
[LinkSec] Notes from teleconf 1/21/03




1/21/03 ECSG LinkSec Teleconf
Dolors Sala, chair dolors@ieee.org
Notes by Allyn Romanow, allyn@cisco.com

Attendees:
Marcus Leech, Ali Abaye, Mani Mahalingam, Allyn Romanow, Dolors Sala,
Glen Zorn, Charles Cook, Dan Romascanu, Russ Housley

Dolors - no particular agenda for today
Any insights from the Interim meeting?
Anyone have anything they want to talk about?

Mani - Russ posted applicability of 802.10 SDE to bridges. It would be
good to talk about it at next meeting, when people have looked at the
note.

Dolors - question
There are two trends:
1. Protecting links, meaning a single wire, make the link secure
At first interest was just in EPON, then became more generalized to include
not just an EPON,  but also Ethernet, or any type of link
Communication is between two stations, the scope is link

2. Now, another idea is to secure an actual network, a bridged network.
Where is the application that requires us to secure a bridged network?
If the enterprise network is the domain, is a bridged network relevant?
What is the application for secure bridged network?

Marcus - two scenarios
1. Provider of L2 services, uses bridging technology, metro-wide service,
even x-country

2. Similarly in an enterprise network, such as his, Nortel. It works for
network engineering to be able to secure fabric behind end users
relatively cheaply - that would be really cool. Now it requires
separate link layer encryptors that aren't integrated into network equipment.

Dolors - one issue we have been looking at is SP vs Enterprise needs
Does enterprise require a large bridged network?
Marcus - certainly it's relevant, even if there is not a large bridged
network, there are typically connected islands of bridged networks.
He can imagine link layer security would be most useful.

Charles Cook - from Qwest
He has talked with his security folks. They said this would be good for
customers who want to buy a managed secure network.
They don't know if they want to sell security, but there are customers who
won't buy their product unless security is offered with it.

Glen - We're making a distinction between securing bridges themselves and the
links between bridges.
What's different between securing a bridged network vs securing L2 links?

Marcus - there are two cases
1. Station to station secure, the fact that bridges are in between is
irrelevant, passes through bridges.
2. Station has a Security Association (SA) to the nearest bridged hub

Mani - The distinction is hop by hop vs end to end
Whether we want to be able to secure L2 protocols, such as ST or not.

How do you secure bridging control packets?

Mick's description secures on a hop by hop basis vs an end SA

Are we talking about L2 end to end or hop by hop?
Allyn - hop by hop, endpoints of a subnetwork, not end to end

Who is included in the threat model?
Dolors - these are separate - end to end vs link

Russ - Key management is significantly different for the two cases
Locating the decryptor is different
(see mailing list discussion)
There are 3 situations:
1. Station to station, every station has crypto processing. There is a
    source address and destination address. Not necessary to have a
    protocol that discovers crypto-enabled bridges.

2. Station to bridge, bridge protects, does crypto for, an enclave
    behind it. Then need to run a crypto-enabled bridge discovery
    protocol for the end station to locate crypto bridge.

3. Bridge to bridge - there are two subcases:
a. Bridges are adjacent, there is one link between them - don't need
    crypto-enabled discovery protocol because each bridge knows its neighbors,
    assume always an adjacent bridge
    Mick only interested in this case. If a bridge doesn't do encryption,
    security is not possible.

b. If allow bridges between stations, don't know how many bridges
    between stations.
    If there are two bridges where one doesn't do security,
    then you use a discovery protocol to find another bridge that does
    security.
    802.10 does this

Mailing list discussion on how to do discovery of crypto-enabled bridges

Is there a tutorial on 802.10?
802.10A was supposed to be a tutorial.

What are our goals?
What we can't tell from calls is what SPs are demanding
How should we get this information?

The presentation that Antti made at Vancouver, was motivated by his
knowledge of service providers
Antti was thinking about EPON, station to station without bridge,
that is, OLT to ONU.
Protect neighborhood subnets
How universal is this model?
How to get input from non-EPON SPs on their security needs? PPVPN?
We should collect this kind of information. Ask on the mailing list,
talk to SPs who are among the group or are our customers, to
understand their security needs. That seems part of the L2 security
requirements picture.

How much more effort is it to secure the network vs securing a single hop?
Discovery protocol is different, key management different, framing
protocol the same

There are the 4 cases, as above. Pick an identity management scheme for any of
these, then can develop the cases incrementally, not have to do all
cases at once

What should the identity be?  Mailing list discussion, whether MAC
address is correct

With reference to Mick's work plan, on the web, item number 4 outlines
partitioning.
Do people agree with this?
Russ - thinks it's a way to get to an architecture, not how to write the doc

Marcus- Using business case relevance to decide what to include is a
very bad idea. One thing is that the definition of business case
relevance differs between different enterprises and amongst different SPs.
Biz relevance can be used as a reason to not do security features that
are doable. He has seen this happen before. Ends up being very
arbitrary, has seen cases where a threat doesn't fall
into current understanding of biz relevance, so certain things that
could be secured against aren't done, and later that threat is
committed.
Threats should be classified by other characteristics than on biz
relevance, e.g., how much it costs to implement, etc.


He thinks EPON did a minimum in setting security scope.
What do we need to do?
An analysis of the threats, a lot of this was done in 802.10
High level landscape should be similar
Some wireless things not considered in 802.10, .11 came after, would
have led to a change.

Didn't do deep thinking on which derivative services- specified
authentication, integrity, confidentiality, from which others derive.

Marcus - EPON, only protect against threats that aren't protected by
the law, seems foolish. Bad guys don't obey the law, so you have to
protect against what they could do.
Often fixing it correctly is only a little more expensive than fixing it
poorly.
Also, laws differ between countries

What do you mean by EPON specification of security is minimal?
See the NEC Illuminant paper, for example

How to decide what's in and out of Mick's Table? Vote
Think should develop further before voting
Dan - Two questions - the specific issue is relevant for the scope?
Are you willing to participate in finding a solution to a particular problem?
Who considers scenarios important and will put effort into it?

Dolors - can people on call send mail with their opinions to start the
conversation?