> Isn't this just a "don't do that, then" scenario? Plugging in a hub
> tends to undermine much of the accountability 802.1X is supposed to
> provide.

Sure, except that the cost of "don't do that" is rather high -- a switch port for every host.

> Anyway, 802.1X is terminally broken because end users can rewire that
> port and bypass security policies (put a laptop with bridging software
> onto it, plug in a hub, and so on).

The issue here is not key exchange; it's the lack of data protection. IEEE 802.11i derives a unique key per STA MAC, using it to key link layer ciphersuites providing encryption/integrity/replay protection, which eliminates piggybacking. Yet it relies on 802.1X. My understanding is that 802.1ae/af will also solve the problem, by enabling "virtual ports".

> It's very hard to solve this problem at a sub-IP layer

I think the point is that there is a significant need (at least in the short term) for a transitional solution. Enterprise WPA/WPA2 is being deployed, albeit perhaps more slowly than we'd like. Moving the problem up a layer doesn't really address expense/deployment concerns that much, especially since IPsec acceleration chipsets ship in much lower volumes than, say, chipsets supporting 802.11, 802.3 or other link layer technologies. At the end of the day, there is significant appeal in being able to roll out solutions that don't require forklift upgrades.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
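The per-STA keying the message refers to, as an added example that is not part of the thread: the IEEE 802.11i pairwise key (PTK) derivation, a PRF over the PMK, both MAC addresses and both handshake nonces, showing that two stations sharing one PMK still end up with distinct link-layer keys. The PMK, MAC addresses and nonces below are constructed sample values, not a capture or a standard test vector.

```python
import hashlib
import hmac
from math import ceil


def prf(key: bytes, label: bytes, data: bytes, bits: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1 blocks, truncated to n bits.

    Block i is HMAC-SHA1(key, label || 0x00 || data || i).
    """
    out = b""
    for i in range(ceil(bits / 160)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               bits: int = 384) -> bytes:
    """Pairwise Transient Key for one station (CCMP uses 384 bits, TKIP 512).

    MACs and nonces are ordered so both sides compute the same value whichever
    one is the authenticator.  Because the STA's MAC (spa) is an input, every
    station gets its own PTK even though all of them may share one PMK.
    """
    assert len(aa) == 6 and len(spa) == 6 and len(anonce) == 32 and len(snonce) == 32
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, bits)


def split_ptk(ptk: bytes) -> dict:
    """CCMP layout of a 384-bit PTK: KCK (16) || KEK (16) || TK (16)."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample values for the demonstration.
PMK = bytes.fromhex("0b" * 32)
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
OTHER_STA_MAC = bytes.fromhex("66778899aabc")   # differs in the last octet only
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def stations_get_distinct_keys() -> bool:
    """Same PMK, same nonces, different STA MAC: the PTKs must differ."""
    ptk_a = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)
    ptk_b = derive_ptk(PMK, AP_MAC, OTHER_STA_MAC, ANONCE, SNONCE)
    return ptk_a != ptk_b


if __name__ == "__main__":
    print(split_ptk(derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)))
```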