Device identity

advertisement
Proposal for device
identification PAR
Scope
• Unique per-device identifiers (DevID)
• Method or methods for authenticating that
device is bound to that identifier
– Abstract framework
– Concrete protocol over 802.3
• Standards for establishing and maintaining
vendor trust
Rationale
• Many ways to identify individuals
• No standard ways to identify devices
• MAC addresses are not sufficient
– Multiple per device
– Reconfigurable
– Not cryptographically bound
• Device identity is important for completing
chains of trust
– Window of vulnerability
Uses
• Network equipment provisioning
• Authenticated key exchange in other
protocols
– E.g., 802.1af, 802.1X
•
•
•
•
Inventory management
Internal component identification
LLDP chassis IDs
…
Market Potential
• Any protocol requiring identification at
layer 2
– Any authentication protocols
• Applicable in bridges, routers, endstations, …
• Consistent acquisition procedures across
manufacturers
• Cost should not be a barrier to adoption
– Low incremental cost
Compatibility
• IEEE 802.1 standard
• In conformance with
– 802 overview and architecture
– Existing standards within 802.1 and 802.3
• Managed objects will be defined
consistent with existing policies and
practices
Relationship with other standards
• No standards providing device identity
within IEEE 802
• No such standards outside of IEEE
• CableLabs DOCSIS
– Not generally applicable (cable modem
specific)
– CableLabs is intermediary for deployment
– CableLabs is not a standards body
• IETF liaison letter in support of value
PKI overview
Manufacturer
Device
Key generation
capability
Key generation
capability
Certification
Authority
Private key
Sign
Certificate
Root
certificate
Public
Key
Intention is that private key
would not be exportable once
installed
DevID number
Technical overview
Vendor
Credentials
Device
Device
Identity
Identity
Management
capability
Analysis
• No registration within IEEE required
– Vendors can be their own root
• Trust by reputation
– Management vendors can aggregate credentials
– Or, IEEE could outsource a PKI, e.g., to Verisign
• Physical security of devices is a known threat
– Some vendors will choose high security
– Others will want to support hot-swapping
• Hardware implementation cost small, not free
– Available crypto capability
• Cheap off the shelf solutions (including software)
– 128 to 512 bytes of storage
Download