Monday, July 9, 2007

Technology and plans for supporting IP services on public ATM networks

Operators that have deployed ATM technology, faced with the rapid growth of IP services, are all looking for a preferred plan for supporting IP over ATM.

The current consensus is to choose MPLS as the solution for the public backbone network. MPLS was first introduced on public ATM backbones. It uses an integrated model that combines IP technology and ATM technology well: it has ATM's high-speed forwarding, QoS and traffic control capabilities together with IP's flexibility and scalability, which makes it a more ideal technology for a backbone IP network.

The international telecommunication standards body ITU-T has placed IP standards research at the top of its agenda. This September, the SG13 IP expert group meeting proposed draft Recommendation I.ipatm on the MPLS technical plan for carrying IP over public ATM networks. The draft comprehensively sets out the overall network requirements, the network architecture, the protocol architecture, the service mapping requirements and so on, and gives an explicit statement of the MPLS solution for public ATM networks. This article summarizes the main content of that draft Recommendation.

Network architecture

Carrying IP over ATM has some overall requirements: the network technical plan must be independent of the IP protocol version it supports; it must be scalable enough to support large networks; it must support efficient and scalable IP multicast within the ATM network; and it must be robust enough to support large networks. These requirements apply to all of the defined IP services.

The framework architecture for supporting IP-layer services on ATM is defined as the combination of the network architecture and the protocol architecture needed to support IP services.

The IPOA reference network architecture is shown in Figure 1; this configuration shows the various possible cases of supporting IP services. The dashed box represents the public network. The boxes inside the dashed box show the general configuration within the public network: the ATM core, the IPOA network and the edge routers. Outside the dashed box are various other networks; they show the cases in which the public network provides a specific IP service to a specific kind of network. From the public network's point of view, all of these networks can be regarded as user networks. Note that the public network considered in this article is restricted to public networks with an ATM core.

Figure 1 contains two kinds of reference points. Reference point 1 is the boundary between the public network and a user network. Reference point 2 is the connection between the public network and the IPOA network. The configuration at reference point 1 may depend on the user network's facilities and on the definition of the IP service provided. The edge router may need an interworking function (IWF) and/or an adaptation function. This article concentrates on reference point 2 and on the technology used inside the public network.

Figure 2 shows the reference configuration for IP services on public and private ATM networks. In both private and public IPOA networks, the IP service is realized by the ATM switching function together with the IP service function (IPSF). In this case the connection between the ATM switching function and the IP service function should be defined at the P or the M reference point. The IP service function is the set of functions needed to realize IPOA; a typical example of an IPSF is the address resolution service. As an end system, the IPSF is in fact a router with an ATM connection.

The IPSF and the ATM switching function may be realized on the same equipment, in which case there is no need to define the connection at reference point P. They may also be realized on separate equipment; in that case, whether the connection is defined at M or at P depends on whether the IPSF is inside or outside the core ATM network.

ISPs and end systems (ES) outside the ATM network may attach to a private or a public ATM network. Every end system has a complete IPOA protocol stack; if it attaches to a private IPOA network it uses a private UNI, and if it attaches to a public IPOA network it uses a public UNI.

The main characteristics of this network are network interworking and service interworking. In network interworking, with the help of the interworking functions (IWFs) between the two networks, the IP protocol control information (PCI) and the payload data can be carried transparently through the ATM network to another IP network. Typically the IWF only applies an adaptation function that encapsulates the IP packets and passes them transparently to the far-end IWF.

For interworking between existing IP and ATM networks, the typical case is network interworking, that is, ATM provides the backbone or core network that carries the IP protocol. In this case the ATM network can be regarded as a lower-layer transport for the layer 3 (or higher) protocol.

Protocol architecture

Figure 3 describes the protocol reference model for carrying IP over ATM in a public network. Note that the lower-layer concepts of layer management, plane (or system) management and the control plane are all extended so that they also cover the layer 3 and higher-layer function blocks.

Connections between function modules may be internal, non-standardized communication between sub-layers or planes, or external, standardized protocol connections.

In the general model every layer has a corresponding layer management function module. The layer management function module is responsible only for managing its own layer and for processing its protocol control information (PCI); communication between layers can take place only through the plane management function, which is carried out by the plane management coordination function (CoF) module.

Not every IPOA network application needs to contain all of the function modules. The function modules above can therefore be regarded as the basic "building blocks" from which a specific network (or network element, NE) application is built. The network must maintain the basic relationships and ordering between the different modules in order to guarantee consistent interoperability.

The functions of the IPOA protocol reference model are described below.

IP-SSCS/AAL5 function

The IP-SSCS/AAL5 function module integrates the transmission functions needed to map IP payload onto AAL5. It provides the encapsulation and multiprotocol multiplexing function that the IETF defines in RFC 1483, which is based on IEEE 802.2 Logical Link Control / Subnetwork Attachment Point (LLC/SNAP) encapsulation.

IP layer function

The IP layer function provides the forwarding capability (transmission of IP datagrams) that carries a datagram through the system from its source to its destination IP address. IP forwarding is the process of receiving a packet and applying a very low-cost decision procedure to determine how the packet should be handled.

The IPOA protocol architecture must be independent of the IP version. At present IP has two versions, IPv4 (IP version 4) and IPv6 (IP version 6). The IP layer function should be the same as the one defined by the IETF in RFC 791 for IPv4 and in RFC 2460 for IPv6.

The IP layer function does not provide a reliable communication facility. During data transfer there is no acknowledgement process, either end-to-end or hop-by-hop.

IP layer management function

The IP layer management function has two basic functions: addressing and fragmentation. The IP layer function uses the address carried in the IP header to deliver the IP datagram to its destination; the signalling and routing function modules use it for route selection. When necessary, the IP layer function also uses specific fields in the IP header to fragment and reassemble IP datagrams.

IPv4 mainly uses four mechanisms to provide its service: type of service, time to live, options and the header checksum. IPv6 is the new version of the Internet Protocol; its changes fall mainly into the following four areas: expanded addressing capability; simplification of the header format; improved support for extensions and options; and flow labelling capability and authentication (security capability).

The IP layer management function provides no error control for the data: apart from the checksum in the header, the protocol has no retransmission or flow control mechanism.
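As an added example (not part of the draft Recommendation or of this article), the following Python parses an IPv4 header the way the IP layer functions above describe: it extracts the addressing and fragmentation fields, verifies the RFC 791 header checksum, and performs the TTL decrement and checksum rewrite of one forwarding hop. The sample datagram, its addresses and the `build_ipv4_header` helper are constructed for the example. It also makes the limit in the last paragraph visible: the checksum covers only the header, so a corrupted payload passes the IP layer unnoticed.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum of the
    16-bit words of the header. Over a header whose checksum field is already filled
    in, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, total_length: int, ttl: int = 64,
                      proto: int = 1, tos: int = 0, ident: int = 0,
                      flags: int = 0b010, frag_offset: int = 0) -> bytes:
    """Constructed 20-octet header (no options); flags default to DF set, MF clear."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL = 5 words = 20 octets
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_length, ident,
                      (flags << 13) | frag_offset, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Addressing and fragmentation fields of the IP layer, plus the checksum verdict."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_length, ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    return {
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "ttl": ttl, "proto": proto, "ident": ident, "total_length": total_length,
        "dscp": tos >> 2,                   # the DS field reuses the old TOS octet
        "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # in octets
        "header_length": ihl,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # covers the header only
    }

def forward_hop(pkt: bytes) -> bytes:
    """One forwarding step: verify the header, decrement TTL, recompute the checksum."""
    info = parse_ipv4_header(pkt)
    if not info["checksum_ok"]:
        raise ValueError("header checksum failed; packet discarded")
    if info["ttl"] <= 1:
        raise ValueError("TTL exceeded; packet discarded")
    ihl = info["header_length"]
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1                             # TTL is octet 8 of the header
    hdr[10:12] = b"\x00\x00"                # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

# Constructed sample: a 60-octet ICMP datagram 192.0.2.1 -> 198.51.100.7 with DF set.
SAMPLE = build_ipv4_header("192.0.2.1", "198.51.100.7", 60) + b"\x08\x00" + bytes(38)
```

Running `parse_ipv4_header(SAMPLE)` reports an intact header; a packet whose TTL was changed without fixing the checksum is rejected, while a packet whose payload was overwritten still passes, which is exactly the gap the transport layer or a higher-layer integrity service has to close.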

Transport layer function

The transport layer includes the connection-oriented TCP function and the connectionless UDP function.

The TCP function provides reliable connections between processes. The TCP function conforms to the IETF definition in RFC 793 and includes the following facilities: basic data transfer, reliability, flow control, multiplexing, connections, precedence and security.

The UDP function provides datagram transmission. The UDP function conforms to the IETF definition in RFC 768; UDP is transaction-oriented, and delivery and duplicate protection are not guaranteed. Using the transport layer functions over ATM should not change the transport layer functions themselves.

Network management function module

The network management functions depend on the specific IPOA network application. Usually they include a number of management-related TMN functions, such as fault management, performance management, configuration management, security management and so on.

Signalling and routing control function

This function comprises the IP and ATM signalling and routing function modules. IP control and signalling covers the various IP control functions for route selection; ATM control covers ATM signalling and route selection.

IP service mapping

An IP service is a data transmission service in which data is carried, in the form of IP (Internet Protocol) packets (datagrams), over the connection between the user and the provider. In this case the provider does not need to know the attributes of the data inside the IP packet. The actual or implicit contract between the user and the provider is only that the provider delivers the IP packet unchanged (the control fields may or may not be allowed to change; the payload content is not changed) to the destination (an IP address, or another operator/user connection). This contract may include a set of transmission quality parameters (for example BER, end-to-end delay, sequence integrity and so on) that the user specifies to the provider in the session request. In a concrete implementation, a shorthand that names the kind of data carried by the IP packets may be used to specify these parameters. For example, if the user states that the packets carry voice, a specific set of transmission quality parameters can be mapped directly. Note, however, that this is different from the user requesting a voice call, which actually expects the provider to treat the user data as voice data; for instance, transcoding, or carrying the data over TDM facilities, is a voice feature and not an IP service.

IP Intserv technology

Intserv supports IP QoS classification by precisely describing the QoS level of each IP flow, using the RSVP protocol in RSVP-capable routers together with flow admission control.

Intserv defines two kinds of service: Guaranteed Service (GS) and Controlled Load Service (CLS). For the GS service the maximum queuing delay is subject to control, and any point along the route can affect the maximum queuing delay. CLS gives no fixed delay guarantee, but the service quality must be comparable to that of a lightly loaded network; in effect, a CLS request has a long-term bandwidth guarantee. In short, both services apply to flows characterized by token bucket parameters, and traffic in excess of the token bucket is handled as "best-effort" traffic.

IP Diffserv technology

The IETF Diffserv model is based on the concept of per-hop behaviours (PHBs); a Diffserv PHB is the forwarding behaviour that each local router along the route defines. At present the IETF has defined two main PHBs:

Expedited Forwarding PHB (EF-PHB)
The EF-PHB is characterized by a configurable bandwidth that is not affected by other traffic on the same link. EF-PHB can be used to build end-to-end services across Diffserv domains that require low loss, low delay and low delay variation.

Assured Forwarding PHB group (AF-PHB group)
The AF-PHB group has four AF classes; each class is allocated a quota of forwarding resources (for example buffer space and bandwidth in a Diffserv node). Within each AF class, every IP packet is marked with one of three possible drop precedences. When congestion occurs, the drop precedence decides the relative importance of each packet within an AF class. There is no standardized relationship between the relative performance of the four AF classes; the AF-PHB group can deliver the requested information rate with a higher probability of assurance.
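
The token bucket characterization in the Intserv paragraph above and the three drop precedences of the AF-PHB group meet in a Diffserv edge marker. The following Python is an added example (not from the draft Recommendation or from this article) that meters a flow with a single rate three colour marker (RFC 2697, which the text does not mention but which is the standard way to derive the three AF drop precedences from a token bucket), maps the colour onto AFxy codepoints (RFC 2597), and then shows how a congested AF class queue uses drop precedence to choose which packet to discard. The rates, burst sizes and packet arrivals are constructed sample values.

```python
from dataclasses import dataclass, field

EF_DSCP = 0b101110   # Expedited Forwarding codepoint (RFC 3246)

def af_dscp(af_class: int, drop_prec: int) -> int:
    """AFxy codepoint (RFC 2597): class x in bits 5..3, drop precedence y in bits 2..1."""
    if not (1 <= af_class <= 4 and 1 <= drop_prec <= 3):
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return (af_class << 3) | (drop_prec << 1)

def af_from_dscp(dscp: int):
    """Inverse of af_dscp; returns (class, drop precedence) or None for non-AF codepoints."""
    af_class, drop_prec = (dscp >> 3) & 0b111, (dscp >> 1) & 0b11
    if dscp & 1 == 0 and 1 <= af_class <= 4 and 1 <= drop_prec <= 3:
        return af_class, drop_prec
    return None

@dataclass
class SingleRateMeter:
    """Single rate three colour marker (RFC 2697) in colour-blind mode. Two token
    buckets, C (size cbs) and E (size ebs), are filled at cir bytes per second;
    tokens spill from C into E once C is full."""
    cir: float                 # committed information rate, bytes per second
    cbs: int                   # committed burst size, bytes
    ebs: int                   # excess burst size, bytes
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.te = float(self.cbs), float(self.ebs)   # buckets start full

    def _refill(self, now: float) -> None:
        tokens = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        room = self.cbs - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = float(self.cbs)
            self.te = min(float(self.ebs), self.te + tokens - room)

    def colour(self, now: float, size: int) -> str:
        """green: within the committed burst; yellow: within the excess burst; red: beyond both."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"

DROP_PRECEDENCE = {"green": 1, "yellow": 2, "red": 3}

def mark(meter: SingleRateMeter, af_class: int, now: float, size: int) -> int:
    """Edge marking: the meter colour selects the drop precedence inside the customer's AF class."""
    return af_dscp(af_class, DROP_PRECEDENCE[meter.colour(now, size)])

def enqueue(queue: list, pkt: tuple, capacity: int) -> bool:
    """Congestion handling for one AF class queue of (packet_id, dscp) entries. When the
    queue is full, the packet with the highest drop precedence is discarded, the arriving
    packet included; on a tie the arriving packet is dropped. Returns True if pkt was kept."""
    if len(queue) < capacity:
        queue.append(pkt)
        return True

    def prec(p):
        return af_from_dscp(p[1])[1]

    worst = max(range(len(queue)), key=lambda i: prec(queue[i]))
    if prec(pkt) >= prec(queue[worst]):
        return False
    del queue[worst]
    queue.append(pkt)
    return True

# Constructed sample: a customer contracted to AF class 1 at 1000 B/s with a 1500 B
# committed burst and a 1500 B excess burst sends eight 500-byte packets at once.
def sample_burst() -> list:
    meter = SingleRateMeter(cir=1000, cbs=1500, ebs=1500)
    return [mark(meter, 1, 0.0, 500) for _ in range(8)]
```

The burst is marked AF11 for the first three packets, AF12 for the next three and AF13 for the last two, so a congested node downstream sheds the out-of-contract packets first while still forwarding the committed rate.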
Network models supporting QoS-aware IP services

In the framework produced by the IETF, end-to-end QoS is provided jointly by Intserv regions at the network edge and Diffserv regions in the network core; this approach is often called the "core-edge" approach. Besides the network models proposed here, some other possibilities can also be considered; throughout, the link layer medium is assumed to be ATM.

Possible network models for supporting QoS-aware IP services are shown in Figures 4, 5 and 6.

Case 1: Intserv in the ATM network

In this model, communication between two Intserv stub networks is supported by the IPOA core network. The IPOA equipment in the core network can provide both Intserv and Diffserv capability. To support end-to-end integrated services, the network only needs to activate the Intserv function on the IPOA equipment. Both service level agreements (SLA1 and SLA2) are required to satisfy the Intserv service requests.

Case 2: Diffserv in the ATM network

In this model, communication between two Diffserv stub networks is supported by the IPOA core network. The IPOA equipment in the core network can provide both Intserv and Diffserv capability. To support end-to-end differentiated services, the network only needs to activate the Diffserv function on the IPOA equipment. Both service level agreements (SLA1 and SLA2) are required to satisfy the Diffserv service requests.

Case 3: A Diffserv region in the network supporting Intserv service over ATM

In this model, communication between two Intserv stub networks is supported by the IPOA core network. In the core network some regions support only Diffserv, while other regions can provide both Intserv and Diffserv capability. In this case Intserv traffic is carried transparently through the Diffserv region, and the network has two kinds of service level agreement.

Detailed list of service mapping functions

The service mapping function does not depend on the surrounding network architecture; it depends only on the ways in which IP and ATM QoS are supported on the two sides of the interface where the mapping is performed.

Figure 7 shows all of the IP-to-ATM service mapping combinations that we consider in the network architecture.

For ATM to support IP, only mappings 6 and 12 need to be solved. In this case mapping functions 5 and 10 are not needed at the egress of the ATM part of the network, because in the destination IP network QoS support is based entirely on IP information (for instance RSVP messages, or the DS field of the IP packets), and this information is carried transparently by the ATM network. Mapping functions 5 and 10 may be needed when local ATM traffic has to cross a pure IP network or its destination is a pure IP network.

Mapping functions 3 and 4 belong only to the IP domain, and their study is part of the IETF's work. Similarly, all of the mappings to and from the extended ATM parameters and QoS classes are the work of the ATM Forum (for support in private ATM networks).

Mapping IP integrated services to ATM services

When the ATM connection between two Intserv-capable routers has to support IP flows with GS [RFC2212] or CLS [RFC2211] requests, the question arises of mapping IP integrated services to ATM services. This mapping mainly takes two forms: one-to-one mapping and many-to-one mapping.

Mapping Guaranteed Service (GS) to ATM requires no extension of ATM. However, the chosen mapping plan must satisfy the following requirements: the chosen ATC (ATM transfer capability) must be able to support the delay request, and the chosen ATC must be able to reserve a certain bandwidth for the flow.

Mapping Controlled Load Service (CLS) to ATM likewise requires no extension of ATM, but the chosen mapping plan must be able to reserve a certain bandwidth for the flow.

Mapping IP differentiated services to ATM services

In a Diffserv domain, PHBs can be regarded as the key elements that define an IP service. However, a PHB by itself applies to an end-to-end IP service independently of QoS. The basis for mapping between Diffserv and ATM must therefore be the IP service and the ATM service. Specifically, an IP service may be defined as a group of PHB implementations that conform to a traffic conditioning specification, and an ATM service may be defined as an ATM transfer capability [I.371] with a QoS class [I.356].

To provide a service to users, a Diffserv service provider must combine the PHB implementation with traffic conditioning and service provisioning policies. Since ATM has not addressed the concept of PHBs, a mapping between PHBs and ATM transfer capabilities is not appropriate. Service mapping can therefore be regarded as the mapping of a specific differentiated service to a specific ATM service. Based on the IP service definition considered here, Diffserv-to-ATM mapping can be realized unambiguously through negotiation between the two service providers.

Advantages of the MPLS plan

We propose MPLS as the best technology for supporting IP over ATM in the public network, not only because MPLS supports all of the IP services currently defined, but also for the following reasons.

Suited to relatively large networks

It is well known that MPOA is very suitable for small networks but that its application to relatively large networks is limited. MPLS, on the other hand, is designed precisely to satisfy the requirements of large networks (for example flexibility, scalability and manageability).

Suited to many kinds of bearer network

A large network may use many bearer technologies, including ATM. In a wider perspective, one should choose a technology that is optimal for IPOA and is also optimal for other link layer technologies. MPLS is the only technology that can cover this whole range.

Routing control flexibility

From the point of view of route selection, the MPLS technology lets us choose between fixed routes and dynamic routing. Which is used is left to the network operator.

Simultaneous support of MPLS and ATM control protocols

An ideal situation is to have a control technology that is independent of the link layer protocol. At the same time, ATM control can also be used on the same switch; this arrangement is called "ships in the night" mode.

IP service traffic engineering

At present ATM has the most complete traffic engineering capability. MPLS borrows some of ATM's capabilities, such as QoS, route selection and resource management, and adds the concept of explicit routes, which helps map traffic requirements onto the network topology.

Use of existing investment

Considering the existing investment in ATM and other technologies, carrying IP over the various link layer technologies calls for a single common switching technology. In current bearer networks the ATM hardware can carry IP traffic in a fixed way, and MPLS is regarded as the evolution path for classical IP over ATM (CIPOA).

Support for VPN services

The main merit of MPLS is that it can provide connection-oriented services over a connectionless network, or by way of explicit routes. This characteristic makes MPLS particularly suitable for dynamic tunnelling, and dynamic tunnelling is currently the effective transport method for VPN services.

QoS guarantees

IP Diffserv and MPLS have an obvious affinity, because both were designed to meet the needs of service providers. Since the extended semantics of the label can carry Diffserv information, the network can, with the help of the label, end-to-end label switching and certain resource reservation mechanisms, guarantee a consistent QoS mechanism within a specific MPLS domain.

ATM security survey

ATM is expected to become the standard for high-speed, connection-oriented enterprise networks that concentrate many different applications (for example voice, image and data) in a single network and have differing quality of service (QoS) requirements. ATM's connection-oriented nature means that a connection follows a fixed route through the whole network, and bandwidth is reserved on every link that makes up the route in order to satisfy the application's QoS requests. To establish a connection for a given source-destination pair of nodes, a suitable route through the network must be chosen. Routes in an ATM network may be set up in advance (that is, as permanent connections) or established dynamically and on demand at connection request time. Many different types of information are carried in short, fixed-length packets called ATM cells. An ATM cell is 53 bytes long: 48 bytes are the actual payload and the other 5 bytes make up the cell header. At the network edge, user information frames are entirely segmented into ATM cells; at the destination side of the network, the user information frames are reconstituted from the cells that arrive.
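The segmentation of user frames into 53-byte cells described above, together with the RFC 1483 LLC/SNAP encapsulation mentioned under the IP-SSCS/AAL5 function, can be made concrete with a short simulation. The following Python is an added example (not from this article, the draft Recommendation or any ATM Forum specification): it wraps a constructed IPv4 datagram in LLC/SNAP, builds the AAL5 CPCS-PDU with padding and trailer, splits it into 48-byte cell payloads under 5-byte headers carrying the HEC field, and reassembles and verifies it. The header field layout and the HEC polynomial follow ITU-T I.432 and the LLC/SNAP constants follow RFC 1483; `zlib.crc32` stands in for the AAL5 CRC-32, and bit-exact agreement with real AAL5 hardware is not verified here, so treat that choice as an assumption. The example shows where integrity failures surface: a flipped header bit fails the HEC check, a flipped payload bit fails the AAL5 CRC, and neither check is cryptographic, which is why the security services discussed below are needed.

```python
import struct
import zlib

CELL_SIZE, PAYLOAD_SIZE = 53, 48
# LLC/SNAP header for routed IPv4 PDUs (RFC 1483): LLC AA-AA-03, OUI 00-00-00, EtherType 0x0800.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa03" "000000" "0800")

def hec(first4: bytes) -> int:
    """Header Error Control: CRC-8 with generator x^8 + x^2 + x + 1 over the first four
    header octets, XORed with the 0x55 coset (ITU-T I.432; taken from the spec, not the page)."""
    crc = 0
    for byte in first4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55

def cell_header(vpi: int, vci: int, pti: int = 0, clp: int = 0, gfc: int = 0) -> bytes:
    """UNI cell header: GFC(4) VPI(8) VCI(16) PTI(3) CLP(1) HEC(8)."""
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pti << 1) | clp
    first4 = struct.pack("!I", word)
    return first4 + bytes([hec(first4)])

def parse_cell_header(cell: bytes) -> dict:
    if len(cell) != CELL_SIZE:
        raise ValueError("cell must be 53 octets")
    if hec(cell[:4]) != cell[4]:
        raise ValueError("HEC mismatch: corrupted cell header")
    word = struct.unpack("!I", cell[:4])[0]
    return {"vpi": (word >> 20) & 0xFF, "vci": (word >> 4) & 0xFFFF,
            "pti": (word >> 1) & 0b111, "clp": word & 1}

def aal5_cpcs_pdu(payload: bytes, uu: int = 0, cpi: int = 0) -> bytes:
    """AAL5 CPCS-PDU: payload, 0..47 pad octets, then an 8-octet trailer (UU, CPI,
    Length, CRC-32). Padding makes the PDU a multiple of 48 so it fills cells exactly."""
    pad = (-(len(payload) + 8)) % PAYLOAD_SIZE
    body = payload + bytes(pad) + struct.pack("!BBH", uu, cpi, len(payload))
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)   # CRC choice is an assumption

def aal5_payload(pdu: bytes) -> bytes:
    if len(pdu) < 8 or len(pdu) % PAYLOAD_SIZE:
        raise ValueError("AAL5 PDU length is not a multiple of 48")
    body, crc = pdu[:-4], struct.unpack("!I", pdu[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("AAL5 CRC-32 mismatch: corrupted or truncated PDU")
    _uu, _cpi, length = struct.unpack("!BBH", body[-4:])
    if length > len(body) - 4:
        raise ValueError("AAL5 length field exceeds PDU")
    return body[:length]

def ip_to_cells(datagram: bytes, vpi: int, vci: int) -> list:
    """Edge function: LLC/SNAP encapsulate, build the AAL5 PDU, segment into cells."""
    pdu = aal5_cpcs_pdu(LLC_SNAP_IPV4 + datagram)
    chunks = [pdu[i:i + PAYLOAD_SIZE] for i in range(0, len(pdu), PAYLOAD_SIZE)]
    # PTI bit 0 (the AAL-indicate bit) is set only on the last cell of the PDU.
    return [cell_header(vpi, vci, pti=int(i == len(chunks) - 1)) + chunk
            for i, chunk in enumerate(chunks)]

def cells_to_ip(cells: list) -> bytes:
    """Destination function: check each header, reassemble the PDU, verify, strip LLC/SNAP."""
    pdu, connection = b"", None
    for cell in cells:
        hdr = parse_cell_header(cell)
        if connection is None:
            connection = (hdr["vpi"], hdr["vci"])
        if (hdr["vpi"], hdr["vci"]) != connection:
            raise ValueError("cell belongs to a different virtual connection")
        pdu += cell[5:]
        if hdr["pti"] & 1:
            break
    else:
        raise ValueError("end-of-PDU cell missing")
    frame = aal5_payload(pdu)
    if not frame.startswith(LLC_SNAP_IPV4):
        raise ValueError("not an LLC/SNAP IPv4 PDU")
    return frame[len(LLC_SNAP_IPV4):]

# Constructed sample: a 100-octet stand-in for an IPv4 datagram on VPI 1 / VCI 32.
SAMPLE_DATAGRAM = bytes(range(100))
SAMPLE_CELLS = ip_to_cells(SAMPLE_DATAGRAM, vpi=1, vci=32)
```

With the 8-octet LLC/SNAP header and 8-octet trailer the sample needs 28 pad octets and occupies three cells; `cells_to_ip(SAMPLE_CELLS)` returns the original datagram, and any single-bit change to a header or payload is reported as a `ValueError`.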

A weakness that ATM currently displays is that it provides no security services, and this is a major barrier when ATM is deployed for customers. Although more and more business organizations, the financial sector and government departments are asking to migrate to ATM, realizing ATM's full potential urgently requires ATM to have security services. At present the great majority of ATM circuits exist only as permanent virtual circuits (PVCs), joining fixed company sites over leased-line connections. But once switched virtual circuits (SVCs) that cross public boundaries, or SVCs that cross a service provider's network inside a company, become available, the effective use of ATM's value becomes the main factor in deciding whether to adopt ATM.

In the future ATM may well be used in communication domains with very strict mission requirements, such as financial transactions, medical information systems and national defence and military communications. All of these applications require highly reliable cryptographic algorithms and protocols to guarantee secure communication. A strong ATM security mechanism must have practical, reliable measures that guard against spoofing, against malicious modification of data and against eavesdropping. Without such guarantees, mission-critical applications can only exist at great expense, perhaps simply because no interoperable equipment is available.

The minimum that a secure ATM must provide is authentication of ATM endpoints and protection of user data. ATM's high-speed cell relay performance raises some special problems for the task of securing it. Some of these problems can be outlined as follows:

1) Security services must accommodate the fine-grained multiplexing of ATM cells, which requires correspondingly flexible keying: different keys must be used for the cells of different data streams.

2) Because of the high speed and strict quality of service (QoS) requirements of ATM networks, security services should not introduce additional delay or cell delay variation.

3) The high transmission speed means that a session key can only have a very short lifetime. The traditional full key exchange protocol is therefore unsuitable, and keys must be changed frequently in order to renew them. In other words, new mechanisms are also needed for re-keying on a longer time basis.

4) The cryptographic mechanism must operate at speeds of 1 Gbps with flexible keying. The well-known cryptographic mechanisms of today may find it very hard to meet these requirements.

5) The cryptographic mechanisms must also interoperate across different speeds. For example, a client may attach to the ATM network over a synchronous optical network (SONET) OC-3c link while its server has an OC-48c connection. Clearly the server's encryption device (which may be a parallel implementation of the algorithm) must interoperate with the client's encryption device (which may be a serial implementation of a similar algorithm).



The ATM security defines which by the 640-863 ATM topic security work team is imitates the ATM agreement reference model to draw up. This agreement reference model by the division is three 640-863 planes: User plane, control plane and management plane. The user plane guarantee supplies transmission user's data, it contains the physical level, the ATM level and multi- ATM suitably matches the level (AAL) several kind of types. The control plane needs to process the connection the establishment, the release and other connection functions. Control plane and user plane sharing physics level and ATM level. Moreover, it also includes according to AAL5 and a higher letter the 640-863 letter which was stipulated the agreement makes AAL. The management plane execution management harmonious cooperation adjusts the user and the control plane both sides related function. The ATM topic security specifications is must provide the user in the first stage the plane (data) the safe service and the control plane (letter makes) the safe service standard. Perhaps to will manage the plane the safe service to have in the future standard issue time only then will be able to provide.

ATM user plane safe service
The user plane safe service is must the load bearing user information provide the protection to very many 640-863 ways in the empty connection. The distinction is must cause the call origination and obtain by call origination each other the absolute confirmation, and causes the third party not to have to pretend one of its two.

The key exchange service is must cause the call origination and the key which obtain by the call origination is consistent, this key is uses in empty connection survival period provides the data integrity and the secret service. The complete service is must provide by the empty connection load bearing data cannot the guarantee which is revised by the third party. The secret service is must provide prevented transmits the data in the empty connection not the third party "the interception" the protection. Finally, the access control service is must provide other correlation security information the protection, namely establishes in the connection, must enable the terminal to determine whether defers to the scene the security policy to accept the connection the request.

The user plane safe service which will define by the ATM topic group can apply to the spot to and to the multi- spots connection empty channel connection (VCC) and the empty circuit connection (VPC). Said to the first stage security specifications that, is making the stipulation to three kind of situations safe services, namely: User to user, user to network and network to network. Every is can realize the security ATM pitch point all has "the security proxy" the function, this security proxy may carry out when the connection establishment and connection survival period plays the role security agreement and the safety mechanism.

Distinction, key exchange and security option consultation

The distinction is the user plane safe service, it may cause the connection to establish the entire process bilateral each other to obtain the absolute confirmation. This not only has the very vital role to its direct benefit, moreover because to other safe services, like the key exchange also is the need. The distinction, the key exchange and the security option consultation must give in here to narrate together, because must realize these three characteristics to need to use the similar agreement.

Does not like directional data newspaper agreement such, they only have in each grouping package of foundation complete the distinction, but the ATM directional connection characteristic may cause in the connection establishment period two parts both to use the more precise distinction agreement, because is connected with the digital signature the total expenses cost must repay in the entire connection lifetime, therefore in connection establishment period may use strongly (even if is slower) distinguishes the agreement. This also may cause other security functions (to like key exchange) at the same time then to complete by the small amount attachment expenses.

Given this characteristic, the ATM Forum working group has specified a protocol, used when a VCC or VPC is established, that performs authentication, key exchange and security option negotiation. The protocol is based on the ISO/IEC 9594-8 and ISO/IEC 11770-2 standards drawn up by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and provides mutual authentication using a three-flow or two-flow exchange. The two-flow and three-flow user plane security message exchange protocols do not prescribe any particular cryptographic algorithm; for either method, authentication can be completed with asymmetric or symmetric cryptographic algorithms.



Security message exchange protocols

In the two-flow and three-flow security message exchange protocols, one party plays the "initiator" role and the other the "responder" role. The security agent operating on behalf of the initiating user is called the "initiator", and the security agent operating on behalf of the responding user is called the "responder".

In the security message exchange protocols, when an asymmetric (public-key) algorithm is used, each authenticating entity (A and B) is assumed to have a public/private key pair. When used for encryption, Ka denotes the public part of A's asymmetric key; when used for digital signatures, Ka denotes the private part of A's asymmetric key. The same applies to entity B. When a symmetric (secret-key) algorithm is used, the authenticating entities A and B are assumed to share either two unidirectional secret keys Ka and Kb or a single secret key Ka = Kb.

Security negotiation is carried out through the operational parameters of the three-flow exchange protocol. Negotiation is needed to support flexibility in the architecture: it allows implementers and users to choose the cryptographic algorithms and protocols they prefer. In the first flow, the initiator offers a list of security services and connection parameters (for example: algorithm type, key length, and the concrete parameters of the public-key algorithm). In the second flow, the responder replies according to that list of services and connection parameters. If the initiator agrees with the response, the protocol completes and both sides use the services and parameters contained in the responder's reply; otherwise the protocol and the connection request fail.

Protocol adjustments

When specifying the two-flow or three-flow ATM security message transport protocol, several possible adjustments must be considered. These adjustments are described below and summarized in Table 1 (where n is the number of network nodes to which the security service must be applied). To protect the authentication protocol against the well-known "replay attack" deception, the authentication flows must be unique, ordered and fresh. This can be achieved in two ways: by using time stamps together with sequence numbers, or by using a "challenge-response" protocol.

If mutual authentication in two flows is required, or authentication of the source (sending) side in a single flow, then the time-stamp-based method should be used. The latter case is important if an ATM "firewall" is used to passively filter connection requests (associated with an end system) on the basis of the sender's authentication certificate. However, the disadvantage of the time-stamp-based method is that it requires a certain degree of time synchronization between the message source and the entity that verifies the authentication certificate.

The "challenge-response" method provides the essential guarantees of uniqueness, ordering and freshness by using a one-time random number, or nonce. This is achieved by transmitting the nonce as the "challenge": it is sent to the remote entity, which cryptographically marks (signs) it and returns it to the entity that issued the challenge.
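As an added illustration (not the ATM Forum protocol and not code from the original article), the following Python sketch models the three-flow negotiation described above together with nonce-based challenge-response freshness: the initiator offers options and a challenge, the responder selects an option and answers, and each side binds its tag to the nonce it issued, so a replayed flow from an earlier connection does not verify. The key names Ka/Kb follow the text; HMAC-SHA256 standing in for the unspecified algorithm, and the option strings, are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a three-flow authentication and security
# option negotiation using shared symmetric keys (Ka for A->B, Kb for B->A)
# and nonces as challenges. An added illustration, not the ATM Forum protocol.

def _mac(key, *parts):
    # Authentication tag over the concatenated protocol fields (assumed HMAC-SHA256).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def flow1(offers, nonce_a):
    # Flow 1: the initiator sends its acceptable options and a challenge.
    return {"offers": list(offers), "nonce_a": nonce_a}

def flow2(kb, msg1, supported, nonce_b):
    # Flow 2: the responder picks the first offered option it supports,
    # answers the challenge under Kb and issues its own challenge nonce_b.
    chosen = next((o for o in msg1["offers"] if o in supported), None)
    if chosen is None:
        return None  # no common option: protocol and connection request fail
    tag = _mac(kb, msg1["nonce_a"], nonce_b, chosen.encode())
    return {"chosen": chosen, "nonce_b": nonce_b, "tag": tag}

def flow3(ka, kb, msg1, msg2):
    # Flow 3: the initiator checks that the reply is fresh (bound to its own
    # nonce_a) and consistent with its offer, then authenticates under Ka.
    if msg2 is None or msg2["chosen"] not in msg1["offers"]:
        return None
    want = _mac(kb, msg1["nonce_a"], msg2["nonce_b"], msg2["chosen"].encode())
    if not hmac.compare_digest(want, msg2["tag"]):
        return None
    return {"tag": _mac(ka, msg2["nonce_b"], msg1["nonce_a"], msg2["chosen"].encode())}

def responder_accepts(ka, msg1, msg2, msg3):
    # The responder verifies flow 3 against the nonce_b it issued in flow 2,
    # so a flow 3 replayed from an earlier connection does not verify.
    if msg3 is None:
        return False
    want = _mac(ka, msg2["nonce_b"], msg1["nonce_a"], msg2["chosen"].encode())
    return hmac.compare_digest(want, msg3["tag"])

def run_exchange(ka, kb, offers, supported):
    # Drive one complete exchange; returns the agreed option, or None on failure.
    m1 = flow1(offers, secrets.token_bytes(16))
    m2 = flow2(kb, m1, supported, secrets.token_bytes(16))
    m3 = flow3(ka, kb, m1, m2)
    return m2["chosen"] if m2 and responder_accepts(ka, m1, m2, m3) else None
```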

The adjustments also involve the choice between asymmetric (public-key) algorithms and symmetric (secret-key) algorithms. With an asymmetric algorithm, each entity has a "private key" maintained by that entity alone, while the public key can be freely distributed and used by others to verify that a digital signature produced with the entity's key is valid. The merit of asymmetric algorithms (for both encryption and digital signature) is that each user needs only a single private key, which makes key management less complex; however, because asymmetric algorithms use complex functions such as "modular exponentiation", they are computationally expensive.

On the other hand, symmetric algorithms can be computed very quickly, because they make particular use of "shift and permutation" operations. However, a symmetric algorithm requires the source and destination entities to share the same key in advance. For a network with several nodes, the ability to authenticate each other with the two-flow and three-flow exchange protocols requires each node to hold a common key with every other node, so the key management complexity can be expressed as O(n^2). In a large network, this key management complexity must be taken into account when authentication is performed with symmetric algorithms.


ATM security message transport
To realize the security services described above, a corresponding security message transport mechanism is needed. The transport mechanism used by a security service depends on whether the service is requested at connection establishment or during the lifetime of the connection. At connection establishment, the security messages may be exchanged either in the signaling channel or in the data channel once it has been established. During the lifetime of the connection, OAM cells are used to carry the security messages.

Security transport at connection establishment
For connection establishment, two methods of security transport are used. If the signaling entities in the end systems and the network equipment all support security transport, the security messages can be exchanged in the signaling channel. If that equipment does not support security messages, the end systems and security agents must exchange the security messages in the data channel after the connection is established and before data is transmitted on the new VCC/VPC.

Security transport during the connection lifetime
Once the data connection is established, a mechanism is needed to exchange security messages on demand for cipher synchronization and session key updates. Because these messages are time-sensitive relative to the data traffic, they must be carried in-band with the data in the same VCC/VPC. Otherwise, a resynchronization message might arrive too late, leaving the decryption process out of synchronization.

The approach adopted by the security working group is to use OAM cells to carry the related security information. These may be either F4 (VPC level) or F5 (VCC level) OAM cells, and they can be quickly recognized by the receiving end system or security agent. In both cases the OAM cell type is "system management", and a "function type" is defined to indicate the security function.

Summary
In addition to protecting the network infrastructure, ATM security also protects user information. ATM security is modeled on the ATM protocol reference model and is divided into three planes: the user plane, the control plane and the management plane. The first-phase ATM Forum security specification mainly addresses user plane security services and a limited set of control plane services.

The ATM user plane services specify, by a number of methods, the protection of user information carried over virtual circuits. The access control service determines who may be allowed to access ATM services and resources. The authentication service guarantees that the calling party and the called party obtain genuine confirmation of each other's identity. The confidentiality service specifies encryption mechanisms that protect authorized information carried over the entire ATM connection, and the integrity service ensures that user data values are not modified and that the order of user data is not tampered with. (End)