Network Security Lecture 07: IP Security PDF

Summary

Lecture 07 on IP security, part of a network security course. The lecture covers key aspects of IP security, including overview, policies, security payload, security associations, key exchange, cryptographic suites and more. Presented by Dr. Sahar M. Ghanem at Alexandria University.

Full Transcript

Network Security

Lecture 07: IP Security
Prof. Dr. Sahar M. Ghanem
Associate Professor
Computer & Systems Engineering Dept.
Faculty of Engineering, Alexandria University
Outline
IP Security Overview
IP Security Policy
Encapsulating Security Payload
Combining Security Associations
Internet Key Exchange
Cryptographic Suites

Network Security 2024, (c) Sahar M. Ghanem 2
Overview

Network Security 2024, (c) Sahar M. Ghanem 3
Overview
There are application-specific security mechanisms for many
applications.
By implementing security at the IP level, we can ensure secure
networking not only for applications that have security mechanisms
but also for the many security-ignorant applications.
IP-level security encompasses three functional areas: authentication,
confidentiality, and key management.
IP-level authentication means that the source of the packet is as stated in the
packet header and the packet was not altered during transmission.
These security capabilities were designed to be usable both with the
current IPv4 and the future IPv6.
Network Security 2024, (c) Sahar M. Ghanem 4
IPsec VPN Scenario (1/2)
An organization maintains LANs at dispersed locations.
IPsec operate in networking devices, such as a router or firewall, that
connect each LAN to the outside world.
IPsec operations are transparent to workstations and servers on the
LAN.
Secure transmission is also possible with individual users who dial
into the Internet.

Network Security 2024, (c) Sahar M. Ghanem 5
Network Security 2024, (c) Sahar M. Ghanem 6
IPsec VPN Scenario (2/2)
Host A on a network generates an IP packet with the destination
address of host B on another network.
This packet is routed to a firewall or secure router at the boundary of
A’s network that filters all outgoing packets to determine the need for
IPsec processing.
Tunneling: the firewall performs IPsec processing and encapsulates
the packet with an outer IP header. The source IP address is this
firewall, and the destination address may be a firewall that forms the
boundary to B’s local network.
This packet is now routed to B’s firewall, where outer IP header is
stripped off, and the inner packet is delivered to B.
Network Security 2024, (c) Sahar M. Ghanem 7
Routing Applications
IPsec can play a vital role in the routing architecture required for
internetworking.
It can be used to ensure that an authorized router is sending router
advertisement and neighbor advertisement.
It can be used to check redirect message comes from the router to
which the initial IP packet was sent, and a routing update is not
forged.

Network Security 2024, (c) Sahar M. Ghanem 8
IPsec Services
IPsec enables a system to select required security protocols,
determine the algorithm(s), and put in place any cryptographic keys.
Two protocols are used to provide security:
Authentication Header (AH): for authentication of the
sender/receiver information that is placed in the IP headers.
Encapsulating Security Payload (ESP): consists of an encapsulating
header and trailer used to provide encryption or combined
encryption/authentication.
Both AH and ESP protocols support two modes of use: transport
mode and tunnel mode.

Network Security 2024, (c) Sahar M. Ghanem 9
Security Policy

Network Security 2024, (c) Sahar M. Ghanem 10
Security Association (SA)
IPsec policy is determined primarily by the interaction of two
databases, the security association database (SAD) and the security
policy database (SPD).
An association is a one-way logical connection between a sender and
a receiver that affords security services to the traffic carried on it.
A security association (SA) is uniquely identified by three parameters.
Security Parameters Index (SPI): A 32-bit unsigned integer
IP Destination Address
Security Protocol Identifier: AH or ESP

Network Security 2024, (c) Sahar M. Ghanem 11
SA Database (SAD)
Security Association Database (SAD) defines the parameters
associated with each SA, and the parameters in a SAD entry are
Security Parameter Index;
Sequence Number Counter;
Sequence Counter Overflow;
Anti-Replay Window;
AH Information;
ESP Information;
Lifetime of this Security Association;
IPsec Protocol Mode;
Path MTU

Network Security 2024, (c) Sahar M. Ghanem 12
Security Policy Database (SPD)
Security Policy Database (SPD) contains entries, each of which
defines a subset of IP traffic and points to an SA for that traffic.
Each SPD entry is defined by a set of IP and upper-layer protocol field
values, called selectors to filter outgoing traffic and map it into a
particular SA.
The following selectors determine an SPD entry:
Remote IP Address;
Local IP Address;
Next Layer Protocol;
Name;
Local and Remote Ports

Network Security 2024, (c) Sahar M. Ghanem 13
Network Security 2024, (c) Sahar M. Ghanem 14
Network Security 2024, (c) Sahar M. Ghanem 15
Encapsulating Security Payload (ESP)

Network Security 2024, (c) Sahar M. Ghanem 16
Network Security 2024, (c) Sahar M. Ghanem 17
Protocol Field
The Protocol field of the IPv4 indicates the next higher level protocol
in the TCP/IP stack that is responsible for the contents of the data
field of the IP packet. (e.g., the number 6 represents the TCP
protocol).
When IPSec is used with IPv4, this field contains the integer value that
represents the security header to follow the main header.
the integer 50 represents the ESP header
the number 51 represents the AH protocol
IPv6 was designed with the idea of using an arbitrary number of
headers for a packet, the chain of headers being linked by the Next
Header field consisting of 8 bits.

Network Security 2024, (c) Sahar M. Ghanem 18
ESP Services
Confidentiality
Data origin authentication: uses keyed ICV
Connectionless integrity: uses integrity check value (ICV)
An anti-replay service: uses sequence number
(Limited) traffic flow confidentiality: uses padding (TFC)

Network Security 2024, (c) Sahar M. Ghanem 19
Network Security 2024, (c) Sahar M. Ghanem 20
Encryption and Authentication
The Payload Data, Padding, Pad Length, and Next Header fields are
encrypted by the ESP service.
If included, an Initialization Vector (IV) is usually not encrypted.
The Integrity Check Value (ICV) field is optional and is not protected
by encryption. The ICV is computed after the encryption is performed
using a keyed integrity algorithm.

Network Security 2024, (c) Sahar M. Ghanem 21
Padding
Padding field is used to expand the plaintext to a required length.
Additional padding may be added to provide partial traffic-flow
confidentiality (TFC) by concealing the actual length of the payload.

Network Security 2024, (c) Sahar M. Ghanem 22
Anti-Replay Service
The Sequence Number field is designed to thwart replay attacks.
When a new SA is established, the sender initializes a sequence
number counter to 0.
Each time that a packet is sent on this SA, the sender increments the
counter and places the value in the Sequence Number field.
For out-of-order delivery, the receiver should implement a window of
size W (a default of W = 64).
The sender must not allow the sequence number to cycle back to
zero. If the limit of (2^32 – 1) is reached, the sender should terminate
this SA and negotiate a new SA with a new key.

Network Security 2024, (c) Sahar M. Ghanem 23
Transport Mode
Transport mode ESP is used to encrypt and optionally authenticate
the data carried by IP. It is suitable for protecting connections
between hosts.
At the source, the block of data consisting of the ESP trailer plus the
entire transport-layer segment is encrypted. Authentication is added
if this option is selected.
Each intermediate router needs to examine and process the IP
header but does not need to examine the ciphertext.
The destination node on the basis of the SPI in the ESP header,
process the packet.
Network Security 2024, (c) Sahar M. Ghanem 24
Network Security 2024, (c) Sahar M. Ghanem 25
Tunnel Mode
The ESP header is prefixed to the packet and then the packet plus the
ESP trailer is encrypted. This method can be used to counter traffic
analysis.
The tunnel mode is useful in a configuration that includes a firewall
that protects a trusted network from external networks.
Consider a case in which an external host wishes to communicate
with a host on an internal network protected by a firewall.
The source prepares an inner IP packet with a destination address of the
target internal host. This packet is prefixed by an ESP header; then the packet
and ESP trailer are encrypted and Authentication Data may be added. The
resulting block is encapsulated with a new IP header whose destination
address is the firewall; this forms the outer IP packet.

Network Security 2024, (c) Sahar M. Ghanem 26
Network Security 2024, (c) Sahar M. Ghanem 27
Combining Security Associations

Network Security 2024, (c) Sahar M. Ghanem 28
Authentication & Confidentiality Approaches
The term security association bundle refers to a sequence of SAs through
which traffic must be processed to provide a desired set of IPsec services.
1. ESP with Authentication Option: the user first applies ESP to the data to
be protected and then appends the authentication data field.
2. Transport Adjacency: use two bundled transport SAs, with the inner
being an ESP SA and the outer being an AH SA. The authentication covers
more fields including the source and destination IP addresses.
3. Transport-Tunnel Bundle: to apply authentication before encryption
between two hosts is to use a bundle consisting of an inner AH transport
SA and an outer ESP tunnel SA.

Network Security 2024, (c) Sahar M. Ghanem 29
Basic Combinations of Security Associations
Case 1. All security is provided between end systems that implement
IPsec. This mode may be either transport or tunnel.
Case 2. Security is provided only between gateways (routers, firewalls,
etc.) and no hosts implement IPsec. It must be tunnel mode.
Case 3. This builds on case 2 by adding end-to-end security.
Case 4. A remote host that uses the Internet to reach an
organization’s firewall and then to gain access to some server or
workstation behind the firewall.

Network Security 2024, (c) Sahar M. Ghanem 30
Network Security 2024, (c) Sahar M. Ghanem 31
Internet Key Exchange

Network Security 2024, (c) Sahar M. Ghanem 32
Key Management
A typical requirement is four keys for communication between two
applications: transmit and receive pairs for both integrity and
confidentiality.
Two types of key management:
Manual: A system administrator manually configures each system
with its own keys and with the keys of other communicating systems.
Automated: An automated system enables the on-demand creation
of keys for SAs and facilitates the use of keys in a large distributed
system with an evolving configuration.

Network Security 2024, (c) Sahar M. Ghanem 33
Automated Key Management (IKEv2)
IKE key determination is a refinement of the Diffie–Hellman key
exchange algorithm. There should be prior agreement on two global
parameters: a large prime number (q); and a primitive root of q (a).
DH has the following disadvantages:
It does not provide any information about the identities of the
parties.
It is subject to a man-in-the-middle attack.
It is computationally intensive. As a result, it is vulnerable to a
clogging attack, in which an opponent requests a high number of
keys.

Network Security 2024, (c) Sahar M. Ghanem 34
IKEv2
IKE key determination is based on the Diffie–Hellman key exchange
algorithm and is characterized by five important features:
1. It employs cookies to thwart clogging attacks.
2. It enables the two parties to negotiate the global parameters of the
Diffie–Hellman key exchange.
3. It uses nonces to ensure against replay attacks.
4. It enables the exchange of Diffie–Hellman public key values.
5. It authenticates the Diffie–Hellman exchange to thwart man-in-the-
middle attacks.

Network Security 2024, (c) Sahar M. Ghanem 35
Clogging Attack
An opponent forges the source address of a legitimate user and
sends a public DH key to the victim. The victim then performs a
modular exponentiation to compute the secret key. Repeated
messages of this type can clog the victim’s system with useless work.
The cookie exchange requires that each side send a pseudorandom
number, the cookie, in the initial message, which the other side
acknowledges.
Thus, an opponent can only force a user to generate
acknowledgments and not to perform the DH calculation.

Network Security 2024, (c) Sahar M. Ghanem 36
Global Parameters
IKE key determination supports the use of 5 different groups for the
DH key exchange.

Network Security 2024, (c) Sahar M. Ghanem 37
Network Security 2024, (c) Sahar M. Ghanem 38
Replay Attacks
IKE key determination employs nonces to ensure against replay
attacks.
Each nonce is a locally generated pseudorandom number.
Nonces appear in responses and are encrypted during certain
portions of the exchange to secure their use.

Network Security 2024, (c) Sahar M. Ghanem 39
Authentication
Digital signatures: The hash is generated over important parameters,
such as user IDs and nonces. Each party encrypts the hash with its
private key.
Public-key encryption: Encrypting the parameters such as IDs and
nonces with the sender’s private key.
Symmetric-key encryption: A key derived by some out-of-band
mechanism can be used to authenticate the exchange by symmetric
encryption of exchange parameters.

Network Security 2024, (c) Sahar M. Ghanem 40
IKEv2 Exchanges
The IKEv2 protocol involves the exchange of messages in pairs.
The initial exchanges, the two peers exchange information
concerning cryptographic algorithms and other security parameters
along with nonces and DH values. The result is to set up a special SA
called the IKE SA used to protect all subsequent IKE message
exchanges.
In the second exchange, the two parties authenticate one another
and set up a first IPsec SA to be placed in the SADB.
The CREATE_CHILD_SA exchange can be used to establish further
SAs.
Network Security 2024, (c) Sahar M. Ghanem 41
IKE messages
An IKE message consists of an IKE header followed by one or more
payloads. All of this is carried by UDP transport protocol.
The payload has a complex, hierarchical structure.
The payload may contain multiple proposals.
Each proposal may contain multiple protocols (e.g. AH, ESP, IKE, …).
Each protocol may contain multiple transforms (cryptographic
algorithm).
And each transform may contain multiple attributes (e.g. key length).

Network Security 2024, (c) Sahar M. Ghanem 42
Cryptographic Suites

Network Security 2024, (c) Sahar M. Ghanem 43
Suites
To promote interoperability, two RFCs define recommended suites of
cryptographic algorithms and parameters for various applications.
RFC 4308 defines two cryptographic suites for establishing VPNs.
Suite VPN-A matches the commonly used corporate VPN security.
Suite VPN-B provides stronger security and is recommended for new
VPNs.
RFC 6379 defines four optional cryptographic suites that offer greater
protection. The suites provide choices for ESP and IKE and are
differentiated by the choice of cryptographic algorithm strengths.

Network Security 2024, (c) Sahar M. Ghanem 44
Network Security 2024, (c) Sahar M. Ghanem 45
Network Security 2024, (c) Sahar M. Ghanem 46
Assignment
Briefly list all features of all algorithms mentioned in IPsec
cryptographic suites (slides 45 and 46)
Visit “Juniper IPsec VPN User guide” and detail how to configure one
of the 4 cases mentioned in slide 30
https://www.juniper.net/documentation/us/en/software/junos/vpn-
ipsec/topics/topic-map/security-ipsec-vpn-configuration-overview.html

Network Security 2024, (c) Sahar M. Ghanem 47