[174906] in North American Network Operators' Group
Re: Marriott wifi blocking
daemon@ATHENA.MIT.EDU (Chris Marget)
Sat Oct 4 15:06:09 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <890706.4267.1412448462617.JavaMail.root@benjamin.baylink.com>
Date: Sat, 4 Oct 2014 15:06:01 -0400
From: Chris Marget <chris@marget.com>
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Sat, Oct 4, 2014 at 2:47 PM, Jay Ashworth <jra@baylink.com> wrote:
>
> ----- Original Message -----
> > From: "Chris Marget" <chris@marget.com>
>
> > You [I] said:
> >
> > > It is OK for an enterprise wifi system to make this sort of attack
> > > *on rogue APs which are trying to pretend to be part of it (same
ESSID).
> >
> > I'm curious to hear how you'd rationalize containing a copycat AP
> > under the current rules.
> >
> <snip>
>
> > The "need to manage our RF space" arguments ring hollow to me. I
certainly
> > understand why someone would *want* to manage the spectrum, but that's
> > just not anyone's privilege when using ISM bands. If the need is great
> > enough, get some licensed spectrum and manage that.
>
> I wasn't making that argument.
Yes, sorry. I presented two arguments. Only the one about copycat SSIDs is
yours.
> I was making the "if someone tries to pretend to be part of my network,
> so that my users will inadvertantly attach to them and possibly leak
> 'classified' data, *then that rogue user is making a 1030 attack on my
> network*.
>
> > A copycat AP is unquestionably hostile, and likely interfering with
users,
> > but I'm unconvinced that the hostility triggers a privilege to attack it
> > under part 15 rules. In addition to not being allowed to interfere, we
also
> > have:
>
> You're not attacking it, per se; you are defensively disconnecting from
> it *users who are part of your own network*; these are endpoints *you are
> administratively allowed to exert control over*, from my viewpoint.
Okay, so we're not talking about wholesale containment of the copycat AP,
but rather management of our own client devices which, by definition, we
can't interfere with. Because they're ours.
That approach sounds perfectly reasonable. I wonder, absent certificates,
how one can be certain about the identity of the client, and if such a
narrowly scoped containment mechanism is actually implemented by the
various checkboxes available to enterprise wifi administrators.
> I make a clear distinction (now that it's not 3am :-) between what
Marriott
> is doing, and what enterprises doing rogue protection are doing, as noted
> above.
Is it clear exactly what "enterprises going rogue protection" are up to?
I've asked several, gotten wildly different answers. Keeping "my clients"
off "copycat APs" sounds reasonable. More aggressive action might not be.
Thanks.
