Re: Security for the IETF wireless network

Brian E Carpenter <> Thu, 24 July 2014 20:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0999B1A035D for <>; Thu, 24 Jul 2014 13:58:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eN0tgGjC9WYe for <>; Thu, 24 Jul 2014 13:58:02 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CF7A31A03BD for <>; Thu, 24 Jul 2014 13:58:01 -0700 (PDT)
Received: by with SMTP id l18so3299661wgh.25 for <>; Thu, 24 Jul 2014 13:57:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=WscjEwlXImCcby2YKLPsEfWv94F+ixW8I2sRoXtMAdI=; b=n6N8iNH3NKxAdGT5msilYKDhC90+MyRdu49gt5Uw048QrK7+omuMhBO1GHC1UR0Q9T PLVOUOGzoTKfA4ept2G9Ya4cMktt5oL0ZIaemxwSM0IsUCFsNRtU8zUxhQpe6zhXuVoQ wMT8hVP0MmCED2QmBnK60+e9bwcwMKOBcr8Aw7yqrjRExRFn+TFEc7ugyz17t53JiD/F C6vxpP6nRS3ceU9jWJnQkDVFM//QEhArKBXWDGxwSrR1vZJ48/PT1jblJpL+Wd3o/WPd iVO5rv0LpCCC1A12OZetO2XaV9+0/Zw35p+344Ttk7BjfzjYOtWyd85fTK2Dd7t3MPbe otKw==
X-Received: by with SMTP id n7mr16193927wjy.58.1406235479360; Thu, 24 Jul 2014 13:57:59 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id w6sm18989285wjr.4.2014. for <> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 24 Jul 2014 13:57:58 -0700 (PDT)
Message-ID: <>
Date: Fri, 25 Jul 2014 08:58:01 +1200
From: Brian E Carpenter <>
Organization: University of Auckland
User-Agent: Thunderbird (Windows/20070728)
MIME-Version: 1.0
Subject: Re: Security for the IETF wireless network
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jul 2014 20:58:07 -0000

Well, since you had a reply-to to this unmoderated list :-)...

This is what I get (Windows 7):

Radius Server: 
Root CA:                 Starfield Class 2 Certification Authority

The server "" presented a valid certificate issued by "Starfield Class 2 Certification Authority", but
"Starfield Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server
"" is not configured as a valid NPS server to connect to for this profile.


On 25/07/2014 08:38, IETF Chair wrote:
> While many of us have been working on improved transport and other security mechanisms, I’d like to observe that the default wireless network we are using here in Toronto is unencrypted over the air.  I am not sure how good practice that is. And it is probably not a good example either.
> Could we consider making 802.1X the default, for instance, starting in Honolulu meeting? At least in the sense of the ietf SSID providing security and perhaps ietf-nosec providing the current behaviour?
> It would also be helpful if you try it now. The two SSIDs, ietf.1x and ietf-a.1x are available now, we recommend you use them and we would appreciate your reporting any problems. The user ID and password are both 'ietf' (sans quotes).
> Jari Arkko
> IETF Chair
> (with input from some NOC people)