
RE: Key Identification RE: [LinkSec] Requirements




Paul:

>Identifying the security association with the MAC address is not the same 
>as authenticating the MAC address or using the MAC address as the peer 
>identity.  So ... I sort-of agree with some of your points.
>
>However:
>1) MAC addresses are not adequate for identification of broadcast 
>'security associations'.

Agree.  The MAC address identifies the entities that are given the 
broadcast key, not the key itself.  This confusion is one of the things I 
really dislike about the current 802.11 solution.  SAIDs should identify 
the keys and their context, not the addresses of the entities that know the 
key.

>2) VLANs need to be considered as part of the 'security association' 
>identification.

How is this different than group member/not group member?

>3) Bridges may play tricks with MAC addresses (yes in a 'pure' 
>architecture they should not).  ARP proxies are an example ...

How does this impact the architecture?

>MAC addresses should not be used in certificates (if we get around to 
>using certificates).  This degree of MAC address binding/authentication is 
>inappropriate.  Useful devices may have many MAC addresses, it limits user 
>mobility, etc...

I disagree.  The MAC address allows device authentication.  Something else 
is needed for user authentication, but it can be weaker.  We need to be 
careful not to repeat the tunneled authentication issues that were a major 
discussion topic at the last IETF, but we can authenticate the user after 
authenticating the device, binding the two together for the duration of the 
session.

Russ
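The distinction Russ draws above (an SAID should name the key and its context, whereas a MAC address only names an entity that holds the key) can be made concrete with a small model. The following is an added example, not code from the thread or from any 802.1/802.11 specification; the SAID fields (key_id, vlan, group), the station and bridge MAC addresses, and the keys are all constructed for illustration, and treating the VLAN as part of the SAID context is an assumption made to reflect point 2 of the exchange. Indexing the same set of associations by SAID gives a unique lookup, while indexing by MAC address is ambiguous for every entity that holds both a pairwise key and a group key.

```python
"""Added example: security-association lookup keyed by SAID versus by MAC address."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class SAID:
    """Security association identifier: names the key and its context,
    not the addresses of the entities that were given the key.
    (Field set is an assumption for this example.)"""
    key_id: int
    vlan: Optional[int]   # None = untagged frames
    group: bool           # True for a broadcast/multicast key


@dataclass(frozen=True)
class SecurityAssociation:
    said: SAID
    key: bytes
    members: FrozenSet[str]   # MAC addresses of the entities that know this key


# Constructed sample data: hypothetical MAC addresses and dummy 128-bit keys.
STA_A = "00:11:22:33:44:01"
STA_B = "00:11:22:33:44:02"
BRIDGE = "00:11:22:33:44:ff"

SAMPLE_SAS: List[SecurityAssociation] = [
    # pairwise key between station A and the bridge on VLAN 10
    SecurityAssociation(SAID(1, 10, False), b"\x01" * 16, frozenset({STA_A, BRIDGE})),
    # pairwise key between station B and the bridge on VLAN 10
    SecurityAssociation(SAID(2, 10, False), b"\x02" * 16, frozenset({STA_B, BRIDGE})),
    # one broadcast key for VLAN 10, known to every member of the group
    SecurityAssociation(SAID(3, 10, True), b"\x03" * 16, frozenset({STA_A, STA_B, BRIDGE})),
    # same key_id reused on VLAN 20: a distinct SAID because the VLAN is part of the context
    SecurityAssociation(SAID(3, 20, True), b"\x04" * 16, frozenset({STA_B, BRIDGE})),
]


def index_by_said(sas: List[SecurityAssociation]) -> Dict[SAID, SecurityAssociation]:
    """Build a table keyed by SAID; each SAID names exactly one key."""
    table: Dict[SAID, SecurityAssociation] = {}
    for sa in sas:
        if sa.said in table:
            raise ValueError(f"duplicate SAID {sa.said}")
        table[sa.said] = sa
    return table


def index_by_mac(sas: List[SecurityAssociation]) -> Dict[str, List[SecurityAssociation]]:
    """Build a table keyed by member MAC address. A MAC maps to every key
    the entity holds, so the mapping is one-to-many, not one-to-one."""
    table: Dict[str, List[SecurityAssociation]] = {}
    for sa in sas:
        for mac in sa.members:
            table.setdefault(mac, []).append(sa)
    return table


def lookup_by_said(table: Dict[SAID, SecurityAssociation], said: SAID) -> SecurityAssociation:
    """Unique lookup: the SAID alone selects the key and its context."""
    return table[said]


def ambiguous_macs(mac_table: Dict[str, List[SecurityAssociation]]) -> Set[str]:
    """MAC addresses for which 'which key?' cannot be answered from the address."""
    return {mac for mac, sas in mac_table.items() if len(sas) > 1}


def members_of(table: Dict[SAID, SecurityAssociation], said: SAID) -> FrozenSet[str]:
    """Group membership is a property of the SA, recovered from the SAID."""
    return table[said].members


if __name__ == "__main__":
    by_said = index_by_said(SAMPLE_SAS)
    by_mac = index_by_mac(SAMPLE_SAS)
    print("SAID lookups are unique:", len(by_said) == len(SAMPLE_SAS))
    print("MACs that cannot identify a single key:", sorted(ambiguous_macs(by_mac)))
    print("Members of VLAN 10 group key:", sorted(members_of(by_said, SAID(3, 10, True))))
```

The MAC-keyed table answers "which keys does this entity hold?", which is the membership question; it never answers "which key protects this frame?" once an entity holds more than one key. The SAID-keyed table answers the second question directly and still carries the membership list as a property of the association.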