Re: [93attendees] "ietf - The wireless network appears to have been compromised and will be disabled for about a minute."

"Henderickx, Wim (Wim)" <wim.henderickx@alcatel-lucent.com> Mon, 20 July 2015 12:37 UTC

Works for me now, stable for about 15 min :-)

From: 93attendees on behalf of Chris Elliott
Reply-To: chelliot@pobox.com
Date: Monday 20 July 2015 14:20
To: Yoav Nir
Cc: Aaron Falk, Simon Perreault, Ross Finlayson, 93attendees@ietf.org
Subject: Re: [93attendees] "ietf - The wireless network appears to have been compromised and will be disabled for about a minute."

All,

We've modified the wireless config so that this issue should not reoccur. Please let us know if you see it again.

We continue to monitor our logs, as we saw the issue first there at 10:50am today. I finished configuring the APs at 1:44pm and haven't seen it since. We don't believe that this problem can happen again, despite possible misbehaving clients.

A few details, summarized from my memory. Feel free to correct if you feel inclined!

Wifi can use several different encryption methods--WEP, TKIP, and AES. We stopped using WEP many years ago. However, the first version of WPA modified WEP to add a temporal key and a MIC to check if the packet had been modified in flight. This protocol included draconian measures if the access point detected an incorrect MIC, as the thought was that TKIP was weak and there needed to be strong measures to prevent repeated attacks that might reveal the key. It turned out that the standards organization underestimated the strength of TKIP, so these draconian measures weren't really necessary.

We have had a feature enabled on our APs that should avoid any packet corruption from triggering said draconian measures. However, for the first time in several years, we're once again seeing the APs reacting badly. While we don't know for sure why the APs are doing this, we did determine that few to none of our attendees are using TKIP. Therefore we have now disabled TKIP throughout the IETF network and all encrypted networks are WPA2/AES only. This seems to have mitigated the issue.

We continue to monitor the network to determine if there are any other effects of whatever caused this problem.

As usual, feel free to open a ticket with the NOC if you have any issues on the IETF network.

Enjoy!
Chris.

On Mon, Jul 20, 2015 at 1:59 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> On Jul 20, 2015, at 1:50 PM, Simon Perreault <sperreault@jive.com> wrote:
>
> Le 2015-07-20 13:41, Aaron Falk a écrit :
>> Already a ticket on this.  See https://tickets.meeting.ietf.org/ticket/951.
>
> https://tickets.meeting.ietf.org/ticket/950
>
> Do I win? ;)

Not quite:
  https://tickets.meeting.ietf.org/ticket/949
  https://tickets.meeting.ietf.org/ticket/948
  https://tickets.meeting.ietf.org/ticket/947
  https://tickets.meeting.ietf.org/ticket/946
  https://tickets.meeting.ietf.org/ticket/945 (probably, Does Brian use a Mac?)
  https://tickets.meeting.ietf.org/ticket/944
  https://tickets.meeting.ietf.org/ticket/943 (probably)


--
Chris Elliott
chelliot@pobox.com
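
An added example, not part of the original thread: a sketch of how the TKIP countermeasures described in Chris's message can be recognised in AP logs. It assumes the IEEE 802.11 rule that a second Michael MIC failure within 60 seconds makes an AP refuse TKIP for 60 seconds; the log format, AP names and sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed from IEEE 802.11 TKIP countermeasures: a second Michael MIC failure
# within 60 s of the previous one makes the AP drop its TKIP associations and
# refuse TKIP for 60 s.
WINDOW = timedelta(seconds=60)
HOLDDOWN = timedelta(seconds=60)

# Constructed sample log; the line format and AP names are hypothetical.
SAMPLE_LOG = """\
2015-07-20T10:49:10 ap-101 MIC_FAILURE sta=02:00:00:00:00:01
2015-07-20T10:50:05 ap-101 MIC_FAILURE sta=02:00:00:00:00:01
2015-07-20T10:50:20 ap-101 MIC_FAILURE sta=02:00:00:00:00:02
2015-07-20T10:52:00 ap-102 MIC_FAILURE sta=02:00:00:00:00:03
2015-07-20T10:55:30 ap-102 MIC_FAILURE sta=02:00:00:00:00:03
"""

def parse(log):
    """Yield (timestamp, ap) for each MIC failure line, ignoring other events."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "MIC_FAILURE":
            yield datetime.fromisoformat(fields[0]), fields[1]

def countermeasure_windows(log):
    """Return {ap: [(start, end), ...]} of periods in which TKIP was refused."""
    last_failure = {}   # ap -> time of the most recent counted failure
    blocked_until = {}  # ap -> end of the current hold-down
    outages = {}
    for ts, ap in sorted(parse(log)):
        if ts < blocked_until.get(ap, datetime.min):
            continue  # TKIP already disabled on this AP; nothing new to count
        prev = last_failure.get(ap)
        if prev is not None and ts - prev <= WINDOW:
            blocked_until[ap] = ts + HOLDDOWN
            outages.setdefault(ap, []).append((ts, ts + HOLDDOWN))
            last_failure.pop(ap)  # counting starts fresh after the hold-down
        else:
            last_failure[ap] = ts
    return outages

if __name__ == "__main__":
    for ap, spans in countermeasure_windows(SAMPLE_LOG).items():
        for start, end in spans:
            print(f"{ap}: TKIP refused {start.time()} -> {end.time()}")
```

Failures are counted per AP regardless of which station sent the frame, which is why a single misbehaving client can take TKIP away from everyone on that AP, and why a WPA2/AES-only network never enters this state.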