
RE: [LinkSec] Thoughts on high-level requirements




Mike,

I agree that perimeter security seems to be required in all scenarios considered thus far.  My question was aimed more at whether we must *also* do link layer security among bridges and other internal network components, and if so, do we make a single set of mechanisms that accomplishes both tasks, or a separate set of mechanisms for each task.

I agree that securing peer to peer communications is best done at higher layers.  Maybe the government requirement to stop users from spying on each other's traffic to see data for which they are not authorized is fundamentally similar to the cable companies' requirement to stop users from spying on each other's traffic to see movies for which they have not paid.  Maybe there really is only one business model that matters to us at the link layer.  I'll have to think on that.

It seems to me that the 802.11 management frames must be secured as part of a perimeter defense, as contrasted to the STP which is in the guts of the network.  

On general principles, I think there should be some way to at least authenticate every node in a network to the others (e.g., so that only authorized bridges can participate in the STP).  One could simply physically protect the rooms where the bridges are installed, but we may want to help protect against a malicious client device that gets the user to authenticate so that it can connect, and then begins to pose as a bridge and either hoses the STP or gains access to unauthorized data.  For example, one could enter some keys on the bridge when it's installed that allow it to authenticate itself as a bridge.

I have no objection if the group decides to do only perimeter security.  That in itself would be a great accomplishment.

Peter K. Boucher
Rappore Technologies
www.rappore.com

-----Original Message-----
From: Mike Moreton [mailto:Mike.Moreton@synad.com]
Sent: Friday, December 20, 2002 9:55 AM
To: LinkSec
Subject: RE: [LinkSec] Thoughts on high-level requirements



Peter,

One viewpoint on this:

If you want perimeter security, it can only be sensibly implemented at the link layer.  The one business requirement that the group definitely has is EPON, which seems to want perimeter security.  So whatever else you do, I think you have to do perimeter security.

On the other hand, peer to peer security can generally be achieved at the network layer, and if the user isn't prepared to set up peer-to-peer security at the network layer I don't see why they would be prepared to do it at the link layer.  I haven't seen anyone suggesting there is a business requirement for peer-to-peer link layer security.

The only group of protocols that seems to be left is link layer maintenance protocols like STP and 802.11 management frames.  No-one seems greatly to care about securing them - maybe they're best left to the groups responsible for them rather than attempting to do something generic. 

Mike Moreton, Synad Technologies.

 



-----Original Message-----
From: Peter Boucher [mailto:pboucher@rappore.com] 
Sent: Friday, December 20, 2002 4:22 PM
To: LinkSec
Subject: [LinkSec] Thoughts on high-level requirements



In our last teleconference we all seemed to agree that it would be useful to look at business model requirements as a way to ensure that the technical requirements we settle on are all addressing important business concerns.

It seems to me that there are really two or more business models we could try to address.  For example, service providers want to prevent theft of services and protect customers from each other, while enterprises may want us to help solve a different set of access control problems, and government may want to rely on us to help ensure that certain sensitive-but-unclassified data is secure from users who don't need-to-know, and thus are not authorized (by law) to gain access.

Some questions arise: Do we pick one model and ignore the others?  Do we try to come up with a one-size-fits-all set of technical requirements that will address all of the business concerns of all of the models?  Do we create a set of (not mutually incompatible) standards, one for each model?

Another area of high-level requirements related to the above, but interesting in its own right, is whether we do link security only as a perimeter-defense, or pervasively throughout the network.  If we simply defend the perimeter, then each MAC address (for example) can be associated with a user, but if we are also supposed to secure the spanning-tree protocols and other communications between bridges, then some devices are not operating on behalf of any specific user.  

Again: Do we do perimeter-defense and ignore the internal communications?  Do we try to come up with a comprehensive set of technical requirements that will address both sets of concerns?  Do we create a pair of (not mutually incompatible) standards, one for each model?