
[LinkSec] Link sec - EPON view




Hello all,

The EPON people are in a difficult situation because there are EFM meetings in May and June with a lot of comments to go through.

For this and other excuses there will probably be no EPON people in the meeting next week. Thus, there will not be a presenter for the two EPON/single hop related presentations below.

Therefore, I hope you have time to go through these two relatively short presentations on your own. The first describes the solution proposed in EFM last July, as well as other EPON security proposals. Almost all people attending the EPON session supported the proposal that failed later in the 802.3 plenary.
http://www.ieee802.org/linksec/meetings/Jun03/pietilainen_1_0603.pdf

There has been a lot of debate about whether MAC addresses and control messages should be encrypted or not. The following presentation shows what information can be obtained if they are not encrypted.
http://www.ieee802.org/linksec/meetings/Jun03/pietilainen_2_0603.pdf
Check also the following link which shows what an eavesdropper can find out from MAC addresses: http://network.ucomm.wayne.edu/vendor_count/index.php?submit=count
From this list one can get a picture of PC models, Unix stations, printers, routers, bridges, and firewall routers that are used in the neighboring companies that share the same EPON. In EPON the traffic profile of each piece of equipment is also revealed.

The presentation is based on a business case of pure L2 connectivity provided by an operator between offices of a company. One can question the validity of that business case. Depending on the encryption solution, a company has two choices regarding EPON:
a) Install a firewall router (revealing just a single MAC address) at each end of links between the offices because otherwise the L2 operator would reveal to the neighbors what equipment one owns.
b) Install only L2 interfaces to one's existing Ethernet bridges to get connectivity between offices because the MAC addresses remain a secret between the company and the operator.

From the above, option b) costs a small fraction of a).

Here is the main point of this message: those who are able to attend Ottawa, please wordsmith the PAR in such a way that it does not rule out the proposals mentioned in the first document. There is time to narrow the scope later after project authorization.

I will be at the office during the week of the meeting so I can answer questions about the presentations by email.

With thanks for going through this message and best regards,

Antti Pietilainen
Nokia Research Center
P.O. Box 407
00045 NOKIA GROUP
Finland
tel. +358(0)71-8036660, fax. +358(0)71-8036214
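
Added illustration, not part of the original message or the linked presentations: a short Python audit of what stays visible on a shared medium when only frame payloads are encrypted, comparing bridged stations (cleartext MAC addresses) with the single-router arrangement of option a). The frames, the lower three bytes of each address, and the helper names are constructed for this example; the vendor table is a three-entry excerpt of OUI assignments.

```python
import struct
from collections import defaultdict

# Three-entry excerpt of OUI-to-vendor assignments, embedded so this runs offline.
OUI_VENDORS = {"00000c": "Cisco", "080020": "Sun Microsystems",
               "080009": "Hewlett-Packard"}

def frame(dst, src, payload_len):
    """Build a constructed Ethernet frame; the zero payload stands in for ciphertext."""
    return bytes.fromhex(dst + src) + struct.pack("!H", 0x0800) + b"\x00" * payload_len

def observe(frames):
    """Return {source MAC: (vendor, frames, bytes)} read from cleartext headers only."""
    seen = defaultdict(lambda: [0, 0])
    for f in frames:
        src = f[6:12].hex()       # source address occupies header bytes 6..11
        seen[src][0] += 1         # frame count per station
        seen[src][1] += len(f)    # byte volume per station (the traffic profile)
    return {mac: (OUI_VENDORS.get(mac[:6], "unknown"), n, size)
            for mac, (n, size) in seen.items()}

REMOTE = "0800200d0e0f"           # constructed destination in the other office
SIZES = [1400, 1400, 200, 64]     # constructed payload lengths

# Stations bridged directly onto the link: every device's own MAC is on the wire.
BRIDGED = [frame(REMOTE, src, n) for src, n in
           zip(["080020010203", "080020010203", "080009040506", "00000c070809"], SIZES)]

# Option a): the same traffic behind a firewall router exposes one source MAC.
ROUTED = [frame(REMOTE, "00000c0a0b0c", n) for n in SIZES]

if __name__ == "__main__":
    for label, capture in (("bridged", BRIDGED), ("routed", ROUTED)):
        print(label)
        for mac, (vendor, n, size) in observe(capture).items():
            print(f"  {mac}  {vendor:<17} frames={n} bytes={size}")
```
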