IEEE Std 802.10-1998 Proposed Revision Purpose, Scope & 5 Criteria

advertisement
IEEE Std 802.10-1998 Proposed
Revision
Purpose, Scope
& 5 Criteria
Purpose
The purpose of this PAR is to update the Secure
Data Exchange (SDE) Protocol specified in IEEE
Std 802.10-1998, to accommodate newly
identified security requirements for all current
802 MACs and delete unneeded header fields.
Scope
The scope of this PAR is to make changes to the format and
processing of SDE PDUs to:
– Accommodate replay protection
– Integrity protect the Destination MAC address
– Integrity protect additional header fields, particularly the
VLAN tag, as needed
The current PDU format and processing will have to be modified to
incorporate a sequence number; the DA will have to be included
in the computation of the ICV, and; the VLAN tag (and any other
required header fields) will be included in the computation of the
ICV, if protection is required by VLAN tagging rules (which are to
be specified).
In addition, an informative annex will be developed that discusses
various scenarios for securing Layer 2 bridged networks and a
normative annex will be developed that defines an SDE profile
specifying a single interoperable SDE configuration that must be
supported by all vendors claiming conformance to the revised
SDE specification.
SDE Header Format Modifications
INTEGRITY PROTECTED
ENCRYPTED
DA SA
CLEAR
HEADER
Current Format
SDE
SAID MDF
Des
PROTECTED
HEADER
DATA
PAD
ICV
STA
FRAG SEC
FLAGS
ID
ID LABEL
INTEGRITY PROTECTED
ENCRYPTED
DA SA
VLAN
TAG
Revised Format
SAID
CLEAR
HEADER
SEQ
MDF
NO.
PROTECTED
HEADER
Pload
FLAGS
EType
DATA
FRAG SEC
ID LABEL
PAD
ICV
5 Criteria
Broad Market Potential
1.
2.
3.
Broad sets of applicability
Multiple vendors & numerous users
Balanced costs (LAN vs attached stations)
1. Security is applicable to most personal and business environments that utilize
802 Layer 2 products. Increased security awareness in the general user
population has dramatically increased the demand for security in networks
composed of 802 Layer 2 products.
2. Several hundred people representing more than a hundred companies attend
various 802 working groups that require security support in their products.
These currently include 802.3 (P2P & P2MP), 802.11 (WLAN), 802.15 (WPAN),
802.16 (WMAN), 802.17 (RPR), & 802.20 (MBWA).
3. Layer 2 security can be implemented in either LAN devices or attached
stations. Implementation of security in bridges is the most cost effective
method, since many attached stations can be supported by a single bridge.
Compatibility

The proposed revisions to IEEE Std 802.10-1998 are compatible
with all current 802 MAC and bridging standards

There are no implementations of 802.10-1998, therefore
backwards compatibility is not an issue

Revisions to 802.10-1998 will conform with 802 Overview &
Architecture and 802 layer management, as appropriate
Distinct Identity
1.
2.
3.
Substantially different from other IEEE standards
One unique solution per problem
Easy for the document reader to select the relevant specification
1. There are no other 802-wide security standards. 802.11i security work is specific
to 802.11 products, and is not intended to be a generic solution for all 802 MACs.
PARs produced by the LinkSec ECSG will either support this effort, or be entirely
distinct from it, but will not duplicate any of 802.10’s work.
2. The goal of the revisions to 802.10-1998 is to provide a unique security
solution that is applicable to all 802 MAC and bridging Standards.
3. The proposed effort is a revision to 802.10-1998, which will have a distinct
document revision number (probably IEEE Std 802.10-2004)
Technical Feasibility
1.
2.
3.
Demonstrated system feasibility
Proven technology, reasonable testing
Confidence in reliability
1. Technological revisions to 802.10-1998 are simple and straight-forward.
Similar constructs are being used in a variety of products and other
standards efforts today.
2. Products supporting Internet standards that incorporate similar
technology have been sold world-wide and have been thoroughly tested
in the field.
3. As with many security Standards, reference implementations will have
to be constructed to which compliance must be proven in order to
achieve the necessary confidence.
Economic Feasibility
1.
2.
3.
Known cost factors, reliable data
Reasonable cost for performance
Consideration of installation costs
1. The goal of this project is to create a Layer 2 security mechanism that
balances the cost of implementing data security with the cost and
performance of the access technology.
2. Security mechanisms have been incorporated in Layers 2, 3, 4, and 7 at a
reasonable cost increment, in terms of both dollars and throughput.
3. Any Layer 2 security mechanism may require additional infrastructure,
depending on the type of key management mechanism selected. This
translates into additional installation cost for equipment, software,
and/or administration.
Download