Lecture 6.1 Introduction. Giuseppe Bianchi, Ilenia Tinnirello

Transcription

1 PART 6 IEEE Wireless LANs Lecture 6.1 Introduction

2 WLAN History Ł Original goal: Deploy wireless Ethernet First generation proprietary solutions (end 80, begin 90) WaveLAN (AT&T)) HomeRF (Proxim) Abandoned by major chip makers (e.g. Intel: dismissed in april 2001) Ł IEEE Committee formed in 1990 Charter: specification of MAC and PHY for WLAN First standard: june and 2 Mbps operation Reference standard: september 1999 Multiple Physical Layers Two operative Industrial, Scientific & Medical unlicensed bands» 2.4 GHz: Legacy; b/g» 5 GHz : a Ł 1999: Wireless Ethernet Compatibility Alliance (WECA) certification Later on named Wi-Fi Boosted deployment!!

3 WLAN data rates Ł Legacy Work started in 1990; standardized in mbps & 2 mbps Ł The 1999 revolution: PHY layer impressive achievements a: PHY for 5 GHz Published in 1999 Products available since early b: higher rated PHY for 2.4 GHz Published in 1999 Products available since 1999 Interoperability tested (wifi) Ł 2003: extend b g: OFDM for 2.4 GHz Published in june 2003 Products available, though no extensive interoperability testing yer Backward compatiblity with b Wi-Fi Standard Transfer Method legacy FHSS, DSSS, IR b DSSS, HR-DSSS "802.11b+" non-standard DSSS, HR- DSSS, (PBCC) Frequenc y Band 2.4 GHz, IR a OFDM 5.2, 5.5 GHz g DSSS, HR- DSSS, OFDM Data Rates Mbps 1, GHz 1, 2, 5.5, GHz 1, 2, 5.5, 11, 22, 33, 44 6, 9, 12, 18, 24, 36, 48, GHz 1, 2, 5.5, 11; 6, 9, 12, 18, 24, 36, 48, 54

4 Why multiple rates? Adaptive coding/modulation Example: a case

5 PHY distance/rate tradeoffs (open office) Distance (m) GHz OFDM (.11a) 2.4 GHz OFDM (.11g) 2.4 GHz (.11b) Mbps 5.5Mbps 6Mbps 11Mbps 12Mbps 24Mbps 36Mbps 54Mbps

6 Coverage performance Cisco Aironet 350 Access Point 11 Mb/s DSS da ~30 a ~45 metri Configurable TX power: 50, 30, 20, 5, 1 mw (100 mw outside Europe) 5.5 Mb/s DSS da ~45 a ~76 metri 2 Mb/s DSS da ~76 a ~107 metri Greater TX power, faster battery consumptions!!

7 WLAN NIC addresses Ł Same as Ethernet NIC 48 bits = Ł Ethernet & WLAN addresses do coexist Undistinguishable, in a same (Layer-2) network Role of typical AP = bridge» To be precise: when the AP acts as portal in nomenclature 802 IEEE 48 bit address 1 bit = individual/group 1 bit = universal/local 46 bit adress C:> arp a a.e6.f7.03.ad dinamico a dinamico

8 Protocol stack Ł : just another 802 link layer J

9 On which bandwidths? Ł Classical approach: narrow frequency band, much power as possible into the signal (noise reduction based on brute force) Authority must impose rulse on how RF spectrum is used. Licenses restrict frequencies and transmission power Ł However.. Several bands have been reserved for unlicensed use To allow consumer market for home use, bands for industrial, scientific and medical equipment (ISM bands): e.g. 2.4 Ghz, 5 Ghz Limitations only on transmitted power unlicensed does not mean plays well with others

10 The 2.4 (wifi) GHz spectrum Ł 2.4 GHz bandwidth: ,5 Ł Europe (including Italy): 13 channels (each 5 MHz) Channel spectrum: (11 MHz chip clock)

11 DSSS Frequency Channel Plan

12 The 5.0 (OFDM) GHz spectrum Ł US regulation: 3 x 100 MHz channels (40 mw) (200 mw) (800 mw) Operating 20 MHz channels 5.180, 5.200, 5.220, , 5.280, 5.300, , 5.765, 5.785, MHz / 64 subcarriers = MHz per subcarriers (52 used)

13 MAC Data Frame MAC header: -28 bytes (24 header + 4 FCS) or - 34 bytes (30 header + 4 FCS) PHY IEEE Data FCS Frame Control Duration / ID Address 1 Address 2 Address 3 Sequence Control Address Data Frame check sequence Protocol version Type Sub Type info Fragment number Sequence number 4 12 Sub Type To DS From DS More Frag Retry Pwr MNG More Data WEP Order Details and explanation later on!

14 PART 6 IEEE WLAN Lecture 6.2 Wireless LAN Networks and related Addressing

15 Basic Service Set (BSS) group of stations that can communicate with each other Ł Infrastructure BSS or, simply, BSS Stations connected through AP Ł Independent BSS or IBSS Stations connected in ad-hoc mode Network infrastructure AP

16 Frame Forwarding in a BSS Network infrastructure AP BSS: AP = relay function No direct communication allowed! IBSS: direct communication between all pairs of STAs

17 Why AP = relay function? Ł Management: Mobile stations do NOT neet to maintain neighbohr relationship with other MS in the area But only need to make sure they remain properly associated to the AP Association = get connected to (equivalent to plug-in in a wire to a bridge J ) Ł Power Saving: APs may assist MS in their power saving functions by buffering frames dedicated to a (sleeping) MS when it is in PS mode Ł Obvious disadvantage: use channel bandwidth twice

18 Extended Service Set BSS1 AP1 BSS2 BSS3 BSS4 AP2 AP3 AP4 ESS: created by merging different BSS through a network infrastructure (possibly overlapping BSS to offer a continuous coverage area) Stations within ESS MAY communicate each other via Layer 2 procedures APs acting as bridges MUST be on a same LAN or switched LAN or VLAN (no routers in between)

19 The concept of Distribution System Distribution system (physical connectivity + logical service support) AP1 AP2 AP3 MSs in a same ESS need to 1) communicate each other 2) move through the ESS No standard implementation, but set of services: Association, disassociation, reassociation, Integration, distribution Basically. DS role: - track where an MS is registrered within an ESS area - deliver frame to MS

20 Association and DS AP1 AP2 AP3 IAPP IAPP Association Ł Typical implementation (media) Switched ethernet backbone But alternative distribution medium are possible E.g. wireless distribution system (WDS) DS implementation: - an AP must inform other APs of associated MSs MAC addresses - proprietary implementation no interoperability - standardized protocol IAPP (802.11f) in june 2003 Current trend: - Centralized solutions (Cisco, Aruba)- CAPWAP?

21 Wireless Distribution System AP1 AP2 AP3 DS medium: - not necessarily an ethernet backbone! - could be the technology itself Resulting AP = wireless bridge

22 Addresses Ł At least three addresses Receiving station Transmitting station BSS address To make sure a frame is valid within the considered BSS For filtering purpose (filter frame within a BSS)

23 BSSID Ł Address of a BSS Infrastructure mode: AP MAC address Ad-hoc mode: Random value» With universal/local bit set to 1 Generated by STA initiating the IBSS 802 IEEE 48 bit addresses 1 bit = individual/group 1 bit = universal/local 46 bit address

24 Addressing in an IBSS SA DA Frame Control Duration / ID Address 1 DA Address 2 SA Address 3 BSSID Sequence Control Address Data FCS SA = Source Address DA = Destination Address

25 Addressing in a BSS? AP SA X DA

26 Addressing in a BSS! AP Distribution system SA DA Frame must carry following info: 1) Destined to DA 2) But through the AP What is the most general addressing structure?

27 Addressing in a BSS (to AP) AP BSSID Distribution system Address 2 = wireless Tx Address 1 = wireless Rx Address 3 = dest SA DA Frame Control Duration / ID Address 1 BSSID Address 2 SA Address 3 DA Sequence Control Address Data FCS Protocol version Type 2 2 Sub Type 1 0 To DS From DS More Frag Retry Pwr MNG More Data WEP Order

28 Addressing in an ESS Distribution System AP AP BSSID DA DA SA Idea: DS will be able to forward frame to dest (either if fixed or wireless MAC) Frame Control Duration / ID Address 1 BSSID Address 2 SA Address 3 DA Sequence Control Address Data FCS Protocol version Type 2 2 Sub Type 1 0 To DS From DS More Frag Retry Pwr MNG More Data WEP Order

29 Addressing in a BSS (from AP) AP BSSID Distribution system Address 2 = wireless Tx Address 1 = wireless Rx Address 3 = src SA DA Frame Control Duration / ID Address 1 DA Address 2 BSSID Address 3 SA Sequence Control Address Data FCS Protocol version Type 2 2 Sub Type 0 1 To DS From DS More Frag Retry Pwr MNG More Data WEP Order

30 From AP: do we really need 3 addresses? Distribution system AP BSSID SA DA DA correctly receives frame, and send ACK to BSSID (wireless transmitted) DA correctly receives frame, and send higher level ACK to SA (actual transmitter)

31 Addressing within a WDS Wireless Distribution System AP TA AP RA SA Address 4: initially forgotten DA Frame Control Duration / ID Address 1 RA Address 2 TA Address 3 DA Sequence Control Address 4 SA Data FCS Protocol version Type 2 2 Sub Type 1 1 To DS From DS More Frag Retry Pwr MNG More Data WEP Order

32 Addressing: summary Receiver Transmitter Function To DS From DS Address 1 Address 2 Address 3 Address 4 IBSS 0 0 RA = DA SA BSSID N/A From AP 0 1 RA = DA BSSID SA N/A To AP 1 0 RA = BSSID SA DA N/A Wireless DS 1 1 RA TA DA SA Ł Ł Ł Ł Ł BSS Identifier (BSSID) unique identifier for a particular BSS. In an infrastructure BSSID it is the MAC address of the AP. In IBSS, it is random and locally administered by the starting station. (uniqueness) Transmitter Address (TA) MAC address of the station that transmit the frame to the wireless medium. Always an individual address. Receiver Address (RA) to which the frame is sent over wireless medium. Individual or Group. Source Address (SA) MAC address of the station who originated the frame. Always individual address. May not match TA because of the indirection performed by DS of an IEEE WLAN. SA field is considered by higher layers. Destination Address (DA) Final destination. Individual or Group. May not match RA because of the indirection.

33 Service Set IDentifier (SSID) Ł Ł Ł Name of the WLAN network Plain text (ascii), up to 32 char Assigned by the network administrator All BSS in a same ESS have same SSID Typically (but not necessarily) is transmitted in periodic management frames (beacon) Typical: 1 broadcast beacon every 100 ms (configurable by sysadm) Beacon may transmit a LOT of other info Beacon example

34 PART 6 IEEE WLAN Lecture 6.3 Network Management

35 Management Operations Ł Wireless is not always an advantage Medium unreliable, lack of physical boundaries, power consumption Ł How to join, build, connect, move nodes, save energies, All these issues are faced by the management procedures, which can be customized Different vendor offers: very simple products vs. feature-rich products

36 Scanning Ł Before joining a network, you have to find it!! The discovery operation is called scanning Ł Several parameters can be specified by the user BSSType (independent, infrastucture, both) BSSID (individual, Broadcast) SSID (network name) ScanType (active, passive) Channel List Probe Delay (to start the active scanning in each channel) MinChannelTime, MaxChannelTime

37 Passive Scanning Ł Saves battery, since it requires listening only Ł Scanning report based on beacon frames heard while sweeping channel to channel AP2 AP1 Found AP1, AP3 AP3

38 Active Scanning Ł Probe Request Frames used to solicit responses from a network, when the ProbeDelay time expires If the medium is detected busy during the MinChannelTime, wait until the MaxChanneltime expires One station in each BSS is responsible to send Probe Responses (station which transmitted the last beacon frame)

39 Joining Ł A scan report is generated after each scan, reporting BSSID, SSID, BSSType, Beacon Interval DTIM period Timing Parameters (Timestamp) PHY Parameters, BSSBasicRateSet Ł Joing: before associating, select a network (often it requires user action) Ł and after?

40 Authentication Ł What does authentication do? prove the identity of the new node Ł On wired network, it is implicitely provided by phisical access, but everybody can access wireless medium! Ł Two major approaches: Open-system Shared-key

41 Authentication (2) Ł It can work in both ad-hoc and infrastucture modes, but it is not bilateral (mutual) authentication implicitely assumes that access points are under the control of the network administrators and do not have to prove their identity The network is no under obligation to authenticate itself, then man-in-the-middle attacks are possible

42 Open-System Authentication Ł Accept Everybody 2way handshake; the station simply informs about its identity The identity is represented by the MAC address (not by the user) Ł Address filtering Often used with open-system List with authorized MAC addresses provided by the network administrator Better than nothing.. But MAC addresses can be software programmable! Moreover, the authorization lists have to be transferred in all the APs

43 Shared-Key Authentication Ł Can be used only with some products implementing the WEP (Wireless Encryption Protocol) Ł Before accepting the user, the authenticator has to verify that he knows a secret How? Ask for the secret? NO, attackers can listen! Ask for decoding a challenge text and compare the answer (which has to be encrypted) with the local decryption.

44 How does WEP work? Ł very basic ideas.. Symmetric cipher: the same keystream is used for XOR coding and XOR decoding data keystream coded data keystream recovered data

45 Keystream Ł Both the transmitter and the receiver has to know the keystream; long data transfer requires long keystrem Ł How to distribute and manage long totally random keystreams? Keystream = pseudorandom sequence obtained from a short key + Initialization Vector = f( key, IV) Function f is called RC4 and it is an intellectual property no more safe, after 2001! Standard key length of only 40 bits + 24 bit for the IV

46 Is cryptography enough? Ł Not only confidentiality problems, but also integrity problems We do not have only to protect our data against not authorized receivers, but also we have to be sure that nobody changes our data Even if we do not know the keystream, if we change the encrypted payload, we destroy the exact information delivery Ł Integrity-Check-Value: a summary of the payload, appended to the payload for checking the integrity of the data after decrypting Ł E.g. payload = Siamo nel mese di ottobre ICV = snmdo xxxxxx = crypt( siamo nel mese di ottobre snmdo ) decrypt(xxxxyy) = siamo inc qwer di ottobre snmdo snmdo: is not the payload summary!

47 WEP Features Frame header IV Frame body ICV FCS 24 bits Ł extra overhead of bits encrypted 32 bits Ł Since the payload often starts with an LLC frame, whose first byte is known, the first byte of encryption can be understood.. Ł the ICV should be obtained by an hash unpredictable function, but in the WEP definition it is cyclic redundancy check CRC is not cryptographically secure, because single bit alterations can be predicted with high probability Ł Key cannot be considered secure, since they are statically entered, accessible by users and rarely changed

48 Enhanced encryption Ł WEP limits: Manual key setting (shared in the whole network) Limited IV space (24 bits = 2 24 packets = 16.8 M) Ł WPA: Still based on RC4, but with dynamic and automatic key management! IV long 48 bits per-packet key Message Integrity Code (8 bytes) before ICV Ł WPA2: change RC4 with AES

49 WPA/TKIP: Temporal Key Integrity Protocol Ł Still based on RC4 for compatibility reasons WEP: f(secret Key+IV)=keystream TKIP: f(secret Key+IV) = Secret Key Generator Dynamic keys of 128 bits Different keys for each session

50 Other authentication mechanisms Ł 802.1x: does not define its own security protocols, but reuse existing protocols Too many researches with specific standardized functions; Standardizes the protocol messages and operations, in general terms: e.g. consider an ICV, without chosing a fiexd a priori hash function; the hash an cypher functions are negotiated Ł Three principal roles: Supplicant a device requesting access to the controlled port Authenticator the point of attachment to the LAN infrastructure (e.g.,.11 AP) Authentication server verifying the credentials of the supplicant (e.g., RADIUS server) Ł After successful authentication, a controlled port is opened

51 Association Ł After that we choose a network and we authenticate, we can finally send an association message The message is required for tracking the host position in the ESS Not used for ad hoc networks Re-association after hand-over

52 And to be found? Ł It is required to periodically transmit a beacon! In infrastructure: beacon transmissions managed by the AP In ad-hoc: each station contend for the beacon and leave the contention after the first observed beacon Ł The beacon frames are periodically scheduled, but contend as normal frames Deterministic scheduling Random transmission delays

53 What information is carried by beacons? Ł Ł Ł Ł Timestamp (8 bytes): in Transmission Units TU (=1024 us) to synchronize stations Beacon Interval (2 bytes): beacon scheduling interval Capability Info (2 bytes): bit map to activate/deactivate some network features SSID (variable size): network name set by the operators Element ID, Length, Information for every variable size field OPTIONAL: Ł FH ParameterSet (7 bytes) Ł DS ParameterSet (2 bytes) Ł CF ParameterSet (8 bytes) Ł IBSS ParameterSet (4 bytes) Ł Traffic Indicator Map TIM (variable size): to indicate which stations have buffered frames; some TIM are Delivery TIM for broadcast traffic

54 Why Timestamps for Synchronization? "#$% &'

55 PART 6 IEEE WLAN Lecture 6.4 Medium Access Control Protocols: DCF

56 Wireless Ethernet Ł (Ethernet) CSMA/CD Carrier Sense Multiple Access Collision Detect Ł (wireless LAN) CSMA/CA (Distributed Coordination Function) Carrier Sense Multiple Access Collision Avoidance A B C Ł Both A and C sense the channel idle at the same time they send at the same time. Ł Collision can be detected at sender in Ethernet. Ł Why this is not possible in ? 1. Either TX or RX (no simultaneous RX/TX) 2. Large amount of power difference in Tx and Rx (even if simultaneous txrx, no possibility in rx while tx-ing) 3. Wireless medium = additional problems vs broadcast cable!!

57 Hidden Terminal Problem Ł Large difference in signal strength; physical channel impairments (shadowing) It may result that two stations in the same area cannot communicate Ł Hidden terminals A and C cannot hear each other A transmits to B C wants to send to B; C cannot receive A;C senses idle medium (Carrier Sense fails) Collision occurs at B. A cannot detect the collision (Collision Detection fails). A is hidden to C. A B C

58 MAC approach Ł Still based on Carrier Sense: Listen before talking Ł But collisions can only be inferred afterwards, at the receiver Receivers see corrupted data through a CRC error Transmitters fail to get a response Ł Two-way handshaking mechanism to infer collisions DATA-ACK packets TX packet ACK RX

59 Channel Access details Ł A station can transmit only if it senses the channel IDLE for a DIFS time DIFS = Distributed Inter Frame Space Packet arrival TX DIFS DATA RX SIFS ACK What about a station arriving in this frame time? Ł SIFS = Short Inter Frame Space

60 DIFS & SIFS in wi-fi Ł DIFS = 50 s Ł SIFS = 10 s

61 STA1 DIFS Why backoff? DATA SIFS ACK STA2 DIFS STA3 Collision! RULE: when the channel is initially sensed BUSY, station defers transmission; But when it is sensed IDLE for a DIFS, defer transmission of a further random time (BACKOFF TIME)

62 Slotted Backoff STA2 STA3 DIFS w=7 Extract random number in range (0, W-1) Decrement every slot-time w=5 Note: slot times are not physically delimited on the channel! Rather, they are logically identified by every STA Slot-time values: 20s for DSSS (wi-fi) Accounts for: 1) RX_TX turnaround time 2) busy detect time 3) propagation delay

63 Backoff freezing Ł When STA is in backoff stage: It freezes the backoff counter as long as the channel is sensed BUSY It restarts decrementing the backoff as the channel is sensed IDLE for a DIFS period STATION 1 DIFS DATA SIFS ACK DIFS STATION 2 DIFS SIFS ACK 6 5 BUSY medium Frozen slot-time 4 DIFS 3 2 1

64 Backoff rules Ł First backoff value: Extract a uniform random number in range (0,CW min ) Ł If unsuccessful TX: Extract a uniform random number in range (0,2 (CW min +1)-1) Ł If unsuccessful TX: Extract a uniform random number in range (0,2 2 (CW min +1)-1) Ł Etc up to 2 m (CW min +1)-1 Exponential Backoff! CWmin = 31 CWmax = 1023 (m=5)

65 Throughput vs CWmin P=1000 bytes

66 RTS/CTS Ł Request-To-Send / Clear-To-Send Ł 4-way handshaking Versus 2-way handshaking of basic access mechanism Ł Introduced for two reasons Combat hidden terminal Improve throughput performance with long packets

67 RTS/CTS and hidden terminals Packet arrival TX DIFS RTS DATA RX SIFS CTS SIFS SIFS ACK others RX NAV (RTS) NAV (CTS) TX RTS CTS CTS hidden (Update NAV) RTS/CTS: carry the amount of time the channel will be BUSY. Other stations may update a Network Allocation Vector, and defer TX even if they sense the channel idle (Virtual Carrier Sensing)

68 RTS/CTS and performance RTS/CTS cons: RTS/CTS pros: larger overhead reduced collision duration

69 RTS/CTS throughput RTS/CTS convenient with long packets and large number of terminals (collision!);

70 RTS/CTS more robust to number of users and CWmin settings

71 Relation between IFS Parameters b PHY PIFS used by Point Coordination Function - Time-bounded services - Polling scheme PCF Never deployed SIFS (sec) DIFS (sec) Slot Time (sec) CWmin CWmax

72 EIFS

73 Time in microseconds. Update the NAV time in the neighborhood Data Frame formats PHY IEEE Data FCS Frame Control Duration / ID Address 1 Address 2 Address 3 Sequence Control Address Data Frame check sequence Protocol version Type Sub Type info Fragment number Sequence number 4 12 Sub Type To DS From DS More Frag Retry Pwr MNG More Data WEP Order

74 Why NAV (i.e. protect ACK)? TX C RX Station C receives frame from station TX Station C IS NOT in reach from station RX But sets NAV and protects RX ACK

75 Why EIFS (i.e. protect ACK)? TX C RX Station C DOES NOT receive frame from station TX but still receives enough signal to get a PHY.RXEND.indication error Station C IS NOT in reach from station RX But sets EIFS (!!) and protects RX ACK

76 Frame formats DATA FRAME (28 bytes excluded address 4) Frame Control Duration / ID Address 1 Address 2 Address 3 Sequence Control Address 4 Data FCS RTS (20 bytes) Frame Control Duration RA TA FCS CTS / ACK (14 bytes) Frame Control Duration RA FCS

77 S station DCF overhead Frame _ Tx E[ payload] E[ T ] DIFS CW / 2 min T T SIFS T Frame _ Tx MPDU ACK T T SIFS T SIFS T SIFS T Frame _ Tx RTS CTS MPDU ACK T T T T MPDU ACK RTS CTS T T T T PLCP PLCP PLCP PLCP 8(28 L) / 814 / R 8 20/ R 814 / R ACK _ Tx RTS _ Tx CTS _ Tx R MPDU _ Tx

78 DCF overhead (802.11b) RTS/CTS Basic RTS/CTS Basic Tra nsmssion Time (use c ) DIFS Ave Backoff RTS+SIFS CTS+SIFS Payload+SIFS ACK

79 DCF overhead (802.11b) DCF overhead (802.11b)! " # $ % & ' ( ) * + -,.0/ / ,.0/ /

80 Fragmentation Ł Ł Splits message (MSDU) into several frames (MPDU) Same fragment size except the last one Fragmentation burst Fragments separated by SIFS Channel cannot be captured by someone else Each fragment individually ACKed Ł Ł Each fragment reserves channel for next one NAV updated fragment by fragment Missing ACK for fragment x Release channel (automatic) Backoff Restart from transmission of fragment x

81 Why Fragmentation? Ł High Bit Error Rate (BER) Increases with distance The longer the frame, the lower the successful TX probability High BER = high rts overhead & increased rtx delay Backoff window increases: cannot distinguish collisions from tx error!

82 Frame Control Fragment and sequence numbers DATA FRAME (28 bytes excluded address 4) Duration / ID Address 1 Address 2 Address 3 Sequence Control Address 4 Data FCS More Frag Retry 1 1 Ł Ł Ł Ł Fragment number Sequence number 4 12 Fragment number Increasing integer value 0-15 (max 16 fragments since 4 bits available) Essential for reassembly More fragment bit (frame control field) set to: 1 for intermediate fragments 0 for last fragment Sequence Number Used to filter out duplicates Unlike Ethernet, duplicates are quite frequent! Retransmissions are a main feature of the MAC Retry bit: helps to distinguish retransmissions Set to 0 at transmission of a new frame

83 PART 6 IEEE WLAN Lecture 6.4bis Medium Access Control Protocols: PCF

84 PCF vs DCF PCF DCF PHY PCF deployed on TOP of DCF Backward compatibility

85 PCF Ł Token-based access mechanism Polling Ł Channel arbitration enforced by a point Coordinator (PC) Typically the AP, but not necessarily Ł Contention-free access No collision on channel Ł PCF deployment: minimal!! Optional part of the specification As such, almost never deployed But HCCA (PCF extension in e) is getting considerable attention

86 PCF frame transfer SIFS Polling strategy: very elementary!! - send polling command to stations with increasing Association ID value - (regardless whether they might have or not data to transmit)