IPsec: Security Across the Protocol Stack
Brad Stephenson
CSCI NetProg
Network Security
• There are application-specific security mechanisms (e.g. S/MIME, PGP, Kerberos, SSL/HTTPS)
• But there are security concerns that cut across protocol layers
• Can we implement security in the network for all applications?
What is IPsec?
• A collection of tools and algorithms (protocols)
• General IP security mechanisms
• It provides:
  • authentication
  • confidentiality
  • key management
Services Provided by IPsec
• Authentication – ensure the identity of an entity
• Confidentiality – protection of data from unauthorized disclosure
• Key Management – generation, exchange, storage, safeguarding, etc. of keys in a public key cryptosystem
IPsec Services (detailed)
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (via encryption)
• Some traffic flow confidentiality (firewall to firewall)
Benefits of IPsec
• If implemented in a firewall or router, provides strong security to all traffic crossing the perimeter
• Resides below the transport layer, hence transparent to application layer
• Can be transparent to end users
• Note: Mandatory for IPv6 implementations
AH and ESP
• Authentication Header (AH) provides:
  • Data integrity
  • Authentication of IP packets
  • Prevents replay attacks
• Encapsulating Security Payload (ESP) provides:
  • Data confidentiality
  • Some traffic flow confidentiality
  • Authentication services of AH (optional)
Authentication Header (AH)
• Provides support for data integrity & authentication of IP packets
  • end system/router can authenticate user/app
  • prevents address spoofing attacks by tracking sequence numbers
• Based on use of a MAC
  • HMAC-MD5-96 or HMAC-SHA-1-96
  • Parties must share a secret key
Authentication Header
Figure 32.1, D. Comer
Figure 16-3, W. Stallings
Encapsulating Security Payload (ESP)
• Provides message content confidentiality & limited traffic flow confidentiality
• Can optionally provide the same authentication services as AH
• Supports many ciphers, modes, padding
  • DES, Triple-DES, RC5, IDEA, CAST, others
Encapsulating Security Payload
Figure 32.3, D. Comer
Figure 16-7, W. Stallings
Security Associations (SAs)
• A one-way relationship between sender & receiver that affords security for traffic flow
• Defined by 3 parameters:
  • Security Parameters Index (local identifier)
  • IP Destination Address
  • Security Protocol Identifier (AH or ESP)
• Each implementation of IPsec must keep a database of SAs
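The receive side of an AH SA as the last two slides describe it, written out as an added Python example (not code from the slides): the SA is looked up by the (SPI, destination address, protocol) triple, replayed sequence numbers are rejected, and the HMAC-SHA-1-96 integrity check value is verified with the shared key. The SAD contents, key, address and packet data are constructed.

```python
import hmac
import hashlib

# Constructed example: a minimal Security Association Database (SAD)
# keyed by (SPI, IP destination address, security protocol), and the
# inbound AH checks: replay rejection plus an HMAC-SHA-1-96 ICV check.
AH = 51  # IP protocol number of the Authentication Header

class SecurityAssociation:
    def __init__(self, key, window=64):
        self.key = key            # shared secret both parties must hold
        self.window = window      # anti-replay window size (packets)
        self.highest_seq = 0      # highest sequence number authenticated so far
        self.seen = set()         # authenticated sequence numbers inside the window

    def icv(self, data):
        # HMAC-SHA-1-96: HMAC-SHA-1 truncated to its first 96 bits (12 bytes)
        return hmac.new(self.key, data, hashlib.sha1).digest()[:12]

    def replay_ok(self, seq):
        # sliding-window check; state is not touched until the ICV verifies
        if seq <= 0 or seq in self.seen:
            return False
        return seq > self.highest_seq - self.window

    def accept(self, seq):
        # advance the window only for packets that authenticated
        if seq > self.highest_seq:
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        self.seen.add(seq)

def receive_ah(sad, spi, dst, seq, data, icv):
    """Return 'ok', 'no-sa', 'replay' or 'bad-icv' for one inbound AH packet."""
    sa = sad.get((spi, dst, AH))      # data = the fields the ICV covers
    if sa is None:
        return "no-sa"                # no matching SA: drop (and log) the packet
    if not sa.replay_ok(seq):
        return "replay"
    if not hmac.compare_digest(sa.icv(seq.to_bytes(4, "big") + data), icv):
        return "bad-icv"              # constant-time comparison of the ICV
    sa.accept(seq)
    return "ok"

# constructed sample SAD: one inbound AH SA for packets sent to 10.0.0.2
SAD = {(0x1000, "10.0.0.2", AH): SecurityAssociation(b"constructed-shared-key")}

def send_ah(spi, dst, seq, data):
    # sender side: compute the ICV with the same SA parameters
    return SAD[(spi, dst, AH)].icv(seq.to_bytes(4, "big") + data)
```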
Combining Security Associations
• SAs can implement either AH or ESP
• To implement both need to combine SAs into a security bundle
Combining Security Associations
Figure 16-10, W. Stallings
* = Implements IPsec
Transport vs. Tunnel Mode
• Transport mode
  • data protected but header left in clear
  • can do traffic analysis but is efficient
  • good for ESP host to host traffic
• Tunnel mode
  • add new header for next hop
  • hides end-host IP addresses through insecure networks
  • good for VPNs, gateway to gateway security
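The difference between the two modes shown as packet layouts, an added Python example that is not from the slides: in transport mode AH is inserted behind the original IP header, so the end hosts' addresses stay readable; in tunnel mode the whole original packet is wrapped in a new outer header that names only the gateways. Addresses, SPI values and the segment contents are constructed, and the ICV is a zero placeholder.

```python
import struct

# Constructed example: where the AH header and the outer IP header sit in
# transport mode versus tunnel mode, and what an observer on the path sees.
AH, TCP, IPIP = 51, 6, 4      # protocol numbers: AH, TCP, IP-in-IP

def ipv4_header(src, dst, proto, payload_len):
    # minimal 20-byte IPv4 header; checksum left at zero (never sent)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)

def ah_header(next_header, spi, seq, icv=b"\x00" * 12):
    # AH fields: next header, payload length (32-bit words minus 2),
    # reserved, SPI, sequence number, then the ICV (96-bit placeholder here)
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def transport_mode(src, dst, segment, spi, seq):
    # AH goes between the original IP header and the transport segment;
    # the end hosts' addresses stay in the clear
    ah = ah_header(TCP, spi, seq)
    return ipv4_header(src, dst, AH, len(ah) + len(segment)) + ah + segment

def tunnel_mode(gw_src, gw_dst, inner_packet, spi, seq):
    # the whole original packet is the payload; the new outer header carries
    # only the gateway addresses, so the end hosts are hidden in transit
    ah = ah_header(IPIP, spi, seq)
    return ipv4_header(gw_src, gw_dst, AH, len(ah) + len(inner_packet)) + ah + inner_packet

def visible_addresses(packet):
    # what a passive observer reads from the outermost IP header
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[9]

def ah_next_header(packet):
    # the AH "next header" byte, directly after the 20-byte IP header
    return packet[20]
```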
Transport & Tunnel Modes
Figure 16-8, W. Stallings
So you wanna try it?
• Implemented in OS kernel
• Non-trivial to understand
So you wanna try it?
• Linux
  • racoon
  • openswan (openswan.org)
  • Free S/WAN (freeswan.org)
• Unix
  • man ipsec
• Windows
  • mmc (Microsoft Management Console)
Linux
• Must specify a security policy in kernel
  • Who do you trust?
• racoon
  • Key management daemon
• Free S/WAN
  • IPsec implementation for Linux
• openswan
  • Another IPsec implementation for Linux
Unix
• System-wide IPsec policy is enforced in the ip(7P) driver
• Use ndd to alter /dev/ip at the system level
• Or specify per-socket options
Unix Socket Options
```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/pfkeyv2.h>   /* Solaris: defines ipsec_req_t */
/* .... socket setup */
ipsec_req_t ipsec_req = { 0 };   /* fill in the ipsr_* fields for the policy wanted */
rc = setsockopt(sock, IPPROTO_IP, IP_SEC_OPT, (const char *)&ipsec_req, sizeof (ipsec_req_t));
if (rc < 0)
    perror("setsockopt(IP_SEC_OPT)");   /* policy not applied: do not send in the clear */
```
ipsec_req
```c
/* from <net/pfkeyv2.h> (Solaris) */
typedef struct ipsec_req {
    uint_t  ipsr_ah_req;          /* AH request */
    uint_t  ipsr_esp_req;         /* ESP request */
    uint_t  ipsr_self_encap_req;  /* Self-Encap request */
    uint8_t ipsr_auth_alg;        /* Auth algs for AH */
    uint8_t ipsr_esp_alg;         /* Encr algs for ESP */
    uint8_t ipsr_esp_auth_alg;    /* Auth algs for ESP */
} ipsec_req_t;
```
Windows XP
• Type mmc at a command line
• Add snap-in IPsec Policy
• Edit the policy as you see fit
Summary
• IPsec is a collection of protocols that provide low-level network security
• The last specification was published in 1998 and is currently being revised as an Internet Draft
• Required for IPv6
• Currently the most popular use is for implementing VPNs
References
• RFC 2401 “Security Architecture for the Internet Protocol”
• Internet Draft, Dec 2004, “Security Architecture for the Internet Protocol”
• Cryptography and Network Security, W. Stallings, Chap. 16 “IP Security”
• Internetworking with TCP/IP Vol. 1, D. Comer, Chap. 32 “Internet Security”