Bluetooth and Mobile IP

Bluetooth
Consortium: Ericsson, Intel, IBM, Nokia, Toshiba Scenarios:
o connection of peripheral devices
loudspeaker, joystick, headset

o support of ad-hoc networking

small devices, low-cost

o bridging of networks
e.g., GSM via mobile phone - Bluetooth - laptop

Simple, cheap, replacement of IrDA, low range, lower data rates, low-power
o Worldwide operation: 2.4 GHz o Resistance to jamming and selective frequency fading:
FHSS over 79 channels (of 1MHz each), 1600hops/s

o o o o

Coexistence of multiple piconets: like CDMA Links: synchronous connections and asynchronous connectionless Interoperability: protocol stack supporting TCP/IP, OBEX, SDP Range: 10 meters, can be extended to 100 meters
Wireless Networks Spring 2005

Documentation: over 1000 pages specification: www.bluetooth.com

Bluetooth Application Areas

Data and voice access points
o Real-time voice and data transmissions

Cable replacement
o Eliminates need for numerous cable attachments for connection

Low cost < $5 Ad hoc networking

o Device with Bluetooth radio can establish connection with another when in range

Wireless Networks Spring 2005

Protocol Architecture
Bluetooth is a layered protocol architecture
o Core protocols o Cable replacement and telephony control protocols o Adopted protocols

Core protocols
o o o o o Radio Baseband Link manager protocol (LMP) Logical link control and adaptation protocol (L2CAP) Service discovery protocol (SDP)

Wireless Networks Spring 2005

Protocol Architecture
Cable replacement protocol
o RFCOMM

Telephony control protocol

o Telephony control specification binary (TCS BIN)

Adopted protocols
o o o o PPP TCP/UDP/IP OBEX WAE/WAP

Wireless Networks Spring 2005

Protocol Architecture
BT Radio (2.4 GHZ Freq. Band): Modulation: Gaussian Frequency Shift Keying Baseband: FH-SS (79 carriers), CDMA (hopping sequence from the node MAC address) Audio: interfaces directly with the baseband. Each voice connection is over a 64Kbps SCO link. The voice coding scheme is the Continuous Variable Slope Delta (CVSD) Link Manager Protocol (LMP): link setup and control, authentication and encryption Host Controller Interface: provides a uniform method of access to the baseband, control registers, etc through USB, PCI, or UART HCI Logical Link Control and Adaptation Layer (L2CAP): Audio higher protocols multiplexing, packet segmentation/reassembly, QoS Service Discover Protocol (SDP): protocol of locating services provided by a Bluetooth device Telephony Control Specification (TCS): defines the call control signaling for the establishment of speech and data calls between Bluetooth devices RFCOMM: provides emulation of serial links OBEX: (RS232). Upto 60 connections

Application TCP/UDP PPP

AT Commands

OBEX

RFCOMM L2CAP

TCS

SDP

Link Manager (LMP) Baseband Bluetooth Radio

OBject EXchange (e.g., vCard)

Wireless Networks Spring 2005

Usage Models
File transfer Internet bridge LAN access Synchronization Three-in-one phone Headset

Wireless Networks Spring 2005

Piconets and Scatternets

Piconet
o Basic unit of Bluetooth networking o Master and one to seven slave devices o Master determines channel and phase

Scatternet
o Device in one piconet may exist as master or slave in another piconet o Allows many devices to share same area o Makes efficient use of bandwidth

Wireless Networks Spring 2005

Wireless Network Configurations

Network Topology
Piconet 1 Piconet 2

Slave Master

Master Scatternet

Piconet = set of Bluetooth nodes synchronized to a master node

o The piconet hopping sequence is derived from the master MAC address (BD_ADDR IEEE802 48 bits compatible address)

Scatternet = set of piconet Master-Slaves can switch roles A node can only be master of one piconet. Why?

Wireless Networks Spring 2005

Scatternets
Each piconet has one master and up to 7 slaves Master determines hopping sequence, slaves have to synchronize Participation in a piconet = synchronization to hopping sequence Communication between piconets = devices jumping back and forth between the piconets

piconets
Wireless Networks Spring 2005

Radio Specification
Classes of transmitters
o Class 1: Outputs 100 mW for maximum range
Power control mandatory Provides greatest distance

o Class 2: Outputs 2.4 mW at maximum

Power control optional

o Class 3: Nominal output is 1 mW

Lowest power

Frequency Hopping in Bluetooth

o Provides resistance to interference and multipath effects o Provides a form of multiple access among co-located devices in different piconets

Wireless Networks Spring 2005

Frequency Hopping
Total bandwidth divided into 1MHz physical channels FH occurs by jumping from one channel to another in pseudorandom sequence Hopping sequence shared with all devices on piconet Piconet access:
o Bluetooth devices use time division duplex (TDD) o Access technique is TDMA o FH-TDD-TDMA

Wireless Networks Spring 2005

Frequency Hopping

Wireless Networks Spring 2005

Physical Links
Synchronous connection oriented (SCO)
o Allocates fixed bandwidth between point-to-point connection of master and slave o Master maintains link using reserved slots o Master can support three simultaneous links

Asynchronous connectionless (ACL)

o Point-to-multipoint link between master and all slaves o Only single ACL link can exist

Wireless Networks Spring 2005

Bluetooth Packet Fields

Access code used for timing synchronization, offset compensation, paging, and inquiry Header used to identify packet type and carry protocol control information Payload contains user voice or data and payload header, if present

Wireless Networks Spring 2005

Bluetooth Piconet MAC

Each node has a Bluetooth Device Address (BD_ADDR). The master BD_ADDR determines the sequence of frequency hops
Master Slave 1 Slave 2 f(k) f(k+1) f(k+2) f(k+3) f(k+4) f(k+4) f(k+4) f(k+7)

Types of connections:
Synchronous Connection-Oriented link (SCO) (symmetrical, circuit switched, point-to-point) Asynchronous Connectionless Link (ACL): (packet switched, point-to-multipoint, masterpolls)

Packet Format:
o o Access code: synchronization, when piconet active derived from master Packet header (for ACL): 1/3-FEC, MAC address (1 master, 7 slaves), link type, alternating bit ARQ/SEQ, checksum

72

54

0-2745 payload 1 ARQN 1 SEQN

bits bits

access code packet header 3 MAC address 4 type 1 flow

8 HEC

Wireless Networks Spring 2005

Types of Access Codes

Channel access code (CAC) identifies a piconet Device access code (DAC) used for paging and subsequent responses Inquiry access code (IAC) used for inquiry purposes Preamble+sync+trailer

Wireless Networks Spring 2005

Packet Header Fields

AM_ADDR contains active mode address of one of the slaves Type identifies type of packet
o ACL: Data Medium (DM) or Data High (DH), with different slot lengths (DM1, DM3, DM5, DH1, DH3, DH5) o SCO: Data Voice (DV) and High-quality voice (HV)

Flow 1-bit flow control ARQN 1-bit acknowledgment SEQN 1-bit sequential numbering schemes Header error control (HEC) 8-bit error detection code
Wireless Networks Spring 2005

Payload Format
Payload header
o L_CH field identifies logical channel o Flow field used to control flow at L2CAP level o Length field number of bytes of data

Payload body contains user data CRC 16-bit CRC code

Wireless Networks Spring 2005

Error Correction Schemes

1/3 rate FEC (forward error correction)
o Used on 18-bit packet header, voice field in HV1 packet

2/3 rate FEC

o Used in DM packets, data fields of DV packet, FHS packet and HV2 packet

ARQ
o Used with DM and DH packets

Wireless Networks Spring 2005

ARQ Scheme Elements

Error detection destination detects errors, discards packets Positive acknowledgment destination returns positive acknowledgment Retransmission after timeout source retransmits if packet unacknowledged Negative acknowledgment and retransmission destination returns negative acknowledgement for packets with errors, source retransmits

Wireless Networks Spring 2005

Types of packets
SCO packets: Do not have a CRC (except for the data part of DV) and are never retransmitted. Intended for High-quality Voice (HV). Type Payload FEC CRC max-rate kbps
HV1 HV2 HV3 DV (bytes) 10 20 30 10+(1-10)D 1/3 2/3 No 2/3D No No No Yes D 64 64 64 64+57.6D

ACL packets: Data Medium-rate (DM) and Data High-rate (DH)

Type DM1 DM3 DM5 DH1 DH3 DH5 Payload (bytes) 0-17 0-121 0-224 0-27 0-183 0-339 FEC 2/3 2/3 2/3 No No No CRC Yes Yes Yes Yes Yes Yes Symm. max-rate kbps 108.8 258.1 286.7 172.8 390.4 433.9 Asymm. max-rate (DL/UL) 108.8/108.9 387.2/54.4 477.8/36.3 172.8/172.8 585.6/86.4 723.2/185.6

Wireless Networks Spring 2005

Channel Control
Major states
o Standby default state o Connection device connected

Interim substates for adding new slaves

o Page device issued a page (used by master) o Page scan device is listening for a page o Master response master receives a page response from slave o Slave response slave responds to a page from master o Inquiry device has issued an inquiry for identity of devices within range o Inquiry scan device is listening for an inquiry o Inquiry response device receives an inquiry response
Wireless Networks Spring 2005

State Transition Diagram

Inquiry Procedure
Potential master identifies devices in range that wish to participate
o Transmits ID packet with inquiry access code (IAC) o Occurs in Inquiry state

Device receives inquiry

o Enter Inquiry Response state o Returns FHS (Frequency Hop Synchrnonization) packet with address and timing information o Moves to page scan state

Wireless Networks Spring 2005

Inquiry Procedure Details

Goal: aims at discovering other neighboring devices Inquiring node:
o Sends an inquiry message (packet with only the access code: General Inquiry Access Code: GIAC or Dedicated IAC: DIAC). This message is sent over a subset of all possible frequencies. o The inquiry frequencies are divided into two hopping sets of 16 frequencies each. o In inquiry state the node will send upto NINQUIRY sequences on one set of 16 frequencies before switching to the other set of 16 frequencies. Upto 3 switches can be executed. Thus the inquiry may last upto 10.24 seconds.

To be discovered node:
o Enters an inquiry_scan mode o When hearing the inquiry_message (and after a backoff procedure) enter an inquiry_response mode: send a Frequency Hop Sync (FHS) packet (BD_ADDR, native clock)

After discovering the neighbors and collecting information on their address and clock, the inquiring node can start a page routine to setup a piconet
Wireless Networks Spring 2005

Page Procedure
Master uses devices address to calculate a page frequency-hopping sequence Master pages with ID packet and device access code (DAC) of specific slave Slave responds with DAC ID packet Master responds with its FHS packet Slave confirms receipt with DAC ID Slaves moves to Connection state

Wireless Networks Spring 2005

Page Procedure Details

Goal: e.g., setup a piconet after an inquiry Paging node (master):
o Sends a page message (i.e., packet with only Device Access Code of paged node) over 32 frequency hops (from DAC and split into 2*16 freq.) o Repeated until a response is received o When a response is received send a FHS message to allow the paged node to synchronize

Paged node (slave):

o Listens on its hopping sequence o When receiving a page message, send a page_response and wait for the FHS of the pager

Wireless Networks Spring 2005

Slave Connection State Modes

Active participates in piconet
o Listens, transmits and receives packets

Sniff only listens on specified slots Hold does not support ACL packets
o Reduced power status o May still participate in SCO exchanges

Park does not participate on piconet

o Still retained as part of piconet

Wireless Networks Spring 2005

States of a Bluetooth Device

ACTIVE (connected/transmit): the device is uniquely identified by a 3bits AM_ADDR and is fully participating SNIFF state: participates in the piconet only within the SNIFF interval HOLD state: keeps only the SCO links PARK state (low-power): releases AM_ADDR but stays synchronized with master STANDBY inquiry transmit page connected unconnected connecting active

BT device addressing: PARK HOLD SNIFF low power BD_ADDR (48 bits) AM_ADDR ( 3bits): ACTIVE, HOLD, or SNIFF PM_ADDR (8 bits): PARK Mode address (exchanged with the AM_ADDR when entering PARK mode) AR_ADDR (8 bits): not unique used to come back from PARK to ACTIVE state
Wireless Networks Spring 2005

Bluetooth Audio
Voice encoding schemes:
o Pulse code modulation (PCM) o Continuously variable slope delta (CVSD) modulation

Choice of scheme made by link manager

o Negotiates most appropriate scheme for application

Wireless Networks Spring 2005

Bluetooth Link Security

Elements:
o Authentication verify claimed identity o Encryption privacy o Key management and usage

Security algorithm parameters:

o o o o Unit address Secret authentication key (128 bits key) Secret privacy key (4-128 bits secret key) Random number

Wireless Networks Spring 2005

Link Management
Manages master-slave radio link Security Service: authentication, encryption, and key distribution Clock synchronization Exchange station capability information Mode management:
o switch master/slave role o change hold, sniff, park modes o QoS

Wireless Networks Spring 2005

L2CAP
Provides a link-layer protocol between entities with a number of services Relies on lower layer for flow and error control Makes use of ACL links, does not support SCO links Provides two alternative services to upper-layer protocols
o Connectionless service o Connection-oriented service: A QoS flow specification is assigned in each direction

Exchange of signaling messages to establish and configure connection parameters

Wireless Networks Spring 2005

Flow Specification Parameters

Service type Token rate (bytes/second) Token bucket size (bytes) Peak bandwidth (bytes/second) Latency (microseconds) Delay variation (microseconds)

Wireless Networks Spring 2005

Mobile IP

Wireless Networks Spring 2005

Motivation for Mobile IP

Routing
o based on IP destination address, network prefix (e.g. 129.13.42) determines physical subnet o change of physical subnet implies change of IP address to have a topological correct address (standard IP) or needs special entries in the routing tables

Specific routes to end-systems?

o change of all routing table entries to forward packets to the right destination o does not scale with the number of mobile hosts and frequent changes in the location, security problems

Changing the IP-address?

o adjust the host IP address depending on the current location o almost impossible to find a mobile system, DNS updates take too much time o TCP connections break, security problems
Wireless Networks Spring 2005

Mobile IP Requirements
Transparency
o mobile end-systems keep their IP address o continuation of communication after interruption of link possible o point of connection to the fixed network can be changed

Compatibility
o support of the same layer 2 protocols as IP o no changes to current end-systems and routers required o mobile end-systems can communicate with fixed systems

Security
o authentication of all registration messages

Efficiency and scalability

o only little additional messages to the mobile system required (connection typically via a low bandwidth radio link) o world-wide support of a large number of mobile systems in the whole Internet
Wireless Networks Spring 2005

Terminology
Mobile Node (MN)
o system (node) that can change the point of connection to the network without changing its IP address

Home Agent (HA)

o system in the home network of the MN, typically a router o registers the location of the MN, tunnels IP datagrams to the COA

Foreign Agent (FA)

o system in the current foreign network of the MN, typically a router o forwards the tunneled datagrams to the MN, typically also the default router for the MN

Care-of Address (COA)

o address of the current tunnel end-point for the MN (at FA or MN) o actual location of the MN from an IP point of view o can be chosen, e.g., via DHCP

Correspondent Node (CN)

o communication partner
Wireless Networks Spring 2005

Example network
HA MN
router home network (physical home network for the MN) router (current physical network for the MN) Internet mobile end-system

FA

foreign network

CN
end-system router
Wireless Networks Spring 2005

Data transfer to the mobile

HA

MN

home network Internet

3
FA

receiver foreign network

CN
sender

1. Sender sends to the IP address of MN, HA intercepts packet (proxy ARP) 2. HA tunnels packet to COA, here FA, by encapsulation 3. FA forwards the packet to the MN
Wireless Networks Spring 2005

Data transfer from the mobile

HA

MN

home network Internet

sender

FA

foreign network

CN
receiver

1. Sender sends to the IP address of the receiver as usual, FA works as default router

Wireless Networks Spring 2005

Overview
home network router HA Internet

COA router FA MN foreign network

CN

router

home network

router HA

2.

router FA

3. MN 4. foreign network

Internet

1. CN router

Wireless Networks Spring 2005

Network integration
Agent Advertisement
o HA and FA periodically send advertisement messages into their physical subnets o MN listens to these messages and detects, if it is in the home or a foreign network (standard case for home network) o MN reads a COA from the FA advertisement messages

Registration (always limited lifetime!)

o MN signals COA to the HA via the FA, HA acknowledges via FA to MN o these actions have to be secured by authentication

Advertisement
o HA advertises the IP address of the MN (as for fixed systems), i.e. standard routing information o routers adjust their entries, these are stable for a longer time (HA responsible for a MN over a longer period of time) o packets to the MN are sent to the HA, o independent of changes in COA/FA
Wireless Networks Spring 2005

Agent advertisement
0 7 8 15 16 type #addresses code addr. size router address 1 preference level 1 router address 2 preference level 2 ... type length registration lifetime sequence number R B H F M G V reserved COA 1 COA 2 ... ICMP-Type = 0; Code = 0/16; Extension Type = 16 TTL = 1 Dest-Adr = 224.0.0.1 (multicast on link) or 255.255.255.255 (broadcast) 23 24 checksum lifetime 31 R: registration required B: busy H: home agent F: foreign agent M: minimal encapsulation G: generic encapsulation V: header compression

Wireless Networks Spring 2005

Registration
MN re FA gist requ ration es
t regi s requ tration es t tion istra reg y repl

HA

MN r HA egis requ tration e

st tion

stra regi y repl

tion istra reg y repl

t Goal: inform the home agent of current location of MN (COA-FA or co-located COA) Registration expires automatically (lifetime) Uses UDP port 434

Wireless Networks Spring 2005

Mobile IP registration request

0 type 7 8 15 16 S B DMG V rsv home address home agent COA identification extensions . . . UDP packet on port 343 Type = 1 for registration request S: retain prior mobility bindings B: forward broadcast packets D: co-located address=> MN decapsulates packets 23 24 lifetime 31

Wireless Networks Spring 2005

Encapsulation
original IP header original data

new IP header outer header

new data inner header original data

Wireless Networks Spring 2005

Encapsulation I
Encapsulation of one packet into another as payload
o e.g. IPv6 in IPv4 (6Bone), Multicast in Unicast (Mbone) o here: e.g. IP-in-IP-encapsulation, minimal encapsulation or GRE (Generic Record Encapsulation)

IP-in-IP-encapsulation (mandatory in RFC 2003)

o tunnel between HA and COA

ver.

IHL TOS length IP identification flags fragment offset TTL IP-in-IP IP checksum IP address of HA Care-of address COA ver. IHL TOS length IP identification flags fragment offset TTL lay. 4 prot. IP checksum IP address of CN IP address of MN TCP/UDP/ ... payload
Wireless Networks Spring 2005

Encapsulation II
Minimal encapsulation (optional) [RFC2004]
o avoids repetition of identical fields o e.g. TTL, IHL, version, TOS o only applicable for unfragmented packets, no space left for fragment identification
IHL TOS length IP identification flags fragment offset TTL min. encap. IP checksum IP address of HA care-of address COA lay. 4 protoc. S reserved IP checksum IP address of MN original sender IP address (if S=1) TCP/UDP/ ... payload ver.

Wireless Networks Spring 2005

Optimization of packet forwarding

Triangular Routing
o sender sends all packets via HA to MN o higher latency and network load

Solutions
o o o o sender learns the current location of MN direct tunneling to this location HA informs a sender about the location of MN big security problems!

Change of FA
o packets on-the-fly during the change can be lost o new FA informs old FA to avoid packet loss, old FA now forwards remaining packets to new FA o this information also enables the old FA to release resources for the MN
Wireless Networks Spring 2005

Change of foreign agent

CN request update ACK data data registration update ACK data warning update ACK data data t
Wireless Networks Spring 2005

HA

FAold

FAnew

MN

MN changes location

registration

data

data

Reverse tunneling (RFC 2344)

HA

MN

home network Internet

1
FA

sender

foreign network

CN
receiver

Wireless Networks Spring 2005

1. MN sends to FA 2. FA tunnels packets to HA by encapsulation 3. HA forwards the packet to the receiver (standard case)

Mobile IP with reverse tunneling

Routers accept often only topological correct addresses (firewall)
o a packet from the MN encapsulated by the FA is now topological correct o furthermore multicast and TTL problems solved (TTL in the home network correct, but MN is to far away from the receiver)

Reverse tunneling does not solve

o problems with firewalls, the reverse tunnel can be abused to circumvent security mechanisms (tunnel hijacking) o optimization of data paths, i.e. packets will be forwarded through the tunnel via the HA to a sender (double triangular routing)

The new standard is backwards compatible

o the extensions can be implemented easily and cooperate with current implementations without these extensions
Wireless Networks Spring 2005

Mobile IP and IPv6

security is integrated and not an add-on, authentication of registration is included COA can be assigned via auto-configuration (DHCPv6 is one candidate), every node has address autoconfiguration no need for a separate FA, all routers perform router advertisement which can be used instead of the special agent advertisement MN can signal a sender directly the COA, sending via HA not needed in this case (automatic path optimization) soft hand-over, i.e. without packet loss, between two subnets is supported
o MN sends the new COA to its old router o the old router encapsulates all incoming packets for the MN and forwards them to the new COA o authentication is always granted

Wireless Networks Spring 2005

Problems with Mobile IP

Security
o authentication with FA problematic, for the FA typically belongs to another organization o no protocol for key management and key distribution has been standardized in the Internet o patent and export restrictions

Firewalls
o typically mobile IP cannot be used together with firewalls, special set-ups are needed (such as reverse tunneling)

QoS
o many new reservations in case of RSVP o tunneling makes it hard to give a flow of packets a special treatment needed for the QoS

Security, firewalls, QoS etc. are topics of current research and discussions!

Wireless Networks Spring 2005