
RE: Key Identification RE: [LinkSec] Requirements





Identifying the security association with the MAC address is not the same as authenticating the MAC address or using the MAC address as the peer identity.  So ... I sort-of agree with some of your points.

However:
1) MAC addresses are not adequate for identification of broadcast 'security associations'.
2) VLANs need to be considered as part of the 'security association' identification.
3) Bridges may play tricks with MAC addresses (yes in a 'pure' architecture they should not).  ARP proxies are an example ...

MAC addresses should not be used in certificates (if we get around to using certificates).  This degree of MAC address binding/authentication is inappropriate.  Useful devices may have many MAC addresses, it limits user mobility, etc...


Paul



> -----Original Message-----
> From: Russ Housley [mailto:housley@vigilsec.com]
> Sent: Monday, December 16, 2002 12:05 PM
> To: Paul Lambert
> Cc: stds-802-linksec@ieee.org
> Subject: Re: Key Identification RE: [LinkSec] Requirements
> 
> 
> Paul:
> 
> > >The only possible identifier for the key that can be used at this level are MAC
> > >addresses, unless of course someone wants to invent a new 802 architecture.
> >
> >Yes ... the MAC address is very useful for identifying a key, although a keyID, SAID,
> >or SPI mechanism could also be used.  Using a MAC address to identify an
> >association/key is not the same as authenticating the MAC address.
> 
> Security Association Identifiers (SAIDs) are useful. However, they ought to be
> transient.  I envision the MAC address as the identifier for the layer 2
> participant in the security protocol.  This is more static than an SAID.
> 
> Russ
> 
>
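As an added illustration of the SA-identification choices argued over in this exchange (not code from the thread or from any 802 draft; every MAC address, VLAN, key, SAID and the frame layout is constructed), this Python models three ways a receiver could pick the security association for an incoming frame: by sender MAC alone, by sender MAC plus VLAN, and by an explicit transient SAID carried in the frame. It also shows what happens to each lookup when a proxying bridge re-sources the frame.

```python
import struct

BROADCAST = b"\xff" * 6
STATION_A = bytes.fromhex("02aabbcc0001")  # constructed: a station in VLANs 10 and 20
BRIDGE = bytes.fromhex("02aabbcc00ff")     # constructed: a bridge that proxies ARP for it
ETYPE = b"\x88\xb5"                        # placeholder ethertype for the constructed header

# SA table: transient SAID -> (peer MAC, VLAN, key).  All values are constructed.
SA_TABLE = {
    0x11: (STATION_A, 10, b"group-key-vlan10"),
    0x22: (STATION_A, 20, b"group-key-vlan20"),
}

def build_frame(dst, src, vlan, said):
    """dst(6) src(6) [802.1Q tag(4)] ETYPE(2) SAID(1) payload  (constructed layout)."""
    tag = b"\x81\x00" + struct.pack("!H", vlan) if vlan is not None else b""
    return dst + src + tag + ETYPE + bytes([said]) + b"payload"

def parse_frame(frame):
    """Return (dst, src, vlan, said); vlan is None for untagged frames."""
    dst, src, off, vlan = frame[:6], frame[6:12], 12, None
    if frame[12:14] == b"\x81\x00":
        vlan, off = struct.unpack("!H", frame[14:16])[0] & 0x0FFF, 16
    if frame[off:off + 2] != ETYPE:
        raise ValueError("not a protected frame")
    return dst, src, vlan, frame[off + 2]

def sa_by_mac(src):
    """Sender MAC names the SA (the static identifier Russ favours); returns all candidates."""
    return sorted(k for k, (mac, _, _) in SA_TABLE.items() if mac == src)

def sa_by_mac_vlan(src, vlan):
    """Paul's point 2: the VLAN is part of the SA identification."""
    return sorted(k for k, (mac, v, _) in SA_TABLE.items() if mac == src and v == vlan)

def sa_by_said(said):
    """Explicit SAID carried in the frame: no dependence on addresses at all."""
    return [said] if said in SA_TABLE else []

def demo():
    r = {}
    _, src, vlan, said = parse_frame(build_frame(BROADCAST, STATION_A, 20, 0x22))
    r["mac_only"] = sa_by_mac(src)             # two candidates: ambiguous (points 1 and 2)
    r["mac_vlan"] = sa_by_mac_vlan(src, vlan)  # resolved once the VLAN is included
    r["said"] = sa_by_said(said)               # resolved by the SAID alone
    # Point 3: a proxying bridge re-sources the frame, so MAC-keyed lookups find nothing;
    # the SAID still names the SA, and the key's integrity check then decides acceptance.
    _, src2, vlan2, said2 = parse_frame(build_frame(BROADCAST, BRIDGE, 20, 0x22))
    r["rewritten_mac_vlan"] = sa_by_mac_vlan(src2, vlan2)
    r["rewritten_said"] = sa_by_said(said2)
    return r
```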