NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT)
Sheila Frankel, NIST Computer Security Division
sheila.frankel@nist.gov
IPsec99 - Oct. 29, 1999

Motivation
- Interoperability of multiple implementations is essential for IPsec to succeed
- Existing test modalities
  – Interoperability “bake-offs”
  – Pre-planned Web-based interoperability testing
- Needed: spontaneous Web-based testing
User-Related Objectives
- Accessible from remote locations
- Available at any time
- Require no modification to the tester’s IPsec implementation
- Allow testers to resume testing later
- Configurable
- Well-documented
- Easy to use
Implementation Objectives
- Simultaneous access by multiple users
- Rapid, modular implementation
- Easily modified and expanded as IPsec/IKE specifications evolve
- Built around NIST’s IPsec/IKE Reference Implementations, Cerberus and PlutoPlus
Implementation Objectives (continued)
- Require minimal changes to Cerberus and PlutoPlus
- Operator intervention not required
IPsec-WIT Architecture (diagram; only the component labels survive)
- IUT (implementation under test) side: Web browser, local IUT configuration
- IPsec-WIT side: Linux kernel; HTML docs, forms, and HTTP server; Perl CGI test engine with test suites and per-tester state files; IP + NIST Cerberus (manual SAs, IP/IPsec packet traces); NIST PlutoPlus (negotiated SAs and SA management messages, message logging, IKE configuration)
- Exchanges between IUT and IPsec-WIT: WWW-based tester control (HTML/CGI), IKE negotiation, IPsec-encapsulated IP packets
Implementation
- Perl cgi-bin tester
- HTML forms
- Executable test cases
- Output
  – PlutoPlus: tracing the IKE negotiation
  – Cerberus: dumping the ping packets
  – expect command: color-coded output
Implementation (continued)
- Individual tester files
  – Tester-specific parameters
  – Tester’s individual output
  – Storage and expiration
Current Capabilities
- Key establishment: manual or IKE negotiation
- IKE negotiation: initiator or responder
- Peer authentication: pre-shared secrets
- ISAKMP hash: MD5 or SHA
- ISAKMP encryption: DES or 3DES
- Diffie-Hellman exchange: First Oakley Group
Current Capabilities (continued)
- Configurable port for IKE negotiation
- IPsec AH algorithms: HMAC-MD5 or HMAC-SHA1
- IPsec ESP algorithms:
  – Encryption: DES, 3DES, IDEA, RC5, Blowfish, or ESP-Null
  – Authentication (optional): HMAC-MD5 or HMAC-SHA1
  – Variable key length for RC5 and Blowfish
Current Capabilities (continued)
- IPsec encapsulation mode: transport or tunnel
- Perfect Forward Secrecy (PFS)
- Verbosity of IKE/IPsec output configurable
- IPsec SA tested using the “ping” command
- Transport-mode SA: host-to-host
Current Capabilities (continued)
- Tunnel-mode SA: host-to-host or host-to-gateway
  – Host-to-gateway SA tests communications with the tester’s host behind the gateway
- Sample test cases for testers without a working IKE/IPsec implementation
- Current/cumulative test results can be viewed via browser or emailed to the tester
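The slides say the tester verifies an IPsec SA by sending “ping” traffic and having Cerberus dump the packets. The following is an added example, not code from IPsec-WIT, Cerberus or PlutoPlus, of the kind of check a test engine can run over such a packet dump: it parses the outer IPv4 header and the ESP or AH header of each packet, confirms that ping traffic between the expected endpoints actually left under the negotiated SA (right protocol, right SPI, strictly increasing sequence numbers, nothing in the clear), and distinguishes transport mode (outer addresses are the two hosts) from host-to-gateway tunnel mode (outer destination is the gateway). All addresses, SPIs and packets are constructed here; the ICV bytes in the AH sample are a constant placeholder, not a computed HMAC.

```python
import ipaddress
import struct

# IANA IP protocol numbers
PROTO_ICMP = 1
PROTO_ESP = 50
PROTO_AH = 51


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_esp(spi, seq, body):
    """ESP header (RFC 2406): SPI, sequence number, then the opaque protected body."""
    return struct.pack("!II", spi, seq) + body


def build_ah(spi, seq, next_header, icv, body):
    """AH header (RFC 2402): next header, payload length, reserved, SPI, seq, ICV."""
    ah_len_words = (12 + len(icv)) // 4          # AH length in 32-bit words
    return struct.pack("!BBHII", next_header, ah_len_words - 2, 0, spi, seq) + icv + body


def parse_packet(raw):
    """Return (src, dst, proto, spi, seq) for one IPv4 packet; spi/seq are None if not IPsec."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = raw[(ver_ihl & 0x0F) * 4:]
    spi = seq = None
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
    elif proto == PROTO_AH:
        _, _, _, spi, seq = struct.unpack("!BBHII", payload[:12])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, spi, seq)


def check_trace(packets, expected):
    """Check that ping traffic between expected['src'] and expected['dst'] (the outer addresses
    on the wire) is carried by the SA expected['proto']/expected['spi'] with increasing seq."""
    findings, last_seq, n_protected = [], 0, 0
    for i, raw in enumerate(packets):
        src, dst, proto, spi, seq = parse_packet(raw)
        if (src, dst) != (expected["src"], expected["dst"]):
            continue                                  # not part of this test
        if proto == PROTO_ICMP:
            findings.append(f"packet {i}: ICMP sent in the clear, SA not applied")
            continue
        if proto != expected["proto"]:
            findings.append(f"packet {i}: protocol {proto}, expected {expected['proto']}")
            continue
        if spi != expected["spi"]:
            findings.append(f"packet {i}: SPI {spi:#x}, expected {expected['spi']:#x}")
        if seq <= last_seq:                           # replayed or reordered sequence number
            findings.append(f"packet {i}: sequence number {seq} not greater than {last_seq}")
        last_seq = max(last_seq, seq)
        n_protected += 1
    if n_protected == 0:
        findings.append("no protected packets seen for the expected endpoints")
    return {"ok": not findings, "protected": n_protected, "findings": findings}


# Constructed sample topology: host A pings host B, which sits behind gateway GW_B.
HOST_A, HOST_B, GW_B = "10.0.1.10", "10.0.2.10", "10.0.2.1"
SPI = 0x1234


def esp_transport_trace():
    """Host-to-host ESP transport mode: outer addresses are the two hosts."""
    return [build_ipv4(HOST_A, HOST_B, PROTO_ESP, build_esp(SPI, s, b"\x00" * 64)) for s in (1, 2, 3)]


def esp_tunnel_trace():
    """Host-to-gateway ESP tunnel mode: on the wire the packet is addressed to the gateway."""
    return [build_ipv4(HOST_A, GW_B, PROTO_ESP, build_esp(SPI, s, b"\x00" * 84)) for s in (1, 2, 3)]


def ah_transport_trace():
    """AH transport mode with a 96-bit ICV (constant placeholder bytes, not a real HMAC)."""
    icv = b"\x11" * 12
    return [build_ipv4(HOST_A, HOST_B, PROTO_AH, build_ah(SPI, s, PROTO_ICMP, icv, b"\x00" * 64))
            for s in (1, 2)]


def broken_trace():
    """Constructed failure cases: an echo request in the clear and a repeated sequence number."""
    icmp_echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 56
    return [build_ipv4(HOST_A, HOST_B, PROTO_ICMP, icmp_echo),
            build_ipv4(HOST_A, HOST_B, PROTO_ESP, build_esp(SPI, 5, b"\x00" * 64)),
            build_ipv4(HOST_A, HOST_B, PROTO_ESP, build_esp(SPI, 5, b"\x00" * 64))]


if __name__ == "__main__":
    print(check_trace(esp_transport_trace(), {"proto": PROTO_ESP, "spi": SPI, "src": HOST_A, "dst": HOST_B}))
    print(check_trace(esp_tunnel_trace(), {"proto": PROTO_ESP, "spi": SPI, "src": HOST_A, "dst": GW_B}))
    print(check_trace(broken_trace(), {"proto": PROTO_ESP, "spi": SPI, "src": HOST_A, "dst": HOST_B}))
```

The tunnel-mode check deliberately looks for the gateway as the outer destination: a trace that shows host B as the outer destination when a host-to-gateway tunnel SA was negotiated means the tester’s implementation encapsulated in transport mode, or not at all, and the check reports that no protected packets were seen.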
Limitations
- Re-keying
- Crash/disaster recovery
- Complex policy-related scenarios
Lessons Learned
- Voluntary interoperability testing is useful and used
- Interoperability tests can also serve as conformance tests
- Stateful protocols can be tested using a Web-based tester
- “Standard” features are more useful than “cutting edge”
Lessons Learned (continued)
- Some human intervention is required
- Productive and informative multi-protocol interaction is challenging
- Users do the “darnedest” - and most unexpected - things
Future Horizons - PlutoPlus
- Additional Diffie-Hellman groups
- More complex policy options
  – Multiple proposals
  – Adjacent SAs
  – Nested SAs
- Peer authentication: public key
- PKI interaction and certificate exchanges
Future Horizons - IPsec-WIT
- Test IPsec SAs with UDP/TCP connections, rather than ICMP
- Better diagnostics from underlying protocols
Futuristic Horizons
- Negative testing
- Robustness testing
Contact/Usage Information
- IPsec-WIT: http://ipsec-wit.antd.nist.gov
- Cerberus documentation: http://www.antd.nist.gov/cerberus
- PlutoPlus documentation: http://ipsec-wit.antd.nist.gov/newipsecdoc/pluto.html
- For further information, contact:
  – Sheila Frankel: sheila.frankel@nist.gov
  – Rob Glenn: rob.glenn@nist.gov