Spring 2003 © 2000-2003, Richard A. Stanley EE579T/5 #1 EE579T / CS525T Network Security 6: IPSec Prof. Richard A. Stanley


Overview of Tonight’s Class

• Review of last week’s class

• Class projects

• Security in the news

• IP Security


Administrivia

• I must be out of town on Feb. 18. Our normal class meeting will be held, using videotape as we did once before.


Last class (1)...

• Combining hashing algorithms and asymmetric cryptography, it is possible to digitally sign a message

• A digitally signed message can, under certain conditions, assure both integrity of the contents and authenticity of the sender

• Trust relationships are necessary to extend this concept. The most common such system is X.509 v3


Last class (2) ...

• PGP is a very good cryptosystem, providing confidentiality, authentication, and features to make it compatible with email

• Despised by governments worldwide, and subject to legal restrictions in many places

• Complex key management scheme that does not scale well to large systems where parties previously unknown need services


Projects

• Who, what?

• Finalized topics and lists


Security News Topics

• SQL Slammer

• Routing protocols in the news again
    – Insecure (still!)
    – Not much changed in 15+ years
    – “An expert could take out the Internet any time they want to.” Richard Stiennon, Gartner research director

• Privacy International has launched a quest to find the “World's Most Stupid Security Measure”


IP Security

• Using the original IP standards, this is an oxymoron

• Needs
    – Protection from eavesdropping
    – Protection from spoofing
    – Provision for secure user-to-user traffic

• Problems
    – IP not designed for this


Enter IPSec

• IPSec intended to meet the security needs of IP networks, especially the Internet
    – Originally intended to come in as part of IP v6
    – IP v6 may never come, so most of the IPSec functionality has become available in IP v4
    – Becoming widely available in products such as virtual private networks, etc.


What Does IPSec Do?

• Enables secure VPNs over the Internet

• Allows secure remote access over the Internet

• Facilitates secure connectivity with business partners, especially temporarily

• Improves eCommerce security

• It does all this using the cryptographic tools we have just studied. Now we’ll see how.


IPSec Features

• Can be applied at the perimeter
    – In-house traffic avoids security overhead that may not actually be needed

• Lies below the transport layer, so is transparent to applications

• Can be made transparent to end users, which keeps training and support costs low

• Can support individual user security


Services

• Access control

• Datagram integrity

• Sender authenticity

• Replay protection

• Message body confidentiality

• Traffic flow security (very limited, though)


Security Association

• IPSec concept that defines the relationship between one party and another for security
    – ONE-WAY!
    – If A & B have bilateral security needs, two security associations are required

• Defined by
    – Security parameters index (SPI)
    – Destination IP address
    – Security protocol identifier


So...

• Security association (SA) is uniquely defined by
    – Destination address in the IP header, and
    – SPI in the enclosed extension header (AH or ESP)

• What’s an extension header?

• What are AH and ESP?

• Stick around!


Security Parameters

• Encapsulating Security Payload (ESP)
    – Deals with packet encryption

• Authentication Header (AH)
    – Deals with packet authentication

• Encryption algorithm (several available)

• Authentication algorithm (ditto)

• Key management scheme


SA Parameters

• Sequence number counter

• Sequence counter overflow flag

• Anti-replay window

• AH information

• ESP information

• SA lifetime

• IPSec protocol mode (tunnel, transport, wildcard)

• Path MTU


Policy

• Association of traffic with SAs is done by the Security Policy Database (SPD)

• Each SPD entry is defined by a selector
    – Selectors filter outbound traffic

• Compare packet selector fields with SPD to find matching SPD entry; points to zero or more SAs

• Determine SA for this packet and its SPI (Security Parameters Index)

• Perform the required processing (AH or ESP)


Authentication Header (AH)

• Supports data integrity and authentication
    – Assures data modification will be detected
    – Also guards against replay

• Based on Message Authentication Code (MAC)
    – Requires shared secret key


AH Fields

• Next header
    – Identifies type of header that follows

• Payload length

• Reserved for future use

• SPI (defines an SA)

• Sequence number

• Authentication data


AH Overview

Bit:  0             8                16                  31
      | Next header | Payload length | (reserved)         |
      | SPI                                               |
      | Sequence number                                   |
      | Authentication data (variable length)             |


Overview of Headers (IP v4)

Standard:        | Original IP header | TCP | Payload (data) |

Transport mode:  | Original IP header | AH | TCP | Payload (data) |

Tunneling mode:  | New IP header | AH | Original IP header | TCP | Payload (data) |


Integrity Check Value (ICV)

• Included in the Authentication Data field
    – Based on HMAC (keyed hash)
        • HMAC MD5
        • HMAC SHA-1
    – 96 MSB of HMAC result used for ICV
    – HMAC calculated over
        • Immutable or predictable IP header fields
        • The AH header except the Authentication Data field
        • The entire upper-level protocol data
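
Added example (not part of the original slides): the ICV computation for a transport-mode AH packet, using HMAC SHA-1 truncated to 96 bits. It assumes an IPv4 header without options and treats TOS, flags/fragment offset, TTL and header checksum as the mutable fields (per RFC 2402, not listed on the slide); the key, addresses and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

AH_PROTO, TCP_PROTO, ICV_LEN = 51, 6, 12   # ICV is 12 bytes = 96 bits

def ipv4_header(src, dst, payload_len, ttl):
    # Constructed 20-byte IPv4 header without options; checksum left at 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, AH_PROTO, 0, bytes(src), bytes(dst))

def zero_mutable(ip_hdr):
    # TOS, flags/fragment offset, TTL and header checksum may change in
    # transit, so they are taken as zero when the MAC is computed.
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(key, ip_hdr, ah_fixed, upper):
    # Covered: immutable IP header fields, the AH header with the
    # Authentication Data field as zeros, and all upper-level protocol data.
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]  # 96 MSB

def build_packet(key, src, dst, spi, seq, upper, ttl=64):
    ip_hdr = ipv4_header(src, dst, 12 + ICV_LEN + len(upper), ttl)
    # Next header, payload length (AH length in 32-bit words minus 2 = 4),
    # reserved, SPI, sequence number.
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, 4, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, upper) + upper

def verify_packet(key, packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, upper = packet[32:44], packet[44:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, upper))
```

A router decrementing the TTL leaves the ICV valid, while a change to the source address, the sequence number or the payload makes verification fail.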


Anti-Replay Service

• Replay: retransmission of an already-authenticated packet at a later time
    – A favorite way to break into or disrupt services

• IPSec implements anti-replay using the Sequence Number field (32 bits), so the maximum Sequence Number is 2^32

• If the Sequence Number would wrap around, a new SA, with new key, is needed


Anti-Replay in Action

• Sender initializes sequence counter to 0, increments counter by 1 for every packet sent

• Counter value is placed in SN field

• Receiver has a problem:
    – IP is connectionless, so packets can arrive in any order
    – IP doesn’t guarantee delivery (that is done by TCP), so packets can -- and do -- go missing


Anti-Replay at the Receiver

• Receiver maintains a sliding window over received packets, default width = 64 = W

• Right edge of window holds highest SN packet so far received that is valid

• All slots from (N-W+1) to N that have been authenticated are marked


Window Management

• If new packet is within the window and is new, the corresponding slot is marked

• If new packet is outside window to the right, and is authenticated, window is moved to the right and slot is marked

• If new packet is outside the window to the left, or if not authenticated, packet discarded and audit event raised


The Window in Action

[Figure: the window, spanning N-W to N. Legend: space for valid packet not yet received; received, valid, marked]

The window makes replay attacks much more difficult, as they would have to occur within the width of the window: possible, but unlikely (most of the time)
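
Added example (not part of the original slides): the receiver-side window rules from the three preceding slides, kept as a bitmap for one SA. The class name, the verdict strings and the arrival trace are constructed for illustration; `icv_ok` stands for the result of the ICV check on that packet.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one SA, window width W (default 64)."""

    def __init__(self, width=64):
        self.width = width
        self.n = 0        # N: highest authenticated sequence number so far
        self.marked = 1   # bit k set => slot N-k is marked; SN 0 is never sent
        self.audit = []   # audit events raised for discarded packets

    def _discard(self, seq, reason):
        self.audit.append((seq, reason))
        return reason

    def receive(self, seq, icv_ok):
        """Apply the window rules to one packet and return the verdict."""
        if seq <= self.n - self.width:               # left of slot N-W+1
            return self._discard(seq, "left of window")
        if seq <= self.n and (self.marked >> (self.n - seq)) & 1:
            return self._discard(seq, "replay")      # slot already marked
        if not icv_ok:                               # never slide or mark on a bad ICV
            return self._discard(seq, "not authenticated")
        if seq > self.n:                             # right of window: slide it
            mask = (1 << self.width) - 1
            self.marked = (self.marked << (seq - self.n)) & mask
            self.n = seq
        self.marked |= 1 << (self.n - seq)           # mark the slot for this SN
        return "accept"

def run(trace, width=64):
    """Feed (sequence number, icv_ok) pairs to a fresh window."""
    window = ReplayWindow(width)
    return [window.receive(seq, ok) for seq, ok in trace], window

# Constructed arrival order: out-of-order delivery, a duplicate, a jump ahead,
# two stale packets around the left edge, and a forged packet with a high SN.
TRACE = [(1, True), (5, True), (3, True), (3, True), (100, True),
         (36, True), (37, True), (101, False), (101, True)]
```

The forged packet with sequence number 101 does not move the window, so the genuine packet 101 that follows is still accepted.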


IPSec Authentication: Transport Mode

• Transport Mode uses the Authentication Header (AH)
    – IP v4: AH inserted after original IP header, but before the IP payload
    – IP v6: AH is an end-to-end payload, not examined by intermediate routers. So, AH comes after the other IP v6 header routing fields (base, hop-to-hop, etc.)

• Clearly, does not provide data confidentiality


IPSec Authentication: Tunnel Mode

• Entire original IP packet authenticated
    – AH inserted before original IP header and after new “outer” IP header
    – Allows placing original routing info within the authentication envelope, but more importantly
    – Allows a new set of IP addresses to be used as a wrapper for the original packet

• As we shall see, this forms the basis for IPSec-based virtual private networks.


Encapsulating Security Payload (ESP)

• Provides confidentiality services
    – Optionally, can also provide authenticity

• Fields
    – SPI
    – Sequence number
    – Payload data
    – Padding
    – Pad length
    – Next header


ESP

| SPI                                  |
| Sequence number                      |
| Payload data (variable length)       |
| Padding (0-255 bytes)                |
| Pad length | Next header             |
| Authentication data (variable)       |

[Figure brackets: Authentication Coverage; Confidentiality Coverage]


Encryption Algorithms

• Confidentiality services provided by symmetric cryptography

• Algorithms supported:
    – DES (CBC)
    – TDEA (three key)
    – IDEA
    – Three key triple IDEA
    – CAST
    – Blowfish
    – RC5

• MAC same as AH (96-bit HMAC)


Padding?

• Extends the plaintext to a multiple of some number of bytes to accommodate those encryption algorithms that require this (e.g. DES)

• Ensures that the end of the Next Header field is right-aligned with the 32-bit word

• Can be used to provide partial traffic flow security, by concealing payload length
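
Added example (not part of the original slides): building and checking the ESP trailer so that Padding, Pad Length and Next Header satisfy all three purposes listed above. The function names and the `conceal_to` parameter are constructed for illustration; the pad byte values 1, 2, 3, ... follow the default scheme of RFC 2406, which the slide does not state.

```python
def esp_pad(payload, next_header, block=8, conceal_to=0):
    """Return payload + Padding + Pad Length + Next Header, ready to encrypt.

    block is the cipher block size in bytes (8 for DES; assumed to be 1, 2
    or a multiple of 4). conceal_to, if set, is a minimum padded length used
    to hide the true payload length.
    """
    align = max(block, 4)                       # block size and 32-bit alignment
    need = max(len(payload) + 2, conceal_to)    # +2: Pad Length and Next Header
    total = -(-need // align) * align           # round up to a multiple of align
    pad_len = total - len(payload) - 2
    if pad_len > 255:
        raise ValueError("Padding field is limited to 255 bytes")
    padding = bytes(range(1, pad_len + 1))      # pad bytes 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])

def esp_unpad(plaintext):
    """Check and strip the trailer after decryption.

    Returns (payload, next_header); raises ValueError on a malformed trailer.
    """
    if len(plaintext) < 2:
        raise ValueError("too short for an ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    end = len(plaintext) - 2
    expected = bytes(range(1, pad_len + 1))
    if pad_len > end or plaintext[end - pad_len:end] != expected:
        raise ValueError("malformed padding")
    return plaintext[:end - pad_len], next_header
```

With `conceal_to=64`, a 5-byte and a 50-byte payload both produce a 64-byte plaintext, so an observer of the ciphertext length cannot tell them apart.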


Transport mode ESP Service

• Encrypts data carried by IP
    – Optionally, also authenticates the data

Standard:        | Original IP header | TCP | Payload (data) |

Transport mode:  | Original IP header | ESP header | TCP | Payload (data) | ESP trlr | ESP auth |

[Figure brackets: Encrypted; Authenticated]


Transport Mode

• Provides end-to-end confidentiality

• Is transparent to applications

• Is efficient, adds little extra to IP overhead

• Does not provide traffic flow security
    – Possible to analyze source - destination traffic flows and volumes
    – Useful for drawing conclusions about associations, workload, etc.


Tunneling Mode ESP

• Encrypts the entire IP packet
    – Including the original source, destination

Standard:        | Original IP header | TCP | Payload (data) |

Tunneling mode:  | New IP header | ESP header | Original IP header | TCP | Payload (data) | ESP trlr | ESP auth |

[Figure brackets: Encrypted; Authenticated]


Tunneling Mode

• Encrypts entire original IP packet, including source and destination addresses
    – Can help to counter traffic analysis

• Allows construction of secure virtual private networks (VPNs) over unsecured networks

• Useful when firewalls in the path -- security can be done only at the network edge


VPN Example

Edge routers need info about the other end of the network

IPSec starts/ends here


SA Limits

• An individual SA can implement either AH or ESP, but not both

• But, sometimes both services are needed
    – This requires multiple SA’s in the same traffic flow
    – Just as with Feistel encryption/decryption key scheduling, we must “unwrap” the SA’s in inverse order to their application
    – Referred to as SA bundle


SA Bundling

• Transport adjacency
    – Applies >1 SA to the same IP packet, without tunneling
    – Only one level of combination

• Iterated tunneling
    – Applies multiple security protocols through IP tunneling
    – Multiple nesting, since each tunnel can originate or terminate at any IPSec site


What to do First?

• Transport adjacency
    – Wrap an ESP SA inside an AH SA
        • IP payload is encrypted (because ESP is inner level)
        • AH covers ESP, original IP header
        • Result: more fields are authenticated

• Transport-tunnel bundle
    – Wrap an AH SA inside an ESP SA
        • Authentication data protected by encryption
        • Authentication data can be accessed in clear


Key Management

• IPSec has many good features. Performing key distribution manually is not one of them

• Protocol has been developed to provide for session key distribution
    – Internet Key Exchange (IKE) [RFC 2409]
    – IKE incorporates
        • ISAKMP [RFC 2408]
        • Oakley
        • A few other things
    – Current version (Nov 2001) is v2


Diffie-Hellman Revisited

• Advantages
    – Generates keys only when required
    – Requires no preexisting infrastructure

• Disadvantages
    – No authentication of communicating parties
    – Vulnerable to man-in-the-middle attack
    – Computationally intensive
        • Slow
        • Vulnerable to denial of service attack


Oakley Key Determination

• Based on D-H, but improved

• Advantages over Diffie-Hellman
    – Uses cookies to avoid denial of service attacks
    – Enables prior negotiation of global parameters
    – Uses nonces to guard against replay
    – Allows exchange of D-H public key values
    – Authenticates D-H exchange (defeats man-in-the-middle attacks)


Nonce

• nonce (nŏns) noun
    – The present or particular occasion: “Her tendency to discover a touch of sadness had for the nonce disappeared” (Theodore Dreiser).
    – [From Middle English for the nones, for the occasion]
        • The American Heritage® Dictionary of the English Language, Third Edition, 1992, Houghton Mifflin Company

• Say what?

• In cryptography, nonce is a pseudorandom number


Oakley Authentication

• Three types available
    – Digital Signature
    – Asymmetric-key cryptography
    – Symmetric-key cryptography

• This ensures against man-in-the-middle attacks


We Like IKE

• IKE is an IPSec protocol that defines the procedures and formats needed to establish, negotiate, modify, or delete Security Associations within IPSec

• Built on the ISAKMP protocol, which is sometimes viewed as IKE v0.1

• ISAKMP notation still in wide use, but officially, it is now IKE


Summary

• IPSec is a complex security protocol, originally developed for roll-out with IP v6

• Provides authentication, integrity, and confidentiality services to IP transmission

• Improves on basic protocols like D-H

• Many implementations available for IP v4, so it is usable today

• Authentication and encapsulation services provide a basis for VPNs


Homework

• Read Stallings, Chapter 7

• Do Stallings, Problems 6.1a, 6.2 (for IPv4 only), 6.3a, 6.5a