GUAY WEI LIN
SECURE OPEN WIRELESS LAN USING POINT TO POINT
PROTOCOL
MASTER OF ENG. (COMPUTER & MICROELECTRONIC SYSTEM)
GUAY WEI LIN
2007 UTM
UNIVERSITI TEKNOLOGI MALAYSIA
To my beloved mother, father and sisters
ACKNOWLEDGEMENT
First of all, I wish to express my sincere appreciation to my supervisor,
Professor Dr. Norsheila binti Fisal, for her encouragement and guidance.
Besides, I would like to thank Intel Microelectronics (M) Sdn. Bhd. for
funding my part-time Master's study. My manager, the Intel-University staff, UTM
School of Postgraduate Study and Faculty of Electrical Engineering staff also
deserve special thanks for their assistance in providing a stable and comfortable
environment for me to focus on my research.
Lastly, I would like to thank all the lecturers, course mates and friends that
have helped me through the period of completing this research.
ABSTRACT
There are several approaches to achieving a secure WLAN access network. One class of
solution that is commonly used is based on the enhanced security within the
IEEE 802.11 standard and Wi-Fi Protected Access (WPA). In another class of solution, the
mobile station uses the Point-to-Point Protocol (PPP) to establish a point-to-point tunnel
to a device normally located in the access network. Since PPP provides access
control features independent of the network or higher-layer protocol, and since it is a
mature protocol with support on all major platforms, it is also a good candidate for
implementing a NAS in a shared WLAN environment. To establish the PPP tunnel in a
LAN environment, techniques such as the low-level PPP over Ethernet protocol
(PPPoE), or the higher-level Point-to-Point Tunneling Protocol (PPTP) or Layer 2
Tunneling Protocol (L2TP), can be used. This research focuses on adding an
additional layer on top of the WLAN MAC using PPP to increase security. The work
is carried out on a WLAN testbed connected to the Internet.
ABSTRAK
Methods of preventing intrusion into wireless LAN access can be grouped into
several categories. One common method in use is the IEEE 802.11 mechanism
known as WPA. Apart from that, a more efficient way is to restrict clients that
want Internet access so that they must use PPP (Point-to-Point Protocol) to
establish a connection before access is granted. This method, which reuses
another mature protocol between the upper layer and the lower layer, can also be
implemented for a NAS. In this project, research is carried out to add an
additional layer above the MAC with PPP to strengthen WLAN security.
TABLE OF CONTENTS

CHAPTER  TITLE  PAGE

DECLARATION  ii
DEDICATION  iii
ACKNOWLEDGEMENTS  iv
ABSTRACT  v
ABSTRAK  vi
TABLE OF CONTENTS  vii
LIST OF FIGURES  xi
LIST OF ABBREVIATIONS  xiii
LIST OF APPENDICES  xiv

1  INTRODUCTION  1
   1.1 Background  1
   1.2 Problem Statement  2
   1.3 Goals  4
   1.4 Objectives  4
   1.5 Scope  4
   1.6 Project Outline  5

2  LITERATURE REVIEW  7
   2.1 Wireless LAN  7
       2.1.1 Overview  7
       2.1.2 Type of WLAN configurations  8
       2.1.3 Standard of wireless LAN  9
       2.1.4 IEEE 802.11b Medium Access Control Layer  10
       2.1.5 802.11 MAC Layer Functions  12
   2.2 Point-to-Point Protocol  15
       2.2.1 PPP encapsulation packet  16
       2.2.2 PPP Link Operation  18
   2.3 PPPOE  21

3  METHODOLOGY  22
   3.1 RAD Overview  22
   3.2 RAD Life Cycle  24
       3.2.1 Requirement Planning  24
       3.2.2 User Design  24
       3.2.3 Construction  25
       3.2.4 Implementation  25
   3.3 RAD usage in wireless LAN over PPP  26
       3.3.1 Requirement Planning  26
       3.3.2 User Design  27
           3.3.2.1 Rapid Construction  28
           3.3.2.2 Transition  29

4  SYSTEM ANALYSIS AND DESIGN  30
   4.1 System Architecture Overview  30
   4.2 Software Architecture and Design  35
       4.2.1 API Implementation  36
           4.2.1.1 Interfaces Function  36
           4.2.1.2 Main Function  37
           4.2.1.3 Data Processing Function  38
       4.2.2 GUI Implementation  39
           4.2.2.1 JAVAX.SWING Package  39
           4.2.2.2 JAVA.LANG.RUNTIME  39
   4.3 Environment Screen shot  40
   4.4 Graphical User Interface Snap shot  40
       4.4.1 Client GUI  41
       4.4.2 Server GUI  41
   4.5 Usage Model  42

5  IMPLEMENTATION AND RESULT  43
   5.1 Configuration Setup  43
       5.1.1 Client Perspective Setup  43
       5.1.2 Server Perspective Setup  45
   5.2 Implementation and Coding  45
       5.2.1 API  45
           5.2.1.1 Interface()  46
           5.2.1.2 PPPOE main()  50
           5.2.1.3 DataProcessing()  53
       5.2.2 Graphical User Interface  55
   5.3 Output and Result  56
       5.3.1 PPPOE  56
       5.3.2 PADI  57
       5.3.3 PADO  58
       5.3.4 PADR  59
       5.3.5 PADS  60
       5.3.6 LCP  60
       5.3.7 CHAP challenge  61
           5.3.7.1 CHAP Challenge  62
           5.3.7.2 CHAP Response  63
           5.3.7.3 CHAP Message  63
   5.4 Summary of PPPOE client  65

6  CONCLUSION AND FUTURE WORKS  67
   6.1 Conclusion  67
   6.2 Recommendation for future work  68

REFERENCES  69
Appendix A  70
LIST OF FIGURES

FIGURE NO.  TITLE  PAGE

2.1  Wireless MAC packet  14
2.2  PPP packet  15
2.3  PPP link operation  17
2.4  PPPOE layer  20
3.1  Differences between RAD and conventional SDLC  22
4.1  Cipher text of WEP  30
4.2  Proposed System Architecture  31
4.3  Actual System Architecture  31
4.4  Proposed OSI Model  32
4.5  Actual OSI Model  32
4.6  Proposed Data Parsing  33
4.7  Actual Data Parsing  33
4.8  Software Architecture diagram  34
4.9  Data structure between the interface & main method  35
4.10  Existing Linux kernel data structure from /sys/net/Ethernet.h  36
4.11  PPPOEConnectionStruct data structure  37
4.12  GNOME X Window  39
4.13  Client PPPOE screen shot  40
4.14  Server PPPOE screen shot  40
4.15  Usage Model  41
5.1  RASPPPOE application  43
5.2  New PPPOE Windows client connection  43
5.3  Code snippet for openInterface  45
5.4  Code snippet for calling openInterface  45
5.5  Code snippet for allocating memory for the sockaddr struct  45
5.6  The code snippet for getting a socket descriptor  46
5.7  The code snippet for filling in the hardware address  46
5.8  The code snippet of the data structure of ifreq  47
5.9  The code snippet for IOCTL utilization  47
5.10  Code snippet for the bind function  48
5.11  The code snippet for ReceivedPacket  48
5.12  The code snippet for sendPacket  49
5.13  The code snippet for PPPOE main  50
5.14  The code snippet for session  51
5.15  The code snippet for asyncReadFromEth()  51
5.16  The code snippet for discovery  52
5.17  The 2nd part of discovery  53
5.18  The code snippet for userInterface  54
5.19  PPPOE connection  55
5.20  Summary of the PPPOE connection  56
5.21  PADI packet  56
5.22  PADO packet  57
5.23  PADR packet  58
5.24  PADS packet  58
5.25  LCP packet  59
5.26  CHAP challenge message  60
5.27  CHAP response message  61
5.28  CHAP message to indicate challenge success or failure  62
5.29  Summary of the flow of execution of the PPPOE client  63
LIST OF ABBREVIATIONS

CHAP – Challenge Handshake Authentication Protocol
GUI – Graphical User Interface
IOCTL – Input/Output Control (System Call)
MAC – Medium Access Control
OSI – Open Systems Interconnection
PPP – Point-to-Point Protocol
PPPOE – Point-to-Point Protocol over Ethernet
RAD – Rapid Application Development
WEP – Wired Equivalent Privacy
LIST OF APPENDICES

APPENDIX  TITLE  PAGE

A  Gantt Chart  68
CHAPTER 1
INTRODUCTION
1.1 Background
A WLAN is a wireless local area network, which links two or more computers
without using wires. It uses radio frequencies to accomplish the same functionality
that a wired LAN has. Today the number of organizations deploying wireless
networks is increasing tremendously, and most of them use the IEEE 802.11x family
of protocols. Even though a wireless LAN provides the luxury of mobility to the end
user, it has disadvantages compared with a wired LAN, especially in security. Because
a wireless LAN shares its transmission medium, it is more vulnerable than a wired
LAN, where each station has a dedicated PHY connection.
Although attempts have been made to secure these networks, the technology used
is intrinsically insecure and still highly susceptible to active attacks and passive
intrusions. Standard tools for monitoring wired networks and ensuring their security
examine only the network layer (layer 3) or higher, on the assumption
that the lower layers are protected by the physical security of the wires. This
assumption cannot be extrapolated to wireless networks because of their broadcast
nature. Ideally, an intrusion detection system for wireless networks
should function at the data link layer (layer 2), or even lower if very high
security is required.
Thus, in this research, an additional layer is introduced on top of the
802.11x MAC layer, using PPP, to increase the security of the WLAN.
1.2 Problem statement
Wireless LAN is one of the emerging technologies; however, a wireless LAN is
less secure than a wired LAN. Seven major risks of attack on wireless LANs are
discussed below.
First, the most common attacks are insertion attacks, in which unauthorized
devices are deployed or new wireless networks are created without going through
the security process and review, for instance unauthorized clients or unauthorized
access points.
Second, interception of wireless traffic and unauthorized monitoring are also
common network attacks. Interception happens when an intruder captures the
wireless traffic within range of an access point. Once the intruder has access to
the network data stream, several methods can be used to break into the wireless
LAN, such as traffic interception by a cloned AP, wireless packet analysis and
broadcast monitoring.
Third, jamming is a denial of service attack that is easily applied to wireless
networks: legitimate traffic cannot reach the clients or the access point because
illegitimate traffic overwhelms the frequencies. An attacker with the proper
equipment and tools can easily flood the 2.4 GHz band, corrupting the signal until
the wireless network ceases to function. In addition, cordless phones, baby monitors
and other devices that operate in the 2.4 GHz band can disrupt a wireless network
using this frequency. These denials of service can originate from outside the work
area served by the access point, or can arrive inadvertently from other 802.11b
devices installed in other work areas that degrade the overall signal.
Fourth, client-to-client attacks occur when two wireless clients talk directly to
each other, bypassing the access point. In this case all the communication is
outside the access point's control.
Fifth, brute force attacks against access point passwords. Today most access
points use a single key or password that is shared with all connecting wireless
clients. Brute force and dictionary attacks attempt to compromise this key by
methodically testing every possible password.
Sixth, encryption attacks against the WEP used by the access point are also a root
cause of wireless LAN insecurity. The 802.11b standard uses an encryption system
called WEP (Wired Equivalent Privacy) that has known weaknesses. The effective
secret key is only 40 or 104 bits even though products advertise 64- and 128-bit
keys, because 24 of the advertised bits are the initialization vector (IV), which is
sent in the clear. The more serious weakness is in how WEP uses RC4: the 24-bit IV
space repeats on a busy network and certain IVs leak key bytes, so an attacker can
recover the key from captured traffic whatever its length.
Lastly, the default configuration of the access point: many access points ship in an
unsecured configuration in order to emphasize ease of use and rapid deployment.
For example, the default SSID of a Linksys AP is "Linksys". Both these
The above seven attacks are the major risks to today's wireless LAN networks;
some of them can be avoided by implementing different types of intrusion
detection approaches. In this research, one such approach is carried out:
using PPP at the data link layer to enhance the authentication method.
1.3 Goals
The major goal of this research is to implement a PPP data link layer over the
wireless LAN MAC layer in order to reduce the vulnerability of an existing
IEEE 802.11b network.
1.4 Objectives
The project is carried out based on the following three main objectives.
First, implement a wireless intrusion detection system that builds on the data link
layer. In this case PPP is the data link layer selected to be added.
Second, the purpose of adding the intrusion detection system at the data link
layer is to improve the security of the 802.11b wireless network.
Third, reuse the mature PPP (Point-to-Point Protocol) connection and integrate it
with the existing 802.11b network to enhance the authentication layer, as a way to
avoid active attacks.
1.5 Scope
Based on the availability of hardware and software, this research has been
narrowed down to the following scope:
- The API of this project develops an additional PPP layer on top of the
  existing 802.11b MAC layer, regardless of whether open authentication or
  WEP is used.
- The application is written in C/C++ for the core API, while the GUI is
  developed in the Java object-oriented programming language.
- The application is based on the Intel 2200ABG wireless NIC driver, which is
  the open source device driver hosted on SourceForge. Other wireless NICs
  can be used as long as Linux device drivers for them can be obtained.
- The application targets the Linux environment (Fedora Core 6), since
  Fedora Core is the development environment.
- The application of this research does not improve the performance of RF
  signalling or coexistence between RF devices.
- This application does not support multilink PPP, but supporting multilink
  PPP is recommended as future work.
- This project does not compare throughput between PPPoE and PPP over
  wireless LAN.
- It is assumed that the 802.11b PHY works correctly and is noise-free; changes
  are limited to the data link layer as the lowest layer.
1.6 Project Outline
This project report is divided into six main chapters. The first chapter
discusses the objectives, scope and goals of this project. It corresponds to the
first stage of the RAD (rapid application development) process, the requirement
planning stage, in which the main focus is on defining the right objectives,
scope and goals.
Chapter 2 covers the literature review: the study of existing specifications
and papers, such as the PPPoE and CHAP RFCs published on the RFC website. In
addition, a thorough discussion of wireless LANs is provided to give a detailed
understanding of the main topic.
Chapter 3 covers the software methodology chosen to develop the application
of this project; RAD (rapid application development) was chosen.
Chapter 4, System Analysis and Design, discusses how the whole application is
designed from the system architecture perspective as well as the software
architecture viewpoint.
Chapter 5, Implementation and Result, gives a detailed explanation of the code
written for the API and the GUI. The second part of the chapter presents the
output traces captured from the developed application.
The last chapter, chapter 6, is the summary and conclusion; it summarizes the
entire project and ends with the potential future work that can be carried out.
CHAPTER 2
LITERATURE REVIEW
2.1 Wireless LAN
A wireless local area network (WLAN) is two or more computers joined
together using radio frequency (RF) transmissions. This differs from a wired LAN,
which uses cabling to link together computers in a room, building, or site to form a
network.
2.1.1 Overview
Although WLANs can be independent they are more typically an extension to a
conventional wired network. They can allow users to access and share data,
applications, internet access or other network resources in the same way as wired
networks.
Currently, wireless LAN technology is significantly slower than wired LAN.
Wireless LANs have a nominal data transfer rate of between 11 and 54 megabits per
second (Mbps), compared with most wired LANs in schools, which operate at 100 Mbps.
Newly installed wired networks can now operate at up to 1,000 Mbps (1 Gbps).
Wireless LANs are typically used with wireless enabled mobile devices such as
notebook computers, PDAs and Tablet PCs. This allows users to take advantage of
the flexibility, convenience and portability that WLANs can provide.
There are several wireless technologies in existence, but most wireless LANs
use wireless Ethernet technologies based on the IEEE 802.11 standards.
The term Wi-Fi is often used to refer to 802.11 wireless networks. It comes from
the testing and certification programme run by the Wi-Fi Alliance to ensure that
wireless products from different manufacturers comply with the standards and are
interoperable.
2.1.2 Type of wireless network configurations
There are two main types of wireless network configuration:
- Ad-hoc/Independent BSS mode
- Infrastructure BSS mode
Ad-hoc/Independent BSS networks are the simplest form of wireless network
created by two or more wireless enabled computers communicating with each other
directly. These types of WLANs are useful for creating small dynamic networks.
However, these ad-hoc networks have similar limitations as wired peer to peer
networks and are only really suitable for occasional, small networks of a few
computers. Ad-hoc networks cannot provide the same security as properly
implemented infrastructure mode networks.
Infrastructure BSS mode requires one or more access points (APs) through
which the network cards communicate. In a typical wireless LAN, a
transmitter/receiver (transceiver) device, called an access point, is normally
physically connected to the wired network using standard Ethernet cabling. It acts as
a bridge between the wired network and the remote computer(s). At a minimum, the
access point receives, buffers, and transmits data between the wireless LAN and the
wired network infrastructure, using radio frequencies to transmit data to each user.
2.1.3 Standard of Wireless LAN
The IEEE standards below are the most common 802.11x protocols designed for
wireless connection.
IEEE 802.11a
The 802.11a standard was ratified by the IEEE in 1999 and adopted in the USA and
other parts of the world. However, 802.11a equipment was restricted in the UK and
the rest of Europe because it uses the 5 GHz band, parts of which are
traditionally used by national governments for defence purposes. This slowed
adoption of the standard, especially with the emergence of 802.11g. 802.11a was
made available without licence in February 2003: Band A for indoor use (5.15 GHz to
5.35 GHz, 200 mW EIRP) and Band B for indoor and outdoor use (5.47 GHz to 5.725
GHz, 1 W EIRP) are open for wireless LAN services. 802.11a has a nominal data rate
of 54 Mbps, with actual rates of between 17 and 28 Mbps, and has a signal range of
about 50 metres from an access point.
IEEE 802.11b
802.11b is the most mature and widely deployed wireless network standard. It is also
the standard used by most public wireless “hotspots”. The 802.11b standard derived
from the 802.11 standard, and was ratified by the IEEE in 1999. It operates in the
2.4GHz spectrum and has a nominal data transfer rate of 11Mbps. In practice the
actual data transmission rate is approximately 4-7Mbps, which is shared by all clients
using an access point.
IEEE 802.11g
The 802.11g standard was ratified in June 2003 and the first devices to receive Wi-Fi
approval were announced in July 2003. It is intended to offer the same data rates as
802.11a (54Mbps), whilst working in the same frequency range as 802.11b (2.4GHz)
for backwards compatibility. 802.11g is widely used in consumer wireless equipment
and has also been installed by many organizations. IEEE 802.11g operates in the
2.4GHz spectrum and has nominal data speeds of 54Mbps. In practice, it has actual
data speeds of 18-30Mbps.
2.1.4 IEEE 802.11b Medium Access Control Layer
The 802.11 standard specifies a common medium access control (MAC) layer,
which provides a variety of functions that support the operation of 802.11-based
wireless LANs. In general, the MAC layer manages and maintains communications
between 802.11 stations by coordinating access to a shared radio channel and
using protocols that enhance communications over a wireless medium. Often viewed
as the "brains" of the network, the 802.11 MAC layer uses an 802.11 Physical (PHY)
layer, such as OFDM, to perform the tasks of carrier sensing, transmission and
reception of 802.11 frames.
Medium Access Basics
Before transmitting frames, a station must first gain access to the medium, which is a
radio channel that stations share. The 802.11 standard defines two forms of medium
access: the distributed coordination function (DCF) and the point coordination
function (PCF).
Distributed coordination function
DCF is mandatory and based on the CSMA/CA (carrier sense multiple access with
collision avoidance) protocol. With DCF, 802.11 stations contend for access and
attempt to send frames when there is no other station transmitting. If another station
is sending a frame, stations are polite and wait until the channel is free.
As a condition of accessing the medium, the MAC layer checks the value of its
network allocation vector (NAV), a counter resident at each station that
represents the time for which the medium is still reserved by the station
currently transmitting. The NAV must be zero before a station can attempt to send
a frame. Prior to transmitting a frame, a station calculates the amount of time
necessary to send the frame based on the frame's length and data rate. The station
places a value representing this time in the duration field in the header of the
frame. When stations receive the frame, they examine this duration field value and
use it as the basis for setting their corresponding NAVs. This process reserves the
medium for the sending station. Since every station honours the duration value
without any authentication, a forged frame carrying a large duration value reserves
the medium for everyone else as well; this is a known denial of service vector that
needs no RF jamming.
An important aspect of the DCF is a random back off timer that a station uses if it
detects a busy medium. If the channel is in use, the station must wait a random
period of time before attempting to access the medium again. This ensures that
multiple stations wanting to send data don't transmit at the same time. The random
delay causes stations to wait different periods of time and avoids all of them sensing
the medium at exactly the same time, finding the channel idle, transmitting, and
colliding with each other. The back off timer significantly reduces the number of
collisions and corresponding retransmissions, especially when the number of active
users increases.
With radio-based LANs, a transmitting station cannot listen for collisions while
sending data, mainly because the station cannot have its receiver on while transmitting
the frame. As a result, the receiving station needs to send an acknowledgement
(ACK) if it detects no errors in the received frame. If the sending station does not
receive an ACK after a specified period of time, it assumes that there was a
collision (or RF interference) and retransmits the frame.
Point coordination function
For supporting time-bounded delivery of data frames, the 802.11 standard defines the
optional point coordination function (PCF) where the access point grants access to an
individual station to the medium by polling the station during the contention free
period. Stations can't transmit frames unless the access point polls them first. The
period of time for PCF-based data traffic (if enabled) occurs alternately between
contention (DCF) periods.
The access point polls stations according to a polling list, then switches to a
contention period when stations use DCF. This process enables support for both
synchronous and asynchronous modes of operation.
2.1.5
802.11 MAC Layer Functions
The following summarizes primary 802.11 MAC functions, especially as they relate
to infrastructure wireless LANs:
Scanning: The 802.11 standard defines both passive and active scanning, whereby a
radio NIC searches for access points. Passive scanning is mandatory, where each NIC
scans individual channels to find the best access point signal. Periodically, access
points broadcast a beacon, and the radio NIC receives these beacons while scanning
and takes note of the corresponding signal strengths. The beacons contain
information about the access point, including service set identifier, supported data
13
rates, etc. The radio NIC can use this information along with the signal strength to
compare access points and decide upon which one to use.
Optional active scanning is similar, except the radio NIC initiates the process by
broadcasting a probe frame, and all access points within range respond with a probe
response. Active scanning enables a radio NIC to receive immediate response from
access points, without waiting for a beacon transmission. The issue, however, is that
active scanning imposes additional overhead on the network because of the
transmission of probe and corresponding response frames.
Authentication: Authentication is the process of proving identity, and the 802.11
standard specifies two forms: open system authentication and shared key
authentication. Open system authentication is mandatory, and it is a two-step process.
A radio NIC first initiates the process by sending an authentication request frame to
the access point. The access point replies with an authentication response frame
containing approval or disapproval of authentication, indicated in the Status Code
field in the frame body.
Shared key authentication is an optional four-step process that bases authentication
on whether the authenticating device has the correct WEP (wired equivalent privacy)
key. The radio NIC starts by sending an authentication request frame to the access
point. The access point then places challenge text into the frame body of a response
frame and sends it to the radio NIC. The radio NIC uses its WEP key to encrypt the
challenge text and then sends it back to the access point in another authentication
frame. The access point decrypts the challenge text and compares it to the initial text.
If the text is equivalent, then the access point assumes that the radio NIC has the
correct key. The access point finishes the sequence by sending an authentication
frame to the radio NIC with the approval or disapproval. Note that this exchange
exposes both the challenge and its RC4-encrypted form to any listener, which reveals
WEP keystream for the IV used; in practice shared key authentication is therefore
weaker than open system authentication with WEP.
Association: Once authenticated, the radio NIC must associate with the access point
before sending data frames. Association is necessary to synchronize the radio NIC
and access point with important information, such as supported data rates. The radio
NIC initiates the association by sending an association request frame containing
elements such as the SSID and supported data rates. The access point responds by
sending an association response frame containing an association ID along with other
information regarding the access point. Once the radio NIC and access point
complete the association process, they can send data frames to each other.
RTS/CTS: The optional request-to send and clear-to-send (RTS/CTS) function
allows the access point to control use of the medium for stations activating
RTS/CTS. With most radio NICs, users can set a maximum frame length threshold
whereby the radio NIC will activate RTS/CTS. For example, a frame length of 1,000
bytes will trigger RTS/CTS for all frames larger than 1,000 bytes. The use of
RTS/CTS alleviates hidden node problems, that is, where two or more radio NICs
can't hear each other and they are associated with the same access point.
If the radio NIC activates RTS/CTS, it will first send a RTS frame to access point
before sending a data frame. The access point will then respond with a CTS frame,
indicating that the radio NIC can send the data frame. With the CTS frame, the
access point will provide a value in the duration field of the frame header that holds
off other stations from transmitting until after the radio NIC initiating the RTS can
send its data frame. This avoids collisions between hidden nodes. The RTS/CTS
handshake continues for each frame, as long as the frame size exceeds the threshold
set in the corresponding radio NIC.
Power Save Mode: The optional power save mode, which a user can turn on or off,
enables the radio NIC to conserve battery power when there is no need to send
data. With power save mode on, the radio NIC indicates its desire to enter the "sleep"
state to the access point via a status bit located in the header of each frame. The
access point takes note of each radio NIC wishing to enter power save mode, and
buffers packets corresponding to the sleeping station.
In order to still receive data frames, the sleeping NIC must wake up periodically (at
the right time) to receive regular beacon transmissions coming from the access point.
These beacons identify whether sleeping stations have frames buffered at the access
point and waiting for delivery to their respective destinations. The radio NICs having
awaiting frames will request them from the access point. After receiving the frames,
the radio NIC can go back to sleep.
Fragmentation: The optional fragmentation function enables an 802.11 station to
divide data packets into smaller frames. This is done to avoid needing to retransmit
large frames in the presence of RF interference. The bits errors resulting from RF
interference are likely to affect a single frame, and it requires less overhead to
retransmit a smaller frame rather than a larger one. As with RTS/CTS, users can
generally set a maximum frame length threshold whereby the radio NIC will activate
fragmentation. If the frame size is larger than the threshold, the radio NIC will break
the packet into multiple frames, with each frame no larger than the threshold value.
FC | Duration/ID | Address 1 | Address 2 | Address 3 | Sequence Control | Address 4 | DATA | FCS
Figure 2.1: The 802.11 MAC frame format. Address 1 is always the receiver address
and Address 2 the transmitter address; whether Addresses 3 and 4 carry the source,
destination or BSSID depends on the To DS and From DS bits in the frame control (FC)
field, and Address 4 is present only when both bits are set.
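As an added example (not code from the thesis), the following C routine decodes the fixed part of the 802.11 MAC header shown in Figure 2.1 and derives the receiver, transmitter, source, destination and BSSID roles from the To DS/From DS bits, which a single set of labels on the figure cannot express. The structure and function names are this example's own, the sample frame bytes are constructed rather than captured, and QoS data frames (which carry two extra header octets) are not handled.

```c
/* Decode the fixed part of an IEEE 802.11 MAC header (Figure 2.1).
 * Added example for this chapter; not code from the thesis. The sample
 * frame below is constructed by hand, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_ADDR_LEN  6
#define WLAN_TYPE_DATA 2

struct wlan_hdr {
    uint8_t  type, subtype;
    int      to_ds, from_ds;
    uint16_t duration;
    uint8_t  addr[4][WLAN_ADDR_LEN];  /* Address 1..4 as they appear on the air */
    uint16_t seq_num;
    uint8_t  frag_num;
    size_t   hdr_len;                 /* 24, or 30 when Address 4 is present */
    /* logical roles, pointing into addr[]; bssid is NULL for 4-address frames */
    const uint8_t *ra, *ta, *da, *sa, *bssid;
};

/* Parse a data frame header. Returns 0 on success, -1 if the buffer is too
 * short or the frame is not a data frame. Frame Control and the other
 * 16-bit fields are sent least significant octet first. */
int wlan_parse_hdr(const uint8_t *buf, size_t len, struct wlan_hdr *h)
{
    if (len < 24)
        return -1;
    memset(h, 0, sizeof *h);
    uint16_t fc = (uint16_t)(buf[0] | (buf[1] << 8));
    h->type    = (fc >> 2) & 0x3;
    h->subtype = (fc >> 4) & 0xf;
    h->to_ds   = (fc >> 8) & 1;
    h->from_ds = (fc >> 9) & 1;
    if (h->type != WLAN_TYPE_DATA)
        return -1;                         /* management/control not handled */
    h->duration = (uint16_t)(buf[2] | (buf[3] << 8));
    memcpy(h->addr[0], buf + 4,  WLAN_ADDR_LEN);
    memcpy(h->addr[1], buf + 10, WLAN_ADDR_LEN);
    memcpy(h->addr[2], buf + 16, WLAN_ADDR_LEN);
    uint16_t sc = (uint16_t)(buf[22] | (buf[23] << 8));
    h->frag_num = sc & 0xf;
    h->seq_num  = sc >> 4;
    h->hdr_len  = 24;
    h->ra = h->addr[0];   /* Address 1 is always the receiver */
    h->ta = h->addr[1];   /* Address 2 is always the transmitter */
    if (!h->to_ds && !h->from_ds) {          /* ad hoc (IBSS) */
        h->da = h->addr[0]; h->sa = h->addr[1]; h->bssid = h->addr[2];
    } else if (!h->to_ds && h->from_ds) {    /* access point -> station */
        h->da = h->addr[0]; h->bssid = h->addr[1]; h->sa = h->addr[2];
    } else if (h->to_ds && !h->from_ds) {    /* station -> access point */
        h->bssid = h->addr[0]; h->sa = h->addr[1]; h->da = h->addr[2];
    } else {                                 /* AP to AP (WDS): four addresses */
        if (len < 30)
            return -1;
        memcpy(h->addr[3], buf + 24, WLAN_ADDR_LEN);
        h->hdr_len = 30;
        h->da = h->addr[2]; h->sa = h->addr[3]; h->bssid = NULL;
    }
    return 0;
}

/* Constructed sample: data frame from an AP to a station (From DS = 1). */
const uint8_t sample_frame[] = {
    0x08, 0x02,                          /* FC: type=data, subtype=0, From DS */
    0x2c, 0x00,                          /* Duration: 44 microseconds */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* Address 1: DA (the station) */
    0x00, 0x0c, 0x41, 0xaa, 0xbb, 0xcc,  /* Address 2: BSSID (the AP) */
    0x00, 0x50, 0x56, 0xc0, 0x00, 0x01,  /* Address 3: SA (a wired host) */
    0x50, 0x00                           /* Sequence Control: seq 5, frag 0 */
};

static void print_mac(const char *label, const uint8_t *m)
{
    if (m == NULL) { printf("%-6s (none)\n", label); return; }
    printf("%-6s %02x:%02x:%02x:%02x:%02x:%02x\n", label,
           m[0], m[1], m[2], m[3], m[4], m[5]);
}

int main(void)
{
    struct wlan_hdr h;
    if (wlan_parse_hdr(sample_frame, sizeof sample_frame, &h) != 0) {
        fprintf(stderr, "not a parseable data frame\n");
        return 1;
    }
    printf("to_ds=%d from_ds=%d seq=%u hdr_len=%zu\n",
           h.to_ds, h.from_ds, h.seq_num, h.hdr_len);
    print_mac("RA", h.ra);  print_mac("TA", h.ta);
    print_mac("DA", h.da);  print_mac("SA", h.sa);  print_mac("BSSID", h.bssid);
    return 0;
}
```

The role table is the part worth keeping in mind for monitoring at layer 2: a capture tool that labels Address 1 as "source" will misattribute every frame an access point relays, so detection logic keyed on the sender must use the transmitter (Address 2) and, for frames from the distribution system, the source in Address 3.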
2.2 PPP (Point-to-Point Protocol)
PPP is a standard for transporting multi-protocol datagrams over point-to-point links.
It comprises three main components:
Encapsulating multi-protocol datagram: The PPP encapsulation provides for
multiplexing of different network-layer protocols simultaneously over the same link.
The PPP encapsulation has been carefully designed to retain compatibility with most
commonly used supporting hardware. Only 8 additional octets are necessary to form
the encapsulation when used within the default HDLC-like framing. In environments
where bandwidth is at a premium, the encapsulation and framing may be shortened to
2 or 4 octets. To support high speed implementations, the default encapsulation uses
only simple fields, only one of which needs to be examined for de-multiplexing. The
default header and information fields fall on 32-bit boundaries, and the trailer may
be padded to an arbitrary boundary.
Link Control Protocol (LCP) to establish, configure and test the data-link
connection. In order to be sufficiently versatile to be portable to a wide variety of
environments, PPP provides a Link Control Protocol (LCP). The LCP is used to
automatically agree upon the encapsulation format options, handle varying limits on the
sizes of packets, detect a looped-back link and other common misconfiguration errors,
and terminate the link. Other optional facilities provided are authentication of the
identity of the peer on the link, and determination of when a link is functioning
properly and when it is failing.
Network Control Protocol (NCP) to establish and configure different network layer
protocols. Point-to-Point links tend to exacerbate many problems with the current
family of network protocols. For instance, assignment and management of IP
addresses, which is a problem even in LAN environments, is especially difficult over
circuit-switched point-to-point links (such as dial-up modem servers). These
problems are handled by a family of Network Control Protocols (NCPs), which each
manage the specific needs required by their respective network-layer protocols.
2.2.1 PPP encapsulation packet
The PPP encapsulation is used to disambiguate multi-protocol datagrams. This
encapsulation requires framing to indicate the beginning and end of the encapsulation.
Figure 2.2: The above figure shows the PPP packet.
Flag Field
PPP uses High-level Data Link Control (HDLC)-like framing. The bit stream has no
inherent mechanism to mark the beginning or end of a frame, so the beginning and end
of each frame have to be identified. This is done by a flag: each frame begins and ends
with the unique bit pattern 01111110. The sending and receiving stations use a process
called bit stuffing to avoid loss of synchronization due to the arbitrary appearance of
the 01111110 bit pattern within the data stream. When bit stuffing, the sending station
adds a '0' after every fifth consecutive '1' in the non-flag bit stream. If the receiver
detects a pattern of five '1's, it examines the sixth bit. If the sixth bit is a '0', the
receiver deletes it. If the sixth bit is a '1' and the seventh bit a '0', the receiver
accepts it as the end-of-frame flag.
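The stuffing and unstuffing rules above, as an added example written for this page (not code from the thesis): bits are held one per byte so the five-ones rule is visible, and the function names are my own.

```c
/* Added example (not part of the thesis): HDLC bit stuffing and unstuffing as
 * described above. Bits are represented one per byte (0 or 1) so the rules
 * are easy to follow; a real implementation would pack them. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sender side: insert a 0 after every run of five consecutive 1s.
 * Returns the number of output bits, or -1 if out is too small. */
long hdlc_stuff(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    int ones = 0;
    for (size_t i = 0; i < n; i++) {
        if (o >= cap) return -1;
        out[o++] = in[i];
        if (in[i]) {
            if (++ones == 5) {        /* fifth 1: stuff a 0 right after it */
                if (o >= cap) return -1;
                out[o++] = 0;
                ones = 0;
            }
        } else {
            ones = 0;
        }
    }
    return (long)o;
}

/* Receiver side: after five 1s, look at the sixth bit. A 0 is a stuffed bit
 * and is deleted; a 1 followed by a 0 completes the closing flag 01111110, so
 * the six flag bits already copied (0 11111) are dropped and *flag is set.
 * Seven 1s in a row is an abort sequence. Returns the number of data bits, or
 * -1 on abort/overflow. */
long hdlc_unstuff(const uint8_t *in, size_t n, uint8_t *out, size_t cap, int *flag)
{
    size_t o = 0;
    int ones = 0;
    *flag = 0;
    for (size_t i = 0; i < n; i++) {
        if (ones == 5) {
            ones = 0;
            if (in[i] == 0) continue;                 /* stuffed 0: delete */
            if (i + 1 < n && in[i + 1] == 0 && o >= 6) {
                *flag = 1;                            /* end-of-frame flag */
                return (long)(o - 6);
            }
            return -1;                                /* abort sequence */
        }
        if (o >= cap) return -1;
        out[o++] = in[i];
        ones = in[i] ? ones + 1 : 0;
    }
    return (long)o;
}

int main(void)
{
    /* Constructed sample: eight 1 bits, the worst case for the flag pattern */
    const uint8_t data[8] = {1,1,1,1,1,1,1,1};
    const uint8_t closing[8] = {0,1,1,1,1,1,1,0};
    uint8_t stuffed[32], back[32];
    int flag;
    long n = hdlc_stuff(data, 8, stuffed, sizeof stuffed);
    for (long i = 0; i < n; i++) printf("%d", stuffed[i]);
    printf("  (%ld bits after stuffing)\n", n);
    /* append the closing flag 01111110 and run the receiver side */
    for (int i = 0; i < 8; i++) stuffed[n + i] = closing[i];
    long m = hdlc_unstuff(stuffed, (size_t)n + 8, back, sizeof back, &flag);
    printf("%ld data bits recovered, flag seen: %d\n", m, flag);
    return 0;
}
```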
Address Field
Contains the binary sequence 11111111 (0xFF).
Control Field
Contains the binary sequence 00000011 (0x03).
Protocol Field
2 octets (16 bits) in length. The value identifies the protocol of the datagram
encapsulated in the Information field. Typical Protocol field values:
Values in the 0xC*** range indicate that the datagram belongs to the Link Control
Protocol.
Values in the 0x8*** range indicate that the datagram belongs to a Network Control
Protocol.
Values in the 0x0*** range identify the network-layer protocol of the datagram (0x0021
= IP datagram).
Information Field
Contains the datagram of the protocol specified in the Protocol field; the length can be
zero or more octets.
FCS Field
The Frame Check Sequence is a 16-bit cyclic redundancy check (CRC).
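As an added example (not from the thesis, and not RFC 1662's reference code), the encapsulation described above built and checked in C: the address, control and protocol fields, and the 16-bit FCS computed with the RFC 1662 polynomial and verified before the protocol field is trusted for demultiplexing. The function names and the sample IPv4 bytes are constructed for this example.

```c
/* Added example (not part of the thesis): building and validating a PPP frame
 * in the default HDLC-like encapsulation described above, with the 16-bit FCS
 * from RFC 1662. Byte layout: FF 03 | protocol (2) | information | FCS (2, low
 * octet first). Flags and bit stuffing happen below this layer and are omitted. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PPP_INITFCS16 0xFFFF   /* initial FCS value */
#define PPP_GOODFCS16 0xF0B8   /* residue of a frame whose FCS is intact */

/* Bitwise CRC-16 (polynomial x^16+x^12+x^5+1, reflected form 0x8408) */
uint16_t ppp_fcs16(uint16_t fcs, const uint8_t *p, size_t len)
{
    while (len--) {
        fcs ^= *p++;
        for (int k = 0; k < 8; k++)
            fcs = (fcs & 1) ? (uint16_t)((fcs >> 1) ^ 0x8408) : (uint16_t)(fcs >> 1);
    }
    return fcs;
}

/* Encapsulate info in a PPP frame; returns frame length or 0 if out is too small */
size_t ppp_build(uint16_t proto, const uint8_t *info, size_t ilen,
                 uint8_t *out, size_t cap)
{
    if (cap < ilen + 6) return 0;
    out[0] = 0xFF;                 /* Address: all-stations */
    out[1] = 0x03;                 /* Control: unnumbered information */
    out[2] = (uint8_t)(proto >> 8);
    out[3] = (uint8_t)(proto & 0xFF);
    memcpy(out + 4, info, ilen);
    uint16_t fcs = (uint16_t)~ppp_fcs16(PPP_INITFCS16, out, ilen + 4);
    out[ilen + 4] = (uint8_t)(fcs & 0xFF);   /* least significant octet first */
    out[ilen + 5] = (uint8_t)(fcs >> 8);
    return ilen + 6;
}

/* Classify the protocol field by the ranges given in the text */
const char *ppp_proto_class(uint16_t proto)
{
    switch (proto >> 12) {
    case 0xC: return "LCP";
    case 0x8: return "NCP";
    case 0x0: return "network-layer";
    default:  return "other";
    }
}

/* Validate a received frame and locate the information field.
 * Returns 0 on success; -1 too short, -2 bad address/control, -3 bad FCS.
 * The FCS is checked before the protocol field is used for demultiplexing. */
int ppp_parse(const uint8_t *frame, size_t len, uint16_t *proto,
              const uint8_t **info, size_t *ilen)
{
    if (len < 6) return -1;
    if (frame[0] != 0xFF || frame[1] != 0x03) return -2;
    if (ppp_fcs16(PPP_INITFCS16, frame, len) != PPP_GOODFCS16) return -3;
    *proto = (uint16_t)((frame[2] << 8) | frame[3]);
    *info = frame + 4;
    *ilen = len - 6;
    return 0;
}

int main(void)
{
    /* Constructed sample: the first four bytes of an IPv4 header as payload */
    const uint8_t ip[4] = {0x45, 0x00, 0x00, 0x14};
    uint8_t frame[64];
    uint16_t proto; const uint8_t *info; size_t ilen;
    size_t n = ppp_build(0x0021, ip, sizeof ip, frame, sizeof frame);
    for (size_t i = 0; i < n; i++) printf("%02X ", frame[i]);
    printf("\n");
    int rc = ppp_parse(frame, n, &proto, &info, &ilen);
    printf("parse=%d proto=0x%04X (%s) info=%zu bytes\n", rc, proto,
           ppp_proto_class(proto), ilen);
    frame[5] ^= 0x01;   /* flip one payload bit: the FCS check must now fail */
    printf("after corruption: parse=%d\n",
           ppp_parse(frame, n, &proto, &info, &ilen));
    return 0;
}
```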
2.2.2 PPP Link Operation
In order to establish communications over a point-to-point link, each end of
the PPP link MUST first send LCP packets to configure and test the data link. After
the link has been established, the peer MAY be authenticated. Then, PPP MUST send
NCP packets to choose and configure one or more network-layer protocols. Once
each of the chosen network-layer protocols has been configured, datagrams from
each network-layer protocol can be sent over the link.
The link will remain configured for communications until explicit LCP or NCP
packets close the link down, or until some external event occurs.
Figure 2.3: The above figure shows the flow diagram of the PPP link operation.
Link Dead Phase
The link necessarily begins and ends with this phase. When an external event (such
as carrier detection or network administrator configuration) indicates that the
physical-layer is ready to be used, PPP will proceed to the Link Establishment phase.
During this phase, the LCP automaton (described later) will be in the Initial or
Starting states. The transition to the Link Establishment phase will signal an Up event
to the LCP automaton.
Link Establishment Phase
The Link Control Protocol (LCP) is used to establish the connection through an
exchange of Configure packets. This exchange is complete, and the LCP Opened
state entered, once a Configure-Ack packet has been both sent and received. All
Configuration Options are assumed to be at default values unless altered by the
configuration exchange. See the chapter on LCP Configuration Options for further
discussion. It is important to note that only Configuration Options which are
independent of particular network-layer protocols are configured by LCP.
Configuration of individual network-layer protocols is handled by separate Network
Control Protocols (NCPs) during the Network-Layer Protocol phase.
Any non-LCP packets received during this phase MUST be silently discarded. The
receipt of the LCP Configure-Request causes a return to the Link Establishment
phase from the Network-Layer Protocol phase or Authentication phase.
Authentication Phase
On some links it may be desirable to require a peer to authenticate before allowing
network-layer protocol packets to be exchanged. By default, authentication is not
mandatory. If the implementation desires that the peer authenticate with some
specific authentication protocol, then it MUST request the use of that authentication
protocol during Link Establishment phase. Authentication SHOULD take place as
soon as possible after link establishment. However, link quality determination MAY
occur concurrently. An implementation MUST NOT allow the exchange of link
quality determination packets to delay authentication indefinitely. Advancement
from the Authentication phase to the Network-Layer Protocol phase MUST NOT
occur until authentication has completed. If authentication fails, the authenticator
SHOULD proceed instead to the Link Termination phase. Only Link Control
Protocol, authentication protocol, and link quality monitoring packets are allowed
during this phase. All other packets received during this phase MUST be silently
discarded.
Network Layer Protocol Phase
Once PPP has finished the previous phases, each network-layer protocol (such as IP,
IPX, or AppleTalk) MUST be separately configured by the appropriate Network
Control Protocol (NCP). Each NCP MAY be Opened and Closed at any time.
Link Termination Phase
PPP can terminate the link at any time. This might happen because of the loss of
carrier, authentication failure, link quality failure, the expiration of an idle-period
timer, or the administrative closing of the link. LCP is used to close the link through
an exchange of Terminate packets. When the link is closing, PPP informs the
network-layer protocols so that they may take appropriate action. After the exchange
of Terminate packets, the implementation SHOULD signal the physical-layer to
disconnect in order to enforce the termination of the link, particularly in the case of
an authentication failure. The sender of the Terminate-Request should disconnect
after receiving a Terminate-Ack, or after the Restart counter expires. The receiver of
a Terminate-Request SHOULD wait for the peer to disconnect, and MUST NOT
disconnect until at least one Restart time has passed after sending a Terminate-Ack.
PPP SHOULD proceed to the Link Dead phase. Any non-LCP packets received
during this phase MUST be silently discarded.
2.3 PPPoE (Point-to-Point Protocol over Ethernet)
[Figure 2.4: protocol stack, top to bottom: Network Layer: IP; Network Access: PPP, PPPoE, Ethernet]
Figure 2.4: The above figure shows the PPPoE layer in the TCP/IP suite.
Overview
PPPoE, Point-to-Point Protocol over Ethernet, is a network protocol for
encapsulating PPP frames in Ethernet frames. It is used mainly with ADSL services.
It offers standard PPP features such as authentication, encryption, and compression.
Unfortunately it has an MTU lower than that of standard Ethernet, which can
sometimes cause problems with badly configured firewalls. PPPoE is a tunnelling
protocol which allows one to layer IP, or other protocols that run over PPP, over a
connection between two Ethernet ports, but with the software features of a PPP link,
so it is used to virtually "dial" another Ethernet machine and make a point-to-point
connection with it, which is then used to transport IP packets, based on the features
of PPP. It allows the use of traditional PPP-based software to handle a connection
which does not use a serial line, but a packet-oriented network like Ethernet, to
provide a classical connection with login and password for Internet connection
accounting. Also, the IP address on the other side of the link is only assigned when
the PPPoE connection is open, allowing the dynamic reuse of IP addresses.
PPPoE is the protocol used by Bell Sympatico and many other ADSL carriers for
connecting high-speed modems to the service provider. PPPoE was developed by
UUNET, Redback Networks, and RouterWare. The protocol is specified in RFC
2516.
CHAPTER 3
METHODOLOGY
3.1 RAD overview
Rapid application development is a term currently used in association with a
whole range of tools, techniques, methods and information system management
styles. Rapid Application Development refers to a development life cycle designed to
give much faster development and higher quality systems than the traditional life
cycle. It is designed to take advantage of powerful development software like CASE
tools, prototyping tools and code generators. RAD is a people-centred and
incremental development approach. Active user involvement, as well as
collaboration and co-operation between all stakeholders, is imperative. Testing is
integrated throughout the development life cycle so that the system is tested and
reviewed by both developers and users incrementally.
Figure 3.1: The above figure shows the differences between RAD and conventional
SDLC.
Rapid Application Development is chosen as the methodology for this project for
the reasons below:
RAD is a prototyping approach which gives users a tangible description to
determine the critical system requirements
RAD generally incorporates short development cycles
RAD realizes an overall reduction in project risk
RAD helps reduce the costs of system development
RAD is flexible and adaptable to change.
3.2 RAD life cycle
The RAD lifecycle is composed of four main stages.
1) Requirement planning
2) User design
3) Rapid construction
4) Transition
3.2.1 Requirement Planning
The requirement planning stage consists of a review of the areas immediately
associated with the proposed system. The review produces a broad definition of the
system requirements in terms of the functions the system will support.
The deliverables from the requirement planning stage include an outline
system area model (entity and process models) of the area under study, a definition of
the system's scope and a cost justification for the new system.
3.2.2 User Design
The user design stage consists of a detailed analysis of the business activities
related to the proposed system. Key users, meeting in workshops, decompose
business functions and define the entity types associated with the system. They complete
the analysis by creating action diagrams defining the interaction between processes
and data. Following the analysis, the design of the system is outlined. System
procedures are designed and a preliminary layout of the screens is developed. Prototypes of
critical procedures are built and reviewed. A plan for implementing the system is
prepared.
3.2.3 Construction
In the construction stage, a small team of developers, working directly with
users, finalizes the design and builds the system. The software construction process
consists of a series of "design-and-build" steps in which the users have the
opportunity to fine-tune the requirements and review the resulting software
implementation. This stage also includes preparing for the cutover to production.
In addition to the tested software, the construction stage deliverables include the
documentation and instructions necessary to operate the new application, and the
routines and procedures needed to put the system into operation.
3.2.4 Implementation
The implementation stage involves implementing the new system and
managing the change from the old system environment to the new one. This may
include implementing bridges between existing and new systems, converting data,
and training users. User acceptance is an end point of the implementation stage.
3.3 RAD usage in PPP over wireless LAN
Below is the implementation of the RAD methodology in this project, which
pipelines the tasks into 4 main stages.
3.3.1 Stage 1: Requirement planning
In this stage, work was done to get a general understanding of the
existing problem, which is the vulnerability of the 802.11b wireless protocol.
After obtaining the general idea of the issue, several components were
identified that need in-depth understanding: the 802.11b MAC layer, PPPoE
and the PPP protocol.
After gaining an understanding of the protocols, the major root
cause of the issue was identified. The major concern is the weakness of the 802.11b layer
caused by the flawed application of the RC4 encryption algorithm. The weaknesses open the gate
for hackers to perform active and passive attacks.
The main tasks of the requirement planning stage can be separated into a few
milestones:
Research Area/Protocol understanding
Firstly, research was carried out to understand the RC4 algorithm and the
vulnerabilities of 802.11b, PPPoE, the 802.11b MAC packet and the PPP protocols.
Secondly, a study was made on how to set up a wireless LAN with 802.11b in the Linux
environment.
Define requirements
The overall objectives of the project, the existing problems and the project
scope were drafted out and reviewed with the project supervisor to confirm that the right understanding
and direction had been achieved. After the study of the data link layer of the
802.11b network, the PPP specifications and the 802.11 MAC specifications had been
reviewed, the requirements were defined, including the technical considerations
which can affect the development and implementation of the software.
Finalize requirements
In this milestone, the target OS was finalized: the Linux operating
system was picked as it has more flexibility due to the fact that it is an open
source OS.
After that, the initial project schedule was drafted out using Microsoft
Project and, at the same time, the estimated cost and time for the whole
project were determined.
Lastly, documentation was created on the objective, scope and project
schedule.
3.3.2 Stage 2: User Design
This is the stage where the architecture design was defined.
Firstly, a detailed system area model needed to be created that included the block
diagram of the overall OSI layers, the software architecture, and the system architecture.
Secondly, the data link layer protocols were reviewed and the defined
system model was compared with the actual implementation of PPP and the 802.11b MAC layer.
Changes were needed from time to time to make sure the implementation made
sense. For this project, the initial definition differs from the implementation
definition, as another session establishment step was added in order to integrate
PPP with the 802.11b MAC layer.
Thirdly, the project scope was reviewed again to ensure the project is defined correctly and
does not go out of scope. After that, the system design was outlined.
After the system design had been selected, the most appropriate
technique/programming language was determined. For the API, C/C++ is the most appropriate, while
for the GUI, javax.swing was picked. After the programming language had
been picked, the preliminary screen layout was designed using Java.
Fourthly, the system architecture documentation from the previous
stage was analysed again to confirm that the technical definitions are correct and consistent. After confirming that
the technical definitions are correct, system prototype development was started. The
system prototype starts with socket programming to connect the systems using
only 802.11. The Ethereal sniffer was used to confirm that the API written is
working.
3.3.3 Stage 3: Rapid construction
In this stage, the tasks completed are proliferated from the user design
stage.
Firstly, the application was constructed, proliferated from the prototype of the user
design stage. Additional verification and exception handling needed to be added
in this stage. After the development, basic unit testing was performed after every
module.
At the same time, some debug functions were created to dump out packets for data
verification.
Integration was also carried out in this stage after the application was completed.
The test methodology is based on black box and white box testing.
3.3.4 Stage 4: Transition
Transition is the last stage of this application development
methodology.
Firstly, the application was deployed on the Fedora Core 6.0 operating system. 2 systems
are required, as the application requires one system to act as the client (laptop) while
another system acts as the server. System testing was carried out in this stage, where
the testing is based on Usage Model testing by doing a data transfer between
client and server after establishing PPP over the wireless LAN.
After the application had been deployed successfully, important snippets as
well as the overall system architecture diagrams were documented.
CHAPTER 4
SYSTEM ANALYSIS AND DESIGN
4.1 System Architecture Overview
The system architecture was defined after reviewing the technical
specifications of 802.11, PPP and PPPoE. The 802.11b security mechanism, WEP, was initially
developed to give end users protection similar to the security
available on a wired network. WEP is based on the RC4 encryption algorithm, a
function that generates a pseudo-random keystream of unbounded length from two
different arguments. The arguments are the actual WEP key, which can be 40 or 104
bits long, and the Initialization Vector (IV), which is 24 bits long. Each 802.11 frame payload
contains the IV and the cipher text data. The cipher text is obtained by XORing the plaintext
with the RC4 keystream generated from the IV and key. Every frame transmitted uses a newly
generated IV; as a 24-bit IV has only 2^24 combinations, the IV space will be exhausted after about 5
hours of constant data transmission. Thus, one of the main flaws of
the 802.11b protocol is the key scheduling of RC4, and a security layer needs to
be added at the data link layer.
Besides, consideration was given to placing an additional security layer at
layer 3. However, this raises some concerns. One reason is that the use of
DHCP might be a disadvantage for the AP in uniquely identifying a specific user.
Besides, once a malicious user is able to obtain the WEP key, DHCP immediately gives
an IP address and network information to the intruder.
On the other hand, another security feature that used to be placed at layer 3 brings
disadvantages to the end users. This additional security feature is known as MAC
filtering. This feature allows the AP to identify the MAC addresses of the network cards
that connect to the AP. However, it brings inconvenience to the end user. Once a
user changes the wireless adapter, the user must contact the network administrator to
add the new MAC address. Secondly, network card MAC addresses can be easily
changed by malicious users to find one with access permissions and gain
access to the wireless LAN.
Thus, from the study above, the best layer at which to add the authentication layer is
the data link layer. Below are the diagrams showing the system architecture,
starting with the OSI model and packets transmitted through the data link layer. In the
initial system architecture, the NCP, LCP and CHAP protocols (PPP) are added after
the 802.11 MAC, but in the implementation the connection is fixed between 2
systems with fixed MAC addresses. Thus, the system architecture was
redefined with an additional connection establishment layer. The connection
establishment layer is used to establish the connection between client and server and
is based on the existing, stable PPPoE protocol that is used widely for
ADSL connection establishment. Below are the diagrams that show the proposed
system architecture and the actual implementation system architecture.
Figure 4.1: The above figure shows the cipher text of the WEP.
Figure 4.2: The above figure shows the additional layer on the TCP/IP suite for PPP
over WLAN(Proposed implementation).
The diagram above shows an additional layer on top of the data link layer,
which is PPP, to enforce the security of the wireless LAN. After the wireless client
and access point have established an association, the PPP protocols come into place to
authenticate the point-to-point connection again before data transmission starts.
An API written in C++ will be created to pass the packets between the NCP and the
802.11b MAC layer. The details of the code will be discussed in the next chapter.
Figure 4.3: The above figure shows the additional layer on the TCP/IP suite for PPP
over WLAN (actual implementation).
Figure 4.4: The above figure shows the layer-based protocol from transmitter to
receiver, including the application layer down to the physical layer.
Figure 4.5: The above figure shows that an additional connection initialization is required to
establish a connection between 2 nodes.
Figure 4.6: The above figure shows the overall data passing (packets) from
application until the 802.11b MAC layer
Figure 4.7: The above figure shows the overall data passing (packets) from
application until the 802.11b MAC layer, an additional layer for connection
establishment added.
4.2 Software Architecture and Design
Figure 4.8: The above figure shows the system software architecture, which combines
OO programming and structured programming.
The above diagram shows the block diagram of the application, where it
combines two different programming methodologies (object orientation and
structured programming). The graphical user interface uses Java while the API
uses the C language.
The API focuses on initializing the PPPoE connection, using the
RP-PPPoE open source project as reference. Once the PPPoE session has been established, the code
constructs a text command to call the Linux run-time PPP daemon to instantiate the
PPP connection.
4.2.1 API Implementation
The API source code can be separated into 3 main areas:
i) Interface functions (interface.c)
ii) Main function (pppoe.c)
iii) Data processing functions (common.c)
4.2.1.1 Interface functions
The interface file consists of different functions that are combined to establish a
socket connection between two different nodes. The functions include getHWaddr(),
etherType(), openInterface(), sendPacket() and receivedPacket(). The
PPPoEPacketStruct is the data structure used to communicate between the main
function and the openInterface() method. That data structure also contains the existing
Ethernet header structure defined in the Linux kernel. The u_char Ethernet type has
been hard coded in /sys/net/ethernet.h to differentiate between the varieties of
Ethernet type.
typedef struct PPPoEPacketStruct {
struct ethhdr ethHdr;
#ifdef PACK_BITFIELDS_REVERSED
unsigned int type:4;
unsigned int ver:4;
#else
unsigned int ver:4;
unsigned int type:4;
#endif
unsigned int code:8;
unsigned int session:16;
unsigned int length:16;
unsigned char payload[ETH_DATA_LEN];
} PPPoEPacket;
Figure 4.9: The above figure shows the major data structure that will pass between
the interface and main function.
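As an added example, not code from the thesis or from the RP-PPPoE project it builds on, a decoder for the same header that PPPoEPacketStruct describes: each field is read by byte position rather than through the compiler-dependent bit-field layout, and the declared length is bounded by the bytes actually received. The constant and function names and the sample PADI frame are constructed for this example.

```c
/* Added example (not part of the thesis or of rp-pppoe): decoding a PPPoE
 * frame from raw bytes. It reads the version/type nibbles, code, session and
 * length fields explicitly instead of through the bit-field layout in
 * PPPoEPacketStruct, so it does not depend on PACK_BITFIELDS_REVERSED, and
 * it checks the declared length against the bytes actually received. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN         14
#define PPPOE_HDR_LEN       6
#define ETH_PPPOE_DISCOVERY 0x8863   /* RFC 2516 Ethernet types */
#define ETH_PPPOE_SESSION   0x8864
#define PPPOE_CODE_PADI     0x09     /* RFC 2516 discovery codes */
#define PPPOE_CODE_PADO     0x07
#define PPPOE_CODE_PADR     0x19
#define PPPOE_CODE_PADS     0x65
#define PPPOE_CODE_SESSION  0x00

typedef struct {
    uint16_t ethType;
    uint8_t  ver, type, code;
    uint16_t session, length;
    const uint8_t *payload;      /* points into the frame buffer */
} PPPoEHeader;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success; -1 frame too short, -2 not a PPPoE Ethernet type,
 * -3 unsupported version/type, -4 declared length exceeds received bytes. */
int pppoe_parse(const uint8_t *frame, size_t len, PPPoEHeader *h)
{
    if (len < ETH_HDR_LEN + PPPOE_HDR_LEN) return -1;
    h->ethType = be16(frame + 12);
    if (h->ethType != ETH_PPPOE_DISCOVERY && h->ethType != ETH_PPPOE_SESSION)
        return -2;
    const uint8_t *p = frame + ETH_HDR_LEN;
    h->ver  = p[0] >> 4;          /* high nibble: version, must be 1 */
    h->type = p[0] & 0x0F;        /* low nibble: type, must be 1 */
    if (h->ver != 1 || h->type != 1) return -3;
    h->code    = p[1];
    h->session = be16(p + 2);
    h->length  = be16(p + 4);
    h->payload = p + PPPOE_HDR_LEN;
    /* A malformed frame may claim more payload than was received; reject it
     * here rather than letting a tag walker read past the buffer. */
    if (h->length > len - ETH_HDR_LEN - PPPOE_HDR_LEN) return -4;
    return 0;
}

/* Count the TLV tags (type 2, length 2, value) of a discovery payload.
 * Returns the tag count, or -1 if a tag runs past the declared length. */
int pppoe_count_tags(const PPPoEHeader *h)
{
    size_t off = 0;
    int count = 0;
    while (off + 4 <= h->length) {
        uint16_t tlen = be16(h->payload + off + 2);
        if (off + 4 + tlen > h->length) return -1;
        off += 4 + tlen;
        count++;
    }
    return off == h->length ? count : -1;
}

/* Constructed sample: a PADI broadcast from 00:11:22:33:44:55 carrying one
 * empty Service-Name tag (0x0101) and one 4-byte Host-Uniq tag (0x0103) */
const uint8_t SAMPLE_PADI[] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,  0x00,0x11,0x22,0x33,0x44,0x55,  0x88,0x63,
    0x11, 0x09, 0x00,0x00, 0x00,0x0C,
    0x01,0x01, 0x00,0x00,
    0x01,0x03, 0x00,0x04, 0xDE,0xAD,0xBE,0xEF
};

int main(void)
{
    PPPoEHeader h;
    int rc = pppoe_parse(SAMPLE_PADI, sizeof SAMPLE_PADI, &h);
    printf("parse=%d code=0x%02X session=%u length=%u tags=%d\n",
           rc, h.code, h.session, h.length, pppoe_count_tags(&h));
    /* Same frame with its last byte missing: the length check must reject it */
    printf("truncated: parse=%d\n",
           pppoe_parse(SAMPLE_PADI, sizeof SAMPLE_PADI - 1, &h));
    return 0;
}
```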
struct ether_header {
u_char ether_dhost[ETHER_ADDR_LEN];
u_char ether_shost[ETHER_ADDR_LEN];
u_short ether_type;
} __packed;
struct ether_addr {
u_char octet[ETHER_ADDR_LEN];
} __packed;
Figure 4.10: The above figure shows the existing Linux kernel data structure from
/sys/net/Ethernet.h
4.2.1.2 Main functions
The main file consists of the function that starts the application, depending on the
arguments that need to be passed in to run the program. The PPPoEConnectionStruct
data structure is passed to the session() method to determine the packet type
and the information needed to establish the PPPoE connection. Besides, main.c has
functions such as session() and sessionDiscoveryPacket() to handle the session of the
PPPoE. The details of the functions will be covered in the next chapter.
typedef struct PPPoEConnectionStruct {
int discoveryState;
int discoverySocket;
int sessionSocket;
unsigned char myEth[ETH_ALEN];
unsigned char peerEth[ETH_ALEN];
UINT16_t session;
char *ifName;
char *serviceName;
char *acName;
int synchronous;
int useHostUniq;
int printACNames;
int skipDiscovery;
int noDiscoverySocket;
int killSession;
FILE *debugFile;
int numPADOs;
PPPoETag cookie;
PPPoETag relayId;
int PADSHadError;
int discoveryTimeout;
} PPPoEConnection;
Figure 4.11: The above figure shows the PPPoEConnectionStruct data structure used to
keep the MAC addresses and the type of PPPoE packet.
4.2.1.3 Data processing functions
The data processing functions are in the files (common.c and discovery.c) that consist
of different methods to process the different PPPoE packets, such as waitForPADO(),
sendPADI() and sendPADR(), which are used to process the data structure sent by
session() and sessionDiscoveryPacket() in the main function. The
PPPoEConnectionStruct data structure is still used to pass data between main.c
and common.c. The details of the functions will be shown in the next chapter.
4.2.2 Graphical User Interface
The graphical user interface is designed based on the javax.swing package and the
java.lang.Runtime class.
4.2.2.1 javax.swing package
The Swing toolkit includes a rich set of components to build GUIs and add
interactivity to Java applications. Swing includes all the components for a GUI, such as
table controls, list controls, tree controls, buttons, and labels. Besides, Swing also
includes basic user interface primitives such as drag and drop, event handling and
window management. The details of the GUI code will be covered in the next
chapter.
4.2.2.2 java.lang.Runtime Class
Every Java application has a single instance of class Runtime that allows the
application to interface with the environment in which the application is running. The
current runtime can be obtained from the getRuntime() method. As this application
is targeted at the Linux environment, the runtime will be the application that is able to
run at the Linux console. The details of the runtime implementation will be covered in
the next chapter.
4.3 Environmental setup
Fedora Core 6.0 has been set up with the Intel 2200ABG (open source) drivers installed.
Figure 4.12: Gnome X Windows of Linux Fedora Core.
4.4 Graphical User Interface Snap Shot
The graphical user interface can be categorized into 2 main areas, which are the
client GUI and the server GUI.
4.4.1 Client GUI
The diagram below shows the graphical user interface of the application on the client side.
A username and password are required in order to connect to the other end (which acts as
the server).
Figure 4.13: The above figure shows the GUI of the PPP over WLAN application as
the client application.
4.4.2 Server GUI
Figure 4.14: The above figure shows the GUI of the PPP over WLAN application as
the server application. The access concentrator and service name are required fields to
act as the server.
4.5 Usage Model
The ideal usage model of this application is shown in Figure 4.15. The PPPoE
server should be installed on a server or integrated with the Access Point. Once a
client needs to connect to the AP in an infrastructure BSS, a password is required to
establish every single connection. The application that has been developed in this
project is the prototype, consisting of a client and a server, where the server
simulates the application running in the Access Point.
Figure 4.15: The above figure shows the usage model of open secure wireless LAN
using PPP.
CHAPTER 5
IMPLEMENTATION AND RESULTS
5.1 Configuration Setup (Using Windows System)
The first experiment carried out was to try out the entire planned
concept using Windows XP as the PPPoE server/client. Windows XP is used for
the experiment due to the fact that PPPoE is easier to set up in the Windows environment.
The configuration setup can be categorized into two main areas, which are the
client setup and the server setup.
5.1.1 Client perspective Setup
From the client perspective, the experiment should emulate the application
which acts as the node that establishes the connection. Below are the step-by-step
instructions on how to create a PPPoE client.
1) Download RASPPPOE (Freeware)
2) Add a new protocol and choose the drivers from the directory where
RASPPPOE is stored.
3) Run RASPPPOE and click on Query Available Services based on the
wireless NIC card located in the same domain as the PPPoE server.
(figure 5.1)
4) A new connection has been created. (figure 5.2)
Figure 5.1: The open source RASPPPOE application to create a PPPoE client.
Figure 5.2: The PPPoE connection for the client.
5.1.2 Server perspective
From the server perspective, the experiment should emulate the application
which acts as the node that starts the application as a service, waiting
for the client to connect to it. Below are the step-by-step instructions to set up the
PPPoE server.
1) Make new connection -> Set up an advanced connection
2) Accept incoming connections -> Next
3) The list of connection devices should contain the name of the network
adapter in the system; check all network adapters for the incoming
connection and click Next
4) Select the user accounts which should be allowed to connect
5) Select the networking components to enable for the incoming connections.
6) The Network and Dial-up Connections window will now contain an
additional item named Incoming Connections
The above experiment shows that PPPoE can be used as the existing protocol on the
wireless connection.
5.2 Implementation & Coding
The implementation and coding can be categorized into two main areas, which are
the API (the core engine) and the GUI (the user interface).
5.2.1 API (Application Programming Interface)
As mentioned in the previous chapter, the API is the core engine of this application
and can be categorized into 3 main areas. In this section, a detailed explanation will be
given line by line of selected functions in the code implementation. The
API consists of the functions to initialize the PPPoE connection and, if everything
works out, it will call the PPP daemon to establish the PPP connection.
5.2.1.1 Interface functions (if.c)
The if.c source file consists of several functions to construct a socket connection
between the client and server based on the ready network interface in the Linux
environment. Thus, in order for these functions to work, the open source drivers for the Intel
2200BG have been configured properly before starting the development.
openInterface() method
int
openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr)
{
Figure 5.3: The code snippet for the openInterface method.
conn->discoverySocket =
openInterface(conn->ifName, Eth_PPPOE_Discovery, conn->myEth);
Figure 5.4: The code snippet on calling the openInterface method.
The openInterface() method returns an integer, which is negative if an error
occurs, and it needs three arguments: the interface name, the
Ethernet frame type and the MAC address.
struct sockaddr sa;
memset(&sa, 0, sizeof(sa));
Figure 5.5: The code snippet on instantiating and zeroing the sockaddr struct.
The sockaddr data structure is initialized because the functions bind() and
getsockname() use the generic sockaddr structure to represent a pointer
to a socket address.
After the data structure has been instantiated, the following memset function
sets the value 0 in the memory that has been allocated for the sockaddr data structure.
domain = PF_PACKET;
stype = SOCK_RAW;
if ((fd = socket(domain, stype, htons(type))) < 0) {
if (errno == EPERM) {
rp_fatal("Cannot create raw socket -- pppoe must be run as root.");
}
fatalSys("socket");
}
if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &optval, sizeof(optval)) < 0) {
fatalSys("setsockopt");
}
Figure 5.6: The code snippet on getting a socket descriptor
The socket function is called to create a socket in the PF_PACKET domain. Rather than creating a
socket that is specifically for TCP, UDP, ICMP and such, it is told to create a raw
socket that can carry any Ethernet frame. This call is the foundation of every packet that
is transmitted or received.
if (hwaddr) {
strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
if (ioctl(fd, SIOCGIFHWADDR, &ifr) < 0) {
fatalSys("ioctl(SIOCGIFHWADDR)");
}
memcpy(hwaddr, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
}
Figure 5.7: The code snippet on filling in the hardware address
The above snippet uses the IOCTL SIOCGIFHWADDR, which calls the
input/output control to obtain the network interface hardware address (MAC
address). After the ioctl returns, the MAC address held in the ifreq
structure (a data structure predefined in the Linux
environment) is copied out with memcpy. The ifreq data structure contains the sockaddr data structure that is used
to store the MAC address.
struct ifreq {
    char ifr_name[IFNAMSIZ];            /* Interface name */
    union {
        struct sockaddr ifr_addr;
        struct sockaddr ifr_dstaddr;
        struct sockaddr ifr_broadaddr;
        struct sockaddr ifr_netmask;
        struct sockaddr ifr_hwaddr;
        short           ifr_flags;
        int             ifr_ifindex;
        int             ifr_metric;
        int             ifr_mtu;
        struct ifmap    ifr_map;
        char            ifr_slave[IFNAMSIZ];
        char            ifr_newname[IFNAMSIZ];
        char           *ifr_data;
    };
};
Figure 5.8: The code snippet of the data structure of ifreq.
strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
if (ioctl(fd, SIOCGIFMTU, &ifr) < 0) {
    fatalSys("ioctl(SIOCGIFMTU)");
}
if (ifr.ifr_mtu < ETH_DATA_LEN) {
    char buffer[256];
    sprintf(buffer, "Interface %.16s has MTU of %d -- should be %d. You may have serious connection problems.",
            ifname, ifr.ifr_mtu, ETH_DATA_LEN);
    printErr(buffer);
}
Figure 5.9: The code snippet for IOCTL utilization in the openInterface() method.
After the MAC address has been obtained, the ioctl system call is used again, this time with SIOCGIFMTU, to get the MTU (Maximum Transmission Unit) of the device.
    strcpy(sa.sa_data, ifname);
    if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        fatalSys("bind");
    }
    return fd;
}
Figure 5.10: The code snippet for bind function in openInterface() method.
The bind() function is called to assign the socket address to the socket descriptor that has been created. The openInterface() method ends by returning the socket descriptor fd; this integer value lets the caller determine whether openInterface() has successfully set up the socket.
receivePacket() method
int
receivePacket(int sock, PPPoEPacket *pkt, int *size)
{
    if ((*size = recv(sock, pkt, sizeof(PPPoEPacket), 0)) < 0) {
        sysErr("recv (receivePacket)");
        return -1;
    }
    return 0;
}
Figure 5.11: The code snippet for the receivePacket() method
The receivePacket function requires three arguments: sock, the socket to read from; pkt, the PPPoEPacket data structure in which the received packet is stored; and size, which receives the size of the packet in bytes. receivePacket is a wrapper around the recv() function, which receives a message from the connected socket. recv() returns the number of bytes received, which is stored through the size pointer, and the data itself is written into the PPPoEPacket structure pointed to by pkt.
sendPacket function
int
sendPacket(PPPoEConnection *conn, int sock, PPPoEPacket *pkt, int size)
{
    struct sockaddr sa;
    if (!conn) {
        rp_fatal("Linux 2.0 kernels not supported");
    }
    strcpy(sa.sa_data, conn->ifName);
    if (sendto(sock, pkt, size, 0, &sa, sizeof(sa)) < 0) {
        sysErr("sendto (sendPacket)");
        return -1;
    }
    return 0;
}
Figure 5.12: The code snippet for sendPacket method
The sendPacket function resembles the receivePacket function: besides the conn pointer, it takes the same three arguments, sock, the socket to send on; pkt, the packet to transmit; and size, the size of the packet. sendPacket is likewise a wrapper around the predefined sendto() call, which sends the message over the connected socket.
5.2.1.2 PPPOE main function (pppoe.c)
The PPPOE main function starts by parsing the command-line arguments, which select how PPPOE is started.
main() method
int
main(int argc, char *argv[])
{
    ...
    case 'd':
        optSkipSession = 1;
        break;
    case 'k':
        conn.killSession = 1;
        break;
    case 'n':
        conn.noDiscoverySocket = 1;
        break;
    ...
    discovery(&conn);
    session(&conn);
}
Figure 5.13: The code snippet for PPPOE main function.
The main function requires several arguments to be passed to it before the application starts. Once everything is ready, the main function calls the discovery function, which performs the discovery phase of PPPOE. The details of the discovery function are covered in section 5.2.1.3.
Session method
void
session(PPPoEConnection *conn)
{
    ...
    conn->sessionSocket = openInterface(conn->ifName, Eth_PPPOE_Session, conn->myEth);
    memcpy(packet.ethHdr.h_dest, conn->peerEth, ETH_ALEN);
    memcpy(packet.ethHdr.h_source, conn->myEth, ETH_ALEN);
    packet.ethHdr.h_proto = htons(Eth_PPPOE_Session);
    packet.ver = 1;
    packet.type = 1;
    packet.code = CODE_SESS;
    packet.session = conn->session;
    initPPP();
    ...
}
Figure 5.14: The code snippet for session method
After the PPPOE connection has been established, the session method is called. It starts by initializing another new session socket. After that, it copies the source and destination addresses identified in the earlier stage into the PPPoEPacket data structure. The initPPP() method merely initializes the PPP state machine.
if (FD_ISSET(conn->sessionSocket, &readable)) {
    do {
        if (conn->synchronous) {
            syncReadFromEth(conn, conn->sessionSocket, optClampMSS);
        } else {
            asyncReadFromEth(conn, conn->sessionSocket, optClampMSS);
        }
    } while (BPF_BUFFER_HAS_DATA);
}
Figure 5.15: The code snippet for asyncReadFromEth() called in the session() method
The syncReadFromEth() method shown in the snippet above is the function that generates the runtime call to the existing pppd daemon. The PPP connection itself is not created in this application.
5.2.1.3 Data Processing functions (common.c and discovery.c)
The data processing functions are created to handle the different PPPOE packets.
discovery() method
void
discovery(PPPoEConnection *conn)
{
    int padiAttempts = 0;
    int padrAttempts = 0;
    int timeout = conn->discoveryTimeout;
    conn->discoverySocket =
        openInterface(conn->ifName, Eth_PPPOE_Discovery, conn->myEth);
    do {
        padiAttempts++;
        if (padiAttempts > MAX_PADI_ATTEMPTS) {
            if (persist) {
                padiAttempts = 0;
                timeout = conn->discoveryTimeout;
                printErr("Timeout waiting for PADO packets");
            } else {
                rp_fatal("Timeout waiting for PADO packets");
            }
        }
        sendPADI(conn);
Figure 5.16: The code snippet for discovery method.
The discovery method first obtains a socket connection. After establishing the connection to the wireless network interface, it starts by broadcasting the PADI packet using the sendPacket() method defined in if.c. The PADI message keeps being sent until the predefined timeout stored in the PPPoEConnection data structure is exceeded.
        conn->discoveryState = STATE_SENT_PADI;
        waitForPADO(conn, timeout);
        if (!conn->printACNames) {
            timeout *= 2;
        }
        if (conn->printACNames && conn->numPADOs) {
            break;
        }
    } while (conn->discoveryState == STATE_SENT_PADI);
    timeout = conn->discoveryTimeout;
    do {
        padrAttempts++;
        if (padrAttempts > MAX_PADI_ATTEMPTS) {
            if (persist) {
                padrAttempts = 0;
                timeout = conn->discoveryTimeout;
                printErr("Timeout waiting for PADS packets");
            } else {
                rp_fatal("Timeout waiting for PADS packets");
            }
        }
        sendPADR(conn);
    } while (conn->discoveryState == STATE_SENT_PADR);
}
Figure 5.17: The second part of the code snippet for the discovery method
After sending the PADI packet, the timer (the function loop) is started to count down the timeout for receiving the PADO packet from the server. The timeout is a predefined value assigned to discoveryTimeout, which resides in the PPPoEConnection data structure. If a PADO packet has been received, the client sends the PADR packet to the server to confirm the point-to-point connection by calling the sendPADR method. After the discovery phase, the function call returns to the main function, which proceeds to call the session method; the session method initiates another socket connection and generates the text message that calls the existing runtime PPP daemon.
5.2.2 Graphical User Interface
The graphical user interface is created to ease the use of the application and it is
based on the javax.swing package of the Java software development kit API (JSDK).
GUI.java
import javax.swing.*;
import java.awt.*;          // GridLayout
import java.awt.event.*;    // ActionListener, ActionEvent
public class GUI extends JPanel implements ActionListener {
    public GUI() {
        super(new GridLayout(1, 1));
        ...
    }
    Runtime rtserver = Runtime.getRuntime();
    Process procServer = rtserver.exec("pppoe-server -C DumbTerminal -S DumbTerminal -F");
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("PPPOE-START");
    ...
}
Figure 5.18: The code snippet for userInterface method
5.3 Output and Result
All output and results are based on packet traces captured with the Ethereal/Wireshark freeware application. The traces of the application match the expected output. To explain them better, the captured trace has been narrowed down to each individual layer.
5.3.1 PPPOE
The trace below, captured with the Ethereal sniffer, shows that the PPPOE connection has been established between the client (Intel_a7:d6:a2) and the server (cnetTech_23:a4:3e). The trace also shows that the overall expected output has been obtained: the captured packets follow the PPPOE protocol, which starts with PADI, PADO, PADR and PADS before the PPP connection is initialized.
Initially, the client with the unique Id Intel_a7:d6:a2 broadcasts the PADI packet through the wireless medium on the SSID to which it has connected. The broadcast message includes the server name (access concentrator).
Once the message has been broadcast, the nodes connected to the same wireless LAN receive it. Each receiver interprets the packet and, if the packet names an access concentrator that belongs to it, replies with a PADO message. After that, the client/sender includes the hardware address of the server and sends another request message, the PADR; if the server allows the connection, it replies with a PADS to complete the establishment of PPPOE.
Figure 5.19: The above figure shows the PPPOE connection has been initialized.
Figure 5.20: The above figure summarizes the PPPOE connection based on the trace captured.
5.3.2 PADI
The trace below zooms in on the PADI broadcast message. The Ethernet II frame includes the MAC address of the client (00:0e:35:a7:d6:a2) but has 0xFFFFFFF as the destination address, since it is a broadcast message. The PADI message also includes the service-name, which the receiver uses to decide whether to send the PADO message. A unique session number is also attached in the PPPOE tags.
Figure 5.21: The above figure shows the details of the PADI packet.
5.3.3 PADO
The PADO packet is sent by the receiver/server after comparing the service-name and AC name located inside the PPPoE tags of the PADI packet. In the PADO packet, the server uses as destination address the source hardware address from the broadcast PADI message it received.
Figure 5.22: The above figure shows the PADO packet.
5.3.4 PADR
The PADR packet is sent by the client once it has received the PADO packet from the server. In this packet the client includes the AC name, the destination MAC address (the server MAC address), the unique AC-cookie and the client's unique session Id. The PADR is the packet with which the client requests the server to establish a point-to-point connection.
Figure 5.23: The above figure shows the PADR packet.
5.3.5 PADS
PADS is the last packet sent from the server to the client to establish the PPPOE connection. Once the PADR has been received, the server replies to the client to confirm the establishment and proceeds with the PPP connection.
Figure 5.24: The above figure shows the PADS packet.
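The discovery exchange described in the discovery() method of section 5.2.1.3 and in the PADI/PADO/PADR/PADS traces of sections 5.3.2 to 5.3.5, as an added Python example that is not part of the thesis or of the rp-pppoe code it quotes: it encodes and parses PPPoE discovery payloads using the RFC 2516 code and tag values, checks every length field against the frame before reading a tag (so a bad length cannot read past the buffer), and runs both sides of the exchange in-process. The AC-Name, AC-Cookie, Host-Uniq and session id values are constructed samples.

```python
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65            # RFC 2516 discovery codes
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE, VER_TYPE = 0x0103, 0x0104, 0x11   # VER_TYPE: ver=1, type=1

def build_discovery(code, session, tags):
    """Build a PPPoE discovery payload (the bytes after the Ethernet header)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    body += struct.pack("!HH", TAG_END, 0)
    return struct.pack("!BBHH", VER_TYPE, code, session, len(body)) + body

def parse_discovery(payload):
    """Parse a discovery payload; reject length fields that overrun the frame."""
    if len(payload) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    if length > len(payload) - 6:
        raise ValueError("PPPoE length field exceeds frame")
    tags, pos, end = [], 6, 6 + length
    while pos + 4 <= end:
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if tag_type == TAG_END:
            break
        if pos + tag_len > end:
            raise ValueError("tag length runs past PPPoE payload")
        tags.append((tag_type, payload[pos:pos + tag_len]))
        pos += tag_len
    return code, session, tags

def access_concentrator(frame, ac_name, cookie, session_id):
    """Server side: answer PADI with PADO; grant PADS only to a PADR carrying our cookie."""
    code, _, tags = parse_discovery(frame)
    echoed = [t for t in tags if t[0] in (TAG_SERVICE_NAME, TAG_HOST_UNIQ)]
    if code == PADI:
        return build_discovery(PADO, 0, echoed + [(TAG_AC_NAME, ac_name),
                                                 (TAG_AC_COOKIE, cookie)])
    if code == PADR and (TAG_AC_COOKIE, cookie) in tags:
        return build_discovery(PADS, session_id, echoed)
    return None   # unknown code, or PADR without a valid AC-Cookie

def client_discovery(send, host_uniq):
    """Client side: broadcast PADI, accept the PADO that echoes our Host-Uniq, send PADR."""
    pado = send(build_discovery(PADI, 0, [(TAG_SERVICE_NAME, b""),
                                          (TAG_HOST_UNIQ, host_uniq)]))
    code, _, tags = parse_discovery(pado)
    offer = dict(tags)
    if code != PADO or offer.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO does not answer our PADI")
    pads = send(build_discovery(PADR, 0, [(TAG_SERVICE_NAME, b""),
                                          (TAG_HOST_UNIQ, host_uniq),
                                          (TAG_AC_COOKIE, offer[TAG_AC_COOKIE])]))
    code, session, _ = parse_discovery(pads)
    if code != PADS or session == 0:
        raise ValueError("access concentrator did not grant a session")
    return offer[TAG_AC_NAME], session
```

The `send` callable stands in for the raw socket: in the real client it would be the sendPacket()/receivePacket() pair on the discovery socket, here it is the in-process access concentrator.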
5.3.6 PPP Link Control Protocol – LCP
The Link Control Protocol is the PPP protocol used to establish, configure and test the data link connection. LCP echo packets are also exchanged between the server and the client to make sure the link is still alive.
Annotations in the figure: the configuration request and ack are used to test the link; echo request and reply packets are used to keep the link alive.
Figure 5.25: The above figure shows the PADS packet
5.3.7 PPP Authentication Protocol - CHAP Protocol
CHAP (Challenge Handshake Authentication Protocol) is an authentication protocol for PPP. CHAP periodically verifies the identity of the peer using a 3-way handshake; this is done upon initial link establishment and may be repeated at any time after the link has been established. CHAP is used here as the authentication protocol to avoid the replay attack.
A replay attack is a form of network attack in which a valid data transmission
is maliciously or fraudulently repeated or delayed. This is carried out either by the
originator or by an adversary who intercepts the data and retransmits it, possibly as
part of a masquerade attack by IP packet substitution (such as stream cipher attack).
For example, suppose John wants to prove his identity to Bob. Bob requests his password as proof of identity, and John dutifully provides the encrypted password (a hash). Meanwhile, Kate is eavesdropping on the conversation and keeps the password. After the interchange is over, Kate connects to Bob posing as John and, when asked for proof of identity, sends John's password read from the last session.
With CHAP authentication, however, a challenge packet carrying a fresh randomly generated value is sent periodically, so the password that Kate kept does not work for the next CHAP challenge.
5.3.7.1 CHAP “challenge” message to the Peer
After the link has been established, the authenticator sends a “challenge” message to the peer, as shown in the figure below.
Figure 5.26: The above figure shows the CHAP challenge message
5.3.7.2 CHAP Response
Once the peer (client) received the challenge message, it requires to responds with a
value calculated using a “one way hash” function.
Figure 5.27: The above figure shows the CHAP response message
5.3.7.3 CHAP Message
The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection should be terminated.
Figure 5.28: The above figure shows the CHAP message to indicate challenge success or failure.
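The challenge, response and success/failure messages of sections 5.3.7.1 to 5.3.7.3, together with the John/Bob/Kate replay scenario of section 5.3.7, as an added Python example that is not part of the thesis: the response value is MD5(Identifier || secret || Challenge) as RFC 1994 specifies, each challenge is accepted only once, and Kate's captured response fails against the next challenge. The secret table, peer names and the Authenticator class are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: the authenticator's table of peer name -> shared secret.
SECRETS = {b"john": b"correct-horse-battery-staple"}

def chap_response(identifier, secret, challenge):
    """Peer side: RFC 1994 response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side of CHAP (Bob): issues challenges and judges responses."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}      # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        """Challenge packet: a new identifier and a fresh random 16-byte value."""
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[self.next_id] = value
        return self.next_id, value

    def verify(self, identifier, name, response):
        """True means CHAP Success, False means Failure. A challenge is used once."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare

def replay_scenario():
    """John authenticates once; Kate replays his captured response later."""
    auth = Authenticator(SECRETS)
    ident, chal = auth.challenge()
    john = chap_response(ident, SECRETS[b"john"], chal)   # computed by the peer
    genuine = auth.verify(ident, b"john", john)           # Kate records `john`
    ident2, _ = auth.challenge()                          # periodic re-challenge
    replayed = auth.verify(ident2, b"john", john)         # stale response, new challenge
    return genuine, replayed
```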
5.4 Summary of PPPOE Client Application
public void actionPerformed(ActionEvent evt) {
    if (evt.getSource() == connectBtn) {
        runtime();   // call the runtime() function
    }
}
void runtime() {
    // Open /etc/pppoe/pppoe.conf to overwrite the username & password
    try {
        Runtime rtserver = Runtime.getRuntime();
        Process procServer = rtserver.exec("pppoestart");
    } catch (IOException e) {
        e.printStackTrace();
    }
}
PPPOE main function()
int
main(int argc, char *argv[])
{
    ...
    case 'd':
        optSkipSession = 1;
        break;
    discovery()
    session()
}
Figure 5.29: The summary of the flow of execution of PPPOE client
Once the connect button is pressed, the actionPerformed method checks whether the event came from the button click. If it did, the actionPerformed() method modifies the /etc/pppoe/pppoe.conf and /etc/pppoe/chap.secret configuration files using the predefined methods of the File class and calls the runtime process to execute the PPPOE main function.
Initially, the main function checks all the cases to determine which arguments have been passed in to start PPPOE. After that, the main function calls the discovery function, which processes the PPPOE initialization through the sendPacket() and receivePacket() functions after calling the openInterface() method to instantiate a unique socket connection with the wireless NIC interface.
If the discovery function executes without failure, it calls the session function, which generates the text to call the runtime PPP application and runs until a PADT packet is sent from either the client or the server.
CHAPTER 6
CONCLUSION AND FUTURE WORKS
6.1 Conclusion
Although a variety of wireless network technologies have reached or will soon reach the general business market, wireless LANs based on the 802.11 standard are the most likely candidate to become widely prevalent in corporate environments. Current 802.11b products operate at 2.4GHz and deliver up to 11Mbps of bandwidth. On top of that, enhancing the security of the 802.11b WLAN will undeniably increase the usability of WLAN and the confidence of end users in 802.11x WLAN. Even though several approaches such as VPN and WPA2 can be utilized, adding PPP over WLAN will absolutely be one of the best solutions.
In this research, the approach is to add PPPOE/PPP/CHAP to establish a point-to-point connection between the access point and the laptop (wireless client). The advantage of this approach is that it provides protection against playback attack by the peer through the use of an incrementally changing identifier and a variable challenge value. On the other hand, the disadvantage of this application is that the username and password need to be entered every single time a connection is established between client and server.
In short, this project has successfully achieved the objectives and scope that were defined: to develop a secure wireless LAN client and server application through a point-to-point connection. However, there are still a few areas of improvement that could make the wireless connection more secure, which are discussed next.
6.2 Recommendation for Future Work
The following areas could be implemented to improve the security of today's wireless connections.
1. Compare the performance of PPP over wireless with that of a normal wireless connection. If the performance penalty or the latency increases tremendously after adding PPP, the algorithms of the application need to be changed.
2. Add different optimized protocols, such as VPN in the network layer or SIP in the application layer.
3. Improve the application to support multi-link PPP.
4. Integrate this application with the network processor of the access point, providing an alternative security feature for today's wireless APs.
APPENDIX A
PROJECT GANTT CHART
Project Schedule