SHA2017 Wiki - User contributions [en]

Network/802.1X client settings

2017-08-04T03:12:44Z

Bitlair.nl-ak47: /* Android */

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

* From Google Playstore: [https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup]

== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
# ca path on FreeBSD (install ca_root-nss package)
#/usr/local/share/certs/ca-root-nss.crt
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.sha2017.org

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

* [[https://eventinfra.org/sha2017/sha2017.mobileconfig SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/sha2017-legacy.mobileconfig SHA2017-legacy]] (2.4GHz only)

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows

* [[https://eventinfra.org/sha2017/SHA2017.xml SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/SHA2017-legacy.xml SHA2017-legacy]] (2.4GHz only)

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "sha2017/sha2017" as the username/password when prompted.

Network

2017-07-29T08:33:39Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE + 10GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space & ASN)
* [https://www.bit.nl/ BIT] (UTP/fibre splicer)
* [https://public.nl-ix.net/ NL-ix] (10GE Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [https://www.babiel.com/en Babiel] (Server hardware)
* [http://ccc.de The Chaos Computer Club]
* [https://www.emfcamp.org/ EMF]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-29T08:32:14Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE + 10GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space & ASN)
* [https://www.bit.nl/ BIT] (UTP/fibre splicer)
* [https://public.nl-ix.net/ NL-ix] (10GE Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [https://www.babiel.com/en Babiel] (Server hardware)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-29T08:31:56Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE + 10GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space & ASN)
* [https://www.bit.nl/ BIT] (UTP/fibre splicer)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [https://www.babiel.com/en Babiel] (Server hardware)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-29T08:31:39Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE + 10GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space & ASN)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [https://www.babiel.com/en Babiel] (Server hardware)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-29T08:31:24Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE + 10GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [https://www.babiel.com/en Babiel] (Server hardware)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-29T08:30:19Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [https://www.babiel.com/en Babiel] (Server hardware)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-20T22:08:01Z

Bitlair.nl-ak47: Skipping SHA2017-PSK

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 MHz centered on 2412 MHz; 2402 MHz->2424 MHz)
* 5GHz: Channel 140 (5690->5730 MHz) or channels 149-165 (5735->5835 MHz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-09T14:31:57Z

Bitlair.nl-ak47: /* Can I bring a server? */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 Mhz centered on 2412 Mhz; 2402 Mhz->2424 Mhz)
* 5GHz: Channel 140 (5690->5730 Mhz) or channels 149-165 (5735->5835 Mhz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-07-09T14:31:49Z

Bitlair.nl-ak47: /* Can I bring a server? */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

There will be no public-colocation facility available.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1 (20 Mhz centered on 2412 Mhz; 2402 Mhz->2424 Mhz)
* 5GHz: Channel 140 (5690->5730 Mhz) or channels 149-165 (5735->5835 Mhz), if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-21T16:17:56Z

Bitlair.nl-ak47: Core Backbone also 100GE transit

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [http://www.core-backbone.com/ Core-Backbone] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-17T22:47:36Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~3m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-17T22:46:59Z

Bitlair.nl-ak47: /* Wired */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~6m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 3m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-17T22:22:55Z

Bitlair.nl-ak47: /* Camping area and workshops */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~6m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Wired ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

To be disconnected at the end of the event, leave the whole cable coiled outside the datenklo, and we'll unplug it when we next visit.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-17T21:29:41Z

Bitlair.nl-ak47: change intro

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] has tried to build and support the fastest network for you: a network comparable to a medium sized ISP, built up in just a couple of days. It might not be perfect all the time. We will be providing blanket wireless coverage and wired network access to both venues and camping tents. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~6m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-16T22:34:33Z

Bitlair.nl-ak47: /* TL;DR */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo (Data Toilet) and leave ~6m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-16T22:32:16Z

Bitlair.nl-ak47: /* TL;DR */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo and leave ~6m of slack coiled on the floor in front of it.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-16T22:31:08Z

Bitlair.nl-ak47: /* TL;DR */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* If you want a wired connection to the network, lay your own cable neatly from your tent back to the nearest datenklo - the porta-potties with all the wires coming out of them -, and leave ~6m of slack coiled on the floor in front of it. At regular intervals volunteers walk around the terrain to check the datenklos and patch your UTP.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network/802.1X client settings

2017-06-16T21:21:43Z

Bitlair.nl-ak47: /* Windows */

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

* TODO


== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.sha2017.org

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

* [[https://eventinfra.org/sha2017/sha2017.mobileconfig SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/sha2017-legacy.mobileconfig SHA2017-legacy]] (2.4GHz only)

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows

* [[https://eventinfra.org/sha2017/SHA2017.xml SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/SHA2017-legacy.xml SHA2017-legacy]] (2.4GHz only)

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "sha2017/sha2017" as the username/password when prompted.

Network/802.1X client settings

2017-06-16T21:21:22Z

Bitlair.nl-ak47: /* Windows */

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

* TODO


== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.sha2017.org

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

* [[https://eventinfra.org/sha2017/sha2017.mobileconfig SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/sha2017-legacy.mobileconfig SHA2017-legacy]] (2.4GHz only)

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows

* [[https://eventinfra.org/sha2017/SHA2017.xml SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/SHA2017-legacy.xml SHA2017-legacy)]] (2.4GHz only)

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "sha2017/sha2017" as the username/password when prompted.

Network/802.1X client settings

2017-06-16T21:20:53Z

Bitlair.nl-ak47: /* Apple MacOS / iOS */

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

* TODO


== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.sha2017.org

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

* [[https://eventinfra.org/sha2017/sha2017.mobileconfig SHA2017]] (5GHz only)
* [[https://eventinfra.org/sha2017/sha2017-legacy.mobileconfig SHA2017-legacy]] (2.4GHz only)

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows



* TODO

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "SHA2017/SHA2017" as the username/password when prompted.

Network/802.1X client settings

2017-06-16T21:17:35Z

Bitlair.nl-ak47: /* Android */

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

* TODO


== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.sha2017.org

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:



* TODO

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows



* TODO

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "SHA2017/SHA2017" as the username/password when prompted.

Network/802.1X client settings

2017-06-16T21:05:27Z

Bitlair.nl-ak47:

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:



* TODO

== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.sha2017.org
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.sha2017.org"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.sha2017.org

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.sha2017.org"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:



* TODO

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows



* TODO

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "SHA2017/SHA2017" as the username/password when prompted.

Network

2017-06-16T21:01:20Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the '''SHA2017''' network with a username of '''sha2017''' and a password of '''sha2017'''.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-16T21:00:55Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the ''''SHA2017'''' network with a username of ''''sha2017'''' and a password of ''''sha2017''''.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

{{MapObject|Handle = 0xC352}}

Network

2017-06-16T21:00:43Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
{{MapObject|Handle = 0xC352}}

== TL;DR ==
* To use the camp WiFi on most modern devices, connect to the ''''SHA2017'''' network with a username of ''''sha2017'''' and a password of ''''sha2017''''.
* You have a public IPv4 & IPv6 address and there is no network firewall or filtering.

== Rules of Conduct ==
* Be fair! Do not do to others what you do not wish done to yourself!
* We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not run your own DHCP server! Doing so is harmful.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* If you are connecting an embedded device to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.
* For special requests please contact NOC via noc-requests@sha2017.org.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; SHA2017-PSK
: WPA2 PSK, shared private SSID for SHA2017 teams/projects using non-802.1X capable devices, 2.4GHz
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

=== WPA2 802.1X, encryption ===
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN/SAN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==
All camping areas will be within 40m of a datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== FAQ ==
=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz/5GHz-band for non-wifi projects? ===
The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 140 or channels 149-165 if supported (max 25mW EIRP allowed in The Netherlands)

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===
Please don't.

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the NOC helpdesk and ask.

=== Can I bring a switch? ===
Yes. You are however only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to connect to multiple datenklos! The datenklo switchport allows for a maximum of 64 stations.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

== Twitter ==
The SHA2017 NOC team has a Twitter account: [https://twitter.com/sha2017noc @sha2017noc]

Network

2017-06-16T20:25:40Z

Bitlair.nl-ak47: /* Camping area and workshops */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
{{MapObject|Handle = 0xC352}}
== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==
All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of Cat5e/Cat6/Cat7 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a Datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network/RADIUS certificate

2017-06-16T20:24:54Z

Bitlair.nl-ak47:

<pre>-----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAgISA8k7/LTmEoVNp/WGubfUt75AMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA2MTQwNzAyMDBaFw0x
NzA5MTIwNzAyMDBaMB0xGzAZBgNVBAMTEnJhZGl1cy5zaGEyMDE3Lm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANuQOxOgb7JRkKCpV0q3/vqkmOw2
5jA8FMilpsa/DFRz5zkJ2rD+eR+o8cQ3jwyTnoTlWvgL28V0B9iehPsQKYp+4v9m
rgFftNg/j3DCL3ZLEONB0Abqc82vxOV2ud0Rs8vb7EvELEpEGAvV+FhaEifevADj
FcPG/RXv1O2YpVEDTDMmQ/g+aP+tz9DpWoyoFzaTlg9aRD8zDnsDq5YY1Gg9f4yq
hKUriOkEbydKYovF8Qizav+tYxjIuuFZZeshcB6aCgSuZLtWE0IBwwvZyHm14iiw
htU3xWGPFN++5uSGaYJNQfVsPdGdpL/2WcmNblVpdYkZU5u4IXz19K93MK0CAwEA
AaOCAhIwggIOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU7HDsBFLA+B5ddZE15frv
SB2/r8cwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUH
AQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5
cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5
cHQub3JnLzAdBgNVHREEFjAUghJyYWRpdXMuc2hhMjAxNy5vcmcwgf4GA1UdIASB
9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpo
dHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlz
IENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcg
UGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmlj
YXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBv
c2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAdkd7mIBkkrEWk26I1feydZruagN2
DxoW6BrXSlxD1Z7eF9Rx6/+x27Yrp6sFDUYCICgA1zf61yCrqWyzjnVdsCxlJ8QL
P+fHCEQHdkLZ9SENk8ERhJsVFo+eR8XZ+qnB98Vzdw9X92ltF4INSgAuUW4tfsWG
e8BkNOthJsr2uMuh5ccAfw+CU3GXVAktXW08h+lAONkqhHbPe3dJ8rLpB3tgQuFd
TCk/T4HizKlDbdWVv0dnJu23x5hYGWCGMpnJeStWgAMoNkfp6ZwHOPcNgeL2LVCn
O1yh8EhQVT5zn3dKGiPfxN4wWQfcIMlXj44YH56hoHi0+rsm04fMjgPBCw==
-----END CERTIFICATE-----
</pre>

Network

2017-06-16T20:24:24Z

Bitlair.nl-ak47: /* Client Settings */

<div style="float:right;padding-left:10px">__TOC__</div>
[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.
{{MapObject|Handle = 0xC352}}
== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA256 Fingerprint = 20:CE:02:90:2E:2A:79:8E:B5:40:8D:BD:0A:E4:18:A1:AD:5A:C0:BD:6A:09:02:17:A8:F4:46:99:79:A0:B9:C8

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==
All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a Datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-13T20:56:40Z

Bitlair.nl-ak47: /* Camping area and workshops */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==
All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a Datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-13T18:34:26Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://www.edge-core.com/ Edgecore Networks] (Networking gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-11T20:05:56Z

Bitlair.nl-ak47: /* Uplink */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters]].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-11T20:05:44Z

Bitlair.nl-ak47: /* Uplink */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various [[#Supporters|supporters].

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-11T20:04:40Z

Bitlair.nl-ak47: Add colocation details

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-07T15:49:16Z

Bitlair.nl-ak47: /* Supporters */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [https://www.bit.nl/ BIT] (UTP & transit)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-06T20:30:56Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

== Supporters ==
We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

* [http://www.juniper.net/ Juniper Networks] (Routers for uplink)
* [https://us.ntt.net/ NTT Communications] (100GE transit)
* [https://cumulusnetworks.com/ Cumulus Networks] (Distribution switches & software)
* [https://www.flexoptix.net Flexoptix] (Transceivers)
* [https://surfnet.nl/ SURFnet] (10GE transit & IP-space)
* [http://www.core-backbone.com/ Core-Backbone] (10GE transit)
* [https://public.nl-ix.net/ NL-ix] (Peering & transit)
* [https://unet.nl/ UNET] (Dark-fibre uplink)
* [http://www.arubanetworks.com/ Aruba Networks] (WiFi gear)
* [http://ccc.de The Chaos Computer Club]
* [http://eventinfra.org EventInfra] (Network equipment loan)

Network

2017-06-06T20:22:00Z

Bitlair.nl-ak47: /* Services */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==
TODO

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

Network

2017-06-06T20:21:52Z

Bitlair.nl-ak47: /* Static IPs */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==

tbd

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

Network

2017-06-06T20:21:22Z

Bitlair.nl-ak47: /* Client Settings */

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

=== Services / VLANs ===
TODO

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the [[Team:InfoDesk]].

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==

tbd

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

Network

2017-06-06T20:19:48Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

== Uplink ==
We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world.

== Wireless ==
The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the [[Team:InfoDesk]].

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==

tbd

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

Network

2017-06-06T20:16:32Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

== Rules ==

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

==WiFi==
There will be WiFi coverage on most of the terrain. You can connect to the WiFi SSID "SHA2017" with username "sha2017" and password "sha2017". Eduroam & spacenet authentication will also be available on the terrain. The WiFi will use both the 2.4 and the 5GHz network.

Please don't set up your own WiFi. This will cause issues on such a high dense terrain. We are actively scanning for rogue accesspoints.

== IP ==
Every device will receive an IPv4 and IPv6 WAN address.

== Uplink ==

We are planning to give you a 100 Gbps uplink to our router in Amsterdam. From there we will have several peerings to the rest of the world.

== Wireless ==

The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the [[Team:InfoDesk]].

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==

tbd

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

Network/802.1X client settings

2017-06-06T20:12:44Z

Bitlair.nl-ak47:

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:



* TODO

== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/SHA2017''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.c3noc.net
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.c3noc.net"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.c3noc.net"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.c3noc.net

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.c3noc.net"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:



* TODO

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows



* TODO

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "SHA2017/SHA2017" as the username/password when prompted.

Network/802.1X client settings

2017-06-06T20:12:03Z

Bitlair.nl-ak47: Created page with "== Android == You can use our Android App to configure the correct WiFi settings on your Android device. Download it here: <!-- * From Google Playstore: [https://play.google...."

== Android ==
You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:



* TODO

== Network Manager ==

You can use the following config file:

Please note that some versions of NM are buggy and will only work with
802.1X using MSCHAPv2, or not at all.
If that affects you, it may be easiest to use wpa_supplicant.

'''/etc/NetworkManager/system-connections/33C3''':

[connection]
id=SHA2017
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=SHA2017

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.c3noc.net
ca-cert=/etc/ssl/certs/DST_Root_CA_X3.pem
eap=ttls;
identity=SHA2017
password=SHA2017
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto

== WICD ==
You need an additional crypto setting for WiCD. Put this file into '''/etc/wicd/encryption/templates/eap-ttls''' (debian systems, might be different with other *nix flavours):

name = EAP-TTLS SHA2017
author = Felicitus
require identity *Identity password *password
-----
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="SHA2017"
scan_ssid=$_SCAN
identity="edward"
password="snowden"
proto=WPA2
key_mgmt=WPA-EAP
group=CCMP
pairwise=CCMP
eap=TTLS
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.c3noc.net"
anonymous_identity="$_ANONYMOUS_IDENTITY"
phase2="auth=PAP"
#priority=2
}

Edit '''/etc/wicd/encryption/templates/active''' to include the '''eap-ttls''' config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS SHA2017) and enter a random username/password.

== Jolla/connman ==
/var/lib/connman/SHA2017wifi.config :

[service_SHA2017]
Type=wifi
Name=SHA2017-legacy
EAP=ttls
Phase2=PAP
Identity=edward
Passphrase=snowden

== wpa_supplicant.conf ==
/etc/wpa_supplicant/wpa_supplicant.conf :

network={
ssid="SHA2017"
key_mgmt=WPA-EAP
eap=TTLS
identity="edward"
password="snowden"
# ca path on debian 7.x, modify accordingly
ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"
altsubject_match="DNS:radius.c3noc.net"
phase2="auth=PAP"
}

== interfaces ==
As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

iface wlan0 inet dhcp
wpa-ssid SHA2017
wpa-identity edward
wpa-password snowden
wpa-proto WPA2
wpa-key_mgmt WPA-EAP
wpa-group CCMP
wpa-pairwise CCMP
wpa-eap TTLS
wpa-phase2 "auth=PAP"
wpa-ca_cert "/etc/ssl/certs/DST_Root_CA_X3.pem"
wpa-altsubject_match DNS:radius.c3noc.net

== netctl ==
Description='SHA2017 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=SHA2017
WPAConfigSection=(
'ssid="SHA2017"'
'proto=RSN WPA'
'key_mgmt=WPA-EAP'
'eap=TTLS'
'identity="edward"'
'password="snowden"'
'ca_cert="/etc/ssl/certs/DST_Root_CA_X3.pem"'
'altsubject_match="DNS:radius.c3noc.net"'
'phase2="auth=PAP"'
)

== Apple MacOS / iOS ==
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:



* TODO

== Windows ==
Import one of these profiles for the correct WiFi-settings for Windows



* TODO

To import and connect follow these steps:

# Open a command prompt and execute: netsh wlan add profile filename=SHA2017.xml
# Connect to the SHA2017 or SHA2017-legacy network; use "SHA2017/SHA2017" as the username/password when prompted.

Network/RADIUS certificate

2017-06-06T20:06:59Z

Bitlair.nl-ak47: Created page with "<pre>TODO</pre>"

Network

2017-06-06T20:06:02Z

Bitlair.nl-ak47:

<div style="float:right;padding-left:10px">__TOC__</div>

[https://orga.sha2017.org/index.php/Team:NOC Team:NOC] is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent.

= Rules =

* Be nice and friendly! Do not do to others what you do not wish done to yourself.
* There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
* Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
* If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
* Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
* You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
* If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
* If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
* For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

=General=

==WiFi==
There will be WiFi coverage on most of the terrain. You can connect to the WiFi SSID "SHA2017" with username "sha2017" and password "sha2017". Eduroam & spacenet authentication will also be available on the terrain. The WiFi will use both the 2.4 and the 5GHz network.

Please don't set up your own WiFi. This will cause issues on such a high dense terrain. We are actively scanning for rogue accesspoints.

== IP ==
Every device will receive an IPv4 and IPv6 WAN address.

== Uplink ==

We are planning to give you a 100 Gbps uplink to our router in Amsterdam. From there we will have several peerings to the rest of the world.

== Wireless ==

The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

; SHA2017
: This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
; SHA2017-legacy
: This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
; SHA2017-insecure
: '''Warning: insecure''' This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
; spacenet
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers [https://spacefed.net/ spacenet].
; eduroam
: This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at [https://www.eduroam.org/ eduroam.org].

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

=== WPA2 802.1X, encryption ===

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can '''use any username/password combination using EAP-TTLS with PAP to login''' (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

==== Client Settings ====
Also see [[Network/802.1X client settings]] for a list of OS-specific client settings.

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure '''you check the certificate''' in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [[Network/RADIUS_certificate|here]] for the complete certificate.

== Camping area and workshops ==

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. '''We do not supply you with a cable'''.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC team will connect it up and enable the port.

If you wish to be removed from a Datenklo again, contact the helpdesk directly.

All of our edge ports are 1Gbit/s, plus Auto-MDX.

We do not support 10Mbit. It might work on a few devices, but there is no guarrantee. - if you need it for old or embedded things please bring a switch to convert.

== Static IPs ==

If you need a static IP on the wired network, drop by the [[Team:InfoDesk]].

== IPv6 ==

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

== Services ==

tbd

== Security ==

=== Recent vulnerabilities ===

'''WARNING: Bring a recent DHCP Client'''. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

=== Encryption ===

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:
* Anything that goes through a VPN
* Any website that uses HTTPS
* Any application that uses SSL
** In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
* ssh and scp
* Where possible, use One-time passwords.

The following are almost always unsafe:

* FTP with login/password (are almost always sent in the clear)
* Telnet with login/password
* Email if you don't use SSL
* Webmail that doesn't use HTTPS
** Someone could trigger a password reminder and then intercept your email
* Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

* Websites where you need to fill in a password and your ''browser'' (not the website!) tells you it's going to be sent securely
* Websites that require an account but remember you're logged in
** The password ''may'' be protected but not the content or cookies that automatically log you in
* Any time your browser or other application brings up ''anything'' to do with a certificate
* Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

=== Firewall ===

There is none. Bring your own! A router which is just doing NAT is not a firewall!

== FAQ ==

=== Can I bring a server? ===
Sure! However, we do not offer a colocation for your hardware. You will have to keep it with you.

=== Can I use the 2.4GHz band for non-wifi projects? ===

The following channels are available for adhoc/mesh/other wireless stuff:

* 2.4GHz: Channel 1
* 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

=== Can I bring an access point? ===

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

=== Can I bring a switch? ===

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

=== My port goes up and down every couple of minutes ===

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

User:Bitlair.nl-ak47

2017-06-06T19:51:10Z

Bitlair.nl-ak47: Created page with "{{UserInfo |NickName=AK47 |Languages=English, Nederlands |Team=NOC |HackerSpace=Bitlair |E-Mail=arjan@koopen.net |Jabber=2 |Dect=2547 }} NOC co-team lead. Contact info: * ak4..."

{{UserInfo
|NickName=AK47
|Languages=English, Nederlands
|Team=NOC
|HackerSpace=Bitlair
|E-Mail=arjan@koopen.net
|Jabber=2
|Dect=2547
}}
NOC co-team lead. Contact info:

* ak47@sha2017.org
* AK47 @ IRC
* arjan_k @ Twitter