IP security

Ge Zhang ge.zhang@kau.se

Karlstad University

Packet-switched network is not Secure!

The protocols were designed in the late 70s to early 80s
Very small network (closed environment)
All hosts are assumed to be trusted So are the users Therefore, security was not an issue

Karlstad University

Message transfer over the Internet

d e t s u r t n U
Alice Bob

Karlstad University

OSI security architecture

Security attacks: any action that compromises the security of information. Security mechanism: A method that is designed to detect, prevent or recover from a security attack Security service: A service that enhances the security of a system

Karlstad University

Scenario

Alice

Attacker

Bob

Karlstad University

Passive attacks
Read contents of message from Alice to Bob Attacker

Alice

Bob

Attacker

Observe who communicated whom

Alice

Bob

Karlstad University

Active attacks
Attacker disrupts service provided by server Attacker

Message from attacker that appears to be from Alice Attacker

Alice

Alice

Bob

Capture message from Bob to Alice; later replay message to Alice Attacker

Attacker modifies message from Attacker Alice to Bob

Alice

Bob

Alice

Bob

Karlstad University

Security services
Data origin authentication Data confidentiality Anonymity Data integrity Non-repudiation

Karlstad University

Security mechanism
Encipher Digital signature Trusted functionality Detection and prevention

Karlstad University

Layered TCP/IP model

IPSec is working in IP layer Protect IP packets

Karlstad University

Goals of IPSec
to verify sources of IP packets
Data source authentication

to prevent replaying of old packets to protect integrity and/or confidentiality of packets

Data Integrity/Data Encryption

Karlstad University

IPSec subprotocols

ESP Encapsulating Security Payload

AH

Authentication Header
IPSec Security Policy

IKE The Internet Key Exchange

Karlstad University

IPSecIP Security
Provide encryption and integrity protection to IP packets (and authentication of two peers).
AH (Authentication Header)
An additional header, provides integrity protection

ESP (Encapsulating Security Payload)

Also an addition header, provides encryption and integrity protection

IKE (Internet Key Exchange)

Establishing session keys (used for AH & ESP) as well as authentication.

Karlstad University

IPSec related RFCs

A collection of protocols (RFC 2401)
Authentication Header (AH)
RFC 2402

Encapsulating Security Payload (ESP)

RFC 2406

Internet Key Exchange (IKE)

RFC 2409

IP Payload Compression (IPcomp)

RFC 3137

Karlstad University

Transport mode and tunnel mode

A->B Payload

Transport mode

R1 A

R2

Tunnel mode
R1->R2 A->B Payload A->B Payload

A->B

Payload

Karlstad University

Authentication Header (AH)

Provides source authentication
Protects against source spoofing

Provides data integrity Protects against replay attacks

Use monotonically increasing sequence numbers

NO support for confidentiality!

Karlstad University

AH Details
Use 32-bit increasing sequence number to avoid replay attacks Use cryptographically strong hash algorithms to protect data integrity (96-bit)
Use symmetric key cryptography HMAC-SHA-96, HMAC-MD5-96

Karlstad University

AH Protocol (transport & tunnel mode in IPv4)

Authenticated except for mutable fields IP header AH header data (e.g., TCP, UDP segment)

Authenticated except for mutable fields

New IP header AH header

IP header data (e.g., TCP, UDP segment)

Karlstad University

IPSec Authentication Header

Karlstad University

Encapsulating Security Payload (ESP)

Provides most that AH offers, and in addition provides data confidentiality
Uses symmetric key encryption

Karlstad University

ESP Details
Same as AH:
Use 32-bit sequence number to counter replaying attacks Use integrity check algorithms ( protect on different fields)

Only in ESP:
Data confidentiality:
Uses symmetric key encryption algorithms to encrypt packets

Karlstad University

ESP Protocol (transport & tunnel mode in IPv4)

authenticated encrypted
IP header ESP ESP ESP TCP, UDP segment header trailer authent. authenticated encrypted ESP New IP header header

ESP ESP TCP, UDP segment IP header trailer authent.

ESP in fact puts information both before and after the protected data. For encryption, DATA, padding, padding length and next header are encrypted. For authentication, all fields are included.
Karlstad University

IPSec ESP Format

Karlstad University

Anti-replay service
Sequence number (from 0 to 232-1) The sender increments the sequence number for each generated packet. How to detect replayed packet?
The receiver maintains an array with 232 units to mark which packets have been received. The receiver only accepts the packets with larger sequence number than the previous one. Both are not good methods, why?

Karlstad University

Slide window scheme

A windows of size W (default W = 64) N: highest sequence number of successfully received packets Three cases
Packets in the window Packets to the right of the window Packets to the left of the window

59 54 64

53 55 56 54 57 58 59 60 61 62 63 64 65 66

Karlstad University

Security Associations (SA)

A SA is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
Two ends (from one end the other end) A SA is identified by:
Security Parameters Index (SPI): a local identifier points to a SA IP destination address Security protocol identifier: AH? Or ESP?

SA parameters:
Sequence number counter Anti-replay window AH information (key, algorithms) ESP information (key, algorithms) IPSec protocol mode (Tunnel, transport)

Karlstad University

Internet Key Exchange Protocol

SA could be created manually, but Internet Key Exchange Protocol (IKE)
Exchange and negotiate security policies Establish security sessions
Identified as Security Associations (SA)

Key exchange Key management Can be used outside IPSec as well

Karlstad University

Virtual Private Networks (VPNs)

Virtual
It is not a physically distinct network

Private
Tunnels are encrypted to provide confidentiality

Using VPN while traveling

Tunnel

Intranet server

Mail server

Karlstad University

Discussion
IPSec is not the only solution!
Security features can be added on top of IP!
e.g. Kerberos, SSL

Confused?
IP, IPSec protocols are very complex!
Two modes, three sub protocols

Complexity is the biggest enemy of security

Karlstad University

Discussion
Has it been used?
Yesprimarily used by some VPN vendors
But not all routers support it

Noit is not really an end-to-end solution

Authentication is too coarse (host based) Default encryption algorithm too weak (DES) Too complex for applications to use

Karlstad University

Key points
Security attack, mechanism and service Classical attacks in the internet IPSec encompasses : authentication, confidentiality and key management AH and ESP Transport mode and tunnel mode Slide window to defend against replay attack VPN

Karlstad University