The impact of security service selection for LANs

Abstract

IEEE 802 has defined a Local Area Network (LAN) architecture that contains a Logical Link Control (LLC) and a Media Access Control (MAC) protocol layer. Within this architecture, IEEE 802.10 is attempting to define protocols and interfaces that provide security. The authors of this paper submitted a protocol that implemented a specific set of security services and was placed between the LLC and MAC layers. This paper explains why the placement between the two layers was preferred to the placement being above LLC or within the LLC or MAC layers. It describes the security services that can be obtained by different placements, but then describes the reasons that between the MAC and the LLC was deemed the best option.

While this paper specifically addresses the IEEE 802 architecture, it contains trade-offs that can be applied to any security architecture involving both connection and connectionless services.

Author's Note: This paper was presented at the IEEE 802.10 meeting in March 1989. Some features have been added to the SDE proposal (between LLC and MAC) since that time to allow for bypassing key management information. Those features are not discussed in this paper. The inclusion of this paper in the EISS proceedings was to provide an alternative viewpoint to Paul Lambert's paper on the placement of a security sublayer.

Also, on retrospect, the subject of a connectionless security protocol running below a connection-oriented service was probably glossed over in this paper. For the statements about equivalence to be true, the connection-oriented service must have some knowledge about the way that keys are used in the connectionless protocol.