Unit 3 1
Unit 3 1
IP SECURITY OVERVIEW
In 1994, the Internet Architecture Board (IAB) issued a report titled “Security in the Internet
Architecture” (RFC 1636). The report identified key areas for security mechanisms. Among these
were the need to secure the network infrastructure from unauthorized monitoring and control of
network traffic and the need to secure end-user-to-end-user traffic using authentication and
encryption mechanisms.
To provide security, the IAB included authentication and encryption as necessary security features
in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities
were designed to be usable both with the current IPv4 and the future IPv6. This means that vendors
can begin offering these features now, and many vendors now do have some IPsec capabil- ity in
their products. The IPsec specification now exists as a set of Internet standards.
APPLICATIONS OF IPSEC
IPsec provides the capability to secure communications across a LAN, across private
and public WANs, andacross the Internet. Examples of its use include:
BENEFITS OF IPSEC
Some of the benefits of IPsec:
ROUTING APPLICATIONS
In addition to supporting end users and protecting premises systems and networks, IPsec can play a
vital role in the routing architecture required for internetworking. IPsec can assure that
o A router advertisement (a new router advertises its presence) comes from an authorized router.
o A neighbor advertisement (a router seeks to establish or maintain a neighbor relationship with a
router in another routing domain) comes from an autho- rized router.
o A redirect message comes from the router to which the initial IP packet was sent.
o A routing update is not forged.
IP SECURITY ARCHITECTURE
Ipsec documents
The documents can becategorized into the following groups.
• Architecture: Covers the general concepts, security requirements, definitions, and
mechanisms defining IPsec technology.
• Authentication Header (AH): AH is an extension header to provide message
authentication.
• Encapsulating Security Payload (ESP): ESP consists of an encapsulating header and
trailer used to provide encryption or combined encryption/authentication.
• Internet Key Exchange (IKE): This is a collection of documents describing the key
management schemes for use with IPsec.
• Cryptographic algorithms: This category encompasses a large set of docu ments that
define and describe cryptographic algorithms for encryption, mes-sage authentication,
pseudorandom functions (PRFs), and cryptographic key exchange.
• Other: There are a variety of other IPsec-related RFCs, including those deal- ing with
security policy and management information base (MIB) content.
IPsec Services
IPsec provides security services at the IP layer by enabling a system to select required security
protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic
keys required to provide the requested services. Two protocols are used to provide security: an
authentication protocol designated by the header of the protocol, Authentication Header (AH); and
a combined encryption/ authentication protocol designated by the format of the packet for that
protocol. Encapsulating SecurityPayload (ESP). lists the following services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
• Next Header (8 bits): Identifies the type of header immediately following this header.
• Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2.
• Reserved (16 bits): For future use.
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value, discussed later.
• Authentication Data (variable): A variable-length field (must be an integral number of
32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.
Anti-Replay Service
Anti-replay service is designed to overcome the problems faced due to replay attacks in which an
intruder intervenes the packet being transferred, make one or more duplicate copies of that
authenticated packet and then sends the packets to the desired destination, thereby causing
inconvenient processing at the destination node. The Sequence Number field is designed to thwart
such attacks.
When a new SA is established, the sender initializes a sequence number counter to 0. Each time that
a packet is sent on this SA, the sender increments the counter and places the value in the Sequence
Number field. Thus, the first value to be used is 1. This value goes on increasing with respect to the
number of packets being transmitted. The sequence number field in each packet represents the value
of this counter. The maximum value of the sequence number field can go up to 232-1. If the limit of
232-1 is reached, the sender should terminate this SA and negotiate a new SA with a new key.
The IPSec authentication document dictates that the receiver should implement a window of size
W, with a default of W = 64. The right edge of the window represents the highest sequence number,
N, so far received for a valid packet. For any packet with a sequence number in the range from N-
W+1 to N that has been correctly received (i.e., properly authenticated), the corresponding slot in
the window is marked as shown. Inbound processing proceeds as follows when a packet is received:
• Transport adjacency: Refers to applying more than one security protocol to the same IP
packet without invoking tunneling.
• Iterated tunneling: Refers to the application of multiple layers of security protocols
effected through IP tunneling.
• Transport mode ESP: Authentication and encryption apply to the IP payload delivered to
the host, but the IP header is not protected.
• Tunnel mode ESP: Authentication applies to the entire IP packet delivered to the outer IP
destination address (e.g., a firewall), and authentication is performed at that destination. The
entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP
destination.
For both cases, authentication applies to the cipher text rather than the plaintext.
TRANSPORT ADJACENCY
Another way to apply authentication after encryption is to use two bundled transport SAs, with the
inner being an ESP SA and the outer being an AH SA.
TRANSPORT-TUNNEL BUNDLE
The use of authentication prior to encryption might be preferable for several reasons.
BASIC COMBINATION OF SECURITY ASSOCIATIONS
The IPsec Architecture document lists four examples of combinations of SAs that must be
supported by compliant IPsec hosts (e.g., workstation, server) or security gateways (e.g. firewall,
router). These areillustrated in Figure 19.10. The lower part of each case in the figure represents the
physical connectivity of the elements; the upper part represents logical connectivity via one or more
nested SAs. Each SA can be either AH or ESP. For host-to-host SAs, the mode may be either
transport or tunnel; otherwise it must be tunnel mode.
Case 1. All security is provided between end systems that implement IPsec. For any two end
systems to communicate via an SA, they must share the appropri- ate secret keys. Among the
possible combinations are
• AH in transport mode
• ESP in transport mode
• ESP followed by AH in transport mode (an ESP SA inside an AH SA)
• Any one of a, b, or c inside an AH or ESP in tunnel mode
We have already discussed how these various combinations can be used to support
authentication,encryption, authentication before encryption, and authenti- cation after encryption.
Case 2. Security is provided only between gateways (routers, firewalls, etc.) and no hosts
implement IPsec. This case illustrates simple virtual private network support. The security
architecture document specifies tha tonly a single tunnel SA is needed for this case. The tunnel
could support AH, ESP, or ESP with the authenti- cation option. Nested tunnels are not required,
because the IPsec services apply to the entire inner packet.
Case 3. This builds on case 2 by adding end-to-end security. The same combi- nations discussed for
cases 1 and 2 are allowed here. The gateway-to-gateway tunnel provides either authentication,
confidentiality, or both for all traffic between end systems. When the gateway-to-gateway tunnel is
ESP, it also provides a limited form of traffic confidentiality. Individual hosts can implement any
additional IPsec ser- vices required for given applications or given users by means of end-to-end
SAs.
Case 4. This provides support for a remote host that uses the Internet to reach an organization’s
firewall and then to gain access to some server or workstation behind the firewall. Only tunnel
mode is required between there mote host and the firewall. As in case 1, one or two SAs may be
used between the remote host and the localhost.
KEY MANAGEMENT
The key management portion of IPsec involves the determination and distribution of secret keys. A
typical requirement is four keys for communication between two applications: transmit and receive
pairs for both integrity and confidentiality. The IPsec Architecture document mandates support for
two types of key management:
• Manual: A system administrator manually configures each system with its own keys and
with the keys of other communicating systems. This is practical for small, relatively static
environments.
• Automated: An automated system enables the on-demand creation of keys for SAs and
facilitates the use of keys in a large distributed system with an evolving configuration.
The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley and
consists of the following elements:
• Oakley Key Determination Protocol: Oakley is a key exchange protocol based on the
Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not
dictate specific formats.
• Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP
provides aframework for Internet key management and provides the specific protocol
support, including formats, fornegotiation of security attributes.
• It does not provide any information about the identities of the parties.
• It is subject to a man-in-the-middle attack, in which a third party C impersonates B while
communicating with A and impersonates A while communicating with B. Both A and B end
up negotiating a key with C, which can then listen to and pass on traffic.
• It is computationally intensive.
OEKLEY key determination is designed to retain the advantages of Diffie- Hellman, while
countering its weaknesses.
OEKLEY key determination supports the use of different groups for the Diffie- Hellman key
exchange. Each group includes the definition of the two global parameters and the identity of the
algorithm. The current specification includes the following groups.
OEKLEY key determination employs nonces to ensure against replay attacks. Each nonce is a
locally generated pseudorandom number. Nonces appear in responses and are encrypted during
certain portions of the exchange to secure their use.
Three different authentication methods can be used with OEKLEY key determination:
• Digital signatures
• Public-key encryption
• Symmetric-key encryption:
ISAKMP
It defines procedures and packet formats to establish, negotiate, modify, and delete security
associations.As part of SA establishment, IKE defines payloads for exchanging key generation and
authentication data.
ISAKMP HEADER FORMAT
An IKE message consists of an IKE header followed by one or more payloads. All of this is carried
in a transport protocol. The specification dictates that implementations must support the use of UDP
for the transport protocol.
It consists of the following fields.
• Initiator SPI (64 bits): A value chosen by the initiator to identify a unique IKE security
association(SA).
• Responder SPI (64 bits): A value chosen by the responder to identify a unique IKE SA.
• Next Payload (8 bits): Indicates the type of the first payload in the message; payloads are
discussed in the next subsection.
• Major Version (4 bits): Indicates major version of IKE in use.
• Minor Version (4 bits): Indicates minor version in use.
• Exchange Type (8 bits): Indicates the type of exchange; these are discussed later in this
section.
• Flags (8 bits): Indicates specific options set for this IKE exchange.
• Message ID (32 bits): Used to control retransmission of lost packets and matching of
requests and responses.
• Length (32 bits): Length of total message (header plus all payloads) in octets.