[ietf78-tech] user/device authentication in maastricht
Jim Martin
jim at daedelus.com
Tue Jun 29 18:28:13 PDT 2010
Leon,
Our goal with the admission control setup for Maastricht is to be able to test the "worst case" scenario of every individual needing a separate set of credentials for their device(s). If the team for Beijing choose to use just a single username and password, it's simply a degenerate case of the setup for Maastricht.
However, I think Randy's point is very well taken. If our goal is to ensure that non-IETF attendees don't gain access to the unfiltered network, I fear that a simple global username/password would quickly leak out beyond the attendees. I would hate to cause problems for the IETF with the local authorities based upon technical choices we might make.
- Jim
On Jun 28, 2010, at 8:13 PM, Randy Bush wrote:
>>>>> Q: is the authentication per user, i.e. enterprise not personal wpa2?
>>>>> or is a global id sufficient?
>>>>> A: per user or per device. otherwise one escaped regid lets a horde
>>>>> of attackers in; well, out actually.
>>>> As we discussed internally within our team, we can accept a global id for
>>>> Beijing.
>>> i presume the id will be easy to learn. as that means that anyone
>>> within wireless range can get to the open net, why bother at all?
>> Sorry I didn't make it clear. I meant to mean "global user
>> id/password" ...
>
> < free technical opinion, worth what you pay for it >
>
> no confusion. my point was, it will be trivial for an attacker [0] to
> learn a single global authentication token set. if it is hard, then it
> will also be hard for attendees to learn. so it has to be easy to
> learn.
>
> also, the network infrastructure to enforce a global auth token set is
> darned near the same as if it is per-user. i guess one would not need
> radius, which is easy to provision, so no real win.
>
> but you are the hosts. it is your decision.
>
> randy
>
> --
>
> [0] - excuse any negative connotations to 'attacker'. it's just
> security geek jargon.