IPSECv6 Peach Pit User Guide. Peach Fuzzer, LLC. v3.7.50


Copyright 2015 Peach Fuzzer, LLC. All rights reserved. This document may not be distributed or used for commercial purposes without the explicit consent of the copyright holders.

Peach Fuzzer is a registered trademark of Peach Fuzzer, LLC. Peach Fuzzer contains Patent Pending technologies.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Peach Fuzzer, LLC
1122 E Pike St Suite 1064
Seattle, WA 98112

1. IPSECv6 Peach Pit Data Sheet

Peach Pit: IPSECv6
Target: Client (AH and ESP)
Supported Platforms: Windows, Linux, OS X

Internet Protocol Security version 6 (IPsecv6) is a protocol suite for securing Internet Protocol (IP) communications. IPsecv6 operates at the Internet layer (layer 3) and provides security for almost all protocols in the TCP/IP suite.

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data.

IPsec helps provide in-depth defense against:

- Network-based attacks from untrusted computers that can result in denial-of-service of applications, services, or the network
- Data corruption
- Data theft
- User-credential theft
- Administrative control of servers, other computers, and the network

IPsecv6 has two modes of operation:

- Transport mode is used in host-to-host communications and encrypts the payload of the IP packets in the communication.
- Tunnel mode is used in host-to-network communications (remote user access), host-to-host communications (private chats), and network-to-network communications (creating Virtual Private Networks). Tunnel mode encrypts the entire IP packet, header and payload, and inserts the encrypted packet into a new packet with a new IP header.

1.1. Specifications

Specification   Title
RFC2403         The Use of HMAC-MD5-96 within ESP and AH
RFC2404         The Use of HMAC-SHA-1-96 within ESP and AH
RFC2405         The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC2410         The NULL Encryption Algorithm and Its Use With IPsec
RFC2451         The ESP CBC-Mode Cipher Algorithms
RFC2857         The Use of HMAC-RIPEMD-160-96 within ESP and AH
RFC4302         IP Authentication Header
RFC4303         IP Encapsulating Security Payload

1.2. Use Cases

Messages                                            Specification
Authentication Header (AH)                          RFC4302
Encapsulating Security Payload (ESP)                RFC4303
Transport Mode Processing                           RFC4302 - Section 3.1.1, RFC4303 - Section 3.1.1
Tunnel Mode Processing                              RFC4302 - Section 3.1.2, RFC4303 - Section 3.1.2
Separate Confidentiality and Integrity Algorithms   RFC4303 3.4.4.1
ICV HMAC-MD5-96                                     RFC2403
ICV HMAC-SHA-1-96                                   RFC2404
ICV HMAC-RIPEMD-160-96                              RFC2857
3DES-CBC Cipher Encryption                          RFC2405, RFC2451
Null Encryption                                     RFC2410

2. Target Authentication Header (AH) Configuration

An IPsec target configured for manual keying using the keys defined in the configuration file is required. Both a UDP and a TCP listener are required to run all the tests. The networking tool socat can be used as a listener. IP-tools on Linux can be used.

2.1. Required Pit Configuration Changes

Target IPv4 Address (TargetIPv4)
IPv4 address of the target host machine (used for encapsulating IPv4 in IPv6). The default value is 127.0.0.1. For information on obtaining the IP v4 address, see Retrieving Machine Information.

Target IPv6 Address (TargetIPv6)
IPv6 address of the target host machine. Default value is ::1. For more information, see Retrieving Machine Information.

Target MAC Address (TargetMAC)
Hardware address of the network interface on the target machine. The default value is 000000000000. For information about obtaining the MAC address, see Retrieving Machine Information.

Target Port (TargetPort)
UDPv6 and/or TCPv6 port number of the target host machine. The Target Port is the packet destination. The default value is 1234.

Source IPv4 Address (SourceIPv4)
IPv4 address of the machine running Peach (used for encapsulating IPv4 in IPv6). Default value is 127.0.0.1. For more information, see Retrieving Machine Information.

Source IPv6 Address (SourceIPv6)
IPv6 address of the machine running Peach. Default value is ::1. For more information, see Retrieving Machine Information.

Source MAC Address (SourceMAC)
Hardware address of the network interface on the machine running Peach (client). Default value is 000000000000. For more information, see Retrieving Machine Information.

Source Port (SourcePort)
UDP and/or TCP port number of the local machine. The Source Port sends the network packets. The default value is 1234.

Encryption Algorithm (EncryptionAlg)
Advanced option. Use the default value, Aes128. This parameter specifies the algorithm used to encrypt packets.

Encryption Key (CryptoKey)
Advanced option. Use the default value, 41414141414141414141414141414141. This parameter specifies the shared key used to encrypt packets.

Initialization Vector (IV)
Advanced option. Use the default value, baae9ef59ff1ee56211769bd91da50ed. Initialization vector used with the encryption algorithm.

2.2. Optional Pit Configuration Changes

IPsec Mode (Mode)
Processing mode for IPsec is either Tunnel or Transport. Transport mode encrypts only the IP packet payload. Tunnel mode encrypts the entire IP packet, header and payload. The default value is Transport.

HMAC Hash Algorithm (HashAlg)
Hashing algorithm used to provide data integrity. The default value is HMACSHA1. Available hashing algorithm choices include the following: HMACSHA1, HMACMD5, HMACRIPEMD160, HMACSHA256, HMACSHA384, HMACSHA512, and MACTripleDES.

HMAC Key (AuthKey)
Shared authentication key used for HMAC hashing. The selected hashing algorithm determines the length of this key. The default value is 4141414141414141414141414141414141414141.

Security Parameters Index (SPI)
An arbitrary 32-bit value that, in combination with the destination IP address and security protocol (AH), uniquely identifies the Security Association for this datagram. The default value is 201.

Timeout (Timeout)
Duration, in milliseconds, to wait for incoming data. A value of -1 extends the duration to infinity. During fuzzing, a timeout failure causes the fuzzer to skip to the next test case.

3. Target Encapsulating Security Payload (ESP) Configuration

An IPsec target configured for manual keying using the keys defined in the configuration file is required. Both a UDP and a TCP listener are required to run all the tests. The networking tool socat can be used as a listener. IP-tools on Linux can be used.

3.1. Required Pit Configuration Changes

Target IPv4 Address (TargetIPv4)
IPv4 address of the target host machine (used for encapsulating IPv4 in IPv6). The default value is 127.0.0.1. For information on obtaining the IP v4 address, see Retrieving Machine Information.

Target IPv6 Address (TargetIPv6)
IPv6 address of the target host machine. Default value is ::1. For more information, see Retrieving Machine Information.

Target MAC Address (TargetMAC)
Hardware address of the network interface on the target machine. The default value is 000000000000. For information about obtaining the MAC address, see Retrieving Machine Information.

Target Port (TargetPort)
UDPv6 and/or TCPv6 port number of the target host machine. The Target Port is the packet destination. The default value is 1234.

Source IPv4 Address (SourceIPv4)
IPv4 address of the machine running Peach (used for encapsulating IPv4 in IPv6). Default value is 127.0.0.1. For more information, see Retrieving Machine Information.

Source IPv6 Address (SourceIPv6)
IPv6 address of the machine running Peach. Default value is ::1. For more information, see Retrieving Machine Information.

Source MAC Address (SourceMAC)
Hardware address of the network interface on the local machine running Peach. Default value is 000000000000. For more information, see Retrieving Machine Information.

Source Port (SourcePort)
UDP and/or TCP port number of the local machine. The Source Port sends the network packets. The default value is 1234.

Encryption Algorithm (EncryptionAlg)
Advanced option. Use the default value, Aes128. This parameter specifies the algorithm used to encrypt packets.

Encryption Key (CryptoKey)
Advanced option. Use the default hexadecimal value, 41414141414141414141414141414141. This parameter specifies the shared key used to encrypt packets. For AES, this key must be 16 bytes long. For 3DES, this key must be 8 bytes long.

Initialization Vector (IV)
Advanced option. Use the default value, baae9ef59ff1ee56211769bd91da50ed. Initialization vector used with the encryption algorithm.

3.2. Optional Pit Configuration Changes

IPsec Mode (Mode)
Processing mode for IPsec; can be either Tunnel or Transport. Transport mode encrypts only the IP packet payload. Tunnel mode encrypts the entire IP packet, header and payload. The default value is Transport.

HMAC Hash Algorithm (HashAlg)
Hashing algorithm used to provide data integrity. The default value is HMACSHA1. Available hashing algorithm choices include the following: HMACSHA1, HMACMD5, HMACRIPEMD160, HMACSHA256, HMACSHA384, HMACSHA512, and MACTripleDES.

HMAC Key (AuthKey)
Shared authentication key used for HMAC hashing. The selected hashing algorithm determines the length of this key. The default value is 4141414141414141414141414141414141414141.

Security Parameters Index (SPI)
An arbitrary 32-bit value assigned to the local machine. In combination with the destination IP address and security protocol (ESP), SPI uniquely identifies the Security Association for this datagram. The default value is 201.

Timeout (Timeout)
Duration, in milliseconds, to wait for incoming data. A value of -1 extends the duration to infinity. During fuzzing, a timeout failure causes the fuzzer to skip to the next test case.
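The manual-keying requirement in sections 2 and 3, sketched for a Linux lab target as an added example (not part of the original guide or of Peach): the script prints the iproute2 "ip xfrm" and socat commands that match the pit defaults for SPI, AuthKey, CryptoKey and TargetPort. The 2001:db8:: addresses are constructed documentation values, the function names are hypothetical, and it assumes HashAlg is left at HMACSHA1 and that Aes128 means AES in CBC mode.

```shell
#!/bin/sh
# Added example: print (do not run) target-side manual-keying commands.
# "pit default" values come from the guide; the addresses are constructed.
PEACH_IP6="2001:db8::1"    # assumed SourceIPv6 (machine running Peach)
TARGET_IP6="2001:db8::2"   # assumed TargetIPv6 (machine under test)
TARGET_PORT=1234           # pit default TargetPort
SPI=201                    # pit default SPI
CRYPTO_KEY=41414141414141414141414141414141        # pit default CryptoKey
AUTH_KEY=4141414141414141414141414141414141414141  # pit default AuthKey

# Print the byte length of a hex string; fail on odd length or non-hex input.
hex_bytes() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    echo $(( ${#1} / 2 ))
}

# Print the inbound SA and policy for proto ah|esp, mode transport|tunnel.
xfrm_cmds() {
    proto=$1 mode=${2:-transport}
    # RFC2404 (HMAC-SHA-1-96) uses a 160-bit key: 20 bytes.
    [ "$(hex_bytes "$AUTH_KEY")" = 20 ] ||
        { echo "AuthKey must be 20 bytes for HMACSHA1" >&2; return 1; }
    algs="auth 'hmac(sha1)' 0x$AUTH_KEY"
    case "$proto" in
        ah) ;;                      # AH carries an ICV only, no cipher
        esp)
            [ "$(hex_bytes "$CRYPTO_KEY")" = 16 ] ||
                { echo "CryptoKey must be 16 bytes for Aes128" >&2; return 1; }
            algs="$algs enc 'cbc(aes)' 0x$CRYPTO_KEY" ;;
        *) echo "proto must be ah or esp" >&2; return 1 ;;
    esac
    tmpl="proto $proto mode $mode"
    if [ "$mode" = tunnel ]; then   # tunnel templates name the outer endpoints
        tmpl="src $PEACH_IP6 dst $TARGET_IP6 $tmpl"
    fi
    echo "ip xfrm state add src $PEACH_IP6 dst $TARGET_IP6 proto $proto spi $SPI mode $mode $algs"
    echo "ip xfrm policy add src $PEACH_IP6 dst $TARGET_IP6 dir in tmpl $tmpl"
}

# Print one UDP and one TCP listener on the target port, as the guide requires.
listener_cmds() {
    echo "socat -u UDP6-LISTEN:$TARGET_PORT,fork STDOUT"
    echo "socat -u TCP6-LISTEN:$TARGET_PORT,fork,reuseaddr STDOUT"
}

xfrm_cmds ah
xfrm_cmds esp
listener_cmds
```

Review the printed commands, then run them as root on the target; "ip xfrm state flush" and "ip xfrm policy flush" remove the test associations afterwards.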

4. Retrieving Machine Information

Interface names, hardware addresses, and IP addresses are used when fuzzing network protocols. Windows, Linux, and OS X each have their idiosyncrasies in reporting machine configuration details. This appendix provides an example of retrieving the machine information (interface name, MAC address, and IP v4 and v6 addresses) from each of the operating systems.

4.1. Windows

In Windows, ipconfig runs from the command line interface. Running it with the /all parameter, ipconfig /all, displays the required pieces of information. The following illustration calls out instances of the Interface name, MAC address, and IP addresses.

Figure 1. ipconfig /all command

Interface Name
The interface name is part of the main entry on the line that is not indented, and immediately follows the word "adapter". The previous illustration identifies two interfaces, "Local Area Connection 2" and "Ethernet". The Interface name does not include the asterisk (*). You need to remove the asterisk, if present, when specifying the interface name to Peach.

MAC Address
The MAC address, labeled the "Physical Address" by ipconfig, is the address of the hardware interface. The entry is just a few lines into the detail, as shown in the previous illustration.

IPv4 Address
The IP v4 address is the value labeled "IPv4 Address". The previous illustration calls out the IP v4 Address of the Ethernet interface.

IPv6 Address
The IP v6 address is the value labeled "Link-local IPv6 Address". The previous illustration calls out the IP v6 Address of the Ethernet interface.

You can confirm the correctness of an IP v4 or IP v6 address by using ping or ping -6 followed by the appropriate IP address. For IP v6, the value fe80 in the leftmost block of hex digits indicates a link local address (i.e. a local network).

4.2. Linux

In Linux, ifconfig provides all of the needed information. The main entries reported by ifconfig identify each adapter by name, type, and other attributes. The following illustration calls out instances of the Interface name, MAC address, and IP addresses.

Figure 2. Linux ifconfig command

Interface Name
The interface name is in the leftmost column. Additional details are provided on indented lines. The previous illustration calls out the "eth0" and "lo" interfaces.

MAC Address
The MAC address is labeled with "HWaddr", and is located on the first line of the interface entry. The previous illustration calls out the MAC address of the "eth0" interface.

IPv4 Address
The IP v4 address is labeled with "inet addr", and is located in one of the first detail lines. The previous illustration calls out the IP v4 address of the "eth0" interface.

IPv6 Address
The IP v6 address is labeled with "inet6 addr", and follows the IP v4 address in the listing detail. The previous illustration calls out the IP v6 address of the "eth0" interface.

You can confirm the correctness of an IP v4 or IP v6 address by using ping or ping6 followed by the appropriate IP address. For IP v6, the value fe80 in the leftmost block of hex digits indicates a link local address (i.e. a local network).

4.3. OS X

In OS X, ifconfig provides all of the needed information. The main entries reported by ifconfig identify each adapter by name, type, and other attributes. The following illustration calls out instances of the Interface name, MAC address, and IP addresses.

Figure 3. OS X ifconfig command

Interface Name
The interface name is in the leftmost column. Additional details are provided on indented lines. The previous illustration calls out the "en0" and "en1" interfaces.

MAC Address
The MAC address is labeled with "ether", and is located on the first line of the interface entry. The previous illustration calls out the MAC address of the "en0" and "en1" interfaces.

IPv4 Address
The IP v4 address is labeled with "inet ", and is located further down in the interface details. The previous illustration calls out the IP v4 address of the "en1" interface.

IPv6 Address
The IP v6 address is labeled with "inet6 ", and is located further down in the interface details. The previous illustration calls out the IP v6 address of the "en1" interface.

You can confirm the correctness of an IP v4 or IP v6 address by using ping or ping6 followed by the appropriate IP address. For IP v6, the value fe80 in the leftmost block of hex digits indicates a link local address (i.e. a local network).