CCSDS IPsec Compatibility Testing 10/28/2013 OKECHUKWU MEZU CHARLES SHEEHE CCSDS GRC POC.

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

CCSDS Security Working Group Spring 2014 Meeting 10 November – 13 November 2014 London, England Okechukwu Mezu, Charles Sheehe NASA/Glenn.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Internet Security CSCE 813 IPsec

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

Security at the Network Layer: IPSec

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.

Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

CCSDS IPsec Compatibility Testing

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

6/21/01Team 2 DCS 835 Rev 6/22/011 IP Security (IPSec)  Background –The internet has no centralized technical support. What makes it work is an agreed.

Implementing Secure Converged Wide Area Networks (ISCW) Module 3.2.

An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.

IPSec in a Multi-OS Environment. What is IPSec? IPSec stands for Internet Protocol Security It is at a most basic level a way of adding security to your.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

Generic Routing Encapsulation GRE  GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside.

Karlstad University IP security Ge Zhang

IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.

Chapter 8: Implementing Virtual Private Networks

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

Attacking IPsec VPNs Charles D George Jr. Overview Internet Protocol Security (IPSec) is a suite of protocols for authenticating and encrypting packets.

IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)

Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

Agenda CCSDS Network Layer Security IPSec+IKE Profile for CCSDS

1 Network Layer Security: Status Update Howie Weiss (NASA/JPL/Parsons) Bordeaux, France April 2013.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

Virtual Private Network Chapter 4. Lecturer : Trần Thị Ngọc Hoa2 Objectives  VPN Overview  Tunneling Protocol  Deployment models  Lab Demo.

Virtual Private Network Configuration

Internet Security CSCE 813 IPsec. CSCE813 - Farkas2 TCP/IP Protocol Stack Application Layer Transport Layer Network Layer Data Link Layer.

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.

IP Security (IPSec) Authentication Header (AH) Dr Milan Marković.

CCSDS IPsec Compatibility Testing 05/4/2016 CHARLES SHEEHE, CCSDS GRC POC OKECHUKWU MEZU, Test Engineer 1.

CCSDS IPsec Compatibility Testing

Module 4: Configuring Site to Site VPN with Pre-shared keys

VPNs and IPSec Review VPN concepts Encryption IPSec Lab.

CCSDS Security Credentials Blue Book

Network Layer Security Update

CCSDS IPsec Compatibility Testing

UNIT.4 IP Security.

Agenda CCSDS Network Layer Security IPSec+IKE Profile for CCSDS

Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls

B. R. Chandavarkar CSE Dept., NITK Surathkal

Presentation transcript:

CCSDS IPsec Compatibility Testing 10/28/2013 OKECHUKWU MEZU CHARLES SHEEHE CCSDS GRC POC

IPsec Project Overview Performing Encapsulating Security Payload (ESP) using pre- shared keys on a CCSDS Internet Protocol (IP) packet going from source node over a satellite in space to a destination node Why this is important – Two independent verifications of a specification are required prior to acceptance – NASA GRC IPsec compatibility testing will satisfy one independent tests – It will be recorded in the CCSDS yellow book as official documentation of testing CCSDS IPsec testing expected start date November 2013

IPsec Project Process IPsec compatibility testing for CCSDS – Evaluate IPsec/CCSDS related standards – Define CCSDS/IPsec approved parameters by CCSDS working group – Develop Test Plan by working group – Approval of Test Plan by working group – Perform Compatibility Testing based on defined IPsec parameters – Validate Compatibility Testing results – Documentation of test results – Present result to CCSDS GRC working group – Present results to CCSDS working group Key deliverable – Test report in CCSDS format for inclusion in yellow book

IPsec draft test topology Cisco 3825 Router Ground Station R1 Cisco 3825 Router CCSDS Satellite R2 Cisco 3825 Router Receive Station R3 GE 0/ GE 0/ GE 0/ GE 0/ GE 0/ GE 0/ IPsec VPN Legend GE – Gigabit Ethernet Tunnel represents a direct logical connection between R1 & R3 through R2. However, all communication between R1 & R3 go through R2 (representing a satellite/networked cloud)

Test plan parameters CategoryPrimaryOptions Modes Tunnel Mode Protocol ESP only Security Services Allowed Authenticated encryption mode Authentication only Keying Automated keying: Internet Key Exchange Manual key management IKE Operation IKEv2 w/rekey commanding “button” Cipher suite AES-256 Hash function SHA-2 IP Version V4V6 IPCOMP YESNO Fragmentation Yes/No/Size

Backup

Questions Appendix D: Fragment Handling Rationale There are three issues that must be resolved regarding processing of (plaintext) fragments in IPsec: - mapping a non-initial, outbound fragment to the right SA (or finding the right SPD entry) - verifying that a received, non-initial fragment is authorized for the SA via which it is received - mapping outbound and inbound non-initial fragments to the right SPD/cache entry, for BYPASS/DISCARD traffic The first and third issues arise because we need a deterministic algorithm for mapping traffic to SAs (and SPD/cache entries). All three issues are important because we want to make sure that non-initial fragments that cross the IPsec boundary do not cause the access control policies in place at the receiver (or transmitter) to be violated. Conclusions There is no simple, uniform way to handle fragments in all contexts. Different approaches work better in different contexts. Thus, this document offers 3 choices -- one MUST and two MAYs. At some point in the future, if the community gains experience with the two MAYs, they may become SHOULDs or MUSTs or other approaches may be proposed