----- Original Message -----
> From: "Måns Nilsson" <mansa...@besserwisser.org>
> 05:45:55PM -0400 Quoting Jay Ashworth (j...@baylink.com):
> > ----- Original Message -----
> > > At all possible cost, avoid login or encryption for the wireless.
> >
> > Yes, and no.
> > <snip>
>
> Just keep in mind that every action you make the visitors have to
> perform to get Internet connectivity is a support workload.

I understand entirely. That was the reason for my "remember each MAC
address for the entire event" approach to captive portal. I foresee the
guests entering a code from their event badge the first time they use
each device. Unlike most events, I also foresee a single-page "How to use
our Internet connectivity" sheet that actually tells you what you need
to know. :-)

> > (For example, I have no problems blocking outbound port 25 and
> > redirecting recursive DNS -- though I do want a system that permits
> > me to whitelist MACs on request. But I would do those on the guest
> > and dealer nets, and not on the staff one.)
>
> Remember that DNSSEC breaks quite easily if you redirect DNS and since
> this is three years in the future, the uptake on DNSSEC may well have
> hit the point where there is visual feedback on validation in client
> UI.

Good point.

> > > While things have become much better, doing 802.1x on conference
> > > wireless probably is a bit daring. OTOH eduroam does it all over
> > > Europe.
> >
> > If I did try to do that, it would probably only be on the staff
> > network; it's a much more constrained environment.
>
> It'll work much better there, and FWIW, will be a little yet perhaps
> effective speedbump for intruders.

Was my plan, yes. This isn't, really, defcon. :-)

> > > And get v6.
> >
> > Yeah, I assumed that, though it will be interesting to see how much
> > play it actually gets; these are SF geeks, not networking geeks.
>
> Again, even in North America, the uptake may well have accelerated
> enough that it is To Be Expected. Besides, IME, SF geeks are computer
> savvy more than others.
I've heard that asserted. I'm not certain to what extent it's actually
true.

> > Oh yeah. I'm fond of leases as short as 30 minutes, though if I have
> > a /16, I won't care as much.
>
> A couple hours will get the user over a lunch break if not overnight,
> which means that long TCP sessions survive on Proper Computers (that
> don't tear down TCP on link loss. I'm looking at you, Microsoft!).

Well, I'm a firm believer in Least Recently Used, so as long as my DHCP
block is larger than my userbase, everyone will have the same address
all weekend anyway.

> This is Really Nice. Open up computer from sleep and press enter in
> xterm and ssh session is up. (my personal record is for telnet, an
> untouched connection survived two taxi trips, one night, some NATed
> wlan at the hotel and when I got back to the right network I just
> plugged the cable in and continued in the same session. But I cheated
> and had fixed addresses.)

Nice. :-)

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                      j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      #natog                      +1 727 647 1274
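The lease-reuse reasoning in the message above ("as long as my DHCP block is larger than my userbase, everyone will have the same address all weekend"), as an added worked example that is not part of the original thread and not code from any DHCP server: a small Python simulation of a dhcpd-style pool. It assumes an allocator that first re-offers a returning client its previous address if that address is still free, and otherwise hands out the free address that was released longest ago (least recently used). The 10.20.0.x range, the 30-minute lease and the MAC addresses are constructed for the demonstration.

```python
"""Simulate a DHCP pool with previous-lease affinity plus LRU reuse.

Added example for the lease discussion in the thread; it is not code from
the thread or from any DHCP server. The address range, lease time and MAC
addresses are constructed for the demonstration.
"""
from collections import OrderedDict
from ipaddress import IPv4Address
from typing import Optional


class LruDhcpPool:
    """Address pool: returning clients get their old address back if it is
    still free; everyone else gets the least recently used free address."""

    def __init__(self, first: str, count: int, lease_time: int, affinity: bool = True):
        self.lease_time = lease_time
        self.affinity = affinity
        # Free addresses, oldest release at the front (the LRU candidate).
        self.free: "OrderedDict[IPv4Address, None]" = OrderedDict(
            (IPv4Address(first) + i, None) for i in range(count))
        self.leases: dict[str, tuple[IPv4Address, int]] = {}  # mac -> (ip, expiry)
        self.last_ip: dict[str, IPv4Address] = {}             # mac -> previous ip

    def expire(self, now: int) -> None:
        """Release expired leases; a released address becomes the most recently used."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free[ip] = None

    def request(self, mac: str, now: int) -> Optional[IPv4Address]:
        """Handle a request from `mac` at time `now`; None means the pool is exhausted."""
        self.expire(now)
        if mac in self.leases:                                   # active lease: renewal
            ip = self.leases[mac][0]
        elif self.affinity and self.last_ip.get(mac) in self.free:
            ip = self.last_ip[mac]                               # previous address still free
            del self.free[ip]
        elif self.free:
            ip, _ = self.free.popitem(last=False)                # least recently used
        else:
            return None
        self.leases[mac] = (ip, now + self.lease_time)
        self.last_ip[mac] = ip
        return ip


def simulate(pool_size: int, schedule: list[list[str]], lease_time: int = 1800,
             affinity: bool = True) -> dict[str, list[Optional[str]]]:
    """Run each round of requests after every lease from the previous round has
    expired, and return the address each MAC received in each round."""
    pool = LruDhcpPool("10.20.0.10", pool_size, lease_time, affinity)
    history: dict[str, list[Optional[str]]] = {}
    for rnd, macs in enumerate(schedule):
        now = rnd * (lease_time + 1)          # 1 s past the previous round's expiry
        for mac in macs:
            ip = pool.request(mac, now)
            history.setdefault(mac, []).append(str(ip) if ip is not None else None)
    return history


def stable_clients(history: dict[str, list[Optional[str]]]) -> list[str]:
    """MACs that got the same address every round and were never refused."""
    return sorted(m for m, ips in history.items()
                  if None not in ips and len(set(ips)) == 1)


# Constructed "regular attendee" devices.
REGULARS = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
WALK_IN = "00:11:22:33:44:99"

if __name__ == "__main__":
    # Pool larger than the userbase: everyone keeps their address across expiries.
    print(simulate(4, [REGULARS] * 3))
    # Same pool, LRU reuse without affinity: addresses rotate every lease.
    print(simulate(4, [REGULARS] * 3, affinity=False))
    # Pool not larger than the userbase: one walk-in displaces a regular.
    print(simulate(3, [REGULARS, [WALK_IN] + REGULARS]))
```

The three runs separate the two ingredients of the claim. Stability comes from the server re-offering a client its previous address; LRU reuse is what keeps that address from being handed to someone else first, since an address that just expired is the most recently used and so the last one a new client would be given. Pure LRU with no affinity rotates addresses on every expiry even with spare capacity, and once the pool is no larger than the number of distinct devices that show up, a single walk-in is enough to push a regular onto a new address.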