- 1 Introduction
- 2 Basic Concepts
- 3 Security
- 4 Architecture Patterns
This describes a network architecture to provide emergency network infrastructure using 802.11 wireless radios. The architecture consists of a series of modular patterns, which can be interconnected using TCP/IP to cover a variety of geographical areas. The underlying concepts are well known and are based on the practical constraints of current technology. To validate the architecture, a reference design was implemented using commercial, off-the-shelf components.
In this architecture, wireless devices can be deployed to provide two basic types of services. First, the devices can provide wireless local area network connectivity between a PC and the network. This eliminates (or significantly reduces) the cabling requirements. However, because of encryption requirements, PC configurations may be more complicated. Second, wireless devices can provide backbone services by connecting local area networks together. This link is known as a 'backhaul,' and it allows for quick deployment in harsh environments.
Backhaul links are configured either as point-to-point or in a common mesh. Point-to-point links are used when there are only two nodes in the network or for long-distance links. Link distances are very dependent on a number of system variables (e.g. power, antenna gain, obstructions, frequency). Obstructions, such as trees and buildings, will significantly reduce the possible link distances. If 'line of sight' is available, point-to-point links may be as long as 20-25 miles.
Mesh networks consist of three or more commonly connected wireless nodes. All the nodes within a mesh operate on the same frequency and use the same mode. For example, they may be 802.11a nodes, using channel 40 and configured as 'ad hoc.'
A mesh can provide local area network services, but throughput can be severely degraded if the mesh is not implemented correctly. In this architecture, a mesh network is only used to provide backbone/backhaul services.
802.11 technology relies on carrier sense multiple access with collision detection, which means the transmitter listens for a clear channel before it transmits. If two radios transmit at the same time, the receiver can't detect either transmission and no information is passed. Normally, this isn't a problem because the radios within a common mesh network are within range of each other and collisions are handled by adjusting the retransmission timers.
However, if one radio can't receive the other signals within a mesh (e.g. because of an obstruction), that radio will continue to transmit without knowing another radio is transmitting. The collisions will continue and the retransmission timers won't work. This 'hidden transmitter' problem severely degrades network throughput.
802.11 uses spread spectrum modulation techniques, which helps, but it doesn't solve the problem. The limit is about 3 hidden nodes. Any more and the network is unusable. Therefore, it's best to design a network where all radios within a common mesh can receive each other.
Node Stack Design
Each node within the network consists of one or more modules. A module contains a single radio or wired network. Modules are interconnected using TCP/IP. In most cases, multiple modules exist within a single device. For example, a node may consist of a 2.4 GHz radio, a 5.0 GHz radio and an Ethernet router.
Each module within the node stack is equivalent to a network interface. All the TCP/IP routing rules and behavior apply.
Because the hidden transmitter problem can degrade throughput, implementations of this architecture should follow a few basic rules.
- LAN wireless service areas should not overlap.
- Use different channels for different service areas.
- All nodes within a backhaul mesh should be able to hear all transmitters within the mesh.
- Use lower frequencies for longer links.
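The hidden transmitter limit above and the first three deployment rules can be checked on paper before radios are shipped. The following planning check is an added example, not code from the original design; node positions, radio range and service areas are constructed sample data, and the free-space (flat, unobstructed terrain) range model is an assumption.

```python
# Added example, not part of the original design document: a pre-deployment check for
# the node-stack rules. Positions, ranges and service areas below are constructed samples.
import math

HIDDEN_NODE_LIMIT = 3  # the text's rule of thumb: more hidden nodes and the mesh is unusable

def can_hear(a, b, radio_range):
    """Two mesh nodes hear each other when within range (flat, unobstructed terrain assumed)."""
    return math.dist(a["pos"], b["pos"]) <= radio_range

def hidden_nodes(mesh, radio_range):
    """Map each node to the sorted names of mesh members it cannot hear."""
    return {n["name"]: sorted(m["name"] for m in mesh
                              if m is not n and not can_hear(n, m, radio_range))
            for n in mesh}

def check_mesh(mesh, radio_range):
    """Rule 3: every backhaul node should hear every other transmitter in the mesh."""
    findings = []
    for name, hidden in hidden_nodes(mesh, radio_range).items():
        if hidden:
            state = "unusable" if len(hidden) > HIDDEN_NODE_LIMIT else "degraded"
            findings.append(f"{name} cannot hear {hidden}: throughput {state}")
    return findings

def check_service_areas(areas):
    """Rules 1 and 2: LAN service areas must not overlap and must use different channels."""
    findings = []
    for i, a in enumerate(areas):
        for b in areas[i + 1:]:
            if math.dist(a["pos"], b["pos"]) < a["radius"] + b["radius"]:
                findings.append(f"{a['name']} and {b['name']} overlap")
            if a["channel"] == b["channel"]:
                findings.append(f"{a['name']} and {b['name']} both use channel {a['channel']}")
    return findings

# Constructed sample deployment: positions in miles, 5 GHz backhaul mesh with a 10-mile range.
MESH = [{"name": "core", "pos": (0, 0)},
        {"name": "east", "pos": (8, 0)},
        {"name": "west", "pos": (-8, 0)}]   # 16 miles from east: a hidden transmitter pair
AREAS = [{"name": "shelter-A", "pos": (0, 0), "radius": 0.3, "channel": 1},
         {"name": "shelter-B", "pos": (0.4, 0), "radius": 0.3, "channel": 1},  # overlaps A
         {"name": "depot", "pos": (8, 0), "radius": 0.3, "channel": 11}]

if __name__ == "__main__":
    for finding in check_mesh(MESH, 10) + check_service_areas(AREAS):
        print(finding)
```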
Mesh Network Routing Protocol
This architecture uses the Optimized Link State Routing (OLSR) protocol because it is the most commonly used protocol for wireless mesh networks. OLSR floods the network with link statements as nodes are added or deleted from the mesh. Gateway nodes advertise default routes to the Internet automatically.
Encryption and Authentication
Security is limited to WiFi Protected Access with Pre-Shared Keys (WPA2-PSK). Since this network does not support classified transmissions, this security mode should be sufficient. The key length should be greater than 20 characters and the key should consist of random ASCII characters.
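To make the key requirement above checkable, here is an added example (not code from the original document) that screens a passphrase against the policy, generates one from the OS random source, and derives the 256-bit PSK the way WPA2-PSK does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations). The minimum length constant and the small word list are assumptions based on the text.

```python
# Added example, not part of the original document: WPA2-PSK passphrase policy and derivation.
import hashlib
import secrets
import string

MIN_LEN = 21          # the text requires "greater than 20 characters"
WPA_MAX_LEN = 63      # WPA passphrases are limited to 8..63 printable ASCII characters
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def passphrase_problems(passphrase):
    """Return a list of policy violations; an empty list means the passphrase is acceptable."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(passphrase) > WPA_MAX_LEN:
        problems.append(f"longer than {WPA_MAX_LEN} characters (WPA limit)")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    # Cheap screen for "random": reject obvious words and low-diversity strings (assumed list).
    if passphrase.lower() in {"password", "emergency", "wireless"} or len(set(passphrase)) < 8:
        problems.append("low diversity or dictionary word, not random")
    return problems

def generate_passphrase(length=32):
    """Random printable-ASCII passphrase drawn from the OS CSPRNG."""
    if not MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("length outside policy bounds")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def wpa2_psk(passphrase, ssid):
    """Derive the 32-byte PSK that AP and supplicant actually use (IEEE 802.11i PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32).hex()

if __name__ == "__main__":
    key = generate_passphrase()
    print("generated:", key, "problems:", passphrase_problems(key))
    # Standard test vector (a deliberately weak passphrase, used only to verify the derivation).
    print("PSK for 'password'/'IEEE':", wpa2_psk("password", "IEEE"))
```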
If higher security is required, WPA2 with 802.1x authentication will be required. This significantly increases the complexity of the network.
Any network services, such as file servers, must be password protected and require user authentication for access.
In general, firewalls are not used within the mesh network because the mesh is considered 'inside' the perimeter. Each node contains firewall code. If a specific subnet requires additional security, the firewall code can be implemented to limit access accordingly.
Firewalls are used to connect the mesh network to external networks and must be configured to prevent unauthorized entry into the network. No public services will be offered from this network.
Network Address Translation
All addresses on the wireless network are RFC-1918 compliant, private addresses. Therefore, NAT must be used on the Internet gateway to provide external connectivity.
Virtual Private Networks
The Internet gateway can provide VPN tunnels to the corporate network using IPsec. This encrypts the communications between the home network and the wireless network. In some cases, special software may be required to bypass proxy devices installed at the remote location.
VPN clients which are NAT aware may be used from the wireless network to provide connectivity to corporate resources.
One-to-one and/or inbound mappings are not provided.
Certification and Accreditation
The architecture is 'type accredited' using the reference design. Deployments which use the same design (or very similar) are covered under this C&A. Vendors may provide service covered under the C&A, however, they must show proof of key security configurations before deployment.
- All wireless links use a minimum of WPA-PSK with random keys longer than 20 characters.
- Connections to external networks must be done through a gateway device, which provides no incoming services to the general public.
- Devices are password protected.
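The three conditions above are the evidence a vendor has to show before deployment. The following checker is an added example, not from the original document or its reference design; the node record format, the ordering of wireless security modes and the sample submission are all constructed for illustration.

```python
# Added example, not part of the original document: evaluate vendor configuration evidence
# against the C&A conditions. Record layout and the sample nodes are constructed.
WIRELESS_MODES = ["open", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-802.1X"]  # weakest to strongest
MIN_MODE = "WPA-PSK"
MIN_KEY_CHARS = 21   # "longer than 20 characters"

def mode_rank(mode):
    """Position of a security mode in the strength ordering; unknown modes rank lowest."""
    return WIRELESS_MODES.index(mode) if mode in WIRELESS_MODES else -1

def check_node(node):
    """Return a list of findings for one node; an empty list means the node passes."""
    findings = []
    if not node.get("password_protected"):
        findings.append(f"{node['name']}: device is not password protected")
    for link in node.get("wireless_links", []):
        tag = f"{node['name']}/{link['if']}"
        if mode_rank(link["mode"]) < mode_rank(MIN_MODE):
            findings.append(f"{tag}: {link['mode']} is below the {MIN_MODE} minimum")
        elif link["mode"].endswith("PSK"):
            key = link.get("key", "")
            # Random-key screen: printable ASCII and not a short or repetitive string.
            if len(key) < MIN_KEY_CHARS or not (key.isascii() and key.isprintable()):
                findings.append(f"{tag}: pre-shared key is too short or not random ASCII")
    if node.get("role") == "gateway":
        if node.get("inbound_mappings"):   # no inbound/one-to-one mappings are provided
            findings.append(f"{node['name']}: gateway exposes inbound services {node['inbound_mappings']}")
    elif node.get("external_uplink"):
        findings.append(f"{node['name']}: external connections must go through the gateway")
    return findings

def check_deployment(nodes):
    return [f for n in nodes for f in check_node(n)]

# Constructed evidence submission for a two-node deployment.
NODES = [
    {"name": "gw1", "role": "gateway", "password_protected": True,
     "inbound_mappings": ["tcp/80->10.1.1.5"], "wireless_links": []},
    {"name": "svc1", "role": "service", "password_protected": False, "external_uplink": True,
     "wireless_links": [
         {"if": "wlan0", "mode": "WPA2-PSK", "key": "k7$Qm2!vZp9#Lw4@Rt6^Yb1&Nc3*"},
         {"if": "wlan1", "mode": "WPA-PSK", "key": "shortkey"},
         {"if": "wlan2", "mode": "WEP", "key": "0123456789abcdef0123456789"}]},
]

if __name__ == "__main__":
    for finding in check_deployment(NODES):
        print(finding)
```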
Purpose: Connects the wireless mesh network to the Internet. Provides Network Address Translation, Firewall protection and Virtual Private Networking services.
Purpose: Provides connectivity between the Internet gateway router and the backhaul network. Includes a local area network to host file servers and other critical services. Backhaul services should be on a different frequency band than user service areas (e.g. 5 GHz/802.11a).
Service Node - LAN+Backhaul
Purpose: Connects a local area network (LAN) to a wireless mesh network. Backhaul services should be on a different frequency band than user service areas (e.g. 5 GHz/802.11a).
Service Node - LAN/WLAN+Backhaul
Purpose: Connects a local area network to the mesh network. Provides an 802.11b/g wireless network for local users. The service area network and the LAN are separate subnets to allow for firewall rules. Backhaul services should be on a different frequency band than user service areas (e.g. 5 GHz/802.11a).
Service Node - WLAN+Backhaul
Purpose: Provides wireless LAN services for local users on 802.11b/g and connects the network to the mesh backhaul. Backhaul services should be on a different frequency band than user service areas (e.g. 5 GHz/802.11a).