SLIDE 1
iLab IPsec
Minoo Rouhi rouhi@net.in.tum.de
Slides by Benjamin Hof hof@in.tum.de
Chair of Network Architectures and Services
Department of Informatics
Technical University of Munich
Lab 8 18ss
SLIDE 2
SLIDE 3
Outline
Overview
IPsec databases
Internet Key Exchange version 2
Encapsulating Security Payload
IPsec processing
SLIDE 4
IPsec goals
Add protection to IP datagrams:
◮ confidentiality
◮ integrity protection
◮ access control
◮ data source authentication
Handle multicast, and, of course, deal with NAT again...
SLIDE 5
Typical setups
[Figure: typical setups, drawn with nodes labelled EP, R and SG; one setup is captioned "IPsec remote access server/client"]
SLIDE 6
Mode
◮ tunnel
◮ transport
SLIDE 7
IPsec protocols
◮ handshake: IKEv2
◮ authenticated encryption with replay protection: ESP
[Figure: message sequence between initiator and responder, labelled IKE and ESP]
SLIDE 8
IPsec overview
Internet Key Exchange (IKEv2)
◮ mutual authentication
◮ establish shared state: Security Associations (SA)
◮ UDP port 500 or 4500
Security Association
◮ IKE SA
◮ child SAs
  ◮ authenticated encryption using Encapsulating Security Payload (ESP)
  ◮ authentication using Authentication Header (AH)
  ◮ on IP layer or UDP port 4500
  ◮ transport or tunnel mode
◮ replay protection
SLIDE 9
Outline
Overview
IPsec databases
Internet Key Exchange version 2
Encapsulating Security Payload
IPsec processing
SLIDE 10
IPsec concepts
◮ Security Policy Database (SPD) determines required protection
◮ key exchange and authentication with Internet Key Exchange version 2 (IKEv2)
◮ during IKE, authorization is checked in the Peer Authorization Database (PAD)
◮ IKE sets up shared state: Security Associations (SA)
SLIDE 11
Relationships
[Figure: relationships between SPD, PAD, IKE and SAD]
SLIDE 12
Security Policy Database
◮ discard, bypass, protect
◮ direction
◮ selectors
  ◮ local, remote IP ranges
  ◮ next layer protocol
  ◮ local, remote ports
  ◮ ICMP type/code
  ◮ populate from packet flag
◮ name
◮ IPsec mode
◮ IPsec protocol
And many more.
SLIDE 13
Security Association Database
◮ Security Parameter Index
◮ 64 bit sequence number counter
◮ anti-replay window
◮ algorithms, keys, IV
◮ lifetime
◮ IPsec mode
And many more.
SLIDE 14
Peer Authorization Database
For each peer or group of peers:
◮ name
◮ IPsec protocol
◮ authentication method
◮ authentication requirements
◮ use name or remote IP in traffic selector during SPD lookup?
Checked during IKE.
SLIDE 15
Outline
Overview
IPsec databases
Internet Key Exchange version 2
Encapsulating Security Payload
IPsec processing
SLIDE 16
IKEv2 concepts
◮ initiator, responder
◮ pairs of messages: request, response
Shared state can also be established by hand.
SLIDE 17
IKEv2 format
header format (on port 4500 preceded by 4 zero octets), 32 bits per row:
initiator Security Parameter Index (SPI)
responder SPI
next payload (bits 0-7) | maj. v. (8-11) | min. v. (12-15) | exchange type (16-23) | flags (24-31)
message ID
length
generic payload format:
next payload (bits 0-7) | C (8) | reserved (9-15) | payload length (16-31)
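A bounds-checked parser for the header and generic payload chain laid out above, as an added example that is not part of the original slides. The names `ike_hdr` and `ike_parse` and the error codes are assumptions; the major version 2 check and payload type 46 (encrypted payload) come from RFC 7296, not from the slide.

```c
#include <stddef.h>
#include <stdint.h>

#define IKE_HDR_LEN 28   /* two 8-octet SPIs + 4 + message ID + length */
#define PAYLOAD_SK  46   /* encrypted payload, always the last one (RFC 7296) */

struct ike_hdr {
    uint64_t spi_i, spi_r;
    uint8_t  next_payload, major, minor, exchange_type, flags;
    uint32_t message_id, length;
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse one UDP payload that arrived on `port`. Returns the number of
 * payloads in the chain, or a negative error code. */
int ike_parse(const uint8_t *buf, size_t len, uint16_t port, struct ike_hdr *h)
{
    if (port == 4500) {                  /* 4 zero octets precede IKE here */
        if (len < 4 || be32(buf) != 0) return -1;  /* non-zero: an ESP SPI */
        buf += 4; len -= 4;
    }
    if (len < IKE_HDR_LEN) return -2;
    h->spi_i = (uint64_t)be32(buf) << 32 | be32(buf + 4);
    h->spi_r = (uint64_t)be32(buf + 8) << 32 | be32(buf + 12);
    h->next_payload  = buf[16];
    h->major         = buf[17] >> 4;     /* bits 8-11 */
    h->minor         = buf[17] & 0x0f;   /* bits 12-15 */
    h->exchange_type = buf[18];
    h->flags         = buf[19];
    h->message_id    = be32(buf + 20);
    h->length        = be32(buf + 24);   /* header plus all payloads */
    if (h->major != 2) return -3;
    if (h->length < IKE_HDR_LEN || h->length > len) return -4;

    int count = 0;
    size_t off = IKE_HDR_LEN;
    for (uint8_t type = h->next_payload; type != 0; count++) {
        if (h->length - off < 4) return -5;       /* generic header cut off */
        size_t plen = (size_t)buf[off + 2] << 8 | buf[off + 3];
        if (plen < 4 || plen > h->length - off) return -6;
        type = (type == PAYLOAD_SK) ? 0 : buf[off];
        off += plen;
    }
    return off == h->length ? count : -7;         /* stray trailing octets */
}
```

Every payload length is checked against the header's length field before the cursor moves, so a lying length field yields an error code instead of an out-of-bounds read.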
SLIDE 18
Security Associations and Traffic Selectors
Traffic selectors (TS)
◮ IP version
◮ next layer protocol
◮ port range or ICMP code/type
◮ IP range
SA proposals
◮ IKE/ESP/AH
◮ SPI, size
◮ encryption algorithm
◮ integrity algorithm
◮ PRF algorithm
◮ DH group
“Assembly of Security Association payloads requires great peace of mind.” — RFC 7296
SLIDE 19
IKEv2 overview
IKE SA, key agreement:
initiator → responder: $SA^{IKE}_i, DH_i, N_i$
responder → initiator: $SA^{IKE}_r, DH_r, N_r$
authentication, child SA:
initiator → responder: $ID_i, CERT_i, ID_r, AUTH_i, SA^{child}_i, TS_i, TS_r$
responder → initiator: $ID_r, CERT_r, AUTH_r, SA^{child}_r, TS_i, TS_r$

$SK_d \,|\, SK^a_i \,|\, SK^a_r \,|\, SK^e_i \,|\, SK^e_r \,|\, SK^p_i \,|\, SK^p_r := \mathrm{KDF}(N_i | N_r,\ DH,\ SPI_i | SPI_r)$

$AUTH_i \leftarrow \mathrm{sign}(msg_1,\ N_r,\ \mathrm{prf}(SK^p_i,\ id))$
SLIDE 20
IKEv2 messages
◮ IKE_SA_INIT
◮ IKE_AUTH
◮ CREATE_CHILD_SA
◮ INFORMATIONAL
SLIDE 21
CREATE_CHILD_SA
initiator → responder: $SA_i, N_i, DH_i, TS_i, TS_r$
responder → initiator: $SA_r, N_r, DH_r, TS_i, TS_r$
◮ sent in IKE SA
◮ may include additional information, e.g. signal rekeying
SLIDE 22
Outline
Overview
IPsec databases
Internet Key Exchange version 2
Encapsulating Security Payload
IPsec processing
SLIDE 23
ESP format
Fields in transmission order (bit ruler on the slide: 7, 8, 15, 16, 31):
source port
destination port = 4500
length
checksum
SPI
sequence number
(optional) initialization vector (variable)
payload (variable)
Traffic Flow Confidentiality padding (optional, variable)
block cipher padding (optional, variable)
pad length
next header
Integrity Check Value (variable)
SLIDE 24
Protocols and modes
plain IP:       IP | TCP | L7
ESP tunnel:     IP | ESP | IP | TCP | L7 | ESP
ESP transport:  IP | ESP | TCP | L7 | ESP
AH tunnel:      IP | AH | IP | TCP | L7
AH transport:   IP | AH | TCP | L7
SLIDE 25
Replay protection and integrity
◮ check ICV
◮ some fields are not transmitted, e.g. part of the sequence number
Replay protection:
◮ counter starts at zero
◮ right window edge: highest received
◮ 64 lower allowed; even lower: discard
◮ bit mask in between
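The window rules above as code, an added example rather than material from the slides. `replay_state`, `replay_check` and `replay_accept` are hypothetical names, `icv_ok` stands in for the real ICV verification, and the full 64-bit sequence number is assumed to be already reconstructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64

struct replay_state {
    uint64_t top;   /* right window edge: highest sequence number accepted */
    uint64_t mask;  /* bit i set: sequence number top - i already seen */
};

/* Cheap pre-check, run before any cryptography. */
bool replay_check(const struct replay_state *st, uint64_t seq)
{
    if (seq == 0) return false;          /* counter starts at zero, first packet is 1 */
    if (seq > st->top) return true;      /* right of the window: new */
    if (st->top - seq >= REPLAY_WINDOW) return false;   /* too old: discard */
    return !((st->mask >> (st->top - seq)) & 1);        /* bit mask in between */
}

/* Full receive decision; icv_ok stands in for the real ICV verification. */
bool replay_accept(struct replay_state *st, uint64_t seq, bool icv_ok)
{
    if (!replay_check(st, seq) || !icv_ok)
        return false;                    /* a forged packet never moves the window */
    if (seq > st->top) {
        uint64_t shift = seq - st->top;
        st->mask = shift >= REPLAY_WINDOW ? 0 : st->mask << shift;
        st->mask |= 1;
        st->top = seq;
    } else {
        st->mask |= 1ULL << (st->top - seq);
    }
    return true;
}

int main(void)
{
    struct replay_state st = {0, 0};
    /* constructed arrivals: {sequence number, ICV valid?} */
    const struct { uint64_t seq; bool icv; } in[] = {
        {1, true}, {5, true}, {3, true}, {5, true}, {900, false}, {6, true},
    };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("seq %llu: %s\n", (unsigned long long)in[i].seq,
               replay_accept(&st, in[i].seq, in[i].icv) ? "accept" : "drop");
    return 0;
}
```

The window is updated only after the ICV check passes; otherwise a single unauthenticated packet with a large sequence number would push the right edge forward and cause legitimate traffic to be discarded.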
SLIDE 26
Outline
Overview
IPsec databases
Internet Key Exchange version 2
Encapsulating Security Payload
IPsec processing
SLIDE 27
Red to black
[Figure: outbound processing flowchart from the red side, with the labels: SPD lookup, SAD lookup, apply SA transformations, create SA, forwarding, protect, SA found, discard, bypass]
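The outbound decision in the flowchart, combined with the actions and selectors from the Security Policy Database slide, as an added example that is not from the slides. Type and function names are hypothetical, selectors are reduced to IPv4 ranges, next layer protocol and remote port, and the first-match ordering and drop-on-no-match default follow RFC 4301.

```c
#include <stddef.h>
#include <stdint.h>

enum spd_action { SPD_DISCARD, SPD_BYPASS, SPD_PROTECT };
enum verdict { V_DROP, V_FORWARD_PLAIN, V_APPLY_SA, V_CREATE_SA };

struct selector {                /* inclusive ranges, host byte order */
    uint32_t local_lo, local_hi, remote_lo, remote_hi;
    uint8_t  proto;              /* next layer protocol, 0 = any */
    uint16_t rport_lo, rport_hi;
};
struct spd_entry { struct selector sel; enum spd_action action; };
struct sad_entry { struct selector sel; uint32_t spi; };
struct packet    { uint32_t src, dst; uint8_t proto; uint16_t dport; };

static int match(const struct selector *s, const struct packet *p)
{
    return p->src >= s->local_lo && p->src <= s->local_hi &&
           p->dst >= s->remote_lo && p->dst <= s->remote_hi &&
           (s->proto == 0 || s->proto == p->proto) &&
           p->dport >= s->rport_lo && p->dport <= s->rport_hi;
}

/* Outbound decision. The SPD is searched in order and the first matching
 * entry wins; a packet that matches no entry is dropped. */
enum verdict outbound(const struct spd_entry *spd, size_t n_spd,
                      const struct sad_entry *sad, size_t n_sad,
                      const struct packet *p, uint32_t *spi)
{
    for (size_t i = 0; i < n_spd; i++) {
        if (!match(&spd[i].sel, p))
            continue;
        if (spd[i].action == SPD_DISCARD) return V_DROP;
        if (spd[i].action == SPD_BYPASS)  return V_FORWARD_PLAIN;
        for (size_t j = 0; j < n_sad; j++)      /* protect: SAD lookup */
            if (match(&sad[j].sel, p)) {
                *spi = sad[j].spi;
                return V_APPLY_SA;              /* SA found */
            }
        return V_CREATE_SA;      /* hand to IKE; never send in the clear */
    }
    return V_DROP;
}
```

Because the first match wins, a broad bypass entry placed above a protect entry sends the protected range out in cleartext, so entry order is part of the policy.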
SLIDE 28
Black to red
[Figure: inbound processing flowchart from the black side, with the labels: wait for fragments, lookup SA using SPI, process ESP/AH, check SPD inbound selector, SPD check, forwarding, IPsec, found, SA matches, bypass, discard]
SLIDE 29