
CSE 5/7349 – February 15th 2006


willow


  1. CSE 5/7349 – February 15th 2006 IPSec

  2. Basics • Stack Level • V4 vs V6 • Provides • Authentication • Confidentiality

  3. Architecture & Concepts • Placement • Mode • Security association (SA) • ESP • AH

  4. IPSec Placement

  5. Transport Mode Security • ESP protects higher layer payload only • AH can protect IP headers as well as higher layer payload [Diagram: packet layout IP header | IP options | IPSec header | Higher layer protocol; labels: ESP, AH, Real IP destination]

  6. Tunnel Mode Security • ESP applies only to the tunneled packet • AH can be applied to portions of the outer header [Diagram: packet layout Outer IP header | IPSec header | Inner IP header | Higher layer protocol; labels: ESP, AH, Real IP destination, Destination IPSec entity]

  7. Tunnel Mode [Diagram: packet layout New IP Header | AH or ESP Header | Orig IP Header | TCP | Data; hosts A and B connected through two gateways; labels: Encrypted Tunnel, Encrypted, Unencrypted, Unencrypted]

  8. Security Association - SA • One way relationship (uni-directional) • Determine IPSec processing for senders • Determine IPSec decoding for destination • SAs are not fixed! Generated and customized per traffic flows (manual as well as dynamic) • If manual, no lifetime; dynamic has lifetime

  9. Security Parameters Index - SPI • Can be up to 32 bits large • The SPI allows the destination to select the correct SA under which the received packet will be processed (according to the agreement with the sender) • The SPI is sent with the packet by the sender • SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SA

  10. SA Bundle • More than 1 SA can apply to a packet • Example: ESP does not authenticate new IP header. How to authenticate? • Use SA to apply ESP w/out authentication to original packet • Use 2nd SA to apply AH

  11. Authenticated Header (AH)

  12. AH Security • Connectionless integrity • Flow/error control left to transport layer • Data integrity • Authentication • Can “trust” IP address source • Use MAC to authenticate • Anti-replay feature • Integrity check value

  13. AH Header Format • Payload Length • Next Header (TCP/UDP) • Reserved • SPI • Sequence Number • Auth Data

  14. Anti-Replay • Message authentication code (MAC) calculated over • IP header fields that do not change or are predictable • IPSec protocol header minus where the ICV value goes • Upper-level data • Code may be truncated to first 96 bits

  15. Integrity Check Value - ICV • Message authentication code (MAC) calculated over • IP header fields that do not change or are predictable • IPSec protocol header minus where the ICV value goes • Upper-level data • Code may be truncated to first 96 bits

  16. AH Modes • Tunnel • Transport • Nested headers • Multiple SAs applied to same message • Nested tunnels

  17. Processing Outbound Messages • Insert Next Header and SPI field • Compute the sequence no. field • If transport mode … • If tunnel mode … • Compute authentication value

  18. Outbound Processing (cont’d) • If transport mode • If tunnel mode • Compute authentication value

  19. Outbound Processing (cont’d): Fragment the Message • IPSec processing may result in large message which will be fragmented • Transport mode • Tunnel mode

  20. Input Processing • Identify the inbound SA • Replay protection check

  21. Inbound Processing (cont’d) • Verify authentication data • Strip off the AH header and continue IPSec processing for any remaining IPSec headers

  22. Replay Protection • Sequence number checking • Anti-replay is used only if authentication is selected • Sequence number should be the first check on a packet upon looking up an SA • Duplicates are rejected! [Diagram: sliding window, size >= 32; labels: check bitmap, verify if new; verify; reject]

  23. Anti-replay Feature • Sequence number counter - 32 bit for outgoing IPSec packets • Anti-replay window

  24. Internet Key Exchange (IKE)

  25. Key Management • AH and ESP require encryption and authentication keys • Process to negotiate and establish IPSec SA’s between two entities

  26. Manual Key Management • Mandatory • Useful when IPSec developers are debugging • Keys exchanged offline (phone, email, etc.) • Set up SPI and negotiate parameters • Not scalable

  27. Oakley Key Exchange • Designed to • Leverage advantages of DH • Counter DH weaknesses

  28. Oakley - Major Features

  29. Cookies

  30. Example: Main Mode Preshared [Diagram: message exchange between Initiator (I) and Responder (R)] • SA, CKY-I / SA, CKY-R: Negotiate IKE SA parameters • NonceI, YI / NonceR, YR: Exchange items to generate secret • Generate SKEYID • IDI, HashI / IDR, HashR: Send hash digest so peer can authenticate sender

  31. Main Mode Preshared Hashes • To authenticate each other, each entity generates a hash digest that only the peer could know • Hash-I = PRF(SKEYID, YI | YR | CKY-I | CKY-R | SA Offer | ID-I) • Hash-R = PRF(SKEYID, YR | YI | CKY-R | CKY-I | SA Offer | ID-R)

  32. Phase II • What traffic does SA cover ? • Initiator specifies which entries (selectors) in SPD are for this IPSec SA, sends off to responder • Keys and SA attributes communicated with the Phase I - IKE SA • Passes encrypted & authenticated

  33. Example: Quick Mode [Diagram: message exchange between Initiator (I) and Responder (R)] • I → R: HASH1, IPSec SA, NonceI, [New K] • R → I: HASH2, SA, NonceR, [New K] • I → R: HASH3 • Negotiate IPSec SA Parameters, [PFS] • ‘Liveness’ proof for Responder
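The receiver-side replay check from slides 22 and 23, as an added example that is not part of the original slides: a 32-entry sliding window kept as a bitmap for one inbound SA. The class and function names and the arrival sequence are constructed for illustration; the window is moved only after the ICV has verified, as the AH and ESP specifications require.

```python
class ReplayWindow:
    """Anti-replay state for one inbound SA (hypothetical helper class)."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0       # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """First check after the SA lookup: is this sequence number acceptable?"""
        if seq == 0:
            return False                  # senders start counting at 1
        if seq > self.top:
            return True                   # newer than anything seen so far
        offset = self.top - seq
        if offset >= self.size:
            return False                  # older than the left edge of the window
        return not ((self.bitmap >> offset) & 1)   # bit set means duplicate

    def update(self, seq):
        """Record seq. Call only after the ICV verified, so that a forged
        packet with a huge sequence number cannot slide the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Order of checks on an inbound packet: replay check, then ICV, then update."""
    if not window.check(seq):
        return "reject-replay"
    if not icv_ok:
        return "reject-auth"
    window.update(seq)
    return "accept"


def demo():
    w = ReplayWindow()
    # Constructed arrivals: (sequence number, did the ICV verify?)
    arrivals = [(1, True), (3, True), (2, True), (3, True), (500, False),
                (40, True), (8, True), (9, True), (9, True)]
    return [receive(w, seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    print(demo())
```

After sequence number 40 is accepted the window covers 9 through 40, which is why 8 is rejected as too old while the first 9 is still accepted.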
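The Hash-I and Hash-R formulas from slide 31, as an added example that is not part of the original slides. It assumes HMAC-SHA1 as the negotiated PRF and uses the RFC 2409 pre-shared-key derivation SKEYID = prf(psk, Ni | Nr), which the slides do not spell out; every transcript value below is constructed and the function names are hypothetical.

```python
import hashlib
import hmac


def prf(key, data):
    # Assumption: the negotiated PRF is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, nonce_i, nonce_r):
    # RFC 2409 pre-shared-key case (not on the slide): SKEYID = prf(psk, Ni | Nr)
    return prf(psk, nonce_i + nonce_r)


def hash_i(skeyid, y_i, y_r, cky_i, cky_r, sa_offer, id_i):
    # Hash-I = PRF(SKEYID, YI | YR | CKY-I | CKY-R | SA Offer | ID-I)
    return prf(skeyid, y_i + y_r + cky_i + cky_r + sa_offer + id_i)


def hash_r(skeyid, y_i, y_r, cky_i, cky_r, sa_offer, id_r):
    # Hash-R = PRF(SKEYID, YR | YI | CKY-R | CKY-I | SA Offer | ID-R)
    return prf(skeyid, y_r + y_i + cky_r + cky_i + sa_offer + id_r)


def demo():
    # Constructed values standing in for one Main Mode exchange (no real DH here).
    t = dict(y_i=b"\x11" * 96, y_r=b"\x22" * 96, cky_i=b"I" * 8, cky_r=b"R" * 8,
             sa_offer=b"constructed-sa-offer")
    n_i, n_r = b"\xaa" * 16, b"\xbb" * 16
    id_i, id_r = b"initiator.example", b"responder.example"

    good = skeyid_psk(b"shared-secret", n_i, n_r)
    wrong = skeyid_psk(b"wrong-secret", n_i, n_r)
    sent = hash_i(good, id_i=id_i, **t)      # what the initiator transmits

    # The responder recomputes Hash-I from its own view of the exchange and
    # compares in constant time.
    tampered = dict(t, sa_offer=b"constructed-weaker-offer")
    return {
        "same_psk": hmac.compare_digest(hash_i(good, id_i=id_i, **t), sent),
        "wrong_psk": hmac.compare_digest(hash_i(wrong, id_i=id_i, **t), sent),
        "sa_offer_modified_in_transit": hmac.compare_digest(
            hash_i(good, id_i=id_i, **tampered), sent),
        "hash_r_equals_hash_i": hmac.compare_digest(
            hash_r(good, id_r=id_r, **t), sent),
    }


if __name__ == "__main__":
    print(demo())
```

Because the SA offer is an input to the PRF, a peer whose view of the negotiated parameters differs from the sender's computes a different digest and authentication fails.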
