[LinkSec] teleconf notes 4/15/03
4/15/03
Chair - Dolors Sala, dolors@ieee.org
notes- Allyn Romanow, allyn@cisco.com
Ken Alonge, Rene Struik, Bob Moskowitz, Allyn Romanow, Dolors Sala,
David Nelson, Antti Pietilainen, Jeff Waters, Tom Dineen
Brief Summary:
June meeting Mon and Tues June 2,3 for sure. Perhaps more days, will
be decided when we see how many contributions there are
Discussion of threat analysis:
Paper by Ken, Rene and Mani, sent out this am
http://www.ieee802.org/linksec/docs.html
Threat Assessment to determine Layer 2 security services for IEEE 802
LANs/MANs
There is general agreement that we need to limit the scope of the
security we are providing for L2 networks to single links. End stations will be
secured, authenticated. The problem of providing end to end security through an
arbitrary bridged topology is considered not sufficiently understood
to be undertaken at the current time.
First week of May for update of the threat analysis, to a list of
threats on which we can seek consensus
Next week teleconf possible talk about major issues outstanding
Cancelled teleconf for the 29th - Interop meeting.
===========================================
More Detailed Notes:
Reflector bounces files larger than 100KB
Threat Analysis Discussion
Ken - Overview of doc:
a modification of 802.10 threat analysis
ISO security architecture
LAN characteristics that create threats
security services for LAN threats
mechanisms to describe services
summary
Discussion
Bob - threats only to links themselves, bridges not protected
threats to L2 structure
if bridge is corrupted, it's not considered part of the relevant architecture
L2 fabric and events are included
what's authenticated?
each end authenticates other link directly bi-directional authentication
all traffic authenticated, encrypted
attacks against against the L2 links are protected against
Refer to Norm's note
authenticated link, can only authenticate end points not really the links
each bridge (B) authens other B, doesn't accept traffic from B's not
authenticated
A B accepts control frames only from Bs it has authenticated
it's a question of specifying what threats we are willing to address?
L2 devices, limits to class of threats we can deal with
can't deal with threats from a compromised B
threats injected by a authenticated bad end station
not protecting user data exposed at bridges
We don't do end to end security
can't do e2e L2 security,
don't understand well enough issues for arbitrary e2e security
can only achieve link security in this SG
need to identify threats for both architectures, though we will only
provide security for the one architecture in scope
identify threats for out of scope as well, for understanding and completeness
if some bridges support security, require discovery protocol
or if all bridges support security, then don't require discovery proto
consider e2e if all bridges support
Ken questions leaving out discovery and
Dolors suggests we prioritize rather than dismiss discovery, leaving
discovery for later, out of scope for now
need to limit scope, but if someone wants to do the work and figure
out the harder problem, will be welcome
Dolors -need to consider what we specify now so that later we can add
security for transparent bridges
What need so that will be ready to add security for tranparent bridges later
First, lets just look at single links and devices at the edges
enough work here
single hop
support single link because gets the group back to it's original
motivation, security for an application like EFM
Dolors - can we leave aside the rest for now, and the architecture
will be extensible?
Can what we do now be easily or directly extensible?
Rene - what .15 did is similar.
Initially link threat model, can look at .3 EPON, if can make more
complete will
We can show complexity that is involved by addressing larger problem,
develop a roadmap for the larger problem space
Dolors asks Rene and Ken to have a presentation listing threats so we
can get consensus on what threats are impt. to address
in addition to their paper
First week of May for update of the threat analysis
Next week teleconf possible talk about major issues outstanding
Cancelled teleconf for the 29th - Interop meeting.