Perry E.Metzger wrote:
Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx> writes:
"Franck" == Franck Martin <franck@xxxxxxxxx> writes:
Franck> My question, how can we deployed WiFi networks in town for global Franck> roaming with SIP phones when the IETF itself has trouble to Franck> deploy it...
Franck> Is there something wrong in the WiFi protocol that needs fixing?
Yes, despite all of 802.11i, the beacons are not authenticated.
There are other problems too. The fact that 802.11 tries to be reliable by doing its own retransmits results in massive congestive collapse when a protocol like TCP is run over it. The designers did not read our documents on requirements for link layers. A knob that allowed you to turn off (or at least tune down) the retransmission on a network would be very valuable, but I know of no gear that does that. Also, 11b has a poorly selected set of channels that overlap.
My biggest piece of advice, though, to those setting up such networks
is to deploy monitoring stations in addition to deploying base
stations. That way you'll have some idea of how performance is doing
without needing your users to tell you that there is a problem.
In the presence of ARP spoofing, 802.11i, either with TKIP or CCM will not provide any guarantees of security.
My advise would be to continue to place your 802.11 networks out in front of an IPSec gateway.