IETF Logo Mail Archive

Re: Admission Control to the IETF 78 and IETF 79 Networks

Phillip Hallam-Baker <hallam@gmail.com> Mon, 12 July 2010 18:35 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 778C73A69C8 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 11:35:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.124
X-Spam-Level:
X-Spam-Status: No, score=-1.124 tagged_above=-999 required=5 tests=[AWL=1.475, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sA-awMNpYXs0 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 11:35:27 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 19D493A69BB for <ietf@ietf.org>; Mon, 12 Jul 2010 11:35:27 -0700 (PDT)
Received: by iwn38 with SMTP id 38so5141888iwn.31 for <ietf@ietf.org>; Mon, 12 Jul 2010 11:35:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=yPBUfUGZb5rP4vv5nsnHFkB+NVSU+Suw8704e2T4/pg=; b=FJO9aP2Y6vgbb6kh2YvavG/rBVPQ+tCXO3f/ZKAT/dnriSFUGNFKAyE7EWGFHVAqXW O5m71G1CMYO5mqdtxJ9u2zuBs3gSq4Cx8djgfgMEzZsHKnyQ37MNzOhDeRNPAnBPFG8e jXgSbkov3yMmaM5hue7yTASx5UXvX1Tka5IEc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=AIAhXR7Hqy2AkgCjeJGzIBQ2fdIDxHQjyjCNziCqUGeAA+gPefIm5C7TT1xm/vMNTd UpHTvvnotyqLPxTjzAMF7Qp53ydtLNwdjOyIihoY5ovqtMFSa+gstlHaAyMCJ0T9M69J g04bVYRURmTL58VYFmUUSHga6ZSTqQbZWhL0Y=
MIME-Version: 1.0
Received: by 10.231.146.141 with SMTP id h13mr15724477ibv.1.1278959734909; Mon, 12 Jul 2010 11:35:34 -0700 (PDT)
Received: by 10.231.32.8 with HTTP; Mon, 12 Jul 2010 11:35:34 -0700 (PDT)
In-Reply-To: <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org> <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com> <AANLkTil0YIS9H-vYxIJJS_OC7tAlcCLQQycskFcLE71V@mail.gmail.com> <AANLkTilVAn3j-iXbdytu9en-OWAjlCFQSyQy1jiY1Zq1@mail.gmail.com> <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com>
Date: Mon, 12 Jul 2010 14:35:34 -0400
Message-ID: <AANLkTinqiZaI-g042rVX0veLSpsVho0smH3XMkg6E7d_@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Phillip Hallam-Baker <hallam@gmail.com>
To: chelliot@pobox.com
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Tue, 13 Jul 2010 08:33:23 -0700
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, tytso@mit.edu, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 18:35:28 -0000

Well maybe if you read the full thread rather than just cherry picking
parts of it you would have understood the point better.

My original argument was that I think the IETF should eat the WiFi
authentication dog-food here because the current product tastes like
poo and the only way things are going to get any better is if a bunch
of network engineers start to see that there is a real problem.


I have also proposed a scheme that would be applicable for use at the
IETF. Basically the shortest distance from where we are to where we
want to be is to use self signed certs and use the fingerprint of the
cert as a unique device ID. But that is only addressing the specifics
of how to make the scheme work at IETF, which is really not very
interesting in the grand scheme of things. What is more interesting
would be a scheme that can be relied on to work anywhere without half
an hour of fiddling and jiggering the configuration - as will be the
Maastricht/Beijing experience.

The first year they started doing this at RSA the help desk had a
pretty long queue and much time was spend debugging crappy code. The
basic experience being that Macs work fine, Windows works fine with
native drivers. But corporate configuration laptops with device
drivers written by the WiFi card provider and/or VPN products were
massively flaky..


On Mon, Jul 12, 2010 at 1:53 PM, Chris Elliott <chelliot@pobox.com> wrote:
> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@gmail.com>
> wrote:
>>
>> No, if you read my book you would see the scheme I am proposing.
>
>
> I hope your book is rather less opaque than your attempts to explain your
> technique here.
>>
>> The problem with current MAC addresses is that they are not
>> trustworthy. That is accepted. If MAC addresses were not trivially
>> forged then the existing WiFi scheme would work fine.
>>
>> What I am saying is that if people got really serious about usability
>> and in particular the WiFi design had been controlled by a Steve Jobs
>> style person who demanded an absolute commitment to a first class
>> usability approach, then we could have a scheme that did not require
>> end-user configuration.
>>
>> Instead every device would have been issued with a device cert to bind
>> the MAC address to a public key during manufacture. This is already a
>> requirement for cable modems. The cost is of the order of cents per
>> device if the certs are installed during manufacture. Maintenance
>> costs get much higher as soon as the device has left the factory.
>>
>> The function of the certificate is to stop the MAC address being
>> trivially forged. OK yes, if you design the protocols wrong then you
>> can end up with Cisco being able to intercept on the wire traffic. But
>> if you do the job right you can prevent interception even if the
>> manufacturer defects.
>
> I thought we were talking about how to do this for the meeting in Maastricht
> and then in Beijing. I agree that manufacturers could make this easier for
> all of us. But some of us live in the real world and must make things work
> today.
> I'd be glad to listen to an explanation of how to make this work with the
> current devices that IETF attendees will be bringing to Maastricht and
> Beijing.
> Chris.
>
>>
>> And as for my waist - yes there does seem to be rather more of it than
>> there should be, but I don't think that is Dogbert's fault. I blame
>> the cookies at IETF break time.
>>
>>
>> On Mon, Jul 12, 2010 at 11:56 AM, Chris Elliott <chelliot@pobox.com>
>> wrote:
>> > Phillip,
>> > In your earlier email, you state:
>> >>
>> >> If the designers had actual brains instead of bits of liver strapped
>> >> round their waist by dogbert then all that would be necessary to
>> >> securely authenticate to the network is to give either the MAC address
>> >> of the computer or the fingerprint of the cert.
>> >
>> > Note that you say "either". Now you state:
>> >>
>> >> Of course the MAC address is trivially forged. That is the function of
>> >> the certificate.
>> >
>> > Maybe you should check your waist.
>> > Chris.
>> >
>> > --
>> > Chris Elliott
>> > chelliot@pobox.com
>>
>> --
>> Website: http://hallambaker.com/
>
>
>
> --
> Chris Elliott
> chelliot@pobox.com
> CCIE # 2013



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email