Therefore is WEP+IPSec the current secure limit for a wlan
with OpenBSD as hostap and Windows-XP clients?

--Jairo Souto <[EMAIL PROTECTED]> (38)9968-3447


On Mon, Nov 19, 2007 at 03:08:29PM -0800, David Newman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote:
> > Salut,
> > 
> > On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
> >> There is some layer-2 stuff that happens before layer-3 handshaking
> >> begins -- 802.11 association and deassociation, possibly layer-2
> >> learning, and 802.1X authentication if that's used. IPSec will not and
> >> cannot secure any of this.
> > 
> > Is there any need to secure that? In my local WLAN, you only have two
> > ways of proceeding if you want internet access: a Tor router, or
> > IPsec. 
> 
> Before either of those processes begin, I can associate like crazy to
> your access point. That would ensure you never get Internet access, even
> without my flinging a single IP packet at you.
> 
> I have a test tool that can associate 500 times to the same AP,
> appearing as 500 unique clients. In my experience, most APs crash and
> burn a long time before then -- and that's before seeing any IP traffic.
> 
> Even if your AP is robust enough to handle a huge number of client
> associations, the chatty nature of the 802.11 protocol ensures the
> medium will be so full of management frames that you won't be able to
> send an IP packet. (I like to think of 802.11 as a technology that
> combines the worst aspects of Ethernet and token ring...)
> 
> > If you come in without IPsec, i.e. you cannot establish the IKE
> > handshake, and if you don't use the Socks proxy Tor provides, you are
> > trapped in a local network where no one except all of the laptops are.
> > Sure thing, you can communicate with another unauthenticated laptop,
> > but I don't care that much about this scenario, since it does not
> > cause me any problems.
> 
> Does not cause *you* problems != no leakage at L2
> 
> >> Wireless LANs are a technology in which sensitive data may go in the
> >> clear at L2 before L3 gets started. In this case L2 security mechanisms
> >> such as WPA are appropriate, and do not rule out the use of
> >> complementary mechanisms like IPSec or SSL.
> > 
> > What sensitive data do you see me exchange before IPsec connectivity
> > is established?
> 
> Well, for starters every 802.11 AP broadcasts its availability 10 times
> a second. And since 802.11 is a shared-access medium, you'll also see
> the first packet of every client's 802.1X auth exchange, as well as
> SSIDs of all available stations.
> 
> > 
> >> Even if you don't care about authenticating or encrypting L2 data,
> >> there's still the issue of bandwidth and resource consumption at L2.
> >> 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the
> >> airwaves free (well, to the extent possible) can help there.
> > 
> > With a, that's not that much of a problem usually
> 
> Probably true for your setup, definitely less true in other (and
> arguably most other large-scale) setups.
> 
> Most APs consist of a dinky little CPU and a very little bit of memory,
> both easily swamped by doing too much work *just at layer 2.*
> 
> Further, they have to contend for spectrum with other 802.11 stations,
> microwave ovens, Bluetooth devices, cordless phones, ham radios (that's
> for the far more popular 2.4-GHz spectrum used by 802.11b/g/n. The
> 5.8-GHz spectrum used by 802.11a/n is much better, though still hardly
> pristine).
> 
> Anything you can do to keep your AP's RF section free and clear will
> result in a better WLAN experience, where "better" means both "faster"
> and "more secure."
> 
> dn
> iD8DBQFHQhdsyPxGVjntI4IRAiehAJ48mn685Gk0VaQ/ui50Zg07LvpKTQCgsQaW
> iEhNeWGoplX7tIAAMCYKKgc=
> =/Guk
> -----END PGP SIGNATURE-----
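
Added example, not part of the original thread or any poster's tool: a defender-side check for the association flood described above, where one AP sees hundreds of distinct client MACs associate within seconds. The event tuple layout, the AP names and both thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def detect_assoc_floods(events, window=10.0, max_clients=50):
    """Return one (bssid, window_start, alert_ts, distinct_macs) tuple each time
    an AP goes over max_clients distinct associating MACs within `window` seconds.
    `events` is an iterable of (ts_seconds, bssid, client_mac) sorted by time;
    this tuple layout and both thresholds are assumptions for the example."""
    recent = defaultdict(deque)                    # bssid -> (ts, mac) inside window
    seen = defaultdict(lambda: defaultdict(int))   # bssid -> mac -> count inside window
    alerting, alerts = set(), []
    for ts, bssid, mac in events:
        q, macs = recent[bssid], seen[bssid]
        q.append((ts, mac))
        macs[mac] += 1
        while ts - q[0][0] > window:               # expire events older than the window
            _, old = q.popleft()
            macs[old] -= 1
            if macs[old] == 0:
                del macs[old]
        if len(macs) > max_clients:
            if bssid not in alerting:              # alert once per burst, not per frame
                alerting.add(bssid)
                alerts.append((bssid, q[0][0], ts, len(macs)))
        else:
            alerting.discard(bssid)
    return alerts

def constructed_events():
    """Constructed sample data, not captured traffic."""
    ev = []
    # AP-A: five ordinary clients arriving 12 s apart
    ev += [(i * 12.0, "AP-A", f"02:00:00:00:00:{i:02x}") for i in range(5)]
    # AP-A: one flaky client reassociating 200 times (same MAC, must not alert)
    ev += [(70 + i / 100, "AP-A", "02:00:00:00:00:ff") for i in range(200)]
    # AP-B: 500 distinct MACs within 5 s, the pattern described in the thread
    ev += [(100 + i / 100, "AP-B", f"02:00:00:01:{i >> 8:02x}:{i & 0xff:02x}")
           for i in range(500)]
    return sorted(ev)

if __name__ == "__main__":
    for bssid, start, end, n in detect_assoc_floods(constructed_events()):
        print(f"{bssid}: {n} distinct MACs associated between "
              f"t={start:.2f}s and t={end:.2f}s")
```

Counting distinct MACs rather than raw association frames keeps a single misbehaving client from raising the same alert as a many-client flood.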
