<HTML>
<HEAD>
<TITLE>Re: RE : RE : [Sls-slp] Security, NGU and New TC services and there effecton COP-1</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I’ll take a little issue with Gilles, It all depends on where the frame/CLTU is crated. If the creation is in the POCC and sent vial FCLTU service than scenario one is totally compatible with every thing. (flight and ground). The TC Decoder is unaffected as is the COP. The security ia added befor the frame leaves the POCC and is process on the S/C before the frame is delivered to the TC Decoder. <BR>
<BR>
<BR>
On 10/16/09 10:52 AM, "Gilles Moury" <<a href="gilles.moury@cnes.fr">gilles.moury@cnes.fr</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hello Marjorie,<BR>
<BR>
With respect to the interaction between COP-1 and SDLS protocol in TC, there are 2 possible scenarios :<BR>
<BR>
Scenario 1 :<BR>
<BR>
Sending end : FOP then SDLS procedure<BR>
Receiving end : SDLS procedure then FARM<BR>
<BR>
<BR>
Scenario 2 :<BR>
<BR>
Reverse order both at sending end and receiving end<BR>
<BR>
<BR>
Pros/Cons :<BR>
- scenario 1 :<BR>
Pros : DLS protocol protects all TC frames (AD, BD, BC). Especially BC frames are protected which is not negligible in terms of overall security of the TC link.<BR>
Cons : SDLS control commands cannot benefit from AD service. If you handle FOP and transfer sub-layer at the ground station, you need to implement SDLS sending end at the ground station as well which can be a security problem (key protection).<BR>
<BR>
<BR>
- scenario 2 :<BR>
Pros : fully compatible with existing CCSDS TC decoder : SDLS processor (receiving end) can be plugged in at the output of existing TC decoders. Security errors (detected & reported by SDLS only) can be easily distinguished from channel errors (detected & reported by FARM only). SDLS specification easier to develop because SDLS protocol clearly separated from transfer sublayer (in between transfer sub-layer and segmentation sub-layer). SDLS control commands can benefit from AD service.<BR>
Cons : SDLS protocol position in CCSDS stack different in TC (between segmentation and transfer sub-layers) and in TM/AOS (between transfer and coding sub-layers). Lower security (no security for BC frames).<BR>
<BR>
Best regards,<BR>
<BR>
Gilles<BR>
<BR>
Gilles MOURY<BR>
CNES Toulouse<BR>
<BR>
<BR>
-----Message d'origine-----<BR>
De : <a href="sls-slp-bounces@mailman.ccsds.org">sls-slp-bounces@mailman.ccsds.org</a> [<a href="mailto:sls-slp-bounces@mailman.ccsds.org">mailto:sls-slp-bounces@mailman.ccsds.org</a>] De la part de Marjorie de Lande Long<BR>
Envoyé : vendredi 16 octobre 2009 19:12<BR>
À : Moury Gilles<BR>
Cc : SLS-SLP WG; Gian.Paolo.Calzolari; Shames, Peter M (3130); Matt Cosby; Howie Weiss; Greenberg, Edward (313B)<BR>
Objet : RE : [Sls-slp] Security, NGU and New TC services and there effecton COP-1<BR>
<BR>
<BR>
Hallo everyone,<BR>
<BR>
I have been following this discussion with interest, about the position<BR>
of the security checks w.r.t. the FARM at the receiving end. <BR>
<BR>
> In short, your common conclusion is that there is no interaction<BR>
> between DLS protocol and COP-1 protocol which ever the order in which<BR>
> we process them. Am I correct ?<BR>
<BR>
The position of the security at the sending end is another factor. I think there is some interaction with the FOP there:<BR>
<BR>
1. The Cryptography Service draft says the ICV (Integrity Check Value) is computed over the whole frame except for the optional CRC. If that is correct, then it includes the Frame Primary Header, which has the Frame Sequence Number. For AD frames, the sequence number is provided by the FOP, so that should mean that the security is done after the FOP at the sending end. BC frames are created inside the FOP, and that also suggests that the security is done after the FOP. (Does the same security apply to BC frames?)<BR>
<BR>
2. And if (1) is true, then symmetry at the receiving end would place the security checks before the FARM.<BR>
<BR>
Best regards,<BR>
Marjorie<BR>
<BR>
<BR>
On Fri, 2009-10-16 at 16:43 +0200, Moury Gilles wrote:<BR>
> Good afternoon Ed and Matt,<BR>
> <BR>
> At our next SDLS WG meeting, we will have to decide where we insert<BR>
> the Data Link Security sublayer within the CCSDS Data Link Layer.<BR>
> Several options exist. If I understood well, what you agree on is that<BR>
> we can, for TC at the receiving end :<BR>
> <BR>
> - either perform security check before the FARM, in that case any AD<BR>
> frame rejected by security will be NACKed and retransmitted by COP<BR>
> - either perform security check after FARM, just before handling TC<BR>
> segment to the upper layer. In that case, upper layers will have to<BR>
> handle missing segments/packets (I assume DLS protocol will not<BR>
> include yet another retransmission protocol !).<BR>
> <BR>
> In short, your common conclusion is that there is no interaction<BR>
> between DLS protocol and COP-1 protocol which ever the order in which<BR>
> we process them. Am I correct ?<BR>
> <BR>
> Personally, I favour "security check before FARM" scenario since, as<BR>
> Ed states, it provides automatic retransmission of frames which did<BR>
> not pass security checks.<BR>
> <BR>
> Best regards,<BR>
> Gilles<BR>
> <BR>
> <BR>
> Gilles MOURY<BR>
> CNES Toulouse<BR>
><BR>
> <BR>
> -----Message d'origine-----<BR>
> De : <a href="sls-slp-bounces@mailman.ccsds.org">sls-slp-bounces@mailman.ccsds.org</a><BR>
> [<a href="mailto:sls-slp-bounces@mailman.ccsds.org">mailto:sls-slp-bounces@mailman.ccsds.org</a>] De la part de<BR>
> Greenberg, Edward (313B)<BR>
> Envoyé : jeudi 15 octobre 2009 18:23<BR>
> À : Howie Weiss; Matt Cosby<BR>
> Cc : Shames, Peter M (3130); SLS-SLP WG<BR>
> Objet : Re: [Sls-slp] Security, NGU and New TC services and<BR>
> there effecton COP-1<BR>
> <BR>
> <BR>
> As usual Howie you are correct....except there needs to be a<BR>
> process somewhere for the system on an end to end basis to<BR>
> report the failure at the security point or at the application<BR>
> layer. Are we going to invent a protocol to do that at the<BR>
> security layer;. notifying the remote user of the failure at<BR>
> the security check point? Cop-1 will respond to the loss of a<BR>
> frame and request a replacement. I guess we could relate you<BR>
> argument to TCP; its role is to handle link problems (ordering<BR>
> and loss) and security (using IPSec) is riding on top of<BR>
> that. If the system requires in order delivery of good data<BR>
> without loss then there needs to be a protocol at the<BR>
> application layer that requests the missed item. I don't<BR>
> believe that we want to do that.....so I'll continue to say<BR>
> that the COP is there to assure the delivery of in order<BR>
> without loss delivery.<BR>
> <BR>
> <BR>
> On 10/15/09 7:51 AM, "Howie Weiss" <<a href="Howard.Weiss@cobham.com">Howard.Weiss@cobham.com</a>><BR>
> wrote:<BR>
> <BR>
> Where we disagree is that the COP isn't "broken" if<BR>
> you put the security afterwards and the security layer<BR>
> fails its checks. This comes back to where the<BR>
> COP/FARM has finished its job (to guarantee delivery<BR>
> of complete in sequence, error free commands). Our<BR>
> disagreement was that I believe that the COP has<BR>
> finished when it hands the command to the next process<BR>
> (whatever that is) - in this example it is the<BR>
> security layer. You believe that the COP has not<BR>
> completing its job correctly if the next process or<BR>
> processes throws the command away for another failure<BR>
> - in this case if the security has failed.<BR>
> <BR>
> This is analogous to IPSec being above the link and<BR>
> network (IP) layers. While IP does not guarantee<BR>
> in-order delivery it does (sort of) guarantee that the<BR>
> packet isn't clobbered (based on its weak checksum).<BR>
> But IP is supposed to simply hand-of what it thinks<BR>
> is a good packet to IPSec for security processing. IP<BR>
> washes its (virtual) hands of the packet and it<BR>
> becomes IPSec's responsibility to pass it up to the<BR>
> next layer as "good" to to send it to the bit-bucket<BR>
> because it didn't pass muster.<BR>
> <BR>
> Howie<BR>
> <BR>
> -----------------------<BR>
> <BR>
> Howard Weiss<BR>
> Technical Director<BR>
> SPARTA National Security Sector<BR>
> Cobham Analytic Solutions<BR>
> T: 443 430 8089<BR>
> F: 443 430 8238<BR>
> C: 410 261 1479<BR>
> <a href="howard.weiss@cobham.com">howard.weiss@cobham.com</a><BR>
> <BR>
> SPARTA, Inc., dba Cobham Analytic Solutions, 7110<BR>
> Samuel Morse Dr., Columbia MD 21046 www.sparta.com<BR>
> <<a href="http://www.sparta.com/">http://www.sparta.com/</a>><BR>
> <BR>
> Please consider the environment before printing this<BR>
> email<BR>
> <BR>
> <BR>
> <BR>
> <BR>
> <BR>
> _______________________________________________<BR>
> Sls-slp mailing list<BR>
> <a href="Sls-slp@mailman.ccsds.org">Sls-slp@mailman.ccsds.org</a><BR>
> <a href="http://mailman.ccsds.org/mailman/listinfo/sls-slp">http://mailman.ccsds.org/mailman/listinfo/sls-slp</a><BR>
<BR>
<BR>
_______________________________________________<BR>
Sls-slp mailing list<BR>
<a href="Sls-slp@mailman.ccsds.org">Sls-slp@mailman.ccsds.org</a> <a href="http://mailman.ccsds.org/mailman/listinfo/sls-slp">http://mailman.ccsds.org/mailman/listinfo/sls-slp</a><BR>
<BR>
_______________________________________________<BR>
Sls-slp mailing list<BR>
<a href="Sls-slp@mailman.ccsds.org">Sls-slp@mailman.ccsds.org</a><BR>
<a href="http://mailman.ccsds.org/mailman/listinfo/sls-slp">http://mailman.ccsds.org/mailman/listinfo/sls-slp</a><BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>