Re: Hotel networks (Was Re: Security for the IETF wireless network)

Stefan Winter <stefan.winter@restena.lu> Sat, 26 July 2014 10:33 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 650D51A0AB7 for <ietf@ietfa.amsl.com>; Sat, 26 Jul 2014 03:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXOwHw_eBK8S for <ietf@ietfa.amsl.com>; Sat, 26 Jul 2014 03:33:41 -0700 (PDT)
Received: from smtp.restena.lu (legolas.restena.lu [IPv6:2001:a18:1::34]) by ietfa.amsl.com (Postfix) with ESMTP id 2521A1A0141 for <ietf@ietf.org>; Sat, 26 Jul 2014 03:33:40 -0700 (PDT)
Received: from smtp.restena.lu (localhost [127.0.0.1]) by smtp.restena.lu (Postfix) with ESMTP id 313C0F1075; Sat, 26 Jul 2014 12:33:40 +0200 (CEST)
Received: from viper.local (unknown [158.64.15.196]) by smtp.restena.lu (Postfix) with ESMTPSA id BB7CA9DD29; Sat, 26 Jul 2014 12:33:39 +0200 (CEST)
Message-ID: <53D38402.5040407@restena.lu>
Date: Sat, 26 Jul 2014 12:33:38 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Randall Gellens <randy@qti.qualcomm.com>, ietf@ietf.org
Subject: Re: Hotel networks (Was Re: Security for the IETF wireless network)
References: <0FE63216-9BE8-450F-80FB-D1DB6166DFEF@ietf.org> <CFF7BBD1.28A2F%wesley.george@twcable.com> <8B1DA3E3-F195-4CBC-B565-85CAFC31CB1B@shinkuro.com> <3708BC187C6387C727398CBB@JCK-EEE10> <53D25E42.1010903@bogus.com> <4ECAD61D-C3CE-4A6E-B4DE-F3A57EA6601A@shinkuro.com> <CAKr6gn0igB_JwZkkJkTMttQF5+Vuyyimnm3q6mrVh_WrpvOFFw@mail.gmail.com> <53D26553.60200@restena.lu> <p06240612cff85f60303b@[192.168.6.56]>
In-Reply-To: <p06240612cff85f60303b@[192.168.6.56]>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="W7JdSuepp9H48gAmF8HE1hcbiUEI5VDaB"
X-Virus-Scanned: ClamAV
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/zFpF-9PRFAokfxgkAeJY2L3dJiQ
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jul 2014 10:33:43 -0000

Hi,

>> Assuming you didn't (because NOC doesn't tell us what to expect), how
>> do you know you connected to the IETF network, and not some evil twin
>> who is able to spell "ietf-1x" correctly in his AP config dialog?
>
> Would connecting to this evil twin network be worse than connecting to
> the plain ietf network, perhaps also operated by an evil twin?

Those two choices are equally bad indeed.

The point is that we can do much better, with a few simple steps. And
the IETF network has already gone 90% of the way by enabling 1X with
RADIUS server etc. At that point, *not* going the few last steps doesn't
make much sense.

You don't stop running a marathon one mile before the end, just because
"25 miles is pretty good, I don't need the rest". Or do you?

Thinking about it, maybe the 1X network evil twin is worse than a plain
open network even: when connecting to an open network, people (probably
and rightfully) don't assume any confidence in the network they connect
to. The 1X "enterprise security" label alone can easily make people
think that it is more secure against all kinds of attacks and be more
relaxed in their surfing/usage habits - while it's not, unless you take
all the right steps.

Greetings,

Stefan Winter
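The "few last steps" that separate a well-run 802.1X network from one an evil twin can imitate are, on the client side, validating the RADIUS server's certificate against a pinned CA and checking the server's name, plus hiding the real username in the outer EAP identity. The following audit script is an added example, not code from the message or from the IETF NOC: it parses wpa_supplicant `network={...}` blocks and flags EAP networks that omit those settings. The sample configuration, the CA file path and the RADIUS host name are constructed placeholders, and the assumption that these are the intended "last steps" is the editor's, based on standard WPA-Enterprise client guidance.

```python
"""Audit wpa_supplicant network blocks for missing RADIUS server validation.

Added example (not from the original thread). Checks whether each EAP
network pins a CA, matches the server name, and uses an anonymous outer
identity; without these, an evil twin broadcasting the same SSID with its
own RADIUS server is accepted just like the genuine network.
"""
import re

# Constructed sample config: the first block is the weak one, the second
# is the same network with the client-side checks in place, the third is
# an open network that makes no authentication claim at all.
SAMPLE_CONF = """
network={
    ssid="ietf-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="ietf-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/noc-ca-placeholder.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="ietf"
    key_mgmt=NONE
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text):
    """Return a list of dicts, one per network={...} block (quotes stripped)."""
    nets = []
    for match in BLOCK_RE.finditer(text):
        entry = {}
        for line in match.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")  # split on the first '=' only
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def audit_network(net):
    """Return the list of server-validation weaknesses in one network block."""
    findings = []
    if "eap" not in net:
        return findings  # open or PSK network: no RADIUS server to validate
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: any certificate the RADIUS "
                        "server presents is accepted")
    if not any(k in net for k in ("domain_match", "domain_suffix_match",
                                  "subject_match")):
        findings.append("no domain_match/domain_suffix_match/subject_match: "
                        "any server certificate from the trusted CA is accepted")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username travels "
                        "unencrypted in the outer EAP identity")
    return findings


def audit_config(text):
    """Audit every network block; returns [(ssid, [findings...]), ...]."""
    return [(net.get("ssid", "?"), audit_network(net))
            for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF):
        status = "OK" if not findings else "WEAK"
        print(f"{ssid}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against a real `/etc/wpa_supplicant/wpa_supplicant.conf` by reading the file into `audit_config`; a network that passes still needs the pinned CA to be the one the operator actually publishes, which is exactly the information a NOC has to hand out for the last 10% to count.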