
Faculté des Sciences de Bizerte Département Informatique

Université de Carthage MP-TRT-1

WLAN, WPAN and IOT


Emna Ben Salem
Master of Telecommunications and Networks
2019/2020
Outline

Chapter 1: WLAN : IEEE 802.11x Standard

Chapter 2: WPAN : ZigBee, Bluetooth

Chapter 3: LPWA : LoRaWAN

Chapter 4: IoT

2
Introduction

- Designing an IoT network involves multiple, different standards
3
Chapter 1
WLAN : IEEE 802.11x
• WLAN Architecture and Services
• Physical and Data Link Layers
• Access, Handover, Security

4
Definition of WLAN

• A wireless local area network (WLAN) is a wireless distribution method for two or more devices that use radio or infrared signals instead of traditional network cabling.

• A WLAN allows users to move around the coverage area, often a home or small office, while maintaining a network connection.

5
Characteristics of WLANs

• Advantages
Flexible deployment, Mobility, Robustness, Cost, ...

• Disadvantages
QoS, Proprietary Solutions, Frequency Restrictions, Safety and Security

• Design goals of WLANs
Global Operation, Low Power, License-free Operation, Robust Transmission Technology, Ad-hoc Operation, Transparency to Higher Layers, ...

• Transmission technologies in WLAN
- Infrared
- Radio waves 2

6
WLAN Architecture Components

• Station (STA):
− Any device that contains an 802.11 conformant MAC and PHY interface to the wireless medium
• Basic Service Set (BSS):
− A set of STAs controlled by a single CF (Coordination Function)
• Independent BSS (IBSS) as an Ad Hoc Network:
− A set of STAs which are directly connected
• Access Point (AP):
− An AP is a STA which provides access to the DS by providing DS services in addition to Station Services.

[Figure: ESS with BSS 1, BSS 2, STA 1 to STA 4, two APs and the DS]

7
WLAN Architecture Components
• Extended Service Set (ESS):
– A set of interconnected BSSs
– Stations within an ESS can communicate and mobile stations may move from one BSS to another (within the same ESS)
• Distribution System (DS):
– A system used to interconnect a set of BSSs to create an ESS. It is used in an Infrastructure Network
• Basic Service Area (BSA):
– The area within which members of a BSS can communicate
• Extended Service Area (ESA):
– The area within which members of an ESS can communicate

[Figure: ESS with BSS 1, BSS 2, STA 1 to STA 4, two APs and the DS]
8
WLAN Architecture Components

• To integrate the 802.11 architecture with a traditional wired LAN, a logical architecture component is introduced: Portal
• All data from non-802.11 LANs enters the 802.11 architecture via the portal
• The portal must also consider the dynamic membership of BSSs and the mapping of address and location required by mobility
• Physically, a portal may, or may not, include bridging functionality depending on the physical implementation of the DS

[Figure: BSS 1 and BSS 2 (STA 1 to STA 4, two APs) on the DS, with a Portal connecting the DS to an IEEE 802.X LAN]

9
Logical Services
• 802.11 defines two categories of services: Station Service
(SS) and Distribution System Service (DSS)
• Station Services (SS):
– The set of services that support transport of MSDUs (MAC Service Data
Units) between Stations within a BSS
– Present in every 802.11 station, including APs
– Are specified for use by MAC layer entities
– The SS subset is:
» Authentication
» De-authentication
» Privacy
» MSDU delivery
• Distribution System Services (DSS):
– The set of services provided by the DS which enable the MAC to transport
MSDUs between BSSs within an ESS
– The DSS subset is:
» Association and disassociation
» Distribution and integration
» Re-association
10
Authentication and De-authentication
• An open system example:
(a) Assertion: I'm station 1
(b) Challenge: Null
(c) Response: Null
(d) Result: Station becomes Authenticated

• A password based example:
(a) Assertion: I'm station 1
(b) Challenge: Prove your identity
(c) Response: Here is my password
(d) Result: If password OK, station becomes Authenticated

• A Cryptographic challenge/response based example:
(a) Assertion: I'm station 1
(b) Challenge: Here is some information (X) I encrypted with your
public key, what is it ?
(c) Response: The contents of the challenge is X (only station 1's
private key could have recovered the challenge contents)
(d) Result: OK, I believe that you are station 1
11
Privacy and MSDU Delivery

• The privacy service, applying to all data frames and some authentication management frames, is based on the 802.11 Wired Equivalent Privacy (WEP)
• The WEP algorithm performs encryption of MSDU
• 802.11 provides for an Authentication mechanism
– To aid in access control
– Has provisions for Open, Shared Key or proprietary authentication extensions
• Optional (WEP) Privacy mechanism defined by 802.11
– Limited for Station-to-Station traffic, so not “end to end”
– Embedded in the MAC entity

12
Association and Disassociation

Association:
• The service which establishes an initial Association between a station
and an access point
• Before a STA is allowed to send via an AP, it must first become
associated with the AP
• At any given time, a mobile STA may be associated with no more than
one AP. This ensures that the DS can determine which AP is serving a
specified STA
• Association is always initiated by the mobile STA
Reassociation:
• The service which enables an established Association (of a STA) to be
transferred from one AP to another AP (within an ESS)
• Reassociation is always initiated by the mobile STA
Disassociation:
• The service which deletes an existing Association
• The Disassociation can be invoked by either party to an Association
(mobile STA or AP)
13
Distribution and Integration Services
Distribution:
• The service which (by using Association information) delivers MSDUs within the DS
• Consider a data message being sent from STA1 to STA4 via STA2 (Input AP) and STA3 (Output AP). The input AP gives the message to the Distribution Service of the DS
Integration:
• The service which enables delivery of MSDUs between the DS and an existing network
• If the Distribution Service determines that the intended recipient of a message is a member of an integrated LAN, the "output" point would be a Portal instead of an AP

[Figure: BSS 1 and BSS 2 (STA 1 to STA 4, two APs) joined by the DS (distribution), and a Portal between the DS and an IEEE 802.X LAN (integration)]
14
802.11 Layers
• The 802.11 standards cover definitions for both MAC (Medium Access Control) and Physical Layer
• The standard currently defines a single MAC which interacts with four PHYs

Logical Link Control (LLC)
MAC Layer: Point Coordination Function (PCF), Distributed Coordination Function (DCF)
Physical Layer:
- 802.11: Infrared
- 802.11: 2.4 GHz FHSS
- 802.11: 2.4 GHz DSSS
- 802.11a: 5 GHz OFDM
- 802.11b: 2.4 GHz DSSS
- 802.11g: 2.4 GHz DSSS, OFDM

15
Physical Layer Architecture
The architecture of the Physical layer comprises two sublayers for each station

• Physical Layer Convergence Procedure (PLCP):
− Responsible for the Carrier Sense (CS) part of the Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) protocol
− Prepares the MPDU for transmission
− Delivers the incoming frames from the wireless medium to the MAC layer

• Physical Medium Dependent (PMD):
− Transmission and reception of physical layer entities between stations through the wireless media
− Provides the modulation/demodulation of the transmission

16
Physical Layer Architecture
[Figure: sender and receiver stacks. The MAC hands a MAC Protocol Data Unit (MPDU) to the PHY; the PLCP sublayer carries it as PLCP header + MPDU; the Physical Media Dependent (PMD) layer sits below]

PHY options shown (2.4 GHz and 5 GHz):
- Frequency Hopping Spread Spectrum (FHSS) PHY: 1, 2 Mbps
- Direct Sequence Spread Spectrum (DSSS) PHY: 1, 2 Mbps
- Infrared (IR) PHY: 1, 2 Mbps
- High rate (DSSS) PHY: 11, 5.5 Mbps (802.11b)
- Higher rate (DSSS OFDM) PHY: 20+ Mbps (802.11g)
- Orthogonal Frequency Division Multiplexing (OFDM) PHY: 6, 9, 12, 18, 24, 36, 48, 54 Mbps (802.11a)

17
DSSS PMD Sublayer

• Each signal symbol is spread with the 11-chip sequence 10110111000
(+1 -1 +1 +1 -1 +1 +1 +1 -1 -1 -1)
• Wider bandwidth, less power density
• Modulation : DBPSK, DQPSK (Differential Binary/Quadrature Phase Shift Keying)
• DSSS channel: The DSSS PHY has 14 channels
– In the 2.4-GHz band, each band is shifted by 5 MHz.
– Channel 1 is placed at 2.412 GHz, channel 2 at 2.417 GHz, and so on up to channel 13 at 2.472 GHz
• Data Rate : 1 and 2 Mbps (IEEE 802.11), 5.5 and 11 Mbps (IEEE 802.11b), 22 and 33 Mbps (IEEE 802.11g)
DSSS Transmitter/Receiver

[Figure: DSSS transmitter (signal bits, encoder, multiplication by the code generator output, DQPSK modulator) and receiver (DQPSK demodulator, multiplication by the code generator output, decoder, signal bits), with the power density shown before and after spreading]

19
FHSS PMD Sublayer
• Each available frequency band is divided into sub-frequencies.
• Signals hop rapidly by shifting carriers across numerous channels, following a pseudorandom sequence which is already known to the sender and receiver
• 802.11 Frequency Hopping PHY uses 79 hopping channels (2.402-2.480 GHz) with 1 MHz channel spacing
• Every frequency is GFSK modulated with a channel width of 1 MHz and rates defined as 1 Mbps and 2 Mbps respectively

20
FHSS Transmitter/Receiver

[Figure: FHSS transmitter and receiver block diagrams]

21
OFDM PMD Sublayer

• 20 MHz/64 subcarriers per channel, subcarrier spacing 312.5 kHz
• 52 subcarriers (Data and Pilot) occupy 16.6 MHz
• 12 additional subcarriers are used to normalize the average power of the OFDM symbol
• Bandwidth and Data Rate
– 2.4 GHz band (IEEE 802.11g)
– 5 GHz band (IEEE 802.11a)
– 6, 9, 12, 18, 24, 36, 48 and 54 Mbps
– BPSK (6, 9 Mbps), QPSK (12, 18 Mbps), 16-QAM (24, 36 Mbps), 64-QAM (48, 54 Mbps)
• The symbol duration is 4 μs
• The standard symbol guard interval used in IEEE 802.11 OFDM is 0.8 μs (TFFT/4)

22
OFDM Transmitter/Receiver

[Figure: OFDM transmitter (S/P, mapping, IFFT, guard interval, RF modulator) and receiver (RF demodulator, GI, S/P, FFT, decision, P/S)]

23
Channelization
• 8 independent channels in 5.15GHz-5.35GHz
• 4 independent channels in 5.725-5.825GHz

24
Infrared Transmission
• Diffused infrared physical PMD translates the binary signal of the frame into light pulses that are used for transmission
• 1 and 2 Mbps transmission with 6-PPM and 4-PPM (PPM: Pulse Position Modulation)
• PHY operates only in indoor environments

25
PLCP Frame Formats (IEEE 802.11b)
Two different preamble and header formats

– Long PLCP PPDU format (Mandatory in 802.11b)
» 144-bit preamble : 1 Mbps DBPSK
» 48-bit header : 1 Mbps DBPSK
» Takes 192 us
» PSDU : 1, 2, 5.5, 11 Mbps
» Compatible with 1 and 2 Mbps

– Short PLCP PPDU format (Optional in 802.11b)
» Minimize overhead, maximize data throughput
» 72-bit preamble : 1 Mbps DBPSK
» 48-bit header : 2 Mbps DQPSK
» Takes 96 us
» PSDU : 2, 5.5, 11 Mbps

26
Long PLCP Frame Format

PPDU layout:
Long PLCP Preamble (144 bits at 1 Mbps, DBPSK): SYNC (128 bits), SFD (16 bits)
Long PLCP Header (48 bits at 1 Mbps, DBPSK): SIGNAL (8 bits), SERVICE (8 bits), LENGTH (16 bits), CRC (16 bits)
PSDU/MPDU (1, 2, 5.5, 11 Mbps): 1 Mbps DBPSK, 2 Mbps DQPSK, 5.5, 11 Mbps DQPSK

• SYNC : Used for receiver to clock on to the signal
• SFD : Start Frame Delimiter, 16-bit field (F3A0) used for bit synchronization
• SIGNAL : Rate indication (0A: 1 Mb/s DBPSK, 14: 2 Mb/s DQPSK, 37: 5.5 Mb/s CCK or PBCC, 6E: 11 Mbps CCK or PBCC)
• SERVICE : Reserved for future use (00 compatible IEEE 802.11)
• LENGTH : Indicates the number of microseconds to be transmitted
• CRC-16 : Cyclic Redundancy Check protects Signal, Service and Length Field
27
Short PLCP Frame Format

PPDU layout:
Short PLCP Preamble (72 bits at 1 Mbps, DBPSK): SYNC (56 bits), SFD (16 bits)
Short PLCP Header (48 bits at 2 Mbps, DQPSK): SIGNAL (8 bits), SERVICE (8 bits), LENGTH (16 bits), CRC (16 bits)
Preamble and header together: 96 us
PSDU/MPDU (2, 5.5, 11 Mbps): 2 Mbps DQPSK, 5.5/11 Mbps CCK

• SYNC : 56 zero bits (‘0’)
• SFD : 16-bit field (05CF) used for bit synchronization
• SIGNAL : Rate indication
- 14 2 Mb/s DQPSK
- 37 5.5 Mb/s CCK or PBCC
- 6E 11 Mbps CCK or PBCC
28
802.11 MAC Sublayer

• In 802.11 wireless LANs, “seizing channel” does not exist as in 802.3 wired Ethernet
• Two additional problems:
– Hidden Terminal Problem (figure a)
– Exposed Station Problem (figure b)
• To deal with these two problems 802.11 supports two modes of operation in its MAC sublayer

29
MAC Architecture
• All implementations must support DCF, but PCF is optional
• Distributed Coordination Function (DCF)
– The fundamental access method for the 802.11 MAC is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
• Point Coordination Function (PCF)
– Shall be implemented on top of the DCF
– A point coordinator is used to determine which station currently has the right to transmit
– Shall be built up from the DCF through the use of an access priority mechanism

[Figure: MAC extension above the PHY. Point Coordination Function (PCF): required for Contention Free Services. Distributed Coordination Function (DCF): used for Contention Services and basis for PCF]
30
Distributed Coordination Function

• Allows for automatic medium sharing between similar and dissimilar PHYs through the use of CSMA/CA and a random backoff time following a busy medium condition

• A station shall determine that the medium is free through the use of the carrier sense function for the interval specified

• Physical Carrier Sense Mechanism : A physical carrier sense mechanism shall be provided by the PHY

• Virtual Carrier Sense Mechanism : Provided by the MAC, named Network Allocation Vector (NAV)

• Positive Acknowledgment: To allow detection of a lost or errored frame, an ACK frame shall be returned immediately. The gap between the received frame and the ACK frame shall be SIFS
31
Distributed Coordination Function -
Inter-Frame Space (IFS)
• Distributed and centralized control can co-exist using Inter Frame Spacing
• Short-IFS (SIFS)
– is the time waited between packets in an ongoing dialog (RTS, CTS,
data, ACK, next frame)
– Any STA intending to send only these frame types shall be allowed to
transmit after the SIFS time has elapsed following a busy medium
• PCF-IFS (PIFS)
– Shall be used only by the PCF to send any of the Contention Free
Period frames
– when no SIFS response, base station can issue beacon or poll
• DCF-IFS (DIFS)
– Shall be used by the DCF to transmit asynchronous MPDUs
– A STA using the DCF is allowed to transmit after it detects the medium
free for the period DIFS, as long as it is not in a backoff period
• Extended IFS (EIFS): lowest priority interval, used to report a bad or unknown frame

32
Distributed Coordination Function -
Inter-Frame Space (IFS)

33
CSMA/CA
[Figure: CSMA/CA timing. Free access when the medium is free longer than DIFS. After a busy medium, stations defer access for SIFS, PIFS or DIFS; the contention window of backoff slots (slot time) then precedes the next frame. Select a slot and decrement the backoff as long as the medium is idle]

• Reduce collision probability
– Stations are waiting for medium to become free
– Select Random Backoff after a Defer, resolving contention to avoid collisions
• If busy medium, the STA shall defer until after a DIFS gap is detected, and then generate a random backoff period for an additional deferral time (resolve contention)

34
Physical Channel Sensing in CSMA/CA
[Figure: the source sends Data after DIFS; the destination returns an Ack after SIFS; other stations defer access and, after DIFS, back off in the contention window before the next MPDU]

• Defer access based on Carrier Sense function in PHY called Clear Channel Assessment (CCA)
• Direct access when medium is sensed free longer than DIFS, otherwise defer and backoff
• Receiver of directed frames to return an ACK immediately when CRC correct
• When no ACK received then retransmit frame after a random backoff
35
Virtual Channel Sensing in CSMA/CA

The use of virtual channel sensing using CSMA/CA.

• C (in range of A) receives the RTS and based on information in RTS creates a virtual channel busy NAV (Network Allocation Vector)
• D (in range of B) receives the CTS and creates a shorter NAV

36
Point Coordination Function

• It resides in an AP to coordinate the communication within the network
• PCF uses a base station to poll other stations to see if they have frames to send
• The PCF waits for PIFS duration rather than DIFS duration to grasp the channel
• PIFS is less than DIFS duration and hence the point coordinator always has the priority to access the channel
• Channel access in PCF mode is centralized and hence the point coordinator sends a CF-Poll frame to the station to permit it to transmit a frame
• Base station can tell another station to sleep to save on batteries, and the base station holds frames for the sleeping station
• No collisions occur

37
Fragmentation in IEEE 802.11

• High wireless error rates: long packets have less probability of being successfully transmitted

• Solution: MAC layer fragmentation with stop-and-wait protocol on the fragments

38
MAC Frame Types

• There are nine services specified by 802.11. Six to support MSDU delivery between stations, and three to control 802.11 access and confidentiality

• Each of the services is supported by one or more MAC frames

• Some of the services are supported by MAC Management messages and some by MAC Data messages

• 802.11 MAC layer uses three types of messages:
– Data : handled via the MAC data service path
– Management: handled via the MAC Management Service data path
– Control

39
MAC Frame Formats
• Each frame should consist of three basic components:
– A MAC Header, which includes control information, addressing, sequencing, fragmentation identification, duration and QoS information
– A variable length Frame Body, which contains information specific to the frame type
– A frame check sequence (FCS), which contains an IEEE 32-bit cyclic redundancy code (CRC)

Frame layout (the first seven fields form the 802.11 MAC Header):
Field             Octets
Frame Control     2
Duration ID       2
Addr 1            6
Addr 2            6
Addr 3            6
Sequence Control  2
Addr 4            6
Frame Body        0-2312
CRC               4

Frame Control field:
Subfield          Bits
Protocol Version  2
Type              2
SubType           4
To DS             1
From DS           1
More Frag         1
Retry             1
Pwr Mgt           1
More Data         1
WEP               1
Order             1
40
Frame Control Fields
• Protocol Version : the value of the protocol version is zero
• Type and Subtype : used to identify the function of the frame
• To DS : is set to 1 in data type frames destined for the DS via AP
• From DS : is set to 1 in data type frames exiting the DS
• More Fragment : is set to 1 if there is another fragment of the current MSDU
• Retry : Indicates that the frame is a retransmission of an earlier frame
• Power Management : A value of 1 indicates that the STA will be in power-save mode. A value of 0 indicates that the STA will be in active mode. This field is always set to 0 in frames transmitted by an AP
• More Data: is used to indicate to a STA in power-save mode that more MSDUs are buffered for that STA at the AP; or to indicate that at least one additional MSDU is buffered at the STA, available for transmission in response to a subsequent CF-Poll
• WEP: It is set to 1 if the Frame Body field contains information that has been processed by the WEP algorithm
• Order: is set to 1 in any data type frame that contains an MSDU, or fragment, which is being transferred using the Strictly Ordered service class
41
Address Field Description

To DS  From DS  Address 1  Address 2  Address 3  Address 4
0      0        DA         SA         BSSID      N/A
0      1        DA         BSSID      SA         N/A
1      0        BSSID      SA         DA         N/A
1      1        RA         TA         DA         SA

• Address 1 : Receiver Address. All stations filter on this address.
• Address 2 : Transmitter Address (TA). Identifies transmitter to address the ACK frame to
• Address 3 : Dependent on To and From DS bits
• Address 4 : Only needed to identify the original source of WDS (Wireless Distribution System) frames
• BSSID
– infrastructure : AP MAC address
– Ad Hoc : 01 + 46-bit random number (may set as ‘1’)
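
The Frame Control bit layout and the To DS / From DS address table above, applied to a captured header. This is an added example, not part of the original slides; the function names and the sample frame (locally administered MAC addresses) are constructed for illustration.

```python
import struct

# Address roles per (To DS, From DS), exactly as in the table above.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),
    (0, 1): ("DA", "BSSID", "SA"),
    (1, 0): ("BSSID", "SA", "DA"),
    (1, 1): ("RA", "TA", "DA", "SA"),
}
# One-bit Frame Control flags in slide order, starting at bit 8.
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgt", "more_data", "wep", "order")
TYPES = {0: "management", 1: "control", 2: "data"}


def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit Frame Control value into its named subfields."""
    fields = {
        "version": fc & 0x3,
        "type": TYPES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
    }
    for bit, name in enumerate(FLAGS, start=8):
        fields[name] = (fc >> bit) & 1
    return fields


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_data_header(frame: bytes) -> dict:
    """Decode the MAC header of a data frame and name each address field."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-octet three-address header")
    # All multi-octet fields are little-endian on the air.
    fc, duration, a1, a2, a3, seq_ctl = struct.unpack_from("<HH6s6s6sH", frame)
    ctl = parse_frame_control(fc)
    if ctl["version"] != 0:
        raise ValueError("protocol version must be zero")
    if ctl["type"] != "data":
        raise ValueError("the address table applies to data frames")
    roles = ADDRESS_ROLES[(ctl["to_ds"], ctl["from_ds"])]
    raw = [a1, a2, a3]
    header_len = 24
    if len(roles) == 4:  # WDS frame: Address 4 follows Sequence Control
        if len(frame) < 30:
            raise ValueError("truncated four-address header")
        raw.append(frame[24:30])
        header_len = 30
    return {
        "control": ctl,
        "duration": duration,
        "addresses": {role: fmt_mac(a) for role, a in zip(roles, raw)},
        "fragment": seq_ctl & 0xF,   # 4-bit Fragment Number
        "sequence": seq_ctl >> 4,    # 12-bit Sequence Number
        "header_len": header_len,
    }


def build_sample() -> bytes:
    """Constructed frame: STA to AP (To DS = 1), WEP bit set, seq 0x123, frag 2."""
    fc = (2 << 2) | (1 << 8) | (1 << 14)
    bssid = bytes.fromhex("020000000001")
    sa = bytes.fromhex("020000000002")
    da = bytes.fromhex("020000000003")
    return struct.pack("<HH6s6s6sH", fc, 44, bssid, sa, da,
                       (0x123 << 4) | 2) + b"body"


if __name__ == "__main__":
    for key, value in parse_data_header(build_sample()).items():
        print(key, value)
```
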

42
Frame Fields

• Duration or Connection ID : Used to distribute a value (us) that shall update the Network Allocation Vector in stations receiving the frame.
• Address Fields : Indicate the BSSID, SA, DA, TA (Transmitter address), RA (Receiver address), each a 48-bit address.
• Sequence Control
– Sequence Number (12-bit): An incrementing value. The same value shall be used for all fragments of the same MSDU.
– Fragment Number (4-bit): Indicates the number of each individual fragment.
• Frame Body : 0 – 2312(2310) bytes.
• CRC (4 octets)

43
Format of Individual Frame Types

• Control Frames
– Immediately previous frame, the reception of which concluded within the prior SIFS interval.
• RTS Frame Format
– In an infrastructure LAN, the DA shall be the address of the AP with which the station is associated. In an ad hoc LAN, the DA shall be the destination of the subsequent data or management frame.
• CTS Frame Format
– The DA shall be taken from the source address field of the RTS frame to which the CTS is a response.
• ACK Frame Format
– The DA shall be the address contained in the Address 2 field of the immediately previous Data or Management frame.
• PS-Poll Frame Format
– The BSS ID shall be the address of the AP. The AID shall be the value assigned by the AP in the Association Response frame. The AID value always has its two significant bits set to 1.

44
Format of Individual Frame Types : control
frames
Subtype is carried in bits 7654 of Frame Control. In each frame the MAC Header is every field before the FCS.

RTS Frame (Subtype: 1011): Frame Control, Duration, RA, TA, FCS
CTS Frame (Subtype: 1100): Frame Control, Duration, RA, FCS
ACK Frame (Subtype: 1101): Frame Control, Duration, RA, FCS
PS-Poll Frame (Subtype: 1010): Frame Control, AID, BSS ID, TA, FCS

45
Format of Individual Frame Types :
Management frames
– The BSSID : The AP address, if the station is an AP or associated with an AP, or the BSSID of the ad hoc LAN, if the station is a member of an ad hoc LAN
– The Frame body shall be the information elements :

MAC Header: Frame Control, Duration, DA, SA, BSSID, Sequence Control
Followed by: Frame Body, CRC

– Information elements depend on the frame type : BEACON Frame, Probe Request Frame, Association Request Frame, Association Response Frame, Authentication Frame, …
– Example : In the Authentication Frame the information elements are Authentication algorithm number (0: Open system, 1: Shared Key), Authentication transaction sequence number, Status code (if reserved, set to 0), and Challenge text (optional)

46
Privacy and Access Control

• Privacy : The service used to prevent the contents of messages from being read by other than the intended recipient

• A mutually acceptable privacy algorithm must be agreed upon before an Association can be established

• The default privacy algorithm for all 802.11 stations is in the clear. If the privacy service is not invoked to set up a privacy algorithm, all messages will be sent unencrypted

• 802.11 specifies an optional privacy algorithm that is designed to satisfy the goal of wired LAN "equivalent" privacy : Wired Equivalent Privacy (WEP)

47
Privacy and Access Control

• Two techniques of Authentication are associated with WEP: Open System Authentication and Shared Key Authentication
– To aid in access control
– Has provisions for Open, Shared Key or proprietary authentication extensions
• Optional (WEP) Privacy mechanism defined by 802.11
– Limited for Station-to-Station traffic, so not “end to end”
» Embedded in the MAC entity
– Only implements Confidentiality function
– Uses RC4 PRNG algorithm based on:
» a 40-bit secret key (No Key distribution standardized)
» a 24-bit IV that is sent with the data
» 40+24 = 64-bit PRNG seed
» includes an ICV to allow integrity check
– Only the payload of Data frames is encrypted
» Encryption on per MPDU basis

48
Privacy Mechanism
[Figure: WEP encipherment and decipherment. Encipherment: the Initialization Vector (IV) and the Secret Key form the seed of the WEP PRNG; its key sequence is combined (+) with the plaintext and the ICV produced by the integrity algorithm to give the ciphertext, which is sent with the IV. Decipherment: the received IV and the Secret Key seed the WEP PRNG, the key sequence recovers the plaintext, and the integrity algorithm computes ICV' to check ICV' = ICV]

Frame: Preamble, PLCP Header, MAC Header, Payload, CRC
Payload when encrypted: IV (4), Ciphertext, ICV (4)
IV field: Init. Vector (3), Pad (6 bits), Key ID (2 bits)

• WEP bit in Frame Control Field indicates WEP used
– Each frame can have a new IV, or IV can be reused for a limited time.
– If integrity check fails then frame is ACKed but discarded.
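
The WEP encipherment and decipherment path described on the last two slides, with the receiver's ICV check and a monitor-side count of repeated IVs. This is an added example, not code from the slides; the key, IVs and payloads are constructed, and two details come from how 802.11 WEP works rather than from the slides: the seed is the IV followed by the key, and the integrity algorithm is CRC-32.

```python
import struct
import zlib
from collections import Counter


def rc4(seed: bytes, data: bytes) -> bytes:
    """RC4: key scheduling over `seed`, then XOR `data` with the key sequence."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(key: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Return IV (4 octets: IV, pad, Key ID) + RC4(payload + ICV)."""
    if len(key) != 5 or len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("need a 40-bit key, a 24-bit IV and a 2-bit Key ID")
    icv = struct.pack("<I", zlib.crc32(payload))
    iv_field = iv + bytes([key_id << 6])  # 6 pad bits, Key ID in the top 2 bits
    return iv_field + rc4(iv + key, payload + icv)  # 40 + 24 = 64-bit seed


def wep_decapsulate(keys: dict, body: bytes) -> bytes:
    """Decrypt a WEP frame body; raise ValueError when ICV' != ICV."""
    if len(body) < 8:
        raise ValueError("too short for IV field and ICV")
    iv, key_id = body[:3], body[3] >> 6
    if key_id not in keys:
        raise ValueError("no key configured for this Key ID")
    clear = rc4(iv + keys[key_id], body[4:])
    payload, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("ICV mismatch: frame is discarded")
    return payload


def reused_ivs(bodies) -> dict:
    """Map each IV (hex) seen more than once to its count.

    With a fixed secret key, a repeated IV means a repeated 64-bit seed and
    therefore an identical key sequence, so repeats are worth counting.
    """
    counts = Counter(body[:3].hex() for body in bodies)
    return {iv: n for iv, n in counts.items() if n > 1}


def demo() -> dict:
    key = bytes.fromhex("0102030405")  # constructed 40-bit secret key
    keys = {0: key}
    f1 = wep_encapsulate(key, b"\x00\x00\x01", 0, b"first MSDU")
    f2 = wep_encapsulate(key, b"\x00\x00\x02", 0, b"second MSDU")
    f3 = wep_encapsulate(key, b"\x00\x00\x01", 0, b"third MSDU")  # IV repeated
    damaged = bytearray(f1)
    damaged[4] ^= 0x01  # one flipped ciphertext bit
    try:
        wep_decapsulate(keys, bytes(damaged))
        detected = False
    except ValueError:
        detected = True
    return {
        "payload": wep_decapsulate(keys, f1),
        "damage_detected": detected,
        "reused": reused_ivs([f1, f2, f3]),
    }


if __name__ == "__main__":
    print(demo())
```
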
49
Authentication Process

• Shared key requires the STA and the AP to have the same WEP key
• An AP using Shared Key Authentication sends a challenge text packet to the station
• If the STA has the wrong key or no key, it will fail this portion of the authentication process : The STA will not be allowed to associate to the AP
• WEP is an encryption algorithm, not a method of authentication
50
Authentication Process : Frame Format

• The STA:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 1
• The AP:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 2
– Status Code set to 0 (Successful)
– Challenge Text (later)
• The STA :
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 3
– Challenge Text (later)
• The AP:
– Sets the Authentication Algorithm Number to 1 (shared-key)
– Set Authentication Transaction Sequence Number to 4
– Status Code set to 0 (Successful)
51
Channel Scanning
• Scanning required for many functions
– finding and joining a network
– finding a new AP while roaming
– initializing an Independent BSS (ad hoc) network
• A STA shall operate in either a Passive Scanning mode or an Active Scanning mode
• For Passive scanning, the STA shall scan for Beacon frames containing the desired SSID (or broadcast SSID)
• For Active scanning, the STA shall transmit a Probe request containing the desired SSID (can also use the broadcast SSID): on each channel, send a Probe, wait for a Probe Response
• Beacon or Probe Response contains information necessary to join new network
• If a STA’s scanning does not result in finding a BSS with the desired SSID, or does not result in finding any BSS, the STA may start an IBSS
52
Active Scanning Example

Steps to Association:
– Station sends Probe
– APs send Probe Response
– Station selects best AP
– Station sends Association Request to selected AP
– AP sends Association Response.

[Figure: a station between Access Point A and Access Point C]

• Initial connection to an Access Point
• Reassociation follows a similar process
53
Active Scanning Example
• Scanning STA sends a Probe request with the broadcast destination, SSID, and broadcast BSSID
• Start a ProbeTimer
• If the response has not been received before the Min_Probe_Response_Time, then clear NAV and scan the next channel, else when ProbeTimer reaches Max_Probe_Response_Time, process all received probe responses and scan the next channel

[Figure: active scan timing. The scanning STA sends a PROBE; Responder 1 and Responder 2 each send a P RESPONSE after DIFS, and the scanning STA answers each with an ACK after SIFS; Min_Probe_Response_Time and Max_Probe_Response_Time are marked on the time axis]
54
Roaming Approach

[Figure: Access Points A, B and C with Stations 1 to 7]

Each Station is Associated with a particular AP
– Stations 1, 2, and 3 are associated with Access Point A
– Stations 4 and 5 are associated with Access Point B
– Stations 6 and 7 are associated with Access Point C
55
Roaming Approach

[Figure: Access Points A, B and C with Stations 1 to 7, showing a Reassociation]

• Mobile stations may move
– beyond the coverage area of their Access Point
– but within range of another Access Point
• Reassociation allows station to continue operation
56
Roaming Approach
• Station decides that link to its current AP is poor

• Station uses scanning function to find another AP or uses information from previous scans

• Station sends Reassociation Request to new AP. If Reassociation Response is successful
– then station has roamed to the new AP
– else station scans for another AP

• If AP accepts Reassociation Request
– AP indicates Reassociation to the Distribution System
– Distribution System information is updated
– normally old AP is notified through Distribution System

57
802.11 Wireless LAN Characteristics

58
Chapter 2
WPAN : Bluetooth, ZigBee
• Architectural Overview of Bluetooth
• Introduction To ZigBee

59
Architectural Overview of Bluetooth
• Bluetooth Characteristics and Specifications
• Protocol Stack
• Network Topology
• Functional Overview

60
Applications

61
Bluetooth Characteristics
Background
• 1997 - Designed by Ericsson
• 1998 - Established the Special Interest Group (SIG): Ericsson, Nokia, IBM, Toshiba, Intel
• 2002 - IEEE 802.15 WPAN
– IEEE 802.15.1 Wireless Personal Area Networks (Bluetooth)
– IEEE 802.15.2 Coexistence
– IEEE 802.15.3 WPAN Higher Rate (Ultra Wideband)
– IEEE 802.15.4 WPAN Low Rate (ZigBee)

Bluetooth Characteristics
• Low cost (market consideration)
• Low power consumption
• Uses the unlicensed ISM band
• Mixed voice and data
• Size: 0.5 square inches
62
Bluetooth Specifications
• 2.4 GHz ISM Unlicensed band
• FHSS : Frequency Hopping Spread Spectrum
– Avoid interference
– 23/79 channels
– 1 MHz per channel
– 1 Mbps link rate (GFSK modulation, frequency deviation between 140 kHz and 175 kHz)
– Fast frequency hopping and short data packets avoid interference
» Nominally hops at 1600 times a second (vs. 2.5 hops/sec in IEEE 802.11)
» 625 us per hop (366 us for data only)
» 3200 times a second during inquiry and paging modes
• Transmit power and range
- Power 1 mW (class 3, 3% power of cellular phone)
• 10 m of transmission distance
- Power 100 mW (class 1)
• 100 m of transmission distance
63
Bluetooth Protocol stack

64
Bluetooth network topology

• Radio designation
– Connected radios can be master or slave
– Radios are symmetric (same radio can be master or slave)
• Piconet
– Master can connect to 7 simultaneous slaves per piconet
– Each piconet has maximum capacity of 1 Mbps
– Unique hopping pattern/ID
• Scatternet
– Piconets can coexist in time and space

[Figure: piconets whose devices are labelled M, S, P and sb]

65
Functional Overview

• Standby : Waiting to join a piconet
• Inquire : Ask about radios to connect to
• Page : Connect to a specific radio
• Connected : Actively on a piconet (master or slave)
• Park/Hold : Low Power connected states

[Figure: state diagram. Unconnected: Standby. Connecting States: Inquiry (Ttypical = 2 s), Page (Ttypical = 0.6 s). Active States: Transmit data (AMA), Connected (AMA), with Ttypical = 2 ms transitions. Low Power States: PARK (PMA, releases AMA address), HOLD (AMA). Detach leads back to Standby]

66
Page and Inquire Scans

• Inquiry scan :
– 32 channels (of 79 channels) are assigned for inquiry procedure
– 32 channels are divided as 2 trains (Trains A and B), each one contains 16 channels.
• Page scan :
– 32 channels (of 79 channels) are assigned for page procedure
– 32 channels are divided as 2 trains (Trains A and B), each one contains 16 adjacent channels.
– Train A : f(k-8), f(k-7), … f(k), f(k+1), … , f(k+7)
– Train B : f(k-16), f(k-15), … f(k-9), f(k+8), … , f(k+15)
• 3200 hop/sec
• Broadcast ID packet

67
Page and Inquire Scans
• Inquiring radio issues an inquiry packet with Inquire ID (dedicated or general access code, GIAC or DIAC)
• Any radio doing an Inquire scan will respond with an FHS packet
– FHS packet gives Inquiring radio information to page
» Device ID IDa
» Clock
– If there is a collision then radios wait a random number of slots before responding to the page inquire
• After process is done, Inquiring radio has Device IDs and Clocks of all radios in range
• Slave listens on one of 16 channels for sufficient time (18 slots = 11.25 ms)

68
The Piconet
[Figure: piconet of devices A to E, labelled M, S, P and sb and annotated with the device IDs IDa to IDe]

• All devices in a piconet hop together
– To form a piconet: master gives slaves its clock and device ID
» Hopping pattern determined by device ID (48-bit)
» Phase in hopping pattern determined by Clock
• Non-piconet devices are in standby
• Piconet Addressing
– Active Member Address (AMA, 3-bits)
– Parked Member Address (PMA, 8-bits)
69
The Scatternet : Inter-connected Piconets

[Figure: scatternet of piconets linking an Access Point (to a LAN), Mobile Phone, Headset, Printer, Mouse and two Laptops; legend: master, slave, master/slave]

70
Device Addressing

 BD_ADDR (Bluetooth Device Address)


− every Bluetooth device has a unique 48-bit address
− is used to control the system functions (Hopping sequence, Channel access
code, Encryption key)
 The BD_ADDR contains 3 parts:
– 24-bit Lower Address Part (LAP)
» Used to identify unique BT device (reduce overhead)
– 8-bit Upper Address Part (UAP)
» Used to determine the hopping sequence
– 16-bit Non-significant Address Part (NAP)
 AM_ADDR (Active Member Address)
– Each slave is assigned a 3-bit address
– 000 : for broadcasting packets
 PM_ADDR (Parked Member Address)
– Slaves that enter the park mode will obtain an 8-bit PM_ADDR
– At most 256 slaves are in park mode in a piconet
Basic Baseband Protocol
[Figure: baseband timing; a frame (1.25 ms) holds a master packet followed by a slave packet, each one slot of 625 us, on hop frequencies fk and fk+1; a second frame shows a three-slot master packet answered by a one-slot slave packet]

 Spread spectrum frequency hopping radio


– Hops every packet
» Packets are 1, 3 or 5 slots long
– Frame consists of two packets
» Transmit followed by receive
– Nominally hops at 1600 times a second (1 slot packets)
Baseband link types
 Polling-based (TDD) frame transmissions
– 1 slot: 0.625 msec (max 1600 slots/sec)
– master/slave slots (even-/odd-numbered slots)
 Synchronous connection-oriented (SCO) link
– periodic single-slot frame assignment
– symmetric 64 Kbps full-duplex
 Asynchronous connection-less (ACL) link
– Frame switching
– asymmetric bandwidth
– variable frame size (1-5 slots)
– max. 721 kbps (57.6 kbps return channel)

Time Division Duplex (TDD)

 Master : even numbered slots
 Slave : odd numbered slots
[Figure: TDD timing; master transmits on f(2k) and f(2k+2) (even slots), slave on f(2k+1) (odd slot); each slot lasts 625 µs; labels: ±10 µs, 220 µs, guard time, packet time; packet = Access code/Header + Payload, followed by guard time]

Multi-slot Packets

Different packet overhead will result in different throughput
– DH1 : 172.8 Kbps in Sym. and Asyn. modes
– DH3 : 390.4 Kbps in Sym. mode; 387.2 and 54.4 Kbps in Asyn. mode
– DH5 : 433.9 Kbps in Sym. mode; 721 and 57.6 Kbps in Asyn. mode
[Figure: 1-slot (DH1), 3-slot (DH3) and 5-slot (DH5) packets on the slot grid f(2k) ... f(2k+4); slots alternate even/odd, 625 µs each]

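The slot rules from the TDD and multi-slot slides (master on even slots, slave on odd slots, packets of 1, 3 or 5 slots, one hop per packet) can be checked with a small planner. This is an added example, not part of the original slides; the function names and the sample exchange are constructed, and it assumes every master packet is answered.

```python
SLOT_US = 625               # slot length from the slides
PACKET_SLOTS = (1, 3, 5)    # packet lengths named on the slides

def schedule(packets, first_slot=0):
    """Place an alternating master/slave exchange on the TDD slot grid.

    packets: list of (sender, n_slots) with sender "master" or "slave".
    Assumes every packet is answered, so senders strictly alternate.
    """
    if first_slot % 2:
        raise ValueError("the master starts on an even-numbered slot")
    plan, slot = [], first_slot
    for i, (sender, n_slots) in enumerate(packets):
        owner = "master" if slot % 2 == 0 else "slave"
        if sender != owner:
            raise ValueError(f"packet {i}: slot {slot} belongs to the {owner}")
        if n_slots not in PACKET_SLOTS:
            raise ValueError(f"packet {i}: length must be 1, 3 or 5 slots")
        plan.append({
            "sender": sender,
            "start_slot": slot,
            "hop": slot,               # carrier f(slot) is held for the whole packet
            "slots": n_slots,
            "start_us": slot * SLOT_US,
        })
        slot += n_slots                # odd lengths flip the even/odd parity
    return plan

def skipped_hops(plan):
    """Hop indices covered by a multi-slot packet and therefore never transmitted on."""
    return [p["start_slot"] + k for p in plan for k in range(1, p["slots"])]

def hop_rate(plan):
    """Carrier changes per second for the planned exchange."""
    total_slots = sum(p["slots"] for p in plan)
    return len(plan) * 1_000_000 / (total_slots * SLOT_US)

# Constructed exchange: master DH3, slave DH1, master DH5, slave DH1.
EXCHANGE = [("master", 3), ("slave", 1), ("master", 5), ("slave", 1)]
```

With one-slot packets only, `hop_rate` gives the nominal 1600 hops per second; the constructed exchange drops to 640 because six hop indices are skipped.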
Bluetooth Baseband Format

Bluetooth Frame Fields
 Access code : Timing synchronization, offset compensation, paging,
and inquiry
– Preamble
0101 if LSB of sync word is 0
1010 if LSB of sync word is 1
– Sync word 64 bits
– Trailer
0101 if MSB of sync word is 1
1010 if MSB of sync word is 0
 Header : used to identify frame type and carry protocol control
information
− AM_ADDR : contains “active mode” address of one of the slaves
− Type : identifies type of frame
− Flow : 1-bit flow control
− ARQN : 1-bit acknowledgment
− SEQN : 1-bit sequential numbering schemes
− Header error control (HEC) : 8-bit error detection code
 Payload : contains user voice or data
Overview to Zigbee
 ZigBee Characteristics
 Protocol Stack
 Network Topology
 Functional Overview

ZigBee Characteristics

 IEEE approved the standard for the Low Rate WPAN (LR WPAN) in 2003
 Low cost
 Low power consumption 5 mA
 Low data rate
 Relatively short transmission range 100 m
 Scalability
 Reliability
 Flexible protocol design suitable for many
applications
 Incompatible with TCP/IP Network

Applications

 Monitors  TV VCR
 Sensors  DVD/CD
 Automation  Remote control
control

INDUSTRIAL & CONSUMER


 Monitors COMMERCIAL ELECTRONICS
 Diagnostics
sensors ZigBee
LOW DATA-RATE
RADIO DEVICES
PERSONAL PC &  Mouse
HEALTH CARE PERIPHERALS  Keyboard
 Joystick

 Consoles
 Portables TOYS & HOME  Security
GAMES AUTOMATION  Lighting
educational
 Closures

80
ZigBee Protocol Stack

APL  The zigbee stack forms the upper


layers of the IEEE 802.15.4 PHY
and MAC sub-layer specifications
SSP
 ZigBee stack layers include a
network layer an application layer
APS ZDO and a security service provider SSP

 It realizes the network layer NWK


and in the application support sub-
layer APS and the ZigBee device
object ZDO

 In the framework are added the


user defined application objects

2.4 GHz 868 MHz 915 MHz

81
Network Topologies

Star Topology
– Advantage
» Easy to synchronize
» Low latency
– Disadvantage
» Small scale

Mesh Topology
– Advantage
» Multihop communication
» More flexible
» Lower latency
– Disadvantage
» Needs storage for routing table
» High routing cost

Cluster Tree
– Advantage
» Low routing cost
» Multihop communication
– Disadvantage
» Route reconstruction is costly
» Latency may be quite long

[Figure: Star, Mesh and Cluster Tree diagrams; legend: PAN coordinator, Full Function Device, Reduced Function Device]
Network Topologies
Device Classes
 Full function device (FFD)
− Can function in any topology
− Capable of being Network coordinator
− Can talk to any other device (FFD/RFD)
 Reduced function device (RFD)
− Limited to star topology
− Cannot become network coordinator

Star network formation


 An FFD may establish its own network and become the PAN
coordinator
 All star networks operate independently
 The PAN coordinator chooses a PAN identifier which is not currently used by any
other network within the radio sphere of influence
 Both FFDs and RFDs may join the network

Mesh network formation


 Each device is capable of communicating with any other device
 One FFD device will be nominated as the PAN coordinator
MAC/PHY Functions
 PHY functionalities
– Activation and deactivation of the radio transceiver
– Energy detection within the current channel
– Link quality indication for received packets
– Clear channel assessment for CSMA-CA
– Channel frequency selection
– Data transmission and reception

 MAC functionalities
− beacon management
− channel access (slotted or unslotted CSMA/CA)
− guaranteed time slot management (QoS)
− frame validation
− acknowledged frame delivery
− association and disassociation
− security mechanisms (AES)
Operating frequency bands
The standard specifies two PHYs :
– 868 MHz/915 MHz direct sequence spread spectrum (DSSS) PHY (11
channels)
» 1 channel (20 Kb/s) in 868 MHz band
» 10 channels (40 Kb/s) in 915 (902-928) MHz ISM band
[Figure: 868 MHz/915 MHz PHY; Channel 0 at 868.3 MHz, Channels 1-10 between 902 MHz and 928 MHz; label: 2 MHz]

– 2450 MHz direct sequence spread spectrum (DSSS) PHY (16 channels)
» 16 channels (250 Kb/s) in 2.4 GHz band
[Figure: 2.4 GHz PHY; Channels 11-26 between 2.4 GHz and 2.4835 GHz; label: 5 MHz]


PHY Specifications
The standard specifies two PHYs :

PHY (MHz)   Frequency Band (MHz)   Modulation   Bit Rate     Number of Channels
868/915     868-868.6              BPSK         20 Kbit/s    1
868/915     902-928                BPSK         40 Kbit/s    10
2450        2400-2483.5            O-QPSK       250 Kbit/s   16

PHY frame structure
– Preamble (32 bits) – synchronization
– Start of packet delimiter (8 bits) shall be formatted as “11100101”
– PHY header (8 bits) – PSDU length
– PSDU (0 to 127 bytes) – data field

Sync Header (Preamble, 4 bytes + Start of Packet Delimiter, 1 byte) | PHY Header (Frame Length, 7 bit + Reserve, 1 bit; 1 byte) | PHY Payload (PHY Service Data Unit (PSDU), 0-127 bytes)
MAC Specifications
 Address
– All devices must have 64 bit IEEE addresses
– Short (16 bit) addresses can be allocated to reduce packet size

 Frame Types
– Data Frame : used for all transfers of data
– Beacon Frame : used by a coordinator to transmit beacons
– Acknowledgment Frame : used for confirming successful frame
reception
– MAC Command Frame : used for handling all MAC peer entity
control transfers

 Operating Mode
– Slotted (Beacon enable mode ) : Periodic data and Repetitive
low latency data using
– Un-slotted (Non-Beacon enable mode) : Intermittent data using
Operating Modes

Non-Beacon Mode
 ZigBee devices are continuously active
 Requires a more robust power supply
 A simple, traditional multiple access system

Beacon Mode
 ZigBee Routers transmit periodic beacons to confirm their
presence to other network nodes
 Controlling power consumption and extending battery life
 Allows all devices in the network the ability to know when to
communicate with each other
 Beacon intervals depend on data rate
 15.36 ms to 251.68 s at 250 kbit/s
 24 ms to 393.21 s at 40 kbit/s
 48 ms to 786.43 s at 20 kbit/s

MAC Frames
MAC sublayer: MAC Protocol Data Unit (MPDU) = MAC Header + MSDU + MAC Footer
Field sizes in bytes: Frame Control 2, Sequence Number 1, Address Info 0-20, Payload variable, Frame Check Sequence 2
– Data Frame : Frame Control | Sequence Number | Address Info | Payload | Frame Check Sequence
– ACK : Frame Control | Sequence Number | Frame Check Sequence
– MAC command Frame : Frame Control | Sequence Number | Address Info | Command type | Payload | Frame Check Sequence
– Beacon Frame : Frame Control | Sequence Number | Address Info | Beacon Payload | Frame Check Sequence
PHY layer: PHY Protocol Data Unit (PPDU) = Synchronization Header (5 bytes) + PHY Header (1 byte) + PSDU (max 127 bytes)
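A parser for the PHY and MAC framing on the two preceding slides, of the kind a sniffer or intrusion detection sensor needs before it can trust a captured frame. It is an added example, not code from the slides or from any ZigBee stack. The frame type codes, the Security Enabled and addressing bits, the all-zero preamble and the CRC parameters are taken from IEEE 802.15.4 rather than from the slides, and the sample frame is constructed.

```python
import struct

SFD = 0xA7  # the slide's "11100101" is in transmission order (LSB first) = byte 0xA7
PREAMBLE = b"\x00" * 4  # 32-bit preamble, all zero in IEEE 802.15.4 (value not on the slide)
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}  # codes from the standard
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address bytes (mode 1 is reserved)

def crc16_fcs(data: bytes) -> int:
    """16-bit ITU-T CRC (x^16 + x^12 + x^5 + 1, init 0, LSB first) used as the FCS."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_ppdu(header_and_payload: bytes) -> bytes:
    """Append the FCS, then prepend sync header and PHY header (used for the sample)."""
    mpdu = header_and_payload + struct.pack("<H", crc16_fcs(header_and_payload))
    if len(mpdu) > 127:
        raise ValueError("PSDU is limited to 127 bytes")
    return PREAMBLE + bytes([SFD, len(mpdu)]) + mpdu

def parse_ppdu(raw: bytes) -> dict:
    """Validate a captured PPDU and decode the MAC fields named on the slides."""
    if len(raw) < 6 or raw[:4] != PREAMBLE or raw[4] != SFD:
        raise ValueError("bad synchronization header")
    length = raw[5] & 0x7F  # 7-bit frame length; the top bit is reserved
    psdu = raw[6:6 + length]
    if len(psdu) != length or length < 5:
        raise ValueError("length field disagrees with capture, or frame too short")
    fcf, seq = struct.unpack_from("<HB", psdu)
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if 1 in (dst_mode, src_mode):
        raise ValueError("reserved addressing mode")
    addr = 0
    if dst_mode:
        addr += 2 + ADDR_LEN[dst_mode]  # destination PAN ID + address
    if src_mode:
        same_pan = bool(fcf & 0x40) and dst_mode  # PAN ID compression bit
        addr += (0 if same_pan else 2) + ADDR_LEN[src_mode]
    if 3 + addr > length - 2:
        raise ValueError("addressing fields overrun the frame")
    return {
        "type": FRAME_TYPES.get(fcf & 7, "reserved"),
        "security": bool(fcf & 0x08),  # Security Enabled bit
        "seq": seq,
        "addr_bytes": addr,
        "payload": psdu[3 + addr:-2],
        "fcs_ok": crc16_fcs(psdu[:-2]) == struct.unpack("<H", psdu[-2:])[0],
    }

# Constructed sample: data frame, seq 7, short addresses, PAN ID compression, payload b"hi".
SAMPLE = build_ppdu(bytes.fromhex("418807341201000200") + b"hi")
```

A frame whose length byte claims more data than was captured is rejected outright, while a frame with a failing FCS is still decoded and flagged through `fcs_ok`, so a monitor can count corrupted or tampered frames instead of silently dropping them.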
Chapter 3
LPWAN : LoRaWAN
 LoRa Specifications
 LoRaWAN Topology
 Protocol Stack
 Security

Introduction
Two types of radio communication
− High-range networks: a few hundred meters to several tens
of kilometers: traditional cellular networks: GSM, GPRS, LTE,
etc
 High cost
 High power consumption
 High throughput
 Large infrastructure : Oversized for IoT applications
− Short-range networks: from a few centimeters to a few
hundred meters maximum: Bluetooth, RFID, NFC, ZigBee,
WiFi, etc
 Low cost
 Low power consumption
 Low throughput
 Short transmission range

LPWAN (Low Power Wide Area Networks) is an answer adapted to the world of IoT
with wide range but low energy consumption
Introduction
Many LPWAN technologies :
 Sigfox: It was deployed in France in 2017. It's operating in 36
countries. It claims to work for 10 years on a single AA battery Holder
 NB-IoT: This is a cellular-based network optimized for low power and
long-range communication
 LoRa: network coming to fruition in the U.S
− LoRaWAN defines the communication protocol and system
architecture for the network (LoRa physical layer enables the long-
range communication link)

LoRa Specifications

                  Europe             North America
Frequency Band    867-869 MHz        902-928 MHz
Channels          10                 64+8+8
Channel BW Up     125/250 kHz        125/500 kHz
Channel BW Dn     125 kHz            500 kHz
TX Power Up       +14 dBm            +20 dBm
TX Power Dn       +14 dBm            +27 dBm
SF Up             7-12               7-10
Data Rate         250 bps-50 kbps    980 bps-21.9 kbps
Link Budget Up    155 dB             154 dB
Link Budget Dn    155 dB             157 dB

LoRaWAN Network Architecture
 Long Range Star Topology: Preserving battery lifetime when
long-range connectivity is achieved
 Data transmitted by End-Device (ED) is received by multiple
gateways
 Each gateway (BS) forwards the received packet to the cloud-
based network server via some links (Cellular, Ethernet, Wi-Fi,…)

Device classes
 Bi-directional EDs (Class A)
− Each ED’s uplink transmission is followed by two short downlink windows
− The transmission slot scheduled by the ED is based on ALOHA-type
protocol
 Bi-directional EDs with scheduled receive slots (Class B)
− ED opens extra receive windows at scheduled times; to do so, it receives
a time-synchronized beacon from the gateway
 Bi-directional EDs with maximal receive slots (Class C)
− EDs have almost continuously open receive windows

LoRa Modulation
 LoRa is a spread spectrum modulation scheme that uses
wideband linear frequency modulated pulses whose frequency
increases or decreases over a certain amount of time to encode
information
 The main advantages of this approach are twofold:
 A substantial increase in receiver sensitivity due to the
processing gain of the spread spectrum technique
 A high tolerance to frequency misalignment between receiver and
transmitter

LoRaWAN Protocol Stack
 LoRa physical layer enables the long-range communication link
 The protocol and network architecture have the most influence in
determining
- the battery lifetime of a node,
- the network capacity
- the quality of service
- the security

LoRa Frame Format
Frame Format

LoRaWAN Security

 LoRaWAN utilizes two layers of security: one for the network and
one for the application
 The network security ensures authenticity of the node in the network
while the application layer of security ensures the network operator
does not have access to the end user’s application data
 AES encryption is used with the key exchange utilizing an IEEE
EUI64 identifier
 There are trade-offs in every technology choice but the LoRaWAN
features in network architecture, device classes, security, scalability
for capacity, and optimization for mobility address the widest variety
of potential IoT applications

Chapter 4
IoT
 IoT Applications and technologies
 IoT Architecture
 IoT Platform
 IoT Security and Privacy

What is the “Internet of Things”?

 IoT is a new revolution in the capabilities of the endpoints that
are connected to the internet
 The Scope of IoT is not limited to just connecting things (device,
appliances, machines) to the Internet : IoT allows these things to
communicate and exchange data (control & information)
 It’s about enabling connectivity and embedded intelligence in
devices
 Not strictly machine-to-machine (M2M) – also machine-to-people,
people-to-machine, machine-to-objects, people-to-objects
 Creates the ability to collect data from a broad range of devices
 Data can be accessed via the cloud and analyzed using “big
data” techniques

Internet of Things Hierarchy

IoT Application Segments

IoT Technologies

IoT Architecture

[Figure: IoT architecture layers, top to bottom]
– Integrated Application : Smart Grid, Green Building, Smart Transport, Env. Monitor
– Information Processing : Big Data, Search Engine, AI, Security, Data Mining
– Network and Communications : WWAN, WMAN, Internet, WPAN and LPWAN, WLAN
– Sensing : GPS, Smart Device, RFID, Sensor, Camera

IoT Platform
[Figure: IoT platform; device level: the “Thing” with sensors and actuators (user/environment sensors; XM1000 with IEEE 802.15.4 2.4 GHz RF system) and communications; network level: network and gateway; then the Internet and servers]

Sensors and Actuators
Sensors: Input components that sense and collect surrounding
information
 Basically three types:
– Passive, omnidirectional (e.g. mic)
– Passive, narrow-beam sensor (e.g. PIR)
– Active sensors (e.g. sonar, radar, etc.)

Actuators: Output components that alter the surroundings
 Some examples:
– Adding lighting, heat, sound, etc.
– Controlling motors to move objects
– Displaying messages and others…

Things

 We can turn almost every object into a “thing”. A thing still looks
much like an embedded system currently
 A thing generally consists of four main parts:
– Sensors & actuators
– Microcontroller
– Communication unit
– Power supply
 A “thing” has the following properties:
– Limited source of energy
– Small in size and low in cost (limits their computing capability)
– It doesn’t usually perform complicated tasks
 Power consumption is the main design issue

Communications

 A “thing” always features communications for “team working”
 The Role of Communications
– Providing a data link between two nodes
 Communication type:
– Wireline (e.g. copper wires, optical fibers)
– Wireless (e.g. RF, IR). RF-based communication is the most popular
choice
 Popular RF-based communication solutions:
– IEEE 802.15.4
– IEEE 802.11 (or Wifi)
– Bluetooth
– Near Field Communication (NFC), e.g. RFID
– LoRa
– ZigBee

Networks
 The Roles of Networks
– Managing nodes (discovery, join, leave, etc)
– Relaying data packets from the source to the destination node in the
network

 All nodes need to perform networking related tasks

 RF-based Network in IoT is usually a Wireless Multi-hop Network


Some examples:
– Wireless Sensor Networks (WSNs)
– Mobile Wireless Ad hoc Networks (MANETs)
– Wireless Mesh Networks (WMNs)
– Vehicular Ad Hoc Networks (VANETs)
– and others...

 Main concern: Reliability & Performance


Internet
 The Internet serves as the wide area network for a local network
 The Internet uses TCP/IP : this implies that things must also
support TCP/IP
 Gateway (or sink)
– For a practical deployment, a gateway is often needed in a
network
– It relays packets between the network and the
Internet

Protocol Stack
[Figure: protocol stacks. Thing: Application / TCP/UDP / Network (IP) / IEEE 802.15.4 PHY/MAC, talking to other things over the wireless medium. Gateway: Network (IP) over IEEE 802.15.4 PHY/MAC on one side and IEEE 802.3 (Ethernet) on the other. Server: Application / TCP/UDP / Network (IP) / IEEE 802.3 (Ethernet), reached through the Internet]
IoT Security and Privacy

 Are they important?
 What is the risk?
 What are the challenges?
– Device level
– Network level
– System level
– User level
 Solutions?