
Computer Science, Fall 2005. CPSC499 Information Security Management: IPSec

Jan 02, 2016


Dora Alexander

Outline

• Internet Protocol
  – Datagram format
  – IPv4 addressing
  – NAT
  – IPv6
• IPSec
  – Security Association (SA)
  – IPSec Base Protocol (AH, ESP)
  – Encapsulation Mode (transport, tunnel)
  – Key Management

The Internet Network layer

Host, router network layer functions:

• Routing protocols
  – path selection
  – RIP, OSPF, BGP
• IP protocol
  – addressing conventions
  – datagram format
  – packet handling conventions
• ICMP protocol
  – error reporting
  – router “signaling”

[Figure: the network layer (routing protocols, forwarding table, IP protocol, ICMP protocol) between the transport layer (TCP, UDP) above and the link layer and physical layer below.]

IP datagram format

[Figure: IPv4 datagram header, 32 bits wide, with field annotations.]

• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: “type” of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?

• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead

IP Fragmentation & Reassembly

• network links have MTU (max. transfer size): largest possible link-level frame
  – different link types, different MTUs
• large IP datagram divided (“fragmented”) within net
  – one datagram becomes several datagrams
  – “reassembled” only at final destination
  – IP header bits used to identify, order related fragments

[Figure: fragmentation (in: one large datagram, out: 3 smaller datagrams), followed by reassembly.]

IP Fragmentation and Reassembly

Example
• 4000 byte datagram
• MTU = 1500 bytes

One large datagram becomes several smaller datagrams:

Original datagram: length=4000, ID=x, fragflag=0, offset=0
Fragment 1: length=1500, ID=x, fragflag=1, offset=0
Fragment 2: length=1500, ID=x, fragflag=1, offset=185
Fragment 3: length=1040, ID=x, fragflag=0, offset=370

1480 bytes in data field; offset = 1480/8
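The 4000-byte example above, worked through in code. This is an added example, not part of the original slides: it builds real IPv4 headers, fragments for a given MTU, and reassembles while rejecting gaps and overlaps. The addresses and the ID value are constructed sample values.

```python
import struct

IP_HDR_LEN = 20        # IPv4 header without options
MF = 0x2000            # "more fragments" bit (the slide's fragflag)
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes
HDR_FMT = "!BBHHHBBH4s4s"

def internet_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_datagram(ident, flags_offset, payload,
                   src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build an IPv4 datagram (TTL 64, protocol 6); addresses are sample values."""
    fields = [0x45, 0, IP_HDR_LEN + len(payload), ident, flags_offset,
              64, 6, 0, src, dst]
    fields[7] = internet_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields) + payload

def parse(datagram):
    """Extract the fields the slide tracks: length, ID, fragflag, offset."""
    f = struct.unpack(HDR_FMT, datagram[:IP_HDR_LEN])
    return {"length": f[2], "id": f[3], "fragflag": int(bool(f[4] & MF)),
            "offset": f[4] & OFFSET_MASK, "src": f[8], "dst": f[9],
            "payload": datagram[IP_HDR_LEN:f[2]]}

def fragment(datagram, mtu):
    """Split a datagram so every piece fits in one link-level frame."""
    d = parse(datagram)
    if d["length"] <= mtu:
        return [datagram]
    step = (mtu - IP_HDR_LEN) // 8 * 8   # data per fragment, multiple of 8
    data, out = d["payload"], []
    for start in range(0, len(data), step):
        last = start + step >= len(data)
        more = d["fragflag"] if last else 1   # last piece inherits the original flag
        flags_offset = (MF if more else 0) | (d["offset"] + start // 8)
        out.append(build_datagram(d["id"], flags_offset,
                                  data[start:start + step], d["src"], d["dst"]))
    return out

def reassemble(fragments):
    """Rebuild the payload at the destination; refuse gaps, overlaps, mixed IDs."""
    parts = sorted((parse(f) for f in fragments), key=lambda p: p["offset"])
    if len({p["id"] for p in parts}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data = b""
    for p in parts:
        if p["offset"] * 8 != len(data):
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        data += p["payload"]
    if parts[-1]["fragflag"]:
        raise ValueError("final fragment missing")
    return data

def summarize(datagrams):
    """(length, fragflag, offset) per datagram, as listed on the slide."""
    return [(p["length"], p["fragflag"], p["offset"])
            for p in map(parse, datagrams)]
```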


IP Addressing: introduction

• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  – routers typically have multiple interfaces
  – host may have multiple interfaces
  – IP addresses associated with each interface

[Figure: a router joining three networks; interface addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.1, 223.1.2.2, 223.1.2.9, 223.1.3.1, 223.1.3.2, 223.1.3.27.]

223.1.1.1 = 11011111 00000001 00000001 00000001
(223 = 11011111, 1 = 00000001, 1 = 00000001, 1 = 00000001)

Subnets

• IP address:
  – subnet part (high order bits)
  – host part (low order bits)
• What’s a subnet?
  – device interfaces with same subnet part of IP address
  – can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs); interface addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.1, 223.1.2.2, 223.1.2.9, 223.1.3.1, 223.1.3.2, 223.1.3.27.]

Subnets

Recipe
• To determine the subnets, detach each interface from its host or router, creating islands of isolated networks. Each isolated network is called a subnet.

[Figure: the three subnets 223.1.1.0/24, 223.1.2.0/24 and 223.1.3.0/24.]

Subnet mask: /24

IP addressing: CIDR

CIDR: Classless InterDomain Routing
– subnet portion of address of arbitrary length
– address format: a.b.c.d/x, where x is # bits in subnet portion of address

200.23.16.0/23 = 11001000 00010111 00010000 00000000
(subnet part: the first 23 bits; host part: the remaining 9 bits)

IP addresses: how to get one?

Q: How does host get IP address?
• hard-coded by system admin in a file
  – Wintel: control-panel->network->configuration->tcp/ip->properties
  – UNIX: /etc/rc.config
• DHCP: Dynamic Host Configuration Protocol: dynamically get address from a server
  – “plug-and-play” (more in next chapter)

IP addresses: how to get one?

Q: How does network get subnet part of IP addr?

A: gets allocated portion of its provider ISP’s address space

ISP's block      11001000 00010111 00010000 00000000   200.23.16.0/20

Organization 0   11001000 00010111 00010000 00000000   200.23.16.0/23
Organization 1   11001000 00010111 00010010 00000000   200.23.18.0/23
Organization 2   11001000 00010111 00010100 00000000   200.23.20.0/23
...              ...                                   ...
Organization 7   11001000 00010111 00011110 00000000   200.23.30.0/23


NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router (10.0.0.4 on the LAN side, 138.76.29.7 on the WAN side) connecting it to the rest of the Internet.]

• Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

• Motivation: local network uses just one IP address as far as outside world is concerned:
  – no need to be allocated range of addresses from ISP: just one IP address is used for all devices
  – can change addresses of devices in local network without notifying outside world
  – can change ISP without changing addresses of devices in local network
  – devices inside local net not explicitly addressable, visible by outside world (a security plus).

NAT: Network Address Translation

Implementation: NAT router must:

– outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)
  . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
– remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
– incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table

NAT: Network Address Translation

[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind a NAT router (10.0.0.4 on the LAN side, 138.76.29.7 on the WAN side).]

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives dest. address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT: Network Address Translation

• 16-bit port-number field:
  – 60,000 simultaneous connections with a single LAN-side address!
• NAT is controversial:
  – routers should only process up to layer 3
  – violates end-to-end argument
    • NAT possibility must be taken into account by app designers, eg, P2P applications
  – address shortage should instead be solved by IPv6


IPv6 Header

• Initial motivation:
  – 32-bit address space soon to be completely allocated.
  – Expands addresses to 128 bits
    • 430,000,000,000,000,000,000 for every square inch of earth’s surface!
    • Solves IPv4 problem of insufficient address space
• Additional motivation:
  – header format helps speed processing/forwarding
  – header changes to facilitate QoS
• IPv6 datagram format:
  – fixed-length 40 byte header
  – no fragmentation allowed

IPv6 Header (Cont)

Priority: identify priority among datagrams in flow
Flow Label: identify datagrams in same “flow” (concept of “flow” not well defined).
Next header: identify upper layer protocol for data

Other Changes from IPv4

• Checksum: removed entirely to reduce processing time at each hop
• Options: allowed, but outside of header, indicated by “Next Header” field
• ICMPv6: new version of ICMP
  – additional message types, e.g. “Packet Too Big”
  – multicast group management functions

IPv6 Security – IPsec mandated

• IPsec is mandated in IPv6
  – This means that all implementations (i.e. hosts, routers, etc) must have IPsec capability to be considered as IPv6-conformant
• When (If?) IPv6 is in widespread use, this means that IPsec will be installed everywhere
  – At the moment, IPsec is more common in network devices (routers, etc) than user hosts, but this would change with IPsec
• All hosts having IPsec => real end-to-end security possible


IPv6 Security

• Enough IP addrs for every imaginable device

+ Real end-to-end security

= Ability to securely communicate from anything to anything

IPv6 Security – harder to scan networks

• With IPv4, it is easy to scan a network
  – With tools like nmap, can scan a typical subnet in a few minutes
  – Returning list of active hosts and open ports
  – Many worms also operate by scanning
    • e.g. Blaster, Slammer
  – Attackers (& worms) scan for proxies, weak services and back doors

see: http://www.insecure.org/nmap/

IPv6 Security – harder to scan networks

• With IPv6, sparse address allocation makes such brute force scanning impractical
  – It is 4 billion times harder to scan 1 IPv6 subnet than all of IPv4
• No more Blaster, Slammer, …
• Use of “dense” address allocations makes it easier though

Transition From IPv4 To IPv6

Transition from IPv4 to IPv6 will take time:
• Due to need to support legacy systems and applications, not all systems can be upgraded simultaneously
• Instead, organisations deploy IPv6 piecewise with pilot/experimental implementations first
• Thus need for IPv4-IPv6 coexistence
  – Have dual-stack systems (supporting both v4 and v6)
  – Tunnelling used to deliver IPv6 packets over IPv4 networks
    • Tunneling: IPv6 carried as payload in IPv4 datagram among IPv4 routers, known as “6to4”

Tunneling

Logical view: A, B, E and F are IPv6 routers; B and E are joined by a tunnel.
Physical view: A and B (IPv6), then C and D (IPv4), then E and F (IPv6).

• A-to-B: IPv6 (Flow: X, Src: A, Dest: F, data)
• B-to-C: IPv6 inside IPv4 (outer Src: B, Dest: E; inner Flow: X, Src: A, Dest: F, data)
• D-to-E: IPv6 inside IPv4 (outer Src: B, Dest: E; inner Flow: X, Src: A, Dest: F, data)
• E-to-F: IPv6 (Flow: X, Src: A, Dest: F, data)


IP Security (IPsec)

• Suite of protocols from Internet Engineering Task Force (IETF) providing encryption and authentication at the IP layer
  – Arose from needs identified in RFC 1636
  – Specifications in:
    • RFC 2401: Security architecture
    • RFC 2402: Authentication
    • RFC 2406: Encryption
    • RFC 2408: Key management
• Objective is to encrypt and/or authenticate all traffic at the IP level.

IP Security Issues

• Eavesdropping
• Modification of packets in transit
• Identity spoofing (forged source IP addresses)
• Denial of service

• Many solutions are application-specific
  – TLS for Web, S/MIME for email, SSH for remote login
• IPSec aims to provide a framework of open standards for secure communications over IP
  – Protect every protocol running on top of IPv4 and IPv6


Typical Usage

IPSec Services

• Data origin authentication
• Confidentiality
• Connectionless and partial sequence integrity
  – Connectionless = integrity for a single IP packet
  – Partial sequence integrity = prevent packet replay
• Limited traffic flow confidentiality
  – Eavesdropper cannot determine who is talking
• These services are transparent to applications above transport (TCP/UDP) layer

Major IPSec Components

• Security Association (SA) Database
  – Each SA refers to all the security parameters of one communication direction
  – For two-way communications, at least two SAs are needed.
• Two Protocols
  – AH – Authentication Header
  – ESP – Encapsulating Security Payload
    1. Encryption only
    2. Encryption with authentication
• Two Encapsulation modes
  1. Transport mode
  2. Tunnel mode


Security Association (SA)

• In order to communicate, each pair of hosts must set up SA with each other
• Acts as virtual connection for which various parameters are set:
  – Type of protection
  – Algorithms
  – Keys
  – …
• Simplex: a one way relationship between a sender and a receiver.
• For either AH or ESP, but not both

Security Association (SA)

• Each SA uniquely identified by:
  – Security Parameters Index (SPI)
    • 32-bit string assigned to this SA (local meaning only)
  – IP destination address of packets
    • May be end user system, or firewall or router
  – Security Protocol Identifier (e.g. AH, ESP)
• For each IP packet, governing SA is identified by:
  – Destination IP address in packet header
  – SPI in extension header (AH or ESP)

Security Association (SA)

• It contains all the security parameters needed for one way communication
  – Sequence number counter
  – Anti-replay window
  – Protocol (e.g. AH / ESP)
  – Transform mode (e.g. transport / tunnel mode / wildcard)
  – Protocol parameters (e.g. AES, 128-bit, CBC mode, SHA-1)
  – Lifetime of the SA
  – etc.


Two IPSec Base Protocols

• Authentication Header (AH)
  – Provides message authentication and integrity check of IP data payload, but not confidentiality.
  – Also provides authentication for as much of the IP header as possible.
  – Next header: TCP, UDP, etc.
  – Sequence Number: Starts at 1, never recycle (optional)

Two IPSec Base Protocols

• Encapsulating Security Payload (ESP)
  – Provides confidentiality and authentication. Either is optional.
  – When not used, the NULL algorithm defined in RFC-2410 is used.
  – The authentication trailer must be omitted if not used.
  – Either encryption or authentication (or both) must be enabled (NULL-NULL is an invalid option)


Two Encapsulation Modes

• IPsec defines two encapsulation modes for an IP packet
  – Transport
  – Tunnel

Original IP packet:               [IP header][TCP header][data]
Transport mode protected packet:  [IP header][IPsec header][TCP header][data]
Tunnel mode protected packet:     [IP header][IPsec header][IP header][TCP header][data]

Transport mode

• Intercept Network layer packets. Encrypt / Authenticate these packets preserving most of the original IP header
• End-to-end security between two hosts
  – Typically, client to gateway (e.g., PC to remote host)
• Requires IPSec support at each host

Original IP packet:               [IP header][TCP header][data]
Transport mode protected packet:  [IP header][IPsec header][TCP header][data]

[Figure: hosts A and B communicating across the network.]

Tunnel Mode

• Gateway-to-gateway security
  – Internal traffic behind gateways not protected
  – Typical application: virtual private network (VPN)
• Only requires IPSec support at gateways

Tunnel Mode Illustration

[Figure: two gateways, each of which implements IPSec, joined across the insecure part of the network.]

IPSec protects communication on the insecure part of the network

Tunnel mode

• Intercept Network layer packets. Encrypt / Authenticate these packets, while encapsulating the original IP packet entirely

Original IP packet:            [IP header][TCP header][data]
Tunnel mode protected packet:  [IP header][IPsec header][IP header][TCP header][data]

• Versatile and has many deployment modes
  – Host-to-host
  – Host-to-router (i.e. remote access)
  – Router-to-router (a.k.a. Gateway-to-gateway)

Tunnel mode (Router-to-router / Gateway-to-gateway)

[Figure: Host A (1.1.1.1) behind router RA (1.1.1.2 and 2.2.2.1), a secure tunnel across the network to router RB (2.3.2.2 and 3.3.3.1), and Host B (3.3.3.2) behind RB; the packet flow runs from Host A to Host B.]

Nested packet format:
[IP header: Src = 2.2.2.1, Dst = 2.3.2.2][IPsec header][IP header: Src = 1.1.1.1, Dst = 3.3.3.2][TCP header][data]

Tunnel mode (Host-to-Router / Remote Access)

[Figure: Host A, a secure tunnel across the Internet / Intranet to SGW, and Host B behind SGW.]

Transport Mode vs. Tunnel Mode

• Transport mode secures packet payload and leaves IP header unchanged
  [IP header (real dest)][IPSec header][TCP/UDP header + data]
• Tunnel mode encapsulates both IP header and payload into IPSec packets
  [IP header (gateway)][IPSec header][IP header (real dest)][TCP/UDP header + data]

Encapsulation Modes

AH
  Transport Mode: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
  Tunnel Mode: Authenticates entire inner IP packet plus selected portions of outer IP header

ESP
  Transport Mode: Encrypts IP payload and any IPv6 extension header
  Tunnel Mode: Encrypts inner IP packet

ESP with authentication
  Transport Mode: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
  Tunnel Mode: Encrypts inner IP packet. Authenticates inner IP packet but no outer IP header

Authentication Header (AH)

• Adds extra field to traditional IP packet
• This is used to verify authenticity & integrity of the packet

[Figure: packet layout before applying AH, in transport mode and in tunnel mode.]

• Transport Mode: data is authenticated, as well as parts of IP header
  – Authenticated (Data + parts of IP header)
• Tunnel Mode: entire original packet is authenticated + parts of new header
  – Authenticated (Data + orig IP header + parts of new header)

Authentication Header (AH)

• Protection against replay attack with use of sequence number
• Why have an Authentication-only protocol (AH)?
  – May be used where export/import/use of encryption is restricted
  – Faster implementation
  – Receiver can choose whether to expend the effort to verify authenticity/integrity

AH: Authentication Header

• Provides integrity and origin authentication
• Authenticates portions of the IP header
• Anti-replay service (to counter denial of service)
• No confidentiality

AH fields:
• Next header (TCP), Payload length, Reserved
• Security parameters index (SPI): identifies security association (shared keys and algorithms)
• Sequence number: anti-replay
• ICV: Integrity Check Value (HMAC of IP header, AH, TCP payload): authenticates source, verifies integrity of payload
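The ICV computation for an IPv4 transport-mode AH packet, as an added example that is not part of the original slides. It shows why AH covers only "portions" of the IP header: fields that routers change in transit (TOS, flags and fragment offset, TTL, header checksum) are zeroed before the HMAC is taken. HMAC-SHA1 truncated to 96 bits is an assumption the slide does not name, and the key, SPI and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number of AH
IP_HDR_LEN = 20      # IPv4 header without options
AH_FIXED_LEN = 12    # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12         # HMAC-SHA1 truncated to 96 bits (assumed algorithm)
ICV_START = IP_HDR_LEN + AH_FIXED_LEN

def ip_header(src, dst, proto, payload_len, ttl=64):
    """Sample IPv4 header; the checksum is left 0 because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                       1, 0, ttl, proto, 0, src, dst)

def icv_input(packet):
    """Bytes covered by the ICV: mutable IP fields and the ICV itself zeroed."""
    hdr = bytearray(packet[:IP_HDR_LEN])
    hdr[1] = 0                    # type of service
    hdr[6:8] = b"\x00\x00"        # flags and fragment offset
    hdr[8] = 0                    # time to live
    hdr[10:12] = b"\x00\x00"      # header checksum
    ah = packet[IP_HDR_LEN:ICV_START] + bytes(ICV_LEN)
    return bytes(hdr) + ah + packet[ICV_START + ICV_LEN:]

def compute_icv(key, packet):
    return hmac.new(key, icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, next_proto, spi, seq, payload):
    """Insert an AH between the IP header and the upper-layer payload."""
    ah_words = (AH_FIXED_LEN + ICV_LEN) // 4
    ah = struct.pack("!BBHII", next_proto, ah_words - 2, 0, spi, seq)
    ah += bytes(ICV_LEN)
    packet = ip_header(src, dst, AH_PROTO, len(ah) + len(payload)) + ah + payload
    icv = compute_icv(key, packet)
    return packet[:ICV_START] + icv + packet[ICV_START + ICV_LEN:]

def ah_verify(key, packet):
    """Recompute the ICV and compare in constant time."""
    received = packet[ICV_START:ICV_START + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, packet))

def demo():
    """Return verification results for an intact and three altered packets."""
    key = b"constructed-sample-key"
    pkt = ah_protect(key, bytes([1, 1, 1, 1]), bytes([3, 3, 3, 2]),
                     6, 0x1000, 1, b"constructed TCP segment")
    ttl_changed = bytearray(pkt); ttl_changed[8] -= 1        # router decrements TTL
    src_changed = bytearray(pkt); src_changed[12] ^= 0x01    # forged source address
    data_changed = bytearray(pkt); data_changed[-1] ^= 0x01  # modified payload
    return {"intact": ah_verify(key, pkt),
            "ttl_changed": ah_verify(key, bytes(ttl_changed)),
            "src_changed": ah_verify(key, bytes(src_changed)),
            "data_changed": ah_verify(key, bytes(data_changed))}
```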

Prevention of Replay Attacks

• When SA is established, sender initializes 32-bit counter to 0, increments by 1 for each packet
  – If wraps around $2^{32}-1$, new SA must be established
• Recipient maintains a sliding 64-bit window
  – If a packet with high sequence number is received, do not advance window until packet is authenticated
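A receiver-side sketch that ties the SA lookup from the Security Association slides (SPI, destination address, protocol) to the 64-bit sliding window described above. This is an added example, not part of the original slides; the class and function names are hypothetical, the `icv_ok` flag stands in for real ICV verification, and the SPI and address in the test data are constructed values.

```python
WINDOW = 64
MAX_SEQ = 2**32 - 1

class SecurityAssociation:
    """One-way SA state; each end keeps its own copy."""

    def __init__(self, spi, dst, proto):
        self.spi, self.dst, self.proto = spi, dst, proto
        self.send_counter = 0   # sender side: initialised to 0
        self.highest = 0        # receiver side: highest authenticated sequence number
        self.bitmap = 0         # bit i set => (highest - i) already accepted

    def next_seq(self):
        """Sender: increment per packet; never let the counter wrap."""
        if self.send_counter == MAX_SEQ:
            raise OverflowError("sequence space exhausted: establish a new SA")
        self.send_counter += 1
        return self.send_counter

    def is_fresh(self, seq):
        """Receiver: cheap check made before the ICV is verified."""
        if seq == 0:
            return False                     # first packet sent carries 1
        if seq > self.highest:
            return True                      # right of the window
        diff = self.highest - seq
        if diff >= WINDOW:
            return False                     # left of the window: too old
        return not (self.bitmap >> diff) & 1  # inside: reject if already seen

    def mark_seen(self, seq):
        """Receiver: call only after the packet has been authenticated."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(sad, dst, proto, spi, seq, icv_ok):
    """Process one inbound packet against the SA database `sad`."""
    sa = sad.get((spi, dst, proto))
    if sa is None:
        return "no-sa"
    if not sa.is_fresh(seq):
        return "replay"
    if not icv_ok:
        return "bad-icv"      # window is NOT advanced by an unauthenticated packet
    sa.mark_seen(seq)
    return "ok"
```

Because `mark_seen` runs only after authentication, a forged packet with a very high sequence number cannot slide the window forward and cause legitimate traffic to be discarded.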

Encapsulating Security Payload (ESP)

[Figure: original IP packet and its ESP-protected form in each mode, with the encrypted and (optionally) authenticated regions marked.]

• Transport Mode: only data is encrypted & authenticated
• Tunnel Mode: entire packet encrypted & authenticated

ESP Packet

[Figure: ESP packet layout; the field annotations are listed below.]

• Identifies security association (shared keys and algorithms)
• Anti-replay
• TCP segment (transport mode) or entire IP packet (tunnel mode)
• Pad to block size for cipher, also hide actual payload length
• Type of payload
• HMAC-based Integrity Check Value (similar to AH)


Encapsulating Security Payload (ESP)

• Content of IP packet is encrypted and encapsulated between header and trailer fields.

• Authentication data optionally added

Authentication + Confidentiality (ESP)

• Confidentiality and integrity for packet payload
  – Symmetric cipher negotiated as part of security assoc
• Provides authentication (similar to AH)
• Can work in transport…
  [Original IP header][ESP header][TCP/UDP segment][ESP trailer][ESP auth]
• …or tunnel mode
  [New IP header][ESP header][Original IP header][TCP/UDP segment][ESP trailer][ESP auth]

[Figure: both layouts with the encrypted and authenticated regions marked.]

Combining Security Associations

• SAs can implement either AH or ESP
• to implement both need to combine SAs
  – form a security bundle
• have 4 cases (see next)

Selection of Protocol Modes (Host-to-Host)

• Transport Mode
• Tunnel Mode

Selection of Protocol Modes (Router-to-Router)

• Tunnel Mode

Selection of Protocol Modes (Pass-through IPSec)

• Tunnel mode for gateway-to-gateway
• Transport mode / tunnel mode for host-to-host

Selection of Protocol Modes (Remote access)

• Tunnel mode for host-to-gateway
• Transport mode / tunnel mode for gateway-to-host


Key Management in IPsec

• Generation and distribution of secret keys
• Manual
  – Sysadmin configures keys (doesn’t scale well)
• automated key management
  – automated system for on demand creation of keys for SA’s in large systems
  – has Oakley & ISAKMP elements

Oakley

• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
  – cookies, groups (global params), nonces, DH key exchange with authentication

Diffie-Hellman Setup

• all users agree on global parameters:
– large prime integer or polynomial q
– α, a primitive root mod q

• each user (e.g. A) generates their key
– chooses a secret key (number): $x_A < q$
– computes their public key: $y_A = \alpha^{x_A} \bmod q$

• each user makes public that key $y_A$

Diffie-Hellman Calculation

• shared session key for users A & B is $K_{AB}$:

$K_{AB} = \alpha^{x_A x_B} \bmod q$
$= y_A^{x_B} \bmod q$ (which B can compute)
$= y_B^{x_A} \bmod q$ (which A can compute)

• KAB is used as session key in private-key encryption scheme between Alice and Bob

• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys

• an attacker who knows q and the public key $y_A$ cannot calculate the private key $x_A$, nor the shared session key
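The setup and calculation from the two Diffie-Hellman slides, as an added example that is not part of the original lecture. The parameters q = 353 and α = 3, the secrets 97 and 233, all function names, and the range check on the peer's public value are assumptions made here; real groups use primes of 1024 bits or more.

```python
import secrets

# Toy global parameters, assumed for this example only.
Q = 353        # prime modulus q
ALPHA = 3      # primitive root mod q

def is_primitive_root(alpha, q, prime_factors):
    """alpha generates Z_q^* iff alpha^((q-1)/p) != 1 for each prime p | q-1."""
    return all(pow(alpha, (q - 1) // p, q) != 1 for p in prime_factors)

def public_key(x, q=Q, alpha=ALPHA):
    """y = alpha^x mod q: the value a user makes public."""
    if not 1 < x < q - 1:
        raise ValueError("secret key must satisfy 1 < x < q - 1")
    return pow(alpha, x, q)

def generate_keypair(q=Q, alpha=ALPHA):
    """Choose a random secret x < q and derive y from it."""
    while True:
        x = 2 + secrets.randbelow(q - 3)          # uniform in [2, q-2]
        y = pow(alpha, x, q)
        if 1 < y < q - 1:                         # skip a y that peers reject
            return x, y

def shared_key(own_x, peer_y, q=Q):
    """K_AB = peer_y^own_x mod q.

    The range check is an addition to the slides: a peer value of 0, 1
    or q-1 would pin K_AB to 0, 1 or q-1, which any eavesdropper can guess.
    """
    if not 1 < peer_y < q - 1:
        raise ValueError("peer public key outside [2, q-2]")
    return pow(peer_y, own_x, q)

def fixed_key_exchange(x_a=97, x_b=233):
    """Run the exchange with constructed sample secrets for A and B."""
    y_a, y_b = public_key(x_a), public_key(x_b)
    k_a = shared_key(x_a, y_b)                    # A computes y_B^x_A mod q
    k_b = shared_key(x_b, y_a)                    # B computes y_A^x_B mod q
    return y_a, y_b, k_a, k_b

if __name__ == "__main__":
    print("fixed keys:", fixed_key_exchange())    # same K_AB on every run
    (xa, ya), (xb, yb) = generate_keypair(), generate_keypair()
    print("fresh keys:", shared_key(xa, yb) == shared_key(xb, ya))
```

Calling `fixed_key_exchange()` repeatedly returns the same $K_{AB}$, which is the slide's point about reusing public keys; a fresh `generate_keypair()` per session gives a new one.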

ISAKMP

• Internet Security Association and Key Management Protocol (ISAKMP)

• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
• independent of key exchange protocol, encryption alg, & authentication method

ISAKMP

IPsec Benefits

• Provides a level of security for all applications.
– Allows deployment of new/emerging applications that may not have their own security.

• Transparent to transport layer
• Transparent to end-users
– No need for training, key issue, key revocation, etc.

• Can be provided to individual users where needed (e.g. off-site workers)

• Extensible to new, stronger, cryptographic methods as these become available

IPsec Drawbacks

• Processing performance overhead
– Protection is applied to all traffic, though only a small portion may be security-sensitive

• Blocks access to non-IPsec hosts
• Hosts must have security association
– Not great for short-lived connections

• Not practical for broadcast

Uses of IPsec

• Virtual Private Network (VPN) establishment
– For connecting remote offices and users using public Internet

• Low-cost remote access
– e.g. teleworker gains secure access to company network via local call to ISP

• Extranet connectivity
– Secure communication with partners, suppliers, etc.

Note on VPN concept

• Private Network
– A set of computers connected together and protected from the Internet (usually with a firewall)

– Traditionally made up of LAN(s) within individual locations. If needed, wide area (e.g. inter-branch) connection is made by secure leased telecommunications lines.

Note on VPN concept

• Virtual Private Network (VPN)
– Uses public (insecure) Internet for parts of network connectivity

– Made possible by use of cryptography

– Can be enabled by IPsec or SSH tunnelling, among other methods

Virtual Private Networks

(a) A leased-line private network. (b) A virtual private network.

Virtual Private Networks (VPNs)

• A virtual private network (VPN) is the extension of a private network.

• A VPN enables you to send data between two computers across the Internet in a manner that emulates the properties of a point-to-point private link.

• To emulate a point-to-point link, data is encapsulated (or wrapped) with a header that provides routing information allowing it to traverse the Internet to reach its endpoint.

• To emulate a private link, the data being sent is encrypted for confidentiality.

Components of a VPN Connection

• VPN server: A computer that accepts VPN connections from VPN clients.

• VPN client: A computer that initiates a VPN connection to a VPN server.

• Tunnel: The portion of the connection in which your data is encapsulated (or wrapped) according to a tunneling protocol.

• VPN connection: The portion of the connection in which your data is encrypted.

VPN Connections

• Router-to-Router VPN connection

• Remote Access VPN connection

Standards

• RFC2401 IPSec

• RFC2402 AH

• RFC2403 HMAC MD5

• RFC2404 HMAC SHA-1

• RFC2405 DES CBC with IV

• RFC2406 IP ESP

• RFC2407 DOI for ISAKMP

• RFC2408 ISAKMP

• RFC2409 IKE

IPSec Document Overview
