Preso - OpenLoop.com


By
Mau, Morgan
Arora, Pankaj
Desai, Kiran

Large address space
Briefing on IPsec
IPsec implementation
IPsec operational modes
Authentication Header in IPv6
ESP in IPv6
Security Issues in IPv6
[Figure: A (Poor) Representation of Relative IPv4 and IPv6 Address Space Sizes [1]]


With IPv4 a typical Class C network has 8 bits for host addressing.
◦ If we scan at the rate of 1 host/sec
◦ 2^8 hosts × 1 sec/host × 1 min/60 sec ≈ 4.2 min
◦ It takes us ~4 minutes to completely scan the Class C network
With IPv6 the subnets use 64 bits for host addressing.
◦ If we scan at the rate of 1 host/sec
◦ 2^64 hosts × 1 sec/host × 1 yr/31536000 sec ≈ 584 billion yrs
◦ It takes us ~584 billion years to completely scan the subnet

Advantages
◦ Port scanning attacks become an arduous task
◦ Well organized IP address assignment helps track down issues

Disadvantages
◦ Increased overhead, since every datagram header or other place where IP addresses are referenced must use 16 bytes for each address instead of 4 bytes



IPsec is a set of cryptographic protocols that secure data communication and provide for the secure exchange of keys during the initial negotiation.
Although IPsec has been around for quite some time now, it was optional in IPv4.
IPv6 mandates the use of IPsec.
[Figure: IPsec overview [1]]

Integrated architecture
◦ Integrated in the IP layer itself
◦ Example: IPv6
◦ The most elegant option, but not possible with IPv4, as the IP implementation in each device would need to be changed
BITS architecture, or Bump In The Stack
[Figure: BITS architecture [1]]
BITW architecture, or Bump In The Wire
[Figure: BITW architecture [1]]
As its name suggests, in transport mode the protocol protects the message passed down to IP from the transport layer.
In tunnel mode, IPsec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it.

Thus, to generalize, the order of headers is as below:
◦ Transport Mode: IP header, IPsec headers (AH and/or ESP), IP payload (including transport header).
◦ Tunnel Mode: New IP header, IPsec headers (AH and/or ESP), old IP header, IP payload.

For IPv6 there are 2 variables and 4 combinations: the 2 protocols (AH and ESP) and the 2 modes (transport and tunnel) can be combined in different ways.


AH is one of the two core security protocols in IPsec.
AH is intended to guarantee connectionless integrity and data origin authentication.
[Figure: IPsec AH packet [2]]

The calculation of the Authentication Header is similar for both IPv4 and IPv6.
The difference is in placing the header into the datagram and in linking the headers together.
The AH is inserted into the IP datagram as an extension header, following the normal rules of IPv6 extension header linking.
Each header is linked to by the Next Header field of the preceding header.
Thus the headers can be chained one after the other.
The numbers indicated are the standard values specified by the IETF for each protocol.
Authentication Header Placement and Linking
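The following Python is an added example, not code from the slides or from the two cited guides, tying together the header order for transport and tunnel mode and the Next Header chaining of AH in IPv6. It builds an IPv6 datagram carrying an AH extension header, computes the ICV over the immutable fields, and walks the chain from the outer IPv6 header to the upper-layer protocol. The integrity algorithm (HMAC-SHA1-96, RFC 2404), the key, SPI, addresses and the 20-byte TCP segment are assumptions or constructed values; the slides name none of them.

```python
"""Added example: IPv6 datagram with an AH extension header (transport and
tunnel mode) and a walker that follows the Next Header chain.  Stdlib only."""
import hashlib
import hmac
import struct
from ipaddress import IPv6Address

# IANA protocol numbers: the "Next Header" values the slides refer to
NH_TCP, NH_IPV6, NH_ESP, NH_AH = 6, 41, 50, 51
NAMES = {NH_TCP: "TCP", NH_IPV6: "IPv6", NH_ESP: "ESP", NH_AH: "AH"}
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): 160-bit MAC truncated to 96 bits (assumed algorithm)


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed)


def _icv_input(ip_hdr, ah_with_zero_icv, payload):
    """AH authenticates the whole datagram; the mutable IPv6 fields (traffic
    class, flow label, hop limit) and the ICV field itself are zeroed first."""
    immutable = struct.pack("!I", 6 << 28) + ip_hdr[4:7] + b"\x00" + ip_hdr[8:]
    return immutable + ah_with_zero_icv + payload


def ah_encapsulate(src, dst, next_header, spi, seq, key, payload):
    """Return IPv6 | AH | payload.  AH's Next Header names the payload type:
    TCP/UDP/... in transport mode, 41 (IPv6) in tunnel mode, where `payload`
    is the complete inner IPv6 datagram (old IP header + IP payload)."""
    ah_len = 12 + ICV_LEN                 # 24 bytes: a multiple of 8, as IPv6 requires
    payload_len_field = ah_len // 4 - 2   # RFC 4302: AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = ipv6_header(src, dst, NH_AH, ah_len + len(payload))
    icv = hmac.new(key, _icv_input(ip_hdr, ah_fixed + bytes(ICV_LEN), payload),
                   hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(packet, key):
    """Recompute the ICV over the received datagram and compare in constant time."""
    if len(packet) < 40 + 12 + ICV_LEN or packet[6] != NH_AH:
        return False
    ip_hdr, rest = packet[:40], packet[40:]
    ah_len = (rest[1] + 2) * 4
    ah_fixed, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    expected = hmac.new(key, _icv_input(ip_hdr, ah_fixed + bytes(len(icv)), payload),
                        hashlib.sha1).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected)


def header_chain(packet):
    """Follow the Next Header links from the outer IPv6 header and name each header met."""
    chain, nh, off = ["IPv6"], packet[6], 40
    while True:
        chain.append(NAMES.get(nh, str(nh)))
        if nh == NH_AH:                        # AH: its own Next Header and length fields
            nh, off = packet[off], off + (packet[off + 1] + 2) * 4
        elif nh == NH_IPV6:                    # tunnel mode: an inner IPv6 header follows
            nh, off = packet[off + 6], off + 40
        else:                                  # upper-layer protocol: end of the chain
            return chain


# Constructed sample data (not captured traffic, not a key negotiated by IKE)
AH_KEY = b"constructed-demo-ah-key"
TCP_SEGMENT = bytes.fromhex("1f900050 00000001 00000000 50022000 00000000")  # TCP SYN 8080->80


def build_examples():
    """Transport mode (AH -> TCP) and tunnel mode (AH -> inner IPv6 -> TCP)."""
    transport = ah_encapsulate("2001:db8::1", "2001:db8::2", NH_TCP, 0x100, 1, AH_KEY, TCP_SEGMENT)
    inner = ipv6_header("2001:db8:1::10", "2001:db8:2::10", NH_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    tunnel = ah_encapsulate("2001:db8::1", "2001:db8::2", NH_IPV6, 0x101, 1, AH_KEY, inner)
    return transport, tunnel


if __name__ == "__main__":
    for pkt in build_examples():
        print(" -> ".join(header_chain(pkt)), "| ICV ok:", ah_verify(pkt, AH_KEY))
```

Running it prints `IPv6 -> AH -> TCP` for transport mode and `IPv6 -> AH -> IPv6 -> TCP` for tunnel mode, matching the header orders listed above. Because the hop limit is zeroed before the MAC is taken, a router decrementing it does not break verification, whereas any change to the addresses, the AH fields or the payload does.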



AH is not enough if we do not want intermediate devices to read our datagrams.
ESP provides the privacy we seek by encrypting them.
ESP also supports its own authentication scheme.
[Figure: ESP headers without and with authentication [2]]

Unlike AH, which provides a small header before the payload, ESP surrounds the payload it is protecting.
The Next Header field gives the type (IP, TCP, UDP, etc.) of the payload in the usual way, though it can be thought of as pointing "backwards" into the packet rather than forward, as we have seen in AH.
Header Calculation and Placement

Trailer Calculation and Placement

ESP Authentication Field Calculation and Placement


◦ The ESP header placement works similarly to AH.
◦ It is inserted into the IP datagram as an extension header.
◦ The ESP trailer is appended to the data to be encrypted.
◦ The Next Header field in ESP appears in the trailer and not in the header.
◦ The authentication field is computed over the entire ESP datagram.
[Figure: ESP in Transport and Tunnel Mode [1]]
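The following Python is an added example, not code from the slides or the cited guides, of the ESP layout the bullets above describe: the trailer is appended to the data, Next Header sits in the trailer and is read "backwards" from the end, and the authentication field covers the header, payload and trailer in front of it. To stay within the standard library it uses the NULL cipher (RFC 2410) so the framing stays visible, and HMAC-SHA-256-128 (RFC 4868) for the authentication field; both algorithm choices, the key, the SPI and the TCP segment are assumptions or constructed values.

```python
"""Added example of ESP framing: header | payload | trailer | ICV, using the
NULL cipher (RFC 2410) so the bytes stay readable.  With AES the bytes from
payload through trailer would be ciphertext; the layout is unchanged."""
import hashlib
import hmac
import struct

ICV_LEN = 16        # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
NH_TCP = 6          # IANA protocol number carried in the trailer's Next Header field


def esp_encapsulate(spi, seq, auth_key, next_header, payload):
    """Return a complete ESP datagram (NULL encryption) carrying `payload`."""
    # RFC 4303: Pad Length and Next Header must end on a 4-byte boundary;
    # a block cipher would pad to its block size instead (16 bytes for AES-CBC).
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default monotonic padding 1,2,3,...
    header = struct.pack("!II", spi, seq)           # SPI and sequence number travel in clear
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    body = header + payload + trailer               # with AES: header + encrypt(payload + trailer)
    # The authentication field covers everything in front of it: header, payload, trailer
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(auth_key, packet):
    """Verify the ICV first, then walk the trailer backwards to recover Next Header and payload."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP datagram too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        # Integrity failure: drop before decrypting or parsing anything
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]       # the trailer's last two bytes
    if pad_len > len(body) - 10:                    # 8-byte header + 2 trailer bytes minimum
        raise ValueError("ESP pad length exceeds datagram")
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding is not the expected 1,2,3,... sequence")
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


# Constructed sample data (not captured traffic, not a key negotiated by IKE)
TCP_SEGMENT = bytes.fromhex("1f900050 00000001 00000000 50022000 00000000")  # TCP SYN 8080->80
AUTH_KEY = b"constructed-demo-esp-auth-key"


def demo():
    """Encapsulate one TCP segment and show where the trailer fields land."""
    packet = esp_encapsulate(0x2001, 1, AUTH_KEY, NH_TCP, TCP_SEGMENT)
    spi, seq, nh, payload = esp_decapsulate(AUTH_KEY, packet)
    nh_offset = len(packet) - ICV_LEN - 1           # Next Header is the byte just before the ICV
    return {"length": len(packet), "next_header_offset": nh_offset,
            "pad_len": packet[nh_offset - 1], "next_header": nh,
            "payload_ok": payload == TCP_SEGMENT}


if __name__ == "__main__":
    print(demo())
```

For a 20-byte segment the datagram is 48 bytes: 8 header, 20 payload, 2 padding bytes (1, 2), Pad Length, Next Header and a 16-byte ICV. Note what the ICV does not cover: unlike AH, ESP's authentication field leaves the outer IP header unprotected, which is why the two protocols are complementary rather than interchangeable.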

IPv6-IPv4 stack issues
◦ Dual stacks during migration always bring in security vulnerabilities

Extension header issues
◦ The large size of extension headers will overwhelm certain nodes

Multicast flooding
◦ New features like multicast addresses would increase smurf attacks
[1] "TCP/IP Guide", http://www.tcpipguide.com, web resource retrieved on Oct 13th 2008
[2] "An Illustrated Guide to IPsec", http://unixwiz.net/techtips/iguideipsec.html, web resource retrieved on Oct 13th 2008