Cisco Cisco 2000 Series Wireless LAN Controller Manual Técnico
The NAV field is the virtual carrier−sense mechanism used to mitigate collisions between hidden terminals
(wireless clients the current wireless client cannot detect when it transmits) in 802.11 transmissions. Hidden
terminals create problems because the access point might receive packets from two clients that can transmit to
the access point but do not receive each other's transmissions. When these clients transmit at the same time,
their packets collide at the access point and this results in the access point receiving neither packet clearly.
(wireless clients the current wireless client cannot detect when it transmits) in 802.11 transmissions. Hidden
terminals create problems because the access point might receive packets from two clients that can transmit to
the access point but do not receive each other's transmissions. When these clients transmit at the same time,
their packets collide at the access point and this results in the access point receiving neither packet clearly.
Whenever a wireless client wants to send a data packet to the access point, it actually transmits a four−packet
sequence called the RTS−CTS−DATA−ACK packet sequence. Each of the four 802.11 frames carries a NAV
field that indicates the number of microseconds that the channel is reserved for by a wireless client. During
the RTS/CTS handshake between the wireless client and access point, the wireless client sends a small RTS
frame that includes a NAV interval large enough to complete the entire sequence. This includes the CTS
frame, the data frame, and the subsequent acknowledgment frame from the access point.
sequence called the RTS−CTS−DATA−ACK packet sequence. Each of the four 802.11 frames carries a NAV
field that indicates the number of microseconds that the channel is reserved for by a wireless client. During
the RTS/CTS handshake between the wireless client and access point, the wireless client sends a small RTS
frame that includes a NAV interval large enough to complete the entire sequence. This includes the CTS
frame, the data frame, and the subsequent acknowledgment frame from the access point.
When the wireless client transmits its RTS packet with the NAV set, the transmitted value is used to set the
NAV timers on all other wireless clients associated to the access point. The access point replies to the RTS
packet from the client with a CTS packet that contains a new NAV value updated to account for the time
already elapsed during the packet sequence. After the CTS packet is sent, every wireless client that can
receive from the access point has updated their NAV timer and defers all transmissions until their NAV timer
reaches 0. This keeps the channel free for the wireless client to complete the process of transmitting a packet
to the access point.
NAV timers on all other wireless clients associated to the access point. The access point replies to the RTS
packet from the client with a CTS packet that contains a new NAV value updated to account for the time
already elapsed during the packet sequence. After the CTS packet is sent, every wireless client that can
receive from the access point has updated their NAV timer and defers all transmissions until their NAV timer
reaches 0. This keeps the channel free for the wireless client to complete the process of transmitting a packet
to the access point.
An attacker might exploit this virtual carrier−sense mechanism by asserting a large time in the NAV field.
This prevents other clients from transmitting packets. The maximum value for the NAV is 32767, or roughly
32 milliseconds on 802.11b networks. So in theory an attacker only needs to transmit roughly 30 packets a
second to jam all access to the channel.
This prevents other clients from transmitting packets. The maximum value for the NAV is 32767, or roughly
32 milliseconds on 802.11b networks. So in theory an attacker only needs to transmit roughly 30 packets a
second to jam all access to the channel.
Related Information
Cisco 4400 Series Wireless LAN Controllers
•
Cisco 4100 Series Wireless LAN Controllers
•
Cisco 2000 Series Wireless LAN Controllers
•
Cisco Intrusion Detection System Signature Engines Version 3.1
•
Technical Support & Documentation − Cisco Systems
•
Contacts & Feedback | Help | Site Map
© 2013 − 2014 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.
© 2013 − 2014 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.
Updated: May 11, 2007
Document ID: 69366