new prism (connexant)
vda at port.imtp.ilyichevsk.odessa.ua
Wed Jun 16 11:14:13 EDT 2004
> >> On Tue, Jun 15, 2004 at 04:35:59PM +0300, Denis Vlasenko wrote:
> >>> Isn't 802.1X fatally flawed?
> >> Well.. When used without WPA, it allows one more way of kicking a
> >> station off the network (i.e., DoS) by sending EAPOL-Logoff. However,
> >> this is not really anything new, since the same thing can be done
> >> sending a spoofed IEEE 802.11 deauthentication frame. IEEE 802.1X
> > You are correct.
> > This proves only that some 802.[a-z0-9]* standards were done
> > by incompetent people and have serious security and DoS flaws.
> > 802.11 WEP is the most prominent example.
> > 802.11 flaws are not an excuse for 802.1X being flawed.
> > "Good" standard shall close all DoS holes, except maybe
> > things like brute-force flooding of wifi with continuous
> > stream of garbage packets.
> That doesn't mean that 802.1x (or WPA) aren't better than the
> 802.11 has several misfeatures at the MAC layer. If you're going to
> your statement to all of 802.11, then I wonder why you're on this list
> at all.
Because I have no resources to design and make alternatives. :(
> 802.1x was originally designed for Ethernet networks, where sending a
> spoofed EAP-LOGOFF message will
> be decidedly non-trival.
Why? I can send ethernet frame with ANY contents.
Logoffs should be crypto protected to make this DoS
practically impossible. Why it wasn't thought of?
> 802.11 picked up the work and applied it
> (with some changes to the 802.1x standard).
> DOS attacks are decidedly difficult to defend against. Most protocols
> can fall prey to DOS attacks.
This isn't a good excuse for making new DoSes possible.
> TCP SYN flooding, anyone?
SYN cookies. ;)
More information about the HostAP