Improving Reception in the SparkNet WLAN

Environment

Master of Science in Technology Thesis

University of Turku
Department of Information Technology
Communication Systems
2007
S. Sormunen

Instructors
Seppo Virtanen
Jarkko Paavola
Esa Aarnio
Jens Mach
Index

1. Introduction.............................................................................................................. 1
1.1. SparkNet.................................................................................................... 2
1.1.1. Functionality and Security............................................................. 2
1.1.2. Authentication................................................................................ 2
2. The IEEE 802.11 Standard for Wireless Networks.................................................. 4
2.1. Fundamental Model of the WLAN............................................................ 6
2.2. 802.11 Services.......................................................................................... 8
2.2.1. Distribution System Services............................................................ 8
2.2.2. Station Services.................................................................................9
2.3. Logical Link Control..................................................................................10
2.4. MAC Layer................................................................................................ 11
2.4.1. Data Service Reliability and Error Handling.................................... 11
2.4.2. Access Control.................................................................................. 12
2.4.2.1. Distributed Coordination Function............................................. 12
2.4.2.2. Point Coordination Function....................................................... 15
2.4.3. MAC Frame Format..........................................................................16
2.4.4. MAC Frame Types............................................................................19
2.4.5 Synchronization................................................................................. 21
2.4.6 Security.............................................................................................. 21
2.4.6.1 Authentication.............................................................................. 21
2.4.6.2. WEP............................................................................................ 22
2.4.6.3. 802.11i.........................................................................................23
2.5. Physical Layer............................................................................................ 24
2.5.1. Overview........................................................................................... 24
2.5.2. Spread Spectrum Systems................................................................. 25
2.5.2.1. Frequency-Hopping Spread Spectrum........................................ 25
2.5.2.2. Direct-Sequence Spread Spectrum..............................................26
2.5.3. Orthogonal Frequency Division Multiplexing.................................. 30
2.5.4. Infrared.............................................................................................. 33
2.5.5. Multiple Input Multiple Output OFDM............................................ 34
2.5.6. Convergence of the Physical Layer...................................................35
2.6. Rate Selection.............................................................................................37
2.7. 802.11 Protocol Types............................................................................... 37
2.7.1. 802.11a.............................................................................................. 37
2.7.2. 802.11b............................................................................................. 37
2.7.3. 802.11g..............................................................................................38
2.7.4. 802.11n..............................................................................................39
2.8. 802.11 Hardware........................................................................................ 40
2.9. Interference, Fading, and Signal Blocking.................................................42
3. Systematic Approach to Improving Network Coverage and SNR........................... 44
3.1. Optimal Access Point Lattice.....................................................................44
3.2. Common Problems and Example AP Scenarios........................................ 46
3.2.1. Ekahau Site Survey and Its Simulation Properties.........................46
 3.2.2. Example Scenarios......................................................................... 48
3.3. Case Study: Creating a Well-Functioning WLAN for a Library............... 55
3.3.1. Initial Situation and First Simulation............................................. 55
3.3.2. First Phase of Implementation........................................................64
3.3.3. Second Phase..................................................................................69
3.3.4. Third Phase.....................................................................................75
3.4. Case Study Conclusions and AP Arrangement Guidelines........................79
4. Conclusions............................................................................................................... 81
5. References................................................................................................................. 84
6. Appendix 1. List of Acronyms..................................................................................87
 1

1. Introduction
Building large-scale wireless network (WLAN) systems has become popular in the recent
years due to the growing need for wireless Internet access and the drop in equipment
prices. Such bodies as educational institutions and commercial corporations have
implemented networks where, say, a multi-store penthouse may have a wireless link
access practically everywhere. Some research has so far been done about the optimizing
of such networks, and even a few commercial tools are available. However, often the
staff managing and being responsible for the installation of such systems lack a
methodical approach to constructing one from scratch or honing existing ones.

How to place the access points, so that good signal coverage could be ensured
everywhere? How to minimize interference? Is the system optimal? What is the worst-
case situation? Questions like these may pop up when a new installation is planned.
Nevertheless, often in the end the actual placement of the WLAN access points is done
mostly manually, relying on guesswork and mentality similar to "I have a good feeling it
will work here." This in most cases leads to sub-optimal systems, where interference is
high and link quality poor even when maximum capacity is hardly reached.

The University of Turku employs a WLAN strategy called SparkNet with 802.11b/g
technologies [1]. Up to the date, there has not been a systematic approach to installing the
access points and optimizing the reception. The purpose of this thesis is to propose such
an approach, and give a proof of its efficient functionality through a practical
implementation. Also, the major tool the University of Turku uses for measuring the
various features of wireless signals, Ekahau Site Survey, is put into test as a simulation
tool. The influences of different antenna types and construction materials -- such as walls,
ceilings, etc. -- to signal-to-noise ratio (SNR) and coverage are also considered. A multi-
access, multi-user WLAN system is, after all, a complex entity where everything affects
everything else. Hence it is not sufficient to merely take a theoretical outlook on these
matters, but real-life tests are mandatory in order to suit an 'optimal' solution to non-
optimal circumstances. Real-life environment is always lossy, and it should be
remembered that no theoretically optimal system will likely be able to perform ideally in
such conditions.

The thesis is divided in two parts. Firstly, the theoretical basis for 802.11 systems is
considered. The second part is devoted to proposing, simulating, and implementing an
 2

optimal WLAN system model. The conclusions gathered from this experiment will help
pushing future system installations closer to optimal performance.

1.1. SparkNet

SparkNet is, up to date, the largest wireless network system in Finland. It was established
in April 2003 as a partnership project between the University of Turku and MP-
MasterPlanet Ltd. when they joined their virtual local area network (VLAN) segments.
Hence the foundation for the wireless network was acquired. The first base stations were
connected to the network in the following May, and thereafter SparkNet became
operational. A cooperation agreement was made between the previous counterparts, City
of Turku, and several municipalities (Åbo Akademi, etc.) fall 2003. [2]

As SparkNet's operation increased, new products were introduced spring 2004. MP-
MasterPlanet Ltd. developed novel concepts for different kinds of organizations, which
included for instance SparkNet Enterprise and Business Solution. [2]

The network gained even more range spring 2005, when OpenSpark, a wireless network
for home users, was introduced. First OpenSpark users could only use the specialized
OpenSpark access points and a few public hotspots. Later however the whole
functionality and services of SparkNet were extended to this subsystem. [2]

Currently SparkNet has over 1100 access points, and serves over 100,000 users in both
private and public communications. It supports such applications as video conferencing,
VoIP, document sharing, and WebTV. [2]

1.1.1. Functionality and Security

The SparkNet WLAN solution uses the existing wired backbone networks to establish
either wired or wireless connections, the latter naturally made through a wireless access
point. Virtual network segments have been separated from the backbone, and they have
been combined into a single entity, SparkNet. Two wireless protocols are currently in
use: IEEE 802.11b and 802.11g. This infrastructure network is of the open type, which
means there is no encryption present to shield common data traffic outside SSL-
encrypted websites. If a need for encrypted connections arises, the setting up of a virtual
private network or some other tunneling mechanism is recommended. [1], [3]

1.1.2. Authentication

In order to utilize SparkNet, the user needs a private user ID and a password, which are
automatically supplied by the University of Turku or a collaboration partner if the user
belongs to the staff, student body, or some other privileged collaborator party. Also
purchasable, temporal guest IDs are available for, say, guest lecturers and alike. SparkNet
works both in wired and wireless mode, but in the context of this discussion the emphasis
is on the wireless system. [3]
 3

No additional software installations are necessary on the user's computer; only a

functioning (wireless) network adapter, a suitable cable in the case of a wired connection,
and a web browser are needed in order to connect to the network. The wireless adapter
scans the area for available networks. If a strong enough SparkNet-connected wireless
access point (AP) signal is preset, the user can connect to the network through a login
procedure. The network presents itself always with the service set identifier 'Spark'. [3],
[4]

The login to SparkNet is handled via the web browser. When the network is used for the
first time, the user is directed to a page requiring the choosing of a service provider. This
depends on the user's attachment to the various parties employing the network: for
instance, a user associated with the University of Turku would likely select the University
of Turku. Thereafter the user can proceed to the login page. [3], [4]

The correct password/ID combination is validated, and the client receives an IP address
from a DHCP server. This of course requires that the client has automatic DHCP
addressing enabled. After the connection is established, it is possible to connect to the
internet and use other services provided by the hosts. The lease has to be renewed after
the client has been offline for 20 minutes. [3], [4]
 4

2. The IEEE 802.11 Standard for Wireless Networks

The 802.11 standard can be seen as a part of the Open Systems Interconnection (OSI)
reference model by the International Organization for Standardization (ISO). The OSI
model consists of seven protocol layers (figure 1), whose definitions and functions are as
follows:

• The physical layer defines the mechanical, functional, electrical, and

procedural characteristics of the physical medium (e.g. a network). It is
concerned with the transmission of unstructured bit streams over the
physical medium.
• The data link layer determines the access strategy for sharing the physical
medium. It handles the flow control (synchronization), error control, and
sequencing of data.
• The network layer offers methods to establish, terminate, and maintain
network connections. It also provides upper layers with independence from
routing and switching technologies.
• The transport layer offers reliable and transparent conveying of data
between source and destination. It also has methods for end-to-end error
recovery and flow management.
• The session layer supplies the control mechanism for applications to
exchange data with one another. It has the functions necessary to establish,
manage, and terminate connections between applications.
• The presentation layer handles the compression and encryption of data for
applications and protocol conversions.
• The application layer is the layer where the end-user and end-application
protocols run. It provides entrance to the OSI system and distributed
information services.
[5], [6], [7]
 5

Figure 1. The OSI reference model. [7]

The IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard employs
primarily the physical and data link layers of the OSI model [5]. Hence the upper layers
can be overall omitted in any of the following discussion. The topology of 802.11 does
not completely follow even this small segment of the OSI model structure. In figure 2, a
comparison between the OSI and 802.11 reference models is presented [8]. On the whole,
no dominating network system heretofore has managed to comply perfectly with the OSI
model, even if many useful protocols have been developed based on it [5].

The IEEE 802.11 reference model divides the system into two dominating parts: the
medium access control (MAC) that lies on the data link layer and the physical layer
(PHY). The MAC layer has three functional domains: data delivery reliability, access
control to the shared wireless medium, and security. It is the most important part of the
whole specification. Simply put, MAC manages the transmission of user data, handles the
essential framing operations, and interacts with the wired backbone network. The PHY
layer corresponds to such functions as the encoding and decoding of signals, preample
arrangements for synchronization, and bit transmission and reception. A model for
specifying the transmission medium and topology is included. [5], [8], [9], [10]

The original data link layer in the OSI model is separated into two parts in the 802.11
reference model. Above the MAC layer is the logical link control (LLC) which provides
an interface to access higher layers. It also manages data flow and error controls. Figure 3
presents the 802.11 protocol architecture in further detail. The functions and services of
the layers are explained in greater precision in the upcoming sections. [5], [8]
 6

Figure 2. A comparison between the OSI and 802.11 reference models. [8]

Figure 3. IEEE 802.11 protocol architecture. [10]

2.1. Fundamental Model of the WLAN

Basic service set (BSS) is the elementary unit of the WLAN [11]. This is also the
independent basic service set (IBSS), often called an ad-hoc network [12]. A minimum
amount of stations (a station is defined as any device that contains an IEEE 802.11
compliant MAC and PHY interface) necessary to form a BSS is two. In the range of the
 7

network, the clients recognize one another, and together establish a wireless connection
[11].

To enhance the performance of a BSS, an AP can be added to it. This is a transceiver that
is connected to the existing backbone distribution system (DS), and functions as a bridge.
The DS can be a wired or a wireless network, or even a switch. The discussion in this
thesis concentrates only on the wired-type backbone, and that assumption is used
throughout the text. A BSS where clients communicate through an AP is called an
infrastructure BSS. [5], [11], [12]

When a BSS is connected to the wired network via an AP, the data transfers of the two
independent networks become combined. Clients that use the WLAN build a wireless
connection between one another through the AP, and hence they can also communicate
with stations plugged into the wired network. [12]

The signal range of a single transceiver is limited, and hence mobile clients may roam
outside the connectivity area. To avoid such problems, the perimeter of the wireless
network's coverage can be extended by adding more APs and combining a set of BSSs.
As a result, the arrangement becomes an Extended Service Set (ESS), as there are now
multiple clients and APs united with the DS. The ESS is seen by the LLC as a single
logical LAN entity. Figure 4 shows how the various components of an ESS interact. [5],
[11], [12]

When a client moves inside the ESS, it looks for the strongest AP signal and establishes a
connection with it. When the client enters a spot where the current AP's signal strength is
exceeded by some other AP, it builds a new connection with the more powerful
counterpart. [12]

A BSS can overlap with others of the same kind, and thus it is possible for a station to
belong to more than a single BSS. Dynamic association is used, which enables station
mobility and a possibility for the stations to turn on and off. [11]

Figure 4. The roles of different components in an ESS. STA stands for a station. [11]
 8

2.2. 802.11 Services

The 802.11 standard defines nine services for the different components of the WLAN
architecture. They are obligatory in order to establish functionality equivalent to the
traditional LAN. The services can be divided into two categories according to the service
provider: the station service (SS) and the distribution system service (DSS). Out of the
services six are used to support MAC service data unit (MSDU) transportation between
stations and three to control WLAN access and confidentiality. [11]

2.2.1. Distribution System Services

Distribution services are offered between BSSs. They can be built into APs or in some
other equivalent device plugged to the distribution system. [5]

The distribution service is the fundamental service used by stations. It transports

messages through the DS between stations which are in different BSSs. Say, station A in
BSS1 wishes to send a message via the DS to station B in BSS2. The APs in BSS1 and
BSS2 are different, named for instance AP1 for BSS1 and AP2 for BSS2. AP1 captures
the message sent by station A, and then gives it to the distribution service of the DS.
Next, the distribution service carries the message inside the DS in an appropriate manner,
so that it reaches the desired destination, i.e. AP2 in BSS2 which then forwards it to
station B. If station B had been located in BSS1, the distribution service would have
transported the message from A to B only via AP1 (both source and destination BSS the
same). [5], [11]

The function of the integration service is to enable message exchange between stations
connected to 802.11 and 802.x LANs. Integration here means that a wired LAN is
plugged in to the DS and its stations may be logically connected to the wireless network
through the integration service. Hence, messages obtained from a wired source by the DS
for an 802.11 station will awaken the integration service before the message is passed on
to the distribution service. The former handles any necessary address translation and
media conversion logic obligatory for a successful data exchange. [5], [11]

The association service provides the distribution service the information necessary for
the latter to function correctly. Before a station is permitted to send or receive data
messages through a certain AP, the station must become associated with it. A station
must always associate itself in an infrastructure BSS. The concept of mobility has a
heavy influence on association. [11]

A station that has no transitions is either in a fixed physical state or moves merely inside
the coverage of the current BSS. When a station has BSS-transitions, it moves from one
BSS to another inside the same ESS. The novel placing of the station must be recognized,
so that data can be carried between it and other stations. A station that has ESS-
transitions moves between different ESSs. [5], [11]
 9

The various association services uphold these aforementioned mobility types, aside from
ESS-transitions which are not fully supported and reliability of service cannot be
guaranteed [11]. Simply put, the association service takes care of finding the right AP and
its identity, so that the distribution service can deliver the messages to the 802.11
destination station [5]. The station must build a maintainable association with an AP
belonging to some BSS. This act awakens the association service which gives the station-
to-AP-mapping to the DS, and the routing and delivery of frames should be now done
correctly. A station can be associated with only one AP (whereas an AP can be associated
with several stations) on a certain instant, and the procedure is always initiated by the
mobile station. The plain association service is sufficient for no-transitions mobility [11].

Association in general is handled through the recognition of service set identifier (SSID).
A station willing to enter a certain network can scan the area for suitable networks and
thereafter enter the one with the desired SSID. SSID is sometimes also referred to as the
network name, even though it essentially just stamps a certain BSS with its own
identification (BSSID) belonging to a wider-scale complex. After the association, the AP
adds the MAC address of the client into a table containing the equivalent information of
the other associates. [9], [12]

Reassociation is needed when a mobile station moves from one BSS to another [11]. This
service allows an already established association to be transferred from the current AP to
a new one [5]. Initialized by the mobile station, this service enhances the functionality of
the plain association to support BSS-transition mobility [11].

Disassociation notification terminates any existing association. It is invoked either by a

station or an AP. When a station leaves the network or shuts down, it should attempt
disassociating. The APs may disassociate stations at any time, so that they can be
removed from the network for service or other reasons. [5], [11]

2.2.2. Station Services

Station services are built-in functions in every 802.11 AP and AP station. The MAC
sublayer entities utilize them. [5]

The wireless LAN, as such, lacks certain access and privacy features inherent to the
wired LAN. In the latter, the station is physically connected to the network. This, in itself,
works as a form of authentication and privacy control, as the media is physically
controlled and data delivery is limited only to the stations plugged into the network. This
is not the case of the WLAN, wherein any station within the range of the BSS can
transmit and receive data by solely having a properly tuned antenna (e.g. hear all traffic
within range). Hence, separate authentication and privacy services are needed. The
802.11 standard provides these services as follows. [5]

Authentication services are utilized by all stations that wish to communicate with one
another in the WLAN. Via authentication, a unique identity is established for the station,
so that other stations can recognize it. If no acceptable authentication has been set up
 10

between two stations, association will not occur. A station may be authenticated with
several others concurrently. [11]

There is a support for several authentication schemes (also expansions are possible) in the
standard. No particular arrangement is obligatory, and the authentication may vary from
open system authentication (basically a handshaking system where any station can
become authenticated) to Shared Key authentication with a WEP implementation. The
latter requires a shared encryption key. [5], [11]

Preauthentication may be needed if the used authentication protocol is slow or BSS-

transition mobility is involved (a station has to reassociate between APs). Here, the
authentication service can be awoken independently of the association service.
Preauthentication is usually conducted by a station while bearing an existing association
with an AP. The use of it takes the authentication service overhead out of the time-critical
reassociation operation. The standard does not mandate station-AP preauthentication, but
an authentication is obligatory before an association can be established. [11]

Deauthentication service is launched when an existing authentication is to be

discontinued, and it cannot be refused either by the station or the AP. In an ESS the
station becomes disassociated immediately after the procedure. [11]

Privacy services, as such, are used to prohibit unauthorized stations from listening to the
traffic in the WLAN [5]. The connection of a wireless link without constraints concerning
privacy to an existing wired LAN may be a severe threat to the latter's security. 802.11
contains an optional message encryption service, WEP, to guarantee some data traffic
privacy. It is not designed to be an optimal shield against all threats, but is rather there to
bring the wired network's security aspects to the WLAN [11].

MSDU Delivery service is provided by stations to ensure that the data is delivered to the
correct destination. The MSDU is a data block which is accepted by the current MAC
layer to be transferred to another MAC user. If the block is of unsuitable size, it may be
fragmented and transmitted as several MAC frames. [5]

2.3. Logical Link Control

The LLC is the interface between the MAC layer and the higher layers associated with
the OSI reference model. It defines the means of addressing stations across the medium
and controlling data exchange between two users. Data from the upper layers is passed
down to the LLC. The LLC adds control information to the data in the form of headers.
Thus a LLC protocol data unit (PDU) becomes created. The general meaning of a PDU is
to work as a communication means between layers. This LLC PDU is then handed down
to the MAC layer, where the frame is processed further. [5]

The LLC is mainly responsible for the transmission of link-level PDUs between stations
in a fashion requiring no intermediate switching node. A typical LLC user is some
protocol from the higher layers or a station's network management function. The source
 11

and endpoint of the users must be specified in the addressing. The user addresses are
called service access points. The 802.11 LLC supports multi-access to the link, and has
some of its particulars concerning the functions of link access allocated to the MAC
layer. [5]

The LLC standard is built upon the high-level data link control (HDLC) which is a
synchronous proprietary protocol used by routers to convey data over a serial line
connection. LLC offers three services for the upper layers, and they are offered as
optional for attached equipment using the LLC. The services stand as follows:

• Unacknowledged connectionless service: A datagram-type service, which

offers no flow and error control support, and hence the data delivery is not
fail-safe. Usually a higher-layer application handles the reliability issues.
• Connection-mode service: A logical connection is established between
two users, and error and flow controls are provided.
• Acknowledged connectionless service: A hybrid of the previous two,
where datagrams are acknowledged, yet no prior logical setup is required.
[5], [12]

2.4. MAC Layer

The purpose of the MAC layer is to define data service reliability, access control to the
shared wireless medium, and security services. The LLC sends data down to the MAC
layer which then becomes responsible for executing operations linked to medium access
and data transmission. These functions are wrapped into a PDU, a MAC frame. [5]

2.4.1. Data Service Reliability and Error Handling

Reliable data delivery is a vital feature in any network solution, as they all are vulnerable
to noise, interference, and other propagation factors that may contribute to a significant
loss of MAC frames. Even error-correcting codes may fail in attempting to ensure a
reliable service. It is therefore reasonable to deal with errors at the MAC level. Of course
higher-layer mechanisms, such as TCP, might be utilized. However, due to the slow
timers employed in retransmission in these protocols, efficiency becomes significantly
reduced. [5]

A frame exchange protocol is offered by the 802.11 standard, so that errors can be
handled on the MAC level. In the basic transfer mechanism two frames are exchanged
between stations. When a data frame is received by a station, it sends an
acknowledgement frame (ACK) to the sender. If the source station does not receive an
ACK after some timeout limit, it retransmits the frame. Also a four-frame arrangement
can be used, if better reliability is sought after. This is based on a request to send/clear to
send (RTS/CTS) exchange, which is explained later. [5]
 12

2.4.2. Access Control

The access control mechanisms of 802.11 do not significantly differ from the classic
Ethernet solutions [5]. A carrier-sense multiple access (CSMA) algorithm is used to
control access to the transmission medium. A collision avoidance (CA) function is added
to CSMA, so that, unlike in Ethernet systems where collisions are merely detected, the
collision probabilities can be altogether reduced to spare transmission capacity. This
algorithm is called carrier-sense multiple access with collision avoidance (CSMA/CA)
[9].

The MAC architecture is divided in two layers. The lower part is the distributed
coordination function (DCF), and the upper the point coordination function (PCF). The
centralized PCF algorithm is required for contention-free services (CF, non-asynchronous
traffic), and DCF uses a contention algorithm providing access for all traffic. The
optional centralized control is built directly on top of DCF, and it is provided only in
infrastructure networks. [5], [11]

2.4.2.1. Distributed Coordination Function

The DCF makes use of CSMA/CA. It is employed in all stations, both within ad-hoc and
infrastructure network systems. The station which has data to transmit listens to the
network for other users. If the channel remains quiet, the station can transmit. However,
if the channel is reserved, the station has to wait until the existing transmission ceases.
The stations utilize a random back-off time to prevent them from trying to get access to
the wireless channel immediately when it becomes free. [5], [11]

A virtual CS mechanism known as the network allocation vector (NAV) works as a timer
(milliseconds) to indicate when the medium is reserved. Stations set the NAV to a certain
value, and during the countdown from that value to zero the traffic is expected to be
handled. When the NAV reaches zero, the medium will be free again. With the NAV, it is
guaranteed that uninterruptible traffic remains uniform. The whole CS system utilized in
802.11 networks is a combination of the NAV state, the physical CS, and the station's
transmitter status. Figure 5 depicts how the NAV works in frame exchange and virtual
CS; the rest of the terms and concepts in the figure are explained in the following
discussion. [9], [11]
 13

Figure 5. How the NAV works in virtual carrier sensing. [9]

The DCF contains a set of delays that amount to a priority scheme to secure a reasonable
and fluent functioning for the algorithm [5]. There are four delay schemes pertaining to
the time intervals between frames. The overall technique is called interframe spacing
(IFS). The IFS plays a significant role in managing access to the transmission medium,
and the different spacings generate different priority levels regarding various types of
traffic [11]. High-priority traffic can access the free channel by entering the network
before any lower-priority frames get a chance to try the same [5]. The interframe space is
not dependent on the transmission bitrate, and is a fixed gap of time in order to maximize
interoperability between various bitrates. Different physical layers can yet have non-fixed
interframe space times [9].

Excluding the finer details of the IFS algorithm, the MAC logic works as follows (see
also figure 6):

1. A station that has a frame to send listens to the medium. If the medium is free, it
waits a time equal to IFS to see whether the medium is still free after that time.
The station can transmit straight away, if the condition if fulfilled.
2. If the medium is busy, the station remains in a listening state and does not send
the frame. The medium may be reserved because the station sees it originally
busy, or it becomes busy during the IFS idle time. The station will listen to the
medium until it becomes idle again.
3. The station waits for another IFS when the ongoing transmission is over. If the
medium stays free after the time, the station backs off a random time gap and
listens to the medium again after that. The station can transmit if the medium is
idle. If the medium becomes reserved during the backoff time, the backoff timer
is stopped and starts over when the medium becomes free.
[5]
 14

Figure 6. MAC logic. [9]

The backoff timing utilizes a technique called binary exponential backoff, which helps
the handling of heavy loads in the medium. If there are repeated collisions, a station will
try transmitting still. Yet after each collision, the mean value of the random delay is
doubled. The backoff time gets longer after each unsuccessful transmission attempt,
which smoothens the load. Without the backoff, several stations might try transmitting
and retransmitting concurrently, only causing further collisions and finally a deadlock
situation. [5]

The variants of IFS are based on the aforementioned scheme. The different priority
classes are listed as follows, and figures 5 and 7 represent how they are used in the access
methods.
 15

• Short IFS (SIFS): Used for transmissions which have the highest priority,
such as RTS/CTS frames, ACKs, and poll responses. A station using SIFS
will always precede over stations using PIFS and SIFS in the medium.
• Point coordination function IFS (PIFS): A medium-length IFS used by
the PCF during CF operation. Stations that have frames to send during the
CF period can transmit after the elapsing of the PIFS and preempt any
contention-based traffic.
• Distributed coordination function IFS (DIFS): The longest IFS, used as
the minimum idle time for contention-based traffic.
• Extended IFS (EIFS): Not a fixed-interval IFS. It is used merely upon an
error in the transmission of a frame.
[5], [9], [11]

Figure 7. Basic access method. [11]

2.4.2.2. Point Coordination Function

Point coordination offers CF methods to the network, thus supporting applications that
need almost real-time services. The CF service is only periodical, and it alternates with
the usual DCF methods. The medium access time is hence divided into alternating,
regular-interval contention-free and contention periods. Point coordinators, which are
special functions, are implemented into the APs and they use polling. PIFS is used while
issuing polls, as it is smaller than DIFS. Thus the point coordinator can grab the medium
and close out all asynchronous traffic while it polls and gains responses. [5], [9], [11]

To prevent the point coordinator from devouring all the medium access time for CF
services only (it could do this in a scenario of constant polling), a period called
superframe is used. At the beginning of the superframe, the point coordinator issues polls
to all stations configured for polling by round-robin means. The beginning part may vary
due to the changeable frame size issued by the answering stations. The point coordinator
uses the residual part of the superframe for idle time, thus allowing a contention period.
At the end of the superframe, the point coordinator attempts access to the medium with
PIFS. It gains straight access to the medium if it is free, followed by a full superframe
interval. If the medium is occupied at the end of a superframe, the point coordinator must
 16

wait for the medium to become idle before being able to gain access. The result of this is
a foreshortened superframe interval for the next cycle. Figure 8 explains the
CF/contention period alternation with NAV. [5], [11]

Figure 8. CFP/CP alteration. [11]

2.4.3. MAC Frame Format

A MAC frame is built up from three parts. Firstly, there is a header which consists of
frame control, duration, address, and sequence control information. After that is placed a
variable-length frame body enclosing information explicit to the type of the frame.
Lastly, there is a frame check sequence containing a cyclic redundancy code. [11]

The MAC frame (figure 9) consists of a set of fields that can be found in all frames, even
if they are not used in certain types. Figure 10 presents the frame control field in greater
detail. [5], [11]

Figure 9. MAC frame format. [11]

Figure 10. Frame control field in detail. [11]

 17

Explanations on the individual fields can be found below:

• Frame control: Delivers information about control and the type of the
frame. All subtypes are listed below. If not otherwise mentioned, all fields
are one bit long.
o Protocol version: 802.11 version, 2 bits in length. The current
version is 0, whereas all other values are reserved for further
revisions.
o Type/Subtype: 2/4 bits in length, they recognize together the
purpose of the frame. Three frame types can be identified: data,
management, and control. All the valid combinations are collected
into table 2.
o To/From DS: The field is set to 1 when the frame's
destination/source is the DS. Otherwise it is set to 0. See table 1 for
all combinations.
o More Fragments: Set to 1 in all data or management frames that
have fragments to follow.
o Retry: Set to 1 for any data/management frame which is a
retransmission of a previous one.
o Power Management: This is used to point out the sleeping mode
of a station. The value remains constant in every frame emerging
from a certain station during frame exchange. The value tells the
state in which the station will fall after the ending of an errorless
frame exchange chain. 1 indicates that the station will be put to
sleep. In frames transmitted by an AP the value is always 0.
o More Data: Tells a sleeping station that there is supplementary
data yet to be sent, buffered in the AP. Block data can be sent as a
single frame of as fragments within several frames. When set to 1,
there is at least one frame present for the same station in the AP.
o WEP: If the Frame Body field encloses data that has been
encrypted by the WEP algorithm, the bit is set to 1.
o Order: If a data frame is sent by utilizing the Strictly Ordered
service, the field is set to 1. It informs the receiving station that the
frames need to be processed orderly.
• Duration/ID: 16 bits in length. In certain control frames, the field carries
the association or connection identity of the station that transmitted the
frame. Otherwise, when employed as a duration field, it tells the time (ms)
the channel will be kept open for successful transmission of a MAC frame.
• Addresses: The four fields are employed to point out the BSSID,
destination, source, transmitting station, and receiving station. All frames
do not necessarily contain all these fields. Each address field is 48 bits. The
purpose of a particular address field is determined by the relative position
of the field inside the MAC header. This does not depend on the address's
type.
 18

There are two types of addresses. An individual address belongs to a

certain single station. A group address is a multi-destination address linked
to one or several stations. These are divided further into multicast-group
addresses and broadcast addresses.
• Sequence Control: Contains two subfields, Sequence Number (12 bits)
and Fragment Number (4 bits). The former assigns a sequence number for
a given frame transmitted by a station. The latter indicates the number of
each fragment of a frame.
• Frame Body: A variable-length field containing a MAC service data unit,
MAC management protocol data unit, or a fragment of one.
• FCS: A 32-bit field that contains the cyclic redundancy check (CRC).
[5], [11]

Table 1. To/From DS sets in data frames. [11]

 19

Table 2. Valid type and subtype combinations. [11]

2.4.4. MAC Frame Types

As indicated above, there are three types of MAC frames.

Control frames make sure that the data frames are delivered correctly. Six types can be
listed:

• RTS: When a four-frame exchange scheme is used, this frame is sent first.
With it, the source warns all stations within the reception area to refrain
from simultaneous transmission to avoid collisions, as it is now about to
send a data frame to the destination.
• CTS: The second frame in the four-frame scheme. The station that
received the RTS responds with CTS to the source. The source is now
 20

allowed to hand on the data frame to the destination. The collision

avoidance method of RTS works vice-versa for CTS.
• ACK: Is sent from the destination to the source to tell that any information
was received correctly.
• Power-Save Poll (PS-Poll): With this frame, a station that has previously
been in sleeping mode asks the AP to transmit the frame the AP has
buffered for it during the sleep.
• Contention-Free End (CF-End): This reports the cessation of a
contention-free phase of the PCF.
• CF-End + CF-ACK: This accepts the CF-End. It finishes the phase of
contention freedom. Stations are now stripped off the restrictions that
govern that phase.
[5], [11]

Data frames convey either data or other information from the source to the target. They
are listed as follows. The first four items are frames that transport upper-level data to the
destination from the source station. The last four carry no user data.

• Data: The least complicated type; can be used both during contention and
CF period.
• Data + CF-ACK: This frame conveys both the data and an
acknowledgement about formerly received data. Can be sent merely during
a CF period.
• Data + CF-Poll: With this frame, data is conveyed to a mobile station by a
point coordinator. Any data buffered in the mobile station is also asked to
be sent.
• Data + CF-ACK + CF-Poll: Merges the two previous types into a single
frame.
• Null Function: Delivers the power management bit to the AP to point out
that the station will fall into sleep mode.
• CF-ACK, CF-POLL, CF-ACK + CF-Poll: These have the same purpose
as their corresponding data-carrying frames, but they carry no data.
[5]

Management frames handle information exchange between stations and APs. The
following can be listed:

• Beacon: Transmitted on intervals to permit a mobile station to identify an

AP where to connect.
• Announcement Traffic Indication Message (ATIM): A mobile station
transmits this to put other mobile stations -- which may have been
previously in sleep -- on alert that it has buffered frames waiting to be sent
to the station specified in the frame.
• Association Request: A station requests association from the current
BSS's AP with this. The frame includes capability information, for
example if encryption is to be applied to communication.
 21

• Association Response: The AP returns this upon the previous frame, and
tells the station whether the association request has been accepted or not.
• Disassociation: The station breaks up the association.
• Reassociation Request: When a mobile station arrives at a new BSS from
a former one, it needs to associate itself with the new BSS's AP. It is
requested with this frame, and reassociation is employed, so that the old
AP can forward any data frames to the new one.
• Reassociation Response: The response to the previous, similar to
association response.
• Probe Request: A station acquires information about an AP or some other
station. Also used to locate a BSS.
• Probe Response: Response to the previous.
• Authentication: With several of these used within an exchange procedure,
a station authenticates itself to another.
• Deauthentication: When a station wants to quit secure communications
with another station or AP, this frame is transmitted.
[5], [11]

2.4.5. Synchronization

A common clocking mechanism synchronizes the stations and APs in an 802.11 network.
In an infrastructure scheme, the APs work as the timing masters and run the timing
synchronization function (TSF). The AP sends beacon frames at fixed intervals, and they
contain a copy of the AP's own TSF function. Any station in the same BSS that receives
the timing information has to clock itself to the same timestamp value. [11]

2.4.6. Security

2.4.6.1. Authentication and Privacy

Authentication happens every time a station enters the network. The basic method of
802.11's authentication, as such, should be considered more as an attachment to the
network, since no encryption is used, and the infrastructure network itself does not
necessarily need to authenticate itself separately to the station [9]. In the open system
authentication the client sends a MAC control frame to the receiving station and the
recipient responds with its own authentication frame [5].

There is also an encryption-employing authentication method known as shared key

authentication. Up to the date, it is known to be fraught with vulnerabilities and is
generally not recommended [9]. In this scheme, both sides share a common secret key.
The client first sends a frame that announces its identity and that it uses the shared key
method. The recipient responds with a frame containing a challenge text (128-octet
sequence produced by the WEP PRNG, see chapter 2.4.6.2. for further explanation), and
the client replies to it with an encrypted frame containing the same text. The recipient
decrypts the frame with the shared key. If the key is the correct one, the client is allowed
to enter the network [5].
 22

2.4.6.2. WEP

As mentioned before, WLAN privacy and security issues are a severe concern due to
stations' ability to listen to one another's unencrypted traffic freely. The optional WEP
(wired equivalent privacy) algorithm is provided by the 802.11 standard to include a
modest level of protection to link-level data during wireless transmission. The
fundamental goals of WEP are the prevention of eavesdropping and unauthorized access
to the network, and ensuring data integrity. Figure 11 depicts the concept of a
confidential data channel. [5], [11], [13]

Figure 11. A confidential data channel. [11]

WEP is based on the RC4 cryptographic algorithm. A 40-bit key protects the body
section of a data frame. In the encryption process, the integrity algorithm is the 32-bit
CRC that is attached to the end of the MAC frame. An initialization vector (IV) is
concatenated to the key, and the result is inputted to the pseudorandom number generator
(PRNG). The PNRG generates a keystream that is as long as the MAC frame and its CRC
added together. The ciphertext is obtained by XOR'ing the keystream with the MAC
frame bit-by-bit. The IV is then added to the ciphertext, and the resultant is transmitted.
The IV and the PNRG sequences are changed from time to time. Figure 12 presents a
WEP enciphering diagram. [5], [11]

Figure 12. WEP enciphering diagram. [11]

 23

The receiver reverses the encryption process. The IV is retrieved from the incoming
block of data, and it is concatenated with the key to obtain the same keystream as the
sender used. That is XOR'ed with the data block to acquire the original plaintext. Then
the incoming CRC is compared with the CRC calculated at the receiver's end to check the
message's integrity. [5]

As such, the WEP security scheme contains significant security flaws [9]. Firstly, as the
usage is optional, many systems do not turn it on. Secondly, because the single shared
key is the same for all users in a particular WLAN, it may not be too laborious to pick it
up by accessing the key storage with software. The keys can also be recovered through
crypt analysis, as the WEP uses the RC4 in a non-standard way [14]. The choice of the
32-bit CRC has also been proved to be a poor data integrity algorithm [13], [14]. Other
issues have also surfaced, but they are out of the context of this discussion. Several
improvements over the initial WEP solution have cropped up later. For instance, dynamic
key refreshing was one of the first security enhancements. In that scheme, all stations
share a common key for encrypting broadcast frames, but each station has its own key for
unicast frames [9].

2.4.6.3. 802.11i

A new security standard for WLAN, 802.11i which is also called Wi-Fi Protected Access
2 (WPA2), was ratified 2004. It introduced two new link-layer encryption protocols to
the underlying specifications. [9]

Temporal key integrity protocol (TKIP, also known as WEP2) incorporates a number of
new protocol features to 'patch' WEP's weaknesses in the frames of pre-802.11 hardware
capacities [9], [15]. For instance, TKIP utilizes master keys instead of a single one, and
an exclusive RC4 key is assigned for each frame from the master key in order to lessen
the success of an attack against feeble WEP keys [9], [16]. However, even TKIP was no
profitable solution over WEP, since it remains vulnerable for basically the same flaws as
its predecessor [9], [17].

Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
instead is a security protocol designed from scratch. [9] It is based on the Advanced
Encryption Standard (AES). It encapsulates the basic WEP traffic to mask the existing
vulnerabilities. Both MPDU data field and some parts of the MPDU header are
encrypted, and a 128-bit key is used on a 128-bit block size. A new, temporal key is
required for every session, and so is a unique nonce value for each frame shielded by
encryption. [9], [16]

A set of means to construct a robust security network (RSN) also exists in 802.11i, and
the use of CCMP is stamped as mandatory in it. These means determine the derivation
and distribution of keys, and there are two key categories used in the link layer protocols.
Data transfer between station and AP is protected by pairwise keys, and
multicast/broadcast traffic from AP to clients is shielded by group keys. All the lower-
level keys are derived from a single pairwise master key (PMK), and hence the stations
 24

can easily renew their temporal encryption keys sans breaking up the existing
authentication. A separate authentication server is needed in this strategy, and is mainly
targeted to be used by large infrastructure networks. Figure 13 shows how key exchange
between client and authenticator works in RSN. [9], [16]

Figure 13. Key exchange in RSN. PTK -- pairwise transient key, GTK -- group transient
key, TK -- temporal key. [9]

2.5. Physical Layer

2.5.1. Overview

The physical layer defines how the data is transmitted. The transmission channel can be
either radio frequency (RF) or infrared (IR). [11], [12]

The 802.11 standard originally classified three physical media specifications. However,
there are four currently in use (see also table 3):

• Direct-sequence spread spectrum (DSSS) that operates on the 2.4GHz

industrial-scientific-medical (ISM) RF band.
• Frequency-hopping spread spectrum (FHSS) operating on the same band
as the one above.
• Orthogonal frequency-division multiplexing (OFDM) operating on the 2.4-
5GHz RF band.
• IR operating on a wavelength between 850 and 950 nanometers.
[5], [9], [10], [11], [12]
 25

Table 3. IEEE 802.11 physical layer standards. [10]

2.5.2. Spread Spectrum Systems

In a spread-spectrum system, the transmitted signal energy occupies a larger bandwidth

than the information bitrate, and is also independent of the overall information bitrate. A
narrow-band analog signal to be spread is modulated with a spreading code which is
usually a sequence of pseudorandom digits. Despreading is achieved by correlating the
received signal with a replica of the spreading code. Spread spectrum is used to improve
a communication system's resistance to interference (especially multipath propagation)
and signal jamming. [5], [9]

A wideband spread-spectrum signal is formed from a data-modulated carrier by

modulating the data-modulated carrier a second time by using a very wideband spreading
signal. A DSSS signal is achieved when the spreading is produced by phase modulation.
When the spreading is generated by rapid changing of the carrier frequency, an FHSS
signal is achieved. [18]

2.5.2.1. Frequency-Hopping Spread Spectrum

The FHSS layer, in its essence, is defunct till the date [9]. In 802.11, the medium
achieves data rates of 1Mbps and 2Mbps, where the previous is modulated with two-level
Gaussian frequency shift keying and the latter with four-level [5], [11].

Frequency shift keying (FSK) is a modulation method where the elementary information
unit (binary value) is represented by a signal on a different frequency than the center
frequency. In transmission, the frequency of the carrier is increased or decreased by a
certain deviation. The general form of an M-level FSK signal is as follows:
 26

s i ( t ) = A cos 2 π f i t , where 1 ≤ i ≤ M and

fi = f c + (2i − 1 − M ) f d
f c = carrier frequency
f d = the difference frequency
M = the amount of signals (for example M=2 is used in binary FSK)
L = the number of bits in one signal element. [5], [9]

In the Gaussian variation, a Gaussian filter smooths out frequency deviations, and thus
the emissions are confined to a fairly narrow band spectrum-wise. [11], [19]

FHSS employs a number of carrier frequencies that form channels -- typically 2k where k
is the amount of bits in the spreading signal -- where the signal hops from frequency to
frequency at determined intervals (figure 14) [5], [9]. During this interval, the transmitter
operates 300ms on one channel. The receiver hops in synch with the transmitter, and the
pattern, along which the hopping is made, is determined by the spreading signal [5].

In 802.11, the band is divided into multiple 1MHz channels, whose exact amount varies
depending on the country. Also the hopping sequence, which consists of permutations of
all the frequency channels, is territory-specific. [5], [11]

Figure 14. An FHSS system where the signal hops from frequency to frequency at fixed
time intervals. [9]

2.5.2.2. Direct-Sequence Spread Spectrum

DSSS, unlike FHSS, is an actively employed medium and implemented for instance in
802.11b [9]. Four data rate classes, 1Mbps, 2Mbps, 5.5Mbps, and 11Mbps can be
achieved by using different modulation methods and spreading codes (in this context
called chipping sequence) [5], [20]. The first two utilize Barker sequences of length 11,
and the last two 8-length complementary code keying (CCK). The modulation scheme is
 27

either a binary or quaternary phase shift keying (PSK) with a differential method
included (DPSK) [5].

In PSK modulation, the information content is present in the signal as phase shifts of the
carrier. BPSK shifts the phase by 180 degrees to represent binary 1 and 0. In QPSK, the
shift is 90 degrees, and each signaling element consists of two bits instead of one. QPSK
is used as an 'enhancer' to BPSK in the 2-11Mbps modes, as it allows a more efficient
usage of the bandwidth. In practice, a QPSK signal usually consists of two BPSK signals
modulated at half the data rate of the original input. [5], [9]

A BPSK signal takes the form

s ( t ) = A cos( 2 π f c t ) for binary 1, and
s ( t ) = − A cos( 2 π f c t ) for binary 0. [5]

The DPSK method varies from the basic PSK schemes in the means that it does not rely
on a static reference signal, but places the next phase shift in accordance to the previous
bit transmitted. Changes between consecutive symbols determine what kind of
information will be sent next. Figure 15 shows the DPBSK and figure 16 the DQPSK
encoding schemes. [5], [9]

Figure 15. DBPSK encoding. [9]

 28

Figure 16. DQPSK encoding. [9]

In the 1-2Mbps DS modulation the input signal is spread across the frequency band with
a chipping sequence, so that every bit of the input is extended to multiple bits. One data
bit is encoded with several chips into a series of chips for transmission. Here, an 11-bit
Barker code serves as the spreading code. Generally Barker codes are binary {-1, +1}
sequences with optimal autocorrelation properties, which is naturally important to the
correct reception of the message at the receiver. The Barker code used in 802.11 is {+1, –
1, +1, +1, –1, +1, +1, +1, –1, –1, –1}. Figure 17 shows an example of how encoding can
be done with the Barker word. In the context of the example, -1 is replaced with 0. [5],
[9], [20]
 29

Figure 17. An example of encoding with the 11-bit Barker code. [9]

The DSSS medium has a smaller number of channels than the FHSS one, each of them
being 5MHz wide. The amount of channels allocated depends on the country; in most
European nations this is 13 [5]. In practice, equipment commonly limits the channel
amount to 11, as many WLAN APs are manufactured according to the USA channel
standard (11) [9], [21], [22].

The DSSS has the property that if a signal with a low bitrate has been encoded with a
high chip rate, the signal power becomes spread across a wide band. Most of the energy
concentrates on a 22MHz band around the center frequency, and the side lobes extend
themselves further in multiples of 11MHz (figure 18). This directly correlates with the
possible amount of channels in parallel use: at the highest rate only three channels on the
reserved spectrum can be used (i.e. at least five channels must be put between two
operating networks) so that inter-channel interference could be kept minimal. Yet even
then the -30dBr sidelobes overlap, as figure 19 points out. [9]

Figure 18. A DSSS signal. [9]

 30

Figure 19. Channel separation in networks employing DSSS. [9]

The basic form of the DSSS scheme can operate only on rates 1-2Mbps. For the higher
rates, a modification or an alternate coding scheme is needed. 802.11 uses CCK. It
resembles the 1-2Mbps chipping method, but now the spreading code itself bears also
information, in addition to the fundamental signal spreading. The chip stream is divided
into a sequence of 8-bit complementary code words of the form {1, -1, j, -j} employing
the complex plane, whilst the chipping rate remains 11Mchip/s, thus retaining the same
occupied channel bandwidth as with the lower bitrates. Complementary codes are
characterized by the property that the sum of their autocorrelation sequences is zero at all
points except for the main peak at zero shift. By using a few 8-bit sequences, 4-8 data bits
can be encoded into a single code word. [8], [9], [20], [23], [24]

The following formula is used for both bitrates, and it can be considered as a
generalization of the Hadamard transform encoding:

c = { e j ( ϕ 1 + ϕ 2 + ϕ 3 + ϕ 4 ) , e j (ϕ 1 + ϕ 3 + ϕ 4 ) , e j ( ϕ 1 + ϕ 2 + ϕ 4 ) ,
− e j ( ϕ 1 + ϕ 4 ) , e j ( ϕ 1 + ϕ 2 + ϕ 3 ) , e j (ϕ 1 + ϕ 3 ) , − e j ( ϕ 1 + ϕ 2 ) , e j ϕ 1 }
where C is the codeword and C={c0 to c7}. [20]

The channel specifications presented above in conjunction with the lower rate modulation
apply to the higher rates also [9].

2.5.3. Orthogonal Frequency-Division Multiplexing

The concept of OFDM is to split the input data stream into N symbol streams with a fixed
duration, and the N streams each then again modulate parallel-running synched sub-
carriers [18]. Thereafter the sub-carriers (see figure 20a for a general QAM signal) are
 31

multiplexed into one high-speed channel [9], [25]. The carrier spacing is selected so, that
the sub-carriers maintain spectral orthogonality with one another, i.e. they are arranged
so, that one sub-carrier hits the spectral zero-crossing point of all the other sub-carriers
(figure 20b) [25]. The highest amplitude peak of each sub-carrier encodes information.
The composite waveform is achieved by applying the inverse fast Fourier transform
(IFFT) to the sub-carriers. At the receiving end, the signal is stripped down to its original
components again by performing the regular FFT [9].

Figure 20. (a) An unfiltered QAM signal spectrum, (b) OFDM signal spectrum. [25]

OFDM is robust against such signal disturbance behavior as multipath interference and
intersymbol interference (ISI) caused by it, impulse noise, and so on. ISI occurs when
symbols inside the signal become smeared due to a delayed copy of the same symbol
arriving via a different path and colliding with the previously arrived. However, the
scheme is highly susceptible to a phenomenon called inter-carrier interference (ICI), as
the sub-carriers are densely packed inside the channel and even minor frequency offsets
in the sub-carriers may cause them to interfere with one another. [5], [9], [18]

A prevention means called guard time has been added to OFDM to ward off both ICI and
ISI. The transceiver addresses the first part of the symbol time as guard time and
performs the FFT only on the non-guard time period of the symbol. Usually a cyclic
prefix, which is simply a copy of the last part of the symbol, is attached to the guard time
period. Other safeguard methods in OFDM are convolution coding to correct errors and
windowing to reduce the effects of noise. [9], [25], [26]

The OFDM spectrum is divided into a number of 20MHz channels, which for example on
the 5GHz band can vary from a few tens (USA) to about 250 (Japan). 52 sub-carriers
with 0.3125MHz spacing reside on each channel, out of which four are then again used as
pilot carriers that make channel estimations. The rest are regular data containers. An
example structure of an OFDM channel is presented in figure 21. Sub-carriers -21, -7, 7,
and 21 are used as pilots. [9], [26]
 32

Figure 21. Structure of an OFDM channel. [9]

For sub-carrier modulation, OFDM uses the already familiar BPSK for the data rates of 6
and 9Mbps, and QPSK for 12 and 18Mbps. Quadrature amplitude modulation (QAM) is
applied to the higher rates, 16-QAM for 24 and 36Mbps, and 64-QAM for 48 and
54Mbps. [5], [8]

QAM is a derivation of PSK and amplitude phase keying (ASK). In the latter, two data
values {0, 1} are represented by different amplitudes, usually arranged so that 0 is an
absence of amplitude. QAM sends two different signals parallel on the same carrier by
using a copy of the original carrier and a second one shifted by 90 degrees. Every carrier
is modulated by ASK. Figure 22 shows the constellations used in 802.11 OFDM, except
for 64-QAM. [5], [27]

Figure 22. BPSK, QPSK, and 16-QAM constellations.

 33

As with DSSS, a transmit mask is applied to the symbol so that the transmitted spectral
density falls within reasonable bounds (figure 23). Power leakage is limited to the side
lobes. [27]

Figure 23. OFDM transmit spectrum mask. [27]

2.5.4. Infrared

The 802.11 standard introduces an IR PHY, but no products have been implemented
upon it [9]. The medium is defined as not needing clear line-of-sight (LOS) with an
operation perimeter of 10-20m, indoors only. IR PHY achieves speeds 1 and 2Mbps with
pulse-position modulation (PPM) [11]. PPM is an analog pulse modulation where the
pulse's relative position is being modulated, and retains a constant amplitude and a fixed
duration. N data bits are encoded into one pulse in one of the 2N time slots and the
operation is repeated at regular intervals [28]. Figure 24 shows a typical 802.11 IR pulse
[11].
 34

Figure 24. Basic pulse shape. Quotation from [11], figure 102, page 233. (c) IEEE 1999.

2.5.5. Multiple Input Multiple Output OFDM

Multiple input multiple output (MIMO) OFDM brings the use of multiple antennae into
the wireless system. Several antennae are 'chained' together, the chains thus being able to
receive and transmit data at the same time in spatial streams [9]. In the mechanism, X
transmitters are coupled to Y receivers, and they form an array of N flat-fading channels
out of which each has a dimension of X·Y [30]. For instance, a frame to be sent is split up
and multiplexed across several spatial streams, and it is rebuilt at the receiver end [8],
[29]. Figure 25 shows an example system [30].

The MIMO arrangement uses spatial multiplexing to for example fight signal fading [8],
[29]. The real achievement of a MIMO system depends on the implementation, out of
which three major trends can be considered. Firstly, power efficiency can be enhanced by
maximizing the spatial diversity, and such systems employ delay diversity, space-time
block, and trellis codes. The second means endeavors improving capacity gain by
building itself upon a layered technique. In the third, knowledge on the channel at the
transmitter is exploited to achieve a better capacity gain [30].
 35

Figure 25. An X·Y MIMO-OFDM arrangement, X=input, Y=output. [30]

2.5.6. Convergence of the Physical Layer

Before data can be sent into the network, MAC frames need to be prepared into a proper
format by the physical layer convergence procedure (PLCP). PLCP depends on the actual
PHY implementation. After the preparation, the data is modulated into the RF carrier. [9]

The convergence elements in PHY are twofold. First, PLCP builds headers -- which
contain for example such information as the speed of the transmission -- for the MAC
frame. The headers are joined with the MAC frame, and the whole entity is scrambled.
Thereafter the physical medium dependent layer (PMD) handles the actual data
transmission. Certain parts of the frame ready to be released into the medium, like the
preamble and header, are always sent at fixed speeds and modulation (usually the slowest
forms) not dependent of the equivalent values of the actual data portion. Figure 26 shows
a PLCP framing example, and figure 27 a PMD transceiver. [9]
 36

Figure 26. PLCP framing example for a PHY supporting high-rate DSSS (b, g, n). [9]

Figure 27. Example of a PMD transceiver. This one uses the high-rate DSSS scheme. [9]

A part of 802.11's carrier sense mechanism is specified on the PHY level, and it works
hand in hand with the functions on the MAC layer. In DSSS/FSSS, the scheme is called
carrier sense/clear channel assessment (CS/CCA). The actual implementation again
depends on the protocol, but generally the energy detection thresholds of the medium are
 37

scrutinized to determine whether a channel is busy or not. Above a certain energy limit
the channel is reported as busy, and will remain so for the duration of the intended
transmission. [9], [11]

2.6. Rate Selection

The 802.11 standard does not specify exact word-to-word rules for data rate management
and fallback. Yet infrastructure networks must adapt to the load and other variations in
the environment. The stations may change speed, and the radio link quality may for
example drop unexpectedly due to interference or some other factor. The implementing
of these functions has been largely left to the hardware manufacturers, yet a few generic
rules have been pinned down. For instance, every station must maintain a list which
contains the operational rates that both the BSS and the station support, and every BSS
has to uphold a record of those data rates that must be supported by every client joining
the BSS. Speeds outside these lists will not be used. [9]

When the signal quality decreases, the wireless system performs a fallback, i.e. reduces
the data rate. Typically the algorithm, which decides the data rate, measures the signal
SNR directly or implicitly by studying the frame loss. Conversely, when the signal
quality improves, the data rate can be increased. [9]

2.7. 802.11 Protocol Types

There are currently three functional wireless protocols, 802.11a-g that employ different
characteristics of the aforementioned PHY features (see figure 3 and table 3 earlier).
802.11n is not yet in a stable state, even though draft-compliant hardware has already hit
the market. [9], [10], [31], [32]

2.7.1. 802.11a

The 802.11a protocol operating on the 5GHz frequency band was released 1999. The
OFDM scheme is used with 52 sub-carriers, and the theoretical bitrate maximum is
54Mbps. The protocol requires LOS operation due to the carrier's high frequency and low
material penetration ability. Typical data rates achieved by 802.11a are around 30Mbps.
802.11a equipment is not compatible with b/g, but can be used independently alongside
as a non-interfering network, employing thus the upper frequency band. The protocol
type has not been largely adopted into everyday use due to the parallel existence of the b-
type's cheaper equipment. [9], [27]

2.7.2. 802.11b

Released 1999, 802.11b was the first variant to utilize the DSSS medium, and completely
fulfills the specifications. Its theoretical maximum data rate is 11Mbps with CCK and
QPSK, yet typically becomes downgraded to about 6Mbps due to protocol overhead. [9],
[20]
 38

2.7.2. 802.11g

802.11g was released 2003 as an improvement over 802.11b, providing also some
backwards compatibility. The theoretical maximum rate is 54Mbps, typical 15-25Mbps
depending on the presence of protection. Medium-wise, it is a hybrid between 802.11a
and 802.11b. For speeds that are within the 802.11b specification it uses the same DSSS
and CCK schemes as the latter, and vice versa for the previous, except that the operation
band is now 2.4GHz on the extended rate PHY (ERP-OFDM, which is also the basic
mode of 802.11g). The specifications have also been otherwise modified to support the
co-existence of different modulation methods. One of the most notable alterations to the
OFDM scheme is that there are merely three non-overlapping channels in use. [9], [33]

802.11g can co-exist with the b-type, and hybrid networks of those two protocols are
common. However, if there is none kind of protection between the protocols, the overall
performance becomes downgraded to that of the b-type, as 802.11b cannot understand g's
higher-rate transmissions. 802.11g includes two protection mechanisms to allow the
sending of OFDM frames in a hybrid network, and they are activated whenever it is
necessary to guarantee that b-stations do not cause interference. In the first scheme, the
station sends a CTS frame to itself, which thus forces all the stations within the network
to update their NAVs and listen to CTS frames. In the self-sent CTS the station tells it
will transmit OFDM-modulated content. This CTS is sent by employing modulation that
every station can comprehend. The second method is a full RTS/CTS swap. Both
methods are illustrated in figure 28. The protection frames are sent by using any b-type
means. Overall, the protection mechanism slows down the throughput of the network.
[9]
 39

Figure 28. Overview of protection mechanisms. [9]

2.7.4. 802.11n

Released January 2007 in first-draft form and in second-draft in the subsequent March,
802.11n is still in an incomplete state, and is not expected to achieve a stable state before
2008. There used to be three parallel competitors, WWiSE (World-Wide Spectrum
Efficiency), TGnSync (Task Group N) and MITMOT (Mac and mImo Technologies for
MOre Throughput) proposing different implementations for the protocol, but they
decided to join their proposals July 2005. [31], [34], [35], [36]

The basic new characteristic of 802.11n is that it employs MIMO-OFDM to achieve data
rates up to a theoretical limit of 540Mbps. Like its predecessor 802.11g, it will have
backwards support on two modes and a native mode that works only in a pure n-type
network. A legacy mode operates in a, b, and g. A mixed-state mode adds the n protocol
among them. The channel width is doubled up to 40MHz, and the signal range should
double that of the earlier protocols. [8], [32], [36]
 40

802.11n brings also improvements to the MAC layer to enhance the radio channel's
throughput. In the earlier protocols, the large amount of overhead in transmission usually
reduces the capacity of the PHY to about 60%. Now, frame bursting will be employed to
cut down the number of ACKs. A method called frame aggregation will also be used to
pack small frames together into one large frame to improve the data-to-overhead ratio.
Small frames especially cause poor throughput, since normal frame headers become
attached to them, and often the overhead in such frames tends to take more time than the
data itself. [9], [37]

Any current hardware available, such as Apple's Airport Extreme, is based on 802.11n's
draft specifications [38]. Hardware built upon the stable version is expected to reach
natural bitrates up to 200Mbps, whereas the presently existing ones have been reported to
sustain speeds from 25 to 100Mbps [32], [36], [37]. Obviously, any such 'draft devices'
may cause interoperability issues when the hardware based on the fully approved
standard appears later on the market.

2.8. 802.11 Hardware

Aside from the wired backbone network required in infrastructure systems, the functional
part of a generic 802.11 system consists of an AP, and a wireless network card used by
the client. The outline of a general wireless card together with the associated layers is
illustrated in figure 29. The AP may be a single 'box' embedding both the modem and the
antenna, or a two-piece construction where an external antenna is plugged with a suitable
cable. An external antenna may provide a means to improve the coverage, but has the
drawback that as an appendage to the main transceiver its lossy cable eats up power. In
the end, an external antenna may not provide any improvement to the signal quality, and
in the case of a poor-quality cable it may even deteriorate the original. Also, the
technique of using multiple antennae to extend the signal reach of a single AP has
become somewhat pointless since the cost of an extra antenna is about the same as that of
a whole AP hardware. [9]
 41

Figure 29. Outline of a generic 802.11 wireless card. [9]

The AP's radiation pattern depends on the antenna type and pointing direction. The
University of Turku has mostly acquired omnidirectional vertical antennae. They are the
most usual models on the market, and generate a round, horizontal signal field when they
are, in the typical fashion, installed to protrude vertically from the ceiling. Other crucial
factors that determine the signal's useful coverage are gain and half-power beam width.
The previous is the reach to which an antenna enhances the signal in its desired direction,
and is measured in dBis. The latter decides the breadth of the radiation pattern, calculated
in terms of the points where the radiation's peak value halves itself. [9]

When it comes to large complexes such as the university in question, hardware costs need
to be optimized heavily. With expensive hardware and specialized antennae, far more
dazzling wireless systems compared to the existing ones of course could be built. But
habitually the costs of buying APs in bulk and such factors as the risk of theft push the
possibilities down to cheaper models. Hence, somewhat outdated or bargain hardware
will always be used in institutions with limited supplies. Any further network
optimizations, like the coverage improvement task that is the key issue in the upcoming
practical part, are tied to these limiting factors. Moreover, it would be quite foolish to
start changing existing systems to, say, costly pre-802.11n hardware just because they are
available. Also, when large systems similar to SparkNet grow even broader by time and
their old hardware is still kept functional, for example some AP models may vanish
entirely from the market. The purchasing of new ones or replacements is equally limited
to those available in the supply. Therewith, networks with hybrid configurations emerge
gradually, and the result will be for instance a sub-optimal b/g network. However, when
the situation has changed into such that, say, only a handful of b-type APs are coupled
together with several tens of g-type ones, it would be reasonable to get rid of the b-types.
The costs would be then negligent compared to the increase in efficiency.
 42

2.9. Interference, Fading, and Propagation Losses

With RF signals, interference and fading are key problems. As was shown priorly, both
phenomena can be reduced with suitable modulation techniques. The 2.4GHz band is also
problematic due to its crowded nature. For instance, operational devices such as
Bluetooth may severely degrade the performance of b/g signals if set on a few-meter
distance from the transmitter. The same can be said about the co-existence of the 5GHz
band and ultra-wideband (UWB) networks. At least on the present signaling means these
side-effects have a considerable influence, yet it remains to be seen how the 802.11n
protocol will survive in practice. [9], [39], [40]

The correct placement of APs and channel considerations are some of the most important
aspects when functional, larger-scale wireless networks are constructed, such as inside a
building consisting of several floors. Here, factors such as the reach of the signal, surface
materials of walls, floors, etc. need to be taken seriously into account. [9]

The signal of an AP becomes weaker as the distance to the transceiver grows [9]. This
can be seen in figure 30. Alongside, the SNR and (figure 31) data rate (figure 32) also
diminish. The AP presented in figures 31-33 is a real-life 802.11g AP set in lossy indoors
conditions; the values in question have been measured with Ekahau Site Survey. See
figures 36-38 for color code legends.

When perfect LOS is available, say, in open-space outdoor conditions, the AP's coverage
and throughput remain the most optimal. However, every obstacle appearing on the
effective signal area contributes to attenuation and the diminishing of signal coverage.
Indoor conditions, where walls and other surfaces attenuate, reflect, or completely block
RF signals, are barely comparable to the aforementioned optimum. The area that a single
AP can serve in outdoor conditions may require tens of transceivers in much smaller
indoor environment [9]. Figures 30-32 show the influence of both attenuating and
reflecting/conducting surfaces: on occasion a sharp drop from a brighter green to a more
bluish tint indicates that some obstacle degrades the signal, and further to the left from
the actual AP exist a few stronger signal islands caused by either conduction or signal
amplification via reflection.

Figure 30. How an 802.11g AP's signal strength decreases by the distance.
 43

Figure 31. The drop of SNR by the distance.

Figure 32. The drop of data rate by the distance.

Both an AP and a client's wireless card have certain minimum sensitivity values (-dBm)
for connectivity. If the link's sensitivity falls below the minimum, network connection
cannot be established. [9] For instance, in 802.11g the borderline sensitivity to produce
speeds of 22-32Mbps is -76dBm, and for speeds of 33Mbps and above it is -74dBm. This
however means that lesser speeds, such as 1Mbps are available at much lower sensitivity
values. In some equipment the smallest possible connectivity value is marked as low as -
96dBm, while a usual value seems to hover around -94dBm. Also, the performance of a
wireless network is always twofold: the client can also on its part improve the link by
using a more sensitive wireless card. [9], [21], [22], [33] [41], [42]

Adapter signal strength in itself does not tell the whole truth about the network's
performance. For instance, if two APs operating on channels 1 and 2 are close to one
another, their respective adapter signal strengths remain the same, but the actual link may
be very poor due to strong ICI and thus a low SNR. Hence, SNR is one of the most
important parameters to be considered when a network's overall functionality is studied.
 44

3. Systematic Approach to Improving Network Coverage and

SNR
This section is devoted to studying, simulating, and implementing a systematic means to
install APs so that the coverage could be maximized and interference minimized. It will
also be scrutinized how much power and functionality Ekahau Site Survey, the major tool
used in mapping and measuring the properties of WLAN networks in the University of
Turku, has when a new wireless network setup is designed with it from scratch and then
installed. The comparison will grant valuable information about how much one can rely
on simulations and how much manual planning actually needs to be done.

3.1. Optimal Access Point Lattice

Let us imagine an optimal situation where a wireless network should be set up into an
open office environment with very little attenuation-causing elements around (there may
be some cubicle materials, etc. but their individual attenuation effect is on the scale of 1-
2dB and hence can be regarded as negligible). To ensure the best coverage-SNR relation,
the APs should be arranged into a continuous triangle formation where one triangle is
equilateral, and the channels alternate as 1-6-11 in the vertices, so that two APs operating
on the same channel are never adjacent to one another (see figure 34). This way the
distance to any two same channels becomes maximized and the interference between APs
minimized.

Regarding network systems operating on several floors, the following should be kept in
mind. The floor materials and the possible existence of pipes have a great influence on
how the signals in one floor leak into other floors. In the case of low-to-medium
attenuation surfaces, like dry wall, wood, thin-ish layers of concrete etc. it is perhaps not
even necessary to have a separate AP arrangement in every floor, taking into account the
fact that the frequencies now interfere with one another much easier since the vertical
distance between the APs is much smaller than the horizontal. In cases like this, it is
usually sufficient to build a network into every second floor.

However, when there are thicker layers of concrete, stone, pipes, metal gridding, etc.
present, the signals reaching out from other floors are usually too weak to allow efficient
operation. Or, there may be a few 'pools' of network available in sporadic places if the
floor or ceiling is not uniform, which is usually the case in reality. Here, one must pay
 45

attention to the placing of the APs. The same triangle grouping works, if the surfaces are
homogenous. Nonetheless, some leakage will even so exist, and hence the APs should be
placed so that two overlapping APs never operate on the same channel.

Consider figures 33 and 34 which in this context present two neighboring floors of the
same building (first and second floors, respectively). The floor/ceiling materials between
the floors, in this context, would have so much attenuation effect that the signals coming
from the floor below would not have enough signal strength left in the floor above, but
yet contribute to the interference. To ensure a sufficient SNR, the APs of the second floor
should be arranged as in figure 24. Thereby, the APs should be set up almost on top of
one another to again maximize the distance between two same channels.

Figure 33. Optimal AP arrangement to minimize interference between channels and

maximize the reception coverage.
 46

Figure 34. A second-floor arrangement on top of figure 34's scheme.

The actual distance between two APs operating in the same floor depends very much on
the running network load, architectural details, and of course the purpose of the
arrangement. If there is a need only for a few low-load hotspots in certain strategic places
like clusters of workrooms and no need for continuous connection while a station moves
in-between them, the distance can be 35m and up. Nevertheless, as the network load
increases and there is a direr need to assure a clear coverage (1Mbps and up) everywhere,
the length of the sides of the triangle lattice needs to be reduced.

3.2. Common Problems and Example AP Scenarios

In the following are presented a few scenarios concerning different capacity needs for a
WLAN. As the 1-6-11 channel scheme is not free of interference, the nearer the APs are
at one another, the greater the interference cost.

3.2.1. Ekahau Site Survey and Its Simulation Properties

Ekahau Site Survey is an application that allows making site surveys and planning
802.11a/b/g networks. For the purpose of site surveys, the application usually has to be
installed on a laptop which has a functioning wireless card. The plan of a building or
other site is loaded into the program, and everything else happens on top of this. The
parameters of existing networks can be surveyed by walking around the site the plan
represents, and placing markers on the map at regular intervals. The software catches the
 47

WLAN signals through the wireless card, and records such parameters as interference,
SNR, signal strength, etc. Several kinds of graphs about the network's features can be
output basing on the measurements, for example mutual interference caused by every AP
in the site. All the simulations and on-the-spot measurements in the following sections
are done with this application. [43]

When it comes to designing networks from scratch, the software provides a means to
place simulated APs of various types on the intended plan. Also, a selection of wall
materials can be added in order to simulate attenuation. While trying out the feature, it
cropped up that the program has some kind of bug within that places the material lines
somewhat aside from the intended position. However, the wished-for placing should be
clear. Figure 35 gives an explanation of the material colors and the associated signal
attenuation. Figures 36-38 give color codes for the values of signal strength, bitrate, and
SNR, respectively. [43]

Figure 35. Wall materials for simulation. Application quotation from [43], (c) 2000-2007
Ekahau Inc.

Figure 36. Signal strength legend (-dBm). Application quotation from [43], (c) 2000-
2007 Ekahau Inc.

Figure 37. Bitrate legend (Mbps). Application quotation from [43], (c) 2000-2007 Ekahau
Inc.

Figure 38. SNR legend (dB). Application quotation from [43], (c) 2000-2007 Ekahau Inc.
 48

The strongest signals in the APs used in the upcoming case study are in the range of -30-
40dBm, and 60-65dB SNR-wise. In these (real-life) circumstances, it has been reported
that around -75-80dBm or 15dB the signal becomes too weak to ensure proper
functioning, i.e. frequent disconnections from the network follow. It was discussed before
how some WLAN equipment has much lower sensitivity values, but a more of a worst-
case scenario has to be taken as the borderline sensitivity here. In real life, it also cannot
be taken for granted that all clients joining the network have top-notch wireless cards,
since even the APs are not from the most expensive end.

3.2.2. Example Scenarios

There are a few common mistakes often made when AP schemes are organized. When
an heavy-usage 802.11g/b system under a load of 50% or more is in question, where a
seamless data rate of at least 1Mbps has to be guaranteed almost everywhere, one may be
tempted to place too many transmitters into the one and the same space. In the case of
thick wall materials and abundant amounts of metal structures, this may be an optimal
solution. But in an open office or hall environment with a 'long' LOS and little restraint
elements, attempting to guarantee a strong SNR everywhere soon becomes a high-scale
interference quandary when the network load increases.

Consider the hypothetical case in figure 39. Five APs have been placed into a low-
attenuation environment, and the distance between adjacent APs is about 12m. With
hasty planning, the choice may seem 'good' in the SNR map. The system yet comes at a
high interference cost, and is overall inefficient as the data rate and load grow. In figures
41-44 the system operates at increasing loads, and it can be seen how the SNR suffers at
the cost of a very strong interference.

With current technology, the existence of wired hotspots or a parallel-functioning

802.11a network is mandatory if higher speeds and seamless operability is essential.
Excluding now the wired aids, a much better alternative to the 12m/5 APs arrangement
would be both to increase the AP distance slightly and also drop a few. The scheme in
figures 39-43 also suffers from the fact that AP3 creates a kind of discriminating 'island'
outside which the connection is always poorer. This heavily suggests that one should
always have an even number of all the channels represented in the same overlapping
space to ensure the uniformity of the network everywhere.

In figure 44 it can be seen that with only three transmitters, the throughput under 100%
load at 1Mbps is much better than in the starting situation of the non-optimal one (50%
load at 1Mbps). It is perhaps even a little more efficient under 100% load at 54Mbps, as
seen in figure 45. In practice, this kind of system is not exactly possible and there will
also be more interference than figure 46 would suggest, since real APs always have
signal leakage to other bands as discussed before. In most real environments, there will
also be significantly more attenuation-causing surfaces due to walls and alike. But it
works as a demonstration as of why the number of APs should not be increased too much
in the hopes of a better coverage and why the coefficient of the channel multiples should
be 3, if possible.
 49

Figure 39. 12m system's SNR at 50% load on 1Mbps.

Figure 40. Interference at 50% load.

 50

Figure 41. 12m system's SNR under 100% load at 1Mbps.

Figure 42. 12m system's SNR at 100% load at 54Mbps.

 51

Figure 43. 12m system's interference under 100% load.

Figure 44. 13m system's SNR under 100% load at 1Mbps.

 52

Figure 45. 13m system's SNR under 100% load at 54Mbps.

Figure 46. 13m system's interference under 100% load.

A more lifelike situation is created through a simulation that contains actual wall
materials. The scenario is still more of the optimal nature, but the usefulness of the
triangle scheme and channel arrangement shows its best results here. The surface
materials in this case help decreasing the remaining channel interference with their
inherent attenuation. Hence a robust arrangement that has minimal interference problems
and a strong SNR even in 100% network load is acquired. The distance between each AP
is about 30m. The scheme's functionality is presented in figures 47-50 at various bitrates.
 53

Figure 47. SNR under 100% load at 1Mbps.

Figure 48. SNR under 100% load at 24Mbps.

 54

Figure 49. SNR under 100% load at 54Mbps.

Figure 50. Interference under 100% load.

 55

3.3. Case Study: Creating a Well-Functioning WLAN for a Library

It is here necessary to remark upon the fact that this section has advanced very much
parallel to 4.1. and 4.2., and hence obviously may contain some of the very errors that
should be avoided in AP arrangements and which are listed in the aforementioned
sections.

3.3.1. Initial Situation and First Simulation

In the initial situation a two-floor library inside a larger campus building is equipped with
a few 802.11g APs which here have been marked as 1A-1C for the 1st floor and 2A and
2B for the second. In the pictures, the channel is the last item in the name tag. The APs
have been positioned without much pre-planning merely to create a wireless access to the
most important places. The arrangement is nowhere near optimal, both channel- and
placement-wise. The APs have been installed in the ceiling, wherefrom the antennae poke
out 'upside down'.

The original conditions have been mapped by walking through the rooms with a laptop
with an 802.11b/g compatible wireless network adapter and the Ekahau Site Survey
application. The network load is assumed to be 50% in all cases with at least a data rate
of 1Mbps available in the functional areas of reception. This quite well corresponds to the
'worst-case' scenario, as the average load during the busiest time of the day is about 10%.
The bitrate is not regarded as the most grievous problem here, but the network coverage
and SNR. It is also essential to mention that these spaces encompass only a small part of
the whole building's wireless network, i.e. there are other adapters 'nearby' affecting the
signal spectrum in terms of for example interference. The initial situation of the first floor
is presented in figures 51-54, the second's in figures 55-58, and the channel arrangements
in table 4. As mentioned before, the SNR graphs tell the more accurate truth about the
network's functionality than the signal strength ones.

Table 4. Channel arrangements in the initial situation.

AP 1A 1B 1C 2A 2B
Channel 1 6 11 11 1
 56

Figure 51. Signal Strength.

Figure 52. SNR.

 57

Figure 53. Interference.

Figure 54. Bitrate.

 58

Figure 55. Signal strength.

Figure 56. SNR.

 59

Figure 57. Interference.

Figure 58. Bitrate

There are a few problematic irregularity spots around the library. These kinds of sites are
altogether too common for just about any kind of larger building: elevator shafts,
stairwells, machinery rooms, etc. This brings us back to the question of surface materials
and signal leakage and why they should be seriously taken into account when APs are
positioned.
 60

In the following plan images, the major problem spots have been identified. In the
corresponding SNR and interference maps concentrations of rapid attenuation and
interference can be noticed.

First floor (figure 59):

1. Elevator shaft and stairwell: concrete and metal structures. Some of the signals of
the APs in the floors above (not shown here) leak through the stairwell to the
lower floors, causing interference. The elevator shaft is 'on the way' of 1C's
signal, so that it does not properly reach the rooms in the right and below.
2. An open stairwell connecting the first and the second floor. Both 1B and 2B affect
one another's coverage areas and thus interfere. Overall they have been installed
way too close to one another.
3. Elevator shaft and stairwell. 1B's signal becomes rapidly attenuated and does not
reach the work rooms in the far left.
4. Machinery rooms with multiple metal structures; they block any signals almost
completely.
5. and 6. Areas with tens of bookshelves. A single bookshelf causes about 2dB
attenuation, so the signal fading is gradual but definite nonetheless.

Figure 59. The problem areas of floor 1.

Floor 2 (figure 60):

1. Elevator shaft and stairwell.
2. Thick concrete pillar with possible metal structures within. 2B's effective signal
range reaches about twice as far to the right than to the 'south-west' due to the
blocking effect.
3. Stairwell.
 61

4. Elevator shaft and stairwell.

5. Bookshelf space; gradual attenuation.

Figure 60. The problem areas of floor 2.

A simulation of the optimal AP placing is made. The outside-area APs detected during
the initial measurements are left in the background to create a more natural environment
with actual interference. When a WLAN network is built into a, say, office space in an
apartment, there most likely will be other private WLAN networks in the vicinity
contributing to the total interference. Hence, the conception of 'optimal' will always
become downgraded to 'the configuration that works as well as possible in the
circumstances'.

The issue of outside interference however is not within the scope of this case study, since
the external, non-optimally-configured APs belong to the University of Turku and can be
optimized further later on by the responsible operators. Therefore, the weaker signals left
in the background serve more as a combination of natural background noise, real-life
hardware defects, and further attenuation caused by architectural elements. Also, Site
Survey's virtual APs do not exactly correspond to real ones, since there are no cable
losses or other such signal degradation effects present. However, when the APs are
installed according to the simulations and their properties observed later on, all outside
signals not in the scope of the library will be eliminated.

Attenuation-causing materials have been added to the simulation in the form of

bookshelves and walls. In figures 61-64 the first simulation schemes can be seen. 1C has
been left completely off for now to see whether the rooms below and to the right of it
could be covered otherwise.
It soon becomes clear that a simulation cannot handle everything, as Site Survey has no
proper utilities for vertical areas. The pictures will not give an exactly correct view on
how much for example the APs of the first floor will leak into the second floor. The
ceiling in this case is quite inhomogeneous: There is a concrete layer which is partially
covered with some sort of tiles and partially with a metal grid with pipes crisscrossing
above. It however should have a fairly strong attenuation coefficient, except for the open
stairwell in the middle. The AP arrangement on this particular spot has to be proceeded
mostly with guesswork and manual tryouts.
 62

Presently, 1H has been set into a place wherefrom its signal will likely leak into the
above-lying rooms. However, this has to be tested manually, and it may be necessary to
rearrange the scheme of the second floor completely. The channels used in the first
simulation are listed in table 5.

Table 5. Channel arrangements in the 1st simulation.

AP 1H 1I 1J 1K 1L 2H 2I 2J 2K
Channel 1 11 6 6 11 6 11 1 11

Figure 61. First floor's SNR under 50% load at 1Mbps.

 63

Figure 62. First floor's interference under 50% load.

Figure 63. Second floor's SNR under 50% load at 1Mbps.

 64

Figure 64. Second floor's interference under 50% load.

3.3.2. First Phase of Implementation

The APs are installed as a temporary configuration into the approximate locations pinned
down in the simulation. 100% correctness was not possible due to unsuitable ceiling
elements or a lack of sockets. The situation appears as in figures 65-68 and if not
elsewise mentioned, the worst-case situation (1Mbps under 50% load) is scrutinized.

Figure 65 presents the 1st floor's SNR together with the second floor's APs affecting the
SNR spectrum and figure 69 only the 1st floor's adapters. A few problem spots can be
identified which require manual correction:

• The area between APs edu-kirjasto and edu-kirjasto5 falls into shadow. A
pillar or another blockage probably attenuates Edu-kirjasto's signal --> will
be moved more to the right.
• A similar kind of area appears in-between edu-kirjasto7 and 6. The latter
cannot be moved in this temporary arrangement due to the lack of suitable
ceiling surfaces, so edu-kirjasto7 will be moved more to the left.

The second floor is somewhat more problematic, and did not reach attainable optimality
in the first scheme. When figures 70 and 71 are compared, it can be seen that the 1st
floor's signals leak in a stronger fashion to the 2nd floor than vice versa. The 2nd floor is
also smaller, so any necessary AP replacements to enhance the SNR in both floors are
easier to do in the 2nd floor. Also, a general rule starts forming itself here: it would be a
good idea to place the APs of one floor first, measure the leakages in the next one, and
thereafter plan the placements of the APs to be put below/above.

It could not be known beforehand how strongly edu-kirjasto's signal would be present in
the areas around the 2nd floor's stairwell. By comparing figures 65 and 66 it can be seen
 65

that its signal is not powerful enough to cover the rooms 'above' the stairwell. Also, edu-
kirjasto7 leaks in quite a strong fashion to the second floor, whereas the effect of the one
above it remains considerably weaker. This might be due to a weaker ceiling material.
The network coverage in the middle of the 2nd floor (see figure 67, the darker green area
crossing the floor from 'north' to 'southeast') remains poor, and the space certainly needs
an adapter of its own.

Since only 9 APs were available for the practical implementation, and the 1st floor's
adapters cannot be reduced, the second floor's APs have to be moved so that some
location will fall outside the effective signal field in the next phase. Figure 67 shows that
edu-kirjasto9 covers sufficiently the corridor as-is, so it can be taken out of the current
scheme and used elsewhere, which in this case means using it as the 'missing' AP needed
much nearer the stairwell. The following changes are done:

• Edu-kirjasto4 is moved to the hall in the left 'behind' the rooms.

• Edu-kirjasto9 is moved near the stairwell.
• Edu-aula (former 1C) is enabled in the measurements.
• Edu-kirjasto7 is moved more to the left to see whether the 'thicker' ceiling
would reduce the signal leakage.
• The channels are changed to those listed in table 6.

Table 6. Channel arrangements for the second implementation.

AP e-k e-k2 e-k3 e-k4 e-k5 e-k6 e-k7 e-k8 e-k9 e-a
Channel 1 11 6 6 6 6 11 1 11 11

Figure 65. 1st floor's SNR.

 66

Figure 66. 1st floor's interference.

Figure 67. 2nd floor's SNR.

 67

Figure 68. 2nd floor's interference.

Figure 69. 1st floor's SNR without the influence of the 2nd floor's APs.
 68

Figure 70. 2nd floor's signal leakages in the 1st floor.

Figure 71. 1st floor's signal leakages in the 2nd floor.

 69

Figure 72. 2nd floor's SNR without the influence of the 1st floor's APs.

3.3.3. Second Phase

The aforementioned changes to the implementation are made, and the new arrangement
can be seen in figures 73-78. When the results are compared, it seems that while the
network coverage of the second floor has improved, the first floor has suffered at the cost
of it. The 2nd floor's interference has decreased, but is the opposite case for the 1st floor.
The highest interference concentration has accumulated to the south of the stairwell
(figure 74). It is partly responsible for the large area of poorer SNR extending southward
and unto the far wall. Edu-kirjasto9's channel 11 leaks all too much down from the
second floor, and thus narrows down Edu-kirjasto7's effective signal area (see figures 74,
79-80 ), while it is also sharply attenuated by some architectural element. Edu-kirjasto's
signal does not seem to reach well enough the areas to the left of it, partly due to
interference.
 70

Figure 73. 1st floor's SNR.

Figure 74. 1st floor's interference.

 71

Figure 75. 1st floor's SNR under 10% load.

Figure 76. 2nd floor's SNR.

 72

Figure 77. 2nd floor's interference.

Figure 78. 2nd floor's SNR under 10% load.

 73

Figure 79. 2nd floor's signal leakages in the 1st floor.

Figure 80. 2nd floor's signal leakages in the 1st floor without Edu-kirjasto9.

When the experiments lead to this kind of results, the antenna types and ceiling materials
need to be scrutinized better, in case issues causing further non-optimality might hide
therein. Discarding the effects of Edu-kirjasto9's leakage (see figure 78), it can be seen
from both the first (figures 70-71) and second phase's (figures 80-81) results that the first
floor leaks rather more to the second than in the opposite case. It can only be assumed
that the metal grid partly covering the ceilings works both as a mirror and an attenuator.
The antennae, in the absence of other suitable installation places in this case, had to be
placed to hang down from the grid. While an omnidirectional antenna's signal should
follow the vertically flat doughnut-shape form, it apparently extends itself that much
 74

above the grid that the metal can reflect and amplify it upwards. Signals coming from
above experience the opposite effect.

The antennae can be categorized as follows:

Edu-kirjasto4-9 Buffalo WHR-G54S:

• Nominal Output Power: 19dBm (802.11b), 16dBm (802.11g)
[44]
Edu-kirjasto-3 Buffalo Airstation WBR-type with an external antenna
• Nominal Output Power 15 dBm
• External antenna eats part of the power and weakens the signal
[45]

The WHR antennae are more efficient than those of the latter type. This can be also seen
in figures 82 and 83 where the signal ranges of a WHR and WBR antenna are shown
SNR-wise. The diameter of the effective coverage the WHR antenna is considerably
longer than that of the WBR one.

Figure 81. 1st floor's signal leakages in the 2nd floor.

Figure 82. The SNR and coverage of a WBR antenna.

 75

Figure 83. The SNR and coverage of a WHR antenna.

3.3.4. Third Phase

After analyzing the results of the second phase and considering some details, the
conclusion is that the system might work better with the following adjustments:

• Edu-kirjasto will be disabled regarding the first floor, and shall be moved
to the second floor to serve the empty north-east corridor.
• Edu-kirjasto7 will be moved somewhere in the middle of its original place
and the current one.
• Edu-kirjasto5 will be moved somewhat to the south to see if the coverage
in the areas below it could be improved.
• Edu-kirjasto9 will be moved right above the stairwell, so that its signal
would reach the 1st floor even better. In addition to its major service area,
it thus might be able to handle also the beneath-lying section to such a
degree that no additional APs are needed around the stairwell in the 1st
floor. Figure 84 gives some insight into this. Edu-kirjasto1 is disabled, and
yet there seems to be a sufficient SNR around the stairs, even when edu-
kirjasto9 is not yet directly above the open shaft.
• Edu-kirjasto4 will be moved into the hall outside the actual library. In the
current configuration it is too close to the other APs of the 2nd floor.
• The new channels are listed in table 7.

Table 7. Channel arrangements for the 3rd implementation.

AP e-k e-k2 e-k3 e-k4 e-k5 e-k6 e-k7 e-k8 e-k9 e-a
channel 1 11 6 6 6 6 1 1 11 1

At this point it can be seen that the simulation tools do not really provide that much help,
and the final adjustments need mostly manual tweaking. It is reasonable to believe the
priorly configured systems may also suffer from the 'too many APs' -syndrome. Even one
antenna may deteriorate the SNR considerably.
 76

Figure 84. First floor's SNR. Edu-kirjasto is disabled.

The aforementioned changes are made, along with a few other details that cropped up
along the way:

• Edu-kirjasto was dropped out of the antenna array entirely. After an

installation in the suggested place and some preliminary measurements, it
turned out that the AP's operation itself was poor. Most likely the old
model and a lossy antenna cable were the reasons for this.
• Edu-kirjasto4 was not installed in its intended place, but set to replace edu-
kirjasto in the 2nd floor. Edu-kirjasto9's coverage area is just about large
enough to give a sufficient SNR into the rooms originally under edu-
kirjasto4's dominion. The corridor in the far left provided to be too
cumbersome an area for test installations due to the lack of Ethernet and
power sockets and suitable ceiling materials. Hence, if better SNR or
coverage is desired to the border areas of the library, a separate, permanent
antenna should be installed somewhere in the 2nd floor hall.
• Edu-aula was disabled in the measurements.
• The new channel arrangement is listed in table 8.

Table 8. Channels after the 3rd implementation.

AP e-k2 e-k3 e-k4 e-k5 e-k6 e-k7 e-k8 e-k9

channel 11 6 1 6 6 1 1 11

Figures 85-90 show the corresponding results. Now, it can be seen that reasonable quality
has been reached. The APs are about 8m apart from one another in the horizontal
direction. The overall scheme is also as close as possible to the triangle lattice as
proposed in chapter 4.1., with the exceptions required by non-symmetric building
structures. The SNR is stronger than in any of the previous installations, and the
 77

interference has dropped considerably. A few areas with poorer reception are bound to
remain due to environmental aspects. For instance, the open area to the south-west from
edu-kirjasto5 has plaster tiles with slight vertical protrusion as the ceiling material.
Plaster contains water, which has a strong attenuation factor. For instance figure 86
shows the sharp attenuation edge of edu-kirjasto5's signal. However, due to interference
problems, the particular AP cannot be much moved to the south either. The plaster ceiling
is also responsible of the mid-floor 'canyon' of lesser reception between edu-kirjasto6 and
edu-kirjasto7. The new placement of the latter AP allows the signal to spread somewhat
more freely, so that the attenuation edge is not as sharp as in the previous undertakings.

Figure 85. 1st floor's SNR.

Figure 86. 1st floor's SNR under 10% load.

 78

Figure 87. 1st floor's interference.

Figure 88. 2nd floor's SNR.

 79

Figure 89. 2nd floor's SNR under 10% load.

Figure 90. Second floor's interference.

3.4. Case Study Conclusions and AP Arrangement Guidelines

• The general triangle model should work almost optimally in a symmetrical, one-floor
building or in a multi-store building that has a wireless network installed in only one
floor.
• The general triangle lattice model should function in a symmetric multi-store building
where the floors and ceilings attenuate the signals enough, so that they do not leak to
other floors.
• Use only channels 1,6, and 11, since they non-overlap the least. All interference
cannot be gotten rid of even this way, since real-word hardware lets the sidelobes leak
 80

to the other bands more than in theory. Using the intermediate channels is not
recommended, as it has considerable effect to the increasing of interference.
• If open spaces pierce two or more floors (i.e. a stairwell, high halls), either try to
install the APs as far as possible from the open area, or then try to take advantage of
the vertical LOS and install as few APs as possible as high as possible.
• WHR-type APs are more efficient than those with external antennae.
Discontinued/more inefficient APs can be reused to cover smaller (secluded) areas.
• If possible, avoid hanging APs down from metal-gridded ceiling, since it mirrors the
signals upwards just enough to cause undesirable interference in the floor above.
Sometimes this is not an option, however. Metal grid placed behind any
floor/wall/ceiling element then again hinders the RF signals from leaking outside the
space at hand.
• Corridors, etc. unidirectional spaces joining larger open spaces but yet separated by
thick walls and/or elevator shaft -type constructions from one or more sides usually
need their own AP(s). It is usually most efficient to place one adapter in the middle of
the corridor. If it is a lengthy one, two can be installed so that they are not exactly at
the far ends (at least in the case of the typical omnidirectional antennae, part of the
signal range is 'lost'). Best performance is achieved, if the channels are as far off from
one another as possible (1, 11). Make sure that the nearest signal radiating strongly
from any open space nearby is always at least six channels apart.
• When the planning and configuring of a wireless network is started, simulations may
aid somewhat, especially if wall materials can be added within. Nonetheless, manual,
sporadic planning is always needed. Ekahau Site Survey, in itself, is only a mediocre
simulation tool, as it does not even support multiple floors.
• Pipes, air conditioning shafts, etc. work as conductors, and sometimes they can carry
RF signals into unwanted places. Take these into account in network plans, if
possible.
• A non-homogenous ceiling with vertical protrusions may become an attenuation
factor even in the floor at hand, if APs are installed to hang down from it. Even a few
centimeters' difference may cause undesirable effects. Try to install the antenna to the
lowest part of the ceiling, so that it does not remain inside an 'upside-down cauldron'
where the surrounding layers force the range of the signal to become diminished.
Another option is to attach the antenna some meters away from the border of the two
ceiling materials with different heights. This way, the signal has more room to spread,
and the attenuation becomes less steep. However, always avoid fixing the antenna
right to the joint.
• When APs are placed manually, try to make sure that there is the maximum amount of
LOS everywhere. Obstacles such as pillars and high bookshelves in the close
proximity may cause surprisingly strong blocking effects. Plaster, which is often used
in pillars, is one of the tricky surface materials.
• It may be of best practice to configure one floor first. When the initial floor is done,
proceed to the next by first observing how much the signals leak through the
elements. Also, if the following, yet empty floors are simulated with Ekahau Site
Survey, leaving the signal leakages as existing interference to the background may
help in finding out the best places for further APs.
 81

4. Conclusions
The lack of a systematic approach to building IEEE 802.11 indoor networks, so that
optimality could be reached in both coverage and reception, is a major problem that often
emerges during the installation of new systems or improving existing ones. The correct
placement of the APs and the parallel consideration of architectural details and surface
materials in buildings are crucial to the proper functioning of the network. Yet, often the
APs are placed in a rather random fashion, which may lead to high interference and poor
link quality. The purpose of this thesis was to dig into some of the issues that most often
hinder the proper operation of a WLAN network, and propose a systematic scheme where
both coverage and reception reach optimality. A real-life case study where 802.11g-type
transceivers were used and which followed as closely as possible to the suggested model
was implemented in the frames of SparkNet, the WLAN system employed by the
University of Turku. Ultimately, the approach was proven to grant quasi-optimal
conditions to the functioning of 802.11 systems.

The thesis was divided in two major parts. The first section, which enveloped the preface
and chapter 2, was mainly literature-based. It introduced the system logic and theoretical
properties of IEEE 802.11 protocols. Detailed glimpses into the operations of the MAC
and PHY layers and their interactions with one another were provided. Additionally, such
matters as for example security and future technologies were discussed alongside. A few
sections were devoted to the upcoming 802.11n protocol which will undoubtedly begin
replacing existing technologies in the near future, even if the type is still officially in a
draft state. Its emergence will lead to more complicated kinds of hybrid networks as the
ones currently in existence, and will contribute its own, yet largely unanalyzed share to
the optimization problems.

The second part, chapter 3, concentrated on studying whether an optimal, systematical

AP arrangement could be created, and, if so, how. Likewise, the section can be separated
into a more theory-oriented segment (sections 3.1. and 3.2.) and a practical part (section
3.3.). Firstly, a theoretical basis for the optimal AP placement model was proposed. In
two dimensions, its topology consists of equilateral triangles, where one AP is placed at
each vertex. The geometry can be extended into the third dimension, when the structure
becomes a lattice-type formation composed of three-sided prisms in the vertical direction.
In the text, it was commonly referred to as the 'triangle lattice'. Each AP operates on its
own channel, which is either 1, 6, or 11, and the lattice never allows two same channels
 82

to be adjacent to one another. This maximization of distance minimizes the interference.

The theoretical scheme was simulated with Ekahau Site Survey in various imaginary
indoor spaces with different kinds of wall materials. These made-up conditions used in
the simulations had a theoretically optimal nature, and thus cannot be applied to real-
world settings as such. Also some details relating to how many APs should be used and
the suitable distance between two units were discussed alongside.

The case study, section 3.3., advanced quite much parallel to the theory discussion of
sections 3.1. and 3.2. Hence, a few of the very mistakes that were pointed out in the
preceding section found its way into the practical implementation, and had to be rooted
out on the way. A two-store library with some rather awkward and non-symmetrical
architectural details (an open stairwell piercing the two floors, uneven ceiling with
inhomogeneous building materials, among other particulars) was chosen for the case
study. It had an operational WLAN network in the initial situation, but it was sub-
optimal, and the APs had been installed in the spur of the moment rather than with
careful planning. A simulation of a replacement network, based on the triangle lattice
model and which included wall materials and added interference, was made with Ekahau
Site Survey. Thereafter, the actual implementations began.

However, when the practical part progressed further through trial and error and much
manual corrections, it soon became clear that Site Survey as a simulation application is
rather mediocre. Whereas it performs well as a tool for measuring various properties of
existing RF signals, the simulations could be used only as a partial aid in the case study.
For instance, the application does not support networks in multiple layers. It is a serious
drawback, since APs installed into adjacent floors commonly interfere with one another
till some degree, unless the ceiling material is thick enough not to allow any signal
leakages.

The case study required three installations, where aspects such as the influence of antenna
types to the overall functionality -- in addition to the expected ones concerning
construction materials and signal leakage -- gradually cropped up. Signal leakage and
undesirably attenuating or mirroring surfaces provided nevertheless to be the biggest
problems. The open shaft piercing the floors caused the signals to leak so much to the
different spaces that it was in the end better to take advantage of the LOS and install only
one antenna right above the shaft, whereas in the first attempt two had been used on top
of one another. Regarding surface annoyances, for instance the metal grid ceiling in the
1st floor mirrored the signals to the 2nd floor, and protruding plaster elements caused
sharp attenuation. The latter could be somewhat circumvented by moving the APs away
from the boundaries of such materials and guaranteeing the longest LOS everywhere. The
previous, among other factors, however taught that optimality is relative in real
environments, and that there is no way around every unfavorable detail.

It might have been better if only one floor had been implemented first, and then the
second simulated separately with the existing signal leakages added to the background
interference. Yet, when this was comprehended, it was somewhat too late to start the case
study from scratch any more. The gradual means is however better regarding equivalent
 83

future installations in multi-store environments: plan and simulate one floor first, measure
the signal properties in the current floor and the adjacent ones, and then plan on further.
This guideline, among others, was documented in section 3.4., which contains
conclusions and AP arrangement principles gathered from the results of the case study.

In the third phase of the implementation the arrangement turned out to be very close to
optimality, and resembled as much as possible to the proposed triangle lattice scheme.
Regarding SNR, it would have been better if the APs could have been organized into
perfect multiples of three. Thus the interference would have been evenly distributed.
Even if this particular goal was not achieved, the experiments nevertheless prove that the
suggested WLAN model really is functional. Hence can be used as an outline for
systematic installation of larger-scale WLAN networks, and should furthermore quicken
up planning and aid in achieving better reception and coverage. In homogenous,
symmetric environment it will reach the highest optimum. Real-life buildings yet almost
never fulfill these conditions, so some tweaks are undoubtedly needed case-by-case.
 84

5. References

[1]
http://www.turkusciencepark.com/TSP/www_fi.nsf/SiteMap/D56076A78D9650
D9C2256FE3003ABD05 (accessed 14.3. 2007).
[2] http://www.sparknet.fi/ (accessed 14.3. 2007).
[3] http://www.cc.utu.fi/ (accessed 14.3. 2007).
[4] http://www.masterplanet.fi/sparknet-kayttoohje/kayttoohje_files/frame.htm
(accessed 14.3. 2007).
[5] William Stallings, Wireless Communications and Networks, Prentice Hall,
2002.
[6] Hubert Zimmermann, "OSI Reference Model--The ISO Model of Architecture
for Open Systems Interconnection," in IEEE Transactions on Communications,
vol. com-28, no. 4, April 1980, pp. 425--432.
[7] Neil Briscoe, "Understanding the OSI 7-Layer Model," in PC Network Advisor,
Issue 120 (July 2000), pp. 13--14.
[8] Fernandez et al, "An overview of the security of wireless networks," Nov 19,
2004, http://polaris.cse.fau.edu/~ed/WirelessSecSurv4.pdf (accessed 11.11.
2006).
[9] Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd
Edition, O'Reilly, April 2005.
[10] William Stallings, "IEEE 802.11: Wireless LANs from a to n," in IT Pro Sep-
Oct 2004, Published by the IEEE Computer Society, pp. 32--37.
[11] ANSI/IEEE Std 802.11, 1999 Edition, Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications, IEEE 1999.
[12] Jeffrey S. Beasley, Networking, Pearson Prentice Hall, 2004.
[13] N. Borisov, I. Goldberg, and D. Wagner, "Intercepting mobile communications:
The insecurity of 802.11," in Proceedings of the International Conference on
Mobile Computing and Networking, July 2001, pp. 180–189.
[14] N. Cam-Winget et al, "Security Flaws in 802.11 Data Link Protocols in
"Communications of the ACM, Vol. 46, No. 5, May 2003, pp. 35--39.
[15] Brandon Brown, "802.11: the security difference between b and i," in
Potentials, IEEE, Vol. 22, No. 4, Oct-Nov. 2003, pp. 23--27.
[16] IEEE Std 802.11i-2004, Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium
Access Control (MAC) Security Enhancements, IEEE 2004.
[17] J. C. Chen, M. C. Jiang, and Y. Liu, "Wireless LAN Security and IEEE
802.11i," in IEEE Wireless Communications, Feb. 2005, pp. 27--36.
[18] Rodger E. Ziemer and Roger L. Peterson, Introduction to Digital
Communication, 2nd edition, Prentice Hall, 2001.
[19] N. Krishnapura et al, "A Baseband Pulse Shaping Filter for Gaussian Minimum
Shift Keying," in Circuits and Systems, Proceedings of the IEEE, Vol. 1, 31
May--3 Jun 1998, pp. 249--252.
[20] IEEE Std 802.11b-1999, Supplement to IEEE Standard for Information
technology, Part 11: Wireless LAN Medium Access Control (MAC) and
 85

Physical Layer (PHY) specifications: Higher-Speed Physical Layer Extension in

the 2.4 GHz Band, IEEE 1999.
[21] http://www.buffalo-technology.com/ (accessed 28.5. 2007).
[22] http://www.cisco.com/ (accessed 28.5. 2007).
[23] R. Sivaswamy, "Multiphase Complementary Codes," in IEEE Transactions on
Information Theory, Vol. IT-24, no. 5, Sep. 1978, pp. 546--552.
[24] Robert L. Frank, "Polyphase Complementary Codes," in IEEE Transactions on
Information theory, Vol. IT-26, no. 6, Nov. 1980, pp. 641--647.
[25] Yiyan Wu and William Y. Zou, "Orthogonal Frequency Division Multiplexing:
A Multi-Carrier Modulation Scheme," in IEEE Transactions on Consumer
Electronics, Vol. 41, no. 3, Aug 1995, pp. 392--399.
[26] S. Coleri et al, "Channel Estimation Techniques Based on Pilot Arrangement in
OFDM Systems", in IEEE Transactions on Broadcasting, Vol. 48, No. 3,
September 2002, pp. 223--229.
[27] IEEE Std 802.11a-1999, Supplement to IEEE Standard for Information
technology, Part 11: Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) specifications: High-speed Physical Layer in the 5 GHZ
Band, IEEE 1999.
[28] A. Bruce Carlson, Communication Systems: An Introduction to Signals and
Noise in Electrical Communication, 3rd Edition, McGraw-Hill, 1986.
[29] H. Sampath et al, "A Fourth-Generation MIMO-OFDM Broadband Wireless
System: Design, Performance, and Field Trial Results," in IEEE
Communications Magazine, September 2002, pp. 143-149.
[30] G. L. Stüber et al, "Broadband MIMO-OFDM Wireless Communications," in
Proceedings of the IEEE, Vol. 92, No. 2. Feb. 2004.
[31] Status of the 802.11n standard,
http://grouper.ieee.org/groups/802/11/Reports/tgn_update.htm (accessed 19.3.
2007).
[32] Clint Ecker, "AirPort Extreme 802.11n Wi-Fi Wireless Base Station," in Ars
Technica, February 21, 2007, http://arstechnica.com/reviews/hardware/airport-
n.ars (accessed 19.3. 2007).
[33] IEEE Std 802.11g-2003, Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) specifications, Amendment 4: Further Higher
Data Rate Extension in the 2.4 GHz Band, IEEE 2003.
[34] Official IEEE 802.11 Working Group Project Timelines - 01/19/07,
http://grouper.ieee.org/groups/802/11/Reports/802.11_Timelines.htm (accessed
29.01.07).
[35] MITMOT IEEE802.11n proposal, http://www.ieee802.org/11/DocFiles/04/11-
04-1369-07-000n-mitmot-tgn-complete-proposal-presentation.ppt (accessed
28.5. 2007).
[36] Eric Bangeman, "802.11n Draft 2.0 gets thumbs up from Working Group," in
Ars Technica, March 13, 2007, http://arstechnica.com/news.ars/post/20070313-
802-11n-draft-2-0-gets-thumbs-up-from-working-group.html (accessed 19.3.
2007).
 86

[37] S. Abraham et al, "802.11n MAC Design and System Performance," in IEEE
International Conference on Communications, 2005, Vol. 5, May 2005, pp.
2957--2961.
[38] http://www.apple.com/airportextreme/specs.html (accessed 5.2. 2007).
[39] Carla F. Chiasserini and Ramesh R. Rao, "Coexistence Mechanisms for
Interference Mitigation between IEEE 802.11 WLANs and Bluetooth," in IEEE
Infocom, Vol. 2 2002, pp. 590--598.
[40] D. K. Borah et al, "Performance Evaluation of IEEE 802.11a Wireless LANs in
the Presence of Ultra-Wideband Interference," in IEEE Wireless
Communications and Networking, Vol. 1. March 2003, pp. 83--87.
[41] http://www.buffalo-technology.com/downloads/WHR-HP-G54_manual_EU.pdf
(accessed 12.4. 2007).
[42]
http://www.cisco.com/application/pdf/en/us/guest/products/ps6521/c1650/cdcco
nt_0900aecd8031c844.pdf (accessed 2007).
[43] Ekahau Site Survey 2.2 User Guide and application, copyright 2000-2007,
Ekahau Inc.
[44] http://www.buffalo-technology.com/downloads/WHR-G54S-Manual_EU.pdf
(accessed 12.4. 2007).
[45] http://www.buffalo-technology.com/downloads/WBRG54Manual.pdf (accessed
12.4. 2007).
 87

6. Appendix 1. List of Acronyms

ACK: acknowledgement ISO: International Organization for

ADC: analog-to-digital converter Standardization
AP: access point IV: initialization vector
ASK: amplitude shift keying LLC: logical link control
BSS: basic service set LOS: line of sight
CA: collision avoidance MAC: medium access
CCA: clear channel assessment MIMO: multiple input multiple output
CCK: complementary code keying MSDU: MAC service data unit
CCMP: Counter with Cipher Block NACK: no acknowledgement
Chaining Message NAV: network allocation vector
Authentication Code Protocol OFDM: orthogonal frequency-division
CF: contention-free multiplexing
CRC: cyclic redundancy check OSI: Open Systems Interconnection
CS: carrier sense PBCC: packet binary convolution
CSMA: carrier-sense multiple access coding
CTS: clear to send PCF: point coordination function
DAC: digital-to-analog converter PIFS: PCF IFS
DCF: distributed coordination PDU: protocol data unit
function PHY: physical layer
DHCP: dynamic host configuration PLCP: physical layer convergence
protocol procedure
DIFS: DCF IFS PPM: pulse-position modulation
DPSK: differential phase shift keying PRNG: pseudorandom number
DS: distribution system generator
DSS: distribution system service PSDU: PLCP service data unit
DSSS: direct sequence spread PSK: phase shift keying
spectrum QAM: quadrature amplitude
EIFS: extended IFS modulation
ESS: extended service set RSN: robust security network
FFT: fast Fourier transform RTS: request to send
FHSS: frequency hopping spread SFD: start of frame delimiter
spectrum SIFS: short interframe spacing
FSK: frequency shift keying SNR: signal-to-noise ratio
HDLC: high-level data link control SS: station service
IBSS: independent basic service set SSID: service set identifier
ICI: inter-carrier interference SSL: secure sockets layer
IEEE: Institute of Electrical and TCP: transmission control protocol
Electronics Engineers TKIP: temporal key integrity protocol
IFFT: inverse fast Fourier transform TSF: timing synchronization
IFS: interframe spacing function
IP: internet protocol UDP: user datagram protocol
IR: infrared UWB: ultra-wideband
ISI: intersymbol interference VLAN: virtual local area network
VoIP: voice over internet protocol
 88

WEP: wired equivalent privacy WPA2: Wi-Fi Protected Access

WLAN: wireless local area network