330 likes | 469 Vues
Jigsaw: Solving the Puzzle of Enterprise 802.11 Analysis. Written by Yu-Chung Cheng, John Bellardo, Peter Benko, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage. Analysis by Carlos Troncoso CS388 Wireless Security. Common problems in production Wireless Networks.
E N D
Jigsaw: Solving the Puzzle of Enterprise 802.11 Analysis Written by Yu-Chung Cheng, John Bellardo, Peter Benko, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage Analysis by Carlos Troncoso CS388 Wireless Security
Common problems in production Wireless Networks • Conflicts with nearby wireless devices • Bad AP channel assignments • Microwave ovens interference • Bad interaction between TCP and 802.11 • Rogue access points interference • Poor choice of APs (weak signal) • Incompatible user software/hardware
Sounds Familiar? Helpdesk receives a phone call… • User: “…my Internet connection is flaky… ” • Support: “What happened?…” • User: “Well Internet got disconnected and now it is very slow…” • Support:“OK, let me check here…” • User: “Wait!..wait…it’s working now….”
Goal of Jigsaw To develop a deeper understanding of the dynamics and interactions in production wireless networks by reconstructing their behavior in its entirety.
Jigsaw Provides a single, unified view of all physical, link, network, and transport-layer activity on a 802.11 production network.
Wireless traffic measure challenges: • Ambient environmental interference • Sender’s transmit power • Distance to the receiver • Strength of any simultaneous transmissions on nearby channels heard by the same receiver • MAC (Media Access Control) protocol • Traffic is based on TCP protocol that carries a set of complex dynamics
Methodology • Large-scale monitoring infrastructure deploying hundreds of radio monitors to gather traffic activity over the Wireless network (covering around 1million cubic feet) • These monitors feed the centralized system Jigsaw to produce a precise global picture of the network activity.
Methodology (continued) • Large-scale Synchronization: achieved through a passive algorithm that synchronizes the hundreds of simultaneous traces • Frame Unification: achieved by combining and merging duplicate traces to construct a single trace • Multi-Layer Reconstruction: achieved by reconstructing raw frame data into a complete trace with all link and transport-layer conversations.
Media Access Control • 802.11 protocol uses the CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) to schedule and retry transmissions • CSMA/CA has the hidden node problem
Hidden Node problem • Creates co-channel interference from other transmitters • Finding: • CSMA/CA uses special RTS/CTS (Request to Send/Clear to Send) frames to handle this problem • Hidden nodes are handled by Jigsaw (with exceptions) B ? Laptop A Hidden Node:A sends data, Laptop‘s reception is interfered by B A sends data and Laptop sends an ACK
Previous Related Work • Researches measured traffic using less monitoring nodes • Previous efforts focused on separate channels, or focused on small number of traces • The Jigsaw approach focuses on large-scale online monitoring and complete multi-layer reconstruction.
Data Collection • Environment • Hardware • Software Department of Computer Science and Engineering University of California, San Diego
Environment • Study was done at the University’s CS building • 4 story building • 500 users with 10 to 100 active client connections
Hardware • 2.8 GHz Pentium Server with 2 TB of Storage • 40 sensor pods used for wireless infrastructure • 4 radios in each sensor pod to capture all channels, timestamp, errors, etc.
Software • Pebble Linux and MadWifi driver for each monitor • Driver modified to capture even corrupted frames and physical errors • Jigdump application to manage data capture
Trace Merging Trace merging is necessary to produce a coherent description of combined traces.
Trace Merging Requirements • Synchronization: monitors timestamps by properly synchronizing all frames to a common reference time • Unification: minimizes duplicate traces • Efficiency: trace merging executes faster than real time radios
Bootstrap synchronization • Method finds set of reference points to synchronize the radios • All clocks run at the same rate and Jigsaw system places each frame into a universal time by adjusting its timestamp • Methodology allows frames on one channel to be related to timestamps on another
Unification After bootstrap synchronization, Jigsaw processes traces by time and unifies duplicate frames (instances) into single data structures called jframes
Monitors Received frames Traces synchronized Received, with error Corrupted data Time Jigsaw trace: jframe
Unification (continued) • Basic unification: a linear scan is performed to group instances with the same timestamp • Clock adjustment: because radio clock’s skew over time, jigsaw takes advantage of the unification method and resynchronizes each trace • Managing skew and drift: if sensors do not detect frames in common, then jigsaw relies in the local clock of the radio sensor to assign a timestamp
Link and transport reconstruction After constructing a global view of the physical events, the next step is to reconstruct the link and transport layer traffic.
Link-Layer inference L2 • Jigsaw identifies each transmission attempt from the sender and records subsequent responses • MAC address are used to group frames to check whether transmission requests are being delivered successfully or not • Jigsaw uses frame sequence number to reference groups of frames, but also deduces the presence of missing frames based on subsequent behavior of sender and receiver
Transport inference L4 • The transport analysis takes frame exchanges as input and reconstructs TCP flows based on the packet headers • By capturing TCP ACKs, Jigsaw can record even the omitted frames shown in the packet
Coverage • Obtaining effective coverage for all transmissions is an evident challenge • Monitors need to be precisely placed and properly configured to capture ALL data • 97% of traffic was covered in this Jigsaw implementation
Analysis Global perspective provided by the distributed monitors • Trace summary • Interference • 802.11g protection mode • TCP loss rate inference
Trace Summary • High level characteristics of trace by collecting traffic from active APs • Average of three observations made for every frame in the network • Finding: management traffic (beacon, ARP) consumes 10% of the channel at a given time
Interference Simultaneous transmission that causes frame loss Red color shows an example of physical interference caused by a Microwave oven Instantly detects and tags interference
802.11g Protection mode • Protection policy is extremely conservative • Reduces performance • Should only be used when 802.11b is present
TCP loss rate inference • The TCP reconstruction algorithm is used to assemble all flows that complete a handshake. • TCP loss is dominant over physical traffic
Present • Jigsaw is an attempt to attain a high level of detailed analysis • Jigsaw unifies traces from multiple passive wireless monitors to reconstruct a global view of network activity • Jigsaw is only the building block to answer the questions • Why is the network malfunctioning? • How do I fix it?
Future • Real-time system for automated detection and evaluation of poor network performance • Identifies problem flows and isolates potential causes of poor performance