
iPhones Flooding Wireless LAN At Duke

Posted by kdawson
from the arp-storm dept.
coondoggie sends us to a Network World story, as is his wont, about network problems at Duke University in Durham, N.C. that seem to be related to the iPhone. "The Wi-Fi connection on Apple's recently released iPhone seems to be the source of a big headache for network administrators at Duke. The built-in 802.11b/g adapters on several iPhones periodically flood sections of the school's wireless LAN with MAC address requests, temporarily knocking out anywhere from a dozen to 30 wireless access points at a time. Campus network staff are talking with Cisco, the main WLAN provider, and have opened a help-desk ticket with Apple. But so far, the precise cause of the problem remains unknown. 'Because of the time of year for us, it's not a severe problem,' says Kevin Miller, assistant director, communications infrastructure, with Duke's Office of Information Technology. 'But from late August through May, our wireless net is critical. My concern is how many students will be coming back in August with iPhones? It's a pretty big annoyance, right now, with 20-30 access points signaling they're down, and then coming back up a few minutes later. But in late August, this would be devastating.'" So far, the communication with Apple has been "one-way."
  • Interesting problem (Score:3, Interesting)

    by jshriverWVU (810740) on Monday July 16, 2007 @09:14PM (#19882999)
    He states now it's not a big problem, (guessing because it's summer and not as many students there). Then expecting it to be a BIG problem once students arrive. So to me this says that the iPhones using their service aren't students at all. If this is the case, buckle down the AP settings so they're not open or easily accessible via iPhone and require students to ante up their MAC addresses to connect to the wireless network.
  • by Osty (16825) on Monday July 16, 2007 @09:20PM (#19883041)

    "If this is the case, buckle down the AP settings so they're not open or easily accessible via iPhone and require students to ante up their MAC addresses to connect to the wireless network."

    While not mentioned explicitly in the article, I assumed that's what they were already doing. Then the problem would be that the iPhone doesn't know when to shut up when the AP denies its MAC (I mean really, who would deny an iPhone? They're so cool!). I'm not sure what more they can do about it if there's no forthcoming patch from Apple. Ignoring the packets at the AP would still require some bandwidth, because you'd have to look to see the MAC address prior to dropping it.

  • Cisco (Score:4, Interesting)

    by zymano (581466) on Monday July 16, 2007 @09:27PM (#19883083)
    "I don't believe it's a Cisco problem in any way, shape, or form," he says firmly.

    How do they know that?
  • Re:Nothing new here (Score:5, Interesting)

    by Anonymous Coward on Monday July 16, 2007 @09:30PM (#19883101)
    Sounds like they are having some issues with arp-whois being propagated across the subnets. Knowing Apple, each time these iPhones try to 'rendezvous' with all the Macs or iTuned PCs they refresh their ARP tables off the entire campus. Something is fucked up with their network machines if the ARP broadcasts are seen by the entire campus (hence the 30 access points going at once).

    What they need is an AP isolation: the connected client should not (easily) see other subnets and should definitely not be able to spam ARP broadcasts across subnets.

    Some BOFH admin really screwed up his net config.
  • No problem for us (Score:2, Interesting)

    by SuperKendall (25149) on Monday July 16, 2007 @09:33PM (#19883139)
    We have a number of WAP's at work. We also have a number of people who have bought iPhones, and we have not seen any wireless nodes go down from iPhone traffic.
  • by xRelisH (647464) on Monday July 16, 2007 @09:39PM (#19883169)
    Umm, a bunch of ARP Requests by a few mobile devices shouldn't be knocking out a Cisco router. These AP's are supposed to be able to withstand much worse than a few of these things.

    I call bullshit. I say their IT/Computing Department is blaming their poor infrastructure on iPhone.
  • Re:Critical? (Score:5, Interesting)

    by Citius (991975) on Monday July 16, 2007 @09:42PM (#19883193) Homepage Journal
    The number of students who use a wireless network for basic needs is rapidly growing at Duke. As a recent Duke graduate, I've been in a number of classes where tests are administered over the WLAN using Blackboard (burn BB to hell!). If a WLAN AP goes down, and that's during a test, you've got the grades - and unhappiness - of 40+ people/class on your head. Given that we're a rather nitpicky bunch over our grades, grade unhappiness doesn't end well for those who cause it... So yes. Wireless is critical at Duke.
  • So when you (Score:5, Interesting)

    by phoebe (196531) on Monday July 16, 2007 @10:24PM (#19883509)
    spend thousands of dollars on expensive Cisco AP equipment, a factor above consumer grade systems, and something goes wrong, the extra instrumentation doesn't help and the vendor just blames somebody else? Is this a good reason not to go with expensive equipment, or just colossal incompetence of the administrator who configured everything?
  • by blindbat (189141) on Monday July 16, 2007 @11:05PM (#19883793)
    Actually I was in an Apple store last Thursday and they were having the same problem. I was trying to connect to their network with another non-Apple device and finally connected on the third attempt. The store employees were all aware that their phones were having trouble connecting and staying connected to the wireless. Many of the phones were having to connect through ATT.
  • by Lost Engineer (459920) on Monday July 16, 2007 @11:08PM (#19883827)
    No. I don't care who pays too much for a phone.

    Anybody who is smart and accomplished can go to a good school, if not Duke in particular. You can always borrow the money. Many, many, if not all good schools now have need-blind admissions. Anyways, everyone knows it's really the middle class that get screwed over on aid anyways, not poor folks.

    *Some* people with connections can get in even if they are not so smart, or really accomplished is the more accurate term, as grades count. You don't have to be rich, mind you, just related to somebody. These people, while deriving much less benefit from the education than the smart kids, also go on to pay for the whole deal for the next generation (along with the qualified students of course.)

    Without wealthy donors, the whole system breaks down, and it's just a matter of how you create them. You can tax the unwilling, maintain a huge alumni base, and bet that students will stay closer to the school, thus more likely to donate. In case you don't get the hint, I'm talking about state schools. (Smaller) private schools need to ensure a larger proportion of wealthy alums, and allowing family connections to count makes that easier, not to mention the good will from the alumni.

    BTW you just proved the point I made here [slashdot.org]. Thank you for that.
  • by mr_matticus (928346) on Monday July 16, 2007 @11:23PM (#19883913)
    Oh come on. MAC registrations are almost wholly automated at any given large university--including Stanford, Berkeley, UBC, UC Davis, and Penn, where I have had personal experience. All you do is login with your staff (or I suppose student) account information and head to a page where you enter the MAC address(es) of your computer(s) along with your employee number and birthday or some other personally identifying information they already have on file. You click submit, and within 30 minutes you get an email saying your computers have been authorized.

    The only downside is that some schools require this must be done from an authorized computer, so you have to head to a computer lab or classroom the first time you do it. Other schools allow you to get into the system from any Internet-connected computer, which is the ideal solution, since it's behind a two-part authentication system anyway.
  • by ccollao (227727) on Monday July 16, 2007 @11:52PM (#19884081) Homepage
    But I guess it's not only the iPhone. Last night I set up MAC address restriction in my home WLAN, and I entered the iBook's MAC address incorrectly.

    So after I rebooted the base, my iBook started to try on and on repeatedly (heavily repeatedly) to connect to my wireless base.
    Just now, when I read this thread, I realized that the iBook got my wireless network bombarded by requests.
    Nothing really happened to my base, since I only had 2 computers at that time, but I can see what happens when an avalanche of those requests gets into a base.
  • by cdrguru (88047) on Monday July 16, 2007 @11:56PM (#19884113) Homepage
    Do you assume that "higher education" (past high school) is necessary for employment?

    Further, do you assume that everyone is capable of making use of such "higher education"?

    We seem to be pointed down this road in the US today and the truth is the answers to the two questions above are "no" and "oh my". So far, we're pretty far down the road of importing non-outsourceable low-skill jobs and moving everything else somewhere else so all the low-skill jobs don't exist for Americans. This isn't a long-term sustainable model because some people just aren't going to make it as "knowledge workers". Are these folks supposed to sit at home and collect welfare while illegal immigrants do the low-skill work?
  • Re:Nothing new here (Score:4, Interesting)

    by iluvcapra (782887) on Tuesday July 17, 2007 @12:36AM (#19884341)

    An interesting factoid on this, though a little OT: iPhones do not appear to implement rendezvous/bonjour/zeroconf. I can't connect to any of my Mac zeroconf hosts by connecting through the *.local domain names that bonjour usually sets up, and I've read others [duncandavidson.com] are unable to do this as well.

  • by afidel (530433) on Tuesday July 17, 2007 @01:58AM (#19884667)
    Actually, it's probably really an ARP request. They probably have a very large, flat network and when the iPhone does an ARP broadcast request the AP gets overloaded by the results. This was a known problem with the old Aironet AP's, one of the senior software guys at Cisco/Aironet produced a one-off patch for a large university client for the old VxWorks-based AP's when I supported them back around the 2001 timeframe. It was actually one of the best examples of object-oriented code I had ever seen, he changed the definition of the ARP buffer in one place, recompiled and everywhere that ARP was used the code was updated, very slick.
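Added example, not part of the thread or of any poster's comment: a sliding-window check that an admin could run over captured ARP requests to see which source MACs are flooding a segment, which is the condition the comments above are speculating about. The one-line record format, the MAC and IP values, the window and the threshold are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: "<seconds> <source MAC> who-has <target IP>" per ARP request.
# The MACs are locally administered (02:...) placeholders, not real vendor prefixes.
def build_sample():
    lines = []
    # A quiet client: one request every 5 seconds.
    for i in range(6):
        lines.append(f"{i * 5:.3f} 02:00:00:aa:00:01 who-has 10.0.0.1")
    # A noisy client: 40 requests for one address inside a single second.
    for i in range(40):
        lines.append(f"{12 + i * 0.025:.3f} 02:00:00:bb:00:02 who-has 10.9.9.1")
    # The detector needs time-ordered input, as a capture would provide.
    return sorted(lines, key=lambda line: float(line.split()[0]))

def find_arp_flooders(lines, window=1.0, threshold=20):
    """Return {mac: report} for every source that sent more than `threshold`
    ARP requests within any `window`-second span."""
    recent = defaultdict(deque)   # mac -> timestamps still inside the window
    targets = defaultdict(set)    # mac -> addresses it asked for
    peak = defaultdict(int)       # mac -> highest count seen in one window
    for line in lines:
        ts_text, mac, verb, target = line.split()
        if verb != "who-has":
            continue
        ts = float(ts_text)
        q = recent[mac]
        q.append(ts)
        # Drop requests that have aged out of the window.
        while ts - q[0] > window:
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
        targets[mac].add(target)
    return {
        mac: {
            "peak_per_window": count,
            "oui": mac[:8],  # first three octets: the vendor portion of the MAC
            "targets": sorted(targets[mac]),
        }
        for mac, count in peak.items()
        if count > threshold
    }

if __name__ == "__main__":
    for mac, report in find_arp_flooders(build_sample()).items():
        print(mac, report)
```
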
  • by Anonymous Coward on Tuesday July 17, 2007 @03:14AM (#19884999)

    "Are these folks supposed to sit at home and collect welfare while illegal immigrants do the low-skill work?"

    You aren't looking at the situation with the right frame of mind. You assume that a business has some inherent sense of right and wrong. They do not. That's not to say they are bad or good, just amoral. A business earns profits. A business does not decide to hire illegal immigrants unless it will positively affect profits in the short run. If illegal aliens are cheaper than Americans, then they're going to hire illegal aliens. A business does not often contemplate the effects of its actions other than the effect on the quarterly earnings report.

    Most illegal aliens, and legal ones, are accustomed to a lower standard of living than are Americans. That's why they are happy to work for less than an equally qualified American will. Just like when you first buy a big screen television and it seems huge at first but over time less and less so, so too do immigrants (legal and illegal) become accustomed to American standards of living. They demand more pay and better working conditions with time. As soon as it costs more to continue employing them than more recent immigrants, it means they've been "Americanized" and there is a need to replace them with "fresh" immigrants who have not been so corrupted. Over time the cumulative effect of this is that the expectations of the American working class slowly trend downward. It's not because we want less, or are more lazy, but because each successive wave of immigrants undercuts the expectations of the previous one in a never-ending spiral. Instead of playing along with the market forces of supply and demand, American companies are choosing to make an end run around the market by importing supply from other markets.

    To answer your question, no business hiring illegals cares what unskilled Americans are supposed to do.

  • by mr_matticus (928346) on Tuesday July 17, 2007 @03:37AM (#19885091)
    You make the mistaken assumption that the goal of MAC address restrictions on university campuses is to crack down with an iron fist. It's not. Since the networks are so large and fluid, with tens of thousands of users and machines, it's pointless to expend tremendous funds to lock down the Internet like a Defense Department project.

    MAC address filtering is simply a roadblock to keep the general public off the network. This need must be balanced with the high number of legitimate visitors on campuses (for presentations, symposiums, conferences, guest lectures, and all sorts of other purposes) which need to have a way to access the Internet (simple using preconfigured authentication tokens).

    The students and staff are not the concern at all. Their MAC address spoofing and playing around is simply a matter of course. It's people outside the campus community that they want kept out. A combination of authentication and MAC filtering pretty much takes care of that. Even if they do successfully spoof a valid MAC, they don't have a username/password to get past the login screen. If they've gotten all of that, there's really nothing practical that will stop them from gaining access. It's also irrelevant for that handful of people. There's little point to waste any time or money tracking them down or even trying to find those isolated incidents unless a crime or breach occurred as a result.
  • If Apple can't make hardware that works, and/or won't own up to their problems and fix them, then ban all iPhones from connecting to the university WiFi network via their MAC vendor and device ID portions. After all that is what the structure of a MAC is for - so the network admins know what kind of devices are being used.

    Banning iPhones campus wide because they are faulty would trigger some nice nasty press for Apple and piss off a lot of owners of the device - I imagine they would fix the problem much faster (or at least respond to the ticket!)

  • Re:Apple DHCP client (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 17, 2007 @08:06AM (#19886053)
    I work for a major university, and one of my projects has a few dozen Macs...I'm not a network engineer, just an educator that uses a lot of technology, but I can configure a router and have had to build my own routing tables in the past :-) This may also be considered under NDA even though I've never signed anything and wouldn't work anywhere I needed to do anything but protect my own clients' privacy, so I will be posting this anonymously.

    *BUT* on my campus we switched up to Cisco a few years ago from another major manufacturer. The Macs worked perfectly on the other manu, and if there weren't that many on the network, we could get a few running on the Cisco. I bring an entire class in? Nope.

    For months, we worked with Apple and Cisco, with Apple claiming they use the standards as provided, while Cisco claiming WE ARE THE STANDARDS. Without giving too much information (again, NDA) we have some killer network engineers. One of the engineers running some Linux-based laptops noticed that every time he hooked up, it took considerable resources away from the Cisco routers. Of course, this was a month or two into the pissing-fest. He used that particular network stack as it was 'clean'...or some other bullshit (this is what he did for a living, he needed his tools to work perfectly). This was the clue that there was something not right and it wasn't on Apple's side.

    From what I understand (and I could be completely wrong), it came out that Cisco was targeting some Windows quirk in their networking and expecting everything that connected to it to contain that same quirk. If it wasn't nonstandard, things were a little wonky. Supposedly, a robust router could deal with it as if it were nothing, but when 'certain manufacturers' tried to optimize speed based around this, it caused problems with the ones that followed the rules. Now, one of the reasons people go with Cisco is that they will offer you custom patches or other services. That's what they did for my university and things have been perfect since then.

    Again, this is what was reported back to me. It could be complete bullshit. I know as the routers were upgraded, I had no problems getting my Macs to connect wirelessly after that. Entire mobile classrooms were no problem. Most of the conversations were way over my head and maybe they oversimplified things for me. Fuck if I know.

    I wouldn't be surprised if this were the case with the iPhone...but from an ever more mobile perspective.
