Therefore is WEP+IPSec the current secure limit for a wlan with OpenBSD as hostap and Windows-XP clients?
--Jairo Souto <[EMAIL PROTECTED]> (38)9968-3447

On Mon, Nov 19, 2007 at 03:08:29PM -0800, David Newman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote:
> > Salut,
> >
> > On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
> >> There is some layer-2 stuff that happens before layer-3 handshaking
> >> begins -- 802.11 association and deassociation, possibly layer-2
> >> learning, and 802.1X authentication if that's used. IPSec will not and
> >> cannot secure any of this.
> >
> > Is there any need to secure that? In my local WLAN, you only have two
> > ways of proceeding if you want internet access: a Tor router, or
> > IPsec.
>
> Before either of those processes begin, I can associate like crazy to
> your access point. That would ensure you never get Internet access, even
> without my flinging a single IP packet at you.
>
> I have a test tool that can associate 500 times to the same AP,
> appearing as 500 unique clients. In my experience, most APs crash and
> burn a long time before then -- and that's before seeing any IP traffic.
>
> Even if your AP is robust enough to handle a huge number of client
> associations, the chatty nature of the 802.11 protocol ensures the
> medium will be so full of management frames that you won't be able to
> send an IP packet. (I like to think of 802.11 as a technology that
> combines the worst aspects of Ethernet and token ring...)
>
> > If you come in without IPsec, i.e. you cannot establish the IKE
> > handshake, and if you don't use the Socks proxy Tor provides, you are
> > trapped in a local network where no one except all of the laptops are.
> > Sure thing, you can communicate with another unauthenticated laptop,
> > but I don't care that much about this scenario, since it does not
> > cause me any problems.
>
> Does not cause *you* problems != no leakage at L2
>
> >> Wireless LANs are a technology in which sensitive data may go in the
> >> clear at L2 before L3 gets started. In this case L2 security mechanisms
> >> such as WPA are appropriate, and do not rule out the use of
> >> complementary mechanisms like IPSec or SSL.
> >
> > What sensitive data do you see me exchange before IPsec connectivity
> > is established?
>
> Well, for starters every 802.11 AP broadcasts its availability 10 times
> a second. And since 802.11 is a shared-access medium, you'll also see
> the first packet of every client's 802.1X auth exchange, as well as
> SSIDs of all available stations.
>
> >> Even if you don't care about authenticating or encrypting L2 data,
> >> there's still the issue of bandwidth and resource consumption at L2.
> >> 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the
> >> airwaves free (well, to the extent possible) can help there.
> >
> > With a, that's not that much of a problem usually
>
> Probably true for your setup, definitely less true in other (and
> arguably most other large-scale) setups.
>
> Most APs consist of a dinky little CPU and a very little bit of memory,
> both easily swamped by doing too much work *just at layer 2.*
>
> Further, they have to contend for spectrum with other 802.11 stations,
> microwave ovens, Bluetooth devices, cordless phones, ham radios (that's
> for the far more popular 2.4-GHz spectrum used by 802.11b/g/n. The
> 5.8-GHz spectrum used by 802.11a/n is much better, though still hardly
> pristine).
>
> Anything you can do to keep your AP's RF section free and clear will
> result in a better WLAN experience, where "better" means both "faster"
> and "more secure."
>
> dn
> iD8DBQFHQhdsyPxGVjntI4IRAiehAJ48mn685Gk0VaQ/ui50Zg07LvpKTQCgsQaW
> iEhNeWGoplX7tIAAMCYKKgc=
> =/Guk
> -----END PGP SIGNATURE-----
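
The association flood described in the quoted message (one tool appearing as 500 unique clients) shows up on the defender's side as a burst of distinct station MACs associating to a single AP before any IP traffic exists. The following is an added example, not part of the original thread: a sliding-window detector over association records, where the log format, the thresholds and the MAC addresses are constructed assumptions rather than the output of any real AP.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not the output of any real AP or hostapd):
#   <ISO timestamp> ap=<BSSID> event=assoc sta=<station MAC>
def parse_line(line):
    """Return (timestamp, ap, sta) for an association record, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("event") != "assoc" or "ap" not in fields or "sta" not in fields:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, fields["ap"].lower(), fields["sta"].lower()

def detect_assoc_floods(lines, window_s=10, max_new_stations=20):
    """Flag APs where more than max_new_stations distinct MACs associate within window_s seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # ap -> deque of (ts, sta) inside the window
    alerts = {}                      # ap -> (first alert time, distinct count)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip malformed or non-association records
        ts, ap, sta = rec
        q = recent[ap]
        q.append((ts, sta))
        while q and ts - q[0][0] > window:
            q.popleft()              # expire events older than the window
        distinct = len({s for _, s in q})
        if distinct > max_new_stations and ap not in alerts:
            alerts[ap] = (ts, distinct)
    return alerts

def sample_log():
    """Constructed data: one quiet AP, one AP hit by 500 'unique' clients in 5 s."""
    base = datetime(2007, 11, 19, 15, 0, 0)
    lines = ["garbage line that must be ignored"]
    for i in range(5):               # normal: 5 laptops, one per minute
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} ap=00:00:5e:00:53:01 event=assoc sta=00:00:5e:00:53:{0x10 + i:02x}")
    for i in range(500):             # flood: 500 distinct MACs, 10 ms apart
        t = base + timedelta(milliseconds=10 * i)
        lines.append(f"{t.isoformat()} ap=00:00:5e:00:53:02 event=assoc sta=02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    return lines
```

Records are assumed to arrive in time order per AP; the default window and threshold are illustrative and need tuning to the normal association rate of the network being monitored.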