190 likes | 357 Views
NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT). Sheila Frankel NIST Computer Security Division sheila.frankel@nist.gov. Motivation. Inter-operability of multiple implementations essential for IPsec to succeed Existing test modalities Interoperability “Bake-offs”
E N D
NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT) Sheila Frankel NIST Computer Security Division sheila.frankel@nist.gov
Motivation • Inter-operability of multiple implementations essential for IPsec to succeed • Existing test modalities • Interoperability “Bake-offs” • Pre-planned Web-based interoperability testing • Needed: spontaneous Web-based testing
User-Related Objectives • Accessible from remote locations • Available at any time • Require no modification to the tester’s IPsec implementation • Allow testers to resume testing later • Configurable • Well-documented • Easy to use
Implementation Objectives • Simultaneous access by multiple users • Rapid, modular implementation • Easily modified and expanded as IPsec/IKE specifications evolve • Built around NIST’s IPsec/IKE Reference Implementations, Cerberus and PlutoPlus
Implementation Objectives(continued) • Require minimal changes to Cerberus and PlutoPlus • Operator intervention not required
IPsec WIT Web Browser WWW-based Tester Control (HTML/CGI) HTML Docs., Forms, and HTTP Server IKE Negotiation Message logging and IKE Configuration Local IUT Configuration IUT NIST PlutoPlus PERL CGI Test Engine State Files Test Suites Negotiated SAs and SA mgmt. messages Manual SAs and IP/IPsec Packet Traces Linux Kernel IP + NIST Cerberus IPsec Encapsulated IP Packets INTERNET IPsec-WIT Architecture
Implementation • Perl cgi-bin tester • HTML forms • Executable test cases • Output • PlutoPlus: tracing the IKE negotiation • Cerberus: dumping the ping packets • expect command: color-coded output
Implementation(continued) • Individual tester files • Tester-specific parameters • Tester’s individual output • Storage and expiration
Current Capabilities • Key establishment: manual or IKE negotiation • IKE negotiation: initiator or responder • Peer authentication: pre-shared secrets • ISAKMP hash: MD5 or SHA • ISAKMP encryption: DES or 3DES • Diffie-Hellman Exchange: First Oakley Group
Current Capabilities(continued) • Configurable port for IKE negotiation • IPsec AH algorithms: HMAC-MD5 or HMAC-SHA1 • IPsec ESP algorithms: • Encryption: DES, 3DES, IDEA, RC5, Blowfish, or ESP-Null • Authentication (optional): HMAC-MD5 or HMAC-SHA1 • Variable key length for RC5 and Blowfish
Current Capabilities(continued) • IPsec encapsulation mode: transport or tunnel • Perfect Forward Secrecy (PFS) • Verbosity of IKE/IPsec output configurable • IPsec SA tested using “ping” command • Transport-mode SA: host-to-host
Current Capabilities(continued) • Tunnel-mode SA:host-to-host or host-to-gateway • Host-to-gateway SA tests communications with tester’s host behind gateway • Sample test cases for testers without a working IKE/IPsec implementation • Current/cumulative test results can be viewed via browser or emailed to tester
Limitations • Re-keying • Crash/disaster recovery • Complex policy-related scenarios
Lessons Learned • Voluntary interoperability testing is useful and used • Interoperability tests can also serve as conformance tests • Stateful protocols can be tested using a Web-based tester • “Standard” features are more useful than “cutting edge”
Lessons Learned(continued) • Some human intervention is required • Productive and informative multi-protocol interaction is challenging • Users do the “darnedest” - and most unexpected - things
Future Horizons - PlutoPlus • Additional Diffie-Hellman groups • More complex policy options • Multiple proposals • Adjacent SA’s • Nested SA’s • Peer authentication: public key • PKI interaction and certificate exchanges
Future Horizons - IPsec-WIT • Test IPsec SA’s with UDP/TCP connections, rather than ICMP • Better diagnostics from underlying protocols
Futuristic Horizons • Negative testing • Robustness testing
Contact/Usage Information • IPsec-WIT: http://ipsec-wit.antd.nist.gov • Cerberus documentation: http://www.antd.nist.gov/cerberus • PlutoPlus documentation: http://ipsec-wit.antd.nist.gov/newipsecdoc/pluto.html • For further information, contact: • Sheila Frankel: sheila.frankel@nist.gov • Rob Glenn: rob.glenn@nist.gov