
action points: security scope & requirements



Folks,

Coming back to APs and those assigned to me in the last f2f meeting. Three points:

1) We had the initial discussion on security. It is rather clear we need an ability to (mutually) authenticate REs and RECs. Using existing mechanisms available like 802.1X here makes a lot of sense. I think we are all in agreement here. I am not sure whether we actually need to agree on any mandatory-to-support authentication method(s).

2) RoE user payload protection. Generally no use for it. User payload is typically already protected by upper layers. If someone desires to cipher that again, they are free to put e.g. MACsec below. We do not need to define that part. I think we are all in agreement here.

3) RoE control message protection. I think we all agree that we need to say something here about how to protect the RoE control plane. However, what is not clear to me is how we were to do that. First we need to agree whether it is a network issue or an "application" issue. If it is a network issue then MACsec would be a natural choice, but it should then also be able to selectively pick up which flows to protect in an e2e manner. If it is an application issue we might need to pick up some ciphering solution to do that - most likely.

So for the security scope & requirements:
  * Mutual authentication of REs and RECs.
     - Provide only 802.1X framework?
  * RoE control plane security.
     - E2E solution.
     - Done at the application layer?
 
Comments? 

- Jouni


-- 
Jouni Korhonen, CTO Office, Networking, Broadcom Corporation
O: +1-408-922-8135,  M: +1-408-391-7160