Why not transfert the wireless-independant AP functionalities onto a central Ethernet-PC ?

Jean Tourrilhes jt
Tue Oct 21 16:47:03 PDT 2003 

On Wed, Oct 22, 2003 at 01:02:06AM +0200, Dominique Blas wrote:
> Le Mardi 21 Octobre 2003 22:22, Jean Tourrilhes a ?crit :
> > Dominique Blas wrote :
> > > as you can see market AP products are evolving so fast that a new
> > > generation appears every 4 months.  I do not speak of 802.11
> > > standards but only about wireless-independant fonctionalities like
> > > WEP, WEP2, TKI, EAP, WEP key distribution, and so on.
> >
> > 	That's why sensible people/companies are deploying IPsec. Just
> > one IPsec gateway to serve any number of APs you want, and IPsec is
> > proven to be secure. Obviously, all the AP vendor want to lock you in
> > their hardware and upgrade cycle, so would rather pretend that IPsec
> > won't work.
> 
> Hi Jean,
> 
> I'm using IPSEC everyday so I know about it.
> 
> But IPSEC is acceptable for closed populations. And is difficult or impossible to deploy on public hotspots !

	You admit defeat even before starting ;-)
	Note that any solution which claim to be easy won't be secure
and vice versa. There is nothing in the IPsec standard that would
prevent it to be deployed easily (and in insecure manner).

> On such a population you are compelled to follow the different recommandations and standards. No way of doing your own things, it doesn't work because you don't know anything about
> the people (and his PC) that lie behind an dynamic IP address and you don't want to change anything on his PC beacause you fear to loose him if things are going wrong.

	Same with WEP/802.1x/WPA, you don't know what the client
support in term of authentication and key size. And each vendor's API
will be different.
	Note that the problem you describe are only implementation
issues, not a problem with the IPsec standard and architecture itself.

> Moreover IPSEC clients are not very easy to install, even for an expert : application, configuration and certificates.

	Again, that's only an implementation issue, not a problem with
the IPsec standard and architecture itself.

> That is why I suggested to transfert this kind of public secure fonctionalities on a PC rather than using the ones insides the APs.

	And this is exactly what IPsec provides.
	The way 802.1x has been designed make it impossible to
separate from the AP because it works at L2 and share some state with
the bridge.

> It's understandable that AP manufacturers (cartel ?) try to lock their customers in their upgrade cycle but we, the hostap community, we know about that system. So why don't we
> upgrade hostapd in order to support this kind of things when running on an Ethernet interface ?

	Why do you need to reinvent the wheel ? IPsec provides exactly
that.
	I'm really amazed that people dismiss IPsec so quickly and are
locked "inside the box". 802.1x/WPA just applies a lot of the same
techniques as IPsec at L2 instead of L3, so in term of features there
is not much that 802.1x/WPA can do that IPsec can't do. And I
personally don't believe that scalability is much different.
	Now, I will agree with you that all current IPsec
implementations are crappy and not designed for wireless. But, that's
not a good excuse to throw away a perfectly good technology.
	Actually, Ericsson was pushing to use IPsec for securing
802.11 and had a complete solution (client and IPsec gateway). Shame
that other didn't follow.

> > 	Now, if we could get IPsec accelerated hardware and proper
> > IPsec integration in the OS, life would be much better.
> 
> db

	Jean

More information about the Hostap mailing list