Internet DRAFT - draft-eastlake-linksectos

draft-eastlake-linksectos



HTTP/1.1 200 OK
Date: Mon, 08 Apr 2002 23:42:57 GMT
Server: Apache/1.3.20 (Unix)
Last-Modified: Wed, 09 Dec 1992 04:36:00 GMT
ETag: "3ddd83-2a7e-2b2577b0"
Accept-Ranges: bytes
Content-Length: 10878
Connection: close
Content-Type: text/plain






INTERNET-DRAFT             Link Security TOS        Donald Eastlake, III
                                                        15 November 1992
                                                     Expires 14 May 1993



                 Physical Link Security Type of Service


Abstract

   This draft proposes a type of service (TOS) to request maximum
   physical link security.  This would be an addition to the types of
   service enumerated in RFC 1349: Type of Service in the Internet
   Protocol Suite.  This TOS would request the network to provide what
   protection it can against surreptitious observation by outside agents
   of traffic so labeled.  The purpose is protection against traffic
   analysis and as an additional possible level of data confidentiality.
   This TOS is consistent with all other defined types of service in
   that it is based on physical link characteristics and will not
   provide any particular guaranteed level of service.

   This draft is intended to be submitted to the RFC editor as a
   Proposed Standard.  Distribution of this document is unlimited.

   Please send any comments to the  author, Donald Eastlake, III,
   <dee@ranger.enet.dec.com>.


Status

   This document is an Internet Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months.  Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress.'' Please check the 1id-
   abstracts.txt listing contained in the internet-drafts Shadow
   Directories on nic.ddn.mil, nnsc.nsf.net, nic.nordu.net,
   ftp.nisc.sri.com, or munnari.oz.au to learn the current status of any
   Internet Draft.

   This draft expires 14 May 1993




Eastlake                                                        [Page 1]


INTERNET-DRAFT             Link Security TOS     Donald E. Eastlake, III


1. Nature of Requirement

   This proposal addresses two potential security requirements:
   resistance to traffic analysis and confidentiality.  These are
   described in the two subsections below followed by a discussion of
   why links have different levels of physical security so that it is
   meaningful to request that more secure links by used.

1.1 Traffic Analysis

   At this time all Internet Protocol (IP) packets must have most of
   their header information, including the from and to address, in the
   clear.  This is required for routers to properly handle the traffic
   even if a higher level protocol fully encrypts all bytes in the
   packet after the IP header.  This renders even end-to-end encrypted
   IP packets subject to traffic analysis if the data stream can be
   observed.  While traffic statistics are normally less sensitive than
   the data content of packets, in some cases activities of hosts or
   users are deducible from traffic information.

   It is essential that routers have access to header information, so it
   is hard to protect traffic statistics from an entity inside the
   network.  However, use of more secure physical links will make
   traffic observation by entities outside of the network more difficult
   thus improving protection from traffic analysis.

   No doubt users would like to be able to request a guaranteed level of
   link security, just as they would like to be able to request a
   guaranteed bandwidth or delay through the network.  However, such
   guarantees require a resource reservation and/or policy routing
   scheme and are beyond the scope of the TOS facility.

   Although the TOS field is provided in all current Internet packets
   and routing based on TOS is provided in routing protocols such as
   OSPF, there is no chance that all of the Internet will implement the
   proposed additional TOS anytime in the foreseeable future.
   Nevertheless, users concerned about traffic analysis need to be able
   to request that the physical security of the links over which their
   packets will be pass be maximized in preference to other link
   characteristics.  The proposed TOS provides this capability.

1.2 Confidentiality

   Use of physical links with greater physical security provides a layer
   of protection for the confidentiality of the data in the packets as
   well as traffic analysis protection.  If the content of the packets
   are otherwise protected by end-to-end encryption, using secure links
   makes it harder for an external adversary to obtain the encrypted
   data to attack.  If the content of the packets is unencrypted plain
   text, secure links may provide the only protection of data


Eastlake                                                        [Page 2]


INTERNET-DRAFT             Link Security TOS     Donald E. Eastlake, III


   confidentiality.

   There are cases where end-to-end encryption can not be used.
   Examples include paths which incorporate links within nations which
   severely restrict encryption, such as France, or which incorporate an
   amateur radio link, where encryption is prohibited.  In these cases,
   link security is generally the only type of security available.  The
   proposed TOS will provide a way of requesting the best that the
   network can do for the confidentiality of such unencrypted data.

   This TOS is required for improved confidentiality, especially in
   cases where encryption can not be used, despite the fact that it does
   not provide the guarantees that many users would like.  See
   discussion at the end of the Traffic Analysis section above.

   1.3 Link Physical Security Characteristics

   Physical links differ widely in their susceptibility to surreptitious
   observation of the traffic flowing over them. For example:

   1) Land line media is usually harder to intercept than radio
   broadcast media.

   2)  Between radio broadcast media, spread spectrum, or other low
   probability of intercept systems, are harder to intercept than normal
   broadcast systems.  At the other extreme, systems with a large
   footprint on the earth, such as some satellite down links, may be
   particularly accessible.

   3) Between land lines, point to point systems are generally harder to
   intercept than multi-point systems such as Ethernet or FDDI.

   4) Fiber optic land lines are generally harder to intercept than
   metallic paths because fiber is harder to tap.

   5) A secure land line, such as one in pressurized conduit with
   pressure alarms or one installed so as to be observable by guards, is
   harder to intercept than an unsecured land line.

   6) An encrypted link would be preferable to an unencrypted link
   because, even if it was intercepted, it would be much more difficult
   to obtain any useful information.

   The above comparisons show that there are significant real
   differences between the security of the physical links in use in the
   Internet.  Choosing links where it is hard for an outside observer to
   observe the traffic improves confidentiality and protection against
   traffic analysis.




Eastlake                                                        [Page 3]


INTERNET-DRAFT             Link Security TOS     Donald E. Eastlake, III


2. Specification

   The value 15 decimal (F hex) in the four-bit Type of Service IP
   header field requests routing the packet to minimize the chance of
   surreptitious observation of its contents by agents external to the
   network.


3. Note on Choice of TOS Value

   The value 15 is at the maximum hamming distance from existing TOS
   values.  In addition, although the TOS field is no longer bit
   encoded, this value is chosen so that it is binarily convenient to
   specify any pair of the five defined TOS attributes should it be
   decided to make such a pair a recognized TOS.  The exclusive-or
   (i.e., bitwise addition without carry) of any pair of the five TOS
   values produces a new value not presently used for a defined TOS
   which could be used to specify the combination of the two types of
   service indicated by the values that were so combined.


4. Implementation

   This TOS can be implemented in routing systems that offer TOS based
   routing (as can be done with OSPF, see RFCs 1245 through 1248) by
   assigning costs to links.  Establishing the "cost" for different
   links for this TOS is a local policy function.

   In principle services are incomparable when criterion such as those
   given in the Nature of Requirement section above conflict.  For
   example a choice between an encrypted broadcast system and an
   unencrypted fiber optic land line.  In practice, link encryption
   would probably dominate all other forms of protection and physical
   security as mentioned in criterion 5 above would dominate other land
   line distinctions.

   An example of costs for a hypothetical router would be as follows:

           Cost    Type
            1      Strong encryption with secure key distribution
            2      Physically secure point-to-point line
            6      Typical point-to-point line
            8      Typical local multi-point media
           12      Metropolitan area multi-point media
           24      Local radio broadcast
           32      Satellite link

   It should be noted that routing algorithms typically compute the sum
   of the costs of the links.  For this particular type of service, the
   product of the link probabilities of secure transmission would be


Eastlake                                                        [Page 4]


INTERNET-DRAFT             Link Security TOS     Donald E. Eastlake, III


   more appropriate.  However, the same problem is present for the high
   reliability TOS and the use of a sum is an adequate approximation for
   most uses.

   It should also be noted that using costs such as the sample given
   above could result in using many more links than if the default class
   of service were requested.  For example, over 50 highly secure links
   where two insecure links, such as a satellite hop and a radio link,
   might otherwise have served.


Security Considerations

   The entirety of this draft concerns an Internet Protocol Type of
   Service to request maximum physical link security against
   surreptitious interception.


Author's Address

   Donald E. Eastlake, III
   PO Box N, MIT Branch PO
   Cambridge, MA 02139 USA

   phone:  +1 508 486 2358

   email:  dee@ranger.enet.dec.com


Expiration

   This draft expires 14 May 1993.




















Eastlake                                                        [Page 5]