securing OpenBSD wireless network
Hi gang,

So I'm setting up my first wireless network for a small business with OpenBSD acting as internet gateway. I am familiar with OpenBSD as gateway but not in the wireless context. I picked myself up a card that the docs say is supported (Linksys WMP54G) and will be installing 4.2 from my CD this evening.

At this point I'm asking myself the obvious question. How do I secure my network? I see that authpf is used a lot but is there anything else I can do? What of VPN? If so, what implementation?

My client stations will be Ubuntu Linux.

Thank you in advance to any responders,

// juan
Re: securing OpenBSD wireless network
On Nov 16, 2007 2:39 PM, Juan Miscaro <[EMAIL PROTECTED]> wrote:
> At this point I'm asking myself the obvious question. How do I secure
> my network? I see the authpf is used a lot but is there anything else
> I can do? What of VPN? If so, what implementation?

I combined authpf with OpenVPN, using some big hints from some easily google-able places. Even though WEP and WPA aren't supported by OpenBSD, I still wanted to have authenticated and encrypted traffic. This might be overkill for some but it works for me.

After setting up the wireless interface to dhcpd a private netblock, I locked it down with pf:

    block in on $wlan_if
    pass in on $wlan_if proto udp to port { bootps, bootpc }
    pass in on $wlan_if proto udp to ($wlan_if:0) port domain
    pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh

Then I set up authpf to allow authenticated users the ability to connect to the VPN:

    pass in on $wlan_if proto udp from to ($wlan_if:0) port 1194

Next I configured OpenVPN in routed mode. It hands out IPs from yet another private netblock I have permanently attached to lo1.

Finally, I treat the tun0 interface like a semi-trusted wired interface in pf and apply my standard list of allowable client applications:

    client_if = "{ sk0, tun0 }"
    pass in on $client_if proto udp to port $udp_client_ports
    pass in on $client_if proto tcp to port $tcp_client_ports

This obviously isn't my full pf.conf, and care must be taken because the rules are highly dependent on order. My initial setup took nearly a full day to configure and troubleshoot, since I had to get pf, authpf, dhcpd, named, and OpenVPN to all cooperate. I found that selectively allowing and denying ICMP was of great assistance while testing pf rules, and tcpdump to be essential when I had other services misconfigured.

Windows and OS X OpenVPN clients are readily available and configuration is easy if you understood what you were doing when setting up the OpenVPN server.

Although I feel like I've got a good handle on all the interactions here, I'm no professional and if there are any gaping holes in this setup, I am eager to hear about them. I plan to investigate IPSEC in the near future, which may be an alternative.

--david
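The layout David describes, written out as one coherent pf.conf plus the matching authpf.rules, as an added example that is not David's own configuration. Everything David did not name is an assumption here: the interface names (ral0 for the wireless card, fxp0 upstream, sk0 for the wired LAN, tun0 for OpenVPN), the two private netblocks, and the client port lists. The ruleset follows OpenBSD 4.2 conventions: translation rules before filter rules, stateful pass by default, and the authpf anchors in both sections so that authpf(8) can load a user's rules at login.

```pf
# /etc/pf.conf -- added example for an authpf + OpenVPN wireless gateway.
# Interface names, netblocks and port lists are assumptions, not from the post.
wlan_if   = "ral0"             # wireless card in hostap mode (assumed)
ext_if    = "fxp0"             # upstream/internet interface (assumed)
client_if = "{ sk0, tun0 }"    # wired LAN and the OpenVPN routed-mode tun
wlan_net  = "192.168.10.0/24"  # what dhcpd hands out on $wlan_if (assumed)
vpn_net   = "10.8.0.0/24"      # what OpenVPN hands out; lives on lo1 (assumed)

tcp_client_ports = "{ ssh, smtp, www, https, imaps }"   # assumed client policy
udp_client_ports = "{ domain, ntp }"                     # assumed client policy

# authpf(8) adds an authenticated station's address here for the life of
# its ssh session; the per-user rules it loads land in the anchors below.
table <authpf_users> persist

set skip on lo

# Translation section: authpf's translation anchors, then our own NAT.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# Only the VPN netblock is NATed to the internet; the raw wireless
# netblock never is, so an unauthenticated station has nowhere to go.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Filter section. Default deny inbound, stateful pass outbound.
block in log all
pass out keep state

# Wireless segment: an unauthenticated station may talk to DHCP, to the
# gateway's resolver, and to the gateway's sshd (where authpf runs).
pass in on $wlan_if proto udp to port { bootps, bootpc }
pass in on $wlan_if proto udp to ($wlan_if:0) port domain
pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh

# Per-user rules loaded by authpf. Last matching rule wins, so the anchor
# sits after the blanket wireless rules and can only widen them.
anchor "authpf/*"

# Decrypted VPN traffic arrives on tun0 and is treated like the wired LAN.
pass in on $client_if proto udp to port $udp_client_ports
pass in on $client_if proto tcp to port $tcp_client_ports

# /etc/authpf/authpf.rules -- loaded into the anchor authpf/<user>(<pid>)
# when the user logs in. Macros from pf.conf are not visible here; authpf
# only provides $user_ip and $user_id, so the interface name is repeated.
wlan_if = "ral0"   # must match pf.conf (assumed name)

# Only the station that authenticated may reach the OpenVPN listener.
pass in on $wlan_if proto udp from $user_ip to ($wlan_if:0) port 1194
```

To make this work, the authpf users get /usr/sbin/authpf as their login shell and /etc/authpf/authpf.conf must exist (an empty file is enough). On the OpenVPN side, `dev tun` together with `server 10.8.0.0 255.255.255.0` gives the routed mode David describes, with the server itself holding the first address of that netblock; a client first runs `ssh -N user@gateway` to get its authpf rule loaded, then starts OpenVPN towards UDP 1194.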
Re: securing OpenBSD wireless network
On Nov 17, 2007 8:35 AM, David Higgs <[EMAIL PROTECTED]> wrote:
> I combined authpf with OpenVPN, using some big hints from some easily
> google-able places. Even though WEP and WPA aren't supported by
> OpenBSD,

OpenBSD supports WEP.

---
Lars Hansson
Re: securing OpenBSD wireless network
Lars Hansson wrote:
> On Nov 17, 2007 8:35 AM, David Higgs <[EMAIL PROTECTED]> wrote:
>> I combined authpf with OpenVPN, using some big hints from some easily
>> google-able places. Even though WEP and WPA aren't supported by
>> OpenBSD,
>
> OpenBSD supports WEP.

Does it even matter?
Re: securing OpenBSD wireless network
On Sun, Nov 18, 2007 at 10:51:49PM -0700, Clint Pachl wrote:
>>> OpenBSD supports WEP.
>
> Does it even matter?

Well, if you want to prevent someone from accidentally connecting to your network, yes.

Tor
Re: securing OpenBSD wireless network
On Nov 19, 2007 1:51 PM, Clint Pachl <[EMAIL PROTECTED]> wrote:
> Does it even matter?

If you want to connect to networks that are using WEP, yes.

---
Lars Hansson
Re: securing OpenBSD wireless network
On 11/19/07 3:18 AM, Tor Houghton wrote:
> On Sun, Nov 18, 2007 at 10:51:49PM -0700, Clint Pachl wrote:
>>> OpenBSD supports WEP.
>>
>> Does it even matter?
>
> Well, if you want to prevent someone from accidentally connecting to your
> network, yes.

WEP keys can be captured in less than one minute:

http://eprint.iacr.org/2007/120.pdf
http://tapir.cs.ucl.ac.uk/bittau-wep.pdf

WEP is certainly better than nothing if all you have is older hardware that doesn't support WPA/WPA2, but that's about all. If your APs and host adapters support WPA, use it, not WEP.

dn
Re: securing OpenBSD wireless network
Salut,

On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote:
> WEP is certainly better than nothing if all you have is older hardware
> that doesn't support WPA/WPA2, but that's about all. If your APs and
> host adapters support WPA, use it, not WEP.

Think of WEP as an encoding. Just like all the others: ASCII, UTF-8, DES[1], MD5, etc. They do not provide any security, as opposed to encryption algorithms, such as AES, Twofish, EBCDIC, et cetera. ;-)

Personally, I use IPsec to secure my WLAN, and I can only recommend that to others. It is very effective.

Tonnerre

[1]: It's called Data Encoding Standard, after all ;-)
Re: securing OpenBSD wireless network
In my state, WEP is useful as a legal matter -- "borrowing" unsecured wireless connectivity is not illegal, whereas "stealing" secured access is. Sometimes the technical issues are not the only important ones.

Marti

On Nov 19, 2007 8:59 AM, David Newman <[EMAIL PROTECTED]> wrote:
> WEP is certainly better than nothing if all you have is older hardware
> that doesn't support WPA/WPA2, but that's about all. If your APs and
> host adapters support WPA, use it, not WEP.

--
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
[EMAIL PROTECTED]
Re: securing OpenBSD wireless network
Tonnerre LOMBARD wrote:
> Salut,
>
> On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote:
>> WEP is certainly better than nothing if all you have is older hardware
>> that doesn't support WPA/WPA2, but that's about all. If your APs and
>> host adapters support WPA, use it, not WEP.
>
> Think of WEP as an encoding. Just like all the others: ASCII, UTF-8,
> DES[1], MD5, etc. They do not provide any security, as opposed to
> encryption algorithms, such as AES, Twofish, EBCDIC, et cetera. ;-)

I have heard rumours that some Indian researchers succeeded at breaking EBCDIC due to a newly discovered weakness in the original scheme.

> Personally, I use IPsec to secure my WLAN, and I can only recommend that
> to others. It is very effective.

I can only second that. Even when the clients are Windows or Mac OS X.

> Tonnerre
>
> [1]: It's called Data Encoding Standard, after all ;-)
Re: securing OpenBSD wireless network
On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote:
>> Well, if you want to prevent someone from accidentally connecting to your
>> network, yes.
>
> WEP keys can be captured in less than one minute:

This fact is immaterial in the context of my statement.

Tor
Re: securing OpenBSD wireless network
Tor Houghton writes:
> On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote:
>>> Well, if you want to prevent someone from accidentally connecting to your
>>> network, yes.
>>
>> WEP keys can be captured in less than one minute:
>
> This fact is immaterial in the context of my statement.

Very true. The only time I consider turning on WEP is when I notice a neighbor is connecting to my net more often than not. Yes, by accident. Typically because their AP went down and needed to be reset and they hadn't noticed. Maybe one of these days I'll turn it on...

// marc
Re: securing OpenBSD wireless network
Marco S Hyman <[EMAIL PROTECTED]> writes:
> Very true. The only time I consider turning on WEP is when I notice
> a neighbor is connecting to my net more often than not. Yes, by accident.
> Typically because their AP went down and needed to be reset and they hadn't
> noticed.

Not sure what the actual legal status is (to my knowledge nobody has actually been sued over here for using somebody else's WiFi, or at least no cases decided yet), but I tend to say WEP is more like a "KEEP OUT" sign. It doesn't stop anybody who's willing to use a tiny bit of energy on getting in, but it signals that you did not intend for all the world to use your equipment.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: securing OpenBSD wireless network
On 11/19/07 8:16 AM, Tonnerre LOMBARD wrote:
> Personally, I use IPsec to secure my WLAN, and I can only recommend that
> to others. It is very effective.

IPSec can be an effective safeguard -- for IP headers and the upper-layer protocols and payloads above them. On the other hand it's a misconception to think IPSec will "secure my WLAN." IPSec doesn't know and doesn't care what link layer it runs over.

There is some layer-2 stuff that happens before layer-3 handshaking begins -- 802.11 association and deassociation, possibly layer-2 learning, and 802.1X authentication if that's used. IPSec will not and cannot secure any of this.

Wireless LANs are a technology in which sensitive data may go in the clear at L2 before L3 gets started. In this case L2 security mechanisms such as WPA are appropriate, and do not rule out the use of complementary mechanisms like IPSec or SSL.

Even if you don't care about authenticating or encrypting L2 data, there's still the issue of bandwidth and resource consumption at L2. 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the airwaves free (well, to the extent possible) can help there.

dn
Re: securing OpenBSD wireless network
Salut,

On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
> There is some layer-2 stuff that happens before layer-3 handshaking
> begins -- 802.11 association and deassociation, possibly layer-2
> learning, and 802.1X authentication if that's used. IPSec will not and
> cannot secure any of this.

Is there any need to secure that? In my local WLAN, you only have two ways of proceeding if you want internet access: a Tor router, or IPsec. If you come in without IPsec, i.e. you cannot establish the IKE handshake, and if you don't use the Socks proxy Tor provides, you are trapped in a local network where no one except all of the laptops are. Sure thing, you can communicate with another unauthenticated laptop, but I don't care that much about this scenario, since it does not cause me any problems.

> Wireless LANs are a technology in which sensitive data may go in the
> clear at L2 before L3 gets started. In this case L2 security mechanisms
> such as WPA are appropriate, and do not rule out the use of
> complementary mechanisms like IPSec or SSL.

What sensitive data do you see me exchange before IPsec connectivity is established?

> Even if you don't care about authenticating or encrypting L2 data,
> there's still the issue of bandwidth and resource consumption at L2.
> 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the
> airwaves free (well, to the extent possible) can help there.

With a, that's not that much of a problem usually

Tonnerre
Re: securing OpenBSD wireless network
Marco S Hyman <[EMAIL PROTECTED]> wrote:
> Very true. The only time I consider turning on WEP is when I notice
> a neighbor is connecting to my net more often than not. Yes, by accident.

And downloading his mail with unencrypted POP3 for all to see...

You can use IPsec to discourage that, too. The pf configuration on my home WLAN gateway passes *only* ISAKMP negotiation and ESP packets from/to the gateway. ESP packets that don't match an IPsec association are dropped. To get a valid IPsec association, a host needs to successfully negotiate with isakmpd. And for that it needs to authenticate (host key or password).

Of course stations can still talk on the WLAN itself, but neighbors tend to have little interest in that niche use.

--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
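Christian's "only ISAKMP and ESP" policy, written out as a pf.conf for the wireless interface. This is an added example, not Christian's own ruleset; the interface names and the wireless netblock are assumptions, and it assumes the OpenBSD 4.2-era isakmpd/ipsec.conf setup in which packets decrypted by the kernel reappear on enc0 for filtering. The point it makes that prose cannot: an unauthenticated station gets an address and can try IKE, and nothing else about it is ever forwarded.

```pf
# /etc/pf.conf -- added example: a WLAN gateway that admits only IKE and ESP.
# Interface names and netblock are assumptions, not taken from the post.
wlan_if  = "ral0"             # wireless card in hostap mode (assumed)
ext_if   = "fxp0"             # upstream/internet interface (assumed)
wlan_net = "192.168.10.0/24"  # addresses the stations get from dhcpd (assumed)

set skip on lo

# Only traffic that survived decryption is ever routed out, so NAT can be
# stated for the whole wireless netblock without widening anything.
nat on $ext_if from $wlan_net to any -> ($ext_if)

block in log all
pass out keep state

# A station still needs an address to run IKE from: DHCP, nothing more.
pass in on $wlan_if proto udp to port { bootps, bootpc }

# On the air, the gateway accepts exactly two things from a station:
# IKE towards isakmpd (UDP 500, plus 4500 for NAT traversal) and ESP.
# ESP that matches no negotiated SA is discarded by the kernel, so it
# never becomes a decrypted packet that pf would have to judge.
pass in on $wlan_if proto udp from $wlan_net to ($wlan_if:0) port { 500, 4500 }
pass in on $wlan_if proto esp from $wlan_net to ($wlan_if:0)

# Whatever a station sends inside ESP reappears on enc0 after decryption;
# this is the only rule that leads anywhere, and only an authenticated
# peer can produce packets that reach it.
# (Assumption about 4.2-era enc(4): with tunnel-mode SAs the IP-in-IP
# wrapper also crosses enc0 as proto ipencap and wants a pass rule of its
# own; check pf.conf(5) and enc(4) for the release actually in use.)
pass in on enc0 from $wlan_net to any
```

Return traffic to the stations is covered by the stateful `pass out`: the gateway's replies leave on enc0 in the clear, get encrypted, and leave again on $wlan_if as ESP. The authentication Christian mentions lives in ipsec.conf(5), as a single `ike passive` entry for the wireless netblock using either the gateway's RSA host key or a pre-shared key; pf never sees a distinction between an authenticated and an unauthenticated station, only between packets that came out of enc0 and packets that did not.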
Re: securing OpenBSD wireless network
On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote:
> Salut,
>
> On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
>> There is some layer-2 stuff that happens before layer-3 handshaking
>> begins -- 802.11 association and deassociation, possibly layer-2
>> learning, and 802.1X authentication if that's used. IPSec will not and
>> cannot secure any of this.
>
> Is there any need to secure that? In my local WLAN, you only have two
> ways of proceeding if you want internet access: a Tor router, or
> IPsec.

Before either of those processes begin, I can associate like crazy to your access point. That would ensure you never get Internet access, even without my flinging a single IP packet at you.

I have a test tool that can associate 500 times to the same AP, appearing as 500 unique clients. In my experience, most APs crash and burn a long time before then -- and that's before seeing any IP traffic.

Even if your AP is robust enough to handle a huge number of client associations, the chatty nature of the 802.11 protocol ensures the medium will be so full of management frames that you won't be able to send an IP packet. (I like to think of 802.11 as a technology that combines the worst aspects of Ethernet and token ring...)

> If you come in without IPsec, i.e. you cannot establish the IKE
> handshake, and if you don't use the Socks proxy Tor provides, you are
> trapped in a local network where no one except all of the laptops are.
> Sure thing, you can communicate with another unauthenticated laptop,
> but I don't care that much about this scenario, since it does not
> cause me any problems.

Does not cause *you* problems != no leakage at L2

>> Wireless LANs are a technology in which sensitive data may go in the
>> clear at L2 before L3 gets started. In this case L2 security mechanisms
>> such as WPA are appropriate, and do not rule out the use of
>> complementary mechanisms like IPSec or SSL.
>
> What sensitive data do you see me exchange before IPsec connectivity
> is established?

Well, for starters every 802.11 AP broadcasts its availability 10 times a second. And since 802.11 is a shared-access medium, you'll also see the first packet of every client's 802.1X auth exchange, as well as SSIDs of all available stations.

>> Even if you don't care about authenticating or encrypting L2 data,
>> there's still the issue of bandwidth and resource consumption at L2.
>> 802.11 is extremely chatty. Using WPA or (if you must) WEP to keep the
>> airwaves free (well, to the extent possible) can help there.
>
> With a, that's not that much of a problem usually

Probably true for your setup, definitely less true in other (and arguably most other large-scale) setups.

Most APs consist of a dinky little CPU and a very little bit of memory, both easily swamped by doing too much work *just at layer 2.*

Further, they have to contend for spectrum with other 802.11 stations, microwave ovens, Bluetooth devices, cordless phones, ham radios (that's for the far more popular 2.4-GHz spectrum used by 802.11b/g/n. The 5.8-GHz spectrum used by 802.11a/n is much better, though still hardly pristine).

Anything you can do to keep your AP's RF section free and clear will result in a better WLAN experience, where "better" means both "faster" and "more secure."

dn
Re: securing OpenBSD wireless network
Therefore, is WEP+IPSec the current secure limit for a wlan with OpenBSD as hostap and Windows-XP clients?

--
Jairo Souto <[EMAIL PROTECTED]>
(38)9968-3447

On Mon, Nov 19, 2007 at 03:08:29PM -0800, David Newman wrote:
> Anything you can do to keep your AP's RF section free and clear will
> result in a better WLAN experience, where "better" means both "faster"
> and "more secure."
Re: securing OpenBSD wireless network
David Newman <[EMAIL PROTECTED]> wrote:
>>> There is some layer-2 stuff that happens before layer-3 handshaking
>>> begins -- 802.11 association and deassociation, possibly layer-2
>>> learning, and 802.1X authentication if that's used. IPSec will not and
>>> cannot secure any of this.
>>
>> Is there any need to secure that? In my local WLAN, you only have two
>> ways of proceeding if you want internet access: a Tor router, or
>> IPsec.
>
> Before either of those processes begin, I can associate like crazy to
> your access point. That would ensure you never get Internet access, even
> without my flinging a single IP packet at you.

Duh. It's a *radio* network. Of course it can be DoS-ed. WEP doesn't change that. In fact, popular attacks against WEP generate massive L2 traffic.

--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
Re: securing OpenBSD wireless network
Does anyone know if there is WPA support for OpenBSD being worked on? This would be nice.

David Newman wrote:
> On 11/22/07 1:55 PM, Christian Weisgerber wrote:
>> Duh. It's a *radio* network. Of course it can be DoS-ed. WEP
>> doesn't change that. In fact, popular attacks against WEP generate
>> massive L2 traffic.
>
> Yes. WPA is somewhat better (in that the better controller-based systems
> have rate controls). Other than being better than nothing on really old
> hardware, WEP is worthless.
>
> dn
Re: securing OpenBSD wireless network
On Thu, Nov 22, 2007 at 10:05:21PM -0800, David wrote:
> Does anyone know if there is WPA support for OpenBSD being worked on?
> This would be nice.

pkg_add wpa_supplicant ???

Or did I misunderstand something?

---
Andri Braselmann
Re: securing OpenBSD wireless network
David wrote:
> Does anyone know if there is WPA support for OpenBSD being worked on?
> This would be nice.

There was a thread that I started a month ago, unfortunately by mis-spelling WPA as (wap). One of the answers was posted, I think, by a developer who is currently working on WPA for OpenBSD. The information was rather comprehensive and I would just do harm by trying to repeat it.

Best,
Predrag
Re: securing OpenBSD wireless network
On 11/22/07 1:55 PM, Christian Weisgerber wrote:
> David Newman <[EMAIL PROTECTED]> wrote:
>>> Is there any need to secure that? In my local WLAN, you only have two
>>> ways of proceeding if you want internet access: a Tor router, or
>>> IPsec.
>>
>> Before either of those processes begin, I can associate like crazy to
>> your access point. That would ensure you never get Internet access, even
>> without my flinging a single IP packet at you.
>
> Duh. It's a *radio* network. Of course it can be DoS-ed. WEP
> doesn't change that. In fact, popular attacks against WEP generate
> massive L2 traffic.

Yes. WPA is somewhat better (in that the better controller-based systems have rate controls). Other than being better than nothing on really old hardware, WEP is worthless.

dn
Re: securing OpenBSD wireless network
On Nov 23, 2007 8:25 AM, Predrag Punosevac <[EMAIL PROTECTED]> wrote:
> David wrote:
>> Does anyone know if there is WPA support for OpenBSD being worked on?
>> This would be nice.
>
> There was a thread that I started a month ago unfortunately by
> mis-spelling WPA as (wap). One of the answers was posted
> I think by a developer who is currently working on WPA for OpenBSD. The
> information was rather comprehensive and
> I would just do harm by trying to repeat it.

Reyk@ is working on WPA support in the 802.11 stack. They have added the wpa_supplicant port but it can not be used because it lacks some support in the stack. Any donations would probably help.

BR
dunceor