Re: Re: [Issue 200] channel binding threats
From: Jari Arkko (jari.arkkopiuha.net)
Date: Mon, 1 Dec 2003 06:08:40 -0600 (CST)
Bernard Aboba wrote:
> It seems to me that the "false SSID" attack brought up by Michael
> Richardson as part of the "network selection" thread is another variation
> on the "channel binding" attack that is discussed in Issue 200.  That is,
> the AP advertises an SSID to the user, but presumably does not include
> this SSID in the Called-Station-Id sent to the AAA server.

Right.

> Can someone take a look at the proposed resolution of Issue 200 and
> determine whether the issue is being adequately handled?  My understanding
> is that including an exchange of SSIDs within the EAP method would allow
> the station and AAA server to determine that the AP had launched this
> attack.

I think it is adequately handled by the resolution which is given at drizzle.com. (It might have made sense to add a specific example of the SSID lying. But it's not so important. Or perhaps that could be done in AUTH48 if we get there with 2284bis.)

Michael: the issue 200 text is at
http://www.drizzle.com/~aboba/EAP/eapissues.html#Issue%20200

--Jari
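
The SSID comparison discussed in this thread, sketched from the AAA server's side as an added example (not part of the original message or of the Issue 200 text). It assumes the Called-Station-Id layout "MAC:SSID" used for IEEE 802.11 in RFC 3580; the HMAC-protected claim format, the function names and the sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re

# Called-Station-Id for 802.11: "00-10-A4-23-19-C0:AP1" (MAC, then optional ":SSID").
_CSID = re.compile(r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})(?::(.*))?", re.S)
_LABEL = b"ssid-binding"  # hypothetical domain-separation label


def peer_claim(session_key, ssid):
    """Station side: the SSID it actually saw, MACed under a key the AP never holds.

    Assumption: the EAP method gives station and AAA server a shared key
    and carries this claim inside the method, out of the AP's reach.
    """
    data = ssid.encode()
    return data, hmac.new(session_key, _LABEL + data, hashlib.sha256).digest()


def check_binding(session_key, claim, tag, called_station_id):
    """AAA server side: compare the station's claim with what the AP reported."""
    expected = hmac.new(session_key, _LABEL + claim, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "reject: claim not authenticated"
    m = _CSID.fullmatch(called_station_id)
    if m is None:
        return "reject: malformed Called-Station-Id"
    ap_ssid = m.group(2)
    if not ap_ssid:
        # The AP left the SSID out, so there is nothing to compare against.
        return "unverified: AP reported no SSID"
    if ap_ssid.encode() != claim:
        # The AP advertised one SSID to the station and another to the server.
        return "reject: SSID mismatch"
    return "ok"


if __name__ == "__main__":
    key = b"k" * 32  # constructed sample key
    claim, tag = peer_claim(key, "CorpNet")
    for csid in ("00-10-A4-23-19-C0:CorpNet",   # honest AP
                 "00-10-A4-23-19-C0:FreeWifi",  # AP reports a different SSID
                 "00-10-A4-23-19-C0"):          # AP omits the SSID
        print(csid, "->", check_binding(key, claim, tag, csid))
```

The "unverified" outcome is the case Bernard describes, where the AP simply leaves the SSID out; whether to accept or refuse such a session is a policy decision for the server.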

