[ietf78-tech] auth token

Jim Martin jim at daedelus.com
Sat Jun 26 13:05:06 PDT 2010


    Sigh.... Because this is the IETF and we have research-types with antiquated hardware, corporate types with locked down hardware, etc. We /MUST/ provide a solution that doesn't rely on the client being able to do .1x.

- Jim

On Jun 26, 2010, at 12:55 PM, Chris Elliott <chelliot at pobox.com> wrote:

> Why put more hardware in the data path? And use a known insecure method?
> 
> Let's use WPA/WPA2 with 802.1X and RADIUS. Obviously the APs support this. The switches also support this on wired, although I don't think we need to authenticate wired as long as we check badges for folks coming into the terminal room.
> 
> Chris.
> 
> 
> --
> Chris Elliott
> 
> 
> On Jun 26, 2010, at 3:45 PM, John Kemp <kemp at network-services.uoregon.edu> wrote:
> 
>> 
>> I guess I should say "hello!", since the demon has now been invoked.
>> My name is not Hans Kuhn, but we have been known to share a beer now
>> and again...
>> 
>> To Randy's question, I thought that sounded like a simple and
>> efficient idea, i.e. token exists already.
>> 
>> Same phone/codes as you used for the other phone meeting?
>> US: +1 650 625 2888 ... ???
>> 
>> My plan for this week is to proof-of-concept and performance
>> test MAC address filtering and redirection using ebtables and
>> broute.  So that's what I'm working on.  Idea is that there are
>> two nics on the box, multiple vlans in trunk on each side, matching
>> multiple interfaces defined on the nics on the box,
>> and two bridge interfaces carrying whichever vlans are chosen, any
>> designated as "filtered" or designated as "clear".  So that's the
>> general concept.  Bridging + mac address filtering.  Let me know
>> if that sounds approximately correct for the requirements???
>> 
>> John Kemp (kemp at network-services.uoregon.edu)
>> 
>> 
>> On 06/25/2010 11:24 PM, Jim Martin wrote:
>>>   Sorry Randy ... just too much real life this week. Actually, John, Joel and Rob Nagy are working together on a first cut plan. I expect to discuss their results on the monday call so we can have something for Ray on the Tuesday admin call.
>>> 
>>>   - Jim
>>> 
>>> On Jun 25, 2010, at 10:48 PM, Randy Bush wrote:
>>> 
>>>>> of course we are too late to have the maastricht registration process
>>>>> issue a token set we can use as auth.  but ...
>>>>> 
>>>>> as part of reg process, everyone is issued a reg number.  they get this
>>>>> on their reg web page, on their email receipt, on the paper receipt they
>>>>> get when they get their badge, ...
>>>>> 
>>>>> so, straw proposal
>>>>> 
>>>>> o use reg number for maastricht and, optionally, plan to issue our own
>>>>>  reg token for beijing
>>>>> 
>>>>> o have paper bag full of reg numbers at the reg desk for those who
>>>>>  lost theirs, want privacy, or whatever
>>>> 
>>>> i noticed the stunning response to this.  am i off the wall as usual?
>>>> is there a better/easier/sexier hack?  as russ/ray will need to start
>>>> socializing this with the users, we should come to some sort of plan.
>>>> 
>>>> randy
>>>> _______________________________________________
>>>> ietf78-tech mailing list
>>>> ietf78-tech at daedelus.com
>>>> http://www.daedelus.com/mailman/listinfo/ietf78-tech
>>> 
>>> 
>>> 
>> 


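The bridging plus MAC filtering idea in John Kemp's message, sketched as an added example that is not code from the thread. It only prints the ebtables commands; the interface name `eth0.100` and the MAC addresses are constructed sample values, and the choice to hand unregistered IPv4 traffic to the local stack for redirection is an assumption about how the "filtered" VLANs would behave.

```sh
#!/bin/sh
# Added example (not from the thread): print, without executing, ebtables
# BROUTING rules for one "filtered" VLAN interface.
# The interface name and MAC addresses are constructed sample values.

# Succeed only for a colon-separated 48-bit MAC address.
is_valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules IFACE MAC...
# In the broute table, ACCEPT bridges the frame and DROP hands it to the
# local stack to be routed instead of bridged.
gen_rules() {
  gr_iface=$1
  shift
  for gr_mac in "$@"; do
    if ! is_valid_mac "$gr_mac"; then
      echo "skipping malformed MAC: $gr_mac" >&2
      continue
    fi
    gr_mac=$(printf '%s' "$gr_mac" | tr 'A-F' 'a-f')
    # Registered station: bridge the frame straight through.
    echo "ebtables -t broute -A BROUTING -i $gr_iface -s $gr_mac -j ACCEPT"
  done
  # Unregistered IPv4: rewrite the destination MAC to the port's own and
  # route the frame, so the box's IP stack receives it for redirection.
  echo "ebtables -t broute -A BROUTING -i $gr_iface -p IPv4 -j redirect --redirect-target DROP"
  # Anything else from an unregistered station stays off the bridge.
  echo "ebtables -t broute -A BROUTING -i $gr_iface -j DROP"
}

# Dry run; the second address is deliberately malformed.
gen_rules eth0.100 00:1B:2C:3D:4E:5F 00:1b:2c:3d:4e 02:00:00:aa:bb:cc
```

A source MAC address is asserted by the client and can be changed, so rules like these identify a station without authenticating it.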