RE: ISATAP and admin/IP domains [RE: 3gpp-analysis: Recommendatio n on tunneling in the UE]

["Karim El-Malki (HF/EAB)" <karim.el-malki@ericsson.com>]

 > > I don't understand what you mean? The user gets charged and is able
 > > to access services (e.g. internet access). That's the 3gpp 
 > model and
 > > ISATAP can be just one of those services.
 > 
 > Let me try to clarify, as the differences in security properties of 
 > different scenarios are clearly not clear.
 > 
 > My home xDSL system gets charged as well, and the ISP provides me 
 > services as well.
 > 
 > That doesn't mean the ISP trusts me to "behave well" in 
 > their network.  
 > E.g., I can spoof my address, I can send specially crafted packets, I
 > can try to confuse their router with OSPF packets if they haven't
 > disabled the interface, I can harass my neighbor, etc.etc. -- to the
 > ISP (and other users), I'm a "hostile user".

OK. There are 3gpp specific mechanisms for this like ggsn
spoofing protection. But these are generic issues which are
not specific to ISATAP.

 > 
 > Much the same with 3GPP, actually more, because you don't 
 > have to have 
 > a contract or details where you can be traced, because you can use 
 > anonymous SIMs and similar.
 > 
 > In a similar fashion, you cannot trust other users, because 
 > you cannot 
 > trust that the ISP is ensuring that the users cannot harm you (even 
 > if that was somehow possible).
 > 
 > On the other hand, within an enterprise network, or at least 
 > a branch 
 > of the enterprise network, typically the assumptions are entirely 
 > different: you have to trust the users at least to some degree.  You 
 > have contracts etc. with them.  While some host may be acting weird 
 > for some reason, the users are not typically intentionally 
 > malicious.

Not sure I totally agree on this but I see the point.

 > 
 > So...
 > 
 > As it should be obvious, security mechanisms used and assumptions
 > implied when devising a solution to the enterprise network are very
 > probably not adequate for ISP/3GPP scenarios with a different set of
 > requirements.
 > 
 > Hence, I have always given significant pushback for re-using the 
 > ISATAP model outside of its (original?) scope, the enterprise 
 > networks.

You have talked above about generic security issues which exist
independently of ISATAP. Even if you don't use ISATAP you still
have those issues and I think many are addressed in 3gpp. So how
can you come to the conclusion to push-back on ISATAP?
We've already discussed the ISATAP security issues and I don't
see the problem when using it in the 3gpp network. Plus it
is only an optional mechanism!

 > > But please take note that there are people on this list 
 > who would like
 > > to stop discussing and start finishing off those specs now 
 > pending for
 > > years.
 > 
 > I'm sure that there are people who would like to do that.  On the
 > other hand, that's exactly what we should not do, as even the
 > differences in security properties are not clear enough.
 > 
 > We must do what we must do, not necessarily what people would like to
 > do.

We must create appropriate solutions to solve problems and not ignore
them or generate new ones (like the configured tunnel proposal), otherwise
quite naturally people will go off and solve it their own way. I think
people want to solve problems they don't just like to do things. Careful
reviewing is important but specs being discussed for years when they are
implemented and out in commercial products just demonstrates that there is
something wrong with the way we are handling things.

/Karim