On Mon, Jun 28, 2010 at 10:57 AM, Randy Bush <span dir="ltr"><<a href="mailto:randy@psg.com">randy@psg.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
first, as russ says, we really do not know the requirements for<br>
beijing. so we are shooting in the dark a bit.<br>
<br>
but we never will. so we 'do the right thing.' this is actually fairly<br>
normal stuff. we even did it at a few nanogs.<br>
<br>
Q: is there an escape, i.e. if a user can not authenticate, is there an<br>
ssid they can use for free?<br>
A: no. then what would be the purpose of the exercise?<br></blockquote><div><br></div><div>Yes, for Maastricht--with logging so we can track failures. No, for Beijing.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Q: is the authentication per user, i.e. enterprise not personal wpa2?<br>
or is a global id sufficient?<br>
A: per user or per device. otherwise one escaped regid lets a horde<br>
of attackers in; well, out actually.<br>
<br>
given the above, then how about the following scheme:<br>
<br>
o id in maastricht is regid. current practice is that the user gets<br>
it in their registration web page, in the response email, on their<br>
receipt, and on the back of their badge.<br>
<br>
for beijing, we should add redundancy within the number so one can<br>
not just type in an N digit numeric string. the secretariat needs<br>
to know this change to regid asap so they can prep systems and<br>
software for beijing.<br>
<br>
o authentication gets the user through a mac filter at the external<br>
exit. without auth the user has access to internal ietf meeting<br>
net.<br>
<br>
o if the user can easily use wpa2 enterprise, then use IETF/regid as<br>
the authentication and their device's mac is registered for the<br>
week.<br>
<br>
o if the user does not have wpa2 enterprise, or for some reason does<br>
not wish to use it, they can go to an on-site http web portal where<br>
they enter their regid and the device's mac is registered for the<br>
week.<br>
<br>
o if the user does not remember their regid, wants identity privacy, or<br>
has multiple devices, they can go to the registration desk and get<br>
one or more paper slips out of a bag (other containers acceptable)<br>
with pseudo-regids printed on them.<br>
<br>
o one regid authentication gets one mac allowed. if the user wishes<br>
to authenticate multiple devices, they must go to the reg desk and<br>
draw from the bag. otherwise, the leak of one regid gives a horde<br>
of attackers access.<br></blockquote><div><br></div><div>I'd argue for at least two mac addresses per. Most laptops have wireless and wired and many of our users will use both.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
o the web portal might also be a source of pseudo-regids, parallel to<br>
the bag of paper slips. i.e. if the user has a regid, they can get<br>
more regids for their other devices through the portal. the problem<br>
here is that, if one regid escapes to the attackers, then it can be<br>
leveraged to get many.<br>
<br>
randy<br>
_______________________________________________<br>
ietf78-tech mailing list<br>
<a href="mailto:ietf78-tech@daedelus.com">ietf78-tech@daedelus.com</a><br>
<a href="http://www.daedelus.com/mailman/listinfo/ietf78-tech" target="_blank">http://www.daedelus.com/mailman/listinfo/ietf78-tech</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Chris Elliott<br><a href="mailto:chelliot@pobox.com">chelliot@pobox.com</a><br><br>
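<p>Two of the points above lend themselves to a small worked model: the "redundancy within the number" for the Beijing regid, and the rule that one regid gets only a fixed number of MACs so a leaked regid cannot let a horde through. The code below is an added example written for this page; it is not the secretariat's regid format, nor the Maastricht or Beijing portal software. It assumes a zero-padded serial with a Luhn check digit appended, a portal that knows which regids were actually issued, and a cap of two MACs per regid (the wired-plus-wireless case raised in the reply), with failed attempts logged so they can be tracked.</p>

```python
"""Check-digit regids and a per-regid MAC cap (illustrative, not the IETF code).

Assumptions made for this example:
  * a regid is a zero-padded serial followed by one Luhn check digit;
  * the portal holds the set of regids that were actually issued;
  * each regid may bind at most two MAC addresses (wired + wireless).
"""

import re


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a string of decimal digits.

    Luhn catches every single-digit typo and all adjacent transpositions
    except 09<->90.  It is a typo/blind-guess filter, not a secret.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_regid(serial: int, width: int = 6) -> str:
    """Zero-padded serial plus check digit, e.g. 12345 -> '0123455'."""
    body = f"{serial:0{width}d}"
    return body + luhn_check_digit(body)


def regid_is_well_formed(regid: str) -> bool:
    """True if all digits and the last digit is the Luhn check of the rest."""
    if len(regid) < 2 or not regid.isdigit():
        return False
    return luhn_check_digit(regid[:-1]) == regid[-1]


def count_well_formed(width: int) -> int:
    """Number of (width+1)-digit strings that pass the check: exactly 10**width.

    A check digit rejects 90% of blind guesses and no more; the real limit on
    guessing is the sparse set of issued regids plus portal rate limiting."""
    return sum(1 for n in range(10 ** (width + 1))
               if regid_is_well_formed(f"{n:0{width + 1}d}"))


_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff.

    Returns the canonical lower-case colon form, or None if malformed."""
    flat = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(flat):
        return None
    return ":".join(flat[i:i + 2] for i in range(0, 12, 2))


class Portal:
    """Web-portal side of the scheme: regid -> at most N MACs, failures logged."""

    def __init__(self, issued_regids, macs_per_regid: int = 2):
        self.issued = set(issued_regids)
        self.macs_per_regid = macs_per_regid
        self.bindings = {}       # regid -> [mac, ...]
        self.mac_owner = {}      # mac -> regid
        self.failures = []       # (regid, mac, reason), for tracking abuse

    def _fail(self, regid: str, mac: str, reason: str) -> str:
        self.failures.append((regid, mac, reason))
        return reason

    def register(self, regid: str, mac: str) -> str:
        regid = regid.strip()
        # Cheap syntactic reject first: no lookup for strings that cannot be regids.
        if not regid_is_well_formed(regid):
            return self._fail(regid, mac, "malformed")
        if regid not in self.issued:
            return self._fail(regid, mac, "unknown")
        canon = normalize_mac(mac)
        if canon is None:
            return self._fail(regid, mac, "bad_mac")
        bound = self.bindings.setdefault(regid, [])
        if canon in bound:
            return "already_registered"          # idempotent re-submit, not a failure
        if canon in self.mac_owner:
            return self._fail(regid, canon, "mac_bound_to_other_regid")
        if len(bound) >= self.macs_per_regid:
            return self._fail(regid, canon, "limit_reached")
        bound.append(canon)
        self.mac_owner[canon] = regid
        return "ok"
```

<p>The cap is what contains a leak: a regid that escapes still admits only as many devices as the cap allows, and every further attempt lands in <code>failures</code> with the offending regid, which is the trail you would want when deciding whether to revoke it and hand the attendee a fresh slip from the bag.</p>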