
RE: [LinkSec] Requirements

Mick:

This looks like it is going to be a good debate.  Several beers will 
probably be needed to settle it.  Either that, or we already violently 
agree and are using different words to describe it.

>I could not disagree more with the statement "At this layer, the MAC address
>is the identity that should be authenticated".
>
>What you want to authenticate depends on what you want to allow. If you want
>to allow someone using a PC to access a network through a network access
>point/network access port you want to be able to authenticate the person
>using (with trusted authority over) the PC and then securely associate all
>the frames from and intended for it with the PC's own attachment to the LAN, i.e.
>with its M-SAP in architectural speak. An M-SAP is not the same as M-SAP
>address.
>
>This may become clearer if you consider authenticating/authorizing the
>attachment of a bridge to a secured LAN. The addresses used by the bridge may
>be reasonably unknown at authentication/authorization time, and the address
>associated with the bridge port for management protocol purposes is only
>peripherally relevant (it could change it without any impact on the
>authorized communications). What needs authenticating are the credentials
>that the bridge has for placing traffic on the secured LAN (or segregated
>portion of the LAN) and what needs authorizing is transmission and reception
>at the M-SAP (the MAC Internal Layer Service uses the same M-SAPs as the MAC
>Service).

If you want distributed or remote enforcement to occur at layer 2, then the 
identity must be meaningful at layer 2.

The points that you make support my assertion that higher-layer identities 
may need to be authenticated in the authorization process.  In your first 
example, the identity of the human using the PC is being authenticated, 
then an M-SAP is enabled (or disabled) based on the success (or failure) of 
the authentication.  Now, if remote enforcement of an access control 
decision that is based on the identity of the human user is to be performed 
at layer 2 (perhaps packet filtering), then for the duration of the 
session, the MAC address needs to be associated with the privileges of that 
human user.

Russ
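The mechanism Russ describes (authenticate a higher-layer identity such as the human user, then, for the life of the session, bind the result to the station's layer-2 attachment so that per-frame enforcement can be done at layer 2) is easy to see in a small model. The following is an added example written for this page; it is not code from the LinkSec thread or from either author. The credential store, the ethertype-based privilege sets, the fixed session lifetime and the simulated clock are all assumptions made for illustration. The only real constant is 0x888E, the EAPOL ethertype used for 802.1X authentication frames. The binding key is the (port, MAC) pair rather than the MAC alone, which reflects Mick's distinction between the M-SAP and the M-SAP address: the same MAC showing up on a different port is not covered by the session.

```python
"""Toy model of layer-2 port access control: authenticate a user credential,
bind the authorization to the (port, MAC) attachment for the session, and
filter every subsequent frame using only layer-2 fields.

Added example, not code from the LinkSec thread. Credential store, privilege
sets and session lifetime are assumed values chosen for illustration."""

from dataclasses import dataclass

EAPOL = 0x888E   # 802.1X authentication frames; must pass before any session exists
IPV4 = 0x0800
ARP = 0x0806
IPV6 = 0x86DD

# Assumed credential store: credential -> (user name, ethertypes the user may send).
# In a real deployment this lookup is an authentication server, not a dict.
USERS = {
    "alice-secret": ("alice", frozenset({IPV4, ARP, IPV6})),
    "guest-secret": ("guest", frozenset({IPV4, ARP})),
}


@dataclass(frozen=True)
class Frame:
    """The layer-2 facts the enforcement point can see: ingress port, source MAC, ethertype."""
    port: str
    src_mac: str
    ethertype: int


@dataclass
class Session:
    """Authenticated higher-layer identity bound to one (port, MAC) attachment."""
    user: str
    allowed: frozenset
    expires_at: float


class PortAccessController:
    def __init__(self, credentials, session_lifetime=3600.0):
        self.credentials = credentials
        self.session_lifetime = session_lifetime
        self.sessions = {}      # (port, mac) -> Session
        self.clock = 0.0        # simulated time so expiry is deterministic

    def tick(self, seconds):
        self.clock += seconds

    def authenticate(self, port, mac, credential):
        """Authenticate the higher-layer identity; on success bind it to (port, mac).
        Returns the user name, or None if authentication failed (and clears any
        stale binding for that attachment)."""
        entry = self.credentials.get(credential)
        if entry is None:
            self.sessions.pop((port, mac), None)
            return None
        user, allowed = entry
        self.sessions[(port, mac)] = Session(user, allowed, self.clock + self.session_lifetime)
        return user

    def logoff(self, port, mac):
        """End the session; the attachment goes back to unauthenticated."""
        self.sessions.pop((port, mac), None)

    def filter(self, frame):
        """Per-frame layer-2 enforcement. The decision never consults the user
        name directly: it goes through the (port, MAC) binding established above."""
        if frame.ethertype == EAPOL:
            return "permit"                      # authentication traffic is always allowed
        key = (frame.port, frame.src_mac)
        session = self.sessions.get(key)
        if session is None:
            return "deny:unauthenticated"        # no binding for this attachment
        if session.expires_at <= self.clock:
            del self.sessions[key]               # session lifetime over; drop the binding
            return "deny:expired"
        if frame.ethertype not in session.allowed:
            return "deny:unauthorized"           # authenticated, but not privileged for this traffic
        return "permit"


def demo():
    """Walk through one authenticated session and return the decisions taken."""
    pac = PortAccessController(USERS, session_lifetime=10)
    decisions = []
    decisions.append(pac.filter(Frame("port1", "00:11:22:33:44:55", IPV4)))   # before auth
    decisions.append(pac.filter(Frame("port1", "00:11:22:33:44:55", EAPOL)))  # auth traffic
    pac.authenticate("port1", "00:11:22:33:44:55", "alice-secret")
    decisions.append(pac.filter(Frame("port1", "00:11:22:33:44:55", IPV6)))   # alice may send IPv6
    decisions.append(pac.filter(Frame("port2", "00:11:22:33:44:55", IPV4)))   # same MAC, other port
    pac.tick(11)
    decisions.append(pac.filter(Frame("port1", "00:11:22:33:44:55", IPV4)))   # session expired
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The point the model makes explicit is the one in Russ's last paragraph: the user's privileges are looked up by user name only once, at authentication time, and from then on every forwarding decision is keyed on something the layer-2 enforcement point can actually see. It also shows the limit of that approach: the binding is only as trustworthy as the source MAC in each frame, which is why Mick's wording asks for the frames to be securely associated with the attachment rather than merely carrying the right address.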