Re: [87attendees] IETF wireless
Chris Elliott <chelliot@pobox.com> Thu, 08 August 2013 12:44 UTC
Return-Path: <chelliot@gmail.com>
X-Original-To: 87attendees@ietfa.amsl.com
Delivered-To: 87attendees@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 311F821E80AE for <87attendees@ietfa.amsl.com>; Thu, 8 Aug 2013 05:44:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HI4xFkR9mDqR for <87attendees@ietfa.amsl.com>; Thu, 8 Aug 2013 05:44:21 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id DDDB521E80A5 for <87attendees@ietf.org>; Thu, 8 Aug 2013 05:44:18 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id ev20so2042892lab.36 for <87attendees@ietf.org>; Thu, 08 Aug 2013 05:44:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:sender:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=hgtYTkzReGMHV6IDDUjqFs5AKoPS5AJ+gSks/28aZ3Y=; b=vAzgV57VtF0IleMgOUvhWOKyAY9LPva0KMwp6AAIBPSVCmH7TZHBtH4AE630RgNuz0 pUME1PX1Mh644U4+qKICKM1giy6gcU+ioNnKE63i24IGOMe6RVVHI8sgAAw5savZ64Ea HC7Trtwebsp+MOnBZQleHyogrTeCVtQZ2lBSLZdp6VwiGhzKETbik5b+qeWx+9fCs78v Px8H8oaysBTmhEjPW6PZcpK0CA1nuXw4Ypt+1WBdMJ8B2yizTR3RR2acc+HDbcIzpXiX cTTSel/RqRzpa6hzk/lG7uQIES2629JC6qWpp8meiFXU5X1LMKyzP+OVnmQgxSRbgJBy IBiQ==
MIME-Version: 1.0
X-Received: by 10.112.57.49 with SMTP id f17mr2353791lbq.26.1375965857721; Thu, 08 Aug 2013 05:44:17 -0700 (PDT)
Sender: chelliot@gmail.com
Received: by 10.114.3.44 with HTTP; Thu, 8 Aug 2013 05:44:17 -0700 (PDT)
In-Reply-To: <52038ABF.5010201@restena.lu>
References: <767558DB-5546-4361-862E-0342F02AD435@ecs.soton.ac.uk> <EMEW3|a98bd69aea4959b1596d153ba8019962p74AmS03tjc|ecs.soton.ac.uk|767558DB-5546-4361-862E-0342F02AD435@ecs.soton.ac.uk> <alpine.OSX.2.01.1308050439080.146@173-11-110-132-sfba.hfc.comcastbusiness.net> <EB27A179-6515-43BE-B17B-2B853791788E@kumari.net> <alpine.DEB.2.02.1308080755220.5289@uplift.swm.pp.se> <52033C35.8060707@restena.lu> <CAO_RpcLxTeFvXBNvTJn3Hw0jFDKUzymod7_Siy9V7FseKYUT=g@mail.gmail.com> <52038ABF.5010201@restena.lu>
Date: Thu, 08 Aug 2013 08:44:17 -0400
X-Google-Sender-Auth: -0y4imvrNSPxgR0UmOJh0Ujpqnw
Message-ID: <CAO_RpcJY+e8JXB3t2-rQGVcUzYAYrZGKFx4VkRMacX_+hsWbLQ@mail.gmail.com>
From: Chris Elliott <chelliot@pobox.com>
To: Stefan Winter <stefan.winter@restena.lu>
Content-Type: multipart/alternative; boundary="001a1133eaca2c33f604e36f04b0"
Cc: "87attendees@ietf.org" <87attendees@ietf.org>
Subject: Re: [87attendees] IETF wireless
X-BeenThere: 87attendees@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: chelliot@pobox.com
List-Id: <87attendees.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/87attendees>, <mailto:87attendees-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/87attendees>
List-Post: <mailto:87attendees@ietf.org>
List-Help: <mailto:87attendees-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/87attendees>, <mailto:87attendees-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 12:44:22 -0000
Stefan, Thanks for your feedback. Note that we have little control over attendee's client configs, unlike universities or companies. However, we can certainly provide more information and automated tools like the eduroam community does. As none of us are as expert in this field, doing it part time three times a year on a volunteer basis, we may need further expert advise. The eduroam docs are great, but if we need more we'll contact you. We'll follow up with you on this once the VMs are spun up at their between meetings home and I'm back from vacation--early to mid September. Chris. On Thursday, August 8, 2013, Stefan Winter wrote: > Hi, > > > The cert we are using for the IETF SSIDs authenticated via 802.1X (not > > including eduroam) is from the same CA that is providing the certs for > > the rest of the IETF (including web, email, dnssec, and more, I > > believe). This CA (Starfield Secure Certification Authority) is in most > > or all recent OSes and browsers root certificate store. Which means most > > 802.1X supplicants /can/ verify the server cert we supply. It's up to > > the user to not un-check the "Check server cert" box! Our thought was > > that that was sufficient. > > No! This is a common misconception. The "browser trust" and EAP trust > are different, and it is insignificant if the CA used is in the browser > trust store or not. > > It may save you the step of installing the PEM file itself, sure, but > the crucial part is that you need to be able to tell your EAP supplicant > on the device that the expected server cert comes from *exactly one* CA. > > Further to this, contrary to the web browser case, you need to manually > configure which server name to expect; in the browser, this is > explicitly input by the user in his URL bar - but no equivalent of that > exists for EAP. > > We have fought for years to get that into our Identity Providers' heads. > Our official eduroam documentation has an extensive section about all > the concepts and nits to consider: > > > https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations > > If you don't pin the exact CA *and* server name in config, you make > yourself susceptible to MitM attacks still: > > - if you trust all CAs in the "browser trust" store: the MitM gets > himself an arbitrary certificate from any CA in the trust store and uses > it for his fraudulent EAP server - your EAP supplicant would trust it, > even if it has nothing to do with your EAP server. > > - if you don't verify the name (but the exact CA): the MitM tries to > connect to the genuine network once, sees which CA is expected, goes to > the same CA and gets himself a certificate for an unrelated name (to > which he is entitled to by say having a corresponding domain name). He > sets up a fraudulent EAP server with that certificate - your EAP > supplicant will accept it even if he does the extra step of verifying > the CA. > > > However, we certainly can look into doing as you suggest and publishing > > more information. Of course, the page we post this to will probably also > > be verified by this same CA... ;-) > > That's the default CA bootstrap problem. You can put the CA's > fingerprint in a text file, and PGP-sign the file with IETF brass PGP > keys if you like :-) > > In eduroam, we *require* IdPs to "publish all information needed to > uniquely identify the authentication server"; and we even have an > automated provisioning tool which sets up supplicants with all the > correct and secure settings - including the CA installation. > > It works everywhere except on Karen O'Donoghue's Mac. ;-) > > Greetings, > > Stefan Winter > > > > > Chris. > > > > > > On Thu, Aug 8, 2013 at 2:35 AM, Stefan Winter <stefan.winter@restena.lu<javascript:;> > > <mailto:stefan.winter@restena.lu <javascript:;>>> wrote: > > > > Hi, > > > > > Scary how many are using the unencrypted wifi. > > > > Don't only count the ietf.1x network. The IETF also provides eduroam, > > which is WPA2/AES with 802.1X and - sorry, NOC: actual server > > certificate verification, not a "don't verify ours, and we won't > verify > > yours". > > > > The Max numbers in the NOC report are > > > > the 3 "secure" ones: 25+27+37 = 89 > > the two "edu" ones: 38 53 = 91 > > > > Which makes for a total of 180 max simultaneous encrypted > connections. > > > > Sure, compared to approx. 700 on the open networks it's not so really > > great, but still quite a significant portion. > > > > > A suggestion for next IETF would be to call the 802.1x wifi "IETF" > and > > > the open one "IETF_UNENCRYPTED". > > > > Without verifying the server cert of the 802.1x network, you may well > > talk to the network encryptedly, but the network might be a MitM who > can > > decrypt and snoop out your traffic. > > > > The ietf.1x network is just not as good as it could be - maybe more > > people would be inclined to use it if it provides the extra benefit > of > > being able to identify itself as *the genuine* IETF network. Neither > the > > open network nor the ietf.1x currently do that. > > > > The fix would be surprisingly simple: in the Network Information > page, > > actually *publish* the CA cert and its fingerprint that signs the > auth > > server, and also publish the server's subject/subjectAltNames. This > > allows every user to check whether he's on the real thing when > > connecting. > > > > There are also provisioning tools that can install the CA certs and > EAP > > settings onto client devices. It's not rocket science. > > > > Greetings, > > > > Stefan Winter > > > > > > > > > > -- > > Stefan WINTER > > Ingenieur de Recherche > > Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale > et > > de la Recherche > > 6, rue Richard Coudenhove-Kalergi > > L-1359 Luxembourg > > > > Tel: +352 424409 1 <tel:%2B352%20424409%201> > > Fax: +352 422473 <tel:%2B352%20422473> > > > > > > _______________________________________________ > > 87attendees mailing list > > 87attendees@ietf.org <javascript:;> <mailto:87attendees@ietf.org<javascript:;> > > > > https://www.ietf.org/mailman/listinfo/87attendees > > > > > > > > > > -- > > Chris Elliott > > chelliot@pobox.com <javascript:;> <mailto:chelliot@pobox.com<javascript:;> > > > > > -- > Stefan WINTER > Ingenieur de Recherche > Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et > de la Recherche > 6, rue Richard Coudenhove-Kalergi > L-1359 Luxembourg > > Tel: +352 424409 1 > Fax: +352 422473 > > -- Chris Elliott chelliot@pobox.com
- [87attendees] IETF wireless Tim Chown
- Re: [87attendees] IETF wireless Ole Jacobsen
- Re: [87attendees] IETF wireless Warren Kumari
- Re: [87attendees] IETF wireless Tim Chown
- Re: [87attendees] IETF wireless Bob Hinden
- Re: [87attendees] IETF wireless Ray Pelletier
- Re: [87attendees] IETF wireless Mikael Abrahamsson
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Mikael Abrahamsson
- [87attendees] eduroam (Re: IETF wireless) Carsten Bormann
- Re: [87attendees] eduroam (Re: IETF wireless) grenville armitage
- Re: [87attendees] eduroam (Re: IETF wireless) Tim Chown
- Re: [87attendees] eduroam (Re: IETF wireless) Klaas Wierenga
- Re: [87attendees] eduroam (Re: IETF wireless) Chris Elliott
- Re: [87attendees] IETF wireless Chris Elliott
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Chris Elliott
- Re: [87attendees] IETF wireless Carsten Bormann
- Re: [87attendees] IETF wireless Keith Mitchell
- Re: [87attendees] IETF wireless Dan Harkins
- Re: [87attendees] eduroam (Re: IETF wireless) Andrey Lukyanenko
- Re: [87attendees] eduroam (Re: IETF wireless) Stefan Winter
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Jim Gettys
- Re: [87attendees] IETF wireless Chris Elliott
- Re: [87attendees] IETF wireless Jim Gettys
- Re: [87attendees] IETF wireless joel jaeggli
- Re: [87attendees] IETF wireless Jim Gettys
- Re: [87attendees] IETF wireless Mikael Abrahamsson
- Re: [87attendees] IETF wireless Dave Cottlehuber
- Re: [87attendees] IETF wireless joel jaeggli