new prism (connexant)

Jim Thompson jim
Wed Jun 16 03:17:08 PDT 2004


On Jun 15, 2004, at 10:43 PM, Denis Vlasenko wrote:

> On Wednesday 16 June 2004 05:52, Jouni Malinen wrote:
>> On Tue, Jun 15, 2004 at 04:35:59PM +0300, Denis Vlasenko wrote:
>>> Isn't 802.1X fatally flawed?
>>
>> Well.. When used without WPA, it allows one more way of kicking a
>> station off the network (i.e., DoS) by sending EAPOL-Logoff. However,
>> this is not really anything new, since the same thing can be done
>> sending a spoofed IEEE 802.11 deauthentication frame. IEEE 802.1X
>
> You are correct.
>
> This proves only that some 802.[a-z0-9]* standards were done
> by incompetent people and have serious security and DoS flaws.
> 802.11 WEP is the most prominent example.
> 802.11 flaws are not an excuse for 802.1X being flawed.
>
> "Good" standard shall close all DoS holes, except maybe
> things like brute-force flooding of wifi with continuous
> stream of garbage packets.

That doesn't mean that 802.1x (or WPA) aren't better than the 
alternative.

802.11 has several misfeatures at the MAC layer.  If you're going to 
apply
your statement to all of 802.11, then I wonder why you're on this list 
at all.

802.1x was originally designed for Ethernet networks, where sending a 
spoofed EAP-LOGOFF message will
be decidedly non-trival.   802.11 picked up the work and applied it 
(with some changes to the 802.1x standard).

DOS attacks are decidedly difficult to defend against.  Most protocols 
can fall prey to DOS attacks.   TCP SYN flooding, anyone?

As for the IEEE being incompetent as a whole...   I have no good 
response, so I will choose to say nothing.

Jim





More information about the Hostap mailing list