[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: WG/Authors Opinions please :draft-cruickshank-ipdvb-sec-req-03.txt
Hello George,
thanks for commenting on this. See below.
George Gross wrote:
Hi Michael,
in looking over this thread, I think that there might be confusion about
which threat model is being assumed by you versus the one assumed by
Prashant. The group key management subsystem does the authentication and
authorization of the IPDVB group membership. The network's security policy
administrator decides what constitutes a group's membership and whether
there is an unacceptable risk of an insider attack that the group must be
defended against.
For a basic security policy, group authentication is sufficient because
group members are trusted. Source authentication using digital signature
or TESLA is not required. In the event that the group's authentication key
is compromised then the scope of the damage is limited to only that group
rather than all groups sharing that MPEG TS. Limiting the size of each
group can help minimize this risk.
For a security policy that considers an insider attack a risk, then source
authentication would be a reasonable mechanism to counter that
vulnerability. However, I have not heard on this list any use cases that
would need that service at layer-2.
This is exactly what I was talking about. I am fully aware that insider
attacks are more unlikely than attacks from outside a VPN (or virtual
LAN, to stay with your terminology) within the ULE network, and that
most will be fine with group authentication (i.e. MACs). (And there are
good other reasons why one would want to stick with MACs.)
I was just trying to point out that...
one can distinguish between two other cases:
(a) insider attacks, i.e. active attacks from adverseries in the know of
certain keys
-> protection against this attack requires source authentication
(e.g. digitial signatures)
(b) outsider attacks, i.e. active attacks from outside of a VPN
-> in this case simple MACs are sufficient (i.e. group authentication)
Michael, did you have such an example in mind for IPDVB?
Yes, I was considering just another threat model in which MACs do not
provide source authentication. I guess the authors of that draft have
also considered that threat once because of mentioning TESLA.
hth,
George
Best regards,
Michael