ETSI-BSM work on Satellite Communication Network Security
Future Security Workshop: The threats, risks and opportunities
Sophia Antipolis, 16-17 January 2006
Dr. Haitham S Cruickshank, University of Surrey
h.cruickshank@surrey.ac.uk
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/

Slide 2: Presentation overview
• Introduction to BSM architecture.
• Threat analysis in BSM.
• Security architecture and various security scenarios.
• Some security challenges in BSM networks such as PEPs and multicast.
• Conclusions and future plans in the BSM WG.

Slide 3: Introduction to BSM STF283 - Security
• The ETSI Broadband Satellite Multimedia (BSM) working group aims to develop broadband satellite services based on complete interworking with the Internet Protocol (IP).
• An important feature of BSM is the Satellite Independent Service Access Point (SI-SAP) interface:
  • This interface provides the BSM with a layer of abstraction for the lower layer functions.
• Part of the BSM STF 283 work focuses on the security architecture for BSM networks (ETSI TS 102 465).

Slide 4: Threats and security requirements in BSM networks
• Network threats, including passive and active threats:
  • In satellite broadcast networks (such as BSM), passive attacks need particular attention, such as eavesdropping or monitoring of transmissions.
• Software threats: many systems fail because of mistakes in software implementation.
• Hardware threats: all hardware systems, including hosts (e.g. client stations), satellite terminals and network equipment (e.g. routers and firewalls), can provide a way of attack if not properly configured.
• Human threats: insider and outsider attacks.
• BSM security deals with the above threats with the focus on networking issues.
Slide 5: BSM general architecture
[Figure: BSM protocol architecture. Labels recoverable from the diagram: IPv4 and IPv6; IP Routing; IP Route Determination; Address Table; BSM Address Resolution; BSM Routing Adaptation; IP QoS Management; BSM Connection CTRL; BSM QoS Adaptation; IP Security; BSM QoS Mgmt; BSM Security Mgmt; SIAF; IP Packet Forwarding; SI-C-SAP; SI-U-SAP; SI-M-SAP; Segmentation/encapsulation; SDAF; Satellite Data Unit Switching; Satellite Link Control (SLC); Satellite Medium Access Control (SMAC); Satellite Physical (SPHY); BSM Resource Mgmt.]

Slide 6: Architecture case 1: IPsec and security entities in BSM
[Figure: Supplicant and Secure data handling (Encryption engine) at the BSM ST, with a BSM Local security manager holding SID and Keys; SI-U-SAP, SI-C-SAP and SI-M-SAP between the ST and the BSM network; BSM Gateway with Secure data handling (Encryption engine), BSM Network security manager (SID, Keys), Authenticator and Authentication server; "User data privacy" marked at both ends. Legend: User data; Key data; Authorization data; ST local Key data.]

Slide 7: Architecture case 2: Mixed link layer security entities
[Figure: Host/User as Supplicant; BSM Local security manager (SID, Keys) and Secure data handling (Encryption engine) at the BSM ST; SI-U-SAP, SI-C-SAP and SI-M-SAP; BSM Gateway with Secure data handling (Encryption engine), Authenticator, Authentication server, BSM Network security manager, Server and BSM Billing entity. Legend: User data (encrypted); Key data; Authorization data; Clear text; ST local Key data.]

Slide 8: Challenges for using security with Performance Enhancing Proxies (PEPs)
• A Performance Enhancing Proxy (PEP, RFC 3135) is used to improve the performance of the Internet protocols on network paths where native TCP performance suffers due to characteristics of a link such as
satellites.
• The most detrimental implication of PEPs is that they break the end-to-end semantics of a connection:
  • Therefore a PEP disables end-to-end use of IPsec.
• In BSM networks, PEPs should be used in the following configurations:
  • With link layer security (such as DVB-RCS security).
  • With IPsec being performed closer to the BSM ST/Gateway than the PEP.

Slide 9: Suitable security associations for interworking with PEPs
[Figure: Host-to-Host end-to-end security association (e.g. application layer security); a PEP on each side of the BSM network, marked "Successful PEP operations"; ST with BSM security and ST/Gateway with BSM security; BSM security association (link layer or BSM IPsec security) across the BSM network.]

Slide 10: Challenges in secure multicast over satellites
• Secure multicast is a difficult problem. There are many open issues:
  • IPsec with multicast between BSM security gateways.
  • Key management architecture for large groups.
  • Security policy creation and enforcement.
  • Centralised versus distributed architectures.
• The BSM multicast security architecture will aim to provide a balanced solution between existing link layer (such as DVB-RCS) and network layer (such as IPsec) solutions:
  • Interactions through the SI-SAP interface have to be carefully thought through.

Slide 11: Secure multicast architecture - Centralised
[Figure: Policy server (multicast security policies); Group Controller/Key Server (group key management); Sender and Receiver (multicast data handling).]

Slide 12: Secure multicast architecture - Distributed
[Figure: two Policy servers (multicast security policies); two Group Controller/Key Servers (group key management); Sender and two Receivers (multicast data handling).]

Slide 13: Liaison with EU IST projects
• The work in ETSI BSM on security will not be complete without full liaison with relevant IST projects:
  • The aim is to achieve co-ordination of work between BSM and these projects.
• One example of such collaboration is the EU NoE called SATNEX (Satellite Communications Network of Excellence).
• Other examples of EU projects are SATLIFE and SATSIX.
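The placement rule on the PEP slide (a PEP needs the TCP header in clear, so IPsec must sit between the PEP and the satellite, or link layer security must be used) can be checked with a small path model. This is an added example, not code from the ETSI deck; the names Segment, SplitTcpPep and run_path and the four placement labels are this example's own, and the "listener" classification is a simplification of what ESP and link layer protection hide from passive monitoring of the satellite transmission.

```python
"""Where security sits relative to a TCP PEP on a BSM path (constructed example, not ETSI code).

A split-connection PEP (RFC 3135 style) must read and act on TCP headers. One segment is walked
host -> PEP -> satellite terminal (ST) -> satellite link, and the model reports whether the PEP
could operate and what passive monitoring of the satellite link would expose, for each placement
of the security function discussed on the PEP slide.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    src: str
    dst: str
    tcp: Optional[dict]              # TCP header, or None once hidden by ESP
    payload: bytes
    esp: bool = False                # IPsec ESP applied: TCP header and payload are ciphertext
    link_protected: bool = False     # link layer security (DVB-RCS style) on the satellite hop


class SplitTcpPep:
    """Minimal PEP: it can handle a flow only if the TCP header is readable in clear."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.flows_handled = 0

    def process(self, seg: Segment) -> bool:
        if seg.esp or seg.tcp is None:
            return False             # header is ciphertext: no local ACKs or retransmissions
        self.flows_handled += 1
        return True


def apply_esp(seg: Segment) -> None:
    """Stand-in for ESP encapsulation: the transport header and payload become opaque."""
    seg.esp = True
    seg.tcp = None


def what_a_listener_sees(seg: Segment) -> str:
    """What passive monitoring of the satellite transmission would expose for this segment."""
    if seg.link_protected:
        return "nothing above the link layer"
    if seg.esp:
        return "IP header only"
    return "IP and TCP headers plus payload"


PLACEMENTS = ("none", "host_ipsec", "st_ipsec", "link_layer")


def run_path(placement: str) -> dict:
    """Send one segment for a given security placement (labels are this example's own).

    host_ipsec : IPsec applied at the host, i.e. before the PEP (end-to-end IPsec)
    st_ipsec   : IPsec applied at the ST/Gateway, i.e. closer to the satellite than the PEP
    link_layer : link layer security applied at the ST
    none       : no security on the path (baseline)
    """
    if placement not in PLACEMENTS:
        raise ValueError(f"unknown placement {placement!r}")
    # Constructed sample segment.
    seg = Segment("hostA", "hostB", {"seq": 1, "ack": 0, "flags": "PSH"}, b"GET / HTTP/1.0")
    pep = SplitTcpPep("pep-host-side")

    if placement == "host_ipsec":        # host encrypts before the PEP sees the segment
        apply_esp(seg)
    pep_ok = pep.process(seg)            # the PEP sits between the host and the ST
    if placement == "st_ipsec":          # ST/Gateway applies IPsec after the PEP
        apply_esp(seg)
    elif placement == "link_layer":      # ST applies link layer security after the PEP
        seg.link_protected = True

    return {
        "placement": placement,
        "pep_operates": pep_ok,
        "satellite_link_protected": seg.esp or seg.link_protected,
        "listener_sees": what_a_listener_sees(seg),
    }


def summarise() -> dict:
    """Outcome for every placement; the acceptable ones are those where the PEP operates
    and the satellite link is still protected."""
    return {p: run_path(p) for p in PLACEMENTS}


if __name__ == "__main__":
    for p, r in summarise().items():
        print(f"{p:11s} PEP operates={r['pep_operates']!s:5s} "
              f"link protected={r['satellite_link_protected']!s:5s} "
              f"listener sees: {r['listener_sees']}")
```

Only `st_ipsec` and `link_layer` come out with both the PEP working and the satellite hop protected, which is the pair of configurations the slide recommends; `host_ipsec` protects the link but defeats the PEP, and `none` keeps the PEP but leaves the broadcast transmission open to the passive monitoring the threat slide highlights.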
Slide 14: Conclusion
• Interworking with IPsec and link layer security is critical for the success of the BSM specifications.
• Security interactions through the BSM SI-SAP interface have been defined.
• There are future challenges in secure multicast over satellites:
  • The next phase of BSM security work will focus on multicast issues (new ETSI TS 102 466).

Slide 15: Extra slides

Slide 16: Architecture case 3: End-to-end security, transparent to BSM
[Figure: Supplicant with Secure data handling (Encryption engine) and End user security manager on the user side; BSM ST, SI-U-SAP, SI-C-SAP, SI-M-SAP, BSM network and BSM Gateway in between; Authentication server, Authenticator, Secure data handling (Encryption engine) and End user/remote server security manager on the remote side; "User data privacy" marked end to end. Legend: User data; Key data; BSM independent local Key data; Authorisation data.]

Slide 17: Architecture case 4: Link layer security, transparent to BSM
[Figure: Supplicant, BSM Local security manager, ST security manager (SID, Policy) and Secure data handling (Encryption engine) at the BSM ST; SI-U-SAP, SI-C-SAP, SI-M-SAP and BSM network; BSM Gateway with Secure data handling (Encryption engine), BSM security manager, BSM Network security manager (SID, Policy), Authenticator and Authentication server. Legend: User data; Key data; Authorisation data; ST local Key data.]

Slide 18: Interactions between security and QoS entities in BSM - 1
[Figure: at the BSM ST, Local BSM security manager, Local BSM QoS manager, Local BSM Address_res manager and Secure data handling (Encryption engine); at the BSM NCC/Gateway, BSM Network security manager, BSM Network QoS manager, BSM Network Address_res manager and Secure data handling (Encryption engine); encrypted data crosses the BSM network between them. Legend: Encrypted data; Local interactions.]

Slide 19: Interactions between security and QoS entities in BSM - 2
[Figure: interactions numbered 1, 2 and 3; no other labels recoverable.]

Slide 20: Interactions between security and address management entities in BSM
[Figure: IP layer (ISP & customer): IP subsets A1-A4, B1-B4 and C1-C4, with IP to IP associations (routing/bridging tables) and secure signalling. SIAF (network access provider): IP to BSM_ID association, giving BSM_ID Subset 1, 2 and 3 via Map subset 1, 2 and 3. SDAF (satellite network operator): BSM_ID to MAC association, onto Satellite Dependent IDs (SDIDs), e.g. MAC_Add, PIDs, Channel_ID.]
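The centralised Group Controller/Key Server of slide 11, and the "key management for large groups" issue listed on slide 10 and carried into the conclusion, can be made concrete with a minimal GCKS that rekeys the group on every join and leave. This is an added example and not code from the ETSI BSM work or TS 102 466; the classes GroupControllerKeyServer and Member, the seal/open_ primitive and the per-member KEK (assumed to come out of the member's authentication) are this example's own, and the primitive is an HMAC-SHA256 keystream with an HMAC tag, a teaching stand-in for a real AEAD such as AES-GCM.

```python
"""Centralised Group Controller/Key Server for secure multicast (constructed example).

Not ETSI BSM code. Each authenticated member shares a pairwise key-encryption key (KEK) with the
GCKS; the GCKS picks a fresh group key on every membership change and wraps it once per remaining
member, so a departed member cannot read later traffic and a newcomer cannot read earlier traffic.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (teaching stand-in for a block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, encrypt-then-MAC."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_(key: bytes, blob: bytes):
    """Plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class GroupControllerKeyServer:
    """Holds one KEK per authenticated member plus the current group key and epoch."""

    def __init__(self) -> None:
        self.members = {}                      # member_id -> KEK
        self.group_key = secrets.token_bytes(32)
        self.epoch = 0

    def _rekey(self) -> dict:
        self.group_key = secrets.token_bytes(32)
        self.epoch += 1
        # Naive rekey message: the new group key wrapped under each remaining member's KEK.
        return {mid: seal(kek, self.group_key) for mid, kek in self.members.items()}

    def join(self, member_id: str, kek: bytes) -> dict:
        self.members[member_id] = kek
        return self._rekey()                   # backward secrecy for the newcomer

    def leave(self, member_id: str) -> dict:
        self.members.pop(member_id)
        return self._rekey()                   # forward secrecy against the departed member


class Member:
    def __init__(self, member_id: str) -> None:
        self.member_id = member_id
        self.kek = secrets.token_bytes(32)     # assumed established during authentication
        self.group_key = None

    def process_rekey(self, rekey_msg: dict) -> bool:
        blob = rekey_msg.get(self.member_id)
        key = open_(self.kek, blob) if blob is not None else None
        if key is None:
            return False                       # nothing addressed to us, or tampered
        self.group_key = key
        return True

    def receive(self, protected: bytes):
        return None if self.group_key is None else open_(self.group_key, protected)


def sender_protect(gcks: GroupControllerKeyServer, payload: bytes) -> bytes:
    """The multicast sender protects data under the current group key."""
    return seal(gcks.group_key, payload)


def demo() -> dict:
    """Two members join, both read; one leaves; only the remaining member reads afterwards."""
    gcks = GroupControllerKeyServer()
    alice, bob = Member("alice"), Member("bob")
    for m in (alice, bob):
        msg = gcks.join(m.member_id, m.kek)
        for r in (alice, bob):
            r.process_rekey(msg)               # a member not yet joined finds no entry
    before = sender_protect(gcks, b"epoch-2 data")
    both_read = (alice.receive(before) == b"epoch-2 data"
                 and bob.receive(before) == b"epoch-2 data")
    msg = gcks.leave("bob")
    alice.process_rekey(msg)
    bob_got_key = bob.process_rekey(msg)       # False: no wrapped key addressed to bob
    after = sender_protect(gcks, b"epoch-3 data")
    return {
        "both_read_before_leave": both_read,
        "bob_got_new_key": bob_got_key,
        "alice_reads_after_leave": alice.receive(after) == b"epoch-3 data",
        "bob_reads_after_leave": bob.receive(after) is not None,
        "epoch": gcks.epoch,
    }


if __name__ == "__main__":
    print(demo())
```

The rekey message here grows linearly with group size, which is exactly why the deck lists key management for large groups as an open issue; hierarchical schemes such as LKH (RFC 2627) cut the per-change cost to logarithmic in the group size, and the distributed variant on slide 12 spreads the same role over several GCKSs that must agree on policy and on the current epoch.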