Link Layer SECURITY


Transcript of Link Layer SECURITY

3rd Edition, Chapter 5

Link Layer SECURITY
Objective: understanding
- a collision domain
- Layer 2 protocols
- shared access to the same medium
- Layer 2 addressing
- Layer 2 general security issues
- wired L2 security issues (802.3)
- wireless L2 security issues (802.11)

Link Layer: Introduction
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along a communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link layer: context
- a datagram is transferred by different link protocols over different links: e.g., Ethernet on the first link, frame relay on intermediate links, 802.11 on the last link
- each link protocol provides different services: e.g., it may or may not provide reliable data transfer (rdt) over the link

Transportation analogy: a trip from Princeton to Lausanne
- limo: Princeton to JFK
- plane: JFK to Geneva
- train: Geneva to Lausanne
- tourist = datagram
- transport segment = communication link
- transportation mode = link layer protocol
- travel agent = routing algorithm

What layer 2 does
- Framing, link access: encapsulates datagrams in frames, adding the appropriate headers; decides how to access the channel if it is shared by more than two nodes
- MAC addresses are used to identify the source and destination nodes. They are DIFFERENT from IP addresses! They serve to identify a node within a collision domain, not beyond it
- Guarantees reliability in transit over the link, with the same techniques as layer 4 (acknowledgements, windows, checksums)
- Wireless links: exorbitant error rates because of interference
Q: what are acknowledgements at layer 2 for, if we already have them at layer 4?

Link Layer Services
- framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; MAC addresses used in frame headers to identify source, dest (different from IP address!)
- reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)! Seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates
Q: why both link-level and end-end reliability?

Where is the link layer implemented?
- in each and every host
- link layer implemented in the adaptor (aka network interface card, NIC): Ethernet card, PCMCIA card, 802.11 card; it implements the link and physical layers
- attaches into the host's system buses
- combination of hardware, software, firmware

[Figure: host schematic. The host runs application, transport, network and link layers; the network adapter card (controller, physical transmission) implements link and physical layers and attaches to the CPU and memory through the host bus (e.g., PCI)]

Adaptors Communicating
- sending side: encapsulates the datagram in a frame; adds error checking bits, rdt, flow control, etc.
- receiving side: looks for errors, rdt, flow control, etc.; extracts the datagram and passes it to the upper layer

[Figure: sending host controller -> frame -> receiving host controller; the datagram is handed down to the adaptor on one side and up from it on the other]

LINK TYPES
Two types:
- Point-to-point: PPP, PPPoA, PPPoE
- Broadcast (shared medium: space, wires): Ethernet, 802.11 wireless LAN

Broadcast links are evidently a challenge for confidentiality and integrity: every station attached to the medium receives every frame, and every station can transmit at will.


ETHERNET FRAME STRUCTURE
- Addresses: 6 bytes each (destination first, then source)
- NICs process incoming frames only if the Dst MAC corresponds to the NIC's MAC, or to the broadcast address (ff:ff:ff:ff:ff:ff). Otherwise the NIC should discard the frame (unless it has been put in promiscuous mode, which is exactly what a sniffer does)
- Type: code of the transported layer 3 protocol (e.g. IP, IPv6; others were and are possible)
- CRC: checked by the receiver. The frame should be discarded if the CRC does not match. It is NOT cryptographic: anyone who can alter the frame can simply recompute it.
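The following is an added example (not part of the slides) that models the NIC behaviour described above: an Ethernet II frame is built with its FCS, a receiving NIC drops frames with a bad FCS or not addressed to it (unless promiscuous), and the difference between line noise and an on-path attacker is shown: noise breaks the CRC, the attacker just recomputes it. MAC addresses and the payload are constructed sample values.

```python
import struct
import zlib
from typing import Optional

# Constructed sample values (not from the slides): station A, station B, a third NIC C.
MAC_A = bytes.fromhex("1a2fbb7609ad")
MAC_B = bytes.fromhex("5823d7fa20b0")
MAC_C = bytes.fromhex("0cc4116fe398")
BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = b"constructed IPv4 datagram bytes"  # stands in for the encapsulated datagram


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over dst|src|type|payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def nic_receive(frame: bytes, nic_mac: bytes, promiscuous: bool = False) -> Optional[dict]:
    """What a NIC does on reception: drop on bad FCS; drop unless the frame is for us
    or broadcast, except in promiscuous mode (a sniffer's NIC)."""
    if len(frame) < 18:
        return None
    body, trailer = frame[:-4], frame[-4:]
    if trailer != fcs(body):
        return None                      # CRC mismatch: discard
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if not promiscuous and dst not in (nic_mac, BROADCAST):
        return None                      # not for us: discard
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": body[14:]}


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit without touching the FCS: this is what line noise does."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)


def tamper(frame: bytes, offset: int, new_byte: int) -> bytes:
    """Change a byte and recompute the FCS: this is what an on-path attacker does.
    The CRC protects against noise, not against an adversary."""
    body = bytearray(frame[:-4])
    body[offset] = new_byte
    return bytes(body) + fcs(bytes(body))


def demo() -> dict:
    frame = build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, PAYLOAD)
    return {
        "for_b": nic_receive(frame, MAC_B),                           # accepted by B
        "for_c": nic_receive(frame, MAC_C),                           # silently dropped by C
        "sniffed_by_c": nic_receive(frame, MAC_C, promiscuous=True),  # C in promiscuous mode sees it
        "noise": nic_receive(corrupt(frame, 14), MAC_B),              # bad FCS -> dropped
        "attacker": nic_receive(tamper(frame, 14, ord("X")), MAC_B),  # altered content, valid FCS -> accepted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Offset 14 is the first payload byte. The last two cases are the point of the slide: the receiver cannot tell a deliberately modified frame from a genuine one, because the only integrity check is a CRC that the attacker can recompute.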


MAC Addresses
- IP address: valid among layer 3 nodes
- MAC address: works only within the current link. Does not need configuration: it is hardwired within the NIC, but any modern OS lets the driver override it in software.
- Therefore it cannot be used for authenticating stations, and cannot be used for managing Layer 2 ACLs.

ARP: Address Resolution Protocol
- Needed when a host must be reached at layer 2: a conversion IP -> MAC is needed
- Each station keeps an ARP table
- ARP table: triples <IP address; MAC address; TTL>; the TTL (Time To Live) is the time after which the entry is forgotten

[Figure: a LAN with four stations, MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53 and IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]

Routing between two collision domains
A needs to contact B via R. Assume A knows B's IP address.
R has two ARP tables, one per collision domain.
- In the routing table at the source host, find the router 111.111.111.110
- In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.


A originates datagram D, A -> B
- Is B in the same LAN? NO. Routing is needed via R.
- R's MAC address is needed. ARP is the recipe!
- D is embedded in a frame F. Note that F goes from MAC A -> MAC R, but D refers to IP A -> IP B
- R receives F, extracts D, sees B's IP, and understands that B is within LAN2
- R uses ARP to obtain the MAC address of B
- R creates a frame F2 and sends it to B. F2 contains D (unchanged), but at layer 2 the conversation is between R and B.

[Figure: animation of A, R and B]
Presenter notes: the datagram appears (source and destination addresses must appear in the datagram); 3. the ARP frame appears (addressed to everyone): the sender MAC address must appear, 74-29-..., and the destination ff:ff:ff:ff:ff:ff; 4.

ARP poisoning in LAN

Half MITM: only one of the two ARP entries is poisoned (e.g. the victim's entry for the gateway), so only one direction of the traffic passes through the attacker.

Countermeasures
- ARP watching (record the IP/MAC pairings seen on the LAN and alert when they change)
- Static ARP tables
- ARP jamming
- VPN technologies: IPsec, tunnels, SSH
- SSL (but it works only on a per-application basis)

Hubs
A hub repeats frames on each port (except the incoming one).
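The "ARP watching" countermeasure listed above, as an added example that is not part of the slides: a passive watcher in the style of arpwatch learns IP/MAC pairings from the ARP traffic it sees and raises an alert on an unsolicited reply, on a pairing that changes, and on one MAC that claims both the gateway's IP and another host's IP (the full MITM position). The packet list and the gateway IP are constructed assumptions; the "unsolicited reply" rule is a heuristic and would also fire on legitimate gratuitous ARP, which is why arpwatch-style tools report rather than block.

```python
from collections import defaultdict
from typing import List, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
GATEWAY_IP = "10.0.0.1"  # assumption: the watcher is told which IP is the default gateway

# Constructed ARP packets, in the order they were seen on the wire (not a real capture):
# (opcode, sender IP, sender MAC, target IP)
SAMPLE_PACKETS = [
    (ARP_REQUEST, "10.0.0.5", "aa:aa:aa:aa:aa:aa", "10.0.0.1"),  # host asks who has the gateway
    (ARP_REPLY,   "10.0.0.1", "11:11:11:11:11:11", "10.0.0.5"),  # the real gateway answers
    (ARP_REPLY,   "10.0.0.1", "cc:cc:cc:cc:cc:cc", "10.0.0.5"),  # attacker: "the gateway is me"
    (ARP_REPLY,   "10.0.0.5", "cc:cc:cc:cc:cc:cc", "10.0.0.1"),  # attacker: "the host is me" (full MITM)
]


class ArpWatcher:
    """Passive ARP watching: learn pairings from traffic, alert when they change or look forged."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.outstanding = set()          # IPs somebody asked for that have not been answered yet
        self.alerts: List[Tuple] = []

    def observe(self, op: int, sender_ip: str, sender_mac: str, target_ip: str) -> None:
        if op == ARP_REQUEST:
            self.outstanding.add(target_ip)
        elif op == ARP_REPLY:
            if sender_ip in self.outstanding:
                self.outstanding.discard(sender_ip)
            else:
                # a reply nobody asked for is the signature of ARP poisoning
                self.alerts.append(("unsolicited_reply", sender_ip, sender_mac))
        self._learn(sender_ip, sender_mac)

    def _learn(self, ip: str, mac: str) -> None:
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("mapping_changed", ip, old, mac))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        claimed = self.mac_to_ips[mac]
        if len(claimed) > 1 and self.gateway_ip in claimed:
            # one NIC claiming the gateway's IP plus another host's IP sits between the two
            self.alerts.append(("gateway_and_host_same_mac", mac, tuple(sorted(claimed))))


def run_demo(packets=SAMPLE_PACKETS) -> List[Tuple]:
    watcher = ArpWatcher(GATEWAY_IP)
    for packet in packets:
        watcher.observe(*packet)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real LAN the packets would come from a raw socket or a pcap feed; the logic is the same. Note that the first two packets (a request and its matching reply) produce no alert at all.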

[Figure: copper twisted pair into a hub; a frame entering one port is repeated on all the others]

Typical switch workflow
When a new frame F enters some interface:
    record <src MAC, incoming interface> in the switch table
    look up Dst MAC in the switch table
    if Dst MAC is in the switch table then
        if dst.intf = src.intf then ignore this frame
        else send F over dst.intf ONLY
    else broadcast F on all ports (except the incoming one)

Example: C sends frame F to D
- The switch receives F from C
- C is discovered to operate from intf 1. This is recorded.
- It is not known where D operates from
- F is sent to intf 2 and 3
- D receives F

[Figure: a switch with interfaces 1, 2, 3, each connected to a hub: A, B, C on 1; D, E, F on 2; G, H, I on 3. Switch table (address / interface): A, B, E, G]

Switch example: when D answers to C
- D answers with F2
- D is discovered to be operating from intf 2. This is recorded.
- C is known to work on intf 1: only this interface receives F2

[Figure: same topology; switch table (address / interface) now A/1, B/1, E/2, G/3, C/1, D/2]

Port Stealing: example
C sends a frame to R. G is an intruder.
- G sends frames using R as the source MAC. This forces a wrong update of the switch table: R is now recorded on G's interface.
- G can then capture the frames to R, and can record, filter and alter them.
- Then, to avoid disrupting the communication, it sends frames to the real R; R's answers make the switch re-learn R's real interface, and G repeats the cycle.

[Figure: topology with A, B, C on interface 1, R on interface 2, G, H, I on interface 3]

MAC Spoofing / Flooding
Flooding. Idea: the switch table needs memory. This memory can be saturated by producing a huge number of frames with random source MACs. When this happens the switch can no longer learn new addresses, and every frame to an address it has not learned is flooded to all ports: the switch starts behaving like a hub.

Countermeasures: port locking (port security: limit the number of MAC addresses a port may learn, and drop or shut the port on violation).

DHCP Spoofing
- Allows capturing client traffic: the rogue server hands clients a default gateway (and DNS server) of the attacker's choice
- Needs installing a rogue DHCP server competing with the real DHCP server
- Much more stable than ARP poisoning

Countermeasures:
- Detect multiple DHCP leases (offers coming from more than one server)
- Utilities for detecting rogue DHCP servers exist

Broadcast attacks
Example:
- Fake the victim's IP (use it as the source address)
- Generate broadcast traffic using the fake IP
- The answers flood the victim
Depending on the type of attack, particular conditions are required

[Figure: the attacker, with spoofed source IP 192.168.0.1, sends broadcast traffic into the network; the subnet hosts (passive attackers) all answer to the victim, whose real IP is 192.168.0.1]

COUNTERMEASURES
- Limit ICMP and other types of broadcast on LANs
- Configure firewalls
- IP spoofing from LAN to LAN is severely limited, but still possible.

Wireless L2 Security

802.11 frame: Addressing
    frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)
- Address 1: the receiver on the air (the destination MAC of this transmission)
- Address 2: the transmitter on the air (the source MAC of this transmission)
- Address 3: the BSSID (MAC address of the AP), or whichever of final destination / original source is not covered by addresses 1 and 2
- Address 4: used only in a WDS (wireless distribution system, AP-to-AP links)

[Figure: Internet, router, AP]

[Figure: station H1 -> AP -> router R1]

802.11 frame: bridging
- 802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
- the AP rewrites it as an 802.3 frame: dest. address = R1 MAC addr, source address = H1 MAC addr

802.11 frame: more
Frame control field, in bits:
    protocol version (2) | type (2) | subtype (4) | to DS (1) | from DS (1) | more frag (1) | retry (1) | power mgt (1) | more data (1) | WEP (1) | rsvd (1)
- duration: duration of the reserved transmission time (RTS/CTS)
- seq control: frame seq # (for reliable ARQ)
- type/subtype: frame type (RTS, CTS, ACK, data)

802.11: BSS & ESS
- ESSID = string denoting an AP group. Members of the group should be coordinated. Not necessarily configured in a WDS.
- BSSID = single AP MAC address. Should be unique.
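Added example, not from the slides: a builder and parser for the 802.11 MAC header described above. It decodes the frame control bits (type, subtype, To DS / From DS, protected), assigns the three or four addresses their roles according to To DS / From DS, and reproduces the bridging slide: an uplink data frame from H1 to the AP destined to R1, and the 802.3 destination/source the AP derives from it. It also builds and recognises a deauthentication frame, the management frame behind the deauthentication attack mentioned later in the slides. Control frames (RTS/CTS/ACK) have shorter headers and are deliberately not modelled. The MAC addresses and reason code are constructed values.

```python
import struct
from typing import Dict, Optional

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
MGMT_SUBTYPES = {0: "association request", 1: "association response", 4: "probe request",
                 5: "probe response", 8: "beacon", 11: "authentication", 12: "deauthentication"}

# Constructed addresses for the bridging figure: station H1, the AP (its MAC is the BSSID), router R1
H1 = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
R1 = bytes.fromhex("020000000003")


def build_frame(ftype: int, subtype: int, to_ds: int, from_ds: int, a1: bytes, a2: bytes, a3: bytes,
                a4: Optional[bytes] = None, protected: int = 0, seq: int = 0, body: bytes = b"") -> bytes:
    """Frame control is little-endian: version bits 0-1, type 2-3, subtype 4-7, To DS bit 8,
    From DS bit 9, protected (WEP) bit 14. Sequence control: fragment 0-3, sequence 4-15."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9) | (protected << 14)
    hdr = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)
    if to_ds and from_ds:
        hdr += a4                        # address 4 exists only for WDS (To DS = From DS = 1)
    return hdr + body


def parse_frame(frame: bytes) -> Dict:
    fc, duration = struct.unpack("<HH", frame[:4])
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == TYPE_CTRL:
        raise ValueError("control frames carry one or two addresses; not modelled here")
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl, = struct.unpack("<H", frame[22:24])
    a4, hdr_len = None, 24
    if to_ds and from_ds:
        a4, hdr_len = frame[24:30], 30
    # address 1 is always the receiver on the air and address 2 the transmitter;
    # which one is the BSSID, final destination (DA) or original source (SA) depends on the DS bits
    if not to_ds and not from_ds:
        roles = {"DA": a1, "SA": a2, "BSSID": a3}
    elif to_ds and not from_ds:
        roles = {"BSSID": a1, "SA": a2, "DA": a3}      # station -> AP (the bridging slide)
    elif from_ds and not to_ds:
        roles = {"DA": a1, "BSSID": a2, "SA": a3}      # AP -> station
    else:
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": a4}  # WDS
    if ftype == TYPE_MGMT:
        name = MGMT_SUBTYPES.get(subtype, f"management subtype {subtype}")
    else:
        name = "data"
    return {"version": fc & 3, "type": ftype, "subtype": subtype, "name": name,
            "to_ds": to_ds, "from_ds": from_ds, "protected": (fc >> 14) & 1, "duration": duration,
            "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
            "receiver": a1, "transmitter": a2, "roles": roles, "body": frame[hdr_len:]}


def to_ethernet_addresses(parsed: Dict) -> bytes:
    """What the AP does when bridging to 802.3: dst = DA, src = SA (the BSSID disappears)."""
    return parsed["roles"]["DA"] + parsed["roles"]["SA"]


def demo():
    uplink = build_frame(TYPE_DATA, 0, 1, 0, AP, H1, R1, protected=1, seq=7, body=b"ip datagram")
    # deauthentication: unprotected management frame from the AP to H1, reason code 7
    # (class 3 frame received from a non-associated station); anyone can forge it without 802.11w
    deauth = build_frame(TYPE_MGMT, 12, 0, 0, H1, AP, AP, body=struct.pack("<H", 7))
    return parse_frame(uplink), parse_frame(deauth)


if __name__ == "__main__":
    for parsed in demo():
        print(parsed["name"], {k: v.hex() for k, v in parsed["roles"].items()})
```

Note the asymmetry the parser makes explicit: the data frame carries the protected bit, but the deauthentication frame does not, because management frames in WPA/WPA2 without 802.11w are neither encrypted nor authenticated. That is why forging them is enough to disconnect a station.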

Association: the process of entering a virtual collision domain
- Beacon frames
- Probe frames
- Association requests and responses
- Auth requests and responses

Channel allocation
[Figure: 802.11 channel map]
- 802.11n APs can take two adjacent channels together (40 MHz channel bonding)

WLAN open
- Virtually equivalent to a hubbed LAN
- Sniffing is possible, but ESSID & BSSID spoofing is also very easy
- A de-authentication attack can block traffic: deauthentication frames are unauthenticated management frames (without 802.11w), so anyone can forge them

Primitive solution: WEP

WEP frame format
[Figure: WEP frame format]

WLAN WEP
- Very simple cryptography with a pre-shared key
- Each frame is encrypted with the keystream RC4(IV || Key)
- The IV is transmitted in plain text and is only 24 bits long: repetitions are possible, thus allowing keystream-reuse analysis
- Once the key is known, hub-equivalent sniffing in promiscuous mode is possible
- Frames can be altered without knowing the key: the ICV is a CRC-32, which is linear, so an attacker can flip bits in the ciphertext and adjust the encrypted ICV accordingly

WEP Authentication (open)

WEP Shared key authentication

WEP weaknesses
- IV space is 24 bit = 16M values
- Any IV can be reused at any time
- Allows replay attacks: one can collect lots of data encrypted with the IV of choice
- The RC4 keystream for a given IV can be recovered without knowledge of the key (e.g. from a known plaintext) and then used to decrypt every frame carrying the same IV
- Packets with the same ICV can be found

WPA: TKIP encryption scheme

WPA Personal
- Pre-shared key with improvements
- TKIP: keeps RC4, with a longer (48-bit) IV/sequence counter that can't be reused under the same key and with per-packet key mixing. The new MIC (Message Integrity Check) is more cryptographically robust than the CRC-32 ICV
- WPA2 -> AES & cipher suite (CCMP)
- Session keys PTK & GTK are exchanged during authentication. PTKs are pairwise, i.e. peer to peer between station and AP (WPA and WPA2)
- Even if you know the pre-shared key, you can't directly decode everybody else's traffic: you would also need to capture their 4-way handshake, from which the PTK can be derived (see the note on PFS below)
- PTKs & GTKs are periodically re-generated

Key hierarchy

WPA Enterprise
- An authentication server (802.1X) comes into play
- Personal accounts are now possible. There is no MASTER PMK shared by everybody: each station obtains its own PMK from its own authentication.

802.1X Authentication steps

Step 1: pre-auth

Step 2: Authentication

WPA-Personal
- Step 2 is not present in WPA1/2-Personal
- There is no master key from an EAP exchange: the PMK (256 bit) is obtained directly from the passphrase according to a fixed algorithm:

PBKDF2(P, S, c, dkLen) = PMK (see RFC 2898)

where PBKDF2 is HMAC-SHA1 iterated c times over P and S; P = passphrase, S = SSID, c = 4096 (!); output: PMK (dkLen = 256 bit long)

Possibility of a rainbow table attack over common SSIDs: since the SSID is the salt, a table of PMKs precomputed for one popular SSID works against every network that uses that SSID.
- Rainbow tables: http://www.renderlab.net/projects/WPA-tables/
- Most common SSIDs: http://www.wigle.net/gps/gps//Stat

Common SSIDs should be avoided, as well as common passwords, but that is another story.

Step 3: WPA Authorization process

PTK PRF-X: RfC 4346

Other things to know
- WPA-Personal does not ensure PFS (Perfect Forward Secrecy): whoever knows the PSK and records the 4-way handshake can derive the PTK and decrypt that session, even afterwards
- De-authentication DoS
- Rogue APs
- Localization?
- WPA2-Enterprise can sometimes be worse than WPA2-Personal (e.g. when clients do not validate the authentication server's certificate)
- WPS: quick association, but known to be WEAK
- Why is ARP spoofing still possible? (WPA protects the frames between station and AP, not the ARP mappings the stations trust)

Summary: Wired & Wireless
MITM attacks:
- MAC spoofing, port stealing (wired, and sometimes wireless open+WEP)
- ARP / IP spoofing (all)
- DHCP spoofing (all)
- Broadcast attacks (all)

Wireless
- Open WLANs, WEP WLANs: virtually an Ethernet domain with a hub
- WPA & WPA2 WLANs: private unicast, possibility of user isolation
