By Mau, Morgan

Arora, PankajDesai, Kiran

Large address space Briefing on IPsec IPsec implementation IPsec operational modes Authentication Header in IPv6 ESP in IPv6 Security Issues in IPv6

A (Poor) Representation of Relative IPv4 and IPv6 Address Space Sizes[1]

With IPv4 a typical Class C network has 8 bits for host addressing.◦ If we scan at the rate of 1 host/sec ◦ 2exp8 hosts X 1sec/host X1 minute/60secs =

4.2 mins◦ Takes us ~4 minutes to completely scan the C

network With IPv6 the subnets use 64 bits for host

addressing.◦ If we scan at the rate of 1 host/sec ◦ 2exp64 hosts X 1sec/host X 1yr/31536000secs

= 584 billion yrs◦ Takes us ~584billion yrs to completely scan

the network

Advantages◦ Port scanning attacks become an arduous task◦ Well organized IP address assignment, helps track

down issues Disadvantages

◦ Increased overhead, since every datagram header or other place where IP addresses are referenced must use 16bytes for each address instead of 4bytes

IPsec is a set of cryptographic protocols that secure data communication and provide for secure exchange of keys during initial negotiation

Although IPsec has been there for quite some time now, it was optional in IPv4.

IPv6 mandates the use of IPsec

IPsec overview [1]

Integrated architecture◦ Integrated in IP layer itself◦ Example: IPv6◦ Most elegant but would not be possible with IPv4

as the IP implementation in each device needs to be changed

BITS architecture or Bump In The Stack

BITS architecture [1]

BITW architecture or Bump In The Wire

BITW architecture [1]

As its name suggests, in transport mode, the protocol protects the message passed down to IP from the transport layer.

In this mode, IPSec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it.

Thus to generalize, the order of headers are as belowo Transport Mode: IP header, IPSec headers (AH and/or ESP), IP payload

(including transport header). o Tunnel Mode: New IP header, IPSec headers (AH and/or ESP), old IP

header, IP payload.

For IPv6, there are 2 variables and 4 combinations. Thus 2 protocols(AH& ESP) and 2 modes(Transport and Tunnel) could be combined in different ways.

AH is one among the two core security protocols in IPsec

AH is intended to guarantee connectionless integrity and data origin authentication

IPsec AH packet [2]

The calculation of the authentication header is similar for both IPv4 and IPv6.

Difference is in placing the header into the datagram and for linking the headers together

The AH is inserted into the IP datagram as an extension header following normal rules of IPv6 extension header linking.

Each header field is linked to by the previous field by the Next header link.

Thus the headers could be chained one after the other.

The numbers indicated are a standard specified by IETF for each protocol.

Authentication Header Placement and Linking

AH is not enough if we do not want the intermediate devices to change our datagrams.

ESP provides the privacy we seek by encrypting them.

ESP also supports its own authentication scheme.

ESP headers without and with authentication [2]

Unlike AH, which provides a small header before the payload, ESP surrounds the payload it's protecting

The next hdr field gives the type (IP, TCP, UDP, etc.) of the payload in the usual way, though it can be thought of as pointing "backwards" into the packet rather than forward as we've seen in AH

Header Calculation and Placement◦ The ESP header placement works similar to AH.◦ It is inserted into the IP datagram as an extension header.

Trailer Calculation and Placement◦ The ESP Trailer is appended to the data to be encrypted.◦ The Next Header field in ESP appears in the trailer and not the

header. ESP Authentication Field Calculation and

Placement◦ The authentication field is computed over the entire ESP

datagram.

ESP in Transport and Tunnel Mode [1]

IPv6-IPv4 stack issues◦ Dual stacks during migration always bring in

security vulnerabilities Extension Header issues

◦ Large size of extension headers will overwhelm certain nodes.

Multicast flooding◦ New features like multicast address would

increase the smurf attacks

[1]“TCPIP Guide”, http://www.tcpipguide.com, Web resource retrieved on Oct 13th 2008

[2]“An illustrated guide to IPsec”, http://unixwiz.net/techtips/iguide-ipsec.html, Web resource retrieved on Oct 13th 2008