CSE 5/7349 – February 15th 2006
IPSec
Basics
• Stack Level
• V4 vs V6
• Provides
  – Authentication
  – Confidentiality
Architecture & Concepts
• Placement
• Mode
• Security association (SA)
• ESP
• AH
IPSec Placement
Transport Mode Security
• ESP protects higher layer payload only
• AH can protect IP headers as well as higher layer payload
[Figure: transport-mode packet layout: IP header | IP options | IPSec header | Higher layer protocol. Labels: ESP, AH, Real IP destination.]
Tunnel Mode Security
• ESP applies only to the tunneled packet
• AH can be applied to portions of the outer header
[Figure: tunnel-mode packet layout: Outer IP header | Inner IP header | IPSec header | Higher layer protocol. Labels: ESP, AH, Real IP destination, Destination IPSec entity.]
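Tunnel Mode
[Figure: hosts A and B connected through two gateways, with an encrypted tunnel between the gateways; traffic is unencrypted between each host and its gateway. Packet in the tunnel: New IP Header | AH or ESP Header | Orig IP Header | TCP | Data.]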
Security Association - SA
• One way relationship (uni-directional)
• Determine IPSec processing for senders
• Determine IPSec decoding for destination
• SAs are not fixed! Generated and customized per traffic flows (manual as well as dynamic)
  – If manual, no lifetime; dynamic has lifetime
Security Parameters Index - SPI
• Can be up to 32 bits large
• The SPI allows the destination to select the correct SA under which the received packet will be processed (according to the agreement with the sender)
  – The SPI is sent with the packet by the sender
• SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SA
SA Bundle
• More than 1 SA can apply to a packet
• Example: ESP does not authenticate new IP header. How to authenticate?
  – Use SA to apply ESP w/out authentication to original packet
  – Use 2nd SA to apply AH
Authenticated Header (AH)
AH Security
• Connectionless integrity
  – Flow/error control left to transport layer
  – Data integrity
• Authentication
  – Can “trust” IP address source
  – Use MAC to authenticate
• Anti-replay feature
• Integrity check value
AH Header Format
Next Header (TCP/UDP) | Payload Length | Reserved
SPI
Sequence Number
Auth Data
Anti-Replay
• Message authentication code (MAC) calculated over
  – IP header fields that do not change or are predictable
  – IPSec protocol header minus where the ICV value goes
  – Upper-level data
• Code may be truncated to first 96 bits
Integrity Check Value - ICV
• Message authentication code (MAC) calculated over
  – IP header fields that do not change or are predictable
  – IPSec protocol header minus where the ICV value goes
  – Upper-level data
• Code may be truncated to first 96 bits
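The ICV computation above for an IPv4 transport-mode packet, as an added example that is not part of the original slides. It assumes HMAC-SHA1 as the MAC, a 20-byte IP header without options, and constructed addresses, SPI and key; all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12  # MAC truncated to its first 96 bits


def ipv4_header(src, dst, total_len, ttl):
    """20-byte IPv4 header without options; protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       51, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_header(spi, seq, next_header=6):
    """AH fixed part plus a zeroed Auth Data field (Next Header 6 = TCP)."""
    length = (12 + ICV_LEN) // 4 - 2          # AH size in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, length, 0, spi, seq) + bytes(ICV_LEN)


def icv_input(ip, ah, upper):
    """Bytes covered by the MAC: mutable IP fields and the ICV slot are zeroed."""
    ip = bytearray(ip)
    ip[1] = 0                   # TOS
    ip[6:8] = bytes(2)          # flags and fragment offset
    ip[8] = 0                   # TTL
    ip[10:12] = bytes(2)        # header checksum
    return bytes(ip) + ah[:12] + bytes(ICV_LEN) + upper


def compute_icv(key, ip, ah, upper):
    mac = hmac.new(key, icv_input(ip, ah, upper), hashlib.sha1).digest()
    return mac[:ICV_LEN]


def build(key, src, dst, ttl, spi, seq, upper):
    """Sender side: transport-mode packet = IP header + AH + upper-level data."""
    ah = ah_header(spi, seq)
    ip = ipv4_header(src, dst, 20 + len(ah) + len(upper), ttl)
    return ip + ah[:12] + compute_icv(key, ip, ah, upper) + upper


def verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip, ah, upper = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(ah[12:], compute_icv(key, ip, ah, upper))
```

A router decrementing the TTL leaves the ICV valid, while a change to the source address, the sequence number or the payload makes verification fail.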
AH Modes
• Tunnel
• Transport
• Nested headers
  – Multiple SAs applied to same message
  – Nested tunnels
Processing Outbound Messages
• Insert Next Header and SPI field
• Compute the sequence no. field
• If transport mode …
• If tunnel mode …
• Compute authentication value
Outbound Processing (cont’d)
• If transport mode
• If tunnel mode
• Compute authentication value
Outbound Processing (cont’d)
Fragment the Message
• IPSec processing may result in large message which will be fragmented
  – Transport mode
  – Tunnel mode
Input Processing
• Identify the inbound SA
• Replay protection check
Inbound Processing (cont’d)
• Verify authentication data
• Strip off the AH header and continue IPSec processing for any remaining IPSec headers
Replay Protection
• Sequence number checking
  – Anti-replay is used only if authentication is selected
  – Sequence number should be the first check on a packet upon looking up an SA
  – Duplicates are rejected!
[Figure: sliding window over sequence numbers starting at 0, window size >= 32. Labels: reject; check bitmap, verify if new; verify.]
Anti-replay Feature
• Sequence number counter - 32 bit for outgoing IPSec packets
• Anti-replay window
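The receiver-side sliding window from the Replay Protection and Anti-replay Feature slides, as an added example that is not part of the original slides. The class and function names are hypothetical, the arrival sequence is constructed, and updating the window only after the ICV verifies is standard AH receiver behaviour rather than something the slides state.

```python
class ReplayWindow:
    """Anti-replay state for one inbound SA (bitmap sliding window)."""

    def __init__(self, size=32):
        self.size = size      # window width; the slide asks for >= 32
        self.top = 0          # highest sequence number authenticated so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """First check after SA lookup; runs before the ICV is verified."""
        if seq == 0:
            return "reject"                   # senders start counting at 1
        if seq > self.top:
            return "verify"                   # right of the window: new
        offset = self.top - seq
        if offset >= self.size:
            return "reject"                   # left of the window: too old
        if (self.bitmap >> offset) & 1:
            return "reject"                   # inside the window, already seen
        return "verify"                       # inside the window, not yet seen

    def update(self, seq):
        """Record seq; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Inbound order: replay check, then ICV result, then window update."""
    if window.check(seq) == "reject":
        return "dropped: replay or too old"
    if not icv_ok:
        return "dropped: bad ICV"             # window state left untouched
    window.update(seq)
    return "accepted"


def demo():
    """Constructed arrivals: (sequence number, did the ICV verify?)."""
    w = ReplayWindow(size=32)
    arrivals = [(1, True), (3, True), (2, True), (3, True), (500, False),
                (40, True), (5, True), (9, True), (9, True)]
    return [receive(w, seq, ok) for seq, ok in arrivals]
```

The forged packet with sequence number 500 fails the ICV and does not move the window, so the genuine packet 40 that follows is still accepted.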
Internet Key Exchange (IKE)
Key Management
• AH and ESP require encryption and authentication keys
• Process to negotiate and establish IPSec SA’s between two entities
Manual Key Management
• Mandatory
• Useful when IPSec developers are debugging
• Keys exchanged offline (phone, email, etc.)
• Set up SPI and negotiate parameters
• Not scalable
Oakley Key Exchange
• Designed to
  – Leverage advantages of DH
  – Counter DH weaknesses
Oakley - Major Features
Cookies
Example: Main Mode Preshared
Initiator (I) → Responder (R): SA, CKY-I
Responder (R) → Initiator (I): SA, CKY-R
  Negotiate IKE SA parameters
I → R: NonceI, YI
R → I: NonceR, YR
  Exchange items to generate secret
  Generate SKEYID
I → R: IDI, HashI
R → I: IDR, HashR
  Send hash digest so peer can authenticate sender
Main Mode Preshared Hashes
• To authenticate each other, each entity generates a hash digest that only the peer could know
Hash-I = PRF(SKEYID, YI | YR | CKY-I | CKY-R | SA Offer | ID-I)
Hash-R = PRF(SKEYID, YR | YI | CKY-R | CKY-I | SA Offer | ID-R)
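Both sides of the hash exchange above, as an added example that is not part of the original slides. It assumes HMAC-SHA1 as the PRF and the pre-shared-key derivation SKEYID = prf(key, NonceI | NonceR) from RFC 2409; all byte values are constructed, the function names are hypothetical, and the encryption of the final two messages is omitted.

```python
import hashlib
import hmac


def prf(key, data):
    """Negotiated PRF; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid(psk, nonce_i, nonce_r):
    """Pre-shared key case of RFC 2409: SKEYID = prf(psk, NonceI | NonceR)."""
    return prf(psk, nonce_i + nonce_r)


def hash_i(sk, y_i, y_r, cky_i, cky_r, sa_offer, id_i):
    return prf(sk, y_i + y_r + cky_i + cky_r + sa_offer + id_i)


def hash_r(sk, y_i, y_r, cky_i, cky_r, sa_offer, id_r):
    # Responder's own values come first, so Hash-R is not a replay of Hash-I.
    return prf(sk, y_r + y_i + cky_r + cky_i + sa_offer + id_r)


# Constructed values standing in for what the first four messages carried.
SEEN = dict(y_i=b"\x11" * 32, y_r=b"\x22" * 32, cky_i=b"\xa1" * 8,
            cky_r=b"\xb2" * 8, sa_offer=b"constructed SA offer")
NONCE_I, NONCE_R = b"\x01" * 16, b"\x02" * 16
ID_I, ID_R = b"initiator.example", b"responder.example"


def run_exchange(psk_at_initiator, psk_at_responder):
    """Last two messages; returns (responder accepts I, initiator accepts R)."""
    sk_i = skeyid(psk_at_initiator, NONCE_I, NONCE_R)
    sk_r = skeyid(psk_at_responder, NONCE_I, NONCE_R)
    sent_hash_i = hash_i(sk_i, id_i=ID_I, **SEEN)       # initiator -> responder
    sent_hash_r = hash_r(sk_r, id_r=ID_R, **SEEN)       # responder -> initiator
    # Each peer recomputes the other's hash with its own SKEYID.
    r_accepts = hmac.compare_digest(sent_hash_i, hash_i(sk_r, id_i=ID_I, **SEEN))
    i_accepts = hmac.compare_digest(sent_hash_r, hash_r(sk_i, id_r=ID_R, **SEEN))
    return r_accepts, i_accepts
```

With matching keys both checks pass; if the two peers hold different pre-shared keys, their SKEYID values differ and both hashes are rejected.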
Phase II
• What traffic does SA cover?
• Initiator specifies which entries (selectors) in SPD are for this IPSec SA, sends off to responder
• Keys and SA attributes communicated with the Phase I - IKE SA
  – Passes encrypted & authenticated
Example: Quick Mode
Initiator (I) → Responder (R): HASH1, IPSec SA, NonceI, [New K]
Responder (R) → Initiator (I): HASH2, SA, NonceR, [New K]
  Negotiate IPSec SA Parameters, [PFS]
I → R: HASH3
  ‘Liveness’ proof for Responder