Re: [LinkSec] Consensus on Scope?
Hi,
I completely agree. Since the general bridged architecture
is considered difficult to handle, I am slightly worried that
corners will be cut so that later extensions beyond link-by-link
protection become cumbersome (or even impossible). It could thus
be that we need to "almost" solve also the general case at the
same time to be future proof.
Best,
/Mats
Russ Housley wrote:
> Dolors:
>
> I do not have any problem with the priorities. However, I do have some
> concerns with the "do it later, if needed" tone. If we look at 802.1X
> development, it focused on 802.3 problems. This solved real-world
> problems. Since an 802-wide view was not applied from the beginning,
> significant changes are needed to make it work in 802.11, and other
> wireless technologies.
>
> If we do not start with the big picture, we will inadvertently make
> deployment in other topologies impossible without changes to the standard.
>
> Russ
>
>
> At 09:10 PM 4/21/2003 -0400, Dolors Sala wrote:
>
>> There seems to be significant consensus in leaving the scenario of
>> untrusted bridges for a later stage (although the final unified
>> architecture should support a complete secure bridge network
>> solution). It seems we may be close to identifying the scope of the
>> initial project.
>>
>> In the last call, Bob Moskowitz recommended to initially focus on the
>> link level and leave the entire bridge network definition for a later
>> stage. If I interpret him correctly, he considers that there is enough
>> work in defining the provider side of the link security specification
>> because there doesn't exist a specification or example from which we can
>> leverage. This work would involve specifying the (bi-directional)
>> authentication and the link protection components of the unified
>> architecture. Bob please clarify or extend as you feel appropriate.
>>
>> We would need to guarantee that the initial effort defines components
>> that fit the unified and general architecture. Could we guarantee this
>> by imposing a set of general requirements on an initial link
>> specification?
>>
>> If so we could define a gradual roadmap where we focus first on the
>> link components and later on the bridged network components. We could
>> first focus on capturing a complete set of requirements from the
>> unified architecture and define an initial project to specify a link
>> security for 802.3 links. At a later stage, additional projects would
>> be defined to complete the architecture for bridged networks (and/or
>> other links if needed).
>>
>> I would like to solicit opinions and comments on this roadmap approach
>> and recommendations on the specific scope and components of an initial
>> project.
>>
>> Dolors
>>