ipsec
play

IPsec real end-to-end security without VPNs FUKT Computer Society - PowerPoint PPT Presentation

May 19, 2023 •460 likes •927 views

IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Bjrn Phlsson Who are we? FUKT Computer Society Unix system since 1995 Using IPsec since 2003 FUKT is a society/club for computer enthusiasts

  1. IPsec real end-to-end security without VPNs FUKT Computer Society Teddy Hogeborn Björn Påhlsson

  2. Who are we? ● FUKT Computer Society – Unix system since 1995 – Using IPsec since 2003 ● FUKT is a society/club for computer enthusiasts – A computer system with many servers – Holds lectures ☺ – Meet, experiment and tinker – A lot of (almost 100) members – Had some nice rooms until recently

  3. What is IPsec? A more basic and conceptually cleaner way to encrypt and authenticate Internet communications. IP TCP Data IP TCP Data IP ESP TCP Data Encrypted UDP ICMP etc.

  4. ● IPsec is simpler on a conceptual level, like speaking Navajo* instead of using Enigma. ● It’s still hard to learn Navajo * http://www.navajocodetalkers.org/

  5. Is IPsec some special Linux thing? No. ● First standard in 1995 ● Third standard in 2005 ● Supported for a long time – Unix – Mac OS X – Windows NT and later (2000, XP, etc.) – Most other operating systems

  6. Why is IPsec not more widely used? ● Complex to configure – People prefer simpler methods ● Old key management standard “IKE” very complex – Phase 1/Phase 2/Main mode/Quick mode/ Aggressive mode/ – 4 different methods, 8 ways to do it – New “IKEv2” standard is better ● Not widely supported yet

  7. What will be covered in this lecture? ● Why use IPsec? ● How IPsec works, in theory... ● ...and practice – (in Debian with Racoon and an early release of OpenIKEv2)

  8. Why use IPsec? ● Why encryption/authentication? ● Single point of failure? ● What's wrong with using VPNs? ● Why not use an SSH tunnel? ● Why not use TLS? ● Monitoring and external firewalls? ● How is IPsec better? – Pros and cons of IPsec

  9. Why encryption/ authentication? ● Encryption is important – Privacy from traffic sniffers ● Authentication is important – Protection from spoofing and man-in-the- middle attacks ● Examples: – Protect NFS, NIS, SMB... – Targeted security (lazy sysadmins) ● Forced encryption for all applications ● Also on the local network!

  10. Single point of failure? ● IPsec is only meant for – Encryption – Authentication of hosts – Replay protection – Traffic flow confidentiality ● Not meant for authorization or user authentication – Left to individual services and programs ● Extra security can easily be added – Beyond the scope of this talk

  11. What’s wrong with VPNs? ● Why a tunnel? – Two identical IP headers ● Does not protect individual hosts ● Creates stereotypical network design – Makes you fall into a design pattern which may not be appropriate ● End-to-end principle* states: – Intelligence at the end points – As little intelligence as possible in between – No host should rely on something else to protect it from “bad” traffic. *http://www.reed.com/Papers/endtoend.pdf

  12. Why not use SSH tunnels? ● SSH is a remote login system – SSH tunnels not a general tunneling mechanism ● Tunnels always alongside a login – Needs a remote user ● Authenticates users, not machines ● Only passwords and its own unique public key system

  13. Why not use TLS? (Used to be called SSL, as used in HTTPS) ● Only for TCP traffic ● Can only use X.509 certificates ● Support must exist in all applications – A lot of work to configure all of them ● Both client and server programs need access to their respective private keys – If a single host key is used, all server programs need access to it.

  14. Brute force works , but… ● You can tunnel anything over anything ● TLS over TCP over IP over PPP over Telnet over TCP over IP… IP TCP Telnet PPP IP TCP TLS Data ● Rainbows are pretty, but not elegant ● …nor efficient

  15. What about monitoring and firewalls? ● The goal of encryption is to defeat packet sniffing – Any encrypted traffic will bypass any external firewalls and can not be monitored ● IPsec potentially encrypts everything – The end hosts must secure themselves ● Some statistical analysis can still be done – IPsec has features to make even this difficult, since the person who makes the analysis might not be you

  16. How is IPsec better? ● Can encrypt everything (TCP, UDP, ICMP, SCTP, etc.) ● Does not require application support – I now run Telnet every day ● Offloads key management to a separate application – Can most often use at least either pre- shared keys or X.509 certificates – Can be upgraded and replaced over time ● Does not need to be handled and managed – it’s just there, invisible

  17. Downsides ● Need to be configured on both sides. ● Must be configured on the Operating System level – can not be changed or accessed by users ● Is CPU-bound – can be slow – Not compared to other encryption methods ● Algorithms can be selected and tuned – We encrypt everything… ● Adds some size overhead to packets – Not much compared to other methods Security Architecture for Control Networks using IPsec and KINK, Nobuo Okabe et al. http://www.taca.jp/docs/saint2005/12_nobuo_okabe.pdf Vincent Roy, Benchmarks for Native IPsec in the 2.6 Kernel, Linux Journal, October 2004 http://www.linuxjournal.com/article/7840

  18. Can IPsec be of use in WLANs? Yes, certainly. ● To IPsec, a WLAN is nothing special and is treated like any other network medium. ● WLANs, on the other hand, might need IPsec more than wire-based networks do, since WLANs are inherently less secure. ● If IPsec is used for everything , you could turn off WPA etc, since IPsec is better anyway. ● Won't give authority control – A Network Access Server with EAP-IKEv2 support can fix this

  19. What about IPv6? Yes, IPsec can do IPv6. ● IPsec is designed to be used with both IPv4 and IPv6. ● The IPv6 standards mandates IPsec support.

  20. Why bother with IPsec if it is so complex? ● It is getting better all the time. ● Since you only need to configure it once per host to secure all IP traffic , it is worth the effort. ● You don't really need to understand all of it to get it to work. – We are proof of this. ☺

  21. How does IPsec work? ● Much like a stateful firewall ● Security Policy Database (SPD) – Like a firewall rule list ● Security Association Database (SAD) – Like a stateful firewall’s list of current connection states

  22. ● Security Policy Database (SPD) ● Much like a firewall rule list ● Lists what packets should be encrypted or not ● Can specify by addresses, protocols and/or port numbers

  23. Security Association Database (SAD) ● Much like a stateful firewall’s list of current connection states ● Each Security Association (SA) has: – Encryption and hash algorithm – Session keys – Maximum lifetime and byte counts ● An SA must exist for packets to be encrypted. The SPD rules does nothing but indicate the need for an SA.

  24. Sequence of events (first outgoing packet) ● An outgoing packet is created locally ● The SPD is searched for a match ● An SA is created to match the parameters specified in the SPD – Any existing matching SA is reused ● Packet is encrypted, signed, padded, etc. according to the SA settings ● Packet is sent

  25. Sequence of events (first outgoing packet) SPD Encrypted Packet Packet SAD

  26. SPD Entry Found ● SA not created by the Kernel – only holds SPD and already created SAs ● A Key management daemon is signaled – Daemon uses IKE or IKEv2 protocol for key negotiation ● UDP port 500 ● Common Daemons are Racoon, ISAKMPd, Pluto, …

  27. A working connection ● Two SPD and SA entries on each host – one for outgoing, one for incoming ● Similarly configured key management daemons – Need to agree to use same algorithms, authentication method, etc. ● Negotiation phase need to be setup – can be same as for the SA ● Need access to authentication data – PSK, Private certificate

  28. Practical examples ● Have: – Two Debian computers – One certificate for the Certificate Authority , and one signed certificate for each host – Working network between ● On same local network or using the global Internet to a different continent does not matter – any connection works ● Want: – End to end IPsec ● Transport mode, not Tunnel mode (VPN)

  29. X.509 Certificates? ( very briefly) Host 1 Host 2 Internet communication CA cert CA cert copy copy Cert 1 Cert 2 CA cert key1 key2 key0 copy copy Signs Signs Cert 1 Cert 2 key1 key2

  30. X.509 Certificate programs ● These are graphical programs to manage X.509 certificates: – TinyCA ● http://tinyca.sm-zone.net/ – XCA ● http://www.hohnstaedt.de/xca.html

  31. X.509 is a nightmare itself ● If you don’t believe us: – Everything you Never Wanted to Know about PKI but were Forced to Find Out ● http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf – Generating X.509 Certificates ● From “ The official IPsec Howto for Linux ” – http://www.ipsec-howto.org/x595.html – The Open–source PKI Book http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm ● *(PKI = Public Key Infrastructure)

  32. Recap ● IPsec encrypts and authenticates ● Rule list called SPD, Security Policy Database ● An ongoing connection is an SA, a Security Association – Contains session key ● An SA is most often created by a key negotiation daemon – Typically uses IKE or IKEv2 to negotiate ● Kept in kernel

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte <laforge@netfilter.org> Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides
for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

Compression of IPsec AH and ESP Headers for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se goran.selandaer@ericsson.com 1 Status of the Document First submi<ed as a posi=on paper to the Smart

209 views • 18 slides
Linux Plumbers Conference 2011 LTTng 2.0 : Application, Library and Kernel tracing within your

Linux Plumbers Conference 2011 LTTng 2.0 : Application, Library and Kernel tracing within your

Linux Plumbers Conference 2011 LTTng 2.0 : Application, Library and Kernel tracing within your Linux distribution. E-mail: mathieu.desnoyers@efficios.com Mathieu Desnoyers September 9th, 2011 1 > Presenter Mathieu Desnoyers

421 views • 23 slides
DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R.

DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R.

DBIS: Directory-Based Information Services A replacement for NIS and RFC2307 by Mark R. Bannister dbis.sf.net Background RFC 2307, late 1990s (experimental) RFC 2307bis, 2002-2009 (draft) RFC 4876, 2007 nss_ldap (PADL, Sun

283 views • 9 slides
Project Plan Kubernetes Cluster Inspection Tool The Capstone Experience Team Google Dave Ackley

Project Plan Kubernetes Cluster Inspection Tool The Capstone Experience Team Google Dave Ackley

Project Plan Kubernetes Cluster Inspection Tool The Capstone Experience Team Google Dave Ackley Linghao Ji Guillermo Jimenez Haylee Quarles Casey Schneider Ben Whitelaw Department of Computer Science and Engineering Michigan State

310 views • 12 slides
S9545 - USING THE DEEPSTREAM SDK FOR AI-BASED VIDEO ANALYTICS Anudeep Nallamothu - NVIDIA

S9545 - USING THE DEEPSTREAM SDK FOR AI-BASED VIDEO ANALYTICS Anudeep Nallamothu - NVIDIA

S9545 - USING THE DEEPSTREAM SDK FOR AI-BASED VIDEO ANALYTICS Anudeep Nallamothu - NVIDIA Solutions Architect Andrew Bull - NVIDIA Solutions Architect Realtime Streaming Video Analytics Framework for Analyzing Video Understand

525 views • 51 slides
Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By

Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By

Next generation web scanning New Zealand: A case study First presented at KIWICON III 2009 By Andrew Horton aka urbanadventurer NZ Web Recon Goal: To scan all of New Zealand's web-space to see what's there. Requirements: Targets

802 views • 61 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
FINFISHER: FinFly ISP 2.0 Infrastructure Product Training Table of content 2 1. Introduction

FINFISHER: FinFly ISP 2.0 Infrastructure Product Training Table of content 2 1. Introduction

1 FINFISHER: FinFly ISP 2.0 Infrastructure Product Training Table of content 2 1. Introduction 2. The infrastructure - ADMF Client and Infection GUI - Administration: ADMF - iProxy: NDP01/02 - Radius Probe: RP01/02 - Communication 3. Use

901 views • 67 slides
Adaptive Scheduling Parameters Manager for A.Balsini SCHED DEADLINE Introduction Problem

Adaptive Scheduling Parameters Manager for A.Balsini SCHED DEADLINE Introduction Problem

SCHED DL: Adaptive Scheduling Parameters Manager Adaptive Scheduling Parameters Manager for A.Balsini SCHED DEADLINE Introduction Problem Optimistic vs Pessimistic Alessio Balsini Tools Overview a.balsini@sssup.it Kernel Module

784 views • 47 slides

More recommend