Lecture 13 IPsec Internet Protocol Security CIS 4362 - CIS 5357 Network Security

Jan 21, 2016

Aileen Morrison
Page 1

Lecture 13
IPsec
Internet Protocol Security
CIS 4362 - CIS 5357
Network Security

Page 2

What is IPsec?

• Protocols and mechanisms to support security at the network layer (IP layer)
– Two main security protocols, called Authentication Header (AH, IP protocol number 51) and Encapsulating Security Payload (ESP, IP protocol number 50)
• Implemented on end hosts and on gateways
• Separate security associations (SAs) are used to determine the processing in each of the two directions (outbound and inbound)
• An SA is uniquely identified by
– SPI (Security Parameters Index)
– Destination IP address
– IPsec protocol (ESP or AH)

Page 3

Logical Format of an IPv4 Packet

Field                                          Size
Version                                        4 bits
IHL (header length)                            4 bits
Service Type                                   8 bits
Total length                                   16 bits
Identification                                 16 bits
Flags                                          3 bits
Fragment offset                                13 bits
Time to Live                                   8 bits
Protocol                                       8 bits
Header Checksum                                16 bits
Source IP Address                              32 bits
Destination IP Address                         32 bits
IP Options if used, plus padding to 4 bytes    Variable length, multiples of 4 bytes
Encapsulated Data                              Variable length, integral number of bytes
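The header layout above, parsed in code. This is an added example written for this page, not code from the lecture: it unpacks the fixed IPv4 header, verifies the header checksum (so a corrupted protocol field is never acted on), and reports whether the packet carries an IPsec header by the protocol numbers the slides give (ESP = 50, AH = 51). The packet bytes it parses are constructed inline; the addresses 10.0.0.1 and 10.0.0.2 and the payload are made up.

```python
import struct

# IP protocol numbers from the slides: IP-in-IP = 4, TCP = 6, UDP = 17, ESP = 50, AH = 51
PROTO_NAMES = {4: "IP-in-IP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")   # the 20-byte fixed header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    the header taken as 16-bit words, computed with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header laid out on the slide. Raises ValueError when the
    header is truncated, has a bad IHL, or fails its checksum."""
    if len(packet) < IPV4_FIXED.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = IPV4_FIXED.unpack(packet[:IPV4_FIXED.size])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    hlen = ihl * 4                            # IHL counts 32-bit words
    if hlen < 20 or len(packet) < hlen or total_len < hlen:
        raise ValueError("bad header length")
    zeroed = bytearray(packet[:hlen])
    zeroed[10:12] = b"\x00\x00"               # the checksum is computed over a zeroed field
    if ipv4_checksum(bytes(zeroed)) != csum:
        raise ValueError("header checksum mismatch")
    return {
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,            # top 3 bits of the 16-bit word
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": packet[20:hlen],           # options plus padding to 4 bytes
        "payload": packet[hlen:total_len],    # encapsulated data
    }


def is_ipsec(packet: bytes) -> bool:
    """True when the IP protocol field announces an IPsec header: 50 (ESP) or 51 (AH)."""
    return parse_ipv4(packet)["protocol"] in (50, 51)


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


def sample_packet(proto: int, payload: bytes) -> bytes:
    """Constructed sample (not captured traffic): a minimal IPv4 header without
    options, from 10.0.0.1 to 10.0.0.2, DF flag set, TTL 64, plus the payload."""
    hdr = IPV4_FIXED.pack(0x45, 0, IPV4_FIXED.size + len(payload), 0x1234, 0x4000,
                          64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload
```

`sample_packet(50, ...)` yields a packet that `is_ipsec` reports as ESP; flipping any header byte makes `is_well_formed` return False because the checksum no longer matches.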

Page 4

IPsec Services: Services That Hosts and Gateways Provide

• Access control
• Data content confidentiality
• Connectionless integrity
• Data origin authentication
• Replay protection
• Privacy
• Traffic flow masking (limited traffic flow confidentiality)

Page 5

IPsec Architecture (RFC 2401; since obsoleted by RFC 4301)

• Security policies that define which traffic is protected, and how
• Security associations between network components
• Security protocols
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• Key management
– Internet Key Exchange (IKE)
• Algorithms for authentication and encryption

Page 6

IPsec Operations

• Transport mode
– The IPsec header goes above the IP header and below the transport (TCP/UDP) header
• Tunnel mode
– IP within IP: the original packet is encapsulated whole
– The IPsec header is sandwiched between the new (outer) IP header and the original (inner) IP header

Page 7

IPsec OSI Layer

Figure: protocol stacks, top to bottom.
Transport mode: TCP / IPsec / IP / Data Link / Physical
Tunnel mode: TCP / IP (inner) / IPsec / IP (outer) / Data Link / Physical

Page 8

IPsec Packet Encapsulation

Original packet:  | IP Header | Rest of Packet |
Transport mode:   | IP Header | IPsec Header | Rest of Packet |
Tunnel mode:      | IP Header (new) | IPsec Header | IP Header (original) | Rest of Packet |

Page 9

Adding IPsec to IPv4

version: 4 bits
header length: 4 bits (unit = 4 octets)
type of service: 1 octet
packet length: 2 octets
packet identification: 2 octets
flags: 3 bits
fragment offset: 13 bits
hops remaining (TTL): 1 octet
protocol: 1 octet
header checksum: 2 octets
source address: 4 octets
destination address: 4 octets
options: variable

Regular IP protocol values: TCP = 6; UDP = 17; IP-in-IP = 4
IPsec protocol values: ESP = 50 and AH = 51

With IPsec, the protocol field of the IP header carries 50 or 51; the protocol of the encapsulated data (TCP, UDP, or IP in tunnel mode) is specified in the Next Header field of the IPsec header.

Page 10

Adding IPsec to IPv6

version | traffic class (type of service) | flow label: 4 octets
payload length: 2 octets
next header: 1 octet (specifies the protocol, or the next extension header)
hop limit (TTL): 1 octet
source address: 16 octets
destination address: 16 octets

In IPv6, AH and ESP appear as extension headers, chained through the next header field with the same values, 51 and 50.

Page 11

Transport mode

| IP header | payload |
| IP header | IPsec header | payload |

Transport mode was designed to save bandwidth in end-to-end associations. The payload is typically encrypted and authenticated. The IP header is in the clear, and may or may not be authenticated: AH covers its immutable fields, ESP does not cover it at all.

Page 12

Transporting

Figure: Alice and Bob, transport mode.
Alice builds IP packet p1 (Sender = Alice, Recipient = Bob)
On the wire: IP packet p2 (IPsec transport), Sender = Alice, Recipient = Bob
Bob recovers IP packet p1

Page 13

Tunnel Mode

| IP header | payload |
| new IP hdr | IPsec hdr | IP header | payload |

Tunnel mode protects both the payload and the IP header of the original packet. If encryption is used between gateways in tunnel mode, the inner addresses are hidden and an observer sees only gateway-to-gateway traffic, which reduces the information available for traffic analysis.

Page 14

Tunneling

Figure: Alice, Gateway G1, Gateway G2, Bob.
Alice sends IP packet p1 (Sender = Alice, Recipient = Bob) to Gateway G1
Between the gateways: IP packet p2 (IPsec tunnel), Sender = G1, Recipient = G2, carrying p1
Gateway G2 unwraps p2 and forwards IP packet p1 to Bob

Page 15

Security Associations

• An IPsec-protected connection is called a security association (SA); an SA is one-way, so two-way traffic needs one SA per direction
• The SPI used in identifying the SA is normally chosen by the receiving system
• Basic processing
– For outbound packets, the packet's selectors (addresses, protocol, etc.) are matched against policy to determine the processing to be applied to the packet
– This is more complex than for inbound packets, where the received SPI, destination address and protocol type uniquely point to an SA

Page 16

SAD and SPD

• The IPsec implementation maintains two databases:
– Security association database (SAD). Indexed by SPI (together with destination address and protocol), it contains the information needed to encapsulate or decapsulate packets for one association: cryptographic algorithms, keys, sequence numbers, etc.
– Security policy database (SPD). Allows for implementation of packet filtering policies. Defines whether or not to accept non-protected packets, what protection to require, etc.

Page 17

Security Association Database

• Sequence number counter
• Sequence number overflow flag
• Anti-replay window
• AH information
– Algorithms, initialization values, keys, etc.
• ESP information
– Algorithms, initialization values, keys, etc.
• SA lifetime
• IPsec protocol mode (transport or tunnel)
• Path MTU (max packet size)

Page 18

Security Policy Database

• Defines:
– Traffic to be protected
– How to protect it
• Must be consulted for each packet entering or leaving the IP stack
• Three possible actions
– Discard
– Bypass IPsec
– Apply IPsec
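The two databases and the two lookup directions from the slides above, as an added example written for this page (not lecture code): an ordered SPD whose entries carry selectors and one of the three actions, and an SAD keyed by the (SPI, destination address, protocol) triple. Outbound processing matches the packet's selectors against the SPD and then searches the SAD for an SA that satisfies the policy; inbound processing goes straight to the SAD with the triple taken from the packet. The addresses, SPI values, key and policy set in `build_example` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ESP, AH = 50, 51          # IPsec protocol numbers from the slides


@dataclass(frozen=True)
class Selector:
    """SPD selectors from the slides: source address, destination address and
    transport-layer protocol number. Addresses are CIDR prefixes; None means any."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None

    def matches(self, src: str, dst: str, proto: int) -> bool:
        return ((self.src is None or ip_address(src) in ip_network(self.src))
                and (self.dst is None or ip_address(dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == proto))


@dataclass
class SPDEntry:
    """One SPD rule: which traffic, and one of the actions DISCARD, BYPASS, PROTECT."""
    selector: Selector
    action: str
    ipsec_proto: Optional[int] = None     # ESP or AH, for PROTECT
    mode: Optional[str] = None            # "transport" or "tunnel", for PROTECT
    tunnel_peer: Optional[str] = None     # outer destination address, for tunnel mode


@dataclass
class SA:
    """Minimal SAD entry: the identifying triple plus some of the state the slides list."""
    spi: int
    dst: str
    proto: int
    mode: str
    key: bytes
    seq: int = 0                          # outbound sequence number counter


class IPsecDatabases:
    def __init__(self) -> None:
        self.spd: List[SPDEntry] = []                    # ordered: first match wins
        self.sad: Dict[Tuple[int, str, int], SA] = {}    # (SPI, dst, proto) -> SA

    def add_policy(self, entry: SPDEntry) -> None:
        self.spd.append(entry)

    def add_sa(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def outbound(self, src: str, dst: str, proto: int) -> Tuple[str, Optional[SA]]:
        """Outbound: the packet's selectors pick an SPD entry; for PROTECT the SAD is
        then searched for an SA that matches the policy (protocol, mode, peer)."""
        for entry in self.spd:
            if not entry.selector.matches(src, dst, proto):
                continue
            if entry.action != "PROTECT":
                return entry.action, None
            sa_dst = entry.tunnel_peer if entry.mode == "tunnel" else dst
            for sa in self.sad.values():
                if sa.dst == sa_dst and sa.proto == entry.ipsec_proto and sa.mode == entry.mode:
                    return "PROTECT", sa
            return "NEED_SA", None        # policy says protect but no SA exists: IKE would run here
        return "DISCARD", None            # no matching policy: drop

    def inbound(self, spi: int, dst: str, ipsec_proto: int) -> Optional[SA]:
        """Inbound: SPI, destination address and protocol from the packet index the SAD directly."""
        return self.sad.get((spi, dst, ipsec_proto))


def build_example() -> IPsecDatabases:
    """Constructed example: a gateway protecting 10.1.0.0/16 <-> 10.2.0.0/16 with an ESP
    tunnel to the peer gateway 203.0.113.2, AH policy to 10.3.0.0/16 with no SA yet,
    local intranet traffic bypassed, everything else discarded. All values are made up."""
    db = IPsecDatabases()
    db.add_policy(SPDEntry(Selector(src="10.1.0.0/16", dst="10.2.0.0/16"), "PROTECT",
                           ipsec_proto=ESP, mode="tunnel", tunnel_peer="203.0.113.2"))
    db.add_policy(SPDEntry(Selector(dst="10.1.0.0/16"), "BYPASS"))
    db.add_policy(SPDEntry(Selector(dst="10.3.0.0/16"), "PROTECT", ipsec_proto=AH, mode="transport"))
    db.add_policy(SPDEntry(Selector(), "DISCARD"))
    db.add_sa(SA(spi=0x1000, dst="203.0.113.2", proto=ESP, mode="tunnel", key=b"\x11" * 32))
    return db
```

Note the asymmetry the slide points out: `outbound` has to walk the SPD and then the SAD, while `inbound` is a single dictionary lookup, and the protocol is part of the key, so an AH packet with SPI 0x1000 does not find the ESP SA.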

Page 19

Some Security Association Selectors

• Destination IP address
• Source IP address
• User ID
• Data sensitivity level
• Transport layer protocol number
• IPsec protocol (AH/ESP)

Page 20

Combinations of SAs that must be supported (RFC 2401)

• Case 1: Host to host
– End-to-end service
• Case 2: Gateway to gateway
– Virtual private network
• Case 3: Host to gateway, gateway to gateway, gateway to host
– An end-to-end SA between the hosts carried inside the gateway-to-gateway tunnel
• Case 4: Host to gateway, gateway to host
– Dial-in (remote access) users

Page 21

Figure, Case 1: Host / Router / Local Intranet / The Internet / Local Intranet / Router / Host. Label: Transport or Tunnel. One SA, in transport or tunnel mode, end to end between the two hosts.

Page 22

Figure, Case 2: Host / Gateway / Local Intranet / The Internet / Local Intranet / Gateway / Host. Labels: Transport or Tunnel; Tunnel. The SA that defines this case is the tunnel-mode SA between the two gateways (the VPN).

Page 23

Figure, Case 3: Host / Gateway / Local Intranet / The Internet / Local Intranet / Gateway / Host. Label: Tunnel. The gateway-to-gateway tunnel of Case 2 with the end-to-end host-to-host SA of Case 1 carried inside it.

Page 24

Figure, Case 4: Host / Gateway / Local Intranet / The Internet / Host. Labels: Transport or Tunnel; Tunnel. The remote host tunnels to the gateway and may additionally have an end-to-end SA (transport or tunnel) with the host inside.

Page 25

Security Protocols (RFC 2402 / RFC 2406)

• Authentication Header (AH) (RFC 2402)
– Access control
– Connectionless integrity
– Data origin authentication
– Replay protection
• Encapsulating Security Payload (ESP) (RFC 2406)
– Access control
– Connectionless integrity
– Data origin authentication
– Replay protection
– Confidentiality
– Limited traffic flow confidentiality

Page 26

IPsec Roadmap

Figure: the IPsec document roadmap, relating ESP, AH, the Encryption Algorithm and Authentication Algorithm documents, the DOI*, Key Management and Policy.

*Domain of Interpretation

Page 27

Authentication Header (AH) (RFC 2402)

• The IP AH is used to provide
– Connectionless integrity
– Data origin authentication
– Protection against replays
• AH authenticates as much of the IP header as possible, but the fields that change in transit (TTL, header checksum, etc.) cannot be protected by AH
• Confidentiality (data privacy) is not provided by AH

Page 28

Authentication Header (AH)

next hdr: 1 octet (the encapsulated communication protocol)
payload length (AH header length): 1 octet
reserved: 2 octets
SPI (Security Parameters Index): 4 octets
sequence number: 4 octets
authentication data (ICV): variable

The Authentication Header authenticates data but encrypts nothing, so the protocol field and the payload stay readable and are available for firewall rule-based decisions. AH authenticates not only the IP payload but all "immutable" IP header fields, such as the source and destination addresses. A NAT box rewrites exactly those addresses, which makes AH in end-to-end associations incompatible with NAT.

Page 29

Authentication Header Structure

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Payload Len  |          RESERVED             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Security Parameters Index (SPI)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Sequence Number Field                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                Authentication Data (variable)                 |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Page 30

IP Packets With AH

Original IP packet:   | IP header | TCP | Data |
AH tunnel mode:       | new IP header | AH | original IP header | TCP | Data |
AH transport mode:    | IP header | AH | TCP | Data |

Page 31

AH Elements

• Authentication Data
– Variable-length field
– Contains the Integrity Check Value (ICV) for this packet
• Sequence Number
– Unsigned 32-bit field
– Monotonically increasing counter that must never cycle: the SA is replaced before it would wrap
– It is mandatory and is always present
– Processing of the Sequence Number field (anti-replay checking) is at the discretion of the receiver
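The sequence-number processing from this slide, on both sides, as an added example written for this page (not lecture code): the sender's counter refuses to cycle and demands a new SA instead, and the receiver's anti-replay window (the sliding bitmap scheme of RFC 2402 section 3.4.3, with the 64-entry default) rejects duplicates and packets that have fallen off the left edge. The window is updated only after the packet's ICV has verified, which the `accept` method models with an `icv_ok` flag; the sequence values in the test are made up.

```python
class SequenceCounter:
    """Sender side: the 32-bit counter stored in the SAD. It starts at 0, so the
    first packet carries 1, and it must never cycle: once 2^32 - 1 has been used
    the SA has to be replaced (rekeyed) rather than wrapping back to 0."""
    MAX = 2**32 - 1

    def __init__(self) -> None:
        self.value = 0

    def next(self) -> int:
        if self.value >= self.MAX:
            raise OverflowError("sequence number would cycle; establish a new SA")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Receiver side: a sliding window over the most recent `size` sequence numbers.
    `right` is the highest sequence number accepted so far; bit i of `bitmap` set
    means sequence number (right - i) has already been accepted."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.right = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Pre-ICV check: is `seq` new and inside the window? Changes no state."""
        if seq == 0:
            return False                      # 0 is never valid; the counter starts at 1
        if seq > self.right:
            return True                       # to the right of the window: new
        diff = self.right - seq
        if diff >= self.size:
            return False                      # too old: fell off the left edge
        return not (self.bitmap >> diff) & 1  # already seen means replay

    def update(self, seq: int) -> None:
        """Call only after the ICV verified; otherwise forged packets could slide
        the window forward and make legitimate in-flight packets 'too old'."""
        mask = (1 << self.size) - 1
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & mask   # slide, mark seq
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """The receive path in RFC order: window check, then ICV, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True
```

With a 64-entry window and `right` at 100, sequence numbers 37 through 100 are inside the window; 36 is rejected as too old even though it was never seen, which is the price of keeping the window bounded.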

Page 32

Other AH Elements

• Payload Length: length of AH in 32-bit words, minus 2
• Reserved: 16-bit field. MUST be set to zero
• Security Parameters Index (SPI): 32-bit value that, in combination with the destination IP address and security protocol, uniquely identifies the Security Association for this datagram
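An added example, written for this page and not taken from the lecture, of what the AH ICV actually covers in transport mode and why that breaks NAT: the IPv4 header with its mutable fields (TOS, Flags, Fragment Offset, TTL, Header Checksum) zeroed, the AH header with its ICV field zeroed, and the payload, per RFC 2402 section 3.3.3.1. The ICV algorithm is an assumption, HMAC-SHA-256 truncated to 128 bits (RFC 4868), which the lecture does not specify; the addresses, key, SPI and payload are constructed. A router decrementing the TTL leaves the ICV valid; a NAT rewriting the source address does not.

```python
import hashlib
import hmac
import struct

AH = 51                              # IP protocol number for AH
ICV_LEN = 16                         # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits
AH_FIXED = struct.Struct("!BBHII")   # Next Header, Payload Len, Reserved, SPI, Sequence Number
IPV4 = struct.Struct("!BBHHHBBH4s4s")


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a correct checksum."""
    hdr = IPV4.pack(0x45, 0, total_len, 0, 0x4000, ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv_input(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """Bytes the ICV is computed over: IP header with mutable fields zeroed, AH
    header with a zeroed ICV field, then the payload. Source and destination
    addresses are left in place: they are immutable and therefore protected."""
    h = bytearray(ip_hdr)
    h[1] = 0                         # Type of Service
    h[6:8] = b"\x00\x00"             # Flags + Fragment Offset
    h[8] = 0                         # TTL
    h[10:12] = b"\x00\x00"           # Header Checksum
    return bytes(h) + ah_fixed + bytes(ICV_LEN) + payload


def ah_protect(src, dst, next_header, payload, spi, seq, key) -> bytes:
    """Build a transport-mode AH packet: | IP header | AH | payload |."""
    ah_len = AH_FIXED.size + ICV_LEN                       # 12 + 16 = 28 bytes
    ip_hdr = ipv4_header(src, dst, AH, IPV4.size + ah_len + len(payload))
    ah_fixed = AH_FIXED.pack(next_header, ah_len // 4 - 2, 0, spi, seq)   # Payload Len = words - 2
    icv = hmac.new(key, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(packet: bytes, key: bytes) -> bool:
    """Receiver: recompute the ICV over the same zeroed view and compare in constant time."""
    ip_hdr, rest = packet[:IPV4.size], packet[IPV4.size:]
    if len(ip_hdr) < IPV4.size or ip_hdr[0] != 0x45 or ip_hdr[9] != AH or len(rest) < AH_FIXED.size:
        return False
    ah_len = (rest[1] + 2) * 4
    if ah_len != AH_FIXED.size + ICV_LEN or len(rest) < ah_len:
        return False
    ah_fixed, icv, payload = rest[:AH_FIXED.size], rest[AH_FIXED.size:ah_len], rest[ah_len:]
    expected = hmac.new(key, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def _rewrite_header(packet: bytes, edit) -> bytes:
    h = bytearray(packet[:IPV4.size])
    edit(h)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))   # intermediaries fix the checksum
    return bytes(h) + packet[IPV4.size:]


def router_hop(packet: bytes) -> bytes:
    """What every router does: decrement TTL (a mutable field)."""
    return _rewrite_header(packet, lambda h: h.__setitem__(8, h[8] - 1))


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT box does: replace the source address (an immutable field)."""
    return _rewrite_header(packet, lambda h: h.__setitem__(slice(12, 16), _addr(new_src)))
```

The same zeroing rule is why the slide says AH covers "as much of the IP header as possible" rather than all of it: anything an intermediary may legitimately change has to be excluded, and anything it may not change is bound by the ICV.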

Page 33

ESP (Encapsulating Security Payload)

• ESP allows for encryption, as well as authentication
– Both are optional (though not both absent), selected by the SA and the policy
• ESP does not protect the IP header, only the payload
– But in tunnel mode everything, including the original IP header, is encapsulated as payload
• If ESP encryption is enabled, then everything after the ESP header is encrypted
– Including the communication protocol and ports, which NATs and firewalls need to see

Page 34

Encapsulating Security Payload (ESP)

• Services provided include:
– Confidentiality
– Data origin authentication
– Connectionless integrity
– Anti-replay service
– Limited traffic flow confidentiality
• Security services can be provided between
– A pair of communicating hosts
– A pair of security gateways
– A security gateway and a host

Page 35

ESP encapsulation

SPI (Security Parameters Index): 4 octets
sequence number: 4 octets
IV (initialization vector): variable, as the cipher requires
data: variable
padding: variable (0 to 255 octets)
padding length: 1 octet (unit: octets)
next header / protocol type: 1 octet
authentication data (ICV): variable

Page 36

ESP Header Elements

• Security Parameters Index (SPI)
• Sequence Number
• Payload Data
• Padding
– Sometimes needed for encryption (a block cipher needs the plaintext to be a whole number of blocks)
– Always needed to right-align Pad Length and Next Header on a 4-byte boundary
– Sometimes used to mask traffic flow (hide the true payload length)
• Pad Length
• Next Header
• Authentication Data

Page 37: 1 Lecture 13 IPsec Internet Protocol Security CIS 4362 - CIS 5357 Network Security.

37

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----| Security Parameters Index (SPI) | ^Auth.+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Coverage| Sequence Number | |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----| Payload Data* (variable) | | ^~ ~ | | | | | Conf.+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Coverage*| | Padding (0-255 bytes) | | |+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| | || | Pad Length | Next Header | v v+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------| Authentication Data (variable) |~ ~| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ESP Header (RFC 2406)

Page 38

Encapsulating Security Payload (ESP)

• The ESP header is inserted:
– After the IP header
– Before the upper layer protocol header (transport mode)
– Before an encapsulated IP header (tunnel mode)
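The ESP layout from the figure and the placement rules above, built and taken apart in an added example written for this page (not lecture code). To stay runnable with the standard library only it uses the NULL encryption algorithm of RFC 2410, so the confidentiality-covered region (payload, padding, pad length, next header) is transmitted as is; a real cipher would encrypt exactly those bytes and nothing else. The ICV algorithm is an assumption, HMAC-SHA-256-128 (RFC 4868), computed over the ESP header plus that region and never over the outer IP header. The same code serves transport mode (Next Header 6 for TCP) and tunnel mode (Next Header 4, a whole inner IP packet as payload); it also shows the block-alignment padding a 16-byte block cipher would need and the extra padding used for traffic flow confidentiality. All keys, SPIs and payloads are constructed.

```python
import hashlib
import hmac
import math
import struct

ESP_HDR = struct.Struct("!II")    # SPI, Sequence Number
ICV_LEN = 16                      # HMAC-SHA-256-128 (assumed algorithm)
TRAILER_ALIGN = 4                 # Pad Length and Next Header must end on a 4-byte boundary
IP_IN_IP, TCP = 4, 6              # Next Header values: tunnel mode carries a whole IP packet (4)


def esp_padding_length(payload_len: int, block_size: int = 1, tfc_pad: int = 0) -> int:
    """Padding so that payload + padding + 2-byte trailer is a multiple of both the
    cipher block size (1 for ENCR_NULL) and 4, plus optional extra padding that
    hides the true payload length (traffic flow confidentiality)."""
    align = block_size * TRAILER_ALIGN // math.gcd(block_size, TRAILER_ALIGN)   # lcm
    pad = tfc_pad + (-(payload_len + tfc_pad + 2)) % align
    if pad > 255:
        raise ValueError("ESP padding is limited to 255 bytes")
    return pad


def esp_encapsulate(spi, seq, payload, next_header, auth_key, block_size=1, tfc_pad=0) -> bytes:
    """| SPI | Seq | payload | padding | Pad Length | Next Header | ICV |"""
    pad_len = esp_padding_length(len(payload), block_size, tfc_pad)
    padding = bytes(range(1, pad_len + 1))                # RFC 2406 default pad bytes 1, 2, 3, ...
    conf_region = payload + padding + bytes([pad_len, next_header])   # what a cipher would encrypt
    auth_region = ESP_HDR.pack(spi, seq) + conf_region    # what the ICV covers
    icv = hmac.new(auth_key, auth_region, hashlib.sha256).digest()[:ICV_LEN]
    return auth_region + icv


def esp_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV first, then parse the trailer from the end backwards.
    Returns (spi, seq, next_header, payload); raises ValueError on any failure."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    auth_region, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, auth_region, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")              # drop before touching the trailer
    spi, seq = ESP_HDR.unpack_from(auth_region)
    conf_region = auth_region[ESP_HDR.size:]              # a real cipher would decrypt this here
    pad_len, next_header = conf_region[-2], conf_region[-1]
    if pad_len > len(conf_region) - 2:
        raise ValueError("bad pad length")
    payload_end = len(conf_region) - 2 - pad_len
    if conf_region[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, conf_region[:payload_end]


def esp_is_valid(packet: bytes, auth_key: bytes) -> bool:
    try:
        esp_decapsulate(packet, auth_key)
        return True
    except ValueError:
        return False
```

Checking the ICV before reading the trailer matters: the Pad Length and Next Header bytes sit inside the confidentiality-covered region, so a receiver that parsed them before authenticating would act on attacker-controlled values.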

Page 39

                        Transport Mode SA                               Tunnel Mode SA
AH                      Authenticates IP payload and selected           Authenticates entire inner IP packet (header and
                        portions of the IP header                       payload), plus selected portions of the outer IP header
ESP                     Encrypts IP payload                             Encrypts inner IP packet
ESP with                Encrypts IP payload and authenticates           Encrypts inner IP packet, and authenticates
authentication          IP payload, but not the IP header               inner IP packet