overview of ikev2
play

Overview of IKEv2 Dan Harkins Charlie Kaufman Radia Perlman 1 - PDF document

Feb 03, 2023 •468 likes •643 views

A n a l y s i s o f I K E Overview of IKEv2 Dan Harkins Charlie Kaufman Radia Perlman 1 Radia Perlman A n a l y s i s o f I K E What we were trying to do Consolidate RFCs 2407, 2408, and 2409 in one document Not make gratuitous

  1. A n a l y s i s o f I K E Overview of IKEv2 Dan Harkins Charlie Kaufman Radia Perlman 1 Radia Perlman

  2. A n a l y s i s o f I K E What we were trying to do • Consolidate RFCs 2407, 2408, and 2409 in one document • Not make gratuitous changes • Simplify • Fix ambiguities (commit bit, meaning of major/minor version numbers) • Fix bugs (reflection attacks, lost messages) • Add flexibility where it seemed necessary (e.g., traffic selectors, critical bit) • Reduce latency • Allow stateless cookies 2 Radia Perlman

  3. A n a l y s i s o f I K E Basic IKEv2 • IKE SA+IPsec SA established in 4 messages • Exchange based on public signature keys • Hides both identities from passive attacker • 1st child-SA (ESP, AH, IPcomp) established during messages 3 and 4 of the IKE SA • Future child-SAs (new IPsec SA, or rekeying of IKE SA) established in 2 messages 3 Radia Perlman

  4. A n a l y s i s o f I K E Forward Compatibility • Version numbers - minor v# informational only. Ignored by node with smaller v# - major changed if protocol incompatible. Reject message if v# not supported - Rejection is unauthenticated - Major v# in header is v# of packet - Bit in header “I could do higher version” • Critical flag in payloads (so can add new payloads and decide if it’s appropriate to reject message with those, or skip that payload) • Critical bit only relevant for unknown payloads. All the ones in the IKEv2 draft are required to be known. 4 Radia Perlman

  5. A n a l y s i s o f I K E Reliability • All messages request/response • Messages have sequence numbers (not, as in IKEv1, random message IDs) • Initiator is responsible for retransmission if it doesn’t receive a reply • Multiple requests allowed in transit (e.g. in parallel setting up a bunch of child-SAs) • Window size stated (not negotiated) in SA payload, can be different in the two directions 5 Radia Perlman

  6. A n a l y s i s o f I K E Traffic Selectors in v2 • “ID” payload only for IKE SA • Child-SA uses “traffic selector” payload • Allows lists of IP address ranges, port ranges • Responder can narrow choice. Not just reject • Can choose subset of ranges, or subset within a range, or say “no, must be single address pair” 6 Radia Perlman

  7. A n a l y s i s o f I K E Cookies • Rather than defining IKE-SA by (c i , c r ), treat each side’s cookie like an SPI • Both appear in the header, so can reply to the other side’s SPI (can’t do that with ESP/AH) • Only difference on wire from v1 is order of cookies is reversed in the two directions • v1’s (c i , c r ): - potential collision (unlikely unless malice ) - Only unlikely because cookies are required to be randomly chosen (but makes stateless choice impossible) - “must be unique” (also prevents stateless) 7 Radia Perlman

  8. A n a l y s i s o f I K E Dead Peers, SA Lifetimes • Always allowed to forget IKE-SA and all child-SAs at any time (what you’d do if you crash) • Unauthenticated messages (ICMP, IKE “no such SPI”) raise suspicion about dead peer • If suspicious (rate-limited) send reliable IKE message. If no reply, then delete SA • No reason to negotiate lifetime • If delete, send (reliable IKE) delete notification • Deleting IKE SA automatically deletes all child-SAs • Deleting child-SA just deletes that child-SA 8 Radia Perlman

  9. A n a l y s i s o f I K E Rekeying • Either side can rekey at any time • Rekeying of either child-SA or IKE-SA is done by creating new SA, and then deleting the old one • Rekeyed IKE-SA inherits all the child-SAs 9 Radia Perlman

  10. A n a l y s i s o f I K E Encryption/Integrity Protection Format • Complex in IKEv1 and different from anything else, weird IV calculation • We liked the “encrypt and integrity protect this blob” syntax from the ESP spec better length depends on crypto IV alg, usually 8 bytes data encrypted padding encrypted pad length encrypted reserved 1 byte, must be zero integrity includes IKE header 10 Radia Perlman

  11. A n a l y s i s o f I K E Negotiating Security Parameters • SA payload in IKEv1 - very complex - exponential explosion • v2: - Simpler - Allows a proposal with “any of these algorithms for, say, encryption, with any of these algorithms for, say integrity”. Responder chooses one of each type of algorithm when accepting the P - I wanted to change the name from “SA” but got outvoted 11 Radia Perlman

  12. A n a l y s i s o f I K E Negotiating Traffic Restrictions • An IPsec policy thing: say “I want this SA to only carry traffic from these sources to these destinations, using these ports, etc • IKEv1: Responder can just say “no” • IKEv2: We added ability for responder to give subset, or say “single pair” • Also allows sets of ranges of addresses, ports 12 Radia Perlman

  13. A n a l y s i s o f I K E The Exchange • Our paper from a year ago recommended - have Bob prove ID first - and a 3-message exchange for public signature keys • Decided instead Alice should prove ID first - Else trivial to poll to see who is at an address • Decided 4 msgs better - piggybacking child-SA: Alice has better idea of appropriate policy - initiator has data to send. If no 4th msg, can’t know when OK to send the data - spec easier: reliability burden on initiator - can do stateless cookie without extra 2 msgs 13 Radia Perlman

  14. A n a l y s i s o f I K E The Exchange Alice Bob g A mod p, crypto proposal, N i , [certreq] g B mod p, crypto accepted, N r , [certreq] K=f(nonces, SPIs, g AB mod p) {“Alice”, sig on msgs 1/2, [cert], child}K {“Bob”, sig on msgs 1/2, [cert], child}K • Bob can optionally refuse 1st message and require return of stateless cookie, extra 2 msgs • If Alice repeats info in msg 3, can avoid extra 2 msgs 14 Radia Perlman

  15. A n a l y s i s o f I K E Create Child-SA Alice Bob {proposal, nonce, [g A mod p], TS} {proposal, nonce, [g B mod p], TS} • proposal = crypto suites, SPI, protocol (ESP, AH, and/or IPcomp) • TS=description of traffic to be sent • Derived keys=function of IKE keying material plus nonces in this exchange, plus output of optional Diffie-Hellman 15 Radia Perlman

  16. A n a l y s i s o f I K E Variants • Now that spec written, easy to modify • The exchange is easily changed • Things to consider - Bill Sommerfeld’s “birth certificate” - Different keys in the two directions for IKE - Specifying encryption/integrity format explicitly - Making stateless 4-message exchange - Preshared secret keys...weak secrets (SRP)? 16 Radia Perlman

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01 What Problem Does This Document Solve Tries to educate implementors that IKEv2 is not complex and difficult to implement. Why Do People

363 views • 5 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
CGA as alternative security credentials with IKEv2: implementation and analysis SAR-SSI 2012

CGA as alternative security credentials with IKEv2: implementation and analysis SAR-SSI 2012

CGA as alternative security credentials with IKEv2: implementation and analysis SAR-SSI 2012 Orange Labs Jean-Michel Combes (France Telecom - Orange) Aurlien Wailly (France Telecom - Orange) Maryline Laurent (Telecom Sud Paris)

580 views • 26 slides
Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli (vijay.devarapalli@azairenet.com) Assumptions in RFC 3775, 3963 There is only one primary care-of address per mobile node The primary care-of

240 views • 7 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security Symposium, 2008 Many Protocols Authentication and key exchange SSL/TLS, Kerberos, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP,

959 views • 71 slides
OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2 Coin and card meters OVERVIEW PRESENTATION / 3 Making garages work better OVERVIEW PRESENTATION / 4 User interface and customer experience OVERVIEW

1.3k views • 24 slides
OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF park overview OVERVIEW PRESENTATION / 3 Coin and card meters OVERVIEW PRESENTATION / 4 Improving the customer experience at garages OVERVIEW

567 views • 25 slides
GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

National Taiwan University Department of Computer Science and Information Engineering GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin Phone Lin Ph.D. Ph.D. Email: plin@csie.ntu.edu.tw Email:

686 views • 41 slides
i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

LGE UNICAMP The m i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW The m i c r o g u a r d ETHANOL s OVERVIEW The m i c Ideal conditions r o g Costs-benefits u a r d

1.39k views • 59 slides
Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95# Commissioner --BRYC Firefighter II, EMT-B, HTR & HZMT Tech City of Alexandria Fire and EMS Overview Overview Hyperthermia (Heat Related Injuries)

2.61k views • 31 slides
1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure Industry Business Model Hotels Overview Disclaimer This presentation does not constitute, or form any part of any offer for sale or subscription

808 views • 32 slides
2019 Academic Advising In Service Training June 18th & 19th Hosted by the Office of Campus

2019 Academic Advising In Service Training June 18th & 19th Hosted by the Office of Campus

2019 Academic Advising In Service Training June 18th & 19th Hosted by the Office of Campus Advising Coordination Why were here Why were focusing on the 4th year Focus on Advising NACADAs Concept of Advising Advising as a

989 views • 79 slides
State of Multicore OCaml KC Sivaramakrishnan University of OCaml Labs Cambridge Outline

State of Multicore OCaml KC Sivaramakrishnan University of OCaml Labs Cambridge Outline

State of Multicore OCaml KC Sivaramakrishnan University of OCaml Labs Cambridge Outline Overview of the multicore OCaml project Multicore OCaml runtime design Future directions Multicore OCaml Multicore OCaml Add native

932 views • 62 slides
Your Resume or CV as an Undergrad or Recent Grad Whats Your Spark? This Lesson: Read OR

Your Resume or CV as an Undergrad or Recent Grad Whats Your Spark? This Lesson: Read OR

How to W Walk Through Your Resume or CV as an Undergrad or Recent Grad Whats Your Spark? This Lesson: Read OR Watch It This video walks you through the key points of our undergrad/recent grad templates but its not really

234 views • 12 slides
INTRODUCTION TO BRINGING MULTIPLE STRANDS OF WORK TOGETHER Paul Gaston Norm Jones Dan

INTRODUCTION TO BRINGING MULTIPLE STRANDS OF WORK TOGETHER Paul Gaston Norm Jones Dan

INTRODUCTION TO BRINGING MULTIPLE STRANDS OF WORK TOGETHER Paul Gaston Norm Jones Dan McInerney Op Opening g reminder Would you like yo share more information with colleagues on your campus about the DQP and Tuning?

480 views • 44 slides
Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai, Ramnatthan Alagappan, Lanyue Lu, Vijay Chidambaram, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau Application-Level Crash Consistency Storage must

2.09k views • 139 slides
BEYOND MAJOR AND MINOR 21 st -Century Elementary Music Textbooks by Diane M. Lange Expanding

BEYOND MAJOR AND MINOR 21 st -Century Elementary Music Textbooks by Diane M. Lange Expanding

An Examination of the Tonalities and Meters in BEYOND MAJOR AND MINOR 21 st -Century Elementary Music Textbooks by Diane M. Lange Expanding Musical There is a rich history of songs tonalities. Publishers of kindergarten and throughout the

190 views • 4 slides
POLITICAL Everything youll need to do to graduate is listed in your catalog SCIENCE

POLITICAL Everything youll need to do to graduate is listed in your catalog SCIENCE

SDSU 2020 THE CATALOG POLITICAL Everything youll need to do to graduate is listed in your catalog SCIENCE https://curriculum.sdsu.edu/curriculum-services/general- catalog Use this, and your degree evaluation, throughout

308 views • 6 slides
Disclosures Arrhythmogenic Right Ventricular Cardiomyopathy: Abbott Labs: Grant support

Disclosures Arrhythmogenic Right Ventricular Cardiomyopathy: Abbott Labs: Grant support

9/14/2019 Disclosures Arrhythmogenic Right Ventricular Cardiomyopathy: Abbott Labs: Grant support Diagnosis Harikrishna Tandri Associate Professor of Medicine Director of VT Ablation Johns Hopkins Medical Institutions www.ARVD.com

582 views • 10 slides

More recommend