new prism (connexant)

[Jim Thompson]

On Jun 16, 2004, at 8:14 AM, Denis Vlasenko wrote:That doesn't mean 
that 802.1x (or WPA) aren't better than the
>> alternative.
>>
>> 802.11 has several misfeatures at the MAC layer.  If you're going to
>> apply your statement to all of 802.11, then I wonder why you're on 
>> this list
>> at all.
>
> Because I have no resources to design and make alternatives. :(

There are 802.11 cards that will allow you to run your own MAC.  
Unfortunately, they're
not the subject of this list.

>> 802.1x was originally designed for Ethernet networks, where sending a
>> spoofed EAP-LOGOFF message will
>> be decidedly non-trival.
>
> Why? I can send ethernet frame with ANY contents.
> Logoffs should be crypto protected to make this DoS
> practically impossible. Why it wasn't thought of?

It was.  But the existing installed base didn't have the H.P. to deal 
with these, so the
committee didn't allow it through.   IEEE has become a very political 
process.

But trust me, it was though of, and complained about, etc.

Perhaps if you'd do some reading before you start complaining, you 
would understand.

>> 802.11 picked up the work and applied it
>> (with some changes to the 802.1x standard).
>>
>> DOS attacks are decidedly difficult to defend against.  Most protocols
>> can fall prey to DOS attacks.
>
> This isn't a good excuse for making new DoSes possible.

Quit complaining and implement, will ya?

>> TCP SYN flooding, anyone?
>
> SYN cookies. ;)

1) Show me the "standard" (RFC) for SYN Cookies.
2) Now show me how to use large windows with SYN cookies enabled (you 
can't).

Try again?

Jim