ISO/IEC ISP 10608-7:1998

INTERNATIONAL ISOAEC
STANDARDIZED ISP
PROFILE 10608-7
First edition
1998-08-01
Information technology - International
Standardized Profile TAnnnn -
Connection-mode Transport Service over
Connectionless-mode Network Service -
Part 7:
Security employing the Network Layer Security
Protocol - Connectionless-mode for TAnnnn
profiles
Technologies de Sin formation - Profil normal& international TAnnnn -
Service de franspot? en mode connexion sur service de rkseau en mode
sans connexion -
Partie 7: S&wit6 employant le protocole de s&wit@ de la couche
rkseau - Mode sans connexion, pour profils TAnnnn
Reference number
ISO/l EC ISP 10608-7: 1998(E)

---------------------- Page: 1 ----------------------
ISO/IEC ISP 10608-7: 1998(E)
Contents
1. SCOPE
1.1. General
1.2. Position within the Taxonomy
1
1.3. Scenario
2
1.4. Security Services
2
1.5. Security Mechanisms
2
2. NORMATIVE REFERENCES
2
3. DEFINITIONS
2
4. ABBREVIATIONS
3
5. REQUIREMENTS
3
5.1. General
3
5.2. Static Conformance Requirements
3
5.3. Dynamic Conformance Requirements
4
5.4. Placement
ANNEX A - INTERNATIONAL STANDARDIZED PROFILE IMPLEMENTATION
CONFORMANCE STATEMENT REQUIREMENTS LIST (IPRL)
A. 1 Introduction
A.2 Notation
A.3 Features Common to NLSP-CO and NLSP-CL
A.3.1 Major Capabilities (Common)
A.3.2 PDUs (Common)
A.3.3 SDT PDU Fields Common to CO & CL & Generic to Mechanisms
8
A.3.4 SDT PDU Fields Common to CO & CL with Specific SDT Based Encapsulation Mech.
0 ISO/IEC 1998
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or
utilized in any form or by any means, electronic or mechanical, including photocopying and micro-
film, without permission in writing from the publisher.
ISO/IEC Copyright Office l Case postale 56 l CH-121 1 Geneve 20 l Switzerland
Printed in Switzerland
ii

---------------------- Page: 2 ----------------------
0 ISOIIEC
ISO/IEC ISP 10608=7:1998(E)
A.4 Features Specific to NLSP-CL
9
A.4.1 Major Capabilities (NLSP-CL) 9
A.4.2 Initiator/Responder (Connectionless Mode) 9
A.4.3 Environment (Connectionless Mode)
9
A.4.4 SDT PDU Fields (Connectionless Mode)
10
A. 5 Placement
10
ANNEX B- ADDITIONAL AGREEMENTS REQUIRED
11
. . .
111

---------------------- Page: 3 ----------------------
0 ISO/IEC
ISO/IEC ISP 10608-7: 1998(E)
Foreword
for Standardization) and IEC (the
IS0 (the International Organization
International Electrotechnical Commission) form the specialized system for
worldwide standardization. National bodies that are members of IS0 or IEC
participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields
of technical activity. IS0 and IEC technical committees collaborate in fields of
mutual interest. Other international organizations, governmental and non-
governmental, in liaison with IS0 and IEC, also take part in the work.
In the field of information technology, IS0 and IEC have established a joint
technical committee, ISO/IEC JTC 1. In addition to developing International
Standards, ISO/IEC JTC 1 has created a Special Group on Functional
Standardization for the elaboration of International Standardized Profiles.
An International Standardized Profile is an internationally agreed, harmonized
document which identifies a standard or group of standards, together with options
and parameters, necessary to accomplish a function or a set of functions.
Draft International Standardized Profiles are circulated to national bodies for
voting. Publication as an International Standardized Profile requires approval by
at least 75 % of the national bodies casting a vote.
International Standardized Profile ISO/IEC ISP 10608-7 was prepared with the
collaboration of
- Asia-Oceania Workshop (AOW);
- European Workshop for Open Systems (EWOS);
- Open Systems Environment Implementors’ Workshop (OIW).
ISO/IEC ISP 10608 consists of the following parts, under the general title
Information technology - International Standardised Profile TAnnnn -
Connection-mode Transport Service over Connectionless-mode Network Service:
- Part 1: General overview and subnetwork-independent requirements
- Part 2: TA51 profile including subnetwork-dependent requirements for
CSM4lCD Local Area Networks (LANs)
- Part 4: Definition of profile TA53, operation over a Token Ring LAN
subnetwork
- Part 5: TAIIIIffA1121 profiles including subnetwork-dependent
requirements for X.25 packet-switched data networks using virtual calls
- Part 6: Definition of profile TA.54, operation over an FDDI LAN subnetwork
- Part 7: Security employing the Network Layer Security Protocol -
Connectionless-mode for TAnnnn profiles
iv

---------------------- Page: 4 ----------------------
ISOiIEC ISP 10608=7:1998(E)
@ ISO/IEC
- Part 8: Security employing the Network Layer Security Protocol -
Connection-mode with SDT-PDU based protection over X.25 packet
switched data networks using virtual calls, for TA1 I I I/TA1 121 profiles
- Part 12: MAC sublayer and physical layer dependent requirements for a
CSMAKD LAN subnetwork
- Part 13: MAC sublayer and physical layer dependent requirements for a
Token Ring LAN subnetwork
- Part 14: MAC, PHY and PMD sublayer dependent and Station Management
requirements over an FDDl LAN subnetwork
Annex A forms an integral part of this part of ISO/IEC ISP 10608. Annex B is for
information only.
V

---------------------- Page: 5 ----------------------
@ ISO/IEC
ISO/IEC ISP 1060%7:1998(E)
Introduction
ISO/IEC ISP 10608 is defined in accordance with the principles specified by ISO/IEC Technical Report
10000.
The context of Functional Standardization is one area in the overall field of Information Technology (IT)
standardization activities, covering base standards, profiles, and registration mechanisms. A profile defines
a combination of base standards that collectively perform a specific well-defined IT function. Profiles
standardize the use of options and other variations in the base standards, and provide a basis for the
development of uniform, internationally recognized system tests.
ISPs are produced not simply to ‘legitimize’ a particular choice of base standards and options, but to
promote real system interoperability. One of the most important roles for an ISP is to serve as the basis for
the development (by organizations other than IS0 and IEC) of internationally recognized tests. The
development and widespread acceptance of tests based on this and other ISPs is crucial to the successful
realization of this goal.
ISO/IEC ISP 10608 consists of several parts of which this is part 7. This part of ISO/IEC 10608 specifies
the security profile requirements employing the Network Layer Security Protocol (ITU-T X.273 1
ISO/IEC 11577) connectionless-mode.
This part extends existing TA profiles adding security protection.

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARDIZED PROFILE @ ISO/IEC
ISO/IEC ISP 10608-7: 1998(E)
Information technology -
International Standardized Profile TAnnnn -
Connection-mode Transport Service over Connectionless-mode Network Service -
Part 7:
Security employing the Network Layer Security Protocol --
Connectionless-mode for TAnnnn profiles
1 Scope
1 .I General
ISO/IEC 10608 is applicable to End Systems concerned with operating in the Open Systems
Interconnection (OSI) environment. It specifies a combination of OS1 standards which collectively
provide the connection-mode Transport Service using the connectionless-mode Network Service.
This part of ISO/IEC 10608 specifies the profile requirements for the provision of security services
using cryptographic techniques with the Network Layer Security Protocol connectionless-mode.
This part of ISO/IEC 10608 specifies profile requirements that are applicable to any type of
subnetwork.
1.2 Position within the Taxonomy
The taxonomy of profiles is specified in ISO/IEC TR 10000-2. This part of ISO/IEC ISP 10608
supports security services for any TA profile specified in ISO/IEC ISP 10608 (Connection-mode
transport over Connectionless-mode Network Service).
Note: ISO/IEC TR 10000 currently does not identify security sub-profiles. Profiles based on this part
of ISO/IEC ISP 10608 may be referred to as TAnnnS 1, or TAnnnS 1 C if confidentiality is
selected.
1.3 Scenario
Connection Mode
Transport Protocol
Connectionless Mode
Network Protcol
+ Connectionless Mode
NLSP
End System
1

---------------------- Page: 7 ----------------------
0 ISO/IEC
ISO/IEC ISP 10608-7: 1998(E)
Note: The relationship between the Connectionless Mode Network Protocol and Connectionless Mode NLSP is
specified in 5.4
1.4 Security Services
The following security services are within the scope of this part of ISO/IEC ISP 10608:
a) Data origin authentication
b) Connectionless integrity
Note: It is strongly recommended that some forrn of access control is supported. However, this may
be achieved using local access control lists which are outside the scope of this ISO/IEC ISP
10608.
c) Access control using security labels (optional)
d) Connectionless confidentiality (optional)
e) Traffic flow confidentiality (optional)
1.5 Security Mechanisms
This part of ISP 10608 provides no assurance as to the strength of the security mechanisms employed.
This part of ISO/IEC ISP 10608 does not specify the cryptographic algorithms to be employed.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions
of this part of ISO/IEC 10608. At the time of publication, the editions indicated were valid. All
documents are subject to revision, and parties to agreements based on this part of ISO/IEC ISP 10608
are warned against automatically applying any more recent editions of the documents listed below,
since the nature of the references made by ISPs to such documents is that they may be specific to a
Members of IEC and IS0 maintain registers of currently valid International
particular edition.
Standards and ISPs, and the ITU maintains published editions of its current Recommendations.
- ITU-T Recommendation X.273 (1994) 1 ISO/IEC 11577: 1995 Information technology -
Open Systems Interconnection - Network layer security protocol
3 Definitions
The terms used in this part of ISO/IEC 10608 are specified in the base standards referenced (see clause
.
2)
4 Abbreviations
The abbreviations and acronyms used in this part of ISO/IEC 10608 are specified in the base standards
referenced (see clause 2).

---------------------- Page: 8 ----------------------
0 ISOAEC
ISO/IEC ISP 10608-7: 1998(E)
5 Requirements
5.1 General
The requirements stated in these clauses apply to all conforming systems, without regard to the type of
subnetworks to which those end systems might be attached. Additional requirements are specified in
other parts of ISO/IEC ISP 10608.
This part of ISO/IEC ISP 10608 specifies provision of security services using the Network Layer
Security Protocol connectionless-mode
Additional requirements are given in annex A which specifies the IPRL for the Network Layer Security
Protocol.
5.2 Static Conformance Requirements
A conforming system shall:
support the NLSP-CL mode conformance class capabilities as stated in 14.1.2 of ITU-T X.273 1
a>
ISO/IEC 11577.
support the SDT-PDU structure as specified in 13.3 of ITU-T X.273 1 ISO/IEC 11577.
b)
support the static requirements for mechanisms to support connectionless integrity and data origin
C
...