Re: Security for the IETF wireless network

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 01 August 2014 13:01 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: ietf@ietf.org
Subject: Re: Security for the IETF wireless network
In-reply-to: <53D25758.2090808@restena.lu>
References: <0FE63216-9BE8-450F-80FB-D1DB6166DFEF@ietf.org> <53D17359.2030505@gmail.com> <53D25758.2090808@restena.lu>
Comments: In-reply-to Stefan Winter <stefan.winter@restena.lu> message dated "Fri, 25 Jul 2014 15:10:48 +0200."
Date: Fri, 01 Aug 2014 02:45:07 -0400
Message-ID: <18820.1406875507@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/1AwJr1DEvtsthJSUS1Esjtx_KTQ

Stefan Winter <stefan.winter@restena.lu> wrote:
    >> The server "services.meeting.ietf.org" presented a valid certificate
    >> issued by "Starfield Class 2 Certification Authority", but "Starfield
    >> Class 2 Certification Authority" is not configured as a valid trust
    >> anchor for this profile. Further, the server
    >> "services.meeting.ietf.org" is not configured as a valid NPS server to
    >> connect to for this profile.

    > Sure. That's because you should never "just connect" to an IEEE 802.1X
    > network. You configure the security properties you expect *first* (i.e.
    > install/mark as trusted the CA, the expected server name, the EAP types
    > that are supposed to be supported on this network, an anonymous outer
    > identity if you like/need) - and *then* you actually connect, and see
    > if the server you arrived at is the one you expect.

Yeah, it's all for naught in my opinion.
That's way too hard, and I'm a security geek.
First hop layer-2 security gets me nothing in my opinion.
How does it bind my layer-2 endpoint to my layer-3 endpoint?

I'd rather spend our cycles making SEND deployed than continuing along this
thread.

-- 
Michael Richardson
-on the road-
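To make the "configure first, then connect" procedure in Stefan's quoted paragraph concrete, here is an added example (not from the thread or from the IETF NOC) in wpa_supplicant.conf syntax, showing a "just connect" network block beside one that pins the trust anchor, server name, EAP type and an anonymous outer identity. The SSID, identity, password and CA file path are constructed placeholders; the server name and issuing CA are the ones named in the quoted error message.

```conf
# Added example, not the thread's own configuration.
# SSID, identity, password and the CA file path are constructed;
# "services.meeting.ietf.org" and "Starfield Class 2" come from the
# error message quoted above.

# Weak: "just connect". No trust anchor and no server-name constraint,
# so the supplicant will complete TLS with any RADIUS server presenting
# any certificate and then run MSCHAPv2 (the inner credentials) inside
# that tunnel.
network={
    ssid="ietf-example"                 # constructed
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice@example.org"        # constructed
    password="hunter2"                  # constructed
}

# Hardened: state the expected security properties first, then connect.
network={
    ssid="ietf-example"                 # constructed
    key_mgmt=WPA-EAP
    eap=PEAP                            # only the EAP type this network is meant to offer
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.org"   # outer identity; real one only inside TLS
    identity="alice@example.org"        # constructed
    password="hunter2"                  # constructed
    ca_cert="/etc/ssl/certs/starfield-class2.pem" # assumed path to the Starfield Class 2 root
    domain_match="services.meeting.ietf.org"      # server certificate must be for exactly this name
}
```

With `ca_cert` and `domain_match` set, a server whose certificate chains to a different CA or carries a different name fails TLS validation and the inner MSCHAPv2 exchange never starts, which is the same check the Windows profile error quoted above is performing.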