IPSec provides a framework for securing communications over IP networks by authenticating and encrypting IP packets. It includes protocols for authentication (Authentication Header or AH) and encryption (Encapsulating Security Payload or ESP). Key management protocols like Oakley and ISAKMP are used to establish security associations (SA) to protect communications between two endpoints. IPSec can operate in either transport mode to secure communications between applications, or tunnel mode to secure entire IP packets between network devices like VPN gateways.

1. IP Security

2. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header Encapsulating Security Payload Combinations of Security Associations Key Management

3. TCP/IP Example

4. Security facilities in the TCP/IP protocol stack

5. Need for IPSec Application level security services Electronic mail S/MIME, PGP Client Server Kerberos, X.509 Web access SSL, TLS, SET Enterprises need security at IP layer To protect security ignorant applications Additional security to applications with security mechanisms Establish private secure network

6. IPv4 Header

7. IPv6 Header

8. IP Security Overview IPSec is not a single protocol. IPSec provides a set of security algorithms IPSec provides a general security framework for a pair of communicating entities Across LAN, Private & Public WANs Across Internet

9. IP Security Overview Applications of IPSec Secure branch office connectivity over the Internet Secure remote access over the Internet Establsihing extranet and intranet connectivity with partners Enhancing electronic commerce security

10. IP Security Overview Benefits of IPSec Better firewall protection Transparent to applications (below transport layer (TCP, UDP) Provide security for individual users IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged

11. IP Security Scenario

12. IP Security Architectures Integrated architecture Supported in IPv6 Difficult to implement in IPv4 Bump in The stack (BITS) for IPv4 Between Data link and IP layers Bump in The Wire (BITW) Hardware implementation

13. IPSec RFCs IPSec documents: RFC 2401: An overview of security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 RFC 2408: Specification of key managament capabilities

14. IPSec Document Overview

15. IPSec Services Access Control Connectionless integrity Data origin authentication Rejection of replayed packets Confidentiality (encryption) Limited traffic flow confidentiallity

16. IPSec protocols Authentication header (AH) Encapsulating security payload (ESP) ESP with Authentication

17. Protocols vs services ESP(encryption and authentication) ESP(encryption only) AH yes yes no Limited traffic flow confidentiality yes yes no confidentiality yes yes yes Rejection of replay attacks yes yes Data origin authentication yes yes Connectionless integrity yes yes yes Access control

18. IPSec modes of operations Transport IPSec protects IP payload IPSec headers added before IP payload No change in IP header Tunnel IPSec protects total IP packet IPSec headers encapsulates IP packet New IP header is created

19. Discussion onTunnel and Transport mode Tunnel mode header order New IP hdr->IPsec hdr->old IP hdr->IP payload BITS or BITW architecture Choice for VPN Transport mode header order IP hdr->IPSec hdr->IP payload IPSec integrated architecture End to End security

20. Security services Encrypts inner IP packet. Authenticates inner IP packet. Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header ESP with authentication Encrypts inner IP packet Encrypts IP payload and any IPv6 extesion header ESP Authenticates entire inner IP packet plus selected portions of outer IP header Authenticates IP payload and selected portions of IP header and IPv6 extension headers AH Tunnel Mode SA Transport Mode SA Protocols

21. Security Associations (SA) One SA for one way relationship between a sender and a receiver Two SAs for two way relationship One SA for one protocol Uniquely Identified by three parameters: Security Parameter Index (SPI) Each SA identified by a bit string Carried in Ah & ESP headers IP Destination address Security Protocol Identifier

22. SA: Other parameters Seq num cntr : 32 bit value Seq cntr overflow: overflow flag Anti replay window: to find if incoming AH or ESP is a replay AH info: algo, keys etc ESP info: algo, keysetc Life time of this SA IPSec mode: transport, tunnel Path MTU:

23. Security Policy database (SPD) Each entry in SPD define a subset of IP traffic Selectors for IP and UL protocol values Points to an SA for that traffic Multiple entries -> single SA Multiple SAs -> single entry

24. SPD selector entries Dest IP address SRC IP address UserID Data sensitivity level ( Classification) Transport layer protocol:IPv4/IPv6 IPSec protocol: AH or ESP or both SRC dest ports IPv6 class IPv6 flow label IPv4 TOS

25. Authentication Header Provides support for data integrity and authentication (MAC code) of IP packets. Guards against replay attacks.

26. Anti-replay service Use of seq number field- 32 bits On each SA it is initialised to 0 Incremented for each packet When seq number > 2 32 -1 new SA Anti replay window

27. Authentication data Holds integrity check value HMAC-MD5-96, HMAC-SHA-1-96 MAC calculated over IP header field that unchange in transit Fields that are predictable Others set to zero for MAC AH header Other than authentication data which is set to 0 Entire UL protocol data Immutable IHL, src address Mutable but predictable Destination address Mutable TTL, hdr checksum

28. Before applying AH

29. Transport Mode (AH Authentication)

30. Tunnel Mode (AH Authentication)

31. End-to-end versus End-to-Intermediate Authentication

32. Encapsulating Security Payload ESP provides confidentiality services

33. Encryption and Authentication Algorithms Encryption: Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish Authentication: HMAC-MD5-96 HMAC-SHA-1-96

34. ESP Encryption and Authentication

35. ESP Encryption and Authentication

36. Combinations of Security Associations

37. Combinations of Security Associations

38. Combinations of Security Associations

39. Combinations of Security Associations

40. Key Management Ipsec management determination of keys Distribution of keys Typical requirements 4 keys between communicating applications Transmit and receive pairs Two types: Manual Automated on demand Oakley Key Determination Protocol Internet Security Association and Key Management Protocol (ISAKMP)

41. Diffie Hellman Key Exchange

42. Example Alice and Bob agree to use a prime number p =23 and base g =5. Alice chooses a secret integer a =6, then sends Bob ( g a mod p ) 5 6 mod 23 = 8. Bob chooses a secret integer b =15, then sends Alice ( g b mod p ) 5 15 mod 23 = 19. Alice computes ( g b mod p ) a mod p 19 6 mod 23 = 2. Bob computes ( g a mod p ) b mod p 8 15 mod 23 = 2.

43. Issues in Diffie Hellman key exchange Attractive features Secret keys created only when needed No pre-existing infrastructure required Weaknesses No information about identities of parties Man-in-the-middle attack Clogging attack

44. Oakley Based on Diffie Hellman algo Exchange of DH PK values Providing added security Cookies to thwart clogging attacks Two parties to negotiate a group Selection of global parameters Nonces to prevent replay attacks Authentication of DH exchange to prevent MITM attack Generic no specific format

45. Oakley : Use of Cookies exchange Each side send a PRN (cookie) initially Each side ack other This ack repeated in the first DH key exchange If the src address was forged opponent does not get ack Cannot make user calculate DH

46. Oakley : Use of Groups Each group define Global parameters q and α Modular expo with a 768 bit modulus Modular expo with a 1024 bit modulus Modular expo with a 1536 bit modulus Elliptical curve over 2 155 Elliptical curve over 2 185 Identity of algorithm DH Elliptical curve

47. Oakley: Authentication Three authentication methods: Digital signatures Eks[ H [Nonces, ID]] Public-key encryption EKra [ ID, Nonces] Symmetric-key encryption Eksym [ ID, Nonces]

48. ISAKMP Set of procedures, messages for SAs Establish, negotiate, modify and delete ISAKMP message Header + payloads Payload format independent of Key exchange protocol, encryption algo, authentication mechanism Uses UDP

49. ISAKMP

50. ISAKMP: payload types SA : SA initiation Proposal, Transform, KE ID Certificate Certificate request Hash Signature Nonce Notification Delete

51. ISAKMP: Exchange types Base exchange I->R: SA;Nonce R->I: SA:Nonce I->R: KE;IDi;Auth R->I: KE:IDr;Auth 4 messages; no ID protection

52. ISAKMP: Exchange types ID protection exchange I->R: SA R->I: SA I->R: KE;Nonce R->I: KE:Nonce * I->R: IDi;Auth * R->I: IDr;Auth 6 messages; ID protected

53. ISAKMP: Exchange types Authentication only exchange I->R: SA: Nonce R->I: SA; Nonce;IDr;Auth I->R: IDi;Auth 3 messages; authentication wo key exchange

54. ISAKMP: Exchange types Aggressive exchange I->R: SA: KE; Nonce;IDi R->I: SA; KE; Nonce;IDr;Auth * I->R: Auth 3 messages; Express SA set up wo ID protection

55. ISAKMP: Exchange types Informational exchange * I->R: N/D 1 message; Error or Status notification or deletion

56. Recommended Reading Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture . Prentic Hall, 1995 Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols . Addison-Wesley, 1994