cse 5/7349 – february 15 th 2006

CSE 5/7349 – February 15th 2006

IPSec

Basics

• Stack Level• V4 vs V6• Provides

– Authentication – Confidentiality

Architecture & Concepts

• Placement• Mode• Security association (SA)• ESP• AH

IPSec Placement

Transport Mode Security

• ESP protects higher layer payload only• AH can protect IP headers as well as higher

layer payload

IPheader

IPoptions

IPSecheader

Higherlayer protocol

ESP

AH

Real IPdestination

Tunnel Mode Security

• ESP applies only to the tunneled packet• AH can be applied to portions of the outer

header

Outer IPheader

Inner IPheader

IPSecheader

Higherlayer protocol

ESP

AH

Real IP destinationDestinationIPSecentity

A B

Encrypted Tunnel

Gateway Gateway

New IP Header

AH or ESP Header

TCP DataOrig IP Header

Encrypted

Unencrypted Unencrypted

Tunnel Mode

Security Association - SA

• One way relationship (uni-directional)• Determine IPSec processing for senders• Determine IPSec decoding for destination• SAs are not fixed! Generated and

customized per traffic flows (manual as well as dynamic)– If manual, no lifetime; dynamic has lifetime

Security Parameters Index - SPI

• Can be up to 32 bits large• The SPI allows the destination to select

the correct SA under which the received packet will be processed (according to the agreement with the sender)– The SPI is sent with the packet by the sender

• SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SA

SA Bundle

• More than 1 SA can apply to a packet• Example: ESP does not authenticate new

IP header. How to authenticate?– Use SA to apply ESP w/out authentication to

original packet– Use 2nd SA to apply AH

Authenticated Header (AH)

AH Security

• Connectionless integrity– Flow/error control left to transport layer – Data integrity

• Authentication– Can “trust” IP address source– Use MAC to authenticate

• Anti-replay feature• Integrity check value

AH Header Format

SPI

Sequence Number

Auth Data

Next Header (TCP/UDP)

Payload Length Reserved

Anti-Replay

• Message authentication code (MAC) calculated over– IP header field that do not change or are

predictable– IPSec protocol header minus where the ICV

value goes– Upper-level data

• Code may be truncated to first 96 bits

Integrity Check Value - ICV

• Message authentication code (MAC) calculated over– IP header field that do not change or are

predictable– IPSec protocol header minus where the ICV

value goes– Upper-level data

• Code may be truncated to first 96 bits

AH Modes

• Tunnel• Transport• Nested headers

– Multiple SAs applied to same message– Nested tunnels

Processing Outbound Messages

• Insert Next Header and SPI field• Compute the sequence no. field• If transport mode …• If tunnel mode …• Compute authentication value

Outbound Processing (cont’d)

• If transport mode• If tunnel mode• Compute authentication value

Outbound Processing (cont’d)

Fragment the Message• IPSec processing may result in large

message which will be fragmented– Transport mode

– Tunnel mode

Input Processing

• Identify the inbound SA

• Replay protection check

Inbound Processing (cont’d)

• Verify authentication data

• Strip off the AH header and continue IPSec processing for any remaining IPSec headers

Replay Protection

• Sequence number checking– Anti-replay is used only if authentication is

selected– Sequence number should be the first

check on a packet upon looking up an SA– Duplicates are rejected!

0Sliding Windowsize >= 32

rejectCheck bitmap, verify if new

verify

Anti-replay Feature

• Sequence number counter - 32 bit for outgoing IPSec packets

• Anti-replay window

Internet Key Exchange (IKE)

Key Management

• AH and ESP require encryption and authentication keys

• Process to negotiate and establish IPSec SA’s between two entities

Manual Key Management

• Mandatory• Useful when IPSec developers are

debugging• Keys exchanged offline (phone, email,

etc.)• Set up SPI and negotiate parameters • Not scalable

Oakley Key Exchange

• Designed to – Leverage advantages of DH

– Counter DH weaknesses

Oakley - Major Features

Cookies

SA, CKY-II R

Initiator Responder

SA, CKY-RNegotiate IKE SA parameters

NonceI, YI

NonceR, YR

IDI, HashI

IDR, HashR

Exchange items to generate secret

Send hash digest so peer can authenticate sender

Example: Main Mode Preshared

Generate SKEYID

Main Mode Preshared Hashes

• To authenticate each other, each entity generates a hash digest that only the peer could know

Hash-I=PRF(SKEYID,YI|YR|CKY-I|CKY-R|SA Offer|ID-I)

Hash-R =PRF(SKEYID,YR|YI|CKY-R|CKY-I|SA Offer|ID-R)

Phase II

• What traffic does SA cover ?• Initiator specifies which entries (selectors)

in SPD are for this IPSec SA, sends off to responder

• Keys and SA attributes communicated with the Phase I - IKE SA – Passes encrypted & authenticated

HASH1, IPSec SA, NonceI, [New K]I R

Initiator Responder

HASH2, SA, NonceR, [New K]Negotiate IPSec SA Parameters, [PFS]

Example: Quick Mode

HASH3‘Liveness’ proof for Responder