Difference between revisions of "Network"

From Electromagnetic Field
Jump to navigation Jump to search
 
(15 intermediate revisions by 4 users not shown)
Line 19: Line 19:
 
* emfcamp-legacy
 
* emfcamp-legacy
 
** This is 2.4GHz and less resistant to interference, use it only if you have to. The username and password are "emf". This is also WPA2-Enterprise.
 
** This is 2.4GHz and less resistant to interference, use it only if you have to. The username and password are "emf". This is also WPA2-Enterprise.
* emfcamp-insecure '''Warning: less secure'''
+
* emfcamp-insecure '''Warning: insecure'''
** This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's basic WPA2-PSK and the password is "emfcamp2014".
+
** This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted.
 
* spacenet
 
* spacenet
** This is 2.4GHz + 5GHz. We have not yet determined whether [https://spacefed.net/ Spacenet] will be supported. This is also WPA2-Enterprise.
+
** This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace is offering spacenet. More information can be found at [https://spacefed.net/ spacefed.net].
 +
* eduroam
 +
** This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].
  
 
Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.
 
Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.
Line 31: Line 33:
  
 
For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.
 
For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.
 +
 +
=== WPA2 802.1X, encryption ===
 +
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).
 +
 +
You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.
 +
 +
Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "emf/emf" or "guest/guest" as "username/password".
 +
 +
==== Client Settings ====
 +
SSID: emfcamp or emfcamp-legacy
 +
Phase 1: EAP-TTLS or PEAP
 +
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP
 +
 +
CN = radius.emf.camp
 +
CA = GeoTrust Global CA
 +
Fingerprint = 5E:A7:65:99:25:14:46:A4:0A:CD:2D:22:27:C1:1B:70:AA:A0:CC:1F
 +
 +
Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA).
  
 
== Camping area and workshops ==
 
== Camping area and workshops ==
Line 44: Line 64:
 
== Static IPs ==
 
== Static IPs ==
  
If you need a static IP on either the wired or wireless network, drop by the [[Team:InfoDesk]]. If you are given a static IP on the wireless, connect to the regular SSID, but instead of using the login emf/emf, use static/static.
+
If you need a static IP on the wired network, drop by the [[Team:InfoDesk]].
  
 
== Rules ==
 
== Rules ==
Line 65: Line 85:
 
== Multicast ==
 
== Multicast ==
  
In 2012 we ran multicast with a feed from the BBC. This worked quite well; you could simply open your media player and browse multicast streams (e.g. in VLC "Local Network -> Network Streams (SAP)"). We'll try to do the same again this year, details will appear here.
+
We have a TV & radio multicast feed from the BBC. Simply open your media player and browse multicast streams (e.g. in VLC's main window, go to the sidebar "Local Network -> Network Streams (SAP)").
 +
 
 +
This is currently working on both the wired and wireless network; you will have some expected packet loss if you use wireless though.
 +
 
 +
Don't forget to turn on deinterlacing to get a proper picture (press 'd' in VLC).
 +
 
 +
== Services ==
 +
 
 +
* DNS: 78.158.87.11 and 78.158.87.12
 +
* NTP: 78.158.87.11 and 78.158.87.12 (ntp1.emf.camp and ntp2.emf.camp)
 +
* Nearest Debian mirror: http://debian.mirror.uk.sargasso.net
 +
* Content distribution server - for use by speakers to upload their content to an on-site server - http://content.emf.camp/ . Speakers please contact noc@ to get an account.
  
 
== Security ==
 
== Security ==
Line 110: Line 141:
 
There is no network firewall. We operate an unfiltered network that is wide open to the Internet. There is no NAT, and everybody has a public IP address. This is our definition of "network neutrality" - a network that doesn't do anything whatsoever to your IP connection.
 
There is no network firewall. We operate an unfiltered network that is wide open to the Internet. There is no NAT, and everybody has a public IP address. This is our definition of "network neutrality" - a network that doesn't do anything whatsoever to your IP connection.
  
If you are used to feeling secure just because you've been sitting behind a NAT router, think again. You are now wide open to the whole Internet. Ensure your personal firewall is enabled and that you have applied all security updates to your OS and applications.
+
If you are used to feeling secure just because you've been sitting behind a NAT router, think again. You are now wide open to the whole Internet. Ensure your personal firewall is enabled and set to "Public Network" and that you have applied all security updates to your OS and applications.
  
 
== FAQ ==
 
== FAQ ==
Line 128: Line 159:
  
 
We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.
 
We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.
 +
 +
=== Can I bring an access point? ===
 +
 +
No, this is strictly prohibited! We need all available channels to provide good quality coverage for the rest of the attendees. Please do not be selfish here as you will degrade performance for everyone else, and we WILL track you down.
 +
 +
If you are operating a village (using an EMF-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC and ask.
 +
 +
=== Can I bring a switch? ===
 +
 +
Yes, but for stability purposes all edge ports are limited to 3 MAC addresses at a time. If you want to connect a switch, you need to stop by the NOC and ask us to lift the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).
 +
 +
=== My port goes up and down every couple of minutes ===
 +
 +
You have probably tripped port security. Most likely scenario is that you have connected a switch without consulting us (see answer to previous question).
  
 
== Team Internet ==
 
== Team Internet ==
  
[[User:Jasperw]]
+
[[User:JasperWallace]]
 
[[User:Will-h]]
 
[[User:Will-h]]
 
[[User:Davidc]]
 
[[User:Davidc]]

Latest revision as of 16:32, 30 August 2014

Network

Team:NOC has tried to build and support the fastest network for you, a network comparable to a medium sized ISP built up in just a couple of days. It might not be perfect all the time. If you experience any outage please report them to the helpdesk.

We will be providing a high speed onsite network with blanket wireless coverage and wired network access to both venues and camping tents.

Uplink

Uplink from the campsite is currently being arranged. Details will be announced when firm.

Wireless

The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents.

The following SSIDs will be available:

  • emfcamp
    • This is 5GHz and should you should use this one in preference, if you can see it. The username and password are "emf". This is the most secure, WPA2-Enterprise.
  • emfcamp-legacy
    • This is 2.4GHz and less resistant to interference, use it only if you have to. The username and password are "emf". This is also WPA2-Enterprise.
  • emfcamp-insecure Warning: insecure
    • This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted.
  • spacenet
    • This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace is offering spacenet. More information can be found at spacefed.net.
  • eduroam
    • This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at eduroam.org.

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt any sensitive traffic sent over the air end-to-end to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

WPA2 802.1X, encryption

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can use any username/password combination using EAP-TTLS with PAP to login (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "emf/emf" or "guest/guest" as "username/password".

Client Settings

SSID: emfcamp or emfcamp-legacy
Phase 1: EAP-TTLS or PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.emf.camp
CA = GeoTrust Global CA
Fingerprint = 5E:A7:65:99:25:14:46:A4:0A:CD:2D:22:27:C1:1B:70:AA:A0:CC:1F

Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA).

Camping area and workshops

All camping areas will be within 60m of a Datenklo (Data Toilet), please bring around 60-70m of CAT5 cable. Unless a sponsor comes forward for it, we will be unable to supply cable on site. We will be budgeting only for the infrastructure requirements and necessary spares to deal with issues.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are at least 10/100, some support PoE (802.3af), plus Auto-MDX.

Static IPs

If you need a static IP on the wired network, drop by the Team:InfoDesk.

Rules

  • Be nice and friendly! Do not do to others what you do not wish done to yourself.
  • Protect your computer! We cannot be taken responsible or held accountable for any damage your devices might sustain due to security problems, power spikes and other such perils.
  • Please do not operate your own WiFi access point, our wireless solution includes 'CleanAir' technology and has rogue access point detection.
  • If you are operating anything else in the 2.4GHz spectrum, please clear the frequencies in advance with us.
  • Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
  • Cabling from your tent to the data toilets must not cross any roads.
  • If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact the helpdesk.
  • If you are connecting a switch, you need to contact the NOC to enable this on your port. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time. And if you think Team:NOC cannot locate you just because you're wireless - think again. ;-)

IPv6

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC helpdesk if you need help.

Multicast

We have a TV & radio multicast feed from the BBC. Simply open your media player and browse multicast streams (e.g. in VLC's main window, go to the sidebar "Local Network -> Network Streams (SAP)").

This is currently working on both the wired and wireless network; you will have some expected packet loss if you use wireless though.

Don't forget to turn on deinterlacing to get a proper picture (press 'd' in VLC).

Services

  • DNS: 78.158.87.11 and 78.158.87.12
  • NTP: 78.158.87.11 and 78.158.87.12 (ntp1.emf.camp and ntp2.emf.camp)
  • Nearest Debian mirror: http://debian.mirror.uk.sargasso.net
  • Content distribution server - for use by speakers to upload their content to an on-site server - http://content.emf.camp/ . Speakers please contact noc@ to get an account.

Security

Recent vulnerabilities =

WARNING: Bring a recent DHCP Client. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

Encryption

Please treat the network as wide open and full of attackers. Although Team:NOC themselves will not monitor the network, always assume that Alice flirting with Bob will be spied upon by The Third Party.

Any sensitive information including passwords must therefore be encrypted. Please make sure you don't use any software or web applications that send sensitive data or passwords in the clear.

The following mechanisms should be safe:

  • Anything that goes through a VPN
  • Any website that uses HTTPS
  • Any application that uses SSL
    • In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
  • ssh and scp
  • Where possible, use One-time passwords. Real tokens work best, many of those should be compatible with open source radius servers. Here is a simple Perl radius server implementation for RFC6238 tokens that works with ssh and other stuff on linux.

The following are almost always unsafe:

  • FTP with login/password (are almost always sent in the clear)
  • Telnet with login/password
  • Email if you don't use SSL
  • Webmail that doesn't use HTTPS
    • Someone could trigger a password reminder and then intercept your email
  • Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

  • Websites where you need to fill in a password and your browser (not the website!) tells you it's going to be sent securely
  • Websites that require an account but remember you're logged in
    • The password may be protected but not the content or cookies that automatically log you in
  • Any time your browser or other application brings up anything to do with a certificate
  • Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

Remember: if you're being stupid someone may feel the need to teach you a security lesson in a not so subtle way! (No, that doesn't mean it's ok to hack people just to see if their security is in order.)

Firewall

There is no network firewall. We operate an unfiltered network that is wide open to the Internet. There is no NAT, and everybody has a public IP address. This is our definition of "network neutrality" - a network that doesn't do anything whatsoever to your IP connection.

If you are used to feeling secure just because you've been sitting behind a NAT router, think again. You are now wide open to the whole Internet. Ensure your personal firewall is enabled and set to "Public Network" and that you have applied all security updates to your OS and applications.

FAQ

Can I bring a server?

Yes, though we would rather these were stored centrally in our NOC. This allows us to provision power easily and you also get the added benefit of connecting directly to our core and having UPS backup. If you intend to bring a server please email noc@emfcamp.org so we can fully understand your requirements prior to the event.

We have not yet determined whether we will be able to provide colocation space for servers, but we would like to in order to save bandwidth on the extensive site network. If this will be helpful for you, please e-mail noc@emfcamp.org so we can gauge demand.

Can I use the 2.4GHz band for non-wifi projects?

The following channels are available for adhoc/mesh/other wireless stuff:

  • 2.4Ghz: Channel 1
  • 5Ghz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

Can I bring an access point?

No, this is strictly prohibited! We need all available channels to provide good quality coverage for the rest of the attendees. Please do not be selfish here as you will degrade performance for everyone else, and we WILL track you down.

If you are operating a village (using an EMF-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC and ask.

Can I bring a switch?

Yes, but for stability purposes all edge ports are limited to 3 MAC addresses at a time. If you want to connect a switch, you need to stop by the NOC and ask us to lift the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

My port goes up and down every couple of minutes

You have probably tripped port security. Most likely scenario is that you have connected a switch without consulting us (see answer to previous question).

Team Internet

User:JasperWallace User:Will-h User:Davidc