@@ -5,98 +5,81 @@ As usual, we will provide a fast wired and wireless network.
...
@@ -5,98 +5,81 @@ As usual, we will provide a fast wired and wireless network.
## Rules of Conduct
## Rules of Conduct
* Be fair! Do not do to others what you do not wish done to yourself!🌈
* Be fair! Do not do to others what you do not wish done to yourself!🌈
* Protect your computer! We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
* Protect your computer! Make sure your operating system is up to date and your firewall is enabled before arriving at the camp.
* Do not run your own DHCP server! Doing so is harmful.
* If you want to download terabytes of data, you are better off connecting to the wired network.
* While we are quite able to find and disconnect you in case of network misuse, we prefer not to have to do so. Respect other visitors. Be aware that we cannot prevent law enforcement from acting within or related to our network.👮🚨🚔
* Do not connect shielded ethernet cables (STP or FTP) to a Datenklo.
* Do not run your own DHCP server.
* Do not send IPv6 Router Advertisements.
* Do not send IPv6 Router Advertisements.
* Do not ARP spoof or otherwise impede the operation of the network!
* Do not ARP spoof or otherwise impede the operation of the network.
* While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
* If you want to run your own wireless equipment, there are a [few additional rules](#rules-for-wireless-equipment).
* Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.👮🚨🚔
* Do not connect S/FTP or F/FTP (so called shielded cables) to a Datenklo; this is to prevent ground-loops.
* See also Rules for wireless equipment.
## Wired
## Wired
There will be wired 100BASE-TX/1000BASE-T/10GBASE-T ethernet on the camping grounds and in the caravan area by means of so-called "Data Toilets" or "Datenklos". Look for construction toilets with tin foil wrapped around them.
There will be wired 100BASE-TX/1000BASE-T/10GBASE-T ethernet on the camping grounds and in the caravan areas, provided by our state-of-the-art Datenklos (DKs or "Data Toilets"). Look for construction toilets with tin foil wrapped around them.
You can lay your own cables, but please do so in a tidy manner. You must not cross any roads, paths or borders between camping grounds. Always lay your cable from the Datenklo towards your tent to keep any slack close to your tent. Leave 5m of slack cable at the Datenklo. You can simply leave the end of your cable at the Datenklo, it will be connected by helpers at regular intervals (during reasonable work hours). If you want your cable back, make a proper spool of it and leave that at the Datenklo or mark it accordingly. It will be disconnected for you to pick up.
**Wired connections are completely unfiltered and will receive a public IP address**. If you have (older) devices that cannot be trusted with unrestricted incoming connections, bring a firewall.
The maximum line-of-sight distance to the next Datenklo will be approximately 50 meters. Cables will not be provided. A length of 50 meters is recommended. If that is insufficient, you will find someone within this range who has a switch and can plug you in. But bringing 60 or 75 meters won't hurt if you want to be sure. Do not bring SFTP or other shielded cables, this can cause harm you your and our equipment, we will not connect them (this is to prevent ground loops).
You can lay your own ethernet cables (we don't provide them), but please do so in a tidy manner. You must not cross any roads, paths or borders between camping grounds. Always lay your cable from the Datenklo towards your tent to keep most of the slack close to your tent, but leave a few metres of slack cable at the Datenklo. Do not use shielded cables – these can damage equipment due to ground loops and we will not connect them.
Optionally, bring & connect a small ethernet switch when connecting multiple devices. Please disable Spanning-Tree Protocol if you would connect a managed switch.
The maximum distance to your nearest Datenklo will be approximately 50 meters, but bringing a longer cable is a good idea if you want to be sure. If your cable isn't long enough, you might find someone within range who has a switch and can plug you in.
Wired connections are unfiltered. If you have (older) devices that cannot be trusted with unrestricted incoming connections, bring a router or firewall (and disable the wifi!).
Simply leave the end of your cable at the Datenklo and it will be connected by helpers at regular intervals (during reasonable work hours). If you want your cable back, coil it up at the Datenklo or mark it accordingly. It will be disconnected for you to pick up.
Optionally, bring a small ethernet switch when connecting multiple devices. Please disable Spanning-Tree Protocol if you connect a managed switch.
We don't have (m)any fibre/SFP+ ports available in the DKs this time.
We don't have (m)any fibre/SFP+ ports available in the DKs this time.
## Wireless
## Wireless
You can't live without wireless access, so we've built an awesome wireless network again.
You can't live without wireless access, so we've built an awesome wireless network again. The following WiFi networks are provided on 2.4 GHz and 5 GHz:
Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).
You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can use any username/password combination using EAP-TTLS with PAP to login (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.
Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "camp/camp" or "guest/guest" as "username/password".
We recommend you use the `Camp2023` network. For the highest security, this requires some configuration, which we've documented here:
Also see [here](network_dot1x_settings.md) for a list of OS-specific client settings.
```
*[Linux](network_dot1x_settings.md#linux-etc)
SSID: Camp2023
*[Android](network_dot1x_settings.md#android)
*[iOS](network_dot1x_settings.md#apple-ios)
*[MacOS](network_dot1x_settings.md#apple-macos)
*[Windows](network_dot1x_settings.md#windows)
EAP-TTLS:
Connecting in this way allows your device to authenticate our wireless infrastructure, preventing your traffic from being intercepted by a malicious access point.
Phase 1: EAP-TTLS
The `Camp2023` network requires a username and password — you can use "camp/camp" or any random username and password, because we don't care who you are, we just want to encrypt your data. There are some [special credentials](#services-vlans) which you can use to modify the firewall behaviour.
Phase 2: PAP
PEAP:
The `Camp2023-open` network supports [Opportunistic Wireless Encryption](https://en.wikipedia.org/wiki/Opportunistic_Wireless_Encryption)(OWE) which will automatically provide security comparable to a normal WiFi network with a shared password, _if your device supports OWE_. Otherwise, it will be completely unencrypted.
Phase 1: PEAP
Keep in mind that wireless security won't protect you from network attacks and you should still be aware that you are at a hacker conference! By default, wireless devices are firewalled from the Internet, but inbound connections from other users on the camp network are still allowed.
We have a few special usernames and passwords which you can use when connecting to the `Camp2023` network, which allow you to modify the firewall behaviour:
```
Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check [here](network_dot1x_certificate.md) for the complete certificate.
| Username | Password | Comments |
| ------------ | ------------ | -------- |
| camp | camp | (Or any random username and password.) Filtered connection with public IP address. Inbound connections from the rest of the campsite are possible, but connections from the Internet are blocked. |
| outboundonly | outboundonly | Filtered connection with public IP address. Inbound connections from the Internet or campsite are not possible. |
| allowany | allowany | Unfiltered connection with public IP address. |
We're using WPA2 802.1X to push your client into the correct VLAN. This keeps the number of SSIDs broadcast to a minimum, saving airtime.
### Services VLANs
### Rules for wireless equipment
Please don't set up your own access point if at all possible. Wireless airtime is a precious commodity at hacker events, and every additional wireless network will transmit 802.11 beacons and management frames, slowing down wireless connectivity for everyone in the area.
We're using WPA2 802.1X to push your client in the correct VLAN. The reason we are doing this is to keep the number of SSID's per wireless band to a minimum; this way we are saving airtime by not wasting it too much with 802.11 beacons/mgmt-frames. Use the following user/password combinations:
If you have no other choice (for running experiments and such), please be nice and follow these rules:
| Username | Password | Comments |
* Do not operate non-WiFi equipment in these frequencies.
| ------------ | ------------ | -------- |
* 2.4GHz: use channels 1, 5, 9 or 13 @ 20 MHz. Disable 802.11b.
| camp | camp | Filtered connection with public IP address. Inbound connections from the rest of the campsite are possible, inbound connections from the Internet are blocked. |
* 5GHz: use channels 36 or 140 @ 20 MHz.
| outboundonly | outboundonly | Filtered connection with public IP address. Inbound connections from the Internet or camp-site are not possible. |
* Use a _minimum_ data and beacon rate of 12 Mbit/s. Beacon interval 100 ms or higher.
| allowany | allowany | Unfiltered connection with public IP address |
* Limit the number of broadcasted SSIDs per radio to 1 or 2. No SSID spamming is allowed.
* Do not prefix your broadcasted SSID(s) with "Camp". Do not use other well-known SSIDs.
### Rules
* Do not use high-gain antennas.
* Limit your transmit power as much as possible, for example to 6 dBm or 4 mW.
To keep the wireless working for you, keep a few things in mind:
* We're aware you can break the WiFi infrastructure. We're hoping that you won't and don't want to be chased by 5000 hackers through the Camp.
* If you want to download terabytes of data, you might be better off connecting to the wired network
* Don't set up your own accesspoint. However, if you have no other choice (for running experiments and such), please be nice and consider these rules:
* Please do not operate non-WiFi/analog equipment in these frequencies.
* 2.4GHz: use channels 1, 5, 9 or 13 @ 20MHz. Disable 802.11b.
* 5GHz: use channels 36 or 140 @ 20MHz.
* Minimum data-rate = 12Mbit/s, also for beacon-rate. Beacon interval 100ms or higher.
* Limit the number of broadcasted BSSID's per radio to 1 or 2. No SSID spamming etc is allowed.
* Do not prefix your broadcasted ESSID(s) with "Camp". Do not use "Camp2023" as your ESSID. Do not use other well-known ESSIDs.
* Do not use high-gain antennas.
* Limit your transmit-power for example to 6dBm or 4mW.
## Co-location
## Co-location
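Review bot: In the Wireless section, the sentence "Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA)" and its link to network_dot1x_certificate.md appear only once in this hunk, so they look dropped, while the new text promises that "Connecting in this way allows your device to authenticate our wireless infrastructure". That promise holds only when the client actually validates the server certificate, and a reader who simply enters "any random username and password" may never configure that check. Suggest keeping one sentence on this page saying that the CA and server name must be verified, next to the pointer to the per-OS settings, so the claim and its precondition sit together. Separately, `[special credentials](#services-vlans)` needs a "### Services VLANs" heading to land on; that heading shows up once here, beside the old VLAN paragraph, so please confirm it survives in the new text or retarget the link to the credentials table. Minor: "Encryption](...)(OWE)" is missing a space before "(OWE)", and the Wired section mixes "meters" and "metres".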
...
@@ -104,7 +87,7 @@ There will unfortunately be no co-location service at Camp. You are welcome to h
...
@@ -104,7 +87,7 @@ There will unfortunately be no co-location service at Camp. You are welcome to h
## Special requests
## Special requests
Do you have some special requirements not listed above? We can try to help! You can contact us in English via hello@c3noc.net.
Do you have some special requirements not listed above? We can try to help! You can contact us in English via [hello@c3noc.net](mailto:hello@c3noc.net).
## Supporters
## Supporters
...
@@ -117,6 +100,6 @@ This is a list of companies providing network hardware and connectivity services
...
@@ -117,6 +100,6 @@ This is a list of companies providing network hardware and connectivity services
|  | <https://community-ix.de/> | IP Upstream |
|  | <https://community-ix.de/> | IP Upstream |
|  | <http://www.telekom.com/> | IP Upstream |
|  | <http://www.telekom.com/> | IP Upstream |
|  | <https://www.ediscom.de/> | Wavelength |
|  | <https://www.ediscom.de/> | Wavelength |
This app installs the certificate and WiFi profile which will allow your device to automatically connect. You can do it manually, as shown below, but it's a bit more hassle.
If you don't want to use the app, download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem), and [install it](https://support.google.com/pixelphone/answer/2844832) into your device's **Wi-Fi certificate** store, giving it any name you like. Then connect to the **Camp2023** network using the following information:
### Manual configuration
If you don't want to use the app, download the [ISRG Root X1](https://letsencrypt.org/certs/isrgrootx1.pem) certificate, and [install it](https://support.google.com/pixelphone/answer/2844832) into your device's **Wi-Fi certificate** store, giving it any name you like. Then connect to the **Camp2023** network using the following information:
* EAP method: TTLS *(not TLS)*
* EAP method: TTLS *(not TLS)*
* CA certificate: *(whatever name you gave the ISRG Root X1)*
* CA certificate: *(whatever name you gave the ISRG Root X1)*
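Review bot: The manual settings visible here pin the CA to ISRG Root X1 but show no server-name constraint. ISRG Root X1 is a public root, so a CA check alone does not tie the connection to the camp's authentication server. If the list does not already continue with a "Domain" entry below these lines, add one with the expected server name.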
You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:
To enable the most secure WiFi configuration on macOS:
1. Download [this mobileconfig file](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) and double-click on it. You'll get an unhelpful notification.
2. Open Settings and search for the "Profiles" pane.
3. Click the "+" button and select the mobileconfig file.
4. After you've finished the install, your computer should automatically connect to the camp WiFi.
## Apple iOS
To enable the most secure WiFi configuration on iOS, open this [mobileconfig file](https://eventinfra.org/Camp2023/Camp2023.mobileconfig) in Safari. After the file is installed, your device should automatically connect to the camp WiFi.
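Review bot: Steps 1 to 3 ask the reader to install a configuration profile from eventinfra.org, and "You'll get an unhelpful notification" gives them nothing to verify before approving it. Suggest stating which payloads the profile carries and whether it is signed, so the reader can compare that against what the Profiles pane shows before installing; the same sentence would help in the iOS paragraph. Minor: step 2 says "Open Settings", while the app is named "System Settings" on macOS 13 and later.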
Windows users (and other clients using MSCHAPv2) should use a fixed username and password. You can use "camp/camp" or "guest/guest" as username/password.
## Windows
Import one of these profiles for the most secure WiFi settings for Windows:
Import one of these profiles for the correct WiFi-settings for Windows:
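Review bot: "guest/guest" on the MSCHAPv2 line is not among the credentials in the README's new table (camp, outboundonly, allowany). If this line stays, please confirm guest/guest is still accepted, or reduce it to camp/camp so both pages agree. It would also help to say here whether the outboundonly and allowany credentials work for MSCHAPv2 clients.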