[Search] [txt|pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
IPDVB Working Group                                      M. Noisternig
Internet Draft                                  University of Salzburg
Intended status: Standards Track                             P. Pillai
Expires: January 2010                           University of Bradford
                                                        H. Cruickshank
                                                  University of Surrey
                                                         July 13, 2009

     Security Extension for Unidirectional Lightweight Encapsulation

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on January 13, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).

Noisternig et al.     Expires January 13, 2010                [Page 1]

Internet-Draft       Security Extension for ULE              July 2009

   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.


   The Unidirectional Lightweight Encapsulation (ULE) protocol provides
   an efficient mechanism for transporting IP and other network layer
   protocol data over MPEG-2 networks. Such networks, widely used
   especially for providing digital TV services, often use broadcast
   wireless transmission media, and are hence vulnerable to various
   types of security attacks.

   This document describes a new mandatory ULE extension to protect ULE
   traffic using security features such as data confidentiality, data
   integrity, data origin authentication, and prevention against replay
   attacks. Additionally, destination addresses may be hidden from
   unauthorized receiver devices using the identity protection feature.

   The format of the security extension header as well as the processing
   at receivers and transmitters are described in detail. The extension
   aims to be lightweight and flexible such that it may be implemented
   in low-cost, resource-scarce transceivers, and different levels of
   security may be selected.

   The security extension may be easily adapted to the Generic Stream
   Encapsulation (GSE) protocol, which uses a similar extension header

Table of Contents

   1. Introduction ................................................. 3
   2. Requirements Notation ........................................ 4
   3. Abbreviations used in this document .......................... 4
   4. Security Services ............................................ 5
   5. Secure ULE SNDU Format ....................................... 7
      5.1. Type Field .............................................. 9
      5.2. Receiver Destination Address Field ...................... 9
      5.3. ULE-SID Field ........................................... 9
      5.4. Encrypted Destination Address Field ..................... 9
      5.5. SA-Dependant Data Field ................................ 10
      5.6. Encrypted Next-Type Field .............................. 10
      5.7. Encrypted Payload ...................................... 10
      5.8. Message Authentication Code (MAC) Field ................ 10
   6. Transmitter and Receiver Processing ......................... 11
      6.1. Security Policy Database (SPD) ......................... 12
      6.2. Security Association Database (SAD) .................... 13
      6.3. Transmitter Processing ................................. 14

Noisternig et al.     Expires January 13, 2010                [Page 2]

Internet-Draft       Security Extension for ULE              July 2009

      6.4. Receiver Processing .................................... 16
   7. Key Management Considerations ............................... 18
      7.1. MSEC/IPsec Key Management Protocols .................... 19
      7.2. Existing L2 Key Management Infrastructure .............. 19
      7.3. Other Considerations ................................... 19
   8. Security Considerations ..................................... 19
   9. IANA Considerations ......................................... 21
   10. Acknowledgments ............................................ 21
   11. References ................................................. 22
      11.1. Normative References .................................. 22
      11.2. Informative References ................................ 22

1. Introduction

   The Unidirectional Lightweight Encapsulation (ULE) protocol [3]
   provides an efficient mechanism for transporting IP and other network
   layer protocol data over ISO MPEG-2 Transport Streams (TS) [1]. This
   document describes a new ULE mandatory extension header for providing
   link layer security for ULE.

   In MPEG-2 transmission networks employing ULE there is a need to
   provide link layer security, particularly where network layer and
   transport layer security may not be present or may not be sufficient.
   The security requirements are presented and discussed in detail in
   [4]. The set of security services that the security extension for ULE
   can provide includes data confidentiality, data integrity, data
   origin authentication and rejection of replayed packets. While
   providing suitable link encryption is mandatory, link layer data
   integrity and data origin authentication is provided as an optional
   security service. These are especially desirable for systems where
   there are several ULE transmitters (e.g., satellite mesh systems).

   The extension also supports what is called 'identity protection' in
   this specification. This allows hiding destination addresses from
   unauthorized receiver devices, thus enabling a form of traffic flow

   The method described in this document provides security for ULE SNDUs
   at the link layer, in contrast to higher-layer mechanisms, such as
   IPsec [7] and TLS [10]. This allows protecting any network layer
   protocol (even with Ethernet bridging), while higher-layer security
   may be used independently and in parallel. Link-layer signalling
   information may be protected as well.

   The processing specification follows the IPsec approach of defining a
   Security Policy Database (SPD) and a Security Association Database
   (SAD). A Security Identifier (SID), similar to the Security Parameter

Noisternig et al.     Expires January 13, 2010                [Page 3]

Internet-Draft       Security Extension for ULE              July 2009

   Index (SPI) in the IPsec protocols, assists receiver devices in
   looking up security states. The design of the databases for ULE
   security is similar but simpler because unlike in IPsec a receiver
   only needs the SID along with the NPA address and possibly the PID to
   retrieve the data from these databases.

   Key management protocols assuming similar processing functionality,
   such as the MSEC Group Domain of Interpretation (GDOI) [8] and the
   Group Secure Association Key Management Protocol (GSAKMP) [6], may be
   adapted for the ULE scenario. Simple configurations are supported
   using manual keying (i.e., pre-shared keys).

   Security transforms such as encryption algorithms may be modelled
   after existing MSEC and IPsec security algorithms, but will be
   defined in separate documents in order to proceed/update them
   independently of this specification.

   The ULE security extension is designed for both bi-directional and
   unidirectional links, as well as unicast and multicast settings [9].

2. Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [2].

3. Abbreviations used in this document

   AES - Advanced Encryption Standard

   DES - Data Encryption Standard

   DVB - Digital Video Broadcasting

   GDOI - Group Domain of Interpretation

   GSKAMP - Group Secure Association Key Management Protocol

   GSE - Generic Stream Encapsulation

   IPsec - Internet Protocol Security

   MPE - Multi-Protocol Encapsulation

   MAC - Message Authentication Code

   NAT - Network Address Translation

Noisternig et al.     Expires January 13, 2010                [Page 4]

Internet-Draft       Security Extension for ULE              July 2009

   NCC - Network Control Centre

   NPA - Network Point of Attachment

   PEP - Protocol Enhancing Proxy

   PID - Packet Identifier

   PDU - Protocol Data Unit

   SAD - Security Association Database

   SID - Security Identifier

   SHA - Standard Hash Algorithm

   SNDU - Subnetwork Data Unit

   SPD - Security Policy Database

   SPI - Security Parameter Index

   TLS - Transport Layer Security

   ULE - Unidirectional Lightweight Encapsulation Protocol

   VPN - Virtual Private Network

4. Security Services

   MPEG-2 based networks are susceptible to several security attacks,
   both passive and active [4]. Some of the main security services
   (mandatory or optional) that the security extension for ULE provides:

   o Data confidentiality (mandatory): Data confidentiality is
      achieved by encrypting the higher layer PDU (and other ULE
      extensions headers that may be present and require security)
      before encapsulation in the ULE SNDU, so that only authorised
      receivers can decrypt the transmitted information while an
      adversary would not be able to recover the important information
      even if it got access to the transmitted data.

Noisternig et al.     Expires January 13, 2010                [Page 5]

Internet-Draft       Security Extension for ULE              July 2009

   o Receiver address hiding (optional): Hiding an SNDU's real
      destination NPA address from an adversary is an important step in
      providing identity protection. While one solution for this is to
      use temporary addresses, this is susceptible to various practical
      issues. More importantly, from a security point of view, temporary
      addresses do not provide adequate identity protection, as a
      passive adversary may easily link different SNDUs to the same
      connection. Also, a procedure to allocate temporary addresses is
      required such that they are unique in the system. Hence it is
      proposed to encrypt the destination address. By encrypting the
      destination address within the SNDU, an attacker is effectively
      denied from gaining information by monitoring addresses.

   o Data origin authentication (optional): Data origin (source)
      authentication allows a ULE receiver to verify data as sent by a
      legitimate ULE sender. A Message Authentication Code (MAC) using a
      shared secret key may be used to authenticate the sender in
      unicast settings, or to guarantee an SNDU originating from a group
      member in secure group communication. For the latter, other source
      authentication schemes, such as digital signatures, may be used to
      assure source authenticity.

   o Data integrity (optional): Data integrity provides a way for the
      receiver of the data message to know if the data has been tampered
      with in transit by an attacker. This is provided for by the data
      origin authentication algorithm. A change in the message will
      alter the authentication value, and an adversary will unlikely be
      able to derive a correct one.

Noisternig et al.     Expires January 13, 2010                [Page 6]

Internet-Draft       Security Extension for ULE              July 2009

   o Replay attacks countermeasures (optional): Methods against replay
      attacks need to ensure that an adversary has not replayed old
      authentic messages at a later time. A monotonically increasing
      sequence number may be part of the SA-dependent data field of the
      security extension header, allowing messages with old sequence
      number values to be rejected. As with other security services, the
      choice of using sequence numbers is dictated by policy, usually
      effected by the key management system.

      Note that sequence numbers resemble unkeyed connection states that
      an adversary may track to link packets to different connections.
      Therefore, use of sequence numbers is not mandated. One solution
      is encrypting sequence numbers using standard Electronic Code Book
      (ECB) mode (i.e., encrypt as one block of data). A receiver first
      decrypts the encrypted value within the protocol to check for a
      replay, and then may use either the encrypted value as an
      initialization vector for the Cipher Block Chaining (CBC) mode of
      operation, or the decoded sequence number for the Counter (CTR)
      mode (with the internal counter incremented by one). The
      disadvantage is a slightly higher protocol overhead compared to
      unencoded sequence numbers. Another solution is to use connection-
      independent timestamp values. Depending on the resolution,
      timestamps may or may not provide perfect replay protection. The
      drawback is a higher protocol overhead, including the need for
      synchronized clocks.

5. Secure ULE SNDU Format

   Figure 1 below shows the format of an SNDU containing the security
   extension header. The extension header is designed as a framework for
   a set of security transforms, enabling high flexibility in selecting
   various security services (including common encryption algorithms
   such as DES [11], 3DES, AES [12], etc.). Security transforms are to
   be described in separate documents, and will be based on algorithms
   defined for the MSEC/IPsec protocols.

   The ULE security extension is a standard extension header as
   described in Section 5 of RFC 4326 [3], and does not affect the ULE
   base protocol. Furthermore, the extension is a Mandatory ULE
   Extension header, which means that a receiver MUST process this
   header before it processes the next extension header or the
   encapsulated PDU, otherwise the entire SNDU should be discarded.

   When configuring use of the security extension at encapsulation
   devices, it is RECOMMENDED to place the extension header directly
   after the base header. This permits full protection for all headers.

Noisternig et al.     Expires January 13, 2010                [Page 7]

Internet-Draft       Security Extension for ULE              July 2009

   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |D|          Length            |     Type = Secure-ULE        |
   |           Receiver Destination NPA Address (D=0)            |
   |                              +------------------------------+
   |                              |           ULE-SID            |
   |         Encrypted Destination NPA Address (optional)        |
   |                                                             |
   =                  SA-Dependant Data (optional)               =
   |                                                             |
   |                              +------------------------------+
   |                              |    Encrypted Next-PDU Type   |
   |                                                             |
   |                                                             |
   =                         Encrypted PDU                       =
   |                                                             |
   |                                                             |
   |                                                             |
   =            Message Authentication Code (optional)           =
   |                                                             |
   |                    Cyclic Redundancy Check                  |
   Figure 1. General SNDU format with security extension header

   In Figure 1, the Type field in the base header denotes that a
   mandatory security extension header is present. The receiver
   destination NPA address is optional (dependent on the D bit). The
   security extension header follows the ULE base header. This header
   contains the ULE Security Identifier (SID), an optional Encrypted
   Destination Address, a variable-length field whose content is
   determined by a Security Association (SA), and an encrypted Type
   field denoting the type of the enclosed PDU (or a subsequent
   extension header if present). The security extension header has an
   associated trailer following the PDU data that contains an optional
   Message Authentication Code (MAC) field. Placing the MAC in the end
   of the SNDU is in similar spirit to the CRC, and allows computation
   in an on-line way, i.e., an encapsulator may derive the MAC of an
   SNDU during the process of transmitting it, and following the last
   bit of the PDU it can simply attach the MAC.

Noisternig et al.     Expires January 13, 2010                [Page 8]

Internet-Draft       Security Extension for ULE              July 2009

   The following subsections describe the fields that are part of or are
   directly relevant to the security extension header in more detail.
   All other fields are defined within the ULE standard [3].

5.1. Type Field

   The 16-bit Type field of the ULE base header (or some other extension
   header) indicates a security extension header following subsequently.

   [XXX IANA ACTION REQUIRED to allocate xxSecure-ULExx XXX]

   This Secure-ULE Type code is to be defined in the IANA maintained
   Next-Header Registry for ULE and has the value xxSecure-ULExx


5.2. Receiver Destination Address Field

   This field, defined in the ULE standard, typically carries the
   destination NPA address of a receiver device, or the address of a
   multicast group. However, when the identity protection service is
   used, this address is moved into the security extension header (see
   section 5.4). The address field in the base header may still be
   present, though, to reduce processing constraints for other receiver
   devices and aid in the lookup of security states, for example by
   containing a multicast address designating a VPN of the destination.
   However, it MUST NOT contain the real destination NPA address that is
   hidden within the Encrypted Destination Address Field, and it MUST
   NOT carry any other unique identifier for the receiver device.

5.3. ULE-SID Field

   A 16-bit Security Identifier (SID), similar to the SPI in IPsec, is
   used to look up the security state for a connection. This SID
   represents the Security Association (SA) between the ULE transmitter
   and receiver for a particular session and indicates the keys and
   algorithms used for encrypting the data payload and calculating the
   MAC. The SID is used by a receiver to filter PDUs in combination with
   the NPA address when present.

5.4. Encrypted Destination Address Field

   This field is only present if the identity protection service is
   selected. In that case, the 48-bit destination NPA address from the
   base header is omitted, and instead appears in the security extension
   header, where it is encrypted subsequently (along with the payload

Noisternig et al.     Expires January 13, 2010                [Page 9]

Internet-Draft       Security Extension for ULE              July 2009

   data). If no other label is inserted in the base header's address
   field (see section 5.2), the D bit is set to 1.

5.5. SA-Dependant Data Field

   This variable-length optional field may contain any auxiliary
   information that is specific to the particular SA. Typical content
   would be sequence numbers to provide replay protection, nonces for
   stream cipher encryption, or Initialisation Vectors (IVs) for
   randomized security algorithms. The length of this field, of the
   subentries, and their order is defined by the SA and mandated by

5.6. Encrypted Next-Type Field

   This 16-bit value denotes the type of a subsequent extension header,
   respectively the content type of the payload data [3]. It is
   encrypted along with the payload. If another ULE extension header
   follows, then this type field indicates the type of this extension

5.7. Encrypted Payload

   All data transmitted between ULE sender and receiver is encrypted
   under the data confidentiality service. The coverage of this service
   includes the Payload Data Unit (PUD), the Encrypted Next-Type Field,
   and the Encrypted Destination NPA Address Field if present. The
   algorithms and keys used for this purpose are determined by the SA
   shared between the communicating points.

5.8. Message Authentication Code (MAC) Field

   This field, when present, carries the tag of a Message Authentication
   Code (MAC) to provide both data origin authentication and data
   integrity. The default scope of the MAC algorithm is the entire SNDU
   up to but not including the MAC and CRC fields.

   The MAC field may also contain a digital signature or suitable output
   of another multicast source authentication scheme if source
   authentication under group communication is desired.

   Reliable protection against modification of data and masquerading
   attacks requires both sender and receiver identifiers to be
   authenticated in addition to the payload. This is an issue for the
   ULE protocol because it does not exhibit a source identifier field,
   and the PID of an underlying MPEG-2 TS cell does not depict a unique
   and reliable identifier [9]. Without authenticating the source, an

Noisternig et al.     Expires January 13, 2010               [Page 10]

Internet-Draft       Security Extension for ULE              July 2009

   active attacker may re-write the PID to appear from a different
   transmitter under the same encryption key. This problem can only
   arise in configurations with multiple senders sharing a key. In
   networks that do not employ PID re-numbering, the PID may be part of
   a pseudo-header for authenticating the source. This may be configured
   via policy.

6. Transmitter and Receiver Processing

   The processing specification follows the IPsec [7] approach of
   defining a Security Policy Database (SPD) and a Security Association
   Database (SAD). The SPD contains an ordered list of Security Policies
   (SPs). These policies allow simple filtering of incoming or outgoing
   data based on address and other information, including assignment of
   different security services and keys to different connections and
   secure groups. The SAD refers to the set of security states, called
   Security Associations (SAs), which are referenced on the receiver
   side using the SID along with the address information of the received

   In the IPsec protocols, a receiver normally uses the SPI it has
   chosen itself for looking up SAs within its SAD. In this
   specification the SPI is equivalent to the SID. However, under
   automated key management, this mechanism of using the SPI does not
   work for multicast settings, multi-sender shared SA scenarios, and
   unidirectional links, where the SPI value has to be centrally
   selected by a group controller. A multicast IPsec implementation
   partially solves these issues by taking into account the source and
   multicast destination of a packet, and following a longest-match
   approach in determining the appropriate SA in the following way:
   First, an SA is looked up using the triple (SPI, destination, source)
   (1); if not successful, a search is done for (SPI, destination) (2);
   finally, only the SPI is taken for the lookup (3). While (1) aims to
   support source-specific multicast groups, (2) is meant for any-source
   multicast groups. This document adapts that approach in the following
   way, using the Packet Identifier (PID) of the underlying MPEG-2 TS

   For an SNDU with a multicast address present, a longest-match search
   on (SID, destination NPA, PID) is performed in the incoming SAD.
   Otherwise, a longest-match search is derived using (SID, PID) in the
   incoming SAD. This takes into account VPN-like settings with a single
   sender, as well as unidirectional links.

   Support for shared SAs with multiple senders requires a coordinated
   solution for determining a unique SID value. To support shared SAs
   permitting bi-directional communication and avoid the effort of

Noisternig et al.     Expires January 13, 2010               [Page 11]

Internet-Draft       Security Extension for ULE              July 2009

   duplicating SAs, an SAD may store references to SAs, and reference
   bi-directional SAs in both the incoming and outgoing SAD.

   Another difference to IPsec is the treatment of directionality for
   SPs and SAs. In a standard IPsec implementation, a match on an SP
   affects traffic in both directions, resulting in two separate
   unidirectional SAs being created. This document always requires
   separate SPs to be defined for incoming and outgoing data, and in
   turn allows SAs to be shared across several devices, supporting both
   unidirectional links and group communication.

   For the rest of this section, a Selector is defined as a pair of
   destination NPA address and PID.

6.1. Security Policy Database (SPD)

   An SPD contains an ordered list of SPs, similar to Access Control
   Lists (ACLs). Each transmitter and receiver device defines one SPD
   for outgoing data, and an independent one for incoming SNDUs. For
   both databases, an SP must provide the following information:

   o An SP Selector, together with an SP Selector mask. This provides a
      simple and basic way to filter based on address information. For a
      transmitter SP, the Selector may be extended to include additional
      filtering information, such as higher-layer addresses, and port

   o Information about the SA(s) to be instantiated by this SP, when a
      match is found based on filtering. This contains:

      o A Selector mask, denoted SA Selector mask, which specifies the
        set of SAs derived from the policy. This provides a simple way
        to instantiate secure unicast connections, as well as shared SAs
        for secure group communication. It is similar to the Populate-
        From-Packet (PFP) flags in the IPsec specification, but slightly
        more general.

      o An optional SID value. If not defined, Group Controller and Key
        Server (GCKS) data must be present for the SID to be selected

      o Optional GCKS data. When a GCKS is configured, it MUST be
        contacted by a device which cannot find an SA for a matching SP,
        and when the SP does not define a static SID and default key
        data in its first set of Security Parameters.

      o An ordered list of Security Parameter sets used for

Noisternig et al.     Expires January 13, 2010               [Page 12]

Internet-Draft       Security Extension for ULE              July 2009

        instantiating an SA, sorted according to preference. On creating
        an SA, devices must default to the first entry in the list,
        unless a key management protocol permits negotiation (e.g., for
        unicast, bidirectional settings), and the device contacts the
        GCKS to request another set of Security Parameters from the

   Each set of Security Parameters contains:

   o The cryptographic algorithms used.

   o The cryptographic parameters required by these algorithms (e.g.,
      sequence number length, MAC length).

   o Optional key data for manual keying.

   A Security Parameter set may select no security services, by which it
   is to be interpreted requesting processing without the security
   extension header.

   Each SPD may be manually constructed by a device or network operator,
   but it may also be dynamically set up via a GCKS. This document does
   not describe how to create such databases, or how to store, manage,
   and look up SPs within the SPD; this is regarded as implementation
   specific detail.

6.2. Security Association Database (SAD)

   A Security Association (SA) is an instantiation of an SP. It
   describes the current state of a secure connection between two or
   more devices. Each SA within the SAD must contain the following

   o The SA Selector derived from the instantiating SP.

   o The SID defined by the SP or the GCKS.

   o Static security parameters defined by the SP (cryptographic
      algorithms, MAC length, Sequence Number length, etc.).

   o Dynamic security parameters (keys, sequence number, SA lifetime,
      etc.), initially defined by the SP or the GCKS, and updated during

   o GCKS specific data defined by the SP or the GCKS, including GCKS
      contact information.

Noisternig et al.     Expires January 13, 2010               [Page 13]

Internet-Draft       Security Extension for ULE              July 2009

   As with the SPD, the description of the implementation-specific
   details of the SAD is out of scope of this document.

6.3. Transmitter Processing

   The following list describes in detail the processing steps required
   for a ULE encapsulator implementing the unified ULE security

    1. Get SP: Upon constructing an SNDU for transmission over the ULE
      link, an encapsulator must scan its outgoing SPD for a matching
      policy. If no such policy can be found, the SNDU data MUST be
      discarded, and this event SHOULD be logged as an invalid
      transmission attempt.

    2. Get SA: Given a matching SP, an SA is searched within the outgoing
      SAD using the SNDU's Selector information and the policy's SA
      Selector masks, including the SP's SID value if defined. If no SA
      could be found, it must be set up as follows: If the SP's first
      Security Parameter set contains default key data, or defines data
      to be sent without protection, the SA is immediately created and
      initialized according to these settings. Otherwise, if the SP
      defines GCKS contact information, the GCKS MUST be queried for
      obtaining key material. During that attempt the device SHOULD
      postpone transmission, or discard the data. Any case of failure
      MUST result in the data being discarded, and this event SHOULD be
      logged (e.g., as a user authentication failure in the case of
      membership denial by the GCKS). If the SA allows passing data
      unprotected, processing continues as usual [3].

    3. Check SA: The SA may have a pre-defined lifetime (e.g., maximum
      number of encryptions, sequence number state, seconds since
      instantiation) after which it may no longer be used. To allow for
      a transient switch-over to a new SA, the SA must define a point
      prior to its lifetime end at which transmitters switch to the new
      SA. If that point is reached, a device MAY proactively request a
      new SA from a GCKS. In general, it is the responsibility of the
      operator or the GCKS to create new SAs, and distributing these to
      legitimate transmitter and receiver devices in time. If no new SA
      is available, a transmitter MAY still use the current SA during
      its full lifetime. After that, it MUST discard the data, and this
      event SHOULD be logged.

    4. Construct SNDU: A protected SNDU is built as follows:

      a. First, the ULE base header and any extension headers preceding
         the security extension header are written. If the SA requests

Noisternig et al.     Expires January 13, 2010               [Page 14]

Internet-Draft       Security Extension for ULE              July 2009

         identity protection, the destination NPA address is omitted
         from the base header, setting the base header's D bit to 1
         (though another label may be re-inserted, see section 5.2). The
         last next-header-type field within the extension header chain
         contains the type code for the security extension.

      b. The SID value is written as the first field of the security
         extension header.

      c. If identity protection is used, the SNDU's destination NPA
         address follows. It is encrypted along with the payload.

      d. Any SA-dependent data, such as sequence numbers and
         initialization vectors, are written subsequently.

      e. Then, the next-header-type field, any further extension
         headers, and the payload data are encoded as defined by the
         SA's data confidentiality algorithm (together with the
         encrypted destination NPA address).

      f. For authentication and integrity protection, a MAC of length as
         defined by the SA is appended. The MAC is computed over all the
         data encoded so far, i.e., from the start of the SNDU to the
         end of the payload data.

      g. Finally, the CRC is calculated and appended, and the SNDU
         further processed according to RFC 4326.

    5. Update SA: After transmission of the SNDU, the SA MUST be updated
      (e.g., the sequence number incremented by one).

Noisternig et al.     Expires January 13, 2010               [Page 15]

Internet-Draft       Security Extension for ULE              July 2009

         |   receive PDU   |                    +-----------------+
   +---->|from upper layers|<-------------------|   discard PDU   |
   |     +-----------------+                    +-----------------+
   |              v                                      ^
   |     +-----------------+ not found?         +-----------------+
   |     |     get SP      |------------------->|    log event    |<-+
   |     +-----------------+                    +-----------------+  |
   |              v                                      ^ failure?  |
   |     +-----------------+ not found?         +-----------------+  |
   |  +--|     get SA      |------------------->|    create SA    |  |
   |  |  +-----------------+                    +-----------------+  |
   |  |w/o        |                                      | success?  |
   |  |sec.ext.   |                     +----------------+           |
   |  |           v                     |                            |
   |  |  +-----------------+ end of     |                            |
   |  |  |    check SA     |-----------------------------------------+
   |  |  +-----------------+ lifetime?  |
   |  |           |                     |       +-----------------+
   |  |           | expected            |       |   get new SA    |
   |  |           +---------------------------->|    from GCKS    |
   |  |           | lifetime end?       |       +-----------------+
   |  |           v                     |                v failure?
   |  |  +-----------------+            |       +-----------------+
   |  +->| construct SNDU  |<-----------+       |    log event    |
   |     |   & transmit    |                    +-----------------+
   |     +-----------------+
   |              v
   |     +-----------------+
   |     |    update SA    |
   |     +-----------------+
   |              |

   Figure 2. Transmitter Processing Flow Chart

6.4.  Receiver Processing

   For a receiver device to process SNDUs containing the security
   extension, the following steps must be performed:

    1. Decode SNDU (1): First, the CRC of an SNDU received is verified,
      and the base header and extension headers preceding a security
      extension header or the payload are evaluated.

    2. Get SA: If a security extension header is found, a longest-match
      search within the incoming SAD is performed as described in

Noisternig et al.     Expires January 13, 2010               [Page 16]

Internet-Draft       Security Extension for ULE              July 2009

      section III. If it contains a matching SA, processing continues at
      step 4.

    3. Get SP: The SPD is scanned similar to step 1 in the transmitter
      processing specification. However, the destination NPA address may
      be hidden, and consequently the SP must define whether the address
      must be matched or not. When the SNDU is received without a
      security extension header but the SP does not permit data to pass
      unprotected, the SNDU MUST be discarded immediately, and this
      event SHOULD be logged. Likewise, if there is a security extension
      header, but the policy allows only for unprotected data, the SNDU
      MUST be discarded, and the event SHOULD be logged. When permitted,
      an unprotected SNDU is processed as usual [3]. Otherwise, an SA is
      created as described in step 2 of the transmitter processing

    4. Check SA: If the SA's lifetime has expired, the SNDU MUST be
      discarded, and this SHOULD be logged. If the extension header
      contains an encrypted destination NPA address, it is first
      decrypted, using the SA-dependent data, and checked for a valid
      address for that SA. If the decoded address is not accepted by the
      receiver device and the SA, the SNDU MUST be silently discarded.

    5. Decode SNDU (2): This step includes verification of the MAC,
      protection against replay attacks, and decoding of the payload. In
      any case of failure, the SNDU MUST be discarded, and this event
      SHOULD be logged.

    6. Update SA: After successful reception of an SNDU, the SA MUST be
      updated (e.g., the sequence number set to the one found within the
      SNDU, incremented by one).

Noisternig et al.     Expires January 13, 2010               [Page 17]

Internet-Draft       Security Extension for ULE              July 2009

         |   receive SNDU  |                 +-----------------+
   +---->| from MPEG layer |<----------------|   discard SNDU  |<----+
   |     +-----------------+                 +-----------------+     |
   |              v                                   ^              |
   |     +-----------------+ decoding error? +-----------------+     |
   |     |decode headers up|- - - - - - - - >|    log event    |<-+  |
   |     | to security ext.|        +------->|                 |  |  |
   |     +-----------------+        |        +-----------------+  |  |
   |              |                 |      not found/ ^           |  |
   |              v                 |  not permitted? |           |  |
   |     +-----------------+ not found?      +-----------------+  |  |
   |  +--|     get SA      |---------------->|      get SP     |  |  |
   |  |  +-----------------+        |        +-----------------+  |  |
   |  |w/o        |                 |        success? |           |  |
   |  |sec.ext.   v                 |                 v           |  |
   |  |  +-----------------+ end of |        +-----------------+  |  |
   |  |  |    check SA     |--------+        |    create SA    |->|  |
   |  |  +-----------------+ lifetime?       +----------------+   |  |
   |  |           |                          success? |           |  |
   |  |           |  +--------------------------------+           |  |
   |  |           |  |                                            |  |
   |  |           v  v                                            |  |
   |  |  +-----------------+  decoding error?                     |  |
   |  +->|   decode SNDU   |--------------------------------------+  |
   |     |  & pass to L3   |                                         |
   |     |                 |-----------------------------------------+
   |     +-----------------+  destination address mismatch?
   |              v
   |     +-----------------+
   |     |    update SA    |
   |     +-----------------+
   |              |

   Figure 3. Receiver Processing Flow Chart

7. Key Management Considerations

   Small and rather static network configurations may be supported using
   manual keying. More elaborate settings, consisting of a higher number
   of devices, or when users need to be added or excluded more
   frequently, require some automated key management. This may be
   defined independently of the ULE security extension. This section
   presents some considerations on this issue.

Noisternig et al.     Expires January 13, 2010               [Page 18]

Internet-Draft       Security Extension for ULE              July 2009

7.1. MSEC/IPsec Key Management Protocols

   MSEC/IPsec key management protocols, such as the Group Domain of
   Interpretation (GDOI) and the Group Secure Association Key Management
   Protocol (GSAKMP) protocols, may be adapted for the ULE security
   extension. This has the advantage of sharing similar functionality in
   terms of SA lookup and database architectures.

   The protocol may be run entirely within the ULE network, or it may be
   performed by some other means.  This is a matter of policy and an
   architecture decision. For example, for bidirectional transfers the
   whole key exchange procedures could be carried within the ULE
   network, while for unidirectional links some other bidirectional
   connection could be used.

7.2. Existing L2 Key Management Infrastructure

   ULE security may re-use an already existing L2 key management
   infrastructure, such as the DVB-RCS security system [5]. The format
   of the ULE-Security-ID will be the same format as defined in DVB-RCS
   security procedures.

7.3. Other Considerations

   Key management protocols are traditionally assuming bidirectional
   links. GSAKMP provides some initial support for push operation.
   However, supporting unidirectional links within the ULE network may
   require defining a new protocol. Such a protocol should be designed
   flexibly to support bidirectional operation as well without a change
   in the header structures.

   Existing L2 unidirectional mechanism may be evaluated, such as DVB-
   Conditional Access (CA) and ATSC-CA.

8. Security Considerations

   Link-level security is commonly used in broadcast/radio links to
   supplement end-to-end security, and may not be treated as a
   substitute for end-to-end security. A common objective is to provide
   the same level of privacy as terrestrial links.

   A number of security considerations specific to the ULE security
   extension have been outlined throughout the document. The following
   paragraphs extend that analysis.

   Hiding destination addresses under the identity protection service is
   an effective mechanism against traffic flow analysis. However, there

Noisternig et al.     Expires January 13, 2010               [Page 19]

Internet-Draft       Security Extension for ULE              July 2009

   are other more subtle ways for a passive adversary to deduce the real
   destination address of an SNDU, even when precluded from decoding the
   destination NPA address field. For example, SNDUs with increasing
   sequence numbers may be linked to a single connection, providing a
   hint regarding the identities of the communicating parties based on
   packet sizes and distribution patterns. Alternatives to sequence
   numbers were outlined in section 5. When SID values are selected at
   random for bidirectional links using identity protection, they may
   resemble unique temporary addresses. This may be mitigated by always
   selecting the smallest free SID value on a receiver device, thereby
   increasing the chance of equal SID values among several devices.
   However, this also means increased processing requirements in the
   filtering step for these devices.

   Other problems arise with certain cryptographic algorithms. Stateful
   algorithms are problematic for manually keyed configurations when
   devices cannot retain their cryptographic states across device
   restarts (due to power or device failures, etc.). Reuse of sequence
   numbers for the Counter (CTR) mode renders all encryption insecure.
   Receiver devices may be vulnerable to replay attacks if they do not
   remember prior lower bounds for sequence numbers. If devices cannot
   store their cryptographic state in non-volatile memory, it is advised
   that they resort to non-stateful schemes, such as the randomized
   Cipher Block Chaining (CBC) mode for encryption, or the use of
   timestamps for replay protection (if replay protection is desired).

   Many stateful schemes, such as the CTR mode of operation, require
   nonces as part of their input. As mentioned before, nonces must never
   be re-used under the same key. To provide this guarantee,
   particularly under group communication where the encryption key is
   shared among several group members, some source identifier must be
   incorporated into the construction of the nonce.

   Within ULE networks, the PID may be used as a source identifier, but
   this is not reliable. A device may receive data from different MPEG-2
   multiplexes, which both may allocate PID values independently [9].
   Furthermore, multiplexors within the network may transparently re-
   number PID values. This is a problem for receivers as they require
   the originating PID value for reconstructing nonces.

   One solution to circumvent these issues is to assign a unique sender
   identifier to each legitimate transmitter under the same key [14]. To
   avoid the problem of associating an MPEG-2 TS with a sender
   identifier, the latter is included explicitly as part of the nonce in
   each SNDU. This means that the nonce field (e.g., sequence number)
   may get enlarged by the size necessary to support a predefined
   maximum number of different senders sharing a key. The other caveat

Noisternig et al.     Expires January 13, 2010               [Page 20]

Internet-Draft       Security Extension for ULE              July 2009

   of this approach is the problem of generating and distributing unique
   sender identifiers.

   The lack of a reliable source identifier entails also a potential
   authentication insecurity. However, this only applies for specific
   communication scenarios, as outlined in section 5.

9. IANA Considerations

   The Secure-ULE header is defined in the IANA maintained Next-Header
   Registry for ULE and has the value xxSecure-ULExx.

10. Acknowledgments

   The authors acknowledge the help and advice from Gorry Fairhurst
   (University of Aberdeen), L. Duquerroy (Alcatel Alenia Space)
   Stephane Coombes (ESA) and Yim Fun Hu (University of Bradford) in the
   preparation of this document.

Noisternig et al.     Expires January 13, 2010               [Page 21]

Internet-Draft       Security Extension for ULE              July 2009

11. References

11.1. Normative References

    [1] ISO/IEC DIS 13818-1, "Information technology - Generic coding
         of moving pictures and associated audio information - Part1:
         Systems", International Standards Organisation (ISO)

    [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

    [3] Fairhurst, G. and B. Collini-Nocker, "Unidirectional
         Lightweight Encapsulation (ULE) for Transmission of IP
         Datagrams over an MPEG-2 Transport Streams", RFC 4326, December

11.2. Informative References

    [4] H. Cruickshank, P. Pillai, M. Noisternig, and S. Iyengar,
         "Security requirements for the Unidirectional Lightweight
         Encapsulation (ULE) protocol", RFC 5458, March 2009.

    [5] "Digital Video Broadcasting (DVB): Interaction Channel for
         satellite distribution systems", ETSI EN 301 790 v1.4.1, 2005.

    [6] Harney, H., Meth, U., Colegrove, A., and G. Gross, "GSAKMP:
         Group Secure Association Key Management Protocol", RFC 4535,
         June 2006.

    [7] S. Kent and K. Seo, "Security Architecture for the Internet
         Protocol", RFC 4301, December 2005.

    [8] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group
         Domain of Interpretation", RFC 3547, July 2003.

    [9] Montpetit, M., Fairhurst, G., Clausen, H., Collini-Nocker, B.,
         and H. Linder, "A Framework for Transmission of IP Datagrams
         over MPEG-2 Networks", RFC 4259, November 2005.

    [10] http://www.ietf.org/html.charters/tls-charter.html

    [11] National Institute of Standards and Technology, "Data
         Encryption Standard (DES)", Federal Information Processing
         Standard (FIPS) Publication, FIPS PUB 46-3, October 1999.

    [12] National Institute of Standards and Technology, "Advanced
         Encryption Standard (AES)", Federal Information Processing

Noisternig et al.     Expires January 13, 2010               [Page 22]

Internet-Draft       Security Extension for ULE              July 2009

         Standard (FIPS) Publication, FIPS PUB 197, November 2001.[14]                                                                          D.
         McGrew, B. Weis, "Using Counter Modes with Encapsulating
         Security Payload (ESP) and  Authentication Header (AH) to
         Protect Group Traffic", draft-ietf-msec-ipsec-group-counter-
         modes-03 (work in progress), 2009.

Author's Addresses

   Michael Noisternig
   University of Salzburg
   Jakob-Haringer-Str. 2
   5020 Salzburg
   Email: mnoist@cosy.sbg.ac.at

   Prashant Pillai
   Mobile and Satellite Communications Research Centre (MSCRC)
   School of Engineering, Design and Technology
   University of Bradford
   Richmond Road, Bradford BD7 1DP
   Email: p.pillai@bradford.ac.uk

   Haitham Cruickshank
   Centre for Communications System Research (CCSR)
   University of Surrey
   Guildford, Surrey, GU2 7XH
   Email: h.cruickshank@surrey.ac.uk

Noisternig et al.     Expires January 13, 2010               [Page 23]