d33tah/call-for-wpa3

Hole196

ryao opened this issue · 1 comment

ryao commented

Is it too late to point out that there seems to be no discussion of how WPA3 will close Hole196? It is a problem for WPA2 Enterprise APs that circumvents VLAN isolation. Those of us who use WPA2 Enterprise in our homes would appreciate a fix for Hole196.

ryao commented

After doing some digging, it appears that dynamic VLANs cause a different GTK to be set per (SSID,VLAN) tuple. This is only an issue when the clients are not allowed to communicate with one another on the same (SSID,VLAN) tuple. It would still be nice to close completely, but not as bad as I initially thought.