Implement send-only (one-way) Ethernet cable

Question

I want to build a unidirectional comminucation. In transportation layer of this device, it needs a one-way media to send data from side A to side B.

All commercial products use SFP. I tested some SFP devices but they have negotiation between the two sides and cutting RX fiber is not possible.
Is it possible to implement One-way connection with CAT5 cable?

SideA { tx --> rx } SideB

Even if your device only sends data, what harm does it do to still connect the RX pair from the ethernet switch to this device for negociation purposes? — dim, Jan 09 '17 at 08:36
You can certainly do that with cat5/6 cable, although you will need to configure both ends to disable auto negotiation. May be limited to 100mbit. — pjc50, Jan 09 '17 at 08:54
Well, you don't actually define what a data diode is. You can't make up a term and assume we'll understand it. Anway, it seems you need a device that allows only one-way ethernet communication, and drops all packets going in the wrong direction. This probably can't by done at the physical layer, since it will mess up with the link detection pulses and autonegotiation. One way to design this would probably be to connect two PHY chips back-to-back (making a simple ethernet transceiver), and, on one side, pull all the TX-related pins of the MAC interface to ground. — dim, Jan 09 '17 at 08:54
And I think just disabling the autonegotiation won't suffice, since the link detection pulses won't be allowed to travel both ways. So the link integrity test will fail. — dim, Jan 09 '17 at 08:55
What protocol are you going to use? If TCP/IP, then you **need** the return path for ACK/NACK, the protocol won't work without them. I have seen papers published on the design of protocol for 'data diodes' for connecting secure systems to unsecure ones, and they spent most of the time proving that the data leak rate in the 'other' direction assuming a worst case compromised system could not exceed some system specified limit, in this case for their protocol it was <= 0.1 baud reverse based on acknowleding 10s packets of forward data, which was deemed low enough for US govt use at the time. — Neil_UK, Jan 09 '17 at 09:11
It's easy to implement a one way connection over CAT5. Use RS232 and only connect the transmit and ground wires. Since you don't state a required protocol or data rate only a physical cable that meets all the requirements given in your question. If you want to use some form of ethernet then you'll almost certainly have to do the filtering at a higher level in software. — Andrew, Jan 09 '17 at 11:01
@Neil_UK I'm pretty sure he's not going to use TCP, since one-way communication and guaranteed delivery are mutually exclusive by definition. — Dmitry Grigoryev, Jan 09 '17 at 12:36
@Neil_UK the Only protocol that can be used in Data Diode between two side is UDP. — M-Razavi, Jan 09 '17 at 13:05
@Razavi If you want data to only flow in one direction, why use ethernet at all? I mean, it's a **network** protocol... — Marcus Müller, Jan 09 '17 at 13:33
@MarcusMüller One reason would be to reuse existing communication stack software, instead of investing hundreds of man-hours into writing and debugging your own. — Dmitry Grigoryev, Jan 09 '17 at 14:21
@MarcusMüller It's possible to use UART,USART, I2C ,... but implementing each of them needs much more time and data rate speed is important. — M-Razavi, Jan 09 '17 at 14:33
Wanting to force one-way communication is an unusual thing to do. I only know of a few cases where it would be desirable. In every one of those cases, there is some externally provided set of requirements that you are being given as to what "one way communication" means to the entity giving you those requirements. For example, if they accept the OSI model, they may specify what layer the one-way behavior must be at. What requirements do you have to work to? — Cort Ammon, Jan 09 '17 at 14:52
@Razavi thanks for the confirmation. Yes, it'll be hard to implement a high-speed unidirectional link on your own, especially when it's meant to be used as a transport for network data, anyway. — Marcus Müller, Jan 09 '17 at 15:00
Specifically state the nature of the tx data, the data rate required and any Rx decoding required. This can be done quite simply but there are a lot of confusing thoughts going on here so, @Razavi, clear all this up and state specifically what you require so that an answer can be given instead of opinions and thoughts. If you can't provide further information then please explain why. It seems to me that you want a point-to-point data send system. — Andy aka, Jan 10 '17 at 09:28

Dmitry Grigoryev · Accepted Answer · 2017-12-21T09:39:30.167

One-way Ethernet cables won't work with Gigabit network equipment and later, because without a return path the autonegotiation sequence will never complete. You'll see a "Network cable unplugged" or an equivalent message on both devices if you try to use such a cable.

Older Ethernet devices won't work with simple one-way cables either, but can be fooled to do so. This website has practical instructions for building suitable cables. In the essence, you'll have to do something like this:

SideA           SideA           HUB PORT
-------         -------         -------
x x r r         x x r r         r r x x
6 3 1 2         6 3 2 1         1 2 3 6
| | | |         | | | |             | |
| +-/ |         | | | \-------------/ |
| |   |    OR   | | \-----------------/
+-|---/         | |             
| |             | |
| |             | |
| |             | |
6 3 2 1         6 3 2 1
r r x x         r r x x
-------         -------
SideB           SideB

The extra Hub port is needed to provide voltage over the RX pair of SideA, to fool it into believing there's a transmitter on the other end.

If none of the above works, or you cannot disable auto-negotiation, the next best thing is to implement two Ethernet-enabled devices with a one-way data path between them. For example, a couple of Ethernet PICs with a unidirectional UART in between should be able to do the trick.

One thing you should ask yourself before you proceed is whether you really need a data diode. Here's what the experts say:

Most organizations don’t need a new protection technology like data diodes. [...] Assuming the [firewall] rules only allow inside-out, UDP-based communication, and there is no misconfiguration in the firewall, I can’t recall a firewall exploit that would allow an external attacker to gain access into the CCA perimeter.

@Razavi How exactly did it not work? Do you have auto-negotiation enabled on your NICs? — Dmitry Grigoryev, Jan 11 '17 at 08:44
@Razavi I have also added a second circuit variant, but if anything, it's even less sure to work (albeit simpler to make). You can try it out, but I suggest debugging the original 3-headed cable. — Dmitry Grigoryev, Jan 11 '17 at 09:04

Olin Lathrop · Answer 2 · 2017-01-09T12:22:37.870

If you want "one way data direction", you have to do it at a higher level. Various things assume bi-directional communication at the low levels, even if app-level data is only flowing one way.

For example, even if you send data in only one direction over a TCP connection, there will still be packets going back and forth in both directions. You can get away with one-way packets for data by using UDP, but depending on what you're doing it may take bi-directional communication to set up a connection.

You may think you'll just stick to UDP, but many protocols are layered on TCP, which absolutely requires sending packets both directions. Examples include HTTP (web browsing) and SMTP (email).

Ethernet also assumes some bi-directional communication between the two endpoints, even if higher level data is only carried one way. There a link pulses, and possibly some auto-negotiation of low level communication parameters.

To get what you want, you basically have to make your own router (although it can much more stripped down than a arbitrary "router"). Your device still needs to send and receive packets to/from the network. It interprets some of these packets and passes data in only one direction over the other port. Note that this most likely requires bi-directional communication at the low levels again at the other side of the router, even with application-level data flowing only one way.

If one keeps bidirectional cables in the setup, one could simply install a firewall on SideB which rejects all outgoing packets except TCP acknowledgements. — Dmitry Grigoryev, Jan 09 '17 at 12:20
@Dmitry: I'm not sure it's exactly that simple, but yes, that's what I meant by making your own router. It takes logic at that level to implement one-way data, while still receiving and sending the necessary low level packets. — Olin Lathrop, Jan 09 '17 at 12:24
The point of a data diode is to *absolutely guarantee* no data goes in one direction... when you start to allow acknowledgements back, then there's no point in calling it a diode, it's just a firewall. — user253751, Jun 14 '17 at 06:48
@immi: Neither the question nor may answer say anything about a "data diode". — Olin Lathrop, Jun 14 '17 at 10:46

score 5 · Answer 3 · answered Feb 05 '17 at 09:23

It is possible on 10BASE-T and 100BASE-TX, but not on 1000BASE-T because the latter uses bidirectional transmission on each pair.

To enable such a mode, you need an MDIO/MDC (management) access to the PHY at least at the TX side of the one-way link, to configure it like the following:

disable AUTONEG
force 100BASE-TX (or 10BASE-T, but not 1000BASE-T)
force full duplex
disable FAR END FAULT signaling

Configuring the RX PHY is optional but may help depending on the hardware specifics. If used, the RX PHY configuration is the same as the TX PHY.

It is equipment specific, but many managed switches (with SFPs or not) provide the user with an ability to manually configure the Ethernet ports via Web interface and/or console. You need to examine the datasheets on your equipment first and then trial on it.

What about other answers, @Dmitry's left scheme may fail because neither 100BASE-TX nor 10BASE-T is intended to be used on single pair from the box, while his right scheme is closer to what you need but where we could get a true hub (not switch) today? and also, a hub works only with 10BASE-T.

Meanwhile @Olin speaks about something (higher level) else but not about the (physical, medium-restricted) data diode you ask on.

score 0 · Answer 4 · answered Jul 17 '17 at 13:41

Works only at 10/100mbps . If you fix port speed at 100mbps. Loop back Tx+ to Rx+ (and optionally Tx- to Rx-) on the sender and parallelly connect Tx+ and Tx- of transmitter to Rx + and Rx- of reciever. I have observed that Rx should recieve a voltage for the port to be considered enabled. While this is not a problem with the reciever as receiver s rx is connected to sender's TX. The transmitter on other hand has his receive legs free. You can possiblly connect a battery here??!. But simpler solution is to loopback from its own tx.

UDP broadcast is a good option..assuming you are transmitting blindly..and obviously cannot see anything at the other end of the wire responding due to one way setup.multiple transmission of same packets can help in case of packet loss??? Thats for you to figure

score 0 · Answer 5 · edited Oct 14 '17 at 09:00

0

There is a solution and it was designed for data diode applications. It is the unmanaged media converter, modified to use in pairs and support one way traffic from B+B SmartWorx. 856-10730-RX and 856-10730-TX

edited Oct 14 '17 at 09:00

M-Razavi

163
1
3
8

answered Oct 13 '17 at 18:15

susan stanley

1

Did you compare the cost of these tow method costs??? – M-Razavi Oct 14 '17 at 07:02
1

You should compare the costs - it is your funds or budget not ours or hers.... @Razavi – Solar Mike Oct 14 '17 at 09:03

score 0 · Answer 6 · answered Aug 20 '21 at 21:48

First, for those that don't know what a data diode is or what its uses are, you should start here. There are many VERY good reasons for implementing this type of solution.

https://en.wikipedia.org/wiki/Unidirectional_network

As for how to handle this, you have a number of options. You could purchase an off-the-shelf solution. Some of these solutions are very expensive and come with NSA certification. Other, simpler solutions cost less and will meet your needs, but you'd have to search around. Here is an example of a cheaper solution.

https://www.canarycom.com/index5.html

If you're a bit savvy with copper network cabling, you could try the trick Dimitry points to. Or, if you want to try and use fiber, you could try a similar trick by connecting two "low-side" devices together (Tx to Rx) to keep the Tx of the second device active. I've seen this done with two CAT-to-FO converters and it worked perfectly. I've not tried it on a computer NIC.

Also, for those who are speculating about the transmission protocols, that's what UDP is for. Works wonders when you don't need or expect a response.

Implement send-only (one-way) Ethernet cable

6 Answers6

Linked