IEEE Std 802.10-1998 Standard for Interoperable LAN/MAN Security (SILS) -Description

Abstract: IEEE 802.10 provides specifications for an interoperable data link layer security protocol and associated security services. The Secure Data Exchange (SDE) protocol is supported by an application layer Key Management Protocol (KMP) that establishes security associations for SDE and other security protocols. A security label option is specified that enables rule-based access control to be implemented using the SDE protocol. A method to allow interoperability with type-encoded Medium Access Control (MAC) clients is also provided, as well as a set of managed object classes to be used in the management of the SDE sublayer and its protocol exchanges.

Keywords: decipherment, encipherment, local area networks, security, metropolitan area networks, secure data exchange, security, security association

Content

1. Overview and model
- 1.1 Scope and purpose
- 1.2 References
- 1.3 Definitions and acronyms
- - 1.3.1 Definitions
  - 1.3.2 Acronyms
- 1.4 Architecture
2. Secure Data Exchange (SDE)
- 2.1 Overview
- 2.2 Definitions
- 2.3 SDE security services
- 2.4 SDE service specifications
- - 2.4.1 SDE_UNITDATA.request parameters
  - 2.4.2 SDE_UNITDATA.indication parameters
  - 2.4.3 Services assumed
- 2.5 SDE PDU structure
- - 2.5.1 SDE PDU format
  - 2.5.2 Elements of the SDE PDU
  - 2.5.3 Building the SDE PDU
  - 2.5.4 SDE procedure
  - 2.5.5 Reception procedures
- 2.6 Minimum Essential Requirements (MERs)
- - 2.6.1 Station objects
  - 2.6.2 Security association objects
  - 2.6.3 SAID requirements
  - 2.6.4 Security services
- 2.7 SDE sublayer management
- - 2.7.1 Overview
  - 2.7.2 Scope
  - 2.7.3 Definitions
  - 2.7.4 Management model
  - 2.7.5 SDE sublayer management entity definitions
  - 2.7.6 SDE sublayer management managed object definitions
  - 2.7.7 Conformance
3. Key Management
4. Bibliography
5. Annexes
Annex A Service rationale
- A.1 Layer 2 security services for LANs
- - A.1.1 Abstract
  - A.1.2 Introduction
  - A.1.3 Security services under the ISO security architecture
  - A.1.4 LAN characteristics that necessitate security services at the Data Link Layer
  - A.1.5 Security services
  - A.1.6 Mechanisms for provision of security systems
- A.2 Summary
- A.3 Bibliography
Annex B Example
- B.1 Algorithm registry
- B.2 Key management
- - B.2.1 Party A's proposed options
  - B.2.2 Party B's selected options
- B.3 Party A's SMIB
- - B.3.1 Station parameters
  - B.3.2 SAP parameters
  - B.3.3 Security association parameters
- B.4 Party B's SMIB
- - B.4.1 Station parameters
  - B.4.2 SAP parameters
  - B.4.3 Security association parameters
- B.5 Transmission processing (from Party A)
- - B.5.1 Obtaining the attributes
  - B.5.2 Transmission to non-SDE
  - B.5.3 Oversize SDU
  - B.5.4 Forming the Protected Header
  - B.5.5 Pad
  - B.5.6 Calculation of the ICV
  - B.5.7 Encipher the PDU
  - B.5.8 Clear Header
  - B.5.9 MAC request
- B.6 Reception processing (at Party B)
- - B.6.1 Requirements for reception
  - B.6.2 Decipherment of the PDU
  - B.6.3 ICV checking
  - B.6.4 Pad
  - B.6.5 Station ID
  - B.6.6 Security label
  - B.6.7 SDE_UNITDATA
- B.7 Bibliography
Annex C Objectives of SDE
Annex D Rationale for placement
- D.1 Introduction
- D.2 Integrated into MAC
- D.3 Between LLC and MAC or lower LLC
- D.4 Integrated into upper LLC
- D.5 Above LLC
- D.6 Conclusion
- D.7 Bibliography
Annex E Fragmentation
- E.1 Introduction
- E.2 Overview
- E.3 Additional station objects
- E.4 SAP objects
- E.5 Additional association object
- E.6 Additional Protected Header fields
- - E.6.1 Flags field
  - E.6.2 Fragment Identifier field
- E.7 Detailed functional specification
- - E.7.1 SDE_UNITDATA.request
  - E.7.2 SDE_UNITDATA.indication
  - E.7.3 Build Protected Header
  - E.7.4 Station_Reassembly_Timer
Annex F ASN.1 encodings
- F.1 Unrestricted ASN.1 types
- F.2 Imported encodings
- F.3 ASN.1 productions
Annex G Allocation of object identifier values
Annex H Recommended practice for SDE with IEEE 802.3 Type-encoded frames
- H.1 Introduction and scope
- H.2 Processing steps
- - H.2.1 Conversion of IEEE 802.3 Typed-encoded frames
  - H.2.2 Reception processing of SDE-protected IEEE 802.3 Type-encoded MAC frames
- H.3 Bibliography
Annex I Secure data exchange security label
- I.1 Introduction
- I.2 Overview
- I.3 SDE security label option
- I.4 Security label length
- I.5 Security tags
- - I.5.1 Tag type
  - I.5.2 Tag length
  - I.5.3 Security data
- I.6 Security Tag Type 1
- - I.6.1 Restrictive security attribute bit map
- I.7 Security Tag Type 2
- - I.7.1 Enumerated attributes
- I.8 Security Tag Type 5
- - I.8.1 Security attribute ranges
- I.9 Security Tag Type 6
- - I.9.1 Permissive Security Attribute Bit Map
- I.10 Security Tag Type 7
- I.11 Additional station objects
- I.12 Additional association objects
- I.13 Additional Protected Header field
- I.14 Detailed functional specification
- - I.14.1 SDE_UNITDATA.request
  - I.14.2 SDE_UNITDATA.indication
Annex J Security label set registration service
Annex K Basic processing rules for security labels
- K.1 Introduction
- K.2 Trustworthiness of transmitted labels
- K.3 Originator requirements
- K.4 Receiver requirements
- K.5 Error reports
- K.6 Policy-based processing rules
- K.7 Bibliography
Annex L Secure Data Exchange (SDE) Protocol Implementation Conformance Statement (PICS) proforma
- L.1 Introduction
- L.2 Abbreviations and special symbols
- L.3 Instructions for completing the PICS proforma
- - L.3.1 General structure
  - L.3.2 Additional information
  - L.3.3 Exception information
  - L.3.4 Conditional items
  - L.3.5 Specific instructions
- L.4 Identification
- L.5 Amendments, corrigenda, and exceptions
- L.6 SDE feature declarations
- L.7 SDE PDU declarations

links: [Standard Status] - [Purchase] - [PDF^*] - [LAN/MAN (802) Collection - Description]

available for Standards Online LAN/MAN (802) Collection subscribers only