Lecture 6 W.Lilakiatsakun


Post on 19-Jan-2016


TRANSCRIPT

Page 1: Lecture 6 W.Lilakiatsakun.  Internet Protocol  IPv4 /IPv6  IPsec  ICMP  Routing Protocol  RIP/OSPF  BGP  Attack on Layer3 Layer 3 Technology

Lecture 6 W.Lilakiatsakun

Page 2:

Layer 3 Technology

• Internet Protocol: IPv4 / IPv6, IPsec
• ICMP
• Routing Protocol: RIP/OSPF, BGP
• Attack on Layer 3

Page 3:

IPv4

IPv4 basic characteristics:

• Connectionless - No connection is established before sending data packets.
• Best Effort (unreliable) - No overhead is used to guarantee packet delivery.
• Media Independent - Operates independently of the medium carrying the data.

Page 4:

IPv4 – Connectionless (1)

It requires no initial exchange of control information to establish an end-to-end connection before packets are forwarded, nor does it require additional fields in the PDU header to maintain this connection.

Connectionless packet delivery may, however, result in packets arriving at the destination out of sequence.

Page 5:

IPv4 – Connectionless (2)

Page 6:

IPv4 – Best Effort (1)

Best effort can be understood as unreliable. Unreliable means simply that IP does not have the capability to manage, and recover from, undelivered or corrupt packets.

Page 7:

IPv4 – Best Effort (2)

Page 8:

IPv4 – Media Independent (1)

Page 9:

IPv4 – Media Independent (2)

In some cases, an intermediary device - usually a router - will need to split up a packet when forwarding it from one medium to a medium with a smaller MTU.

This process is called fragmenting the packet or fragmentation.

Page 10:

IPv4 – Packaging the Transport Layer PDU

Page 11:

IPv4 – Packet Header (1)

Page 12:

IPv4 – Packet Header (2)

IP Destination Address - The IP Destination Address field contains a 32-bit binary value that represents the packet destination Network layer host address.

IP Source Address - The IP Source Address field contains a 32-bit binary value that represents the packet source Network layer host address.

Page 13:

IPv4 – Packet Header (3)

Time-to-Live - The Time-to-Live (TTL) is an 8-bit binary value that indicates the remaining "life" of the packet. The TTL value is decreased by at least one each time the packet is processed by a router (that is, each hop).

When the value becomes zero, the router discards or drops the packet and it is removed from the network data flow.

Page 14:

IPv4 – Packet Header (4)

• Time-to-Live (cont.) - This mechanism prevents packets that cannot reach their destination from being forwarded indefinitely between routers in a routing loop.

If routing loops were permitted to continue, the network would become congested with data packets that would never reach their destination.

Page 15:

IPv4 – Packet Header (5)

Protocol - This 8-bit binary value indicates the data payload type that the packet is carrying. The Protocol field enables the Network layer to pass the data to the appropriate upper-layer protocol.

Example values are:

• 01 ICMP
• 06 TCP
• 17 UDP

Page 16:

IPv4 – Packet Header (6)

Type-of-Service - The Type-of-Service field contains an 8-bit binary value that is used to determine the priority of each packet.

This value enables a Quality-of-Service (QoS) mechanism to be applied to high priority packets, such as those carrying telephony voice data.

The router processing the packets can be configured to decide which packet it is to forward first based on the Type-of-Service value.

Page 17:

IPv4 – Packet Header (7)

Fragment Offset - A router may have to fragment a packet when forwarding it from one medium to another medium that has a smaller MTU.

When fragmentation occurs, the IPv4 packet uses the Fragment Offset field and the MF flag in the IP header to reconstruct the packet when it arrives at the destination host.

The fragment offset field identifies the order in which to place the packet fragment in the reconstruction.

Page 18:

IPv4 – Packet Header (8)

More Fragments flag - The More Fragments (MF) flag is a single bit in the Flag field used with the Fragment Offset for the fragmentation and reconstruction of packets.

If the More Fragments flag bit is set, it means that this is not the last fragment of a packet.

When a receiving host sees a packet arrive with the MF = 1, it examines the Fragment Offset to see where this fragment is to be placed in the reconstructed packet.

Page 19:

IPv4 – Packet Header (9)

• When a receiving host receives a frame with the MF = 0 and a non-zero value in the Fragment offset, it places that fragment as the last part of the reconstructed packet.

• An unfragmented packet has all zero fragmentation information (MF = 0, fragment offset = 0).

Page 20:

IPv4 – Packet Header (10)

Don't Fragment flag - The Don't Fragment (DF) flag is a single bit in the Flag field that indicates that fragmentation of the packet is not allowed.

If the Don't Fragment flag bit is set, then fragmentation of this packet is NOT permitted.

If a router needs to fragment a packet to allow it to be passed downward to the Data Link layer but the DF bit is set to 1, then the router will discard this packet.

Page 21:

IPv4 – Packet Header (11)

Version - Contains the IP version number (4).

Header Length (IHL) - Specifies the size of the packet header.

Packet Length - This field gives the entire packet size, including header and data, in bytes.

Identification - This field is primarily used for uniquely identifying fragments of an original IP packet.

Page 22:

IPv4 – Packet Header (12)

Header Checksum - The checksum field is used for error checking the packet header.

Options - There is provision for additional fields in the IPv4 header to provide other services but these are rarely used.

Page 23:

Example of IPv4 Header (1)

Page 24:

Example of IPv4 Header (2)

Ver = 4; IP version.

IHL = 5; size of header in 32-bit words (4 bytes). This header is 5*4 = 20 bytes, the minimum valid size.

Total Length = 472; size of packet (header and data) is 472 bytes.

Identification = 111; original packet identifier (required if it is later fragmented).

Page 25:

Example of IPv4 Header (3)

Flag = 0; the packet can be fragmented if required.

Fragment Offset = 0; this packet is not currently fragmented (there is no offset).

Time to Live = 123; (decremented by at least 1 every time a device processes the packet header).

Protocol = 6; the data carried by this packet is a TCP segment.
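As an added example (not part of the lecture), the header fields of pages 11 to 22 and the worked header of pages 24 and 25 in Python: it builds that header, computes the RFC 791 Header Checksum, parses it back with the sanity checks a receiver applies, and models one router hop (TTL decrement, DF handling). The source and destination addresses are assumptions; the slides do not show them.

```python
import struct
import ipaddress

# Protocol numbers named on page 15 (IANA "Protocol" field values).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def header_checksum(hdr: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, total_length, ident, ttl, proto,
                      df=False, mf=False, frag_offset=0, tos=0) -> bytes:
    """Build a 20-byte header (IHL = 5, no options) with a valid Header Checksum."""
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, total_length, ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed fields and reject headers a receiver should not trust."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    hdr_len = ihl * 4
    if version != 4:
        raise ValueError("not an IPv4 header")
    if ihl < 5 or len(raw) < hdr_len:
        raise ValueError("IHL below 5 words or longer than the bytes present")
    if total_length < hdr_len:
        raise ValueError("Total Length smaller than the header itself")
    if header_checksum(raw[:hdr_len]) != 0:  # an intact header sums to zero
        raise ValueError("Header Checksum mismatch")
    mf = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF        # in 8-octet units
    return {
        "version": version, "ihl": ihl, "header_bytes": hdr_len, "tos": tos,
        "total_length": total_length, "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": mf, "fragment_offset": frag_offset,
        "fragmented": mf or frag_offset != 0,  # page 19: unfragmented means MF = 0, offset = 0
        "ttl": ttl, "protocol": proto, "protocol_name": PROTO_NAMES.get(proto, "other"),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def router_hop(raw: bytes, egress_mtu: int):
    """One router hop as pages 13 and 20 describe it: decrement TTL, honour DF,
    refresh the checksum. Returns (new_header, None) or (None, drop_reason)."""
    f = parse_ipv4_header(raw)
    if f["ttl"] <= 1:
        return None, "TTL expired"           # would reach zero here, so it is dropped
    if f["total_length"] > egress_mtu and f["df"]:
        return None, "DF set but fragmentation needed"
    hdr = bytearray(raw[:f["header_bytes"]])
    hdr[8] -= 1                              # TTL is byte 8 of the header
    hdr[10:12] = b"\x00\x00"                 # zero the checksum before recomputing it
    hdr[10:12] = struct.pack("!H", header_checksum(bytes(hdr)))
    return bytes(hdr), None


# Constructed input reproducing the worked header on pages 24-25; the two
# addresses are assumed, the slides do not show them.
SLIDE_HEADER = build_ipv4_header("192.0.2.10", "198.51.100.20", total_length=472,
                                 ident=111, ttl=123, proto=6)
```

Calling `parse_ipv4_header(SLIDE_HEADER)` returns the field values listed on pages 24 and 25 (IHL 5, Total Length 472, Identification 111, TTL 123, Protocol 6 = TCP, unfragmented).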

Page 26:

Problem on IPv4 (1)

Performance

• TOS cannot provide QoS efficiently
• The header length must be calculated
• The header checksum must be calculated
• Allowing fragmentation leads to lower performance

Most of these performance problems have been improved in IPv6.

Page 27:

Problem on IPv4 (2)

Security

• No encryption – sniffing attack
• No authentication – spoofing attack

Security issues are improved by IPsec.

Page 28:

IPSec (1)

IPsec uses the following protocols:

• Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams and provides protection against replay attacks.

• Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.

Page 29:

IPSec (3)

Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary for AH and/or ESP operations.

The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.

Page 30:

IPSec (2)

Page 31:

Authentication Header

Use when confidentiality is not required or permitted.

AH provides data authentication and integrity for IP packets passed between two systems.

It verifies that any message passed from R1 to R2 has not been modified during transit.

It also verifies that the origin of the data was either R1 or R2.

AH does not provide data confidentiality (encryption) of packets.

Page 32:

Encapsulating Security Payload

Provides confidentiality and authentication by encrypting the IP packet.

IP packet encryption conceals the data and the identities of the source and destination.

ESP authenticates the inner IP packet and ESP header.

Authentication provides data origin authentication and data integrity.

Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.

Page 33:

IPSEC Framework (1)

Page 34:

IPSEC Framework (2)

Algorithms used in the IPSEC Framework:

• DES - Encrypts and decrypts packet data.
• 3DES - Provides significant encryption strength over 56-bit DES.
• AES - Provides stronger encryption, depending on the key length used, and faster throughput.
• MD5 - Authenticates packet data, using a 128-bit shared secret key.
• SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
• DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.

Page 35:

IPSEC Framework (3)

When configuring an IPsec gateway to provide security services, first choose an IPsec protocol. The choices are ESP or ESP with AH.

The second square is the encryption algorithm, if IPsec is implemented with ESP. Choose the encryption algorithm that is appropriate for the desired level of security: DES, 3DES, or AES.

Page 36:

IPSEC Framework (4)

The third square is authentication. Choose an authentication algorithm to provide data integrity: MD5 or SHA.

The last square is the Diffie-Hellman (DH) algorithm group, which establishes the sharing of key information between peers. Choose which group to use, DH1 or DH2.

Page 37:

Mode of operation (1)

Transport mode - In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated.

The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will always invalidate the hash value.

Page 38:

Mode of operation (2)

Tunnel mode - In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header.

Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).

Tunnel mode supports NAT traversal.

Page 39:

Mode of operation (3)

Page 40:

AH operation (1)

RFC 4302 - AH uses a special hashing algorithm and a specific key known only to the source and the destination.

A security association between two devices is set up that specifies these particulars so that the source and destination know how to perform the computation but nobody else can.

On the source device, AH performs the computation and puts the result (called the Integrity Check Value or ICV) into a special header with other fields for transmission.

Page 41:

AH operation (2)

The destination device does the same calculation using the key the two devices share, which enables it to see immediately if any of the fields in the original datagram were modified (either due to error or malice).

Page 42:

AH Format (1)

The Next Header is an 8-bit field that identifies the type of the next payload after the Authentication Header.

The value of this field is chosen from the set of IP Protocol Numbers defined by the Internet Assigned Numbers Authority (IANA). For example, a value of 4 indicates IPv4, a value of 41 indicates IPv6, and a value of 6 indicates TCP.

Page 43:

AH Format (2)

Payload Len (8 bits) - The length of this Authentication Header in 4-octet units, minus 2. Thus, for example, if an integrity algorithm yields a 96-bit authentication value, this length field will be "4" (3 32-bit words of fixed fields plus 3 32-bit words for the ICV, minus 2).

For IPv6, the total length of the header must be a multiple of 8-octet units.

Page 44:

AH Format (3)

Reserved (16 bits) - Reserved for future use (all zeroes until then).

Security Parameters Index (32 bits) - Arbitrary value which is used (together with the destination IP address) to identify the security association of the receiving party.

Page 45:

AH Format (4)

Sequence Number (32 bits) - A monotonic, strictly increasing sequence number (incremented by 1 for every packet sent) to prevent replay attacks. When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before an attempt to increment the sequence number beyond its maximum value.

Extended (64-bit) Sequence Number - To support high-speed IPsec implementations, a new option for sequence numbers SHOULD be offered, as an extension to the current 32-bit sequence number field. Use of an Extended Sequence Number (ESN) MUST be negotiated by an SA management protocol.

Page 46:

AH Format (5)

Integrity Check Value (multiple of 32 bits) - Variable length check value. It is calculated over:

• IP or extension header fields before the AH header that are either immutable in transit or predictable in value upon arrival at the endpoint for the AH SA;
• the AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number (low-order 32 bits), and the ICV (which is set to zero for this computation), and explicit padding bytes (if any));
• everything after AH, which is assumed to be immutable in transit;
• the high-order bits of the ESN (if employed), and any implicit padding required by the integrity algorithm.

Page 47:

AH Format (6)

Immutable: Version, Internet Header Length, Total Length, Identification, Protocol (this should be the value for AH), Source Address, Destination Address (without loose or strict source routing)

Mutable but predictable: Destination Address (with loose or strict source routing)

Mutable (zeroed prior to ICV calculation): Differentiated Services Code Point (DSCP), Explicit Congestion Notification (ECN), Flags, Fragment Offset, Time to Live (TTL), Header Checksum
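As an added example (not from the lecture), the AH format of pages 42 to 47 and the anti-replay sequence number of page 45 worked in Python: the sender zeroes the mutable IPv4 fields, computes a 96-bit ICV (the HMAC-SHA1-96 case for which page 43 derives Payload Len = 4) and the receiver checks SPI, sequence number and ICV, which also shows why a NAT rewrite breaks AH (page 37). The IPv4 header, key, SPI, addresses and payload are constructed, and the AH protocol number 51 comes from the IANA registry rather than the slides.

```python
import hmac
import hashlib
import struct

AH_PROTOCOL = 51   # IANA protocol number for AH (assumed; the slide only says "the value for AH")
ICV_LEN = 12       # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits, the case worked on page 43


def zero_mutable_ipv4_fields(ip_hdr: bytes) -> bytes:
    """Page 47: DSCP/ECN, Flags, Fragment Offset, TTL and Header Checksum change in
    transit, so they are zeroed before the ICV is computed (20-byte header assumed)."""
    h = bytearray(ip_hdr[:20])
    h[1] = 0                       # DSCP + ECN
    h[6:8] = b"\x00\x00"           # Flags + Fragment Offset
    h[8] = 0                       # TTL
    h[10:12] = b"\x00\x00"         # Header Checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the zeroed IP header, the AH fixed fields with the ICV set to zero,
    and everything after AH, assumed immutable in transit (page 46)."""
    covered = zero_mutable_ipv4_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key: bytes, next_header: int, spi: int, seq: int,
             ip_hdr: bytes, payload: bytes) -> bytes:
    """Next Header | Payload Len | Reserved | SPI | Sequence Number | ICV, where
    Payload Len = AH length in 32-bit words minus 2 = (12 + 12) / 4 - 2 = 4 (page 43)."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload)


class AhReceiver:
    """Receiving end of one SA: match the SPI, reject any sequence number that is not
    strictly increasing (replay detection, page 45), then verify the ICV."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.last_seq = key, spi, 0

    def verify(self, ip_hdr: bytes, ah: bytes, payload: bytes) -> str:
        _next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
        if spi != self.spi:
            return "unknown SA"
        if (payload_len + 2) * 4 != 12 + ICV_LEN:
            return "unexpected AH length"
        if seq <= self.last_seq:
            return "replay"
        expected = ah_icv(self.key, ip_hdr, ah[:12], payload)
        if not hmac.compare_digest(expected, ah[12:12 + ICV_LEN]):  # constant-time compare
            return "bad ICV"
        self.last_seq = seq            # advance only after the ICV has been verified
        return "ok"


# Constructed sample: a TCP segment protected by AH in transport mode. Key, SPI,
# addresses and payload are made up for this example. Protocol = AH and Total Length
# covers IP + AH + payload (both immutable); the checksum value is irrelevant here.
KEY = b"example-sa-key-not-for-real-use"
SPI = 0x1234
PAYLOAD = b"TCP segment bytes (constructed)"
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 12 + ICV_LEN + len(PAYLOAD), 111,
                     0x4000, 64, AH_PROTOCOL, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))


def run_demo():
    """Verdicts for: genuine packet, its replay, a TTL change en route, a NAT-rewritten source."""
    rx = AhReceiver(KEY, SPI)
    ah1 = build_ah(KEY, 6, SPI, 1, IP_HDR, PAYLOAD)
    genuine = rx.verify(IP_HDR, ah1, PAYLOAD)
    replayed = rx.verify(IP_HDR, ah1, PAYLOAD)
    hopped = bytearray(IP_HDR)
    hopped[8] -= 1                     # a router decremented TTL: mutable, still verifies
    after_hop = rx.verify(bytes(hopped), build_ah(KEY, 6, SPI, 2, IP_HDR, PAYLOAD), PAYLOAD)
    natted = bytearray(IP_HDR)
    natted[12:16] = bytes([203, 0, 113, 5])   # NAT rewrote the source address (page 37)
    after_nat = rx.verify(bytes(natted), build_ah(KEY, 6, SPI, 3, IP_HDR, PAYLOAD), PAYLOAD)
    return genuine, replayed, after_hop, after_nat
```

`run_demo()` returns `("ok", "replay", "ok", "bad ICV")`: the TTL change is tolerated because the field is zeroed, while the address rewrite is not. The strict "seq <= last_seq" rule is the slide's definition; RFC 4302 implementations use a sliding window so that reordered packets are not rejected.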

Page 48:

ESP Operation (1)

RFC 4303 - It provides origin authenticity, integrity and confidentiality protection of packets.

ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.

Page 49:

ESP Operation (2)

Unlike the Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet.

However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected.

Page 50:

ESP Format (1)

Page 51:

ESP Format (2)

Security Parameters Index (32 bits) - Arbitrary value used (together with the destination IP address) to identify the security association of the receiving party.

Sequence Number (32 bits) - A monotonically increasing sequence number (incremented by 1 for every packet sent) to protect against replay attacks. A separate counter is kept for every security association.

Page 52:

ESP Format (3)

Payload data (variable) - The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialization Vector for the cryptographic algorithm).

The type of content that was protected is indicated by the Next Header field.

Padding (0-255 octets) - Padding for encryption, to extend the payload data to a size that fits the encryption's cipher block size, and to align the next field.

Page 53:

ESP Format (4)

Pad Length (8 bits) - Size of the padding (in octets).

Next Header (8 bits) - Type of the next header. The value is taken from the list of IP protocol numbers.

Integrity Check Value (multiple of 32 bits) - Variable length check value. It may contain padding to align the field to an 8-octet boundary for IPv6, or a 4-octet boundary for IPv4.

Page 54:

ESP Format (5)

Page 55:

ESP Format (6)