Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security: IPsec

Published byKory Arnold Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Security: IPsec"— Presentation transcript:

1 Network Security: IPsec
Tuomas Aura T Network security Aalto University, Nov-Dec 2013

2 IPsec: Architecture and protocols

3 Internet protocol security (IPsec)
Network-layer security protocol Protects IP packets between two hosts or gateways Transparent to transport layer and applications; security policy defined and enforced on network level IP addresses used to as host identifiers Two steps: IKE authenticated key exchange creates security associations ESP session protocol protects data Specified by Internet Engineering Task Force (IETF) Original goal: encryption and authentication layer that will replace all others Security (IPsec) was a sales point for IPv6, but it now works just as well for IPv4

4 IPsec architecture [RFC4301]
Network Security Part 4: TLS, IPSec July 2004, Shanghai IPsec architecture [RFC4301] Untrusted network Node A Node B PAD 1. Key exchange PAD IKE(v2) IKE(v2) Session Key Session Key SPD Security Policy Database Security Policy Database SPD IKE SA SAD Security Association Database SAD Security Association Database IPSec IPSec IPsec SA Pair 2. ESP protects data Security associations (SA) created by IKE, used by IPsec ESP Security policy guides SA creation and selection for use IPsec is part of the IP layer in the OS kernel; IKE is a user-space service (daemon) Tuomas Aura, Microsoft Research

5 Internet Key Exchange (IKEv2)
Network Security Part 4: TLS, IPSec July 2004, Shanghai Internet Key Exchange (IKEv2) Initial exchanges (using the notation from the IPsec RFC): 1. I → R: HDR(A,0), SAi1, KEi, Ni 2. R → I: HDR(A,B), SAr1, KEr, Nr, [CERTREQ] 3. I → R: HDR(A,B), SK { IDi, [CERT,] [CERTREQ,] [IDr,] AUTHi, SAi2, TSi, TSr } 4. R → I: HDR(A,B), SK { IDr, [CERT,] AUTHr, SAr2, TSi, TSr } A, B = SPI values that identity the protocol run and the created IKE SA Nx = nonces SAx1 = offered and chosen algorithms, DH group (p and g) KEx = Diffie-Hellman public key (gx or gy) CERTREQ = accepted root CAs (or other trust roots) IDx, CERT = identity, certificate AUTHi = SignI (Message 1, Nr, h(SK, IDi)) AUTHr = SignR (Message 2, Ni, h(SK, IDr)) SK = h(Ni, Nr, gxy) — actually, 6 different keys are derived from this SK { … } = ESK( …, MACSK(…)) — MAC and encrypt with session key SAx2, TSx = parameters for the first IPsec SA (algorithms, SPIs, traffic selectors) Tuomas Aura, Microsoft Research

6 Internet Key Exchange (IKEv2)
Network Security Part 4: TLS, IPSec July 2004, Shanghai Internet Key Exchange (IKEv2) Initial exchanges: 1. I → R: HDR(A,0), SAi1, KEi, Ni 2. R → I: HDR(A,B), SAr1, KEr, Nr, [CERTREQ] 3. I → R: HDR(A,B), SK { IDi, [CERT,] [CERTREQ,] [IDr,] AUTHi, SAi2, TSi, TSr } 4. R → I: HDR(A,B), SK { IDr, [CERT,] AUTHr, SAr2, TSi, TSr } A, B = SPI values that identity the protocol run and the created IKE SA Nx = nonces SAx1 = offered and chosen algorithms, DH group (p and g) KEx = Diffie-Hellman public key (gx or gy) CERTREQ = accepted root CAs (or other trust roots) IDx, CERT = identity, certificate AUTHi = SignI (Message 1, Nr, h(SK, IDi)) AUTHr = SignR (Message 2, Ni, h(SK, IDr)) SK = h(Ni, Nr, gxy) — actually, 6 different keys are derived from this SK { … } = ESK( …, MACSK(…)) — MAC and encrypt with session key SAx2, TSx = parameters for the first IPsec SA (algorithms, SPIs, traffic selectors) Secret, fresh session key? Mutual authentication? Entity authentication and key confirmation? Contributory? Perfect forward secrecy? Integrity check for initial negotiation? Non-repudiation or plausible deniability? Identity protection? Tuomas Aura, Microsoft Research

7 IKEv2 with a cookie exchange
Network Security Part 4: TLS, IPSec July 2004, Shanghai IKEv2 with a cookie exchange In the second message, responder may send a cookie (a nonce) Goal: prevent DOS attacks from a spoofed IP address 1. I → R: HDR(A,0), SAi1, KEi, Ni 2. R → I: HDR(A,0), N(COOKIE) // R stores no state 3. I → R: HDR(A,0), N(COOKIE), SAi1, KEi, Ni 4. R → I: HDR(A,B), SAr1, KEr, Nr, [CERTREQ] // R creates a state 5. I → R: HDR(A,B), SK{ IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr } 6. R → I: HDR(A,B), ESK (IDr, [CERT,] AUTH, SAr2, TSi, TSr) How to bake a good cookie? For example: COOKIE = h(NR-periodic, IP addr of I, IP addr of R) where NR-periodic is a periodically changing secret random value know only by the responder R Tuomas Aura, Microsoft Research

8 Security Associations (SA)
Network Security Part 4: TLS, IPSec July 2004, Shanghai Security Associations (SA) One IKE SA for each pair of nodes Stores the master key SK = h(Ni, Nr, gxy) for creating IPsec SAs At least one IPsec SA pair for each pair of nodes Stores the negotiated session protocol, encryption and authentication algorithms, keys and other session parameters Stores the encryption algorithm state IPsec SAs always come in pairs, one in each direction IPsec SAs are identified by a 32-bit security parameter index (SPI) [RFC4301] The destination node selects the SPI value Node stores IPsec SAs in a security association database (SAD) Tuomas Aura, Microsoft Research

9 Network Security Part 4: TLS, IPSec
July 2004, Shanghai Session protocol Encapsulated Security Payload (ESP) [RFC 4303] Encryption and/or MAC for each packet Optional replay prevention with sequence numbers Protects the IP payload (= transport-layer PDU) only ESP with encryption only is insecure! Old protocol: Authentication Header (AH) Do not use for new applications Authentication only, no encryption Protects payload and some IP header fields Tuomas Aura, Microsoft Research

10 Session protocol modes
Lecture 8 July 2004, Shanghai Session protocol modes Transport mode Encryption and/or authentication from end host to end host Network Encrypted Tunnel mode Encryption and/or authentication between two gateways (VPN) IPsec gateway IPsec gateway Internet Intranet Intranet Encrypted Tuomas Aura, Microsoft Research

11 Using tunnel mode with hosts
Network Security Part 4: TLS, IPSec July 2004, Shanghai Using tunnel mode with hosts Tunnel mode - between end hosts (security equivalent to transport mode) Network Tunnel mode - between a host and a gateway (typical VPN connection) Untrusted access network IPsec gateway Internet Intranet Tuomas Aura, Microsoft Research

12 Network Security Part 4: TLS, IPSec
July 2004, Shanghai ESP packet format Original packet: ESP header and trailer = SPI + Sequence number + Padding ESP authentication trailer = message authentication code (MAC) IP header IP Payload ESP in transport mode: Original Original IP header ESP header Auth trailer ESP trailer IP Payload ! Encrypted Authenticated ESP in tunnel mode: Original IP header ESP header IP header IP Payload ESP trailer Auth trailer Encrypted Authenticated Tuomas Aura, Microsoft Research

13 IPsec databases Security association database (SAD)
Contains the IPsec SAs i.e.t the dynamic protection state Security policy database (SPD) Contains the static security policy Usually set by system administrators (e.g. Windows group policy), although some protocols and applications make dynamic changes Peer authorization database (PAD) Needed in IKE for mapping between authenticated names and IP addresses Conceptual; not implemented as an actual database Additionally, the IKE service/daemon stores IKE SAs: Master secret created with Diffie-Hellman key exchange Used for instantiating new IPsec Sas (Note: our description of SPD differs somewhat from RFC4301 and is probably closer to most implementations)

14 Gateway SPD/SAD example
SPD of gateway A, interface 2 Protocol Local IP Port Remote IP Action Comment UDP 500 BYPASS IKE * /24 /24 ESP tunnel to Protect VPN traffic All other peers Pointers to created associations SAD of gateway A SPI SPD selector values Protocol Algorithms, keys, algorithm state spi1 UDP, /24, /24 ESP tunnel from spi2 ESP tunnel to Intranet /24 Intranet /24 Internet interface1 interface2 interface1 interface2 IPsec gateway A IPsec gateway B

15 Security policy database (SPD)
Network Security Part 4: TLS, IPSec July 2004, Shanghai Security policy database (SPD) Specifies the static security policy Multi-homed nodes have a separate SPD for each network interface (in practice, they can be stored on one database) (multihomed = node with multiple network interfaces) Policy maps inbound and outbound packets to actions SPD = linearly ordered list of policies Policy = selectors + action The first policy with matching selectors applies to each packet Policy selector is a 5-tuple: Local and remote IP address Transport protocol (TCP, UDP, ICMP) Source and destination ports Actions: BYPASS (allow), DISCARD (block), or PROTECT PROTECT specifies also the session protocol and algorithms Packet is mapped to a suitable IPsec security association (SA) If the SA does not exist, IKE is triggered to create them SPD stores pointers to previously created SAs Policies at peer nodes must match if they are to communicate Tuomas Aura, Microsoft Research

16 Some problems with IPsec

17 IPsec and NAT Problems: → Host behind a NAT could not use IPsec
NAT cannot multiplex IPsec: impossible to modify SPI or port number because they are authenticated → Host behind a NAT could not use IPsec NAT traversal (NAT-T): UDP-encapsulated ESP (port 4500) NAT detection: extension of IKEv1 and IKEv2 for sending the original source address in initial packets → Enables host behind a NAT to use IPsec

18 IPsec and mobility Problem: IPsec policies and SAs are bound to IP addresses. Mobile nodes change their IP address Mobile IPv6 helps: home address (HoA) is stable. But Mobile IPv6 itself depends on IPsec for the tunnel between HA and MN. → chicken-and-egg situation Solutions: IPsec was changed to look up inbound SAs by SPI only IPsec-based VPNs from mobile hosts do not use the IP address as selector. Instead, proprietary solutions MOBIKE mobility protocol

19 IPsec and name resolution
Typical TCP socket API use: resolve name into an IP address; then connect to the address TCP SYN to the address triggers IKE (if the ESP SA does not exist yet)

20 Classic IPsec/DNS Vulnerability
IPsec policy selection depends on secure name resolution Attacker spoofs DNS response to circumvent the IPsec policy

21 IPsec and Certificates
Let’s assume DNS is secure Another problem: IKE knows the peer IP address, not the peer name; the certificate only contains the name  How does IPsec decide whether the certificate is ok?

22 What can go wrong?

23 IPsec and Certificates - Attack
IPsec cannot detect whether the certificate contains the correct name Secure DNS (forward lookup) does not help — why? Result: group authentication of those certified by the same CA → maybe ok for protecting an intranet where the goal is to keep outsiders out

24 Peer authorization database (PAD)
IPsec spec [RFC4301] defines a database that maps authenticated names to the IP addresses which they are allowed to represent How implemented? Secure reverse DNS would be the best solution — but it does not exist Other solutions: Secure DNS — both secure forward and reverse lookup needed, which is unrealistic Give up IPsec transparency — extend the socket API so that applications can query for the authenticated name and other security state Connect by name — change the socket API so that the connect() call specifies the host name, not the IP address Currents situation: IPsec is only used for VPN where the gateway names and IP addresses are preconfigured

25 Related reading William Stallings. Network security essentials: applications and standards, 3rd ed. chapter 6; 4th ed. chapters 8, 11 William Stallings. Cryptography and Network Security, 4th ed.: chapter 16 Kaufmann, Perlman, Speciner. Network security, 2nd ed.: chapter 17 (ignore AH) Note: chapter 18 on the older IKEv1 is historical Dieter Gollmann. Computer Security, 2nd ed. chapter 13.3; 3rd ed. chapters 16.1–16.3, 17.3

26 Network Security Part 4: TLS, IPSec
July 2004, Shanghai Exercises Why is IPsec used mainly for VPN implementations? Does IPsec VPN suffer from any of the problems mentioned in the lecture? For the IPsec policy examples of this lecture, define the IPsec policy for the peer nodes i.e. the other ends of the connections. Try to configure the IPsec policy between two computers. What difficulties did you meet? Use ping and TCP to test connectivity. Use a network sniffer to observe the key exchange and to check that packets on the wire are encrypted. What administrative problems arise from the fact that IPsec security policies in two communicating nodes must match? How is this solved in Windows? RFC 4301 requires that the SPD is decorrelated, i.e. that the selectors of policy entries not to overlap, i.e. that any IP packet will match at most one rule (excluding the default rule which matches all packet). Yet, the policies created by system administrators almost always have overlapping entries. Device an algorithm for transforming any IPsec policy to an equivalent decorrelated policy. (Real protocol stacks do not implement decorrelation. Why?) Each SAD entry stores (caches) policy selector values from the policy that was used when creating it. Inbound packets are compared against these selectors to check that the packet arrives on the correct SA. What security problem would arise without this check? What security weakness does the caching have (compared to a lookup through the SPD)? Does policy decorrelation solve the problem? Tuomas Aura, Microsoft Research

Download ppt "Network Security: IPsec"

Similar presentations

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.

IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
Softwire Security Requirement draft-ietf-softwire-security-requirements-03.txt Softwires WG IETF#69, Chicago 25 th July 2007 Shu Yamamoto Carl Williams.

Softwire Security Requirement draft-ietf-softwire-security-requirements-03.txt Softwires WG IETF#69, Chicago 25 th July 2007 Shu Yamamoto Carl Williams.
1 Network Security Lecture 8 IP Sec Waleed Ejaz

1 Network Security Lecture 8 IP Sec Waleed Ejaz
CSCE 715: Network Systems Security

CSCE 715: Network Systems Security
TCP/IP Protocols Contains Five Layers

TCP/IP Protocols Contains Five Layers
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Karlstad University IP security Ge Zhang

Karlstad University IP security Ge Zhang
IPsec. 18.1 Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

Similar presentations

Ads by Google