Re: Admission Control to the IETF 78 and IETF 79 Networks

Douglas Otis <dotis@mail-abuse.org> Tue, 13 July 2010 03:05 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA8643A68C5 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 20:05:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.927
X-Spam-Level:
X-Spam-Status: No, score=-5.927 tagged_above=-999 required=5 tests=[AWL=0.072, BAYES_00=-2.599, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAPoGiTvhfgp for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 20:05:34 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id D409B3A68E7 for <ietf@ietf.org>; Mon, 12 Jul 2010 20:05:34 -0700 (PDT)
Received: from sjc-office-nat-210.mail-abuse.org (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id DFC4FA94519 for <ietf@ietf.org>; Tue, 13 Jul 2010 03:05:40 +0000 (UTC)
Message-ID: <4C3BD804.1050609@mail-abuse.org>
Date: Mon, 12 Jul 2010 20:05:40 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
References: <201007121839.o6CIdSRq011779@fs4113.wdf.sap.corp>
In-Reply-To: <201007121839.o6CIdSRq011779@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 03:05:35 -0000

On 7/12/10 11:39 AM, Martin Rex wrote:
> Personally, I'm heavily opposed to an approach along these lines.
> It is a big plus that MAC addresses can be trivially changed,
> and I regularly connect with random MACs in public places.
>    
Russ and Ted discussed use of MAC addresses for access. I may have
missed or misunderstood their point, although such a scheme is often
used (and easily defeated) in typical coffee-shop settings. I may be
wrong, and this is a good list for learning such things.

When security is desired, something like WPA2 Enterprise EAP-TTLS seems
more realistic. Perhaps other options need to be included to overcome
third-party software for versions of Windows. This approach would keep
information and privacy better secured, and systems less exposed to
various exploits, since some attendees may actually need protection in
the big city. :^)

Better security can be found with 802.1X-2010 that resolves some
vulnerabilities by using MACsec 802.1AE to encrypt data between logical
ports. This suffers a drawback of deploying client certs, of poor
coverage, along with the anxiety that EAP-TPM might cause.
> Personally, I'm somewhat less concerned about a unique or fixed ID in
> my DSL-router.  I have only one DSL subscription with one single ISP,
> and I need to authenticate to my ISP with userid&pass -- which makes
> we wonder why should there be a unique/fixed ID in that device,
> it is absolutely unnecessary.
>    
Securing wireless must detect MitM attacks. Using a cert at the server
when making changes seems a small price.

-Doug
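The two admission models the thread compares, as an added configuration example (not part of the original message or of any IETF NOC configuration): a hostapd access point that admits clients by MAC ACL only, the same AP switched to WPA2 Enterprise with 802.1X/EAP against a RADIUS server, and the matching wpa_supplicant client profile for EAP-TTLS. The SSIDs, the RADIUS address (an RFC 5737 documentation address), the certificate path, the domain name and the credentials are all assumptions chosen for illustration. hostapd and wpa_supplicant only accept comments on their own lines, so each directive is annotated on the line above it.

```ini
# ---- hostapd.conf, option A (constructed): open SSID gated by a MAC ACL ----
# The MAC address is chosen by the client and sent unauthenticated, so the ACL
# only keeps out clients that do not try, and with no wpa= line the network is
# open: every frame is readable by anyone in range.
interface=wlan0
driver=nl80211
ssid=meeting-net-weak
hw_mode=g
channel=6
# 1 = accept only stations listed in accept_mac_file (path assumed)
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# ---- hostapd.conf, option B (constructed): WPA2 Enterprise, 802.1X/EAP ----
# Admission is decided by the RADIUS server from the EAP exchange, not by an
# address the client can pick, and the resulting pairwise keys encrypt the air.
interface=wlan0
driver=nl80211
ssid=meeting-net
hw_mode=g
channel=6
# RSN (WPA2) only, AES-CCMP, management frame protection required
wpa=2
rsn_pairwise=CCMP
ieee80211w=2
# EAP authentication via an external RADIUS server (address and secret assumed)
ieee8021x=1
wpa_key_mgmt=WPA-EAP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-A-LONG-RANDOM-SECRET

# ---- wpa_supplicant.conf, client profile for option B (constructed) ----
network={
    ssid="meeting-net"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    ieee80211w=2
    eap=TTLS
    # Outer identity is sent in the clear; the real username stays inside TLS.
    anonymous_identity="anonymous@example.org"
    identity="attendee@example.org"
    password="attendee-password"
    phase2="auth=MSCHAPV2"
    # These two lines are what turns the server cert into MitM detection:
    # the supplicant refuses to send phase-2 credentials unless the server
    # presents a certificate chaining to this CA and carrying this name.
    ca_cert="/etc/ssl/certs/meeting-radius-ca.pem"
    domain_match="radius.example.org"
}
```

A client profile that omits ca_cert and domain_match still "works", which is the trap: it will complete the TTLS tunnel with any access point that answers to the SSID and hand over the MSCHAPv2 exchange to it. Pinning the CA and the server name is the small price the message refers to, and it is also why rolling the server certificate is a change that has to be pushed to clients rather than made silently.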