1
- September 20-22, 2011
- San Jose, CA
- Day 2
- Systems Engineering Team
- Connected Vehicle Core System
Architecture/Requirements
- Workshop #2

4
- Enable data transfers between system users
- Are in a secure, trusted environment
- Enabling trust between parties that have no direct relationship
- Enabling secure data exchange between parties that have no direct
relationship
- Enabling the exchange of data between parties that have data and
parties that want data

7
- Views that will describe the logical interactions

8
- Focuses on the behavior, structure, and interaction of the functions
performed by the system
- Shows functions for each subsystem
- Traceable to functional requirements
- Color coding:
- Subsystems each represented by a different color
- Information Objects are the same color as the source Function object

9
- For each view:
- Description
- Consideration/Concerns
- Entities and their relationships (diagram)
- Alternatives explored
- Other related views

11
- Top Level
- Data Distribution
- System Configuration
- User Configuration
- System Monitor and Control
- Credentials Distribution
- Misbehavior Management
- Core Decryption
- Networking
- Core Backup

12
- Description:
- Objects map to the subsystems in the Concept of Operations
- Provide the basis for all subsequent functional views
- Satisfy functional requirements
- Illustrate interface requirements
- Specifies which subsystems provide external interfaces

13
- Considerations/Concerns Addressed:

19
- Description:
- System Users provide data, other System Users subscribe to data;
- The Core matches those providers and consumers without requiring them
to enter into a relationship with the other
- Includes several optional functions: data aggregation, data parsing and
data sampling
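The matching described above, as an added example that is not part of the workshop material or any Core System implementation: a small broker in Go in which providers publish records, subscribers register interest in a topic, and the Core pairs them. A subscriber only ever receives topic and value, never the provider's identity, which is what lets the two sides exchange data without a relationship. The optional parsing, sampling and aggregation functions are expressed as per-subscription parameters. Topic names, provider identifiers and the CSV line format are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Record is one data item as the Core holds it after parsing.
type Record struct {
	Topic    string
	Provider string // kept by the Core for accountability, never delivered
	Value    float64
}

// ParseRecord implements the optional "data parsing" function for a
// constructed line format: "topic,provider,value".
func ParseRecord(line string) (Record, error) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) != 3 {
		return Record{}, errors.New("expected 3 fields: topic,provider,value")
	}
	v, err := strconv.ParseFloat(f[2], 64)
	if err != nil {
		return Record{}, err
	}
	return Record{Topic: f[0], Provider: f[1], Value: v}, nil
}

// Subscription describes what a consumer wants; the optional sampling and
// aggregation functions are parameters (0 or 1 disables them).
type Subscription struct {
	Subscriber  string
	Topic       string
	SampleEvery int // deliver only every Nth matching record
	Aggregate   int // deliver the mean of every N values instead of each value
	seen        int
	batch       []float64
}

// Delivery is what a subscriber receives: topic and value only.
type Delivery struct {
	Subscriber string
	Topic      string
	Value      float64
	Aggregated bool
}

// Core matches providers to subscribers without introducing them.
type Core struct{ subs []*Subscription }

func (c *Core) Subscribe(s Subscription) { c.subs = append(c.subs, &s) }

// Publish routes one record and returns the resulting deliveries.
func (c *Core) Publish(r Record) []Delivery {
	var out []Delivery
	for _, s := range c.subs {
		if s.Topic != r.Topic {
			continue
		}
		s.seen++
		if s.SampleEvery > 1 && s.seen%s.SampleEvery != 0 {
			continue // sampled out
		}
		if s.Aggregate > 1 {
			s.batch = append(s.batch, r.Value)
			if len(s.batch) < s.Aggregate {
				continue // still accumulating
			}
			sum := 0.0
			for _, v := range s.batch {
				sum += v
			}
			out = append(out, Delivery{s.Subscriber, r.Topic, sum / float64(len(s.batch)), true})
			s.batch = s.batch[:0]
			continue
		}
		out = append(out, Delivery{s.Subscriber, r.Topic, r.Value, false})
	}
	return out
}

// DemoRun feeds constructed provider lines through the Core and returns the
// values each subscriber received.
func DemoRun() (map[string][]float64, error) {
	core := &Core{}
	core.Subscribe(Subscription{Subscriber: "center-A", Topic: "speed"})
	core.Subscribe(Subscription{Subscriber: "center-B", Topic: "speed", SampleEvery: 2})
	core.Subscribe(Subscription{Subscriber: "center-C", Topic: "speed", Aggregate: 3})
	lines := []string{ // constructed provider input
		"speed,rse-01,10", "speed,rse-02,20", "weather,rse-07,3.5",
		"speed,rse-01,30", "speed,rse-03,40", "speed,rse-02,50", "speed,rse-01,60",
	}
	got := map[string][]float64{}
	for _, l := range lines {
		r, err := ParseRecord(l)
		if err != nil {
			return nil, err
		}
		for _, d := range core.Publish(r) {
			got[d.Subscriber] = append(got[d.Subscriber], d.Value)
		}
	}
	return got, nil
}

func main() {
	got, err := DemoRun()
	if err != nil {
		panic(err)
	}
	fmt.Println(got) // center-A gets all six, center-B every second, center-C two means
}
```

With the constructed input, center-A receives all six speed values, center-B receives 20, 40 and 60, and center-C receives the means 20 and 50; the weather record reaches nobody because no subscription names that topic.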

20
- Considerations/Concerns Addressed:

22
- Alternatives Considered:
- An alternative that omitted the parsing and repackaging function was
reviewed at the June workshop
- Deployers of a Core System might weigh the communications requirements
to send large blocks of raw data against the computing requirements to
process the queries for data.
- Result was to make the parsing, aggregating, and sampling functions
optional

24
- Description:
- Addresses the configuration of all Core subsystems, both for
installation and changes to configuration
- Maintain an understanding of the configuration of other Cores
- Enables a variety of Core System configurations

25
- Considerations/Concerns Addressed:

28
- Description:
- Addresses the configuration of Core System user accounts and their data
subscriptions
- Manages Operator, System User, and Core requests for periodic service
status updates
- Creation and modification of System User data provision requests and
subscriptions
- Including actions by Operators, System Users and other Cores

29
- Considerations/Concerns Addressed:

34
- Description:
- Day-to-day housekeeping functions that enable the Operator to manage
the Core System's operations
- Monitoring of subsystem anomalies and state changes
- Operator interfaces
- Monitor the environmental conditions the Core operates in
- Provide status to Operators and some System Users
- Supports maintenance actions

35
- Considerations/Concerns Addressed:

38
- Description:
- Ensure Trust with Field and Center System Users and with Other Cores
- Mobile User credentials handled outside Core
- Management of credentials, including X.509 digital certificates, CRLs,
and assignment and recognition of credential-related roles (i.e.,
registration versus certificate distribution)

39
- Considerations/Concerns Addressed:

41
- Alternatives Considered:
- Discussed previously in Enterprise Views for Credential Distribution
- Functional alternatives not selected included the following features:
- Core as a CA
- Core as a CA, with pre-loaded Certs
- Separate RA and CA Cores
- External CA for anonymous DSRC Certs only
- Multiple root CAs

43
- Description:
- Identify System Users that are not acting properly
- Prevent the actions of misbehaving System Users from negatively
affecting other System Users
- Core requests actions of the External CA to deal with the misbehaving
user (cert holder)
- Monitor Operators, and identify and act when they operate in such a way
as to jeopardize the Core or the information it passes and stores
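The credential handling from the Credentials Distribution slides and the revocation step from the Misbehavior Management slide, together, as an added example in Go that is not part of the workshop material or any Core System implementation. An External CA issues X.509 certificates to two System Users, the Core reports one of them as misbehaving, the CA publishes a CRL, and the Core's check then distinguishes a valid holder, a revoked holder, a certificate from an issuer it does not trust, and a CRL that has gone stale. The CA, user names, serial numbers and validity windows are all constructed; the `must` helper and the status strings are this example's own conventions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short: setup failures abort instead of being returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoCA stands in for the External CA (constructed, not a real PKI).
type demoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA makes a self-signed CA carrying the keyCertSign and cRLSign usages
// that an issuer of certificates and CRLs needs.
func newCA(name string, now time.Time) *demoCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	// Re-parse so the generated SubjectKeyId is populated for CRL signing.
	return &demoCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// issue signs a System User certificate with the given serial number.
func (ca *demoCA) issue(serial int64, cn string, now time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// crl publishes a CRL naming the revoked serials: the action the Core's
// misbehavior management asks the External CA to take for a cert holder.
func (ca *demoCA) crl(revoked []int64, now time.Time) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

// CheckCredential is the Core-side decision. "no-crl" covers a CRL that is
// missing, not signed by the CA, or outside its validity window: the Core
// fails closed rather than assume the holder is still in good standing.
func CheckCredential(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "untrusted" // wrong issuer, bad signature, or expired
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "no-crl"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "valid"
}

// DemoStatuses runs the lifecycle and returns the outcome of each scenario.
func DemoStatuses() map[string]string {
	now := time.Now()
	ca := newCA("Example External CA", now)
	alice := ca.issue(100, "field-user-alice", now)
	bob := ca.issue(101, "field-user-bob", now)
	crlDER := ca.crl([]int64{101}, now) // bob reported as misbehaving
	stranger := newCA("Unrelated CA", now).issue(100, "stranger", now) // same serial, untrusted issuer
	return map[string]string{
		"alice":       CheckCredential(alice, ca.cert, crlDER, now),
		"bob":         CheckCredential(bob, ca.cert, crlDER, now),
		"stranger":    CheckCredential(stranger, ca.cert, crlDER, now),
		"alice-stale": CheckCredential(alice, ca.cert, crlDER, now.Add(2*time.Hour)), // CRL past NextUpdate
	}
}

func main() { fmt.Println(DemoStatuses()) }
```

The stale-CRL case is the one worth noticing: alice's certificate is still valid two hours later, but the CRL the Core holds has passed its NextUpdate, so the Core reports "no-crl" instead of "valid" until it fetches a current list.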

44
- Considerations/Concerns Addressed:

47
- Description:
- Encrypted messages meant for the Core must be decrypted in order for
the Core to act on their contents
- Encrypted messages that come to the Core but are addressed to System
Users are not decrypted by the Core.
- Requires the storage of a private key at the receiving nodes
- Balance security risk of having key in multiple locations

48
- Considerations/Concerns Addressed:

50
- Alternatives Considered:
- Store the private encryption key at each node that requires the ability
to read encrypted messages directed to the Core
- Supports scalability
- Exposes security risks
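The Core Decryption behaviour from the description slide and the key-placement concern from the alternatives slide, as an added example in Go that is not part of the workshop material or any Core System implementation. Envelopes use hybrid encryption (AES-256-GCM payload, AES key wrapped to the addressee's RSA public key with OAEP, addressee label bound into both). The Core Decryptor opens only envelopes addressed to the Core and forwards the rest untouched, and a user's envelope cannot be opened with the Core's key even if a node tried. Every node that runs `Handle` must hold the Core's private key, which is the exposure the alternatives slide weighs. Addressee labels, message texts and the `must` helper are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// must keeps the demo short: setup failures abort instead of being returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Envelope is a message as it arrives at the Core.
type Envelope struct {
	To         string // addressee label; also the OAEP label and the GCM AAD
	WrappedKey []byte // AES key, RSA-OAEP encrypted to the addressee
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext so that only the holder of pub's private key can read it.
func Seal(to string, pub *rsa.PublicKey, plaintext []byte) Envelope {
	key := make([]byte, 32)
	must(rand.Read(key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(to)))
	return Envelope{to, wrapped, nonce, gcm.Seal(nil, nonce, plaintext, []byte(to))}
}

// Open fails unless priv matches the addressee; a wrong key cannot unwrap.
func Open(env Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(env.To))
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.To))
}

// CoreDecryptor holds the Core's private key. Each node running this
// function needs its own copy of Key, the risk weighed on the slide above.
type CoreDecryptor struct {
	Self string
	Key  *rsa.PrivateKey
}

// Handle decrypts envelopes addressed to the Core; anything else is returned
// unmodified for forwarding and is never decrypted.
func (c CoreDecryptor) Handle(env Envelope) (plaintext []byte, forward *Envelope, err error) {
	if env.To != c.Self {
		return nil, &env, nil
	}
	pt, err := Open(env, c.Key)
	return pt, nil, err
}

// DemoRouting sends one message to the Core and one to a System User and
// reports what each party could read.
func DemoRouting() map[string]string {
	coreKey := must(rsa.GenerateKey(rand.Reader, 2048))
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	core := CoreDecryptor{Self: "core", Key: coreKey}
	toCore := Seal("core", &coreKey.PublicKey, []byte("subscribe: speed"))       // constructed
	toUser := Seal("user-42", &userKey.PublicKey, []byte("private for user-42")) // constructed
	out := map[string]string{}
	pt, _, err := core.Handle(toCore)
	if err != nil {
		panic(err)
	}
	out["core-read"] = string(pt)
	_, fwd, _ := core.Handle(toUser)
	out["forwarded-to"] = fwd.To
	out["user-read"] = string(must(Open(*fwd, userKey))) // the addressee can still read it
	if _, err := Open(toUser, coreKey); err != nil {
		out["core-opens-user"] = "denied" // Core's key does not unwrap a user's envelope
	} else {
		out["core-opens-user"] = "LEAK"
	}
	return out
}

func main() { fmt.Println(DemoRouting()) }
```

Binding the addressee label into the OAEP label and the GCM additional data means an envelope cannot be re-addressed in transit: changing `To` makes both the key unwrap and the authenticated decryption fail.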

52
- Description:
- Functionality required to maintain security and provide communications
for the Core
- Addresses the Core's connectivity to private networks and the Internet
- Defense against attack through those networks
- All network traffic must be passed through the Intrusion Prevention
System (IPS).

53
- Considerations/Concerns Addressed:

55
- Alternatives Considered:
- Network traffic could be allowed in without being passed through a
single Intrusion Prevention System (IPS)
- Opens up a potential bottleneck
- Relies on separate security systems
- Considered but rejected to preserve security/integrity of the system

56
- Connectivity Views
- High Level
- Core System Functional Allocation
- Communications Views
- Information Views
- Top Level External Objects
- Top Level Internal Objects

57
- Description:
- Core Systems may provide backup functionality to one another.
- Backup of services, where one Core may provide services on behalf of
another Core
- Backup of data, since data backup is required to implement service
backup

58
- Considerations/Concerns Addressed:

61
- Nodes, Communications Links, and Applications

62
- Composition of the physical elements (nodes) and their connections and
interactions
- Links are traceable to interface requirements

63
- Description:
- Allow deployment of the Core System across multiple hardware nodes
- Provides the interface between the Internet and the Core System's
Service Component Node
- Also supports connectivity through private networks

64
- Considerations/Concerns Addressed:

66
- Alternatives Considered:
- Whether to allow private networks to connect to Core Systems was
reviewed in June vs. requiring all System Users to come through the
Internet
- Decided to allow private network connections
- Greater flexibility, promote deployment

68
- Description:
- Allocates functional objects to engineering objects
- Identifies devices (hardware engineering objects, nodes) and Software
Engineering Objects (SEOs)
- Possible to vary how SEOs are distributed among nodes
- Supports redundancy

69
- Considerations/Concerns Addressed:
- Performance
- Interfaces
- Security
- Feasibility
- Risks
- Evolvability
- Deployability
- Maintainability

72
- Other variations to the above are shown in the SAD
- Alternatives Considered:
- Allow SCNs, the Core Decryptor, and the Service Router to be implemented on
nodes that are not connected to the same LAN
- Putting the Core Decryptor on the same LAN as other components simplifies
network configuration but could compromise security
- Related to all functional and comm views

73
- Description:
- Covers the states and modes and transitions for the hardware and
software objects
- Standby or Operational State
- Normal, Degraded, Restricted, Maintenance, Degraded/Restricted
- Training or Installation State
- Normal, Degraded, Maintenance

74
- Considerations/Concerns Addressed:
- Related View: Functional Top Level

76
- Return tomorrow for discussion on Communications and Information Views
and Other Topics