From [EMAIL PROTECTED]  Tue Mar 11 16:52:11 2003
        X-Original-To: [EMAIL PROTECTED]
        Date: Tue, 11 Mar 2003 16:51:56 -0800 (PST)
        From: Joel Jaeggli <[EMAIL PROTECTED]>
        X-X-Sender: [EMAIL PROTECTED]
        To: Jim Thompson <[EMAIL PROTECTED]>
        Cc: [EMAIL PROTECTED], <[EMAIL PROTECTED]>
        Subject: Re: [BAWUG] t-mobile security strategy
        In-Reply-To: <[EMAIL PROTECTED]>
        MIME-Version: 1.0
        Content-Type: TEXT/PLAIN; charset=US-ASCII

        On Tue, 11 Mar 2003, Jim Thompson wrote:

        > your tunnel won't protect you from a MIM attack that starts by de-authing your client.

        sure, if you're talking about mtm attacks on tunneled authentication 
        protocols. 

How about IPSEC tunnels?

        mtm attacks against ssh clients where you already have all the hosts' dsa 
        keys is quite another matter. you're going to be able to detect it.

You're assuming something a lot like certs (so you can sign the key exchange).  Yes, 
this is a solution.  But VPNs don't always employ these.

        > 802.11i with secured management frames is the way to fix this. 

        I'd vastly prefer transport independent end-to-end encryption in almost 
        every circumstance.

"almost"?

        > if you want to run VPN on top of that, the choice is yours.  Encryption isn't free. 
        > At a minimum, it costs in latency.

        well sure, but when your laptop is a 1.7ghz p4 it can do about 6MB/s worth 
        of 128bit idea, which isn't too shabby... people in the ipsec business 
        have $10 fpgas doing it at 1.2Gb/s 

You seem to support what I said.  Even if the gates aren't free, you still pay in 
latency.  Key scheduling, and moving the data, will bite, if nothing else gets in 
the way.

and your 1.2Gbps is with big packets, I'll bet...

and I haven't seen an IPSEC implementation that fits in a $10 fpga (those are pretty 
tiny).

$10 ASICs, on the other hand...

Jim

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
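The point Joel makes above, that an interposer is detectable once the client already holds the host's key, comes down to pinning: the client compares the key the server presents against the one recorded earlier, and a substituted key shows up as a mismatch. The following is an added illustration, not code from the thread or from any SSH implementation; the hostnames are hypothetical and the key blobs are constructed filler shaped like SSH public keys, not real DSA parameters.

```python
import base64
import hashlib


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length followed by the data."""
    return len(b).to_bytes(4, "big") + b


def make_key_blob(key_type: str, material: bytes) -> str:
    """Build a base64 blob with the outer shape of an SSH public key.
    The material is constructed filler for this example, not real key parameters."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(material)).decode()


# Constructed keys: the legitimate pinned key and one an interposer would present instead.
PINNED_DSA = make_key_blob("ssh-dss", b"constructed-legitimate-dsa-key")
ROGUE_DSA = make_key_blob("ssh-dss", b"constructed-substituted-key")
OLD_RSA = make_key_blob("ssh-rsa", b"constructed-retired-rsa-key")

# Constructed known_hosts excerpt (hypothetical hosts). Marker lines such as
# @revoked need their own handling and are skipped by the simple parser below.
KNOWN_HOSTS = f"""\
# pinned on first, trusted contact
gw.example.net,10.0.0.1 ssh-dss {PINNED_DSA}
@revoked shell.example.net ssh-rsa {OLD_RSA}
"""


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> {key_type: blob}, expanding comma-separated host lists."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        hosts, key_type, blob = line.split()[:3]
        for host in hosts.split(","):
            known.setdefault(host, {})[key_type] = blob
    return known


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known: dict, host: str, key_type: str, presented: str) -> str:
    """Compare the key a server presented against the pin recorded for that host.

    UNKNOWN  - no pin exists, so a substitution on first contact cannot be seen
    OK       - presented key equals the pinned key
    MISMATCH - pinned key differs: the session should be refused and investigated
    """
    pins = known.get(host)
    if pins is None or key_type not in pins:
        return "UNKNOWN"
    if pins[key_type] == presented:
        return "OK"
    return "MISMATCH"


if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    attempts = [
        ("gw.example.net", PINNED_DSA),   # genuine server
        ("gw.example.net", ROGUE_DSA),    # interposer with its own key
        ("new.example.net", PINNED_DSA),  # never seen before: nothing to compare
    ]
    for host, presented in attempts:
        print(host, fingerprint(presented), check_host_key(known, host, "ssh-dss", presented))
```

The detection only works for hosts already in the pin store; the first contact is where a client has nothing to compare against, which is why the thread contrasts this case with tunneled authentication that has no prior key. A MISMATCH should terminate the connection rather than prompt the user, since the prompt is exactly what an interposer relies on being clicked through.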