Re: Admission Control to the IETF 78 and IETF 79 Networks
Phillip Hallam-Baker <hallam@gmail.com> Tue, 13 July 2010 16:05 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 74E8C3A695E for <ietf@core3.amsl.com>; Tue, 13 Jul 2010 09:05:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.435
X-Spam-Level:
X-Spam-Status: No, score=-1.435 tagged_above=-999 required=5 tests=[AWL=1.164, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJuQvUyf2kRV for <ietf@core3.amsl.com>; Tue, 13 Jul 2010 09:05:17 -0700 (PDT)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by core3.amsl.com (Postfix) with ESMTP id CE01F3A67EC for <ietf@ietf.org>; Tue, 13 Jul 2010 09:05:16 -0700 (PDT)
Received: by pwj1 with SMTP id 1so2791746pwj.31 for <ietf@ietf.org>; Tue, 13 Jul 2010 09:05:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=2gAPY49nvAvB18a+k6CXUxj9lRO5M3jszUdnYc8SjJ0=; b=oHe/774354uz966C0RWTQguHQyKIJpO8kd4IijYCUEqVxQH6uNc6tsNWkp0tx+kxAm jHxUx/dhMdyprtJ/LG8ezWl5IcMoH6CulCj3Pn/23rRg0QxX9rYqdYivsBjsUZI3TuBD oERDzZGZ1iwa5IkJN2flKYgzPDKULFOevfcAI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=v5jvhXgX4NocKkpLtDoxcScny1DipoY8iMDIZepm7m3L4ZJ/Worxqf/d2A4N0uxWYb eKejF26/FQsN0vOBjXzziSGHNCJr64mXIEOAthK/z5L7w71/5WXu13570a7HQQZ+CV6z cCPoNIRLzcnr1rm59LEDUSpgbp5iTPkmC16yM=
MIME-Version: 1.0
Received: by 10.142.163.15 with SMTP id l15mr3938975wfe.6.1279037121677; Tue, 13 Jul 2010 09:05:21 -0700 (PDT)
Received: by 10.231.32.8 with HTTP; Tue, 13 Jul 2010 09:05:21 -0700 (PDT)
In-Reply-To: <AANLkTinQhd-Cn-wPsjhmGEPjjcpkVTlYkb7UfNf9-7Lc@mail.gmail.com>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org> <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com> <AANLkTil0YIS9H-vYxIJJS_OC7tAlcCLQQycskFcLE71V@mail.gmail.com> <AANLkTilVAn3j-iXbdytu9en-OWAjlCFQSyQy1jiY1Zq1@mail.gmail.com> <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com> <AANLkTinQhd-Cn-wPsjhmGEPjjcpkVTlYkb7UfNf9-7Lc@mail.gmail.com>
Date: Tue, 13 Jul 2010 12:05:21 -0400
Message-ID: <AANLkTikg8QmDxh93OAXbOsXt6KTuMcDYRGeXnU91Kh35@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Wed, 14 Jul 2010 09:14:52 -0700
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 16:05:20 -0000
While the fingerprint of the cert can be used as a globally unique identifier, this approach has advantages and disadvantages. Pro: There is no cost to generating the cert, the cert can be generated after the device ships Con: There is no cost to generating the cert, the cert can be generated after the device ships. Thus there is no degree of accountability established in the presentation of a cert. If a user abuses the network (e.g. to send spam) there is no bar to prevent them ditching the banned cert and re-applying for another. Con: Existing management infrastructure is designed around the communication of MAC addresses. Most computer system retailers servicing the enterprise space already communicate the MAC address of equipment to customers as part of the shipping process. Infrastructure to support additional identifiers would have to be built out separately and to avoid birthday paradox collisions, randomly unique identifiers need to be twice as long as assigned ones making use of simple barcodes impossible. The IETF requirements can be met with cert fingerprints, the general case requirement for accountability cannot without some party providing rate limiting somewhere in the system. On Mon, Jul 12, 2010 at 11:12 PM, Donald Eastlake <d3e3e3@gmail.com> wrote: > See belos ... > >> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@gmail.com> >> wrote: >>> >>> No, if you read my book you would see the scheme I am proposing. >>> >>> The problem with current MAC addresses is that they are not >>> trustworthy. That is accepted. If MAC addresses were not trivially >>> forged then the existing WiFi scheme would work fine. >>> >>> ... >>> >>> Instead every device would have been issued with a device cert to bind >>> the MAC address to a public key during manufacture. This is already a >>> requirement for cable modems. The cost is of the order of cents per >>> device if the certs are installed during manufacture. Maintenance >>> costs get much higher as soon as the device has left the factory. > > I don't see any need for the MAC address to be bound. If the device > has a build in cert, you can use that, regardless of what the MAC > address is, to authenticate and secure communications. > > Isn't this provided by 802.1AR-2009? ( Available from > http://standards.ieee.org/getieee802/802.1.html ) > >>> The function of the certificate is to stop the MAC address being >>> trivially forged. OK yes, if you design the protocols wrong then you >>> can end up with Cisco being able to intercept on the wire traffic. But >>> if you do the job right you can prevent interception even if the >>> manufacturer defects. >>> >>> ... >>> > -- Website: http://hallambaker.com/
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Admission Control to the IETF 78 and IETF 79 Netw… IETF Chair
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Fred Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Olivier MJ Crepin-Leblond
- Re: Admission Control to the IETF 78 and IETF 79 … Dave CROCKER
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew Sullivan
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Marshall Eubanks
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew Sullivan
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Ted Hardie
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … David Conrad
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … John C Klensin
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Michael StJohns
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- free internet for ieters only Health
- Re: Admission Control to the IETF 78 and IETF 79 … Robert Moskowitz
- Re: Admission Control to the IETF 78 and IETF 79 … Douglas Otis
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Bob Hinden
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew G. Malis
- Re: Admission Control to the IETF 78 and IETF 79 … Marocco Enrico
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Marocco Enrico
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … tytso
- Re: Admission Control to the IETF 78 and IETF 79 … Mark Atwood
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … joel jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Douglas Otis
- Re: Admission Control to the IETF 78 and IETF 79 … Donald Eastlake
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … IETF Chair
- RE: Admission Control to the IETF 78 and IETF 79 … Josh Howlett
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker