On Sat, 21 Sep 2002, Martin J. Levy wrote:
I agre security is sadly lacking, but it is probably impossible to implement in a conference environment.
Look this is a very simple issue. Sean's first post really pointed out that it's "bad form" for a set of operators to run an insecure network. I would believe that it's "good form" to at least try. It was stated that the network was not run by the "operators". OK, I accept that, but it's run by people with great (actually fantastic) connections to real operators (ie: us).
I feel like a Rorschach Test. Is the Nanog confernce network really insecure for its purpose? Some security experts may claim it is, but I'm not certain they are correct. Do you put a biometric reader and armed guard next to a public drinking fountain? What is the risk of someone stealing the water? Its possible, even likely, an unauthorized person will take a drink but what is the loss versus the cost of more security for the drinking fountain? Yes, some security consulting firm issuing press releases about the dangers of war-chalking, war-driving, war-pr may claim the network is insecure. Its great for generating publicity. The Nanog conference wireless network a semi-public, unauthenticated network used by several hundred competitors for a few days. It is about as secure as the wired network, the hotel in-room cable, cellular telephones or most other available means of communication at a convention center. Users can take appropriate measures to secure their communications based on their risk acceptance. I don't see much of a need to rely on a volunteer network operator to provide what I think is the appropriate level of security for my communications. Heck, even if Nanog used the latest, greatest network security whiz-bang gadgets to secure the network; I still wouldn't rely on it.
WEP may not be a good protocol, but it's better than nothing. If people thing it's hard to configure, then run two networks.. one without WEP and one with WEP.
Link-layer encryption always sounds like a "simple" security solution. But when using other people's networks, you are usually better off with a different security solution. How many people use modems with encryption to dial into their local ISP? How many use link-layer encryption with their NIC cards on their wired networks?
Security is a relative thing... Normally security at the door to the nanog conference hall is "low", but that does not seem to bother many people. (Hence security at a "wired" locations within the conference is "low" making the WEP issue mute).
ICANN had armed guards at its meeting to keep the rif-raff out. I don't think NANOG requires that level of security (yet). We still run the network cable down the hallways, and "hide" the wireless access points in the potted palms next to the bar.