eduroam Development VC Minutes 2021-11-23 1530 CET
Attendance
Attendees
- Stefan Winter (Restena)
- Mike Zawacki (Internet2)
- Sara Jeanes (Internet2)
- Janos Mohacsi (KIFU)
- Tomasz Wolniewicz (PSNC)
- Christian Rohrer (SWITCH)
- Geoffroy Arnoud (RENATER)
- Arnaud Lauriou (RENATER)
- Chris Phillips (CANARIE)
- Zbigniew Ołtuszyk (PSNC)
- Dubravko Penezić (Srce)
- Maja Górecka-Wolniewicz (PSNC)
- Louis Twomey (HEAnet)
- Stephanie Cooper (ANYROAM)
- Chad Bauer (ANYROAM)
- Wenche Backman-Kamila (CSC/Funet)
- Stefan Paetow (Jisc)
- Edward Wincott (Jisc)
Regrets
- Zenon Mousmoulas (GRNET)
Agenda / Proceedings
Welcome / Agenda Bashing
MAC Address randomization
Is it useful to make this configurable in CAT? Useful insight: https://www.extremenetworks.com/extreme-networks-blog/wi-fi-mac-randomization-privacy-and-collateral-damage/
From the above link:
"Just so you know, it's that second hex value in the MAC address that indicates a private (software-generated) address. Any address matching one of the following patterns is considered private:
x2:xx:xx:xx:xx:xx
x6:xx:xx:xx:xx:xx
xA:xx:xx:xx:xx:xx
xE:xx:xx:xx:xx:xx"
- statistics are losing value as a side effect: users will count as "new" after a certain amount of time (on every MAC address change on the network)
- old AP hardware might get confused when too many / strange sequences of MACs are around
- "throw away the junk and buy new hardware" is an answer that doesn't go down well everywhere
- two options: either give up privacy, but stuff works everywhere, OR insist on the newest privacy add-ons, and be DoSed at some hotspots
- Problem is: this can be either on or off for any one network profile - in a global roaming consortium like eduroam that sits on one single SSID, this means: you do it for all the APs on the planet, or not at all.
- Does continued use of old equipment outweigh the privacy loss?
- Also, Apple at least aggressively shows a warning if MAC randomization is off.
- So: brand damage (“privacy nightmare network”) or loss of eduroam SP participants on the tail end
- let the user decide?
- hidden profile (activated by admin) is an option. Give the normal profile out by default, have the admin point users to the hidden one in case they are experiencing problems somewhere
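To show how the x2/x6/xA/xE patterns quoted above translate into a check, and why per-MAC statistics lose value when clients randomize, here is an added example (not part of the minutes or of CAT). It tests the locally-administered bit of the first octet and compares the device count by MAC against the count by user over a constructed set of accounting-style records; the sample users and addresses are invented.

```python
import re

# Accepts colon- or hyphen-separated MAC notation (RADIUS Calling-Station-Id uses both).
MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)


def is_locally_administered(mac: str) -> bool:
    """True if the MAC has the locally-administered (U/L) bit set.

    That bit is bit 1 of the first octet, so the second hex digit is
    2, 6, A or E, matching the x2/x6/xA/xE patterns quoted above.
    Randomized (private) addresses always set this bit; burned-in
    addresses from an OUI normally do not.
    """
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(m.group(1), 16)
    return bool(first_octet & 0x02)


# Constructed sample of (User-Name, Calling-Station-Id) pairs, not real data.
# alice's device rotates its MAC, so she shows up as three "devices".
SAMPLE_SESSIONS = [
    ("alice@example.edu", "e2:1b:9c:44:0a:10"),
    ("alice@example.edu", "AA-5E-03-77-12-9F"),
    ("alice@example.edu", "ce:00:00:00:00:01"),
    ("bob@example.edu", "3c:22:fb:10:20:30"),
    ("bob@example.edu", "3c:22:fb:10:20:30"),
    ("carol@example.edu", "06:12:34:56:78:9a"),
]


def device_counts(sessions):
    """Compare devices counted by MAC with devices counted by user."""
    macs = {mac.lower().replace("-", ":") for _, mac in sessions}
    randomized = {mac for mac in macs if is_locally_administered(mac)}
    users = {user for user, _ in sessions}
    return {
        "distinct_macs": len(macs),
        "randomized_macs": len(randomized),
        "distinct_users": len(users),
    }


if __name__ == "__main__":
    print(device_counts(SAMPLE_SESSIONS))
```

The gap between distinct_macs and distinct_users is the over-count a MAC-based statistic produces once randomization is on.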
2a. (similarly: Proxy autoconfig)
- there is no correct choice. Any choice breaks a subset of SPs.
- Fixing your own deployment at home is of course the "natural" choice to make, but it gives no overview of how many other sites break with it.
- document the issue in the wiki so people have a permanent reference
- HS 2.0 profile naming in Windows (revisited)
- here we discuss the naming for eduroam RCOI (Passpoint, but “our” eduroam), NOT the OpenRoaming one
- (netsh/XML): if you want to configure an RCOI, you MUST also supply an SSID, but the SSID WILL be ignored.
- leads to two distinct profiles for eduroam: one for the SSID (name “eduroam”), one for the RCOI (name: “Needs-a-second-name!”)
- previously discussed: use “eduroam Hotspot 2.0” to match network nomenclature in Windows (as displayed during network selection)
- Windows 10 uses “Hotspot 2.0”, but 11 uses “Passpoint”
- So maybe scratch the Hotspot 2.0 and Passpoint words anyway, and use “eduroam via partner” instead
- whatever the choice, it is only seen during network selection. Once connected, only the SSID is displayed. Windows 11 invented an auxiliary place where the profile name is indeed shown, but it is unintuitive.
- W10: “eduroam via partner, Hotspot 2.0”
- W11: “eduroam via partner, Passpoint”
- W11: “eduroam via partner” in the shallow network overview
- [the OpenRoaming specific profile is always called “OpenRoaming (realm.tld)”]
- AOB
- profiles not installing properly on Android 7 with the eduroamCAT app? Did the IdP check that their server cert has CN and sAN:DNS both inside? They did. Let's take this offline and investigate more (StefanP to send details to StefanW and Tomasz).
- Next VC
07 Dec 2021, 1530 CET