How probable is compromise of an AR? (was: Re: SEND-based protection and related confusions )
user name
2006-08-18 16:38:20
Lakshminath,

> Sorry for barging in on your email to Vidya, but let me take a stab at
> this.
>

No problem.

> We can envision a hot-spot model where APs may be deployed in accessible
> locations and ARs may be deployed in, let's say, semi-accessible locations
> (the APs and one or more ARs comprising a hot-spot) and the rest of the
> backend less and less accessible for physical compromise, culminating in
> MAPs and especially AAA servers being in the most secure locations. Is
> that a possible deployment model?
>

Service providers don't want people fooling around with their routers, and
for most deployment circumstances in service provider networks there is no
reason why routers can't be deployed in secure locations. Routers, unlike
access points, don't require public deployments in order to achieve good
radio reception. If there is customer premises equipment involved, it's
possible that the deployment might be less secure if the customer's security
procedures are sloppy.

> If a hot-spot owner controlled the "edge network" and the service provider
> controlled the rest of the network, wouldn't we say that AR compromise is
> a real threat (if nothing else, due to administrative boundaries)?
> Specifically, the service provider would want to avoid the domino effect
> by limiting the impact of a compromise of a hot-spot to just that
> hot-spot's coverage. Does that make sense?
>

This particular case involves propagating information across an
administrative boundary. In such a case, naturally, the core network service
provider must take care that the information coming from the access network
service provider is trustworthy. And the security architecture needs to make
sure that this threat is accommodated.

However, for this case, I believe the focus of the threat analysis must
shift to the access network provider. It is incumbent upon the access
network provider that they secure their access equipment.

>
>
>>When we did the threat analysis for Neighbor Discovery (RFC 3756), we
>>concluded that it was not feasible to mitigate compromise of a previously
>>trusted AR. The threat is, however, mentioned. We concentrated on
>>mitigating the threat of a masquerading AR, which is not possible to deter
>>using physical security, and is a very real threat for 802.11 end nodes.
>
> Right, here the protocol is between the AR and the MN. If one of the
> parties to the protocol is compromised, we have a tough problem. The best
> we can hope for is that the MN should be able to identify a misbehaving
> AR.
>
>
>>As for HMIP security, please note the thread topic. This topic has come up
>>in other WGs, raised by you and Lakshminath, and I wanted an opportunity to
>>discuss the threat specifically with you both; this seemed a good
>>opportunity. As I mentioned in the original post, I don't have an opinion
>>on the HMIP security protocol (otherwise I would have continued to post
>>under the original thread) except that I think it should try to fit
>>architecturally with an existing model. If, as you mentioned in a previous
>>post, it does not, then I think the authors would do well to reconsider
>>the design and try to make it fit.
>
> Right, my motivation in pursuing this topic is to avoid going down the
> slippery slope of unrealistic trust models where (i) edge entities are
> trusted as key distributors, especially to entities deeper in the network,
> and (ii) assumptions of secure links in the network. We cannot
> realistically assume that the infrastructure and edge routers are secure
> (if we do, for instance, NETLMM doesn't need any security protocol between
> the MAG and the LMA).
>

I agree with you up to the last sentence. I think there is a difference
between "assuming" security, and performing a threat analysis in which the
threats are enumerated and realistic countermeasures are appraised,
including physical security.

Regarding your point about NETLMM, the security protocol between the MAG and
LMA is intended to make sure that a) both the MAG and LMA are authenticated
to each other, so that both can verify that the other is authorized to
provide mobility service, and b) if the NETLMM protocol is running over a
public access network, the protocol exchanges are confidential. Note that
neither of these protects against the threat of MAG compromise. The
cryptomaterial used by the MAG to prove authorization is valid for some
period of time, and until that period elapses (or, alternatively, the
compromise is discovered and the MAG is put on a CRL), the authentication
with the LMA will succeed. These security measures are intended to protect
against an attacker masquerading as an authorized LMA or MAG, not an
authorized LMA or MAG that is compromised. A compromised LMA or MAG will
only be discovered by noting differences in its behavior, and then brought
off line or put onto the CRL. There is an important and critical difference
here, IMHO. Do you agree that there is a difference?

Anyway, enough about NETLMM. We should take this to the NETLMM list if you
want to discuss it further.

            jak 
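The distinction drawn in the message above (mutual authentication with time-limited credentials and a CRL defends against a masquerading MAG, not against an authorized MAG that has been compromised) can be made concrete with a small model. The following Python is an added illustration written for this archive page; it is not code from the thread, from NETLMM, or from any IETF implementation. The credential fields, the "mag-7" name, the serial number, the timestamps and the registration burst are all constructed for the example, and the behavioural monitor is a deliberately simple rate check standing in for whatever anomaly detection an operator would actually deploy.

```python
"""Model of LMA-side credential checking versus MAG compromise.

Added example, not from the mipshop thread. All identifiers, timestamps and
thresholds are constructed. It shows three things the message states:
  1. a valid, unrevoked credential authenticates regardless of whether the
     holder has been compromised;
  2. the only levers the verifier has are credential expiry and revocation
     (a CRL);
  3. compromise is noticed only by observing a change in behaviour, which
     then drives revocation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    subject: str        # constructed identity, e.g. "mag-7"
    serial: int         # constructed serial used as the CRL key
    not_before: int     # validity window, seconds on a constructed clock
    not_after: int


@dataclass
class CRL:
    revoked: set = field(default_factory=set)

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)


def lma_accepts(cred: Credential, crl: CRL, now: int) -> bool:
    """LMA-side authorization check: in validity window and not revoked.

    Nothing here can observe whether the holder is compromised; that is
    exactly the gap the thread discusses."""
    if not (cred.not_before <= now <= cred.not_after):
        return False
    if cred.serial in crl.revoked:
        return False
    return True


@dataclass
class BehaviorMonitor:
    """Flags a subject whose registration rate exceeds a baseline.

    Constructed stand-in for behavioural anomaly detection: it keeps a
    sliding window of registration timestamps per subject."""
    max_regs_per_window: int
    window: int
    _events: dict = field(default_factory=dict)

    def observe(self, subject: str, ts: int) -> bool:
        recent = [t for t in self._events.get(subject, []) if ts - t < self.window]
        recent.append(ts)
        self._events[subject] = recent
        return len(recent) > self.max_regs_per_window   # True means anomalous


# Constructed MAG credential: valid for one hour on the model clock.
MAG_CRED = Credential("mag-7", serial=4242, not_before=0, not_after=3600)


def run_scenario() -> dict:
    """Walk through compromise, detection and revocation; return each outcome."""
    crl = CRL()
    monitor = BehaviorMonitor(max_regs_per_window=5, window=60)
    out = {}

    out["before_compromise"] = lma_accepts(MAG_CRED, crl, now=10)

    # Constructed event: the MAG is compromised at t=100. Its credential is
    # unchanged, so the LMA still accepts it.
    out["after_compromise_no_revocation"] = lma_accepts(MAG_CRED, crl, now=120)

    # The compromised MAG starts registering MNs in a burst (one every 2 s).
    # The monitor flags it once the window count exceeds the baseline.
    flagged_at = None
    for ts in range(120, 140, 2):
        if monitor.observe("mag-7", ts):
            flagged_at = ts
            break
    out["flagged_at"] = flagged_at

    # Operator response to the anomaly: put the MAG on the CRL.
    if flagged_at is not None:
        crl.revoke(MAG_CRED.serial)
    out["after_revocation"] = lma_accepts(MAG_CRED, crl, now=(flagged_at or 0) + 1)

    # Even with an empty CRL, expiry alone eventually closes the window.
    out["after_expiry_fresh_crl"] = lma_accepts(MAG_CRED, CRL(), now=3601)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The scenario's middle result is the one the message is about: `after_compromise_no_revocation` is True because authentication answers "is this credential authorized?", not "is this holder trustworthy?". The model also makes the operator's dependency visible: `after_revocation` only becomes False because the monitor produced a `flagged_at` and something acted on it, which is why the message says a compromised MAG or LMA is discovered by noting differences in its behaviour rather than by the authentication exchange.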



_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop
