1 Network Layer Security: Run over non-IP Protocol? Howie Weiss (NASA/JPL/Parsons) San Antonio, TX October 2013


Page 1

Network Layer Security: Run over non-IP Protocol?

Howie Weiss (NASA/JPL/Parsons)

San Antonio, TX, October 2013

Page 2

Agenda

• CCSDS Network Layer Security
  – Action item SecWG0413:3 from the Bordeaux meeting: investigate how/if IPsec can be run over non-IP protocols
    » E.g., à la DTN, run over a convergence layer directly on top of another network layer protocol

Page 3

ESP w/AES-GCM

Worked packet (slide figure): an 88-byte ICMP message (8-byte header + 80 bytes of data) inside an IPv4 packet, carried in ESP tunnel mode with AES-128-GCM. Field sizes as drawn on the slide, in wire order:

  Field                                           Size
  Outer IPv4 header                               20 bytes
  ESP SPI                                         4 bytes
  ESP Sequence Number                             4 bytes
  ESP IV                                          8 bytes
  Inner IPv4 header                               20 bytes
  ICMP (8-byte header + 80 bytes data)            88 bytes
  Padding (varies per RFC 2406)                   2 bytes in this example
  Pad Length                                      1 byte
  Next Header                                     1 byte
  Authentication Data (ICV; 8, 12 or 16 bytes)    12 bytes

ESP (IP protocol 50) total length: 160 bytes on the wire, i.e. 20 bytes of outer IPv4 header plus 140 bytes of ESP header, encrypted payload, ESP trailer and ESP authentication data. The slide's brackets read "Encrypted (128 bytes)" and "ESP Authenticated (140 bytes)"; summing the fields listed, the encrypted span (inner IPv4 header through Next Header) is 112 bytes, the RFC 2406 authentication coverage (SPI through Next Header) is 128 bytes, and 140 bytes is the whole ESP datagram including the 12-byte ICV.

Page 4

ESP over non-IP Network Layer

• ESP in tunnel mode is an encapsulation protocol
  – It carries whatever payload it is given
• An old study of IPsec over SCPS-NP (SCPS Network Protocol) showed that ESP over NP was not a problem
  – NP was similar to IP and could 'look' like IP, but was not IP
• CCSDS 702.1-B-1 (IP over CCSDS Links) uses encapsulation to carry IP and its payload (which could very well be IPsec) over CCSDS space data link protocols such as TM, TC, AOS, and Prox-1
  – CCSDS encapsulation packets
  – CCSDS encapsulation service over AOS, TM, TC Virtual Channel Packet (VCP) service, TC Multiplexer Access Point Packet (MAPP) Service, or Prox-1

Page 5

Summary

• Yes: IPsec could be run over non-IP protocols if there were a reason to do so
  – Modifications needed to the underlying protocol to understand and recognize ESP
  – Protocol number assignment needed for ESP over the XX protocol
  – "Simple" solution: use IP over CCSDS encapsulation