
Re: [LinkSec] linksec roadmap




Russ Housley wrote:
> 
> A bit of history.
> 
> When the VLAN standard began, several people advocated the use of SDE
> (802.10b) as the protocol.  Cisco was the most vocal proponent.  There were
> a whole bunch of people that were concerned that the encryption overhead
> would be too great.  The initial response to this was to specify the
> Identity encryption function.  In this case, the key identifier would
> provide the VLAN identifier.
> 
> After a few months, the wind direction changed, and the VLAN proposal that
> we all know was adopted.
> 
> The recently posted roadmap essentially proposes a return to the original
> proposal.
> 
> Russ
What was it about 802.10 that caused it to be a failure?  I'm anticipating that
the answer is the key-management layer (GULS?).

The roadmap had me somewhat confused, and maybe it's because I don't really
understand what the *application space* of VLANs is.  But it seems to me
that a LAN segment with a group-shared key suffers from the same problems as
a completely unsecured LAN segment--I can spy on my neighbours, and forge
traffic.  Having a single key that is shared among 500 of my nearest and
dearest is like having no key at all.  Granted, I won't be able to forge
traffic on a *different* VLAN, but that's only slightly better than nothing
at all.  But maybe that's not what Dennis intended?


-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Advisor                                  Phone: (ESN) 393-9145  +1 613 763 9145
Security Architecture and Planning       Fax:   (ESN) 393-9435  +1 613 763 9435
Nortel Networks                          mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------
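The objection above (a group key shared by every station on a VLAN stops cross-VLAN forgery but not forgery by a peer) can be shown in a few lines. The example below is added here as an illustration; it is not code from the thread, from 802.10/SDE, or from the roadmap. The frame layout (a `key_id` that doubles as the VLAN identifier, a source, a destination, a payload and an HMAC tag, with no encryption, in the spirit of the "Identity encryption function" Russ mentions), the station names and the keys are all constructed for the demonstration. It contrasts a receiver that picks the key by `key_id` alone (the group-key scheme) with one that picks a key by claimed source.

```python
"""Added example: group-shared VLAN key vs. per-station key.

Frame layout, keys and stations are hypothetical, constructed for this
illustration; this is not the SDE PDU format.
"""
import hashlib
import hmac
import os

# Constructed membership and keys (example data, not from the thread).
STATION_VLAN = {"alice": 10, "bob": 10, "carol": 10, "dave": 20}
VLAN_KEYS = {10: os.urandom(16), 20: os.urandom(16)}       # one key per VLAN
STATION_KEYS = {s: os.urandom(16) for s in STATION_VLAN}    # one key per station


def _tag(key, key_id, src, dst, payload):
    """HMAC over the header fields and payload (identity 'encryption': no
    confidentiality transform, only an integrity/origin tag)."""
    msg = key_id.to_bytes(2, "big") + src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_frame(tag_key, key_id, src, dst, payload):
    """Hypothetical frame: key_id doubles as the VLAN id; the tag covers the
    rest.  Whoever holds tag_key can claim any src they like."""
    return {"key_id": key_id, "src": src, "dst": dst, "payload": payload,
            "tag": _tag(tag_key, key_id, src, dst, payload)}


def verify_group(frame):
    """Receiver under the group-key scheme: the key is chosen by key_id alone,
    so the src field is never tied to who actually produced the tag."""
    key = VLAN_KEYS.get(frame["key_id"])
    if key is None:
        return False
    expected = _tag(key, frame["key_id"], frame["src"], frame["dst"], frame["payload"])
    return hmac.compare_digest(expected, frame["tag"])


def verify_per_station(frame):
    """Receiver under a per-sender-key scheme: the key is chosen by the claimed
    src, and src must really belong to the VLAN the frame claims."""
    src = frame["src"]
    if STATION_VLAN.get(src) != frame["key_id"]:
        return False
    expected = _tag(STATION_KEYS[src], frame["key_id"], src, frame["dst"], frame["payload"])
    return hmac.compare_digest(expected, frame["tag"])


def bob_forges_as_alice_group():
    """Bob holds VLAN 10's group key, so he can tag a frame as 'alice'."""
    f = build_frame(VLAN_KEYS[10], 10, "alice", "carol", b"pay bob 1000")
    return verify_group(f)            # True: peer forgery accepted


def dave_forges_into_vlan10_group():
    """Dave (VLAN 20) lacks VLAN 10's key; the best he can do is tag with his
    own key and lie in the key_id field."""
    f = build_frame(VLAN_KEYS[20], 10, "alice", "carol", b"pay dave 1000")
    return verify_group(f)            # False: cross-VLAN forgery rejected


def bob_forges_as_alice_per_station():
    """The same peer forgery when each station tags with its own key."""
    f = build_frame(STATION_KEYS["bob"], 10, "alice", "carol", b"pay bob 1000")
    return verify_per_station(f)      # False: bob does not hold alice's key


def alice_sends_per_station():
    """Sanity check: a genuine frame still verifies under per-station keys."""
    f = build_frame(STATION_KEYS["alice"], 10, "alice", "carol", b"hello")
    return verify_per_station(f)      # True


if __name__ == "__main__":
    print("group key, bob as alice   :", bob_forges_as_alice_group())
    print("group key, dave into VLAN10:", dave_forges_into_vlan10_group())
    print("per-station, bob as alice :", bob_forges_as_alice_per_station())
    print("per-station, alice genuine:", alice_sends_per_station())
```

The group-key receiver accepts Bob's frame claiming to be Alice and rejects Dave's, which is exactly the "slightly better than nothing" outcome the message describes; confidentiality under a group key collapses the same way, since every member holds the decryption key. The per-station variant here is the simplest possible contrast and still has a weakness worth noting: every receiver holds every sender's HMAC key, so a receiver could itself forge. Closing that needs either pairwise keys or per-station signatures, which is where the key-distribution burden the post asks about comes from.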