Technical books often can't see the trees for the forest. Describing how the technology works takes a back seat to larger themes, and writing a book takes place on a much slower time scale than the news cycle. In the course of preparing the second edition of 802.11 Wireless Networks: The Definitive Guide, I noticed several myths that repeatedly popped up in popular wireless coverage that I'd like to debunk.
Security is the primary consideration for wireless network architects.
Security is important, but it is not the only design criteria for wireless networks. Now that most laptops come with wireless LAN interfaces, network architects need to design networks with much greater capacity than at any point in the past. Simple coverage blankets just don't cut it.
A significant fraction of early wireless networks were designed primarily as control tools. Wireless network equipment was used to build a suppression network that would disrupt unauthorized networks built by users. Once networks were built to offer service, though, a great deal of the motivation to build "rogue" networks went away.
Mobility constrains the design of your wireless network.
Mobility is an important attribute of wireless networks, but it is not a singularly dominant factor in network architecture. The past three years have seen the development of new products that can offer mobility across almost any type of network topology. Furthermore, mobility today is only important on a local basis. Network addresses must be maintained over local motion, but not necessarily globally. Many university networks have been designed as relatively loose federations. Within buildings or departments, users can maintain network addressing. Between these islands of connectivity, however, there is nothing beyond portability. (Providing true mobility in such an environment is as much a political challenge as a technical one.)
AirSnort is a major threat.
AirSnort recovers WEP keys by using the Fluhrer/Mantin/Shamir (FMS) attack. FMS is based on the use of "weak" initialization vectors (IVs) that leak information about the secret key. The most basic way to blunt AirSnort is to avoid using weak IVs. (AirSnort's
classify() function is useful here.)
Utilizing dynamic WEP keying also does a great deal to mitigate the impact of AirSnort. Weak IVs leak information about the secret key in use. When the key is changed, AirSnort (or any other analysis tool) can only perform off-line attacks with stored data. Defeating the FMS attack was a major design goal of the Temporal Key Integrity Protocol (TKIP), which uses a secret key for only one frame.
Wireless LAN security is just another flavor of remote access.
When security flaws became apparent in early wireless LAN protocols, remote access systems were used to plug the gap. Remote access architectures were a good idea at the time because they used trusted security protocols. However, they also tended to enforce a centralized network plan, and resulted in large backbone reengineering projects to cope with the limited tolerance of mobility in remote access protocols. Many universities found that professional development students needed to use remote access protocols, and mandating an alternative form of remote access was problematic. Larger universities also needed to find a deployment model that would recognize political boundaries within the organization.
802.11g protection forces all data to be transmitted at 802.11b rates.
Protection is the protocol feature the gives 802.11g compatibility with older 802.11b equipment. It does slow down 802.11g stations, but not by forcing them to use slower 802.11b data rates. When an access point activates protection, it "wraps" faster 802.11g transmissions with a slower, backwards-compatible frame. The slowdown comes from the backwards-compatibility wrapper, not a reduction in the data rate of the frame.
Related to this myth is the belief that only allowing 802.11g stations will improve the data rate of an 802.11g network by preventing slower stations from associating and triggering protection. Protection is not activated by associations, however, but by the detection of 802.11b transmissions. All it takes is one 802.11b station in the area. Given the prevalence of 802.11b in the installed base, protection will be active on most networks for the foreseeable future.
802.11g is the same as 802.11a.
Although they both sport a 54Mbps data rate, 802.11g and 802.11a are quite different specifications in practice. 802.11g will almost certainly run slower due to the overhead from protection. For network planners, the more important limit is that there are only three (allegedly) non-overlapping channels, which makes laying out a network much more difficult. In areas of overlap on the same channel, the two networks will coordinate to share radio capacity. Many client devices operate at high transmission power, and may set multiple AP coverage areas as busy. This is one situation where the higher letter doesn't make it any better.
802.11n is imminent.
Multiple-input/multiple-output (MIMO) will almost certainly drive the next dramatic increase in wireless LAN speed. Between deciding to use MIMO for the next PHY and coming up with silicon that implements a specification lies a long, hard slog. Task Group N hasn't picked a draft to start working with, and recent reports suggest that the proposal selection process may open back up at the next meeting. 802.11n will be exciting, but it is probably two years away. There is "pre-N" equipment on the market now, but there is no guarantee that it will be upgradeable to the final standard; at least when "pre-G" equipment flooded the market in 2003, there was a single specification to work from.
TKIP is a high-security protocol.
For the first several years, wireless LAN security was always the story of the next protocol. Initial flaws were dismissed as protected by WEP. More extensive analysis of WEP revealed dramatic flaws, leading to systems based on dynamic keys. Right now, the most secure protocol that is widely implemented is TKIP (perhaps better known as the encryption protocol in the Wi-Fi Alliance's WPA marketing specification). The design of TKIP is a set of "safety belts" around WEP, and it remains an open question as to how much more secure TKIP is than WEP. If you need high security, use CCMP, the AES-based algorithm. (It is often called "WPA2," after the Wi-Fi Alliance marketing term.)
802.1X is too difficult to use.
After an initial bout of skepticism, the world has moved towards 802.1X. The Interop Labs first demonstrated 802.1X interoperability with dynamic WEP in the spring of 2002. In the two subsequent years, the labs ran a test event. Dynamic WEP is now a de rigueur minimum bar for today's networks, and iLabs testing has found that interoperability for dynamic WEP is solid. Although there is a great deal of implementation flexibility with 802.1X, the thicket of EAP methods is in practice fairly narrow, with a straightforward choice for most users.
Building a wireless LAN to carry voice and data is easy, and everybody's doing it.
Combining voice and data on a single wireless LAN infrastructure is at the leading edge. Quality of service standards for wireless LANs are still developing. There's a lot of equipment that implements Spectralink's prioritization for voice, but it is limited in what it can do. End-to-end quality of service across a wireless link and wired backbone is still evolving. Getting more than eight to ten phone calls per AP is beyond the reach of the technology. Even to experiment with voice technology may require a bit of a leap of faith on security: most of the current phones on the market don't support 802.1X or any of the stronger encryption protocols, so you'll be limited to filtering MAC addresses for authentication and static WEP for encryption.
In April, 2005, O'Reilly Media, Inc., released 802.11 Wireless Networks: The Definitive Guide, 2nd Edition.
For more information, or to order the book, click here.
Matthew Gast is the director of product management at Aerohive Networks responsible for the software that powers Aerohive's networking devices.
Return to the Wireless DevCenter
Copyright © 2009 O'Reilly Media, Inc.