[Mipshop] How probable is compromise of an AR? (was: Re: SEND-based protection and related confusions )




I've not read the protocol design document, so I won't comment on the details. However, I'd like to comment on the debate about compromise of an AR.

In typical deployment situations, the AR is located in a locked closet that only personnel who are authorized can access. This does not, of course, mean that an AR can't be compromised over the wire, through some security hole in the software or something like that. But that risk exists for any network element that has a globally visible IP address. The situation is entirely different for APs, which are typically located in public places. In fact, this argument - that physical security is stronger for network elements such as routers and switches - is one of the major selling points for WLAN switching gear, because WLAN switches often handle security instead of APs and are considered more secure.

I think it is important to make this distinction when doing a threat analysis. It does not mean that an AR can never be physically compromised, but it does mean that such a compromise is more likely to be an inside job (that is, corrupt personnel) than is the case for an AP, where anybody can walk up, detach the AP, download the firmware to a laptop, analyze it to extract a key, then use the key to compromise the network.

           jak

----- Original Message -----
From: "Wassim Haddad" <whaddad at tcs.hut.fi>
To: "Narayanan, Vidya" <vidyan at qualcomm.com>
Cc: "Dondeti, Lakshminath" <ldondeti at qualcomm.com>; "Jari Arkko" <jari.arkko at kolumbus.fi>; "James Kempf" <kempf at docomolabs-usa.com>; <mipshop at ietf.org>
Sent: Thursday, August 17, 2006 1:06 AM
Subject: RE: SEND-based protection and related confusions (was RE: AR compromise(Re: [Mipshop] Review ofdraft-haddad-mipship-hmipv6-security-04))



On Wed, 16 Aug 2006, Narayanan, Vidya wrote:

> In the HMIP model (as in any host-based mobility model), I do feel
> strongly that the compromise of an AR must not cause spurious binding
> cache entries at the MAP on behalf of the MN.

=> A compromise of the AR has a much bigger impact on HMIPv6 protocol than what you are describing. Thus it does not make sense to ignore the real impact of an AR compromise (in an HMIPv6 domain) and just highlight the fact that it can cause "spurious binding cache entries"!

> So, brokering a trust relationship between the MN and the MAP by the AR
> providing a key and then doing a DH exchange is not attractive to me.

=> This is NOT accurate since it is assumed to have a trust relationship and secure links between nodes inside the MAP domain and the AR is not outside such domain (note that this assumption is not new!). This is mentioned in the security considerations section in the latest version.

> If we want to leverage the presence of CGAs, we could perhaps go down
> the path of IKEv2 using CGAs/self-signed certs, etc.

=> You don't need to go down to this path with CGA (even when talking about alternative).

> We have to keep in mind that this is not equivalent to simple IPsec
> or IKEv2/EAP, but, in the interest of infrastructureless security, it
> can be done.

=> The draft assumes that the infrastructure is secure and the protocol is built on such assumption.


Regards, Wassim H.




_______________________________________________
Mipshop mailing list
Mipshop at ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.