[asterisk-users] Recommendations for 100 Wifi SIP phone setup

Robert Moskowitz rgm at htt-consult.com
Mon Nov 26 09:59:42 CST 2007


I would like to share some facts about wifi and wifi security vis-a-vis 
wifi phones.

First off, it takes REAL time to negotiate the 4-way-handshake.  Not 
even thinking about the 802.1X authentication.  Thus a person walking at 
a normal rate, going through a door will find themselves disconnected 
from the AP on the one side of the door and trying to connect to the AP 
on the other side.  This can result in a loss of connectivity exceeding 
the ITU's 50ms max outage time (cellular systems have always targeted 35ms).

This is part of the reason why I added PSKSA caching to the standard 
(yeah, the whole SA nomenclature was my doing, lifting it from my IPsec 
work).  The problem is moving the PSKSA cache around the APs.  802.11F 
was rejected by the vendors as a solution (and I did the security on 
that).  Thus was born thin APs with the security SAs held back in the 
switch and work on the 802.11r addendum (and is that ever a kitchen sink).

So if you want more than WEP, you NEED one of the thin AP solutions for 
mobile devices like phones.  Also you need some good processing power 
and code space (boy did the Spectralink engineer scream).  So, yeah, 
real wireless security is a real problem on handhelds.

Of course, in the end we will need 802.11s for real mobility in a large area.

Oh, and security with DECT is a REAL question.  There is too much 
handwaving and smoke (i.e. we can't tell you).  So I would not be 
surprised that if you are thinking DECT, don't worry about WEP over WPA.


Push for DTLS for security in mobile devices.  Of course that needs 
Diffie-Hellman and they scream about that.  Though the ECC variant is 
already used for GSM, so there is hope.  And don't even mention RSA 
operations.  But again we do see some of the ECC algorithms in GSM 
devices; most of the manufacturers in the GSM field are willing to pay 
the patent royalties demanded.




