ITU-T X 273-1994 Information Technology - Open Systems Interconnection - Network Layer Security Protocol - Data Networks and Open System Communications Open Systems Interconnection.pdf

1、- ITU-T RECMN*X=273 94 4862593 05968117 323 = INTERNATIONAL TELECOMMUNICATION UNION ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS OPEN SYSTEMS INTERCONNECTION - SECURITY PROTOCOLS X.273 (07/94) INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION

2、 - NETWORK LAYER SECURITY PROTOCOL ITU-T Recommendation X.273 (Previously “CCIlT Recommendation“) ITU-T RECMNxX.273 94 W 4862593 059b848 2bT FOREWORD (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Telecommunication Standar

3、dization Sector (ITU-T) is a permanent organ of the ITU. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T which is the body which sets world telecommunications standards . (Recommendations).

4、The approval of Recommendations by the Members of ITU-T is covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to it and establishes

5、the study programme for the following period. In some areas of information technology which fall within IT-Ts purview, the necessary standards are prepared on a collaborative basis with IS0 and IEC. The text of -T Recommendation X.273 was approved on 1st of July 1994. The identical text is also publ

6、ished as ISO/IEC International Standard 11577. NOTE In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. O ITU 1995 All rights reserved. No part of this publication may be reproduced or

7、utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU. ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS (FEBRUARY 1994) PUBLIC DATA NETWORKS Services and Facilities ORGANIZATION OF X

8、-SERIES RECOMMENDATIONS X.l-X.19 Subject area Transmission, Signalling and Switching Network AsDects Recommendation I series X.50-X.89 X.90-X. 149 Maintenance Administrative Arrangements I interfaces I X.20-X.49 I X. 150-X.179 X. 180-X. 199 OPEN SYSTEMS INTERCONNECTION Model and Notation x.200-x.209

9、 Service Definitions Connection-mode Protocol Soecifications X.210-X.219 X.220-X.229 Connectionless-mode Protocol Specifications PICS Proformas X.230-X.239 X.240-X.259 Protocol Identification Securitv Protocols X.260-X.269 X.270-X.279 Layer Managed Objects Conformance Testing X.280-X.289 X.290-X.299

10、 INTERWORKING BETWEEN NEIWORKS General x.300-x.349 Mobile Data Transmission Systems Management X.350-X.369 X.370-X.399 MESSAGE HANDLING SYSTEMS DIRECTORY x.400-x.499 x.500-x.599 OS1 NETWORKING AND SYSTEM ASPECTS Networking X.600-X.649 Naming, Addressing and Registration Abstract Svntax Notation One

11、ASN.1) X.650-X.679 X.680-X.699 - OS1 MANAGEMENT x.700-x.799 SECURiTY X.800-X. 849 OS1 APPLICATIONS Commitment, Concurrency and Recovery X.850-X.859 Transaction Processing X.860-X.879 Remote Operations OPEN DISTRIBUTED PROCESSING X.880-X.899 x.900-x.999 4 5 6 7 CONTENTS Scope Normative references . 2

12、.1 Identical Recommendations I International Standards 2.2 Paired Recommendations I International Standards equivalent in technical content 2.3 Additional References . Definitions 3.1 Reference Model definitions . 3.2 Security Architecture definitions 3.3 Service Convention definitions . 3.4 Network

13、 Service definitions 3.5 Internal Organisation of the Network Layer definitions . 3.6 Connectionless Network Protocol definitions . 3.7 Upper Layer Security Model definitions 3.8 Conformance Testing definitions 3.9 Additional definitions . Abbreviations . 4.1 Data Units . 4.2 Protocol Data Unit Fiel

14、ds 4.3 Parameters . 4.4 Miscellaneous . Overview of the Protocol . 5.1 Introduction . 5.2 Overview of Services Provided 5.3 Overview of Services Assumed 5.4 Security Associations and Security Rules . 5.5 Overview of Protocol - Protection Functions . 5.6 Overview of Protocol - NLSP-CL 5.7 Overview of

15、 Protocol - NLSP-CO . Protocol Functions Common to NLSP-CL and NLSP-CO 6.1 Introduction . 6.2 Common SA Attributes . 6.3 6.4 Secure Data Transfer Protocol Functions . 6.5 Use of a Security Association Protocol . Protocol Functions FOR NLSP-CL 7.1 Services Provided by NLSP-CL . 7.2 Services Assumed .

16、 7.3 Security Association Attributes 7.4 Checks . 7.5 In-Band SA Establishment 7.6 Processing NLSP-UNITDATA Request . 7.7 Processing UN-UNITDATA Indication . Common Functions on a Request for an Instance of Communication Page 1 2 2 2 3 3 3. 3 4- 4 4 4 4 4 5 5 5 5 5 5 6 6 7 7 8 8 10 * 11 /- 13 13 13

17、14 14 16 16 16 17 17 17 17 17 18 Recommendation X.273 (07194) i ITU-T RECMN*X-273 94 = 48b259L 059b85L 854 8 9 10 11 12 13 14 Protocol Functions for NLSP-CO 8.1 Services Provided by NLSP-CO . 8.2 Services Assumed . 8.3 Security Association Attributes 8.4 Checks and other Common Functions 8.5 NLSP-Co

18、nnect Functions . 8.6 NLSP-DATA Functions 8.7 NLSP-EXPEDITED-DATA Functions 8.8 RESET Functions 8.9 NLSP-DATA ACKNOWLEDGE 8.10 NLSP-DISCONNECT 8.1 1 Other Functions . 8.12 Peer Entity Authentication Overview of Mechanisms used 9.1 Security Services and Mechanisms . 9.2 Functions Supported . Connecti

19、on security control (NLSP-CO only) . 10.1 Overview . 10.2 SA-Attributes 10.3 Procedures . 10.4 CSC-PDU Fields used . SDT PDU Based encapsulation Function 11.1 Overview . 11.2 SA Attributes 1 1.3 Procedures . 11.4 PDU Fields used . No-Header Encapsulation Function (NLSP-CO only) . 12.1 Overview . 12.

20、2 SA Attributes 12.3 Procedures . Structure and Encoding of PDUS 13.1 Introduction . 13.2 Content Field Format 13.3 Protected Data . 13.4 Security Association PDU 13.5 Connection Security Control PDU Conformance 14.1 Static Conformance Requirements 14.2 Dynamic Conformance Requirements 14.3 Protocol

21、 Implementation Conformance Statement . Annex A . Mapping UN primitives to CCITT Rec . X.213 I IS0 8348 . Annex B . Mapping UN Primitives to CCITT Rec . X.25 I IS0 8208 . Page 19 19 20 21c 21 22. 33. 34 35 36. 36 39 400 41. 41 42 42 42 43 44 45 45 45 46 47 49 49 49 49 50 50 50 51 51 57 57 59 59 61 6

22、1 62 63 ii Recommendation X.273 (07D4) ITU-T RECMNrX.273 9q = V8b2571 0576852 790 Annex C . Security Association Protocol Using Key Token Exchange and Digital Signatures . C.1 Overview . C.2 Key Token Exchange (KTE) C.3 SA-Protocol Authentication C.4 SA Attribute Negotiation C.5 SA AbodRelease C.6 C

23、.7 SA PDU - SA Contents Annex D - NLSP PICS Proforma D.l Introduction . D.2 Abbreviations and Special Symbols . D.3 Instructions for Completing the PICS Proforma . D.4 Identification . D.5 Features Common to NLSP-CO and NLSP-CL D.6 Features Specific to NLSP-CL D.7 Features Specific to NLSP-CO . Anne

24、x E - Tutorial on some Basic Concepts of NLSP E.l Basis of Protection . E.2 Underlying vs NLSP Service E.3 NLSP Addressing E.4 Connection Mode NLSP . ES Connectionless Mode NLSP . E.6 Security Attributes and Associations E.7 Dynamic Functional Relationship between NLSP and CLI“ E.8 Annex F - Example

25、 of an Agreed Set of Security Rules . Annex G - Security Associations and Attributes . Annex H - Example Key Token Exchange - EKE Algorithm Mapping of SA-Protocol Functions to Protocol Exchanges . Dynamic Functionality Related to Layered Model . Page 64 64 65 65 66 67 67 70 74 74 74 74 76 77 81 83 8

26、7 87 88 88 92 94 99 99 101 103 105 107 Recommendation X.273 (07/94) iii _ . ITU-T RECMN*X.273 9L1 48b259L 059b853 b27 M Sumary This Recommendation I International Standard specifies the protocol to support the integrity, confidentiality, authentication and access control services identified in the O

27、S1 security model as applicable to connection-mode and connectionless-mode network layer protocols. The protocol supports these services through the use of cryptographic mechanisms, security labelling and assigned security attributes, such as cryptographic keys. iv Recommendation X.273 (07/94) Intro

28、duction The protocol defined by this IT-T Recommendation I International Standard is used to provide security services in support of an instance of communication between lower layer entities. This protocol is positioned with respect to other Standards by the layered structure defined in CC Rec. X.20

29、0 I IS0 7498 and by the Network layer organization as defined in IS0 8648 and extended by ITU-T Rec. X.802 I TR 13595 (Lower Layer Security Model). It provides security services in support of both connection-mode and connectionless-mode Network services. In particular, this protocol is located in th

30、e Network layer, and it has functional interfaces and clearly defined service interfaces at its upper and lower boundaries. To evaluate conformance of a particular implementation, it is necessary to have a statement of which capabilities and options have been implemented for a given OS1 protocol. Su

31、ch a statement is called a Protocol Implementation Conformance Statement (PICS). Recommendation X.273 (07/94) V - ITU-T RECMNxX.273 94 W 48b259L 0596855 4TT 9 ISo/IEC 11577 : 1995 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - NETWORK LAYER SE

32、CURITY PROTOCOL 1 Scope This IT-T Recommendation I International Standard specifies a protocol to be used by End Systems and Intermediate Systems in order to provide security services in the Network layer, which is defined by CCITT Rec. X.213 I IS0 8348, IS0 8348 AD2 and IS0 8648. The protocol defin

33、ed in this ITU-T Recommendation I International Standard is called the Network Layer Security Protocol (NLSP). This ITU-T Recommendation I International Standard specifies: 1) Support for the following security services defined in CCITT Rec. X.800 I IS0 7498-2: a) peer entity authentication; b) data

34、 origin authentication; c) access control; d) connection confidentiality; e) connectionless confidentiality; f) traffic flow confidentiality; g) connection integrity without recovery (including Data Unit Integrity, in which individual SDUs on a connection are integrity protected); h) connectionless

35、integrity. The functional requirements for implementations that claim conformance to this ITU-T Recommen- dation I International Standard. 2) The procedures of this protocol are defined in terms of: a) b) requirements on the cryptographic techniques that can be used in an instance of this protocol;

36、requirements on the information carried in the security association used in an instance of communication. Although the degree of protection afforded by some security mechanisms depends on the use of some specific cryptographic techniques, correct operation of this protocol is not dependent on the ch

37、oice of any particular encipherment or decipherment algorithm. This is a local matter for the communicating systems. Furthermore, neither the choice nor the implementation of a specific security policy are within the scope of this ITU-T Recommendation I International Standard. The choice of a specif

38、ic security policy, and hence the degree of protection that will be achieved, is left as a local matter among the systems that are using a single instance of secure communications. This IT-T Recommendation I International Standard does not require that multiple instances of secure communications inv

39、olving a single open system must use the same security protocol. Annex D provides the PICS proforma for the Network Layer Security Protocol in compliance with the relevant guidance given in ISO/IEC 9646-2. ITU-T Rec. X.273 (1994 E) 1 ITU-T RECflN*X.273 94 4862593 059bA5b 33b ISOAEC 11577 : 1995 (E)

40、2 Normative references The following Recommendations and Intemational Standards contain provisions which, though reference in this text, constitute provisions of this ITU-T Recommendation I International Standard. At time of publication, the editions indicated were valid. All Recommendations and Sta

41、ndards are subject to revision, and parties to agreements based on this ITU-T Recommendation I International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and IS0 maintain a registry of cur

42、rently valid International Standards. The Telecommunications Standardization Bureau of ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations I International Standards - CCITT Recommendation X.213 (1992) I IS0 8348:1993, Information technology - Network Service

43、Definition for Open Systems Interconnection. ITU-T Recommendation X.233 (1993) I ISO/IEC 8473:1994, Information technology - Protocol for providing the OS1 connectionless-mode network service: Protocol specification. ITU-T Recommendation X.802 (1994) I ISO/IEC TR 13594:1994, Information technology -

44、 Open Systems Interconnection - Lower layers security model. ITU-T Recommendation X.803 (1994) I ISOAEC 10745: 1993, Information technology - Open Systems Interconnection - Upper layers security model. - - - 2.2 Paired Recommendations I International Standards equivalent in technical content - CCITT

45、 Recommendation X.200 (1988). Information technology - Open Systems Interconnection - Reference Mode: Basic Reference Model. IS0 7498: 1984, Information processing systems - Open Systems Interconnection - Basic Reference Model. CCITT Recommendation X.800 (1991), Security architecture for Open System

46、s Interconnection for CCIZT applications. IS0 7498-2: 1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture. CCITT Recommendation X.210 (1988), Information processing systems - Open Systems Interconnection - Conventions for the de

47、jnition of OS1 services. ISO/TR 8509: 1987, Information processing systems - Open Systems Interconnection - OS1 service conventions. CCIIT Recommendation X.209 (1988), Specification of basic encoding rules for Abstract Syntax Notation One (ASN.). ISO/IEC 8825: 1990, Information technology - Open Sys

48、tems Interconnection - Specification of basic encoding rules for Abstract Syntax Notation One (ASN. 1). CCITT Recommendation X.223 (1988), Use of X.25 to provide the OS1 connection-mode network service. ISO/IEC 8878:1992, Information technology - Telecommunications and information exchange between s

49、ystems - Use of X.25 to provide the OS1 connection-mode network service. CCITT Recommendation X.290 (1992), OS1 conformation testing methodology and framework for protocol Recommendations for CCIZT applications - General concepts. ISOTEC 9646-1: 1991, Information technology - Open Systems Interconnection - Conformation testing methodology andframework - Part 1: General concepts. CCITT Recommendation X.291 (1992). OS1 conformation testing methodology and framework for protocol Recommendations for CClT applications -Abstract tes