The first (bottom) layer of defense is provided by the air to ground communication providers. Although those details will remain out of the scope of this document, this layer would typically include lists of allowed and blocked web sites, restrictions on Transmission Control Protocol (TCP) session initiation, site-to-site ground Virtual Private Networks (VPNs), etc.

The middle layer of defense, MISON, is the sole scope of this document. MISON provides secure tunnels to the applications to ensure integrity and confidentiality of the communication. In so doing, MISON relieves the applications from this burden and relieves the airlines from a patchwork of security implementations.

The third (top) layer of defense is provided by the applications themselves, to ensure only authorized use of that application. Although those details are outside the scope of this document, note that more than one application may be simultaneously utilizing a MISON instance.

The onboard LAN configurations vary across aircraft manufacturers, aircraft models, and equipment suites. MISON defines a flexible approach that can operate in all onboard LAN configurations.

The interface between the MISON Client and the MISON onboard instance is in scope for this document.

The interface between the MISON air instance and the MISON ground instance is within the scope of this document.

MISON can support Quality of Service (QoS) implementation in a variety of methods. See Section 5.0. MISON applies to the Passenger-Owned Device Domain (PODD), Passenger Information and Entertainment Services Domain (PIESD), and Airline Information Services Domain (AISD).

The following items are outside the scope of this document:

• The hosting environment for the MISON software is outside the scope of this document.

• The software design of the MISON instance is outside the scope of this document.

• A VPN concentrator within the airline enterprise may host all the ground MISON gateways. The airline enterprise is outside the scope of this document.

• MISON will need to operate in a variety of onboard network configurations. A preferred network configuration is outside the scope of this document.

• Onboard wireless network access is outside the scope of this document.

• Mechanisms for TCP Acceleration are outside of the scope of MISON.

COMMENTARY

Note that because IPsec VPN encrypts the TCP packet header, TCP acceleration can be nullified because the modem cannot detect the TCP packet and will consequently pass the unrecognized packet as a “raw” packet. TCP ACKS will then have to transmit end to end over a high latency communication path which causes decreased performance. When implementing MISON, suppliers should consider adding mechanisms, such as TCP Performance Enhancing Proxy, also known as Transmission Control Protocol – Performance Enhancing Protocol (TCP-PEP), to minimize impact to TCP throughput incurred on high latency links.