Hi.  I'm new on the list.  

Some of the issues you're discussing on this thread are being addressed
by an IEEE 802 ECSG on link security (you can subscribe to the mailing
list by sending "subscribe stds-802-linksec your-email" to
[EMAIL PROTECTED]

IMO, if they can fix .11i, the best they'll be able to do is to really
approach wired equivalent security, which will not do away with the need
for VPNs or other end-to-end protection.

Peter

-----Original Message-----
From: Jim Thompson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 11, 2003 7:35 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [BAWUG] t-mobile security strategy

        From [EMAIL PROTECTED]  Tue Mar 11 16:52:11 2003
        X-Original-To: [EMAIL PROTECTED]
        Date: Tue, 11 Mar 2003 16:51:56 -0800 (PST)
        From: Joel Jaeggli <[EMAIL PROTECTED]>
        X-X-Sender: [EMAIL PROTECTED]
        To: Jim Thompson <[EMAIL PROTECTED]>
        Cc: [EMAIL PROTECTED], <[EMAIL PROTECTED]>
        Subject: Re: [BAWUG] t-mobile security strategy
        In-Reply-To: <[EMAIL PROTECTED]>
        MIME-Version: 1.0
        Content-Type: TEXT/PLAIN; charset=US-ASCII

        On Tue, 11 Mar 2003, Jim Thompson wrote:

        > your tunnel won't protect you from a MIM attack that starts by
        > de-authing your client.

        sure if you're talking about mtm attacks on tunneled authentication
        protocols.

How about IPSEC tunnels?

        mtm attacks against ssh clients where you already have all the
        hosts' dsa keys is quite another matter. you're going to be able to
        detect it.

You're assuming something a lot like certs (so you can sign the key
exchange).  Yes, this is a solution.
But VPNs don't always employ these.
         
        > 802.11i with secured management frames is the way to fix this.


        I'd vastly prefer transport independent end-to-end encryption in
        almost every circumstance.

"almost"?

        > if you want to run VPN on top of that, the choice is yours.
        > Encryption isn't free.
        > At a minimum, it costs in latency.

        well sure, but when your laptop is a 1.7ghz p4 it can do about
        6MB/s worth of 128bit idea, which isn't too shabby... people in the
        ipsec business have $10 fpgas doing it at 1.2Gb/s

You seem to support what I said.  Even if the gates aren't free, you
still pay in latency.  Key scheduling, and moving the data, will bite,
if nothing else gets in the way.

And your 1.2Gbps is with big packets, I'll bet...

And I haven't seen an IPSEC implementation that fits in a $10 fpga (those
are pretty tiny).

$10 ASICs, on the other hand...

Jim

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
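The SSH point made above (a client that already holds the host's key can detect a man-in-the-middle because the presented key will not match) comes down to pinned host-key verification. As an added illustration that is not part of this thread, the following Python implements the known_hosts check the way OpenSSH does it, including the hashed `|1|salt|hmac` entries produced by HashKnownHosts; the key blobs, hostnames and salt are constructed sample data, not real servers.

```python
import base64
import hashlib
import hmac


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample public-key blobs (SSH wire format); not real server keys.
GOOD_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
ROGUE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Build the |1|salt|hash host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a plain comma-separated host list or a hashed |1|salt|hash entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return host in pattern.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Return 'ok', 'unknown' (no pin for this host/type yet) or 'MISMATCH'.

    A MISMATCH means a key of the same type is pinned for this host but the
    presented key differs: exactly the man-in-the-middle signal discussed above.
    """
    pinned_same_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#") or not host_matches(parts[0], host):
            continue
        if parts[1] != keytype:
            continue  # a different key type is a new key, not a changed one
        pinned_same_type = True
        if base64.b64decode(parts[2]) == blob:
            return "ok"
    return "MISMATCH" if pinned_same_type else "unknown"


# Constructed known_hosts file: one plain entry, one hashed entry (20-byte salt).
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts; example hosts and keys only",
    "gw.example.net,192.0.2.10 ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode(),
    hashed_host_entry("shell.example.org", b"0123456789abcdefghij")
    + " ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode(),
])

if __name__ == "__main__":
    for host, blob in [("gw.example.net", GOOD_BLOB), ("gw.example.net", ROGUE_BLOB),
                       ("shell.example.org", ROGUE_BLOB), ("new.example.com", GOOD_BLOB)]:
        print(host, fingerprint(blob), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", blob))
```

The "unknown" verdict is the trust-on-first-use gap: a pin protects only hosts whose key was recorded before the attacker got in the path, which is why the thread treats pre-distributed host keys as the precondition for detection.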
