Post on 18-Dec-2015

IPSec—An Overview

Somesh Jha

University of Wisconsin

Outline

Why IPSec?
IPSec Architecture
Internet Key Exchange (IKE)
IPSec Policy
Discussion

IP is not Secure!

IP protocol was designed in the late 70s to early 80s
– Part of DARPA Internet Project
– Very small network
  • All hosts are known!
  • So are the users!
  • Therefore, security was not an issue

Security Issues in IP

source spoofing
replay packets
no data integrity or confidentiality

• DOS attacks
• Replay attacks
• Spying
• and more…

Fundamental Issue: Networks are not (and will never be) fully secure

Goals of IPSec

to verify sources of IP packets
– authentication
to prevent replaying of old packets
to protect integrity and/or confidentiality of packets
– data Integrity/Data Encryption

Outline

Why IPsec?
IPSec Architecture
Internet Key Exchange (IKE)
IPsec Policy
Discussion

The IPSec Security Model

[Figure labels: "Secure", "Insecure"]

IPSec Architecture

[Figure: architecture components]
ESP: Encapsulating Security Payload
AH: Authentication Header
IKE: The Internet Key Exchange
IPSec Security Policy

IPSec Architecture

IPSec provides security in three situations:
– Host-to-host, host-to-gateway and gateway-to-gateway
IPSec operates in two modes:
– Transport mode (for end-to-end)
– Tunnel mode (for VPN)

IPsec Architecture

[Figure labels: "Tunnel Mode", "Router", "Router", "Transport Mode"]

Various Packets

Original:        IP header | TCP header | data
Transport mode:  IP header | IPSec header | TCP header | data
Tunnel mode:     IP header | IPSec header | IP header | TCP header | data

IPSec

A collection of protocols (RFC 2401)
– Authentication Header (AH)
  • RFC 2402
– Encapsulating Security Payload (ESP)
  • RFC 2406
– Internet Key Exchange (IKE)
  • RFC 2409
– IP Payload Compression (IPcomp)
  • RFC 3137

Authentication Header (AH)

Provides source authentication
– Protects against source spoofing
Provides data integrity
Protects against replay attacks
– Use monotonically increasing sequence numbers
– Protects against denial of service attacks
NO protection for confidentiality!

AH Details

Use 32-bit monotonically increasing sequence number to avoid replay attacks
Use cryptographically strong hash algorithms to protect data integrity (96-bit)
– Use symmetric key cryptography
– HMAC-SHA-96, HMAC-MD5-96

AH Packet Details

[Figure: AH packet layout]
New IP header
Next header | Payload length | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data (hash of everything else)
Old IP header (only in Tunnel mode)
TCP header
Data
[Figure labels: "Authenticated", "Encapsulated TCP or IP packet"]
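
The receive-side checks described on the AH Details and AH Packet Details slides, as an added Python sketch that is not part of the original deck. Assumptions: the 96-bit authentication data here covers only SPI, sequence number and payload (real AH also covers parts of the IP header), sequence numbers start at 1, and a 32-packet sliding window is used so that reordered packets are still accepted, which goes beyond the plain increasing counter named on the slide.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # 96-bit truncated HMAC, as in HMAC-SHA-96
WINDOW = 32    # anti-replay window size (assumption of this sketch)

def icv(key, spi, seq, payload):
    """HMAC-SHA1 over SPI | sequence number | payload, truncated to 96 bits."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, spi, seq, payload):
    """Sender side: SPI | sequence number | authentication data | payload."""
    return struct.pack("!II", spi, seq) + icv(key, spi, seq, payload) + payload

class Receiver:
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number authenticated so far
        self.seen = 0      # bit i set: (highest - i) was already accepted

    def accept(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return "drop: truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        tag, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
        if spi != self.spi:
            return "drop: unknown SPI"
        age = self.highest - seq   # >= 0 means not newer than the window head
        if seq == 0 or age >= WINDOW or (age >= 0 and (self.seen >> age) & 1):
            return "drop: replay"
        if not hmac.compare_digest(tag, icv(self.key, spi, seq, payload)):
            return "drop: bad ICV"
        # Advance the window only after the packet has authenticated, so a
        # forged high sequence number cannot push genuine packets out of it.
        if age < 0:
            self.seen = ((self.seen << -age) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << age
        return "accept"
```

The order of the checks matters: the replay test is cheap and runs first, but the window state changes only once the HMAC has verified.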

Encapsulating Security Payload (ESP)

Provides all that AH offers, and in addition provides data confidentiality
– Uses symmetric key encryption

ESP Details

Same as AH:
– Use 32-bit sequence number to counter replaying attacks
– Use integrity check algorithms
Only in ESP:
– Data confidentiality:
  • Uses symmetric key encryption algorithms to encrypt packets

ESP Packet Details

[Figure: ESP packet layout. Labels: IP header; Security Parameters Index (SPI); Sequence Number; Initialization vector; TCP header; Data; Pad; Pad length; Next; Authentication Data; Next header; Payload length; Reserved; "Authenticated"; "Encrypted TCP packet"]

Question?

1. Why have both AH and ESP?
2. Both AH and ESP use symmetric key based algorithms
– Why not public-key cryptography?
– How are the keys being exchanged?
– What algorithms should we use?
– Similar to deciding on the ciphersuite in SSL

Outline

Why IPsec?
IPsec Architecture
Internet Key Exchange (IKE)
IPsec Policy
Discussion

Internet Key Exchange (IKE)

Exchange and negotiate security policies
Establish security sessions
– Identified as Security Associations
Key exchange
Key management
Can be used outside IPsec as well

IPsec/IKE Acronyms

Security Association (SA)
– Collection of attributes associated with a connection
– Is asymmetric!
  • One SA for inbound traffic, another SA for outbound traffic
  • Similar to ciphersuites in SSL
Security Association Database (SADB)
– A database of SAs

IPsec/IKE Acronyms

Security Parameter Index (SPI)
– A unique index for each entry in the SADB
– Identifies the SA associated with a packet
Security Policy Database (SPD)
– Store policies used to establish SAs

How They Fit Together

[Figure labels: SPD, SADB, SA-1, SA-2, SPI, SPI]

SPD and SADB Example

[Figure: network with nodes A, B, C and D, labelled "Tunnel Mode" and "Transport Mode"]

A's SPD
From  To    Protocol  Port  Policy
A     B     Any       Any   AH[HMAC-MD5]

A's SADB
From  To    Protocol  SPI   SA Record
A     B     AH        12    HMAC-MD5 key

C's SPD
From  To    Protocol  Port  Policy     Tunnel Dest
Asub  Bsub  Any       Any   ESP[3DES]  D

C's SADB
From  To    Protocol  SPI   SA Record
Asub  Bsub  ESP       14    3DES key
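
How an outbound packet is matched against these tables, as an added Python sketch that is not part of the original deck. It uses the table rows above for A and C and returns the header order from the Various Packets slide (transport or tunnel mode). The IP addresses standing in for A, B, D, Asub and Bsub are constructed, and passing unmatched traffic through unchanged is an assumption of this sketch.

```python
import ipaddress

# Constructed addresses standing in for the slide's A, B, D, Asub and Bsub.
A, B, D = "10.1.0.5", "10.2.0.9", "192.0.2.1"
ASUB, BSUB = "10.1.0.0/16", "10.2.0.0/16"

# A's tables (host, transport mode) and C's tables (gateway, tunnel to D).
A_SPD = [{"src": A + "/32", "dst": B + "/32", "proto": "AH",
          "alg": "HMAC-MD5", "tunnel_dst": None}]
A_SADB = [{"src": A + "/32", "dst": B + "/32", "proto": "AH",
           "spi": 12, "key": b"constructed-md5-key"}]
C_SPD = [{"src": ASUB, "dst": BSUB, "proto": "ESP",
          "alg": "3DES", "tunnel_dst": D}]
C_SADB = [{"src": ASUB, "dst": BSUB, "proto": "ESP",
           "spi": 14, "key": b"constructed-3des-key"}]

def covers(selector, addr):
    """True if the address falls inside the selector's prefix."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector)

def outbound(spd, sadb, src, dst):
    """Return the header layout for a TCP packet src -> dst, outermost first."""
    inner = ["IP(%s->%s)" % (src, dst), "TCP", "data"]
    policy = next((p for p in spd
                   if covers(p["src"], src) and covers(p["dst"], dst)), None)
    if policy is None:
        return inner   # assumption: unmatched traffic leaves unchanged
    sa = next((s for s in sadb if s["proto"] == policy["proto"]
               and covers(s["src"], src) and covers(s["dst"], dst)), None)
    if sa is None:
        # Policy exists but no SA yet: this is where IKE would be invoked.
        return ["IKE: negotiate %s[%s]" % (policy["proto"], policy["alg"])]
    ipsec = "%s(spi=%d)" % (sa["proto"], sa["spi"])
    if policy["tunnel_dst"]:
        # Tunnel mode: the whole original packet sits behind a new IP header.
        return ["IP(->%s)" % policy["tunnel_dst"], ipsec] + inner
    # Transport mode: the IPsec header goes between the IP and TCP headers.
    return [inner[0], ipsec] + inner[1:]
```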

How It Works

IKE operates in two phases
– Phase 1: negotiate and establish an auxiliary end-to-end secure channel
  • Used by subsequent phase 2 negotiations
  • Only established once between two end points!
– Phase 2: negotiate and establish custom secure channels
  • Occurs multiple times
– Both phases use Diffie-Hellman key exchange to establish a shared key

IKE Phase 1

Goal: to establish a secure channel between two end points
– This channel provides basic security features:
  • Source authentication
  • Data integrity and data confidentiality
  • Protection against replay attacks

IKE Phase 1

Rationale: each application has different security requirements
But they all need to negotiate policies and exchange keys!
So, provide the basic security features and allow applications to establish custom sessions

Examples

All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check
All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required)

Phase 1 Exchange

Can operate in two modes:
– Main mode
  • Six messages in three round trips
  • More options
– Quick mode
  • Four messages in two round trips
  • Fewer options

Phase 1 (Main Mode)

Initiator    Responder

[Header, SA1]

Phase 1 (Main Mode)

Initiator    Responder

[Header, SA1]

[Header, SA2]

Establish vocabulary for further communication

Phase 1 (Main Mode)

Initiator    Responder

[Header, SA1]

[Header, SA2]

[Header, KE, Ni {, Cert_Req}]

Phase 1 (Main Mode)

Initiator    Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {, Cert_Req}]

[Header, KE, Nr {, Cert_Req}]

Establish secret key using Diffie-Hellman key exchange
Use nonces to prevent replay attacks

Phase 1 (Main Mode)

Initiator    Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {, Cert_Req}]

[Header, KE, Nr {, Cert_Req}]

[Header, IDi, {CERT} sig]

Phase 1 (Main Mode)

Initiator    Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {, Cert_Req}]

[Header, KE, Nr {, Cert_Req}]

[Header, IDi, {CERT} sig]

[Header, IDr, {CERT} sig]

Signed hash of IDi (without Cert_Req, just send the hash)

Phase 1 (Aggressive Mode)

Initiator    Responder

[Header, SA1, KE, Ni, IDi]

Phase 1 (Aggressive Mode)

Initiator    Responder

[Header, SA1, KE, Ni, IDi]

[Header, SA2, KE, Nr, IDr, [Cert]sig]

[Header, [Cert]sig]

First two messages combined into one (combine Hello and DH key exchange)

IPSec (Phase 1)

Four different ways to authenticate (either mode)
– Digital signature
– Two forms of authentication with public key encryption
– Pre-shared key
NOTE: IKE does use public-key based cryptography for encryption

IPSec (Phase 2)

Goal: to establish custom secure channels between two end points
– End points are identified by <IP, port>:
  • e.g. <www.mybank.com, 8000>
– Or by packet:
  • e.g. All packets going to 128.124.100.0/24
– Use the secure channel established in Phase 1 for communication

IPSec (Phase 2)

Only one mode: Quick Mode
Multiple quick mode exchanges can be multiplexed
Generate SAs for two end points
Can use secure channel established in phase 1

IP Payload Compression

Used for compression
Can be specified as part of the IPSec policy
Will not cover!

Outline

Why IPsec?
IPsec Architecture
Internet Key Exchange (IKE)
IPSec Policy
Discussion

IPsec Policy

Phase 1 policies are defined in terms of protection suites
Each protection suite
– Must contain the following:
  • Encryption algorithm
  • Hash algorithm
  • Authentication method
  • Diffie-Hellman Group
– May optionally contain the following:
  • Lifetime
  • …

IPSec Policy

Phase 2 policies are defined in terms of proposals
Each proposal:
– May contain one or more of the following
  • AH sub-proposals
  • ESP sub-proposals
  • IPComp sub-proposals
  • Along with necessary attributes such as key length, life time, etc

IPSec Policy Example

In English:
– All traffic to 128.104.120.0/24 must be:
  • Use pre-hashed key authentication
  • DH group is MODP with 1024-bit modulus
  • Hash algorithm is HMAC-SHA (128 bit key)
  • Encryption using 3DES
In IPSec:
– [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]

IPsec Policy Example

In English:
– All traffic to 128.104.120.0/24 must use one of the following:
  • AH with HMAC-SHA or,
  • ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm)
In IPsec:
– [AH: HMAC-SHA] or,
– [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]

Virtual Private Networks (VPNs)

Virtual
– It is not a physically distinct network
Private
– Tunnels are encrypted to provide confidentiality
CS dept might have a VPN
– I can be on this VPN while traveling

Alice is Traveling

Alice works for the mergers and acquisitions (M&A) department of takeover.com
She is at Hicktown taking over a meat-packing plant
She wants to access the M&A server at her company (confidentially of course)

[Figure: Alice is Traveling]

Outline

Why IPsec?
IPsec Architecture
Internet Key Exchange (IKE)
IPsec Policy
Discussion

Discussion

IPSec is not the only solution!
– Security features can be added on top of IP!
  • e.g. Kerberos, SSL
Confused?
– IP, IPSec protocols are very complex!
  • Two modes, three sub protocols
– Complexity is the biggest enemy of security

Discussion

Has it been used?
– Yes—primarily used by some VPN vendors
  • But not all routers support it
– No—it is not really an end-to-end solution
  • Authentication is too coarse (host based)
  • Default encryption algorithm too weak (DES)
  • Too complex for applications to use

Resources

IP, IPsec and related RFCs:
– http://www.ietf.org/html.charters/ipsec-charter.html
– IPsec: RFC 2401, IKE: RFC 2409
– www.freeswan.org
Google search