Network Layer Security: Run over non-IP Protocol?
Howie Weiss (NASA/JPL/Parsons)
San Antonio, TX, October 2013
Agenda
• CCSDS Network Layer Security
– Action item SecWG0413:3 from the Bordeaux meeting: investigate how/if IPsec can be run over non-IP protocols
» E.g., à la DTN, run over a convergence layer directly on top of another network layer protocol
ESP w/AES-GCM

Tunnel-mode ESP packet carrying an ICMP message, with the field sizes drawn on the slide:

Outer IPv4 header                          20 bytes
ESP SPI                                     4 bytes   (ESP header)
ESP Seq #                                   4 bytes   (ESP header)
ESP IV                                      8 bytes   (ESP header)
Inner IPv4 header                          20 bytes   (encrypted)
ICMP (8-byte hdr + 80 bytes data)          88 bytes   (encrypted)
Pad (varies per RFC 2406, now RFC 4303;
     2 bytes in this example)               2 bytes   (ESP trailer, encrypted)
Pad Length                                  1 byte    (ESP trailer, encrypted)
Next Header                                 1 byte    (ESP trailer, encrypted)
Authentication Data (8, 12 or 16 bytes)    12 bytes   (ESP Auth)

ESP AES-128 encrypted payload (everything after the outer IPv4 header): 140 bytes
ESP (IP protocol 50) packet, outer IPv4 header included: 160 bytes

Adding up the field sizes above: the encrypted region (inner IPv4 header through Next Header) is 112 bytes, and the authenticated region (SPI through Next Header) is 128 bytes; the 140-byte figure is the whole ESP payload including the 12-byte ICV. The slide's brackets read "Encrypted (128 bytes)" and "ESP Authenticated (140 bytes)", which do not match those sums.
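The layout above, worked through in code. This is an added example for this deck, not code from the slides or from any CCSDS or IPsec implementation: it frames an ESP payload exactly as the figure shows (SPI, sequence number, IV, inner packet, pad, Pad Length, Next Header, ICV), applies the RFC 4303 padding rule, and reports the sizes of the encrypted and authenticated regions. Encryption and the ICV computation are left out (the payload stays in the clear and the ICV is a zero placeholder), the inner IPv4+ICMP packet is a constructed sample with zero checksums, and the SPI and sequence values are arbitrary. The same framing applies whatever carries ESP, which is the point of the next slide; only the outer carrier needs a code point for protocol 50.

```python
"""ESP (RFC 4303) tunnel-mode framing and size calculator.

Added example for this slide deck: not code from the original slides or
from any CCSDS project.  Encryption and the ICV are out of scope; the
payload is left in the clear and the ICV is a zero placeholder, so the
block shows only the framing, the padding rule and the region sizes.
"""
import struct
from dataclasses import dataclass

IP_PROTO_ESP = 50      # value the outer carrier needs to hand a packet to ESP
IP_PROTO_IPV4 = 4      # ESP Next Header value for a tunnelled IPv4 packet
IPV4_HEADER_LEN = 20   # minimal IPv4 header, as on the slide


@dataclass
class EspLayout:
    outer_hdr: int   # outer IPv4 header (or another carrier's header)
    iv: int          # IV length: 8 for AES-GCM (RFC 4106), 16 for AES-CBC
    inner: int       # tunnelled packet (inner IP header + its payload)
    pad: int         # padding bytes needed to meet the alignment rule
    icv: int         # Authentication Data / ICV: 8, 12 or 16 bytes for GCM

    @property
    def encrypted(self) -> int:
        # inner packet + pad + Pad Length (1) + Next Header (1)
        return self.inner + self.pad + 2

    @property
    def authenticated(self) -> int:
        # SPI (4) + Sequence Number (4) + IV + encrypted region
        return 8 + self.iv + self.encrypted

    @property
    def esp_total(self) -> int:
        return self.authenticated + self.icv

    @property
    def packet_total(self) -> int:
        return self.outer_hdr + self.esp_total


def pad_needed(inner_len: int, align: int) -> int:
    # RFC 4303: inner + pad + the 2 trailer bytes must be a multiple of 4,
    # or of the cipher block size for CBC modes (16 for AES-CBC).  AES-GCM
    # is a counter mode, so 4-byte alignment is all it needs.
    return (-(inner_len + 2)) % align


def esp_layout(inner_len: int, iv_len: int = 8, icv_len: int = 12,
               align: int = 4, outer_hdr_len: int = IPV4_HEADER_LEN) -> EspLayout:
    return EspLayout(outer_hdr_len, iv_len, inner_len,
                     pad_needed(inner_len, align), icv_len)


def frame_esp(spi: int, seq: int, iv: bytes, inner: bytes, next_hdr: int,
              icv_len: int = 12, align: int = 4) -> bytes:
    """Lay out the ESP payload: header | inner | pad | PadLen | NextHdr | ICV."""
    pad = pad_needed(len(inner), align)
    padding = bytes(range(1, pad + 1))   # RFC 4303 default pad pattern 1,2,3,...
    trailer = padding + bytes([pad, next_hdr])
    icv = bytes(icv_len)                 # placeholder; the AES-GCM tag goes here
    return struct.pack("!II", spi, seq) + iv + inner + trailer + icv


def parse_esp(esp: bytes, iv_len: int = 8, icv_len: int = 12) -> dict:
    """Undo frame_esp (on already-decrypted bytes) and check the pad pattern."""
    spi, seq = struct.unpack_from("!II", esp, 0)
    body = esp[8 + iv_len:len(esp) - icv_len]
    pad_len, next_hdr = body[-2], body[-1]
    inner_end = len(body) - 2 - pad_len
    if inner_end < 0 or body[inner_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP trailer padding does not match RFC 4303 pattern")
    return {"spi": spi, "seq": seq, "iv": esp[8:8 + iv_len],
            "next_hdr": next_hdr, "pad_len": pad_len,
            "inner": body[:inner_end], "icv": esp[len(esp) - icv_len:]}


def build_inner_icmp(data_len: int = 80) -> bytes:
    """Constructed sample: IPv4 + ICMP echo request, 20 + 8 + data_len bytes.
    Checksums are left zero; only the sizes matter here."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(data_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(icmp),
                     0, 0, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def slide_example() -> tuple:
    """Reproduce the slide's packet: 108-byte inner packet, 8-byte IV, 12-byte ICV."""
    inner = build_inner_icmp()
    layout = esp_layout(len(inner))
    esp = frame_esp(spi=0x1000, seq=1, iv=bytes(8), inner=inner,
                    next_hdr=IP_PROTO_IPV4)
    assert len(esp) == layout.esp_total
    return layout, esp


if __name__ == "__main__":
    layout, esp = slide_example()
    print(f"pad={layout.pad} encrypted={layout.encrypted} "
          f"authenticated={layout.authenticated} esp={layout.esp_total} "
          f"packet={layout.packet_total}")
    print(parse_esp(esp)["next_hdr"])
```

For the slide's 108-byte inner packet the calculator gives 2 bytes of pad, a 112-byte encrypted region, a 128-byte authenticated region, 140 bytes of ESP and a 160-byte outer packet. Changing `iv_len` to 16 and `align` to 16 gives the AES-CBC layout, which is where the pad can grow to 15 bytes; a receiver that checks the default pad pattern, as `parse_esp` does, will reject a trailer whose padding bytes were tampered with or whose Pad Length is inconsistent.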
ESP over non-IP Network Layer
• ESP in tunnel mode is an encapsulation protocol
– It carries whatever payload it is given
• An old study of IPsec over SCPS-NP (SCPS Network Protocol) showed that ESP over NP was not a problem
– NP was similar to IP and could 'look' like IP, but was not IP
• CCSDS 702.1-B-1 (IP over CCSDS Links): uses encapsulation to carry IP and its payload (which could very well be IPsec) over CCSDS space data link protocols such as TM, TC, AOS, and Prox-1
– CCSDS encapsulation packets
– CCSDS encapsulation service over the AOS, TM, TC Virtual Channel Packet (VCP) service, the TC Multiplexer Access Point Packet (MAPP) service, or Prox-1
Summary
• Yes – IPsec could be run over non-IP protocols if there were a reason to do so
– Modifications needed to the underlying protocol so that it can understand and recognize ESP
– A protocol number assignment needed for ESP over the XX protocol
– "Simple" solution: use IP over CCSDS encapsulation