The IPsec protocols. Overview

Similar documents
IPsec Details 1 / 43. IPsec Details

Protocol Security Where?

Internet Protocol Security IPSec

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Lecture 5.1: IPsec Basics

Protecting Internet Key Exchange (IKE) Implementations from Distributed Denial of Service Attacks

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Securing IP Networks with Implementation of IPv6

IP Security. Ola Flygt Växjö University, Sweden

Introduction to Security and PIX Firewall

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Chapter 5: Network Layer Security

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

VPN with Windows 7 and Linux strongswan using IKEv2

Network Security Part II: Standards

21.4 Network Address Translation (NAT) NAT concept

Chapter 4 Virtual Private Networking

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Laboratory Exercises V: IP Security Protocol (IPSec)

T Cryptography and Data Security

Computer and Network Security

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Internet Security Architecture

IPSec and SSL Virtual Private Networks

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Internetwork Security

SonicOS Enhanced 3.2 IKE Version 2 Support

Network Security. Lecture 3

IP SECURITY (IPSEC) PROTOCOLS

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Lecture 17 - Network Security

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Chapter 8 Virtual Private Networking

Chapter 7 Transport-Level Security

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

The BANDIT Products in Virtual Private Networks

Secure Sockets Layer

Security Architecture for IP (IPsec)

Branch Office VPN Tunnels and Mobile VPN

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Chapter 3. Network Domain Security

Security vulnerabilities in the Internet and possible solutions

Implementing and Managing Security for Network Communications

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Lecture 10: Communications Security

Bit Chat: A Peer-to-Peer Instant Messenger

Communication Security for Applications

Overview. Protocols. VPN and Firewalls

Insecure network services

Chapter 17. Transport-Level Security

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Chapter 9. IP Secure

T Cryptography and Data Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Chapter 10. Network Security

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Application Note: Onsight Device VPN Configuration V1.1

Communication Systems SSL

MINI-FAQ: OpenBSD 2.4 IPSEC VPN Configuration

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Chapter 49 IP Security (IPsec)

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

3GPP TSG SA WG3 Security S Meeting S3#16 Sophia Antipolis, November, Abstract

ETSF10 Part 3 Lect 2

CS 4803 Computer and Network Security

MPLS VPN in Cellular Mobile IPv6 Architectures(04##017)

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Case Study for Layer 3 Authentication and Encryption

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Joe Davies Principal Writer Windows Server Documentation

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Chapter 32 Internet Security

Web Security Considerations

IPv6 Security: How is the Client Secured?

Network Working Group Request for Comments: Category: Standards Track December Security Architecture for the Internet Protocol

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

KeyStone Architecture Security Accelerator (SA) User Guide

SSL Secure Socket Layer

Configuring IKEv2 Load Balancer

VPN. VPN For BIPAC 741/743GE

This section provides a summary of using network location profiles to identify network connection types. Details include:

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

IPsec VPN Application Guide REV:

VPN Technologies: Definitions and Requirements

FortiOS Handbook - IPsec VPN VERSION 5.2.2

Transcription:

The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () -- Internet Key Exchange (IKE) version 2 (c) Levente Buttyán (buttyan@crysys.hu) Overview IPsec is an Internet standard for network layer security provides protection for IP and protocols above (ICMP, TCP, ) allows selection of the required security services and algorithms puts in place the necessary cryptographic keys can be applied between a pair of hosts, between a pair of security gateways (e.g., firewalls), and between a host and a gateway components: an authentication protocol (Authentication Header AH) a combined encryption and authentication protocol (Encapsulated Security Payload ) Security Association and key establishment protocol (IKEv2) possible ways to implement IPsec: integration into the native IP stack implementation bump-in-the-stack (BITS): between IP and the network driver bump-in-the-wire (BITW): a separate HW device (security gateway) The IPsec protocol 2

IPsec services AH (encryption only) (encryption and authentication) integrity data origin authentication replay detection confidentiality limited traffic flow confidentiality The IPsec protocol 3 Modes of operation (both AH and ) transport mode provides protection primarily for upper layer protocols protection is applied to the payload of the IP packet in transport mode encrypts and optionally authenticates the IP payload but not the IP AH in transport mode authenticates the IP payload and selected fields of the IP typically used between end-systems tunnel mode provides protection to the entire IP packet the entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses) in tunnel mode encrypts and optionally authenticates the entire inner IP packet AH in tunnel mode authenticates the entire inner IP packet and selected fields of the outer IP usually used between two security gateways, or between a host and a security gateway The IPsec protocol 4

Security Associations (SA) the IPsec state shared by two systems (hosts, gateways) is represented by SAs an SA is always one-way, and it is either created for AH or for (or IKE) an SA includes the following information: end-point identifiers (e.g., IP addresses) protocol information (algorithms, keys, and related parameters) operational mode (tunnel or transport) sending sequence number (for the sender of this SA) anti-replay window (for the receiver of this SA) a counter and a bit-map (or equivalent) used to determine whether an inbound packet is a replay lifetime (a time interval or byte count) SAs are referenced by an SPI (Security Parameter Index) a bit string carried in AH and s to allow the receiving party to select the SA which must be used to process the packet The IPsec protocol 5 Selecting SAs Security Policy Database (SPD) two separate databases for inbound and outbound traffic each entry defines a subset of IP traffic and a set of SAs to be applied for that traffic subset of IP traffic is defined in terms of selectors ( fields) destination IP address (single, enumerated list, range, or mask) source IP address (single, enumerated list, range, or mask) transport layer protocol (single, enumerated list, or range) source or destination port (single, enumerated list, range, or wildcard) outbound processing compare the selector fields of the packet to the values in the SPD determine which SAs should be used for the packet and their SPIs do the requiered IPsec processing inbound processing retrieve the SA that should be used based on the SPI in the inbound packet do the IPsec processing verify in the SPD if the right SAs have been applied The IPsec protocol 6

Authentication Header AH 0 8 16 31 next payload length Security Parameters Index (SPI) sequence number authentication data (variable length) reserved next type of immediately following this (e.g., TCP, IP, etc.) payload length length of AH (in 32 bit words) minus 2 e.g., 4 if Authentication data is 3x32 bits long Security Parameters Index identifies the SA used to generate this sequence number sequence number of the packet authentication data a (truncated) MAC (default length is 3x32 bits) The IPsec protocol 7 MAC the MAC is calculated over IP fields that do not change in transit the AH fields (authentication data field is set to 0) entire upper layer protocol data the fields not covered by the MAC are set to 0 for the calculation TTL checksum IP 0000 0000... AH 0000... MAC MAC authentication data payload The IPsec protocol 8

Supported MAC algorithms Requirement Algorithm (notes) MUST HMAC-SHA1-96 [RFC2404] SHOULD+ AES-XCBC-MAC-96 [RFC3566] MAY HMAC-MD5-96 [RFC2403] (1) Note: (1) Weaknesses have become apparent in MD5; however, these should not affect the use of MD5 with HMAC. The IPsec protocol 9 Replay detection replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination receiver has an anti-replay window of default size W = 64 last received packet packets received window (of size 7)...... dropped dropped if MAC is correct then mark otherwise drop if MAC is correct then mark and advance window The IPsec protocol 10

AH in transport and tunnel mode original IPv4 packet original IP TCP/UDP data AH in transport mode original IP AH TCP/UDP data authenticated except for mutable fields in the IP AH in tunnel mode new IP AH original IP TCP/UDP data authenticated except for mutable fields in the outer IP The IPsec protocol 11 Encapsulating Security Payload 0 16 24 31 Security Parameters Index (SPI) sequence number payload (variable length) padding (0-255 bytes) pad length authentication data (variable length) next Security Parameters Index identifies the SA used to generate this encrypted packet sequence number payload transport level segment (transfer mode) or encapsulated IP packet (tunnel mode) padding variable length padding pad length next identifies the type of data contained in the payload authentication data a (truncated) MAC computed over the packet (SPI... next ) The IPsec protocol 12

Encryption and MAC encryption applied to the payload, padding, pad length, and next fields if an IV is needed, then it is explicitly carried at the beginning of the payload data (the IV is not encrypted) MAC default length is 3x32 bits MAC is computed over the SPI, sequence number, and encrypted payload, padding, pad length, and next fields unlike in AH, here the MAC does not cover the preceding IP The IPsec protocol 13 Supported encryption and MAC algorithms Requirement MUST MUST- SHOULD+ SHOULD SHOULD NOT Encryption Algorithm NULL TripleDES-CBC [RFC2451] AES-CBC with 128-bit keys [RFC3602] AES-CTR [RFC3686] DES-CBC [RFC2405] Requirement MUST MUST SHOULD+ MAY Authentication Algorithm HMAC-SHA1-96 [RFC2404] NULL AES-XCBC-MAC-96 [RFC3566] HMAC-MD5-96 [RFC2403] The IPsec protocol 14

in transport and tunnel mode original IPv4 packet original IP TCP/UDP data in transport mode original IP TCP/UDP data trailer MAC encrypted authenticated in tunnel mode new IP original IP TCP/UDP data trailer MAC encrypted authenticated The IPsec protocol 15 Combining SAs transport adjacency (basic -AH combination) first apply in transport mode without authentication then apply AH in transport mode original IP AH TCP/UDP data trailer authenticated except for mutable fields in the IP iterated tunneling (multiple nested tunnels) both end-points of the two tunnels are the same one end-point of the two tunnels is the same neither endpoint of the two tunnels is the same transport within tunnel The IPsec protocol 16

Example: secure end-to-end communications one or more transport SAs (transport adjacency) local intranet Internet local intranet The IPsec protocol 17 Example: corporate VPN with tunneling tunnel SAs in both direction local intranet Internet local intranet The IPsec protocol 18

Example: remote access tunnel SAs in both direction Internet local intranet The IPsec protocol 19 IKEv2 generic message format next payload next payload IKE SA initiator s SPI IKE SA responder s SPI mj ver mn ver exchange type message ID length C reserved flags payload length payload type specific and payload data initiator s SPI an 8 byte value chosen by the initiator to identify the IKE SA reponder s SPI an 8 byte value chosen by the responder to identify the IKE SA major and minor version 2.0 exchange type IKE_SA_INIT IKE_AUTH CREATE_CHILD_SA INFORMATIONAL flags I(nitiator) set in messages sent by the original initiator R(esponse) indicates that this message is a response to a previous message with the same msg ID message ID used to match responses and requests, and to detect retransmissions The IPsec protocol 20

Message IDs every IKE message contains a Message ID as part of its fixed this Message ID is used to match up requests and responses (responses always contain the same message ID as the corresponding request) to identify retransmissions of messages each endpoint in the IKE SA maintains two "current" Message IDs: the next one to be used for a request it initiates and the next one it expects to see in a request from the other end counters are incremented as requests are generated and received thus, each integer n may appear as the message ID in four distinct messages: the n-th request from the original IKE initiator, the corresponding response, the n-th request from the original IKE responder, and the corresponding response there is no ambiguity in the messages, because the (I)nitiator and (R)esponse bits in the message specify which of the four messages a particular one is The IPsec protocol 21 Payload types Security Association (SA) Key Exchange (KE) Identification - Initiator (IDi) Identification - Responder (IDr) Certificate (CERT) Certificate Request (CERTREQ) Authentication (AUTH) Nonce (Ni, Nr) Notify (N) Delete (D) Vendor ID (V) Traffic Selector - Initiator (TSi) Traffic Selector - Responder (TSr) Encrypted (E) Configuration (CP) Extensible Authentication (EAP) The IPsec protocol 22

IKE exchange types all IKE exchanges consist of request/response pairs IKE_SA_INIT negotiation of cryptographic algorithms (for the IKE SA) exchange of nonces execution of a Diffie-Hellman key exchange IKE_AUTH authenticates the previous (IKE_SA_INIT) messages exchange of identities and certificates establishment of the first CHILD_SA (for AH and ) CREATE_CHILD_SA may be initiated by either end of the IKE_SA after the initial exchanges are completed establishes further SAs between the two ends if needed (for AH and ) The IPsec protocol 23 The IKE_SA_INIT exchange messages: I R : HDR; SAi1, KEi, Ni R I : HDR; SAr1, KEr, Nr where SAi1 proposed cryptographic algorithms for the IKE SA encryption alg integrity alg prf (pseudo-random function) DH group SAr1 cryptographic algorithms chosen by the responder KEi initiator s ephemeral DH value KEr responder s ephemeral DH value Ni, Nr - nonces The IPsec protocol 24

Supported algorithms encryption ENCR_DES_IV64 (RFC1827) ENCR_DES (RFC2405) ENCR_3DES (RFC2451) ENCR_RC5 (RFC2451) ENCR_IDEA (RFC2451) ENCR_CAST (RFC2451) ENCR_BLOWFISH (RFC2451) ENCR_3IDEA (RFC2451) ENCR_DES_IV32 ENCR_AES_CBC (RFC3602) ENCR_AES_CTR (RFC3664) integrity AUTH_HMAC_MD5_96 (RFC2403) AUTH_HMAC_SHA1_96 (RFC2404) AUTH_DES_MAC AUTH_KPDK_MD5 (RFC1826) AUTH_AES_XCBC_96 (RFC3566) prf PRF_HMAC_MD5 (RFC2104) PRF_HMAC_SHA1 (RFC2104) PRF_HMAC_TIGER (RFC2104) PRF_AES128_XCBC (RFC3664) The IPsec protocol 25 Key derivation - preliminaries keying material is derived as the output of the negotiated prf algorithm prf+ (K,S) = T1 T2 T3... where: T1 = prf (K, S 0x01) T2 = prf (K, T1 S 0x02) T3 = prf (K, T2 S 0x03) keys are taken from the output string T1 T2 T3 without regard to boundaries The IPsec protocol 26

Key derivation SKEYSEED = prf( Ni Nr, g XiXr ) SK_d SK_ai SK_ar SK_ei SK_er SK_pi SK_pr = = prf+ (SKEYSEED, Ni Nr SPIi SPIr ) KEYMAT = prf+(sk_d, Ni Nr) // key material // for child SAs SK_ei, SK_er message encryption keys for the IKE SA SK_ai, SK_ar message integrity (authentication) keys SK_pi, SK_pr keys used to generate the AUTH payloads The IPsec protocol 27 The IKE_AUTH exchange messages: I R : HDR; { IDi, [CERT,] AUTHi, SAi2, TSi, TSr } R I : HDR; { IDr, [CERT,] AUTHr, SAr2, TSi, TSr } where IDi identifier of the initiator (e.g., its IP address) IDr identifier of the responder (e.g., its IP address) CERT public key certificate (optional) AUTH authentication payload used to authenticate the messages of the IKE_SA_INIT exchange SAi2 proposals for the first child SA SAr2 algorithms chosen by the responder for the child SA TSi, TSr traffic selectors { } denotes cryptographic protection (encryption and integrity) with the keys SK_ai, SK_ar, SK_ei, SK_er The IPsec protocol 28

The AUTH payload AUTH authenticates the IKE_SA_INIT exchange two options are supported: signature based authentication authentication with a pre-shared secret in case of signature based authentication: AUTHi : sig( msg1_of_ike_sa_init Nr prf(sk_pi, IDi) ) AUTHr : sig( msg2_of_ike_sa_init Ni prf(sk_pr, IDr) ) the signature can be an RSA or a DSS signature CERT contains the public signature verification key in case of shared secret based authentication: AUTH = prf(prf(secret,"key Pad for IKEv2"), msg_octets) AUTHi and AUTHr may not necessarily be computed with the same authentication approach The IPsec protocol 29 Protection against DoS attacks messages: I R : HDR; SAi1, KEi, Ni R I : HDR; N(cookie) I R : HDR; N(cookie), SAi1, KEi, Ni R I : HDR; SAr1, KEr, Nr I R : HDR; { IDi, [CERT,] AUTHi, SAi2, TSi, TSr } R I : HDR; { IDr, [CERT,] AUTHr, SAr2, TSi, TSr } the responder sends a random cookie to the IP address from which the first message was received the initiator must repeat its first message with the cookie included an attacker cannot initiate an IKE exchange from a spoofed IP address The IPsec protocol 30

Protection against DoS attacks the responder shouldn t keep state for the purpose of verifying a previously sent cookie (because that could be exploited by a DoS attack) possible solution: cookie = <VersionIDofSecret> Hash(Ni IPi SPIi <secret>) where <secret> is a randomly generated secret known only to the responder and periodically changed <VersionIDofSecret> is changed whenever <secret> is regenerated in this way, the cookie can be re-computed when the IKE_SA_INIT request arrives the second time and compared to the cookie in the received message in order to avoid problems when <secret> is changed to a new value during a pending IKE_SA_INIT, the responder may keep the old value of <secret> around for a short time and accept cookies computed from either value The IPsec protocol 31 The CREATE_CHILD_SA exchange messages: I R : HDR; { SAi, Ni, TSi, TSr } R I : HDR; { SAr, Nr, TSi, TSr } where SAi contains proposals for the child SA to be created SAr contains a single accepted offer Ni, Nr nonces (used in key derivation) TSi, TSr traffic selectors (specify which packets should be protected by the new SA) The IPsec protocol 32

Further readings RFC 4301: an overview of the IPSec security architecture RFC 4302: specification of AH RFC 4303: specification of RFC 4305: specification of algorithms for AH and RFC 4306: specification of IKEv2 The IPsec protocol 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information