<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:209457273;
mso-list-type:hybrid;
mso-list-template-ids:-1688968178 -1032557262 67895299 67895301 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.25in;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1122578749;
mso-list-type:hybrid;
mso-list-template-ids:-1471270756 -2018450062 67895309 618667778 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:•;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:53.5pt;
text-indent:-35.5pt;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:89.5pt;
text-indent:-35.5pt;
font-family:Wingdings;}
@list l1:level3
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:125.5pt;
text-indent:-35.5pt;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">I accept this answer. Proceed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Peter<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Gilles Moury <Gilles.Moury@cnes.fr><br>
<b>Date: </b>Wednesday, May 12, 2021 at 9:21 AM<br>
<b>To: </b>Peter Shames <peter.m.shames@jpl.nasa.gov><br>
<b>Cc: </b>Tom Gannett <thomas.gannett@tgannett.net>, "craig.biggerstaff-1@nasa.gov" <craig.biggerstaff-1@nasa.gov>, "sls-sea-dls@mailman.ccsds.org" <sls-sea-dls@mailman.ccsds.org>, Greg Kazz <greg.j.kazz@jpl.nasa.gov>, Gian Paolo Calzolari <Gian.Paolo.Calzolari@esa.int><br>
<b>Subject: </b>[EXTERNAL] RE: CESG-P-2021-04-001 Approval to release CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue 1.1) for CCSDS Agency review<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoPlainText">Dear Peter,<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Please find hereafter the reasons why the COP Management Service (TC) and the OCF Service (TM, AOS, USLP) are not protected by SDLS:<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">- SDLS function has to be applied to the transfer frame before the COP function at the sending end, and after the COP at the receiving end (see attached diagram - that should be added to SDLS GB for clarification of the order of processing
between the COP and SDLS). The reasons for that ordering are the following :<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:53.5pt;text-indent:-35.5pt;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">•<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>COP-1, being a go-back-N retransmission protocol, will eventually replay TC frames. SDLS is a function providing anti-replay protection, integrity and confidentiality. Therefore if FOP is applied before SDLS at the sending end, and SDLS
before FARM at the receiving end, SDLS at the receiving end will discard all replayed frames by COP-1, thus defeating the COP (and eventually blocking the link).<br>
<br>
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:53.5pt;text-indent:-35.5pt;mso-list:l1 level1 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">•<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>SDLS at the receiving end checks integrity of TC frames by checking the MAC. The MAC is a very powerful error detecting code (in fact much more powerful than the BCH code). Therefore, SDLS receiving end will discard all TC frames impacted
by transmission errors, if the FARM is applied after SDLS. This has two impacts :
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:89.5pt;text-indent:-35.5pt;mso-list:l1 level2 lfo2">
<![if !supportLists]><span style="font-family:Wingdings"><span style="mso-list:Ignore">ü<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Accountability of transmission errors vs security related events cannot be made : all errors are detected by SDLS and therefore classified as security events
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:89.5pt;text-indent:-35.5pt;mso-list:l1 level2 lfo2">
<![if !supportLists]><span style="font-family:Wingdings"><span style="mso-list:Ignore">ü<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>COP-1 will replay those SDLS rejected frames, because the FARM will never see them. Those replayed TC frames will be later rejected as replay by SDLS.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="margin-left:-.25in;mso-list:l0 level1 lfo4">given the mandatory order of processing at the sending end (SDLS before COP) and at the receiving end (COP before SDLS), COP commands cannot be protected since they are generated and
extracted respectively after and before SDLS is applied at both end of the link.<o:p></o:p></li></ul>
<p class="MsoPlainText"> <o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoPlainText" style="margin-left:-.25in;mso-list:l0 level1 lfo4">for the OCF Service, again the order of processing at the sending end makes it unpractical to protect the OCF: the interface to the SDLS function is either with the VC generation function
or with the VC multiplexing function; in both cases before the MC_OCF is appended to the frame by the Master Channel Generation function.<o:p></o:p></li></ul>
<p class="MsoListParagraph"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Not protecting the COP commands and the OCF (i.e CLCW and FSR) has indeed implications as stated in Annex B1 of SDLS BB : “The Security Protocol provides no protection to TC COP control commands nor to COP CLCW
status information returned in the OCF; an attacker could use false COP control directives or OCF contents to interfere with a communications session.”. Nevertheless, this residual risk was evaluated as acceptable operationally by the WG since the legitimate
operator can always reinitialize the COP. Denial of service is only temporary and not so easy to implement in the first place.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">I leave it to the WG members to complement my answer. I might have missed part of the rationale.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Best regards,<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">Gilles <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Gilles MOURY<o:p></o:p></p>
<p class="MsoPlainText">SDLS WG Chairman<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"><span style="mso-fareast-language:FR">-----Message d'origine-----<br>
De : CCSDS Secretariat <thomas.gannett@tgannett.net> <br>
Envoyé : mardi 4 mai 2021 17:48<br>
À : Moury Gilles <Gilles.Moury@cnes.fr>; craig.biggerstaff-1@nasa.gov<br>
Cc : Peter.M.Shames@jpl.nasa.gov<br>
Objet : Re: CESG-P-2021-04-001 Approval to release CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue 1.1) for CCSDS Agency review</span><o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Dear Document Rapporteur,<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">The CESG poll to approve release of CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue 1.1) for CCSDS Agency review concluded with conditions. Please negotiate disposition of the conditions directly with the AD(s)
who voted to approve with conditions and CC the Secretariat on all related correspondence.<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">CESG E-Poll Identifier: CESG-P-2021-04-001 Approval to release CCSDS 355.0-P-1.1, Space Data Link Security Protocol (Pink Sheets, Issue<o:p></o:p></p>
<p class="MsoPlainText">1.1) for CCSDS Agency review<o:p></o:p></p>
<p class="MsoPlainText">Results of CESG poll beginning 19 April 2021 and ending 3 May 2021:<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> Abstain: 0 (0%) Approve Unconditionally: 4 (80%) (Merri, Duhaze, Burleigh, Moury) Approve with Conditions: 1 (20%) (Shames) Disapprove with Comment: 0 (0%)<o:p></o:p></p>
<p class="MsoPlainText">CONDITIONS/COMMENTS:<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> Peter Shames (Approve with Conditions): In looking these Pink
<o:p></o:p></p>
<p class="MsoPlainText">Sheets over it does occur to me that not providing protection to the OCF and COP fields creates a vulnerbility that can be exploted by an adversary. Annex B properly identifies this as a security vulnerability. Can you state why this
choice was made and why it would not be appropriate to also provide coverage for these operationally required fields that can potentially be attacked?<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">Total Respondents: 5<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">No response was received from the following Area(s):<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> CSS<o:p></o:p></p>
<p class="MsoPlainText"> SOIS<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">SECRETARIAT INTERPRETATION OF RESULTS: Approved with Conditions<o:p></o:p></p>
<p class="MsoPlainText">PROPOSED SECRETARIAT ACTION: Generate CMC poll after
<o:p></o:p></p>
<p class="MsoPlainText">conditions have been addressed<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">* * * * * * * * * * * * * * * * * * * * * * * *<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
</div>
</body>
</html>