Jigsaw: Solving the Puzzle of Enterprise 802.11 Analysis
Written by Yu-Chung Cheng, John Bellardo, Peter Benko, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage
Analysis by Carlos Troncoso
CS388 Wireless Security
February 28, 2008
Common problems in production Wireless Networks
Conflicts with nearby wireless devices
Bad AP channel assignments
Microwave oven interference
Bad interaction between TCP and 802.11
Rogue access point interference
Poor choice of APs (weak signal)
Incompatible user software/hardware

Sounds Familiar?
Helpdesk receives a phone call…
User: “…my Internet connection is flaky…”
Support: “What happened?…”
User: “Well Internet got disconnected and now it is very slow…”
Support: “OK, let me check here…”
User: “Wait!..wait…it’s working now….”

Goal of Jigsaw
To develop a deeper understanding of the dynamics and interactions in production wireless networks by reconstructing their behavior in its entirety.

Jigsaw
Provides a single, unified view of all physical, link, network, and transport-layer activity on an 802.11 production network.

Wireless traffic measurement challenges:
Ambient environmental interference
Sender’s transmit power
Distance to the receiver
Strength of any simultaneous transmissions on nearby channels heard by the same receiver
MAC (Media Access Control) protocol
Traffic is based on the TCP protocol, which carries a set of complex dynamics

Methodology
Large-scale monitoring infrastructure deploying hundreds of radio monitors to gather traffic activity over the Wireless network (covering around 1 million cubic feet)
These monitors feed the centralized system Jigsaw to produce a precise global picture of the network activity.

Methodology (continued)
Large-scale Synchronization: achieved through a passive algorithm that synchronizes the hundreds of simultaneous traces
Frame Unification: achieved by combining and merging duplicate traces to construct a single trace
Multi-Layer Reconstruction: achieved by reconstructing raw frame data into a complete trace with all link and transport-layer conversations.

Media Access Control
The 802.11 protocol uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) to schedule and retry transmissions
CSMA/CA has the hidden node problem

Hidden Node problem
Creates co-channel interference from other transmitters
Finding: CSMA/CA uses special RTS/CTS (Request to Send/Clear to Send) frames to handle this problem
Hidden nodes are handled by Jigsaw (with exceptions)
Figure (nodes A, Laptop, B): A sends data and Laptop sends an ACK. Hidden Node: A sends data, Laptop’s reception is interfered with by B.

Previous Related Work
Previous research measured traffic using fewer monitoring nodes
Previous efforts focused on separate channels, or on a small number of traces
The Jigsaw approach focuses on large-scale online monitoring and complete multi-layer reconstruction.

Data Collection
Environment
Hardware
Software
Department of Computer Science and Engineering
University of California, San Diego

Environment
Study was done at the University’s CS building
4-story building
500 users with 10 to 100 active client connections

Hardware
2.8 GHz Pentium Server with 2 TB of Storage
40 sensor pods used for wireless infrastructure
4 radios in each sensor pod to capture all channels, timestamp, errors, etc.

Software
Pebble Linux and MadWifi driver for each monitor
Driver modified to capture even corrupted frames and physical errors
Jigdump application to manage data capture

Trace Merging
Trace merging is necessary to produce a coherent description of combined traces.

Trace Merging Requirements
Synchronization: monitors timestamps by properly synchronizing all frames to a common reference time
Unification: minimizes duplicate traces
Efficiency: trace merging executes faster than real time radios

Bootstrap synchronization
Method finds a set of reference points to synchronize the radios
All clocks run at the same rate, and the Jigsaw system places each frame into a universal time by adjusting its timestamp
Methodology allows frames on one channel to be related to timestamps on another

Unification
After bootstrap synchronization, Jigsaw processes traces by time and unifies duplicate frames (instances) into single data structures called jframes

Jigsaw trace: jframe
Figure: jframes by monitor over time. Legend: received frames; received, with error; corrupted data. Traces synchronized.

Unification (continued)
Basic unification: a linear scan is performed to group instances with the same timestamp
Clock adjustment: because radio clocks skew over time, Jigsaw takes advantage of the unification method and resynchronizes each trace
Managing skew and drift: if sensors do not detect frames in common, then Jigsaw relies on the local clock of the radio sensor to assign a timestamp
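
An added example, not code from the slides or from the Jigsaw project: one way to implement bootstrap synchronization followed by unification with clock adjustment, as the slides above describe them. The trace format, function names, the 10 µs window and the median rule are assumptions.

```python
from collections import defaultdict, deque
from itertools import permutations
from statistics import median

# Constructed sample: radio -> [(local_clock_us, frame_body)]; B's clock drifts.
TRACES = {
    "A": [(1000, "beacon-1"), (2300, "ack-1"), (500000, "data-2"),
          (1000000, "data-3"), (1500000, "data-4")],
    "B": [(8000, "beacon-1"), (9000, "data-1"), (9300, "ack-1"),
          (507004, "data-2"), (1007008, "data-3"), (1507012, "data-4")],
    "C": [(42000, "data-1"), (42300, "ack-1"), (1540000, "data-4")],
}

def bootstrap_offsets(traces, root):
    """Return {radio: offset} such that local_ts + offset is on the root radio's clock."""
    heard = defaultdict(list)                      # body -> [(radio, local_ts)]
    for radio, frames in traces.items():
        for ts, body in frames:
            heard[body].append((radio, ts))
    links = defaultdict(dict)                      # links[r1][r2] maps r2's clock onto r1's
    for seen in heard.values():
        if len({r for r, _ in seen}) < len(seen):
            continue                               # body repeated on one radio: ambiguous
        for (r1, t1), (r2, t2) in permutations(seen, 2):
            links[r1].setdefault(r2, t1 - t2)      # first shared frame is the reference
    offsets, queue = {root: 0}, deque([root])
    while queue:                                   # spread sync outward from the root
        r = queue.popleft()
        for peer, delta in links[r].items():
            if peer not in offsets:
                offsets[peer] = offsets[r] + delta
                queue.append(peer)
    return offsets

def unify(traces, offsets, window_us=10, resync=True):
    """Scan the head of every trace in time order; equal bodies within window_us form one jframe."""
    offsets, heads, jframes = dict(offsets), {r: 0 for r in offsets}, []
    now = lambda r: traces[r][heads[r]][0] + offsets[r]
    while live := [r for r in heads if heads[r] < len(traces[r])]:
        first = min(live, key=now)
        t0, body = now(first), traces[first][heads[first]][1]
        inst = {r: now(r) for r in live
                if traces[r][heads[r]][1] == body and now(r) - t0 <= window_us}
        t = median(inst.values())                  # assumed rule: jframe time = median instance
        for r, seen_at in inst.items():
            offsets[r] += (t - seen_at) if resync else 0   # clock adjustment per jframe
            heads[r] += 1
        jframes.append({"time": t, "body": body, "radios": sorted(inst)})
    return jframes
```

With resync=False the drift on radio B pushes its copy of data-4 outside the window, so the same frame is reported twice; with resynchronization on every shared jframe it stays a single jframe.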

Link and transport reconstruction
After constructing a global view of the physical events, the next step is to reconstruct the link and transport layer traffic.

Link-Layer inference L2
Jigsaw identifies each transmission attempt from the sender and records subsequent responses
MAC addresses are used to group frames to check whether transmission requests are being delivered successfully or not
Jigsaw uses the frame sequence number to reference groups of frames, but also deduces the presence of missing frames based on subsequent behavior of sender and receiver
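
An added example, not code from the slides or from the Jigsaw project: grouping unified frames into frame exchanges by sender MAC and sequence number, counting transmission attempts, and inferring a missing DATA frame from an ACK that answers nothing the monitors captured. The tuple layout, station names, ACK_GAP_US and the assumption that time_us marks the end of each frame are hypothetical.

```python
ACK_GAP_US = 60  # assumed upper bound between a DATA jframe and its ACK

# Constructed unified trace: (time_us, kind, transmitter, receiver, seq, retry).
# 802.11 ACK frames carry only a receiver address, so transmitter and seq are None.
JFRAMES = [
    (1000, "DATA", "sta1", "ap", 10, False),
    (1050, "ACK", None, "sta1", None, None),
    (3000, "DATA", "sta1", "ap", 11, False),   # no ACK observed ...
    (3400, "DATA", "sta1", "ap", 11, True),    # ... so sta1 retransmits seq 11
    (3450, "ACK", None, "sta1", None, None),
    (6050, "ACK", None, "sta2", None, None),   # ACK with no DATA seen from sta2
]

def new_exchange(sender, receiver, seq, inferred=False):
    return {"sender": sender, "receiver": receiver, "seq": seq,
            "attempts": 0, "acked": False, "inferred": inferred}

def reconstruct_exchanges(jframes):
    """Group jframes into frame exchanges keyed by sender MAC and sequence number."""
    exchanges, current, last_data = [], {}, None   # current: sender -> open exchange
    for t, kind, tx, rx, seq, retry in jframes:
        if kind == "DATA":
            ex = current.get(tx)
            is_retry = ex and retry and ex["seq"] == seq and not ex["acked"]
            if not is_retry:                       # new sequence number: new exchange
                ex = current[tx] = new_exchange(tx, rx, seq)
                exchanges.append(ex)
            ex["attempts"] += 1
            last_data = (t, tx)
        elif kind == "ACK":
            if last_data and last_data[1] == rx and t - last_data[0] <= ACK_GAP_US:
                current[rx]["acked"] = True        # response to the attempt just seen
            else:                                  # the acknowledged DATA was never captured
                ex = new_exchange(rx, None, None, inferred=True)
                ex["attempts"], ex["acked"] = 1, True
                exchanges.append(ex)
            last_data = None
    return exchanges
```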

Transport inference L4
The transport analysis takes frame exchanges as input and reconstructs TCP flows based on the packet headers
By capturing TCP ACKs, Jigsaw can record even the omitted frames shown in the packet

Coverage
Obtaining effective coverage for all transmissions is an evident challenge
Monitors need to be precisely placed and properly configured to capture ALL data
97% of traffic was covered in this Jigsaw implementation

Analysis
Global perspective provided by the distributed monitors
Trace summary
Interference
802.11g protection mode
TCP loss rate inference

Trace Summary
High level characteristics of trace by collecting traffic from active APs
Average of three observations made for every frame in the network
Finding: management traffic (beacon, ARP) consumes 10% of the channel at a given time

Interference
Simultaneous transmission that causes frame loss
Red color shows an example of physical interference caused by a Microwave oven
Instantly detects and tags interference

802.11g Protection mode
Protection policy is extremely conservative
Reduces performance
Should only be used when 802.11b is present

TCP loss rate inference
The TCP reconstruction algorithm is used to assemble all flows that complete a handshake.
TCP loss is dominant over physical traffic

Present
Jigsaw is an attempt to attain a high level of detailed analysis
Jigsaw unifies traces from multiple passive wireless monitors to reconstruct a global view of network activity
Jigsaw is only the building block to answer the questions
Why is the network malfunctioning?
How do I fix it?

Future
Real-time system for automated detection and evaluation of poor network performance
Identifies problem flows and isolates potential causes of poor performance