the libreswan project
play

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for - PowerPoint PPT Presentation

Jan 30, 2024 •661 likes •917 views

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

  1. THE LIBRESWAN PROJECT An Internet Key Exchange (“IKE”) daemon for IPsec • Enterprise IPsec based VPN solution • Make encryption the default mode of communication • Certifjcations (FIPS, Common Criteria, USGv6, etc.) • Contributing to IETF Standards for IKE and IPsec 1 Opportunistic Encryption using IPsec

  2. TYPICAL SITE TO SITE VPN Individual networks are unencryped, only the interconnect is encrypted 2 Opportunistic Encryption using IPsec

  3. TYPICAL REMOTE ACCESS VPN End device to site network access point encrpyted – LAN still unencrypted 3 Opportunistic Encryption using IPsec

  4. “OPPORTUNISTIC ENCRYPTION” • “Try to setup IPsec to everyone” • It failed to be deployed widely: Packet trigger based needs to map to some kind of identity – IKE/IPsec had only mutual authentication, mobile users could not – easily get an identity and publish it. Used reverse DNS zone (in-addr.arpa) which no one controlled – DNSSEC deployment needed for secure use of DNS – NAT s breaks everything – Users didn't care too much (until Snowden) – 4 Opportunistic Encryption using IPsec

  5. “OPPORTUNISTIC IPSEC” • T erm used to mean “any packet trigger based IPsc” enterprise mesh encryption – Internet wide – 5 Opportunistic Encryption using IPsec

  6. NULL AUTHENTICATION FOR IKEV2 (2015) • IKEv2 (2005) already allowed asymmetrical authentication • We needed Anonymous client to Authenticated Server • We wanted Anonymous to Anonymous (passive attack protection) • Makes IPsec work like TLS 6 Opportunistic Encryption using IPsec

  7. OPPORTUNISTIC IPSEC DEPLOYMENT End-to-end encryption using IPsec 7 Opportunistic Encryption using IPsec

  8. OPPORTUNISTIC IPSEC GATEWAY Use a Linux gateway to protect devices not able to run opportunistic 8 Opportunistic Encryption using IPsec

  9. LIBRESWAN – GROUP POLICIES Group fjles in /etc/ipsec.d/policies/*.conf list network CIDRs to match /etc/ipsec.d/policies/block Drop all packets /etc/ipsec.d/policies/block Drop all packets /etc/ipsec.d/policies/clear Only allow cleartext /etc/ipsec.d/policies/clear Only allow cleartext /etc/ipsec.d/policies/clear-or-private Default clear, allow /etc/ipsec.d/policies/clear-or-private Default clear, allow crypto crypto /etc/ipsec.d/policies/private Mandate crypto, hard fail /etc/ipsec.d/policies/private Mandate crypto, hard fail /etc/ipsec.d/policies/private-or-clear Attempt crypto, allow /etc/ipsec.d/policies/private-or-clear Attempt crypto, allow clear clear # cat /etc/ipsec.d/policies/private-or-clear # cat /etc/ipsec.d/policies/private-or-clear 193.110.157.0/24 193.110.157.0/24 193.111.228.0/24 193.111.228.0/24 # cat /etc/ipsec.d/policies/private # cat /etc/ipsec.d/policies/private 10.0.0.0/8 10.0.0.0/8 192.168.0.0/16 192.168.0.0/16 9 Opportunistic Encryption using IPsec

  10. ENTERPRISE CLOUD MESH ENCRYPTION Confjguration for mandated mutual certifjcate based authentication For example add 10.0.0.0/8 to /etc/ipsec.d/policies/private For example add 10.0.0.0/8 to /etc/ipsec.d/policies/private # install localcertificate: ipsec import node1.example.com.p12 # install localcertificate: ipsec import node1.example.com.p12 # /etc/ipsec.d/YourCloud.conf # /etc/ipsec.d/YourCloud.conf conn private conn private left=%defaultroute left=%defaultroute leftid=%fromcert leftid=%fromcert # our certificate # our certificate leftcert=node1.example.com leftcert=node1.example.com right=%opportunisticgroup right=%opportunisticgroup rightid=%fromcert rightid=%fromcert # their certificate transmitted via IKE # their certificate transmitted via IKE rightca=%same rightca=%same ikev2=insist ikev2=insist authby=rsasig authby=rsasig failureshunt=drop failureshunt=drop negotiationshunt=hold negotiationshunt=hold auto=ondemand auto=ondemand 10 Opportunistic Encryption using IPsec

  11. OPTIONAL OPPORTUNISTIC IPSEC Confjguration for optional anonymous IPsec For example add 0.0.0.0/0 to /etc/ipsec.d/policies/private-or- For example add 0.0.0.0/0 to /etc/ipsec.d/policies/private-or- clear clear conn private-or-clear conn private-or-clear left=%defaultroute left=%defaultroute leftauth=null leftauth=null leftid=%null leftid=%null rightauth=null rightauth=null rightid=%null rightid=%null right=%opportunisticgroup right=%opportunisticgroup authby=null authby=null ikev2=insist ikev2=insist failureshunt=passthrough failureshunt=passthrough negotiationshunt=passthrough negotiationshunt=passthrough # to not leak during IKE negotiation, use # to not leak during IKE negotiation, use # negotiationshunt=hold # negotiationshunt=hold auto=ondemand auto=ondemand # clear-or-private uses auto=add # clear-or-private uses auto=add 11 Opportunistic Encryption using IPsec

  12. UNBOUND DNS IPSEC MODULE Use DNS based public keys for IPsec authentication 1. Unbound DNS server IPsec module • When looking up A/AAAA records, also lookup IPSECKEY records • If no IPSECKEY records: return A/AAAA answers ● • If IPSECKEY record found: give DNS QNAME, IPSECKEY, TTL, A/AAAA records to IKE ● libreswan initiates IKE and establishes IPSEC tunnel ● – Server authenticated against IPSECKEY record – Client uses AUTH-NULL and remains anonymous – On failure, returns error, causes DNS ServFail error return A/AAAA answers to application (and cache) ● 12 Opportunistic Encryption using IPsec

  13. UNBOUND CONFIGURATION /etc /unbound/unbound.conf 13 Opportunistic Encryption using IPsec

  14. A “NAT” LAYER INSIDE IPSEC Obtained IP address (for tunnel mode) only lives inside IPsec 193.110.15.131 Remote Opportunistic IPsec server 193.110.15.131 Remote Opportunistic IPsec server 192.168.2.45 Opportunistic Client pre-NAT IP address 192.168.2.45 Opportunistic Client pre-NAT IP address 100.64.0.1 IP address from IPsec server address pool 100.64.0.1 IP address from IPsec server address pool # ip xfrm pol # ip xfrm pol src 100.64.0.2/32 dst 193.110.157.131/32 src 100.64.0.2/32 dst 193.110.157.131/32 dir out priority 2080 ptype main dir out priority 2080 ptype main tmpl src 192.1.2.45 dst 193.110.157.131 tmpl src 192.1.2.45 dst 193.110.157.131 proto esp reqid 16389 mode tunnel proto esp reqid 16389 mode tunnel src 193.110.157.131/32 dst 100.64.0.2/32 src 193.110.157.131/32 dst 100.64.0.2/32 dir fwd priority 2080 ptype main dir fwd priority 2080 ptype main tmpl src 193.110.157.131 dst 192.1.2.45 tmpl src 193.110.157.131 dst 192.1.2.45 proto esp reqid 16389 mode tunnel proto esp reqid 16389 mode tunnel src 193.110.157.131/32 dst 100.64.0.2/32 src 193.110.157.131/32 dst 100.64.0.2/32 dir in priority 2080 ptype main dir in priority 2080 ptype main tmpl src 193.110.157.131 dst 192.1.2.45 tmpl src 193.110.157.131 dst 192.1.2.45 proto esp reqid 16389 mode tunnel proto esp reqid 16389 mode tunnel src 192.168.2.45/32 dst 193.110.157.131/32 src 192.168.2.45/32 dst 193.110.157.131/32 dir out priority 2080 ptype main dir out priority 2080 ptype main tmpl src 192.1.2.45 dst 193.110.157.131 tmpl src 192.1.2.45 dst 193.110.157.131 proto esp reqid 16389 mode tunnel proto esp reqid 16389 mode tunnel 14 Opportunistic Encryption using IPsec

  15. A “NAT” LAYER INSIDE IPSEC use iptables to NAT to the IP address assigned via IKE 193.110.15.131 Remote Opportunistic IPsec server 193.110.15.131 Remote Opportunistic IPsec server 192.168.2.45 Opportunistic Client pre-NAT IP address 192.168.2.45 Opportunistic Client pre-NAT IP address 100.64.0.1 IP addres from IPsec server addresspool 100.64.0.1 IP addres from IPsec server addresspool # iptables -t nat -L -n # iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) Chain PREROUTING (policy ACCEPT) target prot opt source destination target prot opt source destination DNAT all -- 193.110.157.131 100.64.0.1 DNAT all -- 193.110.157.131 100.64.0.1 policy \ match dir in pol ipsec to:192.168.2.45 policy \ match dir in pol ipsec to:192.168.2.45 Chain POSTROUTING (policy ACCEPT) Chain POSTROUTING (policy ACCEPT) target prot opt source destination target prot opt source destination SNAT all -- 0.0.0.0/0 193.110.157.131 SNAT all -- 0.0.0.0/0 193.110.157.131 policy \ match dir out pol ipsec to:100.64.0.1 policy \ match dir out pol ipsec to:100.64.0.1 Basically: NAT within the IPsec subsystem Basically: NAT within the IPsec subsystem 15 Opportunistic Encryption using IPsec

  17. IPSEC ISSUES FOR HUMAN BEING 1. XFRM without interfaces is too hard for fjrewall admins to confjgure rules 2. XFRM + tcpdump = madness 3. NAT + IPsec = foot bullet 4. IPsec MTU issues / workaround is hard (TCPMSS, clamping) 5. XFRM for hub-spoke tunnel kills lan trafc (10.0.0.0/8 ↔ 10.0.0.0/24) 6. XFRM + DSL/LAN (one interface) + rp_fjlter = martians 7. IPsec SA fags are undocumented: noecn, decap-dscp, nopmtudisc, esn wildrecv, icmp, af-unspec, align4 8. ip xfrm monitor throws error for XFRM_MIGRATE messages 9. Using /proc values is dangerous / undefjned / unknown /proc/sys/net/core/xfrm_acq_expires (linked to get_newspi() ) – /proc/sys/net/core/xfrm_larval_drop (linked to packet caching) – /proc/ sys/net/core/xfrm_aevent_etime / aevent_rseqth (?) – 17 Opportunistic Encryption using IPsec

  18. IPSEC ISSUES FOR HUMAN BEING Errors in /proc/net/xfrm_stat 18 Opportunistic Encryption using IPsec

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its

Libreswan Teaching old code new tricks! Libreswan is an IKE (Internet Key Exchange) daemon. Its origins can be traced back to the 90s. But what is IKE and why should it run on NetBSD? BSDCan 2020 Andrew Cagney freenode.net #swan cagney

681 views • 40 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Project Project Project Evolution of project Structured Collaborative Project Unstructured

Project Project Project Evolution of project Structured Collaborative Project Unstructured

Alain Fournier Presentation: Project Management Tools for Increasing Project Success! Alain is a Project and Portfolio Management Solutions Executive with Microsoft Canada specializing in Cloud Productivity Solutions Have over 20 years of

428 views • 21 slides
evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A

evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A

Effective post project evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A successful project? Agenda for today Who are LCMB? The context for post project evaluation The project lifecycle Post project

476 views • 32 slides
BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title:

BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title:

BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title: Business Process Re-engineering and functional toolkit for GDPR compliance Contract number: 787149 Funded under the H2020 call DS-08-2017

421 views • 22 slides
HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT

HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT

HHS // IHS HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT Modernization Project is sponsored by the U.S. Department of Health and Human Services Office of the Chief Technology Officer (HHS OCTO)

712 views • 13 slides
NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization

NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization

2 nd Annual Rural Community Development Initiative Capacity Building and Wood Utilization Workshop NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization Major Milestones Accomplishments

631 views • 12 slides
2013 Project Excellence Awards Project Requirements In-house design project Project

2013 Project Excellence Awards Project Requirements In-house design project Project

2013 Project Excellence Awards Project Requirements In-house design project Project constructed or near completion Judging Criteria Unique design considerations Constructability Post-construction performance Stakeholder

682 views • 29 slides
This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps. Chapter One: The first step is about narrating some facts, by which my project and research were based on. Egypt is located in north east africa,

690 views • 46 slides
Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE

Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE

Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE Drainage Alternatives 6. Project Benefits 7. Open Forum 8. Adjourn Project Location Project Background ASCG Inc. completed a Project Development

321 views • 15 slides
Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project

Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project

Minimum Spanning Data Structures and Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project 4 Assigned Today - Same partners as project 3 - We will re-run project 3 grading on project 4, just like the

704 views • 59 slides
Presentation Agenda Project History/Background Project Overview Current Project Status

Presentation Agenda Project History/Background Project Overview Current Project Status

Presentation Agenda Project History/Background Project Overview Current Project Status Project Opportunities 1 1 Pre-Solicitation Conference June 2018 www.newnicebridge.com 2 Welcome and Introductions Project Team MDTA

776 views • 38 slides
1 We will begin with some background information on the project. We will then talk about why we

1 We will begin with some background information on the project. We will then talk about why we

Welcome. My name is Mark Frechette. I am the project director for the New York State Department of Transportations (NYSDOT) I 81 Viaduct Project. Thank you for being here tonight. The project team has been working hard and we are excited to

548 views • 39 slides
I-84 Danbury Project Project Advisory Committee (PAC) Meeting No. 3 September 24, 2019 0

I-84 Danbury Project Project Advisory Committee (PAC) Meeting No. 3 September 24, 2019 0

I-84 Danbury Project Project Advisory Committee (PAC) Meeting No. 3 September 24, 2019 0 Agenda PAC Membership and Recap of Outreach Efforts Perspective Gathering Exercise Project Need Project Need Check-in Project Purpose

940 views • 54 slides
PROJECT INFORMATION SESSION May 14, 2020 TOPICS TO COVER Project Purpose Project

PROJECT INFORMATION SESSION May 14, 2020 TOPICS TO COVER Project Purpose Project

WETLAND & RIPARIAN INVENTORIES FOR UGB EXPANSION AREAS PROJECT INFORMATION SESSION May 14, 2020 TOPICS TO COVER Project Purpose Project Approach Who is Involved What is Needed to Make it Happen How the Project Will

581 views • 46 slides
ORMONDE MINING BARRUECOPARDO TUNGSTEN PROJECT Project Permitted Project Funded Project

ORMONDE MINING BARRUECOPARDO TUNGSTEN PROJECT Project Permitted Project Funded Project

ORMONDE MINING BARRUECOPARDO TUNGSTEN PROJECT Project Permitted Project Funded Project Upside Mar 2017 1 ORMONDE MINING Disclaimer The content of this document has not been approved by an authorised person within the meaning of the

712 views • 21 slides
Generalization Correctness David Greve Rockwell Collins March 15, 2017 This research was

Generalization Correctness David Greve Rockwell Collins March 15, 2017 This research was

Generalization Correctness David Greve Rockwell Collins March 15, 2017 This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA) under Contract FA8750-16-C-0218. Distribution Statement A: Approved for

631 views • 15 slides
Networking based on slides by Prof. Sirer, Bracy, Van Renesse, Ross, Kurose 1 Basic Network

Networking based on slides by Prof. Sirer, Bracy, Van Renesse, Ross, Kurose 1 Basic Network

Networking based on slides by Prof. Sirer, Bracy, Van Renesse, Ross, Kurose 1 Basic Network Abstraction A process can create endpoints Each endpoint has a unique address Processes can receive messages on endpoints Processes can send

1.82k views • 154 slides
Hybrid Apps Mike Hartington, GDE & Developer Advocate at Ionic Gary Schultz, VP of Marketing

Hybrid Apps Mike Hartington, GDE & Developer Advocate at Ionic Gary Schultz, VP of Marketing

Hybrid Apps Mike Hartington, GDE & Developer Advocate at Ionic Gary Schultz, VP of Marketing & Sales at BrieBug What is a Hybrid Application? Hybrid applications are a blend of both native mobile (iOS / Android) and web technologies where

348 views • 8 slides
Network Layer (The Data Plane): Recap Network Layer Overview Router Architecture

Network Layer (The Data Plane): Recap Network Layer Overview Router Architecture

Network Layer (The Data Plane): Recap Network Layer Overview Router Architecture Network Layer Functions and Service Models Network Layer Functions IP Addressing DHCP Network Service Models: Virtual Circuit

745 views • 56 slides
Massive Stars Mass Loss Mathieu Renzo Advisors: S. N. Shore, C. D. Ott 1 / 8 Mass Loss - Why is

Massive Stars Mass Loss Mathieu Renzo Advisors: S. N. Shore, C. D. Ott 1 / 8 Mass Loss - Why is

TASC 2014, November 7, UCSD Massive Stars Mass Loss Mathieu Renzo Advisors: S. N. Shore, C. D. Ott 1 / 8 Mass Loss - Why is it important ... ... for the stellar structure? ... for the environment? Evolutionary timescale chemical and

653 views • 8 slides
TITLE Los Gatos Rotary Club visit Orrin Mahoney A little bit about me 35 year career at HP

TITLE Los Gatos Rotary Club visit Orrin Mahoney A little bit about me 35 year career at HP

TITLE Los Gatos Rotary Club visit Orrin Mahoney A little bit about me 35 year career at HP Second life as a volunteer and elected official (Councilmember and two time Cupertino Mayor Cupertino Rotary member since 2000 How did I

507 views • 25 slides
D4 project https://www.d4-project.org/ 20190207 Alexandre Dulaunoy - Sami Mokaddem P roblem

D4 project https://www.d4-project.org/ 20190207 Alexandre Dulaunoy - Sami Mokaddem P roblem

D4 Project Open and collaborative network monitoring Team CIRCL D4 project https://www.d4-project.org/ 20190207 Alexandre Dulaunoy - Sami Mokaddem P roblem statement CSIRTs (or private organisations) build their own honeypot, honeynet or

549 views • 28 slides
IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break 13:00 - 14:00 Lunch 15:30 - 15:45 Break 17:30 End 2 Introductions Name Number in the list Experience with Security and IPv6

1.9k views • 173 slides

More recommend