Secure Frame Format Proposal SFF: PAR, Architecture, 5 Criteria, Some ideas and notes


1 Secure Frame Format Proposal SFF: PAR, Architecture, 5 Criteria, Some ideas and notes (mick_seaman@ieee.org)

2 SFF Proposal : Agenda
(802.1 June ‘03, Secure Frame Format Proposal, Mick Seaman)
- Explain the key concepts behind the words of the PAR
- Describe the architectural fit of this component of the security solution
- Provide further material for the 5 criteria
- Share some ideas about potential solutions and consequences

3 Proposed Scope : Some words
To define a secure frame format to ensure the connectionless confidentiality of MAC Service Data Units (MSDUs) and to ensure data origin identification and the connectionless integrity of the MAC frames that convey these MSDUs, using a secure association between MAC layer entities providing the MAC Internal Sublayer Service (-1-) or the MAC Enhanced Internal Sublayer Service (-2-). This proposed standard will not include key management but will make use of other projects to establish the secure association.
References: -1- IEEE Std 802.1D, -2- IEEE Std 802.1Q.

4 SFF PAR Concepts
Communication between:
- Peer media access method independent MAC layer entities:
  – Providing ISS (.1D) or EISS (.1Q)
With:
- Connectionless data integrity
- Connectionless data confidentiality
- Data origin authenticity

5 Concepts : SFF Entities
- Peers
- Media access method independent
- MAC layer entities
(Diagram labels: MAC Service Boundary; Media Access Method Dependent Functions)

6 Concepts : Internal Sublayer Service
- ISS = MAC Service + MAC SA, FCS, access priority
- EISS = ISS + VLAN ID
(Diagram labels: MAC Service Boundary; Media Access Method Dependent Functions)

7 Concepts : Connectionless data
Connectionless Service Provision
- Each service request is independent of any other
  – Delivery probability and ordering are aspects of QoS
Connectionless Service Support
- Each service request is supported by a single frame transmission, not a sequence of related frames
- Frames are mutually independent
  – Agreed replay protection discussion is in PAR scope

8 Concepts : Data integrity & confidentiality
Data integrity
- Covers MAC DA, SA, VID*, user priority*, user data
- Does not cover MAC dependent fields
Data confidentiality
- Covers user data
  – Possible interworking issues between .1D + SFF and .1Q + SFF
- Does not cover MAC DA, SA, VID*, user priority*, MAC dependent fields

9 Concepts : Data origin authenticity
Need to know which entity has ‘secured’ the data if not implicit at receiver, i.e. if ‘multihop’ or non-pt-to-pt
- Integrity guaranteed
- Confidentiality explicitly not provided
  – Facilitate management observation
- Confuse or optimize with key identity?
- Field may be absent if pt-to-pt single hop
- Field may be absent, if logical pt-to-pt single hop?
  – System redundancy with LLID?

10 Concepts : What’s not in
Denial of service
- BUT after a known time deltaT has elapsed after any attack has ceased, the system is guaranteed to recover from the DoS

11 SFF Architecture (likely consequences 1)
- Secure association end points map to Ports (.1D, .1X)
- Uncontrolled and Secured/Authorized Ports
  – Address the bootstrap problem
  – In principle could have multiple Ports, each corresponding to a number of security associations
(Diagram labels: MAC Service Boundary; Media Access Method Dependent Functions)

12 SFF Architecture (likely consequences 2)
(Diagram slide; no text content)

13 Notes : On a frame format
- DA, SA
- SFF TAG
  – Key Identifier
  – Data Origin (Securing Party) Identifier
- VLAN TAG (optional)
- User data
- Integrity Check Value
(Diagram annotations: Integrity; Confidentiality optional)
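The integrity-coverage rule of slide 8 applied to the candidate layout of slide 13, as an added example (not code from the presentation or any 802.1 standard): the ICV is computed over DA, SA, the SFF tag, the optional VLAN tag (VID and priority) and user data, while a trailing media-dependent FCS is outside it. Field widths, the 1-byte key identifier, the 6-byte origin identifier, the truncated HMAC-SHA256 ICV and all keys and addresses are constructed assumptions for this demo; confidentiality (optional on the slide) is not shown.

```python
import hmac
import hashlib
import struct

# Constructed layout: DA(6) | SA(6) | SFF tag: key_id(1) + origin(6) | optional 802.1Q tag(4)
# | user data | ICV(16). Widths and the HMAC-based ICV are assumptions, not the proposal's.
TPID_8021Q = 0x8100
ICV_LEN = 16
TAG_LEN = 1 + 6

def build_sff_frame(ik, da, sa, key_id, origin, user_data, vid=None, priority=0):
    """Protect a frame: the ICV covers DA, SA, SFF tag, VLAN tag and user data (slide 8)."""
    sff_tag = bytes([key_id]) + origin
    vlan_tag = b""
    if vid is not None:
        vlan_tag = struct.pack("!HH", TPID_8021Q, ((priority & 7) << 13) | (vid & 0x0FFF))
    covered = da + sa + sff_tag + vlan_tag + user_data
    icv = hmac.new(ik, covered, hashlib.sha256).digest()[:ICV_LEN]
    return covered + icv

def verify_sff_frame(ik, frame, fcs_len=0):
    """Return (ok, fields). fcs_len bytes at the end are media-dependent and not covered."""
    body = frame[:len(frame) - fcs_len] if fcs_len else frame
    if len(body) < 12 + TAG_LEN + ICV_LEN:
        return False, None
    covered, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(ik, covered, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return False, None
    da, sa = covered[:6], covered[6:12]
    key_id, origin = covered[12], covered[13:19]
    rest = covered[19:]
    vid = priority = None
    # VLAN tag detection by TPID, as an 802.1Q-aware receiver would do
    if len(rest) >= 4 and struct.unpack("!H", rest[:2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", rest[2:4])[0]
        priority, vid = tci >> 13, tci & 0x0FFF
        rest = rest[4:]
    return True, {"da": da, "sa": sa, "key_id": key_id, "origin": origin,
                  "vid": vid, "priority": priority, "data": rest}

def demo():
    ik = b"constructed-integrity-key"                 # constructed, not a real SA key
    da, sa = bytes.fromhex("01005e000001"), bytes.fromhex("001122334455")
    frame = build_sff_frame(ik, da, sa, 1, sa, b"hello", vid=100, priority=5)
    ok, f = verify_sff_frame(ik, frame)
    tampered = bytearray(frame)
    tampered[22] ^= 0x01                              # flip a VID bit inside the VLAN tag
    bad, _ = verify_sff_frame(ik, bytes(tampered))
    with_fcs = frame + b"\x00\x00\x00\x00"            # FCS appended outside the ICV
    ok_fcs, _ = verify_sff_frame(ik, with_fcs, fcs_len=4)
    return ok, f["vid"], f["priority"], bad, ok_fcs
```

Modifying any covered field (here the VID) fails verification, while a changed or absent FCS does not affect the ICV, matching the slide's split between protected and media-dependent fields.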

