[LinkSec] Fwd: Bridging model and link security
Here is Norm Finn's note to me. Took me a bit to find where I filed it.
Note that he is strictly staying with single link protection. If you want
his arguments against SA associations across bridges, check out his
tutorial from Dallas.
>Date: Tue, 01 Apr 2003 15:01:06 -0800
>From: Norman Finn <nfinn@cisco.com>
>To: Robert Moskowitz <rgm@trusecure.com>
>Subject: Bridging model and link security
>
>Bob,
>
>As outlined in my slides presented at the last meeting, the bridging
>model in 802.10 is not scalable to even medium-sized bridged networks.
>
>The model that I think most bridge builders have in mind:
>
> 1. Each bridge authorizes its bridge neighbors.
>
> 2. No bridge accepts L2 control packets (e.g. spanning tree BPDUs)
> except from authorized neighbor bridges. Such control packets
> are discarded when received from any other sources.
>
> 3. At least the control packets transferred between bridges are
> authenticated. Better yet, all packets are authenticated on
> the link. Better yet, all are encrypted.
>
> 4. Links between bridges and endstations may also be authorized,
> authenticated, and even encrypted. This improves the security
> of the users' traffic.
>
>Except for link-by-link encryption mechanisms and protocol filtering
>activities, which can both be confined to the port ASICs, the secure
>bridges operate exactly like normal bridges. For example, since
>authorization and establishment of security associations among
>bridges takes place before spanning tree runs, the spanning tree(s)
>run(s) over a network of secure links, not the other way around.
>
>The point of this model is primarily to secure the L2 infrastructure
>against attack and/or misuse, and only secondarily to secure the
>users' data.
>
>-- Norm
Robert Moskowitz
Senior Technical Director
ICSA Labs
(248) 968-9809
Fax: (248) 968-2824
rgm@trusecure.com
There's no limit to what can be accomplished
if it doesn't matter who gets the credit
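The four-step model in Norm's note (authorize the neighbor, accept L2 control packets only from authorized neighbors, authenticate at least the control traffic, optionally protect the end-station links too) is easy to mis-order in practice. The following is an added example, not part of the original e-mail or of any real bridge implementation: a toy bridge port that establishes a per-link security association before any spanning tree traffic is accepted, then discards BPDUs that either arrive from a non-authorized source or fail the link's integrity check, while forwarding ordinary data frames as a normal bridge would. The port and frame names, the HMAC-based integrity check value, the MAC addresses and the shared key are all assumptions constructed for the demonstration; only the 802.1D bridge-group address is real.

```python
"""Added example (not part of the original e-mail): a toy model of the
secure-bridge port behaviour described in the note. Names, the HMAC-based
per-link integrity check and the sample frames are assumptions."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Standard 802.1D bridge-group address that spanning tree BPDUs are sent to.
BPDU_DST = bytes.fromhex("0180c2000000")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    payload: bytes
    icv: Optional[bytes] = None  # per-link integrity check value; None if unprotected


def is_l2_control(frame: Frame) -> bool:
    """Only the spanning tree address is treated as L2 control here (assumption)."""
    return frame.dst == BPDU_DST


def link_icv(frame: Frame, key: bytes) -> bytes:
    """Integrity check over the frame under the link's shared key (HMAC is an assumed stand-in)."""
    return hmac.new(key, frame.dst + frame.src + frame.payload, hashlib.sha256).digest()


def protect(frame: Frame, key: bytes) -> Frame:
    """Sender side: attach the ICV computed under the link SA."""
    return Frame(frame.dst, frame.src, frame.payload, link_icv(frame, key))


class SecureBridgePort:
    """A port that applies the model's steps 1-3: authorize the neighbor,
    then accept L2 control frames only from that neighbor and only when
    they verify under the link SA. Data frames are forwarded as usual."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.neighbor_mac: Optional[bytes] = None
        self.neighbor_key: Optional[bytes] = None
        self.discarded: list = []

    def authorize_neighbor(self, mac: bytes, key: bytes) -> None:
        # Step 1: authorization and SA establishment happen before STP runs.
        self.neighbor_mac = mac
        self.neighbor_key = key

    def receive(self, frame: Frame) -> str:
        """Return 'control', 'data' or 'discard' for the received frame."""
        if not is_l2_control(frame):
            return "data"
        # Step 2: no authorized neighbor on this port, or a different source -> discard.
        if self.neighbor_key is None or frame.src != self.neighbor_mac:
            self.discarded.append(("unauthorized-source", frame.src))
            return "discard"
        # Step 3: the control frame must verify under the link SA.
        if frame.icv is None or not hmac.compare_digest(
            frame.icv, link_icv(frame, self.neighbor_key)
        ):
            self.discarded.append(("bad-icv", frame.src))
            return "discard"
        return "control"


def run_demo() -> dict:
    """Constructed scenario: an uplink port with an authorized neighbor bridge
    and an access port facing an end station. Returns each frame's disposition."""
    neighbor = bytes.fromhex("000000000001")   # assumed MAC of the neighbor bridge
    station = bytes.fromhex("0000000000aa")    # assumed MAC of an end station
    link_key = b"assumed-shared-key-from-authorization"

    uplink = SecureBridgePort("uplink")
    uplink.authorize_neighbor(neighbor, link_key)
    access = SecureBridgePort("access")        # no bridge neighbor authorized here

    bpdu = Frame(BPDU_DST, neighbor, b"BPDU config")
    return {
        "good_bpdu": uplink.receive(protect(bpdu, link_key)),
        "unprotected_bpdu": uplink.receive(bpdu),
        "forged_with_wrong_key": uplink.receive(protect(bpdu, b"attacker-key")),
        "bpdu_from_station": uplink.receive(Frame(BPDU_DST, station, b"BPDU config")),
        "bpdu_on_access_port": access.receive(protect(bpdu, link_key)),
        "data_from_station": access.receive(
            Frame(bytes.fromhex("0000000000bb"), station, b"hello")),
        "uplink_discards": len(uplink.discarded),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The ordering matters: `authorize_neighbor` runs before any BPDU is handed to `receive`, which is the point of the note's remark that spanning tree runs over a network of already-secured links. An end station that sends a BPDU (the classic attempt to become root bridge) is dropped on the access port because no bridge neighbor was ever authorized there, and even a frame that spoofs the neighbor's source address on the uplink is dropped unless it carries a valid ICV under the link key.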