Crossing the Styx: Taming the Underworld
Using Cerberus and PlutoPlus
(ITL’s Contributions in the Area of Internet Security)
Sheila Frankel, Systems and Network Security Group, ITL
Unsolved Problems of the 1990s
  World Peace
  A Drinkable Diet Cola
  Secure Communications over an Insecure Network
Types of Security Protection
  Data Origin Authentication
  Connectionless Integrity
  Replay Protection
  Confidentiality (Encryption)
  Traffic Flow Confidentiality
At Which Network Layer Should Security Be Provided?
  Application Layer
  Transport (Sockets) Layer
  Internet Layer
Why Internet Layer Security?
  Implement once, in a consistent manner, for multiple applications
  Centrally-controlled access policy
  Enable multi-level, layered approach to security
Internet Packet Format (diagram)
  | IP Header | Upper Protocol Headers and Packet Data |
Authentication Header (AH)
  Data origin authentication
  Connectionless integrity
  Replay protection (optional)
  Transport or tunnel mode
  Mandatory algorithms:
    HMAC-MD5
    HMAC-SHA1
  Other algorithms optional
Internet Packet Format with AH (diagram)
  Transport Mode:
    | IP Header | AH Header | Upper Protocol Headers and Packet Data |
  Tunnel Mode:
    | New IP Header | AH Header | Old IP Header | Upper Protocol Headers and Packet Data |
Encapsulating Security Payload (ESP)
  Confidentiality
  Limited traffic flow confidentiality (tunnel mode only)
  Data origin authentication
  Connectionless integrity
  Replay protection (optional)
  Transport or tunnel mode
Encapsulating Security Payload (ESP) (cont’d)
  Mandatory algorithms:
    DES-CBC
    HMAC-MD5
    HMAC-SHA1
  Other algorithms optional
Internet Packet Format with ESP (diagram)
  Transport Mode:
    | IP Header | ESP Header | Upper Protocol Headers and Packet Data |
  Tunnel Mode:
    | New IP Header | ESP Header | Old IP Header | Upper Protocol Headers and Packet Data |
Transport vs. Tunnel Mode (diagram only; no text on this slide)
Constructs Underlying IP Security
  Security Association (SA)
  Security Association Database (SAD)
  Security Parameter Index (SPI)
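As an added illustration of the AH slide and the SA/SAD/SPI constructs above (example code written for this page, not NIST's Cerberus or PlutoPlus code): a receiver-side check that parses the Authentication Header, selects the SA by SPI from a constructed SAD, verifies an HMAC-SHA1-96 ICV, and then applies a sliding anti-replay window. It simplifies by computing the ICV over the AH (with the ICV field zeroed) and the payload only, omitting the immutable IP header fields that real AH also covers; the SAD entry, the key and the packets are all constructed.

```python
import hashlib
import hmac
import struct

# Constructed SAD: the SPI carried in the AH selects the receiving SA and its state.
# The key is a constructed 20-byte value, not a real key.
SAD = {0x1000: {"key": b"constructed-sha1-key", "seq_last": 0, "window": 0}}
WINDOW_SIZE = 32   # anti-replay window, in sequence numbers
AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12       # HMAC-SHA1-96: the 20-byte MAC truncated to 96 bits

def build_ah(spi, seq, next_header, payload, key):
    """Sender side: AH fixed fields + ICV + payload (transport mode, simplified)."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac.new(key, fixed + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload

def check_replay(sa, seq):
    """Sliding-window replay check; SA state changes only when the packet is accepted."""
    if seq == 0:
        return False
    last, window = sa["seq_last"], sa["window"]
    if seq > last:                                  # newer than anything seen: slide the window
        window = ((window << (seq - last)) | 1) & ((1 << WINDOW_SIZE) - 1)
        sa["seq_last"], sa["window"] = seq, window
        return True
    diff = last - seq                               # bit i of window = sequence (last - i) seen
    if diff >= WINDOW_SIZE or (window >> diff) & 1:
        return False                                # left of the window, or a duplicate
    sa["window"] = window | (1 << diff)
    return True

def verify_ah(packet):
    """Receiver side: returns (status, payload); status is ok, no-sa, bad-icv or replay."""
    _nh, payload_len, _rsv, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    sa = SAD.get(spi)
    if sa is None:
        return "no-sa", None
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[AH_FIXED_LEN:ah_len], packet[ah_len:]
    covered = packet[:AH_FIXED_LEN] + b"\x00" * len(icv) + payload   # ICV field zeroed
    expected = hmac.new(sa["key"], covered, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # origin/integrity check first
        return "bad-icv", None
    if not check_replay(sa, seq):                   # then replay protection
        return "replay", None
    return "ok", payload

if __name__ == "__main__":
    key = SAD[0x1000]["key"]
    pkt = build_ah(0x1000, 1, 17, b"constructed UDP payload", key)
    print(verify_ah(pkt)[0], verify_ah(pkt)[0])     # second delivery is rejected as a replay
```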
Internet Key Exchange (IKE)
  Negotiate:
    Communication Parameters
    Security Features
  Authenticate Communicating Peer
  Protect Identity
  Generate, Exchange, and Establish Keys in a Secure Manner
  Delete Security Associations
Internet Key Exchange (IKE) (cont’d)
  Threat Mitigation:
    Denial of Service
    Replay
    Man in the Middle
  Perfect Forward Secrecy
  Usable by IPsec and other domains (e.g., private keys for VPNs)
Internet Key Exchange (IKE) (cont’d)
  Components:
    Internet Security Association and Key Management Protocol (ISAKMP)
    Internet Key Exchange (IKE, aka ISAKMP/Oakley)
    IP Security Domain of Interpretation (IPsec DOI)
IKE Negotiations - Phase 1
  Purpose: Establish ISAKMP SA (“Secure Channel”)
  Steps (4-6 messages exchanged):
    Negotiate Security Parameters
    Diffie-Hellman Exchange
    Authenticate Identities
  Main Mode vs. Aggressive Mode
IKE Negotiations - Phase 2
  Purpose: Establish IPsec SA
  Steps (3-5 messages exchanged):
    Negotiate Security Parameters
    Optional Diffie-Hellman Exchange
    Final Verification
  Quick Mode
IKE Network Placement (layer diagram, top to bottom)
  Application Process
  Application Protocol / IKE (IKE runs as an application-space process)
  Socket Layer Protocol
  Transport Protocols (TCP/UDP)
  Internet Protocol (IP) with the Security Protocol (IPsec)
  Link Layer Protocol
  The DOI Definition ties IKE to the Security Protocol (IPsec)
IKE Peer Negotiation (diagram)
  Two peers, each with an Application and IKE in Application Space and IPSEC in Kernel Space, connected over the Physical Network; the figure numbers the negotiation steps 1 through 5.
Current Status of IPsec
  Most documents in Internet-Draft last call, headed for RFC status
  IPsec Working Group disbanded
  IPsecond Working Group starting up
  Multiple implementations (Sun, IBM, Microsoft, DEC, Cisco, Telebit, others) deployed, in beta test, or under development
Current Status of IPsec (cont’d)
  Periodic interoperability/conformance testing using reference implementations
  Auto Industry eXchange (ANX) pushing for early deployment
  PKI work underway in IETF, industry, government (NIST et al.)
The IETF’s Direction in IP Security
  IETF has mandated use of IPsec and IKE wherever feasible
  Testing support needed for emerging implementations
  Need publicly-available sites that are willing to provide IPsec testing
  Requested at 38th IETF meeting
NIST’s Contributions to IPsec
  Cerberus - Linux-based reference implementation of IPsec (http://snad.ncsl.nist.gov/cerberus)
  PlutoPlus - Linux-based reference implementation of IKE
  IPsec-WIT - Web-based IPsec interoperability test facility (http://ipsec-wit.antd.nist.gov)
NIST’s Contributions to IPsec (cont’d)
  Goals:
    Enable smaller industry vendors to jump-start their entry into IPsec
    Facilitate ongoing interoperability testing of multiple IPsec implementations
IPsec - Missing Pieces
  Policy specification and control
  Communication with CAs
IPsec Internet Drafts - Basic Documents
IP Security Document Roadmap (draft-ietf-ipsec-doc-roadmap-02.txt)
Security Architecture for the Internet Protocol (draft-ietf-ipsec-arch-sec-04.txt)
IP Authentication Header (draft-ietf-ipsec-auth-header-05.txt)
IP Encapsulating Security Payload (ESP) (draft-ietf-ipsec-esp-v2-04.txt)
IPsec Internet Drafts - Authentication Algorithms
The Use of HMAC-MD5-96 within ESP and AH (draft-ietf-ipsec-auth-hmac-md5-96-03.txt)
The Use of HMAC-SHA-1-96 within ESP and AH (draft-ietf-ipsec-auth-hmac-sha1-96-03.txt)
The Use of HMAC-RIPEMD-160-96 within ESP and AH (draft-ietf-ipsec-auth-hmac-ripemd-160-96-01.txt)
IPsec Internet Drafts - Cryptographic Transforms
The ESP ARCFOUR Algorithm (draft-ietf-ipsec-ciph-arcfour-00.txt)
The ESP Blowfish-CBC Algorithm Using an Explicit IV (draft-ietf-ipsec-ciph-blowfish-cbc-00.txt)
The ESP CAST128-CBC Algorithm (draft-ietf-ipsec-ciph-cast128-cbc-00.txt)
The ESP CAST5-128-CBC Transform (draft-ietf-ipsec-ciph-cast-div-00.txt)
IPsec Internet Drafts - Cryptographic Transforms (cont’d)
The ESP CBC-Mode Cipher Algorithms (draft-ietf-ipsec-ciph-cbc-02.txt)
ESP with Cipher Block Chaining (CBC) (draft-ietf-ipsec-cbc-00.txt)
The ESP DES-CBC Transform (draft-ietf-ipsec-ciph-des-derived-00.txt)
The ESP DES-CBC Cipher Algorithm With Explicit IV (draft-ietf-ipsec-ciph-des-expiv-02.txt)
IPsec Internet Drafts - Cryptographic Transforms (cont’d)
The ESP Triple DES Transform (draft-ietf-ipsec-ciph-des3-00.txt)
The ESP 3DES-CBC Algorithm Using an Explicit IV (draft-ietf-ipsec-ciph-3des-expiv-00.txt)
The ESP DES-XEX3-CBC Transform (draft-ietf-ipsec-ciph-desx-00.txt)
The ESP IDEA-CBC Algorithm Using Explicit IV (draft-ietf-ipsec-ciph-idea-cbc-00.txt)
IPsec Internet Drafts - Cryptographic Transforms (cont’d)
The ESP RC5-CBC Algorithm (draft-ietf-ipsec-ciph-rc5-cbc-00.txt)
The NULL Encryption Algorithm and Its Use With IPsec (draft-ietf-ipsec-ciph-null-00.txt)
IPsec Internet Drafts - Key Management
Internet Security Association and Key Management Protocol (ISAKMP) (draft-ietf-ipsec-isakmp-09.txt, .ps)
The OAKLEY Key Determination Protocol (draft-ietf-ipsec-oakley-02.txt)
The Internet Key Exchange (IKE) (draft-ietf-ipsec-isakmp-oakley-07.txt)
IPsec Internet Drafts - Key Management (cont’d)
The Internet IP Security Domain of Interpretation for ISAKMP (draft-ietf-ipsec-ipsec-doi-08.txt)
Inline Keying within the ISAKMP Framework (draft-ietf-ipsec-inline-isakmp-01.txt)
IPsec Internet Drafts - Additional Key Management Modes
Extended Authentication Within ISAKMP/Oakley (draft-ietf-ipsec-isakmp-xauth-01.txt)
A GSS-API Authentication Mode for ISAKMP/Oakley (draft-ietf-ipsec-isakmp-gss-auth-00.txt)
The ISAKMP Configuration Method (draft-ietf-ipsec-isakmp-mode-cfg-02.txt)
IPsec Internet Drafts - Additional Key Mgmt Modes (cont’d)
A revised encryption mode for ISAKMP/Oakley (draft-ietf-ipsec-revised-enc-mode-01.txt)
Revised SA negotiation mode for ISAKMP/Oakley (draft-ietf-ipsec-isakmp-SA-revised-00.txt)
IPsec Internet Drafts - Additional Documents
Implementation of Virtual Private Network (VPNs) with IP Security (draft-moskowitz-ipsec-vpn-00.txt)
Dynamic remote host configuration over IPSEC using DHCP (draft-ietf-ipsec-dhcp-00.txt)
IPSec Policy Data Model (draft-ietf-ipsec-policy-model-00.txt)