
RE: [LinkSec] LinkSec Security Issues & 802.10



I'd like to see 802.10 fix SDE.  This is an excellent task that could be completed quickly and would be of benefit to the industry.  It seems reasonable to be a parallel task that may or may not be adopted by LinkSec.  If LinkSec needs SDE it would be ready.  If LinkSec does not select SDE, it still would be ready :-)
 
LinkSec will take quite a while to just get its base requirements in place.  SDE could be completed and ready.
 
I do not see multiple working groups to be a problem. 
 
 
Paul
-----Original Message-----
From: Romascanu, Dan (Dan) [mailto:dromasca@avaya.com]
Sent: Thursday, March 13, 2003 8:39 AM
To: Ken Alonge; stds-802-linksec@ieee.org
Subject: RE: [LinkSec] LinkSec Security Issues & 802.10

FWIW - I do not support un-hibernating 802.10 before LinkSec concludes this is the way to go. I favor ONE effort within the IEEE 802 in order to address the security work - at architecture and protocol levels. At this point in time it looks to me that the already chartered LinkSec SG is the place where the discussions are taking place, and one of the questions the SG needs to answer is where to place the possible follow-up work. I suggest that the efforts of the participants be focused right now into contributing to the LinkSec chartered work, including recommendations on architecture extensions and on the ways to proceed with Security in IEEE 802. As far as I know, members of the hibernating 802.10 have been invited from the start to take an active part in this work.
 
Thanks,
 
Dan
 
 
 
 
-----Original Message-----
From: Ken Alonge [mailto:kennyg698@yahoo.com]
Sent: Thursday, March 13, 2003 6:15 PM
To: stds-802-linksec@ieee.org
Subject: [LinkSec] LinkSec Security Issues & 802.10

To All-

 

I'm having trouble sending e-mail from my normal e-mail address, so I've had to resort to using this more obscure address.  Sorry.

 

After having participated in the LinkSec meetings this week and having had discussions with many study group participants as well as the Chairs of other MAC working groups, it seems to me that the 802.10 Secure Data Exchange Protocol (SDE) is the preferred method of providing generic security services across all of the 802 MACs (note that some MACs, like .11, would have additional security within the MAC layer).  In order to provide all the desired security services, the SDE protocol will have to be slightly modified.  The modifications are needed in order to accommodate replay protection, destination MAC address authentication, and optional integrity protection of additional header fields such as the VLAN tag.

 

Another point of concern that was raised in this week’s LinkSec meeting was the ability of 802.1X to meet the key management requirements of all the 802 MACs, because of the .1X requirement to have access to a server for key distribution.  This type of configuration does not work for 802.15 where it is unreasonable to expect an infrastructure; also it can cause denial of service in enterprise networks when the authentication server cannot be reached. The .1X  protocol is great for the environments that it was designed to support, but it does not fit all environments. Therefore, additional key management approaches may be necessary.

 

Additionally, part of the LinkSec charter is to develop an 802 security architecture document.  802.10 already published the 802 security architecture Standard. While we have learned a lot since this document was developed, it does not make sense to have two 802 Security Architectures. The current document (802.10a) ought to be used as a baseline for the LinkSec security architecture study. Revision of the .10 security architecture may be required to accommodate information not considered when .10 originally created that Standard.

 

These issues are being raised at a good time, since all of the .10 Standards are up for reaffirmation this year (i.e., 802.10-1998, 802.10a-1999, as well as 802.10c-1998 (the Key Management standard)).  So, in order to make the necessary modifications, I am proposing that 802.10 be brought out of hibernation by the Exec.  I think that our initial focus should be on the SDE revision; followed by needed modifications to, or withdrawal of, the key management standard; and, finally, possible modifications to the .10 security architecture Standard.

 

Two of the Exec members expressed to me their concern that .10 might not have enough participants to do the required revisions, and they would like me to demonstrate that an unhibernated .10 will have sufficiently broad participation (membership), drawing the necessary expertise from other working groups.  Therefore, I’m sending this e-mail to you to serve as a straw poll of the LinkSec study group to determine who would be willing to participate in an unhibernated .10 to assist in making the necessary revisions to our Standards.

 

Your prompt response today would be greatly appreciated.

 

Sincerely,

 

Ken Alonge

Chair, 802.10


