IP Security. Behzad Akbari, Fall 2009. In the Name of the Most High.

Outline
- Need for Internet Security
- Internetworking and Internet Protocols (Appendix 6A)
- IP Security Overview
- IP Security Architecture
- Authentication Header
- Encapsulating Security Payload
- Combinations of Security Associations
- Key Management

Need for Internet Security
- Based on public-domain standards: potential intruders know how things work
- The Internet is ever more pervasive: no need for specialist tools to get access
- Applications (e.g. web servers and browsers) are extensible: now used for much more than the protocol designers originally envisaged
- TCP/IP weaknesses: e.g. it is easy to masquerade as someone else

Why secure at the IP layer?
- Security can be put in place once, in a consistent manner, for multiple applications
- All applications are secured, without the need for the user to be involved
- Central management of security, including access policy, keys, algorithms, etc.

Secured IP (figure): a secured IP layer sits beneath diverse applications (Web, games, DB queries, FTP, SNMP, IM) and transports (TCP, UDP, other), so its protection is independent of applications and transport.

Internet Protocols
- The Internet Protocol (IP) provides functionality for interconnecting end systems across multiple networks
- Two versions: IPv4 and IPv6
- Routers provide connections between networks
- Data is encapsulated in an IP Protocol Data Unit (PDU) for transmission

Uses of IPsec
- Virtual Private Network (VPN) establishment: connecting remote offices and users over the public Internet
- Low-cost remote access: e.g. a teleworker gains secure access to the company network via a local call to an ISP
- Extranet connectivity: secure communication with partners, suppliers, etc.

OSI 7 Layer Model
7 Application: HTTP, SMTP, SNMP, FTP, Telnet, SIP, SSH, NFS, Whois
6 Presentation: XDR, ASN.1, SMB, AFP, NCP
5 Session: ASAP, TLS, SSH, RPC, NetBIOS, ASP, Winsock, BSD sockets
4 Transport: TCP, UDP, RTP, SCTP, SPX, ATP
3 Network: IP, ICMP, IPX, BGP, OSPF, RIP, ARP, X.25
2 Data Link: Ethernet, Token Ring, HDLC, Frame Relay, ISDN, ATM, WiFi, FDDI, PPP
1 Physical: wire, radio, fiber optic

5 Layer Internet Protocol Model
1. Physical
2. Network Interface (like Data Link): Logical Link Control (LLC), Media Access Control (MAC)
3. Internet: IP
4. Transport: TCP, UDP
5. Application

TCP/IP Example

IP Security Overview
- Application-specific security mechanisms: S/MIME, PGP (e-mail); Kerberos (client-server); Secure Sockets (web access)
- IP-level security (IPsec) provides:
  - Authentication: the packet was received unaltered from the source named in the header
  - Confidentiality: encryption to prevent eavesdropping
  - Key management: secure exchange of keys

IP Security Overview IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

IP Security Overview: applications of IPsec
- Secure branch office connectivity over the Internet
- Secure remote access over the Internet
- Establishing extranet and intranet connectivity with partners
- Enhancing electronic commerce security

IP Security Scenario

IP Security Overview: benefits of IPsec
- Transparent to applications (it sits below the transport layer: TCP, UDP)
- Provides security for individual users
IPsec can assure that:
- A router or neighbor advertisement comes from an authorized router
- A redirect message comes from the router to which the initial packet was sent
- A routing update is not forged

IP Security Architecture: IPsec documents
- RFC 2401: An overview of security architecture
- RFC 2402: Description of a packet encryption extension to IPv4 and IPv6
- RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
- RFC 2408: Specification of key management capabilities

IPsec Architecture: two alternative protocols
- Authentication Header (AH): provides authentication but not confidentiality. Adds an extra field to the traditional IP packet, used to verify the authenticity of the packet.
- Encapsulating Security Payload (ESP): provides packet encryption and, optionally, authentication. The content of the IP packet is encrypted and encapsulated between header and trailer fields.

IPSec Document Overview

IPsec Services
IPsec provides security services at the IP layer by enabling a system to select the required protocols, determine the algorithm(s) to use, and put in place the cryptographic keys. Two protocols are needed:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

IPsec Services
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality (encryption)
- Limited traffic flow confidentiality

Security Association (SA)
- In order to communicate, each pair of hosts must set up an SA with each other
- Acts as a virtual connection for which various parameters are set: type of protection, algorithms, keys, ...
- Specifies a one-way relationship
- For either AH or ESP, but not both

Security Associations (SA)
A one-way relationship between a sender and a receiver, identified by three parameters:
- Security Parameter Index (SPI)
- IP destination address
- Security protocol identifier

Security Association (SA)
Each SA is uniquely identified by:
- Security Parameters Index (SPI): a 32-bit string assigned to this SA (local meaning only)
- IP destination address of the packets: may be an end-user system, or a firewall or router
- Choice of AH or ESP
For each IP packet, the governing SA is identified by:
- The destination IP address in the packet header
- The SPI in the extension header (AH or ESP)

Before applying AH

IPsec modes: Transport Mode
- Protects the payload only, i.e. the original data and upper-level protocols
- Typically used for end-to-end communication

Transport Mode Security

Transport Mode (AH Authentication)

IPsec modes: Tunnel Mode
- Protects the entire IP packet, including the IP header
- Typically used for connecting secure gateways (firewalls or routers that implement IPsec)
- Hosts don't need to be IPsec-enabled

Tunnel Mode Security

Tunnel Mode (AH Authentication)

Authentication Header (AH) (figure)
- Adds an extra field to the traditional IP packet; this is used to verify the authenticity and integrity of the packet
- Transport mode: the data is authenticated, as well as parts of the IP header (authenticated: data + parts of IP header)
- Tunnel mode: the entire original packet is authenticated, plus parts of the new header (authenticated: data + original IP header + parts of new header)

Authentication Header
- Provides support for data integrity and authentication (MAC code) of IP packets
- Guards against replay attacks
- Parties share a secret key, K

Authentication Header (AH)
- Protection against replay attacks through a sequence number
Why have an authentication-only protocol (AH)?
- May be used where the export/import/use of encryption is restricted
- Faster implementation
- The receiver can choose whether to expend the effort to verify authenticity/integrity
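Added example, not from the original slides: a receiver-side model in Python of the AH transport-mode processing the last few slides describe, i.e. looking up the SA by (destination address, SPI, protocol), checking the sequence number against a sliding anti-replay window, and verifying an HMAC-SHA-1-96 ICV computed with the mutable IPv4 fields zeroed. All keys, SPIs, addresses and packet contents are constructed demo values; the window size, the simplified IPv4 header (no options, checksum left at zero) and the function names are my assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo constants; only AH_PROTO and ICV_LEN are protocol facts.
AH_PROTO = 51                 # IP protocol number carried by an AH packet
IP_HDR = '!BBHHHBBH4s4s'      # IPv4 header without options
AH_HDR = '!BBHII'             # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12                  # HMAC-SHA-1-96: the SHA-1 HMAC truncated to 96 bits


class SecurityAssociation:
    """Receiver-side SA state: the shared key plus the anti-replay window."""

    def __init__(self, key, window_size=64):
        self.key = key
        self.window_size = window_size
        self.mask = (1 << window_size) - 1
        self.highest = 0          # highest sequence number accepted so far
        self.window = 0           # bit i set => sequence number (highest - i) already seen

    def replay_check(self, seq):
        """Preliminary check: is seq new and inside the window? Changes no state."""
        if seq == 0:
            return False          # the first packet on an SA carries sequence number 1
        if seq > self.highest:
            return True
        offset = self.highest - seq
        # offset >= window_size means the packet is older than the window: treated as replay
        return offset < self.window_size and not (self.window >> offset) & 1

    def replay_update(self, seq):
        """Mark seq as seen. Only called after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.window = 0 if shift >= self.window_size else (self.window << shift) & self.mask
            self.window |= 1
            self.highest = seq
        else:
            self.window |= 1 << (self.highest - seq)


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ipv4_header(src, dst, payload_len, proto, ttl=64):
    # Header checksum left at 0: it is mutable and zeroed for the ICV anyway (assumption).
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """Zero the fields a router may change in flight: TOS, flags/fragment offset, TTL, checksum."""
    f = list(struct.unpack(IP_HDR, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_HDR, *f)


def build_ah_transport(key, src, dst, spi, seq, next_header, payload):
    ah_len = struct.calcsize(AH_HDR) + ICV_LEN            # 24 bytes
    ip_hdr = ipv4_header(src, dst, ah_len + len(payload), AH_PROTO)
    ah_hdr = struct.pack(AH_HDR, next_header, ah_len // 4 - 2, 0, spi, seq)
    # The ICV covers the immutable IP header fields, the AH header (ICV field zeroed) and the payload.
    tag = icv(key, zero_mutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_hdr + tag + payload


def receive_ah_transport(sad, packet):
    """Return (accepted, reason, payload) after SA lookup, replay check and ICV verification."""
    ip_hdr, rest = packet[:20], packet[20:]
    fields = struct.unpack(IP_HDR, ip_hdr)
    dst, proto = str(ipaddress.IPv4Address(fields[9])), fields[6]
    next_header, payload_len, _, spi, seq = struct.unpack(AH_HDR, rest[:12])
    sa = sad.get((dst, spi, proto))           # the three SA selectors from the slides
    if sa is None:
        return False, 'no SA', b''
    if not sa.replay_check(seq):
        return False, 'replay', b''           # cheap check first: no HMAC spent on replays
    ah_total = (payload_len + 2) * 4
    tag, payload = rest[12:ah_total], rest[ah_total:]
    expected = icv(sa.key, zero_mutable(ip_hdr) + rest[:12] + bytes(len(tag)) + payload)
    if not hmac.compare_digest(tag, expected):
        return False, 'bad ICV', b''
    sa.replay_update(seq)                     # window moves only for authenticated packets
    return True, 'ok', payload
```

A router decrementing the TTL in transit does not invalidate the ICV because TTL is zeroed on both sides before the HMAC is computed; a changed payload byte does. The preliminary window check runs before the HMAC so a flood of replayed packets costs the receiver no cryptographic work, and the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window.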

Encapsulating Security Payload (ESP) Content of IP packet is encrypted and encapsulated between header and trailer fields. Authentication data optionally added

Encapsulating Security Payload (ESP) (figure)
- Transport mode: only the data is encrypted and (optionally) authenticated
- Tunnel mode: the entire original packet is encrypted and (optionally) authenticated

ESP Format

Tunnel mode SA versus transport mode SA (table)
AH
- Transport mode SA: authenticates the IP payload and selected portions of the IP header and IPv6 extension headers
- Tunnel mode SA: authenticates the entire inner IP packet plus selected portions of the outer IP header
ESP
- Transport mode SA: encrypts the IP payload and any IPv6 extension header
- Tunnel mode SA: encrypts the inner IP packet
ESP with authentication
- Transport mode SA: encrypts the IP payload and any IPv6 extension header; authenticates the IP payload but not the IP header
- Tunnel mode SA: encrypts the inner IP packet; authenticates the inner IP packet
The main difference is that tunnel mode secures the IP header as well as the payload.

End-to-end versus End-to-Intermediate Authentication

Encapsulating Security Payload ESP provides confidentiality services

Encryption and Authentication Algorithms
Encryption:
- Three-key triple DES
- RC5
- IDEA
- Three-key triple IDEA
- CAST
- Blowfish
Authentication:
- HMAC-MD5-96
- HMAC-SHA-1-96
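Added example (not part of the original slides) of the ESP format from the preceding slides, in Python: the SPI/sequence header, the padding and trailer (pad length, next header) that carry the transport/tunnel distinction, and the optional HMAC-SHA-1-96 ICV over SPI, sequence number and ciphertext but not the outer IP header. Encryption is the NULL transform (RFC 2410) so the framing stays visible; a real SA substitutes one of the ciphers listed above, and the pad alignment then becomes that cipher's block size (the `align` parameter). Keys, SPIs and packet contents are constructed demo values, and the function names are assumptions.

```python
import hashlib
import hmac
import struct

ESP_HDR = '!II'         # SPI, sequence number
ICV_LEN = 12            # HMAC-SHA-1-96
NEXT_UDP = 17           # transport mode: the protected payload is a UDP segment
NEXT_IPV4 = 4           # tunnel mode: the protected payload is a whole inner IPv4 packet


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def null_encrypt(data):
    """ESP_NULL: identity transform, used here so the framing is visible.
    A real SA swaps in a cipher from the slide; the framing does not change."""
    return data


null_decrypt = null_encrypt


def esp_pad(payload, align):
    """Pad so that payload + padding + 2 trailer bytes is a multiple of `align`
    (4 for ESP_NULL, the block size for a block cipher). Pad bytes are 1, 2, 3, ..."""
    pad_len = (-(len(payload) + 2)) % align
    return bytes(range(1, pad_len + 1)), pad_len


def build_esp(auth_key, spi, seq, next_header, payload, align=4):
    padding, pad_len = esp_pad(payload, align)
    trailer = struct.pack('!BB', pad_len, next_header)
    body = null_encrypt(payload + padding + trailer)      # everything after seq is confidential
    hdr = struct.pack(ESP_HDR, spi, seq)
    # ICV over SPI + seq + ciphertext; the outer IP header is outside ESP's protection.
    return hdr + body + icv(auth_key, hdr + body)


def parse_esp(auth_key, packet):
    """Return (spi, seq, next_header, payload); raise ValueError on ICV or padding failure."""
    hdr, body, tag = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(auth_key, hdr + body)):
        raise ValueError('ESP ICV mismatch')              # authenticate before decrypting
    spi, seq = struct.unpack(ESP_HDR, hdr)
    plain = null_decrypt(body)
    pad_len, next_header = struct.unpack('!BB', plain[-2:])
    payload = plain[:len(plain) - 2 - pad_len]
    if plain[len(payload):-2] != bytes(range(1, pad_len + 1)):
        raise ValueError('bad ESP padding')
    return spi, seq, next_header, payload


def esp_mode(next_header):
    """The trailer's next-header value is what tells the two modes apart."""
    return 'tunnel' if next_header == NEXT_IPV4 else 'transport'


if __name__ == '__main__':
    key = b'constructed-auth-key'
    # Constructed inner IPv4 packet (20-byte header + 9-byte payload) for tunnel mode.
    inner = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 29, 1, 0, 64, 17, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b'inner-udp'
    for nh, data in ((NEXT_UDP, b'udp-segment'), (NEXT_IPV4, inner)):
        spi, seq, next_header, payload = parse_esp(key, build_esp(key, 0x2001, 1, nh, data))
        print(esp_mode(next_header), len(payload), 'bytes recovered')
```

Verifying the ICV before touching the decrypted trailer is the order a receiver must use: with the ICV present, a tampered packet is rejected before any padding or length field derived from attacker-controlled bytes is interpreted.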

ESP Encryption and Authentication

Combinations of Security Associations

Key Management: two types
- Manual
- Automated: the Oakley Key Determination Protocol (a refinement of the Diffie-Hellman exchange algorithm) and the Internet Security Association and Key Management Protocol (ISAKMP)

Key Management in IPsec: generation and distribution of secret keys
- Manual: the system admin configures keys (doesn't scale well)
- Automated:
  - Oakley Key Determination Protocol, based on Diffie-Hellman
  - ISAKMP and IKE: Internet Security Association and Key Management Protocol and Internet Key Exchange
  - The default is referred to as ISAKMP/Oakley

Oakley
- Key determination protocol, based on the Diffie-Hellman algorithm with added security
- Secret keys are created only when needed
- Key exchange requires no pre-existing structure, only an agreement on global parameters
- Three authentication methods: digital signatures, public-key encryption, symmetric-key encryption

Oakley Algorithm Characteristics
- Uses a method known as cookies to thwart clogging attacks (see next slide)
- Enables two parties to negotiate a group
- Uses nonces to ensure against replay attacks
- Enables the exchange of Diffie-Hellman public key values
- Authenticates the Diffie-Hellman exchange to thwart "man-in-the-middle" attacks

Clogging Attacks
An opponent forges the source address of a legitimate user and sends a public key to the victim. The victim computes the secret key. Repeated messages can clog the victim's system with useless work. The cookie exchange requires that each side send a pseudorandom number (cookie) in the initial message, which the other side acknowledges and repeats in the first message of the Diffie-Hellman key exchange. If the source address was forged, the opponent gets no answer.
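Added example (not from the original slides) of the cookie exchange just described, in Python: the responder answers message 1 with a cookie sent to the claimed source address and performs no Diffie-Hellman computation until message 3 returns that cookie, so a forged source never makes the responder do the expensive work. The stateless cookie derivation (an HMAC over the peer address under a local secret, so the responder stores nothing per request) and the toy Diffie-Hellman parameters are my choices for illustration; the class and function names, addresses and message layout are assumptions.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman parameters, constructed for illustration only.
# A real exchange uses a standard group; this prime is far too small for real use.
P = 2 ** 127 - 1
G = 5
COOKIE_LEN = 8


def random_exponent():
    return int.from_bytes(os.urandom(16), 'big') % (P - 2) + 2


class Responder:
    """Does Diffie-Hellman work only after the initiator echoes a cookie
    that could only have been delivered to the claimed source address."""

    def __init__(self):
        self.secret = os.urandom(32)          # local secret; cookies are derived from it, not stored
        self.private = random_exponent()
        self.dh_computations = 0              # counts the expensive modular exponentiations

    def cookie_for(self, peer_addr, cky_i):
        # Stateless cookie: HMAC over the claimed address and the initiator's cookie.
        mac = hmac.new(self.secret, peer_addr.encode() + cky_i, hashlib.sha256)
        return mac.digest()[:COOKIE_LEN]

    def handle_msg1(self, src_addr, cky_i):
        """Message 1 carries CKY-I. Reply (CKY-I, CKY-R) goes to the *claimed* source.
        No state kept, no Diffie-Hellman performed."""
        return cky_i, self.cookie_for(src_addr, cky_i)

    def handle_msg3(self, src_addr, cky_i, cky_r, peer_public):
        """Message 3 carries both cookies and the initiator's DH public value."""
        if not hmac.compare_digest(cky_r, self.cookie_for(src_addr, cky_i)):
            return None                       # cookie never reached this sender: drop, no work spent
        self.dh_computations += 1
        my_public = pow(G, self.private, P)
        shared = pow(peer_public, self.private, P)
        return my_public, shared


class Initiator:
    def __init__(self, addr):
        self.addr = addr                      # address the initiator genuinely owns
        self.cky_i = os.urandom(COOKIE_LEN)
        self.private = random_exponent()

    def public(self):
        return pow(G, self.private, P)

    def shared(self, peer_public):
        return pow(peer_public, self.private, P)


def legitimate_exchange(resp, init):
    """The initiator owns init.addr, so the message-1 reply reaches it and
    message 3 carries the genuine CKY-R. Returns True when both sides agree on the secret."""
    cky_i, cky_r = resp.handle_msg1(init.addr, init.cky_i)
    resp_public, resp_shared = resp.handle_msg3(init.addr, cky_i, cky_r, init.public())
    return init.shared(resp_public) == resp_shared


def forged_source_requests(resp, forged_addr, attempts):
    """Models the slide's scenario from the responder's side: requests claim forged_addr,
    so the CKY-R reply is delivered there and not to the sender. Every message 3 therefore
    carries a wrong cookie. Returns how many were dropped before any DH computation."""
    dropped = 0
    for _ in range(attempts):
        cky_i = os.urandom(COOKIE_LEN)
        resp.handle_msg1(forged_addr, cky_i)  # reply goes to forged_addr, never seen by the sender
        unknown_cky_r = os.urandom(COOKIE_LEN)
        if resp.handle_msg3(forged_addr, cky_i, unknown_cky_r, 2) is None:
            dropped += 1
    return dropped
```

The responder's only per-request cost before the cookie check is one HMAC, which is cheap compared with the modular exponentiations, and because the cookie is recomputed rather than stored, a flood of message 1s does not exhaust memory either. The `dh_computations` counter makes the effect measurable: it advances once for the genuine exchange and not at all for the forged requests.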

ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP):
- Provides a framework for key management and specific protocol support
- Defines procedures and packet formats to establish, modify and delete security associations
- Provides a consistent framework, independent of the key exchange protocol, encryption algorithm and authentication mechanism

ISAKMP

IPsec Benefits
- Provides a level of security for all applications; allows deployment of new/emerging applications that may not have their own security
- Transparent to the transport layer
- Transparent to end-users: no need for training, key issue, key revocation, etc.
- Can be provided to individual users where needed (e.g. off-site workers)
- Extensible to new, stronger cryptographic methods as these become available

IPsec Drawbacks
- Processing performance overhead: protection is applied to all traffic, though only a small portion may be security-sensitive
- Blocks access to non-IPsec hosts
- Hosts must have a security association: not great for short-lived connections
- The requirement for pair-wise SAs limits usefulness for arbitrary Internet-based transactions
- Not practical for broadcast

Note on the VPN concept: Private Network
- A set of computers connected together and protected from the Internet (usually with a firewall)
- Traditionally made up of LAN(s) within individual locations. If needed, a wide area (e.g. inter-branch) connection is made by secure leased telecommunications lines.

Virtual Private Networks (a) A leased-line private network. (b) A virtual private network.

Recommended Reading
- Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentice Hall, 1995.
- Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994.