IETF Logo Mail Archive

Re: [87attendees] IETF wireless

Dan Harkins <dharkins@arubanetworks.com> Thu, 08 August 2013 16:06 UTC

Return-Path: <dharkins@arubanetworks.com>
X-Original-To: 87attendees@ietfa.amsl.com
Delivered-To: 87attendees@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DFBD21F995E for <87attendees@ietfa.amsl.com>; Thu, 8 Aug 2013 09:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[AWL=0.700, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z+NE6JuDHL9b for <87attendees@ietfa.amsl.com>; Thu, 8 Aug 2013 09:06:31 -0700 (PDT)
Received: from sjcbarracuda02.arubanetworks.com (sjcbarracuda02.arubanetworks.com [199.127.104.60]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9F321F8528 for <87attendees@ietf.org>; Thu, 8 Aug 2013 09:06:30 -0700 (PDT)
X-ASG-Debug-ID: 1375977980-03d13446518f9770001-zkFhpE
Received: from ALPINEMEADOWS.arubanetworks.com (alpinemeadows.arubanetworks.com [10.1.8.22]) by sjcbarracuda02.arubanetworks.com with ESMTP id kSnmc9WvfDjfaX0O (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO); Thu, 08 Aug 2013 09:06:20 -0700 (PDT)
X-Barracuda-Envelope-From: dharkins@arubanetworks.com
X-Barracuda-RBL-Trusted-Forwarder: 10.1.8.22
Received: from SQUAWVALLEY.arubanetworks.com ([fe80::7480:7ea2:60b2:c722]) by ALPINEMEADOWS.arubanetworks.com ([::1]) with mapi id 14.02.0283.003; Thu, 8 Aug 2013 09:06:20 -0700
From: Dan Harkins <dharkins@arubanetworks.com>
X-Barracuda-BWL-IP: fe80::7480:7ea2:60b2:c722
To: Stefan Winter <stefan.winter@restena.lu>, "chelliot@pobox.com" <chelliot@pobox.com>
Thread-Topic: [87attendees] IETF wireless
X-ASG-Orig-Subj: Re: [87attendees] IETF wireless
Thread-Index: AQHOkcFxby499SlDk0KR4H9R5sMCTJmG8uAAgAAU6oCABEJWgIAACq2AgABW8ICAAAawgP//zH2A
Date: Thu, 08 Aug 2013 16:06:19 +0000
Message-ID: <CE290E62.1F245%dharkins@arubanetworks.com>
In-Reply-To: <52038ABF.5010201@restena.lu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.1.8.202]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <DBE1CCFDD01DFC41ADA415E0A396F45A@arubanetworks.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Barracuda-Connect: alpinemeadows.arubanetworks.com[10.1.8.22]
X-Barracuda-Start-Time: 1375977980
X-Barracuda-Encrypted: AES128-SHA
X-Barracuda-URL: http://10.2.1.21:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at arubanetworks.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.138045 Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Cc: "87attendees@ietf.org" <87attendees@ietf.org>
Subject: Re: [87attendees] IETF wireless
X-BeenThere: 87attendees@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <87attendees.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/87attendees>, <mailto:87attendees-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/87attendees>
List-Post: <mailto:87attendees@ietf.org>
List-Help: <mailto:87attendees-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/87attendees>, <mailto:87attendees-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 16:06:36 -0000

On 8/8/13 5:10 AM, "Stefan Winter" <stefan.winter@restena.lu> wrote:

>Hi,
>
>> The cert we are using for the IETF SSIDs authenticated via 802.1X (not
>> including eduroam) is from the same CA that is providing the certs for
>> the rest of the IETF (including web, email, dnssec, and more, I
>> believe). This CA (Starfield Secure Certification Authority) is in most
>> or all recent OSes and browsers root certificate store. Which means most
>> 802.1X supplicants /can/ verify the server cert we supply. It's up to
>> the user to not un-check the "Check server cert" box! Our thought was
>> that that was sufficient.
>
>No! This is a common misconception. The "browser trust" and EAP trust
>are different, and it is insignificant if the CA used is in the browser
>trust store or not.
>
>It may save you the step of installing the PEM file itself, sure, but
>the crucial part is that you need to be able to tell your EAP supplicant
>on the device that the expected server cert comes from *exactly one* CA.
>
>Further to this, contrary to the web browser case, you need to manually
>configure which server name to expect; in the browser, this is
>explicitly input by the user in his URL bar - but no equivalent of that
>exists for EAP.
>
>We have fought for years to get that into our Identity Providers' heads.
>Our official eduroam documentation has an extensive section about all
>the concepts and nits to consider:
>
>https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+con
>siderations
>
>If you don't pin the exact CA *and* server name in config, you make
>yourself susceptible to MitM attacks still:
>
>- if you trust all CAs in the "browser trust" store: the MitM gets
>himself an arbitrary certificate from any CA in the trust store and uses
>it for his fraudulent EAP server - your EAP supplicant would trust it,
>even if it has nothing to do with your EAP server.
>
>- if you don't verify the name (but the exact CA): the MitM tries to
>connect to the genuine network once, sees which CA is expected, goes to
>the same CA and gets himself a certificate for an unrelated name (to
>which he is entitled to by say having a corresponding domain name). He
>sets up a fraudulent EAP server with that certificate - your EAP
>supplicant will accept it even if he does the extra step of verifying
>the CA.
>
>> However, we certainly can look into doing as you suggest and publishing
>> more information. Of course, the page we post this to will probably also
>> be verified by this same CA... ;-)
>
>That's the default CA bootstrap problem. You can put the CA's
>fingerprint in a text file, and PGP-sign the file with IETF brass PGP
>keys if you like :-)

  Trust stores... CA bootstrapping.... Maybe we should get some
authentication scheme on the ietf.1x network that doesn't require using
certificates. Maybe RFC 5931 :-) There's none of that "inner method"
nonsense, no need to select a CA, no real identity versus anonymous
identity issues.

  I certainly would not mind eating that brand of dog food.

  Dan.

>In eduroam, we *require* IdPs to "publish all information needed to
>uniquely identify the authentication server"; and we even have an
>automated provisioning tool which sets up supplicants with all the
>correct and secure settings - including the CA installation.
>
>It works everywhere except on Karen O'Donoghue's Mac. ;-)
>
>Greetings,
>
>Stefan Winter
>
>> 
>> Chris.
>> 
>> 
>> On Thu, Aug 8, 2013 at 2:35 AM, Stefan Winter <stefan.winter@restena.lu
>> <mailto:stefan.winter@restena.lu>> wrote:
>> 
>>     Hi,
>> 
>>     > Scary how many are using the unencrypted wifi.
>> 
>>     Don't only count the ietf.1x network. The IETF also provides
>>eduroam,
>>     which is WPA2/AES with 802.1X and - sorry, NOC: actual server
>>     certificate verification, not a "don't verify ours, and we won't
>>verify
>>     yours".
>> 
>>     The Max numbers in the NOC report are
>> 
>>     the 3 "secure" ones: 25+27+37 = 89
>>     the two "edu" ones: 38 53 = 91
>> 
>>     Which makes for a total of 180 max simultaneous encrypted
>>connections.
>> 
>>     Sure, compared to approx. 700 on the open networks it's not so
>>really
>>     great, but still quite a significant portion.
>> 
>>     > A suggestion for next IETF would be to call the 802.1x wifi
>>"IETF" and
>>     > the open one "IETF_UNENCRYPTED".
>> 
>>     Without verifying the server cert of the 802.1x network, you may
>>well
>>     talk to the network encryptedly, but the network might be a MitM
>>who can
>>     decrypt and snoop out your traffic.
>> 
>>     The ietf.1x network is just not as good as it could be - maybe more
>>     people would be inclined to use it if it provides the extra benefit
>>of
>>     being able to identify itself as *the genuine* IETF network.
>>Neither the
>>     open network nor the ietf.1x currently do that.
>> 
>>     The fix would be surprisingly simple: in the Network Information
>>page,
>>     actually *publish* the CA cert and its fingerprint that signs the
>>auth
>>     server, and also publish the server's subject/subjectAltNames. This
>>     allows every user to check whether he's on the real thing when
>>     connecting.
>> 
>>     There are also provisioning tools that can install the CA certs and
>>EAP
>>     settings onto client devices. It's not rocket science.
>> 
>>     Greetings,
>> 
>>     Stefan Winter
>> 
>> 
>> 
>> 
>>     --
>>     Stefan WINTER
>>     Ingenieur de Recherche
>>     Fondation RESTENA - Réseau Téléinformatique de l'Education
>>Nationale et
>>     de la Recherche
>>     6, rue Richard Coudenhove-Kalergi
>>     L-1359 Luxembourg
>> 
>>     Tel: +352 424409 1 <tel:%2B352%20424409%201>
>>     Fax: +352 422473 <tel:%2B352%20422473>
>> 
>> 
>>     _______________________________________________
>>     87attendees mailing list
>>     87attendees@ietf.org <mailto:87attendees@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/87attendees
>> 
>> 
>> 
>> 
>> -- 
>> Chris Elliott
>> chelliot@pobox.com <mailto:chelliot@pobox.com>
>
>
>-- 
>Stefan WINTER
>Ingenieur de Recherche
>Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>de la Recherche
>6, rue Richard Coudenhove-Kalergi
>L-1359 Luxembourg
>
>Tel: +352 424409 1
>Fax: +352 422473
>

v2.23.0 | Report a Bug | By Email