11

IPSec—An OverviewIPSec—An Overview

Somesh JhaSomesh Jha University of WisconsinUniversity of Wisconsin

22

OutlineOutline why IPSec?why IPSec? IPSec ArchitectureIPSec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPSec PolicyIPSec Policy discussiondiscussion

33

IP is not Secure!IP is not Secure! IP protocol was designed in the IP protocol was designed in the

late 70s to early 80slate 70s to early 80s– Part of DARPA Internet ProjectPart of DARPA Internet Project– Very small networkVery small network

All hosts are known!All hosts are known! So are the users!So are the users! Therefore, security was not an issueTherefore, security was not an issue

44

Security Issues in IPSecurity Issues in IP

source spoofingsource spoofing replay packetsreplay packets no data integrity no data integrity

or confidentialityor confidentiality

• DOS attacks• Replay attacks• Spying• and more…

Fundamental Issue: Networks are not (and will never be)

fully secure

55

Goals of IPSecGoals of IPSec to verify sources of IP packetsto verify sources of IP packets

– authenticationauthentication to prevent replaying of old to prevent replaying of old

packetspackets to protect integrity and/or to protect integrity and/or

confidentiality of packetsconfidentiality of packets– data Integrity/Data Encryptiondata Integrity/Data Encryption

66

OutlineOutline Why IPsec?Why IPsec? IPSec ArchitectureIPSec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPsec PolicyIPsec Policy DiscussionDiscussion

77

The IPSec Security The IPSec Security ModelModelSecure

Insecure

88

IPSec ArchitectureIPSec Architecture

ESP AH

IKE

IPSec Security Policy

Encapsulating SecurityPayload

Authentication Header

The Internet Key Exchange

99

IPSec ArchitectureIPSec Architecture IPSec provides security in three

situations:– Host-to-host, host-to-gateway and

gateway-to-gateway IPSec operates in two modes:

– Transport mode (for end-to-end)– Tunnel mode (for VPN)

1010

IPsec ArchitectureIPsec Architecture

Tunnel ModeRouter Router

Transport Mode

1111

Various PacketsVarious Packets

IP header

IP header

IP header

TCP header

TCP header

TCP header

data

data

data

IPSec header

IPSec header IP header

Original

Transportmode

Tunnelmode

1212

IPSecIPSec A collection of protocols (RFC 2401)A collection of protocols (RFC 2401)

– Authentication Header (AH)Authentication Header (AH) RFC 2402RFC 2402

– Encapsulating Security Payload (ESP)Encapsulating Security Payload (ESP) RFC 2406RFC 2406

– Internet Key Exchange (IKE)Internet Key Exchange (IKE) RFC 2409RFC 2409

– IP Payload Compression (IPcomp)IP Payload Compression (IPcomp) RFC 3137RFC 3137

1313

Authentication Header Authentication Header (AH)(AH)

Provides source authenticationProvides source authentication– Protects against source spoofingProtects against source spoofing

Provides data integrityProvides data integrity Protects against replay attacksProtects against replay attacks

– Use monotonically increasing sequence Use monotonically increasing sequence numbersnumbers

– Protects against denial of service attacksProtects against denial of service attacks NO protection for confidentiality!NO protection for confidentiality!

1414

AH DetailsAH Details Use 32-bit monotonically Use 32-bit monotonically

increasing sequence number to increasing sequence number to avoid replay attacksavoid replay attacks

Use cryptographically strong hash Use cryptographically strong hash algorithms to protect data algorithms to protect data integrity (96-bit)integrity (96-bit)– Use symmetric key cryptographyUse symmetric key cryptography– HMAC-SHA-96, HMAC-MD5-96 HMAC-SHA-96, HMAC-MD5-96

1515

AH Packet DetailsAH Packet Details

Authentication Data

Sequence Number

Security Parameters Index (SPI)

Nextheader

Payloadlength Reserved

Old IP header (only in Tunnel mode)TCP header

New IP header

Authenticated

Data

EncapsulatedTCP or IP packet

Hash of everythingelse

1616

Encapsulating Security Encapsulating Security Payload (ESP)Payload (ESP)

Provides all that AH offers, andProvides all that AH offers, and in addition provides in addition provides data data

confidentialityconfidentiality– Uses symmetric key encryptionUses symmetric key encryption

1717

ESP DetailsESP Details Same as AH:Same as AH:

– Use 32-bit sequence number to Use 32-bit sequence number to counter replaying attackscounter replaying attacks

– Use integrity check algorithmsUse integrity check algorithms Only in ESP:Only in ESP:

– Data confidentiality:Data confidentiality: Uses symmetric key encryption Uses symmetric key encryption

algorithms to encrypt packetsalgorithms to encrypt packets

1818

ESP Packet DetailsESP Packet Details

Authentication Data

Sequence NumberSecurity Parameters Index (SPI)

Nextheader

Payloadlength Reserved

TCP header

Authenticated

IP header

Initialization vector

Data

Pad Pad length NextEncrypted TCP packet

1919

Question?Question?

1.1. Why have both AH and ESP?Why have both AH and ESP?2.2. Both AH and ESP use symmetric Both AH and ESP use symmetric

key based algorithmskey based algorithms– Why not public-key cryptography?Why not public-key cryptography?– How are the keys being exchanged?How are the keys being exchanged?– What algorithms should we use?What algorithms should we use?– Similar to deciding on the Similar to deciding on the

ciphersuite in SSLciphersuite in SSL

2020

OutlineOutline Why IPsec?Why IPsec? IPsec ArchitectureIPsec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPsec PolicyIPsec Policy DiscussionDiscussion

2121

Internet Key Exchange Internet Key Exchange (IKE)(IKE)

Exchange and negotiate security Exchange and negotiate security policies policies

Establish security sessionsEstablish security sessions– Identified as Identified as Security AssociationsSecurity Associations

Key exchangeKey exchange Key managementKey management Can be used outside IPsec as wellCan be used outside IPsec as well

2222

IPsec/IKE AcronymsIPsec/IKE Acronyms Security Association (SA)Security Association (SA)

– Collection of attribute associated with a Collection of attribute associated with a connectionconnection

– Is Is asymmetric!asymmetric! One SA for inbound traffic, another SA for One SA for inbound traffic, another SA for

outbound trafficoutbound traffic Similar to ciphersuites in SSLSimilar to ciphersuites in SSL

Security Association Database (SADB)Security Association Database (SADB)– A database of SAsA database of SAs

2323

IPsec/IKE AcronymsIPsec/IKE Acronyms Security Parameter Index (SPI)Security Parameter Index (SPI)

– A unique index for each entry in the A unique index for each entry in the SADBSADB

– Identifies the SA associated with a Identifies the SA associated with a packetpacket

Security Policy Database (SPD)Security Policy Database (SPD)– Store policies used to establish SAsStore policies used to establish SAs

2424

How They Fit TogetherHow They Fit TogetherSPD

SADBSA-2

SPI

SPI

SA-1

2525

SPD and SADB SPD and SADB ExampleExampleFroFromm

ToTo ProtocolProtocol PortPort PolicyPolicy

AA BB AnyAny AnyAny AH[HMAC-MD5]AH[HMAC-MD5]Tunnel Mode

Transport Mode

A C B

A’s SPD

FroFromm

ToTo ProtocolProtocol SPISPI SA RecordSA Record

AA BB AHAH 1212 HMAC-MD5 keyHMAC-MD5 keyA’s SADB

D

FromFrom ToTo ProtocoProtocoll

PortPort PolicyPolicy Tunnel DestTunnel Dest

AnyAny AnyAny ESP[3DES]ESP[3DES] DDC’s SPD

FromFrom ToTo ProtocolProtocol SPISPI SA RecordSA RecordESPESP 1414 3DES key3DES key C’s SADB

Asub Bsub

Asub Bsub

2626

How It WorksHow It Works IKE operates in two phasesIKE operates in two phases

– Phase 1:Phase 1: negotiate and establish an negotiate and establish an auxiliary end-to-end secure channelauxiliary end-to-end secure channel

Used by subsequent phase 2 negotiationsUsed by subsequent phase 2 negotiations Only established once between two end points!Only established once between two end points!

– Phase 2:Phase 2: negotiate and establish custom negotiate and establish custom secure channelssecure channels

Occurs multiple timesOccurs multiple times– Both phases use Diffie-Hellman key Both phases use Diffie-Hellman key

exchange to establish a shared keyexchange to establish a shared key

2727

IKE Phase 1IKE Phase 1 Goal:Goal: to establish a secure to establish a secure

channel between two end pointschannel between two end points– This channel provides basic security This channel provides basic security

features:features: Source authenticationSource authentication Data integrity and data confidentialityData integrity and data confidentiality Protection against replay attacksProtection against replay attacks

2828

IKE Phase 1IKE Phase 1 Rationale:Rationale: each application has each application has

different security requirementsdifferent security requirements But they all need to negotiate But they all need to negotiate

policies and exchange keys!policies and exchange keys! So, provide the basic security So, provide the basic security

features and allow application to features and allow application to establish custom sessionsestablish custom sessions

2929

ExamplesExamples All packets sent to address All packets sent to address

mybank.commybank.com must be encrypted must be encrypted using 3DES with HMAC-MD5 using 3DES with HMAC-MD5 integrity checkintegrity check

All packets sent to address All packets sent to address www.forum.com must use must use integrity check with HMAC-SHA1 integrity check with HMAC-SHA1 (no encryption is required)(no encryption is required)

3030

Phase 1 ExchangePhase 1 Exchange Can operate in two modes:Can operate in two modes:

– Main modeMain mode Six messages in three round tripsSix messages in three round trips More optionsMore options

– Quick modeQuick mode Four messages in two round tripsFour messages in two round trips Less optionsLess options

3131

Phase 1 (Main Mode)Phase 1 (Main Mode)Initiator Responder

[Header, SA1]

3232

Phase 1 (Main Mode)Phase 1 (Main Mode)Initiator Responder

[Header, SA1]

[Header, SA2]

Establish vocabulary for further communication

3333

Phase 1 (Main Mode)Phase 1 (Main Mode)Initiator Responder

[Header, SA1]

[Header, SA2][Header, KE, Ni, {Cert_Reg} ]

3434

Phase 1 (Main Mode)Phase 1 (Main Mode)Initiator Responder

Header, SA1

[Header, SA1][Header, KE, Ni { , Cert_Req} ]

[Header, KE, Nr {, Cert_Req}]

Establish secret key using Diffie-Hellman key exchangeUse nonces to prevent replay attacks

3535

Phase 1 (Main Mode)Phase 1 (Main Mode)Initiator Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {,Cert_Req} ]

[Header, KE, Nr {,Cert_Req}]

[Header, IDi, {CERT} sig]

3636

Phase 1 (Main Mode)Phase 1 (Main Mode)Initiator Responder

[Header, SA1]

[Header, SA1][Header, KE, Ni {, Cert_req}]

[Header, KE, Nr {, Cert_req}]

[Header, IDi, {CERT} sig]

[Header, IDr, {CERT} sig]

Signed hash of IDi (without Cert_req , just send the hash)

3737

Phase 1 (Aggressive Phase 1 (Aggressive Mode)Mode)

Initiator Responder[Header, SA1, KE, Ni, IDi]

3838

Phase 1 (Aggressive Phase 1 (Aggressive Mode)Mode)

Initiator Responder[Header, SA1, KE, Ni, IDi]

[Header, SA2, KE, Nr, IDr, [Cert]sig]

[Header, [Cert]sig]

First two messages combined into one(combine Hello and DH key exchange)

3939

IPSec (Phase 1)IPSec (Phase 1) Four different way to authenticate Four different way to authenticate

(either mode)(either mode)– Digital signatureDigital signature– Two forms of authentication with Two forms of authentication with

public key encryptionpublic key encryption– Pre-shared keyPre-shared key

NOTE:NOTE: IKE does use public-key IKE does use public-key based cryptography for encryptionbased cryptography for encryption

4040

IPSec (Phase 2)IPSec (Phase 2) Goal:Goal: to establish custom secure to establish custom secure

channels between two end pointschannels between two end points– End points are identified by <IP, port>:End points are identified by <IP, port>:

e.g. e.g. <www.mybank.com, 8000><www.mybank.com, 8000> – Or by packet:Or by packet:

e.g. All packets going to e.g. All packets going to 128.124.100.0/24128.124.100.0/24– Use the secure channel established in Use the secure channel established in

Phase 1 for communicationPhase 1 for communication

4141

IPSec (Phase 2)IPSec (Phase 2) Only one mode:Only one mode: Quick Mode Quick Mode Multiple quick mode exchanges Multiple quick mode exchanges

can be multiplexedcan be multiplexed Generate SAs for two end pointsGenerate SAs for two end points Can use secure channel Can use secure channel

established in phase 1established in phase 1

4242

IP Payload IP Payload CompressionCompression

Used for compressionUsed for compression Can be specified as part of the Can be specified as part of the

IPSec policyIPSec policy Will not cover!Will not cover!

4343

OutlineOutline Why IPsec?Why IPsec? IPsec ArchitectureIPsec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPSec PolicyIPSec Policy DiscussionDiscussion

4444

IPsec PolicyIPsec Policy Phase 1 policies are defined in terms Phase 1 policies are defined in terms

of of protection suitesprotection suites Each protection suiteEach protection suite

– Must contain the following:Must contain the following: Encryption algorithmEncryption algorithm Hash algorithmHash algorithm Authentication methodAuthentication method Diffie-Hellman GroupDiffie-Hellman Group

– May optionally contain the following:May optionally contain the following: LifetimeLifetime ……

4545

IPSec PolicyIPSec Policy Phase 2 policies are defined in terms Phase 2 policies are defined in terms

of of proposalsproposals Each proposal:Each proposal:

– May contain one or more of the followingMay contain one or more of the following AH sub-proposalsAH sub-proposals ESP sub-proposalsESP sub-proposals IPComp sub-proposalsIPComp sub-proposals Along with necessary attributes such asAlong with necessary attributes such as

– Key length, life time, etcKey length, life time, etc

4646

IPSec Policy ExampleIPSec Policy Example In English: In English:

– All traffic to 128.104.120.0/24 must be:All traffic to 128.104.120.0/24 must be: Use pre-hashed key authenticationUse pre-hashed key authentication DH group is MODP with 1024-bit modulusDH group is MODP with 1024-bit modulus Hash algorithm is HMAC-SHA (128 bit key)Hash algorithm is HMAC-SHA (128 bit key) Encryption using 3DESEncryption using 3DES

In IPSec:In IPSec:– [Auth=Pre-Hash; [Auth=Pre-Hash;

DH=MODP(1024-bit); DH=MODP(1024-bit); HASH=HMAC-SHA; HASH=HMAC-SHA; ENC=3DES] ENC=3DES]

4747

IPsec Policy ExampleIPsec Policy Example In English:In English:

– All traffic to 128.104.120.0/24 must use All traffic to 128.104.120.0/24 must use one of the following:one of the following:

AH with HMAC-SHA or,AH with HMAC-SHA or, ESP with 3DES as encryption algorithm and ESP with 3DES as encryption algorithm and

(HMAC-MD5 or HMAC-SHA as hashing algorithm)(HMAC-MD5 or HMAC-SHA as hashing algorithm) In IPsec:In IPsec:

– [AH: HMAC-SHA] or, [AH: HMAC-SHA] or, – [ESP: (3DES and HMAC-MD5) or [ESP: (3DES and HMAC-MD5) or

(3DES and HMAC-SHA)] (3DES and HMAC-SHA)]

4848

Virtual Private Virtual Private Networks (VPNs)Networks (VPNs)

VirtualVirtual– It is not a physically distinct networkIt is not a physically distinct network

PrivatePrivate– Tunnels are encrypted to provide Tunnels are encrypted to provide

confidentialityconfidentiality CS dept might have a VPNCS dept might have a VPN

– I can be on this VPN while travelingI can be on this VPN while traveling

4949

Alice is TravelingAlice is Traveling AliceAlice works for the mergers and works for the mergers and

acquisitions (M&A) department of acquisitions (M&A) department of takeover.comtakeover.com

She is at She is at HicktownHicktown taking over a taking over a meat-packing plantmeat-packing plant

She wants to access the M&A She wants to access the M&A server at her company server at her company (confidentially of course)(confidentially of course)

5050

Alice is TravelingAlice is Traveling

5151

OutlineOutline Why IPsec?Why IPsec? IPsec ArchitectureIPsec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPsec PolicyIPsec Policy DiscussionDiscussion

5252

DiscussionDiscussion IPSec is not the only solution!IPSec is not the only solution!

– Security features can be added on Security features can be added on top of IP!top of IP! e.g. Kerberos, SSLe.g. Kerberos, SSL

Confused?Confused?– IP, IPSec protocols are very complex!IP, IPSec protocols are very complex!

Two modes, three sub protocolsTwo modes, three sub protocols– Complexity is the biggest enemy of Complexity is the biggest enemy of

securitysecurity

5353

DiscussionDiscussion Has it been used?Has it been used?

– Yes—primarily used by some VPN Yes—primarily used by some VPN vendorsvendors

But not all routers support itBut not all routers support it– No—it is not really an end-to-end No—it is not really an end-to-end

solutionsolution Authentication is too coarse (host based)Authentication is too coarse (host based) Default encryption algorithm too weak (DES)Default encryption algorithm too weak (DES) Too complex for applications to useToo complex for applications to use

5454

ResourcesResources IP, IPsec and related RFCs:IP, IPsec and related RFCs:

– http://www.ietf.org/html.charters/ipsec-charter.html

– IPsec: RFC 2401, IKE: RFC 2409IPsec: RFC 2401, IKE: RFC 2409– www.freeswan.orgwww.freeswan.org

Google searchGoogle search