1 / 19

NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT)

NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT). Sheila Frankel NIST Computer Security Division sheila.frankel@nist.gov. Motivation. Inter-operability of multiple implementations essential for IPsec to succeed Existing test modalities Interoperability “Bake-offs”

ruana
Download Presentation

NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT) Sheila Frankel NIST Computer Security Division sheila.frankel@nist.gov

  2. Motivation • Inter-operability of multiple implementations essential for IPsec to succeed • Existing test modalities • Interoperability “Bake-offs” • Pre-planned Web-based interoperability testing • Needed: spontaneous Web-based testing

  3. User-Related Objectives • Accessible from remote locations • Available at any time • Require no modification to the tester’s IPsec implementation • Allow testers to resume testing later • Configurable • Well-documented • Easy to use

  4. Implementation Objectives • Simultaneous access by multiple users • Rapid, modular implementation • Easily modified and expanded as IPsec/IKE specifications evolve • Built around NIST’s IPsec/IKE Reference Implementations, Cerberus and PlutoPlus

  5. Implementation Objectives(continued) • Require minimal changes to Cerberus and PlutoPlus • Operator intervention not required

  6. IPsec WIT Web Browser WWW-based Tester Control (HTML/CGI) HTML Docs., Forms, and HTTP Server IKE Negotiation Message logging and IKE Configuration Local IUT Configuration IUT NIST PlutoPlus PERL CGI Test Engine State Files Test Suites Negotiated SAs and SA mgmt. messages Manual SAs and IP/IPsec Packet Traces Linux Kernel IP + NIST Cerberus IPsec Encapsulated IP Packets INTERNET IPsec-WIT Architecture

  7. Implementation • Perl cgi-bin tester • HTML forms • Executable test cases • Output • PlutoPlus: tracing the IKE negotiation • Cerberus: dumping the ping packets • expect command: color-coded output

  8. Implementation(continued) • Individual tester files • Tester-specific parameters • Tester’s individual output • Storage and expiration

  9. Current Capabilities • Key establishment: manual or IKE negotiation • IKE negotiation: initiator or responder • Peer authentication: pre-shared secrets • ISAKMP hash: MD5 or SHA • ISAKMP encryption: DES or 3DES • Diffie-Hellman Exchange: First Oakley Group

  10. Current Capabilities(continued) • Configurable port for IKE negotiation • IPsec AH algorithms: HMAC-MD5 or HMAC-SHA1 • IPsec ESP algorithms: • Encryption: DES, 3DES, IDEA, RC5, Blowfish, or ESP-Null • Authentication (optional): HMAC-MD5 or HMAC-SHA1 • Variable key length for RC5 and Blowfish

  11. Current Capabilities(continued) • IPsec encapsulation mode: transport or tunnel • Perfect Forward Secrecy (PFS) • Verbosity of IKE/IPsec output configurable • IPsec SA tested using “ping” command • Transport-mode SA: host-to-host

  12. Current Capabilities(continued) • Tunnel-mode SA:host-to-host or host-to-gateway • Host-to-gateway SA tests communications with tester’s host behind gateway • Sample test cases for testers without a working IKE/IPsec implementation • Current/cumulative test results can be viewed via browser or emailed to tester

  13. Limitations • Re-keying • Crash/disaster recovery • Complex policy-related scenarios

  14. Lessons Learned • Voluntary interoperability testing is useful and used • Interoperability tests can also serve as conformance tests • Stateful protocols can be tested using a Web-based tester • “Standard” features are more useful than “cutting edge”

  15. Lessons Learned(continued) • Some human intervention is required • Productive and informative multi-protocol interaction is challenging • Users do the “darnedest” - and most unexpected - things

  16. Future Horizons - PlutoPlus • Additional Diffie-Hellman groups • More complex policy options • Multiple proposals • Adjacent SA’s • Nested SA’s • Peer authentication: public key • PKI interaction and certificate exchanges

  17. Future Horizons - IPsec-WIT • Test IPsec SA’s with UDP/TCP connections, rather than ICMP • Better diagnostics from underlying protocols

  18. Futuristic Horizons • Negative testing • Robustness testing

  19. Contact/Usage Information • IPsec-WIT: http://ipsec-wit.antd.nist.gov • Cerberus documentation: http://www.antd.nist.gov/cerberus • PlutoPlus documentation: http://ipsec-wit.antd.nist.gov/newipsecdoc/pluto.html • For further information, contact: • Sheila Frankel: sheila.frankel@nist.gov • Rob Glenn: rob.glenn@nist.gov

More Related