CS 114: Network

Security
Lecture 16 - Virtual Private Networks

Prof. Daniel Votipka

Spring 2023
(some slides courtesy of Prof. Micah Sherr)
 Plan for today
• Administrivia
• Wireless Review
• Virtual Private Networks
• Overview
• Protocol - IPsec
• Key Management
• Packet Processing
• Alternatives
2
 Administrivia
• Mid-semester course surveys (end of class)
• Homework 1, part 2 grades are available
• Homework 1, part 3 now due 3/30
• Homework 2 now due 4/27

3
Wireless Review

4
Unsecured wireless:
Problem #1:
Everybody is the receiver.

5
MAC Filtering

6
 SSID hiding
• APs broadcast Service Set Identifiers (SSIDs) to announce their
presence
• In theory, these should identify a particular wireless LAN
• In practice, SSID can be anything that’s 2-32 octets long
• To join network, client must present SSID
• Crappy security mechanism for preventing interlopers:
• Don’t advertise SSID
• Problem:
• To join network, client must present SSID
• This is not encrypted, even if network supports WEP or WPA

7
 Wired Equivalent Privacy (WEP)

• Data transmission:
• Produce keystream S using RC4 with seed function f(K,IV)
• C=M⊕S
• send (IV, C) frames
• knowledge of IV and K sufficient to decrypt C
8
 WPA Authentication
Pairwise Transit Key (PTK) =
f(PSK, ANonce, SNonce, AP
MAC address, STA MAC
address)

Pre-Shared Key (PSK)

 Plan for today
• Wireless Review
• Virtual Private Networks
• Overview
• Protocol - IPsec
• Key Management
• Packet Processing
• Alternatives
10
Problem:

11
Work from home
Enterprise Servers
Virtual Private Networks
(VPNs)
• Provides secure access to private network over public links
• Often, goal is to provide access to corporate network
(intranet) from outside (Internet)
• Or, logically join physically separated networks
• Achieves some combination of:
• Confidentiality
• Integrity
• Mutual authentication

13
Telecommuter VPNs:
Client-to-Gateway
Enterprise Network
Enterprise Servers

14
Gateway-to-Gateway VPNs
Branch Branch

Branch Branch

15
How do we
build VPNs?

16
We can’t rebuild the Internet

17
 VPN Tunneling
Enterprise Network
Enterprise Servers

IP
EA,VPN(@MailServer,Data)

@MailServ
er,Dat a

18
 Plan for today
• Wireless Review
• Virtual Private Networks
• Overview
• Protocol - IPsec
• Key Management
• Packet Processing
19
 IPsec (not IPSec!)
• Host level protection service
• IP-layer security (below TCP/UDP)
• De-facto standard for host level security
• Developed by the IETF (over many years)
• Available in most operating systems/devices
• E.g., Windows, OS X, Linux, BSD*, …
• Not a single protocol; IPsec is a protocol suite
• Implements a wide range of protocols and cryptographic algorithms
• Selectively provides ….
• Confidentiality, integrity, authenticity, replay protection, DoS protection
20
“The spelling IPsec is preferred and used
throughout this and all related IPsec
standards. All other capitalizations of
IPsec (e.g., IPSEC, IPSec, ipsec) are
deprecated.”
Source: RFC 4301 Security Architecture for the Internet Protocol (December 2005)
https://datatracker.ietf.org/doc/html/rfc4301
 IPsec (not IPSec!)
• Host level protection service
• IP-layer security (below TCP/UDP)
• De-facto standard for host level security
• Developed by the IETF (over many years)
• Available in most operating systems/devices
• E.g., Windows, OS X, Linux, BSD*, …
• Not a single protocol; IPsec is a protocol suite
• Implements a wide range of protocols and cryptographic algorithms
• Selectively provides ….
• Confidentiality, integrity, authenticity, replay protection, DoS protection
22
 IPsec Protocol Suite
Policy/
Configuration Key Packet
Management Management Processing

(SPS) (ESP)
Security Policy Manual Encapsulating
System Security Payload

(IKE) (AH)
Internet Key Authentication
Exchange Header
23
 Key Management

• Two options:
• Manual: use pre-shared secrets; or
• Internet Key Exchange (IKE)

24
 Internet Key Exchange (IKE)
• Two phase protocol used to establish parameters and keys for session
• Phase 1: authenticate peers, establish secure channel via Diffie-
Hellman key exchange
• Phase
(SA)
2: negotiate parameters, establish a security association

• The SA defines algorithms, keys, and policy used to secure the session
for a unidirectional traffic flow
• Pairing requires two SAs -- one for each direction
• SAs stored in host’s Security Association Database (SADB)
• Each gateway may define policies for each SA
• Policies stored in the SADB
25
 IPsec: Packet Handling
Application

Presentation

Session

Transport

SADB Network (IP)

IPsec
Data Link

Physical
26
 Internet Key Exchange
Harkins and Carrel, RFC2409, Nov. 1998

• Phase 1: Key Exchange (Simplified)

1.Initiator sends list of supported crypto algos to responder
2.Responder chooses crypto algo from sender’s list
3.Initiator sends first half of DH exchange and a nonce to responder
I

4.Responder sends second half of DH exchange, and a nonce to R

initiator
5.Initiator sends its id, its cert, and a sig, all encrypted using key
derived from previously exchanged messages
6.Responder sends its id, its cert, and a sig, all encrypted using key
derived from previously exchanged messages

27
Internet Key Exchange

• Phase II: Security Associations

• Using secure channel, establish at least 2
security associations:
• inbound
• outbound
28
 IPsec Protocol Suite
Policy/
Configuration Key Packet
Management Management Processing

(SPS) (ESP)
Security Policy Manual Encapsulating
System Security Payload

(IKE) (AH)
Internet Key Authentication
Exchange Header
29
 IPsec and the IP protocol stack
• IPsec puts the two main
protocols in between IP and the
other protocols HTTP FTP SMTP

• AH: Authentication
Header
TCP UDP
AH ESP
• ESP: Encapsulating
Security Payload IP

• Other functions provided by

external protocols and
architectures
30
Authentication Header

31
Authentication Header (AH)
• Provides authenticity and integrity
• via HMAC
• over immutable IP headers and data
• Advantage:
protected
the authenticity of data and IP header information is

32
IPsec AH Packet Format
IPv4 AH Packet Format
Higher Level
IPv4 Header Authentication Header
Protocol Data

AH Header Format
Next Header Length Reserved

Security Parameter Index

Sequence Number

Authentication Data (variable number of 32-bit words)

33
Authentication Header (AH)
• Provides authenticity and integrity
• via HMAC
• over immutable IP headers and data
• Advantage:
protected
the authenticity of data and IP header information is

• Replay protection via AH sequence numbers

• note that this replicates some features of TCP
• Disadvantage: the set of immutable IP headers isn’t necessarily fixed
• For example?

34
Mutable fields

35
 IPsec Authentication
• SPI: (spy) identifies the SA for this packet
• Type of crypto checksum, how large it is, and how it is
computed
• Authentication data
• Hash
SPI
of packet contents include IP header as specified by

• Treat mutable fields (TTL, header checksum) as zero

• Keyed MD5 Hash is default

36
Authentication Header (AH)
• Provides authenticity and integrity
• via HMAC
• over immutable IP headers and data
• Advantage:
protected
the authenticity of data and IP header information is

• Replay protection via AH sequence numbers

• note that this replicates some features of TCP
• Disadvantage: the set of immutable IP headers isn’t necessarily fixed
• For example?
• Confidentiality of data is not preserved

37
Encapsulating Security Payload

38
Encapsulating Security Payload (ESP)
• Confidentiality, authenticity, and integrity
• via encryption and HMAC
• over IP payload (data)

39
 ESP Packet Format
IPv4 ESP Packet Format
Unencrypted Encrypted
Other IP
IP Header Headers ESP Header Encrypted Data

ESP Header Format

Security Parameter Identifier (SPI)
Opaque Transform Data, variable length

ESP Format
Security Parameters Index (SPI)
Initialization Vector (optional)
Replay Prevention Field (incrementing count)
Payload Data (with padding)
Authentication checksum

40
Encapsulating Security Payload (ESP)
• Confidentiality, authenticity, and integrity
• via encryption and HMAC
• over IP payload (data)
• Advantage: encapsulated packet is fully secured
• Use “null” encryption to get authenticity/integrity only
• Note that the TCP/UDP ports are hidden when encrypted
• good: better security, less is known about traffic
• bad: impossible for FW to filter/traffic based on port
• Cost: can require many more resources than AH

41
Modes of Operation

42
 Modes of Operation
• Transport: the payload is (optionally) encrypted and the
non-mutable fields are integrity verified (via MAC)

• Tunnel: each packet is completely encapsulated (and

optionally encrypted) in an outer IP packet

• Hides/protects not only data, but some routing

information

43
 Authenticated Header

Transport
Mode

Tunnel
Mode
 Encapsulating Security Payload

Transport
Mode

Tunnel
Mode
Practical Issues and Limitations

• IPsec implementations
• Large footprint
• resource poor devices are in trouble
• New standards to simplify (e.g, JFK, IKE2)
• Slow to adopt new technologies
• Configuration
obscure
is extremely complicated/

46
Practical Issues and Limitations

• Issues
• IPsec tries to be “everything for everybody at all
times”
• Massive, complicated, and unwieldy
• Large-scale management tools are limited (e.g.,
CISCO)
• Often not used securely (common pre-shared
keys)

47
 Plan for today
• Wireless Review
• Virtual Private Networks
• Overview
• Protocol - IPsec
• Key Management
• Packet Processing
• Alternatives
48
 Alternatives to IPsec
• SSH Tunneling: Tunnel packets over SSH
connection
• OpenVPN: Tunnel traffic via SSL/TLS
connections
• Point-to-Point Tunneling Protocol
(PPTP): Tunnel using Control (TCP) and
Data (GRE) channels; mostly a Microsoft
thing

49
 SSH Tunneling

• Alice has an account on linux.cs.tufts.edu

• Alice wants to access page that is is only available to Tufts IP addresses
• ... and Alice lives off campus
•ssh -D9999 -NfCx linux.cs.tufts.edu
• run SOCKS server locally on port 9999, forwarding all traffic to linux.cs
• If we tell our browser to use use localhost:9999 as our SOCKS proxy,
everything from the browser goes through the tunnel

50
 Summary
• Wireless Review
• Virtual Private Networks
• Overview
• Protocol - IPsec
• Key Management
• Packet Processing
• Alternatives
51