andreas steffen, 29.06.2015, siemens-1.pptx 1 strongswan workshop for siemens block 1 overview /...

Andreas Steffen, 29.06.2015, Siemens-1.pptx 1

strongSwan Workshop for Siemens

Block 1Overview / IPsec Basics

Prof. Dr. Andreas Steffen

[email protected]


Where the heck is Rapperswil?


HSR - Hochschule für Technik Rapperswil

• University of Applied Sciences with about 1500 students

• Faculty of Information Technology (300-400 students)• Bachelor Course (3 years), Master Course (+1.5 years)



What is strongSwan?


The strongSwan Open Source VPN Project

Super FreeS/WANSuper FreeS/WAN

2003 X.509 2.x PatchX.509 2.x Patch

FreeS/WAN 2.xFreeS/WAN 2.x

1999 FreeS/WAN 1.xFreeS/WAN 1.x

X.509 1.x PatchX.509 1.x Patch2000

Openswan 1.xOpenswan 1.x

2004

2004

strongSwan 2.xstrongSwan 2.xOpenswan 2.xOpenswan 2.x

2005

ITA IKEv2 ProjectITA IKEv2 Project

…

strongSwan 5.xstrongSwan 5.x

strongSwan 4.xstrongSwan 4.x

2012

Monolithic IKE Daemon

IKEv1 & partial IKEv2

IKEv2 RFC 4306

New architecture,same config.

IKEv1 & IKEv2

S/WAN = Secure WAN


strongSwan – the OpenSource VPN Solution

CorporateNetwork

LinuxFreeRadius Server

Windows Active

Directory Server

Internet

High-AvailabilitystrongSwan

VPN Gateway

Windows 7/8Agile VPN

Client

strongSwan

Linux Client


Supported Operating Systems and Platforms

• Supported Operating Systems• Linux 2.6.x, 3.x, 4.x (optional integration into

NetworkManager)• Android 4.x/5.x App (using libipsec userland ESP encryption)• OS X App (using libipsec userland ESP encryption)• OS X (IPsec via PFKEYv2 kernel interface)• FreeBSD (IPsec via PFKEYv2 kernel interface)• Windows 7/8 (native Windows IPsec stack, MinGW-W64

build)

• Supported Hardware Platforms (GNU autotools)• Intel i686/x86_64, AMD64• ARM, MIPS• PowerPC

• Supported Network Stacks• IPv4, IPv6• IPv6-in-IPv4 ESP tunnels• IPv4-in-IPv6 ESP tunnels


Free Download from Google Play Store

March 24, 2015:12’619 installations


OS X App

http://download.strongswan.org/osx/


IKEv2 Interoperability Workshops

• strongSwan successfully interoperated with IKEv2 products fromAlcatel-Lucent, Certicom, CheckPoint, Cisco, Furukawa, IBM, Ixia,Juniper, Microsoft, Nokia, SafeNet, Secure Computing, SonicWall,and the IPv6 TAHI Project.

Spring 2007 in Orlando, FloridaSpring 2008 in San Antonio, Texas


strongSwan 4.x pluto & charon Daemons

rawsocket

rawsocket

IKEv1 IKEv2

ipsecstarter

ipsecstarter

ipsecwhack

ipsecwhack

ipsecstroke

ipsecstroke

charoncharonplutopluto

LSFLSF

UDP/500socket

UDP/500socket

nativeIPsec

nativeIPsec

NetlinkXFRMsocket

Linux 2.6kernel

ipsec.confipsec.conf

stroke socket

whack socket

2005


strongSwan 5.x charon Daemon

UDP 500/4500socket

UDP 500/4500socket

IKEv1/v2

ipsecstarter

ipsecstarter

ipsecstroke

ipsecstroke

charoncharon

nativeIPsec

nativeIPsec

Netlink XFRMsocket

Linux 2.6 / 3.x

kernel

ipsec.confipsec.conf

stroke socket

libipseclibipsec

UDP 4500socket

UDP 4500socket

Any OS

TUN device

ESPinUDP

2012


strongSwan 5.2 charon Daemon

UDP 500/4500socket

UDP 500/4500socket

swanctlswanctl

charoncharon

nativeIPsec

nativeIPsec

Netlink XFRMsocket

Linux 2.6 / 3.x

kernel

swanctl.confswanctl.conf

libipseclibipsec

UDP 4500socket

UDP 4500socket

Any OS

TUN device

ESPinUDP

2014

vici socket

rubygem

rubygem

vici socket

IKEv1/v2


strongSwan 5.2 charon-systemd Daemon

UDP 500/4500socket

UDP 500/4500socket

swanctlswanctl

charon-systemdcharon-systemd

nativeIPsec

nativeIPsec

Netlink XFRMsocket

Linux 2.6 / 3.x

kernel


libipseclibipsec

UDP 4500socket

UDP 4500socket

Any OS

TUN device

ESPinUDP

2014systemdutilities

systemdutilities

vici socket

IKEv1/v2


strongSwan 5.3 charon Daemon

UDP 500/4500socket

UDP 500/4500socket

swanctlswanctl

charoncharon

nativeIPsec

nativeIPsec

Netlink XFRMsocket

Linux 2.6 / 3.x

kernel


libipseclibipsec

UDP 4500socket

UDP 4500socket

Any OS

TUN device

ESPinUDP

2015python 2.7/3.xegg

python 2.7/3.xegg

vici socket

vici socket

IKEv1/v2


IKE Daemon – Software Architecture

socketsocket

charon

busbus

backendsbackendscredentialscredentials

receiverreceiver

sendersender

kernel interfacekernel interface

schedulerscheduler

processorprocessor

file loggerfile logger sys loggersys logger

IKE SAManager

IKE SAManager

IKE SA

IKE SA

IKE SA

IKE SA

CHILD SACHILD SA

CHILD SACHILD SA

CHILD SACHILD SA

IPsec stackIPsec stack

16 concurrent worker threads


Plugins for charon

credentialscredentials

charon

Plugin

Loader

busbus

backendsbackends

eapeap

…

strokestroke

vicivici

sqlsql

eap_md5eap_md5

eap_tlseap_tls

eap_radiuseap_radius

controllercontroller

…

• eap_xAny EAP protocol.

• stroke/vicisocket-based control & configuration interface

• sqlGeneric SQL interfacefor configurations,credentials & logging.

nmnm• nm

DBUS-based pluginfor NetworkManager


Modular Architecture: libcharon plugins I

addrblock eap-gtc eap-ttls medcli

android_dns eap-identity error-notify medsrv

android_log eap-md5 ext-auth osx-attr

attr eap-mschapv2 farp radattr

attr-sql eap-peap forecast resolve

certexpire eap-radius ha smp

connmark eap-sim ipseckey socket-default

coupling eap-sim-file kernel-iph socket-dynamic

dhcp eap-sim-pcsc kernel-libipsec

socket-win

dnscert eap-simaka-pseudonym

kernel-wfp sql

duplicheck eap-simaka-reauth led stroke

eap-aka eap-simaka-sql load-tester systime-fix

eap-aka-3gpp2

eap-tls lookip tnc-ifmap

eap-dynamic eap-tnc maemo tnc-pdp


Modular Architecture: libcharon plugins II

uci

unity

updown

vici

whitelist

xauth-eap

xauth-generic

xauth-noauth

xauth-pam


Modular Architecture: libhydra plugins

kernel-netlink

kernel-pfkey

kernel-pfroute


Plugins for libstrongswan

credentialscredentials

libstrongswan

Plugin

Loader

cryptocrypto

databasedatabase

fetcherfetcher

…

…

…

sha2sha2

randomrandom

x509x509

sqlitesqlite

mysqlmysql

curlcurl

ldapldap

Factories

aesaes

• Certificate retrieval (HASH-and-URL)

• CRL fetching, OCSP

• Non-US crypto code

• No OpenSSL library

• ECCN: No LicenseRequired (NLR)


Modular Architecture: libstrongswan plugins

acert fips-prf pem soup

aes gcm pgp sqlite

aesni gcrypt pkcs1 sshkey

af-alg gmp pkcs7 test-vectors

agent hmac pkcs8 unbound

bliss keychain pkcs11 winhttp

blowfish ldap pkcs12 x509

ccm md4 pubkey xcbc

cmac md5 random

constraints mysql rc2

ctr nonce rdrand

curl ntru revocation

des openssl sha1

dnskey padlock sha2


Modular Architecture: libtnccs plugins

tnc-imc

tnc-imv

tnc-tnccs

tnccs-11

tnccs-20

tnccs-dynamic


Modular Architecture: libimcv plugins

imc-attestation imv-attestation

imc-os imv-os

imc-scanner imv-scanner

imc-swid imv-swid

imc-test imv-test


strongSwan Roadmap

• Release Cycle• Stable minor release (strongSwan x.y.z) every 3 months• Stable major release (strongSwan x.y) every 12-18 months• Release candidate and code freeze about 2 weeks before

release

• Roadmap• Windows 10 port (Q3 2015)• Windows 10 Mobile port (Q4 2015) • iOS port (Q4 2015?)• Post-quantum BLISS standardization (Q3 2015)• Public key retrieval via DNSSEC (DANE) (Q4 2015)• Refactoring of entropy generation (Q4 2015)


KVM VPN Testbed



IPsec Transport Modeusing AH or ESP


Internet

IPsec – Transport Mode

2001:1620:f00::1 2001:620:130:a036::121

IP connectionsecure

• Secure Host to host connection• IP datagrams must be authenticated• IP datagrams should be encrypted and authenticated


IPsec – Transport ModeIP Authentication Header (AH)

• IP protocol number for AH: 51• Mutable fields: Type of Service (TOS), Fragment Offset,

Flags, Time to Live (TTL), IP header checksum

OriginalIP Header

OriginalIP Header

TCPHeader

TCPHeader DataDataIPv4

Before applying AH

AH: RFC 4302

After applying AH

IPv4

authenticatedexcept for mutable fields

OriginalIP Header

OriginalIP Header

AHHeader

AHHeader

TCPHeader

TCPHeader DataData


IPsec – Transport ModeIP Encapsulating Security Payload (ESP)

• IP protocol number for ESP: 50• ESP authentication is optional• With ESP authentication the IP header is not protected.

OriginalIP Header

OriginalIP Header

TCPHeader


Before applying ESP

ESP: RFC 4303

OriginalIP Header

OriginalIP Header

ESPHeader

ESPHeader

IPv4

After applying ESP

encryptedauthenticate

d

TCPHeader

TCPHeader DataData ESP

Trailer

ESPTrailer

ESPAuth

ESPAuth



IPsec Tunnel Modeusing ESP


Internet

IPsec – Tunnel ModeVirtual Private Network (VPN)

10.1.0.2

10.1.0.3

10.1.0.1

Subnet10.1.0.0/16

10.2.0.2

10.2.0.3

10.2.0.1

Subnet10.2.0.0/16

194.230.203.86

160.85.180.0

SecurityGateway

SecurityGateway

secure IP tunnel


IPsec Tunnel Mode using ESP

OriginalIP Header

OriginalIP Header

TCPHeader


Before applying ESP

• IP protocol number for ESP: 50• ESP authentication is optional but often used in place of

AH• Original IP Header is encrypted and therefore hidden

OuterIP Header

OuterIP Header

ESPHeader

ESPHeader

IPv4

After applying ESP

encryptedauthenticate

d

OriginalIP Header

OriginalIP Header

TCPHeader

TCPHeader DataData ESP

Trailer

ESPTrailer

ESPAuth

ESPAuth

Encapsulating SecurityPayload (ESP): RFC 4303


ESP Header (Header / Payload / Trailer)

encrypted

authenticated

After applying ESP

Security Parameters Index (SPI)

Anti-Replay Sequence Number

Payload Data (variable, including IV)

Padding (0-255 bytes)

Authentication Data (variable)

0 1 2 3 4 bytes

Next HeaderPad Length


IPsec Tunnel Mode CBC Packet Overhead

Outer IP Header

AES_XCBC_96

HMAC_SHA1_96

SPI / Seq. Number

3DES_CBC IV

AES_CBC IV

3DES_CBC max Pad

AES_CBC max Pad

Pad Len / Next Header

HMAC_SHA2_256_128

HMAC_SHA2_384_192

HMAC_SHA2_512_256

20

8

8

16

7

15

12

2

12

16

24

32

12

12

16

24

32

12

12

16

24

32

20 20 20 20 20 20 20 20 20 20

8 8 8 8 8 8 8 8 8 8

8 8 8 8 8

16 16 16 16 16

7 7 7 7 7

15 15 15 15 15

2 2 2 2 2 2 2 2 2 2

50 50 54Best Case Overhead 62 70 58 58 62 70 78

BytesWorst Case Overhead 57 57 61 69 77 73 73 77 85 93


Authenticated Encryption with Associated Data (AEAD)

• AEAD is based on specialblock cipher modes:

• Block size: 128 bits• Key size: 128/256 bits• Tag size : 128/96/64 bits• Nonce size: 96 bits

32 bits 64 bits 32 bits

• Recommended AEAD Modes: AES-Galois/Counter ModeAES-GMAC (auth. only)

• Alternative AEAD Modes:AES-CCMCAMELLIA-GCMCAMELLIA-CCM

Salt IV Counter

Salt IV 0 Salt IV 1 Salt IV 2

Key K Key K

Hash Subkey H

0………………..0

Key K

Hash Subkey Derivation


IPsec Tunnel Mode AEAD Packet Overhead

Outer IP Header

AES_GCM_96 Tag

AES_GCM_64 Tag

Security Parameter IndexAES_GCM IV

AES_CNT max Pad

Pad Len / Next Header

20

8

8

3

8

2

12

8

12

20 20 20

8 8 8

8 8 8

2 2 2

46 50 54Best Case Overhead

Bytes

Worst Case Overhead 49 53 57

3 3 3

AES_GCM_128 Tag 16 16

Additional Authenticated Data:

Sequence Number

0 1 2 3

Security Parameter Index

ExtendedSequence Number

0 1 2 3

SPI / Seq. Number

or



Layer 3 VPN vs Layer 4 VPN


Layer 3 Tunnel based on IPSec

IPIP PayloadPayload

Private Network

InternetIP

ISPVPN Client VPN Gateway

PSTN

IPsec TunnelIPIP ESPESP IPIP PayloadPayload

PPPPPP

PSTN

IPIP ESPESP IPIP PayloadPayload


IPIP PayloadPayload

Private Network

InternetIP

ISPTLS Client

TLS Proxy Server

PSTN

PPPPPP IPIP

PSTN

TCP*TCP* TLSTLS IPIP PayloadPayload

SSL/TLSTunnelIPIP TCP*TCP* TLSTLS IPIP PayloadPayload

Layer 4 Tunnel based on SSL/TLS

*OpenVPN uses TLS over UDP


• Layer 3 – IPSecIPsec is an Internet standard ESP and AH don’t have ports and thus cannot traverse NAT

routersBut with ESP-in-UDP encapsulation NAT-Traversal becomes

simpleFirst generation IPsec with IKEv1 was complex and difficult to

set upSecond generation IPsec with IKEv2 is fast, simple and robustHigh throughput because encryption is handled by kernel

• Layer 4 – TLS (OpenVPN)Although available on many platforms, OpenVPN is not a

standardEasy to handle NAT situations since single TCP or UDP socket is

usedFast, simple and robust connection setupLower throughput (factor 2..3) because encryption is done in

userland

Layer 3 versus Layer 4 VPN

andreas steffen, 29.06.2015, siemens-1.pptx 1 strongswan workshop for siemens block 1 overview /...

Documents