Attendance
Attendees
- Stefan Winter (Restena)
- Mike Zawacki (Internet2)
- Sara Jeanes (Internet2)
- Guy Halse (TENET)
- Halil Adem (GRNET)
- Wenche Backman-Kamila (CSC/Funet)
- Louis Twomey (HEAnet)
- Philippe Hanset (ANYROAM)
- Christian Rohrer (SWITCH)
- Anders Nilsson (SUNET)
- Fabian Mauchle (SWITCH)
- Maja Górecka-Wolniewicz (PSNC)
- Tomasz Wolniewicz (PSNC)
- Ed Wincott (Jisc)
- Stefan Paetow (Jisc)
- Zbigniew Ołtuszyk (PSNC)
- Paul Dekkers (SURF)
- Janfred Rieckers (DFN)
Regrets
- Zenon Mousmoulas (GRNET)
Agenda / Proceedings
Welcome / Agenda Bashing
Update regarding malformed EAP packets
- Josh Howlett updates on the symptoms of the issue seen
- Paul D expresses surprise that he doesn’t see this in Radiator on the ETLRs, given that the amounts of requests are lower than the ETLR volumes.
- Chris P notes that it is raised with the FR project to make them aware
- Paul D and Chris P suggest that this should probably be raised with the vendor(s) involved too via WBA so others are aware
- EAP-Type is the ‘offending’ attribute; suggestion to have Europe or NROs do some logging to see how much is being seen
- Suggestion also to possibly terminate such packets at the national proxies to avoid this being a DDoS vector against eduroam
EAP-FIDO update
- probably best to wrap FIDO auth in either EAP-TLS or TEAP (those two deliver server-auth with “traditional PKIX” and allow to derive session keys from the TLS context)
Recurring OpenRoaming chitchat
AOB / next VC (11 Apr 2022 1530 CEST)
- radsecproxy release candidate 1.10.0 - please test [https://github.com/radsecproxy/radsecproxy/releases/tag/1.10.0-rc1]