[ietf78-tech] Admission Control: Just to be completely clear
Jim Martin
jim at daedelus.com
Sun Jun 27 20:43:16 PDT 2010
On Jun 27, 2010, at 8:27 PM, Randy Bush wrote:
>> At this point, the requested authentication tokens are a simple shared
>> username/password that are distributed to the attendees as they
>> arrive
>
> i am not hearing that shared is acceptable. i sent a re-check some
> hours ago. but you stateside folk are having sunday for some weird
> reason.
>
>> however we'd like to ensure that per-user authentication is possible
>> should the requirements become more strict.
>
> indeed.
I'm just repeating what Professor Lee told us in our meeting in Anaheim. The fact that shared credentials are unacceptable is exactly what we were expecting though.
>
>> To this end, we'd like to prototype this admission control system for
>> Maastricht, both to validate the system under load and to provide a
>> "heads up" to the attendees that this will be the way things are in
>> Beijing. This also allows us to disable the admission control if
>> there's a problem, an option not available in Beijing.
>
> that last is a failure i think we would wish to avoid.
Oh, agreed. This was more about the emphasis that in Beijing failure is not an option.
>
>> - We're late. We need to socialize what we'll be doing to the IETF
>> community via Ray (IETF Administrative Director) and Russ (IETF
>> Chair), so we need to get them information soon.
>
> russ is not that un-synched
Thanks for making that happen.
>
>> - We have people with very limited laptops/devices, so we cannot
>> assume they can do 802.1x
>
> From: Russ Housley <housley at vigilsec.com>
>> I have a personal preference for WPA2 over WPA. WPA has reached
>> the end of its useful security lifetime. We designed it for 5
>> years, and that has passed. It was only supposed to be used as a
>> stop-gap while new hardware was fielded that could do WPA2. We're
>> there.
>
>> - We have some very privacy focused individuals which will undoubtedly
>> be concerned with anything we do. We simply need to avoid stirring
>> up the hornets more than we need to.
>
> awww. spoilsport. :)
:-) I'm here to ruin your fun ....
>
> this is why the idea of a paper bag of anonymous tokens at the reg desk.
I admit, I'm liking that idea more and more...
Upon looking at my Anaheim badge, on the back it has my name "Martin, Jim" and a number under the barcode "770459". If we could get a dump of these we could simply say "Use the details on the back of your badge, or if you're concerned about that, come grab a paper slip from the reg desk/help desk"
>
>> - Failure /IS/ an option in Maastricht, but would be very bad in
>> Beijing
>
> it would not be good in maastricht.
See above.
>
>> We really need a fleshed out plan ASAP. There is an administrative call
>> for the Maastricht IETF early (US) Tuesday morning where we should be
>> able to put details forward.
>
> yep. we're all politely waiting.
For whom? The decision last Monday was that John, Joel, and Rob would work this out and get back to the group with a fleshed out proposal.
>
> this is not a mountain. we have lots of alternatives. what is missing
> is consensus on the goals, e.g. individual tokens or shared. my guess
> on that one is that the threat model is that a shared token can be
> splattered around beijing hackerdom in milliseconds.
I think I've stated the goals. Do you disagree with them? Have additions/modifications?
We'll bring this to a close (hopefully) on the call tomorrow.
- Jim