Network Layer Security: IPSec
Overview
IPSec is an Internet standard for network layer security components:
– an authentication protocol (Authentication Header – AH)
– a combined encryption and authentication protocol (Encapsulated Security Payload – ESP)
– key management protocols (the default is ISAKMP/Oakley)
important RFCs
– RFC 2401: an overview of the IPSec security architecture
– RFC 2402: specification of AH
– RFC 2406: specification of ESP
– RFC 2408: specification of ISAKMP
– RFC 2412: specification of Oakley
IPSec is mandatory for IPv6 and optional for IPv4
IPSec services
                                      AH   ESP (encryption   ESP (encryption and
                                           only)             authentication)
integrity                             x                      x
data origin authentication            x                      x
replay detection                      x    x                 x
confidentiality                            x                 x
limited traffic flow confidentiality       x                 x
Security associations (SA)
an SA is a one-way relationship between a sender and a receiver system
an SA is used either for AH or for ESP but never for both
an SA is uniquely identified by three parameters
– Security Parameters Index (SPI)
  • a bit string assigned to the SA
  • carried in AH and ESP headers to allow the receiving party to select the SA which must be used to process the packet
– IP destination address
  • address of an end-system or a network element (e.g., router)
– security protocol identifier
  • indicates whether the SA is an AH or an ESP SA
SA parameters
sequence number counter
– counts the packets sent using this SA
sequence counter overflow flag
– indicates whether overflow of the sequence number counter should prevent further transmission using this SA
anti-replay window
– used to determine whether an inbound AH or ESP packet is a replay
AH / ESP information
– algorithm, key, and related parameters
lifetime
– a time interval or byte count after which this SA must be terminated
protocol mode
– tunnel or transport mode
path MTU
– any observed maximum transmission unit
SA selectors
Security Policy Database (SPD)
– each entry defines a subset of IP traffic and points to the SAs to be applied to that traffic
– subset of IP traffic is defined in terms of selectors
  • destination IP address (single, enumerated list, range, or mask)
  • source IP address (single, enumerated list, range, or mask)
  • transport layer protocol (single, enumerated list, or range)
  • destination port (single, enumerated list, range, or wildcard)
  • …
outbound processing
– compare the selector fields of the packet to the values in the SPD
– determine which SAs should be used for the packet and their SPIs
– do the required IPSec processing
Modes of operation
transport mode
– provides protection primarily for upper layer protocols
– protection is applied to the payload of the IP packet
  • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
  • AH in transport mode authenticates the IP payload and selected fields of the IP header
– usually used between end-systems
tunnel mode
– provides protection to the entire IP packet
– the entire IP packet is considered as payload and encapsulated in another IP packet (with potentially different source and destination addresses)
  • ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet
  • AH in tunnel mode authenticates the entire inner IP packet and selected fields of the outer IP header
– usually used between security gateways (routers, firewalls)
Authentication Header – AH
Next header
– type of header immediately following this header (e.g., TCP, IP, etc.)
Payload length
– length of AH (in 32 bit words) minus 2
– e.g., 4 if Authentication data is 3x32 bits long
Security Parameters Index
– identifies the SA used to generate this header
Sequence number
– sequence number of the packet
Authentication data
– a (truncated) MAC (default length is 3x32 bits)

AH header format (bit offsets 0, 8, 16, 31):

 0        8        16               31
+--------+--------+-----------------+
|Next hdr|Pay len |    Reserved     |
+--------+--------+-----------------+
|  Security Parameters Index (SPI)  |
+-----------------------------------+
|          Sequence number          |
+-----------------------------------+
| Authentication data (variable len)|
+-----------------------------------+
Replay detection
replay: the attacker obtains an authenticated packet and later transmits (replays) it to the intended destination
receiver has an anti-replay window of default size W = 64

[Figure: a sliding window over received sequence numbers (drawn with a window of size 7), its right edge at the last received packet. Packets to the left of the window are dropped; packets inside the window are marked if the MAC is correct, otherwise dropped; packets to the right of the window advance the window if the MAC is correct, otherwise are dropped.]
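The receiver-side window logic from the figure, as an added example written for these notes (not code from any IPSec stack). The MAC check is represented by a boolean argument so that the window bookkeeping can be exercised by itself; the trace below uses the slide's window of size 7 and is constructed.

```python
# Anti-replay window kept per inbound SA: `top` is the highest sequence
# number accepted so far, bit i of `bitmap` records whether sequence number
# top - i has been received. Default size W = 64.

class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq, mac_ok):
        """Return True if the packet is accepted; state changes only on accept."""
        if seq == 0:                          # sequence numbers start at 1
            return False
        if seq > self.top:                    # right of the window
            if not mac_ok:
                return False                  # bad MAC: drop, window unchanged
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0               # jumped past the whole window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                  # mark the new top
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # left of the window: too old
            return False
        if self.bitmap & (1 << offset):       # inside, already marked: replay
            return False
        if not mac_ok:                        # inside, new slot, bad MAC
            return False
        self.bitmap |= 1 << offset            # inside, new slot, good MAC: mark
        return True

def run_trace(size, trace):
    """Feed (sequence number, mac_ok) pairs through one window; return the decisions."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(seq, ok) for seq, ok in trace]

if __name__ == "__main__":
    # constructed trace: in-order, reordered, replayed, far-ahead and stale packets
    print(run_trace(7, [(1, True), (3, True), (2, True), (3, True), (10, True),
                        (2, True), (4, True), (5, False), (5, True), (12, False), (11, True)]))
```

Note the order of the checks: a packet inside the window is rejected as a replay before its MAC is verified, which saves the MAC computation on replayed traffic, but the window is only advanced or marked after a successful MAC check, so forged sequence numbers cannot push the window forward.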
MAC implementations must support
– HMAC-MD5-96
– HMAC-SHA1-96
the MAC is calculated over
– IP header fields that do not change in transit
– the AH header fields except the Authentication data field
– entire upper layer protocol data
the fields not covered by the MAC are set to 0 for the calculation

[Figure: IP header | AH | payload, with the mutable IP header fields (e.g., TTL, header checksum) and the AH Authentication data field shown as 0000...; the MAC computed over the remaining fields is written into the Authentication data field.]
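The AH header layout and MAC scope from the two slides above, as an added example written for these notes (not code from any IPSec implementation). It builds an IPv4 transport-mode AH packet with HMAC-SHA1-96, zeroes the mutable TTL and header checksum fields and the Authentication data field for the MAC computation, and shows that a TTL decrement by an intermediate router does not break verification while payload tampering does. The addresses, key and payload are constructed; the IPv4 header is minimal (no options).

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51
AUTH_LEN = 12                                  # truncated MAC, 3x32 bits
KEY = b"constructed-demo-key-not-for-real-use"  # constructed, not a real SA key
IP_FMT = "!BBHHHBBH4s4s"                       # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, total_len, ttl=64, checksum=0):
    # version 4, IHL 5; identification is a made-up constant
    return struct.pack(IP_FMT, (4 << 4) | 5, 0, total_len, 0x1234, 0,
                       ttl, proto, checksum, src, dst)

def ah_fixed_part(next_header, spi, seq, auth_len=AUTH_LEN):
    # Payload length = length of AH in 32-bit words minus 2 (4 for a 3-word MAC)
    payload_len = (12 + auth_len) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)

def ah_mac(ip_hdr, ah_fixed, upper, key=KEY, auth_len=AUTH_LEN):
    """HMAC-SHA1-96 over: IP header with mutable fields zeroed, the AH fixed
    fields, a zeroed Authentication data field, and the upper layer data."""
    fields = list(struct.unpack(IP_FMT, ip_hdr[:20]))
    fields[5] = 0                              # TTL changes in transit
    fields[7] = 0                              # header checksum changes with TTL
    covered = struct.pack(IP_FMT, *fields) + ah_fixed + b"\x00" * auth_len + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:auth_len]

def build_ah_packet(src, dst, upper, spi, seq, ttl=64):
    """Transport mode: original IP header | AH | TCP/UDP header and data."""
    total_len = 20 + 12 + AUTH_LEN + len(upper)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, total_len, ttl=ttl)
    ah_fixed = ah_fixed_part(IPPROTO_TCP, spi, seq)
    return ip_hdr + ah_fixed + ah_mac(ip_hdr, ah_fixed, upper) + upper

def verify_ah_packet(pkt, key=KEY):
    """Receiver: derive the MAC length from Payload length, recompute, compare
    in constant time. Returns (ok, spi, seq)."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    _, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    auth_len = (payload_len + 2) * 4 - 12
    mac, upper = pkt[32:32 + auth_len], pkt[32 + auth_len:]
    ok = hmac.compare_digest(mac, ah_mac(ip_hdr, ah_fixed, upper, key, auth_len))
    return ok, spi, seq

if __name__ == "__main__":
    pkt = build_ah_packet(bytes([10, 1, 0, 1]), bytes([10, 2, 0, 1]), b"hello", 0x1001, 1)
    hopped = pkt[:8] + bytes([63]) + pkt[9:]   # a router decremented the TTL
    print(verify_ah_packet(pkt), verify_ah_packet(hopped))
```

The receiver must zero the same fields the sender did; if the header checksum were included, every hop that rewrites the TTL would invalidate the MAC, which is exactly why AH excludes mutable fields rather than the whole IP header.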
AH in transport and tunnel mode
AH in transport mode
– original IPv4 packet: original IP header | TCP/UDP header | data
– with AH: original IP header | AH | TCP/UDP header | data
– authenticated except for mutable fields in the IP header
AH in tunnel mode
– new IP header | AH | original IP header | TCP/UDP header | data
– authenticated except for mutable fields in the outer IP header
Encapsulating Security Payload – ESP
Security Parameters Index
– identifies the SA used to generate this encrypted packet
Sequence number
payload
– transport level segment (transport mode) or encapsulated IP packet (tunnel mode)
padding
– variable length padding
Pad length
Next header
– identifies the type of data contained in the payload
Authentication data
– a (truncated) MAC computed over the ESP packet (SPI ... Next header)

ESP packet format (bit offsets 0, 16, 24, 31):

 0                16       24      31
+---------------------------------+
| Security Parameters Index (SPI) |
+---------------------------------+
|         Sequence number         |
+---------------------------------+
|    payload (variable length)    |
+-----------------+-------+-------+
| padding (0-255) |Pad len|Next hd|
+-----------------+-------+-------+
| Authentication data (var. len)  |
+---------------------------------+
Encryption and MAC algorithms
encryption
– applied to the payload, padding, pad length, and next header fields
– if an IV is needed, then it is explicitly carried at the beginning of the payload data (the IV is not encrypted)
– implementations must support DES-CBC
– other suggested algorithms: 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish
MAC
– default length is 3x32 bits
– implementations must support HMAC-MD5-96 and HMAC-SHA1-96
– MAC is computed over the SPI, sequence number, and encrypted payload, padding, pad length, and next header fields
– unlike in AH, here the MAC does not cover the preceding IP header
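The ESP framing and MAC scope from the two slides above, as an added example written for these notes (not code from any IPSec implementation). It shows the padding rule that makes payload + padding + pad length + next header a multiple of the block size, the explicit unencrypted IV at the front of the payload, HMAC-SHA1-96 over SPI | sequence number | encrypted part and nothing before it, and verify-then-decrypt on the receiving side. The Python standard library has no DES, so the cipher here is a stand-in keystream derived from HMAC-SHA1 in counter mode; it keeps the 8-byte block alignment of DES-CBC but is not an IPSec cipher. Keys, SPI and data are constructed.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8              # DES-CBC block size; used only for alignment here
IV_LEN = 8
ENC_KEY = b"constructed-esp-encryption-key"      # constructed
MAC_KEY = b"constructed-esp-authentication-key"  # constructed
IPPROTO_TCP = 6

def _keystream(key, iv, n):
    # Stand-in for DES-CBC: HMAC-SHA1 in counter mode, keyed by the ESP key and IV
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha1).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def add_trailer(plain, next_header):
    """Pad with 1, 2, 3, ... so that len(plain) + pad + 2 is a multiple of BLOCK,
    then append Pad length and Next header."""
    pad_len = (-(len(plain) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))
    return plain + padding + bytes([pad_len, next_header])

def esp_encapsulate(spi, seq, plain, next_header=IPPROTO_TCP, iv=None):
    """ESP packet: SPI | seq | IV | encrypted(payload|padding|padlen|nexthdr) | MAC."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    body = add_trailer(plain, next_header)
    ct = _xor(body, _keystream(ENC_KEY, iv, len(body)))
    hdr = struct.pack("!II", spi, seq)
    mac = hmac.new(MAC_KEY, hdr + iv + ct, hashlib.sha1).digest()[:12]
    return hdr + iv + ct + mac

def esp_decapsulate(pkt):
    """Verify the MAC first; decrypt and check padding only if it is valid.
    Returns (next_header, data) or None."""
    hdr, iv, ct, mac = pkt[:8], pkt[8:16], pkt[16:-12], pkt[-12:]
    expected = hmac.new(MAC_KEY, hdr + iv + ct, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(mac, expected):
        return None
    body = _xor(ct, _keystream(ENC_KEY, iv, len(ct)))
    pad_len, next_header = body[-2], body[-1]
    if body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None
    return next_header, body[:-2 - pad_len]

if __name__ == "__main__":
    pkt = esp_encapsulate(0x1001, 7, b"hello")
    print(len(pkt), esp_decapsulate(pkt))
```

Because the MAC covers only the ESP header and the encrypted part, the IP header in front of it can be rewritten by NAT or routers without affecting verification, which is the contrast with AH the slide draws; the price is that the source and destination addresses are not authenticated by ESP alone.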
ESP in transport and tunnel mode
ESP in transport mode
– original IPv4 packet: original IP header | TCP/UDP header | data
– with ESP: original IP header | ESP header | TCP/UDP header | data | ESP trailer | ESP MAC
– encrypted: TCP/UDP header through ESP trailer; authenticated: ESP header through ESP trailer
ESP in tunnel mode
– new IP header | ESP header | original IP header | TCP/UDP header | data | ESP trailer | ESP MAC
– encrypted: original IP header through ESP trailer; authenticated: ESP header through ESP trailer
Combining security associations
basic ESP-AH combination
1. apply ESP in transport mode without authentication
2. apply AH in transport mode
– resulting packet: original IP header | AH | ESP header | TCP/UDP header | data | ESP trailer
– authenticated except for mutable fields in the IP header
basic AH-ESP combination
1. apply AH in transport mode
2. apply ESP in tunnel mode without authentication
– resulting packet: new IP header | ESP header | original IP header | AH | TCP/UDP header | data | ESP trailer
– authenticated except for mutable fields in the inner IP header
Combining security associations cont’d
case 1: host-to-host security
[Figure: host in a local intranet – Internet – host in another local intranet; one or more SAs end-to-end between the two hosts]
Combining security associations cont’d
case 2: gateway-to-gateway security
[Figure: local intranet – gateway – Internet – gateway – local intranet; a single tunnel SA between the two gateways]
Combining security associations cont’d
case 3: host-to-gateway security
[Figure: remote host – Internet – gateway – local intranet; a single tunnel SA between the host and the gateway]
Combining security associations cont’d
combinations of the 3 cases
[Figure: local intranet – gateway – Internet – gateway – local intranet; a single tunnel SA between the gateways carrying one or more end-to-end SAs between the hosts]
Key management
two types must be supported by implementations
– manual
  • system administrator configures each system with the necessary keys
– automated
  • on-demand creation of keys for SAs
default automated method is ISAKMP/Oakley
– Oakley key determination protocol
  • a key exchange protocol based on Diffie-Hellman
  • provides added security (e.g., authentication)
– ISAKMP – Internet Security Association and Key Management Protocol
  • provides a framework for key exchange
  • defines message formats that can carry the messages of various key exchange protocols
Oakley key determination protocol
problems with basic DH:
– it is subject to a man-in-the-middle type attack
– it is vulnerable to a clogging attack
  • attacker sends fake DH messages to a victim from a forged IP address
  • victim starts performing modular exponentiations to compute a secret key
  • victim can be blocked with useless work
added security features of Oakley
– cookie exchange to thwart clogging attacks
  • hash(src IP addr, dst IP addr, src UDP port, dst UDP port, local secret)
  • local secret is periodically changed
– uses nonces to detect replay attacks
– authenticates the DH exchange to thwart man-in-the-middle attacks
  • based on digital signatures, public key encryption, or symmetric key encryption
– enables the parties to negotiate the global parameters of the DH exchange (e.g., the prime p that defines the group and the generator g of the group)
  • few predefined groups
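The cookie mechanism from the slide, as an added example written for these notes (not code from any IKE implementation). The responder computes its cookie as a keyed hash of (src IP, dst IP, src UDP port, dst UDP port, local secret), keeps no state and does no exponentiation until the initiator echoes a valid cookie; rotating the local secret invalidates cookies issued earlier. The ordering shown here (responder exponentiates only after the cookie comes back) is one way to use the cookie; the conservative exchange on the following slide sends g^y in the second message. The group is a small constructed one (the Mersenne prime 2^127 - 1 with generator 3) for readability, not one of the predefined Oakley groups; HMAC-SHA256 stands in for the slide's unspecified hash.

```python
import hashlib
import hmac
import os
import secrets

P = (1 << 127) - 1      # constructed toy group: a Mersenne prime, not an Oakley group
G = 3

class Responder:
    def __init__(self):
        self.secret = os.urandom(16)   # local secret, changed periodically
        self.state = {}                # per-exchange state, created only after the cookie check

    def rotate(self):
        """Periodic change of the local secret: all earlier cookies stop verifying."""
        self.secret = os.urandom(16)

    def cookie(self, src_ip, dst_ip, src_port, dst_port):
        msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def first_message(self, addr4):
        """Message 1 arrives: answer with our cookie only, no modular exponentiation."""
        return self.cookie(*addr4)

    def second_message(self, addr4, cky_r, g_x):
        """Echoed cookie arrives: recompute and compare; only then do the DH work."""
        if not hmac.compare_digest(cky_r, self.cookie(*addr4)):
            return None                # forged or stale cookie: no state, no work
        y = secrets.randbelow(P - 2) + 1
        g_y = pow(G, y, P)
        self.state[cky_r] = pow(g_x, y, P)
        return g_y

def run_exchange(resp, addr4, forged_cookie=None):
    """Initiator side; returns True if both ends derive the same g^xy,
    None if the responder refused to proceed."""
    x = secrets.randbelow(P - 2) + 1
    g_x = pow(G, x, P)
    cky_r = resp.first_message(addr4)
    g_y = resp.second_message(addr4, forged_cookie if forged_cookie else cky_r, g_x)
    if g_y is None:
        return None
    return pow(g_y, x, P) == resp.state[cky_r]

if __name__ == "__main__":
    r = Responder()
    addr = ("192.0.2.10", "198.51.100.5", 500, 500)   # constructed addresses, UDP 500
    print(run_exchange(r, addr), run_exchange(r, addr, forged_cookie=bytes(8)))
```

A message carrying a forged source address never gets past the cookie check, because the attacker would have to receive the cookie at that address to echo it; the responder's cost per unsolicited message is one hash rather than one exponentiation.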
Oakley example – conservative
I → R: CKYi | 0 | OK_KEYX | GRP | g^x | EHAO
R → I: CKYr | CKYi | OK_KEYX | GRP | g^y | EHAS
I → R: CKYi | CKYr | OK_KEYX | GRP | g^x | NIDP | IDi | IDr | {Ni}Kr
R → I: CKYr | CKYi | OK_KEYX | GRP | NIDP | { Nr | Ni }Ki | IDr | IDi | MAC(Kir, IDr | IDi | GRP | g^y | g^x | EHAS )
I → R: CKYi | CKYr | OK_KEYX | GRP | NIDP | MAC(Kir, IDi | IDr | GRP | g^x | g^y | EHAS )
where
– CKY: cookie
– OK_KEYX: message type is Oakley key exchange
– GRP: group
– EHAO/EHAS: encryption, hash, authentication alg. offered/selected
– NIDP: no ID protection
– N: nonce
and
– Kir = hash( Ni | Nr )
– shared secret key = f( Ni, Nr, g^xy, CKYi, CKYr )
Oakley example – aggressive
I → R: CKYi | 0 | OK_KEYX | GRP | g^x | EHAO | NIDP | IDi | IDr | Ni | 0 | Sig( Ki^-1, IDi | IDr | Ni | 0 | GRP | g^x | 0 | EHAO )
R → I: CKYr | CKYi | OK_KEYX | GRP | g^y | EHAS | NIDP | IDr | IDi | Nr | Ni | Sig( Kr^-1, IDr | IDi | Nr | Ni | GRP | g^y | g^x | EHAS )
I → R: CKYi | CKYr | OK_KEYX | GRP | g^x | NIDP | IDi | IDr | Ni | Nr | Sig( Ki^-1, IDi | IDr | Ni | Nr | GRP | g^x | g^y | EHAS )
ISAKMP generic message format
ISAKMP header followed by a generic payload header (bit offsets 0, 8, 16, 24, 31):

 0        8        16       24      31
+-----------------------------------+
|          Initiator cookie         |
|                                   |
+-----------------------------------+
|          Responder cookie         |
|                                   |
+--------+----+----+--------+-------+
|Next pld|MjVr|MnVr|Exch typ| Flags |
+--------+----+----+--------+-------+
|            Message ID             |
+-----------------------------------+
|              Length               |
+--------+--------+-----------------+
|Next pld|Reserved| Payload length  |
+--------+--------+-----------------+
|              payload              |
+-----------------------------------+

Next payload
– type of next payload (e.g., transform, key exchange, certificate, …)
– 0 if this is the last payload
Exchange type
– 5 default exchange types (base, ID protection, auth only, aggressive, informational)
Message ID
– unique ID of this message
Length
– length of header + all payloads
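The header layout and Next payload chaining above, as an added example written for these notes (not code from any ISAKMP implementation). It packs a message from a list of payloads, then parses it back by walking the chain, with the bounds checks a receiver needs: the header Length must equal the datagram size, every payload length must be at least the 4-byte payload header and must not overrun the message, and nothing may remain after the last payload. Field widths and the payload/exchange type numbers follow RFC 2408; the sample message is constructed.

```python
import struct

HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange type, flags, message ID, length
PLD = struct.Struct("!BBH")          # next payload, reserved, payload length

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D"}
EXCHANGE_NAMES = {1: "base", 2: "identity protection", 3: "authentication only",
                  4: "aggressive", 5: "informational"}

def build_message(cky_i, cky_r, exchange_type, msg_id, payloads, major=1, minor=0):
    """payloads: list of (type number, body bytes). Each payload's Next payload
    field names the type of the one after it; the last carries 0."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PLD.pack(nxt, 0, PLD.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    length = HDR.size + len(body)
    return HDR.pack(cky_i, cky_r, first, (major << 4) | minor,
                    exchange_type, 0, msg_id, length) + body

def parse_message(buf):
    """Return (header dict, [(payload type name, body)]); raise ValueError if malformed."""
    if len(buf) < HDR.size:
        raise ValueError("truncated header")
    cky_i, cky_r, nxt, ver, etype, flags, msg_id, length = HDR.unpack_from(buf)
    if length != len(buf):
        raise ValueError("length field does not match message size")
    hdr = {"cky_i": cky_i, "cky_r": cky_r, "version": (ver >> 4, ver & 0xF),
           "exchange": EXCHANGE_NAMES.get(etype, f"unknown({etype})"),
           "flags": flags, "msg_id": msg_id}
    payloads, off = [], HDR.size
    while nxt != 0:
        if off + PLD.size > len(buf):
            raise ValueError("truncated payload header")
        nxt2, _, plen = PLD.unpack_from(buf, off)
        if plen < PLD.size or off + plen > length:
            raise ValueError("bad payload length")     # rejects zero-length loops and overruns
        payloads.append((PAYLOAD_NAMES.get(nxt, f"unknown({nxt})"),
                         buf[off + PLD.size:off + plen]))
        off += plen
        nxt = nxt2
    if off != length:
        raise ValueError("trailing bytes after last payload")
    return hdr, payloads

def is_wellformed(buf):
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # constructed first message of a base exchange: SA; NONCE (responder cookie still 0)
    msg = build_message(b"\x11" * 8, bytes(8), 1, 0, [(1, b"sa-attrs"), (10, b"nonce")])
    print(parse_message(msg))
```

The payload length check is the important one: a payload length of 0 would leave the offset unchanged and loop forever, and a length larger than the remaining message would read past the datagram, so both are rejected before the loop advances.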
ISAKMP payload types
Security Association (SA)
– used to begin the setup of a new SA; carries various attributes
Proposal (P)
– used during SA setup; indicates protocol to be used (AH or ESP) and number of transforms
Transform (T)
– used during SA setup; indicates transform (e.g., DES, 3DES) and its attributes
Key exchange (KE)
– used to carry key exchange data (e.g., Oakley)
Identification (ID)
– used to exchange identification information (e.g., IP address)
Certificate (CR)
– carries a public key certificate (PGP, X.509, SPKI, …)
Hash (HASH)
Signature (SIG)
Nonce (NONCE)
Notification (N)
– contains error or status information
Delete (D)
– indicates one or more SAs that the sender has deleted from its database (no longer valid)
ISAKMP exchange types
base exchange
I → R: SA; NONCE
R → I: SA; NONCE
I → R: KE; IDi; AUTH
R → I: KE; IDr; AUTH
identity protection exchange
I → R: SA
R → I: SA
I → R: KE; NONCE
R → I: KE; NONCE
I → R: IDi; AUTH
R → I: IDr; AUTH
ISAKMP exchange types cont’d
authentication only exchange
I → R: SA; NONCE
R → I: SA; NONCE; IDr; AUTH
I → R: IDi; AUTH
aggressive exchange
I → R: SA; KE; NONCE; IDi
R → I: SA; KE; NONCE; IDr; AUTH
I → R: AUTH
informational exchange
I → R: N/D