
Really, Google? (Or Why We Can’t Have Nice Wireless Networks) - Varcht
https://it.toolbox.com/blogs/leebadman/really-google-or-why-we-cant-have-nice-wireless-networks-010219
======
kbirkeland
While the rant is valid, I feel like the amount of effort venting about this
was equal to or more than actually attempting to get this to work. The author
claims that there is "a fair amount of multicast in play which could be part
of the issue," but there are no inherent issues with multicast over wifi. My
suspicion is that it uses mDNS or some other _link-local_ multicast protocol
for discovery. This isn't really news though; any network operator that
supports Apple TVs, Chromecasts, etc on their network has had to deal with
this (and most vendors have solutions for proxying mDNS).

~~~
Spivak
Proxying mDNS is such a pain if your vendor doesn't have something built-in.

Like when you have to start creating VXLANs to accommodate devices that assume
L2 adjacency or installing L7 proxies I think it's fair to say there's some
fault with the application vendor.

------
mikestew
"IT admin being a dick and won't turn on peer-to-peer networking on the
corpnet? Plug a router you bought off the internet into the corpnet tap, or
better yet, run a hotspot from some random phone!"

I don't think the title fully encapsulates how astounded I am that this made
it through the multiple layers of the Google corporate machine without someone
in the chain, _someone_, saying, "umm..." Next time someone asks you to
review those user docs, really read them this time in case you have to be the
one raising your hand. ('cuz I know _I've_ been guilty of kind of skimming
them.)

~~~
detaro
According to the description above that section, it doesn't even need an
internet connection in that mode, so a quick dumb hotspot for just this
purpose seems like a fairly reasonable solution. If IT isn't flexible enough
to provide that on request, someone else setting it up at least doesn't hurt
that much.

(A server-based fallback would have some value, but I bet people would find
something to complain about there too. Too slow, unnecessarily sending data back
to Google, ...)

~~~
mikestew
_so a quick dumb hotspot for just this purpose seems like a fairly reasonable
solution._

I believe the issue at hand is the question of who the user is going to call
when that doesn't work. The phone vendor? The phone OS vendor? The telecom?
Hmm, somehow I feel that those three options will not be first on the list,
but rather who is closest and has technical knowledge of any kind.

~~~
detaro
Who either has "making such things work" in their job description and thus is
the right address, or says "not a school-owned device, not my responsibility,
please go through the process next time". If it truly works without connection
to the internet (and you thus can ignore a lot of the security etc concerns),
providing an unconnected AP with a flat network shouldn't be a big issue for
most sysadmins. (And yes, I know what first-level support for random non-
technical users is like). Yes, they'd prefer if it just worked in whatever
environment, but I don't think it's that out of order that it doesn't,
especially without knowing the tradeoffs involved in the design.

I agree with the article on "they should specify what they need exactly"
though, for those orgs that want to explicitly allow it in their main
infrastructure instead of providing a workaround.

~~~
zelon88
I think you're missing an important point, but I don't disagree completely.

The biggest problem is that this is a product DESIGNED to be placed in
educational IT environments. As such, the product should be designed to
work in those environments with reasonable effort and without violating common
security practices.

It's like marketing a car specifically to people with garages that are too
small to fit the dimensions of the car. Either you make the car fit where it
needs to go or you market it somewhere that fits. You DON'T market it to a
demographic who can't reasonably use it. You're just making bad press for
yourself.

And as a network IT guy myself, we have a responsibility to maintain order on
the networks we administer. Just because someone calls me down to their desk
to install CCleaner on their laptop doesn't mean I'm obligated to do it.
In fact, I'm obligated to steer him in the right direction and make sure he
understands the error of his ways.

IT is the gatekeeper. You don't tell IT what to do... You tell them what you
want to accomplish and let them tell you how to do it.

~~~
emj
The IT department is an enabler for the average user or the least common
denominator; when we are talking about the monocultures of companies, there is
no room for niche solutions. The issue here is that location-based computing
is a feature that people need, but the official channels fight it.

~~~
zelon88
Companies hire IT departments to manage their IT infrastructure correctly.
Maybe some companies just want some cheap kid who can activate a cell phone or
plug wires into a tower, but those aren't the companies who NEED to care about
IT.

You go to your doctor and pay him good money so he can tell you how to
properly take care of your body. If your doctor tells you that you have
diabetes and you continue eating sugar, you will die.

If your IT department tells you something is a bad idea, there's a reason for
it. You don't have to understand his logic, and he doesn't have to explain it
to you. Your company pays him to understand all of that so you don't have to.

Enterprise infrastructure is extremely complex and enterprise applications are
often extremely fragile. If the company could exist without their
contributions I'm sure there would be no IT department.

------
reaperducer
Bigcorp gets all the positive PR for bringing new technology to schools and
"disrupting" the classroom paradigm, while the IT department gets all the
blame because Bigcorp doesn't field test.

Sounds like Google to me.

------
jon889
How come multicast, Bonjour, etc. don't work on enterprise networks? I've
always wondered this because it would've been helpful several times.

~~~
the_pwner224
I'm no expert, but I think most enterprise & university networks enable client
isolation in the routers.

If I know the IP of a friend on the LAN, I can connect to him directly, as
normal - the connection will not be blocked by the router. But other than
that, the router shows my device a view of the world in which it is the only
thing connected to the LAN.

Enumerating the private IP space and trying to connect to all of the possible
addresses might reveal the actual stuff though? But the multicast protocols I
assume use a smarter and more efficient approach which gets blocked by client
isolation.

~~~
zylent
Client isolation is just wireless clients on the same AP. PIM routing acts
like a proxy, and the multicast address for whatever service you're routing will
be proxied to the client's local multicast address.

Ruckus calls it bonjour fencing, and has pretty good support for creating
useful policy.

[http://docs.ruckuswireless.com/smartzone/3.6.2/sz300-vszh-sc...](http://docs.ruckuswireless.com/smartzone/3.6.2/sz300-vszh-scg200-administrator-guide/GUID-538CB11D-E4D2-4C71-BEBF-3B0645E7D12E.html)

------
jbb67
I expect to read next that they blocked port 80 too because "security" and
it's Google's fault they can't get to web sites now.

------
jeffrallen
Wtf dude, you're a network admin, administer your network. Perhaps you should
read up on the end to end principle, instead of blaming the apps.

~~~
Spivak
I think the point is that admins _are_ administering their network.
Disallowing wireless clients from communicating with one another is SOP.

~~~
crankylinuxuser
No, they aren't.

Making a one-size-fits-badly policy is how you get large amounts of shadow IT
and assets on non-controlled machines.

The security policy has to balance with what the users are tasked with, and
what's expected. And when IT won't budge, you get really weird stuff
happening.

I've seen a professor running a Linksys NATed network on a uni LAN, precisely
because he needed control and lookup of IPs for his robotics setup. And uni IT
did their knuckle-dragging usual of nothing (blame the user). His solution was
"insecure", but that went to his real task as a robotics prof.

~~~
zelon88
This sounds to me like the prof tried to tell IT what to do instead of
explaining to IT what he wanted to accomplish.

If you came up to me and said "Hey I want to plug in my own router in my
office so I can have my own little WiFi network for my projects" I'd tell them
no, it's against policy, against SOP, against best everything, and it would be
an unmanaged, insecure, non-company asset (probably with default credentials
and unpatched firmware). I would then just nod my head at his hemming and
hawing and invite him to go over my head.

Now... If you came up to me and said "Hey I've got a ton of wireless devices
in my office that are related to my work. What would be the best way for me to
network them all together and isolate them from the rest of the network?" I'd
gladly draw up a plan to get the task done, order the assets that I want in my
shop (with company money), configure it the way I want, and then roll it out
and keep tabs on it.

Just doing whatever you want on the network because IT won't let you is asking
for trouble, and could/should get you fired.

~~~
dingaling
But if the prof doesn't have a budget or billable cost centre, you're just
going to shrug and he's back to "do it myself".

That's the most common problem users have with IT.

~~~
crankylinuxuser
Yep, and since he was one of the senior faculty teaching engineering (that the
uni started the new program for within the last 4 years), he's immune to these
kinds of "we'll fire you if you do X it thing".

He did not need WPA2 Enterprise wireless. WPA2 Personal would have sufficed for
his robotics... but "Policies". When he asked how to proceed, IT-Networks
responded with "We don't tell people how to do their networking. We enforce
policy."

He had contacts in IT (my director), and put me on it to make it work. So I helped
configure a better router, made sure DHCP and other protocols weren't leaking out
the WAN, and set a stupidly long PSK. Took me 0.5h to get a good environment set up.
And sure, it violated policy, but it was secure and enabled the prof to
continue his swarming robotics experiments.

------
viraptor
I'm curious what's the suggested alternative. If you have a self-setup device
with no physical interface, which can be accessible from any place on the
network - how would you do that?

Is there some kind of internal version of UPnP? NMB is theoretically possible,
but wouldn't work outside of specific environments.

------
amaccuish
Reminds me of trying to get Active Directory to work across firewalls. MSRPC
makes it a total nightmare with moving, randomly assigned ports.

~~~
g45y45
Yes, but this is MUCH easier today. Next-gen firewalls support Deep Packet
Inspection for MSRPC traffic; you can even whitelist specific RPC calls,
auto/temp allow the ephemeral ports, etc.

------
hannob
tl;dr "I run a network with some wonky Enterprise stuff that does weird things
I don't understand and it's Google's fault."

~~~
g45y45
Yeah, this was a lame rant. Just create a single-purpose SSID on your
enterprise wireless controller that supports peer-to-peer (client-to-client
connectivity). Bind the educational hardware to that, and everything is fine.
Really, I don't see Google doing anything wrong here...

~~~
elcritch
True, that sounds tenable, but dealing with multicast can be a pain. There's no
such thing as "enable p2p"; there's enable multicast and open specific ports
between clients, etc. Does Google give the IP and netmask for the multicast,
or the requirements for TTL, or even just the multicast ports used, etc.? Are
they even using multicast? It's all basic info which could readily be listed,
allowing a configuration to meet the user's needs. Having a single "wide open
on all ports" (e.g. consumer-grade) SSID on a network could be a significant
vulnerability vector.
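The two comments above (kbirkeland's suspicion that discovery runs over a link-local multicast protocol such as mDNS, and the question here about which address, port and TTL a network engineer would need to know) can be illustrated concretely. The following is an added example written for this thread, not code from Google, the blog author, or any product mentioned; it builds and parses an mDNS service query in the RFC 6762 wire format and classifies the destination address by the scope routers give it. The service name `_googlecast._tcp.local` is a constructed sample (the well-known Chromecast service type); the page does not say which service the classroom product actually advertises, so that is an assumption.

```python
from __future__ import annotations

import ipaddress
import struct

# mDNS parameters from RFC 6762: link-local multicast group, port and TTL.
# 224.0.0.0/24 is the Local Network Control Block: routers never forward it,
# which is why discovery built on it stays inside one L2 segment unless an
# mDNS proxy/reflector (the "Bonjour fencing" discussed above) relays it.
MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
MDNS_TTL = 255

# Constructed sample service type (assumption; not taken from the article).
SAMPLE_SERVICE = "_googlecast._tcp.local"


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name into wire-format length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_mdns_ptr_query(service: str) -> bytes:
    """Build a one-question mDNS PTR query for a service type."""
    # Header: ID=0 (mDNS queries use 0), flags=0 (standard query), QDCOUNT=1.
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    # QTYPE 12 = PTR, QCLASS 1 = IN; top bit clear asks for a multicast reply.
    question = encode_name(service) + struct.pack("!HH", 12, 1)
    return header + question


def decode_name(buf: bytes, offset: int) -> tuple[str, int]:
    """Decode a wire-format name; queries we build never use compression."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not supported here")
        labels.append(buf[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), offset


def parse_mdns_query(buf: bytes) -> list[dict]:
    """Return the question section of an mDNS query as a list of dicts."""
    if len(buf) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, *_ = struct.unpack("!HHHHHH", buf[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(buf, offset)
        qtype, qclass = struct.unpack("!HH", buf[offset:offset + 4])
        offset += 4
        questions.append({
            "name": name,
            "qtype": qtype,
            "qclass": qclass & 0x7FFF,
            # RFC 6762 reuses the top bit of QCLASS as the unicast-response flag.
            "unicast_response": bool(qclass & 0x8000),
        })
    return questions


def multicast_scope(addr: str) -> str:
    """Classify an IPv4 destination by how far routers will carry it."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        return "not-multicast"
    if ip in ipaddress.IPv4Network("224.0.0.0/24"):
        return "link-local"            # never routed, whatever the TTL says
    if ip in ipaddress.IPv4Network("239.0.0.0/8"):
        return "administratively-scoped"  # routed only where admins allow
    return "global"


if __name__ == "__main__":
    packet = build_mdns_ptr_query(SAMPLE_SERVICE)
    print(f"{len(packet)}-byte query to {MDNS_GROUP}:{MDNS_PORT}, TTL {MDNS_TTL}")
    print("questions:", parse_mdns_query(packet))
    print("scope of", MDNS_GROUP, "is", multicast_scope(MDNS_GROUP))
```

The point for a network engineer is in `multicast_scope`: because mDNS targets 224.0.0.251, no TTL or PIM setting makes it cross a router, and AP client isolation additionally blocks the unicast connection a client would open after discovery succeeds. Those are the concrete parameters (group, port, TTL, and the follow-on unicast ports) that the comment above asks a vendor to document.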

~~~
g45y45
There is enable p2p; it's called disabling client isolation mode. This isn't
even specifically about multicast. It's just that the peers (clients) cannot make
unicast connections to each other.

~~~
syshum
>> its called disabling client isolation mode.

So then you proved your statement wrong, there is not a setting or feature
called "enable p2p"

>This isn't even specifically about multicast

According to the article it is

~~~
g45y45
Buddy, client isolation mode or lack thereof is sometimes called allowing
'peer to peer' traffic. I understand the ambiguity over TCP P2P networks, but
given the context most network engineers know what you are talking about.
Regarding the article mentioning multicast -- the engineer SUSPECTS it's to do
with multicast. I'm saying it could be due to several configuration issues, but
most likely client isolation mode (aka not allowing peer-to-peer traffic). Why
pick a fight over this?

~~~
syshum
I am not your buddy, pal...

As far as picking a "fight", I was not; I was being technical. When it comes to
talking about technical things I prefer when people are technical. This is key
when writing technical documentation.

For example, if you were writing a technical doc you would not put in the doc
"Turn on P2P feature" as that feature does not exist, instead you would say
"To enable P2P communication, turn off Client Isolation"

One should be technical when talking about technical things, and assuming
"most network engineers know what you are talking about" is often how mistakes
are made...

I have seen companies lose millions because one engineer assumed another
engineer knew or thought about, or would perform, steps not included implicitly
in an instruction set.

