ATM Networks and Security
by Dr. Eva Bozoki - May 30, 2000
3. ATM Protocol Basics
3.1. ATM Architecture
The standard OSI reference model consists of seven layers, as shown in the first part of Figure 4. In ATM networks, the ATM protocol stack (physical layer, ATM layer and ATM adaptation layer) takes the place of the OSI physical, data link, and network layers. The second part of Figure 4 illustrates the ATM reference model, showing two end systems and two intermediate systems (ATM switches).
Layers of the standard OSI reference model (a) and the ATM view of protocol stacks with two end nodes and two switches (b)
The ATM switches forward the unit of ATM transmission, the fixed-length ATM cell, so the ATM layer is present at every node along the path from one end system to the other. The two interfaces are the user-to-network interface (UNI), between an end system and the network, and the network-to-network interface (NNI), between switches.
Unlike IP networks, an ATM network is connection-oriented: a connection between the two end systems must be established before any data is transferred. During connection establishment the network nodes assign the virtual path and virtual channels through which the cells will travel.
The ATM reference model consists of three main layers and three planes (see Figure 5). The layers are as follows:
Physical layer: transmission of bits over the physical medium and mapping of cells into the transmission frame (for example SONET/SDH).
ATM layer: cell header generation and extraction, VPI/VCI translation, multiplexing and switching of cells, and generic flow control.
ATM adaptation layer (AAL): segmentation of higher-layer data into 48-byte cell payloads and reassembly at the far end, plus service-specific functions (AAL1 through AAL5) for the traffic type carried.
Planes are used to separate the different needs and functions the ATM model has to address:
User plane: transfer of user data, including flow control and error recovery.
Control plane: call and connection control, that is, signaling.
Management plane: layer management (operation and maintenance functions for each layer) and plane management (coordination of the planes as a whole).
The ATM reference model
3.2. ATM Cell Structure
An ATM cell consists of 53 bytes, divided into a 5-byte header and a 48-byte payload. The structure of the UNI header is shown in Figure 6. VPI and VCI are the virtual path and virtual channel identifiers (8 and 16 bits at the UNI). GFC, CLP, PTI, and HEC represent generic flow control (4 bits), cell loss priority (1 bit), payload type indicator (3 bits), and header error control (8 bits), respectively. The NNI header has no GFC field; its four bits extend the VPI to 12 bits. The HEC is a CRC computed over the first four header bytes only, so it protects the routing information in the header, not the payload.
The structure of the (UNI) ATM cell
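The following is an added example, not code from the original article, that parses and builds the UNI cell header described above and verifies its HEC. The HEC algorithm (CRC-8 with generator x^8 + x^2 + x + 1 over the first four header bytes, then XORed with the coset 0x55) is the ITU-T I.432 procedure; the sample cells are constructed here, and the field values in them (VPI 0, VCI 5, the default UNI signaling channel) are chosen for illustration.

```python
"""Parse, build and check the 5-byte UNI header of an ATM cell.

Added example for this article; the sample cells below are constructed.
"""
from typing import Dict

HEC_POLY = 0x07    # x^8 + x^2 + x + 1 (the x^8 term is implicit in 8-bit arithmetic)
HEC_COSET = 0x55   # ITU-T I.432 XORs the CRC remainder with 01010101
CELL_LEN = 53
HEADER_LEN = 5


def crc8(data: bytes, poly: int = HEC_POLY) -> int:
    """Bitwise CRC-8, initial value 0, no final inversion."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def compute_hec(header: bytes) -> int:
    """HEC covers only the first four header bytes (GFC/VPI/VCI/PTI/CLP)."""
    return crc8(header[:4]) ^ HEC_COSET


def build_uni_header(gfc: int, vpi: int, vci: int, pti: int, clp: int) -> bytes:
    """Pack the UNI header fields and append a correct HEC byte."""
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536
            and 0 <= pti < 8 and clp in (0, 1)):
        raise ValueError("UNI header field out of range")
    b0 = (gfc << 4) | (vpi >> 4)                 # GFC (4) | VPI high nibble
    b1 = ((vpi & 0xF) << 4) | (vci >> 12)        # VPI low nibble | VCI bits 15..12
    b2 = (vci >> 4) & 0xFF                       # VCI bits 11..4
    b3 = ((vci & 0xF) << 4) | (pti << 1) | clp   # VCI bits 3..0 | PTI (3) | CLP (1)
    head = bytes([b0, b1, b2, b3])
    return head + bytes([compute_hec(head)])


def parse_uni_header(cell: bytes) -> Dict[str, int]:
    """Unpack the UNI header of a cell (or bare header) and verify its HEC."""
    if len(cell) < HEADER_LEN:
        raise ValueError("need at least a 5-byte header")
    b0, b1, b2, b3, hec = cell[:HEADER_LEN]
    return {
        "gfc": b0 >> 4,
        "vpi": ((b0 & 0xF) << 4) | (b1 >> 4),
        "vci": ((b1 & 0xF) << 12) | (b2 << 4) | (b3 >> 4),
        "pti": (b3 >> 1) & 0x7,
        "clp": b3 & 0x1,
        "hec": hec,
        "hec_ok": int(hec == compute_hec(cell[:4])),
    }


def signaling_cell(payload: bytes) -> bytes:
    """Constructed sample: a cell on VPI 0 / VCI 5, the default UNI signaling channel."""
    if len(payload) != CELL_LEN - HEADER_LEN:
        raise ValueError("ATM payload is exactly 48 bytes")
    return build_uni_header(gfc=0, vpi=0, vci=5, pti=0, clp=0) + payload


if __name__ == "__main__":
    cell = signaling_cell(bytes(48))
    print(parse_uni_header(cell))
    # A single flipped header bit is caught by the HEC.
    corrupt = bytes([cell[0] ^ 0x80]) + cell[1:]
    print(parse_uni_header(corrupt)["hec_ok"])
```

Two standard cells make handy sanity checks: the unassigned cell header (four zero bytes) has HEC 0x55, and the idle cell header 00 00 00 01 has HEC 0x52. Note that a switch uses the HEC only to validate and delineate headers; it says nothing about who sent the cell, which is the point taken up in the signaling weaknesses below.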
3.3. ATM Signaling
Signaling is the process by which ATM users and the network exchange control information, request the use of network resources, or negotiate circuit parameters. The VPI-VCI pair and the requested bandwidth are allocated as a result of a successful signaling exchange.
The following is a partial list of signals, grouped according to their functions:
Call establishment: SETUP, CALL PROCEEDING, CONNECT, CONNECT ACKNOWLEDGE.
Call clearing: RELEASE, RELEASE COMPLETE.
Restart: RESTART, RESTART ACKNOWLEDGE.
Point-to-multipoint: ADD PARTY, ADD PARTY ACKNOWLEDGE, ADD PARTY REJECT, DROP PARTY, DROP PARTY ACKNOWLEDGE.
3.4. Weaknesses in ATM Signaling
Because there is no caller authentication or proof of identity associated with SETUP, the called party has no way to verify the calling party address carried in the message, so SETUP is subject to masquerading (spoofing) attacks.
An attacker may delay a CALL PROCEEDING signal so that it is received after more than t1 seconds by the party that issued the SETUP signal. The caller's timer expires and the call attempt is cleared, which has the effect of denial of service.
An attacker also may delay a CONNECT ACKNOWLEDGE signal so that it is received after more than t2 seconds by the party that issued the CONNECT signal. This also has the effect of denial of service.
No proof of identity is required for RELEASE or RESTART, so both can be a vehicle for denial of service: anyone able to inject signaling can clear an existing connection with RELEASE or reset the connections on an interface with RESTART.
An attacker may send an ADD PARTY signal to a point-to-multipoint connection, thereby adding an unauthorized or hostile party.
An attacker may send an ADD PARTY REJECT or a DROP PARTY signal, denying service to a legitimate party of the multipoint connection.
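The following is an added example, not code from the original article, that models the signaling exchange of section 3.3 and the weaknesses listed above as a small two-endpoint simulation. Message names follow the article; the timer names t1 and t2 are the article's, while the timer values, the endpoint names "A", "B", "network" and "attacker", the call reference 7 and the delays are constructed for illustration. The model checks t1 and t2 when the late message arrives, a simplification of real timer expiry, and deliberately does not verify who sent a message, because the protocol as described gives the receiver nothing to verify against.

```python
"""Toy model of the ATM signaling exchange and its weaknesses (added example;
all names, timer values and the call reference are constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Signal:
    msg: str                   # "SETUP", "CALL PROCEEDING", "CONNECT", ...
    call_ref: int              # call reference shared by both ends of the call
    origin: str                # real sender; known to the model, invisible to the receiver
    at: float                  # simulated arrival time in seconds
    calling_party: Optional[str] = None  # address carried inside SETUP, never verified


@dataclass
class Endpoint:
    name: str
    t1: float                  # max wait for CALL PROCEEDING after sending SETUP
    t2: float                  # max wait for CONNECT ACKNOWLEDGE after sending CONNECT
    state: str = "NULL"
    waiting_since: Optional[float] = None
    peer: Optional[str] = None  # who this endpoint believes it is talking to
    log: List[str] = field(default_factory=list)

    def send(self, msg: str, call_ref: int, now: float) -> Signal:
        if msg == "SETUP":
            self.state, self.waiting_since = "CALL INITIATED", now
        elif msg == "CONNECT":
            self.state, self.waiting_since = "CONNECT REQUEST", now
        return Signal(msg, call_ref, self.name, now, calling_party=self.name)

    def receive(self, sig: Signal) -> None:
        waited = sig.at - self.waiting_since if self.waiting_since is not None else 0.0
        if sig.msg == "SETUP":
            # Weakness: the calling party address is taken on faith (masquerading).
            self.state, self.peer = "CALL PRESENT", sig.calling_party
        elif sig.msg == "CALL PROCEEDING":
            if self.state == "CALL INITIATED" and waited > self.t1:
                self.clear(f"t1 expired: CALL PROCEEDING arrived after {waited:.1f}s")
            else:
                self.state = "OUTGOING CALL PROCEEDING"
        elif sig.msg == "CONNECT":
            self.state = "ACTIVE"
        elif sig.msg == "CONNECT ACKNOWLEDGE":
            if self.state == "CONNECT REQUEST" and waited > self.t2:
                self.clear(f"t2 expired: CONNECT ACKNOWLEDGE arrived after {waited:.1f}s")
            else:
                self.state = "ACTIVE"
        elif sig.msg in ("RELEASE", "RESTART"):
            # Weakness: no proof of identity, so any origin clears the call.
            self.clear(f"{sig.msg} accepted from {sig.origin} without proof of identity")

    def clear(self, reason: str) -> None:
        self.state, self.waiting_since = "NULL", None
        self.log.append(reason)


def normal_call() -> Tuple[Endpoint, Endpoint]:
    """SETUP -> CALL PROCEEDING -> CONNECT -> CONNECT ACKNOWLEDGE, all within t1/t2."""
    a, b = Endpoint("A", t1=4.0, t2=4.0), Endpoint("B", t1=4.0, t2=4.0)
    setup = a.send("SETUP", 7, now=0.0)
    b.receive(Signal("SETUP", 7, "network", 0.5, setup.calling_party))  # relayed by the switch
    a.receive(Signal("CALL PROCEEDING", 7, "network", 1.0))
    b.send("CONNECT", 7, now=1.5)
    a.receive(Signal("CONNECT", 7, "network", 2.0))
    a.send("CONNECT ACKNOWLEDGE", 7, now=2.0)
    b.receive(Signal("CONNECT ACKNOWLEDGE", 7, "network", 2.5))
    return a, b


def delayed_call_proceeding(delay: float) -> Endpoint:
    """An attacker holds CALL PROCEEDING so it reaches the caller `delay` seconds after SETUP."""
    a = Endpoint("A", t1=4.0, t2=4.0)
    a.send("SETUP", 7, now=0.0)
    a.receive(Signal("CALL PROCEEDING", 7, "network", delay))
    return a


def delayed_connect_ack(delay: float) -> Endpoint:
    """An attacker holds CONNECT ACKNOWLEDGE so it reaches the callee `delay` seconds after CONNECT."""
    b = Endpoint("B", t1=4.0, t2=4.0)
    b.receive(Signal("SETUP", 7, "network", 0.0, calling_party="A"))
    b.send("CONNECT", 7, now=1.0)
    b.receive(Signal("CONNECT ACKNOWLEDGE", 7, "network", 1.0 + delay))
    return b


def spoofed_release() -> Endpoint:
    """A third party who has learned the call reference tears down an active call."""
    a, _ = normal_call()
    a.receive(Signal("RELEASE", 7, "attacker", 10.0))
    return a


def spoofed_setup() -> Endpoint:
    """An attacker's SETUP that claims to come from A is believed by B."""
    b = Endpoint("B", t1=4.0, t2=4.0)
    b.receive(Signal("SETUP", 7, "attacker", 0.0, calling_party="A"))
    return b
```

Running the scenarios side by side shows the pattern the section describes: the normal exchange ends with both endpoints ACTIVE, each delayed message past its timer drops the call to NULL, the RELEASE is honoured even though its origin is not the call's peer, and B records "A" as its peer although the SETUP came from the attacker. Every one of these outcomes follows from the receiver having nothing but the message itself to go on.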