implementing and testing ipsec: nist’s contributions and future developments sheila frankel...
TRANSCRIPT
Implementing and Testing IPsec:NIST’s Contributions
and Future Developments
Sheila FrankelSystems and Network Security Group
NIST
RSA 2000 - Jan. 20, 2000
2
IPsec : Security a) foundation : house b) hammer : nail c) electron : chemistry d) government : progress
An SAT-type Analogy:The Question
RSA 2000 - Jan. 20, 2000
3
Topics
• Overview of IPsec
• NIST’s IPsec Reference Implementations
• NIST’s IPsec Web-Based Interoperability Tester (IPsec-WIT)
• Current Status of IPsec
• Future Directions of IPsec
RSA 2000 - Jan. 20, 2000
4
At Which Network Layer Should Security Be Provided?
• Application Layer
• Transport (Sockets) Layer
• Internet Layer
RSA 2000 - Jan. 20, 2000
5
Why Internet Layer Security?
• Implement once, in a consistent manner, for multiple applications
• Centrally-controlled access policy
• Enable multi-level, layered approach to security
RSA 2000 - Jan. 20, 2000
7
Types of Security Provided by IPsec
• Data Origin Authentication
• Connectionless Integrity
• Replay Protection
• Confidentiality (Encryption)
• Traffic Flow Confidentiality
RSA 2000 - Jan. 20, 2000
8
Authentication Header (AH)
• Data origin authentication• Connectionless integrity• Replay protection (optional)• Transport or tunnel mode• Mandatory algorithms:
– HMAC-MD5
– HMAC-SHA1
– Other algorithms optional
RSA 2000 - Jan. 20, 2000
9
Internet Packet Format with AH
IP
Header
AH
Header
Upper Protocol Headers
and Packet Data
Tunnel Mode
New IP
Header
Old IP
Header
AH
Header
Upper Protocol Headers
and Packet Data
Transport Mode
RSA 2000 - Jan. 20, 2000
10
Encapsulating Security Payload (ESP)
• Confidentiality
• Limited traffic flow confidentiality (tunnel mode only)
• Data origin authentication
• Connectionless integrity
• Replay protection (optional)
• Transport or tunnel mode
RSA 2000 - Jan. 20, 2000
11
Encapsulating Security Payload (ESP) (continued)
• Mandatory algorithms:– DES-CBC
– HMAC-MD5
– HMAC-SHA1
– Null Authentication algorithm
– Null Encryption algorithm
– Other algorithms optional
RSA 2000 - Jan. 20, 2000
12
Internet Packet Format with ESP
IP
Header
ESP
Header
Upper Protocol Headers
and Packet Data
Tunnel Mode
New IP
Header
Old IP
Header
ESP
Header
Upper Protocol Headers
and Packet Data
Transport Mode
RSA 2000 - Jan. 20, 2000
14
Constructs Underlying IP Security
• Security Association (SA)
• Security Association Database (SAD)
• Security Parameter Index (SPI)
• Security Policy Database (SPD)
RSA 2000 - Jan. 20, 2000
15
Internet Key Exchange (IKE)
• Negotiate:– Communication Parameters– Security Features
• Authenticate Communicating Peer
• Protect Identity
• Generate, Exchange, and Establish Keys in a Secure Manner
• Delete Security Associations
RSA 2000 - Jan. 20, 2000
16
Internet Key Exchange (IKE) (continued)
• Threat Mitigation– Denial of Service
– Replay
– Man in Middle
– Perfect Forward Secrecy
• Usable by IPsec and other domains
RSA 2000 - Jan. 20, 2000
17
Internet Key Exchange (IKE) (continued)
• Components:– Internet Security Association and Key
Management Protocol (ISAKMP)
– Internet Key Exchange (IKE, aka ISAKMP/Oakley)
– IP Security Domain of Interpretation (IPsec DOI)
RSA 2000 - Jan. 20, 2000
18
IKE Negotiations - Phase 1
• Purpose: Establish ISAKMP SA (“Secure Channel”)
• Steps (4-6 messages exchanged):– Negotiate Security Parameters
– Diffie-Hellman Exchange
– Authenticate Identities
• Main Mode vs. Aggressive Mode
RSA 2000 - Jan. 20, 2000
19
IKE Negotiations - Phase 2
• Purpose: Establish IPsec SA
• Steps (3-5 messages exchanged):– Negotiate Security Parameters
– Optional Diffie-Hellman Exchange
– Final Verification
• Quick Mode
RSA 2000 - Jan. 20, 2000
20
NIST’s Contributions to IPsec
• Cerberus - Linux-based reference implementation of Ipsec
• PlutoPlus - Linux-based reference implementation of IKE
• IPsec-WIT - Web-based IPsec interoperability test facility
RSA 2000 - Jan. 20, 2000
21
NIST’s Contributions to Ipsec (continued)
• Goals:– Enable smaller industry vendors to jump-start
their entry into IPsec
– Facilitate ongoing interoperability testing of multiple IPsec implementations
RSA 2000 - Jan. 20, 2000
22
IPsec-WIT: Motivation
• Inter-operability of multiple implementations essential for IPsec to succeed
• Existing test modalities– Interoperability “Bake-offs”
– Pre-planned Web-based interoperability testing
• Needed: spontaneous Web-based testing
RSA 2000 - Jan. 20, 2000
23
User-Related Objectives
• Accessible from remote locations
• Available at any time
• Require no modification to the tester’s IPsec implementation
• Allow testers to resume testing at a later time
• Configurable
• Well-documented
• Easy to use
RSA 2000 - Jan. 20, 2000
24
Implementation Objectives
• Simultaneous access by multiple users
• Rapid, modular implementation
• Easily modified and expanded as IPsec/IKE specifications evolve
• Built around NIST’s IPsec/IKE Reference Implementations, Cerberus and PlutoPlus
RSA 2000 - Jan. 20, 2000
25
Implementation Objectives(continued)
• Require minimal changes to Cerberus and PlutoPlus
• Operator intervention not required
26RSA 2000 - Jan. 20, 2000
IPsec-WIT Architecture
IUT
WWW-based Tester Control (HTML/CGI)
IPsec EncapsulatedIP Packets
Local IUTConfiguration
IPsec WITIPsec WIT
Linux Kernel
HTML Docs., Forms,HTML Docs., Forms,and HTTP Serverand HTTP Server
IP + IP + NIST CerberusNIST Cerberus
PERL CGIPERL CGITest EngineTest Engine
TestTestSuitesSuites
Manual SAs and IP/IPsecPacket Traces
NIST NIST PlutoPlusPlutoPlus
Negotiated SAs and SA mgmt.messages
Message loggingandIKE Configuration
Web Browser
IKE Negotiation
StateStateFilesFiles
RSA 2000 - Jan. 20, 2000
27
Implementation
• Perl cgi-bin tester
• HTML forms
• Executable test cases
• Output– PlutoPlus: tracing the IKE negotiation
– Cerberus: dumping the ping packets
– expect command: color-coded output
RSA 2000 - Jan. 20, 2000
28
Implementation(continued)
• Individual tester files– Tester-specific parameters
– Tester’s individual output
– Storage and expiration
RSA 2000 - Jan. 20, 2000
29
Current Capabilities
• Key establishment: manual or IKE negotiation
• IKE negotiation: Initiator or Responder
• Peer authentication: pre-shared secrets
• ISAKMP hash: MD5 or SHA
• ISAKMP encryption: DES or 3DES
• Diffie-Hellman exchange: 1st Oakley group
RSA 2000 - Jan. 20, 2000
30
Current Capabilities(continued)
• Configurable port for IKE negotiation
• IPsec AH algorithms: HMAC-MD5 or HMAC-SHA1
• IPsec ESP algorithms: – Encryption: DES, 3DES, IDEA, RC5, Blowfish,
or ESP-Null
– Authentication (optional): HMAC-MD5 or HMAC-SHA1
– Variable key length for RC5 and Blowfish
RSA 2000 - Jan. 20, 2000
31
Current Capabilities(continued)
• IPsec encapsulation mode: transport or tunnel
• Perfect Forward Secrecy (PFS)
• Verbosity of IKE/IPsec output configurable
• IPsec SA tested using “ping” command
• Transport-mode SA: host-to-host
RSA 2000 - Jan. 20, 2000
32
Current Capabilities(continued)
• Tunnel-mode SA:host-to-host or host-to-gateway– Host-to-gateway SA tests communications
with tester’s host behind gateway
• Sample test cases for testers without a working IKE/IPsec implementation
• Current/cumulative test results can be viewed via browser or emailed to tester
RSA 2000 - Jan. 20, 2000
33
Limitations
• Re-keying
• Crash/disaster recovery
• Complex policy-related scenarios
RSA 2000 - Jan. 20, 2000
34
Lessons Learned
• Voluntary interoperability testing is useful and used
• Interoperability tests can also serve as conformance tests
• Stateful protocols can be tested using a Web-based tester
• “Standard” features are more useful than “cutting edge”
RSA 2000 - Jan. 20, 2000
35
Lessons Learned(continued)
• Some human intervention is required
• Productive and informative multi-protocol interaction is challenging
• Users do the “darnedest” - and most unexpected - things
RSA 2000 - Jan. 20, 2000
36
Future Horizons - PlutoPlus
• Additional Diffie-Hellman groups
• More complex policy options– Multiple proposals
– Adjacent SA’s
– Nested SA’s
• Peer authentication: public key
• PKI interaction and certificate exchanges
RSA 2000 - Jan. 20, 2000
37
Future Horizons - IPsec-WIT
• Test IPsec SA’s with UDP/TCP connections, rather than ICMP
• Better diagnostics from underlying protocols
RSA 2000 - Jan. 20, 2000
39
Current Status of IPsec
• Basic IPsec and IKE functionality defined in RFC’s
• Add-ons and additional functionality defined in Internet Drafts
• Numerous IPsec implementations in hardware and software
• Periodic interoperability/conformance testing at IPsec “Bake-offs”
RSA 2000 - Jan. 20, 2000
40
Current Status of IPsec (continued)
• Deployed in Auto Industry Networks (ANX and ENX)
• Used for Virtual Private Networks (VPNs)
RSA 2000 - Jan. 20, 2000
41
Future Directions of IPsec
• PKI profiles for IPsec
• Policy configuration and control (IPSP)
• Secure remote access (IPSRA)
• Transport-friendly ESP (TF-ESP)
RSA 2000 - Jan. 20, 2000
43
Contact/Usage Information
• IPsec-WIT: http://ipsec-wit.antd.nist.gov
• Cerberus documentation: http://www.antd.nist.gov/cerberus
• PlutoPlus documentation: http://ipsec-wit.antd.nist.gov/newipsecdoc/pluto.html
• For further information, contact:– Sheila Frankel: [email protected]
– Rob Glenn: [email protected]