SECURITY ASSOCIATIONS (SAs)
- One-way relationship between sender and receiver
- For two-way, need two SAs
- Three parameters:
  1. Security Parameter Index (SPI)
  2. IP Destination Address
  3. Security Protocol Identifier

SECURITY ASSOCIATIONS (SAs)
1. Security Parameter Index (SPI) - bit string carried in AH and ESP headers; enables receiver to select SA for processing packet
2. IP Destination Address - end user or network system (e.g. firewall, router)
3. Security Protocol Identifier - indicates AH or ESP

SA PARAMETERS
- Sequence Number Counter
- Sequence Counter Overflow - overflow auditable?
- Anti-Replay Window - is incoming AH or ESP a replay?
- AH information - auth. alg., keys, key lifetimes
- ESP information - encryp. alg., auth. alg., keys, init. values, key lifetimes
- Lifetime of SA
- IPSec Protocol Mode - Tunnel/Transport/Wildcard (mask)
- Path MTU - max packet size

SECURITY POLICY DATABASE (SPD)
Relates IP traffic to specific SAs:
- [Subset 0 of IP Traffic] -> SA
- [Subset 1 of IP Traffic] -> SA
and/or
- [Subset of IP Traffic] -> SA 0, SA 1

SPD: IP and UPPER LAYER SELECTORS - filters/maps traffic to SA
- Dest. IP Address: single/list/range/wildcard
- Source IP Address: single/list/range/wildcard
- User ID
- Data Sensitivity Level: e.g. secret/unclassified
- Transport Layer Protocol: (number) individual/list/range
- IPSEC Protocol: AH/ESP/AH and ESP
- Source and Dest. Ports: (TCP or UDP values) individual/list/wildcard

SPD: IP and UPPER LAYER SELECTORS - filters/maps traffic to SA
- IPv6 Class: specific/wildcard
- IPv6 Flowlabel: specific/wildcard
- IPv4 Type of Service (TOS): specific/wildcard

TRANSPORT MODE
- Upper-layer protection
- End-to-end communication (e.g. client and server, two workstations)
- ESP encrypts IP payload (not header) (optionally authenticates)
- AH authenticates IP payload + selected portions of header

TUNNEL MODE
- Protects entire IP packet
- Entire packet + security fields treated as "outer" payload with new IP header
- Original (inner) packet travels through tunnel
- Routers cannot examine inner IP header, e.g. tunneled through firewall
- Table 16.2

ANTI-REPLAY SERVICE
- Sequence Number Field (SNF) thwarts attack
- New SA: sender initialises C = 0
- For every new packet on SA: C++
- Anti-replay operates up to max C = 2^32 - 1
- If max reached, terminate SA

ANTI-REPLAY SERVICE
IP is a connectionless, unreliable protocol; it does NOT guarantee:
- packets delivered in order
- all packets delivered

ANTI-REPLAY MECHANISM (Fig 16.4)
1. If Rx packet falls in window and is new, then check MAC. If authentic, then mark slot.
2. If Rx packet is to right of window and is new, then check MAC. If authentic, advance window up to packet.
3. If Rx packet is to left of window or authentication fails, then discard, audit.

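The three receiver rules above as a sliding-window bitmap, added here as an example and not taken from the slides. The window size of 64, the names replay_state, replay_accept and replay_demo, and the mac_ok flag standing in for the ICV check are assumptions; the arrival sequence is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW 64u /* assumed window size W, one bit per slot */

struct replay_state {
    uint32_t top;    /* right edge: highest sequence number authenticated */
    uint64_t bitmap; /* bit i set => sequence number (top - i) already seen */
};

/* Returns true if the packet is accepted. mac_ok stands in for the ICV check. */
bool replay_accept(struct replay_state *st, uint32_t seq, bool mac_ok)
{
    if (seq == 0) return false;        /* sender increments C before first use */
    if (seq > st->top) {               /* rule 2: right of window */
        if (!mac_ok) return false;     /* a forged packet must not move the window */
        uint32_t shift = seq - st->top;
        st->bitmap = (shift >= WINDOW) ? 0 : st->bitmap << shift;
        st->bitmap |= 1ULL;
        st->top = seq;
        return true;
    }
    uint32_t offset = st->top - seq;
    if (offset >= WINDOW) return false;               /* rule 3: left of window */
    if (st->bitmap & (1ULL << offset)) return false;  /* in window, slot marked */
    if (!mac_ok) return false;                        /* rule 3: bad MAC */
    st->bitmap |= 1ULL << offset;                     /* rule 1: mark slot */
    return true;
}

/* Constructed arrival order; bit i of the result is set if packet i was accepted. */
uint32_t replay_demo(void)
{
    static const uint32_t seq[] = {1, 3, 2, 3, 100, 36, 37, 101, 101};
    static const bool     mac[] = {1, 1, 1, 1, 1,   1,  1,  0,   1};
    struct replay_state st = {0, 0};
    uint32_t accepted = 0;
    for (unsigned i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (replay_accept(&st, seq[i], mac[i]))
            accepted |= 1u << i;
    return accepted;
}

int main(void)
{
    printf("accept mask: 0x%03x\n", (unsigned)replay_demo());
    return 0;
}
```

The replayed 3, the too-old 36 and the forged 101 are dropped; the out-of-order 2 and 37 are accepted because they fall inside the window and their slots are unmarked.
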
INTEGRITY CHECK VALUE (ICV) - MAC
- HMAC-MD5-96, HMAC-SHA-1-96 (trunc. to 96 bits)
- MAC over:
  - IP Header: fields which are unchanged in transit (or are predictable at receiver); other fields set to 0 for calculation purposes
  - AH Header except Authentication Data field (AD set to 0)
  - Upper-level protocol data

TRANSPORT / TUNNEL MODES
- Fig 16.5
  - Transport SA: workstation to server (secret key)
  - Tunnel SA: workstation to internal network firewall, internal server without auth.
- Fig 16.6
  - IP payload is TCP or data for other protocol

ENCAPSULATING SECURITY PAYLOAD (ESP)
- SPI - Security Association
- Sequence Number
- Payload - Transport/Tunnel - encrypt
- Padding - 0 to 255 bytes
- Pad Length
- Next Header - payload type, by identifying first header in payload
- Auth. Data - ICV (MAC)

ESP
- Encrypts payload, padding, pad length, next header
- Optional init. vector (IV) for encryp. alg. at beginning of Payload
- Uses DES (CBC), 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish
- Uses HMAC-MD5-96, HMAC-SHA-1-96

PADDING
- Required if encryp. alg. requires plaintext to be a certain multiple of bytes
- To make ciphertext a multiple of 32 bits
- For partial traffic flow confidentiality

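A worked ESP trailer computation covering the three padding purposes above, added here as an example and not taken from the slides. The function names, the extra_blocks parameter (whole extra alignment units for traffic flow confidentiality) and the sample lengths are assumptions; the 1, 2, 3, ... fill is the default padding content from the ESP specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Smallest alignment meeting both the cipher block size and the 32-bit rule. */
static unsigned esp_align(unsigned block_size)
{
    unsigned a = block_size;
    while (a % 4 != 0)
        a += block_size;            /* lcm(block_size, 4) */
    return a;
}

/* Pad Length value, or -1 if it cannot fit the one-byte field (0 to 255).
 * extra_blocks (assumed knob) adds whole alignment units to hide the length. */
int esp_pad_len(size_t payload_len, unsigned block_size, unsigned extra_blocks)
{
    if (block_size == 0 || block_size > 64 || extra_blocks > 255)
        return -1;
    unsigned align = esp_align(block_size);
    /* payload + padding + Pad Length (1) + Next Header (1) must be aligned */
    size_t pad = (align - (payload_len + 2) % align) % align;
    pad += (size_t)extra_blocks * align;
    return pad <= 255 ? (int)pad : -1;
}

/* Appends Padding | Pad Length | Next Header after the payload already in buf.
 * Returns the length of the plaintext to encrypt, or 0 on error. */
size_t esp_add_trailer(uint8_t *buf, size_t cap, size_t payload_len,
                       unsigned block_size, unsigned extra_blocks,
                       uint8_t next_header)
{
    int pad = esp_pad_len(payload_len, block_size, extra_blocks);
    if (pad < 0 || payload_len > cap || cap - payload_len < (size_t)pad + 2)
        return 0;
    uint8_t *p = buf + payload_len;
    for (int i = 1; i <= pad; i++)
        *p++ = (uint8_t)i;          /* default padding bytes 1, 2, 3, ... */
    *p++ = (uint8_t)pad;            /* Pad Length */
    *p++ = next_header;             /* e.g. 6 = TCP */
    return (size_t)(p - buf);
}

int main(void)
{
    uint8_t buf[64] = {0};          /* constructed 20-byte payload of zeros */
    size_t n = esp_add_trailer(buf, sizeof buf, 20, 16, 0, 6);
    printf("pad=%d total=%zu\n", esp_pad_len(20, 16, 0), n);
    return 0;
}
```
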
TRANSPORT and TUNNEL MODES
- Fig 16.8
- Transport - confidentiality for all appl.; drawback: traffic analysis
- Tunnel - hosts avoid implementing security (VPN)
- Fig 16.9

COMBINING SAs
- Each SA implements AH or ESP, but some traffic flows may require both: multiple SAs
- Security Association Bundle: sequence of SAs
- SAs may terminate at different endpoints

TWO BUNDLE TYPES
- Transport Adjacency: more than one security protocol applied to same IP packet, no tunneling, one endpoint
- Iterated Tunneling: multiple (nested) security layers using tunneling, possibly different endpoints

TWO BUNDLE TYPES
The two approaches can be combined, e.g. a Transport SA between hosts travels partway through a Tunnel SA between security gateways.

AUTHENTICATION + CONFIDENTIALITY
1. ESP with Auth. Option - Fig 16.9
   - Transport mode ESP: IP header not protected
   - Tunnel mode ESP: auth. entire outer IP packet, encryp. entire inner IP packet
   - For both cases, ciphertext is authenticated

AUTHENTICATION + CONFIDENTIALITY
2. Transport Adjacency
   - Two bundled SAs: inner being ESP (no auth.), outer being AH
   - Advantage: auth. covers more fields
   - Disadvantage: two SAs versus one

AUTHENTICATION + CONFIDENTIALITY
3. Transport-Tunnel Bundle
   - Auth. prior to encryp.; advantages:
     - Impossible to intercept and alter without detection
     - Store MAC with message at destination for later
   - Use bundle:
     - Inner AH: Transport SA
     - Outer ESP: Tunnel SA
   - Entire auth. inner packet encrypted; new outer IP header added

BASIC COMBINATION OF SAs
- CASE 1: End systems implement IPSec - share keys
- CASE 2: Security between gateways (routers, firewalls). No hosts implement IPSec. Simple VPN. Nested tunnels not required because IPSec applied to entire packet.
- CASE 3: Case 2 + end-to-end security. Gateway-to-gateway ESP provides traffic confidentiality.
- CASE 4: Support for remote host to reach firewall. Only tunnel mode required.
- Key Management - Read