18CSE354T-NETWORK SECURITY

UNIT - 2
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)
 IP Security
 Have a range of application-specific
security mechanisms
 E.g. S/MIME, PGP, Kerberos, SSL/HTTPS
- however, there are security concerns that
cut across protocol layers
 People would like security to be
implemented by the network for all
applications
 IPSec
 General IP Security mechanisms provides
 authentication
 confidentiality
 key management
 Applicable to use over LANs, across public
& private WANs, & for the Internet
 Applications of IPSec
 Build a secure virtual private network over the
Internet or over a public WAN.
 Secure remote access over the Internet to his
company, for example.
 Establishing extranet and intranet connectivity
with partners
- ensuring authentication and confidentiality and
providing a key exchange mechanism
 Enhancing electronic commerce security
 Benefits of IPSec
 IPSec in a firewall/router provides strong
security to all traffic crossing the perimeter
 IPSec in a firewall/router is resistant to bypass
traffic as long as all traffic is IP
 IPSec is below transport layer, hence
transparent to applications
 IPSec can be transparent to end users
 IPSec can provide security for individual users
 IPSec secures routing architecture
IPSec Uses
 IP Security Architecture
 Specification is quite complex
 Defined in numerous RFC’s
 incl. RFC 2401/2402/2406/2408
 many others, grouped by category
 Mandatory in IPv6, optional in IPv4
 Have two security header extensions:
 Authentication Header (AH)
 Encapsulating Security Payload (ESP)
 Seven Groups
 Architecture
 Encapsulating Security Payload (ESP)
 Authentication Header (AH)
 Encryption algorithms
 Authentication algorithms
 Key management
 Domain of Interpretation (DOI)
~ From RFC 2406

ESP is used to provide confidentiality, data origin authentication, connectionless

integrity, an anti-replay service (a form of partial sequence integrity), and limited
traffic flow confidentiality. The set of services provided depends on options selected
at the time of Security Association establishment and on the placement of the
implementation. Confidentiality may be selected independent of all other services.
However, use of confidentiality without integrity/authentication (either in ESP or
separately in AH) may subject traffic to certain forms of active attacks that could
undermine the confidentiality service. Data origin authentication and connectionless
integrity are joint services (hereafter referred to jointly as "authentication) and are offered
as an option in conjunction with (optional) confidentiality. The anti- replay service may be
selected only if data origin authentication is selected, and its election is solely at the
discretion of the receiver. (Although the default calls for the sender to increment the
Sequence Number used for anti-replay, the service is effective only if the receiver
checks the Sequence Number.) Traffic flow confidentiality requires selection of tunnel
mode, and is most effective if implemented at a security gateway, where traffic
aggregation may be able to mask true source-destination patterns. Note that although
both confidentiality and authentication are optional, at least one of them MUST be
selected.
IPSec Services
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)
 Security Associations
 A one-way relationship between sender &
receiver that affords security for traffic flow
 Defined by 3 parameters:
 Security Parameters Index (SPI): The SPI is carried in
AH and ESP headers to enable the receiving system
to select the SA under which a received packet will be
processed.
 IP Destination Address: the address of the destination
endpoint of the SA
 Security Protocol Identifier: indicates whether the
association is an AH or ESP security association
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)
 IP Security Policy
IPSec policy is determined by the interaction
of two databases ,

Security Association Database(SAD)

Security Policy Database(SPD)
Security Association Database(SAD)

 All Security Association’s (SA) maintained

in a Data Base called SAD – Security
Association Database.
 Security Association Database(SAD)
SA is normally defined by the following parameters in an
SAD entry .
- Sequence Number (SN) Counter: 32-bit for SN
- SN Overflow: a flag indicating overflow of SN
- Anti-Replay Window: an AH or ESP packet is a replay?
- AH Information: related parameters used with AH
- ESP Information: related parameters used with ESP
- Lifetime of the SA
- IPSec Protocol Mode: tunnel, transport
- Path MTU: observed path maximum transmission unit
Authentication and privacy is independent of any specific
key management mechanism
 Security Policy Database (SPD)
 The means by which IP traffic is related to specific SAs is
the nominal Security Policy Database.

 Security Policy Database (SPD)

 Entry defined by set of IP and upper layer protocol field

values called selectors.

 Selectors can be dest ip, src ip, user id, data

sensitivity,transport layer protocol,src port and dest port

 Store policies
 Security Policy Database (SPD)
 When sending IPsec datagram, sender accesses SAD (Security
Association Database)to determine how to process datagram.

 When IPsec datagram arrives to receiver ,examines SPI in IPsec

datagram, indexes SAD with SPI, and processes datagram accordingly.

 Policy: For a given datagram, sending entity needs to know if it should use
IPsec.

 Needs also to know which SA to use

 May use: source and destination IP address; protocol number.
 Info in SPD indicates “what” to do with arriving datagram;
 Info in the SAD indicates “how” to do it.
 How They Fit Together

SPD
SA-1
SA-2
SADB SPI

SPI

26
 SPD and SADB Example

Transport Mode A’s SPD

From To Protocol Port Policy
A B
C D A B Any Any AH[HMAC-MD5]
Tunnel Mode
From To Protocol SPI SA Record
A’s SADB
A B AH 12 HMAC-MD5 key

From To Protocol Port Policy Tunnel Dest

Asub Bsub Any Any ESP[3DES] D C’s SPD

From To Protocol SPI SA Record

C’s SADB
Asub Bsub ESP 14 3DES key
27
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)
 Authentication Header (AH)
 Provides support for data integrity &
authentication of IP packets
 end system/router can authenticate user/app
 prevents address spoofing attacks by tracking
sequence numbers
 HMAC-MD5-96 or HMAC-SHA-1-96
- parties must share a secret key
Authentication Header
Encapsulating Security Payload
(ESP)
 Provides message content confidentiality &
limited traffic flow confidentiality
 ESP can optionally provide the same
authentication services as AH
 ESP supports a range of ciphers, modes,
padding
 incl. DES, Triple-DES, RC5, IDEA, CAST etc
 CBC & other modes
 padding needed to fill block size, fields, for traffic flow
ESP Packet Format
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)
Transport & Tunnel Mode
Transport & Tunnel Modes

Transport mode

Tunnel mode
 Transport vs Tunnel Mode
ESP
 Transport mode is used to encrypt and
optionally authenticate IP data
 data protected but header left in clear
 good for ESP host to host traffic
 Tunnel mode encrypts the entire IP packet
 add new header for next hop
 good for VPNs, gateway to gateway security
IPSec tunnel mode is the default mode.

Tunnel mode is used to encrypt traffic between secure IPSec Gateways( for
example two Cisco routers connected over the Internet via IPSec VPN.)

Traffic from the client is encrypted, encapsulated inside a new IP packet and
sent to the other end.

In tunnel mode, an IPSec header (AH or ESP header) is inserted between

the IP header and the upper layer protocol

37
 IPSec Tunnel mode with ESP
header:

ESP is identified in the New IP header with an IP protocol ID of 50.

38
 IPSec Tunnel mode with AH header:

The AH can be applied alone or together with the ESP, when IPSec is in tunnel
mode.

AH’s job is to protect the entire packet.

The AH does not protect all of the fields in the New IP Header because some
change in transit, and the sender cannot predict how they might change.

The AH protects everything that does not change in transit.

AH is identified in the New IP header with an IP protocol ID of 51.

39
Transport mode provides the protection of our data, also known as IP Payload, and
consists of TCP/UDP header + Data, through an AH or ESP header.

The payload is encapsulated by the IPSec headers and trailers.

The original IP headers remain intact, except that the IP protocol field is changed to
ESP (50) or AH (51), and the original protocol value is saved in the IPsec trailer to
be restored when the packet is decrypted.

IPSec transport mode is usually used when another tunneling protocol (like GRE) is
used to first encapsulate the IP data packet, then IPSec is used to protect the GRE
tunnel packets. IPSec protects the GRE tunnel traffic in transport mode.

40
 IPSec Transport mode with ESP header:

the original IP Header is moved to the front.

Placing the sender’s IP header at the front (with minor changes to the protocol
ID), proves that transport mode does not provide protection or encryption to the
original IP header .

ESP is identified in the New IP header with an IP protocol ID of 50.

41
 IPSec Transport mode with AH header:

The AH can be applied alone or together with the ESP when IPSec is in
transport mode.

AH’s job is to protect the entire packet, however, IPSec in transport mode
does not create a new IP header in front of the packet but places a copy of
the original with some minor changes to the protocol ID therefore not
providing essential protection to the details contained in the IP header
(Source IP, destination IP etc).

AH is identified in the New IP header with an IP protocol ID of 51.

42
 Combining Security
Associations
 SA’s can implement either AH or ESP (but
not both)
 To implement both need to combine SA’s
 form a SA bundle
 may terminate at different or same endpoints
 combined by
• transport adjacency
• iterated tunneling
 issue of authentication & encryption order
Transport mode

Tunnel mode
 ESP – TRANSPORT & TUNNEL MODE
 Transport Mode

 Tunnel Mode
 AH – TRANSPORT & TUNNEL MODE
AH Transport Mode

AH Tunnel Mode
Summary – AH & ESP
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)
Internet Key
Exchange
 ?Where does IKE fit in
SA’s building and managing is either:
• Static (manual) – keys and other attributes
of SA are manually configured by system
administrator. Practical for small, relatively
static environments.
• Dynamic (automated) – On-demand
creation of keys. Handled by IKE protocol
 IKE
• IKE is a protocol that builds and manages IPSec
SA’s between two computers that implement
IPSec.
• IKE is the only standard protocol for building
IPSec SA’s (Standard IPSec implementation must
also implement IKE)
• IKE (like IPSec) is carried out either between a
pair of hosts, a pair of security gateways or a host
and a security gateway
 IKE version
• There are two version of IKE (IKEv1 and
IKEv2)
• IKE version 1 is a hybrid of three protocols
(actually a framework and two protocols)
• Version 1 grew out of ISAKMP framework
and OAKLEY and SKEME protocols that
work within that framework.
 ISAKMP (IKE version 1)
• Stands for “Internet Security Association
and Key Management” Protocol
• Created by NSA (National Security
Agency)
• Framework (not really a protocol) for
authentication and key exchange.
• This framework decides on the SA’s
attributes that the parties will use.
 ISAKMP (IKE version 1)

• Designed to be key exchange independent

(supports many different key exchanges)
• In IKE version 1 ISAKMP uses part of
OAKLEY and part of SKEME.
 SKEME (IKE version 1)
• Describes a versatile key exchange
technique
Provides:
• anonymity
• quick key refreshment
 OAKLEY (IKE version 1)
• Describes a series of key exchanges and
details the services provided by each
• Based on Diffie-Hellman algorithm but
providing added security
• Generic in that it does not dictate specific
formats
 OAKLEY (IKE version 1)
Characterized by five important features:
1. Cookies to prevent clogging attacks
2. Negotiation of a group (specifying global
parameters of DH)
3. Use of nonces to ensure against replay
attacks
4. Exchange of public key values
5. Authentication of DH to prevent man-in-
the-middle attacks
 IKE Version 2

• IKE version 2 is a single protocol rather

than three that cross reference one another
and is described in a single self-contained
document
 Benefits of IKE Version 2
over Version 1
• IKEv2 preserves most of the features of IKEv1.The idea behind
IKEv2 was to make it as easy as possible for IKEv1
implementations to be modified for IKEv2.
• cryptographic syntax replaced with one simplified syntax.
• possible error states reduced
 IKE uses two phases:
• IKE Phase 1

• IKE Phase 2
 How It Works
 IKE has two phases
 Phase 1: Establish bi-directional IKE SA
• Note: IKE SA different from IPsec SA
• Also called ISAKMP security association
 Phase 2: ISAKMP is used to securely negotiate the
IPsec pair of SAs
 Phase 1 has two modes: aggressive mode and
main mode
 Aggressive mode uses fewer messages
 Main mode provides identity protection and is more
flexible
 Both phases use Diffie-Hellman key exchange to
establish a shared key
 IKE Phase 1
 Goal: to establish a secure channel
between two end points
 This channel provides basic security features:
• Source authentication
• Data integrity and data confidentiality
• Protection against replay attacks

66
 IKE Phase 1
 Rationale: each application has different
security requirements
 But they all need to negotiate policies and
exchange keys!
 So, provide the basic security features
and allow application to establish custom
sessions

67
 IKE Phase 1
 Themain purpose of IKE phase 1 is
to establish a secure tunnel that we can
use for IKE phase 2.

Step 1 : Negotiation
Step 2: DH Key Exchange
Step 3: Authentication
 Step 1 : Negotiation
• Hashing: We use MD5 or SHA for this.

• Authentication: Two commonly used options are a pre-shared key or digital

certificates.

• DH (Diffie Hellman) group: the DH group determines the strength of the key that
is used in the key exchange process.

• Lifetime: how long does the IKE phase 1 tunnel stand up? the shorter the lifetime,
the more secure it is because rebuilding it means we will also use new keying
material.

• Encryption: what algorithm do we use for encryption? For example, DES, 3DES or
AES.
 Step 2: DH Key Exchange

 Use the DH group that they negotiated to exchange

keying material. The end result will be that both peers
will have a shared key.
 Step 3: Authentication
 Authenticate each other using the authentication
method that they agreed upon on in the negotiation.
 When the authentication is successful, we have
completed IKE phase 1.
 The end result is a IKE phase 1 tunnel (aka
ISAKMP tunnel) which is bidirectional.
 This means that both peers can send and receive on
this tunnel.
Summary – IKE Phase 1
 Modes
 The three steps in IKE Phase 1 can be
completed using two different modes:

• Main mode
• Aggressive mode
 Phase 1 Exchange
 Can operate in two modes:
 Main mode
• Six messages in three round trips
• More options
 Aggressive mode
• Three messages in two exchanges
• Less options

75
 Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

76
 Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA2]

Establish vocabulary for further communication

77
 Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA2]
[Header, KE, Ni, {Cert_Reg} ]

78
 Phase 1 (Main Mode)

Initiator Responder

Header, SA1

[Header, SA1]

[Header, KE, Ni { , Cert_Req} ]

[Header, KE, Nr {, Cert_Req}]

Establish secret key using Diffie-Hellman key exchange

Use nonces to prevent replay attacks

79
 Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {,Cert_Req} ]

[Header, KE, Nr {,Cert_Req}]

[Header, IDi, {CERT} sig]

80
 Phase 1 (Main Mode)

Initiator Responder

[Header, SA1]

[Header, SA1]

[Header, KE, Ni {, Cert_req}]

[Header, KE, Nr {, Cert_req}]

[Header, IDi, {CERT} sig]

[Header, IDr, {CERT} sig]

Signed hash of IDi (without Cert_req , just send the hash)

81
Phase 1 (Aggressive Mode)

Initiator Responder

[Header, SA1, KE, Ni, IDi]

82
Phase 1 (Aggressive Mode)

Initiator Responder

[Header, SA1, KE, Ni, IDi]

[Header, SA2, KE, Nr,

IDr, [Cert]sig]

[Header, [Cert]sig]

First two messages combined into one

(combine Hello and DH key exchange)

83
 IPSec (Phase 1)
 Four different way to authenticate (either
mode)
 Digital signature
 Two forms of authentication with public key
encryption
 Pre-shared key
 NOTE: IKE does use public-key based
cryptography for encryption
84
 IKE Version Difference
 Mainand aggressive modes applies only to
IKEv1 protocol.
 IKEv2 protocol does not negotiate using main
and aggressive modes.
 IPSec (Phase 2)
 Goal: to establish custom secure channels
between two end points
 End points are identified by <IP, port>:
• e.g. <www.mybank.com, 8000>
 Or by packet:
• e.g. All packets going to 128.124.100.0/24
 Use the secure channel established in Phase
1 for communication

86
Regardless of the mode used in Phase 1, Phase 2
always operates in quick mode and involves the
exchange of three messages.
 Expectations from IKE
 Secrecy and authenticity
 Protection against replay attacks
 Scalability (being suitable for big networks)
 Privacy and anonymity (protecting identity of
players in the protocol)
 Protection against DOS
 Efficiency (both computational and minimal in
the number of messages)
 Independence of cryptographic algorithms
 Minimize protocol complexity
 Reliability
 UNIT - 2 TOPICS
 Overview of IPSEC  Internet Key Exchange
 Security Association  Phases of IKE
 Security Association DB  Phase I IKE – Modes and key
 Security Policy DB types
 AH & ESP
 Phase I IKE Protocols
 Tunnel and Transport Mode
 Phase II IKE
 IP Header Protection
 ISAKMP / IKE Encoding
 IP and IPv6
 IPV4 and IPV6 header
 Authentication Header
 Mutable,Immutable and
Mutable but predictable
 Encapsulation Security
Payload(ESP)