IPSec—An Overview. Somesh Jha, University of Wisconsin.
1
IPSec—An Overview
Somesh Jha
University of Wisconsin
2
Outline
• Why IPSec?
• IPSec Architecture
• Internet Key Exchange (IKE)
• IPSec Policy
• Discussion
3
IP is not Secure!
• IP protocol was designed in the late 70s to early 80s
  – Part of DARPA Internet Project
  – Very small network
    • All hosts are known!
    • So are the users!
    • Therefore, security was not an issue
4
Security Issues in IP
• Source spoofing
• Replay packets
• No data integrity or confidentiality
• DOS attacks
• Replay attacks
• Spying
• and more…
Fundamental Issue: Networks are not (and will never be) fully secure
5
Goals of IPSec
• To verify sources of IP packets
  – Authentication
• To prevent replaying of old packets
• To protect integrity and/or confidentiality of packets
  – Data integrity / data encryption
6
Outline
• Why IPsec?
• IPSec Architecture
• Internet Key Exchange (IKE)
• IPsec Policy
• Discussion
7
The IPSec Security Model
[Figure: diagram with regions labelled "Secure" and "Insecure"]
8
IPSec Architecture
[Figure: architecture diagram with the following components]
• ESP: Encapsulating Security Payload
• AH: Authentication Header
• IKE: The Internet Key Exchange
• IPSec Security Policy
9
IPSec Architecture
• IPSec provides security in three situations:
  – Host-to-host, host-to-gateway and gateway-to-gateway
• IPSec operates in two modes:
  – Transport mode (for end-to-end)
  – Tunnel mode (for VPN)
10
IPsec Architecture
[Figure with labels: Tunnel Mode, Router, Router, Transport Mode]
11
Various Packets
Original:        IP header | TCP header | data
Transport mode:  IP header | IPSec header | TCP header | data
Tunnel mode:     IP header | IPSec header | IP header | TCP header | data
12
IPSec
• A collection of protocols (RFC 2401)
  – Authentication Header (AH): RFC 2402
  – Encapsulating Security Payload (ESP): RFC 2406
  – Internet Key Exchange (IKE): RFC 2409
  – IP Payload Compression (IPcomp): RFC 3137
13
Authentication Header (AH)
• Provides source authentication
  – Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
  – Use monotonically increasing sequence numbers
  – Protects against denial of service attacks
• NO protection for confidentiality!
14
AH Details
• Use 32-bit monotonically increasing sequence number to avoid replay attacks
• Use cryptographically strong hash algorithms to protect data integrity (96-bit)
  – Use symmetric key cryptography
  – HMAC-SHA-96, HMAC-MD5-96
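
The two AH mechanisms above (a 96-bit truncated HMAC and an increasing sequence number) shown working together on the receiving side. This is an added example, not code from the original slides. Assumptions: the packet layout is simplified to SPI, sequence number, ICV and payload (real AH also covers parts of the IP header), the 32-packet sliding window is not stated on the slides, and the key is a constructed sample.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # 96 bits, as in HMAC-SHA-96 / HMAC-MD5-96
WINDOW = 32    # assumed anti-replay window size; the slides give none

def ah_protect(key, spi, seq, payload, digest=hashlib.sha1):
    """Simplified layout (an assumption): SPI | sequence number | ICV | payload."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, digest).digest()[:ICV_LEN]
    return header + icv + payload

class Receiver:
    """Inbound side of one SA: replay window plus ICV verification."""

    def __init__(self, key, spi, digest=hashlib.sha1):
        self.key, self.spi, self.digest = key, spi, digest
        self.highest = 0   # highest authenticated sequence number so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def accept(self, packet):
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        icv, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
        if spi != self.spi:
            return "unknown-spi"
        age = self.highest - seq          # >= 0: not newer than the window head
        if seq == 0 or (age >= 0 and (age >= WINDOW or self.bitmap >> age & 1)):
            return "replay"               # duplicate, or too old to track
        expected = hmac.new(self.key, packet[:8] + payload, self.digest).digest()
        if not hmac.compare_digest(icv, expected[:ICV_LEN]):
            return "bad-icv"
        # Only an authenticated packet may move the window.
        if age < 0:
            self.bitmap = ((self.bitmap << -age) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << age
        return "ok"
```

Checking the ICV before updating the window matters: a forged packet with a high sequence number must not be able to push genuine packets out of the window.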
15
AH Packet Details
[Figure: AH packet layout]
New IP header
Next header | Payload length | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data (hash of everything else)
Old IP header (only in Tunnel mode)
TCP header
Data
Figure labels: "Authenticated"; "Encapsulated TCP or IP packet"
16
Encapsulating Security Payload (ESP)
• Provides all that AH offers, and
• in addition provides data confidentiality
  – Uses symmetric key encryption
17
ESP Details
• Same as AH:
  – Use 32-bit sequence number to counter replaying attacks
  – Use integrity check algorithms
• Only in ESP:
  – Data confidentiality:
    • Uses symmetric key encryption algorithms to encrypt packets
18
ESP Packet Details
[Figure: ESP packet layout. Labels: IP header; Security Parameters Index (SPI); Sequence Number; Next header; Payload length; Reserved; Initialization vector; TCP header; Data; Pad; Pad length; Next; Authentication Data. Bracket labels: "Authenticated"; "Encrypted TCP packet"]
19
Question?
1. Why have both AH and ESP?
2. Both AH and ESP use symmetric key based algorithms
  – Why not public-key cryptography?
  – How are the keys being exchanged?
  – What algorithms should we use?
  – Similar to deciding on the ciphersuite in SSL
20
Outline
• Why IPsec?
• IPsec Architecture
• Internet Key Exchange (IKE)
• IPsec Policy
• Discussion
21
Internet Key Exchange (IKE)
• Exchange and negotiate security policies
• Establish security sessions
  – Identified as Security Associations
• Key exchange
• Key management
• Can be used outside IPsec as well
22
IPsec/IKE Acronyms
• Security Association (SA)
  – Collection of attributes associated with a connection
  – Is asymmetric!
    • One SA for inbound traffic, another SA for outbound traffic
    • Similar to ciphersuites in SSL
• Security Association Database (SADB)
  – A database of SAs
23
IPsec/IKE Acronyms
• Security Parameter Index (SPI)
  – A unique index for each entry in the SADB
  – Identifies the SA associated with a packet
• Security Policy Database (SPD)
  – Stores policies used to establish SAs
24
How They Fit Together
[Figure with labels: SPD, SADB, SA-1, SA-2, SPI, SPI]
25
SPD and SADB Example
[Figure: hosts A, C, B and D, with "Transport Mode" and "Tunnel Mode" labelled]
A's SPD
From   To     Protocol   Port   Policy
A      B      Any        Any    AH[HMAC-MD5]
A's SADB
From   To     Protocol   SPI    SA Record
A      B      AH         12     HMAC-MD5 key
C's SPD
From   To     Protocol   Port   Policy      Tunnel Dest
Asub   Bsub   Any        Any    ESP[3DES]   D
C's SADB
From   To     Protocol   SPI    SA Record
Asub   Bsub   ESP        14     3DES key
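
The lookup path through the tables above, as an added example that is not part of the original slides: the SPD decides whether and how a packet is protected, the SADB supplies the SPI and key, and on receipt the SPI alone selects the SA. The IP addresses are constructed stand-ins for A, B, D, Asub and Bsub; treating a row with a tunnel destination as tunnel mode, and reusing the sender's SADB to stand in for the receiver's copy, are assumptions of the example.

```python
import ipaddress

# Constructed addresses standing in for the names used on the slide.
ADDR = {"A": "10.0.1.5/32", "B": "10.0.2.7/32", "D": "192.0.2.2/32",
        "Asub": "10.0.1.0/24", "Bsub": "10.0.2.0/24"}

# SPD rows: (from, to, protocol, port, policy, tunnel destination)
A_SPD = [("A", "B", "any", "any", "AH[HMAC-MD5]", None)]
C_SPD = [("Asub", "Bsub", "any", "any", "ESP[3DES]", "D")]
# SADB rows: (from, to, IPsec protocol) -> (SPI, SA record)
A_SADB = {("A", "B", "AH"): (12, "HMAC-MD5 key")}
C_SADB = {("Asub", "Bsub", "ESP"): (14, "3DES key")}

def spd_lookup(spd, src, dst, proto, port):
    """Return the first SPD row whose selectors match the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for row in spd:
        frm, to, r_proto, r_port = row[:4]
        if (s in ipaddress.ip_network(ADDR[frm])
                and d in ipaddress.ip_network(ADDR[to])
                and r_proto in ("any", proto) and r_port in ("any", port)):
            return row
    return None

def outbound(spd, sadb, src, dst, proto, port):
    """Sender side: the SPD picks the policy, the SADB supplies SPI and key."""
    row = spd_lookup(spd, src, dst, proto, port)
    if row is None:
        return {"action": "no-policy"}        # what happens next is site policy
    frm, to, _, _, policy, tunnel_dest = row
    ipsec_proto = policy.split("[")[0]        # "AH" or "ESP"
    sa = sadb.get((frm, to, ipsec_proto))
    if sa is None:
        return {"action": "negotiate", "policy": policy}   # no SA yet: ask IKE
    spi, record = sa
    outer = ADDR[tunnel_dest].split("/")[0] if tunnel_dest else dst
    return {"action": "protect", "proto": ipsec_proto, "spi": spi, "sa": record,
            "mode": "tunnel" if tunnel_dest else "transport", "outer_dst": outer}

def inbound(sadb, spi):
    """Receiver side: the SPI carried in the packet selects the SA."""
    for (frm, to, proto), (sa_spi, record) in sadb.items():
        if sa_spi == spi:
            return {"from": frm, "to": to, "proto": proto, "sa": record}
    return None                               # unknown SPI: no SA, drop
```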
26
How It Works
• IKE operates in two phases
  – Phase 1: negotiate and establish an auxiliary end-to-end secure channel
    • Used by subsequent phase 2 negotiations
    • Only established once between two end points!
  – Phase 2: negotiate and establish custom secure channels
    • Occurs multiple times
  – Both phases use Diffie-Hellman key exchange to establish a shared key
27
IKE Phase 1
• Goal: to establish a secure channel between two end points
  – This channel provides basic security features:
    • Source authentication
    • Data integrity and data confidentiality
    • Protection against replay attacks
28
IKE Phase 1
• Rationale: each application has different security requirements
• But they all need to negotiate policies and exchange keys!
• So, provide the basic security features and allow applications to establish custom sessions
29
Examples
• All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check
• All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required)
30
Phase 1 Exchange
• Can operate in two modes:
  – Main mode
    • Six messages in three round trips
    • More options
  – Quick mode
    • Four messages in two round trips
    • Fewer options
31
Phase 1 (Main Mode)
Initiator -> Responder: [Header, SA1]
32
Phase 1 (Main Mode)
Initiator -> Responder: [Header, SA1]
Responder -> Initiator: [Header, SA2]
Establish vocabulary for further communication
33
Phase 1 (Main Mode)
Initiator -> Responder: [Header, SA1]
Responder -> Initiator: [Header, SA2]
Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
34
Phase 1 (Main Mode)
Initiator -> Responder: [Header, SA1]
Responder -> Initiator: [Header, SA1]
Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
Establish secret key using Diffie-Hellman key exchange
Use nonces to prevent replay attacks
35
Phase 1 (Main Mode)
Initiator -> Responder: [Header, SA1]
Responder -> Initiator: [Header, SA1]
Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
Initiator -> Responder: [Header, IDi, {CERT} sig]
36
Phase 1 (Main Mode)
Initiator -> Responder: [Header, SA1]
Responder -> Initiator: [Header, SA1]
Initiator -> Responder: [Header, KE, Ni {, Cert_Req}]
Responder -> Initiator: [Header, KE, Nr {, Cert_Req}]
Initiator -> Responder: [Header, IDi, {CERT} sig]
Responder -> Initiator: [Header, IDr, {CERT} sig]
Signed hash of IDi (without Cert_Req, just send the hash)
37
Phase 1 (Aggressive Mode)
Initiator -> Responder: [Header, SA1, KE, Ni, IDi]
38
Phase 1 (Aggressive Mode)
Initiator -> Responder: [Header, SA1, KE, Ni, IDi]
Responder -> Initiator: [Header, SA2, KE, Nr, IDr, [Cert]sig]
Initiator -> Responder: [Header, [Cert]sig]
First two messages combined into one (combine Hello and DH key exchange)
39
IPSec (Phase 1)
• Four different ways to authenticate (either mode)
  – Digital signature
  – Two forms of authentication with public key encryption
  – Pre-shared key
• NOTE: IKE does use public-key based cryptography for encryption
40
IPSec (Phase 2)
• Goal: to establish custom secure channels between two end points
  – End points are identified by <IP, port>:
    • e.g. <www.mybank.com, 8000>
  – Or by packet:
    • e.g. All packets going to 128.124.100.0/24
  – Use the secure channel established in Phase 1 for communication
41
IPSec (Phase 2)
• Only one mode: Quick Mode
• Multiple quick mode exchanges can be multiplexed
• Generate SAs for two end points
• Can use secure channel established in phase 1
42
IP Payload Compression
• Used for compression
• Can be specified as part of the IPSec policy
• Will not cover!
43
Outline
• Why IPsec?
• IPsec Architecture
• Internet Key Exchange (IKE)
• IPSec Policy
• Discussion
44
IPsec Policy
• Phase 1 policies are defined in terms of protection suites
• Each protection suite
  – Must contain the following:
    • Encryption algorithm
    • Hash algorithm
    • Authentication method
    • Diffie-Hellman Group
  – May optionally contain the following:
    • Lifetime
    • …
45
IPSec Policy
• Phase 2 policies are defined in terms of proposals
• Each proposal:
  – May contain one or more of the following
    • AH sub-proposals
    • ESP sub-proposals
    • IPComp sub-proposals
    • Along with necessary attributes such as
      – Key length, life time, etc
46
IPSec Policy Example
• In English:
  – All traffic to 128.104.120.0/24 must use the following:
    • Pre-hashed key authentication
    • DH group is MODP with 1024-bit modulus
    • Hash algorithm is HMAC-SHA (128 bit key)
    • Encryption using 3DES
• In IPSec:
  – [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]
47
IPsec Policy Example
• In English:
  – All traffic to 128.104.120.0/24 must use one of the following:
    • AH with HMAC-SHA or,
    • ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm)
• In IPsec:
  – [AH: HMAC-SHA] or,
  – [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]
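
How the two policy notations above can be checked and used, as an added example that is not part of the original slides. It parses the Phase 1 protection suite and rejects one that lacks a mandatory attribute, expands the Phase 2 proposal into concrete transforms, and picks the first transform a peer offers that local policy allows. The function names and the peer offers in the test are constructed for illustration; real IKE encodes proposals in binary payloads, not in this bracket notation.

```python
import re

REQUIRED = {"ENC", "HASH", "AUTH", "DH"}   # mandatory per the protection-suite slide

PHASE1 = "[Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]"
PHASE2 = "[AH: HMAC-SHA] or, [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]"

def parse_suite(text):
    """Parse '[Auth=...; DH=...; HASH=...; ENC=...]' and check mandatory attributes."""
    fields = {}
    for item in text.strip("[] \n").split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            fields[name.strip().upper()] = value.strip()
    missing = REQUIRED - set(fields)
    if missing:
        raise ValueError("protection suite lacks: " + ", ".join(sorted(missing)))
    return fields

def parse_proposals(text):
    """Expand the Phase 2 notation into (protocol, encryption, hash) tuples."""
    out = []
    for proto, body in re.findall(r"\[(AH|ESP):\s*([^\]]+)\]", text):
        for alt in re.split(r"\s+or\s+", body):
            algs = [a.strip() for a in alt.strip("() ").split(" and ")]
            if proto == "AH" and len(algs) == 1:
                out.append(("AH", None, algs[0]))
            elif proto == "ESP" and len(algs) == 2:
                out.append(("ESP", algs[0], algs[1]))
            else:
                raise ValueError(f"malformed {proto} sub-proposal: {alt!r}")
    return out

def select(offered, local):
    """Return the first offered transform that local policy permits, else None."""
    for transform in offered:
        if transform in local:
            return transform
    return None   # no overlap: refuse the SA rather than accept something weaker
```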
48
Virtual Private Networks (VPNs)
• Virtual
  – It is not a physically distinct network
• Private
  – Tunnels are encrypted to provide confidentiality
• CS dept might have a VPN
  – I can be on this VPN while traveling
49
Alice is Traveling
• Alice works for the mergers and acquisitions (M&A) department of takeover.com
• She is at Hicktown taking over a meat-packing plant
• She wants to access the M&A server at her company (confidentially of course)
50
Alice is Traveling
51
Outline
• Why IPsec?
• IPsec Architecture
• Internet Key Exchange (IKE)
• IPsec Policy
• Discussion
52
Discussion
• IPSec is not the only solution!
  – Security features can be added on top of IP!
    • e.g. Kerberos, SSL
• Confused?
  – IP, IPSec protocols are very complex!
    • Two modes, three sub protocols
  – Complexity is the biggest enemy of security
53
Discussion
• Has it been used?
  – Yes—primarily used by some VPN vendors
    • But not all routers support it
  – No—it is not really an end-to-end solution
    • Authentication is too coarse (host based)
    • Default encryption algorithm too weak (DES)
    • Too complex for applications to use
54
Resources
• IP, IPsec and related RFCs:
  – http://www.ietf.org/html.charters/ipsec-charter.html
  – IPsec: RFC 2401, IKE: RFC 2409
  – www.freeswan.org
• Google search