[asterisk-users] IEEE 802.1x capable sip phones

Robert Moskowitz rgm at htt-consult.com
Thu Jan 10 08:29:21 CST 2008



Olivier wrote:
>
>     When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow
>     and long time worker on 802.1 and other layer 2 standards) said it
>     well:
>
>     Layer 2 security protects and addresses the liabilities of the
>     network owner
>     Layer 3 security protects and addresses the liabilities of the
>     system owner
>     Layer 4 security protects and addresses the liabilities of the
>     application owner
>     Data security (anything above 4) protects and addresses the liabilities
>     of the data owner
>
>     Think about it.  You are on a 802.11 phone.  Anyone there
>
>
> That's the point: at least, you're certain those guys are using the 
> devices you provided them with.
> So, for instance, you don't have an unknown PC spoofing a hardphone.
> You know which PC spoofed other devices, and that PC's user had to 
> authenticate sometime before.
> That's not perfect, maybe not enough, but this is what 802.1X is all 
> about.
That is why we did 802.1X for 802.3.  But Authentication is worthless 
for protection if you do not have per-packet authentication.  On 802.3 
they initially took the stance that there is only one device on the 
wire, so don't worry about session stealing.  Now we have 802.1AE to fix 
this.

With 802.11, 802.1X was worthless without 802.11i (that was the hole of 
802.1X and WEP).

Once you authenticate the device, you MUST authenticate every packet 
from the device.  There were some that just did not get that...
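The distinction drawn above (port authorization once at the start of a session versus authentication of every frame afterwards, which is what 802.1AE adds on top of 802.1X) can be shown with a small model. The following is an added example, not code from the thread or from any 802.1X/802.1AE implementation: it is a toy switch port that tracks an "authorized" flag, and a second toy port that additionally checks a MACsec-style integrity check value and packet number on every frame using a session key assumed to have come out of the authentication exchange. All keys, addresses and payloads are constructed.

```python
"""Toy model: port-based authorization alone vs. authorization plus
per-frame authentication. Constructed example; not real 802.1X/802.1AE code."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    payload: bytes
    pn: int = 0        # packet number, used for replay protection
    icv: bytes = b""   # integrity check value (empty = unauthenticated frame)


class PortAuthOnlySwitch:
    """802.1X on 802.3 as originally deployed: once a supplicant has
    authenticated, the port is authorized and every frame seen on it is
    forwarded, whoever actually sent it."""

    def __init__(self) -> None:
        self.authorized = False

    def authenticate(self, success: bool) -> None:
        self.authorized = success

    def accept(self, frame: Frame) -> bool:
        return self.authorized


class PerFrameAuthSwitch:
    """Port authorization plus a per-frame check keyed by a session key
    (assumed to be derived during authentication). Frames with a bad ICV
    or a reused packet number are dropped, so an unkeyed sender on the
    same segment cannot ride the authorized port."""

    ICV_LEN = 16

    def __init__(self) -> None:
        self.session_key: bytes | None = None
        self.highest_pn = -1

    def authenticate(self, success: bool, session_key: bytes) -> None:
        self.session_key = session_key if success else None
        self.highest_pn = -1

    @staticmethod
    def icv(key: bytes, frame: Frame) -> bytes:
        # Authenticate source address, packet number and payload together.
        msg = frame.src_mac.encode() + frame.pn.to_bytes(4, "big") + frame.payload
        return hmac.new(key, msg, hashlib.sha256).digest()[: PerFrameAuthSwitch.ICV_LEN]

    def accept(self, frame: Frame) -> bool:
        if self.session_key is None:
            return False
        if frame.pn <= self.highest_pn:
            return False  # replayed or out-of-window packet number
        if not hmac.compare_digest(self.icv(self.session_key, frame), frame.icv):
            return False  # sender does not hold the session key
        self.highest_pn = frame.pn
        return True


def demo() -> dict:
    """Run the same three frames through both models and return the verdicts."""
    key = hashlib.sha256(b"constructed session key").digest()  # constructed
    mac = "00:11:22:33:44:55"                                   # constructed

    port_only = PortAuthOnlySwitch()
    port_only.authenticate(True)
    per_frame = PerFrameAuthSwitch()
    per_frame.authenticate(True, key)

    # Frame from the device that actually authenticated (it holds the key).
    legit = Frame(mac, b"INVITE sip:bob@example.invalid", pn=1)
    legit.icv = PerFrameAuthSwitch.icv(key, legit)
    # Frame from another station on the segment using the same address but
    # without the session key, so it carries no valid ICV.
    unkeyed = Frame(mac, b"INVITE sip:bob@example.invalid", pn=2)
    # The legitimate frame captured and re-sent unchanged.
    replay = Frame(mac, legit.payload, pn=legit.pn, icv=legit.icv)

    return {
        "port_only": {
            "legit": port_only.accept(legit),
            "unkeyed": port_only.accept(unkeyed),
            "replay": port_only.accept(replay),
        },
        "per_frame": {
            "legit": per_frame.accept(legit),
            "unkeyed": per_frame.accept(unkeyed),
            "replay": per_frame.accept(replay),
        },
    }


if __name__ == "__main__":
    for model, verdicts in demo().items():
        print(model, verdicts)
```

The port-only model forwards all three frames, which is the session-stealing hole the message describes; the per-frame model forwards only the frame produced by the holder of the session key and rejects the replay by packet number. Real MACsec uses AES-GCM with a replay window rather than HMAC and a strict counter, but the defensive property is the same.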
