Internet Security Internet Security CSCE 813CSCE 813
IPsecIPsec
CSCE 813 - Farkas 2
ReadingReading
Oppliger: Chapter 14
CSCE 813 - Farkas 3
Benefits of IPSecBenefits of IPSec When implemented in a firewall or router, IPSec
provides strong security to ALL TRAFFIC crossing the perimeter. Traffic within the perimeter does not incur security overhead.
Cannot be bypassed (if all traffic must go through the firewall implementing IPSec)
Transparent to applications Transparent to end users
CSCE 813 - Farkas 4
IP Security ArchitectureIP Security ArchitectureIPsec module 1 IPsec module 2
SPD
SADSAD
SPD
IKE IKE
IPsec IPsecSA
RFC 2401: Overview of Security ArchitectureRFC 2402: Desc. Of packet authentication extension to IPv4 and IPv6RFC 2406: Desc. Of packet encryption extension to IPv4 and IPv6RFC 2408: Specification of key management capabilities
CSCE 813 - Farkas 5
IPSec Document IPSec Document OverviewOverview
RFC 2401RFC 2401
Architecture
Key Management
DOI
Authentication algs.
Enryption algs.
AHESP
CSCE 813 - Farkas 6
IPSec Services IPSec Services AH ESP
(encrypt.)ESP (Encrypt. & Auth.)
Access Control Connectionless integrity Data origin auth. Replay protection Confidentiality Traffic flow confidentiality
CSCE 813 - Farkas 7
Security AssociationSecurity Association One-way relationship Identified by:
– Security parameters index (SPI)– IP destination address– Security protocol identifier
Security Association Database:– SA parameters: sequence number counter, sequence number
overflow, anti-replay window, AH information, ESP information, lifetime of SA, IPSec protocol mode, path MTU
Security Policy Database:– SA selectors: destination IP address, source IP address,
UserID, Data Sensitivity Level, transport layer protocol, source and destination port
CSCE 813 - Farkas 8
ModesModes
Transport Mode Tunnel Mode
AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers
Authenticates entire inner IP packet (inner header plus IP payload) plus selected portions of outer IP header and outer IPv6 extension headers
ESP (encrypt. only)
Encrypts IP payload and any IPv6 extension headers following the ESP header
Encrypts entire inner IP packet
ESP with Authentication
(see above) plus authenticates IP payload but not IP header
(see above) plus authenticates inner IP packet.
Encapsulating Security Encapsulating Security PayloadPayload(ESP)(ESP)
CSCE 813 - Farkas 10
ESP ESP Confidentiality: Encryptor Integrity: Authenticator Algorithm is determined by the Security
Association (SA) Each ESP has at most:
– One cipher and one authenticator or– One cipher and zero authenticator or– Zero cipher and one authenticator or– Disallowed: zero cipher and zero authenticator or
CSCE 813 - Farkas 11
ESP ProcessingESP Processing
Depends on mode in which ESP is employed
Both modes: – Cipher is authenticated– Authenticated plain text is not encrypted
Outbound: encryption happens firstInbound: authentication happens first
CSCE 813 - Farkas 12
Protected DataProtected Data
Depends on the mode of ESP– Transport mode: Upper-layer protocol packet– Tunnel mode: entire IP packet is protected
CSCE 813 - Farkas 13
Scope of ESP Encryption and Scope of ESP Encryption and AuthenticationAuthentication
Orig. IP hdr
ESP hdr.
TCP Data ESP ESP auth.
IPv4
Transport mode Authenticate
Encrypt
New IP hdr
ESP hdr
Orig. IP hdr
TCP Data ESP trlr ESP auth
Encrypt
AuthenticateTunnel mode
CSCE 813 - Farkas 14
Outbound Processing Outbound Processing
1. ESP header inserted into the outgoing IP packeta. Protocol field of IP header copied into Next header
field of ESPb. Remaining fields of ESP filled (SPI, sequence number,
pad, pad length)c. Protocol number of IP header is given the value ESP
(50)2. Encrypt packet from the beginning of payload data to the
next header field3. Authenticate packet form the ESP header, through the
encrypted ciphertext to the ESP trailer and insert authentication data into ESP trailer
4. Packet is routed to the destination
CSCE 813 - Farkas 15
Inbound ProcessingInbound Processing
1. Check for SA of the packeta. If no SA drop packet b. Otherwise: use valid SA to process the packet
2. Check sequence numbera. Invalid number drop packet
3. Authenticate cipher texta. Entire packet (without the authentication data) is
processed by the authenticatorb. Match generated data with authentication datac. No match drop packet
CSCE 813 - Farkas 16
Inbound ProcessingInbound Processing
4. Decrypt ESP packet (from beginning on payload to the next header field)
a. Check pad integrity
5. Validate ESP mode using Next header field and decrypted payload
Authentication HeaderAuthentication Header
CSCE 813 - Farkas 18
Authentication Header (AH)Authentication Header (AH)
Does NOT provide confidentiality Provides:
– Data origin authentication– Connectionless data integrity – Prevents spoofing attack
May provide:– Non-repudiation (depends on cryptographic alg.)– Anti-replay protection
Precision of authentication: granularity of SA Protocol number: 51
CSCE 813 - Farkas 19
Authentication DataAuthentication Data
AH protects outer IP header (unlike ESP)Computed by using
– Authentication algorithm (MD5, SHA-1)– Cryptographic key (secret key)
Sender: computes authentication dataRecipient: verifies data
CSCE 813 - Farkas 20
Scope of Authentication Scope of Authentication
Orig. IP hdr AH TCP DataIPv4
Authenticates except for mutable fields in NEW IP hdr
Transport Mode
Tunnel Mode
IPv4 New IP hdr
AH Orig. IP hdr
TCP data
Authenticates except for mutable fields
CSCE 813 - Farkas 21
Integrity Check ValuesIntegrity Check Values
Message Authentication Code is Calculated from:– IP header fields that either do not change in transit or
are predictable upon arrival – Fields that change and cannot be predicted are set to zero for the MAC calculation
– AH header -- other than the authentication data field– Entire upper level protocol data
Note: both source and destination address fields are protected
CSCE 813 - Farkas 22
Combining Security AssociationsCombining Security Associations
CSCE 813 - Farkas 23
SA BundleSA Bundle
Individual SA: either AH or ESP but NOT BOTH Some traffic flow needs both – HOW? Some traffic between host and security gateway
requires different services than flow between security gateways
Security Association Bundle: – sequence of SAs through which traffic must be
processed to provide a desired set of IPSec services– SAs within a bundle may terminate at different end
points
CSCE 813 - Farkas 24
SA CombinationsSA Combinations
Transport adjacency: – Applying more than one security protocol to the same
IP packet without invoking tunneling. – Allows 1 level of combination (all IPSec processing are
performed at one IPSec instance) Iterated tunneling:
– Multiple layers of security protocols efected through IP tunneling
– Multiple levels of nesting (each tunnel may originate and terminate at different IPSec site)
Combination of the two approaches above.
Transport AdjacencyTransport Adjacency
Two bundled transport Sas
1. Inner SA: ESP transport SA without authentication (encrypted IP payload)
2. Outer SA: AH transport SA (covers ESP and the original IP header)
CSCE 813 - Farkas 25
Transport-Tunnel BundleTransport-Tunnel Bundle
Authenticate before encrypting
1. Inner SA: AH transport SA (authenticates the entire IP payload + IP header)
2. Outer SA: ESP tunnel SA (entire authenticated packet is encrypted + new IP header)
Advantages: Authentication data is protected by encryption Can store authentication information with the message
(convenience)
CSCE 813 - Farkas 26
CSCE 813 - Farkas 27
Combining Security Combining Security AssociationsAssociations
Case 1: between end-systems
Internetlocal
intranetlocal
intranet
one or more SAs
Figure from L. Buttyan
Possible combinations:1.AH in transport2.ESP in transport3.ESP followed by AH in transport4.Any 1,2,3 inside an AH or ESP tunnel
CSCE 813 - Farkas 28
Combining Security Combining Security AssociationsAssociations
Case 2: between gateways only
Internetlocal
intranetlocal
intranet
single tunnel SA
Figure from L. Buttyan
Security provided:1.Only between gateways2.No host security3.Only single tunnel SA4.AH, ESP or ESP with
authentication
CSCE 813 - Farkas 29
Combining Security Combining Security AssociationsAssociations
Case 3: host-to-gateway (Case 2 + end-to-end security)
Internetlocal
intranetlocal
intranet
single tunnel SAOne or two SAs
Figure from L. Buttyan
End-to-end protection:1.Combinations for case 1 &2 allowed2.Gateway tunnel: authentication and
confidentiality3. Hosts: application specific IPSec
CSCE 813 - Farkas 30
Combining Security Combining Security AssociationsAssociations
Case 4: remote host
Internetlocal
intranet
Tunnel SA One or two SAs
Figure from L. Buttyan
Remote host:1.Host: tunnel mode to firewall
CSCE 813 - Farkas 31
Next Class: Key ManagementNext Class: Key Management
ISAKMPISAKMPExchangesExchanges