Host based encryption needed with 1X?

Jouni Malinen jkmaline at cc.hut.fi
Thu Jan 9 23:49:14 EST 2003


On Thu, Jan 09, 2003 at 04:08:05PM +0100, Jacques Caron wrote:

> If you are using encryption (which you should, with 802.1X), then host 
> based encryption is needed because there's one key per station, and there 
> is no known interface in the hostap firmware code to tell the card to use 
> different keys for each station.

In addition, IEEE 802.1X requires that EAPOL packets are passed through
unencrypted, which requires host-based encryption with current firmware
versions.

> 802.11i contains a lot more than just 802.1X, and even 802.1X is changing 
> (with 802.1aa), so I think the hostap 802.1X code is more "de facto 
> standard" (mainly Cisco and XP) compliant than anything (the exact way to 
> use 802.1X with 802.11 was/is not defined yet).

I have updated hostapd code to latest 802.1aa draft. However, couple of
changes are commented out since they seem to break key distribution. As
far as I know, it would be fair to say that 802.1X code in hostapd is
mostly standard compliant. As far as 802.1X use with 802.11 is
concerned, yes, it is currently, for many parts, de facto standard.
Anyway, some parts are specified in non-normative Appendix of 802.1X
(and also as an informational Internet-Draft,
draft-congdon-radius-8021x-20.txt).

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list