ESA UNCLASSIFIED – For Official Use
Network Layer Security - Food for Thought
D. Fischer, I. Aguilar-Sanchez | CCSDS Fall Meetings
D. Fischer, I Aguilar-Sanchez | CCSDS Fall Meetings | Slide 2
Space Mission Network Architecture
E2e Security – Network Security Objectives (1/2)
1. Protection of Service Data Unit (SDU)
a. Integrity (message)/authentication (data origin),
b. Confidentiality,
c. Availability.
Some key questions:
Which is the SDU to be protected?
– Space Packet,
– other?
Which other Protocol Data Units (PDUs) need protection?
Unicast, multicast, broadcast?
E2e Security – Network Security Objectives (2/2)
2. Protection of Communications Path
a. Integrity
– Routing information, its generation, its transmission (if not inferred by routers);
– PDU including routing support data (source address, end point address) as part of protocol stack supporting SDU transmission through the network;
– Routing/forwarding process at routers.
b. Confidentiality
– Hidden routing information and SDU routing support data?
c. Availability
– Radio links: physical layer / data link layer security in addition to E2e;
– Node processors.
ISO/OSI Protocol Layer Analysis
[Figure: the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) mapped against the CCSDS layers and the security mechanism available at each.]
– Application: ECSS PUS
– Network: CCSDS Network/Packet Layer, IP Encapsulation, DTN; IPSec and the CCSDS IPSec Adaptation Profile cover IP traffic; Space Packet Security! (the subject of this presentation)
– Data Link: Data Link Protocol Sublayer (secured by SDLS); Synchronization and Channel Coding Sublayer
– Physical
Space Packet Security – Multi Hop End to End Capability
[Figure: three nodes in a chain, each with a Network Layer above its Data Link Layer(s). SDLS secures each link separately, hop by hop; Network Layer Security spans end to end, across the intermediate node where the routing decision is taken at network layer.]
CCSDS Network Layer Capabilities – Basic Principles
1. Addressing and Routing
a. Network Layer Addressing Scheme: Application Id (APID) (not unique, maybe APID + Spacecraft ID)
– Addressing scheme allows routing capabilities
– Routing algorithm specification? Currently assumed hardcoded routing tables
2. Packet Grouping
a. Group Flags allow grouping of packets: indication that these packets belong together
– Implication on routing?
3. Sequence Counter
a. Associated with APID: a counter for each application, not for packet sequences in general
Space Packet Structure – Relevant Fields
[Figure: Space Packet layout with the security-relevant fields highlighted: Addressing (APID), Sequence Management (sequence flags and Sequence Counter), and the application-layer information carried in the data field, e.g. PUS services.]
Space Packet Security – General Arguments
1. Why?
a. Allows better end-to-end security (identification via SCID+APID)
– Support of individual security sensitive components and payloads
– Easier support for user end-to-end security
b. Allows end-to-end security routing with a SC as intermediate node
– Two possible options:
– Forwarding of encrypted packets in other packets (compare: IPSec Tunnel Mode) SDLS?
– Forwarding of the packet using packet header information (compare: IPSec Transport Mode)
2. Why Not?
a. Application Layer Security (e.g. PUS or MO Services/ DTN) may provide a better leverage on end-to-end security
– However, it would probably be much less interoperable
b. Not sure that any mission so far has expressed interest in this
– But the use case setup (multihop SC comms) is not a widely distributed scenario
Secure routing (1/2)
1. Authentication
o Common authentication key
– Key management issue with distributed routers
– Network blockage if a router fails to synchronize the key
o Data payload for authentication
– As a minimum covering the relevant networking PDU
– Also driven by the cryptographic algorithm (e.g. block size)
– Could include the packet header as well (two authentication modes)
o Anti-replay
– Counters not necessarily synchronized
– Counter validation check: only greater than previous value
– Residual risks, like replay on a different path
– Use of time and a common time base (full sync) to avoid acceptance
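The following is an added worked example, not code from this presentation or from any CCSDS/ESA implementation. It ties together the Space Packet fields of slides 7 and 8 (APID, sequence flags, sequence counter) with the two authentication modes and the "only greater than previous value" anti-replay rule of slide 10, and it also shows what happens in the slide 12 open question 1a, when a packet arrives after a later one because it took a different path. The 6-octet primary header layout follows the published Space Packet Protocol (CCSDS 133.0-B); the 16-octet truncated HMAC-SHA256 tag, the demo key, the placement of the tag at the end of the packet and the per-(SCID, APID) replay table are assumptions of this example, not something the slides specify.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # assumption: truncated HMAC-SHA256 tag appended after the data field


def build_primary_header(apid, seq_count, data_len, version=0, pkt_type=0,
                         sec_hdr_flag=0, seq_flags=3):
    """Pack the 6-octet Space Packet primary header (CCSDS 133.0-B layout):
    version(3) type(1) sec_hdr_flag(1) APID(11) | seq_flags(2) seq_count(14) | length(16).
    The length field carries (number of octets in the data field) - 1."""
    if not 0 <= apid < 2048 or not 0 <= seq_count < 16384 or data_len < 1:
        raise ValueError("field out of range")
    word1 = (version << 13) | (pkt_type << 12) | (sec_hdr_flag << 11) | apid
    word2 = (seq_flags << 14) | seq_count
    return struct.pack(">HHH", word1, word2, data_len - 1)


def parse_primary_header(pkt):
    """Unpack the header fields the slides flag as security-relevant."""
    if len(pkt) < 6:
        raise ValueError("packet shorter than primary header")
    word1, word2, length = struct.unpack(">HHH", pkt[:6])
    return {
        "version": word1 >> 13,
        "type": (word1 >> 12) & 1,
        "sec_hdr_flag": (word1 >> 11) & 1,
        "apid": word1 & 0x7FF,
        "seq_flags": word2 >> 14,
        "seq_count": word2 & 0x3FFF,
        "data_len": length + 1,
    }


def auth_tag(key, pkt, cover_header):
    """The two authentication modes of slide 10: MAC over the data field only,
    or over primary header + data field so addressing and sequencing are bound."""
    covered = pkt if cover_header else pkt[6:]
    return hmac.new(key, covered, hashlib.sha256).digest()[:TAG_LEN]


def secure_packet(key, pkt, cover_header):
    return pkt + auth_tag(key, pkt, cover_header)


class ReplayFilter:
    """Per-(SCID, APID) anti-replay state (assumed flow key): accept only a
    counter strictly greater than the last accepted one, as the slide states.
    Note the 14-bit sequence counter wraps, so a deployed check needs more."""

    def __init__(self):
        self.last_seen = {}

    def accept(self, scid, apid, seq_count):
        flow = (scid, apid)
        prev = self.last_seen.get(flow)
        if prev is not None and seq_count <= prev:
            return False
        self.last_seen[flow] = seq_count
        return True


def verify_packet(key, scid, secured_pkt, cover_header, replay_filter):
    """Return 'ok', 'bad_length', 'bad_tag' or 'replay'. The tag is checked
    before the replay state is touched, so a forged packet cannot advance it."""
    if len(secured_pkt) < 6 + TAG_LEN:
        return "bad_length"
    pkt, tag = secured_pkt[:-TAG_LEN], secured_pkt[-TAG_LEN:]
    hdr = parse_primary_header(pkt)
    if len(pkt) != 6 + hdr["data_len"]:
        return "bad_length"
    if not hmac.compare_digest(auth_tag(key, pkt, cover_header), tag):
        return "bad_tag"
    if not replay_filter.accept(scid, hdr["apid"], hdr["seq_count"]):
        return "replay"
    return "ok"


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, not a mission key
    rf = ReplayFilter()
    for seq in (5, 7, 6):  # 6 arrives after 7, e.g. via a longer path
        pkt = build_primary_header(100, seq, 4) + bytes([seq]) * 4
        print(seq, verify_packet(key, 42, secure_packet(key, pkt, True), True, rf))
```

Running the demo prints `ok`, `ok`, `replay`: the legitimate but late counter 6 is dropped by the strictly-greater rule, which is exactly the routing/security interaction the open question on slide 12 asks about. The payload-only mode leaves the APID outside the MAC, so a packet can be re-addressed without failing verification; covering the header closes that, which is why the slide raises it as a second mode.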
Secure routing (2/2)
2. Confidentiality
o It could imply link-by-link encryption (e.g. data link security using SDLS on all involved links) in addition to E2e.
o An alternative?: a common security association, shared by the routers, providing confidentiality to such data (same as for authentication).
– The PDU including routing data is ciphered with a common key shared by all routers.
– Key management issue with distributed routers
– Network blockage if a router fails to synchronize the key
o Data payload for ciphering
– As a minimum covering the relevant networking PDU
– Also driven by the cryptographic algorithm (e.g. block size)
Network Layer Security – Some Open Questions
1. Security and Routing - Is there a possible interaction that we will have to be aware of?
a. What if two packets take different paths and the sequence numbers are not accurate anymore? -> How does this affect security?
b. Intermediate Hop Authentication? Packets could be authenticated by intermediate nodes
2. Interaction with SLE protocols?
a. F-CLTU should work properly
b. F-SP should work properly, if no header fields are encrypted
c. R-AF/R-CF/R-OCF should work properly
d. Side note: SLE protection?
ESA Ground Segment Architecture – Everything based on packets
[Figure: ESA ground segment packet flows.
– TM: prepared TM packets enter S2K (MCS), which 1) amends TM packets, 2) archives TM packets and 3) processes TM packets; the TM Packet Archive holds the amended TM packets in permanent storage.
– TC: S2K (MCS) 1) creates TC packets, 2) archives TC packets and 3) dispatches TC packets for processing; the TC Packet Archive holds the amended TC packets in permanent storage.]
Note: S2K = SCOS-2000 is the ESA Mission Control System (MCS)
Ground Segment Analysis/ESA
1. Network Layer Security meets a functional gap in ESA ground segment security
2. (Amended) space packets are THE data structure in which all TC & TM information is stored and archived on ground
a. S2K packet = Space Packet + S2K Header (including e.g. ground reception timestamp)
3. This means that network layer security
a. Enables (selective) security of long-time packet archives
b. Could enable selective display of TM packets (e.g. only the security unit expert would be able to see security unit HK TM on his console)
c. Enables forwarding of secured packets to third-parties without need to add security again (e.g. Eumetsat) and potentially without ESA having the capability to access their contents
ESA Ground Segment/S2K Processing
[Figure: S2K processing chain. The Ground Station talks to the Network Interface System over SLE: F-CLTU (F-SP) for commanding, R-AF/R-CF/R-OCF for telemetry. TM Frames go to the Generic Packetiser; CLTUs or Packets come from the Command Releaser. Inside S2K, S2K Packets flow between the Packet Archive, the Commanding Sources and the Monitoring Applications.]