[78all] Admission Control to the IETF 78 and IETF 79 Networks

[IETF Chair <chair@ietf.org>]

I am writing to let you know about a change in the IETF meeting network.
At IETF 79 in Beijing, the IETF network will be connected to the open
Internet with absolutely no filtering.  However, we have agreed with our
hosts that only IETF meeting participants will have access to the
network.  Following sound engineering practices, we will deploy
admission control mechanisms as part of the IETF 78 meeting network in
Maastricht to ensure that they are working properly before they are
mission critical.

I am writing to let you know what to expect in both Maastricht and Beijing.


ADMISSION CONTROL CREDENTIALS

To gain access to the IETF network, you will need to provide a
credential. Your primary credential will be your registration ID.  You
can find your registration ID on the registration web page, in the
response email confirmation you received from the Secretariat, on your
payment receipt, and on the back of your IETF meeting badge.  Your
Registration ID will be your user name, and it will be used with a
password that will be provided at a later date.  This same password will
be used by all attendees.

We recognize that IETF 78 registration IDs are very easy to guess.  We
expect to use less easily guessed registration IDs for IETF 79.

If for any reason you are uncomfortable using your Registration ID,
there will be a supply of completely anonymous Registration ID/Password
pairs on slips of paper available at the help desk and registration
desk.  You will be asked to show an IETF meeting badge to ensure that
slips are only provided to registered meeting attendees.

Each set of credentials will allow up to three separate MAC addresses on
the network, allowing attendees to use the same credential for their
laptop, phone, or other devices.  The limit is to prevent the leak of a
single credential from undermining the entire system.


GAINING ACCESS TO THE NETWORK

The primary mechanism to gain access to the wireless network will be
either the "ietf.1x" or "ietf-a.1x" SSID.  These will be configured with
WPA1 and WPA2 Enterprise.  You simply provide your credentials to your
supplicant software for authentication to the network.  I personally
encourage you to use WPA2 over WPA1 if your software and hardware
support both.

If your software does not support WPA Enterprise, you can use the
captive portal.  To use this portal, associate with either the
"ietf-portal" or "ietf-a-portal" SSID.  Upon initial connection,
Internet connectivity will be blocked.  Simply open a browser and go to
any web site, just like many hotel networks, and you will be redirected
to a portal page where you can enter your credentials.  Once the
credentials are validated, your MAC address will have unrestricted
access to the network for some period of time.  The portal page will
also have links to the internal wiki page with helpful information as
well as a way to create trouble tickets prior to authentication.

If your small devices does not support WPA Enterprise and does not have
a browser, then you will be able to visit the help desk and register the
device MAC address for access to the network.  If you need to register
your device, please know the MAC address of your device before you show
up at the help desk.


FALLBACK PLAN

Implementing this plan at IETF 78 in Maastricht is important, but
obviously not without risk.  The IEEE 802.1X-based access mechanisms
have been well tested at previous meetings, and this mechanism is not
likely to be a source of trouble.  The captive portal, however, is a
greater unknown.  Please use the WPA SSIDs if at all possible to reduce
the load on the portal machines.  If the portals do experience problems,
the NOC team will implement a backup plan.  The backup plan will only be
used as a last resort as the backup plan will not be an option at IETF
79 in Beijing.


Safe Travel and Best Wishes,
  Russ Housley
  IETF Chair