RE: ISATAP and admin/IP domains [RE: 3gpp-analysis: Recommendatio n on tunneling in the UE]

[Pekka Savola <pekkas@netcore.fi>]

On Tue, 18 Nov 2003, Karim El-Malki (HF/EAB) wrote:
>  > That doesn't mean the operator trusts the user at all; in this case, 
>  > it seems like a way to identify what is the home network to send the 
>  > packets to.
> 
> I don't understand what you mean? The user gets charged and is able
> to access services (e.g. internet access). That's the 3gpp model and
> ISATAP can be just one of those services.

Let me try to clarify, as the differences in security properties of 
different scenarios are clearly not clear.

My home xDSL system gets charged as well, and the ISP provides me 
services as well.

That doesn't mean the ISP trusts me to "behave well" in their network.  
E.g., I can spoof my address, I can send specially crafted packets, I
can try to confuse their router with OSPF packets if they haven't
disabled the interface, I can harass my neighbor, etc.etc. -- to the
ISP (and other users), I'm a "hostile user".

Much the same with 3GPP, actually more, because you don't have to have 
a contract or details where you can be traced, because you can use 
anonymous SIMs and similar.

In a similar fashion, you cannot trust other users, because you cannot 
trust that the ISP is ensuring that the users cannot harm you (even 
if that was somehow possible).

On the other hand, within an enterprise network, or at least a branch 
of the enterprise network, typically the assumptions are entirely 
different: you have to trust the users at least to some degree.  You 
have contracts etc. with them.  While some host may be acting weird 
for some reason, the users are not typically intentionally malicious.  

So...

As it should be obvious, security mechanisms used and assumptions
implied when devising a solution to the enterprise network are very
probably not adequate for ISP/3GPP scenarios with a different set of
requirements.

Hence, I have always given significant pushback for re-using the 
ISATAP model outside of its (original?) scope, the enterprise 
networks.

>  > I don't think ISATAP should be used at the home network either, due 
>  > to the reasons described: it doesn't fit well to a model of crossing 
>  > administrative borders.
> 
> I lost you here. What are the admin domains when the user is at home?

Between the user and the ISP/3GPP operator, see above for better 
explanation.
 
> But please take note that there are people on this list who would like
> to stop discussing and start finishing off those specs now pending for
> years.

I'm sure that there are people who would like to do that.  On the
other hand, that's exactly what we should not do, as even the
differences in security properties are not clear enough.

We must do what we must do, not necessarily what people would like to
do.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings