
Re: [58crew] RE: IETF58 - Network Status

2003-11-18 09:09:26


Perry E. Metzger wrote:

Michael Richardson <mcr(_at_)sandelman(_dot_)ottawa(_dot_)on(_dot_)ca> writes:
"Franck" == Franck Martin <franck(_at_)sopac(_dot_)org> writes:
   Franck> My question, how can we deploy WiFi networks in town for global
   Franck> roaming with SIP phones when the IETF itself has trouble
   Franck> deploying it...

   Franck> Is there something wrong in the WiFi protocol that needs fixing?

 Yes, despite all of 802.11i, the beacons are not authenticated.

There are other problems too. The fact that 802.11 tries to be
reliable by doing its own retransmits results in massive congestive
collapse when a protocol like TCP is run over it. The designers did
not read our documents on requirements for link layers. A knob that
allowed you to turn off (or at least tune down) the retransmission on
a network would be very valuable, but I know of no gear that does
that. Also, 11b has a poorly selected set of channels that overlap.

My biggest piece of advice, though, to those setting up such networks
is to deploy monitoring stations in addition to deploying base
stations. That way you'll have some idea of how performance is doing
without needing your users to tell you that there is a problem.

In the presence of ARP spoofing, 802.11i, either with TKIP or CCM, will not
provide any guarantees of security.

My advice would be to continue to place your 802.11 networks out in front
of an IPSec gateway.