Module 5
IP Security
IP security overview
Applications of IPsec
An IP Security Scenario
• An organization maintains LANs at dispersed locations.
• Nonsecure IP traffic is conducted on each LAN.
• For traffic offsite, through some sort of private or public WAN, IPsec
protocols are used. These protocols operate in networking devices,
such as a router or firewall, that connect each LAN to the outside
world.
• The IPsec networking device will typically encrypt and compress all
traffic going into the WAN and decrypt and decompress traffic coming
from the WAN; these operations are transparent to workstations and
servers on the LAN.
• Secure transmission is also possible with individual users who dial
into the WAN. Such user workstations must implement the IPsec
protocols to provide security.
Benefits of IPsec
• When IPsec is implemented in a firewall or router, it provides strong security that
can be applied to all traffic crossing the perimeter. Traffic within a company or
workgroup does not incur the overhead of security-related processing.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP
and the firewall is the only means of entrance from the Internet into the
organization.
• IPsec is below the transport layer (TCP, UDP) and so is transparent to
applications. There is no need to change software on a user or server system when
IPsec is implemented in the firewall or router. Even if IPsec is implemented in end
systems, upper-layer software, including applications, is not affected.
• IPsec can be transparent to end users. There is no need to train users on security
mechanisms, issue keying material on a per-user basis, or revoke keying material
when users leave the organization.
• IPsec can provide security for individual users if needed. This is useful for offsite
workers and for setting up a secure virtual subnetwork within an organization for
sensitive applications
Routing Applications
• IPsec can assure that
• • A router advertisement (a new router advertises its presence)
comes from an authorized router.
• • A neighbor advertisement (a router seeks to establish or maintain a
neighbor relationship with a router in another routing domain) comes
from an authorized router.
• • A redirect message comes from the router to which the initial IP
packet was sent.
• • A routing update is not forged
IPsec Documents
IPsec Services
IPsec provides two protocols to provide security:
Authentication Header (AH):An authentication protocol designated by the
header of the protocol.
Encapsulating Security Payload (ESP):A combined encryption/
authentication protocol designated by the format of the packet for that
protocol.
RFC 4301 lists the following services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport and Tunnel Modes
Transport mode
• Transport mode provides protection primarily for upper-layer protocols.
• ESP in transport mode encrypts and optionally authenticates the IP payload
but not the IP header.
• AH in transport mode authenticates the IP payload and selected portions of
the IP header.
Tunnel mode
• Tunnel mode provides protection to the entire IP packet.
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP
packet, including the inner IP header.
• AH in tunnel mode authenticates the entire inner IP packet and selected
portions of the outer IP header.
IP SECURITY POLICY
• IPsec policy is determined primarily by the interaction of two
databases, the security association database (SAD) and the security
policy database (SPD).
Security Associations(SA):
• An association is a one-way logical connection between a sender and a
receiver that affords security services to the traffic carried on it.
• If a peer relationship is needed for two-way secure exchange, then
two security associations are required.
Security Association Database(SAD)
A security association is defined by the following parameters in an SAD
entry.
• Security Parameter Index: A 32-bit value selected by the receiving
end of an SA to uniquely identify the SA. In an SAD entry for an
outbound SA, the SPI is used to construct the packet’s AH or ESP
header. In an SAD entry for an inbound SA, the SPI is used to map
traffic to the appropriate SA.
• Sequence Number Counter: A 32-bit value used to generate the
Sequence Number field in AH or ESP headers.
• Sequence Counter Overflow: A flag indicating whether overflow of
the Sequence Number Counter should generate an auditable event and
prevent further transmission of packets on this SA.
• Anti-Replay Window: Used to determine whether an inbound AH or
ESP packet is a replay.
• AH Information: Authentication algorithm, keys, key lifetimes, and
related parameters being used with AH.
• ESP Information: Encryption and authentication algorithm, keys,
initialization values, key lifetimes, and related parameters being used
with ESP.
• Lifetime of this Security Association: A time interval or byte count
after which an SA must be replaced with a new SA (and new SPI) or
terminated, plus an indication of which of these actions should occur.
• IPsec Protocol Mode: Tunnel, transport, or wildcard.
• Path MTU: Any observed path maximum transmission unit
(maximum size of a packet that can be transmitted without
fragmentation) and aging variables.
Security Policy Database(SPD)
• An SPD contains entries, each of which defines a subset of IP traffic
and points to an SA for that traffic.
• Each SPD entry is defined by a set of IP and upper-layer protocol field
values, called selectors.
• Outbound processing obeys the following general sequence for each
IP packet
1. Compare the values of the appropriate fields in the packet (the
selector fields) against the SPD to find a matching SPD entry, which
will point to zero or more SAs .
2. Determine the SA if any for this packet and its associated SPI.
3. Do the required IPsec processing (i.e., AH or ESP processing).
• The following selectors determine an SPD entry:
• Remote IP Address: This may be a single IP address, an enumerated
list or range of addresses, or a wildcard (mask) address.
• Local IP Address: This may be a single IP address, an enumerated list
or range of addresses, or a wildcard (mask) address.
• Next Layer Protocol: The IP protocol header includes a field (that
designates the protocol operating over IP.
• Name: A user identifier from the operating system. This is not a field
in the IP or upper-layer headers but is available if IPsec is running on
the same operating system as the user.
• Local and Remote Ports: These may be individual TCP or UDP port
values, an enumerated list of ports, or a wildcard port.
IP Traffic Processing
• IPsec is executed on a packet-by-packet basis.
• When IPsec is implemented, each outbound IP packet is processed by
the IPsec logic before transmission, and each inbound packet is
processed by the IPsec logic after reception and before passing the
packet contents on to the next higher layer.
Outbound Packets
• A block of data from a higher layer, such as TCP, is passed down to
the IP layer and an IP packet is formed, consisting of an IP header and
an IP body. Then the following steps occur:
Inbound Packets
An incoming IP packet triggers the IPsec processing in the following order
1. IPsec determines whether this is an unsecured IP packet or one that has
ESP or AH headers/trailers, by examining the IP Protocol field (IPv4) or
Next Header field (IPv6).
2. If the packet is unsecured, IPsec searches the SPD for a match to this
packet. If the first matching entry has a policy of BYPASS, the IP header
is processed and stripped off and the packet body is delivered to the next
higher layer, such as TCP. If the first matching entry has a policy of
PROTECT or DISCARD, or if there is no matching entry, the packet is
discarded.
3. For a secured packet, IPsec searches the SAD. If no match is found, the
packet is discarded. Otherwise, IPsec applies the appropriate ESP or AH
processing. Then, the IP header is processed and stripped off and the
packet body is delivered to the next higher layer, such as TCP.
Encapsulating security payload(ESP)
• ESP can be used to provide confidentiality, data origin authentication,
connectionless integrity, an anti-replay service, and traffic flow
confidentiality.
ESP Format
Two additional fields present in the payload (Figure 20.5b).
• An initialization value (IV), or nonce, is present if this is required by
the encryption or authenticated encryption algorithm used for ESP.
• If tunnel mode is being used, then the IPsec implementation may add
traffic flow confidentiality (TFC) padding after the Payload Data and
before the Padding field, as explained subsequently.
Encryption and Authentication Algorithms
• The Payload Data, Padding, Pad Length, and Next Header fields are
encrypted by the ESP service.
• If the algorithm used to encrypt the payload requires cryptographic
synchronization data, such as an initialization vector (IV), then these
data may be carried explicitly at the beginning of the Payload Data
field.
• Integrity check value is present only if the integrity service is selected
and is provided by either a separate integrity algorithm or a combined
mode algorithm that uses an ICV.
• A keyed integrity algorithm must be employed to compute the ICV
Padding
The Padding field serves following purposes:
• If an encryption algorithm requires the plaintext to be a multiple of
some number of bytes ,the Padding field is used to expand the plaintext
to the required length.
• The ESP format requires that the Pad Length and Next Header fields
be right aligned within a 32-bit word. The ciphertext must be an
integer multiple of 32 bits. The Padding field is used to assure this
alignment
• Additional padding may be added to provide partial traffic-flow
confidentiality by concealing the actual length of the payload.
Anti-Replay Service
• A replay attack is one in which an attacker obtains a copy of an
authenticated packet and later transmits it to the intended destination.
• The receipt of duplicate, authenticated IP packets may disrupt service
in some way or may have some other undesired consequence.
• The Sequence Number field is designed to throw such attacks.
• Steps to generate sequence number by the sender
When a new SecurityAssociation(SA) is established, the sender
initializes a sequence number counter to 0.
Each time that a packet is sent on this SA, the sender increments the
counter and places the value in the Sequence Number field. Thus, the
first value to be used
If the limit of 232 - 1 is reached, the sender should terminate this SA
and negotiate a new SA with a new key. is 1.
• IP is a connectionless, unreliable service, the protocol does not
guarantee that packets will be delivered in order and does not
guarantee that all packets will be delivered.
• the IPsec authentication document should ensure that the receiver
should implement a window of size W, with a default of W = 64.
• For any packet with a sequence number in the range from N - W + 1 to
N that has been correctly received corresponding slot in the window is
marked (Figure 20.6).
• Inbound processing proceeds as follows when a packet is received
Transport and tunnel modes
• In figure 20.7a encryption and authentication is provided directly
between two hosts.
• Figure 20.7b shows how tunnel mode operation can be used to set up a
virtual private network.
An organization has four private networks interconnected across the
Internet.
Hosts on the internal networks use the Internet for transport of data
but do not interact with other Internet-based hosts.
By terminating the tunnels at the security gateway to each internal
network, the configuration allows the hosts to avoid implementing the
security capability.
Transport Mode ESP
• For transport mode using IPv4, the ESP header is inserted into the
IP packet immediately prior to the transport -layer header (e.g., TCP,
UDP, ICMP), and an ESP trailer (Padding, Pad Length, and Next
Header fields) is placed after the IP packet.
• If authentication is selected, the ESP Authentication Data field is
added after the ESP trailer.
• The entire transport-level segment plus the ESP trailer are encrypted.
Authentication covers all of the ciphertext plus the ESP header.
• For transport mode using IPv6, ESP is viewed as an end-to-end
payload; that is, it is not examined or processed by intermediate
routers.
• For IPv6, encryption covers the entire transport-level segment plus the
ESP trailer plus the destination options extension header if it occurs
after the ESP header.
• Authentication covers the ciphertext plus the ESP header.
• Transport mode operation summarized as follows
1. At the source, the block of data consisting of the ESP trailer plus the
entire transport-layer segment is encrypted and the plaintext of this
block is replaced with its ciphertext to form the IP packet for
transmission. Authentication is added if this option is selected.
2. The packet is then routed to the destination. Each intermediate
router needs to examine and process the IP header plus any plaintext
IP extension headers but does not need to examine the ciphertext.
3. The destination node examines and processes the IP header plus any
plaintext IP extension headers. Then, on the basis of the SPI in the
ESP header, the destination node decrypts the remainder of the
packet to recover the plaintext transport-layer segment.
Tunnel mode ESP
• In tunnel mode, the ESP header is prefixed to the packet and then the
packet plus the ESP trailer is encrypted.
• This method can be used to counter traffic analysis.
• The IP header contains the destination address and possibly source
routing directives and hop-by-hop option information, it is not
possible simply to transmit the encrypted IP packet prefixed by the
ESP header.
• It is necessary to encapsulate the entire block (ESP header plus
ciphertext plus Authentication Data, if present) with a new IP header
that will contain sufficient information for routing.
Consider a case in which an external host wishes to communicate with a
host on an internal network protected by a firewall, and in which ESP is
implemented in the external host and the firewalls.
The following steps occur for transfer of a transport-layer segment from
the external host to the internal host
Protocol architecture for tunnel and transport modes.
Combining security associations
Security associations may be combined into two ways:
Authentication Plus Confidentiality
• Encryption and authentication can be combined in order to transmit
an IP packet that has both confidentiality and authentication between
hosts.
• Approaches include
ESP with Authentication Option.
Transport Adjacency.
Transport-Tunnel Bundle
ESP with Authentication Option
• This approach is illustrated in Figure 20.8.
• In this approach, the user first applies ESP to the data to be protected
and then appends the authentication data field.
• There are actually two subcases:
Transport Adjacency
• This approach uses two bundled transport SecurityAssociations(SA),
with the inner being an ESP SA and the outer being an AH SA.
• In this case, ESP is used without its authentication option. Because the
inner SA is a transport SA, encryption is applied to the IP payload. The
resulting packet consists of an IP header followed by an ESP.
• AH is then applied in transport mode, so that authentication covers the
ESP plus the original IP header (and extensions) except for mutable
fields.
Transport-Tunnel Bundle
• The use of authentication prior to encryption might be preferable for
following reasons.
the authentication data are protected by encryption, it is impossible
for anyone to intercept the message and alter the authentication data
without detection.
It may be desirable to store the authentication information with the
message at the destination for later reference.
• In this approach authentication before encryption is applied between
two hosts by using a bundle consisting of an inner AH transport SA
and an outer ESP tunnel SA.
Basic Combinations of Security Associations
• The IPsec Architecture document lists four combinations of SAs that
must be supported by compliant IPsec hosts. (illustrated in Figure
20.10).
• The lower part of each case in the figure represents the physical
connectivity of the elements;
• The upper part represents logical connectivity via one or more nested
SAs.
• Each SA can be either AH or ESP.
• For host-to-host SAs, the mode may be either transport or tunnel;
otherwise it must be tunnel mode.
Case 1
• All security is provided between end systems that implement IPsec.
For any two end systems to communicate via an SA, they must share
the appropriate secret keys.
• Among the possible combinations are
a. AH in transport mode
b. ESP in transport mode
c. ESP followed by AH in transport mode (an ESP SA inside an AH SA)
d. Any one of a, b, or c inside an AH or ESP in tunnel mode
Case 2
• Security is provided only between gateways (routers, firewalls, etc.)
and no hosts implement IPsec.
• Case2 illustrates simple virtual private network support.
• The security architecture document specifies that only a single tunnel
SA is needed for this case.
• The tunnel could support AH, ESP, or ESP with the authentication
option.
• Nested tunnels are not required, since the IPsec services apply to the
entire inner packet.
Case 3
• Case 3 builds on case 2 by adding end-to-end security.
• The gateway-to-gateway tunnel provides either authentication,
confidentiality, or both for all traffic between end systems.
• When the gateway-to-gateway tunnel is ESP, it also provides a limited
form of traffic confidentiality.
• Individual hosts can implement any additional IPsec services required
for given applications or given users by means of end-toend SAs.
CASE 4
Case 4 provides support for a remote host that uses the Internet to reach
an organization’s firewall and then to gain access to some server or
workstation behind the firewall.
Only tunnel mode is required between the remote host and the firewall.
INTERNET KEY EXCHANGE
• The IPsec Architecture document mandates support for two types of key
management:
Manual: A system administrator manually configures each system with its
own keys and with the keys of other communicating systems. This is
practical for small, relatively static environments.
Automated: An automated system enables the on-demand creation of keys
for SAs and facilitates the use of keys in a large distributed system with an
evolving configuration.
• The default automated key management protocol for IPsec is referred to as
ISAKMP/Oakley.
ISAKMP/Oakley consists of the following elements
Key Determination Protocol
• IKE key determination is a refinement of the Diffie-Hellman key
exchange algorithm.
• IKE key determination is designed to retain the advantages of Diffie-
Hellman, while countering its weaknesses.
Weaknesses to Diffie-Hellman are
Features of IKE key determination
Clogging attacks:An opponent forges the source address of a legitimate
user and sends a public Diffie-Hellman key to the victim.
The victim then performs a modular exponentiation to compute the
secret key. Repeated messages of this type can clog the victim’s system
with useless work.
The cookie exchange requires that each side send a pseudorandom
number, the cookie, in the initial message, which the other side
acknowledges.
This acknowledgment must be repeated in the first message of the
Diffie-Hellman key exchange.
IKE mandates that cookie generation satisfy three basic requirements
1. The cookie must depend on the specific parties. This prevents an
attacker from obtaining a cookie using a real IP address and UDP
port and then using it to swamp the victim with requests from
randomly chosen IP addresses or ports.
2. It must not be possible for anyone other than the issuing entity to
generate cookies that will be accepted by that entity. This implies
that the issuing entity will use local secret information in the
generation and subsequent verification of a cookie.
3. The cookie generation and verification methods must be fast to
thwart attacks intended to sabotage processor resources.
IKE key determination supports specification of following groups
IKE key determination supports following authentication methods
IKEv2 Exchanges
• It involves the exchange of messages in pairs.
• The first two pairs of exchanges are referred to as the initial exchanges
(Figure 20.11a).
• In the first exchange, the two peers exchange information concerning
cryptographic algorithms and other security parameters they are
willing to use along with nonces and Diffie-Hellman (DH) values.
• The result of this exchange is to set up a special SA called the IKE SA
(see Figure 20.2).
• This SA defines parameters for a secure channel between the peers
over which subsequent message exchanges take place.
• In the second exchange, the two parties authenticate one another and
set up a first IPsec SA to be placed in the SADB and used for
protecting ordinary (i.e. non-IKE) communications between the peers.
Header and Payload Formats
• For SecurityAssociation establishment, IKE defines payloads for
exchanging key generation and authentication data.
• These payload formats provide a consistent framework independent of
the specific key exchange protocol, encryption algorithm, and
authentication mechanism.
IKE Header Format
The header format for an IKE message. It consists of the following fields
(shown in Figure 20.12a)..
IKE Payload Types(shown in Figure 20.12b).
• All IKE payloads begin with the same generic payload header.
• The Next Payload field has a value of 0 if this is the last payload in the
message; otherwise its value is the type of the next payload.
• The Payload Length field indicates the length in octets of this payload,
including the generic payload header.
• The critical bit is 0 if the sender wants the recipient to skip this
payload if it does not understand the payload type code in the Next
Payload field of the previous payload. It is set to 1 if the sender wants
the recipient to reject this entire message if it does not understand the
payload type.
The SA payload is used to begin the establishment of an SA.
The elements of SA payload are formatted as follows:
Uses of payloads
The Key Exchange payload can be used for a variety of key
exchange techniques, including Oakley, Diffie-Hellman, and the RSA-
based key exchange used by PGP.
The Identification payload is used to determine the identity of
communicating peers and may be used for determining authenticity of
information.
The Certificate payload transfers a public-key certificates.
The Authentication payload contains data used for message
authentication purposes.
The Nonce payload contains random data used to guarantee liveness
during an exchange and to protect against replay attacks
• The Notify payload contains either error or status information
associated with this SA or this SA negotiation. The following table
lists the IKE notify messages.
• The Delete payload indicates one or more SAs that the sender has
deleted from its database and that therefore are no longer valid.
• The Vendor ID payload contains a vendor-defined constant.
• The Traffic Selector payload allows peers to identify packet flows
for processing by IPsec services.
• The Encrypted payload contains other payloads in encrypted form.
• The Configuration payload is used to exchange configuration
information between IKE peers.
• The Extensible Authentication Protocol (EAP) payload allows IKE
SAs to be authenticated using EAP
Cryptographic suites
RFC 4308 defines two cryptographic suites namely
Suite VPN-A matches the commonly used corporate VPN security
used in older IKEv1 implementations at the time of the issuance of
IKEv2 in 2005.
Suite VPN-B provides stronger security and is recommended for new
VPNs that implement IPsecv3 and IKEv2.
RFC 4869 defines four suites by providing choices for ESP and IKE.
Three categories of secret key algorithms are listed: