Post on 17-Feb-2022
IPSec Goals
● Provide end-to-end security for IP payload
● SSL/TLS secures only the transport payload
  – only TCP HTTP payload originally
  – SSL/TLS can not be used for UDP
● SSL/TLS needs application to be rewritten
  – How about legacy apps?
● If OS supports IPSec at both end-points, all IP traffic can be encrypted / authenticated
● Routers do not have to be aware of IPSec
End-to-End Layers in the Protocol Stack
[Figure: packet layouts built from the IP H, IPSec, TCP H, SSL H and App Data fields. Panels: SSL Protects only Application Data; IPSec with TLS in Transport Mode; IPSec with TLS in Tunnel Mode]
Unprotected IP packet: IP | TCP | App Data
IPSec Transport mode: IP H | IPSec | Trans H | App Data
IPSec Tunnel mode: IP H | IPSec | IP H | Trans H | App Data
IPv4 / IPv6
● Routers do not have to be aware of IPSec
● But NATs do (this is bad)
● IPSec created as inherent part of IPv6
● Nobody thought that IPv4 will still be used decades later
● Later made compatible with IPv4 too
● New IP protocol definition (51) in IP header for IPv4
● Just another extension header in IPv6
IPv6 Header
Optional Headers – 1) Hop-by-Hop options 2) Routing Header 3) Fragment Header 4) AH 5) ESP 6) Dest. Options
IPv4 vs IPv6
• Fragmentation is an optional header in IPv6 (second row of v4 missing in v6)
• TTL renamed to what it actually is (Hop Limit)
• V4 protocol field replaced by next-header in v6
• No header checksum in v6. Saves a lot of work for routers
• Next header is usually TCP/UDP. But can be
  • Hop-by-hop, routing, fragmentation (things routers need to be aware of)
  • Dest options, AH/ESP (routers need not be aware of these)
IPsec
● IP Security (RFCs 2401, 2402, 2406)
● Transparent to higher (transport / application) layers
● Provides a virtual connection between two IP hosts
  ● Security Association (SA)
  ● Different SAs for different types of traffic flowing in different directions
● Not a single protocol
  ● Provide algorithms + general framework
  ● Up to hosts to choose appropriate methods
Applications
● Secure branch office connectivity over the Internet
● Secure remote access over the Internet
● Establishing extranet and intranet connectivity with partners
● Enhancing electronic commerce security
● IPSec VPNs
  – end-to-end IPSec support may not be available
  – IPSec gateways
IPsec Features
● Multiple services
  ● Access Control
  ● Data Integrity
  ● Authentication
  ● Protection from replay attacks
  ● Confidentiality
  ● Limited traffic flow confidentiality
● Multiple Algorithms
  ● Not explicitly specified (can be negotiated / changed)
● Multiple Granularity
  ● Ability to use IPSec for
    – Single TCP connection
    – All traffic between a pair of hosts
    – All traffic between two routers
Modes, Services and Components
● Modes
  ● Transport Mode
  ● Tunnel Mode
● Services
  ● Authentication only (AH – Authentication Header)
  ● Privacy (ESP – Encapsulating Security Payload)
● Components
  ● Security Association Database (SAD)
  ● Security Policy Database (SPD)
  ● Internet Sec. Assoc. Key Mgmt Protocol (ISAKMP)
AH / ESP in Transport / Tunnel Modes
AH
  Transport Mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
  Tunnel Mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header
ESP
  Transport Mode SA: Encrypts IP payload and any IPv6 extension header
  Tunnel Mode SA: Encrypts inner IP packet
ESP with authentication
  Transport Mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
  Tunnel Mode SA: Encrypts inner IP packet. Authenticates inner IP packet.
Authentication Header
Provides support for data integrity and authentication (MAC) of IP packets.
Guards against replay attacks. Sequence number incremented with each packet.
SPI helps the receiver figure out how to verify MAC
Packet layout: IP hdr | AH | Trans Pkt
ESP (Encapsulating Security Payload)
● Provides support for confidentiality of IP payload, with optional MAC.
● Guards against replay attacks (sequence number incremented with each packet).
● SPI helps the receiver figure out how to decrypt payload (and verify MAC)
● More than necessary padding to support traffic flow confidentiality
Packet layout: IP Hdr | SPI | seq num | trans pkt | pad | pad len | nxt hdr | auth dat
IPSec Components
● Security Association Database (SAD)
  – A database of SAs indexed by SPI
  – Each record has several connection specific parameters
    ● Encryption algorithm, key, source and dest address, key-exchange parameters
● Security Policy Database (SPD)
  – A rules database that enables determination of SPI for outgoing packets
  – Should IPSec be used for this packet?
  – If so, which mode (trans/tunn)? Service (ESP/AH)?
  – What is the SPI?
● ISAKMP
  – Protocols for establishing SAs stored in SAD
IPSec Sender
[Figure: sender stack with boxes App Data, Transport Layer, IP Layer with IPSEC, Security Policy Database, Security Association Database, ISAKMP, Layer 2]
● Transport packet enters IP layer that is IPSec enabled
  – Should I use IPSEC? (SPD tells you)
  – If “don’t use”, send IP packet to layer 2
  – If “should use” SPD returns an SPI
● SPD tells you what SPI, what mode, what service
  – Look in the SAD for an SA with same SPI, dest address and source address
  – If no SA, create one using ISAKMP
  – AH and ESP headers explicitly indicate SPI, and a sequence number
IPSec Receiver
[Figure: receiver stack with boxes App Data, Transport Layer, IP / IPSec, Security Association Database, Layer 2]
● IP with AH/ESP from Layer 2
  – Look in the SAD for an SA with same SPI, dest address and source address
  – Else look for something with the same SPI and dest address
  – Or with the same SPI
  – If no entry exists, drop packet
  – If found, use the SA to process packet
  – deliver ESP/AH payload to higher layer
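The sender and receiver walks above, as an added example (not code from the slides or from any IPSec implementation): a toy SPD and SAD in Python. The SA fields, the dictionary-shaped SPD, the addresses and the SPI values are all assumptions made for illustration.

```python
# Added illustration, not from the slides: a toy SPD and SAD. All names,
# addresses and SPI values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class SA:
    spi: int
    dst: Optional[str]    # None = entry not bound to a destination address
    src: Optional[str]    # None = entry not bound to a source address
    mode: str             # "tunnel" or "transport"
    service: str          # "ESP" or "AH"
    seq: int = 0          # sender-side sequence counter

def sad_lookup(sad, spi, dst, src):
    """Search order from the receiver slide: most specific key first."""
    for key in ((spi, dst, src), (spi, dst, None), (spi, None, None)):
        for sa in sad:
            if (sa.spi, sa.dst, sa.src) == key:
                return sa
    return None

def send(spd, sad, src, dst):
    """Sender: the SPD decides whether IPSec applies and names the SPI."""
    spi = spd.get((src, dst))
    if spi is None:
        return "bypass"                  # "don't use": plain IP to layer 2
    sa = sad_lookup(sad, spi, dst, src)
    if sa is None:
        return "negotiate"               # no SA yet: ISAKMP would create one
    sa.seq += 1                          # one increment per packet on this SA
    return (sa.service, sa.mode, sa.spi, sa.seq)

def receive(sad, spi, dst, src):
    """Receiver: no matching SA means the packet is dropped."""
    sa = sad_lookup(sad, spi, dst, src)
    return "drop" if sa is None else (sa.service, sa.mode)

# Constructed sample databases
SAD = [SA(0x1001, "10.0.0.2", "10.0.0.1", "tunnel", "ESP"),
       SA(0x2002, "10.0.0.2", None, "transport", "AH")]
SPD = {("10.0.0.1", "10.0.0.2"): 0x1001, ("10.0.0.1", "10.0.0.9"): 0x3003}
```

An SA bound to a source address (SPI 0x1001 here) does not match the same SPI arriving from another source, while the entry with no source (0x2002) is found on the second pass.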
Security Associations (SA)
● A one way relationship between a sender and a receiver.
  ● Sequence number, algorithms, keys, lifetimes
● Uniquely identified by three parameters:
  ● Security Parameter Index (SPI) (database index)
  ● IP Destination address
  ● Security Protocol Identifier (AH/ESP)
● Fortunately, we have adopted simpler practices (ESP tunnel only)
Sequence Numbers
● To prevent replay attacks
● 64-bit sequence number
● Only 32 LSBs included in ESP header
● 32 MSBs in SA entry in SAD
● Incremented for every packet sent using the same SA
● Receiver keeps track of previously received sequence numbers
● A little bit tricky as IP packets can be received out of order.
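One way to handle the out-of-order case, as an added example that is not from the slides: a 64-packet sliding window that rebuilds the 64-bit number from the 32 bits in the header and lets the MAC (HMAC-SHA-1-96 here) confirm the guessed upper half. The window size, the class and function names, the key and the exact bytes fed to the MAC are assumptions.

```python
import hashlib, hmac, struct

def icv(key, spi, seq64, body):
    """HMAC-SHA-1-96 over SPI, low 32 bits, body, then the unsent high 32 bits."""
    msg = struct.pack("!II", spi, seq64 & 0xFFFFFFFF) + body
    msg += struct.pack("!I", seq64 >> 32)
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

class ReplayWindow:
    def __init__(self, key, spi, size=64):
        self.key, self.spi, self.size = key, spi, size
        self.top = 0       # highest authenticated 64-bit sequence number
        self.bitmap = 1    # bit i set => (top - i) was seen; 0 is never sent

    def accept(self, seql, body, tag):
        """Return the packet's 64-bit sequence number if fresh, else None."""
        bottom = max(self.top - self.size + 1, 0)
        # Smallest 64-bit value at or above the window bottom whose low
        # 32 bits equal the number carried in the header.
        seq = bottom + ((seql - bottom) % 2**32)
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return None                      # duplicate inside the window
        if not hmac.compare_digest(tag, icv(self.key, self.spi, seq, body)):
            return None                      # forged, or older than the window
        if seq > self.top:                   # new highest: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)   # late arrival, now seen
        return seq

def demo():
    """Constructed traffic: reordering, a duplicate, rollover, a stale replay."""
    key, spi, body = b"constructed-demo-key", 0x1001, b"payload"
    w = ReplayWindow(key, spi)
    sent = (1, 3, 2, 2, 2**32 - 1, 2**32 + 5, 3)
    return [w.accept(s & 0xFFFFFFFF, body, icv(key, spi, s, body)) for s in sent]
```

The window state changes only after the MAC verifies, so a packet older than the window (which is reconstructed with the wrong upper 32 bits) fails the MAC and cannot move the window.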
Traffic Flow Confidentiality (TFC)
● ESP uses padding
● Pad length between 0 and 255 bytes
● One additional byte shows pad length
● This followed by nxt-header (most often this is 4 as payload is a tunneled IP packet)
● The freedom to add up to 255 bytes of padding is useful for TFC (to hide data length)
● Can also send dummy packets with nxt-hdr 59
● All these fields (pad, 1 byte length, nxt-hdr, etc) are encrypted in the ESP packet, only receiver knows the extent of padding or if the packet is a dummy packet.
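The trailer described above, as an added example (not from the slides): building and parsing the plaintext that ESP encrypts, with a larger alignment used to put packets of different lengths into one size bucket. The function names, the 8-byte block size, the 1, 2, 3, ... filler bytes and the 64-byte bucket are assumptions; encryption itself is left out.

```python
import os

NXT_IPIP, NXT_NONE = 4, 59    # next-header values named on the slide

def build_plaintext(payload, next_header, align=8):
    """Payload, pad, pad length, next header: the bytes ESP then encrypts.

    align=8 fills a 64-bit cipher block (assumed); a larger align (up to 256)
    rounds every packet up to the same size bucket to hide the data length.
    """
    pad_len = -(len(payload) + 2) % align
    if pad_len > 255:
        raise ValueError("pad length is one byte: at most 255")
    pad = bytes(range(1, pad_len + 1))      # 1, 2, 3, ... filler bytes
    return payload + pad + bytes([pad_len, next_header])

def dummy_packet(align=64):
    """Cover traffic: random filler marked with next header 59."""
    return build_plaintext(os.urandom(align // 2), NXT_NONE, align)

def parse_plaintext(plain):
    """Receiver, after decryption: strip the trailer or discard a dummy."""
    if len(plain) < 2:
        raise ValueError("too short to hold an ESP trailer")
    pad_len, next_header = plain[-2], plain[-1]
    end = len(plain) - 2 - pad_len
    if end < 0 or plain[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("malformed padding")
    if next_header == NXT_NONE:
        return None                          # dummy packet, nothing to deliver
    return next_header, plain[:end]

def wire_sizes(payload_lengths, align):
    """Plaintext size produced for each payload length (constructed input)."""
    return [len(build_plaintext(b"A" * n, NXT_IPIP, align))
            for n in payload_lengths]
```

With `align=8` payloads of 20, 41 and 60 bytes give three different sizes; with `align=64` all three come out at 64 bytes, which is the length hiding the slide refers to.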
Encryption and Authentication Algorithms
Encryption: Three-key triple DES, RC5, IDEA, Three-key triple IDEA, CAST, Blowfish
Authentication: HMAC-MD5-96, HMAC-SHA-1-96
Key Management
● ISAKMP (Internet Security Association Key Management Protocol)
  ● Specifies protocols – formats, negotiation of security attributes
  ● Oakley Key Determination Protocol commonly used
● Oakley – key exchange protocol: based on Diffie-Hellman + features for addressing
  – Clogging attacks (addressed using cookies)
  – Replay attacks (nonces)
  – Secure exchange of public keys
● Authenticated DH to thwart M-I-M attacks