Chapter 6 - IPsec (IP Secure)

Presentation transcript:

Chapter 6 - IPsec (IP Secure)
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, Office: Klaus 3362 (email or call for office visit)
(note: includes copies of figures from Chap. 6 of "Network Security Essentials, Applications and Standards" by William Stallings)
2/15/16

Each LAN Connects to the Internet via a Router
[Figure: two LANs, each attached to a router; the routers are joined by point-to-point links. Link types labelled: Link (LAN), Link (P-P), Link (P-P), Link (LAN)]

The Internet is a Router Network
In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to an Algorithm in the Router).
[Figure: routers 1 through 7 interconnecting stations A to E (a Station on a LAN, a Token Ring, an E'net); the IP path from A to D passes through several routers. Legend: a Local Connection versus a Router Trunk or Long-Haul link]

Optimal Paths From Router 1: OSPF Defines Router 1's Sink Tree
[Figure: the sink tree rooted at Router 1 over routers 1 through 7 and hosts A to E. Legend: A = a Host (e.g., PC, Webcam, ...), Local Connection, Backbone Connections, Router]

Interconnected ASes (Network Layer)
[Figure: three autonomous systems, AS1 (routers 1a-1d), AS2 (2a-2c) and AS3 (3a-3c). Each router runs an Intra-AS routing algorithm (OSPF) and an Inter-AS routing algorithm (BGP); both feed its Forwarding table]
The forwarding table is configured by both the intra- and inter-AS routing algorithms: Intra-AS sets entries for internal dests; Inter-AS and Intra-AS set entries for external dests. BGP decides "which Internet gateway" (1b or 1c).

Hurricane Electric Internet Services, http://bgp.he.net/
[Figure: BGP peering graph from bgp.he.net showing Hurricane Electric, Cogent Comm., Telesonera, GT-Fr., GT-U.S., Internet2 and www.sox.net]

Browser to Web Server Through a Router
[Figure: the protocol stacks of the Browser, an intermediate Router, and the Web Server (http://www.cnn.com/). The Router buffers packets that need to be forwarded (based on IP address)]
To find: the server's IP address and TCP port, and the Router's Ethernet Address.
Application Layer (HTTP): Browser and Web Server only
Transport Layer (TCP, UDP): client Port 31337, server Port 80
Network Layer (IP): client IP Address 130.207.22.5, server IP Address 64.236.16.52; the Router forwards at this layer
Data-Link Layer: Token Ring and Ethernet (E'net) links
Physical Layer: Token Ring Phys. Layer and E'net Phys. Layer

Starting a TCP Client-Server Connection
Your computer has been configured with IP addresses for:
1) Itself (143.215.25.3),
2) Local Router (143.215.25.1),
3) Domain Name Server (130.207.244.251),
4) its subnet Mask (/24 or 255.255.255.0).
The IP Broadcast Address is (IP address) bitwise-OR (~Mask): 143.215.25.1 | 0.0.0.255 = 143.215.25.255
Its Ethernet, or WiFi, MAC Address is built into the adapter.
After you type "http://www.cnn.com" into your browser, your computer has to know or discover (it assigns the client port number itself):
1) IP address of "www.cnn.com" and TCP port number (80),
2) Ethernet (MAC) address to use for the DNS server,
3) Ethernet (MAC) address to use for "www.cnn.com"

Checking, Setting the Network Configuration
~ copeland$ ifconfig en0        # Windows: use CMD, "ipconfig"
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1f:5b:ef:8a:cc
    inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect (100baseTX <full-duplex>)
    status: active

Preparations for a TCP/IP Connection
Your Host: 143.215.25.3, MAC 00:1f:5b:ef:8a:cc; DNS: 143.215.25.8; Router: 143.215.25.1; "www.cnn.com": TCP port 80
1) ARP "who has 143.215.25.8" (LAN broadcast)
2) ARP "143.215.25.8 is at 00:0f:66:c1:0f:ae"
3) DNS (UDP:53) "resolve www.cnn.com"
4) DNS "www.cnn.com IP address is 157.166.224.25"
5) ARP "who has 157.166.224.25"
6) ARP "143.215.25.1 is at 00:0f:66:c1:0f:ae"
7) TCP (SYN) to 157.166.224.25 port 80
8) TCP (SYN-ACK) from 157.166.224.25
(In the figure: Red = Ethernet Frame, Black = IP Datagram.)
You need the MAC address of the Router since CNN is off the LAN. MAC addresses are cached for 30 seconds. Each type of response might be spoofed or falsified.

Address Resolution Protocol (ARP)
ARP is a Link-Layer protocol (e.g., Ethernet, WiFi). It can be used for Network Layer protocols other than IP.
When a host needs to find the MAC Address (e.g., Ethernet, WiFi) corresponding to an IP address, it broadcasts an ARP Request (the MAC broadcast address is ff:ff:ff:ff:ff:ff). If the IP address is not local, ARP is used to find the MAC address of the Local Router (aka Gateway Router).
MAC addresses found by ARP are cached for 30 seconds, so during an IP connection there will be ARPs every 30 seconds.
ARP Response spoofing can be used to set up a Man-in-the-Middle attack. Critical IP:MAC associations (e.g., Router, DNS) can be "nailed up" by manually putting permanent lines in the ARP table.
When a host first comes online, it issues a Gratuitous ARP for its own IP address to see if there is another host using the same IP address.
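The slide's two defensive points, "nailed up" static entries and the 30-second cache lifetime, give a host a simple consistency check over the ARP replies it sees. The following is an added example written for this page (not code from the lecture or any operating system's ARP implementation): it simulates the ARP cache, refuses to overwrite static entries, and reports replies that contradict an existing mapping. The static table and the sample replies are constructed; the router IP:MAC pair reuses the values shown on the slides.

```python
from dataclasses import dataclass

ARP_CACHE_TTL = 30.0  # seconds; the ARP cache lifetime stated on the slide

# Entries an administrator "nailed up" permanently (constructed; the router
# IP:MAC pair is the one shown on the slides).
STATIC_ENTRIES = {"143.215.25.1": "00:0f:66:c1:0f:ae"}


@dataclass
class ArpReply:
    t: float    # capture timestamp (seconds)
    ip: str     # sender protocol address: "<ip> is at <mac>"
    mac: str    # sender hardware address


def check_arp_replies(replies, static=STATIC_ENTRIES, ttl=ARP_CACHE_TTL):
    """Simulate the ARP cache and return alert strings for suspicious replies.

    A reply that contradicts a static entry is flagged and ignored (static
    entries are never overwritten by ARP traffic). A dynamic mapping whose
    MAC changes before the cached entry would have expired is flagged too.
    """
    cache = {}   # ip -> (mac, time learned)
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        if r.ip in static:
            if mac != static[r.ip].lower():
                alerts.append(f"{r.t:.1f}s static conflict: {r.ip} claimed by {mac}")
            continue
        prev = cache.get(r.ip)
        if prev and prev[0] != mac and r.t - prev[1] < ttl:
            alerts.append(f"{r.t:.1f}s MAC change for {r.ip}: {prev[0]} -> {mac}")
        cache[r.ip] = (mac, r.t)
    return alerts


# Constructed sample (not a real capture): two legitimate replies, then two
# replies that contradict mappings already seen, then a consistent repeat.
SAMPLE_REPLIES = [
    ArpReply(0.0, "143.215.25.8", "00:0f:66:c1:0f:ae"),
    ArpReply(1.0, "143.215.25.1", "00:0f:66:c1:0f:ae"),
    ArpReply(5.0, "143.215.25.8", "de:ad:be:ef:00:01"),
    ArpReply(6.0, "143.215.25.1", "de:ad:be:ef:00:02"),
    ArpReply(40.0, "143.215.25.8", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for alert in check_arp_replies(SAMPLE_REPLIES):
        print(alert)
```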

WireShark Packet Capture - Browsing www.cnn.com
[Figure: Wireshark packet list of the ARP, DNS and TCP traffic]
Notes: Ethernet Addresses have the first 3 bytes (of 6) translated into the interface manufacturer's name (Apple_Computer is my PowerBook, Cisco_Linksys is the router). 192.168.1.132 is my PowerBook, 192.168.1.1 is the router, 68.87.96.3 is the DNS server, and 64.236.16.52 is www.cnn.com.
In this case, the Apple PowerBook has code that detects that the DNS IP is outside the local area network, so it ARPs for the Ethernet address of the router (192.168.1.1). It caches this address for 30 seconds, so it does not have to ARP again for the CNN IP address.
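The decision the slides walk through (compute the broadcast address from the mask, then ARP for the destination itself if it is on the LAN and for the local router otherwise, which is why the PowerBook ARPs for the router to reach the off-LAN DNS server) is worked here as an added example, not code from the lecture. The host configuration dict reuses the addresses given on the "Starting a TCP Client-Server Connection" slide.

```python
import ipaddress

# Host configuration from the slide (constructed into a dict for the example).
HOST_CONFIG = {
    "ip": "143.215.25.3",
    "mask": "255.255.255.0",    # /24
    "router": "143.215.25.1",
    "dns": "130.207.244.251",
}


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def broadcast_address(ip: str, mask: str) -> str:
    """(IP address) bitwise-OR (~Mask), as the slide defines it."""
    inverted_mask = ~_as_int(mask) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(_as_int(ip) | inverted_mask))


def on_local_subnet(ip: str, dest: str, mask: str) -> bool:
    """True when dest has the same network prefix as the host (AND with mask)."""
    m = _as_int(mask)
    return (_as_int(ip) & m) == (_as_int(dest) & m)


def arp_target(config: dict, dest: str) -> str:
    """IP whose MAC address the host must resolve with ARP to reach dest.

    A destination on the LAN is ARPed for directly; anything off the LAN is
    handed to the local router, so the router's MAC goes in the Ethernet frame.
    """
    if on_local_subnet(config["ip"], dest, config["mask"]):
        return dest
    return config["router"]


def connection_plan(config: dict, server_ip: str) -> list:
    """ARP lookups needed before the TCP SYN, in order: DNS first, then server."""
    return [("DNS", arp_target(config, config["dns"])),
            ("server", arp_target(config, server_ip))]
```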

For information on installing "Wireshark" and other Network Utility Programs, go to:
www.csc.gatech.edu/copeland/jac/6612/info-links.html
http://www.csc.gatech.edu/copeland/jac/6612/tool-links.html
You will find information on Wireshark filters, and an input file, capture-example.cap, in:
http://www.csc.gatech.edu/copeland/jac/6612/info/

Internet Layer Security (IPsec)
Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997:
The Internet Engineering Task Force (IETF) Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).
• The objective of IPsec is to make available cryptographic security mechanisms to users who desire security.
• The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
• They should be algorithm-independent, in that the cryptographic algorithms can be altered.
• They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.

IPsec Authentication Header (AH)
[Figure: AH in Transport Mode directly between A (Alice) and B (Bob), and in Tunnel Mode from A to Rb, the gateway router in front of B]

Encapsulated Secure Payload (ESP)
Transport Level Security (not TLS = Transport Layer Sec.)
[Figure: ESP packet layout]

Virtual Private Network (VPN)
IPsec ESP - Tunnel Mode
[Figure: a VPN built from IPsec ESP in Tunnel Mode between two sites]

Security Associations
Transport: Host-Host
Tunnel: Gateway-Gateway (Routers)
[Figure: the two kinds of Security Association, a host-to-host transport-mode SA and a gateway-to-gateway tunnel-mode SA]

Internet Layer Security (IPsec): packet formats (Rb is the Gateway Router to B)
Normal Internet Protocol (IP):
  IP Header, A to B | TCP Header | Application Header | Data
IPsec Authentication Header (AH) - Transport Mode:
  IP Header, A to B | AH | TCP Header | Application Header | Data   (Authenticated)
IPsec Authentication Header (AH) - Tunnel Mode:
  IP Hdr, A to Rb | AH | IP Hdr, A to B | TCP Hdr | Application Header | Data   (Authenticated)
IPsec Encapsulated Secure Payload (ESP):
  IP Header, A to Rb | ESP Header | TCP Header | Application Header | Data   (Encrypted after the ESP Header)
IPsec Encapsulated Secure Payload (ESP) with AH:
  IP Header, A to Rb | AH | ESP Header | TCP Header | Application Hdr | Data   (Encrypted after the ESP Header, Authenticated)
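The AH transport-mode layout above (IP Header | AH | TCP Header | ...) is "Authenticated" including the IP header itself, which is what distinguishes AH from ESP. The added example below, written for this page and not taken from the slides or from any IPsec implementation, builds such a packet and computes the AH integrity check value (ICV) the way RFC 4302 specifies: HMAC-SHA1-96 over the IP header with its mutable fields (ToS, flags/fragment offset, TTL, header checksum) zeroed, the AH with a zeroed ICV field, and the payload. The key, SPI, addresses and payload are constructed, the IP header checksum is left at zero, and the payload is a placeholder for the TCP segment.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51           # IP protocol number for AH
NEXT_HDR_TCP = 6        # AH's Next Header field: a TCP segment follows the AH
ICV_LEN = 12            # HMAC-SHA1-96 keeps the first 96 bits of the HMAC
AH_LEN = 12 + ICV_LEN   # fixed AH fields + ICV = 24 bytes


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # ver/IHL, ToS, total length, ID, flags+frag, TTL, proto, checksum, src, dst
    # (header checksum left 0 for brevity; it is mutable and excluded from the ICV)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields before the ICV is computed or checked."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # ToS (DSCP/ECN)
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL, decremented by every router on the path
    h[10:12] = b"\x00\x00"    # header checksum, recomputed with the TTL
    return bytes(h)


def ah_header(spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len = AH length in 32-bit words minus 2 -> 24/4 - 2 = 4
    return struct.pack("!BBHII", NEXT_HDR_TCP, AH_LEN // 4 - 2, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    data = zero_mutable(ip_hdr) + ah_no_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, payload: bytes,
                    spi: int = 0x1000, seq: int = 1, ttl: int = 64) -> bytes:
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    ah_no_icv = ah_header(spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(key, ip_hdr, ah_no_icv, payload)
    return ip_hdr + ah_header(spi, seq, icv) + payload


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    ah_no_icv = ah[:12] + b"\x00" * ICV_LEN
    expected = compute_icv(key, ip_hdr, ah_no_icv, payload)
    return hmac.compare_digest(expected, ah[12:])
```

A packet whose TTL was decremented in transit still verifies, while a change to a source address or to the payload does not, which is exactly the coverage the "Authenticated" bracket on the slide denotes.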