nanog mailing list archives

Re: Marriott wifi blocking


From: Jay Ashworth <jra () baylink com>
Date: Sat, 4 Oct 2014 14:47:42 -0400 (EDT)

----- Original Message -----
From: "Chris Marget" <chris () marget com>

You [I] said:

It is OK for an enterprise wifi system to make this sort of attack
*on rogue APs which are trying to pretend to be part of it (same ESSID).

I'm curious to hear how you'd rationalize containing a copycat AP
under the current rules.

In fact, I remain fuzzy on when spoofed de-auth frames would *ever* be okay
when used against unwilling clients within the FCC's jurisdiction given
their position that spoofed control frames constitute interference under
part 15 rules.

This thread and similar discussions elsewhere contain assertions that
enterprise networks "need to defend themselves" in some circumstances,
or that "containing" an AP with a copycat SSID would certainly be okay.

I'm not so sure.

The "need to manage our RF space" arguments ring hollow to me. I certainly
understand why someone would *want* to manage the spectrum, but that's
just not anyone's privilege when using ISM bands. If the need is great
enough, get some licensed spectrum and manage that.

I wasn't making that argument.

I was making the "if someone tries to pretend to be part of my network,
so that my users will inadvertently attach to them and possibly leak
'classified' data, *then that rogue user is making a 1030 attack on my
network*."

A copycat AP is unquestionably hostile, and likely interfering with users,
but I'm unconvinced that the hostility triggers a privilege to attack it
under part 15 rules. In addition to not being allowed to interfere, we also
have:

You're not attacking it, per se; you are defensively disconnecting from
it *users who are part of your own network*; these are endpoints *you are
administratively allowed to exert control over*, from my viewpoint.

2. This device must accept any interference received, including
interference that may cause undesired operation.

Certificate-based authentication would solve that problem anyway,
wouldn't it?

Probably.  And yes, any system big enough to do this stuff is likely
big enough to run 1x as well.

A "rogue" AP plugged into a wired port is best solved at the wired port,

I'm not sure anyone was actually mooting this.

Even large private campuses like oil refineries probably wouldn't be in the
clear doing this sort of thing unless they're able to stop law enforcement,
delivery drivers, paramedics and firefighters at the gate in order to get
them to agree to receive spoofed de-auth frames.

Again: you've shifted topics here from "enterprise rogue protection" (stay
off *my* ESSID) to "Marriott Attack" (stay off all ESSIDs that *aren't*
mine); different thing entirely.

I make a clear distinction (now that it's not 3am :-) between what Marriott
is doing, and what enterprises doing rogue protection are doing, as noted
above.

Still not a lawyer.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

