Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
transport mode and come from a network management station or IDS device that is local to that<br />
airplane.<br />
8.3.7 High-Assurance LAN.<br />
The high-assurance LAN should consider the restrictions and provisions specified by the “Safety<br />
and Certification Approaches for Ethernet-Based Aviation Databuses” document [9]. The virtual<br />
l<strong>in</strong>k capability that is available with<strong>in</strong> avionics full-duplex switched (AFDX) [102-104]<br />
determ<strong>in</strong>istic Ethernet makes that technology an attractive alternative to serve as the highassurance<br />
LAN. The high-assurance LAN should be configured, if possible, to provide physical<br />
layer connectivity that duplicates the VPN enclave configurations as a defense-<strong>in</strong>-depth<br />
provision. This means that enclaves would be def<strong>in</strong>ed and protected by two complementary<br />
controls: the physical (OSI physical layer) connectivity restrictions by the high-assurance LAN<br />
and the protocol restrictions at the IP Layer enforced by VPN encapsulation and encryption.<br />
The SWAP footpr<strong>in</strong>t of the airborne LAN system could be theoretically reduced by logically<br />
creat<strong>in</strong>g the multiple <strong>in</strong>stances of high-assurance <strong>LANs</strong> shown <strong>in</strong> figure 30. Specifically, the<br />
many high-assurance LAN entities with<strong>in</strong> figure 30 may actually be two physical <strong>LANs</strong>, with the<br />
rema<strong>in</strong>der logically created by means of AFDX virtual l<strong>in</strong>ks. However, the entire LAN system<br />
should not be limited to a s<strong>in</strong>gle physical LAN because the passenger network needs to be a<br />
dist<strong>in</strong>ct physical LAN entity from all other <strong>LANs</strong> on the airplane. This latter requirement exists<br />
so that there could be no possibility to misconfigure the network and bypass the packet filter<br />
controls that need to be applied to passenger services <strong>in</strong> figure 1 deployments.<br />
8.3.8 Quality of Service.<br />
It is desirable for the virtual l<strong>in</strong>ks to support QoS rate control semantics. This may be<br />
accomplished at the physical layer through explicit rate controls or, more probably, at the<br />
network layer (i.e., IP Layer) through deploy<strong>in</strong>g differentiated service QoS (see RFC 2474).<br />
However it is accomplished, the communications with<strong>in</strong> the safety enclaves must be ensured to<br />
have the capacity that they need to perform their function. If the total actual network use across<br />
the aircraft control’s high-assurance LAN exceeds the physical capacity of that LAN, then the<br />
difference needs to come from dropp<strong>in</strong>g the passengers’ packets to ensure that aircraft systems<br />
have adequate network capacity. The rate controls associated with the packet filter cannot<br />
ensure that this happens alone because of the possibility of denial of service attacks orig<strong>in</strong>at<strong>in</strong>g<br />
from other sources (e.g., ground, other aircraft). While the firewall will drop packets targeted<br />
<strong>in</strong>appropriately, it will permit packets targeted to passengers to pass through. Thus, an <strong>in</strong>ternal<br />
QoS system is also needed to rate-limit external traffic go<strong>in</strong>g to passengers <strong>in</strong> aircraft that may<br />
be deployed (see figure 1).<br />
8.3.9 Air-to-Ground and Air-to-Air Communications.<br />
Air-to-ground COMSEC should ensure that the signals <strong>in</strong> space used for wireless<br />
communication are encrypted at the OSI reference model’s physical layer. This would provide<br />
protection from eavesdropp<strong>in</strong>g by nonauthorized entities and discourage attacks that <strong>in</strong>ject false<br />
communications <strong>in</strong>to the data stream. However, these l<strong>in</strong>ks will rema<strong>in</strong> potentially vulnerable to<br />
availability attacks caused by hostile jamm<strong>in</strong>g, unless mitigation techniques such as antijamm<strong>in</strong>g<br />
118