IPsec
1 / 43
IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
IPsec
2 / 43
Encryption at Different Layers IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■
■
■
Most layers have control information that must be decoded before decryption is possible — this must always be sent in the clear If the layer does demultiplexing, the information for that must be in the clear, too, to permit different keys for different destinations Anything higher-level is hidden
3 / 43
Link Layer IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■ ■ ■ ■
Framing information must be in cleartext Link layer (if used) addresses must be cleartext, to permit proper delivery Link layer type field must be cleartext Protects IP source and destination addresses — but only for that hop Common for especially-vulnerable links: WiFi, satellite downlinks, etc. Often used for access control
4 / 43
IPsec IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
Network-layer security protocol for the Internet. ■ Operates at the IP layer — has a cleartext IP header ■ Completely transparent to applications. - Generally must modify protocol stack or kernel; out of reach of application writers or users. ■
5 / 43
History IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
SP3 Layer 3 security protocol for SDNS. NLSP OSIfied version of SP3, with an incomprehensible spec. swIPe UNIX implementation by Ioannidis and Blaze (1993). ka9q Phil Karn’s proto-IPsec IPsec Many years of design in the IETF 1995 First IETF version of IPsec 1998 Revised version with sequence numbers and authentication 2005 IPsec v3, for newer algorithms and larger sequence numbers 6 / 43
Why IPsec? IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■
■
SSL doesn’t protected against certain attacks Example: enemy sends forged packet with RST bit set; tears down connection Example: enemy sends bogus data for connection — SSL detects that, but can’t recover, since TCP has accepted the data Also — SSL can’t (easily) protect UDP
7 / 43
Protects All Applications IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■ ■
To protect an application that uses TLS, you have to change its code IPsec protects all traffic But — how does an application know if IPsec is present? Can it request IPsec protection?
8 / 43
IPsec Structure IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■ ■ ■
Nested headers: IP; ESP or AH; maybe another IP; TCP or UDP; then data. Cryptographic protection can be host to host, host to firewall, or firewall to firewall. Option for user-granularity keying. Works with IPv4 and IPv6. Implements Virtual Private Networks (VPNs)
9 / 43
Some Packet Layouts IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
Transport Mode
Tunnel Mode
IP
IP
ESP
ESP
TCP
IP
user data
TCP user data 10 / 43
Tunnel and Transport Mode IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■
Transport mode protects end-to-end connections Tunnel mode — much more common — is used for VPNs and telecommuter-to-firewwall The inner IP header can have site-local addresses
11 / 43
Implementation Choices IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■ ■
“Bump in the stack” — host-resident In network hardware; explicitly controlled by the host “Bump in the wire” — external device in the network cable; not known to the host Gateway- or firewall-resident — not known to any hosts within the protected net
12 / 43
IPsec Addressing IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■
Packets are always addressed to the decryptor No need for “snooping” May be further forwarded
13 / 43
Security Associations IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■
■
SA: Security Association Think of it as an IPsec connection All of the parameters needed for an IPsec session: crypto algorithms (AES, SHA1, etc.), modes of operation (CBC, HMAC, etc.), key lengths, digest lengths, traffic to be protected, etc. Both sides must agree on the SA for secure communications to work
14 / 43
Topologies IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
E1
A1
C
F1
E4
GW-A
WAN
E5
GW-F
E3 E2
A2 GW-B
B2 15 / 43
Paths IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■
A1 to F1: Encryptors E1 , E5 (tunnel mode) B2 to F1: Encryptors E3 , E5 (tunnel mode) A2 to C: Encryptors E2 , E4 (transport mode)
16 / 43
Uses for IPsec IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■
Virtual Private Networks. “Phone home” for laptops, telecommuters. General Internet security?
17 / 43
Outbound Packet Processing IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■
■ ■
Compare packet — src and dst addr, src and dst port numbers — against Security Policy Database (SPD) If packet should be protected, consult Security Association Database (SADB) to find SA Add appropriate IPsec header
18 / 43
Inbound Packet Processing IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■
■ ■
If IPsec-protected, look up SA, authenticate, and decrypt Compare packet — src and dst addr, src and dst port numbers, as before — against SPD to see if it should have been protected, and by which SA If the protection characteristics match, accept the packet If they do not match, discard it
19 / 43
Security Policy Database: Theory IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■ ■ ■
IP address range or subnet: protect everything going to 128.59.0.0/16 Port number list or range: 25,110,143 Protect all addresses and/or all port numbers: full protection Multiple sets of the above
20 / 43
Security Policy Database: Reality IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■
■
Most IPsec usage is for VPNs Two options: send all traffic to the main site for relaying (triangle routing) or send Internet-bound traffic directly to the Internet Tradeoff: performance and reliability versus protection and policy enforcement by the organizational firewall
21 / 43
Triangle Routing IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
Organization
Internet
For Triangle Routing, the SPD says “protect everything”. For Direct Routing, the SPD says “protect traffic destined for the organization”. 22 / 43
End-to-End ESP vs. Firewalls IPsec Encryption at Different Layers Link Layer IPsec History Why IPsec? Protects All Applications IPsec Structure Some Packet Layouts Tunnel and Transport Mode Implementation Choices IPsec Addressing Security Associations Topologies Paths Uses for IPsec Outbound Packet Processing Inbound Packet Processing Security Policy Database: Theory Security Policy Database: Reality Triangle Routing End-to-End ESP vs. Firewalls
■ ■
■
■
Suppose you have a firewall that allows some outgoing connections Further suppose that some internal host wishes to talk end-to-end (transport mode) ESP to the outside When the firewall sees the encrypted packet, it can’t tell if it’s a new connection (SYN bit set) or not It also can’t tell what port number it’s going to, or even if it’s transport mode or tunnel mode
23 / 43
IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
IPsec Details
Issues
24 / 43
Authentication Header (AH) IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■ ■ ■
Based on keyed cryptographic hash function. Covers AH header, payload and immutable portion of preceeding IP header. Not that useful today, compared to ESP with null encryption Usually used with HMAC-SHA1 or HMAC-MD5 HMAC output is frequently truncated Details: see RFC 4302
Issues
25 / 43
Truncating HMACs IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■
It is not necessary to send the full HMAC Tradeoff between packet size (i.e., network performance) and probability of forgery 8 or 12 bytes is generally enough: forgery probability is 2−64 or 2−96 Also — makes it harder to verify a possibly-recovered key
Issues
26 / 43
AH Layout IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
proto
length
reserved SPI
Sequence Number digest (variable length)
Issues
27 / 43
What is an SPI? IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■
SPI — Security Parameter Index Identifies Security Association Each SA has its own keys, algorithms, policy rules On packet receipt, look up SA from hSPI, dstaddri pair
Issues
28 / 43
Other AH Fields IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■
■
“Proto” — what transport protocol header is next (i.e., TCP, UDP, etc.) “length” — length of AH header in 32-bit words, minus 2 Actually, length is implicit in the security association; putting it in the header permits context-free (and unkeyed) examination of the packet “Sequence” — prevents replay attacks
Issues
29 / 43
Why a Sequence Number? IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■
Prevent packet replays Permitted by the IP model — but accidents are not the same as malice Many attacks possible if replays are permitted
Issues
30 / 43
Mutable Parts of the IP Header IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■ ■
Some parts of the IP header change in transit Obvious: TTL (and hence IP checksum) Fragmentation? You generally reassemble fragments before doing AH processing DSCP (previously known as ToS) IP options — some change in flight (record route, source route); others do not. See RFC 4302 for details
Issues
31 / 43
Encapsulating Security Payload (ESP) IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■
Carries encrypted packet. An SPI is used, as with AH. Preferred use of ESP is for AES in CBC mode with HMAC-SHA1
Issues
32 / 43
ESP Layout IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec Issues
SPI sequence number Digest range
data data padding
padding padlen
payload
digest digest digest digest 33 / 43
Padding IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■
“padlen” says how many bytes of padding should be removed from the packet Primary purpose: handle CBC blocksize issue Secondary purpose: add random extra padding, to confuse traffic analysts (but it doesn’t do a very good job of that)
Issues
34 / 43
Traffic Analysis of IP Packets IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■ ■ ■
What can you learn from encrypted packets? Source address Destination address Length Time Hard to hide these things, even with crypto
Issues
35 / 43
Using ESP IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■ ■
Can be used with null authentication or null encryption With null encryption, provides authentication only Easier to implement than AH Note: you should virtually always use authentication with ESP Similarly, sequence numbers should be used whenever possible
Issues
36 / 43
Nested IPsec IPsec IPsec Details Authentication Header (AH) Truncating HMACs AH Layout What is an SPI? Other AH Fields Why a Sequence Number? Mutable Parts of the IP Header Encapsulating Security Payload (ESP) ESP Layout Padding Traffic Analysis of IP Packets Using ESP Nested IPsec
■ ■ ■ ■
In theory, can nest IPsec headers Outer layer: tunnel mode for VPN Inner layer: transport mode for host-to-host protection Rarely implemented
Issues
37 / 43
IPsec IPsec Details Issues IPsec and Firewalls IPsec and the DNS Implementation Issues Requesting Protection Implementation Status
Issues
38 / 43
IPsec and Firewalls IPsec
■
IPsec Details Issues IPsec and Firewalls IPsec and the DNS Implementation Issues Requesting Protection Implementation Status
■ ■ ■
Encryption is not authentication or authorization Access controls may need to be applied to encrypted traffic, depending on the source. The source IP address is only authenticated if it is somehow bound to the certificate. Encrypted traffic can use a different firewall; however, co-ordination of policies may be needed.
39 / 43
IPsec and the DNS IPsec
■
IPsec Details
IPsec often relies on the DNS. Users specify hostnames. IPsec operates at the IP layer, where IP addresses are used. ◆ An attacker could try to subvert the mapping. ◆ ◆
Issues IPsec and Firewalls IPsec and the DNS Implementation Issues Requesting Protection Implementation Status
■ ■ ■
We need to protect the DNS, via DNSSEC (later in the term) DNSSEC may not meet some organizational security standards. DNSSEC — which isn’t deployed yet, either — uses its own certificates, not X.509. 40 / 43
Implementation Issues IPsec
■
IPsec Details Issues IPsec and Firewalls IPsec and the DNS Implementation Issues Requesting Protection Implementation Status
■ ■
How do applications request cryptographic protection? How do they verify its existence? How do adminstrators mandate cryptography between host or network pairs? We need to resolve authorization issues.
41 / 43
Requesting Protection IPsec
■
IPsec Details Issues IPsec and Firewalls IPsec and the DNS Implementation Issues Requesting Protection Implementation Status
■ ■ ■ ■
Some stacks permit applications to request IPsec protection Creates temporary SPD entry May cause key management negotiation or SA change (wait till next class) But — what about bump-in-the-wire or gateway-resident IPsec implementations? Would need marking in the packets, but no mechanism for that has ever been defined
42 / 43
Implementation Status IPsec
■
IPsec Details Issues IPsec and Firewalls IPsec and the DNS Implementation Issues Requesting Protection Implementation Status
■ ■ ■
IPsec is available for all major operating systems Not all of them support all of the many options Hard to use for specific application protection Nested IPsec rarely available
43 / 43
