An Introduction To IPsec

Bezawada Bruhadeshwar,International Institute of Information Technology,

Hyderabad

Overview of Presentation

Introduction The Internet Model and Threats Solutions Possible Security Measures at Various Layers IPsec: security at network layer

How IPsec works IPsec model Authentication Header Encapsulating Security Payload Internet Key Exchange

Limitations of IPsecConclusions

Introduction

Original Design Model for Internet The model of Internet was made for a

more benign environment like academia All data on Internet was free to all and

anyone could share or modify the data Since the some etiquette was being

observed by the limited Internet community, security was hardly an issue

Internet has grown beyond academia

Introduction (contd.)

Several useful applications have prompted businesses to make use of the Internet

E.g., Amazon.com, rediff.com, icicibank.com… Almost all conventional businesses now have a

prescence on the Internet

Some businesses only have Internet prescence E.g., Ebay.com, Amazon.com, fabmall.com

Several social communities are built over the Internet

E.g., Orkut.com, yahoo.groups, google groups

Introduction (contd.)

In present scenario, Internet enables instant on-demand business by Establishing communication links with suppliers

and business partners By eliminating the need for costly wide area

network dedicated lines Enabling remote access to corporate networks

using many available Internet service providers

One of the main stumbling blocks to achieve these benefits is lack of security (besides, reliability, quality of service among others)

Internet Threats

The varied nature of Internet users and networks has brought the security concernTo ratify the fears several threats have surfaced, such as, Identity spoofing Denial of service Loss of privacy Loss of data integrity Replay attacks

Internet Threats (contd.)

Identity spoofing Executing transactions by masquerading

Denial of service Preventing a service provider by flooding with fake

requests for service

Loss of privacy Eavesdropping on conversations, database replies etc

Loss of data integrity Modifying data in transit to disrupt a valid communication

Replay attacks Using older legitimate replies to execute new and

malicious transactions

Solutions to the Problems

Confidentiality If data is encrypted intruders cannot observe

Integrity Modification can be detected

Authentication If devices can identify source of data then it is

difficult to impersonate a friendly device Spoofing , replay attacks and denial of service can be

averted

The question is where should such a solution be implemented in the protocol stack?

Public-Key Cryptography

A user generates two keys: public-key and private-key pairPublic-key and private-key pairs can be viewed as mutually cancelling What public-key can encrypt only private-key can decrypt

Public-key is known to everyone Anyone can send a message to the user using public key

Private-key is secret Only the user can decrypt with private key

Encryption with private is called digital signature Can be verified but cannot be forged

Message Authentication Codes

A Message Authentication Code algorithm is a family of hash functions hk, parametrized by a secret k, with properties: Ease of computation: given a key k and input x, it is easy

to compute hk(x) Compression: hk maps an input of arbitrary length to an

output of hk(x) of bitlength n Computation-resistance: given zero or more text-MAC

pairs (xi, hk(xi)) it is computationally infeasible to compute any text-MAC pair (x, hk(x)) for any new input x

If two users share a cryptographic key they can use it generate same MAC and hence, validate each other

Recalling Protocol Stack

TCP, UDP

IP

Physical Layer

Link Layer

Application

HT

TP

SM

TP

FT

P

SN

MP

NF

S

FT

P

DN

S

Security Measures at Different Layers

Application Layer

Transport Layer

Network Layer

Data Link Layer

PGP, Kerberos, SSH, S/MIME

SSL/Transport Layer Security (TLS)

IPsec

Hardware encryption

Security Measures at Different Layers (contd.)

Application Layer Security Implemented as a User Software No need to modify operating system or underlying

network structure Each application and system requires its own

security mechanisms

SSL/TLS (transport layer security) is implement as user-end software, and is protocol specificLink layer security

Implemented in hardware Requires encryption decryption between every link Difficult to implement in Internet like scenario

IPsec: Security at IP Layer

IPsec is a framework of open standards developed by IETF (www.ietf.org, rfc’s 4301-4308)IPsec is below transport layer and is transperant to applications IPsec provides security to all traffic passing

through the IP layer

End users need not be trained on security mechanisms, issued keys or revokedIPsec has the granularity to provide per-user security if needed

IPsec: Security at IP Layer (contd.)

IPsec has additional advantages of protecting routing architecture IPsec can assure that a router

advertisement is from an authorized router

A routing update is not forged A neighbor advertisement comes

from an authorized router

IPsec Services

Access controlConnectionless IntegrityData origin authenticationRejection of replayed packetsConfidentialityLimited traffic flow confidentiality

IPsec Manifestation

IPsec Manifestation

Protects data flow between/among Pair of hosts: end-to-end protection between two

users, independent of applications they are using Pair of security gateways: A security gateway can be

a router, firewall, proxy etc. Secures entire traffic from/to the network

Security gateway and a host: secure remote access to network resources

Granularity in Ipsec Mode, choice of cryptographic algorithms, protocols Which subsets of traffic are afforded protection

IPsec at a Glance

IPsec uses a combination of the following techniques to provide its services Diffie-Hellman key exchange to

establish keys between peers Encryption algorithms like DES to

provide confidentiality Keyed hash algorithms like MD5 and

SHA-1 to provide message authentication

IPsec: Roadmap

Security Association, Security Policy Database IPsec protocol componentsIPsec modesAuthentication HeaderEncapsulating Security PayloadInternet Key ExchangeCommercial Instantiations

Security Association

A simplex (one-way) relationship that affords security services to the traffic carried by itOnly one service per SA : AH or ESPTo secure bi-directional traffic 2 SAs are requiredSpecified by Security parameters index (SPI), destination IP address Multiple SAs used by same source/receiver Multiple sources can use same SA

Security Association

Security Parameters IndexIP Destination AddressSecurity Protocol Identifier

All three identify the particular SA being used

SA Parameters

Sequence Number CounterSequence Counter OverflowAnti-Replay WindowAH InformationESP InformationLifetime of SAIPSec Protocol mode –Tunnel, Transport Path MTU

Security Policy Database

Defines policies for all IP traffic passing through the interface

Each SPD points to one or more corresponding SAs Processing is done after matching against the corresponding

SPD entry by using the relevant SA

Protection offered by IPsec is based on requirements defined by a security policy database, SPDPackets are selected for one of three processing actions based on IPheader information, matched against entries in SPD

Actions:PROTECT, DISCARD, BYPASS

SPD Entries

Destination IP AddressSource IP AddressUserIDData sensitivity levelTransport layer protocolIPSec protocolSource and Destination PortsIPv6 ClassIPv6 Flow labelIPv4 Type of Service

Security Policy Database (contd.)

Logical divisions of SPD: SPD-S, SPD-I, SPD-O SPD-I (bypassed or discarded), entries that

apply to the inbound traffic SPD-O(bypassed or discarded), entries

identifying outbound traffic SPD-S(secure traffic), entries to lookup

SAs, create SAs,

IPsec components

IPsec consists of two important protocol components The first, defines the information that needs

to be added to the IP packet to achieve the required services. These are classified further as Authentication Header and Encapsulating Security Protocol

The second, Internet Key Exchange, which negotiates security association between two peers and exchanges keying material

Recalling Packet HeadersEncapsulation of Data for Network Delivery

Original Message

Data 3Header 3

Data 2Header 2

Transport Layer(TCP, UDP)

Network Layer(IP)

Data 1Header 1

Application Layer

Data Link Layer

IPsec Modes

IPsec can operate in two modes Transport Mode

Only IP payload is encrypted IP headers are left in tact Adds limited overhead to the IP packet

Tunnel Entire IP packet is encrypted New IP headers are generated for this

packet Transparent to end-users

IPsec modes (contd.)Transport Mode: protect the upper layer protocols

IP Header

TCPHeader

DataOriginal IP Datagram

IP Header

TCPHeader

IPSecHeader

DataTransport Mode protected packet

Tunnel Mode: protect the entire IP payload

Tunnel Mode protected packet

New IP Header

TCPHeader

IPSecHeader

DataOriginal IP Header

protected

protected

Authentication Header

This information is added to the header to provide the following services: Access control, connectionless

integrity, data origin authentication, rejection of replayed packets

Information added are: Sequence number (32-bit) Integrity check value (variable, multiple

of 32-bits)

Authentication Header (contd.)

Anti-replay attacks Range of sequence numbers for session is

232-1 Sequence numbers are not reused

Integrity Check Value (ICV) Keyed MAC algorithms used: AES, MD5,

SHA-1 MAC is calculated over immutable fields in

transit (source/dest. addr, IP version, header length, packet length)

Encapsulating Security Payload

Three types of services Confidentiality only Integrity only Confidentiality and integrity

Others Anti-replay service Limited traffic flow confidentiality

ESP (contd.)

Header fields Security parameters index (32-bit) Sequence number (32-bit) Encrypted payload (variable)+padding(0-255

bytes) computed over upper layer segment (transport mode) or entire packet (tunnel mode)

TFC padding (optional, variable) Integrity check value-ICV (variable, optional),

computed over ESP header (all above data)

ESP (contd.)

Most purposes ESP is sufficient to achieve both confidentiality and integrity. Some auditable events by IPsec are: Invalid SA Processing fragmented packet Transmitting packet which can cause

sequence number overflow Received packet fails anti-replay Integrity check fails

Internet Key Exchange (IKE)

IKE creates authenticated secure channel between two peers and then, negotiates SA Phases of IKE Authentication Key Exchange Establishing SA

Authentication

Two peers in IPsec need to identify each other. Forms of authentication : Pre-shared keys: same keys are pre-installed

and authentication is done exchanging known data Decryption requires same key and hence, only valid

receivers can recover data Public key cryptography: Nonces are

exchanged using other user’s public-key and replies are checked for verification Public-key to encrypt, Private-key to decrypt

IKE and IPsec

Limitations

Security implemented by AH and ESP ultimately depends on their implementation

Operating environment affects the way IPsec security works

Defects in OS security, poor random number generators, misconfiguration of protocols, can all degrade security provided by IPssec.

Cryptographic Standards for ESP & IKE

Encapsulating Security Payload ESP encryption: TripleDES in CBC mode [RFC2451] ESP integrity : HMAC-SHA1-96 [RFC2404]

IKE and IKEv2 Encryption : TripleDES in CBC mode [RFC2451] Pseudo-random function: HMAC-SHA1 [RFC2104] Integrity : HMAC-SHA1-96 [RFC2404] Diffie-Hellman group: 1024-bit Modular Exponential

(MODP) [RFC2409]

Conclusions

IPsec provides a method for creating secure private networks over public networksApplications, operating systems need not be changed Implementation can be limited to secure

gateways

Several products based on IPsec are commercially deployedUsers can even enable and use IPsec on their machines