| 摘要 |
This addendum extends the in-band security establishment mechanism specified in [1] to support
simplex connections. The in-band security approach in [1] is only supported on duplex
connections.
The signaling-based security mechanism defined in [1] does not support the Three-Way Security
Message Exchange (SME) protocol. Therefore, signaling-based security cannot support
algorithm negotiation or certificate exchange and requires time synchronization. The main reason
for this limitation is that the number of end-to-end flows (messages) that are required to support
these services does not match the number of end-to-end flows in signaling. These services
require three signaling flows and an acknowledgment flow. Adding a fourth flow to the signaling
protocols to support security would solve this problem but would have a larger impact than the
approach listed here.
The simplex in-band approach, specified herein, supports the use of the Three-Way SME protocol
for securing simplex VCs (that is, VCs with zero return bandwidth). This approach uses the in-band
mechanism specified in [1], which solves the limitations of the signaling approach (which
was previously the only approach available for securing simplex VCs). However, to support the
in-band SME protocol, the intervening network and security agents must support and establish
duplex VCs. Furthermore, since this mechanism uses the Security Services Information Element
(SSIE) in signaling messages, the network that connects the Security Agents (SAs) must support
transport of the SSIE in signaling.
The in-band simplex security approach is named such because the SME protocol is not performed
in signaling, but “in-band” on a separate temporary duplex connection. |
