Network Security Essentials, Chapter 8, Fourth Edition, by William Stallings. Lecture slides by Lawrie Brown.


Page 1: Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials, Chapter 8
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown

Page 2: Chapter 8 – IP Security

If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.

— The Art of War, Sun Tzu

Page 3: IP Security

• have a range of application specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
• however there are security concerns that cut across protocol layers
• would like security implemented by the network for all applications

Page 4: IP Security

• general IP Security mechanisms
• provides
  • authentication
  • confidentiality
  • key management
• applicable to use over LANs, across public & private WANs, & for the Internet
• need identified in 1994 report
  • need authentication, encryption in IPv4 & IPv6

Page 5: IP Security Uses

Page 6: Benefits of IPSec

• in a firewall/router provides strong security to all traffic crossing the perimeter
• in a firewall/router is resistant to bypass
• is below transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users
• secures routing architecture

Page 7: IP Security Architecture

• specification is quite complex, with groups:
  • Architecture
    • RFC4301 Security Architecture for Internet Protocol
  • Authentication Header (AH)
    • RFC4302 IP Authentication Header
  • Encapsulating Security Payload (ESP)
    • RFC4303 IP Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
    • RFC4306 Internet Key Exchange (IKEv2) Protocol
  • Cryptographic algorithms
  • Other

Page 8: IPSec Services

• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
  • a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality

Page 9: Transport and Tunnel Modes

• Transport Mode
  • to encrypt & optionally authenticate IP data
  • an observer can still do traffic analysis (the IP header stays in the clear), but it is efficient
  • good for ESP host to host traffic
• Tunnel Mode
  • encrypts entire IP packet
  • add new header for next hop
  • no routers on way can examine inner IP header
  • good for VPNs, gateway to gateway security

Page 10: Transport and Tunnel Modes

Page 11: Transport and Tunnel Mode Protocols

Page 12: Security Associations

• a one-way relationship between sender & receiver that affords security for traffic flow
• defined by 3 parameters:
  • Security Parameters Index (SPI)
  • IP Destination Address
  • Security Protocol Identifier
• has a number of other parameters
  • seq no, AH & ESP info, lifetime etc
• have a database of Security Associations

Page 13: Security Policy Database

• relates IP traffic to specific SAs
  • match subset of IP traffic to relevant SA
  • use selectors to filter outgoing traffic to map
  • based on: local & remote IP addresses, next layer protocol, name, local & remote ports
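The SPD lookup on this slide and the SA identification on the previous one, as an added example in Python (it is not code from the textbook or the lecture slides): an ordered SPD whose selectors decide protect/bypass/discard for outgoing traffic, an SA database keyed by the (SPI, destination address, protocol) triple, and the inbound lookup a receiver performs from fields carried in the packet itself. The addresses, SPIs and the sample policy in `build_example` are constructed for the illustration, and the protocol numbers 50 (ESP) and 51 (AH) are the standard IANA assignments, which the slides do not state.

```python
"""Outbound SPD lookup and SA identification (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# IP protocol numbers of the two IPsec protocols (standard IANA values; assumed
# here, the slides themselves do not give the numbers).
PROTO_ESP = 50
PROTO_AH = 51


@dataclass(frozen=True)
class SAKey:
    """The three parameters that identify an SA: SPI, destination address, protocol."""
    spi: int
    dst: IPv4Address
    proto: int


@dataclass
class SecurityAssociation:
    """One-way SA; only the fields needed here (mode and the sender sequence counter)."""
    key: SAKey
    mode: str          # "transport" or "tunnel"
    seq: int = 0       # sender sequence number, initialised to 0 when the SA is created


@dataclass
class Selector:
    """SPD selectors; None means 'any' for that field."""
    local: IPv4Network
    remote: IPv4Network
    next_proto: Optional[int] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in self.local:
            return False
        if ip_address(pkt["dst"]) not in self.remote:
            return False
        for want, have in ((self.next_proto, pkt.get("proto")),
                           (self.local_port, pkt.get("sport")),
                           (self.remote_port, pkt.get("dport"))):
            if want is not None and want != have:
                return False
        return True


@dataclass
class SPDEntry:
    selector: Selector
    action: str                      # "protect", "bypass" or "discard"
    sa_key: Optional[SAKey] = None   # SA that protects matching traffic


def lookup_policy(spd: List[SPDEntry], pkt: dict) -> SPDEntry:
    """The SPD is ordered: the first matching selector wins. No match means discard."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry
    any_net = ip_network("0.0.0.0/0")
    return SPDEntry(Selector(any_net, any_net), "discard")


def outbound(spd: List[SPDEntry], sad: Dict[SAKey, SecurityAssociation],
             pkt: dict) -> Tuple[str, Optional[SecurityAssociation]]:
    """Apply policy to an outgoing packet and pick the SA that will protect it."""
    entry = lookup_policy(spd, pkt)
    if entry.action != "protect":
        return entry.action, None
    sa = sad.get(entry.sa_key)
    if sa is None:
        # Policy requires protection but no SA exists yet: a real stack would
        # trigger IKE here; until the SA is negotiated the packet is dropped.
        return "discard", None
    sa.seq += 1                       # one sequence number per packet sent on this SA
    return "protect", sa


def inbound_sa(sad: Dict[SAKey, SecurityAssociation], spi: int, dst: str,
               proto: int) -> Optional[SecurityAssociation]:
    """The receiver finds the SA from the SPI, destination address and protocol in the packet."""
    return sad.get(SAKey(spi, ip_address(dst), proto))


def build_example() -> Tuple[List[SPDEntry], Dict[SAKey, SecurityAssociation]]:
    """Constructed sample: site A (10.1.0.0/16) talks to site B (10.2.0.0/16)
    through a tunnel-mode ESP SA whose outer destination is gateway B."""
    sa_key = SAKey(spi=0x1000, dst=ip_address("203.0.113.2"), proto=PROTO_ESP)
    sad = {sa_key: SecurityAssociation(sa_key, mode="tunnel")}
    missing = SAKey(spi=0x2000, dst=ip_address("203.0.113.3"), proto=PROTO_AH)
    spd = [
        SPDEntry(Selector(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"),
                          next_proto=6), "protect", sa_key),          # TCP, site A -> site B
        SPDEntry(Selector(ip_network("10.1.0.0/16"), ip_network("10.3.0.0/16")),
                 "protect", missing),                                 # SA not yet negotiated
        SPDEntry(Selector(ip_network("10.1.0.0/16"), ip_network("10.1.0.0/16")),
                 "bypass"),                                           # intra-site, in the clear
    ]
    return spd, sad
```

Two properties of the design are worth noticing: the SPD is consulted in order and anything that matches no entry is discarded rather than sent in the clear, and the receiver never needs the SPD to pick an SA, since the SPI in the packet plus the destination address and protocol number identify it.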

Page 14: Encapsulating Security Payload (ESP)

• provides message content confidentiality, data origin authentication, connectionless integrity, an anti-replay service, limited traffic flow confidentiality
• services depend on options selected when establish Security Association (SA), net location
• can use a variety of encryption & authentication algorithms

Page 15: Encapsulating Security Payload

Page 16: Encryption & Authentication Algorithms & Padding

• ESP can encrypt payload data, padding, pad length, and next header fields
  • if needed have IV at start of payload data
• ESP can have optional ICV for integrity
  • is computed after encryption is performed
• ESP uses padding
  • to expand plaintext to required length
  • to align pad length and next header fields
  • to provide partial traffic flow confidentiality
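The padding and ICV rules on this slide, as an added Python example (not code from the textbook or the slides): `esp_pad` builds the Payload Data, Padding, Pad Length and Next Header region that ESP encrypts, padded to the cipher block size, 4-byte aligned, and optionally lengthened by whole blocks to hide the true payload size; `esp_unpad` checks the trailer on the way back; `build_esp` and `parse_esp` show the ICV being computed over the SPI, sequence number, IV and ciphertext after encryption, and verified before the ciphertext is touched. The 16-byte IV and 16-byte truncated HMAC-SHA-256 ICV are assumed sizes for the illustration (the slide names no algorithm), and the cipher itself is left out: `build_esp` takes whatever ciphertext the negotiated algorithm produced from `esp_pad`'s output.

```python
"""ESP padding, trailer and ICV handling (added example, not from the slides)."""
import hashlib
import hmac
import struct
from typing import Tuple

# Assumed sizes for the illustration: a 16-byte block cipher IV and a 16-byte
# truncated HMAC-SHA-256 ICV. The slides name no particular algorithm.
IV_LEN = 16
ICV_LEN = 16


def esp_pad(payload: bytes, next_header: int, block_size: int = 16,
            extra_pad: int = 0) -> bytes:
    """Return Payload Data || Padding || Pad Length || Next Header.

    The result is a multiple of block_size (which must itself be a multiple of
    4, so Pad Length and Next Header end on a 4-byte boundary). extra_pad adds
    whole blocks of padding to hide the true payload length (partial traffic
    flow confidentiality). Padding bytes are 1, 2, 3, ... (the RFC 4303 default),
    which lets the receiver check them."""
    if block_size % 4 != 0:
        raise ValueError("block size must be a multiple of 4")
    if extra_pad % block_size != 0:
        raise ValueError("extra padding must be whole blocks")
    pad_len = (-(len(payload) + 2)) % block_size + extra_pad
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte (max 255)")
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def esp_unpad(plaintext: bytes) -> Tuple[bytes, int]:
    """Strip the trailer after decryption; reject inconsistent padding."""
    if len(plaintext) < 2:
        raise ValueError("truncated ESP plaintext")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds plaintext")
    padding = plaintext[len(plaintext) - 2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return plaintext[:len(plaintext) - 2 - pad_len], next_header


def esp_icv(auth_key: bytes, header_and_ciphertext: bytes) -> bytes:
    """ICV over SPI, Sequence Number, IV and ciphertext, computed after encryption."""
    return hmac.new(auth_key, header_and_ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, iv: bytes, ciphertext: bytes, auth_key: bytes) -> bytes:
    """Assemble SPI || Seq || IV || ciphertext || ICV."""
    if not 0 <= seq <= 2**32 - 1:
        raise ValueError("sequence number exceeds the 32-bit field")
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + esp_icv(auth_key, body)


def parse_esp(packet: bytes, auth_key: bytes) -> Tuple[int, int, bytes, bytes]:
    """Verify the ICV before touching the ciphertext; return (spi, seq, iv, ciphertext)."""
    if len(packet) < 8 + IV_LEN + ICV_LEN:
        raise ValueError("packet too short for ESP header, IV and ICV")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(auth_key, body)):
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:8 + IV_LEN], body[8 + IV_LEN:]
```

The order matters for the receiver: `parse_esp` rejects a packet with a bad ICV before any decryption or padding check runs, so a forged or corrupted packet cannot reach the padding-check error path at all. The `extra_pad` argument is what gives the partial traffic flow confidentiality the slide mentions: an observer sees only the padded length, and the one-byte Pad Length field caps how much can be hidden this way.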

Page 17: Anti-Replay Service

• replay is when attacker resends a copy of an authenticated packet
• use sequence number to thwart this attack
  • sender initializes sequence number to 0 when a new SA is established
  • increment for each packet
  • must not exceed limit of 2^32 – 1
• receiver then accepts packets with seq no within window of (N – W + 1) to N
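The sender counter and the receiver window on this slide, as an added Python example (not code from the textbook or the slides). `SeqCounter` starts at 0 when the SA is created, increments once per packet and refuses to pass 2^32 – 1; `AntiReplayWindow` keeps N (the highest sequence number accepted) and a W-bit bitmap of the numbers already seen, accepting anything above N, anything in (N – W + 1) .. N that has not been seen, and nothing else. The window size of 64 and the arrival sequence in `replay_demo` are constructed for the illustration; the rule that sequence number 0 is never transmitted follows from the sender starting at 0 and incrementing before each packet.

```python
"""Sender sequence counter and receiver anti-replay window (added example)."""

MAX_SEQ = 2**32 - 1


class SeqCounter:
    """Sender side: starts at 0 on SA creation and increments once per packet."""

    def __init__(self, start: int = 0) -> None:
        self.seq = start

    def next(self) -> int:
        if self.seq >= MAX_SEQ:
            # The counter must not wrap; the SA has to be re-keyed instead.
            raise OverflowError("sequence number space exhausted; negotiate a new SA")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side: accepts sequence numbers in (N - W + 1) .. N and any number
    above N, each at most once. N is the highest sequence number accepted so far
    and the bitmap records which of the last W numbers have been seen (bit i set
    means N - i was received). Only authenticated packets may update the window,
    so accept() is meant to be called after the ICV has verified."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("window must be at least 32 (64 recommended)")
        self.size = size
        self.highest = 0        # N
        self.bitmap = 0         # bit i == 1 -> sequence number N - i already received

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0 or seq > MAX_SEQ:
            return False        # 0 is never transmitted; the first packet carries 1
        if seq > self.highest:
            # Right of the window: slide it forward and mark seq as received.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                 # everything previously seen falls off
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False        # left of the window: too old, dropped
        if (self.bitmap >> offset) & 1:
            return False        # already received: replay
        self.bitmap |= 1 << offset
        return True

    def window_low(self) -> int:
        """Lowest sequence number still accepted, i.e. N - W + 1 (never below 1)."""
        return max(1, self.highest - self.size + 1)


def replay_demo() -> list:
    """Constructed sequence of arrivals and whether each is accepted (W = 64)."""
    w = AntiReplayWindow(64)
    arrivals = [1, 3, 3, 2, 100, 36, 37, 37]
    return [(s, w.accept(s)) for s in arrivals]
```

In `replay_demo` the second 3 and the second 37 are rejected as replays, 2 is accepted late because it is still inside the window, and 36 is rejected after 100 arrives because the window has moved to 37 .. 100, which is exactly the slide's (N – W + 1) with N = 100 and W = 64. Reordering within the window is tolerated; a duplicate is not.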

Page 18: Combining Security Associations

• SA’s can implement either AH or ESP
• to implement both need to combine SA’s
  • form a security association bundle
  • may terminate at different or same endpoints
  • combined by
    • transport adjacency
    • iterated tunneling
• combining authentication & encryption
  • ESP with authentication, bundled inner ESP & outer AH, bundled inner transport & outer ESP

Page 19: Combining Security Associations

Page 20: IPSec Key Management

• handles key generation & distribution
• typically need 2 pairs of keys
  • 2 per direction for AH & ESP
• manual key management
  • sysadmin manually configures every system
• automated key management
  • automated system for on demand creation of keys for SA’s in large systems
  • has Oakley & ISAKMP elements

Page 21: Oakley

• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
  • no info on parties, man-in-middle attack, cost
  • so adds cookies, groups (global params), nonces, DH key exchange with authentication
• can use arithmetic in prime fields or elliptic curve fields

Page 22: ISAKMP

• Internet Security Association and Key Management Protocol
• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
• independent of key exchange protocol, encryption alg, & authentication method
• IKEv2 no longer uses Oakley & ISAKMP terms, but basic functionality is same

Page 23: IKEv2 Exchanges

Page 24: ISAKMP

Page 25: IKE Payloads & Exchanges

• have a number of ISAKMP payload types:
  • Security Association, Key Exchange, Identification, Certificate, Certificate Request, Authentication, Nonce, Notify, Delete, Vendor ID, Traffic Selector, Encrypted, Configuration, Extensible Authentication Protocol
• payload has complex hierarchical structure
  • may contain multiple proposals, with multiple protocols & multiple transforms

Page 26: Cryptographic Suites

• variety of cryptographic algorithm types
• to promote interoperability have
  • RFC4308 defines VPN cryptographic suites
    • VPN-A matches common corporate VPN security using 3DES & HMAC
    • VPN-B has stronger security for new VPNs implementing IPsecv3 and IKEv2 using AES
  • RFC4869 defines four cryptographic suites compatible with US NSA specs
    • provide choices for ESP & IKE
    • AES-GCM, AES-CBC, HMAC-SHA, ECP, ECDSA

Page 27: Summary

• have considered:
  • IPSec security framework
  • IPSec security policy
  • ESP
  • combining security associations
  • internet key exchange
  • cryptographic suites used