
Re: [802SEC] +++ SEC EMAIL BLLOT +++ MOTION: Authorize the Link Security Exec SG to become an 802.1 SG




Hello Ken -

At 10:27 24/02/2003 -0500, Ken Alonge wrote:
>Hello Tony-
>
>Nice to see you weighing in on the discussion.

Thank you - my apologies for my late arrival in this part of the 
discussion, but I was away from the office most of last week.


>I apologize if my statement about MAC-oriented working groups caused
>confusion -- I was not referring to .1 in that context.  There had been some
>early discussion about placement of the SG -- one of the options being
>proposed was to potentially put it in .3 or .11.

Neither of those options are (as far as I am aware) being seriously 
considered. I'm sure Bob and/or Stuart will correct me if I am wrong.

>The comments I made in my
>initial e-mail were two-fold: first, that the deck appeared to be stacked
>with .1 players,

Not sure what you are implying here, Ken. Dolors's statements about 
participation were that the majority of participation came from 802.1 *and* 
802.3, plus some participation from other 802 groups. However, if what you 
mean by "stacking the deck" is active and constructive 
participation/assistance in the work of the SG, then I guess that both 
802.1 and 802.3 stand accused. Personally, I feel that it is a great shame 
that the same accusation cannot be made of 802.10.

>and; second, that I was afraid that the SG might wind up in
>a MAC-oriented WG.  These were separate concerns, but I see now how they
>could have been lumped together and give the impression that I was including
>.1 in the latter concern.

As I mentioned above, I don't believe that there is any serious suggestion 
that this work be carried out within any of the MAC groups.


>You raise a good point about the .10 charter currently being limited to
>answering questions about our security standards and providing maintenance,
>as necessary.  My opinion in my e-mail to the Exec is that I believe that
>any PAR created by the study group should be placed in .10, which would have
>the effect of modifying our charter.  While it is true that we are
>hibernating, the body of security expertise that .10 brought together to
>develop our set of standards is still available and some of them will,
>hopefully, be able to support a new security effort.  Like I also stated, it
>is a very unfortunate situation that we are in because of funding, that I'm
>unable to guarantee our participation.  The reality is that we are stuck
>between the proverbial "rock and a hard place" in trying to do what we
>believe is best for 802 security and, at the same time, trying not to put
>802 in a bind if it turns out that we can't fully participate.  If .10 is
>able to come out of hibernation and our members are able to support the new
>security effort, we would certainly encourage and welcome the participation
>of the .1 security engineers, as well as those from other working groups.
>There are a lot of "ifs" and I certainly don't want to mislead anyone about
>the probability of our continued participation.  Right now the funding
>situation is looking better, but the timing might not permit me to attend
>the March plenary.  I believe Russ will be there in any event though.

Ken, there are way too many "ifs" and "buts" in what you have said here.

The people that are currently interested in driving this work forward 
deserve better than to be told that they will be placed in a working group 
that might or might not be able to resurrect itself depending on whether or 
not the funding scene changes, and frankly, it seems to me that continuing 
to propose placement in 802.10 in the absence of any certainty that such a 
thing is feasible simply serves to muddy the waters. The SG perfectly 
reasonably want to be able to get on with some real work. It is the 
expressed wish of those people that want to do the work that the SG should 
be placed in 802.1. Similarly, 802.1 has made it clear that the activity 
would be welcome, as would be participation in that activity by all 
relevant experts, including 802.10 experts, that choose to join in.

Right now, what is under consideration is the placement of the study group, 
not the final destination of any work that the SG might decide is necessary 
- that is a decision for the SEC once any PAR(s) generated by the SG get 
approved. Maybe if you are able to commit to reincarnating 802.10 when we 
come to make decisions on the placement of PARs, then it would stand a 
chance of being given serious consideration.


>We have always been able to work well together in the past for the
>betterment of our standards and I'm sure that we will continue to do so in
>the future, no matter what the outcome of this particular issue.

Absolutely.

Regards,
Tony

>Respectfully,
>
>Ken
>
>----- Original Message -----
>From: "Tony Jeffree" <tony@jeffree.co.uk>
>To: "Ken Alonge" <kenneth.alonge@verizon.net>
>Cc: "Dolors Sala" <dolors@ieee.org>; "Russ Housley" <housley@vigilsec.com>;
>"Paul Nikolich" <p.nikolich@ieee.org>; "Geoff Thompson"
><gthompso@nortelnetworks.com>; "IEEE802" <stds-802-sec@ieee.org>
>Sent: Sunday, February 23, 2003 6:30 AM
>Subject: Re: [802SEC] +++ SEC EMAIL BLLOT +++ MOTION: Authorize the Link
>Security Exec SG to become an 802.1 SG
>
>
> >
> > Ken -
> >
> > I think it is high time to inject a bit of reality into this discussion.
> >
> > Firstly, it is not at all clear to me what you mean when you describe 802.1
> > as a MAC-oriented working group. Our charter is 802's architecture,
> > interworking, and higher (than MAC) layer issues. I would certainly agree
> > that the link security activity should not be buried within one of the
> > MAC-specific groups (.3, .11, ...etc.), but I see nothing about the
> > existing charter of 802.1 that doesn't make it a good fit for us.
> >
> > Secondly, you talk about 802.10 and its charter being the best fit for this
> > activity. If 802.10 existed in any meaningful way right now, I would
> > perhaps agree with you; however, as you have acknowledged, active
> > participation by 802.10 members is a problem for them in these
> > funding-challenged times, and they have been conspicuous by their absence
> > at meetings of the link sec study group to date. Having said that, the
> > meetings we have held do not seem to have suffered from a lack of security
> > expertise - just not expertise that used to be in 802.10.
> >
> > Thirdly, 802.1 is not without its own track record, however small, in
> > developing security standards. In fact, it is arguably the case that 802.1
> > is, to date, the only 802 working group that has developed a successful
> > security standard for LANs; unlike the 802.10 standards, 802.1X has been
> > implemented, and found to be useful, by a significant number of vendors. As
> > a consequence, we now have participants in 802.1 that are there
> > specifically to work on security issues; this is, in fact, one of the
> > reasons that 802.1 made the offer to host the link sec SG, as these
> > particular experts wanted to avoid the potential for conflicting meeting
> > times if the two activities were kept separate.
> >
> > A final point. Strictly speaking, as 802.10 is a hibernating group, the
> > charter of 802.10 is restricted to exactly one thing right now; performing
> > any maintenance that is required for the standards that they developed when
> > they were an active WG. It has no charter with regard to any new work. That
> > being the case, whatever new work comes out of this activity will, of
> > necessity, result in the creation of a new charter, either by extending the
> > charter of an existing (active) working group, or re-chartering hibernating
> > group, or chartering a new working group altogether. When making that
> > decision, it would make absolutely no sense to me to place the work within
> > 802 in a way that conflicts with existing non MAC-specific activity in the
> > security area, all of which currently resides in 802.1.
> >
> > Regards,
> > Tony
> >
> > At 23:14 20/02/2003 -0500, Ken Alonge wrote:
> >
> > >Dolors-
> > >
> > >I was copied on a few e-mails from you last fall, but then they stopped -- I
> > >assume that is when you switched to the reflector.  I guess I missed the
> > >notification that a reflector was established for the study group
> > >discussions.  The last thing that I heard was that Russ Housley was
> > >participating in some conference calls regarding the EPON security issues,
> > >until I was notified this week of the current ballot. So, unfortunately, I
> > >am not up to speed as to what has been discussed over the past few months.
> > >
> > >I'm glad to see that there is representation from multiple working groups in
> > >the study group, but as you point out the majority of the people are from
> > >.1, which (as you also pointed out) is the 802 architecture group.  While
> > >the security matters on the table have some architectural component, they
> > >are by far technical security issues that I feel should be addressed by the
> > >802 security working group (which is the charter of .10).  I can certainly
> > >appreciate and applaud the effort that you and the other participants
> > >have put into the study group thus far, security can be a daunting task,
> > >both from a technical and political perspective.
> > >
> > >My point about the MAC-oriented WG was to delineate between the technical
> > >protocol and hardware engineering issues that each MAC group deals with (the
> > >things they are good at) versus the serious technical security issues that
> > >the security working group deals with (the things that we are good at).  I
> > >guess what I'm trying to say is that security engineers wouldn't do nearly
> > >as good a job designing a MAC interface, as engineers trained to build
> > >hardware, and vice versa (evidence .11 WEP).
> > >
> > >At this point there are no guarantees that any of the .10 WG members will
> > >get funding to bring .10 out of hibernation, which is an unfortunate
> > >situation that leaves 802 and the study group hanging.  I would like to be
> > >able to tell you definitely that one or more of our members will participate
> > >in the study group, but I can't make any commitment for us at this point,
> > >even though I believe that .10 is the working group into which the SEC
> > >should direct the resultant PAR.  We're pretty much in a Catch 22 situation
> > >and all we can do is hope that a government sponsor will come through for
> > >us.  As you stated, there are deadlines that the SG is trying to meet and we
> > >certainly don't want to stand in the way of progress, but to be sure any
> > >resultant security solution has got to be absolutely correct, in order to
> > >avoid another 802 black eye.
> > >
> > >By the way, I attempted to join the LinkSec reflector, but was informed by
> > >the majordomo that "linksec" was not a recognized group.  Can you tell me
> > >the correct group name to put on the "subscribe" line?
> > >
> > >We can have further discussions of the technical security issues via the
> > >reflector, but I think the political wranglings should be in full view of
> > >the SEC.
> > >
> > >Respectfully,
> > >
> > >Ken
> > >
> > >----- Original Message -----
> > >From: "Dolors Sala" <dolors@ieee.org>
> > >To: "Paul Nikolich" <p.nikolich@ieee.org>; "Ken Alonge"
> > ><kenneth.alonge@verizon.net>; "Geoff Thompson"
> > ><gthompso@nortelnetworks.com>; "IEEE802" <stds-802-sec@ieee.org>
> > >Cc: "Russ Housley" <housley@vigilsec.com>
> > >Sent: Thursday, February 20, 2003 4:11 PM
> > >Subject: Re: [802SEC] +++ SEC EMAIL BLLOT +++ MOTION: Authorize the Link
> > >Security Exec SG to become an 802.1 SG
> > >
> > >
> > > >
> > > > Dear Ken,
> > > >
> > > > I am glad to hear that the 802.10 members may finally get their personal
> > > > funding issues resolved to participate in this effort soon. The current
> > > > economical environment makes funding a challenge for a lot of individuals
> > > > and companies. And we are making everything possible to make participation
> > > > accessible to everyone.
> > > >
> > > > As you know, I have personally updated you as chairman of 802.10WG since
> > > > this effort started early September 2002 until the formation of the SG.
> > > > After that I have posted all the information to the reflector. No concerns
> > > > have been voiced in there and currently there are members from at least
> > > > 802.1, 802.3, 802.11, 802.15 and even 802.10.
> > > >
> > > > To give you an update of the first official SG meeting, we had up to 70
> > > > participants in the meeting. It is true we have very strong participation
> > > > from 802.1 but also from 802.3, and some participation from 802.11. This
> > > > includes security experts, bridging experts and MAC experts. Thanks to this
> > > > participation we have been able to agree on a placement of the project but
> > > > also on a work plan and make progress towards consensus, and more
> > > > importantly a critical mass with the right expertise to take the job.
> > > > (Obviously, we will get more participants as the process moves forward.) So
> > > > from my point of view, all 802.1 members, as well as all other participants,
> > > > deserve my full respect for taking their time and resources to attend the
> > > > meetings and work on this project.
> > > >
> > > > At the same time, your opinion is also respected. I personally was not aware
> > > > of it. I would like to ask you to elaborate more on your proposal, although
> > > > it would have been useful to bring it to the group first. Do you plan to
> > > > post this to the SG reflector?
> > > >
> > > > Can you please elaborate on the advantages of being part of 802.10 and
> > > > outline the disadvantages of being part of 802.1? If you review the minutes
> > > > of the SG, I personally asked 802.1 officers to elaborate on the technical
> > > > constraints due to being part of 802.1. The answer was none. 802.1 is the
> > > > group "owning" the architecture issues of 802 and it is not restricted to
> > > > the traditional layer location they have been working so far. 802.1 is
> > > > focused on the global view of 802 networks instead of specific MACs. This in
> > > > fact was the reason for not doing it in 802.3. Therefore, this combined with
> > > > the attraction of security experts to the group meets the initial motivation
> > > > of this effort. If you think it doesn't, can you please elaborate on this?
> > > > What do you mean with the following statement: "This SG will wind up in a
> > > > MAC-oriented working group rather than in a non-biased security-oriented
> > > > working group".
> > > >
> > > > I would like to remind that we are not approving a standard with this
> > > > decision. We are just letting it start. The EPON people are trying to get
> > > > this process running since EFM started early 2001. There is a real market
> > > > need with real deadlines, especially in Asia, waiting for this solution.
> > > >
> > > > Ken, can you please explain how you want to proceed? Do you want time in the
> > > > SG agenda to present your proposal? Or in the opening or closing SEC
> > > > meeting? You are saying there are no guarantees yet that any of you can
> > > > attend the meeting. With the due respect, I am not sure what you are
> > > > requesting. Should we take this to the SG reflector over email?
> > > >
> > > > Respectfully,
> > > >
> > > > Dolors
> > > >
> > > > ----- Original Message -----
> > > > From: "Paul Nikolich" <paul.nikolich@att.net>
> > > > To: "Ken Alonge" <kenneth.alonge@verizon.net>; "Geoff Thompson"
> > > > <gthompso@nortelnetworks.com>; "Paul Nikolich" <p.nikolich@ieee.org>;
> > > > "IEEE802" <stds-802-sec@ieee.org>
> > > > Cc: "Russ Housley" <housley@vigilsec.com>; "Dolors Sala (E-mail)"
> > > > <dolors@ieee.org>
> > > > Sent: Wednesday, February 19, 2003 9:01 PM
> > > > Subject: Re: [802SEC] +++ SEC EMAIL BLLOT +++ MOTION: Authorize the Link
> > > > Security Exec SG to become an 802.1 SG
> > > >
> > > >
> > > > > Dear SEC,
> > > > >
> > > > > Attached is a message from Ken Alonge, the Chairman of the hibernating
> > > > > 802.10 Security WG, on the ECSG Motion.
> > > > >
> > > > > (Bob O'Hara, please add Ken to the SEC reflector list.)
> > > > >
> > > > > Regards,
> > > > >
> > > > > --Paul Nikolich
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Ken Alonge" <kenneth.alonge@verizon.net>
> > > > > To: "Geoff Thompson" <gthompso@nortelnetworks.com>; "Paul Nikolich"
> > > > > <p.nikolich@ieee.org>
> > > > > Cc: "Russ Housley" <housley@vigilsec.com>; "Dolors Sala (E-mail)"
> > > > > <dolors@ieee.org>
> > > > > Sent: Wednesday, February 19, 2003 4:46 PM
> > > > > Subject: Re: [802SEC] +++ SEC EMAIL BLLOT +++ MOTION: Authorize the Link
> > > > > Security Exec SG to become an 802.1 SG
> > > > >
> > > > >
> > > > > > Paul and Geoff-
> > > > > >
> > > > > > I couldn't agree with Geoff's position more.  I think it is a grave mistake
> > > > > > to vote (at this point) to put the study group into 802.1.
> > > > > >
> > > > > > It seems to me (and was voiced to you by Russ Housley) that the deck was
> > > > > > stacked by the fact that the LinkSec study group meeting was held in
> > > > > > conjunction with an 802.1 interim meeting. Some of the other working groups
> > > > > > that have an interest in the SG had conflicting meetings during or near the
> > > > > > time of the SG meeting and therefore could not attend. It's obvious that the
> > > > > > recommendation coming out of that meeting would be to move the SG into .1
> > > > > > since most of the attendees were from .1, and it seems that members of .1
> > > > > > are the ones driving this e-mail ballot.
> > > > > >
> > > > > > The other problem that I have with this is that it appears that this SG,
> > > > > > which is focused on critical 802 security issues, will wind up in a
> > > > > > MAC-oriented working group rather than in a non-biased security-oriented
> > > > > > working group, such as .10.  We clearly see, and the industry is still
> > > > > > feeling, the result of the .11 security fiasco.  Can 802 afford another
> > > > > > oops?
> > > > > >
> > > > > > Russ is pursuing funding from Government sponsors for both himself and me so
> > > > > > that we can unhibernate .10, if need be, in order to deal with the 802
> > > > > > security issues.  My guess is that we will be successful in getting the
> > > > > > required funding if 802 decides that .10 is where these issues should be
> > > > > > handled.  It is also a possibility that the other two key .10 members (Dick
> > > > > > McAllister and Joe Maley) could get funding to participate, if .10 comes out
> > > > > > of hibernation.
> > > > > >
> > > > > > There is a possibility that I might be able to attend the March plenary to
> > > > > > discuss this further in person, but that depends on contractual issues that
> > > > > > are currently in the works and which probably won't get resolved until late
> > > > > > this week or early next week.
> > > > > >
> > > > > > Ken Alonge
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Geoff Thompson" <gthompso@nortelnetworks.com>
> > > > > > To: "Paul Nikolich" <p.nikolich@ieee.org>
> > > > > > Cc: "IEEE802" <stds-802-sec@ieee.org>; "Dolors Sala (E-mail)"
> > > > > > <dolors@ieee.org>
> > > > > > Sent: Tuesday, February 18, 2003 11:36 AM
> > > > > > Subject: Re: [802SEC] +++ SEC EMAIL BLLOT +++ MOTION: Authorize the Link
> > > > > > Security Exec SG to become an 802.1 SG
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > Colleagues-
> > > > > > >
> > > > > > > I vote DISAPPROVE
> > > > > > > Further, were this vote to come up on the agenda for Monday morning, I
> > > > > > > would move to defer the decision until Friday.
> > > > > > >
> > > > > > > By conducting this as an e-mail ballot we are taking a vote of the SEC. By
> > > > > > > conducting this vote at the closing plenary as I consider proper, we would
> > > > > > > (hopefully) have the input of the body of the Working Groups.
> > > > > > >
> > > > > > > It is my opinion that this sort of 802 structural decision will have far
> > > > > > > reaching consequences for each/all of the Working Groups and should not be
> > > > > > > taken lightly.
> > > > > > >
> > > > > > > Respectfully,
> > > > > > >
> > > > > > > Geoff
> > > > > > >
> > > > > > >
> > > > > > > At 02:04 PM 2/12/2003 -0500, Paul Nikolich wrote:
> > > > > > >
> > > > > > > >Dear SEC,
> > > > > > > >
> > > > > > > >This is a 10 day SEC email ballot to make a determination on the below SEC
> > > > > > > >motion to authorize the Link Security Executive Study Group to become an
> > > > > > > >802.1 Study Group. Moved by Tony Jeffree, seconded by Bob Grow.
> > > > > > > >
> > > > > > > >The email ballot opens on Wednesday February 11 2PM EST and closes Friday
> > > > > > > >February 21 2PM EST.
> > > > > > > >
> > > > > > > >Please direct your responses to the SEC reflector.
> > > > > > > >
> > > > > > > >Regards,
> > > > > > > >
> > > > > > > >--Paul Nikolich
> > > > > > > >Chairman, IEEE 802 LMSC
> > > > > > > >
> > > > > > > >MOTION: "The SEC resolves that the Link Security Study Group will become a
> > > > > > > >study group of the 802.1 HiLi working group, effective from the start of
> > > > > > > >the March 802 Plenary meeting."
> > > > > > > >
> > > > > > > >MOVER: Tony Jeffree
> > > > > > > >SECOND: Bob Grow
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> >
> > Regards,
> > Tony
> >
> >

Regards,
Tony