![Outbound Packet Processing
Form ESP header
Form ESP header
Security parameter index (SPI)
Security parameter index (SPI)
Sequence number
Sequence number
Pad as necessary
Pad as necessary
Encrypt result [payload, padding, pad length,
Encrypt result [payload, padding, pad length,
next header]
next header]
Apply authentication (optional)
Apply authentication (optional)
Allow rapid detection of replayed/bogus packets
Allow rapid detection of replayed/bogus packets
Integrity Check Value (ICV) includes whole ESP
Integrity Check Value (ICV) includes whole ESP
packet minus
packet minus authentication data
authentication data field
field](https://image.slidesharecdn.com/ipsec-240827122005-21738fca/85/ipsec-internet-security-in-network-and-system-ppt-26-320.jpg)
![Inbound Packet Processing...
Sequence number checking
Sequence number checking
Duplicates are rejected!
Duplicates are rejected!
Packet decryption
Packet decryption
Decrypt quantity [ESP payload,padding,pad
Decrypt quantity [ESP payload,padding,pad
length,next header] per SA specification
length,next header] per SA specification
Processing (stripping) padding per encryption
Processing (stripping) padding per encryption
algorithm
algorithm
Reconstruct the original IP datagram
Reconstruct the original IP datagram
Authentication verification (optional)
Authentication verification (optional)
Allow potential parallel processing - decryption
Allow potential parallel processing - decryption
& verifying authentication code
& verifying authentication code](https://image.slidesharecdn.com/ipsec-240827122005-21738fca/85/ipsec-internet-security-in-network-and-system-ppt-28-320.jpg)
ipsec internet security in network and system.ppt
- 1. IP Security
- 2. IP Security Have a range of application specific Have a range of application specific security mechanisms security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that However there are security concerns that cut across protocol layers cut across protocol layers Would like security implemented by the Would like security implemented by the network for all applications network for all applications
- 3. IPSec General IP Security mechanisms General IP Security mechanisms Provides Provides authentication authentication confidentiality confidentiality key management key management Applicable to use over LANs, across public Applicable to use over LANs, across public & private WANs, & for the Internet & private WANs, & for the Internet
- 4. IPSec Uses
- 5. Benefits of IPSec In a firewall/router provides strong security to In a firewall/router provides strong security to all traffic crossing the perimeter all traffic crossing the perimeter In a firewall/router is resistant to bypass In a firewall/router is resistant to bypass Is below transport layer, hence transparent to Is below transport layer, hence transparent to applications applications Can be transparent to end users Can be transparent to end users Can provide security for individual users Can provide security for individual users Secures routing architecture Secures routing architecture
- 6. IP Security Architecture Specification is quite complex Specification is quite complex Defined in numerous RFC’s Defined in numerous RFC’s incl. RFC 2401/2402/2406/2408 incl. RFC 2401/2402/2406/2408 many others, grouped by category many others, grouped by category Mandatory in IPv6, optional in IPv4 Mandatory in IPv6, optional in IPv4 Have two security header extensions: Have two security header extensions: Authentication Header (AH) Authentication Header (AH) Encapsulating Security Payload (ESP) Encapsulating Security Payload (ESP)
- 7. Architecture & Concepts Tunnel vs. Transport mode Tunnel vs. Transport mode Security association (SA) Security association (SA) Security parameter index (SPI) Security parameter index (SPI) Security policy database (SPD) Security policy database (SPD) SA database (SAD) SA database (SAD) Authentication header (AH) Authentication header (AH) Encapsulating security payload (ESP) Encapsulating security payload (ESP) Practical Issues w/ NAT Practical Issues w/ NAT
- 8. A B Encrypted Tunnel Gateway 1 Gateway 2 New IP Header AH or ESP Header TCP Data Orig IP Header Encrypted Unencrypted Unencrypted Transport Mode vs. Tunnel Mode Transport mode: host -> host Transport mode: host -> host Tunnel mode: host->gateway or gateway->gateway Tunnel mode: host->gateway or gateway->gateway
- 9. Transport Mode ESP protects higher layer payload only ESP protects higher layer payload only AH can protect IP headers as well as higher AH can protect IP headers as well as higher layer payload layer payload IP header IP options IPSec header Higher layer protocol ESP AH Real IP destination
- 10. Tunnel Mode ESP applies only to the tunneled packet ESP applies only to the tunneled packet AH can be applied to portions of the outer AH can be applied to portions of the outer header header Outer IP header Inner IP header IPSec header Higher layer protocol ESP AH Real IP destination Destination IPSec entity
- 11. Security Association - SA Defined by 3 parameters: Defined by 3 parameters: Security Parameters Index (SPI) Security Parameters Index (SPI) IP Destination Address IP Destination Address Security Protocol Identifier Security Protocol Identifier Have a database of Security Associations Have a database of Security Associations Determine IPSec processing for senders Determine IPSec processing for senders Determine IPSec decoding for destination Determine IPSec decoding for destination SAs are not fixed! Generated and customized per SAs are not fixed! Generated and customized per traffic flows traffic flows
- 12. Security Parameters Index - SPI Can be up to 32 bits large Can be up to 32 bits large The SPI allows the destination to select the The SPI allows the destination to select the correct SA under which the received packet correct SA under which the received packet will be processed will be processed According to the agreement with the sender According to the agreement with the sender The SPI is sent with the packet by the sender The SPI is sent with the packet by the sender SPI + Dest IP address + IPSec Protocol (AH or SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SA ESP) uniquely identifies a SA
- 13. SA Database - SAD Holds parameters for each SA Holds parameters for each SA Lifetime of this SA Lifetime of this SA AH and ESP information AH and ESP information Tunnel or transport mode Tunnel or transport mode Every host or gateway participating in Every host or gateway participating in IPSec has their own SA database IPSec has their own SA database
- 14. Security Policy Database - SPD What traffic to protect? What traffic to protect? Policy entries define which SA or SA Policy entries define which SA or SA bundles to use on IP traffic bundles to use on IP traffic Each host or gateway has their own SPD Each host or gateway has their own SPD Index into SPD by Selector fields Index into SPD by Selector fields Dest IP, Source IP, Transport Protocol, IPSec Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source & Dest Ports, … Protocol, Source & Dest Ports, …
- 15. SPD Entry Actions Discard Discard Do not let in or out Do not let in or out Bypass Bypass Outbound: do not apply IPSec Outbound: do not apply IPSec Inbound: do not expect IPSec Inbound: do not expect IPSec Protect – will point to an SA or SA bundle Protect – will point to an SA or SA bundle Outbound: apply security Outbound: apply security Inbound: check that security must have been Inbound: check that security must have been applied applied
- 16. SPD Protect Action If the SA does not exist… If the SA does not exist… Outbound processing: use IKE to generate SA Outbound processing: use IKE to generate SA dynamically dynamically Inbound processing: drop packet Inbound processing: drop packet
- 17. Is it for IPSec? If so, which policy entry to select? … SPD (Policy) … SA Database IP Packet Outbound packet (on A) A B SPI & IPSec Packet Send to B Determine the SA and its SPI IPSec processing Outbound Processing
- 18. Use SPI to index the SAD … SA Database Original IP Packet SPI & Packet Inbound packet (on B) A B From A Inbound Processing … SPD (Policy) Was packet properly secured? “un-process”
- 19. Architecture & Concepts Tunnel vs. Transport mode Tunnel vs. Transport mode Security association (SA) Security association (SA) Security parameter index (SPI) Security parameter index (SPI) Security policy database (SPD) Security policy database (SPD) SA database (SAD) SA database (SAD) Authentication header (AH) Authentication header (AH) Encapsulating security payload (ESP) Encapsulating security payload (ESP) Practical Issues w/ NAT Practical Issues w/ NAT
- 20. Authenticated Header Data integrity Data integrity Entire packet has not been tampered with Entire packet has not been tampered with Authentication Authentication Can “trust” IP address source Can “trust” IP address source Use MAC to authenticate Use MAC to authenticate Symmetric encryption, e.g, DES Symmetric encryption, e.g, DES One-way hash functions, e.g, HMAC-MD5-96 or HMAC- One-way hash functions, e.g, HMAC-MD5-96 or HMAC- SHA-1-96 SHA-1-96 Anti-replay feature Anti-replay feature Integrity check value Integrity check value
- 21. … … SAD SPI Sequence Number ICV Next Header (TCP/UDP) Payload Length Reserved IPSec Authenticated Header Length of the authentication header Length of the authentication header
- 22. Integrity Check Value - ICV Keyed Message authentication code (MAC) Keyed Message authentication code (MAC) calculated over calculated over IP header field that do not change or are predictable IP header field that do not change or are predictable Source IP address, destination IP, header length, etc. Source IP address, destination IP, header length, etc. Prevent spoofing Prevent spoofing Mutable fields excluded: e.g., time-to-live (TTL), IP Mutable fields excluded: e.g., time-to-live (TTL), IP header checksum, etc. header checksum, etc. IPSec protocol header except the ICV value field IPSec protocol header except the ICV value field Upper-level data Upper-level data Code may be truncated to first 96 bits Code may be truncated to first 96 bits
- 23. AH: Tunnel and Transport Mode Original Original Transport Mode Transport Mode Cover most of the Cover most of the original packet original packet Tunnel Mode Tunnel Mode Cover entire Cover entire original packet original packet
- 24. Encapsulating Security Payload (ESP) Provide Provide message content confidentiality message content confidentiality Provide Provide limited traffic flow confidentiality limited traffic flow confidentiality Can optionally Can optionally provide the same authentication provide the same authentication services as AH services as AH Supports range of ciphers, modes, padding Supports range of ciphers, modes, padding Incl. DES, Triple-DES, RC5, IDEA, CAST etc Incl. DES, Triple-DES, RC5, IDEA, CAST etc A variant of DES most common A variant of DES most common Pad to meet blocksize, for traffic flow Pad to meet blocksize, for traffic flow
- 25. ESP: Tunnel and Transport Mode Original Original Transport Mode Transport Mode Good for host to Good for host to host traffic host traffic Tunnel Mode Tunnel Mode Good for VPNs, Good for VPNs, gateway to gateway gateway to gateway security security
- 26. Outbound Packet Processing Form ESP header Form ESP header Security parameter index (SPI) Security parameter index (SPI) Sequence number Sequence number Pad as necessary Pad as necessary Encrypt result [payload, padding, pad length, Encrypt result [payload, padding, pad length, next header] next header] Apply authentication (optional) Apply authentication (optional) Allow rapid detection of replayed/bogus packets Allow rapid detection of replayed/bogus packets Integrity Check Value (ICV) includes whole ESP Integrity Check Value (ICV) includes whole ESP packet minus packet minus authentication data authentication data field field
- 27. SPI Sequence Number Original IP Header Integrity Check Value Authentication coverage Encrypted Payload (TCP Header and Data) Variable Length Pad Length Padding (0-255 bytes) Next Header ESP Transport Example
- 28. Inbound Packet Processing... Sequence number checking Sequence number checking Duplicates are rejected! Duplicates are rejected! Packet decryption Packet decryption Decrypt quantity [ESP payload,padding,pad Decrypt quantity [ESP payload,padding,pad length,next header] per SA specification length,next header] per SA specification Processing (stripping) padding per encryption Processing (stripping) padding per encryption algorithm algorithm Reconstruct the original IP datagram Reconstruct the original IP datagram Authentication verification (optional) Authentication verification (optional) Allow potential parallel processing - decryption Allow potential parallel processing - decryption & verifying authentication code & verifying authentication code
- 29. Architecture & Concepts Tunnel vs. Transport mode Tunnel vs. Transport mode Security association (SA) Security association (SA) Security parameter index (SPI) Security parameter index (SPI) Security policy database (SPD) Security policy database (SPD) SA database (SAD) SA database (SAD) Authentication header (AH) Authentication header (AH) Encapsulating security payload (ESP) Encapsulating security payload (ESP) Practical Issues w/ NAT Practical Issues w/ NAT
- 30. NATs Network address translation = local, LAN-specific Network address translation = local, LAN-specific address space translated to small number of globally address space translated to small number of globally routable IP addresses routable IP addresses Motivation: Motivation: Scarce address space Scarce address space Security: prevent unsolicited inbound requests Security: prevent unsolicited inbound requests Prevalence of NATs Prevalence of NATs Claim: 50% of broadband users are behind NATs Claim: 50% of broadband users are behind NATs All Linksys/D-Link/Netgear home routers are NATs All Linksys/D-Link/Netgear home routers are NATs
- 31. NAT types All use net-10/8 (10.*.*.*) or 192.168/16 All use net-10/8 (10.*.*.*) or 192.168/16 Address translation Address translation Address-and-port translation (NAPT) Address-and-port translation (NAPT) most common form today, still called NAT most common form today, still called NAT one external (global) IP address one external (global) IP address Change IP header and TCP/UDP headers Change IP header and TCP/UDP headers Will it work with IPSec? Will it work with IPSec?
- 32. NAT Example IAP’s Point of Presence Router with NAT External IP: 68.40.162.3 Internal IP: 192.168.0.0 Router assigns internal IPs to hosts on LAN : A: 192.168.0.100 B: 192.168.0.101 C: 192.168.0.102 A B C Messages sent between host B to another host on the Internet Host B original source socket: 192.168.0.101 port 1341 Host B translated socket: 68.40.162.3 port 5280
- 33. Backup Slides
- 34. Combining Security Associations SA’s can implement either AH or ESP SA’s can implement either AH or ESP to implement both need to combine SA’s to implement both need to combine SA’s form a security form a security association association bundle bundle may terminate at different or same may terminate at different or same endpoints endpoints combined by combined by transport adjacency transport adjacency iterated tunneling iterated tunneling issue of authentication & encryption order issue of authentication & encryption order
- 36. SA Bundle More than 1 SA can apply to a packet More than 1 SA can apply to a packet Example: ESP does not authenticate new IP Example: ESP does not authenticate new IP header. How to authenticate? header. How to authenticate? Use SA to apply ESP w/o authentication to Use SA to apply ESP w/o authentication to original packet original packet Use 2 Use 2nd nd SA to apply AH SA to apply AH
- 37. Outbound Packet Processing... Integrity Check Value (ICV) calculation Integrity Check Value (ICV) calculation ICV includes whole ESP packet minus ICV includes whole ESP packet minus authentication data authentication data field field Implicit padding of ‘0’s between Implicit padding of ‘0’s between next header next header and and authentication data authentication data is used to satisfy block size is used to satisfy block size requirement for ICV algorithm requirement for ICV algorithm
- 38. Inbound Packet Processing Sequence number checking Sequence number checking Anti-replay is used only if authentication is Anti-replay is used only if authentication is selected selected Sequence number should be the first ESP check Sequence number should be the first ESP check on a packet upon looking up an SA on a packet upon looking up an SA Duplicates are rejected! Duplicates are rejected! 0 Sliding Window size >= 32 reject Check bitmap, verify if new verify
- 39. Anti-replay Feature Optional Optional Information to enforce held in SA entry Information to enforce held in SA entry Sequence number counter - 32 bit for Sequence number counter - 32 bit for outgoing IPSec packets outgoing IPSec packets Anti-replay window Anti-replay window 32-bit 32-bit Bit-map for detecting replayed packets Bit-map for detecting replayed packets
- 40. Anti-replay Sliding Window Window should not be advanced until the Window should not be advanced until the packet has been authenticated packet has been authenticated Without authentication, malicious packets Without authentication, malicious packets with large sequence numbers can advance with large sequence numbers can advance window unnecessarily window unnecessarily Valid packets would be dropped! Valid packets would be dropped!
- 41. ESP Processing - Header Location... Tunnel mode IPv4 and IPv6 Tunnel mode IPv4 and IPv6 New IP hdr Orig IP hdr TCP Data ESP trailer ESP Auth ESP hdr New ext hdr New IP hdr TCP Data ESP trailer ESP Auth Orig IP hdr ESP hdr Orig ext hdr IPv4 IPv6
- 42. Key Management Handles key generation & distribution Handles key generation & distribution Typically need 2 pairs of keys Typically need 2 pairs of keys 2 per direction for AH & ESP 2 per direction for AH & ESP Manual key management Manual key management Sysadmin manually configures every system Sysadmin manually configures every system Automated key management Automated key management Automated system for on demand creation of keys Automated system for on demand creation of keys for SA’s in large systems for SA’s in large systems
Editor's Notes
- #2: The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others. However users have some security concerns that cut across protocol layers. By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications.
- #3: IP-level security encompasses three functional areas: authentication, confidentiality, and key management. The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header, and that the packet has not been altered in transit. The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The key management facility is concerned with the secure exchange of keys. IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.
- #4: Stallings Figure 16.1 illustrates a typical IP Security scenario. An organization maintains LANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. For traffic offsite, through some sort of private or public WAN, IPSec protocols are used. These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols to provide security. Security Associations A one-way relationship between sender & receiver that affords security for traffic flow Can be between A pair of hosts A host and a security gateway A pair of security gateways
- #5: [MARK97] lists the benefits shown for IPSec. It also plays a vital role in the routing architecture required for internetworking.
- #6: The IPSec specification has become quite complex. The IPSec specification consists of numerous documents. The most important of these,issued in November of 1998, are • RFC 2401: An overview of a security architecture • RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 • RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 • RFC 2408: Specification of key management capabilities In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups. Support for these features is mandatory for IPv6 and optional for IPv4. In both cases, the security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header.
- #8: Stallings Figure 16.5 shows the difference between end-to-end (transport) mode and end-to-intermediate (tunnel) mode. Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload. Typically, transport mode is used for end-to-end communication between two hosts. Tunnel mode provides protection to the entire IP, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of new “outer”IP packet with a new outer IP header. Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.
- #12: Dest IP can be a security gateway.
- #13: See page 168, Stallings
- #14: See page 169, Stallings
- #15: Doraswamy & Harkins, page 45
- #16: Doraswamy & Harkins, page 46
- #17: SA Selectors figure out which policy in SPD applies to traffic
- #21: Stallings Figure 16.3 shows the Authentication Header fields: • Next Header (8 bits): Identifies the type of header immediately following this header • Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2. • Reserved (16 bits): For future use • Security Parameters Index (32 bits): Identifies a security association • Sequence Number (32 bits): A monotonically increasing counter value • Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC,for this packet
- #31: No, no matter transport mode, tunnel mode, AH or ESP.
- #34: An individual SA can implement either the AH or ESP protocol but not both. Sometimes a particular traffic flow will call for the services provided by both AH and ESP. Further, a particular traffic flow may require IPSec services between hosts and ,for that same flow, separate services between security gateways, such as firewalls. In all of these cases, multiple SAs must be employed for the same traffic flow to achieve the desired IPSec services. The term security association bundle refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPSec services. The SAs in a bundle may terminate at different endpoints or at the same endpoints. Security associations may be combined into bundles in two ways: • Transport adjacency: more than one security protocol on same IP packet, without invoking tunneling • Iterated tunneling: application of multiple layers of security protocols effected through IP tunneling One interesting issue is the order in which authentication and encryption may be applied between a given pair of endpoints.
- #35: The IPSec Architecture document lists four examples of combinations of SAs that must be supported by compliant IPSec hosts or security gateways. These are illustrated in Stallings Figure 16.10. Note the *’d devices implement IPSec. The cases are: Case 1 security is provided between end systems that implement IPSec. Case 2 security is provided only between gateways (routers,firewalls,etc.) and no hosts implement IPSec. Case 3 builds on Case 2 by adding end-to-end security .The same combinations discussed for cases 1 and 2 are allowed here. Case 4 provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall. Only tunnel mode is required between the remote host and the firewall.
- #40: D & H, p 47