<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="FR" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText"><span lang="EN-US">Dear Peter,<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Please find hereafter the reasons why the COP Management Service (TC) and the OCF Service (TM, AOS, USLP) are not protected by SDLS:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">- SDLS function has to be applied to the transfer frame before the COP function at the sending end, and after the COP at the receiving end (see attached diagram - that should be added to SDLS GB for clarification of
the order of processing between the COP and SDLS). The reasons for that ordering are the following :<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:53.5pt;text-indent:-35.5pt;mso-list:l1 level1 lfo2">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">•<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">COP-1, being a go-back-N retransmission protocol, will eventually replay TC frames. SDLS is a function providing anti-replay protection, integrity and confidentiality. Therefore if FOP is applied before SDLS
at the sending end, and SDLS before FARM at the receiving end, SDLS at the receiving end will discard all replayed frames by COP-1, thus defeating the COP (and eventually blocking the link).<br>
<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:53.5pt;text-indent:-35.5pt;mso-list:l1 level1 lfo2">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">•<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">SDLS at the receiving end checks integrity of TC frames by checking the MAC. The MAC is a very powerful error detecting code (in fact much more powerful than the BCH code). Therefore, SDLS receiving end will
discard all TC frames impacted by transmission errors, if the FARM is applied after SDLS. This has two impacts :
<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:89.5pt;text-indent:-35.5pt;mso-list:l1 level2 lfo2">
<![if !supportLists]><span lang="EN-US" style="font-family:Wingdings"><span style="mso-list:Ignore">ü<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">Accountability of transmission errors vs security related events cannot be made : all errors are detected by SDLS and therefore classified as security events
<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:89.5pt;text-indent:-35.5pt;mso-list:l1 level2 lfo2">
<![if !supportLists]><span lang="EN-US" style="font-family:Wingdings"><span style="mso-list:Ignore">ü<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">COP-1 will replay those SDLS rejected frames, because the FARM will never see them. Those replayed TC frames will be later rejected as replay by SDLS.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo3">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">given the mandatory order of processing at the sending end (SDLS before COP) and at the receiving end (COP before SDLS), COP commands cannot be protected since they are generated and extracted respectively after
and before SDLS is applied at both end of the link.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo3">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">for the OCF Service, again the order of processing at the sending end makes it unpractical to protect the OCF: the interface to the SDLS function is either with the VC generation function or with the VC multiplexing
function; in both cases before the MC_OCF is appended to the frame by the Master Channel Generation function.<o:p></o:p></span></p>
<p class="MsoListParagraph"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US">Not protecting the COP commands and the OCF (i.e CLCW and FSR) has indeed implications as stated in Annex B1 of SDLS BB : “The Security Protocol provides no protection to TC COP control commands
nor to COP CLCW status information returned in the OCF; an attacker could use false COP control directives or OCF contents to interfere with a communications session.”. Nevertheless, this residual risk was evaluated as acceptable operationally by the WG since
the legitimate operator can always reinitialize the COP. Denial of service is only temporary and not so easy to implement in the first place.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US">I leave it to the WG members to complement my answer. I might have missed part of the rationale.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US">Gilles </span>
<span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Gilles MOURY<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">SDLS WG Chairman<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="mso-fareast-language:FR">-----Message d'origine-----<br>
De : CCSDS Secretariat <thomas.gannett@tgannett.net> <br>
Envoyé : mardi 4 mai 2021 17:48<br>
À : Moury Gilles <Gilles.Moury@cnes.fr>; craig.biggerstaff-1@nasa.gov<br>
Cc : Peter.M.Shames@jpl.nasa.gov<br>
Objet : Re: CESG-P-2021-04-001 Approval to release CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue 1.1) for CCSDS Agency review</span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Dear Document Rapporteur,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The CESG poll to approve release of CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue 1.1) for CCSDS Agency review concluded with conditions. Please negotiate disposition of the conditions directly with the AD(s)
who voted to approve with conditions and CC the Secretariat on all related correspondence.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">CESG E-Poll Identifier: CESG-P-2021-04-001 Approval to release CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue<o:p></o:p></p>
<p class="MsoPlainText">1.1) for CCSDS Agency review<o:p></o:p></p>
<p class="MsoPlainText">Results of CESG poll beginning 19 April 2021 and ending 3 May 2021:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> Abstain: 0 (0%) Approve Unconditionally: 4 (80%) (Merri, Duhaze, Burleigh, Moury) Approve with Conditions: 1 (20%) (Shames) Disapprove with Comment: 0 (0%)<o:p></o:p></p>
<p class="MsoPlainText">CONDITIONS/COMMENTS:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> Peter Shames (Approve with Conditions): In looking these Pink
<o:p></o:p></p>
<p class="MsoPlainText">Sheets over it does occur to me that not providing protection to the OCF and COP fields creates a vulnerbility that can be exploted by an adversary. Annex B properly identifies this as a security vulnerability. Can you state why this
choice was made and why it would not be appropriate to also provide coverage for these operationally required fields that can potentially be attacked?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Total Respondents: 5<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">No response was received from the following Area(s):<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> CSS<o:p></o:p></p>
<p class="MsoPlainText"> SOIS<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">SECRETARIAT INTERPRETATION OF RESULTS: Approved with Conditions<o:p></o:p></p>
<p class="MsoPlainText">PROPOSED SECRETARIAT ACTION: Generate CMC poll after
<o:p></o:p></p>
<p class="MsoPlainText">conditions have been addressed<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">* * * * * * * * * * * * * * * * * * * * * * * *<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</body>
</html>