
Implementing and Testing IPsec: NIST’s Contributions

Implementing and Testing IPsec: NIST’s Contributions. Sheila Frankel Systems and Network Security Group Computer Security Division NIST sheila.frankel@nist.gov. Customers: IPsec Reference Implementation. IBM, Microsoft, Boeing, Nortel, Cabletron AT&T, Lucent, GTE, America Online


Presentation Transcript


  1. Implementing and Testing IPsec: NIST’s Contributions • Sheila Frankel • Systems and Network Security Group • Computer Security Division • NIST • sheila.frankel@nist.gov

  2. Customers: IPsec Reference Implementation • IBM, Microsoft, Boeing, Nortel, Cabletron • AT&T, Lucent, GTE, America Online • NASA, Sandia, Lawrence Berkeley Lab • UC-Santa Barbara, Mich. Tech. U • CA Dept. of Justice, US Geological Survey • McGill U, St. Paul’s Hospital (Canada) • Small consulting cos, private consultants • Total to date: 540

  3. Customers: IPsec-WIT Interoperability Tester • IBM, Nortel, Intel, Cisco, Xedia • Cabletron, Frontiertech, Nokia, 3Com • Indus River Network, Cryptek • MIT, U of Wisc, Boston College, USC/ISI • Internet Initiative Japan, Korea Telecom • Total to date: 130

  4. What can NIST contribute? • Encourage rapid development and deployment of a significant technology • Facilitate ongoing inter-operability testing • Help vendors to develop secure, robust products • Enable smaller industry vendors to jump-start their entry into IPsec • Act as an “honest broker”

  5. Why Internet Layer Security? • Implement once, in a consistent manner, for multiple applications • Centrally-controlled access policy • Currently used for • Virtual Private Networks (VPNs) • Industry-wide Networks (e.g., ANX) • Will be used to protect Internet infrastructure

  6. Protections Provided by IPsec • Authentication • Integrity • Replay protection • Confidentiality • Traffic analysis protection

  7. Components of IPsec • Security Headers • Authentication Header (AH) • Encapsulating Security Payload Header (ESP) • Security Protection Negotiation • Internet Key Exchange (IKE)

  8. NIST’s Contributions to IPsec • Cerberus - Linux-based reference implementation of IPsec • PlutoPlus - Linux-based reference implementation of IKE • IPsec-WIT - Web-based IPsec interoperability test facility

  9. IPsec-WIT: Motivation • Inter-operability of multiple implementations essential for IPsec to succeed • Existing test modalities • Interoperability “Bake-offs” • Pre-planned Web-based interoperability testing • Needed: spontaneous Web-based testing

  10. IPsec-WIT Architecture [diagram; labels: Web Browser • WWW-based Tester Control (HTML/CGI) • HTML Docs., Forms, and HTTP Server • PERL CGI Test Engine • State Files • Test Suites • NIST PlutoPlus • IKE Negotiation • Message logging and IKE Configuration • Negotiated SAs and SA mgmt. messages • Manual SAs and IP/IPsec Packet Traces • Linux Kernel IP + NIST Cerberus • IPsec Encapsulated IP Packets • INTERNET • IUT • Local IUT Configuration]

  11. Are our customers satisfied? “Thanks for the quick response! I wasn't even to the point of being worried yet - are you sure you're part of a gov't agency?” --A.J. LaSalle, Automation Tools Group, Cabletron Systems

  12. Contact/Usage Information • IPsec-WIT: http://ipsec-wit.antd.nist.gov • Cerberus documentation: http://www.antd.nist.gov/cerberus • PlutoPlus documentation: http://ipsec-wit.antd.nist.gov/newipsecdoc/pluto.html • For further information, contact: • Sheila Frankel: sheila.frankel@nist.gov • Rob Glenn: rob.glenn@nist.gov
