31
Internet Security Internet Security CSCE 813 CSCE 813 IPsec IPsec

Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

Embed Size (px)

Citation preview

Page 1: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

Internet Security Internet Security CSCE 813CSCE 813

IPsecIPsec

Page 2: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 2

ReadingReading

Oppliger: Chapter 14

Page 3: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 3

Benefits of IPSecBenefits of IPSec When implemented in a firewall or router, IPSec

provides strong security to ALL TRAFFIC crossing the perimeter. Traffic within the perimeter does not incur security overhead.

Cannot be bypassed (if all traffic must go through the firewall implementing IPSec)

Transparent to applications Transparent to end users

Page 4: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 4

IP Security ArchitectureIP Security ArchitectureIPsec module 1 IPsec module 2

SPD

SADSAD

SPD

IKE IKE

IPsec IPsecSA

RFC 2401: Overview of Security ArchitectureRFC 2402: Desc. Of packet authentication extension to IPv4 and IPv6RFC 2406: Desc. Of packet encryption extension to IPv4 and IPv6RFC 2408: Specification of key management capabilities

Page 5: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 5

IPSec Document IPSec Document OverviewOverview

RFC 2401RFC 2401

Architecture

Key Management

DOI

Authentication algs.

Enryption algs.

AHESP

Page 6: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 6

IPSec Services IPSec Services AH ESP

(encrypt.)ESP (Encrypt. & Auth.)

Access Control Connectionless integrity Data origin auth. Replay protection Confidentiality Traffic flow confidentiality

Page 7: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 7

Security AssociationSecurity Association One-way relationship Identified by:

– Security parameters index (SPI)– IP destination address– Security protocol identifier

Security Association Database:– SA parameters: sequence number counter, sequence number

overflow, anti-replay window, AH information, ESP information, lifetime of SA, IPSec protocol mode, path MTU

Security Policy Database:– SA selectors: destination IP address, source IP address,

UserID, Data Sensitivity Level, transport layer protocol, source and destination port

Page 8: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 8

ModesModes

Transport Mode Tunnel Mode

AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers

Authenticates entire inner IP packet (inner header plus IP payload) plus selected portions of outer IP header and outer IPv6 extension headers

ESP (encrypt. only)

Encrypts IP payload and any IPv6 extension headers following the ESP header

Encrypts entire inner IP packet

ESP with Authentication

(see above) plus authenticates IP payload but not IP header

(see above) plus authenticates inner IP packet.

Page 9: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

Encapsulating Security Encapsulating Security PayloadPayload(ESP)(ESP)

Page 10: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 10

ESP ESP Confidentiality: Encryptor Integrity: Authenticator Algorithm is determined by the Security

Association (SA) Each ESP has at most:

– One cipher and one authenticator or– One cipher and zero authenticator or– Zero cipher and one authenticator or– Disallowed: zero cipher and zero authenticator or

Page 11: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 11

ESP ProcessingESP Processing

Depends on mode in which ESP is employed

Both modes: – Cipher is authenticated– Authenticated plain text is not encrypted

Outbound: encryption happens firstInbound: authentication happens first

Page 12: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 12

Protected DataProtected Data

Depends on the mode of ESP– Transport mode: Upper-layer protocol packet– Tunnel mode: entire IP packet is protected

Page 13: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 13

Scope of ESP Encryption and Scope of ESP Encryption and AuthenticationAuthentication

Orig. IP hdr

ESP hdr.

TCP Data ESP ESP auth.

IPv4

Transport mode Authenticate

Encrypt

New IP hdr

ESP hdr

Orig. IP hdr

TCP Data ESP trlr ESP auth

Encrypt

AuthenticateTunnel mode

Page 14: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 14

Outbound Processing Outbound Processing

1. ESP header inserted into the outgoing IP packeta. Protocol field of IP header copied into Next header

field of ESPb. Remaining fields of ESP filled (SPI, sequence number,

pad, pad length)c. Protocol number of IP header is given the value ESP

(50)2. Encrypt packet from the beginning of payload data to the

next header field3. Authenticate packet form the ESP header, through the

encrypted ciphertext to the ESP trailer and insert authentication data into ESP trailer

4. Packet is routed to the destination

Page 15: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 15

Inbound ProcessingInbound Processing

1. Check for SA of the packeta. If no SA drop packet b. Otherwise: use valid SA to process the packet

2. Check sequence numbera. Invalid number drop packet

3. Authenticate cipher texta. Entire packet (without the authentication data) is

processed by the authenticatorb. Match generated data with authentication datac. No match drop packet

Page 16: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 16

Inbound ProcessingInbound Processing

4. Decrypt ESP packet (from beginning on payload to the next header field)

a. Check pad integrity

5. Validate ESP mode using Next header field and decrypted payload

Page 17: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

Authentication HeaderAuthentication Header

Page 18: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 18

Authentication Header (AH)Authentication Header (AH)

Does NOT provide confidentiality Provides:

– Data origin authentication– Connectionless data integrity – Prevents spoofing attack

May provide:– Non-repudiation (depends on cryptographic alg.)– Anti-replay protection

Precision of authentication: granularity of SA Protocol number: 51

Page 19: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 19

Authentication DataAuthentication Data

AH protects outer IP header (unlike ESP)Computed by using

– Authentication algorithm (MD5, SHA-1)– Cryptographic key (secret key)

Sender: computes authentication dataRecipient: verifies data

Page 20: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 20

Scope of Authentication Scope of Authentication

Orig. IP hdr AH TCP DataIPv4

Authenticates except for mutable fields in NEW IP hdr

Transport Mode

Tunnel Mode

IPv4 New IP hdr

AH Orig. IP hdr

TCP data

Authenticates except for mutable fields

Page 21: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 21

Integrity Check ValuesIntegrity Check Values

Message Authentication Code is Calculated from:– IP header fields that either do not change in transit or

are predictable upon arrival – Fields that change and cannot be predicted are set to zero for the MAC calculation

– AH header -- other than the authentication data field– Entire upper level protocol data

Note: both source and destination address fields are protected

Page 22: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 22

Combining Security AssociationsCombining Security Associations

Page 23: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 23

SA BundleSA Bundle

Individual SA: either AH or ESP but NOT BOTH Some traffic flow needs both – HOW? Some traffic between host and security gateway

requires different services than flow between security gateways

Security Association Bundle: – sequence of SAs through which traffic must be

processed to provide a desired set of IPSec services– SAs within a bundle may terminate at different end

points

Page 24: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 24

SA CombinationsSA Combinations

Transport adjacency: – Applying more than one security protocol to the same

IP packet without invoking tunneling. – Allows 1 level of combination (all IPSec processing are

performed at one IPSec instance) Iterated tunneling:

– Multiple layers of security protocols efected through IP tunneling

– Multiple levels of nesting (each tunnel may originate and terminate at different IPSec site)

Combination of the two approaches above.

Page 25: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

Transport AdjacencyTransport Adjacency

Two bundled transport Sas

1. Inner SA: ESP transport SA without authentication (encrypted IP payload)

2. Outer SA: AH transport SA (covers ESP and the original IP header)

CSCE 813 - Farkas 25

Page 26: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

Transport-Tunnel BundleTransport-Tunnel Bundle

Authenticate before encrypting

1. Inner SA: AH transport SA (authenticates the entire IP payload + IP header)

2. Outer SA: ESP tunnel SA (entire authenticated packet is encrypted + new IP header)

Advantages: Authentication data is protected by encryption Can store authentication information with the message

(convenience)

CSCE 813 - Farkas 26

Page 27: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 27

Combining Security Combining Security AssociationsAssociations

Case 1: between end-systems

Internetlocal

intranetlocal

intranet

one or more SAs

Figure from L. Buttyan

Possible combinations:1.AH in transport2.ESP in transport3.ESP followed by AH in transport4.Any 1,2,3 inside an AH or ESP tunnel

Page 28: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 28

Combining Security Combining Security AssociationsAssociations

Case 2: between gateways only

Internetlocal

intranetlocal

intranet

single tunnel SA

Figure from L. Buttyan

Security provided:1.Only between gateways2.No host security3.Only single tunnel SA4.AH, ESP or ESP with

authentication

Page 29: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 29

Combining Security Combining Security AssociationsAssociations

Case 3: host-to-gateway (Case 2 + end-to-end security)

Internetlocal

intranetlocal

intranet

single tunnel SAOne or two SAs

Figure from L. Buttyan

End-to-end protection:1.Combinations for case 1 &2 allowed2.Gateway tunnel: authentication and

confidentiality3. Hosts: application specific IPSec

Page 30: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 30

Combining Security Combining Security AssociationsAssociations

Case 4: remote host

Internetlocal

intranet

Tunnel SA One or two SAs

Figure from L. Buttyan

Remote host:1.Host: tunnel mode to firewall

Page 31: Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Oppliger: Chapter 14

CSCE 813 - Farkas 31

Next Class: Key ManagementNext Class: Key Management

ISAKMPISAKMPExchangesExchanges