new prism (connexant)

Denis Vlasenko vda at port.imtp.ilyichevsk.odessa.ua
Wed Jun 16 01:43:11 EDT 2004


On Wednesday 16 June 2004 05:52, Jouni Malinen wrote:
> On Tue, Jun 15, 2004 at 04:35:59PM +0300, Denis Vlasenko wrote:
> > Isn't 802.1X fatally flawed?
>
> Well.. When used without WPA, it allows one more way of kicking a
> station off the network (i.e., DoS) by sending EAPOL-Logoff. However,
> this is not really anything new, since the same thing can be done
> sending a spoofed IEEE 802.11 deauthentication frame. IEEE 802.1X

You are correct.

This proves only that some 802.[a-z0-9]* standards were done
by incompetent people and have serious security and DoS flaws.
802.11 WEP is the most prominent example.
802.11 flaws are not an excuse for 802.1X being flawed.

"Good" standard shall close all DoS holes, except maybe
things like brute-force flooding of wifi with continuous
stream of garbage packets.

> authentication itself is fine, assuming the EAP method is selected
> properly, i.e., use something with tunneled encryption, e.g., EAP-PEAP
> or EAP-TTLS; or EAP-TLS if you have infrastructure for client
> certificates.
-- 
vda



More information about the HostAP mailing list