As someone who is involved in eduroam, I'm curious how many people found the
availability of eduroam at IETF 78 useful.
If you believe that you are eligible to use eduroam - irrespective of whether
you tried it at IETF 78 - please consider completing the form at the following
URL (it's only thr
Hi Phillip,
You can find all you want to know at the website: http://www.eduroam.org,
especially the Service Definition at:
http://www.eduroam.org/downloads/docs/GN2-07-327v2-DS5_1_1-_eduroam_Service_Definition.pdf
you may also want to watch the cartoon at:
http://www.youtube.com/watch?v=TVCm
Any chance of a link to specs showing how it is done?
Might be something that maybe deserves to see wider use.
On Sat, Jul 24, 2010 at 9:19 AM, IETF Chair wrote:
> eduroam (education roaming) is the secure, world-wide roaming access
> service developed for the international research and educatio
> Since we expect a reasonable attendance at IETF from
> eduroam-connected sites, IETF participants with an eduroam account
> configured, should get connected to the wireless network right away
> with their usual credentials.
And it's working flawlessly on my laptop and phone. Thank you to everyon
eduroam (education roaming) is the secure, world-wide roaming access
service developed for the international research and education
community. eduroam allows students, researchers and staff from
participating institutions to obtain Internet connectivity across campus
and when visiting other partici
On 30 jun 2010, at 23:55, IETF Chair wrote:
> To gain access to the IETF network, you will need to provide a
> credential. Your primary credential will be your registration ID. You
> can find your registration ID on the registration web page, in the
> response email confirmation you received from
I should know better than dive back into this discussion...
On 13 jul 2010, at 18:05, Phillip Hallam-Baker wrote:
> Con: There is no cost to generating the cert, the cert can be
> generated after the device ships. Thus there is no degree of
> accountability established in the presentation of a ce
While the fingerprint of the cert can be used as a globally unique
identifier, this approach has advantages and disadvantages.
Pro: There is no cost to generating the cert, the cert can be
generated after the device ships
Con: There is no cost to generating the cert, the cert can be
generated aft
Intel got a bloody nose on that one because they were incompetent and lied.
A few weeks before the launch an Intel person told me about the serial
number scheme as a means of tracking down CPUs stolen during
distribution. Then at the launch we were told how the serial number
was going to enable a
Well maybe if you read the full thread rather than just cherry picking
parts of it you would have understood the point better.
My original argument was that I think the IETF should eat the WiFi
authentication dog-food here because the current product tastes like
poo and the only way things are goi
No, if you read my book you would see the scheme I am proposing.
The problem with current MAC addresses is that they are not
trustworthy. That is accepted. If MAC addresses were not trivially
forged then the existing WiFi scheme would work fine.
What I am saying is that if people got really serio
See below ...
> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker
> wrote:
>>
>> No, if you read my book you would see the scheme I am proposing.
>>
>> The problem with current MAC addresses is that they are not
>> trustworthy. That is accepted. If MAC addresses were not trivially
>> forged
On 7/12/10 11:39 AM, Martin Rex wrote:
Personally, I'm heavily opposed to an approach along these lines.
It is a big plus that MAC addresses can be trivially changed,
and I regularly connect with random MACs in public places.
Russ and Ted discussed use of MAC addresses for access. I may ha
Phillip,
I read all of all your emails on this thread before I replied the first time,
just not your book.
We will be and we have been "eat[ing] the WiFi authentication dog-food" at IETF
meetings. And it's gotten easier each time.
You do realize, don't you, that we are offering WPA/WPA2 with e
Phillip Hallam-Baker wrote:
>
> The simplest, cleanest solution to this problem is to either have a
> device cert installed during manufacture or to employ my alternative
> scheme designed for low performance devices that does not require them
> to perform public key cryptography on the end point
On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker wrote:
> No, if you read my book you would see the scheme I am proposing.
>
I hope your book is rather less opaque than your attempts to explain your
technique here.
> The problem with current MAC addresses is that they are not
> trustworthy.
Phillip,
In your earlier email, you state:
> If the designers had actual brains instead of bits of liver strapped
> round their waist by dogbert then all that would be necessary to
> securely authenticate to the network is to give either the MAC address
> of the computer or the fingerprint of the c
Of course the MAC address is trivially forged. That is the function of
the certificate.
MAC address X is not very interesting
MAC address that party purporting to be CISCO says is X is quite a
bit more interesting
MAC address that party validated as CISCO as X is more interesting still
On 2010-07-06 11:37, Mark Atwood wrote:
That is sadly true. However, it would still be a good idea to do at
the IETF gathering, *because* it is currently a usability nightmare.
There is not enough both real world experience, and exposure of IETF
participant attendees to actual "tip of the spear"
On Tue, Jul 6, 2010 at 2:37 PM, Mark Atwood wrote:
> > As far as using certificates --- sure, it's possible to set up EAP-TLS
> > using client certificates. It can be done on Mac, Windows, and Linux.
> > But the setup of that across multiple operating systems and getting
> > users to correctly s
> As far as using certificates --- sure, it's possible to set up EAP-TLS
> using client certificates. It can be done on Mac, Windows, and Linux.
> But the setup of that across multiple operating systems and getting
> users to correctly set up their certificates, sending a CA signing
> request secu
On Sat, Jul 03, 2010 at 03:13:28PM -0400, Phillip Hallam-Baker wrote:
>
> Any time a user has to think when the computer can think for them is a
> failure. Every WiFi access control system I have ever used has
> required me to configure the computer.
>
> If the designers had actual brains instead
On Sat, Jul 3, 2010 at 3:13 PM, Phillip Hallam-Baker wrote:
> The usability of these systems sucks.
>
> Any time a user has to think when the computer can think for them is a
> failure. Every WiFi access control system I have ever used has
> required me to configure the computer.
>
> If the designe
The usability of these systems sucks.
Any time a user has to think when the computer can think for them is a
failure. Every WiFi access control system I have ever used has
required me to configure the computer.
If the designers had actual brains instead of bits of liver strapped
round their waist
We've had deployments where we've taken over the hotel's wireless
infrastructure and as a result been expected to serve their customers as well...
Doing so is more or less incompatible with authenticated network access. I
imagine us doing that again sometime...
Joel
Joel's iPad
On Jul 4, 2010,
That is understood, Andrew's comment I seconded was about the
possibility of the change becoming permanent after Beijing.
--
Ciao,
Enrico
Sent from my iPhone
On Jul 3, 2010, at 21:19, "Ole Jacobsen" wrote:
>
> Enrico,
>
> Nobody has suggested there was anything wrong with the old (NUL)
> acces
Enrico,
Nobody has suggested there was anything wrong with the old (NUL)
access method nor that any damage has ever been caused, but that
is entirely orthogonal to the matter at hand. We are (in November)
going to a location where such access is "required" (at least it
seems a good idea from host
Andrew G. Malis wrote:
> IMHO, the best IETF network experiences have been when the IETF took
> over the entire hotel network for the week, including the guest room
> access whether wired or wireless, and allowed free access to all hotel
> guests. I hope that we can return to that model in the futu
On Thu, Jul 1, 2010 at 7:19 PM, Michael StJohns wrote:
> I would expect this (per user login) to fade away after Beijing - unless and
> until the IAOC and IETF agrees that it's necessary for the longer term. And I
> don't believe that discussion has been had.
I would like to second this.
IMHO,
On 2 jul 2010, at 2:30, Phillip Hallam-Baker wrote:
> It has taken ten years for WiFi to get to a state where an adequate
> credential mechanism is supported, and it is still clunky.
What are you talking about?? Enterprise type WPA where you authenticate against
a back end server has been around
Hi Ole,
At 11:33 AM 7/2/2010, Ole Jacobsen wrote:
Could you please summarize in one paragraph exactly what problem
you have with this setup?
I do not have any problem with the setup. I support what Ted Hardie
said in the last paragraph of his message.
Regards,
-sm
Actually, I wish we had done something in this area sooner in the hope
of creating a forcing function to make the authentication mechanisms
in WiFi more appropriate.
It has taken ten years for WiFi to get to a state where an adequate
credential mechanism is supported, and it is still clunky. And t
Mike,
> Going back to the IAOC, I would ask whether this requirement was known at the
> time of the previous Beijing discussion? If so, why wasn't it brought up at
> that point in time and as part of the discussion on venue acceptability. If
> it was added later, when was it added, and why wa
SM,
Could you please summarize in one paragraph exactly what problem
you have with this setup?
Ole
Ole J. Jacobsen
Editor and Publisher, The Internet Protocol Journal
Cisco Systems
Tel: +1 408-527-8972 Mobile: +1 415-370-4628
E-mail: o...@cisco.com URL: http://www.cisco.com/ipj
At 08:26 01-07-10, Fred Baker wrote:
While it is new in IETF meetings, it is far from unusual in WiFi
networks to find some form of authentication. This happens at coffee
shops, college campuses, corporate campuses, and people's
apartments. I think I would need some more data before I concluded
On 7/1/10 8:26 AM, Fred Baker wrote:
While it is new in IETF meetings, it is far from unusual in WiFi networks to
find some form of authentication. This happens at coffee shops, college
campuses, corporate campuses, and people's apartments. I think I would need
some more data before I conclude
On 07/01/2010 11:50 AM, Ole Jacobsen wrote:
You wrote:
"It is clear to people unfamiliar with the IETF that IETF meeting
participants means people who have registered for the IETF meeting."
Correct.
"I have been told that an IETF meeting does not have security guards
at the door to verify wh
Mike:
> Going back to the IAOC, I would ask whether this requirement
> was known at the time of the previous Beijing discussion? If so,
> why wasn't it brought up at that point in time and as part of the
> discussion on venue acceptability. If it was added later, when
> was it added, and why was
Ted:
>> There's a difference, however, between ticking a box and having individual
>> user-attributable credentials. The two techniques are focused on different
>> goals, generically binding users to an AUP, without caring who they are,
>> versus being able to identify individual users on the net
> The issue is not that the IETF and IETF attendees are required to obey
> the laws of the venue, but rather whether or not the IETF chooses to
> hold a meeting in a venue where the law is sufficiently ...
> restrictive, draconian, capricious, ?? ... to require the IETF to
> change its model of ope
At 02:52 PM 7/1/2010, Russ Housley wrote:
>No matter where a meeting is held, we are subject to the laws of that
>location. Nothing new there.
Hi Russ -
I agree with the above statement, but it's really beside the point. The issue
is not that the IETF and IETF attendees are required to obey the
Richard:
> Is there a reason that the anonymous IDs are opt-in? Why not have all
> the IDs be anonymous?
Asked and answered. I previously said:
: One reason for using the registration ID was to allow people to
: use the network before they check-in at the IETF registration desk.
: Another reas
We even had AppleTalk at IETF's for a while...
Much hair loss and greying since then. Yikes.
Ole
Ole J. Jacobsen
Editor and Publisher, The Internet Protocol Journal
Cisco Systems
Tel: +1 408-527-8972 Mobile: +1 415-370-4628
E-mail: o...@cisco.com URL: http://www.cisco.com/ipj
--On Friday, July 02, 2010 05:09 +0900 Randy Bush
wrote:
>> The use of WLAN started out with a small group of early
>> adopters somewhere around 1996/1997.
>
> earlier, i believe. i think i had wlan in s'hoim in 95, and
> ran the dhcp server experiment on my laptop in the corner.
> but don't
the only hard issue i have heard is log access and retention. it is
clear radius logs, the only logs being used (aside from landings and
take-offs of black helicopters), should be destroyed at the end of the
meeting. but should they be wiped more frequently?
their intended use is solely for de
Russ Housley wrote:
>
> Yes, the slips obtained from the IETF registration desk and the network
> help desk are anonymous. You show your badge, and then you can pick one
> or more slips from the container. The people at the desk will not know
> which registration ID you got.
Thank you for the
> I do remember the guarded terminal rooms in 1995-1998.
the terminals themselves were being guarded, not their use. they were
expensive. now there are no terminals in the terminal room. so the
name was apt. :)
> The use of WLAN started out with a small group of early adopters
> somewhere arou
>> "It is clear to people unfamiliar with the IETF that IETF meeting
>> participants means people who have registered for the IETF meeting."
> ... and their accompanying persons (who can also get a slip).
i see no reason to limit it to persons. what if an attendee has a dog
with wifi, a wifi fifi
> I'm concerned about the correlation between my MAC address and the
> hosts I communicate with.
and how and why would you suggest that be logged? i am not aware radius
does that.
randy
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/l
It is not necessary to log but it is necessary to create either a firewall ACL or
an L2 fib entry at the time of authentication...
Joel's iPad
On Jul 1, 2010, at 12:32 PM, Iljitsch van Beijnum wrote:
> On 1 jul 2010, at 21:20, Russ Housley wrote:
>
>> Again, the use of anonymous registration IDs
On Jul 1, 2010, at 12:32 PM, Iljitsch van Beijnum wrote:
> I'm concerned about the correlation between my MAC address and the hosts I
> communicate with.
Change your MAC address.
Regards,
-drc
Richard:
Yes, the slips obtained from the IETF registration desk and the network
help desk are anonymous. You show your badge, and then you can pick one
or more slips from the container. The people at the desk will not know
which registration ID you got.
We will use this same approach for IETF
Ole Jacobsen wrote:
>
> > "I have been told that an IETF meeting does not have security guards
> > at the door to verify who has a badge to determine whether the person
> > is registered for the meeting.
>
> > "The fashion in the IETF is to have an open network. There isn't any
> > admission c
On 1 jul 2010, at 21:20, Russ Housley wrote:
> Again, the use of anonymous registration IDs is available to you and
> anyone that wants one. If you are concerned about the logs, then you
> should use one.
I'm concerned about the correlation between my MAC address and the hosts I
communicate wit
Is there a reason that the anonymous IDs are opt-in? Why not have all
the IDs be anonymous?
On Jul 1, 2010, at 3:20 PM, Russ Housley wrote:
Iljitsch:
This is useful, but not quite what I was asking. Clearly, the above
means that the logs exist during the meeting, while we are at the
Iljitsch:
>> This is useful, but not quite what I was asking. Clearly, the above
>> means that the logs exist during the meeting, while we are at the host
>> venue. I think it is safe to say that under some legal regimes, a
>> government could require the delivery of such existing logs to them.
Not totally right. The person with a badge can get one or more slips
with anonymous registration ID/passwords. The badge-holder can then
share the slip with accompanying persons (such as spouse or kids or <
let's not go there ;-) > ).
Russ
On 7/1/2010 1:01 PM, Marshall Eubanks wrote:
>
> On Ju
Richard:
> There's a difference, however, between ticking a box and having
> individual user-attributable credentials. The two techniques are
> focused on different goals, generically binding users to an AUP, without
> caring who they are, versus being able to identify individual users on
> the n
Russ,
Couple of quick questions:
-- Are the anonymous IDs truly anonymous (show existence of badge [not
necessarily name on badge] and get one) or are they tied to a user
identity?
-- Will users be allowed to request multiple anonymous IDs?
-- Will these policies be identical for both IET
Andrew:
>> While it is new in IETF meetings, it is far from unusual in WiFi
>> networks to find some form of authentication. This happens at coffee
>> shops, college campuses, corporate campuses, and people's
>> apartments.
>
> I'd hate to think that the IETF is modelling its networks on dodgy
>
On Thu, Jul 1, 2010 at 8:52 AM, Richard L. Barnes wrote:
> There's a difference, however, between ticking a box and having individual
> user-attributable credentials. The two techniques are focused on different
> goals, generically binding users to an AUP, without caring who they are,
> versus be
On 1 jul 2010, at 19:07, Andrew Sullivan wrote:
> This is useful, but not quite what I was asking. Clearly, the above
> means that the logs exist during the meeting, while we are at the host
> venue. I think it is safe to say that under some legal regimes, a
> government could require the delive
On Thu, Jul 01, 2010 at 09:42:16AM -0700, Joel Jaeggli wrote:
> It has been the documented practice of the ietf meeting network
> operations to limit the amount of pii data collected in operation or
> experimentation and to destroy logs containing pii data if they
> exist (example data collected by
On Jul 1, 2010, at 11:50 AM, Ole Jacobsen wrote:
You wrote:
"It is clear to people unfamiliar with the IETF that IETF meeting
participants means people who have registered for the IETF meeting."
Correct.
... and their accompanying persons (who can also get a slip).
Regards
Marshall
"I
It has been the documented practice of the ietf meeting network operations to
limit the amount of pii data collected in operation or experimentation and to
destroy logs containing pii data if they exist (example data collected by the
IDS or formerly http proxy back when we ran one) after the me
You wrote:
"It is clear to people unfamiliar with the IETF that IETF meeting
participants means people who have registered for the IETF meeting."
Correct.
"I have been told that an IETF meeting does not have security guards
at the door to verify who has a badge to determine whether the perso
There's a difference, however, between ticking a box and having
individual user-attributable credentials. The two techniques are
focused on different goals, generically binding users to an AUP,
without caring who they are, versus being able to identify individual
users on the network (with
On Thu, Jul 01, 2010 at 08:26:35AM -0700, Fred Baker wrote:
> While it is new in IETF meetings, it is far from unusual in WiFi
> networks to find some form of authentication. This happens at coffee
> shops, college campuses, corporate campuses, and people's
> apartments.
I'd hate to think that t
On 7/1/2010 8:26 AM, Fred Baker wrote:
While it is new in IETF meetings, it is far from unusual in WiFi networks to
find some form of authentication. This happens at coffee shops, college
campuses, corporate campuses, and people's apartments. I think I would need
some more data before I conclud
On 01/07/2010 17:26, Fred Baker wrote:
> While it is new in IETF meetings, it is far from unusual in WiFi networks to
> find some form of authentication. This happens at coffee shops, college
> campuses, corporate campuses, and people's apartments. I think I would need
> some more data befor
While it is new in IETF meetings, it is far from unusual in WiFi networks to
find some form of authentication. This happens at coffee shops, college
campuses, corporate campuses, and people's apartments. I think I would need
some more data before I concluded this was unreasonable.
On Jul 1, 201
Hello,
At 14:55 30-06-10, IETF Chair wrote:
I am writing to let you know about a change in the IETF meeting network.
At IETF 79 in Beijing, the IETF network will be connected to the open
Internet with absolutely no filtering. However, we have agreed with our
hosts that only IETF meeting particip
I am writing to let you know about a change in the IETF meeting network.
At IETF 79 in Beijing, the IETF network will be connected to the open
Internet with absolutely no filtering. However, we have agreed with our
hosts that only IETF meeting participants will have access to the
network. Followi