Ip Sec Rev1

IP Security

TCP/IP ExampleTCP/IP Example

Security facilities in the Security facilities in the TCP/IP protocol stackTCP/IP protocol stack

Need for IPSecNeed for IPSec

• Application level security services– Electronic mail

• S/MIME, PGP– Client Server

• Kerberos, X.509– Web access

• SSL, TLS, SET

• Enterprises need security at IP layer– To protect security ignorant applications– Additional security to applications with security

mechanisms– Establish private secure network

IPv4 HeaderIPv4 Header

IPv6 HeaderIPv6 Header

IP Security OverviewIP Security Overview

• IPSec is not a single protocol. • IPSec provides a set of security

algorithms• IPSec provides a general security

framework for a pair of communicating entities

– Across LAN, Private & Public WANs– Across Internet


• Applications of IPSec– Secure branch office connectivity over

the Internet– Secure remote access over the

Internet– Establsihing extranet and intranet

connectivity with partners– Enhancing electronic commerce

security


• Benefits of IPSec– Better firewall protection– Transparent to applications (below transport

layer (TCP, UDP)– Provide security for individual users

• IPSec can assure that:– A router or neighbor advertisement comes

from an authorized router– A redirect message comes from the router

to which the initial packet was sent– A routing update is not forged

IP Security ScenarioIP Security Scenario

IP Security IP Security ArchitecturesArchitectures

• Integrated architecture– Supported in IPv6– Difficult to implement in IPv4

• Bump in The stack (BITS) for IPv4– Between Data link and IP layers

• Bump in The Wire (BITW)– Hardware implementation

IPSec RFCsIPSec RFCs

• IPSec documents:– RFC 2401: An overview of security

architecture– RFC 2402: Description of a packet

authentication extension to IPv4 and IPv6– RFC 2406: Description of a packet

encryption extension to IPv4 and IPv6– RFC 2408: Specification of key managament

capabilities

IPSec ServicesIPSec Services

• Access Control• Connectionless integrity• Data origin authentication• Rejection of replayed packets• Confidentiality (encryption)• Limited traffic flow confidentiallity

IPSec protocolsIPSec protocols

• Authentication header (AH)• Encapsulating security payload

(ESP)• ESP with Authentication

Protocols vs servicesProtocols vs servicesAH ESP(encryption

only)ESP(encryption and authentication)

Access control yes yes yes

Connectionless integrity

yes yes

Data origin authentication

yes yes

Rejection of replay attacks

yes yes yes

confidentiality no yes yes

Limited traffic flow confidentiality

no yes yes

IPSec modes of IPSec modes of operationsoperations

• Transport– IPSec protects IP payload– IPSec headers added before IP payload– No change in IP header

• Tunnel– IPSec protects total IP packet– IPSec headers encapsulates IP packet– New IP header is created

DiscussionDiscussiononTunnel and Transport onTunnel and Transport

mode mode • Tunnel mode header order

– New IP hdr->IPsec hdr->old IP hdr->IP payload

– BITS or BITW architecture– Choice for VPN

• Transport mode header order– IP hdr->IPSec hdr->IP payload– IPSec integrated architecture– End to End security

Protocols Transport Mode SA

Tunnel Mode SA

AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers

Authenticates entire inner IP packet plus selected portions of outer IP header

ESP Encrypts IP payload and any IPv6 extesion header

Encrypts inner IP packet

ESP with authentication

Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header

Encrypts inner IP packet. Authenticates inner IP packet.

Security services

Security Associations Security Associations (SA)(SA)

• One SA for one way relationship between a sender and a receiver

• Two SAs for two way relationship• One SA for one protocol• Uniquely Identified by three

parameters:– Security Parameter Index (SPI)

• Each SA identified by a bit string• Carried in Ah & ESP headers

– IP Destination address– Security Protocol Identifier

SA: Other parametersSA: Other parameters

• Seq num cntr : 32 bit value• Seq cntr overflow: overflow flag • Anti replay window: to find if incoming

AH or ESP is a replay• AH info: algo, keys etc• ESP info: algo, keysetc• Life time of this SA• IPSec mode: transport, tunnel• Path MTU:

Security Policy database Security Policy database (SPD)(SPD)

• Each entry in SPD– define a subset of IP traffic

• Selectors for IP and UL protocol values

– Points to an SA for that traffic

• Multiple entries -> single SA• Multiple SAs -> single entry

SPD selector entriesSPD selector entries

• Dest IP address• SRC IP address• UserID• Data sensitivity level ( Classification)• Transport layer protocol:IPv4/IPv6• IPSec protocol: AH or ESP or both• SRC dest ports• IPv6 class• IPv6 flow label• IPv4 TOS

Authentication HeaderAuthentication Header

• Provides support for data integrity and authentication (MAC code) of IP packets.

• Guards against replay attacks.

Anti-replay serviceAnti-replay service

• Use of seq number field- 32 bits• On each SA it is initialised to 0• Incremented for each packet• When seq number > 232-1 new SA• Anti replay window

Authentication dataAuthentication data• Holds integrity check value• HMAC-MD5-96, HMAC-SHA-1-96• MAC calculated over

– IP header • field that unchange in transit• Fields that are predictable• Others set to zero for MAC

– AH header• Other than authentication data which is set to 0

– Entire UL protocol data• Immutable

– IHL, src address• Mutable but predictable

– Destination address• Mutable

– TTL, hdr checksum

Before applying AHBefore applying AH

Transport Mode (AH Transport Mode (AH Authentication)Authentication)

Tunnel Mode (AH Tunnel Mode (AH Authentication)Authentication)

End-to-end versus End-End-to-end versus End-to-Intermediate to-Intermediate AuthenticationAuthentication

Encapsulating Security Encapsulating Security PayloadPayload

• ESP provides confidentiality services

Encryption and Encryption and Authentication Authentication

AlgorithmsAlgorithms• Encryption:

– Three-key triple DES– RC5– IDEA– Three-key triple IDEA– CAST– Blowfish

• Authentication:– HMAC-MD5-96– HMAC-SHA-1-96

ESP Encryption and ESP Encryption and AuthenticationAuthentication

ESP Encryption and ESP Encryption and AuthenticationAuthentication

Combinations of Combinations of Security AssociationsSecurity Associations




Key ManagementKey Management• Ipsec management

– determination of keys– Distribution of keys

• Typical requirements– 4 keys between communicating applications– Transmit and receive pairs

• Two types:– Manual– Automated on demand

• Oakley Key Determination Protocol• Internet Security Association and Key

Management Protocol (ISAKMP)

Diffie Hellman key Diffie Hellman key exchangeexchange

• Attractive features– Secret keys created only when needed– No pre-existing infrastructure required

• Weaknesses– No information about identities of

parties– Man-in-the-middle attack– Clogging attack

OakleyOakley• Based on Diffie Hellman algo

– Exchange of DH PK values

• Providing added security– Cookies to thwart clogging attacks– Two parties to negotiate a group

• Selection of global parameters

– Nonces to prevent replay attacks– Authentication of DH exchange to prevent

MITM attack

• Generic no specific format

OakleyOakley: Use of Cookies : Use of Cookies exchangeexchange

• Each side send a PRN (cookie) initially

• Each side ack other• This ack repeated in the first DH key

exchange• If the src address was forged

opponent does not get ack • Cannot make user calculate DH

OakleyOakley: Use of Groups: Use of Groups

• Each group define – Global parameters q and α

• Modular expo with a 768 bit modulus• Modular expo with a 1024 bit modulus• Modular expo with a 1536 bit modulus• Elliptical curve over 2155

• Elliptical curve over 2185

– Identity of algorithm• DH• Elliptical curve

Oakley: AuthenticationOakley: Authentication

• Three authentication methods:– Digital signatures

• Eks[ H [Nonces, ID]]

– Public-key encryption• EKra [ ID, Nonces]

– Symmetric-key encryption• Eksym [ ID, Nonces]

ISAKMPISAKMP

• Set of procedures, messages for SAs– Establish, negotiate, modify and delete

• ISAKMP message– Header + payloads

• Payload format independent of– Key exchange protocol, encryption algo,

authentication mechanism• Uses UDP

ISAKMPISAKMP

ISAKMP: payload typesISAKMP: payload types

• SA : SA initiation– Proposal, Transform, KE

• ID• Certificate• Certificate request• Hash• Signature• Nonce• Notification• Delete

ISAKMP: Exchange ISAKMP: Exchange typestypes

1. Base exchange– I->R: SA;Nonce– R->I: SA:Nonce– I->R: KE;IDi;Auth– R->I: KE:IDr;Auth

• 4 messages; no ID protection


2. ID protection exchange– I->R: SA– R->I: SA– I->R: KE;Nonce– R->I: KE:Nonce– * I->R: IDi;Auth– * R->I: IDr;Auth

• 6 messages; ID protected


3. Authentication only exchange– I->R: SA: Nonce– R->I: SA; Nonce;IDr;Auth– I->R: IDi;Auth

• 3 messages; authentication wo key exchange


4. Aggressive exchange– I->R: SA: KE; Nonce;IDi– R->I: SA; KE; Nonce;IDr;Auth– * I->R: Auth

• 3 messages; Express SA set up wo ID protection


4. Informational exchange– * I->R: N/D

• 1 message; Error or Status notification or deletion

Technology

Ip Sec Rev1