[ietf78-tech] Admission Control: Just to be completely clear
Joel Jaeggli
joelja at bogus.com
Sun Jun 27 20:43:40 PDT 2010
Standard NDIS drivers for Windows XP don't do WPA2 Enterprise; some vendors' stacks do. That's the normal rationale for going lower. We are still carrying our dead.
Joel's iPad
On Jun 27, 2010, at 8:27 PM, Randy Bush <randy at psg.com> wrote:
>> At this point, the requested authentication tokens are a simple shared
>> username/password that are distributed to the attendees as they
>> arrive
>
> i am not hearing that shared is acceptable. i sent a re-check some
> hours ago. but you stateside folk are having sunday for some weird
> reason.
>
>> however we'd like to ensure that per-user authentication is possible
>> should the requirements become more strict.
>
> indeed.
>
>> To this end, we'd like to prototype this admission control system for
>> Maastricht, both to validate the system under load and to provide a
>> "heads up" to the attendees that this will be the way things are in
>> Beijing. This also allows us to disable the admission control if
>> there's a problem, an option not available in Beijing.
>
> that last is a failure i think we would wish to avoid.
>
>> - We're late. We need to socialize what we'll be doing to the IETF
>> community via Ray (IETF Administrative Director) and Russ (IETF
>> Chair), so we need to get them information soon.
>
> russ is not that un-synched
>
>> - We have people with very limited laptops/devices, so we cannot
>> assume they can do 802.1x
>
> From: Russ Housley <housley at vigilsec.com>
>> I have a personal preference for WPA2 over WPA. WPA has reached
>> the end of its useful security lifetime. We designed it for 5
>> years, and that has passed. It was only supposed to be used as a
>> stop-gap while new hardware was fielded that could do WPA2. We're
>> there.
>
>> - We have some very privacy focused individuals which will undoubtedly
>> be concerned with anything we do. We simply need to avoid stirring
>> up the hornets more than we need to.
>
> awww. spoilsport. :)
>
> this is why the idea of a paper bag of anonymous tokens at the reg desk.
>
>> - Failure /IS/ an option in Maastricht, but would be very bad in
>> Beijing
>
> it would not be good in maastricht.
>
>> We really need a fleshed out plan ASAP. There is an administrative call
>> for the Maastricht IETF early (US) Tuesday morning where we should be
>> able to put details forward.
>
> yep. we're all politely waiting.
>
> this is not a mountain. we have lots of alternatives. what is missing
> is consensus on the goals, e.g. individual tokens or shared. my guess
> on that one is that the threat model is that a shared token can be
> splattered around beijing hackerdom in milliseconds.
>
> randy