RE: [EFM] OAM - Faye's seven points
Fletcher,
It is true that current cable access networks use MAC address for
authentication. However, this is widely considered a weak authentication
scheme which will be replaced with X.509 digital certificates plus 1,024 bit
RSA key pair. You will start seeing deployment of BPI+ by 2002.
Strong authentication is key in preventing the following attacks:
- Masquerading
- DOS
- Replay
- Device cloning
- Theft of service
In all cases both the service provider and customer are at risk.
Harry
-----Original Message-----
From: Fletcher E Kittredge [mailto:fkittred@gwi.net]
Sent: Tuesday, September 18, 2001 8:42 AM
To: bob.barrett@fourthtrack.com
Cc: Faye Ly; Geoff Thompson; stds-802-3-efm@ieee.org
Subject: Re: [EFM] OAM - Faye's seven points
Below, please read "Ethernet MAC address" for MAC address.
On Tue, 18 Sep 2001 11:25:43 +0100 "Bob Barrett" wrote:
> > 3. CPE registration or inventory (The former is the action and the later
> > is
> > the results).
>
> Some form of registration, even if it is operator driven is mandatory.
> Auto registration is desirable.
Is this not just the use of an Ethernet MAC address? As a provider of
both cable and dsl based public ethernets, we think the MAC address
works well.
One of the reasons the Ethernet MAC address works well is that the SP
already has the necessity of monitoring the network in order to pick
up the MAC addresses of customer equipment beyond the CPE. This
information is sufficent to provide the ability to map any given
Ethernet Frame to a customer. Such a mapping is required in order to
provide secure networks.
For a SP, two illustrations of the necessity of such a mapping are the
recent "Code Red" infestation when SPs needed to contact customers to
inform them of infected servers and the events of September 11th,
2001. For those outside the US, like most (all?) SPs serving the US
market, we have been spending time this week responding to subpoenas.
thank you,
fletcher