[ietf78-tech] Admission Control: Just to be completely clear
John Kemp
kemp at network-services.uoregon.edu
Sun Jun 27 21:02:35 PDT 2010
On 6/27/2010 8:18 PM, Jim Martin wrote:
> Gentlepeople,
> From some of the comments that have flown around here in the last day or so, I'm concerned that we aren't all in sync on what we're trying to do with the admission control project. Here's an attempt to clarify it from my point of view. If anyone disagrees with this, please speak up!
>
> Goal
> ------
> The IETF Meeting in Beijing this fall will have a network that is designed to connect to the Internet in a completely unfiltered way. Due to this lack of filtering, we've been asked to ensure that only IETF attendees can gain access to that network. At this point, the requested authentication tokens are a simple shared username/password that are distributed to the attendees as they arrive, however we'd like to ensure that per-user authentication is possible should the requirements become more strict.
>
> To this end, we'd like to prototype this admission control system for Maastricht, both to validate the system under load and to provide a "heads up" to the attendees that this will be the way things are in Beijing. This also allows us to disable the admission control if there's a problem, an option not available in Beijing.
>
> Caveats
> -----------
> - We're late. We need to socialize what we'll be doing to the IETF community via Ray (IETF Administrative Director) and Russ (IETF Chair), so we need to get them information soon.
>
> - We have people with very limited laptops/devices, so we cannot assume they can do 802.1x
>
> - We have some very privacy focused individuals which will undoubtedly be concerned with anything we do. We simply need to avoid stirring up the hornets more than we need to.
>
> - The equipment being used in Maastricht is not guaranteed to be the same equipment being used in Beijing. Keeping things as device agnostic as possible is a good thing.
>
> - Failure /IS/ an option in Maastricht, but would be very bad in Beijing
>
>
> Timeline
> ------------
> We really need a fleshed out plan ASAP. There is an administrative call for the Maastricht IETF early (US) Tuesday morning where we should be able to put details forward.
>
> - Jim
>
Glad you reraised the issue.
If you have a significant number of people who can successfully utilize
authentication on WPA1 and WPA2 networks,
then I think the access control issue becomes almost moot. Which
suggests to me that you want to make sure that it isn't the
usual PSK setup, but rather, some sort of authentication on the wireless.
Other point was, as was noted by Chris? earlier, a Cisco switch should
be as good a bridge as a Linux bridge. So from a performance
standpoint, the Cisco switch might be the better hardware to use for the
implementation of any MAC address filtering. Only issue
I could see here would be if the number of users that can't do WPA1 or
WPA2 is LARGE, then there is the potential for pain, given
that Cisco sometimes codes in arbitrary limits.
So that's kind of where I am thinking. I would say: 1) force
authentication on WPA1 and WPA2, and we can do something to
create a captive portal, but try to use the Cisco switch as the access
control device.
I have other evil thoughts, but the main one is, seems like pushing WPA1
and WPA2 authentication is the real focus here.
John Kemp (kemp at network-services.uoregon.edu)
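As an added illustration of the point above about avoiding "the usual PSK setup" in favour of authentication on the wireless, here are two hostapd configuration fragments for the same SSID: the shared-password variant beside the per-user 802.1X/EAP (WPA2-Enterprise) variant. This is example configuration written for this page, not from the thread or from the IETF NOC's own setup; the SSID, interface, RADIUS server address and secrets are placeholders, and the two fragments are alternatives, not one file.

```ini
# Added example, not from the thread. Two alternative hostapd.conf
# fragments for one SSID. Names, addresses and secrets are placeholders.

# ---- Variant A: shared passphrase (WPA2-PSK) ----
# One password handed to every attendee. Anyone who learns it can join,
# and the access point keeps no per-user record of who authenticated.
interface=wlan0
ssid=ietf-attendees
hw_mode=g
channel=6
# wpa=2 selects WPA2/RSN only; wpa=3 would also allow WPA1 clients
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
# placeholder shared password
wpa_passphrase=CHANGE-ME-shared-attendee-password

# ---- Variant B: per-user authentication (WPA2-Enterprise, 802.1X/EAP) ----
# Credentials are checked by a RADIUS server, so the shared password can be
# replaced by per-attendee accounts later without reconfiguring the APs.
interface=wlan0
ssid=ietf-attendees
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
ieee8021x=1
# do not terminate EAP on the AP; forward it to the RADIUS server
eap_server=0
# placeholder RADIUS server (RFC 5737 documentation address)
auth_server_addr=192.0.2.10
auth_server_port=1812
# placeholder RADIUS shared secret
auth_server_shared_secret=CHANGE-ME-radius-secret
```

Variant B is what makes per-user authentication possible "should the requirements become more strict": the RADIUS backend decides who is admitted, so tightening from a shared account to individual accounts is a server-side change. Devices that cannot do EAP at all (the limited-laptop caveat) still need a separate path such as the captive portal or switch-side MAC filtering discussed above; that is not part of this fragment.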