[Sis-csi] IPSec AH and SCPS-NP
Scott, Keith L.
kscott at mitre.org
Thu Dec 7 12:59:34 EST 2006
I think your assessment about tunneling makes sense (as in my response
to Marc). I also mentioned v6 support at the end of that email as well
(and yes, it needs to be looked at).
There are a few implementations of NP (maybe a small handful, I know
Xiphos did their own implementation independent of the SCPS Reference
Implementation). I don't know of anybody who's deployed it on anything
but in a lab.
The immediate DoD need for NP (GPALS) went away, and while some things
have changed in the interim (higher data rates, etc.), some things have
not. It's probably possible to coerce IP diffserv into supporting
military precedence and some of the per-packet routing treatment NP
supports.
Your question about gatewaying SCPS-SP whenever IP/NP gatewaying takes
place makes sense. I wonder if we could suggest that direct carriage
of AH across an NP network just shouldn't be supported (in favor of
forced AH-to-SP gatewaying).
--keith
-----Original Message-----
From: Ivancic, William D. (GRC-RCN0)
[mailto:william.d.ivancic at nasa.gov]
Sent: Thursday, December 07, 2006 11:24 AM
To: Marc Blanchet; Scott, Keith L.
Cc: Durst, Robert C.; sis-csi at mailman.ccsds.org; Feighery, Patrick D.
Subject: RE: [Sis-csi] IPSec AH and SCPS-NP
If I am going to tunnel, I don't think I would ever use SCPS-NP as I
don't understand what the benefit would be.
My understanding is that one would use NP because your link is so
confined that every bit counts. Thus SCPS-NP only makes sense to me as
a gateway deployment. Likewise if one is using SCPS-NP, I believe one
would use SCPS-SP as well because there simply would not be enough
bandwidth to carry IPsec.
Am I off-base hear or does that make sense?
Now, the 100,000 dollar question. Has anyone deployed SCPS-NP? If
not, will anyone deploy SCPS-NP?
Also, if one is addressing IPv4/NP one most certainly should also
address IPv6/NP.
Will
******************************
William D. Ivancic
Phone 216-433-3494
Fax 216-433-8705
Lab 216-433-2620
Mobile 440-503-4892
http://roland.grc.nasa.gov/~ivancic
> -----Original Message-----
> From: sis-csi-bounces at mailman.ccsds.org
> [mailto:sis-csi-bounces at mailman.ccsds.org] On Behalf Of Marc Blanchet
> Sent: Thursday, December 07, 2006 9:43 AM
> To: Scott, Keith L.
> Cc: Durst, Robert C.; sis-csi at mailman.ccsds.org; Feighery,Patrick D.
> Subject: Re: [Sis-csi] IPSec AH and SCPS-NP
>
> Maybe my comment is dumb, but why don't tunnel
> IPv*-with-IPsec into the payload of SCPS-NP (i.e. include the
> whole IP header and payload into the payload of SCPS-NP) and
> then you have "nothing" to do to support IPsec in NP, since
> IPsec will be managed by IP devices. dumb?
>
> Marc.
>
> Le 06-12-06 à 15:28, Scott, Keith L. a écrit :
>
> > As part of our charter item to update existing CCSDS
> > specifications, there is a rather old outstanding action item to
> > update the SCPS Network Protocol (SCPS-NP) to support carriage of
> > information needed for end-to-end IPSec AH across SCPS-NP networks.
> >
> > I put together some slides on this topic and placed them at
> (http://
> >
> public.ccsds.org/sites/cwe/sis-csi/Public/Draft%20Documents/Carrying
> > %20IPSEC%20Authentication%20Headers%20in%20SCPS-NP.ppt). The
> > slides present three options with varying implications (one option
> > uses only a new TPID but costs a byte, the other two have lower
> > overhead but use bits from the NP control field).
> >
> > I'd like to open this up for disucussion and try to come to
> a rough
> > consensus before we go into the January meetings.
> >
> > --keith
> >
> > _______________________________________________
> > Sis-CSI mailing list
> > Sis-CSI at mailman.ccsds.org
> > http://mailman.ccsds.org/cgi-bin/mailman/listinfo/sis-csi
>
>
> _______________________________________________
> Sis-CSI mailing list
> Sis-CSI at mailman.ccsds.org
> http://mailman.ccsds.org/cgi-bin/mailman/listinfo/sis-csi
>
More information about the Sis-CSI
mailing list