
RE: I-D ACTION: draft-cruickshank-ipdvb-sec-req-01.txt



Hi William,

This draft (draft-cruickshank-ipdvb-sec-req-01.txt) is about specifying
the actual security requirements before talking about solutions.

Currently, there are two proposed solutions: one is Preshant's document
(draft-ppillai-ipdvb-sule-00.txt).  We, the authors of this draft
(draft-cruickshank-ipdvb-sec-req-01.txt), are also in the process of
submitting our solution to the ipdvb group. The two solutions have some
similarities and some differences.  We might converge in the future into
one solution.

However, regarding the security requirements, there were several
comments in the past from the ipdvb group about the old version of the
draft (draft-cruickshank-ipdvb-sec-req-00.txt).  The new version addresses
these issues.

Here is a summary of the major comments raised and the responses that
are included in the new draft:

* Comment: Section 1: Can you also identify what it is that is being
protected? (Security objectives)
** Response: The main objective of this document is to specify the
requirements for securing the link between the Encapsulation Gateways
(ULE source) and Receivers only.  I

* Comment: Section 1.1: SI issues: this document must identify the
control-plane dependencies that are a function of an MPEG-2 transmission
network. In particular, what are the properties, potential threats, and
the security assumptions (e.g. the devices generating MPEG-2 SI are
trusted)?
** Response: In an MPEG-2 transmission network there are several
signalling messages that are broadcast by the Network Control Centre
(NCC).  Examples of these signalling messages (or SI tables) are PAT -
Program Association Table, PMT - Program Map Table and NIT - Network
Information Table.  In existing MPEG-2 transmission networks, these
messages are broadcast in the clear (no encryption or integrity checks).
The integrity of these messages is important for the correct working of
a ULE network.  However, securing these messages is out of scope for ULE
security.

* Comment: What are the goals of the security integrity check?
** Response: ULE source authentication and its packet integrity checks
are required.

* Comment: Section 3: Layer L2 terminal authentication. This point needs
more elaboration.
** Response: This section is combined with the active threats.

* Comment: Section 4.2: There is a need to protect the identity of ULE
encapsulators/Receivers over the ULE broadcast medium; IPsec cannot
provide this service. Is it that IPsec cannot provide this, or that
IPsec is not well-suited to provide this?  The interfaces of these
devices also do not necessarily have IP addresses (they can be L2
devices).
** Response: This text is added to the draft.

* Comment: Section 5.1: Another disadvantage. There is an additional
issue with key distribution in that a channel needs to be created to
distribute and control the use of the keys. IP-based methods to perform
this are well-known, and do not require new protocol machinery. This
point needs more elaboration.
** Response: This text is added.

* Comment: Two other points that were raised in the WG meeting of
IETF-62: Are there any specific requirements on the crypto and IP-based
key management algorithms that can be used with this approach?
** Response: No.

Haitham (& Sunny and Laurence)

----

Dr. Haitham S. Cruickshank

Lecturer 
Communications Centre for Communication Systems Research (CCSR)
School of Electronics, Computing and Mathematics
University of Surrey, Guildford, Surrey GU2 7XH, UK 

Tel: +44 1483 686007 (indirect 689844) 
Fax: +44 1483 686011
e-mail: H.Cruickshank@surrey.ac.uk
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/




-----Original Message-----
From: owner-ipdvb@erg.abdn.ac.uk [mailto:owner-ipdvb@erg.abdn.ac.uk] On
Behalf Of William Stanislaus
Sent: 12 May 2006 12:59
To: Ipdvb IETF
Subject: Re: I-D ACTION: draft-cruickshank-ipdvb-sec-req-01.txt


Hello,
I'm a bit confused; some time ago we received a similar draft from
P. Pillai on the same area (secure ULE). The security requirements
discussed by "draft-ppillai-ipdvb-sule-00.txt" are already discussed in
detail by "draft-cruickshank-ipdvb-sec-req-01.txt".

In general, the DVB terminals are just forwarders, i.e. they forward IP
packets from the DVB interface to the Ethernet interface (DVB-S/DVB-RCS)
and forward IP packets from the Ethernet interface to the DVB interface
(DVB-RCS). They don't do much packet processing, which makes the DVB
terminal simple and cheaper in performance. I was wondering why there was
no discussion in these drafts about the performance issues of
implementing these security encryptions and decryptions. These drafts
referred to IPsec and its functionalities, but at the same time we should
not forget the IPsec performance degrades and hardware based accelerators

Best Regards,
William Stanislaus | Technical Consultant
Nortel Networks Division | CalSoft
email: williams@calsoft.co.in | Mobile: (+91) 98409 10581 SkypeIn
(VoIP): +1 (650) 515 3738 www.californiasw.com




> From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
> Reply-To: <ipdvb@erg.abdn.ac.uk>
> Date: Thu, 11 May 2006 10:23:24 +0100
> To: "ipdvb@erg.abdn.ac.uk" <ipdvb@erg.abdn.ac.uk>
> Conversation: I-D ACTION: draft-cruickshank-ipdvb-sec-req-01.txt
> Subject: I-D ACTION: draft-cruickshank-ipdvb-sec-req-01.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> 
> 
>     Title        : Security requirements for the Unidirectional
>                    Lightweight Encapsulation (ULE) protocol
>     Author(s)    : H. Cruickshank, S. Iyengar, L. Duquerroy
>     Filename     : draft-cruickshank-ipdvb-sec-req-01.txt
>     Pages        : 13
>     Date         : 2006-5-09
> 
> 
>    This document provides a threat analysis and derives security
>    requirements for MPEG-2 transmission links using the Unidirectional
>    Lightweight Encapsulation (ULE). It also provides the motivation for
>    ULE link level security. This work is intended as a work item of the
>    ipdvb WG, and contributions are sought from the IETF on this topic.
> 
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-cruickshank-ipdvb-sec-req-01.txt
> 
> Internet-Drafts are also available by anonymous FTP. Login with the 
> username "anonymous" and a password of your e-mail address. After 
> logging in, type "cd internet-drafts" and then
>     "get draft-cruickshank-ipdvb-sec-req-01.txt".
> 
> A list of Internet-Drafts directories can be found in 
> http://www.ietf.org/shadow.html or 
> ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> 
> 
> Best wishes,
> 
> G Fairhurst
> (ipdvb WG Chair)
> 
> 
>