Dynamic Routing Inside IPsec VPNs

New Threats and Defenses

Paul Knight, Nortel Networks

paknight@nortelnetworks.com

Page 2

Black Hat Briefings – Paul Knight

Agenda

• Setting the stage
  – IPsec topology background
  – Dynamic routing in IPsec
• Attack and Defense
  – Attacks from the Internet
    • Denial of service
    • Remote access “Split tunnel”
  – Internal “branch-to-branch” attacks
    • Routing attacks
    • Misconfigurations
  – Requirements: Securing IPsec routing

Page 3

IPsec topology background

• The IPsec VPN model
  – What is an “IPsec Gateway”?
  – What are Tunnel and Transport Modes?
  – What’s a Security Association?
• IPsec VPN topologies
  – Not host-to-host
  – Remote access VPN
  – Major focus: Multi-site, branch offices

Page 4

IPSec VPN models: Hosts and Security Gateways

[Figure: three diagrams, each showing a Trusted Network, an IPSec Gateway, and the Untrusted Network (Internet)]

• “Branch-to-branch” VPN model: between IPsec gateways
• “Remote access” VPN model: host to gateway
• Host-to-host (not VPN)

Page 5

Two IPSec Modes: Transport and Tunnel Mode

[Figure: packet layouts]
Original packet: IP Header | Data
Transport Mode: Original IP Header | IPSec ESP Header | Data (optional encryption covers Data)
Tunnel Mode: New IP Header (outer IP header) | IPSec ESP Header | Original IP Header (inner IP header) | Data (optional encryption covers Original IP Header and Data)

Page 6

Application of the IPsec modes

[Figure: Host – Trusted Network – IPSec Gateway – Untrusted Network (Internet) – IPSec Gateway – Trusted Network – Host]

• Can use Transport (or Tunnel) Mode between Hosts
• Can ONLY use Tunnel Mode between Gateways (or extra IP encapsulation inside Transport Mode) – MUST hide IP addresses of trusted networks

Page 7

Application of the IPsec modes – Remote Access

[Figure: remote host – Untrusted Network (Internet) – IPsec Gateway – Trusted Network]

• SHOULD use Tunnel Mode between host and gateway
  – Hide IP addresses of trusted networks
  – Allow remote host to truly join trusted network
  – IPsec gateway assigns host a tunnel address, like DHCP
• Alternative: Transport Mode to “Application Level Gateway”
  – IPsec gateway actually becomes a “host”
  – Remote host is limited to applications supported by “gateway”
  – Similar to SSL gateway model; heavy burden on “gateway”

Page 8

Security Association (SA)

• SA = All the information shared between two IPsec systems to establish secure communication
  – Selection of the security mechanisms:
    • ESP or AH protection
    • Ciphering algorithm
    • Hash function
    • Choice of authentication method
  – Authentication of the two parties
  – Choice of the ciphering and authentication keys

Page 9

Security Databases

• A model to ensure a minimum of interoperability
• RFC 2401 - “Security Architecture for IP”
• Two Security Databases maintained on the IPSec system
  – Security Policy Database (SPD)
  – Security Association Database (SAD)

Page 10

Security Association Database (SAD)

• All active Security Associations
• For each SA entry, includes:
  – Identifier:
    • Outer destination IP address
    • Security Protocol
    • SPI – Security Parameter Index
  – Parameters
    • Authentication algorithm and keys
    • Encryption algorithm and keys
    • Lifetime
    • Security Protocol Mode (tunnel or transport)
    • Anti-replay service
    • Link with an associated policy in the SPD

Page 11

Security Policy Database (SPD)

• Applies to every packet
• For each policy entry, includes:
  – Selectors
    • Destination IP Address
    • Source IP Address
    • Name
    • Transport Layer Protocol (protocol number)
    • Source and Destination Ports
  – The policy:
    • Discard the packet, bypass or process IPSec
    • For IPSec Processing:
      - Security Protocol and Mode
      - Enabled Services (anti-replay, authentication, encryption)
      - Algorithms (for authentication and/or encryption)
  – Link to an active SA in the SAD (if it exists)

Page 12

Inbound Packet Processing

[Figure: a protected packet (IP Header | IPSec) enters the IPSec System, which consults the SAD and then the SPD; the plaintext packet (IP Header) exits]

1. Identifies the SA in the SAD upon the selectors (outer destination IP address, Security Protocol, SPI)
2. Read the SA parameters
3. Performs the enabled IPSec services
   - Authentication
   - Decryption
   - Anti-replay service
4. Identifies the policy according to the selector
5. Check the policy

Page 13

Outbound Packet Processing

[Figure: a plaintext packet (IP Header) enters the IPSec System, which matches the policy selectors in the SPD and follows the link to the SAD; the protected packet (IP Header | IPSec) exits]

1. Identifies the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate new SA if necessary
4. Read the SA parameters specified by the link
5. Computes the IPSec processing
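The outbound and inbound sequences above, together with the SPD/SAD structures of pages 9-11, as an added worked example in Python. It is not code from the talk or from any IPsec implementation; the cryptography is a labelled ESP( ) wrapper, and the site addresses, gateway addresses and SPIs are constructed. The same model runs the scenario of pages 16-19: once site Z adds a network that no selector covers, the SPD discards the traffic no matter what route the gateway has learned.

```python
"""Toy model of the RFC 2401 SPD/SAD lookups (pages 9-13), also used to show
why SA selectors behave like static routes (pages 16-19).

Added illustration, not code from the talk or from any IPsec stack.  The
cryptography is a labelled stub; only the lookup order and the SPD/SAD
links are modelled.  Site addresses and SPIs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP = 50                          # IP protocol number for ESP
LOCAL_GATEWAY = "198.51.100.1"    # constructed outer address of the Site A gateway


@dataclass
class SA:
    spi: int
    outer_dst: str                # SAD identifier: outer destination, protocol, SPI
    policy_id: int                # link to the SPD entry this SA serves


@dataclass
class Policy:
    policy_id: int
    src_sel: str                  # selector: source prefix
    dst_sel: str                  # selector: destination prefix
    action: str                   # "discard", "bypass" or "protect"
    peer: Optional[str] = None    # remote gateway, for "protect"
    out_spi: Optional[int] = None # link to the active outbound SA, if any


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    spi: Optional[int] = None     # set when IPsec-protected
    outer_dst: Optional[str] = None


def matches(policy, src, dst):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(policy.src_sel)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(policy.dst_sel))


class IPsecSystem:
    def __init__(self, spd):
        self.spd = spd            # ordered list of Policy
        self.sad = {}             # (outer_dst, protocol, spi) -> SA
        self._next_spi = 0x1000

    def _negotiate_sa_pair(self, policy):
        """Outbound step 3: set up the SA pair (stands in for IKE)."""
        out_sa = SA(self._next_spi, policy.peer, policy.policy_id)
        in_sa = SA(self._next_spi + 1, LOCAL_GATEWAY, policy.policy_id)
        self._next_spi += 2
        for sa in (out_sa, in_sa):
            self.sad[(sa.outer_dst, ESP, sa.spi)] = sa
        policy.out_spi = out_sa.spi
        return out_sa

    def outbound(self, pkt):
        # 1-2. find the policy by selectors and read its parameters
        policy = next((p for p in self.spd if matches(p, pkt.src, pkt.dst)), None)
        if policy is None or policy.action == "discard":
            return None           # no policy covers this destination: discard
        if policy.action == "bypass":
            return pkt
        # 3-4. initiate an SA if necessary, then read the linked SA
        sa = self.sad.get((policy.peer, ESP, policy.out_spi)) or self._negotiate_sa_pair(policy)
        # 5. apply the IPsec processing (stub)
        return Packet(pkt.src, pkt.dst, b"ESP(" + pkt.payload + b")",
                      spi=sa.spi, outer_dst=sa.outer_dst)

    def inbound(self, pkt):
        # 1-2. identify the SA by (outer destination, protocol, SPI) and read it
        sa = self.sad.get((pkt.outer_dst, ESP, pkt.spi))
        if sa is None:
            return None           # unknown SA: drop
        # 3. enabled services: authentication, decryption, anti-replay (stub)
        clear = Packet(pkt.src, pkt.dst, pkt.payload[4:-1])
        # 4-5. find the policy (inbound half = outbound selectors reversed) and
        #      check that the packet arrived on the SA linked to that policy
        policy = next((p for p in self.spd if matches(p, clear.dst, clear.src)), None)
        if policy is None or policy.policy_id != sa.policy_id:
            return None           # wrong SA for this traffic: drop
        return clear


def site_a():
    return IPsecSystem([
        Policy(1, "10.1.0.0/16", "10.2.0.0/16", "protect", peer="198.51.100.2"),  # tunnel to X
        Policy(2, "10.1.0.0/16", "10.3.0.0/16", "protect", peer="198.51.100.3"),  # tunnel to Z
        Policy(3, "0.0.0.0/0", "0.0.0.0/0", "discard"),
    ])


def demo():
    gw = site_a()
    out = gw.outbound(Packet("10.1.1.5", "10.3.7.9", b"hello"))
    reply = gw.inbound(Packet("10.3.7.9", "10.1.1.5", b"ESP(reply)",
                              spi=out.spi + 1, outer_dst=LOCAL_GATEWAY))
    # Site Z adds 10.30.0.0/16.  Whatever route the gateway has learned, no
    # selector covers it, so the SPD discards the packet: the "static route".
    lost = gw.outbound(Packet("10.1.1.5", "10.30.7.9", b"hello"))
    return out, reply, lost
```

The inbound check in step 5 is the part a practitioner should keep in mind: a packet is not accepted merely because it decrypted on some SA; it must also have arrived on the SA that the matching policy links to.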

Page 14

Agenda

• Setting the stage
  – IPsec topology background
  – Dynamic routing in IPsec
• Attack and Defense
  – Attacks from the Internet
    • Denial of service
    • Remote access “Split tunnel”
  – Internal “branch-to-branch” attacks
    • Routing attacks
    • Misconfigurations
  – Requirements: Securing IPsec routing

Page 15

Why is dynamic routing in IPsec VPNs important?

• Like ANY sizable network – without dynamic routing, life is HARD!
• It’s too hard to maintain static routes
• Hard to set up load balancing
• Hard to set up failover
• Hard to manage changes
• Hard to add new network sites

Page 16

The IPsec “routing problem”

• Usual conversation:
  – What’s the problem? You can already carry routing protocols over IPsec.
  – Yes, but you can’t actually use them to ROUTE.
  – Huh?
  – The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes.
  – Oh… Yeah… I see the problem.

Page 17

The IPsec “routing problem”

• Dynamic routing in VPNs is a requirement
• Tunnel mode is incompatible with dynamic routing
  – draft-touch-ipsec-vpn-04.txt (IETF – http://www.ietf.org/internet-drafts/X)
  – draft-wang-cevpn-routing-00.txt
  – draft-knight-ppvpn-ipsec-dynroute-01.txt
• WHY? Security Associations are created with selectors; tunnels have built-in “static routes”
• SP and SA Database lookups do the “routing”
• SA setup is orders of magnitude slower than routing change; dynamically changing SAs due to routing updates doesn’t scale

Page 18

Reference topology

[Figure: Site A CPE connected across the Untrusted Network to Site X CPE, Site Y CPE, and Site Z CPE]

• Typical dynamic routing issues
  – “Z” adds a new network
  – New site added (Hub/spoke model)
  – A link (IPsec connection) breaks; re-route through another site

Page 19

SP, SA Databases determine “routing” into tunnels – cannot adapt dynamically

[Figure: IPsec Gateway (CPE) at Site A; outbound traffic is matched against the SPD and SAD, with one SA pair per address range, into tunnels to Site X, Site Y, and Site Z across the Untrusted Network]

• SA pairs – 1 per address range
• Route exchange possible, but useless… (SPD, SAD control “routing”)

Page 20

The basic solution

• Remove the tunnel’s “static routes” …. HOW?
• (1) Use “wild card” in tunnel SAs (allow all traffic) OR
• (2) Use encapsulation to make the traffic fit the “static route”, by setting destination address in the encapsulated traffic
  – IP-in-IP over Transport (IIPtran)
  – Generic Routing Encapsulation (GRE) in tunnel or transport
• Both approaches are essentially similar in key ways, but (2) is more secure
  – IPsec can still apply source/destination selectors
  – Less chance for errors due to different systems’ dynamic routing abilities
• Either way, you must do “routing” (SA selection or encapsulation addressing) outside IPsec, and push traffic into a “VPN Tunnel” (may be Transport Mode)

Page 21

Routing outside IPsec: Each SPD/SAD handles a smaller address selector range

[Figure: IPsec Gateway at Site A with a Routing function in front of three SPD/SAD pairs, one per “VPN Tunnel” to Site X CPE, Site Y CPE, and Site Z CPE across the Untrusted Network; routing exchange via OSPF, RIP, etc. runs through the tunnels]

• One “VPN Tunnel” SA pair between sites (unless QOS or security requires more)

Page 22

Tunnel mode = Transport mode + IP encapsulation

• Key concept for dynamic routing
  1) Determine “next IPsec hop” of the packet, using policy, based on any criteria the “routing engine” can handle – route to destination (using dynamic information!), protocol, port (socket), even content analysis (URL, etc.)
  2) Construct new encapsulating IP header with source/destination of next IPsec hop
  3) Pass to IPsec process for TRANSPORT mode processing
• Resulting packet is equivalent to tunnel mode, but now it is routed using dynamic routing updates

Page 23

Tunnel mode = Transport mode + IP encapsulation

[Figure: packet layouts]
Remember transport mode? Original IP Header | IPSec ESP Header | Data (optional encryption covers Data)
IP-in-IP encapsulation: New IP Header | Original IP Header | Data – the addresses in the new IP header determine where the packet goes; “Original IP Header | Data” becomes the new “Data”
Transport mode applied to the encapsulated packet: New IP Header | IPSec ESP Header | Original IP Header | Data (optional encryption covers the new “Data”) – packet looks like Tunnel Mode!
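The three steps of page 22 and the layouts of page 23, as an added example in Python that is not part of the original deck. It builds real IPv4 headers and ESP header/trailer bytes (no encryption and no integrity value, so the figure’s “optional encryption” is left off), picks the next IPsec hop for an inner packet from a constructed next-hop table, IP-in-IP encapsulates it, applies transport-mode ESP, and checks that the result is byte-for-byte what tunnel mode would have produced. The gateway addresses and the next-hop table are assumptions.

```python
"""Tunnel mode == transport mode + IP-in-IP, shown on the wire (pages 20-23).

Added illustration, not code from the talk.  Only the headers are built: the
ESP payload is left in clear and the ESP ICV is omitted, so the bytes show
structure only.  Gateway addresses and the next-hop table are constructed.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4      # IP-in-IP
IPPROTO_ESP = 50

# Constructed next-hop table of the "routing engine": destination prefix ->
# next IPsec hop (peer gateway).  Maintained by routing, not by the SPD.
NEXT_IPSEC_HOP = {"10.2.0.0/16": "198.51.100.2", "10.3.0.0/16": "198.51.100.3"}
LOCAL_GATEWAY = "198.51.100.1"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum = (~(csum + (csum >> 16))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def header_checksum_ok(pkt):
    """True when the one's-complement sum of the header words is all ones."""
    s = sum(struct.unpack("!10H", pkt[:20]))
    s = (s >> 16) + (s & 0xFFFF)
    return ((s + (s >> 16)) & 0xFFFF) == 0xFFFF


def ip_packet(src, dst, proto, data):
    return ipv4_header(src, dst, proto, len(data)) + data


def esp_wrap(payload, next_header, spi, seq):
    """ESP header (SPI, sequence) + payload + padding + trailer (pad len, next header).
    Padding aligns the trailer to 4 bytes; no encryption or ICV here."""
    pad_len = (-(len(payload) + 2)) % 4
    pad = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, next_header])


def esp_transport(pkt, spi, seq):
    """Transport mode: the packet keeps its own IP header (protocol becomes ESP)
    and only what follows that header is wrapped."""
    proto, ttl = pkt[9], pkt[8]
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    body = esp_wrap(pkt[20:], proto, spi, seq)
    return ipv4_header(src, dst, IPPROTO_ESP, len(body), ttl) + body


def esp_tunnel(pkt, outer_src, outer_dst, spi, seq):
    """Tunnel mode: the whole original packet becomes the ESP payload under a new header."""
    body = esp_wrap(pkt, IPPROTO_IPIP, spi, seq)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(body)) + body


def ip_in_ip(pkt, outer_src, outer_dst):
    return ip_packet(outer_src, outer_dst, IPPROTO_IPIP, pkt)


def route_then_protect(pkt, spi, seq):
    """Page 22, steps 1-3: choose the next IPsec hop, encapsulate toward it,
    then hand the result to transport-mode processing."""
    dst = ipaddress.ip_address(pkt[16:20])
    hop = next((gw for pfx, gw in NEXT_IPSEC_HOP.items()
                if dst in ipaddress.ip_network(pfx)), None)
    if hop is None:
        return None                               # no route: nothing to encapsulate toward
    return esp_transport(ip_in_ip(pkt, LOCAL_GATEWAY, hop), spi, seq)


def demo():
    """Returns (equivalent, routed_packet): routed_packet is what the routing
    engine + transport mode produced; equivalent says it equals tunnel mode."""
    udp = b"\x04\xd2\x00\x35\x00\x0c\x00\x00payload"       # constructed UDP payload
    inner = ip_packet("10.1.1.5", "10.3.7.9", 17, udp)
    routed = route_then_protect(inner, spi=0x1000, seq=1)
    tunnel = esp_tunnel(inner, LOCAL_GATEWAY, "198.51.100.3", spi=0x1000, seq=1)
    return routed == tunnel, routed
```

The equality holds because both paths leave the same outer header (protocol 50, addresses of the two gateways) and the same ESP trailer next-header value 4: in tunnel mode it is written by IPsec, in the IP-in-IP case it is simply the protocol field that the encapsulation already put there.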

Page 24

Routing with VPN tunnels

• What is a “VPN TUNNEL?”
  – An IPsec SA with NO effective address filters
  – May be IPsec tunnel mode or IP-in-IP over transport mode
  – It allows ANY IP traffic (unicast/multicast) to pass
  – It allows routing protocols to pass
  – Its end points are the IPsec gateway interfaces
  – It still protects all traffic with encryption
  – It is like an Ethernet, ATM, or Frame Relay “link” over the Internet, but secured by IPsec
• Since you can’t use the IPsec tunnel definitions or “filters” to select destinations, you MUST route before putting the traffic into an IPsec “VPN tunnel”

Page 25

Routing with VPN Tunnels: Requirements for IPsec Gateways

• Full-power router “inside” the IPsec gateway, with traffic and route filters, even firewalls
• Ability to separate VPN routes from external (untrusted network) and local routes
• Ability to use the endpoint of the IPsec “VPN Tunnel” just like any IP-capable interface
  – To pass routed traffic
  – To send and receive routing protocols

Page 26

Agenda

• Setting the stage
  – IPsec topology background
  – Dynamic routing in IPsec
• Attack and Defense
  – Attacks from the Internet
    • Remote access “Split tunnel”
    • Denial of service
  – Internal “branch-to-branch” attacks
    • Routing attacks
    • Misconfigurations
  – Requirements: Securing IPsec routing

Page 27

Remote Access IPsec VPN routing attack

[Figure: Remote Client – Untrusted Network (Internet) – IPsec Gateway – Trusted Network]

• Split tunneling
  – Captive tunnel: Client’s “default route” points into tunnel to IPsec gateway; other routes not allowed
  – Split tunnel: Client’s default route is into Internet; specific routes to trusted network are loaded into Client’s routing table by IPsec Gateway
• Denial of Service Attacks
  – Various attacks to waste Gateway’s resources (bandwidth, open connections, processing time, etc.)
  – Not the subject of this talk (but interesting!)

Page 28

[Figure: two diagrams comparing No Split Tunneling and Split Tunneling, each showing the Remote Client, the Untrusted Network (Internet), the IPsec Gateway, the Trusted Network, the Firewall, and an Internet Host]

Page 29

Why allow split tunneling?

• Avoid wasting bandwidth at VPN hub site
  – Internet traffic of clients would traverse the hub site
  – (Can be avoided by policy blocking Internet access during remote access, forcing client to logout of VPN)
• Short DHCP/PPPOE leases may require frequent contact to server at client’s ISP
  – Can’t contact server if all routes point to VPN tunnel
• Convenience of keeping VPN connection up during other Internet access

Page 30

Split Tunneling – Potential Attacks

• FTP relay through client
  – Client running FTP server can become conduit from Internet into trusted network
  – Other similar services running on client – tftp, smtp, or custom relay application, maybe malicious application
• RAT – Remote Access Trojan on client
  – Back Orifice, etc.
  – PC Anywhere (not a “Trojan” but same issue)
  – Allow remote control of PC, and thus potential access to trusted network

Page 31

Split Tunneling – Defenses

• Prevent split tunneling
  – Corporate policy decision
  – Enforcement through Gateway/client software capabilities
    • Gateway sends only default route to client
    • Client s/w reads routing table on client, reports to gateway and/or blocks access if routes are found.
• Prevent active relay services or remote control
  – Break connection if unexpected port is open on client
• Both defenses depend on client software ability to determine true state of client machine.
  – Depends on operating system and multitasking, multiprocessing capabilities of client system.
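A client-side posture check of the kind the two defenses above rely on, as an added example in Python (not the talk’s code and not any vendor’s VPN client). It parses a Linux-style netstat -rn routing table and a netstat -ln listener list, both constructed samples, flags any default route that does not point into the tunnel interface, and lists listening ports outside an allowlist; that is the information a client agent would report to the gateway or act on by dropping the connection. The tunnel interface name ipsec0 and the allowlist are assumptions.

```python
"""Client-side checks for the split-tunnel defenses on page 31.

Added illustration, not code from the talk or from any VPN client.  Both
inputs are constructed samples in Linux netstat format; the interface name
and the allowed-port list are assumptions.
"""
import ipaddress

TUNNEL_IFACE = "ipsec0"              # assumed name of the VPN tunnel interface
ALLOWED_LISTEN_PORTS = {68}          # e.g. DHCP client; anything else is unexpected

# Constructed `netstat -rn` output of a split-tunnelled client: the default
# route goes to the ISP router on eth0 while 10/8 is routed into the tunnel.
ROUTES_SPLIT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

# Constructed captive-tunnel client: default route into the tunnel; only the
# local LAN and a host route to the gateway's public address stay on eth0.
ROUTES_CAPTIVE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
203.0.113.5     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
"""

# Constructed `netstat -ln` output: an FTP server and a remote-control port.
SOCKETS_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5631            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def parse_routes(text):
    """Yield (network, gateway, interface) from a netstat -rn table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue                       # title and header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes


def parse_listeners(text):
    """Return the set of local ports with a listening TCP or bound UDP socket."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue
        if parts[0] == "tcp" and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        ports.add(int(parts[3].rsplit(":", 1)[1]))
    return ports


def assess(routes_text, sockets_text):
    """Return (split_tunnel, offending_default_routes, unexpected_ports).

    Captive tunnel means every default route goes into the tunnel interface;
    a default route anywhere else is the split-tunnel condition the gateway
    should be told about."""
    routes = parse_routes(routes_text)
    offending = [f"{net} via {iface}" for net, _, iface in routes
                 if net.prefixlen == 0 and iface != TUNNEL_IFACE]
    unexpected = sorted(parse_listeners(sockets_text) - ALLOWED_LISTEN_PORTS)
    return bool(offending), offending, unexpected
```

The LAN subnet route and the host route to the gateway’s public address are deliberately not flagged: the client needs them to keep the tunnel itself up, which is the same reason page 29 gives for DHCP/PPPoE lease renewals.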

Page 32

Branch-to-Branch IPsec VPN Routing Issues

• Misconfiguration
• Default Route issues
• Internal Routing Attack

[Figure: two Trusted Networks, each behind an IPSec Gateway and a Firewall, connected across the Untrusted Network (Internet); at each site’s Firewall the question “Default Route?” is marked]

Page 33

Security risks of incorrect routing in IPsec VPNs

• Traffic may be forced over an unprotected path
  – May be intercepted
• Traffic goes toward wrong destination
  – Doesn’t get to correct destination
  – May be intercepted
• Traffic follows “wrong” path toward correct destination
  – May be intercepted

Page 34

Attacks on routing

• Injection of routes inside a site
  – Malicious
    • Routing process running on compromised host or router
    • Redirect traffic toward a compromised system internal to trusted network
    • Redirect via default route over unprotected path through untrusted network
  – Misconfiguration
    • Advertising routes via unprotected path
    • Static routes configured in routers
    • Routed (routing daemon) running on unauthorized hosts

Page 35

Protection against routing attacks

• Routing authentication
• Options for OSPF
  – Keyed MD5 verifies identity
  – Digital signature allows tracing of bad route information
• Audit routers for bogus routes
• Restrict use of routing protocols on hosts
  – Use default route instead
  – Implement redundancy on routers (VRRP) or switches in LAN, not in host routing

Page 36

Default route attacks

• Where does default route point?
  – To Internet?
  – Lost “internal” route can result in traffic being sent over Internet
  – Particularly problematic if the destination is reachable via Internet
• Key solution: policies on firewall
  – No traffic to internal destinations goes out through firewall
  – No traffic from internal source address can come in through firewall
• Harder solution: no default route to Internet
  – Specific management/advertisement of “allowable” routes
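The two firewall policies above, applied to the “lost internal route” case, as an added Python example that is not part of the deck. A longest-prefix routing table with a default route to the Internet is paired with an egress rule (no internal destination leaves through the firewall) and an ingress rule (no internal source address comes in). When the route to site Z is withdrawn, the packet falls to the default route and the egress rule is what keeps it off the unprotected path. The address space and interface names are constructed.

```python
"""Firewall policies of page 36 against a lost internal route.

Added illustration, not code from the talk.  Address space and interface
names are constructed; "internet" is the firewall's untrusted-side interface.
"""
import ipaddress

# Address space of all VPN sites (constructed).  Anything in here is
# "internal" and must never be seen on the Internet-facing interface.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL)


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) entries; None if no route."""
    a = ipaddress.ip_address(dst)
    best = None
    for pfx, iface in routes:
        net = ipaddress.ip_network(pfx)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress_allowed(src, dst, iface):
    """Rule 1: no traffic to an internal destination goes out through the firewall."""
    return not (iface == "internet" and is_internal(dst))


def ingress_allowed(src, dst, iface):
    """Rule 2: no traffic with an internal source address comes in through the firewall."""
    return not (iface == "internet" and is_internal(src))


def forward(routes, src, dst):
    """Route a packet, then apply the egress rule.  Returns (interface, allowed)."""
    iface = lookup(routes, dst)
    return iface, egress_allowed(src, dst, iface)


def demo():
    healthy = [("0.0.0.0/0", "internet"), ("10.2.0.0/16", "ipsec-x"), ("10.3.0.0/16", "ipsec-z")]
    # The route to site Z is lost (tunnel down, withdrawn or never advertised):
    # 10.3.x now matches only the default route toward the Internet.
    degraded = [r for r in healthy if r[1] != "ipsec-z"]
    return {
        "healthy": forward(healthy, "10.1.1.5", "10.3.7.9"),       # ("ipsec-z", True)
        "degraded": forward(degraded, "10.1.1.5", "10.3.7.9"),     # ("internet", False)
        "spoof_in": ingress_allowed("10.3.7.9", "10.1.1.5", "internet"),  # False
        "public_out": forward(healthy, "10.1.1.5", "203.0.113.10"),       # ("internet", True)
    }
```

Without rule 1 the degraded case would be forwarded in clear over the Internet, and if 10.3.7.9 happened to be reachable there the traffic would even arrive, which is the “particularly problematic” case above. Rule 2 closes the matching hole in the other direction.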

Page 37

Securing IPsec Routing – Dynamic Routing Requirements

[Figure: IPsec Gateway at Site A with Firewall functions and a Routing function in front of three SPD/SAD pairs, one per tunnel to Site X CPE, Site Y CPE, and Site Z CPE across the Untrusted Network; routing exchange via OSPF, RIP, etc. runs through the tunnels]

Page 38

Securing IPsec Routing – Dynamic Routing Requirements

• Strong Firewall capabilities
  – Inbound/outbound
  – Full range stateful inspection capabilities
• Full router functionality INSIDE the IPsec Gateway
  – Route filtering to prevent attacks
  – Ability to separate internal/external routes
  – Ability to see IPsec peer gateways as next-hop for routes learned via IPsec VPN tunnels
• Apply the routing rules by encapsulating the traffic, with “next IPsec hop” as the destination

Page 39

Conclusion: Dynamic IPsec Routing opens new vulnerabilities

• The manageability and flexibility of dynamic routing are important for large networks, BUT:
• It is not enough to just add routing to an IPsec VPN box
• Firewall traffic filtering PLUS full-featured routing capabilities must be integrated into the system
• Remote access IPsec VPN security depends on trusted client software
  – To control insecure routing or relay capabilities of client
  – Use intrusion detection monitoring for verification

Page 40

Questions???

Thank You!