Taskforce Mobility Mailarchive


Subject Re: WPA problem and eduroam
From Tomasz Wolniewicz <twoln@xxxxxx>
Date Wed, 03 Dec 2008 13:31:37 +0100

Miroslav Milinovic wrote:
> I do acknowledge the "cypher mash" problem you're pointing to but my
> position is that we should not introduce new mash (SSID based:
> eduroam, eduroam2, eduroam3, ... eduroamx, eduroam-ng?) to resolve the
> current one. That is just closing one and opening another (IMO bigger)
> problem.
This is exactly where we differ and there is no telling which one of us
is right, except that you are the one who is running the service :).
I realise I am wasting everyone's time but I will repeat myself once
again. I want to provide a good wireless service for our users. eduroam
is our only local network. There are a lot of good reasons to keep it
that way. If I add WPA2/AES then I am screwing up connectivity for some
devices, making roaming more difficult for some of our users, keeping
old users on TKIP and what is worst of all, my AES users who visit TKIP
sites will return and stay as TKIP clients. In short - adding WPA2/AES
does some harm and brings very little in return.
So what other option do I have?  Just one - start a local AES-only
network, and this is exactly what I would want to avoid.
But, perhaps a local network is the best solution? See how it solves all
the problems - no problem of the user not knowing which network he is in, no
network overlap problem, no eduroam policy restrictions, AES-only
network if I like. Just one little problem - eduroam is becoming the
second-grade solution for our users. If I were just a local admin, then I
would not care, but as the Polish country coordinator, I would not want
this to happen.

>
> I do fear that by introducing eduroam2 we are making a big step back
> when it comes to the usability of the service. In time eduroam2 will
> be a common thing, the eduroam SSID will "die", and WPA/AES will have a
> successor ... what to do then (with SSIDs)?
DOS, DOS 2.0, ... DOS 6.0, ... Windows 3.11, Windows 95, 98, 2000, XP,
Vista ....,
Peugeot 404, 5, 6, 7, 8 ....., IPv4, IPv6, WPA, WPA2 :)

This is something people are used to. Higher number - better service.
"Our new washing powder does an even better job".
eduroam2 is better than eduroam, and eduroam8 in 2050 will be MUCH
better. :).
After all, Internet2 did not choose the name without a reason.
But, seriously - eduroam3 may not be needed. Perhaps the technology will
get so good that our current problems will go away. You could argue the
same about eduroam2 and you would be right, except that it will take
several years before we have something really working.
>
> On the other hand I do not fear to propose more constraints in the
> policy or at least write that WPA/AES is in the "SHOULD status". If at
> least 50% of our users have the equipment that will work OK with
> WPA/AES then IMHO we should start serious thinking on progressing in
> that area. We'll never be able to satisfy the ones with old or exotic
> clients - the realistic goal is to reduce that number as much as
> possible.
We can do that, and probably will, but we will not chance a clean
solution this way.
Would it really be such a big thing to add to the Policy:
"Service providers MAY additionally deploy the SSID "eduroam2". This
SSID MUST be protected by WPA2/AES encryption."


Tomasz

-- 
Tomasz Wolniewicz    
          twoln@xxxxxx        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576