chan_sip.c:4270 __sip_reliable_xmit: Serious Network Trouble; __sip_xmit Returns Error For Pkt Data
8/24/2019
asterisk-users: 1.6.0.9 sip.c: 'Serious Network Trouble'??
Sean darcy, Sat, 23 May 2009 09:03:58 -0700

I'm trying to upgrade from 1.4.24.1 to 1.6.0.9 over this weekend. I have my local OpenWRT SVN (r21883) source configured with Marvell Kirkwood as the Target System for my Seagate DockStar device. The configurations use the default binutils-2.19.1 and uClibc-0.9.30.1. The compilation process runs just fine to produce an OpenWRT firmware + asterisk-1.6.x and my Seagate DockStar device has no problem booting the OpenWRT OS off an external USB partition.
Wireless Networking
Newnes Know It All Series

PIC Microcontrollers: Know It All
Lucio Di Jasio, Tim Wilmshurst, Dogan Ibrahim, John Morton, Martin Bates, Jack Smith, D.W. Smith, and Chuck Hellebuyck
ISBN: 978-0-7506-8615-0

Embedded Software: Know It All
Jean Labrosse, Jack Ganssle, Tammy Noergaard, Robert Oshana, Colin Walls, Keith Curtis, Jason Andrews, David J. Katz, Rick Gentile, Kamal Hyder, and Bob Perrin
ISBN: 978-0-7506-8583-2

Embedded Hardware: Know It All
Jack Ganssle, Tammy Noergaard, Fred Eady, Creed Huddleston, Lewin Edwards, David J. Katz, Rick Gentile, Ken Arnold, Kamal Hyder, and Bob Perrin
ISBN: 978-0-7506-8584-9

Wireless Networking: Know It All
Praphul Chandra, Daniel M. Dobkin, Alan Bensky, Ron Olexa, David A. Lide, and Farid Dowla
ISBN: 978-0-7506-8582-5

RF & Wireless Technologies: Know It All
Bruce Fette, Roberto Aiello, Praphul Chandra, Daniel M. Dobkin, Alan Bensky, Douglas Miron, David A. Lide, Farid Dowla, and Ron Olexa
ISBN: 978-0-7506-8581-8

For more information on these and other Newnes titles visit: www.newnespress.com

Wireless Networking
Praphul Chandra, Daniel M. Dobkin, Alan Bensky, Ron Olexa, David A. Lide, Farid Dowla

Newnes is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
Linacre House, Jordan Hill, Oxford OX2 8DP, UK
Cover image by iStockphoto

Copyright © 2008, Elsevier Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.
Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, E-mail: [email protected]. You may also complete your request online via the Elsevier homepage (http://elsevier.com), by selecting "Support & Contact" then "Copyright and Permission" and then "Obtaining Permissions."
Recognizing the importance of preserving what has been written, Elsevier prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
A catalogue record for this book is available from the British Library.
British Library Cataloguing-in-Publication Data
Chandra, Praphul.
Wireless networking / Praphul Chandra, Ron Olexa, Alan Bensky.
p. cm. -- (The Newnes know it all series)
Includes index.
ISBN-13: 978-0-7506-8582-5 (pbk. : alk. paper)
1. Wireless communication systems. I. Olexa, Ron. II. Bensky, Alan, 1939- III. Title.
TK5103.2.C447 2007
621.384--dc22 2007029327
ISBN: 978-0-7506-8582-5
For information on all Newnes publications visit our Web site at www.books.elsevier.com
Printed in the United States of America

Contents

About the Authors ... xi

Chapter 1. Basics of Wireless Communications ... 1
1.1 Harmonic Signals and Exponentials ... 1
1.2 Electromagnetic Waves and Multiplexing ... 5
1.3 Modulation and Bandwidth ... 9
1.4 Wireless Link Overview: Systems, Power, Noise, and Link Budgets ... 36
1.5 Capsule Summary: Chapter 1 ... 44
Further Reading ... 44

Chapter 2. Basics of Wireless Local Area Networks ... 47
2.1 Networks Large and Small ... 47
2.2 WLANs from LANs ... 50
2.3 802.11 WLANs ... 52
2.4 HiperLAN and HiperLAN 2 ... 81
2.5 From LANs to PANs ... 82
2.6 Capsule Summary: Chapter 2 ... 93
2.7 Further Reading ... 94

Chapter 3. Radio Transmitters and Receivers ... 97
3.1 Overview of Radios ... 97
3.2 Radio Components ... 104
3.3 Radio System Design ... 158
3.4 Examples of Radio Chips and Chipsets ... 165
3.5 Summary ... 177
3.6 Further Reading RFIC ... 177

Chapter 4. Radio Propagation ... 181
4.1 Mechanisms of Radio Wave Propagation ... 181
4.2 Open Field Propagation ... 183
4.3 Diffraction ... 185
4.4 Scattering ... 186
4.5 Path Loss ... 187
4.6 Multipath Phenomena ... 189
4.7 Flat Fading ... 190
4.8 Diversity Techniques ... 192
4.9 Noise ... 196
4.10 Summary ... 198
References ... 199

Chapter 5. Antennas and Transmission Lines ... 201
5.1 Introduction ... 201
5.2 Antenna Characteristics ... 201
5.3 Types of Antennas ... 206
5.4 Impedance Matching ... 212
5.5 Measuring Techniques ... 223
5.6 Summary ... 226
References ... 227

Chapter 6. Communication Protocols and Modulation ... 229
6.1 Baseband Data Format and Protocol ... 229
6.2 Baseband Coding ... 237
6.3 RF Frequency and Bandwidth ... 241
6.4 Modulation ... 243
6.5 RFID ... 261
6.6 Summary ... 262
References ... 262

Chapter 7. High-Speed Wireless Data: System Types, Standards-Based and Proprietary Solutions ... 263
7.1 Fixed Networks ... 263
7.2 Nomadic Networks ... 264
7.3 Mobile Networks ... 265
7.4 Standards-Based Solutions and Proprietary Solutions ... 266
7.5 Overview of the IEEE 802.11 Standard ... 266
7.6 Overview of the IEEE 802.16 Standard ... 271
7.7 10–66 GHz Technical Standards ... 273
7.8 2–11 GHz Standards ... 274
7.9 Overview of the IEEE 802.20 Standard ... 274
7.10 Proprietary Solutions ... 275

Chapter 8. Propagation Modeling and Measuring ... 285
8.1 Predictive Modeling Tools ... 285
8.2 Spreadsheet Models ... 286
8.3 Terrain-Based Models ... 287
8.4 Effectively Using a Propagation Analysis Program ... 287
8.5 Using a Predictive Model ... 291
8.6 The Comprehensive Site Survey Process ... 295
8.7 Survey Activity Outline ... 296
8.8 Identification of Requirements ... 298
8.9 Identification of Equipment Requirements ... 299
8.10 The Physical Site Survey ... 300
8.11 Determination of Antenna Locations ... 301
8.12 RF Site Survey Tools ... 303
8.13 The Site Survey Checklist ... 305
8.14 The RF Survey ... 305
8.15 Data Analysis ... 308

Chapter 9. Indoor Networks ... 313
9.1 Behind Closed Doors ... 313
9.2 How Buildings Are Built (with W. Charles Perry, P.E.) ... 313
9.3 Microwave Properties of Building Materials ... 323
9.4 Realistic Metal Obstacles ... 331
9.5 Real Indoor Propagation ... 333
9.6 How Much Is Enough? ... 341
9.7 Indoor Interferers ... 343
9.8 Tools for Indoor Networks ... 351
9.9 Summary ... 356
Further Reading ... 357

Chapter 10. Security in Wireless Local Area Networks ... 361
10.1 Introduction ... 361
10.2 Key Establishment in 802.11 ... 362
10.3 Anonymity in 802.11 ... 363
10.4 Authentication in 802.11 ... 364
10.5 Confidentiality in 802.11 ... 370
10.6 Data Integrity in 802.11 ... 374
10.7 Loopholes in 802.11 Security ... 376
10.8 WPA ... 377
10.9 WPA2 (802.11i) ... 390

Chapter 11. Voice Over Wi-Fi and Other Wireless Technologies ... 397
11.1 Introduction ... 397
11.2 Ongoing 802.11 Standard Work ... 397
11.3 Wi-Fi and Cellular Networks ... 402
11.4 WiMax ... 412
11.5 VoWi-Fi and Bluetooth ... 413
11.6 VoWi-Fi and DECT ... 418
11.7 VoWi-Fi and Other Ongoing 802.x Wireless Projects ... 419
11.8 Conclusion ... 421
References ... 421

Chapter 12. Mobile Ad Hoc Networks ... 423
12.1 Physical Layer and MAC ... 425
12.2 Routing in Ad Hoc Networks ... 437
12.3 Conclusion ... 448
References ... 449

Chapter 13. Wireless Sensor Networks ... 455
13.1 Applications ... 455
13.2 Plant Network Layouts ... 456
13.3 Plant Network Architecture ... 458
13.4 Sensor Subnet Selection ... 458
13.5 Functional Requirements ... 459
13.6 Technical Tradeoffs and Issues ... 461
13.7 Conclusion ... 467
References ... 467

Chapter 14. Reliable Wireless Networks for Industrial Applications ... 469
14.1 Benefits of Using Wireless ... 469
14.2 Issues in Deploying Wireless Systems ... 470
14.3 Wireless Formats ... 473
14.4 Wireless Mesh Networks ... 474
14.5 Industrial Applications of Wireless Mesh Networks ... 476
14.6 Case Study: Water Treatment ... 478
14.7 Conclusion ... 479

Chapter 15. Applications and Technologies ... 481
15.1 Wireless Local Area Networks (WLAN) ... 481
15.2 Bluetooth ... 502
15.3 Zigbee ... 510
15.4 Conflict and Compatibility ... 516
15.5 Ultra-wideband Technology ... 521
15.6 Summary ... 525
References ... 526

Chapter 16. System Planning ... 527
16.1 System Design Overview ... 527
16.2 Location and Real Estate Considerations ... 528
16.3 System Selection Based Upon User Needs ... 532
16.4 Identification of Equipment Requirements ... 534
16.5 Identification of Equipment Locations ... 536
16.6 Channel Allocation, Signal-to-Interference, and Reuse Planning ... 543
16.7 Network Interconnect and Point-to-Point Radio Solutions ... 547
16.8 Costs ... 550
16.9 The Five C's of System Planning ... 550

Index ... 553

About the Authors

Alan Bensky, MScEE (Chapters 4, 5, 6, and 15), is an electronics engineering consultant with over 25 years of experience in analog and digital design, management, and marketing. Specializing in wireless circuits and systems, Bensky has carried out projects for varied military and consumer applications. He is the author of Short-range Wireless Communication, Second Edition, published by Elsevier, 2004, and has written several articles in international and local publications. He has taught courses and gives lectures on radio engineering topics. Bensky is a senior member of IEEE.
Praphul Chandra (Chapters 10 and 11) works as a Research Scientist at HP Labs, India in the Access Devices Group. He joined HP Labs in April 2006. Prior to joining HP he was a senior design engineer at Texas Instruments (USA) where he worked on Voice over IP with specific focus on Wireless Local Area Networks. He is the author of two books – Bulletproof Wireless Security and Wi-Fi Telephony: Challenges and Solutions for Voice over WLANs. He is an Electrical Engineer by training, though his interest in social science and politics has prompted him to concurrently explore the field of Public Policy. He maintains his personal website at www.thecofi.net.

Daniel M. Dobkin (Chapters 1, 2, 3, and 9) is the author of RF Engineering for Wireless Networks. He has been involved in the design, fabrication, and characterization of devices and systems used in microwave wireless communications for over two decades. He is currently an independent consultant involved in research and teaching related to RFID and other fields in communications. He has taught numerous introductory short courses in RFID technology in the US and Singapore. Dr. Dobkin received his Ph.D. degree from Stanford University in 1985 and his B.S. from the California Institute of Technology in 1976. He is the author of about 30 technical publications, inventor or co-inventor of six U.S. patents, and has written two technical books: Principles of Chemical Vapor Deposition with Michael Zuraw and RF Engineering for Wireless Networks.

Farid Dowla (Chapters 12, 13, and 14) is the editor of Handbook of RF & Wireless Technologies. Dowla received his BS, MS, and PhD in electrical engineering from the Massachusetts Institute of Technology. He joined Lawrence Livermore National Laboratory shortly after receiving his doctorate in 1985. His research interests include adaptive filters, signal processing, wireless communication systems, and RF/mobile communication. He currently directs a research team focused on ultra-wideband RF radar and communication systems. Dowla is also an adjunct associate professor of electrical engineering at the University of California at Davis. He is a member of the Institute of Electrical and Electronics Engineers (IEEE) and Sigma Xi. He holds three patents in the signal processing area, has authored a book on neural networks for the U.S. Department of Defense, and has edited a book on geophysical signal processing. He contributes to numerous IEEE and professional journals and is a frequent seminar participant at professional conferences.

David A. Lide (Chapter 11) is the author of Wi-Fi Telephony. He currently is a Senior Member of the Technical Staff at Texas Instruments and has worked on various aspects of Voice over IP for the past nine years. Prior to that, he has worked on Cable Modem design and on weather satellite ground systems. He lives with his family in Rockville, Maryland.

Michael R. Moore (Chapter 13) was a contributor to Handbook of RF & Wireless Technologies. He is a research and development engineer in the Engineering and Science Technology Division at Oak Ridge National Laboratory. He holds a BS and MS in electrical engineering from Mississippi State University in Starkville, Miss. His current research expertise includes 16 years in RF instrumentation, health effects, and communications. He has several years of experience in shielding, generating, and modeling electromagnetic fields and their effects. He is an active member of the IEEE SCC28 committee on the biological effects of RF and the IEEE 1451 committee on sensor networking. He currently directs several projects dealing with software radio technologies, specializing in spread-spectrum receivers, and is a communications analyst for the Army's Future Combat Systems (FCS) network, focusing on system issues, network vulnerability, and combat identification. He has several patents and patents pending in the area of wireless communications.

Asis Nasipuri (Chapter 12) was a contributor to Handbook of RF & Wireless Technologies. He is a professor in the department of electrical and computer engineering at the University of North Carolina at Charlotte. He received his BS in electronics and electrical communication engineering from the Indian Institute of Technology in Kharagpur, India in 1987 and his MS and PhD in electrical and computer engineering from the University of Massachusetts at Amherst in 1990 and 1993, respectively. He then joined the Indian Institute of Technology at Kharagpur, India as a faculty member in the Department of Electronics and Electrical Communication Engineering. From 1998 to 2000, he served as a visiting researcher in the Department of Computer Science at the University of Texas at San Antonio. Since 2000, he has been at UNC-Charlotte as an assistant professor of electrical and computer engineering. Nasipuri's research interests include mobile ad hoc and sensor networks, wireless communications, and statistical signal processing. He has published more than 20 research articles on these topics.

Ron Olexa (Chapters 7, 8, and 16) is the author of Implementing 802.11, 802.16, and 802.20 Wireless Networks. He is currently President of Horizon Wi-Com, a wireless carrier providing WiMax service to major markets in the Northeast US. He is also the owner of Wireless Implementation LLC, a consulting company that has provided technical support and business planning guidance to projects as diverse as satellite communications systems, cellular network deployments, and WiMax and 802.11 hotspot and hotzone implementations. He has previously been CTO at Advanced Radio Telecom and Dialcall, COO of Superconducting Core Technologies, and has held various senior management positions in large wireless communications companies over his 30-year career.
Robert Poor (Chapter 14) was a contributor to Handbook of RF & Wireless Technologies. He is chief technology officer for Ember Corporation in Boston.

CHAPTER 1
Basics of Wireless Communications
Daniel M. Dobkin

1.1 Harmonic Signals and Exponentials

Before we begin to talk about wireless, we briefly remind the reader of a previous acquaintance with three concepts that are ubiquitous in radio engineering: sinusoidal signals, complex numbers, and imaginary exponentials. The reader who is familiar with such matters can skip this section without harm.

Almost everything in radio is done by making tiny changes—modulations—of a signal that is periodic in time. The archetype of a smooth periodic signal is the sinusoid (Figure 1.1), typically written as a cosine or sine whose argument is the product of the angular frequency ω and time t. Both of these functions alternate between a maximum value of 1 and a minimum value of −1; cosine starts at +1, and sine starts at 0, when the argument is zero. We can see that cosines and sines are identical except for an offset in the argument (the phase):

$$\cos(\omega t) = \sin\!\left(\omega t + \frac{\pi}{2}\right) \qquad (1.1)$$

Figure 1.1: Cosine and Sine Functions (cos(ωt) and sin(ωt) plotted against time, with ω = 2πf and period = 1/f)

We say that the sine lags the cosine by 90 degrees. (Note that here, following common practice, we write angles in radians but often speak of them in degrees.) The cosine and sine are periodic with a period (1/f), where f = ω/2π is the frequency in cycles per second or hertz.

Let us now digress briefly to discuss complex numbers, for reasons that will become clear in a page or two. Imaginary numbers, the reader will recall, are introduced to provide square roots of negative reals; the unit is i = √(−1). A complex number is the sum of a real number and an imaginary number, often written as, for example, z = a + bi.
Electrical engineers often use j instead of i, so as to use i to represent an AC; we shall, however, adhere to the convention used in physics and mathematics. The complex conjugate z* is found by changing the sign of the imaginary part: z* 0004 a 0003 bi. Complex numbers can be depicted in a plane by using the real part as the coordinate on the x- (real) axis, and the imaginary part for the y- (imaginary) axis (Figure 1.2). Operations on complex numbers proceed more or less the same way as they do in algebra, save that one must remember to keep track of the real and imaginary parts. Thus, the sum of two complex numbers can be constructed algebraically by (a 0002 bi) 0002 (c 0002 di) 0004 [a 0002 c] 0002 [b 0002 d]i (1.2) and geometrically by regarding the two numbers as vectors forming two sides of a parallelogram, the diagonal of which is their sum (Figure 1.3). Imaginary axis Complex plane 200023i 3i 2i i 1 2 3 Real axis Figure 1.2: Complex Number Depicted as a Vector in the Plane Multiplication can be treated in a similar fashion, but it is much simpler to envision if we first define the length (also known as the modulus) and angle of a complex number. We define a complex number of length 1 and angle θ to be equal to an exponential with an imaginary www. ne w n e s p res s .c o m Basics of Wireless Communications 3 Imaginary axis Addition a0002 b0004 200024 i b00041 00023 i a 00041 0002i Real axis Figure 1.3: Addition of Complex Numbers Exponential Unit circle (radius 00041) Imaginary axis argument equal to the angle (Figure 1.4). Any complex number (e.g., b in Figure 1.4) can then be represented as the product of the modulus and an imaginary exponential whose argument is equal to the angle of the complex number in radians. 
Figure 1.4: Imaginary Exponentials and Complex Numbers (unit circle of radius 1; e^{i1.1} lies on it at an angle of 1.1 radians; b = 1 + 2i = 2.2e^{i1.1})

By writing a complex number as an exponential, multiplication of complex numbers becomes simple, once we recall that the product of two exponentials is an exponential with the sum of the arguments:

$(e^{a}) \cdot (e^{b}) = e^{[a + b]}$ (1.3)

The product of two complex numbers is then constructed by multiplying their moduli and adding their angles (Figure 1.5).

$(\rho_1 e^{i\theta_1}) \cdot (\rho_2 e^{i\theta_2}) = [\rho_1 \rho_2]\, e^{i[\theta_1 + \theta_2]}$ (1.4)

Figure 1.5: Multiplication of Complex Numbers (a = 1 + i = 1.4e^{i(0.8)}, b = 1 + 2i = 2.2e^{i(1.1)}, a·b = −1 + 3i = 3.2e^{i(1.9)}: multiply lengths, add angles)

We took the trouble to introduce all these unreal quantities because they provide a particularly convenient way to represent harmonic signals. Because the x- and y-components of a unit vector at angle θ are just the cosine and sine, respectively, of the angle, our definition of an exponential with imaginary argument implies

$e^{i\theta} = \cos(\theta) + i \sin(\theta)$ (1.5)

Thus, if we use for the angle a linear function of time, we obtain a very general but simultaneously compact expression for a harmonic signal:

$e^{i(\omega t + \phi)} = \cos(\omega t + \phi) + i \sin(\omega t + \phi) = [\cos(\omega t) + i \sin(\omega t)] \cdot [\cos(\phi) + i \sin(\phi)]$ (1.6)

In this notation, the signal may be imagined as a vector of constant length rotating in time, with its projections on the real and imaginary axes forming the familiar sines and cosines (Figure 1.6). The phase offset φ represents the angle of the vector at t = 0. In some cases we wish to use an exponential as an intermediate calculation tool to simplify phase shifts and other operations, converting to a real-valued function at the end by either simply taking only the real part or adding together exponentials of positive and negative frequency.
(The reader may wish to verify, using equations [1.5] and [1.6], that the sum of exponentials of positive and negative frequencies forms a purely real or purely imaginary sinusoid.) However, in radio practice, a real harmonic signal cos(ωt + φ) may also be regarded as being the product of a real carrier cos(ωt) and a complex number I + iQ = [cos(φ) − i sin(φ)]/2, where the imaginary part is obtained through multiplication with sin(ωt) followed by filtering. (Here I and Q denote "in-phase" and "quadrature," that is, 90 degrees out of phase, respectively.) We'll have more to say about the uses of such decompositions when we discuss radios in Chapter 3.

Figure 1.6: An Imaginary Exponential Can Represent Sinusoidal Voltages or Currents (the rotating vector re^{iωt} projects onto cos(ωt) and sin(ωt) as functions of time)

Finally, we note one other uniquely convenient feature of exponentials: differentiation and integration of an exponential with a linear argument simply multiply the original function by the constant slope of the argument:

$\frac{d}{dx}\left(e^{ax}\right) = a\,e^{ax} \qquad \int e^{ax}\,dx = \frac{1}{a}\,e^{ax}$ (1.7)

1.2 Electromagnetic Waves and Multiplexing

Now that we are armed with the requisite tools, let us turn our attention to the main topic of our discussion: the use of electromagnetic waves to carry information. An electric current element J at some location [1] induces a potential A at other remote locations, such as [2]. If the current is harmonic in time, the induced potential is as well. The situation is depicted in Figure 1.7. The magnitude of the induced potential falls inversely as the distance and shifts in phase relative to the phase of the current. (The reader may wish to verify that the time dependence of A is equivalent to a delay by r/c.)
The induced potential in turn may affect the flow of electric current at position [2], so that by changing a current J[1] we create a delayed and attenuated but still detectable change in current J[2]: we can potentially communicate between remote locations by using the effects of the electromagnetic disturbance A.

In principle, every current induces a potential at every location. It is this universality of electromagnetic induction that leads to a major problem in using electromagnetic waves in communications. The potential at our receiver, A, can be regarded as a medium of communications that is shared by every possible transmitter J. How do we detect only the signal we are interested in? The sharing of a communications channel by multiple users is known as multiplexing. There are a number of methods to successfully locate the signals we wish to receive and reject others.

Figure 1.7: A Harmonic Current at [1] Induces a Harmonic Potential at [2] (a current element Je^{iωt} at distance r induces $A = \frac{\mu_0 J e^{-ikr}}{4\pi r} e^{i\omega t}$, with $k = \omega\sqrt{\mu\epsilon} = \omega/c$, ω = 2πf, μ0 = 4π × 10^−7 henry/meter, ε0 = 8.86 × 10^−12 farad/meter)

A few important examples are the following:

• Frequency-division multiplexing: only receive signals with a given periodicity and shape (sinusoidal, of course).
• Spatial multiplexing: limit signals to a specific geographical area. Recall that induced potentials fall off as (1/distance) in the ideal case, and in practice attenuation of a signal with distance is often more rapid due to obstacles of various kinds. Thus, by appropriate choice of signal power, location, and sensitivity, one can arrange to receive only nearby signals.
• Time-division multiplexing: limit signals to a specific set of time slots. By appropriate coordination of transmitter and receiver, only the contents of the desired time slot will be received.
• Directional multiplexing: only listen to signals arriving from a specific angle. This trick may be managed with the aid of antennas of high directivity.
• Code-division multiplexing: only listen to signals multiplied by a specific code. Rather in the fashion that we can listen to a friend's remarks even in a crowded and noisy room, in code-division multiplexing we select a signal by the pattern it obeys. In practice, just as in conversation, to play such a trick it is necessary that the desired signal be at least approximately equal to other undesired signals in amplitude or power, so that it is not drowned out before we have a chance to apply our pattern-matching template.

In real communications systems, some or all of these techniques may be used simultaneously, but almost every modern wireless system begins with frequency-division multiplexing by transmitting its signals only within a certain frequency band. (We briefly examine the major exception to this rule, ultrawideband communications, in section 1.5.) We are so accustomed to this approach that we often forget how remarkable it is: the radio antenna that provides us with music or sports commentary at 105 MHz is also exposed to AM signals at hundreds to around a thousand kHz, broadcast television at various frequencies between 50 and 800 MHz, aeronautical communications at 108–136 MHz, public safety communications at 450 MHz, cellular telephony at 880 and 1940 MHz, and cordless telephones, wireless local area networks (WLANs), and microwave ovens in the 2400-MHz band, to name just a few. All these signals can coexist harmoniously because different frequencies are orthogonal. That is, let us choose a particular frequency, say ωc, that we wish to receive.
To extract only the part of an incoming signal that is at the desired frequency, we multiply the incoming unknown signal s(t) by a sine or cosine (or more generally by an exponential) at the wanted frequency ωc and add up the result for some time—that is, we integrate over a time interval T, presumed long compared with the periodicity 1/f (equation [1.8]). The reader may recognize in equation [1.8] the Fourier cosine transform of the signal s over a finite domain. A similar equation may be written for the sine, or the two can be combined using an imaginary exponential.

$\tilde{S}(\omega_c) = \frac{1}{T}\int_0^T s(t)\cos(\omega_c t)\,dt$ (1.8)

If s(t) is another signal at the same frequency, the integral will wiggle a bit over each cycle but accumulate over time (Figure 1.8). On the other hand, if the unknown signal is at a different frequency, say (ωc + δ), the test and unknown signals may initially be in phase, producing a positive product, but over the course of some time they will drift out of phase, and the product will change sign (Figure 1.9). Thus, the integral will no longer accumulate monotonically, at least over times long compared with the difference period (1/δ) (Figure 1.10); when we divide by T and allow T to become large, the value of S̃(ωc) will approach zero.

Figure 1.8: Unknown Signal at the Same Frequency as Wanted Signal (for f(signal) = f(test), the integral $\int_0^T \cos(\omega_c t)\cos(\omega_c t)\,dt$ grows with time)
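As an added numerical check (not part of the book), the following Python evaluates the correlation integral of equation (1.8) for the cases just argued: a signal at the wanted frequency, a signal offset by δ, and a small wanted signal beside a large interferer at 5f (the filtering case of Figure 1.11, recovered through the I/Q form from section 1.1); it also runs the same test on a sinusoidally modulated carrier, which anticipates the sideband result of section 1.3.1. The 1-Hz carrier, the amplitudes, the phase and the integration times are constructed values chosen so that the averages come out exactly.

```python
import math

# Added example (not from the book): evaluates the correlation integral of
# equation (1.8) numerically. All frequencies, amplitudes and integration
# times are constructed; time is in seconds and the carrier is a 1-Hz tone.

F_C = 1.0                    # carrier frequency f_c in hertz (constructed)
W_C = 2.0 * math.pi * F_C    # angular frequency omega_c = 2*pi*f_c


def correlate(s, w_test, T, n=20000):
    """Equation (1.8) and its sine (quadrature) companion:
         I = (1/T) * integral_0^T s(t) cos(w_test t) dt
         Q = (1/T) * integral_0^T s(t) sin(w_test t) dt
    evaluated with a midpoint Riemann sum of n steps."""
    dt = T / n
    i_acc = 0.0
    q_acc = 0.0
    for k in range(n):
        t = (k + 0.5) * dt
        v = s(t)
        i_acc += v * math.cos(w_test * t)
        q_acc += v * math.sin(w_test * t)
    return i_acc * dt / T, q_acc * dt / T


def same_frequency_average(T):
    """Unknown signal at the wanted frequency: the integral keeps
    accumulating, so the average settles at 1/2 (Figure 1.8)."""
    i, _ = correlate(lambda t: math.cos(W_C * t), W_C, T)
    return i


def offset_frequency_average(delta_hz, T):
    """Unknown signal at f_c + delta: in-phase and out-of-phase stretches
    cancel, so the average tends to zero as T grows (Figures 1.9, 1.10)."""
    w = 2.0 * math.pi * (F_C + delta_hz)
    i, _ = correlate(lambda t: math.cos(w * t), W_C, T)
    return i


def recover_wanted_signal(amplitude, phase, interferer_amplitude, T):
    """Figure 1.11: a small wanted signal a*cos(w_c t + phi) is received
    together with a large interferer at 5 f_c. Correlating with cos and
    sin gives I + iQ = a[cos(phi) - i sin(phi)]/2, so amplitude and
    phase of the wanted signal are recovered despite the interferer."""
    def received(t):
        return (amplitude * math.cos(W_C * t + phase)
                + interferer_amplitude * math.cos(5.0 * W_C * t))
    i, q = correlate(received, W_C, T)
    est_amplitude = 2.0 * math.hypot(i, q)
    est_phase = math.atan2(-q, i)
    return est_amplitude, est_phase


def modulated_response(f_m, delta_hz, T):
    """Section 1.3.1 case m(t) = cos(w_m t): correlate the modulated
    carrier m(t) cos(w_c t) against a test tone at f_c + delta. The
    response is 1/4 when |delta| = f_m (a sideband) and 0 elsewhere,
    including at the carrier itself, because cos(w_m t) averages to zero."""
    w_m = 2.0 * math.pi * f_m
    w_test = 2.0 * math.pi * (F_C + delta_hz)
    i, _ = correlate(lambda t: math.cos(w_m * t) * math.cos(W_C * t), w_test, T)
    return i


if __name__ == "__main__":
    T = 20.0   # 20 carrier periods (constructed integration time)
    print("same frequency      :", round(same_frequency_average(T), 4))
    print("offset by 0.07 Hz   :", round(offset_frequency_average(0.07, 30.0), 4))
    a, p = recover_wanted_signal(0.3, 0.6, 1.0, T)
    print("recovered amplitude :", round(a, 4), "phase:", round(p, 4))
    for d in (0.0, 0.1, -0.1, 0.2):
        print("modulated, delta=%+.1f Hz:" % d, round(modulated_response(0.1, d, T), 4))
```

Integration times that are whole numbers of carrier periods make the 2ωc ripple terms vanish exactly; with a non-commensurate T the offset-frequency average is small but not zero, which is the "wiggle" of Figure 1.10.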
Figure 1.9: Two Signals at Different Frequencies Do Not Remain in Phase (cos([ωc + δ]t) and cos(ωc t) alternate between in-phase and out-of-phase stretches)

Figure 1.10: Unknown Signal at a Different Frequency from Wanted Signal (for f(signal) ≠ f(test), the integral $\int_0^T \cos(\omega_c t)\cos([\omega_c + \delta]t)\,dt$ oscillates, so after a long time the f(signal) = f(test) integral is much larger than the f(signal) ≠ f(test) integral)

Any signal that is periodic in time can be regarded as being composed of sinusoids of differing frequencies: in more formal terms we can describe a signal either as a function of time or as a function of frequency by taking its Fourier transform (i.e., by performing the integration [1.8] for each frequency ωc of interest). The orthogonality of those differing frequencies makes it possible to extract the signal we want from a complex mess, even when the wanted signal is small compared with the other stuff. This operation is known generally as filtering. A simple example is shown in Figure 1.11. It is generally very easy when the frequencies are widely separated, as in Figure 1.11, but becomes more difficult when frequencies close to the wanted frequency must be rejected. We examine some of the means to accomplish this task for WLAN radios in Chapter 3.

Figure 1.11: Extraction of a Wanted Signal in the Presence of a Large Unwanted Signal (as received: a small wanted signal at f and a large interfering signal at 5f; after filtering and amplification: the low-frequency component alone)

1.3 Modulation and Bandwidth

1.3.1 Simple Modulations

So far the situation appears to be quite rosy.
It would appear that one could communicate successfully in the presence of an unlimited number of other signals merely by choosing the appropriate frequency. Not surprisingly, things are not so simple: a single-frequency signal that is always on at the same phase and amplitude conveys no information. To actually transmit data, some aspect of our sinusoidal signal must change with time: the signal must be modulated. We can often treat the modulation as a slowly varying function of time (slow being measured relative to the carrier frequency) multiplying the original signal:

$f(t) = m(t)\cos(\omega_c t)$ (1.9)

where m(t) is the "slowly" varying modulation function and cos(ωc t) is the sinusoidal vibration at the carrier frequency.

A simple example of a modulated signal may be obtained by turning the carrier on and off to denote, for example, 1 and 0, respectively: that is, m(t) = 1 or 0. This approach is known as on–off keying or OOK (Figure 1.12). OOK is no longer widely used in wireless communications, but this simple modulation technique is still common in fiber optic signaling.

Figure 1.12: Modulation by Turning the Carrier On or Off (m(t) = 0 or 1; modulated signal f(t) = m(t)cos(ωc t))

A key consequence of imposing modulation on a signal at a frequency ωc is the inevitable appearance of components of the signal at different frequencies from that of the original carrier. The perfect orthogonality of every unique frequency present in the case of unmodulated signals is lost when we actually transmit data. Let us examine how this comes about for the particularly simple case of a sinusoidal modulation, m = cos(ωm t). Recall that the orthogonality of two different frequencies arose because contributions to the average from periods when the two signals are in phase are canceled by the periods when the signals are out of phase (Figure 1.9).
However, the modulated signal is turned off during the periods when it is out of phase with the test signal at the different frequency (ωc + δ), so the contribution from these periods no longer cancels the in-phase part (Figure 1.13). The modulated carrier at (ωc) is now detected by a filter at frequency (ωc + δ). The astute reader will have observed that this frustration of cancellation will only occur when the frequency offset δ is chosen so as to ensure that only the out-of-phase periods are suppressed. In the case of a periodic modulation, the offset must obviously be chosen to coincide with the frequency of the modulation: |δ| = ωm. In frequency space, a modulated carrier at frequency fc acquires power at sidebands displaced from the carrier by the frequency of the modulation (Figure 1.14). In the case of a general modulating signal m(t), with Fourier transform M(ω), it can be shown that the effect of modulation is to translate the spectrum of the modulating or baseband signal up to the carrier frequency (Figure 1.15). We can now see that

Figure 9.2: A Segment of a Tilt-Up Concrete Exterior Wall Panel

The lowest floor of the building is often laid directly on top of a concrete slab foundation. Beams that provide strength for the intermediate floors are themselves supported by ledges built into the tilt-up panels and by saddles attaching them to interior support columns (Figure 9.3).

Figure 9.3: Intermediate Floors Are Supported at the External Walls and Internal Columns

The floor beams for small buildings are generally wood or wood laminates, nominally 4 × 12 inches (10 × 30 cm) in cross-section, though slightly smaller in actual dimensions.
The intermediate floors are typically constructed of panels that rest on the floor beams (Figure 9.4). Each panel is built of plywood (thin layers of wood laminated together with misoriented grain for improved strength), with intermediate nominal 2 × 4-inch wood support members (joists), hanging from metal joist hangers, between the main floor beams providing local support. The plywood floor may optionally be covered with a thin coating of lightweight concrete, typically reinforced with a coarse wire grid.

Figure 9.4: Intermediate Floor and Structures Supported by the Floor

Intermediate floors form the ceiling of the story below them, but rarely is this fact visible. A false ceiling, often constructed of pressed cellulose (i.e., paper) about 2–3 cm thick, is generally hung from metal T-bar supports attached to the floor beams to provide an aesthetically pleasing interior. These cellulose panels are easily popped out of their support frames to provide access to the space above. Between the false ceiling and the intermediate floor one will often find metal ductwork that provides heating, ventilation, and air conditioning services for the interior of the building. These ducts are typically constructed of thin sheet steel, though plastic ducting may also be encountered. Both round and rectangular cross-sections are used, and sizes vary from around 10 inches (25 cm) to 30–40 inches (around 1 m). The ducts may be wrapped with fiberglass or other thermal insulation materials.
The author has found that these ducts are not always particularly close to where building plans say they are supposed to be; if in doubt, it is a good practice to pop out the ceiling panels and look. Fluorescent lighting panels, typically sheet metal boxes 0.5–2 m wide and 1–3 m long, also hang from the floor beams.

An alternative approach to construction of intermediate floors, with important consequences for microwave propagation, uses a thin corrugated steel deck covered with poured concrete to form the floor surface (Figure 9.5). Open-web steel joists may be used in this case instead of wooden joists, though the beams are still often wood laminates. As we discuss in section 3, conventional plywood/concrete floors cause a modest microwave loss (5–10 dB), whereas a corrugated steel floor in a low-rise building is a very effective shield, such that propagation between floors can be considered negligible. Thus, the type of floor used in a building is an important factor in determining whether neighboring floors represent common or distinct network coverage areas.

Figure 9.5: Corrugated Steel Intermediate Floor Construction

Interior shear (load-bearing) walls, if present, are typically constructed in the same fashion as exterior walls, using tilt-up concrete or hand-laid reinforced masonry. Interior partition walls are generally formed using gypsum (calcium sulfate dihydrate, CaSO4·2H2O) wall boards assembled onto sheet-metal studs (Figure 9.6). Gypsum is popular because it is inexpensive, not readily flammable, and releases moisture upon heating. The gypsum is generally laminated with a paper covering, and the wall board is usually painted or covered with patterned paper for aesthetic reasons.
Studs are a few centimeters across and laid at 0.4-m (16-inch) intervals, so that they provide some scattering but little impediment to propagation at ISM or Unlicensed National Information Infrastructure (UNII) bands. Interior walls may be insulated with fiberglass or similar material, typically wrapped in a paper cover. The paper can be coated with a layer of vacuum-deposited aluminum or aluminum foil; roof insulation is always aluminized, but the use of aluminized insulation for exterior walls is less frequent and is optional for interior walls. The thickness of the aluminum appears to vary from about 6 mm (deposited film) to as much as 50 mm (foil).

Figure 9.6: Interior Wall Construction, Commercial Buildings

Roof construction is similar to intermediate floor construction (Figure 9.7). Wooden-laminate beams and joists support plywood roof panels, on which is laid a waterproof covering. The latter is typically composed of a layer of protective felt covered with tar-and-gravel-treated paper in commercial construction, though conventional shingled roofs using asphalt, tile, or ceramic-coated steel shingles may also be encountered. Conduits and ducting for heating, venting, and air conditioning may be suspended from the roof in the manner used for lower floors. Roofs are almost always thermally insulated, and aluminized insulation is generally used.

Figure 9.7: Roof Construction, Low-Rise Commercial Buildings

9.2.3 Mid-Rise and High-Rise Commercial Construction

Buildings taller than three floors rarely rely on load-bearing external or internal walls.
Instead, structural integrity is provided by a frame composed of welded or bolted steel girders (Figure 9.8). In some structures, reinforced concrete columns are used instead of or in addition to steel framing. A shear tower made of reinforced concrete is often present at or near the center of the building, providing key services such as plumbing access, electrical services, and the elevator shafts and stairways that allow user access. The shear tower provides a relatively fireproof and mechanically robust escape path in the case of emergency. Because the external walls are no longer load bearing, a wide variety of materials may be used in their construction. Interior construction techniques and finishings are generally similar to those used on low-rise buildings; intermediate floor construction is also similar to that described in section 2.2.

Figure 9.8: Steel-Framed Mid-Rise Construction (3–15 Stories)

Very tall buildings—skyscrapers—use elaborations of the steel framing approach used in mid-rise construction (Figure 9.9). Very large steel beams greater than 1 m in extent are required at the base of large structures, tapering to a more modest size at the top. Beams in large buildings are always provided with fire protection, either using gypsum or concrete sheathing. Concrete columns, formed from high-density concrete poured around a core of steel reinforcing bars wrapped in a steel confinement structure, are used instead of steel I-beams in some structures.
Interior partitions and intermediate floor construction are similar to those used in low- and mid-rise buildings. Exterior walls of tall buildings are often dominated by glass window area. The glass is often coated (glazed) to control insolation and consequent heating of the building interior. A wide variety of films is used. Commonly encountered materials are zinc oxide (ZnO, an insulator), tin oxide (SnO2, a semiconductor with typical conductivity of around 3–10 mΩ-m or 300–1000 mΩ-cm), Ag, Ti, silicon nitride (Si3N4, an insulator), porous silicon dioxide (SiO2, also an electrical insulator), titanium nitride (TiN, a fair conductor similar to tin oxide), stainless steel, and titanium dioxide (TiO2, a good insulator). An example coating structure uses 40-nm (400 Å) layers of tin oxide separated by 10-nm layers of silver; thus, the whole structure is less than 140 nm (0.14 μm) thick, much less than a skin depth even for a good conductor. It is reasonable to expect that such windows are modestly reflective at microwave frequencies, but such thin layers should not result in strong absorption within the layer. The author is aware of anecdotal reports of glass coatings specifically designed to provide high absorption at microwave frequencies, purportedly used in airports and other facilities to impede cellular telephony coverage (and thus increase airport revenues through repeater charges), but has not been able to verify these reports to date.

Figure 9.9: High-Rise Construction
9.2.4 Residential Construction

Residential construction practices around the world are more disparate than commercial construction, being more strongly guided by culture, history, and traditional preferences. The discussion here focuses on practices common in the United States.

In the United States, small single-family homes and small apartment buildings have traditionally been constructed using wooden frames for structural strength. Wood is also used for studs and rafters to support interior and exterior walls and roofing. Exterior walls are reinforced with plywood facing to improve the shear strength of the framing. In seismically active regions like California, additional shear bracing of various kinds is used to ensure structural integrity in the event of an earthquake. Exterior wall materials are chosen for decorative value and robustness and vary widely. Wood paneling, stucco (about which we have a bit more to say in a moment), brick, and aluminum siding are all common. Brick may be laid unreinforced in seismically stable areas. Interior walls are typically gypsum (dry wall or wall board) over wooden studs. Services (electrical wiring, plumbing, vents) are provided in the interwall spaces. Ceilings are generally constructed of plaster laid over gypsum wall board. Roofs are plywood laid on wooden beams and rafters. Roofs are generally constructed of shingles (individual tiles overlaid so that the point of attachment of the shingle is shielded from rain water). Shingle materials include asphalt mixed with gravel, treated wood, and metal-backed ceramic. Tar-and-gravel roofs are rarely used in residential construction (though they are encountered in "Eichler" homes common in the southern Peninsula region of the San Francisco Bay area, where the author lives).

New U.S. construction is moving rapidly to sheet-metal studs and beams for interior and exterior walls, because the cost has fallen to below that of typical wood framing. The studs and beams are configured as C-shaped sheet metal channels as shown in Figure 9.6. Exterior walls are stiffened with metal straps or sheets. The total reinforced area is small because of the excellent tensile strength of metal beams. Metal plates are used at the windows to distribute lateral stresses. The exterior walls are covered with polycarbonate insulation followed by decorative coatings. Interior walls continue to use gypsum wall board to ensure fire resistance. Roof construction practices resemble those used in low-rise commercial construction, with plywood laid over sheet-metal rafters.

Plaster exterior wall construction has evolved somewhat over the last century (Figure 9.10). In the early part of the twentieth century, stucco exteriors were formed by laying plaster over thin strips of redwood. From about 1920 through the 1980s, it was more common to place a layer of hexagonal stucco support wire as reinforcing material for the plaster layer. In recent construction, exterior insulating finishing systems are generally used. These consist of a polyisocyanate insulating layer on which is laid a fiberglass mesh, forming a bed for the plaster layer. Wire support may still be used for stucco layers of thickness greater than 1 cm (3/8 inch).

Figure 9.10: Stucco Through the (Modern) Ages (traditional stucco, pre-1920: plaster over thin redwood strips on wooden studs; 1920 through mid-1980s: stucco over "chicken" support wire; recent construction: EIFS, exterior insulating finishing systems, with polyisocyanate insulation and fiberglass mesh on wooden or steel studs)
9.2.5 An International Flavor

Significant differences in construction practices (and construction quality, but that's another story) exist around the world, conditioned mainly by the local costs of labor and materials. In Russia and Poland, exterior walls are masonry and fill, with masonry interior walls common, because of low local labor cost and the excellent thermal insulation properties of masonry. Lightweight concrete walls are becoming popular as well. Intermediate floors and ceilings are often a composite of fired clay tiles, which are shaped to provide conduits for services and ventilation, and reinforced concrete. Western European construction uses brick, masonry, and concrete in internal walls to a much greater extent than is typical in the United States, both in commercial and residential construction. Concrete masonry units are also very popular in Mexican construction. Taiwanese commercial construction is very similar to U.S. practice. Japanese commercial construction uses reinforced concrete extensively for its robustness under seismic stress. Residential construction varies widely. Japanese homes are generally wood framed, often with heavy tiled roofs. Hong Kong residents generally live in large apartment buildings constructed along commercial lines.

9.2.6 Very Large Structures

Structures that must have a large unsupported interior span, such as auditoriums, airport terminals, theaters, and convention centers, face special structural problems. The basic challenge is the support of a roof span without intervening columns. Small structures can use cantilevered beams (the term refers to the fact that both the position and slope of the ends of the beam are fixed to minimize sagging), but large structures exceed the shear strength of available materials. Various solutions for large-span roofs exist.
Ancient engineers used masonry arches and domes to construct cathedrals and public buildings; these rounded structures effectively convert gravitational forces to compressive stresses in the roof and walls, which stone and masonry are well fit to resist, but at the cost of heavy, expensive roofs. Modern solutions often use long-span truss structures, composed of triangles of steel wires or beams arranged in a plane, so that stresses applied to the truss are converted into tensile stress on the members of the constituent triangles. A similar approach uses a space frame, in which tetrahedra formed from steel beams are assembled to fill space with minimal-length structures. Again, shearing is not possible without tensile stress on the members of the truss. Another approach used for very large structures is to suspend a fabric roof from a network of support cables in the manner of a suspension bridge. Tensile stresses from the weight of the roof must be transferred to the walls. Walls are formed of reinforced concrete or steel columns. In a technique known as infill construction, the space between the columns is taken up with non–load-bearing, decorative, weather-resistant materials such as brick, concrete masonry blocks, or glass blocks. Tilt-up construction is not practical for large structures, nor are wood beams used in modern practice.

9.3 Microwave Properties of Building Materials

From our examination of construction practices, it is apparent that the microwave properties of several common materials are needed to understand likely propagation results in indoor environments. We should like to know about the behavior of (at least) concrete, wood, gypsum, glass, and masonry.
A number of individual studies of particular materials are available in the literature, but the most complete single examination of building material properties at microwave frequencies the author has been able to obtain was performed by Stone and coworkers at the U.S. National Institute of Standards and Technology's Gaithersburg laboratories. Stone and colleagues measured attenuation after transmission through varying thicknesses of concrete with and without reinforcement, brick on concrete, concrete masonry units and brick walls, wet and dry soft lumber, plywood, drywall, and glass, all with a fixed test setup. Thus, the data set forms a valuable reference for the relative attenuation of a wide variety of materials, measured in a consistent fashion.

There are some important limitations of the data that should be mentioned. No attempt was made to measure or correct for reflection from the samples, although the data were time gated to remove any reflections from the ambient around the test setup. Because the measurements were made at normal incidence, reflection coefficients of most materials are less than about 0.5, so the correction is of the order of 2 dB or less for a single interface. A complete correction would involve accounting for multiple reflections from both interfaces, but in the cases where this might be relevant, absorption is also high, so that the correction is not of great significance. This correction is thus of modest import except in the case of samples with very little attenuation, where the distinction between absorption and reflection is of little practical consequence in any case. Data were taken using separate systems in the 0.5- to 2-GHz and 3- to 8-GHz ranges; the low-frequency data appear consistent and sensible, but the higher frequency data show a complex frequency dependence and are quantitatively inconsistent with the lower frequency data.
Thus, here we examine only the 0.5- to 2-GHz results, from which we must optimistically extrapolate to the frequency ranges of interest for WLAN applications. The low-frequency results of Stone et al. are summarized in Figure 9.11. We can generally conclude that drywall provides minimal attenuation (on the order of 1 dB at normal incidence) and that dry plywood also has very little absorption or reflection. Wet plywood incurs an additional dB of attenuation (and/or reflection). Brick and soft lumber in typical thicknesses involve attenuations of 5–10 dB, dependent on thickness. Again, wet lumber incurs a decibel or two of additional absorption over dry lumber.

Figure 9.11: NIST Study of Attenuation of Various Building Materials at Microwave Frequencies; “Rebar” Denotes the Presence of Reinforcing Steel Bars Within Concrete or the Properties of Grids of Reinforcing Bars in Air (After Stone, 6055)
[Plot of attenuation (dB, 0–40) vs. frequency (GHz, 1–2) for: concrete 20 cm with rebar at 7 cm centers; concrete 20 cm with rebar at 14 cm centers; concrete 20 cm; reinforced concrete 27 cm, rebar 7 cm ctr; brick on concrete 19 cm; concrete (various mixture lots) 10 cm; masonry block 20 cm; brick on masonry block 28 cm; wet soft lumber 11 cm; dry soft lumber 11 cm; brick 23 cm; brick 9 cm; rebar grids 7 cm ctr and 14 cm ctr; float glass 1.3 cm; wet plywood 1.9 cm; dry plywood 1.9 cm; drywall 1.3 cm. Points from Peña et al. 2003 are also shown.]

Concrete, by itself or in combination with brick, appears to represent a very strong attenuator, reducing the incoming signal by as much as 35 dB at 2 GHz for a 20-cm-thick layer. The presence or absence of reinforcement (“rebar”) has a modest effect on concrete attenuation. Results are also shown for grids of reinforcing bars in air, using 7- and 14-cm spacings. Recall that a wavelength at 1 GHz is about 30 cm and the rod diameter is about 19 mm, so 7 − 2 = 5 cm holes are less than a quarter of a wave at 1 GHz.
We see that half-wave grids provide little impediment to propagation, but quarter-wave grids are more significant. The reflection/scattering of the 7-cm grid extrapolated to 2.4 GHz (0.4 λ openings) is still 3 dB larger than that of the 14-cm grid at 1 GHz (also 0.4 λ openings), showing that the size of the steel rods is not negligible for the smaller grid. Nevertheless, we can conclude that conductive grids with openings significantly larger than half a wavelength at the frequency of interest introduce only a few decibels of reflection and scattering. Note that the effect of rebar spacing within concrete is much less than that which would have been expected if the bare grid attenuation was added to that of unreinforced concrete; the large refractive index of the concrete means the wavelength within the medium is less than that in air, thus making the openings larger in terms of local wavelengths. Also shown on the graph are measurements of the properties of brick and concrete obtained by Peña and coworkers in a separate study reported in 2003. These measurements were performed at roughly 900 MHz. The researchers obtained and modeled angle-dependent data, with full correction for reflections, to extract the real and imaginary dielectric constants and thus reflection and absorption behavior of the materials. Their result for a 23-cm brick wall (about 6 dB absorption) is generally consistent with that obtained for a 9-cm brick wall by Stone and coworkers. However, their results for a reinforced concrete wall show much lower (albeit still significant) absorption than that reported by Stone for similar thickness. Recommended attenuation values for transmission through various materials provided by Wireless Valley, Inc., a commercial organization involved in both propagation modeling and installation consulting for indoor networks, are summarized in Table 9.1.
These recommendations are generally consistent with the measurements of Stone et al. for glass, wall board (recalling that one wall penetration encounters two layers of drywall), wood, and brick, although Peña et al.’s results for brick suggest rather lower absorption. Reifsneider’s recommendations for concrete walls are generally consistent with the data of Peña et al. (recalling that a 27-cm wall is unusually thick for U.S. construction) but not with that of Stone et al. In the course of some related work, I measured the absorption of a typical tilt-up reinforced concrete wall 20 cm thick at only 5–6 dB at 5.3 GHz.

Table 9.1: Recommended Values of Attenuation (dB) for Various Interior Structures

Obstacle                                 900 MHz   1.8 GHz   2.4 GHz
Interior wall (drywall)                     2         2.5       3
Brick, concrete, masonry block wall        13        14        15
Cubicle wall                                1         1.5       2
Wooden door                                 2         2.5       3
Glass window                                2         2.5       3
Glass window, insolation “doping”          10        10        10

From Indoor Networks Training Course, Reifsneider, September 2003.

Thus, we can see that multiple sources report more or less consistent results for common materials, but large discrepancies occur in reported behavior of concrete walls. What’s going on? To understand why different authors report such differing behavior for this material in particular, we must undertake a brief examination of the nature of this ubiquitous modern building material. Concrete, more formally Portland concrete cement (sometimes abbreviated as PCC), is a mixture of Portland cement and aggregate. The aggregate is crushed stone or other nonreactive material and plays an important role in the physical properties of the material but is probably not particularly microwave active. The cement is a powder consisting of tricalcium silicate 3CaO·SiO2, and dicalcium silicate 2CaO·SiO2, with smaller amounts of tricalcium aluminate 3CaO·Al2O3 and tetracalcium aluminoferrite 4CaO·Al2O3·Fe2O3.
When mixed with water, the tricalcium silicate forms a hydrated calcium silica gel, 3CaO·2SiO2·3H2O, and releases Ca²⁺ and OH⁻ ions (Ca(OH)2, which is dissociated in aqueous solution). It is the hydrated gel that provides mechanical strength to the mixture after curing. The reactions that form the gel are complex, and the structure of the result is not well understood. It is well known that in the related process of formation of gels from pure silica, the nearly reversible hydrolysis of water by silica bridge bonds,

$$\equiv\!\mathrm{Si{-}O{-}Si}\!\equiv \;+\; \mathrm{H_2O} \;\Leftrightarrow\; \equiv\!\mathrm{Si{-}OH} \;+\; \mathrm{HO{-}Si}\!\equiv \qquad (9.1)$$

(where $\equiv\!\mathrm{Si}$ denotes a silicon atom attached to three other oxygen atoms, presumably within the bulk of the gel or particle), plays an important role in the formation of gel particles and in the redissolution and merging of particles to form an extended gel. It seems plausible to infer that an analogous set of nearly reversible reactions support the creation of a connected if porous gel from the initial powders during the curing of concrete. It is also well known from research into the interaction of water and silicon dioxide that water in the presence of silica can exist in three forms, distinguishable by their infrared absorption: free water molecules, hydrogen-bonded water, and silanol groups (Figure 9.12). The key relevance is that silanols, although still polar to a similar extent to water molecules, are not free to rotate in response to an electromagnetic potential. The vibrational frequencies of the attaching bonds are greatly in excess of microwave frequencies. Thus, silanol will not contribute to microwave absorption. Hydrogen-bonded water molecules are also relatively unable to move, attached as they are to the fairly rigid silica lattice, and will contribute little absorption at microwave frequencies.
Thus, microwave absorption in concrete cement seems likely to be dominated by the residual free water molecules and should slowly fall as the concrete cures and water is taken up into bonded sites.

Figure 9.12: Interaction of Water With Silica: Silanol Groups Are Produced by Hydrolysis of Bridge Bonds and May Thereafter Form Hydrogen Bonds to Each Other or to Nearby Water Molecules
[Schematic showing free water, hydrogen-bonded water, hydrolysis of a silica bridge bond, and silanol groups on the silica lattice.]

This supposition appears to be borne out by the microwave absorption data at 300 MHz obtained by Pokkuluri, shown in Figure 9.13. If we use Stone et al.’s data as a rough guide for the frequency dependence of absorption in concrete, we infer a change of about 20%/GHz, so that we should expect an absorption of about 5 dB/20 cm after 3 years of cure at 2 GHz, in qualitative agreement with the data of Dobkin and Peña (and perhaps also that of Wireless Valley, because they do not provide a reference thickness).

Figure 9.13: Microwave Absorption at 300 MHz in Concrete as a Function of Cure Time (Based on Data From Pokkuluri Thesis, Virginia Polytechnic Institute, 1998)
[Plot of absorption (dB/m, 0–90, left axis; dB/20 cm, 0–16, right axis) vs. cure time (days, 1–1000, logarithmic; years 0.027–2.7 on the upper axis).]

More to the point, we find that for samples cured some tens of days, we would expect an attenuation roughly two times higher than observed in samples cured for years, approximately accounting for the discrepancy between the results of Stone et al. and those of other workers. Stone et al.’s data include various mixtures of concrete incorporating differing amounts of the constituents and show significant (30%) variations in absorption resulting.
The corresponding variation in fully cured concrete might be expected to be at least as large and perhaps larger, because absorption depends on the residual water available after hydration and thus on details of porosity and stoichiometry, likely to be influenced by initial composition and curing conditions. This supposition is supported by the data of Kharkovsky and coworkers taken on 15-cm-thick samples at 8–12 GHz. They found that two mixtures with water-to-cement ratios of 0.4 and 0.7 had absorption of 16 and 28 dB, respectively, after 6 months of cure. Kharkovsky et al.’s data also show slow continuous changes in absorption at long times: they found about 2 dB/month at 5–6 months of cure, roughly consistent with Pokkuluri’s data at much lower frequency. Thus, we can conclude that a typical 20-cm-thick concrete wall is likely to represent about 5–10 dB of absorption at 2.4 GHz and perhaps 2–3 dB more at 5 GHz, with the exact value significantly dependent on composition and curing conditions. The author has been able to find only one brief reference to plaster walls (Ali-Rantala et al.) that suggested the absorption of plaster is slightly less than that of concrete. Referring to Figure 9.10, one can estimate that 2 cm of stucco would represent 0.5–1 dB of absorption, comparable with that of similar layers of plywood or gypsum. The use of wire reinforcement of typical dimensions, noted in Figure 9.10, appears likely to represent little impediment to propagation at 5–6 GHz; the present author has verified that a layer of wire composed of 2-inch (5 cm) hexagons attenuates a 5.3-GHz signal by only about 1.5 dB, and 1-inch (2.5 cm) hexagons impose 3.5 dB attenuation. At 2.4 GHz, 2-inch hexagonal screen represented an almost-insignificant 1.4-dB loss, but 1-inch hexagonal screen caused a decrease of 7.1 dB in signal strength from open space.
Because stucco walls are typically very thin, the dielectric effects on wavelength would be expected to be modest, so one might propose that a residential wall using stucco reinforced by the typical support wire can represent as much as 7–8 dB of transmission loss in the 2.4-GHz ISM band. Refractive indices and the corresponding reflectivity at normal incidence for various building materials are summarized in Table 9.2. It is clear that most building materials have refractive indices around 2–3. The reflection coefficient of a real slab of material will vary depending on its thickness if the material absorption is small (e.g., plywood or glass or gypsum in typical thicknesses) due to multiple reflections from the two interfaces. Estimated reflectivity versus slab thickness over the range of refractive index expected is shown in Figure 9.14. For n = 2 appropriate for those materials most often used in thin slabs (wood, glass, and gypsum), the reflectivity is at a maximum Γ ≈ 0.6 at typical thicknesses of 1.3 to 1.9 cm (0.5–0.75 inches) versus the normal reflectivity from a single interface of about 0.4.

Table 9.2: Refractive Index and Reflection at Normal Incidence (From a Single Interface) for Various Building Materials

Material       n     Γ (Normal Incidence)   Source; Remarks
Brick          2     0.33                   Peña et al. op. cit.¹; Landron et al. IEEE Trans Ant Prop 44 p. 341, 1996
Concrete       2.5   0.43                   Peña et al. op. cit.¹
Glass          2.5   0.43                   CRC Handbook values for Corning 0080, 0120 (soda-lime glass, soda-lead glass)
Coated glass   –     0.72                   Landron et al. op. cit.²
Limestone      2.7   0.46                   Landron et al. op. cit.
Gypsum         2.2   0.37                   Tarng & Liu IEEE Trans Vehic Tech 48, no. 3, 1999; similar to CRC Handbook value for CaSO4·2H2O of 2.3
Wood           2.2   0.37                   Tarng & Liu op. cit.

¹ Peña data allows a range of n = 1.7–2.2 for brick and 2.3–2.7 for concrete.
² Landron data measured on exterior (coated) side, presumably dominated by coating.
Note, however, that even this maximum reflection coefficient only corresponds to a loss in the transmitted signal of about 2 dB (10 log(1 − 0.6²)). Thus, reflection plays a modest role in decreasing transmitted signal strength except at glancing angles of incidence. On the other hand, the high reflection coefficients suggest that reflected signals will be common in indoor environments, leading to multipath delay and fading.

Figure 9.14: Reflectivity vs. Slab Thickness for Refractive Index n = 2 and 3; Slab of Refractive Index n Surrounded by Air (n = 1)
[Plot of reflectivity Γ (0–1) vs. thickness (cm, 0–5) for n = 2 and n = 3.]

Some empirical data for attenuation resulting from transmission between floors are shown in Figure 9.15. Seidel et al. does not describe the means of construction of the floors studied, but by comparison with the data obtained by the present author, it is reasonable to infer that building 1 used concrete-on-wood or wood floors. The fact that loss does not increase linearly with the number of floors is ascribed to diffraction and/or reflection from neighboring buildings, which are not simply related to the number of floors separating transmitter and receiver. As one might expect, a corrugated steel floor of the type depicted in Figure 9.5 acts as an effective shield, leading to negligible direct propagation between floors. Seidel and coworkers also reported higher losses (on the order of 35 dB for one floor) for a second building, suggesting that they were also working with corrugated steel flooring in some cases. Buildings with steel floors are likely to be readily partitioned into separate WLAN domains by floor; buildings with conventional wooden floors will allow significant propagation between floors.
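The reflection figures above (the single-interface values of Table 9.2, the thin-slab peak of Γ ≈ 0.6 for n = 2, and the corresponding 2-dB transmission loss) can be checked numerically. The following is an added example, not code from the book: it uses the normal-incidence Fresnel coefficient and the lossless-slab (Airy) formula for a slab of index n surrounded by air, which is the model Figure 9.14 describes; the scan range of 0–3 cm and the 2.4-GHz frequency are assumptions chosen to land on the first reflectivity maximum.

```python
"""Normal-incidence reflection of building materials: single interface and thin slab.

Added example (not from the book).  Assumes a lossless slab of refractive
index n surrounded by air (n = 1), i.e. the model of Figure 9.14.
"""
import cmath
import math

C = 299_792_458.0  # speed of light, m/s


def fresnel_normal(n: float) -> float:
    """|Γ| for a single air -> material interface at normal incidence."""
    return abs((n - 1.0) / (n + 1.0))


def slab_reflectivity(n: float, thickness_m: float, freq_hz: float) -> float:
    """|Γ| of a lossless slab in air, including the multiple internal reflections.

    With r the interface coefficient and delta the one-way phase across the slab,
        r_slab = r (1 - e^{-2j delta}) / (1 - r^2 e^{-2j delta}),
    whose magnitude peaks at 2r/(1+r^2) when the slab is a quarter wave thick.
    """
    r = (n - 1.0) / (n + 1.0)
    wavelength = C / freq_hz
    delta = 2.0 * math.pi * n * thickness_m / wavelength
    phase = cmath.exp(-2j * delta)
    return abs(r * (1.0 - phase) / (1.0 - r * r * phase))


def transmission_loss_db(gamma: float) -> float:
    """Loss of transmitted power (dB, positive) from a reflectivity |Γ| when
    nothing is absorbed: 10 log10(1 - Γ^2), as in the text's 2-dB figure."""
    return -10.0 * math.log10(1.0 - gamma * gamma)


def peak_slab_reflectivity(n: float, freq_hz: float):
    """Scan thickness from 0 to 3 cm in 0.01-mm steps (assumed range, covering
    the first maximum) and return (thickness_cm, |Γ|) at the largest value."""
    best_d_cm, best_g = 0.0, 0.0
    for i in range(1, 3001):
        d = i * 1e-5
        g = slab_reflectivity(n, d, freq_hz)
        if g > best_g:
            best_d_cm, best_g = d * 100.0, g
    return best_d_cm, best_g


if __name__ == "__main__":
    for material, n in (("brick", 2.0), ("concrete", 2.5), ("limestone", 2.7), ("gypsum", 2.2)):
        print(f"{material:10s} n={n}  single-interface |Γ|={fresnel_normal(n):.2f}")
    for n in (2.0, 3.0):
        d_cm, g = peak_slab_reflectivity(n, 2.4e9)
        print(f"n={n}: peak slab |Γ|={g:.2f} at {d_cm:.2f} cm, "
              f"transmitted-power loss {transmission_loss_db(g):.1f} dB")
```

For n = 2 at 2.4 GHz the scan finds the peak near 1.56 cm (a quarter wave inside the material), inside the 1.3–1.9 cm range the text quotes, and the 0.6 peak costs just under 2 dB of transmitted power; for n = 3 the peak rises to 0.8, matching the upper curve of Figure 9.14.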
Figure 9.15: Attenuation Between Floors of a Building (Data From Seidel, IEEE Vehicular Tech Conf., 1992, p. 814, at 915 MHz; Unpublished Data by the Present Author at 2.4 GHz)
[Plot of floor-to-floor attenuation (dB, 0–50) vs. number of floors (0–5) for: Dobkin, concrete-on-steel; Seidel, building #2; Seidel, building #1; Dobkin, concrete-on-wood.]

We can summarize the discussion of building materials with a few observations:

1. Absorption of materials commonly used in construction at thicknesses typically used can be classified as follows:
• Lossy: thick concrete, masonry, or solid wood; 10–20 dB/wall
• Modest loss: single-layer brick walls, thin masonry, wooden paneling, stucco walls; 5–10 dB/wall
• Low loss: plywood, glass, wooden doors, cubicle walls, dry wall panels: less than 5 dB/obstacle

2. Most materials have refractive indices around 2–3, giving normal incidence reflection around Γ = 0.4 for thick layers.
• Thin layer reflection depends strongly on thickness, varying from about 0.1 to 0.6; however, even at the peak this represents modest transmission loss of a couple of decibels.
• Reflection loss will become significant for vertically polarized radiation on walls at angles of incidence more than 70 degrees.
• Reflections from floors and ceilings are subject to Brewster’s angle for vertically polarized antennas.

Thus, the received power in most cases will be dominated by the loss and reflection along the direct path between the transmitter and receiver. A first estimate of signal strength (in the absence of large metal obstacles) can be obtained by counting walls along the direct ray. Glancing-angle wall reflections will subtract significant power from the direct ray and add to average power along long narrow corridors at the cost of increased fading.
9.4 Realistic Metal Obstacles

In this section we examine how realistic metallic obstacles affect propagation and compare the results with theoretical predictions. Measurements were performed at 5.216 to 5.228 GHz in an open room with a concrete floor using a microstrip array antenna with approximately 20 dB power gain relative to an isotropic antenna to minimize the effects of reflections from ceiling features, walls, and floor on the results. Two obstacles were tested: a single 19-inch rack 0.65 m wide, 0.56 m deep, and 2 m high and a triple 19-inch rack 1.8 m wide, 0.85 m deep, and 1.6 m high. (These racks are very commonly used to hold server computers and other electronic gear in commercial and industrial facilities and provide representative examples of typically sized metallic obstacles.) The racks were unpopulated and thus consist of frames with sheet-metal front doors perforated by ventilation slots and a mostly open back side with support members crossing the access area at the top and center height. The test arrangement is depicted schematically in Figure 9.16.

Figure 9.16: Test Range for Diffraction/Shadowing From Realistic Metallic Obstacles
[Schematic: TX (monopole) and RX (20 dBi patch) over a concrete floor, with the single or triple rack moved laterally in 10-cm increments between them; distances marked 15 meters and 2.5 meters.]

The signal strength at four frequencies was averaged and compared with that obtained in the unobstructed case to produce a measure of shadow depth in decibels for each position of the obstacle. The results are summarized in Figure 9.17 and compared with estimates of signal strength obtained by numerical integration of the scattering equations for ideal flat plates of the same lateral dimensions. It is apparent that the qualitative features of the shadows cast by the racks are well represented by the thin-plate models.
The narrow deeply shadowed regions expected from the flat-plate model of the triple rack are not observed in the data; it is not clear if this is an artifact of the limited lateral resolution of the measurements.

Figure 9.17: Shadow Depth vs. Obstacle Position for Single and Triple Racks; Average Over Geometric Shadow: 11.0 dB (Single Rack) and 10.1 dB (Triple Rack)
[Two panels (single rack, triple rack) of shadow depth (dB, 0–25) vs. lateral distance (cm, 0–250): measured points and thin-plate model, with the geometric shadow region marked.]

In normalized terms (equation [9.2]) the single rack is u_o = 2.4 wide at 5 GHz for the given configuration (R_av = 2.1 m) and can be reasonably regarded as tall. Equation [9.3] predicts a shadow depth half-way from the center line of 8 dB, in reasonable agreement with the observed shadow averaged over the geometrically shadowed region. Note, however, that the shadow depth in the central region is 5–7 dB deeper than expected for a flat plate and almost 10 dB deeper than the estimate of equation [9.3], presumably due to the complex actual geometry and finite depth of the rack.

$$u = (x\ \text{or}\ y)\sqrt{\frac{2}{R_{\mathrm{obs}}\,\lambda}} \qquad (9.2)$$

$$(S)_{\mathrm{dB}} \approx 20\log\left(\frac{0.33}{2}\left[\frac{1}{u_{o,l}} + \frac{1}{u_{o,r}}\right]\right) \qquad (9.3)$$

The triple rack is about 7.4 normalized units wide by 6.6 normalized units high. Equation [9.3] provides shadow estimates of 18.5 and 17.5 dB using, respectively, the width and height of the obstacle. This object cannot be reasonably regarded as a tall rectangular object, and so the approximations of equation [9.3] are suspect.
A plausible approximation is to add the received power from two ideal shadowing objects (one very wide and one very tall), with each typical shadow calculated according to equation [9.3]; because the two shadows are comparable, we might as well just add 3 dB of signal power or remove 3 dB from the shadow depth, predicting a typical shadow of about 15 dB, slightly deeper than what is observed half-way from the edge. We can summarize by saying that the observed shadows of complex objects of realistic dimensions are on the order of 10–20 dB deep, as we had predicted based on simple idealized models. The detailed behavior of obstacles of finite depth is not accurately predicted by simple flat-plate models, but the differences are comparable with fade margins of 5 dB that must be assigned to all estimates of field strength in any case. In practice, the effective shadow depth of obstacles on average will be reduced by the added power due to reflected rays following indirect paths within the indoor environment.

9.5 Real Indoor Propagation

We’ve now reviewed the sort of materials and obstacles we might encounter in an indoor environment and what their likely effects on a microwave signal might be. What does all this imply for operating a radio in an indoor environment? We first look at a simplified example of indoor propagation to get some idea of what to expect and then compare the results of the conceptual exercise with real data obtained in real buildings. In Figure 9.18, the indoor propagation cartoon shows some exemplary propagation paths (rays) added. Along each path we’ve added a simplistic loss budget, accounting for 3 dB (reflection and absorption) in passing through interior partition walls, 5- to 7-dB loss upon reflection depending on angle, and 15 dB from thick concrete exterior walls.
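The rack calculation in section 9.4 (equations [9.2] and [9.3], the half-way shadow estimates of 8, 18.5 and 17.5 dB, and the power-sum rule that reduces the triple-rack shadow to about 15 dB) is reproduced below. This is an added example and not the book's own code. Assumptions: "half-way from the center line" is taken as the point at distances u/4 and 3u/4 from the two edges of an obstacle of normalized width u; R_av from the text (2.1 m), a 5.22-GHz center frequency, and the rack dimensions from the text are used for equation [9.2]. With those inputs the single rack comes out at about 2.6 normalized units rather than the 2.4 quoted, presumably a matter of rounding in the text, while the triple rack's 7.3 by 6.5 matches the quoted 7.4 by 6.6.

```python
"""Shadow depth behind a flat-plate obstacle, after equations 9.2 and 9.3.

Added example (not from the book).  Positive values are shadow depths in dB.
"""
import math

C = 299_792_458.0  # speed of light, m/s


def normalized_size(size_m: float, r_av_m: float, freq_hz: float) -> float:
    """Equation 9.2: u = (x or y) * sqrt(2 / (R_obs * lambda))."""
    wavelength = C / freq_hz
    return size_m * math.sqrt(2.0 / (r_av_m * wavelength))


def shadow_depth_db(u_left: float, u_right: float) -> float:
    """Equation 9.3 for a tall obstacle whose edges are u_left and u_right
    normalized units away: S_dB ~ 20 log10((0.33/2) (1/u_l + 1/u_r))."""
    s = (0.33 / 2.0) * (1.0 / u_left + 1.0 / u_right)
    return -20.0 * math.log10(s)


def halfway_shadow_db(u_total: float) -> float:
    """Depth half-way between the center line and one edge (assumed to mean
    edge distances of u/4 and 3u/4)."""
    return shadow_depth_db(u_total / 4.0, 3.0 * u_total / 4.0)


def combined_shadow_db(depth_a_db: float, depth_b_db: float) -> float:
    """Power-sum of two idealized shadows (one very wide, one very tall), the
    approximation the text proposes for an obstacle that is neither."""
    p = 10.0 ** (-depth_a_db / 10.0) + 10.0 ** (-depth_b_db / 10.0)
    return -10.0 * math.log10(p)


def rack_example(freq_hz: float = 5.22e9, r_av_m: float = 2.1) -> dict:
    """Normalized sizes of the single (0.65 m wide) and triple (1.8 m wide,
    1.6 m high) racks and the resulting shadow estimates."""
    single_u = normalized_size(0.65, r_av_m, freq_hz)
    triple_w = normalized_size(1.8, r_av_m, freq_hz)
    triple_h = normalized_size(1.6, r_av_m, freq_hz)
    wide = halfway_shadow_db(triple_w)
    tall = halfway_shadow_db(triple_h)
    return {
        "single_rack_u": single_u,
        "single_rack_halfway_db": halfway_shadow_db(single_u),
        "triple_rack_u_width": triple_w,
        "triple_rack_u_height": triple_h,
        "triple_rack_wide_db": wide,
        "triple_rack_tall_db": tall,
        "triple_rack_combined_db": combined_shadow_db(wide, tall),
    }


if __name__ == "__main__":
    # Using the text's rounded normalized widths directly:
    print(f"u=2.4: {halfway_shadow_db(2.4):.1f} dB")   # text: 8 dB
    print(f"u=7.4: {halfway_shadow_db(7.4):.1f} dB")   # text: 18.5 dB
    print(f"u=6.6: {halfway_shadow_db(6.6):.1f} dB")   # text: 17.5 dB
    print(f"combined: {combined_shadow_db(18.5, 17.5):.1f} dB")  # text: about 15 dB
    for k, v in rack_example().items():
        print(f"{k}: {v:.2f}")
```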
At the end of the process, each ray has accumulated a certain path loss due to distance traveled (not shown in the figure) and a certain additional delay relative to the direct ray; the result can be plotted on a graph of power versus excess delay, assuming a typical room size, as is done in the inset. (Note that the delay here is much too imprecise to be used to specify the relative phase of the various ray paths, so we can add powers to get an average power, but we can’t specify an actual power with any confidence.)

Figure 9.18: Typical Multipath Propagation in a Building With Reflection, Scattering, and Absorption Losses; Power (Arbitrary Units) vs. Delay Is Shown in the Inset
[Sketch of rays 1–6 from PTX to PRX, each labelled with its losses (−3 dB per interior partition, −5 or −7 dB per reflection, −15 dB per concrete exterior wall); inset plots relative power (dB, 0–50) vs. excess delay (ns, 0–30) for the six rays.]

Even though this example appears somewhat complex, it is hardly realistic: only a few reflected rays and one scattered ray are included, and we have ignored multiple reflections and reflections from the floor and ceiling or obstacles therein. From the inset graph, we can see that the direct ray is the largest contributor to signal power, even though the configuration is hardly line-of-sight (LOS). This is because the large concrete shear wall attenuates the direct and indirect rays equally. The lower power rays will contribute both to fading, as their relative phase varies, and intersymbol interference, the latter being determined by their delay relative to a symbol time. Here, because we have included only a few rays in a small pair of rooms, the maximum delay of 30 nsec would be unobjectionable for 802.11b: the delayed rays would muddy the symbol transitions but have little effect in the middle of the symbol where sampling is typically done.
However, we can see that higher symbol rates and higher modulations might start to encounter significant intersymbol interference even in this small propagation example. From this simple example, we tentatively conclude that in a real environment we expect to see a number of rays of decreasing relative power, with characteristic delays set by the path length between the various reflecting and scattering features in the environment. Paths with longer delays will have both more path attenuation and additional loss from reflections and absorptions and so appear at lower relative power. Because buildings used by humans usually are partitioned into human-sized areas of a few meters, we would expect delays to occur in rough multiples of 10–20 nsec (3–6 m or 10–20 feet). When a clear line of sight is present or all indirect and direct rays encounter the same main obstruction, the received power will be dominated by the direct ray, leading to Rician-like distributions of received power; when an indirect path suffers the least absorption, we might see many rays of equal power and expect Rayleigh-like behavior. In Figure 9.19 we show some examples of real indoor propagation data, from Hashemi and coworkers, in a facility described as a medium-sized office building. The qualitative features are similar to those of our simple example, though we see many more rays at low power and long delay, presumably resulting from multiple reflections. There are many fairly distinct peaks, presumably corresponding to discrete ray paths, with characteristic separation of some tens of nanoseconds. Figure 9.19 also depicts the signal-to-noise ratio (S/N) required to demodulate 64 quadrature-amplitude-modulation (QAM) symbols. In clear line of sight, the power is obviously dominated by the direct ray, and a 64QAM symbol would see a multipath delay of about 60 nsec. 
The non-LOS measurement shows about 18 dB attenuation of the direct path relative to the best indirect path; in this case, because of attenuation of the direct ray, many more indirect rays are comparable in power with the largest ray, and a 64QAM symbol would need to deal with delays up to about 200 nsec. We can also see why Rician-like behavior would seem reasonable in this case for the LOS received power, where the received power is dominated by the direct ray with three or four small rays about 20 dB down, and Rayleigh-like behavior would be reasonable for the non-LOS case where about 11 roughly equal rays (counting down to 20 dB relative attenuation or an amplitude of 0.1) make contributions to the received power.

Figure 9.19: Indoor Power-vs.-Delay Data; Medium-Sized Office Building, 5 m TX-RX (From “The Indoor Radio Channel,” H. Hashemi, Proc. IEEE 81, p. 943 (1993), Data by David Tholl of TR Labs); based on original image © 1993 IEEE
[Two panels, line-of-sight and non-line-of-sight: power (dB, 0 to −50) vs. time (nsec, 0–400), each with the (S/N) for 64 QAM marked.]

The LOS result has a beam at 15-nsec delay about 18 dB larger than the largest delayed beams, corresponding to a Rician vm of about 10σ. A gradual decrease in beam power extends out to about 200 nsec, after which very little power is observed: One might guess that this corresponds to the size of the building in which the measurements were taken, with longer delay times resulting only from multiple interior reflections or objects beyond the building walls and thus significantly attenuated. To provide some idea of how delay varies over several different facilities, Table 9.3 shows summarized data at 1900 MHz from several different buildings, measured by Seidel and coworkers.
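The simplified ray budget of Figure 9.18 and the quantities used to describe the measured channels (power summed over rays, excess delay, RMS delay spread as in Table 9.3, and the Rician direct-to-scattered ratio) can be worked through in a few lines. The following is an added example, not the book's code. The ray list is constructed here to mirror the figure's budget (3 dB per interior partition, 5–7 dB per reflection, 15 dB for the concrete shear wall that every ray crosses); the path lengths, the 2.4-GHz frequency and the 0-dBm transmit power are assumptions, and free-space path loss is used for the distance term the figure leaves out. Powers are added, not fields, exactly as the text cautions, because the delays are far too coarse to fix relative phases.

```python
"""Power-vs-excess-delay bookkeeping for a handful of indoor rays.

Added example (not from the book).  Ray geometry and losses are constructed
to mirror the budget of Figure 9.18; absolute numbers are illustrative.
"""
import math
from dataclasses import dataclass

C = 299_792_458.0  # speed of light, m/s


@dataclass(frozen=True)
class Ray:
    name: str
    path_m: float          # total path length
    losses_db: tuple       # per-obstacle/per-reflection losses along the path


# Constructed sample: every ray crosses the 15-dB concrete shear wall, so the
# direct ray still dominates even though the link is not line-of-sight.
SAMPLE_RAYS = (
    Ray("direct", 10.0, (15.0,)),
    Ray("wall reflection", 14.0, (15.0, 5.0)),
    Ray("reflection + partition", 16.0, (15.0, 7.0, 3.0)),
    Ray("double reflection", 19.0, (15.0, 5.0, 7.0)),
)


def free_space_loss_db(d_m: float, freq_hz: float) -> float:
    """Free-space path loss 20 log10(4 pi d / lambda)."""
    return 20.0 * math.log10(4.0 * math.pi * d_m / (C / freq_hz))


def ray_power_dbm(ray: Ray, p_tx_dbm: float, freq_hz: float) -> float:
    """Received power along one ray: distance loss plus the obstacle budget."""
    return p_tx_dbm - free_space_loss_db(ray.path_m, freq_hz) - sum(ray.losses_db)


def excess_delay_ns(ray: Ray, direct: Ray) -> float:
    """Delay of a ray relative to the (shortest) direct ray, in ns."""
    return (ray.path_m - direct.path_m) / C * 1e9


def channel_summary(rays, p_tx_dbm: float = 0.0, freq_hz: float = 2.4e9) -> dict:
    """Add ray powers (not fields) and derive the usual channel descriptors."""
    direct = min(rays, key=lambda r: r.path_m)
    p_mw = {r.name: 10.0 ** (ray_power_dbm(r, p_tx_dbm, freq_hz) / 10.0) for r in rays}
    tau = {r.name: excess_delay_ns(r, direct) for r in rays}
    total = sum(p_mw.values())
    mean_tau = sum(p_mw[n] * tau[n] for n in p_mw) / total
    mean_tau2 = sum(p_mw[n] * tau[n] ** 2 for n in p_mw) / total
    scattered = total - p_mw[direct.name]          # everything but the direct ray
    return {
        "dominant_ray": max(p_mw, key=p_mw.get),
        "total_power_dbm": 10.0 * math.log10(total),
        "max_excess_delay_ns": max(tau.values()),
        # power-weighted RMS delay spread, the quantity tabulated in Table 9.3
        "rms_delay_ns": math.sqrt(max(mean_tau2 - mean_tau ** 2, 0.0)),
        # Rician K = direct power / scattered power; vm/sigma = sqrt(2K)
        "rician_k_db": 10.0 * math.log10(p_mw[direct.name] / scattered),
        "rician_vm_over_sigma": math.sqrt(p_mw[direct.name] / (scattered / 2.0)),
    }


if __name__ == "__main__":
    for k, v in channel_summary(SAMPLE_RAYS).items():
        print(f"{k}: {v if isinstance(v, str) else round(v, 2)}")
```

With these constructed rays the direct ray carries about 82% of the received power, the longest excess delay is the 30 ns of the figure, the RMS delay spread is a few nanoseconds (small compared with the 77–91 ns medians of Table 9.3, as expected for a two-room sketch with no multiple reflections), and the direct-to-scattered ratio of roughly 6.6 dB would put the fading on the Rician side.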
They found characteristic delays of around 100 nsec, similar to the average behavior seen in Figure 9.19. The longest RMS delays, as large as 1500 nsec, were observed when transmitter and receiver were on differing floors; the authors suggested that the long delays are the result of reflections from neighboring buildings.

Table 9.3: RMS Delay Spread and Variation in Received Power at Numerous Locations in Three Large Office Buildings

Building   No. of Locations   Median RMS Delay Spread (nsec)   Maximum RMS Delay Spread (nsec)
1          94                 77                               440
2          83                 88                               1470
3          61                 91                               507

From Seidel et al. (Op. Cit.).

The distinction between LOS and non-LOS conditions is not as clear-cut as it may appear. It is apparent from the discussion of section 3 that an interior partition wall made of gypsum wall boards has little effect on signal strength, so that an LOS path may exist between neighboring rooms for microwaves even though people cannot see through the relevant walls. On the other hand, as the path length increases, the direct ray becomes less dominant and more variation in signal strength and effective delay may be expected, even when an unobstructed path exists between the transmitter and receiver. This effect is demonstrated in Figure 9.20, where received signal strength is shown for measurements performed in a large nominally open area, with a 5-m-wide unobstructed path from transmitter to receiver in all cases. The average received power shows deviations of as much as 8 dB from the free-space prediction for the direct ray. At long distances, the average power appears to be increasing over the free-space prediction due to added power from the floor reflection.
The minimum signal as a function of frequency is often much lower than the average power, as shown in detail in the inset at right; locations with lower average power have more variations in power with frequency, suggesting that in those locations near cancellation of the direct ray by reflections from nearby obstacles enables rays with much longer path lengths to significantly contribute to the received power. For example, at 9.15 m, variations of as much as 18 dB are seen in signal power versus frequency.

Figure 9.20: Received Signal Power Averaged over 5.215–5.228 GHz and Minimum Signal Power over Frequency vs. Direct Path Distance Compared with Free-Space Propagation of Direct Ray, Sum of Direct and Floor Reflection Power, and Worst-Case Power Where Major Rays (Floor, Walls, Ceiling) Subtract from Direct Ray; Insets Depict Measurement Configuration and Power vs. Frequency at Several Path Lengths (Indicated by Enlarged Symbols in Signal Power Plot)
[Main plot: <signal> (dBm, −80 to −20) vs. distance (m, 0–20) with curves for the direct ray, direct + floor, direct − major rays, and min(signal). Configuration inset: TX at 10 dBm and RX 1 m above a concrete floor, ductwork in the ceiling area, 0.6 m clearance. Frequency inset: signal strength (dBm, −75 to −30) vs. frequency (GHz, 5.215–5.23) at 9.15, 10.1, 11, and 13.1 m.]

Note that the lateral resolution of the measurements is inadequate to show small-scale fading that may result from, for example, counterpropagating reflected rays from the walls of the room. The distribution of average signal strength that results from these complex interactions with the indoor environment is shown in Figure 9.21 for a typical small wood-framed residence and in Figure 9.22 for a moderate-sized two-floor tilt-up office building with concrete-over-plywood floors.
These data were obtained using an uncalibrated radio card, so relative signal levels may be meaningful but absolute signal power should not be taken too seriously. In the residence data were taken at 1- to 2-m intervals and in the larger building at roughly 5-m intervals; the contours are a smooth interpolation of the measured data points. The reported values at each location average a number of packets, with the measurement position varied over a few tens of centimeters. Turning first to Figure 9.21, in the region where only one internal wall interposes itself between transmitter and receiver (the horizontal dotted arrow), the signal strength is quite close to that expected in free space. In directions where multiple internal and external stucco walls lie on the direct path (the inclined dashed arrow to bottom right), the detected signal strength is as much as 40 dB below the free space value. If we account for the fact that in this direction the direct path may involve as many as three stucco walls (8 dB each) and four internal partition walls, each involving two layers of dry wall (8 × 2 = 16 dB loss, for a total of about 40 dB excess loss), simple wall counting leads to results in reasonable agreement with observed signal strength. The deep shadow at −91 dB from a milliwatt (dBm) is plausibly accounted for by a large metal obstacle—a central-heating furnace and associated ductwork.

Figure 9.21: Measured Signal Power from Consumer Access Point (Nominal Output ≈ 14 dBm, Marked AP) in Wood-Framed Residence; Boxed Numbers Denote Value at Contour Edge and Dashed Lines Show Circle of Radius 10.5 m from Access Point, at Which Estimated Power for Free Space Propagation Is −42 dBm
[Floor plan with interior walls, windows, wood panel, stucco walls, furnace and tall cabinets marked; 3-meter scale; contour values from −21 dBm near the AP down to −91 dBm behind the furnace, with −42 dBm on the 10.5-m circle.]
A first approximation to the distribution of signal strength in real, complex environments is obtained just by counting losses along the direct path, allowing for diffraction. Figure 9.22 shows similar data for a larger commercial building. On the upper floor, where the access point is located (at about 2 m above the floor), signal strength through much of the measured area is remarkably close to that expected for free-space propagation (within the limitations of this simplistic measurement). We can infer that the cloth-and-pressboard cubicles that occupy most of the upper floor constitute little impediment to propagation at 2.4 GHz, despite the sheet-metal shelves they are equipped with. The region at upper right of the upper floor shows reduced signal strength, due in part to measurement points located within rooms enclosed by partition walls (appearing as a regional reduction in signal strength on this low-lateral-resolution contour plot) and to measurement points at which the direct ray passes through external walls.

Figure 9.22: Measured Signal Power From Enterprise-Grade Access Point (Nominal Output ≈ 100 dBm, Marked AP) in Tilt-Up Two-Floor Commercial Building; Boxed Numbers Denote Value at Contour Edge and Dashed Lines Show Circle of Radius 25 m From Access Point, at Which Estimated Power for Free Space Propagation Is −50 dBm. [Upper-floor contours from −25 to −63 dBm; lower-floor contours from −44 to −86 dBm; legend: exterior (concrete) wall, interior (partition) wall, cubicles; scale bar 10 meters.]
The lower floor, which is also occupied by cubicles on the right and has only some exposed conduit on the left, is also close to free space once one corrects for a floor loss of about 9 dB (measured separately). There is some suggestion of enhanced signal strength near the lower wall, perhaps due to reflections from the partition walls on the upper floor or the concrete external wall. Signal strength is reduced at the upper right, where again interior partition walls and exterior walls interpose themselves on the direct ray from the access point to the measurement point. The interior concrete shear wall at top left of the lower floor leads to modest additional attenuation. Thus, we can generally conclude that attenuation and obstacles along the direct ray once again provide decent guidance to signal strength. A caution to this sanguine conclusion is the deep minimum (−86 dBm) at top right, which is not in line with the elevator shaft (striped box) or any other known metallic obstacle and is a bit of a mystery. (Complete access to all the rooms and interior wall spaces was not available.) Incomplete knowledge of building features, a likely circumstance in many cases, limits one's ability to model the results: measured data are always needed to complement theory. Figure 9.23 depicts survey data for a much larger facility (a convention center). Convention halls are typically very large open spaces with concrete walls and floors and ceiling heights of more than 10 m.

Figure 9.23: Survey of Signal Strength for a Single Access Point on the Trade Show Floor of a Convention Center; Estimated Signal Strength in dBm at Contour Edge Depicted by White Boxes (Image Courtesy of Jussi Kiviniemi, Ekahau Inc.). [Contour values from −65 to −92 dBm; scale bars 20 and 50 meters.]
There are few significant obstacles to propagation in most cases within the open area, because display booths are typically formed mostly of plastic panels with plastic or metal rods for mechanical support and in any case do not exceed a few meters in height. Note, however, that convention halls may be filled at floor level with mobile microwave absorbers—human beings! For good coverage, an access point ought to be placed several meters above floor level to allow the direct rays to clients to pass through only a few people or obstacles. In this case, the exact location of the access point being monitored is not known and may be on a separate floor from that surveyed, so overly detailed examination of the data is inappropriate. However, it is clear that a region some tens of meters on a side is covered at a very reasonable signal strength of −75 dBm, and signal strength over much of the surveyed area exceeds typical low-rate sensitivity for 802.11 radios and will provide some sort of coverage. Indoor regions of more than a hundred meters in extent can be covered with a single access point.

Before we leave the subject of indoor propagation, it is worthwhile to add a few brief remarks on a subject we have heretofore rigorously ignored: propagation exponents. In free space we know that the received power will decrease as (1/r²), where r is the distance between transmitter and receiver. It would certainly be convenient if we could model indoor propagation using the Friis equation in exactly the same fashion, just using a different value for the exponent of r—that is, it would be nice to say that indoors the received power is proportional to (1/rⁿ), where n is not necessarily 2. A great deal of work in the literature has been devoted to deriving values of n that fit a particular data set. However, wide variations in the value are seen between different researchers and different data sets: values as small as 1.8 and as large as 5 have appeared in the literature.
It is the opinion of this author that such work resembles the old joke about looking for your wedding ring under the lamp post, not because you lost it there but because the light is better. It would be nice if indoor data fit a modified exponential model with a substantially invariant value of n, but they don't. It's quite possible to see why: the dependence of signal on distance is inextricably tied up with what obstacles are encountered as the receiver moves away from the transmitter and is thus uniquely dependent on the physical arrangement and construction of a given facility. Trying to force-fit such particularized data sets into a modified distance dependence is like trying to evaluate the probability of checkmate in a chess position by measuring the distance from your queen to your opponent's king with a ruler: the measurement is perfectly valid and quite irrelevant. Indoor propagation cannot be understood in the absence of knowledge about what is inside the doors. Although it might be possible to specify useful path loss exponents for specific types of room configurations (e.g., drywall partitions spaced 3 m apart with normal incidence), it seems to me much more sensible to start with free space and count walls and other obstacles that subtract from signal strength than to introduce a functional form that has no physical basis.

9.6 How Much Is Enough?

Now that we have examined how much signal power one might find available in various sorts of indoor environments, it behooves us to ask how much we need. The basic answer is that the amount of signal power needed depends inversely on the data rate that is desired. Recall that the (S/N) needed increases as the number of bits per symbol increases and that the absolute noise level is proportional to the bandwidth and thus increases if we increase the rate at which symbols are transmitted.
The lower limit on noise is the thermal noise entering the system, modified by the excess noise of the receiver as determined by its noise figure. For bandwidths on the order of 10 MHz, as used in WLAN systems, the thermal noise is around −104 dBm, and a typical receiver noise figure of 5–8 dB means that the effective noise floor is about −98 dBm for the radio chip. Adding a few decibels to account for board and switch losses, we might expect a noise floor of −95 dBm. To demodulate binary phase-shift keying reliably, we need an S/N of about 9 dB, but recall that for the lowest data rate of 802.11 classic (1 megabit per second [Mbps]) the receiver also benefits from around 10 dB of processing gain, because the true bandwidth of the signal is an order of magnitude less than the received bandwidth. Thus, it seems possible to achieve sensitivities in the mid −90s (dBm) for 1 Mbps. To demodulate 64QAM, used in the highest rate modes of 802.11a/g, requires an (S/N) of around 26 dB and does not benefit from any spreading gain, so ignoring coding gain we might expect sensitivities of (−95 + 26) ≈ −70 dBm at the highest rate of 54 Mbps.

Table 9.3 provides published sensitivities for a selection of commercial 802.11 radios, collected through early 2004. The results are in rather good agreement with the primitive estimates of the preceding paragraph. At low rates, the best sensitivity is −94 dBm and −91 dBm is a typical number, whereas at 54 Mbps a sensitivity of −65 dBm is typical. Figure 9.24 shows actual measured data rate versus estimated received signal power for a number of commercial 802.11 radios. (The data rates reported in Figure 9.24 are those delivered from one TCP client to another across the wireless link. TCP, the transmission control protocol, is the protocol used in Internet data transfers; it delivers packets across a data link using the Internet protocol, which in turn communicates with the Ethernet drivers that ship bits into the 802.11 clients.
Thus, the reported rate includes delays due to overhead within the 802.11 packets and the Ethernet transport mechanism and reflects the true rate at which data can be moved across the link, very roughly 60% of the nominal peak rate for a given 802.11 transport mode.) The signal strength here is estimated from single-frequency measurements at corresponding positions and should be presumed accurate to no better than 3 dB. The data rates behave more or less as one would expect from the sensitivities: orthogonal frequency-division multiplexing data rates begin to fall for signal power less than −65 dBm or so, as slower modulations must be used, and rates extrapolate to zero at received powers in the mid −90s.

Figure 9.24: TCP Throughput vs. Signal Power (Estimated From CW Measurements) for Several Commercial 802.11 Radios (Slightly Edited Version of Data Published in "Correlating Link Loss With Data Throughput," Dobkin, High Frequency Electronics, January 2003, p. 22, by Permission of WJ Communications). [Axes: TCP throughput (Mbps), 0–25, vs. average signal (dBm); radios: 802.11a Atheros Gen II; 802.11b D-Link DWL650, Orinoco Gold, Cisco Aironet.]

Reported data and measurements support the rule of thumb advanced by Jesse Frankel of AirMagnet that a received signal strength of about −75 dBm should be adequate to provide high throughput from most commercial 802.11b equipment, with sufficient margin (5–10 dB) to accommodate typical local fading and random variations in signal power. More aggressive guidelines can be used if control over the client population is available. By reference to Table 9.4 one finds that the reported sensitivities vary by as much as 7 dB, so the use of only high-quality clients and access points should allow perhaps another 5 dB of margin.
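The wall counting of the residence survey and the noise-floor arithmetic above are the two halves of one link budget, and it helps to see them computed together. The following Python is added here as an illustration and is not part of the book: it takes free-space loss from the Friis relation, subtracts the chapter's per-obstacle losses (8 dB per stucco wall, 2 dB per drywall layer, 9 dB per concrete floor), and derives the sensitivity for each rate from kTB plus noise figure, board loss, required S/N and processing gain. The antenna gains (2 dBi each), the 6 dB noise figure and the 2.44 GHz center frequency are assumptions chosen so that the free-space figure at 10.5 m lands near the book's −42 dBm; the function names and the margin parameter are mine.

```python
import math

# Per-obstacle losses quoted in the chapter, in dB, for the direct ray.
OBSTACLE_LOSS_DB = {
    "stucco_wall": 8.0,       # exterior stucco wall
    "drywall_layer": 2.0,     # one layer of drywall; a partition wall is two layers
    "concrete_floor": 9.0,    # floor loss measured separately in the office survey
}

# Required S/N (dB) and processing gain (dB) per data rate, as estimated in the text.
RATE_REQUIREMENTS_DB = {
    1: (9.0, 10.0),   # 802.11 classic, BPSK/Barker: ~9 dB S/N, ~10 dB spreading gain
    54: (26.0, 0.0),  # 802.11a/g 64QAM: ~26 dB S/N, no spreading gain (coding gain ignored)
}

SPEED_OF_LIGHT_M_S = 3.0e8


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis free-space path loss between isotropic antennas: 20*log10(4*pi*d/lambda)."""
    wavelength_m = SPEED_OF_LIGHT_M_S / freq_hz
    return 20.0 * math.log10(4.0 * math.pi * distance_m / wavelength_m)


def received_power_dbm(tx_dbm: float, distance_m: float, freq_hz: float = 2.44e9,
                       obstacles=(), tx_gain_dbi: float = 2.0, rx_gain_dbi: float = 2.0) -> float:
    """Free-space link budget minus the counted losses of obstacles crossed by the direct ray.

    `obstacles` holds keys of OBSTACLE_LOSS_DB, one entry per crossing (a partition wall
    is two "drywall_layer" entries). The 2 dBi antenna gains are assumed values.
    """
    excess_db = sum(OBSTACLE_LOSS_DB[o] for o in obstacles)
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - free_space_path_loss_db(distance_m, freq_hz) - excess_db)


def noise_floor_dbm(bandwidth_hz: float, noise_figure_db: float = 6.0,
                    board_loss_db: float = 3.0) -> float:
    """Thermal noise kTB at 290 K (-174 dBm/Hz) plus receiver noise figure and board/switch losses."""
    return -174.0 + 10.0 * math.log10(bandwidth_hz) + noise_figure_db + board_loss_db


def sensitivity_dbm(rate_mbps: int, noise_dbm: float) -> float:
    """Minimum received power for a rate: noise floor + required S/N - processing gain."""
    snr_db, processing_gain_db = RATE_REQUIREMENTS_DB[rate_mbps]
    return noise_dbm + snr_db - processing_gain_db


def supportable_rates(rx_dbm: float, noise_dbm: float, margin_db: float = 0.0):
    """Rates (ascending) whose sensitivity is met with at least `margin_db` to spare."""
    return [r for r in sorted(RATE_REQUIREMENTS_DB)
            if rx_dbm - sensitivity_dbm(r, noise_dbm) >= margin_db]


if __name__ == "__main__":
    noise = noise_floor_dbm(10e6)                 # about -95 dBm for a 10-MHz WLAN channel
    clear = received_power_dbm(14.0, 10.5)        # one internal wall or fewer: near free space
    # The residence's worst direction: three stucco walls plus four two-layer partitions.
    blocked = received_power_dbm(14.0, 10.5,
                                 obstacles=["stucco_wall"] * 3 + ["drywall_layer"] * 8)
    for label, rx in (("free space", clear), ("walls counted", blocked)):
        print(f"{label}: {rx:6.1f} dBm, rates with 5 dB margin: "
              f"{supportable_rates(rx, noise, 5.0)}")
```

Running it reproduces the chapter's reasoning: the free-space case at 10.5 m comes out near −43 dBm and supports both rates with margin, while the wall-counted direction loses exactly 40 dB and keeps only the 1 Mbps rate, with about 13 dB to spare against the −96 dBm estimate. Swapping in a measured noise figure or a vendor's published sensitivity in place of the estimate is the obvious refinement.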
However, system administrators wishing to follow such a path should recall that users are typically enamored of the client they have and would much prefer having it work adequately at their preferred locations to switching to a different client (which after all may create hardware and/or software problems for them). Using these guidelines, we can infer from Figures 9.21 to 9.23 that a single access point with typical output power around 14–16 dBm can reasonably be expected to cover a small residence and that a 100-mW (20 dBm) access point can cover a 25-m radius in an open industrial facility or perhaps 50 m in a large open room. Coverage is strongly affected by obstacles encountered by the direct ray, as noted in the previous section. In the sort of open-area cubicle environment often encountered in modern commercial facilities, the access point should be located high enough above the floor to avoid most obstacles and partitions for optimal coverage. Note also that providing ample power at the corners of an open room with exterior walls using a high-powered, centrally located access point will probably also result in significant leakage to the outside world (e.g., see Figure 9.21): if security is an important issue, the use of multiple low-power access points, preferably with inward-pointing directional antennas, is preferred. Such inward-looking access points mounted at the corners of a building, combined with a few centrally located access points, can achieve excellent high-rate coverage in the interior of a large building while keeping exterior leakage very small. Radiating cable can be used to provide supplementary coverage in corridors near exterior walls and for partitioned offices whose walls will cumulatively block coverage from the corner-mounted access points. (Even better security, as well as esthetic and environmental benefits, results from providing extensive evergreen foliage in the areas surrounding the building in question, so that would-be eavesdroppers in distant locations have no clear line of sight.)

Table 9.4: Published Sensitivity for Various Commercial 802.11 Radios

Radio                      Sensitivity at 54 Mbps (dBm)   Sensitivity at 11 Mbps (dBm)   Sensitivity at 1 Mbps (dBm)
Orinoco AP/Gold NIC card                                              −82                            −94
Cisco Aironet 350                                                     −85                            −94
D-Link DWL900 AP                                                      −79                            −89
D-Link DWL650 NIC                                                     −84                            −90
Proxim 8550 AP                                                        −83                            −91
Surf'n'sip EL2511                                                     −87                            −95
D-Link DWLAG650                         −73
Bewan 54 G                              −65                           −80
Trendware TEW403                        −65                           −80

The remaining rows (D-Link DCF650 cf, Bewan USB11, Senao 2511, Eazix EZWFDU01, Eazix EZWFM5-02, and the summary line) are not legible in this copy; their values survive only as an unplaced sequence: −80, −88, −91, −94, −80, −88, −91, −85, −93, −65, −80, −87, −67, −83, −91, −83.

9.7 Indoor Interferers

9.7.1 Microwave Ovens

WLANs and wireless personal area networks mostly operate in the unlicensed bands around 2.4 and 5 GHz. In the United States, radios operating in these unlicensed bands are obligated under Federal Communications Commission (FCC) regulations to accept any interference they encounter, but the users don't have to be happy about the results. What are the likely sources of such interference?
High on everyone's list of suspects is the humble microwave oven. It is remarkably unlikely that microwave ovens will start to use frequencies other than 2.4 GHz, given the huge installed base, vast experience, and the cost-driven nature of consumer markets. Therefore, WLAN users who choose to operate at 2.4 GHz must live with them when they are present. Note that in the United States the FCC does not regulate microwave ovens; they are, however, subject to Food and Drug Administration restrictions that require less than 1 mW/cm² of equivalent radiated power be detected at 5 cm distance from any location on the oven surface. Averaged spectra and time-dependent spectra for a representative microwave oven interferer are shown in Figure 9.25. Emission peaks at around 2440 MHz, but it is apparent that significant emission is present across about half of the ISM band. Emission is seen to be sporadic in time. The likely explanation is that the oven RF power is actually on for roughly half of each AC cycle of 16.7 msec (making for a simpler power supply). At a scan rate of 500 ms/scan for 500 MHz, the spectrum analyzer spends only 1 msec in each 1-MHz region, and thus on any given scan the analyzer may record peak RF output, reduced power, or nothing at all, even though the average oven peak power is constant from cycle to cycle.

Figure 9.25: Emission Spectrum Due to a Microwave Oven Averaged Over Time (Top) and vs. Time (Bottom, 0.5-sec Scans) (From "Literature Search and Review of Radio Noise and Its Impact on Wireless Communications," Richard Adler, Wilbur Vincent, George Munsch, and David Middleton, US Naval Postgraduate School, for FCC TAC, 2002). [Top: amplitude (dBm), −50 to −110, vs. frequency (MHz), 2120–2620, with the ISM band marked; bottom: time (s), 0–31, vs. the same frequency span.]

Figure 9.26 shows measured power emitted from a number of standard commercial microwave ovens at distances from 1 to 5.5 m, corrected to a standard distance of 5 m assuming free-space propagation. As can be seen in Figure 9.25, the emission spectrum of a microwave oven is complex and contains numerous peaks; the data in Figure 9.26 include only a few of the highest peaks for each oven. Note that different ovens do not have the same power spectrum, though all share the same general feature of strong emission around 2.45 GHz. These data also show much stronger emission around 2.35 GHz than seen in Figure 9.25 for several ovens (though that is outside the nominal ISM band and hopefully of little import to 802.11 users). Institute of Electrical and Electronic Engineers (IEEE) 802.11 WLANs divide the ISM band into 14 5-MHz channels centered from 2.412 to 2.484 GHz, though only channels 1, 6, and 11 are normally available as nonoverlapping channels in the United States. From Figure 9.26 it is clear that most ovens will have a modest effect on the low-numbered channels but will interfere significantly with channels 6 through 11.

Figure 9.26: Measured Power at Selected Frequencies for Six Conventional Microwave Ovens; Measurements at 1–5.5 m, Using 2.4-GHz Quarter-Wave Monopole 1 m from Floor, Acquired with a Spectrum Analyzer in Peak-Hold Mode, Corrected to 5 m Assuming Free-Space Propagation. [Axes: power (dBm) at 5 meters, −20 to −55, vs. frequency (GHz), 2.34–2.5, with 802.11 channels 1, 6 and 11 marked; ovens: Amana 1 (1 m, and 1 m side), Amana 2 (1 m), Amana 3 (1 m), Amana 4 (1 m and 5.5 m), GE (2.4 m), Kenmore (2.4 m).]
Fortunately, the sporadic nature of microwave oven interference suggests that only modest effects will be felt for short packets. This supposition was confirmed in the work of Chang and coworkers, who found that the same microwave oven interference that caused packet error rates of 30–40% in 400-byte packets for distances up to 20 m from the oven caused less than 5% packet errors in 100-, 200-, and 300-byte packets even when the receiver was only 4 m from the oven. Chang et al. describe their equipment as 802.11 direct-sequence spread spectrum (DSSS); if we assume they were using an 802.11 classic link at 1 Mbps, a 400-byte packet is roughly 3.3 msec long (the exact value is unclear, because the authors have not recorded whether the 400-byte total covers only data or includes headers). It is difficult to reconcile the measured 50% duty cycle of oven radiated power (e.g., see Unawong et al.) with the sudden threshold for bad packets they found above 300 bytes, but we can still qualitatively conclude that short packets have a good chance of finding their way around oven interference pulses. Because much higher data rates produce packets of shorter duration, it is reasonable to expect that their resilience to oven interference will be good. For example, at 11 Mbps, a maximum-length 1500-byte packet will be only a bit more than 1 msec in duration; at least half of the packets will encounter no interference. Note that when interference of this type is limiting performance, backing off to lower rates may actually increase the packet error rate. Most control interfaces provide a mechanism for the user to adjust the threshold for packet fragmentation (sometimes known as interference robustness), which is the proper response to problems with oven interference.
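The packet-length reasoning of the preceding two paragraphs can be made explicit with a small model. The following Python is an added example, not part of the book: it computes frame airtime at a given rate and, assuming the oven radiates for half of each 16.7-ms mains cycle as the text suggests, the fraction of frames that start at a random instant and finish before the magnetron comes back on. It then uses that fraction to compare the expected airtime, retransmissions included, for several fragmentation thresholds. The periodic on/off interferer model, the 192-µs preamble overhead and the candidate fragment sizes are assumptions; the function names are mine.

```python
import math

MAINS_PERIOD_MS = 16.7   # one 60-Hz AC cycle, as in the text
OVEN_DUTY_CYCLE = 0.5    # magnetron radiating for roughly half of each cycle (text's explanation)


def airtime_ms(frame_bytes: int, rate_mbps: float, overhead_us: float = 192.0) -> float:
    """Time on air for one frame: fixed preamble/header overhead plus payload bits at the data rate.

    The 192 us overhead is an assumed long-preamble cost; pass overhead_us=0 to reproduce the
    text's payload-only figure (400 bytes at 1 Mbps = 3.2 ms).
    """
    return overhead_us / 1000.0 + frame_bytes * 8.0 / (rate_mbps * 1000.0)


def clean_fraction(frame_ms: float, period_ms: float = MAINS_PERIOD_MS,
                   duty: float = OVEN_DUTY_CYCLE) -> float:
    """Fraction of frames, started at a uniformly random instant, that never overlap the oven's on-time.

    Periodic on/off model (an assumption): the frame is clean only if it starts inside the
    off-window and ends before the on-window begins, so the usable start interval is the
    off-window length minus the frame length.
    """
    off_ms = (1.0 - duty) * period_ms
    return max(0.0, off_ms - frame_ms) / period_ms


def expected_airtime_ms(total_bytes: int, fragment_bytes: int, rate_mbps: float) -> float:
    """Expected airtime to deliver total_bytes as fragments that are each retried until clean.

    A fragment succeeds with probability p = clean_fraction(...), so it needs 1/p attempts on
    average (geometric retries, backoff ignored). Returns inf when a fragment is longer than
    the off-window and so can never get through.
    """
    fragments = math.ceil(total_bytes / fragment_bytes)
    per_fragment_ms = airtime_ms(fragment_bytes, rate_mbps)
    p = clean_fraction(per_fragment_ms)
    if p == 0.0:
        return math.inf
    return fragments * per_fragment_ms / p


def best_fragment_size(total_bytes: int, rate_mbps: float,
                       candidates=(100, 300, 500, 1500)) -> int:
    """Candidate fragmentation threshold with the lowest expected airtime at this rate."""
    return min(candidates, key=lambda size: expected_airtime_ms(total_bytes, size, rate_mbps))


if __name__ == "__main__":
    for rate in (1.0, 11.0):
        print(f"{rate:4.0f} Mbps: 400-byte frame {airtime_ms(400, rate):.2f} ms, "
              f"clean {clean_fraction(airtime_ms(400, rate)):.0%}; "
              f"1500-byte frame clean {clean_fraction(airtime_ms(1500, rate)):.0%}; "
              f"best fragment size {best_fragment_size(1500, rate)} bytes")
```

The model reproduces the qualitative conclusions: at 1 Mbps a full 1500-byte frame is longer than the oven's off-window and never gets through unfragmented, and a 100-byte fragmentation threshold delivers it fastest; at 11 Mbps the unfragmented frame is already short enough that fragmenting only adds overhead. It deliberately ignores carrier-sense deferral and a receiver's tolerance of brief overlap, which is why its clean fractions run lower than the text's "at least half".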
Chang and coworkers report high bit error rates out to about 22 m from the microwave oven for 400-byte packets, with the radius of disturbance shrinking to about 17 m when a concrete wall was interposed between the oven and the receiver. Unfortunately, they provide no information on transmitter position or received signal strength, so we cannot generalize their results. As a rule of thumb, access points should be positioned so that locations of frequent usage are significantly closer to the nearest access point than to the nearest microwave oven, and ovens should be sequestered behind partition walls (concrete if possible) to further reduce their interference potential. Because the peak received power of −30 dBm or so at 5 m is quite comparable with that of an access point at a similar distance, interference will likely be serious if the oven is closer to the user than the desired access point and may still represent a limitation on high-rate data even when relatively distant. Finally, in view of the typical usage pattern for most microwave ovens in industrial locations, users stuck near an oven should consider breaking for lunch at lunch time.

9.7.2 Other WLAN Devices

Multiple access points within a single building or single floor of a large building are likely to provide overlapping regions of coverage. If all the access points are under the control of a single organization, their channels can be arranged so as to reduce interference. In the U.S. ISM band, as noted previously, only three nonoverlapping channels exist (1, 6, and 11): assuming good-quality radios, access points on distinct nonoverlapping channels should not interfere with each other. However, as previously noted, at least four channels are needed to provide a robust tiling of the plane with no adjacent interferers, and seven or more are preferred. The situation is worse if multiple-floor buildings with penetrable floors are present.
To design a network that is truly interference free while providing complete coverage, it is desirable to operate in the UNII band, where an adequate set of nonoverlapping channels is available. The potential achievability of noninterfering channel allocations is somewhat irrelevant when overlapping access points are not under the control of a single organization, as is likely to be the case in multitenant facilities, particularly when the tenants are separated only by interior partition walls. Fortunately, 802.11, like other Ethernet-style medium access controls (MACs), is robust to collisions and interference as long as loading is not too heavy. In general, both MACs will detect a packet failure and randomly back off for retransmission, resulting in a modest degradation in performance as long as the collisions are infrequent. However, Armour and coworkers showed that the HiperLAN MAC suffers more degradation in performance from an uncontrolled neighboring access point on the same frequency than does carrier-sense multiple access with collision avoidance (CSMA/CA), because HiperLAN does not expect unscheduled transmissions to overlap its assigned time slots. Even if interference between neighboring access points is eliminated, the shared-medium nature of wireless links ensures the potential of cochannel interference between clients sharing the same access point. Interference between multiple clients is handled by the MAC layer of the protocol; in 802.11, the CSMA/CA MAC treats interference between two users as a dropped packet if it leads to a packet error and resends the packet after random backoff. In practice, this approach provides for up to five to seven simultaneous users, each receiving around 1 Mbps of throughput, in a single 802.11b cell. Because typical users are only occasionally transferring network data, up to 20 workstations or potential users can be accommodated in one access point.
In HiperLAN and other centrally coordinated schemes, negligible interference between users in the same domain occurs because each is allocated transmission times. As with microwave ovens, implementation of request to send/clear to send and packet fragmentation will increase robustness to interference from other clients and access points at the cost of reduced peak throughput. Another practical consequence of multiple access points at similar power levels is changes in the association state of a client if it is set to associate with the strongest access point signal. Such "flipping" can be very irritating for the user but can be dealt with by requiring association to only the desired BSSID.

9.7.3 Bluetooth vs. Wi-Fi

Bluetooth devices transmit in 75 1-MHz channels, randomly selected 1600 times per second. Thus, in any given millisecond, collocated Wi-Fi or 802.11g and Bluetooth devices can potentially interfere. The extent of the interference is likely to depend both on the ratio of the desired signal (Wi-Fi or Bluetooth, depending on whose viewpoint one takes) to the interferer (BT or Wi-Fi): the signal-to-interference ratio (S/I). The (S/I) is in turn determined by two path losses: that from the wanted transmitter to the receiver and that from the interferer to the victim receiver. Interference is a bigger problem when the victim receiver is at the edge of its range. Finally, because Bluetooth is a frequency-hopping protocol and Wi-Fi is not, the frequency separation between channels is another variable; when the separation greatly exceeds the width of the Wi-Fi channel, little interference is likely in either direction. Model results, reviewed by Shelhammer, show that the interference effect on Bluetooth devices of an interfering 802.11b device is mostly confined to the Bluetooth slots within about 6 MHz of the Wi-Fi channel.
Because there are 75 slots (in the United States) that can be used, this means that about (11/75) ≈ 15% of slots are subject to interference. Bluetooth packets are generally (though not always) contained within a single frequency slot, so one can roughly say that the Bluetooth packet loss rate will not exceed 15% even when severe Wi-Fi interference is present. A 10–15% packet error rate has modest impact on data communications but will lead to noticeable degradation in voice quality. Proposed enhancements to the Bluetooth link standards, which provide simple retransmission capability, can nearly eliminate packet loss, but existing Bluetooth devices (of which tens of millions have been shipped) will not benefit from these improvements. Because of the robust Gaussian minimum-shift keying modulation used in Bluetooth, even the central frequency slots with maximum overlap with Wi-Fi will achieve bit error rates of less than 10⁻³ if (S/I) is at least 5 dB; for a Bluetooth master and slave separated by 1 m, a Wi-Fi client device more than 4 m away from the victim receiver will have modest impact on the Bluetooth device. Note that if the Wi-Fi device in question is lightly used (as most are most of the time), effects will be proportionately smaller. These theoretical results were generally confirmed by the measurements of Karjalainen and coworkers. However, they found that much more severe effects could result if the WLAN and Bluetooth devices were placed together (as if on a single laptop device); in this case, the Bluetooth throughput could be degraded by as much as 80%, presumably due to the strong coupling of even the edges of the WLAN spectrum into the Bluetooth receiver. Changing sides in the debate to become a Wi-Fi proponent, we find that the worst effects are again confined to Bluetooth slots within about 6 MHz of the Wi-Fi center frequency.
At 1 Mbps, a Wi-Fi link can tolerate an (S/I) level of −3 dB (i.e., the Bluetooth signal is 3 dB larger than the Wi-Fi signal) before severe degradation of the bit error rate occurs, because of the processing gain of the Barker code, even for the worst Bluetooth channel (which in this case is 1 MHz from the Wi-Fi center frequency). An 11-Mbps complementary code keying link, which has some coding gain but no processing gain, requires an (S/I) of +4 dB for the worst Bluetooth channel to ensure unaffected performance (in this case the 0-MHz channel, because the complementary code keying spectrum is a bit different from the Barker spectrum). A Bluetooth client more than about 4 m away from a Wi-Fi device with good (S/N) will have little effect on the latter, though the potential for interference increases when the Wi-Fi device nears the end of its range. Note that just as in the microwave oven case, a Wi-Fi device operating in a high-rate mode will suffer less from the interferer than at 1 Mbps, because the shorter packets are less likely to encounter an interfering Bluetooth slot. An 11-Mbps link will only suffer packet loss of around 4% even in the presence of an adjacent Bluetooth device, whereas the same situation at 1 Mbps produces packet loss of more than 50%. Soltanian and coworkers showed in modeling that adaptive notch filters could be used to remove Bluetooth interference from a direct-sequence 802.11 signal. Orthogonal frequency-division multiplexing packets, used in 802.11g, are potentially robust to narrow-channel interference, because it is in principle possible for the decoder to recognize and discard contaminated subcarriers. Doufexi and coworkers showed that with such adaptation, the impact of a Bluetooth interferer is almost negligible even at an (S/I) of −11 dB and quite modest (S/N) ratios.
However, because "g" radios must be capable of using direct-sequence preambles audible to older radios, problems with interference would persist. In any case, these advanced capabilities have not yet been incorporated into commercial radios as far as the author can ascertain. Wi-Fi–Bluetooth results are summarized in Table 9.5. The guard radius (the distance at which the interferer has little effect on the victim receiver) therein is only a guideline; for a specific physical arrangement, link loss for both transmitters, and thus the (S/I), must be estimated.

Table 9.5: Wi-Fi and Bluetooth as Interferers

Interferer   Victim           Minimum (S/I) for Negligible Interference   Worst-Case Packet Loss   Guard Radius for Negligible Interference
Wi-Fi        Bluetooth        +5 dB                                        15%                      4 m
Bluetooth    Wi-Fi 1 Mbps     −3 dB                                        50%                      2.5 m
Bluetooth    Wi-Fi 11 Mbps    +3 dB                                        4%                       4 m
From Shelhammer, Figures 14-1–14-6.

9.7.4 Cordless Phones

Cordless phones are an extremely popular convenience (though the inconvenience of a misplaced ringing cordless phone sometimes seems to exceed the benefits!) in homes and (somewhat less frequently) in office environments. Most purchasers appear quite comfortable with obtaining handsets and base stations from the same manufacturer, and there is little commercial pressure for interoperability, so cordless phones are generally unique proprietary designs subject only to compliance with regulatory requirements. As a consequence, both frequency-hopping and direct-sequence designs are used. Output power and signal bandwidth also vary noticeably, though the signals are quite narrowband from the viewpoint of an 802.11-type network, appropriate to the modest data rate (roughly 60 Kbps if uncompressed, as little as 10 Kbps if compression is used) needed for voice. A few representative examples are summarized in Table 9.6. The output power of most of the phones is comparable with or larger than that of typical consumer (30–50 mW) or enterprise (100 mW) access points.
Table 9.6: A Few Representative Cordless Phone Schemes

Vendor    Scheme   Power (mW)   Bandwidth (MHz)
Uniden    DSSS     10           2.8
V-Tech    FHSS     60           1
Sharp     DSSS     100          1.8
Siemens   FHSS     200          0.8
Source: FCC web site.

The emission spectra of portable phones as interferers are shown in Figure 9.27. The received power from these nearby interferers is as large as −30 dBm. The time-dependent results show that the interference is sporadic, so that even if the direct-sequence phone lies on top of the wanted Wi-Fi channel, data transfer will still occur during idle times, but peak data rates will be significantly reduced when the phones are active. Phones are also likely to be used more extensively than microwave ovens in most environments (save perhaps fast-food restaurants), so they constitute an important source of interference for Wi-Fi. However, the narrowness of the DSSS signals in frequency (so that only a few Bluetooth hops would be affected) and the minimal overlap of two random frequency-hopping spread spectrum (FHSS) patterns imply that cordless phones will not be significant interferers for Bluetooth links. Because cordless phones are, after all, mobile, unlike most microwave ovens, it is generally impractical to sequester them behind absorbing walls or relegate them to locations more distant from the relevant access point.

Figure 9.27: Spectra of a DSSS and Two FHSS Portable Phones Acting as Interferers: (Top) Averaged Power; (Bottom) Time-Dependent Power (Home Office, Davis, CA, 2002; Monopole Antenna ⇒ High Dynamic Range Preamplifier) (From "Literature Search and Review of Radio Noise and Its Impact on Wireless Communications," Richard Adler, Wilbur Vincent, George Munsch, and David Middleton, U.S. Naval Postgraduate School, for FCC TAC, 2002). [Top: power (dBm), −14 to −94, vs. frequency (MHz), 2400–2500, with the DSSS and FHSS phone signals labeled; bottom: time (s), 0–121.1, vs. the same frequency span.]
FHSS phone interferers will resemble Bluetooth interferers, sporadically causing packet errors as they hop onto the Wi-Fi channel, with the effect being less serious for higher data rate packets. The higher power of the phones makes the guard radius much larger than that cited in Table 9.5 for Bluetooth. In simple environments with only one or two access points and one or two DSSS phones (assuming they are under control of one person or organization), it is possible to adjust the Wi-Fi channels and the phone channels to avoid overlap. Phone operating manuals don’t always provide the channel frequencies, but these can be found (with some labor) in the FCC compliance reports. For more complex environments with numerous phones and access points, DSSS phones can be generally set around Wi-Fi channels 3 or 4 and 8 or 9 to minimize overlap with Wi-Fi devices at 1, 6, or 11. In the case of a complex system in which the intermingling of numerous cordless phones and WLAN devices is inevitable, two alternative courses of action still remain. Wi-Fi–based portable phones, using voice-over-Internet-protocol, are becoming widely available. Although these phones are Wi-Fi devices and thus will compete for the same medium as data, the CSMA/CA MAC ensures that coexistence will be more graceful than that of an uncoordinated proprietary interferer. The second approach is to relocate the data network to the 5-GHz band, where very few cordless phones operate today. The UNII band provides more bandwidth and channels and is not subject to interference from microwave ovens or Bluetooth devices. For mission-critical data applications in complex coverage networks subject to unavoidable interferers, 802.11a or dual-band networks should be considered.

9.8 Tools for Indoor Networks

9.8.1 Indoor Toolbox

Constructing and managing an indoor WLAN involves a number of tasks related to signals and propagation. Most networks use a number of fixed access points to provide service to a specific area.
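The channel-planning rule for DSSS cordless phones given in Section 9.7.4 (phones set around Wi-Fi channels 3 or 4 and 8 or 9 when the access points sit on 1, 6, and 11), as an added planning tool that is not from the book: a small Python overlap calculator using the DSSS bandwidths of Table 9.6. It assumes (not stated on the page) that 2.4 GHz Wi-Fi channel n is centred at 2407 + 5n MHz and that an 802.11b signal occupies about 22 MHz; all function and variable names are mine.

```python
# Spectral-overlap planner for DSSS cordless phones versus Wi-Fi channels.
# Added example, not from the book. Assumed (not on the page): Wi-Fi channel n
# is centred at 2407 + 5n MHz (n = 1..13); an 802.11b DSSS signal is ~22 MHz wide.
from typing import Dict, List, Tuple

WIFI_WIDTH_MHZ = 22.0            # assumed 802.11b null-to-null bandwidth
PHONE_BANDWIDTHS_MHZ = {         # DSSS entries from Table 9.6
    "Uniden": 2.8,
    "Sharp": 1.8,
}


def wifi_center_mhz(channel: int) -> float:
    """Centre frequency of 2.4 GHz Wi-Fi channel 1..13 (assumed 5 MHz raster)."""
    if not 1 <= channel <= 13:
        raise ValueError("only channels 1..13 are modelled here")
    return 2407.0 + 5.0 * channel


def band(center_mhz: float, width_mhz: float) -> Tuple[float, float]:
    """Lower and upper edge of a signal of the given width around its centre."""
    return (center_mhz - width_mhz / 2.0, center_mhz + width_mhz / 2.0)


def overlap_mhz(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Width of the frequency range common to two bands (0 if disjoint)."""
    return round(max(0.0, min(a[1], b[1]) - max(a[0], b[0])), 3)


def phone_overlap(phone_center_mhz: float, phone_width_mhz: float,
                  wifi_channels=(1, 6, 11)) -> Dict[int, float]:
    """Overlap in MHz between one phone and each Wi-Fi channel in use."""
    phone = band(phone_center_mhz, phone_width_mhz)
    return {ch: overlap_mhz(phone, band(wifi_center_mhz(ch), WIFI_WIDTH_MHZ))
            for ch in wifi_channels}


def clear_phone_centers(phone_width_mhz: float, wifi_channels=(1, 6, 11),
                        step_mhz: float = 0.5) -> List[float]:
    """Centre frequencies on a step_mhz grid (from channel 1 to channel 13)
    at which the phone overlaps none of the Wi-Fi channels in use."""
    lo, hi = wifi_center_mhz(1), wifi_center_mhz(13)
    n_steps = int(round((hi - lo) / step_mhz))
    centers = [round(lo + i * step_mhz, 3) for i in range(n_steps + 1)]
    return [c for c in centers
            if all(v == 0.0 for v in
                   phone_overlap(c, phone_width_mhz, wifi_channels).values())]


if __name__ == "__main__":
    for vendor, width in PHONE_BANDWIDTHS_MHZ.items():
        # a phone parked exactly on channel 3 still clips channel 1 a little
        print(vendor, "on channel 3:", phone_overlap(wifi_center_mhz(3), width))
        # the gaps between 1/6 and 6/11 are only 3 MHz wide, so few spots are clear
        print(vendor, "clear centres (MHz):", clear_phone_centers(width))
```

With 1, 6, and 11 in use, the only fully clear spots for the 2.8 MHz phone fall midway between channels 3 and 4 and between 8 and 9, which is the rule the text gives; a hypothetical 4 MHz phone finds no clear spot at all.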
Planning the locations of the access points to ensure good coverage and minimize cost requires some thought be given to the unique propagation characteristics of the building or campus in question. A first estimate can be derived using building plans and the information presented previously in this chapter, but for complex installations, automated modeling may be helpful and surveying is essential. In multitenant environments, an examination of the interference environment, due to both other access points and clients and non-LAN interferers, may be needed to understand what quality of service is achievable. Once the network is installed, ongoing monitoring may be helpful both to ensure that coverage remains acceptable despite the inevitable changes in the propagation environment as people, equipment, and partition walls move and change and to protect against new interferers and “rogue” access points. (Rogue access points are access points connected to the wired network without approval of the corporate or facility authority. Because of the Ethernet-based transparency of the 802.11 standard and the fact that most organizations assume physical security for their internal network and impose little additional access control on its ports, it is easy for an employee or occupant to simply plug a consumer access point into the internal Ethernet network, possibly without even activating Wired Equivalent Privacy encryption. Such an access point provides an open opportunity for any nearby person equipped with a client card to obtain Internet access through the wired network, possibly without the approval of the owners of the network. Many wired networks will also allow a client to see the list of servers available on the LAN with no authentication of any kind, an invitation for industrial espionage if the client is capable of sniffing passwords or other attacks. Thus, rogue access points represent significant security concerns.)
Commercial organizations and software change rapidly, particularly in developing fields like wireless networks, and any specific listings and advice provided in a book of this nature are likely to be out of date by the time the reader could take advantage of them. Therefore, with respect to such tools, it is the intention of this section merely to provide examples of equipment and software capabilities that are available at the time of this writing, so that the reader may be apprised of the sort of resources that might be helpful. Nothing herein should be taken as either a review or an endorsement of any particular hardware tool or software package.

9.8.2 Surveying

The purpose of surveying is to assess received signal strength as a function of location within (and perhaps beyond) the intended coverage area. Many standards, including the 802.11 standards, require that compliant radios provide some measure of the average power of each received packet (typically known as the received signal strength indication [RSSI]); in consequence, any compliant 802.11 radio can be used as a survey tool. The author has verified that RSSI results for at least a couple of commercial client cards are well correlated with received power of continuous-wave signals measured using a network analyzer; RSSI provides a useful semiquantitative indication of signal strength. The simplest approach to surveying is thus to use any portable device equipped with a client card and software that displays RSSI. Many card vendors provide management utilities that offer access to received signal strength. There are also numerous public-domain and shareware utilities that provide lists of received access point and client signals, including recent and average signal power: Netstumbler (Windows OS, www.netstumbler.org), Kismet (Linux, www.kismetwireless.net), and Kismac (Mac OS, www.binaervarianz.de/projekte/programmieren/kismac/) are some examples.
A screen shot of a Kismac scan output is depicted in Figure 9.28. Simple surveying can be accomplished by manually recording received power on a facility map. For small facilities and simple installations, such an approach is quite adequate (and low in cost).

Figure 9.28: Example of Stumbler Application Scan Result, Showing Most Recent and Average Signal Strength Indicators for Each Access Point Received

For more complex installations, involving multiple access points and large multifloor buildings, manual surveys become impractically laborious. Fortunately, software tools are available to automate the process. Current tools allow the import of a graphic background (typically a building plan) on which the user can indicate a starting and stopping point by mouse clicks; data are then acquired at regular intervals as the user walks from the starting to the stopping point, and with the presumption that the walk was performed at a constant rate each data point may be assigned to a location. A thorough survey of a large facility can thus be acquired rapidly without sacrificing the flexibility of handheld portable devices for data acquisition. Surveying tools of this type are available from (at least) ABP Systems, Ekahau Inc., AirMagnet, and Berkeley Varitronics as of this writing. Berkeley Varitronics provides a custom personal digital assistant with calibrated Wi-Fi receiver, so that the absolute signal power is available, whereas the others run as software programs on a Wi-Fi–equipped portable device and are limited to RSSI inputs. Figure 9.29 shows a map of signal strength obtained using Ekahau Site Survey 2.0, superimposed on a building plan and record of the walking path used in acquiring the survey. Maps of other parameters of interest, such as data rate, coverage, S/N or S/I, and strongest access point in each location, are also available. Similar maps and features are available from the other vendors.
These tools are much faster than manual surveying for a large facility!

Figure 9.29: Survey Result for Signal Strength for a Specific Access Point Superimposed on Facility Map; Dashed Lines Indicate Walking Paths Used in Survey; File Management and Access Point List Windows Are Also Shown (Image Courtesy Ekahau Inc.)

In addition to the hardware and software needed on the receiving end, when surveying before installation the toolkit should include at least two portable easily installed access points so that candidate locations can be readily tested; two are recommended to allow for real-time examination of the overlap region between each pair. Another useful addition to the toolkit for large facilities is a tall portable support pole for raising a candidate access point close to the facility ceiling when installation there is likely.

9.8.3 Indoor Propagation Modeling

From the discussion presented in this chapter, the reader will have gathered that the first step in understanding propagation in a building is to examine the building layout and understand the obstacles to propagation that are present. For any given proposed access point location, a ruler placed over the map will allow a quick if rough evaluation of the likely signal strength, given that the approximate nature of the walls and fixed obstacles is known. Automated modeling allows the planner to deal with larger, more complex installations. Modeling uses ray tracing techniques; rays are launched at a variety of angles, and the obstacles the rays encounter result in the launch of new rays (e.g., due to reflection) and changes in the ray amplitude (due to absorption and partial transmission).
The net phase accumulation along the ray can be tracked to attempt to reconstruct the actual received signal amplitude, though as we have noted it is very difficult in practice to know geometries to such precision as to make relative phase data meaningful. In most cases, the relative amplitude of the important rays is sufficient to establish average signal strength within a region. Phase accumulation is of course equivalent to propagation delay, so that power/delay profiles like Figure 9.19 can also be estimated to ensure that they do not exceed the tolerance of the relevant modulation for multipath delay. The algorithmic art of a successful ray-tracing problem for complex environments is in the handling of the interaction of obstacles and rays to minimize the computational burden. The problems encountered are similar to those dealt with in rendering software used to produce computer-graphics images. Considerable ingenuity goes into establishing which obstacles and portions of obstacles are visible after a certain number of reflections and avoiding computation along paths that will never contribute to the received signal. A key choice in determining the size of the problem is the number of obstacle interactions to be evaluated; if one chooses (as we have for the manual approach) to model only absorption along the direct ray, the computational burden is much reduced, and qualitative features are still correctly reproduced in most cases. As with most computational modeling, the problem size increases drastically in progressing from two-dimensional to three-dimensional simulations, and many of the tricks used in other fields to reduce computational time cannot be applied here, because buildings generally do not have axes of symmetry. Diffraction around obstacles is often treated in ray-tracing contexts using the Uniform Theory of Diffraction or the Generalized Theory of Diffraction. 
These methods attempt to account for the effect of an obstacle through the definition of effective rays emitted at the edges of the obstacle, where the amplitude and phase of these rays are determined by a fit to Fresnel integrals. Such look-up–based approaches are much more computationally efficient than a complex integration when a large number of irregularly shaped obstacles must be handled. Commercial software tools specific to indoor propagation for WLAN systems are available from such vendors as Wireless Valley, Wibhu Technologies, ABP Systems, and Ekahau, among others. Most systems can take a building plan graphic as input but require some manual intervention to mark features as walls of a particular type, so that the appropriate RF properties can be assigned. Multifloor buildings can be simulated. Results generally include maps of signal strength and related properties such as signal to noise and interference. Some vendors have constructed databases of commercial access points and clients and thus can provide expected data rate and throughput for specified clients as a function of location.

9.9 Summary

Buildings in the modern world use a modest repertoire of structural materials, of which steel, concrete, wood, glass, gypsum, and bricks and masonry are most frequently encountered. Small buildings use load-bearing walls of concrete, reinforced masonry, or (for residences) plywood and non–load-bearing partitions of stud-reinforced gypsum. Large buildings rely on steel or reinforced concrete framing and do not use load-bearing walls. Floors may be made of wood or concrete on either wood or steel. At microwave frequencies, typical thicknesses of gypsum, glass, and wood induce only modest absorption. Brick and masonry absorb noticeably. Concrete properties vary depending on mixture and cure state, but thick concrete walls will usually represent significant absorbers.
Most common structural materials have refractive indices between 2 and 3 and so reflect significantly, though consequent transmission loss is modest except at glancing angles. Large metal obstacles, including both elements of structures such as columns or ducts and interior objects such as cabinets or server racks, cast shadows 10–20 dB deep lying within their geometric shadow. Floors of concrete on steel act as shields. With these observations in hand, one can construct a first approximation to the average received power at an indoor location by examining the absorption of the direct ray path from transmitter to receiver as it traverses walls, floors, and windows. Real indoor structures show widely varying propagation characteristics that depend critically on what is in the way. Long RMS propagation delays, averaging around 100 nsec and reaching as high as 1000 nsec when exterior reflections are significant, occur because of reflections from interior structures, even when the direct-line distance from transmitter to receiver is small. Open areas have average signal strength close to that obtained in free space (though local fading occurs because of interactions with reflected rays); a different location at the same distance from the transmitter may have 40 dB less signal power due to the interposition of interior and exterior walls. For typical clients, average signal strength of −75 dBm at the receiver is sufficient to provide reliable high-rate service. If access points can be positioned to avoid most obstacles, interior areas approaching 100 m in span can be covered with a single access point; in the presence of multiple walls, the same access point can be limited to 10 or 15 m. Common indoor interferers include microwave ovens, cordless phones, and rival Wi-Fi or Bluetooth devices.
In each case, the time-dependent nature of the interference ensures that some traffic is likely to get through even in the worst cases, but physical configuration and channel planning can also help to achieve reliable high data rates in the presence of interferers. Software and hardware tools are available for modeling and measuring propagation characteristics in indoor environments; use of these tools facilitates installation of complex networks and improves the utility of the result.

Further Reading

Building Construction Techniques
Building Construction Illustrated (3rd Edition), Francis Ching with Cassandra Adams, Wiley, 2000: Mr. Perry’s favorite pictorial reference; a beautifully illustrated book.

Microwave Properties of Construction Materials
NISTIR 6055: NIST Construction Automation Program Report No. 3: “Electromagnetic Signal Attenuation in Construction Materials,” William C. Stone, 1997; available from NIST or by web download.
“Effect of Admixtures, Chlorides, and Moisture on Dielectric Properties of Portland Cement Concrete in the Low Microwave Frequency Range,” K. Pokkuluri (thesis), Virginia Polytechnic Institute, October 1998.
“Different Kinds of Walls and Their Effect on the Attenuation of Radiowaves Indoors,” P. Ali-Rantala, L. Ukkonen, L. Sydanheimo, M. Keskilammi, and M. Kivikoski, 2003 Antennas and Propagation Society International Symposium, vol. 3, p. 1020.
“Measurement and Monitoring of Microwave Reflection and Transmission Properties of Cement-Based Specimens,” Kharkovsky et al., IEEE Instrumentation and Measurement Technology Conference, Budapest, Hungary, May 21–23, 2001, p. 513.
“Measurement and Modeling of Propagation Losses in Brick and Concrete Walls for the 900 MHz Band,” D. Peña, R. Feick, H. Hristov, and W. Grote, IEEE Trans. Antennas and Propagation, vol. 51, p. 31, 2003.
“A Comparison of Theoretical and Empirical Reflection Coefficients for Typical Exterior Wall Surfaces in a Mobile Radio Environment,” O. Landron, M. Feuerstein, and T. Rappaport, IEEE Trans. Antennas and Propagation, vol. 44, p. 341, 1996.
“Reflection and Transmission Losses through Common Building Materials,” Robert Wilson, available from Magis Networks, www.magisnetworks.com.
The Chemistry of Silica, Ralph Iler, Wiley, 1979.

Indoor Propagation Studies
“The Indoor Propagation Channel,” H. Hashemi, Proceedings of the IEEE, vol. 81, no. 7, p. 943, 1993.
“The Impact of Surrounding Buildings on Propagation for Wireless In-Building Personal Communications System Design,” S. Seidel, T. Rappaport, M. Feuerstein, K. Blackard, and L. Grindstaff, 1992 IEEE Vehicular Technology Conference, p. 814.
“Indoor Throughput and Range Improvements using Standard Compliant AP Antenna Diversity in IEEE 802.11a and ETSI HIPERLAN/2,” M. Abdul Aziz, M. Butler, A. Doufexi, A. Nix, and P. Fletcher, 54th IEEE Vehicular Technology Conference, October 2001, vol. 4, p. 2294.
“Outdoor/Indoor Propagation Modeling for Wireless Communications Systems,” M. Iskander, Z. Yun, and Z. Zhang (U Utah), IEEE Antennas and Propagation Society, AP-S International Symposium (Digest), vol. 2, 2001, pp. 150–153.
“Effective Models in Evaluating Radio Coverage in Single Floors of Multifloor Buildings,” J. Tarng and T. Liu, IEEE Trans. Vehicular Tech., vol. 48, no. 3, May 1999.
“Correlating Link Loss with Data Throughput,” D. Dobkin, High Frequency Electronics, January 2003, p. 22.

Interference: General
“Literature Search and Review of Radio Noise and Its Impact on Wireless Communications,” Richard Adler, Wilbur Vincent, George Munsch, and David Middleton, U.S. Naval Postgraduate School, for FCC TAC, 2002.

Interference: Microwave Ovens
“A Novel Prediction Tool for Indoor Wireless LAN under the Microwave Oven Interference,” W. Chang, Y. Lee, C. Ko, and C. Chen, available at http://www.cert.org/research/isw/isw2000/papers/2.pd
“Effects of Microwave Oven Interference on the Performance of ISM-Band DS/SS System,” S. Unawong, S. Miyamoto, and N. Morinaga, 1998 IEEE International Symposium on Electromagnetic Compatibility, vol. 1, pp. 51–56.

Interference: WLAN Self-interference
“The Impact of Power Limitations and Adjacent Residence Interference on the Performance of WLANs for Home Networking Applications,” S. Armour, A. Doufexi, B. Lee, A. Nix, and D. Bull, IEEE Trans. Consumer Electronics, vol. 47, p. 502, 2001.

Interference: Bluetooth and WLAN
“Coexistence of IEEE 802.11b WLAN and Bluetooth WPAN,” Stephen Shelhammer, Chapter 14 in Wireless Local Area Networks, Bing (op. cit.), Wiley, 2002.
“An Investigation of the Impact of Bluetooth Interference on the Performance of 802.11g Wireless Local Area Networks,” A. Doufexi, A. Arumugam, S. Armour, and A. Nix, 57th IEEE Vehicular Technology Conference, 2003, vol. 1, p. 680.
“The Performance of Bluetooth System in the Presence of WLAN Interference in an Office Environment,” O. Larjalainen, S. Rantala, and M. Kivikoski, 8th International Conference on Communication Systems (ICCS), 2002, vol. 2, p. 628.
“Rejection of Bluetooth Interference in 802.11 WLANs,” A. Soltanian, R. Van Dyck, and O. Rebala, Proceedings 56th IEEE Vehicular Technology Conference, 2002, vol. 2, p. 932.

Modeling
“Propagation Modelling for Indoor Wireless Communications,” W. Tam and V. Tran, Electronics and Communications Engineering Journal, October 1995, p. 221.
“Wideband Propagation Modeling for Indoor Environments and for Radio Transmission into Buildings,” R. Hoppe, P. Wertz, G. Wolfle, and F. Landstorfer, 11th International Symposium on Personal Indoor and Mobile Radio Communications, vol. 1, p. 282.
“Efficient Ray-Tracing Acceleration Techniques for Radio Propagation Modeling,” F. Agelet et al., IEEE Trans. Vehicular Tech., vol. 49, no. 6, November 2000.
“Improving the Accuracy of Ray-Tracing Techniques for Indoor Propagation Modeling,” K. Remley, H. Anderson, and A. Weisshaar, IEEE Trans. Vehicular Tech., vol. 49, no. 6, p. 2350, 2000.

Indoor Setup Guidelines
“Wireless LAN Design, Part 1: Fundamentals of the Physical Layer,” Jesse Frankel, WiFi Planet, San Jose, CA, fall 2003.

CHAPTER 10
Security in Wireless Local Area Networks
Praphul Chandra

10.1 Introduction

The 802.11 security architecture and protocol is called Wired Equivalent Privacy (WEP). It is responsible for providing authentication, confidentiality and data integrity in 802.11 networks. To understand the nomenclature, realize that 802.11 was designed as a “wireless Ethernet.” The aim of the WEP designers was therefore to provide the same degree of security as is available in traditional wired (Ethernet) networks. Did they succeed in achieving this goal? A few years back, asking that question in the wireless community was a sure-fire way of starting a huge debate. To understand the debate, realize that wired Ethernet[1] (the IEEE 802.3 standard) implements no security mechanism in hardware or software. However, wired Ethernet networks are inherently “secured” since the access to the medium (wires) which carry the data can be restricted or secured. On the other hand, in “wireless Ethernet” (the IEEE 802.11 standard) there is no provision to restrict access to the (wireless) media. So, the debate was over whether the security provided by WEP (the security mechanism specified by 802.11) was comparable to (as secure as) the security provided by restricting access to the physical medium in wired Ethernet. Since this comparison is subjective, it was difficult to answer this question. In the absence of quantitative data for comparison, the debate raged on. However, recent loopholes discovered in WEP have pretty much settled the debate, concluding that WEP fails to achieve its goals. In this chapter, we look at WEP, why it fails and what is being done to close these loopholes.
It is interesting to compare the security architecture in 802.11 with the security architecture in Traditional Wireless Networks (TWNs). Note that both TWNs and 802.11 use the wireless medium only in the access network; that is, the part of the network which connects the end user to the network. This part of the network is also referred to as the last hop of the network. However, there are important architectural differences between TWNs and 802.11. The aim of TWNs was to allow a wireless subscriber to communicate with any other wireless or wired subscriber anywhere in the world while supporting seamless roaming over large geographical areas. The scope of the TWNs, therefore, went beyond the wireless access network and well into the wired network. On the other hand, the aim of 802.11 is only last-hop wireless connectivity. 802.11 does not deal with end-to-end connectivity. In fact, IP-based data networks (for which 802.11 was initially designed) do not have any concept of end-to-end connectivity and each packet is independently routed. Also, the geographical coverage of the wireless access network in 802.11 is significantly less than the geographical coverage of the wireless access network in TWNs. Finally, 802.11 has only limited support for roaming. For all these reasons, the scope of 802.11 is restricted to the wireless access network only. As we go along in this chapter, it would be helpful to keep these similarities and differences in mind.

[1] We use 802.3 as a standard of comparison since it is the most widely deployed LAN standard. The analogy holds true for most other LAN standards—more or less.

10.2 Key Establishment in 802.11

The key establishment protocol of 802.11 is very simple to describe—there is none. 802.11 relies on “preshared” keys between the mobile nodes or stations (henceforth Stations (STAs)) and the Access Points (APs).
It does not specify how the keys are established and assumes that this is achieved in some “out-of-band” fashion. In other words, key establishment is outside the scope of WEP.

10.2.1 What’s Wrong?

Key establishment is one of the toughest problems in network security. By not specifying a key establishment protocol, it seems that the 802.11 designers were side-stepping the issue. To be fair to 802.11 designers, they did a pretty good job with the standard. The widespread acceptance of this technology is a testament to this. In retrospect, security was one of the issues where the standard did have many loopholes, but then again everyone has perfect vision in hindsight. Back to our issue, the absence of any key management protocol led to multiple problems as we discuss below.

1. In the absence of any key management protocol, real life deployment of 802.11 networks ended up using manual configuration of keys into all STAs and the AP that wish to form a Basic Service Set (BSS).
2. Manual intervention meant that this approach was open to manual error.
3. Most people cannot be expected to choose a “strong” key. In fact, most humans would probably choose a key which is easy to remember. A quick survey of the 802.11 networks that I had access to shows that people use keys like “abcd1234” or “12345678” or “22222222” and so on. These keys, being alphanumeric in nature, are easy to guess and do not exploit the whole key space.
4. There is no way for each STA to be assigned a unique key. Instead, all STAs and the AP are configured with the same key. As we will see in section 10.4.4, this means that the AP has no way of uniquely identifying a STA in a secure fashion. Instead, the STAs are divided into two groups. Group One consists of stations that are allowed access to the network, and Group Two consists of all other stations (that is, STAs which are not allowed to access the network).
Stations in Group One share a secret key which stations in Group Two don’t know.
5. To be fair, 802.11 does allow each STA (and AP) in a BSS to be configured with four different keys. Each STA can use any one of the four keys when establishing a connection with the AP. This feature may therefore be used to divide STAs in a BSS into four groups if each group uses one of these keys. This allows the AP a little finer control over reliable STA recognition.
6. In practice, most real life deployments of 802.11 use the same key across BSSs over the whole extended service set (ESS).[2] This makes roaming easier and faster, since an ESS has many more STAs than a BSS. In terms of key usage, this means that the same key is shared by even more STAs. Besides being a security loophole to authentication (see Section 10.4.4), this higher exposure makes the key more susceptible to compromise.

10.3 Anonymity in 802.11

We saw that subscriber anonymity was a major concern in TWNs. Recall that TWNs evolved from the voice world (the PSTN). In data networks (a large percentage of which use IP as the underlying technology), subscriber anonymity is not such a major concern. To understand why this is so, we need to understand some of the underlying architectural differences between TWNs and IP-based data networks. TWNs use IMSI for call routing. The corresponding role in IP-based networks is fulfilled by the IP address. However, unlike the IMSI, the IP address is not permanently mapped to a subscriber. In other words, given the IMSI, it is trivial to determine the identity of the subscriber. However, given the IP address, it is extremely difficult to determine the identity of the subscriber. This difficulty arises because of two reasons. First, IP addresses are dynamically assigned using protocols like DHCP; in other words, the IP address assigned to a subscriber can change over time. Second, the widespread use of Network Address Translation (NAT) adds another layer of identity protection.
NAT was introduced to deal with the shortage of IP addresses.[3] It provides IP-level access between hosts at a site (local area network (LAN)) and the rest of the Internet without requiring each host at the site to have a globally unique IP address. NAT achieves this by requiring the site to have a single connection to the global Internet and at least one globally valid IP address (hereafter referred to as GIP). The address GIP is assigned to the NAT translator (also known as NAT box), which is basically a router that connects the site to the Internet. All datagrams coming into and going out of the site must pass through the NAT box. The NAT box replaces the source address in each outgoing datagram with GIP and the destination address in each incoming datagram with the private address of the correct host. From the view of any host external to the site (LAN), all datagrams come from the same GIP (the one assigned to the NAT box). There is no way for an external host to determine which of the many hosts at a site a datagram came from. Thus, the usage of NAT adds another layer of identity protection in IP networks.

[2] Recall that an ESS is a set of APs connected by a distribution system (like Ethernet).
[3] To be accurate, the shortage of IPv4 addresses. There are more than enough IPv6 addresses available but the deployment of IPv6 has not caught on as fast as its proponents would have liked.

10.4 Authentication in 802.11

Before we start discussing the details of authentication in 802.11 networks, recall that the concept of authentication and access control are very closely linked. To be precise, one of the primary uses of authentication is to control access to the network. Now, think of what happens when a station wants to connect to a LAN. In the wired world, this is a simple operation. The station uses a cable to plug into an Ethernet jack, and it is connected to the network.
Even if the network does not explicitly authenticate the station, obtaining physical access to the network provides at least some basic access control if we assume that access to the physical medium is protected. In the wireless world, this physical-access-authentication disappears. For a station to “connect to” or associate with a wireless local area network (WLAN), the network-joining operation becomes much more complicated. First, the station must find out which networks it currently has access to. Then, the network must authenticate the station and the station must authenticate the network. Only after this authentication is complete can the station connect to or associate with the network (via the AP). Let us go over this process in detail. Access points (APs) in an 802.11 network (Figure 10.1) periodically broadcast beacons. Beacons are management frames which announce the existence of a network. They are used by the APs to allow stations to find and identify a network. Each beacon contains a Service Set Identifier (SSID), also called the network name, which uniquely identifies an ESS. When an STA wants to access a network, it has two options: passive scan and active scan. In the former case, it can scan the channels (the frequency spectrum) trying to find beacon advertisements from APs in the area. In the latter case, the station sends probe-requests (either to a particular SSID or with the SSID set to 0) over all the channels one-by-one. A particular SSID indicates that the station is looking for a particular network. If the concerned AP receives the probe, it responds with a probe-response. A SSID of 0 indicates that the station is looking to join any network it can access. All APs which receive this probe-request and which want this particular station to join their network, reply back with a probe-response. In either case, a station finds out which network(s) it can join.
Figure 10.1: 802.11 System Overview (a distribution system (DS) connects the access points (APs); an AP and its stations form a Basic Service Set (BSS), a single cell; several BSSs form an Extended Service Set (ESS), multiple cells)

Next, the station has to choose a network it wishes to join. This decision can be left to the user, or the software can make this decision based on signal strengths and other criteria. Once a station has decided that it wants to join a particular network, the authentication process starts. 802.11 provides for two forms of authentication: Open System Authentication (OSA) and Shared Key Authentication (SKA). Which authentication is to be used for a particular transaction needs to be agreed upon by both the STA and the network. The STA proposes the authentication scheme it wishes to use in its authentication request message. The network may then accept or reject this proposal in its authentication response message, depending on how the network administrator has set up the security requirements of the network.

10.4.1 Open System Authentication

This is the default authentication algorithm used by 802.11 (Figure 10.2). Here is how it works. Any station which wants to join a network sends an authentication request to the appropriate AP. The authentication request contains the authentication algorithm that the station wishes to use (0 in the case of OSA). The AP replies with an authentication response, thus authenticating the station to join the network[4] if it has been configured to accept OSA as a valid authentication scheme. In other words, the AP does not do any checks on the identity of the station and allows any and all stations to join the network.

Figure 10.2: 802.11 OSA
  1. Station to Access point: Authentication request: Auth alg = 0; Trans. num = 1.
  2. Access point to Station: Authentication resp.: Auth alg = 0; Trans. num = 2; Status = 0/*.
OSA is exactly what its name suggests: open system authentication. The AP (network) allows any station that wishes to join to join the network. Using OSA therefore means using no authentication at all. It is important to note here that the AP can enforce the use of authentication: if a station sends an authentication request requesting to use OSA, the AP may deny the station access to the network if the AP is configured to enforce SKA on all stations.

10.4.2 Shared Key Authentication

SKA is based on a challenge-response system. SKA divides stations into two groups. Group One consists of stations that are allowed access to the network and Group Two consists of all other stations. Stations in Group One share a secret key which stations in Group Two don't know. By using SKA, we can ensure that only stations belonging to Group One are allowed to join the network. Using SKA requires 1) that the station and the AP be capable of using WEP and 2) that the station and the AP have a preshared key. The second requirement means that a shared key must be distributed to all stations that are allowed to join the network before attempting authentication. How this is done is not specified in the 802.11 standard. Figure 10.3 explains how SKA works in detail.

Figure 10.3: 802.11 SKA
  1. Station to Access point: Authentication request: Auth alg = 1; Trans. num = 1.
  2. Access point to Station: Authentication resp.: Auth alg = 1; Trans. num = 2; Data = 128-byte random number.
  3. Station to Access point: Authentication resp.: Auth alg = 1; Trans. num = 3; Data = encrypted (128-byte number received in 2).
  4. Access point to Station: Authentication resp.: Auth alg = 1; Trans. num = 4; Status = 0/*.

When a station wants to join a network, it sends an authentication request to the appropriate AP which contains the authentication algorithm it wishes to use (1 in the case of SKA).
On receiving this request, the AP sends an authentication response back to the station. This authentication response contains a challenge text. The challenge text is a 128-byte number generated by the pseudorandom number generator (also used in WEP) using the preshared secret key and a random Initialization Vector (IV). When the station receives this random number (the challenge), it encrypts the random number using WEP[5] and its own IV to generate a response to the challenge. Note that the IV that the station uses for encrypting the challenge is different from (and independent of) the IV that the AP used for generating the random number. After encrypting the challenge, the station sends the encrypted challenge and the IV it used for encryption back to the AP as the response to the challenge. On receiving the response, the AP decrypts the response using the preshared key and the IV that it receives as part of the response. The AP compares the decrypted message with the challenge it sent to the station. If these are the same, the AP concludes that the station wishing to join the network is one of the stations which knows the secret key, and therefore the AP authenticates the station to join the network.

[4] The authentication request from the station may be denied by the AP for reasons other than authentication failure, in which case the status field will be nonzero.

The SKA mechanism allows an AP to verify that a station is one of a select group of stations. The AP verifies this by ensuring that the station knows a secret. This secret is the preshared key. If a station does not know the key, it will not be able to respond correctly to the challenge. Thus, the strength of SKA lies in keeping the shared key a secret.

10.4.3 Authentication and Handoffs

If a station is mobile while accessing the network, it may leave the range of one AP and enter the range of another AP.
In this section we see how authentication fits in with mobility (Figure 10.4).

Figure 10.4: 802.11 Handoffs and Security

[5] WEP is described in section 10.5.

A STA may move inside a BSA (intra-BSA), between two BSAs (inter-BSA) or between two Extended Service Areas (ESAs) (inter-ESA). In the intra-BSA case, the STA is static for all handoff purposes. Inter-ESA roaming requires support from higher layers (MobileIP, for example) since ESAs communicate with each other at Layer 3. It is inter-BSA roaming that 802.11 deals with. A STA keeps track of the received signal strength (RSS) of the beacon with which it is associated. When this RSS value falls below a certain threshold, the STA starts to scan for stronger beacon signals available to it using either active or passive scanning. This procedure continues until the RSS of the current beacon returns above the threshold (in which case the STA stops scanning for alternate beacons) or until the RSS of the current beacon falls below the break-off threshold, in which case the STA decides to hand off to the strongest beacon available. When this situation is reached, the STA disconnects from its prior AP and connects to the new AP afresh (just as if it had switched on in the BSA of the new AP). In fact, the association with the prior AP is not "carried over" or "handed off" transparently to the new AP: the STA disconnects from the old AP and then connects to the new AP. To connect to the new AP, the STA starts the connection procedure afresh. This means that the process of associating (and authenticating) to the new AP is the same as it is for a STA that has just powered on in this BSS. In other words, the prior AP and the post AP do not coordinate among themselves to achieve a handoff.[6] Analysis[7] has shown that authentication delays are the second biggest contributor to handoff times, next only to channel scanning/probing time.
This re-authentication delay becomes even more of a bottleneck for real-time applications like voice. Although this is not exactly a security loophole, it is a "drawback" of using the security mechanism.

10.4.4 What's Wrong with 802.11 Authentication?

Authentication mechanisms suggested by 802.11 suffer from many drawbacks. As we saw, 802.11 specifies two modes of authentication: OSA and SKA. OSA provides no authentication and is irrelevant here. SKA works on a challenge-response system as explained in section 10.4.2. The AP expects that the challenge it sends to the STA be encrypted using an IV and the preshared key. As described in section 10.2.1, there is no method specified in WEP for each STA to be assigned a unique key. Instead, all STAs and the AP in a BSS are configured with the same key. This means that even when an AP authenticates a STA using the SKA mode, all it ensures is that the STA belongs to a group of STAs which know the preshared key. There is no way for the AP to reliably determine the exact identity of the STA that is trying to authenticate to the network and access it.[8] To make matters worse, many 802.11 deployments share keys across APs. This increases the size of the group to which a STA can be traced. All STAs sharing a single preshared secret key also makes it very difficult to remove a STA from the allowed set of STAs, since this would involve changing (and redistributing) the shared secret key to all stations. There is another issue with 802.11 authentication: it is one-way.

[6] To be accurate, the IEEE 802.11 standard does not specify how the two APs should communicate with each other. There do exist proprietary solutions by various vendors which enable inter-AP communication to improve handoff performance.
[7] An Empirical Analysis of the IEEE 802.11 MAC Layer Handoff Process, Mishra et al.
Even though it provides a mechanism for the AP to authenticate the STA, it has no provision for the STA to be able to authenticate the network. This means that a rogue AP may be able to hijack the STA by establishing a session with it. This is a very plausible scenario given the plummeting cost of APs. Since the STA can never find out that it is communicating with a rogue AP, the rogue AP has access to virtually everything that the STA sends to it. Finally, SKA is based on WEP, discussed in section 10.5. It therefore suffers from all the drawbacks that WEP suffers from too. These drawbacks are discussed in section 10.5.1.

10.4.5 Pseudo-Authentication Schemes

Networks unwilling to use SKA (or networks wishing to enhance it) may rely on other authentication schemes. One such scheme allows only stations which know the network's SSID to join the network. This is achieved by having the AP respond to a probe-request from a STA only if the probe-request message contains the SSID of the network. This in effect prevents connections from STAs probing with a wildcard SSID. From a security perspective, the secret here is the SSID of the network. If a station knows the SSID of the network, it is allowed to join the network. Even though this is a very weak authentication mechanism, it provides some protection against casual eavesdroppers accessing the network. For any serious eavesdropper (hacker), this form of authentication poses minimal challenge since the SSID of the network is often transmitted in the clear (without encryption).

Yet another authentication scheme (sometimes referred to as address filtering) uses MAC addresses as the secret. The AP maintains a list of the MAC addresses of all the STAs that are allowed to connect to the network. This table is then used for admission control into the network. Only stations with the MAC addresses specified in the table are allowed to connect to the network.
When a station tries to access the network via the AP, the AP verifies that the station has a MAC address which belongs to the above-mentioned list. Again, even though this scheme provides some protection, it is not a very secure authentication scheme since most wireless access cards used by stations allow the user to change their MAC address via software. Any serious eavesdropper or hacker can find out the MAC address of one of the stations which is allowed access by listening in on the transmissions being carried out by the AP and then change their own MAC address to the determined address.

[8] MAC addresses can be used for this purpose but they are not cryptographically protected, in that it is easy to spoof a MAC address.

10.5 Confidentiality in 802.11

WEP uses a preestablished/preshared set of keys. Figure 10.5 shows how WEP is used to encrypt an 802.11 MAC Protocol Data Unit (MPDU). Note that Layer 3 (usually IP) hands over a MAC Service Data Unit (MSDU) to the 802.11 MAC layer. The 802.11 protocol may then fragment the MSDU into multiple MPDUs if so required to use the channel efficiently.

Figure 10.5: WEP (standard WEP encryption: the IV and shared key I (key ID I) are fed to RC4 to produce the RC4 keystream; the integrity check algorithm computes the ICV over the MPDU; the MPDU and ICV are XORed with the keystream to give the ciphertext, which is sent together with the IV/key ID)

The WEP process can be broken down into the following steps.

Step 1: Calculate the Integrity Check Value (ICV) over the length of the MPDU and append this 4-byte value to the end of the MPDU. Note that ICV is another name for Message Integrity Check (MIC). We see how this ICV value is generated in section 10.6.

Step 2: Select a master key to be used from one of the four possible preshared secret keys. See section 10.2.1 for the explanation of the four possible preshared secret keys.

Step 3: Select an IV and concatenate it with the master key to obtain a key seed. WEP does not specify how to select the IV. The IV selection process is left to the implementation.
Step 4: The key seed generated in Step 3 is then fed to an RC4 key generator. The resulting RC4 key stream is then XORed with the MPDU + ICV generated in Step 1 to generate the ciphertext.

Step 5: A 4-byte header is then added to the encrypted packet. It contains the 3-byte IV value and a 1-byte key ID specifying which one of the four preshared secret keys is being used as the master key.

The WEP process is now complete. An 802.11 header is then added to this packet and it is ready for transmission. The format of this packet is shown in Figure 10.6.

Figure 10.6: A WEP Packet (802.11 MAC header, then the IV and key ID byte, then the RC4-encrypted payload and ICV)

10.5.1 What's Wrong with WEP?

WEP uses RC4 (a stream cipher) in synchronous mode for encrypting data packets. Synchronous stream ciphers require that the key generators at the two communicating nodes be kept synchronized by some external means, because the loss of a single bit of a data stream encrypted under the cipher causes the loss of ALL data following the lost bit. In brief, this is so because data loss desynchronizes the key stream generators at the two endpoints. Since data loss is widespread in the wireless medium, a synchronous stream cipher is not the right choice. This is one of the most fundamental problems of WEP: it uses a cipher not suitable for the environment it operates in. It is important to re-emphasize here that the problem is not the RC4 algorithm.[9] The problem is that a stream cipher is not suitable for a wireless medium where packet loss is widespread. SSL uses RC4 at the application layer successfully because SSL (and therefore RC4) operates over TCP (a reliable data channel) that does not lose any data packets and can therefore guarantee perfect synchronization between the two end points. The WEP designers were aware of the problem of using RC4 in a wireless environment.
They realized that, due to the widespread data loss in the wireless medium, using a synchronous stream cipher across 802.11 frame boundaries was not a viable option. As a solution, WEP attempted to solve the synchronization problem of stream ciphers by shifting the synchronization requirement from a session to a packet. In other words, since the synchronization between the end points is not perfect (and subject to packet loss), 802.11 changes keys for every packet.

[9] Though loopholes in the RC4 algorithm have been discovered too.

This way each packet can be encrypted or decrypted irrespective of the previous packet's loss. Compare this with SSL's use of RC4, which can afford to use a single key for a complete TCP session. In effect, since the wireless medium is prone to data loss, WEP has to use a single packet as the synchronization unit rather than a complete session. This means that WEP uses a unique key for each packet. Using a separate key for each packet solves the synchronization problem but introduces problems of its own. Recall that to create a per-packet key, the IV is simply concatenated with the master key. As a general rule in cryptography, the more exposure a key gets, the more susceptible it is to compromise. Most security architectures therefore try to minimize the exposure of the master key when deriving secondary (session) keys from it. In WEP, however, the derivation of the secondary (per-packet) key from the master key is too trivial (a simple concatenation) to hide the master key. Another aspect of WEP security is that the IV which is concatenated with the master key to create the per-packet key is transmitted in cleartext with the packet too. Since the 24-bit IV is transmitted in the clear with each packet, an eavesdropper already has access to the first three bytes of the per-packet key.
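To make the mechanics of sections 10.4.2 and 10.5 concrete, here is an added example, not code from the book or from any 802.11 implementation: a toy WEP encapsulation following steps 1 to 5 of section 10.5, with the per-packet key built exactly as described above (IV concatenated with the master key, so the first three key bytes travel in the clear), and the four-message SKA exchange of Figure 10.3 run on top of it. RC4, the CRC-32 ICV and the 3-byte IV plus key-ID byte follow the text; the function names (wep_encapsulate, wep_decapsulate, ska_handshake), the SAMPLE_KEYS, the IVs and the payloads are constructed here, and drawing the AP's challenge from the WEP PRNG under a fresh AP-side IV is a simplification of the standard's challenge generation.

```python
import os
import struct
import zlib

# Added example: toy WEP encapsulation (section 10.5) and the SKA exchange
# (section 10.4.2) built on it. Keys, IVs and data are constructed sample
# values, not material from any real network.

# Four 40-bit (5-byte) preshared keys, selected by a 2-bit key ID (constructed).
SAMPLE_KEYS = [bytes.fromhex("0102030405"), bytes.fromhex("1112131415"),
               bytes.fromhex("2122232425"), bytes.fromhex("3132333435")]


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + generation); returns the first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(keys, key_id: int, iv: bytes, mpdu: bytes) -> bytes:
    """Steps 1 to 5 of section 10.5 applied to one MPDU."""
    assert len(iv) == 3 and 0 <= key_id < 4
    icv = struct.pack("<I", zlib.crc32(mpdu))        # step 1: 4-byte CRC-32 ICV
    seed = iv + keys[key_id]                           # steps 2-3: per-packet key = IV || master key
    body = mpdu + icv
    ciphertext = xor_bytes(body, rc4_keystream(seed, len(body)))   # step 4: RC4 XOR
    key_id_byte = bytes([key_id << 6])                 # key ID sits in the top two bits
    return iv + key_id_byte + ciphertext               # step 5: 4-byte IV / key-ID header


def wep_decapsulate(keys, packet: bytes):
    """Receiver side: rebuild the seed from the cleartext IV and key ID, decrypt,
    recompute the ICV. Returns the MPDU, or None when the ICV does not match."""
    iv, key_id, body = packet[:3], packet[3] >> 6, packet[4:]
    plain = xor_bytes(body, rc4_keystream(iv + keys[key_id], len(body)))
    mpdu, icv = plain[:-4], plain[-4:]
    return mpdu if struct.pack("<I", zlib.crc32(mpdu)) == icv else None


def ska_handshake(ap_keys, sta_keys, key_id: int = 0) -> int:
    """Figure 10.3 as a function. Returns the status of message 4:
    0 = authenticated, 1 = the response did not decrypt to the challenge
    (the nonzero code is this example's choice)."""
    # Message 2: the AP draws a 128-byte challenge from the WEP PRNG under a fresh
    # IV of its own (simplification of the standard's challenge generation).
    ap_iv = os.urandom(3)
    challenge = rc4_keystream(ap_iv + ap_keys[key_id], 128)
    # Message 3: the station WEP-encrypts the challenge under its own, independent
    # IV and sends ciphertext plus IV back.
    sta_iv = os.urandom(3)
    response = wep_encapsulate(sta_keys, key_id, sta_iv, challenge)
    # Message 4: the AP decrypts with the IV carried in the response and compares.
    return 0 if wep_decapsulate(ap_keys, response) == challenge else 1


if __name__ == "__main__":
    pkt = wep_encapsulate(SAMPLE_KEYS, 0, b"\x00\x00\x01", b"sample MPDU")
    print("round trip:", wep_decapsulate(SAMPLE_KEYS, pkt))
    print("SKA, same key:", ska_handshake(SAMPLE_KEYS, SAMPLE_KEYS))
    wrong = [bytes.fromhex("0a0b0c0d0e")] + SAMPLE_KEYS[1:]
    print("SKA, wrong key:", ska_handshake(SAMPLE_KEYS, wrong))
```

Two things worth noticing when running it: the IV and key-ID byte are the only cleartext in the WEP packet, and they are all the receiver needs to rebuild the RC4 seed, which is why an eavesdropper holds the first three bytes of every per-packet key; and a station with the wrong master key fails SKA not because of any identity check but purely because its response does not decrypt to the challenge, which is exactly the group-membership guarantee (and nothing more) that section 10.4.4 goes on to criticize.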
The above two weaknesses make WEP susceptible to a Fluhrer-Mantin-Shamir (FMS) attack, which uses the fact that simply concatenating the IV (available in plaintext) to the master key leads to the generation of a class of RC4 weak keys. The FMS attack exploits the fact that WEP creates the per-packet key by simply concatenating the IV with the master key. Since the first 24 bits of each per-packet key are the IV (which is available in plaintext to an eavesdropper),[10] the probability of using weak keys[11] is very high. Note that the FMS attack is a weakness in the RC4 algorithm itself. However, it is the way that the per-packet keys are constructed in WEP that makes the FMS attack a much more effective attack in 802.11 networks. The FMS attack relies on the ability of the attacker to collect multiple 802.11 packets which have been encrypted with weak keys. The limited key space (leading to key reuse) and the availability of the IV in plaintext, which forms the first 3 bytes of the key, make the FMS attack a very real threat in WEP. This attack is made even more potent in 802.11 networks by the fact that the first 8 bytes of the encrypted data in every packet are known to be the Sub-Network Access Protocol (SNAP) header. This means that simply XORing the first 2 bytes of the encrypted payload with the well-known SNAP header yields the first 2 bytes of the generated keystream. In the FMS attack, if the first 2 bytes of enough key streams are known then the RC4 key can be recovered. Thus, WEP is an ideal candidate for an FMS attack.

[10] Remember that each WEP packet carries the IV in plaintext format prepended to the encrypted packet.
[11] Use of certain key values leads to a situation where the first few bytes of the output are not all that random. Such keys are known as weak keys. The simplest example is a key value of 0.
The FMS attack is a very effective attack but is by no means the only attack which can exploit WEP weaknesses. Another such attack stems from the fact that one of the most important requirements of a synchronous stream cipher (like RC4) is that the same key should not be reused EVER. Why is it so important to avoid key reuse in RC4? Reusing the same key means that different packets use a common key stream to produce their respective ciphertexts. Consider two packets of plaintext (P1 and P2) which use the same RC4 key stream for encryption. Since

  C1 = P1 ⊕ RC4(key)
  C2 = P2 ⊕ RC4(key)

therefore

  C1 ⊕ C2 = P1 ⊕ P2

Obtaining the XOR of the two plaintexts may not seem like an incentive for an attack, but when used with frequency analysis techniques it is often enough to get lots of information about the two plaintexts. More importantly, as shown above, key reuse effectively leads to the key stream canceling out! An implication of this effect is that if one of the plaintexts (say P1) is known, P2 can be calculated easily since P2 = (P1 ⊕ P2) ⊕ P1. Another implication of this effect is that if an attacker (say, Eve) gets access to the P1, C1 pair,[12] simply XORing the two produces the key stream K. Once Eve has access to K, she can decrypt C2 to obtain P2. Realize how the basis of this attack is the reuse of the key stream, K. Now that we know why key reuse is prohibited in RC4, we look at what 802.11 needs to achieve this. Since we need a new key for every single packet to make the network really secure, 802.11 needs a very large key space, or rather a large number of unique keys. The number of unique keys available is a function of the key length. What is the key length used in WEP? Theoretically it is 64 bits. The devil, however, is in the details. How is the 64-bit key constructed? 24 bits come from the IV and 40 bits come from the base key.
Since the 40-bit master key never changes in most 802.11 deployments,[13] we must ensure that we use different IVs for each packet in order to avoid key reuse. Since the master key is fixed in length and the IV is only 24 bits long, the effective key length of WEP is 24 bits. Therefore, the key space for RC4 is 2^N where N is the length of the IV. 802.11 specified the IV length as 24. To put things in perspective, realize that if we have a 24-bit IV (giving 2^24 keys in the key space), a busy base station which is sending 1500-byte packets at 11 Mbps will exhaust all keys in the key space in 2^24 × (1500 × 8)/(11 × 10^6) seconds, or about five hours. On the other hand, RC4 in SSL would use the same key space for 2^24 (≈ 10^7) sessions. Even if the application has 10,000 sessions per day, the key space would last for three years. In other words, an 802.11 BS using RC4 has to reuse the same key in about five hours whereas an application using SSL RC4 can avoid key reuse for about three years. This shows clearly that the fault lies not in the cipher but in the way it is being used.

[12] This is not as difficult as it sounds.
[13] This weakness stems from the lack of a key-establishment or key-distribution protocol in WEP.

Going beyond an example, analysis of WEP has shown that there is a 50% chance of key reuse after 4823 packets, and a 99% chance of collision after 12,430 packets. These are dangerous numbers for a cryptographic algorithm. Believe it or not, it gets worse. 802.11 specifies no rules for IV selection. This in turn means that changing the IV with each packet is optional. This effectively means that 802.11 implementations may use the same key to encrypt all packets without violating the 802.11 specifications. Most implementations, however, vary from randomly generating the IV on a per-packet basis to using a counter for IV generation.
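Here is an added example, not from the book, that puts numbers on the two points just made. The first half runs the XOR algebra of key-stream reuse on two constructed packets under a generic XOR stream cipher (any key stream, RC4's or otherwise, cancels the same way, so no RC4 is needed). The second half does the 24-bit IV arithmetic: the time to use every IV once at the stated line rate, and the exact birthday calculation behind the 4823- and 12,430-packet figures, which assumes each packet's IV is drawn uniformly at random. The key stream, packet contents, link parameters and function names (keystream_reuse, iv_exhaustion_seconds, packets_until_collision) are this example's own.

```python
import math

# Added example: (a) why reusing a key stream is fatal for any XOR stream
# cipher, (b) how quickly WEP's 24-bit IV forces that reuse. All inputs are
# constructed sample values.

IV_BITS = 24
KEY_SPACE = 1 << IV_BITS


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse(p1: bytes, p2: bytes, keystream: bytes) -> dict:
    """Two packets encrypted under the same key stream K, as seen by an
    eavesdropper who holds C1 and C2 and later learns P1."""
    c1 = xor_bytes(p1, keystream)
    c2 = xor_bytes(p2, keystream)
    n = min(len(c1), len(c2))
    # C1 xor C2 = P1 xor P2: the key stream cancels with no key material at all.
    p1_xor_p2 = xor_bytes(c1[:n], c2[:n])
    # With P1 known, P2 = (P1 xor P2) xor P1 ...
    p2_from_xor = xor_bytes(p1_xor_p2, p1[:n])
    # ... and the (P1, C1) pair gives back K itself, which decrypts C2 directly.
    k = xor_bytes(p1, c1)
    p2_from_k = xor_bytes(c2[:len(k)], k)
    return {"p1_xor_p2": p1_xor_p2, "p2_from_xor": p2_from_xor,
            "keystream": k, "p2_from_k": p2_from_k}


def iv_exhaustion_seconds(packet_bytes: int = 1500, link_bps: int = 11_000_000,
                          keyspace: int = KEY_SPACE) -> float:
    """Seconds to send one packet per IV at line rate:
    2^24 packets x (1500 x 8 bits) / 11 Mbps, the text's five-hour figure."""
    return keyspace * (packet_bytes * 8) / link_bps


def packets_until_collision(prob: float, keyspace: int = KEY_SPACE) -> int:
    """Smallest n such that n IVs chosen uniformly at random contain a repeat
    with probability >= prob. Exact birthday computation, carried in the log
    domain so the product of thousands of factors does not lose precision."""
    log_all_distinct = 0.0          # log P(the first n IVs are all distinct)
    n = 1
    while 1.0 - math.exp(log_all_distinct) < prob:
        # the (n+1)-th IV must avoid the n already used
        log_all_distinct += math.log1p(-n / keyspace)
        n += 1
    return n


if __name__ == "__main__":
    ks = bytes(range(7, 47))        # constructed stand-in for a key stream
    r = keystream_reuse(b"TRANSFER 500 TO EVE", b"BALANCE REQUEST", ks)
    print(r["p2_from_xor"], r["p2_from_k"])
    print(f"all IVs used once after {iv_exhaustion_seconds() / 3600:.2f} hours")
    print(packets_until_collision(0.5), packets_until_collision(0.99))
```

The birthday function reproduces the book's 4823 and 12,430 exactly, which tells you those figures describe an implementation that picks IVs at random; a counter-based implementation instead reaches the five-hour exhaustion bound and then repeats deterministically. Either way the conclusion is the same: a 24-bit per-packet value under a fixed master key cannot keep a stream cipher's no-reuse rule on a busy link.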
WEP does specify that the IV be changed "frequently." Since this is vague, it means that an implementation which generates per-packet keys (more precisely, per-MPDU keys) is 802.11-compliant and so is an implementation which reuses the same key across MPDUs.

10.6 Data Integrity in 802.11

To ensure that a packet has not been modified in transit, 802.11 uses an Integrity Check Value (ICV) field in the packet. ICV is another name for message integrity check (MIC). The idea behind the ICV/MIC is that the receiver should be able to detect data modifications or forgeries by calculating the ICV over the received data and comparing it with the ICV attached to the message. Figure 10.7 shows the complete picture of how WEP and CRC-32 work together to create the MPDU for transmission.

Figure 10.7: Data Integrity in WEP (the 24-bit IV and the 40-bit WEP key are fed to the RC4 algorithm to produce the RC4 key stream; CRC-32 over the data gives the ICV; data and ICV are XORed with the key stream; the transmitted frame consists of the frame header, the IV header (IV, pad, key ID) and the encrypted frame body (data, ICV))

The underlying assumption is that if Eve modifies the data in transit, she should not be able to modify the ICV appropriately to force the receiver into accepting the packet. In WEP, the ICV is implemented as a Cyclic Redundancy Check-32 bits (CRC-32) checksum, which breaks this assumption. The reason for this is that CRC-32 is linear and is not cryptographically computed, i.e., the calculation of the CRC-32 checksum does not use a key/shared secret. Also, this means that CRC-32 has the following interesting property:

  CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)

Now, if X represents the payload of the 802.11 packet over which the ICV is calculated, the ICV is CRC(X), which is appended to the packet. Consider an intruder who wishes to change the value of X to Z. To do this, she calculates Y = X ⊕ Z. Then she captures the packet from the air interface, XORs X with Y and XORs the ICV with CRC(Y).
Therefore, the packet changes from {X, CRC(X)} to {X ⊕ Y, CRC(X) ⊕ CRC(Y)}, or simply {X ⊕ Y, CRC(X ⊕ Y)}. If the intruder now retransmits the packet to the receiver, the receiver has no way of telling that the packet was modified in transit. This means that we can change bits in the payload of the packet while preserving the integrity of the packet if we also change the corresponding bits in the ICV of the packet. Note that an attack like the one described above works because flipping bit x in the message results in a deterministic set of bits in the CRC that must be flipped to produce the correct checksum of the modified message. This property stems from the linearity of the CRC-32 algorithm. Realize that even though the ICV is encrypted (cryptographically protected) along with the rest of the payload in the packet, it is not cryptographically computed; that is, calculating the ICV does not involve keys and cryptographic operations. Simply encrypting the ICV does not prevent an attack like the one discussed above. This is so because the flipping of a bit in the ciphertext carries through after the RC4 decryption into the plaintext, because

  RC4(k, X ⊕ Y) = RC4(k, X) ⊕ Y

and therefore

  RC4(k, CRC(X ⊕ Y)) = RC4(k, CRC(X)) ⊕ CRC(Y)

The problem with the message integrity mechanism specified in 802.11 is not only that it uses a linear integrity check algorithm (CRC-32) but also the fact that the ICV does not protect all the information that needs to be protected from modification. Recall from section 10.5 that the ICV is calculated over the MPDU data; in other words, the 802.11 header is not protected by the ICV. This opens the door to redirection attacks, as explained below. Consider an 802.11 BSS where an 802.11 STA (Alice) is communicating with a wired station (Bob).
Since the wireless link between Alice and the access point (AP) is protected by WEP and the wired link between Bob and the access point is not,[14] it is the responsibility of the AP to decrypt the WEP packets and forward them to Bob. Now, Eve captures the packets being sent from Alice to Bob over the wireless link. She then modifies the destination address in the 802.11 header to another node, say C (Charlie), and retransmits them to the AP. Since the AP does not know any better, it decrypts the packets and forwards them to Charlie. Eve, therefore, has the AP decrypt the packets and forward them to a destination address of her choice. The simplicity of this attack makes it extremely attractive. All Eve needs is a wired station connected to the AP, and she can eavesdrop on the communication between Alice and Bob without needing to decrypt any packets herself. In effect, Eve uses the infrastructure itself to decrypt any packets sent from an 802.11 STA via an AP. Note that this attack does not necessarily require that one of the communicating stations be a wired station. Either Bob or Charlie (or both) could as easily be other 802.11 STAs which do not use WEP. The attack would still hold since the responsibility for decryption would still be with the AP. The bottom line is that the redirection attack is possible because the ICV is not calculated over the 802.11 header. There is an interesting security lesson here. A system can't have confidentiality without integrity, since an attacker can use the redirection attack and exploit the infrastructure to decrypt the encrypted traffic. Another problem which stems from the weak integrity protection in WEP is the threat of a replay attack.

[14] WEP is an 802.11 standard used only on the wireless link.
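Before going through the replay scenario, here is an added example, not from the book, that exercises the integrity weaknesses this section has described and the keyed design that removes them. It checks the CRC identity on the real CRC-32 (zlib's), where, because of the algorithm's init and final-XOR constants, the identity holds up to a term that depends only on the length, CRC(0…0); shows that the payload edit plus ICV adjustment passes a WEP-style receiver even though the ICV is encrypted; shows the uncovered header being rewritten (the redirection case); and then shows an HMAC-SHA256 tag over header, sequence number and payload rejecting both the modified frame and a replayed one. The key stream, keys, frames and names (wep_style_protect, modify_in_transit, KeyedIntegrityReceiver, integrity_demo) are this example's own, and XOR with a fixed key stream stands in for RC4 output.

```python
import hashlib
import hmac
import struct
import zlib

# Added example: CRC-32 linearity (section 10.6) on the real CRC-32, why an
# encrypted ICV does not help, why an uncovered header is a problem, and a
# keyed MAC over header + sequence number + payload that closes all three.
# Key stream, keys and frames are constructed sample values.

HDR_LEN = 21   # toy cleartext header, fixed width so it can be rewritten in place


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_relation_holds(x: bytes, y: bytes) -> bool:
    """zlib's CRC-32 carries init/final-XOR constants, so the text's identity holds
    up to a length-only term: CRC(X ^ Y) == CRC(X) ^ CRC(Y) ^ CRC(0...0)."""
    zeros = bytes(len(x))
    return zlib.crc32(xor_bytes(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zlib.crc32(zeros)


def wep_style_protect(keystream: bytes, header: bytes, payload: bytes) -> bytes:
    """WEP layout: cleartext header, then (payload || CRC-32 ICV) XORed with the key stream."""
    body = payload + struct.pack("<I", zlib.crc32(payload))
    return header + xor_bytes(body, keystream)


def wep_style_receive(keystream: bytes, frame: bytes):
    """Decrypt and recompute the ICV; returns (header, payload) or None on mismatch."""
    header, body = frame[:HDR_LEN], xor_bytes(frame[HDR_LEN:], keystream)
    payload, icv = body[:-4], body[-4:]
    return (header, payload) if struct.pack("<I", zlib.crc32(payload)) == icv else None


def modify_in_transit(frame: bytes, delta: bytes, new_header: bytes) -> bytes:
    """The modification the text describes, done on ciphertext with no key: XOR the
    payload bytes with Y, XOR the (still encrypted) ICV with CRC(Y) ^ CRC(0...0),
    and, because the header is outside the ICV, simply overwrite it."""
    body = frame[HDR_LEN:]
    n = len(body) - 4
    y = delta.ljust(n, b"\x00")
    icv_delta = struct.pack("<I", zlib.crc32(y) ^ zlib.crc32(bytes(n)))
    return new_header + xor_bytes(body[:n], y) + xor_bytes(body[n:], icv_delta)


class KeyedIntegrityReceiver:
    """Hardened form: HMAC-SHA256 over header || sequence number || payload plus a
    strictly increasing sequence number, so edits, redirection and replays all fail."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    @staticmethod
    def tag(key: bytes, header: bytes, seq: int, payload: bytes) -> bytes:
        return hmac.new(key, header + struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

    def accept(self, header: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(self.tag(self.key, header, seq, payload), tag):
            return False        # any change to header or payload breaks the tag
        if seq <= self.last_seq:
            return False        # sequence number already seen: a replay
        self.last_seq = seq
        return True


def integrity_demo() -> dict:
    keystream = hashlib.sha256(b"constructed key stream seed").digest()  # stand-in for RC4 output
    header, payload = b"DST=Bob    |SRC=Alice", b"PAY 500 TO EVE"
    frame = wep_style_protect(keystream, header, payload)
    # Change "500" to "900" and redirect the frame to Charlie, without the key.
    delta = xor_bytes(payload, b"PAY 900 TO EVE")
    forged = modify_in_transit(frame, delta, b"DST=Charlie|SRC=Alice")
    wep_result = wep_style_receive(keystream, forged)

    mac_key = hashlib.sha256(b"constructed MAC key").digest()
    rx = KeyedIntegrityReceiver(mac_key)
    t = KeyedIntegrityReceiver.tag(mac_key, header, 1, payload)
    return {
        "crc_relation": crc_relation_holds(payload, delta),
        "wep_accepts_forgery": wep_result is not None,
        "wep_sees": wep_result,
        "mac_accepts_original": rx.accept(header, 1, payload, t),
        "mac_accepts_modified": rx.accept(b"DST=Charlie|SRC=Alice", 2, b"PAY 900 TO EVE", t),
        "mac_accepts_replay": rx.accept(header, 1, payload, t),
    }
```

The affine term is the caveat to carry away: the identity is stated in the text for a bare CRC, but the standard CRC-32 only adds a constant that depends on the length, which is just as independent of the plaintext, so the conclusion about WEP is unchanged. The fix is not a better checksum but a keyed tag that covers everything the receiver acts on, the header and a replay counter included, checked with a constant-time comparison.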
A replay attack works by capturing 802.11 packets transmitted over the wireless interface and then replaying (retransmitting) the captured packet(s) later on, with (or without) modification, such that the receiving station has no way to tell that the packet it is receiving is an old (replayed) packet. To see how this attack can be exploited, consider a hypothetical scenario where Alice is an account holder, Bob is a bank and Eve is another account holder in the bank. Suppose Alice and Eve do some business and Alice needs to pay Eve $500. So, Alice connects to Bob over the network and transfers $500 from her account to Eve's. Eve, however, is greedy. She knows Alice is going to transfer money. So, she captures all data going from Alice to Bob. Even though Eve does not know what the messages say, she has a pretty good guess that these messages instruct Bob to transfer $500 from Alice's account to Eve's. So, Eve waits a couple of days and replays these captured messages to Bob. This may have the effect of transferring another $500 from Alice's account to Eve's account unless Bob has some mechanism for determining that he is being replayed the messages from a previous session. Replay attacks are usually prevented by linking the integrity protection mechanism to timestamps and/or session sequence numbers. However, WEP does not provide any such protection.

10.7 Loopholes in 802.11 Security

To summarize, here is the list of things that are wrong with 802.11 security:

1. 802.11 does not provide any mechanism for key establishment over an insecure medium. This means key sharing among STAs in a BSS and sometimes across BSSs.
2. WEP uses a synchronous stream cipher over a medium where it is difficult to ensure synchronization during a complete session.
3. To solve the previous problem, WEP uses a per-packet key by concatenating the IV directly to the preshared key to produce a key for RC4. This exposes the base key or master key to attacks like FMS.
4. Since the master key is usually manually configured and static, and since the IV used in 802.11 is just 24 bits long, this results in a very limited key space.
5. 802.11 specifies that changing the IV with each packet is optional, thus making key reuse highly probable.
6. The CRC-32 used for message integrity is linear.
7. The ICV does not protect the integrity of the 802.11 header, thus opening the door to redirection attacks.
8. There is no protection against replay attacks.
9. There is no support for a STA to authenticate the network.

Note that the limited size of the IV figures much lower in the list than one would expect. This emphasizes the fact that simply increasing the IV size would not improve WEP's security considerably. The deficiency of the WEP encapsulation design arises from attempts to adapt RC4 to an environment for which it is poorly suited.

10.8 WPA

When the loopholes in WEP, the original 802.11 security standard, had been exposed, IEEE formed a Task Group, 802.11i, with the aim of improving upon the security of 802.11 networks. This group came up with the proposal of a Robust Security Network (RSN). An RSN is an 802.11 network which implements the security proposals specified by the 802.11i group and allows only RSN-capable devices to join the network, thus allowing no "holes." The term hole is used to refer to a non-802.11i-compliant STA which, by virtue of not following the 802.11i security standard, could make the whole network susceptible to a variety of attacks. Since making a transition from an existing 802.11 network to an RSN cannot always be a single-step process (we will see why in a moment), 802.11i allows for a Transitional Security Network (TSN), which allows for the existence of both RSN and WEP nodes in an 802.11 network.
As the name suggests, this kind of network is specified only as a transition point and all 802.11 networks are finally expected to move to an RSN. The terms RSN and 802.11i are sometimes used interchangeably to refer to this security specification. The security proposal specified by Task Group i uses the Advanced Encryption Standard (AES) in its default mode. One obstacle in using AES is that it is not backward compatible with existing WEP hardware. This is so because AES requires a new, more powerful hardware engine. This means that there is also a need for a security solution which can operate on existing hardware. This was a pressing need for vendors of 802.11 equipment. This is where the Wi-Fi Alliance came into the picture.

The Wi-Fi Alliance is an alliance of major 802.11 vendors formed with the aim of ensuring product interoperability. To improve the security of 802.11 networks without requiring a hardware upgrade, the Wi-Fi Alliance adopted the Temporal Key Integrity Protocol (TKIP) as the security standard that needs to be deployed for Wi-Fi certification. This form of security has therefore come to be known as Wi-Fi Protected Access (WPA). WPA is basically a prestandard subset of 802.11i which includes the key management and the authentication architecture (802.1X) specified in 802.11i. The biggest difference between WPA and 802.11i (which has also come to be known as WPA2) is that instead of using AES for providing confidentiality and integrity, WPA uses TKIP and MICHAEL respectively. We look at TKIP/WPA in this section and at 802.11i/WPA2 using AES in the next section.

TKIP stands for Temporal Key Integrity Protocol. It was designed to fix WEP loopholes while operating within the constraints of existing 802.11 equipment (APs, WLAN cards and so on). To understand what we mean by the "constraints of existing 802.11 hardware," we need to dig a little deeper.
Most 802.11 equipment consists of some sort of WLAN Network Interface Card (NIC) (also known as a WLAN adapter) which enables access to an 802.11 network. A WLAN NIC usually consists of a small microprocessor, some firmware, a small amount of memory and a special-purpose hardware engine. This hardware engine is dedicated to the WEP implementation, since software implementations of WEP are too slow. To be precise, the WEP encryption process is implemented in hardware. The hardware encryption takes the IV, the base (master) key and the plaintext data as the input and produces the encrypted output (ciphertext). One of the most severe constraints for the TKIP designers was that the hardware engine cannot be changed. We see in this section how WEP loopholes were closed given these constraints.

10.8.1 Key Establishment

One of the biggest WEP loopholes is that it specifies no key-establishment protocol and relies on the concept of preshared secret keys which should be established using some out-of-band mechanism. Realize that this is a system architecture problem. In other words, solving this problem requires support from multiple components (the AP, the STA and usually also a backend authentication server) in the architecture. One of the important realizations of the IEEE 802.11i task group was that 802.11 networks were being used in two distinct environments: the home network and the enterprise network. These two environments had distinct security requirements and different infrastructure capacities to provide security. Therefore, 802.11i specified two distinct security architectures. For the enterprise network, 802.11i specifies the use of IEEE 802.1X for key establishment and authentication. As we will see in our discussion in the next section, 802.1X requires the use of a backend authentication server. Deploying a backend authentication server is not usually feasible in a home environment.
Therefore, for home deployments of 802.11, 802.11i allows the use of the "out-of-band mechanism" (read manual configuration) for key establishment. We look at the 802.1X architecture in the next section and see how it results in the establishment of a Master Key (MK). In this section, we assume that the two communicating end-points (the STA and the AP) already share a MK which has either been configured manually at the two end-points (WEP architecture) or has been established using the authentication process (802.1X architecture). This section looks at how this MK is used in WPA.

Recall that a major loophole in WEP was the manner[15] in which this master key was used, which made it vulnerable to compromise. WPA solves this problem by reducing the exposure of the master key, thus making it difficult for an attacker to discover the master key. To achieve this, WPA adds an additional layer to the key hierarchy used in WEP. Recall from Section 6.4 that WEP uses the master key for authentication and to calculate the per-packet key. In effect there is a two-tier key hierarchy in WEP: the master (preshared secret) key and the per-packet key. WPA extends the two-tier key hierarchy of WEP to a multitier hierarchy (see Figure 10.8). At the top level is still the master key, referred to as the Pair-wise Master Key (PMK) in WPA. The next level in the key hierarchy is the PTK, which is derived from the PMK. The final level is the per-packet keys, which are generated by feeding the PTK to a key-mixing function. Compared with the two-tier WEP key hierarchy, the three-tier key hierarchy of WPA avoids exposing the PMK in each packet by introducing the concept of the PTK. As we saw, WPA is flexible about how the master key (PMK in WPA) is established. The PMK, therefore, may be a preshared[16] secret key (WEP design) or a key derived from an authentication process like 802.1X.[17] WPA does require that the PMK be 256 bits (or 32 bytes) long.
Since a 32-byte key is too long for humans to remember, 802.11 deployments using preshared keys may allow the user to enter a shorter password which may then be used as a seed to generate the 32-byte key. The next level in the key hierarchy after the PMK is the PTK. WPA uses the PMK for deriving the Pair-wise Transient Keys (PTK), which are basically session keys. The term PTK is used to refer to a set of session keys which consists of four keys, each of which is 128 bits long. These four keys are as follows: an encryption key for data, an integrity key for data, an encryption key for EAPoL messages and an integrity key for EAPoL messages. Note that the term session here refers to the association between a STA and an AP.

[15] The per-packet key is obtained by simply concatenating the IV with the preshared secret key. Therefore, a compromised per-packet key exposes the preshared secret key.
[16] As we saw, this usually means that the keys are manually configured.
[17] It is expected that most enterprise deployments of 802.11 would use 802.1X while the preshared secret key method (read manual configuration) would be used by residential users.

[Figure 10.8: Key Hierarchy in 802.11. Three columns: WEP (master secret; 40-bit/104-bit preshared, manually configured master key; per-packet encryption key obtained by prepending the IV); WPA used with 802.1X (master secret used by the authentication process, e.g. certificate or password; 256-bit PMK as a by-product of the 802.1X-based authentication process); WPA used without 802.1X (user password; 256-bit PMK that can be specified by the network administrator). In both WPA columns, PRF-512(PMK, "Pair-wise Key Expansion", MAC1 || MAC2 || Nonce1 || Nonce2) yields the PTK: data encryption key, data MIC key, EAPoL encryption key and EAPoL MIC key, 128 bits each; phase-1 and phase-2 key mixing then yield the per-packet encryption key.]
Every time a STA associates with an AP, it is the beginning of a new session and this results in the generation of a new PTK (set of keys) from the PMK. Since the session keys are valid only for a certain period of time, they are also referred to as temporal keys, and the set of four session keys together is referred to as the Pair-wise Transient Keys (PTK). The PTK are derived from the PMK using a Pseudorandom Function (PRF). The PRFs used for derivation of PTKs (and nonces) are explicitly specified by WPA and are based on the HMAC-SHA algorithm.

PTK = PRF-512(PMK, "Pair-wise key expansion", AP_MAC || STA_MAC || ANonce || SNonce)

Realize that to obtain the PTK from the PMK we need five input values: the PMK, the MAC addresses of the two endpoints involved in the session and one nonce each from the two endpoints. The use of the MAC addresses in the derivation of the PTK ensures that the keys are bound to sessions between the two endpoints and increases the effective key space of the overall system. Realize that since we want to generate a different set of session keys from the same PMK for each new session,[18] we need to add another input into the key generation mechanism which changes with each session. This input is the nonce. The concept of a nonce is best understood by realizing that it is short for Number-Once. The value of a nonce is thus arbitrary except that a nonce value is never used again.[19] Basically it is a number which is used only once. In our context, a nonce is a unique number (generated randomly) which can distinguish between two sessions established between a given STA and an AP at different points in time. The two nonces involved in PTK generation are generated, one each, by the two end points involved in the session; i.e., the STA (SNonce) and the AP (ANonce).
WPA specifies that a nonce should be generated as follows:

ANonce = PRF-256(Random Number, "Init Counter", AP_MAC || Time)
SNonce = PRF-256(Random Number, "Init Counter", STA_MAC || Time)

The important thing to note is that the PTKs are effectively shared between the STA and the AP and are used by both the STA and the AP to protect the data/EAPoL messages they transmit. It is therefore important that the input values required for derivation of the PTK from the PMK come from both the STA and the AP. Note also that the key derivation process can be executed in parallel at both endpoints of the session (the STA and the AP) once the nonces and the MAC addresses have been exchanged. Thus, both the STA and the AP can derive the same PTK from the PMK simultaneously.

The next step in the key hierarchy tree is to derive per-packet keys from the PTK. WPA also improves upon this process significantly. Recall from Section 10.5 that the per-packet key was obtained by simply concatenating the IV with the master key in WEP. Instead of simply concatenating the IV with the master key, WPA uses the process shown in Figure 10.9 to obtain the per-packet key. This process is known as per-packet key mixing. In phase one, the session data encryption key is "combined" with the high-order 32 bits of the IV and the MAC address. The output from this phase is "combined" with the lower-order 16 bits of the IV and fed to phase two, which generates the 104-bit per-packet key.

[18] If a STA disconnects from the AP and connects back with an AP at a later time, these are considered two different sessions.
[19] To be completely accurate, nonce values are generated such that the probability of the same value being generated twice is very low.

[Figure 10.9: TKIP Encryption. Elements shown: TSC/IV hi32, TSC/IV lo16, TSC_lo16_hi8, TSC_lo16_lo8, MAC address (own), PTK_Data_Enc_Key, phase-1 key mixing, phase-2 key mixing, 104-bit per-packet key.]
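The PTK and nonce derivation just described, as an added Go example (not the book's code): the PRF is the HMAC-SHA1 construction of the 802.11i standard, which also orders each MAC-address pair and nonce pair as min || max so that both ends feed byte-identical input to the PRF (the book shows the simpler AP || STA order); the PMK, MAC addresses, random seeds and time values are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// prf is the 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
// for i = 0, 1, ... and keep the first lenBits bits. The book only says the PRF is
// "based on the HMAC-SHA algorithm"; this exact layout is the standard's.
func prf(key []byte, label string, data []byte, lenBits int) []byte {
	var out []byte
	for i := 0; len(out)*8 < lenBits; i++ {
		mac := hmac.New(sha1.New, key)
		mac.Write([]byte(label))
		mac.Write([]byte{0x00})
		mac.Write(data)
		mac.Write([]byte{byte(i)})
		out = mac.Sum(out) // appends this 160-bit block to out
	}
	return out[:lenBits/8]
}

// makeNonce follows the book's rule: PRF-256(random, "Init Counter", MAC || Time).
func makeNonce(random, mac, timeBytes []byte) []byte {
	return prf(random, "Init Counter", append(append([]byte{}, mac...), timeBytes...), 256)
}

// ordered returns the pair sorted as (min, max), so the STA and the AP build the
// same PRF input whichever side is computing (the standard's refinement of the
// book's AP_MAC || STA_MAC || ANonce || SNonce).
func ordered(a, b []byte) ([]byte, []byte) {
	if bytes.Compare(a, b) <= 0 {
		return a, b
	}
	return b, a
}

// PTK holds the four 128-bit temporal keys of Figure 10.8. The standard calls the
// first two KCK and KEK; the last 128 bits of a TKIP PTK are really two 64-bit
// MICHAEL keys, one per direction.
type PTK struct {
	EAPoLMIC, EAPoLEnc, DataEnc, DataMIC []byte
}

// derivePTK computes PRF-512(PMK, "Pairwise key expansion", min(MAC) || max(MAC)
// || min(Nonce) || max(Nonce)) and splits it into the four 128-bit keys.
func derivePTK(pmk, apMAC, staMAC, aNonce, sNonce []byte) PTK {
	m1, m2 := ordered(apMAC, staMAC)
	n1, n2 := ordered(aNonce, sNonce)
	var data []byte
	for _, part := range [][]byte{m1, m2, n1, n2} {
		data = append(data, part...)
	}
	k := prf(pmk, "Pairwise key expansion", data, 512)
	return PTK{EAPoLMIC: k[0:16], EAPoLEnc: k[16:32], DataEnc: k[32:48], DataMIC: k[48:64]}
}

func main() {
	// Constructed values: a 256-bit PMK, two MAC addresses, two random seeds.
	pmk := bytes.Repeat([]byte{0x11}, 32)
	apMAC := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	staMAC := []byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	aNonce := makeNonce(bytes.Repeat([]byte{0x01}, 32), apMAC, []byte("t0"))
	sNonce := makeNonce(bytes.Repeat([]byte{0x02}, 32), staMAC, []byte("t0"))

	// Each side calls with its own view of the inputs and obtains the same PTK.
	atAP := derivePTK(pmk, apMAC, staMAC, aNonce, sNonce)
	atSTA := derivePTK(pmk, staMAC, apMAC, sNonce, aNonce)
	fmt.Println("data enc key (AP) :", hex.EncodeToString(atAP.DataEnc))
	fmt.Println("data enc key (STA):", hex.EncodeToString(atSTA.DataEnc))
	fmt.Println("same PTK on both ends:", bytes.Equal(atAP.DataEnc, atSTA.DataEnc))
}
```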
There are many important features to note in this process:

1. It assumes the use of a 48-bit IV (more on this in Section 10.8.2).
2. The size of the encryption key is still 104 bits, thus making it compatible with existing WEP hardware accelerators.
3. Since generating a per-packet key involves a hash operation which is computation intensive for the small MAC processor in existing WEP hardware, the process is split into two phases. The processing-intensive part is done in phase one whereas phase two is much less computation intensive.
4. Since phase one involves the high-order 32 bits of the IV, it needs to be done only when one of these bits changes; that is, once in every 65,536 packets.
5. The key-mixing function makes it very hard for an eavesdropper to correlate the IV and the per-packet key used to encrypt the packet.

10.8.2 Authentication

As we said in the previous section, 802.11i specified two distinct security architectures. For the home network, 802.11i allows the manual configuration of keys just like WEP. For the enterprise network, however, 802.11i specifies the use of IEEE 802.1X for key establishment and authentication. We just summarize the 802.1X architecture in this section.

802.1X is closely architected along the lines of EAPoL (EAP over LAN). Figure 10.10a shows the conceptual architecture of EAPoL and Figure 10.10b shows the overall system architecture of EAPoL. The controlled port is open only when the device connected to the authenticator has been authorized by 802.1X. On the other hand, the uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPoL) traffic ONLY. Figure 10.10a shows how access to even the uncontrolled port may be limited using MAC filtering.[20] This scheme is sometimes used to deter DoS attacks.
[Figure 10.10a: 802.1X/EAP Port Model. The supplicant PAE and the authenticator PAE exchange EAPoL; the authenticator exchanges EAP with the authentication server; the uncontrolled port (MAC enable/disable) and the controlled port (port authorization) sit on the switched or shared Ethernet in front of the authorized LAN resources.]

[Figure 10.10b: EAPoL. Exchange between supplicant, switch and authentication server (RADIUS): EAPoL-start; EAP-request/identity; EAP-response/identity, forwarded as RADIUS access-request; EAP-request/OTP from a RADIUS access-challenge; EAP-response/OTP, forwarded as RADIUS access-request; EAP-success from RADIUS access-accept; port authorized; EAPoL-logoff; port unauthorized.]

[20] Allowing only STAs which have a MAC address that is "registered" or "known" to the network.

EAP specifies three network elements: the supplicant, the authenticator and the authentication server. For EAP over LAN, the end user is the supplicant, the Layer 2 (usually Ethernet) switch is the authenticator controlling access to the network using logical ports, and the access decisions are taken by the backend authentication server after carrying out the authentication process. Which authentication process to use (MD5, TLS and so on) is for the network administrator to decide. EAPoL can be easily adapted to be used in the 802.11 environment as shown in Figure 10.10c. The STA is the supplicant, the AP is the authenticator controlling access to the network, and there is a backend authentication server. The analogy is all the more striking if you consider that an AP is in fact just a Layer 2 switch with a wireless and a wired interface.

[Figure 10.10c: EAP Over WLAN. 802.1X entities: supplicant (STA), authenticator (AP) with its controlled port onto the intranet/LAN and file server, and the RADIUS authentication server.]

There is, however, one interesting piece of detail that needs attention.
The 802.1X architecture carries the authentication process between the supplicant (STA) and the backend authentication server.[21] This means that the master key (resulting from an authentication process like TLS) is established between the STA and the backend server. However, the confidentiality and integrity mechanisms in the 802.11 security architecture are implemented between the AP and the STA. This means that the session (PTK) and per-packet keys (which are derived from the PMK) are needed at the STA and the AP. The STA already has the PMK and can derive the PTK and the per-packet keys. However, the AP does not yet have the PMK. Therefore, what is needed is a mechanism to get the PMK from the authentication server to the AP securely. Recall that in the 802.1X architecture, the result of the authentication process is conveyed by the authentication server to the AP so that the AP may allow or disallow the STA access to the network. The communication protocol between the AP and the authentication server is not specified by 802.11i but is specified by WPA to be RADIUS. Most deployments of 802.11 would probably end up using RADIUS. The RADIUS protocol does allow for distributing the key securely from the authentication server to the AP, and this is how the PMK gets to the AP.

[21] With the AP controlling access to the network using logical ports.

Note that 802.1X is a framework for authentication. It does not specify the authentication protocol to be used. Therefore, it is up to the network administrator to choose the authentication protocol they want to plug in to the 802.1X architecture. One of the most often discussed authentication protocols to be used with 802.1X is TLS. Section 3.3.3 discusses how the TLS protocol is used with EAPoL. Figure 10.10d summarizes how TLS can be used as an authentication protocol in an EAP over WLAN environment. The EAP-TLS protocol is well documented.
It has been analyzed extensively and no significant weaknesses have been found in the protocol itself. This makes it an attractive option for security use in 802.1X. However, there is a deployment issue with this scheme.

[Figure 10.10d: 802.1X Network Architecture. Supplicant, access point and RADIUS server on the enterprise network: EAPoL start begins EAP authentication; EAP request/identity asks the client for its identity; EAP response/identity (userID) is forwarded as a RADIUS access request with the userID; server-side and client-side TLS follow the sequence defined by EAP-TLS; EAP success / RADIUS access success passes the session key to the AP while the client derives the session key; EAPoL-Key (multicast) and EAPoL-Key (session parameters) deliver the broadcast key encrypted with the session key, and the session parameters.]

Note that EAP-TLS relies on certificates to authenticate the network to the clients and the clients to the network. Requiring the network (the servers) to have certificates is a common theme in most security architectures. However, the requirement that each client be issued a certificate leads to the requirement of widespread deployment of PKI. Since this is sometimes not a cost-effective option, a few alternative protocols have been proposed: EAP-TTLS (tunneled TLS) and PEAP. Both of these protocols use certificates to authenticate the network (the server) to the client but do not use certificates to authenticate the client to the server. This means that a client no longer needs a certificate to authenticate itself to the server: instead the clients can use password-based schemes (CHAP, PAP and so on) to authenticate themselves. Both protocols divide the authentication process into two phases. In phase 1, we authenticate the network (the server) to the client using a certificate and establish a TLS tunnel between the server and the client.
This secure[22] TLS channel is then used to carry out a password-based authentication protocol to authenticate the client to the network (server).

10.8.3 Confidentiality

Recall from Section 10.5.1 that the fundamental WEP loophole stems from using a stream cipher in an environment susceptible to packet loss. To work around this problem, the WEP designers changed the encryption key for each packet. To generate the per-packet encryption key, the IV was concatenated with the preshared key. Since the preshared key is fixed, it is the IV which is used to make each per-packet key unique. There were multiple problems with this approach. First, the IV size at 24 bits was too short. At 24 bits there were only 16,777,216 values before a duplicate IV value was used. Second, WEP did not specify how to select an IV for each packet.[23] Third, WEP did not even make it mandatory to vary the IV on a per-packet basis; realize that this meant WEP explicitly allowed reuse of per-packet keys. Fourth, there was no mechanism to ensure that the IV was unique on a per-station basis. This made the IV collision space shared between stations, thus making a collision even more likely. Finally, simply concatenating the IV with the preshared key to obtain a per-packet key is cryptographically insecure, making WEP vulnerable to the FMS attack. The FMS attack exploits the fact that WEP creates the per-packet key by simply concatenating the IV with the master key. Since the first 24 bits of each per-packet key are the IV (which is available in plain text to an eavesdropper),[24] the probability of using weak keys[25] is very high.

First off, TKIP doubles the IV size from 24 bits to 48 bits. This results in increasing the time to key collision from a few hours to a few hundred years. Actually, the IV is increased from 24 bits to 56 bits by requiring the insertion of 32 bits between the existing WEP IV and the start of the encrypted data in the WEP packet format.
However, only 48 bits of the IV are used, since eight bits are reserved for discarding some known (and some yet to be discovered) weak keys.

[22] Secure since it protects the identity of the client during the authentication process.
[23] Implementations vary from a sequential increase starting from zero to generating a random IV for each packet.
[24] Remember that each WEP packet carries the IV in plain text format prepended to the encrypted packet.
[25] Use of certain key values leads to a situation where the first few bytes of the output are not all that random. Such keys are known as weak keys. The simplest example is a key value of 0.

Simply increasing the IV length will, however, not work with the existing WEP hardware accelerators. Remember that existing WEP hardware accelerators expect a 24-bit IV as an input to concatenate with a preshared key (40/104-bit) in order to generate the per-packet key (64/128-bit). This hardware cannot be upgraded to deal with a 48-bit IV and generate an 88/156-bit key. The approach, therefore, is to use per-packet key mixing as explained in Section 10.8.1. Using the (much more complicated) per-packet key-mixing function instead of simply concatenating the IV to the master key to generate the per-packet key increases the effective IV size (and hence improves on WEP security) while still being compatible with existing WEP hardware.

10.8.4 Integrity

WEP used CRC-32 as an integrity check. The problem with this protocol was that it was linear. As we saw in Section 10.6, this is not a cryptographically secure integrity protocol. It does, however, have the merit that it is not computation intensive. What TKIP aims to do is to specify an integrity protocol which is cryptographically secure and yet not computation intensive, so that it can be used on existing WEP hardware which has very little computation power.
The problem is that most well-known protocols used for calculating a message integrity check (MIC) have lots of multiplication operations, and multiplication operations are computation intensive. Therefore, TKIP uses a new MIC protocol, MICHAEL, which uses no multiplication operations and relies instead on shift and add operations. Since these operations require much less computation, they can be implemented on existing 802.11 hardware equipment without affecting performance. Note that the MIC value is added to the MPDU in addition to the ICV which results from the CRC-32. It is also important to realize that MICHAEL is a compromise. It does well to improve upon the linear CRC-32 integrity protocol proposed in WEP while still operating within the constraints of the limited computation power. However, it is in no way as cryptographically secure as the other standardized MIC protocols like MD5 or SHA-1. The TKIP designers knew this and hence built in countermeasures to handle cases where MICHAEL might be compromised. If a TKIP implementation detects two failed forgeries (two packets where the calculated MIC does not match the attached MIC) in one second, the STA assumes that it is under attack and as a countermeasure deletes its keys, disassociates, waits for a minute and then re-associates. Even though this may sound a little harsh, since it disrupts communication, it does avoid forgery attacks.

Another enhancement that TKIP makes in IV selection and use is to use the IV as a sequence counter. Recall that WEP did not specify how to generate a per-packet IV.[26] TKIP explicitly requires that each STA start using an IV with a value of 0 and increment the value by one for each packet that it transmits during its session[27] lifetime. This is the reason the IV can also be used as a TKIP Sequence Counter (TSC). The advantage of using the IV as a TSC is to avoid the replay attack to which WEP was susceptible. TKIP achieves replay protection by using a unique IV with each packet that it transmits during a session. This means that in a session, each new packet coming from a certain MAC address would have a unique number.[28] If each packet from Alice had a unique number, Bob could tell when Eve was replaying old messages. WEP does not have replay protection since it cannot use the IV as a counter. Why? Because WEP does not specify how to change the IV from one packet to another and, as we saw earlier, it does not even specify that you need to.

[26] In fact, WEP did not even specify that the IV had to be changed on a per-packet basis.
[27] An 802.11 session refers to the association between a STA and an AP.
[28] At least for 900 years: that is when the IV rolls over.

10.8.5 The Overall Picture: Confidentiality + Integrity

The overall picture of providing confidentiality and message integrity in TKIP is shown in Figure 10.10e.

[Figure 10.10e: TKIP, The Complete Picture. Elements shown: TSC/IV hi32, TSC/IV lo16, TSC_lo16_hi8, TSC_lo16_lo8, MAC address (own), PTK_Data_Enc_Key, phase-1 and phase-2 key mixing, dummy byte (to avoid weak keys), 104-bit per-packet key, RC4 keystream XORed with each MPDU; MSDU and PTK_Data_MIC_Key into MICHAEL, CRC-32 (WEP ICV), fragmentation into MPDUs; output is IV followed by the encrypted MPDU.]

10.8.6 How Does WPA Fix WEP Loopholes?

In Section 10.7 we summarized the loopholes of WEP. At the beginning of Section 10.8 we said that WPA/TKIP was designed to close these loopholes while still being able to work with existing WEP hardware. In this section, we summarize what WPA/TKIP achieves and how.

1. WEP: Relies on preshared (out-of-band) key establishment mechanisms. Usually leads to manual configuration of keys and to key sharing among STAs in a BSS (often ESS).
   WPA: Recommends 802.1X for authentication and key establishment in enterprise deployments. Also supports preshared key establishment like WEP.
2. WEP: Uses a synchronous stream cipher which is unsuitable for the wireless medium.
   WPA: Same as WEP.
3. WEP: Generates the per-packet key by concatenating the IV directly to the master/preshared key, thus exposing the base key/master key to attacks like FMS.
   WPA: Solves this problem by (a) introducing the concept of the PTK in the key hierarchy and (b) using a key-mixing function instead of simple concatenation to generate per-packet keys. This reduces the exposure of the master key.
4. WEP: Static master key + small size of IV + method of per-packet key generation → extremely limited key space.
   WPA: Increases the IV size to 56 bits and uses only 48 of these bits, reserving 8 bits to discard weak keys. Also, the use of PTK which are generated afresh for each new session increases the effective key space.
5. WEP: Changing the IV with each packet is optional → key reuse highly probable.
   WPA: Explicitly specifies that both the transmitter and the receiver initialize the IV to zero whenever a new set of PTK is established[29] and then increment it by one for each packet sent.
6. WEP: Linear algorithm (CRC-32) used for message integrity → weak integrity protection.
   WPA: Replaces the integrity check algorithm with MICHAEL, which is nonlinear. Also specifies countermeasures for the case where MICHAEL may be violated.
7. WEP: ICV does not protect the integrity of the 802.11 header → susceptible to redirection attacks.
   WPA: Extends the ICV computation to include the MAC source and destination addresses to protect against redirection attacks.
8. WEP: No protection against replay attacks.
   WPA: The use of the IV as a sequence number provides replay protection.
9. WEP: No support for a STA to authenticate the network.
   WPA: Use of 802.1X in enterprise deployments allows for this.

[29] This usually happens every time the STA associates with an AP.
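MICHAEL, the TSC replay check and the two-failures-per-second countermeasure of Sections 10.8.4 and 10.8.5, as an added Go example (not the book's code): the block function, the padding and the MIC input layout (DA || SA || priority || three zero bytes || MSDU) are those of the 802.11 standard; the receiver model, its caller-supplied clock, the key and the frames are constructed.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// michaelBlock is MICHAEL's mixing step: only rotates, XORs and 32-bit adds,
// which is why it fits the small MAC processor of a WEP-era card.
func michaelBlock(l, r uint32) (uint32, uint32) {
	r ^= bits.RotateLeft32(l, 17)
	l += r
	r ^= (l&0xff00ff00)>>8 | (l&0x00ff00ff)<<8 // XSWAP: swap the bytes of each half-word
	l += r
	r ^= bits.RotateLeft32(l, 3)
	l += r
	r ^= bits.RotateLeft32(l, -2) // rotate right by 2
	l += r
	return l, r
}

// michael computes the 64-bit MIC of msg under a 64-bit key.
// Known answer from the standard: key 0, empty msg -> 82925c1ca1d130b8.
func michael(key [8]byte, msg []byte) [8]byte {
	l := binary.LittleEndian.Uint32(key[0:4])
	r := binary.LittleEndian.Uint32(key[4:8])
	// Pad with 0x5a and then 4 to 7 zero bytes so the length is a multiple of 4.
	padded := append(append([]byte{}, msg...), 0x5a)
	for zeros := 0; zeros < 4 || len(padded)%4 != 0; zeros++ {
		padded = append(padded, 0x00)
	}
	for i := 0; i < len(padded); i += 4 {
		l ^= binary.LittleEndian.Uint32(padded[i : i+4])
		l, r = michaelBlock(l, r)
	}
	var out [8]byte
	binary.LittleEndian.PutUint32(out[0:4], l)
	binary.LittleEndian.PutUint32(out[4:8],  r)
	return out
}

// micInput is what TKIP authenticates: DA || SA || priority || 3 zero bytes || MSDU.
// Covering the addresses closes the redirection hole left by the WEP ICV.
func micInput(da, sa [6]byte, priority byte, msdu []byte) []byte {
	in := append(append([]byte{}, da[:]...), sa[:]...)
	in = append(in, priority, 0x00, 0x00, 0x00)
	return append(in, msdu...)
}

// Receiver models the receive side of one association: the TSC must increase
// with every frame (replay protection), and two MIC failures within one second
// trigger the countermeasures (keys dropped, 60 s without traffic).
type Receiver struct {
	micKey       [8]byte
	lastTSC      int64     // -1 until the first frame; the TSC starts at 0 with a fresh PTK
	failures     []float64 // times of recent MIC failures
	blockedUntil float64
}

func NewReceiver(micKey [8]byte) *Receiver { return &Receiver{micKey: micKey, lastTSC: -1} }

// Receive checks one frame; now is a caller-supplied clock in seconds.
func (rx *Receiver) Receive(now float64, tsc int64, da, sa [6]byte, prio byte, msdu []byte, mic [8]byte) string {
	if now < rx.blockedUntil {
		return "dropped: countermeasures active"
	}
	if tsc <= rx.lastTSC {
		return "replay" // an old or repeated TSC is exactly what a replayed frame carries
	}
	want := michael(rx.micKey, micInput(da, sa, prio, msdu))
	if subtle.ConstantTimeCompare(want[:], mic[:]) != 1 {
		// A real station counts a MIC failure only after the CRC-32 ICV passed,
		// so transmission errors are not mistaken for forgeries.
		recent := rx.failures[:0]
		for _, t := range rx.failures {
			if now-t < 1.0 {
				recent = append(recent, t)
			}
		}
		rx.failures = append(recent, now)
		if len(rx.failures) >= 2 {
			rx.failures = nil
			rx.lastTSC = -1 // re-association brings a fresh PTK and a TSC restarting at 0
			rx.blockedUntil = now + 60
			return "countermeasures: keys deleted, disassociating for 60 s"
		}
		return "mic failure"
	}
	rx.lastTSC = tsc
	return "ok"
}

func main() {
	var zero [8]byte
	fmt.Printf("MICHAEL(0, \"\") = %x\n", michael(zero, nil)) // 82925c1ca1d130b8
}
```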
10.9 WPA2 (802.11i)

Recall from Section 10.8 that Wi-Fi Protected Access (WPA) was specified by the Wi-Fi Alliance with the primary aim of enhancing the security of existing 802.11 networks by designing a solution which could be deployed with a simple software (firmware) upgrade and without the need for a hardware upgrade. In other words, WPA was a stepping stone to the final solution which was being designed by the IEEE 802.11i task group. This security proposal was referred to as the Robust Security Network (RSN) and also came to be known as the 802.11i security solution. The Wi-Fi Alliance integrated this solution in their proposal and called it WPA2. We look at this security proposal in this section.

10.9.1 Key Establishment

WPA was a prestandard subset of IEEE 802.11i. It adopted the key-establishment, key hierarchy and authentication recommendations of 802.11i almost completely. Since WPA2 and the 802.11i standard are the same, the key-establishment process and the key hierarchy architecture in WPA and WPA2 are almost identical. There is one significant difference though. In WPA2, the same key can be used for the encryption and integrity protection of data. Therefore, there is one less key needed in WPA2. For a detailed explanation of how the key hierarchy is established, see Section 10.8.1.

10.9.2 Authentication

Just like key establishment and key hierarchy, WPA had also adopted the authentication architecture specified in 802.11i completely. Therefore, the authentication architecture in WPA and WPA2 is identical. For a detailed explanation of how the authentication architecture works, see Section 10.8.2.

10.9.3 Confidentiality

In this section we look at the confidentiality mechanism of WPA2 (802.11i). Recall that the encryption algorithm used in WEP was RC4, a stream cipher. Some of the primary weaknesses in WEP stemmed from using a stream cipher in an environment where it was difficult to provide lossless synchronous transmission.
It was for this reason that Task Group i specified the use of a block encryption algorithm when redesigning 802.11 security. Since AES was (and still is) considered the most secure block cipher, it was an obvious choice. This was a major security enhancement since the encryption algorithm lies at the heart of providing confidentiality. In addition to specifying an encryption algorithm for providing system security, what is also needed is to specify a mode of operation. To provide confidentiality in 802.11i, AES is used in counter mode. Counter mode actually uses a block cipher as a stream cipher, thus combining the security of a block cipher with the ease of use of a stream cipher. Figure 10.11 shows how AES counter mode works.

[Figure 10.11: AES Counter Mode. Encryption process: the counter blocks ctr, ctr+1, ..., ctr+n-1 are each encrypted under K and XORed with M_1, M_2, ..., M_n to give C_1, C_2, ..., C_n. Decryption process: the same encrypted counter blocks are XORed with C_1, ..., C_n to recover M_1, ..., M_n.]

Using the counter mode requires a counter. The counter starts at an arbitrary but predetermined value and is incremented in a specified fashion. The simplest counter operation, for example, would start the counter with an initial value of 1 and increment it sequentially by 1 for each block. Most implementations, however, derive the initial value of the counter from a nonce value that changes for each successive message. The AES cipher is then used to encrypt the counter to produce a key stream. When the original message arrives, it is broken up into 128-bit blocks and each block is XORed with the corresponding 128 bits of the generated key stream to produce the ciphertext. Mathematically, the encryption process can be represented as

$C_i = M_i \oplus E_K(i)$

where $i$ is the counter. The security of the system lies in the counter.
As long as the counter value is never repeated with the same key, the system is secure. In WPA2, this is achieved by using a fresh key for every session (see section 10.8.1). To summarize, the salient features of AES in counter mode are as follows:

1. It allows a block cipher to be operated as a stream cipher.
2. The use of counter mode makes the generated key stream independent of the message, thus allowing the key stream to be generated before the message arrives.
3. Since the protocol by itself does not create any interdependency between the encryption of the various blocks in a message, the various blocks of the message can be encrypted in parallel if the hardware has a bank of AES encryption engines.
4. Since the decryption process is exactly the same as encryption,30 each device only needs to implement the AES encryption block.
5. Since counter mode does not require that the message be broken up into an exact number of blocks, the length of the encrypted text can be exactly the same as the length of the plaintext message.

Note that AES counter mode provides only for the confidentiality of the message and not the message integrity. We see how AES is used for providing message integrity in the next section. Also, since the encryption and integrity protection processes are very closely tied together in WPA2/802.11i, we look at the overall picture after we have discussed the integrity process.

10.9.4 Integrity

To achieve message integrity, Task Group i extended the counter mode to include a Cipher Block Chaining (CBC)-MAC operation. This is what explains the name of the protocol: AES-CCMP, where CCMP stands for Counter-mode CBC-MAC Protocol. The CBC-MAC protocol (also known as CBC-residue) is reproduced here in Figure 10.12, where the black boxes represent the encryption protocol (AES in our case).
[Figure 10.12: AES CBC-MAC. Starting from the IV, each plaintext block M1, M2, …, Mn is XORed with the previous output h1, h2, …, hn−1 and encrypted under K; the final output hn, after an optional further encryption under K, is the MAC.]

As shown in the figure, CBC-MAC XORs a plaintext block with the previous cipher block before encrypting it. This ensures that any change made to any ciphertext block (for example by a malicious intruder) changes the decrypted output of the last block and hence changes the residue. CBC-MAC is an established technique for message integrity. What Task Group i did was to combine the counter mode of operation with the CBC-MAC integrity protocol to create CCMP.

30 XORing the same value twice leads back to the original value.

10.9.5 The Overall Picture: Confidentiality + Integrity

Since a single process is used to achieve integrity and confidentiality, the same key can be used for the encryption and integrity protection of data. It is for this reason that there is one less key needed in WPA2. The complete process which combines the counter-mode encryption and CBC-MAC integrity works as follows.

In WPA2, the PTK is 384 bits long. Of this, the most significant 256 bits form the EAPoL MIC key and EAPoL encryption key. The least significant 128 bits form the data key. This data key is used for both encryption and integrity protection of the data. Before the integrity protection or the encryption process starts, a CCMP header is added to the 802.11 packet before transmission. The CCMP header is eight bytes in size. Of these eight bytes, six bytes are used for carrying the Packet Number (PN), which is needed for the other (remote) end to decrypt the packet and to verify the integrity of the packet. One byte is reserved for future use and the remaining byte contains the key ID. Note that the CCMP header is prepended to the payload of the packet and is not encrypted, since the remote end needs to know the PN before it starts the decryption or the verification process.
The PN is a per-packet sequence number which is incremented for each packet processed. The integrity protection starts with the generation of an Initialization Vector (IV) for the CBC-MAC process. This IV is created by the concatenation of the following entities: flag, priority, source MAC address, PN and DLen, as shown in Figure 10.13.

[Figure 10.13: IV for AES CBC-MAC. 128-bit IV for CBC-MAC = Flag | Priority | Source address | Packet number | DLen; the shaded Priority, Source address and Packet number fields together form the 104-bit nonce.]

The flag field has a fixed value of 01011001. The priority field is reserved for future use. The source MAC address is self-explanatory and the packet number (PN) is as we discussed above. Finally, the last entity, DLen, indicates the data length of the plaintext. Note that the total length of the IV is 128 bits and that the priority, source address and packet number fields together also form the 104-bit nonce (shaded portion of Figure 10.13) which is required in the encryption process. The 128-bit IV forms the first block which is needed to start the CBC-MAC process described in Section 10.9.4. The CBC-MAC computation is done over the 802.11 header and the MPDU payload. This means that this integrity protection scheme also protects the source and the destination MAC address, the quality of service (QoS) traffic class and the data length. Integrity protecting the header along with the MPDU payload protects against replay attacks. Note that the CBC-MAC process requires an exact number of blocks to operate on. If the plaintext data cannot be divided into an exact number of blocks, it needs to be padded for the purposes of MIC computation. Once the MAC has been calculated and appended to the MPDU, it is ready for encryption. It is important to re-emphasize that only the data part and the MAC part of the packet are encrypted, whereas the 802.11 header and the CCMP header are not encrypted.
From section 10.9.3, we know that the AES counter-mode encryption process requires a key and a counter. The key is derived from the PTK, as we discussed. The counter is created by the concatenation of the following entities: Flag, Priority, Source MAC address, packet number (PN) and Ctr, as shown in Figure 10.14.

[Figure 10.14: Counter for AES Counter Mode. 128-bit counter for AES counter mode = Flag | Priority | Source address | Packet number | Ctr; Priority, Source address and Packet number again form the 104-bit nonce.]

Comparing Figure 10.14 with Figure 10.13, we see that the IV for the integrity process and the counter for the encryption process are identical except for the last sixteen bits. Whereas the IV has the last sixteen bits as the length of the plaintext, the counter has the last sixteen bits as Ctr. It is this Ctr which makes the counter a real “counter.” The value of Ctr starts at one and counts up as the counter mode proceeds. Since the Ctr value is sixteen bits, this allows for up to 2^16 (65,536) blocks of data in an MPDU. Given that AES uses 128-bit blocks, this means that an MPDU can be as long as 2^23 bits, which is much more than what 802.11 allows, so the encryption process does not impose any additional restrictions on the length of the MPDU.

Even though CCMP succeeds in combining the encryption and integrity protocol in one process, it does so at some cost. First, the encryption of the various message blocks can no longer be carried out in parallel, since CBC-MAC requires the output of the previous block to calculate the MAC for the current block. This slows down the protocol. Second, CBC-MAC requires the message to be broken into an exact number of blocks. This means that if the message cannot be broken into an exact number of blocks, we need to add padding bytes to it to do so. The padding technique has raised some security concerns among some cryptographers, but no concrete deficiencies/attacks have been found against this protocol.
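As an added example (not code from the book or from any 802.11 implementation), here is a compact Go model of the CCMP construction described in Sections 10.9.3 to 10.9.5: the block layouts of Figures 10.13 and 10.14, CBC-MAC per Figure 10.12 with zero padding, AES counter mode per Figure 10.11, and the protect/unprotect flow including rejection of a tampered byte. It follows the chapter's simplified layout (one flag byte for both the IV and the counter blocks; the actual 802.11i/CCM encoding differs, for instance in the counter-block flag and in how the unencrypted header is length-encoded), and the 8-byte MIC length, the key, addresses and payload are assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	flagByte = 0x59 // the fixed 01011001 flag byte of Figure 10.13
	micLen   = 8    // 802.11i sends an 8-byte truncated CBC-MAC residue (standard's value, not in the chapter)
)

// ccmBlock builds the block of Figure 10.13 (tail = DLen) or 10.14 (tail = Ctr): flag || priority || source
// MAC || 48-bit PN || tail (the middle 104 bits form the nonce). The same flag is used for both, as the chapter draws it.
func ccmBlock(priority byte, srcMAC [6]byte, pn uint64, tail uint16) [16]byte {
	var b [16]byte
	b[0], b[1] = flagByte, priority
	copy(b[2:8], srcMAC[:])
	var pnBuf [8]byte
	binary.BigEndian.PutUint64(pnBuf[:], pn)
	copy(b[8:14], pnBuf[2:]) // low 48 bits of the PN, big-endian
	binary.BigEndian.PutUint16(b[14:], tail)
	return b
}

// cbcMAC is Figure 10.12 started from the IV: encrypt the IV, then XOR each 16-byte block into
// the running value and encrypt again; a short last block is zero-padded (Section 10.9.5).
func cbcMAC(blk cipher.Block, iv [16]byte, data []byte) []byte {
	x := make([]byte, 16)
	blk.Encrypt(x, iv[:])
	for off := 0; off < len(data); off += 16 {
		var m [16]byte
		copy(m[:], data[off:])
		for i := range x {
			x[i] ^= m[i]
		}
		blk.Encrypt(x, x)
	}
	return x[:micLen]
}

// ctrCrypt is AES counter mode (Figure 10.11): out_i = in_i XOR E_K(block_i), Ctr = 1, 2, ...; the same call decrypts.
func ctrCrypt(blk cipher.Block, priority byte, srcMAC [6]byte, pn uint64, in []byte) []byte {
	out, ks := make([]byte, len(in)), make([]byte, 16)
	for off := 0; off < len(in); off += 16 {
		ctr := ccmBlock(priority, srcMAC, pn, uint16(off/16)+1)
		blk.Encrypt(ks, ctr[:])
		for i := off; i < len(in) && i < off+16; i++ {
			out[i] = in[i] ^ ks[i-off] // no padding: output is exactly as long as the input
		}
	}
	return out
}

// ccmpProtect (Section 10.9.5): MIC over header || payload under the DLen IV, then CTR-encrypt payload || MIC.
func ccmpProtect(key []byte, priority byte, srcMAC [6]byte, pn uint64, header, payload []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := ccmBlock(priority, srcMAC, pn, uint16(len(payload)))
	mic := cbcMAC(blk, iv, append(append([]byte{}, header...), payload...))
	return ctrCrypt(blk, priority, srcMAC, pn, append(append([]byte{}, payload...), mic...)), nil
}

// ccmpUnprotect strips the key stream, recomputes the MIC over the clear header and the payload and rejects the MPDU if it differs.
func ccmpUnprotect(key []byte, priority byte, srcMAC [6]byte, pn uint64, header, protected []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(protected) < micLen {
		return nil, errors.New("MPDU shorter than the MIC")
	}
	plain := ctrCrypt(blk, priority, srcMAC, pn, protected)
	payload, mic := plain[:len(plain)-micLen], plain[len(plain)-micLen:]
	iv := ccmBlock(priority, srcMAC, pn, uint16(len(payload)))
	if !bytes.Equal(mic, cbcMAC(blk, iv, append(append([]byte{}, header...), payload...))) {
		return nil, errors.New("MIC check failed")
	}
	return payload, nil
}

func main() {
	// Constructed sample values, not from the chapter: 128-bit data key, header fields, a 33-byte voice frame.
	key, src := []byte("0123456789abcdef"), [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	header, payload := []byte("dst|src|qos-tc"), []byte("RTP voice frame, 33 bytes long!!!")
	prot, _ := ccmpProtect(key, 0, src, 1, header, payload)
	got, err := ccmpUnprotect(key, 0, src, 1, header, prot)
	fmt.Printf("round trip ok=%v err=%v\n", bytes.Equal(got, payload), err)
	prot[3] ^= 0x80 // flip one ciphertext bit: the MIC check must now fail
	_, err = ccmpUnprotect(key, 0, src, 1, header, prot)
	fmt.Println("after tampering:", err)
}
```

The 33-byte payload deliberately spans a partial block, so the run shows both the zero padding that CBC-MAC needs and the absence of padding in the counter-mode output.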
The details of the overall CCMP are shown in Figure 10.15, and finally the following table compares the WEP, WPA and WPA2 security architectures.

[Figure 10.15: WPA2 - The Complete Picture. The MSDU is fragmented into MPDUs; for each MPDU the packet number is updated and a CCMP header is added after the MAC header. From the PTK data key, the priority, source address, DLen and PN form the CBC-MAC IV; the MPDU is divided into 128-bit blocks and AES CBC-MAC produces the MIC. The priority, source address and PN form the counter for AES counter mode, and only the shaded part (MPDU payload plus MIC), divided into 128-bit blocks, is encrypted; the MAC header and CCMP header are sent in the clear.]

Comparison of WEP, WPA and WPA2

Key establishment
WEP: Relies on preshared, a.k.a. out-of-band, key establishment mechanisms. Usually leads to manual configuration of keys and to key sharing among STAs in a BSS (often ESS).
WPA: Recommends 802.1X for authentication and key establishment in enterprise deployments. Also supports preshared key establishment like WEP.
WPA2: Same as WPA.

Cipher
WEP: Uses a synchronous stream cipher which is unsuitable for the wireless medium.
WPA: Same as WEP.
WPA2: Replaces a stream cipher (RC4) with a strong block cipher (AES).

Per-packet key generation
WEP: Generates the per-packet key by concatenating the IV directly to the master/preshared key, thus exposing the base key/master key to attacks like FMS.
WPA: Solves this problem (a) by introducing the concept of PTK in the key hierarchy and (b) by using a key mixing function instead of simple concatenation to generate per-packet keys. This reduces the exposure of the master key.
WPA2: Same as WPA.

Key space
WEP: Static master key + small size of IV + method of per-packet key generation → extremely limited key space.
WPA: Increases the IV size to 56 bits and uses only 48 of these bits, reserving 8 bits to discard weak keys. Also, the use of PTKs which are generated afresh for each new session increases the effective key space.
WPA2: Same as WPA.

IV handling
WEP: Changing the IV with each packet is optional → key reuse highly probable.
WPA: Explicitly specifies that both the transmitter and the receiver initialize the IV to zero whenever a new set of PTK is established31 and then increment it by one for each packet sent.
WPA2: Same as WPA.

Message integrity
WEP: Linear algorithm (CRC-32) used for message integrity → weak integrity protection.
WPA: Replaces the integrity check algorithm with MICHAEL, which is nonlinear. Also specifies countermeasures for the case where MICHAEL may be violated.
WPA2: Provides stronger integrity protection using AES-based CCMP.

Header integrity
WEP: ICV does not protect the integrity of the 802.11 header → susceptible to redirection attacks.
WPA: Extends the ICV computation to include the MAC source and destination address to protect against redirection attacks.
WPA2: Same as WPA.

Replay protection
WEP: No protection against replay attacks.
WPA: The use of the IV as a sequence number provides replay protection.
WPA2: Same as WPA.

Network authentication
WEP: No support for a STA to authenticate the network.
WPA: No explicit attempt to solve this problem, but the recommended use of 802.1X could be used by the STA to authenticate the network.
WPA2: Same as WPA.

31 This usually happens every time the STA associates with an AP.

CHAPTER 11 Voice Over Wi-Fi and Other Wireless Technologies
Praphul Chandra
David A. Lide

11.1 Introduction

So far we have been discussing voice over Wi-Fi in the context of pure VoIP technology, running over 802.11a/b/g-based networks. In this chapter we will look at voice over Wi-Fi in conjunction with other wireless technologies, including proposed 802.11 extensions, cellular, WiMax (and other wireless broadband technologies), Bluetooth, and conventional cordless phone systems. The field of telecommunications is in flux. Probably the most often-used word today in telecommunications is convergence. VoIP has been a big step towards the convergence of voice (PSTN) and data (IP).
Till very recently, the C-word was limited to the discussion of wired networks and [cellular] wireless networks, and the discussions were dominated exclusively by voice-oriented wireless networks where IP had not made any significant inroads. With the emergence of Wi-Fi, IP has now gone wireless. Furthermore, the emergence of VoWi-Fi means that industry pundits are talking about the convergence of voice (GSM, 3G) and data (Wi-Fi, WiMax) in the wireless domain too. But what does all this mean? What will the wired and wireless networks of tomorrow look like? Which technology will “win”? We look at these issues in this chapter.

11.2 Ongoing 802.11 Standard Work

One characteristic of the 802.11 standard is the ever-present enhancement process. Some of these enhancements are just now coming into the market, but there are others still under specification. This section summarizes the ongoing work and the possible impact on a voice application. Table 11.1 outlines the various 802.11x projects as a reference.

Table 11.1: Summary of 802.11 Projects

Project | Description | Status (as of January 2006) | Impact to Voice
.a | Up to 54 Mbps in the 5-GHz range. Introduces the OFDM modulation technique. | Ratified; products in the market. | 802.11a is important because it adds more available channels and thus increases 802.11 voice-carrying capacity. Some impact to scanning and roaming algorithms.
.b | DSSS transmission rates in the 2-GHz ISM band. This is the base standard. | Ratified; products in the market. |
.c | Bridging operation. Not a standalone standard; work merged into 802.1d. | |
.d | Global harmonization. | Ratified. | N/A
.e | Quality of Service. | Ratified (Wi-Fi variants WMM and WMM-SA). | WMM provides two important features for the voice application: prioritization of voice over other traffic, and a power save method that is useful for voice traffic.
.f | Inter-AP protocols. | Ratified, but never really accepted in industry. | N/A
.g | Enhancement of transmission rates to 54 Mbps. | Ratified. | Higher capacity means more voice calls per AP.
.h | Regulatory enhancements and spectrum management for .a. | Ratified. | Some impact to the scanning algorithm.
.i | Security enhancements. | Ratified. | Wi-Fi variants: WPA and WPA2. See Chapter 10.
.j | Japanese regulatory: defines frequency requirements for 4.9-GHz and 5-GHz deployment in Japan. | Ratified. | No real impact.
.k | Measurement enhancements (resource management). | Under development. |
.l | No project. | |
.m | Editorial cleanup of specifications. | Ongoing. | N/A
.n | Enhancement of transmission rates to wide-band throughputs. | Under development. | See text below.
.o | Not a project. | |
.p | Wireless access in a vehicular environment. | Under development. | See text below.
.q | Not a project. | |
.r | Enhanced roaming. | Under development. |
.s | Mesh networking. | Under development. | See text below.
.t | Wireless performance prediction and test. | Under development. | See text below.
.u | Internetworking with external networks. | Under development. | See text below.
.v | Wireless network management. | Under development. | This project is looking at ways for APs to actively control station radio settings; for example, through network management protocols such as SNMP. It is closely tied with the 802.11k project.
.w | Security for management frames. | Under development. | This project is looking at extending 802.11i to protect management frames.
.x | Not a project (.x is used to refer to the entire 802.11 protocol umbrella). | |
.y | 802.11 in the 3.65–3.7-GHz band (opened up in the US in July 2005). | Under development. | New spectrum means, of course, more potential capacity for voice traffic. There will also be a roaming/scanning impact, as with mixed 802.11a/b/g solutions today. 802.11y will also include a standard mechanism to avoid spectrum interference with other users of the spectrum. This, in theory, will simplify opening up additional frequency bands in the future.
.z | No project. | |

11.2.1 802.11n

The 802.11n project is working on techniques to (a) increase the user throughput of 802.11 to over 100 Mbps and (b) increase the range of communication. This will be accomplished through the combined use of several technologies. One of the main technologies is the use of multiple input, multiple output (MIMO) antennas for send and receive. With MIMO, the transmitter and receiver can take advantage of the inherent reflections (multipath) that occur during radio transmission instead of being negatively impacted. The sender and receiver essentially generate/receive multiple data streams (up to four, two typically) that are spatially separated. Using sophisticated mathematics, the receiver is able to recover the data streams. The advantage of this approach is that the data rate can be increased and the range enhanced because the receiver can recover the signal better under noisy conditions. 802.11n also includes an improved OFDM modulation technique that can handle wider bandwidth and coding rate.

Another technology is the use of wider channels: instead of the 20-MHz channels of 802.11a/b/g, 802.11n can make use of 40-MHz channels. This is an optional feature. Packet aggregation and bursting techniques, along with a more sophisticated block acknowledgment scheme and a smaller interframe spacing (RIFS), are also used to minimize the overhead per data packet transmitted. Aggregation is especially important in mixed mode, where 802.11n devices must coexist with legacy 802.11b/g devices. 802.11n also defines an optional mode (Greenfield) where legacy support is not required. It is in this mode that the maximum data rates will be achievable (in mixed mode, for example, an 802.11n device will at a minimum need to bracket each high-throughput transmission with a legacy transmission such as RTS/CTS to clear the medium).
The standard will also include enhanced power-management techniques in addition to the U-APSD method we discussed in the previous chapter. One important, mandatory technique, referred to as MIMO power save, allows the more power-intensive MIMO mode to be disabled for transmissions that do not require the high throughput, i.e., voice. Without this, MIMO operations, at least for initial chip sets, will be more costly in terms of battery life than mature 802.11b/g solutions. A second, optional technique, power save multi-poll (PSMP), uses a microscheduling technique to manage the channel efficiently. PSMP comes in two flavors, scheduled and unscheduled. Scheduled PSMP works in conjunction with scheduled-access 802.11e. At a high level, an 802.11n Wi-Fi phone will create a scheduled PSMP traffic stream, via a TSPEC, at the start of a call. A PSMP frame will be sent by the AP according to the service period (i.e., the packetization period used in the call), and will be synchronized to the scheduled power save (S-APSD) interval that is being used. PSMP frames are management frames that are sent to a broadcast destination. Each PSMP frame contains multiple station-information fields, where a particular field gives a station ID (AID) and time offsets when the station is allowed to send and receive and for how long. In effect, these frames are minischedules for the medium (up to 8 ms at a time). The Wi-Fi phone will wake up to receive the PSMP frame and then know when to send/receive its voice packets.

With unscheduled PSMP, the 802.11n Wi-Fi phone will use U-APSD. The U-APSD configuration may or may not have been set up via a TSPEC. In either case, the receipt of a trigger frame will cause the AP to issue a PSMP frame to schedule the transmission of queued frames from its delivery-enabled access category queues. The PSMP will also schedule when the Wi-Fi phone will issue acknowledgments.
To further improve both performance and power saving during PSMP, a new acknowledgment scheme known as Multiple TID Block ACK (MTBA) is used. This ACK scheme allows ACKs (a) to be delayed, and (b) to be combined together so that all packets received in the PSMP period can be acknowledged with one acknowledgment. The impact of 802.11n on the voice-over-Wi-Fi application is obvious. Greater data throughput means more calls can be carried per access point and voice/data can be more easily mixed on the same network. One issue with 802.11n handsets will be reduced battery life due to the higher power requirements for 802.11n functions. The MIMO power-save mode will hopefully alleviate some of this and make the power consumption for 802.11n VoWi-Fi devices comparable to today’s 802.11b/g solutions.

11.2.2 802.11p

This IEEE project is looking at the changes necessary for 802.11 to operate in the 5.9-GHz licensed intelligent transportation system (ITS) band. The focus is on vehicular applications such as toll collection, safety, and commerce. One aspect of the project that is relevant to voice is the requirement for fast (i.e., vehicle-speed) handoffs. The approaches being defined in this project may impact the fast roaming work done in 802.11r and vice versa.

11.2.3 802.11s

The purpose of this project is to standardize the protocols for an 802.11-based wireless distribution system (WDS). The proposed architecture for this system is a meshed network that is wirelessly connected using 802.11 protocols. Nodes on the network will dynamically discover neighbors, and enhanced routing protocols will be present to facilitate efficient packet routing. 802.11s-compliant networks will be self-organizing. A standardized wireless distribution system for 802.11 will increase the coverage capability of 802.11 networks, thus making the applicability of 802.11 voice services even more compelling.
Instead of being restricted to disjoint islands of Wi-Fi hot spots, one can envision an 802.11s-based mesh network covering large (cell-phone scale) spaces. However, the 802.11s protocols will need to ensure that the quality of service and security concerns for voice that we have discussed earlier are addressed. Furthermore, the per-[voice] packet latency introduced by a mesh topology will have an impact on the overall quality of service that is achievable.

11.2.4 802.11t

The 802.11t project is concerned with performance measurement. This project will result in recommendations (not standards) in the areas of measurement and test techniques and metrics to be tracked. This project and a related Wi-Fi voice test project are interesting in that they recognize that voice-over-802.11 performance test requirements are very different from those for traditional data performance. Data-performance testing is mostly concerned with throughput, and the metrics of interest are the maximum bits per second that can be transmitted or received under various conditions (such as data packet size). Voice performance, however, is more concerned with the packet loss, latency and jitter that are present under overall BSS loading. Artificial test and measurement is a difficult problem, because really assessing the impact of all three performance areas on a voice call will require incorporating the techniques used in VoIP to mitigate network impacts. For example, VoIP terminals will use a jitter buffer to handle voice packet interarrival variance, and will utilize packet-loss concealment techniques to recover from lost packets. These will need to be factored into the measurement process. Power management and battery life are important 802.11 phone metrics. These are impacted heavily by access-point performance such as beacon interval stability and PS-Poll/null-frame response times. Test methodologies need to be developed for these and other power-related metrics.
A final area of voice-unique testing is roaming. A standardized test methodology for measuring roaming and handoff performance is a highly desirable product of this project.

11.2.5 802.11u

The 802.11u project is aimed at adding features to 802.11 that facilitate interoperation in multiple 802.11 network environments. These features include network enrollment, network selection and service advertisement. In general, the results of this project should facilitate Type C roaming. 802.11u will have some overlap with another IEEE project, 802.21. We will discuss this further below. One important feature being addressed in the 802.11u project is the handling of emergency calling. One proposal being considered is to use a spare bit in the existing TSPEC element to indicate that the requested resources are to be used for an emergency call. A phone could then issue an ADDTS message to the AP with this “emergency service” bit set when a “911” call was placed.

11.3 Wi-Fi and Cellular Networks

Wi-Fi/802.11 is, at its basic level, a radio technology. This section will examine how voice over Wi-Fi will interact with the current “reigning” champion of voice/radio technology: today’s cellular networks.

Wi-Fi and cellular are for the most part complementary technologies. They individually provide solutions to a subset of the wireless space. In particular, Wi-Fi can be used to provide coverage in areas where cellular is less effective: indoors, hospitals, airports, and urban canyons. The inclusion of a voice-over-Wi-Fi capability into a cell-phone handset can be viewed as the ultimate goal for voice over Wi-Fi. There are several reasons for this goal. An obvious one is economy of scale. Economically, a voice-over-Wi-Fi implementation (chip set/software solution) will reap immense benefits from deployment in the 500-million-plus cellular-handset market.
Such volumes allow for the research and development necessary to create new classes of system on a chip specifically tailored to meet conventional cellular and Wi-Fi requirements. We should expect chip sets in the future that include Wi-Fi radios and MAC/baseband integrated with cellular modems and processors. With this integration comes a reduction in cost that will surely spill over into the pure voice-over-Wi-Fi space as well.

Secondly, like its parent technology VoIP, voice over Wi-Fi will piggyback on the ongoing improvements to the data networks that are being upgraded to provide enhanced data services to the basic cell phone. Examples of this include the 3G data networks that have been coming online in the past five years.

A third factor is the usefulness of Wi-Fi technology to augment areas where cellular technology is lacking. Specifically, areas where cellular coverage is problematic (indoors, airports, hospitals, urban canyons) can be handled by overlapping Wi-Fi networks. The introduction of Wi-Fi-based mesh networks, driven by the maturation of 802.11s, will contribute to this trend. For example, vendor studies have shown that a city-wide Wi-Fi mesh network can be a more cost-effective approach to providing wireless coverage than deploying 3G (1xEV-DO). A Wi-Fi mesh network could be, for example, situated in street lamp posts (which can be rented cheaply from the city government) as opposed to a cell tower that would require space from an office building or home.

A fourth factor is bandwidth. The cellular network providers would love to have the ability to move customers off their precious spectrum wherever possible. For example, when in your broadband-enabled home, why not let the cell phone make calls over the IP-based broadband network, via your in-home Wi-Fi infrastructure? A side effect of this is that cellular providers, riding on top of broadband access, now have a means to get customer phone minutes when the customer is at home.
By providing integrated access point and VoIP gateway equipment that allows the customer’s conventional home telephony (i.e., POTS phones) to place VoIP calls back to the cellular base network, just like with the customer’s dual-mode cell phone, the cellular providers can cut into the traditional home voice-service monopoly held by the local telephone companies. This is one of the key drivers of fixed/mobile convergence, with the goal being to get customers to sign up to an all-inclusive home and mobile phone service from the cellular providers.

A final factor is the cellular-world trend to move to using a SIP-based call-signaling protocol known as IP Multimedia Subsystem, or IMS. We will discuss IMS further below. The use of SIP to control cell-phone call signaling as well as voice-over-Wi-Fi signaling makes it easy (relatively speaking) to architect a unified phone with seamless handoffs between the cell world and the Wi-Fi world.

11.3.1 Dual-Mode Issues

There are several issues, however, to overcome before dual-mode cellular and Wi-Fi phones become a reality. These include:

• Handoffs between the two networks. This is especially a problem if the existing cellular signaling mechanisms are used while on the cellular network and VoIP signaling is used when in Wi-Fi mode. One approach is to simply not allow switchover while a call is in progress. Another is to use the same signaling protocol for both networks. We will look at this case further below.
• Billing. Two networks means two billing systems, assuming that the Wi-Fi portion is not free.
• Phone integration. Integration of a dual-mode phone is a nontrivial exercise. One area of difficulty is the reuse of key hardware and software components. For example, today’s cell phone utilizes highly optimized systems on a chip, including possibly accelerator hardware for audio codecs, echo cancellation and other number-crunching algorithms that are executed on the voice samples. These may be highly integrated with the cellular voice processing, so reusing them when in voice-over-Wi-Fi mode may be difficult.
• Power management. Today’s cell phones achieve their battery life levels through a combination of power-efficient hardware and power-aware protocols. For example, the cell-phone voice-sample processing subsystem (codec, echo canceller, etc.) is closely tied to the cellular network “timeslot” so that the entire phone can wake up out of a low-power state only when needed to process, send and receive samples. A Wi-Fi phone, in contrast, does not have such a close coupling between the voice-processing subsystem and the actual Wi-Fi network. Also, a dual-mode phone will require Wi-Fi channel scanning (and its associated power requirements).
• Codec usage. In cellular telephony, the use of the codec is very closely tied to the cellular network. For example, the GSM-AMR codec rates match the cellular network transmission “time slots” exactly. Thus, an existing voice subsystem for a cellular phone may not be able to easily accommodate “standard” VoIP audio codecs such as G.729ab and G.723. While RTP profiles for the cellular codecs (GSM, EVRC) are defined for VoIP, not all VoIP devices will implement them due to their complexity and processing requirements. Thus, when in VoIP mode, a dual-mode handset may fail to negotiate a codec for a VoIP call, or may require a transcoder somewhere in the network.

11.3.2 Convergence Strategies

There are two basic strategies for Wi-Fi voice/cellular convergence, with several variations being proposed or prototyped. The first basic strategy, an example of which is being proposed for GSM networks, is an approach where the lower-layer cellular protocols are replaced with IP. The higher-layer cellular network protocols are then tunneled over the IP network.
A gateway function at the border between the IP network and the cellular backbone is provided to terminate the tunnel. In the case of GSM, this approach is known as Unlicensed Mobile Access (UMA). The second strategy, being proposed first for CDMA networks but also applicable to GSM networks, is using IMS as a common signaling protocol for both the pure cellular network signaling and the voice-over-Wi-Fi network.

11.3.2.1 UMA

Unlicensed mobile access, as defined in UMA Architecture (Stage 2) R1.0.43 (2005-425-298), is “an extension of GSM/GPRS mobile services into the customer’s premises that is achieved by tunneling certain GSM/GPRS protocols between the customer’s premises and the Core Network over a broadband IP network, and relaying them through an unlicensed radio link inside the customer’s premises.” Under UMA, a dual-mode GSM/Wi-Fi handset uses the GSM network when it is available and no Wi-Fi network is present. When a suitable Wi-Fi network comes into range, however, the phone will switch over to using voice over Wi-Fi. As defined, UMA is not Wi-Fi-specific and is designed, in theory, to use any unlicensed access technology. Wi-Fi and Bluetooth are called out as initial candidates in the UMA Stage 2 specification.

In the case of a UMA/Wi-Fi-capable handset, GSM call signaling and voice compression will be used in both the GSM cell network and the Wi-Fi network. When using the GSM spectrum (referred to as GERAN/UTRAN mode), the phone operates as a pure GSM phone with some additional functionality present to enable GSM-to-Wi-Fi roaming. We will discuss this additional component a little later. Once a switch to a Wi-Fi network has taken place, the phone will use Wi-Fi to access the Internet and will set up a secure tunnel back to the GSM core network (this is referred to as UMAN mode in the specification). Over this tunnel, pure GSM signaling messages and RTP-encapsulated media packets will be sent and received. This is illustrated in Figure 11.1.
This tunnel is terminated at a secure gateway (SGW) component of a special network device known as the UMA network controller, or UNC. The UNC/SGW sits at the border between the GSM core network and the Internet and acts as a gateway between the VoIP and GSM worlds. On the VoIP side, the UNC looks like the endpoint of a TCP/IP connection. On the GSM side, the UNC looks like a GSM base station. The UNC routes data (call-signaling messages or media packets) between the IP network and the GSM network.

[Figure 11.1: UMA Overview. Elements shown: dual-mode phone, AP, IP network, UNC, GSM core network, GSM cellular radio network.]

There are two kinds of UNCs: provisioning UNCs and serving UNCs. The provisioning UNC is used for initial phone bring-up and will typically redirect the phone to a serving UNC. The FQDN of the provisioning UNC and its associated secure gateway will typically be provisioned into the dual-mode phone.

The tunnel between the dual-mode phone and the UNC is secured using the standard Internet security protocol, IPsec. The specification calls for the use of the IPsec Encapsulating Security Protocol (ESP) in tunnel mode with AES encryption (Cipher Block Chaining mode) and SHA1 authentication. Figure 11.2 illustrates the protocol layering of UMA for voice and signaling, respectively.

[Figure 11.2: UMA Signaling Secure Tunneling. Dual-mode phone stack (codec (GSM, others) or upper GSM signaling layers / RTP / TCP-UDP / IP) carried in an IPsec/IP tunnel over 802.11 to the AP and across the IP network to the UNC, which terminates the tunnel toward the GSM core.]

The IPsec security association is set up via the IKE key-management protocol (v2). UMA defines two IKE profiles, one using EAP-SIM and one using EAP-AKA (authentication and key agreement). Both these profiles allow for fast reauthentication.
This is useful to reduce the workload of full IKEv2 handshaking and to speed up the registration process, especially if the dual-mode UMA phone has roamed onto a new Wi-Fi network (where its assigned IP address has changed). It is important to note that this secure tunnel is used for all data between the dual-mode phone and the UNC, including voice traffic. We will have more to say about the bandwidth efficiency of this scheme a little later.

The first operation after setting up the tunnel is to register. This may take several steps and additional tunnels, especially if this is the first time the phone has booted, because of the serving-UNC discovery procedure. The procedure consists of the following steps:
• Discovery of the default serving UNC. This is provided by the provisioning UNC.
• Registration with the default serving UNC. The default serving UNC may accept the registration, or may redirect the phone to use a different serving UNC.
• In the latter case, the registration is repeated with the new serving UNC. This involves setting up another secure tunnel.
• The registration is completed by the dual-mode phone sending a Register Accept message.

The FQDN of the serving UNC/SGW can be saved for subsequent reboots along with the AP BSSID. On subsequent reboots, the phone can attempt to register directly with the serving UNC that it previously used when connected to this AP. Note that the phone can be redirected to a different serving UNC, so the discovery procedure can take place at any time. The discovery procedure may also be necessary if the phone roams to a new Wi-Fi network where it has not previously operated.

Once the secure tunnel is in place and the dual-mode phone has registered with the UNC, the phone can use the tunnel to transport the higher layers of the GSM call-signaling protocols. The UNC gateway function translates between the GSM core network and the secure tunnel.
The tunnel is also used for the media traffic flow. While VoIP allows a variety of codecs to be used, UMA uses the cellular-standard GSM AMR or WB-AMR codecs (RFC 3267). This is preferred since a call might have roamed from, or may in future roam to, the cellular network.

The codec samples are RTP-encapsulated before being transmitted through the secure tunnel. One comment on this is that the use of IPsec and secure tunneling introduces substantial overhead to each voice packet. Given that a 20-ms GSM voice frame (at the full AMR rate of 12.2 kbps) contains 244 bits of speech payload plus 12 bits of frame overhead, for a total of 32 bytes, we can compute that a UMA secure/tunneled RTP packet will effectively be 126 bytes plus layer 2 headers (see Table 11.2).

Table 11.2: Effective GSM RTP Packet Size in UMA Tunnel (with AES Encryption in CBC Mode, SHA1 Authentication)

Packet Element                 | Size (bits)
Frame payload (12.2 kbps rate) | 244
CMR                            | 4
Table of contents              | 6
RTP padding                    | 2
RTP header                     | 96
UDP/IP                         | 224
2nd IP header (tunnel)         | 160
IPsec ESP header               | 32
IV                             | 128
Padding                        | 0
Trailer                        | 16
Authentication                 | 96
Total                          | 1008
% Overhead                     | 321%

A dual-mode UMA phone can be set up with one of four preferences:
1. GSM only (i.e., never use the UMAN mode of operation).
2. GSM preferred (i.e., use GERAN/UTRAN mode where possible, switching to UMAN mode only when the GSM network is not available).
3. UMAN preferred (i.e., use voice over Wi-Fi where possible).
4. UMAN only (i.e., switch to UMAN mode immediately after the phone starts up and registers on the GSM network).

The procedure to switch from GERAN/UTRAN mode to UMAN mode (GSM-to-Wi-Fi handover) is referred to as “rove in,” and the reverse procedure is referred to as “rove out.” Unlike inter-802.11 roaming, these two roaming procedures are of the “make before break” type, meaning that the new mode must be fully established before the old mode is disconnected. This is important because, as we have seen before, there are multiple protocol steps in the secure tunnel and registration procedures before voice can actually be delivered to/from the handset.

UMA has the goal of seamless switchover between the two modes. It will be interesting to see if this is achievable in practice. One problem area will be the delay introduced by the RTP jitter buffer when in UTRAN mode. When in GERAN mode, the phone operates without any jitter buffer (one is not required because of the TDMA protocol used in the GSM network). As soon as UTRAN mode is enabled, the initial RTP packets from the core network will need to be delayed in the handset so that the handset jitter buffer can be primed. Thus, the user will potentially hear a gap in the conversation equal to the jitter buffer’s nominal setting. One way around this, potentially, is to begin with a shallow jitter buffer and let it adapt aggressively if network conditions require a deeper buffer. The corresponding jitter buffer in the UNC will need the same kind of work-around.

The UMA specifications include recommendations for the Wi-Fi network that a dual-mode UMA phone will utilize. These recommendations include:
• Use of 802.11 security: WEP or WPA PSK.
• QoS: use of WMM is recommended. The specification suggests “simulating” WMM if the AP does not support the feature, by using a “non-standard,” smaller backoff window and interframe delay. The specification also calls for the dual-mode phone to use the link-level 802.1D priority markings and/or the IP-layer TOS/DSCP value of received packets for outgoing packets.
• Power save: the specification calls for the use of 802.11 power save when not in an active call but, interestingly, states that 802.11 power save should not be used during a call.
Presumably this was written before the voice-friendly U-APSD power-save mode was defined by 802.11/Wi-Fi.
• Roaming and scanning: the specification calls for background scanning at an undefined interval, “depending on power conservation strategies.” It recommends the use of RSSI as the key metric for deciding when to roam. It also states that Wi-Fi roaming is to be isolated from the upper-layer protocols, unless the IP address has changed as a result of the roam. For inter-BSS roaming, UMA suggests a target of 100 ms for the device to switch to a new AP.
• From a hardware capability point of view, the specification requires the physical characteristics shown in Table 11.3.
• Finally, the specification recommends the use of “intelligent” packet loss concealment algorithms to mitigate packet loss.

On the AP side, the specification recommends a beacon period of 100 ms.

Table 11.3: Wi-Fi Physical Characteristics Required for UMA

Characteristic              | Specification
Transmit power (at antenna) | +17 dBm
Receive sensitivity         | −87 dBm @ 1 Mbps
Antenna gain                | 0 dBi

UMA, when operating in UMAN mode, has provisions for some amount of RTP session negotiation. UMA allows the following call parameters to be “negotiated,” via information elements in the tunneled signaling packets:
• RTP port (UDP)
• RTCP port (UDP)
• Sample size (VoIP packetization period)
• Redundancy/mode tables (see below)
• Initial GSM codec mode to use
• RTP dynamic payload type to use for the audio codec

These parameters can also be changed mid-call through tunneled signaling messages.

The GSM codec has a built-in redundancy mode that is applicable to transport over Wi-Fi and over IP in general. UMA has provisions to take advantage of this feature.
The feature works as follows. GSM inherently supports various modes of operation (or bit rates), ranging from 4.72 kbps to 12 kbps for the narrowband AMR codec (additional rates are available in the wideband WB-AMR codec). Any of these rates can be used in a call, and the RTP packing format for GSM AMR includes a field (Codec Mode Request, or CMR) with which a receiver can signal to the other side that it desires a codec rate change. Furthermore, an RTP GSM AMR packet may contain redundancy in the form of copies of previously transmitted GSM frames. This is referred to as forward error correction.

UMA allows a redundancy/mode table to be exchanged via information elements in the tunneled GSM/UMA call-signaling packets. This table gives, for each rate, the desired redundancy level (UMA restricts the options to none, one level or two levels). A separate table can also be present that defines, for each mode, the frame-loss-rate threshold and a hysteresis level to control when a receiver should try to switch rates. Armed with these tables, a UMA handset can monitor the frame loss it is seeing and, when configured loss thresholds are hit, use the CMR field to request a rate/redundancy change. Similarly, the receiver in the UNC can do the same.

As a note, it is unlikely that a rate change alone will accomplish much when in UMAN mode, because of the packet protocol and security overhead mentioned above. However, switching to a lower bit rate with redundancy has the effect of protecting against packet loss without increasing the overall RTP packet size. This is an important consideration for Wi-Fi QoS networks with admission control, and it also has a slight impact on power consumption when operating in the Wi-Fi network.

The GSM codec also has a feature known as unequal bit error detection and protection.
This is accomplished by organizing the codec payload bits into three classes: A, B and C. Class A bits are the most important, Class B are next, and Class C are the least important. For example, in the GSM AMR 12.2-kbps rate, 81 of the 244 bits in a 20-ms frame are deemed Class A. Thus, in theory, a received packet with corruption in the Class B or C area of the payload could still be used (and not completely dropped). This scheme is, of course, very useful in GSM cellular networks, where the packet integrity checks are adjusted to reflect the payload bit classes.

Unfortunately, when operating in UMAN mode over a Wi-Fi/IP network, this codec feature is not applicable (although it would be beneficial). The problem is that, first, a UDP checksum covers the entire UDP packet, so UDP checksums would need to be completely disabled for the scheme to work. Even more damaging is the use of the IPsec-protected tunnel. IPsec performs a message authentication check across the entire payload. Thus, bit errors in the Class B and C areas would result in the packet being dropped because of authentication failures. Finally, and most damaging, the 802.11 link-level security authentication checks (if enabled) would also fail for the same reason. Using this feature would require “application” knowledge to be propagated down to all layers of the protocol stacks; clearly this is not a feasible approach, at least for the near future.

A final area of interest with UMA is its handling of 911 emergency calls. A UMA dual-mode phone can first be configured, as part of the registration process, as to which network is preferred for making emergency calls. Secondly, the UMA call-setup message includes an information element to indicate the type of call; “Emergency” is an option in this IE. Finally, UMA has several options for managing location information:
• UMA handsets can send the identifier of their attached AP.
The UNC can then use this to “look up” the AP’s location when an emergency call is placed. This, of course, is only 100% accurate if every possible AP (that UMA allows; UMA has provisions to restrict the APs which the dual-mode phones can use to obtain UMA service) has been registered so that its location is in a back-end database.
• UMA handsets can send their own location if they know it by other means, e.g., GPS.

11.3.2.2 IMS

The second approach to dual-mode telephony is the use of VoIP in both the cellular and Wi-Fi modes, via IMS. The IP Multimedia Subsystem is a key element of the third generation (3G) architecture. 3G is, briefly, a collaboration of various standards bodies to define the next (third) generation of cellular networks. 3G is a unification of the cellular world and the Internet, and IMS is the mechanism that enables IP-level services. IMS is based on SIP. As we have discussed earlier, SIP is now the main VoIP call-signaling protocol. The reasons for changing from conventional cellular signaling to a system based on SIP are beyond the scope of this book. The driving factor is unification of services, with the idea being that IMS-based signaling can facilitate the deployment of voice, video, presence and other services.

However, the use of SIP/IMS and VoIP over the existing cellular networks has some interesting technical challenges that, if solved, will play into a pure voice-over-Wi-Fi scenario as well. One issue is bandwidth. Today’s cellular networks are constrained in the amount of bandwidth available for a voice call. SIP-based VoIP call signaling utilizes a relatively inefficient, text-based protocol to communicate call-signaling information. Furthermore, if you look at a VoIP media packet, a good portion of it is packet header information. Thus, IMS signaling and media will require more bandwidth than the current cellular protocols.
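As an added example (not from the book or the UMA specification), the following Python works through two points from the UMA discussion in 11.3.2.1: the rate/redundancy trade-off (which lower AMR rate with repeated frames still fits in the 12.2 kbps, no-redundancy payload) and the unequal-error-protection problem (why a single Class C bit error fails the ESP integrity check even though the codec could have used the frame). It assumes the RFC 3267 bandwidth-efficient payload layout, takes the per-mode speech-bit counts from 3GPP TS 26.101, treats the first 81 bits of the frame as Class A for illustration, and hashes only the frame rather than the whole ESP payload; the key and frame contents are constructed.

```python
"""Added example: AMR frames inside the UMA IPsec tunnel.

1. payload_bits / best_mode_with_redundancy: RTP payload size per AMR mode and
   redundancy level in the RFC 3267 bandwidth-efficient layout (4-bit CMR, one
   6-bit table-of-contents entry per frame, then the frames, padded to an octet).
2. esp_icv / receiver_accepts / codec_would_accept: the ESP integrity tag
   (HMAC-SHA1 truncated to 96 bits, the 'Authentication 96' row of Table 11.2)
   rejects any changed bit, whatever its codec class.
Speech-bit counts per mode are from 3GPP TS 26.101; 81 Class A bits for the
12.2 kbps mode is the figure given in the text.  Key, frame contents and the
'first 81 bits are Class A' simplification are constructed for this example.
"""
import hashlib
import hmac

AMR_NB_SPEECH_BITS = {4.75: 95, 5.15: 103, 5.9: 118, 6.7: 134,
                      7.4: 148, 7.95: 159, 10.2: 204, 12.2: 244}
CMR_BITS, TOC_BITS = 4, 6
CLASS_A_BITS_12_2 = 81


def payload_bits(mode, redundancy=0):
    """RTP payload bits for one new frame plus `redundancy` repeated earlier frames."""
    frames = 1 + redundancy
    raw = CMR_BITS + frames * (TOC_BITS + AMR_NB_SPEECH_BITS[mode])
    return (raw + 7) // 8 * 8                      # padded to an octet boundary


def best_mode_with_redundancy(redundancy, budget_bits=None):
    """Highest AMR mode whose payload with `redundancy` repeats fits the budget
    (default: the 12.2 kbps, no-redundancy payload), or None if none fits."""
    if budget_bits is None:
        budget_bits = payload_bits(12.2)
    fitting = [m for m in AMR_NB_SPEECH_BITS if payload_bits(m, redundancy) <= budget_bits]
    return max(fitting) if fitting else None


def esp_icv(key, protected):
    """ESP authentication tag: HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(key, protected, hashlib.sha1).digest()[:12]


def flip_bit(data, bit_index):
    """Simulate a single air-interface bit error at `bit_index` (MSB-first)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


def receiver_accepts(key, protected, tag):
    """The IPsec receiver: any changed bit, whatever its codec class, fails the ICV."""
    return hmac.compare_digest(esp_icv(key, protected), tag)


def codec_would_accept(sent_frame, received_frame, class_a_bits=CLASS_A_BITS_12_2):
    """What a UEP-aware channel decoder does: only Class A bit errors condemn the frame."""
    for i in range(class_a_bits):
        mask = 0x80 >> (i % 8)
        if (sent_frame[i // 8] & mask) != (received_frame[i // 8] & mask):
            return False
    return True


def demo(error_bit=200):
    """Corrupt one bit of a protected frame and compare the two verdicts."""
    key = b"constructed-demo-key"            # constructed; a real SA key comes from IKEv2
    frame = bytes(range(31))                 # constructed stand-in for a 244-bit 12.2 kbps frame
    tag = esp_icv(key, frame)
    damaged = flip_bit(frame, error_bit)     # bit 200 lies outside the first 81 (Class A) bits
    return {"esp_accepts": receiver_accepts(key, damaged, tag),
            "codec_would_accept": codec_would_accept(frame, damaged)}
```

With one level of redundancy only the 5.9 kbps mode still fits the 12.2 kbps payload budget; with two levels none of the narrowband modes does, so that option does grow the packet.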
In the case of SIP messages, one approach is to use compression techniques such as those defined in RFC 3320. With RFC 3320, a layer that performs lossless compression (e.g., gzip) can be inserted between the application (voice-signaling SIP stack) and the network protocol stack (TCP/IP). On transmission, this layer can run a native implementation of a compression algorithm. On reception, however, this layer makes use of the Universal Decompressor Virtual Machine (UDVM), which is essentially a Java-like virtual machine tailored specifically for decompression operations. The instructions or “bytecodes” to be executed are provided by the sender. The advantage of this approach is that the actual compression algorithm can be controlled entirely by the transmit side; it can pick any algorithm desired, perform the compression on a message, and send it along with the UDVM instructions on how to decompress it (the bytecodes would only need to be sent with the first message, assuming the same algorithm is used throughout the signaling session).

To tackle the problem of the media-packet protocol overhead introduced by the RTP/UDP/IP headers, one approach is to use a technique called robust header compression (ROHC, RFC 4362). ROHC can work across a link layer (e.g., in 802.11 between the phone and AP). The basic idea behind ROHC and its related header-compression protocols is to define, at the start of a packet flow (e.g., at call setup), which fields in the packet headers are static, which fields update according to simple rules (e.g., the RTP timestamp), and which fields need to be sent along with each packet. Once these are set up, the static fields and those that change in a simple way can be stripped before packet transmission. The receiver then reconstructs the complete header before forwarding the packet.
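A toy version of the header-compression idea just described, added here as an illustration (not the book’s code and not a faithful ROHC profile): it classifies the RTP/UDP/IP fields as static, inferred or changing, sends only the sequence-number LSBs plus a small CRC per packet, and shows how a loss burst longer than the LSB window is detected and repaired with a context refresh. The 4-bit window, the 16-bit CRC, the 160-sample timestamp stride and the IR/CO packet names are this example’s choices.

```python
"""Added example: ROHC-style header compression for an RTP/UDP/IP voice flow.

Fields are classified once per flow:
  static   - sent only in an initialisation (IR) packet (addresses, ports, SSRC)
  inferred - never sent; the decompressor derives them (timestamp += stride per packet)
  changing - sent in every compressed (CO) packet: low bits of the RTP sequence
             number plus a CRC of the full header
The CRC lets the decompressor notice that a loss burst longer than the LSB window
has left its context out of step, so it can ask (ROHC feedback) for a fresh IR.
"""
from dataclasses import dataclass, replace
import zlib


@dataclass(frozen=True)
class RtpHeader:
    src_ip: str        # static
    dst_ip: str        # static
    src_port: int      # static
    dst_port: int      # static
    ssrc: int          # static
    seq: int           # changing: sent as LSBs
    timestamp: int     # inferred from seq


TS_STRIDE = 160                 # 20 ms of 8 kHz audio per packet (example choice)
SEQ_LSB_BITS = 4                # example choice; ROHC negotiates the LSB width
WINDOW = 1 << SEQ_LSB_BITS      # gaps of up to WINDOW-1 lost packets are bridged


def header_crc(hdr):
    """Toy 16-bit check over the full uncompressed header (ROHC uses 3/7/8-bit CRCs)."""
    return zlib.crc32(repr(hdr).encode()) & 0xFFFF


class Compressor:
    def __init__(self):
        self.context = None       # header the decompressor is assumed to hold
        self.refresh = True       # send IR on the first packet and after a NACK

    def compress(self, hdr):
        static_changed = (self.context is not None and
                          replace(hdr, seq=0, timestamp=0) != replace(self.context, seq=0, timestamp=0))
        if self.refresh or static_changed:
            self.context, self.refresh = hdr, False
            return ("IR", hdr)                               # full header
        self.context = hdr
        return ("CO", hdr.seq & (WINDOW - 1), header_crc(hdr))   # LSBs + CRC only

    def request_refresh(self):
        """Feedback from the decompressor (ROHC NACK): resend the full context."""
        self.refresh = True


class Decompressor:
    def __init__(self):
        self.context = None

    def decompress(self, pkt):
        """Return (ok, header); ok is False when the context is damaged."""
        if pkt[0] == "IR":
            self.context = pkt[1]
            return True, pkt[1]
        if self.context is None:
            return False, None
        _, seq_lsb, crc = pkt
        delta = (seq_lsb - self.context.seq) % WINDOW or WINDOW   # forward distance 1..16
        guess = replace(self.context, seq=self.context.seq + delta,
                        timestamp=self.context.timestamp + delta * TS_STRIDE)
        if header_crc(guess) != crc:
            return False, None          # a burst longer than the window slipped past
        self.context = guess
        return True, guess


def make_flow(n, seq0=1000):
    """Constructed 20 ms voice flow with fixed static fields."""
    return [RtpHeader("10.0.0.2", "10.0.0.9", 16384, 16384, 0xCAFE, seq0 + i, i * TS_STRIDE)
            for i in range(n)]


def run_flow(headers, lost):
    """Push a flow over a link that drops the packet indices in `lost`.
    Returns (reconstructed header or None per delivered packet, IR packets sent, NACKs)."""
    comp, decomp = Compressor(), Decompressor()
    delivered, ir_sent, nacks = [], 0, 0
    for i, hdr in enumerate(headers):
        pkt = comp.compress(hdr)
        ir_sent += pkt[0] == "IR"
        if i in lost:
            continue
        ok, got = decomp.decompress(pkt)
        if not ok:
            nacks += 1
            comp.request_refresh()
        delivered.append(got)
    return delivered, ir_sent, nacks
```

A single lost packet is absorbed by the LSB encoding; a burst of 20 costs one undecodable packet and one IR refresh before the flow resynchronises.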
The protocols include mechanisms to recover from delivery problems; for example, if a burst of packets is lost for some reason, the preset header information may need to be changed.

11.4 WiMax

WiMax is a new wireless technology, defined by the IEEE 802.16x standards. The core standard, 802.16, defines protocols for a broadband wireless infrastructure operating in the 10–66 GHz frequency range. The basic topology defined in the specification is point-to-multipoint. The targeted data throughput range was 70 Mbits, with a peak rate of 268 Mbps and a typical cell radius of 1–3 miles. This base standard was subsequently enhanced with a suite of amendments known as 802.16a. These added considerations for more spectrum bands (licensed and unlicensed), support for non-line-of-sight architectures, new physical-layer specifications and enhancements to the MAC layer. These later changes included consideration for quality of service and different types of traffic, including voice.

A second version of WiMax is currently being defined. This version, based on the 802.16e specification, addresses mobility and roaming considerations. It will include support for hard and soft handoffs and improved power-saving techniques. It introduces a new PHY layer optimized for mobility.

Like 802.11, the 802.16 specifications include multiple physical layers. 802.16a defines three protocols:
• A single-carrier modulation format.
• Orthogonal Frequency Division Multiplexing (OFDM), with a 256-point transform. This is the same modulation technique used in 802.11g.
• Multiuser OFDM (OFDMA), with a 2048-point transform.

802.16 adds a new variant of OFDMA, referred to as SOFDMA (the “S” stands for scalable). The variant provides better performance for multiple users under varying conditions. The media access layer for 802.16 is quite different from that of 802.11.
It is based closely on the data-over-cable specification (DOCSIS). The relationship between WiMax and Wi-Fi is still to be defined. The conventional school of thought is that WiMax will become a “last-mile” technology, providing an alternative to the currently deployed broadband technologies (i.e., DSL, cable, fiber-to-the-home, etc.). A WiMax CPE device, for example, could contain an 802.11 subsystem as well, just like today’s cable and DSL broadband routers. With this architecture, a voice-over-Wi-Fi phone would be another subscriber to the WiMax backbone. 802.16e, with its support for mobility, muddies the waters. Conceivably, 802.16e could be used as a replacement for Wi-Fi in some environments.

11.5 VoWi-Fi and Bluetooth

Bluetooth (BT) is a radio technology geared at the 2.4–2.5835-GHz ISM unlicensed frequency band, just like Wi-Fi (802.11 b/g). Table 11.4 summarizes 802.11/Wi-Fi and Bluetooth technology. There are three classes of BT devices, each with a different maximum output power and corresponding range profile. These are summarized in Table 11.5.

Table 11.4: Wi-Fi (b/g) / Bluetooth Comparison

Wi-Fi | Bluetooth
Direct Sequence Spread Spectrum (DSSS). | Frequency Hop Spread Spectrum (FHSS).
Uses only 22 MHz × 3 channels = 66 MHz. | Uses 1 MHz × 79 channels = 79 MHz. The hop rate is 1600 hops/sec.
Power: 1 W (30 dBm). | Power: 1 to 100 mW.
Data rate: up to 56 Mbps at close range, 5.9 Mbps at 175 ft, 5.5 Mbps at 250 ft. | Max data rate 550 kbps at 250 ft.
Range up to 100 meters, depending on power and environment. | Range by power class: 100 meters (class 1), 10 meters (class 2), 10 cm (class 3).
Each Wi-Fi network uses 1 channel; max 3 nonoverlapping networks. | FCC requires BT devices to hop over ≥ 75 channels, up to a max of 79 channels.
Defines only layer-2 protocols; a common way to access the Internet through the AP. | Defines different layers of protocols. Profiles allow for different voice and data application interworking.
Security is in layer 2 (WEP, WPA, WPA2, etc.). | Security is in layer 2 (LMP), plus a security architecture for different layers.
Allows one AP and many stations to bind. | Allows one pair, an AG (Audio Gateway) and a handset or hands-free device, to pair.

Table 11.5: BT Device Power Classes

Power Class | Max Output Power (mW) | Maximum Range (meters)
Class 1     | 100 mW                | 100 m
Class 2     | 2.5 mW                | 10 m
Class 3     | 1 mW                  | 10 cm

The current uses of BT (at least in classes 2 and 3) make it a complementary technology to Wi-Fi. In the context of a VoWi-Fi phone, a BT subsystem might be present to provide low-rate, close-proximity wireless access to peripherals. The most likely scenario is one where a VoWi-Fi phone has a BT subsystem to allow the use of a BT handset or hands-free device as the end audio transducer. This leads us to the main issue with BT and Wi-Fi: coexistence.

In a nutshell, the BT physical layer utilizes a frequency-hopping technique that unfortunately can cause interference in an 802.11 b/g network (and vice versa). As described earlier, the Wi-Fi/802.11 b/g standards in North America divide the ISM band into 11 overlapping channels (in Europe and Japan additional channels may be present). Only three channels (1, 6, 11) are nonoverlapping. Each channel utilizes 22 MHz of the ISM band; thus 3 × 22 = 66 MHz out of the 88.35-MHz ISM band will be occupied by a fully loaded Wi-Fi deployment.

Bluetooth, on the other hand, uses a frequency-hopping technique across almost the entire ISM band. Each hop frequency is 1 MHz wide, and up to 79 channels are allowed. Furthermore, BT specifies a hop rate of 1600 hops/sec. This means that transmissions from a BT device will definitely overlap with Wi-Fi transmissions if it is in range and the Wi-Fi transmission is long enough. This is shown graphically in Figure 11.3.
[Figure 11.3: 802.11 b/g Frequency Bands. Channels 1–11 plotted against frequency from 2.4 GHz through 2.441 GHz to 2.483 GHz, showing the overlapping 22-MHz channels.]

The impact of interference from BT devices on Wi-Fi equipment is to effectively raise the Wi-Fi channel bit-error rate. A BT device that wants to transmit is unaware of Wi-Fi activity and will not delay its transmission. If it is in range and its frequency-hopping scheme happens to overlap the Wi-Fi transmission, the Wi-Fi receiver sees a degraded signal and can either miss the packet or detect a CRC error. In either case, the Wi-Fi transmitter will need to resend. Packet retransmission in Wi-Fi typically leads to a reduction of transmission rate, as the Wi-Fi devices attempt to react to what they perceive as a noisy environment. Thus, data that would normally be transmitted at 54 Mbps may eventually be transmitted at a rate of 11 Mbps. This reduces the overall throughput of the Wi-Fi network and has other side effects for voice, such as increased latency and power consumption.

Figure 11.4 conceptually illustrates the effect of a BT transmitter on Wi-Fi throughput. The figure plots Wi-Fi throughput versus received signal strength for the cases where the BT device is transmitting or not.

[Figure 11.4: Wi-Fi Throughput vs. Received Signal Strength (AP-STA distance). Curves for “No BT,” “BT @ 1 m” and “BT @ 10 m”; x-axis: received signal power (−dBm) from 0 to 100; y-axis: Wi-Fi throughput.]

Received signal strength here is used as a generalization of the distance between the Wi-Fi device and its access point. The net effect of a BT transmitter in close proximity is to sharply degrade throughput, even when the Wi-Fi device is close to the AP. The degree of impact of the BT transmitter is correlated with the BT device’s distance from the Wi-Fi device. As an unpleasant side effect, Wi-Fi packets sent at the lower Wi-Fi rates stay on the air longer and are hence even more likely to experience BT interference.
Note that, because of the frequency-hopping technique used in BT, a Wi-Fi transmitter may not be able to detect that a BT transmission is in progress and back off. This is in contrast to the case of Wi-Fi channel overlap; in that situation a Wi-Fi device is more likely to detect the 802.11 energy and can then back off.

Before discussing ways for BT and Wi-Fi to coexist, we need to discuss the types of BT connections that can be used. BT has two types of link-level protocols: asynchronous connectionless (also known as ACL) and synchronous connection-oriented (SCO). ACL BT protocols are typically low rate and allow for packet retransmission. SCO connections are higher speed and (in BT 1.0 devices) do not allow for packet retransmission. SCO connections are used, for example, to communicate with BT headsets and hands-free devices. Different coexistence techniques are required for each of these, depending on the type of Wi-Fi traffic. For a VoWi-Fi phone with an adjunct BT handset or hands-free device, we are interested in Wi-Fi voice coexistence with BT voice over an SCO connection.

Several coexistence schemes for BT and Wi-Fi are possible. We will discuss some of these below. It is important to recognize that a combination of schemes will be required for a fully robust solution.

One technique, utilized by Wi-Fi and BT chipset providers such as Texas Instruments, is to provide silicon-level interfaces so that the two chipsets can collaborate to minimize interference. In the Texas Instruments solution, for example, its two chipsets share a coexistence interface over which information on when transmission is taking place can be exchanged. If a BT transmission is going on, the Wi-Fi transmission can be delayed, and vice versa. This approach works best for Wi-Fi data and BT data (i.e., ACL) coexistence, with a couple of limitations.
It is not enough to solve Wi-Fi voice and BT voice (SCO) coexistence problems, however.

A second set of techniques comes from version 1.2 of the BT standard. This update has taken steps to address the coexistence issue by incorporating two new features: adaptive frequency hopping, and an enhanced SCO link protocol (ESCO). The BT 1.2 adaptive frequency-hopping scheme allows a BT device that has knowledge of the 802.11 device it is co-located with to adjust its frequency-hopping scheme accordingly. For example, if a BT device knows that its 802.11 counterpart is operating on channel 1, it can select frequencies outside the 802.11 channel 1 subband for its hopping sequence. Thus, the BT device would use 57 of the possible 79 channels. Using this technique in practice for the case of VoWi-Fi and a BT headset/hands-free device has several issues to overcome:
• The BT 1.2 specification does not define how the BT device learns the channel in use. Typically this would require a software interface between the Wi-Fi and BT chipsets/device drivers.
• The adaptive frequency-hopping scheme does not help as much in cases where multiple 802.11 channels are all in use, as would be the case in an enterprise environment. The 1.2-compatible BT devices can skip around the 802.11 channel that the co-located Wi-Fi device is actively using, but may still interfere with other Wi-Fi devices as the user roams.
• Furthermore, in a multiple-AP environment the BT device will need to change its hopping sequence whenever the Wi-Fi device decides to roam. This will most likely result in an interruption in the BT data stream.
• There will be an impact on the scanning techniques. For example, the use of unicast probes to discover new APs on other channels will be problematic.
• A final issue is that a combined Wi-Fi/Bluetooth device will have cost pressures to share a single antenna.
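To put numbers on the two adaptive-frequency-hopping points above (57 usable hop channels when channel 1 is avoided; far less help when channels 1, 6 and 11 are all in use), here is an added example, not from the book or the Bluetooth specification. It assumes 802.11 b/g channel n is 22 MHz wide and centred at 2412 + 5(n-1) MHz, that Bluetooth hop channels sit at 2402 + k MHz for k = 0..78, and that a hop “collides” when its centre frequency falls inside an active Wi-Fi channel.

```python
"""Added example: BT 1.2 adaptive frequency hopping versus 802.11 b/g channel use.

Geometry as in the text: an 802.11 b/g channel is 22 MHz wide, centred at
2412 + 5*(n-1) MHz; Bluetooth hops over 79 channels of 1 MHz at 2402 + k MHz.
A hop counts as colliding when its centre frequency lies inside an active Wi-Fi
channel (this example's simplification of the real spectral masks).
"""
WIFI_CHANNEL_WIDTH_MHZ = 22
BT_HOP_CHANNELS_MHZ = [2402 + k for k in range(79)]
BT_HOP_RATE_PER_S = 1600                        # from Table 11.4


def wifi_band(channel):
    """Lower and upper edge (MHz) of an 802.11 b/g channel (1..14)."""
    centre = 2412 + 5 * (channel - 1)
    half = WIFI_CHANNEL_WIDTH_MHZ / 2
    return centre - half, centre + half


def afh_channel_map(avoided_wifi_channels):
    """Hop frequencies a BT 1.2 device keeps once told which Wi-Fi channels to avoid."""
    bands = [wifi_band(c) for c in avoided_wifi_channels]
    return [f for f in BT_HOP_CHANNELS_MHZ
            if not any(lo <= f <= hi for lo, hi in bands)]


def collision_probability(active_wifi_channels, hop_map=BT_HOP_CHANNELS_MHZ):
    """Fraction of hops (uniform over hop_map) that land inside an active Wi-Fi channel."""
    bands = [wifi_band(c) for c in active_wifi_channels]
    hits = sum(1 for f in hop_map if any(lo <= f <= hi for lo, hi in bands))
    return hits / len(hop_map)


def expected_collisions_per_second(active_wifi_channels, hop_map=BT_HOP_CHANNELS_MHZ):
    """How often, per second of BT transmission, a hop lands on an active Wi-Fi channel."""
    return BT_HOP_RATE_PER_S * collision_probability(active_wifi_channels, hop_map)


def scenarios():
    """The situations the text describes, as (usable hop channels, collision probability)."""
    home = afh_channel_map([1])                 # phone and AP on channel 1, BT told about it
    enterprise = afh_channel_map([1, 6, 11])    # all three nonoverlapping channels busy
    stale = afh_channel_map([1])                # BT still avoiding channel 1 after a roam to 6
    return {
        "home_afh_ch1": (len(home), collision_probability([1], home)),
        "enterprise_afh_1_6_11": (len(enterprise), collision_probability([1, 6, 11], enterprise)),
        "roamed_to_ch6_no_update": (len(stale), collision_probability([6], stale)),
        "no_afh_ch1": (len(BT_HOP_CHANNELS_MHZ), collision_probability([1])),
    }
```

Avoiding one channel leaves 57 hops and no collisions with that AP; avoiding all three leaves only 11 hops, and a stale map after a roam puts 23 of the remaining 57 hops on the new channel.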
The above techniques are appropriate if each subsystem has a dedicated antenna and there is a minimal degree of RF separation between the two. When the antenna is shared, it is unlikely that the frequency-hopping adjustment approach will be effective.

ESCO allows for higher speed and retransmission on the SCO links. This will improve the quality of the BT transmissions (e.g., voice to/from a BT hands-free device).

In short, coexistence for BT voice and VoWi-Fi is still an open technical challenge.

11.6 VoWi-Fi and DECT

We have left this topic near the end as it is perhaps the most controversial, especially to DECT proponents. Digital Enhanced Cordless Telecommunications is a popular wireless standard, mostly in Europe, that, it can be argued, provides a complete wireless telephony solution today. DECT works in the 1.9-GHz band (some versions are available in the 2.4-GHz band) and utilizes a time-division multiplexing approach to bandwidth allocation. It was primarily geared for cordless telephony. An overview of DECT is given in Table 11.6.

Table 11.6: DECT Summary

Characteristic    | DECT
Frequency Band    | 1.9 GHz
Access Method     | TDMA
Data Rate         | 2 Mbps, being expanded to 20 Mbps for data services
Range             | 50 meters indoors, 300 meters outdoors
Modulation        | Gaussian Minimum Shift Keying (GMSK)
Voice Codecs      | G726 (ADPCM) [32 kbps]
Voice Signaling   | ISDN based
Handovers/Roaming | Built into protocol
Security          | GSM based
Cost              | Approx. ½ that of a comparable 802.11 solution
Battery Life      | ~12 hrs talk, 100+ hrs standby

In this regard, DECT can be considered a competing technology to VoWi-Fi. Let’s identify the advantages touted by DECT adherents (many of these are based on original, 802.11b voice-over-Wi-Fi implementations):
• Cost: DECT handsets are cheap! This is based partly on the maturity of the technology, so that highly integrated hardware solutions are available.
• Power: DECT was designed up front to be power efficient. It utilizes a TDMA-based method.
DECT receivers can shut off their radios until their time slot occurs.
• Handset performance: again, because of the maturity of the DECT handset market, industrial-strength (shock, temperature, dust, etc.) equipment is available today.
• Handoffs: DECT was designed with handoffs in mind.
• Range: DECT has inherently better range than 802.11. 802.11 can extend range by adding repeaters or access points, but this adds to cost and has limitations based on the ISM channel bandwidth.
• Quality of Service: the original DECT objections to Wi-Fi QoS (or lack thereof) were based on 802.11b deployments.
• Security: most DECT objections to Wi-Fi security are based on the WEP implementations. As we have seen, WPA and WPA2 have addressed these concerns. However, as we have also seen, the use of WPA and WPA2 authentication and key-distribution methods makes fast handovers more complex.

The bottom line is that, while DECT does have advantages over VoWLAN for pure telephony, these are due primarily to its inherent limitation of being primarily a telephony protocol. As a “telephony-first” protocol, DECT will naturally win in a phone-only environment. But if we add data to the mix, voice over Wi-Fi will be a more attractive solution. Wi-Fi is the clear winner for providing wireless data service. Voice over Wi-Fi, as it runs on top of the data network, will succeed just as pure voice over IP is succeeding.

The other issue with DECT is how it plays into a VoIP backbone. DECT uses an ADPCM codec between the handset and the base station. This requires ADPCM transcoding if another low-bit-rate codec is to be used for the network portion of the call. Furthermore, DECT uses ISDN-based signaling between the base station and the phone. This will need to be translated into SIP VoIP signaling.

We can also look at DECT and Wi-Fi in another light, that of convergence.
There are various projects underway to merge DECT and Wi-Fi together. One approach has been to integrate the upper layers of DECT with the 802.11 MAC and PHY.

11.7 VoWi-Fi and Other Ongoing 802.x Wireless Projects

In this section we will take a quick look at three ongoing IEEE wireless standards and their potential relationship with VoWi-Fi.

11.7.1 802.20

The mission of the 802.20 project (also referred to as Mobile Broadband Wireless Access or MBWA) is to “develop the specification for an efficient packet based air interface that is optimized for the transport of IP based service.” There is a special emphasis on mobility in this project, with goals of handling subscribers moving at speeds of up to 155 miles per hour (e.g., for high-speed train service). By this definition, there is some overlap with the goals of 802.16e. However, the scope of 802.20 is limited to below the 3.5-GHz band, while 802.16e covers additional spectrum. Also, 802.20 is targeting a much lower data rate (around 1 Mbps) than 802.16. As an IP-based service, 802.20 must deal with similar issues as 802.11 when used to carry VoIP. There is a lot of debate on how 802.20 and WiMax (802.16e) will evolve, since there is a great deal of overlap. It is possible that 802.20 will be restricted to the high-speed domain only.

11.7.2 802.21

802.21 is an interesting project with special relevance to the voice application. Its goal is to “develop standards to enable handover and interoperability between heterogeneous network types including both 802 and non 802 networks.” In other words, the project is involved with standardizing the type C and D roaming. This is also referred to as Media Independent Handoff, or MIH. Among the topics that 802.21 is investigating is the definition of a common interface between various layer 2 (802.11, 802.16, etc.) and layer 3 to facilitate the roaming and handoff process.

The draft standard discusses the concept of link-level “triggers.” These are link-level events that can be passed to layer 3 to provide link state information to the roaming decision process. Link-level triggers include such events as link up/down, link quality above or below a defined threshold, link QoS state, perceived link range or throughput, and even network cost. In a pure 802.11 network, the link-level triggers correspond to the VoWi-Fi device’s roaming triggers, such as the RSSI, beacon miss rate, and retransmit rate. However, in 802.11, these triggers were not explicitly called out as such and their use is up to the device manufacturer. The 802.21 project attempts to define these and to provide a framework for their configuration and reporting. One difference in the 802.21 framework is that it includes the idea that triggers can come from the remote side of the connection, as opposed to being generated solely by the local side. In an 802.21-enabled 802.11 network, for example, the AP would be able to use a layer-2 message to send a “suggestion” that the station roam.

Another aspect of 802.21 is support for the “make before break” concept. 802.11 today requires that a station disconnect from one AP before connecting to another (“break” before “make”). This approach has some drawbacks, especially for voice, because there will be a period of outage between the “break” and the subsequent “make.” We can mitigate some of this latency in a pure BSS roaming situation through such techniques as WPA2 preauthentication. However, with dissimilar network roaming, the latency in security setup, IP address provisioning, etc. will be too long for the goal of seamless mobility.

802.21 also introduces the idea of a mobility-management service. This is a network-based service that mobile devices can register with to obtain information about other networks that could be roaming candidates. This is somewhat analogous to the proposed 802.11k AP list that we discussed in Chapter 8, but it covers not just APs, but also cellular base stations, WiMax head ends, and so forth.

11.7.3 802.22

The 802.22 project is working on how to use portions of the RF spectrum, currently allocated to television broadcasting, for carrying wireless data services. In particular, the UHF/VHF TV bands between 54 and 862 MHz are being targeted, both specific TV channels as well as guard bands (white space). This standard is still under development, but it looks to be based on 802.11 protocols, possibly adding an additional PHY layer and enhancing the MAC layer to deal with longer range.

One interesting aspect of proposed 802.22 networks, also referred to as wireless regional area networks (or WRANs), is that they will utilize a new technology known as cognitive radio. The proposed ITU definition of this technology is: “a radio or system that senses and is aware of its operational environment and can dynamically, autonomously, and intelligently adapt its radio operating parameters.” The basic idea is to allow the wireless nodes to manage the spectrum in a distributed fashion, by observing the environment.

11.8 Conclusion

This chapter has taken a look at the future of voice over Wi-Fi, and how it may evolve, coexist and interact with other wireless technologies.

CHAPTER 12
Mobile Ad Hoc Networks
Farid Dowla
Asis Nasipuri

A mobile ad hoc network, such as the one shown in Figure 12.1, is a collection of digital data terminals equipped with wireless transceivers that can communicate with one another without using any fixed networking infrastructure. Communication is maintained by the transmission of data packets over a common wireless channel. The absence of any fixed infrastructure, such as an array of base stations, makes ad hoc networks radically different from other wireless LANs. Whereas communication from a mobile terminal in an “infrastructured” network, such as a cellular network, is always maintained with a fixed base station, a mobile terminal (node) in an ad hoc network can communicate directly with another node that is located within its radio transmission range. In order to transmit to a node that is located outside its radio range, data packets are relayed over a sequence of intermediate nodes using a store-and-forward “multihop” transmission principle.
All nodes in an ad hoc network are required to relay packets on behalf of other nodes. Hence, a mobile ad hoc network is sometimes also called a multihop wireless network.

Figure 12.1: A Mobile Ad Hoc Network

Since no base stations are required, ad hoc networks can be deployed quickly, without having to perform any advance planning or construction of expensive network infrastructure. Hence, such networks are ideally suited for applications where such infrastructure is either unavailable or unreliable. Typical applications include military communication networks in battlefields, emergency rescue operations, undersea operations, environmental monitoring, and space exploration. Because of their “on-the-fly” deployment quality and relatively low cost of implementation, ad hoc networks are also used in places where they are cheaper than their infrastructured counterparts. Examples of these applications consist of a network of laptop computers in conference rooms, a network of digital electronic equipment and appliances (e.g., VCR, television, computer, printer, remote control) to form a home area network, networks of mobile robots, and wireless toys [Refs. 12.43, 12.14, 12.49]. Recently, there has been a growing interest in using ad hoc networks of wireless sensors to perform unmanned distributed surveillance and tracking operations [Ref. 12.47].

The design of ad hoc networks faces many unique challenges. Most of these arise due to two principal reasons. The first is that all nodes in an ad hoc network, including the source nodes, the corresponding destinations, as well as the routing nodes forwarding traffic between them, may be mobile. As the wireless transmission range is limited, the wireless link between a pair of neighboring nodes breaks as soon as they move out of range. Hence, the network topology that is defined by the set of physical communication links in the network (wireless links between all pairs of nodes that can directly communicate with each other) can change frequently and unpredictably. This implies that the multihop path for any given pair of source and destination nodes also changes with time. Mobility also causes unpredictability in the quality of an existing wireless link between neighbors. A second reason that makes the design of ad hoc networks complicated is the absence of centralized control. All networking functions, such as determining the network topology, multiple access, and routing of data over the most appropriate multihop paths, must be performed in a distributed way. These tasks are particularly challenging due to the limited communication bandwidth available in the wireless channel.

These challenges must be addressed at all levels of the network design. The physical layer must tackle the path loss, fading, and multi-user interference to maintain stable communication links between peers. The data link layer (DLL) must make the physical link reliable and resolve contention among unsynchronized users transmitting packets on a shared channel. The latter task is performed by the medium access control (MAC) sublayer in the DLL. The network layer must track changes in the network topology and appropriately determine the best route to any desired destination. The transport layer must match the delay and packet loss characteristics specific to such a dynamic wireless network. Even the application layer needs to handle frequent disconnections.

Although this area has received a lot of attention in the past few years, the idea of ad hoc networking started in the 1970s when the U.S. Defense Advanced Research Projects Agency (DARPA) sponsored the PRNET (Packet Radio Network) project in 1972 [Ref. 12.26]. This was followed by the SURAN (Survivable Adaptive Radio Network) project in the 1980s [Ref. 12.52]. These projects supported research on the development of automatic call setup and maintenance in packet radio networks with moderate mobility. However, interest in this area grew rapidly in the 1990s due to the popularity of a large number of portable digital devices such as laptop and palmtop computers, and the common availability of wireless communication devices. The rising popularity of the Internet added to the interest in developing internetworking protocols for mobile ad hoc networks operating in license-free radio frequency bands (such as the Industrial-Scientific-Military or ISM bands in the United States). In the interest of developing IP-based protocols for ad hoc networking, a working group for Mobile Ad Hoc Networking (MANET) was formed within the Internet Engineering Task Force (IETF) [Ref. 12.20]. The DoD (Department of Defense) also renewed its support for similar research objectives by starting the GloMo (Global Mobile Information Systems) and the NTDR (Near-Term Digital Radio) projects.

Spurred by the growing interest in ad hoc networking, a number of commercial standards were developed in the late 1990s. These included the IEEE 802.11 physical layer and MAC protocol in 1995 [Ref. 12.10], which have since then evolved into more updated versions. Today, one can build an ad hoc network by simply plugging 802.11 PCMCIA cards into laptop computers. Bluetooth [Ref. 12.13] and Hiperlan [Ref. 12.53] are some other examples of related existing products.

In this chapter we discuss some of the key challenges, protocols, and future directions of mobile ad hoc networks.

12.1 Physical Layer and MAC

The main aspects of designing the physical transmission system are dependent on the characteristics of the radio propagation channel such as path loss, interference (co-channel), and fading.
In addition, since mobile terminals usually have limited power resources, the transceiver must be power efficient. These aspects are taken into account while designing the modulation, coding, and power control features in the radio equipment. In principle, the radio equipment in the nodes forming a mobile ad hoc network can use any technology as long as it provides reliable links between neighboring mobile terminals on a common channel. Candidate physical layers that have gained prominence are infrared and spread-spectrum radio.

The MAC plays the key role in determining the channel usage efficiency by resolving contention amongst a number of unsupervised terminals sharing the common channel. An efficient MAC protocol would allow the transmissions from independent nodes to be separated in time and space, thereby maximizing the probability of successful transmissions and maintaining fairness among all users. Though research on medium access schemes for wired local area networks (LANs) has been done for many years, the same concepts cannot be directly applied to wireless LANs. In a wired medium, a transmitted signal is received with the same signal strength at all terminals connected to the same shared medium. Hence a terminal in a LAN can avoid contention by sensing the presence of a carrier to determine if any other terminal is using the channel before it starts a transmission. This “listen before transmit” principle has led to a class of efficient random access protocols for wired LANs that are generally known as carrier sense multiple access (CSMA) schemes [Ref. 12.28]. A popular example is CSMA/CD (CSMA with collision detection), which is the standard for Ethernet (IEEE 802.3) LANs [Ref. 12.46].

However, designing MAC protocols for wireless networks raises a different set of challenges. Propagation path losses in the wireless channel cause the signal power to decline with distance. This introduces the following problems, which are the main factors that affect the efficiency of the MAC in a mobile ad hoc network:

Carrier Sensing Is Location-Dependent: Since the strength of the received signal depends on the distance from the transmitter, the same signal is not heard equally well by all terminals. Hence carrier sensing is not very effective in wireless. Typical problems of using carrier sensing to determine the availability of the wireless channel are:

• The hidden terminal problem: a node may be hidden or out of range from a sender but within range of its intended receiver. For instance, in Figure 12.2a, node C is out of range from A, and hence any transmission from C cannot be heard by A. So while C is transmitting to B, node A thinks that the channel is idle and simultaneously transmits a data packet to node B. This causes both packets to be lost at B because of interference, and the packets are considered to have suffered a “collision.” A transmission from A to B will face the same consequence even if C is transmitting to some other node, such as D.
• The exposed terminal problem: this is the reverse problem, where a transmitting or “exposed” node is within range of a sender but is out of range of the destination. The problem is illustrated in Figure 12.2b, where node B, which wants to transmit a data packet to A, finds the channel to be busy due to the transmission from C to D. Hence, B might wait for the transmission from C to be over before transmitting to A, which is not necessary as the transmission from B would not interfere at D.

Figure 12.2: (a) The Hidden Terminal Problem, and (b) The Exposed Terminal Problem. The Dotted Circles Represent the Radio Range of the Transmitters

Both the hidden terminal and the exposed terminal problems arise due to the fact that carrier sensing is only performed at the transmitter, whereas its effect is determined by the interference power at the receiver, and the two are usually different due to propagation path loss characteristics.

Collision Detection Is Not Possible: A wireless transceiver cannot transmit and receive at the same time as the transmitted signal will always be far stronger than any received signal. Hence a wireless terminal cannot detect if its transmission has been successful. To inform the transmitting node about a successful packet transmission, the receiver sends an ACKNOWLEDGEMENT (ACK) packet back to the transmitter after it receives a data packet. If the transmitter does not receive an ACK within a fixed period of time, it assumes that the transmitted packet has been lost. However, this is learnt only after completing transmission of the data packet and waiting for a further no-ACK timeout period.

Many different schemes have been designed for reducing these problems in wireless channel access. We first present the IEEE 802.11 standard that is the most popular scheme for wireless LANs, followed by a discussion on additional issues on the design of MAC protocols and current research directions.

12.1.1 IEEE 802.11

IEEE 802.11 [Ref. 12.10] is an international standard of physical and MAC layer specifications for WLANs. It provides mandatory support for 1 Mb/s data rate with optional support for 2 Mb/s. These original specifications have been upgraded to higher data rates in succeeding versions, with the projected goal of going up to 54 Mb/s for future systems. The standard can be applied to both infrastructure-based WLANs, which use fixed access points for wireless communication with mobile terminals, as well as infrastructureless ad hoc networks.
In the following, we discuss the main features of this standard with relation to ad hoc networks.

12.1.1.1 802.11 Physical Layer

IEEE 802.11 supports three different physical layers in order to allow designers to match price and performance to applications: one layer is based on infrared and two layers are based on radio transmission in the 2.4-GHz ISM band, an unlicensed band of radio frequencies available worldwide. The infrared specification is designed for indoor use only using line-of-sight and reflected transmissions of light waves in wavelengths from 850 to 950 nm. Both of the two RF specifications are based on spread spectrum, but employ different principles. While one uses frequency hopping (FH), the other is based on direct sequence (DS) spread spectrum. Either one can be used for the physical transmission system in ad hoc networks.

Frequency Hopping Spread Spectrum: As the name implies, a frequency-hopping spread spectrum radio hops from one carrier frequency to another during transmission. The transmission at any carrier frequency is narrowband. However, frequency spreading is achieved by hopping from one carrier to another over a wide frequency band. The transmitter and receiver use the same sequence of carrier frequencies, which is pseudorandom (i.e., a long random sequence that repeats itself). The time for which the FH radio dwells in each frequency depends on the application requirements, government regulations, and adherence to standards. A slow FH system has a dwelling time that is longer than a bit period, whereas a fast FH system hops over many carrier frequencies during a single bit period. Since the hopping pattern is random, a FH system may experience interference during a few of the hops but achieve error-free transmission on other hops. One of the advantages of this property is that there is no hard limit on the total number of users that can be accommodated in a particular FH system. Rather, the limitation is decided by the amount of errors caused by multi-user interference that the users are willing to tolerate (known as the soft capacity). Such systems are especially beneficial in interference-limited communication systems, where the transmission capability is constrained by a large number of contending users who are not all active at the same time.

The 2.4 GHz ISM band in the United States (i.e., 2.4000 to 2.4835 GHz) has 79 channel frequencies in the hopping set, with a channel spacing of 1 MHz. The specified channel spacing allows a 1 Mb/s transmission rate using two-level Gaussian frequency shift keying (GFSK), which is the modulation scheme specified by the 802.11 standard. To achieve a 2 Mb/s transmission rate, four-level GFSK modulation may be used, where two bits are encoded at a time using four frequencies. There are three different hopping sequence sets in the United States, with twenty-six hopping sequences in each set. All the terminals in any given ad hoc network must use the same hopping sequence. However, the availability of multiple sets allows multiple systems or networks to coexist in the same location.

Direct Sequence (DS) Spread Spectrum: The DS system achieves frequency spreading by multiplying each data bit by a sequence of chips (+1/−1 symbols that are shorter than a bit) before modulation. This has the effect of artificially increasing the transmission bandwidth. The receiver uses the same chip sequence to correlate the received signal. This technique achieves excellent interference rejection due to the auto- and cross-correlation properties of the random chip sequences. Usually the chip sequences are pseudorandom sequences having a long period. Multiple pairs of transmitters and receivers using different chip sequences can coexist in the same region. A DS system also has a soft capacity and can coexist with other narrowband radio systems without causing significant interference.

The IEEE 802.11 standard specifies an 11-chip Barker sequence for spreading each data bit. The modulation scheme is differential binary phase shift keying (DBPSK) for 1 Mb/s data rate, and differential quadrature phase shift keying (DQPSK) for 2 Mb/s. This effectively spreads the data stream over an 11 MHz band. Multiple systems can use different bands of frequencies whose center frequencies are separated by at least 30 MHz. As usual, all terminals of the same ad hoc network must use the same chip sequence (spreading code) for transmission as well as reception.

12.1.1.2 802.11 MAC

The 802.11 MAC is designed to provide mandatory asynchronous data service along with an optional time-bounded service that is only usable in an infrastructured wireless network with access points. The asynchronous data service is usable by both ad hoc networks and infrastructured wireless networks and supports “best effort” packet exchange without delay bounds. The mandatory basic asynchronous service is provided by a method known as carrier sense multiple access with collision avoidance (CSMA/CA) and an optional channel reservation scheme based on a four-way handshake between the sender and receiver nodes. These two methods provide the mechanism for achieving distributed coordination amongst uncoordinated wireless terminals that do not use a fixed access point, and they are known as the distributed coordination function (DCF). A third method, known as the point coordination function (PCF), offers both asynchronous and time-bounded service, but it needs an access point to control medium access and avoid contention.
Basic DCF Using CSMA/CA: The basic channel access scheme uses two fundamental ideas to avoid collisions among contending transmitting stations:

• Carrier sensing: to determine that the medium is not being used by a neighboring transmitter (channel idle) before accessing the channel
• Random backoff: a terminal that senses the channel is busy then waits for a random period of time to see the channel in the idle state before initiating transmission

A terminal that intends to transmit and senses the presence of a carrier (channel busy) waits till the end of the current transmission and considers the channel to be idle only when it detects the absence of the carrier for a certain duration of time, known as the DCF interframe space (DIFS). At the end of the DIFS period, in order to avoid collision with other terminals that might also be waiting for the current transmission to end before transmitting their packets, the terminal does not access the channel immediately. Instead, each terminal starts a backoff timer, which is initiated at a random value and counts down as long as the channel is sensed idle. The backoff timer is frozen whenever the channel is sensed as busy, resuming the countdown again after it goes idle (i.e., senses absence of the carrier for at least the DIFS period). The terminal initiates transmission only when its backoff timer reaches zero. The backoff interval is slotted, and may be expressed as CWrand × slot time, where CWrand is a random integer chosen uniformly between 0 and CW and slot time is a predetermined slot duration. CW is the contention window, which can take one of the following set of integer values: 7, 15, 31, 63, 127, 255. Initially a node uses the smallest value of CW and uses the next higher value in the set after each unsuccessful transmission.

In order to indicate that a transmission has been successful, a receiver transmits an ACK packet after a short inter-frame space (SIFS) period (which is shorter than DIFS) immediately following the reception of the data packet. In case an ACK is not received, the transmitter assumes that the transmitted data packet is lost and it schedules a retransmission of the same. This will be continued for a maximum number of allowable retries at the MAC before the data packet is discarded.

An illustration of the access control scheme is shown in Figure 12.3. Here, nodes A, B, and C all have data packets to transmit when they find the channel busy (due to a transmission from some node X). After the channel is idle for a DIFS period, each node selects a random backoff period. In this illustration, the backoff timers of A, B, and C are chosen as 4, 1, and 3, respectively. So B’s backoff timer reaches zero first, when it initiates transmission and the timers of both A and C are frozen. The transmissions of the data frames from A and C take place subsequently, as shown in Figure 12.3.

Figure 12.3: Illustration of the Basic CSMA/CA Protocol

According to this scheme, a collision may happen when multiple stations select the same backoff time. A large value of CW will ensure a small probability of collision as it results in a smaller probability of two nodes selecting the same backoff time. However, a larger CW may cause a node to wait longer before transmission. When very few nodes are transmitting, a large value of CW causes inefficient usage of the channel. Hence, initially all nodes set the CW to the smallest value of 7. With heavier traffic, some of the transmissions will collide and eventually higher and higher values of CW may be chosen by the nodes to ensure collision-free transmission.
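The backoff rules above can be checked with a small slot-level model. This is an added example, not code from the book: it replays the Figure 12.3 scenario (backoffs 4, 1, 3) and a collision with CW escalation through the set 7, 15, 31, 63, 127, 255; the assumed simplifications are that DIFS/SIFS timing is ignored and a frame is treated as delivered the moment its sender wins the slot.

```python
"""Slot-level model of 802.11 DCF backoff (basic CSMA/CA, no RTS/CTS).

Constructed example for illustration, not the book's code. Backoff counters
decrement only during idle slots and are frozen while another station
transmits; that is what makes the order B, C, A emerge from the initial
backoffs 4, 1, 3 of Figure 12.3.
"""
import random

# contention window values given in the text, smallest first
CW_SET = (7, 15, 31, 63, 127, 255)


class Station:
    def __init__(self, name, backoff=None, rng=None):
        self.name = name
        self.cw_index = 0                      # every station starts at CW = 7
        self.rng = rng or random.Random(0)     # seeded so runs are repeatable
        self.collisions = 0
        # a fixed backoff models the hand-picked values of Figure 12.3;
        # otherwise CWrand is drawn uniformly from [0, CW]
        self.backoff = backoff if backoff is not None else self.draw_backoff()

    def draw_backoff(self):
        return self.rng.randint(0, CW_SET[self.cw_index])

    def on_collision(self):
        """No ACK arrived: move to the next higher CW and redraw the backoff."""
        self.collisions += 1
        self.cw_index = min(self.cw_index + 1, len(CW_SET) - 1)
        self.backoff = self.draw_backoff()


def run_dcf(stations, max_slots=10_000):
    """Contend until every station has delivered one frame.

    Returns (order, idle_slots): the order in which stations succeeded and the
    number of idle backoff slots consumed. Transmission time is not counted
    in slots because all other timers are frozen while a frame is on the air.
    """
    pending = list(stations)
    order = []
    idle_slots = 0
    while pending and idle_slots < max_slots:
        for s in pending:                      # one idle slot elapses (after DIFS)
            s.backoff -= 1
        idle_slots += 1
        ready = [s for s in pending if s.backoff <= 0]
        if len(ready) == 1:
            winner = ready[0]                  # sole transmitter: ACK comes back
            order.append(winner.name)
            pending.remove(winner)
        elif len(ready) > 1:
            for s in ready:                    # same backoff: frames collide, no ACK
                s.on_collision()
    return order, idle_slots


def figure_12_3_scenario():
    """Nodes A, B, C with backoffs 4, 1, 3 as in Figure 12.3."""
    a, b, c = Station("A", 4), Station("B", 1), Station("C", 3)
    return run_dcf([a, b, c])                  # -> (['B', 'C', 'A'], 4)


def collision_scenario():
    """Two stations that picked the same backoff collide, then escalate CW."""
    rng = random.Random(42)
    x, y = Station("X", 2, rng), Station("Y", 2, rng)
    order, _ = run_dcf([x, y])
    return order, x.collisions + y.collisions, (x.cw_index, y.cw_index)


if __name__ == "__main__":
    print(figure_12_3_scenario())
    print(collision_scenario())
```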
CSMA/CA with RTS/CTS Extension: Though the basic CSMA/CA scheme has excellent mechanisms to avoid collisions among a number of uncoordinated nodes that can hear one another, it does not solve problems due to hidden and exposed terminals. In order to address the hidden terminal problem, 802.11 has the option of adding the mechanism of an exchange of request to send (RTS) and clear to send (CTS) control packets between the transmitting and receiving nodes before initiating the transmission of a data packet. The principle behind the use of the RTS and CTS packets can be seen from Figure 12.4. Here, node A, which intends to send a data packet to B, first broadcasts an RTS packet using the basic CSMA/CA scheme. The RTS frame contains the identity of the destination B, and the time that would be required for the entire transmission to complete. If B receives the RTS packet, it replies with a CTS packet after waiting for SIFS. The CTS packet also contains the time required for completion of the intended data exchange and the identity of the transmitting node. Upon receiving the CTS packet from B, A waits for SIFS and then transmits the data packet. When the data packet is received, B sends an ACK packet after SIFS, thus completing one entire data packet transfer protocol. All neighbors of A and B that receive either the RTS or the CTS learn about the intended exchange process and cooperate by remaining silent for the period of time that is required for the data exchange to be over.

Figure 12.4: CSMA/CA with RTS/CTS Handshake

The exchange of RTS and CTS packets serves two purposes:

1. If A receives the CTS, it is ascertained that B is ready to receive and there are no interfering transmissions near node B. This process thus serves as a “virtual carrier sensing” mechanism.
2. All neighboring nodes of the destination, including those hidden from A (such as C), are expected to hear the CTS packet and remain silent for as long as it is required for the data transmission to be over. Neighbors of A (such as D) also remain silent for the period specified by the RTS so that their own transmissions do not experience any interference from the data packet to be transmitted from A.

A silent period is implemented in a listening node by setting its net allocation vector (NAV) in accordance with the duration field in the RTS or CTS, which specifies the earliest possible time at which it can access the channel again. Hence, the RTS/CTS exchange effectively reserves the channel for the intended data transmission from A to B.

Even though the data packets have a higher probability of success due to this channel reservation technique enacted by the RTS/CTS exchange, the RTS and CTS packets themselves are susceptible to the same rate of failure as that of the basic CSMA/CA scheme. Many of these control packets may suffer loss due to collisions and require retransmissions before the channel reservation is performed successfully. However, since the RTS and CTS control packets are shorter than the data packets, the scheme usually has a better throughput performance than the basic CSMA/CA in the presence of hidden terminals. Comprehensive analyses of the performance of the DCF under various conditions in mobile ad hoc networks have been reported [Refs. 12.5, 12.7, 12.58].

12.1.2 Additional Issues on MAC

Several concerns with the IEEE 802.11 MAC have motivated researchers to explore newer techniques to improve the channel utilization and throughput in mobile ad hoc networks. The basic access method of the 802.11 MAC protocol is susceptible to inefficiencies due to the hidden and exposed terminal problems. The RTS/CTS option reduces the hidden terminal problem but not the inefficiency caused by the exposed terminal problem.
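The reservation logic of the handshake, and the way it fails when a control packet collides (the case 12.1.2.2 below describes with Figure 12.5), can be modelled on a neighbour graph. This is an added example, not code from the book; the two topologies are assumed from the figure descriptions (Figure 12.4: D neighbours A only, C neighbours B only; Figure 12.5: the chain A–B–C–D–E), and "slots" are abstract transmission opportunities rather than SIFS/DIFS timings.

```python
"""Neighbour-graph model of the 802.11 RTS/CTS reservation and NAV setting.

Constructed example, not the book's code. Radio range is reduced to a static
neighbour graph: a frame reaches exactly the sender's neighbours, and a node
that has two frames arrive in the same slot decodes neither (collision).
"""
from collections import defaultdict

# Assumed topologies read off the figures (undirected, as dict of neighbour sets).
FIG_12_4 = {"A": {"B", "D"}, "B": {"A", "C"}, "C": {"B"}, "D": {"A"}}
FIG_12_5 = {"A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"}, "D": {"C", "E"}, "E": {"D"}}


def deliver(topology, transmissions):
    """transmissions: [(sender, frame)] all sent in the same slot.
    Returns {node: frame} for nodes that decoded exactly one frame."""
    arrivals = defaultdict(list)
    for sender, frame in transmissions:
        for nbr in topology[sender]:
            arrivals[nbr].append(frame)
    return {node: fr[0] for node, fr in arrivals.items() if len(fr) == 1}


def apply_nav(nav, heard):
    """Every node that decodes an RTS or CTS not addressed to it sets its NAV
    to the duration carried in the frame (keeping the longer reservation)."""
    for node, frame in heard.items():
        if node != frame["dst"]:
            nav[node] = max(nav.get(node, 0), frame["duration"])


def rts_cts_reservation(topology, sender, receiver, duration,
                        rts_slot_extra=(), cts_slot_extra=()):
    """Run the RTS slot, then the CTS slot, and return (cts_received, nav).

    *_slot_extra lists other (sender, frame) pairs transmitted concurrently,
    e.g. an unrelated RTS from D to E during the CTS slot as in Figure 12.5.
    """
    nav = {}
    rts = {"type": "RTS", "src": sender, "dst": receiver, "duration": duration}
    heard = deliver(topology, [(sender, rts)] + list(rts_slot_extra))
    apply_nav(nav, heard)
    if heard.get(receiver) != rts:
        return False, nav          # RTS lost: no CTS will come, sender backs off
    cts = {"type": "CTS", "src": receiver, "dst": sender, "duration": duration}
    heard = deliver(topology, [(receiver, cts)] + list(cts_slot_extra))
    apply_nav(nav, heard)
    return heard.get(sender) == cts, nav


def unprotected_neighbors(topology, receiver, sender, nav):
    """Neighbours of the receiver (other than the sender) with no NAV set:
    these can still transmit during the data frame and collide at the receiver."""
    return {n for n in topology[receiver] if n != sender and n not in nav}


def figure_12_4_case():
    """Clean handshake: C (hidden from A) is silenced by B's CTS, D by A's RTS."""
    ok, nav = rts_cts_reservation(FIG_12_4, "A", "B", duration=10)
    return ok, nav, unprotected_neighbors(FIG_12_4, "B", "A", nav)


def figure_12_5_case():
    """D's RTS to E collides with B's CTS at C, so C never sets its NAV, while
    A still receives the CTS and proceeds with an unprotected data frame."""
    d_rts = {"type": "RTS", "src": "D", "dst": "E", "duration": 6}
    ok, nav = rts_cts_reservation(FIG_12_5, "A", "B", duration=10,
                                  cts_slot_extra=[("D", d_rts)])
    return ok, nav, unprotected_neighbors(FIG_12_5, "B", "A", nav)


if __name__ == "__main__":
    print(figure_12_4_case())   # (True, {'D': 10, 'C': 10}, set())
    print(figure_12_5_case())   # (True, {}, {'C'})
```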
Some other concerns of 802.11 DCF using the RTS/CTS dialog are discussed in the following.

12.1.2.1 Additional Overhead of Control Packets

The transmission of RTS and CTS control packets consumes an additional amount of bandwidth. Usually this is justified when the data packets are large and the advantage gained from channel reservation far outweighs the disadvantage of the additional overhead caused by the control packets. However, it has been observed that, especially under higher loads and high mobility, most of the channel bandwidth may be consumed by RTS and CTS transmissions [Ref. 12.21].

12.1.2.2 Collisions of Control Packets

Since the RTS and CTS packets are susceptible to collisions, the channel reservation scheme may fail, leading to loss of data packets as well. Figure 12.5 illustrates such a scenario. Here A starts an RTS-CTS dialog with B before transmitting a data packet to it. The CTS reply from B is received by A correctly, but it is not received by C, due to a collision with an RTS packet sent from D to E. Node A assumes that the channel is successfully reserved and proceeds with transmission of the data packet to B. This data transmission is vulnerable to interference from C, which has not been able to set its NAV accordingly and may initiate a transmission to any of its neighbors before the data transmission is over. Problems such as these are common because the RTS and CTS packets themselves are sent using the basic CSMA/CA access method, which is prone to the hidden and exposed terminal problems. A technique described by Garces and Garcia-Luna-Aceves [Ref. 12.17] tries to resolve this problem by making the CTS packets longer than the RTS packets. This ensures that in the event that an RTS packet collides with a CTS at a receiver (such as at C in Figure 12.5), the receiver would still be able to detect a part of the CTS packet. This might allow it to set its NAV and avoid interfering with the data exchange.

Figure 12.5: Example Where the Node C that is “Hidden” From A Misses the CTS Packet From B Due to a Collision From an RTS Packet From D

12.1.2.3 Radio Interference

Since wireless transmission is mostly limited by interference rather than noise, it is important to study the nature of interference and its effect on packet success probability. Figure 12.6 depicts the strengths of signals that would be received at node B from nodes A and C located at distances d1 and d2, respectively. Assuming that both transmitters use the same power Pt, the corresponding signal powers received at B, represented by PrA and PrC, respectively, depend on the path loss characteristics and the corresponding path lengths. The probability of error at the receiver depends on the total signal-to-interference-plus-noise ratio (SINR) of the corresponding packet at the receiver. The receiver noise is usually a constant parameter. The interference power is calculated by adding the powers of all radio signals at the receiver other than the power of the packet in question. The probability of bit error, and consequently the packet error probability, increases with decreasing values of the SINR. The minimum SINR required to correctly receive a packet depends on the radio technology, such as modulation, demodulation, coding, and so forth. A given radio usually has a specified minimum SINR threshold (SNRmin) for correctly receiving a packet.

Figure 12.6: Effect of Propagation Path Loss on the Wireless Signal (A and C both transmit at power Pt; their signals arrive at B with powers PrA and PrC)
For instance, B will be able to receive the packet from A correctly if

$$\frac{P_{rA}}{P_{rC} + N} \ge \mathrm{SNR}_{\min} \qquad (12.1)$$

where N is the receiver noise power. For a given transmitter and corresponding receiver, the transmission range is defined as the maximum distance at which the received SINR is equal to SINRmin in the absence of any interference, that is, the maximum distance at which reception will be error-free without interference. Usually radio channels are bidirectional, and hence a receiver will be able to receive a packet from a transmitter that is located within the transmission range (alternatively called the radio range). A node determines the busy/idle state of a channel by comparing the strength of the carrier power to a predetermined carrier-sense threshold (TCS). Typically, this threshold is chosen such that the carrier sensing range, the distance within which all transmissions are detected, is at least as large as the transmission range of the nodes. A lower value of TCS increases the carrier sensing range, but it also reduces frequency reuse by making a larger number of nodes around a given transmitting node wait for their transmissions. It is important to note that correct packet reception is not guaranteed whenever the receiver is within the transmission range of a transmitter. It also depends on the total amount of other interfering signals present. Typically, the interference power from a transmitter located at a distance less than the transmission range is expected to preclude the error-free reception of any other packet. Hence two simultaneous transmissions from nodes that are within range of a receiving node are said to have met with a “collision”. The term “collision” has been borrowed from wireline networks, where any two simultaneously transmitted packets are lost irrespective of the location of the transmitters. In wireless networks, it relates to packet loss due to interference.
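Eq. (12.1), the transmission and carrier-sense ranges, and the capture effect worked through numerically, as an added example that is not part of the book. It assumes a power-law path loss P_r = P_t * d^(-alpha) and constructed values for P_t, N, SNRmin, TCS and alpha; it also shows the out-of-range "threat zone" interference and the capture case discussed in the next two subsections.

```python
"""Worked instance of Eq. (12.1), the transmission and carrier-sense ranges,
and the capture effect, with a simple distance power-law path-loss model.

Constructed example, not from the book. Received power is modelled as
P_r = P_t * d^(-alpha); every node transmits at the same power P_t. Powers
are linear milliwatts and distances metres; all numbers are assumed.
"""

ALPHA = 4.0      # path-loss exponent (assumed; 2 is free space, 3-4 indoor/urban)
P_T = 100.0      # transmit power of every node, mW (assumed)
NOISE = 1e-9     # receiver noise power N, mW (assumed, about -90 dBm)
SNR_MIN = 10.0   # minimum SINR for correct reception, linear (10 dB, assumed)
T_CS = 5e-9      # carrier-sense threshold TCS, mW (assumed)


def received_power(d, p_t=P_T, alpha=ALPHA):
    """Signal power arriving from a transmitter d metres away."""
    return p_t * d ** (-alpha)


def sinr(p_signal, interferers, noise=NOISE):
    """Left-hand side of Eq. (12.1): wanted power over all other powers plus noise."""
    return p_signal / (sum(interferers) + noise)


def can_receive(p_signal, interferers, snr_min=SNR_MIN):
    """Eq. (12.1): the packet is decodable when its SINR reaches SNR_min."""
    return sinr(p_signal, interferers) >= snr_min


def transmission_range(p_t=P_T, snr_min=SNR_MIN, noise=NOISE, alpha=ALPHA):
    """Largest distance at which P_r / N == SNR_min, i.e. error-free reception
    when nobody else transmits."""
    return (p_t / (snr_min * noise)) ** (1.0 / alpha)


def carrier_sense_range(p_t=P_T, t_cs=T_CS, alpha=ALPHA):
    """Largest distance at which a transmission is still detected as carrier."""
    return (p_t / t_cs) ** (1.0 / alpha)


def reception_at_b(d_signal, interferer_distances):
    """Can B decode a packet from a node d_signal metres away while nodes at the
    given distances transmit at the same time?"""
    p_s = received_power(d_signal)
    p_i = [received_power(d) for d in interferer_distances]
    return can_receive(p_s, p_i)


def captured_packet(d_a, d_c):
    """Figure 12.6 with A (d_a metres) and C (d_c metres) transmitting to B at
    the same time. Returns which packet B decodes: 'A', 'C' or None (both
    lost, a 'collision' in the wireless sense)."""
    p_a, p_c = received_power(d_a), received_power(d_c)
    if can_receive(p_a, [p_c]):
        return "A"
    if can_receive(p_c, [p_a]):
        return "C"
    return None


if __name__ == "__main__":
    print(f"transmission range  {transmission_range():.0f} m")   # 316 m
    print(f"carrier-sense range {carrier_sense_range():.0f} m")  # 376 m
    # A at 200 m is well inside range on its own ...
    print(reception_at_b(200, []))                 # True
    # ... one transmitter at 400 m (out of range) is tolerable, three are not
    print(reception_at_b(200, [400]))              # True
    print(reception_at_b(200, [400, 400, 400]))    # False
    # capture: the much closer C wins; at 150 m neither packet survives
    print(captured_packet(200, 100))               # 'C'
    print(captured_packet(200, 150))               # None
```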
In wireless networks, packets may be lost due to interference from even those transmitters that are located outside the radio range of a receiver. An example is shown in Figure 12.7, where the combined interference from several transmitting nodes, all of which are out of range from node B, disrupts the reception of the packet from A to B.

Figure 12.7: Illustration of the “Threat Zone,” an Area Around the Destination B From Where Nodes Cannot Detect its CTS Packet. The Combined Interference From Transmissions From This Zone can Interfere with the Packet Reception at B

12.1.2.4 Capture

Another concept used in wireless packet networks is packet capture, which refers to the mechanism by which a receiver can receive one of two simultaneously arriving packets if their received powers allow it [Ref. 12.31]. For instance, in Figure 12.6, even if both A and C are transmitting at the same time, B can receive the packet from C as long as its power exceeds that from A by a sufficient margin. This is especially beneficial to the network performance under heavy traffic conditions, when there are a large number of packet collisions and some of the collided packets are still received successfully. A possible negative effect of the capture phenomenon is that it can lead to unfair sharing of the channel. This can be seen in Figure 12.6, where transmitted packets from A will never be successful as long as C is transmitting, whereas the packets sent from C will always be captured at B.

12.1.2.5 Other MAC Protocols

Several solutions to these known problems have been suggested by various researchers. In the following, some of the notable concepts for new MAC protocols are summarized.

Collision Avoidance Techniques: The principal cause of packet loss in ad hoc networks is collisions, or interference caused by transmissions from hidden terminals.
Several MAC protocols have been suggested that have features to avoid such collisions. One such technique is the transmission of a busy tone to indicate an ongoing data exchange, which was first suggested by Tobagi and Kleinrock [Ref. 12.55]. Here, any node that hears an ongoing data transmission emits an out-of-band tone. A node hearing the busy tone refrains from transmission, thereby increasing the carrier sensing distance by a factor of two. Two other MAC protocols, Dual Busy Tone Multiple Access [Ref. 12.9] and the Receiver Initiated Busy Tone Protocol [Ref. 12.59], also use this concept to avoid collisions. These schemes require the additional complexity of narrowband tone detection and the use of separate channels.

Channel Reservation Techniques: Multiple Access with Collision Avoidance (MACA) uses channel reservation based on the exchange of RTS and CTS control packets before transmission of the data packet [Ref. 12.27]. This scheme was incorporated in the IEEE 802.11 standard with the addition of a positive acknowledgement packet to indicate successful packet reception. Later, other protocols such as MACA for Wireless LANs (MACAW) [Ref. 12.3], Floor Acquisition Multiple Access (FAMA) [Ref. 12.17], and Collision Avoidance and Resolution Multiple Access (CARMA) [Ref. 12.18] also adopted the reservation scheme, employing different variations of control packets.

Multiple Channel MAC: The concept of dividing the common medium into multiple orthogonal channels to reduce contention has been explored in [Refs. 12.24, 12.35, 12.38, 12.57]. When multiple channels are available, several concurrent transmissions are possible in the same neighborhood between distinct pairs of senders and receivers (Figure 12.8). If the same bandwidth is divided into N channels, either by frequency division or by using orthogonal CDMA codes, the traffic can be distributed over N channels.
However, the transmission rate in each channel will also drop by a factor of N. It has been shown that such multichannel schemes can achieve a higher throughput by using an appropriate channel selection algorithm that allows each node to select the best channel available in its neighborhood. Several schemes for channel selection based on the exchange of RTS and CTS packets and carrier sensing over all channels have been explored [Refs. 12.24, 12.35, 12.38, 12.57]. The use of multiple channels increases the hardware complexity, but it improves the throughput performance in the network by distributing the traffic over time as well as over bandwidth.

Figure 12.8: Illustration of Single-Channel and Multichannel MAC for the Concurrent Transmission of Three Packets: PAB, PCD, and PEF From A to B, C to D, and E to F, Respectively (panels: “Protocol using a single channel” and “Protocol using 3 channels”, bandwidth plotted against time)

Use of Directional Antennas: Traditional ad hoc networks use omnidirectional antennas, as the direction for transmission and reception is variable. However, the use of directional transmission provides several benefits for improving the link performance between a pair of communicating nodes:

1. A directional transmission can reduce the amount of interference to neighboring nodes. This can lead to a higher amount of frequency reuse and packet success probability.

2. A directional antenna can be used for receiving from a desired direction, reducing the amount of interference at the receiving node from adjacent transmitters. This further reduces the packet error probability.

3. Directional antennas have a higher gain due to their directivity. This can allow the transmitters to operate at a smaller transmission power and still maintain adequate SINR at the receiver. It will also reduce the average power consumption in the nodes [Ref. 12.36].

Despite these advantages, the usage of directional antennas in mobile ad hoc networks has additional design challenges. A mechanism for determining the direction for transmission and reception is required so that the mobile nodes can use directional antennas. Moreover, since all ad hoc networking protocols are traditionally designed for omnidirectional antennas, these protocols need to be adapted appropriately for proper functioning and for maximizing the advantages that can be derived from directional transmissions and receptions. Many MAC and routing protocols that utilize directional antennas in ad hoc networks have been proposed in recent years [Refs. 12.30, 12.36, 12.37]. A comprehensive discussion of the various aspects of using directional antennas in ad hoc networks is given by Ramanathan [Ref. 12.48]. A central issue that concerns the applicability of directional antennas in mobile ad hoc networks is the comparatively larger size and cost of beam-forming antennas that are ideal for such applications. With advancements in technology and the possibility of shifting towards higher-frequency bands (such as the 5.8 GHz ISM band), it may be possible to design smaller as well as less expensive directional antennas. Hence, there is a growing interest in utilizing directional antennas in ad hoc networks.

12.2 Routing in Ad Hoc Networks

Movements of nodes in a mobile ad hoc network cause the nodes to move in and out of range from one another. As a result, there is a continuous making and breaking of links in the network, causing the network connectivity (topology) to vary dynamically with time. Since the network relies on multihop transmissions for communication, this imposes major challenges for the network layer to determine the multihop route over which data packets can be transmitted between a given pair of source and destination nodes.
Figure 12.9 demonstrates how the movement of a single node (C) changes the network topology, rendering the existing route between A and E (i.e., A–C–E) unusable. The network needs to evaluate the changes in the topology caused by this movement and establish a new route from A to E (such as A–D–C–E).

Figure 12.9: Illustration of the Change in the Route From A to E Due to the Movement of Node C

Because of the time-varying nature of the topology of mobile ad hoc networks, traditional routing techniques, such as the shortest-path and link-state protocols that are used in fixed networks, cannot be directly applied to ad hoc networks. A fundamental quality of routing protocols for ad hoc networks is that they must dynamically adapt to variations of the network topology. This is implemented by devising techniques for efficiently tracking changes in the network topology and rediscovering new routes when older ones are broken. Since an ad hoc network is infrastructureless, these operations are to be performed in a distributed fashion with the collective cooperation of all nodes in the network. Some of the desirable qualities of dynamic routing protocols for ad hoc networks are:

• Routing overhead: Tracking changes of the network topology requires exchange of control packets amongst the mobile nodes. These control packets must carry various types of information, such as node identities, neighbor lists, distance metrics, and so on, which consume additional bandwidth for transmission. Since wireless channel bandwidth is at a premium, it is desirable that the routing protocol minimize the number and size of control packets for tracking the variations of the network.

• Timeliness: Since link breakages occur at random times, it is hard to predict when an existing route will expire. The timeliness of adaptation of the routing protocol is crucial. A broken route causes interruption in an ongoing communication until a new route is established. Often the newly rediscovered route may be largely disjoint from the older route, which creates problems in rerouting the packets that were already transferred along the route and could not be delivered to the destination. Ideally, a new route should be determined before the existing one is broken, which may not be possible. Alternatively, a new route should be established with minimum delay.

• Path optimality: With constraints on the routing overhead, routing protocols for mobile ad hoc networks are more concerned with avoiding interruptions of communication between source and destination nodes than with the optimality of the routes. Hence, in order to avoid excess transmission of control packets, the network may be allowed to operate with suboptimal routes (which are not necessarily the shortest) until they break. However, a good routing protocol should minimize overhead as well as the path lengths. Otherwise, it will lead to excessive transmission delays and wastage of power.

• Loop freedom: Since the routes are maintained in a distributed fashion, the possibility of loops within a route is a serious concern. The routing protocol must incorporate special features so that the routes remain free of loops.

• Storage complexity: Another problem of distributed routing architectures is the amount of storage space utilized for routing. Ad hoc networks may be applied to small portable devices, such as sensors, which have severe constraints in memory and hardware. Hence, it is desirable that the routing protocol be designed to require low storage complexity.

• Scalability: Routing protocols should be able to function efficiently even if the size of the network becomes large.
This is not very easy to achieve, as determining an unknown route between a pair of mobile nodes becomes more costly in terms of the required time, number of operations, and expended bandwidth when the number of nodes increases. Because of its many challenges, routing has been a primary focus of researchers in mobile ad hoc networks. The MANET working group in the IETF has been working on standardizing an IP-based routing standard for mobile ad hoc networks. Consequently, a large number of dynamic routing protocols applicable to mobile ad hoc networks have been developed. Reviews of prominent routing protocols for mobile ad hoc networks may be found in various references [Refs. 12.4, 12.8, 12.23, 12.50]. Based on when routing activities are initiated, routing protocols for mobile ad hoc networks may be broadly classified in three basic categories: (1) proactive or table-driven protocols, (2) reactive or on-demand routing protocols, and (3) hybrid routing protocols. Some representative examples of each class are shown in Figure 12.10.

Figure 12.10: Classification and Examples of Ad Hoc Routing Protocols (Proactive (table-driven): DSDV, OLSR, FSR, FSLS; Reactive (on-demand): DSR, AODV; Hybrid: ZRP, LANMAR)

12.2.1 Proactive Routing Protocols

Proactive protocols perform routing operations between all source-destination pairs periodically, irrespective of the need for such routes. These protocols stem from conventional link-state or distance-vector routing algorithms, and they attempt to maintain shortest-path routes by using periodically updated views of the network topology. These are typically maintained in routing tables in each node and updated with the acquisition of new information. Proactive protocols have the advantage of providing lower latency in data delivery and the possibility of supporting applications that have quality-of-service constraints.
Their main disadvantage is the wastage of bandwidth in sending update packets periodically even when they are not necessary, such as when there are no link breakages or when only a few routes are needed.

12.2.1.1 Destination-Sequenced Distance-Vector Routing (DSDV)

DSDV [Ref. 12.44] is based on the classical Bellman-Ford algorithm [2] with adaptations that are specifically targeted at mobile networks. The Bellman-Ford algorithm uses the distance-vector approach, where every node maintains a routing table that records the “next hop” for every reachable destination along the shortest route and the minimum distance (number of hops). Whenever there is any change in this minimum distance, the information is reported to neighboring nodes and the tables are updated as required. To make this algorithm adequate for mobile ad hoc networks, DSDV added a sequence number to each distance entry to indicate the freshness of that entry. A sequence number is originated at the destination node and is incremented by each node that sends an update to its neighbors. Thus, a newer routing table update for the same destination will have a higher sequence number. Routing table updates are periodically transmitted throughout the network, with each node updating its routing table entries based on the latest sequence number corresponding to that entry. If two updates for the same destination have identical sequence numbers but different distances, then the shorter distance is recorded. The addition of sequence numbers removes the possibility of long-lived loops and also the “counting-to-infinity” problem, where it takes a large number of update messages to ascertain that a node is not reachable [Ref. 12.44].

12.2.1.2 Optimized Link-State Routing Protocol (OLSR)

OLSR is a comparatively newer proactive routing protocol [Ref. 12.15].
It is an adaptation of conventional link-state routing in which each node tries to maintain information about the network topology. Each node determines the link costs to each of its neighbors by broadcasting HELLO messages periodically. Whenever there is a change in the link costs, the node broadcasts this information to all other nodes. In classical link-state algorithms, this is done by each node flooding the whole network with update packets containing the updated link costs. Nodes use this information to apply a shortest-path algorithm (such as Dijkstra’s shortest-path algorithm [Ref. 12.11]) to determine the best route to a specific destination. OLSR optimizes the link-state protocol in two ways. First, it reduces the size of the update packets sent during the broadcasts by including only a subset of the links to its neighbors. These are the links to a select set of neighbors known as the multipoint relays (MPR). The MPR set of a node consists of the minimum set of one-hop neighbors of that node such that the node can reach all of its two-hop neighbors by using these nodes as relay points. Each node computes its MPR set from the exchange of neighborhood information with all its neighbors. Second, instead of every neighbor rebroadcasting the update packets sent out by a node, only the MPR nodes participate in broadcasting these packets in OLSR. This minimizes the traffic of control packets during flooding. However, the savings of bandwidth achieved using these two techniques come at the cost of propagating incomplete topology information in the network. The updates include only MPR sets and not the sets of all neighbors of the broadcasting nodes. Hence, a shortest-path algorithm based on this partial topology information will generate routes containing the MPR nodes only. When the network is dense, that is, when each node has many neighbors, OLSR turns out to be efficient due to the reduction of control traffic for updates in the network.
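The DSDV table-update rule of Section 12.2.1.1 run on a three-node line, as an added example that is not the book's code. It assumes, as in DSDV's published design, that a destination advances its own (even) sequence number before each update and that the node detecting a broken link advertises the destination as unreachable with an odd sequence number; the same scenario is then rerun with the freshness check switched off to show the loop that plain distance-vector routing forms.

```python
"""DSDV routing-table update rule of Section 12.2.1.1 (constructed example).

Each entry holds next hop, hop count and the destination-originated sequence
number. An advertised entry replaces the stored one when its sequence number
is higher, or equal with a lower hop count. Assumed, as in DSDV's design: a
destination advances its own sequence number by 2 (even) before each update;
a node that detects a broken link advertises the destination as unreachable
with the old sequence number plus 1 (odd).
"""
from dataclasses import dataclass

INF = 16  # hop count meaning "unreachable" (constructed value)


@dataclass
class Entry:
    next_hop: str
    hops: int
    seq: int


class Node:
    def __init__(self, name, use_seq=True):
        self.name = name
        self.use_seq = use_seq  # False: plain Bellman-Ford without freshness check
        self.table = {name: Entry(name, 0, 0)}

    def bump_seq(self):
        """The destination itself issues a fresher (even) sequence number."""
        self.table[self.name].seq += 2

    def advertise(self):
        """Full-dump update sent to neighbors: every known destination."""
        return {d: Entry(self.name, e.hops, e.seq) for d, e in self.table.items()}

    def accept(self, dest, adv, sender):
        """Apply one advertised entry heard from neighbor `sender`; True if taken."""
        cur = self.table.get(dest)
        cand = Entry(sender, min(adv.hops + 1, INF), adv.seq)
        if cur is None:
            take = True
        elif self.use_seq:
            # DSDV rule: fresher sequence number wins; ties go to the shorter route
            take = cand.seq > cur.seq or (cand.seq == cur.seq and cand.hops < cur.hops)
        else:
            # classical distance vector: trust the current next hop, else take shorter
            take = sender == cur.next_hop or cand.hops < cur.hops
        if take:
            self.table[dest] = cand
        return take

    def receive_update(self, sender, update):
        """Returns the destinations whose entries changed."""
        return [d for d, adv in update.items()
                if d != self.name and self.accept(d, adv, sender)]


def link_failure(node, dest):
    """Detecting node marks dest unreachable with an odd sequence number."""
    cur = node.table[dest]
    node.table[dest] = Entry(cur.next_hop, INF, cur.seq + 1)


def dsdv_scenario(use_seq=True):
    """Line topology A - B - C. B loses its link to C while A's stale update
    (which still lists C at 2 hops) is in flight back to B. Returns (A's table,
    B's table, destinations B changed on receiving the stale update)."""
    a, b, c = (Node(n, use_seq) for n in "ABC")
    for n in (a, b, c):
        n.bump_seq()
    b.receive_update("C", c.advertise())   # B learns C at 1 hop, seq 2
    a.receive_update("B", b.advertise())   # A learns C at 2 hops via B
    stale = a.advertise()                  # A's periodic update, sent now
    link_failure(b, "C")                   # B-C breaks; B marks C unreachable, seq 3
    a.receive_update("B", b.advertise())   # A hears the failure
    changed_at_b = b.receive_update("A", stale)
    return a.table, b.table, changed_at_b


if __name__ == "__main__":
    _, b_tbl, changed = dsdv_scenario()
    print("DSDV:", changed, b_tbl["C"])       # ['A'] and C stays unreachable
    _, b_tbl, changed = dsdv_scenario(use_seq=False)
    print("plain DV:", changed, b_tbl["C"])   # ['A', 'C'] and C via A: a B-A-B loop
```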
12.2.1.3 Issues in Proactive Routing

The key characteristic of proactive routing protocols is that updates are sent periodically irrespective of need. Another issue is that they are table-driven. These two properties cause serious problems for making proactive routing protocols scale with network size. However, these protocols work well under heavy traffic and high mobility conditions, as they try to maintain fresh routing information continuously. Several new approaches have been proposed to make proactive protocols more scalable. One example is Fisheye State Routing (FSR) [Ref. 12.41], which is also an adaptation of link-state routing to ad hoc networks. FSR tries to limit routing load by avoiding flooding the network with routing information. The entire link-state information is transmitted only to the first-hop neighbors. In addition, it uses lower update rates for nodes that are located further away. Hence, FSR maintains accurate route information on nodes that are close by, but the accuracy degrades with increasing distance of the destination from the source. Overall, this technique reduces the volume and size of routing traffic. A similar approach is adopted in the Fuzzy Sighted Link-State algorithm (FSLS) [Ref. 12.51]. As discussed, OLSR reduces routing load by broadcasting incomplete topology information. In general, these sacrifices lead to increased scalability of proactive routing protocols.

12.2.2 Reactive Routing Protocols

Reactive protocols are designed to minimize routing overhead. Instead of tracking the changes in the network topology to continuously maintain shortest-path routes to all destinations, these protocols determine routes only when necessary. Typically, these protocols perform a route discovery operation between the source and the desired destination when the source needs to send a data packet and the route to the destination is not known.
As long as a route is live, reactive routing protocols only perform route maintenance operations and resort to a new route discovery only when the existing one breaks. The advantage of this on-demand operation is that it usually has a much lower average routing overhead in comparison to proactive protocols. However, it has the disadvantage that a route discovery may involve flooding the entire network with query packets. Flooding is wasteful, and it can be required quite frequently in the case of high mobility or when there are a large number of active source-destination pairs. Moreover, route discovery adds to the latency in packet delivery, as the source has to wait until the route is determined before it can transmit. Despite these drawbacks, on-demand protocols receive comparatively more attention than proactive routing protocols, as the bandwidth advantage makes them more scalable.

12.2.2.1 Dynamic Source Routing (DSR)

DSR is a reactive routing protocol that uses a concept called source routing [Ref. 12.25]. Each node maintains a route cache where it lists the complete routes to all destinations for which the routes are known. A source node includes the route to be followed by a data packet in its header. Routes are discovered on demand by a process known as route discovery. When a node does not have a route cache entry for the destination to which it needs to send a data packet, it initiates a route discovery by broadcasting a route REQUEST or QUERY message seeking a route to the destination. The REQUEST packet contains the identities of the source and the desired destination. Any node that receives a REQUEST packet first checks its route cache for an existing entry to the desired destination. If it does not have such an entry, the node adds its identity to the header of the REQUEST packet and retransmits it. Eventually, the REQUEST packet will flood the entire network, traversing all the nodes and tracing all possible paths.
When a REQUEST packet reaches the destination, or a node that has a known route to the destination, a REPLY is sent back to the source following, in the reverse direction, the same route that was traversed by that REQUEST packet. This is done by simply copying the sequence of node identities obtained from the header of the REQUEST packet. The REPLY packet contains the entire route to the destination, which is recorded in the source node’s route cache. When an existing route breaks, it is detected by the failure of forwarding data packets on the route. Such a failure is observed by the absence of the link layer acknowledgement expected by the node where the link failure has occurred. On detecting the link failure, the node sends back an ERROR packet to the source. All nodes that receive the ERROR packet, including the source, delete from their route caches all existing routes that contain the specified link. If a route is still needed, a fresh route discovery is initiated.

12.2.2.2 Ad Hoc On-Demand Distance-Vector Routing (AODV)

AODV [Ref. 12.42] can be described as an on-demand extension of the DSDV routing protocol. Like DSDV, each node maintains routing tables containing the next hop and sequence number corresponding to each destination. However, the routes are created on demand, that is, only when a route is needed for which there is no “fresh” record in the routing table. In order to facilitate the determination of the freshness of routing information, AODV maintains the time since an entry was last utilized. A routing table entry is “expired” after a certain predetermined threshold of time. The mechanism for creating routes in AODV is somewhat different from that used in DSR. Here, when a node needs a route to some destination, it broadcasts a route REQUEST packet in which it includes the last known sequence number for that destination.
The REQUEST packet is forwarded by all nodes that do not have a fresher route (determined by the sequence numbers) to the specified destination. While forwarding the REQUEST packet, each node records the previous hop taken by the REQUEST packet in its routing table entry for the source (the originator of the route discovery). Hence, a propagating REQUEST packet creates reverse routes to the source in the routing tables of all forwarding nodes. When the REQUEST packet reaches the desired destination, or a node that knows a fresher route to it, it generates a route REPLY packet that is sent back along the same path that was taken by the corresponding REQUEST packet. The REPLY packet contains the number of hops to the destination as well as the most recent sequence number. Each node that forwards the REPLY packet enters the routing information for the destination node in its routing table, thus creating the forward route to the destination. Routing table entries are deleted when an ERROR packet is received from one of the intermediate nodes on the route while forwarding a data packet to the destination. When such an ERROR packet reaches the source, it may initiate a fresh route discovery to determine a fresh route to the destination.

12.2.2.3 Issues in Reactive Routing

Since reactive routing protocols only transmit routing packets when needed, these protocols are comparatively more efficient when there are fewer link breakages, such as under low mobility conditions. In addition, when there are only a few communicating nodes in the network, the routing functions are only concerned with maintaining the routes that are active. Because of these benefits, reactive or on-demand routing protocols have received more attention than proactive protocols for mobile ad hoc networks. The main concern with reactive routing protocols is the need to flood the entire network in search of a route when one is needed.
Many optimizations have been suggested to reduce the excessive number of routing packets transmitted throughout the network during such flooding operations in reactive protocols. For instance, DSR has the option of broadcasting a nonpropagating request packet for route discovery, which is then broken into two phases. In the first phase, the source broadcasts a nonpropagating route request packet that only queries its first-hop neighbors for a known route to the destination. These packets are not forwarded by the neighbors. If none of the neighbors return a route, the source then proceeds to the second phase, where a traditional propagating request packet is sent. The advantage of this scheme is that it avoids a networkwide flood of request packets when the route to the destination is known by one of the first-hop neighbors. A similar scheme is implemented in AODV using the concept of an expanding ring search. Here, increasingly larger neighborhoods, controlled by either hop- or time-constrained request packets, are searched to find the route to the destination. Some other techniques that perform similar optimizations are: salvaging, where an intermediate node in DSR uses an alternative route from its own cache when the original route is broken; and promiscuous listening, in which a node that overhears a packet not addressed to itself finds that it has a shorter route to the same destination and sends a gratuitous reply to the source with this new route. This increases the freshness of the route cache entries without additional route discoveries.

12.2.3 Hybrid Routing Protocols

Hybrid routing is an approach often used to obtain a better balance between adaptability to varying network conditions and routing overhead. These protocols use a combination of reactive and proactive principles, each applied under different conditions, places, or regions.
For instance, a hybrid routing protocol may benefit from dividing the network into clusters and applying proactive route updates within each cluster and reactive routing across different clusters. Routing schemes that employ proactive route maintenance on top of reactive route discoveries have also been considered.

12.2.3.1 Zone Routing Protocol (ZRP)

ZRP [Ref. 12.22] divides the network into zones or clusters of nodes. The nodes within each zone maintain routing information for one another using a proactive algorithm such as a distance vector or link-state protocol. Hence, all nodes maintain updated routing tables consisting of routes to all other nodes within the same zone (known as intrazone routing). Each zone also identifies a set of peripheral nodes that are located at the edges of the zone for communication with other zones. When a packet is to be sent to a node for which the source does not have an entry in its routing table, it is assumed that the destination is located in another zone. In that case, the node requests the peripheral nodes to send out a route request packet to all other zones in the network. This is known as interzone routing, which uses a process that is similar to DSR except that the request packets are only handled by the peripheral nodes in the network. When the request packet reaches a peripheral node of the zone that contains the destination, a reply is sent back to the source. The overhead of flooding in such a route discovery is limited due to the involvement of peripheral nodes only. The proactive protocol in this hybrid framework limits the spread of periodic update packets within each zone. ZRP is especially suitable for large networks; however, the flooding of request packets during interzone route discoveries may still be a cause of concern.
12.2.3.2 Landmark Ad Hoc Routing Protocol (LANMAR)

LANMAR is designed for ad hoc networks that have the characteristics of group mobility, such as a group of soldiers moving together in a battlefield. Each group dynamically identifies a specific node within the group to be a landmark node. A proactive link-state routing protocol is used to maintain routing information within the group and a distance vector algorithm is used to do the same amongst all landmark nodes. Hence, each node has detailed topology information for all nodes within the group and distance and routing vector information to all landmarks. No routing information is maintained for nonlandmark nodes belonging to other groups. Packets to be sent to such a destination are forwarded towards the corresponding landmark. When the packet reaches the nodes within the group containing the destination, it is forwarded to the destination, possibly without going through its landmark. This scheme reduces the size of routing tables as well as the overhead of routing traffic by forming a two-level routing hierarchy. Hence, it is expected to be more scalable than the so-called flat routing protocols.

12.2.4 Other Concepts in Ad Hoc Routing

There is an increasing list of new ideas and protocols for routing in mobile ad hoc networks. The MANET working group in the IETF publishes all significant developments and discussions by the group online in its mailing list [Ref. 12.20], which is the most comprehensive source of up-to-date information on research on ad hoc routing protocols. In addition to the representative protocols in the three broad categories of routing protocols described above, it is worthwhile to look at some of the other concepts that have been applied to routing in mobile ad hoc networks.

12.2.4.1 Geographic Position Aided Routing

The fundamental problems of routing in ad hoc networks arise due to the random movements of the nodes.
Such movements make topological information stale, and hence, when an on-demand routing protocol needs to find the route, it often has to flood the entire network looking for the destination. One of the ways of reducing the wastage of bandwidth in transmitting route request packets to every node in the network is to confine the search using geographical location information. Geographical positioning systems (GPS) can detect the physical location of a terminal using universal satellite-transmitted wireless signals. In recent times, GPS receivers have become smaller, more versatile, and more cost-effective. Hence, several protocols have been proposed that assume the presence of a GPS receiver in each node and utilize the location information in routing [Refs. 12.1, 12.29, 12.39, 12.54]. One of the approaches for utilizing geographic location information in routing is to forward data packets in the direction of the location of the destination node, as proposed in various references [Refs. 12.1, 12.39, 12.54]. It may be required to define geographic location–specific addresses instead of logical node addresses to do that [Ref. 12.39]. An alternative concept is proposed in the Location Aided Routing (LAR) protocol [Ref. 12.29], which uses location information in on-demand routing to limit the spread of request packets for route discoveries. LAR uses information such as the last known location and speed of movements of a destination to determine a REQUEST ZONE, which is defined as a restricted area within which the REQUEST packets are forwarded in order to find the destination. Two different ways of defining REQUEST ZONES have been proposed. The idea is to allow route request packets to be forwarded by only those nodes that lie within the REQUEST ZONE, specified by the source. This limits the overhead of routing packets for route discovery, which would normally be flooded over the whole network.
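The request-zone idea, as an added example that is not code from the book: it assumes LAR's first scheme (the expected zone is a circle of radius speed × elapsed time around the destination's last known position, and the request zone is the smallest rectangle enclosing that circle and the source), uses constructed node coordinates and radio range, and also shows what happens when the destination has moved beyond the expected zone, in which case LAR falls back to an unrestricted flood.

```python
"""Request-zone-limited route discovery in the style of LAR.  Added example, not the
book's code: it assumes LAR's first scheme (a rectangular request zone that encloses
the source and the destination's expected zone); coordinates and speeds are constructed."""
import math
from collections import deque
from dataclasses import dataclass

# Constructed node positions in meters; S is the source, D the destination.
NODES = {
    "S": (0.0, 0.0), "N1": (25.0, 5.0), "N2": (50.0, 20.0), "N3": (72.0, 38.0),
    "N8": (40.0, 48.0), "D": (88.0, 62.0),                        # inside the request zone
    "N4": (-15.0, 25.0), "N5": (30.0, -20.0), "N6": (100.0, 28.0),  # outside it
}
RADIO_RANGE = 30.0  # meters


@dataclass(frozen=True)
class Rect:
    x_min: float
    y_min: float
    x_max: float
    y_max: float

    def contains(self, point):
        x, y = point
        return self.x_min <= x <= self.x_max and self.y_min <= y <= self.y_max


def expected_zone(last_pos, speed, elapsed):
    """Circle the destination can have reached since its position was last known."""
    return last_pos, speed * elapsed


def request_zone(src_pos, center, radius):
    """Smallest axis-aligned rectangle covering both the source and the expected zone."""
    (sx, sy), (cx, cy) = src_pos, center
    return Rect(min(sx, cx - radius), min(sy, cy - radius),
                max(sx, cx + radius), max(sy, cy + radius))


def _in_range(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1]) <= RADIO_RANGE


def flood(positions, src, dst, zone=None):
    """Flood a REQUEST from src.  Only nodes inside `zone` (if given) rebroadcast;
    the destination never rebroadcasts.  Returns (nodes that rebroadcast, dst reached)."""
    seen, queue, forwarders, reached = {src}, deque([src]), set(), False
    while queue:
        cur = queue.popleft()
        if cur == dst:
            reached = True
            continue
        if zone is not None and not zone.contains(positions[cur]):
            continue  # outside the request zone: the REQUEST is dropped here
        forwarders.add(cur)
        for other, pos in positions.items():
            if other not in seen and _in_range(positions[cur], pos):
                seen.add(other)
                queue.append(other)
    return forwarders, reached


def lar_discover(positions, src, dst, last_pos, speed, elapsed):
    """Zone-limited discovery with LAR's fallback: if no reply comes back from the
    restricted flood, retry with the request zone widened to the whole network.
    Returns (nodes that rebroadcast, dst reached, whether the fallback was needed)."""
    center, radius = expected_zone(last_pos, speed, elapsed)
    zone = request_zone(positions[src], center, radius)
    forwarders, reached = flood(positions, src, dst, zone)
    if reached:
        return forwarders, True, False
    forwarders, reached = flood(positions, src, dst, None)  # unrestricted retry
    return forwarders, reached, True


if __name__ == "__main__":
    # D was last seen at (80, 60) ten seconds ago, moving at most 1.5 m/s.
    print(lar_discover(NODES, "S", "D", (80.0, 60.0), 1.5, 10.0))
    print(flood(NODES, "S", "D"))
    moved = dict(NODES, D=(118.0, 40.0))  # D moved faster than the source assumed
    print(lar_discover(moved, "S", "D", (80.0, 60.0), 1.5, 10.0))
```

With these constructed positions the zone-limited search needs five rebroadcasts instead of eight, while the fast-moving destination is only found by the fallback flood, which is the price of a stale or optimistic speed estimate.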
A related protocol that uses spatial locality based on hop counts to confine the spread of request packets was proposed by Castaneda and Das [Ref. 12.6]. This protocol uses the concept that once an existing route is broken, a new route can be determined within a certain distance (measured in number of hops) from the old route. The protocol confines the spread of route request packets while searching for a new route to replace one that is freshly broken. For a new route discovery where no earlier routes were on record, the protocol still uses traditional flooding. However, this query localization technique for rediscovering routes still saves routing overhead.

12.2.4.2 Stability-Based Routing

A different approach to improve the performance of routing in mobile ad hoc networks is based on using routes that are selected on the basis of their stability. The Associativity-Based Routing (ABR) protocol [Ref. 12.56] maintains an association stability metric that measures the duration of time for which a link has been stable. While discovering a new route, the protocol selects paths that have a high aggregate-association stability. This is done with the idea that a long-lived link is likely to be stable for a longer interval than a link that has been relatively short-lived. Signal Stability-Based Routing (SSR) [Ref. 12.12] uses signal strengths to determine stable links. It allows the discrimination between “strong” and “weak” links when a route request packet is received by a node. The request packet is forwarded by the node if it has been received over a strong link. This allows the selection of routes that are expected to be stable for a longer time.

12.2.4.3 Multipath Routing

On-demand or reactive routing protocols suffer from the disadvantage that data packets cannot be transmitted until the route discovery is completed.
This delay can be significant under heavy traffic conditions when the REQUEST or the REPLY packet may take a considerable amount of time in traversing its path. This characteristic, along with the fact that each route discovery process consumes additional bandwidth for the transmission of REQUEST and REPLY packets, motivates us to find ways to reduce the frequency of route discoveries in on-demand protocols. One way of doing that is to maintain multiple alternate routes between the same source-destination pair such that when the primary route breaks, the transmission of data packets can be switched over to the next available path held in memory. Under the assumption that multiple paths do not break at the same time, which is most often true if the paths are sufficiently disjoint, the source may delay a fresh route discovery if the alternate paths are usable. As a result, many routing protocols have been designed to maintain multiple paths or routes for each pair of source and destination nodes. The Temporally Ordered Routing Algorithm (TORA) [Ref. 12.40] provides multiple alternate paths by maintaining a “destination oriented” directed acyclic graph from the source. The DSR protocol also has an option of maintaining multiple routes for each destination in the route cache, so that an alternate route can be used upon failure of the primary route. Two multipath extensions of DSR were proposed by Nasipuri, Castaneda, and Das [Ref. 12.34] that aggressively determine multiple disjoint paths for each destination. Here, two different schemes for selecting alternative routes were considered, both benefiting from reducing the frequency of route discoveries caused by link breakages. Several other multipath routing protocols that derive benefits using the same principle have also been proposed [Refs. 12.16, 12.32, 12.45].
12.2.4.4 Preemptive Routing

A purely reactive routing protocol typically does nothing before a route breaks to prevent a multihop communication from being interrupted by the link failure. Most reactive routing protocols initiate a fresh route discovery when an ERROR packet is received at the source due to a link breakage. This introduces a pause in the communication until a new route is found. The goal of preemptive routing protocols is to avoid such pauses by triggering a route discovery and switching to a new (and, it is hoped, better) route before the existing route breaks. Such protocols can be viewed as a combination of proactive and reactive routing, where the route maintenance is performed proactively but the basic routing framework is reactive. The crucial design issue in such protocols is to detect when to initiate a preemptive route discovery to find a “better” route. The protocol proposed by Goff and colleagues [Ref. 12.19] uses the technique of determining this by observing when the signal strength falls below a predetermined threshold. If the wireless channel is relatively static, then this correctly detects the initiation of link failure due to increasing distance between the two nodes in the link. However, multipath fading and shadowing effects might lead to false alarms while using this technique. Alternatively, using a time-to-live parameter was proposed by Nasipuri and colleagues [Ref. 12.33]. In this protocol, a preemptive route discovery is initiated when a route has been in use for a predetermined threshold of time. The preemption obviously makes the route discoveries more frequent than what would be observed in a purely reactive scheme. To keep the routing overhead low, the preemptive routing protocol presented by Nasipuri and colleagues [Ref. 12.33] proposes the use of query localization in the preemptive searches.
12.3 Conclusion

The mobile ad hoc network is one of the newest members in the family of wireless networks that span the planet. This chapter has aimed to provide the main issues and an overview of the developments in the MAC and routing protocols for mobile ad hoc networks. Although a vast amount of work has been done on it in the recent past, many questions still remain unanswered. Some of the issues that need further thought include:

• MAC: How can we design improved and robust MAC schemes that would dynamically adjust to variations of the wireless link characteristics and simultaneously cater to the need for higher data rates, quality-of-service requirements, and power savings, and that would be crucial in many future applications?
• Routing: By far the biggest issue in mobile ad hoc networking research is routing. With the rapid and diverse nature of growth of mobile ad hoc networks, the choice of the routing protocol is likely to depend on the network size, mobility, and application requirements. However, it will be interesting to see if an approach to generate a unified standard for ad hoc routing is achievable.
• Transport: The issues of transport layer protocols for mobile ad hoc networks require special attention. A discussion on these issues is outside the scope of this chapter. It is often said that optimizing ad hoc network performance requires a multilayer approach, where design problems at different layers of the protocol stack are addressed together for a unified solution. How can we arrive at such a design solution?
• Scalability: Many applications are already being conceived where hundreds of thousands of nodes are being considered for ad hoc networking. How do we design protocols for these large scale networks?
• Internet connectivity: What is the best paradigm for extending the reach of the Internet to mobile terminals that form a mobile ad hoc network with access points to the Internet?
• Security: All wireless networks are susceptible to security problems such as eavesdropping and jamming. How can we provide security to mobile ad hoc networks?
• Power: One of the major limitations of portability arises from limitations of battery power. In addition to developing improved battery technology, future ad hoc networking protocols have to be made more power efficient so that the network can survive longer without replacement of batteries.

These items are far from comprising a complete list of challenging research problems that ad hoc networking has posed. It is my hope that this chapter will inspire the reader to look into some of these in more detail.

References

[12.1] S. Basagni, I. Chlamtac, V. R. Syrotiuk, and B. A. Woodward, “A Distance Routing Effect Algorithm for Mobility (DREAM),” Proceedings of the ACM MOBICOM 1998 (October 1998): 76–84.
[12.2] D. Bertsekas and R. Gallager, Data Networks, 2nd ed. (Prentice Hall, Upper Saddle River, NJ, 1987).
[12.3] V. Bharghavan, A. Demers, S. Shenker, and L. Zhang, “MACAW: A Media Access Protocol for Wireless LANs,” Proceedings of the SIGCOMM 1994 (August 1994): 212–25.
[12.4] J. Broch, D. A. Maltz, D. B. Johnson, Y.-C. Hu, and J. Jetcheva, “A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols,” Proceedings of ACM MOBICOM (October 1998): 85–97.
[12.5] F. Cali, M. Conti, and E. Gregori, “IEEE 802.11 Wireless LAN: Capacity Analysis and Protocol Enhancement,” Proceedings of IEEE INFOCOM 1998 (March/April 1998): 142–9.
[12.6] R. Castaneda and S. R. Das, “Query Localization Techniques for On-Demand Routing Protocols in Ad Hoc Networks,” Proceedings of the 1999 ACM MOBICOM Conference (August 1999): 186–94.
[12.7] H. S. Chhaya and S. Gupta, “Performance Modeling of Asynchronous Data Transfer Methods of IEEE 802.11 MAC Protocol,” Proceedings of IEEE Personal Communications Conference 3 (October 1996): 8–15.
[12.8] S. R. Das, R. Castaneda, J. Yan, and R. Sengupta, “Comparative Performance Evaluation of Routing Protocols for Mobile, Ad Hoc Networks,” 7th International Conference on Computer Communications and Networks (IC3N) (October 1998): 153–61.
[12.9] J. Deng and Z. J. Haas, “Dual Busy Tone Multiple Access (DBTMA): A New Medium Access Control for Packet Radio Networks,” Proceedings of IEEE ICUPS 1998 2 (October 1998): 973–77.
[12.10] IEEE Standards Department, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Standard 802.11-1997, 1997.
[12.11] E. W. Dijkstra, “A Note on Two Problems in Connection with Graphs,” Numerical Mathematics 1 (October 1959): 269–71.
[12.12] R. Dube, C. D. Rais, K. Wang, and S. K. Tripathi, “Signal Stability Based Adaptive Routing (SSA) for Mobile Ad Hoc Networks,” IEEE Personal Communications 4 (February 1997): 36–45.
[12.13] J. Haartsen, W. Allen, J. Inouye, O. Joeressen, and M. Naghshineh, “Bluetooth: Vision, Goals, and Architecture,” ACM SIGMOBILE Mobile Computing and Communications Review 2 (October 1998): 38–45.
[12.14] K. J. Negus, J. Waters, J. Tourrilhes, C. Romans, J. Lansford, and S. Hui, “HomeRF and SWAP: Wireless Networking for the Connected Home,” ACM SIGMOBILE Mobile Computing and Communications Review 2 (October 1998): 28–37.
[12.15] P. Jacquet, P. Muhlethaler, and A. Qayyum, “Optimized Link State Routing Protocol,” IETF Internet Draft draft-ietf-manet-olsr-05.txt, 2000.
[12.16] D. Ganesan, R. Govindan, S. Shenker, and D. Estrin, “Highly-Resilient, Energy-Efficient Multipath Routing in Wireless Sensor Networks,” Proceedings of ACM/SIGMOBILE MOBIHOC 2001 (October 2001): 295–98.
[12.17] R. Garces and J. J. Garcia-Luna-Aceves, “Floor Acquisition Multiple Access with Collision Resolution,” Proceedings of the ACM/IEEE Mobile Computing and Networking Conference (November 1996): 10–12.
[12.18] R. Garces and J. J. Garcia-Luna-Aceves, “Collision Avoidance and Resolution Multiple Access with Transmission Queues,” ACM Wireless Networks Journal 5 (February 1999): 95–109.
[12.19] T. Goff, N. B. Abu-Ghazaleh, D. S. Phatak, and R. Kahvecioglu, “Preemptive Routing in Ad Hoc Networks,” Proceedings of the ACM MOBICOM 2001 (July 2001): 43–52.
[12.20] IETF MANET Working Group, http://www.ietf.org/html.charters/manet-charter.html.
[12.21] Z. J. Haas, “On the Performance of a Medium Access Control Scheme for the Reconfigurable Wireless Networks,” Proceedings of IEEE MILCOM 1997 (November 1997).
[12.22] Z. J. Haas and M. R. Pearlman, “The Performance of Query Control Schemes for the Zone Routing Protocol,” ACM/IEEE Transactions on Networking 9 (August 2001): 427–38.
[12.23] X. Hong, K. Xu, and M. Gerla, “Scalable Routing for Mobile Ad Hoc Network,” IEEE Network Magazine (July–August 2002): 11–21.
[12.24] N. Jain, S. R. Das, and A. Nasipuri, “A Multichannel MAC Protocol with Receiver-Based Channel Selection for Multihop Wireless Networks,” Proceedings of the IEEE IC3N 2001 (October 2001): 432–39.
[12.25] D. Johnson and D. Maltz, “Dynamic Source Routing in Ad Hoc Wireless Networks,” in Mobile Computing, ed. T. Imielinski and H. Korth (Kluwer Academic, Dordrecht, The Netherlands, 1996), 353: 153–81.
[12.26] J. Jubin and J. D. Tornow, “The DARPA Packet Radio Network Protocols,” Proceedings of the IEEE 75 (January 1987): 21–32.
[12.27] P. Karn, “MACA: A New Channel Access Method for Packet Radio,” Proceedings of ARRL/CRRL Amateur Radio 9th Computer Networking Conference (1990): 134–40.
[12.28] L. Kleinrock and F. A. Tobagi, “Packet Switching in Radio Channels: Part I: Carrier Sense Multiple Access Modes and Their Throughput-Delay Characteristics,” IEEE Transactions on Communications COM-23, 12 (December 1975): 1400–16.
[12.29] Y. Ko and N. H. Vaidya, “Location-Aided Routing (LAR) in Mobile Ad Hoc Networks,” ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM) (November 1998): 66–75.
[12.30] Y. B. Ko, V. Shankarkumar, and N. H. Vaidya, “Medium-Access Control Protocols Using Directional Antennas in Ad Hoc Networks,” Proceedings of IEEE INFOCOM 2000 (March 2000).
[12.31] C. T. Lau and C. Leung, “Capture Models for Mobile Packet Radio Networks,” IEEE Transactions on Communications 40 (May 1992): 917–25.
[12.32] S.-J. Lee and M. Gerla, “Split Multipath Routing with Maximally Disjoint Paths in Ad Hoc Networks,” Proceedings of IEEE ICC 2001 (2001).
[12.33] A. Nasipuri, R. Burleson, B. Hughes, and J. Roberts, “Performance of a Hybrid Routing Protocol for Mobile Ad Hoc Networks,” Proceedings of IEEE International Conference on Computer Communications and Networks (ICCCN 2001) (October 2001): 296–302.
[12.34] A. Nasipuri, R. Castaneda, and S. R. Das, “Performance of Multi-path Routing for On-Demand Protocols in Mobile Ad Hoc Networks,” ACM/Baltzer Mobile Networks and Applications (MONET) Journal 6 (August 2001): 339–49.
[12.35] A. Nasipuri and S. R. Das, “Multichannel CSMA with Signal Power-Based Channel Selection for Multihop Wireless Networks,” Proceedings of IEEE Fall Vehicular Technology Conference (VTC 2000) (September 2000): 211–18.
[12.36] A. Nasipuri, K. Li, and U. R. Sappidi, “Power Consumption and Throughput in Mobile Ad Hoc Networks Using Directional Antennas,” Proceedings of the IEEE International Conference on Computer Communications and Networks (IC3N) (October 2002): 620–26.
[12.37] A. Nasipuri, S. Ye, J. You, and R. E. Hiromoto, “A MAC Protocol for Mobile Ad Hoc Networks Using Directional Antennas,” Proceedings of IEEE Wireless Communications and Networking Conference (WCNC 2000) 3 (September 2000): 1214–19.
[12.38] A. Nasipuri, J. Zhuang, and S. R. Das, “A Multichannel CSMA MAC Protocol for Multihop Wireless Networks,” Proceedings of IEEE Wireless Communications and Networking Conference (WCNC 1999) 3 (September 1999): 1402–6.
[12.39] J. C. Navas and T. Imielinski, “Geographic Addressing and Routing,” Proceedings of the ACM MOBICOM 1997 (1997): 66–76.
[12.40] V. Park and S. Corson, “Temporally Ordered Routing Algorithm (TORA) Version 1, Functional Specification,” IETF Internet Draft, http://www.ietf.org/internet-drafts/draft-ietf-manet-tora-spec-01.txt (August 1998).
[12.41] G. Pei, M. Gerla, and T.-W. Chen, “Fisheye State Routing: A Routing Scheme for Ad Hoc Wireless Networks,” Proceedings of the IEEE ICC 1 (June 2000): 70–74.
[12.42] C. Perkins and E. Royer, “Ad Hoc On-Demand Distance-Vector (AODV) Routing,” IETF Internet Draft, http://www.ietf.org/internet-drafts/draft-ietf-manetaodv-02.txt (November 1998).
[12.43] C. E. Perkins, Ad Hoc Networking (Addison Wesley, Boston, 2002).
[12.44] C. E. Perkins and P. Bhagwat, “Highly Dynamic Destination-Sequenced Distance-Vector Routing (DSDV) for Mobile Computers,” Proceedings of the ACM SIGCOMM 1994 Conference (August 1994): 234–44.
[12.45] D. S. Phatak and T. Goff, “A Novel Mechanism for Data Streaming across Multiple IP Links for Improving Throughput and Reliability in Mobile Environments,” Proceedings of the IEEE INFOCOM 2002 2 (2002): 773–81.
[12.46] D. C. Plummer, “An Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48-Bit Ethernet Addresses for Transmission on Ethernet Hardware,” RFC 826, Standard (November 1982).
[12.47] G. J. Pottie and W. J. Kaiser, “Wireless Integrated Network Sensors,” Communications of the ACM 43 (May 2000): 51–8.
[12.48] R. Ramanathan, “On the Performance of Beam-Forming Antennas in Ad Hoc Networks,” Proceedings of ACM/SIGMOBILE MOBIHOC 2001 (October 2001).
[12.49] J. Redi and B. Welsh, “Energy Conservation for Tactical Robot Networks,” Proceedings of IEEE MILCOM (1999): 1429–33.
[12.50] E. M. Royer and C. K. Toh, “A Review of Current Routing Protocols for Ad Hoc Mobile Wireless Networks,” IEEE Personal Communications 6 (April 1999): 46–55.
[12.51] C. Santivanez, R. Ramanathan, and I. Stavrakakis, “Making Link-State Routing Scale for Ad Hoc Networks,” Proceedings of 2001 ACM (October 2001): 22–32.
[12.52] N. Schacham and J. Westcott, “Future Directions in Packet Radio Architectures and Protocols,” Proceedings of the IEEE 75 (January 1987): 83–99.
[12.53] ETSI Secretariat, “Hiperlan Functional Specification,” draft prETS 300 652, 1995.
[12.54] I. Stojmenovic and X. Lin, “GEDIR: Loop-Free Location-Based Routing in Wireless Networks,” Proceedings of the International Conference on Parallel and Distributed Computing Systems (November 1999).
[12.55] F. A. Tobagi and L. Kleinrock, “Packet Switching in Radio Channels: Part II: The Hidden Terminal Problem in Carrier Sense Multiple-Access and the Busy-Tone Solution,” IEEE Transactions on Communications COM-23 (December 1975): 1417–33.
[12.56] C.-K. Toh, “Associativity-Based Routing for Ad Hoc Mobile Networks,” Wireless Personal Communications Magazine 4 (1997): 103–39.
[12.57] Y.-C. Tseng, S.-L. Wu, C.-Y. Lin, and J.-P. Shen, “A Multichannel MAC Protocol with Power Control for Multihop Mobile Ad Hoc Networks,” Proceedings of the 21st International Conference on Distributed Computing Systems (April 2001): 101–110.
[12.58] J. Weinmuller, M. Schlager, A. Festag, and A. Wolisz, “Performance Study of Access Control in Wireless LANs IEEE 802.11 DFWMAC and ETSI RES 10 Hiperlan,” Mobile Networks and Applications 2 (June 1997): 55–67.
[12.59] Z. J. Haas, “On the Performance of a Medium Access Control Scheme for the Reconfigurable Wireless Networks,” Proceedings of the IEEE MILCOM 3 (November 1997): 1558–64.

Chapter 13
Wireless Sensor Networks
Farid Dowla and Michael R. Moore

The purpose of this chapter is to provide a general approach to planning and implementing wireless sensor networks to support the arrays of sensors needed to operate plants, conduct scientific experiments, and test components. Using this brief tutorial, the reader should be able to acquire and organize the various sensor networks into a cohesive system and interface with vendors and subject matter experts as needed. The primary purpose of sensor networks is to: (1) provide timely accurate data about the state of a plant so that the plant can run with maximum efficiency; (2) provide data to scientists as part of a complex experiment; or (3) provide trustworthy data for test and verification of components before they go into operation. Therefore, the final decisions about which kinds of networks to use should be based on the economics of lifetime cost versus the value of the data. Thus, the deployment of sensor networks must necessarily involve business and technical considerations. This chapter will focus mainly on the technical issues, but it will also alert the reader to some issues that especially impact cost. In order to give a context for the subsequent technical discussions, this chapter begins with a very brief description of some of the ways in which sensor networks can be used to increase the efficiency of a plant.

13.1 Applications

Currently, many sensor networks are deployed to track the levels of the various vessels in a “tank farm” as part of tracking the inventory of chemicals available for the plant. In some plants, a much more encompassing inventory control system exists that includes radiofrequency identification (RFID) tagging and tracking. Currently, RFID tagging and tracking efforts are starting to be combined with sensor networking to provide total asset visibility [Ref. 13.1]. These networks can be used in conjunction with the purchasing system to provide just-in-time inventory control.
Another application area involves agile manufacturing. Many industries are providing more specialized products, so customers purchase fewer of each. In order to maintain quality while changing the settings of the process more often, accurate near–real-time measurements of critical product parameters are necessary. This can be accomplished with sensor networks that use noninvasive sensors to monitor the quality of the product during the process and communicate the pertinent information back to the control mechanisms that may also be automated. A related application area involves process refinement. Scientists and manufacturing engineers are constantly finding new ways to control materials (e.g., tailored heating profiles, controlled chemical reactions, etc.). Sensor networks can be used to provide the feedback necessary to evaluate and improve these methods. Still another application area involves compliance. For example, many plants have established International Organization for Standardization (ISO) 9000 procedures to be able to sell products in Europe. Compliance invariably involves verifying that operations are repeatable and well documented. This implies among other things that sensors constantly monitor the parameters of the materials and the state of the processes. The data from these sensors must be verified and reliable. Standards such as Institute of Electrical and Electronics Engineers (IEEE) 1451 provide for smart sensors that have an associated transducer electronic data sheet (TEDS). This data sheet can be used to track and update calibration data, correction factors, and other parameters that establish and verify the data from these sensors. Other standards such as IEEE 1588 establish the protocols for distributing time information along with the data, which is also necessary for verifying that the sensor data is properly assigned to the concurrent state of the process.
13.2 Plant Network Layouts

Figure 13.1 highlights some key portions of the plant that might utilize sensor networks or associated data networks. First of all, a zone for the plant intranet is indicated that would need to be strategically placed, if it is wireless, at a height that is above normal human traffic and large metal structures at floor level, and below the level of overhead beams and cranes. Equivalently, in an office area, antenna repeaters can be placed on the ceilings of large spaces or at hallway intersections. These antennas must have an appropriate radiation pattern that covers most of the hemisphere below the ceiling.

Figure 13.1: Overview of Plant Networks (zones shown: tank farm, plant intranet, product shipping point, raw material entry point, chemical process, assembly area, office area)

Once a plant intranet is established with convenient access points (either wireless or wired), connection locations called access points can be established for the various subnets. These subnets provide tailored networking for data-intensive portions of the plant. That is, parts of the process or plant requiring large amounts of data to be used locally may utilize specialized sensor networks that only pass a subset of the data back through the plant intranet to the company’s databases. This diversification of the network provides several benefits:

1. It allows cost-effective communication nodes to be tailored to their application rather than making all nodes carry the overhead and complexity of being all things to all users.
2. It provides an additional layer of security, especially against internal “hackers.”
3. It makes spectrum management more manageable since each subset of the network can utilize a different portion of the EM spectrum or at least be allocated into regions (called micro-cells) within which only certain modulation schemes or frequency bands are utilized.
As shown in Figure 13.2, the material input and product output portals (as well as internal warehousing areas not shown) can be equipped with RFID portals. These portals typically include RF transceivers that irradiate items as they enter or leave the plant (or storeroom). Any items equipped with RFID tags of the proper protocol will be excited and read at the portal. These RFID readers would be typically connected to the plant intranet and thus incorporated into the inventory control databases. Efforts are underway to combine sensing (e.g., temperature) information along with the stored information on the RFID tags. Thus, the RFID systems are becoming a seamless part of the overall sensor networking picture.

Figure 13.2: Plantwide Network Architecture (elements shown: World Wide Web, gateway & firewall, wireless access point, subnet gateways and subnet controllers, sensor and actuator nodes, test pallet, engineer, operator and server computers with 802 cards, dedicated F/O Ethernet-compatible hardware, phone-line interface)

13.3 Plant Network Architecture

Figure 13.2 gives a generic plant architecture that connects several dedicated subnets into the plant’s information infrastructure. In this example, a tethered IEEE 802-based (Ethernet) backbone is shown; however, all or portions of this network could be wireless, as discussed in Chapter 14. Four types of “subnets” are shown, as well as a single Internet Protocol (IP) capable wireless access point. The four subnets are (1) a wireless sensor network, (2) a tethered RF sensor subnet using a dedicated transmission line, (3) an RF sensor network that utilizes the existing phone-line infrastructure, and (4) an RFID portal and associated access point for tracking incoming materials or outgoing products.
Whether the plant intranet is tethered or wireless, it will be necessary to locate access points or gateways in the vicinity of individual “subnets” within the plant. These subnets may have a different set of requirements from the wide area networks/metropolitan area networks (WAN/MAN) that connect systems having a range of 1 km or more. For subnets that control or monitor a single process or large production unit (like an airplane wing), there is no need for global connectivity that would imply random access and IP support, but the throughput or synchronization requirements may be more stringent. Depending on how stringent the timing (nanosecond, microsecond, or millisecond) and how high the throughput, a random access standard operating in a controlled fashion may work. If not, a dedicated network with a central controller may be necessary.

13.4 Sensor Subnet Selection

The network designer should start by documenting the sensor networking requirements of the plant as well as estimating future areas of planned expansion, as shown in Table 13.1. Once all of the plant’s sensor networking requirements have been established for the various regions of the plant, optimized subnets can be identified, purchased, and installed. One of the key lifetime costs of networks is the integration time and effort necessary to install the initial network as well as to update the hardware and software as the needs of the plant change with time. Therefore, it is my recommendation that open standards having a history of broad industry support such as IEEE 802 (Ethernet, 802.11b, etc.) be utilized for the plant intranet. This allows the network designer to deploy subnets that may or may not utilize IEEE 802 protocols as long as manufacturers provide access points or bridges that translate the data from the subnet to IEEE 802 protocols. In all of the following discussions, it is assumed that sensor nodes and networks can efficiently connect to the plant intranet.

Table 13.1: Example Network Requirements Form
Columns: Subnet Description | # of Sensors | Total Estimated Throughput (bps) | Range (m) | Timing Resolution (seconds)
Rows: Tank farm; Chemical process; Vibration testing
(Cell values as extracted, in page order, with column alignment lost: 15, 100, 2k, 6 000–10 k, 100, 1, 100 000–10 M, 10, 10^-5, 10)

Although this chapter concentrates on the tradeoffs more particular to RF communications, the cost of integrating sensor networks into the plant operations should be a major consideration in the selection process. This cost will typically include most of the following: power cable installation, antenna installation, software driver development, user application software development, operator training, and maintenance. All of these costs must be considered when selecting a particular model of sensor network.

13.5 Functional Requirements

There are key functions that sensor networks should provide: safety, security, reliability, throughput, determinism, distributed intelligence, distributed controls, distributed communications, and data synchronization. A brief description of these follows.

Safety and security requirements are the most important issues when selecting any information system. Obviously, the safety and security features of the selected sensor network must be commensurate with the needs of the application. For instance, some applications require components and systems that are intrinsically safe. In recent years, the users and developers of supervisory control and data acquisition (SCADA) systems have become increasingly aware of the necessity of securing their data and control links. Securing a wireless transmission may involve both RF signal means as well as bit-encryption means. For instance, spread-spectrum signaling makes it harder for a signal to be detected or intercepted, but this does not provide a very high level of data encryption.
Any system requiring secure data should also employ message encryption means. Currently, some systems employ wired-equivalent privacy (WEP) encryption. The various encryption means are constantly being upgraded as hackers develop new methods of attacking them. Also, as mentioned earlier, networks must be protected from internal attacks since, “more than 70% of all corporate hacking is from inside the firewall . . . [by] a disgruntled employee” (p. 20) [Ref. 13.2]. This involves access controls and network architecture design. A detailed discussion of these issues is outside the scope of this chapter.

The need for reliability cannot be overstated when it comes to information networks. A recent report [Ref. 13.3] listed distrust of reliability as a key reason that more users did not employ wireless equipment:

Reliability is a major concern. . . . This concern is not so much regarding failure of the products to work at all, but rather the reliability of the data transmission and reception. Most concern is over the effect of radiation resistance [EMC] . . . [Ref. 13.3].

Some typical reliability parameters are shown in Table 13.2.

Table 13.2: Some Example Reliability Criteria
Criteria | Value
Bit-error rate | 10^-5
Probability of uncorrected errors | 10^-6
Probability of undetected errors | 10^-9
MTBF | 5 years

The bit-error rate (BER) is a typical figure of merit for any communication link. It usually indicates the fraction of transmitted bits that are incorrectly received. However, most systems provide some level of error correction or at the very least error detection. The most critical of the three is the probability of undetected errors. Costly and sometimes dangerous electronic decisions can be made if undetected bit errors occur in a control system. The uncompensated BER and uncorrected errors affect the probability of a message getting through in a given amount of time.
They also reduce the efficiency of the network, since retransmissions are required to compensate for detected but uncorrected errors. The bottom line is that the probability of undetected errors must be low enough not to cause dangerous or costly situations. Also, the BER and uncorrected error rates must be low enough to allow the network to support the necessary throughput.

Mean time between failure (MTBF) is a measure of how often the components fail. This number needs to be high enough that the user can reasonably expect the systems to run without replacement between major system or plant upgrades.

Another facet of reliability is the trustworthiness of the source and quality of the data. Even if the probability of undetected bit errors approaches zero and the data has been adequately encrypted, verification of the source and quality of the original data (before transmission) must be addressed. This involves establishing the quality of the sensor, the exact time at which the data was sampled, and sometimes whether or not the correct conversion algorithms were employed. Self-testing, self-calibrating, and the distribution of coordinated clock signals are some of the technical means employed to accomplish this type of reliability. These will be addressed in the next section, “Technical Tradeoffs and Issues.”

Related to reliability are throughput and determinism. Throughput is usually quoted in bps (kbps or Mbps). When evaluating systems, the user must be aware of whether the stated values represent signaling rates or usable data rates. For instance, an RF link may have a signaling rate of 10 Mbps that only provides 2 Mbps of useful data bandwidth. This difference is due to the fact that many extra bits are transmitted to provide the necessary “hand-shaking” among transmitter and receiver, error correction and detection, and security.
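To make the three reliability criteria of Table 13.2 and the retransmission argument above concrete, here is an added example (not from the book) that estimates, for a frame of a given length, the probability of an uncorrected error after forward error correction and the approximate probability of an undetected error after a CRC check, compares them with the table's thresholds, and shows how the uncorrected-error rate and framing overhead reduce the usable data rate. The 1000-bit frame, the 640-bit payload, the single- or double-error-correcting code, the 16-bit CRC, and the independent-random-error model are assumptions.

```python
"""Reliability figures of merit for a sensor link, after Table 13.2.

Added example, not the chapter's own code. Assumed model: bit errors are
independent with a fixed bit-error rate (BER); the link's forward error
correction (FEC) repairs up to t_correct errors per frame; each frame carries a
CRC of CRC_BITS bits; an uncorrected frame slips past the CRC with probability
about 2**-CRC_BITS (the usual random-error approximation).
"""
from math import comb

# Table 13.2 thresholds (from the chapter).
CRITERIA = {"ber": 1e-5, "uncorrected": 1e-6, "undetected": 1e-9}

# Constructed link parameters used in the worked case.
FRAME_BITS = 1000   # total bits per frame on the air
PAYLOAD_BITS = 640  # useful sensor data per frame; the rest is overhead
CRC_BITS = 16


def p_frame_hit(ber: float, n_bits: int) -> float:
    """Probability that at least one bit of an n-bit frame is received wrong."""
    return 1.0 - (1.0 - ber) ** n_bits


def p_uncorrected(ber: float, n_bits: int, t_correct: int) -> float:
    """Probability that a frame has more errors than the FEC can repair.

    Binomial tail P(errors > t_correct). For BER much smaller than 1/n the
    terms shrink rapidly with k, so the loop stops once they are negligible.
    """
    p_tail = 0.0
    for k in range(t_correct + 1, n_bits + 1):
        term = comb(n_bits, k) * ber ** k * (1.0 - ber) ** (n_bits - k)
        if term < 1e-30:
            break
        p_tail += term
    return p_tail


def p_undetected(p_unc: float, crc_bits: int) -> float:
    """Approximate probability that a damaged frame passes the CRC unnoticed."""
    return p_unc / float(1 << crc_bits)


def expected_transmissions(p_unc: float) -> float:
    """Mean sends per delivered frame when detected-but-uncorrected frames are
    retransmitted (geometric retry model)."""
    return 1.0 / (1.0 - p_unc)


def useful_throughput(signaling_bps: float, payload_bits: int,
                      frame_bits: int, p_unc: float) -> float:
    """Usable data rate after framing overhead and retransmissions."""
    return signaling_bps * (payload_bits / frame_bits) / expected_transmissions(p_unc)


def evaluate(ber: float, t_correct: int, n_bits: int = FRAME_BITS,
             crc_bits: int = CRC_BITS) -> dict:
    """Compute the three figures of merit and whether each meets Table 13.2."""
    p_unc = p_uncorrected(ber, n_bits, t_correct)
    p_und = p_undetected(p_unc, crc_bits)
    return {
        "p_frame_hit": p_frame_hit(ber, n_bits),
        "p_uncorrected": p_unc,
        "p_undetected": p_und,
        "meets": {
            "ber": ber <= CRITERIA["ber"],
            "uncorrected": p_unc <= CRITERIA["uncorrected"],
            "undetected": p_und <= CRITERIA["undetected"],
        },
    }


if __name__ == "__main__":
    # At BER 1e-5 a single-error-correcting code leaves ~5e-5 of 1000-bit frames
    # uncorrected (fails the 1e-6 criterion); correcting two errors passes.
    for t in (1, 2):
        r = evaluate(1e-5, t)
        print(f"FEC corrects {t} bit(s): P(uncorrected)={r['p_uncorrected']:.2e} "
              f"P(undetected)={r['p_undetected']:.2e} meets={r['meets']}")
    print(f"useful rate at 10 Mbps signaling: "
          f"{useful_throughput(10e6, PAYLOAD_BITS, FRAME_BITS, r['p_uncorrected']):.0f} bps")
```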
Most manufacturers faithfully quote useful data bit rates, but the user must be aware of which of the two parameters they are comparing with their sensor communication needs (as typified by Table 13.1). Determinism indicates that protocols are in place to guarantee that a message gets through within a given time window, or alternatively that the user is alerted if a message ever fails to get through. This figure of merit may be harder to ascertain, but for some applications it is critical. Sometimes average latency or guaranteed worst-case latency may be listed.

The last four functional requirements mentioned above—distributed intelligence, controls, and communications and data synchronization—allow interconnected systems to perform tasks that singly-optimized components could not. In general, distributed intelligence means that individual sensor nodes can accommodate algorithms or subroutines that reduce the raw data to key parameters, called feature vectors. This enables the user to obtain the necessary information without loading down the network with all of the “raw” data. Distributed controls, which often require peer-to-peer communications without going through the central computer, use this distributed intelligence to connect sensor nodes with actuator nodes. Distributed communications provides the peer-to-peer protocols and interfaces necessary for distributed controls. Finally, data synchronization enables the coordination of events (sampling of data, actuation of control events, etc.).

13.6 Technical Tradeoffs and Issues

This section focuses on the technical issues that must be understood when evaluating whether or not components and systems can achieve the functional requirements discussed above.

13.6.1 Bandwidth and Range

The most fundamental parameters for selecting the proper sensor network are bandwidth (or throughput) in bits per second (bps, kbps, Mbps) and range (meters, kilometers, feet, or miles).
The physics of RF communications are such that throughput goes down with increased range, assuming all other parameters are held constant. In fact, many 802.11b devices are rated for four different throughputs that increase with decreasing guaranteed range. The tank farm example typically requires a relatively long range for sensor networks (1 km or more) but with a relatively low data rate (1 kbps). On the other hand, some experiments performing modal analysis involving arrays of accelerometers may require several Mbps over a range of only a few meters or tens of meters. As mentioned, the user must distinguish between component bandwidth and the throughput rate of useful data.

13.6.2 Number of Sensors per Network

Related to the network bandwidth is the number of sensors that would reasonably be attached to a single access point of the plant intranet. In some systems each sensor will have its own RF transmitter. In others, a sensor node may multiplex several sensors onto the communications bus. In both instances, the user must be aware of both the bus throughput maximum rates and the individual node/sensor maximum rates. Most busses can accommodate somewhere between 32 and 256 individual nodes. The user must decide which sensors need to be grouped onto a subnet to provide the necessary data coordination or control loops. Based on this the user must determine which subnet technologies support the requirements.

13.6.3 EMC

Electromagnetic compatibility (EMC) deals with compatibility in both directions. That is, it deals with limiting the emissions of the component being considered, as well as dealing with the potential susceptibility of the component to emissions from other devices. The Federal Communications Commission (FCC) rules focus mainly on limiting the emissions of electronic equipment such that they will not interfere with other devices. On the other hand, U.S.
military standards (MIL-STDs) and European standards (e.g., International Electrotechnical Commission, or IEC) deal with both emissions and susceptibility.

First of all, wireless nodes must be selected within the constraints of the overall frequency planning of the facility. Typically, FCC guidelines are utilized as a general overview of which frequencies and power levels are acceptable within the planning of a region’s spectrum use. However, local spectrum management authority must make judgment calls as to where and when various types of radio equipment can be used. For instance, some facilities do not allow handheld radios in the control room. For similar reasons, many hospitals restrict the locations within which cell phones can even be turned on. That is because any cell phone that is turned on is periodically transmitting at least a pilot signal so that it can be associated with a particular cell tower.

The determination of the proper use of wireless equipment within a plant is not limited to the knowledge and control of carrier frequencies (spectrum management) but should also include the selection of radio equipment with compatible modulation types (waveforms). In some instances, conventional narrowband transmitters such as handheld radios have interfered with important plant processing equipment, while direct-sequence spread-spectrum radio equipment was utilized in the same area without upsetting the process. This is because direct-sequence spread-spectrum waveforms “spread” the energy over a wider bandwidth (typically by factors of 10:1 to 1,000:1) such that the effective volts/Hz energy levels are lower. Another modulation type called frequency-hopping spread-spectrum is often used to good effect to overcome jamming signals. It has been used heavily by the military and in some commercial applications. A currently popular line of components called Bluetooth utilizes frequency-hopping modulation.
In this instance, the dwell time of the carrier is under a few msec; however, during that interval the signal is similar to narrowband transmitters. Frequency-hopping devices have been known to interfere with direct-sequence devices such as wireless local area networks (LAN) utilizing IEEE 802.11b protocols. Because of this, some members of the IEEE 802.15 working groups have discussed separating IEEE 802.15.1 devices from direct-sequence devices by at least 6 feet.

Vendors should not only document FCC certification of their products, but they should also demonstrate that their units have worked in the presence of other wireless equipment. This wireless equipment should include handheld radios (which are typically narrowband licensed units), microwave ovens (some 2.45 GHz radio units are susceptible to the leakage fields from microwave ovens, even though their emanations are certified to be below permissible health limits), and cell phones. Also, the vendor should be able to show that their units do not upset existing plant equipment, especially other wireless links.

Some IEC documents call for the coordination of lightning protection experts, architects, and construction companies when building a plant to ensure that a thorough lightning protection system is in place. Analogously, an EMC expert should be consulted at plant startup and during major upgrades to ensure that all of the plant’s wireless communication devices, equipment such as RF heaters, and other electronics sensitive to EM fields will peacefully coexist. When there were only a few types of wireless devices, EMC was less of an issue than it is now. However, the current proliferation of wireless communication devices will cause intersystem EMC to become a major consideration when selecting wireless equipment.
Note that intrasystem EMC is under the purview of the designer of the wireless components and that adhering to FCC rules provides some measure of intersystem EMC. History has proven that good engineering practices and well-planned governmental controls are not enough, however. Some systems will invariably interfere with others; good spectrum management and spatial separation will minimize this interference. The use of directive antennas, direct-sequence spread spectrum, power control, and all other available technical means should be employed to reduce the possibility of EMC problems.

13.6.4 Spectrum Management

As just mentioned, all wireless standards must be fully compliant with the government’s FCC rules, especially concerning carrier frequencies and output power. The FCC has established license-free industrial, scientific, and medical (ISM) frequency bands suitable for wireless-sensor systems. One choice to be made in the deployment of wireless sensor networks is in the frequency of transmission. Options include:

1. Licensed bands that require application procedures through the FCC.
2. The use of leased transmission facilities or services from independent providers.
3. Unlicensed systems restricted to specific ISM and similar bands, including bands around 915 MHz, 2.45 GHz, and 5–6 GHz.

When selecting a system utilizing licensed bands, the user must include the cost of obtaining FCC approvals into cost calculations. When utilizing the unlicensed bands, the user must be careful to manage the EMC issues already discussed.

13.6.5 Wireless Networking Standards

Table 13.3 [Ref. 13.4] shows a comparison of a few of the wireless networking standards adopted by IEEE 802, as well as by other standards organizations (e.g., IS-95 refers to the cell-phone CDMA standard). The network sizes shown include personal area networks (PANs), local area networks (LANs), and metropolitan area networks (MANs).
Table 13.3: Overview of Wireless Standards
Std | OFDM | FHSS | DSSS | GHz | Size | Mbps
IS-95 | | | x | 10002/0003 | Cell | 1
Bluetooth | | x | | 2.45 | PAN | 0.7
P802.15 | | x | | 2.45 | PAN | 0.7
P802.16b | x | | | 5 | MAN | 54
802.11a | x | | | 5 | LAN | 54
802.11 | | x | x | 2.45 | LAN | 1, 2
802.11b | | | x | 2.45 | LAN | 5.5, 11

As shown in Table 13.3, there are currently three common modulation techniques used in wireless information networks in addition to conventional narrowband techniques. These are frequency-hopping spread spectrum (FHSS), direct-sequence spread spectrum (DSSS), and the newest contender, orthogonal frequency division multiplex (OFDM). In my opinion, OFDM is more optimal for a few nodes streaming lots of data, and DSSS is better suited for lots of nodes handling less data per node [Ref. 13.5]. FHSS is often preferred over DSSS by the military, primarily because DSSS requires careful management of the transmit power of individual mobile nodes to overcome the near/far problem and FHSS does not.

13.6.6 Time Synchronization and Distribution

The synchronous sampling of sensors (or the determination of exactly when samples were taken) is also a very necessary component of a sensor-based network. In general, a sensor network must have a more tightly controlled, more deterministic time base than random-accessed general data networks can typically provide. Any protocol suitable for correlating samples from widely separated sensors must incorporate a highly robust mechanism to synchronize various components of the system. For example, the individual transducer-to-bus interface modules (TBIMs) and the system bus controller (TBC) in the proposed IEEE P1451.3 standard coordinate their clocks via a dedicated 2 MHz spread-spectrum signal. Time resolutions required for some applications will possibly be in the microsecond range, although many scenarios will be far less demanding. Any sensor network system will need to provide means to achieve this more stringent timing resolution.
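As an added example (not from the book or from the IEEE P1451.3 draft), the following shows one way a collection node can correlate samples from widely separated nodes under the relative-versus-absolute time association discussed in this section: each node stamps samples with its free-running local tick counter, the bus controller (TBC) periodically distributes its absolute time, and the collection node converts ticks to absolute time, measuring the node's real tick period from two sync points and handling counter wraparound. The 32-bit counter, the 1 µs and 0.5 µs nominal ticks, the 200 ppm drift of node A, and all sample values are constructed.

```python
"""Relative-to-absolute time association for sensor samples (section 13.6.6).

Added example, not the chapter's or the IEEE 1451 standard's code. Assumed
model: each sensor node (TBIM) stamps samples with its local tick counter; the
bus controller (TBC) periodically sends its absolute time and each node records
the tick count at which that sync arrived; the collection node turns ticks into
absolute time. Counter width and tick periods are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TICK_BITS = 32                 # assumed width of a node's tick counter
TICK_MOD = 1 << TICK_BITS


@dataclass
class SyncPoint:
    node_ticks: int      # node counter value when the TBC sync message arrived
    ref_time_us: float   # TBC absolute time carried in that message (microseconds)


def signed_tick_delta(later: int, earlier: int) -> int:
    """Ticks from `earlier` to `later`, treating a counter wrap correctly.

    A difference of half the counter range or more is read as negative, which
    also covers a sample taken shortly before the latest sync arrived.
    """
    d = (later - earlier) % TICK_MOD
    return d - TICK_MOD if d >= TICK_MOD // 2 else d


@dataclass
class NodeClock:
    """The collection node's view of one sensor node's clock."""
    nominal_tick_us: float
    syncs: List[SyncPoint] = field(default_factory=list)

    def add_sync(self, sp: SyncPoint) -> None:
        self.syncs.append(sp)

    def tick_period_us(self) -> float:
        """Tick period measured from the last two syncs, else the nominal value.

        Using the measured period removes the node's oscillator drift, which
        matters when microsecond resolution is required.
        """
        if len(self.syncs) < 2:
            return self.nominal_tick_us
        a, b = self.syncs[-2], self.syncs[-1]
        ticks = signed_tick_delta(b.node_ticks, a.node_ticks)
        if ticks <= 0:
            raise ValueError("sync points must arrive in increasing tick order")
        return (b.ref_time_us - a.ref_time_us) / ticks

    def to_absolute_us(self, sample_ticks: int) -> float:
        """Absolute (TBC) time of a sample stamped with this node's ticks."""
        if not self.syncs:
            raise ValueError("no sync point yet; cannot associate absolute time")
        base = self.syncs[-1]
        offset = signed_tick_delta(sample_ticks, base.node_ticks)
        return base.ref_time_us + offset * self.tick_period_us()


def align_samples(clocks: Dict[str, NodeClock],
                  samples: List[Tuple[str, int, float]]) -> List[Tuple[float, str, float]]:
    """Merge (node, ticks, value) samples from several nodes into one list
    ordered by absolute time, so events seen by different nodes line up."""
    timed = [(clocks[node].to_absolute_us(ticks), node, value)
             for node, ticks, value in samples]
    return sorted(timed)


if __name__ == "__main__":
    # Node A: nominal 1 us tick, real tick 1.0002 us (200 ppm slow), and its
    # counter wraps between the two syncs.  Node B: exact 0.5 us tick.
    a = NodeClock(1.0, [SyncPoint(4_294_960_000, 0.0), SyncPoint(992_504, 1_000_000.0)])
    b = NodeClock(0.5, [SyncPoint(100, 0.0), SyncPoint(2_000_100, 1_000_000.0)])
    print("A tick period (us):", a.tick_period_us())          # ~1.0002
    print("A sample at 1_492_404 ticks:", a.to_absolute_us(1_492_404))  # ~1_500_000
    print("A sample before last sync:", a.to_absolute_us(991_504))     # ~998_999.8
    for t_us, node, value in align_samples({"A": a, "B": b},
                                           [("A", 1_492_404, 21.5), ("B", 2_999_900, 3.2)]):
        print(f"{t_us:12.1f} us  node {node}  value {value}")
```

With only the nominal 1 µs period, node A's sample would be placed at 1,499,900 µs, 100 µs early, which is why the measured period is used once two syncs are available.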
Two approaches already proposed for system synchronization in the IEEE P1451.3 standard being developed include a dedicated sinusoidal sync signal on the cable and the simultaneous provision for transporting formatted timestamp data from the TBC to the remote TBIMs over the data channels. As mentioned, IEEE 1588 is one of the standards that defines a protocol for time distribution. Time and data associations can be absolute or relative and can be established locally in the sensor node or remotely when the data arrives at the collection node. In high-end sensor nodes, a global positioning system (GPS) receiver or master clock could be used to generate an absolute time and date stamp that is communicated with the data. On the other hand, the sensor node could associate a relative number of clock ticks with the data and let the collection node add the absolute time information. Whether it is relative or absolute time that is necessary, the mechanisms for establishing and distributing precision time must be carefully managed.

13.6.7 Power

Another key parameter in many applications is available power. If plant power is not conveniently located, then battery-operated or solar-powered nodes may be an option. While some users prefer battery-powered units, some prefer AC-powered units so that they will not require battery maintenance by plant personnel. When determining the cost of the systems to be installed, the cost of wiring in AC versus battery replacement costs should be compared. For instance, while current IEEE 802.11b-type nodes require too much power to be practical for battery power, some lower throughput nodes—especially those used for shorter ranges—are designed to be battery powered. Thus, the plant intranet (if it is wireless) should probably rely primarily on AC power with battery backup.
It is more feasible to use battery power (or alternative power sources) for sensor networks that are used to optimize certain processes but are not critical to the safe and secure operation of the plant. Most plant engineers desire sensor communication nodes that do not need regular maintenance.

13.6.8 Key Smart Sensor Features

Through my involvement with sensor networking standards development, I have noted key features that enable sensors to be used in smart sensor networks: unique identification, efficient and standardized communication protocols, automatic networking, self-test and self-calibration, self-describing (e.g., TEDS), self-locating, and time coordination.

A universal unique identification (UUID) code that takes the place of the company name, model number, and serial number is critical because the history of the sensor cannot be traced or verified without it; its data would be suspect without an association with a unique identifier. In general, this UUID must be associated with electronic data that may be stored locally or remotely, as will be discussed in a moment. The Auto-ID center, an industry-funded research program headquartered at the Massachusetts Institute of Technology, has established an electronic product code (ePC) that could provide this UUID function. This ePC is intended to replace the UPC barcode that is almost ubiquitous in retail stores, as well as to provide unique identification of components before they become products. This center has also established an Object Name Server (ONS), similar to the Internet’s Domain Name Server (DNS), which provides a link between the ePC and any available electronic database for that item.

Appropriate communication protocols are also important because the data is no good if it cannot be communicated. Also, even a well-thought-out protocol that is not widely accepted often demands many expensive hours of interface development.
Therefore, a robust, widely accepted protocol is optimal.

Automatic networking refers to the sensor node functions of self-discovery, hot-swap, ad hoc routing, and other methods that improve a node’s ability to automatically and efficiently assimilate into an existing network. Nodes that can automatically establish themselves as a network and adapt to individual node replacements and even mobile platforms greatly increase the utility and decrease the administration costs of networking the sensors.

To the extent possible, the sensors and sensor nodes should have the ability to test their own health and calibration. If not, they should prompt the operators to take necessary actions on a periodic or as-needed basis.

All sensors should have some means of communicating their capabilities, as well as describing their unique identity. In IEEE 1451 standards this is described as having an accessible TEDS. The application software must have the appropriate graphic user interface (GUI) that allows the plant engineers (if not the operators) to have access to these parameters. They will be used in establishing the proper associations between the sensor measurements and the plant process. They will also be used to give the user confidence in the accuracy of the data. The TEDS can either be stored locally (embedded TEDS) or on a remote server (virtual TEDS).

The ideal sensor will have some means of informing the application layer of its absolute or relative location within the plant. Some manufacturers may choose to put GPS receivers on sensor nodes that will be exposed to satellites. Others may use barcodes or RFID tags to associate sensors with the plant process measurement. Still others may equip their nodes with an ID button that sends a message to the user’s computer when activated. If no electronic means are available, the installers will have to manually enter the sensor-process association and location into the application database.

13.6.9 Tethered RF Links

Although this chapter focuses on wireless data links, the same RF waveforms may be utilized on tethered transmission lines. Many communication networks use one to five pairs of shielded wires to perform networking. These range from Ethernet that uses Category-5 cable to IEEE 1451.3 that uses two of the wires in a conventional phone cord. Other networks use coaxial cable (e.g., cable modems) and even AC wiring as their transmission medium. Since these networks unintentionally radiate some of their energy, they must also follow FCC guidelines. In general, the AC wiring can handle low data-rate communications such as monitoring fluid levels. Data communications over telephone wiring can handle upwards of several Mbps. A consortium named Home Phone-line Networking Association (HomePNA) has developed products that communicate between PCs using existing phone lines. One implementation involves connecting the USB port of the PC to an HPNA box that then connects to another HPNA box via existing phone lines within a home, as shown in Figure 13.2. The HPNA boxes communicate using the CSMA protocol of IEEE 802.3 and their own unique physical layer protocol, which has been adopted as ITU-T G989.1 and ITU-T G989.2. The sensor networking standard IEEE 1451.3 has adopted HPNA as its physical layer.

Note that in the case of “piggy-backed” systems, special circuits may be required at junction boxes and switches, since each separate phone number is wired independently and some AC circuits within a plant may be on different phases of the wiring. Because of the uncertain quality of the lines, the utilization of existing phone and AC lines should be limited to noncritical sensor nodes. It can be very cost-effective for collecting reasonable amounts of data from locations that would otherwise require expensive wiring.
However, it should not be used for the main “backbone” of the information infrastructure or for the networking data that requires highly critical or deterministic timing.

13.7 Conclusion

A general approach to planning and implementing the sensor networks to support the arrays of sensors needed to operate plants, conduct scientific experiments, and test components has been described. Using this brief tutorial, a user should be able to acquire and organize the various sensor networks and interface with vendors and subject matter experts as needed.

References

[13.1] The InterNational Committee for Information Technology Standards (INCITS), INCITS T20 (Real Time Locating Systems), http://www.autoid.org/INCITS/ncits_t20_2002.htm.
[13.2] E. Byres, “Can’t Happen at Your Site?” InTech Magazine (1 February 2002): 20–22.
[13.3] “The North American Market for Wireless Monitoring and Control in Discrete and Process Manufacturing Applications,” Venture Development Corporate Report (March 2002): 30.
[13.4] M. R. Moore, S. F. Smith, and K. Lee, “The Next Step: Wireless IEEE 1451 Smart Sensor Networks,” Sensors Magazine 18 (September 2001): 35–43.
[13.5] Ibid., p. 41.

CHAPTER 14
Reliable Wireless Networks for Industrial Applications
Farid Dowla
Robert Poor

Existing wired methods of providing communications in a factory or industrial setting have numerous shortcomings:

• Factory communication wiring can easily have an installed cost of $5 to $10 per foot. What if expensive communication wiring could be replaced with reliable wireless links?
• Productivity programs demand more and more information from smart devices. What if industrial gear could gain more local intelligence by sharing information with nearby sensors?
• More and more maintenance systems require remote data acquisition. What if it were possible to continually monitor the condition of all the equipment on the factory floor and predict failures before they happen, instead of locating them after the fact?

This chapter will describe various wireless approaches to factory and industrial communications.

14.1 Benefits of Using Wireless

An obvious problem that can be addressed with wireless solutions is simple wire replacement, where the radio frequency (RF) communication link emulates wire in an existing system. No changes are made to the system architecture. Rather, wireless links are used to transmit the same data that the physical wire once carried. Consider an instrument connected by a serial cable to a control panel using Modbus as a communication protocol. Wireless RF links can replace the serial cable as the physical layer to carry Modbus packets back and forth, requiring no physical changes to the instrument, the control panel, or the underlying software architecture. The serial cable is taken away, and a wireless transceiver is physically connected to the serial port at both the instrument and at the control panel. Neither the control panel nor the instrument can tell that it is not using a cable.

There are several economic benefits to this approach. Wiring cost can exceed $10 per installed foot. The labor required to run this cable and conduit is not cheap, installation cost is a growing concern for designers and facility managers, and labor rates continue to rise in most parts of the world. Also, if these cables were in a hazardous environment (such as a chemical processing plant), they would have to be isolated from potential contact with chemicals and placed inside conduit run through concrete walls to reach the instrumentation deployed throughout the plant. This would entail additional costs and design problems.

Another benefit of wireless is the speed of deployment.
Wired systems can take days to weeks to be properly installed, isolated, and commissioned. Wireless networks require only the endpoints to be installed, saving hours or days for each instrument that is installed. Other instruments can be added as required without the need for expensive, disruptive cabling and labor.

A further benefit of the wireless system is the ease of reconfiguration and expansion. If there is the need for a plant expansion or relocation of instruments, there is no expensive conduit to be moved or added. If the instruments to be connected to the control panel need to be placed on mobile equipment, such as the mobile batch containers found in biotech, pharmaceutical, and other specialty chemical installations, wireless offers an attractive solution.

14.2 Issues in Deploying Wireless Systems

It may seem that using wireless systems to replace common links, like serial cables, is easy and straightforward. That is not often the case. Here are some common problems encountered when replacing wired systems with wireless:

1. RF links are not as dependable as wires. Anyone who has used a cell phone, portable radio, or CB knows firsthand about RF links. The signal is constantly changing as conditions change between the two points.
2. Expanding or moving an RF point is not always as easy as claimed, because a new position on the network may be out of range of the control point for the wireless network. This control point is commonly placed at the control panel in an industrial application.
3. Wireless installers sometimes offer the assistance of professional technicians who perform RF site surveys to determine control points for the wireless network based on planned coverage areas. Although useful, this adds highly skilled labor back into the installation cost and doesn’t address ease of reconfiguration or expansion.
4. Some installations require additional wireless control points (sometimes referred to as wireless access points) in addition to the control panel.

This is a very serious set of problems to face when reliability is of prime importance. Thus, despite the increasing popularity of IEEE 802.11 wireless local area network (LAN) systems and the promise of Bluetooth systems, wireless communication has yet to be widely adopted in industrial applications. Although wireless systems seem like an obvious solution for industrial applications, in reality the cure can be worse than the disease—due to the fact that solutions based on these standards were not designed with the industrial environment in mind. Industrial users need a network architecture that takes the unique challenges of the industrial environment into account.

The ARBORNET research team at the Massachusetts Institute of Technology (MIT) Media Lab examined embedded wireless solutions for smart devices from 1997 to 2001. The study concluded that traditional cell phone-style wireless systems were simply inadequate for industrial applications and could never gain widespread acceptance in their current form, but that a fresh approach was needed and, ultimately, was identified.

14.2.1 Control and Sensing Networks versus Data Networks

To understand why standard wireless networks do not work well for industrial applications, it is important to distinguish between control and sensing networks and data networks. Wireless data networks are primarily designed to link together computers, personal digital assistants (PDAs), printers, Internet access points, and other elements where large amounts of data are sent in both directions. In data networks, the emphasis is on speed: faster is better. The design and evolution of 802.11 networks is a good example.
802.11b, one of the first wireless LAN standards to be widely adopted, connects devices at up to 11 Mbps. One of the latest updates to this standard, 802.11a, will allow for data speeds up to 54 Mbps, enabling more rapid downloads of music and video files by end-users. But wireless networks for industrial control and sensing must be, above all, reliable, adaptable, and scalable. Because industrial sensors send only a few bits of data per second or per minute, providing information like temperature, pressure, and flow, data rates of 11 Mbps or even 54 Mbps are rarely needed. Although speed is often the focus for data networks, the primary design objectives for industrial control and sensing networks are reliability, adaptability, and scalability.

14.2.2 Requirement #1: Reliability

For most industrial applications, reliability is crucial: wireless systems must be just as reliable as traditional copper wire. Depending on the application, garbled or dropped data can result in anything from a disruptive glitch to a devastating failure. Three factors determine the signal reliability between a radio transmitter and receiver:

1. Path loss
2. RF interference
3. Transmit power

Consider a conversation between two people. Path loss corresponds to how muted one person’s voice becomes to the other, either because of distance or because of the obstacles between them. The listener will have a hard time understanding a speaker who is too far away or talking through a closed door. RF interference corresponds to ambient noise: it will be difficult for the listener to understand the speaker in a noisy environment. Many other factors—including receiver sensitivity and data encoding technique—affect the reliability of a link. However, between a given radio transmitter and receiver, the path loss, interference, and transmit power determine the bit-error rate.

The problems of path loss or interference can be overcome by moving closer to the listener or by shouting loud enough to be heard. In the wireless world, this corresponds to repositioning radios or transmitting with higher power. Unfortunately, neither of these is generally a viable option. Increasing the transmit power creates a situation similar to people shouting over loud music at a party. A sophisticated antenna design that directs the RF signal towards the receiving radio might help. But this is much like using a megaphone to shout at the listener. It does improve the path loss situation, but may fail if the listener or the megaphone moves.

14.2.3 Requirement #2: Adaptability

The network should adapt to the existing environment. The environment should not have to be altered to make the system “wireless ready.” For example, if you need a wireless link between a tank level sensor and a data logger, it is not practical to relocate the tank or the data logger just to create a reliable connection. In fact, a wireless link may be unsuitable for connecting tank level sensors and data collection points in preexisting structures, as these are often immovable objects. If cables were already being used for this, more wire could always be run, though at a prohibitive cost. In the wireless world, the network should integrate seamlessly with the environment. A key attribute of a good wireless network is that daily work activities and the facility layout are not a concern. It’s not desirable to ask someone to move in order to hear them speak more clearly. Likewise, repositioning radios and equipment in order to increase communication reliability is not always a realistic option.

14.2.4 Requirement #3: Scalability

Any network, wired or wireless, should be able to scale gracefully as the number of endpoints increases. Scalability is one of the attractions of fieldbuses over hardwired “home run” systems: once the trunk line is in place, adding new devices is relatively easy. In many multidrop networks, adding a new device is as simple as wiring the device directly into the network cable or a termination block at one end of the network. Eliminating the need to “home run” wire the new device back to the control panel reduces wiring.

In a wireless system, all of the devices on the network share the airwaves. Simply transmitting with more power can increase the reliability of a single transmit/receive pair, but as soon as multiple devices share the airwaves, this approach may actually decrease overall reliability. This is not unlike being in a large, noisy restaurant where people are speaking loudly to be heard and no one can understand anyone else. Similarly, transmitting with more power in order to increase reliability is not consistent with building scalable networks that support numerous endpoints.

14.3 Wireless Formats

14.3.1 Point-to-Point Links

Sometimes referred to as a “wireless bridge,” a point-to-point link serves as a replacement for a single communication cable. A point-to-point link might be used to connect a programmable logic controller (PLC) to a remote monitoring station, as shown in Figure 14.1.

Figure 14.1: Point-to-Point Link (labels: PLC, Computer)

Point-to-point links can communicate reliably as long as the two endpoints are located sufficiently close to one another to escape the effects of RF interference and path loss. If a reliable connection is not initially achieved, it is sometimes possible to relocate the radios or boost the transmit power to achieve the desired reliability.
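The three link factors of Section 14.2.2 (path loss, interference, transmit power) and the shared-airwaves argument of Section 14.2.4 can be checked numerically. The Python below is an added worked example, not code from the chapter, from Ember or from the MIT Media Lab: it models path loss with a log-distance exponent n (n = 2 is free space, the inverse-square case; larger n is an assumption standing in for walls, pipes and tanks), sums noise and co-channel interference in linear power, and compares what halving a link distance does with what raising every node's transmit power does. The 2450 MHz carrier, the -100 dBm noise floor, the distances and the 10 dB required SNR are constructed sample values.

```python
import math

FREQ_MHZ = 2450.0          # centre of the 2.4 GHz ISM band; a constructed choice for the samples below
NOISE_FLOOR_DBM = -100.0   # assumed receiver noise floor


def free_space_path_loss_db(distance_m, freq_mhz=FREQ_MHZ):
    """Friis free-space loss: 20*log10(d_km) + 20*log10(f_MHz) + 32.44 dB."""
    return 20.0 * math.log10(distance_m / 1000.0) + 20.0 * math.log10(freq_mhz) + 32.44


def path_loss_db(distance_m, exponent=2.0, freq_mhz=FREQ_MHZ):
    """Log-distance model: free-space loss at 1 m plus 10*n*log10(d).
    n = 2 reproduces free space (inverse square); n > 2 is an assumption for cluttered plant floors."""
    if distance_m < 1.0:
        raise ValueError("model is defined for distances of 1 m and more")
    return free_space_path_loss_db(1.0, freq_mhz) + 10.0 * exponent * math.log10(distance_m)


def power_sum_dbm(levels_dbm):
    """Add powers expressed in dBm by converting to milliwatts and back."""
    return 10.0 * math.log10(sum(10.0 ** (p / 10.0) for p in levels_dbm))


def received_power_dbm(tx_power_dbm, distance_m, exponent=2.0, antenna_gain_db=0.0):
    """Receiver input power from one transmitter at the given distance."""
    return tx_power_dbm + antenna_gain_db - path_loss_db(distance_m, exponent)


def halving_distance_gain_db(exponent=2.0):
    """Signal gain from halving a link: 10*n*log10(2) dB, i.e. 6 dB (4x power) in free space."""
    return path_loss_db(200.0, exponent) - path_loss_db(100.0, exponent)


def sinr_db(tx_power_dbm, link_distance_m, interferer_distances_m,
            noise_floor_dbm=NOISE_FLOOR_DBM, exponent=2.0):
    """Signal-to-(interference+noise) ratio at the receiver when every node on the shared medium
    transmits at tx_power_dbm: the wanted transmitter is link_distance_m away and the others,
    at interferer_distances_m, happen to be on the air at the same time."""
    wanted = received_power_dbm(tx_power_dbm, link_distance_m, exponent)
    unwanted = [received_power_dbm(tx_power_dbm, d, exponent) for d in interferer_distances_m]
    return wanted - power_sum_dbm([noise_floor_dbm] + unwanted)


def link_ok(tx_power_dbm, link_distance_m, interferer_distances_m, required_snr_db, exponent=2.0):
    """True when the modulation's required SNR is met with the given power and neighbours."""
    return sinr_db(tx_power_dbm, link_distance_m, interferer_distances_m,
                   exponent=exponent) >= required_snr_db


if __name__ == "__main__":
    neighbours = [120.0, 150.0]   # two other nodes transmitting at the same time (constructed)
    for tx in (0.0, 10.0, 20.0):
        print(f"{tx:5.1f} dBm, 50 m link, alone: {sinr_db(tx, 50.0, []):6.2f} dB SINR; "
              f"with two neighbours also at {tx:.0f} dBm: {sinr_db(tx, 50.0, neighbours):6.2f} dB")
    print(f"halving the hop: +{halving_distance_gain_db():.2f} dB -> "
          f"{sinr_db(0.0, 25.0, neighbours):.2f} dB SINR at 25 m with the same neighbours")
```

Raising every node's power by 20 dB buys a few hundredths of a dB of SINR once two neighbours are on the air at the same time, because the interference scales by the same factor as the wanted signal; halving the link to 25 m buys about 6 dB and lifts the link above a 10 dB requirement. The model generalizes the chapter's "at least four times" remark: with n > 2 the gain from halving is larger still.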
14.3.2 Point-to-Multipoint Links

Point-to-multipoint wireless systems, such as those based on IEEE 802.11 or Bluetooth, have one base station or access point that controls communication with all of the other wireless nodes in the network. Also referred to as a hub-and-spoke or star topology, this architecture has similarities to wired “home run” systems, in which all the signals converge on a single terminal block. A point-to-multipoint example is shown in Figure 14.2. Signals in point-to-multipoint networks converge at a single endpoint. The reliability of these networks is set by the quality of the RF link between the central access point and each endpoint. In industrial settings, it can be difficult to find a location for an access point that provides dependable communication with each endpoint. Moving an access point to improve communication with one endpoint will often degrade communication with other endpoints.

Figure 14.2: Point-to-Multipoint Network (labels: Computer and seven PLCs)

Although it may be possible to wire together multiple access points in order to improve reliability, the cost of additional wiring can defeat the original reasons for choosing a wireless solution.

14.4 Wireless Mesh Networks

The wireless mesh network topology for industrial control and sensing that was developed by the MIT Media Lab and produced by the Ember Corporation is a “point-to-point-to-point” or “peer-to-peer” system called an ad hoc, multi-hop network. In a mesh network a node can send and receive messages, but it also functions as a router and can relay messages for its neighbors. Through this relaying process, a packet of wireless data will find its way to its ultimate destination, passing through intermediate nodes with reliable communication links. An example of a mesh network appears in Figure 14.3.

Figure 14.3: Wireless Mesh Network

There are some important things to notice in Figure 14.3:

1. The resemblance to a map of the Internet is not entirely coincidental. Like the Internet and other router-based communication networks, a mesh network offers multiple redundant communication paths throughout the network.
2. If a single node fails for any reason (including the introduction of strong RF interference), messages will automatically be routed through alternate paths.
3. In a mesh network, the distance between wireless nodes is short, which dramatically increases the link quality between nodes. If you reduce distance by a factor of two, the resulting signal is at least four times more powerful at the receiver. This makes links more reliable without increasing transmitter power in the individual nodes.

The advantages of mesh networks over point-to-point and point-to-multipoint configurations include:

• More Nodes = Greater Reliability: Notice the addition of freestanding “repeater” nodes in the middle of the network, as shown in Figure 14.3. In a mesh network, it is possible to extend distance, add redundancy, and improve the general reliability of the network simply by adding repeater nodes.
• Mesh = Self-Configuring: A network should not need a person to tell it how to get a message to its destination. A mesh network is self-organizing and does not require manual configuration. Because it is both self-configuring and self-healing, adding new gear or relocating existing gear is as simple as plugging in a wireless node and turning it on. The network discovers the new node and automatically incorporates it into the network without the need for a system administrator. A mesh network is not only inherently reliable, it is also highly adaptable. If your tank level sensor and data logger are placed too far apart for a solid RF communication link, you can quickly and easily lay down one or more repeater nodes to fill gaps in the network.
• Mesh = Self-Healing: On the Internet, if one router goes down, messages are sent through an alternate path by other routers. Similarly, if a device in a mesh network fails, messages are sent around it via other devices. The loss of one or more nodes does not necessarily affect the network’s operation. A mesh network is self-healing because human intervention is not necessary for rerouting of messages.
• Mesh = Redundant: The actual meaning of “redundancy” in the real world is a matter of degree and must be carefully specified. In a mesh network, the degree of redundancy is essentially a function of node density. A mesh network can be deliberately overdesigned simply by adding extra nodes, so that each device has two or more paths for sending data. This is a much simpler way of obtaining redundancy than is possible in most other types of systems.
• Mesh = Scalable to Thousands of Nodes: A mesh is also scalable and can handle hundreds or thousands of nodes. Since the operation of the network does not depend upon a central control point, adding multiple data collection points or gateways to other networks is convenient.

It is clear that reliability, adaptability, and scalability are the most important attributes of a wireless network for industrial control and sensing applications. Point-to-point networks can provide reliability, but they do not scale to handle more than one pair of endpoints. Point-to-multipoint networks can handle more endpoints, but the reliability is determined by the placement of the access point and the endpoints. If environmental conditions result in poor reliability, it is difficult or impossible to adapt a point-to-multipoint network to increase the reliability.
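The routing behaviour behind the self-healing and redundancy claims above can be shown with a small graph model. The Python below is an added example and is not Ember's or the MIT Media Lab's mesh algorithm: nodes are placed at constructed coordinates in metres, a link exists wherever two nodes lie within an assumed radio range, a message takes the fewest-hop route, and failed nodes are routed around. The node-disjoint route count it reports is a greedy lower bound used here as the "degree of redundancy" of Section 14.4; the node names (tank, logger, r1 to r4) and the 30 m range are assumptions for the example.

```python
import math
from collections import deque

# Constructed layout (metres): a tank level sensor, a data logger 60 m away, and four
# freestanding repeater nodes. Names and positions are assumptions for this example.
NODES = {
    "tank":   (0.0, 0.0),
    "r1":     (20.0, 0.0),
    "r2":     (40.0, 0.0),
    "r3":     (20.0, 20.0),
    "r4":     (40.0, 20.0),
    "logger": (60.0, 0.0),
}
RADIO_RANGE_M = 30.0   # assumed distance over which two radios hold a reliable link


def build_links(nodes, radio_range):
    """Undirected adjacency: two nodes are linked when they lie within radio_range of each other."""
    adj = {name: set() for name in nodes}
    names = list(nodes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if math.dist(nodes[a], nodes[b]) <= radio_range:
                adj[a].add(b)
                adj[b].add(a)
    return adj


def shortest_path(adj, src, dst, failed=frozenset()):
    """Fewest-hop route from src to dst that avoids failed nodes (breadth-first search);
    None when no route exists. Neighbours are visited in name order so results are repeatable."""
    if src in failed or dst in failed or src not in adj or dst not in adj:
        return None
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj[node]):
            if nxt in failed or nxt in parents:
                continue
            parents[nxt] = node
            queue.append(nxt)
    if dst not in parents:
        return None
    path, cur = [], dst
    while cur is not None:
        path.append(cur)
        cur = parents[cur]
    return path[::-1]


def count_disjoint_paths(adj, src, dst):
    """Greedy lower bound on the number of node-disjoint src->dst routes: count a direct link,
    then repeatedly find a relayed route and retire its intermediate nodes. This is the
    'degree of redundancy' available to the pair; it grows with node density."""
    direct = 1 if dst in adj.get(src, ()) else 0
    via = {name: set(nbrs) for name, nbrs in adj.items()}
    via.get(src, set()).discard(dst)          # relayed routes only from here on
    via.get(dst, set()).discard(src)
    retired, count = set(), 0
    while (path := shortest_path(via, src, dst, frozenset(retired))) is not None:
        count += 1
        retired.update(path[1:-1])
    return direct + count


if __name__ == "__main__":
    adj = build_links(NODES, RADIO_RANGE_M)
    print("route:", shortest_path(adj, "tank", "logger"))
    print("r2 fails, rerouted:", shortest_path(adj, "tank", "logger", failed={"r2"}))
    print("r1, r2 and r4 fail:", shortest_path(adj, "tank", "logger", failed={"r1", "r2", "r4"}))
    print("node-disjoint routes with four repeaters:", count_disjoint_paths(adj, "tank", "logger"))
    sparse = build_links({k: NODES[k] for k in ("tank", "r1", "r2", "logger")}, RADIO_RANGE_M)
    print("node-disjoint routes with two repeaters:", count_disjoint_paths(sparse, "tank", "logger"))
```

With only the sensor and the logger there is no route at all; laying down r1 and r2 gives one three-hop route, and the second row of repeaters gives a second, node-disjoint route, so losing r2 (or r1 and r2 together) reroutes the message instead of cutting the link. Losing three of the four repeaters leaves no route, which is what "redundancy is a matter of degree" means in practice.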
By contrast, mesh networks are inherently reliable, adapt easily to environmental or architectural constraints, and can scale to handle thousands of endpoints. These attributes are summarized in Table 14.1.

Table 14.1: Suitability in Industrial Applications

Topology             Reliability  Adaptability  Scalability
Point-to-Point       High         Low           None (2 endpoints)
Point-to-Multipoint  Low          Low           Moderate (7–30 endpoints)
Mesh Networks        High         High          Yes (1000s of endpoints)

14.5 Industrial Applications of Wireless Mesh Networks

14.5.1 Wire Replacement

At the beginning of this chapter, I gave an example of a wireless serial link replacement. This is most commonly done with point-to-point or point-to-multipoint technology, but mesh networks still provide complete transparency. The network does not know that copper has been replaced with an RF link, but the mesh network is inherently more reliable, more adaptable, and scalable.

14.5.2 Distributed Control

A specific opportunity for wireless, multi-hop, mesh networks is in distributed control systems. There has been a trend in recent years to place more intelligence throughout the control system. The IEEE 1451 standard, Smart Transducer Interface for Sensors and Actuators, is evidence of this. Distributed intelligence is naturally served better by wireless multi-hop mesh networks, which do not require a central control topology. The control of the wireless system is distributed throughout the network, allowing intelligent peers to communicate directly with other points on the network without having to be routed through some central point. Modular distributed control systems are easier to install and maintain. Since more of the system logic is at the instrument or subsystem level, clusters of instruments can interact and make local decisions. This is often done with small PLCs, which gather information from nearby instruments or sensors and then provide processing power and decision-making for this local instrument cluster. These clusters can then be connected as a group back into the main control system. The result is a less complex installation because individual instruments and points do not have to be directly connected to the main control panel.

14.5.3 Is Distributed Control Cheaper to Maintain?

Proponents insist that modular control systems are easier and less costly to maintain. The rationale is that highly modular control systems enable localized decision-making, which results in faster isolation of problems within the system. These problems can usually be diagnosed back to a single instrument cluster, allowing engineers and maintenance staff to focus their attention on one area of the system. Fast problem-solving means less downtime when something goes wrong. Likewise, when the system is operational, local decision-making by intelligent instruments and small PLCs identifies problems before they impact the entire system and cause bigger problems. Finally, these modular subsystems can be replaced or upgraded without affecting the entire system. These many factors make systems much cheaper and easier to operate and maintain.

Matching multi-hop, wireless mesh communication with distributed control facilitates a whole new dimension of interactions between sensors or sensor clusters. Sensors can now communicate directly with other devices on the network. This topology allows a tank level sensor to communicate directly with nearby valves, alerting them to open or close to prevent an overflow situation. Monitoring equipment could take readings from sensors without having to directly access the sensor with wired connections. This is useful in calibration and troubleshooting.

14.5.4 Diagnostic Monitoring

A third area of application for wireless, multi-hop mesh networks is in the diagnostic monitoring of devices. This monitoring can occur outside the normal control loop, and wireless communication can be used to notify the system user of any abnormal operation of the device. Take, for instance, the schematic of a sensor control loop shown in Figure 14.4. In this control loop, an additional signal is extracted and analyzed during the course of normal operation of the sensor.

Figure 14.4: Schematic of Typical Sensor-Controlled Loop (labels: Actuate, Process, Sense, Diagnostic monitoring)

As the sensor operates, the signal is monitored for abnormalities without affecting the sensor’s operation. If an abnormal signal or trend is observed, an alert is triggered. The beauty of using a wireless link for onboard monitoring and alert is that the monitoring link remains independent of the control loop. By using a wireless, multi-hop mesh network, data can be routed dynamically to similar wireless devices. Surrounding devices can respond to the alert from the failing device, even as the alert is being sent to maintenance personnel.

Another benefit of wireless is that maintenance personnel can directly connect to the diagnostic output of the sensor, without running wires. This can eliminate a huge task in the case of a tank level sensor in a large storage tank, or a temperature probe at the top of a tower stack at a chemical refinery. In a wireless, multi-hop mesh network, a user can get that data via any wireless node on the network. By using a diagnostic device with additional processing power (e.g., a laptop computer, handheld computer, or handheld diagnostic device), maintenance personnel can check on configuration and other information about any node on the network. This information is a valuable tool for checking and verifying sensor operation when questionable data is received from a sensor through its primary control loop.

14.6 Case Study: Water Treatment

In order to validate wireless mesh networks in challenging industrial environments, Ember Corporation deployed a system in a water treatment plant. The environment was typical of such facilities, with significant wireless environment hurdles such as thick reinforced concrete walls segmenting giant tanks of water, with large numbers of metal pipes running between tanks. The goal was to connect the instruments in the pipe gallery back to the control panel located in the control room on the third floor of the water filtration plant. Figure 14.5 provides a geographical representation of the instrumentation topology. Figure 14.5 shows the approximate locations of eight instruments in the large pipe gallery along with four instruments in the small pipe gallery. The control room was located on the third floor of an attached concrete building.

Figure 14.5: Schematic of Instrument Locations (labels: control room using PC for Modbus monitoring; large pipe gallery; repeater nodes on three floors; small pipe gallery)

Before wireless communication, a data collection PC in the control room communicated with process instruments over an RS-485 serial bus. The first step in converting this system to wireless networking was to replace this computer’s bus connection with a wireless networking card connected to its serial port. Each process instrument also had its bus connection replaced with a wireless networking card, which self-configured on power-up and began attempting to send data to the control room. After all twelve instruments had wireless cards installed, it was possible to analyze the RF network traffic and determine where link reliability was below standards. These areas included spots where RF signals had to pass through reinforced concrete walls and where a single link spanned two flights of metal stairs. Improving these RF links was a simple matter of dropping down additional RF relay points. This step was made possible by the network’s lack of a central wireless control point and each node’s ability to cooperatively relay packets on behalf of its neighbors. After these repeater nodes were placed, the network was complete.

The time for complete installation was under 2 hours, compared to approximately 20 hours when each instrument had to be wired back to the control panel. The software on the PC did not discern any difference between the wireless communication network and the wired serial cable network. The wireless network exhibited less than 0.1% packet loss before any attempt was made to resend lost packets through the network. This was accomplished via the mesh networking algorithms used by the wireless network. Neighboring nodes cooperatively relay packets over the best RF link.

14.7 Conclusion

Daily experience with some of the challenges of wireless consumer products, university research, and the commercial industry’s slow adoption of wireless for use in enterprise applications are indicators that products based on point-to-point and point-to-multipoint topologies are not well suited for use in industrial enterprise communication. Multi-hop mesh technology, however, is inherently reliable and redundant and can be extended to include thousands of devices. The real-world examples cited in this chapter demonstrate that mesh networks can be installed in hours instead of days or weeks and that these networks are highly dependable. Industrial systems can now benefit from a wireless format that satisfies the multiple conflicting demands of redundancy, distributed communication, flexibility, and reliability.
CHAPTER 15
Applications and Technologies
Alan Bensky

An important factor in the widespread penetration of short-range devices into the office and the home is the basing of the most popular applications on industry standards. In this chapter, we take a look at some of these standards and the applications that have emerged from them. Those covered pertain to HomeRF, Wi-Fi, HIPERLAN/2, Bluetooth, and Zigbee.

In order to be successful, a standard has to be built so that it can keep abreast of rapid technological advancements by accommodating modifications that don’t obsolete earlier devices that were developed to the original version. A case in point is the competition between the WLAN (wireless local area network) standard that was developed by the HomeRF Working Group based on the SWAP (shared wireless access protocol) specification, and IEEE specification 802.11, commonly known as Wi-Fi. The former used frequency-hopping spread-spectrum exclusively, and although some increase of data rate was provided for beyond the original 1 and 2 Mbps, it couldn’t keep up with Wi-Fi, which incorporated new bandwidth-efficient modulation methods to increase data rates 50-fold while maintaining compatibility with first-generation DSSS terminals. Other reasons why HomeRF lost out to Wi-Fi are given below.

Many of the new wireless short-range systems are designed for operation on the 2.4 GHz ISM band, available for license-free operation in North America and Europe, as well as virtually all other regions in the world. Most systems have provisions for handling errors due to interference, but when the density of deployment of one or more systems is high, throughput, voice intelligibility, or quality of service in general is bound to suffer. We will look at some aspects of this problem and methods for solving it in relation to Bluetooth and Wi-Fi.

A relatively new approach to short-range communications with unique technological characteristics is ultra-wideband (UWB) signal generation and detection. UWB promises to add applications and users to short-range communication without impinging on present spectrum use. Additionally, it has other attributes, including range finding and high power efficiency, that are derived from its basic principles of operation. We present the main features of UWB communication and an introduction to how it works.

15.1 Wireless Local Area Networks (WLAN)

One of the hottest applications of short-range radio communication is wireless local area networks. While the advantage of a wireless versus wired LAN is obvious, the early versions of WLAN had considerably inferior data rates, so conversion to wireless was often not worthwhile, particularly when portability is not an issue. However, advanced modulation techniques have allowed wireless throughputs to approach and even exceed those of wired networks, and the popularity of highly portable laptop and handheld computers, along with the decrease in device prices, have made computer networking a common occurrence in multi-computer offices and homes.

There are still three prime disadvantages to wireless networks as compared to wired: range limitation, susceptibility to electromagnetic interference, and security. Direct links may be expected to perform at a top range of 50 to 100 meters depending on frequency band and surroundings. Longer distances and obstacles will reduce data throughput. Greater distances between network participants are achieved by installing additional access points to bridge remote network nodes. Reception of radio signals may be interfered with by other services operating on the same frequency band and in the same vicinity. Wireless transmissions are subject to eavesdropping, and a standardized security implementation in Wi-Fi called WEP (wired equivalent privacy) has been found to be breachable with relative ease by persistent and knowledgeable hackers. More sophisticated encryption techniques can be incorporated, although they may be accompanied by a reduction of convenience in setting up connections and possibly in performance.

Various systems of implementation are used in wireless networks. They may be based on an industrial standard, which allows compatibility between devices by different manufacturers, or a proprietary design. The latter would primarily be used in a special-purpose network, such as in an industrial application where all devices are made by the same manufacturer and where performance may be improved without the limitations and compromises inherent in a widespread standard.

15.1.1 The HomeRF Working Group

The HomeRF Working Group was established by prominent computer and wireless companies that joined together to establish an open industry specification for wireless digital communication between personal computers and consumer electronic devices anywhere in and around the home. It developed the SWAP specification—Shared Wireless Access Protocol, whose major application was setting up a wireless home network that connects one or more computers with peripherals for the purposes of sharing files, modems, printers, and other electronic devices, including telephones. In addition to acting as a transparent wire replacement medium, it also permitted integration of portable peripherals into a computer network. The originators expected their system to be accepted in the growing number of homes that have two or more personal computers. Following are the main system technical parameters:

• Frequency-hopping network: 50 hops per second
• Frequency range: 2.4 GHz ISM band
• Transmitter power: 100 milliwatt
• Data rate: 1 Mbps using 2FSK modulation, 2 Mbps using 4FSK modulation
• Range: Covers typical home and yard
• Supported stations: Up to 127 devices per network
• Voice connections: Up to 6 full-duplex conversations
• Data security: Blowfish encryption algorithm (over 1 trillion codes)
• Data compression: LZRW3-A (Lempel-Ziv) algorithm
• 48-bit network ID: Enables concurrent operation of multiple co-located networks

The HomeRF Working Group ceased activity early in 2003. Several reasons may be cited for its demise. Reduction in prices of its biggest competitor, Wi-Fi, all but eliminated the advantage HomeRF had for home networks—low cost. Incompatibility with Wi-Fi was a liability, since people who used their Wi-Fi equipped laptop computer in the office also needed to use it at home, and a changeover to another terminal accessory after work hours was not an option. If there were some technical advantages to HomeRF, support of voice and connections between peripherals for example, they are becoming insignificant with the development of voice interfaces for Wi-Fi and the introduction of Bluetooth.

15.1.2 Wi-Fi

Wi-Fi is the generic name for all devices based on the IEEE specification 802.11 and its derivatives. It is promoted by the Wi-Fi Alliance, which also certifies devices to ensure their interoperability. The original specification is being continually updated by IEEE working groups to incorporate technical improvements and feature enhancements that are agreed upon by a wide representation of potential users and industry representatives. 802.11 is the predominant industrial standard for WLAN, and products adhering to it are acceptable for marketing all over the world. 802.11 covers the data link layer of lower-level software, the physical layer hardware definitions, and the interfaces between them. The connection between application software and the wireless hardware is the MAC (medium access control). The basic specification defines three types of wireless communication techniques: DSSS (direct sequence spread spectrum), FHSS (frequency-hopping spread spectrum) and IR (infra-red). The specification is built so that the upper application software doesn’t have to know what wireless technique is being used—the MAC interface firmware takes care of that. In fact, application software doesn’t have to know that a wireless connection is being used at all, and mixed wired and wireless links can coexist in the same network.

Wireless communication according to 802.11 is conducted on the 2.400 to 2.4835 GHz frequency band that is authorized for unlicensed equipment operation in the United States and Canada and most European and other countries. A few countries allow unlicensed use in only a portion of this band. A supplement to the original document, 802.11b, adds increased data rates and other features while retaining compatibility with equipment using the DSSS physical layer of the basic specification. Supplement 802.11a specifies considerably higher rate operation in bands of frequencies between 5.2 and 5.8 GHz. These data rates were made available on the 2.4 GHz band by 802.11g, which has downward compatibility with 802.11b.

15.1.3 Network Architecture

Wi-Fi architecture is very flexible, allowing considerable mobility of stations and transparent integration with wired IEEE networks. The transparency comes about because upper application software layers (see below) are not dependent on the actual physical nature of the communication links between stations. Also, all IEEE LAN stations, wired or wireless, use the same 48-bit addressing scheme, so an application only has to reference source and destination addresses and the underlying lower-level protocols will do the rest.
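The 48-bit addressing just described, and the encryption service that 802.11 implements in the MAC, are both visible in the MAC header of every frame. The Python below is an added example, not part of the book and not IEEE reference code: it builds a few constructed frames and parses them, decoding the Frame Control field, mapping Address 1 to Address 4 onto their DA/SA/BSSID/RA/TA roles according to the To DS and From DS bits (station to access point, access point to station, access point to access point, or ad hoc within one BSS), and listing data frames whose Protected Frame bit is clear, which is the check a defender runs over a capture to confirm that a network's encryption is actually in use rather than merely configured. The MAC addresses, sequence numbers and frame names are constructed sample values.

```python
import struct
from dataclasses import dataclass, field

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_from_str(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


@dataclass
class MacHeader:
    frame_type: str
    subtype: int
    to_ds: bool
    from_ds: bool
    retry: bool
    protected: bool        # Protected Frame bit: the MAC has encrypted the payload (WEP or a successor)
    duration: int
    sequence_number: int
    fragment_number: int
    addresses: dict = field(default_factory=dict)   # role (DA, SA, BSSID, RA, TA) -> MAC string


def build_header(frame_type, subtype, addr1, addr2, addr3, *, to_ds=False, from_ds=False,
                 protected=False, seq=0, addr4=None) -> bytes:
    """Assemble a 24-byte MAC header (30 bytes with Address 4); used only to construct samples."""
    fc0 = (frame_type << 2) | (subtype << 4)                       # protocol version 0 in bits 0-1
    fc1 = int(to_ds) | (int(from_ds) << 1) | (int(protected) << 6)
    header = struct.pack("<BBH", fc0, fc1, 0)                      # Duration/ID left at 0
    header += mac_from_str(addr1) + mac_from_str(addr2) + mac_from_str(addr3)
    header += struct.pack("<H", seq << 4)                          # sequence number, fragment 0
    if addr4 is not None:
        header += mac_from_str(addr4)
    return header


def parse_header(frame: bytes) -> MacHeader:
    """Decode the MAC header of a data or management frame (control frames have shorter headers)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte data/management header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype == 1:
        raise ValueError("control frame: header layout not handled here")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    retry, protected = bool(fc1 & 0x08), bool(fc1 & 0x40)
    a1, a2, a3 = (mac_to_str(frame[o:o + 6]) for o in (4, 10, 16))
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    if ftype == 2 and to_ds and from_ds:          # access point to access point (wireless distribution)
        if len(frame) < 30:
            raise ValueError("To DS + From DS frame is missing Address 4")
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": mac_to_str(frame[24:30])}
    elif ftype == 2 and to_ds:                    # station -> access point
        roles = {"BSSID": a1, "SA": a2, "DA": a3}
    elif ftype == 2 and from_ds:                  # access point -> station
        roles = {"DA": a1, "BSSID": a2, "SA": a3}
    else:                                         # ad hoc data within one BSS, and management frames
        roles = {"DA": a1, "SA": a2, "BSSID": a3}
    return MacHeader(FRAME_TYPES[ftype], subtype, to_ds, from_ds, retry, protected, duration,
                     seq_ctrl >> 4, seq_ctrl & 0xF, roles)


def audit_unprotected_data(frames):
    """(name, SA, DA) for every payload-carrying data frame whose Protected Frame bit is clear."""
    findings = []
    for name, raw in frames.items():
        try:
            hdr = parse_header(raw)
        except ValueError:
            continue
        if hdr.frame_type != "data" or hdr.subtype & 0x4:   # subtype bit 2 marks the no-data variants
            continue
        if not hdr.protected:
            findings.append((name, hdr.addresses["SA"], hdr.addresses["DA"]))
    return findings


# Constructed sample frames using locally administered addresses; they describe no real devices.
AP, STA_A, STA_B, AP2 = "02:00:00:00:00:aa", "02:00:00:00:00:03", "02:00:00:00:00:04", "02:00:00:00:00:bb"
SAMPLE_FRAMES = {
    "ibss_unprotected": build_header(2, 0, "02:00:00:00:00:02", "02:00:00:00:00:01", "02:00:00:00:00:ff", seq=1),
    "sta_to_ap_protected": build_header(2, 0, AP, STA_A, STA_B, to_ds=True, protected=True, seq=17),
    "ap_to_sta_unprotected": build_header(2, 0, STA_B, AP, STA_A, from_ds=True, seq=18),
    "ap_to_ap_wds_protected": build_header(2, 0, AP2, AP, STA_B, addr4=STA_A,
                                           to_ds=True, from_ds=True, protected=True, seq=19),
    "null_data_unprotected": build_header(2, 4, AP, STA_A, STA_B, to_ds=True, seq=20),
    "beacon": build_header(0, 8, "ff:ff:ff:ff:ff:ff", AP, AP, seq=5),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_FRAMES.items():
        h = parse_header(raw)
        print(f"{name:24} {h.frame_type:10} subtype={h.subtype:2} protected={h.protected!s:5} {h.addresses}")
    print("unprotected data frames:", audit_unprotected_data(SAMPLE_FRAMES))
```

The audit deliberately ignores management frames and the no-data subtypes (a Null frame carries nothing to protect) so that only genuinely exposed payloads are reported; on a real capture the same loop would be fed the frame bytes from a monitor-mode capture file instead of the constructed dictionary.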
Three Wi-Fi network configurations are shown in Figures 15.1 through 15.3. Figure 15.1 shows two unattached basic service sets (BSS), each with two stations (STA). The BSS is the basic building block of an 802.11 WLAN. A station can make ad hoc connections with other stations within its wireless communication range but not with those in another BSS that is outside of this range. In order to interconnect terminals that are not in direct range of one another, the distribution system shown in Figure 15.2 is needed. Here, terminals that are in range of a station designated as an access point (AP) can communicate with other terminals that are not in direct range but are associated with the same or another AP. Two or more such access points communicate between themselves either by a wireless or wired medium, and therefore data exchange between all terminals in the network is supported. The important thing here is that the media connecting the STAs with the APs, and connecting the APs among themselves, are totally independent.

[Figure 15.1: Basic Service Set (STA 1 to STA 4 in two unattached BSSs)]

[Figure 15.2: Distribution System and Access Points (STA 1 to STA 4 associated with two APs that are interconnected)]

A network of arbitrary size and complexity can be maintained through the architecture of the extended service set (ESS), shown in Figure 15.3. Here, STAs have full mobility and may move from one BSS to another while remaining in the network. Figure 15.3 shows another element type—a portal. The portal is a gateway between the WLAN and a wired LAN. It connects the medium over which the APs communicate to the medium of the wired LAN—coaxial cable or twisted pair lines, for example.

[Figure 15.3: Extended Service Set (STA 1 to STA 5 on two APs, joined through a portal to a wired LAN)]

In addition to the functions Wi-Fi provides for distributing data throughout the network, two other important services, although optionally used, are provided.
They are authentication and encryption. Authentication is the procedure used to establish the identity of a station as a member of the set of stations authorized to associate with another station. Encryption applies coding to data to prevent an eavesdropper who intercepts it from reading it. 802.11 details the implementation of these services in the MAC. Further protection of confidentiality may be provided by higher software layers in the network that are not part of 802.11.

The operational specifics of WLAN are described in IEEE 802.11 in terms of defined protocols between lower-level software layers. In general, networks may be described by the communication of data and control between adjacent layers of the Open System Interconnection Reference Model (OSI/RM), shown in Figure 15.4, or the peer-to-peer communication between like layers of two or more terminals in the network. The bottom layer, physical, represents the hardware connection with the transmission medium that connects the terminals of the network—cable modem, radio transceiver and antenna, infrared transceiver, or power line transceiver, for example. The software of the upper layers is wholly independent of the transmission medium and in principle may be used unchanged no matter what the nature of the medium and the physical connection to it. IEEE 802.11 is concerned only with the two lowest layers, physical and data link.

[Figure 15.4: Open System Interconnection Reference Model (two stacks of Application, Presentation, Session, Transport, Network, Data link and Physical layers, joined at the bottom by the communication medium; like layers are linked by logical peer-to-peer protocols)]

IEEE 802.11 prescribes the protocols between the MAC sublayer of the data link layer and the physical layer, as well as the electrical specifications of the physical layer. Figure 15.5 illustrates the relationship between the physical and MAC layers of several types of networks
with upper-layer application software interfaced through a commonly defined logical link control (LLC) layer. The LLC is common to all IEEE local area networks and is independent of the transmission medium or medium access method. Thus, its protocol is the same for wired local area networks and the various types of wireless networks. It is described in specification ANSI/IEEE standard 802.2.

[Figure 15.5: Data Link and Physical Layers (PHY): applications sit on a common logical link control; below it are separate MACs for the Ethernet IEEE 802.3 LAN, the IEEE 802.11, a, b, g WLAN (FHSS, DSSS, IR, CCK and OFDM PHYs) and the IEEE 802.15.1 Bluetooth WPAN with its profiles]

The Medium Access Control function is the brain of the WLAN. Its implementation may be as high-level digital logic circuits or a combination of logic and a microcontroller or a digital signal processor. IEEE 802.11 and its supplements (which may be generally designated 802.11x) prescribe various data rates, media (radio waves or infrared), and modulation techniques (FHSS, DSSS, CCK, OFDM). These are the principal functions of the MAC:

• Frame delimiting and recognition
• Addressing of destination stations
• Transparent transfer of data, including fragmentation and defragmentation of packets originating in upper layers
• Control of access to the physical medium
• Protection against transmission error
• Security services—authentication and encryption

An important attribute of any communications network is the method of access to the medium. 802.11 prescribes two possibilities: DCF (distributed coordination function) and PCF (point coordination function).

The fundamental access method in IEEE 802.11 is the DCF, more widely known as CSMA/CA (carrier sense multiple access with collision avoidance). It is based on a procedure during which a station wanting to transmit may do so only after listening to the channel and determining that it is not busy.
If the channel is busy, the station must wait until the channel is idle. In order to minimize the possibility of collisions when more than one station wants to transmit at the same time, each station waits a random time period, called a backoff interval, before transmitting after the channel goes idle. Figure 15.6 shows how this method works.

[Figure 15.6: CSMA/CA Access Method (transmit if medium free, defer if busy). Timeline: previous transmission and DIFS (Section 1); busy medium (Section 2); DIFS followed by backoff counted in slot times (Section 3); transmission (Section 4)]

The figure shows activity on a channel as it appears to a station that is attempting to transmit. The station may start to transmit if the channel has been idle for at least the duration of DIFS (distributed coordination function interframe space) since the end of any other transmission (Section 1 of the figure). However, if the channel is busy, as shown in Section 2 of the figure, it must defer access and enter a backoff procedure. The station waits until the channel is idle, and then waits an additional period of DIFS. Now it computes a time period called a backoff window that equals a pseudo-random number multiplied by a constant called the “slot time.” As long as the channel is idle, as it is in Section 3 of the figure, the station may transmit its frame at the end of the backoff window, Section 4. During every slot time of the backoff window the station senses the channel, and if it is busy, the counter that holds the remaining time of the backoff window is frozen until the channel becomes idle, whereupon the backoff counter resumes counting down. Actually, the backoff procedure is not used for every access of the channel. For example, acknowledgement transmissions and RTS and CTS transmissions (see below) do not use it. Instead, they access the channel after an interval called SIFS (short interframe space) following the transmission to which they are responding.
SIFS is shorter than DIFS, so other stations waiting to transmit cannot interfere, since they have to wait a longer time after the previous transmission, and by then the channel is already occupied. In waiting for a channel to become idle, a transmission contender doesn’t have to listen continuously. When one hears another station access the channel, it can interpret the frame length field that is transmitted in every frame. After taking into account the time of the acknowledgement transmission that replies to a data transmission, the time at which the channel will become idle is known even without physically sensing it. This is called a virtual carrier sense mechanism.

The procedure shown in Figure 15.6 may not work well under some circumstances. For example, if several stations are trying to transmit to a single access point, two or more of them may be positioned such that they are all in range of the access point but not of each other. In this case, a station sensing the activity of the channel may not hear another station that is transmitting on the same network. A refinement of the described CSMA/CA procedure is for a station that thinks the channel is clear to send a short RTS (request to send) control frame to the AP. It will then wait to receive a CTS (clear to send) reply from the AP, which is in range of all contenders for transmission, before sending its data transmission. If the originating station doesn’t hear the CTS, it assumes the channel was busy and so it must try to access the channel again. This RTS/CTS procedure is also effective when not all stations on the network have compatible modulation facilities for high rate communication and one station may not be able to detect the transmission length field of another. RTS and CTS transmissions are always sent at a basic rate that is common to all participants in the network.
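The backoff procedure of Figure 15.6 can be followed slot by slot in a small model. The following Python is an added example, not code from the book: three stations with fixed (constructed) backoff draws contend for the medium, counters freeze while the medium is busy and resume afterwards, and two stations whose counters reach zero in the same slot collide and redraw. DIFS is folded into the busy period, and the frame length in slots is a constructed parameter.

```python
"""Slot-level model of the 802.11 DCF (CSMA/CA) backoff procedure of Figure 15.6.

Added example, not from the book. Time is counted in slot times; DIFS is folded
into the busy period so that a station counts down only after the medium has
been idle for DIFS.
"""
from typing import Dict, List, Tuple

# Constructed backoff draws. A real station draws each value at random
# (a pseudo-random number times the slot time); fixed values keep the trace
# reproducible. After a collision a station takes its next draw.
BACKOFF_DRAWS: Dict[str, List[int]] = {
    "A": [3, 7],   # 3 slots, then 7 slots after colliding with C
    "B": [5],
    "C": [3, 4],   # 3 slots (collides with A), then 4 slots
}

Event = Tuple[int, str, List[str]]   # (slot, "tx" | "collision", stations)


def simulate_dcf(draws: Dict[str, List[int]], frame_slots: int = 4,
                 max_slots: int = 200) -> List[Event]:
    """Run the backoff procedure and return the list of channel events.

    frame_slots: slots the medium stays busy for a frame, its acknowledgement
    (sent after SIFS, so no contender can slip in) and the following DIFS.
    """
    pending = {s: list(q[1:]) for s, q in draws.items()}
    counter = {s: q[0] for s, q in draws.items()}     # remaining backoff slots
    events: List[Event] = []
    busy_until = -1                                    # last slot of busy period
    for slot in range(max_slots):
        if not counter:
            break
        if slot <= busy_until:
            continue            # medium busy: every backoff counter is frozen
        ready = sorted(s for s, c in counter.items() if c == 0)
        if not ready:
            for s in counter:   # one idle slot elapsed: count down
                counter[s] -= 1
            continue
        kind = "tx" if len(ready) == 1 else "collision"
        events.append((slot, kind, ready))
        busy_until = slot + frame_slots - 1
        for s in ready:
            if pending[s]:      # retransmission (or next frame): new draw
                counter[s] = pending[s].pop(0)
            else:
                del counter[s]  # nothing more to send
    return events


if __name__ == "__main__":
    for slot, kind, stations in simulate_dcf(BACKOFF_DRAWS):
        print(f"slot {slot:3d}: {kind:9s} {','.join(stations)}")
```

With the draws above, A and C collide in slot 3; B, whose counter was frozen at 2 during the busy period, resumes in slot 7 and transmits in slot 9; C and A follow in slots 15 and 22. The trace makes the freezing rule visible: B does not redraw after the collision, it simply continues from where it stopped.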
The PCF is an optional access method that uses a master-slave procedure for polling network members. An AP station assumes the role of master and distributes timing and priority information through beacon management transmissions, thus creating a contention-free access method. One use of the PCF is for voice communications, which must use regular time slots and will not work in a random access environment.

15.1.4 Physical Layer

The discussion so far on the services and the organization of the WLAN did not depend on the actual type of wireless connection between the members of the network. 802.11 and its additions specify various bit rates, modulation methods, and operating frequency channels on two frequency bands, which we discuss in this section.

15.1.4.1 IEEE 802.11 Basic

The original version of the 802.11 specification prescribes three different air interfaces, each having two data rates. One is infrared and the others are based on frequency-hopping spread spectrum (FHSS) and direct-sequence spread spectrum (DSSS), each supporting raw data rates of 1 and 2 Mbps. Below is a short description of the IR and FHSS links, and a more detailed review of DSSS.

15.1.4.2 Infrared PHY

Infrared communication links have some advantages over radio wave transmissions. They are completely confined within walled enclosures, and therefore eavesdropping concerns are greatly relieved, as are problems from external interference. Also, they are not subject to intentional radiation regulations. The IEEE 802.11 IR physical layer is based on diffused infrared links, and the receiving sensor detects radiation reflected off ceilings and walls, making the system independent of line-of-sight. The range limit is on the order of 10 meters. Baseband pulse position modulation is used, with a nominal pulse width of 250 nsec. The IR wavelength is between 850 and 950 nm.
The 1 Mbps bit rate is achieved by sending symbols representing 4 bits, each consisting of a pulse in one of 16 consecutive 250 nsec slots. This modulation method is called 16-PPM. Optional 4-PPM modulation, with four slots per two-bit symbol, gives a bit rate of 2 Mbps. Although part of the original IEEE 802.11 specification and having what seem to be useful characteristics for some applications, products based on the infrared physical layer for WLAN have generally not been commercially available. However, point-to-point, very short-range infrared links using the IrDA (Infrared Data Association) standard are very widespread (reputed to be in more than 300 million devices). These links work reliably line-of-sight at one meter and are found, for example, in desktop and notebook computers, handheld PCs, printers, cameras and toys. Data rates range from 2400 bps to 16 Mbps. Bluetooth devices will take over some of the applications, but for many cases IrDA embedding will still have an advantage because of its much higher data rate capability.

15.1.4.3 FHSS PHY

While overshadowed by the DSSS PHY, acquaintance with the FHSS option in 802.11 is still useful since products based on it may be available. In FHSS WLAN, transmissions occur on carrier frequencies that hop periodically in pseudo-random order over almost the complete span of the 2.4 GHz ISM band. This span in North America and most European countries is 2.400 to 2.4835 GHz, and in these regions there are 79 hopping carrier frequencies from 2.402 to 2.480 GHz. The dwell time on each frequency is a system-determined parameter, but the recommended dwell time is 20 msec, giving a hop rate of 50 hops per second. In order for FHSS network stations to be synchronized, they must all use the same pseudo-random sequence of frequencies, and their synthesizers must be in step, that is, they must all be tuned to the same frequency channel at the same time.
Synchronization is achieved in 802.11 by sending the essential parameters—dwell time, frequency sequence number, and present channel number—in a frequency parameter set field that is part of a beacon transmission (and other management frames) sent periodically on the channel. A station wishing to join the network can listen to the beacon and synchronize its hop pattern as part of the network association procedure.

The FHSS physical layer uses GFSK (Gaussian frequency shift keying) modulation, and must restrict transmitted bandwidth to 1 MHz at 20 dB down (from peak carrier). This bandwidth holds for both 1 Mbps and 2 Mbps data rates. For the 1 Mbps data rate, nominal frequency deviation is 160 kHz. The data entering the modulator is filtered by a Gaussian (constant phase delay) filter with 3 dB bandwidth of 500 kHz. Receiver sensitivity must be better than −80 dBm for a 3% frame error rate. In order to keep the same transmitted bandwidth with a data rate of 2 Mbps, four-level frequency shift keying is employed. Data bits are grouped into symbols of two bits, so each symbol can have one of four levels. Nominal deviations of the four levels are ±72 kHz and ±216 kHz. A 500 kHz Gaussian filter smoothes the four-level 1 Megasymbol per second stream at the input to the FSK modulator. Minimum required receiver sensitivity is −75 dBm.

Although development of Wi-Fi for significantly increased data rates has been along the lines of DSSS, FHSS does have some advantageous features. Many more independent networks can be collocated with virtually no mutual interference using FHSS than with DSSS. As we will see later, only three independent DSSS networks can be collocated. However, 26 different hopping sequences (North America and Europe) in any of three defined sets can be used in the same area with low probability of collision.
Also, the degree of throughput reduction by other 2.4 GHz band users, as well as the interference caused to the other users, is lower with FHSS. FHSS implementation may at one time also have been less expensive. However, the updated versions of 802.11—specifically 802.11a, 802.11b, and 802.11g—have all based their methods of increasing data rates on the broadband channel characteristics of DSSS in 802.11, while being downward compatible with the 1 and 2 Mbps DSSS modes (except for 802.11a, which operates on a different frequency band).

15.1.4.4 DSSS PHY

The channel characteristics of the direct sequence spread spectrum physical layer in 802.11 are retained in the high data rate updates of the specification. This is natural, since systems based on the newer versions of the specification must retain compatibility with the basic 1 and 2 Mbps physical layer. The channel spectral mask is shown in Figure 15.7, superimposed on the simulated spectrum of a filtered 1 Mbps transmission. It is 22 MHz wide at the −30 dB points. Fourteen channels are allocated in the 2.4 GHz ISM band, whose center frequencies are 5 MHz apart, from 2.412 GHz to 2.484 GHz. The highest channel, number fourteen, is designated for Japan, where the allowed band edges are 2.471 GHz and 2.497 GHz. In the US and Canada, the first eleven channels are used. Figure 15.8 shows how channels one, six and eleven may be used by three adjacent independent networks without co-interference. When there are no more than two networks in the same area, they may choose their operating channels to avoid a narrowband transmission or other interference on the band.

In 802.11 DSSS, a pseudo-random bit sequence phase modulates the carrier frequency. In this spreading sequence, bits are called chips. The chip rate is 11 megachips per second (Mcps). Data is applied by phase modulating the spread carrier. There are eleven chips per data symbol.
The chosen pseudo-random sequence is a Barker sequence, represented as 1, −1, 1, 1, −1, 1, 1, 1, −1, −1, −1. Its redeeming property is that it is optimally detected in a receiver by a matched filter or correlation detector.

[Figure 15.7: 802.11 DSSS Spectral Mask (802.11 DSSS QPSK; reference level 0 dBr; mask at −30 dBr beyond ±11 MHz and −50 dBr beyond ±22 MHz; power spectrum versus frequency offset in MHz)]

[Figure 15.8: DSSS Non-interfering Channels (center frequencies 2412 MHz, 2437 MHz, 2462 MHz)]

Figure 15.9 is one possible implementation of the modulator. The DSSS PHY specifies two possible data rates—1 and 2 Mbps. The differential encoder takes the data stream and produces two output streams at 1 Mbps that represent changes in data polarity from one symbol to the next. For a data rate of 1 Mbps, differential binary phase shift keying is used. The input data rate of 1 Mbps results in two identical output data streams that represent the changes between consecutive input bits. Differential quadrature phase shift keying handles 2 Mbps of data. Each sequence of two input bits creates four permutations on two outputs. The differential encoder outputs the differences from symbol to symbol on the lines that go to the inputs of the exclusive OR gates shown in Figure 15.9. The outputs on the I and Q lines are the Barker sequence of 11 Mcps, inverted or sent straight through at a rate of 1 Msps according to the differentially encoded data at the exclusive OR gate inputs. These outputs are spectrum shifted to the RF carrier frequency (or an intermediate frequency for subsequent up-conversion) in the quadrature modulator.
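The 1 Mbps DBPSK path of the modulator just described, and the matched-filter receiver that follows, can be exercised at baseband. The Python below is an added example, not the book's code: it differentially encodes a constructed bit pattern, spreads each symbol with the Barker sequence, despreads with a correlator, and decodes. It also checks the autocorrelation property that makes the Barker sequence detectable, and adds a constructed narrowband interferer (a tone at half the chip rate, 6 dB above the signal per chip) to show how the correlator suppresses it. The carrier, pulse shaping and the Q branch of the 2 Mbps DQPSK mode are left out.

```python
"""1 Mbps DSSS baseband chain of Figures 15.9 and 15.10: DBPSK differential
encoding, Barker-11 spreading, matched-filter despreading and differential
decoding. Added example; not the book's code."""

BARKER = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]   # the 11-chip sequence of the text
CHIPS_PER_SYMBOL = len(BARKER)


def aperiodic_autocorrelation(seq):
    """r[k] = sum_i seq[i] * seq[i+k]; for a Barker sequence r[0] = 11 and
    |r[k]| <= 1 for k != 0, which is why a correlator detects it so cleanly."""
    n = len(seq)
    return [sum(seq[i] * seq[i + k] for i in range(n - k)) for k in range(n)]


def dbpsk_encode(bits):
    """Differential BPSK: a 1 bit inverts the symbol polarity, a 0 keeps it.
    The reference polarity before the first data bit is +1."""
    symbols, polarity = [], 1
    for b in bits:
        polarity = -polarity if b else polarity
        symbols.append(polarity)
    return symbols


def spread(symbols):
    """Each +/-1 symbol becomes the Barker sequence sent straight or inverted
    (the exclusive-OR gates of Figure 15.9)."""
    return [s * c for s in symbols for c in BARKER]


def despread(chips):
    """Matched filter: correlate every 11-chip window with the Barker sequence.
    Chip timing is assumed already recovered from the SYNC field."""
    n_symbols = len(chips) // CHIPS_PER_SYMBOL
    return [sum(chips[k * CHIPS_PER_SYMBOL + i] * BARKER[i]
                for i in range(CHIPS_PER_SYMBOL))
            for k in range(n_symbols)]


def dbpsk_decode(correlations):
    """Differential decoder: a polarity change between symbols is a 1 bit."""
    bits, previous = [], 1
    for c in correlations:
        polarity = 1 if c >= 0 else -1
        bits.append(1 if polarity != previous else 0)
        previous = polarity
    return bits


def transmit_and_receive(bits, jammer_amplitude=0.0):
    """Round trip with a constructed narrowband interferer: a tone at half the
    chip rate (+A, -A, +A, ...). Returns (decoded bits, correlator outputs)."""
    chips = spread(dbpsk_encode(bits))
    received = [c + jammer_amplitude * (1 if n % 2 == 0 else -1)
                for n, c in enumerate(chips)]
    correlations = despread(received)
    return dbpsk_decode(correlations), correlations


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed test pattern
    print("autocorrelation:", aperiodic_autocorrelation(BARKER))
    print("clean:", transmit_and_receive(data))
    # A tone 6 dB above the signal per chip still leaves correlator outputs of +/-9 or more.
    print("jammed:", transmit_and_receive(data, jammer_amplitude=2.0))
```

Without interference every correlator output is exactly ±11. With the tone present, the tone's own correlation with the Barker sequence is only ∓2 per window, so the outputs become ±9 or ±13 and the sign decisions, and hence the decoded bits, are unchanged: this is the processing gain of the 11-chip spreading that the text refers to.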
[Figure 15.9: DSSS Modulation (data at 1 or 2 Mbps into a differential encoder driven by the 1 Mbps symbol clock; the I and Q outputs are exclusive-ORed with the 11 Mbps Barker sequence, low-pass filtered and fed to a quadrature modulator with local oscillator to produce the modulated carrier)]

Reception of DSSS signals is represented in Figure 15.10. The downconverted I and Q signals are applied to matched filters or correlation detectors. These circuits correlate the Barker sequence with the input signal and output an analog signal that represents the degree of correlation. The following differential decoder performs the opposite operation of the differential encoder described above and outputs the 1 or 2 Mbps data.

[Figure 15.10: DSSS Reception (received signal into a quadrature demodulator with local oscillator; the I and Q paths each pass a low-pass filter and a matched filter, then a differential decoder produces the data out)]

The process of despreading the input signal by correlating it with the stored spreading sequence requires synchronization of the receiver with transmitter timing and frequency. To facilitate this, the transmitted frame starts with a synchronization field (SYNC), shown at the beginning of the physical layer protocol data unit in Figure 15.11. Then a start frame delimiter (SFD) marks the commencement of the following information-bearing fields. All bits in the indicated preamble are transmitted at a rate of 1 Mbps, no matter what the subsequent data rate will be. The SIGNAL field specifies the data rate of the following fields in the frame so that the receiver can adjust itself accordingly. The next field, SERVICE, contains all zeros for devices that are only compliant with the basic version of 802.11, but some of its bits are used in devices conforming with updated versions. The value of the LENGTH field is the time, in microseconds, required to transmit the data-carrying field labeled MPDU (MAC protocol data unit). An error check field, labeled CRC, protects the integrity of the SIGNAL, SERVICE, and LENGTH fields.
The last field, MPDU (MAC protocol data unit), is the data passed down from the MAC to be sent by the physical layer, or to be passed up to the MAC after reception. All bits in the transmitted frame are pseudo-randomly scrambled to ensure even power distribution over the spectrum. Data is returned to its original form by descrambling in the receiver.

Figure 15.11: DSSS Frame Format

  Field     Bits      Part of
  SYNC      128       Preamble
  SFD       16        Preamble
  SIGNAL    8         PLCP header
  SERVICE   8         PLCP header
  LENGTH    16        PLCP header
  CRC       16        PLCP header
  MPDU      Variable  Payload

15.1.4.5 802.11b

The “b” supplement to the original 802.11 specification supports a higher rate physical layer for the 2.4 GHz band. It is this 802.11b version that provided the impetus for Wi-Fi proliferation. With it, data rates of 5.5 Mbps and 11 Mbps are enabled, while retaining downward compatibility with the original 1 and 2 Mbps rates. The slower rates may be used not only for compatibility with devices that aren’t capable of the extended rates, but also for fallback when interference or range conditions don’t provide the required signal-to-noise ratio for communication using the higher rates. As previously stated, the increased data rates provided for in 802.11b do not entail a larger channel bandwidth. Also, the narrowband interference rejection, or jammer resisting, qualities of direct sequence spread spectrum are retained. The classical definition of processing gain for DSSS as the chip rate divided by the data bandwidth doesn’t apply here. In fact, the processing gain requirement that for years was part of the FCC Rules paragraph 15.247 definition of direct sequence spread spectrum was deleted in an update from August 2002, and at the same time the reference to DSSS was replaced by “digital modulation.” The mandatory high-rate modulation method of 802.11b is called complementary code keying (CCK). An optional mode called packet binary convolutional coding (PBCC) is also described in the specification.
Although there are similarities in concept, the two modes differ in implementation and performance. First the general principle of high-rate DSSS is presented below, applying to both CCK and PBCC; then the details of CCK are given.

As in the original 802.11, a pseudo-random noise sequence at the rate of 11 Mcps is the basis of high-rate transmission in 802.11b. It is this 11 Mcps modulation that gives the 22 MHz null-to-null bandwidth. However, in contrast to the original specification, the symbol rate when sending data at 5.5 or 11 Mbps is 1.375 Msps. Eight chips per symbol are transmitted instead of eleven chips per symbol as when sending at 1 or 2 Mbps. In “standard” DSSS as used in 802.11, the modulation, BPSK or QPSK, is applied to the group of eleven chips constituting a symbol. The series of eleven chips in the symbol is always the same (the Barker sequence previously defined). In contrast, high-rate DSSS uses a different 8-chip sequence in each symbol, depending on the sequence of data bits that is applied to each symbol. Quadrature modulation is used, and each chip has an I value and a Q value which represent a complex number having a normalized amplitude of one and some angle, α, where α = arctangent(Q/I). α can assume one of four values divided equally around 360 degrees. Since each complex chip has four possible values, there are a total of 4^8 = 65536 possible 8-chip complex words. For the 11 Mbps data rate, 256 out of these possibilities are actually used—which one being determined by the sequence of 8 data bits applied to a particular symbol. Only 16 chip sequences are needed for the 5.5 Mbps rate, determined by four data bits per symbol. The high-rate algorithm describes the manner in which the 256 code words, or 16 code words, are chosen from the 65536 possibilities.
The chosen 256 or 16 complex words have the very desirable property that when correlation detectors are used on the I and Q lines of the received signal, downconverted to baseband, the original 8-bit (11 Mbps rate) or 4-bit (5.5 Mbps rate) sequence can be decoded correctly with high probability even when reception is accompanied by noise and other types of channel distortion. The concept of CCK modulation and demodulation is shown in Figures 15.12 and 15.13. It’s explained below in reference to a data rate of 11 Mbps. The multiplexer of Figure 15.12 takes a block of eight serial data bits, entering at 11 Mbps, and outputs them in parallel, with updates at the symbol rate of 1.375 MHz. The six latest data bits determine 1 out of 64 (2^6) complex code words. Each code word is a sequence of eight complex chips, having phase angles α1 through α8 and a magnitude of unity. The first two data bits, d0 and d1, determine an angle, φ1, which, in the code rotator (see Figure 15.12), rotates the whole code word relative to α8 of the previous code word. This angle of rotation becomes the absolute angle α8 of the present code word.
The normalized I and Q outputs of the code rotator, which after filtering are input to a quadrature modulator for up-conversion to the carrier (or intermediate) frequency, are shown in equation (15.1):

$$I_i = \cos(\alpha_i), \quad Q_i = \sin(\alpha_i), \quad i = 1 \ldots 8 \tag{15.1}$$

[Figure 15.12: High-rate Modulator—11 Mbps (serial data at 11 Mbps enters a multiplexer driven by the 11 MHz chip clock; six bits go to the code word encoder and the other two, d0 and d1, to the code rotator, both updated at the 1.375 MHz symbol clock; the I and Q outputs are low-pass filtered and applied to a quadrature modulator with local oscillator to give the modulated carrier)]

Figure 15.13: Derivation of Code Word

Data symbol: d0 d1 d2 d3 d4 d5 d6 d7

Phase table, (d_i, d_{i+1}) → φ:
  0 0 → 0°
  1 0 → 180°
  0 1 → 90°
  1 1 → −90°

Phase(d0, d1) = φ1, Phase(d2, d3) = φ2, Phase(d4, d5) = φ3, Phase(d6, d7) = φ4

  α1 = φ1 + φ2 + φ3 + φ4
  α2 = φ1 + φ3 + φ4
  α3 = φ1 + φ2 + φ4
  α4 = φ1 + φ4 + 180°
  α5 = φ1 + φ2 + φ3
  α6 = φ1 + φ3
  α7 = φ1 + φ2 + 180°
  α8 = φ1

  I_i = cos(α_i), Q_i = sin(α_i), i = 1…8

Figure 15.13 is a summary of the development of code words α for 11 Mbps rate CCK modulation. High rate modulation is applied only to the payload—MPDU in Figure 15.11. The code word described in Figure 15.13 is used as shown for the first symbol and then every other symbol of the payload. However, it is modified by adding 180º to each element of the code word of the second symbol, fourth symbol, and so on. The development of the symbol code word or chip s
equence may be clarified by an example worked out per Figure 15.13. Let’s say the 8-bit data sequence for a symbol is d = d0 … d7 = 1 0 1 0 1 1 0 1. From the phase table of Figure 15.13 we find the angles φ: φ1 = 180º, φ2 = 180º, φ3 = −90º, φ4 = 90º.
Now summing up these values to get the angle αi of each complex chip, then taking the cosine and sine to get Ii and Qi, we summarize the result in the following table:

  i    1    2    3    4    5    6    7    8
  α    0  180   90   90  −90   90  180  180
  I    1   −1    0    0    0    0   −1   −1
  Q    0    0    1    1   −1    1    0    0

The code words for 5.5 Mbps rate CCK modulation are a subset of those for 11 Mbps CCK. In this case, there are four data bits per symbol, which determine a total of 16 complex chip sequences. Four 8-element code words (complex chip sequences) are determined using the last two data bits of the symbol, d2 and d3. The arguments (angles) of these code words are shown in Table 15.1. Bits d0 and d1 are used to rotate the code words relative to the preceding code word as in 11 Mbps modulation and shown in the phase table of Figure 15.13. Code words are modified by 180º every other symbol, as in 11 Mbps modulation.

Table 15.1: 5.5 Mbps CCK Decoding

  d3, d2    α1     α2     α3     α4     α5     α6     α7     α8
  00        90º    0º     90º    180º   90º    0º     −90º   0º
  10        −90º   180º   −90º   0º     90º    0º     −90º   0º
  01        −90º   0º     −90º   180º   −90º   0º     90º    0º
  11        90º    180º   90º    0º     −90º   0º     90º    0º

The concept of CCK decoding for receiving high rate data is shown in Figure 15.14. For the 11 Mbps data rate, a correlation bank decides which of the 64 possible codes best fits each received 8-chip symbol. It also finds the rotation angle of the whole code relative to the previous symbol (one of four values). There are a total of 256 (64 × 4) possibilities, and the chosen one is output as serial data. At the 5.5 Mbps rate there are four code words to choose from, and after code rotation a total of 16 choices from which to decide on the output data.
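The code-word derivation of Figure 15.13, the worked example above, the 5.5 Mbps words of Table 15.1 and the correlation-bank decoder of Figure 15.14 can all be checked with a short program. The Python below is an added example, not the book's code. It applies the phase table and the eight α relations of Figure 15.13 to the book's data sequence 1 0 1 0 1 1 0 1, reproduces the I/Q table, and decodes a chip sequence distorted by a constructed offset by correlating it against all 256 candidate words. For 5.5 Mbps it assumes the 802.11b rule φ2 = 90° + 180°·d2, φ3 = 0, φ4 = 180°·d3 (not stated on this page), which with φ1 = 0 gives every row of Table 15.1. The rotation relative to the previous symbol and the 180° inversion of every second payload symbol are left out, so φ1 is treated as absolute.

```python
"""CCK code words of Figure 15.13 (11 Mbps) and Table 15.1 (5.5 Mbps), with the
correlation-bank decoder of Figure 15.14. Added example; not the book's code.
The 180 degree inversion of every second payload symbol and the rotation
relative to the previous symbol are omitted: phi1 is taken as absolute."""
import cmath
import math

# Phase table of Figure 15.13: (d_i, d_i+1) -> phase in degrees.
PHASE_TABLE = {(0, 0): 0, (1, 0): 180, (0, 1): 90, (1, 1): -90}


def wrap(deg):
    """Reduce an angle to (-180, 180] degrees."""
    deg %= 360
    return deg - 360 if deg > 180 else deg


def code_word_angles(phi1, phi2, phi3, phi4):
    """alpha_1 .. alpha_8 from the four phase terms, per Figure 15.13."""
    return [wrap(a) for a in (
        phi1 + phi2 + phi3 + phi4,
        phi1 + phi3 + phi4,
        phi1 + phi2 + phi4,
        phi1 + phi4 + 180,
        phi1 + phi2 + phi3,
        phi1 + phi3,
        phi1 + phi2 + 180,
        phi1,
    )]


def cck_11mbps(bits):
    """Eight data bits -> eight chip phases (degrees)."""
    d = list(bits)
    phis = [PHASE_TABLE[(d[i], d[i + 1])] for i in (0, 2, 4, 6)]
    return code_word_angles(*phis)


def cck_5_5mbps(bits):
    """Four data bits -> eight chip phases. d0, d1 rotate the word as at 11 Mbps;
    d2, d3 pick one of four base words through phi2 = 90 + 180*d2, phi3 = 0,
    phi4 = 180*d3 (802.11b rule, assumed here; with phi1 = 0 it reproduces
    every row of Table 15.1)."""
    d0, d1, d2, d3 = bits
    return code_word_angles(PHASE_TABLE[(d0, d1)], 90 + 180 * d2, 0, 180 * d3)


def chips_iq(angles):
    """I_i = cos(alpha_i), Q_i = sin(alpha_i) as in equation (15.1), rounded to
    the exact -1/0/+1 values of the book's table."""
    return [(round(math.cos(math.radians(a))), round(math.sin(math.radians(a))))
            for a in angles]


def decode_11mbps(received):
    """Correlation bank: try all 256 code words against the received complex
    chips and return the data bits of the best match."""
    best_bits, best_metric = None, -math.inf
    for n in range(256):
        bits = tuple((n >> (7 - i)) & 1 for i in range(8))
        word = [cmath.exp(1j * math.radians(a)) for a in cck_11mbps(bits)]
        metric = sum((r * c.conjugate()).real for r, c in zip(received, word))
        if metric > best_metric:
            best_bits, best_metric = bits, metric
    return list(best_bits)


if __name__ == "__main__":
    d = [1, 0, 1, 0, 1, 1, 0, 1]              # the book's worked example
    alphas = cck_11mbps(d)
    print("alpha:", alphas)                    # [0, 180, 90, 90, -90, 90, 180, 180]
    print("I/Q:", chips_iq(alphas))
    noisy = [complex(i, q) + (0.3 + 0.2j) for i, q in chips_iq(alphas)]  # constructed distortion
    print("decoded:", decode_11mbps(noisy))
    for d3, d2 in ((0, 0), (1, 0), (0, 1), (1, 1)):
        print(f"5.5 Mbps d3d2={d3}{d2}:", cck_5_5mbps((0, 0, d2, d3)))
```

The decoder always finds the right word here because the 256 words are distinct and any two differ in at least one chip by 90° or more, so a small distortion cannot overturn the correlation ranking; with larger distortion the decision becomes probabilistic, which is the "high probability" qualification in the text.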
[Figure 15.14: CCK Decoding (RF in → downconverter → I and Q → correlation bank, which outputs a 6-bit code identifier and a 2-bit differential phase → data demultiplexer → serial data)]

To maintain compatibility with earlier non-high-rate systems, the DSSS frame format shown in Figure 15.11 is retained in 802.11b. The 128-bit preamble and the header are transmitted at 1 Mbps, while the payload MPDU can be sent at a high rate of 5.5 or 11 Mbps. The long and slow preamble reduces the throughput and cancels some of the advantage of the high data rates. 802.11b defines an optional short preamble and header which differ from the standard frame by sending a preamble with only 72 bits and transmitting the header at 2 Mbps, for a total overhead of 96 μsec instead of 192 μsec for the long preamble and header. Devices using this option can only communicate with other stations having the same capability.

Use of higher data rates entails some loss of sensitivity and hence range. The minimum specified sensitivity at the 11 Mbps rate is −76 dBm for a frame-error rate of 8% when sending a payload of 1024 bytes, as compared to a sensitivity of −80 dBm for the same frame-error rate and payload length at a data rate of 2 Mbps.

15.1.4.6 802.11a and OFDM

In the search for ways to communicate at even higher data rates than those applied in 802.11b, a completely different modulation scheme, OFDM (orthogonal frequency division multiplexing), was adopted for 802.11a. It is not DSSS, yet it has a channel bandwidth similar to the DSSS systems already discussed. The 802.11a supplement is defined for channel frequencies between 5.2 and 5.85 GHz, obviously not compatible with 802.11b signals in the 2.4 GHz band.
However, since the channel occupancy characteristics of its modulation are similar to those of DSSS Wi-Fi, the same system was adopted in IEEE 802.11g for enabling the high data rates of 802.11a on the 2.4 GHz band, while allowing downward compatibility with transmissions conforming to 802.11b. 802.11a specifies data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s.

As transmitted data rates go higher and higher, the problem of multipath interference becomes more severe. Reflections in an indoor environment can result in multipath delays on the order of 100 nsec but may be as long as 250 nsec, and a signal with a bit rate of 10 Mbps (period of 100 nsec) can be completely overlapped by its reflection. When there are several reflections, arriving at the receiver at different times, the signal may be mutilated beyond recognition. The OFDM transmission system goes a long way toward solving the problem. It does this by sending the data partitioned into symbols whose length in time is several times the expected reflected path time differences. The individual data bits in a symbol are all sent in parallel on separate subcarrier frequencies within the transmission channel. Thus, by sending many bits during the same time, each on a different frequency, the individual transmitted bit can be lengthened so that it won’t be affected by the multipath phenomenon. Actually, the higher bit rates are accommodated by representing a group of data bits by the phase and amplitude of a particular transmitted carrier. A carrier modulated using quadrature phase shift keying (QPSK) can represent two data bits, and 64-QAM (quadrature amplitude modulation) can represent six data bits as a single data unit on a subcarrier. Naturally, transmitting many subcarriers on a channel of given width brings up the problem of interference between those subcarriers.
There will be no interference between them if all the subcarriers are orthogonal—that is, if the integral of the product of any two different subcarriers over the symbol period is zero. It is easy to show that this condition holds if the frequency difference between adjacent subcarriers is the inverse of the symbol period. In OFDM, the orthogonal subcarriers are generated mathematically using the inverse Fourier transform (IFT), or rather its discrete equivalent, the inverse discrete Fourier transform (IDFT). The IDFT may be expressed as shown in equation (15.2):

$$x(n) = \frac{1}{N}\sum_{m=0}^{N-1} X(m)\left[\cos\left(\frac{2\pi m n}{N}\right) + j\,\sin\left(\frac{2\pi m n}{N}\right)\right] \qquad (15.2)$$

x(n) are complex sample values in the time domain, n = 0 … N − 1, and X(m) are the given complex values, representing magnitude and phase, for each frequency in the frequency domain. The IDFT expression indicates that the time domain signal is the sum of N harmonically related sine and cosine waves, each of whose magnitude and phase is given by X(m). We can relate the right side of the expression to absolute frequency by multiplying the arguments 2πmn/N by fs/fs to get:

$$x(n) = \frac{1}{N}\sum_{m=0}^{N-1} X(m)\left[\cos\left(2\pi m f_1 n t_s\right) + j\,\sin\left(2\pi m f_1 n t_s\right)\right] \qquad (15.3)$$

where f1 = fs/N is the fundamental subcarrier and the difference between adjacent subcarriers, and ts = 1/fs is the sample time. In 802.11a OFDM, the sampling frequency is 20 MHz and N = 64, so f1 = 312.5 kHz. Symbol time is N·ts = 64/fs = 3.2 μsec. In order to prevent intersymbol interference, 802.11a inserts a guard time of 0.8 μsec in front of each symbol, after the IDFT conversion. During this time, the last 0.8 μsec of the symbol is copied, so the guard time is also called a cyclic prefix. Thus, the extended symbol time that is transmitted is 3.2 + 0.8 = 4 μsec. The guard time is deleted after reception and before reconstruction of the transmitted data.
Although the previous equation, where N = 64, indicates 64 possible subcarriers, only 48 are used to carry data, and four more carry pilot signals to help the receiver phase lock to the transmitted carriers. The remaining carriers, those at the edges of the occupied bandwidth and the DC term (m = 0 in equation (15.3)), are null. It follows that there are 26 ((48 + 4)/2) carriers on each side of the nulled center frequency. The subcarrier spacing is 312.5 kHz, so the occupied subcarriers span a total width of 16.5625 MHz (53 × 312.5 kHz). For accommodating a wide range of data rates, four modulation schemes are used—BPSK, QPSK, 16-QAM and 64-QAM, carrying 1, 2, 4, and 6 bits per subcarrier, respectively. Forward error correction (FEC) coding is employed with OFDM, which entails adding code bits in each symbol. Three coding rates, 1/2, 2/3, and 3/4, indicate the ratio of data bits to the total number of bits per symbol for different degrees of coding performance. FEC permits reconstruction of the correct message in the receiver even when one or more of the 48 data subcarriers suffer selective interference that would otherwise result in a lost symbol. Coded bits are interleaved across subcarriers so that even if the bits on adjacent subcarriers are demodulated with errors, the error correction procedure will still reproduce the correct symbol. A block diagram of the OFDM transmitter and receiver is shown in Figure 15.15. The blocks labeled FFT and IFFT indicate the fast Fourier transform and its inverse, used instead of the mathematically equivalent (in terms of results) DFT and IDFT that we used above because they are much faster to implement. Table 15.2 lists the modulation type and coding rate used for each data rate, and the total number of bits per OFDM symbol, which includes data bits and code bits.
[Figure 15.15: OFDM System Block Diagram. Transmitter: serial data, FEC coding, bit-to-symbol map, IFFT, add guard interval, quadrature modulator, PA. Receiver: LNA, quadrature demodulator, remove guard interval, FFT, symbol-to-bit demap, FEC decoding, data out. A common local oscillator feeds both.]

Table 15.2: OFDM Characteristics According to Data Rate

Data Rate (Mbps)   Modulation   Coding Rate   Coded Bits per Subcarrier   Coded Bits per OFDM Symbol   Data Bits per OFDM Symbol
6                  BPSK         1/2           1                           48                           24
9                  BPSK         3/4           1                           48                           36
12                 QPSK         1/2           2                           96                           48
18                 QPSK         3/4           2                           96                           72
24                 16-QAM       1/2           4                           192                          96
36                 16-QAM       3/4           4                           192                          144
48                 64-QAM       2/3           6                           288                          192
54                 64-QAM       3/4           6                           288                          216

The available frequency channels in the 5 GHz band in accordance with FCC paragraphs 15.401–15.407 for unlicensed national information infrastructure (U-NII) devices are shown in Table 15.3. Channel allocations are 5 MHz apart and 20 MHz spacing is needed to prevent co-channel interference. Twelve simultaneous networks can coexist without mutual interference. Maximum power limits are also shown in Table 15.3. Extension of the data rates of 802.11b to those of 802.11a, but on the 2.4 GHz band, is covered in supplement 802.11g. The OFDM physical layer defined for the 5 GHz band is applied essentially unchanged to 2.4 GHz. Equipment complying with 802.11g must also have the lower-rate features and the CCK modulation technique of 802.11b so that it will be backward compatible with existing Wi-Fi systems.
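To make the subcarrier arithmetic of equations (15.2) and (15.3) and the rows of Table 15.2 concrete, here is an added example (not code from the book) that builds and recovers one 802.11a OFDM symbol in pure Python with the parameters of Section 15.1.4.6. The pilot positions ±7 and ±21 are those of 802.11a but are not given on the page, the BPSK-only mapping is chosen for simplicity, and the two-ray channel with a 50% reflection is a constructed input. The point it demonstrates beyond the text is why the cyclic prefix works: a reflection delayed by less than the guard time turns into a plain per-subcarrier phase rotation, so the data still slices correctly.

```python
"""802.11a OFDM symbol construction and recovery: N = 64 subcarriers sampled at
20 MHz (312.5 kHz spacing), 48 data + 4 pilot subcarriers, 0.8 us cyclic prefix.
Pure Python (cmath), so the 64-point transforms are written out as in equation
(15.2) rather than as FFTs.  Added example, not the book's code."""
import cmath
import math

N = 64                      # transform size
FS = 20e6                   # sampling frequency, Hz
CP = 16                     # guard samples: 0.8 us at 20 MHz
F1 = FS / N                 # subcarrier spacing, 312.5 kHz
PILOTS = (-21, -7, 7, 21)   # 802.11a pilot positions (assumption: not on the page)
DATA = [m for m in range(-26, 27) if m != 0 and m not in PILOTS]   # 48 data subcarriers

def idft(X):
    """Equation (15.2): x(n) = (1/N) sum_m X(m) [cos(2 pi m n/N) + j sin(2 pi m n/N)]."""
    return [sum(X[m] * cmath.exp(2j * math.pi * m * n / N) for m in range(N)) / N
            for n in range(N)]

def dft(x):
    """Forward transform used by the receiver (the FFT block of Figure 15.15)."""
    return [sum(x[n] * cmath.exp(-2j * math.pi * m * n / N) for n in range(N))
            for m in range(N)]

def subcarrier_inner_product(m1, m2):
    """Sum over one symbol period of subcarrier m1 times the conjugate of m2.
    Zero for m1 != m2 because the spacing equals the inverse of the symbol period."""
    return sum(cmath.exp(2j * math.pi * (m1 - m2) * n / N) for n in range(N))

def occupied_bandwidth_hz():
    """26 subcarriers on each side of the null DC carrier: 53 x 312.5 kHz."""
    return (2 * 26 + 1) * F1

def ofdm_rate(bits_per_subcarrier, coding_num, coding_den):
    """One row of Table 15.2: (coded bits/symbol, data bits/symbol, Mbit/s).
    The symbol lasts 4 us including the guard time, so bits per 4 us == Mbit/s."""
    coded = 48 * bits_per_subcarrier
    data = coded * coding_num // coding_den
    return coded, data, data / 4

def build_symbol(bits):
    """BPSK-map 48 bits onto the data subcarriers (+1 pilots, null DC and edges),
    take the IDFT, then prepend the last 16 samples as the cyclic prefix: 80 samples."""
    assert len(bits) == 48
    X = [0j] * N
    for m, b in zip(DATA, bits):
        X[m % N] = complex(1 if b else -1)    # negative m wraps to the upper bins
    for m in PILOTS:
        X[m % N] = 1 + 0j
    x = idft(X)
    return x[-CP:] + x

def two_ray_channel(samples, delay_samples, gain=0.5):
    """Constructed channel: direct path plus one reflection `delay_samples` (50 ns each) later."""
    out = list(samples) + [0j] * delay_samples
    for i, s in enumerate(samples):
        out[i + delay_samples] += gain * s
    return out

def demodulate(samples):
    """Drop the guard interval, transform, and slice BPSK on the data subcarriers.
    With the reflection inside the guard time each subcarrier sees
    X(m) * (1 + gain * exp(-j 2 pi m d / N)); for gain < 1 the real part keeps its sign."""
    X = dft(samples[CP:CP + N])
    return [1 if X[m % N].real > 0 else 0 for m in DATA]
```

A delay longer than the 16-sample prefix would no longer be a circular shift of the symbol, which is exactly the case the guard time is sized to exclude; real receivers also estimate and divide out the channel from the pilots before slicing, which the BPSK sign test here does not need.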
Table 15.3: Channel Allocations and Maximum Power for 802.11a in United States

Band                                  Channel Numbers      Channel Center Frequencies (MHz)   Maximum Power with up to 6 dBi antenna gain (mW)
U-NII lower band (5.15–5.25 GHz)      36, 40, 44, 48       5180, 5200, 5220, 5240             40
U-NII middle band (5.25–5.35 GHz)     52, 56, 60, 64       5260, 5280, 5300, 5320             200
U-NII upper band (5.725–5.825 GHz)    149, 153, 157, 161   5745, 5765, 5785, 5805             800

Table 15.4: HIPERLAN/2 Frequency Channels and Power Levels (Reference 15.1, ETSI TS 101 475 V1.3.1 (2001-12))

Center Frequency (MHz)               Radiated Power (mean EIRP) (dBm)
Every 20 MHz from 5180 to 5320       23
Every 20 MHz from 5500 to 5680       30
5700                                 23

15.1.5 HIPERLAN/2

While 802.11b was designed for compliance with regulations in the European Union and most other regions of the world, 802.11a specifically refers to the regulations of the FCC and the Japanese MPT. ETSI (European Telecommunications Standards Institute) developed a high-speed wireless LAN specification, called HIPERLAN/2 (high performance local area network), which meets the European regulations and in many ways goes beyond the capabilities of 802.11a. HIPERLAN/2 defines a physical layer essentially identical to that of 802.11a, using coded OFDM and the same data rates up to 54 Mbps. However, its second-layer software level is very different from the 802.11 MAC and the two systems are not compatible. Built-in features of HIPERLAN/2 that distinguish it from IEEE 802.11a are the following:

• Quality of service (QoS). A time division multiple access/time division duplex (TDMA/TDD) protocol permits multimedia communication.
• Dynamic frequency selection (DFS). Network channels are selected and changed automatically to maintain communication reliability in the presence of interference and path disturbances.
• Transmit power control (TPC).
Transmission power is automatically regulated to reduce interference to other frequency band users and reduce average power supply consumption.
• High data security. Strong authentication and encryption procedures.

All of the above features of HIPERLAN/2 are being dealt with by IEEE task groups for implementation in 802.11. Specifically, the features of DFS and TPC are necessary for conformance of 802.11a to European Union regulations. Frequency channels and power levels of HIPERLAN/2 are shown in Table 15.4.

15.2 Bluetooth

There are two sources of the Bluetooth specification. One is the Bluetooth Special Interest Group (SIG). The current version at this writing is Version 1.1. It is arranged in two volumes—Core and Profiles. Volume 1, the core, describes the physical, or hardware, radio characteristics of Bluetooth, as well as the low-level software or firmware which serves as an interface between the radio and higher-level application software. The profiles in Volume 2 detail protocols and procedures for several widely used applications. The other Bluetooth source specification is IEEE 802.15.1. It is basically a rewriting of the SIG core specification, made to fit the format of IEEE communications specifications in general. Bluetooth is an example of a wireless personal area network (WPAN), as opposed to a wireless local area network (WLAN). It's based on the creation of ad hoc, or temporary, on-the-fly connections between digital devices associated with an individual person and located within a vicinity of around ten meters. Bluetooth devices in a network have the role of master or slave, and all communication is between a master and one or more slaves, never directly between slaves. The basic Bluetooth network is called a piconet. It has one master and from one to seven slaves. A scatternet is an interrelated network of piconets where any member of a piconet may also belong to an adjacent piconet.
Thus, conceptually, a Bluetooth network is infinitely expandable. Figure 15.16 shows a scatternet made up of three piconets. In it, a slave in one piconet is a master in another. A device may be a master in one piconet only.

[Figure 15.16: Bluetooth Scatternet. Three piconets of masters (M) and slaves (S); one node is a slave in one piconet and the master of another.]

The basic RF communication characteristics of Bluetooth are shown in Table 15.5.

Table 15.5: Bluetooth Technical Parameters

Characteristic                 Value                                       Comment
Frequency Band                 2.4 to 2.483 GHz                            May differ in some countries
Frequency Hopping Spread       79 1-MHz channels from 2402 to 2480 MHz     May differ in some countries
Spectrum (FHSS)
Hop Rate                       1600 hops per second
Channel Bandwidth              1 MHz                                       20 dB down at edges
Modulation                     Gaussian Frequency Shift Keying (GFSK)      Filter BT = 0.5; Gaussian filter bandwidth = 500 kHz; nominal modulation index = 0.32; nominal deviation = 160 kHz
Symbol Rate                    1 Mbps
Transmitter Maximum Power      Class 1: 100 mW                             Power control required
                               Class 2: 2.5 mW                             Must be at least 0.25 mW
                               Class 3: 1 mW                               No minimum specified
Receiver Sensitivity           -70 dBm for BER = 0.1%

A block diagram of a Bluetooth transceiver is shown in Figure 15.17. It's divided into three basic parts: RF, baseband, and application software. A Bluetooth chip set will usually include the RF and baseband parts, with the application software being contained in the system's computer or controller. The user data stream originates and terminates in the application software. The baseband section manipulates the data and forms frames or data bursts for transmission. It also controls the frequency synthesizer according to the Bluetooth frequency-hopping protocol. The blocks in Figure 15.17 are general, and various transmitter and receiver configurations are adopted by different manufacturers.
The Gaussian low-pass filter block before the modulator, for example, may be implemented digitally as part of a complex signal I/Q modulation unit, or it may be a discrete element filter whose output is applied to the frequency control line of a VCO. Similarly, the receiver may be one of several types, as discussed in Chapter 6. If a superheterodyne configuration is chosen, the filter at the output of the downconverter will be a bandpass type. A direct conversion receiver will use low-pass filters in the complex I and Q outputs of the downconverter. While different manufacturers employ a variety of methods to implement the Bluetooth radio, all must comply with the same strictly defined Bluetooth specification, and therefore the actual configuration used in a particular chipset should be of little concern to the end user.

[Figure 15.17: Bluetooth Transceiver. The application software exchanges TX/RX data with the baseband (encryption; error correction and detection; scrambling; packet formation), which controls the frequency synthesizer and its reference. Transmit path: Gaussian low-pass filter, FM modulator, PA, bandpass filter. Receive path: LNA, downconverter, filter, FM detector.]

The Bluetooth protocol has a fixed time slot of 625 microseconds, which is the inverse of the hop rate given in Table 15.5. A transmission burst may occur within a duration of one, three, or five consecutive slots on one hop channel. As mentioned, transmissions are always between the piconet master and a slave, or several slaves in the case of a broadcast, or point-to-multipoint, transmission. All slaves in the piconet have an internal timer synchronized to the master device timer, and the state of this timer determines the transmission hop frequency of the master and that of the response of a designated slave. Figure 15.18 shows a sequence of transmissions between a master and two slaves. Slots are numbered according to the state, or phase, of the master clock, which is copied to each slave when it joins the piconet.
Note that master transmissions take place during even-numbered clock phases and slave transmissions during odd-numbered phases. Transmission frequency depends on the clock phase, and if a device makes a three- or five-slot transmission (slave 2 in the diagram), the intermediate frequencies that would have been used if only single slots were transmitted are omitted (f4 and f5 in this case). Note that transmissions do not take up a whole slot. Typically, a single-slot transmission burst lasts 366 microseconds, leaving 259 microseconds for changing the frequency of the synthesizer, phase-locked loop settling time, and for switching the transceiver between transmit and receive modes.

[Figure 15.18: Bluetooth Timing. Slots 0 to 7 of the master clock: the master sends on f0, f2 and f6 in even slots, slave 1 answers on f1 and f7, and slave 2 sends one multi-slot packet on f3 that spans slots 3 to 5.]

There are two different types of wireless links associated with a Bluetooth connection. An asynchronous connectionless link (ACL) is used for packet data transfer while a synchronous connection-oriented link (SCO) is primarily for voice. There are two major differences between the two link types. When an SCO link is established between a master and a slave, transmissions take place on dedicated slots with a constant interval between them. Also, unlike on an ACL link, transmitted frames are not repeated in the case of an error in reception. Both of these conditions are necessary because voice is a continuous real-time process whose data rate cannot be randomly varied without affecting intelligibility. On the other hand, packet data transmission can use a handshaking protocol to regulate data accumulation, and the instantaneous rate is not usually critical. Thus, for ACL links the master has considerable leeway in proportioning data transfer with the slaves in its network. An ARQ (automatic repeat request) protocol is always used, in addition to optional error correction, to ensure the highest reliability of the data transfer.
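The slot rules just described, as an added example (not the book's code): a small scheduler that enforces the even/odd slot assignment and the 1/3/5-slot lengths, records which hop frequencies a multi-slot packet skips, and reproduces the exchange of Figure 15.18. The hop sequence f0..f7 is a constructed stand-in for the address- and clock-derived sequence the real protocol uses; the packet start slots are the figure's.

```python
"""Slot and hop-frequency bookkeeping for a Bluetooth piconet (Figure 15.18):
625 us slots numbered by the master clock, master packets start in even slots
and slave packets in odd ones, and a 3- or 5-slot packet stays on the frequency
of its first slot, so the hops its remaining slots would have used are skipped.
Added example; the hop sequence here is a constructed stand-in."""

SLOT_US = 625            # 1 / (1600 hops per second)
BURST_US = 366           # typical single-slot burst; the rest is retuning and TX/RX switching
VALID_LENGTHS = (1, 3, 5)

def turnaround_us():
    """Time left in a slot after the burst for synthesizer retune and PLL settling."""
    return SLOT_US - BURST_US

def hop_frequency(slot, sequence):
    """Frequency used by a packet that begins in `slot` (constructed sequence)."""
    return sequence[slot % len(sequence)]

def check_packet(slot, sender, length):
    """Enforce the slot-parity and packet-length rules; raise ValueError on violation."""
    if length not in VALID_LENGTHS:
        raise ValueError(f"packet length {length} slots is not 1, 3 or 5")
    is_master = sender == "master"
    if is_master != (slot % 2 == 0):
        raise ValueError(f"{sender} cannot start a packet in slot {slot}")

def schedule(packets, sequence):
    """packets: list of (start_slot, sender, length_in_slots).
    Returns [(start_slot, sender, frequency, skipped_frequencies)] in slot order,
    rejecting parity violations and packets that overlap one still on the air."""
    result, busy_until = [], -1
    for slot, sender, length in sorted(packets):
        check_packet(slot, sender, length)
        if slot <= busy_until:
            raise ValueError(f"slot {slot} overlaps a packet still on the air")
        skipped = [hop_frequency(s, sequence) for s in range(slot + 1, slot + length)]
        result.append((slot, sender, hop_frequency(slot, sequence), skipped))
        busy_until = slot + length - 1
    return result

# Constructed reproduction of Figure 15.18: frequencies f0..f7 for slots 0..7.
FIG_15_18_SEQUENCE = [f"f{i}" for i in range(8)]
FIG_15_18_PACKETS = [(0, "master", 1), (1, "slave1", 1), (2, "master", 1),
                     (3, "slave2", 3), (6, "master", 1), (7, "slave1", 1)]

def figure_15_18():
    return schedule(FIG_15_18_PACKETS, FIG_15_18_SEQUENCE)
```

The three-slot packet from slave 2 occupies slots 3 to 5 on f3, so f4 and f5 are never transmitted and the master's next packet in slot 6 goes out on f6, exactly as the figure shows.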
Bluetooth was conceived for employment in mobile and portable devices, which are more likely than not to be powered by batteries, so power consumption is an important issue. In addition to achieving low power consumption through relatively low transmitting power levels, Bluetooth incorporates power-saving features in its communication protocol. Low average power is achieved by reducing the transmission duty cycle and putting the device in a low-power standby mode for as long a period as possible relative to transmit and receive times, while still maintaining the minimum data flow requirements. Bluetooth has three modes for achieving different degrees of power consumption during operation: sniff, hold, and park. Even in the normal active mode, some power saving can be achieved, as described below.

Active Mode: During normal operation, a slave can transmit in a particular time slot only if it is specifically addressed by the master in the preceding slot. As soon as it sees that its address is not contained in the header of the master's message, it can "go to sleep," or enter a low-power state until it's time for the next master transmission. The master also indicates the length of its transmission (one, three, or five slots) in its message header, so the slave can extend its sleep time during a multiple-slot interval.

Sniff Mode: In this mode, sleep time is increased because the slave knows in advance the time interval between slots during which the master may address it. If it's not addressed during the agreed slot, it returns to its low-power state for the same period and then wakes up and listens again. When it is addressed, the slave continues listening during subsequent master transmission slots as long as it is addressed, or for an agreed time-out period.

Hold Mode: The master can put a slave in the hold mode when data transfer between them is being suspended for a given period of time.
The slave is then free to enter a low-power state, or do something else, like participate in another piconet. It still maintains its membership in the original piconet, however. At the end of the agreed time interval, the slave resynchronizes with the traffic on the piconet and waits for instructions from the master.

Park Mode: Park has the greatest potential for power conservation, but unlike a slave in hold or sniff mode, a parked slave is not a directly addressable member of the piconet. While it is outside of direct calling, a slave in park mode can continue to be synchronized with the piconet and can rejoin it later, either on its own initiative or that of the master, in a manner that is faster than if it had to join the piconet from scratch. In addition to saving power, park mode can also be considered a way to virtually increase the network's capacity from eight devices to 255, or even more. When entering park mode, a slave gives up its active piconet address and receives an 8-bit parked member address. It goes into low-power mode but wakes up from time to time to listen to the traffic and maintain synchronization. The master sends beacon transmissions periodically to keep the network active. Broadcast transmissions to all parked devices can be used to invite any of them to rejoin the network. Parked units themselves can request re-association with the active network by way of messages sent during an access window that occurs a set time after what is called a "beacon instant." A polling technique is used to prevent collisions.

15.2.1 Packet Format

In addition to the data that originates in the high-level application software, Bluetooth packets contain fields of bits that are created in the baseband hardware or firmware for the purpose of acquisition, addressing, and flow control. Packet bits are also subjected to data whitening (randomization), error-correction coding, and encryption as defined for each particular data type. Figure 15.19 shows the standard packet format.
[Figure 15.19: Bluetooth Packet. Access code (72 bits), header (54 bits), payload (0 to 2745 bits).]

The access code is used for synchronization, d-c level compensation, and identification. Each Bluetooth device has a unique address, and it is the address of the device acting as master that is used to identify transmitted packets as belonging to a specific piconet. A 64-bit synchronization word, sandwiched between a four-bit preamble and a four-bit trailer which provide d-c compensation, is derived from the master's address. This word has excellent correlation properties, so when it is received by any of the piconet members it provides synchronization and positive identification that the packet of which it is a part belongs to their network. All message packets sent by members of the piconet use the same access code.

The header contains six fields with link control information. First, it has a three-bit active member address which identifies to which of the up to seven slaves a master's message is destined. An all-zero address signifies a broadcast message to all slaves in the piconet. The next field has four bits that define the type of packet being sent. It specifies, for example, whether one, three, or five slots are occupied, and the level of error correction applied. The remaining fields involve flow control (handshaking), error detection and sequencing. Since the header has prime importance in the packet, it is protected by a rate-1/3 repetition code: every header bit is transmitted three times. Following the header in the packet is the payload, which contains the actual application or control data being transferred between Bluetooth devices. The contents of the payload field depend on whether the link is an ACL or SCO. The payload of ACL links has a payload header field that specifies the number of data bytes and also has a handshaking bit for data-buffering control.
A CRC (cyclic redundancy check) field is included for data integrity. As stated above, SCO links don't retransmit packets, so they don't include a CRC. They don't need a payload header either, because the SCO payload has a constant length. The previous packet description covers packets used to transfer user data, but other types of packets exist. For example, the minimum-length packet contains only the access code, without the four-bit trailer, for a total of 68 bits. It's used in the inquiry and paging procedures for initial frequency-hopping synchronization. There are also NULL and POLL packets that have an access code and header but no payload. They're sent when slaves are being polled to maintain synchronization, or to confirm packet reception (in the case of NULL), when there is no data to be transferred.

15.2.2 Error Correction and Encryption

The use of forward error correction (FEC) improves throughput on noisy channels because it reduces the number of bad packets that have to be retransmitted. In the case of SCO links, which don't use retransmission, FEC can improve voice quality. However, error correction involves bit redundancy, so using it on relatively noiseless links will decrease throughput. Therefore, the application decides whether to use FEC or not. As already mentioned, there are various types of packets, and the packet type defines whether or not FEC is used. The most redundant FEC method is always used in the packet header, and for the payload in one type of SCO packet. It simply repeats each bit three times, allowing the receiver to decide on the basis of majority rule what data bit to assign to each group of incoming bits. The other FEC method, applied in certain ACL and SCO packet types, uses what's called a (15, 10) shortened Hamming code. For every ten data bits, five parity bits are generated.
Since out of every 15 transmitted bits only ten carry data, the data rate is only two-thirds what it would be without coding. This code can correct all single errors and detect all double errors in each 15-bit code word.

Wireless communication is susceptible to eavesdropping, so Bluetooth incorporates optional security measures for authentication and encryption. Authentication is a procedure for verifying that received messages are actually from the party we expect them to be from and not from an outsider who is inserting false messages. Encryption prevents an eavesdropper from understanding intercepted communications, since only the intended recipient can decipher them. Both authentication and encryption are implemented in the same way. They involve the creation of secret keys that are generated from the unique Bluetooth device address, a PIN (personal identification number) code, and a random number derived from a random or pseudo-random process in the Bluetooth unit. Random numbers and keys are changed frequently. The length of a key is a measure of the difficulty of cracking a code. Authentication in Bluetooth uses a 128-bit key, but the key size for encryption is variable and may range from 8 to 128 bits. Because the encryption key length is negotiated between the two units, the strength of a link is set by the shortest key either side will accept, not by the 128-bit maximum: an 8-bit key has only 256 possible values and can be searched exhaustively.

15.2.3 Inquiry and Paging

A distinguishing feature of Bluetooth is its ad hoc protocol: connections are often required between devices that have no previous knowledge of each other's nature or address. Also, Bluetooth networks are highly volatile in comparison to a WLAN, for example, and connections are made and dissolved with relative frequency. To make a new connection, the initiator—the master—must know the address of the new slave, and the slave has to synchronize its clock to the master's in order to align transmit and receive channel hop timing and frequencies. The inquiry and paging procedures are used to create the connections between devices in the piconet.
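Returning to the two FEC schemes of Section 15.2.2, the following added example (not the book's own code) implements both: the rate-1/3 repetition code with majority decoding, sized for the 54-bit header, and a (15,10) code built from the generator polynomial g(D) = (D+1)(D^4+D+1) that the Bluetooth core specification uses for this code (the page does not give the polynomial). The systematic bit layout of the 15-bit word (ten data bits, then five parity bits) is an assumption of the example and not the specification's over-the-air bit order; the single-error correction and double-error detection the text describes hold regardless of that layout.

```python
"""Bluetooth baseband FEC from Section 15.2.2: the rate-1/3 repetition code used
on the packet header and the (15,10) code used on some ACL/SCO payloads.
Bit-level polynomial arithmetic over GF(2); no dependencies.  Added example."""

HEADER_BITS = 18          # 18 header bits x 3 = the 54-bit header of Figure 15.19

def repeat3_encode(bits):
    """Rate 1/3: send each bit three times in a row."""
    return [b for b in bits for _ in range(3)]

def repeat3_decode(coded):
    """Majority vote over each group of three; corrects any single error per group."""
    return [1 if sum(coded[i:i + 3]) >= 2 else 0 for i in range(0, len(coded), 3)]

# g(D) = (D+1)(D^4+D+1) = D^5 + D^4 + D^2 + 1, as a bit mask with D^5 on top.
GEN = 0b110101
PARITY = 5                # degree of g(D): five parity bits per ten data bits

def poly_mod(value, width):
    """Remainder of a `width`-bit polynomial over GF(2) modulo g(D)."""
    for i in range(width - 1, PARITY - 1, -1):
        if value >> i & 1:
            value ^= GEN << (i - PARITY)
    return value

def hamming_enc(data10):
    """Systematic 15-bit codeword: data in the top 10 bits, parity in the low 5
    (layout chosen for this example)."""
    assert 0 <= data10 < 1 << 10
    shifted = data10 << PARITY
    return shifted | poly_mod(shifted, 15)

# syndrome -> bit position for every single-bit error pattern (15 distinct values)
_SINGLE = {poly_mod(1 << pos, 15): pos for pos in range(15)}

def hamming_dec(word15):
    """Returns (data, status): status 0 = clean, 1 = one error corrected,
    2 = uncorrectable (a double error was detected; data is None).
    Minimum distance 4 guarantees a double-error syndrome is non-zero and never
    collides with a single-error syndrome."""
    syndrome = poly_mod(word15, 15)
    if syndrome == 0:
        return word15 >> PARITY, 0
    if syndrome in _SINGLE:
        return (word15 ^ (1 << _SINGLE[syndrome])) >> PARITY, 1
    return None, 2

def fec_rate():
    """Data bits per transmitted bit for the (15,10) code."""
    return 10 / 15
```

A decoder that reports status 2 is what lets the ARQ layer ask for a retransmission instead of passing corrupted payload upward; the repetition code, by contrast, silently mis-decodes a group hit by two errors.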
By use of the inquiry procedure, a connection initiator creates a list of Bluetooth devices within range. Later, desired units can be summoned into the piconet of which the initiator is master by means of the paging routine. As mentioned previously, the access code contains a synchronization word based on the address of the master. During inquiry, the access code is a general inquiry access code (GIAC) formed from an address reserved for this purpose. Dedicated inquiry access codes (DIAC) can also be used when the initiator is looking only for certain types of devices. Now a potential slave can lock on to the master, provided it is receiving during the master's transmission time and on the transmission frequency. To facilitate this match-up, the inquiry procedure uses a special frequency hop routine and timing. Only 32 frequency channels are used, and the initiator transmits two burst hops per standard time slot instead of one. On the slot following the inquiry transmission bursts, the initiator listens for a response from a potential slave on two consecutive receive channels whose frequencies depend on the previously transmitted frequencies. When a device is making itself available for an inquiring master, it remains tuned to a single frequency for a period of 1.28 seconds and, at a defined interval and duration, scans the channel for a transmission. At the end of the 1.28-second period, it changes to another channel frequency. Since the master is sending bursts over the whole inquiry frequency range at a fast rate—two bursts per 1250 microsecond interval—there's a high probability the scanning device will catch at least one of the transmissions while it remains on a single frequency. If that channel happens to be blocked by interference, then the slave will receive a transmission after one of its subsequent frequency changes.
When the slave does hear a signal, it responds during the next slot with a special packet called FHS (frequency hop synchronization), which contains the slave's Bluetooth address and the state of its internal clock register. The master does not respond but notes the slave's particulars and continues inquiries until it has listed the available devices in its range. The protocol has provisions for avoiding collisions between several scanning devices that may have detected the master on the same frequency at the same time. The master makes the actual connection with a new device appearing in its inquiry list using the page routine. The paging procedure is quite similar to that of the inquiry. However, now the master knows the paged device's address and can use it to form the synchronization word in its access code. The designated slave does its page scan while expecting the access code derived from its own address. The hopping sequence is different during paging than during inquiry, but the master's transmission bursts and the slave's scanning routine are very similar. A diagram of the page state transmissions is given in Figure 15.20. When the slave detects a transmission from the master (Step 1), it responds with a burst of access code based on its own Bluetooth address (Step 2). The master then transmits the FHS (Step 3), giving the slave the access code information (based on the master's address), timing and piconet active member address (between one and seven) needed to participate in the network. The slave acknowledges FHS receipt in Step 4. Steps 5 and 6 show the beginning of the network transmissions, which use the normal 79-channel hopping sequence based on the master's address and timing.
[Figure 15.20: Paging Transmissions. Steps 1 to 6 between master and slave as described above; the FHS packet, a "not received" case, and the transition to normal traffic are marked.]

15.3 Zigbee

Zigbee is the name of a standards-based wireless network technology that addresses remote monitoring and control applications. Its promotion and development is being handled on two levels. A technical specification for the physical and data link layers, IEEE 802.15.4, was drawn up by a working group of the IEEE as a low data rate WPAN (wireless personal area network). An association of committed companies, the Zigbee Alliance, is defining the network, security, and application layers above the 802.15.4 physical and medium access control layers, and will deal with interoperability certification and testing. The distinguishing features of Zigbee to which the IEEE standard addresses itself are:

• Low data rates—throughput between 10 and 115.2 Kbps
• Network topology appropriate for multisensor monitoring and control applications
• Low power consumption—several months up to two years on standard primary batteries
• Low complexity for low cost and ease of use
• Very high reliability and security

These will lend themselves to wide-scale use embedded in consumer electronics, home and building automation and security systems, industrial controls, PC peripherals, medical and industrial sensor applications, toys and games and similar applications. It's natural to compare Zigbee with the other WPAN standard, Bluetooth, and there will be some overlap in implementations. However, the two systems are quite different, as is evident from the comparison in Table 15.6.

15.3.1 Architecture

The basic architecture of Zigbee is similar to that of other IEEE standards, Wi-Fi and Bluetooth for example, a simplified representation of which is shown in Figure 15.21. On the bottom are the physical layers, showing two alternative options for the RF transceiver functions of the specification.
The two options are not expected to coexist in a single device, and indeed their transmission characteristics—frequencies, data rates, modulation system—are quite different. However, the embedded firmware and software layers above them will be essentially the same no matter which physical layer is applied. Just above the physical layer is the data link layer, consisting of two sublayers: medium access control, or MAC, and logical link control, LLC. The MAC is responsible for management of the physical layer, and among its functions are channel access, keeping track of slot times, and message delivery acknowledgement. The LLC is the interface between the MAC and physical layers and the upper application software.

Table 15.6: Comparison of Zigbee and Bluetooth

Characteristic         Bluetooth                                             Zigbee
Transmission Scheme    FHSS (Frequency Hopping Spread Spectrum)              DSSS (Direct Sequence Spread Spectrum)
Modulation             GFSK (Gaussian Frequency Shift Keying)                QPSK (Quadrature Phase Shift Keying) or BPSK (Binary Phase Shift Keying)
Frequency Band         2.4 GHz                                               2.4 GHz, 915 MHz, 868 MHz
Raw Data Bit Rate      1 Mbps                                                250 kbps, 40 kbps or 20 kbps (depends on frequency band)
Power Output           Maximum 100 mW, 2.5 mW, or 1 mW, depending on class   Minimum capability 0.5 mW; maximum as allowed by local regulations
Minimum Sensitivity    -70 dBm for 0.1% BER                                  -85 dBm (2.4 GHz) or -92 dBm (915/868 MHz) for packet error rate 1%
Network Topology       Master-slave, 8 active nodes                          Star or peer-to-peer, 255 active nodes

[Figure 15.21: Zigbee Architecture. From top: application layers; data link layer with LLC (logical link control) over MAC (medium access control); physical layer with two alternative PHYs, 868/915 MHz and 2450 MHz; transmission medium.]

Application software is not a part of the IEEE 802.15.4 specification, and it is expected that the Zigbee Alliance will prepare profiles, or programming guidelines and requirements for various functional classes, in order to assure
product interoperability and vendor independence. These profiles will define network formation, security, and application requirements while keeping in mind the basic Zigbee features of low power and high reliability. 15.3.2 Communication Characteristics In order to achieve high flexibility of adaptation to the range of applications envisioned for Zigbee, operation is being specified for three unlicensed bands—2.4 GHz, 915 MHz and 868 MHz, the latter two being included in the same physical layer. Those two bands are generally mutually exclusive, their use being determined by geographic location and regional regulations. The following 27 transmitting channels are defined: Channel Number 0 Center Frequency Range 868.3 MHz 1 to 10 906 to 924 MHz 2 MHz 2405 to 2480 5 MHz 11 to 27 Channel Width 600 kHz Data rates and modulation types for each of the bands are shown in Table 15.7. Table 15.7: Data Rates and Modulation PHY (MHz) (MHz) 868/915 Frequency Band (MHz) 868–868.6 902–928 2450 2400–2483.5 Spreading Parameters Chip Rate Modulation (kcps) 300 BPSK 600 BPSK 2000 OffsetQPSK Data Parameters Symbol Symbols Rate (ksps) 20 20 Binary Bit Rate (kbps) 40 250 40 Binary 62.5 16-ary Orthogonal In both physical layers, the modulation is DSSS (direct sequence spread spectrum). The spreading parameters are defined to meet communication authority regulations in the various regions as well as desired data rates. For example, the chip rate of 600 Kbps on the 902–928 band allows the transmission to meet the FCC paragraph 15.247 requirement of minimum 500 kHz bandwidth at 6 dB down for digital modulation. However the chip rate, and with it the data rate, has to be reduced on Channel 0 in order to meet the confines of the 868 to 868.6 MHz channel allowed under ERC recommendation 70–03 and ETSI specification EN 300–220. On the 2400 to 2483.5 MHz band, the bit rate of 250 Kbps allows a throughput, after www. 
ne w n e s p res s .c o m Applications and Technologies 513 considering the overheads involved in packet transmissions, to attain 115.2 Kbps, a rate used for some PC peripherals for example. The spreading modulation used on the 2450 MHz physical layer has similarity in principle to that used on IEEE 802.11b (high-rate Wi-Fi) to increase the data bit rate without raising the chip rate, thereby achieving a desired carrier bandwidth. Sixteen different, almost orthogonal 32-bit long spreading sequences are available for transmission at 2 Mchips/second. Each consecutive sequence of four data bits determines which of the sixteen spreading sequences is sent. On reception, the receiver can identify the spreading sequence and thus decode the data bits. The modulation used, O-QPSK (offset quadrature phase shift keying) with half-sine wave pulse shaping is essentially equivalent to a form of frequency shift keying, MSK (minimum shift keying). It is fairly easy to generate and has a relatively narrow bandwidth for the given chip rate. This latter feature allows a large number of nonoverlapping channels that can be used, with proper upper layer software, on the crowded 2.4 GHz band to avoid interference. Other physical layer characteristics of Zigbee are output power and receiver sensitivity. The devices must be capable of radiating at least 00033 dBm although output may be reduced to the minimum necessary in order to limit interference to other users. Maximum power is determined by the regulatory authorities. While much higher powers are allowed, it may not be practical to transmit over, say 10 dBm, because of absolute limits on spurious radiation and the general objective of low-cost and low-power consumption. Minimum receiver sensitivity for the 868/915 MHz physical layer is specified as 000392 dBm and 000385 dBm on 2.4 GHz. These limits are for a packet error rate of one percent. 15.3.3 Device Types and Topologies Two device types, of different complexities, are defined. 
A full function device (FFD) will be able to implement the full protocol set and can act as a network coordinator. Devices capable of minimal protocol implementation are reduced function devices (RFD). Due to the distinction between device types, networks in which most members require only minimum functionality, such as switches and sensors, can be made significantly less costly and have lower power consumption than if all devices were constrained to have maximum capability.

Flexibility in network configuration is achieved through two topologies, star and peer-to-peer, that are depicted in Figure 15.22. A network may have as many as 255 members, one of which is a PAN (personal area network) coordinator. The function of the PAN coordinator, in addition to any specific application it may have, is to initiate, terminate, or route communication around the network. It also provides synchronization services. In a star network, each device communicates directly with the coordinator. The coordinator must be an FFD, and the others can be FFDs or RFDs. Relatively simple applications, like PC peripherals and toys, would typically use the star topology.

Figure 15.22: Network Topologies (star topology and peer-to-peer topology; two-way communication links; the PAN coordinator is an FFD, other nodes are RFDs or FFDs)

In the peer-to-peer topology, any device can communicate with any other device as long as it is in range. RFDs cannot participate, since an RFD can only communicate with an FFD. More complicated structures can be set up as a combination of peer-to-peer groups and star configurations. There is still just one PAN coordinator in the whole network. One example of such a structure is the cluster-tree network shown in Figure 15.23. In this arrangement, devices on the network extremities may well be out of radio range of each other, but they can still communicate by relaying messages through the individual clusters.
Figure 15.23: Cluster-Tree Topology

15.3.4 Frame Structure, Collision Avoidance, and Reliability

Zigbee frame construction and channel access are similar to those of WLAN 802.11 (Wi-Fi) but are less complex. The transmitted packet has the basic construction shown in Figure 15.24. The purpose of the preamble is to permit acquisition of chip and symbol timing. The PHY header, which is signaled by a delimiter byte, notifies the baseband software in the receiver of the length of the subsequent data. The PSDU (PHY service data unit) is the message that has been passed down through the higher protocol layers. As shown, it can have a maximum of 127 bytes, although the messages of monitoring and control applications will typically be much shorter. Included in the PSDU are information on the format of the message frame, a sequence number, address information, the data payload itself, and at the end, two bytes that serve as a frame check sequence. Reliability is assured since the receiver performs an independent calculation of this frame check sequence and compares it with the number received. If any bits have been changed by interference or noise, the numbers will not match. Only if a match occurs does the receiving side return an acknowledgement to the originator of the message. Lacking an acknowledgement, the transmission will be repeated until it is successfully received.

Figure 15.24: Transmission Packet (Preamble, 32 bits; Start-of-frame delimiter, 8 bits; Frame length, 8 bits; PSDU, PHY service data unit, 127 bytes maximum)

In order to avoid two or more stations trying to transmit at the same time, a carrier sense multiple access with collision avoidance (CSMA-CA) routine is employed, similar to that used in Wi-Fi, IEEE 802.11. The Zigbee receiver monitors the channel, and only if it is idle may the device initiate a transmission. If the channel is occupied, the terminal must wait a random backoff period before it can again attempt access.
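The frame check sequence step described above, carried through in code: the transmitter appends the two-byte check, the receiver recomputes it and acknowledges only on a match. This is an added example, not code from the book or from the IEEE 802.15.4 specification. It assumes the 16-bit ITU-T CRC that IEEE 802.15.4 uses (the page itself only says "two bytes"), a little-endian byte order for the trailing FCS, and a constructed sample frame whose field layout is illustrative rather than the standard's MAC header encoding:

```python
"""Frame check sequence as the acknowledge / do-not-acknowledge decision.

Added example; the CRC parameters and FCS byte order are assumptions,
the sample frame is constructed.
"""


def crc16_itu(data: bytes) -> int:
    """Reflected (LSB-first) CRC-16, generator x^16 + x^12 + x^5 + 1,
    initial value 0, no final XOR. Check value for b"123456789" is 0x2189."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF


PSDU_MAX = 127   # maximum PSDU length in bytes, from the text


def build_psdu(frame_control: bytes, seq: int, addr: bytes, payload: bytes) -> bytes:
    """Transmitter: frame format field + sequence number + address + payload,
    then the two-byte FCS over everything before it. Field layout is
    illustrative only; little-endian FCS order is an assumption."""
    body = frame_control + bytes([seq & 0xFF]) + addr + payload
    psdu = body + crc16_itu(body).to_bytes(2, "little")
    if len(psdu) > PSDU_MAX:
        raise ValueError(f"PSDU of {len(psdu)} bytes exceeds {PSDU_MAX}")
    return psdu


def check_psdu(psdu: bytes) -> bool:
    """Receiver: recompute the FCS over all but the last two bytes and compare.
    True means the frame is acknowledged; False means no ACK is returned, so
    the originator will repeat the transmission."""
    if len(psdu) < 3:
        return False
    return crc16_itu(psdu[:-2]) == int.from_bytes(psdu[-2:], "little")


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate interference or noise changing one bit in flight."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed sample frame (all values made up for the example).
SAMPLE = build_psdu(frame_control=b"\x41\x88", seq=0x2A,
                    addr=b"\x34\x12\x01\x00", payload=b"temp=21.5")

if __name__ == "__main__":
    print("clean frame acknowledged:    ", check_psdu(SAMPLE))
    print("corrupted frame acknowledged:", check_psdu(flip_bit(SAMPLE, 37)))
```

Any single changed bit, whether in the payload or in the FCS bytes themselves, changes the computed value, so the frame goes unacknowledged and is retransmitted. The check only covers the integrity against noise and interference that the text describes; a CRC is not a cryptographic authenticator and says nothing about which device sent the frame, which is why the security layer above 802.15.4 is a separate concern.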
Acknowledgement messages are sent without using the collision avoidance mechanism.

15.3.5 Zigbee Applications

While the promoters of Zigbee aim to cover a very large market for those applications that require relatively low data rates, there will remain applications for which the compromises inherent in a general specification are not acceptable, and producers will continue to develop devices with proprietary specifications and characteristics. However, the open specification and a recognized certification of conformity are an advantage in many situations. For example, a home burglar alarm system would accept wireless sensors produced by different manufacturers, which will facilitate future expansion or allow installers to add sensors of types not available from the original system manufacturer. Use of devices approved according to a recognized standard gives the consumer some security against obsolescence.

Although Zigbee claims to be appropriate for most control applications, it will not fit all of them, and will not necessarily take advantage of all the possibilities of the unlicensed device regulations. Its declared maximum range of some 50 to 75 meters will fall short of the requirements of many systems. Given the meager maximum power allowed, greater range means reduced bandwidth and reduced data rate. In fact, a great many of the applications envisaged by Zigbee can get by very well with data rates of hundreds or a few thousand bits per second, and by matching receiver sensitivity to these rates, ranges of hundreds of meters can be achieved.

One partial answer to the range question is the deployment of the Zigbee network in a cluster-tree configuration, as previously described. Adjacent nodes serve as repeaters so that large areas can be covered, as long as the greatest distance between any two directly communicating nodes does not exceed Zigbee's basic range capability.
For example, in a multi-floor building, sensors on the top floor can send alarms to the control box in the basement by passing messages through sensors located on every floor and operating as relay stations. No doubt there will be competition between Bluetooth and Zigbee for use in certain applications, but the overall deployment and the reliability of wireless control systems will increase. The proportion of wireless security and automation systems will increase because the new standard will provide a significant boost in reliability, security, and convenience, as compared to most present solutions.

15.4 Conflict and Compatibility

With the steep rise of Bluetooth product sales and the already large and growing use of wireless local area networks, there is considerable concern about mutual interference between Bluetooth-enabled and Wi-Fi devices. Both occupy the 2.4 to 2.4835 GHz unlicensed band and use wideband spread-spectrum modulating techniques. They will most likely be operating concurrently in the same environments, particularly office/commercial but also in the home. Interference can occur when a terminal of one network transmits on or near the receiving frequency of a terminal in another collocated network with enough power to cause an error in the data of the desired received signal.

Although they operate on the same frequency band, the Bluetooth and Wi-Fi signals are very different in nature. Bluetooth has a narrowband transmission of 1 MHz bandwidth which hops around pseudo-randomly over an 80 MHz band, while Wi-Fi (using DSSS) has a broad, approximately 20 MHz, bandwidth that is constant in some region of the band. The interference phenomenon is apparent in Figure 15.25. Whenever there is a frequency and time coincidence of the transmission of one system and reception of the other, it's possible for an error to occur. Whether it does or not depends on the relative signal strengths of the desired and undesired signals.
These in turn depend on the radiated power outputs of the transmitters and the distance between them and the receiver. When two terminals are very close (on the order of centimeters), interference may occur even when the transmitting frequency is outside the bandwidth of the affected receiver.

Bluetooth and Wi-Fi systems are not synchronous, and interference between them has to be quantified statistically. We talk about the probability of a packet error of one system caused by the other system. The consequence of a packet error is that the packet will have to be retransmitted once or more until it is correctly received, which causes a delay in message throughput. Voice transmissions generally don't allow packet retransmission because throughput cannot be delayed, so interference results in a decrease in message quality.

Figure 15.25: Wi-Fi and Bluetooth Spectrum Occupation (frequency in MHz, 2400 to 2480, against time in ms; Wi-Fi occupies a fixed 20 MHz block while Bluetooth hops in 1 MHz channels)

Following are parameters that affect interference between Bluetooth and Wi-Fi:
• Frequency and time overlap. A collision occurs when the interferer transmits at the same time as the desired transmitter and is strong enough to cause a bit or symbol error in the received packet.
• Packet length. The longer the packet length of the Wi-Fi system, relative to a constant packet length and hop rate of Bluetooth, the longer the victim may be exposed to interference from one or more collisions and the greater the probability of a packet error.
• Bit rate. Generally, the higher the bit rate, the lower the receiver sensitivity and therefore the more susceptible the victim will be to packet error for given desired and interfering signal strengths. On the other hand, higher bit rates usually result in reduced packet length, with the opposite effect.
• Use factor. Obviously, the more often the interferer transmits, the higher the probability of packet error. When both communicating terminals of the interferer are in the interfering vicinity of the victim, the use factor is higher than if the terminals are further apart and one of them does not have adequate strength to interfere with the victim.
• Relative distances and powers. The received power depends on the power of the transmitter and its distance. Generally, Wi-Fi systems use more power than Bluetooth, typically 20 mW compared to 1 mW. Bluetooth Class 1 systems may transmit up to 100 mW, but their output is controlled to have only enough power to give a required signal level at the receiving terminal.
• Signal-to-interference ratio of the victim receiver, SIR, for a specified symbol or frame error ratio.
• Type of modulation, and whether error-correction coding is used.

A general configuration for the location of Wi-Fi and interfering Bluetooth terminals is given in Figure 15.26. In this discussion, only transmissions from the access point to the mobile terminal are considered. We can get an idea of the vicinity around the Wi-Fi mobile terminal in which operating Bluetooth terminals will affect transmissions from the access point to the mobile terminal by examining the following parameters:

$CI_{cc}$, $CI_{ac}$—Ratio of signal carrier power to co-channel or adjacent channel interfering power for a given bit or packet error rate (probability).
$P_{WF}$, $P_{BT}$—Wi-Fi and Bluetooth radiated power outputs.
$PL = K d^{r}$—Path loss, which is a function of the distance d between transmitting and receiving terminals and the propagation exponent r. K is a constant.
$d_1$—Distance between Wi-Fi mobile terminal and access point.
$d_2$—Radius of area around the mobile terminal within which an interfering Bluetooth transmitter signal will increase the Wi-Fi bit error rate above a certain threshold.
$P_{RWF}$, $P_{RBT}$—Received powers from the access point and from the Bluetooth interfering transmitters.
Figure 15.26: Importance of Relative Terminal Location (access point AP at distance d1 from the Wi-Fi mobile terminal MT; Bluetooth piconet terminals BT within radius d2 of the MT)

d2 as a function of d1 is found as follows, using power in dBm:

1) $P_{RWF} = P_{WF} - 10\log(K d_1^{\,r})$; $P_{RBT} = P_{BT} - 10\log(K d_2^{\,r})$
2) $CI_{cc} = P_{RWF} - P_{RBT} = P_{WF} - 10\log(K d_1^{\,r}) - P_{BT} + 10\log(K d_2^{\,r})$ (15.4)
3) $(CI_{cc} - P_{WF} + P_{BT})/(10r) = \log(d_2/d_1)$
4) $d_2 = d_1 \times 10^{(CI_{cc} - P_{WF} + P_{BT})/(10\,r)}$

As an example, the interfering area radius d2 is now calculated from equation (15.3) using the following system parameters:

$CI_{cc} = 10$ dB, $P_{WF} = 13$ dBm, $P_{BT} = 0$ dBm, $r = 2$ (free space) (15.5)

In this case, if a Wi-Fi terminal is located 15 meters from an access point, for example, all active Bluetooth devices within a distance of 10.6 meters from it have the potential of interfering. Only co-channel interference is considered. Adjacent channel interference, if significant, would increase packet error probability because many more Bluetooth hop channels would cause symbol errors. However, the adjacent channel $CI_{ac}$ is on the order of 45 dB lower than $CI_{cc}$ and would be noticed only when Bluetooth is several centimeters away from the Wi-Fi terminal. The effect of an environment where path loss is greater than in free space can be seen by using an exponent r = 3. For the same Wi-Fi range of 15 meters, the radius of Bluetooth interference becomes 11.9 meters.

While equation (15.3) does give a useful insight into the range where Bluetooth devices are liable to deteriorate Wi-Fi performance, its development did involve simplifications. It considered that the signal-to-interference ratio that causes the error probability to exceed a threshold is constant for all wanted signal levels, which isn't necessarily so. It also implies a step relationship between signal-to-interference ratio and performance degradation, whereas the effect of changing interference level is continuous.
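Equation (15.4) and the two numerical cases above (r = 2 and r = 3), evaluated in code. This is an added example, not the book's; beyond the text it assumes only K = 1 in the path-loss expression (K cancels in the carrier-to-interference ratio, so the value is immaterial) and a constructed set of Bluetooth output levels in the last function, chosen to show how power control, the subject of 15.4.1.1, shrinks the interference radius:

```python
"""Bluetooth-into-Wi-Fi interference radius, equation (15.4), in code.

Added example. K = 1 and the list of Bluetooth power levels are assumptions.
"""
import math


def path_loss_db(d_m: float, r: float, k: float = 1.0) -> float:
    """PL = 10 log10(K d^r) in dB. K = 1 is an assumption; it cancels below."""
    return 10 * math.log10(k * d_m ** r)


def received_power_dbm(p_tx_dbm: float, d_m: float, r: float) -> float:
    """Step 1 of (15.4): received power = radiated power minus path loss, in dBm."""
    return p_tx_dbm - path_loss_db(d_m, r)


def carrier_to_interference_db(d1_m, d2_m, p_wf_dbm, p_bt_dbm, r) -> float:
    """Step 2 of (15.4): CI_cc = P_RWF - P_RBT for a given geometry."""
    return received_power_dbm(p_wf_dbm, d1_m, r) - received_power_dbm(p_bt_dbm, d2_m, r)


def interference_radius_m(d1_m, ci_cc_db, p_wf_dbm, p_bt_dbm, r) -> float:
    """Step 4 of (15.4): d2 = d1 * 10^((CI_cc - P_WF + P_BT) / (10 r))."""
    return d1_m * 10 ** ((ci_cc_db - p_wf_dbm + p_bt_dbm) / (10 * r))


def radius_versus_bt_power(d1_m, ci_cc_db, p_wf_dbm, r, bt_powers_dbm):
    """Power-control view: interference radius for several Bluetooth output
    levels (constructed list), everything else held at the (15.5) values."""
    return {p: round(interference_radius_m(d1_m, ci_cc_db, p_wf_dbm, p, r), 1)
            for p in bt_powers_dbm}


# System parameters of (15.5): CI_cc, P_WF, P_BT and the Wi-Fi range d1.
CI_CC_DB, P_WF_DBM, P_BT_DBM, D1_M = 10.0, 13.0, 0.0, 15.0

if __name__ == "__main__":
    for r in (2, 3):
        d2 = interference_radius_m(D1_M, CI_CC_DB, P_WF_DBM, P_BT_DBM, r)
        ci = carrier_to_interference_db(D1_M, d2, P_WF_DBM, P_BT_DBM, r)
        print(f"r = {r}: d2 = {d2:.1f} m (CI at the boundary = {ci:.1f} dB)")
    # 20 dBm is the 100 mW Class 1 maximum, 0 dBm is 1 mW; -10 dBm is an assumed level
    print(radius_versus_bt_power(D1_M, CI_CC_DB, P_WF_DBM, 2, [20, 10, 0, -10]))
```

The boundary check in the loop closes the derivation: plugging the computed d2 back into step 2 returns exactly the 10 dB threshold. The last line shows why power control matters for coexistence: with the Wi-Fi terminal 15 m from its access point, a Bluetooth device at the Class 1 maximum of 20 dBm disturbs it from about 106 m away, while at 0 dBm the radius is the 10.6 m quoted in the text.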
The propagation law used in the development is also an approximation.

15.4.1 Methods for Improving Bluetooth and Wi-Fi Coexistence

By dynamically modifying one or more system operating parameters according to detected interference levels, coexistence between Bluetooth and Wi-Fi can be improved. Some of these methods are discussed below.

15.4.1.1 Power Control

Limiting transmitter power to the maximum required for a satisfactory level of performance will reduce interference to collocated networks. Power control is mandatory for Class 1 Bluetooth systems, where maximum power is 100 mW. The effect of the power on the interference radius is evident in equation (15.1). For example, in a Bluetooth piconet established between devices located over a spread of distances from the master, the master will use only the power level needed to communicate with each of the slaves in the network. Lack of power control would mean that all devices would communicate at maximum power and the collocated Wi-Fi system would be exposed to a high rate of interfering Bluetooth packets.

15.4.1.2 Adaptive Frequency Hopping

Wi-Fi and Bluetooth share approximately 25 percent of the total Bluetooth hop-span of 80 MHz. Probably the most effective way to avoid interference between the two systems is to restrict Bluetooth hopping to the frequency range not used by Wi-Fi. When there is no coordination or cooperation between collocated networks, the Bluetooth piconet master would have to sense the presence of Wi-Fi transmissions and modify the frequency-hopping scheme of the network accordingly. A serious obstacle to this method was lifted by a change to the FCC regulations governing spread-spectrum transmissions in the 2.4 GHz band. Previously, frequency hopping devices were committed to hopping over at least 75 pseudo-randomly selected hop channels.
In August 2002, paragraph 15.247, according to which Bluetooth and Wi-Fi devices are regulated, was changed to allow a minimum of 15 nonoverlapping channels in the 2400 to 2483 MHz band. In addition, the regulation allows employing intelligent hopping techniques, when less than 75 hopping frequencies are used, to avoid interference with other transmissions, and also suppression of transmission on an occupied channel provided that there are a minimum of 15 hops. The Bluetooth specification is due to be modified to take advantage of the adaptive frequency hopping method of avoiding interference.

There are situations where adaptive frequency hopping may not be effective or may have a negative effect. When two or more adjacent Wi-Fi networks are operating concurrently, they will utilize different 22 MHz sections of the 2.4 GHz band—three nonoverlapping Wi-Fi channels are possible. In this case, Bluetooth may not be able to avoid collisions while using a minimum of 15 hop frequencies. In addition, if there are several Bluetooth piconets in the same area, collisions among themselves will be much more frequent than when the full 79 channel hopping sequences are used.

15.4.1.3 Packet Fragmentation

The two interference-avoiding methods described above are applicable primarily for action by the Bluetooth network. One method that the Wi-Fi network can employ to improve throughput is packet fragmentation. By fragmenting data packets and sending more, but shorter, transmission frames, each transmission will have a lower probability of collision with a Bluetooth packet. Although reducing frame size increases the percentage of overhead bits in the transmission, when interference is heavy the overall effect may be higher throughput than if fragmentation were not used. Increasing bit rate for a constant packet length will also result in a shorter transmitted frame and less exposure to interference.
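The channel-count argument of 15.4.1.2, worked in code: how many Bluetooth hop channels remain once the 22 MHz occupied by each collocated Wi-Fi network is masked out, whether the regulatory minimum of 15 hops can still be met, and what share of hops can collide with Wi-Fi with and without adaptive hopping. This is an added example, not code from the book or from the Bluetooth specification. The 79 Bluetooth channel centres at 2402 + k MHz and the Wi-Fi channel centres 2412, 2437 and 2462 MHz (channels 1, 6 and 11) are standard values the page does not list, so treat them as the example's assumptions:

```python
"""Adaptive frequency hopping channel map against the 15-channel minimum.

Added example. Channel centre frequencies are assumptions (standard plans);
the 22 MHz Wi-Fi width and the minimum of 15 hops come from the text.
"""
BT_CHANNEL_MHZ = [2402 + k for k in range(79)]   # 79 hop channels of 1 MHz (assumed plan)
WIFI_WIDTH_MHZ = 22                              # width of one Wi-Fi network, from the text
MIN_HOP_CHANNELS = 15                            # minimum under amended FCC 15.247, from the text

# Centre frequencies of the three non-overlapping Wi-Fi channels 1, 6 and 11
# (standard values, not listed on the page; assumptions for this example).
WIFI_CH1, WIFI_CH6, WIFI_CH11 = 2412, 2437, 2462


def occupied_by_wifi(bt_mhz: int, wifi_centres) -> bool:
    """A hop channel counts as occupied if it lies within +/-11 MHz of a
    collocated Wi-Fi network's centre frequency."""
    return any(abs(bt_mhz - c) <= WIFI_WIDTH_MHZ // 2 for c in wifi_centres)


def usable_channels(wifi_centres):
    """Hop channel indices (0..78) left after masking out Wi-Fi occupancy."""
    return [k for k, f in enumerate(BT_CHANNEL_MHZ)
            if not occupied_by_wifi(f, wifi_centres)]


def afh_hop_set(wifi_centres):
    """Adaptive hop set: every usable channel; if fewer than the regulatory
    minimum remain, the lowest-numbered occupied channels are kept as well."""
    usable = usable_channels(wifi_centres)
    if len(usable) >= MIN_HOP_CHANNELS:
        return usable
    occupied = [k for k in range(len(BT_CHANNEL_MHZ)) if k not in usable]
    return sorted(usable + occupied[: MIN_HOP_CHANNELS - len(usable)])


def collision_fraction(hop_set, wifi_centres) -> float:
    """Share of hops that land inside a Wi-Fi network's band, i.e. the share of
    Bluetooth packets exposed to a collision with that network's frames."""
    hits = sum(occupied_by_wifi(BT_CHANNEL_MHZ[k], wifi_centres) for k in hop_set)
    return hits / len(hop_set)


def coexistence_report(wifi_centres):
    """Compare the full 79-channel sequence with the adaptive hop set."""
    full = list(range(len(BT_CHANNEL_MHZ)))
    adaptive = afh_hop_set(wifi_centres)
    return {
        "usable": len(usable_channels(wifi_centres)),
        "hops_used": len(adaptive),
        "collision_without_afh": round(collision_fraction(full, wifi_centres), 3),
        "collision_with_afh": round(collision_fraction(adaptive, wifi_centres), 3),
    }


if __name__ == "__main__":
    for networks in ([WIFI_CH1], [WIFI_CH1, WIFI_CH6], [WIFI_CH1, WIFI_CH6, WIFI_CH11]):
        print(len(networks), "Wi-Fi network(s):", coexistence_report(networks))
```

With one Wi-Fi network, 22 of the 79 channels are masked and roughly 28 percent of a full hopping sequence lands on it, matching the "approximately 25 percent" estimate in the text; the adaptive set avoids it entirely. With all three non-overlapping Wi-Fi channels in use only 11 channels remain, so the adaptive set must keep four occupied channels to reach the minimum of 15, and about a quarter of its hops still collide, which is the limitation the text describes.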
The methods mentioned above for reducing interference presume no coordination between the two different types of collocated wireless networks. However, devices are now being produced, in laptop and notebook computers for example, that include both Wi-Fi and Bluetooth, sometimes even in the same chipset. In this case collaboration is possible in the device software to prevent inter-network collisions.

15.5 Ultra-wideband Technology

Ultra-wideband (UWB) technology is based on transmission of very narrow electromagnetic pulses at a low repetition rate. The result is a radio spectrum that is spread over a very wide bandwidth—much wider than the bandwidth used in the spread-spectrum systems previously discussed. Ultra-wideband transmissions are virtually undetectable by ordinary radio receivers and therefore can exist concurrently with existing wireless communications without demanding additional spectrum or exclusive frequency bands. These are some of the advantages cited for ultra-wideband technology:
• Very low spectral density—very low probability of interference with other radio signals over its wide bandwidth
• High immunity to interference from other radio systems
• High multipath immunity
• Low probability of interception/detection by other than the desired communication link terminals
• Many high data rate ultra-wideband channels can operate concurrently
• Fine range-resolution capability
• Relatively simple, low-cost construction, based on nearly all-digital architectures

Transmission and reception methods are unique, and are described briefly below. Differing from conventional radio communication systems, which use up-conversion and down-conversion to pass information signals between baseband and the bandpass frequency channels where wireless propagation occurs, UWB signal generation and detection use baseband techniques. An example of a UWB "carrier" is a Gaussian monopulse, shown in Figure 15.27 [Ref. 15.2]. Its power spectrum is shown in Figure 15.28.
If the time scale in Figure 15.27 is in nanoseconds, then the width of the pulse is 0.5 nanoseconds and the 3 dB bandwidth of the power spectrum is approximately 3.2 GHz with maximum power density at 2 GHz.

Figure 15.27: UWB Monopulse (amplitude from −1 to 1 against time from −1 to 1)

Figure 15.28: Spectrum of Monopulse (power on a logarithmic scale from 10^−4 to 0.1 against frequency from 0 to 5)

In order to pass information over a UWB communication link, trains of pulses must be transmitted with some characteristic of a pulse or group of pulses varied in order to distinguish between "0" and "1." The time between consecutive pulses should be determined in a pseudorandom manner in order to smooth the energy spikes in the frequency spectrum. Reception of the transmitted pulse train is done by correlating the received signal with a similar sequence of pulses generated in the receiver. A large number of communication links can be maintained simultaneously and independently by using different pseudo-random sequences for each link.

A pulse similar to that of Figure 15.27 can be generated by applying an impulse, or perhaps more conveniently a step voltage or current, to a linear band-limited network. Figure 15.29 is a simulation of a sequence of UWB pulses created by stimulating a bandpass filter with a pseudo-randomly spaced sequence of impulses. The figure also shows the power spectrum of that sequence. The network that creates the individual UWB pulses includes the transmitter antenna, the propagation channel, and the receiving antenna, whose characteristics, in terms of impulse response or amplitude and phase vs. frequency, must be known and accounted for in designing the system.
Figure 15.29: Simulated Sequence of UWB Pulses (random data drives a 31-bit PN sequence and an impulse generator feeding a 4th-order Bessel bandpass filter; traces show a single pulse, the pulse train against time in nsec, and the spectrum analyzer display of power spectral density in dBm/Hz against frequency in GHz)

There are several ways of representing a UWB pulse as "1" or "0." One method is to advance or retard the transmitted pulse with respect to the expected time of arrival of the pulse in the receiver according to the agreed pseudo-random time sequence. Another method is to send the pulse with or without inversion. In both cases the correlation of the received pulse with a "template" pulse generated in the receiver will result in a different polarity, depending on whether a "1" or a "0" was transmitted.

Detection of UWB bits is illustrated in Figure 15.30. A "1" monopulse is represented by a negative line followed by a positive line, and a "0" monopulse by the inverse, a positive line and a negative line. The synchronized sequence generated in the receiver is drawn on the second line, and below it the result of the correlation operation $\int f(t)\, g(t)\, dt$, where f(t) is the received signal and g(t) is the locally generated sequence. By sampling this output at the end of each bit period and then resetting the correlator, the transmitted sequence is reconstructed in the receiver.

Figure 15.30: Detection of UWB Bit Sequence (sent bits 1 0 1 0 0 1 0 1 0; traces for the received signal, the local template, the correlator output, and the logic output)

As mentioned above, an individual bit can be represented by more than one sequential monopulse. Doing so increases the processing gain by the number of monopulses per bit. Processing gain is also an inverse function of the pulse duty cycle.
This is because, for constant average power, the power in the pulses contributing to each bit must be raised by (1/duty cycle). By gating out the noise except during the interval of the expected incoming pulse, the signal-to-noise ratio will only be a function of the power in the pulse, regardless of the duty cycle. An example may make the explanation clearer. Let's say we are sending data at a rate of 10 Mbps. A UWB pulse in the transmitter is 200 picoseconds wide; 20 pulses represent one bit. The time between bits is $1/(10 \times 10^{6}) = 100$ nanoseconds. So the time between pulses is (100 ns)/20 = 5 ns. The duty cycle is (200 ps)/(5 ns) = 1/25. Now the processing gain attributed to the number of UWB pulses per bit is 10 log(20) = 13 dB. That due to the duty cycle is 10 log(25) = 14 dB. Total processing gain is 13 + 14 = 27 dB.

A simplified block diagram of a UWB system is shown in Figure 15.31. A key to the generation of UWB pulses is the ability to create short impulse or step functions with rise times on the order of tens or at the most hundreds of picoseconds, and to detect the UWB pulses that result from their application. High speed integrated circuits can be employed, or special circuit elements, such as tunnel diodes or step recovery diodes, can be incorporated.

Figure 15.31: UWB Simplified Block Diagram (transmitter: data in, pseudo-random delay code, clock, pulse time modulator, pulse generator, shaping network; receiver: baseband mixer, integrator, sample and hold, acquisition and tracking, signal processing, data out, with its own pseudo-random delay code, clock, pulse time modulator and pulse generator)

Conditions for using UWB in Europe are also being considered by the European Union.
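Pulse-inversion signaling, the correlation detection of Figure 15.30, and the processing-gain arithmetic of the 10 Mbps example, carried through in code. This is an added example rather than the book's; the rectangular doublet standing in for the monopulse, the sample grid, the slot layout of the pseudo-random delay code, the random seeds and the noise level are all constructed for illustration:

```python
"""UWB bit detection by correlation against a coded local template, plus
the processing-gain figures of the text's 10 Mbps example.

Added example. Pulse shape, sampling, slot layout, seeds and noise are
constructed; only the 20 pulses/bit, 200 ps, 10 Mbps numbers are the text's.
"""
import math
import random

PULSE = [-1.0, 1.0]        # "1" monopulse: a negative line then a positive line
SLOT = 10                  # samples per pulse slot (constructed)
PULSES_PER_BIT = 20        # monopulses per data bit, as in the text's example
BIT_SAMPLES = SLOT * PULSES_PER_BIT


def delay_code(seed, n_pulses):
    """Pseudo-random delay code shared by transmitter and receiver: an offset
    (in samples) inside its slot for each pulse, from a seeded generator."""
    rng = random.Random(seed)
    return [rng.randrange(SLOT - len(PULSE) + 1) for _ in range(n_pulses)]


def pulse_train(bits, code):
    """Transmitter: PULSES_PER_BIT doublets per bit at the coded offsets;
    a "0" is sent as the inverted doublet (positive line, then negative)."""
    out = [0.0] * (len(bits) * BIT_SAMPLES)
    for b, bit in enumerate(bits):
        sign = 1.0 if bit else -1.0
        for p in range(PULSES_PER_BIT):
            start = b * BIT_SAMPLES + p * SLOT + code[b * PULSES_PER_BIT + p]
            for i, v in enumerate(PULSE):
                out[start + i] = sign * v
    return out


def add_noise(signal, sigma, seed):
    """Constructed channel: additive Gaussian noise from a seeded generator."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in signal]


def correlate_and_decide(received, code):
    """Receiver: the local template is the all-"1" train built from the same
    code; the correlator integrates f(t)g(t) over one bit period, its sign is
    sampled as the logic output, and the correlator is reset for the next bit."""
    n_bits = len(received) // BIT_SAMPLES
    template = pulse_train([1] * n_bits, code)
    decoded = []
    for b in range(n_bits):
        lo, hi = b * BIT_SAMPLES, (b + 1) * BIT_SAMPLES
        corr = sum(r * t for r, t in zip(received[lo:hi], template[lo:hi]))
        decoded.append(1 if corr > 0 else 0)
    return decoded


def processing_gain_db(pulses_per_bit, pulse_width_s, bit_rate_bps):
    """Gain from pulses per bit plus gain from the inverse duty cycle."""
    pulse_spacing_s = 1.0 / bit_rate_bps / pulses_per_bit
    duty_cycle = pulse_width_s / pulse_spacing_s
    return 10 * math.log10(pulses_per_bit) + 10 * math.log10(1.0 / duty_cycle)


SENT = [1, 0, 1, 0, 0, 1, 0, 1, 0]   # the bit sequence drawn in Figure 15.30
CODE = delay_code(seed=7, n_pulses=len(SENT) * PULSES_PER_BIT)


def demo():
    """Send SENT through the noisy constructed channel and decode it."""
    rx = add_noise(pulse_train(SENT, CODE), sigma=1.0, seed=3)
    return correlate_and_decide(rx, CODE)


if __name__ == "__main__":
    print("decoded:", demo())
    print("processing gain, dB:", round(processing_gain_db(20, 200e-12, 10e6), 1))
```

Each correlator output sums the 40 nonzero template samples of a bit, so the wanted term is +40 or −40 while the noise term has a standard deviation of only about 6.3 at the noise level chosen; that margin is the processing gain of 20 pulses per bit at work. Because the template is built from the delay code, a receiver running a different code lines up with few of the pulses and its correlator output carries little of the signal, which is what lets several links share the band on different pseudo-random sequences.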
Due to the fear of interference with vital wireless services in the wide bandwidths covered by UWB radiation, the spectral density limits allowed by the FCC, and presumably to be permitted in the European Union, are relatively low, on the order of spurious radiation limits for conventional unlicensed transmissions. However, as we have seen, high processing gains can be achieved with UWB, and communication ranges on the order of tens or hundreds of meters at high data rates can be expected. Also, the FCC has indicated its intention to monitor the effects of UWB transmissions on other services, once equipment has been put into service in significant quantities, and the agency may be expected to modify or make its limits more lenient if interference is found not to be a problem. In any case, the unique characteristics of UWB are attractive enough to make this technology an important part of the offerings for short-range wireless communication in the years to come.

15.6 Summary

The annually increasing volumes for Bluetooth and Wi-Fi products, stimulated in a large part by the acceptance of industrial standards by the major manufacturers, are causing prices to fall on complex integrated circuits as well as the basic RF components. This trend will open the way for the use of these parts in other short-range applications such as security and medical call systems. Use of sophisticated and proven two-way hardware and link protocols for these and other technically "low end" applications will open them up to much higher usage than they now command. A basic impediment to wireless use will still remain, however, and that is the problem of battery replacement. Reduced voltage and power consumption for integrated circuits will help, as will sophisticated wake-up protocols such as are already built in to Bluetooth. Range limitations may have to be dealt with by a greater use of repeaters than is common in today's systems.
Another area where advancements are affecting short-range radio is antennas. Both the use of higher frequencies and new designs are reducing antenna size and eliminating a visual reminder of the difference between wired and wireless devices. The unconventional ultra-wideband technology, since its approval by the FCC, is opening up new civilian applications for short-range wireless, notably in the areas of distance measurement, concealed object location, and high precision positioning systems. Because of its high interference immunity, and its property of not causing interference, it may successfully compete with and complement other technologies used for short-range radio applications such as personal communications systems, security sensors, and RFID tags.

In summary, advances in short-range radio communication in one area feed its expansion in other areas. Overall, short-range radio will continue to play a major part in the ongoing communication revolution.

References

[15.1] ETSI TS 101 475 V1.3.1 (2001–12) Technical Report, HIPERLAN/2 Physical (PHY) Layer.
[15.2] Petroff, Alan and Withington, Paul, "Time Modulated Ultra Wideband (TM-UWB) Overview," Presented at Wireless Symposium/Portable by Design, Feb 25, 2000, San Jose, California (http://www.time-domain.com).

CHAPTER 16
System Planning
Ron Olexa

Now that we have reviewed the basics of radio operation, propagation, and predictive and actual performance measurements, it's time to see how this information is used as part of the design criteria in a system to actually provide services to a customer base. System design must consider far more than just the RF aspects of the system. If the system is to function optimally and be cost effective, such diverse topics as equipment selection, real estate, construction, interconnect, power, and maintenance must be considered.
Each of these topics has an initial capital cost and, with the exception of construction, an ongoing cost.

16.1 System Design Overview

Because of the myriad interactions you will encounter in designing a system, a flowchart is helpful for identifying the selection criteria for each of the key aspects of system design. Because there are so many different unique business opportunities that can be served with wireless data systems, it’s impossible to review them all in this book. Instead I’ll look at three distinctly different models, and walk through a design exercise for each. The first example system will be a single-AP “hotspot” or small office LAN. The second example will be a far more complex multi-AP office LAN or “hotzone” requiring frequency reuse in its implementation. The third system will be a Wireless ISP (WISP) type system that is expected to cover a large outdoor area and provide Internet connectivity to a large, geographically dispersed user base. The WISP system could be composed of a single site covering a small town, or potentially hundreds or thousands of sites covering multiple counties or MSAs. Fundamentally they are all the same, though the complexities and the need for managed spectrum grow with the size of the deployment. Regardless of the scale of the system being deployed, there are a number of individual activities that interact with each other. For example, selecting locations for installing the radio hardware will be influenced by the cost, coverage, and capacity needs of the system. Cost, coverage, and capacity are in turn influenced by the selection of radio hardware and the frequency of operation. So, you can begin to imagine the complexity involved with the design of a large system. Each individual topic surrounding system design has its own associated flowchart that identifies activities and go/no-go decision points.
As well, each flowchart must consider other parallel activities occurring under another separate topic, so that you assure that decisions and compromises made in the pursuit of one area of design do not negatively impact system viability because they ignored key factors of a separate decision matrix that they affected. To simplify the overall decision matrix, I’ll present individual flowcharts for each key activity. These flowcharts will show precursor or parallel activities that will need to be considered or reviewed when making final decisions surrounding individual key activities. After discussion of all the planning criteria, I’ll show how these factors apply to real-world systems by using the flowcharts and decision matrices to plan actual systems, and show some of the trade-offs.

16.2 Location and Real Estate Considerations

Of course, the first thing you need to know is where the system will be deployed, what it needs to cover, and how much capacity is needed. In a hotspot or office LAN system, a physical address and suite number are necessary. In addition, a floor plan or other identifying criteria showing the area(s) to be covered should be acquired. Also discover as much about the property as possible. Blueprints, building drawings or other documentation concerning the type of construction present in the building will be useful in the exercise of estimating coverage. Another key bit of information will be the name and contact information of the building owner, property manager, or other entity that may require coordination or approval of work on the premises. If the system is of the WISP variety, there are additional needs. Since a building no longer defines the coverage, the physical area to be covered should be identified on a map or area image. This area should be inspected for available towers or multistory buildings that could be used to locate equipment and antennas.
Latitude/longitude and height of antenna mounting locations on these buildings or towers should be identified. In addition, it is important to ascertain who the owner or property manager of each target building or tower is. You should also remember that many jurisdictions use zoning and permit processes for any communication facility, regardless of whether it uses licensed or unlicensed spectrum. It is critical to discover and comply with any local zoning or building and safety requirements early in your planning process. Failure to do so may lead to significant delays in deployment or, worst case, the local jurisdiction fining you and forcing you to cease operations and remove the equipment. Because of the area to be covered, numerous possible equipment locations will exist. Determining where to concentrate your efforts requires a rapid assessment of which properties are best from an RF design standpoint. Assuming you have the specific operating characteristics of your equipment, the use of a propagation-modeling tool can prove valuable for assessing coverage from each of the location options. In order to use such a tool, the parameters of the system need to be known, and assumptions need to be made about the conditions present at the CPE location. For example, if the CPE is to be located indoors near the user’s computer, additional path loss due to the construction of the building in which the CPE resides must be considered. If the CPE can be mounted outside, clear of local obstacles, then the propagation losses will be significantly lower, and the site’s coverage greater. As examples of this, the propagation plots in Figure 16.1 were computer generated using the Longley-Rice propagation model. The plots are based upon the same transmit power output and receive sensitivity. Only the antenna gain and placement at the CPE have been changed.
Figure 16.1a shows the coverage achieved from the base station or access point (the terms base station and access point can be and are used interchangeably; while the term access point was once unique to 802.11 hardware, it can now be seen referring to any number of base station products supporting wireless data) to a CPE unit using a 0 dBi gain omni antenna at street level, while Figure 16.1b shows the coverage achieved from the same base station to a CPE using a 15 dBi antenna mounted at 15 feet elevation (sufficient to clear the roof of a one-story home).

Figure 16.1a: Coverage to a CPE with a 0 dBi omni antenna at street level (plot not reproduced).
Figure 16.1b: Coverage from the same base station to a CPE with a 15 dBi antenna at 15 feet elevation (plot not reproduced).

The Longley-Rice model predicts long-term median transmission loss over irregular terrain relative to free-space transmission loss. The model was designed for frequencies between 20 MHz and 40 GHz and for path lengths between 0.1 km and 2000 km. The Longley-Rice model is used in a number of commercial propagation models that are utilized for analyzing signal propagation in such commercial applications as cellular and PCS communication systems. The model is well known, and accepted by the FCC as a method of predicting coverage of broadcast facilities. The model uses actual terrain data and predicts the median signal strength across this terrain based upon a combination of distance and terrain obstacles. The model also has a generalized morphology (land use) attenuation factor that can be attached to each site. This allows additional attenuation to be added to accommodate such things as building density and foliage. While the coverage plots in this book show coverage by the use of a grey tone to indicate coverage area, the actual plots generated by the software are in full color and consist of a number of colors, ranging from green to red. Each shade is associated with a 3 dB range of signal strength, with greens being high signal strength and red being low signal strength.
To use the prediction plot to design a system, you must determine three factors:
• How much fade margin does the system need?
• How much building attenuation must be overcome?
• Will the client device be externally mounted with a high gain antenna?

Since radio propagation is continually affected by multipath, the signal is always in a state of flux. This flux is known as fading. Even a stationary transmitter and receiver will see path fade between them caused by objects like trucks, cars and people moving in the environment. It is good engineering practice to use 8 to 10 dB of fade margin in a system design. If the signal is to be received indoors, the building itself becomes an additional source of attenuation. This can range from 5 to 7 dB for wood frame construction to over 25 dB for office buildings with metallized glass facades. Finally, the above factors need to be applied against the baseline receive sensitivity of the client device. In an 802.11b system, receive sensitivity on a high quality card ranges from −92 dBm for 1 Mbps throughput to −83 dBm for 11 Mbps throughput. If the client device can make use of a high gain directional antenna, then this gain can be added to the path loss, or to make it simple, just add it to the receive sensitivity. So with a 15 dB gain Yagi antenna the −92 dBm sensitivity improves to (−92 dBm − 15 dB) or −107 dBm. You have not really increased the receive sensitivity, but you have added gain to the receive chain, which for all intents and purposes accomplishes the same thing. So, a reliable communication link to a basic client card at 1 Mbps requires a consistent −92 dBm signal. Because of the fading nature of radio waves, it is necessary to add the fade margin to the −92 dBm minimum signal. This means that the signal required for a reliable link will need to be (−92 + 10) or −82 dBm. This signal level is sufficient to offer outdoor communication, but offers no margin to penetrate buildings.
Additional signal is required for this. Again, 5 to 10 dB of additional signal strength will be necessary to penetrate light construction, so the required signal strength rises another 10 dB to −72 dBm. If the client device makes use of a 15 dB gain antenna located outside above the roofline, only the fade margin needs to be considered. Thus, a signal of (−92 dBm − 15 dB + 10 dB) or −97 dBm is required for a reliable communication path.

Looking at the contours and the legend, you can identify the areas that will be served with signals of the strength discussed above. Those points that show sufficient signal strength to meet the minimum requirements will generally be capable of supporting a reliable communications link. Using the modeling tool allows rapid review of a number of candidate radio site locations, and lets you select the optimal locations for providing coverage to the target area. As a location is identified, a propagation model should be run with the specifics of that location such as longitude, latitude, and height. This will give you a way to evaluate the anticipated coverage of each location and quickly identify which properties are ideal candidates and which are poor choices. By using the model for first-pass identification of the best sites, you can focus your efforts on those sites first. Another key consideration in the real estate realm is the availability of space, power, and interconnect for your system. Often the ideal RF location may be lacking one or more of these elements. Determining what additional costs and complexities are associated with getting the required space, power, and interconnect to the desired location is a critical part of the selection process. The flowchart in Figure 16.2 identifies the critical aspects that should be considered when selecting a site.
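The link budget worked above (sensitivity, fade margin, building loss and CPE antenna gain) carried through in Python and then used to screen predicted signal levels the way you would read them off a Longley-Rice plot. This is an added example, not code from the book: the function names, the Scenario table and the SAMPLE_POINTS grid are my own constructions; the only figures taken from the chapter are the −92 dBm (1 Mbps) and −83 dBm (11 Mbps) 802.11b sensitivities, the 10 dB fade margin, the 10 dB light-construction loss and the 15 dBi roof-mounted Yagi.

```python
"""Required signal level and coverage screening for the chapter's link budget.

Added example, not the book's material.  Function names, the Scenario
table and SAMPLE_POINTS are assumptions; the dB figures are the chapter's.
"""
from dataclasses import dataclass

# 802.11b client-card sensitivity quoted in the text (dBm; more negative is better).
SENSITIVITY_DBM = {1.0: -92.0, 11.0: -83.0}


def effective_sensitivity_dbm(rate_mbps, cpe_antenna_gain_dbi=0.0):
    """Sensitivity with the CPE antenna gain folded in.

    As the chapter notes, -92 dBm with a 15 dBi Yagi behaves like -107 dBm:
    the card is no more sensitive, but the receive chain has 15 dB more gain.
    """
    return SENSITIVITY_DBM[rate_mbps] - cpe_antenna_gain_dbi


def required_signal_dbm(rate_mbps, fade_margin_db=10.0,
                        building_loss_db=0.0, cpe_antenna_gain_dbi=0.0):
    """Minimum median signal (dBm) at the CPE for a reliable link.

    Fade margin and building attenuation raise the requirement; antenna gain
    lowers it.  Same arithmetic as the text: -92 + 10 = -82 dBm outdoors,
    -72 dBm through light construction, -97 dBm with a 15 dBi roof antenna.
    """
    return (effective_sensitivity_dbm(rate_mbps, cpe_antenna_gain_dbi)
            + fade_margin_db + building_loss_db)


@dataclass(frozen=True)
class Scenario:
    name: str
    building_loss_db: float
    cpe_antenna_gain_dbi: float


# The three CPE cases the chapter contrasts.
SCENARIOS = (
    Scenario("outdoor, street level, 0 dBi", 0.0, 0.0),
    Scenario("indoor, light construction", 10.0, 0.0),
    Scenario("roof-mounted 15 dBi Yagi", 0.0, 15.0),
)

# Constructed predicted median signal levels (dBm) at a few CPE locations,
# standing in for values read from a propagation plot.
SAMPLE_POINTS = {"A": -70.0, "B": -78.0, "C": -85.0, "D": -95.0, "E": -100.0}


def served_points(predicted_dbm, rate_mbps=1.0, fade_margin_db=10.0):
    """Per scenario: the required level and, for each point that meets it,
    the margin (dB) by which the prediction exceeds the requirement."""
    report = {}
    for sc in SCENARIOS:
        need = required_signal_dbm(rate_mbps, fade_margin_db,
                                   sc.building_loss_db, sc.cpe_antenna_gain_dbi)
        report[sc.name] = {
            "required_dbm": need,
            "served": {pt: round(level - need, 1)
                       for pt, level in predicted_dbm.items() if level >= need},
        }
    return report


if __name__ == "__main__":
    for name, r in served_points(SAMPLE_POINTS).items():
        print(f"{name}: need {r['required_dbm']:.0f} dBm -> served {r['served']}")
```

Points are served only when the predicted median level is at or above the requirement for that CPE case, so the same site serves two of the five sample points at street level, one indoors, and four with the roof-mounted Yagi; the margin column tells you how much of the 3 dB legend band you have to spare.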
As with most everything else in a radio-based system, there will rarely be a perfect solution, so compromises on certain factors related to sites will need to be made. For example, the site may not provide optimal coverage, but may be the only site in the area for which a zoning variance can be obtained. As shown in the priority of the flowchart, coverage should be the prime consideration, although often other considerations will dictate the use of a site that is an imperfect solution from a coverage standpoint. The flowchart is best utilized for analyzing a number of different site options. The trade-offs associated with each can then be used to make the appropriate business decisions about the best location that has been analyzed.

Figure 16.2: Site selection flowchart (diagram not reproduced). The decision sequence it shows is:
1. Identify a site in the coverage area.
2. Is the site available for lease?
3. Does the site provide adequate RF coverage?
4. Is interconnect available? If not, can radio interconnect be used?
5. Is suitable space for equipment and antennas available?
6. Can the site be zoned?
7. Is the lease cost acceptable?
A Yes at every step yields an acceptable site; a No (other than the interconnect question, which has the radio interconnect alternative) ends consideration of that site.

16.3 System Selection Based Upon User Needs

The next considerations have to do with subscriber behavior. What form factor is acceptable for CPE? What average capacity requirements and usage characteristics will each user have? What security level will the user expect? And, finally, what is the acceptable initial and ongoing cost of the service? These considerations are primarily driven by the needs of the customer. Meeting them will affect equipment and real estate decisions. For example, in a hotspot the equipment decision might be driven by the following logic: a hotspot serves customers that are using laptop computers or PDAs equipped with wireless access. The hotspot provides these users with short-term Internet access. The system is primarily used for web browsing and email type activities. In this case the average use per customer is low, and the connection to the Internet is probably far slower than the speed of the radio interface, so the radio system is not the capacity bottleneck. In addition, the system must rely on the fact that the user is already equipped with a wireless interface in their computer. In late 2003 this situation calls for the use of 802.11b, since it is the most pervasive nomadic wireless standard available. This will probably not be the case in the future, as 802.11g, 802.11a, and 802.16 begin to permeate the marketplace. For the moment a cheap consumer quality 802.11b AP may be the perfect solution for the hotspot environment because it is inexpensive and includes network functions such as a low-end router, DHCP server, and NAT functionality. Thus it is a one-box solution for this particular environment. In a large office LAN environment, the usage characteristics may be quite different. In addition to Internet and email access, the system will probably be used for transferring files and inter-network communications. In other words, the usage characteristics will be much higher; more like the usage characteristics of a wired LAN. Depending on the density of the users and the users’ need for access to other systems (like a hotspot in a hotel or airport), 802.11a or 802.11g, with their greater throughput, may be better alternatives for serving this situation. The WISP, on the other hand, is probably not best served by a traditional AP, or for that matter, 802.11. The customers will be geographically dispersed, leading to a requirement for large area coverage from a minimum of locations. The user will have usage expectations of this system that are similar to the expectations users have of wired equivalent services, like cable modem and DSL.
The need for large area coverage means that the equipment will need to be tailored to high EIRP with high gain antennas, and an access sharing methodology much more robust than the CSMA/CA scheme associated with the 802.11 standard. As of the time this book is being written, 802.16 equipment does not yet exist, so the choices today are either a high gain 802.11 variant, like Vivato or YDI, or one of the purpose-built systems from the likes of Motorola, Alvarion, Flarion, Proxim, or Navini. I anticipate that there will be continued development of new equipment to meet the needs of the WISP industry, and that we will see more manufacturers offer equipment tailored to this business. Further expansion of the concept of matching equipment capabilities to the needs of the business and the user can be seen in Figure 16.3. This figure is a matrix that overlays typical user and system characteristics with equipment options. It can assist you in selecting the most appropriate technology to serve a particular user community.

16.4 Identification of Equipment Requirements

After gaining an understanding of the customer needs and expectations, the implementer should be able to determine what equipment meets those needs. As described above, the needs of the customer are a key driver of equipment selection; however, they are not the only driver.

Figure 16.3: User Needs Matrix (matrix not reproduced; only its headings survived extraction). Rows: the service coverage type the equipment is designed for (nomadic, mobile, hotspot, office LAN). Columns, grouped as equipment characteristics: base station hardware (outdoor, internal antenna, external antenna, weather proof, AC power, battery); subscriber hardware (fixed CPE, indoor, external antenna, weather proof, AC power, DC power); high EIRP; standards-based; proprietary.

Size and environmental requirements, cost, manageability, reliability and availability all enter into the equipment decision matrix. In the hotspot system, equipment should be selected that is compatible with the equipment that the users will have previously installed in their computers. This would drive equipment selection toward equipment operating on the prevailing standard adopted by the user base. Additionally, the equipment should integrate most of the network features that will be necessary to interface the equipment to the world, and to manage customers as they connect to the system. The large LAN system will have its equipment selection driven by a more complex set of issues. The standard selected will have to be a balance between the now prevailing technical solution that is ubiquitous and low cost, and whatever standard is currently emerging as the next generation solution. This emergent solution will probably have a higher cost, since it has not yet reached mass appeal, and may also have some developmental wrinkles that still need to be fixed. On the other hand, it will also have greater capacity, greater spectral efficiency, and may offer better coverage and greater flexibility in deployment. Depending on your forecast of future usage demand and the need to allow your users to “roam” to other public or private locations and use their wireless access, one technology will be an appropriate, if not optimal, selection. In this large LAN network, the additional network capabilities that were important to a hotspot are not necessary. Since this equipment will connect to an existing network, it is probable that all the advanced network features will be performed elsewhere on the network, and that the wireless equipment will only need to provide the wireless interface, and provide excellent remote management and fault isolation capabilities. The WISP system has even more complex needs.
Since standards like 802.11 were designed for wireless LAN type networks, they have not been optimized for serving a large area with dispersed users. While 802.11 has been made to work in these systems, other systems that were designed for use in this type of environment may offer a better technical solution. The trade-off here is cost. Because 802.11 is a mass-market product, equipment is very inexpensive and commonly available. Though a proprietary solution may be technically a better solution, it may be far more costly than using the 802.11 standard equipment. Additionally, because of the nature of a WISP operation, the equipment must be located outside. This means that equipment must withstand the rigors of weather and an outdoor environment. Commonly available hardware designed for home or office use is not capable of surviving in the outdoor environment, so any equipment used in this environment will have to be located in a protected enclosure or will have to be designed for outdoor use. This leads to a set of long term maintenance issues, especially if equipment is mounted on towers: if the active electronics are located atop the tower, then the equipment will need to be removed and taken to the ground for service. Obviously, this is an additional ongoing cost to be considered in deciding the appropriate equipment design as well as the best location for the equipment. Ultimately, any equipment solution has been designed with a set of expectations in mind, and has its appropriate place in the market. You need to understand the requirements of your system and the design intent of the equipment you are considering. Figure 16.4 provides an example of a comparison matrix that can assist with the identification of a solution that closely matches your needs. By completing such an analysis, you can be assured of selecting the manufacturer and solution that is best suited to serving your unique needs. 
16.5 Identification of Equipment Locations

Now that you’ve narrowed the field of equipment options to a few that appear suitable for your system, we can begin to look at how and where to deploy sites to achieve the coverage and capacity desired in the system. Determining optimal antenna locations is the key to a successful deployment. An optimal location serves a multitude of needs: it provides optimal RF coverage, meaning it can be optimized to provide sufficient coverage of the area without leading to significant interference elsewhere in the system; it has easy access to power; it has easy access to network interconnect facilities; it can be easily installed and secured; and it has reasonable access for future service needs. With the equipment selected, you have a baseline for the RF transmit power, receive sensitivity, and antenna options. These characteristics are used in conjunction with predictive modeling tools or survey tools to determine the area that can be covered with the selected equipment.

Figure 16.4: Equipment comparison matrix (diagram not reproduced). Columns: operating band (unlicensed or licensed); suitability for serving environment (mobile data WISP, fixed WISP, hotspot, office LAN), rated optimal, suboptimal but useful, or not optimal; and costs (CPE, base station). Rows, with the cost entries that survived extraction (CPE, base station): 802.11b traditional AP (low, low); 802.11b high power PtP (high, medium); 802.11g (medium, medium); 802.11a (medium, medium); 802.16; 802.16e (high, high); 802.20 (high, high); CDMA2000 (high, high); proprietary solutions (high, high). The band and suitability marks did not survive extraction.

The first order of business is to evaluate the previously identified available locations for their suitability in providing coverage to the desired area, then to decide which tool is best suited to your need and determine the coverage potential of your sites. By its definition the hotspot is a small open coverage area, so the simple path loss calculation is usable to determine if the system can cover the required area.
In fact, in a hotspot system, finding a convenient mounting spot with available power and network connection is probably more important than finding an optimal RF location. Of course, just because I made this statement, your first attempt to build a hotspot will surely be in some unique and bizarre location where there are multiple unknown impediments to RF coverage. Even though the hotspot appears to be a simple deployment, it’s still worth spending a little time validating your assumptions with a field survey. Although the same estimation techniques used in a hotspot can be applied to a hotzone or LAN, determining optimal antenna locations becomes a little more complex. The size of the area to be covered, the user density within the space, and the layout of the space must be considered in order to optimize locations from a capacity and interference standpoint. In the LAN environment, the primary usage of the system will be wired LAN replacement, thus the bandwidth requirements per user will be significantly higher than those of the casual user accessing the Internet. Depending on the user density in the covered area, you may find that a single base station may not have sufficient capacity to serve all the users in its coverage area. In this case it may be necessary to reduce power, relocate the base station, or change the antenna to provide a different coverage area that includes fewer users. The first objective in designing such a system is to calculate the per-user bandwidth requirements. Because there are so many opinions about how to accomplish this, I will not discuss it here. Use whatever method of calculation you are familiar and comfortable with. Once you know the average usage per user, you can determine the total users per base station by this simple calculation: N_users = I_t / BW_user, where I_t is the radio information throughput. Do not confuse this with raw device bandwidth.
We need to use the achievable device throughput based on the types of traffic on the network. For example, in 802.11b the channel is advertised to have 11 Mbps throughput. In reality this is the total channel throughput including all overhead. The information bandwidth of the channel is significantly less, more on the order of 4.5 to 6 Mbps depending on the types of traffic on the network. Also, because the 802.11b channel is a TDD channel, the total throughput is shared by both upstream and downstream traffic, meaning that another derating factor must be applied based on the mix of upstream and downstream capacity requirements. All this means that the real data throughput of an 802.11b system may be as low as 2 Mbps for bidirectional symmetrical usage. BW_user is the average bandwidth requirement. This is not the peak requirement of the user, but either the average usage, or the predetermined lowest bandwidth level available to any user during peak usage periods. For example, in a system with symmetrical uplink and downlink requirements, and an average bandwidth per user requirement of 200 Kbps, an 802.11 system will support only 10 to 15 users per AP (2 to 3 Mbps information throughput / 200 Kbps per user). Remember, 802.11b has 4.5–6 Mbps total throughput. Since this example uses symmetrical traffic, the 4.5–6 Mbps is shared by the uplink and downlink traffic, thus leading to 2–3 Mbps available in either direction. Assuming a normal office environment with cubicles and walkways, the average space allocation per employee is 250 square feet. In this environment an 802.11b AP will cover about a 50-foot radius, or about 8000 square feet of area, with maximum bandwidth. This area may contain up to 32 users. In this situation the coverage-defined area exceeds the capacity-defined area. There are several solutions for this. Antenna selection and power reduction can reduce the area covered to one that is more in line with the capacity needs of the users.
Alternately, this may be a situation where 802.11b is not an optimal technology selection. 802.11a or 802.11g may be more suitable protocols because of their higher throughput. Either 802.11g or 802.11a will provide about 5 times more bandwidth than 802.11b; however, the area covered at this bandwidth will be smaller than the 802.11b maximum-throughput coverage area. In this same environment, 802.11g will probably cover less than 3000 square feet with maximum bandwidth signal levels, while 802.11a may serve only 1000 square feet at maximum bandwidth due to the additional propagation losses associated with its higher operating frequency. Do remember that these technologies rate-adapt to lower throughput speeds as the signal strength drops. It is entirely possible that the needs of users can be met over a coverage area associated with one or more of the data sub-rates. This is a case where future growth and changes in usage characteristics should be considered as part of the selection criteria. If capacity needs are expected to increase over time, then a higher bandwidth standard like 802.11a or 802.11g should be considered instead of 802.11b. Now that the capacity versus coverage issues have been addressed, you know how much area should be covered by each radio base station location. Now you can begin to plan the location of hardware to meet the needs of the deployment. Use the drawings, blueprints and other reference data you’ve collected in combination with a physical site review to identify locations where the equipment could be placed, giving easy access to power and interconnect, easy access for maintenance, avoidance of utility walls and massive metal objects, and a central position relative to the desired coverage area of each radio base station.
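The capacity-versus-coverage sizing described above (N_users = I_t / BW_user, the TDD derating, and the 250 square feet per employee check), carried through in Python and then applied to the three 802.11 variants the text compares. This is an added example, not the book's code: the function names, the plan report layout and the TECHNOLOGIES table are my assumptions; the table's values are the chapter's rough figures (2 Mbps per direction over about a 50-foot radius for 802.11b, about 5 times that throughput over 3000 and 1000 square feet for 802.11g and 802.11a at maximum rate).

```python
"""Capacity-versus-coverage sizing for an in-building WLAN.

Added example, not the book's material.  Implements the chapter's
N_users = I_t / BW_user calculation and its coverage-area check, then
compares 802.11b/g/a on the chapter's rough figures.  Function names, the
report layout and the TECHNOLOGIES table are assumptions.
"""
import math


def per_direction_throughput_mbps(information_throughput_mbps, direction_fraction=0.5):
    """Usable throughput in one direction.

    802.11b is a TDD channel: the 4.5-6 Mbps of information throughput (not
    the 11 Mbps raw rate) is shared by uplink and downlink, so symmetric
    traffic leaves half, 2-3 Mbps, in each direction.
    """
    return information_throughput_mbps * direction_fraction


def users_per_ap(per_direction_mbps, bw_per_user_kbps):
    """N_users = I_t / BW_user, truncated to whole users."""
    return math.floor(per_direction_mbps * 1000.0 / bw_per_user_kbps)


def users_in_area(area_sqft, sqft_per_user):
    """Users physically inside the covered area (a partial cubicle still counts)."""
    return math.ceil(area_sqft / sqft_per_user)


def radius_for_users(n_users, sqft_per_user):
    """Radius (ft) of a circular cell holding exactly n_users."""
    return math.sqrt(n_users * sqft_per_user / math.pi)


def plan_cell(area_sqft, sqft_per_user, per_direction_mbps, bw_per_user_kbps):
    """Compare the coverage-defined and capacity-defined user counts for one AP.

    If the coverage area holds more users than the radio can carry, the cell is
    capacity limited: shrink it (lower power, different antenna) to about
    capacity_radius_ft, or move to a higher-throughput standard.
    """
    coverage_users = users_in_area(area_sqft, sqft_per_user)
    capacity_users = users_per_ap(per_direction_mbps, bw_per_user_kbps)
    return {
        "area_sqft": round(area_sqft),
        "coverage_users": coverage_users,
        "capacity_users": capacity_users,
        "capacity_limited": coverage_users > capacity_users,
        "capacity_radius_ft": round(radius_for_users(capacity_users, sqft_per_user), 1),
    }


# Assumed table built from the chapter's rough per-AP figures at maximum data
# rate in a cubicle office; 802.11g/a taken as ~5x the 802.11b throughput.
TECHNOLOGIES = {
    "802.11b": {"max_rate_area_sqft": math.pi * 50.0 ** 2, "per_direction_mbps": 2.0},
    "802.11g": {"max_rate_area_sqft": 3000.0, "per_direction_mbps": 10.0},
    "802.11a": {"max_rate_area_sqft": 1000.0, "per_direction_mbps": 10.0},
}


def compare_technologies(sqft_per_user=250.0, bw_per_user_kbps=200.0):
    """Run plan_cell for each candidate standard with the same user profile."""
    return {
        name: plan_cell(spec["max_rate_area_sqft"], sqft_per_user,
                        spec["per_direction_mbps"], bw_per_user_kbps)
        for name, spec in TECHNOLOGIES.items()
    }


if __name__ == "__main__":
    for name, plan in compare_technologies().items():
        print(name, plan)
```

With the chapter's numbers the 802.11b cell is capacity limited (32 users in reach, 10 carried, so it would have to shrink to roughly a 28-foot radius), while the 802.11g and 802.11a cells at maximum rate are coverage limited: they reach only 12 and 4 users but could carry 50 each, which is exactly the trade the text describes.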
Depending on the physical layout of the space to be covered and the availability of power and interconnect, a number of location options are viable: you could use an omni antenna located on the ceiling in a central location, or you could use a directional antenna located high up in a corner or along an outside wall and pointing toward the space to be covered. You might try drawing shapes consistent with the antenna pattern (circles for omni antennas, cardioids or teardrops for directional antennas) and scaled to an appropriate size to represent the desired coverage on the blueprints. Lay out the shapes on the blueprints, arranging them so as to provide coverage to all the desired locations. Then physically check the locations to assure that power and interconnect are easily available at the locations. If not, see where you need to move it to gain easy access to power and interconnect. As you move the locations to ease deployment, try to keep the spacing between the base stations as even as possible. This will make your frequency planning easier. You may also want to do a site survey on the selected locations. The reason is twofold: you can assure you get the expected coverage and, more importantly, you can determine the maximum coverage and therefore the interference area of each location. Knowing this will be useful when allocating channels to each location. Figure 16.5 shows one possibility for locating equipment to serve an office space. Depending on the unique needs and limitations of the space you are working with, such a solution may or may not be feasible for your deployment.

Figure 16.5: One possible equipment layout for an office floor plan (drawing with room numbers not reproduced).

The WISP solution has much in common with the LAN system deployment.
Coverage and capacity are both critical issues, multiple locations may be required to address coverage or capacity issues, and technology options will need to be considered according to system and cost requirements. The WISP system is designed to cover an extended area of potentially multiple square miles with a complex mix of terrain, morphology, and user locations. The system will be designed to provide Internet access service to residences and/or businesses within the coverage area. In addition, the location of the CPE is a consideration in determining the coverage of each site. If the CPE is located inside a structure, additional losses will be incurred, leading to a smaller reliable coverage area. Alternately, if the CPE can be located outdoors above the roofline, coverage distances will improve substantially. Because of the size and complexity of the covered area, there is a very real possibility that users will be shielded from one another. This gives rise to problems using equipment that utilizes CSMA/CA, like 802.11-based hardware. Because CSMA/CA works by monitoring the channel prior to transmitting, the algorithm assumes that all users are close enough to each other to be able to hear each other. In the widely distributed WISP system, this is not true. This leads to a problem called the hidden transmitter problem, where users all have a clear path to communicate with the base station, but cannot hear each other. Since they cannot hear each other, they all assume the channel is clear, and try to transmit. The effect of this is that multiple stations try to access the channel simultaneously, because they all think it’s clear. In reality, the base station hears all the simultaneous users and cannot discriminate one from another. In essence the simultaneous users are all interfering with each other.
This behavior can be tamed using a feature in the 802.11 standard called RTS/CTS, or Request to Send/Clear to Send. This is simply an additional protocol in which a user asks the base station for permission to transmit (RTS) and waits until it receives permission (CTS) before beginning its transmission; every station that hears the CTS, including those that could not hear the original request, must stay quiet for the duration it reserves. There are three downsides to this scheme. First, RTS/CTS is not a perfect solution. Collisions can still happen: the RTS frames themselves are sent unprotected, so hidden stations that request the channel at nearly the same time collide at the base station, and only the data exchange that follows a heard CTS is protected. Second, RTS/CTS takes overhead, because each transaction has to be preceded by a request and acknowledgment, thus leading to a further decrease in real channel data throughput. Third, since closer users have a stronger signal, it is quite common for those close-in users to get an unfair share of the available bandwidth. This is because the closer-in users tend to have more signal strength at the base station, and the stronger signal is easier to hear than the weak signal from the further-out user. In some cases it is possible for the close-in station to override the weak signal completely, and be the only signal heard by the base station. Conversely, 802.11 equipment is cheap and abundant, so from a cost standpoint it may be the best solution for a particular need. Just be aware that as with any system offering service for hire, a WISP needs to assure that the users have fair and equitable access to the service. Clearly, even though the equipment is inexpensive, the issues surrounding the access methodology need to be given considerable thought. While it may be coerced into working, it is entirely possible that the solution will never be as good as a purpose-built solution. There are other systems that have taken the unique needs of large area access into consideration. 802.16 and 802.20 were designed with the needs of wide area coverage and possible mobile access in mind.
So have some of the proprietary system standards that have been created by equipment manufacturers. These systems have the benefit of being designed for the express purpose of providing wide area access to multiple geographically diverse users. The downside is cost and/or availability. At the time this book is being written (Sept 2003), there is not yet commercially available 802.16 or 802.20 equipment, and the proprietary equipment that is available costs 5 to 50 times more than 802.11b equipment.

The wireless data field is still growing. New standards and vendors continue to evolve. I suggest that you carefully review the technologies and vendors available to you at the time you are designing the system. Determine their suitability to your unique business plan, and make your selection based upon your unique mix of cost, capacity, coverage, and spectrum availability requirements. Once a technology has been selected, you need to review the coverage and capacity needs of your system. Because you are covering a large outdoor environment, propagation modeling can be an effective way of estimating coverage area and assessing the coverage available from specific sites. Since the users cannot be identified by desktop location as they could in the in-building LAN system, another method of estimating user density is needed. This is where demographic data can come into play. Such data is available from many sources, and has varying resolution. You can find demographics as coarse as an entire county, or as fine as fractions of a square mile. Use this data to determine how many households and businesses are in the geographic area associated with coverage. Then, by applying your expected market penetration percentage, you can determine the number of users in the area.
You should already have an idea of the expected per-user traffic, so you can now use the same formula we used in the LAN example to determine the traffic capacity needed for the area. Once again, determine if the covered area has sufficient capacity to meet user demand. If not, reduce the coverage area and add more radio sites to the system as needed to serve the territory. Once you have determined your site locations, one other consideration you will face is connecting the sites together or to the Internet. Since the sites will have significant distance between them, CAT5 cable, which can only support about 100 meters (roughly 300 feet) of link distance, is not a viable way to connect them together. There are two alternatives for interconnection to the Internet: purchase an individual access facility from a telco, CLEC (Competitive Local Exchange Carrier), or other provider for each of your radio sites, or use point-to-point radio to connect your facilities together and bring all traffic to a common location for delivery to the Internet. The former solution may lead to a more robust system, because a single facility outage isolates only one site and its associated coverage area. It will also be more expensive because you cannot aggregate traffic from multiple sites in order to make the most effective use of the capacity of the facility you're paying for. Additionally, more equipment will be necessary because each site will have to have its own network hardware to provide access control, DHCP, maintenance access, and other network and security functions. The latter solution allows all the network equipment to reside at a single location, thus reducing the need for redundant equipment at each site. It also leads to the additional cost of a facility to connect the sites back to the designated central location. This could be accomplished with a leased telco facility, although you'll probably be limited to the T-1 or E-1 facility speeds of 1.544 or 2.048 Mbps, or multiples thereof.
Given that this may be a fraction of the bandwidth of the radio, it may not be an appropriate choice. A better choice may be point-to-point radio facilities. If the sites in question have clear line of sight to each other or to a central location, this becomes a feasible implementation. There is equipment available in both the licensed and unlicensed bands that can be used to provide this type of connection. Better yet, these radios can be had with an Ethernet output, so they can simply be plugged into your other network equipment without the need for specialized equipment to convert from Ethernet to some other standard like T-1 or E-1. As discussed, each of these solutions has tradeoffs. Use the flowchart in Figure 16.6 as a basis to assist in selection of the most appropriate solution based upon your unique environment and needs.

16.6 Channel Allocation, Signal-to-Interference, and Reuse Planning

The number of available channels in a system will be predicated on three things: the spectral allocation available to you, the spectral requirements of the equipment you've selected, and other users or interferers in the band. When you did the site surveys at your locations, one of the things you noted was the noise floor and any other users in the band. If possible, avoid channels with existing users or a high noise floor. In the hotspot system this is simple: pick the quietest channel and implement it as the operating channel of your equipment. Since there is only one radio base station or AP, you're done. In the office LAN or hotzone, you must consider not only outside interference but also the interference you will self-generate when all the sites are active. This means that you must carefully allocate channels in order to minimize interference between locations. In general, get as much physical separation as possible between co-channel locations.
As detailed in Chapter 8, the building layout and coverage information collected during the site survey will be invaluable in determining how to allocate the channels based on the actual coverage and overlap of each location. Ideal channel separation, i.e., sufficient so as to cause no interference, is rarely achievable. The best separation that can be designed for is separation sufficient to provide adequate C/I margin to the majority of the coverage area of each base station. The C/I requirements of the system will vary based upon the technology. If the manufacturer does not publish C/I requirements, they can generally be thought of as identical to the S/N requirements of the technology, which is what the published receive sensitivity figures express: a sensitivity is simply the required S/N added to the thermal noise floor. The receive sensitivity is nothing more than the amount of signal required for the equipment to perform at a certain threshold level. The reference against which this is measured is thermal noise in the channel. What does this mean to the design? It means that the coverage and/or capacity performance of the network will not be as good as it would have been in an interference-free environment. The required signal strength will increase by the number of dB the interference has raised the noise floor.

Figure 16.6: Equipment-location flowchart. Starting from "Identify location in leased site", the candidate passes through Yes/No decision gates: acceptable coax run lengths? power available? good site ground available? interconnect available? area and equipment can be secured? area and equipment safely accessible? Passing every gate yields an acceptable equipment location.

For example, the noise floor of a 20-MHz 802.11b channel in the 2.4-GHz band is −100.43 dBm as calculated by the thermal noise equation. The published receive sensitivity specifications are based on this noise floor. If interference adds undesired signal (man-made noise) to the coverage area, the noise floor increases above the level contributed by thermal
noise alone. The basic receive sensitivity does not change, but the system performance does. For every dB interference adds to the noise floor, the effective receive sensitivity will be worsened by an equivalent amount. In the case of an 802.11b device with a published 1 Mbps sensitivity of −92 dBm, this sensitivity is based on an expected noise floor of −100.43 dBm. If interference raised the noise floor to −98.43 dBm, the device would no longer perform when the signal strength was −92 dBm. The interference has raised the noise floor by 2 dB, so the new signal requirement would be −90 dBm for the device to offer the same 1 Mbps performance level. This is another reason why the site survey is a useful system-planning tool. By knowing the signal level contributed by other locations, you can assess how much interference adds to the noise floor. This allows you to estimate the real coverage of locations based on the additional noise level caused by co-channel users in the form of interference. Note that noise and interference powers add in linear units (milliwatts), not in dB: an interferer a few dB below the thermal floor still raises it measurably, and one equal to it raises it by 3 dB.

The WISP system requires the same diligence in allocating channels for the same reasons as those in the LAN environment. Interference, regardless of its source, will negatively impact either the coverage potential of a site or its ability to provide maximum throughput over its designated coverage area. Pick the channel with the lowest noise floor, and use antenna aperture, downtilt, and site separation distance to assure sufficient isolation of co-channel signals.

Antenna downtilt is another subject that the WISP operator should become familiar with. Because the WISP system is located outside, and is probably located at some elevation above ground, downtilt becomes an important factor in optimizing coverage and minimizing interference. Think about it this way: the antenna you will use is vertically polarized, and has a main lobe with the highest energy density pointed perpendicular to the antenna's axis.
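The noise-floor arithmetic above, as an added worked example that is not part of the book: a small Python helper that combines thermal noise with the co-channel levels noted in a site survey, summing them in milliwatts rather than dB, and derives the signal level the radio now needs for the same performance. The kT constant of −174 dBm/Hz (290 K) is a standard planning assumption and gives about −101 dBm for a 20-MHz channel; the text's −100.43 dBm floor and −92 dBm sensitivity are taken as given in the worked call, and the −95 dBm interferer is a constructed survey reading.

```python
import math

KT_DBM_PER_HZ = -174.0  # thermal noise density kT at ~290 K, dBm/Hz (standard planning value)


def thermal_noise_floor_dbm(bandwidth_hz):
    """Thermal noise power in a channel of the given bandwidth, in dBm."""
    return KT_DBM_PER_HZ + 10.0 * math.log10(bandwidth_hz)


def dbm_to_mw(dbm):
    return 10.0 ** (dbm / 10.0)


def mw_to_dbm(mw):
    return 10.0 * math.log10(mw)


def combined_noise_floor_dbm(thermal_floor_dbm, interferers_dbm):
    """Thermal noise plus each co-channel interferer seen in the survey.

    Powers are summed in milliwatts; adding the dB figures would be wrong.
    """
    total_mw = dbm_to_mw(thermal_floor_dbm) + sum(dbm_to_mw(p) for p in interferers_dbm)
    return mw_to_dbm(total_mw)


def required_signal_dbm(published_sensitivity_dbm, reference_floor_dbm, actual_floor_dbm):
    """The data-sheet sensitivity assumes the thermal floor; keeping the same S/N
    at a raised floor needs a signal stronger by exactly the rise."""
    return published_sensitivity_dbm + (actual_floor_dbm - reference_floor_dbm)


def plan_site(published_sensitivity_dbm, reference_floor_dbm, interferers_dbm):
    """Return (raised floor in dBm, rise in dB, required signal in dBm) for one site."""
    raised = combined_noise_floor_dbm(reference_floor_dbm, interferers_dbm)
    rise = raised - reference_floor_dbm
    return raised, rise, required_signal_dbm(published_sensitivity_dbm, reference_floor_dbm, raised)


if __name__ == "__main__":
    # The text's case: 802.11b, 1 Mbps sensitivity -92 dBm against a -100.43 dBm floor.
    book_floor, book_sensitivity = -100.43, -92.0
    print("20 MHz thermal floor from kT:", round(thermal_noise_floor_dbm(20e6), 2), "dBm")
    print("floor raised to -98.43 dBm ->",
          required_signal_dbm(book_sensitivity, book_floor, -98.43), "dBm needed")
    # Constructed survey reading: one co-channel AP heard at -95 dBm at the coverage edge.
    raised, rise, need = plan_site(book_sensitivity, book_floor, [-95.0])
    print(f"floor {raised:.2f} dBm (+{rise:.2f} dB) -> need {need:.2f} dBm")
```

Feed `plan_site` the per-site list of co-channel levels from the survey; the returned rise is the margin lost at that site, and the required signal is the level the propagation model must deliver at the intended coverage edge.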
This means that the main beam will be pointed horizontally, 90 degrees from the mounting orientation of the antenna, in other words at the horizon. As you can see in Figure 16.7, the main beam points at the horizon, and it is entirely possible to "miss" the intended service area with the main beam and to end up serving the desired area with side lobe and sub lobe energy. This situation impairs service in both the desired coverage area and surrounding areas: the main lobe energy misses the target user, and interference in adjacent areas increases because the main lobe energy is pointed toward the horizon, and therefore toward other potential users. Downtilt corrects both of these situations by pointing the antenna's main lobe toward the desired coverage area. This can be accomplished two ways: mechanically and electrically. Mechanical downtilt is used only with directional antennas, and is accomplished by physically mounting the antenna in such a way as to tilt it toward the ground by some number of degrees. Electrical downtilt is achieved by the design of the antenna, and can be applied to both directional and omnidirectional antennas. In fact, electrical downtilt is the only way to implement downtilt in an omni antenna.

Figure 16.7: Main beam with and without downtilt. Without downtilt, most of the energy does not serve the area of interest; with downtilt, the main beam puts its energy into the desired area.

The number of degrees of downtilt is calculated with the simple formula: arctangent (H/D), where H is the effective height and D is the distance to the far edge of the desired coverage area.
To keep the calculation simple, the formula is based on calculating the adjacent angle of a right triangle; therefore the effective height is determined as the difference in elevation between the antenna and the area to be covered, and the distance is the physical distance between the antenna and the far edge of coverage, in the same units used for the height measurement. For example, let's take a case where the antenna is mounted on a tower, which is on a hill overlooking the coverage area. The ground elevation at the edge of the coverage area is 540 feet, the top of the hill is 650 feet, and the antenna is mounted at the 100-foot level on the tower. In this case, the effective antenna height is (650 + 100) − 540, or 210 feet. If the distance to the far edge of coverage is ½ mile (2640 feet), then atan(210/2640) = 4.548 degrees of downtilt. As shown in Figure 16.8, by downtilting the antenna by 4.5 degrees, the center of the main beam is aimed at the users furthest from the site, thus maximizing the energy density in the area furthest from the site. Areas closer to the site have less path loss due to distance, and are effectively served by the lessening energy density of the main lobe and sub lobes of the antenna. The other major benefit of downtilt is interference reduction. Without downtilt, the desired coverage area had less than ideal signal, while undesired areas were getting most of the site's energy. By using downtilt to maximize energy density in the desired coverage area, a side benefit is that this energy no longer gets to places it does not belong, and therefore does not appear as interference in some undesired area.

Figure 16.8: Downtilt geometry. Downtilt angle = arctangent (effective height / distance), where the effective height is the antenna's height above the target area.
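The downtilt calculation, as an added example that is not part of the original text: Python implementing the arctangent formula on the book's numbers (650-foot hill, antenna 100 feet up the tower, 540-foot target elevation, ½ mile to the far edge), then going one step beyond the text by checking where the antenna's −3 dB vertical main lobe actually lands on the ground. The 10-degree vertical beamwidth is an assumed figure for a typical sector panel, and `downtilt_for_upper_beam_edge_deg` (aim the upper edge of the beam, not its center, at the far edge) is my generalization, not the book's formula.

```python
import math

FEET_PER_MILE = 5280.0


def effective_height(site_ground_elev, antenna_height_on_tower, target_ground_elev):
    """Antenna height above the ground at the far edge of coverage (same units throughout)."""
    return site_ground_elev + antenna_height_on_tower - target_ground_elev


def downtilt_deg(eff_height, distance):
    """The text's formula: tilt = arctan(H / D), H and D in the same units."""
    return math.degrees(math.atan2(eff_height, distance))


def downtilt_for_upper_beam_edge_deg(eff_height, distance, vertical_beamwidth_deg):
    """Assumed refinement, not from the text: aim the upper -3 dB edge of the main
    lobe at the far edge so the lobe does not spill past it toward the horizon."""
    return downtilt_deg(eff_height, distance) + vertical_beamwidth_deg / 2.0


def main_lobe_ground_span(eff_height, tilt_deg, vertical_beamwidth_deg):
    """Ground distances (near, far) lit by the -3 dB main lobe at a given tilt.

    far is math.inf when the upper beam edge is at or above the horizon: that part
    of the lobe never reaches the ground and becomes interference somewhere else.
    """
    lower_edge = tilt_deg + vertical_beamwidth_deg / 2.0  # steepest ray, nearest ground hit
    upper_edge = tilt_deg - vertical_beamwidth_deg / 2.0  # shallowest ray, farthest ground hit
    near = eff_height / math.tan(math.radians(lower_edge))
    far = math.inf if upper_edge <= 0.0 else eff_height / math.tan(math.radians(upper_edge))
    return near, far


if __name__ == "__main__":
    # The text's worked case: hill 650 ft, antenna 100 ft up the tower, target ground 540 ft, 1/2 mile.
    h = effective_height(650.0, 100.0, 540.0)  # 210 ft
    d = 0.5 * FEET_PER_MILE                    # 2640 ft
    tilt = downtilt_deg(h, d)
    print(f"effective height {h:.0f} ft, downtilt {tilt:.3f} deg")
    beam = 10.0  # assumed vertical -3 dB beamwidth of a typical sector panel
    print("beam-center aim lights ground from", main_lobe_ground_span(h, tilt, beam))
    tilt2 = downtilt_for_upper_beam_edge_deg(h, d, beam)
    print(f"upper-edge aim: {tilt2:.3f} deg lights ground from", main_lobe_ground_span(h, tilt2, beam))
```

With the beam center on the far edge, the upper half of a 10-degree lobe is still above the horizon, which is exactly the interference leak the text describes; tilting by a further half beamwidth puts the whole lobe on the ground between roughly 810 feet and the far edge, leaving the nearer users to the lower lobes as the text expects.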
16.7 Network Interconnect and Point-to-Point Radio Solutions

In small venues like a hotspot or small office, network connectivity should not be a significant issue. CAT 5 cable is an inexpensive and readily available solution for connectivity in these small area locations. Even large office spaces can have the radio solution effectively networked using CAT 5 cable. The distance limit for CAT 5 cable is about 100 meters (roughly 300 feet) per run, which allows quite a large area to be served by cable alone, with no need for intermediate regenerators. If greater distances are needed, it is feasible to divide the network on a floor-by-floor basis, and run cables to a central point where they are connected using a switch or router, which is in turn connected to the wired network in the building. The decision of how to cable will be dependent on the existing wiring, existing network, and construction of the property. But what about the campus environment, where the space to be served with wireless is in a number of disparate buildings, or the WISP system that covers a community from a number of different sites? In these cases, the distance limits associated with CAT 5 make it unusable. In the campus environment, Ethernet over fiber (10Base-FL and 100Base-FX) connections may be feasible, depending on the availability and cost of duct space between buildings. In the WISP system where such ducts between sites are rarely available, or in the distributed building office environment where no ducts are available, another interconnect option needs to be considered. That option is of course radio. Not only can radio-based systems be used for connecting users, they can be used to connect together the disparate locations. Radio facilities such as these are called point-to-point links, and can use a variety of licensed and unlicensed bands for operation.
Unlicensed band links commonly offer limited bandwidth (1 to 50 Mbps), while licensed microwave bands can offer links with hundreds of Mbps throughput. When a single central facility is used as a distribution point for a number of remote locations the resulting network is known as a "hub and spoke" configuration. Figure 16.9 illustrates such a network.

Figure 16.9: PTP Links Configured in Hub and Spoke and Ring

These links can be designed with the same tools you use for designing the radio networks for the users. The big difference is that there are only two points to connect, they are both known points that do not move, and they should be within line of sight of each other. This eases the design because you need only consider the coverage at two points in space that can see each other. If the locations have clear Fresnel zones, free space losses can be applied; if the Fresnel zone is cluttered then line-of-sight loss characteristics should be used. Because there are only two locations, highly directional antennas can be used with the radios. This helps overcome the path loss as well as reduce unwanted interference by keeping the energy tightly focused on the other station. In fact, these antennas can have less than two degrees of aperture, depending on their size and frequency of operation. These small apertures mean that mounts must be sturdy, and the antennas must be carefully aimed at each other to assure the stations are initially, and remain, accurately pointed at each other. A new concept to consider on these links is redundancy. Because these links are used to connect traffic-bearing locations together, a failure of one of these links will isolate those traffic-bearing locations from the rest of the network, thus leading to user communication failures. This single point of failure can be remedied by making the interconnect links redundant. This can be accomplished in several ways.
The first method is the simplest but perhaps most expensive way to accomplish redundancy: use redundant radio equipment. This can be done in two ways, the first being to have two active independent radios each bearing half the total traffic. The advantage is that a failure will not isolate the end site, but may, depending on the total throughput capabilities of the radios, reduce the total traffic capacity that can be handled by the remote site. The disadvantage is that two independent channels are needed, and equipment costs are significantly increased due to the need for two radios. Another redundancy method is “Hot Standby.” In this method, there is still the need for two independent radios, but only one is active at any given time. If the equipment senses a fault, it automatically switches to the standby radio and allows traffic to flow unimpeded. There are two advantages to Hot Standby: only one RF channel is needed, and a failure does not impact traffic flow from the remote site. The disadvantage of cost increase over a single radio still exists in this scenario. Full Redundancy and Hot Standby redundancy are commonly used when only a single remote site is connected, or there are multiple remote sites that cannot be connected to any other location. If more than one remote site needs to be connected and there are multiple choices for paths to connect them, another network topology called a ring should be considered. In the ring network a single site connects to remote site one, remote site one connects to remote site two, and so on. The last remote site connects back to the origin site as shown in Figure 16.9. In this scenario, traffic can flow around the ring in either direction. A single failure cannot isolate a site, because there is an alternate path to route the traffic. 
There are several disadvantages to this topology: backhaul facilities need to be large enough to handle the traffic presented by multiple sites; additional network hardware must be configured in each site in order to drop and insert traffic from the site and to manage the traffic flow on the ring; and finally, the locations need to be arranged in such a manner as to accommodate the ring topology. The primary advantage of the ring architecture is cost: one extra link (the one that closes the ring) is needed to achieve redundancy, instead of an extra radio at every remote site. Another advantage of a ring architecture is that it can be used to extend the service area far beyond the distance limits of a single radio link. Considering each link as an independent starting point allows you to develop a network that continues to expand outward from each site on the ring. The only limitation is that at some point the network needs to loop back in order to close the ring. Note that a ring tolerates exactly one link failure: a second simultaneous failure isolates every site on the arc between the two breaks, so a failed ring link must be repaired promptly. From a frequency utilization standpoint, it is best to use different frequencies for the backhaul and network connections than you are using for connecting users to the system. Once again this has to do with potential interference generated by the additional facilities using common channels. Even though the backhaul facilities use directional antennas, there is still a possibility for mutual interference. In fact having backhaul in a completely different band sometimes makes sense because it allows all the channels available in your primary band to be used for providing service to users, thus allowing growth of capacity in the network. Also there may be other bands more suited to the needs of backhaul because they have the ability to connect over greater distances or provide greater capacity.
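The single-point-of-failure argument for hub-and-spoke versus ring, as an added example rather than anything from the book: a Python model that builds both topologies of Figure 16.9, knocks out links, and reports which sites lose their path to the hub (assumed to be where the Internet hand-off lives), together with how many radios each design needs. The site names and the four-remote layout are constructed; the radio count assumes one radio at each end of every link, and one extra pair per protected link for the full-redundancy and Hot Standby schemes.

```python
from collections import deque
from itertools import combinations


def hub_and_spoke(hub, remotes):
    """One point-to-point link from the central site to every remote (Figure 16.9, left)."""
    return {frozenset((hub, r)) for r in remotes}


def ring(hub, remotes):
    """hub -> remote 1 -> remote 2 -> ... -> last remote -> hub (Figure 16.9, right)."""
    path = [hub, *remotes, hub]
    return {frozenset(pair) for pair in zip(path, path[1:]) if pair[0] != pair[1]}


def reachable_from(links, start):
    """Breadth-first search over undirected links; returns every site with a path to start."""
    adjacency = {}
    for link in links:
        a, b = tuple(link)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def isolated_sites(links, failed_links, hub):
    """Sites cut off from the hub (the Internet hand-off point) once failed_links are down."""
    all_sites = set().union(*links) - {hub}
    surviving = set(links) - set(failed_links)
    return all_sites - reachable_from(surviving, hub)


def worst_case_isolation(links, hub, simultaneous_failures=1):
    """Largest number of sites any combination of that many link failures can cut off."""
    return max((len(isolated_sites(links, failed, hub))
                for failed in combinations(links, simultaneous_failures)), default=0)


def radios_needed(links, protected_links=0):
    """Every link needs a radio at each end; full or Hot Standby redundancy adds a pair per protected link."""
    return 2 * len(links) + 2 * protected_links


if __name__ == "__main__":
    remotes = ["R1", "R2", "R3", "R4"]  # constructed four-remote layout
    for name, topo in (("hub-and-spoke", hub_and_spoke("HUB", remotes)),
                       ("ring", ring("HUB", remotes))):
        print(f"{name}: {len(topo)} links, {radios_needed(topo)} radios, "
              f"worst single failure isolates {worst_case_isolation(topo, 'HUB')} site(s), "
              f"worst double failure isolates {worst_case_isolation(topo, 'HUB', 2)}")
    print("hub-and-spoke with Hot Standby on every spoke:",
          radios_needed(hub_and_spoke("HUB", remotes), protected_links=4), "radios")
```

For four remotes the model gives 8 radios for plain hub-and-spoke (any one failure isolates a site), 16 with a standby pair on every spoke, and 10 for the ring, which survives any single failure but loses all four remotes if the two links next to the hub fail together.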
16.8 Costs

The last discussion of this chapter might actually be your first consideration: what's it all going to cost, or looked at another way, how much can I afford to spend and what compromises will be necessary? Costs are largely broken into two categories: CAPEX and OPEX. The CAPEX costs are one-time costs associated with capital equipment, construction, design and planning, and so forth. OPEX are recurring costs associated with such things as interconnect, leases, utilities, maintenance, and other month-to-month costs. Network design will have an impact on all these cost elements, and the final network design will have to include the trade-offs associated with costs as well as performance. As I've said before, there is no free lunch. For example, using cheap equipment to reduce CAPEX may have a serious negative impact on OPEX, because equipment reliability or maintainability suffers. There can be many consequences of CAPEX decisions that in the end have a significantly greater cost effect on OPEX. Be careful when making CAPEX financial decisions and make sure you consider the long-term ownership costs too. You may have to live with the aftermath of your capital decisions for a very long time.

16.9 The Five C's of System Planning

This and previous chapters have discussed elements of system selection, design and performance. They have also mentioned the fact that trade-offs are necessary when selecting a solution or planning a system. All of those discussions have led us to here: the five fundamental aspects of a real-world communication system. In its simplest form, there are five elements that will affect your decision on what technology to select and implement. Those fundamental elements are Cost, Coverage, Capacity, Complexity, and C/I ratio.
Cost includes both initial and ongoing costs of ownership; coverage can be either the total area to be covered or the area covered by a single base station; capacity can be either the necessary capacity or the capacity of an individual channel or base station; complexity can be defined as the overall size of the network (for example, how many individual sites and discrete pieces of hardware are necessary to make the system function); and finally C/I is the amount of interference that needs to be tolerated. This interference can come from two sources: it can be internally generated through channel reuse in the system, or it can be generated by other systems over which you have no control. These elements are inextricably interrelated and largely pull against one another. For example, you cannot have a cheap but complex system, nor can you have a simple and inexpensive system that also has great coverage and capacity. The selection of a suitable system solution will be driven by an understanding of the business needs, the user expectations, and the area to be served, then balancing those needs against a prioritization of the five C's. This balance will be different in each situation. Always remember that a successful set of trade-offs in one situation may lead to a dismal failure in another situation. Use these five elements when initially formulating your system requirements. Ranking these factors in order of importance to your business helps to organize your selection process by allowing you to quickly eliminate choices that obviously do not fit your hierarchy of need. For example, if low cost and maximum coverage are the most important criteria, a single-site high-power solution might be the best solution for your need, provided equipment and spectrum for such a system could be obtained.
On the other hand, if high capacity and dealing with a limited coverage area and hostile interference environment are most important, then you may need to deal with the additional costs and complexity of a network requiring multiple sites in the coverage area. This of course gives rise to considering the number of channels needed to support the multiple sites and an analysis of whether the reuse required by such a plan can be managed. As you see, the questions and considerations quickly multiply, and each time you make one decision, you may eliminate or severely modify another of your assumptions or requirements. Learning the relationships between the five C's as driven by your unique system requirements will allow you to make informed decisions and optimize the necessary trade-offs into a system that best suits the financial, user, and operational needs of your particular situation.
communication, 245–246 for digital event communication, 243–245 digital methods, comparison, 246–248 Nyquist bandwidth, 249–255 spread spectrum, 255–261 Modulus, 2 Multipath phenomena, 189–190 Multipath Routing, 447 Multipoint relays (MPR), 441 N NAT box, 364 Near-zero IF (NZIF), 102 Network allocation vector (NAC), 56 Noise, 196–198 Noise factor, 42, 113 Nomadic networks, 264–265 Nyquist bandwidth, 249 O Offset QPSK, 130 On–off keying (OOK), 10, 243 Open field propagation, 183–185 Open system authentication, 365–366 Open Systems Interconnect (OSI) protocol, 49 Optimized Link-State Routing (OLSR) protocol, 441 Orthogonal frequency-division multiplexing (OFDM), 20–30 and 802.11a, 498–500 www. ne w n e s p res s .c o m P Packet binary convolutional coding (PBCC), 67, 494 Pair-wise Master Key (PMK), 379 Pair-wise Transient Key (PTK), 380 Parity bit field, 234 Partition walls, 313 Passive mixers, 136 Patch antenna, 211–212 Per-packet key mixing, 381–382 Personal area networks (PANs), 48 Phase Shift Keying (PSK), 245–246 Physical site survey, 300–301 Piconet, 83 Pipelined ADC, 106–107 Plant network architecture, 458 Plant network layouts, 456–457 Point coordination function (PCF), 429 Polarization of antenna, 204–205 diversity, 194 Power, 465 Predictive modeling, 291–295 tools, 285–286 Preemptive Routing, 447–448 Proactive routing protocols DSDV, 440–441 issues in, 441–442 OLSR, 441 Propagation analysis program, 287–291 Propagation modeling and measuring antenna locations, determination, 301–303 comprehensive site survey process, 295–296 data analysis, 308–311 equipment requirements, identification, 299–300 indoor networks, 354–355 physical site survey, 300–301 predictive model, 291–295 predictive modeling tools, 285–286 propagation analysis program, 287–291 requirements, identification of, 298–299 RF site survey tools, 303–304 RF survey, 305–308 site survey checklist, 305 spreadsheet models, 286–287 survey activity outline, 296–298 terrain-based models, 287 Proprietary 
solutions, 266, 275–283 Pseudo-authentication schemes, 369–370 Pseudomorphic HEMTs, 111 Pulse-code modulation, 33 Pulse-position modulation, 33 Q Quadrature-amplitude-modulation (QAM), 15 Quaternary phase-shift keying (QPSK), 15 R Radio architectures, 99–102 Radio chips and chipsets, 165–176 Radio components amplifiers, 109–132 analog-to-digital converters (ADCs), 104–106 digital-to-analog converters (DACs), 106–109 filters, 148–155 frequency conversion, 132–144 mixers, 132–144 synthesizers, 144–148 Radio frequency (RF) and bandwidth, 241–243 site survey tools, 303–304 survey, 305–308 Radio frequency identification (RFID), 261–262 Radio link, 36–39 Radio problem, 97–99 Radio propagation diffraction, 185–186 diversity techniques, 192–196 flat fading, 190–192 mechanisms, 181–183 Index multipath phenomena, 189–190 noise, 196–198 open field, 183–185 path loss, 187–189 scattering, 186–187 Radio transmitters and receivers components, 104 overview, 97 radio chips and chipsets, 165–176 system design, 158 Rake receiver, 35, 90 Random backoff, 50 Rate 1/2 code, 67 Rayleigh fading, 190–192 Reactive routing protocols AODV, 443 dynamic source routing (DSR), 442–443 issues in, 444 Real indoor propagation, 333–340 Received signal strength indication (RSSI), 352 Reconstructed data, 229 Reflection coefficient, 213, 218 REQUEST ZONE, 446 Residential construction practices, 320–322 Return loss, 218 Return loss bridge, 224–226 Robust Security Network (RSN), 390 S Scattering, 186–187 Second-order distortion, 115 Secure Sockets Layer (SSL), 77 Security, in WLAN, 51, 76, 361 anonymity, 363–364 authentication, 364–370 confidentiality, 370–374 data integrity, 374–376 key establishment protocol, 362–363 loopholes, 376–377 WPA, 377 WPA2 (802.11i), 390–396 Sensor networks see Wireless sensor networks Sensor subnet selection, 458–459 Shared key authentication, 366–367 Shear walls, 313 Short interframe space (SIFS), 57 Sigma-delta ADC, 107 Signal constellation, 14 Signal strength, variation, 
189 Simple modulation technique, 9–20 Simple switch mixer, 133 Single-carrier modulations, 20 Site survey checklist, 305 Site survey process, 295–296 Sky wave propagation, 182 Small networks, 47, 49 Smart sensor networks, 465–466 Smith Chart, 219–223 SOFDMA, 413 Source data, 229 Space diversity, 193–194 Spatial multiplexing, 6 Spectrum management, 463–464 Spread spectrum, 255–261 Spreading gain, 59, 60 Spreadsheet models, 286–287 Stability-based routing, 446–447 Standards-based solutions, 266 Standing wave ratio, 217–218 Star topology, 473 Statistical performance measure, 196 Subsampling mixer, 105 Supervision, in data field, 235–236 Survey activity outline, 296–298 Surveying, 352–354 Switches, in radio, 155–158 Symmetric key system, 77 Synthesizers, 144–148 System planning channel allocation, 543 costs, 550 equipment locations identification, 536–543 equipment requirements identification, 534–536 five C’s, 550–551 location and real estate considerations, 528–532 557 network interconnect and point-to-point radio solutions, 547–550 overview, 527–528 reuse, 545 signal-to-interference, 543–545 system selection, 532–534 T Technical alarms, 230 Technical tradeoffs and issues bandwidth and range, 461 EMC, 462–463 number of sensors per network, 461–462 power, 465 smart sensor networks, 465–466 spectrum management, 463–464 tethered RF links, 467 time synchronization and distribution, 464–465 wireless standards, 464 Temporal Key Integrity Protocol, 80 Terrain-based models, 287 Tethered RF links, 467 Third-order distortion, 115 Tilt-up construction, 314 Time delay spread, 190 Time-division multiplexing, 6 Time synchronization and distribution, 464–465 Tools, for indoor networks indoor toolbox, 351–352 propagation modeling, 354–355 surveying, 352–354 Transmission lines, 216–219 Transmission range, 434 Transmitter output impedance, 216 Trellis-coded modulation (TCM), 86 U Ultrawideband (UWB) technology, 30–36 applications, 521–525 UWB PANs, 88–93 w w w.new nespress.com 558 
Index UMA network controller (UNC), 405 UMAN mode, 405 Unlicensed Mobile Access (UMA), 405–411 Unlicensed National Information Infrastructure (UNII) band, 69 U.S. Federal Communications Commission (FCC), 52 V Vector analyzer, 223–224 Virtual private network (VPN), 77 Voltage controlled oscillator (VCO), 145 Volterra series, 119 VoWi-Fi and Bluetooth, 413–417 W Weak keys, 372 Wi-Fi, 483–484 802.11 standard work, 397–402 versus Bluetooth, 516–521 and cellular networks, 402–412 convergence strategies, 405 dual mode issues, 404 IMS, 411–412 UMA, 405–411 VoWi-Fi and 802.x wireless projects, 419–421 VoWi-Fi and Bluetooth, 413–417 VoWi-Fi and DECT, 418–419 WiMax, 412–413 Wi-Fi Protected Access (WPA), 80, 378, 377 authentication, 382–386 confidentiality, 386–387 confidentiality and integrity, 388 www. ne w n e s p res s .c o m integrity, 387–388 key establishment, 378–382 WEP loopholes fixing, 389 Wide area networks (WANs), 49 WiMax, 412–413 Wired Equivalent Privacy (WEP), 77 Wireless bridge, 473 Wireless communications benefits, 469–470 electromagnetic waves, 5 harmonic signals and exponentials, 1–5 industrial applications, 469 issues in deployment, 470–473 modulation and bandwidth, 9 multiplexing, 5 radio link, elements of, 36 validation, 478–479 Wireless formats point-to-multipoint links, 473–474 point-to-point links, 473 Wireless link, 36 Wireless local area networks (WLANs), 481 802.11 WLANs, 52 architecture, 484–489 from LANs, 50–52 HiperLAN and HiperLAN 2, 81 HIPERLAN/2, 501–502 HomeRF Working group, 482–483 large and small networks, 47–50 physical layer, 489–501 radio, 103–104 Wi-Fi, 483–484 WLAN adapter, 378 and WPANs, 82 Wireless mesh networks diagnostic monitoring, 477–478 distributed control systems, 476–477 water treatment, 478–479 wire replacement, 476 Wireless networking standards, 464 Wireless regional area networks (WRANs), 421 Wireless sensor networks applications, 455–456 functional requirements, 459–461 plant architecture, 458 plant layouts, 456–457 
sensor subnet selection, 458–459 tradeoffs, 461–467 Wireless systems deployment adaptability, 472 control and sensing networks versus data networks, 471 reliability, 471–472 scalability, 472–473 WPA2 (8021.11i), 378 authentication, 390 confidentiality, 390–392, 393–396 integrity, 392, 393–396 key establishment, 390 WPAN, 82 Z Zigbee applications, 515–516 architecture, 510–512 collision avoidance, 515 communication characteristics, 512–513 device types and topologies, 513–514 frame structure, 514–515 reliability, 515 Zone Routing Protocol (ZRP), 444–445 Comments are closed.