Network Layer Security: Run over non-IP Protocol?
Howie Weiss (NASA/JPL/Parsons)
San Antonio, TX, October 2013
Agenda
CCSDS Network Layer Security
– Action item SecWG0413:3 from the Bordeaux meeting: investigate how, and whether, IPsec can be run over non-IP protocols
  » E.g., the way DTN runs over a convergence layer placed directly on top of another network layer protocol
ESP w/AES-GCM (packet layout figure; field sizes as labelled on the slide)
– Outer IPv4 header: 20 bytes
– ESP header: SPI 4 bytes, Seq # 4 bytes, IV 8 bytes
– Inner IPv4 header: 20 bytes
– ICMP (8 bytes hdr + 80 bytes data): 88 bytes
– ESP trailer: Pad (varies per RFC; 2 bytes in this example), Pad Len 1 byte, Next Hdr 1 byte
– Authentication Data (varies: 8, 12, or 16 bytes): 12 bytes
– ESP AES128 encrypted payload: 140 bytes; ESP (IP protocol 50) total length: 160 bytes
– Figure brackets: Encrypted (128 bytes), ESP Authenticated (140 bytes)
ESP over non-IP Network Layer
ESP in tunnel mode is an encapsulation protocol
– It carries whatever payload it is given
An old study of IPsec over SCPS-NP (SCPS Network Protocol) showed that ESP over NP was not a problem
– NP was similar to IP and could ‘look’ like IP, but was not IP
CCSDS B-1 (IP over CCSDS Links) uses encapsulation to carry IP and its payload (which could very well be IPsec) over CCSDS space data link protocols such as TM, TC, AOS, and Prox-1
– CCSDS encapsulation packets
– CCSDS encapsulation service over AOS, TM, TC Virtual Channel Packet (VCP) service, TC Multiplexer Access Point Packet (MAPP) service, or Prox-1
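The following Python block is an added example, not part of the original presentation. It models the ESP framing shown on the AES-GCM layout slide (SPI, sequence number, IV, payload, padding, pad length, next header, ICV) and the point made on this slide that ESP simply carries whatever payload it is given: `build_esp` frames an arbitrary inner packet under any next-header value, applies the ESP trailer alignment rule, and `parse_esp` splits the result back into fields. Encryption and ICV computation are deliberately omitted; the inner packet and ICV are constructed placeholder bytes, so only the framing and length accounting are demonstrated. The next-header constants are real IANA IP protocol numbers; everything else (SPI, sequence, IV values, the 20-byte inner header and 88-byte ICMP body) is constructed to match the sizes on the slide.

```python
"""ESP tunnel-mode framing model (added example; no encryption performed)."""
import struct

SPI_LEN = 4
SEQ_LEN = 4
IV_LEN = 8           # AES-GCM IV carried in the ESP payload field, as on the slide
ICV_LEN = 12         # 96-bit ICV option from the slide (8, 12 or 16 bytes allowed)
OUTER_IPV4_LEN = 20  # outer IPv4 header added in tunnel mode

# IANA IP protocol numbers used as ESP "next header" values (real values)
NEXT_HDR_IPV4 = 4    # tunnel mode: the encapsulated packet is IPv4
NEXT_HDR_IPV6 = 41
NEXT_HDR_NONE = 59   # "no next header" / dummy packet


def esp_padding(payload_len):
    """Pad bytes so payload + pad + pad_len(1) + next_hdr(1) is 4-byte aligned (RFC 4303)."""
    return (-(payload_len + 2)) % 4


def build_esp(spi, seq, iv, inner, next_header, icv_len=ICV_LEN):
    """Frame `inner` as the ESP payload. Ciphertext and ICV are placeholders."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    pad_len = esp_padding(len(inner))
    pad = bytes(range(1, pad_len + 1))        # RFC 4303 default pad pattern 1,2,3,...
    trailer = pad + struct.pack("!BB", pad_len, next_header)
    header = struct.pack("!II", spi, seq) + iv
    icv = b"\x00" * icv_len                   # constructed placeholder, not a real tag
    return header + inner + trailer + icv


def parse_esp(packet, icv_len=ICV_LEN):
    """Split an ESP packet into its fields; returns a dict of values and lengths."""
    hdr_len = SPI_LEN + SEQ_LEN + IV_LEN
    if len(packet) < hdr_len + 2 + icv_len:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", packet[:SPI_LEN + SEQ_LEN])
    iv = packet[SPI_LEN + SEQ_LEN:hdr_len]
    body = packet[hdr_len:len(packet) - icv_len]   # region RFC 4303 encrypts
    icv = packet[len(packet) - icv_len:]
    if len(body) % 4:
        raise ValueError("ESP encrypted region is not 4-byte aligned")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds encrypted region")
    inner = body[:len(body) - 2 - pad_len]
    return {
        "spi": spi, "seq": seq, "iv": iv, "inner": inner,
        "pad_len": pad_len, "next_header": next_header, "icv": icv,
        "encrypted_len": len(body), "esp_len": len(packet),
    }


def slide_example():
    """Reproduce the slide's sizes: 20-byte inner IPv4 header + 88-byte ICMP."""
    inner_ipv4 = bytes(20)   # constructed placeholder inner header
    icmp = bytes(88)         # constructed placeholder ICMP (8 hdr + 80 data)
    pkt = build_esp(spi=0x1000, seq=1, iv=b"\x11" * IV_LEN,
                    inner=inner_ipv4 + icmp, next_header=NEXT_HDR_IPV4)
    f = parse_esp(pkt)
    return {"pad_len": f["pad_len"], "esp_len": f["esp_len"],
            "total_with_outer_ipv4": OUTER_IPV4_LEN + f["esp_len"],
            "encrypted_len": f["encrypted_len"]}


def roundtrip_example():
    """ESP carries any payload: an odd-length blob under NEXT_HDR_NONE round-trips."""
    blob = bytes(range(101))
    pkt = build_esp(spi=7, seq=42, iv=b"\x22" * IV_LEN,
                    inner=blob, next_header=NEXT_HDR_NONE)
    f = parse_esp(pkt)
    return {"inner_ok": f["inner"] == blob, "pad_len": f["pad_len"],
            "next_header": f["next_header"], "seq": f["seq"]}


if __name__ == "__main__":
    print(slide_example())
    print(roundtrip_example())
```

With the slide's field sizes this yields a 2-byte pad, a 140-byte ESP packet and 160 bytes including the outer IPv4 header, matching the slide's totals; the region RFC 4303 actually encrypts (payload plus trailer) is 112 bytes here, since the IV sits in the payload field but is not itself encrypted under AES-GCM. Nothing in the framing depends on the inner payload being IP, which is why the only things a non-IP network layer has to supply are a way to recognise ESP and a next-header value for the protocol it carries.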
Summary
Yes – IPsec could be run over non-IP protocols if there were a reason to do so
– Modifications needed to the underlying protocol to understand and recognize ESP
– Protocol number assignment needed for ESP over XX protocol
– “Simple” solution: use IP over CCSDS encapsulation