----- Original Message -----
From: "Chris Marget" <chris@marget.com>
You [I] said:
It is OK for an enterprise wifi system to make this sort of attack *on rogue APs which are trying to pretend to be part of it (same ESSID).
I'm curious to hear how you'd rationalize containing a copycat AP under the current rules.
In fact, I remain fuzzy on when spoofed de-auth frames would *ever* be okay when used against unwilling clients within the FCC's jurisdiction given their position that spoofed control frames constitute interference under part 15 rules.
This thread and similar discussions elsewhere contain assertions that enterprise networks "need to defend themselves" in some circumstances, or that "containing" an AP with a copycat SSID would certainly be okay.
I'm not so sure.
The "need to manage our RF space" arguments ring hollow to me. I certainly understand why someone would *want* to manage the spectrum, but that's just not anyone's privilege when using ISM bands. If the need is great enough, get some licensed spectrum and manage that.
I wasn't making that argument. I was making the "if someone tries to pretend to be part of my network, so that my users will inadvertantly attach to them and possibly leak 'classified' data, *then that rogue user is making a 1030 attack on my network*.
A copycat AP is unquestionably hostile, and likely interfering with users, but I'm unconvinced that the hostility triggers a privilege to attack it under part 15 rules. In addition to not being allowed to interfere, we also have:
You're not attacking it, per se; you are defensively disconnecting from it *users who are part of your own network*; these are endpoints *you are administratively allowed to exert control over*, from my viewpoint.
2. This device must accept any interference received, including interference that may cause undesired operation.
Certificate-based authentication would solve that problem anyway, wouldn't it?
Probably. And yes, any system big enough to do this stuff is likely big enough to run 1x as well.
A "rogue" AP plugged into a wired port is best solved at the wired port,
I'm not sure anyone was actually mooting this.
Even large private campuses like oil refineries probably wouldn't be in the clear doing this sort of thing unless they're able to stop law enforcement, delivery drivers, paramedics and firefighters at the gate in order to get them to agree to receive spoofed de-auth frames.
Again: you've shifted topics here from "enterprise rogue protection" (stay off *my* ESSID) to "Marriott Attack" (stay off all ESSIDs that *aren't* mine); different thing entirely. I make a clear distinction (now that it's not 3am :-) between what Marriott is doing, and what enterprises doing rogue protection are doing, as noted above. Still not a lawyer. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274