Computer Communications 27 (2004) 1746–1756 www.elsevier.com/locate/comcom
Security performance of loaded IEEE 802.11b wireless networks
Nilufar Baghaei, Ray Hunt*
Department of Computer Science and Software Engineering, University of Canterbury, Private Bag 4800, Christchurch 8001, New Zealand
Available online 6 July 2004
Abstract
Existing solutions for wireless LAN networks have been subject to security vulnerabilities, and a previous study addressed and evaluated the security performance of IEEE 802.11b wireless networks using a single server–client architecture and simple traffic models. This paper describes research into the effect of multiple security mechanisms on the performance of multi-client congested and uncongested networks using a layered security model. It evaluates the interaction between different security layers and their effects on performance (response time and throughput). This research also evaluates the performance effect of different TCP and UDP packet size distributions on secure wireless networks. The benefits of this wireless network study focus on determining ways in which to configure wireless networks such that security requirements can be met in relation to a quantifiable performance impact in practical situations.
© 2004 Elsevier B.V. All rights reserved.
Keywords: Network security performance; IEEE 802.11b; Wireless LAN security
1. Introduction
Over recent years, the market for wireless communications has experienced considerable growth. Wireless technologies have found an important place and popularity in business and the computer industry. Wireless LANs have become a very important component of network architecture, with the major benefits being increased flexibility and mobility. Unlike a traditional wired LAN, users can access servers with much greater freedom. Mobility in IP architecture, as well as mobility between wireless LANs and wireless WANs, enhances these benefits even further. Such benefits of mobility and access come with stringent security and performance requirements. The importance of maintaining secure and reliable links between the communicating parties is often underestimated or even ignored. Security risks in wireless networks are equal to the sum of the risk of operating a wired network plus the new risks introduced as a result of the portability of wireless devices [10]. To reduce these risks, organisations need to adopt security measures and practices which lower such risks to a manageable level.
This paper describes investigations into the performance of the implementation of the IEEE 802.11b wireless LAN security architectures. In particular it builds upon the earlier work reported in Ref. [6], which is based upon a single client and basic traffic models. Although previous research has evaluated TCP and UDP performance over wireless LANs [8,16,20], such work has not taken into account the impact of the different IEEE 802.1x security mechanisms to be outlined in Section 3.2. This paper addresses the interaction between different security mechanisms and their effects on the performance (response time and throughput) of congested and uncongested networks, in conjunction with the contention resulting from the use of multiple clients. In particular, Section 2 outlines various wireless LAN security architectures, while Section 3 describes the experimental configuration model, traffic generation and statistical analysis of the results. Further, this paper describes the effects of different TCP and UDP packet size distributions on network performance under the different security mechanisms specified by IEEE 802.1x (Section 3.6.3). Section 4 discusses the architectural and operational issues that potentially affect wireless LAN performance.
* Corresponding author. Tel.: +64-33642347; fax: +64-33642569. E-mail address: [email protected] (R. Hunt).
0140-3664/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2004.06.004
2. Security architectures in wireless LANs
Wireless networks are frequently categorised into three groups based on their coverage range:
• Wireless Wide Area Network (WWAN)
• Wireless Local Area Network (WLAN)
• Wireless Personal Area Network (WPAN).
Fig. 1. Overview of mobility and data rates in wireless networks.
Wireless WANs include wide coverage area technologies such as Time Division Multiple Access (TDMA) and Code Division Multiple Access (CDMA). Existing second-generation (2G) digital cellular systems include Global System for Mobile (GSM) in Europe and Personal Digital Communication (PDC) in Japan. The 2G to 2.5G wireless WANs provide data rates from 9.6 to 348 Kbps. For third-generation (3G) systems, Universal Mobile Telecommunication System (UMTS) is one of the major systems aiming for higher capacity and data rates with global mobility, and operates at around 144 Kbps–2 Mbps.
Wireless LANs provide greater flexibility and portability than do traditional wired LANs. A wireless LAN connects computers and other components to the network via an Access Point (AP). The IEEE 802.11 family is a set of international standards providing transmission speeds ranging from 1 to 54 Mbps in either the 2.4 or 5 GHz frequency bands.
Wireless PANs typically provide a maximum range of 10 m, facilitating communication between laptops, cell phones and Personal Digital Assistants (PDAs). The best-known wireless PAN technology, Bluetooth (http://www.bluetooth.com), is based on low power signalling in the 2.4 GHz frequency band similar to the IEEE 802.11b standard, but using a different approach to signal processing. It is intended to provide wireless links between mobile computers, PDAs, cell phones and the Internet. Significant operational differences between Bluetooth and IEEE 802.11b are the bandwidth—1 versus 11 Mbps or higher, and distance—10 versus 100 m or more. IEEE 802.15.1 is another wireless PAN technology that aims at very low power consumption, and operates over about 10 m with data rates of less than 1 Mbps. The 802.15 WPAN standard targets interoperability between wireless PAN devices and devices meeting the IEEE 802.11b standard.
Fig. 1 illustrates the three main categories of wireless networks and their coverage ranges. The most successful wireless networking technology thus far has been the IEEE 802.11 family, and hence it is the main focus of this research. The IEEE 802.11 standard incorporates the IEEE 802.1x authentication protocol (an enhancement of the default WEP authentication), which employs port-based network access control. It is used for communication between wireless clients and an AP, while RADIUS operates between an AP and an authentication server. IEEE 802.1x was proposed to address WEP vulnerabilities by providing access control and key distribution to any (wired or wireless) Ethernet port.
The link layer security provisions in the IEEE 802.11 standards are all vulnerable to attacks. Therefore, in practice, implementations need to deploy additional higher-level security mechanisms such as access control, end-to-end encryption, password protection, authentication, virtual private networks, firewalls, etc., and treat WEP as a very basic layer of security only. The security mechanisms associated with each of the IEEE 802.1x options, as well as the associated performance issues when typical applications are overlaid in each case, need to be understood and carefully quantified.
Further work is underway to enhance the IEEE 802.11 security architecture, and task group IEEE 802.11i [14] is currently working on enhancements to the encryption and authentication mechanisms of the current IEEE 802.11 standard. Their work has resulted in the development of:
• an addition to the IEEE 802.11 standard with IEEE 802.1x [7] authentication and key management
• an improvement of the existing WEP with Temporal Key Integrity Protocol (TKIP), also known as WiFi Protected Access (WPA)
• the Robust Security Network (RSN) architecture with a stronger encryption algorithm such as AES.
One of the major security issues with WEP is the challenge of distributing and managing encryption keys. The IEEE 802.1x standard has been introduced to provide centralised authentication and dynamic key distribution for the IEEE 802.11 architecture, using the IEEE 802.1x standard in conjunction with RADIUS [15].
3. IEEE 802.1x performance evaluation studies
The objective of this research was to investigate the performance and security issues of IEEE 802.11b wireless LANs with multiple clients, to demonstrate contention in a secure environment. The following issues are addressed in particular:
• How do different security mechanisms affect the performance (delay and throughput) of a congested wireless LAN with multiple clients?
• What are the effects of different distributions and profiles of packet lengths on the performance of wireless LANs when operating with different security mechanisms?
• What is the impact of security on different traffic types resulting from typical applications?
• How does the performance of a secure network vary as more clients are added?
Many factors affect network performance, and some of these interact to give overall performance results which can vary depending on the choice of hardware devices, software application and network topology. Some of the performance measurements include: response time, throughput, coverage area, mobility, bandwidth, latency, radio signal strength, etc. Response time and throughput were measured in this research to provide a comprehensive view of the network performance (these two parameters have also been measured in other wireless performance studies, such as Ref. [1]). They are defined as follows:
• Response time: the total time required for traffic to travel between two points. It includes connection establishment and security negotiation time between the server and the clients, as well as the actual data transfer time.
• Throughput: the total number of bytes transmitted over the network in a given time (the response time).
3.1. Experimental configuration
The experiments were based upon Windows XP (clients) and a Windows 2000 server, as both have built-in implementations of the IEEE 802.1x authentication protocol. As shown in Fig. 2, the experiments were conducted using:
• One server: Windows 2000 Advanced Server, 1.4 GHz, 512 MB RAM, Orinoco AP-2000 software.
• Three clients: Windows XP Professional, 1.4 GHz, 512 MB RAM, Orinoco USB client and Orinoco Wireless LAN Gold Cards.
• Access Point (AP): Lucent Orinoco AP-2000.
• Traffic generator: IP Traffic [9], a Windows-based software-testing tool designed for both fixed and wireless IP networks.
Fig. 2. IEEE 802.1x experimental configuration testbed.
The generator had to be flexible and capable of overloading the network. The specific requirements we had in mind for choosing a traffic generator were:
• Suitable for wireless networks
• Capable of overloading an IEEE 802.11b wireless LAN
• Allowing the user to change the packet size and inter-packet delay
• Allowing the user to select the traffic generation algorithm.
The transmission speed was 11 Mbps between the AP and the clients and 100 Mbps between the AP and the server. The Ethereal Network Analyser [4] was used to capture live network statistics, and the measurements were collected from the server.
3.2. Security layers
The following eight security layers (mechanisms) were chosen to present a hierarchical order of the security mechanisms available from both the IEEE 802.11 and IEEE 802.1x standards:
1. No security: this is the default security setting provided by vendors.
2. MAC address authentication: this layer provides MAC address authentication carried out at the AP.
3. WEP authentication: the shared key authentication method specified in the IEEE 802.11 standard.
4. WEP authentication with 40-bit WEP encryption: this layer adds the RC4 encryption algorithm.
5. WEP authentication with 128-bit WEP encryption: this layer is the same as above using 128-bit keys.
6. EAP-TLS authentication: this is the PKI-based authentication method supported by IEEE 802.1x, using digital certificates to authenticate the user.
7. EAP-TLS with 40-bit WEP encryption: the combined effect of these tools provides the strongest layer of encryption and authentication, using per-session keys.
8. EAP-TLS with 128-bit WEP encryption: this layer is the same as above using 128-bit keys.
The first five security layers are consistent with the IEEE 802.11 standard, while security layers 6–8 are provided by the IEEE 802.1x standard.
Fig. 3. IEEE 802.1x model logical flow.
3.3. IEEE 802.1x model implementation
The IEEE 802.1x model consists of the IEEE 802.11 access mechanism using open and shared key authentication, WEP encryption and port-based authentication. By combining these protocols (as security layers 6–8), the model provides a controlled wireless network with user identification, centralised authentication and dynamic key management. For security layers 6–8, a RADIUS server was used to provide dynamic key management and centralised authentication (see Fig. 3, where the server and one of the clients are shown). The authentication method chosen for the experiments was EAP-TLS, as it provides advanced authentication by way of digital certificates. Other authentication alternatives include EAP-SRP (Extensible Authentication Protocol-Secure Remote Password), MD5/Wireless CHAP (Message Digest 5/Wireless Challenge Handshake Authentication Protocol), PEAP (Protected EAP), LEAP (Lightweight EAP), EAP-FAST (EAP Flexible Authentication and Secure Tunnelling), etc.
The IEEE 802.1x model does not support end-to-end security, because privacy and confidentiality are only ensured on the wireless link by WEP and are not enforced on the wired counterparts. Wireless users were treated as if they existed in one subnetwork of an organisation's intranet. Specific IP addresses were assigned to the wireless users, the AP and the different components of the server. The RADIUS server and certificate authorities were added to the basic network structure to provide the IEEE 802.1x authentication support (Fig. 4). The RADIUS server supported wireless user sign-on, and a certificate authority was used to issue certificates to users for EAP-TLS authentication.
Fig. 4. IEEE 802.1x model implementation.
3.4. Traffic generation engine
We were interested in the ability of a wireless LAN to transfer IP packets of a predefined number, size, content and bandwidth, in order to measure the variation in performance when security mechanisms are implemented. The IP Traffic tool was selected as the traffic generator as it meets all the requirements specified at the beginning of Section 3. IP Traffic is a software-testing tool that is designed for both fixed and wireless IP networks and runs on Windows platforms. It can generate, receive, capture and replay IP traffic, and measure end-to-end performance and Quality of Service over any IP fixed or mobile network. The generator can manage several simultaneous IP connections (Fig. 5); however, for practical purposes we only used one active connection from each client. We used the real time statistics generated by IP Traffic, as well as the data collected by Ethereal on the server side, to evaluate the performance of the wireless network. The following describes and justifies the parameters specified in the generator for the duration of the experiments (Fig. 6).
3.4.1. Total number of packets
Ranges between 10,000 and 60,000 were evaluated, and preliminary experiments showed that the choice of the number of packets did not affect the trends observed in the results. Thus, in our experiments, 43,000 was selected as an arbitrary value between the two.
3.4.2. Outgoing bandwidth
The nominal incoming bandwidth of an IEEE 802.11b AP is 11 Mbps. Since we were interested in the behaviour of networks under congestion, we set the outgoing bandwidth of each client to 12 Mbps, well in excess of the published IEEE 802.11 maximum, so as to ensure a congested scenario.
Fig. 5. IP traffic tool on client side.
Fig. 6. Parameters specified for each connection.
3.4.3. Traffic type
TCP and UDP form the basis of all the applications running on the IP protocol stack, and other studies have evaluated the performance of these protocols over wireless networks [8,16,20]. However, none of them took the impact of different security mechanisms into account.
3.4.4. Packet length
In the first set of experiments the packet length was set to a random integer uniformly distributed over the range 40–1500 bytes. The main advantage of this traffic model is that it allows the full range of packet sizes to be explored. The values 40 and 1500 bytes were chosen as the boundaries of IP packet sizes because this range represents typical IP packet size limits and distributions [2,18,20]. Random generation of packet lengths (in the first set of experiments), compared with using fixed sizes, provided a more realistic situation. In the second part of the experiments (studying throughput as a function of packet size), four fixed packet sizes (100, 500, 1000 and 1500 bytes) were selected, and the experiments were conducted using one value at a time. Again, these values were selected as they represent a typical distribution sample of IP packet sizes.
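The following Python script is an added example and is not the IP Traffic tool or any code from the paper. It reproduces, on a loopback UDP socket, the configurable parts of the generator described in Sections 3.4.1–3.4.4: the two packet-length models (uniform over 40–1500 bytes and fixed sizes), pacing of the flow to a target offered rate (500 Kbps or 12 Mbps in the paper), and the two measures defined at the start of Section 3, response time and throughput. It assumes 20-byte IPv4 and 8-byte UDP headers so that the scheduled lengths count as IP packet lengths, and both the sender and the receiver live in the same process on 127.0.0.1.

```python
"""Loopback stand-in for the IP Traffic generator configured in Section 3.4.

Added example, not the paper's tooling or data. It builds packet-length schedules
following the two models the paper used (uniform over 40-1500 bytes, or a fixed size),
paces a UDP flow to a target offered rate, receives it on a loopback socket and reports
the two measures defined in Section 3: response time and throughput.
"""
import random
import socket
import threading
import time
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 40, 1500     # IP packet size bounds from Section 3.4.4
IP_HEADER, UDP_HEADER = 20, 8   # assumed IPv4/UDP header sizes; lengths are IP packet lengths


def uniform_lengths(count, seed=0):
    """Random integer IP packet lengths uniformly distributed over 40..1500 bytes."""
    rng = random.Random(seed)
    return [rng.randint(MIN_LEN, MAX_LEN) for _ in range(count)]


def fixed_lengths(count, size):
    """The same IP packet length for every packet (100, 500, 1000 or 1500 in the paper)."""
    if not MIN_LEN <= size <= MAX_LEN:
        raise ValueError(f"packet size {size} outside {MIN_LEN}..{MAX_LEN}")
    return [size] * count


@dataclass
class FlowResult:
    packets_sent: int
    bytes_sent: int          # IP-level bytes offered to the network
    packets_received: int
    bytes_received: int      # IP-level bytes that arrived
    response_time_s: float   # first send to last arrival (Section 3 definition)

    @property
    def throughput_kbps(self):
        """Bytes transmitted over the network within the response time, in Kbps."""
        return self.bytes_received * 8 / max(self.response_time_s, 1e-9) / 1000

    @property
    def loss_percent(self):
        return 100.0 * (1 - self.packets_received / self.packets_sent)


def run_udp_flow(ip_lengths, rate_bps, host="127.0.0.1", idle_timeout_s=1.0):
    """Send one paced UDP flow to a receiver bound on `host` and measure it end to end."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4 * 1024 * 1024)
    rx.bind((host, 0))
    port = rx.getsockname()[1]
    rx.settimeout(idle_timeout_s)
    expected = len(ip_lengths)
    arrivals = []   # (arrival time, IP length) per received datagram

    def receiver():
        while len(arrivals) < expected:
            try:
                data, _ = rx.recvfrom(65535)
            except socket.timeout:   # give up after an idle period (lost packets)
                break
            arrivals.append((time.perf_counter(), len(data) + IP_HEADER + UDP_HEADER))
        rx.close()

    thread = threading.Thread(target=receiver, daemon=True)
    thread.start()

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    start = time.perf_counter()
    bits_offered = 0
    for ip_len in ip_lengths:
        # Pace the flow: a packet may leave once the bits ahead of it would have
        # finished serialising at rate_bps.
        due = start + bits_offered / rate_bps
        now = time.perf_counter()
        if due > now:
            time.sleep(due - now)
        tx.sendto(bytes(ip_len - IP_HEADER - UDP_HEADER), (host, port))
        bits_offered += ip_len * 8
    tx.close()
    thread.join()

    last_arrival = max((t for t, _ in arrivals), default=start)
    return FlowResult(
        packets_sent=expected,
        bytes_sent=sum(ip_lengths),
        packets_received=len(arrivals),
        bytes_received=sum(n for _, n in arrivals),
        response_time_s=last_arrival - start,
    )


if __name__ == "__main__":
    for label, rate in (("unsaturated 500 Kbps", 500_000), ("congested 12 Mbps", 12_000_000)):
        result = run_udp_flow(uniform_lengths(200, seed=1), rate)
        print(f"{label}: {result.throughput_kbps:.1f} Kbps achieved, "
              f"{result.loss_percent:.1f}% loss, response time {result.response_time_s:.3f} s")
```

Over loopback the flow arrives without loss, so the script mainly shows how the three parameters fit together; on a testbed like the one in Fig. 2 the receiver half would run on the server side and the loss and throughput figures would then vary with the security layer in force, as Figs. 8 and 9 show.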
3.5. Experimental testing procedures
As described at the beginning of this section, this research aims to evaluate the effect of different security mechanisms and packet sizes on the performance of a congested wireless LAN with multiple clients. In the first set of experiments, the throughput and response times of two traffic types (TCP and UDP) were measured under different security mechanisms. The experiments were then repeated for two and three clients to study the impact of adding more clients. Two different traffic flow rates were defined: 12 Mbps (to represent a congested network) and 500 Kbps (to represent an unsaturated network). The security layers, traffic generator and system configuration used during the experiments are all detailed in Section 3.1. Fig. 7 illustrates the configuration of the traffic generator on the server side, where the clients' IP addresses were manually allocated. In the second set of experiments, the throughput was studied as a function of different packet sizes under different security mechanisms. These experiments were conducted using one client and three different security mechanisms (chosen from the eight mechanisms listed in Section 3.2), and throughput was measured for both TCP and UDP traffic types. The results are discussed in Section 3.6. Each experiment was repeated eight times. To exclude system transients (memory caching, disk paging, etc.), the first three results were discarded.
Fig. 7. Configuration set up on server side.
3.6. Performance of security mechanisms
The experiments followed the eight security layers described in Section 3.2. An infrastructure mode of operation and a single cell were used with three clients. Performance measures were gathered by running five repeated tests at each security configuration. Experiments evaluating the performance of TCP were separated from those of UDP, and each set was conducted for a different number of clients. Results were collected through log files generated by the traffic generator and the Ethereal monitoring tool. Data were analysed at the corresponding 95% confidence interval.
3.6.1. Effect of security mechanisms on performance
In the first part of the experiments, the traffic flow rate was set to 500 Kbps to represent a lightly loaded network. Fig. 8 illustrates the throughput of TCP and UDP traffic types against each of the security layers. These results confirmed the general trends reported in Ref. [19]: in general, the stronger the security mechanism implemented, the poorer the network performance, although the degradation is certainly not linear.
Fig. 8. Throughput of TCP and UDP traffic in an uncongested network.
Figs. 9 and 10, on the other hand, illustrate the throughput and (per-packet) response times of TCP and UDP traffic types when the network is congested (bandwidth set to 12 Mbps). As the graphs show, the performance of a congested network at security layers 4, 5, 7 and 8 (WEP encryption in place) is significantly lower than the performance of the network at security layers 1, 2, 3 and 6. The results show that the overhead produced by encrypting each individual packet in congested networks (Fig. 9) is significantly higher than in uncongested networks (Fig. 8). Further, the impact of applying authentication such as EAP-TLS (implemented at security layer 6) depends upon issues such as the frequency of reauthentication as well as the characteristics of the traffic flow.
The performance of TCP and UDP can also be compared. Since the TCP protocol uses a congestion control mechanism, it is significantly slower than the UDP protocol in congested networks, especially when WEP encryption is applied. The TCP throughput is 21.6% of the UDP throughput averaged over security layers 4, 5, 7 and 8, and 85.5% of the UDP throughput averaged over security layers 1, 2, 3 and 6 (Fig. 9). Tables 1 and 2 show the mean and standard deviation of TCP and UDP throughput and response times when the wireless LAN is congested. The security layers significantly differ from each other in their effects on the throughput of the network for TCP (F(7, 28) = 8558.155, p < 0.001) and UDP (F(7, 28) = 14155.207, p < 0.001) traffic types. The security layers also significantly differ from each other in their effects on the response time of the network, for both TCP (F(7, 28) = 2439.143, p < 0.001) and UDP (F(7, 28) = 9103.760, p < 0.001) traffic.
3.6.2. Effect of adding more clients
To evaluate the performance of the network in a secure multi-client environment, the experiments were repeated using two and three clients. Table 3 shows the average per-station throughput for UDP traffic. Over all security layers, the average throughput of each station decreased by 49.5% when the experiments were conducted using two clients and by 66.5% when using three clients (similar results were observed for TCP traffic). When WEP encryption was not enabled (under security layers 1, 2, 3 and 6), UDP packet loss rates were 3.2%, and 0.6% for TCP traffic. The UDP drop rate increased by 3.6% when WEP encryption was enabled (security layers 4, 5, 7 and 8), while only increasing by 0.2% for TCP traffic. On average, the observed results increased by 0.4% when the number of clients was increased to three.
Fig. 9. Throughput of TCP and UDP traffic in a congested network.
Fig. 10. Per-packet response times of TCP, UDP traffic in a congested network.
Our experiments validate the results reported in Ref. [16], which presented an empirical characterisation of the instantaneous throughput of a station in an IEEE 802.11b wireless LAN as a function of the number of competing stations sharing the AP. The results showed that as the number of stations increases, the overall throughput decreases and its variance increases. However, that study did not take into account the effect of having different security mechanisms (as detailed in Section 3.2) in place.

Table 1. The mean and standard deviation of TCP and UDP throughput (Kbps) under different security mechanisms
Security layer   TCP mean   TCP SD    UDP mean   UDP SD
1                447.5200   7.3095    535.6960   0.2218
2                470.7520   4.3070    535.0120   1.0143
3                464.4460   11.5685   536.5260   4.0540
4                67.2940    1.7635    245.4660   0.3958
5                63.7380    1.8943    245.6100   2.0043
6                454.6480   0.4346    539.4560   5.4398
7                64.3000    2.1949    244.3340   0.7835
8                61.5300    1.9546    245.8260   3.2859

Table 2. The mean and standard deviation of TCP and UDP response times under different security mechanisms
Security layer   TCP mean   TCP SD    UDP mean   UDP SD
1                77.2240    0.7888    64.4800    0.1049
2                73.5660    0.7748    64.5200    0.2233
3                75.2880    1.9601    64.6400    0.6479
4                520.7700   13.9539   134.0740   0.1266
5                546.7900   20.1678   134.3780   0.9191
6                76.4840    0.0568    63.8280    0.5364
7                549.8400   20.6787   134.7220   0.4132
8                573.6260   9.5460    131.7140   2.0734

Table 3. Average per-station throughput for UDP traffic
                 Per-station throughput (Kbps)
Security layer   1 client   2 clients   3 clients
1                535.68     279.55      176.79
2                535.44     273.07      178.97
3                539.37     269.6       185.77
4                245.61     120.37      78.89
5                245.28     122.88      84.14
6                540.13     273.06      178.28
7                244.45     121.73      79.61
8                248.17     122.09      84.78

3.6.3. Effect of various packet sizes on performance
As described in Section 3.4.4, four fixed packet sizes, i.e. 100, 500, 1000 and 1500 bytes, were chosen in order to evaluate their impact on the throughput of a congested wireless LAN under different security mechanisms. As Fig. 11 shows, the throughput of TCP traffic is highest when the packet size is 1000 bytes, and this is the case for all three of the security layers chosen (MAC authentication, WEP encryption with 128-bit keys, and WEP encryption combined with IEEE 802.1x authentication; only a selection of three of the eight security layers is shown in Figs. 11 and 12). Fig. 12 shows similar results for UDP throughput. The throughput has its highest value when the packet size is set to 1000 bytes when implementing (i) MAC authentication and (ii) WEP encryption combined with IEEE 802.1x authentication. In the case of WEP encryption alone, packet sizes of 500 and 1000 bytes demonstrate the highest throughput and have almost the same values, with a 0.1 Kbps difference (as shown in Table 4).
Fig. 11. TCP throughput for different packet sizes.
Fig. 12. UDP throughput for different packet sizes.

Table 4. UDP throughput (Kbps) for different packet sizes
Packet size (bytes)   MAC authentication   WEP encryption   WEP encryption + 802.1x authentication
100                   150.81               147.69           130.18
500                   443.29               439.7            327.26
1000                  648.82               439.8            434.67
1500                  538.01               375.59           347.54

4. Results
Evaluation of the performance impact resulting from implementing various security layers demonstrates some interesting results, dependent largely upon the number of clients and the network loading. In the case of a single client testbed [6], although in general the performance degraded with increasing level of security complexity—particularly as IEEE 802.1x functionality was added—it was clear that using WEP functionality such as MAC authentication and WEP encryption had little performance impact, thus dispelling the belief that adding any security to a wireless LAN will have a detrimental effect (the research and experiments described in Ref. [19] represent a single client, lightly loaded network and thus form a subset of the work described here). In the case of multiple clients and a congested network, however, the results are different: performance decreased in a congested situation when WEP encryption was applied, viz. TCP throughput decreased by 86.1% and UDP throughput by 54.3% (on average). Three factors contribute to such a change in performance, with the third being the most influential:
• WEP encryption: WEP uses the RC4 stream cipher in order to provide confidentiality and integrity. The WEP frame body expands by 8 bytes: four bytes are used for a frame body Initialisation Vector (IV) header, and four are used for the Integrity Check Value (ICV) trailer [5]. These additional eight bytes do not affect the performance in an uncongested network, as reported in Ref. [19] and confirmed in Section 3.6.1. However, when the network is congested there is not enough bandwidth available, and packets can be dropped at the AP.
• WEP resynchronisation: The loss of a single bit of a data stream encrypted under RC4 causes the loss of all the data following the lost bit, as data loss desynchronises the RC4 encryption and decryption engines [17]. The resynchronisation problem gets worse as more bits become lost. Since most IEEE 802.11b implementations drop entire packets during congestion, these will have to be resent by the clients, which results in performance degradation in congested networks (this highlights the problems associated with using RC4 over IEEE 802.11 networks [5]).
• Hardware and software implementation: WEP encrypts frames as they traverse the wireless medium [5]. The wireless cards used in the experiments [12] encrypt/decrypt the packets in firmware, while the AP [13] encrypts/decrypts them in hardware. When there is not enough bandwidth in the network, the buffer at the AP fills up and drops packets.
The experimental results demonstrated that the overhead produced by encrypting individual packets in congested networks is significantly higher than in uncongested networks. The performance of TCP and UDP traffic types can also be compared. Packet drop in UDP traffic is significantly higher than with TCP, as TCP applies congestion control mechanisms when the network is congested and thus detects packet drop. As the number of clients increases, the overall throughput decreases, due to the effect of collisions and backoffs. The average throughput of each station decreased by 49.5% when the experiments were conducted using two clients and by 66.5% when using three clients. Similar patterns were observed for both TCP and UDP traffic types, under all security layers. Four different packet sizes of 100, 500, 1000 and 1500 bytes were chosen in order to evaluate their impact on the throughput of the congested wireless LAN under three different security mechanisms (MAC authentication, WEP encryption, and WEP encryption combined with IEEE 802.1x authentication). The packet size of 1000 bytes resulted in the best throughput for both TCP and UDP traffic types under these three security layers (see Section 3.6.3).
There are several limitations associated with these experiments, as they were conducted in a confined environment which may not represent some practical operational conditions. Factors such as environmental effects are important in wireless networks, since radio frequency transmission is influenced by other technologies operating in the same frequency band, such as microwaves, and by weather conditions. Additionally, the experimental setup was confined to a single room. Factors such as wall interference degrade performance in actual wireless networks installed in a building. Further, these experiments were based upon one vendor's equipment and thus are specific to its implementations of packet handling, encryption algorithms and feature sets. Different vendors provide different capabilities, and as prior literature has shown [16], different hardware implementations can affect the performance. The performance effects resulting from adding additional clients cannot be generalised to more than three clients, due to equipment limitations. However, the aim of this research was to evaluate the effect of security on the performance of congested networks, and experimenting with three clients was enough to create congestion, in order for the impact of security to be studied.
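As an added check that is not part of the paper, the following Python script recomputes from Tables 1, 3 and 4 the aggregate figures quoted in Sections 3.6 and 4: the average TCP and UDP throughput fall when WEP encryption is enabled (layers 4, 5, 7 and 8 against layers 1, 2, 3 and 6), the TCP/UDP ratio on the unencrypted layers, the per-station throughput fall with two and three clients, the best packet size per layer in Table 4, and the measured WEP penalty by packet size set against the 8-byte frame expansion discussed above. The per-layer values are copied from the tables; the 21.6% TCP/UDP figure quoted for the WEP layers is read from Fig. 9 and is not recomputed here. The recomputed percentages land within about 0.1 of a percentage point of the paper's rounded values, and the size comparison shows that the 8 extra bytes (under 1% of a 1000-byte packet) cannot by themselves account for the measured loss at that size, which is the paper's argument for the AP buffer being the dominant factor.

```python
"""Recompute the aggregate figures of Sections 3.6 and 4 from Tables 1, 3 and 4.

Added example, not part of the paper: the per-layer values below are copied from the
tables; every derived percentage is computed here.
"""
from statistics import mean

# Table 1: mean throughput (Kbps) per security layer 1..8 in the congested network.
TCP_THROUGHPUT = [447.5200, 470.7520, 464.4460, 67.2940, 63.7380, 454.6480, 64.3000, 61.5300]
UDP_THROUGHPUT = [535.6960, 535.0120, 536.5260, 245.4660, 245.6100, 539.4560, 244.3340, 245.8260]

# Section 3.6.1 groups the layers by whether WEP encryption is in place.
WEP_LAYERS = (4, 5, 7, 8)
NO_WEP_LAYERS = (1, 2, 3, 6)

# Table 3: average per-station UDP throughput (Kbps) for 1, 2 and 3 clients.
PER_STATION = {
    1: [535.68, 535.44, 539.37, 245.61, 245.28, 540.13, 244.45, 248.17],
    2: [279.55, 273.07, 269.6, 120.37, 122.88, 273.06, 121.73, 122.09],
    3: [176.79, 178.97, 185.77, 78.89, 84.14, 178.28, 79.61, 84.78],
}

# Table 4: UDP throughput (Kbps) by packet size under three of the layers.
PACKET_SIZES = [100, 500, 1000, 1500]
TABLE4 = {
    "MAC authentication": [150.81, 443.29, 648.82, 538.01],
    "WEP encryption": [147.69, 439.7, 439.8, 375.59],
    "WEP encryption + 802.1x authentication": [130.18, 327.26, 434.67, 347.54],
}

WEP_EXPANSION_BYTES = 8  # 4-byte IV header plus 4-byte ICV trailer (Section 4)


def layer_mean(values, layers):
    """Mean of a per-layer list over the given 1-based security layer numbers."""
    return mean(values[i - 1] for i in layers)


def wep_drop_percent(values):
    """Percentage fall in mean throughput from the non-WEP layers to the WEP layers."""
    return 100.0 * (1 - layer_mean(values, WEP_LAYERS) / layer_mean(values, NO_WEP_LAYERS))


def tcp_to_udp_percent(layers):
    """TCP throughput as a percentage of UDP throughput, both averaged over `layers`."""
    return 100.0 * layer_mean(TCP_THROUGHPUT, layers) / layer_mean(UDP_THROUGHPUT, layers)


def per_station_drop_percent(clients):
    """Fall in average per-station UDP throughput relative to the single-client runs."""
    return 100.0 * (1 - mean(PER_STATION[clients]) / mean(PER_STATION[1]))


def best_packet_size(layer_name):
    """Packet size giving the highest UDP throughput for one of the Table 4 layers."""
    values = TABLE4[layer_name]
    return PACKET_SIZES[values.index(max(values))]


def wep_expansion_percent(packet_len):
    """Share of the transmitted frame body that the 8 extra WEP bytes add to a packet."""
    return 100.0 * WEP_EXPANSION_BYTES / (packet_len + WEP_EXPANSION_BYTES)


def measured_wep_penalty_by_size():
    """Measured throughput loss of 'WEP encryption' relative to 'MAC authentication', by size."""
    base = TABLE4["MAC authentication"]
    wep = TABLE4["WEP encryption"]
    return {size: 100.0 * (1 - w / b) for size, w, b in zip(PACKET_SIZES, wep, base)}


if __name__ == "__main__":
    print(f"TCP throughput fall under WEP : {wep_drop_percent(TCP_THROUGHPUT):.1f}% (paper: 86.1%)")
    print(f"UDP throughput fall under WEP : {wep_drop_percent(UDP_THROUGHPUT):.1f}% (paper: 54.3%)")
    print(f"TCP/UDP on layers 1, 2, 3, 6  : {tcp_to_udp_percent(NO_WEP_LAYERS):.1f}% (paper: 85.5%)")
    for n in (2, 3):
        print(f"Per-station fall, {n} clients  : {per_station_drop_percent(n):.1f}%")
    for name in TABLE4:
        print(f"Best packet size, {name}: {best_packet_size(name)} bytes")
    for size, penalty in measured_wep_penalty_by_size().items():
        print(f"{size:5d} bytes: WEP adds {wep_expansion_percent(size):.1f}% bytes, "
              f"measured loss {penalty:.1f}%")
```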
5. Conclusions and future work
The experiments used EAP-TLS authentication, which employs digital certificates in order to authenticate users. Protected EAP (PEAP) [11], proposed by RSA, Cisco and Microsoft, is another IEEE 802.1x mechanism. It provides mutual authentication and key generation, protects user authentication and supports rapid re-authentication. Further research could be carried out to investigate the effect of PEAP on the performance of congested and uncongested networks. Another area of research would be to evaluate the effect of WiFi Protected Access (WPA)—an extension to IEEE 802.11 RSN [14]—as well as the performance of software versus hardware implementations of encryption systems.
Roaming supports client stations moving freely from one cell (the AP coverage area) to another. When this occurs, the transfer of credentials is necessary to ensure a secure connection. This scenario could involve re-initiating a search for an AP in the same manner as a client does, or using other methods, such as referencing a table built during the previous association [3]. The current research was limited to a single AP, and future work could carry out a set of similar experiments with multiple APs. As mobility increases from wireless LANs to wireless WANs (seamless handoff), further research could be carried out to examine the ability to maintain a secure connection without reassociation and reauthentication.
This research examined one type (the infrastructure mode) of IEEE 802.11, and these results might not be applicable to ad hoc wireless networks. Furthermore, the research focused on IEEE 802.11b networks. Evaluation of the security performance of other IEEE 802.11 standards such as IEEE 802.11g and the use of WPA (WiFi Protected Access) is the subject of ongoing research.
References

[1] B. Bing, Measured performance of the IEEE 802.11 wireless LAN, Local Computer Networks LCN'99 (1999) 34–42.
[2] L. Chandran-Wadia, S. Mahajan, S. Iyer, Throughput performance of the distributed and point coordination functions of an IEEE 802.11 wireless LAN, K.R. School of Information Technology, Department of Electrical Engineering, Indian Institute of Technology, Bombay, 2002, www.it.iitb.ac.in/~sri/papers/dot11-iccc02.pdf.
[3] S. Convery, D. Miller, SAFE: wireless LAN security in depth, version 2, White paper, Cisco Systems, Inc., 2003, http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.pdf.
[4] Ethereal, http://www.ethereal.com/, 2004.
[5] M. Gast, Chapter 5: wired equivalent privacy (WEP), 802.11 Wireless Networks: The Definitive Guide, O'Reilly, 2002, ISBN 0-596-00183.
[6] R. Hunt, J. Vargo, J. Wong, Impact of security architectures on wireless network performance, 5th IEEE International Conference on Mobile and Wireless Communications Networks (MWCN 2003), Singapore, October 2003, 331–334.
[7] IEEE Std. 802.1x, Port-based network access control, IEEE Inc., New York, 2001, ISBN 0-7381-2627-5.
[8] P. Ikkurthy, M.A. Labrador, Characterization of MPEG-4 traffic over IEEE 802.11b wireless LANs, Local Computer Networks, Proceedings of the 27th Annual IEEE Conference (LCN 2002), November 2002, 421–427.
[9] IP traffic, www.zti-telecom.com/pages/iptraffic-test-measure.htm, 2004.
[10] T. Karygiannis, L. Owens, Draft: Wireless Network Security—802.11, Bluetooth and Handheld Devices, National Institute of Standards and Technology, USA, 2002.
[11] A. Palekar, D. Simon, G. Zorn, J. Salowey, H. Zhou, S. Josefsson, Protected EAP protocol (PEAP) v2, Internet draft, Internet Engineering Task Force, 26 October 2003.
[12] Proxim: Wi-Fi and Broadband Wireless Networking, ORiNOCO Classic Gold PC Card, http://www.proxim.com/learn/library/datasheets/gold_pccard.pdf.
[13] Proxim: Wi-Fi and Broadband Wireless Networking, ORiNOCO AP2000, http://www.proxim.com/learn/library/datasheets/AP-2000_US.pdf.
[14] TGi, Task Group 802.11i, IEEE, Inc., 2002, http://www.ieee802.org/11.
[15] Task Group i, TGi Security Overview, IEEE, Inc., Document number IEEE 802.11-02/114r1, 2002.
[16] A. Vasan, A.U. Shankar, An Empirical Characterization of Instantaneous Throughput in 802.11b WLANs, Department of Computer Science, University of Maryland, 2003, http://www.cs.umd.edu/~shankar/Papers/802-11b-profile-1.pdf.
[17] J.R. Walker, IEEE P802.11 Wireless LANs: unsafe at any key size; an analysis of the WEP encapsulation, Document number IEEE 802.11-00/362, 27 October 2000.
[18] C. Williamson, Internet Traffic Measurement, Department of Computer Science, University of Calgary, 2001, http://pages.cpsc.ucalgary.ca/~carey/papers/measurements.pdf.
[19] J. Wong, Performance Investigation of Secure 802.11 Wireless LANs: Raising the Security Bar to Which Level?, University of Canterbury, New Zealand, 2002, www.cosc.canterbury.ac.nz/research/reports/MastTheses/2003/mast_0301.pdf.
[20] G. Xylomenos, G.C. Polyzos, TCP and UDP performance over a wireless LAN, INFOCOM'99, Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, IEEE 2 (21–25) (1999) 439–446.