IP SECURITY

1
IP SECURITY Chapter 16
Security Mechanisms email S/MIME,
PGP client/server - Kerberos web access -
Secure Sockets Layer network -
TCP/IP Three Areas 1. Authentication
verifies source / no alteration 2.
Confidentiality no eavesdropper
3. Key Management secure exchange
2
ATTACKS - REQUIREMENTS

• IP Spoofing - false IP address
• eavesdropping / packet sniffing
• - logon data, database contents
• Secure Branch Office over Internet
• - Virtual Private Network
• Secure Remote Access over Internet
• - local call to ISP ? remote company
• extranet/internet secure comms ? other orgs
• Secure Commerce enhanced by IPSEC
• because encrypt/decrypt all traffic at IP
  level
• (fig 16.1)

3
IP SECURITY SCENARIO
4
BENEFITS of IPSEC

• Traffic within company
• no need for security
• Transparent applications and end users
• Security for off-site individuals

5
IPSEC and ROUTING

• Authorises Routing Advertisement
• Authorises Neighbour Advertisement
• Redirect
• Routing Update - not forged

6
EXTENSION HEADER
- follows main IP header Authentication
Header Encapsulating Security Payload
(ESP) header (encrypted) Fig 16.2
AH - Authentication Header ESP
Encryption Authentication
Table 16.1
7
IPSec DOCUMENT OVERVIEW
8
SECURITY ASSOCIATIONS (SAs)

• One-way relationship between
• sender and receiver
• For two-way, need two SAs
• Three Parameters
• 1. Security Parameter Index (SPI)
• 2. IP Destination Address
• 3. Security Protocol Identifier

9
SECURITY ASSOCIATIONS (SAs)
1. Security Parameter Index (SPI) - bit string
carried in AH and ESP headers enables
receiver to select SA for processing
packet. 2. IP Destination Address - end user or
network system (e.g. firewall,
router) 3. Security Protocol Identifier
indicates AH or ESP
10
SA PARAMETERS

• Sequence Number Counter
• Sequence Counter Overflow
• - overflow auditable?
• Anti-Replay Windows
• - is incoming AH or ESP a replay?
• AH information
• - auth. alg., keys, key lifetimes
• ESP information
• - encryp. alg., auth. alg., keys,
• init. values, key lifetimes
• Lifetime of SA
• IPSec Protocol Mode
• - Tunnel/Transport/Wildcard (mask)
• Path MTU max packet size

11
SECURITY POLICY DATABASE (SPD)
Relates IP traffic to specific SAs Subset0 of
IP Traffic SA Subset1 of IP
Traffic and/or Subset of
IP Traffic SA0
SA1
12
SPD IP and UPPER LAYER SELECTORS

• - filters/maps traffic ? SA
• Dest. IP Address single/list/range/wildcard
• Source IP Address single/list/range/wildcard
• User ID
• Data Sensitivity Levele.g.secret/unclassified
• Transport Layer Protocol
• (number) individual/list/range
• IPSEC Protocol AH/ESP/AH and ESP
• Source and Dest. Ports
• (TCP or UDP values) individual/list/wildcard

13
SPD IP and UPPER LAYER SELECTORS

• - filters/maps traffic ? SA
• IPv6 Class specific/wildcard
• IPv6 Flowlabel specific/wildcard
• IPv4 Type of Service (TOS)
• specific/wildcard

14
TRANSPORT MODE
Transport Upper-layer protection
End-to-end communication (e.g. client
?? server, two workstations) ESP encrypts IP
payload (not header)
(optionally authenticates) AH authenticates
IP payload selected
portions of header
15
TUNNEL MODE
Tunnel Protects entire IP packet entire
packet security fields treated as
outer payload with new IP header Original
(inner) packet travels through
tunnel.
Routers cannot examine inner IP header
e.g. tunneled through firewall
Table 16.2
16
AUTHENTICATION HEADER
- Detects modification - Prevents address
spoofing, replay Uses MAC - Alice, Bob
share secret key Fig 16.3
17
AUTHENTICATION HEADER
18
ANTI-REPLAY SERVICE
Sequence Number Field (SNF)
thwarts attack New SA Sender
initialises C0 For every new packet on
SA C Anti-Replay operates up to
max C 232 1 If
max reached, terminate SA
19
ANTI-REPLAY SERVICE

• IP is,
• connectionless,
• unreliable
• ?
• protocol does NOT guarantee
• packets delivered in order
• all packets delivered

20
ANTI-REPLAY MECHANISM
21
ANTI-REPLAY MECHANISM
(Fig 16.4) 1. if Rx packet falls in window and
new then check MAC. if authentic
then mark slot 2. if Rx packet to right of
window and new then check MAC. if
authentic advance window up to
packet. 3. if Rx
packet to left of window or authentication
fails then, discard, audit
22
INTEGRITY CHECK VALUE (ICV) - MAC
HMACMD5-96, HMAC-SHA-1-96
(trunc to 96 bits) MAC over IP
Header Fields which are unchanged in
transit (or are predictable at receiver),
other fields set ot 0 for calculation
purposes. AH Header except Authentication
Data Field AD ? 0 Upper-Level protocol
data
23
TRANSPORT / TUNNEL MODES
Fig 16.5 Transport SA workst. ??
server
(secret key) Tunnel SA workst.

intern. network
firewall
intern. server

without auth. Fig 16.6 IP Payload is TCP
or data for other
protocol.
24
End-to-End vs. End-to-intermediate Auth.
25
SCOPE OF AH AUTHENTICATION
26
ENCAPSULATING SECURITY
PAYLOAD (ESP)
Message Confidentiality Limited Traffic flow
Confidentiality Authentication (like AH)
Fig 16.7
27
ENCAPSULATING SECURITY PAYLOAD (ESP)
28
ENCAPSULATING SECURITY
PAYLOAD (ESP)

• SPI Security Association
• Sequence Number
• Payload Transport/Tunnel encrypt
• Padding - 0 255 bytes
• Pad Length
• Next Header Payload type by
• identifying first
  header
• in payload.
• Auth. Data ICV (MAC)

29
ESP
Encrypts payload, padding, pad length,
next
header Optimal init. vector (IV) for encryp.
alg. at beginning of
Payload Uses DES(CBC), 3DES, RC5, IDEA,
3IDEA, CAST, Blowfish Uses HMAC-MD5-96,
HMAC-SHA-1-96
30
PADDING

• Required,
• if encryp. alg. requires plaintext to be
• certain multiple of bytes.
• to make ciphertext a multiple of 32-bits
• for Partial Traffic Flow Confidentiality

31
TRANSPORT and TUNNEL MODES
Fig 16.8 Transport - confidentiality for all
appl. - drawback traffic
analysis Tunnel hosts avoid security (VPN)
Fig 16.9

32
Transport vs. Tunnel Encryp.
33
Scope of ESP Encryp. and Auth.
34
COMBINING SAs
Each SA implements AH or ESP, but, Some traffic
flow may require both. ?
multiple SAs Security Association Bundle
Sequence of SAs SAs may terminate at different
endpoints
35
TWO BUNDLE TYPES
Transport Adjacency more than one security
protocol to same IP packet, no tunneling,
one endpoint. Iterated
Tunneling multiple (nested) security layers
using tunnelling, possible different
end points.
36
TWO BUNDLE TYPES
Two approaches can be Combined e.g.
Transport SA between hosts travels
partway through a Tunnel SA between
security gateways.
37
AUTHENTICATION CONFIDENTIALITY
1. ESP with Auth. Option - Fig 16.9
Transport mode ESP IP header not
protected Tunnel mode ESP
Auth. entire outer IP packet Encryp.
entire inner IP packet For both cases,
ciphertext authenticated
38
Scope of ESP Encryp. and Auth.
39
AUTHENTICATION CONFIDENTIALITY
2. Transport Adjacency Two Bundled SAs
- inner being ESP (no auth.) outer
being AH - advantage auth. covers
more fields - disadvantage two SAs versus
one
40
AUTHENTICATION CONFIDENTIALITY
3. Transport-Tunnel Bundle Auth. Prior to
encryp. - advantages
Impossible to intercept and alter
without detection.
Store MAC with message at
destination for later. Use Bundle
Inner AH Transport SA Outer ESP Tunnel
SA ? entire auth. inner packet
encrypted.
new outer IP header added
41
BASIC COMBINATION OF SAs
CASE 1 End systems implement IPSec - share
keys CASE 2 Security between gateways
(routers,firewalls) No hosts implement IPSec
Simple VPN Nested tunnels not required
because IPSec
applied to entire packet. CASE 3 Case 2
end-to-end security. Gateway-to-gateway ESP
provides traffic
confidentiality. CASE 4
Support for remote host to reach firewall.
Only tunnel mode required.
Key Management - Read
42
BASIC COMBINATION OF SAs