
RE: RE: [LinkSec] Requirements






> And yet, the real problem is that the MAC address is not 
> fixed, and can easily be spoofed.

Authentication of MAC addresses is a flaw, not a feature.  MAC addresses should NOT be used as the authenticated identity. Reasons:

1) The MAC address may not be 'end-to-end' over a 'link'
   example - IPsec with NAT
2) MAC addresses can be media specific
   ok for 802, but limits wider architectural application
3) Limits user mobility (versus device mobility)
4) Does not allow anonymous MAC addresses
   (802.11 currently allows easy tracking of users)
5) Spoofing of MAC addresses is not a risk when pair-wise keys are used
   (authentication is provided of originator and data without using addresses)
6) Devices may have multiple MAC addresses
7) Prevents architectural usage of VLAN tags with cryptographic mechanisms
   (much longer discussion ... several VLAN/partitioning options)
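
An added example, not part of the original message: a receiver that takes identity from the pair-wise key that verifies a frame and never from the source MAC, which illustrates items 4, 5 and 6 above. The HMAC-SHA-256 tag, the dict used as a frame, the "sa-..." security association names and the MAC values are assumptions made for illustration, and replay protection is left out.

```python
import hashlib
import hmac
import os

# Constructed pair-wise keys, indexed by security association (SA), not by MAC.
KEYS = {"sa-alice": os.urandom(32), "sa-bob": os.urandom(32)}

def _tag(key, sa_id, payload):
    # The tag binds the payload to the SA; the source MAC is deliberately not an input.
    return hmac.new(key, sa_id.encode() + b"\x00" + payload, hashlib.sha256).digest()

def protect(key, sa_id, src_mac, payload):
    """Sender: build a frame (a dict standing in for a real frame format)."""
    return {"src_mac": src_mac, "sa_id": sa_id, "payload": payload,
            "tag": _tag(key, sa_id, payload)}

def authenticate(frame, keys=KEYS):
    """Receiver: return the authenticated SA id, or None. src_mac is never consulted."""
    key = keys.get(frame["sa_id"])
    if key is None:
        return None
    ok = hmac.compare_digest(_tag(key, frame["sa_id"], frame["payload"]), frame["tag"])
    return frame["sa_id"] if ok else None

def demo():
    alice_mac, random_mac = "02:00:00:00:00:0a", "06:11:22:33:44:55"  # constructed
    results = {}
    # Same station, two different source addresses (items 4 and 6): same identity.
    results["alice_fixed_mac"] = authenticate(protect(KEYS["sa-alice"], "sa-alice", alice_mac, b"hello"))
    results["alice_random_mac"] = authenticate(protect(KEYS["sa-alice"], "sa-alice", random_mac, b"hello"))
    # Another key holder copies Alice's MAC: still identified as itself (item 5).
    results["bob_with_alice_mac"] = authenticate(protect(KEYS["sa-bob"], "sa-bob", alice_mac, b"hello"))
    # Copying the MAC and claiming Alice's SA without her key fails verification.
    results["claim_alice_sa"] = authenticate(protect(KEYS["sa-bob"], "sa-alice", alice_mac, b"hello"))
    # Payload altered after tagging is rejected.
    tampered = protect(KEYS["sa-alice"], "sa-alice", alice_mac, b"hello")
    tampered["payload"] = b"hellp"
    results["tampered"] = authenticate(tampered)
    return results

if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```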