Ieee p802. 21m Media Independent Services Framework Project

Fragmentation (informative) Example MIS message fragmentation

Download 3.39 Mb.

Page	29/33
Date	18.10.2016
Size	3.39 Mb.
	#452

1 ... 25 26 27 28 29 30 31 32 33

Calculation of securityOverhead when there is an MIS SA

Fragmentation (informative)

Example MIS message fragmentation

An example of an original MIS message and fragmented MIS messages is shown in Figure K. 1.

fig k1

Figure K.—MIS Fragmentation example for MTU of 1500 octets

Calculation of securityOverhead when there is an MIS SA

To calculate securityOverhead when there is an MIS SA, the following parameters are used:

— x is 0 when Source MISF Identifier TLV and Destination MISF Identifier TLV are contained in the protected MIS message, otherwise, x is 1.

— y is 1 for TLS-generated MIS SA. Otherwise, y is 0.

^—^L_SAID^deno^t^es^the^o^ctet^l^eng^t^h^of^the^SAID^TLV^carriedⁱⁿ^the^protected^MIS^mes^s^age.^L_S_A_ID

depends on the implementation.

^—^L_SID^d^enotes^t^he^octet^leng^t^h^of^the^So^u^rce^MISF^Ideⁿ^t^ifⁱ^er^{TLV o}^p^ti^o^nally^carriedⁱⁿ^the^protected

^MIS^message.^L_S_I_D^d^epen^d^s^on^t^heⁱ^m^p^lemeⁿ^tatⁱ^on.

— L_DIDdenotes the octet length of the Destination MISF Identifier TLV optionally carried in the pro- tected MIS message. L_DIDdepends on the implementation.

— O_S_E_CTLVdenotes the overhead of the Security TLV carried in the protected MIS message.

— O_T_YPE(y) denotes the overhead of the MIS data type contained in the Security TLV.

^{— O}_T_LS^denotes^the^overhead^of^the^TLS^record.^O_T_L_S⁼^5,^i.e.,^1-octet^TLSCi^p^her^t^ext.t^y^pe^p^lus²^-^o^ctet

TLSCiphertext.version plus 2-octet TLSCiphertext.length [RFC5246].

— O_E_NCdenotes the overhead of encryption. O_ENCdepends on the ciphersuite.

— O_I_N_TGdenotes the overhead of integrity protection. O_IN_T_Gdepends on the ciphersuite. securityOverhead is calculated as follows:

securityOverhead = L_SAID–x*(L_S_I_D+ L_D_I_D)+ O_S_E_CTLV+ O_T_YPE(y) + y*O_T_L_S+ O_E_NC+ O_I_NTG
Note that securityOverhead can be a negative value when x = 1.
_Since_the_maximum_size_of_Security_TLV_is_no_more_th_a_n_t_he_ma_xi_m_um_s_iz_e_of_Va_ri_ab_le_Pa_y_load_of_MIS

_message,_w_hich_i_s₂¹⁶_–1_octe_t_s_,_the_m_a_x_i_m_um_v_a_l_ues_o_f_OSECTLV_and_O_T_Y_PE(y)_are_sho_w_n_belo_w_.

— O_S_E_CTLV= 3 (i.e., 1-octet TLV Type plus 2-octet TLV Length).

— O_T_YPE(0) = 6, i.e., 1-octet CHOICE Selector in CHOICE(TLS_RECORD, MIS_SPS_RECORD) plus 2-octet Length field of ENCR_BLOCK data plus 1-octet CHOICE Selector in MIS_SPS_RECORD plus 2- octet Length field of INTG_BLOCK data.

^{— O}_T_YPE⁽¹⁾⁼^3,^i.e.,^1-octet^CHOICE^Se^l^ectorⁱⁿ^CHOI^C^E(TLS_REC^O^RD,^{MIS_SPS_RECORD)}

plus 2-octet Length field of TLS_RECORD data.

Table K.1 shows O_E_N_Cand O_IN_T_Gvalues for the MIS ciphersuites for EAP-generated MIS SA.
_Ta_b_l_e_K.1—P_r_ot_e_c_t_i_on_Ov_er_he_ad_fo_r_EAP-_g_en_e_ra_t_e_d_SAs

Ciphersuite code

Encryption

Integrity

Ptotection

^OENC

^OINTG

00000010

AES_CBC

HMAC-SHA1-96

32(IV+padding)

12 (MIC)

00000100

NULL

HMAC-SHA1-96

0

12 (MIC)

00000101

NULL

AES_CMAC

0

12 (MIC)

00000110

AES_CCM

10 (SN)+ 12(MIC)

0

For example, consider a case where Ciphersuite Code 00000010 (AES-CBC + HMAC-SHA1-96) is used for EAP-generated MIS SA (y=0) without containing Source MISF Identifier TLV and Destination MISF Identifier TLV in the protected MIS message (x=0), and the length of SAID TLV, the length of Source MISF Identifier TLV, the length of Destination MISF Identifier TLV are 30 octets, 20 octets and 30 octets, respectively. Then securityOverhead is computed as:

securityOverhead = L_SAID– (L_S_I_D+ L_DI_D) + O_SECT_L_V+ O_TYP_E(0) + O_ENC+ O_IN_T_G
= 30– (20+30)+3+6+44 = 33 (octets).
Figure K.2 shows the protected fragments for the original message shown in Figure K.1, when operating in the same condition as described in the above example with securityOverhead=33 (octets). The integer number within the brackets of each field in Figure K.2 indicates the length of the field in octets. In Figure K.2, the fragment size before applying MIS protection is set to 1424 (=16*89) octets to have the fragment size of 1499 octets after applying MIS protection, which gives the largest number of 16-octet blocks (89) under the condition that the resulting protected fragment does not exeeds 1500 octets.

_Fi_r_s_t_pr_o_tected_f_r_agment_message_(M=1,_FN=0,_size₌₁₄₉₉_octets)

Header (S=1) (8)

SAID TLV (30)

Security TLV (1461)

Encrypted fragment = 16*19 = 1424 octets

IV = 16 octets

MIC = 12 octets

TLV overhead = 3 octets

_MIS_data_type_o_verhead_{= 6}_octets

_Sec_o_nd_pr_o_tected_f_ragment_message_(M=0,_{FN=1, size}₌₂₅₁_octets)

Header (S=1) (8)

SAID TLV (30)

Security TLV (213)

Encrypted fragment = 1600-1424 = 176 octets

IV = 16 octets

MIC = 12 octets

TLV overhead = 3 octets

_MIS_d_ata_type_ov_e_rhead₌₆_octets

Figure K.2—Example of protected MIS fragment message

Directory: 802.21 -> dcn
dcn -> Ieee 802. 21 Working Group for Media Independent Services

Download 3.39 Mb.

Share with your friends:

1 ... 25 26 27 28 29 30 31 32 33