The main objective of this project is the procurement, integration, configuration, test and delivery of testbed demonstrating IP security over satellite. One purpose of this testbed is the verification of theoretical results found in the previous 'IP Security over Satellite' study. Results such as the appropriate architecture design for using IPsec to secure satellite communication.
Furthermore, it should demonstrate, in an illustrative manner, the security functionality provided by IPsec. In order to demonstrate this to a broad audience, the integration of representative demonstration scenarios, as well as the selection of impressive security attack scenarios is a must.
As the demonstrator is intended to be used by different parties, such as other research projects, equipment manufacturer and of course ESTEC itself, a modular design is of significant importance. This modularity allows for easy replacement of functional components, such as DVB-S equipment, IPsec gateways or performance enhancing equipment, as well as for a later enhancement of the demonstrator functionality, e.g. integration of IPv6 or secure IP Multicast support.
Lastly, one goal of this project is the use of open source software to the maximum possible extent.
One of the key issues of this project is certainly the timely and functionally correct integration, configuration and delivery of the IP Security Demonstrator. As the demonstrator has a very complex functionality including e.g. IP Multicast, IPsec or proprietary protocol enhancements, a carefully architecture design and integration of different components is required in order to avoid negative interworking issues.
Another key issue is the thorough documentation of the demonstrator integration and configuration and of the lessons learned in order to allow later users of the demonstrator an easy operation of the testbed.
The following are the main benefits of this project:
The figure above illustrates the architecture used as basis for the IP security demonstrator. Mainly, it could be divided into 3 organisational blocks, one Central Location and two Branch Locations.
Inside the LAN of the Central Location there are two servers (components 1a and 1b in the figure) hosting different services accessible either from clients from the Central or from the Branch Locations (components 0). Furthermore, the Central Location shows two monitoring and control laptops (2a and 2b). These can be attached to the demonstrator at different locations, and are used for purposes such as configuration, monitoring, security attacks or measurement. Additionally, one of them acts as the Certificate Authority. The LANs of the different locations are connected to the network via Cisco 3620 series router (component 3 in the Central Locations and components 1 in the Branch Locations).
On the way to the external network, the whole traffic is first sent via a Mentat SkyX gateway used for TCP acceleration (component 4 in the Central Locations and components 2 in the Branch Locations), over an IPsec gateway based on the FreeS/WAN code running on Linux (component 5/7 in the Central Locations and components 3/4 in the Branch Locations) to another Cisco 3620 series router (component 8 in the Central Locations and components 5 in the Branch Locations), which provide connectivity to the external networks. It is important to note here, that the Mentat SkyX gateways need to be place before the IPsec gateways, as they require clear text access to the transport layer information. The external networks are realised either by a NIST Net network simulator (component 9 in the Central Locations), or alternat
Nearly all the tasks to address within the project objectives are completed:
The remaining tasks are: