Re: ESSID ietf-v6only at IETF 100

Warren Kumari <> Tue, 14 November 2017 06:24 UTC

From: Warren Kumari <>
Date: Tue, 14 Nov 2017 14:24:10 +0800
Subject: Re: ESSID ietf-v6only at IETF 100
To: Alexandre Petrescu <>
Cc: IPv6 <>

On Tue, Nov 14, 2017 at 2:03 PM, Alexandre Petrescu <> wrote:

> Hi,
> I have problems connecting to the IPv6-only ESSID "ietf-v6only".
> It is a problem of certificates.
> I have this problem on Windows since several IETF meetings; it may not be
> related in particular to IPv6.
> The message in the window below says: "The server
> presented a certificate valid emitted by
> Starfield CA, but that is not configured as a valid anchor to approve this
> profile".
> I don't have this kind of certification refusal problem on ietf-legacy100
> ESSID (and all earlier ietf-legacy), neither on ietf-nat64-unencrypted.

That's because the legacy (and unencrypted) SSIDs are unencrypted and you
don't need to talk to a RADIUS server (which presents the certificate)

> This ietf-nat64-unencrypted is now appearing first time at IETF.  I
> suppose people realized there was a problem with certs and created an
> 'unencrypted' version.  That's not a best practice to fix security :-)

Nope. We have the legacy SSIDs because some people apparently had issues
connecting to encrypted SSIDs (because of old OS / broken wpa_supplicant,
etc) - this wasn't an issue with certs, but rather providing a solution for
those who are unable to do WPA enterprise / have old cards, etc.
There was an assertion made that some people were not using nat64 and were
using ietf-legacy were easier, and so there should be parity, and so the
ietf-nat64-unencrypted was created.
We are changing the name of the ietf-legacyXXX network at each meeting
because we don't want people who connected to it at a previous meeting to become
sticky to it and keep joining -- it requires a specific action at each
meeting for the user to choose the unencrypted network -- we'd all prefer
that people use the encrypted network...

> And yes, my VPN FortiClient works ok on ietf-nat64-unencrypted.
> Alex

I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of