ESA UNCLASSIFIED – For Official Use Network Layer Security - Food for Thought D. Fischer, I Aguilar-Sanchez CCSDS Fall Meetings

Post on 03-Jan-2016


Slide 1

Network Layer Security - Food for Thought

D. Fischer, I. Aguilar-Sanchez | CCSDS Fall Meetings

Slide 2

Space Mission Network Architecture

Slide 3

E2e Security – Network Security Objectives (1/2)

1. Protection of Service Data Unit (SDU)

a. Integrity (message)/authentication (data origin),

b. Confidentiality,

c. Availability.

Some key questions:

Which is the SDU to be protected?

– Space Packet,

– other?

Which other Protocol Data Units (PDUs) need protection?

Unicast, multicast, broadcast?

Slide 4

E2e Security – Network Security Objectives (2/2)

2. Protection of Communications Path

a. Integrity

– Routing information, its generation, its transmission (if not inferred by routers);

– PDU including routing support data (source address, end point address) as part of protocol stack supporting SDU transmission through the network;

– Routing/forwarding process at routers.

b. Confidentiality

– Hidden routing information and SDU routing support data?

c. Availability

– Radio links (physical layer / data link layer security in addition to E2e);

– Node processors.

Slide 5

ISO/OSI Protocol Layer Analysis

[Figure: the ISO/OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) set against the CCSDS layers (ECSS PUS; CCSDS Network/Packet Layer, IP Encapsulation, DTN; Data Link Protocol Sublayer; Synchronization and Channel Coding Sublayer), with the security mechanism available at each: SDLS at the data link layer, IPSec with the CCSDS IPSec Adaptation Profile for IP traffic, and the proposed Space Packet Security at the CCSDS Network/Packet Layer.]

Slide 6

Space Packet Security – Multi Hop End to End Capability

[Figure: a multi-hop path in which each link is protected at the data link layer by SDLS, intermediate nodes take the routing decision at the network layer, and Network Layer Security spans end to end across all hops.]

Slide 7

CCSDS Network Layer Capabilities –Basic Principles

1. Addressing and Routing

a. Network Layer Addressing Scheme: Application Id (APID) (not unique; maybe APID + Spacecraft ID)

– Addressing scheme allows routing capabilities

– Routing algorithm specification? Currently assumed hardcoded routing tables

2. Packet Grouping

a. Group flags allow grouping of packets (indication that these packets belong together)

– Implication on routing?

3. Sequence Counter

a. Associated with APID: a counter for each application, not for packet sequences in general

Slide 8

Space Packet Structure - Relevant Fields

[Figure: the Space Packet fields relevant to security: addressing, sequence management (Sequence Counter), and application layer information (e.g. PUS services).]

Slide 9

Space Packet Security – General Arguments

1. Why?

a. Allows better end-to-end security (identification via SCID+APID)

– Support of individual security sensitive components and payloads

– Easier support for user end-to-end security

b. Allows end-to-end security routing with a SC as intermediate node

– Two possible options:

– Forwarding of encrypted packets in other packets (compare: IPSec Tunnel Mode) SDLS?

– Forwarding of the packet using packet header information (compare: IPSec Transport Mode)

2. Why Not?

a. Application Layer Security (e.g. PUS or MO Services/ DTN) may provide a better leverage on end-to-end security

– However, it would probably not be as interoperable

b. Not sure that any mission so far has expressed interest in this

– But the use case setup (multihop SC comms) is not a widely distributed scenario

Slide 10

Secure routing (1/2)

1. Authentication

o Common authentication key

Key management issue with distributed routers

– Network blockage if router fails to synchronize key

o Data payload for authentication

As a minimum covering relevant networking PDU

– Also driven by cryptographic algorithm (e.g. block size)

– Could include the packet header as well (two authentication modes as well)

o Anti-replay

Counters not necessarily synchronized.

Counter validation check:

– Only greater than previous value.

Residual risks, like

– Replay in a different path.

– Use of time and a common time base (full sync) to avoid acceptance of replayed packets.
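As an added illustration (not from the original slides) of slides 7, 9 and 10 together: a Python sketch that identifies a flow by SCID+APID, verifies an authentication tag in either of the two coverage modes (payload only, or header plus payload) and applies the "only greater than previous value" counter check. It goes beyond the slides in handling wrap-around of the 14-bit space packet sequence count (CCSDS 133.0-B); the HMAC-SHA256 tag, the tag length and the forward window are assumptions, since the slides leave the algorithm open.

```python
import hashlib
import hmac
import struct

SEQ_MODULUS = 1 << 14      # space packet sequence count is a 14-bit field (CCSDS 133.0-B)
FORWARD_WINDOW = 1 << 13   # assumed: a count may jump at most this far ahead of the last one
TAG_LEN = 16               # assumed: truncated HMAC-SHA256 tag appended to the data field


def _tag(key, header, payload, mode):
    # The two authentication modes from slide 10: cover the SDU only, or the header too.
    covered = payload if mode == "payload" else header + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(apid, seq_count, payload, key, mode="payload"):
    """Space packet: 6-byte primary header + payload + authentication tag."""
    word0 = apid & 0x7FF                            # version 0, type TM, no secondary header
    word1 = (3 << 14) | (seq_count % SEQ_MODULUS)   # sequence flags 3 = unsegmented
    length = len(payload) + TAG_LEN - 1             # packet data length field is "minus one"
    header = struct.pack(">HHH", word0, word1, length)
    return header + payload + _tag(key, header, payload, mode)


def parse_header(pkt):
    word0, word1, length = struct.unpack(">HHH", pkt[:6])
    return {"apid": word0 & 0x7FF, "seq_count": word1 & 0x3FFF, "data_len": length + 1}


def verify_packet(state, scid, pkt, key, mode="payload"):
    """Return (accepted, reason). state maps (scid, apid) -> last accepted sequence count,
    because APID alone is not unique across spacecraft (slides 7 and 9)."""
    if len(pkt) < 6 + TAG_LEN:
        return False, "truncated packet"
    hdr = parse_header(pkt)
    header, payload, tag = pkt[:6], pkt[6:-TAG_LEN], pkt[-TAG_LEN:]
    if len(pkt) - 6 != hdr["data_len"]:
        return False, "length mismatch"
    if not hmac.compare_digest(tag, _tag(key, header, payload, mode)):
        return False, "bad authentication tag"
    flow = (scid, hdr["apid"])
    last = state.get(flow)
    if last is not None:
        # "Only greater than previous value", evaluated modulo 2^14 so a wrap from
        # 16383 to 0 is still forward; distance 0 is a replay of the last packet.
        distance = (hdr["seq_count"] - last) % SEQ_MODULUS
        if distance == 0 or distance > FORWARD_WINDOW:
            return False, "replayed or stale sequence count"
    state[flow] = hdr["seq_count"]
    return True, "ok"
```

With payload-only coverage a modified header still carries a valid tag, which is the argument for the header-plus-payload mode on slide 10.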

Slide 11

Secure routing (2/2)

2. Confidentiality

o It could imply link-by-link encryption (e.g. data link security using SDLS in all involved links) in addition to E2e.

o An alternative??: common security association, shared by routers, providing confidentiality to such data (same as authentication).

PDU including routing data is ciphered with a common key shared by all routers.

Key management issue with distributed routers

– Network blockage if router fails to synchronize key

o Data payload for ciphering

As a minimum covering relevant networking PDU

– Also driven by cryptographic algorithm (e.g. block size)

Slide 12

Network Layer Security – Some Open Questions

1. Security and Routing - Is there a possible interaction that we will have to be aware of?

a. What if two packets take different paths and the sequence numbers are not accurate anymore? -> How does this affect security?

b. Intermediate Hop Authentication? Packets could be authenticated by intermediate nodes

2. Interaction with SLE protocols?

a. F-CLTU should work properly

b. F-SP should work properly, if no header fields are encrypted

c. R-AF/R-CF/R-OCF should work properly

d. Side note: SLE protection?

Slide 13

ESA Ground Segment Architecture – Everything based on packets

[Figure: TM flow: TM packets are prepared and passed to S2K, which 1) amends TM packets, 2) archives TM packets, 3) processes TM packets for the MCS; amended TM packets go to the Packet Archive and to permanent storage. TC flow: the MCS 1) creates TC packets, 2) archives TC packets, 3) dispatches TC packets; S2K processes the TC packets, which go to the Packet Archive and to permanent storage as amended TC packets.]

Note: S2K = SCOS-2000 is the ESA Mission Control System (MCS)

Slide 14

Ground Segment Analysis/ESA

1. Network Layer Security meets a functional gap in ESA ground segment security

2. (Amended) space packets are THE data structure in which all TC & TM information is stored and archived on ground

a. S2K packet = Space Packet + S2K Header (including e.g. ground reception timestamp)

3. This means that network layer security

a. Enables (selective) security of long-time packet archives

b. Could enable selective display of TM packets (e.g. only the security unit expert would be able to see security unit HK TM on his console)

c. Enables forwarding of secured packets to third-parties without need to add security again (e.g. Eumetsat) and potentially without ESA having the capability to access their contents

Slide 15

ESA Ground Segment/S2K Processing

[Figure: the S2K processing chain. The Ground Station and the Network Interface System exchange CLTUs or packets over SLE F-CLTU (F-SP) and TM frames over SLE R-AF/R-CF/R-OCF; on the S2K side the Generic Packetiser, Command Releaser, Commanding Sources, Monitoring Applications and Packet Archive exchange S2K Packets.]