CSC 6575: Internet Security Fall 2017

Transcription

1 CSC 6575: Internet Security Fall 2017 Network Security Devices IP Security Mohammad Ashiqur Rahman Department of Computer Science College of Engineering Tennessee Tech University

2 2 IPSec Agenda Architecture IPSec Packets Security Association IPSec Policy IPSec Policy Anomaly

3 3 IPSec: IP Security To perform authentication To verify sources of IP packets To prevent replaying of old packets To protect integrity and/or confidentiality of packets Data integrity and encryption Applicable to use over LANs, across public & private WANs, & for the Internet There are application specific security mechanisms E.g., S/MIME, PGP, Kerberos, SSL/HTTPS IPSec provides security implemented at the network layer for all applications

4 The IPSec Security Model Communicating parties are authenticated. Intermediate IPSec devices/gateways are secured. Communication needs to be secured over insecure network. authenticated, data integrity protected, and/or confidential. Secure Insecure 4

5 5 IPSec Architecture ESP AH IPSec Security Policy IKE Have two security header extensions: Authentication Header (AH) Encapsulating Security Payload (ESP) Exchange and negotiate security policies Internet Key Exchange (IKE) Security Associations

6 6 IPSec Architecture (2) IPSec provides security in three situations: Host-to-host, host-to-gateway (router), gateway-to-gateway IPSec operates in two modes: Transport mode (for end-to-end) Tunnel mode (for VPN) Host Transport Mode Host Unencrypted/Insecure (tunnel mode only) Router Tunnel Mode Router

7 7 IPSec Packets Original IP header TCP header data Transport mode IP header IPSec header TCP header data Tunnel mode IP header IPSec header IP header TCP header data A collection of protocols (see RFC 2401) Authentication Header- RFC 2402 Encapsulated Security Payload- RFC 2406 Internet Key Exchange- RFC 2409

8 8 Authentication Header (AH) Provides source authentication Protects against source spoofing Provides data integrity Protects against replay attacks Use monotonically increasing sequence numbers Protects against denial of service attacks No protection for confidentiality! Uses 32-bit sequence number to avoid replay attacks Uses cryptographically strong hash algorithms to protect data integrity (96-bit) Uses symmetric key cryptography HMAC-SHA-96, HMAC-MD5-96

9 9 AH Packet New IP header Next header Payload length Reserved Authenticated Security Parameters Index (SPI) Sequence Number Old IP header (only in Tunnel mode) TCP header Data Authentication Data Encapsulated TCP or IP packet (Tunnel Mode) Integrity Checked Value (ICV)

10 10 Integrity Check Value (ICV) Keyed Message authentication code (MAC) calculated over IP header fields that do not change or are predictable Source IP address, destination IP, header length, etc. Prevent spoofing Mutable fields excluded: e.g., time-to-live (TTL), IP header checksum, etc. IPSec protocol header except the ICV value field Upper-level (TCP and ) data Code may be truncated to first 96 bits

11 11 Encapsulating Security Payload (ESP) Provides all that AH offers plus Same as AH: Use 32-bit sequence number to counter replaying attacks Use integrity check algorithms Only in ESP: Data confidentiality Uses symmetric key encryption algorithms to encrypt packets

12 12 ESP Packet Details Next header IP header Payload length Reserved Authenticated Security Parameters Index (SPI) Sequence Number Initialization vector TCP header Data Pad Pad length Next Authentication Data Encrypted TCP packet

13 13 Internet Key Exchange (IKE) Exchange and negotiate security policies Establish security sessions Identified as Security Associations Key exchange and key management Security Association (SA) Security Parameter Index (SPI) SA Database (SAD) Security Policy Database (SPD)

14 14 Security Association (SA) Has three parameters: Security Parameter Index (SPI) Destination IP address Specifies the security protocol identifier Algorithm and its mode Keys Have a database for Security Policy (SPD) Look for IPSec policy for each traffic Have a database of Security Associations (SAD) Determine IPSec encoding for senders Determine IPSec decoding for the destination

15 15 Security Parameters Index (SPI) SPI is a 32 bit number. The SPI allows the destination to select the correct SA under which the received packet will be processed. According to the agreement with the sender The SPI is sent with the packet by the sender SA is uniquely identified with: SPI + Dest IP address [+ IPSec Protocol (AH or ESP)]

16 16 SA Database (SAD) Holds parameters for each SA Lifetime of this SA AH and ESP information Tunnel or transport mode Every host or gateway participating in IPSec has their own SA database.

17 17 Security Policy Database (SPD) What traffic to protect? Policy entries define which SA or SA bundles to use on each IP traffic flow. Each host or gateway has their own SPD Index into SPD by Selector fields Dest IP, Source IP, Transport Protocol, IPSec Protocol, Source Port, Dest Port,

18 18 SPD Entry Actions Discard Do not let in or out Bypass Do not apply IPSec for the outbound traffic Do not expect IPSec for the inbound traffic Protect Point to an SA or SA bundle Outbound: Apply security Inbound: Check that security must have been applied Actions for Protect If the SA does not exist Outbound processing: use IKE to generate SA dynamically Inbound processing: drop packet

19 Outbound Processing Outbound packet (on A) A B IP Packet SPD SAD Is it for IPSec? If so, which policy entry to select? IPSec processing Determine the SA and its SPI SPI & IPSec Packet Send to B 19

20 20 Outbound Packet Processing Form ESP header Security parameter index (SPI) Sequence number Pad as necessary Encrypt result payload, padding, pad length, and next header Apply authentication Allow rapid detection of replayed/bogus packets Integrity Check Value (ICV) includes whole ESP packet minus authentication data field

21 Inbound Processing Inbound packet (on B) A B From A SPI & Packet SAD SPD Use SPI to index the SAD Was packet properly secured? un-process Original IP Packet 21

22 22 Inbound Packet Processing... Sequence number checking Duplicates are rejected! Replay attack mitigation Packet decryption Decrypt based on the SA specification ESP payload, padding, pad length, next header Processing (stripping) padding per encryption algorithm Reconstruct the original IP datagram Authentication verification Allow potential parallel processing (decryption) and verifying authentication code

23 23 IPSec Security Policy: Example TCP 1.1.*.* : any 2.2.*.* : any protect TCP : any : any AH Transport {MD5} TCP 1.1.*.* : any 2.2.*.* : any protect TCP * : any * : any ESP Tunnel {3DES} TCP 2.2.*.* : any 1.1.*.* : any protect TCP * : any * : any ESP Tunnel {3DES} TCP 2.2.*.* : any 1.1.*.* : any protect TCP : any : any AH Transport {MD5}

24 24 IPSec Inter-Policy Conflicts Shadowing: Upstream policy blocks traffic TCP 1.1.*.* : any 2.2.*.* : any protect Traffic Dropped TCP 2.2.*.* : any 1.1.*.* : any bypass Spurious: Downstream policy blocks traffic TCP 1.1.*.* : any 2.2.*.* : any bypass Traffic Dropped TCP 2.2.*.* : any 1.1.*.* : any protect

25 25 IPSec Inter-Policy Conflicts (2) Overlapping tunnels with shared/common traffic Traffic is decapsulated in reverse order to traffic flow TCP : any 2.2.*.* : any protect TCP : any 2.2.*.* : any ESP Tunnel {3DES} TCP 1.1.*.* : any 6.6.*.* : any protect TCP 1.1.*.* : any 6.6.*.* : any ESP Tunnel {3DES} Plain Text

26 26 IPSec Intra-Policy Conflicts Traffic is decapsulated in reverse order of the traffic flow. TCP : any 2.2.*.* : any protect TCP : any * : any ESP Tunnel {3DES} TCP : any : any AH Tunnel {MD5} Plain Text

27 27 IPSec Intra-Policy Conflicts (3) Application of redundant or weaker protection TCP : any 2.2.*.* : any protect TCP : any 2.2.*.* : any ESP Transport {3DES} TCP 1.1.*.* : any 2.2.*.* : any protect TCP 1.1.*.* : any 2.2.*.* : any AH Tunnel {MD5}

28 28 THANKS Source: IPsec: RFC 2401, IKE: RFC H. Hamed, E. Al-Shaer, and W. Marrero. Modeling and Verification of IPSec and VPN Security Policies, In IEEE ICNP, 2005.