ETSI-BSM work on Satellite Communication Network Security

Future Security Workshop: The threats, risks and opportunities
Sophia Antipolis, 16-17 January 2006

Dr. Haitham S Cruickshank
University of Surrey
h.cruickshank@surrey.ac.uk
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/
Presentation overview
• Introduction to BSM architecture.
• Threat analysis in BSM.
• Security architecture and various security scenarios.
• Some security challenges in BSM network such as PEPs and multicast.
• Conclusions and future plans in BSM WG.
Introduction to BSM STF283 - Security
• The ETSI Broadband Satellite Multimedia (BSM) working group aims to develop broadband satellite services based on complete interworking with the Internet Protocol (IP).
• An important feature of BSM is the Satellite Independent Service Access Point interface or SI-SAP interface:
  • This interface provides the BSM with a layer of abstraction for the lower layer functions
• Part of BSM STF 283 work focuses on the security architecture for BSM networks (ETSI TS 102 465).
Threats and security requirement in BSM networks
• Network threats: Including passive and active threats:
  • In satellite broadcast networks (such as BSM), passive attacks need particular attention, such as eavesdropping or monitoring of transmissions.
• Software threats: Many systems fail because of mistakes in software implementation.
• Hardware threats: All hardware systems including hosts (e.g. client stations), satellite terminals and network equipment (e.g. routers and firewalls) can provide a way of attack if not properly configured.
• Human threats: Insider and outsider attacks.
• BSM security deals with the above threats with the focus on networking issues.
BSM general architecture
[Figure: BSM protocol stack. IP layer functions: IPv4 and IPv6; IP Routing (IP Route Determination, Address Table); IP QoS Management; IP Security; IP Packet Forwarding. SIAF block above the SI-SAP: BSM Address Resolution, BSM Routing Adaptation, BSM Connection CTRL, BSM QoS Adaptation, BSM QoS Mgmt, BSM Security Mgmt. SI-SAP interface: SI-C-SAP, SI-U-SAP, SI-M-SAP. SDAF block below the SI-SAP: Segmentation/encapsulation, BSM Address Resolution, BSM Connection CTRL, BSM Resource Mgmt, BSM Security Mgmt. Satellite dependent lower layers: Satellite Data Unit Switching, Satellite Link Control (SLC), Satellite Medium Access Control (SMAC), Satellite Physical (SPHY).]
Architecture case 1: IPsec and security entities in BSM
[Figure: BSM ST side: Supplicant; Secure data handling (Encryption engine); BSM Local security manager holding SID, Keys; SI-U-SAP, SI-C-SAP, SI-M-SAP. BSM network in the middle. BSM Gateway side: Secure data handling (Encryption engine); BSM Network security manager holding SID, Keys; Authenticator; Authentication server holding SID, Keys; SI-U-SAP, SI-C-SAP, SI-M-SAP. User data privacy is provided between the two encryption engines. Legend: User data; Key data; Authorization data; ST local Key data.]
Architecture case 2: Mixed link layer security entities
[Figure: Host/User acting as Supplicant, attached to the BSM ST (BSM Local security manager with SID, Keys; Secure data handling (Encryption engine); SI-U-SAP, SI-C-SAP, SI-M-SAP). BSM network in the middle. BSM Gateway: Secure data handling (Encryption engine) with SID, Keys; Authenticator; Authentication server with SID, Keys; BSM Network security manager; BSM Billing entity; SI-U-SAP, SI-C-SAP, SI-M-SAP; attached to a Server. Legend: User data (encrypted); Key data; Authorization data; Clear text; ST local Key data.]
Challenges for using security with Performance Enhancing Proxies (PEPs)
• A Performance Enhancing Proxy (PEP, RFC 3135) is used to improve the performance of the Internet protocols on network paths where native TCP performance suffers due to characteristics of a link such as satellites.
• The most detrimental negative implication of PEPs is breaking the end-to-end semantics of a connection:
  • Therefore it disables end-to-end use of IPsec
• In BSM networks, PEPs should be used in the following configurations:
  • With Link layer security (such as DVB-RCS security)
  • With IPsec being performed closer to BSM ST/Gateway than the PEP
Suitable security associations for interworking with PEPs
[Figure: Host -> PEP -> ST with BSM security -> BSM network -> ST/Gateway with BSM security -> PEP -> Host. An end-to-end security association (e.g. application layer security) spans from host to host; a BSM security association (link layer or BSM IPsec security) spans from the ST to the ST/Gateway. Each PEP sits between a host and a BSM security endpoint, which gives successful PEP operations.]
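The placement rule on the two slides above (a TCP PEP only works when IPsec or link layer security terminates closer to the BSM ST/Gateway than the PEP, while application layer security can stay end to end) as an added Python model. This is example code, not part of the presentation or of any ETSI specification; the node names, the constructed path and the convention that a PEP co-located with a security association endpoint can still operate are assumptions of this example.

```python
"""Model of where a TCP PEP can sit relative to security associations.

Constructed example; the path and node names are not from the BSM slides.
"""
from dataclasses import dataclass

# Mechanisms that hide the TCP header from a node in the middle of their
# span. Application-layer security (e.g. TLS) leaves TCP headers in the
# clear, so a TCP PEP between its endpoints can still operate.
HIDES_TCP_HEADER = {"ipsec": True, "link_layer": True, "application": False}


@dataclass(frozen=True)
class SecurityAssociation:
    src: str
    dst: str
    mechanism: str  # "ipsec", "link_layer" or "application"


def pep_verdicts(path, sas, pep_nodes):
    """Return {pep_name: (works, reason)} for each PEP on the path.

    path: ordered node names from one host to the other.
    sas: security associations between two named nodes on the path.
    A PEP is broken when it lies strictly between the endpoints of an SA
    whose mechanism hides the TCP header. A PEP that is itself an SA
    endpoint sees plaintext on one side and is treated as working
    (assumption of this model).
    """
    index = {name: i for i, name in enumerate(path)}
    verdicts = {}
    for pep in pep_nodes:
        if pep not in index:
            raise ValueError(f"PEP {pep!r} is not on the path")
        p = index[pep]
        blocking = []
        for sa in sas:
            if sa.mechanism not in HIDES_TCP_HEADER:
                raise ValueError(f"unknown mechanism {sa.mechanism!r}")
            lo, hi = sorted((index[sa.src], index[sa.dst]))
            if HIDES_TCP_HEADER[sa.mechanism] and lo < p < hi:
                blocking.append(sa)
        if blocking:
            sa = blocking[0]
            verdicts[pep] = (False, f"inside {sa.mechanism} SA {sa.src}<->{sa.dst}: TCP header hidden")
        else:
            verdicts[pep] = (True, "TCP header visible: PEP can operate")
    return verdicts


# Constructed BSM path: host, PEP, ST, satellite network, gateway, PEP, host.
BSM_PATH = ["hostA", "pepA", "st", "bsm_network", "gateway", "pepB", "hostB"]
PEPS = ["pepA", "pepB"]

# Configuration recommended on the slide: BSM security association between
# ST and gateway (closer to the BSM than the PEPs) plus end-to-end
# application-layer security between the hosts.
RECOMMENDED = [
    SecurityAssociation("st", "gateway", "ipsec"),
    SecurityAssociation("hostA", "hostB", "application"),
]

# Configuration the slide warns about: IPsec end to end between the hosts,
# so both PEPs sit inside the encrypted span.
END_TO_END_IPSEC = [SecurityAssociation("hostA", "hostB", "ipsec")]


def recommended_works():
    return all(ok for ok, _ in pep_verdicts(BSM_PATH, RECOMMENDED, PEPS).values())


def end_to_end_ipsec_works():
    return all(ok for ok, _ in pep_verdicts(BSM_PATH, END_TO_END_IPSEC, PEPS).values())


if __name__ == "__main__":
    for name, sas in (("recommended", RECOMMENDED), ("end-to-end IPsec", END_TO_END_IPSEC)):
        print(name)
        for pep, (ok, reason) in pep_verdicts(BSM_PATH, sas, PEPS).items():
            print(f"  {pep}: {'OK' if ok else 'BROKEN'} ({reason})")
```

Running the block prints both PEPs as OK for the recommended layout and BROKEN for end-to-end IPsec; swapping the ST-to-gateway association to `"link_layer"` gives the same OK result, which is the DVB-RCS case on the slide.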
Challenges in Secure multicast over satellites
• Secure multicast is a difficult problem. There are many open issues:
  • IPsec with multicast between BSM security gateways
  • Key management architecture for large groups
  • Security policies creation and enforcement
  • Centralised versus distributed architectures
• BSM multicast security architecture will aim to provide a balanced solution between existing link layer (such as DVB-RCS) and network layer (such as IPsec) solutions:
  • Interactions through the SI-SAP interface have to be carefully thought through.
Secure Multicast architecture - Centralised
[Figure: a single Policy server (Multicast security policies) and a single Group Controller/Key Server (Group key management) serve the Sender and the Receiver; Multicast data handling runs between Sender and Receiver.]
Secure Multicast architecture - Distributed
[Figure: two Policy servers (Multicast security policies) and two Group Controller/Key Servers (Group key management); the Sender and two Receivers attach to them; Multicast data handling runs from Sender to Receivers.]
Liaison with EU IST projects
• The work in ETSI BSM on security will not be complete without full liaison with relevant IST projects:
  • The aim is to achieve co-ordination of work between BSM and these projects
• One example of such collaboration is the EU NoE called SATNEX project (Satellite Communications Network of Excellence).
• Other examples of EU projects are SATLIFE and SATSIX.
Conclusion
• Interworking with the IPsec and link layer security is critical for the success of BSM specifications.
• Security interactions through the BSM SI-SAP interface have been defined.
• There are future challenges in secure multicast over satellites:
  • Next phase in BSM security work will focus on multicast issues (New ETSI TS 102 466)
Extra slides
Architecture case 3: End-to-end security, transparent to BSM
[Figure: End user side: End user security manager; Supplicant; Secure data handling (Encryption engine), ahead of the BSM ST (SI-U-SAP, SI-C-SAP, SI-M-SAP). BSM network in the middle. BSM Gateway (SI-U-SAP, SI-C-SAP, SI-M-SAP), ahead of the End user/remote server security manager with Authenticator, Authentication server and Secure data handling (Encryption engine). User data privacy is provided end to end between the two encryption engines using BSM independent local Key data. Legend: User data; Key data; Authorisation data.]
Architecture case 4: link layer security, transparent to BSM
[Figure: BSM ST side: Supplicant; BSM Local security manager with SID, Policy; ST security manager; Secure data handling (Encryption engine); SI-U-SAP, SI-C-SAP, SI-M-SAP. BSM network in the middle. BSM Gateway side: BSM Network security manager with SID, Policy; BSM security manager; Authenticator; Authentication server; Secure data handling (Encryption engine); SI-U-SAP, SI-C-SAP, SI-M-SAP. Legend: User data; Key data; Authorisation data; ST local Key data.]
Interactions between security and QoS entities in BSM - 1
[Figure: BSM ST: Local BSM security manager, Local BSM QoS manager, Local BSM Address_res manager, Secure data handling (Encryption engine). BSM network carrying Encrypted data. BSM NCC/Gateway: BSM Network security manager, BSM Network QoS manager, BSM Network Address_res manager, Secure data handling (Encryption engine). Legend: Encrypted data; Local interactions.]
Interactions between security and QoS entities in BSM - 2
[Figure: the same entities with numbered interaction steps 1, 2 and 3; only the step numbers are legible.]
Interactions between security and Address management entities in BSM
[Figure: three layers of address association. IP LAYER (ISP & customer): IP subsets A1-A4, B1-B4 and C1-C4 with IP to IP associations (routing/bridging tables). SIAF (network access provider): IP to BSM_ID association, mapping the IP subsets onto BSM_ID Subset 1, 2 and 3 via Map subset 1, 2 and 3. SDAF (satellite network operator): BSM_ID to MAC association onto SATELLITE DEPENDENT IDs (SDIDs), e.g. MAC_Add; PIDs; Channel_ID. The exchanges between the layers are labelled Secure signalling.]