Re: [LinkSec] Failure of probe mechanisms to scale
Tony-
A bridge has what we termed a Security Management Information Base (SMIB) --
a glorified MIB -- which holds all of its current SAs. In the case I
presented, Bridge B would not have an SA with Bridge A for the pair of
Stations X & Y.
Ken
----- Original Message -----
From: "Tony Jeffree" <tony@jeffree.co.uk>
To: "Ken Alonge" <kenneth.alonge@verizon.net>
Cc: <mick_seaman@ieee.org>; "'Russ Housley'" <housley@vigilsec.com>;
"'LinkSec'" <stds-802-linksec@ieee.org>
Sent: Wednesday, April 30, 2003 9:41 AM
Subject: Re: [LinkSec] Failure of probe mechanisms to scale
Ken -
My reading of Mick's question was not "what does Bridge B do when it has
figured out that it doesn't have an SA", but "How does Bridge B figure out
that it doesn't have an SA". I think you answered the former, not the
latter.
Regards,
Tony
At 09:26 30/04/2003 -0400, Ken Alonge wrote:
>Mick-
>
>I believe the way we envisioned that a broken security association (SA)
>would be discovered (and Russ will correct me if I'm wrong) is as follows:
>
>Bridge A had an existing SA with Bridge B for Stations X and Y (X is
>attached to A and Y is attached to B). Station Y has been moved to Bridge
>C. Bridge A sends a protected frame to Bridge B on behalf of Station X,
>destined for Station Y. Upon receipt of the frame at Bridge B, Bridge B
>determines that it does not have an SA for Stations X & Y and returns an
>error to Bridge A. Bridge A then generates a Probe sequence to determine
>which SDE-enabled bridge now has Station Y. Bridge C responds and a new SA
>is established between Bridge A and Bridge C for Stations X & Y.
>
>Ken
>
>----- Original Message -----
>From: "Mick Seaman" <mick_seaman@ieee.org>
>To: "'Russ Housley'" <housley@vigilsec.com>; "'Ken Alonge'"
><kenneth.alonge@verizon.net>; "'LinkSec'" <stds-802-linksec@ieee.org>
>Sent: Wednesday, April 30, 2003 3:01 AM
>Subject: RE: [LinkSec] Failure of probe mechanisms to scale
>
>
> >
> > Russ,
> >
> > The point is that some changes in the core of the network will see a lot
>of
> > changes. My focus is on securing these links as well, not just those at
>the
> > edge of the net. I don't want a separate, not to be specified,
mechanisms
>to
> > cover these core links. If SDE-enabled bridges are in front of protected
> > networks, what is protecting the internals of these networks? These
> > networks often have their fiber routed through patch panels not under
the
> > direct physical lock and key of the network provider but of the colo
> > operator (your security mileage may vary).
> >
> > If your answer is that SDE associations are always tunneled across
>networks
> > then I have other technology today I can use - with much pain and manual
> > configuration so it is not really adequate but its problems are
tunneling
> > problems.
> >
> > I'd be interested in how you propose that an SDE bridge may be able to
> > figure out what security associations are to be affected. In cases other
> > than the SDE bridge being the edge bridge of the network I don't regard
>this
> > as possible in bridge networks as currently defined.
> >
> > Mick
> >
> > -----Original Message-----
> > From: Russ Housley [mailto:housley@vigilsec.com]
> > Sent: Tuesday, April 29, 2003 12:19 PM
> > To: mick_seaman@ieee.org; 'Ken Alonge'; 'LinkSec'
> > Subject: RE: [LinkSec] Failure of probe mechanisms to scale
> >
> >
> > Mick:
> >
> > I think that you and Ken are not communicating.
> >
> > An SDE-enabled bridge may be able to figure out that a spanning tree
>change
> > will impact some or all of the security associations to which it is a
>party.
> >
> > Also, a security association may not be impacted in any way by a
spanning
> > tree change. I envision a topology where SDE-enabled bridges are "in
> > front" of protected networks. In this topology, few spanning tree
changes
> > have any impact on the security associations.
> >
> > Russ
> >
> > At 02:34 PM 4/25/2003 -0700, Mick Seaman wrote:
> >
> >
> > >Ken,
> > >
> > >No misunderstanding at all, every link in a spanning tree necessarily
is
> > the
> > >only way all the stations on one side of a link in the active topology
> > >communicate with all stations on the other side, so a network
> > >reconfiguration of a spanning tree typically moves all the stations
from
> > the
> > >point of view of at least one bridge.
> > >
> > >Mick
> > >
> > >-----Original Message-----
> > >From: owner-stds-802-linksec@majordomo.ieee.org
> > >[mailto:owner-stds-802-linksec@majordomo.ieee.org]On Behalf Of Ken
> > >Alonge
> > >Sent: Friday, April 25, 2003 2:06 PM
> > >To: mick_seaman@ieee.org; 'LinkSec'
> > >Subject: Re: [LinkSec] Failure of probe mechanisms to scale
> > >
> > >
> > >
> > >Mick-
> > >
> > >I think there may be a slight misunderstanding of the 802.10 Probe
> > >mechanism. A Probe is only issued when a conversation is attempted by
an
> > >end entity and the lack of a Security Association between the sending
end
> > >entity and the receiving end entity is discovered. Just because a
>network
> > >reconfiguration has occurred doesn't mean that even one Probe will be
> > >issued -- it depends on whether the population of end stations attached
>to
> > >an SDE-enabled bridge changes. End stations moving to a new
SDE-enabled
> > >bridge will have to have new Security Associations established for it
for
> > >its peer-to-peer communications.
> > >
> > >Ken
> > >
> > >----- Original Message -----
> > >From: "Mick Seaman" <mick_seaman@ieee.org>
> > >To: "'LinkSec'" <stds-802-linksec@ieee.org>
> > >Sent: Friday, April 25, 2003 2:57 PM
> > >Subject: [LinkSec] Failure of probe mechanisms to scale
> > >
> > >
> > > >
> > > >
> > > > Here is some data on scale from an earlier email ....
> > > >
> > > > Today's implementations of RSTP (Rapid Spanning Tree Protocol) can
> > > > reconfigure after failure in a few hundred milliseconds or better (I
> > > > consider two milliseconds per bridge in path to be achievable) in
> > networks
> > > > where tens of thousands of conversations can be carried. That's a
peak
> > >probe
> > > > issuance/response rate of ~10**5 per second. It is just such large
> > >networks
> > > > where the demand for security may be highest. The best bridges can
(or
> > > > claim) to learn source addresses at line rate after reconfiguration,
I
> > >don't
> > > > think anyone has an architecture which could issue/respond to probes
>at
> > > > anywhere close to that rate.
> > > >
> > > > Mick
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: owner-stds-802-linksec@majordomo.ieee.org
> > > > [mailto:owner-stds-802-linksec@majordomo.ieee.org]On Behalf Of Russ
> > > > Housley
> > > > Sent: Thursday, April 24, 2003 7:36 AM
> > > > To: Dolors Sala; Mats Näslund; LinkSec
> > > > Subject: Re: [LinkSec] Consensus on Scope?
> > > >
> > > >
> > > >
> > > > Dolors:
> > > >
> > > > I think that the only contentious issue is peer discovery. Mick and
> > >others
> > > > have said that the probe approach specified by 802.10 does not
scale.
> > No
> > > > convincing argument has been presented. So far, it is just emphatic
> > > > assertion with the promise of a more complete discussion some time
>over
> > a
> > > > beer. I observe that the probe approach is not all that different
>than
> > > > ARP, so it cannot be too badly broken.
> > > >
> > > > The link-by-link approach completely avoids peer discovery.
However,
>I
> > am
> > > > not convinced that this approach really resolves any important
> > > > problems. It seem to me that the device that is implementing the
> > security
> > > > protocol will be placed in the hands of the customer. If the
customer
> > > > messes with it, can all traffic be exposed. In an end-to-end
scheme,
> > the
> > > > key needed to expose neighbor traffic will not be present,
>significantly
> > > > reducing the motive for messing with the box.
> > > >
> > > > Russ
> > > >
> > > > At 07:01 AM 4/23/2003 -0400, Dolors Sala wrote:
> > > > >Russ, Mats,
> > > > >
> > > > >I understand your concerns but we need to identify a work plan to
>make
> > >some
> > > > >progress towards the current needs represented by the interests and
> > > > >participation in the group.
> > > > >
> > > > >It seems to me there is significant interest in working on the
> > >link-by-link
> > > > >protection, and very little interest on the end-to-end security
> > solution
> > > > >right now. If this interest is correct, we need to work on how we
can
> > > > >characterize this first effort so that it addresses the immediate
>needs
> > > > >and is an step forward towards a unified architecture. It would be
> > > > >great if you can prepare material on the needs imposed by the
unified
> > > > >architecture to the link solution.
> > > > >
> > > > >My specific suggestion or question was to explore if it is possible
>to
> > > > >characterize the unified architecture in a set of requirements that
>can
> > >be
> > > > >imposed to the link solution. Another way to express this could be.
> > > > >
> > > > >Let's say that the unified end-to-end solution defines a complete
> > > > >"link-layer security architecture". A link-layer solution would
cover
>a
> > > > >complete L2 network security solution including the secure bridge
> > network
> > > > >and the single link secure communication. But we would like to
focus
> > > > >just on the single link solution component. So we need to define
> > > > >a link security architecture solution
> > > > >with the right hooks so that it is possible to build a complete
> > >link-layer
> > > > >solution on top of it. What is the best way to characterize these
> > hooks?
> > >Is
> > > > >a list of requirements enough? if so, what are the requirements we
> > would
> > > > >like to impose to the link security architecture?
> > > > >
> > > > >Russ, based on 802.10 and other IEEE security experiences,
> > > > >can you recommend a list of requirements or other form of material
> > > > >to capture this characterization?
> > > > >
> > > > >We need a framework expressing the extendibility needs of the link
> > > > solution.
> > > > >Any material or contribution on this respect will be very helpful.
> > > > >
> > > > >Dolors
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >----- Original Message -----
> > > > >From: "Mats Näslund" <mats.naslund@era.ericsson.se>
> > > > >To: <stds-802-linksec@ieee.org>
> > > > >Sent: Wednesday, April 23, 2003 3:58 AM
> > > > >Subject: Re: [LinkSec] Consensus on Scope?
> > > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I completely agree. Since the general bridged architecture
> > > > > > is considered difficult to handle, I am slightly worried that
> > > > > > corners will be cut so that later extensions beyond link-by-link
> > > > > > protection becomes cumbersome (or even impossible). It could
thus
> > > > > > be that we need to "almost" solve also the general case at the
> > > > > > same time to be future proof.
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > /Mats
> > > > > >
> > > > > > Russ Housley wrote:
> > > > > > > Dolors:
> > > > > > >
> > > > > > > I do not have any problem with the priorities. However, I do
>have
> > > > some
> > > > > > > concerns with the "do it later, if needed" tone. If we look
at
> > >802.1X
> > > > > > > development, it focused on 802.3 problems. This solved
>real-world
> > > > > > > problems. Since a 802-wide view was not applied from the
> > beginning,
> > > > > > > significant changes are needed to make it work in 802.11, and
> > other
> > > > > > > wireless technologies.
> > > > > > >
> > > > > > > If we do not start with the big picture, we will inadvertently
> > make
> > > > > > > deployment in other topologies impossible without changes to
the
> > > > >standard.
> > > > > > >
> > > > > > > Russ
> > > > > > >
> > > > > > >
> > > > > > > At 09:10 PM 4/21/2003 -0400, Dolors Sala wrote:
> > > > > > >
> > > > > > >> There seems to be significant consensus in leaving the scenar
io
> > of
> > > > > > >> untrusted bridges for a later stage (although the final
unified
> > > > > > >> architecture should support a complete secure bridge network
> > > > > > >> solution). It seems we may be close to identify the scope of
>the
> > > > > > >> initial project.
> > > > > > >>
> > > > > > >> In the last call, Bob Moskowitz recommended to initially
focus
>on
> > >the
> > > > > > >> link level and leave the entire bridge network definition for
a
> > >later
> > > > > > >> stage. If I interpret him correctly, he considers that there
is
> > > > enough
> > > > > > >> work in defining the provider side of the link security
> > >specification
> > > > > > >> because it doesn't exist an specification or example from
where
> > we
> > > > can
> > > > > > >> leverage from. This work would involve to specify the
> > > > (bi-directional)
> > > > > > >> authentication and the link protection components of the
>unified
> > > > > > >> architecture. Bob please clarify or extend as you feel
> > appropriate.
> > > > > > >>
> > > > > > >> We would need to guarantee that the initial effort defines
> > >components
> > > > > > >> that fit the unified and general architecture. Could we
>guarantee
> > > > this
> > > > > > >> by imposing a set of general requirements to an initial link
> > > > > > >> specification?
> > > > > > >>
> > > > > > >> If so we could define a gradual roadmap where we focus first
on
> > the
> > > > > > >> link components and later on the bridged network components.
We
> > >could
> > > > > > >> first focus on capturing a complete set of requirements from
>the
> > > > > > >> unified architecture and define an initial project to specify
a
> > >link
> > > > > > >> security for 802.3 links. At a later stage, additional
projects
> > >would
> > > > > > >> be defined to complete the architecture for bridged networks
> > >(and/or
> > > > > > >> other links if needed).
> > > > > > >>
> > > > > > >> I would like to solicit opinions and comments on this roadmap
> > > > approach
> > > > > > >> and recommendations on the specific scope and components of
an
> > > > initial
> > > > > > >> project.
> > > > > > >>
> > > > > > >> Dolors
> > > > > > >>
> > > > > >
> > > >
> > > >
> > > >
> > > >
> >
> >
> >
> >
Regards,
Tony