An IEEE 802.11k-based topology discovery scheme for centrally managed WLANs.

System architecture

We have implemented a system to collect coverage information from registered users to be used for better planning the operation of the network. For example, such information could be the input to a channel assignment algorithm.

The focus of this work is on the security aspects of this architecture. Our basic assumption is that user-supplied information is not always trustworthy. User authentication and encryption mechanisms are not enough to protect from fake reporting. Therefore, we have designed simple mechanisms to deal with such cases. We try to reuse security components of the IEEE 802.11i architecture to avoid particular attacks and to rely on a strong user authentication scheme, while we apply a reputation-based consensus scheme to evaluate the validity of user-supplied reports.

We implemented a subset of the IEEE 802.11k standard (ratified in 2008) for radio resource measurements in the Linux wireless networking stack, as a standard tool to collect WLAN topology information. To demonstrate that attacks to the reporting mechanism are feasible even if reporting is implemented at a low level (Linux mac80211), we have built a modified version of the mac80211 kernel module that allows for various attacks.

(It should be noted that non-standard methods for requesting and collecting reports are possible. For example, a user could directly report topology information to a server somewhere in the Internet via an application layer scheme. Attacking such a scheme is more straightforward.)

Software components

Modified mac80211: We have added basic IEEE 802.11k support (beacon requests and beacon reports) to the Linux mac80211 framework. Clone the 2.6.38 wireless-testing kernel and apply this patch to enable it. This also enables attacks from userspace: A user can write to proc and either disable reporting functionality, send random fake reports or send a fixed predefined BSS list when requested by an AP.

Modified version of hostapd: The current trend is that MLME functionality is handled in kernel space in STA mode and in user space in master mode. Therefore, we added 11k functionality to hostapd, which you can enable by applying this patch.

11kd: A daemon for receiving beacon reports from STAs associated with a Wi-Fi AP. Instructs hostapd to send beacon requests to associated STAs, receives data from hostapd and sends them to the collecting entity (collectord).Download.

collectord: IEEE 802.11k report collector. It collects BSS coverage information coming from registered users (Wi-Fi stations). This information is requested and received from the 11kd daemon running on the Wi-Fi APs the users are connected to. collectord reads user and AP information from a radius database. From the reports it receives, it builds a coverage graph, where vertices represent APs and edges represent coverage between neighbor APs. This program also evaluates user reports based on their reputation and filters the graph appropriately.Download.

Radius server: User AAA is handled through radius. We use the freeradius server, which should be configured to use a MySQL backend. To keep track of user reputations, a new field needs to be added to the radius database. You need to manually add a field called "reputation" (type: double) at the end of table "radcheck". Also, add a field called "macaddr" at the end of table "nas" (type: VARCHAR(17)). This field is used to identify NAS devices (managed APs).


A detailed HOWTO on installing, configuring and running the system, as well as executing client-side reporting attacks will soon be available. At a high level, the following steps are needed to test the system:

Model and simulator

We have developed an analytical model to calculate our system's topology discovery accuracy for various scenarios and in the presence of reporting attacks. MATLAB sources can be found here. See the README file and comments in the source files to use it.

Also, since our model involves numerical calculation of integrals and there is potential loss of precision due to some approximations, we have implemented a custom simulator to validate our model. In particular, we can simulate a case where attackers act independently (submit random fake AP identifiers) or collude. This version of our simulator works in rounds and user reputations are kept. Each AP has a fixed transmission range (disk of fixed radius centered at the AP). Such parameters (tx range, terrain size, number of clients/APs, probability of attack, etc. can be set in a config file).

To use our simulator, download it, extract it and run make to build it. To execute it, modify the config file and run it: ./wifisim ./wifisim.conf.

Peer-to-Peer Wireless Network Confederation (P2PWNC)

Project website.