Re: Big Temporary Networks

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "Måns Nilsson" <mansaxel () besserwisser org>

> 05:45:55PM -0400 Quoting Jay Ashworth (jra () baylink com):
> > ----- Original Message -----
> > > At all possible cost, avoid login or encryption for the wireless.
> >
> > Yes, and no.
>
> <snip>
>
> Just keep in mind that every action you make the visitors have to
> perform to get Internet connectivity is a support workload.

I understand entirely.  

That was the reason for my "remember each MAC address for the entire event" 
approach to captive portal.  I forsee the guests entering a code from their 
event badge the first time they use each device.  Unlike most events, I also
forsee a single page "How to use our Internet connectivity" sheet that actually
tells you what you need to know.  :-)

> > (For example, I have no problems blocking outbound port 25 and
> > redirecting
> > recursive DNS -- though I do want a system that permits me to
> > whitelist
> > MACs on request. But I would do those on the guest and dealer nets,
> > and
> > not on the staff one.)
>
> Remember that DNSSEC breaks quite easily if you redirect DNS and since
> this is three years in the future, the uptake on DNSSEC may well have
> hit the point where there is visual feedback on validation in client
> UI.

Good point.
 
> > > While things have become much better, doing 802.1x on conference
> > > wireless probably is a bit daring. OTOH eduroam does it all over
> > > Europe.
> >
> > If I did try to do that, it would probably only be on the staff
> > network; it's a much more contrained environment.
>
> It'll work much better there, and FWIW, will be a little yet perhaps
> effective speedbump for intruders.

Was my plan, yes.  This isn't, really, defcon.  :-)

> > > And get v6.
> >
> > Yeah, I assumed that, though it will be interesting to see how much
> > play it actually gets; these are SF geeks, not networking geeks.
>
> Again, even in North America, the uptake may well have accelerated
> enough that it is To Be Expected. Besides, IME, SF geeks are computer
> savvy more than others.

I've heard that asserted.  I'm not certain to what extent it's actually true.

> > Oh yeah. I'm fond of leases as short as 30 minutes, though if I have
> > a /16, I won't care as much.
>
> A couple hours will get the user over a lunch break if not overnight,
> which means that long TCP sessions survive on Proper Computers (that
> don't tear down TCP on link loss. I'm looking at you, Microsoft!).

Well, I'm a firm believer in Least Recently Used, so as long as my DHCP block 
is larger than my userbase, everyone will have the same address all weekend
anyway.

> This
> is Really Nice. Open up computer from sleep and press enter in xterm
> and ssh session is up. (my personal record is for telnet, an untouched
> connection survived two taxi trips, one night, some NATed wlan at the
> hotel and when i got back to the right network I just plugged the
> cable in
> and continued in the same session. But I cheated and had fixed
> addresses.)

Nice.  :-)
 
Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274