From: Saliya Wimalaratne (saliya_at_hinet.net.au)
Date: 2002-07-26 03:32:34 UTC
On Thu, 25 Jul 2002, Eric Johanson wrote:
> > a) a wireless node that does not forward packets to other wireless
> > devices (i.e. forces all traffic out the ether port)
> >
> > - that way, the clients don't 'see' each other unless they specifically
> > tell their cards to do so.
>
> This is only obfuscation, not security. Anybody with a sniffer can still
> see these 'hidden' cards. It helps if you have WEP with TKEP/802.1x, but
> it's not completely foolproof (IMHO).
Hi,
Sure; this is more from the perspective of resource allocation than security.
In the service provider environment (where I'm coming from) this is important because the WLAN has limited resources to begin with; so you don't want people 'stealing' them by associating with your AP and then using it to forward packets willy nilly. Sorry I wasn't clear about this...
> > - with a hostAP, you can do this internally :)
>
> hrm; I'm not sure that I follow you here; you could do the same with
> orinoco_cs, yes? Are you talking about filtering 802.11 frames? tcpip
> traffic?
Situation 1: external AP, all traffic forced to ether:
Client <-WLAN-> AP <-Ether-> 'Gateway + IPSec'
Client <-WLAN-> HostAP + IPSec
Don't take my statements as saying 'MSCHAPv2 is a *bad* thing to do' - I'm just saying 'I think IPSec is a better way to do it'.
Regards,
Saliya