[Security_sig] Update on CGL Security
Makan.Pourzandi at ericsson.com
Fri Jul 30 15:04:41 PDT 2004
Gé Weijers wrote:
> I'm assuming we're having a security SIG meeting tomorrow. If we don't
> or if you cannot attend I'd like to ask you for your opinion on the
> I've studied ITU document "Security in Telecommunications and
> Information Technology" in some detail, and I've tentatively drawn the
> following conclusions:
> * telecommunications security is dictated by a host of ITU standards
> * studying a comprehensive subset of them is not feasible
> * the examples given in the ITU document do not have that much in
> common beyond basic mechanisms such as certificates, so a
> generically applicable security analysis is almost impossible.
> * we should therefor limit ourselves to the security of the
> underlying platform.
I agree with you. However, we should take into account the
characteristics of CGL systems when defining the specs. Even though,
the CG applications are very different, I believe that we should be able
to find some general common aspects like high availability for these
different applications. I agree that these are rather high level
requirements (and sometimes perhaps somehow vague), but if we don't take
them into account the NEPs/Linux distros risk not accepting them as
valid requirements. For example, we don't want to add a single point of
failure into the system, an example of this can be some sort of key
storage system that can not support any fail over mechanism.
> One issue I have not resolved yet is whether the separation between
> control plane, management plane and end-user plane (see discussion of
> X.805 in ITU doc) is something we should include in our analysis or not.
IMO, the security needs for different layers are sometimes completely
different. For example, the security needs at management plane are
definitely different from the needs at end-user plane. This should be
reflected on the analysis, however, we don't want to have different sets
of requirements for each plane. What we could do is to explicitly
mention them in the document when needed. For example, we could mention
that "all communications at __management plane__ should be protected
against confidentiality and integrity".
> I have talked my manager into reserving 2 days/week for my OSDL
> activities. I apologise for the slow progress. Between vacation and the
> inevitable post-vacation catch-up operation another month has gone by.
> Progress should be much faster now I have 16 hours/week to spend on this.
> I've attached the current state of the work document. Not too much has
> changed, but I've updated the assumptions and policies sections.
> Talk to you tomorrow, I hope.
> security_sig mailing list
> security_sig at lists.osdl.org
Makan Pourzandi, Open Systems Lab
Ericsson Research Canada
*This email does not represent or express the opinions of Ericsson Inc.
More information about the security_sig