Ipsec

IP Security

IP Security

Have a range of application specific Have a range of application specific security mechanismssecurity mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPSeg. S/MIME, PGP, Kerberos, SSL/HTTPS

However there are security concerns that However there are security concerns that cut across protocol layerscut across protocol layers

Would like security implemented by the Would like security implemented by the network for all applicationsnetwork for all applications

IPSec

General IP Security mechanismsGeneral IP Security mechanisms ProvidesProvides

authenticationauthentication confidentialityconfidentiality key managementkey management

Applicable to use over LANs, across public Applicable to use over LANs, across public & private WANs, & for the Internet& private WANs, & for the Internet

IPSec Uses

TransparencyTransparency

Benefits of IPSec

In a firewall/router provides strong security to In a firewall/router provides strong security to all traffic crossing the perimeterall traffic crossing the perimeter

In a firewall/router is resistant to bypassIn a firewall/router is resistant to bypass Is below transport layer, hence transparent to Is below transport layer, hence transparent to

applicationsapplications Can be transparent to end usersCan be transparent to end users Can provide security for individual usersCan provide security for individual users Secures routing architectureSecures routing architecture

IP Security Architecture

Specification is quite complexSpecification is quite complex Defined in numerous RFC’sDefined in numerous RFC’s

incl. RFC 2401/2402/2406/2408incl. RFC 2401/2402/2406/2408 many others, grouped by categorymany others, grouped by category

Mandatory in IPv6, optional in IPv4Mandatory in IPv6, optional in IPv4 Have two security header extensions:Have two security header extensions:

Authentication Header (AH)Authentication Header (AH) Encapsulating Security Payload (ESP)Encapsulating Security Payload (ESP)

Architecture & Concepts Tunnel vs. Transport modeTunnel vs. Transport mode Security association (SA)Security association (SA)

Security parameter index (SPI)Security parameter index (SPI) Security policy database (SPD)Security policy database (SPD) SA database (SAD)SA database (SAD)

Authentication header (AH)Authentication header (AH) Encapsulating security payload (ESP)Encapsulating security payload (ESP) Practical Issues w/ NATPractical Issues w/ NAT

A B

Encrypted Tunnel

Gateway 1 Gateway 2

New IP Header

AH or ESP Header

TCP DataOrig IP Header

Encrypted

Unencrypted Unencrypted

Transport Mode vs. Tunnel Mode Transport mode: host -> hostTransport mode: host -> host Tunnel mode: host->gateway or gateway->gatewayTunnel mode: host->gateway or gateway->gateway

Transport Mode

ESP protects higher layer payload onlyESP protects higher layer payload only AH can protect IP headers as well as higher AH can protect IP headers as well as higher

layer payloadlayer payload

IPheader

IPoptions

IPSecheader

Higherlayer protocol

ESP

AH

Real IPdestination

Tunnel Mode

ESP applies only to the tunneled packetESP applies only to the tunneled packet AH can be applied to portions of the outer AH can be applied to portions of the outer

headerheader

Outer IPheader

Inner IPheader

IPSecheader

Higherlayer protocol

ESP

AH

Real IP destinationDestinationIPSecentity

Security Association - SA Defined by 3 parameters:Defined by 3 parameters:

Security Parameters Index (SPI)Security Parameters Index (SPI) IP Destination AddressIP Destination Address Security Protocol IdentifierSecurity Protocol Identifier

Have a database of Security Associations Have a database of Security Associations Determine IPSec processing for sendersDetermine IPSec processing for senders Determine IPSec decoding for destinationDetermine IPSec decoding for destination SAs are not fixed! Generated and customized per SAs are not fixed! Generated and customized per

traffic flowstraffic flows

Security Parameters Index - SPI Can be up to 32 bits largeCan be up to 32 bits large The SPI allows the destination to select the The SPI allows the destination to select the

correct SA under which the received packet correct SA under which the received packet will be processed will be processed According to the agreement with the senderAccording to the agreement with the sender The SPI is sent with the packet by the senderThe SPI is sent with the packet by the sender

SPI + Dest IP address + IPSec Protocol (AH or SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SAESP) uniquely identifies a SA

SA Database - SAD

Holds parameters for each SAHolds parameters for each SA Lifetime of this SALifetime of this SA AH and ESP informationAH and ESP information Tunnel or transport modeTunnel or transport mode

Every host or gateway participating in Every host or gateway participating in IPSec has their own SA databaseIPSec has their own SA database

Security Policy Database - SPD

What traffic to protect?What traffic to protect? Policy entries define which SA or SA Policy entries define which SA or SA

bundles to use on IP trafficbundles to use on IP traffic Each host or gateway has their own SPDEach host or gateway has their own SPD Index into SPD by Selector fieldsIndex into SPD by Selector fields

Dest IP, Source IP, Transport Protocol, IPSec Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, …Protocol, Source & Dest Ports, …

SPD Entry Actions

DiscardDiscard Do not let in or outDo not let in or out

BypassBypass Outbound: do not apply IPSecOutbound: do not apply IPSec Inbound: do not expect IPSecInbound: do not expect IPSec

Protect – will point to an SA or SA bundleProtect – will point to an SA or SA bundle Outbound: apply securityOutbound: apply security Inbound: check that security must have been Inbound: check that security must have been

appliedapplied

SPD Protect Action

If the SA does not exist…If the SA does not exist… Outbound processing: use IKE to generate SA Outbound processing: use IKE to generate SA

dynamicallydynamically Inbound processing: drop packetInbound processing: drop packet

Is it for IPSec?If so, which policyentry to select?

…

SPD(Policy)

…

SA Database

IP Packet

Outbound packet (on A)

A B

SPI & IPSec Packet

Send to B

Determine the SA and its SPI

IPSec processing

Outbound Processing

Use SPI to index the SAD

…

SA Database

Original IP Packet

SPI & Packet

Inbound packet (on B) A B

From A

Inbound Processing

…

SPD(Policy)

Was packet properly secured?

“un-process”




Authenticated Header Data integrityData integrity

Entire packet has not been tampered withEntire packet has not been tampered with AuthenticationAuthentication

Can “trust” IP address sourceCan “trust” IP address source Use MAC to authenticateUse MAC to authenticate

Symmetric encryption, e.g, DESSymmetric encryption, e.g, DES One-way hash functions, e.g, HMAC-MD5-96 or HMAC-One-way hash functions, e.g, HMAC-MD5-96 or HMAC-

SHA-1-96SHA-1-96

Anti-replay featureAnti-replay feature Integrity check valueIntegrity check value

……

SAD

SPI

Sequence Number

ICV

Next Header (TCP/UDP)

Payload LengthReserved

IPSec Authenticated HeaderLength of the authentication headerLength of the authentication header

Integrity Check Value - ICV Keyed Message authentication code (MAC) Keyed Message authentication code (MAC)

calculated overcalculated over IP header field that do not change or are predictableIP header field that do not change or are predictable

Source IP address, destination IP, header length, etc.Source IP address, destination IP, header length, etc. Prevent spoofingPrevent spoofing Mutable fields excluded: e.g., time-to-live (TTL), IP Mutable fields excluded: e.g., time-to-live (TTL), IP

header checksum, etc.header checksum, etc.

IPSec protocol header except the ICV value fieldIPSec protocol header except the ICV value field Upper-level dataUpper-level data

Code may be truncated to first 96 bitsCode may be truncated to first 96 bits

AH: Tunnel and Transport Mode

OriginalOriginal Transport ModeTransport Mode

Cover most of the Cover most of the original packetoriginal packet

Tunnel ModeTunnel Mode Cover entire Cover entire

original packetoriginal packet

Encapsulating Security Payload (ESP)

Provide Provide message content confidentialitymessage content confidentiality ProvideProvide limited traffic flow confidentiality limited traffic flow confidentiality Can optionally Can optionally provide the same authentication provide the same authentication

services as AHservices as AH Supports range of ciphers, modes, paddingSupports range of ciphers, modes, padding

Incl. DES, Triple-DES, RC5, IDEA, CAST etcIncl. DES, Triple-DES, RC5, IDEA, CAST etc A variant of DES most commonA variant of DES most common Pad to meet blocksize, for traffic flowPad to meet blocksize, for traffic flow

ESP: Tunnel and Transport Mode

OriginalOriginal

Transport ModeTransport Mode Good for host to Good for host to

host traffichost traffic Tunnel ModeTunnel Mode

Good for VPNs, Good for VPNs, gateway to gateway gateway to gateway securitysecurity

Outbound Packet Processing Form ESP headerForm ESP header

Security parameter index (SPI)Security parameter index (SPI) Sequence numberSequence number

Pad as necessaryPad as necessary Encrypt result [payload, padding, pad length, Encrypt result [payload, padding, pad length,

next header]next header] Apply authentication (optional)Apply authentication (optional)

Allow rapid detection of replayed/bogus packetsAllow rapid detection of replayed/bogus packets Integrity Check Value (ICV) includes whole ESP Integrity Check Value (ICV) includes whole ESP

packet minus packet minus authentication dataauthentication data field field

SPI

Sequence Number

Original IP Header

Integrity Check Value

Au

then

tica

tio

n c

ove

rag

e

En

cryp

ted Payload (TCP Header and Data)

Variable Length

Pad Length

Padding (0-255 bytes)

Next Header

ES

P T

rans

port

Exa

mpl

e

Inbound Packet Processing... Sequence number checkingSequence number checking

Duplicates are rejected!Duplicates are rejected! Packet decryptionPacket decryption

Decrypt quantity [ESP payload,padding,pad Decrypt quantity [ESP payload,padding,pad length,next header] per SA specificationlength,next header] per SA specification

Processing (stripping) padding per encryption Processing (stripping) padding per encryption algorithmalgorithm

Reconstruct the original IP datagramReconstruct the original IP datagram Authentication verification (optional)Authentication verification (optional)

Allow potential parallel processing - decryption Allow potential parallel processing - decryption & verifying authentication code& verifying authentication code




NATs Network address translation = local, LAN-specific Network address translation = local, LAN-specific

address space translated to small number of globally address space translated to small number of globally routable IP addressesroutable IP addresses

Motivation:Motivation: Scarce address spaceScarce address space Security: prevent unsolicited inbound requestsSecurity: prevent unsolicited inbound requests

Prevalence of NATsPrevalence of NATs Claim: 50% of broadband users are behind NATsClaim: 50% of broadband users are behind NATs All Linksys/D-Link/Netgear home routers are NATsAll Linksys/D-Link/Netgear home routers are NATs

NAT types All use net-10/8 (10.*.*.*) or 192.168/16All use net-10/8 (10.*.*.*) or 192.168/16 Address translationAddress translation Address-and-port translation (NAPT)Address-and-port translation (NAPT)

most common form today, still called NATmost common form today, still called NAT one external (global) IP addressone external (global) IP address

Change IP header and TCP/UDP headersChange IP header and TCP/UDP headers

NAT Example

IAP’s Point of Presence

Router with NATExternal IP: 68.40.162.3Internal IP: 192.168.0.0

Router assigns internal IPs to hosts on LAN :

A: 192.168.0.100B: 192.168.0.101C: 192.168.0.102

A B C

Messages sent between host B to another host on the InternetHost B original source socket:192.168.0.101 port 1341Host B translated socket:68.40.162.3 port 5280

Will IPSec Work with NAT ? Consider both AH and ESP protocols. Consider both AH and ESP protocols. Consider both transport and tunnel modes. For Consider both transport and tunnel modes. For

tunnel mode, consider the following two casestunnel mode, consider the following two cases Sender – NAT – IPSec Gateway 1 – IPSec Gateway 2 – Sender – NAT – IPSec Gateway 1 – IPSec Gateway 2 –

ReceiverReceiver Sender – IPSec Gateway 1 – NAT – IPSec Gateway 2 – Sender – IPSec Gateway 1 – NAT – IPSec Gateway 2 –

ReceiverReceiver What about w/o port # translation?What about w/o port # translation?

Backup Slides

Combining Security Associations

SA’s can implement either AH or ESPSA’s can implement either AH or ESP to implement both need to combine SA’sto implement both need to combine SA’s

form a security form a security association association bundlebundle may terminate at different or same may terminate at different or same

endpointsendpoints combined bycombined by

transport adjacencytransport adjacency iterated tunnelingiterated tunneling

issue of authentication & encryption order issue of authentication & encryption order

Combining Security Associations

SA Bundle

More than 1 SA can apply to a packetMore than 1 SA can apply to a packet Example: ESP does not authenticate new IP Example: ESP does not authenticate new IP

header. How to authenticate?header. How to authenticate? Use SA to apply ESP w/o authentication to Use SA to apply ESP w/o authentication to

original packetoriginal packet Use 2Use 2ndnd SA to apply AH SA to apply AH

Outbound Packet Processing...

Integrity Check Value (ICV) calculationIntegrity Check Value (ICV) calculation ICV includes whole ESP packet minus ICV includes whole ESP packet minus

authentication dataauthentication data field field Implicit padding of ‘0’s between Implicit padding of ‘0’s between next headernext header and and

authentication dataauthentication data is used to satisfy block size is used to satisfy block size requirement for ICV algorithmrequirement for ICV algorithm

Inbound Packet Processing

Sequence number checkingSequence number checking Anti-replay is used only if authentication is Anti-replay is used only if authentication is

selectedselected Sequence number should be the first ESP check Sequence number should be the first ESP check

on a packet upon looking up an SAon a packet upon looking up an SA Duplicates are rejected! Duplicates are rejected!

0Sliding Windowsize >= 32

rejectCheck bitmap, verify if new

verify

Anti-replay Feature

OptionalOptional Information to enforce held in SA entryInformation to enforce held in SA entry Sequence number counter - 32 bit for Sequence number counter - 32 bit for

outgoing IPSec packetsoutgoing IPSec packets Anti-replay window Anti-replay window

32-bit 32-bit Bit-map for detecting replayed packetsBit-map for detecting replayed packets

Anti-replay Sliding Window

Window should not be advanced until the Window should not be advanced until the packet has been authenticatedpacket has been authenticated

Without authentication, malicious packets Without authentication, malicious packets with large sequence numbers can advance with large sequence numbers can advance window unnecessarilywindow unnecessarily Valid packets would be dropped!Valid packets would be dropped!

ESP Processing - Header Location...

Tunnel mode IPv4 and IPv6Tunnel mode IPv4 and IPv6

New IP hdr

OrigIP hdr

TCP DataESP

trailerESPAuth

ESPhdr

Newext hdr

New IP hdr

TCP DataESP

trailerESPAuth

OrigIP hdr

ESPhdr

Origext hdr

IPv4

IPv6

Key Management

Handles key generation & distributionHandles key generation & distribution Typically need 2 pairs of keysTypically need 2 pairs of keys

2 per direction for AH & ESP2 per direction for AH & ESP Manual key managementManual key management

Sysadmin manually configures every systemSysadmin manually configures every system Automated key managementAutomated key management

Automated system for on demand creation of keys Automated system for on demand creation of keys for SA’s in large systemsfor SA’s in large systems

Technology

Ipsec