Extending the Range of Bluetooth Piconets by Transparently Tunnelling Communications Over

Tunnelling Bluetooth over IP

David Mackie

Research Project Proposal

May 2004

Name of Student: Mackie, D S

Student Number: 99M0302

Degree: Masters in Science

Department: Computer Science

Provisional Title of Thesis:

Extending the range of Bluetooth Piconets by transparently tunnelling communications over IP networks.

Type of Masters: Thesis Only

Name/s of Supervisor/s: Professor Peter Clayton

Estimated Date of Submission: Nov 2005

1 Field of Research

Bluetooth, Piconets, Tunnelling

2 Title

Extending the range of Bluetooth Piconets by transparently tunnelling communications over IP networks.

3 Research Context

3.1 Bluetooth

Bluetooth [1] is a specification for a low-cost, low-power, short-range wireless communication technology that provides wireless connectivity between mobile devices such as cellphones, personal digital assistants (PDA) and portable computers. Not only can it be used as a cable replacement on a point-to-point basis, but it can also form ad hoc networks in a master-slave formation called Piconets, allowing users to create Personal Area Networks (PAN) [2] between devices. The Bluetooth Special Interest Group (SIG) [3] is a trade association of over 2000 companies, including leaders in the telecommunication, networking and computing industries such as 3Com, Ericsson, IBM, Intel, Lucent, Microsoft, Motorola, Nokia and Toshiba, that are driving the development of Bluetooth.

3.2 Bluetooth Networks

The basic structure of a Bluetooth network is a master-slave relation where a maximum of seven slave nodes connect to a single master, forming a Piconet. These networks are short-lived and are formed in an ad hoc manner, with the node that originates the communication usually becoming the master. Nodes can be in more than one Piconet at a time, thus forming a Scatternet, as shown in Figure 1.

Figure 1: Piconets with a single slave operation (a), a multi-slave operation (b) and a Scatternet operation (c). [1]

Bluetooth operates in the license-free 2.4 GHz ISM radio-frequency band with a range of 10 meters. This can be improved to 100 meters with increased transmission power and receiving sensitivity, but at the cost of power consumption. For a node to be part of a Piconet it has to be within range of the master node.

3.3 Tunnelling

What we want to be able to do is to extend this range by offering “Repeater” nodes that are connected to an IP network. These Repeater nodes would allow two Bluetooth nodes to communicate with each other and belong to the same Piconet even though they are not in the vicinity of each other. This is demonstrated in Figure 2: the Master and Slave-1 are in one location and Slave-2 is in another, distant enough that Slave-2 can not “see” either of the other two nodes. There are Repeater nodes in both locations connected to an IP network backbone; these pick up broadcast Bluetooth packets, encapsulate them and tunnel them over the IP network to the other Repeater, which then broadcasts them as if they were transmitted in the same room.

Figure 2 - Extending Piconet by using tunnelling over IP

4 Goals of Research

4.1 Tunnelling

This project will initially investigate the feasibility of tunnelling Bluetooth network data across an IP-based network by attempting to encapsulate the Bluetooth packets, for example using Generic Routing Encapsulation (GRE) [4]. Subsequently, a means of allowing remote Bluetooth nodes to interact and join up into Piconets as if they were within range will be investigated. Hopefully this can be done without modifying commercially available devices; to what extent this is achievable will be determined. We want this tunnelling to be totally transparent to the Bluetooth nodes, so issues with latency in the tunnelling, and how Repeater nodes can listen on multiple Piconets, will need to be investigated.
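The Repeater exchange described in Sections 3.3 and 4.1, as an added example that is not part of the proposal: one Repeater wraps a captured Bluetooth packet in a GRE header as defined in RFC 2784 [4], and the peer Repeater validates the header and checksum before handing the frame to its radio. The sample frame bytes and the GRE protocol-type value are constructed assumptions; this example assumes no protocol type is assigned for raw Bluetooth baseband packets and uses a placeholder.

```python
# Added example (not from the proposal): GRE (RFC 2784) encapsulation of a captured
# Bluetooth packet at one Repeater and validation/decapsulation at the peer Repeater.
# The frame bytes and GRE_PROTO_BT_PLACEHOLDER below are constructed for illustration.
import struct
from typing import Tuple

GRE_PROTO_BT_PLACEHOLDER = 0xFFFF  # hypothetical protocol type, not an assigned value
SAMPLE_BT_FRAME = b"\x02" + bytes(range(1, 11))  # constructed stand-in for a captured packet

def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement checksum (RFC 1071 style), as GRE's C bit requires."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(bt_frame: bytes, proto: int = GRE_PROTO_BT_PLACEHOLDER) -> bytes:
    """Prefix the frame with a GRE header: C=1, Reserved0=0, Ver=0, protocol, checksum, Reserved1."""
    flags_ver = 0x8000  # C bit set so the receiving Repeater can detect corruption in transit
    header = struct.pack("!HHHH", flags_ver, proto, 0, 0)
    csum = ones_complement_checksum(header + bt_frame)  # covers GRE header and payload
    return struct.pack("!HHHH", flags_ver, proto, csum, 0) + bt_frame

def gre_decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Check the GRE header and return (protocol type, Bluetooth frame); raise ValueError if invalid."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x7C00:  # Reserved0 bits 1-5 must be zero unless RFC 1701/2890 is implemented
        raise ValueError("unsupported GRE header extension")
    header_len = 8 if flags_ver & 0x8000 else 4
    if len(packet) < header_len:
        raise ValueError("truncated GRE header")
    # With a correct checksum in place, the one's complement sum of the whole packet is zero.
    if flags_ver & 0x8000 and ones_complement_checksum(packet) != 0:
        raise ValueError("GRE checksum mismatch")
    return proto, packet[header_len:]

def repeater_relay(tunnel_packet: bytes) -> bytes:
    """What the far-end Repeater would hand to its radio: the frame, only if it is a tunnelled Bluetooth one."""
    proto, frame = gre_decapsulate(tunnel_packet)
    if proto != GRE_PROTO_BT_PLACEHOLDER:
        raise ValueError("not a tunnelled Bluetooth frame")
    return frame
```

A real Repeater would additionally have to authenticate the sending peer; GRE itself carries no authentication, which is the gap Section 4.2 raises.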

4.2 Security

An investigation into the security aspects will also be done, in particular how the security ideology of Bluetooth is affected by breaking the general assumption that Bluetooth devices only communicate over 10m. Issues such as authentication and authorisation to use the tunnels will need to be looked into, and how these can be seamlessly handled, once again without modifying Bluetooth devices.

4.3 Hand Over

Another interesting question is whether there can be handover between the logical Piconet, whose connection is tunnelled over IP, and its “physical” Piconet. Could multiple Repeater nodes be spread through a building, allowing for almost continuous coverage of the virtual Piconet? And how can this traffic be managed so as not to unnecessarily flood every location where there is a Repeater node with all the traffic from all the other Repeater nodes?

5 Research Methodology

The overarching research methodology for this project is one of Experimental Science. This combines both inductive and deductive reasoning and is an iterative process where each step is re-evaluated against certain criteria and the process builds on previous steps.

First and foremost, an examination of the Bluetooth specifications and architecture will have to be made in order to give an overview map of the different layers and how they all fit together and communicate with one another. What needs to be found out is which layers can be communicated with directly, what APIs are available for these layers and how far down the protocol stack they reach. Two Open-Source stacks have been identified as candidates, the Linux stack, BlueZ [7], and the FreeBSD [8] stack, and their source code will be investigated.

We will need to investigate whether it is possible to pick up raw Bluetooth packets from the ether and, more importantly, whether we can inject raw packets back into the ether, along with the prerequisites for doing this, such as matching the Piconet's timing and frequency hops, and spoofing addresses so that packets appear to come from the originating node. We will then implement a basic packet sniffer and packet injector to prove that packets can be picked up at one end and written out at the other.

Once we have raw Bluetooth packets, an appropriate encapsulation method will need to be found for tunnelling the packets across an IP network. A simple system will need to be implemented as a Proof of Concept and tested. Issues identified earlier, such as latency and matching of the hopping pattern, will need to be investigated to see whether our implementation can handle them. Once a working system has been implemented, features can be added and an iterative process of adding features and testing whether they meet requirements can be started.

When a working prototype has been constructed, security will need to be dealt with in some depth, and by this time a thorough knowledge of Bluetooth security as it currently stands will be required. Ways to deal with authorisation and authentication of Bluetooth nodes with the Repeater nodes will be investigated and added to the working implementation.

6 Timeline and Milestones

Departmental milestones are in italics.

6.1 Year 1 (2004)

6.1.1 1st Quarter

  • Comprehensive project proposal and project web page available for feedback.

6.1.2 2nd Quarter

  • Examine the Bluetooth specification document and obtain an understanding of Bluetooth’s architecture and its different protocol layers
  • Investigate what APIs[1] are available and what parts of the protocol layers are accessible with them
  • Find out if raw Bluetooth ‘packets’ are accessible and can be picked off the ‘wire’, and implement a basic packet sniffer to prove this.
  • Comprehensive project progress report available on the project web page for evaluation (progress charted against a time line).
  • Work-in-progress paper submitted for publication (SATNAC, SAICS or similar conference - your supervisor will help you choose a suitable forum).

6.1.3 3rd Quarter

  • Find out if packets can be broadcast with forged headers so as to impersonate other Bluetooth devices. Implement a packet ‘injector’ as a proof of concept.
  • Evaluate different means of encapsulating packets. Implement best choice to carry Bluetooth packets between Repeater devices.
  • Comprehensive project progress report available on the project web page for evaluation (progress charted against a time line), outlining progress since the last report.
  • A public presentation should have been made on the work.

6.1.4 4th Quarter

  • Design and program a “proof of concept” application to connect two Bluetooth devices in the same Piconet through the tunnel.
  • Comprehensive project progress report available on the project web page for evaluation (progress charted against a time line), outlining progress since the last report.
  • Demonstration system available for public viewing.
  • Revised project plan, indicating timeline for completion.
  • Summary of write-up structure.

6.2 Year 2 (2005)

6.2.1 1st Quarter

  • Comprehensive project progress report available on the project web page for evaluation (progress charted against a time line).
  • Full draft of the thesis submitted to the supervisor for comment.

6.2.2 2nd Quarter

  • Thesis submitted for examination.
  • Paper outlining the results of the thesis submitted for publication (SATNAC, SAICS or similar conference - your supervisor will help you choose a suitable forum).

6.2.3 3rd Quarter

  • Paper prepared for a recognised journal, taking into account feedback from the previous publication.
  • Polished demonstration system that can be run from the project web page.

6.2.4 4th Quarter

  • All required corrections completed and all conditions for graduating satisfied.
  • Final project presentation or demonstration system completed.
  • Paper submitted to a recognised journal.

7 Tools Needed

  • Bluetooth enabled PDA
  • 3 or so Bluetooth dongles for the “Repeater devices” and base computer
  • A 2nd computer to act as one of the Repeater devices

8 References

[1] Bluetooth SIG (2003) “Core specification of the Bluetooth Systems”. Version 1.2

[2] Bluetooth SIG (2003) “Personal Area Networking Profile”. Version 1.0

[3] Bluetooth SIG.

[4] Farinacci, Li et al. (2000) “Generic Routing Encapsulation (GRE)”, RFC 2784, ftp://ftp.rfc-editor.org/in-notes/rfc2784.txt

[5] IEEE 802.11b Working Group.

[6] GSM Association, General Packet Radio Service Platform.

[7] BlueZ, Official Linux Bluetooth protocol stack.

[8] FreeBSD, “Bluetooth”, FreeBSD Handbook.

[1] Application Program Interface