IEEE Std 802.10-1998 Proposed Revision

1
IEEE Std 802.10-1998 Proposed Revision

• Purpose, Scope 5 Criteria

2
Purpose

• The purpose of this PAR is to update the Secure
  Data Exchange (SDE) Protocol specified in IEEE
  Std 802.10-1998, to accommodate newly identified
  security requirements for all current 802 MACs
  and delete unneeded header fields.

3
Scope

• The scope of this PAR is to make changes to the
  format and processing of SDE PDUs to
• Accommodate replay protection
• Integrity protect the Destination MAC address
• Integrity protect additional header fields,
  particularly the VLAN tag, as needed
• The current PDU format and processing will have
  to be modified to incorporate a sequence number
  the DA will have to be included in the
  computation of the ICV, and the VLAN tag (and
  any other required header fields) will be
  included in the computation of the ICV, if
  protection is required by VLAN tagging rules
  (which are to be specified).
• In addition, an informative annex will be
  developed that discusses various scenarios for
  securing Layer 2 bridged networks and a normative
  annex will be developed that defines an SDE
  profile specifying a single interoperable SDE
  configuration that must be supported by all
  vendors claiming conformance to the revised SDE
  specification.

4
SDE Header Format Modifications
INTEGRITY PROTECTED
ENCRYPTED
DA
SA
CLEAR HEADER
PROTECTED HEADER
ICV
DATA
PAD
Current Format
STA ID
FLAGS
FRAG ID
SEC LABEL
SDE Des
SAID
MDF
INTEGRITY PROTECTED
ENCRYPTED
CLEAR HEADER
PROTECTED HEADER
DATA
ICV
DA
SA
VLAN TAG
PAD
Revised Format
Pload EType
FLAGS
FRAG ID
SEC LABEL
SAID
SEQ NO.
MDF
5
5 Criteria
6
Broad Market Potential

1. Broad sets of applicability
2. Multiple vendors numerous users
3. Balanced costs (LAN vs attached stations)

• Security is applicable to most personal and
  business environments that utilize 802 Layer 2
  products. Increased security awareness in the
  general user population has dramatically
  increased the demand for security in networks
  composed of 802 Layer 2 products.
• Several hundred people representing more than a
  hundred companies attend various 802 working
  groups that require security support in their
  products. These currently include 802.3 (P2P
  P2MP), 802.11 (WLAN), 802.15 (WPAN), 802.16
  (WMAN), 802.17 (RPR), 802.20 (MBWA).
• 3. Layer 2 security can be implemented in either
  LAN devices or attached stations. Implementation
  of security in bridges is the most cost effective
  method, since many attached stations can be
  supported by a single bridge.

7
Compatibility

• The proposed revisions to IEEE Std 802.10-1998
  are compatible with all current 802 MAC and
  bridging standards
• There are no implementations of 802.10-1998,
  therefore backwards compatibility is not an issue
• Revisions to 802.10-1998 will conform with 802
  Overview Architecture and 802 layer management,
  as appropriate

8
Distinct Identity

1. Substantially different from other IEEE standards
2. One unique solution per problem
3. Easy for the document reader to select the
   relevant specification

• There are no other 802-wide security standards.
  802.11i security work is specific to 802.11
  products, and is not intended to be a generic
  solution for all 802 MACs. PARs produced by the
  LinkSec ECSG will either support this effort, or
  be entirely distinct from it, but will not
  duplicate any of 802.10s work.
• The goal of the revisions to 802.10-1998 is to
  provide a unique security
• solution that is applicable to all 802 MAC and
  bridging Standards.
• The proposed effort is a revision to 802.10-1998,
  which will have a distinct document revision
  number (probably IEEE Std 802.10-2004)

9
Technical Feasibility

1. Demonstrated system feasibility
2. Proven technology, reasonable testing
3. Confidence in reliability

• Technological revisions to 802.10-1998 are simple
  and straight-forward. Similar constructs are
  being used in a variety of products and other
  standards efforts today.
• Products supporting Internet standards that
  incorporate similar technology have been sold
  world-wide and have been thoroughly tested in the
  field.
• As with many security Standards, reference
  implementations will have to be constructed to
  which compliance must be proven in order to
  achieve the necessary confidence.

10
Economic Feasibility

1. Known cost factors, reliable data
2. Reasonable cost for performance
3. Consideration of installation costs

• The goal of this project is to create a Layer 2
  security mechanism that balances the cost of
  implementing data security with the cost and
  performance of the access technology.
• 2. Security mechanisms have been incorporated in
  Layers 2, 3, 4, and 7 at a reasonable cost
  increment, in terms of both dollars and
  throughput.
• 3. Any Layer 2 security mechanism may require
  additional infrastructure, depending on the type
  of key management mechanism selected. This
  translates into additional installation cost for
  equipment, software, and/or administration.