
[LinkSec] Teleconf Notes 1/2/03




ECSG LinkSec Teleconf
1/2/03
Dolors Sala, SG chair, dolors@ieee.org
Allyn Romanow, notes, allyn@cisco.com

Attendees - Dennis Volpano, Dan Romascanu, Mani Mahalingam, Allyn
Romanow, Russ Housley, Dolors Sala, Norm Finn

Dolors
Agenda for the Interim
There is an overlap with 802.1. Mick and Tony will try to have 802.1
free all day Thurs and some of Friday
Gerry Pesavento EFM overlap Thurs, split session in AM,
will know today if they can be free on Thurs AM

Contributions
Not that many
Ask Tony and Mick if they need additional time, maybe during Thurs afternoon
If there is a gap and we don't meet, people could go to EFM closing or
to 802.1. Depends on how much time we want to take
Will set up call-in facilities for 802.11 people who can't come to the interim

Agenda, 802.1 will post agenda on Monday
There are 5 contributions
Mick - architectural model
Antti - EPON requirements
Dennis - scope and progress
Glen - PAR and 5 criteria
Mani - considerations on PAR and 5 criteria and placement issue

Placement - So far, there seems to be general agreement on using the
802.10 committee
Dan - noted similar recommendations for placement of the work
amongst the 3 presentations dealing with general issues
Do the authors want to get together and do a joint contribution?
Their recommendations are not so divergent

Mani - in favor of using 802.10
Dennis - 802.10 has a unique charter L7 as well as L2, needed for key
management, if this is impt. (Norm thinks not)
Norm doesn't have a strong opinion where the work should be - 802.10
or 802.1 both are fine.
He heard that previously 802.1 didn't want to house the security
effort, but now .1 wouldn't object, some benefit because ensures
solution will work well with bridges.  Doesn't matter whether it goes
to .10 or .1, in his opinion, as the same people will be working on it
in either case.
Does anyone think we shouldn't use 802.10?

Dennis - thinks we should leverage .10, but not commit to it
He favors a proposed scope more like 802.1ad, wants to make scope
consistent with scope of 802.1ad
He has a different proposal, which he hasn't presented yet.
Some people want to amend 802.10, Glen's proposal
Dennis' idea is orthogonal, wants to use the framework of 802.1ad and
provider bridging

Mani - favors using .10 as a starting point
802.1 will find 802.1ad is a small effort
Norm - differences between provider and secure enterprise are small wrt security
requirements
The case of corporate guest in conference room accessing internet
through a wired hub, and prevented from seeing the company's personnel
records is similar to that of the provider who needs to separate
users' traffic.
Get rid of LLC stuff in 802.10 spec

Dennis - 802.10 is deficient in key management,
Russ - everyone from .10 agrees
bridged network not taken into account
Norm - .1x not just tied to bridges, broader in scope

Russ - need to agree on what to accomplish
802.10 - once know end points, key management is simple, what isn't
clear is how to know the endpoints. 802.10 proposed probes.
Mick on mailing list shows that probes do not work, but he proposed
something that may not work if one end point is a bridge and the other
is a router

Norm - There is a lot of stuff we could cover which is difficult. He would
favor doing something simpler, more focused. (I think he said-AR)

Russ - Yes, we need encryption, encapsulation and a key management approach
then we don't limit ourselves.
Norm agrees, just as we shouldn't limit our solution just to provider space

Norm wants to trim the 32 bit ID, doesn't need that many bits, but not
sure he can trim them.
Russ - this is a whole separate discussion
802.11 doesn't have enough bits

Dolors - With respect to the agenda for the Interim, how shall we
organize it? Should we have contributions first, then discussion on
individual topics? or use presentations as basis for discussion?
For example, there is a contribution for EPON requirements, but we
have discussed in email and teleconf requirements that are wider in
scope than just EPON, but there is no presentation on wider requirements.

Norm - he would hate to see us get bogged down in requirements-
sometimes requirements discussions can be misused to outlaw what one
person suspects someone else's solution may be.
He would like to see presentations that talk about real solutions.
The technology is mature enough so that people can present complete solutions,
so that we can see where people want to take this, and if we can agree
on a general approach. Then we don't have to play reqmts. games.

Dolors- Agree, but at the moment we only have these five
presentations, limited material, not the proposed solutions.

Norm- We could couch the free discussion in terms of topics, what
approaches, what presentations we would like to be seeing
Dolors - such as architectural models

A set of topics - can develop now and on mailing list
e.g. key management, what material needs to be authenticated
Norm - Dolors you can send your list of questions-

How should we use the time Thurs and Friday? Should we leave some time
free Thurs afternoon?
Allyn- since we're trying to have PAR and 5 by mid February, important
to use all time available. General agreement, use all of
Thursday. Probably do presentations first.

List of Topics - includes requirements, scope, key management, entity
authentication, device authentication

Norm - wrt device authentication, at L2 all you *can* authenticate is
a device, since you don't have an address to authenticate a user within a box,
can't associate a user with a device
port numbers not in our purview, much less anything that lives above

Norm - 802.1x can authenticate a device on the basis of a user, assuming
there is one user per device, same as .11
but this assumption is not necessarily the case

Mani - this issue will be clarified with scenarios

Norm - has ideas for some proposals

Agenda summary - develop additional topics

any other topics for today?
Logistics for calling in to the Interim need to be worked out