Security at The IP Level

Some common IP layer attacks include:
- Denial of service (DoS) attacks like ICMP flooding, SYN flooding, etc., which aim to interrupt service by overwhelming resources.
- IP spoofing, where an attacker modifies IP packets to hide their identity or impersonate another system.
- Session hijacking, where an authenticated session is taken over without the user's consent.
- Man-in-the-middle (MITM) attacks, where the attacker secretly relays and controls communication between two parties who believe they are directly communicating with each other.
- Packet sniffing/interception, where traffic is monitored/intercepted without authorization to view sensitive data.
- Replay attacks, where valid data transmission is maliciously

Uploaded by Anuarora7
Copyright: © Attribution Non-Commercial (BY-NC)

Lecture 11

Security at the IP level


Outline

• Review of IP
• Security concerns at IP level
• What can be done at IP level
• IP Sec architecture
• How IP Sec works

IP Review

• What is the role of IP ?


• TCP/ IP Layers
• Protocols
• Attacks
• Security Vulnerabilities

ISO Layers – TCP/IP Layers

ISO layer                               TCP/IP layer
Application / Presentation / Session    Application
Transport                               TCP/UDP
Network                                 IP
Data Link / Physical                    Network access

TCP/IP Example

Logical Link Control (LLC) and Media Access Control (MAC)

Network Layer
• provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport layer.
• performs network routing functions and reports delivery errors.
• Routers operate at this layer – sending data throughout the extended network and making the Internet possible. This is a logical addressing scheme – values are chosen by the network engineer.
• The best-known example of a layer 3 protocol is the Internet Protocol (IP).

IPv4 Header

IP header details:
• Version: 4 bits. Identifies the version of IP used to generate the datagram.
• Internet Header Length (IHL): 4 bits. Specifies the length of the IP header.
• Type Of Service (TOS): A field designed to carry information to provide quality of service features, such as prioritized delivery, for IP datagrams.
• Total Length (TL): Specifies the total length of the IP datagram, in bytes.
• Identification: This field contains a 16-bit value that is common to each of the fragments belonging to a particular message.
• Flags: Three control flags, two of which are used to manage fragmentation; the third is reserved.
• Fragment Offset: When fragmentation of a message occurs, this field specifies the offset, or position, in the overall message where the data in this fragment goes.
• Time To Live (TTL): Specifies how long the datagram is allowed to “live” on the network, in terms of router hops.
• Protocol: Identifies the higher-layer protocol (generally the transport layer protocol, or an encapsulated network layer protocol).
• Header Checksum: A checksum computed over the header to provide basic protection against corruption in transmission.
• Options: One or more of several types of options may be included after the standard header in certain IP datagrams; they control how IP handles the datagram.
• Padding: If one or more options are included, and the number of bits used for them is not a multiple of 32, enough zero bits are added to “pad out” the header to a multiple of 32 bits (4 bytes).

9
Internet Protocol Version 4 (IPv4) Datagram Format
Transport Layer
• It provides transparent transfer of data between end
users, providing reliable data transfer services to
the upper layers.
• This layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control.
• Some protocols are state and connection oriented.
This means that the transport layer can keep track
of the segments and retransmit those that fail.
• The best known examples are the Transmission
Control Protocol (TCP) and User Datagram Protocol
(UDP).

TCP THREE-WAY CONNECTION HANDSHAKE AND FOUR-WAY TERMINATION

SYN – synchronize request
ISN – initial sequence number
ACK – acknowledgement for the ISN

Three-way open (client on the left, server on the right):
Segment 1   client -> server: SYN 141521, win 4096 <mss 1024>
Segment 2   server -> client: SYN 181521, ack 141522, win 4096 <mss 1024>
Segment 3   client -> server: ack 181522

Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station while the field <mss 1024> shows the receiving maximum segment size specified by the sender.

Segment 2 shows the server responding with a SYN segment of 181521 and ACKnowledging the client's ISN with ISN + 1. This is called a Passive Open.

Segment 3 shows the client responding by ACKnowledging the server's ISN with ISN + 1. Data can now be transmitted.

Four-way close:
Segment 4   client -> server: FIN 141522, ack 181522
Segment 5   server -> client: ack 141523
Segment 6   server -> client: FIN 181522, ack 141523
Segment 7   client -> server: ack 181523

Segment 4 shows the client sending a FIN segment with an ACKnowledgement of the server's sequence number + 1. This is called an Active Close and will start closing one-half of the connection.

Segment 5 shows an ACKnowledgement of the client's sequence number + 1 and will complete the closing of this one-half of the connection.

Segment 6 shows the server sending a FIN segment with an ACKnowledgement of the client's sequence number + 1. This is called a Passive Close and starts the closure of this one-half of the connection.

Segment 7 shows the client ACKnowledging the server's sequence number + 1 and completing the closing of this one-half of the connection.
COMMON TCP PORT NUMBERS

Port Application Description


9 Discard Discard all incoming data port
19 Chargen Exchange streams of data port
20 FTP-Data File transfer data port
21 FTP-CMD File transfer command port
23 Telnet Telnet remote login port
25 SMTP Simple Mail Transfer Protocol port
79 Finger Obtains information about active users
80 HTTP Hypertext Transfer Protocol port
88 Kerberos Authentication Protocol
110 POP3 PC Mail retrieval service port
119 NNTP Network news access port
179 BGP Border Gateway Protocol
513 Rlogin Remote login
514 Rexec Remote Execute

IP Vulnerabilities and Attacks
• IP Spoofing
– host rename (LAN)
– DNS(Domain Name System )
– source routing
– TCP sequence number guessing / splicing
• Session hijacking
• Denial of service
– ICMP bombing, redirects, unreachable
– TCP SYN flooding

IP Vulnerabilities and Attacks
• What kind of attacks can occur ?
• Interruption: Denial of Service ?
• Interception ?
• Replay ?
• Masquerading ?
• MITM?

Security at IP layer

• Security at the IP layer is related to the layer’s function of end-to-end datagram delivery.
• The security weaknesses are:
  – Authentication issues
  – Message replay
  – Message alteration
  – Message delay and denial
  – Etc.

Reasons

• Authentication and confidentiality were not enforced at the IP level
• IP address from IP header can be forged by opponents => cannot ensure that a received packet was transmitted by the party identified as the source in the packet header
• Contents of a packet can be inspected when in transit
• Old IP packets can be replayed

1.3 Security Attacks

Passive attacks:
• Reveals what Bob is saying to Alice (figure)
• Relatively hard to do in TCP

Active attacks:
• IP source address spoofing – easy to do
Address Masquerading attack (e.g.)

Before:
  NFS server a.b.c.100 – router – authorized NFS client x.y.z.200, unauthorized NFS client x.y.z.201

After:
  The authorized NFS client x.y.z.200 is shut down for maintenance. The unauthorized client takes over its address (x.y.z.201 -> x.y.z.200) and reaches the NFS server a.b.c.100 masquerading as the authorised client.
Relatively hard to do in TCP (figure)

TCP connection hijacking (figure)

“SYN FLOODING” – easy to do in TCP (figure)
ICMP ECHO Request Attack (e.g.)

Ping o' Death Attack

• ICMP is a user of IP, and is utilized to report network errors.
• PING (Packet InterNet Groper) utilizes ICMP Echo and Reply packets to test host reachability.
• ICMP messages normally consist of the IP Header and enclosed ICMP data with a default size of 64 bytes.
• If the Hacker sends an ICMP Echo request that is greater than 65,536 this can freeze, crash or reboot the system.
• A newer attack method modifies the header to indicate that there is more data in the packet than there actually is.
Countermeasure
• Router updates that check the size of the ICMP packet.
• Block PING (ICMP) traffic at the Firewall.
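The IPv4 header fields listed earlier and the oversized-datagram condition behind Ping o' Death, as an added Python example (not code from the original slides): it parses a header, verifies the Header Checksum, and flags a fragment whose offset plus payload would exceed the 16-bit Total Length limit. The sample headers are constructed in the code; `build_ipv4_header` and `parse_ipv4` are names chosen here.

```python
import socket
import struct

MAX_DATAGRAM = 65535  # largest value the 16-bit Total Length field can express

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    with the Header Checksum field (word 5) treated as zero."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, payload_len, ident=1, flags=0, frag_offset=0, ttl=64):
    """Constructed sample header (20 bytes, no options); frag_offset is in bytes."""
    flags_frag = (flags << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields described on the slides and run the receiver-side checks."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet) or total_len < ihl:
        raise ValueError("inconsistent Version / IHL / Total Length")
    flags, frag_offset = flags_frag >> 13, (flags_frag & 0x1FFF) * 8
    payload_len = total_len - ihl
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "protocol": proto, "ttl": ttl, "identification": ident,
        "more_fragments": bool(flags & 0x1), "fragment_offset": frag_offset,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == csum,
        # Ping o' Death condition: this fragment would push the reassembled
        # datagram past the maximum size, which older stacks did not check.
        "oversized_reassembly": frag_offset + payload_len > MAX_DATAGRAM,
    }
```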

ICMP ECHO Flooding (e.g.)

SMURF Attack
• The Hacker sends an ICMP Echo request to the target network with a destination broadcast address and a spoofed source address of the target.
• The network serves as a "bounce site" and returns an Echo Reply for each station on the network.
• The network serves to multiply the effect of the "ping". The Echo Request could be sent to multiple networks.
Countermeasures:
• Disable IP-directed broadcasts at your router.
• Configure the workstation to not respond to an IP broadcast packet.

Why look for security at IP level?

• It is below Transport Layer => no need to change software at Application Layer
• It is transparent to users => no need to train users
• Can be used to enhance security when used with higher-level applications
• Can provide better security for communications via untrusted networks
• Can enhance security of firewalls

What can be done to improve IP security?

• Authentication: Allows the receiver to validate the identity of a sender, client process or server process
• Integrity: Provides assurance to the receiver that the transmitted data has not been changed
• Confidentiality: Preventing the unwanted disclosure of information during transmission
TCP/IP & Possible Security Enhancement

Layer                   Security enhancement
Application             Kerberos, SHTTP, S/MIME, PGP…
Transport (TCP, UDP)    SSL, TLS
Network (IP)            IPSec
Data Link
Physical

IPSec: Security Association (SA)
• SA is a contract between two nodes on
keys, algorithms, etc.
• It forms the basis for IPSec operations
• There are protocols for negotiating about
keys: IKE(Internet Key Exchange ),
ISAKMP(Internet Security Association
and Key Management Protocol )
• ISAKMP typically utilizes IKE for key
exchange

Security Associations (SA)

• A one way relationship between a sender and a receiver.
• Identified by three parameters:
  – Security Parameter Index (SPI)
  – IP Destination address
  – Security Protocol Identifier

IPSec Architecture

(borrowed from Stallings)


IPSec Architecture
• Authentication Header (AH)
• AH makes it possible to authenticate the sender of IP
packets, guarantees connectionless integrity and data
origin authentication of IP packets.
• determines the authentication algorithm to be used
• Encapsulating Security Payload (ESP)
• ESP makes it possible to authenticate the sender and
ensure confidentiality
• determines the encryption algorithm to be used
• Policy: determines if two entities will be able to
communicate with each other
• DOI (Domain of Interpretation): Contains identifiers
for approved encryption and authentication
algorithms, key lifetime parameters, etc.
• Key management: involves the determination and
distribution of secret keys
How does IPSec work?

• Authentication is done by using a Secure Hash Algorithm (or message digest – MD5) to generate authentication data that is inserted into AH
• Encryption is done using some encryption algorithm (3DES, IDEA, etc.) to generate cipher text that is inserted into the Payload Data field of ESP (Encapsulating Security Payload)
How does IPSec work? (e.g.)
• An application on computer A generates outbound packets to send to computer B
• IPSec A checks if the packets need to be secured
• If the packets need to be secured, then A begins security negotiation with B using either IKE (Internet Key Exchange Protocol) or ISAKMP (Internet Security Association and Key Management Protocol)
• The negotiation establishes two SAs with specific security methods and keys
• IPSec A signs the outgoing packets for integrity (generates AH), and optionally encrypts them (generates ESP), then transmits the secured packets to B
• IPSec B checks the packets for integrity and decrypts their contents if necessary.

IP Security Scenario

IPSec modes
• Transport mode:
• is typically used in peer-to-peer
communications, especially for internal
networks
• the data packet is encrypted but the IP header is
not.
• Tunnel mode:
• is used for remote access and site-to-site
security
• the entire packet (header & payload) is encrypted

                      Transport Mode SA                                    Tunnel Mode SA
AH                    Authenticates IP payload and selected portions       Authenticates entire inner IP packet plus
                      of IP header and IPv6 extension headers              selected portions of outer IP header
ESP                   Encrypts IP payload and any IPv6 extension header    Encrypts inner IP packet – data + header
ESP with              Encrypts IP payload and any IPv6 extension header.   Encrypts inner IP packet. Authenticates
authentication        Authenticates IP payload but no IP header            inner IP packet.

IPSec Applications
• Secure branch office connectivity over
the Internet
• Secure remote access over the
Internet
• Establishing extranet and intranet
connectivity with partners
• Enhancing electronic commerce
security

IPSec Details
• IPSec can be used with IPv4 or IPv6
• IPSec is a set of protocols
• It provides a set of security
algorithms plus a general framework
that allows parties to use appropriate
algorithms

Encryption and Authentication
Algorithms
• Encryption:
• Three-key triple DES
• RC5
• IDEA
• Three-key triple IDEA
• CAST
• Blowfish
• Authentication:
• HMAC-MD5-96
• HMAC-SHA-1-96
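The SA triple (SPI, IP destination address, security protocol), the authentication data that "How does IPSec work?" says is inserted into AH, and the HMAC-SHA-1-96 algorithm listed above, pulled together as an added Python example (not code from the slides or from any IPsec implementation). The SA database entry, key and packets are constructed here; as labelled in the comments it simplifies real AH by covering only the AH fields and payload in the ICV and by replacing the anti-replay window with a strictly increasing sequence number.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # IP protocol number carried in the "Protocol" field for AH
ICV_LEN = 12       # HMAC-SHA-1-96: the SHA-1 HMAC truncated to 96 bits (12 bytes)

# Security Association database keyed by the triple the slides name:
# (SPI, IP destination address, security protocol). Entries are constructed samples.
SADB = {
    (0x1000, "192.0.2.10", AH_PROTOCOL): {"key": b"constructed-demo-key-not-real", "last_seq": 0},
}

def ah_icv(key: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """Authentication data: HMAC-SHA-1 over the AH (ICV field zeroed) and the payload,
    truncated to 96 bits. Simplification: the immutable IP header fields that real AH
    also covers are left out here."""
    mac = hmac.new(key, ah_fields + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]

def build_ah(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = 6) -> bytes:
    """Sender side: Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV, then payload."""
    payload_len = (12 + ICV_LEN) // 4 - 2          # AH length in 32-bit words minus 2
    fields = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fields + ah_icv(key, fields, payload) + payload

def verify_ah(dst: str, packet: bytes) -> str:
    """Receiver side: find the SA by (SPI, dst, AH), check the ICV, then reject replays.
    Simplification: sequence numbers must strictly increase (real IPsec uses a sliding window)."""
    fields, icv, payload = packet[:12], packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
    _next, _len, _rsv, spi, seq = struct.unpack("!BBHII", fields)
    sa = SADB.get((spi, dst, AH_PROTOCOL))
    if sa is None:
        return "drop: no SA"
    if not hmac.compare_digest(icv, ah_icv(sa["key"], fields, payload)):
        return "drop: bad ICV"        # forged source, altered payload, or wrong key
    if seq <= sa["last_seq"]:
        return "drop: replay"         # an old packet re-sent
    sa["last_seq"] = seq
    return "accept"
```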

Authentication with AH

Before applying AH (figure borrowed from Stallings)

After applying AH – transport mode (figure borrowed from Stallings)

After applying AH – tunnel mode (figure borrowed from Stallings)

ESP Encryption and Authentication (figures)
Advantages of IPSec
• IPSec is the most general way to provide security services to the Internet with fewer constraints
• Higher-level security services are less general and protect some single protocol (e.g. PGP protects mail)
• Lower-level services protect a single medium (e.g. a pair of encryption chips on the end of a line)
• IPSec can, in general, protect any medium used below IP level and any protocol running above IP level

Benefits of IPSec
• Enable business to rely heavily on the Internet and
reduce its need for private networks => saving
costs & network management
• Provide secure network access over the Internet
• An end-user whose system is equipped with
IPSec can make a local call to ISP and gain
secure access to her/his company
• Provide secure communications between
organisations by ensuring authentication and
confidentiality
• IPSec can be used to create secure tunnel through
untrusted (especially the Internet) networks
• Sites connected by these tunnels form Virtual
Private Networks (VPN)

Benefits of IPSec

• Packet authentication makes various attacks harder:
  – address masquerading
  – address spoofing
  – replay
• IPSec tunnels can be very useful for secure remote administration
• In a non-end-to-end service, IPSec can ensure that messages between a pair or a group of sites are encrypted

