IETF Logo Mail Archive

Re: Admission Control to the IETF 78 and IETF 79 Networks

Phillip Hallam-Baker <hallam@gmail.com> Sun, 11 July 2010 19:33 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 020A23A6960 for <ietf@core3.amsl.com>; Sun, 11 Jul 2010 12:33:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.172
X-Spam-Level:
X-Spam-Status: No, score=0.172 tagged_above=-999 required=5 tests=[AWL=0.357, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9W5z6TF6-OP4 for <ietf@core3.amsl.com>; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 22F9E3A6A02 for <ietf@ietf.org>; Sun, 11 Jul 2010 12:32:49 -0700 (PDT)
Received: by iwn38 with SMTP id 38so4129627iwn.31 for <ietf@ietf.org>; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=Q4UnqouLFpOSUXBoe6Z4zTA2D6bzv8iC8648bzMPJpw=; b=aclTeoUsoL1DHTR0hbe3Riv4YJZOnBWLquBPAfhUvjdc5V3+OeDdbzOcm7Fs3KpcNf uqeJKSbZFQAyw9/xR34SVwT3ChUc5K1jtdWKjQVbjKgqaa6xWFSvnQKUDtS12Fr94Bg1 J9BNAqQTXCWO+q2GqwVzj3TkcHm4REURUUQsc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=HUJKP0x4uDb/AztwWffcZfKEbqJ08JB1Ij6GuBbP0/zIaDF0nrPxsPbi06A5lncyw5 b+PtqufM4ozGFRuWu43lC986cyneyYLiw7iPo/WarxSeMZb7oP7rWPfJ7OtuolWfpOQY dQXWPmM1pWG2sEOyU9C8MHLAWTZg1qbS/jWzA=
MIME-Version: 1.0
Received: by 10.231.32.134 with SMTP id c6mr12845029ibd.156.1278876775182; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
Received: by 10.231.32.8 with HTTP; Sun, 11 Jul 2010 12:32:55 -0700 (PDT)
In-Reply-To: <20100706170631.GK25518@thunk.org>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org>
Date: Sun, 11 Jul 2010 15:32:55 -0400
Message-ID: <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Phillip Hallam-Baker <hallam@gmail.com>
To: tytso@mit.edu
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Mon, 12 Jul 2010 08:16:43 -0700
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jul 2010 19:33:00 -0000

Of course the MAC address is trivially forged. That is the function of
the certificate.

MAC address XXXXX is not very interesting
MAC address that party purporting to be CISCO says is XXXXX is quite a
bit more interesting
MAC address that party validated as CISCO as XXXXX is more interesting still.

Now this is not getting us to a point where nobody can possibly break
the system. But we have got to a point where the expected losses are a
couple orders of magnitude lower than we can expect through current
approaches.


On the issues involved using client certificates for wireless access,
I agree that the current practice falls far short of what is
acceptable. That is the reason why I think it would be helpful for the
IETF to spend some time eating the dog food (even if a different
brand, we can do better).

Now in theory, this is a problem that PKI should make easier to solve.
But instead it seems that it gives people too much scope to create
incompatible variations.


The simplest, cleanest solution to this problem is to either have a
device cert installed during manufacture or to employ my alternative
scheme designed for low performance devices that does not require them
to perform public key cryptography on the end point device (patent
pending, all rights reserved).


I do not see the value of client certificates for this type of network
access. They work in the enterprise context as the selection of the
certificate is unambiguous. But here we have a situation where we are
not really looking to become part of the IETF network specifically, we
just want a uniform identifier.

I would prefer to use client certs for VPN layer security and a device
cert for WiFi authentication. The user is not a device, conflating the
two is bad.

By a device cert, I mean an authentication credential that permits
authentication of the device without disclosure of the authentication
secret, is linked to a globally unique identifier and never expires.

The simplest solution for this in my view would be for everyone to
independently generate a self-signed cert and use the fingerprint to
mediate access. They can then in theory use the same cert in any
similar environment.


One (yucky) way we could do this is to each enter the fingerprint of
the cert(s) for each device when we register.

A much better way to achieve the same effect would be to configure the
network so that any computer that presents any certificate can access
the network registration page (just like in a hotel network) but
leaving that area is only possible after the user has authenticated
and the fingerprint of the cert is entered into the auth database.

v2.23.0 | Report a Bug | By Email