Static:Network

From Camp_2015_Wiki
Jump to: navigation, search

There will be a network! Available in both wired and wireless flavours Be sure to read the Survival Guide before connecting your devices.


Rules of Conduct

  • Be fair! Do not do to others what you do not wish done to yourself!
  • Protect your computer! We cannot be held responsible for any damage your computer may face due to attachment to our network. Be reminded that both internet access and the local network are unfirewalled and unfiltered. Even well-maintained systems can be attacked and get hacked, even more so at a hacker event.
  • Do not run your own DHCP server! Doing so is harmful.
  • Do not send IPv6 Router Advertisements.
  • Do not ARP spoof or otherwise impede the operation of the network!
  • While we are generally quite able to find and disconnect you in case of network misuse if necessary, we still prefer to not have to do so and that everybody respects the other visitors.
  • Think twice before you do something that affects others! If you hack someone, you might be prosecuted. Be aware that we cannot prevent law enforcement from acting within or related to our network.

Wireless

You can't live without wireless access, so we've built an awesome wireless network again. The setup is improved from last camp:

CCC SSIDs

The following SSIDs are provided:

  • Camp2015 (WPA2 802.1X (see below), 5GHz)
  • Camp2015-legacy (WPA2 802.1X (see below), 2.4GHz)
  • Camp2015-open (open, 5GHz)
  • Camp2015-open-legacy (open, 2.4GHz)
  • spacenet (federated hacker authentication system, WPA2 802.1X, 2.4GHz+5GHz)
  • freifunk.net (extension of the Freifunk network, open, 2.4GHz+5GHz)

WPA2 802.1X, encryption

Due to popular demand (and with security in mind) we provide WPA2 802.1X. This will encrypt your traffic, preventing attackers from sniffing your data. Keep in mind that this won't protect you from other network attacks and you should still be aware that you are at a hacker conference! Your link layer should be secure if you do certificate checking (see below).

You might think: "WTF!? Do I need to register a user and password blah, blah". Fortunately not. You can use any username/password combination using EAP-TTLS with PAP to login (example: "user: fbhfbhiaf pass: bgufwbnkqo" is valid), because we don't care who logs in and who you are. We just want to encrypt your data.

Users which use MSCHAPv2 (like Windows users with default 802.1X supplicant) should use a fixed username and password. You can use "camp2015/camp2015" or "guest/guest" as "username/password".

Client Settings

SSID: Camp2015 or Camp2015-legacy
Phase 1: EAP-TTLS or PEAP
Phase 2: MSCHAPv2 or EAP-MSCHAPv2 or PAP

CN = radius.c3noc.net
CA = StartCom Certification Authority
Fingerprint = A9:15:4F:80:83:D9:C6:B4:AC:8A:3F:06:9A:D9:4E:9E:5F:D1:DF:0C

Make sure you check the certificate in order to know you are connecting to the correct network (you should check on both the CN and the CA). Check here for the complete certificate.

Network Manager

You can use the following config file:

Please note that some versions of NM are buggy and will only work with 802.1X using MSCHAPv2, or not at all. If that affects you, it may be easiest to use wpa_supplicant.

/etc/NetworkManager/system-connections/Camp2015:

[connection]
id=Camp2015
uuid=c80101e2-7b99-4511-846b-2388eb86a5ad
type=wifi
permissions=
secondaries=

[wifi]
mac-address=42:23:42:23:42:23 <- !! Please change this !!
mac-address-blacklist=
mode=infrastructure
seen-bssids=
ssid=Camp2015

[wifi-security]
auth-alg=open
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=DNS:radius.c3noc.net
ca-cert=/etc/ssl/certs/StartCom_Certification_Authority.pem
eap=ttls;
identity=camp2015
password=camp2015
phase2-altsubject-matches=
phase2-auth=pap

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto
WICD

You need an additional crypto setting for WiCD. Put this file into /etc/wicd/encryption/templates/eap-ttls (debian systems, might be different with other *nix flavours):

 name = EAP-TTLS Camp2015
 author = Felicitus
 require identity *Identity password *password
 -----
 ctrl_interface=/var/run/wpa_supplicant
 network={
  ssid="Camp2015"
  scan_ssid=$_SCAN
  identity="edward"
  password="snowden"
  proto=WPA2
  key_mgmt=WPA-EAP
  group=CCMP
  pairwise=CCMP
  eap=TTLS
  ca_cert="/etc/ssl/certs/StartCom_Certification_Authority.pem"
  altsubject_match="DNS:radius.c3noc.net"
  anonymous_identity="$_ANONYMOUS_IDENTITY"
  phase2="auth=PAP"
  #priority=2
 }

Edit /etc/wicd/encryption/templates/active to include the eap-ttls config template. Restart the WiCD daemon, choose the proper encryption (EAP-TTLS Camp) and enter a random username/password.

Jolla/connman

/var/lib/connman/Camp2015wifi.config :

 [service_Camp2015]
 Type=wifi
 Name=Camp2015
 EAP=peap
 Phase2=MSCHAPV2
 Identity=edward
 Passphrase=snowden
wpa_supplicant.conf

/etc/wpa_supplicant/wpa_supplicant.conf :

 network={
 	ssid="Camp2015"
 	key_mgmt=WPA-EAP
 	eap=TTLS
 	identity="edward"
 	password="snowden"
 	# ca path on debian 7.x, modify accordingly
 	ca_cert="/etc/ssl/certs/StartCom_Certification_Authority.pem"
 	altsubject_match="DNS:radius.c3noc.net"
 	phase2="auth=PAP"
 }
interfaces

As an alternative, you can specify the wpa_supplicant config options directly in /etc/network/interfaces:

 iface wlan0 inet dhcp
 	wpa-ssid Camp2015
 	wpa-identity edward
 	wpa-password snowden
 	wpa-proto WPA2
 	wpa-key_mgmt WPA-EAP
 	wpa-group CCMP
 	wpa-pairwise CCMP
 	wpa-eap TTLS
 	wpa-phase2 "auth=PAP"
 	wpa-ca_cert "/etc/ssl/certs/StartCom_Certification_Authority.pem"
 	wpa-altsubject_match DNS:radius.c3noc.net
netctl
Description='Camp2015 secure WPA2 802.1X config'
Interface=wls1
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=Camp2015
WPAConfigSection=(
    'ssid="Camp2015"'
    'proto=RSN WPA'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'identity="edward"'
    'password="snowden"'
    'ca_cert="/etc/ssl/certs/StartCom_Certification_Authority.pem"'
    'altsubject_match="DNS:radius.c3noc.net"'
    'phase2="auth=PAP"'
)
Apple MacOS / iOS

You can use one of these profiles for the correct WiFi-settings for Apple MacOS / iOS:

Windows

Import one of these profiles for the correct WiFi-settings for Windows

To import and connect follow these steps:

  1. Open a command prompt and execute: netsh wlan add profile filename=camp2015.xml
  2. Connect to the Camp2015 or Camp2015-legacy network; use "camp2015/camp2015" as the username/password when prompted.
Android

You can use our Android App to configure the correct WiFi settings on your Android device. Download it here:

  • From c3noc.net: [1]
  • From Google Playstore: [2]]

Services

Last camp we had separate SSID's for additional services like Fixed-IP. This camp we're using WPA2 802.1X to push your client in the correct VLAN. The reason we are doing this is to keep the number of SSID's per wireless band to a minimum; this way we are saving airtime by not wasting it too much with 802.11 beacons/mgmt-frames. Use the following user/password combinations:

  • nat64/nat64 (for the nat64 VLAN)
  • fixip/fixip (fixed IP - to be confirmed)
  • camp/camp or camp2015/camp2015 or guest/guest (for regular user VLAN - for devices that have correctly implemented MSCHAPv2, like Windows)

Please note the username AND password are case-sensitive.

2.4GHz & 5GHz

The 2.4GHz spectrum is very limited. Previously we've tried to use the vendor implemented workarounds like band-steering and band-select to persuade clients to use 5GHz. This might work in a controlled enterprise environment, but it doesn't work with 5000 hackers with 50 different operating systems.

The default SSIDs are 5GHz only. The "legacy" SSIDs are 2.4GHz only. If your client supports both, don't use the *-legacy SSIDs. If you only see the legacy SSIDs, consider upgrading your device. We cannot guarantee that 2.4GHz works.

Rules

To keep the wireless working for you, keep a few things in mind:

  • We're aware you can break the WiFi infrastructure. We're hoping that you won't and don't want to be chased by 5000 hackers.
  • If you want to download terabytes of data, you might be better off connecting to the wired network.
  • Don't set up any of your own access points.

Wired

There will be wired gigabit ethernet on the camping grounds and in the caravan area by means of so-called "Data Toilets" or "Datenklos". Look for construction toilets with tin foil wrapped around them.

You can lay your own cables, but please do so in a tidy manner. You may not cross any roads, paths or borders between camping grounds. Always lay your cable from the Datenklo towards your tent to keep any slack close to your tent. Leave 5m of slack cable at the Datenklo. You can simply leave the end of your cable at the Datenklo, it will be connected by helpers at regular intervals (during reasonable work hours). If you want your cable back, make a proper spool of it and leave that at the Datenklo or mark it accordingly. It will be disconnected for you to pick up.

The maximum line-of-sight distance to the next Datenklo will be approximately 50 meters. Cables will not be provided. A length of 50 meters is recommended. If that is insufficient, you will find someone within this range who has a switch and can plug you in. But bringing 60 or 75 meters won't hurt if you want to be sure.

Helpdesk

If you have questions about the network or need help connecting, drop by the friendly people of the Static:NOC Helpdesk, which will be located near the Static:Infodesk in the info tent, which will probably be located next to the southern lecture tent.

NAT64/DNS64

Please see the Static:NAT64 page for more details.

Co-location

Each Congress usually has a co-location service, but given the [power situation] there will unfortunately be no co-location service at Camp. You are welcome to host a server in your tent/village and you can get a gigabit copper uplink from one of the nearby datenklo's. If you have any special requests regarding bandwidth please contact the NOC at camp2015 [at] c3noc *DOT* net. Please send your requests in English.

Datenklo patrol route

Recommended datenklo patrol route:

Image:Datenklopatrolmap.jpg

Supporters

This is a list of companies providing network hardware and connectivity services. The event would not have been possible without their support (and a few unlisted), and we thank them for it.

Who For
Supporter-aruba.jpg http://www.arubanetworks.com WiFi Network Equipment
Supporter-babiel.jpg http://www.babiel.com/ Servers
Supporter-ecix.png http://www.ecix.net Connectivity
Supporter-ediscom.gif http://www.ediscom.de Connectivity
Supporter-flexoptix.jpeg http://www.flexoptix.net Optical Networking Equipment
Supporter-kpn.jpeg http://www.kpn-international.com IP Uplink
Supporter-securelink.png http://www.securelink.nl/ Network Equipment
Supporter-speedbone.png http://www.speedbone.de Colocation
Supporter-strato.jpg http://www.strato.de IP Uplink
Supporter-syseleven.png http://www.syseleven.de/ IP Uplink