IPSec Overview PDF

Summary

This presentation from the University of Bern details the IPsec overview. It covers topics such as IPsec architecture, security services, and key management in 2024.

Full Transcript

Network Security
VIII. IP Security

Prof. Dr. Torsten Braun, Institut für Informatik
Bern, 04.11.2024 – 11.11.2024
Network Security: IP Security

IP Security
Table of Contents

1. IPsec Overview
2. IPsec Policy
3. Encapsulating Security Payload
4. Authentication Header
5. Combining Security Associations
6. Internet Key Exchange

3
Network Security: IP Security

1. IPsec Overview
1. Architecture

”Security in the Internet Architecture” (RFC 1636)
- issued in 1994 by Internet Architecture Board
- Goals: to secure
- network infrastructure from unauthorized monitoring and control
of network traffic
- end-user-to-end-user traffic using authentication and encryption
- Design for IPv6 and IPv4
IPsec specification now exists as a set of Internet standards.
4
Network Security: IP Security

1. IPsec Overview
2. Documents
- Architecture - Internet Key Exchange
- general concepts, security requirements, - collection of documents describing key
definitions, and mechanisms defining management schemes, RFC 7296
IPsec technology, RFC 4301 - Cryptographic algorithms
- Authentication Header Documents to describe
- is an extension header to provide - cryptographic algorithms for encryption
message authentication, RFC 4302 - message authentication
- Because message authentication is - pseudorandom functions
provided by ESP, use of AH is deprecated. - cryptographic key exchange.
It is included in IPsecv3 for backward
compatibility but should not be used in - Other
new applications. - IPsec-related RFCs,
- Encapsulating Security Payload dealing with security policy and
Management Information Base content.
- consists of an encapsulating header and
trailer used to provide encryption or
5
Network Security: IP Security

1. IPsec Overview
3. Applications
IPsec Example applications
- allows to secure communications - Secure branch office connectivity over
the Internet using
over LANs, public WANs, Internet virtual private networks
- supports applications to encrypt - Secure remote access over the Internet
and/or authenticate all traffic to ISPs or companies
at IP level - Establishing extranet and intranet
connectivity with partners and
organizations
- Enhancing electronic commerce security
independent on
application layer
6
Network Security: IP Security

1. IPsec Overview
4. Applications in IP Related Protocols

- Mobile IP
- Routing Protocols
- Address Resolution
- ICMP

7
Network Security: IP Security

1. IPsec Overview
5. Services

IPsec provides security services RFC 4301 services
at IP layer by enabling a system to
- Access control
- select required security protocols
- Connectionless integrity
- determine algorithms for the
services - Data origin authentication
- put in place any cryptographic - Rejection of replayed packets
keys required to provide the
requested services - Confidentiality (encryption)

8
- Limited traffic flow confidentiality
Network Security: IP Security

2. IPsec Policy
1. IPsec Architecture

9
Network Security: IP Security

2. IPsec Policy
2. Security Association

one-way logical connection between a sender Identification Parameters
and a receiver that affords security services to - Security Parameter Index
the traffic carried on it. - 32-bit unsigned integer assigned to this SA and having
local significance only
- carried in AH and ESP headers to enable the receiving
system to select the SA under which a received packet
will be processed.

- IP Destination Address
- Address of SA’s destination endpoint
- may be an end-user system or a network system such as
a firewall or router.

- Security Protocol Identifier
- This field from the outer IP header indicates whether the
association is an AH or ESP security association.
10
Network Security: IP Security

2. IPsec Policy
3. Security Association Database
- defines the parameters associated Parameters
with each SA - Security parameter index
- SA is defined by several parameters in - Sequence number counter
an SAD entry. - Sequence counter overflow
- Anti-replay window
- AH information
(algorithms, key, key lifetime)
- ESP information
- SA Lifetime
- IPsec protocol mode
- Path MTU
11
Network Security: IP Security

2. IPsec Policy
4. Security Policy Database

- means by which IP traffic is related to specific SAs
- Each SPD entry IP packet SPD SA
- is defined by a set of IP and upper-layer
protocol field values called selectors.
- These are used to filter outgoing traffic to map
it into a particular SA for outbound processing
- in more complex environments:
- multiple SPD entries relate to a single SA or
- multiple SAs are associated with a single SPD
entry
12
Network Security: IP Security

2. IPsec Policy
5. Selectors Determining an SPD Entry

- Remote IP Address - Next Layer Protocol
- single IP address, - IPv4 Protocol or IPv6 Next Header designates
enumerated list or range of addresses, the protocol operating over IP.
or wildcard (mask) address. - If AH or ESP is used, then this IP protocol header
- The latter two are required to support more immediately precedes the AH or ESP header in
the packet.
than one destination system sharing the
same SA, e.g., behind a firewall - Name
- a user identifier from the operating system
- Local IP Address - not a field in the IP or upper-layer headers,
- single IP address, but available if IPsec is running on the same OS
enumerated list or range of addresses, as the user.
or wildcard (mask) address. - Local and Remote Ports
- individual TCP or UDP port values,
- an enumerated list of ports, or
- wildcard port.
13
Network Security: IP Security

2. IPsec Policy
6. SPD Example

14
Network Security: IP Security

2. IPsec Policy
7. Outbound IP
Traffic Processing

15
Network Security: IP Security

2. IPsec Policy
8. Inbound IP
Traffic Processing

16
 Network Security: IP Security

3. Encapsulation Security Payload
1. Packet Format

- Optional Initialization SPI
Vector at beginning sequence number
of payload data
IV (optional)
- Padding to
- achieve certain
payload data
block length padding
- align padding length
padding padding length next header
and next header
- conceal packet length Integrity Check Value (variable)
17 encryption / authentication
 Network Security: IP Security

3. Encapsulation Security Payload
2. Anti Replay Attack Service
- Receipt of duplicate, authenticated IP packets may harm service.
- Sequence Number field is designed to thwart such attacks.
- When a new SA is established, the sender initializes a sequence number counter to 0.
- For each packet on an SA, the sender increments the counter and places the value in the Sequence Number field.
- If the limit of 232-1 is reached, the sender should terminate this SA and negotiate a new SA with a new key.
- Receiver implements a window of size W, default W = 64. The right edge of the window represents the
highest sequence number, N, so far received for a valid packet.
- For any properly authenticated packet with a sequence number in (N-W+1 … N) processing is as follows:
1. If the received packet falls within the window and is new, the MAC is checked.
If packet is authenticated, the corresponding slot in the window is marked.
2. If the received packet is to the right of the window and is new, the MAC is checked.
If the packet is authenticated, the window is advanced so that this sequence number
is the right edge of the window, and the corresponding slot in the window is marked.
3.18 If the received packet is to the left of the window or if authentication fails, it is discarded.
Network Security: IP Security

3. Encapsulation Security Payload
3. Transport and Tunnel Mode

19
Network Security: IP Security

3. Encapsulation Security Payload
4.1 End-to-End IPsec Transport Mode

Encryption

20
Network Security: IP Security

3. Encapsulation Security Payload
4.2 Transport Mode Operation
- Source - Routing
- Block of data consisting of - Packet is routed to destination.
ESP trailer + entire transport-layer - Each intermediate router needs to process
IP header + any plaintext IP extension
segment is encrypted. header, but does not need to examine
- Plaintext of block is replaced by its ciphertext.
ciphertext to form IP packet for - Destination node
transmission.
- processes IP header + any plaintext IP
- Authentication is added, extension headers.
if this option is selected. - decrypts the remainder of the packet to
recover the plaintext transport-layer
segment based on the SPI in the ESP
header.
21
 Network Security: IP Security

3. Encapsulation Security Payload
5.1 Tunnel Mode
- Security gateway to
security gateway
Encryption
- Example: Virtual Private Network
- End system to
security gateway
- Example: access to company Encryption
/ university network

22
Network Security: IP Security

3. Encapsulation Security Payload
5.2 Tunnel Mode
- After the AH or ESP fields are added to IP - Tunnel mode is used when one or both ends
packet, the entire packet + security fields of a SA are a security gateway, such as a
are treated as payload of new outer IP firewall or router implementing IPsec.
packet with new outer IP header.
- With tunnel mode, several hosts on
- Entire original (inner) packet travels through networks behind firewalls may engage in
a tunnel from one point of an IP network to secure communications without
another. implementing IPsec.
No routers along the way can examine the
Unprotected packets generated by such
inner IP header.
hosts are tunneled through external
- Because original packet is encapsulated, networks by tunnel mode SAs set up by
the new larger packet may have totally IPsec software in the firewall or secure
different source and destination addresses, router at the boundary of the local network.
adding to security.
23
Network Security: IP Security

3. Encapsulation Security Payload
5.3 Tunnel Mode

- Tunnel mode is useful in a - Encryption occurs only between
configuration that includes a external host and security gateway
firewall or other sort of or between two security gateways.
security gateway that protects - This relieves hosts on the internal
a trusted network from network of the processing burden
external networks. of encryption and simplifies key
distribution task by reducing the
number of needed keys
- It thwarts traffic analysis based on
ultimate destination.
24
Network Security: IP Security

3. Encapsulation Security Payload
6. Virtual Private Network

- Tunnel mode can be used to VPNs are used to
implement a secure VPN, i.e., - create wide area networks that
a private network configured span large geographic areas.
within a public network.
- provide site-to-site
- Traffic designated as VPN
connections to branch offices.
traffic can only go from a VPN
source to a destination in the - allow mobile users to dial up
same VPN. their company LANs.

25
Network Security: IP Security

4. Authentication Header
1. Packet Format
- Authentication of all IP header fields that can not change on the path
between sender and receiver.
- Default algorithm: keyed MD5 calculates 128-bit authentication data over
- Immutable IP header fields
- AH header except authentication data
- Higher protocols next header payload length reserved
and data
- Secret key SPI

sequence number

authentication data (n. 32 bit)
26
Network Security: IP Security

4. Authentication Header
2. Transport and Tunnel Mode

27
Network Security: IP Security

4. Authentication Header
3. AH vs ESP Authentication

- AH protects IP header, ESP protects anything beyond IP header.
- There may be export issues with ESP.
- With ESP, routers and firewalls can not look
on anything beyond layer 3 (IP layer) header.

28
Network Security: IP Security

4. Authentication Header
4. Tunnel and Transport Mode Functionality

29
Network Security: IP Security

5. Combining Security Associations
1. Transport Adjacency and Iterated Tunneling

Transport Adjacency Iterated Tunneling
- Applying more than one SA - Application of multiple layers
to the same IP packet of security protocols effected
without tunneling through IP tunneling.
- allows for multiple levels of
nesting

30
Network Security: IP Security

5. Combining Security Associations
2.1 Authentication and Confidentiality:
ESP with Authentication Option
- User first applies ESP to the data to Subcases
be protected and then appends - Transport mode ESP
authentication data field.
- Authentication and encryption apply to IP
- Authentication applies to ciphertext payload, but IP header is not protected.
rather than plaintext. - Tunnel mode ESP
- Authentication applies to entire IP packet
delivered to the outer IP destination
address (e.g., a firewall).
Authentication is performed at destination.
- Entire inner IP packet is protected by the
privacy mechanism for delivery to the
31 inner IP destination.
Network Security: IP Security

5. Combining Security Associations
2.2 Authentication and Confidentiality:
Transport Adjacency
- Two bundled transport SAs - Advantage
- inner SA: ESP SA (without - Authentication covers more fields, incl.
authentication option), i.e., transport SA source / destination IP addresses.
→ encryption is applied to IP payload. - Disadvantage
- outer SA: AH SA. - Overhead of two SAs vs. one SA
- Resulting packet:
IP header followed by ESP
- AH is then applied in transport mode,
so that authentication covers the ESP
plus the original IP header except for
mutable fields.
32
Network Security: IP Security

5. Combining Security Associations
2.3 Authentication and Confidentiality:
Transport-Tunnel Bundle
Use of authentication prior to encryption might be - Applying authentication before encryption between
preferable for several reasons. two hosts is to use a bundle consisting of an inner
1. Because authentication data are protected by
AH transport SA and an outer ESP tunnel SA.
encryption, it is impossible for anyone to - Authentication is applied to the IP payload plus the
intercept the message and alter the IP header (and extensions) except for mutable
authentication data without detection. fields.
2. It may be desirable to store the authentication - The resulting IP packet is then processed in tunnel
information with the message at the destination
for later reference. mode by ESP; the result is that the entire,
It is more convenient to do this if the authenticated inner packet is encrypted and a new
authentication information applies to the outer IP header (and extensions) is added.
unencrypted message;
otherwise, the message would have
to be re-encrypted to verify the
33 authentication information.
Network Security: IP Security

5. Combining Security Associations
3. Basic Combinations of Security Associations
1. All security provided between IPsec
end systems, possible combinations:
a) AH in transport mode
b) ESP in transport mode
c) ESP followed by AH in transport
mode
d) a, b, c inside AH or ESP in tunnel
mode
2. Security between gateways
3. 2.) plus end-to-end security
4. Support for a remote host to reach
servers behind firewall
34
Network Security: IP Security

6. Internet Key Exchange
1. Key Management Types
- determination and distribution Key Management Types
of secret keys. - Manual
- Typical requirement: - A system administrator manually
4 keys for communication configures each system with its own keys
and with the keys of other communicating
between 2 applications systems.
- transmit and receive pairs for both - practical for small and relatively static
integrity and confidentiality environments
- Automated
- Automated system enables
on-demand creation of keys for SAs and
facilitates the use of keys in a large
distributed system with evolving
configuration.
35
Network Security: IP Security

6. Internet Key Exchange
2. Key Determination Protocol

Refinement of Diffie-Hellman key exchange
retaining DH advantages and counter its disadvantages.

- Advantages - Disadvantages
- Secret keys generated when - Does not provide any information
needed about identities of parties
- Exchange does not require - Subject to man-in-the-middle attack
pre-existing infrastructure. - Computationally expensive

36
Network Security: IP Security

6. Internet Key Exchange
3. Clogging Attack

- An opponent forges the source address of a legitimate user and
sends a public DH key to victim.
- Victim then computes secret key.
- Repeated messages of this type can clog the victim’s system with
useless work.

37
Network Security: IP Security

6. Internet Key Exchange
4. IKE Key Determination

- uses cookies to thwart clogging - enables the exchange of
attacks. DH public key values.
- enables the two parties to - authenticates DH exchange to
negotiate a group to specify the thwart man-in-the-middle attacks
global parameters of the Diffie- - Digital signatures
Hellman key exchange. - Public key encryption
- uses nonces against replay - Symmetric key encryption
attacks.

38
Network Security: IP Security

6. Internet Key Exchange
5.1 Cookie Exchange

1. Cookie exchange requires that - If the source address was
each side sends a forged, the opponent gets no
pseudorandom number answer.
(cookie) in the initial message. - Thus, an opponent can only
2. The other side acknowledges force a user to generate
initial message. acknowledgments and not to
perform the DH calculation
3. Acknowledgment must be
repeated in the first message
of DH key exchange.
39
Network Security: IP Security

6. Internet Key Exchange
5.2 Cookie Generation
- Requirements
1. Cookie must depend on the specific parties. This prevents an attacker from obtaining a
cookie using a real IP address and UDP port and then using it to swamp the victim with
requests from randomly chosen IP addresses or ports.
2. It must not be possible for anyone other than the issuing entity to generate cookies that
will be accepted by that entity. This implies that the issuing entity will use local secret
information in the generation and subsequent verification of a cookie.
It must not be possible to deduce this secret information from any particular cookie.
3. Cookie generation and verification methods must be fast
to thwart attacks intended to sabotage processor resources.
- Recommended method
- Perform fast hash, e.g., MD5, over source and destination IP address,
40 source and destination UDP ports, and a locally generated secret value
Network Security: IP Security

6. Internet Key Exchange
6. IKEv2 Exchanges
- Initial Exchange
1. Parties exchange information concerning
cryptographic algorithms and other security
parameters along with nonces and DH values.
Result: IKE SA, which defines parameters for a
secure channel over which subsequent message
exchanges take place. All subsequent IKE message
exchanges are protected by encryption and message
authentication.
2. Parties authenticate each other and set up a first
IPsec SA to be placed in the SAD and used for
protecting ordinary (i.e., non-IKE) communication.
- CREATE_CHILD_SA Exchange
- to establish further SAs for protecting traffic
- Informational Exchange
41
- to exchange management information
Network Security: IP Security

6. Internet Key Exchange
7. Formats

42
Network Security: IP Security

6. Internet Key Exchange
8. Payload Types

43
Thanks a lot
for your Attentation
Prof. Dr. Torsten Braun, Institut für Informatik
Bern, 04.11.2024 – 11.11.2024