Time Synchronization Security using IPsec and MACsec

Time Synchronization using IPsec and MACsec. Appeared in ISPCS 2011. Tal Mizrahi. Israel ing Seminar, May 2012.

Time Synchronization
Time synchronization is used for various applications. Securing the time protocol is a must for securing the applications that use it.
IEEE 1588 standard: Precision Time Protocol (PTP).
IEEE 1588 is challenging to secure:
- A large number of nodes are involved in the protocol.
- Hop-by-hop data modification.
- IEEE 1588 Annex K: experimental security annex.

Agenda
- Brief overview of IPsec, MACsec, and Annex K.
- The IPsec and MACsec scenarios.
- Attacker types.
- Effectiveness of each attacker in the IPsec and MACsec scenarios and with Annex K.
- Summary and comparison.
- Conclusion.

IPsec
A suite of security protocols defined by the IETF (RFC 4301 architecture). Two main functions:
- Integrity protection using the Authentication Header (AH).
- Confidentiality using the Encapsulating Security Payload (ESP).
Both functions support:
- Integrity protection using an Integrity Check Value (ICV).
- Replay protection using a Sequence Number.
- Tunnel mode and transport mode.
[Figure: IPsec AH encapsulation. Ethernet Header | IPv4 Header (partly protected by the ICV) | AH: Next Header 1B, Payload Len 1B, Reserved 2B, Security Parameters Index (SPI) 4B, Sequence Number Field 4B, Integrity Check Value (ICV, variable length) | IP Header (tunnel mode) | IP Payload | Ethernet FCS 4B. The AH, the inner IP header and the IP payload are protected by the ICV.]

MACsec
IEEE 802.1AE MAC security protocol. IEEE 802.1X provides authentication and key exchange.
- Supports both encrypted and non-encrypted (integrity-only) mode.
- Integrity protection using an Integrity Check Value (ICV).
- The L2 header is protected by the ICV.
- Replay protection using a Sequence Number (the packet number).
[Figure: MACsec encrypted packet. MAC DA | MAC SA | MACsec Ethertype 2B | MACsec Header 6B / 14B | Ethertype 2B | Ethernet Payload | Integrity Check Value (ICV) 16B | Ethernet FCS 4B. Everything from the MAC DA through the Ethernet payload is protected by the ICV; the inner Ethertype and the Ethernet payload are encrypted.]
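The two frame layouts above (the AH on the IPsec slide and the SecTAG on the MACsec slide) both carry a sequence number that the receiver checks against a replay window before the PTP message is used. The following Python is an added example, not code from the slides or from any IPsec/MACsec implementation: it parses the two headers at the offsets given in RFC 4302 and IEEE 802.1AE, and runs a sliding replay window of the kind both protocols specify. The sample AH and MACsec frame are constructed for the example, and the 64-entry window size is an assumption.

```python
"""Added example (not from the original slides): parse the IPsec AH header and
the MACsec SecTAG whose layouts the slides show, and apply the sliding-window
replay check that both protocols build on their sequence/packet number.
Sample frames are constructed here; field offsets follow RFC 4302 and IEEE 802.1AE."""
import struct
from dataclasses import dataclass
from typing import List, Optional

MACSEC_ETHERTYPE = 0x88E5  # IEEE 802.1AE EtherType
AH_FIXED_LEN = 12          # Next Header 1B + Payload Len 1B + Reserved 2B + SPI 4B + Seq 4B


@dataclass
class AHHeader:
    next_header: int
    spi: int
    seq: int
    icv: bytes
    total_len: int  # whole AH including the ICV, in bytes


def parse_ah(buf: bytes) -> AHHeader:
    """RFC 4302: Payload Len is the AH length in 32-bit words minus 2, so the
    ICV length is derived from that field rather than from the buffer size."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if len(buf) < total:
        raise ValueError("Payload Len claims more bytes than are present")
    return AHHeader(next_hdr, spi, seq, buf[AH_FIXED_LEN:total], total)


@dataclass
class SecTag:
    an: int               # association number (which SA key is in use)
    sci_present: bool     # SC bit: an explicit 8-byte SCI follows
    encrypted: bool       # E bit: payload is confidentiality-protected
    pn: int               # packet number, the MACsec replay counter
    sci: Optional[bytes]
    header_len: int       # bytes after the MACsec EtherType: 6 or 14, as on the slide


def parse_sectag(frame: bytes) -> SecTag:
    """Parse the SecTAG that follows the 12-byte DA/SA of an 802.1AE frame."""
    if len(frame) < 12 + 8:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, _sl, pn = struct.unpack("!BBI", frame[14:20])
    if tci_an & 0x80:  # V (version) bit must be zero
        raise ValueError("unsupported SecTAG version")
    sc = bool(tci_an & 0x20)
    sci, hdr_len = None, 6
    if sc:
        if len(frame) < 28:
            raise ValueError("truncated SCI")
        sci, hdr_len = frame[20:28], 14
    return SecTag(tci_an & 0x03, sc, bool(tci_an & 0x08), pn, sci, hdr_len)


class ReplayWindow:
    """Anti-replay window in the style of RFC 4303 Appendix A / 802.1AE.
    Bit i of `bitmap` records whether number (top - i) was already accepted.
    Update the window only after the ICV has verified, so a forged packet
    cannot advance it and drop genuine traffic."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest number accepted so far
        self.bitmap = 0

    def accept(self, n: int) -> bool:
        if n == 0:                       # 0 is never a valid number
            return False
        if n > self.top:                 # new high: slide the window forward
            shift = n - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = n
            return True
        diff = self.top - n
        if diff >= self.size:            # older than the window: reject
            return False
        if self.bitmap & (1 << diff):    # already seen: replay
            return False
        self.bitmap |= 1 << diff         # late but fresh: accept once
        return True


# Constructed samples, not captured traffic.
SAMPLE_AH = struct.pack("!BBHII", 17, 4, 0, 0x1000, 5) + b"\x11" * 12   # UDP inside, 12-byte ICV
SAMPLE_MACSEC = (b"\x01\x1b\x19\x00\x00\x00" + b"\x00\x11\x22\x33\x44\x55"   # DA (PTP multicast), SA
                 + struct.pack("!HBBI", MACSEC_ETHERTYPE, 0x2C, 0, 7)         # TCI: SC|E|C, AN=0, PN=7
                 + b"\xAA" * 8 + b"\x88\xf7" + b"\x00" * 20 + b"\xCC" * 16 + b"\x00" * 4)  # SCI, PTP ethertype, payload, ICV, FCS


def replay_demo(numbers: List[int]) -> List[bool]:
    """Feed a series of sequence/packet numbers through one window."""
    win = ReplayWindow(64)
    return [win.accept(n) for n in numbers]


if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH))
    print(parse_sectag(SAMPLE_MACSEC))
    print(replay_demo([1, 2, 3, 2, 70, 60, 60, 5, 200]))
```

The replay demo shows the three outcomes a receiver distinguishes: a number above the window top advances it, a late number inside the window is accepted exactly once, and a number that is either a duplicate or older than the window is dropped. Both protocols only let the window move once the ICV has verified, which is why ICV-covered sequence numbers, not the numbers alone, are what stop Jeanie-style replay.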

IEEE 1588 Annex K
Experimental annex in IEEE 1588-2008 (v2). Provides data integrity using a symmetric key scheme.
The Authentication TLV includes:
- An Integrity Check Value (ICV).
- Replay protection using a replay counter.
[Figure: Annex K authenticated packet. Ethernet Header | IPv4/IPv6 + UDP Headers (optional) | PTP Header | PTP Payload | Authentication TLV | Ethernet FCS 4B. The PTP header, PTP payload and Authentication TLV are protected by the ICV.]

PTP: the IPsec scenario
- Can be used when PTP is transported over an IP network.
- -to-network configuration.
- IPsec can be used in encrypted (ESP) or authenticated (AH) mode.
- Either a dedicated tunnel for time sync, or a single tunnel for all traffic.
- Typical example: femtocells in 3GPP.
[Figure: slave at the customer site, IPsec tunnel across the public network to the operator network.]

PTP: the MACsec scenario
- Can be used in L2 networks.
- Either with or without encryption.
- All data is secured on a hop-by-hop basis.
- Typical example: Audio and Video Bridging (AVB).
[Figure: L2 network with the slave, a MACsec tunnel to an L2 bridge, and a further MACsec tunnel from the bridge onward; each hop is a separate MACsec tunnel.]

Typical Attackers
- Mary: internal man-in-the-middle (MITM).
- Jeanie: internal injector.
- Emma: external MITM.
- Enya: external injector.
[Figure: positions of the attackers in the network relative to the slave and the tunnels: Mary (1), Mary (2), Jeanie (1), Jeanie (2), Emma, Enya.]

Enya: WHAT can Enya do?
- Cryptographic performance attack.
- L2/L3 DoS attacks.
[Table in the original compared the MACsec, IPsec and 1588 Annex K scenarios; only the list of attacks is recoverable. Figure: attacker positions as on the Typical Attackers slide.]

Emma: WHAT can Emma do?
- Packet interception and removal.
- Packet delay manipulation.
- Cryptographic performance attack.
- L2/L3 DoS attacks.
[Table in the original compared the MACsec, IPsec and 1588 Annex K scenarios; only the list of attacks is recoverable. Figure: attacker positions as on the Typical Attackers slide.]

Jeanie: WHAT can Jeanie do?
- Spoofing.
- Replay attack.
- Rogue attack.
- L2/L3 DoS attacks.
[Figure: attacker positions as on the Typical Attackers slide.]

Jeanie: WHERE can Jeanie be found?
- IPsec scenario: Jeanie 1 is relevant specifically in the IPsec scenario (-to-network scheme).
- MACsec scenario / Annex K: Jeanie 2.
[Figure: IPsec scenario with the slave, the IPsec tunnel, Jeanie (1), Jeanie (2) and Mary (1); MACsec / Annex K scenario with the slave and Jeanie (2).]

Mary: WHAT can Mary do?
- Packet interception and manipulation.
- Packet delay manipulation.
- Packet interception and removal.
- Spoofing.
- Replay.
- Rogue attack.
- L2/L3 DoS attacks.
[Figure: attacker positions as on the Typical Attackers slide.]

Mary: WHERE can Mary be found?
- IPsec scenario: Mary 1 is relevant specifically in the IPsec scenario (-to-network scheme).
- MACsec scenario / Annex K: Mary 2 is relevant specifically in the MACsec scenario (hop-by-hop scheme).
[Figure: IPsec scenario with the slave, the IPsec tunnel, Jeanie (1), Jeanie (2) and Mary (1); MACsec / Annex K scenario with the slave and Mary (2).]

Threat Characteristics Analysis Summary
Columns compared: IPsec scenario | IEEE 1588 Annex K | MACsec scenario. Cells are listed per row in the order they were extracted from the slide; the column assignment could not be recovered reliably.
- Layer: L3, L2
- Network: typically public, Any, typically LAN
- Approach: Hop-by-hop, -to-network, Hop-by-hop
- Accuracy: + (TCs/BCs), ~ (no TCs/BCs), + (TCs/BCs)
- L2/L3 DoS attack prevention: +, -, -
- Internal attackers in the trusted network (Jeanie 1, Mary 1): +, -, +
- Internal MITM attacks in intermediate nodes (Mary 2): -, +, -
[Figure: attacker positions as on the Typical Attackers slide.]

Conclusion
- IPsec and MACsec are used in different topologies and scenarios.
- They are two complementary building blocks for securing time synchronization.
- They are intermediate solutions in the absence of a standard security solution for PTP.
- Hybrid solutions can be used in certain topologies.
[Figure: hybrid topology with the slave on an L2 segment secured by a MACsec tunnel and an IPsec tunnel across the public network.]

Thanks!