Cisco. David Gonzalez. Encryption solutions for new transmission technologies
TRANSCRIPT
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Site-to-Site VPN with GET VPN
David Gonzalez, Consulting Systems Engineer, Cisco
Introduction
VPN Technology Positioning (GET VPN / DMVPN / EzVPN)
Routing: dynamic routing on IP WAN / dynamic routing on tunnels / reverse-route injection
IP Multicast: multicast replication in the IP WAN network / multicast replication at hub / multicast replication at hub
Encryption Style: group protection / peer-to-peer protection / peer-to-peer protection
Failover Redundancy: route distribution model + stateful / route distribution model / stateful hub crypto failover
Network Style: any-to-any (site-to-site) / hub-spoke and spoke-to-spoke (site-to-site) / hub-spoke (client-to-site)
Infrastructure Network: private IP transport / public Internet transport / public Internet transport
IP VPN and Security?
Requirements/Goals: single point bootstrap provisioning; network segmentation; scalable architecture for routing; optimal forwarding plane; security
Security Functions: transport security (encryption, authentication, authorization); protection (partitioned, firewall, access controls); prevention/detection (intrusion, denial of service)
Context: IP VPN Security Needs
(Figure: CE - PE - PE - CE path with three possible IPsec placements)
IPsec CE-CE: service = VPN security
IPsec PE-PE: service = virtual provider protection
IPsec CE-PE: service = remote access into the VPN
IP VPN Attributes
(Figure: CE1-CE5 attached to an IP VPN with a route reflector (RR); prefixes 10/1-10/5)
Multicast replication by the IP VPN PE and P routers
Hierarchical routing
Any-to-any connectivity
Redundancy established between CE and PE
IPsec Attributes
(Figure: CE1-CE5 building point-to-point tunnels across the IP VPN; prefixes 10/1-10/5)
Multicast replication induced at the CE
Point-to-point connectivity
Overlay routing in tunnels
Redundancy established by the CE
Network Paradigm Assessment
IP VPN (e.g. MPLS VPN)
▲ Any-to-any connectivity without CE-CE tunnel adjacency
▲ Single point provisioning on a per-CE basis
▲ Distributed and hierarchical routing for scalability
▲ Optimal traffic forwarding
► Security: ▲ segmentation; ▼ confidentiality (segmentation only); ▼ integrity
IPsec
▼ Scalability constraints of point-to-point tunnel adjacency
▼ Per-peer provisioning
▼ Scalability constraints of point-to-point overlay routing or route insertion
▼ Traffic forwarding according to a non-optimal tunnel overlay
▲ Security: ▲ segmentation; ▲ confidentiality; ▲ integrity
The Paradox
IP VPN for: any-to-any connectivity; hierarchical and scalable routing; efficient multicast distribution; segmentation from the Internet; simplified QoS models
IPsec VPN for: confidentiality; integrity; authentication
The technologies meet ORTHOGONAL requirements and CONFLICT with each other
Reconciliation of the Network Paradigms
So Now What?
Resolution: a new security paradigm for multicast and unicast communication on an IP VPN
The security paradigm does not "create" the VPN; it uses an existing IP VPN
The IP VPN can be MPLS VPN, FR/ATM, satellite, etc.
VPN Technology Positioning
(Figure: EzVPN and DMVPN spokes reach the data center's Internet edge over the Internet/shared network through IPsec head-ends; GET VPN GMs reach the data center's WAN edge GMs over the MPLS/private network, with the key servers (KS) in the data center; remote access terminates at the Internet edge)
GET-Enabled IP VPN Overview
Tunnel-less VPN - A New Security Model: Any-to-Any Encryption
IPsec point-to-point tunnels:
• Scalability is an issue (N^2 problem)
• Any-to-any instant connectivity can't be done at scale
• Overlay routing
• Limited advanced QoS
• Multicast replication inefficient
Tunnel-less VPN:
• Scalable architecture
• Any-to-any instant connectivity at high scale
• No overlays, native routing
• Advanced QoS
• Efficient multicast replication
How GET VPN Prevents Overlay Routing
Cisco GET VPN uses IP header preservation to mitigate routing overlay and to preserve QoS and multicast capabilities
Original IP packet: IP Header | IP Payload
IPsec tunnel mode: New IP Header | ESP Header | Original IP Header | IP Payload
GET VPN (IP header preservation): Original IP Header (preserved copy) | ESP Header | Original IP Header | IP Payload
GDOI Definitions
Key Server (KS): device which distributes keys and policies to group members.
Group Member (GM): a device which registers with a group controlled by the KS to communicate securely with other GMs.
Group SA: IPsec SA that is shared by all the GMs in the group.
TEK: key used to protect traffic between GMs.
KEK: key used to protect rekeys between the KS and the GMs.
Group Security Functions
Group Member: encryption devices; route between secure/unsecure regions; multicast participation
Key Server: validate group members; manage security policy; create group keys; distribute policy/keys
Routing Member: forwarding; replication; routing
Group Security Elements
(Figure: key servers distribute the Key Encryption Key (KEK), the Traffic Encryption Key (TEK) and the group policy to the group members across the routing members)
RFC 3547: Group Domain of Interpretation (GDOI)
Proprietary: KS cooperative protocol
Group Security Association
Group members share a security association; the security association is not to a specific group member but with a set of group members
Safe when the VPN gateways are working together to protect the same traffic: the VPN gateways are trusted in the same way, and traffic can flow between any of the VPN gateways
GET VPN Architecture
(Figure: nine group members GM1-GM9 and a key server KS on the same IP VPN)
Step 1: Group Members (GM) "register" via GDOI with the Key Server (KS)
KS authenticates and authorizes the GM
KS returns a set of IPsec SAs for the GM to use
Step 2: Data Plane Encryption
GMs exchange encrypted traffic using the group keys
The traffic uses IPsec tunnel mode with "address preservation"
Step 3: Periodic Rekey of Keys
KS pushes out replacement IPsec keys before the current IPsec keys expire. This is called a "rekey"
Group Membership Management
Group Member Registration: immediately upon boot; immediately upon applying the crypto map; protected by the IKE SA (pre-shared keys or PKI certificate)
Group Member Maintenance through Rekey: periodic update protected by the rekey SA (the IKE SA expires); new policies, time sync, or new keys (TEK or KEK); acknowledged with unicast rekey; unacknowledged with multicast rekey
Group Member Data Plane
GDOI Protocol
RFC 3547: the initiator is a "Group Member"; the receiver, or GCKS, is a "Key Server"
GROUPKEY-PULL (a.k.a. Registration), protected by the IKE SA (IKE Phase 1):
1. Group Member requests group info (GROUP-ID)
2. Key Server supplies policy (SA-policy, key lifetime)
3. Group Member acknowledges and asks for keys
4. Key Server supplies keys (KEK, TEK, sequence number)
GROUPKEY-PUSH (a.k.a. Rekey), protected by the REKEY SA (the IKE SA has since expired):
Key Server refreshes keys and/or policy (new policy/key, key lifetime)
GET Deployment Properties
Group Security Methods
Group Encryption Methods: IPsec tunnel mode with IP header preservation; group security association; time-based anti-replay
Affinity of Group Security Association: group association on the group member; group authorization on the key server
Group Policy: KS authorized encryption; KS authorized encryption exceptions; GM authorized encryption exceptions
IPsec Tunnel Mode
IP packet: IP Header | IP Payload
IPsec tunnel mode ESP: New IP Header | ESP | IP Header | IP Payload
• IPsec header inserted by the VPN gateway
• The new IP address requires overlay routing
IPsec Tunnel Mode with IP Address Preservation
IP packet: IP Header | IP Payload
Group Encrypted Transport: Copy of Original IP Header | ESP | IP Header | IP Payload
• IP header preserved by the VPN gateway: the outer header is a copy of the original header, not a new tunnel endpoint address
• The preserved IP address uses the original routing plane
QoS Attribute Preservation
(Figure: on ingress the IP header carries the DSCP and the ports, with link NLPID = IP; encryption copies the IP header and DSCP into the preserved outer header and places the original IP header and payload, encrypted, between the ESP header and the ESP trailer; on egress the outer header still carries the DSCP, but its protocol is now ESP, so the ports are no longer visible to the WAN)
QoS Flow Model
Ingress flow (LAN): classifier → police → mark / drop → route → encrypt
Egress flow (WAN): classifier → police → mark / drop → queue → shape
Group Encrypted Transport (Data Plane)
(Figure: packet 10.1.1.4 → 10.1.2.32 crossing GM - router - router - GM)
Encapsulation without time-based anti-replay:
[10.1.1.4 | 10.1.2.32] [ESP Header (SPI)] [10.1.1.4 | 10.1.2.32 | Payload] [ESP Trailer]
Encapsulation with time-based anti-replay:
[10.1.1.4 | 10.1.2.32] [ESP Header (SPI)] [Cisco Meta Data: Time Stamp] [10.1.1.4 | 10.1.2.32 | Payload] [ESP Trailer]
Group Encrypted Transport (Data Plane)
Preservation of the original IP addresses and DSCP
Encapsulating Security Payload (ESP) with an irrelevant sequence number
OPTIONAL: time-based anti-replay; the IPsec next header is identified as IANA private encryption (protocol = 99); Cisco Meta Data (99) carries the PseudoTimeStamp for receiver verification
The encrypted IP packet follows
Packet layout:
IP: IP header (protocol type = ESP), preserved IP addresses from the inner IP header
ESP: Security Parameter Index; sequence number (ignored by the receiver)
CMD: Next Header = IP, Length (0x2), Version (0x1), Reserved; Len (0x1), Type 5 = time-based anti-replay, Reserved; PseudoTimeStamp
Inner IP header
Original IP payload
ESP trailer: IPsec padding, pad length, next header (MD 99); authentication tag
Group Encrypted Transport (Data Plane)
Group Member Receive Processing
(Figure: received packet [10.1.1.4 | 10.1.2.32] [ESP Header (SPI)] [Cisco Meta Data: Time Stamp] [10.1.1.4 | 10.1.2.32 | Payload] [ESP Trailer])
1. ESP/SPI lookup selects the group TEK; decrypt
2. Compare the time stamp: drop if too early or too late
3. Match idents (preserved outer header against the inner header): drop on mismatch
4. Forward the inner packet 10.1.1.4 → 10.1.2.32
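The encapsulation and receive checks on the preceding data-plane slides (header preservation, the Cisco Meta Data pseudotime, the ignored ESP sequence number, and the receive-side "too early or late" and "match idents" drops), as an added Python example that is not Cisco code. It assumes things the slides do not state: a SHA-256 keystream stands in for the real cipher, the ICV is HMAC-SHA256 truncated to 12 bytes, the CMD header is 16 bytes with a 64-bit pseudotime in milliseconds, and the replay window is 30 seconds. The packet and TEK are constructed.

```python
# Added example (not Cisco code): GET VPN style ESP with IP header
# preservation and time-based anti-replay, then GM receive processing.
# Assumptions not on the slides: SHA-256 keystream stands in for the
# cipher, ICV = HMAC-SHA256 truncated to 12 bytes, the CMD header is
# 16 bytes with a 64-bit pseudotime in milliseconds, window = 30 s.
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP = 50            # IP protocol number of ESP
CMD_PROTO = 99      # IANA private encryption: Cisco Meta Data follows
CMD_TYPE_TBAR = 5   # CMD option type for time-based anti-replay (slide)
IPV4 = 4


@dataclass
class GroupSA:
    """One SPI and one TEK shared by every GM in the group."""
    spi: int
    tek: bytes
    window_ms: int = 30_000


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_header(src, dst, proto, dscp, total_len):
    """Minimal IPv4 header; checksum left at zero for the example."""
    return struct.pack(">BBHHHBBH4s4s", (IPV4 << 4) | 5, dscp << 2, total_len,
                       0, 0, 64, proto, 0, ip_bytes(src), ip_bytes(dst))


def parse_ip(hdr):
    """(src, dst, proto, dscp) of an IPv4 header."""
    src = ".".join(str(b) for b in hdr[12:16])
    dst = ".".join(str(b) for b in hdr[16:20])
    return src, dst, hdr[9], hdr[1] >> 2


def keystream(tek, spi, n):
    """Stand-in for the cipher: SHA-256 in counter mode keyed by TEK|SPI."""
    out = b""
    for ctr in range(-(-n // 32)):
        out += hashlib.sha256(tek + struct.pack(">II", spi, ctr)).digest()
    return out[:n]


def encapsulate(sa, inner, pseudotime_ms):
    """Tunnel-mode ESP whose outer header copies the inner addresses and
    DSCP (address preservation); plaintext = CMD header + inner packet."""
    src, dst, _, dscp = parse_ip(inner[:20])
    cmd = struct.pack(">BBBBBBHQ", IPV4, 2, 1, 0, 1, CMD_TYPE_TBAR, 0, pseudotime_ms)
    plain = cmd + inner
    pad_len = (-(len(plain) + 2)) % 16                # align to 16-byte blocks
    plain += bytes(range(1, pad_len + 1)) + bytes([pad_len, CMD_PROTO])
    body = bytes(a ^ b for a, b in zip(plain, keystream(sa.tek, sa.spi, len(plain))))
    esp = struct.pack(">II", sa.spi, 0) + body        # sequence number is ignored
    esp += hmac.new(sa.tek, esp, hashlib.sha256).digest()[:12]
    return ip_header(src, dst, ESP, dscp, 20 + len(esp)) + esp


def receive(sas, pkt, local_pseudotime_ms):
    """GM receive path from the slide: SPI lookup, ICV check, pseudotime
    window, then outer/inner identity match. Returns ('forward', inner)
    or ('drop', reason)."""
    osrc, odst, proto, _ = parse_ip(pkt[:20])
    if proto != ESP:
        return "drop", "not ESP"
    esp = pkt[20:]
    sa = sas.get(struct.unpack(">I", esp[:4])[0])
    if sa is None:
        return "drop", "unknown SPI"
    expected = hmac.new(sa.tek, esp[:-12], hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(esp[-12:], expected):
        return "drop", "bad ICV"
    body = esp[8:-12]
    plain = bytes(a ^ b for a, b in zip(body, keystream(sa.tek, sa.spi, len(body))))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != CMD_PROTO:
        return "drop", "no CMD header"
    plain = plain[:-(pad_len + 2)]
    cmd_type, pseudotime = plain[5], struct.unpack(">Q", plain[8:16])[0]
    if cmd_type == CMD_TYPE_TBAR and abs(pseudotime - local_pseudotime_ms) > sa.window_ms:
        return "drop", "too early or late"
    inner = plain[16:]
    isrc, idst, _, _ = parse_ip(inner[:20])
    if (isrc, idst) != (osrc, odst):
        return "drop", "identity mismatch"
    return "forward", inner
```

The outer header produced by encapsulate carries the original 10.1.1.4 → 10.1.2.32 pair and the original DSCP, which is what lets the core route and queue the packet without any overlay; the identity check on receive is what stops a peer from forging an outer header that the core would route differently from the inner one.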
Secure Data Plane Multicast
(Figure: one sending GM, three receiving GMs and a KS on the IP VPN)
Premise: the sender does not know the potential recipients
The sender assumes that legitimate group members obtain the Traffic Encryption Key for the group from the key server
Encrypt multicast with IP address preservation
Replication in the core is based on the original (S,G)
Corollary: Secure Data Plane Unicast
(Figure: one receiving GM, three sending GMs and a KS on the IP VPN)
Premise: the receiver advertises a destination prefix but does not know the potential encryption sources
The receiver assumes that legitimate group members obtain the Traffic Encryption Key for the group from the key server
The receiver can authenticate the group membership
Group Policy Considerations
What may already be protected? Management plane: SSH, TACACS, HTTPS
What should not be protected with group security? Control plane: Internet Key Exchange / Group Domain of Interpretation; routing exchanges (OSPF, BGP)
What needs to be protected with group security? Data plane: enterprise transactions; enterprise multicast streams
What may be protected with group security? Data plane: Internet transactions; diagnostics (LAN-LAN vs. WAN-WAN vs. WAN-LAN)
Group Policy Protection
Scope of data plane protection: what class of traffic needs protection?
Unicast from LANs only
Multicast from LANs only
Unicast and multicast from LANs
All traffic
Scope exclusion: what should not be encrypted? Control plane
Routing control plane (IGP, PIM)
Crypto control plane (GDOI)
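The policy model of the two preceding slides, as an added Python example rather than Cisco code: the KS-authorized policy is an ordered access list whose permit entries are encrypted and whose deny entries pass in the clear, with the control plane (GDOI, IGP, PIM, BGP) excluded ahead of the data-plane permits, and the GM's own authorized exceptions (deny entries only) evaluated before the KS policy. The protocol and port numbers are the IANA values; the address ranges, the ordering of the GM exceptions ahead of the KS policy, and the sample flows are constructed for the example.

```python
# Added example (not Cisco code): evaluating a GET VPN group policy on a GM.
# Permit = encrypt with the group TEK, deny = send in the clear. The control
# plane is denied first so the GM can still register and route. The GM's own
# exception list (deny only) is consulted before the KS policy (assumption).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GDOI_PORT, BGP_PORT, SSH_PORT = 848, 179, 22
TCP, UDP, OSPF, PIM = 6, 17, 89, 103


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" -> encrypt, "deny" -> bypass
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


# Policy the KS would push: control-plane exclusions, then data-plane permits.
KS_POLICY = [
    Ace("deny", proto=UDP, dport=GDOI_PORT),     # the crypto control plane itself
    Ace("deny", proto=OSPF),
    Ace("deny", proto=PIM),
    Ace("deny", proto=TCP, dport=BGP_PORT),
    Ace("deny", dst="224.0.0.0/24"),             # link-local routing multicast
    Ace("permit", "10.0.0.0/8", "10.0.0.0/8"),      # enterprise unicast (constructed)
    Ace("permit", "10.0.0.0/8", "239.0.0.0/8"),     # enterprise multicast (constructed)
]

# GM-authorized exceptions: traffic this site already protects otherwise.
GM_EXCEPTIONS = [Ace("deny", proto=TCP, dport=SSH_PORT)]


def classify(flow: Flow, ks_policy=KS_POLICY, gm_exceptions=GM_EXCEPTIONS) -> str:
    """Return 'encrypt' or 'bypass' for a flow, first match wins."""
    for ace in gm_exceptions:
        if ace.action == "deny" and ace.matches(flow):
            return "bypass"
    for ace in ks_policy:
        if ace.matches(flow):
            return "encrypt" if ace.action == "permit" else "bypass"
    return "bypass"      # implicit deny: unmatched traffic is not encrypted


def audit(flows):
    """Map each flow to its decision, handy for reviewing a policy before it is pushed."""
    return {f: classify(f) for f in flows}
```

The implicit deny at the end is the part worth checking on a real deployment: anything the KS policy does not explicitly permit, Internet-bound traffic for instance, leaves the GM unencrypted, which is exactly the "may be protected" category on the previous slide.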
Group Policy Distribution
Group Keys: Key Encryption Keys (default lifetime of 24 hours); Traffic Encryption Keys (default lifetime of 1 hour)
Key Distribution:
Unicast: infrastructure capable of unicast only; requirement for rekey acknowledgement; time required for serialized key and policy distribution
Multicast: infrastructure capable of multicast; quick key and policy distribution
Group Keys
(Figure: key server holding KEK and TEK1, three group members on the IP VPN)
Key Encryption Key (KEK): used to encrypt GDOI (i.e. control traffic) between the KS and the GMs for the rekey message
Traffic Encryption Key (TEK): used to encrypt data (i.e. user traffic) between GMs
Rekey sequence:
1. The Key Server monitors the expiration time of TEK1
2. The Key Server creates TEK2 to replace TEK1 prior to expiration
3. The Key Server distributes TEK2 to all known GMs via unicast or via the multicast rekey group
4. The Group Members install the new TEK2
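The GDOI exchange (GROUPKEY-PULL handing out KEK, TEK, lifetimes and a sequence number; GROUPKEY-PUSH refreshing the TEK under the KEK) and the TEK1/TEK2 replacement sequence on the slides above, as one added Python simulation that is not Cisco code. It assumes, beyond what the slides state, that HMAC-SHA256 keyed with the KEK stands in for the rekey's KEK encryption and RSA signature, that the KS sends the rekey when 10% of the TEK lifetime remains, and that times are plain seconds; the default lifetimes are the 24 h / 1 h values from the slides, and the GM names are constructed.

```python
# Added simulation (not Cisco code) of the KEK/TEK lifecycle. GROUPKEY-PULL
# gives a GM the KEK, the current TEK and the rekey transport; the KS issues
# a GROUPKEY-PUSH before the TEK expires. Assumptions not on the slides:
# HMAC-SHA256 under the KEK stands in for the rekey's KEK encryption and
# RSA signature; rekey at 10% remaining TEK lifetime; times in seconds.
import hashlib
import hmac
import os
from dataclasses import dataclass

KEK_LIFETIME = 24 * 3600     # slide default: 24 hours
TEK_LIFETIME = 3600          # slide default: 1 hour
REKEY_MARGIN = 0.10          # assumption


@dataclass
class Tek:
    spi: int
    key: bytes
    expires_at: float


@dataclass
class RekeyMessage:
    seq: int          # rekey sequence number: GMs reject replayed pushes
    tek: Tek
    mac: bytes


def rekey_mac(kek, seq, tek):
    msg = seq.to_bytes(4, "big") + tek.spi.to_bytes(4, "big") + tek.key
    return hmac.new(kek, msg + repr(tek.expires_at).encode(), hashlib.sha256).digest()


class KeyServer:
    def __init__(self, now, transport="unicast"):
        self.transport = transport
        self.kek = os.urandom(32)
        self.kek_expires_at = now + KEK_LIFETIME
        self.seq = 0
        self.tek = self._new_tek(now)
        self.acked = {}                    # gm_id -> last acknowledged rekey seq

    @staticmethod
    def _new_tek(now):
        return Tek(int.from_bytes(os.urandom(4), "big"), os.urandom(32), now + TEK_LIFETIME)

    def register(self, gm_id):
        """GROUPKEY-PULL (after IKE authentication): KEK, current TEK, transport."""
        self.acked[gm_id] = self.seq
        return self.kek, self.tek, self.transport

    def tick(self, now):
        """GROUPKEY-PUSH once the TEK is inside its rekey margin, else None."""
        if now < self.tek.expires_at - TEK_LIFETIME * REKEY_MARGIN:
            return None
        self.tek = self._new_tek(now)
        self.seq += 1
        return RekeyMessage(self.seq, self.tek, rekey_mac(self.kek, self.seq, self.tek))

    def ack(self, gm_id, seq):
        self.acked[gm_id] = seq

    def unacked(self):
        """GMs still owing an ack for the latest unicast rekey; multicast rekeys are never acked."""
        if self.transport != "unicast":
            return []
        return [g for g, s in self.acked.items() if s < self.seq]


class GroupMember:
    def __init__(self, gm_id, ks):
        self.gm_id, self.ks = gm_id, ks
        self.kek, tek, self.transport = ks.register(gm_id)
        self.teks = {tek.spi: tek}
        self.last_seq = 0

    def receive_rekey(self, msg, now):
        if not hmac.compare_digest(msg.mac, rekey_mac(self.kek, msg.seq, msg.tek)):
            return "drop: bad rekey authentication"
        if msg.seq <= self.last_seq:
            return "drop: replayed rekey"
        self.last_seq = msg.seq
        self.teks[msg.tek.spi] = msg.tek
        # keep the old TEK until it expires so in-flight traffic still decrypts
        self.teks = {s: t for s, t in self.teks.items() if t.expires_at > now}
        if self.transport == "unicast":
            self.ks.ack(self.gm_id, msg.seq)
        return "installed"

    def active_tek(self, now):
        """Newest unexpired TEK, the one used for sending."""
        live = [t for t in self.teks.values() if t.expires_at > now]
        return max(live, key=lambda t: t.expires_at) if live else None
```

The unacked list is what the serialized unicast distribution on the previous slide is paying for: the KS knows which GMs missed the push and can retry them, whereas with multicast rekey it learns nothing and GMs that missed the push must re-register when their TEK runs out.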
Cooperative Key Server
Cooperative Key Server Roles
(Figure: a primary and two secondary key servers serving the GET VPN group members)
A key server is elected primary, creates keys, and distributes keys
Group members complete registration to an available key server and receive policy and keys
Managed Tunnel-less VPN Services
Service integration delivers greater value, stronger branding
Increased security: helps businesses comply with regulations, e.g. HIPAA, PCI
Operational simplicity: a centralized key server reduces complexity; easy service rollout
Optimized network utilization
Service innovation, unique offering; services upsell
(Figure: customers A, B and C each in their own VPN (VPN A, VPN B, VPN C) over the SP private network (MPLS); customer sites on Cisco 1800, 2800, 3800 and 7200 routers; an SP-owned key server in the service provider NOC)
• Encrypted traffic is demand-driven
• ISR can have "VRF-aware contexts"
• Centrally managed key servers enable group encryption
Scalability Numbers
IOS Platform Support
Software: 12.4(15)T2 recommended
Platform                    Group Member   Key Server
1821                        Yes            Not supported
6500 VPN-SPA                Planned        Planned
ASR 1000 - IOS XE 2.3       Yes            Planned
7200 NPEG2, VSA             Yes            Yes
7200 NPEG2, VAM2+           Yes            Yes
7200/7301 NPEG1, VAM2+      Yes            Yes
3800 (AIM-VPN/SSL)          Yes            Yes
2800 (AIM-VPN/SSL)          Yes            Yes
1841                        Yes            Yes
870                         Yes            Not supported
Yes = shipping; Planned = crypto acceleration development required
KS Scalability Summary for 7200
Number of Groups   Rekey Transport   GMs per KS   Total GMs   CPU spikes
100                Unicast           10           1,000       -
1                  Unicast           2,000        2,000       -
1                  Multicast         2,000        ~5,300*     10%
* Current software allows up to 8 key servers per group, theoretically allowing multicast scaling up to 16,000 GMs assuming registration is distributed evenly across all KSs. Currently, software limits GMs per group to 5,300.
Scalability Summary
Platform    Crypto Card      Time to register to a single KS
1841        AIM-VPN/SSL-1    15 sec   (tested GMs: 50; max registration CPU / max rekey CPU: 16/8 %)
2821        AIM-VPN/SSL-2    15 sec
7200        VAM2+            25 sec
7200/PKI    VAM2+            40+ sec
2851        AIM-VPN/SSL-2    15 sec
3825        AIM-VPN/SSL-3    15 sec
3845        AIM-VPN/SSL-3    25 sec
Tested GMs for the remaining six rows, as extracted (row assignment not recoverable from the source): 500, 100, 200, 500, 1000, 2000
Max registration CPU / max rekey CPU for the remaining six rows, as extracted: 30/10 %, 30/14 %, 25/15 %, 34/14 %, 46/20 %, 40/18 %
Fragmentation and MTU
Issues for large frames: lack of a tunnel interface; no Path MTU Discovery from the WAN; multicast can't use Path MTU Discovery
Tools for treatment of large frames on the WAN:
Look Ahead Fragmentation (LAF): fragment large frames before encryption on the VPN gateway
TCP MSS settings: set the TCP MSS value 100 bytes smaller than the smallest MTU on the WAN
DF clear: clear the DF bit on frames to allow LAF
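The three tools on the slide above, worked through in an added Python example that is not Cisco code: the on-wire size of a group-encrypted packet, the largest inner packet that still fits the WAN MTU, the slide's "MSS 100 bytes below the smallest WAN MTU" rule checked against that bound, and look-ahead fragmentation before encryption with the DF handling. Every size is an assumption rather than a slide value: ESP with a 16-byte IV and 16-byte block padding (AES-CBC style), a 2-byte trailer, a 12-byte ICV, and a 16-byte Cisco Meta Data header read off the data-plane slide's field layout. With a different cipher or without time-based anti-replay the numbers move, which is the point of computing them rather than trusting a fixed offset.

```python
# Added worked example (not Cisco code) for the fragmentation/MTU slide.
# Sizes are assumptions, not slide values: ESP with a 16-byte IV and
# 16-byte block padding, 2-byte trailer, 12-byte ICV, 16-byte CMD header.
OUTER_IP = 20      # preserved copy of the original IP header
ESP_HDR = 8        # SPI + sequence number
IV = 16
BLOCK = 16
TRAILER = 2        # pad length + next header
ICV = 12
CMD_HDR = 16       # assumed from the field layout on the data-plane slide


def esp_size(inner_len, tbar=True):
    """Bytes on the WAN for an inner IP packet of inner_len bytes."""
    plain = (CMD_HDR if tbar else 0) + inner_len + TRAILER
    padded = -(-plain // BLOCK) * BLOCK          # round up to the block size
    return OUTER_IP + ESP_HDR + IV + padded + ICV


def max_inner(mtu, tbar=True):
    """Largest inner packet whose encapsulation fits mtu without fragmenting."""
    n = mtu
    while n > 0 and esp_size(n, tbar) > mtu:
        n -= 1
    return n


def max_mss(mtu, tbar=True):
    """Largest TCP MSS (IP + TCP headers excluded) that still fits after encryption."""
    return max_inner(mtu, tbar) - 40


def slide_mss(smallest_wan_mtu):
    """The rule as stated on the slide: MSS 100 bytes below the smallest WAN MTU."""
    return smallest_wan_mtu - 100


def look_ahead_fragments(inner_len, mtu, df_set=False, df_clear=False, tbar=True):
    """Inner packet lengths after pre-encryption fragmentation (LAF) so that
    every encrypted piece fits mtu. [] means DF was set and not cleared: the
    gateway would have to drop and signal instead, which multicast cannot use."""
    if esp_size(inner_len, tbar) <= mtu:
        return [inner_len]
    if df_set and not df_clear:
        return []
    per_frag = (max_inner(mtu, tbar) - 20) // 8 * 8   # fragment offsets are 8-byte units
    sizes, data = [], inner_len - 20
    while data > 0:
        chunk = min(data, per_frag)
        sizes.append(20 + chunk)
        data -= chunk
    return sizes
```

Under these assumed sizes a 1500-byte WAN MTU gives a largest fitting MSS of 1382, while the slide's rule yields 1400, whose full-size segments come out at 1528 bytes on the wire; the gap is the 16-byte CMD header plus block padding, so the check is worth rerunning with the real cipher and anti-replay settings of a deployment before picking the MSS clamp.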
Q and A