Re: Issue 286: Security
From: Jari Arkko (jari.arkkopiuha.net)
Date: Mon, 14 Feb 2005 05:45:05 -0500 (EST)
Some further thoughts. You wrote:

For example, as I understand it in 802.11u, there is a proposal whereby
the STA would disclose the networks with which it has a relationship in
the Probe Request, and the AP would respond with the subset of that list
that it supports in the Probe Response.

The discovery mechanism in this draft is somewhat different:  the AAA
proxy discloses its roaming relationships to the peer without the peer
first indicating what networks it supports.

Given that the probe request and response are not authenticated, it would seem that the security of the two approaches differs only in terms of requiring active vs. passive attackers, and maybe in scalability for attackers.

Someone who wants to determine what networks are available
could presumably spoof a Probe Request with a set of potential
victim network names. Or am I missing something? The main
difference appears to be that the attackers have to be
active before they can discover the information. (Passive
attackers may also be able to collect some information
from other clients' requests and associated responses.)

The scalability of attacks is also interesting. In theory,
network-side advertisements are nice for attackers, because
they can get a lot of exact information. With client-side
requests, the attackers would have to probe for the information
a few networks at a time. Advertisements are more effective
when there are a lot of interesting networks for the attackers.
If the number of interesting networks is small, the difference
is not that big. Also, the scalability limitations of Farid's
draft limit the difference too; only a handful of networks
can be advertised. This limits the mechanism in practice to
roaming consortiums and few top-level operators. It would
be unthinkable to announce thousands of corporate networks
via this mechanism, for instance.

--Jari
