1

r r r r
IPsec
Security in Routing
DDoS at Network Layer and IP Traceback
IPv6 Security
2

r
RFC 1636: “Security in the Internet Architecture” m Issued in 1994 by the Internet Architecture Board (IAB) m
Identifies key areas for security mechanisms
• Need to secure the network infrastructure from unauthorized monitoring and control of network traffic
• Need to secure end-user-to-end-user traffic using authentication and encryption mechanisms m IAB included authentication and encryption as necessary security features in next generation IP (IPv6)
• The IPsec specification now exists as a set of Internet standards
3

r r r
Provides capability to secure communications across a
LAN, private and public WANs, and the Internet
Examples include: m Secure branch office connectivity over the Internet m Secure remote access over the Internet m Establishing extranet and intranet connectivity with partners m Enhancing electronic commerce security
Principal feature of IPsec: can encrypt and/or authenticate all traffic at network (IP) level m So all distributed applications (remote logon, client/server, e-mail, file transfer, Web access) can be secured
4

5

r r r r r
When IPsec is implemented in firewall or router, it provides strong security applicable to all traffic crossing the perimeter m
Traffic within company/workgroup has no overhead from securityrelated processing
IPsec in firewall resists bypass if all outside traffic must use IP and the firewall is the only way Internet traffic enters organization
IPsec below the transport layer (TCP, UDP); transparent to applications m No need to change software on a user or server system when IPsec is implemented in the firewall or router
IPsec can be transparent to end users m No need to train users on security mechanisms, issue keys on a peruser basis, or revoke keys when users leave organization
IPsec can provide security for individual users if needed m Useful for offsite workers, setting up secure virtual subnetwork within an organization for sensitive applications
6

r r
IPsec can play vital role in the routing architecture required for internetworking
IPsec can assure that: m
Router advertisement comes from authorized router m Router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router m Redirect message comes from the router to which the initial IP packet was sent m Routing updates are not forged
7

Encapsulating Security
Payload (ESP)
• Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication
• The current specification is
RFC 4303, IP Encapsulating
Security Payload (ESP)
Authentication Header (AH)
• An extension header to provide message authentication
• The current specification is
RFC 4302, IP Authentication
Header
Architecture
• Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology
• Current specification is RFC
4301, Security Architecture for the Internet Protocol
Internet Key Exchange (IKE)
• A collection of documents describing the key management schemes for use with IPsec
• The main specification is RFC
5996, Internet Key Exchange
(IKEv2) Protocol, but there are a number of related RFCs
IPsec
Documents
Cryptographic algorithms
• This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions
(PRFs), and cryptographic key exchange
Other
• There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content
8

r IPsec provides network layer security services by enabling a system to: m m m
Select required security protocols
Determine the algorithm(s) to use for the service(s)
Establish crypto keys required to provide requested services
 RFC 4301 lists the following services: m m m m m m
Access control
Connectionless integrity
Data origin authentication
Reject replayed packets (form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality
9

Transport Mode
• Provides protection mostly for upper-layer protocols, e.g., TCP or
UDP segment, ICMP packet
• Typically used for end-to-end communication between two hosts
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
• AH in transport mode authenticates the IP payload and selected portions of the IP header
Tunnel Mode
• Provides protection to the entire IP packet
• Used when one or both ends of a security association (SA) are a security gateway
• Number of hosts on networks behind firewalls can securely communicate without implementing IPsec
• ESP in tunnel mode encrypts, can authenticate entire inner IP packet, including inner IP header
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of outer IP header
10

11

12

Uniquely identified by three parameters: r r
One-way logical connection between sender and receiver that affords security services to traffic carried on it
In any IP packet, the SA is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)
Security Parameters
Index (SPI)
• A 32-bit unsigned integer assigned to this SA with local significance only
Security protocol identifier
• Indicates whether the association is an AH or
ESP security association
IP Destination
Address
• Address of destination endpoint of SA, which can be an end-user system or a network system, e.g., firewall or router
13

r r Defines the parameters associated with each SA
Normally defined by the following parameters in a
SAD entry: m Security parameter index m Sequence number counter m Sequence counter overflow m Anti-replay window m AH information m ESP information m Lifetime of this security association m IPsec protocol mode m Path MTU
14

r r
The means by which IP traffic is related to specific SAs m Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic
In more complex environments, may be multiple entries that potentially relate to a one or more
SAs associated with a single SPD entry m
Each SPD entry is defined by a set of IP and upperlayer protocol field values called selectors m These are used to filter outgoing traffic in order to map it into a particular SA
15

r The following selectors determine an SPD entry:
Remote IP address
This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address
Latter two required to support more than one destination system sharing the same SA
Local IP address
This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address
Latter two required to support more than one source system sharing the same SA
Next layer protocol
Name
A user identifier from the operating system
The IP protocol header includes a field that designates the protocol operating over IP
Not a field in the
IP or upper-layer headers but is available if IPsec is running on the same operating system as the user
Local and remote ports
These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port
16

17

18

19

20

r r r
Used to encrypt the Payload Data, Padding, Pad Length, and Next
Header fields m If the algorithm requires cryptographic synchronization data then these data may be carried explicitly at the beginning of the Payload Data field
An optional ICV field is present only if the integrity service is selected and is provided by either a separate integrity algorithm or a combined mode algorithm that uses an ICV m m m
ICV is computed after the encryption is performed
This order of processing facilitates reducing the impact of DoS attacks
Because the ICV is not protected by encryption, a keyed integrity algorithm must be employed to compute the ICV
The Padding field serves several purposes: m m m
If an encryption algorithm requires the plaintext to be a multiple of some number of bytes, the Padding field is used to expand the plaintext to the required length
Used to assure alignment of Pad Length and Next Header fields
Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual length of the payload
21

22

I nternal
Network
Encrypted
TCP Session
External
Network
(a) Transport-level security
Corporate
Network
Encrypted tunnels carrying I P traffic
I nternet
Corporate
Network
Corporate
Network
Corporate
Network
(b) A virtual private network via Tunnel M ode
Figure 9.7 Transport-M ode vs. Tunnel-M ode Encryption
23

I Pv4 orig I P hdr
TCP Data
I Pv6 orig I P hdr extension headers
(if present)
TCP
(a) Before Applying ESP
Data
I Pv4 orig I P hdr
ESP hdr
TCP authenticated encrypted
Data
ESP trlr
ESP auth
I Pv6 orig I P hdr authenticated encrypted hop-by-hop, dest, routing, fragment
ESP hdr dest TCP Data
(b) Transport M ode authenticated encrypted
I Pv4
New I P hdr
ESP hdr orig I P hdr
TCP Data
ESP trlr
ESP auth
ESP trlr
ESP auth
I Pv6 new I P hdr authenticated encrypted ext headers
ESP hdr orig I P hdr ext headers
TCP Data
ESP trlr
ESP auth
(c) Tunnel M ode
Figure 9.8 Scope of ESP Encryption and Authentication
24

Application Data
TCP
I P
I Psec
TCP hdr orig I P hdr
TCP hdr orig I P hdr
ESP hdr
TCP hdr
(a) Transport mode
Data
Data
Data
ESP trlr
ESP auth
Application Data
TCP
I P
I Psec
I P
TCP hdr orig I P hdr
TCP hdr
ESP hdr orig I P hdr
TCP hdr new I P hdr
ESP hdr orig I P hdr
TCP hdr
Data
Data
(b) Tunnel mode
Figure 9.9 Protocol Operation for ESP
Data
Data
ESP trlr
ESP auth
ESP trlr
ESP auth
25

r r r
An individual SA can implement either the AH or ESP protocol but not both
Security association bundle m Refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services m The SAs in a bundle may terminate at different endpoints or at the same endpoint
May be combined into bundles in two ways:
• Refers to applying more than one security protocol to the same IP packet without invoking tunneling
• This approach allows for only one level of combination
• Refers to the application of multiple layers of security protocols effected through IP tunneling
• This approach allows for multiple levels of nesting
26

r In this approach, the first user applies ESP to the data to be protected and then appends the authentication data field
Transport mode ESP
• Authentication and encryption apply to the IP payload delivered to the host, but the IP header is not protected
Tunnel mode ESP
• Authentication applies to the entire IP packet delivered to the outer IP destination address and authentication is performed at that destination
• The entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP destination m For both cases authentication applies to the ciphertext rather than the plaintext
27

r Another way to apply authentication after encryption is to use two bundled transport SAs, with the inner being an ESP SA and the outer being an AH SA m
In this case ESP is used without its authentication option m Encryption is applied to the IP payload m
AH is then applied in transport mode m Advantage of this approach is that the authentication covers more fields m Disadvantage is the overhead of two SAs versus one
SA
28

r The use of authentication prior to encryption might be preferable for several reasons: m m
It is impossible for anyone to intercept the message and alter the authentication data without detection
It may be desirable to store the authentication information with the message at the destination for later reference r One approach is to use a bundle consisting of an inner AH transport SA and an outer ESP tunnel
SA m m
Authentication is applied to the IP payload plus the IP header
The resulting IP packet is then processed in tunnel mode by ESP
• The result is that the entire authenticated inner packet is encrypted and a new outer
IP header is added
29

Tunnel SA
One or M ore SAs
One or Two SAs
Host*
Local
I ntranet
Router
I nternet
(a) Case 1
Tunnel SA
Router
Local
I ntranet
Host* Host*
Local
I ntranet
Security
Gateway*
I nternet
(c) Case 3
Tunnel SA
Security
Gateway*
Local
I ntranet
Host*
One or Two SAs
Host
Local
I ntranet
Security
Gateway*
I nternet
(b) Case 2
Security
Gateway*
Local
I ntranet
Host
* = implements I Psec
Host*
I nternet
(d) Case 4
Figure 9.10 Basic Combinations of Security Associations
Security
Gateway*
Host*
Local
I ntranet
30

r The key management portion of IPsec involves the determination and distribution of secret keys m A typical requirement is four keys for communication between two applications
• Transmit and receive pairs for both integrity and confidentiality
The IPsec Architecture document mandates support for two types of key management:
• A system administrator manually configures each system with its own keys and with the keys of other communicating systems
• This is practical for small, relatively static environments
• Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
31

r r
The default automated key management protocol of
IPsec
Consists of: m Oakley Key Determination Protocol
• A key exchange protocol based on the Diffie-Hellman algorithm but providing added security
• Generic in that it does not dictate specific formats m Internet Security Association and Key Management Protocol
(ISAKMP)
• Provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes
• Consists of a set of message types that enable the use of a variety of key exchange algorithms
32

r Algorithm characterized by 5 important features:
1.
• It employs a mechanism known as cookies to thwart clogging attacks
2.
• It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange
3.
• It uses nonces to ensure against replay attacks
4.
• It enables the exchange of Diffie-Hellman public key values
5.
• It authenticates the Diffie-Hellman exchange to thwart man-in-themiddle-attacks
33

I nitiator
HDR, SAi1, KEi, Ni
HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {I Di, [CERT,] [CERTREQ,] [I Dr,] AUTH, SAi2, TSi, TSr}
HDR, SK {I Dr, [CERT,] AUTH, SAr2, TSi, TSr}
Responder
(a) I nitial exchanges
HDR, SK {[N], SA, Ni, [KEi], [TSi, TSr]}
HDR, SK {SA, Nr, [KEr], [TSi, TSr]}
(b) CREATE_CHI LD_SA Exchange
HDR, SK {[N,] [D,] [CP,] ...}
HDR, SK {[N,] [D,] [CP], ...}
(c) I nformational Exchange
HDR = IKE header
SAx1 = offered and chosen algorithms, DH group
KEx = Diffie-Hellman public key
Nx= nonces
CERTREQ = Certificate request
IDx = identity
CERT = certificate
SK {...} = MAC and encrypt
AUTH = Authentication
SAx2 = algorithms, parameters for IPsec SA
TSx = traffic selectors for IPsec SA
N = Notify
D = Delete
CP = Configuration
Figure 9.11 I KEv2 Exchanges
34

Bit: 0 8 16
Initiator’s Security Parameter Index (SPI)
24 31
Responder’s Security Parameter Index (SPI)
Next payload M jVer M nVer Exchangetype
M essage I D
Length
(a) I KE Header
Flags
Bit: 0 8 16
Next payload C RESERVED Payload length
(b) Generic Payload Header
31
35
Figure 9.12 I KE Formats

36

37

r r
IP security overview m m m m m m
Applications of IPsec
Benefits of IPsec
Routing applications
IPsec documents
IPsec services
Transport and tunnel modes
IP security policy m m m m
Security associations
Security association database
Security policy database
IP traffic processing m Cryptographic suites r r r
Encapsulating security payload m
ESP format m m m
Encryption and authentication algorithms
Padding anti-replay service
Transport and tunnel modes
Combining security associations m
Authentication plus confidentiality m
Basic combinations of security associations
Internet key exchange m m
Key determination protocol
Header and payload formats
38

r r r r
IPsec
Security in Routing
DDoS at Network Layer and IP Traceback
IPv6 Security
39

• The Global Internet consists of Autonomous Systems
(AS) interconnected with each other:
– Stub AS : small corporation
– Multihomed AS : large corporation (no transit)
– Transit AS : provider
• Two-level routing:
– Intra-AS: administrator is responsible for choice: RIP,
OSPF
– Inter-AS: unique standard: BGP
40

Intra-AS border (exterior gateway) routers
Inter-AS interior (gateway) routers
4: Network Layer 4b-41

r r Also known as Interior Gateway Protocols (IGP)
Most common IGPs: m RIP: Routing Information Protocol (distance vector –
Bellman-Ford algorithm) m OSPF: Open Shortest Path First (link state –
Dijkstra’s algorithm) m IGRP: Interior Gateway Routing Protocol
(Cisco proprietary) (distance vector)
4: Network Layer 4b-42

4: Network Layer 4b-43

r r
Policy:
Inter-AS: admin wants control over how its traffic routed, who routes through its net.
Intra-AS: single admin, so no policy decisions needed
Scale: r r
Hierarchical routing saves table size, reduced update traffic r
Performance :
Intra-AS: can focus on performance
Inter-AS: policy may dominate over performance
4: Network Layer 4b-44

r r
Security attacks can come from: m Misconfigured routers m IP packet handling bugs m
SNMP “common” strings m Weak passwords, poor encryption m DoS from malformed packets
However, these attacks are well-known; defense measures can defend against them
45

r r
Intra-AS Routing Attacks m
RIP Attack m OSPF Attacks
Inter-AS Routing Attacks: BGP
46

 Routing decisions based on number of hops
 Works only within a AS
 Supports only 15 hops ⟹ unsuited for large networks
 RIP v1 communicates only its own information
 Has no authentication
 Can’t carry subnet mask so applies default subnet mask
47

 Can communicate other router information
 Supports authentication up to 16-char password
 Can carry subnet information
 But authentication is provided in clear text…
48

 Identify RIP router via nmap scan: nmap –v –sU –p 520
 Determine routing table:
 If you are on same physical segment, sniff it
 Remotely: run rprobe , sniff
 Add route using srip to redirect traffic to your system
49

 Disable RIP, use OSPF: security is better
 Restrict TCP/UDP port 520 packets at border router
50

r r r r r
OSPF: dynamic link-state routing protocol
Keeps map of entire network, chooses shortest path
Update neighbors using LSAs messages
“Hello” packets generated every 10 s, sent to 224.0.0.5
Uses protocol type 89
51

r r r
Identify target: scan for proto 89
NCSU: JiNao project identified 4 OSPF attacks m Max Age attack m Sequence++ attack m Max Sequence attack m
Bogus LSA attack
Attack tool: nemiss-ospf (hard to use?)
52

r r
Do not use dynamic routing on hosts wherever not required
Implement MD5 authentication m You need to deal with key expiration, changeover and coordination across routers
53

r r r r
Allows inter-domain routing between two ASs
Guarantees loop-free exchange
Only routing protocol which works on TCP (179)
Routing information is exchanged after connection establishment
54

r r r r
Large network backbone: special attention to security
So medium size networks are easier targets
Packet injection vulnerabilities: very dangerous
If we identify BGP routers, they have similar weaknesses as TCP: m SYN flood attacks m
Sequence number prediction m DoS m Possible advertisement of bad routes
55

r r r r
IPsec
Security in Routing
DDoS at Network Layer and IP Traceback
IPv6 Security
56

r What is a DDoS attack?
r How do we defend against a DDoS attack?
57


Internet DDoS attack is real threat o On websites

Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000)
 Services were unavailable for several hours o On Internet infrastructure

13 root DNS servers (Oct, 2002)

7 were shut down, 2 others partially unavailable

Lack of defense mechanisms on current Internet
58

 Denial-of-Service (DoS) attacks: o Attempt to prevent legitimate users of a service from using it
 Examples of DoS attacks include: o Flooding a network o Disrupting connections between machines o Disrupting a service
 Distributed Denial-of-Service (DDoS) Attacks o Many machines are involved in the attack against one or more victim(s)
59

60

r r r r Internet was designed with functionality, not security, in mind
Internet security is highly interdependent
Internet resources are limited
Power of many greater than power of a few
61

 Ingress filtering o P. Ferguson and D. Senie, RFC 2267, Jan 1998 o Block packets that has illegitimate source addresses o Disadvantage : Overhead makes routing slow
 Identification of origin (Traceback problem) o IP spoofing enables attackers to hide their identity o Many IP traceback techniques are suggested
 Mitigating the effect during the attack o Pushback
62

•
• Allows victim to identify attackers’ origin
Several approaches
– ICMP trace messages
– Probabilistic Packet Marking (PPM)*
–
–
Hash-based IP traceback
…
*S. Savage, D. Weatherall, A. Karlin, and T. Anderson, “Practical
Network Support for IP Traceback”, Proc. SIGCOMM 2000.
63

r PPM scheme: m Probabilistically inscribe local path information m Use constant space in the packet header m Reconstruct attack path with high probability
64

Legitimate user
Victim
Attacker
65

legitimate user
Victim attacker
66

legitimate user attacker
Victim
67

legitimate user attacker
Victim
R
R
R
R
R
V
68

r r
Mechanism that lets a router ask adjacent upstream routers to limit the traffic rate
How it works: m A congested router asks other adjacent routers to limit the rate of traffic for that particular aggregate.
m Router sends pushback message m
Received routers propagates pushback
69

r r r r
IPsec
Security in Routing
DDoS at Network Layer and IP Traceback
IPv6 Security
70

r r r IP packets can be sniffed
IP addresses can be spoofed
IP connections can be hijacked
71

r r r
Two header extensions proposed for IPv6 security: m Authentication Header (AH): ensures authenticity and integrity of datagram m Encrypted Security Payload (ESP): contains encrypted data
Security Associations (SAs) used for senders and receivers to agree on security requirements, e.g., cipher to be used
These are very similar to respective IPsec concepts
72

r
r r r
IPsec already exists for IPv4
Problems with IPsec deployment as a general endto-end security mechanism
Deployment of IPsec (v6) has similar problems as those of IPsec (v4). So IPsec (v6) is not deployed as a general end-to-end security mechanism…
73

r r r 128-bit IP address ⟹ ~10 38 possible IP addresses
Myth: “
It is unfeasible to brute-force scan an IPv6 network for alive nodes, as the IPv6 address space is so large. Such a scan would take ages!
”
[Malone, 2008] measured IPv6 address assignement patterns
For hosts: 50% autoconf, 20% IPv4-based, 10%
Teredo (IPv6→IPv4 conversion), 8% “low-byte” r For infrastructure: 70% “low-byte”, 5% IPv4-based r Most compromised systems are hosts, which makes brute-force scanning feasible (after compromise)
D. Malone, “Observations of IPv6 Addresses,” Proc. Passive and Active Measurement
Conference (PAM), LNCS 4979, 2008.
74

r r r r r
Based on Neighbor Discovery (ND) messages in ICMPv6
Stateless autoconfiguration more powerful than IPv4 counterpart…but also provides more potential vectors for attackers to exploit
Less support in Layer 2 machines for mitigation of ND attacks
Secure Neighbor Discovery (SEND) was specified for mitigating ND security threats, employing: m m m
Cryptographically-Generated Addresses (CGAs)
RSA signatures (RSA signature option)
Certificates
Not widely supported (e.g., in Windows XP/Vista/7)
75

r r r
IPv6 is in its infancy: m Few attack tools publicly available m
Many bugs to be discovered…
IPv6 not widely supported in intrusion detection systems (yet)
Much training is needed for IPv6 networks
76

r r r r
IPsec provides network layer security (IPv4): authentication, encapsulation, crypto key setup
Routing protocols (e.g., RIP) prone to attacks
DoS attacks possible at network layer m Mitigation: ingress filtering, traceback, etc.
IPv6 may offer better security (in theory) m
In practice, attacks can still occur m Training and safeguards needed for IPv6 networks
77

r These slides are partially based on
W. Stallings, Network Security Essentials , Pearson, 2011, http://williamstallings.com/NetworkSecurity/NetSec5e-
Instructor/ (Ch. 9)
B. Rathore, “Router and Routing Protocol Attacks”, http://www.slideshare.net/vaceitunofist/router-and-routingprotocol-attacks
F. Gont, “The Truth about IPv6 Security,” FutureNet 2010, http://www.gont.com.ar/talks/futurenet2010/fgontfuturenet2010-ipv6-security.ppt
78