Hi,
At 09:47 28/09/2002, evilbunny wrote:
> Hmm the more I read about 802.1x the less appealing it seems to be,
> it seems it's an interim solution for wireless until they build math
> co-processors into AP's to handle AES encryption.
802.1X is used for authentication. AES is for encryption. Those two things
are quite different, but they complement each other, and any encryption
method (other than static point-to-point setups maybe) needs some way to
authenticate users and distribute keys. 802.1X is there for that, and if
you read current work from 802.11 Task Group i (enhanced security), you'll
see that 802.1X (and its integration with the rest of 802.11 technologies)
is definitely part of the picture (along with AES and other fun stuff).
The interim solution is the use of 802.1X just to distribute WEP keys,
which solves the authentication and key management issue, and brings a
temporary workaround for WEP flaws in that keys can be changed very often.
Once AES can be used, 802.1X remains for the first two features, and keys
will not need to be changed that often (however, per-session keys that
change at least once in a while remain a good idea).
> Currently the best practice for secured connections I can see so far
> is L2TP over IPSec...
Or L2TP or PPPoE with PPP-level encryption (a la MS-MPPE or other) or just
IPsec or... But this adds overhead on every packet transmitted, which is
more difficult to handle in hardware/firmware than 802.11 L2 encryption.
Also, in the case of IPsec, key management and authentication of individual
users can still be a nightmare.
> However for authentication L2TP should suffice...
> suggestions?
> comments?
It really depends on what you're trying to achieve, who your users are, what
your requirements are on roaming (both between nodes in your network and
between networks) and so on. I certainly think 802.1X is still the most
viable option.
Jacques.
-- Jacques Caron, IP Sector Technologies
Join the discussion on public WLAN open global roaming:
http://lists.ipsector.com/listinfo/openroaming
--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/