nanog mailing list archives
RE: RFID in datacenter (was Re: Default Passwords for World WidePackets/Lightning Edge Equipment)
From: "Brandon M. Lapointe" <brandon () shrader net>
Date: Wed, 13 Jan 2010 13:38:39 -0600
I have something akin to experience in this arena at least as it applies to the ambient RF environment and the security of the data transferred. As a matter of fact the two usually go hand in hand. The issue that I usually see is how to protect your new driver's license / passport / ID badge (with embedded RFID) from someone stopping next to you at a subway station with an RFID reader hidden in their briefcase, although densely populated CoLo's wouldn't be much different.

The preferred standard is usually the FIPS 201 standard and is deployed at 13.56 MHz, which ensures you have to be pretty darn near the transceiver to "get a read" but also makes the problem of ambient (RF) noise pretty much a non-issue. The issue arises in tags placed so close together that they are in the read field at the same time, causing multiple emitters in the same channel. Recent implementations have a built-in collision avoidance mechanism that eliminates the issue entirely in my testing (understanding channel contention for this exercise is at most dozens of transmitters, and wouldn't scale up to anything larger).

These same recent implementations use 3DES to secure the open-air channel, reducing prevalence of man-in-the-middle type attacks. Finally, it is common now to retrieve the encrypted contents of the RFID tags and require that a CA hierarchy validate both sides of the transaction prior to decryption, which can contain 4K in the data sectors or more.

Brandon L.

-----Original Message-----
From: George Imburgia [mailto:nanog () armorfirewall com]
Sent: Wednesday, January 13, 2010 12:52 PM
Cc: nanog () nanog org
Subject: RFID in datacenter (was Re: Default Passwords for World WidePackets/Lightning Edge Equipment)

On Wed, 13 Jan 2010, Barry Shein wrote:
The big advantage of RFIDs is that you don't need line of sight access like you do with bar codes, they use RF, radio frequency.
Which is also a big disadvantage in a datacenter. Ever tried to use a radio in one?
The RF noise generated by digital equipment seriously erodes signal quality. Considering the relatively weak signal returned from RFID tags, I'd be surprised if you'd get any kind of useful range.
Has anybody tried it out?
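The collision handling described in the message above, as an added example that is not part of the original post: a simplified simulation of bit-wise tree-walking anti-collision of the kind ISO/IEC 14443 Type A readers use. The message does not name the mechanism, so that choice is an assumption, and the UID width, function names and sample tags are constructed for illustration.

```python
import random

UID_BITS = 32  # assumption: 4-byte UIDs; the message gives no tag format

def first_collision(uids, nbits=UID_BITS):
    """Bit index (0 = MSB) where simultaneous answers disagree, else None."""
    for pos in range(nbits):
        shift = nbits - 1 - pos
        if len({(u >> shift) & 1 for u in uids}) > 1:
            return pos
    return None

def inventory(tags, nbits=UID_BITS):
    """Walk the UID tree; return (sorted UIDs read cleanly, reader queries)."""
    found, queries = [], 0
    stack = [(0, 0)]  # (prefix value, prefix length in bits)
    while stack:
        prefix, plen = stack.pop()
        queries += 1
        # Only tags whose UID starts with the broadcast prefix answer.
        answering = [u for u in tags if (u >> (nbits - plen)) == prefix]
        if not answering:
            continue  # empty field
        pos = first_collision(answering, nbits)
        if pos is None:
            found.append(answering[0])  # one clean answer: UID read
            continue
        # Answers agree up to `pos`; split the field on the colliding bit.
        common = answering[0] >> (nbits - pos)
        stack.append(((common << 1) | 1, pos + 1))
        stack.append((common << 1, pos + 1))
    return sorted(found), queries

def demo(n=24, seed=13):
    """Constructed sample: n random distinct UIDs in the field at once."""
    tags = random.Random(seed).sample(range(2 ** UID_BITS), n)
    return tags, inventory(tags)

if __name__ == "__main__":
    tags, (found, queries) = demo()
    print(f"{len(tags)} tags in field, {len(found)} read, {queries} queries")
```

Because the reader only branches where a collision was actually observed, n distinct tags cost 2n - 1 queries, so a field of a few dozen tags resolves in well under a hundred reader rounds.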