new prism (connexant)
Jim Thompson
jim at netgate.com
Wed Jun 16 06:17:08 EDT 2004
On Jun 15, 2004, at 10:43 PM, Denis Vlasenko wrote:
> On Wednesday 16 June 2004 05:52, Jouni Malinen wrote:
>> On Tue, Jun 15, 2004 at 04:35:59PM +0300, Denis Vlasenko wrote:
>>> Isn't 802.1X fatally flawed?
>>
>> Well.. When used without WPA, it allows one more way of kicking a
>> station off the network (i.e., DoS) by sending EAPOL-Logoff. However,
>> this is not really anything new, since the same thing can be done
>> sending a spoofed IEEE 802.11 deauthentication frame. IEEE 802.1X
>
> You are correct.
>
> This proves only that some 802.[a-z0-9]* standards were done
> by incompetent people and have serious security and DoS flaws.
> 802.11 WEP is the most prominent example.
> 802.11 flaws are not an excuse for 802.1X being flawed.
>
> "Good" standard shall close all DoS holes, except maybe
> things like brute-force flooding of wifi with continuous
> stream of garbage packets.
That doesn't mean that 802.1x (or WPA) aren't better than the
alternative.
802.11 has several misfeatures at the MAC layer. If you're going to
apply
your statement to all of 802.11, then I wonder why you're on this list
at all.
802.1x was originally designed for Ethernet networks, where sending a
spoofed EAP-LOGOFF message will
be decidedly non-trival. 802.11 picked up the work and applied it
(with some changes to the 802.1x standard).
DOS attacks are decidedly difficult to defend against. Most protocols
can fall prey to DOS attacks. TCP SYN flooding, anyone?
As for the IEEE being incompetent as a whole... I have no good
response, so I will choose to say nothing.
Jim
More information about the HostAP
mailing list