[Ham-80211] Access control suggestions

dubose at texas.net dubose at texas.net
Tue Nov 2 14:07:44 UTC 2004


Please don't get "overly" concerned about access restrictions.

Remember that just as repeaters are open...they are however on amateur radio
frequencies...this does not prevent someone who is not licensed from
transmitting on that frequency.  You take normal precautions against improper use.

With 802.11b you are sharing the frequency with un-licensed individuals so you
need to make a reasonable attempt to restrict access to your AP/network/your rig
if any of these are operating under Part 97.

MAC, IPs in the 44. domain or a published WEP are a reasonable attempt to prevent
unauthorized access to your Part 97 operation.  Clearly if you see unauthorized
operation as the station controller, you take appropriate action but other than
that, if you believe that you have taken reasonable care to prevent unauthorized
access, then that solves the problem....but feel free to lock it down as tight
as you please.

I have chosen to use the Public WEP key published on the ARRL/HSMM web pages.

Walt/K5YFW


> On Mon, Nov 01, 2004 at 09:31:28AM -0800, Steven Phillips wrote:
> > That still leaves one question open.  The AP is still
> > being used under part 97 rules.  Is using static IP
> > assignments under AMPRNET sufficient access
> > restriction?  Part 15 users can still connect to the
> > AP, but they will not get any network access and can't
> > do anything beyond connecting to the AP.  This is
> > because they will not have an IP address.  The only
> > exception I can think of is if the general public
> > discovers the AMPRNET IP scheme and assigns themselves
> > an IP address?  Simple solution.  When a person
> > applies for access to the network, require them to
> > provide the unique MAC address of their WLAN card(s)
> > and do a MAC check during authentication.  If a person
> > does spoof an IP, they still won't have access because
> > they do not have an authorized MAC address.
> > 
> > So, there's my $20 worth.  Let me know what you think
> > and if you have any thoughts about my suggestions.
> > 
> 
> Steve,
> 
> MAC authentication is very weak.  One need only eavesdrop on your AP to
> find out the authorized MACs.  Ditto IP address authentication.
> 
> Keep in mind that for a person to "operate" your Part 97 AP, their
> computer needs only to send your AP an 802.11 packet.  Virtually any
> 802.11 management request (Probe, Authentication, Association) will induce
> your AP to send a response.  Also, your AP will probably produce a CTS
> response to any RTS packet, regardless of the RTS-sender's authentication
> status.  Sending your AP a data packet will likewise yield an 802.11 ACK,
> or even a Deauthenticate response.  As a matter of course, your Part 97 AP
> is going to receive Probe Requests from 802.11 stations that are scanning
> for APs.  A clever and malicious person may be able to make your Part
> 97 AP send a flood of packets all day long, without ever authenticating.
> 
> Dave
> 
> -- 
> David Young             OJC Technologies
> dyoung at ojctech.com      Urbana, IL * (217) 278-3933
> 