Network Layer Security: IPSec

Network Layer Security: IPSec. 2 Overview IPSec is an Internet standard for network layer security components: – an authentication protocol (Authentication.

Dec 18, 2015


Esmond Chandler
Transcript
Network Layer Security: IPSec

Overview

IPSec is an Internet standard for network layer security

components:
– an authentication protocol (Authentication Header – AH)
– a combined encryption and authentication protocol (Encapsulating Security Payload – ESP)
– key management protocols (the default is ISAKMP/Oakley)

important RFCs:
– RFC 2401: an overview of the IPSec security architecture
– RFC 2402: specification of AH
– RFC 2406: specification of ESP
– RFC 2408: specification of ISAKMP
– RFC 2412: specification of Oakley

IPSec is mandatory for IPv6 and optional for IPv4


IPSec services

service                                 AH    ESP (encryption only)    ESP (encryption and authentication)
integrity                               x     -                        x
data origin authentication              x     -                        x
replay detection                        x     x                        x
confidentiality                         -     x                        x
limited traffic flow confidentiality    -     x                        x


Security associations (SA)

an SA is a one-way relationship between a sender and a receiver system

an SA is used either for AH or for ESP but never for both

an SA is uniquely identified by three parameters
– Security Parameters Index (SPI)
  • a bit string assigned to the SA
  • carried in AH and ESP headers to allow the receiving party to select the SA which must be used to process the packet
– IP destination address
  • address of an end-system or a network element (e.g., router)
– security protocol identifier
  • indicates whether the SA is an AH or an ESP SA


SA parameters

sequence number counter
– counts the packets sent using this SA

sequence counter overflow flag
– indicates whether overflow of the sequence number counter should prevent further transmission using this SA

anti-replay window
– used to determine whether an inbound AH or ESP packet is a replay

AH / ESP information
– algorithm, key, and related parameters

lifetime
– a time interval or byte count after which this SA must be terminated

protocol mode
– tunnel or transport mode

path MTU
– any observed maximum transmission unit


SA selectors

Security Policy Database (SPD)
– each entry defines a subset of IP traffic and points to the SAs to be applied to that traffic
– subset of IP traffic is defined in terms of selectors
  • destination IP address (single, enumerated list, range, or mask)
  • source IP address (single, enumerated list, range, or mask)
  • transport layer protocol (single, enumerated list, or range)
  • destination port (single, enumerated list, range, or wildcard)
  • …

outbound processing
– compare the selector fields of the packet to the values in the SPD
– determine which SAs should be used for the packet and their SPIs
– do the required IPSec processing
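The outbound lookup described above, together with the SA triple and the sequence counter overflow flag from the previous slides, as an added example that is not part of the original slides. The class names, the first-match ordering, returning None for unmatched traffic and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SA:
    spi: int                        # Security Parameters Index
    dst: str                        # IP destination address
    protocol: str                   # security protocol identifier: "AH" or "ESP"
    mode: str                       # "transport" or "tunnel"
    seq: int = 0                    # sequence number counter
    stop_on_overflow: bool = True   # sequence counter overflow flag

    def next_seq(self):
        if self.seq == 0xFFFFFFFF:
            if self.stop_on_overflow:
                raise OverflowError("sequence counter overflow: SA must not be used further")
            self.seq = 0
        self.seq += 1
        return self.seq

@dataclass
class SPDEntry:
    src: str          # source address selector, given as a mask
    dst: str          # destination address selector, given as a mask
    proto: object     # transport layer protocol, None = wildcard
    dports: object    # range of destination ports, None = wildcard
    sa: SA

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and (self.dports is None or pkt["dport"] in self.dports))

def outbound(spd, pkt):
    """Return ((SPI, destination, protocol), sequence number) for the first match, else None."""
    for entry in spd:               # assumption: ordered database, first match wins
        if entry.matches(pkt):
            sa = entry.sa
            return (sa.spi, sa.dst, sa.protocol), sa.next_seq()
    return None                     # assumption: traffic without a policy is not sent

# Constructed policy: HTTPS to one server uses a transport-mode SA,
# everything else between the two networks uses a tunnel SA to a gateway.
SPD = [
    SPDEntry("10.1.0.0/16", "10.2.0.5/32", "tcp", range(443, 444),
             SA(0x2001, "10.2.0.5", "ESP", "transport")),
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, None,
             SA(0x1001, "192.0.2.254", "ESP", "tunnel")),
]
```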


Modes of operation

transport mode
– provides protection primarily for upper layer protocols
– protection is applied to the payload of the IP packet
  • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
  • AH in transport mode authenticates the IP payload and selected fields of the IP header
– usually used between end-systems

tunnel mode
– provides protection to the entire IP packet
– the entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses)
  • ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet
  • AH in tunnel mode authenticates the entire inner IP packet and selected fields of the outer IP header
– usually used between security gateways (routers, firewalls)


Authentication Header – AH

Next header
– type of header immediately following this header (e.g., TCP, IP, etc.)

Payload length
– length of AH (in 32 bit words) minus 2
– e.g., 4 if Authentication data is 3x32 bits long

Security Parameters Index
– identifies the SA used to generate this header

Sequence number
– sequence number of the packet

Authentication data
– a (truncated) MAC (default length is 3x32 bits)

AH layout (32-bit rows; bit positions 0, 8, 16, 31):
– Next header (bits 0–7) | Payload length (bits 8–15) | Reserved (bits 16–31)
– Security Parameters Index (SPI)
– Sequence number
– Authentication data (variable length)


Replay detection

replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination

receiver has an anti-replay window of default size W = 64

[Figure: packets received, shown against the anti-replay window (of size 7) whose right edge is the last received packet; labels: dropped; dropped; if MAC is correct then mark, otherwise drop; advance window]
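A receiver-side window with the behaviour labelled in the figure, as an added example that is not part of the original slides. The class and function names and the trace are constructed; sequence numbers are assumed to start at 1, and the window state changes only after the MAC has been verified, so a forged packet with a high sequence number cannot move the window.

```python
class AntiReplayWindow:
    """Receiver-side window for one inbound SA (default size W = 64)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far (right edge)
        self.bitmap = 0    # bit i set: sequence number (top - i) was already accepted

    def receive(self, seq, mac_ok):
        """Process one packet; mac_ok is the result of verifying its MAC."""
        if seq == 0 or self.top - seq >= self.size:
            return "drop: left of window"      # too old (or invalid number 0)
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "drop: replay"              # inside window, already marked
        if not mac_ok:
            return "drop: bad MAC"             # window state is left untouched
        if seq > self.top:                     # right of window: advance it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:                                  # inside window, first time seen: mark
            self.bitmap |= 1 << (self.top - seq)
        return "accept"

def run_trace(size, trace):
    """Feed (sequence number, MAC valid?) pairs to a fresh window."""
    window = AntiReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in trace], window.top

# Constructed trace for a window of size 7, as in the figure.
TRACE = [(1, True), (3, True), (2, True), (3, True), (50, False),
         (10, True), (3, True), (4, True), (4, True)]
```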


MAC

implementations must support
– HMAC-MD5-96
– HMAC-SHA1-96

the MAC is calculated over
– IP header fields that do not change in transit
– the AH header fields except the Authentication data field
– entire upper layer protocol data

the fields not covered by the MAC are set to 0 for the calculation

[Figure: the MAC input is the IP header (TTL and Header checksum set to 0000...), the AH (Authentication data set to 0000...) and the payload; the MAC output becomes the Authentication data]
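The calculation above for an IPv4 packet in transport mode with HMAC-SHA1-96, as an added example that is not part of the original slides. It assumes an IPv4 header without options; besides TTL and header checksum it also zeroes TOS, flags and fragment offset, which RFC 2402 lists as mutable. Function names, addresses and field values are constructed.

```python
import hashlib
import hmac
import socket
import struct

AH_FIXED = 12   # Next header, Payload length, Reserved, SPI, Sequence number
ICV_LEN = 12    # HMAC-SHA1-96: 3 x 32 bits of Authentication data

def ipv4_header(src, dst, ttl, body_len, checksum=0):
    """Constructed 20-byte IPv4 header (no options) carrying AH (protocol 51)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0x4000,
                       ttl, 51, checksum, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(next_header, spi, seq, icv=bytes(ICV_LEN)):
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2    # AH length in 32-bit words minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def ah_icv(key, ip_hdr, ah, payload):
    """Truncated HMAC-SHA1 over the packet with the uncovered fields set to 0."""
    ip = bytearray(ip_hdr)
    ip[1] = 0                     # TOS (mutable per RFC 2402)
    ip[6:8] = b"\x00\x00"         # flags and fragment offset (mutable per RFC 2402)
    ip[8] = 0                     # TTL
    ip[10:12] = b"\x00\x00"       # header checksum
    ah_zeroed = ah[:AH_FIXED] + bytes(len(ah) - AH_FIXED)   # Authentication data = 0
    mac = hmac.new(key, bytes(ip) + ah_zeroed + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]

def ah_protect(key, ip_hdr, next_header, spi, seq, payload):
    """Sender: build the AH with the Authentication data filled in."""
    blank = ah_header(next_header, spi, seq)
    return ah_header(next_header, spi, seq, ah_icv(key, ip_hdr, blank, payload))

def ah_verify(key, ip_hdr, ah, payload):
    """Receiver: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(ah[AH_FIXED:], ah_icv(key, ip_hdr, ah, payload))
```

A router that decrements the TTL and rewrites the checksum does not invalidate the MAC, while a changed source address or payload does.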


AH in transport and tunnel mode

original IPv4 packet:
original IP header | TCP/UDP header | data

AH in transport mode:
original IP header | AH | TCP/UDP header | data
– authenticated except for mutable fields in the IP header

AH in tunnel mode:
new IP header | AH | original IP header | TCP/UDP header | data
– authenticated except for mutable fields in the outer IP header


Encapsulating Security Payload – ESP

Security Parameters Index
– identifies the SA used to generate this encrypted packet

Sequence number

payload
– transport level segment (transport mode) or encapsulated IP packet (tunnel mode)

padding
– variable length padding

Pad length

Next header
– identifies the type of data contained in the header

Authentication data
– a (truncated) MAC computed over the ESP packet (SPI ... Next Header)

ESP layout (32-bit rows; bit positions 0, 16, 24, 31):
– Security Parameters Index (SPI)
– Sequence number
– payload (variable length)
– padding (0-255 bytes) | Pad length (bits 16–23) | Next header (bits 24–31)
– Authentication data (variable length)


Encryption and MAC algorithms

encryption
– applied to the payload, padding, pad length, and next header fields
– if an IV is needed, then it is explicitly carried at the beginning of the payload data (the IV is not encrypted)
– implementations must support DES-CBC
– other suggested algorithms: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish

MAC
– default length is 3x32 bits
– implementations must support HMAC-MD5-96 and HMAC-SHA1-96
– MAC is computed over the SPI, sequence number, and encrypted payload, padding, pad length, and next header fields
– unlike in AH, here the MAC does not cover the preceding IP header


ESP in transport and tunnel mode

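original IPv4 packet:
original IP header | TCP/UDP header | data

ESP in transport mode:
original IP header | ESP header | TCP/UDP header | data | ESP trailer | ESP MAC
– encrypted: TCP/UDP header, data, ESP trailer
– authenticated: ESP header, TCP/UDP header, data, ESP trailer

ESP in tunnel mode:
new IP header | ESP header | original IP header | TCP/UDP header | data | ESP trailer | ESP MAC
– encrypted: original IP header, TCP/UDP header, data, ESP trailer
– authenticated: ESP header, original IP header, TCP/UDP header, data, ESP trailer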


Combining security associations

basic ESP-AH combination
1. apply ESP in transport mode without authentication
2. apply AH in transport mode

original IP header | AH | ESP header | TCP/UDP header | data | ESP trailer
– authenticated except for mutable fields in the IP header

basic AH-ESP combination
1. apply AH in transport mode
2. apply ESP in tunnel mode without authentication

new IP header | ESP header | original IP header | AH | TCP/UDP header | data | ESP trailer
– authenticated except for mutable fields in the inner IP header


Combining security associations cont’d

case 1: host-to-host security

[Figure: local intranet, Internet, local intranet; one or more SAs]


Combining security associations cont’d

case 2: gateway-to-gateway security

[Figure: local intranet, Internet, local intranet; single tunnel SA]


Combining security associations cont’d

case 3: host-to-gateway security

[Figure: Internet, local intranet; single tunnel SA]


Combining security associations cont’d

combinations of the 3 cases

[Figure: local intranet, Internet, local intranet; one or more SAs, single tunnel SA]


Key management

two types must be supported by implementations
– manual
  • system administrator configures each system with the necessary keys
– automated
  • on-demand creation of keys for SAs

default automated method is ISAKMP/Oakley
– Oakley key determination protocol
  • a key exchange protocol based on Diffie-Hellman
  • provides added security (e.g., authentication)
– ISAKMP – Internet Security Association and Key Management Protocol
  • provides a framework for key exchange
  • defines message formats that can carry the messages of various key exchange protocols


Oakley key determination protocol

problems with basic DH:
– it is subject to a man-in-the-middle type attack
– it is vulnerable to a clogging attack
  • attacker sends fake DH messages to a victim from a forged IP address
  • victim starts performing modular exponentiations to compute a secret key
  • victim can be blocked with useless work

added security features of Oakley
– cookie exchange to thwart clogging attacks
  • hash(src IP addr, dst IP addr, src UDP port, dst UDP port, local secret)
  • local secret is periodically changed
– uses nonces to detect replay attacks
– authenticates the DH exchange to thwart man-in-the-middle attacks
  • based on digital signatures, public key encryption, or symmetric key encryption
– enables the parties to negotiate the global parameters of the DH exchange (e.g., the prime p that defines the group and the generator g of the group)
  • few predefined groups
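How the cookie keeps a responder from doing modular exponentiations for forged source addresses, as an added example that is not part of the original slides. SHA-256 truncated to 8 bytes as the hash, keeping the previous local secret valid for one rotation period, the toy DH group and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

P, G = 2**127 - 1, 3   # toy DH group for the demo only; far too small for real use

class Responder:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.secret, self.old_secret = os.urandom(32), None
        self.y = int.from_bytes(os.urandom(15), "big") + 2   # private DH exponent
        self.modexps = 0                                      # expensive operations done

    def rotate_secret(self):
        """Periodic change of the local secret; the previous one stays valid once more."""
        self.old_secret, self.secret = self.secret, os.urandom(32)

    def _cookie(self, secret, src_ip, src_port):
        # hash(src IP addr, dst IP addr, src UDP port, dst UDP port, local secret)
        fields = (socket.inet_aton(src_ip) + socket.inet_aton(self.ip)
                  + struct.pack("!HH", src_port, self.port))
        return hashlib.sha256(fields + secret).digest()[:8]

    def on_message(self, src_ip, src_port, cky_r, g_x):
        """Answer with a cookie only, unless cky_r proves the sender saw our reply."""
        secrets = [s for s in (self.secret, self.old_secret) if s is not None]
        if not any(hmac.compare_digest(cky_r, self._cookie(s, src_ip, src_port))
                   for s in secrets):
            # Cheap and stateless: nothing is stored, no exponentiation is performed.
            return ("cookie", self._cookie(self.secret, src_ip, src_port))
        self.modexps += 1
        return ("key", pow(g_x, self.y, P))
```

A sender using a forged address never receives the cookie sent to that address, so it cannot make the responder reach the exponentiation.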


Oakley example – conservative

I → R: CKYi | 0 | OK_KEYX | GRP | g^x | EHAO

R → I: CKYr | CKYi | OK_KEYX | GRP | g^y | EHAS

I → R: CKYi | CKYr | OK_KEYX | GRP | g^x | NIDP | IDi | IDr | {Ni}_Kr

R → I: CKYr | CKYi | OK_KEYX | GRP | NIDP | {Nr | Ni}_Ki | IDr | IDi | MAC(Kir, IDr | IDi | GRP | g^y | g^x | EHAS)

I → R: CKYi | CKYr | OK_KEYX | GRP | NIDP | MAC(Kir, IDi | IDr | GRP | g^x | g^y | EHAS)

where
– CKY: cookie
– OK_KEYX: message type is Oakley key exchange
– GRP: group
– EHAO/EHAS: encryption, hash, authentication alg. offered/selected
– NIDP: no ID protection
– N: nonce

and
– Kir = hash( Ni | Nr )
– shared secret key = f( Ni, Nr, g^xy, CKYi, CKYr )


Oakley example – aggressive

I → R: CKYi | 0 | OK_KEYX | GRP | g^x | EHAO | NIDP | IDi | IDr | Ni | 0 | Sig(Ki^-1, IDi | IDr | Ni | 0 | GRP | g^x | 0 | EHAO)

R → I: CKYr | CKYi | OK_KEYX | GRP | g^y | EHAS | NIDP | IDr | IDi | Nr | Ni | Sig(Kr^-1, IDr | IDi | Nr | Ni | GRP | g^y | g^x | EHAS)

I → R: CKYi | CKYr | OK_KEYX | GRP | g^x | NIDP | IDi | IDr | Ni | Nr | Sig(Ki^-1, IDi | IDr | Ni | Nr | GRP | g^x | g^y | EHAS)


ISAKMP generic message format

ISAKMP header:
– Initiator cookie
– Responder cookie
– Next payload | Mj ver | Mn ver | Exchange type | Flags
– Message ID
– Length

generic payload header, followed by the payload:
– Next payload | Reserved | Payload length
– payload

Next payload
– type of next payload (e.g., transform, key exchange, certificate, …)
– 0 if this is the last payload

Exchange type
– 5 default exchange types (base, ID protection, auth only, aggressive, informational)

Message ID
– unique ID of this message

Length
– length of header + all payloads


ISAKMP payload types

Security Association (SA)
– used to begin the setup of a new SA; carries various attributes

Proposal (P)
– used during SA setup; indicates protocol to be used (AH or ESP) and number of transforms

Transform (T)
– used during SA setup; indicates transform (e.g., DES, 3DES) and its attributes

Key exchange (KE)
– used to carry key exchange data (e.g., Oakley)

Identification (ID)
– used to exchange identification information (e.g., IP address)

Certificate (CR)
– carries a public key certificate (PGP, X.509, SPKI, …)

Hash (HASH)

Signature (SIG)

Nonce (NONCE)

Notification (N)
– contains error or status information

Delete (D)
– indicates one or more SAs that the sender has deleted from its database (no longer valid)


ISAKMP exchange types

base exchange
I → R : SA; NONCE
R → I : SA; NONCE
I → R : KE; IDi; AUTH
R → I : KE; IDr; AUTH

identity protection exchange
I → R : SA
R → I : SA
I → R : KE; NONCE
R → I : KE; NONCE
I → R : IDi; AUTH
R → I : IDr; AUTH


ISAKMP exchange types cont’d

authentication only exchange
I → R : SA; NONCE
R → I : SA; NONCE; IDr; AUTH
I → R : IDi; AUTH

aggressive exchange
I → R : SA; KE; NONCE; IDi
R → I : SA; KE; NONCE; IDr; AUTH
I → R : AUTH

informational exchange
I → R : N/D
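A parser for the generic message format and the Next payload chaining described on the ISAKMP slides above, as an added example that is not part of the original slides. The numeric payload and exchange type codes are the ones assigned in RFC 2408; the function names and the sample message with placeholder payload bodies are constructed, and the message is assumed to be unencrypted.

```python
import struct

# cookies, next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")
PAYLOADS = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "Certificate",
            7: "Certificate Request", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D"}
EXCHANGES = {1: "base", 2: "identity protection", 3: "authentication only",
             4: "aggressive", 5: "informational"}

def build_isakmp(cky_i, cky_r, exchange, msg_id, payloads):
    """Serialise [(payload type, body), ...]; each payload names the type of the next."""
    types = [t for t, _ in payloads] + [0]             # 0 marks the last payload
    body = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(data)) + data
                    for i, (_, data) in enumerate(payloads))
    return HEADER.pack(cky_i, cky_r, types[0], 0x10, exchange, 0, msg_id,
                       HEADER.size + len(body)) + body

def parse_isakmp(msg):
    """Parse an unencrypted ISAKMP message, rejecting inconsistent length fields."""
    if len(msg) < HEADER.size:
        raise ValueError("shorter than the ISAKMP header")
    cky_i, cky_r, nxt, ver, exchange, flags, msg_id, length = HEADER.unpack_from(msg)
    if length != len(msg):
        raise ValueError("Length field does not match the datagram size")
    payloads, off = [], HEADER.size
    while nxt != 0:
        if off + 4 > length:
            raise ValueError("payload header runs past the end of the message")
        following, _reserved, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad Payload length")     # plen < 4 would never advance
        payloads.append((PAYLOADS.get(nxt, nxt), msg[off + 4:off + plen]))
        nxt, off = following, off + plen
    if off != length:
        raise ValueError("bytes left over after the last payload")
    return {"initiator_cookie": cky_i, "responder_cookie": cky_r,
            "version": (ver >> 4, ver & 0x0F),
            "exchange": EXCHANGES.get(exchange, exchange),
            "message_id": msg_id, "payloads": payloads}

# Constructed first message of a base exchange (I → R : SA; NONCE).
SAMPLE = build_isakmp(b"\x11" * 8, bytes(8), 1, 0,
                      [(1, b"constructed-sa"), (10, b"constructed-nonce")])
```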
