new prism (connexant)

Denis Vlasenko vda at port.imtp.ilyichevsk.odessa.ua
Wed Jun 16 11:14:13 EDT 2004


> >> On Tue, Jun 15, 2004 at 04:35:59PM +0300, Denis Vlasenko wrote:
> >>> Isn't 802.1X fatally flawed?
> >>
> >> Well.. When used without WPA, it allows one more way of kicking a
> >> station off the network (i.e., DoS) by sending EAPOL-Logoff. However,
> >> this is not really anything new, since the same thing can be done
> >> sending a spoofed IEEE 802.11 deauthentication frame. IEEE 802.1X
> >
> > You are correct.
> >
> > This proves only that some 802.[a-z0-9]* standards were done
> > by incompetent people and have serious security and DoS flaws.
> > 802.11 WEP is the most prominent example.
> > 802.11 flaws are not an excuse for 802.1X being flawed.
> >
> > "Good" standard shall close all DoS holes, except maybe
> > things like brute-force flooding of wifi with continuous
> > stream of garbage packets.
>
> That doesn't mean that 802.1x (or WPA) aren't better than the
> alternative.
>
> 802.11 has several misfeatures at the MAC layer.  If you're going to
> apply
> your statement to all of 802.11, then I wonder why you're on this list
> at all.

Because I have no resources to design and make alternatives. :(

> 802.1x was originally designed for Ethernet networks, where sending a
> spoofed EAP-LOGOFF message will
> be decidedly non-trival.

Why? I can send ethernet frame with ANY contents.
Logoffs should be crypto protected to make this DoS
practically impossible. Why it wasn't thought of?

> 802.11 picked up the work and applied it
> (with some changes to the 802.1x standard).
>
> DOS attacks are decidedly difficult to defend against.  Most protocols
> can fall prey to DOS attacks. 

This isn't a good excuse for making new DoSes possible.

> TCP SYN flooding, anyone?

SYN cookies. ;)
--
vda




More information about the HostAP mailing list