Introduction

¹

Wireless networks and security might be considered an oxymoron. Indeed it is hard to believe in security when it is so easy to access communication media such as wireless radio media. However, the research community in industry and academia has for many years extended wired security mechanisms or developed new security mechanisms and security protocols to sustain this marriage between wireless/mobile networks and security. Note that the mobile communication market is growing rapidly for different services and not only mobile phone services. This is why securing wireless and mobile communications is crucial for the continuation of the deployment of services over these networks.

Wireless and mobile communication networks have had tremendous success in today’s communication market both in general or professional usage. In fact, obtaining communication services anytime, anywhere and on the move has been an essential need expressed by connected people. This becomes true thanks to the evolution of communication technologies from wired to wireless and mobile technologies, but also the miniaturization of terminals. Offering services to users on the move has significantly improved productivity for professionals and flexibility for general users. However, we cannot ignore the existence of important inherent vulnerabilities of these unwired communication systems, which gives the network security discipline a key role in convincing users to trust the usage of these wireless communication systems supported by security mechanisms.

Since the beginning of the networking era, security was part of the network architectures and protocols design even if it is considered to slow down the communication systems. Actually, network security is just a natural evolution of the security of stand-alone or distributed operating systems dealing with machine/network access control, authorization, confidentiality, etc. Even though the context has changed from wired to wireless networks, we are facing the same issues and challenges regarding security. More precisely, it is about preserving the integrity, confidentiality and availability of resources and the network. Other security issues that are more related to the users such as privacy and anonymity are also important from the user’s point of view today, especially with the new need of tracking criminals, but in this book we are concerned only with network security, and as such, two chapters are included dealing with important security issues and solutions to secure downloaded applications in the mobile operator context and copyright protection by watermarking techniques.

Several security mechanisms have been developed such as authentication, encryption and access control others in order to offer secure communications over the network. According to the network environment, some security mechanisms are more mature than others due to the early stages of certain networking technologies such as wireless networks, ad hoc or sensor networks. However, even with maturity, and even if they are already widely implemented in marketed products, some security mechanisms still need some improvement. It is also important to consider the limited resources of mobile terminals and radio resources to adapt the wired network’s security mechanisms to a wireless context. These limited resources have a direct impact on security design for this type of networks.

Chapter 1 offers a survey on current and emerging wireless and mobile communications coming from the mobile cellular communications such as 2G, 3G, 4G, IEEE wireless communication such as Wi-Fi, Bluetooth, WiMAX, WiMobile and WiRan, and the IP-based mobility communication such as Mobile IP or IMS. Even if security solutions always need to be improved, the deployment of these wireless and mobile networks is already effective and will tend to grow because of the growing needs of users in terms of mobility, flexibility and services. To do so, the industry and academic researchers keep on designing mobile and wireless technologies, with or without infrastructure, providing on the one hand more resources and security, and on the other hand autonomous and more efficient terminals (PDA phones, etc.).

This book is aimed at academics and industrialists, generalists or specialists interested in security in current and emerging wireless and mobile networks. It offers an up-to-date state of the art on existing security solutions in the market or prototype and research security solutions of wireless and mobile networks. It is organized into three parts.

Part 1, Basic Concepts, offers a survey on mobile and wireless networks and the major security basics necessary for understanding the rest of the book. It is essential for novices in the field. In fact, this part describes current and emerging mobile and wireless technologies. It also introduces vulnerabilities and security mechanism fundamentals. It finally presents the vulnerabilities in wireless technology and an adaptation of copyright protection techniques in the wireless and mobile context.

Part 2, Off-the-Shelf Technology, looks at the issue of security of current mobile and wireless networks, namely Wi-Fi, WiMAX, Bluetooth and GSM/UMTS, and concludes with a description of the mechanisms for the protection of downloaded applications in the context of mobile operators.

Part 3, Emerging Technologies, focuses on the security of new communication technologies, namely the new generation of telecommunication networks such as IMS, mobile IP networks, and self-organized ad hoc and sensor networks. This last category of technologies offer very attractive applications but needs more work on the security side in order to be trusted by the users.

Finally, as we can see throughout this book, security solutions for wireless and mobile networks are either an extension of security solutions of unwired networks or a design of specific security solutions for this context. In any case, one thing is sure: at least four major constraints have to be considered in security design for wireless and mobile networks: limited radio and/or terminal resources, expected security and performance level, infrastructure or infrastructure-less architecture, and cost.

¹ Written by Hakima CHAOUCHI.

PART 1

Basic Concepts

Chapter 1

Introduction to Mobile and Wireless Networks ¹

1.1. Introduction

Wireless networks in small or large coverage are increasingly popular as they promise the expected convergence of voice and data services while providing mobility to users. The first major success of wireless networks is rendered to Wi-Fi (IEEE 802.11), which opened a channel of fast and easy deployment of a local network. Other wireless technologies such as Bluetooth, WiMAX and WiMobile also show a very promising future given the high demand of users in terms of mobility and flexibility to access all their services from anywhere.

This chapter covers different wireless as well as mobile technologies. IP mobility is also introduced. The purpose of this chapter is to recall the context of this book, which deals with the security of wireless and mobile networks. Section 1.2 presents a state of the art of mobile cellular networks designed and standardized by organizations such as ITU, ETSI or 3GPP/3GPP2. Section 1.3 presents wireless networks from the IEEE standardization body. Section 1.4 introduces Internet mobility. Finally, the current and future trends are also presented.

1.2. Mobile cellular networks

1.2.1. Introduction

The first generation (1G) mobile network developed in the USA was the AMPS network (Advanced Mobile Phone System). It was based on FDM (Frequency Division Multiplexing). A data service was then added on the telephone network, which is the CDPD (Cellular Digital Packet Data) network. It uses TDM (Time Division Multiplexing). The network could offer a rate of 19.2 kbps and exploit periods of inactivity of traditional voice channels to carry data. The second generation (2G) mobile network is mainly GSM (Global System for Mobile Communications). It was first introduced in Europe and then in the rest of the world. Another second-generation network is the PCS (Personal Communications Service) network or IS-136 and IS-95; PCS was developed in the USA. The IS-136 standard uses TDMA (Time Division Multiple Access) while the IS-95 standard uses CDMA (Code Division Multiple Access) in order to share the radio resource. The GSM and PCS IS-136 employ dedicated channels for data transmission.

The ITU (International Telecommunication Union) has developed a set of standards for a third generation (3G) mobile telecommunications system under the IMT-2000 (International Mobile Telecommunication-2000) in order to create a global network. They are scheduled to operate in the frequency band around 2 GHz and offer data transmission rates up to 2 Mbps. In Europe, the ETSI (European Telecommunications Standards Institute) has standardized UMTS (Universal Mobile Telecommunications Systems) as the 3G network.

The fourth generation of mobile networks is still to come (in the near future) and it is still unclear whether it will be based on both mechanisms of cellular networks and wireless networks of the IEEE or a combination of both. The ITU has stated the flow expected by this generation should be around 1 Gbps static and 100 Mbps on mobility regardless of the technology or mechanism adopted.

The figure below gives an idea of evolving standards of cellular networks. Despite their diversity, their goal has always been the same; to build a network capable of carrying both voice and data respecting the QoS, security and above all reducing the cost for the user as well as for the operator.

Figure 1.1. The evolution of cellular networks

1.2.2. Cellular network basic concepts

a) Radio resource

Radio communication faces several problems due to radio resource imperfection. In fact the radio resource is prone to errors and suffers from signal fading. Here are some problems related to the radio resource:

– Power signal: the signal between the BS and the mobile station must be sufficiently high to maintain the communication. There are several factors that can influence the signal (the distance from the BS, disrupting signals, etc.).

– Fading: different effects of propagation of the signal can cause disturbances and errors. It is important to consider these factors when building a cellular network.

To ensure communication and to avoid interference, cellular networks use signal strength control techniques. Indeed, it is desirable that the signal received is sufficiently above the background noise. For example, when the mobile moves away from the BS, the signal received subsides. In contrast, because of the effects of reflection, diffraction and dispersion, it can change the signal even if the mobile is close to the BS. It is also important to reduce the power of the broadcast signal from the mobile not only to avoid interference with neighboring cells, but also for reasons of health and energy.

As the radio resource is rare, different methods of multiplexing user data have been used to optimize its use:

– FDMA (Frequency Division Multiple Access) is the most frequently used method of radio multiple access. This technique is the oldest and it allows users to be differentiated by a simple frequency differentiation. Indeed, to listen to the user N, the receiver considers only the associated frequency fN. The implementation of this technology is fairly simple. In this case there is one user per frequency.

Figure 1.2. FDMA

– TDMA (Time Division Multiple Access) is an access method which is based on the distribution of the radio resource over time. Each frequency is then divided into intervals of time. Each user sends or transmits in a time interval from which the frequency is defined by the length of the frame. In this case, to listen to the user N, the receiver needs only to consider the time interval N for this user. Unlike FDMA, multiple users can transmit on the same frequency.

Figure 1.3. TDMA

– CDMA (Code Division Multiple Access) is based on the distribution code. It is spread by a code spectrum allocated to each communication. In fact, each user is differentiated from the rest of users with a code N allocated at the beginning of its communication and is orthogonal to the rest of the codes related to other users. In this case, to listen to the user N, the receiver has to multiply the signal received by the code N for this user.

Figure 1.4. CDMA

The traffic uplink and downlink on the radio resource is managed by TDD (Time Division Duplex) or FDD (Frequency Division Duplex) multiplexing methods as the link is symmetric or asymmetric.

– OFDM (Orthogonal Frequency Division Multiplexing) is a very powerful transmission technique. It is based on the idea of dividing a given high-bit-rate datastream into several parallel lower bit-rate streams and modulating each stream on separate carriers, often called subcarriers. OFDM is a spectrally efficient version of multicarrier modulation, where the subcarriers are selected such that they are all orthogonal to one another over the symbol duration, thereby avoiding the need to have non-overlapping subcarrier channels to eliminate intercarrier interference. In order to have multiple user transmissions, a multiple access scheme such as TDMA or FDMA has to be associated with OFDM. In fact, an OFDM signal can be made from many user signals, giving the OFDMA multiple access [STA 05]. The multiple access has a new dimension with OFDMA. A downlink or uplink user will have a time and a subcarrier allocation for each of their communications. However, the available subcarriers may be divided into several groups of subcarriers called subchannels. Subchannels may be constituted using either contiguous subcarriers or subcarriers pseudorandomly distributed across the frequency spectrum. Subchannels formed using distributed subcarriers provide more frequency diversity. This permutation can be represented by Partial Usage of Subcarriers (PUSC) and Full Usage of Subcarriers (FUSC) modes [YAH 08].

b) Cell design

A cellular network is based on the use of a low-power transmitter (~100 W). The coverage of such a transmitter needs to be reduced, so that a geographic area is divided into small areas called cells. Each cell has its own transmitter-receiver (antenna) under the control of a BS. Each cell has a certain range of frequencies. To avoid interference, adjacent cells do not use the same frequencies, as opposed to two non-adjacent cells.

The cells are designed in a hexagonal form to facilitate the decision to change a cell for a mobile node. Indeed, if the distance between all transmitting cells is the same, then it is easy to harmonize the moment where a mobile node should change its cell. In practice, cells are not quite hexagonal because of different topography, propagation conditions, etc.

Another important choice in building a cellular network is the minimum distance between two cells that operate at the same frequency band in order to avoid interference. In order to do so, the cell’s design could follow different schema. If the schema contains N cells, then each of them could use K/N frequencies where K is the number of frequencies allocated to the system.

The value of reusing frequencies is to increase the number of users in the system using the same frequency band which is very important to a network operator.

In the case where the system is used at its maximum capacity, meaning that all frequencies are used, there are some techniques to enable new users in the system. For instance, adding new channels, borrowing frequency of neighboring cells, or cell division techniques are useful to increase system capacity. The general principle is to have micro and pico (very small) cells in areas of high density to allow a significant reuse of frequencies in a geographical area with high population.

c) Traffic engineering

Traffic engineering was first developed for the design of telephone circuit switching networks. In the context of cellular networks, it is also essential to know and plan to scale the network that is blocking the minimum mobile nodes, which means accepting a maximum of communication. When designing the cellular network, it is important to define the degree of blockage of the communications and also to manage incoming blocked calls. In other words, if a call is blocked, it will be put on hold, and then we will have to define what the average waiting time is. Knowing the system’s ability to start (number of channels) will determine the probability of blocking and the average waiting time of blocked requests.

What complicates this traffic engineering in cellular networks is the mobility of users. In fact, a cell will handle, in addition to new calls, calls transferred by neighboring cells. The traffic engineering model becomes more complex. Another parameter that is even more complicating for the model is that the system should accommodate both phone calls as data traffic, knowing that they have very different traffic characteristics.

d) Cellular system’s elements

A cellular network is generally composed of the following:

– BSs: situated at the heart of the cell, a BS includes an antenna, a controller and a number of transmitters and receivers. It allows communications on channels assigned to the cell. The controller allows the management of the call request process between a mobile and the rest of the network. The BS is connected to a mobile switching center (MTSO: Mobile Telephone Switching Office). Two types of channels are established between the mobile and the BS: the data channel and the traffic control channel. The control channels are used for associating the mobile node with the BS nearest to the exchange of information necessary to establish and maintain connections. The traffic channels used to transport the user traffic (voice, data, etc.).

– Mobile switching center (MTSO): a MTSO manages several BSs generally bound by a wired network. It is responsible for making connections between mobiles. It is also connected to the wired telephone network and is thus able to establish connections between mobiles and fixed nodes. The MTSO is responsible for the allocation of channels for each call request and is also responsible for handover and recording the billing information of active call users.

The call process includes the following functions:

– Initializing a mobile: once the mobile node is turned on, it scans the frequency channels, then it selects the strongest control call channel (setup). Each cell regularly controls the information on the band corresponding to its control channel. The mobile node selects the channel whose signal is the most important. Then the phone goes through a phase of identification with the cell (handshake). This phase occurs between the mobile and the MTSO. The mobile is identified following an authentication and its location is recorded. The mobile continues to regularly scan the frequency spectrum and decides to change the BS if it has a stronger signal than the previous cell phone. The mobile node also remains attentive to the call notification.

– Call initiated by a mobile node: the mobile node checks that the call channel is free by checking the information sent by the BS on the downlink control channel. The mobile may then issue the call number on the uplink control channel to the BS that transmits the request to MTSO.

– Call notification: the phone number is received, the switching center tries to connect to BSs concerned by the number and sends a call notification message to the called mobile node (paging). The call notification is retransmitted by BSs in the downlink control channel.

– Acceptance of call: the mobile recognizes its number in the call control channel and then responds to the BS to relay the message to the switch that will establish a circuit between the BSs of the calling and the called nodes. The switch will also select an available traffic channel in each of the two cells involved and sends the information related to that call to the BSs. The phones will then synchronize the traffic channels selected by the BS.

– Active communication: this is the process of exchanging data or voice traffic between the calling and called mobiles. This is assured by both BSs and the switching center.

– Call blocking: if all channels of traffic in a BS are occupied, the mobile will try a number of pre-configured times to repeat the call. In case of failure, an occupied signal tone is returned to the user.

– Call termination: at the end of a communication, the switching center informs the BSs to free channels. This action is also important for billing.

– Abandonment of call: during a communication, if the BS fails to maintain a good level of signal (interference, low signal, etc.) it abandons the channel traffic of the mobile and notifies the switching center.

– Call between a fixed terminal and a mobile node: the switching center being connected to the landline or fixed network, it is then able to establish communication between these two networks. It can also join another mobile switching center through the fixed network.

– Handover (Handoff): when the mobile discovers a control channel where the signal is stronger than its current cell, the network will automatically change to the cell by transferring its mobile channel call to the new cell without the user noticing. The main criterion used to take the decision to transfer the mobile is the measured signal power of the mobile node by the BS. In general, the station calculates an average over a time window to eliminate the rapid fluctuations resulting from multipath effects. Various techniques can be used to determine the moment of transfer of the mobile. In addition, this transfer can be controlled by either the network or the mobile. The simplest technique of handover decision is one that triggers the transfer as soon as the mobile detects a new signal stronger than the cell where it is connected.

1.2.3. First generation (1G) mobile

First generation cellular networks such as CT0/1 (Cordless Telephone) for wireless and AMPS (Advanced Mobile Phone Service) for mobile communications were first characterized by analog communications. The first cellular networks are virtually non-existent today. The AMPS system was the 1st generation of the most widespread used network in the USA up to the 1980s. It has also been deployed in South America, Australia and China. In Northern Europe, the NMT (Nordic Mobile Telecommunications System) was developed. In the UK, the TACS (Total Access Communication System) and Radio France in 2000 were deployed. All these cellular networks were 1G analog and used frequency bands around 450 and 900 MHz.

1.2.4. Second generation (2G) mobile

Cellular networks such as second generation DECT for wireless and mobile phones for mobile were characterized by digital communications networks, unlike the first generation, which were analog. During the 1990s several digital technologies were developed:

– GSM (Global System for Mobile Communication), developed in Europe, operating at 900 MHz.

– DCS 1800 (Digital Cellular System) equivalent to GSM but operating at higher frequencies (1,800 MHz).

– PCS 1900 (Personal Communication System) and D-AMPS (Digital AMPS) developed in the USA.

– Finally, PDC (Pacific Digital Cellular) developed in Japan.

The GSM and D-AMPS (also called IS-136) were based on the TDMA access method while the PCS 1900, also called IS-95 or cdmaOne, was based on CDMA technology.

A simple transmission of data is possible in addition to the voice but the rate remains low with less than 10 kbps and certainly did not make possible the deployment of multimedia services. Thus, HSCSD (High Speed Circuit Switched Data) and GPRS (General Packet Radio Service) are techniques that have helped increase the flow of 2G networks. These technologies are also known as 2.5 generation cellular networks. GPRS, unlike HSCDC, uses packet switching to optimize the radio resource transmission of data traffic that is sporadic in nature. The theoretical speed is 120 kbps while the real flow does not exceed 30 kbps. This generation cannot meet the needs of mobile users who want multimedia services comparable to fixed networks. The evolution of the GPRS network led to EDGE (Enhanced Data rates for GSM Evolution) or Enhanced GPRS (EGPRS), which has improved the reliability and speed of data transmission. It is generally known as 2.75G or 3G depending on its implementation. This is a simple evolution of GSM/GPRS to achieve average speeds of 130 kbps downstream and 60 kbps in transmission, 6 to 10 times greater than GPRS.

Mobility management is usually done using two databases: the HLR (Home Location Register) which maintains the data of the subscriber and the VLR (Visitor Location Register) which manages the customer in the visited cell. Using these two components, the network can manage the location of mobile node to be able to route its calls and also ensure the handover. These networks allow high mobility of the terminal but low personal mobility leading to the possibility of using the SIM (Subscriber Identity Module) in any terminal. Remember that personal mobility is the ability to change terminal while maintaining its working environment or session. We find such mobility for example in UPT (Universal Personal Telecommunication) networks.

1.2.5. Third generation (3G) mobile

3G cellular networks operate around the frequency band of 2 GHz, providing a range of multimedia services to fixed and mobile users with a Quality of Service almost comparable to that of fixed networks. The International Telecommunications Union (ITU) has selected five standards for 3G mobile under the symbol IMT-2000 (International Mobile Telecommunications system for the year 2000). This is the W-CDMA (Wideband CDMA), TD-CDMA and TD-SCDMA standard used in the European UMTS (Universal Mobile Telecommunication System) of CDMA2000, EDGE (Enhanced Data rate for GSM Evolution) and the third generation of DECT. The IMT-2000 are designed to include global roaming, a range of broadband services such as video and the use of a single terminal in different wireless networks (vertical mobility). Another objective is to make fixed services and mobile services compatible in order to be transparent to the user. These networks offer a comprehensive mobility which includes a terminal mobility, personal mobility and service mobility. The concept of VHE (Virtual Home Environment) is developed to support the service mobility. In addition to larger bandwidth, global mobility is another major difference compared to 2G networks.

UMTS based on the W-CDMA access method theoretically allows the transfer rates of 1.920 Mbps, almost 2 Mbps but at the end of 2004 rates offered by operators rarely exceeded 384 kbps. However, this speed is much higher than the base flow of GSM, which is 9.6 kbps. UMTS based on the TDD access method is not compatible with UMTS TD-CDMA. The 3G network development in China is based on a TD-SCDMA (Time Division-Synchronous Code Division Multiple Access) local standard to avoid paying for the rights of other 3G standards.

In the family of CDMA2000 standards, we find CDMA2000 1x, CDMA2000 1xEV-DO and CDMA2000 1xEV-DV which are direct successors of CDMA 2G (cdmaOne, IS-95); these are 3GPP1 standards. CDMA2000 1x, known under the terms 1x, 1xRTT, IS-2000, CDMA2000 1X, 1X and cdma2000 (CDMA lowercase), double the capacity of the voice compared to IS-95. The data transmission could reach 144 kbps. 1xRTT is considered to be 2.5G, 2.75G or 3G under implementation. CDMA2000 3x was specified on another frequency band – this standard has not been deployed. Finally, 1xEV-DO or IS-856 and 1xEV-DV were designed to increase the speed of data transmission and support mobile video. In the HSDPA (High Speed Access Protocol) family which is the evolution of the UMTS to a new wireless broadband network. Data transmission protocols are the HSDPA, HSUPA and HSOPA, which are the successors of UMTS. HSUPA (High-Speed Uplink Packet Access) could bear a rate of 5.76 Mbps. HSDPA (High-Speed Downlink Protocol Access) in the first phase of its development could attain 14 Mbps. In the second phase of its development HSDPA could support up to 28.8 Mbps using MIMO (Multiple Input Multiple Output) technology and beam forming. HSOPA (High Speed OFDM Packet Access), HSDPA’s successor, is also known as 3GPP LTE (Long Term Evolution), the goal of which is to reach 100 Mbps downlink and 50 Mbps on the uplink through access technology OFDMA. It is in direct competition with technologies such as WiMAX IEEE. HSOPA is a new air interface incompatible with W-CDMA and therefore with the previous developments of 3G networks.

1.3. IEEE wireless networks

1.3.1. Introduction

Many standards for wireless communication are being developed day after day and the price of their equipment becomes increasingly attractive. This will contribute to the success of these technologies. In this section, we introduce the standards that are the basis of many wireless networks.

Table 1.1. The different IEEE 802 standards

1.3.2. WLAN: IEEE 802.11

The IEEE 802.11 standard describes the wireless area network characteristics. Wi-Fi (Wireless Fidelity) corresponds initially to the name give to a certification delivered by the Wi-Fi Alliance which is a consortium of separate and independent companies that agrees on a set of common interoperable products based on the family of IEEE 802.11 standards.

The IEEE 802.11 can operate in two modes: infrastructure and ad-hoc. In the ad hoc mode or infrastuctureless mode, two WLAN stations can communicate directly with each other whenever they are in the same range spectrum without the intervention of the access point. Each WLAN station can be considered as an access point and a client station at the same time. However, in the infrastructure mode, the wireless network is controlled by the access point which is equipped with two interface networks:

– One wireless interface by which it receives all the exchanged frames in the cell and over which it retransmits the frames to the destination station in the cell.

– The second interface, which is ethernet, is used for communication with other access points or used for accessing the Internet.

The set of all WLAN stations that can communicate with each other is called the basic service set (BSS). The distribution system (DS) connects more than one BSS and forms an extended service set. The concept of a DS is to increase network coverage through roaming between cells.

Figure 1.5. WLAN-infrastructure mode

a) Wi-Fi architecture

Similarly to all IEEE standards, the IEEE 802.11 specifications address both the Physical (PHY) and Media Access Control (MAC) layers and are tailored to resolve compatibility issues between manufacturers of WLAN equipment. The MAC layer can be a common layer for the different types of physical layer adopted by this standard. This can be done without any modification to the MAC layer.

b) The PHY layer

Three PHY layers were defined initially for IEEE 802.11:

1) DSSS (Direct Sequence Spectrum): the principle of this is to spread a signal on a larger frequency band by multiplexing it with a signature or code to minimize localized interference and background noise. To spread the signal, each bit is modulated by a code. In the receiver, the original signal is recovered by receiving the whole spread channel and demodulating with the same code used by the transmitter. The 802.11 DSSS PHY also uses the 2.4 GHz radio frequency band.

2) FHSS (Frequency Hopping Spread Spectrum): this utilizes a set of narrow channels and hops through all of them in a predetermined sequence. For example, the 2.4 GHz frequency band is divided into 70 channels of 1 MHz each. Every 20 to 400 ms the system hops to a new channel following a predetermined cyclic pattern. The 802.11 FHSS PHY uses the 2.4 GHz radio frequency band, operating at a 1 or 2 Mbps data rate.

3) Infrared: the Infrared PHY utilizes infrared light to transmit binary data either at 1 Mbps (basic access rate) or 2 Mbps (enhanced access rate) using a specific modulation technique for each. For 1 Mbps, the infrared PHY uses a 16-pulse position modulation (PPM). The concept of PPM is to vary the position of a pulse to represent different binary symbols. Infrared transmission at 2 Mbps utilizes a 4 PPM modulation technique.

c) MAC layer and channel access method

The principal function of the MAC layer is to control the access to the medium. The IEEE 802.11 adopted two algorithms of controlling access to the channel: DCF (Distributed Coordination Function) and PCF (Point Coordination Function).

The default method of access is DCF, which is designed to support asynchronous best effort data. Nowadays, the IEEE 802.11 works on this mode only. Fundamentally, the DCF deploys the CSMA/CA (Carrier Sense Multiple Access/Carrier Avoidance) algorithm. The most important part of this algorithm is the process of backoff which is applied before any frame transmission.

Whenever a WLAN station wants to sent data, it first senses the medium. If the later is idle, then the WLAN station will transmit its data, otherwise it changes its transmission. After detecting the medium being idle over a period of time DIFS (Distributed Interframe Spaces), the WLAN station will continue to listen to the medium during a supplementary random time called the backoff period. The frame then will be transmitted if the medium is idle after the expiration of the backoff period.

The duration of backoff is determined by the CW (Contention Window) which has a value bounded by [CWmin, CWmax] maintained separately in each WLAN station in the BSS. A slotted backoff time is generated randomly by each WLAN station in the interval of [0, CW]. If the medium is still idle, the backoff time will be decremented slot by slot and this process will be continued as long as the medium is idle. When the backoff time reaches 0, the WLAN station will transmit the frame. If the medium is occupied during the process of backoff, the countdown to backoff will be suspended. There it restarts with the residual values when the medium is idle for one consecutive DIFS.

Whenever the frame received well by the recipient, the latter will send an acknowledgement (ACK) message to the sender. If the WLAN station does not receive the ACK, it deduces that there were a collision and in order to avoid consecutive collisions, it will retransmit the same frame. The value of the CW will be doubled in the case of transmission failure.

Figure 1.6. Backoff algorithm

The PCF method, also called the controlled access mode, is based on a polling method which is controlled by the access point. A WLAN station cannot transmit if it is not authorized and it cannot receive only if it is selected by the access point. This method is conceived for the real-time applications (voice and video) that demand delay management when transmitting data. This system is reservation-based access. However, this method of operation is optional and not mandatory, just like DCF, and it is applicable only in the infrastructure mode. Thus, the access point controls the access to the medium and authorizes or not the WLAN station to send data. It defines also the Point Coordination (PC) which determines two types of time periods, with or without contention:

– Contention Period (CP): corresponding to a period of time with contention in which the DCF method is used to access the medium.

– Contention Free Period (CFP): corresponding to a period of time without contention in which the PCF method is used to access the medium.

The duration of CFP-MaxDuration is defined by the access point. The CFP periods are initialized when the beacon is emitted by the access point. During CFP-Max, the OCF method will be active, while in the residual time, the DCF method is used. In order to switch between the PCF and DCF method, a super frame is used in order to make it possible to mote the repetition period within the mode without contention (PCF).

– IEEE 802.11a, b, g: the IEEE 802.11 standard is published in four phases. Firstly, it is called 802.11, which included MAC and three specifications of physical layers (two of them operating in the 2.4 GHz band, and one using infrared). The IEEE 802.11b standard was then published. This operates in the 2.4 GHz band with the data rate of 5.5 and 11 Mbit/s. Afterwards, the IEEE 802.11g standard is specified in the 2.4 GHz band, but with a data rate of 54 Mbit/s. The wireless network based on 802.11b and 802.11g is compatible in the uplink direction. Thus, a 802.11g wireless card can be connected to the 802.11b network using the data rate of 11 Mbit/s, while the contrary is not possible. For the physical part, the following propositions are kept for the wireless network based on 802.11a: frequency band of 5 GHz without license use, OFDM with 52 subcarriers, which has a very good performance in terms of multipath resistance and high data rate from 6 to 54 Mbit/s. The higher layer is represented by the MAC layer which controls the CSMA/CA algorithm.

– IEEE 802.11e and f: the IEEE 802.11 standard is intended to support only best effort service; however, IEEE 802.11e introduced basic QoS support by defining four different access categories (ACs), namely AC_VO (voice) with highest priority, AC_VI (video), AC_BE (best effort) and AC_BK (background) with lowest priority. Actually, in CSMA/CA all WLAN stations compete for the channel with the same priority. There is no differentiation mechanism to provide better service for real-time multimedia traffic than for data applications. This is the reason behind introducing the hybrid coordination function in IEEE 802.11e which consists of two different methods of medium access, which uses the concepts of Traffic Opportunity (TXOP), referring to a time duration during which a WLAN station is allowed to transmit a burst of data frames: EDCA (Enhanced Distributed Channel Access) and HCCA (Controlled Channel Access).

The EDCA method is where each AC behaves as a single DCF contending entity with its own contention parameters (CWmin, CWmax, AIFS and TXOP), which are announced by the AP periodically in beacon frames. Basically, the smaller the values of CWmin, CWmax and AIFS[AC], the shorter the channel access delay for the corresponding AC and the higher the priority for access to the medium. In EDCA a new type of IFS is introduced, the Arbitrary IFS (AIFS), instead of DIFS in DCF. Each AIFS is an IFS interval with arbitrary length as follows: AIFS = SIFS + AIFSNx slot time, where AIFSN is called the arbitration IFS number. After sensing the medium has been idle for a time interval of AIFS[AC], each AC calculates its own random backoff time (CWmin[AC] <= backoff time<= CWmax[AC]). The purpose of using different contention parameters for different queues is to give a low priority class a longer waiting time than a high priority class, so the high-priority class is likely to access the medium earlier than the low-priority class.

The polling-based HCCA method is where different traffic classes called traffic streams (TSs) are introduced. Before any data transmission, a TS is first established, and each WLAN station is allowed to have no more than eight TSs with different priorities. In order to initiate a TS connection, a WLAN station sends a QoS request frame containing a traffic specification (TSPEC) to the AP. A TSPEC describes the QoS requirements of a TS, such as mean/peak data rate, mean/maximum frame size, delay bound and maximum Required Service Interval (RSI). On receiving all these QoS requests, the AP scheduler computes the corresponding HCCA-TXOP values for different WLAN stations by using their QoS requests in TSPECs (TXOP1, TXOP2, etc.) and polls them sequentially.

IEEE 802.11f treats the problem of interoperability among access points of different manufacturers. This standard facilitates the handover process of WLAN stations from one access point to another while maintaining the current traffic transmission.

– IEEE 802.11k: this is a proposed standard for how a WLAN should perform channel selection, roaming and transmit power control (TPC) in order to optimize network performance. It is intended to improve the way traffic is distributed within a network. In a WLAN, each device normally connects to the AP that provides the strongest signal. Depending on the number and geographic locations of the subscribers, this arrangement can sometimes lead to excessive demand on one AP and underutilization of others, resulting in degradation of overall network performance. In a network conforming to 802.11k, if the AP having the strongest signal is loaded to its full capacity, a wireless device is connected to one of the underutilized APs. Even though the signal may be weaker, the overall throughput is greater because more efficient use is made of the network resources.

– IEEE 802.11i: also called WP2, this is a standard for WLANs that provides improved encryption for networks that use the popular 802.11a, 802.11b (which includes Wi-Fi) and 802.11g standards. The 802.11i standard requires new encryption key protocols, known as the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). The 802.11i standard was officially ratified by the IEEE in June 2004 and thereby became part of the 802.11 family of wireless network specifications. The 802.11i specification offers a level of security sufficient to satisfy most government agencies. However, AES requires a dedicated chip, and this may mean hardware upgrades for most existing Wi-Fi networks. Other features of 802.11i are key caching, which facilitates fast reconnection to the server for users who have temporarily gone offline, and pre-authentication, which allows fast roaming and is ideal for use with advanced applications such as Voice-over Internet Protocols (VoIPs).

– IEEE 802.11n: in January 2004, IEEE announced that it would constitute a new working group (TGn) 802.11 for developing a new amendment to the IEEE 802.11 standard for wireless network. They estimated that the data rate would attain 540 Mbit/s. This is done by adding MIMO and channel-bonding/40 MHz operation to the PHY layer, and frame aggregation to the MAC layer. MIMO uses multiple transmitter and receiver antennas to improve system performance. MIMO is a technology which uses multiple antennas to coherently resolve more information than possible using a single antenna. Two important benefits are provided by 802.11n: antenna diversity and spatial multiplexing.

1.3.3. WPAN: IEEE 802.15

The 802.15 WPAN efforts focus on the development of consensus standards for Personal Area Networks or short distance wireless networks. These WPANs address wireless networking of portable and mobile computing devices such as PCs, Personal Digital Assistants (PDAs), peripherals, cell phones, pagers and consumer electronics, allowing these devices to communicate and interoperate with one another in a small range. Initially, this standard was developed in 1999 with an aim of enabling communication over short distances. In this group, three subgroups were initiated in parallel:

1) IEEE 802.15.1, the most well known standard which is the basis of Bluetooth technology.

2) IEEE 802.15.3, which defined UWB technology.

3) IEEE 802.15.4, the basis of Zigbee specification; the aim of this work group was to provide a solution for WPAN with a low data rate also considering the power consumption issue.

a) Bluetooth

Bluetooth was scheduled to operate in environments involving many users. There may be up to eight pieces of equipment which communicate with each other in a small network called piconet. Two or more piconets that include one or more devices participating in more than one piconet are called scatternets. The communication between the peices of equipment is coded and protected against intruders and interference. The Bluetooth equipment uses a 2.4 GHz band, available universally without license in almost all European countries and the USA. A 179 MHz channel is allocated, while only 23 channels are allocated in France, Spain, and Japan. Channel access is made by the FHSS technique with a data rate of 1 Mbps using only one type of modulation, Gaussian-shaped frequency shift keying (GFSK).

Connection scheme

Bluetooth equipment can operate either in master or slave mode. The first connection is to interconnect a maximum of eight pieces of equipment in which seven of them are slaves and one of them is the master. All of them operate together to form a piconet which is the basic and the simplest configuration of a bluetooth network.

The second connection is to interconnect piconets in order to connect one to another, forming a scatternet. The scatternet is a topology in which a multi-hop wireless network can be created. Two piconets can communicate with each other using a common node. A node can be master in a piconet and a slave in another.

Figure 1.7. A complex configuration of a scatternet

Communications

When a piece of equipment (slave) enters the piconet, it waits for an inquiry message from the master node in order to obtain the address of the master and the phase clock, which is used to calculate the hop sequences. The time is divided into slots, with 1,600 slots per second. One slot is 625 ms. A Bluetooth slave uses all the frequency bands in a cyclical manner. The slaves of the same piconet possess the same frequency sequence and when a new slave is connected, it should start knowing the set of frequency hops in order to respect the timing. The master starts its transmissions in the pair slots, while the slaves use the odd slots. Message duration can be between three and five consecutive slots.

Two different types of communications are defined in Bluetooth: asynchronous connectionless links (ACLs) and synchronous connection-oriented links (SCOs). The SCO provides a guaranteed delay and bandwidth. One slave can open three SCOs with the same master or two SCOs with two different masters, while the master can open three SCOs with three different slaves. The SCO provides a symmetric channel with CBR, which is suitable for application with symmetric bandwidth constraints.

SCOs provide a limited reliability; no retransmission is achieved and no CRD is applied on the payload, although they are optionally protected with forward error correction (FEC) of 1/3 or 2/3 and convolutional code. SCOs allow a synchronous data rate of 64 Kbit/s. ACL links are convenient for real time traffic. One slave can exchange a packet with the master according to the scheduling between slaves which is calculated by the master. An ACL can exist only between slaves and the master, which signifies that the application requirements of different parameters of QoS cannot be accommodated. The ACL link can reach 732.2 kbps.

b) UWB and Zigbee

The purpose of IEEE 802.15.3 is to provide low complexity, low cost, low power consumption and high data rate wireless connectivity among devices within or entering the personal operating space. The data rate is high enough (20 Mb/s or more) to satisfy a set of consumer multimedia industry needs for WPAN communications. This standard also addresses the QoS capabilities required to support multimedia data types. This standard is the basis of WiMedia that adopted UWB technology for multimedia personal wireless networks. The objective of Wireless USB is to replace the metallic interface of USB2 with a wireless interface data rate of 480 Mbit/s.

One of the most important characteristics of UWB is to enable the communication among devices that move at a slow speed. The topology of UWB is similar to that of Bluetooth consisting of piconet and scatternets. Also, the UWB can work in ad hoc mode and provide the QoS using the TDMA technique and using determined number of slots for the different simultaneous connections.

The Zigbee network is conceived to consume less energy but only with low mobility, unlike the UWB network. This standard specifies two layers: the physical layer based on DSSS in the frequency band of 868/915 MHz with a data rate of 20 and 40 kbps, and the physical layer based on DSSS in the frequency band of 2.4 GHz with a data rate of 250 kbps.

1.3.4. WMAN: IEEE 802.16

Emerging technologies such as WiMAX (Worldwide Interoperability for Microwave Access) which is based on IEEE 802.16 are profoundly changing the landscape of wireless broadband. This is because providing last mile connectivity to a backbone network (such as the Internet) continues to be a challenge of fundamental importance for the evolution of next generation wireless networks. This is due to the variety of fundamentally different design options. For example, there are multiple physical layer (PHY) choices: a single-carrier-based physical layer called Wireless-MAN-SCa, an OFDM-based physical layer called Wireless MAN-OFDM, and an OFDMA-based physical layer called Wireless-OFDMA. Similarly, there are multiple choices for MAC architecture, duplexing, frequency band of operation, etc.

However, for practical reasons of interoperability, the scope of the standard needs to be reduced, and a smaller set of design choices for implementation need to be defined. The WiMAX Forum does this by defining a limited number of system and certification profiles.

a) The MAC layer

The MAC layer of Mobile WiMAX provides a medium-independent interface to the PHY layer and is designed to support the wireless PHY layer by focusing on efficient radio resource management. The MAC layer supports both Point-to-Multipoint (PMP) and mesh network modes and is divided into three sublayers: the service-specific convergence sublayer, the common part sublayer and the security sublayer. The primary task of the service-specific convergence sublayer is to classify external Service Data Units (SDUs) and associate each of them with a proper MAC service flow (SF) identifier and connection identifier. The common part sublayer function is to (i) segment or concatenate the SDUs received from higher layers into the MAC Protocol Data Units (PDUs), (ii) retransmit MAC PDUs that were received erroneously by the receiver when Automated Repeat Request (ARQ) is used, (iii) provide QoS control and priority handling of MAC PDUs belonging to different data and signaling bearers, and (iv) schedule MAC PDUs over the PHY resources. The security sublayer handles authentication, secure key exchange and encryption.

Channel Access Mechanism

In WiMAX, the MAC layer at the BS is fully responsible for allocating bandwidth to all Mobile Stations (MSs), in both uplink and downlink. It supports several mechanisms by which an MS can request and obtain uplink bandwidth. Depending on the particular QoS and traffic parameters associated with a service, one or more of these mechanisms may be used by the MS. The BS allocates dedicated or shared resources periodically to each MS, which it can use to request bandwidth. This process is called polling. Mobile WiMAX defines a contention access and resolution mechanism for the case when more than one MS attempts to use the shared resource. If it already has an allocation for sending traffic, the MS is not polled. Instead, it is allowed to request more bandwidth by (i) transmitting a standalone bandwidth request or (ii) piggybacking a bandwidth request on generic MAC packets.

Quality of Service

Support for QoS is a fundamental part of the mobile WiMAX MAC layer design strong QoS control is achieved by using a connection-oriented MAC architecture, where all downlink and uplink connections are controlled by the serving BS. Before any data transmission happens, the BS and the MS establish a unidirectional logical link, called a connection, between the two MAC-layer peers. Each connection is identified by a Connection Identifier (CID), which serves as a temporary address for data transmission over the particular link. Mobile WiMAX also defines a concept of a service flow. An SF is a unidirectional flow of packets with a particular set of QoS parameters and is defined by a service flow identifier (SFID). To support a variety of applications, mobile WiMAX defines four SFs:

1) Unsolicited grant services (UGS): this is designed to support fixed-size data packets at a Constant Bit Rate (CBR). Examples of applications that may use this service are T1/E1 emulation and VoIP without silence suppression. The SF parameters that define this service are maximum sustained traffic rate, maximum latency, tolerated jitter and request/transmission policy.

2) Real-time polling services (rtPS): this service is designed to support real-time SFs such as MPEG video, that generate variable-size data packets on a periodic basis. The mandatory SF parameters that define this service are minimum reserved traffic rate, maximum sustained traffic rate, maximum latency and request/transmission policy.

3) Non real-time polling service (nrtPS): this service is designed to support delay-tolerant data streams, such as an FTP, that require variable-size data grants at a minimum guaranteed rate. The mandatory SF parameters to define this service are minimum reserved traffic rate, maximum sustained traffic rate, traffic priority and request/transmission policy.

4) Best-effort (BE) service: this service is designed to support data streams, such as Web browsing, that do not require a minimum service-level guarantee. The mandatory SF parameters to define this service are maximum sustained traffic rate, traffic priority and request/transmission policy.

b) The physical layer

The first characteristic of the physical layer is to have a different structure of channel in the uplink and downlink directions. Since the physical layer is based on Wireless MAN-OFDM A 256-carrier orthogonal-frequency division multiplexing (OFDM) scheme. Thus, the multiple access of different subscriber stations (SSs) is TDMA-DAMA (Time Division Multiple Access-Demand Assignment Multiple Access). With the TDMA-DAMA the allocation of time slots will be achieved dynamically. While in the downlink, the transmission mode will be in two modes: traffic flow continue and sporadic flow. In the first mode, the TDM technique is used for channel access. The mechanism used for duplexing is FDD in order to share resources between downlink and uplink channel. In the second mode, the access to the channel is done using TDMA-DAMA in which three methods are employed for duplexing traffic of downlink and uplink: FDD, FSDD and TDD:

– IEEE 802.16a: after completing the IEEE 802.16 standard, the group started work on extending and modifying it to work in both licensed and license-exempt frequencies in the 2 GHz to 11 GHz range, which would enable NLOS deployments. This amendment, IEEE 802.16a, was completed in 2003, with OFDM schemes added as part of the physical layer for supporting deployment in multipath environments. Besides the OFDM physical layers, 802.16a also specified additional MAC-layer options, including support for OFDMA.

– IEEE 802.16d: this is a revised standard that replaces 802.16, 802.16a and 802.16c with a single standard. Note that this standard offers a variety of fundamentally different design options. For example, there are multiple PHY choices: a single-carrier-based PHY called Wireless-MAN-SCa, an OFDM-based physical layer called Wireless MAN-OFDM, and an OFDMA-based PHY called Wireless-OFDMA. Similarly, there are multiple choices for MAC architecture, duplexing, frequency band of operation, etc. This standard was developed to suit a variety of applications and deployment scenarios, and hence offer a plethora of design choices for system developers. In fact, it could be said that IEEE 802.16 is a collection of standards, not one single interoperable standard. The primary frequency bands suggested by this standard are as follows:

   1) The 10-66 GHz band provides a physical environment where, due to the short wavelength, line-of-sight (LOS) is required and multipath is negligible. The channel bandwidths of 25 MHz or 28 MHz are typical with a raw data rate in excess of 120 Mb/s, which is suited to PMP access mode.

   2) A frequency below 11 GHz provides a physical environment where, due to the longer wavelength, LOS is not necessary: this environment is well suited to the mesh access mode.

   3) License-exempt frequencies below 11 GHz (5-6 GHz) are similar to those of the licensed band described in 2). However, it introduces mechanisms such as dynamic frequency selection to detect and avoid interference.

As a summary, the following table shows the different interfaces introduced by this standard.

Table 1.2. Air interface in IEEE 802.16

– IEEE 802.16e: this is an amendment of the IEEE 802.16-2004 standard that added mobility support. IEEE 802.16e forms the basis for the WiMAX solution for nomadic and mobile applications and is often referred to as mobile WiMAX. It is expected that the mobile WiMAX will not only compete with the broadband wireless market share in urban areas with DSL, cable and optical fibers, but also threaten the hotspot-based Wi-Fi and even the voice-oriented cellular wireless market.

New features are introduced to this standard:

(i) a new scheduling service that builds on the efficiencies of UGS and rtPS. This is called extended real-time polling service (ertPS). In this case, periodic uplink allocations provided for a particular MS can be used either for data transmission or for requesting additional bandwidth. This feature allows ertPS to accommodate data services whose bandwidth requirements change with time;

(ii) three types of handover are introduced: hard handoff, fast BS switching (FBSS) and macro-diversity HO;

(iii) finally, a scalable OFDMA-based physical layer is introduced. In this case, the FFT sizes can vary from 128 bits to 2,048 bits.

1.3.5. WMAN mobile: IEEE 802.20

IEEE 802.20 or MBWA enables worldwide deployment of affordable, ubiquitous, always-on and interoperable multi-vendor MBWA networks that meet the needs of business and residential end-user markets. It specifies physical and MAC layers of an air interface