It's Incredible This Works At All
A technical exploration into low level WiFi details

Steve Yuroff - @swy

Good afternoon, thank you for choosing It’s Incredible This Works at All. In this session, we're going to explore the low level technical foundations of how WiFi functions. We’re going to dig into the steps and tech that everything from an access point to a laptop, an Amazon Echo or a connected dishwasher is doing when it's part of a network. We’re going to take some time to appreciate the brilliant engineering that has become an indispensable part of our lives by investigating how some of the magic happens.

I am____ and I’m the senior tech in a 2 person IT department at an 85 person creative agency headquartered in Madison, WI. There my comrade and I handle pretty close to everything that runs on electricity, and a few things that don't. WiFi is one of many things I do, and it’s the topic I’ve spent the most of my flexible time on over the last year.

Obligatory Dilbert Comic

Enough time that in April of this year I passed the Certified Wireless Network Administrator exam. CWNA is a vendor-neutral exam from the Certified Wireless Network Professionals (CWNP) organization. It’s the starting point exam, targeted at those of us who manage wireless networks. As I studied for this test, I found myself fascinated by the beautiful technology that's invisible to us, so I want to share some of the coolest aspects of low level WiFi with you today.

Groundwork

• 802.11 = IEEE standard for wireless communications

• 802.11b = Old and Busted. 802.11ac = New Hotness

• 802.11n = biggest leap in speed

• 20MHz = base channel width

• Layer 1 = PHY

• Layer 2 = frames = “get data from Device A to Device B, using Layer 1”. Data frames hold IP packets

• Only ONE station can transmit at a time

Over the years I’ve seen a few presentations that I felt started too much in the middle of the topic, presuming the audience comes in knowing too much. In an effort to avoid that, I want to review some WiFi groundwork that I hope puts us all on a similar starting point.

An international organization called the Institute of Electrical and Electronics Engineers makes standards for all sorts of electrically engineered stuff, including wireless networking. The original IEEE wireless standard was first ratified in 1997, and was named 802.11.

In the evolution of WiFi, 802.11b is really old, and .ac is current tense. In between, the big milestone was 802.11n; we’ll be talking about what was so significant about it. These letters represent amendments to the 802.11 standard that give us ways to do new things, or old things in new ways. 802.11 a/b/g/n/ac get the marketing attention because speed sells. Other amendments cover how to roam more efficiently between APs on a network, how to make WiFi work for car to car communications to assist motor vehicle traffic, and many other ideas. We’re on .ac because there are already amendments up through 802.11z, and we’ve wrapped around to double letters. Not all of these amendments have been rolled into the standard: some get abandoned, others combined, and some are finalized but no manufacturer makes use of them.

The starting point for WiFi channel sizes is 20MHz, which got expanded to 40MHz in .n and up to a crazy 160MHz in .ac.

WiFi exists to provide the lowest 2 layers of the OSI Model, so we’re going to look at how it provides the replacement for a wire, and how we accomplish a really important task on Layer 2: having all the network participants take turns, where we move data as a frame.

A crucial WiFi fact is that among the clients and the access point they’re connected to, only one can be transmitting at any time, yet we can have a classroom all watching YouTube videos. There's an amazing system to take turns very quickly to give the illusion of continuous connections.

Let’s start at the very lowest levels: with nothing plugged in, how exactly do we use things we can’t see and can’t touch to reliably move data?

Simply modulate a carrier wave

https://giphy.com/gifs/mathematics-sin-pi-NKLdcqhwo2f8A https://commons.wikimedia.org/wiki/File:EM-Wave.gif

At the lowest possible level, it comes down to modulating a carrier wave. So what do we mean? Let’s tackle the noun in this sentence first: what is a carrier wave? A carrier wave is a pure, unmodified electromagnetic wave. So what are electromagnetic waves? When a charged particle is accelerated through space (such as from a ) it produces an oscillating magnetic and electric field... that's as deep into what a wave is as we need to go. Studying wave particle duality is fascinating, but out of sc
ope.

Obligatory XKCD comic

https://imgs.xkcd.com/comics/electromagnetic_spectrum.png

We're just going to acknowledge that electromagnetic waves are part of the real world, and we have figured out how to make them work for us. They go from radio waves through visible light through gamma rays. The part we’re going to concern ourselves with are small chunks in the 2.4 and 5 GHz neighborhoods, which thankfully are a long way from gamma rays, because we all know this is what slow WiFi does to us.

Wave Characteristics: Wavelength / Frequency, Amplitude

All of these waves have characteristics that we can measure and use. Amplitude: how high is the peak? If we were looking at sound waves, this would be the volume. Wavelength: the distance for a full cycle, anywhere from the scale of kilometers to millimeters. If we were looking at sound waves, this would be the pitch. In the 2.4 GHz band, if we could see the WiFi waves, they’d be around this size: the wavelength is in the neighborhood of 4.8 inches. Note that both of these waves have the same wavelength, but their amplitudes differ. If we could see 5 GHz, it would look like this: closer to 2 inches. Remember that we’re looking at a snapshot; if you could see these waves arriving at a receiver, it would be like standing on the dock at a lake, watching the pattern of highs and lows come in.

Frequency is a count of how many full cycles happen every second, and is directly related to wavelength: shorter wavelength = shorter distance between peaks = more peaks in a second. The measure of “cycles per second” is Hertz. Giga = billion.

So these waves are coming in at about one per second, so 1Hz. If you could stand on the beach watching WiFi waves come in, you’d be watching at minimum 2 billion, 400 million of them per second, and at the top end of our allowed range, just under 6 BILLION per second.

So we can make radio waves and measure them on a receiver. How do we make them useful? These waves are analog, and we need them to carry digital data. Back to the “modulate a carrier wave” phrase.

Frequency Shift Keying

0 1 0 1 1 0

Modulate = “to change”. How do we need it to change? In this section, we’re starting at the lowest possible level of a wireless data network, what everything is built upon: Layer 1 in the OSI model. At that lowest possible level, it all boils down to putting a bunch of 1s and 0s in the right order and getting them received at the far side. So we need ways to represent 1 and 0. The simplest way to do that is to define 2 states of one of the measurable characteristics of our carrier wave, declare that one state represents a 1 and the other represents a 0, and change between them (or not) at a declared interval of time, which we call a symbol period.

Frequency Shift Keying is one way that can be done. As you can see, we have a frequency for 0 and a frequency for 1, and we can see which one we have at each symbol start. Frequency Shift Keying was used in legacy WiFi deployments, but it doesn’t scale up to the speeds we want to have today: we don’t modulate frequency in modern WiFi.

So we’ll have to look at other aspects of the wave to modulate.

0 1 0 1 1 0

Just like in FSK, we can pick 2 states of amplitude of our carrier wave, and these correspond to a 1 or a 0. At every symbol period we evaluate which amplitude we have, and record the value.

There’s one more characteristic of a wave we can measure, which I haven’t brought up yet.

Binary Phase Shift Keying (BPSK)

0 1 0 1 1 0

Phase is a relative term: you have to compare it to something. In this case, we measure it relative to our time interval, the start of a symbol.

In Binary Phase Shift Keying, we declare a wave starting at 0° to be a 0, but if we start our symbol at 180°, that's a 1.

Note that the waves are not really evaluated every 3rd cycle as shown here; we’ll get to how long symbol periods are before we’re done.

Quadrature Phase Shift Keying (QPSK)

0° = 00, +90° = 01, +180° = 10, +270° = 11

What if we went beyond starting the wave at 0° or 180°, and threw in 90° and 270° as possible starting points? Now we don’t just have a 1 or 0 at each symbol period, but 00, 01, 10 and 11: hey, we just doubled our data rate by getting 2 bits per symbol instead of 1.

QPSK took us up to a data rate of 18Mbps in 802.11a and g. 18Mbps isn’t all that hot… so how do we go faster? Well, we’ve only played with phase so far, and we have another wave aspect we can modulate.

Quadrature Amplitude Modulation (QAM)

16-QAM constellation (vertical axis: Amplitude, horizontal axis: Phase)

1011 1001 0010 0011
1010 1000 0000 0001
1101 1100 0100 0110
1111 1110 0101 0111

Quadrature Amplitude Modulation is more conveniently known as QAM, pronounced “kwam”. QAM is where we start changing both phase and amplitude, but somehow phase gets left out of the name… Amplitude had better lobbyists, I dunno.

Our starting point in QAM is called 16-QAM for the 16 combinations of amplitude and phase that we can choose from. Consider each one of these grid centers to be a target amount of phase and amplitude change. Now with each symbol, we can change 2 variables: the 0, 90, 180 or 270 degree phase change, AND an amplitude change: up a little, up a lot, down a little, down a lot.

64 QAM

000100 001100 011100 010100 110100 111100 101100 100100

000101 001101 011101 010101 110101 111101 101101 100101

000111 001111 011111 010111 110111 111111 101111 100111

000110 001110 011110 010110 110110 111110 101110 100110

000010 001010 011010 010010 110010 111010 101010 100010

000011 001011 011011 010011 110011 111011 101011 100011

000001 001001 011001 010001 110001 111001 101001 100001

000000 001000 011000 010000 110000 111000 101000 100000

So this is pretty cool… how far can we take it?

At 64-QAM we’re at +/- 4 levels of phase and amplitude change, and representing 6 bits of data with each symbol. This is the top end modulation for 802.11n.

256 QAM

[256-QAM constellation: a 16 by 16 grid of 256 symbol points]

In 802.11ac, we gained 256-QAM, which takes us to a 16*16 grid, with 8 shifts in each direction for phase and amplitude, and 8 bits per symbol. This is the most complex data encoding within the WiFi spec as of 802.11ac.

QAM isn’t specific to wireless tech; it's used in dial-up modems, cable modems, digital cable and many other places. Any internet communications we make have a high chance of being transferred through a system that uses QAM.

So this looks like where we want to be: we get 8 bits for every symbol, which is much better than the 1 we started out with. Why not just use this all the time?

BPSK via NERF

P: 0 1 0 1 0 0 0 0
S: 0 1 0 1 0 0 1 1
U: 0 1 0 1 0 1 0 1

To answer that, let’s say we wanted to use these concepts to shout out PSU, but of course in binary, since that is what we’re working with at Layer 1. So here we have a wireless receiver. And we wish to transmit some symbols: (holds up dart) So we need a transmitter… (get his/her name) Now there’s going to be some interference on our network, something that might keep what we indicated on the transmitter from working out perfectly. (turns on fan)

Ask questions: Was it particularly challenging to indicate a 1 or 0? Could you have hit the target with a bigger fan interfering? I bet you could have hit those from a few rows back, right?

Downside? Slow. Binary PSK is the simplest, but most robust, encoding WiFi uses. So let’s take it up the scale.

16 QAM

1011 1001 0010 0011
1010 1000 0000 0001
1101 1100 0100 0110
1111 1110 0101 0111

P: 0101 0000
S: 0101 0011
U: 0101 0101

Let’s try indicating the same thing at 16-QAM, but now since we get 4 bits per symbol, we only have to use 6 symbols to transfer our data.

Do you think you could have hit these targets from as far back as with BPSK?

Smaller margin for error, right?

But we moved data 4 times faster!

256 QAM

[256-QAM constellation: a 16 by 16 grid of 256 symbol points]

P: 0101 0000
S: 0101 0011
U: 0101 0101

256-QAM is going to take our shout out from 6 symbols to 3, at the price of requiring 4 times as much precision in both amplitude and phase.

Give it a shot. Notably harder, right? (a round of applause for ______)

This is why you only get the great speeds from the marketing materials in ideal conditions. If WiFi has to go a large distance or through obstacles to get to the receiving side, it’s like having more and bigger fans around: the signal gets altered by the physical environment. While the transmitter will have made a perfect 90° phase change, by the time it goes through a wall to the receiver, it’s 90°-ish. It’s not just walls that affect WiFi:
- RF energy naturally spreads out and gets weaker with distance: Free Space Path Loss. Think of the ripples from throwing a rock into a pond.
- Naturally occurring RF in the universe; EM waves don't come exclusively from things we made.
- Neighbors' WiFi (unless you're in the woods, then the WISP).
- Microwave ovens are a classic source of 2.4 GHz interference.
- Us: we are big bags of water that are quite good at absorbing RF energy.

Constellation Diagrams

Visualize the received amplitude and phase changes as the receiver sees them in a constellation diagram. If every modulation was received exactly as sent, each of the 64 or 256 targets would have a single dot straight in the middle, stacked up infinitely, instead of a cluster. We want that cluster close to the center, staying away from the borders.

So what if the receiver sees the signal enough off the intended value that it is categorized in the wrong space? Maybe the amplitude of this measured value was intended to be in the top target, but it came in low:

000010 -> 001010

Uh oh… We’ve induced a change in our data stream: what we said isn't what was heard. Is this a problem? Is it like interacting with one’s unique body chemistry, where we turn our mild mannered data into
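To put numbers on the Nerf dart demonstration and on the decision regions of the constellation diagram, here is an added example, written for this page rather than taken from the talk. It builds Gray-coded BPSK, QPSK, 16-, 64- and 256-QAM constellations, scales each to the same average transmit power, maps the "PSU" bits onto symbols, and decodes received points back to bits by nearest-target lookup. The fan is simulated as Gaussian noise of a fixed size added to every received point (a constructed model, not a measured channel), which reproduces the ordering seen in the live demo: at one noise level BPSK and QPSK come through error-free, 16-QAM nearly so, and 64- and 256-QAM misdecode a growing share of symbols. The function names, the sample payload and the random seed are my own choices.

```python
import math
import random

# --- constellation construction ------------------------------------------------

def _gray(n: int) -> int:
    """Gray code, so neighbouring targets on an axis differ in one bit (as on the 16-QAM slide)."""
    return n ^ (n >> 1)

def _square_qam(bits_per_axis: int):
    """Square QAM grid with amplitude levels -(L-1), ..., -1, +1, ..., L-1 on each axis."""
    levels = 1 << bits_per_axis
    points = []
    for i in range(levels):          # in-phase axis
        for q in range(levels):      # quadrature axis
            symbol = (_gray(i) << bits_per_axis) | _gray(q)
            points.append((2 * i - (levels - 1), 2 * q - (levels - 1), symbol))
    return points

def _unit_power(points):
    """Scale a constellation so its average symbol energy is 1: the same transmit power for every order."""
    avg_energy = sum(i * i + q * q for i, q, _ in points) / len(points)
    scale = 1 / math.sqrt(avg_energy)
    return [(i * scale, q * scale, s) for i, q, s in points]

CONSTELLATIONS = {
    "BPSK": _unit_power([(-1, 0, 0), (1, 0, 1)]),   # 0 degrees = bit 0, 180 degrees = bit 1
    "QPSK": _unit_power(_square_qam(1)),
    "16-QAM": _unit_power(_square_qam(2)),
    "64-QAM": _unit_power(_square_qam(3)),
    "256-QAM": _unit_power(_square_qam(4)),
}

def bits_per_symbol(name: str) -> int:
    return int(math.log2(len(CONSTELLATIONS[name])))

def min_distance(name: str) -> float:
    """Smallest gap between two targets; half of it is the error a receiver can tolerate."""
    pts = CONSTELLATIONS[name]
    return min(math.hypot(a[0] - b[0], a[1] - b[1])
               for n, a in enumerate(pts) for b in pts[n + 1:])

# --- modulator / demodulator ---------------------------------------------------

def text_bits(text: str):
    """ASCII text as a list of bits, most significant bit first (P = 01010000)."""
    return [int(b) for ch in text.encode("ascii") for b in format(ch, "08b")]

def symbols_needed(text: str, name: str) -> int:
    return math.ceil(len(text_bits(text)) / bits_per_symbol(name))

def modulate(name: str, bits):
    """Group the bits k at a time and look up the (I, Q) target for each group."""
    k = bits_per_symbol(name)
    if len(bits) % k:
        raise ValueError(f"{name} needs a multiple of {k} bits")
    lookup = {s: (i, q) for i, q, s in CONSTELLATIONS[name]}
    return [lookup[int("".join(map(str, bits[n:n + k])), 2)] for n in range(0, len(bits), k)]

def demodulate(name: str, samples):
    """Hard decision: each received point is assigned to the nearest target."""
    k = bits_per_symbol(name)
    pts = CONSTELLATIONS[name]
    bits = []
    for i, q in samples:
        _, _, symbol = min(pts, key=lambda p: (p[0] - i) ** 2 + (p[1] - q) ** 2)
        bits.extend(int(b) for b in format(symbol, f"0{k}b"))
    return bits

def bit_error_rate(name: str, bits, sigma: float, seed: int = 1) -> float:
    """Send the bits, add Gaussian noise of standard deviation sigma per axis (the fan), decode, count."""
    rng = random.Random(seed)
    received = [(i + rng.gauss(0, sigma), q + rng.gauss(0, sigma)) for i, q in modulate(name, bits)]
    decoded = demodulate(name, received)
    return sum(a != b for a, b in zip(bits, decoded)) / len(bits)

SAMPLE_BITS = text_bits("PSU" * 100)   # constructed payload: the shout-out, 100 times over

if __name__ == "__main__":
    for name in CONSTELLATIONS:
        print(f"{name:8s} bits/symbol={bits_per_symbol(name)}  symbols for PSU={symbols_needed('PSU', name):2d}"
              f"  min distance={min_distance(name):.3f}  BER at sigma=0.1: {bit_error_rate(name, SAMPLE_BITS, 0.1):.3f}")
```

The minimum distance column is the whole story of the fan: at equal transmit power, the targets of 256-QAM sit about 13 times closer together than the two BPSK targets, so the same amount of phase and amplitude error that BPSK shrugs off pushes a 256-QAM point across a decision boundary.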

Convolutional Coding

Up to a point, no. Here WiFi builds on error detection and correction technologies first developed in the 1950s, and used in communications from spacecraft through digital video broadcasts. Convolutional Coding is a type of Forward Error Correction that adds redundant bits computed from the data stream, so that the receiving side can verify it got the original stream, and if it did not, and the error rate is not too high, use error correction to reconstruct the intended stream of bits on the fly. So when our data stream to be transmitted goes through the Convolutional Coding process, we end up with more bits to transmit than went in, so it can be more robust and tolerate errors.

www.mcsindex.com

How many more bits? The standard answer in wireless: "it depends". (If the chart is too small to read, see mcsindex.com.) In the poorest conditions, half of the bits in the transmission are there for error correction (a 1/2 code rate); in ideal conditions, 5 out of 6 bits carry data and 1 in 6 is redundancy (a 5/6 code rate). So between the modulation and the coding rate, we’re onto a term you may have heard of: the MCS Index, Modulation and Coding Scheme.
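The redundancy and the code rates described above, as an added example that is not from the talk: a rate-1/2 convolutional encoder using the 802.11 generator polynomials 133 and 171 (octal, constraint length 7), puncturing to the higher code rates by dropping coded bits, and a hard-decision Viterbi decoder that treats the dropped bits as erasures and reconstructs the original bits through a few isolated channel errors. The puncturing patterns are written down from my reading of the 802.11a/n puncturing figures; the encoder and decoder only require that the two agree on them. The register convention, the `survives` helper and the sample bit pattern are my own.

```python
K = 7                        # constraint length: each output bit depends on the 7 latest inputs
G0, G1 = 0o133, 0o171        # 802.11 generator polynomials (octal)
N_STATES = 1 << (K - 1)      # 64 encoder states = the 6 previous input bits
TAIL = K - 1                 # zero bits appended so the encoder (and the decoder) end in state 0

# Puncturing patterns over the rate-1/2 output stream A0 B0 A1 B1 ...: 1 = transmit, 0 = drop.
# Assumption: patterns as I read them from the 802.11a/n puncturing figures.
PUNCTURE = {
    "1/2": [1, 1],
    "2/3": [1, 1, 1, 0],
    "3/4": [1, 1, 1, 0, 0, 1],
    "5/6": [1, 1, 1, 0, 0, 1, 1, 0, 0, 1],
}

def _parity(x: int) -> int:
    return bin(x).count("1") & 1

def _step(state: int, bit: int):
    """Shift one input bit into the encoder; return (next_state, (out_a, out_b)).
    Convention (mine): the newest bit sits at the top of the 7-bit register."""
    reg = (bit << (K - 1)) | state
    return reg >> 1, (_parity(reg & G0), _parity(reg & G1))

def encode(bits, rate: str = "1/2"):
    """Rate-1/2 encode with tail bits, then puncture down to the requested rate."""
    state, coded = 0, []
    for b in list(bits) + [0] * TAIL:
        state, (a, c) = _step(state, b)
        coded += [a, c]
    pattern = PUNCTURE[rate]
    return [v for n, v in enumerate(coded) if pattern[n % len(pattern)]]

def _depuncture(coded, rate: str, n_coded: int):
    """Re-insert None (an erasure) wherever the transmitter dropped a bit."""
    pattern, source, out = PUNCTURE[rate], iter(coded), []
    while len(out) < n_coded:
        out.append(next(source) if pattern[len(out) % len(pattern)] else None)
    return out

def decode(coded, n_bits: int, rate: str = "1/2"):
    """Hard-decision Viterbi decoding: pick the valid encoder path closest in Hamming distance."""
    received = _depuncture(coded, rate, 2 * (n_bits + TAIL))
    INF = float("inf")
    metrics = [0] + [INF] * (N_STATES - 1)      # the encoder is known to start in state 0
    history = []                                 # per step: best (previous_state, input_bit) per state
    for t in range(0, len(received), 2):
        pair = received[t:t + 2]
        new_metrics, back = [INF] * N_STATES, [None] * N_STATES
        for s in range(N_STATES):
            if metrics[s] == INF:
                continue
            for b in (0, 1):
                ns, out = _step(s, b)
                # erased bits cost nothing; each bit that disagrees with what was heard costs one
                m = metrics[s] + sum(o != r for o, r in zip(out, pair) if r is not None)
                if m < new_metrics[ns]:
                    new_metrics[ns], back[ns] = m, (s, b)
        metrics = new_metrics
        history.append(back)
    state, bits = 0, []                          # the tail bits force the true path to end in state 0
    for back in reversed(history):
        state, b = back[state]
        bits.append(b)
    bits.reverse()
    return bits[:n_bits]

def survives(bits, rate: str, flip_positions) -> bool:
    """Encode, flip the given positions of the transmitted stream, decode; True if the data came back intact."""
    sent = encode(bits, rate)
    for p in flip_positions:
        sent[p] ^= 1
    return decode(sent, len(bits), rate) == list(bits)

SAMPLE_BITS = [int(c) for c in "1011000110101111" * 5]   # constructed 80-bit payload

if __name__ == "__main__":
    for rate in PUNCTURE:
        print(f"rate {rate}: {len(SAMPLE_BITS)} data bits -> {len(encode(SAMPLE_BITS, rate))} transmitted bits")
    print("rate 1/2, four scattered errors corrected:", survives(SAMPLE_BITS, "1/2", [10, 50, 90, 130]))
    print("rate 5/6, one error corrected:", survives(SAMPLE_BITS, "5/6", [40]))
```

The rate-1/2 stream is a little more than twice the payload (the six tail bits are the overhead the speaker's "more bits than went in" hides), and the punctured rates shrink that at the cost of correction margin: the 5/6 code still fixes an isolated error, but it has far less slack than the 1/2 code when errors arrive close together, which is exactly why a noisy link is pushed down the MCS table.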

MCS values start at 0 for the simplest modulation (BPSK) and the lowest code rate, to facilitate getting communications to work in rough conditions at the sacrifice of speed. At the top end... well, the naming of the top end of MCS rates varies by what vintage of WiFi is in use. We’ll take a look at .n and .ac.

In this chart, 802.11n MCS rates are on the left, in yellow. The highest MCS rate on this chart is 23. In blue, on the right, we have 802.11ac. In .ac, this was simplified so as not to count every spatial stream as a different MCS, so the index repeats 0-9 for each stream count. If you don't know what I mean by spatial streams, hang on; they're amazing, and they're coming up.

Option-click the WiFi icon in your menubar; towards the end of the list, in grey, you'll see your current MCS and transmit rate. What are we getting? These values are the sweet spot of the most complex modulation and the necessary coding required to balance speed and reliability of your connection. So how do the device and the AP determine that sweet spot?

Dynamic Rate Switching

The criteria that set the logic for making these rate selections, known as Dynamic Rate Switching or Adaptive Rate Selection, are trade secrets; the vendors don’t talk about it. They’re an assessment of signal strength, error rates, retransmissions, noise floor, and potentially other measurements. How each driver makes its choice of rates is a formula they hold close, because they want to say they’re more optimal than the competition. I’ve seen some devices' decision making process criticized by WiFi folks: in one case, gear was accused of staying at an inappropriately high MCS, which makes the connection speed look good in your menubar, but a deeper analysis of "how well is this performing?" reveals that despite the convolutional coding, many of the wireless frames aren’t being interpreted properly, which means they have to be resent, which means the actual performance of the network falls below what one would expect for the negotiated MCS rate.

The important thing to know is that it’s expected behavior for devices to shift between the modulation and coding technologies as they change distance from the AP, and sometimes due to environmental changes that we can’t observe, but they have their logic, which they’re not sharing.

Watts

0.10 to 60W 14W 8W 0.001W

https://twitter.com/sstephenson/status/522134879316627456

When we’re powering these radios, how much energy are we putting into them? For perspective, I’m going to employ Apple’s Energy Saver icon history. As time has progressed, Apple has used an incandescent bulb, a compact fluorescent, and an LED. These real world bulbs probably draw 60, 14 and possibly 8 watts. In WiFi, the highest FCC allowed output measured at the transmitter, before the antenna, is ONE Watt, and in practice that is only used for outdoor, point to point links, say between buildings. We measure WiFi transmitter power in milliwatts, 1/1000th of a Watt. 1 to 100mW is the standard output range for WiFi transceivers.

Multipath

Who remembers analog TV, back before HD? It's a natural occurrence that RF transmissions find multiple routes between the transmitter and receiver: besides a direct "line of sight" path (when possible), they bounce off of things. When analog TV found multiple paths to your receiver, it might look something like this: a second "ghost" image appears, shadowing the main image. This happened because the bounce path was a little bit longer, and therefore arrived just a little bit later. WiFi doesn't get an exemption from multipath; it's guaranteed to happen in indoor deployments, which is of course where we use it most. In the early standards, multipath was WiFi's enemy, and a problem to solve for in deployments.

MIMO

• Introduced in 802.11n-2009

• Multiple Input, Multiple Output

• Now use up to 4 transmit and receive radios per device

With 802.11n, the engineers turned this multipath problem into an asset, and gave WiFi its single biggest performance leap with the introduction of MIMO: Multiple Input, Multiple Output. Before MIMO, every WiFi AP and mobile device had a single radio transmitter/receiver in it: Single Input, Single Output. With MIMO we started using up to 4 radios per device at the same time, on the same channel, to harness multipath for the powers of good.

How does that work?

Possible results of multipath

• Upfade: Phase difference of 0-119° -> increase signal strength

• Downfade: 121-179° difference -> decrease signal strength

• Nulling: 180° = total cancellation.

• https://www.geogebra.org/m/BOMfKCIK
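Why the list above splits at roughly 120°, as an added derivation that is not on the slide: two copies of the same carrier arriving with a phase difference $\varphi$ (and, for simplicity, equal amplitude) add as

$$\cos(\omega t) + \cos(\omega t + \varphi) = 2\cos\!\left(\tfrac{\varphi}{2}\right)\cos\!\left(\omega t + \tfrac{\varphi}{2}\right),$$

so the combined amplitude is $2\lvert\cos(\varphi/2)\rvert$ times that of a single copy: 2 at $\varphi = 0°$, exactly 1 (no change) at $\varphi = 120°$, and 0 at $\varphi = 180°$. A bounce path that is $\Delta d$ longer than the direct path contributes $\varphi = 2\pi\,\Delta d/\lambda$; at 2.4 GHz, with $\lambda \approx 12.5$ cm, a path only about 6.25 cm longer arrives 180° out and nulls the signal.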

When a WiFi transmission is received through multiple paths, there are a number of possible outcomes. The least desirable is when one path is so much longer than the other that the two copies are too far out of sync for their combination to be usable.

There are 3 other possible results of multipath, all of which we can use to our advantage in different ways: Upfade, aka "Constructive Multipath", where we gain a stronger signal; Downfade, aka "Destructive Multipath", where the signal is weakened; and it can be weakened all the way to nothing, which is called Nulling. (Click link!)

Transmit Beamforming

• Good: Implicit feedback: somewhat like sonar

• Better: Explicit feedback: beamformee does the analysis, makes a steering matrix for beamformer’s use

• Key to MU-MIMO

The first way we can use multipath to our advantage is via Transmit Beamforming. Goal: get radio waves from 2 or more transmitters in one device to combine constructively at a destination. Let’s say I wish to arrange constructive multipath where you are. How do I know if I’m getting it right? There are 2 techniques: a good way, and a better way. Good: “implicit feedback”. I would send something called a sounding frame to you, and you would reply. At the beginning of every 802.11 frame are transmissions for calibrating the radios to each other, called training fields. I’ll hear these in your reply, and analyze them to make an educated guess at how to adjust to maximize upfade. Kinda like sending a sonar ping out, hearing how it comes back, and reacting accordingly. This is the feedback mechanism 802.11n gear used in practice.

Better: with explicit feedback I send you a frame, you analyze my training fields as you hear them, do calculations, and send feedback on how they were received back to me, to inform me how to transmit most effectively. It’s your job to say “based on what I hear, this is what’s going to work best”. This process is called channel sounding. .ac networks only use explicit feedback. Explicit feedback is key to providing Multi-User MIMO.

Multi-User MIMO

http://chimera.labs.oreilly.com/books/1234000001739/ch04.html#mumimo_implementation

In Multi-User MIMO our APs (and it's only for the APs) can transmit to up to 4 clients at the same time… in the fortunate situation that a good number of requirements are met. Those requirements include client support for MU-MIMO and the clients being physically separated in space. In MU-MIMO, a more complicated channel sounding process is used, soliciting explicit feedback from multiple clients and combining that feedback to make a steering matrix, which defines transmit parameters at the antennas that will simultaneously strive to make the overlap of waves that hold the laptop’s data arrive as upfade at the laptop exclusively, and as nulls at the phone and PDA. And then arrange the same for the other combinations: the transmission for the iPhone arrives as upfade at the iPhone, and downfade at the 2 others, etc.

Better Multipath: Spatial Multiplexing

ABCDEF

What’s usually better than Transmit Beamforming is Spatial Multiplexing. In Spatial Multiplexing, we take the data to be transmitted, spread it out among the available radios, and then transmit unique data streams from multiple radios to a specific client at the same time. While Transmit Beamforming might bump us up an MCS rate or 2, you'd rather stick with a slower modulation and double or triple the real data transfer by taking the data to be transmitted, cutting it up and transmitting sections in parallel over multiple radios, like this.

How can this possibly work? It works because our antennas are separated by at least 1/2 of a wavelength; that's enough to ensure the paths from the transmitters to the receivers differ. This difference is known as Spatial Diversity. So think about this: if you have an iPhone 6s or higher (or a number of other devices), you have 2 full WiFi transmit and receive radio systems in your pocket computer, which will transmit on the same channel simultaneously, and use the fact that a signal from the left side radio will take a slightly different path to the AP than the one from the right, because they are physically separated by at least this much space, to move twice as much data. Yet these 2 radios don’t interfere with each other.
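The "slightly different path" argument worked through as an added example, not part of the talk: two transmit chains send two different symbols on the same channel at the same instant, and each receive chain hears a weighted sum of both, the weight for each antenna pair being set by the rays between them (a phase rotation of 2π·d/λ and a 1/d amplitude per ray, a simplified free-space model I am assuming rather than a measured channel). Two sums in two unknowns are solvable when the channel matrix is invertible, which is what antenna separation plus a bounce path buys; put the two transmit antennas in the same spot and the columns become identical, so nothing can be separated. The geometry, the 12.5 cm wavelength and the function names are my own choices.

```python
import cmath
import math

WAVELENGTH_M = 0.125   # assumption: about 12.5 cm, roughly the 2.4 GHz band

def channel_matrix(paths_m):
    """H[r][t]: complex gain from transmit chain t to receive chain r, summing every ray between them.
    paths_m[r][t] is a list of ray lengths in metres (direct path plus any bounces)."""
    return [[sum(cmath.exp(-2j * math.pi * d / WAVELENGTH_M) / d for d in rays) for rays in row]
            for row in paths_m]

def mix(h, x):
    """What the two receive chains hear when x[0] and x[1] are sent at once: y = H x (noise-free)."""
    return [h[0][0] * x[0] + h[0][1] * x[1],
            h[1][0] * x[0] + h[1][1] * x[1]]

def _inverse(h):
    det = h[0][0] * h[1][1] - h[0][1] * h[1][0]
    if abs(det) < 1e-12:
        raise ValueError("channel matrix is singular: the two streams cannot be told apart")
    return [[h[1][1] / det, -h[0][1] / det],
            [-h[1][0] / det, h[0][0] / det]]

def separate(h, y):
    """Zero-forcing receiver: undo the mixing, x_hat = H^-1 y. This is the DSP work the text mentions."""
    g = _inverse(h)
    return [g[0][0] * y[0] + g[0][1] * y[1],
            g[1][0] * y[0] + g[1][1] * y[1]]

def separable(paths_m) -> bool:
    try:
        _inverse(channel_matrix(paths_m))
        return True
    except ValueError:
        return False

def noise_gain(h) -> float:
    """Largest entry of H^-1: how much receiver noise gets multiplied while separating the streams."""
    return max(abs(v) for row in _inverse(h) for v in row)

def round_trip(paths_m, x):
    """Send two symbols through the channel and recover them; returns the estimates."""
    h = channel_matrix(paths_m)
    return separate(h, mix(h, x))

# Constructed geometry (metres): two chains at each end, a direct ray and one wall bounce per pair.
# Ray lengths are multiples of WAVELENGTH_M/8 so the phases can be followed by hand.
GOOD_PATHS = [
    [[4.0, 5.0],        [4.03125, 4.96875]],    # rx0 hears tx0 and tx1
    [[4.0625, 5.03125], [4.0, 5.0]],            # rx1 hears tx0 and tx1
]
# Both transmit antennas in the same spot: each receive chain hears the same mix from both streams.
SINGULAR_PATHS = [
    [[4.0, 5.0],        [4.0, 5.0]],
    [[4.0625, 5.03125], [4.0625, 5.03125]],
]
# Transmit antennas about a millimetre apart: not singular, but noise is amplified enormously.
CROWDED_PATHS = [
    [[4.0, 5.0],        [4.001, 5.0005]],
    [[4.0625, 5.03125], [4.0635, 5.03175]],
]

if __name__ == "__main__":
    sent = [1 + 1j, -1 + 1j]     # one QPSK symbol per stream
    print("recovered:", [complex(round(v.real, 6), round(v.imag, 6)) for v in round_trip(GOOD_PATHS, sent)])
    print("separable with spacing + bounce:", separable(GOOD_PATHS))
    print("separable with co-located antennas:", separable(SINGULAR_PATHS))
    print("noise gain, good vs crowded: %.1f vs %.1f"
          % (noise_gain(channel_matrix(GOOD_PATHS)), noise_gain(channel_matrix(CROWDED_PATHS))))
```

The crowded case is the practical caveat: the matrix stays invertible, so the streams can still be separated on paper, but every unit of receiver noise comes out multiplied by a few hundred, and no MCS survives that. Real receivers use that conditioning, rather than a yes/no singularity test, when deciding whether a second stream is worth the DSP and battery cost the next paragraph describes.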

One of the downsides of Spatial Multiplexing is that individually hearing and recombining the multiple streams into one requires significant computing from a Digital Signal Processor chip. Processing our received streams on that DSP chip has a battery overhead, which is one reason that many mobile devices still have a single radio… there’s always a tradeoff. A middle ground is that most devices can sleep unneeded radios and just operate on one, until it becomes beneficial to have multiple, then bring them up.

https://www.youtube.com/watch?v=aqqEYz38ens

A remarkable visualization of just how quickly WiFi signal strength can change by location was done by electrical engineer Chris Lohr on his YouTube channel. He took a WiFi module, hooked up an LED and a battery, and had his computer change the LED color based on the signal strength the module reported at any place in space. The first step was to just move it around, and observe how little change in physical location it takes to alter the LED color. You can see that we don’t need to move a WiFi receiver any significant distance to make major changes in received signal strength; just about every change in position alters what the radios see.

http://cnlohr.github.io/voxeltastic/

He then took observing these color changes to the next level, by attaching what he had in his hand to a mill, having it follow a zig-zag pattern across the horizontal plane, and measuring the signal strength at each point in space. He then repeated this at different layers, and composited it all together in a 3D model. This model is of the variations in WiFi reception in a space 14 by 14 by 7 inches.

The denser areas represent where the signal was good; the open areas are where it is less so. You can see how frequently signal quality varies in a small area.

Chains and Terminology

• Transmitters x Receivers: Spatial Streams sent or received

• Most common: 2x2:2 and 3x3:3

• 4x4:4, 3x3:2 and 1x1:1 also exist

When we talk about spatial streams, we often talk about chains: each unique combination of a radio and its supporting components (amplifier, analog-digital converters, antenna) chained together to make a unique transmitter/receiver system that transmits and receives independently of the others in the device.

The standard terminology format for "how many chains does this device support?" is: how many transmitters (times) receivers (colon) how many spatial streams the device can handle, where back in the animation ABC and DEF were on separate spatial streams.

So we might have a device that can use 2 or 3 transmitters and receivers at a time. The top end APs available today can support 4 SS, but to my knowledge there's only ONE product on the market that puts 4 spatial streams on the user device: Asus makes a PCI card for desktops. It's also possible to have a device with 3 transmitters and 3 receivers that is only able to use 2 of them at a time.

If your phone is older than the 6s, it's a single stream device. No matter what the capabilities of the AP it associates with are, only 1 stream can be used between that phone and an AP. Likewise, to get full value out of the Asus 4 stream PCI card, it needs to be associated with a 4 stream AP.

108MHz - 88MHz = 20MHz

1700KHz - 530KHz = 1,170KHz = 1.170MHz

So when our WiFi devices transmit, the smallest channel size they use is 20MHz. How big is 20MHz? Let's compare to something we've all had around all our lives: AM and FM broadcast radio. Broadcast FM lives between 88 and 108 MHz. That's pretty simple math: this means that at a minimum, every WiFi transmission takes up as much frequency space as the entire broadcast FM band. When we move up to 40, 80 and the crazy 160MHz channels, it's 2, 4 and 8 times the size! Broadcast AM radio has an allocation at a much lower frequency range than FM; it spans from 530 to 1700KHz (in the USA). When we do that math, we see that all the AM broadcast stations you can choose from fit in a whole 1.17MHz of space.

So… how are we using from 20 up to 160 MHz at a time? As we’ve discussed radio waves and how we modify them to transfer data, we’ve talked about the situation as if we’re doing all these phase and amplitude modulations to a single transmission. But we’re not. We’re modifying 48 carrier waves, or even more.

Orthogonal Frequency Division Multiplexing and subcarriers

Let’s break down that mouthful of a title. The easy part is the middle 2 words, Frequency Division: our 20MHz frequency allocation is divided into 64 slices, called subcarriers. Each is on a unique frequency. It’s similar to how the 20MHz of broadcast FM is broken up into separate stations, each on their own frequency.

Multiplexing: the concept of simultaneous transmission of several messages within a single channel of communication, one on each subcarrier within the channel. Maybe you’ve heard of a “multiplex theatre?” One cinema, many screens. One channel, many carriers.

Orthogonal refers to the spacing of each of these subcarriers. The act of modulating a carrier wave spreads weak energy onto neighbouring frequencies (side lobes, in a predictable pattern). Let’s take a closer look at 4 of our subcarriers, and make them a bit bigger so we can see where those side lobes land.

Orthogonal Frequency Division Multiplexing and subcarriers

These are spaced so that the side lobes of each subcarrier pass through zero exactly where the neighbouring subcarriers are at their peak; this specific spacing is what lets all these separate transmissions be good neighbors to each other. (Investigate colors: max vs mins)

So what does this mean? It means that when we transmit data in an OFDM system (everything except 802.11b), we’re not doing all that phase and amplitude modulation to 1 carrier wave; we do it to at least 48 unique carriers, each on its own frequency, and modulate each of those electromagnetic waves. I say “at least” because it got bumped up to 52 of the 64 with 802.11n, and when we start bonding channels to 40MHz and beyond, we gain even higher percentages of the subcarriers being modulated, so efficiency goes up.

Why not all 64? Some of them, called pilot carriers, are used as guide references for baseline phase and amplitude to keep the transmitter and receiver in sync. OFDM also leaves the edge subcarriers unused, so the side lobes can trail off within the allowed space, and the center subcarrier, the one sitting right on the channel's nominal frequency, is left empty as well.

Each of these subcarriers is modulated relatively infrequently (at least compared to a full wave cycle happening 2.4 billion times per second!), but because there are so many of them in use, the aggregate data rate can be high.

So when we say channel 36 is at 5180MHz... kinda. That's the center. It's really a team of 48 or more frequencies centered around 5180MHz.

Guard Intervals

• Symbol: collection of bits modulated onto carrier wave (or Nerf dart)

• 3.2µs = 3.2 millionths of a second. 0.0000032 seconds

• Guard Interval: Standard: 800ns (0.8µs)

• 3.2µs + 0.8µs = 4µs standard symbol length.

• 250,000 symbols/second

• Shorter: 400ns -> 3.6µs symbols -> 277,777 symbols/second

As we discussed, we call every bit or collection of bits modulated onto a carrier wave a symbol. In other words, symbols are the Nerf darts.

The amount of time required to transmit a symbol is mathematically defined by the subcarrier spacing, and the math works out that a WiFi symbol lasts 3.2 microseconds. In other words, each transmission of bits lasts just 3.2 millionths of a second.

But after 3.2 microseconds, we can’t just start straight into the next symbol. Why? We’re back to multipath. Remember that one of our concerns in WiFi is the fact that our radio waves typically take multiple paths between the transmitter and receiver. Those different paths are almost assuredly of different lengths, which means they arrive at different times. If we transmit the next symbol too quickly, we run the risk of the following situation: one copy of Symbol 1 is received through the long path. We transmit Symbol 2 too quickly, and the short path copy of Symbol 2 starts arriving before all of Symbol 1 has been received. Yes, we are concerned with transmissions that take 3.2 millionths of a second overlapping! If this happens, we call it Intersymbol Interference.

To solve this, there’s a pause between the symbols, called the Guard Interval: a waiting period to assure that the second symbol heard through the shortest path doesn’t “catch up”. Standard is 800 billionths of a second, or 800 nanoseconds, which is 0.8 microseconds. From here we can do a little math: 3.2 + 0.8 = 4, meaning we can change symbols every 4 microseconds. That means 250,000 symbol changes/second.

There’s also an optional Short Guard Interval of 400ns, which ups the symbol rate, and therefore our overall data throughput, by 10%, but increases the probability of intersymbol interference. Most networks can successfully use the SGI. Taking Turns

We’ve taken a good look at many of the aspects of “how do we transmit data?”, and we’re now going to turn our attention to “when can a station transmit data?” So we’re now going to move our attention up a level in the OSI model, to Layer 2, where we’re no longer working with signalling 1s and 0s, but with wireless frames: a transmission unit from This Station, broadcast for That Station (or stations).

So first: why is “when can a station transmit data?” even a question? While we can have many bees flying through the air at any one moment, we can only have the transmission from one wireless radio in the air at a particular time, so WiFi needs a way to avoid frames crashing into each other in transit. CSMA / CA

• Carrier Sense Multiple Access with Collision Avoidance

• Carrier Sense: “Is the channel being used?”

• Multiple Access: Every radio gets an equal chance at transmitting

• Collision Avoidance: Collisions are Bad, mkay?

The way WiFi prevents stations from transmitting simultaneously is called Carrier Sense Multiple Access with Collision Avoidance. Let’s break that down: Carrier Sense is about asking the question “is the channel being used?”, because as we’ve said, we can only have one transmitting radio at any given moment. Multiple Access: every station gets an equal chance at being the one who can go next. Collision Avoidance: just like the bees running into each other, our frames running into each other in the air need to be avoided, so that’s our goal.

This differs slightly from Ethernet, where we use CSMA/CD: collisions can be detected on Ethernet, but in WiFi they can’t. Collision Detection

• Sleep OR Receive OR Transmit

• Collision? ¯\_(ツ)_/¯

• Every transmission to a single recipient is presumed to have failed. It only worked if there’s an ACK.

Why can’t we detect collisions? In WiFi, our radios have 3 modes: Sleeping, Receiving and Transmitting. They’re never doing 2 of these at the same time, so if my radio and your radio were to transmit at the same time, neither of us knows the other one transmitted (because we can’t hear it). The end result is that our transmissions make a mess out of each other, and for that little slice of time no communication was accomplished, which means our network isn’t serving its purpose.

Since WiFi stations can’t detect collisions, there’s a default presumption for every unicast frame (a frame with a single recipient) transmitted on a CSMA/CA network: that something went wrong, and it needs to be resent. When a receiving station gets the frame it calculates a Cyclical Redundancy Check on the received frame, which confirms whether it was received properly. If it was, an acknowledgement is sent to the original sender, and only then is the transmission determined successful. If the CRC fails, there's no acknowledgement, and the frame will have to be resent. Distributed Coordination Function

• Interframe space: “Time passes.”

• Duration / ID field: “my transmission and ACK will take this much time”

• Carrier sense: “is any other station transmitting RIGHT NOW?”

• NAV: Network Allocation Vector, set from others’ Duration / ID

• Physical Carrier Sense: listening to the channel

• Random backoff timer: “generate random time value to wait for”

Distributed Coordination Function is the fundamental access method for 802.11 communications: CSMA/CA tells us “what” we have to do, and the Distributed Coordination Function is the set of rules about how. It contains 4 terms that we’ll investigate.

Interframe Spaces: Simply a short pause. These come in different sizes, for different purposes. They help craft what category of frame is transmitted when, such as making sure the acknowledgement is sent after a data frame.

Duration / ID field: At the start of every wireless frame, there’s a public announcement of information about that frame, designed for all stations to hear. Amongst that data is an announcement of “here’s how long this transmission is going to keep the channel busy for.”

Carrier sense: Carrier Sense asks “is anybody else using the network?”, and since it’s mandatory to get a “no” on this, we sense for empty airtime in 2 ways. Virtual Carrier Sense resets a timer called the NAV: Network Allocation Vector. This reset comes from hearing a Duration / ID field transmitted by another station. Other stations hear that and say “OK, I know it’s not my turn for that long, I’ll hang out until that time passes.” Physical Carrier Sense is listening to hear if there’s any station transmitting.

Random backoff timer: WiFi transmissions are managed by a random number generator: the station that counts down to 0 gets to go.

0.002536 seconds!

To give a real world example of how our WiFi stations figure out their turn, we have to first declare some starting point in this continually speaking network. The logical place for that is the beacon frame, so here I have a captured beacon, opened in Wireshark, which is an open source tool for investigating the content of frames and packets. Beacons are the heartbeat of our wireless networks: they’re sent out by the APs approximately every 100ms, or 10 times/second. They are broadcasts for all stations to hear, and they tell every station key information about the network, including the network name, what channel it’s on, what data rates are supported, and a whole lot more. And like other frames, the beacon has the Duration/ID field, which, as we said, is the basis for resetting the NAV timers on other stations. So let’s say we have 2 stations, both wanting to transmit data. They both receive this beacon frame over the air, and because of the Duration/ID field, can say “OK, I see that the airtime will be busy for 2536µs, I know to hold tight for that long.” Now that’s just how long this particular example frame will take; this value varies per frame, and it’s neither the shortest nor the longest frame WiFi might see. BTW, how big is 2536µs? Yes, we’re making reservations of time on the scale of 2 and a half thousandths of a second. Our WiFi radios are continually starting and stopping transmitting on this scale, while giving us the illusion of continuous data transmission. 2536µs passes…

• Interframe Space: Mandatory pause, based on frame type

• Backoff Time: NAV has counted down, let competition begin!

• Pick a random number from the Contention Window

• First attempt? Random value is from 0-15

• Multiply random number * Slot Time, wait that amount of time, while listening for other stations. If no others transmit first, you win!

When the time declared in the Duration/ID field has gone by, there’s an additional pause for an Interframe Space. After the Interframe Space, we’re now in the period called the Backoff Time. Each station generates a random number from a range known as the Contention Window. On the first attempt to send a frame, the contention window is in the range of 0-15. It’s just like rolling a 16 sided die. We then take that random number and multiply it by the Slot Time, which is a set number of microseconds; how many depends on the network type. The result of that multiplication is a number that means “when this much time goes by, if you haven’t heard any other stations, it’s your turn”. Let’s look at how this could play out in the real world.

• Wait for Duration time (2536µs)

• Generate random number

• Count down time while listening to channel

• Channel still clear? Left transmits!

Our AP creates and transmits a beacon, and among the data in it is the Duration/ID field. Our 2 laptops hear this. Reading the value in the Duration field, both see they must yield to the AP for 2536 microseconds. They pause for that amount of time, plus the Interframe Space. Then each generates a random number in the range of 0-15, the starting Contention Window. This sets the basis for how long to pause before trying to transmit. Let’s say that here, Left comes up with 7 as its random number, and Right gets 10. Multiply that by the Slot Time, and wait that amount of time. That amount of time goes by, and we’re going to say we haven’t heard any other stations transmit. Now Left has counted down to zero. If it’s still true that no other stations are heard, it’s now Left’s turn, and Left starts transmitting.

Meanwhile, remember that during this, all stations that are seeking a turn are listening to the channel. So when Right has counted down 7 slots and Left starts transmitting, it hears it, and instantly pauses its countdown timer at 3. What’s one of the first things it’ll hear? A fresh Duration/ID field from Left, as that’s part of the frame header. “OK, now I’ll wait for Duration length,” says Right, and it starts its NAV timer right there. It keeps its countdown timer where it is, at 3, and pauses for that Duration time period, while Left transmits for some tiny fraction of a second. Once that NAV timer counts down to 0, plus an interframe space, Right resumes listening and counting down. But now we’re resuming from 3. Right counts down 2, 1, and if it’s still clear when the countdown timer hits zero, now it’s Right’s turn to transmit. No ACK!

So let’s say that this time around, Right doesn’t get back an acknowledgment that the frame it sent was properly received. Remember, this is our default expectation: to presume failure, so we’re ready for this. Right goes back to listening to the channel, and in the next backoff time, picks a new random amount of time to wait. Except this time around, that number will be selected from a bigger Contention Window: instead of 0-15, it’s now in the 0-31 range. With each successive retry, we double the range of potential values. The same rules are applied: count down time slots, listening for the channel to be used. If a station starts transmitting before you hit zero, pause the timer for the announced duration, then (after the interframe space) resume counting down, until you finally hit zero and it’s your turn. If we get an ACK back, that frame is all good, and we can do it all over again with the next one. If not, pick a new random backoff value from a range that’s twice as big as the last one and start over.
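The Left/Right walk-through above, as an added example in Python (my own code, not the talk's): stations count down slots together, the losers freeze at their residual count while the winner's Duration reserves the channel, and a collision (two stations drawing the same slot, so neither gets an ACK) redraws from a doubled Contention Window. The talk gives only the starting window of 0-15 and says the slot time depends on the network type; the 9µs slot, the 34µs interframe space (DIFS) and the 1023 cap on the window are the 5 GHz OFDM PHY values and are assumptions of this example, as are the constructed frame durations.

```python
import random

SLOT_US = 9          # assumed 5 GHz OFDM slot time (talk: "depends on network type")
DIFS_US = 34         # assumed interframe space before backoff counting resumes
CW_MIN, CW_MAX = 15, 1023   # talk gives 0-15 for the first try; the cap is assumed


def contention_window(retries):
    """Upper bound of the random range: 15, 31, 63, ... doubling per retry,
    capped at CW_MAX so a badly congested channel does not grow unbounded."""
    return min((CW_MIN + 1) * 2 ** retries - 1, CW_MAX)


def draw_backoff(retries, rng=random):
    """Roll the die: a slot count from 0 to the current contention window."""
    return rng.randint(0, contention_window(retries))


def run_contention(backoffs, nav_us, frame_us, rng=None):
    """Slot-by-slot DCF contention among stations that all heard one NAV.

    backoffs: station name -> backoff slots already drawn for attempt 1
    nav_us:   Duration/ID every station heard (the talk's beacon: 2536 us)
    frame_us: channel time a winner's frame plus its ACK reserve (constructed)
    Returns (events, retries). An event is (time_us, "tx", station,
    frozen_counters_of_the_others) or (time_us, "collision", stations)."""
    rng = rng or random.Random(0)    # constructed seed so the demo repeats
    counters = dict(backoffs)
    retries = {s: 0 for s in backoffs}
    events = []
    t = nav_us + DIFS_US             # everyone sat out the NAV, then a DIFS
    while counters:
        # All stations count down together; the lowest counter hits 0 first.
        low = min(counters.values())
        t += low * SLOT_US
        for s in counters:
            counters[s] -= low       # the others freeze with slots left over
        ready = [s for s, c in counters.items() if c == 0]
        if len(ready) == 1:
            winner = ready[0]
            frozen = {s: c for s, c in counters.items() if s != winner}
            events.append((t, "tx", winner, frozen))
            del counters[winner]     # got its ACK, nothing more to send
        else:
            # Same slot drawn twice: both transmit, neither hears an ACK,
            # both retry from a window twice as large.
            events.append((t, "collision", tuple(ready)))
            for s in ready:
                retries[s] += 1
                counters[s] = draw_backoff(retries[s], rng)
        # Channel busy for the announced Duration, then a DIFS before the
        # survivors resume counting from where they froze.
        t += frame_us + DIFS_US
    return events, retries


if __name__ == "__main__":
    # The talk's scenario: beacon reserves 2536 us, Left draws 7, Right draws 10.
    for event in run_contention({"Left": 7, "Right": 10}, nav_us=2536, frame_us=300)[0]:
        print(event)
    # Both draw the same number: a collision, then doubled windows.
    print(run_contention({"A": 4, "B": 4}, nav_us=0, frame_us=100))
```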

Here we have a system designed to get stations a transmit opportunity as soon as possible, while trying to minimize the probability of 2 stations transmitting simultaneously, because Plan A is to get the transmission right the first time. But collisions are expected- it is completely normal that 2 stations on the same channel pick the same random backoff value and collide, requiring a retransmission. 20 frames in 0.018940 seconds

One of the things that impresses me the most about Distributed Coordination Function is the size of the time slices we’re talking about: the random number generation, countdown, listening, then transmitting and receiving an acknowledgement is going down thousands of times per second in this network, right here, right now, to allow all these devices to coordinate airtime. This is why we can have a room full of iPads watching YouTube, even though only one bit of data for one device can be transmitted at once. Stations don’t need to know if other stations have joined or left the network, or how many others there are: CSMA/CA scales very robustly. Sometimes I wish that we could see a light that accurately depicted the length of every transmission, but I think only this guy could actually perceive it. send Barry away

In the section of a Wireshark capture we're zoomed in on here, we're looking at 20 frames, where the total airtime spent transmitting them is well under 2/100ths of a second, and this isn't a particularly heavily loaded network.

There's a lot of information in this capture- here we see data frames and acknowledgements, but there's one particularly clever frame exchange I wanted to look at more in depth: the Request to Send / Clear to Send conversation. Request to Send / Clear to Send

• NAV = 0, it’s transmit time!

• Don’t send the data. Instead, send RTS

• RTS NAV = size of RTS + CTS + DATA + ACK

• AP tells all stations how long network will be busy for

• Addresses “hidden node” problems

• Impacts speed, but hopefully less than collisions

So far in our investigation of Distributed Coordination Function, I've said that devices on a network hear each other transmit a Duration field, which tells others to be quiet for that long. That works great when everyone can hear each other. But what if one device is at the east end of the AP coverage zone and the other is in the west? They can each talk to the AP and back just fine, but they’re too far away from each other. That means they're ignorant of each other's broadcasts, and we've greatly increased the probability of them trying to transmit simultaneously. The solution to that is to centralize the job of resetting every station's NAV timer through the Access Point. RTS/CTS works like this: a station gets its turn to transmit, according to the rules we discussed. But it doesn’t send the data; it sends a Request To Send frame. This RTS tells the AP how long the station is going to need to transmit its data. The AP then replies with a Clear To Send that all stations can hear, using the NAV data provided by the requesting station, so now all stations on the channel know how long the network will be busy for, and the requesting station then sends its traffic. This addresses a classic WiFi problem called “hidden node”, where a station far away from others leads to many collisions and therefore retried transmissions. Doing this has an impact on network speed, because while RTS and CTS are short frames, they take time and add up to affect network performance, but ideally they create less overhead than having to resend data frames because of collisions. Review!
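To put the symbol-timing arithmetic from the Guard Intervals section and the RTS/CTS reservation just described into one place, here is an added example (my own Python, not code from the talk). It turns symbol time, guard interval, subcarrier count, constellation bits per subcarrier and coding rate into a PHY rate, computes a frame's airtime, and from that the Duration value an RTS carries and the cost of the handshake versus a plain data/ACK exchange. The 20µs preamble, 16µs SIFS, the 22 SERVICE and tail bits per frame, the control frame sizes and the 6 Mb/s basic rate are 5 GHz OFDM PHY values assumed by the example, not numbers from the talk; note that the Duration field as defined covers what follows the RTS (CTS, data, ACK and the gaps between them), not the RTS itself.

```python
import math

# Numbers the talk gives: useful symbol time and the two guard intervals.
SYMBOL_US = 3.2
GI_US = {"long": 0.8, "short": 0.4}
# Assumed 5 GHz OFDM PHY constants (not from the talk).
PREAMBLE_US = 20.0       # 16 us training symbols + 4 us SIGNAL field
SIFS_US = 16.0           # short interframe space between data and ACK
SERVICE_TAIL_BITS = 22   # 16 SERVICE bits + 6 convolutional-coder tail bits


def symbols_per_second(gi="long"):
    """The talk's arithmetic: 1 / (3.2 us + guard interval)."""
    return 1_000_000 / (SYMBOL_US + GI_US[gi])


def data_bits_per_symbol(subcarriers, bits_per_carrier, code_rate, streams=1):
    """Data bits in one OFDM symbol: every data subcarrier carries one
    constellation point, and only code_rate of those bits are payload."""
    return subcarriers * bits_per_carrier * code_rate * streams


def phy_rate_mbps(subcarriers, bits_per_carrier, code_rate, streams=1, gi="long"):
    bits = data_bits_per_symbol(subcarriers, bits_per_carrier, code_rate, streams)
    return bits * symbols_per_second(gi) / 1e6


def airtime_us(frame_bytes, subcarriers, bits_per_carrier, code_rate, streams=1, gi="long"):
    """Channel time for one frame: preamble plus whole symbols for the bits."""
    bits = data_bits_per_symbol(subcarriers, bits_per_carrier, code_rate, streams)
    symbols = math.ceil((SERVICE_TAIL_BITS + 8 * frame_bytes) / bits)
    return PREAMBLE_US + symbols * (SYMBOL_US + GI_US[gi])


# Control frames (RTS 20 bytes, CTS/ACK 14 bytes) go out at a basic rate;
# 6 Mb/s (BPSK, rate 1/2, 48 subcarriers) is assumed here.
CTRL = dict(subcarriers=48, bits_per_carrier=1, code_rate=0.5)
RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14


def rts_duration_us(data_airtime_us):
    """Duration/ID value the RTS carries: the time the channel stays busy
    after the RTS itself, i.e. CTS + DATA + ACK with a SIFS before each."""
    cts = airtime_us(CTS_BYTES, **CTRL)
    ack = airtime_us(ACK_BYTES, **CTRL)
    return 3 * SIFS_US + cts + data_airtime_us + ack


def exchange_overhead(data_airtime_us):
    """Channel time without and with the handshake, and the extra fraction.
    Returns (plain_us, with_rts_cts_us, overhead_fraction)."""
    ack = airtime_us(ACK_BYTES, **CTRL)
    plain = data_airtime_us + SIFS_US + ack
    rts = airtime_us(RTS_BYTES, **CTRL)
    protected = rts + SIFS_US + rts_duration_us(data_airtime_us)
    return plain, protected, (protected - plain) / plain


if __name__ == "__main__":
    # 802.11a 54 Mb/s: 48 subcarriers, 64-QAM (6 bits), coding rate 3/4
    print("54 Mb/s check:", phy_rate_mbps(48, 6, 0.75))
    # 802.11n HT20 single stream: 52 subcarriers, 64-QAM, coding rate 5/6
    print("MCS7 long GI:", phy_rate_mbps(52, 6, 5 / 6))
    print("MCS7 short GI:", round(phy_rate_mbps(52, 6, 5 / 6, gi="short"), 2))
    data = airtime_us(1500, 48, 6, 0.75)   # constructed 1500-byte frame
    print("1500-byte frame at 54 Mb/s:", data, "us")
    print("RTS Duration field:", rts_duration_us(data), "us")
    print("plain vs RTS/CTS:", exchange_overhead(data))
```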

So that was a lot of stuff… let’s take a minute to review where we’ve been. In Carrier Sense Multiple Access with Collision Avoidance we covered that every single time a station needs to gain airtime to transmit a frame, it goes through a period of listening, pausing, and random number generation to determine when it can transmit. When that turn arrives, data is passed to a convolutional coder that adds error detection and correction bits to the stream, at a rate deemed appropriate for the network conditions. That data stream is likely separated out to 2 or 3 spatial streams, in order to increase our data rate. Each of those spatial streams is comprised of modulating at least 48 separate carrier waves (per 20MHz), so the data is spread out amongst those subcarriers, and a constellation point for that modulation rate is assigned to each, and that much phase and amplitude modulation is applied to that wave. 3.2µs + 0.8µs = 4µs

Guard intervals are used to ensure that symbols don’t overlap in the 3.2µs transmission time per symbol. Multiple radios might also be used to transmit the same data at ever so slightly different timing, so that what one destination receives as upfade arrives as downfade at another, using an output power measured in thousandths of a watt. On the receiving side, these phase and amplitude changes are received and interpreted as the groups of 1s and 0s they represent. When multiple streams are used, Digital Signal Processors help clean up the multiple received signals and focus on the best ones. Forward error correction processes the received data, and ideally the original data stream is reconstructed on the receiving side.

If the data passes the Cyclical Redundancy Check, an acknowledgement frame is sent back, using all the same Layer 1 technologies. No ACK!

If the redundancy check doesn’t pass, no acknowledgement gets sent back, and the frame has to be transmitted again.

• LDPC

• Tone Mapping

• Encryption

• Service Field Preparation

• Preamble Construction

• Inverse Fast Fourier Transformation

• Convolutional Code

• Interleave and Mapping

• Pre-FEC scrambling

• Cyclic Shift

Besides the above, there are a number of other steps in every transmission that I couldn’t fit into this presentation, and everything I just reviewed might go down in under a thousandth of a second.

I hope you can see why I find it incredible that this works at all. Want more of this?

So if you thought this was fun and would like to learn more, I suggest the CWNA program. I’d say it’s equivalent to a serious college level course. Everything you need to know is in this book, so you can study it all on your own. It will teach you a very wide range of WiFi aspects, including network design, security, how to do a site survey, differences in antenna types, what has been added in each amendment, how devices save battery power (which is super cool) and a lot more.

Matthew Gast has written 2 much smaller texts that I’ve also found very useful for learning WiFi: the 802.11n and 802.11ac survival guides.

cleartosend.net revolutionwifi.net cwnp.com

I am a big podcast consumer, so if you’re also into them, I recommend putting cleartosend.net in your feed. For blogs, there are of course many, but a great starting place is Andrew VonNagy’s revolutionwifi.net. Andrew has many great posts, and my OFDM illustrations came courtesy of him.

Lastly, the Certified Wireless Network Professional program is the overarching program that handles industry certification in the WiFi world. They sponsor WiFi conferences, have an online forum, and I make sure to hit their WiFi question of the day for a daily WiFi test, to make sure I don’t forget things. Clear to Send Questions!

Feedback wanted! https://bit.ly/psumac2017-175

Although you didn't send an RTS, you're clear to send questions!