[ietf78-tech] user/device authentication in maastricht
Randy Bush
randy at psg.com
Mon Jun 28 20:13:04 PDT 2010
>>>> Q: is the authentication per user, i.e. enterprise not personal wpa2?
>>>> or is a global id sufficient?
>>>> A: per user or per device. otherwise one escaped regid lets a horde
>>>> of attackers in; well, out actually.
>>> As we discussed internally within our team, we can accept a global id for
>>> Beijing.
>> i presume the id will be easy to learn. as that means that anyone
>> within wireless range can get to the open net, why bother at all?
> Sorry I didn't make it clear. I meant to mean "global user
> id/password" ...
< free technical opinion, worth what you pay for it >
no confusion. my point was, it will be trivial for an attacker [0] to
learn a single global authentication token set. if it is hard, then it
will also be hard for attendees to learn. so it has to be easy to
learn.
also, the network infrastructure to enforce a global auth token set is
darned near the same as if it is per-user. i guess one would not need
radius, which is easy to provision, so no real win.
but you are the hosts. it is your decision.
randy
--
[0] - excuse any negative connotations to 'attacker'. it's just
security geek jargon.