dynamic routing inside ipsec vpns

Post on 30-May-2018

  • 8/14/2019 Dynamic Routing Inside IPsec VPNs

    1/40

    Dynamic Routing Inside IPsec VPNs

    New Threats and Defenses

    Paul Knight, Nortel Networks

    [email protected]

  • 2/40

    Dynamic Routing Inside IPsec VPNs- 2

    Black Hat Briefings Paul Knight

    Agenda

    - Setting the stage: IPsec topology background
    - Dynamic routing in IPsec
    - Attack and defense
      - Attacks from the Internet: denial of service, remote access split tunnel
      - Internal branch-to-branch attacks: routing attacks, misconfigurations
    - Requirements: securing IPsec routing

  • 3/40

    IPsec topology background

    - The IPsec VPN model
      - What is an IPsec gateway?
      - What are tunnel and transport modes?
      - What's a Security Association?
    - IPsec VPN topologies
      - Not host-to-host
      - Remote access VPN
      - Major focus: multi-site, branch offices

  • 4/40

    IPSec VPN models: Hosts and Security Gateways

    [Figure: three topologies across an untrusted network (Internet), with IPsec gateways in front of the trusted networks]

    - Branch-to-branch VPN model: between IPsec gateways
    - Remote access VPN model: host to gateway
    - Host-to-host (not VPN)

  • 5/40

    Two IPSec Modes: Transport and Tunnel Mode

    [Figure: packet layouts for the two modes]

    Transport Mode:  Original IP Header | IPSec ESP Header | Data  (optional encryption covers Data)

    Tunnel Mode:  New IP Header (outer) | IPSec ESP Header | Original IP Header (inner) | Data  (optional encryption covers the inner IP header and Data)

  • 6/40

    Application of the IPsec modes

    [Figure: hosts on two trusted networks, each behind an IPSec gateway, connected across an untrusted network (Internet)]

    - Can use Transport (or Tunnel) Mode between hosts
    - Can ONLY use Tunnel Mode between gateways (or extra IP encapsulation inside Transport Mode)
    - MUST hide IP addresses of trusted networks

  • 7/40

    Application of the IPsec modes: Remote Access

    [Figure: remote host to IPsec gateway across the untrusted network (Internet), trusted network behind the gateway]

    - SHOULD use Tunnel Mode between host and gateway
      - Hide IP addresses of trusted networks
      - Allow remote host to truly join trusted network
      - IPsec gateway assigns host a tunnel address, like DHCP
    - Alternative: Transport Mode to Application Level Gateway
      - IPsec gateway actually becomes a host
      - Remote host is limited to applications supported by gateway
      - Similar to SSL gateway model; heavy burden on gateway

  • 8/40

    Security Association (SA)

    SA = all the information shared between two IPsec systems to establish secure communication

    - Selection of the security mechanisms:
      - ESP or AH protection
      - Ciphering algorithm
      - Hash function
      - Choice of authentication method
    - Authentication of the two parties
    - Choice of the ciphering and authentication keys

  • 9/40

    Security Databases

    A model to ensure a minimum of interoperability: RFC 2401 - Security Architecture for IP

    Two Security Databases maintained on the IPSec system:

    - Security Policy Database (SPD)
    - Security Association Database (SAD)

  • 10/40

    Security Association Database (SAD)

    All active Security Associations. For each SA entry, includes:

    - Identifier:
      - Outer destination IP address
      - Security Protocol
      - SPI (Security Parameter Index)
    - Parameters:
      - Authentication algorithm and keys
      - Encryption algorithm and keys
      - Lifetime
      - Security Protocol Mode (tunnel or transport)
      - Anti-replay service
      - Link with an associated policy in the SPD

  • 11/40

    Security Policy Database (SPD)

    Applies to every packet. For each policy entry, includes:

    - Selectors:
      - Destination IP address
      - Source IP address
      - Name
      - Transport layer protocol (protocol number)
      - Source and destination ports
    - The policy:
      - Discard the packet, bypass, or process IPSec
      - For IPSec processing:
        - Security Protocol and Mode
        - Enabled services (anti-replay, authentication, encryption)
        - Algorithms (for authentication and/or encryption)
        - Link to an active SA in the SAD (if it exists)

  • 12/40

    Inbound Packet Processing

    [Figure: an IPSec packet (IP header + IPSec header) enters the IPSec system, which consults the SAD and then the SPD, and emits the decapsulated IP packet]

    1. Identifies the SA in the SAD upon the selectors: destination IP address, Security Protocol, SPI
    2. Read the SA parameters
    3. Performs the enabled IPSec services:
       - Authentication
       - Decryption
       - Anti-replay service
    4. Identifies the policy according to the selector
    5. Check the policy

  • 13/40

    Outbound Packet Processing

    [Figure: an IP packet enters the IPSec system, which consults the SPD and then the SAD, and emits the IPSec-protected packet]

    1. Identifies the policy in the SPD according to the selectors
    2. Read the policy parameters
    3. Initiate new SA if necessary
    4. Read the SA parameters specified by the link
    5. Computes the IPSec processing
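The SPD and SAD lookups from the preceding slides (SA identifier, policy selectors, outbound steps 1-5, inbound steps 1-5), modelled as an added example. This is not the presenter's or any product's code; every address, SPI and policy in it is a constructed assumption, and authentication and decryption are not performed, only the database lookups, the SA creation step and the anti-replay window. The `out_new_net` case already shows the routing problem the next slides raise: a destination that no selector covers is simply discarded.

```python
"""Toy model of the RFC 2401 SPD/SAD lookups (example for this page, not the
presenter's code; all values are constructed assumptions)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

ANY = "any"   # wildcard selector


@dataclass
class Policy:
    """One SPD entry: selectors, then the action and IPsec parameters."""
    src: str            # CIDR or ANY
    dst: str            # CIDR or ANY
    proto: object       # IP protocol number or ANY
    action: str         # "discard" | "bypass" | "ipsec"
    mode: str = "tunnel"
    peer: str = ""      # outer destination: the IPsec peer gateway
    sa_spi: int | None = None   # link to an active SA in the SAD, if one exists


@dataclass
class SA:
    """One SAD entry, identified by (outer destination, security protocol, SPI)."""
    outer_dst: str
    protocol: str       # "ESP" or "AH"
    spi: int
    mode: str
    policy: Policy      # link back to the SPD entry it serves
    window: int = 64    # anti-replay window size
    highest_seq: int = 0
    seen: set = field(default_factory=set)


def _match(selector, value):
    if selector == ANY:
        return True
    if isinstance(selector, int):
        return selector == value
    return ipaddress.ip_address(value) in ipaddress.ip_network(selector)


class IPsecSystem:
    def __init__(self):
        self.spd: list[Policy] = []      # ordered; first match wins
        self.sad: dict[tuple, SA] = {}   # (outer_dst, protocol, spi) -> SA
        self._next_spi = 0x1000

    def add_sa(self, outer_dst, protocol, spi, mode, policy):
        sa = SA(outer_dst, protocol, spi, mode, policy)
        self.sad[(outer_dst, protocol, spi)] = sa
        policy.sa_spi = spi
        return sa

    def lookup_policy(self, src, dst, proto):
        for p in self.spd:
            if _match(p.src, src) and _match(p.dst, dst) and _match(p.proto, proto):
                return p
        return None   # no matching policy: RFC 2401 says discard

    def outbound(self, src, dst, proto):
        """Outbound steps 1-5; returns (disposition, SPI used)."""
        p = self.lookup_policy(src, dst, proto)              # 1, 2
        if p is None or p.action == "discard":
            return ("discard", None)
        if p.action == "bypass":
            return ("bypass", None)
        if p.sa_spi is None:                                 # 3: initiate new SA
            self.add_sa(p.peer, "ESP", self._next_spi, p.mode, p)
            self._next_spi += 1
        sa = self.sad[(p.peer, "ESP", p.sa_spi)]             # 4
        return ("ipsec", sa.spi)                             # 5: protect with this SA

    def inbound(self, outer_dst, protocol, spi, seq, inner_src, inner_dst, inner_proto):
        """Inbound steps 1-5 for an IPsec packet that has arrived."""
        sa = self.sad.get((outer_dst, protocol, spi))        # 1, 2
        if sa is None:
            return "discard: no SA"
        # 3: anti-replay check (authentication/decryption would come first)
        if seq <= sa.highest_seq - sa.window or seq in sa.seen:
            return "discard: replay"
        sa.seen.add(seq)
        sa.highest_seq = max(sa.highest_seq, seq)
        # 4, 5: the decapsulated packet must match the policy this SA is linked to
        if self.lookup_policy(inner_src, inner_dst, inner_proto) is not sa.policy:
            return "discard: policy mismatch"
        return "accept"


def demo():
    """Constructed scenario: Site A gateway 203.0.113.1, peer Site X 198.51.100.1."""
    gw = IPsecSystem()
    out_policy = Policy("10.1.0.0/16", "10.2.0.0/16", ANY, "ipsec", peer="198.51.100.1")
    in_policy = Policy("10.2.0.0/16", "10.1.0.0/16", ANY, "ipsec", peer="203.0.113.1")
    gw.spd += [out_policy, in_policy, Policy(ANY, ANY, ANY, "discard")]
    gw.add_sa("203.0.113.1", "ESP", 0x2001, "tunnel", in_policy)   # SA set up by the peer
    r = {}
    r["out_first"] = gw.outbound("10.1.0.5", "10.2.0.9", 6)        # creates SA 0x1000
    r["out_again"] = gw.outbound("10.1.0.5", "10.2.0.9", 6)        # reuses it
    r["out_new_net"] = gw.outbound("10.1.0.5", "10.3.0.9", 6)      # no selector covers 10.3/16
    r["in_ok"] = gw.inbound("203.0.113.1", "ESP", 0x2001, 1, "10.2.0.9", "10.1.0.5", 6)
    r["in_replay"] = gw.inbound("203.0.113.1", "ESP", 0x2001, 1, "10.2.0.9", "10.1.0.5", 6)
    r["in_wrong_policy"] = gw.inbound("203.0.113.1", "ESP", 0x2001, 2, "10.9.0.9", "10.1.0.5", 6)
    r["in_unknown_spi"] = gw.inbound("203.0.113.1", "ESP", 0x9999, 1, "10.2.0.9", "10.1.0.5", 6)
    return r
```

The inbound policy check is the part implementations get wrong most often: decrypting successfully under some SA is not enough, the inner packet must also match the policy that SA was negotiated for, otherwise a peer can inject traffic for address ranges it was never authorized to speak for.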

  • 14/40

    Agenda

    - Setting the stage: IPsec topology background
    - Dynamic routing in IPsec
    - Attack and defense
      - Attacks from the Internet: denial of service, remote access split tunnel
      - Internal branch-to-branch attacks: routing attacks, misconfigurations
    - Requirements: securing IPsec routing

  • 15/40

    Why is dynamic routing in IPsec VPNs important?

    Like ANY sizable network without dynamic routing, life is HARD!

    - It's too hard to maintain static routes
    - Hard to set up load balancing
    - Hard to set up failover
    - Hard to manage changes
    - Hard to add new network sites

  • 16/40

    The IPsec routing problem

    Usual conversation:

    "What's the problem? You can already carry routing protocols over IPsec."

    "Yes, but you can't actually use them to ROUTE."

    "Huh?"

    "The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes."

    "Oh. Yeah, I see the problem."

  • 17/40

    The IPsec routing problem

    - Dynamic routing in VPNs is a requirement
    - Tunnel mode is incompatible with dynamic routing
      - draft-touch-ipsec-vpn-04.txt (IETF, http://www.ietf.org/internet-drafts/X)
      - draft-wang-cevpn-routing-00.txt
      - draft-knight-ppvpn-ipsec-dynroute-01.txt
    - WHY?
      - Security Associations are created with selectors: tunnels have built-in static routes
      - SP and SA Database lookups do the routing
      - SA setup is orders of magnitude slower than a routing change
      - Dynamically changing SAs due to routing updates doesn't scale

  • 18/40

    Reference topology

    [Figure: Site A, Site X, Site Y and Site Z, each with a CPE IPsec gateway, connected across an untrusted network]

    Typical dynamic routing issues:

    - Z adds a new network
    - New site added (hub/spoke model)
    - A link (IPsec connection) breaks; re-route through another site

  • 19/40

    [Figure: IPsec Gateway (CPE) at Site A; outbound traffic is matched against the SPD and SAD, with one SA pair per address range, toward Site X, Site Y and Site Z across the untrusted network]

    - SA pairs: one per address range
    - SP and SA Databases determine routing into tunnels; they cannot adapt dynamically
    - Route exchange possible, but useless (SPD, SAD control routing)

  • 20/40

    The basic solution

    Remove the tunnel's static routes. HOW?

    - (1) Use wild card in tunnel SAs (allow all traffic), OR
    - (2) Use encapsulation to make the traffic fit the static route, by setting the destination address in the encapsulated traffic
      - IP-in-IP over Transport (IIPtran)
      - Generic Routing Encapsulation (GRE) in tunnel or transport
    - Both approaches are essentially similar in key ways, but (2) is more secure
      - IPsec can still apply source/destination selectors
      - Less chance for errors due to different systems' dynamic routing abilities
    - Either way, you must do routing (SA selection or encapsulation addressing) outside IPsec, and push traffic into a VPN Tunnel (may be Transport Mode)

  • 21/40

    Routing outside IPsec: each SPD/SAD handles a smaller address selector range

    [Figure: IPsec Gateway at Site A; outbound traffic first passes a routing function (route exchange via OSPF, RIP, etc.), then one SPD/SAD pair per peer, toward the Site X, Site Y and Site Z CPEs across the untrusted network]

    - One VPN Tunnel SA pair between sites (unless QoS or security requires more)
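The routing-first design on this slide, worked through the "Typical dynamic routing issues" from the reference topology, as an added example (not the presenter's or any vendor's code; every prefix, gateway address and interface name is constructed). A dynamic routing table at the Site A gateway chooses the next IPsec hop, and one wildcard tunnel SA per peer carries whatever the router hands it. Contrast with the one-SA-pair-per-address-range picture on the previous slide: here Z adding a network, or the Y tunnel failing with traffic re-routed via Z, changes only the routing table, never an SA.

```python
"""Routing outside IPsec: pick the peer gateway by longest-prefix match, then
hand the packet to that peer's tunnel. Example for this page; all addresses
and interface names are constructed assumptions."""
import ipaddress


class VpnRouter:
    def __init__(self, local_prefixes, tunnels):
        # tunnels: peer gateway address -> tunnel interface (one SA pair each)
        self.tunnels = dict(tunnels)
        # rib: prefix -> {next_hop: metric}; several paths per prefix are kept so a
        # backup via another site survives when the primary tunnel goes down
        self.rib = {}
        for p in local_prefixes:
            self.rib[ipaddress.ip_network(p)] = {"local": 0}

    def advertise(self, prefix, next_hop, metric):
        """Route update learned across a tunnel (from OSPF, RIP, etc.)."""
        self.rib.setdefault(ipaddress.ip_network(prefix), {})[next_hop] = metric

    def withdraw_peer(self, peer):
        """The IPsec connection to `peer` broke: forget every path through it."""
        for paths in self.rib.values():
            paths.pop(peer, None)

    def lookup(self, dst):
        """Longest-prefix match, then lowest metric among the remaining paths."""
        addr = ipaddress.ip_address(dst)
        candidates = [n for n, paths in self.rib.items() if addr in n and paths]
        if not candidates:
            return None
        net = max(candidates, key=lambda n: n.prefixlen)
        return min(self.rib[net], key=self.rib[net].get)

    def forward(self, dst):
        """Choose the next IPsec hop and the outer destination address that the
        encapsulation step will use. Returns (egress interface, outer destination)
        or None when the destination is unroutable."""
        next_hop = self.lookup(dst)
        if next_hop is None:
            return None
        if next_hop == "local":
            return ("lan", None)
        return (self.tunnels[next_hop], next_hop)


def demo():
    """Constructed walk through the reference topology's routing issues."""
    a = VpnRouter(["10.1.0.0/16"], {"198.51.100.1": "ipsec-x",
                                     "198.51.100.2": "ipsec-y",
                                     "198.51.100.3": "ipsec-z"})
    a.advertise("10.2.0.0/16", "198.51.100.1", 1)   # Site X's network
    a.advertise("10.3.0.0/16", "198.51.100.2", 1)   # Site Y's network, direct
    a.advertise("10.3.0.0/16", "198.51.100.3", 2)   # Site Y also reachable via Z
    a.advertise("10.4.0.0/16", "198.51.100.3", 1)   # Site Z's network
    out = {"to_y_before": a.forward("10.3.0.9")}
    a.advertise("10.44.0.0/16", "198.51.100.3", 1)  # "Z adds a new network": no SA change
    out["to_new_net"] = a.forward("10.44.0.7")
    a.withdraw_peer("198.51.100.2")                 # "A link breaks": tunnel to Y is down
    out["to_y_after"] = a.forward("10.3.0.9")       # re-routed through Site Z
    out["local"] = a.forward("10.1.0.8")
    out["unrouted"] = a.forward("192.0.2.1")        # no default route in this table
    return out
```

Note that this table deliberately carries no default route toward the Internet; the "Default route attacks" slide later explains why a lost VPN route plus an Internet default is dangerous.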

  • 22/40

    Tunnel mode = Transport mode + IP encapsulation

    Key concept for dynamic routing:

    1) Determine next IPsec hop of the packet, using policy, based on any criteria the routing engine can handle: route to destination (using dynamic information!), protocol, port (socket), even content analysis (URL, etc.)
    2) Construct new encapsulating IP header with source/destination of next IPsec hop
    3) Pass to IPsec process for TRANSPORT mode processing

    Resulting packet is equivalent to tunnel mode, but now it is routed using dynamic routing updates

  • 23/40

    Tunnel mode = Transport mode + IP encapsulation

    [Figure: packet layouts]

    Remember transport mode?  Original IP Header | IPSec ESP Header | Data  (optional encryption covers Data)

    IP-in-IP encapsulation:  New IP Header | Original IP Header | Data  (addresses in the new IP header determine where the packet goes; the original IP header plus Data become the "new Data")

    Transport mode applied to the encapsulated packet:  New IP Header | IPSec ESP Header | Original IP Header | Data  (optional encryption covers the new Data)

    Packet looks like Tunnel Mode!
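The claim on this slide and the previous one, checked byte for byte, as an added example (not the presenter's code): IP-in-IP encapsulation toward the next IPsec hop followed by transport-mode ESP produces exactly the packet tunnel-mode ESP would. The code builds real IPv4 headers (RFC 791 layout, no options) and the 8-byte ESP header (SPI plus sequence number) but performs no encryption or authentication, so the protected region stays readable; the addresses, SPI and payload are constructed.

```python
"""Tunnel mode == transport mode + IP-in-IP, shown on the wire. Example for
this page; no cryptography is applied and all values are constructed."""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_ESP = 50


def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)


def esp_transport(ip_packet, spi, seq):
    """Transport mode: keep the original header (protocol becomes ESP) and insert
    ESP in front of the original payload. The original protocol number would
    travel in the ESP trailer, which is not modelled here."""
    ttl = ip_packet[8]
    src = str(ipaddress.IPv4Address(ip_packet[12:16]))
    dst = str(ipaddress.IPv4Address(ip_packet[16:20]))
    payload = esp_header(spi, seq) + ip_packet[20:]
    return ipv4_header(src, dst, IPPROTO_ESP, len(payload), ttl) + payload


def esp_tunnel(ip_packet, outer_src, outer_dst, spi, seq):
    """Tunnel mode: new outer header, ESP, then the entire original packet."""
    payload = esp_header(spi, seq) + ip_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(payload)) + payload


def ip_in_ip(ip_packet, outer_src, outer_dst):
    """Plain IP-in-IP (protocol 4): the original packet becomes the new data, and
    the new header's addresses decide where it goes."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(ip_packet)) + ip_packet


def describe(packet):
    """Name each layer in the header chain, for display."""
    layers, pos = [], 0
    while pos < len(packet):
        if pos + 20 > len(packet) or packet[pos] != 0x45:
            layers.append(f"data {len(packet) - pos} bytes")
            break
        proto = packet[pos + 9]
        src = ipaddress.IPv4Address(packet[pos + 12:pos + 16])
        dst = ipaddress.IPv4Address(packet[pos + 16:pos + 20])
        layers.append(f"IP {src}->{dst} proto={proto}")
        pos += 20
        if proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", packet[pos:pos + 8])
            layers.append(f"ESP spi={spi:#x} seq={seq}")
            pos += 8
    return layers


def demo():
    inner = ipv4_header("10.1.0.5", "10.3.0.9", 17, 4) + b"ping"   # constructed inner packet
    gw_a, gw_y, spi, seq = "203.0.113.1", "198.51.100.2", 0x1000, 1
    tunnel = esp_tunnel(inner, gw_a, gw_y, spi, seq)
    routed = esp_transport(ip_in_ip(inner, gw_a, gw_y), spi, seq)
    return {"equal": tunnel == routed,
            "tunnel": describe(tunnel),
            "transport_only": describe(esp_transport(inner, spi, seq))}
```

Because the two byte strings are identical, the receiving gateway cannot tell which method built the packet; the only difference is that the outer addresses came from a routing decision made before IPsec rather than from an SA selector.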

  • 24/40

    Routing with VPN tunnels

    What is a VPN TUNNEL? An IPsec SA with NO effective address filters

    - May be IPsec tunnel mode or IP-in-IP over transport mode
    - It allows ANY IP traffic (unicast/multicast) to pass
    - It allows routing protocols to pass
    - Its end points are the IPsec gateway interfaces
    - It still protects all traffic with encryption
    - It is like an Ethernet, ATM, or Frame Relay link over the Internet, but secured by IPsec

    Since you can't use the IPsec tunnel definitions or filters to select destinations, you MUST route before putting the traffic into an IPsec VPN tunnel

  • 25/40

    Routing with VPN Tunnels: Requirements for IPsec Gateways

    - Full-power router inside the IPsec gateway, with traffic and route filters, even firewalls
    - Ability to separate VPN routes from external (untrusted network) and local routes
    - Ability to use the endpoint of the IPsec VPN Tunnel just like any IP-capable interface
      - To pass routed traffic
      - To send and receive routing protocols

  • 26/40

    Agenda

    - Setting the stage: IPsec topology background
    - Dynamic routing in IPsec
    - Attack and defense
      - Attacks from the Internet: remote access split tunnel, denial of service
      - Internal branch-to-branch attacks: routing attacks, misconfigurations
    - Requirements: securing IPsec routing

  • 27/40

    Remote Access IPsec VPN routing attack

    [Figure: remote client to IPsec gateway across the untrusted network (Internet), trusted network behind the gateway]

    - Split tunneling
      - Captive tunnel: client's default route points into tunnel to IPsec gateway; other routes not allowed
      - Split tunnel: client's default route is into Internet; specific routes to trusted network are loaded into client's routing table by IPsec gateway
    - Denial of Service attacks
      - Various attacks to waste gateway's resources (bandwidth, open connections, processing time, etc.)
      - Not the subject of this talk (but interesting!)

  • 28/40

    [Figure: No Split Tunneling: the remote client reaches both the trusted network and an Internet host only through the IPsec gateway and the firewall. Split Tunneling: the remote client reaches the trusted network through the IPsec gateway but the Internet host directly.]

  • 29/40

    Why allow split tunneling?

    - Avoid wasting bandwidth at VPN hub site: Internet traffic of clients would traverse the hub site (can be avoided by policy blocking Internet access during remote access, forcing client to log out of VPN)
    - Short DHCP/PPPoE leases may require frequent contact to server at client's ISP; can't contact server if all routes point to VPN tunnel
    - Convenience of keeping VPN connection up during other Internet access

  • 30/40

    Split Tunneling Potential Attacks

    - FTP relay through client: client running FTP server can become conduit from Internet into trusted network
    - Other similar services running on client: tftp, smtp, or custom relay application, maybe malicious application
    - RAT (Remote Access Trojan) on client: Back Orifice, etc.
    - PC Anywhere (not a Trojan but same issue)
    - Allow remote control of PC, and thus potential access to trusted network

  • 31/40

    Split Tunneling Defenses

    - Prevent split tunneling
      - Corporate policy decision
      - Enforcement through gateway/client software capabilities
        - Gateway sends only default route to client
        - Client s/w reads routing table on client, reports to gateway and/or blocks access if routes are found
    - Prevent active relay services or remote control
      - Break connection if unexpected port is open on client
    - Both defenses depend on client software's ability to determine true state of client machine; depends on operating system and multitasking, multiprocessing capabilities of client system
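The two client-side checks on this slide (read the routing table and flag routes that bypass the tunnel; flag unexpected listening ports), as an added example that is not the presenter's or any VPN client's code. The input is constructed text in the format of Linux `ip route show` and `ss -ltn`; the tunnel interface name, the gateway address, the LAN prefix and the port allowlist are assumptions. The host route to the VPN gateway's public address is allowed because the client needs it to reach the gateway at all.

```python
"""Split-tunnel and open-port posture checks over constructed command output.
Example for this page; interface names, addresses and allowlist are assumed."""
import re

ROUTES_CAPTIVE = """\
default via 10.255.0.1 dev tun0
10.255.0.0/24 dev tun0 proto kernel scope link src 10.255.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.1 via 192.168.1.1 dev wlan0
"""  # constructed: captive tunnel, only the gateway itself is reached directly

ROUTES_SPLIT = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.255.0.1 dev tun0
10.255.0.0/24 dev tun0 proto kernel scope link src 10.255.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""  # constructed: split tunnel, the default route goes straight to the Internet

LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       5             0.0.0.0:21          0.0.0.0:*
LISTEN  0       128         127.0.0.1:631         0.0.0.0:*
"""  # constructed ss -ltn output: sshd, an FTP server, a loopback-only print spooler


def parse_routes(text):
    """(destination, device) pairs from `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((parts[0], dev))
    return routes


def split_tunnel_violations(route_text, vpn_iface, vpn_gateway, lan_prefix):
    """Destinations reachable without the VPN. Allowed: anything via the tunnel
    interface, the host route to the gateway, and the connected LAN subnet."""
    bad = []
    for dst, dev in parse_routes(route_text):
        if dev == vpn_iface or dst == vpn_gateway or dst == lan_prefix:
            continue
        bad.append(dst)
    return bad


def unexpected_listeners(ss_text, allowed_ports):
    """Ports listening on non-loopback addresses that are not on the allowlist;
    these are what an FTP or remote-control relay from the Internet would use."""
    bad = []
    for line in ss_text.splitlines()[1:]:
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("127.") or port in allowed_ports:
            continue
        bad.append(port)
    return bad


def client_posture(route_text, ss_text):
    """What the client software would report to the gateway (assumed policy)."""
    return {"bypass_routes": split_tunnel_violations(route_text, "tun0", "203.0.113.1", "192.168.1.0/24"),
            "open_ports": unexpected_listeners(ss_text, allowed_ports={22})}
```

As the slide says, the result is only as trustworthy as the client's ability to see its own true state; a compromised client can lie about both tables, so the gateway-side "default route only" enforcement is the stronger half of the defense.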

  • 32/40

    Branch-to-Branch IPsec VPN Routing Issues

    - Misconfiguration
    - Default route issues
    - Internal routing attack

    [Figure: two trusted networks, each behind a firewall and an IPSec gateway, connected across the untrusted network (Internet); at each site the question is "Default route?"]

  • 33/40

    Security risks of incorrect routing in IPsec VPNs

    - Traffic may be forced over an unprotected path: may be intercepted
    - Traffic goes toward wrong destination: doesn't get to correct destination, may be intercepted
    - Traffic follows wrong path toward correct destination: may be intercepted

  • 34/40

    Attacks on routing

    - Injection of routes inside a site
      - Malicious: routing process running on compromised host or router
        - Redirect traffic toward a compromised system internal to trusted network
        - Redirect via default route over unprotected path through untrusted network
      - Misconfiguration
        - Advertising routes via unprotected path
        - Static routes configured in routers
        - Routed (routing daemon) running on unauthorized hosts

  • 35/40

    Protection against routing attacks

    - Routing authentication
      - Options for OSPF: keyed MD5 verifies identity
      - Digital signature allows tracing of bad route information
    - Audit routers for bogus routes
    - Restrict use of routing protocols on hosts
      - Use default route instead
      - Implement redundancy on routers (VRRP) or switches in LAN, not in host routing
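The first two defenses on this slide, as an added example (not the presenter's or any router's code). Part one is a simplified keyed-MD5 check in the spirit of OSPF cryptographic authentication (RFC 2328 Appendix D: a digest over the packet followed by a 16-byte key, a key ID, and a per-neighbour cryptographic sequence number); the message framing used here is an assumption, not the OSPF wire format. Part two audits an accepted advertisement against the prefixes a router is authorized to originate, which catches the injected default route and the more-specific hijack route from the previous slide. All keys, router IDs and prefixes are constructed.

```python
"""Keyed-MD5 verification of routing updates plus a bogus-route audit. Example
for this page; framing, keys, router IDs and prefixes are constructed."""
import hashlib
import hmac
import ipaddress
import struct

KEYS = {1: b"constructed-key-1"}   # key ID -> shared secret (assumed)

# prefixes each router may originate (assumed allowlist, kept by the operator)
AUTHORIZED = {"r-siteX": ["10.2.0.0/16"], "r-siteZ": ["10.4.0.0/16", "10.44.0.0/16"]}


def _key_bytes(key_id):
    return KEYS[key_id].ljust(16, b"\0")[:16]     # RFC 2328 digests use a 16-byte key


def sign_update(router_id, seq, prefixes, key_id=1):
    """Build an update: key ID, sequence number, body, then MD5(body || key)."""
    body = f"{router_id}|{seq}|{','.join(prefixes)}".encode()
    digest = hashlib.md5(body + _key_bytes(key_id)).digest()
    return struct.pack("!BI", key_id, seq) + body + digest


class Neighbor:
    """Receiving side: checks key, digest and sequence before using an update."""

    def __init__(self):
        self.last_seq = {}     # router_id -> highest sequence number accepted

    def verify_update(self, msg):
        key_id, seq = struct.unpack("!BI", msg[:5])
        body, digest = msg[5:-16], msg[-16:]
        if key_id not in KEYS:
            return (False, "unknown key id")
        expected = hashlib.md5(body + _key_bytes(key_id)).digest()
        if not hmac.compare_digest(expected, digest):
            return (False, "bad digest")          # forged or modified in transit
        router_id, body_seq, plist = body.decode().split("|")
        if int(body_seq) != seq or seq <= self.last_seq.get(router_id, -1):
            return (False, "replayed or out-of-order sequence")
        self.last_seq[router_id] = seq
        return (True, (router_id, plist.split(",") if plist else []))


def bogus_routes(router_id, prefixes):
    """Prefixes this router may not originate: another site's space, a default
    route, or any route outside its allowlist (a more-specific route inside the
    allowlist is still allowed here; tighten to equality if policy demands)."""
    allowed = [ipaddress.ip_network(p) for p in AUTHORIZED.get(router_id, [])]
    return [p for p in prefixes
            if not any(ipaddress.ip_network(p).subnet_of(a) for a in allowed)]


def demo():
    nb = Neighbor()
    good = sign_update("r-siteX", 10, ["10.2.0.0/16"])
    # same length substitution so only the digest check can catch it
    tampered = good[:-16].replace(b"10.2.0.0/16", b"10.1.0.0/16") + good[-16:]
    r = {"good": nb.verify_update(good),
         "replay": nb.verify_update(good),
         "tampered": nb.verify_update(tampered)}
    ok, (rid, prefixes) = nb.verify_update(
        sign_update("r-siteX", 11, ["10.2.0.0/16", "10.1.0.0/24", "0.0.0.0/0"]))
    r["audit"] = bogus_routes(rid, prefixes) if ok else None
    return r
```

Authentication and audit answer different questions: the digest proves the update came from a holder of the shared key, while the allowlist catches a key holder (or a compromised authorized router) advertising space it should not. The slide's digital-signature option adds per-router attribution that a shared key cannot give.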

  • 36/40

    Default route attacks

    - Where does default route point? To Internet?
      - Lost internal route can result in traffic being sent over Internet
      - Particularly problematic if the destination is reachable via Internet
    - Key solution: policies on firewall
      - No traffic to internal destinations goes out through firewall
      - No traffic from internal source address can come in through firewall
    - Harder solution: no default route to Internet
      - Specific management/advertisement of allowable routes
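The two firewall policies from this slide evaluated against constructed packets, as an added example that is not the presenter's code. The internal address space and the direction labels are assumptions. The `lost_route` case is the slide's scenario: the VPN route to Site Y is gone, the default route hands the packet to the Internet interface, and the egress rule is what stops it from leaving in the clear.

```python
"""Firewall rules against default-route leakage. Example for this page; the
internal prefixes are an assumed corporate address plan."""
import ipaddress

INTERNAL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in INTERNAL)


def firewall_verdict(direction, src, dst):
    """direction: 'out' = leaving toward the Internet, 'in' = arriving from it.
    Returns (verdict, reason)."""
    if direction == "out" and is_internal(dst):
        # An internal destination must never leave through the firewall; it means
        # the VPN route is missing and the default route has taken over.
        return ("drop", "internal destination leaving via default route")
    if direction == "in" and is_internal(src):
        # Internal addresses only arrive through the VPN, never from the Internet.
        return ("drop", "internal source address from the Internet")
    return ("accept", "")


def demo():
    return {
        "web": firewall_verdict("out", "10.1.0.5", "192.0.2.10"),        # normal Internet use
        "lost_route": firewall_verdict("out", "10.1.0.5", "10.3.0.9"),   # VPN route to Y lost
        "spoofed": firewall_verdict("in", "10.3.0.9", "10.1.0.5"),       # internal src from outside
        "reply": firewall_verdict("in", "192.0.2.10", "10.1.0.5"),       # normal reply traffic
    }
```

Both rules belong on the firewall that sits outside the IPsec gateway's routing function, so they apply regardless of what the routing table currently says; the "Securing IPsec Routing" slides below place the firewall functions exactly there.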

  • 37/40

    Securing IPsec Routing: Dynamic Routing Requirements

    [Figure: IPsec Gateway at Site A, as on the "Routing outside IPsec" slide, with firewall functions added in front of the routing function; route exchange via OSPF, RIP, etc.; one SPD/SAD pair per peer toward the Site X, Site Y and Site Z CPEs across the untrusted network]

  • 38/40

    Securing IPsec Routing: Dynamic Routing Requirements

    - Strong firewall capabilities
      - Inbound/outbound
      - Full range stateful inspection capabilities
    - Full router functionality INSIDE the IPsec gateway
      - Route filtering to prevent attacks
      - Ability to separate internal/external routes
      - Ability to see IPsec peer gateways as next-hop for routes learned via IPsec VPN tunnels
      - Apply the routing rules by encapsulating the traffic, with next IPsec hop as the destination

  • 39/40

  • 40/40

    Questions???

    Thank You!