Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

RE: [LinkSec] Failure of probe mechanisms to scale

To: "'Ken Alonge'" <kenneth.alonge@verizon.net>, "'LinkSec'" <stds-802-linksec@ieee.org>
Subject: RE: [LinkSec] Failure of probe mechanisms to scale
From: "Mick Seaman" <mick_seaman@ieee.org>
Date: Fri, 25 Apr 2003 14:34:09 -0700
Importance: Normal
In-Reply-To: <001501c30b6e$78688650$051efea9@Pam>
Reply-To: <mick_seaman@ieee.org>
Sender: owner-stds-802-linksec@majordomo.ieee.org



Ken,

No misunderstanding at all, every link in a spanning tree necessarily is the
only way all the stations on one side of a link in the active topology
communicate with all stations on the other side, so a network
reconfiguration of a spanning tree typically moves all the stations from the
point of view of at least one bridge.

Mick

-----Original Message-----
From: owner-stds-802-linksec@majordomo.ieee.org
[mailto:owner-stds-802-linksec@majordomo.ieee.org]On Behalf Of Ken
Alonge
Sent: Friday, April 25, 2003 2:06 PM
To: mick_seaman@ieee.org; 'LinkSec'
Subject: Re: [LinkSec] Failure of probe mechanisms to scale



Mick-

I think there may be a slight misunderstanding of the 802.10 Probe
mechanism.  A Probe is only issued when a conversation is attempted by an
end entity and the lack of a Security Association between the sending end
entity and the receiving end entity is discovered.  Just because a network
reconfiguration has occurred doesn't mean that even one Probe will be
issued -- it depends on whether the population of end stations attached to
an SDE-enabled bridge changes.  End stations moving to a new SDE-enabled
bridge will have to have new Security Associations established for it for
its peer-to-peer communications.

Ken

----- Original Message -----
From: "Mick Seaman" <mick_seaman@ieee.org>
To: "'LinkSec'" <stds-802-linksec@ieee.org>
Sent: Friday, April 25, 2003 2:57 PM
Subject: [LinkSec] Failure of probe mechanisms to scale


>
>
> Here is some data on scale from an earlier email ....
>
> Today's implementations of RSTP (Rapid Spanning Tree Protocol) can
> reconfigure after failure in a few hundred milliseconds or better (I
> consider two milliseconds per bridge in path to be achievable) in networks
> where tens of thousands of conversations can be carried. That's a peak
probe
> issuance/response rate of ~10**5 per second. It is just such large
networks
> where the demand for security may be highest. The best bridges can (or
> claim) to learn source addresses at line rate after reconfiguration, I
don't
> think anyone has an architecture which could issue/respond to probes at
> anywhere close to that rate.
>
> Mick
>
>
> -----Original Message-----
> From: owner-stds-802-linksec@majordomo.ieee.org
> [mailto:owner-stds-802-linksec@majordomo.ieee.org]On Behalf Of Russ
> Housley
> Sent: Thursday, April 24, 2003 7:36 AM
> To: Dolors Sala; Mats Näslund; LinkSec
> Subject: Re: [LinkSec] Consensus on Scope?
>
>
>
> Dolors:
>
> I think that the only contentious issue is peer discovery.  Mick and
others
> have said that the probe approach specified by 802.10 does not scale.  No
> convincing argument has been presented.  So far, it is just emphatic
> assertion with the promise of a more complete discussion some time over a
> beer.  I observe that the probe approach is not all that different than
> ARP, so it cannot be too badly broken.
>
> The link-by-link approach completely avoids peer discovery.  However, I am
> not convinced that this approach really resolves any important
> problems.  It seem to me that the device that is implementing the security
> protocol will be placed in the hands of the customer.  If the customer
> messes with it, can all traffic be exposed.  In an end-to-end scheme, the
> key needed to expose neighbor traffic will not be present, significantly
> reducing the motive for messing with the box.
>
> Russ
>
>   At 07:01 AM 4/23/2003 -0400, Dolors Sala wrote:
> >Russ, Mats,
> >
> >I understand your concerns but we need to identify a work plan to make
some
> >progress towards the current needs represented by the interests and
> >participation in the group.
> >
> >It seems to me there is significant interest in working on the
link-by-link
> >protection, and very little interest on the end-to-end security solution
> >right now. If this interest is correct, we need to work on how we can
> >characterize this first effort so that it addresses the immediate needs
> >and is an step forward towards a unified architecture. It would be
> >great if you can prepare material on the needs imposed by the unified
> >architecture to the link solution.
> >
> >My specific suggestion or question was to explore if it is possible to
> >characterize the unified architecture in a set of requirements that can
be
> >imposed to the link solution. Another way to express this could be.
> >
> >Let's say that the unified end-to-end solution defines a complete
> >"link-layer security architecture". A link-layer solution would cover a
> >complete L2 network security solution including the secure bridge network
> >and the single link secure communication. But we would like to focus
> >just on the single link solution component. So we need to define
> >a link security architecture solution
> >with the right hooks so that it is possible to build a complete
link-layer
> >solution on top of it. What is the best way to characterize these hooks?
Is
> >a list of requirements enough? if so, what are the requirements we would
> >like to impose to the link security architecture?
> >
> >Russ, based on 802.10 and other IEEE security experiences,
> >can you recommend a list of requirements or other form of material
> >to capture this characterization?
> >
> >We need a framework expressing the extendibility needs of the link
> solution.
> >Any material or contribution on this respect will be very helpful.
> >
> >Dolors
> >
> >
> >
> >
> >----- Original Message -----
> >From: "Mats Näslund" <mats.naslund@era.ericsson.se>
> >To: <stds-802-linksec@ieee.org>
> >Sent: Wednesday, April 23, 2003 3:58 AM
> >Subject: Re: [LinkSec] Consensus on Scope?
> >
> >
> > >
> > >
> > > Hi,
> > >
> > > I completely agree. Since the general bridged architecture
> > > is considered difficult to handle, I am slightly worried that
> > > corners will be cut so that later extensions beyond link-by-link
> > > protection becomes cumbersome (or even impossible). It could thus
> > > be that we need to "almost" solve also the general case at the
> > > same time to be future proof.
> > >
> > > Best,
> > >
> > > /Mats
> > >
> > > Russ Housley wrote:
> > > > Dolors:
> > > >
> > > > I do not have any problem with the priorities.  However, I do have
> some
> > > > concerns with the "do it later, if needed" tone.  If we look at
802.1X
> > > > development, it focused on 802.3 problems.  This solved real-world
> > > > problems.  Since a 802-wide view was not applied from the beginning,
> > > > significant changes are needed to make it work in 802.11, and other
> > > > wireless technologies.
> > > >
> > > > If we do not start with the big picture, we will inadvertently make
> > > > deployment in other topologies impossible without changes to the
> >standard.
> > > >
> > > > Russ
> > > >
> > > >
> > > > At 09:10 PM 4/21/2003 -0400, Dolors Sala wrote:
> > > >
> > > >> There seems to be significant consensus in leaving the scenario of
> > > >> untrusted bridges for a later stage (although the final unified
> > > >> architecture should support a complete secure bridge network
> > > >> solution). It seems we may be close to identify the scope of the
> > > >> initial project.
> > > >>
> > > >> In the last call, Bob Moskowitz recommended to initially focus on
the
> > > >> link level and leave the entire bridge network definition for a
later
> > > >> stage. If I interpret him correctly, he considers that there is
> enough
> > > >> work in defining the provider side of the link security
specification
> > > >> because it doesn't exist an specification or example from where we
> can
> > > >> leverage from. This work would involve to specify the
> (bi-directional)
> > > >> authentication and the link protection components of the unified
> > > >> architecture. Bob please clarify or extend as you feel appropriate.
> > > >>
> > > >> We would need to guarantee that the initial effort defines
components
> > > >> that fit the unified and general architecture. Could we guarantee
> this
> > > >> by imposing a set of general requirements to an initial link
> > > >> specification?
> > > >>
> > > >> If so we could define a gradual roadmap where we focus first on the
> > > >> link components and later on the bridged network components. We
could
> > > >> first focus on capturing a complete set of requirements from the
> > > >> unified architecture and define an initial project to specify a
link
> > > >> security for 802.3 links. At a later stage, additional projects
would
> > > >> be defined to complete the architecture for bridged networks
(and/or
> > > >> other links if needed).
> > > >>
> > > >> I would like to solicit opinions and comments on this roadmap
> approach
> > > >> and recommendations on the specific scope and components of an
> initial
> > > >> project.
> > > >>
> > > >> Dolors
> > > >>
> > >
>
>
>
>

Follow-Ups:
- RE: [LinkSec] Failure of probe mechanisms to scale
  - From: Russ Housley <housley@vigilsec.com>

References:
- Re: [LinkSec] Failure of probe mechanisms to scale
  - From: "Ken Alonge" <kenneth.alonge@verizon.net>

Prev by Date: RE: [LinkSec] Failure of probe mechanisms to scale
Next by Date: Re: [LinkSec] Failure of probe mechanisms to scale
Prev by thread: Re: [LinkSec] Failure of probe mechanisms to scale
Next by thread: RE: [LinkSec] Failure of probe mechanisms to scale
Index(es):
- Date
- Thread