INTERNET-DRAFT          Link Security TOS          Donald Eastlake, III
                                                             March 1992

Physical Link Security Type of Service

Abstract

This draft proposes a type of service to request maximum physical link security. This would be an addition to the types of service enumerated in draft-almquist-tos-02 (which is to be issued as a Proposed Standard). This draft is intended to be submitted to the RFC editor as a Proposed Standard. Distribution of this document is unlimited. Please send any comments to the author, Donald Eastlake.

1. Nature of Requirement

Right now all Internet Protocol (IP) packets must have most of their header information, including the from and to address, in the clear. This is required for routers to properly handle the traffic even if a higher level protocol fully encrypts all bytes in the packet after the IP header. This renders even end-to-end encrypted IP packets subject to traffic analysis wherein activities of hosts or users are deducible from packet traffic statistics.

Physical links differ widely in their susceptibility to surreptitious analysis of the traffic flowing over them. For example:

   1) Land line media is harder to intercept than radio broadcast media.

   2) Between radio broadcast media, spread spectrum, or other low probability of intercept systems, are harder to intercept than normal broadcast systems. On the other hand, systems with a large footprint on the earth, such as some satellite down links, may be particularly accessible.

   3) Between land lines, point to point systems are somewhat harder to intercept than multi-point systems such as Ethernet or FDDI.

   4) Fiber optic land lines are harder to intercept than metallic paths because fiber is generally harder to tap.

   5) A secure land line, such as one in pressurized conduit with pressure alarms or one installed so as to be observable by guards, is harder to intercept than an unsecured land line.
   6) An encrypted link would be preferable to an unencrypted link because, even if it was intercepted, it would be much more difficult to obtain any useful information.

Choosing links where it is hard for an outside observer to intercept the information being transmitted defends against traffic analysis. In addition, it provides an additional level of protection for the content of the messages, which some users might want for sensitive messages, whether or not they are encrypted.

2. Specification

The value 15 decimal (F hex) in the four-bit Type of Service IP header field requests routing the packet to minimize the chance of surreptitious observation of its contents by agents external to the network.

3. Note on Choice of TOS Value

The value 15 is at the maximum Hamming distance from existing TOS values. In addition, although the TOS field is no longer bit encoded, this value is chosen so that it is binarily convenient to specify any pair of the five defined TOS attributes should it be decided to make such a pair a recognized TOS. The exclusive-or (i.e., bitwise addition without carry) of any pair of the five TOS values produces a new value not presently used for a defined TOS which could be used to specify the combination of the two types of service indicated by the values that were so combined.

4. Implementation

This TOS can be implemented in routing systems that offer TOS based routing (as can be done with OSPF, see RFCs 1245 through 1248) by assigning costs to links.

Establishing the "cost" for different links for this TOS is a local policy function. In principle, services are incomparable when criteria such as those given in the Nature of Requirement section above conflict. An example is a choice between an encrypted broadcast system and an unencrypted fiber optic land line. In practice, link encryption would probably dominate almost all other forms of protection, and physical security, as mentioned in criterion 5 above, would dominate other land line distinctions.
An example of costs for a hypothetical router would be as follows:

   Cost    Type

     1     Strong encryption with secure key distribution
     2     Physically secure point-to-point line
     6     Typical point-to-point line
     8     Typical local multi-point media
    12     Metropolitan area multi-point media
    24     Local radio broadcast
    32     Satellite link

It should be noted that routing algorithms typically compute the sum of the costs of the links. As a result, using costs such as the sample given above could result in using many more links than if the default class of service were requested. For example, over 50 links where two, such as a satellite hop and a radio link, might otherwise have served.

Security Considerations

The entirety of this draft concerns an Internet Protocol Type of Service to request maximum physical link security against surreptitious interception.

Author's Address

   Donald E. Eastlake, III
   PO Box N, MIT Branch PO
   Cambridge, MA 02139 USA

   phone: +1 508 486 2358
   email: dee@ranger.enet.dec.com
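The section 3 claims about Hamming distance and pairwise exclusive-or can be checked mechanically. The following is an added example, not part of the draft; it assumes the existing TOS values are those published in RFC 1349 (the final form of draft-almquist-tos), and the attribute label for value 15 is a name chosen here for illustration.

```python
from itertools import combinations

# Assumption: existing four-bit TOS values as published in RFC 1349.
EXISTING = {0b1000: "minimize delay", 0b0100: "maximize throughput",
            0b0010: "maximize reliability", 0b0001: "minimize monetary cost"}
NORMAL = 0b0000          # normal service, not one of the attributes
LINK_SECURITY = 0b1111   # value 15 proposed by this draft

def hamming(a, b):
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")

def min_distance(candidate):
    """Smallest Hamming distance from candidate to any assigned value."""
    return min(hamming(candidate, v) for v in list(EXISTING) + [NORMAL])

def best_unused_values():
    """Unused 4-bit values whose minimum distance to assigned values is largest."""
    unused = [v for v in range(16) if v not in EXISTING and v != NORMAL]
    best = max(min_distance(v) for v in unused)
    return [v for v in unused if min_distance(v) == best]

def pair_table():
    """Map each XOR-combined value to the pair of attributes it would denote."""
    attrs = dict(EXISTING)
    attrs[LINK_SECURITY] = "maximize link security"  # illustrative label
    table = {}
    for a, b in combinations(sorted(attrs), 2):
        combined = a ^ b
        # A reused or colliding value would make the combination ambiguous.
        if combined in attrs or combined == NORMAL or combined in table:
            raise ValueError(f"{combined:04b} is ambiguous")
        table[combined] = (attrs[a], attrs[b])
    return table

if __name__ == "__main__":
    print("best unused value(s):", best_unused_values())
    for value, pair in sorted(pair_table().items()):
        print(f"{value:04b} = {pair[0]} + {pair[1]}")
```

The ten pairs of five attributes land on exactly the ten four-bit values that are otherwise unassigned, so every combined value decodes to one pair.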
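The path-lengthening effect noted at the end of section 4 can be reproduced with a shortest-path computation over the sample cost table. The following is an added example, not part of the draft; the topology, node names and link-type keys are constructed here, and the default class of service is assumed to cost 1 per link.

```python
import heapq

# Sample costs from the draft's hypothetical router; the keys are labels chosen here.
SECURITY_COST = {"encrypted": 1, "secure_p2p": 2, "p2p": 6,
                 "local_multipoint": 8, "metro_multipoint": 12,
                 "radio": 24, "satellite": 32}

def build_topology(chain_len):
    """Constructed topology: SRC-GW-DST over a satellite hop and a radio
    link, plus a detour of chain_len encrypted links from SRC to DST."""
    links = [("SRC", "GW", "satellite"), ("GW", "DST", "radio")]
    nodes = ["SRC"] + [f"E{i}" for i in range(1, chain_len)] + ["DST"]
    links += [(a, b, "encrypted") for a, b in zip(nodes, nodes[1:])]
    return links

def shortest_path(links, cost_of, src="SRC", dst="DST"):
    """Dijkstra over undirected links; returns (total_cost, hop_count)."""
    adj = {}
    for a, b, kind in links:
        adj.setdefault(a, []).append((b, cost_of(kind)))
        adj.setdefault(b, []).append((a, cost_of(kind)))
    best = {src: 0}
    heap = [(0, 0, src)]
    while heap:
        cost, hops, node = heapq.heappop(heap)
        if node == dst:
            return cost, hops
        if cost > best.get(node, float("inf")):
            continue  # stale queue entry
        for nxt, c in adj.get(node, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, hops + 1, nxt))
    return None

def compare(chain_len):
    """Route the same topology under the assumed default and the security costs."""
    links = build_topology(chain_len)
    default = shortest_path(links, lambda kind: 1)  # assumption: 1 per link
    secure = shortest_path(links, SECURITY_COST.__getitem__)
    return {"default_hops": default[1], "secure_hops": secure[1],
            "secure_cost": secure[0]}

if __name__ == "__main__":
    for n in (10, 55, 57):
        print(n, compare(n))
```

The satellite and radio pair costs 32 + 24 = 56, so any chain of up to 55 encrypted links is preferred under the security costs; a local policy that wants to bound path length has to choose its cost ratios with that sum in mind.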