
RE: RE: [LinkSec] Requirements




I agree that MAC address authentication has many security issues.
However, the motivation to support such a 'feature' these days is mostly
driven by customer requirements, mostly to have support of legacy device
authentication schemes like PAP.  This especially applies to devices
such as printers, etc., which do not support more sophisticated
authentication schemes.

-----Original Message-----
From: Paul Lambert [mailto:PaulLambert@AirgoNetworks.Com] 
Sent: Thursday, December 12, 2002 1:24 PM
To: Clint Chaplin; stds-802-linksec@ieee.org
Subject: RE: RE: [LinkSec] Requirements




> And yet, the real problem is that the MAC address is not 
> fixed, and can easily be spoofed.

Authentication of MAC addresses is a flaw not a feature.  MAC addresses
should NOT be used as the authenticated identity. Reasons:

1) The MAC address may not be 'end-to-end' over a 'link'
   example - IPsec with NAT
2) MAC addresses can be media specific
   ok for 802, but limits wider architectural application
3) Limits user mobility (versus device mobility)
4) Does not allow anonymous MAC addresses
   (802.11 currently allows easy tracking of users)
5) Spoofing of MAC addresses is not a risk when pair-wise keys are used
   (authentication is provided of originator and data without using addresses)
6) Devices may have multiple MAC addresses
7) Prevent architectural usage of vlan tags with cryptographic mechanisms
   (much longer discussion ... several vlan/partitioning options)
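
Point 5 above, as an added example that is not part of the original messages: a receiver that authenticates frames with a pair-wise key selected by an association identifier, so the source MAC address is only data carried in the frame. The HMAC-SHA256 tag, the frame layout, the `sa-1` identifier and all function and class names are assumptions made for illustration, and the sample addresses are constructed.

```python
import hashlib
import hmac
import os

def tag(key, assoc_id, src_mac, payload):
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (assoc_id, src_mac, payload))
    return hmac.new(key, msg, hashlib.sha256).digest()

def send(key, assoc_id, src_mac, payload):
    return (assoc_id, src_mac, payload, tag(key, assoc_id, src_mac, payload))

class Receiver:
    """Identity comes from the key that verifies the frame, never from the MAC."""
    def __init__(self):
        self.assocs = {}  # association id -> (identity, pair-wise key)

    def associate(self, assoc_id, identity, key):
        self.assocs[assoc_id] = (identity, key)

    def verify(self, frame):
        # Replay counters are left out to keep the focus on addressing.
        assoc_id, src_mac, payload, frame_tag = frame
        if assoc_id not in self.assocs:
            return None
        identity, key = self.assocs[assoc_id]
        expected = tag(key, assoc_id, src_mac, payload)
        return identity if hmac.compare_digest(expected, frame_tag) else None

def demo():
    rx = Receiver()
    key = os.urandom(32)                       # pair-wise key from a prior key agreement (assumed)
    rx.associate(b"sa-1", "printer-3rd-floor", key)
    burned_in = bytes.fromhex("020000000001")  # constructed sample addresses
    randomised = bytes.fromhex("06a1b2c3d4e5")
    a, m, p, t = send(key, b"sa-1", burned_in, b"job")
    return {
        "legit": rx.verify((a, m, p, t)),
        # Same station, different MAC (points 4 and 6): still authenticates.
        "rotated_mac": rx.verify(send(key, b"sa-1", randomised, b"job")),
        # Copied MAC and association id but no key: rejected.
        "spoofed_mac": rx.verify(send(os.urandom(32), b"sa-1", burned_in, b"job")),
        # Payload altered in transit: rejected.
        "tampered": rx.verify((a, m, b"JOB", t)),
    }

if __name__ == "__main__":
    print(demo())
```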