| Archived message #3295 from the list os2-wireless_users@2rosenthals.com |
|---|
Lewis,
great collection of information!
Thanks! It's amazing what's gotten stuck between my ears since all of this wireless stuff hit the scene!! :-)
For now I just have some minor points; I have to think about more questions later on:
- AFAIK the "24-bit header" of WEP is called the initialization vector, which should be a random number for each frame. One of the biggest vulnerabilities of the WEP protocol is that many vendors don't implement that as a random number, but just count up from zero.
Good point, again. I'll add this in.
- Concerning the dynamic 24-bit part and the static part, please add a point about "open Systems" and "shared Key Systems"; this topic is also referred to as "authentication". If set to "shared key" on behalf of the access point, the client would need to authenticate itself; unfortunately this is done with the static parts of the keys only (!!!), without any initialization vector. The drawback of this is that this authentication alone makes the WEP method even more unsafe and easier to crack, so it strangely makes a WEP secured access point more safe when this authentication is turned off or set to "open system".
- as stated in my documentation, please add something like "always use encryption when accessing private WLANs" and "better use 64-bit or _any_ WEP encryption than none". The user should be told to change the keys periodically. The more data is sent over WEP encrypted WLAN, the quicker it can be cracked. With medium to heavy throughput WEP64 can be cracked after some hours, WEP128 may need some days. For an average user, just surfing a bit in the evening, as a rule of thumb I would suggest a week for a change of WEP128 keys, and half a week for WEP64. I don't do that myself, and I am almost certain that nobody does that, but it is important to know that it is _unsafe_ not to do so. Furthermore, in Germany it is at least illegal to get into a WEP secured private WLAN. If that is the case, it may even make sense to set any key and never change it anymore...
Per my comments, above. I'll add all of this in the WEP-related section of the FAQ.
- topic 6: there is a term of "infrastructure mode" and at least another one. I think this would fit in here
BSS. Yes, I'll make the distinction between BSS, IBSS, and AdHoc.
- topic 7: I would turn the question around: Is an access point a router?
Hmmm... Okay. (For anyone else following this exchange, the following may get a bit sticky; please bear with us, as Christian and I have a little fun...). WDS (Wireless Distribution System) mode can actually put the WLAN on a different network from the wired LAN, thus making an AP "route" packets... So, perhaps, we have two different questions to answer, eh? :-)
- topic 8: SSID is AFAIK also referred to as System Service Identifier
Hmmm... I don't think I'd heard that one, but I'll look it up (not doubting you; just curious to see what else I may have missed).
- topic 10: please include that with certain WLAN sniffer software (either Win32 or linux ?) the SSID can still be spied out even if broadcast is turned off. IMHO this is very important to know, else users would get a false idea of security they would establish. Nevertheless it is still a good idea to turn off SSID broadcast for a private WLAN AP, to make it not too easy for hackers.
Good idea. I should have made it clear that XP isn't the only way to snatch an SSID out of the air when beaconing is turned off.
- Please include a section on MAC address filtering. Unfortunately this can also be spied out by software like that stated above for SSID, but this should also be enabled. It makes it at least not possible for a drive-by surfer to instantly get a connection. Instead, he would need to spy out a MAC address, and come back another time to wait until this is not active while the AP is active, so that he can use this MAC address.
Yes, I did make a quick note in the security section that I want to add a mention of MAC filtering.
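
Added example (not part of the original message or of the FAQ under discussion): a Python sketch of why the IV handling raised in the first point matters when reviewing a WEP deployment. It assumes the per-frame RC4 key is the 3-byte IV followed by the static key; the key, payloads and IV list are constructed sample data, and the function names are hypothetical.

```python
import math

IV_SPACE = 1 << 24  # 24-bit IV, as described in the message above

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 (KSA then PRGA); returns n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: int, static_key: bytes, payload: bytes) -> bytes:
    """Per-frame RC4 key = 3-byte IV || static key (ICV left out for brevity)."""
    frame_key = iv.to_bytes(3, "big") + static_key  # byte order is an assumption
    return xor(payload, rc4_keystream(frame_key, len(payload)))

def random_iv_repeat_probability(frames: int) -> float:
    """Birthday estimate: chance that some random 24-bit IV repeats."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * IV_SPACE))

def audit_ivs(ivs: list) -> dict:
    """Count reused IVs and +1 steps in one station's observed IV sequence."""
    steps = sum(1 for a, b in zip(ivs, ivs[1:]) if (a + 1) % IV_SPACE == b)
    return {"reused": len(ivs) - len(set(ivs)), "sequential_steps": steps}

# Constructed sample data: a card that counts from zero and is reset once.
STATIC_KEY = bytes.fromhex("0102030405")   # constructed 40-bit key
OBSERVED_IVS = [0, 1, 2, 3, 0, 1, 2]       # counter restarts after a reset
P1, P2 = b"GET /index.html ", b"POST /login.cgi "
C1 = wep_encrypt(0, STATIC_KEY, P1)        # first frame after power-on
C2 = wep_encrypt(0, STATIC_KEY, P2)        # first frame after the reset

if __name__ == "__main__":
    print(audit_ivs(OBSERVED_IVS))
    print("same keystream:", xor(C1, C2) == xor(P1, P2))
    print("P(repeat) after 5000 random IVs:", round(random_iv_repeat_probability(5000), 3))
```

A counter that restarts at zero repeats its low IVs after every reset, and even properly random 24-bit IVs are more likely than not to repeat within about 5000 frames, which is why periodic key changes come up in the discussion above.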