eduroam Development VC Minutes 2024-10-22 1530 CEST

Attendance

Attendees

  • Stefan Winter (Restena)
  • Stefan Paetow (Jisc)
  • Anders Nilsson (SUNET) (A Polar Bear in Prague)
  • Halil Adem (GRNET)
  • Derek Eiler (NSHE)
  • Mike Zawacki (Internet2)
  • Janfred Rieckers (DFN)
  • Guy Halse (TENET)
  • Maja Górecka-Wolniewicz (PSNC)
  • Zbigniew Ołtuszyk (PSNC)
  • Paul Dekkers (SURF)
  • Ed Kingscote (CANARIE)
  • János Mohácsi (KIFÜ)
  • Louis Twomey (HEAnet)
  • Fabian Mauchle (Switch)
  • Ed Wincott (Jisc)
  • Tomasz Wolniewicz (PSNC)

Regrets

  • Zenon Mousmoulas (GRNET)

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. WPA3 no-transition for eduroam

    • Everyone was invited to test (oldish) devices for their WPA3 compatibility (i.e. support for PMF and no transition mode) … ?
    • Transition Mode spec may have some hurdles that hinder interop
    • advice to use transition mode was probably okay at the time; but if there are now interop problems, the cleaner (less breaking) advice may very well be to let go of transition mode
    • Is 5 years of WPA3 spec enough time to conclude that we are not hurting deployed client device base much?
    • Middle way could be to have WPA2-only on 2.4 GHz and WPA3-only on 5+6
    • Devices which have WPA2-only typically do not have 5 GHz either; so this could be a good match.
    • more a policy issue (given that there is no perfect technical solution to suggest) - so discuss in eduroam Europe SG call tomorrow
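    The "middle way" from this item as two hostapd configuration fragments (one per radio, each its own hostapd.conf), added here as an illustration rather than taken from the minutes or from any NRO's deployment: the 2.4 GHz radio stays plain WPA2-Enterprise, while the 5 GHz radio is WPA3-Enterprise only, i.e. PMF required and no transition mode. Interface names, channels, the RADIUS server address and the shared secret are placeholders.

    ```ini
    # ---- 2.4 GHz radio: WPA2-Enterprise only (placeholder values) ----
    interface=wlan0
    driver=nl80211
    ssid=eduroam
    hw_mode=g
    channel=6
    ieee8021x=1
    wpa=2
    wpa_key_mgmt=WPA-EAP
    rsn_pairwise=CCMP
    # 0 = PMF disabled, i.e. no WPA3 negotiation at all on this band.
    # 1 would be "PMF optional", which is the WPA3 transition mode the minutes suggest avoiding.
    ieee80211w=0
    # RADIUS/UDP towards the campus proxy; 192.0.2.10 is a documentation address
    auth_server_addr=192.0.2.10
    auth_server_port=1812
    auth_server_shared_secret=REPLACE_ME

    # ---- 5 GHz radio: WPA3-Enterprise only, PMF required, no transition mode ----
    interface=wlan1
    driver=nl80211
    ssid=eduroam
    hw_mode=a
    channel=36
    ieee8021x=1
    wpa=2
    # Both EAP AKMs are offered; what makes this "WPA3-only" is PMF being required below,
    # so a client without PMF support cannot associate on this band.
    wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
    rsn_pairwise=CCMP
    # 2 = PMF required
    ieee80211w=2
    auth_server_addr=192.0.2.10
    auth_server_port=1812
    auth_server_shared_secret=REPLACE_ME
    ```

    The effect is the pairing the discussion describes: devices that only speak WPA2 (and, typically, only 2.4 GHz) associate on the 2.4 GHz radio, while the 5 GHz radio never advertises a PMF-optional RSN and so avoids the transition-mode interop hurdles.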
  3. IETF updates

    • radext interim meeting done
    • RADIUS/(D)TLS draft updated
    • proxying is an issue, but not part of the core RADIUS/TLS spec, so pursued in a different I-D
    • other documents already further in the queue
  4. OpenRoaming / WBA Meeting update

  5. AOB

    • With RADIUS/UDP deprecated: concrete action to take?
    • One could argue that NRO-to-NRO (and TLR) links that replace the transport 1:1 from UDP to TLS (X.509 cert, no dynamic peer discovery) are rather mature
    • This would fix the most “insecure” leg: int’l connectivity
    • NRO’s own network (national network) could be considered a trusted network
    • every implementation has its own rough edges
    • at some point, we need to deploy at a larger scale to learn about and fix issues as they come up
    • this may result in a lower uptime/service availability than good-old RADIUS/UDP provided
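    The static RADIUS/TLS peering described here (an NRO forwarding to its TLR over TLS with a fixed X.509 certificate and no dynamic peer discovery, while the national network is treated as trusted), as an added radsecproxy configuration fragment that is not from the minutes or from any real federation; hostnames, certificate paths, addresses and the realm pattern are placeholders.

    ```conf
    # Inbound: RADIUS/TLS from the TLR, plain RADIUS/UDP only from the national network
    ListenTLS *:2083
    ListenUDP 192.0.2.1:1812

    # Certificate material for the int'l leg (placeholder paths)
    tls nro2tlr {
        CACertificateFile   /etc/radsecproxy/ca.pem
        CertificateFile     /etc/radsecproxy/nro.crt.pem
        CertificateKeyFile  /etc/radsecproxy/nro.key.pem
    }

    # Upstream TLR: transport changed 1:1 from UDP to TLS. Peer identity is the
    # X.509 certificate; "radsec" is the fixed RADIUS/TLS secret, not a real credential.
    server tlr {
        host                  tlr.example.org
        type                  tls
        tls                   nro2tlr
        secret                radsec
        statusServer          on
        certificateNameCheck  on
    }

    # The same TLR as a client, for requests coming in for this NRO's realms
    client tlr {
        host                  tlr.example.org
        type                  tls
        tls                   nro2tlr
        secret                radsec
        certificateNameCheck  on
    }

    # A national IdP/SP on the NRO's own network, left on RADIUS/UDP as a trusted leg
    client national-idp {
        host    192.0.2.20
        type    udp
        secret  REPLACE_ME
    }

    # National realms stay inside the country (placeholder pattern)
    realm /\.example\.org$/ {
        server  national-idp
    }

    # Everything else leaves the country over the TLS link only
    realm * {
        server  tlr
    }
    ```

    Keeping the TLR as a static peer (no dynamic discovery) is what makes this the "mature" variant the discussion refers to; `statusServer on` gives the proxy a liveness check on the TLS link, which is one way to keep an eye on the availability concern raised in the last bullet.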
  6. Next VC

    • 5 Nov 2024, 1530 CET