Opened 3 years ago

Closed 3 years ago

#1189 closed request (not broken)

Re: ESSIDs at IETF 100

Reported by: alexandre.petrescu@…
Owned by: jim@…
Priority: tbd
Milestone: ietf-100
Component: other


For now I copy tickets @ and remove 6MAN WG list from
subsequent follow-ups.

One ticket: I connected to ietf-v6only some years ago and since then I
have had a DNS IPv6 resolver name frozen in my Windows.  That makes my
computer sometimes issue IPv6 DNS requests on other networks that are,
err... "IPv4 only".  That is worrying for the network protectors.  I
would like to no longer get such a DNS IPv6 address frozen in my Windows
whenever I travel to IETF, thank you.

Second ticket: the IETF ESSIDs are friendly to Mac users and
non-friendly to Windows users.

Third ticket: security: the steps of "Uncheck Validate Server Cert" and
of the use of a public ietf/ietf username/password, and the use of a
binary IETF WiFi manager unknown to Symantec, is highly

Details below.


On 14/11/2017 at 08:31, joel jaeggli wrote:
> On 11/14/17 14:59, Alexandre Petrescu wrote:
>> On 14/11/2017 at 07:24, Warren Kumari wrote: [...]
>>> Nope. We have the legacy SSIDs because some people apparently
>>> had issues connecting to encrypted SSIDs (because of old OS /
>>> broken wpa_supplicant, etc) - this wasn't an issue with certs, but
>>> rather providing a solution for those who are unable to do WPA
>>> enterprise / have old cards, etc.
>> Well - sorry, but all these reasons seem light for me.
>> I have Windows 7 which is not old.  Updated regularly from
>> Microsoft and from employer IT.
> Mainstream support ended January 13, 2015. It works, if you were
> looking for a more streamlined experience, the user experience has
> improved a bit since then, it has not been backported.

It's good to know.

I am more conservative than streamlined in terms of computer use.  Just
as "ls" and "cp" stay same, the Windows experience should stay same.

>> The WPA_supplicant comes from original.  It is widely accepted at
>> many other hotspots.
>> My laptop is very well able to do WPA enterprise, and WPA2
>> Enterprise.
>> The laptop is a Dell E7440, 2 or 3 years old.  I don't accept to
>> call that old.  What makes laptops old is when they break; they
>> often break because of mechanically moving parts like hd, but this
>> one is SSD.
>> Rather, I suspect there is a preference at the Access Point to
>> favour Macintosh variations of WiFi Clients, rather than
>> Windows.
> There's no obvious basis for that assertion.

See below.  Basically: why must the Windows users do some manipulation
in order to make it work, but the Mac users not?  That's preference.

>> I also wonder why my Windows complains that the cert emitted by
>> IETF is "not configured as a valid anchor".  Should I manually
>> install that cert?  If so, that is little reasonable to ask.

I think the page could be improved.  It does not detail
"ietf-hotel" in the table, it says "5GHz" where it should say "5.4", etc.

The Windows pdf says either "ietf" or "ietf-2.4ONLY".  It does not say 

The Windows pdf says at the last page "Click here" on the "Configure next to
Secured password (EAP-...)" but it does not say you should continue and
further uncheck "Use Automatically my Windows Username and Password".
If you don't do that the connection does not work.

The worst is that the Windows pdf says "Uncheck this box 'Validate
Server Certificate'".  And then recommends to use username/password
ietf/ietf published on a public web page.

Is it ok to _not_ validate Server Certificates?

Is it ok to encrypt with a password that everyone knows?

They only ask this manipulation for Windows, not for Mac.  This is a
sign the AP gives preference to Mac users.  Because the Mac users don't
have to do anything about this.

If I were to configure APs at IETF I would give equal preference to
every OS: no need to update drivers, check boxes, or install software.


Thanks again, I downloaded it.  It's for Windows.  Why not for Mac?

Right after download, my Enterprise anti-virus Symantec claims it has
not enough information to ensure it's good.  Some reputation alert
saying Symantec never saw this file (attached).  So I don't trust it.

I can trust the logo IETF puts on that page, trust the fact that it 
mixes French and English, but mechanically speaking, the mechanism does 
not inspire confidence.

> Dear IETF user,
> Now that you have downloaded and installed a client configurator, all
> you need to do is find a IETF hotspot in your vicinity and enter your
> user credentials (this is our fancy name for 'username and password'
> or 'personal certificate') - and be online!

I don't have a 'personal certificate', where can I get one?

> Whatever problem you may encounter, or for any other
> information ("totu" in the original, for "tout"), please contact the
> IETF support centre. They will diagnose the problem or provide any
> other help that may be needed. You can reach them using one of the
> means described above.

It leads to this

Needs to log in...

(who once got a virus through Bluetooth at an IETF meeting :-)

>> Alex
>>> There was an assertion made that some people were not using
>>> nat64 and were using ietf-legacy were easier, and so there should
>>> be parity, and so the ietf-nat64-unencrypted was created. We are
>>> changing the name of the ietf-legacyXXX network at each meeting
>>> because we don't want people who connected to it at a previous meeting
>>> to become sticky to it and keep joining -- it requires a specific
>>> action at each meeting for the user to choose the unencrypted
>>> network -- we'd all prefer that people use the encrypted
>>> network...
>>> And yes, my VPN FortiClient works ok on ietf-nat64-unencrypted.
>>> Alex
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> Administrative Requests:
>>> --------------------------------------------------------------------
>>> I don't think the execution is relevant when it was obviously a
>>> bad idea in the first place. This is like putting rabid weasels
>>> in your pants, and later expressing regret at having chosen those
>>> particular rabid weasels and that pair of pants. ---maf


Attachments (1)

Capture-4.JPG (67.8 KB) - added by alexandre.petrescu@… 3 years ago.
Added by email2trac


Change history (4)

Changed 3 years ago by alexandre.petrescu@…

Attachment: Capture-4.JPG added

Added by email2trac

comment:1 Changed 3 years ago by llynch@…

Component: incoming → other
Owner: changed from < default > to jim@…
Status: new → assigned

comment:2 Changed 3 years ago by jim@…


Thanks for the ticket ... while I don't agree with everything you're saying, it's always useful to get input from the users of the network. I'll take your points one by one...

On the "Frozen DNS Server" topic, we'd be happy to try to help clear it up. Please come visit the help desk in the Terminal Room (Ord/Blundell?) and we'll see what we can do. There's nothing we do that we're aware of that "locks" anything we advertise into your machine.

On things being more Mac friendly and less Windows friendly, I'm not sure I follow your argument. We simply provide standard WPA2 Enterprise based SSIDs, nothing Mac specific. We do provide some instructions to help Windows users connect, but that's been driven by the questions we've been asked at the help desk and were provided to help people connect more easily.

On the well known "insecure" WPA2 Enterprise credentials of ietf/ietf. The goal of this is to provide per-association keying, not to limit access. We're happy to let people (IETF or otherwise) on the network, but we don't want your traffic to be visible to the person beside you. Using PSK or Open would make that traffic visible.

Finally, on the topic of the certificate. We provide a properly signed, legitimate certificate; however, because it's associated with an SSID, not a FQDN, it's not verifiable using the same mechanisms that a web site would be. The "blob" we provide will address that issue. If there's a better solution you're aware of, please share it, as we're always open to improving things!

Let us know if you have further questions!

  • Jim
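The two settings argued over in this thread (unchecking "Validate Server Certificate" versus trusting the NOC's certificate, with the published ietf/ietf credentials) expressed as wpa_supplicant network blocks. This is an added example, not the ticket's own text nor the IETF NOC's configuration; the CA bundle path and the server name in domain_match are placeholders, since the page does not give the name in the NOC's certificate.

```conf
# Weak: the equivalent of unchecking "Validate Server Certificate".
# With no ca_cert, the client accepts any RADIUS server presenting any
# certificate.  The ietf/ietf credentials are public, so the server
# check is the only thing that identifies the real network to the
# client; without it, the per-association keying Jim describes still
# happens, but possibly with a network that merely announces the same SSID.
network={
    ssid="ietf"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="ietf"
    password="ietf"
}

# Corrected: pin the CA that issued the NOC's certificate and the name
# in that certificate.  The association only completes if the server
# proves possession of a certificate chaining to the pinned CA and
# carrying the expected name.
network={
    ssid="ietf"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="ietf"
    identity="ietf"
    password="ietf"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # assumed CA bundle path
    domain_match="radius.example.net"               # placeholder server name
}
```

The Windows "Validate Server Certificate" checkbox and its trusted-root selection correspond to ca_cert and domain_match here, which is what the downloadable configurator in this ticket sets up for Windows users.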

comment:3 Changed 3 years ago by jim@…

Resolution: not broken
Status: assigned → closed

Resolving as IETF 100 is long over. If you see an issue at IETF 101, please submit a new ticket and we'd be happy to help.

  • Jim