diff --git a/docs/facilities.md b/docs/facilities.md index 5cc58d2ecc1964aec715b1700cf4fe75cff63656..431b35406551d12a87941e6cdf5c8dc5d6038d09 100644 --- a/docs/facilities.md +++ b/docs/facilities.md @@ -135,24 +135,22 @@ How to contact you. [#retronetworking](https://web.libera.chat/#retronetworking) IRC channel on libera.chat or [e-mail](mailto:c3isdn@osmocom.org). - ## Network -As usual there will be wired and wireless connectivity avaible. -See [Network](network.md) for more information. +As usual there will be wired and wireless connectivity available. See [Network](network.md) for more information. ### Wired -see [Network#wired](network.md#wired) +see [Network#wired](network.md#wired). -### Wifi +### WiFi -The following SSIDs are provided: +The following wireless networks are provided: - * Camp2023 (WPA2 802.1X (username: camp / password: camp), 2.4GHz+5GHz) ✅ noc recommended ✅ - * Camp2023-open (open/OWE, 2.4GHz+5GHz) + * `Camp2023` (Username: camp / Password: camp) ✅ NOC recommended ✅ + * `Camp2023-open` (open, may be insecure) -see [Network#wireless](network.md#wireless) +For more information about configuring your WiFi device securely, see [Network#wireless](network.md#wireless). ## Power diff --git a/docs/network.md b/docs/network.md index d1d51fafa93f21b153eb1aa5bd72d602e2441310..a52f2807352194eaa76912968d223852f6d22ed8 100644 --- a/docs/network.md +++ b/docs/network.md @@ -5,98 +5,81 @@ As usual, we will provide a fast wired and wireless network. ## Rules of Conduct * Be fair! Do not do to others what you do not wish done to yourself!🌈 - * Protect your computer! We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event. - * Do not run your own DHCP server! Doing so is harmful. + * Protect your computer! Make sure your operating system is up to date and your firewall is enabled before arriving at the camp. + * If you want to download terabytes of data, you are better off connecting to the wired network. + * While we are quite able to find and disconnect you in case of network misuse, we prefer not to have to do so. Respect other visitors. Be aware that we cannot prevent law enforcement from acting within or related to our network.👮🚨🚔 + * Do not connect shielded ethernet cables (STP or FTP) to a Datenklo. + * Do not run your own DHCP server. * Do not send IPv6 Router Advertisements. - * Do not ARP spoof or otherwise impede the operation of the network! - * While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors. - * Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.👮🚨🚔 - * Do not connect S/FTP or F/FTP (so called shielded cables) to a Datenklo; this is to prevent ground-loops. - * See also Rules for wireless equipment. + * Do not ARP spoof or otherwise impede the operation of the network. + * If you want to run your own wireless equipment, there are a [few additional rules](#rules-for-wireless-equipment). ## Wired -There will be wired 100BASE-TX/1000BASE-T/10GBASE-T ethernet on the camping grounds and in the caravan area by means of so-called "Data Toilets" or "Datenklos". Look for construction toilets with tin foil wrapped around them. +There will be wired 100BASE-TX/1000BASE-T/10GBASE-T ethernet on the camping grounds and in the caravan areas, provided by our state-of-the-art Datenklos (DKs or "Data Toilets"). Look for construction toilets with tin foil wrapped around them. -You can lay your own cables, but please do so in a tidy manner. You must not cross any roads, paths or borders between camping grounds. Always lay your cable from the Datenklo towards your tent to keep any slack close to your tent. Leave 5m of slack cable at the Datenklo. You can simply leave the end of your cable at the Datenklo, it will be connected by helpers at regular intervals (during reasonable work hours). If you want your cable back, make a proper spool of it and leave that at the Datenklo or mark it accordingly. It will be disconnected for you to pick up. +**Wired connections are completely unfiltered and will receive a public IP address**. If you have (older) devices that cannot be trusted with unrestricted incoming connections, bring a firewall. -The maximum line-of-sight distance to the next Datenklo will be approximately 50 meters. Cables will not be provided. A length of 50 meters is recommended. If that is insufficient, you will find someone within this range who has a switch and can plug you in. But bringing 60 or 75 meters won't hurt if you want to be sure. Do not bring SFTP or other shielded cables, this can cause harm you your and our equipment, we will not connect them (this is to prevent ground loops). +You can lay your own ethernet cables (we don't provide them), but please do so in a tidy manner. You must not cross any roads, paths or borders between camping grounds. Always lay your cable from the Datenklo towards your tent to keep most of the slack close to your tent, but leave a few metres of slack cable at the Datenklo. Do not use shielded cables – these can damage equipment due to ground loops and we will not connect them. -Optionally, bring & connect a small ethernet switch when connecting multiple devices. Please disable Spanning-Tree Protocol if you would connect a managed switch. +The maximum distance to your nearest Datenklo will be approximately 50 meters, but bringing a longer cable is a good idea if you want to be sure. If your cable isn't long enough, you might find someone within range who has a switch and can plug you in. -Wired connections are unfiltered. If you have (older) devices that cannot be trusted with unrestricted incoming connections, bring a router or firewall (and disable the wifi!). +Simply leave the end of your cable at the Datenklo and it will be connected by helpers at regular intervals (during reasonable work hours). If you want your cable back, coil it up at the Datenklo or mark it accordingly. It will be disconnected for you to pick up. + +Optionally, bring a small ethernet switch when connecting multiple devices. Please disable Spanning-Tree Protocol if you connect a managed switch. We don't have (m)any fibre/SFP+ ports available in the DKs this time. ## Wireless -You can't live without wireless access, so we've built an awesome wireless network again. - -### Camp2023 SSIDs - -The following SSIDs are provided: - - * Camp2023 (WPA2 802.1X (see below), 2.4GHz+5GHz) ✅ noc recommended ✅ - * Camp2023-open (open/OWE, 2.4GHz+5GHz) - -### WPA(2/3) 802.1X, encryption - -Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below). - -You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can use any username/password combination using EAP-TTLS with PAP to login (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data. +You can't live without wireless access, so we've built an awesome wireless network again. The following WiFi networks are provided on 2.4 GHz and 5 GHz: -Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "camp/camp" or "guest/guest" as "username/password". +| SSID | Security | | +| --------------- | ---------------------- | -------------------- | +| `Camp2023` | WPA2 Enterprise 802.1X | ✅ NOC recommended ✅ | +| `Camp2023-open` | Open (OWE supported) | | -### Client Settings -Also see [here](network_dot1x_settings.md) for a list of OS-specific client settings. +We recommend you use the `Camp2023` network. For the highest security, this requires some configuration, which we've documented here: -``` -SSID: Camp2023 +* [Linux](network_dot1x_settings.md#linux-etc) +* [Android](network_dot1x_settings.md#android) +* [iOS](network_dot1x_settings.md#apple-ios) +* [MacOS](network_dot1x_settings.md#apple-macos) +* [Windows](network_dot1x_settings.md#windows) -EAP-TTLS: +Connecting in this way allows your device to authenticate our wireless infrastructure, preventing your traffic from being intercepted by a malicious access point. -Phase 1: EAP-TTLS -Phase 2: PAP +The `Camp2023` network requires a username and password — you can use "camp/camp" or any random username and password, because we don't care who you are, we just want to encrypt your data. There are some [special credentials](#services-vlans) which you can use to modify the firewall behaviour. -PEAP: +The `Camp2023-open` network supports [Opportunistic Wireless Encryption](https://en.wikipedia.org/wiki/Opportunistic_Wireless_Encryption) (OWE) which will automatically provide security comparable to a normal WiFi network with a shared password, _if your device supports OWE_. Otherwise, it will be completely unencrypted. -Phase 1: PEAP -Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP +Keep in mind that wireless security won't protect you from network attacks and you should still be aware that you are at a hacker conference! By default, wireless devices are firewalled from the Internet, but inbound connections from other users on the camp network are still allowed. -CN = radius.c3noc.net -CA = ISRG Root X1 +### Services VLANs -SHA256 Fingerprint = 6C:5E:71:4F:1E:AD:3A:D5:FE:1A:F6:F3:67:17:FD:63:13:2F:CA:9C:51:36:92:5E:1B:3A:D2:DF:5F:A8:D2:D7 -``` -Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [here](network_dot1x_certificate.md) for the complete certificate. +We have a few special usernames and passwords which you can use when connecting to the `Camp2023` network, which allow you to modify the firewall behaviour: +| Username | Password | Comments | +| ------------ | ------------ | -------- | +| camp | camp | (Or any random username and password.) Filtered connection with public IP address. Inbound connections from the rest of the campsite are possible, but connections from the Internet are blocked. | +| outboundonly | outboundonly | Filtered connection with public IP address. Inbound connections from the Internet or campsite are not possible. | +| allowany | allowany | Unfiltered connection with public IP address. | +We're using WPA2 802.1X to push your client into the correct VLAN. This keeps the number of SSIDs broadcast to a minimum, saving airtime. -### Services VLANs +### Rules for wireless equipment +Please don't set up your own access point if at all possible. Wireless airtime is a precious commodity at hacker events, and every additional wireless network will transmit 802.11 beacons and management frames, slowing down wireless connectivity for everyone in the area. -We're using WPA2 802.1X to push your client in the correct VLAN. The reason we are doing this is to keep the number of SSID's per wireless band to a minimum; this way we are saving airtime by not wasting it too much with 802.11 beacons/mgmt-frames. Use the following user/password combinations: +If you have no other choice (for running experiments and such), please be nice and follow these rules: -| Username | Password | Comments | -| ------------ | ------------ | -------- | -| camp | camp | Filtered connection with public IP address. Inbound connections from the rest of the campsite are possible, inbound connections from the Internet are blocked. | -| outboundonly | outboundonly | Filtered connection with public IP address. Inbound connections from the Internet or camp-site are not possible. | -| allowany | allowany | Unfiltered connection with public IP address | - -### Rules - -To keep the wireless working for you, keep a few things in mind: - - * We're aware you can break the WiFi infrastructure. We're hoping that you won't and don't want to be chased by 5000 hackers through the Camp. - * If you want to download terabytes of data, you might be better off connecting to the wired network - * Don't set up your own accesspoint. However, if you have no other choice (for running experiments and such), please be nice and consider these rules: - * Please do not operate non-WiFi/analog equipment in these frequencies. - * 2.4GHz: use channels 1, 5, 9 or 13 @ 20MHz. Disable 802.11b. - * 5GHz: use channels 36 or 140 @ 20MHz. - * Minimum data-rate = 12Mbit/s, also for beacon-rate. Beacon interval 100ms or higher. - * Limit the number of broadcasted BSSID's per radio to 1 or 2. No SSID spamming etc is allowed. - * Do not prefix your broadcasted ESSID(s) with "Camp". Do not use "Camp2023" as your ESSID. Do not use other well-known ESSIDs. - * Do not use high-gain antennas. - * Limit your transmit-power for example to 6dBm or 4mW. +* Do not operate non-WiFi equipment in these frequencies. +* 2.4GHz: use channels 1, 5, 9 or 13 @ 20 MHz. Disable 802.11b. +* 5GHz: use channels 36 or 140 @ 20 MHz. +* Use a _minimum_ data and beacon rate of 12 Mbit/s. Beacon interval 100 ms or higher. +* Limit the number of broadcasted SSIDs per radio to 1 or 2. No SSID spamming is allowed. +* Do not prefix your broadcasted SSID(s) with "Camp". Do not use other well-known SSIDs. +* Do not use high-gain antennas. +* Limit your transmit power as much as possible, for example to 6 dBm or 4 mW. ## Co-location @@ -104,7 +87,7 @@ There will unfortunately be no co-location service at Camp. You are welcome to h ## Special requests -Do you have some special requirements not listed above? We can try to help! You can contact us in English via hello@c3noc.net. +Do you have some special requirements not listed above? We can try to help! You can contact us in English via [hello@c3noc.net](mailto:hello@c3noc.net). ## Supporters @@ -117,6 +100,6 @@ This is a list of companies providing network hardware and connectivity services |  | <https://community-ix.de/> | IP Upstream | |  | <http://www.telekom.com/> | IP Upstream | |  | <https://www.ediscom.de/> | Wavelength | -|  | <https://eventinfra.org/> | Network equipment loan | -|  | <https://www.flexoptix.net/> | Network equipment loan | +|  | <https://eventinfra.org/> | Network equipment loan | +|  | <https://www.flexoptix.net/> | Network equipment loan | diff --git a/docs/network_dot1x_settings.md b/docs/network_dot1x_settings.md index 1d2802d7a16bcd6485d8c3a653af345438aac3e5..8f150d4c3ff394dd9733042f3560f78325cfeeaa 100644 --- a/docs/network_dot1x_settings.md +++ b/docs/network_dot1x_settings.md @@ -1,13 +1,35 @@ +## Generic settings +``` +SSID: Camp2023 + +EAP-TTLS: + +Phase 1: EAP-TTLS +Phase 2: PAP + +PEAP: + +Phase 1: PEAP +Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP + +CN = radius.c3noc.net +CA = ISRG Root X1 + +SHA256 Fingerprint = 6C:5E:71:4F:1E:AD:3A:D5:FE:1A:F6:F3:67:17:FD:63:13:2F:CA:9C:51:36:92:5E:1B:3A:D2:DF:5F:A8:D2:D7 +``` +Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). + ## Android -### App -You can use our Android App to configure the correct WiFi settings on your Android device. Download it here: +You can use our Android app to automatically configure the most secure WiFi settings on your Android device: -* From Google Playstore: https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup -* Source-code: https://github.com/EventInfra/wifisetup -* APK download: https://eventinfra.org/Camp2023/app-release.apk +* [Download on Google Play Store](https://play.google.com/store/apps/details?id=nl.eventinfra.wifisetup) +* [APK download](https://eventinfra.org/Camp2023/app-release.apk) +* [Source code](https://github.com/EventInfra/wifisetup) -### Manually -If you don't want to use the app, download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem), and [install it](https://support.google.com/pixelphone/answer/2844832) into your device's **Wi-Fi certificate** store, giving it any name you like. Then connect to the **Camp2023** network using the following information: +This app installs the certificate and WiFi profile which will allow your device to automatically connect. You can do it manually, as shown below, but it's a bit more hassle. + +### Manual configuration +If you don't want to use the app, download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem) certificate, and [install it](https://support.google.com/pixelphone/answer/2844832) into your device's **Wi-Fi certificate** store, giving it any name you like. Then connect to the **Camp2023** network using the following information: * EAP method: TTLS *(not TLS)* * CA certificate: *(whatever name you gave the ISRG Root X1)* @@ -197,13 +219,21 @@ networking.wireless.networks."Camp2023".auth = '' ''; ``` -## Apple MacOS/iOS -You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS: +## Apple macOS +To enable the most secure WiFi configuration on macOS: + +1. Download [this mobileconfig file](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) and double-click on it. You'll get an unhelpful notification. +2. Open Settings and search for the "Profiles" pane. +3. Click the "+" button and select the mobileconfig file. +4. After you've finished the install, your computer should automatically connect to the camp WiFi. + +## Apple iOS +To enable the most secure WiFi configuration on iOS, open this [mobileconfig file](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) in Safari. After the file is installed, your device should automatically connect to the camp WiFi. -* [Camp2023](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) (2.4GHz+5GHz, Camp user) +## Windows +Windows users (and other clients using MSCHAPv2) should use a fixed username and password. You can use "camp/camp" or "guest/guest" as username/password. -## Windows -Import one of these profiles for the correct WiFi-settings for Windows: +Import one of these profiles for the most secure WiFi settings for Windows: * [Camp2023](https://eventinfra.org/Camp2023/Camp2023.xml) (2.4GHz+5GHz)