Network Layer Security: Run over non-IP Protocol?
Howie Weiss (NASA/JPL/Parsons)
San Antonio, TX
October 2013
Agenda
• CCSDS Network Layer Security
• Action item SecWG0413:3 from Bordeaux meeting to investigate how/if IPsec can be run over non-IP protocols
• E.g., a la DTN run over a convergence layer directly on top of another network layer protocol
ESP w/AES-GCM
[Figure: ESP (IP protocol 50) packet, total length 160 bytes. Fields: ESP Header, ESP Trailer, ESP Auth. Encrypted: 128 bytes. ESP authenticated: 140 bytes.]
ESP over non-IP Network Layer
• ESP in tunnel mode is an encapsulation protocol
• It carries whatever payload it's given
• Old study of IPsec over SCPS-NP (SCPS Network Protocol) showed that ESP over NP was not a problem
• NP was similar to IP and could ‘look’ like IP but was not IP
• CCSDS 702.1-B-1 (IP over CCSDS Links): uses encapsulation to carry IP and its payload (which could very well be IPsec) over CCSDS space data link protocols such as TM, TC, AOS, and Prox-1
• CCSDS encapsulation packets
• CCSDS encapsulation service over AOS, TM, TC Virtual Channel Packet (VCP) service, TC Multiplexer Access Point Packet (MAPP) Service, or Prox-1.
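The point that ESP only encapsulates and does not depend on its carrier can be shown in code. This is an added example, not from the original slides: it builds an ESP packet with AES-GCM per RFC 4303 and RFC 4106 and decapsulates it after transport under two different outer headers. The key, salt, IV, SPI, next-header value and the two-byte `0xC5 0x01` non-IP header are constructed, hypothetical values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// sealESP: SPI(4) | Seq(4) | IV(8) | enc(payload | pad | padLen | nextHdr) | ICV(16).
// AAD is SPI|Seq only (RFC 4106): no carrier-header byte is authenticated.
func sealESP(aead cipher.AEAD, salt, iv []byte, spi, seq uint32, nextHdr byte, payload []byte) ([]byte, error) {
	if len(salt) != 4 || len(iv) != 8 {
		return nil, fmt.Errorf("esp: need 4-byte salt and 8-byte IV")
	}
	pkt := make([]byte, 16, 16+len(payload)+5+aead.Overhead())
	binary.BigEndian.PutUint32(pkt[0:], spi)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	copy(pkt[8:], iv)
	pt := append([]byte{}, payload...)
	for i := 1; (len(pt)+2)%4 != 0; i++ {
		pt = append(pt, byte(i)) // RFC 4303 default padding: 1, 2, 3
	}
	pt = append(pt, byte(len(pt)-len(payload)), nextHdr) // ESP trailer
	return aead.Seal(pkt, append(append([]byte{}, salt...), iv...), pt, pkt[:8]), nil
}

// openESP verifies the ICV and strips the trailer; it is never given the carrier header.
func openESP(aead cipher.AEAD, salt, pkt []byte) ([]byte, byte, error) {
	if len(salt) != 4 || len(pkt) < 16+2+aead.Overhead() {
		return nil, 0, fmt.Errorf("esp: bad salt or packet too short")
	}
	pt, err := aead.Open(nil, append(append([]byte{}, salt...), pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil || int(pt[len(pt)-2]) > len(pt)-2 {
		return nil, 0, fmt.Errorf("esp: ICV or pad length check failed: %v", err)
	}
	return pt[:len(pt)-2-int(pt[len(pt)-2])], pt[len(pt)-1], nil
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 16)) // constructed all-zero demo key
	aead, _ := cipher.NewGCM(block)
	salt, iv := []byte{1, 2, 3, 4}, make([]byte, 8) // constructed values
	esp, _ := sealESP(aead, salt, iv, 0x1001, 1, 4, []byte("inner datagram"))
	for _, hdr := range [][]byte{make([]byte, 20), {0xC5, 0x01}} { // IPv4-sized vs hypothetical non-IP header
		frame := append(hdr, esp...)
		pl, nh, err := openESP(aead, salt, frame[len(hdr):])
		fmt.Printf("carrier=%dB payload=%q next=%d err=%v\n", len(hdr), pl, nh, err)
	}
}
```

The receiver still has to learn from the carrier header that the bytes after it are ESP, which is the protocol-number assignment the summary slide calls for.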
Summary
• Yes – IPsec could be run over non-IP protocols if there was a reason to do so
• Modifications needed to the underlying protocol to understand & recognize ESP
• Protocol number assignment needed for ESP over XX protocol
• “Simple” solution to use IP over CCSDS encapsulation