cisco presentation guidewh.cs.vsb.cz/sps/images/6/6b/vpn.pdf · • in principle, vpn overlay...

© 2005 Petr Grygarek, Advanced Computer Networks Technologies 1

Virtual Private Networks Virtual Private Networks

Petr GrygPetr Grygáárekrek

Agenda:VPN TaxonomyVPN Principles and UsageCryptography BasicsIPSec

2© 2005 Petr Grygarek, Advanced Computer Networks Technologies

Basic Terminology and Mechanisms Basic Terminology and Mechanisms of Network Security of Network Security

and Cryptographyand Cryptography


Data ProtectionData Protection

• CConfidentalityonfidentality• unauthorized listener cannot understand data meaningunauthorized listener cannot understand data meaning• implemented by encryptionimplemented by encryption

• AAuthenticationuthentication • verification of data sender identityverification of data sender identity

• Data Data integrityintegrity• verification that data were not modified during transportverification that data were not modified during transport

• NNon-repudiationon-repudiation• data source cannot repudiate that it sent particular data source cannot repudiate that it sent particular

piece of datapiece of data• (i.e. it signed it)(i.e. it signed it)


Cryptographic Hash Function (1)Cryptographic Hash Function (1)

• one-wayone-way fun function (algorithm) that converts (arbitrary, ction (algorithm) that converts (arbitrary, long) block of data to (short) fixed-size hash valuelong) block of data to (short) fixed-size hash value• easy to computeeasy to compute

• infeasible to find a message with a given hashinfeasible to find a message with a given hash

• infeasible to modify a message without changing its hashinfeasible to modify a message without changing its hash

• Infeasible to find 2 different messages with the same hashInfeasible to find 2 different messages with the same hash


Cryptographic Hash Function (2)Cryptographic Hash Function (2)

• often used as Hashed Message Authentication Code often used as Hashed Message Authentication Code (HMAC)(HMAC)• the hash is computed from [data+secret] blockthe hash is computed from [data+secret] block

• algorithms commonly used as hash function algorithms commonly used as hash function • HMAC-MD5 –– Message Digest 5 HMAC-MD5 –– Message Digest 5

• (128b message digest)(128b message digest)

• HMAC-SHA1 – Secure Hash Algorithm HMAC-SHA1 – Secure Hash Algorithm • (stronger -160b message digest)(stronger -160b message digest)


Cryptographic SystemCryptographic System

Implementation options

• Conceal encryption/decryption algorithm• If the algorithm is revealed, implementation is useless

• Conceal keys• Keys used to parametrize (known) algorithm

• Sufficiently high number of possible keys has to be available

Encryption Decryption

Key

plaintext

plaintext

cypertext

Key


Symmetric CryptosystemSymmetric Cryptosystem


Properties of Symmetric Properties of Symmetric CryptosystemCryptosystem

• Shared secret keyShared secret key

• Effective algorithm implementationsEffective algorithm implementations• speed, relative simplicityspeed, relative simplicity

• possible to implement in hardwarepossible to implement in hardware

• DES, 3DES, AES, …DES, 3DES, AES, …

• Problem with secure secret key distributionProblem with secure secret key distribution


Authentication in Symmetric CryptosystemAuthentication in Symmetric Cryptosystem

• Sender encrypts uSender encrypts username sername using shared key, receiver decrypts using shared key, receiver decrypts using the same key and tests username validityusing the same key and tests username validity• Requires database of valid usernamesRequires database of valid usernames

• Alternative validity check implementation:Alternative validity check implementation:• Sender appends username hash behind username, then encrypts Sender appends username hash behind username, then encrypts

whole block with shared keywhole block with shared key

• Receiver decrypts [username+hash] with shared key, computes Receiver decrypts [username+hash] with shared key, computes username hash and compares with received hashusername hash and compares with received hash

• Does not require to maintain username databaseDoes not require to maintain username database

Combines authentication with data integrity checkCombines authentication with data integrity check


Data Integrity Check Data Integrity Check ImplementationImplementation

• [[messagemessage++shared secret keyshared secret key]->hash]->hash

• messagemessage+hash+hash is sent is sent

• receiver appends shared secret key behind receiver appends shared secret key behind received message, calculates hash by itself and received message, calculates hash by itself and compares with received hashcompares with received hash

Combines origin authentication and data integrity Combines origin authentication and data integrity checkcheck


Asymmetric CryptosystemAsymmetric Cryptosystem


Public and Private KeysPublic and Private Keys

• Keys generated as pair – Keys generated as pair – publicpublic and and privateprivate key key

• One key of pair used for encryption, second one for decryptionOne key of pair used for encryption, second one for decryption• no matter which one for whatno matter which one for what

• uses identical or complementary algorithms for encryption and decryptionuses identical or complementary algorithms for encryption and decryption

Encryption Decryption

publickey

KB_PUBLIC

ALICE BOB

privatekey

KB_PRIVATE

KB_PUBLICKB_PRIVATE

KA_PUBLICKA_PRIVATE

Certificationauthority

KA_PUBLICKB_PUBLIC


Features of Asymmetric CryptosystemFeatures of Asymmetric Cryptosystem

• More calculations comparing to symmetric algorithm More calculations comparing to symmetric algorithm => slower=> slower• RSA, El-GammalRSA, El-Gammal

• Problem of secure public key distributionProblem of secure public key distribution• no need to conceal themno need to conceal them, but we need a mechanism to , but we need a mechanism to

protect public keys against modification during transportprotect public keys against modification during transport

• certification authority digitally signs public keys packed certification authority digitally signs public keys packed together with owner information together with owner information • (so called “certificates”)(so called “certificates”)


Usages ofUsages of asy asymmmetric sysmetric systemtem

• Digital signaturesDigital signatures• No problem with secret key distributionNo problem with secret key distribution

• Exchange of keys for symmetric systemExchange of keys for symmetric system• Often dynamically generated keys with limited Often dynamically generated keys with limited

lifetimelifetime


CertifiCertification authority (1)cation authority (1)

• Trusted entityTrusted entity• Digitally signs public keys packed together with owner Digitally signs public keys packed together with owner

information - information - certificatescertificates• First contact with CA must be physicalFirst contact with CA must be physical

• (identity verification)(identity verification)• obtaining of private+public key pairobtaining of private+public key pair

• private key + signed certificateprivate key + signed certificate

• There exist ways how to deliver encrypted private key + certificate There exist ways how to deliver encrypted private key + certificate (containing signed public key) without physical contact(containing signed public key) without physical contact• need to authenticate certificate request (e..g with existing trusted password need to authenticate certificate request (e..g with existing trusted password

already used for something else)already used for something else)

• LDAP password etc.LDAP password etc.

• prenegotiated password is used between user and CA to encrypt private key prenegotiated password is used between user and CA to encrypt private key and certificate before sending it to user and certificate before sending it to user

• private+public key generation may take place in client OSprivate+public key generation may take place in client OS• Only client keeps private key and sends public key for signing to CA using HTTPSOnly client keeps private key and sends public key for signing to CA using HTTPS


CertifiCertification authority (2)cation authority (2)• Public key of CA needed by communicating parties Public key of CA needed by communicating parties

to verify certificates of other communicating peersto verify certificates of other communicating peers

• Public key of CA has to be inserted into every system Public key of CA has to be inserted into every system by some trustworthy mannerby some trustworthy manner• built-in into OS/WWW browser installation files, built-in into OS/WWW browser installation files,

……Advantage: only one public key (CA certificate) has to Advantage: only one public key (CA certificate) has to

be preconfigured manuallybe preconfigured manually


AutAuthhentienticationcation and Data Integrity and Data Integrity Check inCheck in AAsymsymmmetricetric S Systysteemm

Data

KB_PUBLIC

ALICE BOB

KA_PRIVATE

KB_PUBLICKB_PRIVATE

KA_PUBLICKA_PRIVATE

comparison

Hash Data

KB_PRIVATEKA_PUBLIC

Hash

Hash

© 2005 Petr Grygarek, Advanced Computer Networks Technologies 18

Virtual Private Networks Virtual Private Networks (VPN)(VPN)


What is VPN ?What is VPN ?• VPN VPN allow to build private WANs using (public) shared allow to build private WANs using (public) shared

infrastructure with the same level of security and configuration infrastructure with the same level of security and configuration options as with private infrastructureoptions as with private infrastructure

• Cheaper and flexible method for interconnection of geographically Cheaper and flexible method for interconnection of geographically dispersed sitesdispersed sites

Notes: Notes:

• In principle, VPN overlay itself does NOT have to be encryptedIn principle, VPN overlay itself does NOT have to be encrypted

• Trasport over secure infra, encryption on application level , …Trasport over secure infra, encryption on application level , …

• VPNs over private infra are also commonly usedVPNs over private infra are also commonly used

• e.g. for network administration accesse.g. for network administration access


Advantages of VPNs over Physical Advantages of VPNs over Physical Private WAN InfrastructurePrivate WAN Infrastructure

• Lower costLower cost• Short time of deploymentShort time of deployment• Flexibility of (virtual) topologyFlexibility of (virtual) topology

• topology defined just by configurationtopology defined just by configuration• No WAN link maintenance and management neededNo WAN link maintenance and management needed

• provider (ISP) takes responsibility of physical provider (ISP) takes responsibility of physical infrastructureinfrastructure


Some VPN Classification Criteria (1)Some VPN Classification Criteria (1)

• Level of customer trust to the shared infrastructure Level of customer trust to the shared infrastructure providerprovider• trusted/secured (+ level of security)trusted/secured (+ level of security)

• Protocol/technology applied in the infrastructure Protocol/technology applied in the infrastructure provider's (underlay) networkprovider's (underlay) network• L3: packet-based (IPv4/IPv6), VxLANs, ...L3: packet-based (IPv4/IPv6), VxLANs, ...

• L2: Virtual-circuit based (Frame Relay, ATM, VLANs)L2: Virtual-circuit based (Frame Relay, ATM, VLANs)

• L2.5: IP/MPLS VPNL2.5: IP/MPLS VPN

• Location of tunnel termination (CE/PE)Location of tunnel termination (CE/PE)



• Amount of routing information exchanged between Amount of routing information exchanged between provider and customer sitesprovider and customer sites• Overlay (CPE-based) modelOverlay (CPE-based) model

• Peer-to-peer (network-based) model Peer-to-peer (network-based) model

• encyption between endopoint devicesencyption between endopoint devices

• Mixed model (MPLS VPN)Mixed model (MPLS VPN)

• Virtual topology optionsVirtual topology options• Point-to-point (virtual private lines)Point-to-point (virtual private lines)

• + topologies built from virtual P2P links+ topologies built from virtual P2P links

• Multipoint (virtual routed/switched network)Multipoint (virtual routed/switched network)



• OSI layer of overlay connectivityOSI layer of overlay connectivity• L2 L2

• L2-technology dependent L2-technology dependent

• May support interworking May support interworking

• L3 protocol transparentL3 protocol transparent

• L3L3

• Independent on L2 protocolsIndependent on L2 protocols

• L3-protocol dependentL3-protocol dependent

• unicast/multicast/both traffic supportunicast/multicast/both traffic support

• Application scenariosApplication scenarios• Site-to-site (L2L VPN) / Remote access (Client VPN) / VPDNSite-to-site (L2L VPN) / Remote access (Client VPN) / VPDN



• Manual/Automatic configurationManual/Automatic configuration• automatic configuration requires signaling & automatic configuration requires signaling &

authenticationauthentication

• automatic configuration is almost inevitable for automatic configuration is almost inevitable for interconnection of hundreds of thousands of interconnection of hundreds of thousands of customer sitescustomer sites


Overlay modelOverlay model• Uses tunneling methodsUses tunneling methods

• Encryption and authentication applied in most casesEncryption and authentication applied in most cases

• Does not utilize underlying infrastructure efficiently unless full mesh Does not utilize underlying infrastructure efficiently unless full mesh overlay is configuredoverlay is configured

• Customers have no visibility of provider's network and vice versaCustomers have no visibility of provider's network and vice versa• No special contract with infrastructure provider is neededNo special contract with infrastructure provider is needed

• ISP musr not filter tunneling protocols (GRE, IPSec AH/ESP etc.)ISP musr not filter tunneling protocols (GRE, IPSec AH/ESP etc.)


Peer-to-Peer modelPeer-to-Peer model• Provider network devices have to carry all Provider network devices have to carry all

customers' routescustomers' routes• Problems with overlapping (private) addresses Problems with overlapping (private) addresses

• non-unique destination addressesnon-unique destination addresses

• Complicated filtering has to be configuredComplicated filtering has to be configured• poor scalability, risk of misconfigurationpoor scalability, risk of misconfiguration

• Optimal routing across provider's shared Optimal routing across provider's shared infrastructureinfrastructure


TunnelTunnel• Virtual point-to-point connection over shared Virtual point-to-point connection over shared

infrastructureinfrastructure• often authenticated and encryptedoften authenticated and encrypted

• Carries packets of some protocol encapsulated in Carries packets of some protocol encapsulated in another protocol another protocol • sometimes in the same protocol (sometimes in the same protocol (IP over IPIP over IP))

• tunnel can also transport layer 2 framestunnel can also transport layer 2 frames

• allows other protocols to be carried over underlay (mostly allows other protocols to be carried over underlay (mostly IP) network IP) network • (even nonroutable protocols such as NetBEUI etc.)(even nonroutable protocols such as NetBEUI etc.)


VPN Protocols and Tunneling VPN Protocols and Tunneling TechniquesTechniques

• IP/IP (v4xv6),IP/IP (v4xv6),

• GRE, VxLANGRE, VxLAN

• L2TP (PPP frames), L2TP (PPP frames),

• MPLS, MPLS,

• IPSecIPSec

• SSLSSL

• ......


Most Common VPN Implementation Most Common VPN Implementation OptionsOptions

Internetwork-wide VPNs => tunnels at or above layer 3Internetwork-wide VPNs => tunnels at or above layer 3

• Layer 3 VPN – IPSecLayer 3 VPN – IPSec• media independent (above hop-by-hop L2 security)media independent (above hop-by-hop L2 security)

• application independentapplication independent

• connectionless securityconnectionless security

• Layer 4 VPNLayer 4 VPN• SSL/TLS for TCPSSL/TLS for TCP

• DTLS for UDPDTLS for UDP

• Layer 7 VPN – application level (WWW)Layer 7 VPN – application level (WWW)Neighbor-to-neighbor protection in today's LANsNeighbor-to-neighbor protection in today's LANs

• Later2: MACSec/TrustSecLater2: MACSec/TrustSec

30© 2009 Petr Grygárek, FEI VŠB-TU Ostrava, Computer Networks (Bc.)

Most Common VPN Implementation Most Common VPN Implementation ScenariosScenarios

• Router-to-router (Router-to-router (firewallfirewall))• Site-to-site VPNsSite-to-site VPNs

• Single router may terminate multiple tunnelsSingle router may terminate multiple tunnels

• Remote User to VPN concentratorRemote User to VPN concentrator• Remote access VPNsRemote access VPNs

• user has to have special encryption software installed user has to have special encryption software installed ((VPN VPN cclientlient))

• Often used also over corporate LANs for Often used also over corporate LANs for production network managenent accessproduction network managenent access


Common VPN Applications (1)Common VPN Applications (1)• Site-to-site VPNsSite-to-site VPNs

• RRouterouter to to router router ((firewall to firewallfirewall to firewall))

• secure interconnection of (multiple) distant LANssecure interconnection of (multiple) distant LANs

• counterpart with classical WAN networkscounterpart with classical WAN networks

Secure intranet (2)

Unsecure publicinfrastructure(Internet)

Secure intranet (1)

Encryption,Decryption

Site-to-site tunnel

Encryption,Decryption


Common VPN Applications (2/1)Common VPN Applications (2/1)

• Remote access VPNsRemote access VPNs• Client-initiatedClient-initiated

• Remote user to Remote user to VPN VPN cconcentroncentraatortor

• user has special encryption software installed (user has special encryption software installed (VPN VPN cclientlient))

• NAS-initiatedNAS-initiated• Remote user dials in to service provider’s NAS using some Remote user dials in to service provider’s NAS using some

connection-oriented telecommunication network (e.g. PSTN, connection-oriented telecommunication network (e.g. PSTN, ISDN) considered trustworthy ISDN) considered trustworthy

• NAS initiates secure tunnel to secure corporate networkNAS initiates secure tunnel to secure corporate network


Common VPN applications (2/2)Common VPN applications (2/2)

Secure intranet

Unsecure publicinfrastructure

(Internet)

VPNconcentrator

PSTN

modem

User without any special

software

ISPNAS

Encryption

Encryption

Decryption

tunnels

User with VPNclient software

Client-initiatedVPN tunnel

NAS-initiated VPNtunnel


Virtual Private Dial-up NetworksVirtual Private Dial-up Networks

• Provides connection of remote users into private Provides connection of remote users into private networksnetworks

• Saves customers from maintaining their own physical Saves customers from maintaining their own physical RAS solution and interconnection to TelcoRAS solution and interconnection to Telco

• Interoperation between provider's and customers' Interoperation between provider's and customers' AAA infrastructuresAAA infrastructures

• L2TP – carries PPP sessionsL2TP – carries PPP sessions• LAC – L2TP Access ConcentratorLAC – L2TP Access Concentrator

• LNS – L2TP Network ServerLNS – L2TP Network Server


IPSec IPSec


IPSecIPSec (RFC 2401) (RFC 2401)IPSec IPSec = suite of protocols and algorithms used for data security = suite of protocols and algorithms used for data security

implementation at network layerimplementation at network layer

• Open standards Open standards frameworkframework

• GeneralGeneral, , independent to actual algorithms usedindependent to actual algorithms used• flexible and stable – no need for complete change if particular algorithm is flexible and stable – no need for complete change if particular algorithm is

compromised or obsoletecompromised or obsolete

• ProvidesProvides aut authhentienticationcation, , data data integritintegrity and confidentalityy and confidentality• using particular preconfigured or negotiated algorithms, not by itselfusing particular preconfigured or negotiated algorithms, not by itself

• Only for unicast Only for unicast IPIP traffic traffic• but other protocols (including IP broadcasts/multicasts) can be encapsulated into but other protocols (including IP broadcasts/multicasts) can be encapsulated into

IP unicast before transportation over IPSec mechanismIP unicast before transportation over IPSec mechanism

• Implemented as additional mechanism for IPv4, natively built-in into Implemented as additional mechanism for IPv4, natively built-in into IPv6IPv6


Basic IPSec terminologyBasic IPSec terminology• Security AssociationSecurity Association

• Set of policies and keys for data protectionSet of policies and keys for data protection• Data structure in communicating partners' RAMData structure in communicating partners' RAM

• Shared by (two) communicating partnersShared by (two) communicating partners

• Authentication HeaderAuthentication Header• Header appended to IP packet to carry authentication Header appended to IP packet to carry authentication

system information (HMAC etc.)system information (HMAC etc.)

• Encapsulating Security Payload HeaderEncapsulating Security Payload Header• Header appended to IP packet to carry security system Header appended to IP packet to carry security system

information (authentication, confidenitality)information (authentication, confidenitality)


Security AssociationSecurity Association (1) (1)• Defines encryption and authentication parameters used Defines encryption and authentication parameters used

between two partners communicating over IPSec between two partners communicating over IPSec tunnel tunnel • encryption and authentication algorithm,encryption and authentication algorithm, key size, key lifetimekey size, key lifetime

• encryption and authentication key (symmetric)encryption and authentication key (symmetric)

• IPSec mode (tunnel/transport)IPSec mode (tunnel/transport)

• encapsulation protocol (AH/ESP)encapsulation protocol (AH/ESP)

• specification of traffic to be encrypted (/decrypted) specification of traffic to be encrypted (/decrypted) (“proxyID”)(“proxyID”)

• Pre-configured or dynamically negotiated between Pre-configured or dynamically negotiated between partners during IPSec tunnel establishmentpartners during IPSec tunnel establishment


Security AssociationSecurity Association (2) (2)

• Independent for both traffic directionsIndependent for both traffic directions

• Independent SAs are created for individual security Independent SAs are created for individual security protocolsprotocols• i.e. AH, ESP, IKE i.e. AH, ESP, IKE

• Internet Key Exchange (IKE) provides secure tunnel for Internet Key Exchange (IKE) provides secure tunnel for dynamic SA negotiationdynamic SA negotiation

• Limited lifetimeLimited lifetime• time/bytes transferredtime/bytes transferred

• new SA is negotiated before lifetime expirationnew SA is negotiated before lifetime expiration

• Stored in Security Association Database (SADB) Stored in Security Association Database (SADB) • Security Parameter Index (SPI) + SA valuesSecurity Parameter Index (SPI) + SA values


IPSec modes: Tunnel and TransportIPSec modes: Tunnel and Transport

Transport Mode

Tunnel modeTunnel mode


Transport ModeTransport Mode• End-to-end securityEnd-to-end security

• Needs Needs IPSec IPSec support in end-user stations’ operating systemsupport in end-user stations’ operating system

• AH or/and ESP inserted between AH or/and ESP inserted between L3 aL3 andnd L4 L4 headers headers• It is impossible to filter traffic according to It is impossible to filter traffic according to L4 L4 header in the header in the

network (L4 header is encrypted)network (L4 header is encrypted)

• Next-header field of AH/ESP header identifies L4 header Next-header field of AH/ESP header identifies L4 header (L4 protocol)(L4 protocol)

• OriginalOriginal IP IP headerheader unencryptedunencrypted• But protected by But protected by autauthhentientication/data integrity hashes cation/data integrity hashes

=> => incompatible withincompatible with NAT NAT


Tunnel ModeTunnel Mode• IPSec tunnel between routers connecting secure LANs via IPSec tunnel between routers connecting secure LANs via

unsecure shared infrastructure (IPSec gateways)unsecure shared infrastructure (IPSec gateways)• no need for IPSec support in user stations' operating systemsno need for IPSec support in user stations' operating systems

• IP packets encapsulated by another IP packets (tunnel)IP packets encapsulated by another IP packets (tunnel) • AH and ESP inserted at the beginning of encapsulating AH and ESP inserted at the beginning of encapsulating

packet data field, original unchanged (tunneled) packet followspacket data field, original unchanged (tunneled) packet follows• Packets are encrypted including their IP headers Packets are encrypted including their IP headers

==> potential spy in insecure network cannot even determine > potential spy in insecure network cannot even determine which stations of secure networks speak togetherwhich stations of secure networks speak together

Used most commonly today.Used most commonly today.


Transfer of Transfer of IPSec CIPSec Control ontrol InformationInformation

• AuthentiAuthenticcation Headeration Header• Information for authentication and data integrityInformation for authentication and data integrity

• Encapsulating Security PayloadEncapsulating Security Payload• Information for encryption, authentication and data Information for encryption, authentication and data

integrityintegrity• and optionally anti-replayand optionally anti-replay

• May completely supersede authentication headerMay completely supersede authentication header• AH was defined earlier and is still maintained mostly for AH was defined earlier and is still maintained mostly for

compatibility with older implementations and for use compatibility with older implementations and for use cases that needs authentication only cases that needs authentication only (e.g routing information (e.g routing information exchange)exchange)


Authentication headerAuthentication header

• Assures authentication and (connectionless) data Assures authentication and (connectionless) data integrity integrity

• Protects Protects IP hIP headereader ( (unchanging fieldsunchanging fields) ) andand IP IP packet packet datdataa• carries authentication information (HMAC)carries authentication information (HMAC)• carries Security Parameters Index (SPI) to identify particular carries Security Parameters Index (SPI) to identify particular

security association security association used for current packetused for current packet• if multiple SAs are used concurrently for enhanced security (mostly if multiple SAs are used concurrently for enhanced security (mostly

not)not)

• Optional support forOptional support for anti-replay anti-replay• Sender inserts sequence numbers into packets, receiver may Sender inserts sequence numbers into packets, receiver may

optionally verify themoptionally verify them

• Protects transport IP header Protects transport IP header (both in tunnel and transport mode)(both in tunnel and transport mode)

==> incompatible with NAT> incompatible with NAT


AH – transport modeAH – transport mode


AH – tunnel modeAH – tunnel mode


Encapsulating Security Payload-ESPEncapsulating Security Payload-ESP

• Carries control information for data encryption Carries control information for data encryption (and authentication)(and authentication)• encapsulates protected dataencapsulates protected data

• Optional data authentication and integrity check Optional data authentication and integrity check (only user data)(only user data)

• Optional Optional anti-replayanti-replay check check

• May provide all functions of authentication May provide all functions of authentication header and supersede its functionheader and supersede its function


ESP – transport modeESP – transport mode


ESP – tunnel modeESP – tunnel mode


Dynamic SA negotiationDynamic SA negotiation

• Manual configuration of SAs at multiple stations would Manual configuration of SAs at multiple stations would be a tedious and error-prone taskbe a tedious and error-prone task

• Periodic change of authentication/encryption keys is Periodic change of authentication/encryption keys is necessary, which calls for dynamic negotiation necessary, which calls for dynamic negotiation mechanismmechanism


Dynamic SA Negotiation Dynamic SA Negotiation FrameworksFrameworks

• Internet Security Association and Key Management Protocol Internet Security Association and Key Management Protocol (ISAKMP)(ISAKMP)• framework for secure (dynamic) key exchange and negotiation of security framework for secure (dynamic) key exchange and negotiation of security

associationsassociations• does not define any particular algorithms, provides only mechanics of does not define any particular algorithms, provides only mechanics of

parameter negotiation and key exchange protocolsparameter negotiation and key exchange protocols• payload formats etc.payload formats etc.

• Internet Key Interchange (IKE)Internet Key Interchange (IKE)• operates within ISAKMP frameworkoperates within ISAKMP framework• particular key exchange protocol (Oakley Key Exchange + Skeme Key particular key exchange protocol (Oakley Key Exchange + Skeme Key

Exchange)Exchange)• used to negotiate IPSec SAsused to negotiate IPSec SAs

• SA negotiation is protected by tunnel encrypted with dynamically SA negotiation is protected by tunnel encrypted with dynamically negotiated keys (negotiated keys (Diffie-HellmaDiffie-Hellmann algorit algorithhmm))


Diffie-Hellman algorithmDiffie-Hellman algorithm

• Used to negotiate shared secret key between two parties Used to negotiate shared secret key between two parties over unsecure channelover unsecure channel

• Key values are never sent over unsecure channelKey values are never sent over unsecure channel

• Based on public/private key pair generation on both sides, public Based on public/private key pair generation on both sides, public key interchange and calculations with big prime numberskey interchange and calculations with big prime numbers

• communicating parties have to be authenticated by some communicating parties have to be authenticated by some external mechanism external mechanism

• prevents man-in-the-middle attackprevents man-in-the-middle attack

• pre-shared key or certificates are commonly usedpre-shared key or certificates are commonly used


Practical IPSec OperationPractical IPSec Operation1.1. Interesting traffic to be encrypted is detected based on ProxyIDs or Interesting traffic to be encrypted is detected based on ProxyIDs or

traffic is routed explicitly to IPSec tunnel interfacetraffic is routed explicitly to IPSec tunnel interface2.2. IKE Phase 1IKE Phase 1

• IPSec peer authentication (pre-shared keys, RSA signatures (X.509))IPSec peer authentication (pre-shared keys, RSA signatures (X.509))

• Negotiation of IKE SAs (Diffie-Hellman), for both directionsNegotiation of IKE SAs (Diffie-Hellman), for both directions• Encryption algorithm, hash algorithm, keys, key lifetime, …Encryption algorithm, hash algorithm, keys, key lifetime, …

• Establishes secure channel for IPSec SA negotiationEstablishes secure channel for IPSec SA negotiation

3.3. IKE Phase 2IKE Phase 2• Negotiation of IPSec SAs (for both directions)Negotiation of IPSec SAs (for both directions)

• According to policies supported by peersAccording to policies supported by peers• Multiple priorized policies to choose from may be definedMultiple priorized policies to choose from may be defined

4.4. Secure data exchange using IPSecSecure data exchange using IPSec• SAs renegotiated by IKE if lifetime expiresSAs renegotiated by IKE if lifetime expires

5.5. After inactivity timeout, IPSec tunnel closed (SAs discarded) After inactivity timeout, IPSec tunnel closed (SAs discarded)


Which Traffic should be Encrypted ?Which Traffic should be Encrypted ?

Crypto Access Lists / ProxyIDsCrypto Access Lists / ProxyIDs

• OutboundOutbound - - indicate which data have to be protected by indicate which data have to be protected by IPSecIPSec

• InboundInbound - - filter out and discard traffic that should have filter out and discard traffic that should have been protected by IPSec (but is not)been protected by IPSec (but is not)

• Must be symmetrical on both sides, otherwise IPSec tunnel Must be symmetrical on both sides, otherwise IPSec tunnel is not establishedis not established


Infrastructure ACL Modification for Infrastructure ACL Modification for Operation of IPSecOperation of IPSec

Underlying infrastructure has to allow these types Underlying infrastructure has to allow these types of traffic:of traffic:

• ISAKMP – UDP port 500ISAKMP – UDP port 500

• ESP – IP protocol 50ESP – IP protocol 50

• AH – IP protocol 51AH – IP protocol 51


IPSec NAT TraversalIPSec NAT Traversal

• Changing of IP header fields by NAT causes Changing of IP header fields by NAT causes HMAC mismatchHMAC mismatch

• NAT-T encapsulates IPSec-protected packet with NAT-T encapsulates IPSec-protected packet with another UDP/IP envelopeanother UDP/IP envelope• NAT-T - UDP port 4500NAT-T - UDP port 4500

• Negotiated in IKENegotiated in IKE

cisco presentation guidewh.cs.vsb.cz/sps/images/6/6b/vpn.pdf · • in principle, vpn overlay...

Documents