ilab 2 - IPSec with IKEv2 and Strongswan - Lukas Grillmayer and Linus Lotz - PowerPoint PPT Presentation



SLIDE 1

ilab2 - IPSec with IKEv2 and Strongswan

Lukas Grillmayer and Linus Lotz

Chair for Network Architectures and Services, Department for Computer Science, Technische Universität München

June 4, 2014

Lukas Grillmayer and Linus Lotz: ilab2 - IPSec with IKEv2 and Strongswan 1

SLIDE 2

Motivation

Imagine you are a huge search engine company. You recently found out that some government agency has the audacity to sniff in your network.

“F*** these guys.” - an engineer from a huge search engine company


SLIDE 5

Situation

  • We have several locations that need to be connected
  • We have some users who need to access our network from outside

⇒ What we need is a VPN


SLIDE 8

Outline

1 Motivation
2 Outline
3 IPSec: AH, ESP, IKEv2
4 Summary


SLIDE 12

IPSec - What is it good for?

  • For encrypting data between two parties
  • Consists of a number of different protocols:

1 AH
2 ESP
3 ISAKMP
4 IKE(v2)

A lot of RFCs about IPSec: 2403, 2404, 2405, 2410, 2451, 2857, 3526, 3686, 3947, 3948, 4106, 4301, 4302, 4303, 4304, 4307, 4308, 4309, 4543, 4555, 4806, 4835, 5945, 5996


SLIDE 17

Tunnel and Transport Mode

Tunnel mode: [figure]
Transport mode: [figure]


SLIDE 18

AH - Authentication Header - RFC 4302

  • Operates on top of IP
  • Authentication and integrity protection
  • Protects from replay attacks
  • Protects the IP header and its payload
  • No encryption!


SLIDE 23

AH - Header Format
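As an added example (not from the slides), the fixed AH header layout from RFC 4302 parsed in Python, together with the sliding anti-replay window that gives AH its replay protection (ESP uses the same SPI and sequence-number semantics). The packet bytes are constructed for the example, and the replay check is simplified by updating the window in the same call.

```python
import struct

# Fixed part of the AH header (RFC 4302, section 2):
#   Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Sequence Number (4)
# followed by the variable-length Integrity Check Value (ICV).
AH_FIXED = struct.Struct("!BBHII")

# Constructed sample: AH carrying TCP (next header 6), 12-byte ICV (HMAC-SHA1-96 size),
# SPI 0x1000, sequence number 1. Payload Len = (24 bytes / 4) - 2 = 4.
SAMPLE_AH = AH_FIXED.pack(6, 4, 0, 0x1000, 1) + b"\x00" * 12 + b"tcp-payload"

def parse_ah(data):
    """Split an AH packet into header fields, ICV and the protected payload."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    # Payload Len counts 32-bit words of the whole AH header minus 2.
    total_len = (payload_len + 2) * 4
    if len(data) < total_len:
        raise ValueError("AH Payload Len exceeds packet")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED.size:total_len], "payload": data[total_len:]}

class ReplayWindow:
    """Sliding anti-replay window as described in RFC 4302 section 3.4.3.
    Bit i of the bitmap marks whether sequence number (top - i) was seen.
    A real receiver updates the window only after the ICV verified; here
    the check and the update are combined for brevity."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                      # sequence number 0 is never valid
            return False
        if seq > self.top:                # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # left of the window: too old
            return False
        if self.bitmap & (1 << offset):   # inside the window but already seen
            return False
        self.bitmap |= 1 << offset
        return True
```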


SLIDE 24

ESP - Encapsulating Security Payload

  • RFC 4303
  • Operates on top of IP
  • Encrypts the transported payload
  • Integrity check
  • AH can be added to protect the outer IP header


SLIDE 29

ESP - Header Format


SLIDE 30

Internet Key Exchange Protocol v2

  • Current version specified in RFC 5996
  • Used to establish encryption and authentication keys
  • Find the best mutually supported algorithms
  • Authentication between the parties
  • Selection of supported authentication methods: PSK, X.509 certificates, EAP
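An added Python model (not from the slides or from strongSwan) of how the responder "finds the best mutually supported algorithms": it walks the initiator's proposals in order and accepts the first one in which every required transform type has an alternative its own policy allows. The transform names are constructed, strongSwan-style labels, and the proposals and policies are made up for the example.

```python
# Transform types from RFC 5996 section 3.3.2. Combined-mode (AEAD) ciphers carry
# their own integrity protection, so no INTEG transform is negotiated for them.
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")
AEAD_CIPHERS = {"aes128gcm16", "aes256gcm16"}

# Constructed initiator SA payload: two proposals, each listing alternatives per type.
INITIATOR_PROPOSALS = [
    {"ENCR": ["aes128", "3des"], "PRF": ["prfsha256"], "INTEG": ["sha256", "sha1"],
     "DH": ["modp2048", "modp1024"]},
    {"ENCR": ["aes256gcm16"], "PRF": ["prfsha256"], "DH": ["ecp256"]},
]

def select_proposal(proposals, policy):
    """Responder-side selection as in RFC 5996 section 2.7: take the first proposal
    in which every required transform type has a transform the responder allows,
    choosing within a type by the responder's own preference order (policy lists
    are ordered most-preferred first). Returns (proposal number, chosen transforms)
    or None, which an implementation answers with NO_PROPOSAL_CHOSEN."""
    for number, proposal in enumerate(proposals, start=1):
        chosen = {}
        for ttype in TRANSFORM_TYPES:
            if ttype == "INTEG" and chosen.get("ENCR") in AEAD_CIPHERS:
                continue  # AEAD cipher: no separate integrity transform
            offered = proposal.get(ttype, [])
            pick = next((t for t in policy.get(ttype, []) if t in offered), None)
            if pick is None:
                break     # this proposal cannot be satisfied, try the next one
            chosen[ttype] = pick
        else:
            return number, chosen
    return None
```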


SLIDE 35

Summary

  • We need a VPN
  • We have IPSec
  • We want to give a road warrior access


SLIDE 38

Practical Part


SLIDE 39

Image sources

http://en.wikipedia.org/wiki/IPSec
Ilab 1 - Security I


SLIDE 40

SNMP – SIMPLE NETWORK MANAGEMENT PROTOCOL

Denis Huber and Daniel Metz

1

SLIDE 41

Motivation

Networks:

– various device classes

  • different operating systems
  • different instruction syntax
  • functionality

– tasks:

  • configuration
  • monitoring of devices


SLIDE 42

Motivation

Achievable via:

– Ping, SSH, Telnet

So could we ease network management by a standard/protocol? SNMP!


SLIDE 43

Motivation

SNMP

  • powerful, widespread standard
  • standardized
    – simple network-object management
    – resource monitoring
  • lightweight device software
  • “One Framework to rule them all”


SLIDE 44

Lecture Overview

  • MIB
  • SNMP
  • Summary


SLIDE 45

MIB

  • NOT “Men in Black”
  • Management Information Base
  • Used for specifying network objects (network-relevant objects on network devices)
  • “Address” of a network object
  • Unique within the scope of a device


SLIDE 46

MIB

  • Tree structure
  • Leaves hold information
  • Many predefined nodes by standard

Notation (MIB-OID):

  • .1.3.6.[…]
  • iso.organization.DoD
  • .1.3.6.1.2.1.2.2.1.6.7 ≙ MAC address of interface 7

[Figure: MIB tree with the nodes 1, 3, 6]
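An added example (not from the slides) of how the dotted MIB-OID notation above is turned into the bytes that actually travel inside an SNMP packet: BER encoding per X.690, where the first two arcs share one sub-identifier and every sub-identifier is written base-128. The decoder is strict so that a truncated or mislabelled value from the wire is rejected rather than silently misread; the second OID used in the comments (.1.3.6.1.4.1.2021) is only there to exercise a multi-byte sub-identifier.

```python
OID_TAG = 0x06  # BER tag for OBJECT IDENTIFIER (X.690)

def encode_oid(oid):
    """BER-encode a dotted OID such as ".1.3.6.1.2.1.2.2.1.6.7" (IF-MIB ifPhysAddress.7)."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    # X.690: the first two arcs share one sub-identifier, 40 * first + second.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for sid in subids:
        # base-128, most significant group first, high bit set on all but the last byte
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body.extend(reversed(groups))
    if len(body) >= 0x80:
        raise ValueError("long-form length not supported in this example")
    return bytes([OID_TAG, len(body)]) + bytes(body)

def decode_oid(data):
    """Inverse of encode_oid; rejects malformed input instead of guessing."""
    if len(data) < 3 or data[0] != OID_TAG or data[1] >= 0x80 or data[1] != len(data) - 2:
        raise ValueError("not a short-form BER OBJECT IDENTIFIER")
    if data[-1] & 0x80:
        raise ValueError("truncated sub-identifier")   # e.g. 0x8f 0x65 cut after 0x8f
    subids, cur = [], 0
    for b in data[2:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return "." + ".".join(str(a) for a in arcs + subids[1:])
```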

SLIDE 47

SNMP

  • Application layer protocol, uses mostly UDP (but also TCP)
  • Protocol entities
    – Manager monitors/configures Agents
    – Agent is a network device processing the requests of a Manager
  • MIB acts as an interface between manager and agent


SLIDE 48

SNMP

  • Communication
    – manager uses various requests:
      • GetRequest
      • GetNextRequest
      • SetRequest
    – agent responds with a GetResponse
    – “trap messages” are used for asynchronous notification from agent to manager


SLIDE 49

Teaser Practical Part

[Figure: Management Network with Agent and Manager]

SLIDE 50

Summary

  • SNMP: Standard for network management
  • MIB: Database for network objects
  • Manager: Controls the network devices
  • Agent: Network device to be managed


SLIDE 51

Questions