secure communications: the ipsec roledsie10/presentations... · 12 secure communications: the ipsec...

URL: www.fe.up.pt/dsie10 E-mail:[email protected]

Secure Communications:

The IPsec Role

Jorge Pinto Leite

[email protected]

http://www.fe.up.pt/dsie10

2

Secure Communications: The IPsec Role

Communications links are widely used for

various purposes

Increasing every day

Sometimes, without any security concern

As an example, 53,3% of the online payment by Internet

during 2009 in Portugal has been done providing the

codes of the personal credit or debit card (INE)

3


This facts shows the need for a security

protocol specially when communicating with

sensitive data

Banks

Health

Professional (employer, between companies,…)

Personal (plan trips, buying tickets or goods, …)

4


When IPv6 started being developed, security

was in the mind of everyone involved

But what about IPv4?

It has a lack of any kind of mechanism to ensure

the privacy and authenticity

When datagrams are routed over unknown

networks, the information could be intercepted

and/or changed

5


As IPv6 deployment is expected to happen in

a large period, a security protocol to protect

the data with the existing protocol, IPv4, was

needed

As an huge IP layered infrastructure was already

implemented

6


IPsec

Internet Protocol Security

Provides security over the TCP stack

Its architecture can be

Integrated

“Bump In The Stack”

“Bump In The Wire”

7


What is the “must do” for a security protocol

that all expect?

Authenticity

Confidentiality

Integrity

8


IPsec provides this by using

Two protocol variants

Authentication Header (AH)

Encapsulating Security Payload (ESP)

Two modes of operation

Transport

Tunnel

It constructs a Security Association (SA)

between the end points (peers)

9


Authentication Header

AH provides connectionless integrity and data

origin authentication for IP datagrams

Also provides protection against replays

This facility is optional and may be selected by the

receiver after a SA is established

It implies that the SA management protocol should be

able to negotiate this feature

10


Authentication Header

The authentication is for the whole IP datagram

except for the ones changed in traffic

The integrity algorithm employed is specified by

the SA

The most recent definition of IPsec (version 3)

specifies that implementations MAY support AH

11


Encapsulating Security Payload

Provides confidentiality, data origin authentication,

connectionless integrity, an anti-replay service

and (limited) traffic flow confidentiality

Depending on the configuration options selected when

the SA is established

The anti-replay option has same operation mode of the

AH protocol

IPsec implementations MUST support ESP

12


Encapsulating Security Payload

The encryption algorithms are specified by the SA

The mandatory-to-implement algorithms to be used are

object of a separated RFC (RFC 4835 is the last update)

to facilitate updating the requirements

Dummy packets can (should?) be inserted at random

intervals to mask the absence of actual traffic

The objective is to look like a continuous stream of data

13


Transport mode

It’s objective is to protect the upper OSI model

layers but leaving unaltered the IP header

Original IP header AH header Payload

authenticated except for the IP header fields changeable during traffic

Original IP header ESP header Payload Trailer ESP ESP authentication

encrypted

authenticated

14


Tunnel mode

It’s objective is to protect the upper OSI layers

including the IP header (meaning, the OSI layer 3 itself)

New IP header AH header Original IP header Payload

authenticated except for the IP header fields changeable during traffic

New IP

header

ESP header Original IP

header

Payload Trailer

ESP

ESP authentication

encrypted

authenticated

15


Transport mode Tunnel mode

Source: http://www.tcpipguide.com/free/t_IPSecModesTransportandTunnel.htm, accessed on the 5th Nov 2009

16


Experimental lab test

192.168.0.5/30

192.168.0.2/30 192.168.0.10/30

192.168.0.6/30

(1)

IPsec was configured in both routers with AH and ESP

(1) Station with Wireshark ® installed with the NIC in promiscuous mode

http://images.google.pt/imgres?imgurl=http://www2.ufersa.edu.br/portal/view/uploads/setores/21/arquivos/LABCOMP/wireshark.png&imgrefurl=http://www2.ufersa.edu.br/portal/cursos/graduacao/ciencias_da_computacao/1057&usg=__ESa3oFNX7a2Dd56NVjI6R19Ol2U=&h=200&w=200&sz=19&hl=pt-PT&start=4&tbnid=rIdK1o3X9qmcLM:&tbnh=104&tbnw=104&prev=/images%3Fq%3Dwireshark%26gbv%3D2%26hl%3Dpt-PT

17


Test message sent from 192.168.0.10/30

was Echo request (ICMP message type 8)

ICMP packet (type 08)

Source and destination IP of the PC’s (0xc0a8000a = 192.168.0.10 and 0xc0a80002 = 192.168.0.2)

18


Transport mode

Source and destination IP remains equal (0xc0a8000a = 192.168.0.10 and 0xc0a80002 = 192.168.0.2)

The protocol field in IPv4 header points to AH (0x33 = 51(10))The protocol of AH header points to ESP (0x32 = 50(10))

19


Tunnel mode

The protocol field in IPv4 header points to AH (0x33 = 51(10))and the “protocol” in AH header points to ESP (0x32 = 50(10))

Source and destination IP changed to the peers external IP’s(0xc0a8006a = 192.168.0.06 and 0xc0a80005 = 192.168.0.5)

20


Advantages

Authentication

Anti-replay

Confidentiality

Traffic flow confidentiality

Disadvantages

Time and processing power consuming

Overhead

Other disadvantages

21


The overhead problem

Original IP datagram size 3C16

IP datagram size after applying IPsec with both

security protocol algorithms 6C16

Overhead 80%

22


Thank you

Any questions?

Jorge Pinto Leite

[email protected]

secure communications: the ipsec roledsie10/presentations... · 12 secure communications: the ipsec...

Documents