Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Layer Security Update

Published byTrevor Jenkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Layer Security Update"— Presentation transcript:

1 Network Layer Security Update
10/23/2016 CHARLES SHEEHE, CCSDS GRC POC

2 Discussions with Area Director
Area director would like another round of build and test because of the minimal set of successfully completed test.

3 Status IPsec compatibility testing for CCSDS Key deliverable
Reported Last year IPsec compatibility testing for CCSDS Evaluate IPsec/CCSDS related standards Define CCSDS/IPsec approved parameters by CCSDS working group Develop Test Plan Approval of Test Plan Perform independent testing based on defined IPsec parameters Modify test plan test only IPV4 Connection between agencies end point devices. Started compatibility testing Completed compatibility tests Documentation of test results Document Lessons Learned Present results to CCSDS working group April 2016 Key deliverable Test report in CCSDS format for yellow book

4 CCSDS IPsec Compatibility Testing
05/4/2016 CHARLES SHEEHE, CCSDS GRC POC OKECHUKWU MEZU, Test Engineer

5 IPsec Project Overview
Performing Encapsulating Security Payload (ESP) using pre-shared keys on a CCSDS Internet Protocol (IP) packet going from source node over a satellite in space to a destination node Why this is important? Network Layer Security Adaptation Profile, which is to adapt and standardize the IETF's Internet Protocol Security (IPsec) protocol for use by CCSDS on missions replacing SCPS-SP Two independent compatible developments are required prior to acceptance NASA GRC IPsec implementation will satisfy one independent development CNES IPsec implementation will satisfy the second independent development Compatibility tests to ensure interoperability Compatibility test will be recorded in the CCSDS Y-1 book as official documentation of testing CCSDS IPsec NASA development and testing started November 2013

6 IPsec Project Process IPsec compatibility testing for CCSDS
Evaluate IPsec/CCSDS related standards Define CCSDS/IPsec approved parameters by CCSDS working group Develop Test Plan Approval of Test Plan Perform independent testing based on defined IPsec parameters Modify test plan test only IPV4 Connection between agencies end point devices. Started compatibility testing Completed compatibility tests Documentation of test results Document Lessons Learned Present results to CCSDS working group April 2016 Key deliverable Test report in CCSDS format for yellow book

7 NASA Internal IPV4 IPsec VPN Tunnel Tests
Cisco 3825 Router Ground Station R1 CCSDS Satellite R2 GE 0/ GE 0/ GE 0/ GE 0/ GE 0/ GE 0/ IPsec VPN Legend GE – Gigabit Ethernet Receive Station R3 Internal IPsec IPv4 tests completed Linux Box Linux Box Tunnel represents a direct logical connection between R1 & R3 through R2. However, all communication between R1 & R3 go through R2 (representing a satellite/networked cloud)

8 CCSDS IPV4 IPsec VPN Tunnel
Legend GE – Gigabit Ethernet Current CCSDS IPv4 IPsec VPN Tunnel setup and configuration

9 Modified* CCSDS Yellow Book IPsec Test Matrix
# IPV4 ESP Tunnel Integrity IPcomp Authenticated Encryption Confidentiality Manual Key Auto Key No Rekey 1* 4 X 2 X* 3* 5 6 7 8 * firewall restrictions, No IP Compression allowed and Phase one tunnel requires HASH, Tests #1 & #3 were not completed due to compatibility issues between Cisco & Palo Alto routers on Manual keying of 10

10 CCSDS IPsec Compatibility issues
Firewall restrictions Firewall will not allow compressed packets to pass through. Internet Protocol compression is being removed from future Internet Engineering Task Force Transport Layer Security. Firewall requires an null hash value for phase one tunnel Compatibility issues, Palo Alto devices would not allow manual keying options. of 10

11 Lessons Learned Configurations must be shared and tested in advance.
Successful test configuration files should be maintained for future connection issue. IPcomp should be removed from IP security documentation compressed packets not allowed to pass through firewall because they can not be inspected. Internet Protocol compression is being removed from future Internet Engineering Task Force Transport Layer Security Firewalls, vendor equipment and software differences are major obstacle to connections with legacy / space systems

12 We at NASA Glenn would like to thank; Julien Airaud and the team from CNES, it has been a much valued partnership.

13 Backup

14 Questions

Download ppt "Network Layer Security Update"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
CCSDS Security Working Group Spring 2014 Meeting 10 November – 13 November 2014 London, England Okechukwu Mezu, Charles Sheehe NASA/Glenn.

CCSDS Security Working Group Spring 2014 Meeting 10 November – 13 November 2014 London, England Okechukwu Mezu, Charles Sheehe NASA/Glenn.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
IPv6 Network Security.

IPv6 Network Security.
Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
CCSDS IPsec Compatibility Testing

CCSDS IPsec Compatibility Testing
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
CCSDS IPsec Compatibility Testing 10/28/2013 OKECHUKWU MEZU CHARLES SHEEHE CCSDS GRC POC.

CCSDS IPsec Compatibility Testing 10/28/2013 OKECHUKWU MEZU CHARLES SHEEHE CCSDS GRC POC.
An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.

An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.

Similar presentations

Ads by Google