eduroam Development VC Minutes 2024-10-22 1530 CEST

Attendance

Attendees

• Stefan Winter (Restena)
• Stefan Paetow (Jisc)
• Anders Nilsson (SUNET) (A Polar Bear in Prague)
• Halil Adem (GRNET)
• Derek Eiler (NSHE)
• Mike Zawacki (Internet2)
• Janfred Rieckers (DFN)
• Guy Halse (TENET)
• Maja Górecka-Wolniewicz (PSNC)
• Zbigniew Ołtuszyk (PSNC)
• Paul Dekkers (SURF)
• Ed Kingscote (CANARIE)
• János Mohácsi (KIFÜ)
• Louis Twomey (HEAnet)
• Fabian Mauchle (Switch)
• Ed Wincott (Jisc)
• Tomasz Wolniewicz (PSNC)

Regrets

• Zenon Mousmoulas (GRNET)

Agenda / Proceedings

1. Welcome / Agenda Bashing

2. WPA3 no-transition for eduroam

   • Everyone was invited to test (oldish) devices for their WPA3 compatibility (i.e. support for PMF and no transition mode) … ?
   • Transition Mode spec may have some hurdles that hinder interop
   • advice to use transitioin mode was probably okay at the time; but if there are now interop probs, the cleaner (less breaking) advice may very well be to let go of transition mode
   • Is 5 years of WPA3 spec enough time to conclude that we are not hurting deployed client device base much?
   • Middle way could be to have WPA2-only on 2.4 GHz and WPA3-only on 5+6
   • Devices which have WPA2-only typically do not have 5 GHz either; so this could be a good match.
   • more a policy issue (given that there is no perfect technical solution to suggest) - so discuss in eduroam Europe SG call tomorrow

3. IETF updates

   • radext interim meeting done
   • RADIUS/(D)TLS draft updated
   • proxying is an issue, but not part of the core RADIUS/TLS spec, so pursued in a different I-D
   • other documents already further in the queue

4. OpenRoaming / WBA Meeting update

5. AOB

   • With RADIUS/UDP deprecated: concrete action to take?
   • One could argue that NRO-to-NRO(and TLR) links that replace the transport from UDP to TLS 1:1 (X.509 cert, no dynamic peer discovery) is rather mature
   • This would fix the most “insecure” leg: int’l connectivity
   • NRO’s own network (national network) could be considered a trusted network
   • every implementation has its own rough edges
   • at some point, we need to deploy at a larger scale to learn about and fix issues as they come up
   • this may result in a lower uptime/service availability than good-old RADIUS/UDP provided

6. Next VC

   • 5 Nov 2024, 1530 CET