Vous êtes sur la page 1sur 13

Mobile Networks - Final Exam

Prof. J.-P. Hubaux

June 22, 2011
Duration: 2 hours and 30 minutes
Closed book with an aide-memoire of at most 2 pages hand- or typewritten.

Please write your answers on these sheets.

Extra sheets will be provided if necessary. (Put your name on them).
Please write in a readable way. Unreadable handwriting will not be corrected.
Please write your answers in English.
The total number of points is 50. Your final mark to this exam will be
round{min(6, (1 + exam score + average of the best 5 quiz scores))}.

This document contains 12++ pages.

Student First name:

Last name:



2 Communication Systems
2 Other (please indicate): . . . . . . . . .

2 Master Year 1
2 PhD Student

2 Computer Science

2 Master Year 2
Other (please indicate): . . . . . . . . .

(answers to the questions are shown in italic and blue) (grades in red)


(5 points)


Question 1: Consider a topology in which every two nodes communicate with each other in pair
using IEEE 802.11 MAC protocol. Assume that one of the nodes in each pairs is always the sender
and the other one is the receiver, and the sender always have packets to transmit (i.e., transmits in
full capacity). Assume that there are no hidden nodes (i.e., every node can hear all the others). Draw
the total system throughput when the number of active pairs increases from 1 (i.e., communication
between only 2 nodes) to 10.
Note that the total system throughput when there is only one pair of communicating nodes is
already drawn.



solution: a straight line with negligible decrease as the number of active pairs increases (3 pt)

Question 2: Please justify your answer (in at most two sentences):

The competing nodes share the channel between themselves by doubling their contention window size.
However, some congestion might lead the overall throughput to decrease. (2 pt)

Performance aspects of WLAN

(12 points)

Question 1 - (MAC 1): Consider a number of wireless devices (nodes) that have an infinite number of
packets to send. They share the same medium, and follow a simple MAC protocol whose difference
to the standard IEEE 802.11b (DCF) is that: Every node starts with the contention window of size
1, and the maximum contention window size is 4. The corresponding Markov chain of such MAC
protocol (following the Bianchi model) is illustrated as following: Let p denote the probability of










collision for a packet, and denote the probability of transmitting a packet. We know from the
definition that p = 1 (1 )N 1 . What is the other relation between these two parameters in this
MAC protocol, that can be obtained from the Bianchi model? Compute f (p), where = f (p).
= b0,0
P+ b1,0 + b2,0
b0,0 + 1i=0 b1,i + 3i=0 b2,i = 1
b1,0 = pb0,0 , b2,0 = 1p

1+p+ 1p

1+ 32 p+ 52


(3 pt)

Question 2 - (MAC 2): Lets introduce a new MAC protocol which is more conservative than the one
described in Question 1. Nodes do not go back to state (0, 0) in the case of successful transmission.
Rather, after each successful transmission, they reduce their backoff stage by one, and choose a
backoff timer at random from that stage. Similar to Question 1, compute based on p in this protocol.

= b0,0
P+ b1,0 + b2,0
b0,0 + 1i=0 b1,i + 3i=0 b2,i = 1
p i
bi,0 = ( 1p
) b0,0

+ 25 p 2
1+ 32 1p
1+ 1p

(4 pt)












Question 3: Compare MAC 1 and MAC 2. In which one is the transmission probability higher?
Justify the answer analytically with the results you obtained from Question 1 and 2.
1 =
2 =


1 + 23 p + 52 1p
1 > 2 .

(3 pt)

Question 4: Qualitatively compare MAC 1 and MAC 2 in terms of the probability of collision

between nodes as the number of nodes increases.

The probability of collision in MAC 1 (i.e., p1 ) is always higher than that of MAC 2 (i.e., p2 ). However,
as the number of users increases, the difference between p1 and p2 decreases and goes to 0.
(2 pt)


Cellular Networks

(8 points)

Cell Splitting

Cell splitting is the process of subdividing a congested cell into smaller cells (or microcells), each
with its own base station. Cell splitting increases the capacity of a cellular system since it increases
the number of times that channels are reused per unit area.
Consider the following example. A cellular network shown in Fig. 1 (a) contains cells of radius R.
A young engineer is hired to deploy microcells and is told that the number of cells per cluster is N = 3.
Question 1: Assume microcells use the same frequency-reuse pattern as the one shown in Fig. 1 (a).
Mark the first tier co-channel cells of microcell A in Fig. 1 (b).
See below.



A !




(2 pt)
Question 2: In order to achieve cell splitting, the transmission power of each base station has to be
reduced. Quantify this reduction for the case shown above (assume the path loss exponent is ).

In order to ensure that the frequency reuse plan for new microcells behaves exactly as for original
cells, we should let the received power P r at the new and old cell boundaries be equal. This means
that the transmission powers Pmcell and Pcell should meet the following equation:
cPcell R = cPmcell ( )
= 2


where c is some constant. (2 pt)


Network Capacity

Question 3: Let us consider a single-cell CDMA cellular system. Assume the available bandwidth
W=1.25MHz, bitrate R=9600bps, and a minimum acceptable Eb /N0 be 10dB, please determine the
maximum number of users that can be supported in the system using:
(a) an omnidirectional antenna at the base station
(b) a three-sector antenna at the base station and a duty cycle of = 3/8.
The thermal noise is neglected in both cases.
(a) The network capacity in terms of the number of supported users is:
N =1+

1.25 106
= 1 + 13.02 14
9600 10


(b) The capacity of each sector is:

8 1.25 106
Ns = 1 +
= 35.7
3 9600 10
Hence, the network capacity is 3Ns 107. (4 pt)


Transport Layer over Wireless Networks

(10 points)

The TCP protocol was originally designed to provide reliable and in-order delivery of data packets
over wired Internet connections. Successively, several enhancements have been proposed to improve
its performance over wireless and mobile networks.
Question 1: In case of a packet loss, what is the reaction of TCP Tahoe? Based on which assumptions
does the standard TCP take such a reaction? Why is such a reaction less suited for wireless and mobile
Standard TCP goes into slow start after a packet loss has been detected, either by a timeout or after
receiving a triple ACK. This means that the congestion window is set to 1, and the threshold is set to
half of the congestion window value right before the packet loss has been detected.
The assumptions behind such reaction are: (i) bit errors are rare and (ii) the communication links are
congested if there is a packet loss. (3 pt)

Question 2: Provide at least three main issues introduced by wireless and mobile networks which
led to the enhancements of TCP. Moreover, for each of the three issues, briefly describe a practical
scenario in which they may occur and how these issues would affect the performance of TCP.
Issue 1: Packet (frame) losses due to wireless transmission errors OR high bit-error rates; Scenario
1.1: When there are many wireless stations communicating in a single collision domain, there could
be interference at the receiver (when two or more stations transmit at the same time) which could lead
to frame (or packet) losses, forcing the sender to retrasmit the lost packet(s); Scenario 1.2: When a
wireless device is far from the base station (low SNR), some bits may get corrupted at the receiver,
again requiring the sender to retransmit the corrupted packet(s).
Issue 2: Handoffs OR disconnections; Scenario 2: When a wireless device (with an ongoing TCP
connection) changes its association with a fixed base station, there may be packets that get lost due to
the change of IP address.
Issue 3: Delays; Scenario 3.1: Wireless medium access mechanisms, such as 802.11 MAC, may
introduce significant delays in order to increase the probability of a successful transmission; Scenario
3.2: Extreme distances between the communicating devices and encoding/decoding, such as required
by satellite communications, may severely affect the throughput of TCP due to large RTTs between
the communicating hosts.
(3 pt)

Question 3 One way to increase the performance of TCP over wireless and mobile networks consists
in using split-connection approaches. Assume that a correspondent host (CH) is sending messages
over TCP to a mobile host (MH) through a foreign agent (FA). Consider now I-TCP, Snooping TCP
and M-TCP split-connection approaches. For each of these three approaches, say if they necessarily
require changes in the standard TCP behavior at any of the following entities: CH, MH or FA. What
are these changes (if any) and what is their purpose?

I-TCP: no changes are strictly required; Even the standard TCP could increase its performance thanks
to lower delays.
Snooping TCP: changes are required at the FA; A shorter retransmission interval is used at the FA in
order to retransmit unacknowledged packets directly to the MH before the CH notices the loss.
M-TCP: changes are required at the FA; The FA should throttle down the receiver when the MH
disconnects, by setting the senders window size to 0, which forces the sender to go into persistent
mode, i.e., not changing the senders state for no matter how long the receiver stays disconnected.
(3 pt)

Question 4 What is the purpose of T-TCP? In what communication scenarios is the benefit of using
T-TCP much greater with respect to standard TCP? While using a cellular Internet connection in a
foreign Country (roaming), is it better to use T-TCP or standard TCP? Why?
The purpose of T-TCP is to reduce the number of packets required in order to establish and terminate
a TCP connection containing a small amount of payload data.
Considering cellular networks (such as GPRS), there may be significant delays between the MH and
an Internet host, and therefore T-TCP could reduce the overhead (and waiting times) due to the
establishment and termination of TCP connections contadini only a small amount of payload data
(such as for services based on HTTP).
While abroad and in roaming, it is in principle better to use T-TCP rather then standard TCP because
of the reduced data usage for TCP connections with little amount of payload data. This would usually
result in much lower roaming costs for the subscriber.
(1 pt)

Wireless Security

(9 points)

Authentication protocols are designed to ensure that two communicating hosts can authenticate themselves to the other party. There are mainly two types of authentication protocols: one-way and
two-way authentication. One-way authentication protocols only authenticate one party to the other,
whereas two-way authentication protocols mutually authenticate both parties.
In GSM and 3GPP, for instance, the authentication between a mobile subscriber and the network
is based on different authentication protocols, which may provide one- or two-way authentication.
Consider the simple authentication protocol between two parties A and B shown in the figure
below, where k is a shared secret key (between A and B), r is a random number generated by A, r0 is
a random number generated by B and Ek (r) is the encryption of r using the shared secret key k.

random r

random r

r || Ek(r)


Question 1 Does this protocol provide two-way or one-way authentication? Is it more similar to the
GSM or 3GPP authentication mechanism? Justify each of the two answers with 1 or 2 sentences.
The authentication protocol is a two-way authentication protocol. In the first step, A sends an encrypted challenge r to B, who then sends it back in unencrypted form to A, proving that B indeed
knows the shared secret key k. In the second step, B sends an encrypted challenge to A, who proves
to B in the third step that he/she knows the shared secret key k by sending back the unencrypted challenge r0 back to B. At this point, both A and B have authenticated themselves to the other party.
Therefore, as it is a two-way authentication protocol, it is more similar to 3GPP as opposed to GSM.
(2 pt)

Question 2 Is this authentication protocol vulnerable to replay attack? If yes, provide an example of
an attack. If no, justify your answer.


The authentication protocol is not vulnerable to the replay attack as it is a challenge-response mechanism based on two fresh random numbers r and r0 generated by the two parties A and B respectively.
Even if a recorded message would be sent by an intruder to any of the parties A or B, the authentication would fail because the other party would generate a fresh challenge for the intruder, who will
not be able to reply correctly. (3 pt)

Question 3 Is the authentication protocol vulnerable to intruder-in-the-middle attacks? If no, justify

your answer. If yes, describe an example that shows a successful intruder-in-the-middle attack.
Hint: It is important to look at who initiates the protocol.
The authentication protocol is vulnerable to an intruder-in-the-middle attack, specifically to the interleaving attack, where an intruder starts two interleaved (but separated) authentication sessions with
the two communicating parties A and B. Consider the following example that successfully breaks
the authentication scheme. An intruder H starts a session with B, in which he impersonates A. An
intruder H generates a random number, which is considered to be Ek (r1 ), but the intruder H has
no knowledge of r1 . He sends it to B, who assumes that its source is A. User B decrypts the supposed encrypted random number r1 with the secret key k that he shares with A and he generates a
random number r2 that he encrypts with the same secret key and sends the random number r1 and
the encrypted random number Ek (r2 ) to user A. User A decrypts the encrypted random number r2 ,
generates a new random number r3 and encrypts it. Then he sends r2 and Ek (r3 ) to user B. The
intruder intercepts the message and sends the decrypted random number r2 to B. He then quits the
session with A. User B receives r2 , which is the same as the one he generated, and so he thinks that
he is communicating with user A. Finally, the intruder has untruly authenticated himself as user A to
user B. (4 pt)



(6 points)

Location-Based Services (LBS) are being increasingly used by mobile devices in order to deliver
personalized services to the device owner. As we have seen in the Hands-on Exercise on location
privacy, an eavesdropper can sniff the packets exchanged between the mobile device (MD) and an
infrastructure access point (AP), and it can try to track users movements by observing the content of
such packets.
Assume that an MD wants to send an LBS query over the Internet to an LBS provider. This MD
could use three different localization technologies (GPS, Cell-tower ID and WiFi trilateration), as it is
connected to the cellular network, to a WiFi access point and is in visibility of GPS satellites.

Question 1 In order to obtain his own location, the owner of the MD would like to know what
are the localization technologies that reveal the minimum amount of location information to thirdparty providers (except the LBS provider). In order to help him, you are asked to order the three
localization technologies (GPS, Cell-tower ID and WiFi trilateration) from the best (minimum leakage
of information) to the worst (maximum leakage), and to justify your answers.
The order is the following. The best is GPS, as it is a localization technology that does not require
any communication with a third-party provider, and therefore it does not leak any information while
determining the MDs location because it can determine it locally. Cell-tower ID localization is
the second in terms of information leakage, as it requires communication with an online database
which could be managed by the mobile operator itself, and there are legal contracts between the
mobile subscriber and the operator that shields the former from unauthorized information disclosure;
The worst localization technology, in terms of information leakage, is the WiFi-based trilateration
because it can potentially reveal a very detailed location information (due to the low-range radio
communications), and additionally it uses third-party owned databases (such as SkyHook) in order to
determine the MDs location. (3 pt)

Question 2 In order to protect a users location privacy from malicious adversaries, there are several
mechanisms that can be deployed at different layers of the TCP/IP network stack. You are asked to
a. List three such layers that use uniquely identifiable information, which could be used to track a
users movements or queries.
b. For each of the previously listed layers, specify what information could be used to uniquely link
multiple LBS queries to a single user. Justify your answer with 1 or 2 sentences for each of the
concerned layers.
c. For each of the previously listed layers, specify an effective mechanism that would make it
harder for an adversary to track a users movements. Justify your answer.


Link-layer: MAC address

Network layer: IP address
Application layer: Cookies
Using the same fixed MAC address for multiple LBS queries or any other message exchange could be
used by an adversary in order to track the movements of the corresponding device.
Even if dynamically assigned, an IP address is relatively stable if a mobile device roams to a WiFi
access point with the same IP subnet as the previous one. Therefore, an adversary could use the IP
address to link LBS queries to the same source.
Application-layer cookies are usually assigned to a specific user on a particular machine, and they
could be even used to track a single user on a shared machine. Moreover, they could also be used to
track a single user over different machines if there is some sort of personalized state of the LBS that
is maintained across different sessions for each particular user.
Dynamically changing the identifiers is believed to be an effective means to make it more difficult for
adversaries to link multiple messages to a single user. For instance, changing the MAC address in
a coordinated collaborative way is believed to be an effective means for preserving users location
privacy from local adversaries. Similarly, changing IP address may help if the adversary is a LBS
provider that is accessed over the Internet. Finally, using single-session cookies (present in several
web browsers with the option private browsing mode) could help against both local adversaries
and remote adversaries.
(3 pt)