[ietf78-tech] user/device authentication in maastricht

Randy Bush randy at psg.com
Mon Jun 28 08:12:39 PDT 2010


[ second try.  first, sent 20 mins ago, seems not to have made it to
  list! ]

first, as russ says, we really do not know the requirements for
beijing.  so we are shooting in the dark a bit.

but we never will.  so we 'do the right thing.'  this is actually fairly
normal stuff.  we even did it at a few nanogs.

Q: is there an escape, i.e. if a user can not authenticate, is there an
   ssid they can use for free?  
A: no.  then what would be the purpose of the exercise?

Q: is the authentication per user, i.e. enterprise not personal wpa2?
   or is a global id sufficient?
A: per user or per device.  otherwise one escaped regid lets a horde
   of attackers in; well, out actually.

given the above, then how about the following scheme:

  o id in maastricht is regid.  current practice is that the user gets
    it in their registration web page, in the response email, on their
    receipt, and on the back of their badge.

    for beijing, we should add redundancy within the number so one can
    not just type in an N digit numeric string.  the secretariat needs
    to know this change to regid asap so they can prep systems and
    software for beijing.

  o authentication gets the user through a mac filter at the external
    exit.  without auth the user has access to internal ietf meeting
    net.

  o if the user can easily use wpa2 enterprise, then use IETF/regid as
    the authentication and their device's mac is registered for the
    week.

  o if the user does not have wpa2 enterprise, or for some reason does
    not wish to use it, they can go to an on-site http web portal where
    they enter their regid and the device's mac is registered for the
    week.

  o if user does not remember their regid, wants identity privacy, or
    has multiple devices, they can go to the registration desk and get
    one or more paper slips out of a bag (other containers acceptable)
    with pseudo-regids printed on them.

  o one regid authentication gets one mac allowed.  if the user wishes
    to authenticate multiple devices, they must go to the reg desk and
    draw from the bag.  otherwise, the leak of one regid gives a horde
    of attackers access.

  o the web portal might also be a source of pseudo-regids, parallel to
    the bag of paper slips.  i.e. if the user has a regid, they can get
    more regids for their other devices through the portal.  the problem
    here is that, if one regid escapes to the attackers, then it can be
    leveraged to get many.

randy

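Added example, not Randy's or the secretariat's code: one way to give the regid the internal redundancy he asks for (here a keyed two-digit check suffix, an assumption; the actual scheme for beijing is not specified) and to enforce "one regid authentication gets one mac" at the portal / mac filter. All names and the sample values are constructed.

```python
import hmac
import hashlib

# Hypothetical secretariat key; would live only on the auth server, never in client software.
SECRET = b"constructed-demo-key"
WIDTH = 5          # digits in the plain registration number
CHECK = 2          # digits of keyed redundancy appended to it


def check_digits(body: str) -> str:
    """Keyed check suffix: a random N-digit string passes with only 1/10**CHECK odds,
    and without SECRET nobody can compute a valid suffix for a chosen number."""
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(tag[:4], "big") % 10 ** CHECK).zfill(CHECK)


def make_regid(number: int) -> str:
    body = str(number).zfill(WIDTH)
    return body + check_digits(body)


def valid_regid(regid: str) -> bool:
    if not regid.isdigit() or len(regid) != WIDTH + CHECK:
        return False
    body, suffix = regid[:WIDTH], regid[WIDTH:]
    return hmac.compare_digest(suffix, check_digits(body))


class MacFilter:
    """Binding table behind the portal / wpa2-enterprise auth and the exit mac filter."""

    def __init__(self):
        self.issued = set()         # regids (and pseudo-regids) actually handed out
        self.regid_to_mac = {}      # one regid binds exactly one device for the week

    def issue(self, number: int) -> str:
        """Registration desk or bag of slips: mint a regid / pseudo-regid."""
        regid = make_regid(number)
        self.issued.add(regid)
        return regid

    def authenticate(self, regid: str, mac: str) -> bool:
        """Returns True if this device's mac is now allowed through the external exit."""
        mac = mac.lower()
        if not valid_regid(regid) or regid not in self.issued:
            return False
        bound = self.regid_to_mac.setdefault(regid, mac)
        return bound == mac     # same device re-auths fine; a second device is refused

    def permitted(self, mac: str) -> bool:
        return mac.lower() in self.regid_to_mac.values()
```

A second device for the same attendee therefore needs its own regid from the desk, which is exactly the property that keeps one leaked regid from letting a horde out.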
