SSHIPSECExpress WhitePaperversion2 · Fax: +358-9-43543206 (Finland), +1-650-404-0161(USA) c 1999...

SSH IPSEC ExpressWhite Paper version 2.1

August1999

2

c�

1996-1999SSHCommunicationsSecurityLtd, Espoo,Finland.

No part of this publicationmay be reproduced,published,storedin aelectronicdatabase,or transmitted,in any form or by any means,elec-tronic,mechanical,recording,or otherwise,for any purpose,without theprior writtenpermissionof SSHCommunicationsSecurityLtd.

SSHandIPSECExpressaretrademarksor registeredtrademarksof SSHCommunicationsSecurityLtd.

USandotherpatentspending.

This productincludessoftwaredevelopedby the Universityof Califor-nia,Berkeley andits contributors.

All brandandproductnamesthataretrademarksor registeredtrademarksarethepropertyof theirowners.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCU-RACY OR USEFULNESSOF THIS INFORMATION EXCEPT ASREQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREEDINWRITING.

SSHCommunicationsSecurity LtdTekniikantie12FIN-02150ESPOOFINLAND

SSHCommunicationsSecurity, Inc.650CastroStreet,Suite220MountainView, CA 94041USA

http://www.ipsec.com/e-mail: [email protected](sales),[email protected](technicalsupport)Tel: +358-9-43543208(Finland),+1-650-404-0160(USA)Fax: +358-9-43543206(Finland),+1-650-404-0161(USA)

c�

1999SSHCommunicationsSecurityLtd SSHIPSEC ExpressWhite Paper

CONTENTS 3

Contents

1 Summary 5

2 IPSEC Protocol 7

3 AH Transformations 9

4 ESPTransformations 11

5 Security Associations,SAs 13

6 ISAKMP/Oakley (IKE) 15

6.1 IKE Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

6.1.1 Main Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

6.1.2 AggressiveMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6.1.3 QuickMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6.1.4 New GroupMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

7 What is SSHIPSEC Express? 19

7.1 SSHIPSECExpressandISAKMP/Oakley FunctionalOverview . . . . . . . . . . . . . . . 19

7.1.1 SSHIPSECPacket Interceptor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

7.1.2 SSHIPSECEngine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

7.1.3 SSHIPSECPolicy Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

7.1.4 SSHISAKMP/Oakley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

SSHIPSEC ExpressWhite Paper c�

1999SSHCommunicationsSecurityLtd

4 CONTENTS

7.1.5 ManualKeying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

7.1.6 CertificateProcessingTools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

7.2 PreventingDenialof ServiceAttacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

8 Conclusions 25

9 RelatedPublications 27

10 Termsand Abbreviations 29

c�


5

Chapter 1

Summary

The openarchitectureof the InternetProtocol(IP) makes it a highly efficient, costeffective, andflexiblecommunicationprotocolfor local andglobal communications.It hasbeenwidely adoptednot only in theglobalInternet,but alsoin theinternalnetworksof largecorporations.However, IP is vulnerableto securityrisksthatarecomplicatingits full usefor businessandotherpurposesinvolving confidentialdata.

To enablenew typesof businessopportunitieswith IP, a numberof securitysolutionshave beendeveloped.Sofar, thesesolutionshave lackedstandardsthatmake it possibleto manufactureproductsthat interoperate- a featurethatis crucialfor globalcommunications.

IPSECis anInternetEngineeringTaskForce(IETF) standardfor protectingIP traffic on packet level. It canprotectany IP-basedserviceor application.IPSEChasbeenadoptedby dozensof vendors,andwill be thefuturestandardfor securecommunicationson theInternet.

TheSSHIPSECExpresstoolkit is a full, portableimplementationof theIPSECprotocolintendedfor OEMsandsystemintegratorswhowantto includeIPSECfunctionalityin theirown TCP/IPproducts.

TheSSHIPSECExpresstoolkit is highly efficient andprovidesunrestricted,strongcryptographicsecurity.Itsmodularstructureenablesthevendorstoflexibly choosetheneededcomponentsfor aspecificimplementa-tion. SSHCommunicationsSecurity’scommitmentto customersupport,productquality, andnew innovationensurethattheSSHpartnerscansuccessfullyoffer leadingIPSECproductsto theircustomersnow andin thefuture.

TheSSHIPSECExpresstoolkit makesit easyto integrateIPSECinto theexisting TCP/IPstackof a ven-dor’s product. It is designedto beeasilyportableandto have cleaninterfacesto thesurroundingoperatingenvironmentto facilitateeasyintegration into OEM products. The SSHIPSECExpresstoolkit is highlyinteroperable.It hasbeenthoroughlytestedagainstall majorIPSECimplementationsin themarket.



6 Chapter 1. Summary

c�


7

Chapter 2

IPSEC Protocol

With the help of cryptography, TCP/IPcommunicationcanbe madesecurewithout limiting its flexibility .Cryptographicmethodsandprotocolshave beendesignedfor differentpurposesin securingcommunicationon the Internet. Theseinclude,for example,theSSL for HTTP traffic, theSSHfor securelogin, S/MIMEandPGPfor e-mail,andtheIPSECfor packet level security.

Thepurposeof the IPSECprotocolsuiteis to provide a standard,secureway for communicatingby usingthe TCP/IP protocol. The IPSECprotocol is a set of securityextensionsdevelopedby the IETF and itprovidesprivacy andauthenticationservicesby usingmoderncryptographicmethods.SSHCommunicationsSecurityis notonly following standards,but hasbeenactively involvedin theIETF IPseceffort andhasbeendevelopingthosestandards.

To protectthecontentsof an IP datagram,thedatais transformedusingcryptography. Therearetwo maintransformationtypesthatform thebuilding blocksof IPsec,theAuthenticationHeader(AH) transformation,andtheEncapsulatingSecurityPayload(ESP)transformation.Theseareconfiguredin a datastructurethatis calleda SecurityAssociation(SA).



8 Chapter 2. IPSEC Protocol

c�


9

Chapter 3

AH Transformations

TheAuthenticationHeader(AH) providesauthentication(dataoriginauthentication,connectionlessintegrity,andanti-replayprotectionservices)to a datagram.It protectsall thedatain thedatagramfrom tamperingasspecifiedin theSecurityAssociation,includingthefieldsin theheaderthatdonotchangein transit.However,it doesnotprovideconfidentiality.

An IPsecAH transformationcalculatesor verifiesa MessageAuthenticationCode(MAC) for thedatagrambeinghandled.More specifically, in the caseof an outgoingdatagram,an AH transformationcalculatesaMAC valueasspecifiedin therelevantIPsecstandard.TheMAC is calculatedusingtheappropriatesecurityassociationasspecifiedby thetransformationsequencethat is applied.TheresultingMAC codeis attachedto thedatagram.

AH transformscanbe madein either transportor tunnelmode. Transformationin transportmodemeansthat theoriginal packet’s IP headerwill betheIP headerfor thetransformedpacket andtunnelmodetrans-formationmeansthe thatpacket is appendedaftera new IP headerasshown below in Figure3.1 (TheAHtransformations).Transformationin tunnelmodeis typically usedin a securitygateway or a VPN devicewhile thetransportmodetransformationis usedin host-to-hostcommunications.



10 Chapter 3. AH Transformations

� �� "!�#�$�%�& ')(�*�+�,�-/.�0 132�4

5 6�7�8�9:�;�< =?>�@�A/B�C�D�E�F�G�H�I�J KML�N�O�PRQ S)T�U�V�W�X)Y�Z [3\�]^�_a`�b�c�d�e�f

g"h�i/j�k�l�m/n o�p)q r�s

t u�v�w�x�y�z�{ |?}�~��/�� M�� )��R��)�� 3��

� �� ¡ ¢?£�¤�¥/¦�§�¨�©�ª�«�¬��® ¯M°�±�²�³�´ µ)¶�·�¸R¹�º)»�¼ ½3¾�¿À�ÁaÂ�Ã�Ä�Å�Æ�Ç

ÈMÉ�Ê/Ë�Ì�Í�Î/Ï Ð�Ñ)Ò Ó�Ô

Õ Ö�×�Ø�Ù�Ú�Û�Ü

ÝßÞáà�âãåäçæéèëêíìëîðïòñóõô÷öùø

úßûáü�ýÿþ��

Figure3.1: TheAH transformations.

c�


11

Chapter 4

ESPTransformations

TheESPheaderprovidesconfidentiality, dataorigin authentication,connectionlessintegrity, anti-replaypro-tection,andlimited traffic flow confidentiality. It doesthis by encryptingthe contentsof the datagramasspecifiedby theSecurityAssociation.TheESPtransformationsencryptanddecryptportionsof datagrams,optionallywrappingor unwrappingthedatagramwithin anotherIP datagram.OptionallyESPtransforma-tions may performdataintegrity validationandcomputean Integrity CheckValue(ICV) for the datagrambeingsent.Like AH, ESPcanwork in bothtunnelandtransportmode(seeFigure4.1 (EncapsulatedSecu-rity Payload)below). In the caseof a transportmodeassociation,the upperlayer payloadalongwith anyheadersfollowing theIP headerareencryptedandenclosedwithin anESPpayload.If thetransformationisa tunnelingtransformation,thecompleteIP datagramis enclosedwithin theESPpayload.A new IP headeris generatedandattachedto the ESPpayload. The new headerwill containno IP options,independentofwhethertheoriginal IP datagramhadany IP optionsor not.



12 Chapter 4. ESPTransformations

� �� "! # $ %�&�')("*�+�, -/.�0)1�243 576)8�94:�;7<�= >@?"A

B C�D�E�F�G�H�I JLK/M"N O P Q�R�S)T"U�V�W X/Y�Z�[�\4] ^7_)`�a4b�c7d�e f@g"hi�j)k�l�m)n"o�p�q

rts"u v�w�x"y z {"|7} ~)�

��)�t� � �� )�"�� "�� 7�� ¡�¢ £)¤

¥ ¦�§7¨�©�ª�«�¬ �® ¯"° ± ² ³�´�µ)¶"·�¸�¹ º/»�¼)½�¾4¿ À7Á�Â�Ã�Ä�Å7Æ�Ç È@É"Ê

Ë Ì�Í�Î)Ï"Ð�Ñ�Ò Ó�Ô Õ"Ö × Ø Ù�Ú�Û)Ü"Ý�Þ�ß à/á�â)ã�ä4å æ7ç�è�é�ê�ë7ì�í î@ï"ðñ�ò�ó�ô�õ)ö"÷�ø�ù

útû�ü7ý�þ�ÿ��

�� "! #�$%'&�(�) *+�,�-�. /�0"1 23

4 576�89�:�;�<

=?>A@CB�DEGF7H?IKJMLKNPO'QRTSVUXW

Y?ZA[C\�]_^M`XaVbdc?efTgVhXi

Figure4.1: EncapsulatedSecurityPayload.

c�


13

Chapter 5

Security Associations,SAs

FromtheIPsecpoint of view, a SecurityAssociationis a datastructurethatdescribeswhich transformationis to beappliedto a datagram,andhow. TheSA specifiesthefollowing parameters:

j Theauthenticationalgorithmfor AH andESP.

j Theencryptionalgorithmfor ESP.

j Theencryptionandauthenticationkeys.

j Lifetime of encryptionkeys.

j Thelifetime of theSA.

j Replaypreventionsequencenumberandthereplaybit table.

Thesizeandcontentsof a SecurityAssociationarespecifiedby thetransformation.An associationmaybestatic,containingonly datathat is never changedby the transformation.Alternatively, it canbe dynamic,containingdatathatis maintainedby thetransformationandchangedwheneveradatagramis handled.Serialnumberbasedreplayprevention,compressionareexamplesof transformationsthatneeddynamicdata.

An arbitrary32-bitnumbercalledaSecurityParametersIndex (SPI),aswell asthedestinationhost’saddressandthe IPsecprotocolidentifier, identify eachSA. An SPI is assignedto a SA whentheSA is negotiated.TheSA canbereferredto by usinga SPIin AH andESPtransformations.

SA is unidirectional. They are commonlysetupas bundles,becausetypically two SA’s are requiredforcommunications.SA managementis alwaysdoneonbundles(setup,delete,rekey).



14 Chapter 5. Security Associations,SAs

c�


15

Chapter 6

ISAKMP/Oakley (IKE)

Beforea securesessioncanbegin, the communicatingpartiesneedto negotiatethe termsfor the commu-nication. Thesetermsaretheonesthat aredefinedin theSecurityAssociation(SA). Thereneedsto be anautomatedprotocolto establishtheSAs to make the processfeasiblein a global network like the Internet.This automatedprotocolis the IKE. It is meantfor establishing,negotiating,modifying, anddeletingSAs.IKE combinestheInternetSecurityAssociationandKey ManagementProtocol(ISAKMP) with theOakleykey exchange. ISAKMP is a framework for creatingconnectionspecificparametersthat is not limited toIPsec,but currentlyIPsecis theonly domainof interpretationfor it. Oakley is theactualinstantiationof theISAKMP framework for IPseckey andSA generation.

6.1 IKE Modes

IKE worksin two phases.Thepurposeof PhaseI is to establishasecurechannelfor furthernegotiationtrafficandauthenticatesthenegotiatingparties.It establishesa SA for theISAKMP itself. PhaseII negotiationisthenusedto establishtheSA for IPsec.Thoughthetwo phaseapproachis moretimeconsumingfor theinitialnegotiationthanjust onephasenegotiationwould be, thebenefitsaregainedasthemorefrequentPhaseIInegotiationscanbeperformedfasterafter thePhaseI negotiationhasbeenmade.Therearetwo modestoestablishthephaseoneSA: Main ModeandAggressiveMode.They bothaccomplishthesamething,namelytheSA.AggressiveModeis alittle faster, but it doesnotprovideidentityprotectionfor thenegotiatingnodes.QuickModeis usedfor establishingthePhaseII SA, andasthenameimplies,usingit is quickafterPhaseInegotiationhasbeenmade.

6.1.1 Main Mode

In theMain Mode,thenegotiatingpartiesusethefirst two messagesto negotiatethesecuritypolicy for theexchange.The next two messagesperforma Diffie-Hellmankey exchangeandpassnoncesto eachotherfor signingandproving their identities.Thelast two messagesareusedto authenticatethenegotiatorswithsignaturesor hashesandoptionalcertificates.



16 Chapter 6. ISAKMP/Oakley (IKE)

k lm no pq r s t u vw x yz {|

}'~��

��

�� ¡ ¢7£�¤ ¥ ¦§�¨ ©�ª « ¬' ®¯'°�±�²�³�´ µ ¶7·�¸ ¹ º »�¼ ½�¾¿ À�Á Â

Ã�Ä�Å�Æ�Ç�È É�Ê Ë�Ì�Í�Î�Ï�Ð

Ñ'Ò�Ó�Ô�Õ�Ö ×�Ø

Ù�ÚÛÜ�Ý�Þ�ß�à�á'â ã�ä�å�æ�çéè"êë�ìí�î�ïñð�ò ó ôõ�ö"÷�ø"ù�ú û�ü'ý þ ÿ �� !�" #�$�%'&)(�*+ , - .0/21�3�4�5�6 7�8 9 :�;<>='?)@ACB�D�E F)G�H�I)JLK�MNCO�P)Q)R�S)T�U�V W)X)YZ [)\�] ^�_`badc'e'fgCh�i�j�k�l�m�n�oCpq�r sut v�wyx>z { | } ~� �2�)� � �u�)�C��u��>� ��y�� )�� ¡¢�£ ¤¥�¦�§�¨�©�ªu« ¬�)®)¯�° ±�²)³�´ µ ¶�·�¸ ¹ º�»¼>½�¾ ¿yÀyÁCÂÄÃ�Å Æ Ç È É ÊÄË�Ì ÍÏÎ Ð)Ñ)Ò Ó�Ô�Õ�Ö�×Ø Ù ÚuÛ ÜÝÞ ßáà'â ã�ä�å�æ ç è éCê�ëì�í îï�ð�ñ ò ó�ô õuö ÷�ø ù ú ûü ý�þ�ÿ��

� "!�#�$�%�& '�(*)�+*,�-�. / 0�1�2�3�4�5�6�7 8�9�:;"<�= >@? A B�C�D E�F GIH�J�K�L�M�NPOIQ�R�S T�U�V�W X Y[Z�\ ] ^�_a`�b�c�d�e f�gah�i j�k�l�m n�o p�q�rs"t�u�v�w�x�y z�{�|�}�~�� a�� P�� *�� P� ��*��P�I�� P�P�� ¡�¢ £ ¤¦¥�§ ¨ ©Pª«*¬� ®�¯�°�±�²�³ ´�µ�¶�·�¸�¹�º¼»�½�¾*¿�À ÁIÂPÃ Ä Å Æ�Ç È�É�Ê[Ë�Ì Í*Î Ï�Ð�Ñ�Ò Ó�Ô�Õ�Ö ×�Ø�Ù�Ú Û�Ü ÝÞ ßaà á�â�ã äPå[æ�ç�è�é*ê�ë�ì�í�îPï

Figure6.1: IKE Main Mode.

6.1.2 AggressiveMode

TheAggressiveModeresemblestheMain Mode,but therearefewerexchanges.Thefirst messageproposesthe policy, and passesdatafor key-exchangeand the noncefor identification. The secondmessageis aresponsethatauthenticatesthe responderandconcludesthepolicy negotiationandkey-exchange.The lastmessageis usedto authenticatetheinitiator.

6.1.3 Quick Mode

Quick modeis usedto negotiatethe IPsecsecurityservicesand to generatenew keying material. A fullDiffie-Hellmankey exchangemaybedoneto provideperfectforwardsecrecy, thoughit is notmandatory. Ifno PFSis required,thepartiesjust generatenew key usinghashes,andidentify themselvesby usingnonces.Otherwise,thenew keying materialis includedin theexchange.

6.1.4 NewGroup Mode

The purposeof the New GroupMode is to negotiatea new group(MODP or elliptic curve) whereto doDiffie-Hellmanexchange.

c�


6.1. IKE Modes 17

Figure6.2: IKE AggressiveMode.

ð ñò óò ôóõö

÷ øùúû üý øþ

ÿ � � � � ��

� � � �� ! " # $ % & ' ( ) *

+ , - . , / 0 1 2 3 4 56 7 8 9 : ; < = > ? @ AB C D E F GH I J K L

M N O P N QR S T U V W X W Y Z U [ \ U W ] ^ W _ ` a [ U b c d d Z _ [ \ U [ Z X

e f g h i j k l k m n o p m q p r s l t s m u v o l k q u w s m u x y k u x o mz { | } ~ � � � � � � � � ~ � � � � � � �� ¡ ¢ £ ¤ ¥ ¦ § ¨ © ¥ ª © ¥ ¨ « ¬ ¦ ¬ ¦ « © ® ¯ ¥ ° ¨ ® ¨ ± § ² ª § ¯ ° « ° § ³ ª ¬ ´ µ ¨ ¬ ³ ³ ¬ ¥ ¬¶ · ¸ ¹ º » ¼ ½ ¹ ½ ¾ ¿ À ¾ Á Â À º ÃÄ Å Æ Ç Æ È Æ É Æ Ê É Ë Ì Ê È Í Î Ï Ð Ñ Ò Ó Ô Õ Ö Ñ Ð × Õ Ó Ø Ù Ò Ñ Ú Ú Û

Ü ÝÞ ß à á â ã ä å æ ç è ß é è ê ë ì ê ê è í î ì à é ï à ð ñ ì ñ ç è ò í è é ó ì é è ô õ ö ÷ ø õ ù ú ö ÷ û ø ü ÷ ö ú ý û ú þ ý ÷ ú ô

Figure6.3: IKE QuickMode.



18 Chapter 6. ISAKMP/Oakley (IKE)

ÿ ��

� ��

� �

� � � � � ��

� � � � � � � ! " # $ %

& ' ( ) ' *+ , - . / 0 1 0 2 3 . 4 5 . 0 6 7 0 8 9 : 4 . ; < = = 3 8 4 5 . 4 3 1

> ? @ A B C D E F G C H G C F I J D J K D I G L M C N F L F O E P K H E M N I N E Q H J R S F J Q Q J C J

T U V W X Y Z W [ \ X Y ] Z ^ Y X \ _ ] \ ` _ Y \ Va b c d e f g h i j k b l k m n o m m k p q o c l r c s t o t j k u p k l v o l k

Figure6.4: IKE New GroupMode.

c�


19

Chapter 7

What is SSHIPSEC Express?

SSHIPSECExpressis a setof protocolimplementationsdevelopedby SSHCommunicationsSecurityLtd.(SSH)accordingto thespecificationssetoutby theInternetEngineeringTaskForce(IETF).

The implementedprotocolsincludethe IPsecAuthenticationHeader(AH) andEncapsulatedSecurityPay-load (ESP)alongwith the standardtransformationsasspecifiedby IETF. Both RFC definedold ESPandAH andnew internet-draftversionsof theprotocolsareimplemented.TheSSHIPSECExpressusesstrong,unrestrictedcryptographyto providemaximumprotectionto confidentialinformation.

TheSSHISAKMP/Oakley is a full implementationof theISAKMP/Oakley protocol.It is aseparatemodulefrom the SSH IPSECExpressand can be usedtogetherwith SSH IPSECExpress,or as a separatekeymanagementproduct. It is alsopossibleto usemanualkeying with the SSHIPSECExpressandaddingsupportfor morekey managementprotocolsis easy.

7.1 SSHIPSEC Expressand ISAKMP/Oakley Functional Overview

Thetwo majorgoalsin theSSHIPSECExpressspecificationprocessareportabilityandarchitecturalperfor-mance.Thedesignreflectsthesecontradictorygoals.

The focuson portability hasled to a designwith a numberof platform independentmodulesalongwitha numberof well definedinterfaceswith platform specificmodulesandservices. In order to easesourcecodeanalysisbasedsecurityassurance,all securityrelevantfunctionalityhasbeenencapsulatedin platformindependentmodules. The useris able to assurethe securityof the productby inspectingjust onesetofsourcecode.

SSHIPSECExpresscontainsfivebasicparts,whichare:

j SSHIPSECInterceptorModule

j SSHIPSECPacketProcessingEngine



20 Chapter 7. What is SSHIPSEC Express?

Network adapter

TCP UDP

IP

Applications

SSH IPSEC Policy Manager

SSH IPSEC Engine

SSH IPSEC ISAKMP/Oakley

Key Manager

SSH CryptographicL ibrary

SSH Utility L ibrary

SSH Cer tificate Processing Tools

Figure7.1: Theintegrationof SSHIPSECExpressto theexistingTCP/IPstack.

j SSHIPSECPolicy Manager

j SSHIPSECISAKMP/Oakley

j SSHIPSECCertificateProcessingTools

Figure7.1 (SSHIPSECExpressandthe TCP/IPstack)shows oneexampleon how SSHIPSECExpressinterfaceswith theunderlyingoperatingsystem.TheSSHIPSECExpresscanbe thoughtasan additionalprotocollayer insertedbetweena TCP/IPimplementation’s IP layerandany numberof network interfaces.SSHIPSECInterceptormodulerepresentsthisprotocollayer. It is anoperatingsystemdependentportionofSSHIPSECExpressthatpassespacketsfrom thenetwork interfacesandtheIP protocolstackto SSHIPSECExpressandback. It hidesall operatingsystemdependencies,so that theothermodulescanbeadaptedtonew environmentswithoutmajormodifications.

The SSHIPSECInterceptormodulelooks like a protocolwhenviewed from network adapterand like anetwork adapterwhenviewedfrom theupperprotocol. The InterceptormodulepassesIP packetsbetweenoperatingsystemandtheSSHIPSECEngine.

Thesecuritytransformationfunctionalitymeansthatsecuritypayloadsareadded,verifiedand/orremoved.Thepayloadshandledbelongto the IP datagramsflowing from IP to thenetwork interfaceandvice versa.Theapplicationandorderof thesetransformationsis directedby compiledinterpretedbyte-code,latercalledasfilter-code. Using compiledfilter codeto directhow the transformationsareappliedis oneof the novelideasin SSHIPSECExpress,not foundin othercurrentIPsecimplementations.

c�


7.1. SSHIPSEC Expressand ISAKMP/Oakley Functional Overview 21

At a superficiallevel, the filter coderesemblesthe packet filtering capabilitiesavailable in most modernTCP/IProuters.However, whencombinedwith securitytransformationfunctionality, theexpressive powergreatlyexceedscurrentrouterbasedfiltering capabilities.

AbovetheSSHIPSECengineis theSSHIPSECPolicy Manager, alevel for policy-management.It is respon-siblefor decidingwhetheror not certainconnectionscanbeestablished,how thecorrespondingparametersaresetup,whichcertificatescanbeusedfor authentication,andwhatkind of limitationstheparametershave.A limitation canbefor examplethemaximumlifetime of aconnectionwithoutre-keying or somealgorithmsthatarenotpreferred.

Theapplicationlevel processesthathandlekey andsecurityassociationnegotiationform thetopmostlayer.Thesearecalledwith themutualname‘K ey Managers’.Their taskis to find appropriatekey materialandsecurityassociationparametersbasedon which partiesareconnectingandthesecuritypolicy givenby thepolicy managementandthusby thesecurityadministrator.

Key materialcanbepre-sharedor generatedondemandusingtheISAKMP/Oakley protocol.

7.1.1 SSHIPSEC Packet Interceptor

The packet interceptoris an operatingsystemdependentmodule. The moduleis injectedbetweenthe IPprotocollayerandany protectednetwork interfacesatsystemstart-uptime.

Thepacket interceptorreceivescompleteIP datagrams,or possiblyfragmentedIP packets,bothfrom theIPprotocolandnetwork interfaces.As thepacket interceptoris platformdependent,it hasbeendesignedto beassimpleaspossibleto makeportingto differentplatformsaseasyaspossible.

7.1.2 SSHIPSEC Engine

Theprimarypurposeof theSSHIPSECExpressis to authenticateandsecurecommunications.In practicethis meansperformingsecuritytransformationsto incomingandoutgoingIP datagrams.Theorderandtypeof transformationsis determinedby filtering in theform of transformationsequences.

SSHIPSECEngineperformsthreetypesof operations:

j IP packetfiltering

j Securitytransformations

j Othertransformations

In the SSH IPSECExpressframework, a securitytransformationmay be an AH transformation,an ESPtransformation,a compressiontransformation,or a specialtransformation.Theseareall discussedin detailbelow. A ”specialtransformation”is a term introducedfor SSHIPSECExpress,it is not part of the IPsecstandardstrack. Most specialtransformationshandleIP options,filter packetsbasedon their contents,orperforma network addresstranslation(NAT).




If thesizeof a datagramexceedstheMaximumTransferUnit (MTU) of theunderlyingnetwork, theIPSECEnginetakescarethatall necessaryfragmentationwill beperformed.

IPSECEngineis implementedin theoperatingsystemkernel.

Security Transformations

SecuritytransformationsarealgorithmicmodulesthatperformtheESPandAH transformationsasspecifiedin thestandards.Thetransformationalgorithmsarefully re-entrant,makinga latertransitionto parallelizedarchitectureeasier.

SpecialTransformations

Specialtransformationsmaybeusedto modify theIP headeror theTCP/UDPheader. They havenothingtodo with AH andESPtransformations,which addor deleteAH headersandESPpayloads,respectively. Forexample,a specialtransformationmay be usedfor Network AddressTranslation,to redirecta certainportfor all hostswithin a network to a singlehost,e.g.,a hostperforminga proxykey managementserver for allhostswithin thenetwork. As anotherexample,a specialtransformationmaybeusedto detectany IP routingoptionsanddropany datagramscontainingthem.

7.1.3 SSHIPSEC Policy Manager

Thepurposeof thePolicy Manageris to:

j Maintainthecompiledfilter languageon behalfof theIPSECEngine,thuskeepingtheactualIPSECEnginesmallandfast.

j Createthefilter codeexecutedby theenginebasedon theSPDandSAIS.

j Communicatesecurityassociationmaintenanceinformationto theIPSECEngine(add,delete).

j Makepolicy decisionsaboutacceptabilityof new connectionsbasedon local andremoteidentities.

Policy managementgetsrequestsfrom the IPSECEngineandthekey managers.Theremayalsobea userinterfacethatcommunicateswith policy manager.

7.1.4 SSHISAKMP/Oakley

TheSSHISAKMP/Oakley is a separatelibrary from SSHIPSECExpress.It canbeusedasa partof SSHIPSECExpressor asa completelyseparatekey managementsolutionin conjunctionwith a third partyIPsecEngine. The designgoal hasbeento createan opensolutionthat canbe usedwith any IPsecEngineand

c�


7.1. SSHIPSEC Expressand ISAKMP/Oakley Functional Overview 23

any CA. Thestructureenableseasyintegrationto differentPublicKey Infrastructures(PKIs)with thehelpofcertificateprocessingtools.Currently, thecertificatetoolssupportX.509v3certificates.

The SSH ISAKMP/Oakley is a full ISAKMP/Oakley implementationthat implementsall the necessaryphasesandmodesaccordingto the latestdraftsavailable,including supportfor the New GroupMode notfoundin many implementations.Compatibilityoptionsfor oldersystemshave alsobeenimplemented.Au-thenticationcanbedoneusingseveralmethods,includingpre-sharedkeys,DSSsignatures,RSA signatures,or RSAencryption.

To provide perfectforwardsecrecy, theSSHISAKMP/Oakley supportsDiffie-Hellmankey exchangeusingthedefault768-bitMODPor 1356-bitMODPgroups.MoregroupsoverMODPcanbefreelynegotiated.

Efficiency hasbeenincreasedby, for example,supportingmultiple Quick Mode SAs in oneQuick Modeexchangeandby supportingautomaticrandomizergeneratorduringidle time to make Diffie-Hellmanexpo-nentiationsfaster.

7.1.5 Manual Keying

Manualkeys arestaticcryptographickeys thathave beenpre-sharedby securityadministrators.Statickeysmustbekeptsecret,asthey areusedfor encryptionanddecryptionasis.

In SSHIPSECExpress,manualkeying is not intendedfor normal,every dayusebut mainly for testingandevaluationpurposes.UsingstatickeysmakesreplaypreventionimpossibleandthereforeSSHIPSECExpresswill notcheckfor replaypreventionif thesecurityassociationis markedasstaticallykeyedby akey manager.

ThePolicy Managerimplementsmanualkeying.

7.1.6 Certificate ProcessingTools

TheSSHIPSECCertificateProcessingToolsenabletheSSHISAKMP/Oakley to useX.509v3certificates.Thesetoolsmake it possibleto:

j Verify theX.509v3certificatesandaddpublickeys to thepublickey database.

j GenerateX.509v3certificates,CRLsandARLs.

j GeneratePKCS#10certificaterequests.

j Traversecertificatechainsup to a givenCertificateAuthority (CA).

j CheckX.509CLRs.

j AccessLDAP directoriesfor certificatesandCRLs.




7.2 Preventing Denial of ServiceAttacks

Any hostinterfacingto theInternet,or any otherinsecurenetwork, maybecomesubjectto Denialof Service(DoS)attacks.

The first preventionagainstresourceexhaustingDoS attacksis built into the IPsecprotocolspecifications.Within anincomingpacket, theSPIvaluealongwith thedestinationaddressselectsthesecurityassociationusedto decryptor checkthe incomingdatagram.If an adversarydoesnot know any valid (protocol,SPI,destinationaddress)triples,its probabilityto guessoneis small.However, any partyhaving avalid (protocol,SPI,destinationaddress)triple canconsumeresourcesby sendingencryptedor integrity protectedpacketsthatdon’t decryptor appearto bevalid.

In the SSHIPSECExpress,the input packet handlinghasbeendesignedandimplementedin sucha waythata baddatagramis droppedasearlyaspossible.No moreresourcesthanis necessaryto determinethedatagram’svalidity areconsumed.If thedatagramhasabaddestinationaddressor abadsourceaddress,it isdropped.If the(protocol,SPI,destinationaddress)triple is not foundandsecuritytransformationis required,thedatagramis dropped,andsoforth.

Therearealsoconfigurablelimits on resourceconsumptionsuchasthenumberof SAsandthe numberofSAsperhost.

c�


25

Chapter 8

Conclusions

IPsecis a technologythat will solve many of the securityproblemsof the currentInternet. It hasa widesupportfrom all the major playersin the industry. As the Internetgrows, the market mandatedby dif-ferent organizationswill demandsecurity. The SSH IPSECExpressis a full IPsecimplementationwithISAKMP/Oakley thatbringsthebenefitsof secure,interoperablecommunicationsto networkingproducts.Itsupportsall the latestfeaturesandstandardsandoffersuniquearchitecturalsolutionsthat enableeasyandfastmigrationto asecureInternet.



26 Chapter 8. Conclusions

c�


27

Chapter 9

RelatedPublications

1. R. Atkinson,”The IP AuthenticationHeader”,RFC1826.August1995.

2. R. Atkinson,”IP EncapsulatingSecurityPayload(ESP)”,RFC1827Terminology

3. S.Kent,R. Atkinson,”SecurityArchitecturefor theInternetProtocol”,InternetDraft. 1997.

4. S.Kent,R. Atkinson,”IP AuthenticationHeader”,InternetDraft. 1997.

5. S.Kent,R. Atkinson,”IP EncapsulatingSecurityPayload(ESP)”,InternetDraft. 1997.

6. C. Madson,N. Doraswamy, ”The ESP DES-CBC Cipher Algorithm With Explicit IV”, InternetDraft.1997.

7. C. Madson,R. Glenn,”The Useof HMAC-MD5-96within ESPandAH”, InternetDraft. 1997.

8. C. Madson,R. Glenn,”The Useof HMAC-SHA-1-96within ESPandAH”, InternetDraft. 1997.

9. R. Rivest,”The MD5 MessageDigestAlgorithm”, RFC-1321.April 1992.

10. NIST, FIPSPUB 180-1:SecureHashStandard.April 1995.

11. Comer, DouglasE. ”Internetworkingwith TCP/IP”,Vol 1. 3rded.New Jersey, PrenticeHall. 1995.

12. Denning,DorothyE. R. ”CryptographyandDataSecurity”,AddisonWesley. 1983.

13. Halsall,Fred. ”Data Communications,ComputerNetworksandOpenSystems”,4th ed,Wokingham,Addison-Wesley. 1995.

14. Menezes,Alfred J.;vanOorschot,PaulC.; Vanstone,ScottA..” Handbookof AppliedCryptography”,New York, CRCPress.1997.

15. Schneier, Bruce.”Applied Cryptography- Protocols,AlgorithmsandSourceCodein C”, 2nded.NewYork, JohnWiley & Sons.1996

16. Stevens,RichardW. ”TCP/IP Illustrated”,volume1. Reading,Massachusetts.AddisonWesley. 1996



28 Chapter 9. RelatedPublications

c�


29

Chapter 10

Termsand Abbreviations

Thissectionprovidesdefinitionsfor severalkey termsthatareusedin this document.Otherdocumentspro-vide additionaldefinitionsandbackgroundinformationrelevantto this technology. Includedin thisglossaryaregenericsecurityserviceandsecuritymechanismterms,plussomeSSHIPSECExpress-specificterms.

Accesscontrol A securitymeasurethat preventsunauthorizeduseof resources.In the IPSECcontext,theresourcesto which accessis beingcontrolledareusuallythecomputingcyclesof a host,thedatastoredin it, thenetwork behinda securitygateway, or thebandwidthon thatnetwork.

Authentication Header(AH) An upperlevel headerlocatedbetweentheIP headerandapayloadwithinan IP packet. Typically, anAH includesan ICV of the transfer-independentcontentsof the IP packet. Theexactnatureof thechecksumdependson thetransformationused.An AH is usedto ensuretheintegrity ofthewhole IP packet, includingboth thepayloadandthe IP header. It doesnot provide dataconfidentiality.TheAH transformationis definedin RFC2402.

Authentication The verificationof the identity of a personor process. In a communicationssystem,authenticationverifiesthatmessagescomefrom their statedsource.In relationto SSHIPSECExpress,thistermis usedto refer to thecombinationof two nominallydistinctsecurityservices,dataauthenticationandconnectionlessintegrity.

Availability A securityservicethataddressesthe securityconcernsengenderedby attackson networksthatdeny or degradeservice.For example,in theIPseccontext, theuseof replaypreventionmechanismsinAH andESPsupportavailability.

BITS Bump-in-the-stack.Denotesthepossiblelocationof an IPsecimplementationcomparedwith thelocationof theTCP/IPstack.In a BITS implementation,IPsecis locatedunderneathanexisting implemen-tationof anIP stack,betweenthenativeIP andthelocalnetwork drivers.Sourcecodeaccessfor theIP stackis notrequiredin thiscontext, makingthis implementationapproachappropriatefor usewith legacy systems.Thisapproach,whenit is adopted,is usuallyemployedin hosts.

BITW Bump-in-the-wire.Denotesthepossiblelocationof anIPsecimplementationcomparedwith thelocationof theTCP/IPstack. In a BITW implementation,an outboardcryptoprocessoris used.Suchim-



30 Chapter 10. Termsand Abbreviations

plementationsmay be designedto serve eithera hostor a gateway (or both). Usually the BITW device isIP addressable.Whensupportinga singlehost,it maybequiteanalogousto a BITS implementation,but insupportinga routeror firewall, it mustoperatelikea securitygateway.

Certification Authority (CA) An entity thatatteststo theidentity of a personor anorganization.A CAcanbe an externalcompany that offers certificateservicesor it canbe an internalorganizationsuchasacorporateManagementInformationSystem(MIS) department.Thechief functionof theCA is to verify theidentityof entitiesandissuedigital certificatesattestingto thatidentity.

Certificate A digital documentwhichisusedfor verifyingtheidentityof theotherendof thetransmission.Any typeof addressincludingdomainnames,IP andemailaddressescanbeauthenticatedusingcertificates.CurrentSSHproductsuseX.509certificates.

Confidentiality A securityservicethatprotectsdatafrom unauthorizeddisclosure.Usually, unauthorizeddisclosureof applicationlevel datais theprimaryconcern,but thedisclosureof theexternalcharacteristicsof communicationcan also be a concernin somecircumstances.The traffic flow confidentialityserviceaddressesthis latterconcernby concealingsourceanddestinationaddresses,messagelength,or frequency ofcommunication.In theIPseccontext, usingESPin tunnelmode,especiallyatasecuritygateway, canprovidesomelevel of traffic flow confidentiality. Seealsotraffic analysis.

CompressionParameter Index (CPI) A field in the IPCOMPheaderthatdenotesthealgorithmto beusedonpayloadcompression.SeealsoSPI.

Denial of Service (DoS) Denotesattacksthat do not causea securityviolation per se, but harm theavailability of aservice.For example,if anattackersendslotsof forgedpacketsto anSSHIPSECVPN host,they maydegradetheperformanceof thehost. Oneof thedesigngoalsin theSSHIPSECarchitecturehasbeenminimizingtheconsequencesof Denialof Serviceattacks.

Encryption A securitymechanismusedfor thetransformationof datafrom anintelligible form(plaintext)into an unintelligible form (ciphertext), to provide confidentiality. The inversetransformationprocessisdesignateddecryption,but encryptionis oftenusedto genericallyreferto bothprocesses.

EncapsulatingSecurity Payload (ESP) An upperlevel IP headerthat denotesthat thecontentsof thepayloadareencryptedandpossiblyalsootherwiseprotected.An ESPmayappearafter theIP header, afteran ESPheaderor theoreticallyalsoelsewherewithin an IP packet. An ESPonly protectsthe contentsofthe payload,not any associatedheader. Therefore,it is possible,for example,to changeany field in theheaderof theIP packetcarryinganESPwithoutcausingasecurityviolation. Thecontentsof theESPheaderareunknown to anyonenot possessinginformationaboutthe transformationandSA neededto recover theprotecteddata.An ESPmayalsocontainintegrity protection.TheESPprotocolis definedin RFC2406.

HMA C HashMessageAuthenticationCode. A secretkey authenticationalgorithm. Dataintegrity anddataorigin authenticationasprovidedby HMAC dependon thescopeof thedistributionof thesecretkey. Ifonly thesourceanddestinationknow theHMAC key, this providesbothdataorigin authenticationanddataintegrity for packetssentbetweenthetwo parties.If theHMAC is correct,thisprovesthatit musthavebeenaddedby thesource.

Integrity Check Value (ICV) Usually, an HMAC algorithmusingeitherMessageDigest5 (MD5) orSHA-1hashfunctions,but possiblyalsoaDES-MAC or HMAC-RIPEMDalgorithm.Seealsointegrity.

c�


31

Inter net KeyExchangedaemon(IKEd) TheInternetKey Exchangedaemonis anarchitecturalcompo-nentof SSHIPSECExpressresponsiblefor negotiatingandsettingupSAs.TheSSHIPSECExpresspolicymanagementis alsocombinedIKEd, that makespolicy decisionsaccordingto the rulessetup by securityadministration.

Integrity A securityservicethatensuresthatdatamodificationsaredetectable.Integrity servicesneedtomatchapplicationrequirements.IPsecsupportstwo formsof integrity: connectionlessintegrity andreplayprevention. This is in contrastto connection-orientedintegrity, which imposesmorestringentsequencingrequirementsontraffic to beableto detectlostor re-orderedmessages,for example.Althoughauthenticationandintegrity servicesareoftencitedseparately, in practicethey areintimatelyconnectedandalmostalwaysofferedtogether.

MessageAuthentication Code(MAC) A mechanismthatprovidesmessageintegrity by usinga secretkey cryptographicfunction.

Packet filtering A methodfor determininghow passingIP packetsshouldbehandled.Packet filtering isappliedto all IP packetspassingtheIPSECEngine.Packetfiltering maymodify theIP packet,passit intact,or evendropit.

Security ParametersIndex (SPI) An arbitraryvalueusedin combinationwith adestinationaddressanda securityprotocolto uniquelyidentify an SA. The SPI is carriedin AH andESPprotocolsto enablethereceiving systemto selecttheSA underwhicha receivedIP packetwill beprocessed.An SPIhasonly localsignificanceasit is definedby thecreatorof theSA, which is usuallythereceiver of theIP packet carryingtheSPI.ThusanSPIis generallyviewedasanopaquebit string.However, thecreatorof anSA maychooseto interpretthebits in anSPIto facilitatelocalprocessing.This termis definedin RFC2401.

Traffic analysis Theanalysisof network traffic flow for thepurposeof deducinginformationthatis usefulto anadversary. For example,frequency of transmission,the identitiesof theconversingparties,sizesof IPpackets,andflow identifiers.

Transformation A particulartypeof changeappliedto anIP packet. For example,ESPencryption,AHintegrity service,and payloadcompressionare transformationtypes. An SA suppliesthe keys andotherassociation-specificdatato a transformation.The IPSECtransformationsaredefinedin RFC 2401,RFC2402,RFC2403,RFC2404,RFC2406,andRFC2405.

Transformation sequence A setof transformationsappliedtoanIPpacketoneafteranother. For exampleanoutgoingIP packetcanbeprotectedfirst with andESPto ensuredataconfidentialityandhigherlevel dataintegrity, andthenwith anAH to protecttheintegrity of theIP headercarryingtheIP packet. In thiscase,thetransformationsequenceconsistsof anESPtransformationfollowedby anAH transformation.SSHIPSECsupportsalsoother typesof transformations,andthereforetransformationsequencesmay occasionallyberatherlong, even5 or 6 steps.However, typically mosttransformationsequencesconsistof just oneor twosteps.This is discussedin RFC2401.

Trusted subnetwork A subnetwork of hostsandroutersthatcantrusteachothernot to engagein activeor passiveattacks.It is alsoassumedthattheunderlyingcommunicationschannelsuchasa LAN or CAN isnotbeingattackedby any othermeans.



SSHIPSECExpress WhitePaperversion2 · Fax: +358-9-43543206 (Finland), +1-650-404-0161(USA) c 1999...

Documents

Transcript of SSHIPSECExpress WhitePaperversion2 · Fax: +358-9-43543206 (Finland), +1-650-404-0161(USA) c 1999...