
Network-Layer Security: IPsec and Virtual Private Networks
cs.wellesley.edu/~cs242/lectures/24_private_networks_handouts.pdf

CS242 Computer Networks Department of Computer Science Wellesley College

Network-Layer Security IPsec and Virtual Private Networks

IPsec 24-2

Blanket coverage

o  IPsec provides security at the network layer by encrypting the payloads of all datagrams between pairs of network entities.
o  In addition to confidentiality, it can also provide:
   o  authentication;
   o  data integrity;
   o  and security against replay attacks.

IPsec 24-3

IPsec and Virtual Private Networks

[Figure: Wellesley College, French House, and your instructor (working from home, laptop w/ IPsec) connected over the Internet, with a router w/ IPv4 and IPsec at each of the two sites. Datagrams in the figure are labelled either "IP header | IPsec header | Secure payload" or "IP header | payload".]

IPsec 24-4

A rather complex animal

o  IPsec is defined in more than a dozen RFCs, including RFC 4301, describing the overall IP security architecture, and RFC 6071, which gives an overview of the IPsec protocol suite.
o  Two principal protocols: Authentication Header (AH) and Encapsulation Security Payload (ESP).

IPsec 24-5

Security associations

o  Before sending IPsec datagrams, the source and destination entities create a network-layer logical connection called a security association (SA).
o  An SA is unidirectional from source to destination.
o  If both entities want to send secure datagrams, then two SAs need to be established.

IPsec 24-6

Security association from R1 to R2

Router R1 maintains the following state:

o  32-bit SA identifier: Security Parameter Index (SPI)
o  Origin SA interface (200.168.1.100)
o  Destination SA interface (193.68.2.23)
o  Type of encryption used (e.g., 3DES with CBC)
o  Encryption key
o  Type of integrity check used (e.g., HMAC with MD5)
o  Authentication key

[Figure: security association across the Internet between router R1 (200.168.1.100; Wellesley College, 172.16.1/24) and router R2 (193.68.2.23; French House, 172.16.2/24).]

IPsec 24-7

IPsec tunnel mode packet format

Suppose router R1 receives an ordinary IPv4 datagram from host 172.16.1.17.

[Figure: packet layout: original IP hdr | Original IP datagram payload]

IPsec 24-8

IPsec tunnel mode packet format

R1 appends to the back of the original IPv4 datagram an ESP trailer field.

[Figure: packet layout: original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header)]

IPsec 24-9

IPsec tunnel mode packet format

Encrypts the result using the agreed algorithm and key.

[Figure: packet layout: original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header), all marked "encrypted".]

IPsec 24-10

IPsec tunnel mode packet format

Appends the ESP header field to the front of the encrypted result to create the whole enchilada.

[Figure: packet layout: ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header); the part after the ESP hdr is marked "encrypted".]

IPsec 24-11

IPsec tunnel mode packet format

An authentication MAC is created over the whole enchilada using the algorithm and key specified in the SA, creating a new payload.

[Figure: packet layout: ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth; the original datagram and ESP trl are marked "encrypted", and the “enchilada” (ESP hdr through ESP trl) is marked "authenticated".]

IPsec 24-12

IPsec tunnel mode packet format

Finally, a new IP header with standard IPv4 fields is prepended to the payload.

[Figure: packet layout: new IP header | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth; "encrypted" and “enchilada” authenticated spans as before.]

The original IP datagram has 172.16.1.17 for the source IP address and 172.16.2.48 for the destination IP address. What do you suppose the source and destination IP addresses are in the new IP header?

IPsec 24-13

Not surprisingly, ...

[Figure: security association across the Internet between router R1 (200.168.1.100; Wellesley College, 172.16.1/24) and router R2 (193.68.2.23; French House, 172.16.2/24).]

Source and destination IP addresses in the new IP header are set to the ends of the tunnel.

*Also, the protocol number in the new IPv4 header is not set to TCP, UDP, or SMTP, but instead to 50, designating an IPsec datagram using the ESP protocol.

IPsec 24-14

At the receiving end ...

R2 realizes from the protocol field of the new header (50) that this is an IPsec ESP datagram and examines the ESP header to determine to which SA the datagram belongs.

[Figure: packet layout: new IP header | ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth; "encrypted" and “enchilada” authenticated spans marked.]

IPsec 24-15

At the receiving end ...

R2 then calculates the MAC of the enchilada and verifies that the MAC is consistent with the value in the ESP MAC field.

[Figure: packet layout: ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header) | ESP auth; "encrypted" and “enchilada” authenticated spans marked.]

IPsec 24-16

At the receiving end ...

Next, the sequence-number field is checked to verify that the datagram is fresh (and not a replayed datagram).

[Figure: packet layout: ESP hdr (SPI, Seq #) | original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header); "encrypted" and “enchilada” authenticated spans marked.]

IPsec 24-17

At the receiving end ...

The payload is decrypted using the decryption algorithm and key associated with the SA.

[Figure: packet layout: original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header)]

IPsec 24-18

At the receiving end ...

The padding length is determined and the padding is removed.

[Figure: packet layout: original IP hdr | Original IP datagram payload | ESP trl (padding, pad length, next header)]

IPsec 24-19

At the receiving end ...

The original IP datagram is passed to its ultimate destination.

[Figure: packet layout: original IP hdr | Original IP datagram payload]
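
The sender steps (slides 24-7 to 24-13) and receiver steps (24-14 to 24-19) as an added example that is not part of the original handout. Assumptions: the SPI and keys are constructed sample values, HMAC-SHA-256 truncated to 12 bytes stands in for the SA's integrity algorithm, a SHA-256 keystream stands in for its cipher, and a plain set replaces a real replay window.

```python
import hashlib, hmac, socket, struct

# Constructed SA state for R1 -> R2; SPI and keys are made-up sample values.
SA = {"spi": 0x1001, "src": "200.168.1.100", "dst": "193.68.2.23",
      "enc_key": b"sample-enc-key", "auth_key": b"sample-auth-key"}

def stand_in_cipher(key, seq, data):
    # SHA-256 counter-mode keystream XOR: a stdlib stand-in for the SA's cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack("!II", seq, off)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def ipv4_header(src, dst, proto, payload_len):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                    proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", ~(s + (s >> 16)) & 0xFFFF) + h[12:]

def encapsulate(sa, inner, seq):
    pad_len = -(len(inner) + 2) % 4               # ESP trailer: pad to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    enchilada = struct.pack("!II", sa["spi"], seq) + stand_in_cipher(
        sa["enc_key"], seq, inner + trailer)      # ESP hdr + encrypted part
    mac = hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:12]
    body = enchilada + mac                        # ESP auth appended
    return ipv4_header(sa["src"], sa["dst"], 50, len(body)) + body

def decapsulate(sad, seen, packet):
    if packet[9] != 50:                           # protocol field: not ESP
        return None
    body = packet[20:]
    spi, seq = struct.unpack("!II", body[:8])
    sa = sad.get(spi)                             # SPI selects the SA
    if sa is None:
        return None
    enchilada, mac = body[:-12], body[-12:]
    want = hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(mac, want) or (spi, seq) in seen:
        return None                               # forged, corrupted, or replayed
    seen.add((spi, seq))
    plain = stand_in_cipher(sa["enc_key"], seq, enchilada[8:])
    return plain[:-2 - plain[-2]]                 # drop padding, pad length, next header

# Constructed inner datagram from host 172.16.1.17 to 172.16.2.48 (protocol 6 = TCP).
INNER = ipv4_header("172.16.1.17", "172.16.2.48", 6, 4) + b"data"
```

The outer header carries only the tunnel endpoints and protocol 50; the inner addresses travel inside the encrypted part. Feeding the same packet to `decapsulate` twice with the same `seen` set returns `None` the second time.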

IPsec 24-20

Security Policy Database (SPD)

o  When R1 receives an unsecured datagram from a host at Wellesley College, how does it know whether it should be converted to an IPsec datagram?
o  And if it is to be processed by IPsec, how does R1 know which SA should be used?

IPsec 24-21

Key management in IPsec

o  When a VPN has a small number of end points, the network administrator can manually enter the SA information into the SADs.
o  This scheme does not scale.
o  Large, geographically distributed deployments require an automated mechanism for creating SAs.

IPsec 24-22

Internet Key Exchange (IKE) protocol

o  Each IPsec entity has a certificate, which includes its public key.
o  As with SSL, IKE has the two entities exchange certificates, negotiate authentication and encryption algorithms, and secretly exchange key material for creating session keys.
o  This is done in two phases.

[Figure: security association across the Internet between router R1 (200.168.1.100; Wellesley College, 172.16.1/24) and router R2 (193.68.2.23; French House, 172.16.2/24).]

IPsec 24-23

Internet Key Exchange – Phase 1

[Figure: security association across the Internet between router R1 (200.168.1.100; Wellesley College, 172.16.1/24) and router R2 (193.68.2.23; French House, 172.16.2/24).]

The two sides use Diffie-Hellman to create a bi-directional IKE SA* between the two entities.

*To keep us all confused, this SA is entirely different from the IPsec SAs just discussed.

IPsec 24-24

Internet Key Exchange – Phase 1

[Figure: security association across the Internet between router R1 (200.168.1.100; Wellesley College, 172.16.1/24) and router R2 (193.68.2.23; French House, 172.16.2/24).]

The IKE SA provides an authenticated and encrypted channel between the two routers and establishes a master secret that will be used to compute IPsec SA keys in phase 2.

IPsec 24-25

Internet Key Exchange – Phase 2

[Figure: security association across the Internet between router R1 (200.168.1.100; Wellesley College, 172.16.1/24) and router R2 (193.68.2.23; French House, 172.16.2/24).]

Both sides reveal their identities to each other by signing their messages and sending them over the secured IKE SA channel.

The two sides then negotiate the IPsec encryption and authentication algorithms to be employed by the IPsec SAs.

IPsec 24-26

Securing wireless LANs

o  The radio waves that carry frames don’t necessarily stay within one room or even one building, raising serious concerns.
o  Wired Equivalent Privacy (WEP) was the initial 802.11 standard.
o  It was intended to provide a level of security similar to that found in wired networks.

IPsec 24-27

Wired Equivalent Privacy

o  Designed in 1999, WEP was intended to provide authentication and data encryption between a host and a wireless access point.
o  It did not specify a key management algorithm, so somehow the host and wireless access point have to agree on the key via some out-of-band method.

IPsec 24-28

WEP Authentication

1.  Wireless host requests authentication by an access point.
2.  Access point responds with a 128-byte nonce value.
3.  Wireless host encrypts the nonce using the symmetric key that it shares with the access point.
4.  Access point decrypts the host-encrypted nonce.

IPsec 24-29

WEP Encryption

o  A secret 40-bit symmetric key, KS, is assumed known by both parties.
o  In addition, a 24-bit Initialization Vector (IV) is appended to the 40-bit key to create a 64-bit key that will be used to encrypt a single frame.
o  The IV will change from one frame to another, hence each frame will be encrypted with a different 64-bit key.

[Figure: keystream generator: Key + IV_packet in, keystream_packet out.]

IPsec 24-30

WEP Encryption

[Figure: the key sequence generator (for given KS, IV), fed with the 24-bit IV (per frame) and KS, the 40-bit secret symmetric key, outputs keystream bytes k1^IV, k2^IV, k3^IV, …, kN^IV, kN+1^IV, … The plaintext frame data plus CRC (d1, d2, d3, …, dN, CRC1, …, CRC4) is combined with the keystream to give c1, c2, c3, …, cN, cN+1, …, cN+4. Transmitted frame: 802.11 header | IV | WEP-encrypted data plus CRC.]

A 4-byte CRC is computed for the data payload.

The payload and CRC bytes are encrypted using the RC4 stream cipher.

The IV changes from one frame to the next and is included in plaintext in the header of each WEP-encrypted 802.11 frame.

IPsec 24-31

Problem with using duplicate keys*

1.  Trudy IP spoofs a request to Alice to transmit a file with known content d1, d2, d3, ...
2.  Trudy also observes the encrypted data c1, c2, c3, ...
3.  Since $d_i = c_i \oplus k_i^{IV}$, XORing $c_i$ with each side yields: $d_i \oplus c_i = k_i^{IV}$.

*Soon after its 1999 release, work began on a new and improved version with strong security mechanisms.
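
Why a repeated IV voids WEP's confidentiality, and how to flag repeated IVs in a capture, as an added example that is not part of the original handout. The key, IV and frame contents are constructed sample values; the RC4 seed is built as IV followed by KS, and `read_without_key` and `reused_ivs` are hypothetical helper names.

```python
import zlib

def rc4(seed, n):
    # RC4 key scheduling followed by n bytes of keystream.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    return zlib.crc32(data).to_bytes(4, "little")   # 4-byte CRC over the payload

def wep_encrypt(ks, iv, data):
    # Per-frame 64-bit RC4 key = 24-bit IV + 40-bit KS; the IV travels in plaintext.
    plain = data + icv(data)
    return iv, xor(plain, rc4(iv + ks, len(plain)))

def wep_decrypt(ks, iv, cipher):
    plain = xor(cipher, rc4(iv + ks, len(cipher)))
    return plain[:-4] if icv(plain[:-4]) == plain[-4:] else None

def read_without_key(known_data, c_known, c_other):
    # d_i XOR c_i = k_i^IV: known plaintext yields the keystream for that IV,
    # which decrypts any other frame of equal or shorter length sent under the same IV.
    keystream = xor(known_data + icv(known_data), c_known)
    return xor(c_other, keystream)[:-4]

def reused_ivs(frames):
    # Flag IVs seen on more than one (iv, ciphertext) frame in a capture.
    seen, dup = set(), set()
    for iv, _ in frames:
        (dup if iv in seen else seen).add(iv)
    return dup

# Constructed sample values (not from the handout).
KS = bytes.fromhex("0102030405")
IV = b"\x00\x00\x07"
KNOWN = b"known file contents d1 d2 d3 ..."
SECRET = b"a second frame"
```

With only 24 bits of IV, repeats are unavoidable on a busy link, so a non-empty `reused_ivs` result is the expected outcome for any long WEP capture.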

IPsec 24-32

802.11i four phase operation – phase 1

STA: client station; AP: access point; AS: authentication server (on the wired network)

1.  Discovery of security capabilities
2.  STA and AS mutually authenticate, together generate Master Key (MK). AP serves as “pass through”
3.  STA derives Pairwise Master Key (PMK); AS derives same PMK, sends to AP
4.  STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity

IPsec 24-33

802.11i four phase operation – phase 2

[Figure: the same four-phase diagram of STA (client station), AP (access point) and AS (authentication server): 1 discovery of security capabilities; 2 STA and AS mutually authenticate and together generate the Master Key (MK), with the AP as “pass through”; 3 STA derives the Pairwise Master Key (PMK), AS derives the same PMK and sends it to the AP; 4 STA and AP use the PMK to derive the Temporal Key (TK) used for message encryption, integrity.]

IPsec 24-34

Extensible Authentication Protocol (EAP)

EAP messages are encapsulated using EAPoL (EAP over LAN) and sent over 802.11 to the AP ...

[Figure: protocol stack: EAP TLS over EAP; EAP over LAN (EAPoL) on IEEE 802.11 on the wireless side; RADIUS over UDP/IP on the wired network.]

IPsec 24-35

Extensible Authentication Protocol (EAP)

... where they are decapsulated and then re-encapsulated using the RADIUS protocol for transmission over UDP/IP between AP and authentication server.

[Figure: protocol stack: EAP TLS over EAP; EAP over LAN (EAPoL) on IEEE 802.11 on the wireless side; RADIUS over UDP/IP on the wired network.]

IPsec 24-36

Extensible Authentication Protocol (EAP)

While 802.11i does not mandate a particular authentication method, EAP-TLS is often used.

[Figure: protocol stack: EAP TLS over EAP; EAP over LAN (EAPoL) on IEEE 802.11 on the wireless side; RADIUS over UDP/IP on the wired network.]

IPsec 24-37

802.11i four phase operation – phase 3

[Figure: the same four-phase diagram of STA (client station), AP (access point) and AS (authentication server): 1 discovery of security capabilities; 2 STA and AS mutually authenticate and together generate the Master Key (MK), with the AP as “pass through”; 3 STA derives the Pairwise Master Key (PMK), AS derives the same PMK and sends it to the AP; 4 STA and AP use the PMK to derive the Temporal Key (TK) used for message encryption, integrity.]

IPsec 24-38

802.11i four phase operation – phase 4

[Figure: the same four-phase diagram of STA (client station), AP (access point) and AS (authentication server): 1 discovery of security capabilities; 2 STA and AS mutually authenticate and together generate the Master Key (MK), with the AP as “pass through”; 3 STA derives the Pairwise Master Key (PMK), AS derives the same PMK and sends it to the AP; 4 STA and AP use the PMK to derive the Temporal Key (TK) used for message encryption, integrity.]