
Re: [802.1] Re: [LinkSec] Proposal on link layer security




Bob's last two points sum it up.  To be more specific, the essential
thing that LinkSec must provide, is assurance to the higher layers
that the source MAC address of a received frame is accurate.  This
is the tool that higher layers can use to ensure all sorts of things.
ARP security is one of those things.  Checking the validity of the
source IP address is another.  If we do our job, then the upper
layers (including 2.5) can do theirs.

-- Norm

Robert Moskowitz wrote:
> 
> At 09:39 AM 6/27/2003 +0530, Sai Dattathrani wrote:
> 
>> Hi,
>>  I have a proposal to avoid ARP spoofing by providing additional security
>> checks at the MAC sub-layer. I would like to initiate a discussion on the
>> proposal and take it forward. I am attaching the proposal. Kindly
>> initiate the discussion on the same.
> 
> 
> If the device is on a shared media, one thing we want to provide is 
> pair-wise SAs to all other devices on the media.  This will 
> automagically protect ARPs and any other MAC frames.
> 
> A specific solution to ARP is a mis-application of our resources.
> 
> A linksec solution that does not provide protection for ARPs has to be 
> questioned as to its completeness.
> 
> 
> 
> Robert Moskowitz
> Senior Technical Director
> ICSA Labs, a division of TruSecure Corp.
>     (248) 968-9809
> Fax:    (248) 968-2824
> rgm@icaslabs.com
> 
> There's no limit to what can be accomplished
> if it doesn't matter who gets the credit
> 
>