
First of all, sorry about my English; it's not great. Second of all, the question:

I want to create a unidirectional Ethernet connection between my laptop and desktop! For that I created a circuit like this (Link):

SideA           SideA           HUB PORT
-------         -------         -------
x x r r         x x r r         r r x x
6 3 1 2         6 3 2 1         1 2 3 6
| | | |         | | | |             | |
| +-/ |         | | | \-------------/ |
| |   |    OR   | | \-----------------/
+-|---/         | |             
| |             | |
| |             | |
| |             | |
6 3 2 1         6 3 2 1
r r x x         r r x x
-------         -------
SideB           SideB

It works well, but because of some security problems I need a way to isolate SideA and SideB from each other at the physical layer. To do that I think optocouplers are a good choice, but there are some problems that I face with them:

  1. Fast Ethernet (100BASE-TX) uses signal levels of -1 V, 0 V and +1 V, and optocouplers can't pass negative voltages.
  2. Optocoupler bandwidth is limited to a maximum of 90 Mbps (I saw datasheets and the max was 90 Mbps) and I need 100 Mbps. Let me know if a higher baud rate is available.

Please share with me any idea that can solve this problem. Just consider that the main problem is to isolate SideA from SideB at the physical layer, to be sure the data flow is only from SideA to SideB and not vice versa. The selection of optocouplers is just for this; I mean optocouplers are unidirectional because they use light, and light can only flow unidirectionally (I'm not sure I used the correct word or not!!!)

  • Optocouplers can't solve security issues. Ethernet is already galvanically isolated, but it is not meant to be split like that. Thus it is unlikely what you propose will work. – Justme Nov 03 '21 at 14:17
  • "*just consider that main problem is isolate SideA from SideB in phisical layer.*" How will the handshakes get back to the sending side? – Transistor Nov 03 '21 at 14:27
  • XY problem. Optocouplers is not the solution. Define isolate. Isolate as in voltage withstand between them? Isolate as in Ethernet traffic won’t be able to reach some part of the network? – winny Nov 03 '21 at 14:41
  • I mean isolate in a way that makes sure the data flow is unidirectional (from SideA to SideB and not vice versa). For that I think I need isolation at the physical layer by optics. I mean when you use light to transfer data you can't hack it anyway unless you hack physics!!! – ALI MOLLAYE Nov 03 '21 at 15:06
  • @ALIMOLLAYE You also cannot acknowledge frames, train the link, etc with that optoisolator. If you want hard-physical unidirectional comms (no need to shout or use all caps about it), you can't also take advantage of the benefits of Ethernet. The odd splitting between Side A and the hub also doesn't make a lot of sense. – nanofarad Nov 03 '21 at 15:44
  • Further, the [commercial product](https://www.fend.tech/products) I found *does* use optical isolation, but it doesn't optoisolate Ethernet directly, rather choosing to convert the signal to a better format and then isolate *that*. If you need this specialized feature, consider buying a similar device if you're not willing to do the conversion from Ethernet yourself. – nanofarad Nov 03 '21 at 15:47
  • I'm pretty sure ethernet can't possibly be unidirectional; I believe it requires bidirectional communication in order to establish communication. – Hearth Nov 03 '21 at 15:49
  • @ALIMOLLAYE Buy something off the shelf for this. If you want passive: https://greatscottgadgets.com/throwingstar/ If you need more than 100 Mbps, you need an active tap: https://www.dualcomm.com/collections/network-tap – Brad Nov 04 '21 at 04:00

5 Answers

3

The transformers used in the ethernet interface already isolate the signals galvanically.

There are probably no opto-isolators available for the required speed.

Why do you think you need opto-isolators?

Kevin White
  • thanks for your fast answer. I need to be sure that no data can cross over Ethernet from SideB to SideA. Actually I am trying to create a very cheap data diode that isolates the two sides from each other by optical devices and makes sure that no file will transfer from SideB to SideA. – ALI MOLLAYE Nov 03 '21 at 14:55
  • Since you have disconnected the Tx lines - it is not possible to send data from B to A. The wires are not there! – Kevin White Nov 03 '21 at 15:28
  • I know that, but the problem is that NICs can change the Tx and Rx connectors programmatically. To be sure unidirectionality is guaranteed we try to create an isolation at the physical layer by light (optocouplers) – ALI MOLLAYE Nov 03 '21 at 15:33
3

The simplest way to optically isolate two copper ethernet ports is to use a media converter to change to fiber-optic ethernet.

In a way this is an "XY Problem": You're trying to make sure that the directionality of an ethernet device can't change against your will, but you're asking about optocouplers because you assumed that's the way to solve your problem.

As it turns out, changing to fiber optic ethernet also solves the directionality concern: A fiber ethernet connection uses two strands: a transmit and a receive. Using only one strand guarantees unidirectionality. Not all hardware will support this.

Theodore
  • thanks for your answer. NICs can change send and receive ports programmatically, so if someone somehow changes the direction of the receive ports from SideB then the direction of data can change, and this is a security problem for unidirectional Ethernet. I try to be sure that no data can cross over Ethernet from SideB to SideA, and for that I want to create a cheap data diode and isolate the two sides by optics. – ALI MOLLAYE Nov 03 '21 at 15:01
  • @ALIMOLLAYE I have updated my answer, but this solution is not cheap – Theodore Nov 03 '21 at 19:11
1

You need to understand how ethernet works. It's not a simple piece of wire.

Opto isolation provides galvanic separation but is not the solution to filtering data.

On the physical level, as well as data frames there are synchronisation signals (called FLP, fast link pulse, IIRC) going both ways all the time, that is how the link light and speed detection works. If they are removed the link breaks and the datalink goes down. It is true that you can break the link in one direction and it might work (been there, done that) but it's not the correct solution and will break some chips. (some types of ethernet are half duplex so data travels in both directions on the same wires)

To filter data (which is transferred in frames, completely separate from the synchronisation) you need a Managed Ethernet Switch. I find the cheap ones from Mikrotik very good and easy to use.

Locate a managed switch between the devices that require data isolation. That will allow you to only allow Ethernet Frames in one direction through the management console.

Jay M
0

Ethernet requires bi-directional communication to handle handshakes, packet acknowledgement, etc.


Figure 1. Bi-directional TCP traffic. Image source: Geeks for Geeks.

The linked article explains that

TCP provides reliable communication with something called Positive Acknowledgement with Re-transmission(PAR).

This requires the bi-directional communication so your proposal will not work.

Transistor
  • There is such a thing as [unidirectional ethernet](https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/configuration/guide/config/unieth.pdf) for things like live video streaming where you continue to transmit without acknowledging receipt of packets. – Theodore Nov 03 '21 at 19:12
  • TCP is a layer 4 protocol, sitting over IP and Ethernet is layer 1 and 2. It is not required that TCP is only over Ethernet so this answer is out of context. Layer 3/4 Ethernet protocols are a thing (I once worked on them)!! – Jay M Nov 04 '21 at 11:50
  • @Theodore you can have unidirectional layer 2 Ethernet (i.e. frames in one direction) but that is not true of layer 1. Some chips need bidirectional layer 1 to work at all. – Jay M Nov 04 '21 at 11:52
  • @JasonM I've never applied unidirectional Ethernet of any kind. In putting together my answer, I encountered a [Whitepaper from Cisco](https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/configuration/guide/config/unieth.pdf) that mentioned unidirectional ethernet over a single fiber strand, which implies Layer 1. – Theodore Nov 04 '21 at 19:02
0

I'd like to toss my 2 cents in for those reading this at a later date. It's now March 2023.

1.) There are two basic protocols used in modern network communication.

  • TCP and UDP.
  • TCP uses a rigorous firmware method to ensure that data is received correctly and without error in the order it was transmitted.
  • While UDP transmits the data and only deals with basic data integrity. Data can be out of sequence and if a packet goes missing, no errors are created.

2.) Any time you have a network to hardware connection, such as a file server or even a dedicated data storage device, things still need flow control. For this you require a bi-directional connection also called Full Duplex. This is achieved by using two twisted pairs (or more) of wire, one for transmit, the other for receive. There is a fully recognized Half Duplex Ethernet connection that is, to the best of my knowledge, seldom used, but... read on...

3.) Ethernet started on Half Duplex as it was a wireless UHF connection between computer installations. Like a CB radio, the sender had to initiate a transmit, it could be done using a single twisted pair of wires.

4.) Today - well not today, some time ago actually - a method of using different voltage levels was used to transmit/receive Full Duplex data over a single twisted pair of wires (just 2 wires). It is commonly used in machine control and the automotive industry. It adds a new character to the 100BASE-T format and is called 100BASE-T1.

5.) In a typical 10BASE-T or 100BASE-T configuration, if a user were to convert the twisted pair of wires normally used to transmit data, into a one way optical connection, there is no network protocol or device control instruction that could reverse this to read the data. The interfaces might receive and execute the function, but the optical conversion would still be the same, one way.

But, this would create a series of issues that would eventually prove fatal to accurate and intact data storage.

The most basic issue would be flow control. At the receiving end, you'd need a fault tolerant buffer at least the size of a few hours of required data storage. And, the other issue would be data transmission fault tolerance.

How do you get the system to respond to a lost or corrupted packet? You don't, it's gone, possibly skewing/corrupting all the following data. What if your hard drive crashes? All data is destroyed and new data is lost.

Other options include a hardware firewall at the receive end, with stateful packet inspection and full administration control where you could set up a channel as receive only (the channel, not the drive). This would prevent any data from being read from the WAN side, but still allow full use of the TCP or UDP protocols. The data would still be available on the LAN side.

Mark
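The flow-control and lost-packet problem that Transistor's answer (TCP needs acknowledgements) and Mark's answer (a one-way link cannot recover a missing packet) both describe is what a data-diode application has to handle on its own, since nothing can come back from SideB. The following Python is an added example, not code from any of the posts: constructed sequence-numbered, CRC-protected framing for a one-way link, with a receiver that detects gaps, corrupted frames and replays instead of silently storing bad data.

```python
# Added example (not from the posts): sequence-numbered, CRC-protected framing
# for a one-way link, where the receiver can only detect loss, never request a resend.
import struct
import zlib
HEADER = struct.Struct("!IH")  # 32-bit sequence number, 16-bit payload length

def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one datagram: header + payload + CRC32 over header and payload."""
    body = HEADER.pack(seq & 0xFFFFFFFF, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)

def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or fails its CRC."""
    if len(frame) < HEADER.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    seq, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None

class DiodeReceiver:
    def __init__(self):
        self.expected = 0   # next sequence number we should see
        self.accepted = []  # payloads delivered, in order
        self.events = []    # loss/corruption log for the operator

    def feed(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.events.append("corrupt frame dropped")
            return
        seq, payload = decoded
        if seq < self.expected:  # replayed or reordered datagram
            self.events.append(f"stale frame {seq} ignored")
            return
        if seq > self.expected:  # frames in between never arrived
            self.events.append(f"gap: lost {seq - self.expected} frame(s) before {seq}")
        self.expected = seq + 1
        self.accepted.append(payload)

def demo():
    # Constructed run: frames 0..4 are sent, frame 2 is lost, frame 3 arrives corrupted.
    frames = [encode_frame(i, f"record-{i}".encode()) for i in range(5)]
    del frames[2]                                               # frame 2 never arrives
    frames[2] = frames[2][:-1] + bytes([frames[2][-1] ^ 0xFF])  # damage frame 3's CRC
    rx = DiodeReceiver()
    for f in frames:
        rx.feed(f)
    return rx.accepted, rx.events
```

In a real deployment the sender would also repeat or forward-error-code each frame, because the log above is the only feedback anyone ever gets.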