IETF Logo Mail Archive

Re: Admission Control to the IETF 78 and IETF 79 Networks

Donald Eastlake <d3e3e3@gmail.com> Tue, 13 July 2010 03:12 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C120B3A68E3 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 20:12:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.271
X-Spam-Level:
X-Spam-Status: No, score=-2.271 tagged_above=-999 required=5 tests=[AWL=0.328, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vifWi0QaPUYq for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 20:12:42 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 2B1493A68F0 for <ietf@ietf.org>; Mon, 12 Jul 2010 20:12:41 -0700 (PDT)
Received: by wyb40 with SMTP id 40so4154025wyb.31 for <ietf@ietf.org>; Mon, 12 Jul 2010 20:12:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=R/aP95EdAI7L7gJ32Rnkkmub/7r21Qe3+mLmOjJfR7Y=; b=u8N2VgF6Ge+iorTNbczSw/Tsa8Wz8479T6yjIONbWy/wgzYebelBkzvyX4aRjUACz/ ntRdozIf6Bfa5T0NeJHKSsmj3cyYpX9gAfiWpYJr4f0i3B2yPwby0tUxnwQ1AImRJgo1 ppwODjE2edv0AEnR4Ba+KZMIDcl7iCDFGb3Yc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=aLHETWtGJrOlZF1zBkuNkdLyw2qrPk30lzMIOdJqX4Zge3mJECTMhBLJWuOchDN8h1 99E7wO143YFNDJ9xna1flXMrRp+H1Y/McBdz7Ue8KNWdhtbETBJPShrL5nbbHTmDRsOq /58xaothaoQz+s4UfBlsbIKncUm8ClOp7WsVA=
MIME-Version: 1.0
Received: by 10.227.138.11 with SMTP id y11mr13567168wbt.49.1278990763351; Mon, 12 Jul 2010 20:12:43 -0700 (PDT)
Received: by 10.216.88.70 with HTTP; Mon, 12 Jul 2010 20:12:43 -0700 (PDT)
In-Reply-To: <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org> <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com> <AANLkTil0YIS9H-vYxIJJS_OC7tAlcCLQQycskFcLE71V@mail.gmail.com> <AANLkTilVAn3j-iXbdytu9en-OWAjlCFQSyQy1jiY1Zq1@mail.gmail.com> <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com>
Date: Mon, 12 Jul 2010 23:12:43 -0400
Message-ID: <AANLkTinQhd-Cn-wPsjhmGEPjjcpkVTlYkb7UfNf9-7Lc@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Donald Eastlake <d3e3e3@gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 03:12:43 -0000

See belos ...

> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@gmail.com>
> wrote:
>>
>> No, if you read my book you would see the scheme I am proposing.
>>
>> The problem with current MAC addresses is that they are not
>> trustworthy. That is accepted. If MAC addresses were not trivially
>> forged then the existing WiFi scheme would work fine.
>>
>> ...
>>
>> Instead every device would have been issued with a device cert to bind
>> the MAC address to a public key during manufacture. This is already a
>> requirement for cable modems. The cost is of the order of cents per
>> device if the certs are installed during manufacture. Maintenance
>> costs get much higher as soon as the device has left the factory.

I don't see any need for the MAC address to be bound. If the device
has a build in cert, you can use that, regardless of what the MAC
address is, to authenticate and secure communications.

Isn't this provided by 802.1AR-2009? ( Available from
http://standards.ieee.org/getieee802/802.1.html )

>> The function of the certificate is to stop the MAC address being
>> trivially forged. OK yes, if you design the protocols wrong then you
>> can end up with Cisco being able to intercept on the wire traffic. But
>> if you do the job right you can prevent interception even if the
>> manufacturer defects.
>>
>> ...
>>

v2.23.0 | Report a Bug | By Email