-
7/27/2019 IPsec (9)
1/37
1
Security at different layers Link layer: WEP / 802.11i
Application layer: PGP Transport layer: SSL Network layer:
IPsecIPsec approach:
IPsec
TCP/UDP/ICMP
HTTP/SMTP/IM
IPsec can provide security between any pair of
network-layerentities (eg, between two hosts, two routers, or a
host and a router).
-
7/27/2019 IPsec (9)
2/37
2
IP Security
IP datagrams have no inherent security IP source address can be
spoofed Content of IP datagrams can be sniffed
Content of IP datagrams can be modified IP datagrams can be
replayed
IPSec is a method for protecting IPdatagrams
Standardized by IETF: dozens of RFCs.Only sender and receiver
have to be IPsec
compliant Rest of network can be regular IP
-
7/27/2019 IPsec (9)
3/37
3
What is confidentiality at thenetwork-layer?
Between two network entities:
Sending entity encrypts the payloads ofdatagrams. Payload could
be: TCP segment, UDP segment, ICMP message,
OSPF message, and so on.
All data sent from one entity to the otherwould be hidden:Web
pages, e-mail, P2P file transfers, TCP SYN
packets, and so on.
That is, blanket coverage.
-
7/27/2019 IPsec (9)
4/37
4
Virtual Private Networks (VPNs)
Institutions often want private networksfor security. Costly!
Separate routers, links, DNS
infrastructure.
With a VPN, institutions inter-officetraffic is sent over public
Internetinstead. But inter-office traffic is encrypted before
entering public Internet
-
7/27/2019 IPsec (9)
5/37
5
IP
header
IPsec
header
Secure
payload
headquarters
branch office
salespersonin hotel
PublicInternet
laptopw/ IPsec
Router w/IPv4 and IPsec
Router w/IPv4 and IPsec
Virtual Private Network (VPN)
-
7/27/2019 IPsec (9)
6/37
6
IPsec services
Data integrity
Origin authentication
Replay attack prevention
Confidentiality
Two protocols providing different service
models: AH
ESP
-
7/27/2019 IPsec (9)
7/37
7
IPsec Transport Mode
IPsec datagram emitted and received by
end-system. Protects upper level protocols
IPsec IPsec
-
7/27/2019 IPsec (9)
8/37
8
IPsec tunneling mode (1)
End routers are IPsec aware. Hosts neednot be.
IPsec IPsec
-
7/27/2019 IPsec (9)
9/37
9
IPsec tunneling mode (2)
Also tunneling mode.
IPsecIPsec
-
7/27/2019 IPsec (9)
10/37
Two protocols
Authentication Header (AH) protocol provides source
authentication & data integrity
but notconfidentiality
Encapsulation Security Protocol (ESP) provides source
authentication,data integrity,
and confidentiality
more widely used than AH
10
-
7/27/2019 IPsec (9)
11/37
11
Four combinations are possible!
Host modewith AH
Host modewith ESP
Tunnel modewith AH
Tunnel modewith ESP
Most common andmost important
-
7/27/2019 IPsec (9)
12/37
12
Security associations (SAs)
Before sending data, a virtual connection isestablished from
sending entity to receiving entity.
Called security association (SA) SAs are simplex: for only one
direction
Both sending and receiving entites maintain
stateinformationabout the SA Recall that TCP endpoints also
maintain state information.
IP is connectionless; IPsec is connection-oriented!
How many SAs in VPN w/ headquarters, branch
office, and n traveling salesperson?
-
7/27/2019 IPsec (9)
13/37
13
193.68.2.23200.168.1.100
172.16.1/24172.16.2/24
SA
InternetHeadquartersBranch Office
R1R2
Example SA from R1 to R2
R1 stores for SA 32-bit identifier for SA: Security Parameter
Index (SPI) the origin interface of the SA (200.168.1.100)
destination interface of the SA (193.68.2.23)
type of encryption to be used (for example, 3DES with CBC)
encryption key type of integrity check (for example, HMAC with with
MD5) authentication key
-
7/27/2019 IPsec (9)
14/37
14
Security Association Database (SAD)
Endpoint holds state of its SAs in a SAD, where itcan locate
them during processing.
With n salespersons, 2 + 2n SAs in R1s SAD
When sending IPsec datagram, R1 accesses SADto determine how to
process datagram.
When IPsec datagram arrives to R2, R2 examinesSPI in IPsec
datagram, indexes SAD with SPI, andprocesses datagram
accordingly.
-
7/27/2019 IPsec (9)
15/37
15
IPsec datagram
Focus for now on tunnel mode with ESP
new IP
header
ESP
hdr
original
IP hdr
Original IP
datagram payloadESP
trl
ESP
auth
encrypted
enchilada authenticated
padding padlength
nextheader
SPI Seq#
-
7/27/2019 IPsec (9)
16/37
16
What happens?
193.68.2.23200.168.1.100
172.16.1/24
172.16.2/24
SA
InternetHeadquarters
Branch Office
R1R2
new IP
header
ESP
hdr
original
IP hdr
Original IP
datagram payload
ESP
trl
ESP
auth
encrypted
enchilada authenticated
paddingpad
length
next
headerSPI
Seq
#
-
7/27/2019 IPsec (9)
17/37
17
R1 converts original datagraminto IPsec datagram
Appends to back of original datagram (which includesoriginal
header fields!) an ESP trailer field.
Encrypts result using algorithm & key specified by SA.
Appends to front of this encrypted quantity the ESPheader,
creating enchilada.
Creates authentication MAC over the whole enchilada,using
algorithm and key specified in SA;
Appends MAC to back of enchilada, formingpayload; Creates brand
new IP header, with all the classic IPv4
header fields, which it appends before payload.
-
7/27/2019 IPsec (9)
18/37
-
7/27/2019 IPsec (9)
19/37
19
IPsec sequence numbers
For new SA, sender initializes seq. # to 0
Each time datagram is sent on SA: Sender increments seq #
counter
Places value in seq # field
Goal: Prevent attacker from sniffing and replaying a packet
Receipt of duplicate, authenticated IP packets may
disruptservice
Method: Destination checks for duplicates
But doesnt keep track of ALL received packets; insteaduses a
window
-
7/27/2019 IPsec (9)
20/37
20
Algorithm at receiver
1. If rcvd packet falls in window, packet is new, and
MAC checksslot in window marked2. If rcvd packet is to right of
window, MAC checks
window advanced & right-most slot marked
3. If rcvd packet is left of window, or already marked,or fails
MAC check packet is discarded
N is highestsequence #rcvd.
Default W=64
-
7/27/2019 IPsec (9)
21/37
21
Security Policy Database (SPD)
Policy: For a given datagram, sending entityneeds to know if it
should use IPsec.
Needs also to know which SA to use
May use: source and destination IP address;protocol number.
Info in SPD indicates what to do witharriving datagram;
Info in the SAD indicates how to do it.
-
7/27/2019 IPsec (9)
22/37
22
Linux example: ESP in tunnel mode
In each host, create config file: /etc/setkey.conf
Execute setkey command in both hosts,which reads the setkey.conf
file setkey f/etc/setkey.conf Creates SAD and SPD databases
193.68.2.23200.168.1.100
172.16.1/24
172.16.2/24
SA
InternetHeadquarters
Branch Office
R1R2
k f f R1
-
7/27/2019 IPsec (9)
23/37
23
# Flush the SAD and SPD
flush;
spdflush;
# SAs encrypt w/ 192 bit keys & auth w/ 128 bit keys
Add 200.168.1.100 193.68.2.23 esp 0x201 -m tunnel -E
3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A
hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
Add 193.68.2.23 200.168.1.100 esp 0x301 -m tunnel -E
3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A
hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;
# Security policies
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
esp/tunnel/ 200.168.1.100 - 193.68.2.23 /require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
esp/tunnel/ 193.68.2.23 - 200.168.1.100 /require;
setkey.conf for R1
2 SAsaddedto SAD
SPI
ESP protocol
2 policiesaddedto SPD
apply to all packets
-
7/27/2019 IPsec (9)
24/37
24
# Flush the SAD and SPDflush;spdflush;
# AH SAs using 128 bit long keys
Add 200.168.1.100 193.68.2.23 ah 0x200 -A
hmac-md50xc0291ff014dccdd03874d9e8e4cdf3e6;Add 193.68.2.23
200.168.1.100 ah 0x300 -A
hmac-md50x96358c90783bbfa3d7b196ceabe0536b;
# Security policies
Spdadd 200.168.1.100 193.68.2.23 any -P out
ipsecah/transport//require;Spdadd 193.68.2.23 200.168.1.100 any -P
in ipsec
ah/transport//require;
Another Example: AH in Transport Modebetween R1 and R2
2 SAsaddedto SAD
2 policiesaddedto SPD
-
7/27/2019 IPsec (9)
25/37
25
Possible encryption algorithms
DES
3DES
AES
RC5
IDEA
3-IDEA
CAST Blowfish
.
-
7/27/2019 IPsec (9)
26/37
IPsec services
Suppose Trudy sits somewhere between R1and R2. She doesnt know
the keys.Will Trudy be able to see contents of original
datagram? How about source, dest IP address,transport protocol,
application port?
Flip bits without detection?
Masquerade as R1 using R1s IP address?
Replay a datagram?
26
-
7/27/2019 IPsec (9)
27/37
27
IPsec vs. SSL SSL is in application; IPsec in OS
IPsec protects all apps SSL is susceptible to a DoS attack:
Attacker inserts bogus TCP segment into packet stream: with
correct TCP checksum and seq #s
TCP acks segment and sends segments payload up to SSL.
SSL will discard since integrity check is bogus Real segment
arrives:
TCP rejects since it has the wrong seq # SSL never gets real
segment
SSL closes connection since it cant provide lossless bytestream
service
What happens if an attacker inserts a bogus IPsecdatagram? IPsec
at receiver drops datagram since integrity check is
bogus; not marked as arrived in seq # window Real segment
arrives, passes integrity check and passed up
to TCP no problem!
-
7/27/2019 IPsec (9)
28/37
28
Lab Topology
Will need to work with another group
But each group hands in a separate report
m1
m3
m2
m1
m2
m3
subnet A subnet B
-
7/27/2019 IPsec (9)
29/37
29
Lab: Use ESP protocol throughout
Part 1: manual keying Setup IPsec between your groups m1 and m3
using
transport mode
Part 2: manual keying Setup IPsec between m2 and partners m2
using tunnel
mode Send traffic between m1 and partners m1
Part 3: manual keying Setup IPsec between m1 and partners m1
using transport
mode
-
7/27/2019 IPsec (9)
30/37
30
Internet Key Exchange
In previous examples, we manually establishedIPsec SAs in IPsec
endpoints:
Example SASPI: 12345Source IP: 200.168.1.100Dest IP:
193.68.2.23Protocol: ESPEncryption algorithm: 3DES-cbcHMAC
algorithm: MD5Encryption key: 0x7aeaca
HMAC key:0xc0291f Such manually keying is impractical for large
VPN
with, say, hundreds of sales people. Instead use IPsec IKE
(Internet Key Exchange)
-
7/27/2019 IPsec (9)
31/37
31
IKE: PSK and PKI
Authentication (proof who you are) witheither pre-shared secret
(PSK) or with PKI (pubic/private keys and certificates).
With PSK, both sides start with secret: then run IKE to
authenticate each other and to
generate IPsec SAs (one in each direction),including encryption
and authentication keys
With PKI, both sides start withpublic/private key pair and
certificate. run IKE to authenticate each other and obtain
IPsec SAs (one in each direction). Similar with handshake in
SSL.
-
7/27/2019 IPsec (9)
32/37
32
Linux example PSK (1)
In each host, create 3 files: racoon.conf setkey.conf
psk.txt
Execute racoon command in both hosts,which generates SAs
IPsec IPsec
172.16.1/24 172.16.2/24
-
7/27/2019 IPsec (9)
33/37
33
Linux example PSK (2)
psk.txtHolds the preshared secret; access is protected
racoon.conf Indicates IKE mode Cryptography preferences for
phase 1 and phase 2
setkey.conf
security policies section (similar with manualkeying)
But no security association block (since SAsestablished with
IKE)
-
7/27/2019 IPsec (9)
34/37
34
Linux example: certificates
Use open SSL to generate public/privatekey pair and certificate
in both hosts
racoon.conf file
Provides path to certificate IKE modeWhether correspondents
certificate needs to
be validated Cryptography algorithms for two IKE phases
setkey.conf Similar for PSK
No psk.txt file!
-
7/27/2019 IPsec (9)
35/37
35
IKE Phases
IKE has two phases Phase 1: Establish bi-directional IKE SA
Note: IKE SA different from IPsec SA Also called ISAKMP security
association
Phase 2: ISAKMP is used to securely negotiatethe IPsec pair of
SAs
Phase 1 has two modes: aggressive modeand main mode Aggressive
mode uses fewer messagesMain mode provides identity protection and
is
more flexible
-
7/27/2019 IPsec (9)
36/37
36
IKE lab
Part 4: IKE with PSK
Transport mode
Part 5: IKE with certificates
Tunnel mode
-
7/27/2019 IPsec (9)
37/37
37
Summary of IPsec
IKE message exchange for algorithms, secretkeys, SPI numbers
Either the AH or the ESP protocol (or both)
The AH protocol provides integrity and sourceauthentication
The ESP protocol (with AH) additionally providesencryption
IPsec peers can be two end systems, tworouters/firewalls, or a
router/firewall and an endsystem
