[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-lltm-v5
About security, I agree in general with what Emmanuel and Takei-san have said.
> 1. the security considerations fail to list the threat of ARP spoofing
> when ARP packets are being tunneled over the back channel.
ARP spoofing is a potential problem on any broadcast network, so I don't
think there's a new issue here.
> 6.> 10. Security Considerations
> >
> > Security in a network using the link layer tunneling mechanism should
> > be relatively similar to security in a normal IPv4 network. However,
> > as the link layer tunneling mechanism uses GRE[rfc2784], it is
> > expected that GRE authentication mechanism combined with a specific
> > link layer security mechanism on the back-channel will help to
> > enhance security in a unidirectional link environment.
>
> And what GRE authentication mechanism would that be? AFAIK, GRE has no
> authentication.
The phrase "GRE authentication mechanism" could be replaced by something
less general, but other than this, we could probably be a little bit more
specific about threats and countermeasures, but we don't need to be too
specific because, as Takei-san says, these problems are inherent with tunnels.
* Tunnel mechanisms introduce the potential for unauthorized access to the
service. This can be countered by authenticating all tunnels. It doesn't
matter what the specific mechanism used is: inside-GRE or outside-GRE (maybe AH).
* Many unidirectional links are open-broadcast, and can be received by
anyone. This lack of secrey isn't especially a problem for the UDLR
protocol itself. There is one exception: the feed addresses are broadcast
here - keeping them secret might help with the first problem. Depending on
the service being offered, open-broadcast might be problematic, but this
really isn't our problem. If secrecy is needed, link level secrecy
mechanisms are appropriate.
Tim