Why VPN can't replace Wi-Fi security

By | May 12, 2007, 7:14pm PDT


This entry is also available as a PDF download.

Every time the subject of wireless LAN security comes up, people ask me about VPN as a solution for securing Wi-Fi (Wi-Fi is the common marketing name for 802.11 wireless LANs). I’ve always told people that VPN security shouldn’t be a substitute for good Wi-Fi security, and I even posted a comprehensive guide to enterprise wireless LAN security, but a loyal group of VPN-only supporters has always argued for a VPN-only alternative. I’m going to explain VPN and Wi-Fi security as best I can, and why there is a right time and a right place for each architecture.

The VPN-only camp
The VPN-only camp consists of companies that have a vested interest in selling VPN solutions and some individuals who are more familiar with VPN than with Wi-Fi security, so everything looks like a VPN-type problem because that’s within their comfort range. It’s a classic case of when all you have is a hammer, everything looks like a nail. They’ll tell you not to worry about Wi-Fi security and just use VPN. The typical argument from the VPN-only camp is that the IEEE 802.11 standards body can’t be trusted to come up with a good solution for Wi-Fi security. To bolster the claim that Wi-Fi can’t be trusted, the VPN-only camp cites the WEP debacle and/or even points out that “WPA is cracked.”

Was WPA really cracked?
Anyone who states that “WPA was cracked” doesn’t really understand what WPA is or what cracked means. What they’re actually referring to is the fact that a certain simple mode of WPA (designed primarily for home use), which uses PSK (pre-shared keys), can be cracked when a simple, easy-to-guess PSK is in use. But that’s only an example of a poor deployment of WPA-PSK: the attack is an offline dictionary attack against the passphrase, not a break of the cipher or of the protocol. A random alphanumeric PSK of 10 or more characters makes such dictionary attacks impractical. I can just as easily point out that the same mistake can be made in certain VPN deployments that also rely on pre-shared keys.

Is WEP a permanent indictment of IEEE 802.11?
There is no question that WEP is completely broken beyond redemption. 802.11 WEP encryption was designed in the late 90s, a time of strict U.S. export restrictions when good cryptography was classified as advanced munitions. I’ve had sources familiar with that process tell me that stronger encryption algorithms were shunned for fear of Wi-Fi products being banned for export. Not surprisingly, it took less than two years for cryptographic researchers (Fluhrer, Mantin and Shamir) to demonstrate serious flaws in WEP. But something designed in the late 90s for exportability should not be a permanent indictment of Wi-Fi security or of the competence of the IEEE 802.11 standards body. If that’s the standard we judge by, we can pretty much shun everything on the Internet. Moving beyond the WEP debacle, the Wi-Fi industry couldn’t wait for the IEEE to fix the standard, so it adopted TKIP (a patched version of WEP) under the WPA industry standard.

Bad implementations should be shunned, not entire categories
There are other bad implementations of VPN and Wi-Fi that have poorly designed authentication mechanisms.  ASLEAP, for example, is a tool that will easily crack both LEAP Wi-Fi 802.1x authentication and PPTP VPN authentication in nearly identical fashion, yet both protocols are (unfortunately) very popular.  The argument should be made against poor cryptographic implementations, not against Wi-Fi security in general.

<Next page - Wi-Fi and VPN security defined>

George Ou

http://blogs.zdnet.com/Ou/?page_id=557

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

Comments

www.strongvpn.com
oakweb 21st Dec 2007
www.strongvpn.com is good too
0 Votes
+ -
Er ah, What?
D T Schmitz 12th May 2007
Seriously, this is probably 'George Ou' at his best.
Thanks, and I thought you were going to rip my head off for not suggesting SSH.
0 Votes
+ -
A book worth acquiring

It dedicates Chapter 8 to SSH, which can be just as effective as some of the more expensive VPN solutions, e.g., ppp over ssh is practicable.

Thanks again George
0 Votes
+ -
You can pretty much tunnel over anything. There are even ways to tunnel over DNS or ICMP. SSH is one of the more common home-grown solutions out there because anyone with a Linux/FreeBSD box can do it.
0 Votes
+ -
totally agree
zzz1234567890 12th May 2007
As always, George, your blogs are a great read.
0 Votes
+ -
Thanks - nt
georgeou 12th May 2007
nt
0 Votes
+ -
hmm.
utternerd 12th May 2007
George Ou must speak with some really stupid people.
0 Votes
+ -
You mean people who say VPN is the only way to go? Ah they're extremely common. In fact they're probably the ones that voted this blog down.
0 Votes
+ -
Anonymous voting ...
MGP2 13th May 2007
You know, I've always thought the "anonymous voting" feature was kind of dumb, not to mention cowardly. Anyone can set up 30 separate ZDNet accounts and vote an issue up or down based on their own opinion. What would be a better idea would be to have all users choose a reply category of either "agree", "disagree", or "neutral" when commenting on blog entries. That would be a truer measure (moreso than anonymous, anyway) of whether a blog entry was considered worthwhile. It could also save the blogger (and other commenters) some time by sorting, reviewing, and replying to the comments by category.

Just a thought...
MGP
0 Votes
+ -
They can still create 30 accounts and type in their messages as if they were different people. Everyone that posts here is essentially anonymous.
0 Votes
+ -
But it would be more work...
MGP2 13th May 2007
It would be more time consuming for them to have to type even the shortest message than to just click the up or down vote.

On the other hand, wouldn't you like every subject line like this recorded with a vote? "George, I've admired the blogs you've posted, and I agree with you."

MGP
I don't buy into rumors that claim VPN is a better solution to security than Wi-Fi. Either (well, no offense to them) they don't understand how Wi-Fi security works or they don't have Wi-Fi access points/routers and put security encryption (I'll suggest WPA2-AES with strongest LEAP and non-dictionary password, if possible) into work with wireless adapters that support the strongest WPA2-AES encryption.
0 Votes
+ -
LEAP should be banned
georgeou 12th May 2007
LEAP should be banned because it's impossible to have human-usable passwords that can withstand a 45-million password/sec dictionary attack. There's no "salt" implemented in LEAP (MSCHAPv2) and there's only a few rounds of hashing which makes the offline attack extremely fast. WPA-PSK mode is susceptible to offline attacks but the "salt" makes pre-computed tables unlikely and the hundred rounds of SHA makes offline password cracking extremely slow. If I had my choice, I'd ban any system that permitted offline cracking though WPA-PSK is about as good as it gets.

Even EAP-FAST should be shunned because it almost always defaults to using anonymous server certificates because that's how Cisco markets it. LEAP and EAP-FAST are proprietary lockins. The Cisco client doesn't support machine-authentication and even Cisco tells you to use the Microsoft client if you want that. You also can't do group policy management of the Cisco client and it's limited in hardware support.

If you want an open and secure solution, EAP-TLS, PEAP, or EAP-TTLS are the only ways to go. PEAP is probably the most universally supported and it's supported in the Microsoft client which permits easy management and machine-authentication.
0 Votes
+ -
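The passphrase argument in the article (a random 10-character alphanumeric PSK defeats dictionary attacks) and in the comment above (WPA-PSK salts with the SSID and runs thousands of hash rounds, LEAP does neither) can be checked directly. The following Python is an added example, not code from the post or from any product it mentions: it derives the WPA Pairwise Master Key exactly as 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds) and estimates how long exhausting a passphrase's keyspace would take at the 45 million guesses per second quoted for LEAP. The constants MIN_KEYSPACE and LEAP_GUESSES_PER_SECOND and the sample passphrases are assumptions taken from the thread's own numbers.

```python
"""WPA-PSK passphrase assessment: PMK derivation per IEEE 802.11i plus a
brute-force cost estimate. Added example, not code from the original post."""
import hashlib
import string

PBKDF2_ROUNDS = 4096          # iteration count fixed by 802.11i (not tunable)
PMK_LEN = 32                  # 256-bit Pairwise Master Key
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption taken from the article: a random 10-character alphanumeric PSK
# (62 symbols) is the floor below which a passphrase counts as weak.
MIN_KEYSPACE = 62 ** 10
# Rate quoted in the thread for offline LEAP/MSCHAPv2 cracking. Reusing it for
# WPA-PSK is deliberately pessimistic: every WPA guess costs 4096 HMAC-SHA1
# rounds (x2 for a 32-byte key) rather than a single unsalted hash.
LEAP_GUESSES_PER_SECOND = 45e6


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID acts as the salt: the same passphrase yields a different PMK on
    every network, so a precomputed table only ever covers one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i requires an 8..63 character ASCII passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def alphabet_size(passphrase: str) -> int:
    """Size of the union of standard character classes the passphrase uses."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    )
    return sum(n for chars, n in classes if any(c in chars for c in passphrase))


def keyspace(passphrase: str) -> int:
    """Candidates needed to exhaust a *random* passphrase of this length over
    this alphabet. A dictionary word lives in a far smaller space, which is
    exactly the "poor deployment" the article warns about."""
    return alphabet_size(passphrase) ** len(passphrase)


def years_to_exhaust(passphrase: str,
                     guesses_per_second: float = LEAP_GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try the whole keyspace at the given guess rate."""
    return keyspace(passphrase) / guesses_per_second / SECONDS_PER_YEAR


def assess(passphrase: str, ssid: str,
           guesses_per_second: float = LEAP_GUESSES_PER_SECOND) -> dict:
    """Derive the PMK and report whether the passphrase meets the article's bar."""
    space = keyspace(passphrase)
    return {
        "pmk": derive_pmk(passphrase, ssid).hex(),
        "alphabet": alphabet_size(passphrase),
        "keyspace": space,
        "years": years_to_exhaust(passphrase, guesses_per_second),
        "verdict": "ok" if space >= MIN_KEYSPACE else "weak",
    }


if __name__ == "__main__":
    # Constructed sample inputs; "password"/"IEEE" is the 802.11i test vector.
    for pw, ssid in (("password", "IEEE"), ("aZ3kQ9pL7m", "IEEE"),
                     ("aZ3kQ9pL7m", "HomeNet")):
        r = assess(pw, ssid)
        print(f"{pw:12} ssid={ssid:8} pmk={r['pmk'][:16]}... "
              f"alphabet={r['alphabet']:2} years={r['years']:.4f} "
              f"verdict={r['verdict']}")
```

The same passphrase on two SSIDs yields two unrelated PMKs, which is why the comment's point about pre-computed tables holds for WPA-PSK but not for LEAP's unsalted hash.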
instead of LEAP but didn't remember those... Far too many of them to remember like EAP-TLS--heh.

So after WEP and LEAP are banned and LEAP-FAST should be banned, hmmmm... I wonder what's next?

I didn't advocate using LEAP, though...
0 Votes
+ -
The default EAP-FAST is the big problem. Unfortunately that's how people tend to deploy it because it's so easy to use anonymous server certificates. Their other ways of deploying EAP-FAST are unusable. The other reason is that it's a proprietary Cisco technology that locks you in to their Access Points. Why in the world would you want to lock yourself in? The Cisco client also doesn't support machine logon or group policy management.
0 Votes
+ -
I wouldn't lock-in to LEAP-FAST...

I thought about building a server with Windows Server Longhorn (Server Core) installed and put in a wireless access point PCI card. I can trust Windows for network management.

Even though I have some network experience, I'm a hobbyist and I use a computer at home, so I don't see any sense in building a RADIUS server (it'll be unusual if I do that) and WPA2-AES is good enough for me.
Cisco produces fine hardware and they helped invent PEAP along with Microsoft and RSA. Nothing wrong with using Cisco wireless gear, just be sure to avoid LEAP or EAP-FAST and use open PEAP which Cisco fully supports.

The same applies to Cisco routers. You should avoid using their proprietary routing protocols like EIGRP and stick with OSPF so you can be more interoperable.
0 Votes
+ -
EIGRP Rocks...
pazmanpro 14th May 2007
I only wish that Cisco would standardise it and release it to the public as an open standard.

Either that or improve OSPF performance and load-balancing.
0 Votes
+ -
You have a point there
georgeou 14th May 2007
Some Cisco stuff like EIGRP or their alternative to 802.1q trunking is quite good, unlike LEAP and EAP-FAST which have no redeeming value. However, I prefer to standardize if possible with OSPF and dot1q.
0 Votes
+ -
Passwords, dictionary attacks
sysop-dr 14th May 2007
Hi, my 2 cents. Passwords and most security in general are like a lock on a house door. They are there only to keep honest people honest. (I can hear the WTFs already, getting there.)
Someone wants to break into your house. You locked the door. They break the window, reach through, and in they go. So what do you do? You put in alarms and cameras and leave a hungry/mad Doberman in the living room.
So on a computer/network you have passwords. Someone who is intent on getting in will get in. So you make the passwords harder. Instead of words, use the first letters from a phrase or line of poetry or something. Substitute look-alike numbers for some letters, use caps on words that are stressed when you say the phrase, throw in some random punctuation and stuff. They can still crunch the password if they have enough time and patience.
So what next? IDS, honey pots, kill bots, read your log files!

Passwords are there to keep honest people honest; for real security you have to be willing to invest the same amount of time that your attacker is willing to invest. When one side invests more time than the other, that one will win every time.

Having any opening into the network without at least password protection is like locking the front door but leaving the basement door open. Yes it's around the back of the house and there is a bush growing in front of it but as we always say, obscurity is not security.
0 Votes
+ -
Extremely Useful
Spatha@... 13th May 2007
Even if someone disagrees with you (and I don't) your article clearly identifies, justifies and explains the issues as you see them. The 6 bullets under "Forcing a VPN-only topology" show how more than security issues need to be considered in an implementation.

The last bullet, "Allow the hacker to get on to your open Wi-Fi network and probe your network and Wi-Fi clients for weaknesses", is especially important because a common justification of a VPN-only solution is to support co-existence with open Wi-Fi access to the Internet, for guests such as vendors. At the same time, authenticated users can access those portions of the internal network accessible from the Internet via VPN.

In light of your last bullet, would you recommend a separate and isolated solution for open Wi-Fi access to the Internet?
0 Votes
+ -
Very good questions
georgeou 13th May 2007
1. Security is worthless if it cannot be implemented by the masses. Security must be deployable and enforceable. Rijndael was chosen as the AES algorithm not only because of its strength, but because it's also lightning fast. In fact it's faster than DES encryption from what I understand. Wi-Fi security has a lower overhead and more universal support than VPN solutions and that makes it more appropriate on the LAN. I know a lot of people somehow believe that VPN is superior to Wi-Fi security, but they simply don't realize that it's the implementation of strong encryption and strong authentication that makes a solution secure.

2. Guest access VPN should be a separate network and it's relatively easy to create a VLAN for it. Read this article http://articles.techrepublic.com.com/5100-1035-6112367.html which shows you how guest VLANs can be created. Guest VLANs actually make your production network more secure because your employees are not tempted to give guests access to your production network.
0 Votes
+ -
Thanks again for all the good info
Spatha@... 14th May 2007
Thanks again for all the good info, including the TechRepublic article.
0 Votes
+ -
VLans are also a security risk...
TSGlassey 15th May 2007
G.O.
VLANs are also a security risk based on the quality of the virtualizer code in the Route/Switch Service Processor doing the header management for the packets.

In many instances, where key logging is required, we in fact intentionally use hubs or FDDI-type rings since they do what SSPs can't, and that is mirror all communications in a transaction network to all the appropriate servers in a key zone. Cisco's port spanning is ineffective for our security levels.

TSG/
0 Votes
+ -
VLANs are fine IF they're deployed correctly.
0 Votes
+ -
We use a product from Extreme Networks called the WM100, Wireless Manager. In it we are able to set up different wireless domains with different security/authentication requirements. We can then assign those domains to the access points. Within the wireless domains, there is a firewall that allows you to define which resources and destinations the wireless clients can access.

So for us, the private network uses a RADIUS server tied to Novell e-dir and PEAP and TTLS etc., and once authenticated you log into the network; the public user has no authentication or encryption, but is routed straight out to the Internet only, with a few exceptions for public sites and resources inside the network.

The WM100 by Extreme Networks allows us to have 2 separate networks sharing the same AP's and infrastructure.
0 Votes
+ -
For example, I show you how to do this on a $350 Cisco Router.
http://articles.techrepublic.com.com/5100-1035-6112367.html
It's not an issue of WiFi or VPN. They both have their place. Local connectivity to an Enterprise LAN can be provided by WiFi security (WPA). Remote access must be provided by VPN (IPsec).

Layer two attacks exist that really require layer 2 security. ARP spoofing, BOOTP and DHCP must be protected at the link layer by WiFi security.

Paul A. Lambert
0 Votes
+ -
And I never said VPN wasn't needed
georgeou 14th May 2007
That's why I say the hybrid approach is best and specifically drew in the VPN solution.
It just seems that, to me, leaving a router unsecured (even with 128-bit WEP, the casual user won't crack it) is just asking for issues. I remember dealing with Cisco VPN before, and I know that it's possible (with some work) to use a VPN-connected computer as a network bridge between a local network and corporate.

BTW George, 11/10. This is the best blog article I've seen you put together in a while.
Thanks, I think you're referring to split tunneling. The Cisco client can be configured from the Cisco VPN concentrator to permit or allow split tunneling centrally. Even so, split tunneling isn't easily or likely turned in to a back door. The problem with split tunneling is open Wi-Fi hotspots where your traffic going to the Internet is in the clear in a very dangerous place.
0 Votes
+ -
Use both.
Resuna 14th May 2007
Or.. all three, or four.

1. Limit the range of the signal as much as possible. If people complain they can't use your Wifi in the company parking lot, you're doing it right.
2. Use the best Wifi security you can.
3. Still don't trust the WLAN any more than you have to.

Treat the WLAN like you would a dial-in pool, a wired conference room, or a DMZ. Provide services inside it that are appropriate for the level of security it has, and make people set up tunnels to get further in.
0 Votes
+ -
I don't think you get it
georgeou 14th May 2007
Limit signal? Signal suppression is one of the urban legends.

These myths just won't die.
http://blogs.zdnet.com/Ou/?p=454
0 Votes
+ -
Help for the Helpless?
mollenhourb@... 14th May 2007
I have a WiFi access point at home that I use to connect my work computer to our office. Our office uses VPN for connections to their network for remote users.

So, what do I do if implementing anything OTHER than WEP on my home access point keeps my computer from reaching our VPN server for authentication? Granted, I live in the sticks and the possibility of anybody getting close enough to my home to break into the WiFi is limited, but I'd still like to know that I'm secure (from a network perspective, not psychologically).
Simple, WPA-PSK with more than 10 random alpha-numeric passphrases. That's all you need to know for the home.
0 Votes
+ -
Hard-coded IP addresses
JPMcE3 14th May 2007
My WiFi router can restrict to specific IP4 physical addresses. Is that adequate for a small home network? JP3
0 Votes
+ -
Prevent your neighbor from accidentally connecting to your router yes. However anyone can sniff the traffic and figure out your IP address and then use it to connect to your router.
0 Votes
+ -
IP filtering....
DCMann 15th May 2007
...will keep a non-technical or lazy neighbor off your network, but it's very easy for someone that really wants on to get a valid IP address off the channel and spoof it.
0 Votes
+ -
IPv6 is the ultimate fix
mel@... 14th May 2007
George,

I'm a long-time WiFi deployer and lived through the hacks and crashes of the WEP debacle. At that time VPN was the ONLY secure solution. Even early versions of WPA were laughably insecure, both due to algorithmic gaffes and the difficulty of correctly configuring LEAP and PEAP.

WPA2 is FINALLY secure, but still a major pain to deploy correctly. It suffers from one serious problem that you didn't mention: the load encryption places on winky little WiFi access point processors. The advantage of VPN WiFi protection is that decryption is distributed to the end-user computers and a central VPN concentrator with dedicated encryption hardware capable of handling hundreds of simultaneous IPSec sessions.

Contrary to your statement that IPSec and WiFi encryption have different missions, they actually don't. The mission is the same, but only one generic mechanism works for both: IPSec.

The ultimate fix to both the WiFi and VPN security miasma is IPv6, which incorporates IPSec at the TCP session level, making it possible to encrypt all traffic, including LAN traffic (increasingly the target of illicit eavesdropping). Many operating systems (e.g., Windows and MacOSX) support IPv6 today, and many more are piling on as the government-mandated 2008 deadline for internal IPv6 looms.

-mel
0 Votes
+ -
Again, you're confusing the issue
georgeou 14th May 2007
WPA was never insecure. WPA/WPA2 with PSK can be insecure when improperly deployed with an easy-to-guess password. Same can be said with easy-to-guess pre-shared keys in VPN.

LEAP was never a good solution to begin with, but EAP-TLS has been around just as long and extremely secure. The fact that you don't know how to deploy it says more about you than it does about the technology. As for "load on Access Points", I haven't seen a single Access Point that slowed down by any significant measure with WPA/WPA2 TKIP or AES turned on. Some of the older ones slowed down a little for AES but none of the ones sold since 2003 have had an issue with AES.

IPv6 has nothing to do with the discussion. By the way, the 2008 mandate has been delayed to 2012. It will get delayed again after that.
IPv6 is highly germane, because it is currently the only available mechanism for convergence of encryption in the enterprise. Your claim that the government's IPv6 mandate has been delayed until 2012 is wrong. I don't know where you got that information, but nothing has been delayed, and many agencies and vendors are well on their way to IPv6 deployment.

Perhaps you are confused because the year 2012 is the expected date of IPv4 address exhaustion (the most optimistic date; a more realistic deadline is 2010). We're all going to have to contend with IPv6 within the next 24 months, making IPv6 an important factor in WiFi security planning.

Enterprises are bogging down in the mire of administering multiple encryption domains, and each new domain opens new vulnerabilities. IPv6 has IPSec built in at the session level, providing application-to-application encryption. IPv6 also obsoletes NAT, so secure point-to-point connections will be simple and ubiquitous across any media, including wireless.

Regarding AP encryption CPU loads, recent tests by Ixia on a wide range of WPA2-enabled APs showed that throughput drops to less than 50% when encryption is enabled, even with AES hardware assist. So the problem of AP encryption is real, measured, and not improving. The AP is the wrong place to do encryption.

And WPA is in fact crackable, due to fundamental flaws in the key exchange mechanisms. See "An Initial Analysis of the 802.1x Security Standard", Mishra A. et al, 2002 (http://www.cs.umd.edu/~waa/1x.pdf). WiFi PSK and IPSec PSK are two completely different mechanisms; WiFi PSK (and 802.1x) are much more vulnerable to cracking than IPSec PSK, due to the flawed key exchange mechanisms.

-mel
0 Votes
+ -
You're just wrong on all counts
georgeou 16th May 2007
IPv6 will most certainly not be implemented by next year by the Government. IPv4 will not run out in 2010, 2012 or 2020.

WPA2 with AES does not drop throughputs to 50%. You MIGHT be able to find some obscure product that does that, but not any I have ever seen.

The paper you're citing about 802.1x was dated 2002. Nothing practical ever came of it.
0 Votes
+ -
Referenced to back up my claims
mel@... 17th May 2007
>IPv6 will most certainly not be implemented by next year by the Government. IPv4 will not run out in 2010, 2012 or 2020.

The U.S. National Institute of Standards and Technology (NIST) has an announcement on their front page (http://www.antd.nist.gov/), dated today, announcing the draft IPv6 profile in support of the 2008 mandate. Presumably NIST, tasked with managing IPv6 technical rollout, would know of a postponement of the OMB 2008 mandate.

Incidentally, saying "IPv6 most certainly will not be implemented next year by the Government" is a straw-man argument. I never said it would be, and that's not what the mandate calls for. The mandate calls for IPv6 internal backbones and vendor interoperability by then.

Here are several papers where the expected exhaustion is between 2009 and 2016 (with data converging on 2012 with current IP address growth rates):

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_8-3/ipv4.html
http://www.nic.ad.jp/en/research/IPv4exhaustion_trans-pub.pdf
http://www.potaroo.net/ispcol/2005-11/numerology.html

>WPA2 with AES does not drop throughputs to 50%. You MIGHT be able to find some obscure product that does that, but not any I have ever seen.

I have tested WPA2/AES using the following Ixia methodology on enterprise APs from Cisco, Sonicwall, D-Link, Netgear, and Aruba. All of these have AES hardware assist. With 20 simultaneous users, throughput drops 50% with encryption enabled. Perhaps you are only testing one user?
http://www.ixiacom.com/library/test_plans/display?skey=testing_enterprise_wireless_lans

>The paper you're citing about 802.1x was dated 2002. Nothing practical ever came of it.

This paper is widely cited as the reason WPA was abandoned for WPA2. That's pretty practical. I found 35 citations of this paper in WiFi security research publications through January 2007 in one minute on Google.

I'd like to see your references for the postponement of the 2008 IPv6 mandate, IPv4 lasting beyond 2020, and WPA2/AES throughput tests with realistic user loads (not just one or two users). Can you share them?
0 Votes
+ -
You're changing your position
georgeou 17th May 2007
We're good for another 16 years on IPv4.
http://news.zdnet.com/2100-1009_22-1020653.html
http://blogs.zdnet.com/Ou/?p=367
You can't believe what vendors say about IPv6 since they're trying to drive up demand for new IPv6 gear. Vendors are salivating over IPv6 because it's a massive change that will mean a lot of money.

About the AES performance, I have not seen any performance hit on the gear you cited.

Again, there's no difference between WPA and WPA2 other than the fact that AES is mandated. The paper you cite is about 802.1x which has little to do with WPA versus WPA2 and nothing ever came of that. I spoke with Dr. Arbaugh about it a few years ago and he said it was some problems with Microsoft's default RADIUS configuration and some problem with EAP-TLS. I asked him a few years later about EAP-TLS and he really couldn't clarify what was changed with EAP-TLS. I'm not saying his research is faulty, just that it was never clarified on what changes it made.
0 Votes
+ -
Outdated reference
mel@... 17th May 2007
I assume you're abandoning your position that the US 2008 IPv6 mandate has been postponed to 2012.

Your claim, though, that we have 16 more years of IPv4 addresses is based on a four-year-old APNIC article that APNIC itself has recanted. APNIC's own Internet Research Scientist, Geoff Huston, produces the updated-daily IPv4 Report (http://www.potaroo.net/tools/ipv4/) that currently predicts IP exhaustion in 2010.

The 2003 editorial you cite assumed linear consumption of 5% of the remaining address space per year. But in the intervening four years, consumption has hit 10% of that 2003 pool per year. Today less than half of the IP addresses available in 2003 (which were supposed to last us twenty years) remain unallocated.

I'm citing up-to-the-minute current statistics that anyone can verify. I'm open to refutation. The allocation rates and pool sizes are public knowledge, and the math is not hard. Show me how IPv4 addresses won't run out by 2010 (or even 2012). Barring an economic collapse or mathematical miracle, Huston's predictions are hard to deny.

Regarding AES encryption performance, it sounds like you haven't conducted any serious tests with repeatable data sets and significant numbers of users. At least, if you have, you haven't said so.

-mel
You keep mentioning reputable sources but you link to non-reputable sources. Which is it? The government will not switch to IPv6 by 2008 nor will it complete it by 2012.

You keep citing AES figures but the link you point to has nothing that backs up your claim. Either back up your claims with some hard numbers and research or please stop wasting my time.
0 Votes
+ -
Readers may be interested in Geoff Huston's real-time IPv4 address report, updated daily with the latest IPv4 allocation information:

http://www.potaroo.net/tools/ipv4/

The report currently predicts Oct 10, 2010 as the date the world runs out of unallocated IPv4 addresses. It uses real-time data from Internet registries and routing tables to quantify IP address growth and extend that growth to the projected exhaustion point. The report is completely transparent, providing direct access to all intermediate measurements and calculations, so that any reasonably intelligent technologist can verify the report's methodology.

The author fairly considers many possible mitigating factors, which makes his predictions almost certainly overly optimistic. For example, he computes the possible ameliorating effects of users reclaiming previously allocated but currently unused IP space (a very expensive process). Conversely, he specifically excludes the "IP address rush" likely to occur as exhaustion nears -- the hoarding phenomenon seen in virtually every free market economy when supply goes to zero.

The same author also has a fascinating presentation entitled "The Oracle Bones of IPv4", given at the 2005 APNIC conference:

http://www.apnic.net/meetings/22/docs/plenary-pres-huston-ipv4.pdf

-mel
0 Votes
+ -
Utterly ridiculous
georgeou 17th May 2007
See my other reply. We're good for another 16 years at current rate.
0 Votes
+ -