Page 1: Virtual Private Networks (VPNs) and IP Security (IPSec)

G53ACC

Chris Greenhalgh

Page 2: Contents

What is a VPN?
Types of VPN
Standards
How does it work
Issues

Books: Comer ch. 15.5, 40.13, 40.14; Stallings 6th Ed. Ch. 18.5 (“IPv4/IPv6 security”)

Page 3: What is a VPN? (1)

Public network:

– Shared network using common networking infrastructure, e.g. the Internet

[Figure: a public network (insecure, open) to which both trusted machines and malicious machines are attached]

Page 4: What is a VPN? (2)

Private network:

– Dedicated network, specific to a single company/organisation

More secure, guaranteed quality of service, but more expensive

[Figure: a private network reached only by trusted machines; untrusted machines have no physical access to it]

Page 5: What is a VPN? (3)

Virtual Private Network:

– Benefits of a private network, but making use of a public network to carry packets

Secure, cheaper than a private network

[Figure: trusted machines joined by a VPN running over the public network (insecure, open); other machines can access packets on the public network but cannot read/write VPN data]

Page 6: VPN Overview

[Figure: a regular IP packet enters a VPN access point (encrypt/decrypt, hardware or software), crosses the public network as an encrypted IP packet, and is turned back into a regular IP packet by the VPN access point on the far side. Machines on the public network cannot understand encrypted packets and cannot forge encrypted packets: a Virtual Private Network!]

Page 7: Types of VPN (CISCO-speak!)

Intranet VPN

– Straight replacement for an internal private network

Access VPN

– Allows remote dialup users (e.g. from laptop) to securely ‘join’ the company intranet

Authentication is a critical concern! i.e. securely identifying the remote user/device

Extranet VPNs

– Includes partner organisations, but retains additional security and QoS support over public network(s).

Page 8: Standards?

E.g. the Internet IP Security (IPsec) standards:

– RFCs 2401-2411 & 2451

Includes standards:

– Internet Key Exchange (RFC 2409): allows peers to authenticate and establish secure session information

– Authentication Header (AH) (RFC 2402): packet (& header) integrity & authentication

– Encapsulated Security Payload (ESP) (RFC 2406): additionally, packet contents are encrypted

(Or Microsoft protocols, MPPE, MMTP?)

Page 9: How does it work?

Transport mode

– End systems negotiate IKE Security Association (SA) directly and use AH and/or ESP on packets sent to each other.

Tunnel mode (more common)

– Intermediate systems (e.g. access routers, firewalls) negotiate IKE SAs and tunnel packets to each other (with AH and/or ESP).

[Figure: two hosts connected via two routers. Transport mode: secured packets travel end to end between the hosts. Tunnel mode: normal packets between each host and its router, secured packets between the routers.]

Page 10: Security Association (SA)

Unidirectional logical channel between two hosts

– Logical secure ‘connection’ for ‘connectionless’ IP packets!

Typically defines:

– Protocol; chosen ciphers, e.g. HMAC hash function

– Shared secret key

Identified by:

– Security protocol (AH or ESP) identifier

– Destination IP address (not source as per some texts)

– 32 bit connection identifier or Security Parameter Index (SPI), selected by destination host

Established before secure communication can take place

– e.g. using IKE, or pre-configured

Page 11: Authentication Header protocol

AH fields:

– Next Header: points to TCP/UDP segment

– Security Parameter Index: identifies SA

– Sequence Number (32 bit): prevent playback/MITM

– Authentication Data: signed message digest for whole IP datagram (e.g. DES, MD5, or SHA)

Uses HMAC authentication scheme (see RFC 2104) using shared secret key:

– Hash(Key XOR outpad, Hash(Key XOR inpad, text))

[Figure: transport-mode packet layout: IP Header | AH Header | TCP/UDP Segment; the IP header's protocol field is 51]
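The HMAC formula on this slide, written out as added example code (not from the lecture): the RFC 2104 inner/outer construction with its key padding rules, the 96-bit truncation AH uses for its Authentication Data (from RFC 2404), and a constant-time check; the SA key and datagram bytes are constructed for the demo.

```python
import hashlib
import hmac as stdlib_hmac

BLOCK_SIZE = 64  # bytes per compression block for MD5 and SHA-1 (RFC 2104's B)


def rfc2104_hmac(key: bytes, text: bytes, hash_name: str = "sha1") -> bytes:
    """Hash(Key XOR opad, Hash(Key XOR ipad, text)), built as RFC 2104 describes."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    if len(key) > BLOCK_SIZE:             # keys longer than B are hashed first
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded out to B bytes
    inner = bytes(b ^ 0x36 for b in key)  # Key XOR ipad
    outer = bytes(b ^ 0x5C for b in key)  # Key XOR opad
    return h(outer + h(inner + text))


def ah_authentication_data(key: bytes, datagram: bytes) -> bytes:
    """AH-style ICV: HMAC-SHA-1 truncated to its first 96 bits (RFC 2404)."""
    return rfc2104_hmac(key, datagram, "sha1")[:12]


def ah_verify(key: bytes, datagram: bytes, icv: bytes) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    return stdlib_hmac.compare_digest(ah_authentication_data(key, datagram), icv)


if __name__ == "__main__":
    # Constructed sample: a shared SA key and a byte string standing in for the
    # immutable IP-header fields, AH header and payload that AH authenticates.
    sa_key = b"shared-secret-from-IKE"
    datagram = b"src=10.0.0.1 spi=0x1001 seq=7 payload=hello"
    icv = ah_authentication_data(sa_key, datagram)
    print("ICV      :", icv.hex())
    print("valid    :", ah_verify(sa_key, datagram, icv))
    # Any in-transit change (here one payload byte) invalidates the ICV.
    print("tampered :", ah_verify(sa_key, datagram.replace(b"hello", b"jello"), icv))
```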

Page 12: AH Notes

Only the parties sharing the SA’s secret key can compute the Hashed Message Authentication Code (HMAC)

The HMAC covers the source IP address, SPI, sequence number and payload

Therefore:

– Another host cannot construct a packet appearing to come from the source host with a correct (for that source) HMAC

– Another host cannot re-generate a correct HMAC for that source if it changes any of the packet in transit

– Replay is easily detected and packets with repeated sequence number dropped early in processing
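The replay detection in the last bullet, as an added example (not from the lecture): the receiver-side sliding window over sequence numbers that RFC 2401 specifies (minimum 32, default 64), which also accepts packets that arrive slightly out of order. The packet stream at the bottom is constructed.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over AH/ESP sequence numbers (RFC 2401).

    Bit i of `bitmap` is set when sequence number (top - i) has been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # packets seen within [top - size + 1, top]

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is fresh (and record it); False if it must be dropped."""
        if seq == 0:
            return False                    # AH/ESP counters start at 1
        if seq > self.top:                  # advances the window to the right
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                    # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False                    # already seen: replay
        self.bitmap |= 1 << diff            # late but fresh: accept once
        return True


def filter_packets(seqs):
    """Run a stream of sequence numbers through one SA's window; return the accepted ones."""
    window = AntiReplayWindow()
    return [s for s in seqs if window.check_and_update(s)]


if __name__ == "__main__":
    # Constructed stream: one replay (second 2), one reordered packet (4 after 5)
    # and one packet (3) that arrives long after the window has moved past it.
    print(filter_packets([1, 2, 3, 2, 5, 4, 1000, 3]))  # [1, 2, 3, 5, 4, 1000]
```

The window is only updated after the HMAC has verified, otherwise a forged packet with a large sequence number could slide the window forward and cause genuine packets to be dropped.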

Page 13: Encapsulated Security Payload protocol

Header includes:

– Security Parameter Index: as per AH

– Sequence Number (32 bit): as per AH

Encryption: e.g. DES-CBC

Trailer includes:

– Next Header: encrypted, so segment protocol is hidden

Authentication trailer: as per AH authentication data (optional, per SA)

[Figure: transport-mode packet layout: IP Header | ESP Header | TCP/UDP Segment | ESP Trailer | ESP Auth.; the IP header's protocol field is 50. The segment and ESP trailer are encrypted; the ESP header, segment and trailer are authenticated.]

Page 14: ESP Notes

Can be used as above in transport mode

– NB does not authenticate or encrypt IP Header info (AH does authenticate IP Header info)

Can also be used in tunnel mode:

– Encrypts and authenticates all of original packet

– Especially between security gateways, but also between hosts

[Figure: tunnel-mode packet layout: New IP Header | ESP Header | Original IP Header | TCP/UDP Segment | ESP Trailer | ESP Auth.; the new IP header's protocol field is 50. Everything from the original IP header to the ESP trailer is encrypted; the ESP header through the ESP trailer is authenticated.]
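The ESP framing from the last two slides, as added example code (not from the lecture): the header (SPI, sequence number), the RFC 2406 padding that makes payload + Pad Length + Next Header fill whole cipher blocks, the ESP Auth. computed over header and ciphertext, and a receiver that checks the ICV before it decrypts or trusts the trailer. The cipher is an identity stand-in so the framing runs offline; the key and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96 authentication data, as in AH


def esp_padding(payload_len: int, block_size: int) -> bytes:
    """RFC 2406: payload + padding + Pad Length (1) + Next Header (1) fills whole
    cipher blocks; the default pad bytes are 1, 2, 3, ... so the receiver can check them."""
    pad_len = (-(payload_len + 2)) % block_size
    return bytes(range(1, pad_len + 1))


def build_esp(spi, seq, payload, next_header, auth_key, encrypt, block_size=8):
    header = struct.pack("!II", spi, seq)                  # ESP Header: SPI, Sequence Number
    pad = esp_padding(len(payload), block_size)
    trailer = pad + bytes([len(pad), next_header])         # ESP Trailer: padding, Pad Length, Next Header
    ciphertext = encrypt(payload + trailer)                # trailer travels inside the ciphertext
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv                       # ESP Header | encrypted | ESP Auth.


def parse_esp(packet, auth_key, decrypt):
    header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):             # verify BEFORE decrypting
        raise ValueError("ESP ICV mismatch: packet dropped")
    spi, seq = struct.unpack("!II", header)
    plaintext = decrypt(ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    pad, payload = plaintext[-2 - pad_len:-2], plaintext[:-2 - pad_len]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding malformed: packet dropped")
    return spi, seq, next_header, payload


def identity_stand_in(data: bytes) -> bytes:
    """Constructed stand-in for DES-CBC so the framing can be run offline. Not a cipher."""
    return data


if __name__ == "__main__":
    key = b"esp-auth-key-from-IKE"
    pkt = build_esp(0x1001, 1, b"GET / HTTP/1.0\r\n", 6, key, identity_stand_in)  # Next Header 6 = TCP
    print(pkt.hex())
    print(parse_esp(pkt, key, identity_stand_in))
```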

Page 15: Issues

Configuration

– Public Key infrastructure (or shared initial secrets) for IKE SA establishment

– Security policies – defining what is allowed

Resources/deployment

– Client IPsec software for transport mode

– VPN-capable routers for tunnel mode

– Encryption CPU costs (e.g. extra router hardware support)