[ietf78-tech] Admission Control: Just to be completely clear
Joel Jaeggli
joelja at bogus.com
Sun Jun 27 20:51:59 PDT 2010
John and Joel mostly slouch moodily at each other, and Alice I did not contact this week. One of many things for which I am blameworthy.
I have faith in our ability to implement it once, like drunks, we admit that we have a problem, and that if we had been able to boil the ocean with 802.1x we would have done so already.
Joel's iPad
On Jun 27, 2010, at 8:43 PM, Jim Martin <jim at daedelus.com> wrote:
>
> On Jun 27, 2010, at 8:27 PM, Randy Bush wrote:
>
>>> At this point, the requested authentication tokens are a simple shared
>>> username/password that are distributed to the attendees as they
>>> arrive
>>
>> i am not hearing that shared is acceptable. i sent a re-check some
>> hours ago. but you stateside folk are having sunday for some weird
>> reason.
>>
>>> however we'd like to ensure that per-user authentication is possible
>>> should the requirements become more strict.
>>
>> indeed.
>
> I'm just repeating what Professor Lee told us in our meeting in Anaheim. The fact that shared credentials are unacceptable is exactly what we were expecting though.
>
>
>>
>>> To this end, we'd like to prototype this admission control system for
>>> Maastricht, both to validate the system under load and to provide a
>>> "heads up" to the attendees that this will be the way things are in
>>> Beijing. This also allows us to disable the admission control if
>>> there's a problem, an option not available in Beijing.
>>
>> that last is a failure i think we would wish to avoid.
>
> Oh, agreed. This was more about the emphasis that in Beijing failure is not an option.
>
>>
>>> - We're late. We need to socialize what we'll be doing to the IETF
>>> community via Ray (IETF Administrative Director) and Russ (IETF
>>> Chair), so we need to get them information soon.
>>
>> russ is not that un-synched
>
> Thanks for making that happen.
>
>>
>>> - We have people with very limited laptops/devices, so we cannot
>>> assume they can do 802.1x
>>
>> From: Russ Housley <housley at vigilsec.com>
>>> I have a personal preference for WPA2 over WPA. WPA has reached
>>> the end of its useful security lifetime. We designed it for 5
>>> years, and that has passed. It was only supposed to be used as a
>>> stop-gap while new hardware was fielded that could do WPA2. We're
>>> there.
>>
>>> - We have some very privacy focused individuals which will undoubtedly
>>> be concerned with anything we do. We simply need to avoid stirring
>>> up the hornets more than we need to.
>>
>> awww. spoilsport. :)
>
> :-) I'm here to ruin your fun ....
>
>>
>> this is why the idea of a paper bag of anonymous tokens at the reg desk.
>
> I admit, I'm liking that idea more and more...
>
> Upon looking at my Anaheim badge, on the back it has my name "Martin, Jim" and a number under the barcode "770459". If we could get a dump of these we could simply say "Use the details on the back of your badge, or if you're concerned about that, come grab a paper slip from the reg desk/help desk"
>
>
>>
>>> - Failure /IS/ an option in Maastricht, but would be very bad in
>>> Beijing
>>
>> it would not be good in maastricht.
>
> See above.
>>
>>> We really need a fleshed out plan ASAP. There is an administrative call
>>> for the Maastricht IETF early (US) Tuesday morning where we should be
>>> able to put details forward.
>>
>> yep. we're all politely waiting.
>
> For whom? The decision last Monday was that John, Joel, and Rob would work this out and get back to the group with a fleshed out proposal.
>
>>
>> this is not a mountain. we have lots of alternatives. what is missing
>> is consensus on the goals, e.g. individual tokens or shared. my guess
>> on that one is that the threat model is that a shared token can be
>> splattered around beijing hackerdom in milliseconds.
>
> I think I've stated the goals. Do you disagree with them? Have additions/modifications?
>
> We'll bring this to a close (hopefully) on the call tomorrow.
>
> - Jim
>
> _______________________________________________
> ietf78-tech mailing list
> ietf78-tech at daedelus.com
> http://www.daedelus.com/mailman/listinfo/ietf78-tech