CTS 161: 802.11ax BSS Coloring

Why is there a need for BSS Coloring? It helps a receiving device identify the BSS from which a received PPDU originates, which reduces the cases where a transmission from an overlapping BSS is reported as a busy medium. 802.11ax allows the medium to be reused more often between overlapping BSSs (OBSSs) by identifying them. The primary purpose is to improve the efficiency of Wi-Fi in dense areas. BSS Coloring tackles the issue of frequency reuse.

An AP receives a neighbor report that includes the HE Operation element of neighboring High Efficiency (HE) APs, which it uses to determine the BSS Color information of those neighbors.

In which frames can you find the BSS Color field? The HE Operation element contains the BSS Color information and is found in Beacon, Association/Reassociation, and Probe Response frames. The BSS Color is also carried in the PHY preamble.

BSS Color within the PHY

The HE Operation Element can be found in the following frames: Beacon, Probe Response and (Re)Association frames.

HE Operation Element – Notice the BSS Color Information Field

BSS color is an identifier of a BSS that assists a receiving device in identifying the BSS from which a PPDU originates, for the purposes of channel access, reducing power consumption, or updating the NAV.

The AP selects a value from 1 to 63, which is included in the BSS Color subfield of the HE Operation element or the New BSS Color subfield of the BSS Color Change Announcement element.

The device will set the BSS Color subfield of the HE Operation element to the value indicated in the BSS Color subfield received from the AP. The AP sets the BSS_COLOR parameter of an HE PPDU.

BSS Color field is for the active BSS color. If a device roams to another BSS the value of the active BSS color will be entered in the New BSS Color field as received in the BSS Color Change Announcement element.

Imagine two BSSs on the same channel, 149. One BSS would use color yellow, and the other would use color blue. BSS coloring changes the channel access method. Devices could transmit and receive at the same time. Won’t this cause a collision? Yes, if the BSS colors are the same.

Can a collision occur between colors?

An AP can determine that there is a BSS Color collision by receiving frames from an OBSS device or AP containing the same BSS color it has selected. If this occurs, the AP sets the BSS Color Disabled subfield. The subfield stays set for the duration of a BSS Color Collision Period.

It is possible to have a BSS color collision with an OBSS. When one is detected, the AP sets the BSS Color Disabled subfield within the HE Operation element to 1, which informs others that BSS Color is disabled.

The AP selects a BSS color and may change it under certain conditions, such as detecting an OBSS using the same color. No method is defined for how a new BSS color should be selected. An AP may take colors used in its surroundings into account.

When an AP is changing its BSS color, a BSS Color Change Announcement is sent in Beacon, Probe Response and Reassociation Response frames, or in an HE BSS Color Change Announcement frame. What could cause a color change? Another BSS using the same color.

Ultimately, you’ll have SINR.

HE BSS Color Change Announcement

The HE BSS Color Change Announcement is an Action frame. It contains a BSS Color Change Announcement. The AP can change the BSS Color, and when it does so, it sends an announcement to associated devices.

BSS Color Change Announcement element – notice the last two bits.

The BSS Color Change Announcement Element can be found in the following frames: Beacon, Probe Response and (Re)Association response.
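The color fields described above, parsed from raw element bytes and used for the collision check an AP or monitoring sensor would run. This is an added example, not code from the original post; the element layouts (extension IDs 36 and 42, three parameter bytes before the color byte) follow the 802.11ax element definitions, and the BSSIDs and element bytes are constructed samples.

```python
# Added example; sample elements below are constructed, not captured.
ELEMENT_ID_EXTENSION = 255
EXT_HE_OPERATION = 36          # HE Operation element
EXT_BSS_COLOR_CHANGE = 42      # BSS Color Change Announcement element

def ext_body(ie: bytes, ext_id: int, min_len: int) -> bytes:
    """Validate an extended element and return the bytes after its extension ID."""
    if len(ie) < 3 or ie[0] != ELEMENT_ID_EXTENSION or ie[1] != len(ie) - 2:
        raise ValueError("malformed element")
    if ie[2] != ext_id or len(ie) - 3 < min_len:
        raise ValueError("unexpected or truncated element")
    return ie[3:]

def parse_he_operation(ie: bytes) -> dict:
    """Read the BSS Color Information byte that follows the 3 parameter bytes."""
    info = ext_body(ie, EXT_HE_OPERATION, 6)[3]
    color = info & 0x3F                       # bits 0-5: BSS Color
    return {"color": color,
            "partial": bool(info & 0x40),     # bit 6: Partial BSS Color
            "disabled": bool(info & 0x80),    # bit 7: BSS Color Disabled
            "in_range": 1 <= color <= 63}     # AP-selected colors are 1 to 63

def parse_color_change(ie: bytes) -> dict:
    """Read Color Switch Countdown and New BSS Color Information."""
    body = ext_body(ie, EXT_BSS_COLOR_CHANGE, 2)
    return {"countdown": body[0],
            "new_color": body[1] & 0x3F,      # bits 0-5: New BSS Color
            "reserved": body[1] >> 6}         # last two bits, expected to be 0

def colliding_neighbors(own_ie: bytes, neighbors: dict) -> list:
    """Return neighbor BSSIDs that advertise our active color with color enabled."""
    own = parse_he_operation(own_ie)["color"]
    hits = []
    for bssid, ie in neighbors.items():
        seen = parse_he_operation(ie)
        if seen["color"] == own and not seen["disabled"]:
            hits.append(bssid)
    return sorted(hits)

def build_he_operation(color_info: int) -> bytes:
    """Constructed minimal HE Operation element wrapped around one color byte."""
    return bytes([255, 7, 36, 0, 0, 0, color_info, 0xFC, 0xFF])

OWN = build_he_operation(0x05)                          # color 5
NEIGHBORS = {
    "02:00:00:00:00:0a": build_he_operation(0x05),      # color 5: collision
    "02:00:00:00:00:0b": build_he_operation(0x4C),      # color 12, partial bit set
    "02:00:00:00:00:0c": build_he_operation(0x85),      # color 5 but disabled
}
COLOR_CHANGE = bytes([255, 3, 42, 3, 0x0C])             # countdown 3, new color 12
```
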

CTS 160: 802.11ax OFDMA Resource Units

802.11ax (Wi-Fi 6) brings OFDMA to wireless. It’s an enhancement over OFDM, which was single-user: a signal was sent to or received from one device at a time. OFDMA adds multiple access, which means simultaneous transmissions to/from multiple devices.

There is a downlink multi-user operation and an uplink multi-user operation.

In OFDMA, a channel is subdivided into smaller channels, or resource units. This is so there can be simultaneous transmissions to different devices. Most transmissions are small frames so it’s an efficient way to send data by using a smaller channel and by making it multiple access we can have more communications at the same time.

These groups of subcarriers (tones), the smaller channels within the main channel, are called resource units. An AP can allocate varying resource units for multi-user communications.

For example, a 20 MHz channel carries one 242-tone resource unit, which can be further split into 2x 106-tone resource units, 4x 52-tone resource units, or 9x 26-tone resource units.

Resource Units in a 20 MHz channel width

OFDMA allows subcarriers to be allocated to different devices for simultaneous transmission to or from those devices.

OFDMA transmissions in DL and UL allow different stations to occupy different RUs in a PPDU. Within that RU it could be SU-MIMO or MU-MIMO.

Resource Units (RUs) are defined for DL and UL transmissions and labeled as different tones. RUs are defined as:

  • 26-tone RU
  • 52-tone RU
  • 106-tone RU
  • 242-tone RU
  • 484-tone RU
  • 996-tone RU
  • 2×996-tone RU

Number of 802.11ax (Wi-Fi 6) OFDMA Resource Units per channel bandwidth:

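| RU Type | CBW20 | CBW40 | CBW80 | CBW80+80 & |
|---|---|---|---|---|
| 26-tone RU | 9 | 18 | 37 | 74 |
| 52-tone RU | 4 | 8 | 16 | 34 |
| 106-tone RU | 2 | 4 | 8 | 16 |
| 242-tone RU | 1 | 2 | 4 | 8 |
| 484-tone RU | n/a | 1 | 2 | 4 |
| 996-tone RU | n/a | n/a | 1 | 2 |
| 2×996-tone RU | n/a | n/a | n/a | 1 |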

Type of subcarriers:

  • Data subcarriers
  • Pilot subcarriers
  • DC subcarriers
  • Guard subcarriers
  • Null subcarriers

A 26-tone RU consists of 24 data subcarriers and 2 pilot subcarriers.
A 52-tone RU consists of 48 data subcarriers and 4 pilot subcarriers.
A 106-tone RU consists of 102 data subcarriers and 4 pilot subcarriers.
A 242-tone RU consists of 234 data subcarriers and 8 pilot subcarriers.
A 484-tone RU consists of 468 data subcarriers and 16 pilot subcarriers.
A 996-tone RU consists of 980 data subcarriers and 16 pilot subcarriers.

DC subcarriers are the subcarriers located in the center of the channel. Depending on the channel width and the number of tones used, the number of DC subcarriers can vary (e.g. 3 or 7 for a 20 MHz wide channel). Most of the time it will be 7 for the 20 MHz and 80 MHz wide channels and 5 for the 40 MHz wide channels.

A 20 MHz wide channel has 11 guard subcarriers: the first 6 and the last 5 of the channel.

Downlink OFDMA

An AP can transmit frames to different devices by splitting a channel into subchannels or subcarriers or resource units.

Devices tune their radios to the specific resource unit to receive their transmissions. The AP still has to contend for airtime but will allocate resource units for different devices.

Uplink OFDMA

Similar to DL OFDMA, except devices transmit at the same time on different subchannels (RUs) within the same channel. The AP must use trigger frames to coordinate the transmissions.

The AP solicits simultaneous response frames from multiple HE devices. If a client does not support TRS Control, it will not receive a solicitation for MU UL. For the AP to solicit an HE TB PPDU, it transmits a PPDU that includes one or more Trigger frames. Within the Trigger frame is the AID12 subfield, which either identifies the client the allocation is addressed to or indicates UL OFDMA-based random access.

The AP must follow the EDCA procedure in 10.22 (HCF) and contend for a TXOP. A device named in the solicitation, or Trigger frame, responds to the AP’s Trigger frame with its HE TB PPDU.

The Trigger frame from AP contains duration, RU allocation, target RSSI, and MCS for the device’s HE TB PPDU.

Resource Allocations for OFDMA – Multiple Access

Resource Allocation

When an AP transmits, the AP indicates the RU allocation within the HE MU PPDU. It’s ordered from lower frequency to higher frequency.

In UL, there is a trigger frame which indicates RU allocation, duration, target RSSI, and MCS.

Triggered Response Scheduling (TRS)

Used for soliciting an HE TB PPDU that follows the HE PPDU carrying the Control subfield. The RU Allocation is contained in the Control Information subfield for TRS Control.

Trigger frame

Allocates resources for and solicits one or more HE TB PPDU transmissions.

The User Info field carries some interesting data in the Trigger frame. The AID12 subfield contains the 12 LSBs of the AID of the client that the field is intended for.

If the AID12 subfield is within the range 1 – 2007, the User Info field indicates the RU used by the HE TB PPDU of the client identified by AID12.

The RU Allocation consists of 8 bits that indicates the size of RUs and their placement in the frequency domain. It follows the mapping presented in Table 28-24. There can be up to 9 simultaneous devices.

The RU allocation field is followed by multiple User fields, which specify station-specific details such as Station ID, number of spatial streams to be used and MCS to be used.
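A decoder for the first five bytes of a Trigger frame User Info field, showing how AID12, RU allocation, MCS and target RSSI are packed. This is an added example, not code from the original post; the bit positions, the RU index ranges and the AID12 values outside 1 to 2007 come from the 802.11ax Trigger frame definition rather than from this page, and the sample fields are constructed with `build_user_info`, a helper named here for illustration.

```python
# Added example; sample fields are constructed, not captured.
# RU index (7 bits) -> RU size, upper bound of each index range inclusive.
RU_INDEX_RANGES = [(36, "26-tone RU"), (52, "52-tone RU"), (60, "106-tone RU"),
                   (64, "242-tone RU"), (66, "484-tone RU"), (67, "996-tone RU"),
                   (68, "2x996-tone RU")]
AID12_SPECIAL = {0: "random access (associated)",
                 2045: "random access (unassociated)",
                 2046: "unallocated RU",
                 4095: "start of padding"}

def ru_size(index: int):
    """Map the 7-bit RU index to an RU size, or None for reserved values."""
    for upper, label in RU_INDEX_RANGES:
        if index <= upper:
            return label
    return None

def aid12_target(aid12: int) -> str:
    """Say who a User Info field is addressed to."""
    if 1 <= aid12 <= 2007:
        return "station"
    return AID12_SPECIAL.get(aid12, "reserved")

def parse_user_info(field: bytes) -> dict:
    """Decode the fixed 40-bit part of a User Info field (little-endian bit order)."""
    if len(field) < 5:
        raise ValueError("User Info field needs at least 5 bytes")
    bits = int.from_bytes(field[:5], "little")
    aid12 = bits & 0xFFF                       # B0-B11
    ru_alloc = (bits >> 12) & 0xFF             # B12-B19, the 8-bit RU Allocation
    rssi = (bits >> 32) & 0x7F                 # B32-B38
    return {"aid12": aid12,
            "target": aid12_target(aid12),
            "upper_80mhz": bool(ru_alloc & 1),  # B12 selects the 80 MHz segment
            "ru_index": ru_alloc >> 1,
            "ru_size": ru_size(ru_alloc >> 1),
            "mcs": (bits >> 21) & 0xF,         # B21-B24
            # 0..90 map to -110..-20 dBm; other values are not a dBm target
            "target_rssi_dbm": rssi - 110 if rssi <= 90 else None}

def build_user_info(aid12: int, ru_index: int, mcs: int, rssi_dbm: int) -> bytes:
    """Constructed sample field with every other subfield left at zero."""
    bits = aid12 | (ru_index << 13) | (mcs << 21) | ((rssi_dbm + 110) << 32)
    return bits.to_bytes(5, "little")

TO_STATION = build_user_info(aid12=5, ru_index=37, mcs=7, rssi_dbm=-60)
RANDOM_ACCESS = build_user_info(aid12=0, ru_index=0, mcs=0, rssi_dbm=-70)
```
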

Will 802.11ax Resource Units bring an impact to wireless? I think so, only if we can have solely Wi-Fi 6 clients – ditching all the legacy devices. This is where 6 GHz will be big for Wi-Fi.

What do you think about Resource Units?

CTS 159: Wi-Fi 6 (802.11ax) Overview

I decided to finally get myself a little familiar with 802.11ax. I’m not sure why but I’ve pretty much ignored it until now. In this episode, I’m going to provide my overview of 802.11ax, or Wi-Fi 6. This episode will be the start of a mini series diving into detail of the components of 802.11ax.

802.11ax = High Efficiency (HE) and the marketing term for it is Wi-Fi 6.

802.11ax is currently in draft and there are no devices that support it yet. A laptop and a Samsung phone supporting the 802.11ax draft are coming this year.

Wi-Fi Alliance has their certifications coming later in 2019 for 802.11ax, Aerohive is shipping 802.11ax APs, and I predict we will see ratification in early 2020.

Main PHY features in 802.11ax (HE) not in 802.11ac (VHT) and 802.11n (HT)

  • Mandatory support for DL & UL OFDMA
  • Mandatory support for DL MU-MIMO
  • Optional support for HE sounding protocol for beam forming
  • Optional support for UL MU-MIMO

Main MAC features in HE not in previous protocols

  • AP has optional support for two NAV operation
  • Client has mandatory support for two NAV operation
  • Mandatory AP support for TWT
  • Optional client support for TWT
  • Optional support for UL OFDMA-based random access
  • Optional support for spatial reuse operation

What are the general topics I’ll talk about in this episode? Here they are in no special order:

Channel access for 802.11ax.
An HE BSS can use RTS and CTS for transmit opportunity. Clients use RTS and CTS to initiate transmit opportunity.

The Multi-user RTS and CTS lets an AP initiate transmit opportunity. The MU-RTS Trigger frame is used to solicit simultaneous CTS responses from multiple 11ax clients.

MU-RTS and CTS from 802.11ax Draft 3.0

MU Operation
HE allows simultaneous downlink transmissions from AP to client in both DL-OFDMA and DL MU-MIMO.

OFDMA is the biggest enhancement in 802.11ax which creates a multi-user version of OFDM.

It may seem like the same definition as MU-MIMO but it isn’t. OFDMA is multiple access for OFDM. In OFDMA, the channel is subdivided into small channels called resource units or RUs. On each channel can be a different transmission hence multiple access.

11ax allows UL MU operation by letting the AP solicit simultaneous responses from one or more 11ax clients. For an AP to use UL MU operation it must follow EDCA HCF procedure.

OFDMA is not new. It is implemented in LTE technologies. We’re simply using it here for Wi-Fi 🙂

In OFDM, the channel was divided into multiple subcarriers. Specifically it was 64 subcarriers, of which 52 carried data, 4 were pilot subcarriers, and 8 were guard-band subcarriers. The width of each subcarrier is 312.5 kHz.

When it comes to OFDMA, the subcarriers are now much smaller, 78.125 kHz! That equates to 256 subcarriers for OFDMA. It maintains the different types of subcarriers for data, pilot, and guard.

Resource Units
Prior to 802.11ax, an AP transmits or receives across the whole OFDM channel, the entire frequency, for a single client.

In OFDMA, the 256 subcarriers are further divided into resource units (RUs). An 802.11ax AP can determine the allocation of RUs used for a client or multiple clients. Yes, the AP can service multiple clients simultaneously using resource units and various resource unit combinations.

BSS Frame Determination
802.11ax introduces BSS colors to determine if a frame is destined for the same BSS or not. The color itself is really a digit for identification. A client receiving a frame will determine if it is part of the BSS if the BSS Color is the same as the BSS the client is joined to. If the BSS Color is not the same as the client, it is not the same BSS.

BSS Coloring
802.11ax introduces a new way of handling co-channel interference, called BSS Color. We know that if an AP operating on channel 149 hears another AP transmitting on the same channel it must defer. Likewise, if a client is transmitting on channel 157, any other client or AP operating on that channel that hears the client’s transmission must defer.

BSS Color identifies a BSS with a number. The BSS Color is in the 802.11ax preamble. The color information can also be seen in the HE information element’s subfield for BSS coloring.

How does it work? If a client detects a frame that has the same BSS color as its own, it is part of the same BSS. If the frame has a different BSS color than the client, it is from another BSS. If it is from a different BSS, the frame is ignored and the client or AP can transmit at the same time.

Target Wake Time
802.11ax introduces a new power-saving mechanism that schedules target wake times for clients in power save mode. The goal of TWT is to optimize how often a client needs to wake up to determine if it has data, keeping the client asleep longer.

The TWT capability is broadcast in the HE Capabilities element. An HE client will inherit the TWT values from the TWT element advertised by the BSSID and will follow the TWT schedule.

The AP can control when clients contend for air time by scheduling when clients can wake up for transmission. The TWT can be negotiated per client. When the AP sends a scheduled TWT, clients go into a doze state until the next scheduled wake up time.

Two NAVs
A client will need to maintain two NAVs. An HE AP has the option of maintaining two NAVs. The NAVs are: the intra-BSS NAV and a basic NAV.

The basic NAV is updated by an inter-BSS frame or by a frame that cannot be classified as intra-BSS or inter-BSS.

Two NAVs may be useful in dense scenarios, both to protect clients from frames transmitted by other clients within their own BSS and to avoid interference from clients in neighboring BSSs (the inter-BSS case).

CTS 158: 802.11w – Management Frame Protection

802.11w applies to robust management frames protected by Protected Management Frame (PMF).

Wireless environment includes:

  • Rogues
  • Susceptible to eavesdropping
  • Data traffic is usually encrypted
  • Management frame is usually unencrypted

The goal of 802.11w is to protect management frames from forgery or spoofing.

I see it all the time in San Francisco. Deauthentication attacks coming left, right, and center from neighboring wireless networks.

802.11w secures deauthentication and disassociation frames from spoofing to prevent DoS attacks.

Features defined for an RSNA include enhanced cryptographic encapsulation mechanisms for robust Management frames.

Robust management frames are:

  • Disassociation
  • Deauthentication
  • Action frames

Stations that do not support 802.11w discard any protected robust management frames they receive.

Key to 802.11w is data origin authenticity: being able to guarantee the origin of a received protected management frame. This helps prevent spoofing or masquerading by another station or AP.

Within the frame control field is a Protected Frame field. When management frame protection is enabled, the Protected Frame field is set to 1.

A network can advertise itself as Management Frame Protection Capable (MFPC) or Management Frame Protection Required (MFPR).

If the AP is MFPR but the client is not capable, the AP will reject the association with a status code of Robust Management Frame Protection Violation.

An AP broadcasting MFPC indicates MFP is enabled.

Broadcast/multicast integrity protocol (BIP) provides data integrity and replay protection for group addressed management frames. It is negotiated after the IGTKSA.

MFP applies to multicast/broadcast. Frames are encapsulated and protected using an MGTK.

The BIP is identified in the RSN Information Element under Group Management Cipher Suite.

Any frames received without BIP protection are discarded.

BIP within the RSN IE at the bottom of the screenshot
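To audit what an AP advertises, the MFPC and MFPR bits and the Group Management Cipher Suite can be read straight from the RSN element of a Beacon or Probe Response. This is an added example, not code from the original post; the field order and bit positions follow the 802.11 RSN element definition, and the three sample elements are constructed rather than captured.

```python
import struct

MFPR, MFPC = 0x0040, 0x0080          # RSN Capabilities bits 6 and 7
BIP_SUITES = {6: "BIP-CMAC-128", 11: "BIP-GMAC-128",
              12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
POSTURE = {(False, False): "disabled", (True, False): "capable",
           (True, True): "required", (False, True): "invalid"}   # keyed (MFPC, MFPR)

def pmf_posture(ie: bytes) -> dict:
    """Parse one RSN element (ID 48) and report what it advertises for PMF."""
    if len(ie) < 4 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    caps, suite = 0, None
    u16()                                # version
    # Every field after the version is optional, so stop where the element ends.
    if pos < len(body):
        take(4)                          # group data cipher suite
    if pos < len(body):
        take(4 * u16())                  # pairwise cipher suite list
    if pos < len(body):
        take(4 * u16())                  # AKM suite list
    if pos < len(body):
        caps = u16()                     # RSN Capabilities
    if pos < len(body):
        take(16 * u16())                 # PMKID list
    if pos < len(body):
        suite = take(4)                  # Group Management Cipher Suite

    mfpc, mfpr = bool(caps & MFPC), bool(caps & MFPR)
    if suite is None:
        cipher = "BIP-CMAC-128" if mfpc else None    # default when the field is omitted
    elif suite[:3] == b"\x00\x0f\xac":
        cipher = BIP_SUITES.get(suite[3], "unknown")
    else:
        cipher = "vendor-specific"
    return {"mfpc": mfpc, "mfpr": mfpr, "posture": POSTURE[(mfpc, mfpr)],
            "group_mgmt_cipher": cipher}

def rsn(body_hex: str) -> bytes:
    body = bytes.fromhex(body_hex)       # constructed sample, not a capture
    return bytes([48, len(body)]) + body

NO_PMF = rsn("0100 000fac04 0100 000fac04 0100 000fac02 0000")
PMF_CAPABLE = rsn("0100 000fac04 0100 000fac04 0100 000fac02 8000")
PMF_REQUIRED = rsn("0100 000fac04 0100 000fac04 0100 000fac08 c000 0000 000fac06")
```

A posture of "capable" still admits clients that do not negotiate PMF, so only "required" guarantees that every associated client has protected deauthentication and disassociation frames.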

What does this look like when implemented? In my network I have an AP broadcasting an SSID, Clear To Send. Without Management Frame Protection required, it is susceptible to a DoS attack. Within the RSN Information Element, Management Frame Protection Required and Management Frame Protection Capable are set to No.

With another wireless system, I enable containment on my Clear To Send SSID and can gather the deauthentication frames via frame capture. Noticeably, I am disconnected from my network.

Management Frame Protection not set within the RSN IE

Next, I enable Protected Management Frames on my Clear To Send wireless network. With it enabled, the RSN Information Element changes: Management Frame Protection Required and Management Frame Protection Capable are both set to Yes.

Management Frame Protection enabled and required

With containment still occurring, I am successful in joining my wireless network without being disconnected due to deauthentication frames.
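On the monitoring side, the same capture can be triaged by sorting deauthentication and disassociation frames into protected, BIP-protected and unprotected, then counting the unprotected ones aimed at a BSS that requires PMF. This is an added example, not code from the original post; it reads only header bits and the presence of a Management MIC element, verifies no cryptography, and runs on constructed frames with made-up addresses.

```python
from collections import Counter

ROBUST_SUBTYPES = {0xA0: "disassoc", 0xC0: "deauth"}   # first Frame Control byte
PROTECTED_FRAME = 0x40                                  # flag in second Frame Control byte
MME_ELEMENT_ID = 76                                     # Management MIC element (BIP)

def has_mme(elements: bytes) -> bool:
    """Walk the elements after the reason code looking for a Management MIC element."""
    pos = 0
    while pos + 2 <= len(elements):
        eid, length = elements[pos], elements[pos + 1]
        if pos + 2 + length > len(elements):
            return False                                # truncated element
        if eid == MME_ELEMENT_ID and length in (16, 24):
            return True
        pos += 2 + length
    return False

def classify(frame: bytes):
    """Return (kind, bssid, state) for deauth/disassoc frames, else None."""
    kind = ROBUST_SUBTYPES.get(frame[0]) if len(frame) >= 26 else None
    if kind is None:
        return None
    group_addressed = bool(frame[4] & 0x01)             # group bit of Address 1
    bssid = frame[16:22].hex(":")                       # Address 3
    if frame[1] & PROTECTED_FRAME:
        state = "protected"                             # individually addressed, encrypted
    elif group_addressed and has_mme(frame[26:]):
        state = "bip"                                   # MIC present, not verified here
    else:
        state = "unprotected"
    return kind, bssid, state

def unprotected_on_pmf_bss(frames, pmf_required_bssids) -> Counter:
    """Count unprotected robust frames per (bssid, kind) for PMF-required BSSs."""
    hits = Counter()
    for frame in frames:
        result = classify(frame)
        if result and result[2] == "unprotected" and result[1] in pmf_required_bssids:
            hits[(result[1], result[0])] += 1
    return hits

def mgmt(fc0: int, flags: int, da: bytes, bssid: bytes, body: bytes) -> bytes:
    """Constructed frame whose transmitter address claims to be the BSSID."""
    return bytes([fc0, flags, 0, 0]) + da + bssid + bssid + bytes(2) + body

AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST, REASON = b"\xff" * 6, b"\x07\x00"
CAPTURE = [
    mgmt(0xC0, 0x00, STA, AP, REASON),                  # unicast deauth, no protection
    mgmt(0xC0, 0x00, STA, AP, REASON),
    mgmt(0xC0, 0x40, STA, AP, bytes(18)),               # Protected Frame bit set
    mgmt(0xC0, 0x00, BCAST, AP, REASON + bytes([76, 16]) + bytes(16)),  # with MME
    mgmt(0xA0, 0x00, BCAST, AP, REASON),                # broadcast disassoc, no MME
    mgmt(0x80, 0x00, BCAST, AP, bytes(12)),             # beacon, ignored
]
```

A PMF client discards the frames counted here, so on a PMF-required BSS a non-zero count points to spoofing or containment traffic rather than to the AP itself.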

CTS 157: The effect of rate limiting on Wi-Fi

Welcome to a new episode where we speak with Troy Martin. We’re following his presentation at WLPC Prague, Effects of Rate Limiting on Wi-Fi Flow. We ask Troy to go into more detail about rate limiting and the effect it has on Wi-Fi.

Effect Of Rate Limiting on Wi-Fi

Users often go around obstacles. What does it mean for guest Wi-Fi with rate limiting? And why are we using rate limiting?

Could it be slow Internet pipes, bandwidth hungry users, bandwidth hungry applications?

Troy talks about his version of the OSI model:

  • Layer 8 – Management
  • Layer 9 – Financial
  • Layer 10 – Aesthetics Committee

Additionally, Troy talks about the TCP back-off mechanism (window sizes). TCP naturally tries to regulate the traffic for us.

Other discussion items during the show:

  • Not disabling high Wi-Fi data rates
  • Channel Utilization
  • Configurations guideline
  • Never tweak MCS rates
  • Leave high data rates on
