Re: ESSID ietf-v6only at IETF 100 - security

Alexandre Petrescu <alexandre.petrescu@gmail.com> Tue, 14 November 2017 06:59 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 026FF129470 for <ipv6@ietfa.amsl.com>; Mon, 13 Nov 2017 22:59:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.633
X-Spam-Level:
X-Spam-Status: No, score=-2.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4vl-vkADxbC for <ipv6@ietfa.amsl.com>; Mon, 13 Nov 2017 22:59:13 -0800 (PST)
Received: from oxalide-smtp-out.extra.cea.fr (oxalide-smtp-out.extra.cea.fr [132.168.224.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9337127977 for <ipv6@ietf.org>; Mon, 13 Nov 2017 22:59:12 -0800 (PST)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id vAE6xAU1189730; Tue, 14 Nov 2017 07:59:10 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 38C3720118E; Tue, 14 Nov 2017 07:59:10 +0100 (CET)
Received: from muguet1.intra.cea.fr (muguet1.intra.cea.fr [132.166.192.6]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 2B8FF200B5D; Tue, 14 Nov 2017 07:59:10 +0100 (CET)
Received: from [132.166.84.60] ([132.166.84.60]) by muguet1.intra.cea.fr (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id vAE6x7GM017704; Tue, 14 Nov 2017 07:59:09 +0100
Subject: Re: ESSID ietf-v6only at IETF 100 - security
To: Warren Kumari <warren@kumari.net>
Cc: IPv6 <ipv6@ietf.org>
References: <acd854c7-8bd2-781e-6d0d-b15bb62c48e2@gmail.com> <CAHw9_iKoYrfuf_UjBeVw+=cCD9Kuc4+zPPsR1kqrxAAza59qXg@mail.gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <88d14301-f417-da89-a526-954f44149af8@gmail.com>
Date: Tue, 14 Nov 2017 07:59:07 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CAHw9_iKoYrfuf_UjBeVw+=cCD9Kuc4+zPPsR1kqrxAAza59qXg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1uybNhFyJ7Q2k75eXc5FYP4fhjQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 06:59:15 -0000


Le 14/11/2017 à 07:24, Warren Kumari a écrit :
[...]

> ​Nope. We have the legacy SSIDs because some people apparently had 
> issues connecting to encrypted SSIDs (because of old OS / broken 
> wpa_supplicant, etc) - this wasn't issue with certs, but rather 
> providing a solution for those who are unable to do WPA enterprise / 
> have old cards, etc.

Well - sorry, but all these reasons seem light for me.

I have Windows 7 which is not old.  Updated regularly from Microsoft and 
from employer IT.

The WPA_supplicant comes from original.  It is widely accepted at many 
other hotspots.

My laptop is very well able to do WPA enterprise, and WPA2 Enterprise.

The laptop is a Dell E7440, 2 or 3 years old.  I dont accept to call 
that old.  What makes laptops old is when they break; they often break 
because of mechanically moving parts like hd, but this one is SSD.

Rather, I suspect there is a preference at the Access Point to favorise 
Macintosh variations of WiFi Clients, rather than Windows.

I also wonder why my Windows complains that the cert emmitted by IETF is 
"not configured as a valid anchor".  Should I manually install that 
cert?  If so, that is little reasonable to ask.

Alex

>   There was an assertion made that some people were not using nat64 and 
> were using ietf-legacy were easier, and so there should be parity, and 
> so the ietf-nat64-unencrypted was created.
> We are changing the name of the ietf-legacyXXX network at each meeting 
> because we don't people who connected to it at a previous meeting to 
> become sticky to it and keep joining -- it requires a specific action at 
> each meeting for the user to choose the unencrypted network -- we'd all 
> prefer that people use the encrypted network...
> 
> 
> 
>     And yes, my VPN FortiClient works ok on ietf-nat64-unencrypted.
> 
> 
> 
> 
>     Alex
> 
> 
> 
>     --------------------------------------------------------------------
>     IETF IPv6 working group mailing list
>     ipv6@ietf.org <mailto:ipv6@ietf.org>
>     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>     <https://www.ietf.org/mailman/listinfo/ipv6>
>     --------------------------------------------------------------------
> 
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad idea 
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing 
> regret at having chosen those particular rabid weasels and that pair of 
> pants.
>     ---maf