggestion is to first click on
the "Networks" button on the "Home" tab. This shows a list of
devices, each with a unique BSSID (MAC Address), along with
their SSID's, signal strength, encryption type, etc. During
class hours on the 2nd floor of Michelson, you'll probably
want to filter out a lot of those entries. It's instructive to
try this out: right-click on the "SSID" column heading and
choose "Filter Editor". Set the filter to
SSID Does not equal <Non-broadcasted>
... to filter out everything except base stations that are
actually broadcasting an SSID — i.e. announcing their
name to the world.