
RE: [LinkSec] Requirements

Mick Seaman writes...
 
> Well that's all very nice, but if you can't accommodate a 
> bridge attaching to a LAN within your secure architecture 
> then it is going to be irrelevant (again). If you want to 
> separately authenticate all MAC addresses in the network 
> to all the access points that they might pass through 
> that's nice but it certainly isn't the solution that any 
> of us working on MAN Service provision with secured LAN 
> access points would find scaleable, or just plain
> workable.

Mick, I think that Jesse's point was that MAC address is the 
only viable surrogate for username that is attached to each
and every packet in the 802 architecture.  Once you have
established a security association for a user, granting that
user access to the network, you need a convenient and 
efficient mechanism to weed out the authorized packets from 
the unauthorized packets.  In the end, the ability to 
correctly decrypt a packet, using the appropriate key, is 
the test of legitimacy.  However, all practical systems 
that I know of need to choose the key based on some convenient
security association label -- and at Layer 2 that's the 
source MAC address.  

Of course a bridge could be considered a user, but if it
is a transparent bridge and has no unique source MAC address
of its own to serve as a surrogate per-packet username label,
I don't see how you're going to effectively triage the 
packets.

Regards,

Dave Nelson
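The triage mechanism Dave describes above, as an added example that is not part of the original thread: the source MAC only selects the security association, and a successful integrity check under that SA's key is what decides legitimacy. The MAC addresses, keys and the HMAC tag (standing in for decryption under an authenticated cipher) are assumptions of this example; the "bridged" case shows a frame whose source MAC was carried unchanged through a transparent bridge and so matches no SA.

```python
import hmac
import hashlib

# Constructed security-association table: source MAC -> per-station key.
# MAC addresses and keys are sample values for this example only.
SA_TABLE = {
    bytes.fromhex("00a0c9000001"): b"key-for-station-A",
    bytes.fromhex("00a0c9000002"): b"key-for-station-B",
}
TAG_LEN = 16  # truncated HMAC-SHA256 tag; stands in for an AEAD tag here


def protect(src_mac: bytes, key: bytes, payload: bytes) -> bytes:
    """Sender side: src MAC (6 bytes) | payload | integrity tag under the SA key."""
    tag = hmac.new(key, src_mac + payload, hashlib.sha256).digest()[:TAG_LEN]
    return src_mac + payload + tag


def triage(frame: bytes, sa_table=SA_TABLE):
    """Receiver side. Returns (verdict, payload); the MAC picks the SA, the tag decides."""
    if len(frame) < 6 + TAG_LEN:
        return ("malformed", None)
    src_mac, body, tag = frame[:6], frame[6:-TAG_LEN], frame[-TAG_LEN:]
    key = sa_table.get(src_mac)
    if key is None:                      # no SA under this label: nothing to verify against
        return ("no-sa", None)
    expected = hmac.new(key, src_mac + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return ("bad-tag", None)         # label is known, but sender lacks that SA's key
    return ("accept", body)


def run_cases():
    """Constructed frames covering the cases discussed in the thread."""
    mac_a = bytes.fromhex("00a0c9000001")
    mac_b = bytes.fromhex("00a0c9000002")
    bridged_host = bytes.fromhex("00a0c9000099")  # host MAC forwarded unchanged by a bridge
    good = protect(mac_a, SA_TABLE[mac_a], b"hello")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # flip one bit of the tag
    return {
        "legit": triage(good)[0],
        "spoofed": triage(protect(mac_a, SA_TABLE[mac_b], b"hello"))[0],  # B claims A's MAC
        "bridged": triage(protect(bridged_host, b"some-key", b"hello"))[0],
        "tampered": triage(tampered)[0],
    }
```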