Re: Admission Control to the IETF 78 and IETF 79 Networks

Chris Elliott <chelliot@pobox.com> Tue, 06 July 2010 19:12 UTC

Sender: chelliot@gmail.com
In-Reply-To: <AANLkTim4y4Q0eJeLU6VDtkl0yAESUpzklwyaqTDUv7bO@mail.gmail.com>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org> <AANLkTim4y4Q0eJeLU6VDtkl0yAESUpzklwyaqTDUv7bO@mail.gmail.com>
Date: Tue, 06 Jul 2010 15:12:25 -0400
Message-ID: <AANLkTilyRmis4UI0EH7bZbF31UQcZDYwA0G4PGk_oX1K@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Chris Elliott <chelliot@pobox.com>
To: Mark Atwood <mra@pobox.com>
Content-Type: multipart/alternative; boundary="000e0cd2588270953c048abcd53e"
Cc: Phillip Hallam-Baker <hallam@gmail.com>, Iljitsch van Beijnum <iljitsch@muada.com>, tytso@mit.edu, IETF Discussion <ietf@ietf.org>
Reply-To: chelliot@pobox.com

On Tue, Jul 6, 2010 at 2:37 PM, Mark Atwood <mra@pobox.com> wrote:

> > As far as using certificates --- sure, it's possible to set up EAP-TLS
> > using client certificates.  It can be done on Mac, Windows, and Linux.
> > But the setup of that across multiple operating systems and getting
> > users to correctly set up their certificates, sending a CA signing
> > request securely to a central system, configuring their client WiFi
> > system to deal with EAP-TLS, etc., is a usability nightmare.
>
> That is sadly true.  However, it would still be a good idea to do at
> the IETF gathering, *because* it is currently a usability nightmare.
> There is not enough both real world experience, and exposure of IETF
> participant attendees to actual "tip of the spear" usability of
> interesting use cases like this.
>
> If lots of smart and networking aware people all get the chance to do
> this kind of "interop and usability" "testing" all at once, then a lot
> of useful knowledge, tips, howtos, bug discovery, and application
> feedback will happen, which I believe can only be a good thing towards
> fixing the usability bottleneck that client certs are today.
>

This can be done in the context of what we are setting up to do
authentication for the next two meetings, but will take a fair amount of
work, and will add to the complexity of getting on the network for
attendees.

We will be using 802.1X and portal software (users can choose which they
wish to use--either or both) to communicate authentication information with
users. Both will be using RADIUS on the back end. Supporting an additional
EAP method (TLS) for 802.1X is trivial. Supporting TLS for the portal is
likely to be fairly easy as well.

However, this would require that the IETF have a certificate infrastructure,
which does not exist, and a mechanism for users to request certs securely.
So, right there, we have the chicken and egg issue--what do users use to
authenticate themselves before they have a cert? I'd suggest that the same
method we are planning on using to authenticate users (reg ID or anonymous
ID obtained by IETF badge holders from the reg desk) can be used. This means
that we've just required a whole series of additional steps to be done by
attendees. So I don't see the NOC team taking this on.

I would support an experiment, if someone or some group is willing to run
with it, that would do the above. I believe that the changes needed to
support such an experiment (supporting TLS for authentication) could be done
by the NOC team without too much additional effort. However, this person or
group would have to take on setting up the CA infrastructure, integrating it
with the FreeRADIUS server we will be using, and instructing attendees on
how to participate in the experiment.

Note that this is not a typical environment for certs. We are trying to
authenticate that users are a member of a group (IETF attendees) while
(optionally) preserving anonymity for users. I would suggest that a
certificate experiment try to replicate these same criteria, which may or
may not make it a useful experiment for the usage of user certs in general.

So, if you, or anyone else, is interested in running an experiment, please put
in your request. We support various experiments on the IETF networks most
meetings, and this could be a useful, or at least educational, one.

Chris.


> ..m


-- 
Chris Elliott
chelliot@pobox.com
CCIE # 2013
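The message above sketches the pieces an EAP-TLS experiment would need: a meeting-specific CA, attendee certificates that carry only an anonymous ID rather than a name, and a RADIUS-side check that a presented cert chains to that CA and belongs to the "attendee" group. The following script, added here as an illustration and not part of the thread or of the IETF NOC's setup, builds that flow with plain openssl commands. The CA name, the "attendee" OU, the attendee IDs and the working directory are all constructed placeholders; the reg-desk step that would gate issuance (authenticating with a reg ID or anonymous ID before a cert is handed out) is assumed to happen outside this script.

```shell
#!/bin/sh
# Toy attendee CA for an EAP-TLS style experiment (constructed example).
# Assumptions: one meeting-specific CA; group membership is expressed as
# OU=attendee in the certificate subject; CN holds only a pseudonymous ID.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Self-signed CA that signs only attendee certs. Its private key is the
  # thing to protect; the RADIUS server needs just ca.pem to verify clients.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -days 30 \
    -subj "/O=Example Meeting Network/CN=Attendee CA" 2>/dev/null
}

issue_cert() {
  # $1 = pseudonymous ID (e.g. the anonymous ID from the reg desk), $2 = group.
  # The subject deliberately contains no real name, so the cert proves
  # membership without identifying the holder to the network.
  id="$1"; group="$2"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$id.key" \
    -out "$WORK/$id.csr" \
    -subj "/O=Example Meeting Network/OU=$group/CN=$id" 2>/dev/null
  openssl x509 -req -in "$WORK/$id.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$id.pem" \
    -days 7 2>/dev/null
}

is_attendee() {
  # The policy decision an EAP-TLS server makes after the TLS handshake:
  # (1) the cert must chain to the meeting CA, (2) it must be in the
  # attendee group. Returns 0 if both hold, 1 otherwise.
  cert="$1"
  out=$(openssl verify -CAfile "$WORK/ca.pem" "$cert" 2>&1) || return 1
  case "$out" in
    *": OK") ;;      # chain verified
    *) return 1 ;;   # wrong CA, expired, or malformed
  esac
  # Subject printing differs between OpenSSL versions ("OU=x" vs "OU = x");
  # the pattern below accepts both.
  openssl x509 -in "$cert" -noout -subject | grep -q "OU *= *attendee" \
    || return 1
  return 0
}

# Stand-alone demonstration.
make_ca
issue_cert anon-4242 attendee
if is_attendee "$WORK/anon-4242.pem"; then
  echo "anon-4242: admitted (chains to meeting CA, OU=attendee)"
fi
```

Note that in a real deployment the chain check is done by the RADIUS server's TLS stack (FreeRADIUS validates the client cert against its configured CA during the EAP-TLS handshake); the `is_attendee` function only makes the same decision visible so the two criteria from the message, "signed by our CA" and "member of the attendee group", can be exercised separately.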