Data Link Layer Features
The sections that follow describe features that operate at the data link layer.
Bridging takes place at the data link layer and is based on the MAC addresses of the end user equipment. The typical wireless bridge learns a table of MAC addresses and the bridge ports on which they were seen, and forwards each frame to the port that the table gives for its destination address (or to all ports when the destination is not yet in the table). Your data link layer feature evaluation should include the following features.
MAC Address Table Size
The MAC address table of a wireless bridge is finite in size. The table might be large enough to contain one or two thousand MAC addresses or small enough to contain only one. In most cases, the MAC address table size is larger than the number of simultaneous end user connections.
Number of Simultaneous Connections
Each wireless AP or bridge is designed to connect to only a specific number of end users at the same time. In general, the more simultaneous users it supports, the higher the cost of the wireless bridge or AP.
Vendor advertising sometimes confuses MAC address table size with the number of simultaneous end user connections. An advertisement might state that one AP supports up to 1000 users without mentioning that only 128 of them can be connected at the same time. Often this is simply a mistake by the person preparing the advertisement, who is unclear about the difference between the two figures. If a claim appears excessive or too good to be true, ask the vendor to confirm it and to state the table size and the connection limit separately.
A wireless bridge is designed to support many wireless users, typically from 50 to several hundred. One special type of wireless bridge is called an Ethernet converter. Originally, an Ethernet converter was designed to bridge between one Ethernet port (on one computer) and a wireless WAN. Currently, Ethernet converters are available that support bridging between up to eight computers and the wireless WAN. This expanded Ethernet converter is called a super Ethernet converter (SEC).
Spanning Tree Protocol
Most wireless point-to-point bridges implement the IEEE 802.1D Spanning Tree Protocol. In bridged networks it is important to avoid bridging loops (more than one simultaneous path between two points): a broadcast or unknown-destination frame that enters a loop is forwarded around it indefinitely and can saturate every link in the loop. Spanning Tree detects loops by exchanging bridge protocol data units (BPDUs) between bridges, elects the bridge with the lowest bridge ID as root, and blocks redundant ports so that exactly one active path remains between any two points.
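As an added example (not from the chapter or any vendor's code), the following Python models the 802.1D election on a small constructed topology: the bridge with the lowest bridge ID becomes root, every other bridge keeps its lowest-cost path to the root, and the remaining redundant link is blocked. Bridge names, MAC addresses and path costs are constructed; BPDU exchange, port states and timers are omitted, and equal-cost ties are resolved by bridge ID only approximately.

```python
"""Simplified IEEE 802.1D spanning tree election over a bridged topology.

Added example, not from the chapter. Models the election only: the
lowest bridge ID becomes root, each bridge keeps its lowest-cost path to
the root, and every other redundant link is blocked so that exactly one
path remains between any two bridges (no bridging loop).
"""
import heapq

# Constructed topology. Bridge IDs are (priority, MAC) as in 802.1D;
# links are (bridge_a, bridge_b, path_cost). The loop A-B-C-A is deliberate.
BRIDGES = {
    "A": (32768, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (32768, "00:00:00:00:00:03"),
    "D": (32768, "00:00:00:00:00:04"),
}
LINKS = [
    ("A", "B", 19),   # 802.1D default cost for 100 Mb/s Ethernet
    ("B", "C", 19),
    ("A", "C", 100),  # slower wireless hop that closes the loop
    ("C", "D", 19),
]


def elect_root(bridges):
    """Lowest (priority, MAC) wins, exactly as in 802.1D."""
    return min(bridges, key=lambda name: bridges[name])


def spanning_tree(bridges, links):
    """Return (root, active_links, blocked_links).

    Active links form the tree; each blocked link would create a loop.
    """
    root = elect_root(bridges)
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))

    best = {root: 0}      # lowest known root path cost per bridge
    parent = {}           # upstream bridge on the chosen path
    # Heap entries carry the bridge ID so that, among equal costs, the
    # lower bridge ID is processed first; this approximates 802.1D's
    # tie-break on designated bridge ID.
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node]:
            continue                      # stale heap entry
        for nxt, c in adj.get(node, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                parent[nxt] = node
                heapq.heappush(heap, (cost + c, bridges[nxt], nxt))

    tree = {frozenset((child, up)) for child, up in parent.items()}
    active = [l for l in links if frozenset(l[:2]) in tree]
    blocked = [l for l in links if frozenset(l[:2]) not in tree]
    return root, active, blocked


def is_loop_free(bridges, active_links):
    """A connected tree over N bridges has exactly N-1 links."""
    return len(active_links) == len(bridges) - 1


if __name__ == "__main__":
    root, active, blocked = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for a, b, _ in blocked:
        print(f"blocked redundant link {a}-{b}")
```

On this topology the slow A-C link is the one blocked; if it were the only remaining path after a failure, a real bridge would unblock it after the 802.1D timers expire.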
Wireless APs occasionally contain a built-in switch. The switch allows Ethernet connectivity from the AP to a number of Ethernet devices without needing to purchase an external switch.
Support for VLAN Tagging
Virtual LAN (VLAN) tagging (IEEE 802.1Q) allows a LAN to be defined logically, by a tag carried in each frame, rather than by the physical location of the stations. Support for VLAN tagging allows the wireless device to carry traffic for several VLANs over one link and to keep that traffic separated at the far end.
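The following Python is an added example (not from the chapter) of what VLAN tagging does to a frame: it builds an Ethernet II header with an optional 802.1Q tag and parses one back, showing that the tag sits between the source MAC and the original EtherType, so any bridge that filters on EtherType must look past the tag. MAC addresses and payload bytes are constructed.

```python
"""Insert and strip an IEEE 802.1Q VLAN tag in an Ethernet frame header.

Added example, not from the chapter. The 4-byte tag follows the source
MAC: TPID 0x8100, then a 16-bit TCI holding 3 bits of priority (PCP),
1 drop-eligible bit (DEI) and a 12-bit VLAN ID. The original EtherType
and payload follow the tag. FCS is omitted.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Build an Ethernet II header, tagged with 802.1Q when vlan_id is given.

    802.1Q reserves VID 0 (priority-tagged, no VLAN) and VID 4095, so
    only 1..4094 are accepted here.
    """
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        if not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("PCP is 3 bits, DEI is 1 bit")
        tci = (pcp << 13) | (dei << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), pcp, the real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlan = pcp = None
    if ethertype == TPID_8021Q:
        # Tagged: the field we just read is the TPID, not the protocol.
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan = tci >> 13, tci & 0x0FFF
        offset = 18
    return {
        "dst": ":".join(f"{b:02x}" for b in dst),
        "src": ":".join(f"{b:02x}" for b in src),
        "vlan": vlan,
        "pcp": pcp,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


if __name__ == "__main__":
    # Constructed sample: broadcast IPv4 frame on VLAN 100, priority 5.
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         ETHERTYPE_IPV4, b"\x45\x00", vlan_id=100, pcp=5)
    print(tagged.hex())
    print(parse_frame(tagged))
```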
MAC Sublayer Features
The MAC layer is a sublayer of the data link layer (Layer 2) in the OSI reference model. MAC features can be either standards-based or proprietary. In all cases, the primary purpose of the MAC sublayer is to provide reliable data delivery over the inherently noisy and collision-prone wireless medium. The MAC sublayer performs the following general functions:
Error control: The MAC sublayer implements a frame-exchange protocol with a positive acknowledgment procedure; a frame that is not acknowledged is retransmitted. This maximizes the chance that every frame is delivered error free across the wireless link.
Congestion management: The MAC sublayer works to minimize congestion on the wireless medium by deciding which station is allowed to transmit. The 802.11b MAC specifies both a CSMA/CA contention-based access scheme (the Distributed Coordination Function) and a polling-based access scheme (the Point Coordination Function). Most 802.11b equipment does not implement the polling feature.
Packet aggregation: The MAC sublayer can maximize throughput by aggregating several small packets into one larger frame. This reduces the number of times the wireless equipment must switch between receive and transmit (the switching time is also called the turnaround time), thereby making more time available to pass data traffic.
Data protection: Encryption can take place at several different layers; WEP encryption takes place at the MAC sublayer. So-called 64-bit and 128-bit WEP are in common use; each figure includes the 24-bit initialization vector, so the secret keys are actually 40 and 104 bits. WEP's design (RC4 with a short, frequently repeating IV and a linear CRC-32 integrity check) is known to be weak, and its keys can be recovered from captured traffic, so treat WEP as a deterrent rather than as strong confidentiality.
Data Link Layer Security Features
The following sections analyze data link layer security features that might be offered by the equipment that you are evaluating.
MAC Address Access Control Lists
When providing wireless Internet access, it is desirable to deny access to any end user whose account is not current or who is not otherwise authorized to use your network. Most APs allow you to configure an access control list (ACL): unless the ACL contains the specific MAC address of an end user, that end user is not allowed to connect to the AP. Keep in mind that MAC addresses are transmitted in the clear and can be changed on most client adapters, so an ACL keeps out casual or accidental users but does not stop anyone who captures and copies a permitted address. Treat it as an administrative control, not as authentication.
Protocol Filtering
Protocol filtering permits you to deny bridging based on the Layer 2 protocol type field of the frame. Protocols such as IPX, NetBEUI, DECnet, or AppleTalk can be denied so that only the traffic you intend to carry (typically IP and ARP) crosses the wireless link.
MAC Address Pair Filtering
In bridged networks, it is occasionally desirable to provide filtering for specific address pairs. The filtering can either allow a connection between two specific MAC addresses, or it can deny a connection between two specific MAC addresses.
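The three Layer 2 filters described above (the MAC address ACL, protocol filtering, and MAC address pair filtering) are combined in the following added Python example, which is not from the chapter or any vendor's firmware. Frames are modelled as (destination, source, EtherType) tuples already parsed from the header; the station addresses, EtherType values and traffic sample are constructed. The comment on the ACL check records the caveat from the text: the filter only ever sees the address a station claims.

```python
"""Layer 2 filtering as a bridge or AP might apply it.

Added example, not from the chapter. Evaluates three filters on each
frame, in order: a MAC address access control list (only listed
stations may bridge), a protocol filter (deny by EtherType), and MAC
address pair rules (allow or deny traffic between two specific
stations). Frames are (dst, src, ethertype) tuples.
"""
from dataclasses import dataclass, field

ETHERTYPE = {"ipv4": 0x0800, "arp": 0x0806, "ipx": 0x8137, "appletalk": 0x809B}
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class L2Policy:
    # MAC ACL: station addresses allowed to bridge through this device.
    allowed_macs: set = field(default_factory=set)
    # Protocol filter: EtherTypes that must not be bridged.
    denied_ethertypes: set = field(default_factory=set)
    # Pair filters: frozenset({mac_a, mac_b}) -> "allow" or "deny".
    pair_rules: dict = field(default_factory=dict)
    # What happens to pairs with no explicit rule.
    pair_default: str = "allow"

    def decide(self, dst, src, ethertype):
        """Return (verdict, reason) for one frame."""
        src, dst = src.lower(), dst.lower()
        # The ACL is checked on the *claimed* source address. A station
        # that sets its adapter to a listed MAC passes this check; the
        # ACL is an administrative control, not authentication.
        if src not in self.allowed_macs:
            return "drop", f"src {src} not in MAC ACL"
        if ethertype in self.denied_ethertypes:
            return "drop", f"ethertype 0x{ethertype:04x} denied by protocol filter"
        rule = self.pair_rules.get(frozenset((src, dst)), self.pair_default)
        if rule == "deny":
            return "drop", f"pair {src}<->{dst} denied"
        return "forward", "permitted"


# Constructed policy: three subscriber stations, legacy protocols blocked,
# two subscribers that must not talk to each other directly.
POLICY = L2Policy(
    allowed_macs={"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"},
    denied_ethertypes={ETHERTYPE["ipx"], ETHERTYPE["appletalk"]},
    pair_rules={frozenset(("00:11:22:33:44:01", "00:11:22:33:44:02")): "deny"},
)

# Constructed traffic sample: (dst, src, ethertype).
FRAMES = [
    (BROADCAST, "00:11:22:33:44:01", ETHERTYPE["arp"]),            # listed station, ARP
    ("00:11:22:33:44:02", "00:11:22:33:44:01", ETHERTYPE["ipv4"]),  # denied pair
    ("00:11:22:33:44:03", "00:11:22:33:44:02", ETHERTYPE["ipx"]),   # denied protocol
    ("00:11:22:33:44:03", "00:11:22:33:44:99", ETHERTYPE["ipv4"]),  # not in ACL
    ("00:11:22:33:44:03", "00:11:22:33:44:01", ETHERTYPE["ipv4"]),  # permitted
]


def apply_policy(policy, frames):
    """Run every frame through the policy; returns a list of (verdict, reason)."""
    return [policy.decide(*frame) for frame in frames]


if __name__ == "__main__":
    for frame, (verdict, reason) in zip(FRAMES, apply_policy(POLICY, FRAMES)):
        print(f"{verdict:8} {frame[1]} -> {frame[0]}  ({reason})")
```

Setting `pair_default` to `"deny"` and listing only the pairs that may communicate gives the "allow a connection between two specific MAC addresses" form of pair filtering; with broadcast and ARP in play, that configuration needs explicit pairs for the broadcast address as well.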
Authentication
Authentication is the process that a network uses to determine whether an end user is allowed to connect to the network. Authentication schemes require an exchange of management frames between the authenticator (the network) and the end user who is requesting network access. Simple authentication schemes provide minimal security, whereas more complex schemes provide higher levels of security.
Several network layers are typically involved in the authentication process; however, because Layer 2 plays a prominent role, authentication is outlined here.
Open-system authentication is the simplest: a station identifies itself to the AP and requests authentication, and the AP grants it. No credential is checked, so it is effectively no authentication at all, and access control must come from other mechanisms such as encryption or a higher-layer login.
Shared-key authentication using WEP was intended to be more secure. The shared key is distributed to all stations that are authorized to use the network; the AP sends a station challenge text, the station returns it WEP-encrypted, and if the response decrypts correctly the AP grants network access. In practice this exchange is weaker than open-system authentication: the challenge is sent in the clear and the response is that same text encrypted under WEP, so anyone listening can XOR the two to recover the RC4 keystream for the IV used and then answer a later challenge correctly without ever knowing the key. Shared-key authentication should therefore be avoided even where WEP encryption is in use.
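To make the weakness of shared-key authentication concrete, the following Python is an added example (not from the chapter) that models the exchange end to end: a legitimate station answers the AP's challenge, then an eavesdropper who saw only the challenge and the response recovers the RC4 keystream for that IV and passes a fresh challenge without the key. The RC4, WEP framing (3-byte IV, CRC-32 ICV) and 40-bit key are a simplified textbook model for illustration; the key and IV values are constructed.

```python
"""WEP shared-key authentication and why it leaks the keystream.

Added example, not from the chapter. Models the 802.11 exchange: the
AP sends a 128-byte challenge in the clear; the station returns it
WEP-encrypted (RC4 keyed with IV || shared key, CRC-32 integrity value
appended, IV sent in the clear). Challenge XOR response gives the RC4
keystream for that IV, which is all an attacker needs to answer any
later challenge under the same IV. Illustrative RC4, not a product.
"""
import os
import zlib


def rc4_keystream(key, length):
    """Textbook RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext):
    """WEP integrity check value: CRC-32, little-endian as on the air."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(shared_key, iv, plaintext):
    """IV (clear) || RC4_{IV||key}(plaintext || ICV). 3-byte IV, 5-byte key = '64-bit' WEP."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4_keystream(iv + shared_key, len(data)))


def ap_check_response(shared_key, challenge, response):
    """AP side: decrypt with the IV the station chose and compare to the challenge."""
    iv, body = response[:3], response[3:]
    data = xor(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext == challenge and tag == icv(plaintext)


def recover_keystream(challenge, response):
    """Eavesdropper: keystream = ciphertext XOR (challenge || ICV(challenge))."""
    iv, body = response[:3], response[3:]
    return iv, xor(body, challenge + icv(challenge))


def forge_response(iv, keystream, new_challenge):
    """Answer a new challenge with the recovered keystream; the key is never needed."""
    data = new_challenge + icv(new_challenge)
    return iv + xor(data, keystream)


def demo(shared_key=b"\x01\x02\x03\x04\x05", iv=b"\x00\x00\x01"):
    """Legitimate exchange, then a forged one built only from what was overheard.

    Returns (legit_ok, forged_ok); both come back True.
    """
    challenge = os.urandom(128)                         # AP -> station, in the clear
    response = wep_encrypt(shared_key, iv, challenge)   # station -> AP
    legit_ok = ap_check_response(shared_key, challenge, response)

    seen_iv, keystream = recover_keystream(challenge, response)   # attacker listens
    new_challenge = os.urandom(128)                     # AP later challenges the attacker
    forged = forge_response(seen_iv, keystream, new_challenge)
    forged_ok = ap_check_response(shared_key, new_challenge, forged)
    return legit_ok, forged_ok


if __name__ == "__main__":
    print("legitimate station accepted: %s, attacker accepted: %s" % demo())
```

The forgery works because the AP accepts whatever IV the responder supplies and WEP gives no way to refuse an IV that has already been used; 802.1X/EAP-based authentication avoids the problem by never encrypting a predictable challenge under the long-term key.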
A stronger authentication system is based on IEEE 802.1X port-based network access control, which carries one of the authentication methods defined for the Extensible Authentication Protocol (EAP). EAP is defined in RFC 2284 (since replaced by RFC 3748) and supports a number of different authentication methods. 802.1X involves three entities:
A supplicant (the station requesting authentication)
The authenticator (typically the AP)
The authentication server (such as a Remote Authentication Dial-In User Service [RADIUS] server)
802.1X/EAP implementations for wireless typically derive a fresh encryption key each time a wireless user begins a new session, so stations no longer all share one static key. A number of wireless vendors provide proprietary authentication features that are based on EAP and 802.1X. In the future, 802.11i wireless standards will likely evolve out of the current 802.1X standards.
Encryption
Sending an unencrypted frame over the air lets anyone within radio range capture and read it. Encryption makes this harder. In addition to WEP (already described), other available encryption schemes include the following:
Data Encryption Standard (DES): A block cipher with a 64-bit block and a 56-bit user-selected key (the key is written as 64 bits, 8 of which are parity). A 56-bit key can be recovered by exhaustive search with modest hardware, so single DES is no longer considered adequate.
Triple DES (3DES): Applies DES three times with three 56-bit keys. The first key encrypts the data, the second decrypts it, and the third re-encrypts it (encrypt-decrypt-encrypt), for an effective strength of about 112 bits.
Advanced Encryption Standard (AES): The current U.S. Government-approved encryption standard. It is the Rijndael (pronounced "rain-doll") algorithm with a 128-bit block and a 128-bit, 192-bit, or 256-bit key. AES is considerably more demanding of the radio's processor than the RC4 cipher used by WEP, so it usually requires new hardware and might not be compatible with existing 802.11b equipment. The upcoming 802.11i standard uses AES (in CCMP mode).
Data Link Layer Proprietary Security Features
Some currently available wireless products contain a combination of proprietary Layer 2 security features and industry-standard security. It is beyond the scope of this chapter to list these product combinations here; however, they include combinations of encryption, per-session key exchange, and frame authentication to provide high levels of security.