Network Layer Security: Run over non-IP Protocol?
Howie Weiss (NASA/JPL/Parsons)
San Antonio, TX, October 2013

Agenda
• CCSDS Network Layer Security
  – Action item SecWG0413:3 from the Bordeaux meeting: investigate how/if IPsec can be run over non-IP protocols
    » E.g., a la DTN, run over a convergence layer directly on top of another network layer protocol

ESP w/AES-GCM
ESP (IP protocol 50), total length 160 bytes: IPv4 Header (20 bytes) + ESP (140 bytes)

  IPv4 Header                               20 bytes
  ESP Header                                16 bytes
    ESP SPI                                  4 bytes
    ESP Seq #                                4 bytes
    ESP IV                                   8 bytes
  AES128 Encrypted Payload (Encrypted: 128 bytes)
    IPv4 Header                             20 bytes
    ICMP (8 bytes hdr + 80 bytes data)      88 bytes
    ESP Trailer
      Pad                                   varies per RFC 2406; in this example 2 bytes
      Pad Len                                1 byte
      Next Hdr                               1 byte
  ESP Auth (Authentication Data)            varies: 8, 12, or 16 bytes; in this example 12 bytes
  ESP Authenticated: 140 bytes

ESP over non-IP Network Layer
• ESP in tunnel mode is an encapsulation protocol
  – It carries whatever payload it's given
• An old study of IPsec over SCPS-NP (SCPS Network Protocol) showed that ESP over NP was not a problem
  – NP was similar to IP and could 'look' like IP but was not IP
• CCSDS 702.1-B-1 (IP over CCSDS Links): uses encapsulation to carry IP and its payload (which could very well be IPsec) over CCSDS space data link protocols such as TM, TC, AOS, and Prox-1
  – CCSDS encapsulation packets
  – CCSDS encapsulation service over AOS, TM, TC Virtual Channel Packet (VCP) service, TC Multiplexer Access Point Packet (MAPP) service, or Prox-1

Summary
• Yes – IPsec could be run over non-IP protocols if there was a reason to do so
  – Modifications needed to the underlying protocol to understand & recognize ESP
  – Protocol number assignment needed for ESP over XX protocol
  – "Simple" solution: use IP over CCSDS encapsulation
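The byte layout on the ESP w/AES-GCM slide, and the summary's point that the outer network layer only needs a protocol number that identifies ESP, can be checked with the framing code below. It is an added example, not part of the presentation: it lays out the SPI, sequence number, IV, tunnelled IPv4+ICMP packet, RFC 4303-aligned trailer and 12-byte ICV at the slide's sizes, and the outer header is an assumed IPv4 header with protocol 50; the AES-GCM transform itself is not applied (the standard library has no AES), so the bytes stand where the ciphertext and tag would sit.

```python
import struct

ESP_PROTO = 50                      # IP protocol number that identifies ESP to the outer layer
IV_LEN, ICV_LEN = 8, 12             # AES-GCM nonce and ICV sizes used on the slide
NEXT_HDR_IPV4 = 4                   # tunnel mode: the encrypted payload is a whole IPv4 packet


def esp_pad_len(payload_len):
    """RFC 4303 alignment: Pad Length and Next Header must end on a 4-byte boundary."""
    return (-(payload_len + 2)) % 4


def build_esp(spi, seq, iv, inner_packet, next_hdr):
    """Frame a tunnel-mode ESP packet around inner_packet (crypto not applied; layout only)."""
    pad = bytes(range(1, esp_pad_len(len(inner_packet)) + 1))   # monotonic pad bytes per RFC 4303
    trailer = pad + struct.pack("!BB", len(pad), next_hdr)
    header = struct.pack("!II", spi, seq) + iv                  # SPI (4) + Seq (4) + IV (8)
    body = inner_packet + trailer                                # would be the AES-GCM ciphertext
    icv = b"\x00" * ICV_LEN                                      # would be the 12-byte GCM tag
    return header + body + icv


def parse_esp(esp):
    """Recover the fields from a framed ESP packet (inverse of build_esp)."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[16:-ICV_LEN]
    pad_len, next_hdr = body[-2], body[-1]
    return {"spi": spi, "seq": seq, "iv": esp[8:16], "pad_len": pad_len,
            "next_hdr": next_hdr, "inner": body[:-(2 + pad_len)]}


def outer_ipv4_header(total_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Assumed outer IPv4 header (20 bytes); a non-IP network layer would need its own ESP code."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTO, 0, src, dst)


def slide_example():
    """Constructed packet matching the slide: inner IPv4 (20) + ICMP (8 hdr + 80 data)."""
    inner = bytes(20) + bytes(8) + bytes(80)
    esp = build_esp(spi=0x1000, seq=1, iv=bytes(IV_LEN), inner_packet=inner, next_hdr=NEXT_HDR_IPV4)
    packet = outer_ipv4_header(20 + len(esp)) + esp
    encrypted_span = len(esp) - 16 - ICV_LEN                    # inner packet + trailer
    return {"total": len(packet), "esp": len(esp), "encrypted": encrypted_span,
            "outer_proto": packet[9], "fields": parse_esp(esp)}


if __name__ == "__main__":
    print(slide_example())
```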