The main objective of this project is the procurement, integration, configuration, test and delivery of a testbed demonstrating IP security over satellite. One purpose of this testbed is the verification of theoretical results found in the previous 'IP Security over Satellite' study, such as the appropriate architecture design for using IPsec to secure satellite communication.
Furthermore, it should demonstrate, in an illustrative manner, the security functionality provided by IPsec. In order to demonstrate this to a broad audience, the integration of representative demonstration scenarios, as well as the selection of impressive security attack scenarios, is a must.
As the demonstrator is intended to be used by different parties, such as other research projects, equipment manufacturers and of course ESTEC itself, a modular design is of significant importance. This modularity allows for easy replacement of functional components, such as DVB-S equipment, IPsec gateways or performance enhancing equipment, as well as for later enhancement of the demonstrator functionality, e.g. the integration of IPv6 or secure IP Multicast support.
Lastly, one goal of this project is the use of open source software to the maximum possible extent.
One of the key issues of this project is certainly the timely and functionally correct integration, configuration and delivery of the IP Security Demonstrator. As the demonstrator has very complex functionality, including e.g. IP Multicast, IPsec or proprietary protocol enhancements, a careful architecture design and integration of the different components is required in order to avoid negative interworking issues.
Another key issue is the thorough documentation of the demonstrator integration and configuration and of the lessons learned, in order to allow later users of the demonstrator to operate the testbed easily.
The following are the main benefits of this project:
- Provision of an 'IP Security Demonstrator' testbed including, among others, a variety of applications, support of IP Multicast functionality, IPsec based VPN functionality for protecting all traffic sent over external networks, firewalls, protocol enhancing proxies, a network simulator as well as DVB-S equipment. This testbed can be used for verification, analysis, measurement and demonstration of several 'IP Security over Satellite' aspects.
- Provision of an Implementation Handbook containing the description of the demonstrator architecture, configuration guidelines, measurement results and lessons learnt.
- Verification of the results of the 'IP Security over Satellite' study.
- Provision of security attack tools for illustrating the benefits of security.
- Provision of detailed performance measurement results for different settings of the demonstrator.
- Provision of a huge variety of applications.
The figure above illustrates the architecture used as the basis for the IP security demonstrator. It can be divided into three organisational blocks: one Central Location and two Branch Locations.
Inside the LAN of the Central Location there are two servers (components 1a and 1b in the figure) hosting different services accessible by clients either from the Central or from the Branch Locations (components 0). Furthermore, the Central Location has two monitoring and control laptops (2a and 2b). These can be attached to the demonstrator at different locations, and are used for purposes such as configuration, monitoring, security attacks or measurement. Additionally, one of them acts as the Certificate Authority. The LANs of the different locations are connected to the network via Cisco 3620 series routers (component 3 in the Central Location and components 1 in the Branch Locations).
On the way to the external network, all traffic is first sent via a Mentat SkyX gateway used for TCP acceleration (component 4 in the Central Location and components 2 in the Branch Locations), then over an IPsec gateway based on the FreeS/WAN code running on Linux (components 5/7 in the Central Location and components 3/4 in the Branch Locations) to another Cisco 3620 series router (component 8 in the Central Location and components 5 in the Branch Locations), which provides connectivity to the external networks. It is important to note here that the Mentat SkyX gateways need to be placed before the IPsec gateways, as they require clear-text access to the transport layer information. The external networks are realised either by a NIST Net network simulator (component 9 in the Central Location), or alternat
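The placement constraint above (TCP accelerator on the LAN side of the IPsec gateway) can be seen directly on the wire: once a packet is ESP-encapsulated in tunnel mode, the outer IP header carries protocol 50 and the TCP ports are inside the encrypted payload, so a performance enhancing proxy placed after the IPsec gateway has nothing to act on. The following Python is an added illustration, not code from the project or from the SkyX or FreeS/WAN products: it builds a constructed IPv4/TCP packet, wraps it in an ESP tunnel-mode packet, and shows that a minimal PEP classifier can read the ports before encapsulation but not after. The addresses, SPI and keys are made up, and the SHA-256 keystream stands in for a real ESP cipher purely so the block runs with the standard library.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50   # IP protocol number for ESP
TCP_PROTO = 6
ICV_LEN = 16     # truncated HMAC-SHA256 used as ESP integrity check value


def build_ipv4(src, dst, proto, payload):
    """Constructed 20-byte IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, payload):
    """Constructed 20-byte TCP header with the ACK flag set, checksum left zero."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    return hdr + payload


def pep_classify(packet):
    """What a TCP accelerator must see: the IP protocol field and the TCP ports.

    Returns (sport, dport) for a clear-text TCP packet, or None when the
    transport header is not visible (e.g. the packet is ESP)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO:
        return None
    return struct.unpack("!HH", packet[ihl:ihl + 4])


def keystream(key, spi, seq, n):
    """Stand-in for an ESP cipher: SHA-256 in counter mode. Illustration only."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:n]


def esp_tunnel_encapsulate(inner, enc_key, auth_key, spi, seq, gw_src, gw_dst):
    """ESP tunnel mode: outer IP | SPI | seq | enc(inner IP pkt + pad + padlen + nexthdr) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # payload + trailer aligned to 4 bytes
    plaintext = inner + bytes(pad_len) + bytes([pad_len, 4])   # next header 4 = IPv4
    ks = keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    esp = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp + icv)


def esp_tunnel_decapsulate(outer, enc_key, auth_key):
    """Verify the ICV, then strip ESP header and trailer to recover the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = outer[ihl:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet modified in transit")
    spi, seq = struct.unpack("!II", body[:8])
    plaintext = bytes(a ^ b for a, b in zip(body[8:], keystream(enc_key, spi, seq, len(body) - 8)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != 4:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Returns (ports seen before IPsec, ports seen after IPsec, inner packet recovered)."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    inner = build_ipv4("10.1.0.10", "10.2.0.20", TCP_PROTO,
                       build_tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n"))
    before = pep_classify(inner)                 # PEP on the LAN side sees the ports
    outer = esp_tunnel_encapsulate(inner, enc_key, auth_key, 0x1000, 1,
                                   "192.0.2.1", "198.51.100.1")
    after = pep_classify(outer)                  # PEP on the WAN side sees only protocol 50
    recovered = esp_tunnel_decapsulate(outer, enc_key, auth_key)
    return before, after, recovered == inner


def tamper_is_detected():
    """Flip one ciphertext byte and confirm the ESP integrity check rejects the packet."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    inner = build_ipv4("10.1.0.10", "10.2.0.20", TCP_PROTO, build_tcp(40000, 80, b"x"))
    outer = bytearray(esp_tunnel_encapsulate(inner, enc_key, auth_key, 0x1000, 2,
                                             "192.0.2.1", "198.51.100.1"))
    outer[30] ^= 0x01                            # inside the encrypted inner header
    try:
        esp_tunnel_decapsulate(bytes(outer), enc_key, auth_key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo(), tamper_is_detected())
```

`demo()` returns `((40000, 80), None, True)`: the same TCP flow is classifiable in front of the IPsec gateway and opaque behind it, and the receiving gateway still recovers the original packet. `tamper_is_detected()` shows the other half of why the PEP cannot sit behind IPsec even if it could guess the headers: any modification of the protected bytes fails the integrity check at the far gateway.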
- Detailed specification of the testbed architecture and selection and specification of appropriate demonstration scenarios.
- Procurement, integration, configuration and testing of the components of the demonstrator.
- Integration and configuration of the security functionality, as well as verification of the security functionality using attack tools.
- Execution of performance tests for different demonstrator settings.
- Integration and configuration of the selected demonstration scenarios.
- Verification of the demonstrator functionality and the measurement results over real satellite and Internet links.
- Provision of an Implementation Handbook and training of ESTEC personnel.
Nearly all the tasks addressing the project objectives are completed:
- The demonstrator has been procured, integrated, configured, tested and delivered to ESTEC.
- A huge variety of applications has been installed.
- Security functionality has been integrated and appropriate security attacks have been performed.
- Performance enhancement has been integrated and appropriate performance measurements have been performed.
- A verification of the results obtained by using a network simulator has been done using real satellite and Internet links.
- The Final Presentation has been given at ESTEC.
- A draft version of the Executive Summary has been provided.
- Implementation Handbook and Final Report are nearly completed.
The remaining tasks are:
- Finalisation of Implementation Handbook and Final Report
- Provision of a training for ESTEC on the IP Security Demonstrator