[ietf78-tech] user device authentication in maastricht
Chris Elliott
chelliot at pobox.com
Mon Jun 28 08:51:25 PDT 2010
On Mon, Jun 28, 2010 at 10:57 AM, Randy Bush <randy at psg.com> wrote:
> first, as russ says, we really do not know the requirements for
> beijing. so we are shooting in the dark a bit.
>
> but we never will. so we 'do the right thing.' this is actually fairly
> normal stuff. we even did it at a few nanogs.
>
> Q: is there an escape, i.e. if a user can not authenticate, is there an
> ssid they can use for free?
> A: no. then what would be the purpose of the exercise?
>
Yes, for Maastricht--with logging so we can track failures. No, for Beijing.
> Q: is the authentication per user, i.e. enterprise not personal wpa2?
> or is a global id sufficient?
> A: per user or per device. otherwise one escaped regid lets a horde
> of attackers in; well, out actually.
>
> given the above, then how about the following scheme:
>
> o id in maastricht is regid. current practice is that the user gets
> it in their registration web page, in the response email, on their
> receipt, and on the back of their badge.
>
> for beijing, we should add redundancy within the number so one cannot
> just type in an N digit numeric string. the secretariat needs
> to know this change to regid asap so they can prep systems and
> software for beijing.
>
> o authentication gets the user through a mac filter at the external
> exit. without auth the user has access to internal ietf meeting
> net.
>
> o if the user can easily use wpa2 enterprise, then use IETF/regid as
> the authentication and their device's mac is registered for the
> week.
>
> o if the user does not have wpa2 enterprise, or for some reason does
> not wish to use it, they can go to an on-site http web portal where
> they enter their regid and the device's mac is registered for the
> week.
>
> o if user does not remember their regid, wants identity privacy, or
> has multiple devices, they can go to the registration desk and get
> one or more paper slips out of a bag (other containers acceptable)
> with pseudo-regids printed on them.
>
> o one regid authentication gets one mac allowed. if the user wishes
> to authenticate multiple devices, they must go to the reg desk and
> draw from the bag. otherwise, the leak of one regid gives a horde
> of attackers access.
>
I'd argue for at least two mac addresses per. Most laptops have wireless and
wired and many of our users will use both.
> o the web portal might also be a source of pseudo-regids, parallel to
> the bag of paper slips. i.e. if the user has a regid, they can get
> more regids for their other devices through the portal. the problem
> here is that, if one regid escapes to the attackers, then it can be
> leveraged to get many.
>
> randy
--
Chris Elliott
chelliot at pobox.com
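The scheme above, worked through as an added example; this is not code from the thread, the IETF meeting network, or the secretariat. It assumes a regid made of a 6-digit sequence number plus 4 check digits taken from an HMAC under a secretariat-held secret (the secret below is a placeholder), and a portal-side registry that binds at most two MAC addresses to each regid, the limit argued for in the reply.

```python
"""Added example: regid with built-in redundancy, plus a portal-side MAC
registry enforcing a per-regid device limit.  Not the meeting network's code;
the check-digit scheme, the secret and the limit are assumptions."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Set, Tuple

REGID_SECRET = b"placeholder-secretariat-secret"  # assumption: held by the secretariat
SEQ_DIGITS = 6          # sequential part of the regid
CHECK_DIGITS = 4        # redundancy: a blindly typed 10-digit string passes 1 in 10**4
MAX_MACS_PER_REGID = 2  # wired + wireless, per Chris Elliott's reply


def _check_digits(seq: int) -> str:
    """Redundancy digits for a sequence number (assumed scheme, not the real one)."""
    msg = f"{seq:0{SEQ_DIGITS}d}".encode()
    tag = hmac.new(REGID_SECRET, msg, hashlib.sha256).digest()
    n = int.from_bytes(tag[:4], "big") % 10 ** CHECK_DIGITS
    return f"{n:0{CHECK_DIGITS}d}"


def make_regid(seq: int) -> str:
    """Issue the regid that goes on the badge, receipt and confirmation e-mail."""
    if not 0 <= seq < 10 ** SEQ_DIGITS:
        raise ValueError("sequence number out of range")
    return f"{seq:0{SEQ_DIGITS}d}" + _check_digits(seq)


def regid_is_valid(regid: str) -> bool:
    """Syntactic check: right length, ASCII digits only, check digits match."""
    if not re.fullmatch("[0-9]{%d}" % (SEQ_DIGITS + CHECK_DIGITS), regid):
        return False
    seq, tag = regid[:SEQ_DIGITS], regid[SEQ_DIGITS:]
    return hmac.compare_digest(tag, _check_digits(int(seq)))


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 00:11:22:33:44:55, 00-11-..., 0011.2233.4455 or bare hex; emit lowercase colon form."""
    hexdigits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


class MacRegistry:
    """Portal-side state: which MACs the filter at the external exit should pass this week."""

    def __init__(self, issued_regids):
        self.issued: Set[str] = set(issued_regids)   # from the secretariat's registration list
        self.macs_by_regid: Dict[str, Set[str]] = {}
        self.regid_by_mac: Dict[str, str] = {}

    def register(self, regid: str, mac: str) -> Tuple[bool, str]:
        """Bind a device to a regid.  Returns (accepted, reason); log the reason either way."""
        if not regid_is_valid(regid):
            return False, "malformed regid"        # cheap reject: typo or blind guessing
        if regid not in self.issued:
            return False, "regid not issued"       # passed the check digits but unknown: worth alerting on
        m = normalize_mac(mac)
        if m is None:
            return False, "malformed mac"
        if m in self.regid_by_mac:                 # idempotent for the same regid, refused for another
            return self.regid_by_mac[m] == regid, "mac already registered"
        macs = self.macs_by_regid.setdefault(regid, set())
        if len(macs) >= MAX_MACS_PER_REGID:
            return False, "device limit reached; draw a pseudo-regid at the reg desk"
        macs.add(m)
        self.regid_by_mac[m] = regid
        return True, "registered"

    def is_allowed(self, mac: str) -> bool:
        """The question the MAC filter at the external exit asks per frame/flow."""
        m = normalize_mac(mac)
        return m is not None and m in self.regid_by_mac


def demo() -> List[bool]:
    """One attendee at the portal: two devices accepted, a third refused, an unissued regid refused."""
    regid = make_regid(4242)                       # constructed sample regid
    reg = MacRegistry([regid])
    return [
        reg.register(regid, "00:11:22:33:44:55")[0],            # laptop wireless
        reg.register(regid, "00-11-22-33-44-66")[0],            # laptop wired
        reg.register(regid, "00:11:22:33:44:77")[0],            # phone: over the limit
        reg.register(make_regid(4243), "aa:bb:cc:dd:ee:ff")[0],  # well-formed, never issued
        reg.is_allowed("0011.2233.4455"),                       # same MAC, different notation
        reg.is_allowed("00:11:22:33:44:77"),                    # the refused phone
    ]


if __name__ == "__main__":
    print(demo())
```

The check digits only stop blind typing of numeric strings; a regid that has leaked still validates. What bounds the damage from a leak is the per-regid device limit together with the pseudo-regid slips at the desk, which is the point Randy's last bullet makes about not handing out further regids through the portal.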