ip security. ipsec objectives n band-aid for ipv4 u spoofing a problem u not designed with security...
Post on 22-Dec-2015
215 views
TRANSCRIPT
IPSEC Objectives Band-aid for IPv4Band-aid for IPv4
Spoofing a problemSpoofing a problem Not designed with security or authentication in Not designed with security or authentication in
mindmind IP layer mechanism for IPv4 and IPv6 IP layer mechanism for IPv4 and IPv6
Not all applications need to be security awareNot all applications need to be security aware Mandatory in IPv6, optional in IPv4Mandatory in IPv6, optional in IPv4
Can be transparent to applications and usersCan be transparent to applications and users Resistant to bypassResistant to bypass
Security Associations A one-way relationship between sender & A one-way relationship between sender &
receiver that affords security for traffic flowreceiver that affords security for traffic flow Can be between Can be between
A pair of hostsA pair of hosts A host and a security gatewayA host and a security gateway A pair of security gatewaysA pair of security gateways
Two basic protocolsTwo basic protocols Authentication headers (AH)Authentication headers (AH) Encapsulating security payload (ESP)Encapsulating security payload (ESP)
Architecture & Concepts Tunnel vs. Transport modeTunnel vs. Transport mode Security association (SA)Security association (SA)
Security parameter index (SPI)Security parameter index (SPI) Security policy database (SPD)Security policy database (SPD) SA database (SAD)SA database (SAD)
Authentication header (AH)Authentication header (AH) Encapsulating security payload (ESP)Encapsulating security payload (ESP) Key managementKey management
A B
Encrypted Tunnel
Gateway 1 Gateway 2
New IP Header
AH or ESP Header
TCP DataOrig IP Header
Encrypted
Unencrypted Unencrypted
Transport Mode vs. Tunnel Mode Transport mode: host -> hostTransport mode: host -> host Tunnel mode: host->gateway or gateway->gatewayTunnel mode: host->gateway or gateway->gateway
Transport Mode
ESP protects higher layer payload onlyESP protects higher layer payload only AH can protect IP headers as well as higher AH can protect IP headers as well as higher
layer payloadlayer payload
IPheader
IPoptions
IPSecheader
Higherlayer protocol
ESP
AH
Real IPdestination
Tunnel Mode
ESP applies only to the tunneled packetESP applies only to the tunneled packet AH can be applied to portions of the outer AH can be applied to portions of the outer
headerheader
Outer IPheader
Inner IPheader
IPSecheader
Higherlayer protocol
ESP
AH
Real IP destinationDestinationIPSecentity
Security Association - SA Defined by 3 parameters:Defined by 3 parameters:
Security Parameters Index (SPI)Security Parameters Index (SPI) IP Destination AddressIP Destination Address Security Protocol IdentifierSecurity Protocol Identifier
Have a database of Security Associations Have a database of Security Associations Determine IPSec processing for sendersDetermine IPSec processing for senders Determine IPSec decoding for destinationDetermine IPSec decoding for destination SAs are not fixed! Generated and customized per SAs are not fixed! Generated and customized per
traffic flowstraffic flows
Security Parameters Index - SPI Can be up to 32 bits largeCan be up to 32 bits large The SPI allows the destination to select the The SPI allows the destination to select the
correct SA under which the received packet correct SA under which the received packet will be processed will be processed According to the agreement with the senderAccording to the agreement with the sender The SPI is sent with the packet by the senderThe SPI is sent with the packet by the sender
SPI + Dest IP address + IPSec Protocol (AH or SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SAESP) uniquely identifies a SA
SA Database - SAD
Holds parameters for each SAHolds parameters for each SA Lifetime of this SALifetime of this SA AH and ESP informationAH and ESP information Tunnel or transport modeTunnel or transport mode
Every host or gateway participating in Every host or gateway participating in IPSec has their own SA databaseIPSec has their own SA database
Security Policy Database - SPD
What traffic to protect?What traffic to protect? Policy entries define which SA or SA Policy entries define which SA or SA
bundles to use on IP trafficbundles to use on IP traffic Each host or gateway has their own SPDEach host or gateway has their own SPD Index into SPD by Selector fieldsIndex into SPD by Selector fields
Dest IP, Source IP, Transport Protocol, IPSec Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, …Protocol, Source & Dest Ports, …
SPD Entry Actions
DiscardDiscard Do not let in or outDo not let in or out
BypassBypass Outbound: do not apply IPSecOutbound: do not apply IPSec Inbound: do not expect IPSecInbound: do not expect IPSec
Protect – will point to an SA or SA bundleProtect – will point to an SA or SA bundle Outbound: apply securityOutbound: apply security Inbound: check that security must have been Inbound: check that security must have been
appliedapplied
SPD Protect Action
If the SA does not exist…If the SA does not exist… Outbound processing: use IKE to generate SA Outbound processing: use IKE to generate SA
dynamicallydynamically Inbound processing: drop packetInbound processing: drop packet
Is it for IPSec?If so, which policyentry to select?
…
SPD(Policy)
…
SA Database
IP Packet
Outbound packet (on A)
A B
SPI & IPSec Packet
Send to B
Determine the SA and its SPI
IPSec processing
Outbound Processing
Use SPI to index the SAD
…
SA Database
Original IP Packet
SPI & Packet
Inbound packet (on B) A B
From A
Inbound Processing
…
SPD(Policy)
Was packet properly secured?
“un-process”
Architecture & Concepts Tunnel vs. Transport modeTunnel vs. Transport mode Security association (SA)Security association (SA)
Security parameter index (SPI)Security parameter index (SPI) Security policy database (SPD)Security policy database (SPD) SA database (SAD)SA database (SAD)
Authentication header (AH)Authentication header (AH) Encapsulating security payload (ESP)Encapsulating security payload (ESP) Key managementKey management
Authenticated Header Data integrityData integrity
Entire packet has not been tampered withEntire packet has not been tampered with AuthenticationAuthentication
Can “trust” IP address sourceCan “trust” IP address source Use keyed MAC to authenticateUse keyed MAC to authenticate
Symmetric encryption, e.g, DESSymmetric encryption, e.g, DES One-way hash functions with a shared secret key, e.g, One-way hash functions with a shared secret key, e.g,
HMAC-MD5-96 or HMAC-SHA-1-96HMAC-MD5-96 or HMAC-SHA-1-96
Anti-replay featureAnti-replay feature Integrity check valueIntegrity check value
……
SAD
SPI
Sequence Number
ICV
Next Header (TCP/UDP)
Payload LengthReserved
IPSec Authenticated HeaderLength of the authentication headerLength of the authentication header
Integrity Check Value - ICV Keyed Message authentication code (MAC) Keyed Message authentication code (MAC)
calculated overcalculated over IP header field that do not change or are predictableIP header field that do not change or are predictable
Source IP address, destination IP, header length, etc.Source IP address, destination IP, header length, etc. Prevent spoofingPrevent spoofing Mutable fields: time-to-live (TTL), IP header checksum, Mutable fields: time-to-live (TTL), IP header checksum,
etc.etc.
IPSec protocol header except the ICV value fieldIPSec protocol header except the ICV value field Upper-level dataUpper-level data
Code may be truncated to first 96 bitsCode may be truncated to first 96 bits
AH: Tunnel and Transport Mode
OriginalOriginal Transport ModeTransport Mode
Cover most of the Cover most of the original packetoriginal packet
Tunnel ModeTunnel Mode Cover entire Cover entire
original packetoriginal packet
Encapsulating Security Payload (ESP)
Provide Provide message content confidentialitymessage content confidentiality ProvideProvide limited traffic flow confidentiality limited traffic flow confidentiality Can optionally Can optionally provide the same authentication provide the same authentication
services as AHservices as AH Supports range of ciphers, modes, paddingSupports range of ciphers, modes, padding
Incl. DES, Triple-DES, RC5, IDEA, CAST etcIncl. DES, Triple-DES, RC5, IDEA, CAST etc A variant of DES most commonA variant of DES most common Pad to meet blocksize, for traffic flowPad to meet blocksize, for traffic flow
ESP: Tunnel and Transport Mode
OriginalOriginal
Transport ModeTransport Mode Good for host to Good for host to
host traffichost traffic Tunnel ModeTunnel Mode
Good for VPNs, Good for VPNs, gateway to gateway gateway to gateway securitysecurity
Outbound Packet Processing Form ESP headerForm ESP header
Security parameter index (SPI)Security parameter index (SPI) Sequence numberSequence number
Pad as necessaryPad as necessary Encrypt result [payload, padding, pad length, Encrypt result [payload, padding, pad length,
next header]next header] Apply authentication (optional)Apply authentication (optional)
Allow rapid detection of replayed/bogus packetsAllow rapid detection of replayed/bogus packets Allow potential parallel processing - decryption & Allow potential parallel processing - decryption &
verifying authentication codeverifying authentication code Integrity Check Value (ICV) includes whole ESP Integrity Check Value (ICV) includes whole ESP
packet minus packet minus authentication dataauthentication data field field
SPI
Sequence Number
Original IP Header
Integrity Check Value
Au
then
tica
tio
n c
ove
rag
e
En
cryp
ted Payload (TCP Header and Data)
Variable Length
Pad Length
Padding (0-255 bytes)
Next Header
ES
P T
rans
port
Exa
mpl
e
Inbound Packet Processing... Sequence number checkingSequence number checking
Duplicates are rejected!Duplicates are rejected! Packet decryptionPacket decryption
Decrypt quantity [ESP payload,padding,pad Decrypt quantity [ESP payload,padding,pad length,next header] per SA specificationlength,next header] per SA specification
Processing (stripping) padding per encryption Processing (stripping) padding per encryption algorithmalgorithm
Reconstruct the original IP datagramReconstruct the original IP datagram Authentication verification (option)Authentication verification (option)
Architecture & Concepts Tunnel vs. Transport modeTunnel vs. Transport mode Security association (SA)Security association (SA)
Security parameter index (SPI)Security parameter index (SPI) Security policy database (SPD)Security policy database (SPD) SA database (SAD)SA database (SAD)
Authentication header (AH)Authentication header (AH) Encapsulating security payload (ESP)Encapsulating security payload (ESP) Key managementKey management
Key Management
Handles key generation & distributionHandles key generation & distribution Typically need 2 pairs of keysTypically need 2 pairs of keys
2 per direction for AH & ESP2 per direction for AH & ESP Manual key managementManual key management
Sysadmin manually configures every systemSysadmin manually configures every system Automated key managementAutomated key management
Automated system for on demand creation of keys Automated system for on demand creation of keys for SA’s in large systemsfor SA’s in large systems
NATs Network address translation = local, LAN-specific Network address translation = local, LAN-specific
address space translated to small number of globally address space translated to small number of globally routable IP addressesroutable IP addresses
Motivation:Motivation: Scarce address spaceScarce address space
cost: about $9k/year for up to 262,000 addressescost: about $9k/year for up to 262,000 addresses Security: prevent unsolicited inbound requestsSecurity: prevent unsolicited inbound requests
Prevalence of NATsPrevalence of NATs Claim: 50% of broadband users are behind NATsClaim: 50% of broadband users are behind NATs All Linksys/D-Link/Netgear home routers are NATsAll Linksys/D-Link/Netgear home routers are NATs
NAT types All use net-10/8 (10.*.*.*) or 192.168/16All use net-10/8 (10.*.*.*) or 192.168/16 Address translationAddress translation Address-and-port translation (NAPT)Address-and-port translation (NAPT)
most common form today, still called NATmost common form today, still called NAT one external (global) IP addressone external (global) IP address
Change IP header and TCP/UDP headersChange IP header and TCP/UDP headers Will it work with IPSec?Will it work with IPSec?
NAT Example
IAP’s Point of Presence
Router with NATExternal IP: 68.40.162.3Internal IP: 192.168.0.0
Router assigns internal IPs to hosts on LAN :
A: 192.168.0.100B: 192.168.0.101C: 192.168.0.102
A B C
Messages sent between host B to another host on the InternetHost B original source socket:192.168.0.101 port 1341Host B translated socket:68.40.162.3 port 5280
SA Bundle
More than 1 SA can apply to a packetMore than 1 SA can apply to a packet Example: ESP does not authenticate new IP Example: ESP does not authenticate new IP
header. How to authenticate?header. How to authenticate? Use SA to apply ESP w/o authentication to Use SA to apply ESP w/o authentication to
original packetoriginal packet Use 2Use 2ndnd SA to apply AH SA to apply AH
Outbound Packet Processing...
Integrity Check Value (ICV) calculationIntegrity Check Value (ICV) calculation ICV includes whole ESP packet minus ICV includes whole ESP packet minus
authentication dataauthentication data field field Implicit padding of ‘0’s between Implicit padding of ‘0’s between next headernext header and and
authentication dataauthentication data is used to satisfy block size is used to satisfy block size requirement for ICV algorithmrequirement for ICV algorithm
Inbound Packet Processing
Sequence number checkingSequence number checking Anti-replay is used only if authentication is Anti-replay is used only if authentication is
selectedselected Sequence number should be the first ESP check Sequence number should be the first ESP check
on a packet upon looking up an SAon a packet upon looking up an SA Duplicates are rejected! Duplicates are rejected!
0Sliding Windowsize >= 32
rejectCheck bitmap, verify if new
verify
Anti-replay Feature
OptionalOptional Information to enforce held in SA entryInformation to enforce held in SA entry Sequence number counter - 32 bit for Sequence number counter - 32 bit for
outgoing IPSec packetsoutgoing IPSec packets Anti-replay window Anti-replay window
32-bit 32-bit Bit-map for detecting replayed packetsBit-map for detecting replayed packets
Anti-replay Sliding Window
Window should not be advanced until the Window should not be advanced until the packet has been authenticatedpacket has been authenticated
Without authentication, malicious packets Without authentication, malicious packets with large sequence numbers can advance with large sequence numbers can advance window unnecessarilywindow unnecessarily Valid packets would be dropped!Valid packets would be dropped!