
Re: [LinkSec] linksec roadmap

On Tue, 10 Dec 2002, Marcus Leech wrote:

> The roadmap had me somewhat confused, and maybe it's because I don't really
>   understand what the *application space* of VLANs is.  But it seems to me
>   that a LAN segment with a group-shared key suffers from the same problems as
>   a completely unsecured LAN segment--I can spy on my neighbours, and forge
>   traffic.  Having a single key that is shared among 500 of my nearest and
>   dearest is like having no key at all.  Granted, I won't be able to forge
>   traffic on a *different* VLAN, but that's only slightly better than nothing
>   at all.  But maybe that's not what Dennis intended?
>

In my trust model, group members trust each other because the group is
a "security group", in the sense that it requires authentication to join.
Once the group leader has taken the steps needed to be convinced
that a station and perhaps its user is trustworthy, it may admit the
station, depending on whether the station is authorized to join.

Granted, a station may misbehave after being given membership, in
which case group members are at *some* risk.  Precisely, they need only
be at risk with respect to link layer integrity because stations can still
take other steps at upper layers to protect privacy if they wish.  Limiting 
the consequences of the misbehavior to the group is the best one can do.

Dennis

> 
> -- 
> ----------------------------------------------------------------------
> Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
> Advisor                                  Phone: (ESN) 393-9145  +1 613 763 9145
> Security Architecture and Planning       Fax:   (ESN) 393-9435  +1 613 763 9435
> Nortel Networks                          mleech@nortelnetworks.com
> -----------------Expressed opinions are my own, not my employer's------
>
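The containment argument in this exchange, as an added toy model (not code from the LinkSec effort or from either poster): each VLAN is a security group whose leader hands one shared HMAC key to stations that pass authentication and authorization. Station names, the admission check and the HMAC-SHA256 frame tag are all assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets


class Vlan:
    """One security group: a single key shared by every admitted member."""

    def __init__(self, name):
        self.name = name
        self.key = secrets.token_bytes(32)   # group key, handed out on admission
        self.members = {}                    # station id -> its copy of the group key

    def admit(self, station, authenticated, authorized):
        # Group leader's decision: convince itself the station is trustworthy
        # (authentication), then check whether it is allowed in (authorization).
        if authenticated and authorized:
            self.members[station] = self.key
            return True
        return False


def tag_frame(key, src, payload):
    # Link-layer integrity tag over (claimed source, payload) under a group key.
    return hmac.new(key, src.encode() + b"|" + payload, hashlib.sha256).digest()


def frame_accepted(group, src, payload, tag):
    # A receiver on the VLAN verifies the tag with the group key it holds.
    return hmac.compare_digest(tag_frame(group.key, src, payload), tag)


def demo():
    a, b = Vlan("VLAN-A"), Vlan("VLAN-B")
    a.admit("alice", True, True)
    a.admit("mallory", True, True)              # admitted, then misbehaves
    b.admit("bob", True, True)
    outsider_ok = a.admit("eve", False, True)   # fails authentication: no key
    # Within the group: a member holding the shared key can tag a frame
    # that claims another member as its source, and peers will accept it.
    forged = tag_frame(a.members["mallory"], "alice", b"hello")
    insider_forgery_ok = frame_accepted(a, "alice", b"hello", forged)
    # Across groups: VLAN-B holds a different key, so the same station's
    # tags are rejected there; the damage stays inside VLAN-A.
    cross = tag_frame(a.members["mallory"], "bob", b"hello")
    cross_vlan_ok = frame_accepted(b, "bob", b"hello", cross)
    return outsider_ok, insider_forgery_ok, cross_vlan_ok
```

The three results show the trade-off both posters describe: authentication keeps outsiders out, the shared key gives no integrity against an admitted member, and a separate key per VLAN limits that exposure to the group.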