What is EduRoam

- Posted in Uncategorized by

What is EduRoam?

EduRoam, or Education Roaming, is a global wireless network access service developed for the international research and education community. It allows students, researchers and staff to obtain internet connectivity across campuses. When visiting another participating institution, they can connect to the internet simply by opening their laptop and using their home institution credentials.

EduRoam uses the IEEE 802.1X protocol (WPA2-Enterprise) and a system of interconnected RADIUS servers, with the main U.S. node operated by Internet2 in collaboration with the global Eduroam community.

Why do you need EduRoam?

We live in a world where WiFi access is a necessity in institutions, businesses and campuses. Eduroam makes your venue more attractive for meetings or conferences because it allows participants to access the network without assistance.

EduRoam is secure and gives access to thousands of participating hotspots globally.

The cost of implementing and maintaining EduRoam is fair and acceptable. It can reduce cost and workload for the IT department, such as the need to supply temporary accounts to visiting users. Less work can mean fewer headaches for your IT or administrative people.

The log-ins are secured, which means that passwords are kept private at all times, and a misbehaving user can always be identified with the help of their home institution.

Overall, EduRoam makes it possible for visiting students, staff and researchers to use their EduRoam credentials to access secure WiFi quickly and easily, with minimal or no assistance and support.

How do you deploy EduRoam?

The basic process to set up EduRoam is as follows:

  • The school or school district registers with EduRoam and verifies identity and domain control.

  • Once registered, they are given credentials to an administration page which allows them to associate their domain with the IP address of their RADIUS server. They are also given a pre-shared secret that their RADIUS server uses to authenticate to the EduRoam RADIUS servers.

  • The internal RADIUS server needs to handle three scenarios of clients authenticating on the EduRoam SSID:

    o A local user is attempting to authenticate: no need to involve EduRoam's RADIUS servers.

    o An external EduRoam visitor is on campus attempting to authenticate: the authentication is sent to EduRoam's RADIUS servers, and a response is expected in return.

    o A local user is visiting or "roaming" off campus: the authentication attempt is received from EduRoam's RADIUS servers, and the local server needs to authenticate the user and return a response.
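The three scenarios come down to one routing decision on the campus RADIUS server: look at the realm in the outer identity and decide whether to authenticate, proxy, or reject. The following is an added example, not code from the original post or from eduroam; it assumes a placeholder home realm of example.edu and constructed requests.

```python
"""Realm-based routing for an institution's eduroam RADIUS server.

Added example, not code from the original post or from eduroam. It assumes
a home realm of 'example.edu' (placeholder) and models the three scenarios
listed above: local user on campus, visitor on campus, and a home user
roaming elsewhere. The requests in the demo are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOME_REALMS = {"example.edu"}  # realms this server is authoritative for (assumed)


@dataclass(frozen=True)
class RadiusRequest:
    user_name: str         # outer identity from User-Name, e.g. "anonymous@example.edu"
    from_federation: bool  # True when received from the eduroam proxy (shared secret verified)


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an NAI (user@realm) into (user, realm); the realm is lower-cased.

    Returns realm None when there is no '@' or the realm part is empty.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    return user, realm or None


def route_request(req: RadiusRequest) -> str:
    """Decide what the campus RADIUS server should do with a request."""
    _, realm = split_realm(req.user_name)
    if realm is None:
        # Without a realm the federation cannot route the request; reject rather than guess
        return "reject: no realm"
    if realm in HOME_REALMS:
        # Scenario 1 (our user on our SSID) and scenario 3 (our user roaming; the request
        # arrived from eduroam): we are the home institution, so authenticate here
        return "authenticate-locally"
    if req.from_federation:
        # The federation handed us a realm we do not own: never proxy it back out,
        # which would create a routing loop between our server and the federation
        return "reject: foreign realm received from federation"
    # Scenario 2: a visitor on our SSID; forward to the eduroam RADIUS servers and
    # relay whatever response comes back
    return "proxy-to-eduroam"


if __name__ == "__main__":
    samples = [
        RadiusRequest("alice@example.edu", False),      # local user on campus
        RadiusRequest("anonymous@other.ac.uk", False),  # visitor on campus
        RadiusRequest("anonymous@Example.EDU", True),   # our user roaming off campus
        RadiusRequest("bob", False),                    # no realm at all
        RadiusRequest("carol@other.ac.uk", True),       # misrouted by the federation
    ]
    for s in samples:
        print(f"{s.user_name:26} from_federation={str(s.from_federation):5} -> {route_request(s)}")
```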

Who Ya Gonna Call?

Who ya gonna call?

When there's something bad and it doesn't look good, who ya gonna call? You contact the manufacturer. Nothing gets resolved. This blog entry is about ten WiFi puzzles we've been invited into over the last year or so. I leave the names out. A few of them aren't even our regular customers.

Case 1: School A, no address disclosed, has a problem with Chromebooks using a shared-PSK SSID. Some of the kids can get on; some can't. All other devices seem to be fine. Diagnosis: the manufacturer's wireless intrusion prevention (WIP) saw many different devices logging in with the same ID and password and shut them down, thinking they were massing an attack. Resolution: disable WIP for this case.

Case 2: School B, no certain address, most kids can't Zoom or stream, but some are fine. Diagnosis: the school had installed a new LED lighting system over the summer. Non-802.11 communications or noise (it makes no difference to the WiFi clients) spiked across the upper part of the 5 GHz spectrum at arbitrary times. Resolution: enable DFS channels and move 5 GHz traffic away from the lighting system.

Case 3: School C, address withheld, can't stream or Zoom reliably--all devices affected. Short sessions 'appeared' to be okay. Diagnosis: another vendor had set the basic WiFi rates and minimum negotiated rates too high. This caused clients to hang onto sessions that were unsustainable and led to high frame loss. Resolution: relax the basic and negotiated rates to make the network useful again. Raising rates is just voodoo anyway; clients roam when RSSI gets low, not when there's no lower rate available.

Case 4: School D, location unknown, WiFi was no good on the second floor. Diagnosis: this was a small school with two floors in a crowded city environment. Resolution: enable band-steering for the 5 GHz band and disable 2.4 GHz upstairs.

Case 5: School E, name changed for security, lost WiFi connectivity in some areas of the school every day at the same time. Diagnosis: a manufacturer update had enabled DFS channels. This school was on the glide path to a large airport. One particular 5 GHz channel was abandoned (a DFS radar event) every day, at the same time as a daily flight came in. Resolution: disable DFS channels.

Case 6: School F, not the same address as the last one, lost WiFi connectivity every day at the same time. Diagnosis: inspection of AP logs showed that access points lost contact with their controller two or three times a day. Resolution: we found a loop in an MDF that caused a broadcast storm on the wired network. This caused the APs to lose contact with the controller. Not sure why nobody noticed everything else grinding to a halt...

Case 7: School G, address confidential, had 'spinning' WiFi in certain parts of the building. Diagnosis: during a renovation, builders were to remove all of the old access points (and pretty much everything else). They missed a few. When the renovations were complete and the new switching was installed, the old APs found the controller and began advertising SSIDs. The problem was that these APs weren't supposed to exist, and the networks they were offering weren't trunked to them (these were bridged SSIDs, not tunneled). Students could connect at Layer 2, but that was it. Resolution: shut down the old APs.

Case 8: School H, address also withheld, had student WiFi that was unable to reach the Internet for some, not all, students. Diagnosis: This was a small school. The wired LAN was bridged to the WiFi network (by design). One day, a teacher had plugged a consumer-grade WiFi router into the wired network. This router began handing out 192.168.0.x DHCP assignments to students as they joined the 10.x WiFi network. Resolution: Unplug the router.

Case 9: School J, address unknown, had bad WiFi in the auditorium. Diagnosis: the auditorium had an impossible number of interfering access points, all with omni-directional antennas. Resolution: shut some of them off and think about partitioning the space with directed coverage for wireless access.

Case 10: School K, wouldn't want me to disclose their address, had "bad WiFi". People "had to reboot," etc. Diagnosis: school had multiple, uncoordinated DHCP servers handing out overlapping network addresses from the same scope. Resolution: Really?! C'mon! Who ya gonna call?
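Cases 8 and 10 are both "who is answering DHCP on my segment" problems, and both are visible in the OFFERs a listener sees on the wire. The following is an added example, not from the original post: an audit of constructed DHCP OFFER observations that flags unauthorized servers, offers outside the expected 10.x scope, and addresses offered by more than one server.

```python
"""Audit of DHCP OFFERs seen on a bridged LAN/WiFi segment.

Added example, not from the original post. It models case 8 (a consumer
router handing out 192.168.0.x addresses on a 10.x network) and case 10
(uncoordinated servers handing out overlapping addresses). The server
addresses, scope and observations below are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

AUTHORIZED_SERVERS = {"10.1.0.2"}           # the school's DHCP server (assumed)
EXPECTED_SCOPE = ip_network("10.1.0.0/16")  # addresses clients should receive (assumed)

# Constructed observations of DHCP OFFER messages: (server_ip, offered_ip, client_mac)
OFFERS: List[Tuple[str, str, str]] = [
    ("10.1.0.2",    "10.1.20.15",   "aa:bb:cc:00:00:01"),
    ("192.168.0.1", "192.168.0.23", "aa:bb:cc:00:00:02"),  # case 8: a teacher's home router
    ("10.1.0.2",    "10.1.20.16",   "aa:bb:cc:00:00:03"),
    ("10.1.0.9",    "10.1.20.16",   "aa:bb:cc:00:00:04"),  # case 10: second server, same address
    ("10.1.0.9",    "10.1.20.40",   "aa:bb:cc:00:00:05"),
]


def audit_offers(offers: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Return findings keyed by category: rogue_server, foreign_subnet, overlapping_scope."""
    findings: Dict[str, List[str]] = {
        "rogue_server": [], "foreign_subnet": [], "overlapping_scope": []}
    servers_by_address = defaultdict(set)  # offered address -> set of servers that offered it
    for server, offered, mac in offers:
        if server not in AUTHORIZED_SERVERS:
            # Any server not on the allow-list is a rogue, whatever address it hands out
            findings["rogue_server"].append(f"{server} offered {offered} to {mac}")
        if ip_address(offered) not in EXPECTED_SCOPE:
            # Clients landing outside the campus scope lose their route to the Internet
            findings["foreign_subnet"].append(f"{offered} from {server} is outside {EXPECTED_SCOPE}")
        servers_by_address[offered].add(server)
    for offered, servers in sorted(servers_by_address.items()):
        if len(servers) > 1:
            # Two servers offering the same address means overlapping, uncoordinated scopes
            findings["overlapping_scope"].append(f"{offered} offered by {sorted(servers)}")
    return findings


if __name__ == "__main__":
    for category, items in audit_offers(OFFERS).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("  -", item)
```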

What is Outdoor WIFI

What is Outdoor WiFi or Long-Range WiFi Network?

Outdoor WiFi is a low-cost setup that can improve your internet connection throughout your property. It gives you the ability to reach a network from miles away, whether to share the internet connection with another building or simply to extend the WiFi signal outside.

To provide outdoor WiFi to an area adjacent to a building, there are two approaches:

1) exterior, weatherproof, purpose-built access points, mounted on the outside of the building.

2) interior access points mated with exterior antennas. The AP is inside the building; the antenna is outside.

Often, you will choose an AP or antenna with a sector radiation pattern that directs coverage away from the building and out into an open space.

The AP or sector antenna might create a 30, 45, 60, 90 or 120 degree horizontal wedge. The narrower the antenna pattern, the more concentrated the power from the transmitter. This concentration is expressed as the antenna's gain factor. An antenna with a narrow sector pattern can provide service for many miles, over a smaller coverage area.

In the US, the effective radiated power output is limited to 100 milliwatts by law. When you pair an antenna with an access point, you have to program a gain factor for the antenna, which is provided by the antenna manufacturer. The gain value tells the transmitter to reduce its output power to remain within the law.

Antenna extension cables and connectors can cause losses between the transmitter and the antenna. With long antenna cables, you may have to reduce the programmable gain to make up for the losses. It is better to extend the Cat5e or Cat6 data cable that provides data and power to the access point than to extend the antenna leads.
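The gain, loss and power-limit arithmetic above is simple in decibels once everything is in dBm and dB. The following is an added example, not from the original post: it converts the 100 mW limit the post cites to dBm, computes the EIRP for a given transmitter setting, antenna gain and cable loss, and derives the highest transmitter setting (and the net gain to program) that stays within the limit. The 14 dBi antenna and 3 dB of cable loss in the demo are assumed values.

```python
"""EIRP budget for an access point driving an external antenna.

Added example, not from the original post. It works the post's rule in dB:
EIRP = transmitter power + antenna gain - cable/connector loss, checked
against the 100 mW limit the post cites. The gain, loss and power values
used in the demo are assumptions.
"""
import math

EIRP_LIMIT_MW = 100.0  # limit stated in the post


def mw_to_dbm(milliwatts: float) -> float:
    """Power in milliwatts to dBm (100 mW -> 20 dBm)."""
    return 10.0 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """Power in dBm back to milliwatts."""
    return 10.0 ** (dbm / 10.0)


def eirp_dbm(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """Effective isotropic radiated power leaving the antenna, in dBm."""
    return tx_power_dbm + antenna_gain_dbi - cable_loss_db


def max_tx_power_dbm(antenna_gain_dbi: float, cable_loss_db: float = 0.0,
                     limit_mw: float = EIRP_LIMIT_MW) -> float:
    """Highest transmitter setting that keeps EIRP at or below the limit."""
    return mw_to_dbm(limit_mw) - antenna_gain_dbi + cable_loss_db


def gain_to_program(antenna_gain_dbi: float, cable_loss_db: float) -> float:
    """Net gain to enter in the AP: the manufacturer's figure less the feed-line loss.

    Entering the net figure lets the radio raise its output by the amount the cable
    eats, which is the 'reduce the programmable gain' adjustment the post describes.
    """
    return max(0.0, antenna_gain_dbi - cable_loss_db)


def is_compliant(tx_power_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0,
                 limit_mw: float = EIRP_LIMIT_MW) -> bool:
    """True when the radiated power does not exceed the limit (small tolerance for float error)."""
    return eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db) <= mw_to_dbm(limit_mw) + 1e-9


if __name__ == "__main__":
    gain, loss = 14.0, 3.0  # assumed: 14 dBi sector antenna, 3 dB of cable and connectors
    tx_max = max_tx_power_dbm(gain, loss)
    print(f"{EIRP_LIMIT_MW:.0f} mW limit = {mw_to_dbm(EIRP_LIMIT_MW):.0f} dBm")
    print(f"gain to program: {gain_to_program(gain, loss):.1f} dBi")
    print(f"max TX power: {tx_max:.1f} dBm ({dbm_to_mw(tx_max):.1f} mW), "
          f"EIRP {eirp_dbm(tx_max, gain, loss):.1f} dBm")
```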

When choosing a location for an exterior antenna or AP, it is best that there be line-of-sight between the antenna and the area to be covered. Trees and other structures will attenuate radio signals, particularly for the 5 GHz bands.

It is also very important that the near-field of the signal be unobstructed. Roof edges, building overhangs and corners can interfere with the radiation pattern.

Picture a pebble dropped into the water. Ripples will radiate evenly in all directions. Now, picture the same pebble dropped into water with rocks. The ripple pattern will be disturbed by the reflections from the obstructions. We want to avoid the same kind of reflections with WiFi.

To cover an open space with many access points, such as a quadrangle, it is better to mount the antennas high and aim them downward, toward the ground. This is the same approach that one would take if installing outdoor lighting, careful to light each area independently.

To provide WiFi to locations far away, a wireless bridge or mesh may be desired. An access point located on a building can create a back-haul link to a distant access point or access points.

When there is one access point at the far end of the back-haul link, we call this a point-to-point connection or bridge. When there are several, we call this point-to-multipoint or mesh. The distant access points may provide local service as if they were wired.

Often, with a dual-radio access point, one radio is used for the back-haul network and the other is used to provide WiFi access. Sometimes you will use a high-gain antenna for the back-haul radio and an omni-directional antenna for user WiFi. You may also drop a wired connection for a camera or switch.

There must be electrical power available at the far end of the link. This can be hard-wired AC power or provided by a power injector depending on the AP and the application. A typical access point plus camera installation will include two power injectors--one for the AP and one for the camera.

In a WiFi infrastructure, APs that form the bridge or mesh are managed by a wireless controller or cloud just as the campus APs are. Sometimes, instead, an inexpensive third-party bridge can be used to extend the campus network. Devices located at the far end, including access points, will not be aware of the third-party wireless bridge.

A typical bridge or mesh configuration will use a 5 GHz link for back-haul and 2.4 GHz for local service. The expected speed in a nearby, line-of-sight application is often just over 100 Mbit/s.

Bridge and mesh products that use 24 GHz or 60 GHz radios are also available. These feature back-haul speeds in the 1 Gbit/s range. The wavelength of a 60 GHz signal is just 5 mm, which is less than the width of a large raindrop or a snowflake. Because of this, 24 GHz and 60 GHz transmissions are subject to 'fade' or failure in rain, snow or fog. For this reason, 60 and 24 GHz bridges are often packaged with 5 GHz fall-back radios.

A bridge built from 900 MHz radios can penetrate trees and weather much better than a 5 GHz radio, but with a much narrower channel width and throughput measured in hundreds of kbit/s.

Local outdoor coverage, bridges or meshed links--Atlantic has been providing commercial WiFi for 15 years. Call us for your next project. - Kevin Dowd

Bitcoin in 2021

There is a limit to the number of bitcoins--21 million in total, with about 2 million left to be mined. Presently, there are about 900 new bitcoins per day. As more are found, the hash target becomes increasingly harder to hit and it becomes asymptotically harder to find additional bitcoins. It will be the year 2140 before the last one is finally found. There's investment and reward in the effort: Russia just took delivery of a 70 MW crypto mining farm. It is said that almost 65% of the cryptomining resources are in China. Bitcoin broke $50,000 on Tuesday. Elon Musk bought $1.3 billion in bitcoin a couple of weeks ago, when it was already over $40,000. Projections are for $500,000 per bitcoin.

The US dollar has been the world's reserve currency for a century, even as the US has heaped on debt for wars and social programs. The alternatives--the euro or the yuan--each have problems that continue to favor the dollar: the euro zone is crumbly and has debts too, and China's currency is tightly controlled by the government, with a trust deficit for Chinese policy. This past year, with the United States' COVID-19 response, the US debt became larger than its economy. This makes the dollar just a little bit riskier as a reserve currency.

In January, it became illegal for you to personally trade in cryptocurrencies if you are a resident of Nigeria. The ban expands a list that includes China, Iran, Bolivia, Nepal, Bangladesh, Ecuador and Morocco. Cryptocurrency trading is still allowed in the US, but you are now required to indicate whether you have traded in cryptocurrencies on your tax return. The public argument against cryptocurrencies is that crypto is tender for criminal activities, and that it is difficult to track and tax. Alternative Central Bank Digital Currencies are likely to be introduced and sanctioned instead. They can be tracked. They will be centrally managed, unlike Bitcoin. They're digital fiat money. Bitcoin isn't.

Why do China, Russia, North Korea and (possibly) the United States want to be dabbling in Bitcoin? As is the case for you and me, there's a speculative upside. But there is also a possibility that Bitcoin will become a bona fide reserve currency--a place to park value. The prices will stabilize. Fiat currencies will weaken as money is converted into crypto. Like a game of musical chairs, when the music stops, some countries and individuals will have larger shares of the reserve currency. And if Bitcoin becomes that important, the effort spent gathering up bitcoins today will affect the wealth of nations tomorrow.

Crypto trading rides on top of digital networks, and these are subject to tampering. I will address the network vulnerabilities for crypto trading in a future blog entry.

-Kevin Dowd

AI in your Network

AI in your network

There's a scene in "Mars Attacks" where Pierce Brosnan, playing the scientist, dissects one of the dead Martians. He pulls some red jelly from the brain and says "Curious." It captures one of the problems with what we're calling AI today: like the jelly, the components of an AI can do amazing things, but you really can't look at them and say why.

The term Artificial Intelligence has changed its meaning many times over the last 50 years. It currently refers to systems that can do feature correlation and extraction from training data sets--often very large ones. For example, training a system to recognize a face (like your phone does) is an exercise in presenting exemplar data to the system along with reinforcing feedback when a face is displayed. This is called supervised training. After seeing enough faces and getting the green light for each one, the system can learn a correlation and provide the green light on its own when a new face is presented.

The systems and theory for this kind of AI have been around since the 1960s--even the 1950s. A well-known example is called a multi-layer perceptron, or neural network. The original objective was to imitate the way neurons interconnect and to reinforce pathways in the presence of specific stimuli. The neural network would be made of two or often three layers--an input layer, a hidden layer and an output layer. Inputs to a given layer would add or subtract from one another in accordance with weights (multipliers). The weights would be "learned" during the training process. They were the jelly in the Martian's brain.

The neural network is an analog model of how neurons might work, and some analog implementations have been created. On a digital computer, however, it is represented by matrix arithmetic. Matrix arithmetic can often be parallelized so that multiple operations occur at the same time. This makes it fast--very fast--given suitable hardware.

In the last ten years, supercomputers have been pieced together not from liquid-cooled Crays or hypercubes, but from very small-featured computing devices like field-programmable gate arrays or graphics cards. In fact, Nvidia--the company that makes some of the best graphics hardware--is also the world's leader in supercomputers. That's because Nvidia graphics cards are hyper-parallel, and they can be programmed to do AI just as well as to perform pixel-based ray tracing. Nvidia is currently building what will be the world's largest supercomputer in Britain.

In the network business, you see "AI" being applied to network analytics, intrusion detection and diagnostics. The systems are the product of supervised and unsupervised training that looks to correlate events and to recognize unique patterns, such as a network intruder. Part of the reason vendors are pushing the cloud so vigorously is that, in addition to being the customer, you are part of the product: your network experiences contribute the training sets for "AI" analytics. They need you to participate in the cloud, too.

Given copious compute power, the quest to make AIs more capable is correlated with making them deeper--adding more layers, more sophisticated back-propagation and weight adjustment. "Deep learning" makes the AI more powerful, but it also makes it subject to pitfalls that are endemic to higher order curve-fitting. That is, when the input is similar to training data, the results can be excellent. In the face of unfamiliar input, deep AI can be wildly unpredictable. "Curious," as Pierce Brosnan would say. And it’s coming to your network.

-Kevin Dowd

Why is Data Security Information so Noisy?

Why is DATA SECURITY so noisy?

We’re always hoping for an easy score. But network traffic is the manifestation of intents; the traffic is there because someone or something has a goal. It might be exchanging email, sharing data or hacking you. In almost all cases, determining the goal by looking at the traffic requires a priori knowledge or assumptions about what the traffic means; it requires information that isn’t found in the traffic itself.

The object of a Security Event Manager (SEM) or an IDS/IPS is to derive knowledge from traffic data, and then reduce it to a score. The less knowledge in the process, the less valuable the score will be, which is the reason that administrators have to investigate false positives from network intelligence devices. Heuristics and signatures are two approaches to drawing knowledge from data. Anomaly detection pulls patterns from data with little increase in knowledge.

Heuristics

Let’s say that you own a restaurant, and it has a security system. You get notified that the front door is open. What can you reasonably infer?

To make the simple observation that there might be a break-in in progress, we apply heuristics to the data; we have derived knowledge. In the end, we can say that someone is probably breaking in.

Signatures

Signatures simplify event recognition for known patterns. They condense multivariate input—essentially the meat of heuristics—into a decision that creates the score. For the restaurant, a signature that said:

“the door is open and it is after hours”

would provide the same result as heuristics. Heuristics are more flexible, but signatures are efficient to process; they’re quick. Of all the possible ways to apply knowledge to complex events, signature recognition probably has the most going for it. But if a signature isn’t sufficiently specific, it can generate noise. Too specific and it might not fire.

Anomalies

Anomaly detectors watch patterns in traffic to see if they look different than training data. The more complex the input, the more complex the model, and the less sanguine its approximation will be when presented with a novel situation; higher order curve-fitting is prone to false positives by its nature.

The Semantic Gap

Semantic derivation is the process of increasing knowledge about the event. Semantic reduction is how we produce the score. When we combine anomaly detection, signatures and heuristics and semantically reduce them, the worst of the uncertainty in each comes out. This suggests that the more semantic reduction takes place in a SEM, the noisier the results will be.

What does provide reliable results? Simple metrics such as checksums on files and recognition of unplanned reboots unambiguously tell you that something significant has happened, albeit late. A SEM will highlight activity you would otherwise have missed. But one can never eliminate the noise; there are semantic gaps between what is happening on the network, what the SEM understands, and the indication you receive on the back end; you're much smarter than your network intelligence tools can ever be.

Reducing the Semantic Gap

Newer, AI-based anomaly detection systems (trained and untrained) improve the opportunities for nuanced event detection, and also for more false positives. Improvements come from coupling the output to intent, thereby reducing the semantic gap. The Mitre ATT&CK knowledge base provides a working framework for this approach. If one views the events that a SEM collects as the manifestations of intent, one can understand a breach for what it is. For instance:

  1. There is anomalous traffic from an internal computer
  2. The computer makes an outbound connection (command and control)
  3. The computer is probing the internal network; the outbound connection remains active

The numbered events, taken together, show a pattern of activity that predicts this machine has been compromised. Each one of them would be reason enough to wake the security guy in the middle of the night. Recognizing what they mean in combination reduces the semantic gap, and gives the security guy (or an IDS/IPS) a higher quality assessment of the circumstances.
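The three numbered events are individually noisy, but ordered and combined per host they become one high-confidence assessment. The following is an added example, not from the original post or from any vendor: it parses constructed SEM log lines, tracks each host through anomaly, command-and-control and internal probing, and reduces them to a verdict, distinguishing the case where probing happens while the outbound connection is still active. The log format and field names are assumptions.

```python
"""Correlating SEM events into a higher-level assessment.

Added example, not from the original post or from any vendor. It takes the
three-step pattern above (anomaly, outbound command-and-control, internal
probing while C2 is active) and reduces per-host events to one verdict.
The log lines are constructed; the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CONSTRUCTED_LOG = """\
2021-03-01T02:10:00 host=10.2.3.4 type=anomaly detail=unusual_dns_volume
2021-03-01T02:12:30 host=10.2.3.4 type=c2_connect detail=203.0.113.7:443
2021-03-01T02:15:00 host=10.2.3.4 type=internal_scan detail=ports=445,3389
2021-03-01T03:00:00 host=10.2.3.9 type=anomaly detail=large_upload
2021-03-01T03:30:00 host=10.2.3.9 type=c2_connect detail=198.51.100.2:8443
2021-03-01T03:40:00 host=10.2.3.9 type=c2_close detail=198.51.100.2:8443
2021-03-01T03:45:00 host=10.2.3.9 type=internal_scan detail=ports=22
2021-03-01T04:00:00 host=10.2.3.20 type=internal_scan detail=ports=445
"""

WINDOW = timedelta(hours=24)  # assumed: stages must fall within this span to count as one pattern


def parse_events(text: str) -> List[dict]:
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
        ev["ts"] = datetime.fromisoformat(ts_str)
        events.append(ev)
    return events


def assess_hosts(events: List[dict]) -> Dict[str, Tuple[str, List[str]]]:
    """Semantic reduction: map each host's events to (verdict, stages seen)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    results = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        anomaly_at = None   # when the first anomaly was seen
        c2_active = False   # whether an outbound C2 connection is currently open
        stages: List[str] = []
        for ev in evs:
            kind = ev["type"]
            if kind == "anomaly":
                anomaly_at = anomaly_at or ev["ts"]
                stages.append("anomaly")
            elif kind == "c2_connect":
                c2_active = True
                stages.append("c2")
            elif kind == "c2_close":
                c2_active = False
            elif kind == "internal_scan":
                stages.append("probe")
                # The decisive combination: probing the inside while C2 is still up,
                # within the window of the anomaly that started it all
                if c2_active and anomaly_at is not None and ev["ts"] - anomaly_at <= WINDOW:
                    stages.append("probe-with-c2-active")
        if "probe-with-c2-active" in stages:
            verdict = "likely compromised"
        elif len(set(stages)) >= 2:
            verdict = "suspicious: partial pattern"
        else:
            # Still worth a look on its own, as the post says; just not the full pattern
            verdict = "single indicator: investigate"
        results[host] = (verdict, stages)
    return results


if __name__ == "__main__":
    for host, (verdict, stages) in assess_hosts(parse_events(CONSTRUCTED_LOG)).items():
        print(f"{host:10} {verdict:32} stages={stages}")
```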

Vectra

Vectra, a company out of California, provides a product that combines AI with higher-level intelligence to reduce the semantic gap. It rides on top of network taps, within cloud deployments and even inside Office365. Vectra’s Network Detection and Response platform, Cognito, has been demonstrating superior results in red team testing. Recognizing the importance of reducing the semantic gap, Atlantic is helping bring Vectra to its customers. Visit vectra.ai for more information on the products or contact Atlantic Computing (www.atlantic.com).

Copyright © 2021, Atlantic Computing Technology Corporation

Aruba AOS10

Previous enterprise Aruba operating environments AOS 6.5 and AOS 8 were controller-based. Controller-based access points are the product of a time when APs were radio heads, capturing and producing wireless packets and ferrying them to a central controller. Little data processing was done at the access point—particularly in tunnel mode. Radio management, authentication and encryption were all performed centrally, at the controller.

Because of the increasing complexity of wireless networking protocols, the increasing speeds of wireless connections, and the increasing capability of access points, it is becoming advantageous to let the AP perform all of the processing and bridge traffic to the network at wire speed.

This leaves controllers with the smaller role of configuration and reporting. Configuration and reporting are less demanding than wireless network termination and require much less bandwidth. Accordingly, it is possible to place the management portal anywhere, including out on the Internet.

Under Aruba AOS10, each access point is a controller. It gets its configuration from Aruba AOS10 Central. It acts in tandem with its neighboring access points to create a seamless wireless experience.

[Image: components of an Aruba AOS10 network]

The picture above shows the components of an Aruba AOS10 network.

Access points (and switches) communicate with Aruba Central for configuration and logging. Each AP bridges traffic directly onto the network natively, via VLANs or both. Each AP communicates with its neighbors as far as several hops away. This enables roaming and forwarding of firewall state.

ClearPass, when in use, provides advanced authentication and security services, role-based access, network awareness and UEBA. ClearPass Policy Manager communicates with the access points directly, implementing RADIUS-based user access and Aruba firewall policies.

Controllers are not required, but they can be included in AOS10 for users who wish to have tunneled SSIDs or tunneled-node 802.1X-based switch port access. The benefits of tunneled traffic are that data traverse the network fully encrypted and tunnels make it possible to extend access to remote layer-2 networks. Central on Prem(ises) duplicates the cloud-based AOS10 Central management capability onsite. It is offered particularly for those enterprises that, by choice or regulation, prefer to manage the network from within their own network.

-Kevin Dowd

What is OFDMA, and how it will affect your WiFi?

The capabilities of infrastructure WiFi reliably precede the capabilities of the devices that use it, including laptops and phones. A previous major standard for WiFi, 802.11ac, included mechanics for Multi-User MIMO, or MU-MIMO. It provided a way to send data to two clients at once by adjusting power on multiple antennas. The signal that reached the first client would be canceled for the other, and vice versa: one transmission, two different interpretations.

The access point that can craft a MU-MIMO transmission is functionally a supercomputer. The transmission is the product of matrix calculations that factor in gains and the constructive/destructive interference experienced at each client. MU-MIMO is uber-cool, except that there are still very few clients for it (five years later), and the opportunity to employ it comes only once in a while.

Access points you would buy today are based on the next standard, 802.11ax or WiFi 6. MU-MIMO is still part of the mix, but there is a much more interesting multi-user capability in the standard, called Orthogonal Frequency-Division Multiple Access (OFDMA). It works by sharing the sub-carriers in a transmission between multiple client devices.

What are sub-carriers? At WiFi's higher modulation rates, transmitted data are conveyed in multiple, bonded streams which are transmitted at neighboring frequencies. These are reassembled on receipt. Sub-carriers are orthogonal, meaning that the transmission of one does not interfere with the transmission of another. Sub-carriers provide a way to slice WiFi bandwidth into resilient pieces of modest width. Narrower bands can be demodulated and bonded more easily than if the whole channel were taken altogether at once. Fatal interference within a sub-carrier doesn't necessarily ruin the transmission.

In WiFi 6, the sub-carriers can be shared so that some are destined for this client; some are for that client. This means that in one transmission, an access point can talk to multiple clients. That would be significant enough, but the real performance benefit comes from the elimination of overhead.

To make a single transmission, a modern access point has to perform channel assessment (to see if the air is busy). It has to insert guard bands (dead air) to allow for response turnaround. And an access point has to contend with overlapped transmissions, back-off and retry. The overhead time associated with acquiring the channel can be much greater than the data transmission window. This makes the air-time efficiency of a very fast access point with typical client data about 10%. That's low! By combining the data for multiple clients on multiple sub-carriers, the efficiency can increase dramatically: the same amount of channel acquisition time is shared among multiple users. The problem, as ever, is that there are few clients for OFDMA as of yet.
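The efficiency argument above can be put in numbers with a very simple model. The following is an added example, not from the original post: every transmission pays a fixed channel-acquisition cost, and OFDMA lets several clients' frames share one such cost. The 100 µs overhead and 12 µs frame time in the demo are assumed figures chosen to reproduce the "about 10%" in the text.

```python
"""Air-time efficiency with and without OFDMA.

Added example, not from the original post. It uses the simplified model the
post describes: every transmission pays a fixed channel-acquisition cost
(assessment, guard time, back-off and retry), and OFDMA lets several
clients' frames ride on one acquisition. All timing values are assumed.
"""
from typing import List


def single_user_efficiency(overhead_us: float, payload_us: List[float]) -> float:
    """Legacy behaviour: every client's frame pays its own acquisition overhead."""
    useful = sum(payload_us)
    total = sum(overhead_us + p for p in payload_us)
    return useful / total


def ofdma_efficiency(overhead_us: float, payload_us: List[float]) -> float:
    """OFDMA: one acquisition carries all frames, each on its own slice of sub-carriers.

    Each frame takes longer on a narrower slice, but they are sent simultaneously,
    so the transmission lasts roughly the sum of the full-width payload times.
    """
    useful = sum(payload_us)
    return useful / (overhead_us + useful)


def clients_for_target(overhead_us: float, payload_us: float, target: float) -> int:
    """Smallest number of equal frames per acquisition that reaches the target efficiency."""
    n = 1
    while ofdma_efficiency(overhead_us, [payload_us] * n) < target:
        n += 1
    return n


if __name__ == "__main__":
    # Assumed: ~100 us to win the channel; a 1500-byte frame at ~1 Gbit/s is about 12 us
    overhead, frame = 100.0, 12.0
    frames = [frame] * 4
    print(f"legacy, 4 frames : {single_user_efficiency(overhead, frames):.1%}")
    print(f"OFDMA,  4 frames : {ofdma_efficiency(overhead, frames):.1%}")
    print(f"frames per acquisition needed for 50%: {clients_for_target(overhead, frame, 0.5)}")
```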

-Kevin Dowd

The Death of the Heat Map

The Death of the Heat Map

Fifteen years ago, when organizations were just beginning to experiment with 802.11 wireless networks, the WiFi heat map was considered a good, splotchy plan to show where wireless would be available and how good it might be. WiFi can travel pretty far under the right conditions. Back then, we built networks for coverage, not necessarily capacity. So any signal was a good signal.

[Image: WiFi heat map]

A few years later, we began building WiFi networks for capacity. The object was/is to provide good connections to a community of users across the whole campus. For a good experience, one needs to make an association with an access point that is nearby. Generally, the closer the AP, the better the signal and thus the higher the negotiated data rate. In short: nearby AP good; far-away AP bad.

Consider this, though: if every client is going to be near an AP, then every AP is probably going to be near other APs. That means that there will be overlapped WiFi. Here is an example of what we find in the air at a typical busy campus. This data, in fact, is associated with the heat map above:

[Image: list of access points and radios heard from the measurement location]

The list shows that from the location where the measurement was taken, the client could hear 28 unique access points and 43 radios! Moreover, many of them were on the same channels. There were, in fact, so many APs in this space that the amount of bandwidth available for users was being cannibalized by WiFi management frames. This was particularly true in the 2.4 GHz band, where slow beacons transmitted by every radio every 100 ms could consume the lion's share of the channel in a kind of death of a thousand cuts. So, in this case: pretty heat map, bad WiFi.
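The "death of a thousand cuts" is easy to quantify. The following is an added example, not from the original post: it estimates the share of a 2.4 GHz channel eaten by beacons alone when the 43 radios above are spread over the three non-overlapping channels, once at the 1 Mbit/s DSSS basic rate and once at 6 Mbit/s OFDM. The channel split, the 300-byte beacon size and the preamble times are assumptions, not measurements from the post.

```python
"""Beacon overhead on a crowded 2.4 GHz channel.

Added example, not from the original post. It estimates how much of a
channel's air time the beacons alone consume when many radios share it,
starting from the 43 radios the post counted. The split of radios across
channels, beacon size, rates and preamble times are assumptions.
"""
import math


def beacon_airtime_us(beacon_bytes: int, rate_mbps: float, preamble_us: float) -> float:
    """Time one beacon occupies the air: PHY preamble plus the frame sent at the basic rate."""
    return preamble_us + beacon_bytes * 8 / rate_mbps


def channel_beacon_load(radios_on_channel: int, interval_ms: float, beacon_bytes: int,
                        rate_mbps: float, preamble_us: float) -> float:
    """Fraction of each second spent carrying beacons from every radio on the channel."""
    beacons_per_second = 1000.0 / interval_ms
    airtime = beacon_airtime_us(beacon_bytes, rate_mbps, preamble_us)
    return radios_on_channel * beacons_per_second * airtime / 1e6


def radios_per_channel(total_radios: int, channels: int) -> int:
    """Radios on the busiest channel when they are spread as evenly as possible."""
    return math.ceil(total_radios / channels)


if __name__ == "__main__":
    # Assumed: all 43 radios live on the three non-overlapping 2.4 GHz channels
    radios = radios_per_channel(43, 3)
    for label, rate, preamble in (("1 Mbit/s DSSS, long preamble", 1.0, 192.0),
                                  ("6 Mbit/s OFDM", 6.0, 20.0)):
        # Assumed: 300-byte beacon from every radio every 100 ms
        load = channel_beacon_load(radios, 100.0, 300, rate, preamble)
        print(f"{radios} radios, beacons at {label}: {load:.1%} of the channel")
```

The second line shows why raising the lowest basic rate trims the beacon tax; Case 3 in "Who Ya Gonna Call?" shows what happens when that rate is pushed too high.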

Dense WiFi networking depends on lots of APs running at low power, near their clients. The WiFi infrastructure can play many roles in encouraging clients to choose AP associations wisely. And the latest WiFi standard, 802.11ax, provides extra features for managing overlapped APs. WiFi has advanced to reach blazing speeds and high densities in the last fifteen years, but the heat map doesn't tell you much more than it did back then.

-Kevin Dowd

BSS Coloring in WiFi 6

BSS Coloring in WiFi 6

If you’ve ever used a two-way radio or walkie-talkie, you’ve probably had the experience where the person you’re listening to gets “stepped on” by somebody else’s transmission. You may have also noticed times when the person you’re listening to “steps on” someone else’s transmission, overpowering it.

WiFi networks have long dealt with the same issues, avoiding the "stepped on" transmission by performing channel assessments and signaling intent to use a channel. This coordination and cooperation even happens between WiFi networks that otherwise have no connection to one another. If the barber shop runs an AP on channel 53 and the tire store also runs on channel 53, the two are going to share the channel. The tire store AP has its clients; the barber shop AP has its clients. Their access points and clients will each listen for transmissions on channel 53, yielding access if the power of any transmission is above a modest -82 dBm.

In each case, the AP and its clients form a Basic Service Set, or BSS. To make better use of shared channels, WiFi 6 (802.11ax) introduces the notion of BSS coloring. The 'color' is a small integer in the transmission preamble. For the sake of our discussion, let's say that the integers actually correspond to colors: the BSS of the AP and all of the WiFi clients in the barber shop is blue; the tire store BSS is red. BSS color makes it immediately possible for all WiFi devices to tell whether a transmission is meant for the tire store or the barber shop.

BSS coloring facilitates "stepping on" another BSS's traffic. If the AP in the tire store (red) wishes to transmit while a device in the barber shop (blue) is talking, it can make a decision to broadcast over the ongoing transmission, even if the power is as high as -62 dBm. The reason this will work is that each BSS and its clients are in proximity to one another, and the interference caused by its neighbors is dynamically judged to be low enough to permit the simultaneous transmission to succeed. One channel; two transmissions.

The benefit of BSS Coloring is that we can build denser WiFi networks with more channel overlap. BSS Coloring is one of the powerful new capabilities in WiFi 6.

-Kevin Dowd