Wi-Fi Transmission and Enhancement
Contents
1. Overview of WiFi transmission
   WiFi encapsulation in OSI
   802.11 frame types
   Management frame
   Control frame
   Data frame
   Medium access control
2. Case study
   Lab WiFi environment
   STA and AP retransmit so much in low RSSI condition
3. WiFi enhancement
   Physical layer enhancement
   MAC layer enhancement
WiFi encapsulation in OSI
The IEEE 802.11-2007 standard defines communication mechanisms only at the Physical layer and MAC sublayer of the Data-Link layer of the OSI model.
By design, the 802.11 standard does not address the upper layers of the OSI model
When capturing wireless frames, if wireless encryption is implemented, all of the layer 3 through layer 7 information will be grouped and displayed as the encrypted payload
802.11 frame types
There are 3 major types of frame, each further subdivided into multiple subtypes:
Management frames are used by wireless stations to join and leave the basic service set
802.11 control frames assist with the delivery of the data frames
Data frames carry the actual MSDU data that is passed down from the higher layer protocols
Management frame
Association request
Association response
Reassociation request
Reassociation response
Probe request
Probe response
Beacon
ATIM
Disassociation
Authentication
Deauthentication
Control frame subtypes
Power Save Poll (PS-Poll)
Request to send (RTS)
Clear to send (CTS)
Acknowledgment (ACK)
Contention Free-End (CF-End)
CF-End + CF-ACK
Block ACK Request (BlockAckReq)
Block ACK (BlockAck)
Data frame subtypes
Data (simple data frame)
Null function (no MSDU payload)
Data + CF-ACK
Data + CF-Poll
Data + CF-ACK + CF-Poll
CF-ACK (no MSDU payload)
CF-Poll (no MSDU payload)
CF-ACK + CF-Poll (no MSDU payload)
QoS data
QoS Null (no MSDU payload)
QoS data + CF-ACK
QoS data + CF-Poll
QoS data + CF-ACK + CF-Poll
QoS CF-Poll (no MSDU payload)
MAC Sublayer Frame Format
802.11 MAC Protocol Data Unit (MPDU)
Management frame
Management Frame structure
Management frames always have a standard 24-byte-long MAC header with three addresses, followed by a body of variable size. When 802.11n is in use, the header is extended by the 4-byte HT Control field
The Duration/ID field can be used for virtual carrier sense. This is its main purpose: it resets the NAV timer of the other stations
The DA field is the destination address of the frame. It can be broadcast or unicast depending on the frame subtype
The SA field is the MAC address of the station transmitting the frame
The BSSID can be the AP BSSID or a wildcard value
The size and content of the body depend on the management frame subtype

Subtype bits    Subtype description
0000            Association request
0001            Association response
0010            Reassociation request
0011            Reassociation response
0100            Probe request
0101            Probe response
1000            Beacon
1001            Announcement traffic indication message (ATIM)
1010            Disassociation
1011            Authentication
1100            Deauthentication
1101            Action
1110            Action no ack
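The header layout and subtype table above, turned into a small decoder. This is an added example, not part of the original slides; the sample frame bytes and MAC addresses are constructed, and treating the Order bit as the marker for the 4-byte HT Control field is an assumption taken from 802.11n.

```python
import struct

# Subtype bits -> description, as in the table above (management frames are type 00).
MGMT_SUBTYPES = {
    0b0000: "Association request", 0b0001: "Association response",
    0b0010: "Reassociation request", 0b0011: "Reassociation response",
    0b0100: "Probe request", 0b0101: "Probe response",
    0b1000: "Beacon", 0b1001: "ATIM", 0b1010: "Disassociation",
    0b1011: "Authentication", 0b1100: "Deauthentication",
    0b1101: "Action", 0b1110: "Action no ack",
}

def mac(raw):
    return ":".join(f"{octet:02x}" for octet in raw)

def parse_mgmt_header(frame):
    """Decode the MAC header of a management MPDU (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("a management header is at least 24 bytes")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    # Assumption from 802.11n: the Order bit marks a 4-byte HT Control field.
    header_len = 28 if fc & 0x8000 else 24
    if len(frame) < header_len:
        raise ValueError("truncated HT Control field")
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    return {
        "subtype": MGMT_SUBTYPES.get(subtype, f"reserved ({subtype:04b})"),
        "retry": bool(fc & 0x0800),                 # set on retransmissions
        # Bit 15 clear: Duration in microseconds, used by other stations for NAV.
        "duration_us": duration if duration < 0x8000 else None,
        "da": mac(frame[4:10]),
        "sa": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "seq": seq_ctl >> 4,
        "header_len": header_len,
        "body": frame[header_len:],
    }

# Constructed sample: beacon header (broadcast DA) followed by a 3-byte dummy body.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "02005e000001" "02005e000001" "3012"
) + b"\x01\x02\x03"
```

Counting frames whose "retry" value is true per station gives the retransmission rate that the case study later in the page is about.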
Management frame
Beacon Frame
Connection establishment
Beacon frames are used by the access points (and stations in an IBSS) to communicate throughout the serviced area the characteristics of the connection offered to the cell members
Beacon frames are sent periodically, at a time called the target beacon transmission time (TBTT); the time unit used is normally 1,024 microseconds
All stations in the cell use the AP beacon as a time reference
Management frame
Beacon Frame example
Timestamp field: represents the time on the access point, which is the number of microseconds the AP has been active
Capability Information field: contains a number of subfields that are used to indicate requested or advertised optional capabilities
Short Slot Time subfield: determines whether short slot time is allowed in the cell
Supported Rates: at least one mandatory rate must be set by the AP, and any station wanting to join the cell must support all basic rates
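An added example (not from the original slides) that decodes the beacon body fields described above and applies the basic-rate rule. The sample body is constructed; the bit positions for Short Preamble (bit 5) and Short Slot Time (bit 10), the element IDs and the rate encoding come from the 802.11 standard, not from this page.

```python
import struct

TU_US = 1024  # one time unit = 1,024 microseconds

def parse_beacon_body(body):
    """Decode beacon fixed fields plus the SSID and Supported Rates elements."""
    if len(body) < 12:
        raise ValueError("beacon body needs 12 bytes of fixed fields")
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {
        "uptime_us": timestamp,                     # Timestamp field
        "beacon_interval_us": interval_tu * TU_US,
        "short_preamble": bool(cap & (1 << 5)),     # Capability Information bits
        "short_slot_time": bool(cap & (1 << 10)),
        "ssid": None, "basic_rates": [], "other_rates": [],
    }
    pos = 12
    while pos + 2 <= len(body):                     # walk the tagged elements
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            raise ValueError("truncated information element")
        if eid == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif eid in (1, 50):                        # Supported / Extended Supported Rates
            for rate in data:
                mbps = (rate & 0x7F) / 2            # units of 500 kb/s
                key = "basic_rates" if rate & 0x80 else "other_rates"
                info[key].append(mbps)
        pos += 2 + elen
    return info

def can_join(info, sta_rates):
    """A station must support every basic rate the AP advertises."""
    return bool(info["basic_rates"]) and set(info["basic_rates"]) <= set(sta_rates)

# Constructed beacon body: 100 TU interval, capability 0x0401
# (ESS + Short Slot Time, Short Preamble bit clear), SSID "lab", four basic rates.
SAMPLE_BODY = (struct.pack("<QHH", 5_000_000, 100, 0x0401)
               + b"\x00\x03lab"
               + bytes([1, 8, 0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
```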
Control frame
Valid Type and Subtype combinations
Frame Control fields
Data frame
Data frames: valid Type and Subtype combinations
QoS and Non-QoS Data Frames
Transmitting station   Receiving station   Data frame subtype used
Non-QoS station        Non-QoS station     Non-QoS frame
Non-QoS station        QoS station         Non-QoS frame
QoS station            QoS station         QoS frame
QoS station            Non-QoS station     Non-QoS frame
All                    Broadcast           Non-QoS frame, unless the transmitting station knows that all stations in the BSS are QoS capable, in which case a QoS frame would be used
All                    Multicast           Non-QoS frame, unless the transmitting station knows that all stations in the BSS that are members of the multicast group are QoS capable, in which case a QoS frame would be used
Data-Carrying vs. Non-Data-Carrying Frames
Medium access control
These are the steps a station goes through before transmitting a frame on the wireless medium:
1. STAs use a physical carrier sense (Clear Channel Assessment, CCA) to determine if the wireless medium is busy.
2. STAs use virtual carrier sense (Network Allocation Vector, NAV) to detect if the medium is busy. When the virtual timer (NAV) reaches zero, STAs may proceed.
3. If conditions 1 and 2 are met, STAs wait the necessary IFS interval, as prescribed by the protocol.
4. If conditions 1 and 2 are met through the duration of condition 3, STAs generate a random backoff number in accordance with the range of allowed values.
5. STAs begin decrementing the backoff timer by one for every slot time duration that the wireless medium is idle.
6. After decrementing the backoff value to zero, with an idle medium, a STA may transmit the allotted frame exchange, in accordance with the parameters of the obtained transmission opportunity (TXOP).
7. If another STA transmits before Step 6 is completed, STAs observe steps 1, 2, 3, and 5 until the backoff timer is equal to zero.
8. After a successful transmission, repeat as needed.
The diagram below shows the flow of the above steps
Medium access control
Physical Carrier Sense
The CCA is set to busy if a high enough level of energy is detected coming from valid, modulated 802.11 bits
If modulated bits are detected at those energy levels, the CCA will go busy for 15 microseconds if DSSS modulation is being used or for 4 microseconds if OFDM modulation is being used
Interference from non-802.11 devices does not cause the CCA to go into a busy state
CCA may not keep all devices within a BSS quiet. If an AP or station is too far away to detect data transmissions at the requisite energy level, the CCA may go into the idle state even though the channel is still occupied
Virtual Carrier Sense
The network allocation vector is the virtual carrier sense mechanism for 802.11 APs and stations. The NAV is a timer that counts down toward zero. When a device has a NAV value greater than zero, the device stays quiet. Once the NAV value reaches zero, the wireless medium is considered clear
APs and stations set their NAV values according to the Duration value inside the 802.11 header
If an 802.11 device lacks the ability to receive a high-quality signal from another device on the channel because of distance, obstructions, or interference, the two devices will not be able to read each other’s Duration/ID fields and therefore will not have their NAV values set properly
Interframe Spaces
The IFS is a quiet period that APs and stations must wait before any 802.11 frame transmission. There are several different IFS times
Shorter IFS times are used before transmissions with higher priority to the channel. The idea is that if APs and stations wait for a shorter quiet period before transmitting, they will gain access to the channel while other devices are still staying quiet
Medium access control
SIFS (Shortest Inter Frame Space) is used prior to ACK and CTS frames as well as the second or subsequent MPDUs of a fragment burst
SIFS for 802.11b/g/n (2.4 GHz) = 10 µs
SIFS for 802.11a/n/ac (5 GHz) = 16 µs
RIFS (Reduced Inter Frame Space)
The 802.11n standard uses RIFS and Block Acknowledgement (mandatory in 802.11n). RIFS is used only when Block ACK is enabled
RIFS improves efficiency for transmissions to the same receiver in which a SIFS-separated response is not required, such as a transmission burst (CFB, Contention Free Burst)
RIFS = 2 µs
DIFS (Distributed Inter Frame Space)
DIFS = SIFS + 2 x SlotTime
SlotTime for 802.11a/n/ac (5 GHz) = 9 µs
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 9 µs with short preamble
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 20 µs with long preamble
SlotTime for 802.11b/g/n (2.4 GHz – DSSS) = 20 µs
EIFS (Extended Inter Frame Space)
The EIFS value is used by STAs that have received a frame that contained errors. By using this longer IFS, the transmitting station will have enough time to recognize that the frame was not received properly before the receiving station commences transmission
EIFS (in DCF) = SIFS + DIFS + ACK_Tx_Time
EIFS for 802.11b/g/n devices using DSSS = 364 µs
EIFS for 802.11g/n devices using OFDM = 160 µs
EIFS for 802.11a/n devices (5 GHz) = 160 µs
Medium access control
PIFS (PCF Inter Frame Space)
PIFS are used by STAs during the contention-free period (CFP) in PCF mode
Because PCF has not been implemented in 802.11 devices, you will not see PIFS used for this purpose
PIFS = SIFS + SlotTime
Summary of SIFS, DIFS, PIFS and SlotTime values
Medium access control
Random backoff
The random backoff is a quiet period before a frame transmission. It is a period of time that changes based on a random number chosen by each AP or station
APs and stations stay quiet during the random backoff by randomly choosing a number of slot times and then counting down until the number of slot times equals zero. Once the number of slot times hits zero, an AP or station is allowed to transmit a frame
As soon as one device exhausts its slot times, it will transmit, thus turning the CCA to a busy state in all other devices on the channel
The lower limit for the random backoff is always 0. The upper limit for the random backoff is always equal to the contention window (CW)
The contention window (CW) parameter takes the initial value CWmin and effectively doubles on each unsuccessful MPDU transmit, for example each time an ACK response is not received for a data frame. If the CW reaches CWmax it remains at that value until it is reset. The CW is reset to CWmin after every successful MPDU transmit
Medium access control
Random backoff procedure
To begin the random backoff procedure, the station selects a random backoff count in the range [0, CW]. All backoff slots occur following a DIFS during which the medium is determined to be idle.
During each backoff slot the station continues to monitor the medium. If the medium goes busy during a backoff slot then the backoff procedure is suspended. The backoff count is resumed when the medium goes idle again for a DIFS period
When multiple stations are deferring and go into random backoff, then the station selecting the smallest backoff count (STA 3) will win the contention and transmit first
The remaining stations suspend their backoff and resume DIFS after the medium goes idle again
The station with the next largest backoff count will win next (STA 4) and then eventually the station with the longest backoff count (STA 2)
A station that begins a new access (STA 1 again) will select a random backoff from the full contention window and will thus tend to select a larger count than the remaining backoff for stations (such as STA 2) that have already suspended their backoff from a previous access attempt
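An added simulation (not from the original slides) of the backoff procedure described above, including the CW doubling and reset rules. CW_MIN = 15 and CW_MAX = 1023 are assumed values, the starting backoff counts are constructed, and frame airtime is left out of the clock.

```python
import random

CW_MIN, CW_MAX = 15, 1023          # assumed window limits, not given on this page

def next_cw(cw):
    """Double the contention window after a failed transmit, capped at CW_MAX."""
    return min(2 * (cw + 1) - 1, CW_MAX)

def difs_us(sifs_us, slot_us):
    return sifs_us + 2 * slot_us   # DIFS = SIFS + 2 x SlotTime

def simulate(backoff, frames, rng, sifs_us=16, slot_us=9):
    """Run DCF contention; return a log of (idle_time_us, event, stations)."""
    backoff = dict(backoff)        # remaining backoff slots per station
    frames = dict(frames)          # frames each station still has to send
    cw = {sta: CW_MIN for sta in backoff}
    t, log = 0, []
    while any(frames.values()):
        active = [s for s in backoff if frames[s] > 0]
        slots = min(backoff[s] for s in active)
        # Every round starts with an idle DIFS, then the winning slot count.
        t += difs_us(sifs_us, slot_us) + slots * slot_us
        winners = [s for s in active if backoff[s] == slots]
        for s in active:
            backoff[s] -= slots    # losers suspend and keep the remainder
        if len(winners) == 1:      # success: CW resets to CWmin
            frames[winners[0]] -= 1
            cw[winners[0]] = CW_MIN
            log.append((t, "tx", (winners[0],)))
        else:                      # same slot chosen: collision, no ACK, CW doubles
            for s in winners:
                cw[s] = next_cw(cw[s])
            log.append((t, "collision", tuple(winners)))
        for s in winners:          # new access: draw from the full window
            backoff[s] = rng.randint(0, cw[s])
    return log

# Constructed starting counts matching the order in the text: STA 3, STA 4, STA 2.
SAMPLE_BACKOFF = {"STA2": 7, "STA3": 2, "STA4": 4}
```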
Case study
STA and AP retransmitted heavily in low RSSI conditions; this happens with ONTs from all vendors
WiFi Lab environment
Physical layer enhancement
1 Short Preamble is not allowed in Beacon
1.1 Standard
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 9 µs with short preamble
SlotTime for 802.11g/n (2.4 GHz – HT or ERP) = 20 µs with long preamble
STA and AP need a longer time to complete DIFS and the backoff algorithm
1.2 Beacon packet capture
1.3 Next action
RnD: please build firmware that allows the short preamble bit
Refer to BMS ID: H660x:5360
VTAC to test again at the lab
Physical layer enhancement
2 Reduced Interframe Space (RIFS) is prohibited
1.1 Standard
RIFS was introduced with 802.11n to improve efficiency for transmissions to the same receiver in which a SIFS-separated response is not required
The 802.11n standard uses RIFS and Block Acknowledgement (mandatory in 802.11n). RIFS is used only when Block ACK is enabled
RIFS = 2 µs
1.2 Beacon packet capture
1.3 Next action
RnD: please build firmware that permits RIFS
Refer to BMS ID: H660x:5361
VTAC to test again at the lab
Physical layer enhancement
3 Include VHT information of 802.11ac in management frame of 802.11n
1.1 Standard
Some frames, including Beacon, Probe Response and Association Response, carry a larger header, so they take longer to transmit on the WiFi medium
1.2 Beacon packet capture
1.3 Next action
RnD: please build firmware that does not include 802.11ac information in some 802.11n management frames
Refer to BMS ID: H660x:5362
VTAC to test again at the lab
MAC layer enhancement
1 Modify MCS set parameters
1.1 Standard
Non-HT radios that used OFDM technology (802.11a/g) defined data rates of 6 Mbps to 54 Mbps based on the modulation that was used
HT radios, however, define data rates based on numerous factors including modulation, the number of spatial streams, channel size, and guard interval
The 802.11n amendment defines 77 MCSs that are represented by an MCS index from 0–76. The eight mandatory MCSs for 20 MHz channels are comparable to basic (required) rates
1.2 Beacon packet capture
1.3 Next action
If the TX MCS Set Defined subfield is set to 0, it indicates the STA is not specifying a TX MCS set
When the TX MCS Set Defined subfield is set to 1 and the TX RX MCS Set Not Equal subfield is set to 0, the STA is indicating it will use the same MCS set defined by the RX MCS Bitmask subfield
=> Request: set the Tx MCS set as defined and equal to the Rx MCS set.
MAC layer enhancement
2 Support A-MSDU and A-MPDU
1.1 Standard
An 802.11n access point using A-MSDU would receive multiple 802.3 frames, remove the 802.3 headers and trailers, and then wrap the multiple MSDU payloads into a single 802.11 frame for transmission
The size of an A-MSDU must not exceed the maximum A-MSDU size that a STA is capable of receiving. A STA can support one of two maximum lengths: Maximum A-MSDU Length = 0 (3839 bytes) or = 1 (7935 bytes)
The individual MSDUs must all be of the same 802.11e QoS access category
1.2 Action packet capture
1.3 Next action
=> Support A-MSDU with a maximum length of 3839 bytes
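An added check (not the vendor's tooling) for the two MAC-layer requests above, the Tx MCS set setting and the 3839-byte A-MSDU limit, run against the tagged elements of a captured beacon. The element ID (45), field offsets and bit positions follow the 802.11n HT Capabilities layout rather than this page, and the elements produced by build_ht_element are constructed.

```python
import struct

HT_CAPABILITIES_ID = 45

def find_element(ies, wanted_id):
    """Return the body of the first tagged element with the given ID, or None."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, elen = ies[pos], ies[pos + 1]
        if eid == wanted_id:
            return ies[pos + 2:pos + 2 + elen]
        pos += 2 + elen
    return None

def parse_ht_capabilities(elem):
    """Decode the A-MSDU and MCS-set subfields discussed above."""
    if len(elem) < 19:
        raise ValueError("HT Capabilities element too short")
    cap_info = struct.unpack_from("<H", elem, 0)[0]
    mcs = int.from_bytes(elem[3:19], "little")   # 16-byte Supported MCS Set
    if not mcs >> 96 & 1:                        # Tx MCS Set Defined = 0
        tx_set = "not specified"
    else:                                        # Tx Rx MCS Set Not Equal decides
        tx_set = "differs from Rx" if mcs >> 97 & 1 else "same as Rx"
    return {
        "max_amsdu_bytes": 7935 if cap_info & (1 << 11) else 3839,
        "rx_mcs": [i for i in range(77) if mcs >> i & 1],   # Rx MCS Bitmask
        "tx_set": tx_set,
    }

def check_requests(ies):
    """Compare a beacon's tagged elements with the two requested settings."""
    elem = find_element(ies, HT_CAPABILITIES_ID)
    if elem is None:
        return ["no HT Capabilities element"]
    ht = parse_ht_capabilities(elem)
    findings = []
    if ht["tx_set"] != "same as Rx":
        findings.append(f"Tx MCS set {ht['tx_set']}")
    if ht["max_amsdu_bytes"] != 3839:
        findings.append(f"max A-MSDU {ht['max_amsdu_bytes']}")
    return findings

def build_ht_element(cap_info, tx_byte):
    """Constructed test input: Rx bitmask with MCS 0-15 set."""
    mcs = bytes([0xFF, 0xFF]) + bytes(10) + bytes([tx_byte]) + bytes(3)
    body = struct.pack("<H", cap_info) + b"\x17" + mcs + bytes(7)
    return bytes([HT_CAPABILITIES_ID, len(body)]) + body
```

An empty list from check_requests means the beacon advertises both requested settings.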
MAC layer enhancement
2 Support U-APSD (Unscheduled Automatic Power Save Delivery)
1.1 Standard
Every power management method that is used in the real world works from the same basic power management structure, as illustrated in the following steps and figures:
Step 1: Before a station goes into the doze state, it sends a frame, usually a null data frame, to the AP indicating that power management is enabled
Step 2: Once the station indicates that it is in Power Save mode, the AP begins to buffer all frames destined to that station
Step 3: When the station goes into the awake state (more on that later), it sends a frame to the AP in order to begin the data retrieval process
Step 4: When the AP has finished sending all buffered data to the station, the station goes back into the doze state
There are three methods of power management that are used today in the 802.11 family:
802.11 power management
Unscheduled automatic power save delivery (U-APSD) from the 802.11e amendment
Power save multi-poll (PSMP) from the 802.11n amendment.
802.11e Unscheduled Automatic Power Save Delivery
Third Step: When U-APSD is used, the station typically sends null data frames in order to retrieve buffered unicast frames from the AP
Fourth Step: When U-APSD is used, stations must notify the AP that they are going back into Power Save mode by sending a frame