Re: Security for the IETF wireless network

Stefan Winter <stefan.winter@restena.lu> Fri, 25 July 2014 13:10 UTC

Message-ID: <53D25758.2090808@restena.lu>
Date: Fri, 25 Jul 2014 15:10:48 +0200
From: Stefan Winter <stefan.winter@restena.lu>
To: ietf@ietf.org
Subject: Re: Security for the IETF wireless network
References: <0FE63216-9BE8-450F-80FB-D1DB6166DFEF@ietf.org> <53D17359.2030505@gmail.com>
In-Reply-To: <53D17359.2030505@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/J_0lPyJzPoxjCl6NUAgtwQRCCk4

Hi,

> This is what I get (Windows 7):
> 
> Radius Server:           services.meeting.ietf.org
> Root CA:                 Starfield Class 2 Certification Authority
> 
> The server "services.meeting.ietf.org" presented a valid certificate issued by "Starfield Class 2 Certification Authority", but
> "Starfield Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server
> "services.meeting.ietf.org" is not configured as a valid NPS server to connect to for this profile.

Sure. That's because you should never "just connect" to an IEEE 802.1X
network. You configure the security properties you expect *first* (i.e.
install/mark as trusted the CA, the expected server name, the EAP types
that are supposed to be supported on this network, an anonymous outer
identity if you like/need) - and *then* you actually connect, and see if
the server you arrived at is the one you expect.

This is a wholly different security model than website-certificate-TLS.

I've been in touch with the NOC earlier about this. The IETF network
website really needs to *publish* these expected security details, then
you need to *configure* them - and only then is the network secure, and
guaranteed to be the genuine IETF one.

There are also tools which generate installation programs for these
security properties so that unsuspecting users don't have to know or
realise what this "CA" thing is in the first place.

I run a website which does these things; and am perfectly fine with
handing out installers with digital signatures for the IETF network use.

If you're curious, hop over to https://802.1x-config.org (and
particularly the "Take the tour" for explanations:
https://802.1x-config.org/tour1.php).

Thanks for listening to this slightly ad-laden mail. :-)

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
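The "configure expectations first, then connect" model from the mail above, as an added illustration that is not part of the original message or of any real supplicant's code. The profile holds what the user pins before connecting (trusted root CA, expected server name, allowed EAP types, anonymous outer identity); the "presented" values are what the RADIUS server shows during the EAP handshake. The trust anchor and server name are the ones quoted from the Windows dialog; the EAP method, the anonymous identity and the rogue server are constructed for the example, and the decision logic is a simplified model of what a supplicant does with a pinned profile.

```python
"""Simplified model of a supplicant checking a pinned 802.1X profile.

Added example, not code from the mail or from any real supplicant.
An empty Profile() models the "just connect" case from the quoted
Windows dialog: nothing is pinned, so nothing presented can be trusted.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class ServerPresentation:
    """What the RADIUS server shows the client during the EAP handshake."""
    server_name: str   # subject name in the server certificate
    issuer: str        # root CA at the top of the presented chain
    eap_method: str    # EAP type the server proposes


@dataclass
class Profile:
    """What the user configured *before* connecting."""
    trusted_cas: Set[str] = field(default_factory=set)
    expected_servers: Set[str] = field(default_factory=set)
    eap_methods: Set[str] = field(default_factory=set)
    anonymous_identity: Optional[str] = None


def evaluate(profile: Profile, presented: ServerPresentation) -> List[str]:
    """Return the reasons the connection must be refused; empty list means OK.

    All three checks are independent: a server that presents a certificate
    from the right CA but under the wrong name, or the right name under the
    wrong CA, is still refused.
    """
    problems = []
    if presented.issuer not in profile.trusted_cas:
        problems.append(
            f'"{presented.issuer}" is not configured as a valid trust anchor'
        )
    if presented.server_name not in profile.expected_servers:
        problems.append(
            f'"{presented.server_name}" is not a configured server for this profile'
        )
    if presented.eap_method not in profile.eap_methods:
        problems.append(
            f"EAP method {presented.eap_method} is not allowed by this profile"
        )
    return problems


def outer_identity(profile: Profile, real_identity: str) -> str:
    """Identity sent in the clear in the outer EAP exchange.

    With an anonymous outer identity configured, the real username only
    travels inside the TLS tunnel, so an observer on the air sees nothing.
    """
    return profile.anonymous_identity or real_identity


# Values quoted from the Windows dialog in the mail.
GENUINE_SERVER = ServerPresentation(
    server_name="services.meeting.ietf.org",
    issuer="Starfield Class 2 Certification Authority",
    eap_method="PEAP",  # constructed; the mail does not name the EAP type
)

# Constructed: a server with the expected name but a chain the user never pinned.
ROGUE_SERVER = ServerPresentation(
    server_name="services.meeting.ietf.org",
    issuer="Example Untrusted CA",
    eap_method="PEAP",
)

# Constructed: the profile a user would pin from the published details.
PINNED_PROFILE = Profile(
    trusted_cas={"Starfield Class 2 Certification Authority"},
    expected_servers={"services.meeting.ietf.org"},
    eap_methods={"PEAP"},
    anonymous_identity="anonymous@example.org",
)


if __name__ == "__main__":
    for label, prof in (("just connect", Profile()), ("pinned", PINNED_PROFILE)):
        for srv in (GENUINE_SERVER, ROGUE_SERVER):
            print(label, srv.issuer, evaluate(prof, srv) or "OK")
    print(outer_identity(PINNED_PROFILE, "user@example.org"))
```

In wpa_supplicant the same pins are expressed per network block as `ca_cert`, `domain_suffix_match` (or `subject_match`), `eap` and `anonymous_identity`; the point of the model is that with an empty profile every server, genuine or not, is refused for the same reasons the quoted dialog lists, and that only a fully pinned profile can tell the genuine server from one presenting the right name under an unpinned CA.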