WiFi Profiler: Cooperative Diagnosis in Wireless LAN Ayah Zirikly


Authors

Presented at MobiSys 2006 by

• Ranveer Chandra
• Venkata N. Padmanabhan
• Ming Zhang

Microsoft Research

What this paper is presenting:

• A system in which wireless hosts cooperate to diagnose and resolve network problems in an automated manner.

WiFi Profiler

Key observation behind the paper

• If the host is disconnected, it is often in the range of other wireless nodes and is able to communicate with them peer-to-peer, to get access to the information gathered.

Goal of the paper

Creating a shared information plane that enables wireless hosts to exchange a range of information about their network settings.

By aggregating such information across multiple wireless hosts, WiFiProfiler infers the likely cause of the problem.

Differences between WiFiProfiler and previous tools

• Previous tools, like the one we saw in the last paper, are not automated: they still need the network administrator to figure out the problem.

• Do not depend on any special vulnerabilities/characteristics in 802.11

Wireless LAN Architecture

• Wireless Security:
▫ MAC filtering: rejecting packets whose MAC address does not belong to a predefined list.
▫ WEP: key setting configured manually at the AP and the wireless clients.
▫ WPA: key setting configured either automatically using 802.1X or manually (user enters a passphrase).

• DHCP:
▫ In addition to giving the client an IP address, it provides other configuration information, like the IP addresses of the gateway and the LDNS server.

• Firewall:
▫ Port blocking.
▫ Others…

• Application-level proxies.

Causes of Network Problems

[Diagram labels: No AP detected; Location/distance; HW or SW config.]

Causes of Network Problems

No AP detected

The client is not receiving the broadcast beacons.

Reasons:

• Out of range.
• Channel noise.
• HW/SW incompatibility.

[Diagram labels: No AP detected, Location/distance, HW or SW config.; No association, Authentication; No IP address, DHCP server]

Causes of Network Problems

No association with the AP

• AP is malfunctioning.
• Client does not have a good consistent signal.
• Inappropriate MAC address (MAC filtering).
• Software incompatibilities (outdated driver).
• Hardware incompatibilities (wireless cards).
• Wrong WEP key, or WPA authentication.
• Other security related issues.


Causes of Network Problems

Inability to obtain an IP address

• Client side
▫ Wrong key (WEP/WPA).
▫ Wrong MAC.
▫ Configuration problem.

• AP side
▫ Wired interface is malfunctioning or disconnected.

• DHCP side
▫ IP address pool exhausted.
▫ Server being down.

Causes of Network Problems

End-to-End communication failure

• DNS resolution failure:
▫ Incorrect local DNS server settings.
▫ Failure in the DNS infrastructure.

• Firewall might selectively block communication.
▫ Common FW ports not open.

• The use of application proxies.
▫ Proxy server down.
▫ Inappropriate client proxy settings.

• Disconnected wireless LAN.
▫ Equipment malfunction.
▫ Equipment failure.

Causes of Network Problems

Poor performance

• Lossy wireless link due to:
▫ Weak signal.
▫ Noise.

• Network congestion (wireless medium or WAN):
▫ Too many legitimate users consuming network resources.
▫ Misbehaving users.
▫ Combination of both…

Examples of the shared information plane

• Whether or not a host is able to connect to a certain wireless network or AP.

• Whether or not it is able to obtain an IP address.

• Whether it is experiencing poor performance.

Architecture of WiFi Profiler

•Components of WiFi Profiler:

Sensing

Communication

Diagnosis

Design and Implementation of WiFiProfiler

• Sensing: Make local observations of network configurations and health at the individual wireless clients.

• Communication: Enable peer-to-peer communication among wireless hosts within range.

• Diagnosis: Infer the likely causes of the problems experienced by clients and possible steps for resolution.

Sensing

Mission:

Make passive observations of the network health and network configuration information at the individual wireless clients.

Sensing

• Wireless layer

Wireless (HW/SW) configuration information (static information):

▫ NIC model.
▫ NIC name.
▫ Driver version.

Sensing Wireless Layer

Security settings information:

▫ Security protocol: WEP/WPA key used for authentication and/or encryption.
▫ To avoid exposing the key, only a one-way hash of this information is shared.

Sensing Wireless Layer

• Information about the state of the wireless channel:

▫ Beacon loss rate (BLR): based on the number of beacon frames that are not received at a client.
▫ Loss rate of client broadcast UDP beacons (since some drivers do not compute BLR).
▫ Interface queue length: sampling the packet queue length at the wireless interface on a continual basis. Indicator of the wireless congestion.

Sensing

• Network layer:

Dynamic information concerns:

▫ IP address/subnet/mask: the IP address, subnet, and netmask corresponding to the wireless interface.
▫ IP mode: whether the client’s IP address is assigned statically or obtained dynamically using DHCP.
▫ DHCP information: the IP address of the DHCP server that leased the address and when the lease happened.
▫ LDNS information: the IP address(es) of the local DNS server(s).

• Transport layer:

Learn about the E2E network connectivity over the wide-area network, which can be affected by firewalls or by congestion/disconnection of the WAN link.

Information obtained (dynamic information):

▫ Failed connection attempts: number of connection attempts and failed attempts.
▫ Packet retransmission: number of retransmitted TCP segments.
▫ Server port numbers with successful TCP connections: successful connections on certain server port numbers (if not, a firewall might be blocking access).

Sensing

• Protocol state example:

[Figure: TCP connection state diagrams (states Start, SYN-SENT, Established, Time-wait; transitions labelled SYN-ACK and time-out) in three panels: Successful Connection, Connection failed, Port blocking.]

Sensing

• Summarizing sensing information: needed to reduce the overhead of sharing with peers.

▫ Configuration information (NIC type, etc.): values from the recent snapshots.

▫ Dynamic information: compute an aggregate (average or threshold) metric over:
  ▫ 60 seconds for wireless-related information.
  ▫ 300 seconds for TCP-related information.

▫ BSSID list, SSID list: union of the distinct values of the sets.

Sensing

• Enables a wireless client having problems (the “requester”) to obtain information from its peers (the “responders”).

• Challenges observed:
▫ Requester and responders are not in the same network.
▫ Requester is disconnected.

• Requires responder to disconnect from its current network.

• WiFiProfiler framework enables exchanging information without the need of disconnecting the responder from its network.

• Key observation:
▫ Disconnected node can initiate an ad hoc (AH) network with the responders.
▫ Responder can connect to the requester’s AH network without disconnecting from its network.

Communication

Can be accomplished using two NICs or virtualWiFi

• Each client using WiFiProfiler has two adapters:

▫ Primary adapter: Used for its normal communication.

▫ Helper adapter: Used to exchange information with peers.

Communication

• Communication protocol

▫ Initialize Requester: The client activates the helper network adapter.

▫ Start AH Network: Started over the helper network adapter, with the appropriate SSID and IP address.

▫ Initialize Responder: Parses the SSID field to see if it corresponds to a requester. If so, it activates its helper adapter.

▫ Join Network, Send Response: Sets up a socket connection with the corresponding IP address and port number, then starts sending information to the requester.

▫ Stop Responder: After sending responses, closes the socket connection and stops the helper adapter.

▫ Stop Requester: After a sufficient number of responses, shuts down the socket and stops the helper adapter.

Communication protocol steps using VirtualWiFi:

▫ Requester activates its helper adapter and configures it with the help SSID.

▫ The responder, after detecting the “Help” request, activates its helper adapter.

▫ VirtualWiFi switches the physical card across the primary and helper adapter.

▫ Responder stops VirtualWiFi (unbind helper adapter after sending responses).

▫ Requester activates its primary adapter to stop the AH network.

Complete within a few milliseconds.

Communication

Communication protocol steps using two NICs:

▫ WiFiProfiler assigns static IP address to the helper adapter.
▫ Requester activates its helper adapter.
▫ Primary adapter scans the channels for the requester’s beacons.
▫ Responder activates its helper adapter when detecting a requester.
▫ The helper adapter scans the channels to locate the requester’s network.
▫ Responder joins AH network.
▫ The responder disables its helper adapter after sending responses.

Communication

• Optimization to keep the overhead on the responder low:

▫ Summarizing the sensing information in 1200 bytes to fit into a single packet (keep the protocol as simple as possible).

▫ Using UDP for the responses, giving the responder the ability to send a single packet and then leave the AH network.

▫ Limit the responding rate for help to provide protection from malicious users.

▫ Responders wait for a random time before joining the AH network and responding (useful in the case of a large number of potential responders).

▫ Responders can cache recently sent responses to send them to current requesters.

Communication

• Based on the information gathered from the peer nodes.

Inability to detect an AP:

Reasons:

• No AP in its vicinity.
• Beacons are not detected at the current location.
• HW/SW incompatibility between the client and AP.
• Client wireless NIC is not working.

Diagnosis

Diagnosing steps:

• If the client does not hear from any peers, it is because:
▫ No WiFiProfiler-enabled peer is in its vicinity.
▫ NIC is not working.

• If a peer with the same NIC type and driver version is able to receive beacons, the client's current location is the cause.

• If all the peers have the same NIC type but a different driver version, the NIC driver version or the client's current location is the cause.

• If all the peers have different NIC types, the client NIC type, NIC driver version, or current location is the cause.

Resolution of the problem:

User action: changing NICs, installing a new driver, or changing location.

Diagnosis Inability to detect AP

Inability to associate with AP:

Reasons:

• AP uses security mechanisms like MAC filtering, WEP, WPA.
• Weak wireless link at the client’s current location.
• Incompatibility between the NIC type or driver and the AP hardware.
• AP malfunction.

Diagnosis

Diagnosing steps:

• If the client's authentication configuration does not match that of the successfully associated peers (incorrect key), configuration information is missing/wrong.

• If the client has a higher BLR/lower RSSI than its successfully associated peers, the link is weak due to the client's current location.

• If a peer with the same NIC type and driver version is able to associate, MAC filtering is applied at the AP.

Resolution of the problem:

User action: changing authentication key/passphrase, location, NICs, or installing a new driver.

Operator action: adding NIC MAC address to the MAC filter list.

Diagnosis Inability to associate with AP
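The association diagnosing steps above, together with the one-way hash of the key described under the wireless-layer security settings, written out as an added example (not code from the slides or from WiFiProfiler). The `Report` fields, the use of SHA-256 and the choice to apply the MAC-filtering step only after the other two are ruled out are assumptions.

```python
import hashlib
from dataclasses import dataclass

def key_fingerprint(key: bytes) -> str:
    """One-way hash shared in place of the WEP/WPA key (SHA-256 assumed)."""
    # Peers can only test equality; the hash is as hard to reverse as the
    # key is hard to guess.
    return hashlib.sha256(key).hexdigest()

@dataclass
class Report:              # hypothetical summary of one host's sensing data
    nic: str
    driver: str
    key_hash: str
    rssi_dbm: float
    blr: float             # beacon loss rate, 0.0 to 1.0
    associated: bool

def diagnose_association(client, peers):
    """Apply the three diagnosing steps to a client that failed to associate."""
    ok = [p for p in peers if p.associated]
    if not ok:
        return ["no associated peer to compare against"]
    causes = []
    # Step 1: authentication configuration matches no associated peer.
    if all(p.key_hash != client.key_hash for p in ok):
        causes.append("configuration information missing/wrong (incorrect key)")
    # Step 2: higher BLR or lower RSSI than every associated peer.
    worse_blr = client.blr > max(p.blr for p in ok)
    worse_rssi = client.rssi_dbm < min(p.rssi_dbm for p in ok)
    if worse_blr or worse_rssi:
        causes.append("weak link due to client's current location")
    # Step 3, applied only when steps 1 and 2 found nothing (ordering assumed):
    # a peer with the same NIC type and driver version did associate.
    same_hw = any((p.nic, p.driver) == (client.nic, client.driver) for p in ok)
    if not causes and same_hw:
        causes.append("MAC filtering applied at the AP")
    return causes

# Constructed sample reports, not measurements from the paper.
GOOD_KEY = key_fingerprint(b"constructed-key")
PEERS = [
    Report("nicA", "1.2", GOOD_KEY, -58.0, 0.01, True),
    Report("nicB", "3.0", GOOD_KEY, -66.0, 0.02, True),
]
FILTERED = Report("nicA", "1.2", GOOD_KEY, -60.0, 0.015, False)
print(diagnose_association(FILTERED, PEERS))
```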

Inability to obtain IP address:

Reasons:

• Incorrect WEP key that prevents communication with AP.
• AP hardware malfunctioning or disconnections that prevent the AP from communicating with the DHCP server.
• DHCP is down or out of addresses and is not responding to the requests.

Diagnosis

Diagnosing steps:

• If the client's WEP encryption key does not match that of its successfully associated peers, configuration information is missing/wrong.

• If one or more peers are successfully associated but did not obtain an IP address, there is a DHCP server or general connectivity problem.

• If at least one peer established successful wide-area communication, there is a failure or address exhaustion at the DHCP server.

Resolution of the problem:

User action: changing authentication key/passphrase, location, NICs, or installing a new driver.

Operator action: resolve DHCP server problem or hardware disconnection problem.

Diagnosis Inability to obtain IP address

End-to-End Communication Failure:

Reasons:

• DNS resolution failure:
▫ Incorrect local DNS server setting.
▫ LDNS server is down or unreachable.
▫ General problem with DNS that is not specific to the local wireless network.

• E2E connectivity problems:
▫ Incorrect application proxy setting.
▫ Application proxy is down or disconnected.
▫ Firewall blocking access.
▫ Connectivity problem between the wireless LAN and the wide-area network.

Diagnosis

DNS resolution failure:

Diagnosing steps:

• If a peer with a different LDNS setting reports a high success rate while no peer with the same LDNS setting reports it, the LDNS server setting is incorrect.

• If all peers report a high failure rate for DNS resolution, with no response from the server, the LDNS server is down or unreachable.

• Otherwise, it is a general DNS problem: misconfiguration or WAN connectivity issues.

Resolution of the problem:

User action: changing the client’s LDNS setting.

Otherwise, operator intervention needed.

Diagnosis E2E communication failure

E2E connectivity problem:

Diagnosing steps:

• If the client and its peers have failed communication on certain ports and successful communication on others, a firewall is blocking communication (port-based).

• If one peer has successful communication on a problematic port of the server, the cause is an unreachable remote host or a firewall blocking based on other criteria.

• If no peer reports successful E2E communication, there is a connectivity problem between the WLAN and the wide-area network.

Resolution of the problem:

User action: changing proxy setting.

Otherwise, operator intervention needed.

Diagnosis E2E communication failure
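The E2E connectivity steps above, combined with the transport-layer sensing summary (per-server-port connection outcomes aggregated over the 300-second TCP window), as an added example that is not code from the slides or from WiFiProfiler. The event tuples, function names and the "inconclusive" outcome are assumptions; the sample events are constructed.

```python
from collections import defaultdict

TCP_WINDOW_S = 300  # aggregation window the page gives for TCP-related information

def summarize(events, now, window=TCP_WINDOW_S):
    """events: (timestamp_s, server_port, connected) tuples seen by one host.
    Returns {server_port: [successful, failed]} for the last `window` seconds."""
    counts = defaultdict(lambda: [0, 0])
    for ts, port, connected in events:
        if now - window <= ts <= now:
            counts[port][0 if connected else 1] += 1
    return dict(counts)

def succeeded(summary, port=None):
    """True if the host completed a connection on `port` (any port if None)."""
    ports = list(summary) if port is None else [port]
    return any(summary.get(p, [0, 0])[0] > 0 for p in ports)

def failed(summary, port):
    """True if the host had at least one failed attempt on `port`."""
    return summary.get(port, [0, 0])[1] > 0

def diagnose_e2e(client, peers, port):
    """Classify a server port on which the client's connections fail."""
    if not any(succeeded(p) for p in peers):
        return "connectivity problem between WLAN and wide-area network"
    if any(succeeded(p, port) for p in peers):
        return "unreachable remote host or firewall blocking on other criteria"
    # Nobody got through on `port`, yet some peer got through on another port.
    if failed(client, port) and any(failed(p, port) for p in peers):
        return "firewall blocking communication (port-based)"
    return "inconclusive"  # no peer has tried this port in the window

# Constructed events (timestamps in seconds), not data from the paper.
NOW = 1000
CLIENT = summarize([(100, 25, True), (900, 443, True), (950, 25, False)], NOW)
PEER_A = summarize([(800, 80, True), (820, 25, False)], NOW)
PEER_B = summarize([(990, 443, True)], NOW)
print(diagnose_e2e(CLIENT, [PEER_A, PEER_B], 25))
```

The first client event is older than the window and is dropped, so a connection that worked before the block took effect does not mask the failure.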

Poor performance:

Reasons:

• Client’s weak wireless link.
• Wireless medium is congested.
• WAN problem (congestion or routing problem).

Diagnosis

Diagnosing steps:

• If the client’s number of beacons is a lot lower than the highest value reported, the wireless link to the client is weak.

• If more than one peer reports persistent queuing but weak wireless network, the wireless medium is congested.

Resolution of the problem:

User action: changing location or switching to a less congested AP or network.

Otherwise, operator intervention needed.

Diagnosis poor performance

Problems can evolve

Possibility of conflicting information.

For example, of two peers with identical NIC type and driver version, one reports association success and the other failure. These two will be ruled out by the requester.

Evaluation Evaluation of sensing

• Sensing the quality of the wireless link:
▫ Examine the relationship between RSSI and BLR:
  ▫ Place a client at 6 different locations at increasing distance from the AP.
  ▫ Notice that BLR exceeds 5% when the RSSI is less than -80 dBm.
  ▫ -80 dBm can be a threshold for the lossiness of the wireless link.

Evaluation Evaluation of sensing

• Sensing the quality of the wireless link:
▫ TCP throughput:
  ▫ Throughput drops when the BLR exceeds 5%.
  ▫ Consistent with the threshold concluded to indicate the lossiness of the wireless link.

Evaluation Evaluation of sensing

• Overhead of sensing:
▫ Sensing is an ongoing process in WiFiProfiler (to reduce diagnosis latency), so low overhead (in terms of CPU and network performance) is critical.
▫ WiFiProfiler sensing component uses under 1% of the CPU (even on 1.33 GHz).
▫ No measurable impact on network performance.

Evaluation Evaluation of communication

• Impact of Providing Help on the Responder:

▫ Case study: responder is in the middle of downloading something (worst case).

▫ How does providing help affect the download time? Studying the impact in three different cases:
  ▫ Responder uses two NICs (download time unaffected).
  ▫ Responder uses VirtualWiFi and the AP implements 802.11 PSM, to ensure no packet loss when switching (longer delay).
  ▫ Responder uses VirtualWiFi but the AP does not implement PSM (longest delay).

▫ The delay on the download time: 500 ms for small downloads, 2-3 seconds for large downloads.

Evaluation Evaluation of communication

End-to-End latency of the communication protocol:

Time taken at each of the protocol steps:

▫ Initializing and stopping the requester requires enabling and disabling the helper adapter (few seconds).
▫ Time responder takes to detect the requester AH network (18 seconds).
▫ Time responder takes to enable its helper adapter (5 seconds).
▫ Time taken by helper adapter to scan the requester AH network, by the responder to join the AH, and by responder and requester to initialize their network stacks (32 seconds).

Evaluation Evaluation of communication

Best results (less time taken) when both requester and responder use VirtualWiFi.

Still the biggest overhead is the time to receive data.

Evaluation Evaluation of diagnosing

The faults and how WiFiProfiler was able to diagnose them.

Faults:

• No beacon.
• MAC filtering.
• Incorrect WEP key for authentication/encryption.
• DHCP problem.
• Port blocking.
• Wireless congestion.

They claim that WiFiProfiler is effective in giving the right diagnosis in less than 40 seconds, even in the situation of multiple simultaneous problems.

Security Issues

DoS attacks:

• By clients pretending to be in trouble:
▫ Limiting the frequency with which a client will help its peers.

• By clients misleading their peers by reporting fake information:
▫ Reporting diagnosis based on information collected from a large number of peers.

• Leaking sensitive information:
▫ One-way hash of the key to protect against revealing the WEP key.
▫ Future work: try to share the bare minimum information needed.
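The responder-side safeguards from the communication optimizations and from the DoS item above (single-packet summary of at most 1200 bytes, limited help rate, random wait before responding, cached responses), as an added example that is not code from the slides or from WiFiProfiler. The JSON encoding, the `bssids` field name and all timing values are assumptions; only the 1200-byte limit comes from the page.

```python
import json
import random

MAX_SUMMARY_BYTES = 1200  # page: the summary must fit into a single packet

def encode_summary(summary):
    """Serialize a summary, trimming the BSSID list (the field assumed here
    to be variable-length) until it fits one UDP datagram."""
    trimmed = dict(summary, bssids=list(summary.get("bssids", [])))
    while True:
        data = json.dumps(trimmed, separators=(",", ":")).encode()
        if len(data) <= MAX_SUMMARY_BYTES:
            return data
        if not trimmed["bssids"]:
            raise ValueError("summary does not fit into one packet")
        trimmed["bssids"].pop()

class Responder:
    """Decides whether and when to answer a help request."""

    def __init__(self, min_interval_s=10.0, max_wait_s=5.0,
                 cache_ttl_s=120.0, rng=random.random):
        self.min_interval_s = min_interval_s  # rate limit (assumed value)
        self.max_wait_s = max_wait_s          # random-wait bound (assumed value)
        self.cache_ttl_s = cache_ttl_s        # cache lifetime (assumed value)
        self.rng = rng
        self.last_help = None
        self.cache = None                     # (built_at, payload)

    def on_help_request(self, now, build_summary):
        """Return (wait_s, payload) to send after wait_s, or None to ignore."""
        recent = self.last_help is not None
        if recent and now - self.last_help < self.min_interval_s:
            return None  # helped too recently: bounds the cost of fake requests
        if self.cache is None or now - self.cache[0] > self.cache_ttl_s:
            self.cache = (now, encode_summary(build_summary()))
        self.last_help = now
        return self.rng() * self.max_wait_s, self.cache[1]
```

The payload returned by `on_help_request` is what the responder would send as one UDP datagram before leaving the AH network.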