Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
• Lightweight directory access protocol (LDAP), HTTP, SSH, TLS and, optionally, IPsec rely upon asymmetric cryptography. However, the specific mechanism for doing this varies widely between these protocols. LDAP and TLS, for example, natively use X.509v3 conformant public key infrastructure (PKI) certificates. HTTP uses the underlying provisions provided by TLS. TLS can function without the use of asymmetric keys, but they are required if mutual authentication is supported. In the latter case, the server must provide a PKI Server Certificate and the Client a PKI Identity Certificate. IPsec only uses asymmetric keys for automated key management. The manual key management alternative, by contrast, solely uses preplaced symmetric keys. On Linux systems, SSH can be directly configured by running an internal Rivest-Shamir-Adleman (RSA) algorithm within its daemon to create its asymmetric keys.
• Other approaches require that unique symmetric key instances be distributed between each client-server pairing. This is the case for Domain Name System (DNS), dynamic host configuration protocol (DHCP), network time protocol (NTP) and real-time protocol (RTP). These symmetric keys must have been established at configuration time since these protocols lack a mechanism to dynamically distribute these keys. Simple network management protocol (SNMP) also requires unique symmetric key pairings between network administrators and SNMP agents; however, these keys may be constructed from the network administrator’s password. The key point is that a single SNMP agent, DNS, DHCP, or RTP daemon within any given device has a large number of unique secret key values that are used on a per-protocol basis that it must maintain and associate with the appropriate remote peer. This represents substantial local key management complexity that is often implemented in a manner that is difficult to subject to administrative oversight.
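The SNMP case above is worth seeing concretely. The following is an added illustration, not code from the FAA document: it implements the SNMPv3 User-based Security Model password-to-key algorithm from RFC 3414 (Appendix A.2), in which the administrator's password is expanded to 1 MiB, hashed, and then "localized" to one agent by hashing it together with that agent's snmpEngineID. The function names and the constructed sample engine IDs are this example's own; the test vector (password "maplesyrup", engine ID 0x000000000000000000000002) is the one published in the RFC.

```python
"""SNMPv3 USM password-to-key derivation (RFC 3414, Appendix A.2).

Added illustration for the key-management discussion; not code from the
FAA document.  Helper names and sample engine IDs are constructed here.
"""
import hashlib

ONE_MEBIBYTE = 1_048_576  # RFC 3414 expands the password to exactly this many bytes


def password_to_intermediate_key(password: str, algorithm: str = "md5") -> bytes:
    """Step 1 (Ku): repeat the password cyclically to 1,048,576 bytes and hash it.

    The result depends only on the password, so it is the same for every agent
    the administrator talks to.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    repetitions = ONE_MEBIBYTE // len(pw) + 1
    expanded = (pw * repetitions)[:ONE_MEBIBYTE]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(intermediate: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Step 2 (Kul): bind Ku to a single agent: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algorithm, intermediate + engine_id + intermediate).digest()


def password_to_localized_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Full derivation: the per-agent secret the manager must store and match to that peer."""
    return localize_key(password_to_intermediate_key(password, algorithm), engine_id, algorithm)


def per_agent_keys(password: str, engine_ids: list, algorithm: str = "sha1") -> dict:
    """The document's point in miniature: one administrator password fans out into a
    distinct localized key for every agent, keyed here by the agent's engine ID (hex).
    Each entry is a secret the manager must maintain and associate with the right peer.
    """
    return {eid.hex(): password_to_localized_key(password, eid, algorithm) for eid in engine_ids}


if __name__ == "__main__":
    # RFC 3414 A.3.1 / A.3.2 test vector
    rfc_engine_id = bytes.fromhex("000000000000000000000002")
    print("MD5  Kul:", password_to_localized_key("maplesyrup", rfc_engine_id, "md5").hex())
    print("SHA1 Kul:", password_to_localized_key("maplesyrup", rfc_engine_id, "sha1").hex())

    # Constructed engine IDs for three hypothetical agents on the same network
    agents = [bytes.fromhex("800000090300010203040501"),
              bytes.fromhex("800000090300010203040502"),
              bytes.fromhex("800000090300010203040503")]
    for eid, key in per_agent_keys("maplesyrup", agents).items():
        print(eid, key.hex())
```

Two properties of the derivation matter to an auditor. Localization means a key recovered from one agent's configuration is not directly the key used with another agent, which is the reason the engine ID is folded in. But the whole chain is deterministic from the password, so the strength of every per-agent key is bounded by the strength of that one password, and an inventory of which (user, engine ID) pairs are provisioned where is the minimum needed to bring this key material under administrative oversight.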
4.6 NETWORK MANAGEMENT—NETWORK SECURITY CONCERN.
Network management is an inherently important and difficult task. The difficulty of the task becomes increasingly untenable the greater the size and diversity of the deployed network devices being managed. This difficulty arises from subtle and not-so-subtle differences between various implementations of the management protocol and the management schemas (i.e., management information and variables) supported by the various devices. For example, in 2001, one of the authors of this document investigated industry support for the Distributed Management Task Force’s (DMTF)⁹ management schemas to examine their applicability to create policy-based network management constructs. He learned that although the vast majority of vendors claimed compliance with DMTF standards, upon closer inspection, it became apparent that they were supporting different (noninteroperable) versions of the schemas from each other. Most of the vendors had also introduced unique extensions to the schemas, and some of them had substituted constructs of their own invention for elements within the standard schemas. The net result was that a common management approach became increasingly untenable the more the deployment included different vendors’ products. A similar observation can be made concerning multivendor support for the SNMP’s management information base
⁹ DMTF; see http://www.dmtf.org/home
43