Transcript tictoc-2
Problem Statement
for
Securing
of
Synchronization Networks
Greg Dowd
Problem Statement for Securing of Synchronization Networks
Synchronization for telecoms applications (e.g. sync to wireless
basestations, wireline sync replacement, circuit emulation
services) is a mission-critical service, in the sense that if the sync
goes out of tolerance, the enabled service goes down and impacts
revenue. Packet-based synchronization (e.g. PTP or NTP
distributed over IP or MPLS networks) therefore requires both
security of stream as well as protection of the ephemeral nature of
the data being delivered. While this is an example of a
synchronization need, it is inevitable that other applications will
require the same types of services. The engineering and
interoperability of these requirements is within the domain of the
ietf and typically not considered by other standards bodies with
respect to IP based models.
Looking at the requirements for successful synchronization, a
number of fundamental considerations are obvious
With respect to the stream:
1.
2.
3.
Data must come from an unambiguous source.
Data may need to come from a trusted source of synchronization.
Loss, manipulation or corruption of data must be prevented or detected.
With respect to the timing:
1.
2.
3.
4.
Data may be lost.
Data may be delayed.
Data should not be reordered.
Data must not be replayed.
In the telecom world,
various network topologies exist in synchronization schemes:
1.
2.
3.
Single network domain
Operator network with intervening backhaul provider
Unprotected CPE appliance attached to operator network via public domain Internet
A variety of options are available to address
the requirements for successful synchronization
These options can be as simple as network engineering or as complex as
ensemble clocks verifying the integrity of the timing data against an alternate
signal carried at a different layer of the network. The issues of configuration,
management and interoperability of these systems should be addressed by the
ietf. While some implementations may be highly customized, many of these
are likely to use traditional data integrity and protection schemes. For instance,
home femtocells will be connected to the network via IPSec tunnels while
operator networks will typically isolate the synchronization networks with
VLANs. As these types of operations may have an impact on the quality of the
synchronization data, multiple approaches have been put forward to provide
optimal solutions. For instance, signaling and management messages might
flow over an encrypted IPSec pipe while standard synchronization packets
might flow unencrypted. After all, there is little inherent value in a timestamp.
How do we determine if this system meets the security requirements of
protecting the synchronization flow? What is the impact on other protocols
and/or other synchronization flows which may exist in the network? Can the
discovery or provisioning of these services be supported, assisted or enhanced
by other standard IP protocols such as dhcp?
Another approach is to examine the security models provided
by the protocols themselves
NTP and PTP provide protocol level security to mitigate some of the issues detailed above,
however they each have their strengths and weaknesses. For instance, an authentication
scheme has been suggested for use in PTP but, as a new protocol, it has had limited security
review and the initial data suggests that there are some serious flaws in the initialization of
the connections. On the other hand, NTP has a more highly evolved security model, with a
layered approach. While this protocol has been subjected to more scrutiny, the sheer variety
of trust schema can make the system unwieldy for those unschooled in the protocol.
Looking further, the synchronization protocols themselves are inherently resistant to some
issues by design. In synchronization systems, each sample input tends to carry little weight
so individual data errors, whether malicious or unintentional, can often be rejected. But it is
not clear whether the protection provided is sufficient for a particular application framework
or is even required. Also, the interaction between these various security models is not
clearly understood. The OSI model often has the effect of preventing one layer of the
protocol from discovering what security protections are in place at other layers. These
issues of configuration, discovery and management of the security framework for
synchronization are the type of problem which can be addressed by the ietf and is not
currently being addressed in other standards bodies.