IPSec: An Overview. Somesh Jha, University of Wisconsin

IPsec Overview


IP Security


  • IPSec: An Overview
    - Somesh Jha, University of Wisconsin

  • Outline
    - Why IPSec?
    - IPSec Architecture
    - Internet Key Exchange (IKE)
    - IPSec Policy
    - Discussion

  • IP is not Secure!
    - IP protocol was designed in the late 70s to early 80s
    - Part of DARPA Internet Project
    - Very small network
    - All hosts are known!
    - So are the users!
    - Therefore, security was not an issue

  • Security Issues in IP
    - source spoofing
    - replay packets
    - no data integrity or confidentiality
    - DOS attacks, replay attacks, spying and more
    - Fundamental Issue: Networks are not (and will never be) fully secure

  • Goals of IPSec
    - to verify sources of IP packets (authentication)
    - to prevent replaying of old packets
    - to protect integrity and/or confidentiality of packets (data integrity / data encryption)

  • Outline
    - Why IPsec?
    - IPSec Architecture
    - Internet Key Exchange (IKE)
    - IPsec Policy
    - Discussion

  • The IPSec Security Model
    - [Figure labels: Secure, Insecure]

  • IPSec Architecture
    - ESP: Encapsulating Security Payload
    - AH: Authentication Header
    - IKE: The Internet Key Exchange
    - IPSec Security Policy

  • IPSec Architecture
    - IPSec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway
    - IPSec operates in two modes:
      - Transport mode (for end-to-end)
      - Tunnel mode (for VPN)

  • IPsec Architecture
    - [Figure labels: Tunnel Mode, Router, Router, Transport Mode]

  • Various Packets
    - Original: [IP header][TCP header][data]
    - Transport mode: [IP header][IPSec header][TCP header][data]
    - Tunnel mode: [IP header][IPSec header][IP header][TCP header][data]

  • IPSec
    - A collection of protocols (RFC 2401)
      - Authentication Header (AH): RFC 2402
      - Encapsulating Security Payload (ESP): RFC 2406
      - Internet Key Exchange (IKE): RFC 2409
      - IP Payload Compression (IPcomp): RFC 3137

  • Authentication Header (AH)
    - Provides source authentication
      - Protects against source spoofing
    - Provides data integrity
    - Protects against replay attacks
      - Use monotonically increasing sequence numbers
      - Protects against denial of service attacks
    - NO protection for confidentiality!

  • AH Details
    - Use 32-bit monotonically increasing sequence number to avoid replay attacks
    - Use cryptographically strong hash algorithms to protect data integrity (96-bit)
      - Use symmetric key cryptography
      - HMAC-SHA-96, HMAC-MD5-96

  • AH Packet Details
    - [Figure: AH packet layout]
    - Fields shown: New IP header; Next header; Payload length; Reserved; Security Parameters Index (SPI); Sequence Number; Authentication Data; Old IP header (only in Tunnel mode); TCP header; Data
    - Labels: Authenticated; Encapsulated TCP or IP packet; Hash of everything else

  • Encapsulating Security Payload (ESP)
    - Provides all that AH offers, and
    - in addition provides data confidentiality
      - Uses symmetric key encryption

  • ESP Details
    - Same as AH:
      - Use 32-bit sequence number to counter replaying attacks
      - Use integrity check algorithms
    - Only in ESP:
      - Data confidentiality: uses symmetric key encryption algorithms to encrypt packets
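The receiver-side checks that the AH Details and ESP Details slides describe (a sequence-number window plus a 96-bit truncated HMAC), as an added sketch that is not part of the original slides. The 32-packet window, the key, and the choice to authenticate only SPI, sequence number and payload are assumptions made to keep it short; real AH also covers the immutable IP header fields.

```python
import hashlib
import hmac

WINDOW = 32  # anti-replay window size in packets (assumed value)

def icv96(key, spi, seq, payload):
    """HMAC-SHA1 over SPI, sequence number and payload, truncated to 96 bits."""
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

class Receiver:
    """Inbound checks for one SA: sequence window first, then the ICV."""
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0   # highest authenticated sequence number so far
        self.bitmap = 0    # bit i set means (highest - i) was already accepted

    def accept(self, spi, seq, payload, icv):
        if spi != self.spi:
            return "drop: unknown SPI"
        if not 1 <= seq <= 0xFFFFFFFF:
            return "drop: bad sequence number"
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return "drop: too old"
            if (self.bitmap >> offset) & 1:
                return "drop: replay"
        # Authenticate before updating state, so forgeries cannot move the window.
        if not hmac.compare_digest(icv, icv96(self.key, spi, seq, payload)):
            return "drop: bad ICV"
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"

def demo():
    """Constructed traffic: in-order, reordered, replayed, forged, far-ahead, stale."""
    key, spi = b"constructed-demo-key", 12
    rx = Receiver(key, spi)
    def good(seq, data):
        return rx.accept(spi, seq, data, icv96(key, spi, seq, data))
    return [good(1, b"a"), good(3, b"c"), good(2, b"b"), good(2, b"b"),
            rx.accept(spi, 4, b"x", bytes(12)), good(40, b"z"), good(5, b"e")]

if __name__ == "__main__":
    print(demo())
```

The forged packet with sequence number 4 is rejected without advancing the window, which is why the ICV check sits before the state update.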

  • ESP Packet Details
    - [Figure: ESP packet layout]
    - Fields shown: IP header; Security Parameters Index (SPI); Sequence Number; Next header; Payload length; Reserved; Initialization vector; TCP header; Data; Pad; Pad length; Next; Authentication Data
    - Labels: Authenticated; Encrypted TCP packet

  • Question?
    - Why have both AH and ESP?
    - Both AH and ESP use symmetric key based algorithms
      - Why not public-key cryptography?
      - How are the keys being exchanged?
      - What algorithms should we use?
    - Similar to deciding on the ciphersuite in SSL

  • Outline
    - Why IPsec?
    - IPsec Architecture
    - Internet Key Exchange (IKE)
    - IPsec Policy
    - Discussion

  • Internet Key Exchange (IKE)
    - Exchange and negotiate security policies
    - Establish security sessions
      - Identified as Security Associations
    - Key exchange
    - Key management
    - Can be used outside IPsec as well

  • IPsec/IKE Acronyms
    - Security Association (SA)
      - Collection of attributes associated with a connection
      - Is asymmetric!
        - One SA for inbound traffic, another SA for outbound traffic
      - Similar to ciphersuites in SSL
    - Security Association Database (SADB)
      - A database of SAs

  • IPsec/IKE Acronyms
    - Security Parameter Index (SPI)
      - A unique index for each entry in the SADB
      - Identifies the SA associated with a packet
    - Security Policy Database (SPD)
      - Stores policies used to establish SAs

  • How They Fit Together
    - [Figure labels: SPD, SADB, SA-1, SA-2, SPI, SPI]

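  • SPD and SADB Example
    - [Figure labels: Tunnel Mode, Transport Mode, A, B, C, D, A's SPD, A's SADB, C's SPD, C's SADB, Asub, Bsub]

    SADB entry:
      From | To | Protocol | SPI | SA Record
      A    | B  | AH       | 12  | HMAC-MD5 key

    SPD entry:
      From | To | Protocol | Port | Policy    | Tunnel Dest
           |    | Any      | Any  | ESP[3DES] | D

    SADB entry:
      From | To | Protocol | SPI | SA Record
           |    | ESP      | 14  | 3DES key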
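How the SPD and SADB rows above are consulted, as an added sketch that is not part of the original slides: the SPD decides whether a packet needs protection, and the SPI selects the SA. The concrete addresses are constructed, and treating the tunnel-mode rule as covering traffic from Asub to Bsub, as well as dropping unmatched traffic, are assumptions.

```python
import ipaddress

# Constructed addresses standing in for the slide's Asub, Bsub and gateway D.
ASUB, BSUB, GW_D = "10.1.0.0/16", "10.2.0.0/16", "192.0.2.4"

# Modelled on the slide's SPD row: any protocol, any port, ESP[3DES], tunnel to D.
# The Asub -> Bsub selectors are an assumption.
SPD = [{"src": ASUB, "dst": BSUB, "proto": "any", "port": "any",
        "policy": ("ESP", "3DES"), "tunnel_dest": GW_D}]

# Modelled on the slide's SADB row, keyed by SPI: ESP, SPI 14, 3DES key.
SADB = {14: {"src": ASUB, "dst": BSUB, "proto": "ESP",
             "key": b"constructed-3des-key-24b"}}

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def spd_lookup(src, dst, proto, port, spd=SPD):
    """Return the first SPD rule whose selectors match the packet, else None."""
    for rule in spd:
        if (in_net(src, rule["src"]) and in_net(dst, rule["dst"])
                and rule["proto"] in ("any", proto)
                and rule["port"] in ("any", port)):
            return rule
    return None

def outbound(src, dst, proto, port, sadb=SADB):
    """Decide what to do with an outgoing packet: (action, SPI, tunnel destination)."""
    rule = spd_lookup(src, dst, proto, port)
    if rule is None:
        return ("drop", None, None)        # assumed default when no policy matches
    for spi, sa in sadb.items():
        if (sa["proto"] == rule["policy"][0]
                and sa["src"] == rule["src"] and sa["dst"] == rule["dst"]):
            return ("protect", spi, rule["tunnel_dest"])
    return ("negotiate", None, rule["tunnel_dest"])  # policy but no SA yet: run IKE

def inbound(spi, sadb=SADB):
    """Receiving side: the SPI carried in the packet selects the SA; unknown SPI is None."""
    return sadb.get(spi)

if __name__ == "__main__":
    print(outbound("10.1.5.9", "10.2.7.1", "tcp", 80))
```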

  • How It Works
    - IKE operates in two phases
      - Phase 1: negotiate and establish an auxiliary end-to-end secure channel
        - Used by subsequent phase 2 negotiations
        - Only established once between two end points!
      - Phase 2: negotiate and establish custom secure channels
        - Occurs multiple times
    - Both phases use Diffie-Hellman key exchange to establish a shared key

  • IKE Phase 1
    - Goal: to establish a secure channel between two end points
    - This channel provides basic security features:
      - Source authentication
      - Data integrity and data confidentiality
      - Protection against replay attacks

  • IKE Phase 1
    - Rationale: each application has different security requirements
    - But they all need to negotiate policies and exchange keys!
    - So, provide the basic security features and allow applications to establish custom sessions

  • Examples
    - All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check
    - All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required)

  • Phase 1 Exchange
    - Can operate in two modes:
      - Main mode
        - Six messages in three round trips
        - More options
      - Quick mode
        - Four messages in two round trips
        - Fewer options

  • Phase 1 (Main Mode)
    - Initiator -> Responder: [Header, SA1]

  • Phase 1 (Main Mode)
    - Initiator -> Responder: [Header, SA1]
    - Responder -> Initiator: [Header, SA2]
    - Establish vocabulary for further communication

  • Phase 1 (Main Mode)
    - Initiator -> Responder: [Header, SA1]
    - Responder -> Initiator: [Header, SA2]
    - Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]

  • Phase 1 (Main Mode)
    - Initiator -> Responder: [Header, SA1]
    - Responder -> Initiator: [Header, SA1]
    - Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
    - Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
    - Establish secret key using Diffie-Hellman key exchange
    - Use nonces to prevent replay attacks

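  • Phase 1 (Main Mode)
    - Initiator -> Responder: [Header, SA1]
    - Responder -> Initiator: [Header, SA1]
    - Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
    - Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
    - Initiator -> Responder: [Header, IDi, {CERT} sig]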

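  • Phase 1 (Main Mode)
    - Initiator -> Responder: [Header, SA1]
    - Responder -> Initiator: [Header, SA1]
    - Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
    - Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
    - Initiator -> Responder: [Header, IDi, {CERT} sig]
    - Responder -> Initiator: [Header, IDr, {CERT} sig]
    - Signed hash of IDi (without Cert_Req, just send the hash)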

  • Phase 1 (Aggressive Mode)
    - Initiator -> Responder: [Header, SA1, KE, Ni, IDi]

  • Phase 1 (Aggressive Mode)
    - Initiator -> Responder: [Header, SA1, KE, Ni, IDi]
    - Responder -> Initiator: [Header, SA2, KE, Nr, IDr, [Cert]sig]
    - Initiator -> Responder: [Header, [Cert]sig]
    - First two messages combined into one (combine Hello and DH key exchange)

  • IPSec (Phase 1)
    - Four different ways to authenticate (either mode)
      - Digital signature
      - Two forms of authentication with public key encryption
      - Pre-shared key
    - NOTE: IKE does use public-key based cryptography for encryption

  • IPSec (Phase 2)
    - Goal: to establish custom secure channels between two end points
      - End points are identified by : e.g.
      - Or by packet: e.g. All packets going to 128.124.100.0/24
    - Use the secure channel established in Phase 1 for communication

  • IPSec (Phase 2)
    - Only one mode: Quick Mode
    - Multiple quick mode exchanges can be multiplexed
    - Generate SAs for two end points
    - Can use secure channel established in phase 1

  • IP Payload Compression
    - Used for compression
    - Can be specified as part of the IPSec policy
    - Will not cover!

  • Outline
    - Why IPsec?
    - IPsec Architecture
    - Internet Key Exchange (IKE)
    - IPSec Policy
    - Discussion

  • IPsec Policy
    - Phase 1 policies are defined in terms of protection suites
    - Each protection suite
      - Must contain the following:
        - Encryption algorithm
        - Hash algorithm
        - Authentication method
        - Diffie-Hellman Group
      - May optionally contain the following:
        - Lifetime

  • IPSec Policy
    - Phase 2 policies are defined in terms of proposals
    - Each proposal:
      - May contain one or more of the following
        - AH sub-proposals
        - ESP sub-proposals
        - IPComp sub-proposals
      - Along with necessary attributes such as
        - Key length, life time, etc.

  • IPSec Policy Example
    - In English: All traffic to 128.104.120.0/24 must meet the following:
      - Use pre-hashed key authentication
      - DH group is MODP with 1024-bit modulus
      - Hash algorithm is HMAC-SHA (128 bit key)
      - Encryption using 3DES
    - In IPSec: [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]

  • IPsec Policy Example
    - In English: All traffic to 128.104.120.0/24 must use one of the following:
      - AH with HMAC-SHA or,
      - ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm)
    - In IPsec: [AH: HMAC-SHA] or, [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]
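A responder-side check for Phase 1 protection suites written in the bracket notation of the first policy example, as an added sketch that is not part of the original slides. It parses a suite, enforces the four mandatory attributes, and picks the first offered suite that matches local policy; the function names and the weaker and reordered offers in the demo are constructed.

```python
MANDATORY = ("ENC", "HASH", "AUTH", "DH")   # the four required attributes

def parse_suite(text):
    """Parse '[Auth=...; DH=...; HASH=...; ENC=...]' into a dict with upper-case keys."""
    body = text.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("suite must be bracketed")
    suite = {}
    for field in body[1:-1].split(";"):
        if not field.strip():
            continue
        name, sep, value = field.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed attribute: {field!r}")
        key = name.strip().upper()
        if key in suite:
            raise ValueError(f"duplicate attribute: {key}")
        suite[key] = value.strip()
    missing = [m for m in MANDATORY if m not in suite]
    if missing:
        raise ValueError(f"missing mandatory attributes: {missing}")
    return suite

def select_suite(offered, local):
    """Return the first offered suite whose mandatory attributes all equal those of
    a locally configured suite, or None if nothing is acceptable."""
    for offer in offered:
        for ours in local:
            if all(offer[m] == ours[m] for m in MANDATORY):
                return offer
    return None

def demo():
    # Local policy is the suite from the slide; the two offers are constructed.
    local = [parse_suite("[Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]")]
    offers = [
        parse_suite("[Auth=Pre-Hash; DH=MODP(768-bit); HASH=HMAC-MD5; ENC=DES]"),
        parse_suite("[ENC=3DES; HASH=HMAC-SHA; Auth=Pre-Hash; DH=MODP(1024-bit); Lifetime=3600]"),
    ]
    return select_suite(offers, local), select_suite(offers[:1], local)

if __name__ == "__main__":
    print(demo())
```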

  • Virtual Private Networks (VPNs)
    - Virtual
      - It is not a physically distinct network
    - Private
      - Tunnels are encrypted to provide confidentiality
    - CS dept might have a VPN
      - I can be on this VPN while traveling

  • Alice is Traveling
    - Alice works for the mergers and acquisitions (M&A) department of takeover.com
    - She is at Hicktown taking over a meat-packing plant
    - She wants to access the M&A server at her company (confidentially of course)

  • Alice is Traveling

  • Outline
    - Why IPsec?
    - IPsec Architecture
    - Internet Key Exchange (IKE)
    - IPsec Policy
    - Discussion

  • Discussion
    - IPSec is not the only solution!
      - Security features can be added on top of IP!
      - e.g. Kerberos, SSL
    - Confused?
      - IP, IPSec protocols are very complex!
      - Two modes, three sub protocols
      - Complexity is the biggest enemy of security

  • Discussion
    - Has it been used?
      - Yes: primarily used by some VPN vendors
        - But not all routers support it
      - No: it is not really an end-to-end solution
        - Authentication is too coarse (host based)
        - Default encryption algorithm too weak (DES)
        - Too complex for applications to use

  • Resources
    - IP, IPsec and related RFCs: http://www.ietf.org/html.charters/ipsec-charter.html
    - IPsec: RFC 2401, IKE: RFC 2409
    - www.freeswan.org
    - Google search