10 - 1 IPsec – SANS GIAC LevelTwo - ©2000, 2001 1 IP Security IPsec Protocols This course was originally authored by Jean Triquet, a senior communications specialist with Public Works and Government Services of Canada. In the last two years, he participated in a project for the implementation of secure remote access services for the organization. The technology of choice was Virtual Private Network (VPN) through IPsec. In this course, the student will learn how Internet Protocol (IP) (an inherently unsecure protocol) can be secured using the IPsec suite of protocols which focus on security via the network (IP) layer. The Internet Protocol is the layer that is responsible for networking and has no built-in mechanisms for prevention of alteration or eavesdropping of data in transit. IPsec can assist in ensuring the integrity and privacy of the data that is sent. IPsec is one of three widely used VPN protocols. A VPN essentially offers private network connectivity between two communicating hosts using shared public links, such as the Internet. Before the use of VPN’s the only way that hosts could privately communicate was by using hardwired dedicated links. But, now with protocols such as IPsec, these communications don’t require dedicated private links. You’ll see how this is done using IPsec. 10 - 2 IPsec – SANS GIAC LevelTwo - ©2000, 2001 2 Outline • IPSEC - security services • Security Association (SA) • Internet Key Exchange (IKE) • The Authentication Header (AH) protocol • The Encapsulating Security Payload (ESP) protocol • Practical applications • Summary The objective of this presentation is to teach the underlying theory of IPsec. First, we will have a very brief introduction to IPsec and what it does. Building on the information presented in the intro, we will continue by studying the concept of the Security Associations. The student will see how two network nodes can have a secure relationship at the IP layer and how the same two nodes know which security rules to apply to their relationship. Various types of relationships available through IPsec’s Security Associations will be presented. Then, we will study how a Security Association is built. The student will see how the keys, security parameters, etc. are securely negotiated and exchanged when two IP nodes try to establish a Security Association. The mechanisms of the Internet Key Exchange protocol will be examined. Once the student knows how to build a Security Association, we will study the two security protocols offered by IPsec, the Authentication Header and the Encapsulating Security Payload. The functionality of these protocols and their format is the theme for these sections. We will put all that together by studying two practical applications of IPsec and we will complete the study by a summary in which we will recreate, step-by-step, an IPsec session between two nodes. 10 - 3 IPsec – SANS GIAC LevelTwo - ©2000, 2001 3 IPsec - Security Services The security can cover communications: - Host-to-Host - Security gateway-to-Security gateway - Host-to-Security gateway IPsec is a set of protocols (IKE, AH, ESP) which add security services to the network layer. These services include: -Confidentiality -Authentication -Integrity -Access control -Partial protection against traffic flow analysis Public IP Network Security Gateway Host Security Gateway Host Private IP Network Private IP Network Look at slide “IPsec – Security Services” to see the network diagram representing the different type of relationships that can be established with IPsec. IPsec can be implemented between two hosts, two security gateways or between a host and a security gateway. A host can be any network device, for example a computer or a router, even a firewall. A firewall can also be a security gateway. The difference between a host and a security gateway, for the purpose of IPsec, resides in how IPsec is used by the network device. If the device uses IPsec to secure communications between itself (its own IP stack) and another IPsec node, then it’s considered a host. If the network device uses IPsec to secure communications coming from and going to a network segment, than it is a security gateway (for IPsec purposes). IPsec is a set of protocols which, when combined, offer security over IP networks. The protocols work at the IP layer, protecting all the upper layers (TCP, UDP, ICMP). The IPsec suite consists of three protocols: Internet Key Exchange (IKE) Authentication Header (AH) Encapsulating Security Payload (ESP) The security services available through IPsec include, but are not limited to, confidentiality, integrity, authentication, partial protection against traffic flow analysis and access control. 10 - 4 IPsec – SANS GIAC LevelTwo - ©2000, 2001 4 IPsec and Firewall or Intrusion Detection System • Fundamentals of protocol to tunnel through firewall • Secure channel from sensor to analysis station • Analyst should be able to identify IPsec is in use • Incident handler may use IPsec within team communications We continue with the slide “IPsec and Firewall or Intrusion Detection System” to understand that IPsec is important to the intrusion analyst or firewall specialist since it is becoming more and more common. Take a look at recent PGP implementations and you have the ability to connect securely machine to machine. The analyst must understand the fundamentals of the protocol and how to identify it since it is tunneled through her/his networks. 10 - 5 IPsec – SANS GIAC LevelTwo - ©2000, 2001 5 Tcpdump Output of an IPsec “Discussion” Building a secure association Authentication 192.168.30.57.1038 > 192.168.167.40.389 : S 395784:395784(0) win … 192.168.167.40.389 > 192.168.30.57.1038: S 1757781809:1757781809(0) ack 395785 win… Key and security parameters exchanges 192.168.30.57.500 > 192.168.167.40.500: udp 990 (ttl 128, id 37896) 192.168.30.57.500 > 192.168.167.40.500: udp 92 (ttl 128, id 38152) IPsec traffic 192.168.30.57 > 192.168.167.40: ip-proto-50 132 (ttl 128, id 32522) 192.168.30.57 > 192.168.167.40: ip-proto-50 132 (ttl 128, id 32778) Before we start studying in details the various components of IPsec, let’s take a look at some IPsec traffic through the eyes of tcpdump. It will give us an overview of the IPsec behavior. On the slide, “Tcpdump Output of an IPsec “Discussion”, we see extracts of a tcpdump trace from a remote PC, 192.168.30.57, establishing an IPsec link with a security gateway, 192.168.167.40. The traffic is divided in three major parts. In the first two tcpdump lines, we see the TCP port number 389 in the trace. That indicates an LDAP request. Therefore, we have an authentication activity occurring between the two IPsec nodes and a X.500 directory service part of a Public Key Infrastructure. This corresponds to the primary authentication services which must take place before any IPsec process can begin. Authentication could also be something as simple as the manual exchange of keys through email, face-to-face, etc. The next segment of traces shows UDP port number 500 in the tcpdump lines three and four. This well- known port number is assigned to the ISAKMP protocol. We will study this protocol later in the class. This portion of network traffic corresponds to the negotiations about the security policies, the encryption keys and other ancillary parameters. It indicates that Security Associations are being created. The last two tcpdump lines show IPsec traffic. For this trace, I have captured an FTP session. There is no indication of this by just looking at the traffic. This is because the traffic is of type ESP, as shown by ip-proto-50, displayed in the trace. 50 is the IP protocol number assigned to ESP. 10 - 6 IPsec – SANS GIAC LevelTwo - ©2000, 2001 6 Security Associations What is it? • The set of security policies to apply to an IPsec device, the Security Policy Database (SPD) example: For access to Network A, use 3DES for encryption with HMAC-MD5 for authentication • The information describing an active security link established between two IPsec peers, the Security Association Database (SAD) There are two SAs per link, one on each IPsec peer Slide “Security Associations What is it?” describes the Security Associations (SA) concept as the foundation of every IPsec implementation. It has two components, called databases. First, the Security Policy Database (SPD) will define, for an IPsec node, the engagement rules to use when another IPsec node requests connectivity. Or, what you are ready to propose to a node you want to communicate with. Without these rules one cannot establish any secure communication with other IPsec nodes. The same applies if there are no compatible rules between the two IPsec nodes: communication won’t be established between the nodes. IPsec nodes build relationships based on the Security Policy Database. Second, if two IPsec nodes succeed in negotiating engagement rules, the result is an entry in the Security Association Database (SAD), describing the relationship between the two nodes. To keep track of the relationship, there are two active SAs, one on each node. 10 - 7 IPsec – SANS GIAC LevelTwo - ©2000, 2001 7 Security Associations Unique Identification • For the Security Associations concept to work Each active Security Association created for an IPsec session must be uniquely identified • The unique identification is made up of the following information • SPI, the Security Parameter Index • The destination IP address • A security protocol (AH or ESP) identifier Slide “Security Associations Unique Identification” describes that we have learned that to create a secure link between two IPsec peers, we have to create Security Associations (one on each IPsec peer). It is possible to have multiple SAs between two peers or one peer may have multiple SAs with multiple peers. Consequently, each SA must be uniquely identified. The unique identification is built from the combination of: -The Security Parameter Index (points to the right SA in the Security Association database); the SPI is a random integer number 32 bits long, chosen by the receiving end of a SA. The device initiating an IPsec negotiation has no idea of what SPI is already being used by the recipient of the request. Therefore, to avoid duplications, it is left to the recipient to choose the SPI. -The destination address -The security protocol identifier, it may be AH(IP protocol 51) or ESP (IP protocol 50). 10 - 8 IPsec – SANS GIAC LevelTwo - ©2000, 2001 8 Security Associations A Sample Network 10.0.1.0 10.0.0.0 10.0.2.0 Security Gateway A 192.168.0.0 Security Gateway B 10.0.3.0 Public IP Network SA (security gateway A) The Rules - If you want to access my network, you have to authenticate and encrypt your information SA (security gateway B) The Rules - If you want to access my network segment 10.0.1.0 or 10.0.2.0, you have to authenticate and encrypt your information - Anything else, I will discard the packets This slide “Security Associations A Sample Network” presents a fictitious network. We will use this network to explain the Security Policy Database and how policies are selected. Let’s define some of the terms we are going to use in our discussions of Security Associations. We aren’t going to have encryption without keys. In IPsec we will use the Diffie-Hellman (see Annex A for a discussion on Diffie-Helman) algorithm for public key exchange so we produce a shared secret value. Hash Message Authentication code (HMAC) is a symmetric key algorithm for integrity and authentication. HMAC-MD5 is a hash function that produces a 128 bit value. If you want a longer hash, HMAC-SHA is a 160 bit value. 10 - 9 IPsec – SANS GIAC LevelTwo - ©2000, 2001 9 Security Associations Security Policy Database (SPD) "Secret" IPsec "ESP DES HMAC MD5 MINUTES 300 or ESP 3DES HMAC MD5 MINUTES 300" ISAKMP "DES MD5 MINUTES 1440" ”Top Secret" IPsec "ESP 3DES HMAC MD5 MINUTES 300" ISAKMP "DES MD5 MINUTES 1440" The first SA database, the Security Policy Database (SPD) is described in slide “Security Associations Security Policy Database (SPD)”. The slide presents examples of different level of security with different security parameters options which provide the means to enforce the generic policy formulated on the previous slide. That’s what the SPD is used for, to list various set of security parameters which will be mapped against specific IP addresses or network segments. The security parameters must include the security protocol to be used as well as the encryption and authentication algorithms. The lifetime of the SA also needs to be specified. Other parameters can be included, usually parameters that will be used for the normal processing of the encryption or authentication algorithm. Let’s examine the security associations for what this site has called a “Secret” association to see what this policy actually means. The IPsec protocol used will be ESP, the encryption will be done using DES or 3DES, the authentication algorithm will HMAC MD5, and the security association will be good for a maximum of 300 minutes or 5 hours. The key exchange will be done using DES encryption, MD5 authentication and the keys will be good for 1440 minutes. 10 - 10 IPsec – SANS GIAC LevelTwo - ©2000, 2001 10 Security Associations Selectors, Processing & Location Local resource Processing Security Level 10.0.0.0 Discard packets N/A 10.0.1.0 Apply IPsec Secret 10.0.2.0 Apply IPsec Top Secret 10.0.3.0 Discard packets N/A From the 10.0.0.0 network’s perspective… From the 192.168.0.0 network’s perspective… Remote resource Processing Security Level Tunnel End Point 10.0.1.0 Apply IPsec Top Secret Security Gateway B Turn to slide “Security Associations Selectors, Processing & Location”. The security policies are quite useless by themselves. Some configuration has to be done to map the policies to something. In IPsec, that something is called a selector. So, to create SAs, a configuration mechanism will be used to select the security policies and map them to IP addresses or range of IP addresses. Also, the SA “law” proposes three processing modes which also need to be configured: Apply IPsec, Discard packets and Bypass IPsec. And the last configuration element, in order to allow a node to initiate a connection with another IPsec implementation, the tunnel end point must be specified. If we look at the tables on the slide, on the Security Gateway B, the one protecting 10.0.0.0, we would have this configuration information somewhere. For example, the local (protected) network 10.0.1.0 selects the processing mode Apply IPsec and the security policies labeled Secret. On the previous slide, we listed the policy database entry for a “secret” association. In the bottom table, we have the 192.168.0.0 network’s perspective. To be able to communicate with the network 10.0.1.0, its security gateway will have to Apply IPsec, a security level Top Secret and the tunnel end point to reach that network is Security Gateway B. Somehow, all this information must be present. However, how it is implemented is very different from one product to another. [...]... 192.168.0.10 > 192.168.0.1: 192.168.0.10 > 192.168.0.1: 192.168.0.1 > 192.168.0.10: 192.168.0.10 > 192.168.0.1: ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 ip- proto-50 88 (DF) [tos 0x1d] (ttl 128, 88 (DF) (ttl 127, id 37383) 80 (DF) [tos 0x1d] (ttl 128, 128 (DF) (ttl... 192.168.0.1: 192.168.0.1 > 192.168.0.10: 192.168.0.10 > 192.168.0.1: 192.168.0.1 > 192.168.0.10: 192.168.0.10 > 192.168.0.1: ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 ip- proto-51 90 (DF) [tos 0xd] (ttl 128, id 94 (DF) (ttl 127, id 16135) 80 (DF) [tos 0xd] (ttl 128, id 129 (DF) (ttl 127,... between hosts IPsec requires security gateways to use tunnel mode 10 - 12 Security Associations Tunnel Mode 192.168.0.0 IP address = 10.0.1.1 IP address = 192.67.1.1 Security Gateway B 192.168.0.10 10.0.0.0 Security Gateway A Public IP Network 10.0.0.10 ENCRYPTED and/or AUTHENTICATED Tunnel IP header Source 10.0.1.1 IP header Destination 192.67.1.1 Source 10.0.010 Destination 192.168.0.10 Payload IPsec –... calls for the use of the ESP security protocol The trace is very similar to the trace generated with AH as a security protocol The only difference is the IP protocol type 50, (ip- proto-50) The tunneling is also visible by the presence of the security gateway IP address instead of the address of the FTP server CA/X.500 (PKI) IP network 10.0.0.1 IPsec security gateway Remote PC IPsec host 192.68.0.10 192.168.0.1... destination IP addresses, or if the receiver is an IPsec host, the packet stays in the IP stack, but is processed like a standard IP packet 10 - 27 Encapsulating Security Payload Outbound Processing TRANSPORT MODE And After original IP header Before ESP ESP TCP Data ESP Trailer ESP Auth Encrypted Authenticated original IP header TCP Data TUNNEL MODE And After New IP header ESP original IP header TCP... ©2000, 2001 13 Slide Security Associations Tunnel Mode” discusses the concept of the tunnel mode An SA tunnel is very similar to an IP tunnel An IP header is appended to an original IP packet, hiding the initiator IP address as well as the receiver IP address Let’s take a look at what happens when the host 10.0.0.10 sends a packet to 192.168.0.10 through the two security gateways The security gateways... New IP header) New IP header TCP Data original IP header IPsec – SANS GIAC LevelTwo - ©2000, 2001 18 Turning to slide “Authentication Header Inbound Processing”, we contrast the inbound datagram composition using the transport and tunnel modes When an IPsec node receives an IP packet, it searches for information on how to handle the packet With the help of the IP protocol number presented in the IP. .. with a server behind a security gateway There is an IPsec Bump-in-the-stack implementation on the PC and a native IP implementation in the gateway Before we move on to the next slide, let me describe briefly the two new elements introduced in these notes: native IP and bump-in-the-stack implementations The native IP implementation is simply the integration of IPsec within the native IP implementation It... that later 10 - 19 Authentication Header FTP Traffic Through IPsec - the Setup CA/X.500 (PKI) IP network 10.0.0.1 IPsec security gateway Ethernet Ethernet 192.68.0.1 192.168.0.1 FTP server 10.0.0.10 Remote PC IPsec host 192.68.0.10 192.168.0.10 IPsec – SANS GIAC LevelTwo - ©2000, 2001 20 This slide “Authentication Header FTP Traffic Through IPsec – the Setup” describes the setup used to generate the... - 26 Encapsulating Security Payload Inbound Processing TRANSPORT MODE When it arrives original IP header ESP TCP ESP Trailer Data ESP Auth Encrypted Authenticated After ESP original IP header TCP Data TUNNEL MODE When it arrives New IP header ESP original IP header TCP Data ESP Trailer ESP Auth Encrypted Authenticated IPsec – SANS GIAC LevelTwo - ©2000, 2001 27 So, how does an IPsec node deal with . 3 IPsec - Security Services The security can cover communications: - Host-to-Host - Security gateway-to -Security gateway - Host-to -Security gateway IPsec. flow analysis Public IP Network Security Gateway Host Security Gateway Host Private IP Network Private IP Network Look at slide “IPsec – Security Services”