[isf-wifidog] immediate user disconnect feature

acv acv at miniguru.ca
Mon Apr 28 14:20:43 EDT 2008


On Mon, Apr 28, 2008 at 08:12:49PM +0200, Wichert Akkerman wrote:
> 
> I also want to protect against people trying to 'play' with sessions
> from other users. If people get randomly disconnected because someone is
> triggering disconnects I'm going to get support calls and complaints. 

	In wifidog, the unsecured side of the gateway is normally on a
different network interface than the "secured" (internet / lan / dmz)
interface. So normal users can only sniff the activity of the unsecured
network. They do see the token pass by but a token should not be
re-usable.

> Since the login redirect to the gateway will always use http and
> typically an unencrypted wireless network is used I have to assume that
> the IP address, MAC address and token for all users are known.

	Yes. But the token is of no practical use once it has been
"consumed". Or at least that was the assumption back in 2003 when the
protocol was designed. If the token is being overloaded with a further
function such as the disconnect then that is a problem. The disconnect
function must then get an authentication wrapper since the token no
longer provides that. *Prior* to authentication the token is "secure"
and it immediately becomes suspect.

Alex
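
One way to give a disconnect function the authentication wrapper called for above, as an added example that is not part of the original message or of WiFiDog's code. The shared secret, the signed field layout and the `Gateway` class are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret provisioned on both the gateway and the auth server,
# never sent over the unsecured wireless side. Constructed value.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW = 30  # seconds a signed disconnect request stays valid


def sign_disconnect(secret, mac, ip, ts, nonce):
    """Auth-server side: HMAC over the fields that identify the session."""
    msg = "|".join(["disconnect", mac.lower(), ip, str(ts), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, secret):
        self.secret = secret
        self.pending_tokens = {}   # token -> (mac, ip), valid until consumed
        self.sessions = set()      # (mac, ip) pairs currently allowed out
        self.seen_nonces = set()   # replay protection for disconnects

    def issue_token(self, token, mac, ip):
        self.pending_tokens[token] = (mac.lower(), ip)

    def login(self, token):
        """A token authenticates exactly once; afterwards it is worthless."""
        client = self.pending_tokens.pop(token, None)
        if client is None:
            return False
        self.sessions.add(client)
        return True

    def disconnect(self, mac, ip, ts, nonce, sig, now=None):
        """Accept a disconnect only with a fresh, valid signature.
        Knowing mac, ip and the consumed token is not enough."""
        now = time.time() if now is None else now
        expected = sign_disconnect(self.secret, mac, ip, ts, nonce)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False
        if abs(now - ts) > MAX_SKEW or nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        self.sessions.discard((mac.lower(), ip))
        return True
```

With this wrapper, the IP address, MAC address and token that are visible on the open wireless side do not let another client trigger a disconnect, and a captured signed request cannot be replayed once its nonce is recorded or its timestamp is stale.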