RE: [LinkSec] Business models still missing for point to point
It appaears that from earlier generalization made about three topologies
- station-station, station-bridge and bridge-bridge; that the second one
is characterizeable as a client-server model and the other two as
peer-peer models.
As an example - rather than presupposing any one authentication model -
from prior experiences, say in 802.11, client-server topology seems
conducive to be addressed by a 802.1X-like framework. (The peer-peer
topology has been approached using a dual 802.1X framework as a two-way
extension of the former).
It would be useful to discuss scalable alternatives to peer-peer
framework - including perhaps certificate based approaches.
-mani
> -----Original Message-----
> From: antti.pietilainen@nokia.com [mailto:antti.pietilainen@nokia.com]
> Sent: Saturday, January 04, 2003 3:47 AM
> To: stds-802-linksec@ieee.org
> Subject: RE: [LinkSec] Business models still missing for point to
point
>
>
> Mick brought up two real usage scenarios for point-to-point security.
> These could be refined into a presentation and discussed in the
meeting.
> Support from subscriber access Ethernet operators would be welcome, as
> well. I think this kind of discussion is required for being able to
define
> a scope for a link security project.
>
> As a refinement to these cases, I would welcome conversation about
usage
> scenarios in homes to find out what kind of equipment should
authenticate
> themselves, is it a box that connects home network to operator network
or
> should all equipment who wish to communicate towards operator network
> authenticate themselves.
>
> Antti
>
>
>
> > -----Original Message-----
> > From: owner-stds-802-linksec@majordomo.ieee.org
> > [mailto:owner-stds-802-linksec@majordomo.ieee.org]On Behalf
> > Of ext Mick
> > Seaman
> > Sent: Friday, January 03, 2003 6:30 PM
> > To: stds-802-linksec@ieee.org
> > Subject: RE: [LinkSec] Business models still missing for
> > point to point
> >
> >
> >
> > Although the Telseon networks used all of below (point to
> > point, VLANs, filtering) we had an ongoing requirement for
> > securely identifying which customer was which in the network
> > to prevent hookup mistakes in the field. Without
> > authentication and authorisation built into the switches
> > solutions to this problem are hokey, like requring each
> > customer to use the certificate distributed to that customer
> > for provisioning management access to conduct a session from
> > each site so that connectivity could be verified before it
> > was fully switched on. Comprehensive deployment of .1X or
> > better would have simplified operational practice in our network.
> >
> > While I don't think a lot of Norm's scenario in the single
> > enterprise context (if you have eavesdroppers and cable
> > rerouters working for you you have worse problems) it is a
> > real worry in multi-tenant units which are often occupied by
> > professional organizations that are really meant to keep
> > there data secure from others who could rent another office
> > in the same building.
> >
> > Though most of the current market may live with the current
> > level of security (an assertion I find very plausible) very
> > little of the .3ah EPON market will.
> >
> > Mick
> >
> > > -----Original Message-----
> > > From: owner-stds-802-linksec@majordomo.ieee.org
> > > [mailto:owner-stds-802-linksec@majordomo.ieee.org]On Behalf Of
> > > antti.pietilainen@nokia.com
> > > Sent: Friday, January 03, 2003 6:49 AM
> > > To: stds-802-linksec@ieee.org
> > > Subject: [LinkSec] Business models still missing for point to
point
> > >
> > >
> > >
> > > Hello all,
> > > Usage scenarios for point-to-point networks are still missing
> > > business case wise. It is possible that link security in
> > > point-to-point case does not make sense. For example, it is
> > > being told that 802.10 was used for a while but has not been
> > > used after VLAN tagging was standardized. VLAN tagging,
> > > source port filtering, and maybe filtering some Ethertypes at
> > > access ports may be adequate to achieve high level of
> > > security at layer two. For example, in Sweden and in other
> > > places, as well, there are well established operators who run
> > > IP over Ethernet networks for subscriber access. Probably
> > > other L3 protocols may be carried over these L2 segments if
> > > required.
> > >
> > > There are about 80 000 customers in Bredbandsbolaget's
> > > network in Stockholm, Sweden. The company has been
> > > operational for several years so they can probably cope with
> > > the current level of security.
> > >
> > > Norman Finn brought up in principle a valid point-to-point
> > > scenario in the security session in New Orleans. In that
> > > scenario cables are run through multiple offices. There is a
> > > risk of somebody in one office eavesdropping or inserting a
> > > man-in-the-middle box into a cable running to another office.
> > > With added L2 security it could be allowed that cables are
> > > installed in that way. However, that kind of installation
> > > does not really comply with current regulations for
> > > installations in buildings. Therefore, I believe that the
> > > scenario does not cover a large proportion of the total market.
> > >
> > > Antti Pietilainen
> > > Nokia Research Center
> > > P.O. Box 407
> > > FIN-00045 NOKIA GROUP
> > > Finland
> > > tel. +358-(0)71-8036660, fax. +358-(0)71-8036214
> > > email: antti.pietilainen@nokia.com
> > >
> >