Saturday, 9 December 2023

Why Wi-Fi for RTLS?

Choosing the right tool can significantly save time, money, and enhance efficiency. Just as an adjustable wrench excels at tightening nuts but falters at driving nails, the choice of technology matters for specific tasks.
 
Wi-Fi technology, popular for its affordability and widespread manufacturer support, undoubtedly excels in home and office networking. However, when it comes to industrial applications, it might not always be the optimal solution. While Wi-Fi can be applied, its efficiency in these scenarios is akin to driving nails with an adjustable wrench.
 
In my next blog posts I want to describe applications where I would not use the Wi-Fi.

Real Time Location System

The RTLS is the good example of application where I would not use Wi-Fi as the technology. Wi-Fi-based RTLS faces two significant problems:
  • Low Accuracy: Location accuracy typically ranges from 3 to 10 meters with a 90% probability.
  • Slow System Response: The system response time can take minutes.


Location Accuracy

Wi-Fi-based RTLS encounters challenges in achieving precise location accuracy due to several inherent technological limitations. These factors contribute to the degradation of location accuracy:
  • Logarithmic Nature of RF Propagation. The use of Received Signal Strength Indicator (RSSI) relies on the logarithmic decrease of RF waveform amplitude with distance. The logarithmic nature of Free Space Path Loss causes accuracy to degrade as the distance between the client and Access Points (APs) increases. Increasing accuracy by densifying APs escalates project costs and introduces Co-Channel Interference.
  • RF Fluctuations. Natural fluctuations in every RF environment lead to random changes in signal levels, making it challenging to predict accurate location information.
  • Nonlinear Frequency Response of Antenna Systems. Each antenna system can be perceived as a broadband filter, and the smaller the implementation of the filter, the more challenging it is to maintain a constant frequency response across the spectrum. Consequently, the Equivalent Isotropic Radiated Power (EIRP) for Wi-Fi clients varies depending on the channel, causing two APs at the same distance to the client but on different channels to measure different received signal strength (RSS).
  • Inconstant RF-Environment. Any changes in the room, such as alterations in occupancy or rearrangement of furniture, lead to fluctuations in RF signal propagation. The measured RSS in an empty room and in a crowded room will differ due to these environmental changes.
  • Lack of Calibration. APs are not measuring devices, and they lack calibration. Each Wi-Fi AP measures RSS in its unique way. Wi-Fi engineers conducting site surveys using multiple Ekahau Wi-Fi dongles can attest to the fact that each dongle measures different RSS values.
These factors collectively contribute to the challenges faced by Wi-Fi-based RTLS in achieving consistent and accurate location information. 

System Response

The slow system response arises from the communication behaviour between clients and APs. As clients communicate solely with connected APs, neighbouring APs on different channels cannot measure the client's signal. The only frame, which every client broadcast on all channels it the prob request frame. The interval of probing depends on communication conditions, and it can be up to 5 minutes is the client stay close to the AP. This resulting in a slow system response time.

To improve system response, reducing the number of enabled channels is an option, but it comes at the cost of degrading WLAN performance.

Summary

Wi-Fi proves ineffective for positioning in RTLS compared to alternatives like BLE and UWB, primarily due to its inherent limitations in accuracy and system response time. Understanding these limitations is crucial when evaluating the suitability of Wi-Fi for applications that demand high precision in real-time location tracking.


Sunday, 11 December 2022

iPCF Frame format

This is the second post about the iPCF protocol from Siemens. In the first one I described the working principle and operation modes. I also tried to show the difference between the iPCF and the PCF. In this topic I will go deeper into the iPCF packet format.

 Below is the example of the iPCF communication. I used additional coloring rules to mark the iPCF frames in green.


According to pcap file, the Siemens iPCF use only six types of frames for communication:


The IPCF pool (data) frame, S1G Beacon, the iPCF Association Request, and the iPCF Association Response are belong to the Frame Type 3 (Extension frame)

iPCF frames

Common fields of i

PCF Frames

All iPCF frames have similar frame format:

The iPCF frame consist of:
  • Frame control field. All subfields of the Frame Control field are same as in the standard Wi-Fi frame.
  • Duration field. (Same meaning as in standard Wi-Fi)
  • Receiver MAC Address (only one field)
  • Frame body (except the ACK Frame)
  • FCS
Actually, the format of the MAC header is very similar to the ACK Frame. The iPCF header has only one MAC address field.

S1G Beacon


The frame rate is about 30 frames per second. The number of tags in the payload is variable.
Unlike the S1G Beacon frame, the standard Beacon in the iPCF mode is broadcasted at one frame per second and has fixed tag fields.

According to the standard PCF protocol, the Beacon must announce the start of the Contention Free communication. In the iPCF neither the Beacon no S1G Beacon have information about the Contention Free time slot. In case an iPCF and a DCF wireless devices are sharing the same medium it can cause collisions.

Pool frame / Data Frame

As mentioned before, the Data Frame has the same format as the ACK frame, and it has the receiver address only.
The Frame has the Frame Type 3, and the Subtype 2.


Association Request

The Association Request has very simple MAC header with only one MAC field. It has also frame body, but the Wireshark cannot decode this information.

Below is the example of the Association iPCF Request Frame.

The example of the Frame Body of the Association Request Frame:

Association Response

Like all iPCF frames, the Association Response frame has very simple MAC header. As with an association request, the frame body of an association response cannot be decoded.

Below is the example of the Association Response Frame


Client Connection

You know that there are four mandatory steps if the wireless client what to connect to a BSSID.
  1. Active Probing (two-frame handshake)
  2. Authentication (two-frame handshake)
  3. 802.11 Association (two-frame handshake)
  4. Robust Security Network Association (RSNA) (at least four-frame handshake)

The iPCF use only the Association for client connection. The client sends an Association request, and the AP replies with the Association response. The transmitter confirms the successful receiving of an Association Frame with an ACK frame.

Client Roaming

The roaming procedure of the proprietary Siemens wireless LAN protocol is completely different. 
In the standard Wi-Fi the wireless client uses the Reassociation Frame to inform the target access point about the previous connection. This information can be used to speed up authentication and receive buffered data packets from the first access point. 

Siemens access points are standalone and the is not any cooperation protocol for exchanging information about clients.

The main thing, if we are talking about the roaming, is that it is always the client's decision. The trigger of the roaming depends on the Wi-Fi mode:
  • In the iPCF mode the client stay connected to the first access point even the connection is bad. The client goes to the out-of-band passive scanning only if it loses the connection.
  • In the iPCF-MC mode the client periodically goes to the MC channel for the passive scanning. If the signal strength of the neighbour access point is higher than the signal strength of the current access point, the client decides to roam. All access points in the iPCF-MC design have two radios in 5 GHz band. 
    • One for management communication (MC). All access points use the same MC channel
    • Another one is for data communication (DC) is used for data plane.
So, in the iPCF mode the trigger for the roaming is the lost of the signal from the access point; in the iPCF-MC it is the signal level of Beacons on the MC channel.

Data / Pooling

Each client uses its timeslot for uplink and downlink communication with the access point.
The following is an example of communication when two iPCF clients are connected to the same access point.

The I/O graph show us that each client uses about 1300 frames per second to communicate with the access point. 

If we look at the Airtime graph below, we can see that each client requires about 8% of Airtime. 


Conclusions

Traditionally let me summarise all information in a few key points.

  1. Not all in formation of iPCF frames can be decoded by standard Wi-Fi radio. This can course problems in mix operation of the iPCF and the DCF Wi-Fis. I recommend using different frequency domains for different systems.
  2. Use the iPCF mode for RCoax antennas only. Otherwise, it can course roaming issues.
  3. Take in account that the coverage of the MC channel should be the same or even a bit less than the coverage of the DC channel.
  4. Avoid DFS channels to protect your Wi-Fi from the radar interference.



Friday, 19 August 2022

Siemens iPCF vs 802.11 PCF

This blog post will explain basic working principle and operation modes of the Siemens iPCF and compared to 802.11 PCF medium access technologies. The next post will take a detailed look at the iPCF frame format.

Before we go deeper into the Siemens iPCF Wi-Fi, let’s review what we know about the PCF technology.

PCF

The PCF is short for Point Coordination Function. It is the medium access control (MAC) technology for a deterministic Wi-Fi communication. Two well-known Wi-Fi coordination techniques are DCF (Distributed coordination function) and EDCA (Enhanced Multimedia Distributed Control Access). Both this medium access technologies are based on CSMA/CA (Carrier-sense multiple access with collision avoidance) access method to coordinate the access to the RF-medium. In other words, all Wi-Fi devices are making the “transmit or not transmit” decision based on CSMA/CA rules. It is very important to understand that the main idea of the distributed coordination – there is no decision-making device. All participants are equal. The downside of this model is that it impossible to predict who will be the next.

Unlike DCF and EDCA, in a PCF access point coordinates the communication within the Basic Service Set (BSS). Like in the TDM (Time-division multiplexing), every client device has a time slot in the communication cycle. It means that every Wi-Fi client, connected to the AP in the PCF mode get a predicted chance to communicate with the AP.

The PCF has higher priority over the common DCF/EDCA Wi-Fi because the PIFS (Point coordination function interframe spacing) duration is shorter as than DIFS or AIFS.

Fig.1 interframe spacing

The Access Point announces in the Beacon two intervals: one for Contention Free (or PCF) and another one for Contention Based (or DCF) communication. The CF intervals begins right after the beacon and ends after the CF-End frame. During the CF time, no station is allowed to transmit without getting CF-Pool frame. The AP sends the CF-Poll frame to the PCF capable station to permit it to transmit a frame.



Fig2. PCF cycle

The PCF is less efficient compared to DCF, but the PCF has other advantages. This technology is more suitable for low data rate, low latency, low Jitter communication. 

Comparison of PCF and DCF Wi-Fi:

Despite its advantages, PCF was newer implemented in the real world. 
  • Wait! What about the iPCF from Siemens? 
  • No. Honestly, the iPCF has nothing to do with PCF except time slots. Well, let’s go deeper into the iPCF from Siemens.

iPCF

iPCF is the proprietary Wi-Fi protocol from Siemens for real time deterministic wireless communication. The typical use case of the iPCF is not WLAN, but WSN (Wireless Sensor Network). The iPCF is very good compatible with the industrial Ethernet-based protocol PROFINET IO for communication between PLC and I/O stations. The main difference between the Siemens iPCF and classical WSN based on IEEE 802.15.4 Standard is the bandwidth. The 802.15.4 based communication uses 2 or 5 MHz channels and has the throughput up to 250 kbps (PHY). The iPCF has 19 Mbps (PHY). Besides this, the iPCF use channels in the 5 GHz frequency band. The 802.15.4 is designed for Sub-1GHz and 2.4 GHz frequencies.  Thus, in some cases, iPCF can be more useful and more stable than the WSN based on 802.15.4, especially if clients have no power limitation.

iPCF medium access

In opposite to the PCF, the iPCF does not support the Contention Based communication.
When an iPCF client joins an iPCF access point, it is given a time slot in the iPCF cycle. It is up to AP in which order the client will be served. 
There are two cycle types: the fixed cycle time and the flexible (not fixed) cycle time.

iPCF with fixed cycle time

The duration of the fixed cycle time can be 8, 16, 32, 64, or 128ms. Every client get about 2ms time slot. It means that no more than 4 clients can be connected to the iPCF with the fixed cycle 8ms, no more than 8 clients per 16ms cycle, and so on. If less clients are connected as the cycle time allows, than some clients get additional time slot per cycle. The figure illustrates how the 8ms cycle looks like if three clients are connected. Note that there is a slot in the middle of the cycle, which is reserved for Broadcast and Multicast traffic.
Fig3. iPCF fixed cycle


The iPCF with fixed cycle has more practical application because the compatibility with the PROFINET protocol. 
The iPCF cycle cannot be more than the PROFINET cycle.

iPCF with flexible cycle time

The iPCF with the flexible cycle time works different. The duration of the cycle is theoretically unlimited (I did not check it) and is equal the sum of time slots for all clients connected to the AP. In our example it is equal to 6ms. If a new Client joins the Access Point, the duration of the cycle is 2ms more.


Fig4. iPCF flexible cycle

There is the time slot 1ms for broadcast and multicast after every third cycle.

NOTE: In my lab I have tested only one client with one Access Point. It would be interesting to test the iPCF in case at last two Access Points use the same channel. 

Conclusions & Suggestions

PCF vs iPCF

  • PCF and DCF can co-exist. iPCF cannot operate simultaneously with DCF.
  • the PCF cycle is divided into two intervals: contention based and contention free. The iPCF support only contention free communication.
  • The iPCF is proprietary Siemens protocol.

Suggestions

  • Avoid busy channels. Remember, the iPCF is not compatible with standard Wi-Fi!
  • I would avoid U-NII-1 channels from 36 to 48 for following reason:
    •  The channel 36 is the default channel for most Wi-Fi vendors. The 80 MHz channel width is very oft the default value. The likelihood that someone will put their mobile phone into hotspot mode and the channel will be 36@80 is very high.
    • In case a standard Wi-Fi access point measures a radar signal it must change the channel. Some vendors use the channel 36 as the default
  • Never, never, never use 2,4 GHz channels for iPCF!
  • Do not use DFS channels (U-NII-2C band). 
  • Siemens does not have a RRM feature. Use static channel design.
  • I would recommend using of U-NII-3 channels. In most cases this band is free. Remember about EIRP limitations for this band. It is 14dBm only

References


















Thursday, 6 January 2022

Wi-Fi Security Standards and Certifications

Wenn I learn something new, the most difficult and important point for me is to understand the whole picture and create a short description or a pivot table for the topic. While preparing for the CWSP exam I took a lot of notes and now is a good time for the final part.
I took as a basis the table 1.2 Security Standards and Certifications at the page 20 of the book CWSP Certified Wireless Security Professional Study Guide: Exam CWSP-205, 2nd Edition (ISBN-10: 1119211085). 
The main reason why I decided to create a new table is that I didn't find in the Internet similar table with include information about the WPA3. So simple is that.

Security Standards

The history of Wi-Fi security standards can be divided into two parts: pre-RSNA (before the the 802.11i was established) and RSNA (IEEE 802.11i) 
The RSNA stands for Robust Security Network Association. Don’t confuse the 802.11 Association and the RSN Association. The 802.11 Association is the compatibility check between two STAs. The 802.11 Association is like the green LED of the switch port for a wired network. The successful 802.11 Association means that the transport protocols are up and working and both STAs can transmit data frames to each other.
The RSN Association is as an extension over the legacy 802.11 security. The RSNA provides data encryption with secure integrity protocols TKIP, CCMP and GCMP, a secure STA’s authentication and association, and creation and management of dynamic encryption keys. If the RSNA is done, both STAs have been authenticated and can securely transmit data to each other.
Key points of the RSNA are:
  • Key hierarchy: MSK (Master Session Key); Master Keys for unicast (PMK) and multicast (GMK) derivative; and encryption keys for unicast (PTK) and multicast (GTK)
  • The 4-way handshake and the group key handshake to establish PTK and GTK
  • dynamic keys

Wi-Fi Security Certification

Whereas IEEE standards describe technologies, Wi-Fi Protected Access (WPA) certifications specify mandatory and optional requirements to be met by any certified device.
At this moment the Wi-Fi Alliance developed three generation of the certification programs – WPA, WPA2, and WPA3. Each program consists of at least one Personal and at least one Enterprise certification. 

  • WPA is based on the draft of the IEEE 802.11i. It was a temporary solution to cover security risks of the WEB. The reason for the designing of the temporary solution was that in most cases it could be implemented through a firmware update. The WPA implements the Temporal Key Integrity Protocol (TKIP).
  • WPA2 is an implementation of the full version of the IEEE 802.11i. The WPA2 includes mandatory support for CCMP, an AES-based encryption mode
  • WPA3 replaces direct derivation from PSK through SAE key generation and provides more secure encryption protocol GCMP and cypher modes for Enterprise deployments. The WPA3-Enterprise 192 uses the Cipher Suite B (AES-256 in GCM mode with SHA-384 as HMAC). Also, all WPA3 certifies devises have to support the Protected Management Frames (PMF) standard, which was described in the IEEE 802.11w. 

802.11 authentication

As you know there are two mandatory steps in case a client wants to join the wireless network: the 802.11 authentication and the 802.11 association. 
The 802.11 authentication is like physically plug in to a switch port for a wired network. There are fore types of the 802.11 authentication:
  • Open System – means a NULL authentication. There are three use cases for this type of authentication:
    • You have an open network and use neither identity verification no wireless traffic encryption or you authenticate users over a WEB portal only.
    • You have an upper layer security, for example VPN.
    • You have a Robust Security Network (RSN) for identity verification, data privacy and key management.
  • Shared WEP key authentication (SK) – four-way 802.11 authentication frame exchange. Due to the WEP authentication sends the challenge text in clear and in hashed text within the handshake, the passphrase can be easily cracked.
  • Fast BSS Transition authentication. It is used for fast roaming. Since it is not used for initial authentication, it is not listed in the table.
  • The Simultaneous Authentication of Equals (SAE) Authentication. The SAE was originally designed for use between peers (for instance for MESH networks) and later was adopted for the WPA3-Personal security standard. The biggest advantage of the SAE that password isn’t used as a credential in the authentication. As a result, the SAE has high protection against dictionary and/or brute‐force attacks. Unlike WPA/WPA2 the PMK is secretly calculated by both parties without sharing key data used in the process.

RSN Authentication

The Robust Security Network support three authentications:
  • Pre-shared key (PSK) authentication. Do not confuse the WPA2-PSK authentication with the SK authentication for the WEP. In both cases the authentication is used to check that both the client and access point possess the correct pre-shared password. Both authentications use the 4-frame exchange. But:
    • The WPA-PSK use open 802.11 Authentication and the 4-Way Handshake for authentication and key generation.
    • The WPA-PSK generate unique dynamic encryption keys for the session between WLAN devices, while the WEP use static keys
    • Encryption keys of WPA-PSK are secretly calculated by both parties without sharing key data, unlike in WEP
    • The WPA-PSK passkey is not used to encrypt the frame, unlike in WEP.
  • Extended Authentication Protocol (EAP) described in the IEEE 802.1X standard. The EAP authentication requires a RADIUS server to check client identity.
  • Simultaneous Authentication of Equals (SAE) was first described in the IEEE 802.11s standard and then became part of the WPA3-Personal certification.

Encryption Protocols and Cipher Suite

I have tried to put all information I have about this topic into one table.
The WEP and TKIP should not be used in wireless RSN design.


The CCMP and GCMP are secure protocols used to provide authentication and data confidentiality. More information about these protocols you will find in the my blog post: CCMP vs GCMP

Monday, 31 May 2021

CCMP vs GCMP

Abbreviations and acronyms

  • CCMcombines CBC-MAC (Cipher Block Chaining Message Authentication Code) technique for constructing a message authentication code from a block cipher with Counter Mode of encryption
  • GCMcombines the Galois Mode of authentication with Counter Mode of encryption.
  • TK (Temporal key) is used to accomplish all encryption processes. Both WPA2, and WPA3 Personal use AES with a 128-bit key. WPA3 Enterprise uses 192-bit session key. TK can be:
    • PTK - pairwise transient key for unicast
    • GTK - group temporal key for multicast
  • PN (Packet Number) - 48-bit is much like a TKIP sequence number (protects from replay and injection attacks). The PN shall never repeat for a series of encrypted MPDUs using the same temporal key.
  • ADD (Additional authentication data) is Constructed from portions of the MPDU header, this information is used for data integrity of portions of the MAC header.
    • All of the MAC addresses
    • FC – MPDU Frame Control field: (green)- protected; (yellow) – set to 0; (blue) – set to 1
    • Sequence Control Field:
      • 4 bits fragment number is not modified
      • 12 bits sequence number is masked to 0
    • QoS Control field
      • QC TID is used
      • remaining QC fields are set to 0

Encryption / data integrity process

CCMP/GCMP  encryption & data integrity processes are looking similar:


1. Increment the PN, to obtain a fresh PN for each MPDU
2. Create AAD
3. Create Nonce
  • CCM  nonce block:  13 Octets (Nonce = QoS + A2 + PN):
    • 1 Octet: Priority field
      • = 0, in case no QoS Control field in MPDU
      • = (bits 0 to 3 = TID) + (bits 4 to 7 = 0)
    • 6 Octets = MPDU address A2 field
    • 6 Octets = Packet Number (PN)
  • GCM nonce block: - 12 Octets: (Nonce = A2 + PN)
    • 6 Octets = MPDU address A2 field
    • 6 Octets = Packet Number (PN)
4. Construct the 8-octet CCMP / GCMP header (identical to the 8-octet TKIP header). It includes:
  • the Key ID 
  • the Packet Number (PN)
5. CCM/GCM originator processing of the temporal key, the nonce, the AAD, and the plaintext data
  • to create an 8-byte MIC.
  • to encrypt the MSDU payload of the frame body and the MIC
6 Creating the final MPDU, which consists of:
  • the original MAC header 
  • the CCMP / GCMP header, 
  • the encrypted MSDU, 
  • the encrypted MIC, and 
  • a frame check sequence (FCS) is calculated over all of the fields of the header and entire frame body. The resulting 32-bit CRC is then placed in the FCS field.

CCMP / GCMP MPDU Format

The frame body consists of:
  • the CCMP / GCMP header (is not encrypted), - 8 bytes (compared to the 4 octets in WEP header)
    • the Key ID and 
    • the packet number (PN), which is divided into 6 octets
  • the MSDU upper-layer payload (encrypted) 
  • the MIC (encrypted) - 8 bytes
  • Note that CCMP / GCMP does not use the WEP ICV
In other words, CCMP / GCMP encryption adds 16 bytes of overhead to an 802.11 MPDU.

Advantages of AES-GCM cipher

  • AES-GCM is a more secure
    • The AES-GCM does not use the XOR operation for each block with the previous block as it do the AES-CBC.  As a result GCM is not susceptible to counter attacks like the bit flipping.
    • Message authentication (via GMAC/GHASH) is done on the ciphertext (in CBC-MAC on the plaintext)
  • AES-GCM is faster
    • Instead 2 x AES operations per block in AES-CBC, it uses 1 x AES operation and 1 x GHASH per block (GHASH generally faster than AES, so GCM is faster)
    • each 
    • Each block with AES-GCM can be encrypted independently

Links