RE: Response to LWAPP Security Review

From: Darren Loher (DLoher
Date: Mon, 16 May 2005 12:44:24 -0400 (EDT)

Agreed, we should leverage an existing protocol for authentication. TLS with a limited, minimum set (1 or 2?) of required ciphers sounds like a good idea. Additional ciphers should be optional.

Given the emergence of WPA and 802.11i, it seems to make sense to leverage one/some of these methods for the WTP <-> AC authentication.

I also support that authentication be a requirement (MUST) of both the WTP and AC. Asymmetric ciphers should be allowed.

--
Darren Loher
Senior Architect
Roving Planet
http://www.rovingplanet.com
+1.303.996.7578

> -----Original Message-----
> From: capwap-admin [at] frascone.com [mailto:capwap-admin [at] frascone.com] On Behalf Of Charles Clancy
> Sent: Monday, May 16, 2005 6:31 AM
> To: Agcaoili, Philip
> Cc: capwap [at] frascone.com
> Subject: RE: [Capwap] Response to LWAPP Security Review
>
> One problem with many of the standards-based authentication protocols is
> that they often strive for flexibility rather than simplicity, making them
> suboptimal for smaller devices, such as a thin AP. Of course, that's not
> to say they should all be disqualified. IMHO, something like TLS
> authentication (similar to RFC 2716) would be good, with an application
> profile limiting the ciphersuites to the following:
>
> * TLS_RSA_WITH_AES_128_CBC_SHA
> * TLS_PSK_WITH_AES_128_CBC_SHA
>
> This would allow for both PSK and public-key authentication, using
> standard protocols.
>
> [ t. charles clancy ]--[ tcc [at] umd.edu ]--[ www.cs.umd.edu/~clancy ]
> [ computer science ]-----[ university of maryland | college park ]
>
>
> On Sun, 15 May 2005, Agcaoili, Philip wrote:
>
> > This is great to hear.
> >
> > It also seems like we're adding complexity to this working group by
> > reinventing the wheel. Why bother fixing something that's been solved many
> > times already? This working group should be reusing other standards-based, well
> > understood, and battle-proven methods such as IKE with IPSec or TLS with
> > certificates?
> >
> > Thanks,
> >
> > Philip Agcaoili
> > Chief Security Architect
> > Enterprise Information Protection
> > Scientific-Atlanta, Inc.
> >
> > -----Original Message-----
> > From: Pat Calhoun
> > To: 'Agcaoili, Philip'; capwap [at] frascone.com
> > Sent: 5/14/2005 12:12 AM
> > Subject: RE: [Capwap] Response to LWAPP Security Review
> >
> > Actually, I agree, and the issues raised in the review state that the
> > specification needs to have clarifying text to ensure that other
> > implementations do things right. As I mentioned below, we will be adding
> > such text to ensure that the document is very clear, minimizing the
> > possibility of 3rd party implementors being vulnerable to the issues
> > mentioned.
> >
> > Your voice is heard.
> >
> > Pat Calhoun
> > CTO, Wireless Networking Business Unit
> > Cisco Systems
> >
> > _____
> >
> > From: capwap-admin [at] frascone.com [mailto:capwap-admin [at] frascone.com] On
> > Behalf Of Agcaoili, Philip
> > Sent: Friday, May 13, 2005 4:34 PM
> > To: 'capwap [at] frascone.com'
> > Subject: Re: [Capwap] Response to LWAPP Security Review
> >
> > So to summarize, you appear to be saying that LWAPP security depends
> > from implementation to implementation of the draft.
> >
> > I'd like to be the voice of reason here and ask as a customer that the
> > IETF specification is explicit enough to reasonably ensure that every
> > implementation of the spec is secure.
> >
> > Thanks,
> >
> > Philip Agcaoili
> > Chief Security Architect
> > Enterprise Information Protection
> > Scientific-Atlanta, Inc.
> >
> > - - - - - - - Appended by Scientific-Atlanta, Inc. - - - - - - -
> > This e-mail and any attachments may contain information which is
> > confidential, proprietary, privileged or otherwise protected by law. The
> > information is solely intended for the named addressee (or a person
> > responsible for delivering it to the addressee). If you are not the
> > intended recipient of this message, you are not authorized to read,
> > print, retain, copy or disseminate this message or any part of it. If
> > you have received this e-mail in error, please notify the sender
> > immediately by return e-mail and delete it from your computer.
> >
> _______________________________________________
> Capwap mailing list
> Capwap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/capwap