IP SECURITY – Chapter 16
Security Mechanisms:
- email – S/MIME, PGP
- client/server - Kerberos
- web access - Secure Sockets Layer
- network - TCP/IP
Three Areas:
1. Authentication – verifies source / no alteration
2. Confidentiality – no eavesdropper
3. Key Management – secure exchange
ATTACKS - REQUIREMENTS
1. IP Spoofing - false IP address
2. eavesdropping / packet sniffing - logon data, database contents
Secure Branch Office over Internet - Virtual Private Network
Secure Remote Access over Internet - local call to ISP remote company
extranet/internet – secure comms other orgs
Secure Commerce – enhanced by IPSEC
…because encrypt/decrypt all traffic at IP level (fig 16.1)
IP SECURITY SCENARIO
[Figure 16.1 An IP Security Scenario. Labels: User system with IPSec; Networking device with IPSec (two); Public (Internet) or Private Network; packets shown as IP Header | IP Payload and as IP Header | IPSec Header | Secure IP Payload]
BENEFITS of IPSEC
• Traffic within company
– ”no need for security”
• Transparent applications and end users
• Security for ”off-site” individuals
IPSEC and ROUTING
• Authorises Routing Advertisement
• Authorises Neighbour Advertisement
• Redirect
• Routing Update - not forged
EXTENSION HEADER - follows main IP header
Authentication Header
Encapsulating Security Payload (ESP) header (encrypted)
Fig 16.2
AH - Authentication Header
ESP – Encryption + Authentication
Table 16.1
IPSec DOCUMENT OVERVIEW
[Figure 16.2 IPSec Document Overview. Boxes: Architecture; ESP Protocol; AH Protocol; Encryption Algorithm; Authentication Algorithm; DOI; Key Management]
SECURITY ASSOCIATIONS (SAs)
One-way relationship between sender and receiver
- For two-way, need two SAs
- Three Parameters
1. Security Parameter Index (SPI)
2. IP Destination Address
3. Security Protocol Identifier
SECURITY ASSOCIATIONS (SAs)
1. Security Parameter Index (SPI) - bit string – carried in AH and ESP headers, enables receiver to select SA for processing packet.
2. IP Destination Address - end user or network system (e.g. firewall, router)
3. Security Protocol Identifier - indicates AH or ESP
SA PARAMETERS
• Sequence Number Counter
• Sequence Counter Overflow - overflow auditable?
• Anti-Replay Windows - is incoming AH or ESP a replay?
• AH information - auth. alg., keys, key lifetimes
• ESP information - encryp. alg., auth. alg., keys, init. values, key lifetimes
• Lifetime of SA
• IPSec Protocol Mode: - Tunnel/Transport/Wildcard (mask)
• Path MTU – max packet size
SECURITY POLICY DATABASE (SPD)
Relates IP traffic to specific SAs
[ Subset0 of IP Traffic] SA [ Subset1 of IP Traffic]
and/or
[Subset of IP Traffic] SA0
SA1
SPD : IP and UPPER LAYER SELECTORS
- filters/maps traffic SA
• Dest. IP Address: single/list/range/wildcard
• Source IP Address: single/list/range/wildcard
• User ID
• Data Sensitivity Level: e.g. secret/unclassified
• Transport Layer Protocol: (number) individual/list/range
• IPSEC Protocol: AH/ESP/AH and ESP
• Source and Dest. Ports: (TCP or UDP values) individual/list/wildcard
SPD : IP and UPPER LAYER SELECTORS
- filters/maps traffic SA
• IPv6 Class: specific/wildcard
• IPv6 Flowlabel: specific/wildcard
• IPv4 Type of Service (TOS): specific/wildcard
TRANSPORT MODE
Transport
Upper-layer protection
End-to-end communication
(e.g. client server, two workstations)
ESP encrypts IP payload (not header)
(optionally authenticates)
AH authenticates IP payload + selected
portions of header
TUNNEL MODE
Tunnel
Protects entire IP packet
entire packet + security fields treated as "outer" payload with new IP header
Original (inner) packet travels through tunnel.
Routers cannot examine inner IP header
e.g. tunneled through firewall
Table 16.2
AUTHENTICATION HEADER
- Detects modification
- Prevents address spoofing, replay
Uses MAC - Alice, Bob share secret key
Fig 16.3
AUTHENTICATION HEADER
[Figure 16.3 IPSec Authentication Header. Bit positions 0, 8, 16, 31. Fields: Next Header; Payload Length; RESERVED; Security Parameters Index (SPI); Sequence Number; Authentication Data (variable)]
ANTI-REPLAY SERVICE
Sequence Number Field (SNF) thwarts attack
New SA: Sender initialises C=0
For every new packet on SA: C++
Anti-Replay operates up to max C = 2^32 – 1
If max reached, terminate SA
ANTI-REPLAY SERVICE
IP is a connectionless, unreliable protocol
does NOT guarantee:
- packets delivered in order
- all packets delivered
ANTI-REPLAY MECHANISM
[Figure 16.4 Anti-Replay Mechanism. Fixed window size W, with positions N - W, N and N + 1 labelled; slot marked if valid packet received, unmarked if valid packet not yet received; advance window if valid packet to the right is received]
ANTI-REPLAY MECHANISM (Fig 16.4)
1. if Rx packet falls in window and new then check MAC. if authentic then mark slot
2. if Rx packet to right of window and new then check MAC. if authentic advance window up to packet.
3. if Rx packet to left of window or authentication fails then discard, audit
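Added example (not from the original slides): a receiver-side sliding window that applies the three rules above in order, using a bitmap for the marked slots. The class name, the verdict strings, the window size of 4 and the arrival sequence are constructed for illustration; the MAC check is stood in for by a callable so that the example shows when it is invoked.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over AH/ESP sequence numbers (Fig 16.4)."""

    def __init__(self, size=64):
        self.size = size    # W, fixed window size
        self.right = 0      # N, highest sequence number authenticated so far
        self.bitmap = 0     # bit i set => sequence number (N - i) already received

    def receive(self, seq, mac_ok):
        """Return a verdict string. mac_ok is a zero-argument callable standing in
        for the ICV check; it is only called once the window test has passed."""
        if not 1 <= seq <= 2**32 - 1:
            return "discard: invalid sequence number"
        if seq > self.right:                      # rule 2: right of window
            if not mac_ok():
                return "discard: authentication failed"
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return "accept: window advanced"
        offset = self.right - seq
        if offset >= self.size:                   # rule 3: left of window
            return "discard: left of window"
        if (self.bitmap >> offset) & 1:           # in window but slot already marked
            return "discard: replay"
        if not mac_ok():                          # rule 1: in window and new
            return "discard: authentication failed"
        self.bitmap |= 1 << offset
        return "accept: slot marked"


def run_demo():
    """Constructed arrival order on one SA, window size W = 4."""
    good, forged = (lambda: True), (lambda: False)
    win = AntiReplayWindow(size=4)
    arrivals = [(1, good), (3, good), (2, good), (2, good),   # reordering, then a replay
                (10, good), (6, good), (7, good), (11, forged)]
    return [(seq, win.receive(seq, ok)) for seq, ok in arrivals], win.right


if __name__ == "__main__":
    verdicts, right_edge = run_demo()
    for seq, verdict in verdicts:
        print(f"seq={seq:<3} {verdict}")
    print("right edge N =", right_edge)
```

The forged packet with sequence number 11 does not move the window: the right edge only advances after the MAC check succeeds.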
INTEGRITY CHECK VALUE (ICV) - MAC
HMAC-MD5-96, HMAC-SHA-1-96 (trunc to 96 bits)
MAC over:
- IP Header Fields which are unchanged in transit (or are predictable at receiver), other fields set to 0 for calculation purposes.
- AH Header except Authentication Data Field – AD = 0
- Upper-Level protocol data
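Added example (not from the original slides): the ICV computation and check for an IPv4 packet in transport mode with HMAC-SHA-1-96. The choice of zeroed IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) follows the AH specification rather than the slides; the key, addresses, SPI and payload are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12  # HMAC output truncated to 96 bits

def ipv4_header(src, dst, ttl, payload_len, proto=51):
    """Constructed 20-byte IPv4 header (no options); protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields that may change in transit: TOS, flags/fragment
    offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(key, ip_hdr, ah, upper):
    """HMAC-SHA-1-96 over immutable IP fields, AH with AD zeroed, upper-level data."""
    ah_zeroed = ah[:12] + bytes(ICV_LEN)
    data = zero_mutable(ip_hdr) + ah_zeroed + upper
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def verify(key, ip_hdr, ah, upper):
    """Recompute the ICV at the receiver and compare in constant time."""
    return hmac.compare_digest(ah[12:12 + ICV_LEN], compute_icv(key, ip_hdr, ah, upper))

def run_demo():
    key, upper = b"constructed shared secret", b"constructed TCP segment"
    ip = ipv4_header("192.0.2.1", "198.51.100.7", ttl=64, payload_len=24 + len(upper))
    # AH: Next Header=6 (TCP), Payload Length=4, RESERVED, SPI, Sequence Number, AD
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1) + bytes(ICV_LEN)
    ah = ah[:12] + compute_icv(key, ip, ah, upper)
    routed = ip[:8] + bytes([63]) + ip[9:]          # TTL decremented by a router
    spoofed = ip[:12] + ipaddress.IPv4Address("203.0.113.9").packed + ip[16:]
    return {"as sent": verify(key, ip, ah, upper),
            "ttl changed": verify(key, routed, ah, upper),
            "source spoofed": verify(key, spoofed, ah, upper),
            "payload altered": verify(key, ip, ah, upper + b"!")}

if __name__ == "__main__":
    print(run_demo())
```

The TTL change passes because TTL is zeroed before the MAC is computed, while the rewritten source address and the altered payload both fail the check.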
TRANSPORT / TUNNEL MODES
Fig 16.5
Transport SA: workst. server (secret key)
Tunnel SA: workst. intern. network firewall intern. server without auth.
Fig 16.6
IP Payload is TCP or data for other protocol.
End-to-End vs. End-to-intermediate Auth.
[Figure 16.5 End-to-end vs. End-to-intermediate Authentication. Labels: External Network; Internal Network; Router/Firewall; Server; End-to-end authentication (two paths); End-to-intermediate authentication]
SCOPE OF AH AUTHENTICATION
[Figure 16.6 Scope of AH Authentication]
(a) Before Applying AH
  IPv4: orig IP hdr | TCP | Data
  IPv6: orig IP hdr | extension headers (if present) | TCP | Data
(b) Transport Mode
  IPv4: orig IP hdr | AH | TCP | Data - authenticated except for mutable fields
  IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | AH | dest | TCP | Data - authenticated except for mutable fields
(c) Tunnel Mode
  IPv4: New IP hdr | AH | orig IP hdr | TCP | Data - authenticated except for mutable fields in the new IP header
  IPv6: new IP hdr | ext headers | AH | orig IP hdr | ext headers | TCP | Data - authenticated except for mutable fields in new IP header and its extension headers
ENCAPSULATING SECURITY PAYLOAD (ESP)
Message Confidentiality
Limited Traffic flow Confidentiality
Authentication (like AH)
Fig 16.7
ENCAPSULATING SECURITY PAYLOAD (ESP)
[Figure 16.7 IPSec ESP Format. Bit positions 0, 16, 24, 31. Fields: Security Parameters Index (SPI); Sequence Number; Payload Data (variable); Padding (0 - 255 bytes); Pad Length; Next Header; Authentication Data (variable). Side brackets mark Authentication Coverage and Confidentiality Coverage]
ENCAPSULATING SECURITY PAYLOAD (ESP)
• SPI – Security Association
• Sequence Number
• Payload – Transport/Tunnel – encrypt
• Padding - 0 – 255 bytes
• Pad Length
• Next Header – Payload type by identifying first header in payload.
• Auth. Data – ICV (MAC)
ESP
Encrypts payload, padding, pad length, next header
Optional init. vector (IV) for encryp. alg. at beginning of Payload
Uses DES(CBC), 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish
Uses HMAC-MD5-96, HMAC-SHA-1-96
PADDING
Required,
• if encryp. alg. requires plaintext to be
certain multiple of bytes.
• to make ciphertext a multiple of 32-bits
• for Partial Traffic Flow Confidentiality
TRANSPORT and TUNNEL MODES
Fig 16.8
Transport - confidentiality for all appl.
- drawback : traffic analysis
Tunnel – hosts avoid security (VPN)
Fig 16.9
Transport vs. Tunnel Encryp.
[Figure 16.8 Transport-Mode vs. Tunnel-Mode Encryption. (a) Transport-level security: Internal Network, External Network, Encrypted TCP Session. (b) A virtual private network via Tunnel Mode: Corporate Networks connected across the Internet by encrypted tunnels carrying IP traffic]
Scope of ESP Encryp. and Auth.
[Figure 16.9 Scope of ESP Encryption and Authentication; brackets in the figure mark the encrypted and authenticated spans]
(a) Transport Mode
  IPv4: orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
  IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth
(b) Tunnel Mode
  IPv4: New IP hdr | ESP hdr | orig IP hdr | TCP | Data | ESP trlr | ESP auth
  IPv6: new IP hdr | ext headers | ESP hdr | orig IP hdr | ext headers | TCP | Data | ESP trlr | ESP auth
COMBINING SAs
Each SA implements AH or ESP, but
Some traffic flow may require both.
multiple SAs
Security Association Bundle
Sequence of SAs
SAs may terminate at different endpoints
TWO BUNDLE TYPES
Transport Adjacency: more than one security protocol to same IP packet, no tunneling, one endpoint.
Iterated Tunneling: multiple (nested) security layers using tunnelling, possible different end points.
TWO BUNDLE TYPES
Two approaches can be Combined
e.g. Transport SA between hosts
travels partway through a
Tunnel SA between security
gateways.
AUTHENTICATION + CONFIDENTIALITY
1. ESP with Auth. Option - Fig 16.9
Transport mode ESP:
IP header not protected
Tunnel mode ESP:
Auth. entire outer IP packet
Encryp. entire inner IP packet
For both cases,
ciphertext authenticated
AUTHENTICATION + CONFIDENTIALITY
2. Transport Adjacency
Two Bundled SAs:
- inner being ESP (no auth.)
outer being AH
- advantage: auth. covers more fields
- disadvantage: two SAs versus one
AUTHENTICATION + CONFIDENTIALITY
3. Transport-Tunnel Bundle
Auth. Prior to encryp.:
- advantages:
  Impossible to intercept and alter without detection.
  Store MAC with message at destination for later.
Use Bundle:
  Inner AH: Transport SA
  Outer ESP: Tunnel SA
entire auth. inner packet encrypted.
new outer IP header added
BASIC COMBINATION OF SAs
CASE 1 End systems implement IPSec - share keys
CASE 2 Security between gateways (routers, firewalls)
  No hosts implement IPSec
  Simple VPN
  Nested tunnels not required because IPSec applied to entire packet.
CASE 3 Case 2 + end-to-end security.
  Gateway-to-gateway ESP provides traffic confidentiality.
CASE 4 Support for remote host to reach firewall.
  Only tunnel mode required.
Key Management - Read
BASIC COMBINATION OF SAs
[Figure 16.10 Basic Combinations of Security Associations (* = implements IPSec)]
(a) Case 1: Host*, Router, Local Intranet, Internet, Local Intranet, Router, Host*; One or More SAs
(b) Case 2: Host, Security Gateway*, Local Intranet, Internet, Local Intranet, Security Gateway*, Host; Tunnel SA
(c) Case 3: Host*, Security Gateway*, Local Intranet, Internet, Local Intranet, Security Gateway*, Host*; Tunnel SA, One or Two SAs
(d) Case 4: Host*, Internet, Security Gateway*, Local Intranet, Host*; Tunnel SA, One or Two SAs