Network: Difference between revisions

From Electromagnetic Field 2022

Latest revision as of 20:59, 1 June 2022

Team:NOC has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents.

Key points

  • To use the camp WiFi on most modern devices, connect to the emfcamp network with a username of emf and a password of emf.
  • If you're using a modern Android phone (Android 10 or above), the emfcamp-insecure22 network is easier to configure, and it will be encrypted (despite the name).
  • Don't set up your own wireless access point. This is a serious problem in such a dense event and here's why.

Wireless

Network Name (SSID): emfcamp
Username: emf
Password: emf

The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Please note that on the wired network (and on WiFi with the allowany login) your device is reachable by anyone on the Internet, and with the default emf login it is still reachable by anyone else on the campsite. Take suitable precautions such as turning on a firewall and making sure your software is up to date.

You should not bring your own wireless access point: it's unlikely to provide better service than the camp ones, and it makes the network worse for everyone else. Any rogue access points will be hunted down and disconnected from the network - see Network/Rogue_Access_Points if you want to know why. If you have a project that needs to provide its own AP for some reason please contact the NOC and we will find an alternative solution.

Here is the complete list of wireless networks (SSIDs) available:

  • emfcamp: 2.4GHz + 5GHz. You should use this one in preference, if you can see it. This is the most secure option, WPA2-Enterprise. However, it's a pain to configure on Android devices.
  • emfcamp-insecure22: Warning: insecure on some devices. This is both 5GHz and 2.4GHz, and can be used for older devices that don't support WPA2-Enterprise. If your device supports Opportunistic Wireless Encryption, such as Android 10 or above, this is encrypted, although not quite as secure as the emfcamp SSID. Otherwise, it's unencrypted, and people will likely intercept your traffic. Inbound connections from the rest of the campsite are possible, inbound connections from the Internet are blocked.
  • spacenet: 2.4GHz + 5GHz and WPA2-Enterprise. You can connect with a valid account if your hackerspace offers one.
  • eduroam: 2.4GHz + 5GHz and WPA2-Enterprise. You can connect with a valid account if your university/college/school is offering eduroam. More information can be found at eduroam.org.

When connecting to any of the WPA2-Enterprise networks, which require a username and password, you can use one of the following accounts (case-sensitive):

  • Username emf / Password emf: Filtered connection with public IP address. Inbound connections from the rest of the campsite are possible, inbound connections from the Internet are blocked.
  • Username allowany / Password allowany: Unfiltered connection with public IP address.
  • Username outboundonly / Password outboundonly: Filtered connection with public IP address. Inbound connections from the Internet or campsite are not possible.

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt any sensitive traffic sent over the air end-to-end to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to use a lot of bandwidth (e.g. stream videos or download large files), please use a wired connection.


Client Settings

Also see Network/802.1X client settings for a list of OS-specific client settings.

SSID: emfcamp

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.emf.camp
CA = ISRG Root X1
SHA256 Fingerprint = B8:3B:F9:39:C4:F2:BF:D0:87:D7:93:5C:A0:DD:18:F3:31:7B:DD:B1:EC:88:3B:22:E0:B2:39:CB:7C:F8:FD:43

Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check here for the complete certificate.
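As an added example (not part of the NOC's own page or tooling), here is a shell function that writes out a wpa_supplicant configuration using the settings above: EAP-TTLS with PAP for emfcamp, the ISRG Root X1 file at the Ubuntu/Debian path, and domain_match pinning the server name to radius.emf.camp, with OWE on emfcamp-insecure22 as a lower-priority fallback. The function name, the ctrl_interface path and the priority values are this example's own choices, and the username must be one of the three accounts listed above.

```shell
# Added example, not from the EMF NOC page: print a wpa_supplicant
# configuration for the emfcamp SSIDs using the documented client settings.
# Assumptions: the CA file is at the Ubuntu/Debian path the page gives,
# and wpa_supplicant was built with EAP-TTLS and OWE support.
emf_wpa_conf() {
    # $1 = username, $2 = password; only the three documented accounts are accepted
    case "$1" in
        emf|allowany|outboundonly) ;;
        *) echo "unknown account '$1' (expected emf, allowany or outboundonly)" >&2; return 1 ;;
    esac
    cat <<EOF
ctrl_interface=/run/wpa_supplicant
update_config=0

# Preferred: WPA2-Enterprise, EAP-TTLS with PAP inside the TLS tunnel.
# ca_cert + domain_match pin the RADIUS server to ISRG Root X1 and
# CN=radius.emf.camp. Without them a rogue AP running its own RADIUS
# server would complete the handshake and receive the tunnelled password.
network={
    ssid="emfcamp"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="$1"
    password="$2"
    ca_cert="/etc/ssl/certs/ISRG_Root_X1.pem"
    domain_match="radius.emf.camp"
    priority=10
}

# Fallback: Opportunistic Wireless Encryption on the "insecure" SSID.
# Encrypted over the air but unauthenticated, so it gets lower priority.
network={
    ssid="emfcamp-insecure22"
    key_mgmt=OWE
    ieee80211w=2
    priority=5
}
EOF
}
```

Run `emf_wpa_conf emf emf > /etc/wpa_supplicant/wpa_supplicant.conf` and start wpa_supplicant as usual. The reason both ca_cert and domain_match are set is that the PAP password is only sent after the TLS tunnel is up; if the server certificate fails either check the handshake aborts and the password never leaves the device, which is what makes the "secure" SSID actually more secure than the open one.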

Ubuntu network settings

On Ubuntu/Debian based distros the certificate file can be found in /etc/ssl/certs/ISRG_Root_X1.pem
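The page says to check both the CN and the CA. As an added example (not the NOC's own check), this shell function does that for a certificate you have saved as PEM, using the openssl command line: it compares the subject CN, compares the SHA-256 fingerprint, and confirms the certificate validates against the CA file. The function name and argument order are this example's own; it assumes openssl is installed and that the CA file contains the root (and, for a real chain, any intermediates needed to reach it).

```shell
# Added example, not from the EMF NOC page: verify a saved RADIUS server
# certificate against the CN, CA and fingerprint published for emfcamp.
# Requires the openssl command line tool.
check_radius_cert() {
    # $1 = certificate PEM
    # $2 = CA bundle PEM, e.g. /etc/ssl/certs/ISRG_Root_X1.pem
    # $3 = expected CN, e.g. radius.emf.camp
    # $4 = expected SHA-256 fingerprint, colon-separated hex
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$3" ]; then
        echo "CN mismatch: got '$cn', expected '$3'" >&2
        return 1
    fi
    # normalise hex case so either form of the published fingerprint matches
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 \
         | cut -d= -f2 | tr 'a-f' 'A-F')
    want=$(printf '%s' "$4" | tr 'a-f' 'A-F')
    if [ "$fp" != "$want" ]; then
        echo "fingerprint mismatch: got $fp, expected $want" >&2
        return 1
    fi
    # Chain check: the certificate must validate up to the expected root.
    # The output is grepped because old OpenSSL releases exit 0 on failure.
    if ! openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo "certificate does not chain to the CA in $2" >&2
        return 1
    fi
    return 0
}
```

With the values from this page the call is `check_radius_cert radius.pem /etc/ssl/certs/ISRG_Root_X1.pem radius.emf.camp B8:3B:F9:39:C4:F2:BF:D0:87:D7:93:5C:A0:DD:18:F3:31:7B:DD:B1:EC:88:3B:22:E0:B2:39:CB:7C:F8:FD:43`. The CA check matters even when the CN matches: anyone can issue themselves a certificate with CN=radius.emf.camp, but only the real server has one that chains to ISRG Root X1.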

Android

This app will help you get set up: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup. Or follow these instructions to do it manually.

Wired Ethernet

All camping areas are within 60m of a datenklo (or data toilet), where you can connect to the network. If you intend to do so please bring 60-70m of CAT5 cable as we are unable to provide any.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again on Sunday or Monday, leave your entire cable coiled outside the DK and we will disconnect it. If you need to leave before then, contact the helpdesk directly.

All of our edge ports are 100 Mbps or 1 Gbps, auto-negotiate, auto-MDI-X. We are unlikely to have PoE ports for general use.


Static IPs

If you need a static IP on the wired network, contact the NOC.

IPv6

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC helpdesk if you need help.

Services


Security

Encryption

Please treat the network as wide open and full of attackers. Although Team:NOC themselves will not monitor the network, always assume that Alice flirting with Bob will be spied upon by The Third Party.

Any sensitive information including passwords must therefore be encrypted. Please make sure you don't use any software or web applications that send sensitive data or passwords in the clear.

The following mechanisms should be safe:

  • Anything that goes through a VPN
  • Any website that uses HTTPS
  • Any application that uses SSL
    • In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
  • ssh and scp
  • Where possible, use One-time passwords. Real tokens work best, many of those should be compatible with open source radius servers. Here is a simple Perl radius server implementation for RFC6238 tokens that works with ssh and other stuff on linux.

The following are almost always unsafe:

  • FTP with login/password (are almost always sent in the clear)
  • Telnet with login/password
  • Email if you don't use SSL
  • Webmail that doesn't use HTTPS
    • Someone could trigger a password reminder and then intercept your email
  • Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

  • Websites where you need to fill in a password and your browser (not the website!) tells you it's going to be sent securely
  • Websites that require an account but remember you're logged in
    • The password may be protected but not the content or cookies that automatically log you in
  • Any time your browser or other application brings up anything to do with a certificate
  • Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

Remember: if you're being stupid someone may feel the need to teach you a security lesson in a not so subtle way! (No, that doesn't mean it's ok to hack people just to see if their security is in order.)

Firewall

On the wired network there is no network firewall and on the WiFi network there is limited firewalling in place. We operate an unfiltered network that is wide open to the Internet. There is no NAT, and everybody has a public IP address. This is our definition of "network neutrality" - a network that doesn't do anything whatsoever to your IP connection.

If you are used to feeling secure just because you've been sitting behind a NAT router, think again. You are now wide open to the whole Internet. Ensure your personal firewall is enabled and set to "Public Network" and that you have applied all security updates to your OS and applications.

By default the WiFi network allows inbound connections from the rest of the campsite, but inbound connections from the Internet are blocked. If you want to ensure no inbound connections are possible towards your WiFi device, use the "outboundonly"-login.

In case you want to enable inbound connections towards your WiFi-device, use the "allowany"-login.
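As an added example (not something the NOC provides or deploys), this shell function prints an nftables ruleset that does what the paragraphs above ask of a personal firewall: drop every unsolicited inbound connection on both IPv4 and IPv6, whether it arrives from the Internet or from the campsite, while still accepting the ICMPv6 messages that IPv6 address configuration depends on, since this network expects IPv6 to stay enabled. The table and set names are this example's own; any TCP ports passed as arguments are services you deliberately expose.

```shell
# Added example, not from the EMF NOC page: a host firewall for a laptop
# on a network with public addresses and no NAT, as an nftables ruleset.
# Assumes nftables is installed. Usage: emf_nft_ruleset [tcp_port ...]
emf_nft_ruleset() {
    elems=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port '$p'" >&2; return 1
        fi
        elems="${elems:+$elems, }$p"
    done
    elem_line=""
    if [ -n "$elems" ]; then
        elem_line="        elements = { $elems }"
    fi
    cat <<EOF
flush ruleset

table inet emf_host {
    # TCP ports intentionally reachable from the campsite and the Internet.
    # Empty by default: nothing on this host is exposed.
    set allowed_in {
        type inet_service
$elem_line
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        # replies to connections this host opened
        ct state established,related accept
        ct state invalid drop

        # IPv4 diagnostics only; no other unsolicited IPv4 traffic
        icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # IPv6 is not optional here: without RA and neighbour discovery the
        # host loses its address, so blocking all of ICMPv6 breaks the network
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 replies come from link-local servers and look unsolicited
        ip6 saddr fe80::/10 udp dport 546 accept

        tcp dport @allowed_in accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}
```

Check the syntax with `emf_nft_ruleset | nft -c -f -` and apply with `emf_nft_ruleset | nft -f -` (both as root); `emf_nft_ruleset 22` is the variant that leaves ssh reachable. The ICMPv6 lines are the part people most often get wrong when they copy an IPv4-only "drop everything inbound" policy onto a dual-stack host: the ruleset above keeps router advertisements and neighbour discovery while still refusing every inbound TCP and UDP connection you did not list.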

FAQ

Can I bring a server?

Sure. You can host a server anywhere on the network, and the long DHCP lease time will effectively give you a static IP address.

If you would like to house your server in our data centre (NOC-DC), please contact us before the event by e-mail to noc@. 1 Gbps copper ports are standard; if you require a 10 Gbps port, you'll need to supply a DAC or SFPs (our end Arista-coded) with fibre.

Is there a server I can use to host data on site?

Due to lack of demand at the last event, this will not be provided this time.

Can I use the 2.4GHz band for non-wifi projects?

The following channels are available for adhoc/mesh/other wireless stuff:

  • 2.4GHz: Channel 1
  • 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

Can I bring an access point?

No, this is strictly prohibited! We need all available channels to provide good quality coverage for the rest of the attendees. Please do not be selfish here as you will degrade performance for everyone else, and we WILL track you down.

If you think you can ignore this rule because one little access point can't hurt anyone, think again. This page has the calculations on just how huge a problem it is for an event of our size: Network/Rogue Access Points.

If you are operating a village (using an EMF-supplied tent) that has poor coverage, we may be able to arrange to put an extra access point in it during the event to improve coverage. Stop by the NOC and ask.

Can I bring a switch?

Yes, but for stability purposes all edge ports are limited to 10 MAC addresses at a time. If you want to connect a switch with more stations, you need to stop by the NOC and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK). Make sure that you disable STP and other protocols on your switch which try to be intelligent.

My port goes up and down every couple of minutes

You have probably tripped port security. Most likely scenario is that you have connected more than 10 stations without consulting us (see answer to previous question). To reduce support calls, the port will automatically be re-enabled after a few minutes. But if you haven't fixed the problem, it will immediately be shut down again.

Supporters

We'd like to extend our immense gratitude to the following people and organisations who have been instrumental in making the EMF network and uplink happen through their donations and sponsorship: