-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote:
quoted text
> Salut,
> 
> On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
>> There is some layer-2 stuff that happens before layer-3 handshaking
>> begins -- 802.11 association and deassociation, possibly layer-2
>> learning, and 802.1X authentication if that's used. IPSec will not and
>> cannot secure any of this.
> 
> Is there any need to secure that? In my local WLAN, you only have two
> ways of proceeding if you want internet access: a Tor router, or
> IPsec. 

Before either of those processes begin, I can associate like crazy to
your access point. That would ensure you never get Internet access, even
without my flinging a single IP packet at you.

I have a test tool that can associate 500 times to the same AP,
appearing as 500 unique clients. In my experience, most APs crash and
burn a long time before then -- and that's before seeing any IP traffic.

Even if your AP is robust enough to handle a huge number of client
associations, the chatty nature of the 802.11 protocol ensures the
medium will be so full of management frames that you won't be able to
send an IP packet. (I like to think of 802.11 as a technology that
combines the worst aspects of Ethernet and token ring...)

If you come in without IPsec, i.e. you cannot establish the IKE
quoted text
> handshake, and if you don't us the Socks proxy Tor provides, you are
> trapped in a local network where noone except all of the laptops are.
> Sure thing, you can communicate with another unauthenticated laptop,
> but I don't care that much about this scenario, since it does not
> cause me any problems.

Does not cause *you* problems != no leakage at L2

quoted text
>> Wireless LANs are a technology in which sensitive data may go in the
>> clear at L2 before L3 gets started. In this case L2 security mechanisms
>> such as WPA are appropriate, and do not rule out the use of
>> complementary mechanisms like IPSec or SSL.
> 
> What sensitive data do you see me exchange before IPsec connectivity
> is established?

Well, for starters every 802.11 AP broadcasts its availability 10 times
a second. And since 802.11 is a shared-access medium, you'll also see
the first packet of every client's 802.1X auth exchange, as well as
SSIDs of all available stations.

quoted text
> 
>> Even if you don't care about authenticating or encrypting L2 data,
>> there's still the issue of bandwidth and resource consumption at L2.
>> 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the
>> airwaves free (well, to the extent possible) can help there.
> 
> With a, that's not that much of a problem usually

Probably true for your setup, definitely less true in other (and
arguably most other large-scale) setups.

Most APs consist of a dinky little CPU and a very little bit of memory,
both easily swamped by doing too much work *just at layer 2.*

Further, they have to contend for spectrum with other 802.11 stations,
microwave ovens, Bluetooth devices, cordless phones, ham radios (that's
for the far more popular 2.4-GHz spectrum used by 802.11b/g/n. The
5.8-GHz spectrum used by 802.11a/n is much better, though still hardly
pristine).

Anything you can do to keep your AP's RF section free and clear will
result in a better WLAN experience, where "better" means both "faster"
and "more secure."

dn
iD8DBQFHQhdsyPxGVjntI4IRAiehAJ48mn685Gk0VaQ/ui50Zg07LvpKTQCgsQaW
iEhNeWGoplX7tIAAMCYKKgc=
=/Guk
-----END PGP SIGNATURE-----