[ietf78-tech] user/device authentication in maastricht
Randy Bush
randy at psg.com
Mon Jun 28 10:51:41 PDT 2010

authentication scheme for maastricht

o id in maastricht is regid. current practice is that the user gets
  it in their registration web page, in the response email, on their
  receipt, and on the back of their badge.

  for beijing, we should add redundancy within the number so one can
  not just type in an N digit numeric string. the secretariat needs
  to know this change to regid asap so they can prep systems and
  software for beijing.

o authentication gets the user through a mac filter at the external
  exit. without auth the user has access to internal ietf meeting
  net.

o if the user can easily use wpa2 enterprise, then use regid/IETF as
  the userid/passwd authentication and their device's mac is
  registered for the week.

o if the user does not have wpa2 enterprise, or for some reason does
  not wish to use it, they can go to an on-site http web portal where
  they enter their regid and the device's mac is registered for the
  week.

o if user does not remember their regid, wants identity privacy, or
  has multiple devices, they can go to the registration desk and get
  one or more paper slips out of a bag (other containers acceptable)
  with pseudo-regids printed on them.

o one regid authentication gets three devices' macs allowed. if the
  user wishes to authenticate more devices, they must go to the reg
  desk and draw from the bag. otherwise, the leak of one regid gives
  a horde of attackers access.

randy
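
Added example, not part of the message above and not code from the IETF NOC or secretariat: a sketch of the portal-side check the message describes, with a regid that carries redundancy and a cap of three macs per regid. The 5-digit serial, the keyed 4-digit tag, the secret and every function and class name are assumptions; the message only asks for "redundancy within the number".

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-meeting secret held by the portal
TAG_DIGITS = 4                    # assumption: the post does not say how much redundancy
MAX_DEVICES = 3                   # from the post: one regid allows three macs

def _tag(base: str) -> str:
    # Keyed decimal tag, so a valid regid cannot be derived from the serial alone.
    digest = hmac.new(SECRET, base.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**TAG_DIGITS).zfill(TAG_DIGITS)

def issue_regid(serial: int) -> str:
    base = f"{serial:05d}"
    return f"{base}-{_tag(base)}"

def regid_is_valid(regid: str) -> bool:
    base, sep, tag = regid.partition("-")
    if not (sep and len(base) == 5 and base.isdigit() and regid.isascii()):
        return False
    return hmac.compare_digest(tag.encode(), _tag(base).encode())

def normalize_mac(mac: str) -> str:
    # Accept aa:bb:..., AA-BB-... and aabb.ccdd.eeff; store one canonical form.
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a 48-bit mac")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacFilter:
    def __init__(self):
        self.devices = {}  # regid -> set of macs registered for the week

    def register(self, regid: str, mac: str) -> str:
        if not regid_is_valid(regid):
            return "reject: bad regid"
        mac = normalize_mac(mac)
        macs = self.devices.setdefault(regid, set())
        if mac in macs:
            return "ok: already registered"
        if len(macs) >= MAX_DEVICES:
            return "reject: device limit, go to the reg desk"
        macs.add(mac)
        return "ok: registered"

    def allowed(self, mac: str) -> bool:
        mac = normalize_mac(mac)
        return any(mac in macs for macs in self.devices.values())
```

With a 4-digit tag, exactly one of the 10,000 possible suffixes validates for a given serial, and the same mac written in a different notation does not consume a second device slot.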