Implementing and Testing IPsec: NIST’s Contributions and Future Developments

Sheila Frankel
Systems and Network Security Group
NIST
sheila.frankel@nist.gov

RSA 2000 - Jan. 20, 2000

An SAT-type Analogy: The Question

IPsec : Security

a) foundation : house

b) hammer : nail

c) electron : chemistry

d) government : progress

Topics

• Overview of IPsec

• NIST’s IPsec Reference Implementations

• NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT)

• Current Status of IPsec

• Future Directions of IPsec

At Which Network Layer Should Security Be Provided?

• Application Layer

• Transport (Sockets) Layer

• Internet Layer

Why Internet Layer Security?

• Implement once, in a consistent manner, for multiple applications

• Centrally-controlled access policy

• Enable multi-level, layered approach to security

Internet Packet Format

[IP Header] [Upper Protocol Headers and Packet Data]

Types of Security Provided by IPsec

• Data Origin Authentication

• Connectionless Integrity

• Replay Protection

• Confidentiality (Encryption)

• Traffic Flow Confidentiality

Authentication Header (AH)

• Data origin authentication

• Connectionless integrity

• Replay protection (optional)

• Transport or tunnel mode

• Mandatory algorithms:

– HMAC-MD5

– HMAC-SHA1

– Other algorithms optional
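The optional replay protection listed above is the same mechanism for AH and ESP: the sender increments a per-SA sequence number, and the receiver keeps a sliding window of recently accepted numbers and rejects anything already seen or too old. The Python below is an added example written for this page, not code from NIST's Cerberus; it models the bitmap window of RFC 2401 Appendix C, with the window size and the arrival order of sequence numbers constructed for the demonstration.

```python
# Receiver-side anti-replay window for one inbound IPsec SA, modelled on the
# bitmap scheme of RFC 2401 Appendix C. Added example: this is not NIST code.


class ReplayWindow:
    """Records which sequence numbers an SA has already accepted."""

    def __init__(self, size=32):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (last_seq - i) has been received

    def check_and_update(self, seq):
        """Return True and record seq if the packet may be accepted.

        Must be called only after the packet's ICV has verified, so that a
        forged packet can never advance the window or mark a slot as used.
        """
        if seq == 0:
            return False  # 0 is never a valid value once anti-replay is on
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell, so reject
        if (self.bitmap >> offset) & 1:
            return False  # slot already filled: replayed packet
        self.bitmap |= 1 << offset  # late but unseen: accept and record
        return True


def filter_sequence(seqs, size=32):
    """Run a list of received sequence numbers through one window and
    return the accept/reject decision for each."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: out-of-order delivery (3 after 5) is fine,
    # duplicates (5, 3) and a packet left of the window (68) are rejected.
    sample = [1, 5, 5, 3, 3, 100, 68, 69, 0]
    for s, ok in zip(sample, filter_sequence(sample)):
        print(f"seq {s:>3}: {'accept' if ok else 'reject'}")
```

The ordering matters in practice: the window is updated only after the integrity check succeeds, otherwise an attacker who cannot forge an ICV could still advance the window and cause legitimate late packets to be dropped.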

Internet Packet Format with AH

Transport Mode:

[IP Header] [AH Header] [Upper Protocol Headers and Packet Data]

Tunnel Mode:

[New IP Header] [AH Header] [Old IP Header] [Upper Protocol Headers and Packet Data]
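The transport-mode layout above can be made concrete. The following Python is an added example (not NIST's Cerberus code) that builds an AH packet around a constructed IPv4 header, computes the HMAC-SHA1-96 ICV over the immutable IP header fields, the AH itself with its ICV zeroed, and the payload, and then verifies it. The addresses, key and payload are constructed values; a real implementation would fetch the key from the SAD entry selected by the SPI rather than take it as a parameter.

```python
# Transport-mode AH (RFC 2402) with HMAC-SHA1-96 (RFC 2404) over a minimal
# IPv4 header. Added example for this page; not NIST Cerberus code.
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51                 # IP protocol number carried in the outer header
ICV_LEN = 12                  # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits
KEY = b"constructed-demo-key"  # constructed 20-byte key, not a real one


def _checksum(data):
    """RFC 791 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _zero_mutable(ip_hdr):
    """Zero the fields RFC 2402 classes as mutable in transit, so routers
    changing TTL or the checksum do not invalidate the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0            # Type of Service
    b[6:8] = b"\0\0"    # Flags and Fragment Offset
    b[8] = 0            # TTL
    b[10:12] = b"\0\0"  # Header Checksum
    return bytes(b)


def ah_protect(key, spi, seq, src, dst, inner_proto, payload):
    """Wrap payload (an upper-layer PDU of protocol inner_proto) in AH."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    authed = _zero_mutable(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    icv = hmac.new(key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, packet):
    """Return (inner_proto, spi, seq, payload) if the ICV checks, else None."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < 12:
        return None
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if len(icv) != ICV_LEN:
        return None
    authed = _zero_mutable(ip_hdr) + rest[:12] + b"\0" * ICV_LEN + payload
    expected = hmac.new(key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return next_hdr, spi, seq, payload


if __name__ == "__main__":
    pkt = ah_protect(KEY, 0x100, 1, "10.0.0.1", "10.0.0.2", 1, b"ping")
    print("original verifies:", ah_verify(KEY, pkt) is not None)
    hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]   # a router decremented TTL
    print("after TTL change: ", ah_verify(KEY, hop) is not None)
    bad = pkt[:-1] + bytes([pkt[-1] ^ 0x01])         # one payload bit flipped
    print("after tampering:  ", ah_verify(KEY, bad) is not None)
```

The point the demo makes is the distinguishing property of AH: the outer IP header is inside the integrity check, so a change to the source address is detected, while the fields routers legitimately rewrite are excluded so that normal forwarding does not break verification.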

Encapsulating Security Payload (ESP)

• Confidentiality

• Limited traffic flow confidentiality (tunnel mode only)

• Data origin authentication

• Connectionless integrity

• Replay protection (optional)

• Transport or tunnel mode

Encapsulating Security Payload (ESP) (continued)

• Mandatory algorithms:

– DES-CBC

– HMAC-MD5

– HMAC-SHA1

– Null Authentication algorithm

– Null Encryption algorithm

– Other algorithms optional
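ESP frames its payload differently from AH: an 8-byte header (SPI, sequence number) in front, a trailer (padding, pad length, next header) behind, and the ICV last, with the outer IP header outside the authenticated region. The following Python is an added example (not NIST Cerberus code) showing that framing with the mandatory Null encryption algorithm and HMAC-SHA1-96 authentication; the SPI, key and payload bytes are constructed for the demonstration.

```python
# ESP (RFC 2406) framing with the Null encryption algorithm (RFC 2410) and
# HMAC-SHA1-96 authentication. Added example for this page; not NIST code.
import hashlib
import hmac
import struct

ICV_LEN = 12
IPPROTO_ICMP = 1
IPPROTO_IPIP = 4   # Next Header value in tunnel mode: the payload is an IP packet
KEY = b"constructed-demo-key"  # constructed, not a real key


def _hmac96(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_null_protect(key, spi, seq, next_header, payload):
    """Return SPI | Seq | payload | padding | pad len | next hdr | ICV.

    With Null encryption the only padding requirement is that Pad Length and
    Next Header end on a 4-byte boundary; the default pad bytes are 1,2,3,...
    """
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + _hmac96(key, body)   # ICV covers everything except itself


def esp_null_unprotect(key, esp):
    """Verify the ICV, then strip the trailer. Returns (spi, seq, next_header,
    payload) or None. The ICV is checked before the trailer is parsed so that
    a bogus pad length in a forged packet is never acted on."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(_hmac96(key, body), icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    data, pad_len, next_header = body[8:-2], body[-2], body[-1]
    if pad_len > len(data) or data[len(data) - pad_len:] != bytes(range(1, pad_len + 1)):
        return None   # RFC 2406 allows the receiver to check default padding
    return spi, seq, next_header, data[:len(data) - pad_len]


if __name__ == "__main__":
    # Transport mode: the payload is the upper-layer PDU (constructed ICMP bytes).
    esp = esp_null_protect(KEY, 0x200, 7, IPPROTO_ICMP, b"ping!")
    print(len(esp), "bytes:", esp.hex())
    print(esp_null_unprotect(KEY, esp))
    # Tunnel mode differs only in Next Header = 4 and the payload being a
    # whole inner IP packet (a constructed placeholder here).
    tun = esp_null_protect(KEY, 0x201, 1, IPPROTO_IPIP, b"<inner IP packet>")
    print(esp_null_unprotect(KEY, tun))
```

Because the outer IP header is not covered, ESP without AH gives no assurance about the outer addresses; that is why ESP with Null authentication, also in the mandatory list, provides confidentiality only and is the weaker choice whenever integrity matters.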

Internet Packet Format with ESP

Transport Mode:

[IP Header] [ESP Header] [Upper Protocol Headers and Packet Data]

Tunnel Mode:

[New IP Header] [ESP Header] [Old IP Header] [Upper Protocol Headers and Packet Data]

Transport vs. Tunnel Mode

Constructs Underlying IP Security

• Security Association (SA)

• Security Association Database (SAD)

• Security Parameter Index (SPI)

• Security Policy Database (SPD)
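The four constructs on this slide fit together in one lookup path: the SPD decides whether a packet is discarded, bypassed or protected; for a protected packet the SAD supplies the live SA, identified on the inbound side by the (SPI, destination, protocol) triple; and if no SA exists yet, IKE must be invoked to create one. The Python below is an added model of that path (not NIST Cerberus code); addresses, SPIs and keys are constructed.

```python
# A minimal model of the IPsec policy and SA databases (RFC 2401 section 4.4):
# the SPD decides discard / bypass / protect for each packet, the SAD holds the
# live SAs keyed by (SPI, destination, protocol). Added example for this page;
# not NIST Cerberus code. Addresses, SPIs and keys are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"


@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: Optional[int] = None   # None = any protocol
    dport: Optional[int] = None   # None = any port

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


@dataclass(frozen=True)
class Policy:
    action: str
    protocol: Optional[str] = None    # "AH" or "ESP" when action == PROTECT
    mode: Optional[str] = None        # "transport" or "tunnel"
    tunnel_dst: Optional[str] = None  # security gateway address for tunnel mode


@dataclass
class SA:
    spi: int
    dst: str
    protocol: str
    key: bytes
    seq: int = 0


def spd_lookup(spd, src, dst, proto, dport=None):
    """SPD entries are ordered; the first matching selector decides. A packet
    that matches no entry is discarded (RFC 2401 section 4.4.1)."""
    for selector, policy in spd:
        if selector.matches(src, dst, proto, dport):
            return policy
    return Policy(DISCARD)


def sad_lookup(sad, spi, dst, protocol):
    """Inbound SAs are identified by the (SPI, destination, protocol) triple."""
    return sad.get((spi, dst, protocol))


def outbound(spd, sad, src, dst, proto, dport=None):
    """Decide what happens to an outbound packet: 'discard', 'bypass',
    ('protect', SA) when an SA exists, or ('negotiate', policy) when IKE must
    first create one."""
    policy = spd_lookup(spd, src, dst, proto, dport)
    if policy.action != PROTECT:
        return policy.action
    peer = policy.tunnel_dst if policy.mode == "tunnel" else dst
    for sa in sad.values():
        if sa.dst == peer and sa.protocol == policy.protocol:
            sa.seq += 1               # each use consumes a sequence number
            return ("protect", sa)
    return ("negotiate", policy)


def build_demo():
    """Constructed SPD/SAD for host 10.0.0.1, which reaches the remote network
    198.51.100.0/24 through that network's security gateway 192.0.2.1."""
    spd = [
        (Selector("10.0.0.1/32", "10.0.0.0/24", proto=6, dport=23), Policy(DISCARD)),
        (Selector("10.0.0.1/32", "0.0.0.0/0", proto=17, dport=53), Policy(BYPASS)),
        (Selector("10.0.0.1/32", "10.0.0.0/24"), Policy(PROTECT, "AH", "transport")),
        (Selector("10.0.0.1/32", "198.51.100.0/24"),
         Policy(PROTECT, "ESP", "tunnel", tunnel_dst="192.0.2.1")),
    ]
    sad = {
        (0x1001, "10.0.0.2", "AH"): SA(0x1001, "10.0.0.2", "AH", b"constructed-ah-key"),
        (0x2001, "192.0.2.1", "ESP"): SA(0x2001, "192.0.2.1", "ESP", b"constructed-esp-key"),
    }
    return spd, sad


if __name__ == "__main__":
    spd, sad = build_demo()
    print(outbound(spd, sad, "10.0.0.1", "10.0.0.2", 6, 23))   # discard (telnet)
    print(outbound(spd, sad, "10.0.0.1", "10.0.0.2", 1))       # protect via AH SA
    print(outbound(spd, sad, "10.0.0.1", "198.51.100.7", 1))   # ESP tunnel to gateway
    print(outbound(spd, sad, "10.0.0.1", "10.0.0.9", 1))       # negotiate: no SA yet
    print(outbound(spd, sad, "10.0.0.1", "203.0.113.5", 1))    # discard: no policy
```

Two design points carry over to real deployments: the SPD is ordered, so a broad "protect" entry placed above a narrow "discard" entry silently cancels it, and the default for an unmatched packet is discard, which is what makes a missing policy fail closed rather than leak cleartext.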

Internet Key Exchange (IKE)

• Negotiate:

– Communication Parameters

– Security Features

• Authenticate Communicating Peer

• Protect Identity

• Generate, Exchange, and Establish Keys in a Secure Manner

• Delete Security Associations

Internet Key Exchange (IKE) (continued)

• Threat Mitigation

– Denial of Service

– Replay

– Man in Middle

– Perfect Forward Secrecy

• Usable by IPsec and other domains

Internet Key Exchange (IKE) (continued)

• Components:

– Internet Security Association and Key Management Protocol (ISAKMP)

– Internet Key Exchange (IKE, aka ISAKMP/Oakley)

– IP Security Domain of Interpretation (IPsec DOI)

IKE Negotiations - Phase 1

• Purpose: Establish ISAKMP SA (“Secure Channel”)

• Steps (4-6 messages exchanged):

– Negotiate Security Parameters

– Diffie-Hellman Exchange

– Authenticate Identities

• Main Mode vs. Aggressive Mode
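The Diffie-Hellman step of Phase 1 produces g^xy, and with pre-shared-key authentication RFC 2409 section 5 derives from it the three keys of the ISAKMP SA: SKEYID_d (seed for Phase 2 keys), SKEYID_a (authenticates later ISAKMP messages) and SKEYID_e (encrypts them). The Python below is an added example written for this page, not NIST PlutoPlus code; it runs both sides of the exchange over Oakley group 1 (the 768-bit MODP group of RFC 2409 section 6.1) with HMAC-SHA1 as the prf. The nonces, cookies, pre-shared key and private exponents are constructed.

```python
# IKE Phase 1 key material with pre-shared-key authentication (RFC 2409
# section 5) over Oakley group 1, the 768-bit MODP group of RFC 2409 section
# 6.1. Added example for this page; not NIST PlutoPlus code. Nonces, cookies,
# the pre-shared key and the private exponents are constructed.
import hashlib
import hmac
import secrets

OAKLEY_GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
OAKLEY_GROUP1_G = 2
GROUP_LEN = (OAKLEY_GROUP1_P.bit_length() + 7) // 8   # 96 bytes


def dh_public(x):
    return pow(OAKLEY_GROUP1_G, x, OAKLEY_GROUP1_P)


def dh_shared(peer_public, x):
    """g^xy; reject degenerate peer values (0, 1, p-1) that would pin the
    shared secret to a known value regardless of x."""
    p = OAKLEY_GROUP1_P
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, x, p)


def group_bytes(n):
    """RFC 2409: DH values are encoded at the full group length, zero-padded."""
    return n.to_bytes(GROUP_LEN, "big")


def skeyid_psk(psk, ni_b, nr_b, prf=hashlib.sha1):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def derive_skeyids(skeyid, gxy, cky_i, cky_r, prf=hashlib.sha1):
    """SKEYID_d, SKEYID_a, SKEYID_e per RFC 2409 section 5."""
    base = gxy + cky_i + cky_r
    d = hmac.new(skeyid, base + b"\x00", prf).digest()
    a = hmac.new(skeyid, d + base + b"\x01", prf).digest()
    e = hmac.new(skeyid, a + base + b"\x02", prf).digest()
    return d, a, e


def phase1_keys(psk, x_i, x_r, ni_b, nr_b, cky_i, cky_r, prf=hashlib.sha1):
    """Run both sides of the exchange and return their (d, a, e) triples,
    so a caller can confirm initiator and responder agree."""
    pub_i, pub_r = dh_public(x_i), dh_public(x_r)      # the KE payloads on the wire
    gxy_i = group_bytes(dh_shared(pub_r, x_i))         # initiator's view of g^xy
    gxy_r = group_bytes(dh_shared(pub_i, x_r))         # responder's view of g^xy
    skeyid = skeyid_psk(psk, ni_b, nr_b, prf)          # both sides hold psk, Ni, Nr
    return (derive_skeyids(skeyid, gxy_i, cky_i, cky_r, prf),
            derive_skeyids(skeyid, gxy_r, cky_i, cky_r, prf))


if __name__ == "__main__":
    x_i, x_r = secrets.randbits(256), secrets.randbits(256)   # constructed exponents
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    init, resp = phase1_keys(b"constructed-psk", x_i, x_r, ni, nr, cky_i, cky_r)
    print("SKEYID_d/a/e agree:", init == resp)
    print("SKEYID_e =", init[2].hex())
```

The derivation shows why the pre-shared key matters in Main Mode: SKEYID is keyed by it before any identity is exchanged, so with pre-shared secrets the responder must be able to pick the key from the initiator's IP address alone, and a 768-bit group, adequate in 2000, is well below current recommendations.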

IKE Negotiations - Phase 2

• Purpose: Establish IPsec SA

• Steps (3-5 messages exchanged):

– Negotiate Security Parameters

– Optional Diffie-Hellman Exchange

– Final Verification

• Quick Mode

NIST’s Contributions to IPsec

• Cerberus - Linux-based reference implementation of IPsec

• PlutoPlus - Linux-based reference implementation of IKE

• IPsec-WIT - Web-based IPsec interoperability test facility

NIST’s Contributions to IPsec (continued)

• Goals:

– Enable smaller industry vendors to jump-start their entry into IPsec

– Facilitate ongoing interoperability testing of multiple IPsec implementations

IPsec-WIT: Motivation

• Inter-operability of multiple implementations essential for IPsec to succeed

• Existing test modalities

– Interoperability “Bake-offs”

– Pre-planned Web-based interoperability testing

• Needed: spontaneous Web-based testing

User-Related Objectives

• Accessible from remote locations

• Available at any time

• Require no modification to the tester’s IPsec implementation

• Allow testers to resume testing at a later time

• Configurable

• Well-documented

• Easy to use

Implementation Objectives

• Simultaneous access by multiple users

• Rapid, modular implementation

• Easily modified and expanded as IPsec/IKE specifications evolve

• Built around NIST’s IPsec/IKE Reference Implementations, Cerberus and PlutoPlus

Implementation Objectives (continued)

• Require minimal changes to Cerberus and PlutoPlus

• Operator intervention not required

IPsec-WIT Architecture

(Block diagram; only the component and link labels are recoverable.)

Tester side:

– Web Browser

– IUT (implementation under test), with Local IUT Configuration

IPsec-WIT host (Linux Kernel):

– HTML Docs., Forms, and HTTP Server

– Perl CGI Test Engine, with Test Suites and State Files

– IP + NIST Cerberus

– NIST PlutoPlus

Labeled links:

– Web Browser to HTTP Server: WWW-based Tester Control (HTML/CGI)

– IUT to Cerberus: IPsec Encapsulated IP Packets

– IUT to PlutoPlus: IKE Negotiation

– Test Engine to Cerberus: Manual SAs and IP/IPsec Packet Traces

– Test Engine to PlutoPlus: Message logging and IKE Configuration

– PlutoPlus to Cerberus: Negotiated SAs and SA mgmt. messages

Implementation

• Perl cgi-bin tester

• HTML forms

• Executable test cases

• Output

– PlutoPlus: tracing the IKE negotiation

– Cerberus: dumping the ping packets

– expect command: color-coded output

Implementation (continued)

• Individual tester files

– Tester-specific parameters

– Tester’s individual output

– Storage and expiration

Current Capabilities

• Key establishment: manual or IKE negotiation

• IKE negotiation: Initiator or Responder

• Peer authentication: pre-shared secrets

• ISAKMP hash: MD5 or SHA

• ISAKMP encryption: DES or 3DES

• Diffie-Hellman exchange: 1st Oakley group

Current Capabilities (continued)

• Configurable port for IKE negotiation

• IPsec AH algorithms: HMAC-MD5 or HMAC-SHA1

• IPsec ESP algorithms:

– Encryption: DES, 3DES, IDEA, RC5, Blowfish, or ESP-Null

– Authentication (optional): HMAC-MD5 or HMAC-SHA1

– Variable key length for RC5 and Blowfish

Current Capabilities (continued)

• IPsec encapsulation mode: transport or tunnel

• Perfect Forward Secrecy (PFS)

• Verbosity of IKE/IPsec output configurable

• IPsec SA tested using “ping” command

• Transport-mode SA: host-to-host

Current Capabilities (continued)

• Tunnel-mode SA: host-to-host or host-to-gateway

– Host-to-gateway SA tests communications with tester’s host behind gateway

• Sample test cases for testers without a working IKE/IPsec implementation

• Current/cumulative test results can be viewed via browser or emailed to tester

Limitations

• Re-keying

• Crash/disaster recovery

• Complex policy-related scenarios

Lessons Learned

• Voluntary interoperability testing is useful and used

• Interoperability tests can also serve as conformance tests

• Stateful protocols can be tested using a Web-based tester

• “Standard” features are more useful than “cutting edge”

Lessons Learned (continued)

• Some human intervention is required

• Productive and informative multi-protocol interaction is challenging

• Users do the “darnedest” - and most unexpected - things

Future Horizons - PlutoPlus

• Additional Diffie-Hellman groups

• More complex policy options

– Multiple proposals

– Adjacent SAs

– Nested SAs

• Peer authentication: public key

• PKI interaction and certificate exchanges

Future Horizons - IPsec-WIT

• Test IPsec SAs with UDP/TCP connections, rather than ICMP

• Better diagnostics from underlying protocols

Futuristic Horizons

• Negative testing

• Robustness testing

Current Status of IPsec

• Basic IPsec and IKE functionality defined in RFCs

• Add-ons and additional functionality defined in Internet Drafts

• Numerous IPsec implementations in hardware and software

• Periodic interoperability/conformance testing at IPsec “Bake-offs”

Current Status of IPsec (continued)

• Deployed in Auto Industry Networks (ANX and ENX)

• Used for Virtual Private Networks (VPNs)

Future Directions of IPsec

• PKI profiles for IPsec

• Policy configuration and control (IPSP)

• Secure remote access (IPSRA)

• Transport-friendly ESP (TF-ESP)

An SAT-type Analogy: The Answer

?? To Be Announced ??

Contact/Usage Information

• IPsec-WIT: http://ipsec-wit.antd.nist.gov

• Cerberus documentation: http://www.antd.nist.gov/cerberus

• PlutoPlus documentation: http://ipsec-wit.antd.nist.gov/newipsecdoc/pluto.html

• For further information, contact:

– Sheila Frankel: sheila.frankel@nist.gov

– Rob Glenn: [email protected]