15. IPsec and VPN

IP security: framework for ensuring secure communications over IP networks; similar security services as TLS, but running at a lower level of the protocol stack.

VPNs: extending a private network across a public network.

IP Layer Security

TLS runs at the transport layer; IPsec runs at the network layer. Hence, it allows protection for any higher levels, including TCP and UDP.

Provides encryption, authentication and key management algorithms.

Standardized in 2005 with RFC 4301-4305; commonly used to provide VPNs.

Security services:

• Confidentiality: encryption to protect against unauthorized data disclosure
• Integrity: MACs to determine if data has been modified in transit
• Limited traffic analysis protection: difficult to know which parties are communicating, how often, or how much
  • Possible by concealing IP datagram details (e.g. source/destination addresses)
• Message reply protection: data not delivered multiple times or badly out-of-order
• Peer authentication: each endpoint confirms its identity with the other IPsec endpoint

Architectures

Gateway-to-Gateway Architecture:

• Secure communication between two networks
• Protects only data between the two gateways

Host-to-Gateway Architecture:

• For secure remote access (e.g. VPN gateway) - allowing access to resources on secured networks from insecure networks
• Each remote access user establishes a connection to the gateway

Host-to-Host Architecture:

• Most secure but also most costly; typically used for special purpose needs e.g. remote management of a single server
• Provides end-to-end protection for data
• All user systems and servers need to have VPN software installed/configured; resource intensive to implement
• Key management through a manual process

Protocols

Encapsulating security payload (ESP): provides confidentiality, authentication, integrity and reply protection.

Authentication header (AH) (depreciated): authentication, integrity and reply protection, but NOT confidentiality.

Internet key exchange (IKE): negotiation, creation and management of session keys in security associations (SAs).

IPsec Connection Setup

With the IKEv2 protocol (RFC 7296, 2014):

• Diffie-Hellman protocol authenticated with X.509 certificates
• Includes cookies to mitigate DDOS attacks
  • Provides proof of reachability before expensive cryptographic operations are run
  • When server under load, server responds to initial respond with stateless cookie; cookie whose value can be derived from the initial request without storing responder-side state
    • Client must repeat the request, but this time with the stateless cookie
  • Proof of work: pre-image for a partial hash value (find message whose hash is less than a given value)
    • Reduces the number of negotiations an attacker can initiate

Security Associations (SA)

Runs after connection setup allows keys to be established.

SAs contain information needed to support an IPsec connection.

It may include:

• Cryptographic keys and algorithms
• Key lifetimes
• Security parameter index (SPI)
• Security protocol identifier (ESP/AH)

SAs tells the endpoint how it should process inbound IPsec packets and/or generate outbound packets.

SAs are unidirectional: there is one SA for each direction.

Cryptographic Suites

Cryptographic suites in IPsec are:

• Similar to TLS cipher suites
• Allow specific groups for Diffie-Hellman (both finite field and symmetric key)
• 3DES and AES for encryption in CBC or GCM mode
  • HMAC or CMAC used for integrity if GCM mode not used

Modes of Operation

ESH and AH can run in two different modes:

• Transport mode:
  • Maintain the IP header of the original packet
  • Only protects the payload
  • Generally used in host-to-host architecture
• Tunnel mode
  • Encapsulates the entire packet in another packet
  • Generally used in gateway-to-gateway or host-to-gateway architectures

Transport Mode ESP

ESP components:

• Header: SPI identifying the SA and sequence numbers
• Trailer: padding, length, and possibly extra padding for enhanced traffic flow confidentiality
• Auth: MAC of encrypted data and ESP header (not required if authenticated-encryption mode used)

----------------------------------------------------------
| IP header | ESP header | Data | ESP trailer | ESP Auth |
-------------------------|--------------------|-----------
                         |     encrypted      |
            |         authenticated           |

Outbound packet processing:

• Original IP data and ESP trailer encrypted with symmetric cipher
  • Padding added in ESP trailer
  • If SA using authentication service, MAC calculated for ESP header, data and ESP trailer, and appended to the end of the packet (ESP auth)
    • i.e. encrypt-then-MAC
• IP header updated
  • Protocol field updated to ESP
  • Total length field updated
  • Checksums recalculated

Tunnel Mode ESP

--------------------------------------------------------------------------
| New IP header | ESP header | IP header | Data | ESP trailer | ESP Auth |
--------------------------------------------------------------|-----------
                             |           encrypted            |
                |                authenticated                |

Outbound packet processing:

• Entire packet, along with ESP trailer, encrypted
• If authentication service being used by SA, MAC calculated for ESP header + encrypted section and appended to the end (ESP auth)
  • i.e. encrypt-then-MAC
• New outer IP header prepended
  • Inner packet contains ultimate source/destination address
  • Destination address of outer packet may be different (e.g. may be to a security gateway)
  • Set to an ESP protocol packet

Security

• Active attacks exist only for the encryption-only mode of ESP; encryption without integrity known to be insecure
• Attacks due to MAC-then-encrypt configuration
  • AH: encryption after MAC
  • ESP: encryption before MAC

Virtual Private Networks

Secure channel over insecure connection.

Types:

• Branch office interconnect (intranet VPN)
• Supplier/business partner access (extranet VPN)
• Remote access

Internet VPN: Branch Office Interconnect

Enterprise | Firewall | Internet | Firewall | Branch |
                    <---- VPN ----->

• VPN tunnel between router/firewalls of main company and branch office
  • AH to authenticate data from tunnel endpoints
  • ESP to encrypt data over the internet
• Only routers/firewalls need to support IPsec; transparent to clients

Extranet VPN: Supplier Network

Enterprise | Firewall | Internet | Firewall | Supplier Clients |
                    <---------- VPN --------->

• Supplier may not be part of the enterprise
• VPN extended to operate between router/firewall of main company and individual parts/clients of the supplier TODO

Remote Access

ISPs can provide VPN services across the un-trusted internet.