On Fri, Apr 18, 2014 at 12:35 AM, Cory (NQ1E) <cory(a)nq1e.hm> wrote:
Unfortunately, none of the wifi security protocols (including WPA with
802.1x) support an authentication-only mode. They all require the traffic
to be encrypted as private and unreadable to others. There's also not a
whole lot we can do about that since these protocols are baked into the
actual wifi chipsets and cannot be modified without a great deal of
resources.
However, if rule 97.105 applies, this shouldn't matter as it would be deemed
necessary to "maintain control of your station".
Since there is no ideal way to both secure layer 2 and remain legal, HamWAN
solves this problem at layer 3 by taking advantage of the
authentication-only features of IPSec called IPSec(AH) or Authentication
Header. When two routers are connected to each other over an RF link, they
use the link-local non-routable address space (169.254.0.0/16) on the air
so they can speak to just each other. However, those IPs only listen for
IPSec(AH) traffic when authenticated with a valid certificate. They can
then create a cleartext non-private "VPN" tunnel that allows them to pass
traffic for the real network between themselves. Anyone can monitor this
traffic, which is good. However, it cannot be successfully altered in
transit or spoofed by pirates, which is also good. :)
Totally get this idea and it's not bad at all as it lends to transparency.
AH would be the minimum required for authentication for 97.105, but
stacking SSL for websites probably would run contrary to the 97.113 rule.
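Both messages above turn on the same property of AH: the packet on the air is cleartext, but its integrity and origin are bound to a key that only the two certificate-authenticated routers hold. The following is an added example, not HamWAN's configuration or code, that builds and verifies a transport-mode IPv4 + AH packet (RFC 4302 layout, HMAC-SHA-256-128 ICV) between two constructed link-local addresses so the four cases a practitioner cares about can be checked directly: a bystander can read the payload, a tampered payload fails verification, a packet built with the wrong key (a "pirate" without the certificate-derived key) is rejected, and a replayed packet is rejected, while a legitimate in-transit change such as a TTL decrement still verifies because mutable IP fields are excluded from the ICV. The shared key, SPI, addresses and payload are all constructed for illustration; in the real system the key would come from IKE after certificate authentication, and the anti-replay check here is a simplified seen-set rather than a sliding window.

```python
"""Minimal IPv4 + IPsec AH (transport mode) builder/verifier.

Added example to illustrate the authentication-only property of AH:
readable by anyone, unforgeable and tamper-evident without the key.
All addresses, keys and payloads below are constructed for illustration.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51          # IP protocol number for Authentication Header
ICV_LEN = 16           # HMAC-SHA-256-128 truncates the MAC to 128 bits (RFC 4868)
AH_HDR_LEN = 12        # next-hdr, payload-len, reserved, SPI, sequence number

# Constructed values: stand-ins for what IKE would negotiate after cert auth.
SRC = "169.254.10.1"   # link-local endpoints as described in the thread
DST = "169.254.10.2"
SPI = 0x1000
KEY = hashlib.sha256(b"constructed demo key, not a real SA key").digest()


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: DSCP/ECN, flags+fragment offset, TTL and header checksum are
    mutable in transit and are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    data = _zero_mutable(ip_hdr) + ah_no_icv + b"\0" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_encapsulate(key: bytes, spi: int, seq: int, src: str, dst: str,
                   inner_proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Wrap a cleartext payload in IPv4 + AH; nothing is encrypted."""
    ah_len = AH_HDR_LEN + ICV_LEN
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO, ttl)
    ah_no_icv = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def ah_verify(key: bytes, packet: bytes, expected_spi: int, seen_seqs: set):
    """Return (next_header, payload) if the packet is AH, keyed by `key`,
    untampered and not replayed; otherwise None. Anti-replay is a simplified
    seen-set, not the RFC sliding window."""
    ip_hdr = packet[:20]
    if len(packet) < 20 + AH_HDR_LEN + ICV_LEN or ip_hdr[9] != AH_PROTO:
        return None                       # only AH traffic is listened for
    ah = packet[20:]
    next_hdr, paylen, _, spi, seq = struct.unpack("!BBHII", ah[:AH_HDR_LEN])
    ah_total = (paylen + 2) * 4
    icv, payload = ah[AH_HDR_LEN:ah_total], ah[ah_total:]
    if spi != expected_spi or seq in seen_seqs:
        return None
    if not hmac.compare_digest(ah_icv(key, ip_hdr, ah[:AH_HDR_LEN], payload), icv):
        return None
    seen_seqs.add(seq)
    return next_hdr, payload


def decrement_ttl(packet: bytes) -> bytes:
    """What an intermediate router legitimately does to a forwarded packet."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\0\0"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:20])))
    return bytes(p)


def demo() -> dict:
    payload = b"HELLO HAMWAN"             # constructed cleartext payload (UDP, proto 17)
    pkt = ah_encapsulate(KEY, SPI, 1, SRC, DST, 17, payload)
    seen = set()
    good = ah_verify(KEY, pkt, SPI, seen)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    pirate_key = hashlib.sha256(b"attacker without the certificate").digest()
    spoofed = ah_encapsulate(pirate_key, SPI, 2, SRC, DST, 17, b"BOGUS ROUTE")
    return {
        "payload": None if good is None else good[1],
        "readable_on_air": payload in pkt,                    # no encryption at all
        "tamper_rejected": ah_verify(KEY, tampered, SPI, set()) is None,
        "ttl_change_ok": ah_verify(KEY, decrement_ttl(pkt), SPI, set()) is not None,
        "spoof_rejected": ah_verify(KEY, spoofed, SPI, set()) is None,
        "replay_rejected": ah_verify(KEY, pkt, SPI, seen) is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `_zero_mutable` step is the detail most often got wrong when people hand-roll this: if TTL or the header checksum were covered by the ICV, every hop on a multi-router path would break authentication, so the RFC excludes them, and the example shows a TTL-decremented packet still verifying while a one-bit payload change does not.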