
Re: [LinkSec] LinkSec Security Issues & 802.10



At 08:15 AM 3/13/2003 -0800, Ken Alonge wrote:

Another point of concern that was raised in this week’s LinkSec meeting was the ability of 802.1X to meet the key management requirements of all the 802 MACs, because of the .1X requirement to have access to a server for key distribution. This type of configuration does not work for 802.15 where it is unreasonable to expect an infrastructure; also it can cause denial of service in enterprise networks when the authentication server cannot be reached. The .1X protocol is great for the environments that it was designed to support, but it does not fit all environments. Therefore, additional key management approaches may be necessary.

This is a misrepresentation of 802.1x.

There is NOTHING in 802.1x requiring a backend server for key distribution.

Example 1:

Every device has a userid/secret table and uses EAP-AKA to their own internal Authentication Server.

Example 2:

Every device has the group's PGP keyring and uses an EAP-PGP (does not exist, but easy to do) to their own internal Authentication Server.

The ONLY concern .15 should have about 802.1x is the code size.

Remember ANNEX D is an ANNEX and just a recommended practice.  I happen to know of a number of vendors that are implementing the EAP methods directly in their APs and are not implementing RADIUS.



Robert Moskowitz
Senior Technical Director
ICSA Labs
        (248) 968-9809
Fax:    (248) 968-2824
rgm@trusecure.com

There's no limit to what can be accomplished
if it doesn't matter who gets the credit