Re: [87attendees] IETF wireless
Dan Harkins <dharkins@arubanetworks.com> Thu, 08 August 2013 16:06 UTC
Return-Path: <dharkins@arubanetworks.com>
X-Original-To: 87attendees@ietfa.amsl.com
Delivered-To: 87attendees@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DFBD21F995E for <87attendees@ietfa.amsl.com>; Thu, 8 Aug 2013 09:06:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[AWL=0.700, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z+NE6JuDHL9b for <87attendees@ietfa.amsl.com>; Thu, 8 Aug 2013 09:06:31 -0700 (PDT)
Received: from sjcbarracuda02.arubanetworks.com (sjcbarracuda02.arubanetworks.com [199.127.104.60]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9F321F8528 for <87attendees@ietf.org>; Thu, 8 Aug 2013 09:06:30 -0700 (PDT)
X-ASG-Debug-ID: 1375977980-03d13446518f9770001-zkFhpE
Received: from ALPINEMEADOWS.arubanetworks.com (alpinemeadows.arubanetworks.com [10.1.8.22]) by sjcbarracuda02.arubanetworks.com with ESMTP id kSnmc9WvfDjfaX0O (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO); Thu, 08 Aug 2013 09:06:20 -0700 (PDT)
X-Barracuda-Envelope-From: dharkins@arubanetworks.com
X-Barracuda-RBL-Trusted-Forwarder: 10.1.8.22
Received: from SQUAWVALLEY.arubanetworks.com ([fe80::7480:7ea2:60b2:c722]) by ALPINEMEADOWS.arubanetworks.com ([::1]) with mapi id 14.02.0283.003; Thu, 8 Aug 2013 09:06:20 -0700
From: Dan Harkins <dharkins@arubanetworks.com>
X-Barracuda-BWL-IP: fe80::7480:7ea2:60b2:c722
To: Stefan Winter <stefan.winter@restena.lu>, "chelliot@pobox.com" <chelliot@pobox.com>
Thread-Topic: [87attendees] IETF wireless
X-ASG-Orig-Subj: Re: [87attendees] IETF wireless
Thread-Index: AQHOkcFxby499SlDk0KR4H9R5sMCTJmG8uAAgAAU6oCABEJWgIAACq2AgABW8ICAAAawgP//zH2A
Date: Thu, 08 Aug 2013 16:06:19 +0000
Message-ID: <CE290E62.1F245%dharkins@arubanetworks.com>
In-Reply-To: <52038ABF.5010201@restena.lu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.1.8.202]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <DBE1CCFDD01DFC41ADA415E0A396F45A@arubanetworks.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Barracuda-Connect: alpinemeadows.arubanetworks.com[10.1.8.22]
X-Barracuda-Start-Time: 1375977980
X-Barracuda-Encrypted: AES128-SHA
X-Barracuda-URL: http://10.2.1.21:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at arubanetworks.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.138045 Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Cc: "87attendees@ietf.org" <87attendees@ietf.org>
Subject: Re: [87attendees] IETF wireless
X-BeenThere: 87attendees@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <87attendees.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/87attendees>, <mailto:87attendees-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/87attendees>
List-Post: <mailto:87attendees@ietf.org>
List-Help: <mailto:87attendees-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/87attendees>, <mailto:87attendees-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 16:06:36 -0000
On 8/8/13 5:10 AM, "Stefan Winter" <stefan.winter@restena.lu> wrote: >Hi, > >> The cert we are using for the IETF SSIDs authenticated via 802.1X (not >> including eduroam) is from the same CA that is providing the certs for >> the rest of the IETF (including web, email, dnssec, and more, I >> believe). This CA (Starfield Secure Certification Authority) is in most >> or all recent OSes and browsers root certificate store. Which means most >> 802.1X supplicants /can/ verify the server cert we supply. It's up to >> the user to not un-check the "Check server cert" box! Our thought was >> that that was sufficient. > >No! This is a common misconception. The "browser trust" and EAP trust >are different, and it is insignificant if the CA used is in the browser >trust store or not. > >It may save you the step of installing the PEM file itself, sure, but >the crucial part is that you need to be able to tell your EAP supplicant >on the device that the expected server cert comes from *exactly one* CA. > >Further to this, contrary to the web browser case, you need to manually >configure which server name to expect; in the browser, this is >explicitly input by the user in his URL bar - but no equivalent of that >exists for EAP. > >We have fought for years to get that into our Identity Providers' heads. >Our official eduroam documentation has an extensive section about all >the concepts and nits to consider: > >https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+con >siderations > >If you don't pin the exact CA *and* server name in config, you make >yourself susceptible to MitM attacks still: > >- if you trust all CAs in the "browser trust" store: the MitM gets >himself an arbitrary certificate from any CA in the trust store and uses >it for his fraudulent EAP server - your EAP supplicant would trust it, >even if it has nothing to do with your EAP server. > >- if you don't verify the name (but the exact CA): the MitM tries to >connect to the genuine network once, sees which CA is expected, goes to >the same CA and gets himself a certificate for an unrelated name (to >which he is entitled to by say having a corresponding domain name). He >sets up a fraudulent EAP server with that certificate - your EAP >supplicant will accept it even if he does the extra step of verifying >the CA. > >> However, we certainly can look into doing as you suggest and publishing >> more information. Of course, the page we post this to will probably also >> be verified by this same CA... ;-) > >That's the default CA bootstrap problem. You can put the CA's >fingerprint in a text file, and PGP-sign the file with IETF brass PGP >keys if you like :-) Trust stores... CA bootstrapping.... Maybe we should get some authentication scheme on the ietf.1x network that doesn't require using certificates. Maybe RFC 5931 :-) There's none of that "inner method" nonsense, no need to select a CA, no real identity versus anonymous identity issues. I certainly would not mind eating that brand of dog food. Dan. >In eduroam, we *require* IdPs to "publish all information needed to >uniquely identify the authentication server"; and we even have an >automated provisioning tool which sets up supplicants with all the >correct and secure settings - including the CA installation. > >It works everywhere except on Karen O'Donoghue's Mac. ;-) > >Greetings, > >Stefan Winter > >> >> Chris. >> >> >> On Thu, Aug 8, 2013 at 2:35 AM, Stefan Winter <stefan.winter@restena.lu >> <mailto:stefan.winter@restena.lu>> wrote: >> >> Hi, >> >> > Scary how many are using the unencrypted wifi. >> >> Don't only count the ietf.1x network. The IETF also provides >>eduroam, >> which is WPA2/AES with 802.1X and - sorry, NOC: actual server >> certificate verification, not a "don't verify ours, and we won't >>verify >> yours". >> >> The Max numbers in the NOC report are >> >> the 3 "secure" ones: 25+27+37 = 89 >> the two "edu" ones: 38 53 = 91 >> >> Which makes for a total of 180 max simultaneous encrypted >>connections. >> >> Sure, compared to approx. 700 on the open networks it's not so >>really >> great, but still quite a significant portion. >> >> > A suggestion for next IETF would be to call the 802.1x wifi >>"IETF" and >> > the open one "IETF_UNENCRYPTED". >> >> Without verifying the server cert of the 802.1x network, you may >>well >> talk to the network encryptedly, but the network might be a MitM >>who can >> decrypt and snoop out your traffic. >> >> The ietf.1x network is just not as good as it could be - maybe more >> people would be inclined to use it if it provides the extra benefit >>of >> being able to identify itself as *the genuine* IETF network. >>Neither the >> open network nor the ietf.1x currently do that. >> >> The fix would be surprisingly simple: in the Network Information >>page, >> actually *publish* the CA cert and its fingerprint that signs the >>auth >> server, and also publish the server's subject/subjectAltNames. This >> allows every user to check whether he's on the real thing when >> connecting. >> >> There are also provisioning tools that can install the CA certs and >>EAP >> settings onto client devices. It's not rocket science. >> >> Greetings, >> >> Stefan Winter >> >> >> >> >> -- >> Stefan WINTER >> Ingenieur de Recherche >> Fondation RESTENA - Réseau Téléinformatique de l'Education >>Nationale et >> de la Recherche >> 6, rue Richard Coudenhove-Kalergi >> L-1359 Luxembourg >> >> Tel: +352 424409 1 <tel:%2B352%20424409%201> >> Fax: +352 422473 <tel:%2B352%20422473> >> >> >> _______________________________________________ >> 87attendees mailing list >> 87attendees@ietf.org <mailto:87attendees@ietf.org> >> https://www.ietf.org/mailman/listinfo/87attendees >> >> >> >> >> -- >> Chris Elliott >> chelliot@pobox.com <mailto:chelliot@pobox.com> > > >-- >Stefan WINTER >Ingenieur de Recherche >Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et >de la Recherche >6, rue Richard Coudenhove-Kalergi >L-1359 Luxembourg > >Tel: +352 424409 1 >Fax: +352 422473 >
- [87attendees] IETF wireless Tim Chown
- Re: [87attendees] IETF wireless Ole Jacobsen
- Re: [87attendees] IETF wireless Warren Kumari
- Re: [87attendees] IETF wireless Tim Chown
- Re: [87attendees] IETF wireless Bob Hinden
- Re: [87attendees] IETF wireless Ray Pelletier
- Re: [87attendees] IETF wireless Mikael Abrahamsson
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Mikael Abrahamsson
- [87attendees] eduroam (Re: IETF wireless) Carsten Bormann
- Re: [87attendees] eduroam (Re: IETF wireless) grenville armitage
- Re: [87attendees] eduroam (Re: IETF wireless) Tim Chown
- Re: [87attendees] eduroam (Re: IETF wireless) Klaas Wierenga
- Re: [87attendees] eduroam (Re: IETF wireless) Chris Elliott
- Re: [87attendees] IETF wireless Chris Elliott
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Chris Elliott
- Re: [87attendees] IETF wireless Carsten Bormann
- Re: [87attendees] IETF wireless Keith Mitchell
- Re: [87attendees] IETF wireless Dan Harkins
- Re: [87attendees] eduroam (Re: IETF wireless) Andrey Lukyanenko
- Re: [87attendees] eduroam (Re: IETF wireless) Stefan Winter
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Stefan Winter
- Re: [87attendees] IETF wireless Jim Gettys
- Re: [87attendees] IETF wireless Chris Elliott
- Re: [87attendees] IETF wireless Jim Gettys
- Re: [87attendees] IETF wireless joel jaeggli
- Re: [87attendees] IETF wireless Jim Gettys
- Re: [87attendees] IETF wireless Mikael Abrahamsson
- Re: [87attendees] IETF wireless Dave Cottlehuber
- Re: [87attendees] IETF wireless joel jaeggli