The Current Assessment of Public Nomadic Wireless Computing As of May 10, 2000

Executive Summary:

This white paper represents the current assessment of wireless technology, primarily in its applicability to campus-wide implementation. This document, as well as other white papers distributed by ATS and CTS, will be reviewed and updated on a regular basis.

A working group from Communications Technology Services and Academic Technology Services was tasked with writing a white paper on campus-wide wireless computing. The paper was distributed in rough draft to the Campus Computing Cooperative (CCC) and to the Communications Technical Advisory Group (CTAG), with final presentation to the campus IT management group for further review and discussion.

Although there is a great deal of interest in wireless networks both here at UCLA and elsewhere, and their deployment is growing by leaps and bounds, the underlying technology is not without its problems. There are several classes of issues associated with the use of IEEE standard 802.11 wireless networking to support public nomadic wireless computing. This paper discusses three issues: privacy, interference from other radio services, and interoperability. It also describes implementations that are most likely to be successful today.

Privacy:

802.11 defines a shared network, in which users can view other users' traffic. The encryption defined by 802.11 does not address this issue and is not practical to use in a public environment. Non-standards-based solutions are available, but lock the implementer into a single-vendor solution.

Interference:

The radio frequencies used by 802.11 are shared among a number of different services that may interfere with each other. The FCC's regulations explicitly state that no interference protection is available to Part 15 devices such as 802.11 equipment.

Interoperability:

The 802.11 specification omits a number of highly important features. Non-standards-based solutions are available, but lock the network into a single-vendor solution. In some cases, parts of the same vendor's product line will not interoperate with other parts. This will force the institution into either specifying a single-vendor solution for all of campus, or having islands of non-interoperable equipment.

We draw the following conclusions from the above three issues:

802.11 wireless networking can provide privacy and security for public nomadic networks only if separate-key-per-user encryption is used. Since WEP (Wired Equivalent Privacy) does not support this, a single-vendor solution for both access points and remote connections is necessary. WEP is most likely to be acceptable for a closed community of users, such as a small department or a research group.

Several groups on campus, such as Computer Science and Social Sciences Computing have already implemented wireless strategies. ATS plans to conduct a study of the range of the wireless transmission and the access points location within its department to examine many of the issues described here.

Today, attempts to generalize this strategy to a campus-wide solution, no matter how desirable, are likely to be beset by technical and administrative difficulties. This document more fully details these issues.

Introduction:

The notion of wireless computing means many different things. There is the idea of local area wireless, where computers are located within 50-100 feet of the network access point or base station. There may be a network of interconnected access points so that, for instance, a computer may roam between rooms within a department. 802.11 technology is typically thought of as a solution for such a system.

Another model is wide area roaming, akin to what consumers are used to with their cellular phones. Because of various technological and financial issues, wide area services can probably be provided only by common carriers, as are today's cellular services, and 802.11 technology is specifically not a solution for this model. This means, by the way, that there will almost certainly be usage charges associated with this class of wireless service. Because of both charging issues and the fact that cellular frequencies have limited penetration into buildings, cellular technology is not a viable solution for the first wireless model above. MMDS and LMDS typically require a fixed outdoor antenna and are therefore not easily adaptable to mobile applications.

Yet another class of wireless computing is envisioned by Computer Science's iMASH project. In this model, doctors and medical researchers have wired desktop computers, the ability to roam freely within the UCLA hospital with limited function handheld wireless computers, and some ability to roam outside in the immediate vicinity of the hospital. 802.11 may provide the interior roaming (although there may be severe interference from medical devices operating on the same frequencies). It is less clear whether 802.11 can provide exterior roaming. Also, the CS department believes that new IP protocols are required to support this class of roaming computing, and that Mobile IP is not sufficient. At present, iMASH is a research project, and not a blueprint for a production system.

Privacy and Security Issues:

802.11 wireless networks are based on the absence of privacy. From a privacy standpoint the access point behaves like the network device known as a hub rather than a switch: radio is a shared medium, so every frame the access point transmits to one mobile, and every frame a mobile transmits to the access point, can be received by every other 802.11 device within range. Thus, everything that is sent to or from your 802.11-equipped laptop is available to every other 802.11 laptop using the same access point. If the network supporting the access point is itself hub-based rather than switch-based, as is typical of older networks, then all traffic from every device on that network reaches the access point and may be carried out over the air to every wireless device as well. The dorms and commons areas on campus use network switches to limit this exposure.

If someone simply plugs an 802.11 access point into an existing hub-based network, a major network compromise can result. For example, if we plugged an access point into our commons network, then all the userids and passwords created by people using the new-user signup machine would be broadcast to every 802.11 device, as would all the traffic from every workstation in the commons.

Many wireless networking customers are not aware of this absence of privacy. If you put a wireless network card into your laptop and connect to a network, you do not immediately see all this traffic from all the other users; you have to run a packet-capture program to make it visible. Such programs are available free for Windows and Mac machines, and are provided as a part of UNIX operating systems. Encrypted traffic, however, while still received by all other users, remains encrypted. Familiar examples of encryption include SSH (the encrypted replacement for Telnet, which is now required by a number of Federally-funded sites) and SSL-protected WWW services; most good WWW servers will enter secure mode before asking for a password or credit card number, although not all do.

Note that a wireless user does not have to pass current UCLA authentication to connect to an 802.11 access point, and that current authentication can't be used to protect the access point. A user would have to pass network authentication to access resources off the wireless LAN, but not just to monitor the LAN. In fact, a sophisticated hacker could monitor the LAN traffic without actually connecting to the access point, just by listening to the radio broadcast, but this is more complex than the simple interception program mentioned above.

It is theoretically possible to use only encrypted services on your laptop, and therefore not to have your privacy compromised when using 802.11 wireless, but it is not easy, and requires attention to everything you do. It also requires the discipline not to access non-encrypted services while you are using wireless. There is, for example, no current way to access BruinOnline email with encryption. Being secure over an insecure connection is so tedious as to be impractical for most people. There is no solution within the 802.11 framework, but there are non-standards-based solutions. Lucent offers an elegant separate-encryption-key-per-user solution, but this locks the implementer into using only Lucent access points and laptop cards. One could also use VPN (virtual private network) technology. This is not vendor specific, but requires one to set up VPN servers and accounts for all network users, requires the users to have VPN client software on their laptop machines, and requires that all of the laptop's traffic be routed through the VPN server whenever it is on the wireless network; anything sent outside the tunnel goes over the air in the clear.

The only security measure available in the 802.11 specification is something called WEP (Wired Equivalent Privacy). This consists of a password (really a shared secret key, 40 bits long in the base standard) that is installed on the access point and on each mobile computer. Each frame is then encrypted with the RC4 stream cipher under that key combined with a per-frame initialization vector, which is sent in the clear. Note that there is one password per network; the access point and the mobile computers all use the same password. One problem with WEP is that it addresses only the idea of an outsider eavesdropping on the network; all network users holding the password can still decrypt all of each other's transmissions.

Obviously, the WEP password is not useful in a public wireless system, since one would have to publish the password. Worse, WEP is an optional part of 802.11, and therefore is not implemented by all vendors. This means users with certain vendors' equipment cannot participate in 802.11 networks that use passwords. In any roaming situation where individual network operators configured their access points with unique passwords, mobile users would have to reconfigure their machines with a new password every time they moved to a new service area. Clearly, WEP doesn't work reasonably in this environment either.

In a WEP-protected system, there is the possibility that a hacker may steal the password from an unattended machine or talk a naive user into revealing it, thereby compromising the network. There are some clever proprietary schemes that pass the entered password through a one-way function, so the stored value cannot be turned back into the password and stolen. Unfortunately, "proprietary" is the operative word here. Proprietary means that all users must use particular equipment from a particular vendor. As mentioned, Lucent has an elegant solution to the privacy problem, but it requires that all network users use a particular Lucent card in their laptop in order to access the network.

Without WEP, all traffic on the wireless network is broadcast in the clear, and is available for monitoring by any hacker. With a directional antenna and scanner, 802.11 networks are detectable at surprising distances. Someone sitting in a car in one of UCLA's parking lots could monitor a large part of campus, for example. Also, WEP is the only mechanism within the 802.11 specification for preventing any passing user with an 802.11 card in his or her laptop from connecting to one's access point; one can only connect to a WEP-protected network if one knows the password.

Contrast this level of security with that of a digital cellular phone. Digital cellular systems encrypt each conversation with a unique 40-bit key based on the ESN of the user's cell phone. Every conversation on a digital cellular channel has a different encryption key. In addition, it is a Federal crime to monitor cellular frequencies or to manufacture or sell equipment capable of doing so -- this is not true of the frequencies used by 802.11, which are unprotected. All in all, digital cellular security is a reasonable level of security. One can argue that 40-bit keys are too weak, but as a practical matter, digital cell phones are more secure than home phones. Best of all, the security is completely invisible to the end user. He or she just uses the phone and enjoys full privacy.

802.11 wireless networking can provide sufficient privacy and security if it is used with WEP enabled, and if the visibility of all network traffic to every user of the network is acceptable. These conditions could be met in a closed user group such as a small department or research group. Unfortunately, WEP cannot reasonably be used, and trust certainly cannot be assumed, in a public nomadic wireless environment. 802.11-based equipment can also be used if one is willing to go with a single-vendor solution for both access points and remotes.

Several major changes need to be made to 802.11 in order to implement acceptable privacy and security for public nomadic networks. First, the access point needs to function as a switch rather than as a hub. This means that mobile computers would receive only those packets intended for them, and not packets directed to another mobile device, or to another station on the network to which the access point is attached. Because each mobile would then be served separately, broadcast and multicast frames would have to be transmitted once per mobile rather than once for all, which increases transmitted traffic, so careful attention needs to be paid to handling of broadcast and multicast traffic. Secondly, traffic to and from a given mobile computer needs to be encrypted by a key unique to that mobile. This will prevent eavesdropping both by other mobiles on the access point and by hackers with scanners. Thirdly, the network key has to be encrypted when stored on the mobile devices, so it cannot be compromised. Lastly, privacy protection needs to be fully automatic, like a digital cell phone, so that the user isn't required to take any action to enable it.
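The shared-key property of WEP described above, and the per-mobile key the preceding paragraph calls for, as an added illustration. This is example code written for this page, not Lucent, vendor or UCLA code. It reconstructs the 802.11-1997 WEP frame body (a 3-byte initialization vector sent in the clear, a key-ID byte, then the data and a CRC-32 integrity check value encrypted with RC4 under IV||key) and shows that a second mobile holding the same network key reads another mobile's frame, while a mobile holding its own key cannot. The station names, key values, IVs and the sample login message are constructed for the example.

```python
import struct
import zlib
from typing import Optional

# Example written for this page: a reconstruction of 802.11-1997 WEP framing
# (not vendor, Lucent or UCLA code). RC4 keystream seeded with IV || key;
# a CRC-32 integrity check value (ICV) is appended to the data before encryption.


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR the data with the keystream.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """Return the WEP frame body: IV(3) || key-id(1) || RC4(IV||key, data || ICV).
    The standard leaves IV selection to the implementer; callers pass one in here."""
    assert len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame_body: bytes) -> Optional[bytes]:
    """Undo wep_encrypt. Returns None when the ICV does not verify, which is
    what happens when the receiver holds a different key than the sender."""
    iv, ciphertext = frame_body[:3], frame_body[4:]
    plain = rc4(iv + key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(data) & 0xFFFFFFFF):
        return None
    return data


# Constructed values for the demonstration (hypothetical keys and stations).
NETWORK_KEY = bytes.fromhex("0123456789")      # one 40-bit key for the whole network
ALICE_KEY = bytes.fromhex("a11ce0a11c")        # per-mobile keys, as the text proposes
BOB_KEY = bytes.fromhex("b0bb0bb0bb")
IV = b"\x00\x00\x01"                            # fixed so the example is reproducible
MESSAGE = b"USER alice\r\nPASS s3cret\r\n"      # what a POP3 login looks like on the wire


def shared_key_eavesdrop() -> Optional[bytes]:
    """Standard WEP: Alice's frame, decrypted by Bob, who holds the same network key."""
    frame = wep_encrypt(NETWORK_KEY, MESSAGE, IV)
    return wep_decrypt(NETWORK_KEY, frame)


def per_mobile_key_eavesdrop() -> Optional[bytes]:
    """Same framing, but each mobile has its own key: Bob cannot read Alice's frame."""
    frame = wep_encrypt(ALICE_KEY, MESSAGE, IV)
    return wep_decrypt(BOB_KEY, frame)


if __name__ == "__main__":
    print("shared network key:", shared_key_eavesdrop())     # Bob reads Alice's password
    print("per-mobile keys   :", per_mobile_key_eavesdrop())  # None: ICV check fails
```

The point of the contrast is only the key-distribution property the paper discusses: with one key per network, "encrypted" means "hidden from outsiders", not "hidden from other users". The code reproduces WEP as specified so that the frame layout is visible; it is not a recommendation to build on it.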

There is little if any ongoing work to address the privacy and security issues inherent in the 802.11 specification by amending the specification, and therefore one shouldn't expect quick solutions. What solutions there are will be single-vendor proprietary solutions for the foreseeable future. Because the reality of 802.11 privacy is so different from the typical user's expectation (the user expects cellphone-like privacy), anyone implementing an 802.11 system needs to take extreme measures to ensure that all users of the system understand the lack of privacy.

User authentication is another nomadic security issue, but the issue is mostly the same as the current issue of authenticating laptops in UCLA's commons areas, and whatever solution is found for that application will work for wireless. As mentioned above, however, authentication does not address the privacy issue, and a user with an 802.11 portable can connect to and eavesdrop on an 802.11 network without authenticating.

Regulatory Issues:

There are a number of issues related to the available radio frequencies allocated for wireless networking, and to the way in which they are regulated.

Cellular phones operate on radio spectrum licensed to common carriers such as Sprint, AT&T, and PacBell. When a user uses a cellular phone, he is doing so under the FCC license held by his service provider. For the last several years, the FCC has been granting licenses in these types of services through an auction process. There are four licenses available for the cellular service in the Los Angeles area. The auction prices for these licenses were in the tens of millions of dollars. This has some consequences. Because of the small number of licenses and the high cost, it would be extremely difficult for a private entity, such as UCLA, to obtain a license. (In fact, the FCC requires license holders in some of these services to be common carriers.) Also, the license cost (and the costs of all the cellular towers needed to provide coverage) sets an implicit minimum price on cellular services. Also, the frequency spacing of the radio channels in the service, and the allowed emission types, set a limit on the bandwidth (speed) of data transmissions. There are very few frequencies currently allocated for mobile high-speed data transmission. Much of the existing radio spectrum was allocated in the 1960s and 1970s, when there was no need for this service. Unfortunately, all the radio spectrum in existence is currently allocated to some service or other, and we must live with those allocations for years to come. The only possibilities for new allocations come from either doubling up on existing allocations, or from phasing out existing services.

Secondary allocations (you can use this frequency as long as you do not interfere with the primary licensee) are only possible in limited cases. Maritime frequencies are sometimes allocated to other services in areas like Nevada or Utah that are far from oceans and rivers. Point-to-point microwave frequencies can be multiply assigned if the system operators agree to use highly directional antennas.

The move from standard television to HDTV will result in the old standard TV frequencies being released for reallocation at some future date. But this won't occur for a number of years; there is the small problem of replacing every television in the US first. The FCC is loath to take away spectrum from any existing class of users, even if they are not making particularly effective use of it. And the FCC estimates that they have 50-100 requests for new uses for every frequency or group of frequencies they might make available. Unfortunately, wireless data services are both channel hungry and bandwidth hungry. There are several hundred channels allocated to the cellular services, and several hundred megahertz of spectrum allocated. But these services are low bandwidth. High-speed wireless networking would need channels many times as wide as those used for cellular telephones, and correspondingly more spectrum.

There are a few frequency bands allocated for experimental and other miscellaneous uses. These bands are called the ISM bands, from "Industrial, Scientific, and Medical", which were the first equipment to use them. Devices operating in these bands are often called Part 15 devices, from Part 15 of the FCC rules (47 CFR Part 15), which defines them. In the past, these bands have been used for equipment that creates radio waves as a byproduct of its operation. For example, the microwave oven is a prime ISM band user. Typically, these users make poor spectrum neighbors, since they are usually transmit-only applications that have no sensitivity to interfering with, or interference from, other ISM users. The ISM bands are unlicensed, not in the sense that they are unregulated, but in that users are not required to have individual licenses to operate ISM equipment. The FCC regulations specify little more than the maximum radiated power (signal strength) that devices in this service can generate. Because it was literally the only radio spectrum available for wireless networking, the designers of the 802.11 specification picked the 2.4 GHz ISM band as the basis for 802.11.

The unlicensed and experimental nature of the 2.4 GHz ISM band means that one has no guarantee that if one builds a wireless network, it will not receive interference from other users of the frequency. Nor is there any guarantee that an operating network will not be rendered non-functional when a new user pops up. A common interference source is the ubiquitous microwave oven, which operates in the 2.4 GHz band.

The 802.11 people are not the only people who have decided they would like to sell wireless consumer equipment. The largest competitor to 802.11 is a new short-range technology called Bluetooth, developed by an industry group whose founding members include Ericsson, Intel, IBM, Nokia and Toshiba. Its backers believe there is a vast market for single-user short-range wireless technology that is inexpensive, and a very cheap ($10) chipset has been developed for this purpose. Typical applications include portable telephones, CD players with wireless headsets, and wireless computer peripherals. It is likely that many of us will have Bluetooth-based devices in our offices within a couple of years, and that we will commonly see students carrying Bluetooth devices with them in the future. Unfortunately, 802.11 and Bluetooth devices located in the same vicinity interfere with each other, since both occupy the same 2.4 GHz band. The result will be that as one tries to roam with one's 802.11 laptop, there will be more and more likelihood of interference from competing technologies. Contrary to our experience with technology in general, 802.11 wireless will work less and less well as time passes.

Recently, HomeRF applied to the FCC for a waiver of the emission limitations on the 2.4 GHz band so they could market their device, which needs a wider bandwidth than allowed under current Part 15 regulations. The FCC granted the waiver. When the makers of 802.11 and Bluetooth equipment objected, because HomeRF creates severe interference to them, the FCC reminded them that the band was experimental, open to all comers, and offered no protection for existing services. We can expect to see more and more competing and incompatible uses of the 2.4 GHz band, making interference-free 802.11 wireless more and more difficult to achieve.

The ISM frequencies are also used by the Amateur Radio service, which is an FCC-licensed radio service. Amateurs can operate with very high radiated power on the 2.4 GHz band, on the order of one million times that of Part 15 devices like 802.11. Thus, amateur radio can cause interference to wireless LANs at long distances. An amateur radio transmitter located several miles away could produce the same signal level as an 802.11 remote 100 feet away. The FCC has stated emphatically that Part 15 devices are entitled to no protection from licensed services.
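The amateur radio comparison above, carried through as an added worked example (code written for this page, not part of the original paper). It uses the free-space path loss model with isotropic antennas at both ends, a 30 mW 802.11 client (an assumed figure; early PC cards were in this range) and the 1500 W peak-envelope-power limit that FCC Part 97 allows amateurs, and computes how far away the amateur transmitter can be while still matching the level an 802.11 card produces from 100 feet. Free space is the most favourable case for the distant transmitter; walls and terrain only reduce the figure.

```python
import math

# Example written for this page (not part of the original paper): free-space
# link budget used to check the "several miles" claim for amateur interference.

C_M_PER_S = 299_792_458.0
FT_PER_M = 3.280839895
FT_PER_MILE = 5280.0
CHANNEL_6_HZ = 2.437e9          # centre frequency of 802.11b channel 6

WLAN_CARD_W = 0.030             # assumed 802.11 client transmit power (30 mW)
AMATEUR_MAX_W = 1500.0          # FCC Part 97 amateur power limit (PEP)


def watts_to_dbm(watts: float) -> float:
    """Convert a power in watts to dBm."""
    return 10.0 * math.log10(watts * 1000.0)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss between isotropic antennas, in dB."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / C_M_PER_S)


def rx_dbm(tx_dbm: float, distance_m: float, freq_hz: float = CHANNEL_6_HZ) -> float:
    """Received power (dBm) from an isotropic transmitter at the given range."""
    return tx_dbm - fspl_db(distance_m, freq_hz)


def equal_signal_distance_ft(tx1_dbm: float, d1_ft: float, tx2_dbm: float) -> float:
    """Range at which transmitter 2 delivers the same received level that
    transmitter 1 delivers from d1_ft. Free-space loss grows as 20*log10(d),
    so the answer is d1 * 10^((P2 - P1) / 20), i.e. d1 * sqrt(P2 / P1)."""
    return d1_ft * 10.0 ** ((tx2_dbm - tx1_dbm) / 20.0)


def amateur_equivalent_range_miles(card_w: float = WLAN_CARD_W,
                                   amateur_w: float = AMATEUR_MAX_W,
                                   d1_ft: float = 100.0) -> float:
    """Miles at which a full-power amateur signal equals an 802.11 card at d1_ft."""
    d2_ft = equal_signal_distance_ft(watts_to_dbm(card_w), d1_ft, watts_to_dbm(amateur_w))
    return d2_ft / FT_PER_MILE


if __name__ == "__main__":
    level = rx_dbm(watts_to_dbm(WLAN_CARD_W), 100.0 / FT_PER_M)
    print(f"802.11 card seen from 100 ft: {level:.1f} dBm")
    print(f"1500 W amateur matches that level from {amateur_equivalent_range_miles():.1f} miles")
    # the paper's "one million times" power ratio is 60 dB, i.e. 1000x the distance
    print(f"60 dB ratio: {equal_signal_distance_ft(0.0, 100.0, 60.0) / FT_PER_MILE:.1f} miles")
```

With these inputs the 1500 W transmitter matches the card from about 4.2 miles, and the paper's round "one million times" ratio would put it at about 19 miles, which is consistent with the "several miles" claim.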

The 802.11b specification defines 11 channels in the 2.4 GHz ISM band for the US, but they are spaced only 5 MHz apart while each signal is about 22 MHz wide, so only three of them (channels 1, 6 and 11) can be used in the same place without interfering with each other; the band isn't wide enough for more. This means that any given point in a wireless network coverage area can be served by a maximum of three access points. Three channels are the practical minimum required to provide roving coverage. To provide coverage of a departmental area, access points would be set up using the three channels in a staggered fashion, so that at least two access points are reachable at any point in the coverage. In those cases where a single department is not the sole occupant of an entire building, departments might wish to have their own wireless networks, but the limited number of channels doesn't really allow for this. If ATS constructed a three-channel network in our space, and Math then installed wireless in their offices on the 5th floor, the two systems would interfere with each other, quite possibly making both useless, or drastically reducing the useful range of each. The cellular phone companies have spent large amounts of effort attempting to engineer restricted-coverage radio systems, but somehow radio waves just don't understand that they are not supposed to propagate into adjoining cells.
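The channel-budget argument above, as an added example (written for this page; not UCLA or vendor code). It models access points that can hear each other as a graph, treats two US 802.11b channels as overlapping when their centre frequencies are less than 25 MHz apart, and searches for an interference-free channel plan. The access point names and the assumption that the Math access point hears all three ATS access points are constructed for the example. The search also shows that offering all 11 channels instead of just 1, 6 and 11 does not help: a fourth mutually audible access point still cannot be placed.

```python
from typing import Dict, Iterable, Optional, Sequence, Set, Tuple

# Example written for this page (not UCLA or vendor code): a channel planner for
# the 2.4 GHz band that flags two access points as conflicting when they can hear
# each other and their channels overlap.

NON_OVERLAPPING = (1, 6, 11)            # the only mutually clear US 802.11b channels
ALL_US_CHANNELS = tuple(range(1, 12))   # all eleven, 5 MHz apart, ~22 MHz wide each


def channels_overlap(a: int, b: int) -> bool:
    """Two US 802.11b channels interfere unless their centres are >= 25 MHz apart."""
    return abs(a - b) < 5


def neighbour_map(aps: Iterable[str],
                  audible_pairs: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Symmetric adjacency: which access points are within range of each other."""
    nb: Dict[str, Set[str]] = {ap: set() for ap in aps}
    for a, b in audible_pairs:
        nb[a].add(b)
        nb[b].add(a)
    return nb


def assign_channels(neighbours: Dict[str, Set[str]],
                    choices: Sequence[int] = NON_OVERLAPPING) -> Optional[Dict[str, int]]:
    """Backtracking search for a plan in which no two mutually audible access
    points use overlapping channels. Returns None when no such plan exists."""
    order = sorted(neighbours, key=lambda ap: -len(neighbours[ap]))  # most constrained first
    plan: Dict[str, int] = {}

    def fits(ap: str, ch: int) -> bool:
        return all(not channels_overlap(ch, plan[n]) for n in neighbours[ap] if n in plan)

    def solve(i: int) -> bool:
        if i == len(order):
            return True
        ap = order[i]
        for ch in choices:
            if fits(ap, ch):
                plan[ap] = ch
                if solve(i + 1):
                    return True
                del plan[ap]
        return False

    return dict(plan) if solve(0) else None


def plan_is_clean(plan: Dict[str, int], neighbours: Dict[str, Set[str]]) -> bool:
    """Independent check that no audible pair shares overlapping channels."""
    return all(not channels_overlap(plan[a], plan[b])
               for a in neighbours for b in neighbours[a])


# Constructed scenario from the text: three staggered ATS access points that all
# hear one another, then a Math access point on the floor above that hears all three.
ATS = ["ATS-1", "ATS-2", "ATS-3"]
ATS_LINKS = [("ATS-1", "ATS-2"), ("ATS-2", "ATS-3"), ("ATS-1", "ATS-3")]
MATH_LINKS = [("MATH-5", ap) for ap in ATS]


def ats_only() -> Optional[Dict[str, int]]:
    return assign_channels(neighbour_map(ATS, ATS_LINKS))


def ats_plus_math(choices: Sequence[int] = NON_OVERLAPPING) -> Optional[Dict[str, int]]:
    return assign_channels(neighbour_map(ATS + ["MATH-5"], ATS_LINKS + MATH_LINKS), choices)


if __name__ == "__main__":
    print("ATS alone      :", ats_only())                      # a 1/6/11 plan
    print("ATS + Math (3) :", ats_plus_math())                  # None
    print("ATS + Math (11):", ats_plus_math(ALL_US_CHANNELS))   # still None
```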

There is an open question concerning the maximum number of mobiles that can connect to a given access point, using one radio channel. To a very large extent, this number depends on the usage being made of the network. Watching streaming video has a much heavier usage pattern than reading email. Nevertheless, this number is probably small. For example, Apple recommends not more than 10 users per AirPort access point. It is difficult to see how a technology with a small number of users per access point and having only three radio channels available would be able to support a large classroom of several hundred users. It may be that 802.11 won't scale to the extent necessary to support some of the possible applications UCLA might have for wireless. If one doesn't discover the failure to scale before committing to the technology, then one may find oneself in a very tough situation.

Given the limited spectrum available in the 2.4 GHz ISM band, there are numerous possibilities for interference that can make an 802.11 system non-functional. In addition to unintentional interference, there exists a clear possibility for intentional denial of service attacks. Imagine a classroom equipped with an 802.11 system used for instruction. A disgruntled student with a few dollars' worth of parts (or a 2.4 GHz cordless telephone) could easily render the wireless network non-functional by broadcasting an interfering signal. Picture the disruption this would cause if it were done during a critical lecture or during final exams. Aside from the probability that one could never find such a device if it were only operated for an hour or two, it might not even be illegal, given the shared experimental nature of the ISM band.

Given the current service regulations under which they operate, 802.11 wireless networks are susceptible to being rendered unusable at any time by other fixed or portable devices operating on the same frequency. Wireless network operators must be careful to constantly keep this limitation of 802.11 in mind.

Some rather draconian measures have been suggested to control interference. France has recently banned all Bluetooth-based devices (although the concern there is with interference to French military communications rather than to 802.11). Closer to home, Carnegie Mellon University is taking the approach that all wireless will be controlled by the campus network authority. They have banned individual departments from establishing wireless LANs. They require the use of certain vendors' equipment, and have banned other vendors' equipment (in particular, Apple's AirPort system). And they are attempting to ban the use of all non-802.11 equipment that operates on the 2.4 GHz band. Although they may have the practical authority to do this, it is quite likely that the courts will hold that they do not have the legal authority to do it. They may also not appreciate the magnitude of the problem: could someone really ban all microwave ovens from a campus? However, CMU may have a point, in that what they are doing may well be what is necessary to make the current 802.11 technology work.

In order to address the regulatory issues associated with the current implementation of 802.11, the FCC would need to allocate a large chunk of radio spectrum to the wireless network service. It would need to dedicate the new band to wireless use, rather than making it available to all users. Sufficient free spectrum for this purpose does not currently exist; probably 200-300 MHz are required. Should it become available, the FCC would have to be convinced that a new 802.11-like wireless networking service was the best possible use for the spectrum. They would also have to be convinced not to auction the license to the highest bidder. None of this seems likely in the immediate future.

Any solution to the current shared frequency interference problems is likely to come with equipment that operates on different frequencies. This means that if one has invested in 802.11 equipment, that equipment will have to be replaced to take advantage of the solution.

Interoperability Issues:

The point of an IEEE specification like 802.11 is to allow for the interoperability of equipment from different vendors, and to enable the cost reductions that competition provides. Unfortunately, important parts of 802.11 were made optional, thus allowing vendors to produce components that don't interoperate. As discussed, WEP is an optional part of 802.11. Also, 802.11 does not specify how to link access points together to implement the ability for mobiles to roam around the coverage area, leaving vendors to implement proprietary solutions, or none at all. Apple, for example, does not support automatic roaming; Apple users must manually select the access point they wish to contact whenever they move.

Worse, encryption is an optional part of 802.11, and therefore is implemented differently, or not implemented at all, by different vendors. This means that users with certain equipment cannot participate in 802.11 networks that use passwords. Some vendors offer three versions of the 802.11 network PC card: one that doesn't support encryption, a more expensive one that supports 40-bit WEP-standard encryption, and a yet more expensive one that supports 128-bit non-standards-based encryption. If one chooses to implement vendor-specific 128-bit encryption, two of the three models of this vendor's own cards won't work with it. So much for the idea of standards and interoperability.