
Fwd: Re: [LinkSec] New Authentication paper





>Date: Fri, 08 Aug 2003 14:34:54 -0400
>To: Sai Dattathrani <saidatta@in.ibm.com>
>From: Robert Moskowitz <rgm@trusecure.com>
>Subject: Re: [LinkSec] New Authentication paper
>
>At 06:30 PM 8/8/2003 +0530, Sai Dattathrani wrote:
>
>>  Thank you for clarifying my doubts. I accept the problems that I have
>>mentioned are inherent to authentication & encryption models. But if it is
>>not reliable, should we be adopting these techniques to protect data at the
>>Data Link layer? As it is, these features require additional resources and
>>processing; in spite of this, should we adopt this mechanism if we know it
>>might not be entirely reliable?
>>
>>Should we be thinking of some other reliable mechanism to protect data?
>
>Security is a house of 100 windows.  If one is open the crook will get 
>in.  But that does not excuse you from designing your window as best you can.
>
>LinkSec will (most likely) have two components:  a MACsec frame, and an 
>improvement over 802.1x authentication flow.
>
>Just like with IPsec, ESP protected data is as good as the keying 
>material. MACsec is no different.  We have all the lessons learned on 
>ESP.  I co-chaired that group, and there are others from the IPsec legacy 
>on LinkSec.
>
>802.1x is there to provide authentication and authentication MAY provide 
>keying material.
>
>There is no magic bullet that is flexible enough for all 802 media and for 
>all users.
>
>BTW, may I copy this conversation to the LinkSec mailing list?

Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp.
	(248) 968-9809
Fax:	(248) 968-2824
rgm@icaslabs.com

There's no limit to what can be accomplished
if it doesn't matter who gets the credit