[ietf78-tech] Admission Control: Just to be completely clear
Randy Bush
randy at psg.com
Sun Jun 27 20:27:10 PDT 2010
> At this point, the requested authentication tokens are a simple shared
> username/password that are distributed to the attendees as they
> arrive
i am not hearing that shared is acceptable. i sent a re-check some
hours ago. but you stateside folk are having sunday for some weird
reason.
> however we'd like to ensure that per-user authentication is possible
> should the requirements become more strict.
indeed.
> To this end, we'd like to prototype this admission control system for
> Maastricht, both to validate the system under load and to provide a
> "heads up" to the attendees that this will be the way things are in
> Beijing. This also allows us to disable the admission control if
> there's a problem, an option not available in Beijing.
that last is a failure i think we would wish to avoid.
> - We're late. We need to socialize what we'll be doing to the IETF
> community via Ray (IETF Administrative Director) and Russ (IETF
> Chair), so we need to get them information soon.
russ is not that un-synched
> - We have people with very limited laptops/devices, so we cannot
> assume they can do 802.1x
From: Russ Housley <housley at vigilsec.com>
> I have a personal preference for WPA2 over WPA. WPA has reached
> the end of its useful security lifetime. We designed it for 5
> years, and that has passed. It was only supposed to be used as a
> stop-gap while new hardware was fielded that could do WPA2. We're
> there.
> - We have some very privacy focused individuals which will undoubtedly
> be concerned with anything we do. We simply need to avoid stirring
> up the hornets more than we need to.
awww. spoilsport. :)
this is why the idea of a paper bag of anonymous tokens at the reg desk.
> - Failure /IS/ an option in Maastricht, but would be very bad in
> Beijing
it would not be good in maastricht.
> We really need a fleshed out plan ASAP. There is an administrative call
> for the Maastricht IETF early (US) Tuesday morning where we should be
> able to put details forward.
yep. we're all politely waiting.
this is not a mountain. we have lots of alternatives. what is missing
is consensus on the goals, e.g. individual tokens or shared. my guess
on that one is that the threat model is that a shared token can be
splattered around beijing hackerdom in milliseconds.
randy