4.1. Introduction: Issues with Link Layer-Only Security
In previous chapters, we discussed some of the problems associated with provisioning security for the links that provide access to a network. Link security mechanisms are often developed specifically for the physical medium of that link. We also gave examples of how protocols such as EAP can be used to provide authentication and a secure channel between a client and the network over a generic link technology. Even so, methods such as EAP must be fitted tightly to the link technology that carries them. A bigger problem with link security mechanisms is that they protect only the link between the client and the device at the edge of the network (the network point of presence) and do not extend beyond that single hop. The following example demonstrates the problem that arises when link layer security mechanisms are used for generic communication scenarios.
Consider the case where the two communicating hosts A and B are four hops apart, i.e. separated by three routers. When only link layer security mechanisms are available, protection can be provided over a single link (between two neighboring nodes) at a time. In our example, this means that each of the hops 1, 2, 3, and 4 in Figure 4.1 must be secured individually, based on the trust relationship between the two nodes at the ends of that hop. When a packet travels from host A to host B, each receiving router on the path must first decrypt ...
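The scenario above, worked through in code as an added example (it is not from the book and does not reproduce Figure 4.1): a path A-R1-R2-R3-B with one key per link, where every router has to decrypt the packet before it can re-encrypt it for the next hop, compared against a single end-to-end key shared by A and B only. The node names, the payload, and the SHA-256-based stream cipher are all constructed for the illustration; the cipher stands in for a real AEAD so the script runs with the standard library alone and is not meant for production use.

```python
"""Hop-by-hop (link layer only) versus end-to-end protection on a four-hop path.

Constructed example: host A and host B are separated by three routers, so the
path A-R1-R2-R3-B has four links.  With link-layer-only security every link has
its own key and each router must decrypt the packet before forwarding it, so the
plaintext is exposed at every router.  With an end-to-end key held only by A and
B, the routers forward opaque bytes.
"""
import hashlib
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: SHA-256(key || nonce || counter) blocks XORed
    into the data.  A stand-in for a real cipher so the script has no
    third-party dependencies; not a production construction."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)            # fresh nonce for every packet
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, packet: bytes) -> bytes:
    return keystream_xor(key, packet[:NONCE_LEN], packet[NONCE_LEN:])


PATH = ["A", "R1", "R2", "R3", "B"]        # four hops, three routers (assumed names)


def make_link_keys(path):
    """One key per link: a pairwise trust relationship between neighbours only
    (A-R1, R1-R2, R2-R3, R3-B).  No node holds a key for a non-adjacent node."""
    return {(path[i], path[i + 1]): os.urandom(32) for i in range(len(path) - 1)}


def hop_by_hop_delivery(path, link_keys, plaintext):
    """Link-layer-only security.  Returns (payload received by the last node,
    set of nodes that handled the payload in the clear)."""
    exposed = {path[0]}                      # the sender holds the plaintext
    packet = encrypt(link_keys[(path[0], path[1])], plaintext)
    for i in range(1, len(path)):
        node = path[i]
        # Each receiving node must decrypt with the key of the incoming link ...
        clear = decrypt(link_keys[(path[i - 1], node)], packet)
        exposed.add(node)
        if node == path[-1]:
            return clear, exposed
        # ... and re-encrypt with the key of the outgoing link.  A compromised
        # or merely curious router sees the complete payload at this point.
        packet = encrypt(link_keys[(node, path[i + 1])], clear)
    raise RuntimeError("path must contain at least two nodes")


def end_to_end_delivery(path, e2e_key, plaintext):
    """End-to-end security.  The routers in path[1:-1] hold no key for this
    packet and forward the ciphertext unchanged, so only the endpoints see it."""
    exposed = {path[0], path[-1]}
    packet = encrypt(e2e_key, plaintext)     # routers relay these bytes as-is
    return decrypt(e2e_key, packet), exposed


def compare(plaintext=b"GET /account/balance HTTP/1.1"):
    """Run both models over the same path and report where plaintext was visible."""
    link_keys = make_link_keys(PATH)
    e2e_key = os.urandom(32)
    got_hbh, exposed_hbh = hop_by_hop_delivery(PATH, link_keys, plaintext)
    got_e2e, exposed_e2e = end_to_end_delivery(PATH, e2e_key, plaintext)
    assert got_hbh == got_e2e == plaintext   # both models deliver correctly
    return sorted(exposed_hbh), sorted(exposed_e2e)


if __name__ == "__main__":
    hbh, e2e = compare()
    print("hop-by-hop: plaintext visible at", hbh)
    print("end-to-end: plaintext visible at", e2e)
```

Both models deliver the payload intact; the difference is the trust boundary. Under hop-by-hop protection every router on the path is inside it and must be trusted with the payload, and a single compromised router anywhere on the path is enough to read or alter traffic. Under end-to-end protection the routers never hold a usable key, so their compromise affects availability but not confidentiality.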