On 10/18/2011 11:37 AM, Tim Frost wrote: > I think most of the reviewers are missing the point of this draft. > > The point is not that the timing packets are inherently secret and need encryption, but that the 3GPP architecture mandates that EVERYTHING flowing to the femtocell must be inside a secure tunnel, whether the security is needed or not. It's a wider architecture issue, not the issue about whether encryption is needed and how best to do it.
Thank you for clarifying this. This information is totally missing in the draft which should be providing a rationale for the proposal. I might argue that the 3GPP architecture is wrong when dealing with timing packets but this is the wrong forum to discuss that and that boat has probably sailed anyway. > The key figure from the draft is Figure 1: > > +-------------+ > | | > | Femtocell |<-----------------------------+ > | | | > +-------------+ | > | > | > /---------------------\ > | | > | Public Network | > | | > \---------------------/ > | > | > +------------+ +-------------+ | > |Clock Server|---------->| | | > +------------+ | | | > | Security GW |->---+ > +------------+ | | > |Femto GW |---------->| | > +------------+ +-------------+ > > > Figure 1. Typical Architecture of a Femtocell Network > > The problem with this is once the packets have been encrypted, it is not possible for the femtocell to timestamp them on reception because it doesn't recognise them until after decryption, which is what this draft tries to address. You could always timestamp all packets and then worry about whether or not you need the timestamp or is this prohibitive in cost? > > I totally agree with the comments people like Danny have made that point out the difficulties that identifying timing packets just opens them up to attack. However, comments attacking the rationale for encryption are wide of the mark - the packets are encrypted by 3GPP architecture, we have to work out how to deal with that. > The rationale was attacked because it was not spelled out in the document, it's as simple as that. The next question becomes is there a better way to accomplish the goal given the architecture? > We could argue that 3GPP should never have mandated this type of architecture, but we would be better off arguing that at 3GPP, not here in IETF. Agreed. Danny _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
