----- Original Message -----
> From: "Chris Marget" <ch...@marget.com>

> You [I] said:
>
> > It is OK for an enterprise wifi system to make this sort of attack
> > *on rogue APs which are trying to pretend to be part of it (same ESSID).
>
> I'm curious to hear how you'd rationalize containing a copycat AP
> under the current rules.
>
> In fact, I remain fuzzy on when spoofed de-auth frames would *ever* be okay
> when used against unwilling clients within the FCC's jurisdiction given
> their position that spoofed control frames constitute interference under
> part 15 rules.
>
> This thread and similar discussions elsewhere contain assertions that
> enterprise networks "need to defend themselves" in some circumstances,
> or that "containing" an AP with a copycat SSID would certainly be okay.
>
> I'm not so sure.
>
> The "need to manage our RF space" arguments ring hollow to me. I certainly
> understand why someone would *want* to manage the spectrum, but that's
> just not anyone's privilege when using ISM bands. If the need is great
> enough, get some licensed spectrum and manage that.

I wasn't making that argument. I was making the "if someone tries to pretend to be part of my network, so that my users will inadvertently attach to them and possibly leak 'classified' data, *then that rogue user is making a 1030 attack on my network*.

> A copycat AP is unquestionably hostile, and likely interfering with users,
> but I'm unconvinced that the hostility triggers a privilege to attack it
> under part 15 rules. In addition to not being allowed to interfere, we also
> have:

You're not attacking it, per se; you are defensively disconnecting from it *users who are part of your own network*; these are endpoints *you are administratively allowed to exert control over*, from my viewpoint.

> 2. This device must accept any interference received, including
> interference that may cause undesired operation.
>
> Certificate-based authentication would solve that problem anyway,
> wouldn't it?

Probably.
And yes, any system big enough to do this stuff is likely big enough to run 1x as well.

> A "rogue" AP plugged into a wired port is best solved at the wired port,

I'm not sure anyone was actually mooting this.

> Even large private campuses like oil refineries probably wouldn't be in the
> clear doing this sort of thing unless they're able to stop law enforcement,
> delivery drivers, paramedics and firefighters at the gate in order to get
> them to agree to receive spoofed de-auth frames.

Again: you've shifted topics here from "enterprise rogue protection" (stay off *my* ESSID) to "Marriott Attack" (stay off all ESSIDs that *aren't* mine); different thing entirely.

I make a clear distinction (now that it's not 3am :-) between what Marriott is doing, and what enterprises doing rogue protection are doing, as noted above.

Still not a lawyer.

Cheers,
-- jra

--
Jay R. Ashworth          Baylink                       j...@baylink.com
Designer                 The Things I Think            RFC 2100
Ashworth & Associates    http://www.bcp38.info         2000 Land Rover DII
St Petersburg FL USA     BCP38: Ask For It By Name!    +1 727 647 1274