Access control should be used when you need access control. Sometimes engineers need to step back from solving the problem, and look at whether the problem needs to be solved.
Yes...
What access control do you need for a public drinking fountain?
Today, none, that was different in recent past.
What access control do you need for a public wireless access point?
Depends on the network. If you are a provider of public wireless for a fee, then you want to make sure you can charge the user. Thus you need to beable to identify the user so you can charge them. You need to also prevent theft of service, via false id's or bypassing the id method, etc. For events like a NANOG, et al, given the large number of "different and ad-hoc" systems, identificaion is more a pain. It needs to be balanced between the "cost, hassle factor" and the life of the network. I'd say that mostly this is a rat hole thread. Short lived conference networks will be insecure. Those attending should be told, and expect it. They should prepare accordingly. Show ops should have plans incase someone steals bandwidth, or causes other problems with the "important show net stuff" like multicast feeds. The cost and management requirements to deploy a reasonably secured network for a show are higher than the benifits.... I don't see conferences giving out USB dongles to people with their ID stored, or SecureID cards anytime soon :)
WEP won't keep people from hacking other laptops at Nanog meetings, and won't stop people from sniffing plain-text passwords. Everyone at the meeting will have the key, and a secret shared with 500 people won't stay secret for even two days. For a network with no other access control, what purpose does WEP serve?
As long as we are all on a shared layer two network, we are vulnerable. john brown