IPhones Flooding Wireless LAN At Duke
coondoggie sends us to a Network World story, as is his wont, about network problems at Duke University in Durham, N.C. that seem to be related to the iPhone. "The Wi-Fi connection on Apple's recently released iPhone seems to be the source of a big headache for network administrators at Duke. The built-in 802.11b/g adapters on several iPhones periodically flood sections of the school's wireless LAN with MAC address requests, temporarily knocking out anywhere from a dozen to 30 wireless access points at a time. Campus network staff are talking with Cisco, the main WLAN provider, and have opened a help-desk ticket with Apple. But so far, the precise cause of the problem remains unknown. 'Because of the time of year for us, it's not a severe problem,' says Kevin Miller, assistant director, communications infrastructure, with Duke's Office of Information Technology. 'But from late August through May, our wireless net is critical. My concern is how many students will be coming back in August with iPhones? It's a pretty big annoyance, right now, with 20-30 access points signaling they're down, and then coming back up a few minutes later. But in late August, this would be devastating.'" So far, the communication with Apple has been "one-way."
coondoggie sends us to a Network World story, as is his wont,
At least the editors admit that coondoggie is filling the queue up with Network World stories. Maybe they'll do something about it at some point.
-Bucky
He states now it's not a big problem (guessing because it's summer and there aren't as many students there), then expects it to be a BIG problem once students arrive. So to me this says that the iPhones using their service aren't students at all. If this is the case, buckle down the AP settings so they're not open or easily accessible via iPhone and require students to ante up their MAC addresses to connect to the wireless network.
But from late August through May, our wireless net is critical.
Wireless? Critical? Dumb.
I don't respond to AC's.
No wonder there is no answer... Apple people weren't able to receive any network package with all those iPhones around.
Rethinking email
"I don't believe it's a Cisco problem in any way, shape, or form," he says firmly.
How do they know that?
...it's their network. Why are we only hearing about it here? They probably have a loop in their network or some kind of ARP forwarding active they don't understand. You would think something like this would get caught early on in testing with the iPhone, this kind of problem tends to stand out. I also doubt the iPhone has enough horsepower to pump out 10Mbps of ARP requests, sounds like a networking device is sourcing these packets.
Sounds like they are having some issues with arp-whois being propagated across the subnets. Knowing Apple, each time these iPhones try to 'rendezvous' with all the Macs or iTuned PCs they refresh their ARP tables off the entire campus. Something is fucked up with their network machines if the ARP broadcasts are seen by the entire campus (hence the 30 access points going at once).
What they need is an AP isolation: the connected client should not (easily) see other subnets and should definitely not be able to spam ARP broadcasts across subnets.
Some BOFH admin really screwed up his net config.
I'm sorry, but there's something a little OFF here. No wireless hardware requests a MAC address. It may use MAC to authenticate to a table, but it goes for a DHCP lease.
Slashdot...sigh...
I can take out a cisco WLAN controller with thin APs and aironet APs with an arp flood for a non-existent IP. Are they even in the same subnet? Is the whole wifi network from one building to another layer2? Or is the problem arising because it is actually layer3 from building to building and the APN name doesn't change.
Judging by the statement that they can exhibit the behavior after being handed from one access point to another kind of nullifies the theory that they may be trying to re-associate with the user's home network. They're trying to get back to the old AP, which ARPing won't do because it's on a different VLAN.
Mystery solved, now what can Cisco do about it. I don't really care that it's an iPhone bug. I just think it's one more DoS vector to patch up. Maybe de-associate the phone and drop traffic until it acts right? Set a threshold or something? You might still have a source of noise, hopefully it would realize it was dropped though. No link layer, no ARP right?
Any non-secured network (either where users can plug into the LAN or over wireless) where a device is able to bring down the network should be considered defective. I've seen places where the entire LAN was flat with users connecting on Cisco's management VLAN and could bring down the whole company by plugging in a device that advertised a new route to the internet (legit or not). To a similar point, if a device on a wireless network is able to flood the network, then the access points need to be tuned. Sure, they can jam the airwaves, and there's nothing you can do to stop that DoS. But, you don't have to turn 18,000 requests per second into something that broadcasts across the rest of the network. Every firewall app that I've worked with includes throttling and I would hope these APs do as well.
This doesn't mean that apple released a product without a defect. But if your network crashes because of a defective device, then you should fix your network first.
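The throttling the commenter above is asking for, as an added example that is not code from the thread or from any AP vendor: a token bucket per source MAC decides whether an ARP request is flooded on to the rest of the broadcast domain or dropped, while replies are never limited. The rate and burst policy, the two MAC addresses and the frame timestamps are all constructed for the example; tokens are counted in thousandths over millisecond timestamps so the arithmetic stays exact.

```python
"""Per-source throttling of ARP requests before they are flooded on.

Added example, not code from the thread or from any vendor: it models the
"set a threshold" / "don't re-broadcast 18,000 requests per second" idea
from the comments with a token bucket per source MAC. Frames, timestamps
and MAC addresses are constructed, not captured from any network.
"""
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST = 1   # ARP opcode "who-has"
ARP_REPLY = 2     # ARP opcode "is-at"


@dataclass
class TokenBucket:
    """Integer token bucket: tokens are kept in thousandths so that refill
    at `rate` frames/s over whole-millisecond timestamps stays exact."""
    rate: int          # frames per second
    burst: int         # maximum burst, in frames
    tokens: int = 0    # set in __post_init__
    last_ms: int = 0

    def __post_init__(self):
        self.tokens = self.burst * 1000

    def allow(self, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)   # a clock going backwards refills nothing
        self.tokens = min(self.burst * 1000, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ArpThrottle:
    """Assumed policy (not from the page): each source MAC may have `rate`
    ARP requests/s flooded with a burst of `burst`; excess requests are
    dropped and the source is recorded. Replies are never limited."""

    def __init__(self, rate: int = 20, burst: int = 50):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.dropped = defaultdict(int)

    def process(self, frames):
        """frames: iterable of (timestamp_ms, src_mac, opcode), in time order.
        Returns the frames that would be flooded to the rest of the domain."""
        forwarded = []
        for ts, src, op in frames:
            if op == ARP_REQUEST and not self.buckets[src].allow(ts):
                self.dropped[src] += 1
                continue
            forwarded.append((ts, src, op))
        return forwarded

    def offenders(self):
        """Source MACs that had at least one request dropped."""
        return sorted(self.dropped)


LAPTOP = "00:11:22:33:44:55"   # constructed: one request per second
PHONE = "00:1e:c2:aa:bb:cc"    # constructed: 1000 requests in one second


def sample_frames():
    """Constructed frame stream, merged in time order."""
    frames = [(s * 1000, LAPTOP, ARP_REQUEST) for s in range(10)]
    frames += [(ms, PHONE, ARP_REQUEST) for ms in range(1000)]
    frames += [(500, LAPTOP, ARP_REPLY), (2500, PHONE, ARP_REPLY)]
    return sorted(frames)


def run_sample():
    """Returns (forwarded frames per source, dropped requests per source, offenders)."""
    t = ArpThrottle(rate=20, burst=50)
    fwd = t.process(sample_frames())
    counts = defaultdict(int)
    for _, src, _ in fwd:
        counts[src] += 1
    return dict(counts), dict(t.dropped), t.offenders()


if __name__ == "__main__":
    print(run_sample())
```

With a 20 requests/s policy and a burst of 50, the well-behaved laptop gets every frame through, while the phone's thousand requests in one second collapse to the 50-frame burst plus roughly one more per 50 ms of refill; the phone ends up the only entry in the offender list, which is the hook a controller would use to de-associate it.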
Umm, a bunch of ARP Requests by a few mobile devices shouldn't be knocking out a Cisco router. These AP's are supposed to be able to withstand much worse than a few of these things.
I call bullshit. I say it's their IT/Computing Department blaming their poor infrastructure on the iPhone.
I want to request a mac address from my access point. Anyone want to post a HOW-TO?
Disclaimer: Disregard the above post.
Not to mention that there are several hundred wireless access points on the Apple campus, and several hundred (possibly thousands) of iPhones on the same campus. You'd have thought that any inherent problem with the phone and networking would have been caught, isolated, patched, and distributed by now...
I'd lay odds there's something screwed with their network...
I'm a net engineer for one of the major US cable ISPs. A VERY common issue I see with the Apple Airport Extremes is a problem with them declining offered leases infinitely. When this happens the DHCP server marks the lease as temporarily unavailable; the end result is a single offending Airport Extreme can eat all the available addresses. The workaround is to configure the DHCP server to ignore declines from the client. Regardless, it's very annoying (and I'm typing this post on a MacBook so I'm not anti-Apple).
For all you saying "It's Duke's fault! Secure the network!" maybe you should consider that Duke provides wireless access to something like 15,000 undergrads, grads, faculty, etc. Duke's network is set up so that you can connect to a pool of internal IPs with no authentication, but before you can actually go to any sites other than the network registration site, you have to type in your Duke ID and password.
This is an effective solution. Can you imagine if Duke locked down APs with MAC filtering? You'd have 10,000 "authorize my MAC" requests between August 15 and 30 each year on an already-overwhelmed IT staff, and you can spoof MACs anyways. How many people actually know what a MAC is and how to find it? Sure, they could provide a tool that automatically detects your MAC, but how are you going to download it if you can't get on in the first place?
Also, please don't suggest WEP/WPA, because distributing a password/passkey among that number of users is as good as not having one at all. And a more complex solution, like PKI or smartcards, is going to create more headaches than it's worth when deployed to this number of users.
So, who cares? So he submits stories from Network World. He probably works for Network World. Does that fact alone make the story less valuable or interesting? If someone else had submitted the same story, it would be OK then? Slashdot has editors and a moderation system. There's nothing inherently deceptive in submitting your company's (or your own) stories.
Breakfast served all day!
.........but why should tuition be a barrier for anyone in a society as wealthy as ours?.......
You are a fountain of ignorance, at least concerning your diatribe against Duke. Instead of being wealthy and paying tuition, you can also simply be smart and hard working. My daughter just graduated from Duke, from which she had gotten a full scholarship. Without that, there would have been no way she could have afforded to study there. Many colleges and universities give scholarships to exceptional young people who do NOT come from wealthy homes. Most likely, someone like you wouldn't get such a scholarship, especially in view of your ignorant rant.
All theory is gray
Spend thousands of dollars on expensive Cisco AP equipment, a factor above consumer-grade systems, and something goes wrong, the extra instrumentation doesn't help and the vendor just blames somebody else? Is this a good reason not to go with expensive equipment, or just colossal incompetence of the administrator who configured everything?
Say what? The last time I saw something equally screwy it was a Cisco LightStream 1010 (ATM switch) running LANE (LAN Emulation) that played no part in layer 3 at all, yet it was still building up an ARP table of every IP datagram that flowed through it (and wondered why it kept running out of memory).
If you send out an ARP for an "unknown address", you'll get no response - it's not up to the router to respond on behalf of "non-local packets", it's up to the client to determine that the destination is non-local (by using the network and mask together) then picking a suitable gateway (usually default) for sending the packet on its way.
Therefore, the client already knows it needs to send the non-local/unknown-addressed packet through the router so it explicitly ARPs for the router's MAC address (if not already cached) - nothing to do with trying to get the MAC of the remote destination.
The Real WTF is - wireless at Starbucks isn't free, you have to pay through T-Mobile.
I'm going to guess the one who has to work to put himself through school, because he realizes the cost of the education, and is more willing to dedicate himself to it. The rich kid who has his school handed to him generally looks at the education as a given, and doesn't put in the effort. In both my undergraduate and graduate studies, that was often the case. Of course, there are rich, smart, dedicated students, but your assertion that the rich kids who don't have to work do better in school has been very false in my experience.
http://bgcommonsense.blogspot.com
>> First, it's entirely possible to go to a perfectly respectable in-state school for just a few grand a year.
Where have you been living? I have financed the education of two children who were good students and went to good state schools (U of Oklahoma, and University of Buffalo.) Both approach $15K per year with tuition, room, board, and books. That is more than "a few thousand."
Back in the dark ages before the flood when I went to Florida State (B.S. 1977) and UMass (Ph.D. 1982) I could attend a good state school for about $2.5K. I could earn about 1/3 to 1/2 of that in a summer. Today's students can't do that anymore. I would also point out that much financial aid these days is in the form of loans. It is easy for a student at a state university to finish an undergraduate education with $50K in debt. An education at a private U can leave a debt load at least 2X...
No. I don't care who pays too much for a phone.
Anybody who is smart and accomplished can go to a good school, if not Duke in particular. You can always borrow the money. Many, many, if not all good schools now have need-blind admissions. Anyways, everyone knows it's really the middle class that get screwed over on aid anyways, not poor folks.
*Some* people with connections can get in even if they are not so smart, or really accomplished is the more accurate term, as grades count. You don't have to be rich, mind you, just related to somebody. These people, while deriving much less benefit from the education than the smart kids, also go on to pay for the whole deal for the next generation (along with the qualified students of course.)
Without wealthy donors, the whole system breaks down, and it's just a matter of how you create them. You can tax the unwilling, maintain a huge alumni base, and bet that students will stay closer to the school, thus more likely to donate. In case you don't get the hint, I'm talking about state schools. (Smaller) private schools need to ensure a larger proportion of wealthy alums, and allowing family connections to count makes that easier, not to mention the good will from the alumni.
BTW you just proved the point I made here. Thank you for that.
Okay, if this is really the case, no DHCP network, then why does this same thing not happen when laptops looking for DHCP addresses come in range of Duke? For example, I would imagine that whenever there's a conference or perhaps when the students show up in September that all the laptops on campus are set to hunt for DHCP by default (since that's how one usually sets up wireless networks). Seems like you'd have the same sort of storm.
Some drink at the fountain of knowledge. Others just gargle.
He mentioned scholarships, though it was in an offhand way. You're certainly free to disagree with what he's saying, but insulting him twice in six sentences while "refuting" him with a point he already made is absolutely wrong on any level.
Besides which, your own point is really no gem either. Your advice to get a scholarship is to be smart and hard working? It's half true, sure. Colleges do give scholarships to people with good grades--though often you also need extra-curricular activities to put you ahead even though that really has nothing to do with intelligence or hard work, merely interest in organized activities--but those are limited. If every student in the nation suddenly became smart and hard working, it would still help only an exceptionally small percentage of them receive a scholarship. In fact, since Duke is a good school you can be relatively sure that the vast majority of students who are accepted there are already smart and hard working, so even in your limited example
I happen to think the way the OP handled himself was flamebait, but the question he raised about free education is a debate worth having. Preferably without insults.
Congratulations to your daughter for getting in, getting money and getting through--but just because she did doesn't mean everybody else can, even those equally smart and hard working.
Do you assume that "higher education" (past high school) is necessary for employment?
Further, do you assume that everyone is capable of making use of such "higher education"?
We seem to be pointed down this road in the US today and the truth is the answers to the two questions above are "no" and "oh my". So far, we're pretty far down the road of importing non-outsourceable low-skill jobs and moving everything else somewhere else so all the low-skill jobs don't exist for Americans. This isn't a long-term sustainable model because some people just aren't going to make it as "knowledge workers". Are these folks supposed to sit at home and collect welfare while illegal immigrants do the low-skill work?
An interesting factoid on this, though a little OT: iPhones do not appear to implement rendezvous/bonjour/zeroconf. I can't connect to any of my Mac zeroconf hosts by connecting through the *.local domain names that bonjour usually sets up, and I've read others are unable to do this as well.
Don't blame me, I voted for Baltar.
How the hell did you get modded informative with that god-awful collection of misunderstandings and poor comprehension of clearly understood concepts?
the ARP standard is unclear enough that it's undefined what the response should be for an ARP request to an unknown destination should be
Umm, what?!?!?!
There's nothing unclear about the standard, except when you apply it incorrectly.
To begin with, there is no such thing as an "unknown destination" - if the address is unknown, how the hell do you send a request for it?!?! (You ever call 411 and say "Hi, I need the phone number for someone, but I don't know who they are, where they live, what they do, or anything about them.")
Now, if you're clumsily trying to say "there's no way to answer: what is the MAC address of an IP address that is unassigned", then that's simple - there is no answer (nobody responds, so therefore there is no answer - which means that the IP address is unassigned.)
However, if you're trying to say "what is the MAC address of an IP address that resides on a different network" then the answer is the same - there (again) will only be a reply if a machine with that IP address exists on the network. IP networks are virtual - you can have many different IP networks residing on the same wire. If a machine hears an ARP request for an address that is not on its network, it just doesn't answer (the inherent assumption is that there is another IP network on the same wire, and the request is ignored.)
ARP doesn't know anything about IP network layout - basically, machines just respond if they hear a request for their IP address.
Theoretically, every packet that you send needs an ARP entry, which means that every packet sent to something that isn't in your machine's ARP table would generate an ARP request.
No - every packet you send needs a DESTINATION (either broadcast, unicast, or multicast). Unicast packets (which is what we're talking about here) require a destination MAC address, but these destinations don't have to be resolved using ARP - it's quite possible to have some or all of them in a static table, if you like. However, it looks like you're just confused, because of...
In reality, it seems that your router tends to substitute its own MAC address for non-local ARP entries (since all non-local packets go through the router, you really don't have to know what the real MAC address is)
You are confusing IP and Ethernet (802.3, 802.11, etc.) networks. To Ethernet, there is no such thing as a "non-local" packet - all packets are local.
When you want to send to an *IP* address that is not on the local link, you look up the IP address for the router(s) to that network, ARP for it (if you don't already know its MAC address) and send the packet to it - there is no 'substitution' involved. You never ask for the MAC address of the destination IP address, you ask for the MAC address of your router, then send it the packet for forwarding.
There is a standard called proxy ARP that does essentially this. In essence the router will start responding to ARPs for IP addresses on its other interfaces. The valid use cases for it are virtually all bizarre and it can cause all sorts of horrific problems.
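The next-hop logic described in the two replies above (a host picks a gateway from its routing table and ARPs for the gateway, never for an off-link destination) and the proxy ARP exception from the comment just above, as an added example that is not code from the thread. One wire carries a router and two hosts; every request costs one broadcast, a request for an off-link or unassigned address draws no reply from anyone, and the router only starts answering for a foreign prefix once it is told to proxy for it. The topology, the prefixes and the MAC addresses are constructed for the example.

```python
"""Who a host ARPs for, and who answers, on one broadcast domain.

Added example, not code from the thread: it models the next-hop point made
in the replies above (route first, then ARP for the next hop) and the
proxy ARP exception. One wire carries several hosts; every request is a
broadcast, and a host answers only for its own address unless it has been
told to proxy for a prefix. All addresses and MACs are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    mac: str
    ip: IPv4Address
    on_link: IPv4Network                    # prefix reachable without a router
    gateway: Optional[IPv4Address] = None   # default route, if any
    proxy_for: List[IPv4Network] = field(default_factory=list)  # proxy ARP prefixes
    arp_cache: Dict[IPv4Address, str] = field(default_factory=dict)


def next_hop(host: Host, dst: IPv4Address) -> IPv4Address:
    """Two-route lookup: on-link prefix, else default gateway. The result is
    the address that gets ARPed for; an off-link destination never is."""
    if dst in host.on_link:
        return dst
    if host.gateway is None:
        raise ValueError(f"{host.name}: no route to {dst}")
    return host.gateway


class Link:
    """A single broadcast domain (what one AP or VLAN gives you)."""

    def __init__(self):
        self.hosts: List[Host] = []
        self.requests_seen = 0    # every ARP request costs one broadcast

    def attach(self, h: Host):
        self.hosts.append(h)

    def who_has(self, asker: Host, target: IPv4Address) -> Optional[str]:
        self.requests_seen += 1
        for h in self.hosts:
            if h is asker:
                continue
            owns = h.ip == target
            proxies = any(target in p for p in h.proxy_for)
            if owns or proxies:
                return h.mac
        return None    # nobody answers: unassigned or off-link address


def resolve(host: Host, link: Link, dst: IPv4Address):
    """Returns (address ARPed for, MAC found or None, whether a broadcast
    went out). A cache hit sends nothing on the wire."""
    target = next_hop(host, dst)
    if target in host.arp_cache:
        return target, host.arp_cache[target], False
    mac = link.who_has(host, target)
    if mac is not None:
        host.arp_cache[target] = mac
    return target, mac, True


def demo():
    """Constructed topology: one /24 on the wire, a router and two hosts."""
    net = ip_network("10.0.1.0/24")
    gw = ip_address("10.0.1.1")
    router = Host("router", "02:00:00:00:00:01", gw, net)
    a = Host("A", "02:00:00:00:00:0a", ip_address("10.0.1.20"), net, gw)
    b = Host("B", "02:00:00:00:00:0b", ip_address("10.0.1.21"), net, gw)
    link = Link()
    for h in (router, a, b):
        link.attach(h)

    out = {}
    out["a_to_b"] = resolve(a, link, b.ip)                                   # on-link: ARP for B
    out["a_to_internet"] = resolve(a, link, ip_address("192.0.2.7"))         # off-link: ARP for gateway
    out["a_to_internet_again"] = resolve(a, link, ip_address("192.0.2.8"))   # gateway already cached
    # A misbehaving client that ARPs for an off-link or unassigned address
    # gets no reply at all, however often it asks; each try still burns a broadcast.
    out["raw_offlink"] = link.who_has(a, ip_address("192.0.2.7"))
    out["raw_unassigned"] = link.who_has(a, ip_address("10.0.1.99"))
    # Proxy ARP: the router now answers for a prefix behind it.
    router.proxy_for.append(ip_network("10.0.2.0/24"))
    out["proxy"] = link.who_has(a, ip_address("10.0.2.5"))
    out["broadcasts"] = link.requests_seen
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things fall out of running it: the second off-link destination costs no broadcast because the gateway's MAC is already cached, and the only way a request for 10.0.2.5 ever gets answered on this wire is the proxy ARP entry on the router, which is exactly why a client repeatedly ARPing for addresses nobody on the link owns produces nothing but broadcasts.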
Wait, I think I know what you're suggesting here: You're saying that more than one IP network is being used within a single broadcast domain, and all of the clients connected to that broadcast domain receive the ARP request since it is a layer 2 broadcast. I think that's irrelevant, but it does make sense, and you would hope that VLANs would help with this problem. VLANs probably ARE helping considering that only certain segments are going down and not the whole thing. Presumably only VLANs with iPhones connected are being DoSed. I think this is clearly an iPhone problem; It shouldn't be flooding a network asking for information it already has and/or is unable to get. Now that I think about it, what you say is happening is probably true, but is completely unavoidable, by design. The only way to limit layer 2 broadcasts is to split up broadcast domains with VLANs and use layer 3 routing. You can't VLAN the clients on a wireless access point because a WAP is effectively a hub. In theory any malicious person would be able to join the wireless LAN and spew layer 2 garbage addressed to FF:FF:FF:FF:FF and there's nothing anyone could do.
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
But that's exactly the problem. The iPhone handshakes with a "How are you gentlemen." and asks for a MAC address, at which point the WLAN's response is "What you say !!" and it goes downhill from there...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
If Apple can't make hardware that works, and/or won't own up to their problems and fix them, then ban all iPhones from connecting to the university WiFi network via their MAC vendor and device ID portions. After all that is what the structure of a MAC is for - so the network admins know what kind of devices are being used.
Banning iPhones campus wide because they are faulty would trigger some nice nasty press for Apple and piss off a lot of owners of the device - I imagine they would fix the problem much faster (or at least respond to the ticket!)
He probably meant "adress request" as in "Your place or mine?"
Least I hope he did, or he was really missing out!
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
I've been living in Iowa, financing my own education -- I just finished ugrad in 2005, and I'm now working and starting my grad degree. I'm not just making this up.
This fall total tuition and fees for most majors at Iowa State is $3080.66 / semester:
http://www.iastate.edu/~registrar/fees/tuition0708.html
Minnesota: $4705 / semester
http://admissions.tc.umn.edu/costsaid/tuition.htm
Wisconsin: $3365 / semester
http://www.admissions.wisc.edu/costs.php
Those figures don't include "Room & Board" because you need "Room & Board" whether you're in school or not, so it's a little silly to pretend that it's a cost related to your education. Even if you include R&B, which is on the order of $6k/year at those schools, you could make that much working a student-wage job for an annual average of 20 hours/week (or 14 hours/week if you work full-time for 12 weeks in the summer).
You actually can separate out traffic into VLANs from a WAP, you would just have to have an AP that could run a trunk back to a switch and then you could run a RADIUS server or something to do the segmenting (either based on a user login or by MAC address). In fact they could create a separate, dead-end VLAN on all their APs that all iPhones are "switched" to if the iPhones' MAC addresses have enough in common to sort them out (without dead-ending a bunch of MacBooks or something).
Except a WAP is a hub. You can't segment it. Everything gets broadcast over the same medium if it is a broadcast packet or not.
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous