INTERNATIONAL TELECOMMUNICATION UNION
ITU-T
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU

X.802 (04/95)

DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS
SECURITY

INFORMATION TECHNOLOGY - LOWER LAYERS SECURITY MODEL

ITU-T Recommendation X.802
(Previously "CCITT Recommendation")

Foreword

ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T, which is the body which sets world telecommunications standards (Recommendations).

The approval of Recommendations by the Members of ITU-T is covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to it and establishes the study programme for the following period.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. The text of ITU-T Recommendation X.802 was approved on the 10th of April 1995. The identical text is also published as ISO/IEC International Standard 13594.

NOTE - In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

© ITU 1995
All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU.

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS
(February 1994)

ORGANIZATION OF X-SERIES RECOMMENDATIONS

Subject area                                        Recommendation Series
PUBLIC DATA NETWORKS
  Services and Facilities                           X.1-X.19
  Interfaces                                        X.20-X.49
  Transmission, Signalling and Switching            X.50-X.89
  Network Aspects                                   X.90-X.149
  Maintenance                                       X.150-X.179
  Administrative Arrangements                       X.180-X.199
OPEN SYSTEMS INTERCONNECTION
  Model and Notation                                X.200-X.209
  Service Definitions                               X.210-X.219
  Connection-mode Protocol Specifications           X.220-X.229
  Connectionless-mode Protocol Specifications       X.230-X.239
  PICS Proformas                                    X.240-X.259
  Protocol Identification                           X.260-X.269
  Security Protocols                                X.270-X.279
  Layer Managed Objects                             X.280-X.289
  Conformance Testing                               X.290-X.299
INTERWORKING BETWEEN NETWORKS
  General                                           X.300-X.349
  Mobile Data Transmission Systems                  X.350-X.369
  Management                                        X.370-X.399
MESSAGE HANDLING SYSTEMS                            X.400-X.499
DIRECTORY                                           X.500-X.599
OSI NETWORKING AND SYSTEM ASPECTS
  Networking                                        X.600-X.649
  Naming, Addressing and Registration               X.650-X.679
  Abstract Syntax Notation One (ASN.1)              X.680-X.699
OSI MANAGEMENT                                      X.700-X.799
SECURITY                                            X.800-X.849
OSI APPLICATIONS
  Commitment, Concurrency and Recovery              X.850-X.859
  Transaction Processing                            X.860-X.879
  Remote Operations                                 X.880-X.899
OPEN DISTRIBUTED PROCESSING                         X.900-X.999

CONTENTS
                                                                          Page
1  Scope ........ 1
2  References ........ 1
   2.1  Identical Recommendations | International Standards ........ 1
   2.2  Paired Recommendations | International Standards equivalent in technical content ........ 2
   2.3  Additional references ........ 2
3  Definitions ........ 2
   3.1  OSI Reference Model definitions ........ 2
   3.2  Open System Security Frameworks definitions ........ 3
   3.3  Internal Organization of the Network Layer definitions ........ 3
   3.4  Additional definitions ........ 3
4  Abbreviations ........ 3
5  Security associations ........ 3
   5.1  General overview ........ 3
   5.2  Establishing a security association for the lower layers ........ 5
   5.3  Security association close ........ 6
   5.4  Modification of attributes in a connection ........ 6
6  Influence on existing protocols ........ 6
   6.1  General principle ........ 6
   6.2  Connectionless SDU size ........ 6
   6.3  Concatenation of PDUs ........ 6
   6.4  Algorithm and mechanism independence ........ 6
7  Common security PDU structure ........ 7
8  Determination of security services and mechanisms ........ 7
9  Protection QOS ........ 7
10 Security rules ........ 7
11 Placement of security in the lower layers ........ 7
12 Use of (N-1)-layer(s) to enhance (N)-layer security ........ 13
13 Security labelling ........ 13
14 Security of routeing ........ 13
15 Security domains ........ 13
16 Security Management ........ 14
   16.1  Security policy ........ 14
   16.2  Security association management ........ 14
   16.3  Key management ........ 14
   16.4  Security Audit ........ 14
17 Traffic flow confidentiality ........ 14
18 Guidelines for the definition of SA-Attributes ........ 15
19 Error handling ........ 15
Annex A  Illustrative example of an Agreed Set of Security Rules ........ 16

ITU-T Rec. X.802 (1995 E)   i

Summary

This Recommendation | International Standard describes the cross layer aspects of the provision of security services in the lower layers of the OSI Reference Model (Transport, Network, Data Link, Physical). It describes the architectural concepts common to these layers, the basis for interactions relating to security between layers and the placement of security protocols in the lower layers.

ISO/IEC TR 13594 : 1995 (E)
TECHNICAL REPORT
ITU-T RECOMMENDATION

INFORMATION TECHNOLOGY - LOWER LAYERS SECURITY MODEL

1 Scope

This Recommendation | Technical Report describes the cross layer aspects of the provision of security services in the lower layers of the OSI Reference Model (Transport, Network, Data Link and Physical layers).

This Recommendation | Technical Report describes:
a) architectural concepts common to the lower layers based on those defined in CCITT Rec. X.800 | ISO 7498-2;
b) the basis for interactions relating to security between protocols in the lower layers;
c) the basis for any interactions relating to security between the lower layers and upper layers of OSI;
d) the placement of security protocols in relation to other lower layer security protocols and the relative role of such placements.

There should be no conflict between the security protocols for the lower layers and the model described in this Recommendation | Technical Report.

CCITT Rec. X.500 | ISO/IEC 9594-1 identifies the security services relevant to each of the lower layers of the OSI Reference Model.

2 References

The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | Technical Report. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | Technical Report are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.

2.1 Identical Recommendations | International Standards
- ITU-T Recommendation X.200 (1994) | ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model.
- ITU-T Recommendation X.233 (1993) | ISO/IEC 8473-1:1994, Information technology - Protocol for providing the OSI connectionless-mode Network service: Protocol specification.
- ITU-T Recommendation X.234 (1994) | ISO/IEC 8602:1995, Information technology - Protocol for providing the OSI connectionless-mode Transport service.
- ITU-T Recommendation X.273 (1994) | ISO/IEC 11577:1995, Information technology - Open Systems Interconnection - Network layer security protocol.
- ITU-T Recommendation X.274 (1994) | ISO/IEC 10736:1995, Information technology - Open Systems Interconnection - Transport layer security protocol.
- ITU-T Recommendation X.803 (1994) | ISO/IEC 10745:1995, Information technology - Open Systems Interconnection - Upper layers security model.
- ITU-T Recommendation X.810 1) | ISO/IEC 10181-1 1), Information technology - Open Systems Interconnection - Security frameworks in open systems: Security frameworks overview.
- ITU-T Recommendation X.812 1) | ISO/IEC 10181-3 1), Information technology - Open Systems Interconnection - Security frameworks in open systems: Access control framework.

2.2 Paired Recommendations | International Standards equivalent in technical content
- CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications.
- ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.
- ITU-T Recommendation X.224 (1993), Protocol for providing the OSI connection-mode transport service.
- ISO/IEC 8073:1992, Information technology - Telecommunications and information exchange between systems - Open Systems Interconnection - Protocol for providing the connection-mode Transport service.
- CCITT Recommendation X.208 (1988), Specification of Abstract Syntax Notation One (ASN.1).
- ISO/IEC 8824:1990, Information technology - Open Systems Interconnection - Specification of Abstract Syntax Notation One (ASN.1).
- CCITT Recommendation X.209 (1988), Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).
- ISO/IEC 8825:1990, Information technology - Open Systems Interconnection - Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).

2.3 Additional references
- ISO/IEC 8208:1995, Information technology - Data communications - X.25 Packet Layer Protocol for Data Terminal Equipment.
- ITU-T Recommendation X.25 (1993), Interface between Data Terminal Equipment (DTE) and Data Circuit-Terminating Equipment (DCE) for terminals operating in packet mode and connected to public data networks by dedicated circuits.
- ISO 8648:1988, Information processing systems - Open Systems Interconnection - Internal organization of the Network Layer.
- ISO 9542:1988 2), Information processing systems - Telecommunications and information exchange between systems - End system to intermediate system routeing exchange protocol for use in conjunction with the Protocol for providing the connectionless-mode Network service (ISO 8473).
- ISO/IEC 10589:1992, Information technology - Telecommunications and information exchange between systems - Intermediate system to intermediate system intra-domain routeing information exchange protocol for use in conjunction with the protocol for providing the connectionless-mode Network service (ISO 8473).
- ISO/IEC 10747:1994, Information technology - Telecommunications and information exchange between systems - Protocol for exchange of inter-domain routeing information among intermediate systems to support forwarding of ISO 8473 PDUs.

3 Definitions

3.1 OSI Reference Model definitions
This Recommendation | Technical Report makes use of the following terms as defined in ITU-T Rec. X.200 | ISO/IEC 7498-1:
- Quality of Service

1) Presently at the stage of draft.
2) Currently under revision.

3.2 Open System Security Frameworks definitions
This Recommendation | Technical Report makes use of the following terms as defined in ITU-T Rec. X.810 | ISO/IEC 10181-1:
- security domain

3.3 Internal Organization of the Network Layer definitions
This Recommendation | Technical Report makes use of the following terms as defined in ISO 8648:
a) subnetwork access protocol;
b) end system;
c) intermediate system.

3.4 Additional definitions
For the purposes of this Recommendation | Technical Report, the following definitions apply:

3.4.1 reflection protection: A protection mechanism to detect when a protocol data unit has been sent back to the originator.

3.4.2 security association attributes: The collection of information required to control the security of communications between an entity and its remote peer(s).

3.4.3 security association: The relationship between lower layer communicating entities for which there exist corresponding security association attributes.

3.4.4 security rules: Local information which, given the security services selected, specify the underlying security mechanisms to be employed, including all parameters needed for the operation of the mechanism. (ITU-T Rec. X.803 | ISO/IEC 10745)

NOTE - Security rules are a form of secure interaction rules as defined in the Upper Layers Security Model.

4 Abbreviations
ISN       Integrity Sequence Number
SSAA      Set of SA-Attributes
NLSP      Network Layer Security Protocol
NLSP-CO   NLSP Connection mode
NLSP-CL   NLSP Connectionless mode
QOS       Quality of Service (as defined in CCITT Rec. X.200 | ISO/IEC 7498-1)
SA        Security Association
SA-ID     Security Association Identifier
SNAcP     Subnetwork Access Protocol (as defined in ISO 8648)
SMSP      Subnetwork Independent Security Protocol
TLSP      Transport Layer Security Protocol

5 Security associations

5.1 General overview

5.1.1 Any security protocol makes use of a number of security mechanisms to provide security services to the layer above. The security services required by the higher layer may be indicated to the lower layers through use of local security management functions. The security protocol and each of its security mechanisms require information, in addition to that which is encoded in the PDUs, to enable secure communication. Examples of such additional information are the specification of the mechanisms to be used by the protocol and, for each mechanism, specific information such as the key required by an encipherment mechanism. Each piece of additional information is known as a Security Association Attribute.

5.1.2 Security Association Attributes may be placed in a protocol entity using a number of mechanisms. Some examples of placement mechanisms are:
a) b) c) d) e) f)

5.1.3 SA-Attributes may be placed at any time prior to the communication to which they relate. When compatible Sets of SA-Attributes (SSAA) are in place in each protocol entity, a Security Association is said to exist between the protocol entities.

5.1.4 SSAAs (and Security Associations) may exist with different granularity. Sometimes it is useful to be able to refer to SSAAs with different granularity. For instance, the SSAA defined by an Agreed Set of Security Rules (ASSR) could be denoted by SSAA-ASSR. Or a pairwise key may be established between two protocol entities for use over a number of instances of communication that share a common Source-Destination Address Pair. Similarly, the SSAA for an instance of communication could be referred to by SSAA-Instance of Communication. Likewise, the SSAA for a connection oriented PDU could be referred to by SSAA-CO PDU.

5.1.5 In
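As an added illustration of 5.1.3 and 5.1.4 (example code written for this page, not text or code from the Recommendation), the following Python model lets a protocol entity hold SA-Attributes at the ASSR, Source-Destination Address Pair, Instance of Communication and CO PDU granularities, resolves the effective SSAA for one PDU by layering finer levels over coarser ones, and reports whether a Security Association exists between two entities, which 5.1.3 defines as compatible SSAAs being in place in each. The level names, the attribute names (integrity_mechanism, confidentiality_mechanism, key, isn_window, initial_isn, isn), the list of required attributes and the compatibility test are assumptions made for the example; the Recommendation does not fix them here.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Hashable, Optional, Tuple

# Granularity levels of a Set of SA-Attributes (SSAA), coarsest first, following 5.1.4:
# Agreed Set of Security Rules, Source-Destination Address Pair, Instance of
# Communication, and a single connection-oriented PDU. Names are assumptions.
LEVELS = ("ASSR", "ADDRESS_PAIR", "INSTANCE", "CO_PDU")

# Attributes an effective SSAA must carry before an association can exist.
# Constructed for this example; X.802 does not fix such a list in 5.1.
REQUIRED = ("integrity_mechanism", "key")


def canonical(pair: Tuple[str, str]) -> Tuple[str, ...]:
    """Both ends name the same address pair regardless of direction."""
    return tuple(sorted(pair))


@dataclass
class ProtocolEntity:
    """A lower-layer protocol entity holding SA-Attributes at several granularities."""
    name: str
    # level -> selector -> attribute dict; the ASSR level uses the selector None
    ssaa: Dict[str, Dict[Optional[Hashable], Dict[str, Any]]] = field(
        default_factory=lambda: {level: {} for level in LEVELS})

    def place(self, level: str, selector: Optional[Hashable], attrs: Dict[str, Any]) -> None:
        """Place (or update) SA-Attributes prior to the communication they relate to (5.1.3)."""
        if level not in LEVELS:
            raise ValueError(f"unknown granularity {level!r}")
        self.ssaa[level].setdefault(selector, {}).update(attrs)

    def effective(self, address_pair: Tuple[str, str], instance: Hashable,
                  pdu: Optional[Hashable] = None) -> Dict[str, Any]:
        """Resolve the SSAA for one PDU: finer levels override coarser ones."""
        selectors = {"ASSR": None, "ADDRESS_PAIR": canonical(address_pair),
                     "INSTANCE": instance, "CO_PDU": pdu}
        merged: Dict[str, Any] = {}
        for level in LEVELS:
            merged.update(self.ssaa[level].get(selectors[level], {}))
        return merged


def compatible(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """Modelling choice (not X.802 text): two SSAAs are compatible when every required
    attribute is present on both sides and every attribute held by both has equal value."""
    if any(k not in a or k not in b for k in REQUIRED):
        return False
    return all(a[k] == b[k] for k in a.keys() & b.keys())


def security_association_exists(x: ProtocolEntity, y: ProtocolEntity,
                                address_pair: Tuple[str, str], instance: Hashable,
                                pdu: Optional[Hashable] = None) -> bool:
    """5.1.3: an SA exists when compatible SSAAs are in place in each entity."""
    return compatible(x.effective(address_pair, instance, pdu),
                      y.effective(address_pair, instance, pdu))


def build_example() -> Tuple[ProtocolEntity, ProtocolEntity]:
    """Two constructed end systems with ASSR-, address-pair- and instance-level attributes."""
    a, b = ProtocolEntity("ES-A"), ProtocolEntity("ES-B")
    # SSAA-ASSR: mechanism selections shared by every communication under these rules
    assr = {"integrity_mechanism": "mac-example", "confidentiality_mechanism": "enc-example",
            "isn_window": 32}
    for entity in (a, b):
        entity.place("ASSR", None, assr)
        # pairwise key reused over all instances with this Source-Destination Address Pair
        entity.place("ADDRESS_PAIR", canonical(("A", "B")), {"key": "pairwise-key-ab"})
        # SSAA-Instance of Communication: per-connection starting sequence number
        entity.place("INSTANCE", "conn-1", {"initial_isn": 100})
    # SSAA-CO PDU: an attribute tied to one PDU, placed on the sending side only
    a.place("CO_PDU", ("conn-1", 7), {"isn": 107})
    return a, b


if __name__ == "__main__":
    a, b = build_example()
    print(a.effective(("A", "B"), "conn-1", ("conn-1", 7)))
    print("SA exists:", security_association_exists(a, b, ("B", "A"), "conn-1"))
```

Resolving the effective SSAA for a PDU walks the four levels in order, so the pairwise key from the address-pair level and the per-connection initial ISN sit on top of the ASSR mechanism choices without either side re-sending them. Replacing the key on only one side of the address pair makes the two effective SSAAs incompatible, and the model then reports that no Security Association exists for that instance, which is the 5.1.3 condition in reverse.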