Can you encrypt RRM packets (so that WLC IP address is exposed to all)

Jun 18th, 2008

Hi Guys,


As RRM packets include the WLC controller's IP address in the payload of the packet (you can decode the hex), is there a way to encrypt this so that my friendly wireless neighbors do NOT see the address of my WLCs, as explained in this document for OTAP?

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a008093d74a.shtml

And in this document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072c759.shtml

APs periodically send out Neighbor Messages, sharing information about themselves, their controllers, and their RF Group Name. These neighbor messages can then be authenticated by other APs sharing the same RF Group Name.

Would MFP help in this situation?????


Many thx

Ken

jeromehenry_2 Wed, 06/18/2008 - 12:26

Hi Ken,

OTAP is there to help new access points discover the controllers... encrypting these messages would mean that the APs have a way to decrypt them, therefore already have exchanged a sort of key with the controllers for that purpose... so know the controllers.

OTAP is not encrypted. A good practice is to use OTAP when you need it, during the APs deployment, then turn it off.

Infrastructure MFP definitely helps identifying rogues and protecting your network, but it is probably even better not to send information that only your wireless neighbors would listen to once your APs have been deployed... :-)

kfarrington Wed, 06/18/2008 - 23:44

Thanks Jerome,


We have disabled OTAP as we don't need the feature, but we can't disable RRM, otherwise DCA and TPC would not work in the case of an AP failure to correct coverage holes.

So the fact that RRM discloses information like controller IP addresses and RF group names to the public domain is still (I feel) a bit of a non-essential risk?

Could the RRM neighbor packets either not include such information (would probably have to include the RF group name, but why the controller IP address?) or encrypt these packets with the MFP MIC?

I am going to test the Infrastructure MFP this weekend and then perform another RF packet capture to see if the RRM packets between established APs are able to be captured and readable, but if you or anyone else have a definite answer to MFP encrypting RRM packets that would be good mate :))

All the best and thx for the response my friend :)


Ken

dennischolmes Thu, 06/19/2008 - 11:02

Jerome,


Isn't Cisco getting ready to shut OTAP off in the next release? I heard that from Jake sometime back I think.

kfarrington Thu, 06/19/2008 - 11:06

Hi Mate :)


Problem is, they can't turn RRM off, and these packets contain what I think is sensitive information unencrypted.

Not an expert, but I hope that turning on Infrastructure MFP will stop the RRM neighbor packets advertising this information in the clear?

Thoughts mate?


Cheers

Ken

dennischolmes Thu, 06/19/2008 - 11:11

I don't think MFP will do the trick here. It simply verifies that the frame received is legitimate and not a counterfeit frame from a man-in-the-middle or DoS type attack.
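Dennis's distinction between verifying that a frame is legitimate and hiding what it carries, shown as an added example that is not from this thread or from any Cisco code: a neighbor-style message carries a keyed integrity tag (the role an MFP MIC plays), so an altered copy is rejected, yet the controller IP and RF group name stay readable by anyone who captures the frame. The message layout, the key derivation from the RF group name, and every address and name below are constructed for the example and are not the real RRM or MFP formats.

```python
# Added illustration (not Cisco code): an integrity tag such as an MFP MIC
# proves a message was not altered, but it does not hide the message fields.
# Layout, key derivation and values are constructed for this example only.
import hashlib
import hmac


def rf_group_key(rf_group_name: str) -> bytes:
    # Constructed key derivation: a secret shared by every AP in the RF group.
    # (Stands in for whatever real key material the group's APs hold.)
    return hashlib.sha256(b"example-rf-group-key:" + rf_group_name.encode()).digest()


def build_neighbor_message(rf_group_name: str, controller_ip: str, ap_name: str) -> str:
    # Constructed layout: plaintext fields separated by '|', then a hex HMAC tag.
    # Fields are assumed not to contain '|'.
    body = f"{rf_group_name}|{controller_ip}|{ap_name}"
    tag = hmac.new(rf_group_key(rf_group_name), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def parse_fields(message: str) -> dict:
    # A passive listener needs no key to read the fields; only the tag depends on it.
    group, ip, ap, _tag = message.split("|")
    return {"rf_group": group, "controller_ip": ip, "ap_name": ap}


def verify_neighbor_message(message: str) -> bool:
    # Receiver recomputes the tag with its group key and compares in constant time.
    body, tag = message.rsplit("|", 1)
    group = body.split("|", 1)[0]
    expected = hmac.new(rf_group_key(group), body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # Constructed sample values.
    msg = build_neighbor_message("RFGROUP-EXAMPLE", "10.0.0.1", "AP-constructed-01")
    print("genuine message verifies:", verify_neighbor_message(msg))
    print("fields readable without the key:", parse_fields(msg))
    # A copy with the controller address changed fails the integrity check.
    altered = msg.replace("10.0.0.1", "10.0.0.2")
    print("altered message verifies:", verify_neighbor_message(altered))
```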
