Taskforce Mobility Mailarchive

Subject: Re: WPA problem and eduroam
From: Tomasz Wolniewicz <twoln@xxxxxx>
Date: Wed, 03 Dec 2008 12:06:51 +0100
Miro,
> Tomasz, all
>
> * we definitely have to change the Policy (I'd say: adjust it to the
> technical development) in the next year or so. The WPA problem is one
> of those we have to deal with and IMHO should have implications for
> the new version of eduroam technical reqs. So I see it as a normal
> service evolution while your proposal with eduroam2 looks to me as a
> trial to avoid Policy ... and create another service ... with another
> policy?
avoid - definitely no - extend it - yes. Simply add that a new SSID
eduroam2 is standardised. It MUST be WPA2/AES-only. All other policy
statements remain in place.
>
> * our tools (eduroam database, maps) were designed to help and inform
> users on the cypher mash and provide info on WEP/WPA/TKIP/AES/XYZ. I
> wonder why we are not using them to the full potential?
This is a different problem altogether. The user is attended to at his home
institution. Here we can set things up for him. About 50% of our users
come to our help-desk for initial configuration. I do not understand why
- we have very good tools and instructions, but they still do. These
users will be totally helpless if eduroam does not work for them at
another site, so they will either return with the opinion that "eduroam
sucks", or will make a nuisance of themselves to the SP admins. What good is
it to them that we have some information on the net if they cannot use
the net in the first place? They will not look things up in advance.
eduroam is supposed to work for you and not require that you prepare and
print out specifications before you go.
What about two eduroam institutions in a single city and users roaming
every day? Do we really want to make them use TKIP only where they could
use AES at their own site and TKIP at the other?
TKIP sucks not only because of this recent problem. TKIP has this
strange "countermeasures" idea - if the AP sees something funny from a
single client it is supposed to shut down the transmission for 60
seconds cutting off all the clients. Some vendors are breaking the
standard by allowing the admin to change the 60s to something else or
even disable it completely, but this is not a solution. WPA/TKIP is no
good when the user changes the AP - in spite of what all vendors say,
reauthentication is necessary. With WPA2 we have PMK caching and
preauthentication, so handover can really happen without a fuss.
TKIP has to stay in eduroam for compatibility, but it should not block
our way forward. If it does, we will have to start building our own
local SSIDs and this WILL be avoiding the policy and creating a mess.
Tomasz
--
Tomasz Wolniewicz
twoln@xxxxxx http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
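As an added illustration, not part of the original message or of any eduroam project configuration, the following hostapd fragment shows one access point carrying both the compatibility SSID with TKIP still offered and the proposed WPA2/AES-only "eduroam2" SSID, with the PMK caching and preauthentication options the message refers to. The interface names, RADIUS address and shared secret are placeholders.

```ini
# Constructed hostapd.conf example (not from the original post).
# Radio-level settings shared by both BSSes; interface name is a placeholder.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# --- BSS 1: the existing "eduroam" SSID kept for compatibility ---
# wpa=3 enables both WPA (bit 0) and WPA2 (bit 1).
ssid=eduroam
ieee8021x=1
wpa=3
wpa_key_mgmt=WPA-EAP
# TKIP is offered to WPA clients. Under 802.11i, two MIC failures within
# 60 seconds trigger the TKIP countermeasures described in the message,
# which disable TKIP associations on the BSS for 60 seconds.
wpa_pairwise=TKIP
# WPA2 clients on the same SSID still get AES-CCMP.
rsn_pairwise=CCMP
# Placeholder RADIUS server (TEST-NET-1 address) and shared secret.
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER_SHARED_SECRET

# --- BSS 2: the proposed "eduroam2" SSID, WPA2/AES-only ---
# A second BSS on the same radio; its virtual interface name is a placeholder.
bss=wlan0_1
ssid=eduroam2
ieee8021x=1
# wpa=2 advertises WPA2 (RSN) only, so no TKIP and no countermeasures.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER_SHARED_SECRET
# WPA2 PMKSA caching is on by default for EAP; opportunistic key caching
# additionally lets a client reuse its PMK on other BSSes of this hostapd
# instance, so a roaming client skips the full EAP exchange.
okc=1
# IEEE 802.11i preauthentication over the wired side: a client can run EAP
# with the next AP before it moves, which is the "handover without a fuss"
# the message contrasts with TKIP reauthentication. Interface is a placeholder.
rsn_preauth=1
rsn_preauth_interfaces=eth0
```

The two BSSes share one RADIUS backend, so adding the WPA2-only SSID changes nothing about the authentication path; only the cipher suites and key-caching behaviour differ.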