Re: Wireless Network in Public Places Options
From: Jeff Liebermann (jeffl_at_comix.santa-cruz.ca.us)
Date: 02/13/05
- Next message: Gordon J. Rattray: "SFC..."
- Previous message: Steven L Umbach: "Re: an FTP site has appeared in my network places"
- In reply to: Floyd L. Davidson: "Re: Wireless Network in Public Places Options"
- Next in thread: Floyd L. Davidson: "Re: Wireless Network in Public Places Options"
- Reply: Floyd L. Davidson: "Re: Wireless Network in Public Places Options"
- Reply: Floyd L. Davidson: "Re: Wireless Network in Public Places Options"
Date: Sun, 13 Feb 2005 10:30:37 -0800
On Sun, 13 Feb 2005 01:58:05 -0900, floyd@barrow.com (Floyd L.
Davidson) wrote:
>If you *can't* get the AP to bridge, then all this esoteric
>techie "commentary" of yours means nothing.
We may be arguing semantics here. To the best of my knowledge, a
wireless router (such as the WRT54G) is a wireless bridge (also known
as an access point) with an ethernet router hung on one of the
switched ports. (A switch is a multi-port bridge). Therefore, if I
ignore the router section of the wireless router, the WRT54G is
nothing more than an access point, which does bridging. However, I
will concede that the manner in which it bridges can be affected by
replacement firmware. I will NOT concede that tweaking the router,
that's not even in the data path, will do anything useful to affect
the bridging between wireless clients.
>The appropriate
>hardware *is* available, your point has no merit, and all you
>are saying is that installing the wrong equipment will provide
>the wrong results. That's not news, and not interesting to me
>or probably to the OP either.
Well, I admitted that I didn't have a specific recommendation for
specific hardware. I also indicated that I was posting how I thought
it should work. If this is deemed useless drivel, then I'll stop and
blunder onward to something else. Had I known this discussion
would grow to acrimonious levels, I probably would have simply found a
commercial product with Google, and offered a ready to run solution.
However, I'm weird and prefer technical debates to product searches.
>>I'm not sure how the WRT54G works.
>So I noticed.
Well, I have a WRT54G v1.1 sitting in the office that I could test.
I'm not thrilled with the time it takes to replace the firmware, but
I'm willing if I can find the time. There are also a few hot spots
running in the area:
http://www.thirdbreak.org/hotspots.html
which are running mostly WRT54G hardware with alternative firmware. I
guess this would be easier than modifying my own. I'll let you know
what I find. It's gonna be weird walking in with two laptops, but
I've done stranger things in the past. I'll also ask on their mailing
list.
>>The problem is finding a location that can hear both the access point
>>and the client at the same time in order to capture both sides of the
>
>Which is even less critical than locating the above "access
>point simulator". You can't argue one is easy and the other is
>not easier.
Ok, you're correct. I've done some sniffing and found it to be rather
difficult. However, that was sniffing point to point links and not in
a cafe hot spot. Sniffing inside a hot spot is easy. From outside,
it's tricky, again depending upon location.
>>Got it. Wifi absorbent wallpaper:
>> http://www.newscientist.com/article.ns?id=dn6240
>
>Now we are down to where every hotel conference room needs to be
>Tempest proof... ;-)
Well, I just thought it might be an "interesting" solution. I showed
it to a few of my customers and was asked to get details and quotes.
However, they wanted it for the cafeteria in the hope that the
microwave oven leakage could be reduced. I told them cleaning the
door seals would be cheaper and more useful.
>> "Warning. Unencrypted WiFi may be dangerous to your security".
>I'm sure the hotel's General Counsel would approve, once another
>line is added:
> "The customer is responsible for their own data encryption."
Most sane hotspot operators have already done that. For example:
http://selfcare.hotspot.t-mobile.com/security.htm
>>Well, a simple traceroute will usually detect the extra hop.
>Traceroute won't even show that the WRT54G is there, never mind
>an intruder.
Oops, you're half right. With a man in the middle attack, the extra
(laptop) router in the path will show up only if set to respond to
ICMP or UDP pings. I guess that can be disabled. However, it would
still show up as a "hop" in traceroute, although no info would be
returned.
>>Sigh. AP's don't route...they bridge. AP's don't have routers. AP's
>Sigh. The WRT54G is an AP that routes. Probably others do too.
I don't suppose it would help if I repeat myself once more. An access
point is a wireless bridge, not a wireless router. Can we agree on
the terminology? Your "...AP that routes" is a wireless router or a
box with an access point and a router.
>Think wrong equipment, get wrong results. Don't install a
>bridge, install a router. (Get one with an AP built in... :-)
My contention is that by installing a wireless router, you end up with
the equivalent of a wireless access point, and a router, in one
package. The bridge part still functions as a bridge or access point,
when the router is not being used. I think what we're arguing about
is how the access point part of the puzzle works.
>>It's possible that your customized WRT54G firmware does it
>>correctly. However, I'm suspicious. It's easy enough to test.
>
>I'm suspicious myself. That's why I checked to see if your
>analysis was correct, by testing it for myself. The difference
>is that I did the testing *before* I started writing...
If I'm wrong, I'll gladly admit it. A trip to the local hot spot
should be sufficient. I'll do it today and see. I wasn't aware that
there was a point of contention when I first replied and therefore
didn't verify my statements with prior testing. I agree that it's a
good idea to test before one posts, but that's also impractical and
time consuming.
>What do you mean "Nope."??? I described hardware that *does* do
>exactly that. The number of _other_ equipments that you've
>looked at which do not, has no significance.
If you're right, I'll admit I'm wrong, apologize, and go away and
sulk. (I hate being wrong). We can then live happily ever after.
However, I wanna do my own testing first.
>>Sorry. I missed the example. How do you control broadcasts by
>>routing? Without a destination address, there's no way to direct
>>broadcasts anywhere. That's why it had to be done on Layer 2 with
>>VLAN 802.1q.
>
>So tell us what happens when the broadcast packet hits a router?
>Is that done in Layer 2, according to VLAN 802.1q???
With a VLAN, there's a few extra bytes tacked onto each packet that
labels the virtual LAN in which the packet belongs. It's all layer 2.
The tags are also attached to broadcasts, so that the switch knows
which VLAN the packets need to stay inside. It's really kinda cool
with wireless as it cuts down on excessive broadcast traffic. Here's
a wireless VLAN implementation.
http://www.cpx.com/whitepapers/Compex%20Psuedo%20VLAN.pdf
>You responded to the OP's summary dismissal of your technically
>_useless_ detail with a rebuke, which you claimed would "sting".
>Yet you don't seem willing to read the *pertinent* technical
>details provided to demonstrate where your analysis was
>incomplete.
Guilty as charged. How would you feel if I had replied to your long
posting detailing your offered WRT54G solution to the hotel hot spot
problem with a one line summary judgment? That, combined with some
current personal problems, tends to ruin what little diplomacy I have
left.
>>How did you test?
>>Could the clients "see" each other?
>>Could you ping other clients? (No fair using personal firewalls).
>
>See above.
I was hoping for a bit more detail. In:
87u0okjj7z.fld@barrow.com
you describe the use of two VLAN's, one for the ethernet, and one for
the wireless as in the edited ifconfig output below (lo and WDS
deleted):
br0       Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
eth0      Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
eth1      Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA
vlan0     Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
vlan1     Link encap:Ethernet  HWaddr 00:12:17:27:FE:B9
          inet addr:192.168.0.3  Bcast:192.168.255.255  Mask:255.255.0.0
I agree that you can use the VLAN feature to isolate the two ethernet
VLAN's from each other and possibly from the br0 (wireless) port.
What I'm asking is if the same mechanism can be used to isolate
individual users on br0 from each other. Methinks not or there would
be multiple VLAN's showing on the wireless side.
With all due respect, I just re-read *ALL* your previous postings in
this thread and cannot find any comments where you've stated that two
wireless clients cannot ping (or "see") each other. I may have missed
something. You've stated that you've tested your WRT54G, but I can't
find how or what application was used for testing. I'm not looking
for a detailed procedure. Just a simple question: Can two wireless
clients ping each other? Extra credit for using arping to ping by MAC
address. If so, I'm correct. If not, I'm wrong.
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
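
Added example, not part of the original post: the 802.1Q tagging described in the message above (a few extra bytes per frame, also carried on broadcasts, that keep a broadcast inside its VLAN), shown as a small parser plus the flooding decision a VLAN-aware switch makes. The port names, MAC address, VLAN ids and the default port VLAN are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; with vid set, insert the 4-byte 802.1Q tag."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return addresses, VLAN id (None if untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN id
    return {"dst": dst, "src": src, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}

def broadcast_egress(frame, ingress, port_vlans, pvid=1):
    """Ports a VLAN-aware switch floods a broadcast to: same-VLAN members only."""
    info = parse_frame(frame)
    if info["dst"] != BROADCAST:
        raise ValueError("not a broadcast frame")
    vid = info["vid"] if info["vid"] is not None else pvid  # untagged: assumed port VLAN
    if vid not in port_vlans.get(ingress, ()):
        return []                        # ingress filtering: port is not in that VLAN
    return sorted(p for p, vids in port_vlans.items() if vid in vids and p != ingress)

# Constructed sample data: hypothetical port names, MAC and VLAN ids.
PORT_VLANS = {"p1": {10}, "p2": {10}, "p3": {20}, "trunk": {10, 20}}
SRC = bytes.fromhex("020000000001")
ARP_V10 = build_frame(BROADCAST, SRC, 0x0806, b"\x00" * 28, vid=10)
ARP_V20 = build_frame(BROADCAST, SRC, 0x0806, b"\x00" * 28, vid=20)

if __name__ == "__main__":
    print(parse_frame(ARP_V10)["vid"], broadcast_egress(ARP_V10, "p1", PORT_VLANS))
    print(parse_frame(ARP_V20)["vid"], broadcast_egress(ARP_V20, "p3", PORT_VLANS))
```

In the sample, p1 and p2 share VLAN 10, so each still receives the other's broadcasts; the tag separates groups of ports, not two clients inside the same VLAN.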