| Re: Last call comments for capwap-threat-analysis-01 | <– Date –> <– Thread –> |
From: Scott G. Kelly (s.kelly ix.netcom.com)
|
|
| Date: Wed, 30 Jul 2008 07:40:01 -0700 (PDT) | |
Some comments inline below... Pasi.Eronen wrote: >Couple of comments/observations about capwap-threat-analysis-01: > >There seem to be couple of places where this document isn't >completely in sync with the protocol/binding documents. >In particular, the following two places: > >Section 4.2, "The current CAPWAP binding for IEEE 802.11 only >supports the use of IEEE 802.11i [80211I] security on the >wireless link." The current version of the binding spec seems >to support WEP, too. > I think Charles already addressed this. >Section 6.1: The text about "Local MAC", "Remote MAC", and "Split MAC" >doesn't seem to match the other documents. E.g., there's no "Remote MAC" >in the other documents, and description of "Local MAC" doesn't quite >match the description in IEEE 802.11 binding. See RFC4118. >The document would benefit from some discussion about authorization. >Especially if WTPs/ACs have manufacturer-issued certificates installed >in factory, everyone can easily authenticate everyone else. And with >DHCP AC option, this could "zero configuration" for WTPs -- except >that this wouldn't be secure: WTP (and AC) needs some configuration >to know who is the *right* AC (who are the *right* WTPs). I believe you attended the lunch with Sam where this was discussed. We've explicitly deferred certificate-related authn/authz discussion for now so that we can get these specs published in a meaningful timeframe, although we do discuss validating the EKU bits and MAC address for this. This is the classic "camel's nose" problem: if you attempt to add text that addresses this more fully, where do you stop? I don't think we want to open this can of worms just now. At Sam's request, we added some cert-related clarifications, but I think we all agreed to stop there. > >Editorial nits: > >Section 9.2: the section title includes "Rootkit installation": is >this in right place, or should it be in Section 9.3? > It definitely belongs in 9.2, as this would be an attacker objective for decentralized (802.11) encryption scenarios. It could also be referenced separately in 9.3. It's straightforward to modify the section header to accommodate this. --Scott >Best regards, >Pasi >_________________________________________________________________ >To unsubscribe or modify your subscription options, please visit: >http://lists.frascone.com/mailman/listinfo/capwap > >Archives: http://lists.frascone.com/pipermail/capwap
-
Last call comments for capwap-threat-analysis-01 Pasi.Eronen, July 29 2008
- Re: Last call comments for capwap-threat-analysis-01 Scott G. Kelly, July 30 2008
- Re: Last call comments for capwap-threat-analysis-01 Pasi.Eronen, July 30 2008
Results generated by Tiger Technologies using MHonArc.