Introduction to IPsec. Charlie Kaufman

Similar documents
Internet security and privacy

Real-time protocol. Chapter 16: Real-Time Communication Security

IP Security IK2218/EP2120

CS 494/594 Computer and Network Security

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Virtual Private Network

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Virtual Tunnel Interface

Sample excerpt. Virtual Private Networks. Contents

Virtual Private Networks

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Firewalls, Tunnels, and Network Intrusion Detection

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Firepower Threat Defense Site-to-site VPNs

Network Security: IPsec. Tuomas Aura

Internet Protocol and Transmission Control Protocol

The EN-4000 in Virtual Private Networks

COSC4377. Chapter 8 roadmap

Analysis of the IPSec Key Exchange Standard

Table of Contents 1 IKE 1-1

CSE543 Computer and Network Security Module: Network Security

AIT 682: Network and Systems Security

Lecture 9: Network Level Security IPSec

Configuration of an IPSec VPN Server on RV130 and RV130W

VPN Ports and LAN-to-LAN Tunnels

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Chapter 5: Network Layer Security

Service Managed Gateway TM. Configuring IPSec VPN

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

IP Security II. Overview

VPN Auto Provisioning

Hillstone IPSec VPN Solution

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

CIS 6930/4930 Computer and Network Security. Final exam review

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

IKE and Load Balancing

CS Computer Networks 1: Authentication

CSC 4900 Computer Networks: Security Protocols (2)

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

IP Security. Have a range of application specific security mechanisms

VPNs and VPN Technologies

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Security Association Creation

Network Encryption 3 4/20/17

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

CS 356 Internet Security Protocols. Fall 2013

Configuring LAN-to-LAN IPsec VPNs

CSCE 715: Network Systems Security

On the Internet, nobody knows you re a dog.

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

14. Internet Security (J. Kurose)

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Cisco Live /11/2016

VPNC Scenario for IPsec Interoperability

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Configuring VPN Policies

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

CSC 6575: Internet Security Fall 2017

Virtual Tunnel Interface

Lecture 13 Page 1. Lecture 13 Page 3

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

4 Network Access Control 4.1 IPsec Network Security Encapsulated security payload (ESP) 4.2 Internet Key Exchange (IKE)

Cryptography and Network Security. Sixth Edition by William Stallings

IPSec. Overview. Overview. Levente Buttyán

Chapter 8 Network Security

The IPSec Security Architecture for the Internet Protocol

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Exercises with solutions, Set 3

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Password. authentication through passwords

Configuring IPsec and ISAKMP

David Wetherall, with some slides from Radia Perlman s security lectures.

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Securing Internet Communication: TLS

Kurose & Ross, Chapters (5 th ed.)

Transcription:

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1

IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at layer 3 (we ll explain that later) Pieces include data packets (AH, ESP), authentication handshake (ISAKMP/IKE), and endless other documents 2

Terminology Nit Cryptographic protection of data usually has two pieces: Encryption, for confidentiality Integrity protection, for authentication In this talk, I ll just say encryption and mean both! 3

Terminology Nit Cryptographic protection of data usually has two pieces: Encryption, for confidentiality Integrity protection, for authentication In this talk, I ll just say encryption and mean both! We could do encryption without integrity protection, but it would be wrong, that s for sure.apologies to Richard Nixon 4

Distinction between IPsec and SSL/TLS Interesting Both real time security Mutual authentication SA (security association) establishment encryption/integrity protection of conversation But important and subtle differences 5

IPsec vs. SSL/TLS IPsec philosophy: only change OS, don t change applications or API SSL/TLS philosophy: don t change OS, deployable as user process. TCP and below in OS, so works on top of TCP 6

SSL vs IPsec Layer 3 (IPsec) theoretically better SSL: Rogue packet problem TCP by definition, not involved in crypto So attacker can generate TCP with (noncrypto) good checksum TCP will accept it Real data will be discarded as duplicate Only recourse: break the connection In contrast, each IPsec pkt ind. protected Also, easier to build outboard crypto assist 7

However... If you don t change the API or the application: the only thing IPsec can pass up is the IP address you re talking to so IKE does all this PKI stuff to find out this is mary.smith.examplecompany.com, but can t tell app 8

What you do get Encryption of the traffic Ability to do filtering, based on a policy database Just as if there were a firewall between the two ends 9

IPsec Scenario 1 Firewall to Firewall Corporate network connected through Internet Unmodified Endnode Protected Subnet IPsec endpoint Untrusted Network IPsec endpoint Unmodified Endnode Protected Subnet 10

IPsec Scenario 2 Endnode to Firewall Mobile node connects home through Internet Endnode w/ipsec in network stack Internet IPsec endpoint Unmodified Endnode Protected Subnet 11

In Scenario 2, allocating an internal IP address Mobile node needs address in Protected Subnet that will be routed to IPsec endpoint Endnode w/ipsec in network stack Internet IPsec endpoint Unmodified Endnode Protected Subnet 12

IPsec Scenario 3 End to End Two nodes don t need to trust the network Endnode w/ipsec in network stack Endnode w/ipsec in network stack internal or external network 13

What does IPsec Protect? Protection from eavesdropping on the untrusted network In scenarios 1 & 2, connectivity only control admission to a protected network In scenario 3, potential for user and server authentication mostly unrealized 14

Tunnel vs. Transport Mode In scenarios 1 & 2, IPsec payload is an IP packet complete with different addresses IP hdr ESP hdr IP hdr TCP or UDP payload In scenario 3, IP endpoints have same addresses as IPsec endpoints, so second header not needed. IP hdr ESP hdr TCP or UDP payload 15

IKE vs. ESP vs. AH IPsec Security Association (SA) established using IKE Payload packets are encapsulated with ESP and/or AH IPsec Security Association could be configured manually (at least in theory) or using some other protocol 16

AH / ESP Extra header between layers 3 and 4 (IP and TCP) to give dest enough info to identify security association AH does integrity only - but also protects parts of IP header ESP does encryption and (optional) integrity protection (but only starting after IP header) encryption optional too now 17

ESP Encapsulating Security Payload IP Header ESP Header Encrypted Payload Encrypted Padding Pad Len NXT MIC Next Header = 50 (ESP) TCP = 6 UDP = 17 ESP = 50 IP = 4 Session ID Sequence # Over ESP Header, Encrypted Payload/Pad/Padlen/NXT 18

AH (Authentication Header) IP Header AH Header Payload Next Header = 51 (AH) TCP = 6 UDP = 17 ESP = 50 IP = 4 AH = 51 Next Len MBZ Session ID Sequence # MIC Over immutable fields of IP Header, AH Header, and Payload 19

ESP / AH Payload may be TCP, UDP, or some other higher layer protocol (transport mode) Payload may be IP datagram (tunnel mode) Payload may be ESP/AH again (recursive encapsulation) If it s important to protect IP header, ESP with tunnel mode will do that 20

Why AH? AH and ESP designed by different groups. AH designers were IPv6 supporters AH looks more like IPv6 AH also protects immutable fields in IP header. Originally, ESP just encryption Encryption without integrity has flaws 21

Why AH, con t Then integrity protection added to ESP. Excuses for keeping AH protects IP header (nobody has a credible security reason why, and ESP-tunnel can too. Makes NAT harder, which pleases IPv6 fans) with AH, firewalls and routers that want to look at layer 4 info (like ports) know it s not encrypted. With ESP, can t tell from packet 22

Why Not AH? IPsec already way too complex. AH implementation headache, makes IP complex (marking everything mutable or not) IP header can t be integrity protected en route anyway (routers don t know the key) You could peek inside ESP and almost always tell if it s encrypted or not. A flag might be nice (reserved SPIs would work) 23

Internet Key Exchange (IKE) Resynchronize two ends of an IPsec SA Choose cryptographic keys Reset sequence numbers to zero Authenticate endpoints Design evolved into something very complex 24

General idea of IKEv2 Alice Bob g A mod p, nonce A g B mod p, nonce B { Alice, proof I m Alice}g AB mod p { Bob, proof I m Bob}g AB mod p 25

Functionality WG wanted Perfect Forward Secrecy Identity hiding Lots of authentication styles Work with NATs DHCP-like address allocation crypto negotiation filtering rules ( selectors ) negotiation ( Traffic over this SA must be between this set of IP addresses and layer 4 ports ) Two phases (next slide) 26

Phases Phase 1: expensive (when based on public keys) mutual authentication, establish SA between two machines Phase 2: leverage the phase 1 SA to create lots of child-sas 27

Why Two Phases We argued for removing this, but people wanted it for: firewalls creating lots of VPNs for lots of customers they feel safer if different SAs different QOS, since might travel at different speeds, sequence numbers get far apart makes rekeying faster different SAs with different security properties 28

Conceptual IKE Diffie-Hellman for PFS Signed D-H to avoid man-in-middle attack Cookies for DoS protection 29

DoS Protection Using Cookies Avoid using memory or computation resources when pkts from forged IP addr s Alice Bob g A mod p, nonce A first send me cookie = h(ip, secret) cookie, g A mod p, nonce A 30

An Intuition for Diffie-Hellman Allows two individuals to agree on a secret key, even though they can only communicate in public Alice chooses a private number and from that calculates a public number Bob does the same Each can use the other s public number and their own private number to compute the same secret An eavesdropper can t reproduce it 31

Why is D-H Secure? We assume the following is hard: Given g, p, and g X mod p, what is X? With the best known mathematical techniques, this is somewhat harder than factoring a composite of the same magnitude as p Subtlety: they haven t proven that the algorithms are as hard to break as the underlying problem 32

Alice Diffie-Hellman agree on g,p Bob choose random A choose random B g A mod p g B mod p compute (g B mod p) A compute (g A mod p) B agree on g AB mod p 33

Man in the Middle Alice g A mod p g T mod p Trudy g T mod p g B mod p Bob agree on g AT mod p {data}g AT mod p {data}g AT mod p agree on g TB mod p {data}g TB mod p {data}g TB mod p 34

Signed Diffie-Hellman (Avoiding Man in the Middle) Alice Bob choose random A choose random B [g A mod p] signed with Alice s Private Key [g B mod p] signed with Bob s Private Key verify Bob s signature verify Alice s signature agree on g AB mod p 35

But if you have RSA keys... Why bother with Diffie-Hellman? Answer: PFS If someone records the entire conversation, and later discovers Alice s and Bob s private keys, you don t want them to be able to decrypt example without PFS (SSL): Alice chooses secret, encrypts it with Bob s PK, rest of session protected based on that secret 36

What are the nonces for? It s expensive to compute g A mod p So, nice to reuse A (or for Bob to reuse B) Using nonces allows you to do that, and still get a new session key for each session Though if you remember A beyond a session, you lose PFS 37

Now details. First IKEv1 Two phases Phase 1 has 8 protocols! two modes aggressive: 3 msgs. mutual auth and get session key main: 6 msgs. that, plus ID hiding For each mode, a protocol for each key type preshared secret key, signature PK, encryption PK (old crufty way), encryption PK (improved way) So, 9 protocols (4*2 phase 1, plus phase 2) 38

General Idea of IKEv1 Main- Mode Alice crypto suites I support crypto suites I choose g A mod p, nonce A g B mod p, nonce B Bob { Alice, proof I m Alice} key variant-dependent { Bob, proof I m Bob} 39

General Idea of IKEv1 Aggressive-Mode Alice Bob I m Alice, g A mod p, nonce A I m Bob, g B mod p, proof I m Bob, nonce B proof I m Alice 40

Which of 8 is MUST? Main mode, preshared key = S Alice-Bob Alice sends: { Alice, proof} f(s Alice-Bob ) Bob can t decrypt that unless he knows who he s talking to! So the WG said your ID has to be your IP addr But then why do 6-msg main mode to hide it? And it doesn t work for road warrior So most IKEv1s are aggressive mode, preshared 41

General idea of IKEv1 quick mode (phase 2) IKE-SA, Y, traffic, SPI A, [g A mod p] IKE-SA, Y, traffic, SPI B, [g B mod p] IKE-SA, Y, ack 42

IKEv2 Greatly cleaned up and simplified Tried not to make gratuitous changes, so code reuse when possible Initial version much simpler, then added NAT traversal, legacy authentication, internal address assignment Copied those from how it was done in IKEv1 43

General idea of IKEv2 Alice Bob g A mod p, nonce A g B mod p, nonce B { Alice, proof I m Alice}g AB mod p, make child-sa { Bob, proof I m Bob}g AB mod p, make child-sa 44

Traffic Restrictions IPsec policy: Traffic between these sets of IP adds, and protocol types, and ports, must have this sort of cryptographic protection Creating SA, specify traffic selectors IKEv1: Initiator proposes. Responder (if has more restrictive policy) can just say no IKEv2: allowed responder to narrow or say single pair 45

Working Through Firewalls and NATs Firewalls might not pass ESP packets Endnodes may share IP addresses (distinguishing them using ports) UDP encapsulation used to get through (make ports visible to NAPT) IP hdr UDP hdr ESP hdr IP hdr TCP or UDP payload 46

Varying Authentication Methods X.509 certificates Naming trusted certifiers User name and password SecurID or challenge/response cards Smart cards Kerberos 47

The Dream of IPsec End to End IPsec envisioned to replace SSL and be standard way to cryptographically protect all communications Protocol itself supports this Deployments don t 48

What would it take? Policy encoding: how does a node know whether to require (or attempt) IPsec Certificate policies: what should be the requirements for certificates authenticating service X (or might keys be in DNS)? APIs How does an application ask the OS the authenticated name of the other end of a connection? 49

What are the prospects? Not good SSL and SSH good enough Hard policy and naming issues without an organizing force 50

Conclusions Until a few years ago, you could connect to the Internet and be in contact with hundreds of millions of other nodes, without giving even a thought to security. The Internet in the 90 s was like sex in the 60 s. It was great while it lasted, but it was inherently unhealthy and was destined to end badly. I m just really glad I didn t miss out again this time. from Network Security: Private Communication in a Public World 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback