Title: Internet Security CSCE 813 IPsec
1 Internet Security CSCE 813 IPsec
2 Reading
- Today: IPSec Chapters 4, 5, 6
- Next class: IPSec Chapter 7
3 Benefits of IPSec
- When implemented in a firewall or router, IPSec provides strong security to ALL TRAFFIC crossing the perimeter. Traffic within the perimeter does not incur security overhead.
- Cannot be bypassed (if all traffic must go through the firewall implementing IPSec)
- Transparent to applications
- Transparent to end users
4 IP Security Architecture
- RFC 2401: Overview of security architecture
- RFC 2402: Description of packet authentication extension to IPv4 and IPv6
- RFC 2406: Description of packet encryption extension to IPv4 and IPv6
- RFC 2408: Specification of key management capabilities
5 IPSec Document Overview: RFC 2401
6 IPSec Services
7 Security Association
- One-way relationship
- Identified by
  - Security parameters index (SPI)
  - IP destination address
  - Security protocol identifier
- Security Association Database
  - SA parameters: sequence number counter, sequence number overflow, anti-replay window, AH information, ESP information, lifetime of SA, IPSec protocol mode, path MTU
- Security Policy Database
  - SA selectors: destination IP address, source IP address, UserID, Data Sensitivity Level, transport layer protocol, source and destination port
8 Modes
9 Encapsulating Security Payload (ESP)
10 ESP
- Confidentiality: encryptor
- Integrity: authenticator
- Algorithm is determined by the Security Association (SA)
- Each ESP has at most
  - One cipher and one authenticator, or
  - One cipher and zero authenticator, or
  - Zero cipher and one authenticator
  - Disallowed: zero cipher and zero authenticator
11 ESP Protected IP packet
[Figure: ESP-protected IP packet. Labels: IP header, ESP header, protected data, ESP trailer; spans marked "encrypted" and "authenticated".]
- ESP goals
  - Authenticate as much information as possible
  - Allow efficient processing
12 ESP Format
[Figure: ESP format. Fields shown: IV, payload data, padding, pad length, next header; regions marked "authenticity protected" and "confidentiality protected".]
13 ESP Header
- SPI
  - Combined with the destination address and protocol in the preceding IP header, identifies the SA
  - Authenticated but not encrypted
- Sequence number
  - Used for anti-replay
  - Monotonically increasing number
  - Authenticated but not encrypted
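
How a receiver can use the sequence number for anti-replay, as an added example that is not part of the original slides: a sliding-window check for one inbound SA. The window size of 32 and all names are assumptions made for the illustration, and the sequence numbers fed to it are constructed.

```python
W = 32  # assumed anti-replay window size, in packets

class ReplayWindow:
    """Per-SA receive state: highest sequence number seen plus a bitmap."""
    def __init__(self):
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """True if seq is new and not to the left of the window."""
        if seq == 0:
            return False                      # senders start counting at 1
        if seq > self.top:
            return True                       # advances the window
        offset = self.top - seq
        if offset >= W:
            return False                      # too old to track
        return not (self.bitmap >> offset) & 1  # duplicate if bit already set

    def update(self, seq):
        """Record seq; call only after the packet has authenticated."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << W) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def run(seqs):
    """Feed constructed sequence numbers; return the accept/drop decisions."""
    win, out = ReplayWindow(), []
    for s in seqs:
        ok = win.check(s)
        if ok:
            win.update(s)
        out.append((s, "accept" if ok else "drop"))
    return out
```

Out-of-order delivery inside the window is accepted once; a repeated number, or one that has fallen off the left edge, is dropped.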
14 Payload Data Field
- Data to be protected
- Length depends on the length of data to be protected
- Contains
  - Initialization Vector (IV)
  - Protected Data
  - Pad
  - Pad Length
  - Next Header
15 Initialization Vector
- Specific algorithm must define location of IV
- DES-CBC location: first 8 octets of protected data field
- Authenticated but not encrypted
16 Padding
- Needed for encryption (input data multiple of block size)
- Hide actual data length
- Padding values
  - Algorithm may specify
  - ESP default: values start with 1 and monotonically increase
  - Used for checking proper decryption by recipient
17 Padding
- Padding Length
  - Needed for restoring actual length of payload data
  - Mandatory (even if there is no padding)
  - Additional padding may be added to provide traffic flow confidentiality
- Next header
  - Defines the type of protected data
  - Transport mode: type of upper-level protocol (e.g., TCP = 6)
  - Tunnel mode: 4 (IP-in-IP)
18 Authentication Data Field
- Used for data integrity check
- Usually keyed hash function
- Length depends on the authentication algorithm defined in SA
- If no authenticator is specified there is no authentication data
19 ESP Processing
- Depends on mode in which ESP is employed
- Both modes
  - Ciphertext is authenticated
  - Authenticated plain text is not encrypted
  - Outbound: encryption happens first
  - Inbound: authentication happens first
20 Protected Data
- Depends on the mode of ESP
- Transport mode: upper-layer protocol packet
- Tunnel mode: entire IP packet is protected
21 Scope of ESP Encryption and Authentication
[Figure: scope of ESP encryption and authentication in transport mode and tunnel mode (IPv4), with the "encrypt" and "authenticate" ranges marked.]
22 Outbound Processing
- ESP header inserted into the outgoing IP packet
- Protocol field of IP header copied into Next header field of ESP
- Remaining fields of ESP filled (SPI, sequence number, pad, pad length)
- Protocol number of IP header is given the value ESP (50)
- Encrypt packet from the beginning of payload data to the next header field
- Authenticate packet from the ESP header, through the encrypted ciphertext to the ESP trailer, and insert authentication data into ESP trailer
- Packet is routed to the destination
23 Inbound Processing
- Check for SA of the packet
  - If no SA → drop packet
  - Otherwise use valid SA to process the packet
- Check sequence number
  - Invalid number → drop packet
- Authenticate cipher text
  - Entire packet (without the authentication data) is processed by the authenticator
  - Match generated data with authentication data
  - No match → drop packet
24 Inbound Processing
- Decrypt ESP packet (from beginning of payload to the next header field)
- Check pad integrity
- Validate ESP mode using Next header field and decrypted payload
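
The outbound and inbound steps above, as an added example that is not part of the original slides. To run on the standard library alone it uses the "zero cipher and one authenticator" combination with HMAC-SHA1 truncated to 96 bits; the SA database contents, key, addresses and function names are constructed for the illustration, and the sequence check is simplified to "strictly increasing".

```python
import hashlib, hmac, struct

ICV_LEN = 12  # HMAC-SHA1 truncated to 96 bits (assumed authenticator)
# Constructed SA database, keyed by (SPI, destination address, protocol).
SAD = {(0x1001, "192.0.2.2", 50): {"key": b"constructed-auth-key", "last_seq": 0}}

def esp_outbound(spi, seq, key, payload, next_header):
    """Build ESP header + payload + trailer + authentication data (NULL cipher)."""
    pad_len = -(len(payload) + 2) % 4           # align trailer to 4 bytes
    pad = bytes(range(1, pad_len + 1))          # default pad values 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, next_header])
    # A real cipher would encrypt payload..next_header here, before authenticating.
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_inbound(dst, packet):
    """Return ('accept', next_header, payload) or ('drop', reason)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return ("drop", "truncated")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SAD.get((spi, dst, 50))
    if sa is None:
        return ("drop", "no SA")
    if seq <= sa["last_seq"]:                   # simplified: strictly increasing
        return ("drop", "bad sequence number")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # authenticate before decrypting
        return ("drop", "authentication failed")
    # A real cipher would decrypt payload..next_header here.
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10 or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return ("drop", "bad padding")
    sa["last_seq"] = seq                        # commit only after all checks pass
    return ("accept", next_header, body[8:len(body) - 2 - pad_len])
```

The sequence number is committed to the SA only after the authentication and padding checks pass, so a forged packet cannot advance the receiver's state.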
25 Authentication Header
26 Authentication Header (AH)
- Does NOT provide confidentiality
- Provides
  - Data origin authentication
  - Connectionless data integrity
  - Prevents spoofing attack
- May provide
  - Non-repudiation (depends on cryptographic alg.)
  - Anti-replay protection
- Precision of authentication: granularity of SA
- Protocol number: 51
27 AH Header
[Figure: AH header, 32 bits wide. Fields shown: next header, payload length, reserved.]
28 Authentication Data
- AH protects outer IP header (unlike ESP)
- Computed by using
  - Authentication algorithm (MD5, SHA-1)
  - Cryptographic key (secret key)
- Sender computes authentication data
- Recipient verifies data
29 Scope of Authentication
[Figure: scope of AH authentication, IPv4]
- Transport mode: authenticates except for mutable fields
- Tunnel mode: authenticates except for mutable fields in NEW IP hdr
30 Integrity Check Values
- Message Authentication Code is calculated from
  - IP header fields that either do not change in transit or are predictable upon arrival. Fields that change and cannot be predicted are set to zero for the MAC calculation
  - AH header, other than the authentication data field
  - Entire upper-level protocol data
- Note: both source and destination address fields are protected
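
The integrity check value calculation described above, as an added example that is not part of the original slides. It assumes a 20-byte IPv4 header without options and HMAC-SHA1 truncated to 96 bits; the set of fields zeroed (TOS, flags and fragment offset, TTL, header checksum) follows RFC 2402 rather than the slides, and the key, addresses and function names are constructed.

```python
import hashlib, hmac, socket, struct

ICV_LEN = 12  # HMAC-SHA1 truncated to 96 bits (assumed algorithm)

def ipv4_header(src, dst, ttl, proto, payload_len, tos=0):
    # 20-byte header without options; checksum left 0 (it is zeroed for the MAC anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields that change unpredictably in transit."""
    h = bytearray(ip_hdr)
    h[1] = 0             # TOS
    h[6:8] = b"\0\0"     # flags + fragment offset
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    return bytes(h)

def ah_icv(key, ip_hdr, ah_hdr, upper):
    """MAC over immutable IP fields, AH with zeroed auth data, and upper-level data."""
    ah_zeroed = ah_hdr[:12] + b"\0" * ICV_LEN
    data = zero_mutable(ip_hdr) + ah_zeroed + upper
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build(key, src, dst, ttl, spi, seq, upper, upper_proto=6):
    """Sender side, transport mode: returns (IP header, AH header, upper data)."""
    # next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, seq
    ah = struct.pack("!BBHII", upper_proto, 4, 0, spi, seq) + b"\0" * ICV_LEN
    ip = ipv4_header(src, dst, ttl, 51, len(ah) + len(upper))
    return ip, ah[:12] + ah_icv(key, ip, ah, upper), upper

def verify(key, ip, ah, upper):
    """Recipient side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah[12:12 + ICV_LEN], ah_icv(key, ip, ah, upper))

def demo():
    key = b"constructed-ah-key"
    ip, ah, upper = build(key, "192.0.2.1", "192.0.2.2", 64, 0x2002, 1,
                          b"constructed TCP segment")
    hop = bytearray(ip); hop[8] -= 1                      # a router decrements TTL
    spoof = bytearray(ip); spoof[12:16] = socket.inet_aton("198.51.100.9")
    return (verify(key, ip, ah, upper), verify(key, bytes(hop), ah, upper),
            verify(key, bytes(spoof), ah, upper))
```

The TTL change in transit leaves the ICV valid, while a rewritten source address fails verification, which is the spoofing protection the slide refers to.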
31 Combining Security Associations
32 SA Bundle
- Individual SA: either AH or ESP, but NOT BOTH
- Some traffic flow needs both: HOW?
- Some traffic between host and security gateway requires different services than flow between security gateways: HOW?
- Security Association Bundle
  - Sequence of SAs through which traffic must be processed to provide a desired set of IPSec services
  - SAs within a bundle may terminate at different end points
33 SA Combinations
- Transport adjacency
  - Applying more than one security protocol to the same IP packet without invoking tunneling.
  - Allows 1 level of combination (all IPSec processing is performed at one IPSec instance)
- Iterated tunneling
  - Multiple layers of security protocols effected through IP tunneling
  - Multiple levels of nesting (each tunnel may originate and terminate at a different IPSec site)
- Combination of the two approaches above.
34 Next Class: Key Management, ISAKMP, Exchanges