Escolar Documentos
Profissional Documentos
Cultura Documentos
Computer Networks
Guy Leduc
Mainly based on
Network Security - PRIVATE
Communication in a PUBLIC World
C. Kaufman, R. Pearlman, M. Speciner
Pearson Education, 2002.
(chapters 17 and 18)
Chapter 5:
Network Layer Security
5: Securing IP
5-1
5: Securing IP
5-2
Chapter Roadmap
Security in the network layer
IPsec - The big picture
IPsec protocols: AH and ESP
IPsec Key Exchange protocol: IKE
5: Securing IP
5-3
FTP
SMTP
TCP / UDP
IP / IPsec
HTTP
FTP
SMTP
SSL / TLS
TCP
IP
IPsec protects the whole IP payload, including transport headers (e.g. port #)
IPsec is from network entity to network entity, not from application process
to application process
Does work with UDP, and any other protocol above IP (e.g., ICMP, OSPF)
Traffic analysis is thus more difficult (could be web, email, )
Blanket coverage
5: Securing IP
5-4
security
5: Securing IP
5-5
Secure
payloa
d
router w/
IPv4 and IPsec
IPsec
heade
r
IP er
ad
he
pa
ylo
ad
e
cur
Se load
y
pa
router w/
IPv4 and IPsec
laptop
w/ IPsec
salesperson
in hotel
ec
IPs der
a
he
IP
heade
r
IPsec
heade
r
IP r
e
ad
he
Secu
re
paylo
ad
public
Internet
I
he P
ad
er
ad
ylo
pa
headquarters
From Computer Networking, by Kurose&Ross
branch office
5: Securing IP
5-6
3 functional areas:
confidentiality
key management
5: Securing IP
5-7
IP Security Overview
In 1994, the Internet Architecture Board (IAB) issued a
5-8
Benefits of IPsec
When IPsec is implemented in a firewall or router, it
5: Securing IP
5-9
5: Securing IP
5-10
Chapter Roadmap
Security in the network layer
IPsec - The big picture
IPsec protocols: AH and ESP
IPsec Key Exchange protocol: IKE
IPsec
IPsec
end-system
Protects upper level protocols
5: Securing IP
5-11
5: Securing IP
5-12
IPsec
IPsec
IPsec
IPsec
5: Securing IP
5-13
5: Securing IP
5-14
Host mode
with ESP
Tunnel mode
with AH
Tunnel mode
with ESP
5-15
IP Security Overview
IPsec enables a system to
select security protocols,
determine the algorithm(s) to use, and
put in place any cryptographic keys required
IPsec services and their support by AH and ESP
AH
Access Control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
Confidentiality
Limited traffic flow confidentiality
From Computer Networking, by Kurose&Ross
x
x
x
x
ESP
ESP
encryption only encryption+authentication
x
x
x
x
x
x
x
x
x
x
5: Securing IP
5-16
5: Securing IP
5-17
The same SPI can be assigned to both an ESP SA and an AH SA, so this
security protocol identifier is needed to remove ambiguity
For multicast, the SPI is chosen by the source, so the destination
address field is also needed to remove ambiguity
fields
5: Securing IP
5-18
Example SA from R1 to R2
Internet
headquarters
200.168.1.100
R1
172.16.1/24
branch office
193.68.2.23
security association
R2
172.16.2/24
5: Securing IP
5-19
5: Securing IP
5-20
10
IPsec datagram
Focus for now on tunnel mode with ESP
enchilada authenticated
encrypted
new IP
header
ESP
hdr
SPI
original
IP hdr
Original IP
datagram payload
Seq
#
padding
ESP
trl
ESP
auth
pad
next
length header
5: Securing IP
5-21
What happens?
Internet
headquarters
200.168.1.100
R1
branch office
193.68.2.23
security association
172.16.1/24
R2
172.16.2/24
enchilada authenticated
encrypted
new IP
header
ESP
hdr
SPI
original
IP hdr
Seq
#
Original IP
datagram payload
padding
ESP
trl
ESP
auth
pad
next
length header
5: Securing IP
5-22
11
5: Securing IP
5-23
ESP
hdr
SPI
original
IP hdr
Seq
#
Original IP
datagram payload
padding
ESP
trl
ESP
auth
pad
next
length header
ESP header:
5: Securing IP
5-24
12
Goal:
Prevent attacker from sniffing and replaying a packet
Receipt of duplicate, authenticated IP packets may disrupt
service
Method:
Destination checks for duplicates
But doesnt keep track of ALL received packets; instead uses
a window
5: Securing IP
5-25
#3
#2
R2
#1
#2
#2
#2
#2
#4
#2
#1
Packet #3 lost,
no problem
5: Securing IP
5-26
13
#3
#2
R2
#1
Network
may change the
packet order
#4
#1
#3
#2
Packet #1
out of sequence.
If in window: OK,
otherwise: drop & log
From Computer Networking, by Kurose&Ross
5: Securing IP
5-27
to process datagram
When IPsec datagram arrives to R2, R2 examines SPI in IPsec
datagram, indexes SAD with SPI, and processes datagram
accordingly
Parameters associated with each SA:
5: Securing IP
5-28
14
5: Securing IP
5-29
5: Securing IP
5-30
15
Chapter Roadmap
Security in the network layer
IPsec - The big picture
IPsec protocols: AH and ESP
IPsec Key Exchange protocol: IKE
5: Securing IP
5-31
5: Securing IP
5-32
16
AH - Transport Mode
Original IP datagram
Original
IP header
secret key
Non mutable
fields only
Parts
of
Original
Auth. header
IP header
AH
but PT = 51
Authenticated IP datagram
5-33
AH - Tunnel Mode
Original IP datagram
New IP
header
built by
tunnel end
Original
IP header
secret key
Parts
of
New IP
header
Auth. header
AH
Original
IP header
Authenticated IP datagram
5: Securing IP
5-34
17
IPsec AH Header
0
1
2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header
| Payload Len |
RESERVED
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Security Parameters Index (SPI)
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Sequence Number Field
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
+
Authentication Data (variable)
|
|
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5-35
Encryption algorithm
(e.g. DES with CBC)
Original
IP header
but PT = 50
ESP trailer
(padding)
secret key
5: Securing IP
5-36
18
built by
tunnel end
IP header
ESP trailer
(padding)
secret key
Encryption algorithm
(e.g. DES with CBC)
new IP
header
ESP header
IP header
5: Securing IP
5-37
ESP trailer
Encrypted part
ESP header
ESP
authentication
Authenticated part
From Computer Networking, by Kurose&Ross
5: Securing IP
5-38
19
ESP trailer
Encrypted part
ESP header
ESP
authentication
Authenticated part
5: Securing IP
5-39
---^Auth.
|Cov|erage
| ---|
^
|
|
|Conf.
|Cov|erage*
|
|
v
v
------
5: Securing IP
5-40
20
does not authenticate the non mutable parts of the IP header (in
transport mode) or new IP header (in tunnel mode)
applies encryption before authentication
5: Securing IP
5-41
Do we need AH?
We clearly need ESP for encryption, but do we need
AH?
AH protects the IP header itself. But does IP header
protection matter?
5: Securing IP
5-42
21
IP
IP
UDP
TCP
User
Data
Encrypted Data
HASH
Payload
5: Securing IP
5-43
TOS / DSCP
new IP
header
IP payload
ESP header
IP header
IP payload
5: Securing IP
5-44
22
Chapter Roadmap
Security in the network layer
IPsec - The big picture
IPsec protocols: AH and ESP
IPsec Key Exchange protocol: IKE
5: Securing IP
5-45
100s of endpoints
IPsec IKE (Internet Key Exchange)
Instead use
5: Securing IP
5-46
23
and certificate:
run IKE to authenticate each other and obtain IPsec SAs (one
in each direction)
Similar with handshake in SSL
5: Securing IP
5-47
Result: one shared key used in (possibly many instances of) phase 2
More precisely, 3 keys are derived from this one (one for IKE encryption,
one for IKE authentication, and one for phase 2)
5: Securing IP
5-48
24
c1
Gets it
only if
initial IP
address
was not
spoofed
c2, c1
DHparam, c2
Check c2,
if OK
starts DH
5: Securing IP
5-49
c1
c2, c1
DHparam, c2
So, cookies must depend on (i.e. be a hash of) the specific parties
5: Securing IP
5-50
25
Then
Also, the fact that YA and YB are permanent makes them more
5: Securing IP
5-51
Then they can use this secret to prove it was they who generated
their DH values
Several solutions:
5: Securing IP
5-52
26
attack
After all, one party could have generated the secret key and sent it
encrypted with the other partys public key!
With DH, both parties contribute to the shared secret/key. So it
will be random if either side has a good random number generator.
5: Securing IP
5-53
27
proof Im A
Note: in both modes (main and aggressive), nonces are added to messages.
Take-it-or-leave-it negotiation.
In particular, A chooses a (g,p) pair.
The DH shared key is then computed from the DH values AND the nonces
For example: KAB = hash (nonces, standard DH key)
This allows IKE to reuse the same DH values in successive runs and still
generate different shared keys
5: Securing IP
5-55
5: Securing IP
5-56
28
certificates
5: Securing IP
5-57
Certificates
peer name
peer public key
expiration date
other info
signature
by the CA
5: Securing IP
5-58
29
3. peers certificate
signed by CA
2. peer transmits
4. peer fetches
its public key
its certificate
5: Securing IP
5-59
List)
CRL
List of revoked certificates signed by CA
Stored on CA or directory service
No requirement on devices to ensure CRL is current
From Computer Networking, by Kurose&Ross
5: Securing IP
5-60
30
5: Securing IP
5-61
IPsec: summary
IKE used to establish shared
destination handshake:
shortcomings
IPsec departs from the
pure connectionless
paradigm
IPsec interferes with
NAT boxes
IPsec only authenticates a
host, not a user
IPsec is complex: more
than a dozen RFCs
5: Securing IP
5-62
31