Can you encrypt RRM packets (so that WLC IP address is exposed to all)

kfarrington (Level 3)

Hi Guys,

As RRM packets include the WLC controller's IP address in the payload of the packet (you can decode the hex), is there a way to encrypt this so that my friendly wireless neighbors do NOT see the address of my WLCs, as explained in this document for OTAP?

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a008093d74a.shtml

And in this document: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072c759.shtml

APs periodically send out Neighbor Messages, sharing information about themselves, their controllers, and their RF Group Name. These neighbor messages can then be authenticated by other APs sharing the same RF Group Name.

Would MFP help in this situation?

Many thx

Ken

5 Replies

jeromehenry_2 (Level 3)

Hi Ken,

OTAP is there to help new access points discover the controllers... encrypting these messages would mean that the APs have a way to decrypt them, and therefore have already exchanged a sort of key with the controllers for that purpose... so they already know the controllers.

OTAP is not encrypted. A good practice is to use OTAP when you need it, during the APs deployment, then turn it off.

Infrastructure MFP definitely helps identifying rogues and protecting your network, but it is probably even better not to send information that only your wireless neighbors would listen to once your APs have been deployed... :-)

Thanks Jerome,

We have disabled OTAP as we don't need the feature, but we can't disable RRM, otherwise DCA and TPC would not work in the case of an AP failure to correct coverage holes.

So the fact that RRM discloses information like controller IP addresses and RF group names to the public domain is still (I feel) a bit of a non-essential risk?

Could the RRM neighbor packets either not include such information (they would probably have to include the RF group name, but why the controller IP address?) or encrypt these packets with the MFP MIC?

I am going to test Infrastructure MFP this weekend and then perform another RF packet capture to see if the RRM packets between established APs can be captured and read, but if you or anyone else have a definite answer on MFP encrypting RRM packets that would be good, mate :))

All the best and thanks for the response, my friend :)

Ken
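The capture check Ken describes above can be done without knowing the RRM message layout: take each captured frame payload and look for the controller address in either its 4-byte network-order form or its ASCII dotted-quad form. The script below is an added example, not code from the thread or from Cisco; the frame bytes, the RF group name and the WLC addresses in it are constructed for illustration and are not real RRM neighbor messages.

```python
"""Scan captured frame payloads for a WLC address appearing in clear text.

Added example: format-agnostic, since the RRM neighbor message layout is
not documented on this page. Payloads would normally come from a packet
capture export; here they are constructed inline.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed (hypothetical) controller addresses to look for.
WLC_ADDRESSES = ["10.1.1.5", "192.168.200.10"]

# Constructed sample payloads - NOT real RRM frames.
SAMPLE_FRAMES: Dict[str, bytes] = {
    # header, RF group name, then the WLC address as 4 raw bytes
    "neighbor-msg-1": b"\x00\x11\x22\x33" + b"RFGROUP-A\x00"
                      + socket.inet_aton("10.1.1.5") + b"\x00\x00",
    # same, but the address written as ASCII dotted quad
    "neighbor-msg-2": b"\x00\x11\x22\x33" + b"RFGROUP-A\x00"
                      + b"192.168.200.10" + b"\x00",
    # unrelated frame with no address in it
    "beacon-like": b"\x80\x00\x00\x00" + b"\xff" * 6 + b"MyCorpSSID",
}


def find_address_leaks(payload: bytes,
                       addresses: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (address, encoding, offset) for every occurrence of an address.

    Both the 4-byte network-order form and the ASCII dotted-quad form are
    searched, because the sender's encoding is not assumed.
    """
    hits: List[Tuple[str, str, int]] = []
    for addr in addresses:
        packed = socket.inet_aton(addr)  # raises on a malformed address
        for encoding, needle in (("binary", packed), ("ascii", addr.encode())):
            start = 0
            while True:
                idx = payload.find(needle, start)
                if idx < 0:
                    break
                hits.append((addr, encoding, idx))
                start = idx + 1  # keep going; an address may appear twice
    return hits


def scan_frames(frames: Dict[str, bytes],
                addresses: Iterable[str]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Map frame name -> leaks found, omitting frames with no hits."""
    addresses = list(addresses)
    report = {}
    for name, payload in frames.items():
        hits = find_address_leaks(payload, addresses)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_frames(SAMPLE_FRAMES, WLC_ADDRESSES).items():
        for addr, encoding, offset in hits:
            print(f"{name}: {addr} found as {encoding} at offset {offset}")
```

A 4-byte binary match can occur by chance in unrelated data, so treat a "binary" hit as a lead to confirm in the hex dump rather than proof; an "ascii" match of a full dotted quad is much less likely to be accidental. Run the same scan before and after enabling Infrastructure MFP to see whether anything about the payload actually changed.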

Jerome,

Isn't Cisco getting ready to shut OTAP off in the next release? I heard that from Jake some time back, I think.

Hi Mate :)

Problem is, they can't turn RRM off, and these packets contain what I think is sensitive information, unencrypted.

Not an expert, but I hope that turning on Infrastructure MFP will stop the RRM neighbor packets advertising this information in the clear?

Thoughts mate?

Cheers

Ken

I don't think MFP will do the trick here. It simply verifies that the frame received is legitimate and not a counterfeit frame from a man-in-the-middle or DoS type attack.
