In FY97 & FY98 ANTD and CSD staff members took a leadership role in the IETF and vendor community in design and standardization of internetwork layer security protocols, known as IPsec, and a key exchange and key management protocol known as IKE (Internet Key Exchange). IPsec & IKE protocols are designed to provide dynamic authentication, integrity and confidentiality services to both the current IP protocol (IPv4) and IPv6. We have concentrated our current efforts on IPv4 because of the high level of interest in fielding Internet security technology as quickly as possible.

At the request of IETF area directors, NIST staff collaborated with key industry partners to develop several specifications for emerging IPsec protocols. NIST staff co-authored IPsec protocol specifications with: Cisco Systems Inc, Bay Networks, IBM T. J. Watson Research Center, Sable Systems and GTE Internetworking.

In addition to contributing to IETF standards development, we designed and developed Cerberus, a leading edge prototype and reference implementation of the latest IPsec specifications. We also developed PlutoPlus, a prototype implementation of the latest IKE specifications. Cerberus and PlutoPlus serve as publicly available reference implementations and platforms for on-going research on advanced issues in IPsec and IKE technology.

To answer an industry call for more frequent and accessible interoperability testing for emerging commercial implementations of IPsec technology, we developed the NIST IPsec WWW-based Interoperability Tester (IPsec-WIT). IPsec-WIT is built around the Cerberus and PlutoPlus prototypes and ubiquitous WWW technology and allows implementers to remotely execute series of interoperability tests against the NIST reference implementation. IPsec-WIT also serves as an experiment in test system architectures and technologies. The novel use of WWW technology allows IPsec-WIT to provide interoperability testing services anytime and anywhere without requiring any distribution of test system software, or relocation of the systems under test.

Cerberus, PlutoPlus, and IPsec-WIT are only initial building blocks toward a complete solution to the security problems of today's Internet. In order for security to be an ubiquitous part of the future NGI infrastructure, much research and development must occur to address unresolved issues such as scalable certificate infrastructures, mechanisms to manage and enforce security policies, and 2nd order issues relating to IPsec technology (e.g. mobile IP security, IPv6 security, IP multicast security, IPsec resiliency, IPsec VPN applicability).

This proposal defines a series of NIST tasks aimed at further advancing the state of security technology in the IETF standards, the commercial vendor, and Internet user communities. This project is a continuation of ongoing NIST efforts in these areas. It is predicted that some of these tasks will become the initial impetus for larger tasks that will continue into FY00. It is possible that the resources to accomplish all of these tasks will not be available for FY99. It is also possible for new developments in the IETF community to arise that will cause some of these tasks to become less significant. These potential problems will be addressed as they develop.

In the next few weeks, NIST will release PlutoPlus, an early prototype reference implementation which provides the core set of services defined in the IKE standards. PlutoPlus provides the community a valuable tool to further research and standardize the areas of IPsec and dynamic key management and will help expedite the availability of interoperable commercial implementations.

PlutoPlus requires additional functionality to provide the community with a fully functional IKE reference implementation. A list is provided below which highlights the additional required functionality. In addition, other protocols and mechanisms are required for IKE to provide its defined security services. There is an IETF proposal to use newly defined DNS record types to identify the location of IPsec tunnel end-points. To dynamically authenticate its exchanges, IKE must request and use a public key certificate from a public key Certificate Authority (CA). These mechanisms are required to have a complete, stand-alone, scalable, key management solution.

In this task we will continue the development of the NIST IKE Reference Implementation. Additional protocol extensions and mechanisms will be integrated to provide a complete IPsec key management reference implementation. The following is the task outline that will be used to meet the objectives defined above.

• Evaluate the functional differences between the current PlutoPlus and the NSA IKE prototype. Determine whether we should proceed updating PlutoPlus or adopting the NSA prototype as the basis for our current IKE development.
• Modify the chosen prototype to include the functionality listed below. The NSA prototype may already implement some of these items.
• Identify a CA server from which the prototype will request public key certificates. The current choices are the NIST developed PKIX server and the Netscape Certificate Server.
• Implement an IKE-CA Server interface and modify the IKE prototype to use the public key certificate for authentication.
• Modify a current version of BIND to use the proposed IPsec tunnel records.
• Implement an IKE-DNS interface and modify the IKE prototype to use this DNS extension to select IPsec tunnel end-points.
• Participate in IPsec/IKE Interoperability workshops.
• Provide recommendations and observations to the IETF IPsec Working Group.
• Demonstrate the utility and feasibility of a complete, integrated IP security solution.

The following is a prioritized list of functionality that is missing from the current PlutoPlus prototype. An additional list is provided that includes optional functionality that will be included given the time and resources.

• IKE Notify Messages
• Maintenance of the Commit Bit
• The ability to accept IKE payloads in any order
• SA lifetime management
• Multiple IPsec proposals support
• Multiple destination support (e.g., address ranges, subnets, etc.)
• IPsec packet queue support

• Additional destinations support (e.g. ASN.1 names, user names)
• Digital signature support for authentication and Signature Payloads
• Phase 1 Aggressive Mode
• Diffie-Hellman Group 2 support
• Additional Phase1 encryption algorithms
• New Groups Exchange to negotiate private Diffie-Hellman Groups
• Dynamic re-keying with Perfect Forward Secrecy (PFS)

One of the primary differences between IPv6 and IPv4 is that security is a mandatory component of IPv6. For IPv6 to become a viable, next generation replacement of IPv4, security services must become an integral part of IPv6. IPv6 offers many other core services that are considered optional for IPv4. While it is the intent of the IETF IPsec WG to use the existing IPsec specifications to define security services for IPv6, the IPsec specifications do not address the security issues regarding these additional services. In general, very little research and development has been done in the area of IPv6 security.

In this task we will develop IPv6 versions of our IPsec and IKE reference implementation prototypes. We will also participate in the development of a set of protocols to provide integrated security services for IPv6. The following is the task outline that will be used to meet the objectives defined above.

• Port and modify Cerberus to provide IPsec security services for the Linux IPv6 stack.

• Design and develop IPsec components specific to IPv6 that are not included in the Cerberus IPv4 prototype.
• Modify and port PlutoPlus to provide IKE services for the Linux IPv6 stack.
• Participate in the IETF IPv6 and IPsec working groups providing recommendations and insights on issues regarding IPv6 IPsec.

The NIST IPsec WWW-based Interoperability Tester (IPsec-WIT) is an experimental interoperability testing tool for emerging IETF security protocols. The goals of the IPsec-WIT effort are to (1) investigate lightweight testing architectures/technologies that will actually get used by the Internet community, and (2) to produce an operational interoperability test system for IPsec protocols.

IPsec-WIT was initially designed around 2 stateless IPsec protocols (AH and ESP). Incorporating IKE, a stateful protocol, into the test system was not trivial and has pushed the utility of the tester, in its current design, to its limits. All of the tasks listed in this project proposal involve adding more complexity and integrating individual Internet security protocols to provide a more complete Internet security solution. To continue providing this service to the Internet community, a more robust interoperability testing language and testing tool is required.

In this task we will develop a new version of IPsec-WIT to provide interoperability testing anytime and anywhere for an integrated IPsec environment. This new test system will incorporate all of the additional features added to Cerberus and PlutoPlus as part of this proposal. The following is the task outline that will be used to meet the objectives defined above.

• Identify issues regarding the current test system that need to be re-worked to support an integrated, system-level, stateful, WWW-based Internet security interoperability test system. Include support for the new features to be added to the IPsec and IKE prototypes.
• Define a more robust test language to support the new test system.
• Design and develop the new test system to operate over both IPv4 and IPv6.
• Design and develop test cases for individual protocol components and integrated multi-protocol components.

IPsec and IKE standards were developed to operate in virtually any environment in which someone would want to secure IP traffic. As a result, these protocols have many optional components (i.e. algorithms, functions, and IKE message types). The IPsec specifications refer to a Security Policy Database (SPD) and local policy as the mechanisms to determine which components to use in any particular communication. The SPD contains controls for a subset of the optional components defined the IPsec specifications and excludes policy controls for IKE. The term local policy is vague and provides little direction to the people, institutions, and organizations that may wish to use and deploy IPsec technology. An additional complexity involves the ability to distribute policy across multiple IPsec/IKE systems in a network. Without a better understanding on how to setup and use IPsec technology to implement network security policy, wide-scale deployment will fail.

In this task, we will develop documentation, protocol extensions, and prototypes to assist IPsec users in better understanding and implementing IPsec policy. The following is the task outline that will be used to meet the objectives defined above.

• Identify and document the optional components in the IPsec standards. This document will define these components in terms more relevant to users.
• Identify and document any additional optional components not included in the IPsec standards, which are relevant to configuring and controlling the services, provided by IPsec.
• Expand the definition of the IPsec SPD to include a more robust and thorough set of optional components.
• Define a second SPD for use with IKE.
• Define mechanisms and recommendations on how to manage (i.e. add, delete, update, timeout, etc.) both SPDs.
• Extend IKE to include the ability to securely distribute the SPDs within defined policy regions creating an IPsec Network Policy Database (NPD).
• Expand the Cerberus and PlutoPlus prototypes to include these extensions.
• Document the protocol and SPD extensions as Internet Drafts.

In the past few years we have witnessed an explosive growth in the use of notebook computers, hand-held computers, and wireless technology. Over the next several years, we will see the majority of these mobile computers, connected to the Internet via Mobile IP protocols. As organizations adopt more of this technology, requirements for mobility will include large numbers of highly mobile nodes, frequently/continuously changing points of network attachment, potential for rapidly evolving / moving network infrastructures, and the need for stringent security services in all aspects of mobile networking. The only scalable standardized security solution available for use with Mobile IP is through the application of IPsec and IKE technology.

Little effort has been made to study the feasibility of using IPsec and IKE protocols in a mobile networking environment. The current IPsec and IKE specifications assume, for the most part, the use of wired technology and large bandwidth networks. Mobile IP networks are typically bandwidth constrained and require high levels of compression to transmit effectively. Strong encryption removes the ability to compress data. In response to this, the IETF has defined an IPsec-like compression protocol, the IP Payload Compression Protocol (IPPCP), and extensions to IKE to allow mobile computers to negotiate and apply compression prior to applying IPsec encryption.

Under this task, NIST will research the security requirements for mobile IP environments and evaluate the applicability of emerging IETF IPsec/IKE technology to support such environments. Initially, this will be something of a seed task, with NIST devoting minor resources to research and experimentation with mobile IP and IPsec. As other efforts mature, we will increase our efforts by defining more significant research topics involving Mobile IP and IPsec.

• Establish a mobile IP test-bed for research, development and testing purposes.
• Install Cerberus and PlutoPlus to provide security services in this test-bed. Modify the prototypes if necessary.
• Add support for the IETF IP Compression Protocol to Cerberus and PlutoPlus.
• Demonstrate the feasibility of IPsec and IKE operating in a mobile IP environment.
• Provide observations and feedback to the IETF Mobile IP and IPsec Working Groups.
• Develop more involved research tasks for this area.