[OPSEC] leaf device network configuration format (was draft-winter-opsawg-eap-metadata)
Stefan Winter <stefan.winter@restena.lu> Thu, 17 March 2016 11:49 UTC
To: IETF OOPSAWG <opsawg@ietf.org>, IETF OPSEC <opsec@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/sUE81sMolT8DBDtc79VaBJe7oD8>
Hello,

over the past few IETFs, I talked about draft-winter-opsawg-eap-metadata. In a nutshell: end users get EAP configuration wrong because it's too complex, and as a result they are vulnerable to many badnesses out there in the Wi-Fi world. A common config format would settle all the complex pieces automatically for them, and make the internet a safer place for them.

I got many good comments on the mic regarding the draft. I recall Hannes Tschofenig commenting that the scope should be larger than EAP properties: it should also configure the actual network context around the EAP credentials, namely the SSID etc., along with its various properties to fully configure (encryption level...). Phillip Hallam-Baker commented that the file format should be usable across all kinds of devices, like a smartwatch, for those devices do not have a good UI to configure manually.

I've factored in all this and am going to submit a draft with a new name just before the cut-off (when else :-) ). It's probably going to be draft-winter-opsec-netconfig-metadata-00 because I believe that opsec is the better place to discuss this: it has an operations dimension - config needs to be moved around - but it also has a security dimension because failure to get a good config may make it appear like things work, while actually putting users at risk (e.g. if server certs are not checked while they should be).

With the previous, EAP-only approach we already have very good results in our EAP-based Wi-Fi roaming consortium eduroam: there's an Android app that can consume the settings, and it makes the security posture change from Android's default "don't validate, don't bother user, just send password" to the gold-standard "validate cert chain, server name, pin EAP method". People are using it, and happily so (within the limitations of Android; talk to me for anecdotes :-) ). There is also a Linux app that can consume the same file format.

With the expansion of scope to actual network defs, the file format becomes much more useful, and I believe this has a real chance of becoming more widespread. So, even though I haven't been to opsec before - I'd like to request a meeting slot for IETF95 there to discuss this new draft. All this with the hope for WG adoption of course :-)

Please let me know if it's possible to allocate, say, 10 minutes for the draft?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
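The mail contrasts the "don't validate, just send password" posture with the gold standard of validating the cert chain and server name and pinning the EAP method. As an added example (not part of the mail or of the draft), here is a small Python audit that parses wpa_supplicant-style network blocks and reports those three gaps; the key names are wpa_supplicant's documented ones, and the sample configuration is constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax: a weak block followed by a
# hardened one (identity, password, CA path and server name are made up).
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="user@example.org"
    password="hunter2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="hunter2"
    ca_cert="/etc/ssl/certs/example-org-ca.pem"
    domain_suffix_match="radius.example.org"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_networks(conf):
    """Return one dict per network={...} block, with quotes stripped from values."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit_network(net):
    """List the validation gaps of one WPA-EAP block (empty list = hardened)."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK/open networks are outside the scope of this check
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate chain is not validated")
    if not any(k in net for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no server name match: any cert from the trusted CA is accepted")
    if "eap" not in net:
        findings.append("no eap method pinned: the supplicant accepts whatever the server offers")
    return findings

def audit_conf(conf):
    """Audit every block in a config; returns (index, findings) pairs."""
    return [(i, audit_network(n)) for i, n in enumerate(parse_networks(conf))]
```

The first block passes a naive "does it connect?" test while accepting any server; the second is the posture the mail calls the gold standard.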