Re: Security for the IETF wireless network
Stefan Winter <stefan.winter@restena.lu> Fri, 25 July 2014 13:10 UTC
Message-ID: <53D25758.2090808@restena.lu>
Date: Fri, 25 Jul 2014 15:10:48 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: Security for the IETF wireless network
References: <0FE63216-9BE8-450F-80FB-D1DB6166DFEF@ietf.org> <53D17359.2030505@gmail.com>
In-Reply-To: <53D17359.2030505@gmail.com>
Hi,

> This is what I get (Windows 7):
>
> Radius Server: services.meeting.ietf.org
> Root CA: Starfield Class 2 Certification Authority
>
> The server "services.meeting.ietf.org" presented a valid certificate issued by "Starfield Class 2 Certification Authority", but
> "Starfield Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server
> "services.meeting.ietf.org" is not configured as a valid NPS server to connect to for this profile.

Sure. That's because you should never "just connect" to an IEEE 802.1X network. You configure the security properties you expect *first* (i.e. install/mark as trusted the CA, the expected server name, the EAP types that are supposed to be supported on this network, an anonymous outer identity if you like/need) - and *then* you actually connect, and see if the server you arrived at is the one you expect. This is a wholly different security model than website-certificate-TLS.

I've been in touch with the NOC earlier about this. The IETF network website really needs to *publish* these expected security details, then you need to *configure* them - and only then is the network secure, and guaranteed to be the genuine IETF one.

There are also tools which generate installation programs for these security properties so that unsuspecting users don't have to know or realise what this "CA" thing is in the first place. I run a website which does these things; and am perfectly fine with handing out installers with digital signatures for the IETF network use. If you're curious hop over to https://802.1x-config.org (and particularly the "Take the tour" for explanations: https://802.1x-config.org/tour1.php).

Thanks for listening to this slightly ad-laden mail.

:-)

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
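The "configure first, then connect and compare" model described in the mail, as an added example that is not part of Stefan Winter's post or of the 802.1x-config.org tooling. It models what a supplicant checks once the RADIUS server's certificate arrives: is the issuing CA one of the trust anchors installed for this profile, does the server name match the expected name (matched on DNS label boundaries, the way wpa_supplicant's domain_suffix_match works), and is the offered EAP method one the profile allows. The CA name and server name are the ones from the quoted Windows message; the EAP method ("PEAP"), the expected suffix "ietf.org", and the lookalike server name are constructed assumptions for illustration.

```python
"""Model of a supplicant's pre-configured profile check (added example; values are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Security properties the user configures *before* connecting."""
    trusted_cas: frozenset          # trust anchors installed for this profile
    server_name_suffixes: tuple     # expected RADIUS server names (exact or DNS suffix)
    eap_methods: frozenset          # EAP types this network is supposed to offer
    anonymous_identity: str         # outer identity sent in the clear (no real username)


@dataclass(frozen=True)
class Presented:
    """What the RADIUS server actually shows while the EAP TLS tunnel is set up."""
    issuer_ca: str
    server_name: str
    eap_method: str


def dns_suffix_matches(name: str, suffix: str) -> bool:
    """Match on DNS label boundaries: 'services.meeting.ietf.org' matches 'ietf.org',
    but 'notietf.org' or 'ietf.org.example' does not (a plain endswith() would get
    the first of those wrong)."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def verify_server(profile: Profile, presented: Presented) -> list:
    """Return the list of mismatches between the configured profile and the server
    that was reached. An empty list means this is the server the profile expects,
    so the inner (real) credentials may be sent through the tunnel."""
    problems = []
    if presented.issuer_ca not in profile.trusted_cas:
        problems.append(f'issuer "{presented.issuer_ca}" is not a trust anchor for this profile')
    if not any(dns_suffix_matches(presented.server_name, s) for s in profile.server_name_suffixes):
        problems.append(f'server "{presented.server_name}" is not an expected server for this profile')
    if presented.eap_method not in profile.eap_methods:
        problems.append(f'EAP method {presented.eap_method} is not configured for this profile')
    return problems


def should_send_credentials(profile: Profile, presented: Presented) -> bool:
    """The only decision that matters: proceed with the inner authentication or abort."""
    return not verify_server(profile, presented)


# A user who "just connects": nothing configured, so nothing can be verified.
UNCONFIGURED_PROFILE = Profile(frozenset(), (), frozenset(), "")

# The same user after installing the published security details (EAP method assumed).
CONFIGURED_PROFILE = Profile(
    trusted_cas=frozenset({"Starfield Class 2 Certification Authority"}),
    server_name_suffixes=("ietf.org",),
    eap_methods=frozenset({"PEAP"}),
    anonymous_identity="anonymous@ietf.org",
)

# Server from the quoted Windows message (EAP method constructed).
GENUINE_SERVER = Presented(
    issuer_ca="Starfield Class 2 Certification Authority",
    server_name="services.meeting.ietf.org",
    eap_method="PEAP",
)

# Constructed: a certificate from the same public CA, but for an unrelated name.
# Being "issued by a valid CA" alone is not enough; the name check catches it.
LOOKALIKE_SERVER = Presented(
    issuer_ca="Starfield Class 2 Certification Authority",
    server_name="services.meeting.notietf.org",
    eap_method="PEAP",
)

if __name__ == "__main__":
    for label, profile in (("unconfigured", UNCONFIGURED_PROFILE), ("configured", CONFIGURED_PROFILE)):
        for server in (GENUINE_SERVER, LOOKALIKE_SERVER):
            print(label, server.server_name, verify_server(profile, server) or "OK")
```

The unconfigured profile reproduces the Windows message quoted above: a valid certificate from a public CA, yet neither the CA nor the server name is "configured as valid for this profile", so the supplicant has no basis for trusting the server. The configured profile accepts the genuine server and rejects a certificate for a lookalike name even though it chains to the same trusted CA, which is why the expected server name has to be published and configured alongside the CA.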