On Sun, 30 Jul 2006 23:44:37 -0700 Jeff Liebermann wrote: | snipped-for-privacy@ipal.net hath wroth: | |>| In the distant past, I recovered approximately 3ea BEFSR41 routers |>| from failed flash updates using tftp. No big deal. | |>Great. So what was reading the TFTP? Not the flashed code that wasn't |>there. Maybe the power on initial ROM code? | | Linksys routers have a two part flash. One part is a permanent part | of the firmware and only deals with running the JTAG port and loading | the flash. The other part is the uploaded flash image. This | arrangment is very common. | | When the router boots, the first part of the flash starts and displays | a prompt on the JTAG port. This is normally not user accessible. It | also fires up a TFTP server and awaits a connection. If it doesn't | get a connection after about 5 seconds, it continues the boot by | loading and running the flash image. You can usually ping the router | for these first 5 seconds at the default IP address. | | It's easy enough to fire up a TFTP client and point it at the router | during bootup to upload a clean flash image.
Sounds like it would be rather easy to unbrick a Linksys, then. Just use the TFTP real fast and no JTAG required.
What you referred to as "permanent part" I referred to as ROM code. But is it truly permanent if it uses flash? Is it a separate flash chip, or just a reserved space in the one? How is it protected from being written over?
|>|>Local point to point file transfer (e.g. not involving the internet) |>|>could conceivably get very close to 1.0 TX time factor. Not that I'm |>|>worried about such a thing. |>| |>| Got a time slot for the ACK's and inter-packet delays? | |>TCP windowing would let a few packets flow before the ACKs are actually |>needed back. So there won't be full trip wait, at least for a while. | | TCP windowing does not apply. 802.11 encapsulates TCP/IP packets. I'm | talking about 802.11 ACK's which do not have a sliding window feature. | 802.11 retransmits immediately after a NACK.
Why NACK it at link layer?
|>The ACKs are short. | | 802.11 ACK's require the full preamble, headers, and small payload. | Short, but not that short. I'm too lazy to lookup the exact times. | |>Inter-packet delays for radio reason? That I |>cannot really say. | | Warning, this is potentially messy. The interframe space (IFS) is | necessary to prevent collisions from reflections. Pretend you have | both a direct and reflected path. The direct packet arrives normally. | The reflected packet arrives a few microseconds later. If the next | packet were sent immediately after sending the previous packet, the | reflected packet would arrive at roughly the same time as the next | packet and they would interfere with each other. In addition, if | there is a collision detected, then the distributed coordination | function (DCF) causes the timing to backoff temporarily, slowing | things down even more. | | Slot Time SIFS PIFS DIFS | 802.11a/g 9 usec 16 usec 25 usec 34 usec | 802.11b 20 usec 10 usec 30 usec 50 usec
Is this just trying to wait out the tail of the reflection before the next frame is sent (by any device)?
|>Of course it's never really as fast as they say it |>will be. | | Or, as far. IFS timing is a serious limitation on very very long | range connections.
Certainly a good cause for setting up such links on a separate channel.
|>| Even with encryption, the MAC addresses are sent in the clear. |>
|>Oooh, now that's dumb. | | How is a client suppose to recognize and connect to an access point if | the MAC addresses and encryption keys are encrypted *BEFORE* the key | exchange can complete? It's a chicken or egg problem.
They already have shared keys. The MAC doesn't have to be encrypted by the session key that gets generated. It only needs to be encrypted by the shared key that is already configured.
|>| Management and flow control frames are NOT encrypted (or |>| authenticated). That's why spoofed deauth and deassociate attacks |>| work on WEP. Even in WPA and 802.11i, management frames are not |>| protected. | |>More dumb. | | How should flow control work if the packets are encrypted? How can | SSID broadcast and such work if they are encrypted?
Only the devices with the same shared key would be able to see the SSID broadcast. Why would you want it any less secure?
|>Everything ... NO exceptions ... should be encrypted when encryption |>is specified. | | Everything? How do you exchange encryption keys if the keys and hash | codes are also encrypted? | | How about the overhead of encrypting single byte flow control packets?
Why is there a link layer flow control? All you need is a send-ready, and that is based on collision detection. End to end flow control should be based at layer 3.
|>If the receiver gets carrier, sync, and data, but does |>not have the key to decrypt it (or more specifically, if the key it |>does have produces garbage as it would certainly see a checksum error), |>it should just discard it and wait for the next event. | | Incidentally, we have the same problem with VPN's. The most common | type of IPSec VPN encrypts only the payloads, not the headers.
VPN is not the same as wireless security. VPN is not link level security. Classic VPN (not IPsec) would wrap a fully encrypted packet or stream in another layer or set of layers. An added layer would have the addressing (which may or may not be the same as the final destination).
If you want to use IPsec, and want to route traffic between a local net on
192.168.20.0/24 in one location to 192.168.30.0/24 in another location, don't expect to get the packets routed with those 192.168 address on the front. And plain NAT won't be enough unless you have as many public IPs. If each end has just one public IP, how will packets for 192.168.30.15 and packets for 192.168.30.45 be routed to the correct destination without those IP addresses in a desination field? The packet would be unwrapped at the destination router, decrypted, and the private IP destination would be exposed. IPsec can be used as the ecnryption in this, but you still have to wrap a new layer in such cases. If you get real public IPs for all machines at each end (or at least the ones that need to talk to the other end) then you can avoid that wrapping. But then someone can sniff the diversity of your traffic, and more can be learned from that than just the traffic alone. Instead of IPsec, I prefer to use encrypted SCTP for VPNs. I may even try to implement that for a WRT54GL.