WiFi Profiler: Cooperative Diagnosis in Wireless LAN Ayah Zirikly.

Authors
Presented at MobiSys 2006 by Ranveer Chandra, Venkata N. Padmanabhan and Ming Zhang (Microsoft Research).

What this paper is presenting
WiFi Profiler: a system in which wireless hosts cooperate to diagnose and resolve network problems in an automated manner.

Key observation behind the paper
If the host is disconnected, it is often in range of other wireless nodes and is able to communicate with them peer-to-peer to get access to the information gathered.

Goal of the paper
▪ Creating a shared information plane that enables wireless hosts to exchange a range of information about their network settings.
▪ By aggregating such information across multiple wireless hosts, WiFiProfiler infers the likely cause of the problem.

Differences between WiFiProfiler and previous tools
Previous tools, like the one we saw in the last paper, are not automated, as they still need the network administrator to figure out the problem.
Do not depend on any special vulnerabilities/characteristics in

Wireless LAN Architecture
Wireless security:
▫ MAC filtering: rejecting packets whose MAC address does not belong to a predefined list.
▫ WEP: key setting configured manually at the AP and the wireless clients.
▫ WPA: key setting configured
  ▫ automatically using 802.1X
  ▫ manually (user enters passphrase).
DHCP:
▫ In addition to giving the client an IP address, it provides other configuration information such as the IP addresses of the gateway and the LDNS server.
Firewall:
▫ Port blocking.
▫ Others…
Application-level proxies.

Causes of Network Problems
▪ No AP detected: location/distance; HW or SW config.
▪ No association: authentication.
▪ No IP address: DHCP server.
▪ E2E failure: firewall/proxy config.; WAN disconnection.
▪ Poor performance: wireless congestion; WAN congestion.

No AP detected
The client is not receiving the broadcast beacons. Reasons:
▪ Out of range.
▪ Channel noise.
▪ HW/SW incompatibility.

No association with the AP
▪ AP is malfunctioning.
▪ Client does not have a good, consistent signal.
▪ Inappropriate MAC address (MAC filtering).
▪ Software incompatibilities (outdated driver).
▪ Hardware incompatibilities (wireless cards).
▪ Wrong WEP key, or WPA authentication.
▪ Other security-related issues.

Inability to obtain an IP address
Client side
▫ Wrong key (WEP/WPA).
▫ Wrong MAC.
▫ Configuration problem.
AP side
▫ Wired interface is malfunctioning or disconnected.
DHCP side
▫ IP address pool exhausted.
▫ Server is down.

End-to-End communication failure
DNS resolution failure:
▪ Incorrect local DNS server settings.
▪ Failure in the DNS infrastructure.
Firewall might selectively block communication:
▪ Common FW ports not open.
The use of application proxies:
▪ Proxy server down.
▪ Inappropriate client proxy settings.
Disconnected wireless LAN:
▪ Equipment malfunction.
▪ Equipment failure.

Poor performance
Lossy wireless link due to:
▪ Weak signal.
▪ Noise.
Network congestion (wireless medium or WAN):
▪ Too many legitimate users consuming network resources.
▪ Misbehaving users.
▪ Combination of both…

Examples of the shared information plane
▪ Whether or not a host is able to connect to a certain wireless network or AP.
▪ Whether or not it is able to obtain an IP address.
▪ Whether it is experiencing poor performance.

Architecture of WiFi Profiler
Components of WiFi Profiler:
▪ Sensing
▪ Communication
▪ Diagnosis

Design and Implementation of WiFiProfiler
▪ Sensing: make local observations of network configuration and health at the individual wireless clients.
▪ Communication: enable peer-to-peer communication among wireless hosts within range.
▪ Diagnosis: infer the likely causes of the problems experienced by clients and possible steps for resolution.

Sensing
Mission: make passive observations of the network health and network configuration information at the individual wireless clients.

Sensing: wireless layer
Wireless (HW/SW) configuration information (static information):
▪ NIC model.
▪ NIC name.
▪ Driver version.

Sensing: wireless layer
▫ Information about wireless networks in the vicinity:
  ▪ BSSID list (Basic Service Set Identifiers): the list of BSSIDs corresponding to the APs from which beacons have been heard.
  ▪ SSID list (Service Set Identifier): the name that identifies the network. An SSID may have multiple BSSIDs that a client can associate with.
  ▪ RSSI list: received signal strength of each BSSID. The average RSSI is reported.

Sensing: wireless layer
Security settings information:
▪ Security protocol.
▪ WEP/WPA key used for authentication and/or encryption.
▪ To avoid exposing the key, only a one-way hash of this information is shared.

Information about the state of the wireless channel:
▪ Beacon loss rate (BLR):
  ▪ Based on the number of beacon frames that are not received at a client.
  ▪ Loss rate of client broadcast UDP beacons (since some drivers do not compute BLR).
▪ Interface queue length:
  ▪ Sampling the packet queue length at the wireless interface on a continual basis.
  ▪ Indicator of wireless congestion.

Sensing: network layer
Dynamic information concerns:
▪ IP address/subnet/mask: the IP address, subnet, and netmask corresponding to the wireless interface.
▪ IP mode: whether the client’s IP address is assigned statically or obtained dynamically using DHCP.
▪ DHCP information: the IP address of the DHCP server that leased the address, and when the lease happened.
▪ LDNS information: the IP address(es) of the local DNS server(s).

Sensing: transport layer
Learn about the E2E network connectivity over the wide-area network, which can be affected by firewalls and by congestion/disconnection of the WAN link.
Information obtained (dynamic information):
▪ Failed connection attempts: number of connection attempts and of failed attempts.
▪ Packet retransmission: number of retransmitted TCP segments.
▪ Server port numbers with successful TCP connections: the server port numbers on which connections succeeded (if not, a firewall might be blocking access).

Sensing: protocol state example
[Figure: TCP connection state diagrams (states Start, SYN-SENT, Established, Time-wait; transitions labelled SYN-ACK and time-out) for three cases: successful connection, connection failed, port blocking.]

Sensing: application layer
Configuration information related to the wireless communication.
▪ Web proxy setting: whether an HTTP proxy has been used.
  ▪ Host name.
  ▪ Port number.

Sensing: summarizing sensing information
Needed to reduce the overhead of sharing with peers.
▫ Configuration information (NIC type, etc.):
  ▪ Values from the recent snapshots.
▫ Dynamic information:
  ▪ Compute an aggregate (average or threshold) metric over:
    ▫ 60 seconds for wireless-related information.
    ▫ 300 seconds for TCP-related information.
  ▪ BSSID list, SSID list:
    ▫ Union of the distinct values of the sets.

Communication
Enables a wireless client that is having problems (the “requester”) to obtain information from its peers (the “responders”).
Challenges observed:
▫ Requester and responders are not in the same network.
▫ Requester is disconnected. Requires the responder to disconnect from its current network.
The WiFiProfiler framework enables exchanging information without the need to disconnect the responder from its network.
Key observation:
▫ A disconnected node can initiate an ad hoc (AH) network with the responders.
▫ A responder can connect to the requester’s AH network without disconnecting from its own network.
Can be accomplished using two NICs or VirtualWiFi.

Communication
Each client using WiFiProfiler has two adapters:
▫ Primary adapter:
  ▪ Used for its normal communication.
▫ Helper adapter:
  ▪ Used to exchange information with peers.

Communication: communication protocol
▫ Initialize Requester: the client activates the helper network adapter.
▫ Start AH Network: started over the helper network adapter, with the appropriate SSID and IP address.
▫ Initialize Responder: parses the SSID field to see if it corresponds to a requester. If so, it activates its helper adapter.
▫ Join Network, Send Response: sets up a socket connection with the corresponding IP address and port number, then starts sending information to the requester.
▫ Stop Responder: after sending responses, closes the socket connection and stops the helper adapter.
▫ Stop Requester: after a sufficient number of responses, shuts down the socket and stops the helper adapter.

Communication: protocol steps using VirtualWiFi
▫ Requester activates its helper adapter and configures it with the help SSID.
▫ The responder, after detecting a “Help” request, activates its helper adapter.
▫ VirtualWiFi switches the physical card across the primary and helper adapters.
▫ Responder stops VirtualWiFi (unbinds the helper adapter after sending responses).
▫ Requester activates its primary adapter to stop the AH network.
Completes within a few milliseconds.

Communication: protocol steps using two NICs
▫ WiFiProfiler assigns a static IP address to the helper adapter.
▫ Requester activates its helper adapter.
▫ Primary adapter scans the channels for the requester’s beacons.
▫ Responder activates its helper adapter when detecting a requester.
▫ The helper adapter scans the channels to locate the requester’s network.
▫ Responder joins the AH network.
▫ The responder disables its helper adapter after sending responses.

Communication: optimizations to keep the overhead on the responder low
▫ Summarizing the sensing information in 1200 bytes so that it fits into a single packet (keeps the protocol as simple as possible).
▫ Using UDP for the responses, giving the responder the ability to send a single packet and then leave the AH network.
▫ Limiting the rate of responding to help requests, to provide protection from malicious users.
▫ Responders wait for a random time before joining the AH network and responding (useful in the case of a large number of potential responders).
▫ Responders can cache recently sent responses and send them to current requesters.
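The sensing summary (60 s and 300 s windows, union of BSSID lists, hashed key) and the 1200-byte single-packet limit described above, as an added example that is not code from the paper or the slides. The record fields, the JSON encoding, SHA-256 as the hash, and the choice to trim the BSSID list when the record is too large are all assumptions; the sample data is constructed.

```python
import hashlib
import json
from statistics import mean

WIRELESS_WINDOW_S = 60     # window for wireless-related metrics (from the slides)
TCP_WINDOW_S = 300         # window for TCP-related metrics (from the slides)
MAX_SUMMARY_BYTES = 1200   # summary must fit in one UDP packet (from the slides)


def hash_key(key: bytes) -> str:
    """One-way hash shared in place of the WEP/WPA key.
    SHA-256 is an assumption; the slides do not name the hash function."""
    return hashlib.sha256(key).hexdigest()


def summarize(config, key, samples, now):
    """Reduce timestamped sensing samples to one summary record."""
    wireless = [s for s in samples if now - s["t"] <= WIRELESS_WINDOW_S]
    tcp = [s for s in samples if now - s["t"] <= TCP_WINDOW_S]
    attempts = sum(s["tcp_attempts"] for s in tcp)
    return {
        # Configuration information: value from the most recent snapshot.
        "nic": config["nic"],
        "driver": config["driver"],
        "key_hash": hash_key(key),
        # Dynamic information: aggregate over the window for that layer.
        "blr_pct": mean(s["blr_pct"] for s in wireless) if wireless else None,
        "rssi_dbm": mean(s["rssi_dbm"] for s in wireless) if wireless else None,
        "tcp_fail_rate": (sum(s["tcp_failed"] for s in tcp) / attempts
                          if attempts else None),
        # BSSID list: union of distinct values (using the 60 s window is assumed).
        "bssids": sorted(set().union(*(s["bssids"] for s in wireless))),
    }


def pack(summary):
    """Serialize the summary, trimming BSSIDs until it fits one packet."""
    record = dict(summary, bssids=list(summary["bssids"]))
    while True:
        data = json.dumps(record, separators=(",", ":")).encode()
        if len(data) <= MAX_SUMMARY_BYTES:
            return data
        if not record["bssids"]:
            raise ValueError("summary cannot fit in one packet")
        record["bssids"].pop()        # assumed policy: drop BSSIDs first
        record["truncated"] = True    # tell the requester the list is partial


# Constructed sample input: one client's sensing history, 't' in seconds.
CONFIG = {"nic": "nicA", "driver": "1.0"}
KEY = b"constructed-wep-key"
SAMPLES = [
    {"t": 990, "blr_pct": 2.0, "rssi_dbm": -70, "tcp_attempts": 10,
     "tcp_failed": 1, "bssids": ["00:00:5e:00:53:01", "00:00:5e:00:53:02"]},
    {"t": 950, "blr_pct": 4.0, "rssi_dbm": -74, "tcp_attempts": 5,
     "tcp_failed": 0, "bssids": ["00:00:5e:00:53:02", "00:00:5e:00:53:03"]},
    {"t": 800, "blr_pct": 50.0, "rssi_dbm": -90, "tcp_attempts": 5,
     "tcp_failed": 4, "bssids": ["00:00:5e:00:53:04"]},
    {"t": 600, "blr_pct": 0.0, "rssi_dbm": -50, "tcp_attempts": 100,
     "tcp_failed": 100, "bssids": ["00:00:5e:00:53:05"]},
]

if __name__ == "__main__":
    packet = pack(summarize(CONFIG, KEY, SAMPLES, now=1000))
    print(len(packet), packet.decode())
```

A plain hash lets peers compare keys for equality, but the hash of a short key can still be guessed offline, so the hash itself should be treated as sensitive.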

Diagnosis
Based on the information gathered from the peer nodes.
Inability to detect an AP. Reasons:
▪ No AP in its vicinity.
▪ Beacons are not detected at the current location.
▪ HW/SW incompatibility between the client and AP.
▪ Client wireless NIC is not working.

Diagnosis: inability to detect AP
Diagnosing steps:
▪ If the client does not hear from any peers, it is because there is no WiFiProfiler-enabled peer in its vicinity or its NIC is not working.
▪ If a peer with the same NIC type and driver version is able to receive beacons → the client’s current location is the cause.
▪ If all the peers have the same NIC type but a different driver version → the NIC driver version or the client’s current location is the cause.
▪ If all the peers have different NIC types → the client’s NIC type, NIC driver version, or current location is the cause.
Resolution of the problem:
User action: changing NICs, installing a new driver, or changing location.

Diagnosis
Inability to associate with AP. Reasons:
▪ AP uses security mechanisms like MAC filtering, WEP, WPA.
▪ Weak wireless link at the client’s current location.
▪ Incompatibility between the NIC type or driver and the AP hardware.
▪ AP malfunction.

Diagnosis: inability to associate with AP
Diagnosing steps:
▪ Client authentication configuration does not match that of the successfully associated peers (incorrect key) → configuration information missing/wrong.
▪ Client has a higher BLR or lower RSSI than its successfully associated peers → weak link due to the client’s current location.
▪ If a peer with the same NIC type and driver version is able to associate → MAC filtering is applied at the AP.
Resolution of the problem:
User action: changing authentication key/passphrase, location, NICs, or installing a new driver.
Operator action: adding the NIC MAC address to the MAC filter list.

Diagnosis
Inability to obtain IP address. Reasons:
▪ Incorrect WEP key that prevents communication with the AP.
▪ AP hardware malfunction or disconnection that prevents the AP from communicating with the DHCP server.
▪ DHCP server is down or out of addresses and is not responding to requests.

Diagnosis: inability to obtain IP address
Diagnosing steps:
▪ Client WEP encryption key does not match that of its successfully associated peers → configuration information missing/wrong.
▪ One or more peers are successfully associated but did not obtain an IP address → DHCP server or general connectivity problems.
▪ If at least one peer established successful wide-area communication → failure or address exhaustion at the DHCP server.
Resolution of the problem:
User action: changing authentication key/passphrase, location, NICs, or installing a new driver.
Operator action: resolve the DHCP server problem or hardware disconnection problem.

Diagnosis
End-to-End communication failure. Reasons:
▪ DNS resolution failure:
  ▪ Incorrect local DNS server setting.
  ▪ LDNS server is down or unreachable.
  ▪ General problem with DNS that is not specific to the local wireless network.
▪ E2E connectivity problems:
  ▪ Incorrect application proxy setting.
  ▪ Application proxy is down or disconnected.
  ▪ Firewall blocking access.
  ▪ Connectivity problem between the wireless LAN and the wide-area network.

Diagnosis: E2E communication failure
DNS resolution failure. Diagnosing steps:
▪ If a peer with a different LDNS setting reports a high success rate while no peer with the same LDNS setting reports it → incorrect LDNS server setting.
▪ All peers report a high failure rate for DNS resolution, with no response from the server → LDNS server is down or unreachable.
▪ Otherwise, general DNS problem: misconfiguration or WAN connectivity issues.
Resolution of the problem:
User action: changing the client’s LDNS setting. Otherwise, operator intervention is needed.

Diagnosis: E2E communication failure
E2E connectivity problem. Diagnosing steps:
▪ If the client and its peers have failed communication on certain ports and successful communication on others → firewall blocking communication (port-based).
▪ If one peer has successful communication on a problematic port of the server → unreachable remote host, or firewall blocking based on other criteria.
▪ No peer reports successful E2E communication → connectivity problem between the WLAN and the wide-area network.
Resolution of the problem:
User action: changing proxy setting. Otherwise, operator intervention is needed.
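The E2E connectivity rules above, applied to per-port TCP outcomes of the kind the transport-layer sensing collects, as an added example that is not code from the paper or the slides. The connection record layout, the state names and the "no peer tried this port" verdict are assumptions, and the connection data is constructed.

```python
WAN_PROBLEM = "connectivity problem between the WLAN and the wide-area network"
PORT_BLOCKED = "port-based firewall blocking"
HOST_OR_OTHER = "remote host unreachable, or firewall blocking on other criteria"
NO_EVIDENCE = "no peer tried this port"   # assumed verdict, not in the slides


def port_outcomes(connections):
    """Split (server_port, tcp_states) records into ok and failed port sets.
    A port counts as ok once any connection to it reached ESTABLISHED."""
    ok = {port for port, states in connections if "ESTABLISHED" in states}
    failed = {port for port, _ in connections} - ok
    return ok, failed


def diagnose_e2e(client_conns, peer_conns):
    """Return a verdict for each server port the client failed to reach."""
    client_ok, client_failed = port_outcomes(client_conns)
    peer_ok, peer_failed = set(), set()
    for conns in peer_conns:
        ok, failed = port_outcomes(conns)
        peer_ok |= ok
        peer_failed |= failed
    # Nobody got through on any port: the problem is beyond the WLAN.
    if peer_conns and not peer_ok and not client_ok:
        return {port: WAN_PROBLEM for port in sorted(client_failed)}
    verdicts = {}
    for port in sorted(client_failed):
        if port in peer_ok:
            # A peer reached this port, so it is not blocked for everyone.
            verdicts[port] = HOST_OR_OTHER
        elif port in peer_failed:
            # Client and peers fail here while other ports work.
            verdicts[port] = PORT_BLOCKED
        else:
            verdicts[port] = NO_EVIDENCE
    return verdicts


# Constructed sample input: (server port, observed TCP states).
OK = ["SYN_SENT", "ESTABLISHED", "TIME_WAIT"]
TIMED_OUT = ["SYN_SENT", "TIMEOUT"]
CLIENT_CONNS = [(80, OK), (443, OK), (22, TIMED_OUT), (25, TIMED_OUT),
                (8080, TIMED_OUT)]
PEER_CONNS = [
    [(80, OK), (22, TIMED_OUT)],
    [(443, OK), (22, TIMED_OUT), (25, OK)],
]

if __name__ == "__main__":
    for port, verdict in diagnose_e2e(CLIENT_CONNS, PEER_CONNS).items():
        print(port, verdict)
```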

Diagnosis
Poor performance. Reasons:
▪ Client’s weak wireless link.
▪ Wireless medium is congested.
▪ WAN problem (congestion or routing problem).

Diagnosis: poor performance
Diagnosing steps:
▪ If the client’s number of beacons is a lot lower than the highest value reported → weak wireless link to the client.
▪ If more than one peer reports persistent queuing but weak wireless network → wireless medium is congested.
Resolution of the problem:
User action: changing location or switching to a less congested AP or network. Otherwise, operator intervention is needed.

Problems can evolve
Possibility of conflicting information. For example, two peers with identical NIC type and driver version: one reports association success and the other failure. These two will be ruled out by the requester.
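The association diagnosis steps from the earlier slide, combined with the conflict rule above, as an added example that is not code from the paper or the slides. The report fields, evaluating the rules in slide order with the first match winning, and the "undetermined" result are assumptions; all reports are assumed to concern the same AP, and the data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

KEY_WRONG = "authentication configuration missing or wrong"
WEAK_LINK = "weak link at the client's current location"
MAC_FILTER = "MAC filtering at the AP"
UNDETERMINED = "undetermined"   # assumed result when no rule applies


@dataclass(frozen=True)
class Report:
    host: str
    nic: str
    driver: str
    associated: bool
    key_hash: str     # one-way hash of the key, never the key itself
    blr_pct: float
    rssi_dbm: float


def drop_conflicts(reports):
    """Rule out peers whose reports contradict each other: same NIC type
    and driver version, but different association outcomes."""
    groups = defaultdict(list)
    for r in reports:
        groups[(r.nic, r.driver)].append(r)
    kept = []
    for group in groups.values():
        if len({r.associated for r in group}) == 1:
            kept.extend(group)
    return kept


def diagnose_association(client, reports):
    """Compare a client that cannot associate with its associated peers."""
    peers = [p for p in drop_conflicts(reports) if p.associated]
    if not peers:
        return UNDETERMINED
    if client.key_hash not in {p.key_hash for p in peers}:
        return KEY_WRONG
    if (client.blr_pct > max(p.blr_pct for p in peers)
            or client.rssi_dbm < min(p.rssi_dbm for p in peers)):
        return WEAK_LINK
    if any((p.nic, p.driver) == (client.nic, client.driver) for p in peers):
        return MAC_FILTER
    return UNDETERMINED


# Constructed sample input. p3 and p4 contradict each other and are dropped.
CLIENT = Report("client", "nicA", "1.0", False, "h1", 3.0, -60.0)
PEERS = [
    Report("p1", "nicA", "1.0", True, "h1", 4.0, -65.0),
    Report("p2", "nicB", "2.0", True, "h1", 5.0, -70.0),
    Report("p3", "nicC", "3.0", True, "h1", 1.0, -55.0),
    Report("p4", "nicC", "3.0", False, "h1", 1.0, -55.0),
]

if __name__ == "__main__":
    print(diagnose_association(CLIENT, PEERS))
```

Dropping both sides of a contradiction means a single peer reporting fake information can remove an honest peer's evidence, which is why the slides' security point about collecting reports from a large number of peers matters here.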

Evaluation: evaluation of sensing
Sensing the quality of the wireless link:
▫ Examine the relationship between RSSI and BLR:
  ▪ Place a client at 6 different locations at increasing distance from the AP.
  ▪ Notice that BLR exceeds 5% when the RSSI is less than -80 dBm.
  ▪ This RSSI value can be a threshold for the lossiness of the wireless link.

Evaluation: evaluation of sensing
Sensing the quality of the wireless link:
▫ TCP throughput:
  ▪ Throughput drops when the BLR exceeds 5%.
  ▪ Consistent with the threshold concluded above, which indicates the lossiness of the wireless link.

Evaluation: evaluation of sensing
Overhead of sensing:
▫ Sensing is an ongoing process in WiFiProfiler (to reduce diagnosis latency), so low overhead (in terms of CPU and network performance) is critical.
  ▪ The WiFiProfiler sensing component uses under 1% of the CPU (even at 1.33 GHz).
  ▪ No measurable impact on network performance.

Evaluation: evaluation of communication
Impact of providing help on the responder:
▫ Case study: the responder is in the middle of downloading something (worst case). How does providing help affect the download time?
Studying the impact in three different cases:
▪ Responder uses two NICs (download time unaffected).
▪ Responder uses VirtualWiFi and the AP implements PSM, to ensure no packet loss when switching (longer delay).
▪ Responder uses VirtualWiFi but the AP does not implement PSM (longest delay).
The delay on the download time:
▪ 500 ms for small downloads.
▪ 2-3 seconds for large downloads.

Evaluation: evaluation of communication
End-to-end latency of the communication protocol. Time taken at each of the protocol steps:
▪ Initializing and stopping the requester requires enabling and disabling the helper adapter (a few seconds).
▪ Time the responder takes to detect the requester’s AH network (18 seconds).
▪ Time the responder takes to enable its helper adapter (5 seconds).
▪ Time taken by the helper adapter to scan for the requester’s AH network, by the responder to join the AH network, and by responder and requester to initialize their network stacks (32 seconds).

Evaluation: evaluation of communication
Best results (less time taken) when both requester and responder use VirtualWiFi.
Still, the biggest overhead is the time to receive data.

Evaluation: evaluation of diagnosing
The faults and how WiFiProfiler was able to diagnose them. Faults:
▪ No beacon.
▪ MAC filtering.
▪ Incorrect WEP key for authentication/encryption.
▪ DHCP problem.
▪ Port blocking.
▪ Wireless congestion.
They claim that WiFiProfiler is effective in giving the right diagnosis in less than 40 seconds, even in the situation of multiple simultaneous problems.

Security Issues
DoS attacks:
▪ By clients pretending to be in trouble:
  ▫ Limiting the frequency with which a client will help its peers.
▪ By clients misleading their peers by reporting fake information:
  ▫ Reporting a diagnosis based on information collected from a large number of peers.
Leaking sensitive information:
▫ One-way hash of the key to protect against revealing the WEP key.
▫ Future work: try to share the bare minimum information needed.