
ISATAP security model wrt. 3GPP networks [Re: 3gpp-analysis-05: miscellaneous non-critical issues]



Let's try not to get sidetracked too much on ISATAP..

On Mon, 29 Sep 2003, Fred Templin wrote:
> >>So to work around this, you need to use something
> >>to enable you to tunnel to a router in the home network. 
> >>IMO ISATAP fits nicely in this model. 
> >
> >That's a detail at this point, but this is certainly at odds with the 
> >ISATAP security model.
> 
> As the lead ISATAP author, I must ask what you see as
> the problem with the ISATAP security model in this
> context?

The ISATAP spec employs automatic tunneling within a site, trusting the
other nodes in the site (that alone is pretty serious, but it gets worse).  
When you have access to an ISATAP link, you can do pretty much everything
on that link (especially due to the current flexibility tradeoffs -- see
Appendix D of the spec).

That may be more-or-less fine under a single administrative domain, where
such trust relations may (or may not) be assumed, but in this particular
case, the ISATAP link would consist of the 3GPP operator and all the
ISATAP-using UEs.  Every UE is basically untrusted by the others (and by
the 3GPP operator, but that's not so relevant here).

Thus, I fail to see how something like ISATAP could even be considered
for use in this scenario.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings