11

IPSec—An OverviewIPSec—An Overview

Somesh JhaSomesh Jha University of WisconsinUniversity of Wisconsin

22

OutlineOutline

why IPSec?why IPSec? IPSec ArchitectureIPSec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPSec PolicyIPSec Policy discussiondiscussion

33

IP is not Secure!IP is not Secure!

IP protocol was designed in the late IP protocol was designed in the late 70s to early 80s70s to early 80s– Part of DARPA Internet ProjectPart of DARPA Internet Project– Very small networkVery small network

All hosts are known!All hosts are known! So are the users!So are the users! Therefore, security was not an issueTherefore, security was not an issue

44

Security Issues in IPSecurity Issues in IP

source spoofingsource spoofing replay packetsreplay packets no data integrity or no data integrity or

confidentialityconfidentiality

• DOS attacks• Replay attacks• Spying• and more…

Fundamental Issue: Networks are not (and will never be)

fully secure

55

Goals of IPSecGoals of IPSec

to verify sources of IP packetsto verify sources of IP packets– authenticationauthentication

to prevent replaying of old packetsto prevent replaying of old packets to protect integrity and/or to protect integrity and/or

confidentiality of packetsconfidentiality of packets– data Integrity/Data Encryptiondata Integrity/Data Encryption

66

OutlineOutline

Why IPsec?Why IPsec? IPSec ArchitectureIPSec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPsec PolicyIPsec Policy DiscussionDiscussion

77

The IPSec Security ModelThe IPSec Security Model

Secure

Insecure

88

IPSec ArchitectureIPSec Architecture

ESP AH

IKE

IPSec Security Policy

Encapsulating SecurityPayload

Authentication Header

The Internet Key Exchange

99

IPSec ArchitectureIPSec Architecture

IPSec provides security in three situations:– Host-to-host, host-to-gateway and

gateway-to-gateway IPSec operates in two modes:

– Transport mode (for end-to-end)– Tunnel mode (for VPN)

1010

IPsec ArchitectureIPsec Architecture

Tunnel Mode

Router Router

Transport Mode

1111

Various PacketsVarious Packets

IP header

IP header

IP header

TCP header

TCP header

TCP header

data

data

data

IPSec header

IPSec header IP header

Original

Transportmode

Tunnelmode

1212

IPSecIPSec

A collection of protocols (RFC 2401)A collection of protocols (RFC 2401)– Authentication Header (AH)Authentication Header (AH)

RFC 2402RFC 2402– Encapsulating Security Payload (ESP)Encapsulating Security Payload (ESP)

RFC 2406RFC 2406– Internet Key Exchange (IKE)Internet Key Exchange (IKE)

RFC 2409RFC 2409– IP Payload Compression (IPcomp)IP Payload Compression (IPcomp)

RFC 3137RFC 3137

1313

Authentication Header Authentication Header (AH)(AH)

Provides source authenticationProvides source authentication– Protects against source spoofingProtects against source spoofing

Provides data integrityProvides data integrity Protects against replay attacksProtects against replay attacks

– Use monotonically increasing sequence Use monotonically increasing sequence numbersnumbers

– Protects against denial of service attacksProtects against denial of service attacks NO protection for confidentiality!NO protection for confidentiality!

1414

AH DetailsAH Details

Use 32-bit monotonically increasing Use 32-bit monotonically increasing sequence number to avoid replay sequence number to avoid replay attacksattacks

Use cryptographically strong hash Use cryptographically strong hash algorithms to protect data integrity algorithms to protect data integrity (96-bit)(96-bit)– Use symmetric key cryptographyUse symmetric key cryptography– HMAC-SHA-96, HMAC-MD5-96 HMAC-SHA-96, HMAC-MD5-96

1515

AH Packet DetailsAH Packet Details

Authentication Data

Sequence Number

Security Parameters Index (SPI)

Nextheader

Payloadlength Reserved

Old IP header (only in Tunnel mode)TCP header

New IP header

Authenticated

Data

EncapsulatedTCP or IP packet

Hash of everythingelse

1616

Encapsulating Security Encapsulating Security Payload (ESP)Payload (ESP)

Provides all that AH offers, andProvides all that AH offers, and in addition provides in addition provides data data

confidentialityconfidentiality– Uses symmetric key encryptionUses symmetric key encryption

1717

ESP DetailsESP Details

Same as AH:Same as AH:– Use 32-bit sequence number to counter Use 32-bit sequence number to counter

replaying attacksreplaying attacks– Use integrity check algorithmsUse integrity check algorithms

Only in ESP:Only in ESP:– Data confidentiality:Data confidentiality:

Uses symmetric key encryption algorithms Uses symmetric key encryption algorithms to encrypt packetsto encrypt packets

1818

ESP Packet DetailsESP Packet Details

Authentication Data

Sequence Number

Security Parameters Index (SPI)

Nextheader

Payloadlength Reserved

TCP header

Authenticated

IP header

Initialization vector

Data

Pad Pad length Next

Encrypted TCP packet

1919

Question?Question?

1.1. Why have both AH and ESP?Why have both AH and ESP?2.2. Both AH and ESP use symmetric Both AH and ESP use symmetric

key based algorithmskey based algorithms– Why not public-key cryptography?Why not public-key cryptography?– How are the keys being exchanged?How are the keys being exchanged?– What algorithms should we use?What algorithms should we use?– Similar to deciding on the ciphersuite Similar to deciding on the ciphersuite

in SSLin SSL

2020

OutlineOutline

Why IPsec?Why IPsec? IPsec ArchitectureIPsec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPsec PolicyIPsec Policy DiscussionDiscussion

2121

Internet Key Exchange Internet Key Exchange (IKE)(IKE)

Exchange and negotiate security Exchange and negotiate security policies policies

Establish security sessionsEstablish security sessions– Identified as Identified as Security AssociationsSecurity Associations

Key exchangeKey exchange Key managementKey management Can be used outside IPsec as wellCan be used outside IPsec as well

2222

IPsec/IKE AcronymsIPsec/IKE Acronyms

Security Association (SA)Security Association (SA)– Collection of attribute associated with a Collection of attribute associated with a

connectionconnection– Is Is asymmetric!asymmetric!

One SA for inbound traffic, another SA for One SA for inbound traffic, another SA for outbound trafficoutbound traffic

Similar to ciphersuites in SSLSimilar to ciphersuites in SSL Security Association Database (SADB)Security Association Database (SADB)

– A database of SAsA database of SAs

2323

IPsec/IKE AcronymsIPsec/IKE Acronyms

Security Parameter Index (SPI)Security Parameter Index (SPI)– A unique index for each entry in the A unique index for each entry in the

SADBSADB– Identifies the SA associated with a Identifies the SA associated with a

packetpacket Security Policy Database (SPD)Security Policy Database (SPD)

– Store policies used to establish SAsStore policies used to establish SAs

2424

How They Fit TogetherHow They Fit Together

SPD

SADBSA-2

SPI

SPI

SA-1

2525

SPD and SADB ExampleSPD and SADB Example

FromFrom ToTo ProtocolProtocol PortPort PolicyPolicyAA BB AnyAny AnyAny AH[HMAC-MD5]AH[HMAC-MD5]

Tunnel Mode

Transport Mode

A C B

A’s SPD

FromFrom ToTo ProtocolProtocol SPISPI SA RecordSA RecordAA BB AHAH 1212 HMAC-MD5 keyHMAC-MD5 key

A’s SADB

D

FromFrom ToTo ProtocolProtocol PortPort PolicyPolicy Tunnel DestTunnel DestAnyAny AnyAny ESP[3DES]ESP[3DES] DD C’s SPD

FromFrom ToTo ProtocolProtocol SPISPI SA RecordSA RecordESPESP 1414 3DES key3DES key

C’s SADB

Asub Bsub

Asub Bsub

2626

How It WorksHow It Works

IKE operates in two phasesIKE operates in two phases– Phase 1:Phase 1: negotiate and establish an auxiliary negotiate and establish an auxiliary

end-to-end secure channelend-to-end secure channel Used by subsequent phase 2 negotiationsUsed by subsequent phase 2 negotiations Only established once between two end points!Only established once between two end points!

– Phase 2:Phase 2: negotiate and establish custom negotiate and establish custom secure channelssecure channels

Occurs multiple timesOccurs multiple times– Both phases use Diffie-Hellman key exchange Both phases use Diffie-Hellman key exchange

to establish a shared keyto establish a shared key

2727

IKE Phase 1IKE Phase 1

Goal:Goal: to establish a secure channel to establish a secure channel between two end pointsbetween two end points– This channel provides basic security This channel provides basic security

features:features: Source authenticationSource authentication Data integrity and data confidentialityData integrity and data confidentiality Protection against replay attacksProtection against replay attacks

2828

IKE Phase 1IKE Phase 1

Rationale:Rationale: each application has each application has different security requirementsdifferent security requirements

But they all need to negotiate But they all need to negotiate policies and exchange keys!policies and exchange keys!

So, provide the basic security So, provide the basic security features and allow application to features and allow application to establish custom sessionsestablish custom sessions

2929

ExamplesExamples

All packets sent to address All packets sent to address mybank.commybank.com must be encrypted using must be encrypted using 3DES with HMAC-MD5 integrity 3DES with HMAC-MD5 integrity checkcheck

All packets sent to address All packets sent to address www.forum.comwww.forum.com must use integrity must use integrity check with HMAC-SHA1 (no check with HMAC-SHA1 (no encryption is required)encryption is required)

3030

Phase 1 ExchangePhase 1 Exchange

Can operate in two modes:Can operate in two modes:– Main modeMain mode

Six messages in three round tripsSix messages in three round trips More optionsMore options

– Quick modeQuick mode Four messages in two round tripsFour messages in two round trips Less optionsLess options

3131

Phase 1 (Main Mode)Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

3232

Phase 1 (Main Mode)Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA2]

Establish vocabulary for further communication

3333

Phase 1 (Main Mode)Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA2][Header, KE, Ni, {Cert_Reg} ]

3434

Phase 1 (Main Mode)Phase 1 (Main Mode)

Initiator Responder

Header, SA1

[Header, SA1]

[Header, KE, Ni { , Cert_Req} ]

[Header, KE, Nr {, Cert_Req}]

Establish secret key using Diffie-Hellman key exchangeUse nonces to prevent replay attacks

3535

Phase 1 (Main Mode)Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {,Cert_Req} ]

[Header, KE, Nr {,Cert_Req}]

[Header, IDi, {CERT} sig]

3636

Phase 1 (Main Mode)Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {, Cert_req}]

[Header, KE, Nr {, Cert_req}]

[Header, IDi, {CERT} sig]

[Header, IDr, {CERT} sig]

Signed hash of IDi (without Cert_req , just send the hash)

3737

Phase 1 (Aggressive Mode)Phase 1 (Aggressive Mode)

Initiator Responder

[Header, SA1, KE, Ni, IDi]

3838

Phase 1 (Aggressive Mode)Phase 1 (Aggressive Mode)

Initiator Responder

[Header, SA1, KE, Ni, IDi]

[Header, SA2, KE, Nr, IDr, [Cert]sig]

[Header, [Cert]sig]

First two messages combined into one(combine Hello and DH key exchange)

3939

IPSec (Phase 1)IPSec (Phase 1)

Four different way to authenticate Four different way to authenticate (either mode)(either mode)– Digital signatureDigital signature– Two forms of authentication with Two forms of authentication with

public key encryptionpublic key encryption– Pre-shared keyPre-shared key

NOTE:NOTE: IKE does use public-key IKE does use public-key based cryptography for encryptionbased cryptography for encryption

4040

IPSec (Phase 2)IPSec (Phase 2)

Goal:Goal: to establish custom secure to establish custom secure channels between two end pointschannels between two end points– End points are identified by <IP, port>:End points are identified by <IP, port>:

e.g. e.g. <www.mybank.com, 8000><www.mybank.com, 8000> – Or by packet:Or by packet:

e.g. All packets going to e.g. All packets going to 128.124.100.0/24128.124.100.0/24– Use the secure channel established in Use the secure channel established in

Phase 1 for communicationPhase 1 for communication

4141

IPSec (Phase 2)IPSec (Phase 2)

Only one mode:Only one mode: Quick Mode Quick Mode Multiple quick mode exchanges can Multiple quick mode exchanges can

be multiplexedbe multiplexed Generate SAs for two end pointsGenerate SAs for two end points Can use secure channel established Can use secure channel established

in phase 1in phase 1

4242

IP Payload CompressionIP Payload Compression

Used for compressionUsed for compression Can be specified as part of the Can be specified as part of the

IPSec policyIPSec policy Will not cover!Will not cover!

4343

OutlineOutline

Why IPsec?Why IPsec? IPsec ArchitectureIPsec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPSec PolicyIPSec Policy DiscussionDiscussion

4444

IPsec PolicyIPsec Policy

Phase 1 policies are defined in terms of Phase 1 policies are defined in terms of protection suitesprotection suites

Each protection suiteEach protection suite– Must contain the following:Must contain the following:

Encryption algorithmEncryption algorithm Hash algorithmHash algorithm Authentication methodAuthentication method Diffie-Hellman GroupDiffie-Hellman Group

– May optionally contain the following:May optionally contain the following: LifetimeLifetime ……

4545

IPSec PolicyIPSec Policy

Phase 2 policies are defined in terms of Phase 2 policies are defined in terms of proposalsproposals

Each proposal:Each proposal:– May contain one or more of the followingMay contain one or more of the following

AH sub-proposalsAH sub-proposals ESP sub-proposalsESP sub-proposals IPComp sub-proposalsIPComp sub-proposals Along with necessary attributes such asAlong with necessary attributes such as

– Key length, life time, etcKey length, life time, etc

4646

IPSec Policy ExampleIPSec Policy Example

In English: In English: – All traffic to 128.104.120.0/24 must be:All traffic to 128.104.120.0/24 must be:

Use pre-hashed key authenticationUse pre-hashed key authentication DH group is MODP with 1024-bit modulusDH group is MODP with 1024-bit modulus Hash algorithm is HMAC-SHA (128 bit key)Hash algorithm is HMAC-SHA (128 bit key) Encryption using 3DESEncryption using 3DES

In IPSec:In IPSec:– [Auth=Pre-Hash; [Auth=Pre-Hash;

DH=MODP(1024-bit); DH=MODP(1024-bit); HASH=HMAC-SHA; HASH=HMAC-SHA; ENC=3DES] ENC=3DES]

4747

IPsec Policy ExampleIPsec Policy Example

In English:In English:– All traffic to 128.104.120.0/24 must use one All traffic to 128.104.120.0/24 must use one

of the following:of the following: AH with HMAC-SHA or,AH with HMAC-SHA or, ESP with 3DES as encryption algorithm and ESP with 3DES as encryption algorithm and

(HMAC-MD5 or HMAC-SHA as hashing algorithm)(HMAC-MD5 or HMAC-SHA as hashing algorithm) In IPsec:In IPsec:

– [AH: HMAC-SHA] or, [AH: HMAC-SHA] or, – [ESP: (3DES and HMAC-MD5) or [ESP: (3DES and HMAC-MD5) or

(3DES and HMAC-SHA)] (3DES and HMAC-SHA)]

4848

Virtual Private Networks Virtual Private Networks (VPNs)(VPNs)

VirtualVirtual– It is not a physically distinct networkIt is not a physically distinct network

PrivatePrivate– Tunnels are encrypted to provide Tunnels are encrypted to provide

confidentialityconfidentiality CS dept might have a VPNCS dept might have a VPN

– I can be on this VPN while travelingI can be on this VPN while traveling

4949

Alice is TravelingAlice is Traveling

AliceAlice works for the mergers and works for the mergers and acquisitions (M&A) department of acquisitions (M&A) department of takeover.comtakeover.com

She is at She is at HicktownHicktown taking over a taking over a meat-packing plantmeat-packing plant

She wants to access the M&A She wants to access the M&A server at her company server at her company (confidentially of course)(confidentially of course)

5050

Alice is TravelingAlice is Traveling

5151

OutlineOutline

Why IPsec?Why IPsec? IPsec ArchitectureIPsec Architecture Internet Key Exchange (IKE)Internet Key Exchange (IKE) IPsec PolicyIPsec Policy DiscussionDiscussion

5252

DiscussionDiscussion

IPSec is not the only solution!IPSec is not the only solution!– Security features can be added on top Security features can be added on top

of IP!of IP! e.g. Kerberos, SSLe.g. Kerberos, SSL

Confused?Confused?– IP, IPSec protocols are very complex!IP, IPSec protocols are very complex!

Two modes, three sub protocolsTwo modes, three sub protocols– Complexity is the biggest enemy of Complexity is the biggest enemy of

securitysecurity

5353

DiscussionDiscussion Has it been used?Has it been used?

– Yes—primarily used by some VPN Yes—primarily used by some VPN vendorsvendors But not all routers support itBut not all routers support it

– No—it is not really an end-to-end No—it is not really an end-to-end solutionsolution Authentication is too coarse (host based)Authentication is too coarse (host based) Default encryption algorithm too weak Default encryption algorithm too weak

(DES)(DES) Too complex for applications to useToo complex for applications to use

5454

ResourcesResources

IP, IPsec and related RFCs:IP, IPsec and related RFCs:– http://www.ietf.org/html.charters/ipsec-charter.htmlhttp://www.ietf.org/html.charters/ipsec-charter.html– IPsec: RFC 2401, IKE: RFC 2409IPsec: RFC 2401, IKE: RFC 2409– www.freeswan.orgwww.freeswan.org

Google searchGoogle search