Author: basilguo@163.com

Summary: Basic IPsec knowledge.

1. Internet Security Protocols

Of course, I will refer to IPsec version 1 as ipsec and to IPsec version 2 as ipsec-v2.

| Item | IPsec | SSL |
|---|---|---|
| layer | network | application and transport (socket) |
| location | Host OS, no changes to the application | application, no changes to OS |
| feature | encryption, integrity, authentication, etc. | encryption, integrity, authentication, etc. |
| complexity | overly complex | relatively simpler |
| common usage | VPN | Web application |

  • Reluctance to retrofit applications for SSL
  • Reluctance to use IPSec due to complexity and interoperability issues

IPsec is a complex protocol. It is:

  • over-engineered: including lots of generally useless extra features.
  • flawed: including some serious security flaws.
  • interoperability is a serious challenge: defeats the purpose of having a standard.
  • complex

1.1. Intro to IPsec

IPsec is a set of protocols and mechanisms that support security at the network layer (IP layer). It is implemented on end hosts (host-to-host) and gateways (site-to-site/host). It has security policies and an SPD (security policy database), which defines rules to decide whether an IP packet (datagram) needs to be processed and how. It also has security associations (SAs) and an SAD (SA database), which holds information about each unique security connection, with separate associations in each direction (outbound and inbound). An SA is uniquely defined by the SPI (security parameters index), destination IP address, and IPsec protocol (ESP or AH).

IPsec has two components:

  • IKE: Internet Key Exchange
    • mutual authentication
    • establish shared symmetric key
    • two "phases"
  • ESP/AH
    • after SA (symmetric key) has been established
    • ESP: encapsulating security payload -- for encryption, and/or integrity of IP packets.
    • AH: authentication header -- integrity only.

Services IPsec provides include:

  • data connect confidentiality
  • connectionless integrity
  • data origin authentication
  • replay protection
  • privacy
  • traffic flow masking

2. IPsec architecture

  • security policy defines treatment of traffic.
  • security associations between nodes components.
  • security protocols
    • AH: provides data integrity/authentication
    • ESP: provides encryption+integrity/authentication(optional)
  • key management uses IKEv1.
  • Algorithms for authentication and encryption

IPsec AH uses protocol value 51, and IPsec ESP uses protocol value 50.

ipsec transport mode is designed for host-to-host traffic. It is efficient and adds a minimal amount of extra header. The original header remains, so passive attackers can see who is talking.

# IPsec Transport Mode
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  IP header  |     data    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                   \
        V                    V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  IP header  |    ESP/AH   |     data    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ipsec tunnel mode is for firewall-to-firewall (site-to-site) traffic. The original IP packet is encapsulated in IPsec. The original IP header is not visible to an attacker (if ESP is used) because a new header is inserted before the original IP header, so attackers do not know which hosts are talking.

# IPsec Tunnel Mode
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |  IP header  |     data    |
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                   |             |
                                   V             V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|new IP header|    ESP/AH   |  IP header  |     data    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

| Mode | Encapsulates header | Encapsulates payload | Works for host-to-host | Works for site-to-site |
|---|---|---|---|---|
| Tunnel Mode | YES | YES | YES | YES |
| Transport Mode | NO | YES | YES | NO |

Transport mode is not strictly necessary, even though it is more efficient.

If you don't know which protocol to use, just use ESP.

3. RFC 4302 (IP AH)

IP AH is used to provide connectionless integrity, data origin authentication, and protection against replays.

AH provides authentication for as much of the IP header as possible, but not all of the header can be protected by AH. Data privacy is not provided by AH (all data is in the clear).

3.1. IPsec AH in transport mode

AH covers all immutable fields of the IP and AH headers and the payload by computing a MAC. It does not cover the TOS, flags, fragment offset, TTL and header checksum fields of the IP header (it does cover the modified packet length value), nor the authentication data in the AH header.

When an AH header is added to a packet, the protocol field of the IP header is changed to AH=51 and the previous protocol value is placed in the next header field of the IPsec header. The packet length field is changed as well.

3.2. IPsec AH in tunnel mode

AH covers all immutable fields of the headers and the payload. It does not cover the TOS, flags, fragment offset, TTL and header checksum fields of the IP header, nor the authentication data in the AH header.

The new IP header is created with the appropriate source and destination IP addresses. The protocol value in the new IP header is set to AH=51 and the next header value in the IPsec header is set to IP=4.

3.3. Notes on AH

  • HMAC incorporates a secret key
  • Exact authentication function and keys negotiated by end points
  • Tunnel Mode vs. Transport Mode identified by the next header type in the IPSec Header (also true of ESP)
    • if 4 then must be Tunnel mode
    • else Transport mode
  • AH is incompatible with NAT / PAT devices
    • Network Address Translation
    • Port address translation, another way of NAT.
    • change of (private) source address, for example, at a NAT box does not allow re-computation of the HMAC by the destination
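
The coverage rules from sections 3.1 and 3.3 can be checked directly. The following is an added example, not code from the original notes: it builds a transport-mode AH packet, zeroes the uncovered IP fields before computing the MAC, and shows that a TTL change still verifies while a NAT-style source rewrite does not. HMAC-SHA1-96, the key, the addresses and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, socket, struct

AH_PROTO = 51                       # IP protocol number for AH (from the page)
KEY = b"constructed-demo-key"       # constructed; real keys come from IKE

def ipv4_header(src, dst, proto, body_len, ttl=64):
    # 20-byte IPv4 header without options; checksum left 0 (it is excluded anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    # Fields the page lists as not covered by the MAC are zeroed before hashing
    h = bytearray(ip_hdr)
    h[1] = 0                        # TOS
    h[6:8] = b"\x00\x00"            # flags + fragment offset
    h[8] = 0                        # TTL
    h[10:12] = b"\x00\x00"          # header checksum
    return bytes(h)

def compute_icv(key, ip_hdr, ah, payload):
    # The authentication data field itself is zeroed during the computation
    ah_zeroed = ah[:12] + b"\x00" * 12
    data = zero_mutable(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_protect(key, src, dst, upper_proto, payload, spi=0x1000, seq=1):
    # AH fixed part: next header, payload len (24/4 - 2 = 4), reserved, SPI, sequence
    ah = struct.pack("!BBHII", upper_proto, 4, 0, spi, seq) + b"\x00" * 12
    ip = ipv4_header(src, dst, AH_PROTO, len(ah) + len(payload))
    return ip + ah[:12] + compute_icv(key, ip, ah, payload) + payload

def ah_verify(key, packet):
    ip, ah, payload = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(ah[12:], compute_icv(key, ip, ah, payload))

def rewrite(packet, ttl=None, src=None):
    # Simulates what a router (TTL) or a NAT box (source address) does in transit
    p = bytearray(packet)
    if ttl is not None:
        p[8] = ttl
    if src is not None:
        p[12:16] = socket.inet_aton(src)
    return bytes(p)

if __name__ == "__main__":
    pkt = ah_protect(KEY, "10.0.0.5", "203.0.113.9", 6, b"constructed TCP segment")
    print("as sent:        ", ah_verify(KEY, pkt))
    print("TTL decremented:", ah_verify(KEY, rewrite(pkt, ttl=63)))
    print("source NATed:   ", ah_verify(KEY, rewrite(pkt, src="198.51.100.7")))
```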

4. RFC 4303 (IP ESP)

ESP allows for encryption as well as authentication. Both are optional, as defined by the SPI and policies. A null encryption algorithm (ESP-NULL) was proposed, so AH is in a sense not needed. The protocol type in the IP header is set to 50.

ESP does not protect the IP header, only the payload. In tunnel mode the original packet is encrypted. In transport mode the original packet data is encrypted. This includes higher-level protocols and ports. (NATs and firewalls may need this information.)

ESP header is actually a header plus a trailer as it "surrounds" the packet data.

AH and ESP can actually be combined, but this is rarely done.

Services ESP provides include:

  • confidentiality
  • data origin authentication
  • connectionless integrity
  • anti-replay services
  • limited traffic flow confidentiality

Security services can be provided between:

  • a pair of communicating hosts
  • a pair of security gateways
  • a security gateway and a host

4.1. Notes on ESP

Packet Format: header-data-trailer

ESP can also have NAT/PAT problems if transport layer information is used.
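
The header-data-trailer layout is easiest to see with ESP-NULL, where the data stays in the clear. The following is an added example, not code from the original notes: it wraps data in an ESP header and trailer, reads the trailer back from the end of the packet, and reports tunnel or transport mode from the next header value. HMAC-SHA1-96 as the integrity algorithm, the key, the SPI values and the function names are assumptions.

```python
import hashlib, hmac, struct

ICV_LEN = 12                        # HMAC-SHA1-96 (assumed integrity algorithm)
KEY = b"constructed-demo-key"       # constructed; real keys come from IKE

def esp_wrap(key, spi, seq, next_hdr, data):
    header = struct.pack("!II", spi, seq)              # ESP header: SPI + sequence
    pad_len = -(len(data) + 2) % 4                     # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = header + data + trailer                     # NULL encryption: data in clear
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_unwrap(key, esp):
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # check integrity before parsing
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]             # trailer is read from the end
    if pad_len > len(body) - 10:
        raise ValueError("pad length exceeds payload")
    return {"spi": spi, "seq": seq, "next_hdr": next_hdr,
            "data": body[8:len(body) - 2 - pad_len],
            "mode": "tunnel" if next_hdr == 4 else "transport"}

if __name__ == "__main__":
    udp = b"constructed UDP datagram"                  # constructed upper-layer data
    print(esp_unwrap(KEY, esp_wrap(KEY, 0x2000, 1, 17, udp)))
    inner_ip = b"\x45" + b"\x00" * 19 + udp            # constructed inner IP packet
    print(esp_unwrap(KEY, esp_wrap(KEY, 0x2001, 1, 4, inner_ip))["mode"])
```

The ICV here covers only the ESP header, data and trailer, which matches the statement that ESP does not protect the IP header.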

5. SAD & SPD

The IPSec protocol maintains two databases for both endpoints:

  • SAD: Indexed by SPIs, contains the information needed to encapsulate packets for one association: cryptographic algorithms, keys, sequence numbers, etc.
  • SPD: Allows for implementation of packet filtering policies. Defines whether or not to accept non-protected packets, what to require, etc.

5.1. SAD

  • Sequence number
  • Sequence number overflow
  • Anti-replay window
  • AH information
    • Algorithms, initialization values, keys, etc.
  • ESP information
    • Algorithms, initialization values, keys, etc.
  • SA lifetime
  • IPSec protocol mode
  • Tunnel destination
  • Path MTU (max packet size)

5.2. SPD

SPD defines

  • Traffic to be protected
  • How to protect it

It must be consulted for each packet entering or leaving the IP stack.

Three possible actions

  • Discard
  • Bypass IPSec
  • Apply IPSec

5.3. SA

An IPSec-protected connection is called a security association.

The SPI used to identify the SA is normally chosen by the receiving system (destination).

For outbound packets, a packet's selector is used to determine the processing to be applied to the packet. This is more complex than the inbound case, where the received SPI, destination address and protocol type uniquely point to an SA.

SA selectors include the destination IP address, source IP address, name, next layer protocol, etc.

6. IKE

IKE is Internet Key Exchange. It negotiates the algorithms/keys needed to establish a secure channel between peers. IKEv1 consists of 2 phases:

  • phase 1: IKE security association (SA)
  • phase 2: AH/ESP SA

Phase 1 is comparable to an SSL session and phase 2 is comparable to an SSL connection. There is no obvious need for two phases in IKE. If multiple Phase 2s do not occur, then it is more expensive to have two phases!

IKE Phase 1

It has four different key options:

  • public key encryption (original version)
  • public key encryption (improved version)
  • public key signature
  • pre-shared symmetric key

For each of these, two different "modes"

  • Main mode (6 messages)
  • Aggressive mode (3 messages)

There are 8 versions of IKE Phase 1!

IKE phase 1 generally can use ephemeral Diffie-Hellman to establish session key to achieve perfect forward secrecy (PFS).

  • Let a be Alice's DH exponent
  • Let b be Bob's DH exponent
  • Let g be the generator and p the prime
  • Recall p and g are public

Main vs Aggressive modes

  • Main mode must be implemented
    • trying to protect identities
    • crypto including DH parameters can be negotiated
  • Aggressive mode should be implemented. In other words, if aggressive mode is not implemented, "you should feel guilty about it".
  • This might create interoperability issues.

IKE Phase 2

Phase 1 establishes the IKE SA, while Phase 2 establishes the IPsec SA. IKE could be used for lots of things, but in practice it is not.

After IKE Phase 1, we have an IKE SA. After IKE Phase 2, we have an IPSec SA. Both sides have a shared symmetric key. We can now process IP datagrams using ESP/AH.
