[OpenWireless Tech] On VPNs
"Andy Green (林安廸)"
andy at warmcat.com
Thu Jul 28 12:50:39 PDT 2011
On 07/28/2011 08:25 PM, Somebody in the thread at some point said:
> As others have noted, there are some practical problems with current VPN
> implementations (hard to configure, OSes may send insecure traffic while
> waiting for a VPN to be established).
>
> None of these are /necessary/ problems with VPNs. With work, it should in
> theory be possible to offer easy-to-setup VPNs that protect clients
> against malicious APs. If APs wish to transmit nothing but VPN traffic, it
> could also protect the APs against clients that do questionable things with
> the network.
>
> The big question with VPNs is, can we get cheap enough bulk VPN provision that
> anyone can get a VPN connection that is free or very cheap, and extremely easy
> to configure?
ACK on all of that.
Again, while at Openmoko in Taiwan, it became clear that to get these
new technologies deployed, you had to sell them as a marketable initiative
to the companies making the products.
So provide a reference implementation, a logo programme, and support,
and if they see value in adding it, it will gradually become very widely
available at no extra cost. But the vendors themselves likely wouldn't
take on all the R&D from scratch just for their own products.
However, I think the biggest issue for this and the other solutions
being adopted at a reasonable pace is whether current WLAN hardware can
easily cope with both unencrypted and WEP / WPA encrypted packets coming
in, without having to drop back to listening to everything and filtering in
software.
The reason is that if a software solution like a VPN or some form of SSL
is overlaid, the raw wireless transport itself is in fact unencrypted,
the encryption being done at a higher level.
That means weaker devices that only support WPA and not the new SSL-type
or VPN solution actually go backwards, because the only way they can
connect to the AP is unencrypted.
So both these solutions really want the AP hardware to continue to
accept and operate in WPA for compatibility, while accepting unencrypted
connections under tough constraints. Some WLAN hardware is capable of
this (most are able to inject unencrypted TX frames while in WPA
mode), but I guess some or most are not capable of doing it for RX.
-Andy
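The "listen to everything and filter in software" fallback Andy mentions comes down to inspecting the Protected Frame bit in the 802.11 Frame Control field (and, when set, the ExtIV bit of the IV header to tell WEP from TKIP/CCMP) on every received frame, then applying a policy that keeps WPA-protected data, keeps management frames, and treats unprotected data frames as a special case. The following is an added example illustrating that RX-side classification; it is not code from the original post or from any OpenWireless project. All frames are constructed by hand for the example, and the function and field names are my own.

```python
"""
Classify raw 802.11 frames as protected or unprotected by inspecting the
Frame Control field, the way an AP that "listens to everything and filters
in software" would have to.  Example code, not from the original post.
"""
from dataclasses import dataclass

FC_TYPE_MGMT, FC_TYPE_CTRL, FC_TYPE_DATA = 0, 1, 2
TODS_BIT, FROMDS_BIT = 0x01, 0x02   # bits 0 and 1 of Frame Control byte 1
PROTECTED_BIT = 0x40                # bit 6 of Frame Control byte 1
EXT_IV_BIT = 0x20                   # bit 5 of byte 3 of the WEP/TKIP/CCMP header


@dataclass
class FrameInfo:
    ftype: int
    subtype: int
    protected: bool
    cipher: str        # "none", "wep", "rsn" (TKIP or CCMP) or "unknown"
    addr2: bytes       # transmitter address, useful for per-station policy


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode Frame Control and, for protected frames, peek at the IV header."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & PROTECTED_BIT)
    hdr_len = 24
    if ftype == FC_TYPE_DATA:
        if (fc1 & TODS_BIT) and (fc1 & FROMDS_BIT):
            hdr_len += 6       # Address 4 present in WDS (4-address) frames
        if subtype & 0x8:
            hdr_len += 2       # QoS Control field present for QoS subtypes
    cipher = "none"
    if protected:
        iv = frame[hdr_len:hdr_len + 4]
        if len(iv) < 4:
            cipher = "unknown"
        elif iv[3] & EXT_IV_BIT:
            cipher = "rsn"     # TKIP or CCMP: extended IV present
        else:
            cipher = "wep"     # plain 24-bit WEP IV + key ID byte
    return FrameInfo(ftype, subtype, protected, cipher, frame[10:16])


def software_filter(frames, allow_unprotected_data=False):
    """Policy an AP in WPA mode would apply in software to a promiscuous RX feed.

    Management and RSN-protected data frames pass; WEP frames are dropped as
    effectively unprotected; unprotected data frames pass only when explicitly
    allowed (the "tough constraints" case).  Returns (accepted, dropped).
    """
    accepted, dropped = [], []
    for raw in frames:
        info = parse_frame(raw)
        if info.cipher == "wep":
            dropped.append(info)
        elif (info.ftype == FC_TYPE_DATA and not info.protected
              and not allow_unprotected_data):
            dropped.append(info)
        else:
            accepted.append(info)
    return accepted, dropped


# --- constructed sample frames (not captured traffic) ---------------------
def _build(fc0, fc1, body, qos=False, addr2=b"\x02\x00\x00\x00\x00\x01"):
    hdr = bytes([fc0, fc1]) + b"\x00\x00"                 # FC + duration
    hdr += b"\x00\x11\x22\x33\x44\x55" + addr2 + b"\x00\x11\x22\x33\x44\x55"
    hdr += b"\x10\x00"                                    # sequence control
    if qos:
        hdr += b"\x00\x00"                                # QoS Control
    return hdr + body


# CCMP header: PN0, PN1, reserved, ExtIV|KeyID, PN2..PN5
CCMP_HDR = bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])
# WEP header: 24-bit IV + key ID byte with ExtIV clear
WEP_HDR = bytes([0x01, 0x02, 0x03, 0x00])

SAMPLE_FRAMES = [
    _build(0x88, 0x41, CCMP_HDR + b"\xaa" * 16, qos=True),  # CCMP QoS data, ToDS
    _build(0x08, 0x01, b"\xaa\xaa\x03" + b"\x00" * 16),     # unprotected data, ToDS
    _build(0x08, 0x41, WEP_HDR + b"\xbb" * 16),             # WEP data, ToDS
    _build(0x80, 0x00, b"\x00" * 12),                        # beacon (management)
]

if __name__ == "__main__":
    ok, bad = software_filter(SAMPLE_FRAMES)
    for f in ok:
        print("accept", f)
    for f in bad:
        print("drop  ", f)
```

Doing this per frame in the host CPU is exactly the cost the message worries about: the hardware decrypts nothing for you in this mode, so every frame crosses the bus and the policy decision happens in software.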