IKE details

advertisement
Header and Payload
Formats
The IKE Header
• Each IKE message begins with the IKE header
IKE-SA Initiator’s SPI
IKE-SA Responder’s SPI
Next
MjVer MnVer
Payload
Exchange
Type
Message ID
Length
Flags
The IKE Header
• The message begins with the IKE header
followed by one or more IKE payloads
• Payloads are processed in the order they
appear in the IKE message
The IKE Header Fields
• Initiator’s SPI¹ (8 octets) – chosen by the
Initiator to identify a unique IKE SA.
must not be zero
• Responder’s SPI (8 octets) – chosen by
the responder to identify a unique IKE SA.
must be zero in the first message of the
Initial Exchange and must not be zero in
any other message
1. SPI – Security Parameter Index
The IKE Header Fields
• Next Payload (1 octet) – indicates the type
of payload that immediately follows the
header
• Major Version (4 bits) – indicates the major
version of the IKE protocol in use.
Implementations based on version 2 must
reject (or ignore) messages containing a
version number greater than 2.
The IKE Header Fields
• Minor Version (4 octets) – indicates the
minor version of the IKE protocol in use.
• Exchange Type (1 octets) – indicates the
type of exchange being used.
This dictates the payloads sent in each
message and message orderings in the
exchanges
The IKE Header Fields
• Flags (1 octet)
– R(eserved) (bits 0-2)
– I(nitiator) (bit 3) – set when the message is
from the Original Initiator of the IKE-SA, and
cleared otherwise. Used by the recipient to
determine whether the message is a request
or a response.
– V(ersion) (bit 4) – indicates that the
transmitter is capable of speaking a higher
major version number than the one indicated
in the major version number field
– R(eserved) (bits 5-7)
The IKE Header Fields
• Message Id (4 octets) – used to control
retransmission of lost packets and
matching requests and responses
• Length (4 octets) – length of the total
message (header + payloads) in octets.
Generic Payload header
Next
Payload
C RESERVED
Payload
Length
• Each IKE payload (that will be discussed
later) begins with a generic header
• The construction and processing of the
generic payload header is identical for
each payload
Generic Payload header Fields
• Next payload (1 octet) – indicates the type of
the next payload in the message
In the last payload in the message the field is
zero
• Critical (1 bit) – indicates if the sender wants
the receiver to skip (set to 0) or to reject
(set to 1) this payload if he doesn’t understand
the payload type code.
If the recipient understands the code he should
ignore this field
Generic Payload header Fields
• RESERVED (7 bits)
• Payload Length (2 octets) – length in
octets of the current payload, including the
generic payload header
SA (Security Association) Payload
• Used to negotiate attributes of a security
association
• May contain multiple proposals
• Each proposal includes a Suite-ID which
implies one or more protocols and the
associated cryptographic algorithms
Proposal Structure
• Contains a Proposal # , a Suite-ID and the
sending entity SPI(s)
• When the SA is accepted, the SA payload
send back must contain a single proposal
and its number must match the number in
the accepted proposal
KE (Key Exchange) Payload
• Used to exchange Diffie-Hellman public
numbers as part of a DH key exchange
• The length of the DH public value must be
equal to the length of the prime modulus over
which the exponentiation was performed
(prepending zero bits if necessary)
KE (Key Exchange) Payload
• Alice sends her DH value in the
IKE_SA_INIT, so she must guess the DH
group that Bob will select from her list
• If she guesses wrong, Bob will reply with a
Notify payload indicating the selected suite
ID (Identification) payload
• Allows peers to assert an identity to one
another
• Names the identity to be authenticated
with the AUTH payload
• Assigned values for the ID Type field
contain:
ID_IPV4_ADDR, ID_IPV6_ADDR,
ID_FQDN (a fully-qualified domain name
string), ID_KEY_ID (may be used to pass
vendor-specific information) and more
CERT (Certificate) Payload
• Provides a means to transport certificates
or other certificate-related information via
IKE
• CERT payloads should be included in an
exchange if certificates are available to the
sender
• Certificate Encoding field indicates the type
of certificate contained in the Certificate
Data field.
CERTREQ (Certificate Request)
Payload
• Provides a means to request preferred
certificates via IKE
• Can appear in the first, second, or third
message of Phase 1
• CERTREQ payloads should be included
in an exchange whenever the peer may
have multiple certificates,
some of which might be trusted while
others not
CERTREQ Payload Processing
Certificate Encoding
has
Certificate Authority
has
send it
doesn’t
have
doesn’t
have
no processing
Not an error condition
of the protocol
AUTH (Authentication) Payload
• Contains data used for authentication purposes
• Auth Method field specifies the method of
authentication used: Digital Signature (1) or
Shared Key Message Integrity Code (2)
• Authentication Data field contains the results
from applying the method to the IKE state
• If the specified authentication method is not
supported or validation fails an error must be
sent and the connection closed
Nonce Payload
• Ni – Initiator’s nonce
• Nr – Responder’s nonce
• Contains random data used:
– In IKE_SA_INIT
as inputs to cryptographic functions
– In CREATE_CHILD_SA
to add freshness to the key derivation
technique used to obtain keys for CHILDSAs
• Nonce values must not be reused
N (Notify) Payload
• Used to transmit informational data: error
conditions and state transitions
• May appear in a response message
(usually specifying why a request was
rejected), or in an Informational Exchange
N (Notify) Payload Fields
• Protocol-Id (1 octet) – specifies the protocol
about which this notification is being sent.
For phase 2 will contain an IPsec protocol (AH or
ESP), in other cases must be zero
• SPI Size (1 octet)
• Notify message type (2 octets) – the type of the
notification message (next slide)
• SPI (variable length)
• Notification Data (variable length) –
informational or error data transmitted in addition
to the Notify Message Type
Notify Messages – Error Types
• UNSUPPORTED-CRITICAL-PAYLOAD
sent if the payload has the “critical” bit set
and the payload type is not recognized
• INVALID-SPI
indicates an IKE message was received
with an unrecognized destination SPI
(usually indicates that the recipient has
rebooted and forgotten the existence of an
IKE-SA)
Notify Messages – Error Types
• INVALID-SYNTAX
Indicates that the message was invalid (type,
length, or value out of range or the request was
rejected for policy reasons)
To avoid DOS attack using forged messages,
this status may only be returned for and in a
(valid) encrypted packet
• INVALID-MESSAGE-ID
sent when received a MESSAGE-ID outside the
supported window
Notify Messages – Error Types
• NO-PROPOSAL-CHOSEN
none of the proposed crypto suites was acceptable
• AUTHENTICATION-FAILED
sent in response to an IKE_AUTH message when
the authentication failed
• NO-ADDITIONAL-SAS
indicates that Phase 2 SA request is unacceptable
because the Responder is unwilling to accept any
more CHILD-SAs on this IKE-SA.
Notify Messages – Status Types
• INITIAL-CONTACT
asserts that this IKE-SA is the only IKE-SA
currently active between the authenticated
identities
• SET-WINDOW-SIZE
sends the size of the window
D (Delete) Payload
• ESP and AH SAs always exist in pairs
• To delete an SA, an Informational
Exchange with one or more Delete
Payloads is sent, listing the SPIs of the
SAs to be deleted
• May be deletion of IKE-SA or of a
CHILD-SA
Vendor ID Payload
• Contains a vendor defined constant
• the constant is used by vendors to identify
and recognize remote instances of their
implementations
• allows a vendor to experiment with new
features, while maintaining backwards
compatibility
TS (Traffic Selector) Payload
• Allows endpoints to communicate some of
the information from their SPD to their
peers
• 2 TS payloads appear in each of the
messages in the exchange that creates
the CHILD-SA pair
• Each traffic selector consists of an
address range, a port range and a
protocol ID
Encrypted Payload
• Contains other payloads in encrypted form
• Must be the last payload in message
often it is the only payload in a message
CP (Configuration Payload)
• Used to exchange configuration
information between IKE peers
Some more …
Rekeying
• SAs should be used for a limited time and
protect limited amount of data
• Rekeying means reestablishment of SAs to take
place of ones which expire
• Done to IKE-SA and CHILD-SA
• An IKE-SA created inherits all of the original IKESA’s CHILD-SAs
• The new SA should be established before the
old one expires and becomes unusable
Error Handling
• Errors that occur before a
cryptographically protected IKE-SA is
established must be handled very carefully
because it can be a part of a DOS attack
based on forged messages
• The frequency of liveliness tests for
IKE-SA should be limited to avoid being
tricked into participating in a Denial Of
Service attack
Download