CISCO.david Gonzalez.soluciones de Cifrado Para Nuevas Tecnologias de Transmision

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Page 1

Site-to-Site VPN with GET VPN

David Gonzalez, Consulting Systems Engineer, Cisco

Page 2

Introduction

Page 3

VPN Technology Positioning (GET VPN vs. DMVPN vs. EzVPN)

Routing: dynamic routing on IP WAN (GET VPN); dynamic routing on tunnels (DMVPN); reverse-route injection (EzVPN)

IP Multicast: multicast replication in the IP WAN network (GET VPN); multicast replication at hub (DMVPN); multicast replication at hub (EzVPN)

Encryption Style: group protection (GET VPN); peer-to-peer protection (DMVPN); peer-to-peer protection (EzVPN)

Failover Redundancy: route distribution model plus stateful (GET VPN); route distribution model (DMVPN); stateful hub crypto failover (EzVPN)

Network Style: any-to-any, site-to-site (GET VPN); hub-spoke and spoke-to-spoke, site-to-site (DMVPN); hub-spoke, client to site (EzVPN)

Infrastructure Network: private IP transport (GET VPN); public Internet transport (DMVPN); public Internet transport (EzVPN)

Page 4

IP VPN and Security?

Requirements/Goals
• Single point bootstrap provisioning
• Network segmentation
• Scalable architecture for routing
• Optimal forwarding plane
• Security

Security Functions
• Transport security (encryption, authentication, authorization)
• Protection (partitioned, firewall, access controls)
• Prevention/detection (intrusion, denial of service)

Page 5

Context: IP VPN Security Needs

[Figure: CE-PE-PE-CE topology showing the three IPsec placement options, IPsec CE-CE, IPsec PE-PE and IPsec CE-PE, and the services shown alongside them: VPN security, virtual provider protection, and remote access into the VPN]

Page 6

IP VPN Attributes

• Hierarchical routing
• Any-to-any connectivity
• Redundancy established between CE and PE
• Multicast replication by the IP VPN PE and P routers

[Figure: five CE routers (CE1 to CE5, prefixes 10/1 to 10/5) attached to an IP VPN with a route reflector (RR)]

Page 7

IPsec Attributes

• Point-to-point connectivity
• Overlay routing in tunnels
• Redundancy established by CE
• Multicast replication induced at CE

[Figure: the same five CE routers (CE1 to CE5, prefixes 10/1 to 10/5) connected by IPsec tunnels over the IP VPN]

Page 8

Network Paradigm Assessment

IP VPN (e.g. MPLS VPN)
▲ Any-to-any connectivity without CE-CE tunnel adjacency
▲ Single point provisioning on a per-CE basis
▲ Distributed and hierarchical routing for scalability
▲ Optimal traffic forwarding
► Security
  ▼ Confidentiality (segmentation only)
  ▲ Segmentation
  ▼ Integrity

IPsec
▼ Scalability constraints of point-to-point tunnel adjacency
▼ Per-peer provisioning
▼ Scalability constraints of point-to-point overlay routing or route insertion
▼ Traffic forwarding according to a non-optimal tunnel overlay
▲ Security
  ▲ Segmentation
  ▲ Confidentiality
  ▲ Integrity

Page 9

The Paradox

IP VPN for…
• Any-to-any connectivity
• Hierarchical and scalable routing
• Efficient multicast distribution
• Segmentation from the Internet
• Simplified QoS models

IPsec VPN for…
• Confidentiality
• Integrity
• Authentication

The technologies meet ORTHOGONAL requirements and CONFLICT with each other.

Page 10

Reconciliation of the Network Paradigms

So Now What?

Resolution: a new security paradigm for multicast and unicast communication on an IP VPN

The security paradigm does not ‘create’ the VPN; it uses an existing IP VPN.

The IP VPN can be MPLS VPN, FR/ATM, satellite, etc.

Page 11

VPN Technology Positioning

[Figure: placement of each VPN technology. EzVPN spokes and DMVPN spokes reach the data center over the Internet/shared network through IPsec at the Internet edge (remote access); GET VPN group members (GM) sit on the MPLS/private network behind the WAN edge, with key servers (KS) and GET GMs in the data center; one spoke is labelled both GET GM and DMVPN spoke]

Page 12

GET-Enabled IP VPN Overview

Page 13

Tunnel-less VPN - A New Security Model
Any-to-any encryption

IPsec point-to-point tunnels
• Scalability is an issue (N^2 problem)
• Any-to-any instant connectivity can’t be done at scale
• Overlay routing
• Limited advanced QoS
• Multicast replication inefficient

Tunnel-less VPN
• Scalable architecture
• Any-to-any instant connectivity at high scale
• No overlays, native routing
• Advanced QoS
• Efficient multicast replication

Page 14

How GET VPN Prevents Overlay Routing

Cisco GET VPN uses IP header preservation to mitigate routing overlay and to preserve QoS and multicast capabilities.

Original IP packet: [IP Header][IP Payload]

IPsec tunnel mode: [New IP Header][ESP Header][Original IP Header][IP Payload]

IP header preservation (GET): [Original IP Header, preserved][ESP Header][Original IP Header][IP Payload]

Page 15

GDOI Definitions

Key Server (KS): device which distributes keys and policies to group members.

Group Member (GM): a device which registers with a group controlled by the KS to communicate securely with other GMs.

Group SA: IPsec SA that is shared by all the GMs in the group.

TEK: key used to protect traffic between GMs.

KEK: key used to protect rekeys between KS and GMs.

Page 16

Group Security Functions

Group Member
• Encryption devices
• Route between secure / unsecure regions
• Multicast participation

Key Server
• Validate group members
• Manage security policy
• Create group keys
• Distribute policy / keys

Routing Member
• Forwarding
• Replication
• Routing

[Figure: four group members and a key server connected through routing members]

Page 17

Group Security Elements

• Key Encryption Key (KEK)
• Traffic Encryption Key (TEK)
• Group policy
• RFC 3547: Group Domain of Interpretation (GDOI)
• Proprietary: KS cooperative protocol

[Figure: four group members, key servers and routing members]

Page 18

Group Security Association

Group members share a security association.
• The security association is not to a specific group member
• The security association is with a set of group members

Safe when VPN gateways are working together to protect the same traffic:
• The VPN gateways are trusted in the same way
• Traffic can flow between any of the VPN gateways

Page 19

GET VPN Architecture

Step 1: Group Members (GM) “register” via GDOI with the Key Server (KS)
• KS authenticates and authorizes the GM
• KS returns a set of IPsec SAs for the GM to use

[Figure: nine group members (GM1 to GM9) registering with one KS]

Page 20

GET VPN Architecture

Step 2: Data Plane Encryption
• GMs exchange encrypted traffic using the group keys
• The traffic uses IPsec tunnel mode with “address preservation”

[Figure: encrypted traffic flowing directly between GM1 to GM9]

Page 21

GET VPN Architecture

Step 3: Periodic Rekey of Keys
• KS pushes out replacement IPsec keys before the current IPsec keys expire. This is called a “rekey”.

[Figure: KS pushing a rekey to GM1 to GM9]

Page 22

Group Membership Management

Group Member Registration
• Immediately upon boot
• Immediately upon applying the crypto map
• Protected by IKE SA (pre-shared keys or PKI certificate)

Group Member Maintenance through Rekey
• Periodic update protected by the Rekey SA (the IKE SA expires)
• New policies, time sync, or new keys (TEK or KEK)
• Acknowledged with unicast rekey
• Unacknowledged with multicast rekey

Group Member Data Plane

Page 23

GDOI Protocol

RFC 3547
• Initiator is a “Group Member”
• Receiver or GCKS is a “Key Server”

GROUPKEY-PULL (a.k.a. Registration)
• Group Member requests group info
• Key Server supplies policy
• Group Member acknowledges and asks for keys
• Key Server supplies keys

GROUPKEY-PUSH (a.k.a. Rekey)
• Key Server refreshes keys and/or policy

[Figure: message sequence between Group Member and Key Server. Registration: IKE Phase 1, then GROUP-ID, SA-Policy, Acknowledge, Policy / Key (KEK, TEK, Seq. #, key lifetime), all protected by the IKE SA. Rekey: pushed from the Key Server under the protection of the Rekey SA, with its own key lifetime]

Page 24

GET Deployment Properties

Page 25

Group Security Methods

Group Encryption Methods
• IPsec tunnel mode with IP header preservation
• Group security association
• Time-based anti-replay

Affinity of Group Security Association
• Group association on Group Member
• Group authorization on Key Server

Group Policy
• KS-authorized encryption
• KS-authorized encryption exceptions
• GM-authorized encryption exceptions

Page 26

IPsec Tunnel Mode

IP packet: [IP Header][IP Payload]

IPsec tunnel mode ESP: [New IP Header][ESP][IP Header][IP Payload]

• IPsec header inserted by the VPN gateway
• The new IP address requires overlay routing

Page 27

IPsec Tunnel Mode with IP Address Preservation

IP packet: [IP Header][IP Payload]

Group Encrypted Transport: [Copy of Original IP Header][ESP][IP Header][IP Payload]

• IP header preserved by the VPN gateway
• The preserved IP address uses the original routing plane

Page 28

QoS Attribute Preservation

[Figure: on ingress the IP header (DSCP, ports; NLPID = IP) and payload are encrypted; on egress the IP header and DSCP are copied into the preserved outer IP header (NLPID = ESP, DSCP), followed by the ESP header, the encrypted original IP header and payload, and the ESP trailer]

Page 29

QoS Flow Model

[Figure: ingress flow from the LAN: classifier, police, mark or drop, then route and encrypt; egress flow to the WAN: classifier, police, mark or drop, then queue and shape]

Page 30

Group Encrypted Transport (Data Plane)

Encapsulation without time-based anti-replay (original packet from 10.1.1.4 to 10.1.2.32, router to GM to GM to router):
[10.1.1.4 10.1.2.32][ESP Header (SPI)][10.1.1.4 10.1.2.32][Payload][ESP Trailer]

Encapsulation with time-based anti-replay:
[10.1.1.4 10.1.2.32][ESP Header (SPI)][Cisco Meta Data: Time Stamp][10.1.1.4 10.1.2.32][Payload][ESP Trailer]

Page 31

Group Encrypted Transport (Data Plane)

• Preservation of original IP addresses and DSCP
• Encapsulating Security Payload (ESP) with irrelevant sequence number
• OPTIONAL: time-based anti-replay; the IPsec next header is identified as IANA private encryption (protocol = 99)
• Cisco Meta Data (99) carries a PseudoTimeStamp for receiver verification
• Encrypted IP packet follows

Packet layout:
• IP header (protocol type = ESP), with the IP addresses preserved from the inner IP header
• ESP: Security Parameter Index; Sequence Number (ignored by receiver)
• CMD: Next Header = IP, Length (0x2), Version (0x1), Reserved; Len (0x1), Type 5 = time-based anti-replay, Reserved; PseudoTimeStamp
• Inner IP header, original IP payload
• IPsec padding, Pad Length, Next Header (MD 99), Authentication Tag

Page 32

Group Encrypted Transport (Data Plane)

Group Member Receive Processing
• Look up the group SA from the ESP header (SPI) and decrypt with the TEK
• Compare the time stamp in the Cisco Meta Data: drop if too early or late
• Match idents: drop on mismatch
• Forward the original packet (10.1.1.4 to 10.1.2.32, payload)
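The receive processing on this page and the packet layout on page 31, as an added Python example (not Cisco's code): a group member encapsulates with IP header preservation and a Cisco Meta Data pseudo-timestamp, and the receiver runs the SPI lookup, decrypt, time-stamp comparison and ident match. The HMAC-based keystream, the CMD field widths and the 5-second replay window are assumptions for illustration, and "match idents" is taken here to mean checking the preserved outer addresses against the inner header.

```python
import hashlib
import hmac
import struct

PROTO_IP, PROTO_CMD = 4, 99   # CMD next header = IP; ESP trailer next header = 99 (IANA private)
CMD_TYPE_TBAR = 5             # CMD type 5 = time-based anti-replay, as on the slide
REPLAY_WINDOW = 5             # assumed: pseudo-time skew (seconds) the receiver tolerates


def _keystream(tek, spi, seq, n):
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the ESP transform."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(tek, struct.pack("!III", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(tek, spi, seq, src, dst, payload, pseudo_time):
    """GM transmit: the outer header is a copy of the inner addresses, CMD carries the
    pseudo-timestamp, and ESP header + ciphertext are authenticated. Field widths assumed."""
    cmd = struct.pack("!BBBBI", PROTO_IP, 2, 1, CMD_TYPE_TBAR, pseudo_time)
    inner = struct.pack("!4s4s", src, dst) + payload
    plain = cmd + inner + bytes([PROTO_CMD])      # trailer next header: CMD follows ESP
    esp_hdr = struct.pack("!II", spi, seq)        # seq is only a nonce here, never a replay counter
    ct = _xor(plain, _keystream(tek, spi, seq, len(plain)))
    icv = hmac.new(tek, esp_hdr + ct, hashlib.sha256).digest()[:12]
    return {"src": src, "dst": dst, "esp": esp_hdr, "ct": ct, "icv": icv}


def receive(tek_by_spi, pkt, local_pseudo_time):
    """GM receive processing: ESP/SPI -> TEK decrypt -> compare time stamp -> match idents."""
    spi, seq = struct.unpack("!II", pkt["esp"])
    tek = tek_by_spi.get(spi)
    if tek is None:
        return ("drop", "unknown SPI")
    expected = hmac.new(tek, pkt["esp"] + pkt["ct"], hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(pkt["icv"], expected):
        return ("drop", "authentication failed")
    plain = _xor(pkt["ct"], _keystream(tek, spi, seq, len(pkt["ct"])))
    if plain[-1] != PROTO_CMD:
        return ("drop", "no meta data")
    next_hdr, _, _, cmd_type, stamp = struct.unpack("!BBBBI", plain[:8])
    if next_hdr != PROTO_IP or cmd_type != CMD_TYPE_TBAR:
        return ("drop", "unexpected meta data")
    # Time-based anti-replay: the whole group shares one SA, so the ESP sequence
    # number cannot be checked; a stale or future pseudo-timestamp is dropped instead.
    if abs(stamp - local_pseudo_time) > REPLAY_WINDOW:
        return ("drop", "too early or late")
    inner_src, inner_dst = struct.unpack("!4s4s", plain[8:16])
    if (inner_src, inner_dst) != (pkt["src"], pkt["dst"]):
        return ("drop", "mismatch")      # preserved outer header must match the inner one
    return ("forward", (inner_src, inner_dst, plain[16:-1]))


def demo():
    """Constructed run of the 10.1.1.4 -> 10.1.2.32 flow from the slides: one fresh
    packet, then the same packet replayed 20 pseudo-seconds later."""
    tek, spi = b"\x11" * 32, 0x1001
    src, dst = bytes([10, 1, 1, 4]), bytes([10, 1, 2, 32])
    pkt = encapsulate(tek, spi, 7, src, dst, b"hello", 1000)
    return receive({spi: tek}, pkt, 1002), receive({spi: tek}, pkt, 1020)
```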

Pages 33-35

Secure Data Plane Multicast

Premise: the sender does not know the potential recipients.

• The sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
• Encrypt multicast with IP address preservation
• Replication in the core is based on the original (S,G)

[Figure: a sending GM, receiving GMs and the KS; data protection: secure multicast]

Pages 36-38

Corollary: Secure Data Plane Unicast

Premise: the receiver advertises the destination prefix but does not know the potential encryption sources.

• The receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
• The receiver can authenticate the group membership

[Figure: a receiving GM, sending GMs and the KS; data protection: secure unicast]

Page 39

Group Policy Considerations

What may already be protected? Management plane
• SSH, TACACS, HTTPS

What should not be protected with group security? Control plane
• Internet Key Exchange / Group Domain of Interpretation
• Routing exchanges (OSPF, BGP)

What needs to be protected with group security? Data plane
• Enterprise transactions
• Enterprise multicast streams

What may be protected with group security? Data plane
• Internet transactions
• Diagnostics (LAN-LAN vs. WAN-WAN vs. WAN-LAN)

Page 40

Group Policy Protection

Scope of data plane protection: what class of traffic needs protection?
• Unicast from LANs only
• Multicast from LANs only
• Unicast and multicast from LANs
• All traffic

Scope exclusion: what should not be encrypted? Control plane
• Routing control plane (IGP, PIM)
• Crypto control plane (GDOI)

Page 41

Group Policy Distribution

Group Keys
• Key Encryption Keys (default lifetime of 24 hours)
• Traffic Encryption Keys (default lifetime of 1 hour)

Key Distribution
• Unicast: infrastructure capable of unicast only; requirement for rekey acknowledgement; time required for serialized key and policy distribution
• Multicast: infrastructure capable of multicast; quick key and policy distribution

Page 42

Group Keys

Key Encryption Key (KEK): used to encrypt GDOI (i.e. control traffic) between KS and GM for the rekey message

Traffic Encryption Key (TEK): used to encrypt data (i.e. user traffic) between GMs

[Figure: Key Server holding KEK and TEK1, with three Group Members on the IP VPN]

Page 43

Group Keys

• Key Server monitors the expiration time of TEK1
• Key Server creates TEK2 to replace TEK1 prior to expiration
• Key Server distributes TEK2 to all known GMs via unicast or via the multicast rekey group
• Group Members install the new TEK2

[Figure: Key Server holding KEK, TEK1 and TEK2, distributing TEK2 to three Group Members on the IP VPN]
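The GROUPKEY-PULL registration and GROUPKEY-PUSH rekey from the GDOI Protocol slide (page 23), together with the TEK1-to-TEK2 rollover described on page 43, as an added Python example; it is not Cisco's GDOI implementation. The PSK-based proof stands in for IKE Phase 1 authentication, the rekey message layout and the 600-second rekey lead time are assumptions, and the 24-hour KEK and 1-hour TEK lifetimes are the deck's defaults.

```python
import hashlib, hmac, os, struct

KEK_LIFETIME = 24 * 3600   # default KEK lifetime from the deck (seconds)
TEK_LIFETIME = 3600        # default TEK lifetime from the deck (seconds)
REKEY_LEAD = 600           # assumed: KS rekeys this long before the newest TEK expires

def _proof(psk, gm_name, group_id):
    """Stand-in for IKE Phase 1 authentication: a MAC over the GM identity and group."""
    return hmac.new(psk, b"%s:%d" % (gm_name.encode(), group_id), hashlib.sha256).digest()

class KeyServer:
    def __init__(self, group_id, authorized_psk, now):
        self.group_id, self.psk = group_id, authorized_psk   # {gm_name: pre-shared key}
        self.kek, self.kek_expiry = os.urandom(32), now + KEK_LIFETIME
        self.rekey_seq = 0
        self.teks = {}             # spi -> (tek, expiry); TEK1 and TEK2 overlap during rollover
        self.policy = "encrypt 10.1.0.0/16 <-> 10.1.0.0/16; exclude GDOI, OSPF, BGP, PIM"
        self._create_tek(now)

    def _create_tek(self, now):
        spi = int.from_bytes(os.urandom(4), "big")
        self.teks[spi] = (os.urandom(32), now + TEK_LIFETIME)
        return spi

    def groupkey_pull(self, gm_name, group_id, proof):
        """Registration: authenticate and authorize the GM, then return policy and keys."""
        psk = self.psk.get(gm_name)
        if psk is None or group_id != self.group_id:
            return None                                     # not authorized for this group
        if not hmac.compare_digest(proof, _proof(psk, gm_name, group_id)):
            return None                                     # authentication failed
        return {"policy": self.policy, "kek": self.kek,
                "seq": self.rekey_seq, "teks": dict(self.teks)}

    def maybe_rekey(self, now):
        """KS monitors TEK expiry; shortly before it, creates the replacement TEK and
        returns a GROUPKEY-PUSH message (seq, spi, tek, expiry) authenticated under the KEK."""
        if max(exp for _, exp in self.teks.values()) - now > REKEY_LEAD:
            return None
        self.teks = {s: v for s, v in self.teks.items() if v[1] > now}   # drop expired TEKs
        spi = self._create_tek(now)
        self.rekey_seq += 1
        tek, expiry = self.teks[spi]
        body = struct.pack("!II", self.rekey_seq, spi) + tek + struct.pack("!Q", expiry)
        return body + hmac.new(self.kek, body, hashlib.sha256).digest()

class GroupMember:
    def __init__(self, name, psk):
        self.name, self.psk = name, psk
        self.policy = self.kek = self.teks = None
        self.seq = 0

    def register(self, ks, group_id):
        reply = ks.groupkey_pull(self.name, group_id, _proof(self.psk, self.name, group_id))
        if reply is None:
            return False
        self.policy, self.kek, self.seq = reply["policy"], reply["kek"], reply["seq"]
        self.teks = dict(reply["teks"])
        return True

    def handle_rekey(self, msg, now):
        """Verify the push under the KEK, reject replayed or stale sequence numbers,
        install TEK2 while keeping TEK1 until it expires."""
        body, mac = msg[:-32], msg[-32:]
        if not hmac.compare_digest(mac, hmac.new(self.kek, body, hashlib.sha256).digest()):
            return False
        seq, spi = struct.unpack("!II", body[:8])
        if seq <= self.seq:
            return False
        self.seq = seq
        self.teks = {s: v for s, v in self.teks.items() if v[1] > now}
        self.teks[spi] = (body[8:40], struct.unpack("!Q", body[40:48])[0])
        return True
```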

Page 44

Cooperative Key Server

Page 45

Cooperative Key Server Roles

• A Key Server is elected Primary, creates keys, and distributes keys
• Group Members complete registration to an available Key Server and receive policy and keys

[Figure: GET VPN with one Primary and two Secondary Key Servers serving Group Members]

Page 46

Managed Tunnel-less VPN Services

Service integration delivers greater value, stronger branding
• Increased security – helps businesses comply with regulations such as HIPAA, PCI
• Operational simplicity – a centralized key server reduces complexity; easy service rollout
• Optimized network utilization
• Service innovation, unique offering
• Services upsell

• Encrypted traffic is demand-driven
• ISR can have “VRF-aware contexts”
• Centrally managed key servers enable group encryption

[Figure: SP-owned Key Server in the Service Provider NOC, SP private network (MPLS), and customers A, B and C on VPN A, VPN B and VPN C using Cisco 1800, 2800, 3800 and 7200 routers]

Page 47

Scalability Numbers

Page 48

IOS Platform Support

Platform | Key Server | Group Member
1821 | Not supported | Yes
6500 VPN-SPA | Planned | Planned
ASR 1000 – IOS XE 2.3 | Planned | Yes
7200 NPEG2, VSA | Yes | Yes
7200 NPEG2, VAM2+ | Yes | Yes
7200/7301 NPEG1, VAM2+ | Yes | Yes
3800 (AIM-VPN/SSL) | Yes | Yes
2800 (AIM-VPN/SSL) | Yes | Yes
1841 | Yes | Yes
870 | Not supported | Yes

Software: 12.4(15)T2 recommended

Legend: Yes = shipping; Planned = crypto acceleration development required

Page 49

KS Scalability Summary for 7200

Rekey Transport | Number of Groups | GMs per KS | Total GMs | CPU spikes
Unicast | 100 | 10 | 1,000 | -
Unicast | 1 | 2,000 | 2,000 | -
Multicast | 1 | 2,000 | 2,000 (up to ~5,300*) | 10%

* Current software allows up to 8 key servers per group, theoretically allowing multicast scaling up to 16,000 GMs assuming registration is distributed evenly across all KSs. Currently, software limits GMs per group to 5,300.

Page 50

Scalability Summary

Platform | Crypto Card | Tested GM | Max Registration CPU / Max Rekey CPU | Time to register to a single KS
1841 | AIM-VPN/SSL-1 | 50 | 16/8 % | 15 sec

Remaining rows (platform, crypto card, time to register to a single KS): 2821, AIM-VPN/SSL-2, 15 sec; 7200, VAM2+, 25 sec; 7200/PKI, VAM2+, 40+ sec; 2851, AIM-VPN/SSL-2, 15 sec; 3825, AIM-VPN/SSL-3, 15 sec; 3845, AIM-VPN/SSL-3, 25 sec

Tested GM values for those rows: 500, 100, 200, 500, 1000, 2000; Max Registration CPU / Max Rekey CPU values: 30/10 %, 30/14 %, 25/15 %, 34/14 %, 46/20 %, 40/18 % (the extraction does not preserve which value belongs to which row)

Page 51

Fragmentation and MTU

Issues for large frames
• Lack of tunnel interface
• No path MTU discovery from the WAN
• Multicast can’t use path MTU discovery

Tools for treatment of large frames on the WAN
• Look Ahead Fragmentation (LAF): fragment large frames before encryption on the VPN gateway
• TCP MSS settings: set the TCP MSS value 100 bytes smaller than the smallest MTU on the WAN
• DF clear: clear the DF bit on frames to allow LAF

Page 52

Q and A
