Re: ESSID ietf-v6only at IETF 100

Warren Kumari <warren@kumari.net> Tue, 14 November 2017 06:24 UTC

Return-Path: <warren@kumari.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0701129439 for <ipv6@ietfa.amsl.com>; Mon, 13 Nov 2017 22:24:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8WVqrZVWbvd for <ipv6@ietfa.amsl.com>; Mon, 13 Nov 2017 22:24:56 -0800 (PST)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 273E2129438 for <ipv6@ietf.org>; Mon, 13 Nov 2017 22:24:53 -0800 (PST)
Received: by mail-wm0-x22a.google.com with SMTP id z3so19577423wme.5 for <ipv6@ietf.org>; Mon, 13 Nov 2017 22:24:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=H9ifG+7+k8AhLPLAJxpZr6lumCKKCoTHpN/mnvI0R58=; b=fusbsIr/SyjDcd8Kn8fpbidcdARFT8m8DQ4HVveaeJ9H3N2Usx/UtM22/FZo63AtjM HDz7TFUKSnojoei1ui4h5X+OProopjdhPLybStSjAZQQuBTOhzWbv2pXYYqjtAno1MFj Cg5xtwFsUbwG060wQaH3LShTp5KM5BCpGkACaTpyRp9zB+QG0wMSqxckWPvkcA51crlA YlI5OxFpZYNjXmuGI8tl3R137DVAezzIP/YqUUY2/XJ/jHvpIunUkeJnhzhg3gkzr7bV IWL5TT9kSe3FgdrS45F1qYHq7FrnnMV5rFtvQMIqIe4bXp875540zSn6NJnYAi0rvnAp T17Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=H9ifG+7+k8AhLPLAJxpZr6lumCKKCoTHpN/mnvI0R58=; b=AgglUjRFpDWXl5Yyepxn+YqGmBvR8d8Xq+0WQlRkTeqyR3Ua3MbU1GkVLKgHM3TcbJ hCZIOU6fvMAPcwE+MNbzJQd6MWGxR9EUEdoDJa3TRjj+72RDlKOB+mTUdovGJoYUYrrn k4+4bk6+gPi84bDJVCukZDpmxmJL1Zl8LZjSIVhfu9m9isSQ6eDStLeyKqvMbdmBHwVU jYVh9W0By/4yPpWFiKuBXpRMFBc0dkAgnCX571BoU9tKKehFktkIpaUFhaixX8lukpwq vAJS1OGBoxK8s9Y/az/sWGVyV/6igYFyW7AngQNqbynte+mKJzet1s7X5qhh2qKwczG+ M01A==
X-Gm-Message-State: AJaThX60lBW/1ZE1zMLl6IGrlD1v4z0SpJ2fwtnYoGK92EaCaeDPpFpS uNjlFkPV7it8PjOsZGP5K4KbhenSO0jWnihr4GnTKg==
X-Google-Smtp-Source: AGs4zMZheGW7wW6Tp6IhQu6KeoNMYt9MrrJZDMYCrBqz2Mg2gpbshPAyZmFzgoAi5GVJ/98Wz2kaGtgjV4dzyni+Nxc=
X-Received: by 10.28.191.80 with SMTP id p77mr8868526wmf.85.1510640691448; Mon, 13 Nov 2017 22:24:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.160.149 with HTTP; Mon, 13 Nov 2017 22:24:10 -0800 (PST)
In-Reply-To: <acd854c7-8bd2-781e-6d0d-b15bb62c48e2@gmail.com>
References: <acd854c7-8bd2-781e-6d0d-b15bb62c48e2@gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 14 Nov 2017 14:24:10 +0800
Message-ID: <CAHw9_iKoYrfuf_UjBeVw+=cCD9Kuc4+zPPsR1kqrxAAza59qXg@mail.gmail.com>
Subject: Re: ESSID ietf-v6only at IETF 100
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Cc: IPv6 <ipv6@ietf.org>
Content-Type: multipart/related; boundary="94eb2c074232cc50b7055deb7109"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/UHd1r7en-Vvo8uwFjwC91tlAqjc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 06:24:59 -0000

On Tue, Nov 14, 2017 at 2:03 PM, Alexandre Petrescu <
alexandre.petrescu@gmail.com> wrote:

> Hi,
>
> I have problems connecting to the IPv6-only ESSID "ietf-v6only".
>
> It is a problem of certificates.
>
> I have this problem on Windows since several IETF meetings; it may not be
> related in particular to IPv6.
>
> The message in the window below says: "The server
> services.meeting.ietf.org presented a certifcate valid emitted by
> Starfield CA, but that is not configured as a valid anchor to approve this
> profile".
>
> I dont thave this kind of certification refusal problem on ietf-legacy100
> ESSID (and all earlier ietf-legacy), neither on ietf-nat64-unencrypted.
>

‚ÄčThat's because the legacy (and unencrypted) SSIDs are unencrypted and you
don't need to talk to a RADIUS server (which presents the certificate)



> This ietf-nat64-unencrypted is now appearing first time at IETF.  I
> suppose people realized there was a problem with certs and created an
> 'unencrypted' version.  That's not a best practice to fix security :-)
>


‚ÄčNope. We have the legacy SSIDs because some people apparently had issues
connecting to encrypted SSIDs (because of old OS / broken wpa_supplicant,
etc) - this wasn't issue with certs, but rather providing a solution for
those who are unable to do WPA enterprise / have old cards, etc.
 There was an assertion made that some people were not using nat64 and were
using ietf-legacy were easier, and so there should be parity, and so the
ietf-nat64-unencrypted was created.
We are changing the name of the ietf-legacyXXX network at each meeting
because we don't people who connected to it at a previous meeting to become
sticky to it and keep joining -- it requires a specific action at each
meeting for the user to choose the unencrypted network -- we'd all prefer
that people use the encrypted network...





> And yes, my VPN FortiClient works ok on ietf-nat64-unencrypted.
>
>
>
>
> Alex
>
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf