CIS 551 / TCOM 401

14/3 2006

Lecture 15:

Ethernet (802.3) and Wireless (802.11) Protocols
Scribed by Jaspreet Narula and Nandana Dutt

Collision Domains
Ethernet link is shared. Advantage is that data exchange is easy. Disadvantage is that multiple communications going on the same time might collide with each other and need to be resolved.

CSMACD is the Collision detection technique
Carrier Sense, Multiple Access, with Collision Detection
At the Media Access Layer level( Lower sub-layer of data-link layer)

Ethernet Frame format

Bit format
||---Preamble(64)------Dest(48)------Src(48)-----Type(16)------BODY------CRC(32)-------||

Preamble is a stream of bits to synchronize the reception of incoming signal.

Dest -destination Ethernet Address. The left-most bit in the field indicates whether the address is an individual address , unicast,(indicated by a 0) or a group address, multicast= (indicated by a 1). If all bits are 1, that is a broadcast address, reaching all the computers in the network

Src- Source ethernet address

Type- Identifies higher-level protocol

Body(payload) - Data od n bytes. 46<= n >= 1500

CRC - Cyclic Redundancy Check to check damaged frames

Ethernet Addresses
Every adapter in the world has a unique ethernet address.
- 6 bytes
- Uniqueness ensured by assigning each ethernet card manufacturer a unique 24 bit prefix. The manufacturer ensures suffuxes are unique


Modes for an Ethernet Adapter
- Normal . Receives broadcast frames, frames addressed to its own address and group addresses it has been programmed to listen for.
- Promiscuous. Receives all frames.

CSMACD
Carrier Sense - Listen for the line to go idle.

Multiple access- Adapters may begin transmitting any time they detect that the network is quiet (there is no traffic), after 9.6 Microsecs after the last frame. This might still result in collisions.

Collision Detection - When adapter detects another signal while transmitting its own signal, it immediately sends a 32 bit jamming signal indicating the last transmission maybe garbled and stops transmitting altogther.A 10MBps adapter may need to send 512 bits(51.2µs at 10Mbps) in order to detect a collision in the worst case.

The worst case situation occurs when the two most distant adapters on the network both send a frame and when the second adapter does not begin transmitting until just before the frame from the first adapter arrives. The collision will be detected almost immediately by the second adapter, but it will not be detected by the first adapter until the corrupted signal has propagated all the way back to that adapter. The maximum time that is required to detect such a collision is approximately equal to twice the signal propagation time between the 2 adapters.

Exponential Back-off Algorithm
After a collision occurs, a computer must wait for the cable to become idle again before transmitting a frame. However, if both computers will begin to retransmit the moment the bus becomes idle, there will be another collision. To avoid this situation the Ethernet uses the binary exponential backoff algorithm.
After the nth failed transmission attempt

1. Pick k in 0 .. 2n-1
2. Wait k x 51.2µs (Round trip timeon 2500m + 4 repeaters)
3. Give up after 16 retries

It is seen that this algorithm caps at 10 retries in practice. The round trip time has to be taken instead of the time to cover the diameter of the network because of the worst case explained above


Ethernet Security Issues
Shared link introduces the problem that any ethernet card can be configured to listen to all packets, eg, a packet sniffer.


Wireless - 802.11
Wirless, like Ethernet, has a shared medium so it needs Media Access Control and uses exponential backoff algorithm of Ethernet.But Wireless has not support for collision detection as the senders and receivers are not directly connected.

Hidden Nodes
The problem of hidden nodes arises in a scenario as depicted in a figure in slide 17. The problem is that A & C cannot detect each other (and hence cannot communicate) and cannot cordinate with each other. Hence they cannot detect collisions when sending simultaneously to B.

Exposed Nodes
The problem of exposed nodes arises in a scenario as depicted in a figure in slide 18. The problem is that while B is sending to A, C should be allowed to send to D but not B because that would collide with A-B transmission.

Multiple Access Collision Avoidance
Sender sends a RTS signal to the receiver which includes the length of the data to be transmitted. The receiver replies with CTS in which it echoes the length field and also sends ACK of frame to sender. Any node that sees CTS cant transmit for the duration of the length field as echoed in the CTS. This removes the problem of hidden nodes. As in the figure before, when A sends a RTS to B, B will send a CTS back to A. C will see the CTS of B and will not communicate while A is communicating with B, hence no collisions will occur. Any node that sees a RTS signal but not a CTS signal is not close enough to the receiver to interfere and hence, its free to transmit. This overcomes the problem of exposed nodes. As in the figure before, B sends a RTS to A which D can see but the CTS send by B to A cannot be seen by D, hence D is free to communicate with C.

Wireless Access Points
Distribtution System is the wired infrastructure part of the network, Access Points (AP) are the stationary wireless devices that act as an interface between the roaming wireless hosts and the wired Distribution System.

Active Scanning is that node sends a Probe frame in response to which all APs send a Probe Response frame. The node selects one of the AP and sends Association Request frame and that particular AP responds with Association Response Frame. Passive Scanning is that when AP periodically broadcasts a Beacon frame in response to which the node sends an Association Request frame. The problem with the above is that there is no form of authentication present in the above process. Someone with malicious intent can lie that it is an AP and divert all traffic to itself, leading to a DOS attack.

Security issues
The problem of packet sniffing is worse in Wireless as compared to ethernet as no physical connection is required to the network. The problem is even worsened by the absence of any strong wireless encryption standards. A possible DOS attack has been explained above.

Wireless Equivalent Privacy (WEP)
WEP was designed to provide same security standards as wired ethernet but as it was proved later that it was not effective at all. Even WEP2 which uses a 128-bit key, as compared to 40-bit in WEP, was not a major success. WEP uses shared key authentication where the shared keys are manually configured both at the AP and wireless device. The problem with WEP is that IVs are prublic and its easy to detect their re-use. The protocol doesn't even specify how IV should be picked. If it is initialised to 0 on reset and then increment, then if a machice which restarts everyday (and hence resects the IV to zero everyday), it is easy to monitor the traffic and make an attack. So even if we randomly generate IV randomly per packet, we will exhaust the 24 bit keyspace in less than 12 hours. IF IV ever repeats, and we are using simple XOR to get cipher, it is not hard to guess the plaintext using statistical analysis or known plaintext attacks (as in slide 25). Also, probability that there will be a collison after 4823 packests is greater than 50% as per the "Birthday Paradox".

WEP uses CRC, which is not a hashing algorithm, so an attacker can easily pass off bogus WEP packets as legitimate ones because more than two messages may have the same result after doing CRC.