On Tue, Oct 18, 2011 at 10:37 AM, Tim Frost <tfr...@symmetricom.com> wrote:
> I think most of the reviewers are missing the point of this draft.
>
> The point is not that the timing packets are inherently secret and need
> encryption, but that the 3GPP architecture mandates that EVERYTHING flowing
> to the femtocell must be inside a secure tunnel, whether the security is
> needed or not. It's a wider architecture issue, not the issue about whether
> encryption is needed and how best to do it.
"Everything"?? Some bits can't be in a tunnel. For example, the outer IP headers. Obviously some bits of IKE also go in the clear. What exactly is "everything" intended to encompass? It can't be truly all bits. At most it can only be "all bits that can be tunneled".

I don't see why timing signals need to be protected by IPsec if they can carry their own cryptographic protection. I know very little about IEEE 1588 (PTP), but if there's any way that it can provide its own security protocol[*] then I think it'd be fair to keep PTP out of the "everything" that must be tunneled.

OTOH, if PTP lacks sufficient security functionality, then my suggestion would be to either use NTP or else we'll all have to hold our noses for the proposed solution.

Is PTP mandated for Femtocell as well?

[*] The paper "Security Flaws and Workarounds for IEEE 1588 (Transparent) Clocks" by A. Treytl and B. Hirschler tells me that PTP does have a secure mode and that it's not very good. Have those issues been addressed since?

Nico
--

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec