The procedures specified in this Recommendation | International Standard operate as extensions to those defined in ITU-T Rec. X.224 | ISO/IEC 8073 and ITU-T Rec. X.234 | ISO/IEC 8602 and do not preclude unprotected communication between transport entities implementing ITU-T Rec. X.224 | ISO/IEC 8073 or ITU-T Rec. X.234 | ISO 8602. The protection achieved by the security protocol defined in this Recommendation | International Standard depends on the proper operation of security management including key management. However, this Recommendation | International Standard does not specify the management functions and protocols needed to support this security protocol. This protocol can support all the integrity, confidentiality, authentication and access control services identified in CCITT Rec. X.800 I ISO 7498-2 as relevant to the transport layer. The protocol supports these services through use of cryptographic mechanisms, security labelling and attributes, such as keys and authenticated identities, pre-established by security management or established through the use of the Security Association — Protocol (SA-P). Protection can be provided only within the context of a security policy. This protocol supports peer-entity authentication at the time of connection establishment. In addition, rekeying is supported within the protocol through the use of SA-P or through means outside the protocol. Security associations can only be established within the context of a security policy. It is a matter for the users to establish their own security policy, which may be constrained by the procedures specified in this Recommendation | International Standard. The following items could be included in a Security Policy: a) the method of SA establishment/release, the lifetime of SA; b) Authentication/Access Control mechanisms; c) Label mechanism; d) the procedure of the receiving an invalid TPDU during SA establishment procedure or transmission of protected PDU; e) the lifetime of Key; f) the interval of the rekey procedure in order to update key and security control information (SCI) exchange procedure; g) the time out of SCI exchange and rekey procedure; h) the number of retries of sci exchange and rekey procedure. this Recommendation | International Standard defines a protocol which may be used for Security Association establishment. Entities wishing to establish an SA must share common mechanisms for authentication and key distribution. this Recommendation | International Standard specifies one algorithm for authentication and key distribution which is based on public key crypto systems. The implementation of this algorithm is not mandatory; however, when an alternative mechanism is used, it shall satisfy the following conditions: a) All SA attributes defined in 5.2 are derived. b) Derived keys are authenticated.