1 IPsec Youngjip Kim

2 Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access control  connectionless integrity  data origin authentication  protection against replays  Confidentiality  Limited traffic flow confidentiality

3 Implementation Points Implemented between IP layer and other upper later Implemented in a host or a security gateway (router or firewall)  Integration of IPsec into the native IP implementation  Bump-in-the-stack (BITS)  Bump-in-the-wire (BITW)

4 IPsec Scenario

5 Components Policy  Security Policy Database (SPD)  Security Association (SA)  Security Association Database (SAD) Protocol  IP Authentication Header (AH)  Encapsulating Security Payload (ESP)  Internet Key Exchange (IKE)

6 SPD (1/3) Contains policy entries  processing type, selectors, SA specification Specified for inbound and outbound traffic Consulted during the processing of all traffic, including non-IPsec traffic Three processing choices  Discard, bypass IPsec or apply IPsec

7 SPD (2/3) Selectors  Destination IP Address(es)  Source IP Address(es)  Name (User ID or System name)  Data sensitivity level  Transport Layer Protocol  Source and Destination Ports  IPv6 Class  IPv6 Flow Label  IPv4 Type of Service

8 SPD (3/3) SA specification  IPsec protocol (AH, ESP)  Modes (Transport, Tunnel)  Algorithms (Encryption algorithms, Authentication algorithms)

9 SA A one-way relationship between sender an d receiver that affords security for traffic fl ow Defined by 3 parameters:  Security Parameters Index (SPI)  IP Destination Address (Endpoints of the SA)  Security Protocol Identifier Has a number of other parameters  SEQ no, AH & EH info, lifetime etc Have a database of Security Associations Manual and Automated Techniques

10 SAD Each entry defines the parameters associated with one SA  Sequence Number Counter  Anti_replay window  AH Authentication algorithm, keys  ESP Encryption algorithm, keys  ESP Authentication algorithm, keys  Lifetime of SA  IPsec Protocol Mode

11 AH (1/3) Provides connectionless integrity, data origin authentication and optional anti- replay service

12 AH (2/3) Autentication Data  Integrity Check Value  Authentication algorithm HMAC-MD5-96, HMAC-SHA-1-96  Input of authentication algorithm IP header fields except mutable and unpredictable fields  E.g. TOS, Flags, Fragment Offset, TTL and Header Checksum are mutable in the case of IPv4 AH header (Authentication Data field is set to zero) Entire upper-level protocol data (immutable). Padding

13 AH (3/3) Transport and Tunnel Modes

14 ESP (1/4) Provides confidentiality and limited traffic flow confidentiality Provides connectionless integrity, data origin authentication and optional anti- replay service

15 ESP (2/4) Encryption  Payload Data, Padding, Pad Length and Next Header are encrypted  Payload Data Transport mode : original upper lay protocol information Tunnel mode : entire original IP datagram  Padding may be used to provide partial traffic flow confidentiality  Algorithm 3DES, RC5, IDEA, 3IDEA, CAST, Blowfish, etc.

16 ESP (3/4) Authentication  ICV computed over the ESP packet minus the Authentication Data  Length of the ICV must be specified by authentication algorithm specification  Algorithm HMAC-MD5-96, MHAC-SHA-1-96, etc.  Can’t protect IP header in transport mode

17 ESP (4/4) Transport and Tunnel Modes

18 Anti-replay Service (AH, ESP)

19 Fragmentation (AH, ESP) Inbound  Before AH or ESP processing, fragments must be resembled Outbound  Transport mode : Before AH or ESP processing, fragments must be resembled  Tunnel mode : AH or ESP processing is applied to a fragmented IP packet

20 Combining Security Associations

21 IKE ISAKMP/Oakley  ISAKMP : Framework for authentication and key exchange  Oakley : key exchange protocol based on the Diffie-Hellman algorithm General purpose key exchange protocol  Generates SAs, refresh them and delete them  Generates a symmetric key for a session  Used by not only IPsec but also other protocols who need SAs as well Does not use Public Key Infrastructure  man-in-the-middle attack is possible

22 IKE Exchanges  Phase I Establish a secure channel (ISAKMP SA) Authenticate computer identity  Phase II Establishes a secure channel between computers intended for the transmission of data (IPsec SA)

23 IKE – Phase I Authenticated with signatures  Main Mode

24 IKE – Phase I  Aggressive Mode Authenticated with public key encryption Authenticated with a revised mode of public key encryption Authenticated with a pre-shared key

25 IKE – Phase I SKEYID_d  prf(SKEYID, g^xy | CKY-I | CKY-R | 0) SKEYID_a  prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) SKEYID_e  prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

26 IKE – Phase II Quick Mode  All traffic is encrypted using the ISAKMP Security Association  Each quick mode negotiation results in two IPsec Security Associations (one inbound, one outbound)

27 IKE – Phase II KEYMAT = K1 | K2 | K3 |...  K1 = prf(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b)  K2 = prf(SKEYID_d, K1 | [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b)  K3 = prf(SKEYID_d, K2 | [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b

28 IKE2-Exchanges (1/3) IKE_SA_INIT  SKEYSEED = prf(Ni | Nr, g^ir)  {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)

29 IKE2-Exchanges (2/3) IKE_AUTH

30 IKE2-Exchanges (3/3) IKE_CHILD_SA  KEYMAT = prf+(SK_d, Ni | Nr )  KEYMAT = prf+(SK_d, g^ir | Ni | Nr )

31 Reference RFC Security Architectures for IP RFC IP Authentication Header RFC IP Encapsulating Security Payload RFC The Internet Key Exchange William Stallings, Cryptography and Network Security: Principles and Practice, 3nd ed., Prentice Hall, 2003, pp