[92all] IETF Wireless Network Changes

Chris Elliott <chelliot@pobox.com> Thu, 19 March 2015 21:03 UTC

Return-Path: <chelliot@gmail.com>
X-Original-To: 92all@ietfa.amsl.com
Delivered-To: 92all@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE0C1ACEBD for <92all@ietfa.amsl.com>; Thu, 19 Mar 2015 14:03:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.077
X-Spam-Level:
X-Spam-Status: No, score=-0.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6, J_CHICKENPOX_21=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHIUmCLeQ5R7 for <92all@ietfa.amsl.com>; Thu, 19 Mar 2015 14:03:40 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB321ACECF for <92all@ietf.org>; Thu, 19 Mar 2015 14:03:40 -0700 (PDT)
Received: by oifl3 with SMTP id l3so45753756oif.0 for <92all@ietf.org>; Thu, 19 Mar 2015 14:03:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:sender:from:date:message-id:subject:to :content-type; bh=rGo1jnuFx9sbX1qlJxcfJ+Umpq3sWZWQiHgFn8RoDuI=; b=VA6c/mPL1F5mPXO4EbJEC5sQaWdERs9XMFj0AXAX4U/WQ0Q+y+YfmnnR35C+NfOMod Q8t0N7F4M74hi2haAYw8UaOqZgiMkSNwkFWlBLaMKxes8ZBod1xLDFmc+6tpj13yvU+f Vz2lnXjXM1O8M9TOMGDh7QWFZ90WKjFJeBF/yLeo9a+p+lT53UbiXrFka3ZgCc/8rfi8 2iM5f2VSnVFtZRtnDPSFulSSMG8kxkSaaZcNuNU4ts9awtyCZW9HkUKiGlzBKpAiljvh crXZiJIH2G4RWlxb5yP/LJ4mVFNJefMJLOwKMPHWEvS9HnTpA3clLK6tk+oYxNqySdnj +sJw==
X-Received: by 10.202.208.22 with SMTP id h22mr5760649oig.78.1426799020002; Thu, 19 Mar 2015 14:03:40 -0700 (PDT)
MIME-Version: 1.0
Sender: chelliot@gmail.com
Received: by 10.182.207.37 with HTTP; Thu, 19 Mar 2015 14:03:19 -0700 (PDT)
From: Chris Elliott <chelliot@pobox.com>
Date: Thu, 19 Mar 2015 16:03:19 -0500
X-Google-Sender-Auth: 0HfqAWOz-JK8lax-4kftqGt7Pdw
Message-ID: <CAO_Rpc+0yr3B7Qs4OMkKxyXzx9shwKm9BmTD3J0qxUS78P=eGg@mail.gmail.com>
To: 92all@ietf.org
Content-Type: multipart/alternative; boundary="001a113df1eec0d4850511aa88d8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/92all/jp_j2da_nas11-qhqDD3rpMPhuE>
X-Mailman-Approved-At: Thu, 19 Mar 2015 14:33:25 -0700
Subject: [92all] IETF Wireless Network Changes
X-BeenThere: 92all@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: chelliot@pobox.com
List-Id: "Mailing list of all 92 allfor official communication." <92all.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/92all>, <mailto:92all-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/92all/>
List-Post: <mailto:92all@ietf.org>
List-Help: <mailto:92all-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/92all>, <mailto:92all-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 21:03:43 -0000

All,

The NOC team, after much discussion, has deployed some changes (we hope
improvements…) to the IETF 92 network. More details below, but in short:
the main “ietf” wireless network is now encrypted; when prompted for
credentials, enter ietf for both the username and password.

These changes are designed to:


   -

   improve wireless performance,
   -

   further encourage the use of the 5Ghz wireless spectrum,
   -

   encourage the use of layer 2 encryption, and yet,
   -

   provide access for older devices and those that don’t desire layer 2
   encryption.


We will be carefully monitoring the networks and, if issues are found, we
will take appropriate action. We encourage you to send feedback and
suggestions (noc@ietf.org) As this is the IETF, we expect to receive many
conflicting suggestions. The NOC team is ultimately responsible for
bringing a network that works for all IETF attendees, and we will be
evaluating suggestions for possible inclusion at future meetings.

Here’s a quick summary of the new network layout:


SSID

Description

Encrypted

Frequencies

IP versions

ietf

The “default” ietf network

yes

5Ghz only

v4 and v6

ietf-legacy

A network for legacy and unencrypted use

no

2.4 and 5Ghz

v4 and v6

ietf-2.4ONLY

An encrypted network for 2.4Ghz users

yes

2.4Ghz only

v4 and v6

ietf-v6ONLY

For users wanting a pure IPv6

yes

5Ghz only

v6 only

ietf-nat64

For users that want to only use a IPv6 stack, yet be able to reach some
IPv4 resources

yes

5Ghz only

v6 with access to some v4 resources through NAT64 and DNS64

eduroam

For educational users, authenticated against their home institution

yes

2.4 and 5Ghz

v4 and v6

ietf-hotel

A network over the hotel infrastructure with no filtering and utilizing the
IETF uplinks

no

2.4 and (some locations) 5Ghz

v4 and v6

All networks marked as encrypted will offer layer 2 security. This is done
using WPA enterprise with 802.1X (PEAP or TTLS) authentication and AES or
TKIP encryption. As usual, we are all using the same credentials (user
“ietf”, password “ietf”), yet each user will get unique session encryption
keys. Our Radius authentication servers use a certificate that you can
verify by going to this page:
https://www.ietf.org/registration/MeetingWiki/wiki/92net.

The “ietf” SSID (the closest thing we have to a “default” wireless network)
now only will be seen on the 5Ghz spectrum. This network is also now
encrypted.

The new “ietf-legacy” SSID will be open (no authentication or encryption)
and available on both 2.4 and 5Ghz channels. This network is primarily
designed for users of older (“legacy”) devices, but can be used by anyone
for any reason. Obviously, there will be no layer 2 security.

The “ietf-2.4ONLY” SSID will allow you to select the 2.4Ghz band yet get an
encrypted connection. This will be useful for those with devices that
support only 2.4Ghz and those that have some issue with the 5Ghz network
configuration.

The only changes to the “ietf-v6ONLY” and “ietf-nat64” SSIDs are the
addition of encryption and the restriction to just the 5Ghz frequencies.
While we’d like all attendees to use these SSIDs, we also improve the
performance of the 2.4Ghz channels by reducing the number of SSID
announcements. In addition, the majority of users of these networks have
been doing so from 5Ghz-capable devices.

“eduroam” hasn’t changed. Those of you that will be using it will already
be aware of it.

And, finally, the “ietf-hotel” SSID uses the hotel network infrastructure,
yet the uplink is ours. This will give an improved experience for IETF
users in their rooms and public spaces around the hotel not covered by the
IETF wireless network. Note that, as we don’t control this network, we will
need to work with the hotel to resolve any issues found.

As a little background, we (the IETF)  have discussed the layout of
wireless networks here at the IETF several times over the last few years,
most recently in a thread Jari Arkko started on the ietf-announce list,
with followups on the ietf list, July 24th of last summer [1]. In addition,
we (the IETF/IAB and I* things) have published several items in this space,
including BCP 188 [2] and the IAB Statement on Internet Confidentiality
[3]. After careful analysis and testing, the NOC team is now able to deploy
changes in keeping with the above to the IETF 92 network.



[1] “Security for the IETF wireless network“

http://www.ietf.org/mail-archive/web/ietf-announce/current/msg13073.html

https://www.ietf.org/mail-archive/web/ietf/current/msg88796.html


[2] “Pervasive Monitoring Is an Attack“

BCP 188, RFC 7258

https://tools.ietf.org/html/bcp188


[3] “IAB Statement on Internet Confidentiality“

https://www.iab.org/documents/correspondence-reports-documents/2014-2/iab-statement-on-internet-confidentiality/

“The IAB now believes it is important for protocol designers, developers,
and operators to make encryption the norm for Internet traffic.  Encryption
should be authenticated where possible, but even protocols providing
confidentiality without authentication are useful in the face of pervasive
surveillance as described in RFC 7258.”


-- 
Chris Elliott
chelliot@pobox.com

"What the f*ck is a sesame? It's a street...it's a way to open sh*t!"
--Mitch Hedberg