ilab
play

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof - PowerPoint PPT Presentation

Feb 23, 2024 •268 likes •563 views

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

  1. iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 – 18ss 1 / 29

  2. Outline Overview IPsec databases Internet Key Exchange version 2 Encapsulating Security Payload IPsec processing 2 / 29

  3. Outline Overview IPsec databases Internet Key Exchange version 2 Encapsulating Security Payload IPsec processing 3 / 29

  4. IPsec goals Add protection to IP datagrams: ◮ confidentiality ◮ integrity protection ◮ access control ◮ data source authentication Handle multicast, and, of course, deal with NAT again. . . 4 / 29

  5. Typical setups EP EP EP R EP SG EP SG SG (IPsec remote access server/client) 5 / 29

  6. Mode ◮ tunnel ◮ transport 6 / 29

  7. IPsec protocols ◮ handshake: IKEv2 ◮ authenticated encryption with replay protection: ESP responder initiator IKE . . . ESP . . . 7 / 29

  8. IPsec overview Internet Key Exchange (IKEv2) ◮ mutual authentication ◮ establish shared state: Security Associations (SA) ◮ UDP port 500 or 4500 Security Association ◮ IKE SA ◮ child SAs ◮ authenticated encryption using Encapsulating Security Payload (ESP) ◮ authentication using Authentication Header (AH) ◮ on IP layer or UDP port 4500 ◮ transport or tunnel mode ◮ replay protection 8 / 29

  9. Outline Overview IPsec databases Internet Key Exchange version 2 Encapsulating Security Payload IPsec processing 9 / 29

  10. IPsec concepts ◮ Security Policy Database (SPD) determines required protection ◮ key exchange and authentication with Internet Key Exchange version 2 (IKEv2) ◮ during IKE, authorization is checked in the Peer Authorization Database (PAD) ◮ IKE sets up shared state: Security Associations (SA) 10 / 29

  11. Relationships SPD PAD SAD IKE 11 / 29

  12. Security Policy Database ◮ discard, bypass, protect ◮ direction ◮ selectors ◮ local, remote IP ranges ◮ next layer protocol ◮ local, remote ports ◮ ICMP type/code ◮ populate from packet flag ◮ name ◮ IPsec mode ◮ IPsec protocol And many more. 12 / 29

  13. Security Association Database ◮ Security Parameter Index ◮ 64 bit sequence number counter ◮ anti-replay window ◮ algorithms, keys, IV ◮ lifetime ◮ IPsec mode And many more. 13 / 29

  14. Peer Authorization Database For each peer or group of peers: ◮ name ◮ IPsec protocol ◮ authentication method ◮ authentication requirements ◮ use name or remote IP in traffic selector during SPD lookup? Checked during IKE. 14 / 29

  15. Outline Overview IPsec databases Internet Key Exchange version 2 Encapsulating Security Payload IPsec processing 15 / 29

  16. IKEv2 concepts ◮ initiator, responder ◮ pairs of messages: request, response Shared state can also be established by hand. 16 / 29

  17. IKEv2 format header format (on port 4500 preceeded by 4 zero octets): 0 7 8 11 12 15 16 23 24 31 initiator Security Parameter Index (SPI) responder SPI next payload maj. v. min. v. exchange type flags message ID length generic payload format: 0 7 8 9 15 16 31 next payload C reserved payload length 17 / 29

  18. Security Associations and Traffic Selectors Traffic selectors (TS) SA proposals ◮ IKE/ESP/AH ◮ IP version ◮ SPI, size ◮ next layer protocol ◮ encryption algorithm ◮ port range or ICMP code/type ◮ integrity algorithm ◮ IP range ◮ PRF algorithm ◮ DH group “Assembly of Security Association payloads requires great peace of mind.” — RFC 7296 18 / 29

  19. IKEv2 overview responder initiator S A IKE D H i N i i , , IKE SA, N r A IKE H r key agreement D S , r , I D i C E R T i I D r A U T H i , A child S , T , S i T S r , i , , authentication, T S r A child S i T child SA S H r T A U T r , E R r , C I D r , , , r | SK p i | SK p SK d | SK a i | SK a r | SK e i | SK e r := KDF ( N i | N r , DH , SPI i | SPI r ) AUTH i ← sign ( msg 1 , N r , prf ( SK p i , id )) 19 / 29

  20. IKEv2 messages ◮ IKE_SA_INIT ◮ IKE_AUTH ◮ CREATE_CHILD_SA ◮ INFORMATIONAL 20 / 29

  21. CREATE_CHILD_SA responder initiator SA i , N i , DH i , TS i , TS r SA r , N r , DH r , TS i , TS r ◮ sent in IKE SA ◮ may include additional information, e. g. signal rekeying 21 / 29

  22. Outline Overview IPsec databases Internet Key Exchange version 2 Encapsulating Security Payload IPsec processing 22 / 29

  23. ESP format source port destination port = 4500 length checksum 0 7 8 15 16 31 SPI sequence number (optional) initialization vector (variable) payload (variable) Traffic Flow Confidentiality padding (optional, variable) block cipher padding (optional, variable) pad length next header Integrity Check Value (variable) 23 / 29

  24. Protocols and modes plain IP IP TCP L7 ESP tunnel IP ESP IP TCP L7 ESP ESP transport IP ESP TCP L7 ESP AH tunnel IP AH IP TCP L7 AH transport IP AH TCP L7 24 / 29

  25. Replay protection and integrity ◮ check ICV ◮ some fields are not transmitted, e. g. part of the sequence number Replay protection: ◮ counter starts at zero ◮ right window edge: highest received ◮ 64 lower allowed; even lower: discard ◮ bit mask in between 25 / 29

  26. Outline Overview IPsec databases Internet Key Exchange version 2 Encapsulating Security Payload IPsec processing 26 / 29

  27. Red to black red discard SPD lookup protect SAD lookup bypass SA found apply SA transformations create SA forwarding 27 / 29

  28. Black to red black IPsec wait for fragments discard lookup SA using SPI SPD check found SA process ESP/AH bypass matches forwarding check SPD inbound selector 28 / 29

  29. Software ◮ ip xfrm ◮ strongswan ◮ setkey ◮ racoon/racoon2 29 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

your exercise iLab 1+2 info event online Tell your friends!

your exercise iLab 1+2 info event online Tell your friends!

The iLab Experience a blended learning hands-on course concept you set the focus Final Lecture Marc-Oliver Pahl, Jul 25, 2017 your exercise iLab 1+2 info event online Tell your friends!

1.81k views • 96 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Surveillance and operational security 14ws 1 lecture evaluation oral

916 views • 30 slides
ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP addresses. Human beings do not memorize IP

779 views • 23 slides
ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to

ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to applications application application 4

647 views • 26 slides
iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 7 17ws 1 / 41 Outline Trust Transport Layer Security Packet filter

1.19k views • 43 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 18ss 1 / 36 Outline Introduction Trust architecture Protocols Attacks

663 views • 45 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 16ss 1 / 38 Outline Introduction Trust architecture Protocols Attacks

879 views • 47 slides
iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 16ss 1 / 34 Motivation: IPv4 Address Scarcity source:

784 views • 54 slides
course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance, operational security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt

986 views • 47 slides
iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 4 14ws 1 Outline Transport Layer UDP TCP MTCP / SCTP 2 Outline

720 views • 32 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen October 18, 2017 Based on slides of Lukas Schwaighofer 1

678 views • 46 slides
iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen April 25, 2017 Based on slides of Lukas Schwaighofer 1

471 views • 10 slides
iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de

iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de

iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 2 17ws 1 / 21 Outline Meta

540 views • 27 slides
The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself - Hardware YE - Topic Outline May 29, 2018 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP

1.64k views • 125 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
IKE Context Transfer IKE Context Transfer in an IPv6 Mobility Environment in an IPv6 Mobility

IKE Context Transfer IKE Context Transfer in an IPv6 Mobility Environment in an IPv6 Mobility

IKE Context Transfer IKE Context Transfer in an IPv6 Mobility Environment in an IPv6 Mobility Environment Fabien Allard Fabien Allard (FT R&D) (FT R&D) Jean-Marie Bonnin (Tlcom Bretagne) Jean-Marie Bonnin (Tlcom Bretagne)

441 views • 14 slides
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues

IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues

IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service Many solutions

543 views • 25 slides
What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance

What's New with SELinux Stephen D. Smalley sds@tycho.nsa.gov National Information Assurance Research Laboratory National Security Agency National Information Assurance Research Laboratory 1 Advances in SELinux Deploying new

440 views • 25 slides
Network Infrastructure Security APRICOT 2005 Workshop February 18-20, 2005 Merike Kaeo

Network Infrastructure Security APRICOT 2005 Workshop February 18-20, 2005 Merike Kaeo

Network Infrastructure Security APRICOT 2005 Workshop February 18-20, 2005 Merike Kaeo merike@doubleshotsecurity.com Agenda (Day 2) Securing Data Traffic Packet Filters Encryption (IPsec vs SSL) Logging Information What to

1.38k views • 114 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec SSL/TLS EAP

695 views • 48 slides
Network Access for Remote Users Dr John S. Graham ULCC j.graham@ulcc.ac.uk Review of

Network Access for Remote Users Dr John S. Graham ULCC j.graham@ulcc.ac.uk Review of

Network Access for Remote Users Dr John S. Graham ULCC j.graham@ulcc.ac.uk Review of Technologies Remote Site Private Leased Lines Kilostream or Megastream Circuits LES ISDN EPS9 ISP Remote User

957 views • 21 slides

More recommend