Network Layer Security over non-IP

Network Layer Security:
Run over non-IP Protocol?
Howie Weiss
(NASA/JPL/Parsons)
San Antonio, TX
October 2013
Agenda
• CCSDS Network Layer Security
– Action item SecWG0413:3 from the Bordeaux meeting to investigate how/if IPsec can be run over non-IP protocols
» E.g., a la DTN run over a convergence layer directly on top of another network layer protocol
ESP w/AES-GCM
[Figure: ESP tunnel-mode packet layout, ESP (IP protocol 50), total length 160 bytes]
• IPv4 Header: 20 bytes
• ESP: 140 bytes (ESP Authenticated: 140 bytes)
– ESP Header: SPI (4 bytes), Seq # (4 bytes), IV (8 bytes)
– AES128 Encrypted Payload, Encrypted (128 bytes): IPv4 Header (20 bytes); ICMP (8 bytes hdr + 80 bytes data, 88 bytes)
– ESP Trailer: Pad (varies per RFC 2406; 2 bytes in this example), Pad Len (1 byte), Next Hdr (1 byte)
– ESP Auth: Authentication Data (varies: 8, 12, or 16 bytes; 12 bytes in this example)
ESP over non-IP Network Layer
• ESP in tunnel mode is an encapsulation protocol
– It carries whatever payload it's given
• An old study of IPsec over SCPS-NP (SCPS Network Protocol) showed that ESP over NP was not a problem
– NP was similar to IP and could ‘look’ like IP, but it was not IP
• CCSDS 702.1-B-1 (IP over CCSDS Links) uses encapsulation to carry IP and its payload (which could very well be IPsec) over CCSDS space data link protocols such as TM, TC, AOS, and Prox-1
– CCSDS encapsulation packets
– CCSDS encapsulation service over the AOS, TM, TC Virtual Channel Packet (VCP) service, the TC Multiplexer Access Point Packet (MAPP) service, or Prox-1
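As an added example (not from the presentation), the framing shown in the ESP figure and the tunnel-mode encapsulation described above, in Python on the standard library: RFC 2406/4303 padding, the Pad Len / Next Hdr trailer that names the inner protocol, and the ICV coverage. Because the standard library has no AES, the AES-GCM cipher is replaced by a clearly labelled stand-in (a truncated HMAC with no confidentiality); the key, SPI, IV and inner packet bytes are constructed values.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed value standing in for the SA's key

def esp_padding(payload_len, align=4):
    """RFC 2406/4303 default padding 1,2,3,... so Pad Len + Next Hdr end on a 4-byte boundary."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))

def esp_encapsulate(spi, seq, iv, inner, next_header, seal):
    """Build SPI | Seq | IV | seal(inner | Pad | Pad Len | Next Hdr) | ICV, as in the figure."""
    pad = esp_padding(len(inner))
    plaintext = inner + pad + bytes([len(pad), next_header])
    header = struct.pack("!II", spi, seq)  # with AES-GCM this 8-byte header is the AAD (RFC 4106)
    ciphertext, icv = seal(header, iv, plaintext)
    return header + iv + ciphertext + icv

def esp_decapsulate(packet, iv_len, icv_len, open_):
    """Verify the ICV, then strip the trailer; returns (next_header, inner_packet)."""
    header, iv = packet[:8], packet[8:8 + iv_len]
    ciphertext, icv = packet[8 + iv_len:-icv_len], packet[-icv_len:]
    plaintext = open_(header, iv, ciphertext, icv)  # raises ValueError on ICV mismatch
    pad_len, next_header = plaintext[-2], plaintext[-1]
    inner, pad = plaintext[:-(pad_len + 2)], plaintext[-(pad_len + 2):-2]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding check failed")
    return next_header, inner

def demo_seal(header, iv, plaintext, icv_len=12):
    """STAND-IN for AES-GCM (no confidentiality): a truncated HMAC over SPI, Seq, IV and payload,
    i.e. everything the figure labels "ESP Authenticated". Not for real use."""
    icv = hmac.new(KEY, header + iv + plaintext, hashlib.sha256).digest()[:icv_len]
    return plaintext, icv

def demo_open(header, iv, ciphertext, icv):
    expect = hmac.new(KEY, header + iv + ciphertext, hashlib.sha256).digest()[:len(icv)]
    if not hmac.compare_digest(expect, icv):
        raise ValueError("ESP ICV check failed")
    return ciphertext

def slide_example():
    """Rebuild the figure's packet: constructed inner IPv4 header (20) + ICMP (8 + 80), 12-byte ICV."""
    inner = bytes(20) + bytes(8) + bytes(80)
    esp = esp_encapsulate(0x1000, 1, bytes(8), inner, 4, demo_seal)  # Next Hdr 4 = IPv4 (tunnel mode)
    next_header, recovered = esp_decapsulate(esp, 8, 12, demo_open)
    assert next_header == 4 and recovered == inner
    return {"pad_len": len(esp_padding(len(inner))), "esp_len": len(esp), "total_len": 20 + len(esp)}
```

The 2-byte pad, 140-byte ESP and 160-byte total that slide_example() returns match the figure; the Next Hdr byte is exactly the value that would need a new assignment if ESP carried a non-IP inner protocol.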
Summary
• Yes – IPsec could be run over non-IP protocols if there was a reason to do so
– Modifications would be needed to the underlying protocol to understand and recognize ESP
– A protocol number assignment would be needed for ESP over the XX protocol
– “Simple” solution: use IP over CCSDS encapsulation