Isn't this just a "don't do that, then" scenario? Plugging in a hub
tends to undermine much of the accountability 802.1X is supposed to
provide.

Sure, except that the cost of "don't do that" is rather high -- a switch
port for every host.
Anyway, 802.1X is terminally broken because end users can rewire that
port and bypass security policies (put a laptop with bridging software
onto it, plug in a hub, and so on).

The issue here is not key exchange; it's the lack of data protection.
IEEE 802.11i derives a unique key per STA MAC, using it to key link
layer ciphersuites providing encryption/integrity/replay protection, which
eliminates piggybacking. Yet it relies on 802.1X. My understanding is that
802.1ae/af will also solve the problem, by enabling "virtual ports".
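
As an added illustration, not taken from any of the posters above, here is a small Python check for the piggybacking case the two previous messages describe: a second host (behind a hub or a bridging laptop) sending frames through a port whose 802.1X session authorized only one supplicant. The log lines, event names and field names are constructed assumptions, not any vendor's real syslog format.

```python
import re
from collections import defaultdict

# Constructed sample records, loosely modelled on a switch syslog.
# The format is an assumption made for this example, not real vendor output.
SAMPLE_LOG = """\
2024-01-01T10:00:01 DOT1X-AUTH port=Gi1/0/5 mac=00:11:22:33:44:55 result=SUCCESS
2024-01-01T10:00:07 MAC-LEARN port=Gi1/0/5 mac=00:11:22:33:44:55 vlan=10
2024-01-01T10:02:13 MAC-LEARN port=Gi1/0/5 mac=66:77:88:99:aa:bb vlan=10
2024-01-01T10:03:00 DOT1X-AUTH port=Gi1/0/7 mac=cc:dd:ee:ff:00:11 result=SUCCESS
2024-01-01T10:03:02 MAC-LEARN port=Gi1/0/7 mac=cc:dd:ee:ff:00:11 vlan=10
2024-01-01T10:05:00 MAC-LEARN port=Gi1/0/9 mac=12:34:56:78:9a:bc vlan=20
"""

# timestamp, event type, port, MAC, and whatever trailing key=value fields remain
LINE_RE = re.compile(r"^(\S+) (DOT1X-AUTH|MAC-LEARN) port=(\S+) mac=(\S+)(?: (.*))?$")

def parse(log):
    """Yield (timestamp, event, port, mac, rest) for every line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def find_piggybacking(log):
    """Return {port: [extra MACs]} for ports where one supplicant passed 802.1X
    but frames from other source MACs were learned on the same port."""
    authorized = {}               # port -> MAC that completed 802.1X successfully
    learned = defaultdict(set)    # port -> all source MACs seen sending frames
    for _ts, event, port, mac, rest in parse(log):
        if event == "DOT1X-AUTH":
            if "result=SUCCESS" in (rest or ""):
                authorized[port] = mac.lower()
        else:
            learned[port].add(mac.lower())
    findings = {}
    for port, mac in authorized.items():
        # Any MAC other than the authorized supplicant is riding the open port.
        extra = sorted(learned[port] - {mac})
        if extra:
            findings[port] = extra
    return findings

if __name__ == "__main__":
    for port, macs in find_piggybacking(SAMPLE_LOG).items():
        print(f"{port}: one supplicant authorized, unauthenticated MACs seen: {macs}")
```

Only ports with a successful 802.1X session are reported, so a port that was never authorized (Gi1/0/9 in the sample) is not flagged here; that case belongs to ordinary port-security monitoring.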

It's very hard to solve this problem at a sub-IP layer.

I think the point is that there is a significant need (at least in the
short term) for a transitional solution. Enterprise WPA/WPA2
is being deployed, albeit perhaps more slowly than we'd like. Moving the
problem up a layer doesn't really address expense/deployment
concerns that much, especially since IPsec acceleration chipsets ship in
much lower volumes than say, chipsets supporting 802.11, 802.3 or other
link layer technologies. At the end of the day, there is significant
appeal in being able to roll out solutions that don't require forklift
upgrades.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf