Archive for the ‘OpenSEA’ Category

My favorite 802.11n graph: draft size over time

Monday, April 21st, 2008

My reason for braving the “snowstorm” at Heathrow was to be at the JANET(UK) Networkshop conference. The organizers asked me to present an overview of current wireless standards in development. JANET(UK) is also a founding member of the OpenSEA Alliance, and has arranged for some UK universities to test the supplicant as we develop it.

I impressed (in the older sense of drafting somebody into service) Mark Tysom of JANET(UK) into taking pictures while I spoke. He captured me in front of my favorite slide in the talk, which shows the size of the 802.11n draft over time:

Several interesting vital statistics on the 802.11n draft can be found in this 802.11 working group presentation made by Bruce Kraemer, the long-time chair of TGn, who has recently been elected the chair of the entire 802.11 working group.

The venue for my talk was the plenary session, which was held at The Barony Hall at the University of Strathclyde. The Barony Hall was previously a church, and is a wonderful venue for large audiences. As a speaker, it can be slightly intimidating, though!

(Thanks for taking photos, Mark!)

Open1X Project update and roadmap

Thursday, February 7th, 2008

Earlier this week, we published our technology road map for the Open1X supplicant. They are now available for download in either PDF or Microsoft Word.

In the discussions that the project team held, our biggest goal was to get the supplicant running on as many platforms as we could. The first step is the common desktop operating systems (Windows, Mac OS X, Linux). However, there’s a long-term trend at work with computers infiltrating everything. When I first started doing wireless LANs, it was something that was nice to have for laptops. In the past several years, we’ve seen 802.11 go from an esoteric data link to the most obvious way to connect a plethora of devices from laptops to game devices (the Xbox and PSP both have 802.11) to phones (I carry a Nokia E61) and PDAs.

Each time a wireless LAN interface gets put into a device, you need the entire protocol stack complete with all the security protocols. Wireless security protocols can be complex, and expertise hasn’t kept up with the wide diversity in available products. Often, a product will have a wireless LAN interface that lags behind the rest of the product in functionality.

One of the best examples of the “wireless feature lag” is our #1 feature request. Everybody who’s interested in our work has asked us to port the supplicant to the iPhone to get better interoperability with wireless LANs. Most university networks require user credentials (WPA-Enterprise) instead of pre-shared keys (WPA-Personal), but the iPhone lacks that feature. Back in October, there was an iPhone SDK announced, with details to follow in February. We’re waiting to see what features the SDK will bring, and hope to start working on an iPhone shortly. (If you’re interested in 802.1X on the iPhone, sign the on-line petition.)

Better 802.1X support for VoIP phones and “network paperclips”

Monday, July 2nd, 2007

One of the recurring annoyances with many 802.11 client devices is that they don’t support the best security protocols. Wi-Fi Protected Access (WPA) has two modes: the Personal mode based on pre-shared keys, and the 802.1X-based Enterprise mode. Well-known weaknesses in the former are not present in the stronger Enterprise mode.

One of the troubles with the lack of support for 802.1X is that it causes headaches for network administrators who are concerned about security, but need some widget to build their networks that doesn’t support 802.1X. I have often labeled many of these devices “network paperclips” because they are small, often inexpensive, and frequently do a great deal to hold networks together. This morning, Jon Oltsik, the founding father of the OpenSEA Alliance, picks up on the theme:

“While the PC space is well covered, there is a new network-security frontier out there that remains barren. What about Internet Protocol phones? What about mobile devices? What about network-based appliances like printers?”

Jon is getting uncomfortably (for the industry at least) close to an open secret about the Wi-Fi certification, too. There’s no requirement to support 802.1X to get Wi-Fi certification, and it’s often hard to tell from the product packaging whether the 802.1X/Enterprise methods of authentication are supported, or whether the product only supports the quicker-and-less-secure PSK/Personal methods. The Wi-Fi Alliance is working on the issue of how to reduce end-user confusion about security capabilities.

What brought all this to the front of my mind this morning is the much-ballyhooed iPhone. There’s been a great deal of excitement about the dual 802.11/cellular capabilities of the device to speak VoIP, but it’s dead on arrival as far as most corporate networks are concerned. In a message to the Salsa-FWNA group this morning, Michael Griego writes about the disappointing wireless LAN security support on the iPhone:

“Yes, it lacks 802.1x support out of the box, supporting only PSK security mechanisms. I was personally surprised at this and expect/hope that this will change in one of the surely-soon-to-be-released updates since it should require only adding the supplicant software to make it work.”

(Background note: Salsa-FWNA is an Internet2 group that is defining methods of federated authentication across university campuses. The group is making extensive use of 802.1X, which prevents the current iPhone from doing VoIP across campus boundaries.)

Like Michael, I also hope that Apple is working on an improved supplicant for the iPhone. If the iPhone runs Mac OS X, it should be a straightforward port of the existing supplicant.

Finally, I’d like to make an offer for anybody reading this. If you have a device that needs to support 802.1X, but you’re not quite sure what to do (or just need a royalty-free code base), contact the OpenSEA Alliance and we’ll work with you on customizing the software to your device. Sufficiently interesting devices will be “self-customizing” once our developers get their hands on samples.

Getting OpenSEA off the ground

Monday, June 18th, 2007

A little more than a month ago, the OpenSEA Alliance launched. One of my first volunteer roles with the organization was to act as the volunteer “electronic tsar” responsible for many of our communications with the outside world.

Reading stories like this one from Joe Kraus about founding Excite, I can’t help thinking how lucky we were to be getting OpenSEA off the ground in 2007. Excite had to get a $10,000 hard drive that held 10 GB to demonstrate their technology. Now, $10/month hosting accounts give you access to twenty times that storage. Plus, the proliferation of open source software means that a few clicks enabled the domain registration, the content management system for our site, and electronic mailing lists. A team of three volunteers was able to put the whole communications infrastructure together in a couple of weeks of spare time while working our “regular” jobs.

At this point, one of my big personal goals is to make the organization successful enough that we can “fire” the volunteer webmaster (me).

OpenSEA launches!

Monday, May 14th, 2007

Today, the OpenSEA Alliance launched, with the objective of developing a cross-platform open source 802.1X supplicant. I was fortunate enough to be part of the initial group, both as an individual and representing one of the founding companies.

Any time you get multiple companies together, it can be challenging coming to consensus. We were helped immensely by Cliff Schmidt from the Apache foundation, and were lucky to be able to draw extensively on his expertise.

One of the few thorny issues that was outside of Cliff’s immediate expertise in law was deciding on a name. Naturally, he helped the group select a name that was not already in use and could be legally protected, but we still had to come up with a name within those broad criteria. “OpenSEA” was my suggestion, originally proposed to come up with a middle ground between a name that was specifically tied to 802.1X and a more general name. Officially, “SEA” stands for “Secure Edge Access,” but unofficially, we’re using the “open sea” phrase to indicate that changes at the network edge will have profound effects on the way networks are built and managed. As a fun point, we get the ability to give nautical-themed code names to our projects.

Starting the organization was quite educational, and I’m glad I participated. In addition to getting agreement on how to structure the organization, there’s a lot of start-up work to do to incorporate, get a bank account, and so on. At our first meeting last week, I was elected to the board of directors for a two-year term, ending in 2009. I’m concurrently serving a one-year term as corporate secretary.

So, the easy work is done, and the organization is running. The challenge now is to make it successful. Right now, the group depends on volunteer labor. As part of the process of starting OpenSEA, I learned from a colleague that the Wi-Fi Alliance started in much the same way, but it has now become successful enough that it has a professional staff. While OpenSEA probably will not be as well-known as Wi-Fi, it can certainly become successful enough to outgrow volunteers.