8/14/2019 Dynamic Routing Inside IPsec VPNs
1/40
Dynamic Routing Inside IPsec VPNs
New Threats and Defenses
Paul Knight, Nortel Networks
Dynamic Routing Inside IPsec VPNs- 2
Black Hat Briefings Paul Knight
Agenda
- Setting the stage: IPsec topology background
- Dynamic routing in IPsec
- Attack and Defense
  - Attacks from the Internet: denial of service, remote access, split tunnel
  - Internal branch-to-branch attacks: routing attacks, misconfigurations
- Requirements: securing IPsec routing
IPsec topology background
- The IPsec VPN model
  - What is an IPsec Gateway?
  - What are Tunnel and Transport Modes?
  - What's a Security Association?
- IPsec VPN topologies
  - Not host-to-host
  - Remote access VPN
  - Major focus: multi-site, branch offices
IPSec VPN models: Hosts and Security Gateways
[Figure: hosts and IPSec Gateways, with Trusted Networks on either side of an Untrusted Network (the Internet)]
- Branch-to-branch VPN model: between IPsec gateways
- Remote access VPN model: host to gateway
- Host-to-host (not VPN)
Two IPSec Modes: Transport and Tunnel Mode

Tunnel Mode:
  New IP Header (outer) | IPSec ESP Header | Original IP Header (inner) | Data
                                           |<------- optional encryption ------->|

Transport Mode:
  Original IP Header | IPSec ESP Header | Data
                                        |<- optional encryption ->|
Application of the IPsec modes
[Figure: Host to Host across the Internet (Untrusted Network), and IPSec Gateway to IPSec Gateway joining two Trusted Networks across the Untrusted Network]
- Can use Transport (or Tunnel) Mode between Hosts
- Can ONLY use Tunnel Mode between Gateways (or extra IP encapsulation inside Transport Mode)
- MUST hide IP addresses of trusted networks
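The two encapsulations from the mode slide, built at byte level as an added example (not code from the presentation). It uses constructed addresses (10.1.0.5 and 10.2.0.9 behind gateways 203.0.113.10 and 203.0.113.20) and a toy XOR stand-in for the ESP cipher, and shows why gateways must use Tunnel Mode: in Transport Mode the trusted-network addresses travel in the clear, in Tunnel Mode only the gateway addresses do.

```python
import struct
import ipaddress

ESP = 50  # IP protocol number for ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def esp_header(spi, seq):
    """ESP header: SPI and sequence number (the ESP trailer is omitted)."""
    return struct.pack("!II", spi, seq)

def toy_encrypt(data):
    """Stand-in for ESP encryption (XOR with a constant) so the example runs offline;
    it only hides bytes from a naive search and is NOT a real cipher."""
    return bytes(b ^ 0x5A for b in data)

def transport_mode(src, dst, data, spi, seq=1):
    """Original IP Header | ESP Header | {Data}: the original header stays in the clear."""
    esp = esp_header(spi, seq) + toy_encrypt(data)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, src, dst, proto, data, spi, seq=1):
    """New IP Header | ESP Header | {Original IP Header | Data}: inner header is hidden."""
    inner = ipv4_header(src, dst, proto, len(data)) + data
    esp = esp_header(spi, seq) + toy_encrypt(inner)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def wire_addresses(packet):
    """(src, dst) readable from the outer IP header of the packet on the wire."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))

def address_on_wire(packet, addr):
    """True if the address bytes appear unencrypted anywhere in the wire packet."""
    return ipaddress.ip_address(addr).packed in packet

# Constructed sample: host 10.1.0.5 at one site talks to 10.2.0.9 at another (TCP, proto 6).
# Gateways 203.0.113.10 and 203.0.113.20 front the two trusted networks.
TRANSPORT = transport_mode("10.1.0.5", "10.2.0.9", b"payload", 0x1001)
TUNNEL = tunnel_mode("203.0.113.10", "203.0.113.20", "10.1.0.5", "10.2.0.9", 6, b"payload", 0x1001)
```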
Application of the IPsec modes: Remote Access
- SHOULD use Tunnel Mode between host and gateway
  - Hide IP addresses of trusted networks
  - Allow remote host to truly join trusted network
  - IPsec gateway assigns host a tunnel address, like DHCP
[Figure: remote host crossing the Untrusted Network (Internet) to an IPsec Gateway in front of the Trusted Network]
- Alternative: Transport Mode to Application Level Gateway
  - IPsec gateway actually becomes a host
  - Remote host is limited to applications supported by gateway
  - Similar to SSL gateway model; heavy burden on gateway
Security Association (SA)
SA = all the information shared between two IPsec systems to establish secure communication
- Selection of the security mechanisms:
  - ESP or AH protection
  - Ciphering algorithm
  - Hash function
  - Choice of authentication method
- Authentication of the two parties
- Choice of the ciphering and authentication keys
Security Databases
A model to ensure a minimum of interoperability
- RFC 2401 - Security Architecture for IP
- Two Security Databases maintained on the IPSec system:
  - Security Policy Database (SPD)
  - Security Association Database (SAD)
Security Association Database (SAD)
All active Security Associations. For each SA entry, includes:
- Identifier:
  - Outer destination IP address
  - Security Protocol
  - SPI (Security Parameter Index)
- Parameters:
  - Authentication algorithm and keys
  - Encryption algorithm and keys
  - Lifetime
  - Security Protocol Mode (tunnel or transport)
  - Anti-replay service
  - Link with an associated policy in the SPD
Security Policy Database (SPD)
Applies to every packet. For each policy entry, includes:
- Selectors:
  - Destination IP Address
  - Source IP Address
  - Name
  - Transport Layer Protocol (protocol number)
  - Source and Destination Ports
- The policy: discard the packet, bypass, or process IPSec
- For IPSec processing:
  - Security Protocol and Mode
  - Enabled Services (anti-replay, authentication, encryption)
  - Algorithms (for authentication and/or encryption)
  - Link to an active SA in the SAD (if it exists)
Inbound Packet Processing
[Figure: an IPSec-protected packet enters the IPSec system; SAD and SPD lookups yield the plain IP packet]
1. Identify the SA in the SAD by its selectors: destination IP address, Security Protocol, SPI
2. Read the SA parameters
3. Perform the enabled IPSec services:
   - Authentication
   - Decryption
   - Anti-replay service
4. Identify the policy in the SPD according to the selectors
5. Check the policy
Outbound Packet Processing
[Figure: a plain IP packet enters the IPSec system; SPD and SAD lookups yield the IPSec-protected packet]
1. Identify the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate a new SA if necessary
4. Read the SA parameters specified by the link
5. Compute the IPSec processing
Agenda
- Setting the stage: IPsec topology background
- Dynamic routing in IPsec
- Attack and Defense
  - Attacks from the Internet: denial of service, remote access, split tunnel
  - Internal branch-to-branch attacks: routing attacks, misconfigurations
- Requirements: securing IPsec routing
Why is dynamic routing in IPsec VPNs important?
Like ANY sizable network without dynamic routing, life is HARD!
- It's too hard to maintain static routes
- Hard to set up load balancing
- Hard to set up failover
- Hard to manage changes
- Hard to add new network sites
The IPsec routing problem
Usual conversation:
"What's the problem? You can already carry routing protocols over IPsec."
"Yes, but you can't actually use them to ROUTE."
"Huh?"
"The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes."
"Oh yeah. I see the problem."
The IPsec routing problem
- Dynamic routing in VPNs is a requirement
- Tunnel mode is incompatible with dynamic routing:
  - draft-touch-ipsec-vpn-04.txt (IETF http://www.ietf.org/internet-drafts/X)
  - draft-wang-cevpn-routing-00.txt
  - draft-knight-ppvpn-ipsec-dynroute-01.txt
- WHY? Security Associations are created with selectors; tunnels have built-in static routes
  - SP and SA Database lookups do the routing
  - SA setup is orders of magnitude slower than a routing change
  - Dynamically changing SAs in response to routing updates doesn't scale
Reference topology
[Figure: the CPE at Site A connected across the Untrusted Network to the CPE at Site X, Site Y and Site Z]
Typical dynamic routing issues:
- Z adds a new network
- New site added (hub/spoke model)
- A link (IPsec connection) breaks; re-route through another site
[Figure: IPsec Gateway (CPE) at Site A; outbound traffic is matched against the SPD and the SAD (SA pairs, one per address range) and placed into the tunnels to Site X, Site Y and Site Z across the Untrusted Network]
SP, SA Databases determine routing into tunnels; they cannot adapt dynamically
Route exchange possible, but useless (SPD, SAD control routing)
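An added example (not the presenter's code) that models the inbound and outbound processing slides and the "route exchange possible, but useless" point: a Site A gateway with a constructed SPD and SAD (one SA per remote address range, gateway addresses 203.0.113.x and site prefixes 10.x.0.0/16 are assumptions). A routing protocol carried inside the tunnels can learn a new prefix from Site Z, but outbound lookup is driven by SPD selectors, so traffic to that prefix still hits the default-discard policy instead of the Site Z tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class SA:
    """One SAD entry, identified by (outer destination IP, security protocol, SPI)."""
    outer_dst: str
    proto: str
    spi: int

@dataclass
class Policy:
    """One SPD entry: a destination-prefix selector, the action, and the linked SA."""
    dst_prefix: str
    action: str                  # "discard", "bypass" or "ipsec"
    sa: Optional[SA] = None

# Constructed databases for the Site A gateway: one SA per remote address range.
SAD = {
    ("203.0.113.10", "ESP", 0x1001): SA("203.0.113.10", "ESP", 0x1001),  # Site X
    ("203.0.113.20", "ESP", 0x1002): SA("203.0.113.20", "ESP", 0x1002),  # Site Y
    ("203.0.113.30", "ESP", 0x1003): SA("203.0.113.30", "ESP", 0x1003),  # Site Z
}
SPD = [
    Policy("10.1.0.0/16", "ipsec", SAD[("203.0.113.10", "ESP", 0x1001)]),
    Policy("10.2.0.0/16", "ipsec", SAD[("203.0.113.20", "ESP", 0x1002)]),
    Policy("10.3.0.0/16", "ipsec", SAD[("203.0.113.30", "ESP", 0x1003)]),
    Policy("0.0.0.0/0", "discard"),  # default: anything unmatched is dropped
]
# Routing table learned from a routing protocol carried inside the tunnels.
ROUTES = {"10.1.0.0/16": "Site X", "10.2.0.0/16": "Site Y", "10.3.0.0/16": "Site Z"}

def outbound(dst_ip, spd=SPD):
    """Outbound steps 1-2: the first matching selector decides action and tunnel."""
    addr = ipaddress.ip_address(dst_ip)
    for p in spd:
        if addr in ipaddress.ip_network(p.dst_prefix):
            return p.action, (p.sa.outer_dst if p.sa else None)
    return "discard", None

def inbound(outer_dst, proto, spi, sad=SAD):
    """Inbound step 1: locate the SA by (destination, protocol, SPI), or None."""
    return sad.get((outer_dst, proto, spi))

def after_route_update(new_prefix, via_site, dst_ip):
    """Site Z advertises a new prefix: the routing table learns it, but the SPD has
    no selector for it, so a packet to it never enters the Site Z tunnel."""
    ROUTES[new_prefix] = via_site
    return ROUTES[new_prefix], outbound(dst_ip)
```

Getting the new prefix into a tunnel would need a new SA (or an SPD change), which the slides note is orders of magnitude slower than a routing update.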