Network Layer Security Update

Presentation on theme: "Network Layer Security Update"— Presentation transcript:

1 Network Layer Security Update
10/23/2016 CHARLES SHEEHE, CCSDS GRC POC

2 Discussions with Area Director
The area director would like another round of build and test because of the minimal set of successfully completed tests.

3 Status
Reported last year: IPsec compatibility testing for CCSDS
- Evaluate IPsec/CCSDS related standards
- Define CCSDS/IPsec approved parameters by CCSDS working group
- Develop Test Plan
- Approval of Test Plan
- Perform independent testing based on defined IPsec parameters
- Modify test plan: test only IPV4
- Connection between agencies' end point devices
- Started compatibility testing
- Completed compatibility tests
- Documentation of test results
- Document Lessons Learned
- Present results to CCSDS working group April 2016
Key deliverable: Test report in CCSDS format for yellow book

4 CCSDS IPsec Compatibility Testing
05/4/2016
CHARLES SHEEHE, CCSDS GRC POC
OKECHUKWU MEZU, Test Engineer

5 IPsec Project Overview
Performing Encapsulating Security Payload (ESP) using pre-shared keys on a CCSDS Internet Protocol (IP) packet going from a source node over a satellite in space to a destination node.
Why is this important?
- Network Layer Security Adaptation Profile, which is to adapt and standardize the IETF's Internet Protocol Security (IPsec) protocol for use by CCSDS on missions, replacing SCPS-SP
- Two independent compatible developments are required prior to acceptance
- NASA GRC IPsec implementation will satisfy one independent development
- CNES IPsec implementation will satisfy the second independent development
- Compatibility tests to ensure interoperability
- Compatibility test will be recorded in the CCSDS Y-1 book as official documentation of testing
- CCSDS IPsec NASA development and testing started November 2013

6 IPsec Project Process
IPsec compatibility testing for CCSDS
- Evaluate IPsec/CCSDS related standards
- Define CCSDS/IPsec approved parameters by CCSDS working group
- Develop Test Plan
- Approval of Test Plan
- Perform independent testing based on defined IPsec parameters
- Modify test plan: test only IPV4
- Connection between agencies' end point devices
- Started compatibility testing
- Completed compatibility tests
- Documentation of test results
- Document Lessons Learned
- Present results to CCSDS working group April 2016
Key deliverable: Test report in CCSDS format for yellow book

7 NASA Internal IPV4 IPsec VPN Tunnel Tests
[Network diagram. Labels: Cisco 3825 Router; Ground Station R1; CCSDS Satellite R2; Receive Station R3; Linux Box (two); IPsec VPN. Legend: GE – Gigabit Ethernet]
Internal IPsec IPv4 tests completed.
Tunnel represents a direct logical connection between R1 & R3 through R2. However, all communication between R1 & R3 goes through R2 (representing a satellite/networked cloud).

8 CCSDS IPV4 IPsec VPN Tunnel
[Network diagram: Current CCSDS IPv4 IPsec VPN Tunnel setup and configuration. Legend: GE – Gigabit Ethernet]

9 Modified* CCSDS Yellow Book IPsec Test Matrix
Columns: #, IPV4, ESP, Tunnel, Integrity, IPcomp, Authenticated Encryption, Confidentiality, Manual Key, Auto Key, No Rekey
1* 4 X 2 X* 3* 5 6 7 8
* Firewall restrictions: no IP compression allowed and phase one tunnel requires HASH. Tests #1 & #3 were not completed due to compatibility issues between Cisco & Palo Alto routers on manual keying.

10 CCSDS IPsec Compatibility issues
Firewall restrictions
- Firewall will not allow compressed packets to pass through.
- Internet Protocol compression is being removed from future Internet Engineering Task Force Transport Layer Security.
- Firewall requires a null hash value for phase one tunnel.
Compatibility issues
- Palo Alto devices would not allow manual keying options.

11 Lessons Learned
- Configurations must be shared and tested in advance.
- Successful test configuration files should be maintained for future connection issues.
- IPcomp should be removed from IP security documentation: compressed packets are not allowed to pass through the firewall because they cannot be inspected.
- Internet Protocol compression is being removed from future Internet Engineering Task Force Transport Layer Security.
- Firewalls, vendor equipment and software differences are a major obstacle to connections with legacy / space systems.

12 We at NASA Glenn would like to thank Julien Airaud and the team from CNES; it has been a much valued partnership.

13 Backup

14 Questions

