On Thursday, May 13, I moderated the LAN Access Security panel at Interop. On the panel, we had (in alphabetical order) Paul Congdon of Hewlett-Packard, who is also vice chair of the 802.1 working group; Geoff Horne of Infoblox, who helps customers implement large-scale network services, including authentication; Christian MacDonald of Funk, who knows everything about Funk’s RADIUS servers, and almost everything about what people plug in to them; and Rodney Thayer, an independent security consultant and author of the Network World article on the iLabs. We were up on stage to answer questions from conference attendees on the iLabs. Although the panel is free and open to the public, not everybody can make the trip to Las Vegas. For the benefit of those who couldn’t make it (or chose not to visit), here’s a rough summary of what we discussed.

Question: What are the relative merits of Protected EAP (PEAP) and Tunneled TLS (TTLS)?

• The protocols themselves are very similar from an architectural perspective. Both use a TLS-encrypted channel to secure older authentication methods. Network-to-user authentication is handled with a server certificate, and the user-to-network authentication is done with a “legacy authentication method” that may include password-based authentication. The first (network-to-user) stage is sometimes referred to as the “outer” authentication because it establishes the tunnel used to protect the “inner” (user-to-network) authentication in the second stage.
• Sometimes, one or the other may fit better into your network, based on the type of user database that you have. PEAP requires that your inner authentication method be defined as an EAP method, while TTLS imposes no such requirement. In practice, PEAP is useful for authenticating against Active Directories using EAP-MS-CHAP-V2 as the inner authentication method, while TTLS is useful for authenticating against reusable (plaintext) password databases. Many corporations use Windows and Active Directory, and PEAP is a natural choice. Reusable passwords are often stored in an LDAP directory; as a result, TTLS is often favored by universities.
• The two methods differ in implementation complexity. Chris Hessing, the lead developer of xsupplicant, was part of the iLabs LAN Access Security team this year. He has written code for both TTLS and PEAP, and found that TTLS was much easier to implement. I had hoped for him to be on the panel to speak in more detail, but he was unable to do so.
• Recent drafts of PEAP are adding support for features that make it more flexible. The current draft has support for Type/Length/Value (TLV) attributes, which can provide much more extensibility to the protocol. The use of TLV encoding also gives PEAP the ability to pass arbitrary data around, which has been part of TTLS from the beginning.

Question: Is cleartext password authentication a good idea or a bad idea?
First, a bit of background: There are many ways to use passwords to authenticate users. The simplest method is to submit a user name and a password to an authentication server, and wait for its response. More complex methods may perform challenge-response exchanges based on the password. In the former case, the password from the user is submitted to the authentication server in the clear (or using reversible encryption, so the authentication server can recover the password submitted for validation). Cleartext authentication is often used with passwords that are stored as one-way hashes such as MD5 or SHA-1. When the password is received, it is hashed and compared to the stored value. If the hashes match, the password was almost certainly correct and access can be granted. This type of authentication is typically used with LDAP directories, which often can only validate passwords given to them in cleartext.

• As a general principle, it’s better to authenticate, even weakly, than to leave connections unauthenticated, provided that the weak authentication cannot be spoofed. Wireless network authentication protocols were designed to protect older weaker authentication methods (including reusable passwords) with strong encryption to dramatically reduce the risk. Cleartext authentication, secured by TLS, is definitely better than giving up.
• Cleartext authentication is not as bad an idea as it might sound at first glance. By using TTLS/PAP, the cleartext authentication is protected by a TLS tunnel and is not subject to eavesdropping. The key is to ensure that the password is protected all the way from the client to the server. On the front end, the password is secured by the TLS tunnel from the supplicant to the TTLS server. The cleartext password is recovered, and the back-end request with, say an LDAP client, can be secured by a second SSL session.
• As another general principle, it is also good not to redefine user databases specifically for wireless networks. Depending on what the existing user database supports, you may need to do cleartext authentication. Many LDAP directories, for example, do not support anything other than cleartext authentication. (Though, it should be noted, every widely-used directory server implementation can secure the cleartext authentication requests inside of an SSL tunnel.) As a result, most directories need to be front-ended by TTLS/PAP.

Question: How can you choose an appropriate EAP method?

• This is one of the major challenges facing the industry. There are a number of EAP methods, and there is not a great deal of guidance for users. There is very little written guidance for users on the how the plethora of methods differ and how to select an appropriate protocol.
• Paul Congdon of HP stated that this was a usability problem, and that the Wi-Fi Alliance could address it through the WPA certification program. Rather than the free-for-all it is now, WPA certification could require certain EAP methods (as well as inner authentication methods) to be implemented before granting certification to products.
• (This was not mentioned on the panel, but I include it for completeness.) During the LAN Access Security class, I included a reference to an Internet-Draft that reviews shared-secret authentication EAP methods written by Florent Bersani at France Telecom. After the show, I found an Internet-Draft that reviewed requirements for EAP methods for use on 802.11 networks, written by Jesse Walker, of “Unsafe at Any Key Length Fame.”

Question: What is the high-level summary of the interoperability test results?

• Interoperability is generally quite good. We had several RADIUS servers, more than a dozen APs, and several supplicants. We tested over 150 (supplicant, AP, authentication server) tuples and found that most of them worked flawlessly on the first try.
• Most of our testing was with WPA, with some exceptions. xsupplicant does not yet support WPA because it depends on lower-level primitive operations to set link-layer encryption keys dynamically. Those operations are in place for WEP, but not for WPA. Additionally, most of the testing used TKIP, the RC4-based replacement for dynamic WEP. Only a few products supported CCMP, the new AES-based privacy algorithm. We did have a demonstration in the booth, but we were not able to test enough devices with support for CCMP to offer opinions on its interoperability.
• The major interoperability problem we had was with VLAN assignment. At the 2003 iLabs, there were only two products that could dynamically assign users to VLANs. There was no standard for how to assign users to VLANs, though RFC 3580 had almost emerged from the IETF as a final document. (It was on draft 26, if my memory is correct.) This year, nearly every access point supported some form of dynamic VLAN assignment, though many did not follow the standard. RFC 3580 says that a user may be assigned to a VLAN by taking the ASCII representation of the VLAN tag number and passing that to the access point in the Tunnel-Private-Group-ID attribute. Some vendors required a vendor-specific attribute rather than Tunnel-Private-Group-ID, and many vendors used the Tunnel-Private-Group-ID in the wrong way. By far, the most common incorrect use was to expect the VLAN number, but as an integer rather than a string. (To deal with this common incorrect use, I wrote code for Radiator.)

Question: What is the state of the art on security? Have the security problems been “fixed”?

• The panel agreed that substantial progress has been made in addressing the outstanding security issues. TKIP is substantially better than anything based on WEP, including WEP with dynamic keys. With two exceptions (which, for the record, includes me), the panel felt that TKIP (WPA version 1) was good enough for large-scale deployment.
• My personal opinion on WPA is that there are still substantial theoretical weaknesses in TKIP. TKIP was designed for backwards-compatibility with WEP-based hardware, and it shows. For example, TKIP includes countermeasures that are invoked upon detection of certain types of attacks against the new integrity check, called Michael. I do not consider the existence of countermeasures to be a feature. Rather, they indicate how weak the revised integrity check is. (I should note that Michael is as good as it can be, given that it was designed to be compatible with WEP-based hardware. Its flaws are inherited from backwards-compatibility. Within its design constraint, Michael is quite clever.) Instead of implementing TKIP (WPA 1), I recommend using CCMP, the AES-based algorithm in 802.11i.

Question: How is wireless driving the standards process?

• I answered a slightly different version of the question than the one posed by the audience member. Wireless networks are causing changes in the standards, but they are also causing network engineers to re-think the way they build networks. For example, one of the organizations I worked with started off with two VLANs on their network. A VLAN for the users, and a VLAN for the servers. That way, the server network would be isolated from any problems on the user network. When they initially deployed a wireless LAN, anybody who could authenticate successfully was attached to the user network. However, the equipment they selected for their wireless network was capable of dynamic VLAN assignment, and could do much more than attach everybody to the same VLAN. As part of a later core network upgrade, they redesigned the network so that there was a VLAN for each department. Then, in Active Directory, they associated each VLAN with a user group. As a result, when a user authenticates to a network, he or she is attached to a network that was built to serve departmental needs only. Access control between the different functional groups can be built into the core network equipment, enhancing security of the network from internal attacks.
• Paul Congdon answered the real question. There are notable gaps in the specifications that have appeared because of the differences between wireless and wired networks, and working groups have formed to close those gaps. 802.1X was originally intended for wired networks, and the 802.1X state machine reflects that. A working group called 802.1X-rev (formerly 802.1aa) is revising the state machine to better fit on wireless networks. He also mentioned two other groups. 802.1ae is working on MAC security, and 802.1af is working on “key agreement.” Key management has been a problem on wireless networks. Right now, the generation and distribution of link layer keys is not formally specified anywhere. Keys are sent from authentication servers to access points through the use of Microsoft vendor-specific attributes in an ad hoc standard that the industry has adopted. By formally specifying where keys come from and how they are transported, it should be possible to make more interoperable products as well as enhance the security of keying mechanisms.

Question: What will the state of the art in wireless LANs be next year?

• User identity will become a larger component of network engineering, especially as it relates to policy. User identification has traditionally been absent from the LAN world because it has been assumed that if you can connect, you are authorized. Policies have usually been based on location or IP address. With user identity available, more tools will develop to use the identity to control and direct traffic.
• In a related point, the RADIUS clients in access points will need to grow up and become much more feature-rich. RADIUS is a AAA (authentication, authorization, and accounting) server implementation. 802.1X is the first A in AAA, and every AP in our testbed supports authenticating users. With the implementation of dynamic VLAN assignment, APs are moving towards a more active role with the second A as well. Nearly every AP in the iLabs network supported dynamic VLAN assignment. VLANs can be used to assign network privileges, but there is a large list of other authorization attributes that can be enforced. It would be possible, given a suitable set of RADIUS attributes, to restrict access to particular physical locations, APs that support certain types of encryption (e.g. WPA but not WEP), and apply additional traffic filters to a user. A few advanced products have already begun to extend authorization beyond VLANs, and we expect that number to grow in the coming year.
• As an additional type of authorization attribute, the panel discussed something which we broadly called “network integrity protection.” Authorization depends on two factors: the user identity, plus the machine’s configuration. Obviously, the user must be identified as an authorized network user before granting access. However, the level of access can be made to depend on the state of the machine. Users sessions coming from machines that have up-to-date software are given the full privileges the user is entitled to. If the machine is not up to date with required operating system patches and additional security software, such as anti-virus with current signatures, then the session will be connected to a “quarantine” network with less access. Typically, quarantine networks have captive web portals that offer instructions on how to update software to bring them in to line with the policies. At the iLabs, we had products from Sygate and ZoneLabs to demonstrate this; they are both part of a larger organization called the Trusted Computing Group. TCG’s work is the first step towards more extensive protection at the edge from user machines.
• VLAN assignment will be worked out. Next year, most, if not all, products should comply with the relevant standards. There was, admittedly, a hint of irony in our tone because we said the same thing last year. Last year, however, the standards were still in draft form. Next year, RFC 3580 will be a year and a half old, so there is no excuse for not complying with it.

What else should the panel audience have asked?

Related link: http://edocuments.oreilly.com/

We’ve just launched a new line of O’Reilly Network eDocuments — affordable, downloadable PDFs of premium O’Reilly Network content.

Our eDocuments will range from collections of related O’Reilly Network articles to in-depth and timely treatments of topics that fall somewhere between an article and a book. O’Reilly’s eDocuments are available in PDF format with no restrictions on the ability to save, copy, or print these documents. You can instantly download the PDF from your O’Reilly account management page once you’ve purchased it online, and permanent links to all the PDFs you purchase will remain available to you there indefinitely. If you need to access the information when you’re traveling or away from your normal computer, no problem, just visit your O’Reilly account page and grab it again.

We’re starting out covering topics like digital media, Java vs. .NET security, and Web Services. Visit edocuments.oreilly.com to see our first batch of offerings, and check back often as we’ll be adding new titles regularly.

We welcome your feedback on these new products. Please feel free to drop me an email or comment at the bottom of this weblog with your thoughts about PDF-based eDocuments and any ideas you have for topics you’d like to see us cover in this format.

Please let us know what you think about our new eDocuments.

Related link: http://www.scaled.com

Video clips associated with this article can be found here.

Special thanks to Trekmail, a provider of multimedia messaging services for cellular networks, and Nacio Systems, a co-location and managed hosting service provider, for hosting the Quicktime streaming video clips for this article.

---

About two weeks ago, Burt Rutan’s airplane design shop, Scaled Composites , announced that they would attempt the first manned suborbital space flight in a privately built aircraft. Rutan is a living legend in the aviation community, and prior to Monday’s flight, was best known for Voyager, the first aircraft to circumnavigate the globe without refueling.

It is rare that you have an opportunity to watch history. If successful, this flight would be a historic moment in aviation, on par with Kitty Hawk and Charles Lindberg’s solo flight across the Atlantic. Nothing like this had been done before. This would be the first time that a completely new aircraft design, built entirely with private funds, would be launched into space.

When news of the flight broke, I decided to rent a plane fly down to Mojave to watch the flight in person. I am a pilot, and having not flown for a couple of years, decided this was a perfect excuse to get back in the cockpit and go for a ride. So I booked a Cessna 182 and an instructor at West Valley Flying Club and started planning my trip. I suppose we could have driven down to Mojave, but since this would be the first flight of a privately built spaceplane, it only seemed appropriate to fly down.

Since I had not flown for a couple years, I was not legal to fly as pilot in command (PIC), so I went down with Nick Ulman, a physicist and part-time instructor at West Valley. West Valley is a great place to learn to fly. They have about 70 airplanes available to rent, ranging from tailwheels that can land on dirt runways to high-performance turboprop planes. If you live in the Bay Area and are thinking about learning to fly, check them out, they operate out of San Carlos (KSQL), Palo Alto (KPAO) and most recently, Hayward (KHWD).

Joining us for the ride were Richard Quinn, a planetary scientist at JPL who is working on upcoming Mars missions in 2007 and 2009, and Moses Corrette, a city planner and architectural historian. Moses is also an amateur videographer, and brought a handheld DV camera along for the ride to document our “road trip”. The video clips linked to this article were produced using iMovie on a Powerbook running OS X. (I had never made a video before, and was astonished at how intuitive Apple has made this process).

They say getting there is half the fun, and that was certainly the case with our two-day “road” trip to the high desert.

---

Flight Currency

Flying an airplane isn’t like driving a car. You can not set foot in a car for months, even years, and still remember how to drive it. If you forget something, you can always pull over. This isn’t really an option when you’re cruising along at about 150mph several thousand feet above the earth. Controlling the airplane is pretty easy once you learn to fly, but that’s only a small part of traveling safely from point A to point B. Procedures, finer points of flying the aircraft (such as proper fuel/air mixture settings), and dealing with complicated air traffic control procedures are the things you forget first. So the FAA has some common sense rules that dictate what you need to do to stay current, or legal to fly as pilot in command. Since I had not set foot in a small aircraft in two years, I was definitely not current.

Fortunately, there was no shortage of flight instructors who were eager to make the trip to Mojave to watch the launch of Spaceship One. It seemed like any pilot who could play hookey on Monday called in sick and either flew or drove to watch the launch.

Planning the Trip

For a short flight in your local area, such as a Bay Tour, you generally don’t need to plan every minute detail. You call the local flight service station (FSS) for a weather briefing, plot your route on a sectional map, and off you go. If you’re familiar with the local airports, airspace and weather trends, you can generally plot a rough course, grab a plane, do your pre-flight inspection and go.

Longer trips outside familiar territory require thorough planning because, at a 150 miles per hour, a common speed for a higher performance single engine plane, you can cover a lot of ground, and can easily get lost even if the weather is good. Adverse weather is a small plane’s worst enemy, and the leading cause of small aircraft accidents. Fly into bad weather when you’re not prepared for it, and you can easily get lost and/or kill yourself.

One thing you learn flying airplanes is that your definition of bad weather changes dramatically. The weather has to be REALLY bad before you’d think twice about driving. Even in the most perilous weather, you have the option of driving REALLY SLOWLY, so if you spin out of control on I-80 during a snowstorm, you do so at 5 or 10 miles per hour, fast enough to wreck a paint job, but not much else. You don’t have this option in an airplane. In a small airplane, slow flight means about 70mph. If you get lost and fly into the side of a hill at 70mph, you’ll have a very bad day.

Bad weather, also known as IMC (Instrument Meteorological Conditions) is defined as follows: visibility less than 3 miles, ceiling (cloud level) below 1,000 feet (higher than all but the tallest skyscrapers). It doesn’t even need to be raining. A hazy day with low clouds, a common occurence along the California coastline, can be IMC, which means that in order to fly, you need to be rated to fly IFR (under Instrument Flight Rules). Flying IFR means that you control and navigate the airplane solely by reference to cockpit instrumentation except during takeoff and landing.

In addition to visibility, you also need to watch out for high winds. Most small airplanes can’t land well in strong crosswinds (where the wind is blowing across the runway instead of down the centerline).

To plan a cross-country plane trip, you need to do the following:

1) Select a safe route that gives you lots of options, usually this means avoiding long stretches of open water, rugged terrain, and also selecting a path that is close to small airports, or if airports are scarce, open land where you can make a forced landing in the event of engine trouble.

2) Call for a weather briefing, or go to DUATS, an online briefing and flight plan filing system for pilots. Check that current and forecast weather along the route exceeds the minimum requirements for both pilot and airplane. Modify the route as needed to avoid adverse conditions.

3) Once you’ve refined the route, consult the pilot’s operating handbook (aircraft owner’s manual) to determine how much fuel will be required for the flight (including reserves), and how much payload the aircraft can carry with this fuel load. Often you are forced to trade fuel for payload. If you fly three passengers and top of the tanks, you may be over the maximum takeoff weight. If you’re flying close to maximum weight, you might need to add a fuel stop to the route.

4) File a flight plan with the FAA. This is optional if you are flying under visual flight rules, but mandatory if you are flying under instrument flight rules. You can file online, by phone, or by radio once you are in the air. If you are taking off in instrument conditions, you have to file before you take off.

Our Flight Plan To Mojave

For the flight to Mojave, we originally planned to fly from Palo Alto, CA (KPAO) directly to Mojave, CA (KMHV), the same airport where the Spaceship One flight was planned. Unfortunately, Mojave airport was closed to private aircraft several days prior to launch due to limited parking/tie-down space. If you knew someone at Scaled Composites, you could get in, but otherwise, no luck. That was the official reason.

I think the real reason was that they did not want the event to be marred by accidents at the airport. The high desert is very windy, especially in the afternoon and evening, when many people would be attempting to land. High, gusty winds and small airplanes are not a happy combination. If hundreds of small planes had converged on Mojave Sunday afternoon and evening, I think it’s likely the place would be littered with more than one bent airplane.

There are two small aiports close to Mojave, General Fox and Palmdale (PMD), both of which we considered. We planned to fly to one of them if the forecast looked good, and planned to fly into Burbank (KBUR), about 70 miles south, if the not. By Sunday, the forecast was for high winds, so we decided to go to Burbank and do some sightseeing along the coast and over Los Angeles on the way in. It added an hour to the trip, but safety is always #1 when planning a flight. It’s a cliched saying that “Takes are optional, landings are mandatory,” but it’s true.

After rechecking the weather, we settled on the following route to Burbank:

• Palo Alto (KPAO) to Woodside VOR (OSI)
• Woodside (OSI) to Salinas (SNS)
• Salinas (SNS) to Paso Robles (PRB)
• Paso Robles (PRB) to Morro Bay (MQO)
• Morro Bay (MQO) to Gaviato (GVO)
• Gavioto (GVO) to San Marcus (RZS)
• San Marcus (RZS) to Burbank/Bob Hope Airport (KBUR)

Weather conditions along the route, except for the coastline near San Luis Obispo (KSBP), were good, so Richard and Moses had a good view. I decided to fly simulated instrument conditions and wore a hood for most of the trip. It was a smooth, uneventful flight. Everyone except me enjoyed the view along the coast.

Route From Palo Alto to Salinas (San Francisco Sectional Map)
We flew from Palo Alto airport to Woodside VOR, then to Santa Cruz and Salinas along a victor airway (standard route for VFR traffic). San Jose Airport and Moffett Field are at the south end of the San Francisco Bay.

Route From Salinas to Paso Robles (San Francisco Sectional)
We flew from Santa Cruz to Salinas, and then down along 101 to Paso Robles.

Route From Paso Robles to Santa Maria (LA Sectional)
We flew from Paso Robles to Morro Bay, and then south to Gaviato VOR, a route which took us past Santa Maria. We had to divert inland slightly due to heavy coastal fog south of San Luis.

Route From Santa Maria to Fillmore VOR
This route took us along the coast near Santa Barbara.

Approach into Burbank (Visual Flight Plan)
Approach from Fillmore VOR to Burbank airport for straight in landing on runway 8. We filed IFR (Instrument Flight Rules) and flew the ILS Runway 8 approach, see IFR chart later in this article.

Since I had not flown in two years and was rusty, I wanted to squeeze in as much training as I could. We filed an instrument flight plan into the Los Angeles area. Apart from enabling you to fly in poor weather, flying IFR makes flying into complicated airspace much simpler. You just follow published procedures and/or air traffic control instructions. You’re much less likely to get lost and accidentally blunder into restricted airspace.

We then flew the ILS (Instrument Landing System) approach to runway 8 at Burbank (KBUR - ILS RWY 8). When you fly an ILS approach, you fly along a directional radio beacon that is aligned with the runway centerline, and is angled approximately 3 degrees above the horizon. If you fly along the center of this beam, you pop out of the clouds with the runway directly ahead of you. Our approach is plotted on the chart below.

The ILS approach went well, I popped out of the simulated clouds (lifted my visor) at an altitude of about 400 feet. The runway was slightly to the right, and I was right on glideslope. I made a minor course correction to get onto the runway centerline and set up for landing. The Cessna 182 we were flying was a bit faster and heaver than the Cessna 172 I was used to. The 182 is easier to fly precisely, but it’s slower to respond when landing, and requires more aggressive steering to make the plane go where you want it to.

Landing is really the trickiest part of flying because it is essentially a controlled crash. The basic idea is to enter a flare (pull the nose up slightly) when you’re close to the runway. You pull the throttle back to idle and hold the airplane so it is flying level just a few feet above the runway, and keep pulling back on the stick. As you’re doing this, the airplane slows down, eventually to its stall speed (the speed at which the wings stop producing lift). At that point, the airplane falls onto the runway. If all goes well, the plane falls a foot or two and gently squeaks onto the runway. If you botch the flare or get thrown off by the wind, you land with more of a thud. It was windy, I was rusty and flying an unfamiliar aircraft, so we landed with a bit of a whack.

The Drive to Mojave

We taxied the Cessna over to Mercury Air Center to park the plane and pick up our rental car. We felt self-conscious about parking at Millionaire, since none of us were millionaires and our rented Cessna would look pretty lame parked next to Gulfstream jets, kind of like a beat up Pinto next to a Jaguar. The lobby of Mercury Air was littered with signed photos from celebrities who seemed to travel primarily by private jet. It was fun listening to the receptionist taking calls from who knows who, the key phrase I kept hearing was “incognito… of course”. I pictured Britney Spears walking into the lobby with a bag over her head, as if being seen boarding a private jet bound for Trinidad was somehow a bad thing.

We picked up our car and headed up routes 5 and 14 to the town of Mojave. The ride was pretty uneventful, with little to report except the sameness of the strip malls that lined the highway.

Mojave is a small town which the media persistently described as “the middle of nowhere”. A note to people who work for the press … if your reference points are Manhattan, LA or San Francisco, everything is “the middle of nowhere”. Try living in a small town for a while to adjust your expectations. Most small towns don’t have five star hotels, boutique restaurants, and pedestrian districts. Mojave is close to Palmdale to the south, which might as well be called Lockeed Town, and Edwards Air Force Base to the east. It is in the high desert, so not surprisingly it is full of cowboy types, people who are into weird airplanes, and cowboy types who are into weird airplanes (see also Burt Rutan).

Launch Day

We arrive at Mojave airport at 6:00am. About 12,000 other people had the same idea. Mojave airport is not LAX, and is not normally equipped to handle this kind of crowd. A small army of local police officers, Civil Air Patrol cadets and volunteers directed traffic and generally prevented the event from degenerating into total chaos.

Unlike Space Shuttle launches, where spectators are kept at least three miles away from the launchpad, we were able to walk right up to the taxiway leading to the active runway. The aircraft would later taxi out directly past us. People lined the taxiway with just about every type of recording device imaginable.

Spaceship One, like most Rutan designs, is simple and elegant. While most aircraft built today rely on sophisticated electronic controls, Spaceship One has no automatic controls, and is flown entirely by hand. Rutan’s design eliminates unnecessary weight and complexity, and therefore the number of things that can go wrong. It is interesting to note that Spaceship One is the first supersonic airplane to fly with manual controls since the X-1, the first aircraft to break the sound barrier, flown by Chuck Yeager.

Spaceship One is a small single motor rocketplane. It is carried up to an altitude of 50,000 feet by a larger mothership named White Knight. The mated aircraft were scheduled to take off, weather permitting, at 6:30am, and would take about an hour to climb up to 50,000 feet.
Upon reaching their target altitude, White Knight would drop Spaceship One, which would ignite its hybrid rocket engine once clear of the mothership. The rocket burn was slated to last 70-80 seconds and would accelerate Spaceship One to Mach 3.5. The spaceplane would coast in freefall to an apogee, peak altitude, of 360,000 feet (the planned altitude for the flight), and would then fall back to re-enter the earth’s atmopshere.

The pilot, Mike Melville, would experience up to 5 G’s of deceleration during re-entry, and would hand fly the aircraft, and glide back to Mojave airport for a dead stick (no engine) landing about 20 minutes later. The entire operation would last about an hour and a half.

Before the launch, some of us discussed what might go wrong during the flight. While Rutan’s group was confident enough to invite the public to watch the launch, all of knew that the attempt was very risky. Before Spaceship One, no civilian aircraft had broken the sound barrier, much less flown a suborbital trajectory. Most people seemed to be worried about the rocket engine exploding, but this was probably the least risky part of the flight. Among our main worries were:

• A flight control malfunction would occur, causing the aircraft to tumble out of control when outside of the atmosphere
• A catastrophic structural failure during re-entry
• Failure of the feathered wing to swing properly into place for re-entry

In fact, the spacecraft experienced a serious problem with its flight controls during its ascent to orbital flight. The aircraft abruptly rolled 90 degrees, and nearly tumbled out of control. Melville used a backup control system to regain control of the ship, but flew 20 miles off course within a matter of seconds. Were it not for the backup controls, the flight may have ended with a tragic mishap. This malfunction was visible from the ground if you looked closely at the contrail from the rocket engine. The ship should have flown in an almost straight line as seen from the ground, but instead appeared to swerve slightly. The pilot also reported hearing a loud bang during the flight, whose cause is still being investigated.

After regaining control of the ship, Melville coasted up to an altitude of 328,400 feet, just a few hundred feet above the 328,000 foot (60 kilometer) mark (the internationally recognized boundary of space). The flight was planned to fly to 360,000 feet, but the control problem forced the ship off course. The ship re-entered the atmosphere as planned, and as it passed overhead, spectators heard two sonic booms as it descended for its return to Mojave.

A few minutes later, we spotted Spaceship One and its chase planes as the circled the field to set up for landing. The ship came in for a perfect landing, and was followed a few minutes later by White Knight. From the spectators’ perspective it was a perfect launch and landing, we only learned of the serious control problem later in the day.

The Trip Back to San Francisco

Since we played hookey to watch the launch, we milled around for a short while, and then headed back to Burbank for the return flight to Palo Alto. For the flight back, we decided to fly along I-5 in the Central Valley. The weather in Los Angeles was IFR, with low ceilings, and about 2 miles visibility in haze.

We departed from Burbank runway 15, and were vectored by air traffic control toward Santa Barbara, and then over the coastal mountains toward the central valley. Our return route was as follows:

• Burbank (KBUR), Van Nuys 7 Departure to Gorman (GMN)
• Gorman (GMN) to Avenal (AVE)
• Avenal (AVE) to Priest (ROM)
• Priest (ROM) to Palo Alto via GPS RWY 31 Approach (KPAO)

We flew in actual instrument conditions out of the Los Angeles basin, and broke through the cloud tops around 3,000 feet. I flew simulated instrument conditions (under the hood) all the way to Palo Alto, including a simulated GPS approach for a straight in landing on runway 31.

Afterthoughts

It’s rare that you have the opportunity to watch the beginning of a new era, and that’s what happened in the high desert on Monday. Rutan and his group proved that they can build spaceplanes without government patronage. Rutan will surely follow this invention with others, and other airplane designers will follow his lead. While I don’t think we’ll be hopping cheap flights to space on Jet Blue anytime soon, I am quite certain that by the time I reach retirement age, I’ll have the opportunity to fly into space, even if it is a relatively short joyride.

I suspect that most people, given the opportunity, would like to see the view from space. It seems to me that it is one of those things that everyone should do once in their lifetime. My guess is that space tourism will develop much like commercial flight did. It will start as an adventure for the idle rich, and as the technology is refined and mass produced, will eventually be within the reach of ordinary people. Predicting the future of technology is a dangerous sport, but I think it is a safe bet that a mass produced variant of something like Spaceship One is feasible, and that at the very least, we’ll be able to take short rides to suborbital space within a decade or so. How much will it cost, and how much will people pay? I don’t have a clue, but now that space flight is open to entrepreneurs, I think it is safe to predict that we are at the beginning of a period of rapid innovation, and who knows where that could ultimately lead.

A lot can happen in 30 years. To put things in perspective, the Apollo program lasted just ten years.

How much would you pay for a suborbital joyride?

Acknowledgements

Special thanks to Trekmail, a provider of multimedia messaging (voice email) services for cellular networks, and Nacio Systems, a co-location and managed hosting service provider, for hosting the Quicktime video clips associated with this article.

Remarks

We don’t have any good video of the rocket burn because the sun was almost directly behind Spaceship One when it was launched. If anyone has video of the launch posted online, please let us know so we can link to it.

Departing Palo Alto

Pre-flight inspection, runup and departure from Palo Alto, CA (KPAO). We flew from Palo Alto, south along the California coast to Los Angeles.

Approach and landing at Burbank

We filed IFR (Instrument Flight Rules) into Los Angeles. I flew a simulated ILS (Instrument Landing System) approach to runway 8 at Burbank (KBUR). The approach was good, but the landing wasn’t my finest.

White Knight Taxi & Takeoff

White Knight, with Spaceship One beneath its fuselage, taxis out and takes off from Mojave Airport (KMHV) shortly after 6:30am local time on Monday, June 21st6.

White Knight Climbs to 50,000 Feet

White Knight and chase planes during their climb to 50,000 feet. The sleek, swept wing aircraft at the end of the climb is a Beech Starship, another famous Rutan design.

Spaceship One Landing

Spaceship One, followed by chase planes, lands after its historic surborbital flight.

White Knight Flyby and Landing

White Knight does a victory lap around the airport and lands shortly after Spaceship One.

Returning to Palo Alto

Taxi and takeoff from Burbank, CA (KBUR). We took off in instrument conditions (2.5 miles visibility, low ceiling with haze). We broke through the cloudtops at about 3,000 feet.

I’m currently delayed on a runway to Atlanta. My flight was originally scheduled for a 4:15 departure. We pulled away from the gate shortly after 5:00, and it’s now 6:30. Our delay is so long that we’ve pulled off to a side area while we wait for Chicago to reopen before departing, and the seat belt sign is off. As pacification, we’re also allowed to use electronics.

A good number of folks are working on laptop computers, which is a common enough sight these days. However, wireless WAN access is getting common enough that a notable number of passengers have Internet access. (Obviously, I include myself in that statement, since I’m writing this entry through my GPRS uplink.)

One passenger two rows ahead of me called a meteorologist in Chicago and found out that there was nothing much serious at the airport, and began to question the flight crew about it. They dismissed the passenger’s “I’m on the phone with a weatherman in Chicago…” statement as an unsupported assertion.

Rising to the implied challenge, a second passenger went to AccuWeather’s O’Hare radar map and pulled up the radar map of the area around Chicago, which didn’t show much. For good measure, he also pulled up the North Central regional radar map, which showed storms in Milwaukee and Cleveland, but again, nothing much in Chicago. Nonetheless, I find it amusing that air travelers now have sufficient access to information that they can’t be kept totally in the dark. The mantra of “Trust, but verify” has come to my flight out on a lonely corner of Atlanta’s tarmac.

(As an unrelated note, at times like these, I curse airlines that don’t provide laptop power in the plane, since I’m now running through my second battery of the delay, and once it drain’s, I’ll be out of juice.)