Network

From SHA2017 Wiki
Jump to: navigation, search

Team:NOC is trying their best to deliver a fast and stable network during the event. If you have any questions, please contact the NOC helpdesk located at the infodesk tent. {{MapObject|Handle = 0xC3

Rules

  • Be nice and friendly! Do not do to others what you do not wish done to yourself.
  • There is no NAT and no firewall. Please make sure you have some kind of security on your end device. The organisation cannot be held responsible for someone hacking your system(s). If you don't know how you can secure your system(s), please go to the helpdesk.
  • Do not operate your own WiFi access point. This causes a major slow-down for everybody else.
  • If you are operating anything else in the 2.4GHz or the 5GHz spectrum, please clear the frequencies in advance with us.
  • Do not attempt to run a DHCP or RA server. You will be found and named and shamed!
  • You are not allowed to cross roads or fire lanes with your network cable. Please use the Datenklo that is assigned for your terrain.
  • If you are connecting a Nanode / Arduino Ethernet / other microcontroller to the network please make sure it is using a unique MAC address. Many of the code examples for such devices use an identical MAC address and this will cause problems - if you aren't sure contact us.
  • If you are connecting a switch, you need to contact the NOC if you are connecting more than 64 stations. You are only allowed one uplink from your switch to our network - do not attempt to connect multiple cables or to multiple DKs!
  • For special requests please contact NOC via noc-requests@sha2017.org.

If you break these rules, we will track you down or triangulate you, but we'd rather spend the time maintaining the smooth operation of the network, so please don't waste our time.

Uplink

We are planning for a 100 Gbps uplink to our router in Amsterdam. From there we will have various transits to the rest of the world, supplied by various supporters.

Wireless

The whole field has been covered with many wireless access points to ensure the best possible coverage and to allow you to roam seamlessly without interruption. Naturally, there is additional coverage in popular areas such as the talk tents. The following wireless networks will be available:

SHA2017
This is 5GHz and should you should use this one in preference, if you can see it. The username is "sha2017" with password "sha2017". This is the most secure, WPA2-Enterprise.
SHA2017-legacy
This is 2.4GHz and less resistant to interference, use it only if you have to. The username is "sha2017" with password "sha2017". This is also WPA2-Enterprise.
SHA2017-insecure
Warning: insecure This is both 5GHz and 2.4GHz, and is for older devices that don't support WPA2-Enterprise. It's unencrypted, and people will likely intercept your traffic.
spacenet
This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your hackerspace offers spacenet.
eduroam
This is 2.4GHz + 5GHz and WPA2-Enterprise, you can connect with a valid account if your university/college/school is offering eduroam. More information can be found at eduroam.org.

Use of the 5GHz SSIDs is recommended if your device supports them. 802.11b is disabled as it slows everyone else down.

Even if you are using an encrypted network, you should still encrypt your connection to prevent snooping. Although some SSIDs offer encryption, it is only over-the-air.

We have airtime fairness configured on our wireless controllers, so if you wish to download large files please use a wired connection (there will be plenty about).

For proper wireless support under linux, you should have a kernel newer than 2.6.39.2. There is also a kernel panic with brcmsmac on linux 3.10.3 that can be fixed by downgrading to kernel 3.10.2.

WPA2 802.1X, encryption

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can use any username/password combination using EAP-TTLS with PAP to login (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "sha2017/sha2017" or "guest/guest" as "username/password".

Client Settings

Also see Network/802.1X client settings for a list of OS-specific client settings. 

SSID: SHA2017 or SHA2017-legacy

EAP-TTLS:

Phase 1: EAP-TTLS
Phase 2: PAP

PEAP:

Phase 1: PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.sha2017.org
CA = DST Root CA X3
SHA1 Fingerprint = TODO

Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check here for the complete certificate.

Services / VLANs

TODO

Camping area and workshops

All camping areas will be within 40m of a Datenklo (Data Toilet), please bring around 50-70m of CAT5 cable to make sure you have some slack in the cable. We do not supply you with a cable.

Lay your own cable neatly from your tent back to the nearest Datenklo, and leave 6m of slack coiled on the floor in front of it. And please lay it so that it can be clearly seen that it needs to be plugged in - or you risk having your cable overlooked. At regular intervals a member of the NOC helpdesk will connect it up.

If you wish to be removed from a Datenklo early, contact the NOC helpdesk directly.

All of our access ports are 1Gbit/s (1000BASE-T) or 100Mbit/s (100BASE-TX), plus Auto-MDIX. If you want to connect something else, please contact the NOC-team beforehand at noc-requests@sha2017.org.

We do not support 10Mbit/s. It might work on a few devices, but there is no guarrantee. If you need it for old or embedded things please bring a switch to convert.

Static IPs

If you need a static IP on the wired network, drop by the NOC helpdesk in the Infodesk-tent.

IPv6

Naturally, IPv6 is available throughout the network and should "just work" for you. Team:NOC does not recommend disabling IPv6 if you have problems, instead try to understand the problem you are experiencing and get educated in the new world order. Contact the NOC Helpdesk if you need help.

Services

TODO

Security

Recent vulnerabilities

WARNING: Bring a recent DHCP Client. If your OS uses ISC DHCP dhclient make sure you don't run a vulnerable version. https://www.kb.cert.org/vuls/id/410676

Encryption

Please treat the network as wide open and full of attackers.

The following mechanisms should be safe:

  • Anything that goes through a VPN
  • Any website that uses HTTPS
  • Any application that uses SSL
    • In the case of email, you need to have SSL enabled for both receiving mail (POP, IMAP) and sending it (SMTP)
  • ssh and scp
  • Where possible, use One-time passwords.

The following are almost always unsafe:

  • FTP with login/password (are almost always sent in the clear)
  • Telnet with login/password
  • Email if you don't use SSL
  • Webmail that doesn't use HTTPS
    • Someone could trigger a password reminder and then intercept your email
  • Websites that use HTTP (not HTTPS) where you need to fill in a password in the page itself

Possibly unsafe, make sure that you understand what you're doing:

  • Websites where you need to fill in a password and your browser (not the website!) tells you it's going to be sent securely
  • Websites that require an account but remember you're logged in
    • The password may be protected but not the content or cookies that automatically log you in
  • Any time your browser or other application brings up anything to do with a certificate
  • Anything not protected with SSL: someone could be faking DNS answers to impersonate certain sites

Firewall

There is none. Bring your own! A router which is just doing NAT is not a firewall!

FAQ

Can I bring a server?

Sure! You should host your server in your tent/village and connect to the nearest datenklo.

We have not yet decided if there will be a public-colocation facility though. Please get in touch with us if you want to help out running such a facility.

Can I use the 2.4GHz band for non-wifi projects?

The following channels are available for adhoc/mesh/other wireless stuff:

  • 2.4GHz: Channel 1
  • 5GHz: Channel 136, 140

We cannot force you to use these channels, but we are trying to build a functional wireless network for the other attendees too. So please, don't do any experiments on other channels.

Can I bring an access point?

No!

If you are operating a village (using an SHA2017-supplied tent) that has poor coverage, we may be able to arrange to put an access point in it during the event to improve coverage. Stop by the Helpdesk and ask.

Can I bring a switch?

Yes, but for stability purposes all edge ports are limited to 64 MAC addresses at a time. If you want to connect more, you need to stop by the helpdesk and ask us to raise the port-security on your port. If you do this, you need to convince us that you know what you're doing and promise not to do anything that may harm the network - in particular, you must not connect the switch to our network by more than 1 cable (not even to a different DK).

My port goes up and down every couple of minutes

You have probably tripped port security. Most likely scenario is that you have connected more than 64 stations without consulting us (see answer to previous question). Contact the helpdesk if you can't figure it out.

Supporters

We'd like to extend special thanks to the following people and organisations who have been instrumental in making SHA2017 Network happen:

Retrieved from "https://wiki.sha2017.org/index.php?title=Network&oldid=3766"