Mapping the 802.11 Protocol

by Matthew Gast, author of 802.11 Wireless Networks: The Definitive Guide, 2nd Edition

As part of the release of the second edition of 802.11 Wireless Networks: The Definitive Guide, I designed a visual map of the relationship between the various components of the 802.11 standard and related security standards. My learning style is visual, so I tend to draw out diagrams to fit complex relationships together. The road to the 802.11 protocol map started a two-year journey from the initial concept to the finished product.


The Beginning: Interop 2003

In May 2003, I was the instructor for the Interop Labs Wireless LAN Security Initiative, and was searching for a way to explain how all of the protocols fit together. Several protocols work together to secure the wireless link, and it is not obvious at first glance how they all fit together and work in concert. As a metaphor for how the security protocols fit together, the class (PDF) used the term "cocktail." It was initially intended in the mixed drink sense, though the analogy to a drug cocktail is also an apt metaphor.

One of the major challenges in teaching wireless LAN security two years ago was to find a way to relate all of the components together. My first effort was a single slide in the presentation, which classified protocols in two ways. In addition to the typical protocol layering on the vertical axis, there was a second classification of protocols into either authentication or encryption.

FIGURE 1. The poster slide Figure 1. The poster slide

Other engineers at the iLabs referred to the slide as "the poster slide" (see Figure 1), which was a great compliment, but I let the comment rattle around in the back of my mind. During the next few months, I tried to enhance the slide in the presentation, but computer screens are read differently from paper, and there is a limit to how dense the information can become before the text becomes too small.

Summer 2003: A Trip to London, Inspiration, and a First Draft

In the summer of 2003, I traveled to the U.K. on business. My younger brother was about to graduate from college, and I wanted to get him a present that would remind him of his college experience, yet still be unmistakably from me. I have been fortunate to spend a great deal of time professionally in London, a city that I love. To my great envy, my brother spent a quarter studying in London, which I had never been able to accomplish.

In search of his present, I visited the London Transport Museum, where I decided on a full-scale map of the London Underground. He already had a copy of the iconic stylized map known to tourists throughout the world, so I purchased a geographic map. While I was browsing at the museum store, I found Ken Garland's gem of a book about the history of the tube map, Mr. Beck's Underground Map (ISBN 1854141686). Through a detailed history complete with many original sketches, the Tube map comes to life.

At this same time, one of my major professional challenges was that link-layer security protocols based on 802.1X were quite new and were not widely understood. I experimented with several different ways to show how the protocols worked together, expanding on the Interop slide to include network traffic. After a few months of considering the major protocol features, I produced a first draft. The first draft built on the security slide by adding a third vertical silo for the 802.11 MAC and PHY, along with higher layer network protocols. (See Figure 2.)

FIGURE 2. First draft Figure 2. First draft

I was generally happy with the first draft, though there is a telltale list of things I wanted to improve upon in the lower-righthand corner. In particular, I thought the physical-layer component in the lower-lefthand corner was a mess. I was trying to show how different physical layers used different radio bands, subject to different rules in different countries. I also tried to offer detailed illustrations of how to select an authentication method by providing details on what authentication methods could be used with different types of databases.

Refining the Draft

During the summer and fall of 2003, I continued to experiment, but failed to find a satisfactory solution to the tangles that would result with the PHY and authentication, and I set the project aside. I resumed work on the second edition of 802.11 Wireless Networks: The Definitive Guide. By mid-2004, the common practice in wireless LAN security was to use 802.1X, so I dropped the higher-layer VPN technologies.

To simplify things, I cut down the organization into four major components. A single vertical silo would carry user data from higher layer protocols down through the MAC layer, and finally to the PHY. As an adjunct to the data flow, authentication traffic would feed keys to MAC-layer encryption.

The network protocol block in the first draft was solid, since its main job was to reflect the need to handle IPX and AppleTalk ARP with a different encapsulation method. Likewise, the PHY section was essentially established, though I decided to use smaller type to communicate regulatory information.

Keying information was expanded dramatically. Rather than a simple line that showed keys flowing from the RADIUS server into encryption protocols, I felt it was important to show how the newer, more secure protocols used a key hierarchy expansion. Putting the link-layer encryption in line with the data flow preserved my desire to keep it as simple as possible.

Simplification was also the key for the authentication block. Rather than try to illustrate the panoply of EAP methods specifically, I decided to focus on the inner stage of tunneling protocols. My recent interest in federated authentication also played into the draft because I decided to illustrate RADIUS proxying much more explicitly.

During a particularly grueling travel month, I sketched out each of the four blocks as I sat on planes. One Saturday morning, I put it all together. To capture the differences in type size for importance, I needed to work on a bigger canvas. Rather than use two pages out of a notebook, I used several full-size sheets of paper and took over my living room floor. Later, I pieced the results together in an image editing program.

 FIGURE 3. Second draft Figure 3. Second draft

The second draft shows how the relative size of components illustrates relative importance. (See Figure 3.) The heart of the diagram is the MAC, and there is a clear flow of network packets from top to bottom.

The Final Version

With a solid draft, the final task was to create a professional-quality product. Randy Comer at O'Reilly took on the thankless task of deciphering my handwriting and rendering the half-developed sketch into something that people might actually want to look at.

Working with Randy was slightly surreal. I had always thought of the poster in graphical terms, and having to write out textual guidelines for the relative importance of visual components that I had sized instinctively felt quite strange.

As part of the final revision, the PHY block changed one last time. Trying to keep track of which regulators allowed radio emissions in the 5GHz band, and adding document references to the rules, just looked too busy. Instead, I divided up the block into three rows for the regulators in the U.S., Europe, and Japan, in the hope that it would work like a chart. The addition of a sidebar listing the relevant standards, many worldwide regulators, and software products and open source projects finished it off. Figure 4 shows the final version.

Figure 4. Final version Click here to download the PDF. Figure 4. Final version. Click here to download the PDF.

In April, 2005, O'Reilly Media, Inc., released 802.11 Wireless Networks: The Definitive Guide, 2nd Edition.

Matthew Gast is the director of product management at Aerohive Networks responsible for the software that powers Aerohive's networking devices.

Return to the Wireless DevCenter