Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
us<strong>in</strong>g the traditional dual router implementation of reference 99 currently deployed <strong>in</strong> the<br />
Internet today:<br />
• To reduce the SWAP footpr<strong>in</strong>t of the encapsulation upon aircraft.<br />
• To enable network management deployments where an entire airplane (e.g., multiple<br />
enclaves) can be managed from a s<strong>in</strong>gle network management system (see section 8.4).<br />
It is probable that no middlebox implementation of this technology existed at the time this study<br />
was written. Creat<strong>in</strong>g a middlebox variant of this technology, therefore, represents a<br />
recommended development activity. Special care should be taken <strong>in</strong> the security design of its<br />
network management support capability (see section 8.4).<br />
Figure 30 shows that the encapsulat<strong>in</strong>g gateway that service Level A software networks on the<br />
airplane communicates with its peer encapsulation gateways servic<strong>in</strong>g Level A networks on<br />
another airplane or on the ground via IPsec’s ESP <strong>in</strong> tunnel mode communications. Entities<br />
with<strong>in</strong> the Level A networks use normal IP communications between themselves (i.e., pla<strong>in</strong><br />
text). From their perspective, they are us<strong>in</strong>g COTS IPs just like any other IP device would.<br />
They are unaware that any network exists outside of their own Level A enclave. They are also<br />
unaware that their enclave is us<strong>in</strong>g network services provided outside of their enclave (e.g., the<br />
network between the encapsulation gateways that service their enclave). VPN encryption and<br />
encapsulation is performed by their local encapsulation gateway so that no entity or network<br />
outside of their network enclave sees <strong>in</strong>traenclave communication except <strong>in</strong> its encrypted and<br />
encapsulated form. For example, from the po<strong>in</strong>t of view of the firewall <strong>in</strong> figure 30,<br />
communications from a Level A device on the airplane to a Level A device off of the airplane is<br />
merely an IP communication between two different encapsulation gateways (i.e., no entity<br />
outside of the VPN-protected enclave itself knows about the enclave).<br />
Therefore, the Level A VPN enclave entities have no knowledge about any entity outside of their<br />
own enclave community. The same is true for the Level B VPN enclave, the Level C<br />
VPN enclave, and so on—each VPN enclave only knows about itself. No entity outside of that<br />
enclave knows about entities <strong>in</strong>side a different enclave. Therefore, the enclave population is<br />
narrowly restricted to the members of the enclave only. Effective network partition<strong>in</strong>g has<br />
occurred. Even <strong>in</strong> the worst-case scenario where all firewalls <strong>in</strong> the entire NAS and on every<br />
airplane have become compromised and the airplanes are connected to the worldwide Internet,<br />
the enclave population rema<strong>in</strong>s restricted to the enclave membership only. Airplane passengers<br />
cannot communicate with devices <strong>in</strong>side an enclave (<strong>in</strong>deed, they do not know they exist) nor<br />
can any other entity outside of the enclave do so. Therefore, the risks articulated <strong>in</strong> section 4.1<br />
have been mitigated. If there is no human presence <strong>in</strong> an enclave (i.e., if the enclave is solely<br />
populated by devices), then the risks articulated <strong>in</strong> section 4.2 have also been mitigated for that<br />
enclave. If both of these are the case, then the concerns mentioned <strong>in</strong> sections 4.3 and 4.4 persist<br />
at a dim<strong>in</strong>ished risk level because the threat agents that can directly attack VPN entities are now<br />
restricted to the device population of the VPN itself. (Note: defense-<strong>in</strong>-depth protections (e.g.,<br />
QoS) are still needed to ensure that the LAN support<strong>in</strong>g the VPN is not attacked, which, if<br />
successful, could potentially result <strong>in</strong> DoS to the VPN.) Nevertheless, COTS devices are not<br />
111