[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 draft-ietf-ipdvb-sec-req

     Internet Engineering Task Force                       H.Cruickshank
     Internet Draft                                           S. Iyengar
     draft-cruickshank-ipdvb-sec-req-02.txt     University of Surrey, UK
                                                            L. Duquerroy
                                            Alcatel Alenia Space, France
     Expires: December 2006                                    P. Pillai
                                              University of Bradford, UK
    
     Category: Internet Draft                              June 16, 2006
    
    
    
            Security requirements for the Unidirectional Lightweight
                         Encapsulation (ULE) protocol
                     draft-cruickshank-ipdvb-sec-req-02.txt
    
    
    Status of this Draft
    
       By submitting this Internet-Draft, each author represents that
       any applicable patent or other IPR claims of which he or she is
       aware have been or will be disclosed, and any of which he or she
       becomes aware will be disclosed, in accordance with Section 6 of
       BCP 79.
    
       Internet-Drafts are working documents of the Internet Engineering
       Task Force (IETF), its areas, and its working groups.  Note that
       other groups may also distribute working documents as Internet-
       Drafts.
    
       Internet-Drafts are draft documents valid for a maximum of six
       months and may be updated, replaced, or obsoleted by other
       documents at any time.  It is inappropriate to use Internet-
       Drafts as reference material or to cite them other than as "work
       in progress."
    
       The list of current Internet-Drafts can be accessed at
            http://www.ietf.org/ietf/1id-abstracts.txt
    
       The list of Internet-Draft Shadow Directories can be accessed at
            http://www.ietf.org/shadow.html
    
       This Internet-Draft will expire on December 16, 2006.
    
    Abstract
    
       This document provides a threat analysis and derives security
       requirements for MPEG-2 transmission links using the
       Unidirectional Lightweight Encapsulation (ULE). It also provides
    
    
    Cruickshank           Expires December 15, 2006          [Page 1]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       the motivation for ULE link-level security. This work is intended
       as a work item of the ipdvb WG, and contributions are sought from
       the IETF on this topic.
    
    Requirements notation
    
       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
       "OPTIONAL" in this document are to be interpreted as described in
       RFC2119 [1].
    
    Table of Contents
    
    
       1. Introduction                                                2
          1.1. System Components                                      4
       2. Threat Analysis                                             4
          2.1. Threat Scenarios                                       5
             2.1.1. Scenario 1: Monitoring (passive threat)           5
             2.1.2. Scenario 2: Local highjacking of the MPEG-TS
             multiplex (active threat)                                6
             2.1.3. Scenario 3: Global high jacking of the MPEG-TS
             multiplex (active threat)                                6
       3. Security Requirements for IP over MPEG-2 TS                 6
       4. IPsec and MPEG-2 Transmission Networks                      8
          4.1. Tunnel mode use of IPsec for multicast                 9
          4.2. IPsec and L2 security                                  9
       5. Motivation for ULE link-layer security                     10
          5.1. Link security below the Encapsulation layer           11
          5.2. Link security as a part of the Encapsulation layer    11
       6. Summary                                                    12
       7. Security Considerations                                    13
       8. IANA Considerations                                        13
       9. Acknowledgments                                            13
       10. References                                                14
          10.1. Normative References                                 14
          10.2. Informative References                               14
       Author's Addresses                                            15
       Intellectual Property Statement                               16
       Disclaimer of Validity                                        16
       Copyright Statement                                           16
    
    1. Introduction
    
       In the security considerations section of RFC 4259[2], there is
       an initial analysis of the security requirements in MPEG-2
       transmission networks. For example, when the MPEG-2 transmission
    
    
    Cruickshank           Expires December 15, 2006           [Page 2]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       network is not using a wireline network, the normal security
       issues relating to the use of wireless links for transport of
       Internet traffic should be considered [16]. RFC 4259 recommends
       that any new encapsulation defined by the IETF allows Transport
       Stream encryption and also supports optional link level
       encryption/authentication of the SNDU payload. In ULE [3], this
       may be provided in a flexible way using Extension Headers. This
       requires definition of a mandatory header extension, but has the
       advantage that it decouples specification of the security
       functions from the encapsulation functions. This method also
       supports hiding of the NPA/MAC addresses.
    
       This document extends the above analysis and derives the security
       requirements for ULE.
    
       The main objective of this document is to specify the
       requirements for securing the link between the Encapsulation
       Gateways (ULE source) and Receivers only. In addition, this
       document provides an overview of the threat analysis for an IP
       network that utilises ULE over an underlying MPEG-2 transmission
       network.
    
       The MPEG-2 Transport Stream (TS) has been widely accepted not
       only for providing digital TV services, but also as a subnetwork
       technology for building IP networks. The Unidirectional
       Lightweight Encapsulation (ULE) mechanism described in [3] can be
       used for the transport of IPv4 and IPv6 Datagrams, bridged
       Ethernet frames and other network protocol packets directly over
       the ISO MPEG-2 Transport Stream as TS Private Data. ULE specifies
       a base encapsulation format and supports an extension format that
       allows it to carry additional header information to assist in
       network/Receiver processing.
    
       Important characteristics of MPEG-2 transmission networks are
       that they may provide link-level broadcast capability, and that
       many support applications that require access to a very large
       number of subnetwork nodes [2]. In addition, the majority of
       MPEG-2 transmission networks are bandwidth-limited, encapsulation
       protocols must therefore add minimal overhead to ensure good link
       efficiency while providing adequate network services. They also
       need to be simple to minimize processing, robust to errors and
       security threats, and extensible to a wide range of services.
    
       In MPEG-2 transmission network there are several signalling
       messages that are broadcast by the Encapsulator or Multiplexor
       in the form of tables. Examples of these signalling messages or
       (SI tables) are PAT - Program Association Table, PMT - Program
    
    
    Cruickshank           Expires December 15, 2006           [Page 3]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       Map Table and NIT - Network Information Table.  In existing MPEG-
       2 transmission networks, these messages are broadcast in clear
       (no encryption or integrity checks). The integrity of these
       messages is important for the correct working of the ULE network.
       However, securing these messages is out of scope for ULE
       security.
    
    1.1. System Components
    
       There are several entities in within the MPEG-2 transmission
       network architecture, as defined in [2]). These include (ULE)
       Encapsulation Gateways, TS multiplexers (including re-
       multiplexers), modulators and Receivers.
    
       The ULE link security focuses on security between the
       Encapsulation Gateways (ULE source) and Receivers only.
    
    2. Threat Analysis
    
       The simplest type of network threat is a passive threat. Passive
       attacks include eavesdropping or monitoring of transmissions,
       with a goal to obtain information that is being transmitted. In
       broadcast networks (especially those utilising widely available
       low-cost physical layer interfaces, such as DVB) passive threats
       are considered the major threats. An example of such a threat is
       an intruder monitoring the MPEG-2 transmission broadcast and
       being able to extract traffic communicated between IP hosts.
       Another example an intruder trying to gain information about the
       communication parties by monitoring their Layer 2 MAC/NPA
       addresses; an intruder can gain some information by just knowing
       the identity of the communicating parties and the volume of their
       traffic. This is a well-known issue in the security field;
       however it is more problematic in the case of broadcast networks
       such as MPEG-2 transmission networks.
    
       Active threats (or attacks) are, in general, more difficult to
       implement successfully than passive threats, and usually require
       more sophisticated resources and may require access to the
       transmitter. Examples of active attacks are:
    
       o Masquerading: where an entity pretends to be a different
          entity. This includes masquerading other users and subnetwork
          control plane messages.
    
       o Modification of messages in an unauthorised manner.
    
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 4]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       o Repudiation: Repudiation of origin occurs when a party denies
          being the originator of a message and repudiation of
          destination occurs when a party denies the reception of a
          message.
    
       o Replay attacks: When an intruder sends some old (authentic)
          messages to the Receiver.
    
       o Denial of service attacks:  When an entity fails to perform
          its proper function or acts in a way that prevents other
          entities from performing their proper functions.
    
       Active threats such as masquerading, replay, modification of
       messages and injecting IP packet attacks are major security
       concerns for the Internet community and several of these attacks
       have been described [5]. The defence against such attacks is data
       integrity using cryptographic techniques and sequence numbers.
    
       In the context of active threats in MPEG-2 transmission networks,
       ULE source authentication (i.e. verification that packets are
       being sent by the expected Encapsulation Gateway) is required by
       the ULE Receivers, although attacks such as masquerading,
       modification of messages and injecting IP packets are more
       difficult. However such attacks on individual ULE Receivers are
       possible and can pass unnoticed by the ULE network operators or
       ISPs. Therefore ULE authentication and integrity checks are
       required. IPsec can be used to provide source authentication but
       has some disadvantages; further analysis on IPsec is presented in
       section 4.
    
    2.1. Threat Scenarios
    
       In normal MPEG transmission networks packets are transmitted by
       the ULE Encapsulation Gateway to the ULE Receivers. This is
       sometimes called a star topology which is the main focus of this
       document. Mesh topologies where ULE Receivers are ULE sources as
       well are out of scope of this document.
    
       In the star topology, three threat scenarios can be envisaged:
    
    2.1.1. Scenario 1: Monitoring (passive threat)
    
       Here the intruder monitors the ULE broadcasts in order to gain
       information about ULE data and/or tracking the communicating
       parties. In this scenario, measures should be taken to hide the
       ULE data and the ULE Receivers identity.
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 5]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
    2.1.2. Scenario 2: Local high jacking of the MPEG-TS multiplex
       (active threat)
    
       Here we assume an intruder is sophisticated and able to block the
       original transmission from the ULE Encapsulation Gateway and
       deliver a modified version of the MPEG-TS transmission to a
       single ULE Receiver or a small group of Receivers (e.g. in a
       single company site). The MPEG transmission network might not be
       aware of such attacks. In addition to the security requirements
       for scenario 1, here extra measures should be taken to ensure ULE
       source authentication and preventing replay of old messages.
    
    2.1.3. Scenario 3: Global high jacking of the MPEG-TS multiplex
       (active threat)
    
       Here we assume an intruder is very sophisticated and able to high
       jack the whole MPEG transmission multiplex. The requirements here
       are similar to scenario 2. The MPEG transmission network can
       quickly identify such attacks. This type of attack cannot be
       protected against with a ULE security system. The MPEG
       transmission network must resort to other means to restore the
       original transmissions.
    
       In terms of priority, scenario 1 is considered the major threat
       in MPEG transmission systems. Scenario 2 is likely to a smaller
       degree in certain cases and hence the extra protections should be
       optional and used only when such threat is a possibility to some
       MPEG transmission services. Scenario 3 is not envisaged to be a
       practical because it will be very difficult to pass unnoticed by
       the MPEG transmission operator. Therefore scenario 3 is out of
       scope for this document.
    
    3. Security Requirements for IP over MPEG-2 TS
    
       From the above analysis, the following security requirements can
       be derived:
    
       o Data confidentiality is the major requirement against passive
          threats (using encryption). L2 encryption or L3 (IPsec)
          encryption can satisfy this requirement.
    
       o Hiding of Layer 2 MAC/NPA address. This is needed particularly
          in the MPEG-2 broadcast networks to stop an intruder gaining
          information by observing the identity of the communicating
          parties and the volume of their traffic.
    
       o For active threats: ULE source authentication and data
    
    
    Cruickshank           Expires December 15, 2006           [Page 6]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
          integrity are required, using techniques such as message
          authentication code and digital signatures. Sequence numbers
          are required to stop replay attacks.  Therefore, L2 data
          integrity/authentication is optional, but still important in
          environments in which several independent networks share a
          single transmission resource. In addition, functions to
          determine the integrity of control and management messages in
          MPEG-2 transmission networks such as SI tables are another
          optional requirement, but are outside the scope of ULE
          security.
    
       o Layer L2 endpoint authentication: This will be part of the key
          management. It will be performed during the initial key
          exchange and authentication phase.
    
       o End-to-end security (such as IPsec and TLS [13]) and ULE link
          security should work in parallel without obstructing each
          other.
    
       o Decoupling of ULE key management functions from ULE
          encryption. This will allow the independent definition of
          these systems such as the re-use of existing security
          management systems (e.g. GSAKMP [9] and GDOI [10]), plus other
          systems such as DVB-RCS [6] and/or the development of new
          systems, as required.
    
       o Other general requirements are:
    
            o Protection of the management system and the infrastructure
              from unauthorized people. ULE encryption will provide
              partial protection through the key management procedures
              and data encryption.
    
            o Operational issues: Because of the possible large coverage
              of a broadcast transmission network, it may be required to
              deliver data to many different countries that may have
              different security legislation (related to authorized
              encryption algorithms and the length of keys). Therefore
              the ULE security system should allow a wide range of
              security parameters during the negotiation phase in order
              to offer flexibility to operators. In ULE security, the
              choice of such algorithms will be decided by the key
              management system in use.
    
            o Compatibility with other networking functions: Other
              networking functions such as NAT (Network Address
              Translation) [12] or TCP acceleration can be used in a
    
    
    Cruickshank           Expires December 15, 2006           [Page 7]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
              wireless DVB networks (see RFC3135). The ULE security
              solution should be compatible with functions such as
              NAT/NAPT, IPsec, TLS, etc.
    
            o Traceability (such as using intrusion detection systems):
              To monitor transmission network (e.g. using log files to
              record the activities on the network). This is out of
              scope for ULE security.
    
       Examining scenarios 1 and 2 in section 2.1., the requirements for
       each scenario can be summarised as:
    
       Scenario 1: Data confidentiality MUST be provided to prevent
       monitoring of the ULE data (such as IP packet and user
       information). Also ULE MAC address hiding should be provided to
       prevent access to communicating parties' identity and tracking
       their communications. These requirements are mandatory for a ULE
       security system.
    
       Scenario 2: In addition to scenario 1 requirements, additional
       measures need to be implemented such as source authentication and
       using sequence numbers to prevent replay attacks. This will stop
       intruders from injecting their own data into the MPEG-TS stream.
       However, scenario 2 threats can happen only in specific service
       cases and therefore source authentication and sequence numbers
       SHOULD be optional for the ULE security system because of the
       extra overheads it incurs.
    
       Scenario 3: ULE security system can not protect against such
       attacks.
    
    4. IPsec and MPEG-2 Transmission Networks
    
       IPsec supports two modes of use: transport mode and tunnel mode.
       In transport mode, AH and ESP provide protection primarily for
       next layer protocols; in tunnel mode, AH and ESP are applied to
       tunnelled IP packets. In both modes, data integrity is provided
       and in addition, ESP provides the data privacy service as well.
    
       It is possible to use IPsec to secure ULE links. The major
       advantage of IPsec is its wide implementation in IP routers and
       hosts. The security architecture for the Internet Protocol [15]
       describes security services for traffic at the IP layer. That
       architecture primarily defines services for Internet Protocol
       (IP) unicast packets, as well as manually configured IP multicast
       packets.
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 8]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       However IPsec is not well-suited to protect the identity of the
       ULE encapsulator/Receivers to provide this. The interfaces of
       these devices also do not necessarily have IP addresses (they can
       be L2 devices).
    
       In addition, IP Multicast is considered as a major service over
       MPEG-2 Transmission Networks. A document produced by the IETF
       Multicast Security (msec) [8] Working Group on IPsec extensions
       for multicast [11] describes extensions to [15] that further
       define the IPsec security architecture for packets that carry a
       multicast address in the IP destination field, allowing these to
       remain IP multicast packets.
    
    4.1. Tunnel mode use of IPsec for multicast
    
       In the context of MPEG-2 transmission links, if IPsec is used to
       secure a ULE link, then the ULE Encapsulators and Receivers are
       equivalent to the security gateways in IPsec terminology. A
       security gateway implementation of IPsec using the multicast
       extensions MUST use tunnel mode. In particular, the security
       gateway must use the tunnel mode to encapsulate incoming
       fragments.
    
       With IPsec tunnel mode, there are two challenges: First, if the
       destination of an IP multicast packet is changed it will no
       longer be properly routed. Secondly, IP multicast routing
       protocols also typically create multicast distribution trees
       based on the source address. An IPsec security gateway that
       changes the source address of an IP multicast packet, again this
       will cause multicast routing problems. The document referenced in
       [11] defines a way for retaining both the IP source and
       destination addresses of the inner IP header to allow IP
       multicast routing protocols to route the packet irrespective of
       the packet being IPsec protected. This interpretation of tunnel
       mode is known as tunnel mode with address preservation.
    
    4.2. IPsec and L2 security
    
       IPsec in transport mode can be used for end-to-end security
       transparently of MPEG-2 transmission links with no impact.
    
       However, if IPsec is used to secure ULE links, then it must be
       used in tunnel mode. Such usage has the following disadvantages:
    
       o There is a need to protect the identity of ULE encapsulator /
          receivers over the ULE broadcast medium; IPsec is not suitable
          for providing this service.
    
    
    Cruickshank           Expires December 15, 2006           [Page 9]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       o There is an extra overheads associated with using IPsec in
          tunnel mode, i.e. the extra IP header (IPv4 or IPv6).
    
       o Multicast is considered as a major service over ULE links. The
          current IPsec specifications [15] only define a pairwise
          tunnel between two IPsec devices with manual keying. Work in
          progress [11] is defining the extra detail needed for
          multicast and to use the tunnel mode with address preservation
          as described in section 4.1.
    
       In the ULE link context, in addition to the IPsec tunnelling
       overhead, the source and destination address preservation means
       that these IP addresses are broadcast in the clear. This provides
       an opportunity to intercept the traffic information (weakening
       the ability to provide the identity hiding). However [11]
       mentions the possibility that multicast data is sent through a
       service provider network, and is encapsulated under a different
       IP multicast address while in the provider network. The source
       address of the encapsulating (outside) IP header could be changed
       to that of the ULE gateway.
    
    5. Motivation for ULE link-layer security
    
       Examination of the threat analysis and security requirements in
       sections 2 and 3 has shown that there is a need to provide link-
       layer (L2) security in MPEG-2 transmission networks employing
       ULE, particularly when network-layer and transport-layer security
       (e.g. IPsec, TLS ) are insufficient.
    
       ULE link security is therefore considered an additional security
       mechanism to IP, transport, and application layer security, not a
       replacement. It should provide similar functions to that of IPsec
       [7], but in addition provides link confidentiality and Receiver
       identity hiding.
    
       End-to-end security, IPsec and ULE link security (between ULE
       Encapsulation Gateway to the ULE Receivers) can work in parallel:
       IPsec providing the end-to-end security between hosts and ULE
       providing the security over the MPEG-2 transmission link.
       However, no direct interaction between the IPsec and the ULE
       security system is envisaged.
    
       A modular design to ULE Security may allow it to use and benefit
       from IETF key management protocols, such as the MSEC [9] and GDOI
       [10]. This does not preclude the use of other key management
       methods in scenarios that benefit from this.
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 10]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
    5.1. Link security below the Encapsulation layer
    
       Link layer security can be provided in the MPEG-TS level (below
       ULE). MPEG-TS encryption encrypts all TS Packets sent with a
       specific PID value. However MPEG-TS may multiplex several IP
       streams using a common PID. Therefore all multiplexed traffic
       will share the same security keys.
    
       This has the following advantages:
    
       o The bit stream sent on the broadcast network does not expose
          any L2 or L3 headers, specifically all addresses, type fields,
          and length fields are encrypted prior to transmission.
    
       o This method does not preclude the use of IPsec, or any other
          form of higher-layer security.
    
       However it has the following disadvantages:
    
       o Each ULE Receiver needs to decrypt all MPEG-2 TS Packets with
          a matching PID, possibly including those that are not required
          to be forwarded. Therefore it does not have the flexibility to
          secure every individual IP connection separately.
    
       o ULE Receivers will be able to see the private traffic destined
          to other ULE Receivers, since they share a common key.
    
       o If the key is compromised, then this will impact several ULE
          Receivers. Existing access control mechanisms have limited
          flexibility in terms of controlling the use of key and
          rekeying. IETF based key management are not used in existing
          systems.
    
       In practice there are not many L2 security systems for MPEG
       transmission networks. Conditional access for digital TV
       broadcasting is one example that exists today. This system is
       optimised for TV services and will be suitable to IP packet
       transmissions. Some other systems are specified in standards such
       the MPE [4] system. However, there are no known implementations
       of such systems.
    
    5.2. Link security as a part of the Encapsulation layer
    
       Therefore major advantages for ULE link security are:
    
       o The protection of the complete ULE Protocol Data Unit (PDU)
          including IP addresses.
    
    
    Cruickshank           Expires December 15, 2006           [Page 11]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       o Ability to protect the identity of the Receiver within the
          MPEG-2 transmission network.
    
       o Efficient protection of IP multicast over ULE links.
    
       o Transparency to the use of Network Address Translation (NATs)
          [12] and TCP Performance Enhancing Proxies (PEP) [14], which
          require the ability to inspect and modify the packets sent
          over the ULE link.
    
       o This method does not preclude the use of IPsec. IPsec also
          provides a proven security architecture defining key exchange
          mechanisms and the ability to use a range of cryptographic
          algorithms. ULE security can make use of these mechanisms and
          algorithms.
    
       In some current encapsulation methods, e.g. MPE [4], encryption
       of the MAC address requires each Receiver to decrypt all
       encrypted data sent using a TS Logical Channel (PID), before it
       can then filter the PDUs that match the set of MAC/NPA addresses
       that the Receiver wishes to receive, therefore encryption of the
       MPE MAC address is not permitted in such systems. For ULE
       security, support for Layer 2 MAC/NPA address hiding should be
       provided.
    
       Examining the threat analysis in section 2, has shown that
       protection of ULE link from eavesdropping and ULE Receiver
       identity hiding are major requirements. Such requirements can be
       met using ULE link encryption.
    
       In the context of active threats in MPEG-2 transmission networks,
       ULE source authentication is required by the ULE Receivers.
       Attacks such as masquerading, modification of messages and
       injecting IP packets are more difficult. However, such attacks on
       individual ULE Receivers are possible, and can pass unnoticed by
       the ULE network operators or ISPs. Therefore using HMACs is one
       possibility which an associated overheads per ULE packets.
       Another possibility is to use lightweight data integrity methods
       or procedures can be provided by the ULE security system. In
       addition sequence numbers can provide protection against replay
       attacks.
    
    6. Summary
    
       This document analyses a set of threats and security
       requirements. It also defines the requirements for ULE security
       and states the motivation for link security as a part of the
    
    
    Cruickshank           Expires December 15, 2006           [Page 12]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       Encapsulation layer. In summary, there is a strong need for L2
       encryption and ULE Receiver identity hiding.
    
       There is an addition need (optional) for L2 source authentication
       and protection against insertion of other data into the ULE
       stream (i.e. data integrity). This is optional because of the
       associated overheads for the extra features and they are only
       required for specific service cases.
    
    7. Security Considerations
    
       Link-level (L2) encryption of IP traffic is commonly used in
       broadcast/radio links to supplement End-to-End security (e.g.
       provided by TLS, SSH, Open PGP, S/MIME, IPsec). A common
       objective is to provide the same level of privacy as wired links.
       An ISP or User may also wish to provide end-to-end security
       services to the end-users (based on the well known mechanisms
       such as IPsec).
    
       This document provides a threat analysis and derives the security
       requirements to provide optional link encryption and link-level
       integrity / authentication of the SNDU payload.
    
    8. IANA Considerations
    
       This document does not define any protocol and does not require
       any IANA assignments.
    
    9. Acknowledgments
    
       The authors acknowledge the help and advice from Gorry Fairhurst
       (University of Aberdeen), Stephane Coombes (ESA) and Y.F. Hu
       (University of Bradford) in the preparation of this draft.
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 13]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
    10. References
    
    10.1. Normative References
    
       [1]  Bradner, S., "Key Words for Use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.
    
       [2]  Montpetit, M.-J., Fairhurst, G., Clausen, H.,
             Collini-Nocker, B., and H. Linder, "A Framework for
             Transmission of IP Datagrams over MPEG-2 Networks",
             RFC 4259, November 2005.
    
       [3]  Fairhurst, G. and B. Collini-Nocker, "Unidirectional
             Lightweight Encapsulation (ULE) for Transmission of IP
             Datagrams over an MPEG-2 Transport Stream (TS)", RFC 4326,
             December 2005.
    
       [4]  EN 301 192, "Digital Video Broadcasting (DVB); DVB
             Specifications for Data Broadcasting", European
             Telecommunications Standards Institute (ETSI).
    
    10.2. Informative References
    
       [5]  Bellovin, S., "Problem Area for the IP Security protocols",
             Computer Communications Review 2:19, pp. 32-48, April 989.
             http://www.cs.columbia.edu/~smb/
    
       [6]  "Digital Video Broadcasting (DVB) -- interaction channel
             for satellite distribution systems", ETSI EN 301 790 V1.4.1
             (2005-04)
    
       [7]  http://www.ietf.org/html.charters/wg-
             dir.html#Security%20Area. RFCs 2401, 2402 and 2406
    
       [8]  http://www.ietf.org/html.charters/msec-charter.html
    
       [9]  H Harney (SPARTA), et al, "GSAKMP: Group Secure Association
             Group Management Protocol", <draft-ietf-msec-gsakmp-sec-
             10.txt>, IETF Work in Progress.
    
       [10] M. Baugher, et al, "GDOI: The Group Domain of
             Interpretation", RFC 3547.
    
       [11] Weis B., et al, "Multicast Extensions to the Security
             Architecture for the Internet", <draft-ietf-msec-ipsec-
             extensions-01.txt>, IETF Work in Progress.
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 14]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
       [12] B. Aboba and W Dixson, "IPsec-Network Address Translation
             (NAT) Compatibility Requirements"
    
       [13] http://www.ietf.org/html.charters/tls-charter.html
    
       [14] Border, J., Kojo, M., Griner, J., Montenegro, G., and Z.
             Shelby, "Performance Enhancing Proxies Intended to Mitigate
             Link-Related Degradations", RFC 3135, June 2001.
    
       [15] Kent, S. and Seo K., "Security Architecture for the
             Internet Protocol", RFC 4301, December 2006.
    
       [16] Karn, P., Bormann, C., Fairhurst, G., Grossman, D., Ludwig,
             R., Mahdavi, J., Montenegro, G., Touch, J., and L. Wood,
             "Advice for Internet Subnetwork Designers", BCP 89, RFC
             3819, July 2004.
    
    Author's Addresses
    
       Haitham Cruickshank
       Centre for Communications System Research (CCSR)
       University of Surrey
       Guildford, Surrey, GU2 7XH
       UK
       Email: h.cruickshank@surrey.ac.uk
    
       Sunil Iyengar
       Centre for Communications System Research (CCSR)
       University of Surrey
       Guildford, Surrey, GU2 7XH
       UK
       Email: S.Iyengar@surrey.ac.uk
    
       Laurence Duquerroy
       Research Department/Advanced Telecom Satellite Systems
       Alcatel Space, Toulouse
       France
       E-Mail: Laurence.Duquerroy@space.alcatel.fr
    
       Prashant Pillai
       Mobile and Satellite Communications Research Centre
       School of Engineering, Design and Technology
       University of Bradford
       Richmond Road, Bradford BD7 1DP
       UK
       Email: P.Pillai@bradford.ac.uk
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 15]


    Internet-Draft         Security Requirements for ULE      June 2006
    
    
    Intellectual Property Statement
    
       The IETF takes no position regarding the validity or scope of any
       Intellectual Property Rights or other rights that might be
       claimed to pertain to the implementation or use of the technology
       described in this document or the extent to which any license
       under such rights might or might not be available; nor does it
       represent that it has made any independent effort to identify any
       such rights.  Information on the procedures with respect to
       rights in RFC documents can be found in BCP 78 and BCP 79.
    
       Copies of IPR disclosures made to the IETF Secretariat and any
       assurances of licenses to be made available, or the result of an
       attempt made to obtain a general license or permission for the
       use of such proprietary rights by implementers or users of this
       specification can be obtained from the IETF on-line IPR
       repository at http://www.ietf.org/ipr.
    
       The IETF invites any interested party to bring to its attention
       any copyrights, patents or patent applications, or other
       proprietary rights that may cover technology that may be required
       to implement this standard.  Please address the information to
       the IETF at ietf-ipr@ietf.org.
    
    Disclaimer of Validity
    
       This document and the information contained herein are provided
       on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
       REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
       THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
       EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY
       THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
       RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
       FOR A PARTICULAR PURPOSE.
    
    Copyright Statement
    
       Copyright (C) The Internet Society (2006).
    
       This document is subject to the rights, licenses and restrictions
       contained in BCP 78, and except as set forth therein, the authors
       retain all their rights.
    
    
    
    
    
    
    
    Cruickshank           Expires December 15, 2006           [Page 16]
    

Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/