Transcript IPSec

Internet Security
CSCE 813
Network Access Layer
Security Protocols
Reading
• Frequently Asked Questions -- Microsoft's PPTP Implementation, http://www.schneier.com/pptpfaq.html
• CISCO, How Virtual Private Networks Work, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094865.shtml
CSCE 813 - Farkas
2
TCP/IP Protocol Stack
Layers, top to bottom: Application Layer, Transport Layer, Internetwork Layer, Network Access Layer
• Each layer interacts with neighboring layers above and below
• Each layer can be defined independently
• Complexity of the networking is hidden from the application
Network Access Layer
• Roughly corresponds to OSI Physical and Data Link layers
• Least uniform of the TCP/IP layers
• Services and functionalities to prepare data for the physical network
– Interfacing with the computer's network adapter, coordinating data transmission, formatting data, checking for errors, acknowledging receipts, etc.
• LAN technologies: Ethernet and Token Ring
• Diverse, complex, invisible
Security -- At What Level?
• Secure traffic at various levels in the network
• Where to implement security? -- Depends on the security requirements of the application and the user
Security at Network Access Layer
• Dedicated link between hosts/routers → hardware devices for encryption
• Advantages:
– Speed
• Disadvantages:
– Not scalable
– Works well only on dedicated links
– Two hardware devices need to be physically connected
SILS
• 1980s: IEEE security for LAN and MAN
• Standard for Interoperable LAN/MAN Security (compatible with IEEE 802 and OSI specifications)
• Has not been commercially successful
• Recent work on secure dial-up connections using PPP
Virtual Private Network (VPN)
• Private network, constructed within the public Internet
• Goals:
– Connect private networks, using public infrastructure
– Simplify distributed network creation
• Requirements:
– Security (confidentiality, authentication, integrity)
– Quality of Service
Without VPN
Figure: Client, PSTN/ISDN (used to set up the PPP connection), RAS, Main office, Internet. Annotation: Security?
With VPN
Figure: Client, PSTN, LAC, L2TP Tunnel across the Internet, LNS, Main office.
Virtual Private Network
• L2TP: combines Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP)
• Terms:
– CHAP: Challenge Handshake Authentication Protocol
– L2TP Access Concentrator (LAC)
– L2TP Network Server (LNS)
– Virtual Private Dial Network (VPDN)
Security Support
• Message confidentiality
– Encryption supported by IPSec, PPTP/MPPE, or L2TP/IPSec protocols
• Message integrity
– Integrity verification in IPSec, origin authentication
• Data origin authentication
Security Support
• Anti-replay
• Traffic flow confidentiality
– Data tunneling to hide traffic
• Non-repudiation
• AAA: Authentication, Authorization and Accountability
• Key management
Secure Dial-Up Connection
Figure. Copyright: Oppliger, eSecurity
Network Services
• Tunneling and Encapsulation
– Tunneling uses encapsulation, where data transfer units of one protocol are enclosed inside a different kind of protocol
– Advantage:
  – Allows transmission of incompatible frames over an existing network
  – Allows cryptographic protection
– Disadvantage:
  – Need extra software to allow encapsulation → slower performance
L2TP - Terminology
• Remote system (dial-up client): computer system that is either the initiator or recipient of a layer 2 tunnel
• L2TP Access Concentrator (LAC): node that acts as one side of the layer 2 tunnel and peer to the L2TP server
• L2TP Network Server (LNS): node that acts as one side of the layer 2 tunnel and peer to the LAC
Tunneling Establishment
• Voluntary tunneling:
– Tunnel is created by the client (user)
– User sends packets encapsulated in the tunneling protocol (L2TP, PPTP)
• Compulsory tunneling:
– Tunnel is created without any action from the client
– Client sends PPP packets to LAC (e.g., ISP), which encapsulates them in the tunneling protocol (L2TP, PPTP)
• The level of protection of the packets differs!
Layer 2 Tunneling Protocol (L2TP)
• Goal: Tunnel PPP frames between remote system (LAC client) and LNS located at LAN.
• Encapsulate a given network layer protocol (e.g., IP, IPX) inside PPP to cryptographically protect the PPP frames (L2TP) and to encapsulate the data inside a tunneling protocol (e.g., IP)
Figure (encapsulation stack): IP or IPX inside PPP inside L2TP inside IP. Annotations: "Most popular", "Applicable over the internet".
L2TP Protocol
Figure: LAC and LNS connected by a Control channel and by Session 1 (Call ID 1) and Session 2 (Call ID 2). Copyright: G. Chaffee, UCA/Berkley
• Tunnel components
– Control channel (reliable): controls sessions and tunnel
– Data channel (unreliable): created for each call
• Multiple tunnels may exist between a LAC-LNS pair to support different QoS needs
L2TP Protocol Structure
Figure (layering): PPP Frames are carried in L2TP Data Messages over the L2TP Data channel (unreliable); L2TP Control messages travel over the L2TP Control channel (reliable); both channels run over a Packet Transport (IP, UDP, ATM, etc.)
Control Messages
• Establishment, maintenance and clearing of tunnels and calls
• Utilize a reliable Control Channel within L2TP to guarantee delivery
• Control message types:
– Control Connection Management
– Call Management
– Error Reporting
– PPP Session Control
Data Messages
• Encapsulate PPP frames being carried over the tunnel
• Not retransmitted when packet loss occurs
• Sequence numbers (optional):
– Optional data message sequencing
– May be used to detect lost packets
• No fragmentation avoidance
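The L2TPv2 header layout and the optional data-channel sequencing from the Protocol Structure, Control Messages and Data Messages slides, as an added Python example that is not from the slides or from any L2TP implementation: it builds and parses control and data headers (RFC 2661 bit layout) and lists the Ns values a receiver would notice missing. The tunnel/session IDs and packet payloads are constructed, and the offset-pad (O bit) field is assumed absent.

```python
import struct
T_BIT, L_BIT, S_BIT = 0x80, 0x40, 0x08   # L2TPv2 flag bits, first header byte (RFC 2661, 3.1)

def build_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=0):
    """Control messages must set T, L and S; data messages set S only if sequenced."""
    flags = (T_BIT | L_BIT | S_BIT) if control else (S_BIT if ns is not None else 0)
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & S_BIT:
        body += struct.pack("!HH", ns or 0, nr)
    header = bytes([flags, 0x02])                      # version nibble = 2
    if flags & L_BIT:                                  # length covers the whole message
        header += struct.pack("!H", 4 + len(body) + len(payload))
    return header + body + payload

def parse_l2tp(pkt):
    """Decode a header (no offset field) into channel type, IDs, Ns/Nr and payload."""
    flags, ver = pkt[0], pkt[1] & 0x0F
    if ver != 2:
        raise ValueError("not an L2TPv2 header")
    control = bool(flags & T_BIT)
    if control and (flags & (L_BIT | S_BIT)) != (L_BIT | S_BIT):
        raise ValueError("control message without L/S bits")  # RFC 2661 MUST
    off, end = 2, len(pkt)
    if flags & L_BIT:
        end, off = struct.unpack_from("!H", pkt, off)[0], off + 2
    tunnel_id, session_id = struct.unpack_from("!HH", pkt, off)
    ns, nr = struct.unpack_from("!HH", pkt, off + 4) if flags & S_BIT else (None, None)
    off += 8 if flags & S_BIT else 4
    return {"control": control, "tunnel": tunnel_id, "session": session_id,
            "ns": ns, "nr": nr, "payload": pkt[off:end]}

def lost_data_packets(packets):
    """Per (tunnel, session), Ns values skipped on the unreliable data channel. L2TP never
    retransmits them; Ns only lets the receiver notice (assumes no wrap at 65535)."""
    expected, lost = {}, {}
    for p in map(parse_l2tp, packets):
        if p["control"] or p["ns"] is None:
            continue
        key = (p["tunnel"], p["session"])
        nxt = expected.get(key, p["ns"])
        while nxt < p["ns"]:
            lost.setdefault(key, []).append(nxt)
            nxt += 1
        expected[key] = p["ns"] + 1
    return lost

# Constructed sample: one control message, then sequenced data frames Ns = 0, 1, 3.
SAMPLE = [build_l2tp(5, 0, b"\x00\x08\x00\x00\x00\x00\x00\x01", control=True, ns=0)]
SAMPLE += [build_l2tp(5, 7, b"\xff\x03\x00\x21", ns=n) for n in (0, 1, 3)]
```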
Security Considerations
Tunnel Endpoint Security
• Endpoints may optionally perform an authentication procedure of one another during tunnel establishment (CHAP)
• Reasonable protection against replay and snooping
• Designed to provide authentication for tunnel establishment only
• LAC and LNS MUST share a single secret key
• Each side uses this same secret when acting as authenticatee as well as authenticator
Security Considerations
Packet Level Security
• L2TP requires that the underlying transport make available encryption, integrity and authentication services for all L2TP traffic
• Secure transport operates on the entire L2TP packet and is functionally independent of PPP and the protocol being carried by PPP
• L2TP is only concerned with confidentiality, authenticity, and integrity of the L2TP packets between tunnel endpoints
Security Considerations
End to End Security
• Secure transport in the tunnel protects the data within the tunneled PPP packets while transported from the LAC to the LNS
• Need: security between communicating hosts or applications (IPSec)
L2TP and IPSec
Attacks to consider:
• Packet snooping: discover user identity
• Packet modification (both control and data messages)
• Denial of Service by terminating PPP connections or L2TP tunnels
• Disrupt L2TP tunnel establishment
PPTP
• Designed to create and maintain VPN tunnels over public TCP/IP networks using PPP
• Joint effort of Microsoft and product vendors
• Server in Windows NT 4.0
• Clients for Win 95, NT 4.0
Copyright: G. Chaffee, UCA/Berkley
Figure. Copyright: Oppliger, eSecurity
PPTP
• Data channel:
– Encapsulates PPP over IP using Generic Routing Encapsulation (GRE)
– Encapsulates link layer (PPP), communicates at network layer (IP)
Figure (PPTP data packet, outermost first): Media-specific header, IP header, GRE, PPP, IP
PPTP
• Signaling (control) channel:
– Uses TCP connection for signaling
– Query status and convey signaling information between LAC and LNS
– Always initiated by the PPTP client to the PPTP server via port 1723
– Bidirectional
Figure. Copyright: Oppliger, eSecurity
Authentication – MS-PPTP
• Three methods:
– Clear password: client authenticates to the server
– Hashed password: client authenticates to the server
– Challenge-response: client and server authenticate each other
Hashed authentication
• LAN Manager: DES encryption
– Password is turned into a 14-character string
– All converted to upper case
– String is split into two 7-character strings, each used as the key to encrypt a fixed constant → two 8-byte strings
– Concatenate strings → 16-byte string = hash value
• Windows NT hash function: MD4 hash
– Password converted to Unicode
– Hashed using MD4 → 16-byte hash value
Security Problems with Hashed Authentication
• Dictionary attack
– LAN Manager is easier to break
– Windows NT: better (mixed case)
• Neither supports password salt
• Both hash values are sent together
Encryption
• Assume existence of a secret key shared between client and server
• RC4 stream cipher: encrypt data traffic
• Need key agreement:
– Diffie-Hellman key exchange
– Generate deterministically from LAN Manager's hash value (NOT SECURE!)
Summary of L2TP
• Not secure without the support of IPSec
Next Class
• Transport layer security