Re: Admission Control to the IETF 78 and IETF 79 Networks

Chris Elliott <chelliot@pobox.com> Mon, 12 July 2010 17:53 UTC

To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, tytso@mit.edu, IETF Discussion <ietf@ietf.org>

On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> No, if you read my book you would see the scheme I am proposing.
>

I hope your book is rather less opaque than your attempts to explain your
technique here.

> The problem with current MAC addresses is that they are not
> trustworthy. That is accepted. If MAC addresses were not trivially
> forged then the existing WiFi scheme would work fine.
>
> What I am saying is that if people got really serious about usability
> and in particular the WiFi design had been controlled by a Steve Jobs
> style person who demanded an absolute commitment to a first class
> usability approach, then we could have a scheme that did not require
> end-user configuration.
>
> Instead every device would have been issued with a device cert to bind
> the MAC address to a public key during manufacture. This is already a
> requirement for cable modems. The cost is of the order of cents per
> device if the certs are installed during manufacture. Maintenance
> costs get much higher as soon as the device has left the factory.
>
> The function of the certificate is to stop the MAC address being
> trivially forged. OK yes, if you design the protocols wrong then you
> can end up with Cisco being able to intercept on the wire traffic. But
> if you do the job right you can prevent interception even if the
> manufacturer defects.
>

I thought we were talking about how to do this for the meeting in Maastricht
and then in Beijing. I agree that manufacturers could make this easier for
all of us. But some of us live in the real world and must make things work
today.

I'd be glad to listen to an explanation of how to make this work with the
current devices that IETF attendees will be bringing to Maastricht and
Beijing.

Chris.


> And as for my waist - yes there does seem to be rather more of it than
> there should be, but I don't think that is Dogbert's fault. I blame
> the cookies at IETF break time.
>
>
> On Mon, Jul 12, 2010 at 11:56 AM, Chris Elliott <chelliot@pobox.com>
> wrote:
> > Phillip,
> > In your earlier email, you state:
> >>
> >> If the designers had actual brains instead of bits of liver strapped
> >> round their waist by dogbert then all that would be necessary to
> >> securely authenticate to the network is to give either the MAC address
> >> of the computer or the fingerprint of the cert.
> >
> > Note that you say "either". Now you state:
> >>
> >> Of course the MAC address is trivially forged. That is the function of
> >> the certificate.
> >
> > Maybe you should check your waist.
> > Chris.
> >
> > --
> > Chris Elliott
> > chelliot@pobox.com
>
> --
> Website: http://hallambaker.com/
>



-- 
Chris Elliott
chelliot@pobox.com
CCIE # 2013
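As an added illustration, not code from this thread or from any vendor, the following Go sketch shows the admission check that the quoted device-cert scheme implies: a manufacturer CA issues a cert binding a MAC to a key pair, the cert's fingerprint is what an attendee could register, and the network admits a client only if the cert chains to the CA, names the MAC on the wire, and the client signs a fresh nonce with the certified key. Putting the MAC in CommonName, the CA name, Ed25519, and the nonce challenge are this example's assumptions; the thread specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

func mkCert(tpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // cannot fail on DER that CreateCertificate just produced
	return c
}

// Issue models the factory step: the manufacturer CA signs a device cert whose CommonName carries the MAC (assumed field).
func Issue(mac string) (ca, dev *x509.Certificate, devKey ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = mkCert(caTpl, caTpl, caPub, caKey)
	dev = mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: mac},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}, ca, devPub, caKey)
	return
}

// Fingerprint is the SHA-256 of the DER cert, the value an attendee could register instead of a bare MAC.
func Fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }

// Admit refuses the client unless the cert is signed by the manufacturer CA, certifies the MAC
// seen on the wire, and the client proves it holds the certified key by signing our fresh nonce.
func Admit(ca, dev *x509.Certificate, presentedMAC string, nonce, sig []byte) error {
	if err := dev.CheckSignatureFrom(ca); err != nil {
		return err
	}
	if pub, ok := dev.PublicKey.(ed25519.PublicKey); dev.Subject.CommonName != presentedMAC || !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("cert does not bind this MAC, or client lacks the certified key")
	}
	return nil
}
```

A copied MAC alone fails the check, since the copier cannot produce a signature under the key the cert binds to that MAC; that is the forgery resistance the quoted text attributes to the certificate.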