
RE: [LinkSec] teleconf notes 4/15/03

Hi all,

I have a question concerning the conclusions (I make) of the meeting 
notes below. (My apologies for not being able to attend so far; the 
time of day in combination with day of week makes it very difficult.)

Allyn Romanow wrote:
> 
> 4/15/03
> Chair - Dolors Sala,  dolors@ieee.org
> notes- Allyn Romanow, allyn@cisco.com
> 
> Ken Alonge, Rene Struik, Bob Moskowitz,  Allyn Romanow, Dolors Sala,
> David Nelson, Antti Pietilainen, Jeff Waters, Tom Dineen
> 
> Brief Summary:
> June meeting Mon and Tues June 2,3 for sure. Perhaps more days, will
> be decided when we see how many contributions there are
> 
> Discussion of threat analysis:
> Paper by Ken, Rene and Mani, sent out this am
>        http://www.ieee802.org/linksec/docs.html
>        Threat Assessment to determine Layer 2 security services for IEEE 802 LANs/MANs
> 
> There is general agreement that we need to limit the scope of the
> security we are providing for L2 networks to single links. End stations
> will be secured, authenticated. The problem of providing end to end
> security through an arbitrary bridged topology is considered not
> sufficiently understood to be undertaken at the current time.
> 
> First week of May for update of the threat analysis, to a list of
> threats on which we can seek consensus
> 
> Next week teleconf possible talk about major issues outstanding
> 
> Cancelled teleconf for the 29th - Interop meeting.
> 
> 
> 
> ===========================================
> More Detailed Notes:
> 
> Reflector bounces files larger than 100KB
> 
> Threat Analysis Discussion
> Ken - Overview of doc:
> a modification of 802.10 threat analysis
> ISO security architecture
> LAN characteristics that create threats
> security services for LAN threats
> mechanisms to describe services
> summary
> 
> Discussion
> Bob - threats only to links themselves, bridges not protected
> threats to L2 structure
> if bridge is corrupted, it's not considered part of the relevant architecture

I don't get this. If this is the assumption made, then won't it
be absolutely *necessary* to be able to "tunnel" the security
through such a corrupted bridge? This seems to contradict the
conclusion in the summary above (and elsewhere) that: "end to end
security through an arbitrary bridged topology is considered not
sufficiently understood to be undertaken at the current time".

My point is that if there is a case when you might need to tunnel
one bridge, you might in other cases need to tunnel through N bridges,
which asymptotically means e2e.

Moreover, referring to Norm's tutorial from Dallas, the last slide
states: "end-to-end security associations transported through bridges
must not authenticate the 802.1Q tag".

Now, if there indeed could exist corrupt bridges as mentioned above
that are defined "out" of the relevant architecture, I feel very
worried about such a bridge messing with my 802.1Q tags... Thus,
bridges that *are* part of the relevant arch. SHOULD have the
option to e2e protect 802.1Q tags that are important to them,
and could need to pass the corrupt bridge.

Again, my apologies if my confusion is caused by not being able
to attend the phone conf.


Thanks,


/Mats
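The 802.1Q point in the message above, shown as an added illustration (example code written for this page; it is not from the thread, from Norm's tutorial, or from any 802 draft). It models a frame integrity check value (ICV) two ways: one that authenticates the 802.1Q tag and one that leaves it out, then passes the frame through a bridge that rewrites the VLAN ID. Everything here is an assumption of the model: HMAC-SHA256 truncated to 16 bytes as the ICV, a single tag, the MAC addresses, key and payload (all constructed), and a `bridge_rewrite_vid` function standing in for either a legitimate VLAN-translating bridge or the "corrupt bridge" of the discussion.

```python
import hashlib
import hmac
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that introduces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ICV_LEN = 16              # truncated HMAC length; an assumption of this model


def build_frame(dst, src, vid, ethertype, payload):
    """Ethernet frame with one 802.1Q tag (PCP=0, DEI=0) inserted after the source MAC."""
    tci = vid & 0x0FFF
    return dst + src + struct.pack(">HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def parse_frame(frame):
    """Split a frame into addresses, the optional 802.1Q tag, and the rest (type + payload)."""
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack(">H", frame[12:14])
    if tpid == ETHERTYPE_VLAN:
        (tci,) = struct.unpack(">H", frame[14:16])
        return {"dst": dst, "src": src, "tag": frame[12:16], "vid": tci & 0x0FFF, "rest": frame[16:]}
    return {"dst": dst, "src": src, "tag": b"", "vid": None, "rest": frame[12:]}


def compute_icv(key, frame, cover_tag):
    """ICV over dst | src | [tag] | rest; cover_tag selects whether the 802.1Q tag is authenticated."""
    f = parse_frame(frame)
    covered = f["dst"] + f["src"] + (f["tag"] if cover_tag else b"") + f["rest"]
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def verify_icv(key, frame, received_icv, cover_tag):
    """Constant-time comparison of a received ICV against a freshly computed one."""
    return hmac.compare_digest(compute_icv(key, frame, cover_tag), received_icv)


def bridge_rewrite_vid(frame, new_vid):
    """Model of a bridge that rewrites the VLAN ID in transit (VLAN translation, or a corrupt bridge)."""
    f = parse_frame(frame)
    if f["vid"] is None:
        return frame                       # untagged frames pass through unchanged
    (tci,) = struct.unpack(">H", f["tag"][2:4])
    tci = (tci & 0xF000) | (new_vid & 0x0FFF)   # keep PCP/DEI, replace the 12-bit VID
    return f["dst"] + f["src"] + struct.pack(">HH", ETHERTYPE_VLAN, tci) + f["rest"]


def demo():
    # Constructed inputs; nothing here is a real key or captured traffic.
    key = b"constructed demo key, not a real security association"
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    frame = build_frame(dst, src, vid=100, ethertype=ETHERTYPE_IPV4, payload=b"constructed payload")

    icv_with_tag = compute_icv(key, frame, cover_tag=True)
    icv_without_tag = compute_icv(key, frame, cover_tag=False)

    relayed = bridge_rewrite_vid(frame, new_vid=200)   # the bridge moved the frame to VID 200

    return {
        "rewritten_vid": parse_frame(relayed)["vid"],
        # Sanity check: an unmodified frame verifies under either rule.
        "unmodified_frame_verifies": verify_icv(key, frame, icv_with_tag, cover_tag=True),
        # Tag authenticated end to end: the frame fails at the far end station after the rewrite.
        "covered_icv_verifies_after_rewrite": verify_icv(key, relayed, icv_with_tag, cover_tag=True),
        # Tag excluded: the frame verifies, so it crosses the bridge, but the receiver has
        # no way to tell that the VID it sees is not the one the sender put on the wire.
        "uncovered_icv_verifies_after_rewrite": verify_icv(key, relayed, icv_without_tag, cover_tag=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two results side by side are the trade-off the message is about: excluding the tag is what lets an end-to-end association survive bridges that legitimately rewrite it, and it is also exactly what leaves a tag-rewriting bridge invisible to the end stations.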