CCSDS IPsec Compatibility Testing 05/4/2016 CHARLES SHEEHE, CCSDS GRC POC OKECHUKWU MEZU, Test Engineer 1

IPsec Project Overview Performing Encapsulating Security Payload (ESP) using pre-shared keys on a CCSDS Internet Protocol (IP) packet going from source node over a satellite in space to a destination node Why this is important? Network Layer Security Adaptation Profile, which is to adapt and standardize the IETF's Internet Protocol Security (IPsec) protocol for use by CCSDS on missions replacing SCPS-SP – Two independent compatible developments are required prior to acceptance NASA GRC IPsec implementation will satisfy one independent development CNES IPsec implementation will satisfy the second independent development – Compatibility tests to ensure interoperability – Compatibility test will be recorded in the CCSDS Y-1 book as official documentation of testing CCSDS IPsec NASA development and testing started November

IPsec Project Process IPsec compatibility testing for CCSDS Evaluate IPsec/CCSDS related standards Define CCSDS/IPsec approved parameters by CCSDS working group Develop Test Plan Approval of Test Plan Perform independent testing based on defined IPsec parameters Modify test plan test only IPV4 Connection between agencies end point devices. Started compatibility testing Completed compatibility tests Documentation of test results Document Lessons Learned Present results to CCSDS working group April 2016 Key deliverable Test report in CCSDS format for yellow book 3

NASA Internal IPV4 IPsec VPN Tunnel Tests Cisco 3825 Router Ground Station R1 Cisco 3825 Router CCSDS Satellite R2 GE 0/ GE 0/ GE 0/ GE 0/ GE 0/ GE 0/ IPsec VPN Legend GE – Gigabit Ethernet Cisco 3825 Router Receive Station R3 Tunnel represents a direct logical connection between R1 & R3 through R2. However, all communication between R1 & R3 go through R2 (representing a satellite/networked cloud) Linux Box Internal IPsec IPv4 tests completed 4

Legend GE – Gigabit Ethernet CCSDS IPV4 IPsec VPN Tunnel 5 Current CCSDS IPv4 IPsec VPN Tunnel setup and configuration

Modified* CCSDS Yellow Book IPsec Test Matrix #IPV4ESPTunnelIntegrityIPcomp Authenticated EncryptionConfidentialityManual KeyAuto KeyNo Rekey 1*4XXX X X 24XXXX*X X 3*4XX*X XX 44XXX XX 54X X XX 64XXX X XX 74XXX X XX 84XXX X XX 6 * firewall restrictions, No IP Compression allowed and Phase one tunnel requires HASH, Tests #1 & #3 were not completed due to compatibility issues between Cisco & Palo Alto routers on Manual keying

CCSDS IPsec Compatibility issues Firewall restrictions – Firewall will not allow compressed packets to pass through. Internet Protocol compression is being removed from future Internet Engineering Task Force Transport Layer Security. – Firewall requires an null hash value for phase one tunnel Compatibility issues, Palo Alto devices would not allow manual keying options. 7

Lessons Learned Configurations must be shared and tested in advance. Successful test configuration files should be maintained for future connection issue. IPcomp should be removed from IP security documentation compressed packets not allowed to pass through firewall because they can not be inspected. Internet Protocol compression is being removed from future Internet Engineering Task Force Transport Layer Security Firewalls, vendor equipment and software differences are major obstacle to connections with legacy / space systems 8

We at NASA Glenn would like to thank; Julien Airaud and the team from CNES, it has been a much valued partnership. 9

Backup 10

Questions 11