new prism (connexant)

Denis Vlasenko vda at port.imtp.ilyichevsk.odessa.ua
Wed Jun 16 11:55:58 EDT 2004


On Wednesday 16 June 2004 18:31, Jim Thompson wrote:
> On Jun 16, 2004, at 8:14 AM, Denis Vlasenko wrote:
>
> >> That doesn't mean that 802.1x (or WPA) aren't better than the
> >> alternative.
> >>
> >> 802.11 has several misfeatures at the MAC layer.  If you're going to
> >> apply your statement to all of 802.11, then I wonder why you're on
> >> this list
> >> at all.
> >
> > Because I have no resources to design and make alternatives. :(
>
> There are 802.11 cards that will allow you to run your own MAC.
> Unfortunately, they're
> not the subject of this list.

Atheros :)

> >> 802.1x was originally designed for Ethernet networks, where sending a
> >> spoofed EAP-LOGOFF message will
> >> be decidedly non-trivial.
> >
> > Why? I can send an Ethernet frame with ANY contents.
> > Logoffs should be crypto protected to make this DoS
> > practically impossible. Why wasn't it thought of?
>
> It was.  But the existing installed base didn't have the H.P. to deal
> with these, so the committee didn't allow it through.
> IEEE has become a very political process.

That explains things.

> But trust me, it was thought of, and complained about, etc.
> Perhaps if you'd do some reading before you start complaining, you
> would understand.

> >> 802.11 picked up the work and applied it
> >> (with some changes to the 802.1x standard).
> >>
> >> DOS attacks are decidedly difficult to defend against.  Most protocols
> >> can fall prey to DOS attacks.
> >
> > This isn't a good excuse for making new DoSes possible.
>
> Quit complaining and implement, will ya?

I am shifting all my work towards protocols which are
_completely_ secure (modulo bugs). SSH, SSL-wrapped mail, OpenVPN, etc.
I just caught and tracked down a bug in OpenVPN 2.0 beta2.
Whether this amounts to "not just complaining" is for you to decide.

> >> TCP SYN flooding, anyone?
> >
> > SYN cookies. ;)
>
> 1) Show me the "standard" (RFC) for SYN Cookies.

AFAIK SYN cookies do not violate TCP. The connection initiator
will not even notice that the SYN it received from the server
was sent by a SYN-cookie-enabled machine.

> 2) Now show me how to use large windows with SYN cookies enabled (you
> can't).

You're right, SYN cookies are an afterthought; they have drawbacks.
--
vda
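The SYN cookie exchange above, as an added example that is not part of this thread: a simplified Bernstein-style cookie in Python (constructed bit layout, secret and MSS table; an illustration, not the Linux implementation). The cookie is an ordinary 32-bit ISN, so the initiator needs no support, but it only has room for a 3-bit MSS index, so a window-scale option from the SYN cannot be carried, which is the drawback conceded in the reply.

```python
import hmac
import hashlib

# Constructed secret for this example; a real server draws one from a CSPRNG.
SECRET = b"example-secret-key-not-for-production"

# Assumed MSS table (3-bit index). Note what is NOT here: window scale, SACK
# or timestamp options have no field in the cookie and are therefore lost.
MSS_TABLE = [536, 1300, 1440, 1460, 4312, 8960]
HASH_MASK = (1 << 24) - 1   # low 24 bits: keyed hash
COUNTER_MASK = 0x1F         # top 5 bits: coarse time counter (mod 32)


def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed MAC over the 4-tuple and the 5-bit counter value."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_isn, client_mss, counter):
    """Server ISN for the SYN-ACK; no per-connection state is stored."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i                     # largest table entry <= client's MSS
    t = counter & COUNTER_MASK
    cookie = t << 27                    # bits 31..27: counter
    cookie |= idx << 24                 # bits 26..24: MSS index
    cookie |= (_mac24(saddr, sport, daddr, dport, t) + client_isn) & HASH_MASK
    return cookie & 0xFFFFFFFF


def check_ack(saddr, sport, daddr, dport, seq, ack, counter, max_age=4):
    """Validate the handshake's final ACK; return the MSS to use, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF     # client acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # client's first data seq is ISN + 1
    t = cookie >> 27
    if ((counter - t) & COUNTER_MASK) > max_age:
        return None                     # stale cookie: reject, nothing to free
    expected = (_mac24(saddr, sport, daddr, dport, t) + client_isn) & HASH_MASK
    if cookie & HASH_MASK != expected:
        return None                     # forged ACK or mismatched 4-tuple
    return MSS_TABLE[(cookie >> 24) & 7]
```

Because the server keeps no state between SYN and ACK, a SYN flood costs it nothing but CPU for the MAC, which is the defence the reply refers to.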