wifi for 600, alex
Perry Lorier
perry at coders.net
Wed Jan 24 03:56:20 UTC 2007
> An observation I would make is that the number of MAC addresses per
> person at the tech heavy meeting has climbed substantially over 1 (not
> to 2 yet) so it's not so much that everyone brings a laptop... it's that
> everyone brings a laptop, a PDA and a phone, or two laptops. In a year
> or two we'll be engineering around 2 radios per person; in five years,
> who knows.
We did the wireless network at LCA '06. Due to abuse at LCA '05 we
required everyone to register their MAC address to their registration
code before we let them onto the network. This means we have a nice
database of MACs <-> people.
We saw:
199 people with 1 MAC address registered
102 people with 2 MAC addresses registered
9 people with 3 MAC addresses registered
5 people with 4 MAC addresses registered
1 person with 6 MAC addresses registered
We did have a lot of problems with devices that didn't have a web
browser (so had to ask us to add their MACs manually; there were 11
people who had this who aren't accounted for above). Mostly VoIP phones,
but it's amazing how many people have random bits of hardware that will
do wifi!
This is perhaps biased as there was also wired ethernet available to
some people in their rooms (about 50 rooms IIRC), so some of those 102
people would have a MAC for their wireless and a separate MAC for their
wired access.
We also ran soft APs on Soekris boxes running Linux, so we could hook
into the AP at a fairly low level. We firewalled all DHCP replies
inside the AP so it wouldn't forward any DHCP replies received from the
wireless to another client on the AP or onto the physical L2.[1]
As an experiment we firewalled *all* ARP inside the APs so ARP spoofing
was impossible. ARP queries were snooped and an OMAPI query was sent to
the DHCP server asking who owned the lease, and an ARP reply was unicast
back to the original requester.[2] This reduced the amount of
multicast/broadcast (which wireless sends at basic rate) on the network,
as well as preventing people from stealing IPs and ARP spoofing.
To stop people from spoofing someone else's MAC, we also had lists of
which AP a MAC was associated with; if a MAC was associated with more
than one AP we could easily blacklist it and visit people in the area
with a baseball bat.
We didn't see much abuse (and didn't have people complain about abuse,
so I guess it's not just that they hid it from us), I think mostly
because people knew that we had IP<->MAC<->name mappings, and abusers
knew they could easily be tracked down.
One of the more interesting things was that during the daytime we were a
net importer of traffic as people did their usual web surfing, but at
about 10pm at night we suddenly became a net exporter as people started
uploading all their photos to Flickr.
----
[1]: All client to client traffic in managed mode is relayed via the AP.
[2]: Amusing story, one of the developers had written a patch to detect
if someone else was using the same IP on the same L2 and produce a
warning. He tried it on our network and found that it didn't work.
After much head scratching he discovered what we were doing :)
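The two AP-side controls the post describes (answering ARP requests from the DHCP lease table instead of forwarding ARP, and flagging a MAC that shows up on more than one AP) modelled as an added Python example. This is illustration written for this page, not the LCA '06 AP code: the real APs asked the DHCP server over OMAPI who held a lease, which is replaced here by a constructed `LEASES` dict, and the AP association log is a constructed list. The check that the requester's own sender IP matches its lease is an extension the post does not mention; it is marked as such in the code.

```python
"""AP-side ARP proxying and duplicate-association detection (added example).

The lease table and association records below are constructed sample data;
in the post the lease lookup was an OMAPI query to the DHCP server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


# Constructed stand-in for the DHCP server's lease table: IP -> MAC holding the lease.
LEASES: Dict[str, str] = {
    "10.0.0.10": "00:11:22:33:44:01",
    "10.0.0.11": "00:11:22:33:44:02",
}


def handle_arp(pkt: ArpPacket, leases: Dict[str, str] = LEASES) -> Tuple[str, Optional[ArpPacket]]:
    """Decide what the AP does with an ARP frame received from a wireless client.

    Nothing is ever forwarded to other clients or the wired L2. Requests are
    answered from the lease table and the reply is unicast to the requester;
    everything else is dropped. Returns (action, reply_or_None).
    """
    # Replies (solicited or gratuitous) are how ARP cache poisoning works:
    # since the AP answers every request itself, no client reply is needed.
    if pkt.op != ARP_REQUEST:
        return ("drop", None)

    # Extension not described in the post: a requester claiming a sender IP
    # that the DHCP server leased to a different MAC is refused an answer.
    if leases.get(pkt.sender_ip) != pkt.sender_mac:
        return ("drop", None)

    owner = leases.get(pkt.target_ip)
    if owner is None:
        # No lease for that IP, so nobody legitimately answers for it;
        # dropping also keeps the broadcast off the air.
        return ("drop", None)

    # Unicast the answer straight back to the asking station.
    reply = ArpPacket(op=ARP_REPLY, sender_mac=owner,
                      sender_ip=pkt.target_ip, target_ip=pkt.sender_ip)
    return ("unicast_reply", reply)


def find_multiply_associated(associations: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Given (ap_name, client_mac) association records, return the MACs that
    are associated with more than one AP, mapped to the set of APs involved.
    """
    seen: Dict[str, Set[str]] = {}
    for ap, mac in associations:
        seen.setdefault(mac, set()).add(ap)
    return {mac: aps for mac, aps in seen.items() if len(aps) > 1}


if __name__ == "__main__":
    req = ArpPacket(ARP_REQUEST, "00:11:22:33:44:01", "10.0.0.10", "10.0.0.11")
    print(handle_arp(req))
    print(handle_arp(ArpPacket(ARP_REPLY, "00:11:22:33:44:09", "10.0.0.11", "10.0.0.10")))
    # Constructed association log: one MAC seen on two APs at once.
    log = [("ap-hall", "00:11:22:33:44:01"), ("ap-foyer", "00:11:22:33:44:01"),
           ("ap-hall", "00:11:22:33:44:02")]
    print(find_multiply_associated(log))
```

A practical caveat for the association check: a client roaming between APs legitimately appears on two of them within a few seconds, so in a real deployment the records would need timestamps and a window before a duplicate is treated as spoofing rather than a handoff.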