Dynamic Routing Inside IPsec VPNs


8/14/2019 Dynamic Routing Inside IPsec VPNs
1/40

Dynamic Routing Inside IPsec VPNs
New Threats and Defenses

Paul Knight, Nortel Networks
[email protected]


    Dynamic Routing Inside IPsec VPNs- 2

    Black Hat Briefings Paul Knight

Agenda

- Setting the stage: IPsec topology background
- Dynamic routing in IPsec
- Attack and Defense
  - Attacks from the Internet: Denial of service, Remote access, Split tunnel
  - Internal branch-to-branch attacks: Routing attacks, Misconfigurations
- Requirements: Securing IPsec routing


IPsec topology background

- The IPsec VPN model
  - What is an IPsec Gateway?
  - What are Tunnel and Transport Modes?
  - What's a Security Association?
- IPsec VPN topologies
  - Not host-to-host
  - Remote access VPN
  - Major focus: Multi-site, branch offices


IPSec VPN models: Hosts and Security Gateways

[Diagram: three models; each shows Trusted Networks connected across an Untrusted Network (Internet), with IPSec Gateways at the trusted/untrusted boundary where the model uses them]

- Branch-to-branch VPN model: between IPsec gateways
- Remote access VPN model: host to gateway
- Host-to-host (not VPN)


Two IPSec Modes: Transport and Tunnel Mode

[Diagram: packet layouts of the two modes]

Tunnel Mode:
  New IP Header (Outer IP Header) | IPSec ESP Header | Original IP Header (Inner IP Header) | Data
  Optional Encryption (covers the Original IP Header and Data)

Transport Mode:
  Original IP Header | IPSec ESP Header | Data
  Optional Encryption (covers the Data)


Application of the IPsec modes

[Diagram: Host - Trusted Network - IPSec Gateway - Untrusted Network (Internet) - IPSec Gateway - Trusted Network - Host]

- Can use Transport (or Tunnel) Mode between Hosts
- Can ONLY use Tunnel Mode between Gateways (or extra IP encapsulation inside Transport Mode)
- MUST hide IP addresses of trusted networks


Application of the IPsec modes: Remote Access

[Diagram: remote host - Untrusted Network (Internet) - IPsec Gateway - Trusted Network]

- SHOULD use Tunnel Mode between host and gateway
  - Hide IP addresses of trusted networks
  - Allow remote host to truly join trusted network
  - IPsec gateway assigns host a tunnel address, like DHCP
- Alternative: Transport Mode to Application Level Gateway
  - IPsec gateway actually becomes a host
  - Remote host is limited to applications supported by gateway
  - Similar to SSL gateway model; heavy burden on gateway


Security Association (SA)

SA = All the information shared between two IPsec systems to establish secure communication

- Selection of the security mechanisms:
  - ESP or AH protection
  - Ciphering algorithm
  - Hash function
  - Choice of authentication method
- Authentication of the two parties
- Choice of the ciphering and authentication keys


Security Databases

A model to ensure a minimum of interoperability: RFC 2401 - Security Architecture for IP

Two Security Databases maintained on the IPSec system:
- Security Policy Database (SPD)
- Security Association Database (SAD)


Security Association Database (SAD)

All active Security Associations. For each SA entry, includes:
- Identifier:
  - Outer destination IP address
  - Security Protocol
  - SPI (Security Parameter Index)
- Parameters:
  - Authentication algorithm and keys
  - Encryption algorithm and keys
  - Lifetime
  - Security Protocol Mode (tunnel or transport)
  - Anti-replay service
  - Link with an associated policy in the SPD


Security Policy Database (SPD)

Applies to every packet. For each policy entry, includes:
- Selectors:
  - Destination IP Address
  - Source IP Address
  - Name
  - Transport Layer Protocol (protocol number)
  - Source and Destination Ports
- The policy: discard the packet, bypass, or process IPSec
- For IPSec processing:
  - Security Protocol and Mode
  - Enabled Services (anti-replay, authentication, encryption)
  - Algorithms (for authentication and/or encryption)
  - Link to an active SA in the SAD (if it exists)


Inbound Packet Processing

[Diagram: an incoming packet (IP Header + IPSec) enters the IPSec System; its destination IP address, Security Protocol and SPI are looked up in the SAD, then the selectors are checked against the SPD; the decapsulated packet (IP Header) leaves]

1. Identify the SA in the SAD using the destination IP address, Security Protocol and SPI
2. Read the SA parameters
3. Perform the enabled IPSec services:
   - Authentication
   - Decryption
   - Anti-replay service
4. Identify the policy in the SPD according to the selectors
5. Check the policy


Outbound Packet Processing

[Diagram: an outgoing packet (IP Header) enters the IPSec System; its policy selectors are matched against the SPD and the linked SA is read from the SAD; the protected packet (IP Header + IPSec) leaves]

1. Identify the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate a new SA if necessary
4. Read the SA parameters specified by the link
5. Compute the IPSec processing


Agenda

- Setting the stage: IPsec topology background
- Dynamic routing in IPsec
- Attack and Defense
  - Attacks from the Internet: Denial of service, Remote access, Split tunnel
  - Internal branch-to-branch attacks: Routing attacks, Misconfigurations
- Requirements: Securing IPsec routing


Why is dynamic routing in IPsec VPNs important?

Like ANY sizable network without dynamic routing, life is HARD!
- It's too hard to maintain static routes
- Hard to set up load balancing
- Hard to set up failover
- Hard to manage changes
- Hard to add new network sites


The IPsec routing problem

Usual conversation:
"What's the problem? You can already carry routing protocols over IPsec."
"Yes, but you can't actually use them to ROUTE."
"Huh?"
"The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes."
"Oh yeah, I see the problem."


The IPsec routing problem

- Dynamic routing in VPNs is a requirement
- Tunnel mode is incompatible with dynamic routing
  - draft-touch-ipsec-vpn-04.txt (IETF http://www.ietf.org/internet-drafts/X)
  - draft-wang-cevpn-routing-00.txt
  - draft-knight-ppvpn-ipsec-dynroute-01.txt
- WHY?
  - Security Associations are created with selectors
  - Tunnels have built-in static routes
  - SP and SA Database lookups do the routing
  - SA setup is orders of magnitude slower than a routing change
  - Dynamically changing SAs in response to routing updates doesn't scale


Reference topology

[Diagram: Site A CPE, Site X CPE, Site Y CPE and Site Z CPE, each attached to the Untrusted Network]

Typical dynamic routing issues:
- Z adds a new network
- New site added (Hub/spoke model)
- A link (IPsec connection) breaks; re-route through another site


[Diagram: IPsec Gateway (CPE) at Site A; outbound traffic is matched against the SPD and SAD, and SA pairs (1 per address range) carry it across the Untrusted Network to Site X, Site Y and Site Z]

- SA pairs: 1 per address range
- SP, SA Databases determine routing into tunnels; cannot adapt dynamically
- Route exchange possible, but useless (SPD, SAD control routing)
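To make "SA selectors are like static routes" concrete, here is a constructed Python model (added here, not code from the talk) of the outbound SPD/SAD lookup at Site A's CPE, replaying two events from the reference topology: Site Z adds a network, and the A-Y tunnel breaks. All prefixes, outer addresses and SPIs are made-up sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the SPD/SAD at Site A's CPE (not code from the talk): one
# tunnel-mode SA per remote address range, the "SA pairs, 1 per address range" case.
@dataclass
class SA:                 # SAD entry: identified by outer destination + protocol + SPI
    outer_dst: str
    proto: str
    spi: int
    mode: str = "tunnel"

@dataclass
class Policy:             # SPD entry: destination selector, action, link to an SA
    dst_selector: str
    action: str           # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[SA] = None

SPD = [                   # ordered; first matching selector wins; last entry is the catch-all
    Policy("10.1.0.0/16", "PROTECT", SA("198.51.100.1", "ESP", 0x1001)),  # Site X
    Policy("10.2.0.0/16", "PROTECT", SA("198.51.100.2", "ESP", 0x1002)),  # Site Y
    Policy("10.3.0.0/16", "PROTECT", SA("198.51.100.3", "ESP", 0x1003)),  # Site Z
    Policy("0.0.0.0/0", "DISCARD"),
]

def route_lookup(dst: str, routes: dict) -> Optional[str]:
    """Longest-prefix match over routes learned from the routing protocol."""
    hits = [(ip_network(p), nh) for p, nh in routes.items() if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def outbound(dst: str, spd=SPD) -> tuple:
    """Outbound processing: the SPD selector match, not the route, decides the packet's fate."""
    for pol in spd:
        if ip_address(dst) in ip_network(pol.dst_selector):
            if pol.action == "PROTECT":
                return ("PROTECT", pol.sa.outer_dst, pol.sa.spi)
            return (pol.action, None, None)
    return ("DISCARD", None, None)

def demonstrate() -> dict:
    """Replay the two routing events from the reference-topology slide."""
    routes = {"10.1.0.0/16": "Site X", "10.2.0.0/16": "Site Y", "10.3.0.0/16": "Site Z"}
    routes["10.4.0.0/16"] = "Site Z"     # event 1: Site Z adds a network; routing learns it...
    new_net = (route_lookup("10.4.0.9", routes), outbound("10.4.0.9"))  # ...SPD drops it
    routes["10.2.0.0/16"] = "Site X"     # event 2: A-Y tunnel breaks; routing re-routes via X...
    reroute = (route_lookup("10.2.0.9", routes), outbound("10.2.0.9"))  # ...SPD still picks Y's SA
    return {"new_network": new_net, "reroute": reroute}
```

In both events the routing table is correct and the SPD/SAD ignore it: the new prefix hits the DISCARD catch-all, and the re-routed prefix is still bound to the SA towards the broken tunnel, which is why a routing-protocol exchange alone is useless until the selectors (and hence the SAs) are changed.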
