Author :
Esposito, Renée ; Frankel, Sheila ; Graveman, Richard ; McNown, Scott
Author_Institution :
Booz Allen Hamilton, Linthicum, MD, USA
Abstract :
This paper presents an overview of requirements and standards development activities for securing the control and management infrastructure protocols for optical networking protocols used in the Global Information Grid-Bandwidth Expansion (GIG-BE). Our approaches to hardening these protocols are: (1) to develop open standards that encompass the Department of Defense's needs; and (2) to encourage vendors to supply products that support these standards and other appropriate security functionality for GIG-BE signaling, routing, discovery, and management. At MILCOM 2001, Buda et al. reported on commercial-off-the-shelf security standards being developed for the GIG; they covered asynchronous transfer mode, multi-protocol label switching, and newly emerging optical networking. We have now completed control plane security and management plane security implementation agreements at the Optical Internetworking Forum (OIF), coordinated and aligned these with ATIS-T1M1 and the IETF, and begun efforts to implement and demonstrate these agreements. This paper briefly describes the OIF's work on control plane functionality in optical networks and the security requirements for these control protocols. It then explains why additional security was required for signaling, routing, and discovery; shows what alternatives were considered; and describes the choices made in the OIF's Security Extension for UNI and NNI. Securing an optical switch depends on much more than secure control protocols, so the paper next covers the OIF's Security for Management Interfaces to Transport Network Elements, which describes security objectives and choices for securing operations, administration, maintenance, and provisioning (OAM and P) interfaces to these network elements. Specifications and recommendations are given along with a mapping of how following the specifications satisfies the initial objectives. The relationship of this work to the security standards developed by T1M1 is also described.
Beyond these two implementation agreements, on-going efforts are focused on demonstrating the practicality of this approach, addressing end-to-end security, adding an audit log capability, continuing cooperation with T1M1 on OAM and P security, and keeping these implementation agreements aligned with new drafts and RFCs on signaling, routing, discovery, and security at the IETF.
Keywords :
auditing; military standards; optical fibre networks; routing protocols; security of data; telecommunication network management; telecommunication signalling; ATIS-T1M1; Department of Defense; GIG-BE; Global Information Grid-Bandwidth Expansion; IETF; OAM and P interfaces; Optical Internetworking Forum; RFC; Security Extension for UNI and NNI; Security for Management Interfaces to Transport Network Elements; audit log capability; control plane functionality; control protocols; discovery; end-to-end security; management security standards; operations administration maintenance and provisioning; optical networking protocols; optical networks; routing; signaling; Communication system security; High speed optical techniques; Information security; National security; Optical control; Optical fiber networks; Optical interconnections; Protocols; Routing; Standards development;