On Wed, 14 Jun 2000, William Allen Simpson wrote:

> But part of this is a problem with the Lucent design.  There is only one 
> key for the entire network.  Evil.  There should be a separate key for 
> each user (or card), probably based on the MAC address (the card address).

Hmm, I thought there was (or could be) a separate key per card.  Seems to
me I've heard of contracts where per-card keys have been factory-installed
for large customers (how these would be shared with the access points I
don't know).

> I've heard that there is a project to run PPPoE on top of 802.11, to give 
> this per user capability.  That seems even sillier to me!

You may be referring to the 802.1x initiative, see 

  http://grouper.ieee.org/groups/802/1/pages/802.1x.html

This describes EAPOL, "extended authentication protocol over LANs", which
uses more or less the EAP scheme defined for use over PPP, but runs it
over plain old LAN framing (i.e., Ethernet, in that case, or however 802.11
does framing in its case).  This enables the use of any of the (very few)
authentication methods defined for EAP to authenticate two LAN endpoints.  
There's a key distribution method included in 802.1x; I haven't looked
closely enough to determine its features.

Using the EAP-TLS defined in (experimental) RFC 2716, you could
theoretically establish keys for use with WEP via the usual TLS method.

> What's wrong with the design for IEEE ethernet security, that it cannot 
> be used per user?

I don't see that there is inherently anything that makes it so.  Why do
you think it can't be done per-user?

 - RL "Bob"
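An added example, not part of this thread, of the EAPOL framing described above: EAP packets carried in plain Ethernet frames with EtherType 0x888E, built and parsed in Python. The EAPOL header layout (version, packet type, body length) and EAP header (code, identifier, length, type) are the standard ones from 802.1X and RFC 2284; the MAC addresses and identity string are constructed sample values.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                          # EtherType for 802.1X / EAPOL
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # 802.1X PAE group MAC address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}      # the two methods discussed above

def build_eapol(src_mac, eapol_type, body=b"", dst_mac=PAE_GROUP_ADDR, version=1):
    """Wrap an EAPOL body in an Ethernet II header plus the 4-byte EAPOL header (no FCS)."""
    eth = dst_mac + src_mac + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", version, eapol_type, len(body)) + body

def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Build an EAP packet: Code, Identifier, Length, then Type/Type-Data for Request/Response."""
    payload = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def parse_eapol(frame):
    """Parse an Ethernet frame carrying EAPOL into a dict; raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame: ethertype 0x%04x" % ethertype)
    version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:                         # length field must not overrun the frame
        raise ValueError("EAPOL body length %d exceeds frame" % blen)
    out = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
           "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype)}
    if ptype == 0:                                # EAP-Packet: the body is an EAP packet
        if blen < 4:
            raise ValueError("EAP packet shorter than 4 bytes")
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > blen:               # EAP length must fit inside the EAPOL body
            raise ValueError("EAP length %d inconsistent with EAPOL body %d" % (elen, blen))
        out.update(code=EAP_CODES.get(code, "unknown(%d)" % code), id=ident)
        if code in (1, 2) and elen >= 5:          # Request/Response carry a Type byte
            out["eap_type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
            out["type_data"] = body[5:elen]
    return out
```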
