NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT) Sheila Frankel NIST Computer Security Division

Presentation transcript:


IPsec99 - Oct. 29
Motivation
Inter-operability of multiple implementations essential for IPsec to succeed
Existing test modalities
–Interoperability “Bake-offs”
–Pre-planned Web-based interoperability testing
Needed: spontaneous Web-based testing

User-Related Objectives
Accessible from remote locations
Available at any time
Require no modification to the tester’s IPsec implementation
Allow testers to resume testing later
Configurable
Well-documented
Easy to use

Implementation Objectives
Simultaneous access by multiple users
Rapid, modular implementation
Easily modified and expanded as IPsec/IKE specifications evolve
Built around NIST’s IPsec/IKE Reference Implementations, Cerberus and PlutoPlus

Implementation Objectives (continued)
Require minimal changes to Cerberus and PlutoPlus
Operator intervention not required

IPsec-WIT Architecture (diagram; only the component labels survive)
Implementation Under Test (IUT): Web browser, local IUT configuration
WWW-based tester control (HTML/CGI) between the IUT’s browser and the IPsec-WIT host
IPsec-encapsulated IP packets between the IUT and the IPsec-WIT host
IPsec-WIT host (Linux kernel): HTTP server, HTML docs and forms, Perl CGI test engine, test suites, tester state files
NIST Cerberus (IP + IPsec): manual SAs, IP/IPsec packet traces
NIST PlutoPlus (IKE negotiation): negotiated SAs and SA mgmt. messages, message logging and IKE configuration

Implementation
Perl cgi-bin tester
HTML forms
Executable test cases
Output
–PlutoPlus: tracing the IKE negotiation
–Cerberus: dumping the ping packets
–expect command: color-coded output

Implementation (continued)
Individual tester files
–Tester-specific parameters
–Tester’s individual output
–Storage and expiration

Current Capabilities
Key establishment: manual or IKE negotiation
IKE negotiation: initiator or responder
Peer authentication: pre-shared secrets
ISAKMP hash: MD5 or SHA
ISAKMP encryption: DES or 3DES
Diffie-Hellman Exchange: First Oakley Group
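The slide above lists the IKE Phase 1 options the tester can negotiate (initiator or responder role, pre-shared-secret authentication, MD5 or SHA as the ISAKMP hash, the First Oakley Diffie-Hellman group). The following example, added here and not taken from PlutoPlus or any NIST code, works through what those options mean on the wire per RFC 2409: both peers derive SKEYID from the pre-shared key and nonces, split it into SKEYID_d/a/e using the negotiated hash as the HMAC prf, and then exchange HASH_I and HASH_R to prove they hold the same secret. The 768-bit prime and generator are those of the First Oakley Group as published in RFC 2409 section 6.1; the cookies, nonces, SA payload bytes and ID payloads are constructed placeholders, and the simulation runs both peers in one process, so it shows the derivation, not a real ISAKMP packet exchange.

```python
# Added example (not PlutoPlus code): IKE Phase 1 key derivation and peer
# authentication with pre-shared keys, following RFC 2409 sections 5 and 5.4.
import hashlib
import hmac
import secrets

# First Oakley Group: 768-bit MODP prime with generator 2 (RFC 2409, section 6.1).
OAKLEY_GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
OAKLEY_GROUP1_G = 2
GROUP1_BYTES = 96  # public values and g^xy are encoded as 768-bit big-endian strings

# ISAKMP hash attribute -> digest used inside the HMAC prf ("sha" means SHA-1 here).
PRFS = {"md5": hashlib.md5, "sha": hashlib.sha1}


def prf(alg, key, data):
    """RFC 2409 prf: HMAC keyed with the negotiated hash (HMAC-MD5 or HMAC-SHA1)."""
    return hmac.new(key, data, PRFS[alg]).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p in the First Oakley Group."""
    x = secrets.randbelow(OAKLEY_GROUP1_P - 2) + 1
    return x, pow(OAKLEY_GROUP1_G, x, OAKLEY_GROUP1_P)


def dh_shared(x, peer_public):
    """g^xy as the fixed-width byte string RFC 2409 feeds into the prf."""
    return pow(peer_public, x, OAKLEY_GROUP1_P).to_bytes(GROUP1_BYTES, "big")


def phase1_keys(alg, psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID and its derivatives for pre-shared-key authentication (RFC 2409, 5.4)."""
    skeyid = prf(alg, psk, ni + nr)
    skeyid_d = prf(alg, skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(alg, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(alg, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def auth_hashes(alg, skeyid, gxi, gxr, cky_i, cky_r, sai_b, idi_b, idr_b):
    """HASH_I and HASH_R (RFC 2409, section 5); each side proves it knows SKEYID."""
    hash_i = prf(alg, skeyid, gxi + gxr + cky_i + cky_r + sai_b + idi_b)
    hash_r = prf(alg, skeyid, gxr + gxi + cky_r + cky_i + sai_b + idr_b)
    return hash_i, hash_r


def run_exchange(alg, psk_initiator, psk_responder):
    """Simulate both peers in one process.

    Returns (responder accepts HASH_I, initiator accepts HASH_R, SKEYID_e agree).
    Each side uses only its OWN pre-shared key plus what it receives from the peer.
    """
    # Constructed placeholders for the cookie, nonce, SA and ID payload bodies.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sai_b = b"constructed SA proposal payload body"
    idi_b = b"\x01\x00\x00\x00" + bytes([192, 0, 2, 10])      # ID_IPV4_ADDR, constructed
    idr_b = b"\x01\x00\x00\x00" + bytes([198, 51, 100, 1])    # ID_IPV4_ADDR, constructed

    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxi_b = gxi.to_bytes(GROUP1_BYTES, "big")
    gxr_b = gxr.to_bytes(GROUP1_BYTES, "big")

    keys_i = phase1_keys(alg, psk_initiator, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = phase1_keys(alg, psk_responder, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)

    # Initiator computes HASH_I to send and the HASH_R it expects back; responder vice versa.
    hi_sent, hr_expected = auth_hashes(alg, keys_i[0], gxi_b, gxr_b, cky_i, cky_r, sai_b, idi_b, idr_b)
    hi_expected, hr_sent = auth_hashes(alg, keys_r[0], gxi_b, gxr_b, cky_i, cky_r, sai_b, idi_b, idr_b)

    return (hmac.compare_digest(hi_sent, hi_expected),
            hmac.compare_digest(hr_sent, hr_expected),
            keys_i[3] == keys_r[3])


if __name__ == "__main__":
    print("matching PSK, SHA:", run_exchange("sha", b"test-secret", b"test-secret"))
    print("mismatched PSK, MD5:", run_exchange("md5", b"test-secret", b"typo"))
```

A mismatched pre-shared secret produces a different SKEYID on each side, so HASH_I fails at the responder and HASH_R at the initiator, and the two SKEYID_e values (the ISAKMP encryption keys, before the DES/3DES key-length expansion of section 5.3) never agree; that is the failure a tester would see traced in PlutoPlus output when the secrets are configured differently on the two ends.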

Current Capabilities (continued)
Configurable port for IKE negotiation
IPsec AH algorithms: HMAC-MD5 or HMAC-SHA1
IPsec ESP algorithms:
–Encryption: DES, 3DES, IDEA, RC5, Blowfish, or ESP-Null
–Authentication (optional): HMAC-MD5 or HMAC-SHA1
–Variable key length for RC5 and Blowfish

Current Capabilities (continued)
IPsec encapsulation mode: transport or tunnel
Perfect Forward Secrecy (PFS)
Verbosity of IKE/IPsec output configurable
IPsec SA tested using “ping” command
Transport-mode SA: host-to-host
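The two slides above describe what the tester actually exercises: a manual (or negotiated) SA with HMAC-MD5 or HMAC-SHA1 for AH, in transport or tunnel mode, checked by sending a ping through it and dumping the packets with Cerberus. The example below is added here and is not Cerberus or NIST code; it builds an IPv4 ICMP echo, protects it with an Authentication Header under a manual SA (SPI, algorithm, key), and verifies the 96-bit ICV the way a receiver must, with the mutable IP fields (TOS, flags/fragment offset, TTL, header checksum) zeroed per RFC 2402 before hashing. It goes beyond the ping-only case on the slide by also wrapping an inner packet in IP-in-IP for the host-to-gateway tunnel-mode case. Addresses are RFC 5737 documentation addresses, keys and SPI are constructed, and no packets are sent.

```python
# Added example (not Cerberus code): AH transport/tunnel protection of a ping with a
# manual SA, HMAC-MD5-96 / HMAC-SHA1-96 ICV computation and verification (RFC 2402-2404).
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

AH_PROTO = 51     # IP protocol number for AH
ICMP_PROTO = 1
IPIP_PROTO = 4    # IP-in-IP: what AH's Next Header carries in tunnel mode
ICV_LEN = 12      # HMAC-MD5-96 and HMAC-SHA1-96 truncate the MAC to 96 bits


@dataclass
class ManualSA:
    spi: int
    auth_alg: str   # "hmac-md5" or "hmac-sha1", the two AH choices on the slide
    key: bytes      # constructed; a real manual SA key is configured out of band

    def icv(self, data):
        digest = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}[self.auth_alg]
        return hmac.new(self.key, data, digest).digest()[:ICV_LEN]


def _checksum(data):
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (DF set, constructed identification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def icmp_echo(ident, seq, payload):
    """ICMP echo request, i.e. what "ping" sends through the SA."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", _checksum(hdr + payload)) + hdr[4:] + payload


def _zero_mutable(ip_hdr):
    """Zero the fields a router may change (RFC 2402, 3.3.3.1.1) before hashing."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags / fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_protect(src, dst, inner_proto, payload, sa, seq):
    """Sender side: IP header | AH | payload, ICV over the immutable fields."""
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, sa.spi, seq)
    icv = sa.icv(_zero_mutable(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip + ah_fixed + icv + payload


def ah_verify(packet, sa):
    """Receiver side: returns the decapsulated fields, or None if the ICV/SPI fails."""
    ihl = (packet[0] & 0x0F) * 4
    ip, rest = packet[:ihl], packet[ihl:]
    if ip[9] != AH_PROTO or len(rest) < 12:
        return None
    next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if spi != sa.spi:
        return None
    expected = sa.icv(_zero_mutable(ip) + rest[:12] + b"\x00" * len(icv) + payload)
    if not hmac.compare_digest(icv, expected):
        return None
    return {"next_header": next_hdr, "spi": spi, "seq": seq, "payload": payload}


def decrement_ttl(packet):
    """What each router on the path does; AH must still verify afterwards."""
    b = bytearray(packet)
    ihl = (b[0] & 0x0F) * 4
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", _checksum(bytes(b[:ihl])))
    return bytes(b)


if __name__ == "__main__":
    sa = ManualSA(spi=0x1000, auth_alg="hmac-sha1", key=b"constructed-demo-key")
    # Transport mode: host-to-host ping directly under AH.
    pkt = ah_protect("192.0.2.10", "198.51.100.1", ICMP_PROTO, icmp_echo(1, 1, b"ping"), sa, 1)
    print("transport ok:", ah_verify(decrement_ttl(pkt), sa) is not None)
    # Tunnel mode, host-to-gateway: the inner packet comes from a host behind the gateway.
    inner = ipv4_header("10.0.0.5", "10.0.1.7", ICMP_PROTO, 12) + icmp_echo(2, 1, b"ping")
    tun = ah_protect("198.51.100.1", "203.0.113.9", IPIP_PROTO, inner, sa, 2)
    print("tunnel ok:", ah_verify(tun, sa)["payload"] == inner)
```

Two properties are worth checking when reading a Cerberus-style packet dump against this code: a TTL decrement on the path leaves the ICV valid because TTL and the checksum are excluded from the hash, while a single flipped payload byte, a wrong SPI, or a key that differs from the peer's manual SA configuration makes verification fail, which is the symptom a tester sees as unanswered pings.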

Current Capabilities (continued)
Tunnel-mode SA: host-to-host or host-to-gateway
–Host-to-gateway SA tests communications with tester’s host behind gateway
Sample test cases for testers without a working IKE/IPsec implementation
Current/cumulative test results can be viewed via browser or e-mailed to tester

Limitations
Re-keying
Crash/disaster recovery
Complex policy-related scenarios

Lessons Learned
Voluntary interoperability testing is useful and used
Interoperability tests can also serve as conformance tests
Stateful protocols can be tested using a Web-based tester
“Standard” features are more useful than “cutting edge”

Lessons Learned (continued)
Some human intervention is required
Productive and informative multi-protocol interaction is challenging
Users do the “darnedest” - and most unexpected - things

Future Horizons - PlutoPlus
Additional Diffie-Hellman groups
More complex policy options
–Multiple proposals
–Adjacent SA’s
–Nested SA’s
Peer authentication: public key
PKI interaction and certificate exchanges

Future Horizons - IPsec-WIT
Test IPsec SA’s with UDP/TCP connections, rather than ICMP
Better diagnostics from underlying protocols

Futuristic Horizons
Negative testing
Robustness testing

Contact/Usage Information
IPsec-WIT:
Cerberus documentation:
PlutoPlus documentation:
For further information, contact:
–Sheila Frankel:
–Rob Glenn: