290 likes | 480 Views
Internet Security 1 ( IntSi1 ). 13 Virtual Private Networks. Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA). Communication layers. Security protocols. Application layer. ssh , S/MIME, PGP, Kerberos , WSS. Transport layer. TLS, [SSL].
E N D
Internet Security 1 (IntSi1) 13 Virtual Private Networks Prof. Dr. Andreas SteffenInstitute for Internet Technologies andApplications (ITA)
Communication layers Security protocols Application layer ssh, S/MIME, PGP, Kerberos, WSS Transport layer TLS, [SSL] Network layer IPsec Data Link layer [PPTP, L2TP], IEEE 802.1X,IEEE 802.1AE, IEEE 802.11i (WPA2) Physical layer Quantum Communications Layer 2 versus Layer 3 versus Layer 4
Internet Security 1 (IntSi1) 13.1 Point-to-Point Protocol(PPP)
Public Switched Telephone Network Private Network Remote Client Remote Access Server IP, IPX Payload PSTN (POTS / ISDN) IP, IPX Payload PPP–based Remote Access using Dial–In • Authentication using PAP (password), CHAP (challenge/response), or the Extensible Authentication Protocol (EAP) supporting e.g. token cards • Optional PPP packet encryption (ECP) using preshared secrets • Individual PPP packets are not authenticated • The Link Control Protocol (LCP), as well as EAP and ECP are not protected !! PPP Encapsulation PPP
0x8053 Code ID Length ECP Options (algorithm, IV) 0x0053 Seq. Nr Ciphertext The PPP Encryption Control Protocol (ECP) • The Encryption Control Protocol (ECP, RFC 1968) uses the same packet exchange mechanism as the Link Control Protocol (LCP, RFC 1661). • ECP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase and should wait for an optional Authentication phase. • Exactly one ECP packet is encapsulated in the PPP Information field,where the PPP Protocol field indicates type 0x8053. • An encrypted packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x0053 (Encrypted datagram). • Compression may also be negotiated using the Compression Control Protocol (CCP, RFC 1962). • ECP implementations should use the PPP Triple-DES Encryption Protocol (3DESE, RFC 2420). DES-EDE3-CBC with a 168 bit key is used.
0xC227 Code ID Length Type Data The PPP Extensible Authentication Protocol (EAP) • Some of the authentication types supported by EAP (RFC 2284): 1 Identity 4 MD5-Challenge 5 One-Time Password (OTP, RFC 2289) 6 Generic Token Card 9 RSA Public Key Authentication 13EAP-TLS (RFC 2716, supported by Windows XP) 15 RSA Security SecurID EAP 17EAP-Cisco Wireless 18 Nokia IP smart card authentication 23 UMTS Authentication and Key Argreement 24EAP-3Com Wireless 25 PEAP (Protected EAP, supported by Windows XP) 29EAP-MSCHAP-V2 (supported by Windows XP) 35EAP-Actiontec Wireless 36 Cogent Systems Biometrics Authentication EAP
Internet Security 1 (IntSi1) 13.2 Layer 2/3/4 VPNs
Compulsory Mode PSTN Private Network InternetIP ISP NAS Remote Client Network Access Server IP, IPX Payload PPP over PSTN Layer 2 PPP IP, IPX Payload PSTN L2TP PPP IP, IPX Payload L2TPTunnel LAC L2TP PPP IP, IPX Payload LNS UDP Port 1701 over IP Layer 3 IP UDP Layer 2 Tunneling Protocol (L2TP)
PSTN Private Network InternetIP ISP NAS Remote Client Network Access Server IP, IPX Payload Layer 2 Connection (Wire) L2TPTunnel LAC L2TP PPP IP, IPX Payload LNS L2TP PPP IP, IPX Payload IP UDP UDP Port 1701 over IP PSTN L2TP PPP IP, IPX Payload PPP over PSTN PPP IP UDP Layer 2 Tunneling Protocol (L2TP)Voluntary Mode
PSTN Private Network InternetIP ISP VPN Client VPN Gateway IP Payload IPsec Tunnel IP ESP IP Payload PSTN PPP IP ESP IP Payload Layer 3 Tunnel based on IPSec
PSTN Private Network InternetIP ISP NAS Remote Client Network Access Server IP, IPX Payload Layer 2 Connection (Wire) L2TPTunnel LAC L2TP PPP IP, IPX Payload LNS IPSecTransport Mode IP ESP UDP L2TP PPP IP, IPX Payload PPP over PSTN PPP IP ESP UDP L2TP PPP IP, IPX Payload L2TP overIPsec(RFC 3193) – Voluntary Mode
PSTN Private Network InternetIP SSL/TLSBrowser with Plugin ISP SSL/TLS Proxy Server IP Payload SSL/TLSTunnel IP TCP* SSL IP Payload PSTN PPP IP TCP* SSL IP Payload Layer 4 Tunnel based on SSL/TLS *OpenVPN uses SSL over UDP
Layer 2/3/4 VPNs – Pros and Cons • Layer 2 – L2TP • Same login procedure as PPP (preshared secrets, RADIUS, etc.) • Same auxiliary information as with PPP (virtual IP, DNS/WINS servers) • No strong security without IPsec, LCP can be cheated into establishing no encryption. Non-authenticated L2TP packets prone to replay attacks. • Layer 3 – IPSec • Cryptographically strong encryption and authentication of VPN tunnel • Can negotiate and enforce complex VPN access control policies • XAUTH and IKEv2-EAP authentication offer PPP-like features • Does not allow the tunneling of non-IP protocols (IPX, etc.) • Complex connection setup, PKI management overhead • Layer 4 - TLS • Clientless and simple: Internet Browser plus Java Applets or Plugin. • Cryptographically strong encryption and authentication of VPN tunnel • Access to certain applications need special plugin (still clientless?)
Internet Security 1 (IntSi1) 13.3 Multi-Protocol LabelSwitching (MPLS)
E3 E1 L A IP L A IP User A L 1 L A IP L 5 L A IP User A L 3 L A IP N1 N3 L 4 L B IP User B User B L 2 L B IP L 6 L B IP E4 E2 L B IP L B IP MPLS based Virtual Private Networks IP-Network of a Service Provider
4 Bytes Time to Live, 8 Bits Bottom of Stack, 1 Bit Class of Service, 3 Bits 20 Bits MPLS Layer 2 Shim Header (RFC 3032) Label CoS B TTL
Internet Security 1 (IntSi1) 13.4 IPsec Transport Mode
Internet IP connection 160.85.128.3 194.230.203.86 IPsec – Transport Mode secure • IP datagrams should be authenticated • IP datagrams should be encrypted and authenticated
Before applying AH OriginalIP Header TCPHeader Data IPv4 After applying AH OriginalIP Header AHHeader TCPHeader Data IPv4 authenticated except for mutable fields IPsec – Transport ModeIP Authentication Header (AH) • IP protocol number for AH: 51 • Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum AH: RFC 4302
Before applying ESP OriginalIP Header TCPHeader Data IPv4 After applying ESP OriginalIP Header ESPHeader TCPHeader Data ESPTrailer ESPAuth IPv4 encrypted authenticated IPsec – Transport ModeIP Encapsulating Security Payload (ESP) • IP protocol number for ESP: 50 • ESP authentication is optional • With ESP authentication the IP header is not protected. ESP: RFC 4303
Internet Security (IntSi1) 13.5 IPsec Tunnel Mode
Internet 10.1.0.2 10.2.0.2 194.230.203.86 Subnet10.1.0.0/16 Subnet10.2.0.0/16 secure IP tunnel 10.1.0.1 10.2.0.1 SecurityGateway SecurityGateway 160.85.180.0 10.1.0.3 10.2.0.3 IPsec – Tunnel ModeVirtual Private Network (VPN)
Before applying ESP OriginalIP Header TCPHeader Data IPv4 After applying ESP OuterIP Header ESPHeader OriginalIP Header TCPHeader Data ESPTrailer ESPAuth IPv4 encrypted authenticated IPsec Tunnel Mode using ESP • IP protocolnumberfor ESP: 50 • ESP authenticationis optional butoftenused in place of AH • Original IP Headerisencrypted and thereforehidden Encapsulating SecurityPayload (ESP): RFC 4303
0 1 2 3 4 bytes Security Parameters Index (SPI) authenticated Anti-Replay Sequence Number Payload Data (variable, including IV) After applying ESP encrypted Padding (0-255 bytes) Pad Length Next Header Authentication Data (variable) ESP Header (Initial Header / Payload / Trailer)
IPsec Tunnel Mode CBC Packet Overhead Outer IP Header 20 20 20 20 20 20 20 20 20 20 20 SPI / Seq. Number 8 8 8 8 8 8 8 8 8 8 8 3DES_CBC IV 8 8 8 8 8 8 AES_CBC IV 16 16 16 16 16 16 3DES_CBC maxPad 7 7 7 7 7 7 AES_CBC maxPad 15 15 15 15 15 15 Pad Len / Next Header 2 2 2 2 2 2 2 2 2 2 2 HMAC_SHA1_96 12 12 12 AES_XCBC_96 12 12 12 HMAC_SHA2_256_128 16 16 16 HMAC_SHA2_384_192 24 24 24 HMAC_SHA2_512_256 32 32 32 Best Case Overhead 50 50 54 62 70 58 58 62 70 78 Worst Case Overhead 57 57 61 69 77 73 73 77 85 93 Bytes
Authenticated Encryption with Associated Data (AEAD) • AEAD isbased on specialblock ciphermodes: • Block size: 128 bits • Key size: 128/256 bits • Tag size : 128/96/64 bits • Noncesize: 96 bits32 bits 64 bits 32 bits • Recommended AEAD Modes: AES-Galois/CounterModeAES-GMAC (auth. only) • Alternative AEAD Modes:AES-CCMCAMELLIA-GCMCAMELLIA-CCM Salt IV 2 Salt IV 0 Salt IV 1 Key K Key K Salt IV Counter HashSubkey Derivation 0………………..0 Key K HashSubkey H
IPsec Tunnel Mode AEAD Packet Overhead Outer IP Header 20 20 20 Additional Authenticated Data: 20 SPI / Seq. Number 8 8 8 8 0 1 2 3 AES_GCM IV 8 8 8 8 Security Parameter Index AES_CNT maxPad 3 3 3 3 SequenceNumber Pad Len / Next Header 2 2 2 2 or AES_GCM_64 Tag 8 8 AES_GCM_96 Tag 12 12 0 1 2 3 AES_GCM_128 Tag 16 16 Security Parameter Index Best Case Overhead 46 50 54 ExtendedSequenceNumber Worst Case Overhead 49 53 57 Bytes
Before applying AH OriginalIP Header TCPHeader Data IPv4 After applying AH OuterIP Header AH Header OriginalIP Header TCPHeader Data IPv4 authenticated IPsec Tunnel Mode using AH • IP protocol number for AH: 51 • Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum • ESP can be encapsulated in AH Authentication Header(AH): RFC 4302