"A Survey on WiMAX - PDF"
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010
http://sites.google.com/site/ijcsis/ ISSN 1947-5500

A Survey on WiMAX

Mohsen Gerami
The Faculty of Applied Science of Post and Communications
Danesh Blv, Jenah Ave, Azadi Sqr, Tehran, Iran. Postal code: 1391637111
e-mail: firstname.lastname@example.org

Abstract—This paper describes an overview of WiMAX. The paper outlines fundamental architectural components for WiMAX and explains WiMAX Security Issues. Furthermore various 802.16 standards, IEEE 802.16 protocol architecture and WiMAX Market will be discussed.

Keywords: WiMAX; IEEE 802.16; Security; Protocol; Market;

I. INTRODUCTION

WiMAX, meaning Worldwide Interoperability for Microwave Access, is a telecommunications technology that provides wireless transmission of data using a variety of transmission modes, from point-to-multipoint links to portable and fully mobile internet access. The technology provides up to 10 Mbps broadband speed without the need for cables. The technology is based on the IEEE 802.16 standard (also called Broadband Wireless Access). The name "WiMAX" was created by the WiMAX Forum, which was formed in June 2001 to promote conformity and interoperability of the standard. The forum describes WiMAX as "a standards-based technology enabling the delivery of last mile wireless broadband access as an alternative to cable and DSL".

As compared to a wireless technology like Wi-Fi, WiMAX is more immune to interference, allows more efficient use of bandwidth and is intended to allow higher data rates over longer distances. Because it operates on licensed spectrum, in addition to unlicensed frequencies, WiMAX provides a regulated environment and viable economic model for wireless carriers. These benefits, coupled with the technology's global support (e.g., ongoing worldwide deployments, spectrum allocation and standardization), make it the popular choice for quick and cost-effective delivery of super-fast broadband wireless access to underserved areas around the world.

WiMAX is cheaper than wired DSL because it does not require placing wires around the area to be covered, which represents an enormous investment for the provider. Not requiring this investment opens the door to many service providers who can start retailing out wireless broadband with low capital, thereby causing prices to drop due to competition.

As with any wireless technology, the requirements for WiMAX are basically a transmitter and a receiver. The transmitter is a WiMAX tower, much like a GSM tower. It is part of the service provider's facilities. One tower, also called a base station, can provide coverage to an area within a radius of around 50 km. On the other side, in order to receive the WiMAX waves, you need a receiver for WiMAX for connecting your computer or device.

WiMAX has a range of around 50 km in a circle. Terrain, weather and buildings affect this range and this often results in many people not receiving signals good enough for a proper connection. Orientation is also an issue, and some people have to choose to place their WiMAX modems near windows and turned in certain specific directions for good reception.

A WiMAX connection is normally non-line-of-sight, which means that the transmitter and the receiver need not have a clear line between them. But a line-of-sight version exists, where performance and stability are much better, since this does away with problems associated with terrain and buildings.

II. WIMAX FUNDAMENTAL ARCHITECTURAL COMPONENTS

WiMAX has four fundamental architectural components:

Base Station (BS). The BS is the node that logically connects wireless subscriber devices to operator networks. The BS maintains communications with subscriber devices and governs access to the operator networks. A BS consists of the infrastructure elements necessary to enable wireless communications, i.e., antennas, transceivers, and other electromagnetic wave transmitting equipment. BSs are typically fixed nodes, but they may also be used as part of mobile solutions—for example, a BS may be affixed to a vehicle to provide communications for nearby WiMAX devices. A BS also serves as a Master Relay-Base Station in the multi-hop relay topology.

Subscriber Station (SS). The SS is a fixed wireless node. An SS typically communicates only with BSs, except for multi-hop relay network operations. SSs are available in both outdoor and indoor models.

Mobile Subscriber (MS). Defined in IEEE 802.16e-2005, MSs are wireless nodes that work at vehicular speeds and support enhanced power management modes of operation. MS devices are typically small and self-powered, e.g., laptops, cellular phones, and other portable electronic devices.

Relay Station (RS). Defined in IEEE 802.16j-2009, RSs are SSs configured to forward traffic to other RSs, SSs, or MSs in a multi-hop Security Zone.

Figure 1. WiMAX network architectures: (a) PMP mode; (b) mesh mode.

WiMAX devices communicate using two message types: management messages and data messages. Data messages transport data across the WiMAX network. Management messages are used to maintain communications between an SS/MS and BS, i.e., establishing communication parameters, exchanging security settings, and performing system registration events (initial network entry, handoffs, etc.).

IEEE 802.16 defines frequency bands for WiMAX operations based on signal propagation type. In one type, WiMAX employs a radio frequency (RF) beam to propagate signals between nodes. Propagation over this beam is highly sensitive to RF obstacles, so an unobstructed view between nodes is needed. This type of signal propagation, called line-of-sight (LOS), is limited to fixed operations and uses the 10–66 gigahertz (GHz) frequency range. The other type of signal propagation is called non-line-of-sight (NLOS). NLOS employs advanced RF modulation techniques to compensate for RF signal changes caused by obstacles that would prevent LOS communications. NLOS can be used for both fixed WiMAX operations (in the 2–11 GHz range) and mobile operations (in the 2–6 GHz range). NLOS signal propagation is more commonly employed than LOS because of obstacles that interfere with LOS communications and because of strict regulations for frequency licensing and antenna deployment in many environments that hinder the feasibility of using LOS.

III. IEEE 802.16

The IEEE developed the 802.16 in its first version to address line of sight (LOS) access at spectrum ranges from 10 GHz to 66 GHz. The technology has evolved through several updates to the standard such as 802.16a, 802.16c, the Fixed WiMAX 802.16d (802.16-2004) specification and lastly the mobile 802.16e set that are currently commercially available. The upcoming 802.16m is still a ways away from ratification. The first update added support for 2 GHz through 11 GHz spectrum with NLOS capability. Each update added additional functionality or expanded the reach of the standard.

For example, the 802.16c revision added support for spectrum ranges both licensed and unlicensed from 2 GHz to 10 GHz. It also improved quality of service (QoS) and brought certain improvements in the media access control (MAC) layer along with adding support for the HiperMAN European standard. The number of supported physical (PHY) layers was increased. Transport mediums such as IP, Ethernet and asynchronous transfer mode (ATM) were added.

At its core, the technology is intended to take a number of best of breed proprietary enhancements that had been made by vendors using the 802.11 standard and combine them together in a very marketable and standardized WiMAX product. For example, older broadband wireless technology such as the Wi-Fi or 802.11b system utilized carrier sense multiple access with collision detection (CSMA/CD) crosstalk methods for base stations and customer premise equipment (CPE) to talk to one another. Basically, this meant that each radio was constantly talking and creating inefficient overhead. It also resulted, especially at times of high traffic, in increased packet collisions and retransmissions, further exacerbating the problem. Some of the proprietary MAC systems built later utilized the base station to define when the CPE would be polled in order to eliminate this problem. By way of a permanent cure, the 802.16 protocol supports multiple methods of polling that a vendor can choose to use. Some of these include piggybacking polling requests within overhead traffic, group polling or dynamic co-opting of bandwidth from another unit by the CPE. The key is that the radios will be interchangeable based on the Forum's initial product profile as well as more efficient.

A. The various 802.16 standards

802.16a: Licensed Frequency 2 GHz to 11 GHz. The IEEE 802.16a working group operates on the MAC and PHY specifications and specifies transmission over non-line-of-sight (NLOS) connections. Frequencies are important for the 3.5 GHz and 5.8 GHz licensed for royalty-free applications. The data rate at a channel width of 20 MHz is 75 Mbit/s. 802.16a is replaced by 802.16-2004.

Specifications of 802.16

802.16b: Licensed Exempt Frequencies, with a focus on the frequency band between 5 GHz and 6 GHz. This group also runs under the name Wireless HUMAN (High Speed Unlicensed MAN).

802.16c: Profiles of transmission frequencies in the frequency range from 10 GHz to 66 GHz. The channel width is 25 MHz in the U.S. and 28 MHz in Europe. 802.16c is replaced by 802.16-2004.

802.16d: Profiles of transmission frequencies in the frequency range of 2 GHz to 66 GHz. Replaced by 802.16-2004. This standard provides line-of-sight and non-line-of-sight connections in the range of 2 GHz to 66 GHz.

802.16e-2005: Mobile Wireless MAN (WMAN). This working group defines mobile access in the context of IEEE 802.16. Data rates of more than 10 Mbps in cells with a range of several kilometers and at speeds exceeding 100 kph are investigated. In addition, 16e clients can switch between different radio cells, known as roaming. In conjunction with DSRC, 802.16e is an interesting alternative for telematic and safety services in automotive technology.

802.16f: MIB management for access networks.

802.16g: Definition of Management Plane.

802.16h: Coexistence of Networks. This Working Group deals with the problems of coexistence of different radio technologies in unlicensed-band transmission.

802.16i: Mobile One Plane Information

802.16j: Bridging alternative to 802.11k. This involves equipment for a mobile relay to which several communication partner stations can connect.

802.16k: Bridging

802.16m: The group is working on high-speed transmission with up to 1 Gbit/s.

802.16-1: Air Interface for 10 GHz to 66 GHz.

802.16.2: Coexistence of Broadband Wireless Access Systems. This Working Group deals with the coexistence of existing systems. Replaced by 802.16.2-2004.

802.16.2-2004: Combines standards 802.16, 802.16a, 802.16c and 802.16d into one standard and regulates the coexistence of wireless broadband systems in the range of 10 GHz to 66 GHz.

802.16.2a: Recommended Practice for Coexistence of Fixed Broadband Wireless Access Systems. This group redefines the coexistence of PMP systems between 2 GHz and 11 GHz.

802.16.3: Air Interface for Fixed Broadband Wireless Access Systems operating below 11 GHz. In this group the unlicensed bands, such as the ISM band, the Personal Communications Services (PCS), and MMDS Unii, are investigated for use in high-speed MAN access.

The following table provides a summary of the IEEE 802.16 family of standards.

TABLE I. SUMMARY OF THE IEEE 802.16 FAMILY OF STANDARDS

B. IEEE 802.16 protocol architecture

The IEEE 802.16 protocol architecture is structured into two main layers: the Medium Access Control (MAC) layer and the Physical (PHY) layer, as described in the following table:

Figure 2. The IEEE 802.16 Protocol structure

The MAC layer consists of three sub-layers. The first sub-layer is the Service Specific Convergence Sub-layer (CS), which maps higher level data services to MAC layer service flow and connections. The second sub-layer is the Common Part Sub-layer (CPS), which is the core of the standard and is tightly integrated with the security sub-layer. This layer defines the rules and mechanisms for system access, bandwidth allocation and connection management. The MAC protocol data units are constructed in this sub-layer. The last sub-layer of the MAC layer is the Security Sub-layer, which lies between the MAC CPS and the PHY layer, addressing the authentication, key establishment and exchange, encryption and decryption of data exchanged between MAC and PHY layers.

The PHY layer provides a two-way mapping between MAC protocol data units and the PHY layer frames received and transmitted through coding and modulation of radio frequency signals.

IV. WIMAX SECURITY

Realizing the sticking point that security has been in the widespread adoption of broadband wireless service, the IEEE and the Forum both determined to define a robust security environment. WiMAX security supports two quality encryption standards, DES3 and AES, which is considered leading edge. The standard defines a dedicated security processor on board the base station for starters. There are also minimum encryption requirements for the traffic and for end-to-end authentication, the latter of which is adapted from the data-over-cable service interface specification (DOCSIS) BPI+ security protocol.

Basically, all traffic on a WiMAX network must be encrypted using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which uses AES for transmission security and data integrity authentication.

For end-to-end authentication, the PKM-EAP (Extensible Authentication Protocol) methodology is used, which relies on the TLS standard of public key encryption. At least one chip company designed processors to support this standard of onboard security processor.

A. WiMAX security solutions

By adopting the best technologies available today, WiMAX, based on the IEEE 802.16e standard, provides strong support for authentication, key management, encryption and decryption, control and management of plain text protection and security protocol optimization. In WiMAX, most security issues are addressed and handled in the MAC security sub-layer as described in the following figure:

Figure 3. MAC Security sub-layer. Source: IEEE Std. 802.16e 2006.

Two main entities in WiMAX, including Base Station (BS) and Subscriber Station (SS), are protected by the following WiMAX security features:

Security associations: A security association (SA) is a set of security information parameters that a BS and one or more of its client SSs share in order to support secure communications. Data SA has a 16-bit SA identifier, a Cipher (DES in CBC mode) to protect the data during transmission over the channel and two traffic encryption keys (TEKs) to encrypt data: one is the current operational key and the other is TEK . When the current key expires, TEK a 2-bit key identifiers is used. A 64-bit initialization vector (IV) is used for each TEK.

Public key infrastructure (PKI): The WiMAX standard uses the Privacy and Key Management Protocol for securely transferring keying material between the base station and the mobile station. The privacy key management (PKM) protocol is responsible for privacy, key management, and authorizing an SS to the BS. The initial draft for WiMAX mandates the use of PKMv1, which is a one-way authentication method. PKMv1 requires only the SS to authenticate itself to the BS, which poses a risk for a Man-in-the-middle (MITM) attack. To overcome this issue, PKMv2 was proposed (later adopted by 802.16e), which uses a mutual (two-way) authentication protocol. Here, both the SS and the BS are required to authorize and authenticate each other. PKMv2 protects against the following: BS and SS impersonation, MITM attacks and key exchange issues.

PKMv2 supports the use of the Rivest-Shamir-Adleman (RSA) public key cryptography exchange. The RSA public key exchange requires that the mobile station establish identity using either a manufacturer-issued X.509 digital certificate or an operator-issued credential such as a subscriber identity module (SIM) card. The X.509 digital certificate contains the mobile station's Public-Key (PK) and its MAC address. The mobile station transfers the X.509 digital certificate to the WiMAX network, which then forwards the certificate to a certificate authority. The certificate authority validates the certificate, thus validating the user identity.

Figure 4. Public Key Infrastructure.

Once the user identity is validated, the WiMAX network uses the public key to create the authorization key, and sends the authorization key to the mobile station. The mobile station and the base station use the authorization key to derive an identical encryption key that is used with the advanced encryption standard (AES) algorithm.

Authentication: Authentication is the process of validating a user identity and often includes validating which services a user may access. The authentication process typically involves a supplicant (that resides in the mobile station), an authenticator (that may reside in the base station or a gateway), and an authentication server.

Figure 5. EAP-based authentication.

WiMAX uses the Extensible Authentication Protocol (EAP) to perform user authentication and access control. EAP is actually an authentication framework that requires the use of "EAP methods" to perform the actual work of authentication. The network operator may choose an EAP method such as EAP-TLS (Transport Layer Security), or EAP-TTLS MS-CHAP v2 (Tunneled TLS with Microsoft Challenge-Handshake Authentication Protocol version 2). The messages defined by the EAP method are sent from the mobile station to an authenticator. The authenticator then forwards the messages to the authentication server using either the RADIUS or DIAMETER protocols.

Data privacy and integrity: WiMAX uses AES to produce ciphertext. AES takes an encryption key and a counter as input to produce a bitstream. The bitstream is then XORed with the plaintext to produce the ciphertext. The AES algorithm is recommended by the 802.16e security sub-layer, since it provides stronger protection from theft of service and data across broadband wireless mobile networks. Besides the CCM-Mode and ECB-Mode AES algorithms supported in 802.16-2004, 802.16e supports three more AES algorithms: CBC-Mode AES, CTR-Mode AES and AES-Key-Wrap.

B. WiMAX threats

Despite good intentions for WiMAX security, there are several potential attacks open to adversaries, including:

• Rogue Base Stations
• DoS Attacks
• Man-in-the-Middle Attacks
• Network manipulation with spoofed management frames

The real test of WiMAX security will come when providers begin wide-scale network deployments, and researchers and attackers have access to commodity CPE equipment. Other attacks including WiMAX protocol fuzzing may enable attackers to further manipulate BSs or SSs. Until then, the security of WiMAX is limited to speculation.

V. GLOBAL WIMAX MARKET

Worldwide Interoperability for Microwave Access, or WiMAX, has been gaining a lot of attention as a wireless broadband alternative, as it provides reliable, secure and high quality broadband access for mobile Internet users. The technology supports bandwidth-heavy applications and User Generated Content (UGC) services that customers want. WiMAX promises a better-performing, less-expensive alternative to many technologies (like DSL, Wi-Fi) that are already available in the market.

According to the new research report "Global WiMAX Market Analysis", WiMAX has tremendous potential to offer a global standardized broadband wireless platform. Many countries across the globe will adopt WiMAX to facilitate rapid economic development. Moreover, the move to WiMAX, a technology that is ready for deployment now, will be preferable to waiting for alternative technologies that may not be available for three or more years. As a result, the number of WiMAX users is forecast to grow over 87% between 2010 and 2012.

The research reveals that, by 2012, the Asia-Pacific region will lead the number of global WiMAX users, accounting for over 45% of the total user base, followed by North America and Europe. Major growth is expected in Asia-Pacific and MEA as these countries are deploying the technology more rapidly. Moreover, government support and operators' initiatives to provide the region with faster Internet access in remote areas are also fostering growth in the WiMAX market.

The WiMAX market is coming out of the recession period strongly, posting three consecutive quarters of revenue growth for 802.16e equipment and devices. With Clearwire in the U.S. announcing strong quarterly results, Yota in Russia expanding rapidly, and others such as UQ in Japan being aggressive, the WiMAX business model seems to be working. Though we are still in the early days, WiMAX is proving to be a good fit in a range of broadband segments in developed as well as developing markets.

WIMAX MARKET HIGHLIGHTS

• Worldwide vendor revenue from 802.16d and 802.16e WiMAX network equipment and devices hit $1.08 billion in 2009, down 19% from 2008, as the market suffered the effects of the recession
• However, 4Q09 was the third consecutive quarter of WiMAX equipment and device revenue growth, up 3% from 3Q09
  o Quarterly revenue levels remain short of the pre-recession market highs of over $300 million seen in early 2008
• The WiMAX market is showing positive signs of steady growth from this year onward, with major rollouts underway in USA, Japan, Russia, and India
• Starting in 2011-2012, 802.16m WiMAX products are expected to be tested, certified, and commercially available, offering speeds comparable to LTE
• For the combined WiMAX equipment and device market, Motorola took the #1 spot in 2009, with 17% of worldwide revenue, just ahead of Alvarion
• Huawei showed the biggest growth in WiMAX equipment and device market share in 2009
• The number of WiMAX subscribers jumped 75% in 2009 to 6.8 million worldwide.

Figure 6. WiMAX Market Forecast.

VI. CONCLUSION

WiMAX allows operators to present their subscribers true broadband connectivity in fully mobile, all-IP networks. The IEEE 802.16e standard has changed several security mechanisms and needs more research on its security vulnerabilities. WiMAX is a very promising technology for delivery of fully mobile personal broadband services. The WiMAX market presents enormous business opportunities. WiMAX can be deployed to drive new revenue streams on much shorter timelines and at much lower capex than FTTx, xDSL, or cable modem alternatives. WiMAX is an opportunity.

REFERENCES

[1] WiMax Forum - Technology. http://www.wimaxforum.org/technology/. Retrieved 2008-07-22.
[2] http://www.agilent.com/about/newsroom/tmnews/background/wimax/. Retrieved 2009-11-18.
[3] Nadeem Unuth, http://voip.about.com/od/mobilevoip/a/UsingWiMAXTechnology.htm. Retrieved 2009-10-12.
[4] Karen Scarfone, Cyrus Tibbs, Matthew Sexton, 2009, Guide to Security for WiMAX Technologies, US National Institute of Standards and Technology-Special Publication 800-127 (Draft), 46 pages (Sep. 2009).
[5] David Johnston & Jesse Walker, 2009, Overview of IEEE 802.16 security.
[6] http://slingbroadband.com/wimax/category/wimax-faq//. Retrieved 2008-11-28.
[7] http://www.wifinotes.com/wimax/IEEE-802.16.html
[8] Trung Nguyen, 2009, A survey of WiMAX security threats, http://www.cse.wustl.edu/~jain/cse571-09/ftp/wimax2/index.html
[9] http://www.cse.wustl.edu/~jain/cse574-08/
[10] Department University of Bridgeport, Bridgeport, CT. http://www.asee.org/activities/organizations/zones/proceedings/zone1/2008/Professional/ASEE12008_0022_paper.pdf
[11] http://slingbroadband.com/wimax/category/wimax-faq//. Retrieved 2008-11-28.
[12] J. Hasan, 2006, Security Issues of IEEE 802.16 (WiMAX), School of Computer and Information Science, Edith Cowan University, Australia, 2006.
[13] Mitko Bogdanoski, Pero Latkoski, Aleksandar Risteski, Borislav Popovski, 2008, IEEE 802.16 Security Issues: A Survey, Faculty of Electrical Engineering and Information Technologies, Ss. Cyril and Methodius University, Skopje, Macedonia, http://2008.telfor.rs/files/radovi/02_32.pdf
[14] D. Johnston and J. Walker, 2004, Overview of IEEE 802.16 Security, IEEE Security & Privacy magazine, May/June 2004.
[15] S. Adibi, G. B. Agnew, T. Tofigh, 2008, End-to-End (E2E) Security Approach in WiMAX: Security Technical Overview for Corporate Multimedia Applications, 747-758, Handbook of Research on Wireless Security (2 Volumes), edited by Yan Zhang, Jun Zheng, Miao Ma, 2008.
[16] S. Adibi, G. B. Agnew, 2008, End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies, 364-378, Handbook of Research on Wireless Security (2 Volumes), edited by Yan Zhang, Jun Zheng, Miao Ma, 2008.
[17] S. Adibi, G. B. Agnew, 2008, Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks, 776-789, Handbook of Research on Wireless Security (2 Volumes), edited by Yan Zhang, Jun Zheng, Miao Ma, 2008.
[18] Joshua Wright, http://www.computerworld.com.au/article/170510/wimax_security_issues/?fp=16&fpid=1, Network World.
[19] Global WiMAX Market Analysis, 2009, http://www.bharatbook.com/Market-Research-Reports/Global-WiMAX-Market-Analysis.html
[20] Webb Richard, 2010, London, United Kingdom, March 1, 2010—Infonetics Research.
[21] WiMAX Equipment, Devices, and Subscribers market share and forecast report, 2010, www.infonetics.com
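
The counter-mode operation described under "Data privacy and integrity" in Section IV.A (AES turns a key and a counter into a bitstream that is XORed with the plaintext), worked through as an added example that is not part of the original paper. It implements AES-128 block encryption from the standard library only and drives a counter keystream with it; the 16-byte big-endian counter block and the sample frames are assumptions constructed here, since the page does not give 802.16e's own counter format. The last function shows why a counter value must never repeat under one traffic encryption key.

```python
"""AES-128 counter mode, standard library only. Added illustration, not the paper's code."""

def xtime(a):
    """Multiply by x (that is, by 2) in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def make_sbox():
    """Build the AES S-box: multiplicative inverse followed by the affine transform."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p ^= xtime(p)                       # p = p * 3
        for shift in (1, 2, 4):             # q = q / 3, so p * q == 1 throughout
            q ^= (q << shift) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                          # 0 has no inverse
    return sbox

SBOX = make_sbox()

def expand_key(key):
    """Expand a 16-byte key into 11 round keys of 16 bytes each."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; the state is a flat list in column-major order."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                               # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]     # ShiftRows
        if rnd < 10:                                           # MixColumns
            mixed = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]        # AddRoundKey
    return bytes(s)

def aes128_ctr(key, counter_block, data):
    """Encrypt or decrypt: XOR data with AES(key, counter), counter + 1 per block."""
    if len(key) != 16 or len(counter_block) != 16:
        raise ValueError("key and counter block must each be 16 bytes")
    round_keys, out = expand_key(key), bytearray()
    ctr = int.from_bytes(counter_block, "big")
    for off in range(0, len(data), 16):
        keystream = aes128_encrypt_block(round_keys, ctr.to_bytes(16, "big"))
        out += bytes(d ^ k for d, k in zip(data[off:off + 16], keystream))
        ctr = (ctr + 1) % (1 << 128)
    return bytes(out)

def counter_reuse_leak(key, counter_block, frame_a, frame_b):
    """Return (XOR of the two ciphertexts, XOR of the two plaintexts) when both
    frames are encrypted from the same starting counter: the values are equal,
    so the key drops out and plaintext structure is exposed."""
    ca = aes128_ctr(key, counter_block, frame_a)
    cb = aes128_ctr(key, counter_block, frame_b)
    return (bytes(x ^ y for x, y in zip(ca, cb)),
            bytes(x ^ y for x, y in zip(frame_a, frame_b)))

if __name__ == "__main__":
    tek = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")    # NIST SP 800-38A sample key
    ctr0 = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")   # NIST sample counter block
    frame = b"constructed sample payload, longer than one block"
    ct = aes128_ctr(tek, ctr0, frame)
    print("ciphertext:", ct.hex())
    print("round trip ok:", aes128_ctr(tek, ctr0, ct) == frame)
    cx, px = counter_reuse_leak(tek, ctr0, b"A" * 20, b"B" * 20)
    print("reused counter leaks plaintext XOR:", cx == px)
```

Counter mode alone gives confidentiality only; the CCM mode named in Section IV pairs it with a CBC-MAC so that modified ciphertext is rejected.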