IPSec Integration & Testing
OdiTek offers IPSec Stack integration & functionality support on your Simulator/Analyzer Product. We also verify IPSec via conformance and load testing.
Internet Protocol Security (IPsec) provides application-transparent encryption services for IP network traffic as well as other network access. Designed by the Internet Engineering Task Force (IETF) as the security architecture for the Internet Protocol (IP), IPsec defines IP packet formats and related infrastructure to provide end-to-end strong authentication, integrity, anti-replay and (optionally) confidentiality for network traffic. On-demand security negotiation and automatic key management are provided by the IETF-defined Internet Key Exchange (IKE), RFC 2409. See also RFC 6071 (the IPsec and IKE document roadmap) and RFC 4305 (cryptographic algorithm requirements for ESP and AH).
Transport mode is the default mode and is intended for local network deployments. Tunnel mode is used for external connection types, for example site-to-site connections over the Internet or client-to-site connections over a VPN. Tunnel mode uses the same AH and ESP protocols as transport mode, but instead of protecting only the payload it encapsulates the entire original IP packet, header included, inside a new outer IP packet, so the inner addresses are protected as well.
The simplest way to tell the two modes apart: transport mode is for the LAN, tunnel mode is for external connections.
An IPsec policy is made up of five variables: the filter list, the filter action, the authentication method, the tunnel endpoint, and the connection type.
The filter list establishes exactly what traffic a filter rule is applied to. In most cases this is a destination IP address or subnet, but other match variables exist, and policies can be applied to inbound and outbound traffic. The filter action establishes whether matching traffic is permitted, blocked, or must first go through security negotiation. When multiple filters match, the most specific one is applied first. The connection type specifies whether the policy applies to the LAN or to a dial-up connection.
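An added example, not code from the page: a small Python model of the filter list and filter action described above, choosing the most specific (longest-prefix) filter that matches a destination and direction. The filter names and networks are constructed, and a packet that matches no filter is assumed to pass in the clear.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    name: str
    destination: ipaddress.IPv4Network   # what the filter matches on
    direction: str                       # "inbound" or "outbound"
    action: str                          # "permit", "block" or "negotiate"

def select_filter(filters, dst_ip, direction):
    """Return the most specific (longest-prefix) filter matching the packet, or None."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [f for f in filters if f.direction == direction and dst in f.destination]
    if not matches:
        return None
    return max(matches, key=lambda f: f.destination.prefixlen)

def decide(filters, dst_ip, direction="outbound"):
    """(filter name, action) applied to the packet; assumed default is clear-text permit."""
    chosen = select_filter(filters, dst_ip, direction)
    return (chosen.name, chosen.action) if chosen else (None, "permit")

# Constructed policy (hypothetical names and networks): a broad LAN permit, a more
# specific subnet that must negotiate IPsec, and a blocked host range inside it.
POLICY = [
    Filter("lan-clear", ipaddress.ip_network("10.0.0.0/8"), "outbound", "permit"),
    Filter("finance-secure", ipaddress.ip_network("10.20.0.0/16"), "outbound", "negotiate"),
    Filter("finance-db-block", ipaddress.ip_network("10.20.5.0/24"), "outbound", "block"),
    Filter("remote-site", ipaddress.ip_network("203.0.113.0/24"), "outbound", "negotiate"),
]

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.20.7.9", "10.20.5.3", "203.0.113.10", "198.51.100.1"):
        print(ip, "->", decide(POLICY, ip))
```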
An IPsec policy negotiation has two parts: Main mode and Quick mode. Main mode uses a three-stage negotiation process: stage one negotiates the security suites to be used, stage two is the Diffie-Hellman key exchange, and stage three authenticates the peers using the chosen authentication method. An important fact to remember is that the strength of the Main mode connection dictates the strength of the Quick mode negotiations carried out within it once the connection is established.
The Quick mode phase is used to set up the actual data transfer, creating a separate security association (SA) within the Main mode connection. The lifespan of a Quick mode SA is therefore much shorter: by default it times out after five minutes (3600 seconds) or when the data limit is reached, which by default is 100 MB. After this point the session is renegotiated and the process starts again.
Providing authentication methods on the local network makes no sense. If we use IPsec tunnel mode over the Internet, we need an external authentication method, namely a Public Key Infrastructure (PKI); this could be a third-party certification provider. The weakest authentication method is the pre-shared key.
The security vulnerabilities present in the LTE access network, resulting from its simplified flat architecture and the use of an insecure IP transport network, encourage the introduction of Internet Protocol Security (IPsec). IPsec is a protocol suite for data authentication, integrity and encryption protection through defined procedures and cryptographic algorithms. Introducing it has two consequences: (a) the authentication and encryption processes are computationally quite demanding, requiring a dedicated network element, the Security Gateway (SecGW), to terminate IPsec tunnels and protect the LTE core side; (b) eNB certificate-based authentication, using digital signatures with asymmetric keys, requires a Public Key Infrastructure (PKI) to issue certificates for the SecGW and eNB public keys. Besides performance degradation there is also an increase in network complexity: with the SecGW introduced, the architecture needs to be redesigned to meet high availability requirements. IPsec uses public key certificates for mutual peer authentication, so the eNB and SecGW public keys need to be renewed and certified periodically.
Scenarios are evaluated considering factors such as performance, security and cost.
OdiTek focuses on testing new technologies and technology generations. It aims to be a preferred partner for enterprises that develop software products based on Telecom Wireless, while also providing QA / Testing services (products & services).
- Focused on Telecom Wireless, Mobile & Internet technologies
- Expertise in telecom product development (Wireless), strong on all the latest technologies in telecom wireless networks (2G, 3G, IMS, WiMAX, LTE, ...). Our telecom teams were among the first in India to work on LTE & the Air Interface.
- Deployment and testing of telecom network equipment and solutions
Focus on implementation, support, development, upgrade, rollouts & QA services for Telecoms
- OdiTek brings in a very strong competency pool and experienced professional expertise that makes project commitments more reliable and consistent.
- Proven offshore delivery model to provide competitive edge
- Product Development on C, C++, Java
- Field deployment & testing of telecom equipment
- Proprietary scripting for baseline releases
- Applications for all technology generations: GSM, CDMA, UMTS, LTE (RAN, EPC, Air)
- Telecom Wireless Consulting
- E2E QA solution for LTE, EPC, IMS, WiMAX
- Regression, Load Testing
- Expertise in various simulators such as EXFO EAST, IxLoad and dsTest; scripts to test against real/simulated SUT/DUT
- Bug tracking; test plans & execution;
- Sanity & regression tests of new packages/baselines
- Developing security protocol stacks such as IPSec, SRTP, EAP and SSL/TLS
- Variety of open source libraries and hardware accelerators
- Integrating crypto libraries and accelerators
- Intel® QuickAssist Technology in different form factors (SoC, PCI-E Adapter)
- Intel® Advanced Encryption Standard New Instructions (AES-NI)
- Intel® DPDK using Intel® QAT and AES-NI
- Cavium Octeon® and Nitrox® Security Processors
- Integrate any IPSec stack or security packages into product
- Variety of security RFCs or standard protocols on IP Security
- IPSec (AH/ESP), PPP, PPPoE, VLAN, MPLS, UDP,
- TCP, ICMP/ICMPv6, IP/IPv6, RTP, RTCP, GTP, GRE
- C, C++, Network Programming
- Linux Kernel Module Programming
- Multi Core Programming using Cavium Octeon SDK/Intel DPDK
Our services include application development, post-implementation support, maintenance, functional testing, conformance and performance testing.
- Integration of 3rd party IPSec stacks (e.g. Xpressent)
- IPsec server and client support
- SecGW feature integration
- Quality of Service
The LTE network is intended to be a single transport network for all types of services. Services such as voice, video, Internet browsing or email compete for network resources, so LTE needs mechanisms to manage its own resources and meet the Quality of Service (QoS) required by each type of service.
- IPsec overhead
The overhead introduced by IPsec increases IP packet size and degrades network performance. The overhead rate of the chosen IPsec transform and the Maximum Transmission Unit (MTU) must be considered together so that encapsulated packets do not exceed the MTU and cause fragmentation or packet discards.
With the introduction of IPsec, the median latency increased by 104% in the downlink (DL) and 108% in the uplink (UL) for small packets (84 bytes), and by 89% in DL and 83% in UL for large packets (1400 bytes). The maximum latency values increased by 100% in DL and 70% in UL for small packets, and by 100% in DL and 68% in UL for large packets.
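As an added example (not code from the page), the following Python works out the ESP tunnel-mode overhead per packet and the largest inner packet that still fits a 1500-byte MTU without fragmentation. The IV, alignment and ICV sizes per transform are assumed standard values, and the 84- and 1400-byte packet sizes are the ones used in the latency figures above.

```python
# Added example: ESP tunnel-mode overhead for an IPv4 inner packet (RFC 4303 layout).
IPV4_HDR = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# Assumed standard sizes: (IV length, alignment/block size, ICV length) in bytes
TRANSFORMS = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "3des-cbc-hmac-md5-96": (8, 8, 12),
    "aes-gcm-16": (8, 4, 16),   # GCM needs only 4-byte alignment of the trailer
}

def esp_padding(inner_len, block):
    """Padding so that payload + padding + trailer is a multiple of `block` (min 4)."""
    block = max(block, 4)
    return (-(inner_len + ESP_TRAILER)) % block

def esp_tunnel_size(inner_len, transform):
    """Total on-the-wire size once `inner_len` bytes of IP packet are tunneled."""
    iv, block, icv = TRANSFORMS[transform]
    pad = esp_padding(inner_len, block)
    return IPV4_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv

def overhead_pct(inner_len, transform):
    """Overhead rate relative to the original packet size."""
    return 100.0 * (esp_tunnel_size(inner_len, transform) - inner_len) / inner_len

def max_inner_len(mtu, transform):
    """Largest inner packet whose encapsulation still fits `mtu` (no fragmentation)."""
    n = mtu
    while n > 0 and esp_tunnel_size(n, transform) > mtu:
        n -= 1
    return n

if __name__ == "__main__":
    for size in (84, 1400):   # packet sizes used in the latency measurements above
        for t in TRANSFORMS:
            print(f"{size:5d} B inner -> {esp_tunnel_size(size, t):5d} B on wire "
                  f"({overhead_pct(size, t):5.1f}% overhead) with {t}")
    print("inner MTU for 1500-byte links:",
          {t: max_inner_len(1500, t) for t in TRANSFORMS})
```

The small-packet case shows why the 84-byte measurements suffer most: the fixed per-packet overhead is close to the size of the packet itself.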
- Tunnel setup rate testing methodology
Tunnel setup rate is measured by configuring a user-definable number of simultaneous tunnel requests. As more tunnels are set up, the rate is measured as a function of the number of tunnels already established. All statistics, including capacity and tunnel setup rates, are presented in real-time.
Test cases are designed to cover IKE, AH and ESP and support a wide range of encryption and authentication algorithms, including 3DES, AES, MD5 and SHA. Both positive and negative test cases are provided.
Performance degrades when the device under test is overloaded with IPsec traffic, so throughput must be measured. Once the tunnels are established, stateful application data (TCP) is sent over the tunnels using Iperf. The Iperf software generates traffic patterns of thousands of transactions per second and reports the throughput of each tunnel in Mbps.
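An added example, not OdiTek's tooling, covering the two measurements described above: the tunnel setup rate as a function of tunnels already established, and per-tunnel throughput. The establishment timestamps and the iperf2-style summary lines are constructed inline.

```python
import re

# Constructed sample: time in ms at which each IKE tunnel finished establishing
# (sorted). The second half slows down as the simulated SecGW fills up.
ESTABLISH_MS = [i * 10 for i in range(200)] + [2000 + i * 20 for i in range(200)]

def setup_rate_curve(times_ms, step=100):
    """Setup rate (tunnels/s) per block of `step` tunnels, keyed by the
    number of tunnels already established when the block started."""
    curve = []
    for start in range(0, len(times_ms) - step + 1, step):
        elapsed = times_ms[start + step - 1] - times_ms[start]
        rate = (step - 1) * 1000.0 / elapsed if elapsed > 0 else float("inf")
        curve.append((start, rate))
    return curve

# Constructed iperf2-style summary lines, one TCP stream per tunnel.
IPERF_OUTPUT = """\
[  3]  0.0-10.0 sec  1.10 GBytes   943 Mbits/sec
[  4]  0.0-10.0 sec   112 MBytes  94.0 Mbits/sec
[  5]  0.0-10.0 sec  12.2 MBytes  10.2 Mbits/sec
"""

IPERF_LINE = re.compile(
    r"\[\s*(\d+)\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+\w+\s+([\d.]+)\s+([KMG])bits/sec"
)

def parse_iperf_mbps(output):
    """Map iperf stream id -> throughput in Mbit/s."""
    scale = {"K": 1e-3, "M": 1.0, "G": 1e3}
    return {int(m.group(1)): float(m.group(2)) * scale[m.group(3)]
            for m in IPERF_LINE.finditer(output)}

def throughput_degradation_pct(clear_mbps, ipsec_mbps):
    """Relative throughput loss once the same stream runs inside an IPsec tunnel."""
    return 100.0 * (clear_mbps - ipsec_mbps) / clear_mbps

if __name__ == "__main__":
    for established, rate in setup_rate_curve(ESTABLISH_MS):
        print(f"{established:4d} tunnels up: {rate:6.1f} tunnels/s")
    per_tunnel = parse_iperf_mbps(IPERF_OUTPUT)
    print("per-tunnel Mbps:", per_tunnel, "aggregate:", sum(per_tunnel.values()))
```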