
BIRLA INSTITUTE OF TECHNOLOGY & SCIENCE, PILANI

WORK INTEGRATED LEARNING PROGRAMMES

Network Security
Security at Network Layer

Session : 5 & 6
Outline

• Recap from previous class


• Network Layer
• Network Layer Attacks
• Defense Mechanisms
• Summary

Network Layer

Communication Between Layers

[Figure: Host A, Router, Router, Host B. Application data is exchanged between the application layers of Host A and Host B, and the transport payload between their transport layers. The network payload and the data link payload are handled by the network layer and data link layer at every hop (Host A, both routers, Host B).]

Security at Network Layer
• Implementing security in the application layer provides flexibility in security policy and key management
• The problem is the need to implement the security mechanism in every application individually
• To reduce the overhead, implement security in the network layer to provide security for all applications between a selected pair of computers

IPSec
• Framework of open standards to ensure secure communications over the Internet for
the Network Layer
• Two protocols
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Provide general security services for IP
• Authentication
• Confidentiality
• Anti-replay
• Key management
• IPSec provides the capability to secure communications across a LAN, private and public
WANs, and the Internet
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security

9/30/2004 6
Scenario of IPSec Usage
• An organization maintains LANs at
dispersed locations
• Non-secure IP traffic is conducted on
each LAN
• IPSec protocols are used for external
communication
• These protocols operate in networking
devices that connect each LAN to the
outside world i.e. routers & firewalls
• The IPSec networking device will
typically encrypt and compress all traffic
going into the WAN, and decrypt and
decompress traffic coming from the
WAN

Benefits of IPSec
• Provide strong security to all traffic crossing the perimeter if installed in a
firewall/router
• Resistant to bypass
• IPSec is below transport layer, hence transparent to applications
• transparent to end users
• provide security for individual users if desired

IPSec Security Architecture
• Following are the building blocks of IPSec:
• Architecture
• RFC4301 Security Architecture for Internet Protocol
• Other RFCs are 2401/2402/2406/2408
• Authentication Header (AH)
• RFC4302 IP Authentication Header
• Encapsulating Security Payload (ESP)
• RFC4303 IP Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• RFC4306 Internet Key Exchange (IKEv2) Protocol
• Cryptographic algorithms

IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (encryption)
• Limited traffic flow confidentiality

[Figure: Case 1, insecure IP packet from an IPSec disabled host: IP header, upper layer data. Case 2, secure IP packet from an IPSec enabled host: IP header, IPSec header, upper layer data. Both cross the Internet/intranet.]

Security Association (SA)
• A unidirectional relationship between sender and receiver that affords security for traffic flow. A minimum of 2 SAs is required for a single IPSec connection.
• SAs are the combination of a given Security Parameter Index (SPI) and Destination Address.
• Each IPSec computer maintains a database of SAs
• Uniquely defined by 3 parameters
• Security Parameters Index (SPI)
• IP Destination Address
• Security Protocol Identifier
• Has a number of other parameters
• Seq no, AH & ESP info, lifetime, etc.

Security Association (SA)
A key concept that appears in both the authentication and confidentiality mechanisms for IP is the security association (SA). An association is a one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed for two-way secure exchange, then two security associations are required.
A security association is uniquely identified by three parameters.
• Security Parameters Index (SPI): A 32-bit unsigned integer assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
• IP Destination Address: This is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
• Security Protocol Identifier: This field from the outer IP header indicates whether the association is an AH or ESP security association.

[Figure 20.2 IPsec Architecture: each peer has IKEv2, IPsecv3, a security policy database (SPD) and a security association database (SAD). Labels between the peers: key exchange and IKE SA between the IKEv2 blocks; IPsec SA pair between the IPsecv3 blocks; ESP protects data.]
overview of these two databases and then summarizes their use during IPsec operation. Figure 20.2 illustrates the relevant relationships.
Hence, in any IP packet, the security association is uniquely identified by the
Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed exten-
SA Parameters
• Security Parameter Index: A 32-bit value selected by the receiving end of an SA to uniquely identify the
SA. In an SAD entry for an outbound SA, the SPI is used to construct the packet’s AH or ESP header. In an
SAD entry for an inbound SA, the SPI is used to map traffic to the appropriate SA
• Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP
headers
• Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter
should generate an auditable event and prevent further transmission of packets on this SA
• Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay
• AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with
AH
• ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and
related parameters being used with ESP
• Lifetime of this Security Association: A time interval or byte count after which an SA must be replaced
with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur
• IPsec Protocol Mode: Tunnel, transport, or wildcard
• Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be
transmitted without fragmentation) and aging variables

Security Policy Database

• SPD is the mechanism that relates IP traffic to specific SAs
• Match subset of IP traffic to relevant SA
• Use selectors to filter outgoing traffic in order to map it to an SA
• Based on: local & remote IP addresses, next layer protocol, name, local & remote ports

IPSec Processing of Outbound Packet
OUTBOUND PACKETS Figure 20.3 highlights the main elements of IPsec processing for outbound traffic. A block of data from a higher layer, such as TCP, is passed
• IPsec searches the SPD for a match to this packet.
• If no match is found, then the packet is discarded and an error message is generated.
• If a match is found, further processing is determined by the first matching entry in the SPD. If the policy for this packet is DISCARD, then the packet is discarded. If the policy is BYPASS, then there is no further IPsec processing; the packet is forwarded to the network for transmission.
• If the policy is PROTECT, then a search is made of the SAD for a matching entry. If no entry is found, then IKE is invoked to create an SA with the appropriate keys and an entry is made in the SA.
• The matching entry in the SAD determines the processing for this packet. Either encryption, authentication, or both can be performed, and either transport or tunnel mode can be used. The packet is then forwarded to the network for transmission.

[Figure 20.3 Processing Model for Outbound Packets: outbound IP packet (e.g., from TCP or UDP); search security policy database (no match found: discard packet; match found: determine policy, one of DISCARD, BYPASS, PROTECT); for PROTECT, search security association database (no match found: Internet key exchange; match found: process (AH/ESP)); forward packet via IP.]

IPSec Processing of Inbound Packet
• IPsec determines whether this is an unsecured IP packet or one that has ESP or AH headers/trailers, by examining the IP Protocol field (IPv4) or Next Header field (IPv6).
• If the packet is unsecured, IPsec searches the SPD for a match to this packet. If the first matching entry has a policy of BYPASS, the IP header is processed and stripped off and the packet body is delivered to the next higher layer, such as TCP. If the first matching entry has a policy of PROTECT or DISCARD, or if there is no matching entry, the packet is discarded.
• For a secured packet, IPsec searches the SAD. If no match is found, the packet is discarded. Otherwise, IPsec applies the appropriate ESP or AH processing. Then, the IP header is processed and stripped off and the packet body is delivered to the next higher layer, such as TCP.

[Figure 20.4 Processing Model for Inbound Packets: inbound IP packet (from Internet); packet type IP or IPsec. For IP: search security policy database (BYPASS: deliver packet to higher layer, e.g., TCP, UDP; not BYPASS: discard packet). For IPsec: search security association database (no match found: discard packet; match found: process (AH/ESP), then deliver packet to higher layer).]

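The outbound and inbound decision procedures from the two slides above, as an added example that is not part of the original slides. The `Policy` class, the dictionary packet format, the sample `SPD` and the SPI allocation that stands in for IKE are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    remote_net: str             # selector: remote address range
    protocol: Optional[str]     # selector: next layer protocol (None = any)
    remote_port: Optional[int]  # selector: remote port (None = any)
    action: str                 # DISCARD, BYPASS or PROTECT

    def matches(self, pkt):
        addr = ipaddress.ip_address(pkt["remote"])
        return (addr in ipaddress.ip_network(self.remote_net)
                and self.protocol in (None, pkt["proto"])
                and self.remote_port in (None, pkt["rport"]))


# Constructed sample policy; order matters because the first match wins.
SPD = [
    Policy("0.0.0.0/0", "udp", 500, "BYPASS"),     # let IKE itself through
    Policy("0.0.0.0/0", "tcp", 23, "DISCARD"),     # never send telnet
    Policy("10.2.0.0/16", None, None, "PROTECT"),  # branch-office traffic
]


def first_match(spd, pkt):
    return next((p for p in spd if p.matches(pkt)), None)


def outbound(pkt, spd, sad):
    """sad maps a PROTECT policy to its outbound SA (simplified SAD)."""
    policy = first_match(spd, pkt)
    if policy is None:
        return "discard+error"          # no policy: drop and report an error
    if policy.action == "DISCARD":
        return "discard"
    if policy.action == "BYPASS":
        return "forward-clear"          # no further IPsec processing
    sa = sad.get(policy)
    if sa is None:                      # stand-in for invoking IKE
        sa = sad[policy] = {"spi": 0x1000 + len(sad), "protocol": "ESP"}
    return f"forward-{sa['protocol']}-spi-{sa['spi']:#x}"


def inbound(pkt, spd, inbound_sad):
    """inbound_sad is a set of (SPI, destination address, protocol) triples."""
    if pkt.get("ipsec") is None:        # unsecured packet: only BYPASS is delivered
        policy = first_match(spd, pkt)
        ok = policy is not None and policy.action == "BYPASS"
        return "deliver" if ok else "discard"
    key = (pkt["ipsec"]["spi"], pkt["local"], pkt["ipsec"]["protocol"])
    return "process-and-deliver" if key in inbound_sad else "discard"
```

Note that a plain packet arriving from a range whose policy is PROTECT is dropped: accepting it would let cleartext bypass the SA.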
Authentication Header (AH) &
Encapsulating Security Payload (ESP)

Authentication Header (AH)
• Provide support for data integrity and
authentication of IP packets
• end system/router can authenticate user/app
• prevent address spoofing attacks by tracking
sequence numbers
• Based on use of a MAC
• HMAC-MD5-96 or HMAC-SHA-1-96
• Parties must share a secret key

Scope of AH Authentication

Encapsulating Security Payload (ESP)
• Provide message content
confidentiality and limited traffic
flow confidentiality
• Can optionally provide the same
authentication services as AH
• Support range of ciphers, modes,
padding
• DES, Triple-DES, RC5, IDEA, CAST etc
• CBC most common
• pad to meet blocksize, for traffic flow

Encapsulating Security Payload (ESP)
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function.
• Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
• Padding (0–255 bytes): The purpose of this field is discussed later.
• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
• Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload (e.g., an extension header in IPv6, or an upper-layer protocol such as TCP).
• Integrity Check Value (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.

Encryption & Authentication Algorithms & Padding
• ESP can encrypt payload data, padding, pad length, and next
header fields
• if needed have IV at start of payload data
• ESP can have optional ICV for integrity
• is computed after encryption is performed
• ESP uses padding
• to expand plaintext to required length
• to align pad length and next header fields
• to provide partial traffic flow confidentiality
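The ESP field layout and padding rules from the two slides above, as an added example that is not part of the original slides. It assumes NULL encryption (the payload stays in clear so only the framing and the ICV are shown) and HMAC-SHA-1-96 for the ICV; the function names and the key are made up for the demonstration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: SHA-1 HMAC truncated to 96 bits


def esp_build(spi, seq, payload, next_header, auth_key, block=4):
    """Frame one ESP packet: SPI | Seq | payload | padding | pad len | next hdr | ICV."""
    # Pad so that payload + padding + the two trailer bytes end on a block
    # boundary (4 bytes here; a block cipher would use its own block size).
    pad_len = -(len(payload) + 2) % block
    padding = bytes(range(1, pad_len + 1))          # default pad bytes 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    # The ICV is computed last, over everything except the ICV itself.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_parse(packet, auth_key):
    """Verify the ICV first, then strip the trailer; raise ValueError on failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time comparison
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:                    # padding cannot exceed the body
        raise ValueError("bad pad length")
    payload = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "payload": payload,
            "pad_len": pad_len, "next_header": next_header}


def esp_demo():
    key = b"constructed-demo-key"                   # constructed sample key
    pkt = esp_build(0x1000, 1, b"hello", 6, key)    # next header 6 = TCP
    parsed = esp_parse(pkt, key)
    tampered = pkt[:10] + bytes([pkt[10] ^ 1]) + pkt[11:]
    try:
        esp_parse(tampered, key)
        rejected = False
    except ValueError:
        rejected = True
    return len(pkt), parsed, rejected
```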
Scope of ESP Encryption and Authentication

Basic Difference: AH or ESP?
Which Protocol: AH or ESP?
• Differences between AH and ESP:
• ESP provides encryption, AH does not.
• AH provides integrity of the IP header, ESP does not.
• AH can provide non-repudiation, ESP does not.
• However, we don’t have to choose, since both protocols can be used together.
• Why have two protocols?
• Some countries have strict laws on encryption. If you can’t use encryption in those countries, AH still provides good security mechanisms. Having two protocols ensures wide acceptance of IPSec on the Internet.
Anti-Replay Service
• Replay is when attacker resends a copy of an authenticated packet
• Use sequence number to thwart this attack
• Sender initializes sequence number to 0 when a new SA is established
• increment for each packet
• must not exceed limit of $2^{32} - 1$
• Receiver then accepts packets with seq no within window of (N – W + 1)
(Figure 20.6). Inbound processing proceeds as follows when a packet is received:
• If the received packet falls within the window and is new, the MAC is checked. If the packet is authenticated, the corresponding slot in the window is marked.
• If the received packet is to the right of the window and is new, the MAC is checked. If the packet is authenticated, the window is advanced so that this sequence number is the right edge of the window, and the corresponding slot in the window is marked.
• If the received packet is to the left of the window or if authentication fails, the packet is discarded; this is an auditable event.

[Figure 20.6 Anti-replay Mechanism: fixed window size W, with positions labelled N – W, N and N + 1; advance window if valid packet to the right is received; a slot is marked if a valid packet was received and unmarked if a valid packet has not yet been received.]

Transport and Tunnel Modes
Figure 20.7 shows two ways in which the IPsec ESP service can be used. In the upper part of the figure, encryption (and optionally authentication) is provided directly between two hosts. Figure 20.7b shows how tunnel mode operation can be
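The three receiver rules of the Anti-Replay Service slide above, as an added example that is not part of the original slides. The class name and verdict strings are made up, and MAC verification is modelled by a boolean argument so the window logic can be followed on its own.

```python
ACCEPT, REPLAY, TOO_OLD, BAD_MAC = "accept", "replay", "left-of-window", "bad-mac"


class AntiReplayWindow:
    """Receiver-side sliding window of size W for one inbound SA."""

    def __init__(self, size=64):
        self.size = size    # W
        self.right = 0      # N: highest sequence number authenticated so far
        self.bitmap = 0     # bit i set => sequence number N - i was received

    def receive(self, seq, mac_valid):
        # The sender starts at 0 and increments for each packet, so the
        # first packet on the wire carries 1; anything below is invalid.
        if seq < 1 or seq <= self.right - self.size:
            return TOO_OLD                  # left of window: discard, auditable event
        if seq <= self.right:               # inside the window
            bit = 1 << (self.right - seq)
            if self.bitmap & bit:
                return REPLAY               # slot already marked: not new
            if not mac_valid:
                return BAD_MAC
            self.bitmap |= bit              # mark the slot
            return ACCEPT
        # Right of the window: the window only moves for authenticated
        # packets, otherwise a forged high number would lock out real traffic.
        if not mac_valid:
            return BAD_MAC
        shift = seq - self.right
        self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
        self.right = seq                    # seq is the new right edge
        return ACCEPT


def replay_demo():
    """Constructed arrival order on a window of size 4: (sequence number, MAC ok)."""
    window = AntiReplayWindow(size=4)
    arrivals = [(1, True), (2, True), (2, True), (5, True), (3, True),
                (1, True), (9, True), (5, True), (10, False), (10, True)]
    return [window.receive(seq, ok) for seq, ok in arrivals]
```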
Transport & Tunnel Mode

Transport v/s Tunnel Mode
• Transport mode is used to encrypt and
optionally authenticate IP data
• Data protected (encrypted) but header left
in clear
• Can do traffic analysis
• Good for host to host traffic (peer to peer
communication)
• Tunnel mode encrypts entire IP packet
• Adds new header for next hop
• No routers on way can examine inner IP
header
• Used for site to site communication
• Good for VPNs, gateway to gateway
security

Transport v/s Tunnel Mode Protocol
Transport Mode
• Transport mode is used when the cryptographic endpoints
are also the communication endpoints of the secured IP
packets.
• Cryptographic endpoints: The entities that generate /
process an IPSec header (AH or ESP)
• Communication endpoints: Source and Destination of an IP
packet

Tunnel Mode
• Tunnel mode is used when at least one cryptographic
endpoint is not a communication endpoint of the secured IP
packets.
• Outer IP Header – Destination for the router.
• Inner IP Header – Ultimate Destination

Combining Security Associations
• SA’s can implement either AH or
ESP
• to implement both need to
combine SA’s
• form a security association bundle
• may terminate at different or same
endpoints
• combined by
• transport adjacency
• iterated tunneling
• combining authentication &
encryption
• ESP with authentication, bundled
inner ESP & outer AH, bundled inner
transport & outer ESP

Key Management

How IPSec Works: Phase 1
• Internet Key Exchange (IKE) is used to set up IPSec.
• IKE Phase 1:
• Establishes a secure, authenticated channel between the two computers
• Authenticates and protects the identities of the peers
• Negotiates what SA policy to use
• Performs an authenticated exchange of shared secret keys
• Sets up a secure tunnel for phase 2
• Two modes: Main mode or Aggressive mode
• Main Mode IKE
• Negotiate algorithms & hashes.
• Generate shared secret keys using a Diffie-Hellman exchange.
• Verification of identities.
• Aggressive Mode IKE
• Squeezes all negotiation, key exchange, etc. into fewer packets.
• Advantage: Less network traffic & faster than main mode.
• Disadvantage: Information is exchanged before a secure channel is created. Vulnerable to sniffing.
How IPSec Works: Phase 2
• An AH or ESP packet is then sent using the SA agreed upon during IKE phase 1.
• IKE Phase 2
• Negotiates IPSec SA parameters
• Establishes IPSec security associations for specific connections (like FTP, telnet, etc)
• Renegotiates IPSec SAs periodically
• Optionally performs an additional Diffie-Hellman exchange
How IPSec Works: Communication
• Once Phase 2 has established an SA for a particular connection, all
traffic on that connection is communicated using the SA.
Key Management
• Handles key generation &
distribution
• Typically need 2 pairs of keys
• 2 per direction for AH & ESP
• Manual key management
• sysadmin manually configures every
system
• Automated key management
• automated system for on demand
creation of keys for SA’s in large
systems
• has Oakley & ISAKMP elements

Key Determinations Protocol

• IKE key determination is a refined Diffie-Hellman key exchange algorithm.


• Users A and B have prior agreement on two global parameters: $q$, a large prime number, and $g$, a primitive root of $q$.
• A selects a random integer $X_A$ as its private key and transmits to B its public key $Y_A = g^{X_A} \bmod q$.
• B selects a random integer $X_B$ as its private key and transmits to A its public key $Y_B = g^{X_B} \bmod q$.
• Each side now computes the secret session key:
• $K = (Y_B)^{X_A} \bmod q = (Y_A)^{X_B} \bmod q = g^{X_A X_B} \bmod q$

• This algorithm has two advantages:


• Secret keys are created only when needed. There is no need to store secret keys for a long period
of time, exposing them to increased vulnerability.
• The exchange requires no pre-existing infrastructure other than an agreement on the global
parameters.

Key Determinations Protocol

• Digital signatures: The exchange is authenticated by signing a mutually obtainable hash; each party encrypts the hash with its private key. The hash is generated over important parameters, such as user IDs and nonces.
• Public-key encryption: The exchange is authenticated by encrypting parameters such as IDs and nonces with the sender’s private key.
• Symmetric-key encryption: A key derived by some out-of-band mechanism can be used to authenticate the exchange by symmetric encryption of exchange parameters.

IKEv2 Key Exchange Protocol

• The IKEv2 protocol involves the exchange of messages in pairs.
• The first two pairs of exchanges are referred to as the initial exchanges.
• Two peers exchange information concerning cryptographic algorithms and other security parameters they are willing to use along with nonces and Diffie-Hellman (DH) values.
• The result of this exchange is to set up a special SA called the IKE SA.
• This SA defines parameters for a secure channel between the peers over which subsequent message exchanges take place.
• All subsequent IKE message exchanges are protected by encryption and message authentication.
• In the second exchange, the two parties authenticate one another and set up a first IPsec SA to be placed in the SADB and used for protecting normal communications between the peers.

OAKLEY
• A key exchange protocol based on Diffie-Hellman key
exchange
• Adds features to address weaknesses of Diffie-Hellman
• adds cookies, groups (global params), DH key exchange with
authentication
• cookies to counter clogging attacks
• replay counter mechanism
• key exchange authentication to counter man-in-the-middle
attacks

ISAKMP
• Internet Security Association and Key
Management Protocol (ISAKMP)
• ISAKMP by itself does not dictate a specific key exchange algorithm; rather, it is a set of message types that enable the use of a variety of key exchange algorithms.
• Provide framework for key management
• Define procedures and packet formats to
establish, negotiate, modify, and delete SAs
• Independent of key exchange protocol,
encryption algorithm, and authentication
method

Cryptographic Suites
Cryptographic algorithms defined for use with IPsec are:
• HMAC-SHA1/SHA2 for integrity protection and authenticity.
• TripleDES-CBC for confidentiality
• AES-CBC for confidentiality.
• AES-GCM providing confidentiality and authentication together
efficiently.
• ChaCha20 + Poly1305 providing confidentiality and authentication
together efficiently.
Summary
• Have considered:
• IPSec security framework
• IPSec security policy
• AH & ESP
• Combining security associations
• Internet key exchange
• Cryptographic suites
THANK YOU

Usage of Cookies
• Three basic requirements
• Must depend on specific parties
• Impossible for anyone other than issuing entity to generate cookies that will
be accepted by issuing party
• Cookie generation and verification must be fast
• To create a cookie, perform a fast hash over source and destination IP
addresses, source and destination ports, and a locally generated
secret value
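Cookie creation and checking as described in the slide above, as an added example that is not part of the original slides. It assumes HMAC-SHA-256 truncated to 8 bytes as the fast keyed hash; the `Responder` class and its message flow are a simplified stand-in for a real key exchange responder.

```python
import hashlib
import hmac
import ipaddress
import os
import struct


class Responder:
    """Stateless cookie check placed in front of the expensive key exchange."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # locally generated secret value
        self.dh_computations = 0                # expensive operations actually run

    def cookie(self, src_ip, src_port, dst_ip, dst_port):
        # Fast keyed hash over addresses and ports: it depends on the specific
        # parties, and only the holder of the secret can produce or check it.
        msg = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(dst_ip).packed
               + struct.pack("!HH", src_port, dst_port))
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def handle(self, src_ip, src_port, dst_ip, dst_port, echoed=None):
        expected = self.cookie(src_ip, src_port, dst_ip, dst_port)
        if echoed is None:
            # First contact: answer with the cookie and keep no state, so a
            # flood from forged source addresses costs one hash per packet.
            return "cookie", expected
        if not hmac.compare_digest(echoed, expected):
            return "drop", None                 # cookie was not issued to this sender
        self.dh_computations += 1               # only now pay for the key exchange
        return "proceed", None


def cookie_demo():
    r = Responder(secret=b"constructed-secret-for-the-demo!")
    initiator = ("198.51.100.7", 500, "192.0.2.1", 500)   # constructed addresses
    spoofed = ("203.0.113.9", 500, "192.0.2.1", 500)
    _, c = r.handle(*initiator)
    return (len(c),
            r.handle(*initiator, echoed=c)[0],  # genuine initiator echoes its cookie
            r.handle(*spoofed, echoed=c)[0],    # same cookie from another address
            r.dh_computations)
```

Rotating `secret` invalidates every outstanding cookie at once, which bounds how long a captured cookie stays useful.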

End-to-End v/s End-to-Intermediate Authentication

IKEV2 Exchanges and Payload
• have a number of ISAKMP
payload types:
• Security Association, Key Exchange,
Identification, Certificate,
Certificate Request,
Authentication, Nonce, Notify,
Delete, Vendor ID, Traffic Selector,
Encrypted, Configuration,
Extensible Authentication Protocol
• payload has complex hierarchical
structure
• may contain multiple proposals,
with multiple protocols &
multiple transforms

IPv4 v/s IPv6
Feature | IPv4 | IPv6
Size of IP address | IPv4 is a 32-bit IP address. | IPv6 is a 128-bit IP address.
Addressing method | IPv4 is a numeric address, and its binary bits are separated by a dot (.) | IPv6 is an alphanumeric address whose binary bits are separated by a colon (:). It also contains hexadecimal.
Length of header | 20 | 40
Checksum | Has checksum fields | Does not have checksum fields
Example | 12.244.233.165 | 2001:0db8:0000:0000:0000:ff00:0042:7879
Type of addresses | Unicast, broadcast, and multicast. | Unicast, multicast, and anycast.
Number of classes | IPv4 offers five different classes of IP address: Class A to E. | IPv6 allows storing an unlimited number of IP addresses.
Security | Security is dependent on applications - IPv4 was not designed with security in mind. | IPSec (Internet Protocol Security) is built into the IPv6 protocol, usable with a proper key infrastructure.
IPSec | Internet Protocol Security (IPSec) concerning network security is optional | Internet Protocol Security (IPSec) concerning network security is mandatory
