Transcript ppt

IP SECURITY – Chapter 16
Security Mechanisms:
email – S/MIME, PGP
client/server - Kerberos
web access - Secure Sockets Layer
network
- TCP/IP
Three Areas:
1. Authentication –
verifies source / no alteration
2. Confidentiality –
no eavesdropper
3. Key Management –
secure exchange
ATTACKS - REQUIREMENTS
1. IP Spoofing - false IP address
2. eavesdropping / packet sniffing
- logon data, database contents
Secure Branch Office over Internet
- Virtual Private Network
Secure Remote Access over Internet
- local call to ISP  remote company
extranet/internet – secure comms  other orgs
Secure Commerce – enhanced by IPSEC
…because encrypt/decrypt all traffic at IP level
(fig 16.1)
IP SECURITY SCENARIO
Secure IP
Payload
I
He P
ade
r
IP
ea
de
IP
He S e c
ade
Sec
r
u
Pay r IeP
loa
d
Public (I nternet)
or Private
Network
r I PS
H
ea ec
de
r S
e
P a cur e
lyo I P
ad
IP
IPSec
Header Header
H
User system
with IPSec
Networking device
with IPSec
IP
Header
IP
Payload
Figur e 16.1 An IP Security Scenario
Networking device
with IPSec
IP
Header
IP
Payload
BENEFITS of IPSEC
• Traffic within company
– ”no need for security”
• Transparent applications and end users
• Security for ”off-site” individuals
IPSEC and ROUTING
• Authorises Routing Advertisement
• Authorises Neighbour Advertisement
• Redirect
• Routing Update - not forged
EXTENSION HEADER
- follows main IP header
Authentication Header
Encapsulating Security Payload
(ESP) header (encrypted)
Fig 16.2
AH - Authentication Header
ESP – Encryption + Authentication
Table 16.1
IPSec DOCUMENT OVERVIEW
Ar chi tectur e
ESP
Pr otocol
AH
Pr otocol
Encr yption
Algor ithm
Authentication
Algor ithm
DOI
K ey
M anagement
Fi gur e 16.2
I PSec Document Over vi ew
SECURITY ASSOCIATIONS
(SAs)
One-way relationship between
sender and receiver
-For two-way, need two SAs
- Three Parameters
1. Security Parameter Index (SPI)
2. IP Destination Address
3. Security Protocol Identifier
SECURITY ASSOCIATIONS
(SAs)
1. Security Parameter Index (SPI)
- bit string – carried in AH and ESP
headers enables receiver to select
SA for processing packet.
2. IP Destination Address
- end user or network system
(e.g. firewall, router)
3. Security Protocol Identifier
indicates AH or ESP
SA PARAMETERS
• Sequence Number Counter
• Sequence Counter Overflow
- overflow auditable?
• Anti-Replay Windows
- is incoming AH or ESP a replay?
• AH information
- auth. alg., keys, key lifetimes
• ESP information
- encryp. alg., auth. alg., keys,
init. values, key lifetimes
• Lifetime of SA
• IPSec Protocol Mode:
- Tunnel/Transport/Wildcard (mask)
• Path MTU – max packet size
SECURITY POLICY DATABASE (SPD)
Relates IP traffic to specific SAs
[ Subset0 of IP Traffic]
[ Subset1 of IP Traffic]
SA
and/or
[Subset of IP Traffic]
SA0
SA1
SPD : IP and UPPER LAYER SELECTORS
- filters/maps traffic  SA
• Dest. IP Address: single/list/range/wildcard
• Source IP Address: single/list/range/wildcard
• User ID
• Data Sensitivity Level:e.g.secret/unclassified
• Transport Layer Protocol:
(number) individual/list/range
IPSEC Protocol: AH/ESP/AH and ESP
•
• Source and Dest. Ports:
(TCP or UDP values) individual/list/wildcard
SPD : IP and UPPER LAYER SELECTORS
- filters/maps traffic  SA
• IPv6 Class: specific/wildcard
• IPv6 Flowlabel: specific/wildcard
• IPv4 Type of Service (TOS):
specific/wildcard
TRANSPORT MODE
Transport
Upper-layer protection
End-to-end communication
(e.g. client  server, two workstations)
ESP encrypts IP payload (not header)
(optionally authenticates)
AH authenticates IP payload + selected
portions of header
TUNNEL MODE
Tunnel
Protects entire IP packet
entire packet + security fields treated as
”outer” payload with new IP header
Original (inner) packet travels through
tunnel.
Routers cannot examine inner IP header
e.g. tunneled through firewall
Table 16.2
AUTHENTICATION HEADER
- Detects modification
- Prevents address spoofing, replay
Uses MAC
- Alice, Bob share secret key
Fig 16.3
AUTHENTICATION HEADER
Bit:
0
16
8
Next Header
Payload Length
31
RESERVED
Security Parameters Index (SPI)
Sequence Number
Authentication Data (variable)
Figure 16.3 IPSec Authentication Header
ANTI-REPLAY SERVICE
Sequence Number Field (SNF)
thwarts attack
New SA: Sender initialises
C=0
For every new packet on SA: C++
Anti-Replay operates up to
max C = 232 – 1
If max reached, terminate SA
ANTI-REPLAY SERVICE
IP is,
connectionless,
unreliable

protocol does NOT guarantee:
packets delivered in order
all packets delivered
ANTI-REPLAY MECHANISM
Advance window if
valid packet to the
right is r eceived
Fixed window size W
¥¥¥
N
N ÐW
N+1
marked if valid
packet r eceived
unmarked if valid
packet not yet r eceived
Figure 16.4 Anti-Replay Mechanism
ANTI-REPLAY MECHANISM
(Fig 16.4)
1. if Rx packet falls in window and new
then check MAC.
if authentic then mark slot
2. if Rx packet to right of window and
new then check MAC.
if authentic advance window up to
packet.
3. if Rx packet to left of window or
authentication fails then,
discard, audit
INTEGRITY CHECK VALUE (ICV) - MAC
HMAC–MD5-96, HMAC-SHA-1-96
(trunc to 96 bits)
MAC over:
IP Header Fields which are
unchanged in transit (or are predictable
at receiver), other fields set ot 0
for calculation purposes.
AH Header except Authentication Data
Field – AD  0
Upper-Level protocol data
TRANSPORT / TUNNEL MODES
Fig 16.5
Transport SA: workst.  server
Tunnel SA:
(secret key)
workst.
intern. network
firewall
intern. server
without auth.
Fig 16.6
IP Payload is TCP or data for other
protocol.
End-to-End vs. End-to-intermediate Auth.
Server
End-to-end
authentication
Internal Network
End-to-end
authentication
External
Network
Router/Firewall
End-to-intermediate
authentication
Figure 16.5 End-to-end vs. End-to-intermediate Authentication
SCOPE OF AH AUTHENTICATION
or ig I P
hdr
T CP
Data
extension header s
(if present)
T CP
Data
I Pv4
I Pv6
or ig I P
hdr
(a) Befor e Applying AH
authenticated except for mutable fields
I Pv4
or ig I P
hdr
AH
T CP
Data
authenticated except for mutable fields
I Pv6
or ig I P
hdr
hop-by-hop, dest,
r outing, fragment
AH
dest
T CP
Data
(b) T r anspor t M ode
authenticated except for mutable
fields in the new I P header
I Pv4
New I P
hdr
AH
or ig I P
hdr
T CP
Data
authenticated except for mutable fields in
new I P header and i ts extension header s
I Pv6
new I P
hdr
ext
header s
AH
or ig I P
hdr
ext
header s
T CP
(c) T unnel M ode
Fi gur e 16.6
Scope of AH Authentication
Data
ENCAPSULATING SECURITY
PAYLOAD (ESP)
Message Confidentiality
Limited Traffic flow Confidentiality
Authentication (like AH)
Fig 16.7
A u th e n tic a tio n C o v e r a g e
C o n f id e n t ia lit y C o v e r a g e
Bit:
ENCAPSULATING SECURITY
PAYLOAD (ESP)
0
16
24
Secur ity Par ameter s I ndex (SPI )
Sequence Number
Payload Data (var iable)
Padding (0 - 255 bytes)
Pad L ength
Authentication Data (var iable)
Figur e 16.7 I PSec ESP For mat
Next Header
31
ENCAPSULATING SECURITY
PAYLOAD (ESP)
• SPI – Security Association
• Sequence Number
• Payload – Transport/Tunnel – encrypt
• Padding - 0 – 255 bytes
• Pad Length
• Next Header – Payload type by
identifying first header
in payload.
• Auth. Data – ICV (MAC)
ESP
Encrypts payload, padding, pad length,
next header
Optimal init. vector (IV) for encryp. alg.
at beginning of Payload
Uses DES(CBC), 3DES, RC5, IDEA,
3IDEA, CAST, Blowfish
Uses HMAC-MD5-96, HMAC-SHA-1-96
PADDING
Required,
• if encryp. alg. requires plaintext to be
certain multiple of bytes.
• to make ciphertext a multiple of 32-bits
• for Partial Traffic Flow Confidentiality
TRANSPORT and TUNNEL MODES
Fig 16.8
Transport - confidentiality for all appl.
- drawback : traffic analysis
Tunnel – hosts avoid security (VPN)
Fig 16.9
Transport vs. Tunnel Encryp.
Encr ypted
TCP Session
Exter nal
Networ k
I nter nal
Networ k
(a) Tr anspor t-level secur ity
Cor por ate
Networ k
Encr ypted tunnels
car r ying I P tr affic
Cor por ate
Networ k
Cor por ate
Networ k
I nter net
Cor por ate
Networ k
(b) A virtual pr ivate networ k via Tunnel M ode
Fi gur e 16.8 Tr anspor t-M ode vs. Tunnel -M ode Encr yption
Scope of ESP Encryp. and Auth.
authenticated
encr ypted
I Pv4
or ig I P
hdr
ESP
hdr
T CP
Data
ESP ESP
trlr auth
Data
ESP ESP
trlr auth
Data
ESP ESP
trlr auth
Data
ESP ESP
trlr auth
authenticated
encr ypted
I Pv6
or ig I P
hdr
hop-by-hop, dest,
r outing, fragment
ESP
hdr
dest
T CP
(a) T r anspor t M ode
authenticated
encr ypted
I Pv4
New I P
hdr
ESP
hdr
or ig I P
hdr
T CP
authenticated
encr ypted
I Pv6
new I P
hdr
ext
header s
ESP
hdr
or ig I P
hdr
ext
header s
T CP
(b) T unnel M ode
Fi gur e 16.9
Scope of ESP Encr yption and Authentication
COMBINING SAs
Each SA implements AH or ESP,
but,
Some traffic flow may require both.
 multiple SAs
Security Association Bundle
Sequence of SAs
SAs may terminate at different
endpoints
TWO BUNDLE TYPES
Transport Adjacency:
more than one security protocol to
same IP packet, no tunneling,
one endpoint.
Iterated Tunneling:
multiple (nested) security layers
using tunnelling, possible different
end points.
TWO BUNDLE TYPES
Two approaches can be Combined
e.g. Transport SA between hosts
travels partway through a
Tunnel SA between security
gateways.
AUTHENTICATION
+ CONFIDENTIALITY
1. ESP with Auth. Option - Fig 16.9
Transport mode ESP:
IP header not protected
Tunnel mode ESP:
Auth. entire outer IP packet
Encryp. entire inner IP packet
For both cases,
ciphertext authenticated
Scope of ESP Encryp. and Auth.
authenticated
encr ypted
I Pv4
or ig I P
hdr
ESP
hdr
T CP
Data
ESP ESP
trlr auth
Data
ESP ESP
trlr auth
Data
ESP ESP
trlr auth
Data
ESP ESP
trlr auth
authenticated
encr ypted
I Pv6
or ig I P
hdr
hop-by-hop, dest,
r outing, fragment
ESP
hdr
dest
T CP
(a) T r anspor t M ode
authenticated
encr ypted
I Pv4
New I P
hdr
ESP
hdr
or ig I P
hdr
T CP
authenticated
encr ypted
I Pv6
new I P
hdr
ext
header s
ESP
hdr
or ig I P
hdr
ext
header s
T CP
(b) T unnel M ode
Fi gur e 16.9
Scope of ESP Encr yption and Authentication
AUTHENTICATION
+ CONFIDENTIALITY
2. Transport Adjacency
Two Bundled SAs:
- inner being ESP (no auth.)
outer being AH
- advantage:
auth. covers more fields
- disadvantage: two SAs versus one
AUTHENTICATION
+ CONFIDENTIALITY
3. Transport-Tunnel Bundle
Auth. Prior to encryp.:
- advantages:
Impossible to intercept and alter
without detection.
Store MAC with message at
destination for later.
Use Bundle:
Inner AH: Transport SA
Outer ESP: Tunnel SA
 entire auth. inner packet
encrypted.
new outer IP header added
BASIC COMBINATION OF SAs
CASE 1
End systems implement IPSec - share keys
CASE 2
Security between gateways (routers,firewalls)
No hosts implement IPSec
Simple VPN
Nested tunnels not required because IPSec
applied to entire packet.
CASE 3
Case 2 + end-to-end security.
Gateway-to-gateway ESP provides traffic
confidentiality.
CASE 4
Support for remote host to reach firewall.
Only tunnel mode required.
Key Management - Read
BASIC COMBINATION OF SAs
Tunnel SA
One or M or e SAs
Router
Secur ity
Gateway*
Router
Host*
H ost*
L ocal
I ntranet
Internet
L ocal
I ntranet
H ost*
L ocal
I ntranet
Internet
Tunnel SA
Secur ity
Gateway*
H ost
(b) Case 2
L ocal
ntranet
I
One or Two SAs
Secur ity
Gateway*
H ost
Internet
L ocal
I ntranet
(c) Case 3
Tunnel SA
L ocal
ntranet
I
Secur ity
Gateway*
Host*
(a) Case 1
Secur ity
Gateway*
One or Two SAs
Host*
H ost*
Internet
(d) Case 4
* = implements IPSec
Figur e 16.10 Basic Combinations of Secur ity Associations
L ocal
ntranet
I