
CERBERUS

CERBERUS: An IPsec Reference Implementation. Rob Glenn, Rob.Glenn@nist.gov. IPsec & IKE: IPsec is defined by the following sets of specifications: Security Architecture For IP; Authentication Header Protocol (AH); Encapsulated Security Protocol (ESP); Internet Key Exchange (IKE); Algorithms.


Presentation Transcript


  1. CERBERUS: An IPsec Reference Implementation
     Rob Glenn, Rob.Glenn@nist.gov

  2. IPsec & IKE
     • IPsec is defined by the following sets of specifications:
        • Security Architecture For IP
        • Authentication Header Protocol (AH)
        • Encapsulated Security Protocol (ESP)
        • Internet Key Exchange (IKE)
        • Algorithms
     NIST/ITL/ANTD

  3. Security Architecture For IP
     • “…to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6”.
     • Offers access control, connectionless integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality.
     • Provides host-to-host, router-to-router, and host-to-router security services.
     • Independent of any particular algorithms.
     • Secure communication between two systems is defined by Security Associations (SAs).

  4. Security Architecture For IP (continued)
     • SAs are indexed by the triple (Security Parameter Index (SPI), Destination Address, Protocol).
     • Security is provided by two encapsulation protocols, ESP & AH.
     • SAs can be set up manually or dynamically through the use of IKE.
     • SA bundles allow for multiple encapsulations between systems.
     • Some pre-defined IP functions are affected by ESP & AH (e.g. PMTU, ICMP, Fragmentation).
     • Encapsulations can be within an IP-IP tunnel.

  5. AH
     • “…provides connectionless integrity, data origin authentication, and an optional anti-replay service.”
     • Provides access control through the distribution of secret cryptographic keying material.
     • For outbound packets, a cryptographic checksum over the entire IP packet is computed and included.
     • For inbound packets, the cryptographic checksum is computed and compared.
     • Anti-replay is provided by including and verifying a 32-bit sequence number.

  6. AH Packet Format
     [Figure: AH packet layout. Fields labelled in the figure: IP Header; Next Header; Payload Len; Reserved; Security Parameters Index (SPI); Sequence Number Field; Authentication Data (variable); Transport Data (TCP, UDP, IP-IP).]

  7. ESP
     • MAY provide confidentiality, limited traffic flow confidentiality, connectionless integrity, data origin authentication, and an anti-replay service.
     • “One or more of these services must be applied whenever ESP is invoked.”
     • Provides access control through the distribution of secret cryptographic keying material.
     • Confidentiality is provided by encrypting outbound packets and decrypting inbound packets.

  8. ESP (continued)
     • Integrity and authentication are provided in a very similar manner to AH (excludes the IP header when computing the cryptographic checksum).
     • Traffic flow confidentiality is provided by concealing the IP addresses, and including extra padding to conceal the message length.
     • Anti-replay is provided by including and verifying a 32-bit sequence number.

  9. ESP Packet Format
     [Figure: ESP packet layout. Fields labelled in the figure: IP Header; Security Parameters Index (SPI); Sequence Number Field; Payload Data (variable) (Initialization Vector, Transport Data); Padding (0-255 bytes); Pad Len; Next Header; Authentication Data (variable). Two spans are marked "Auth. Coverage" and "Confid. Coverage".]

  10. IKE
     • A scalable, automated SA management protocol to facilitate the use of the anti-replay features of AH and ESP, and to accommodate the on-demand creation of SAs.
     • Combines the ISAKMP framework (which is independent of key exchanges) with a particular key exchange algorithm to provide authentication, key exchange, and SA management.
     • SAs are established as part of a two-phase exchange of messages.
     • In Phase I the two IKE peers use a Diffie-Hellman exchange to establish a secure authenticated channel with which to communicate.

  11. IKE (continued)
     • In Phase II the secure channel from Phase I is used to negotiate and exchange SA parameters.
     • Allows for perfect forward secrecy by performing Phase I with each Phase II.
     • Uses either digital signatures, public keys, or pre-shared secret keys for authentication.

  12. Algorithms
     • IPsec is independent of the cryptographic algorithms used to secure traffic.
     • IPsec algorithm specifications remove some of the variable aspects of particular algorithms to assist with interoperability.
     • Specifications re-iterate aspects of particular algorithms to emphasize issues that pertain to interoperability and the correctness of the implementation.

  13. Cerberus
     • Cerberus has been developed to assist developers, researchers, and potential users in better understanding this new technology.
     • Interoperability testing tool.
     • Connecting home and corporate offices.

  14. Cerberus Software Architecture
     [Figure: block diagram. Labels in the figure: Applications; Manual SADB Interface; IKE; Linux Netlink Sockets; Linux Kernel; SADB; SADB Management; IPsec Input; IPsec Output; IPv4; IPv6; TCP; UDP; MSS/PMTU; Transforms and Algorithms; TCP/IP Data Flow; IPsec Calls.]

  15. SADB
     • Made up of 3 databases: a system policy database, an inbound SA database, and an outbound SA database.
     • The policy database is a simple table that allows IPsec to determine how to use the information in the SADB (or lack thereof) to process IP packets. This is specified as levels such that:
        • 0 - All traffic must be IPsec traffic (ESP or AH)
        • 1 - Null SAs can be used
        • 2 - Traffic in the clear (i.e. no SA present) is allowed

  16. SADB (continued)
     • SAs are stored in two sorted chained hash tables as a single piece of data with two sets of pointers.
     • SADB is organized for both unidirectional SAs and bi-directional SAs.
     • The fields that make up an SA entry are as follows:
        • Destination Address, Prefix Length, Local SPI, Peer Address, Peer SPI, Linked SPI, Linked Protocol, Sequence Number, Replay Window Bitmap, Last Sequence Number Received, Flags: <M, C, T>, Protocol: (ESP, AH, NULL_SA)

  17. SADB (continued)
     • For ESP protocol:
        • Crypto Algorithm Identifier, Ivec Length, Outbound Key, Inbound Key, Auth Algorithm Identifier, Outbound Key, Inbound Key, Auth Data Length
     • For AH protocol:
        • Auth Algorithm Identifier, Outbound Key, Inbound Key, Auth Data Length

  18. SADB Management Routines
     • SADB management routines receive requests through a Linux Netlink socket in the form of an SADB message:
        • SADBM_ADD
        • SADBM_DELETE
        • SADBM_GET
        • SADBM_FLUSH

  19. User Interface
     • A command line interface (sadb) originally based on the BSD route command.
     • Allows systems administrators to manually manage SAs.
     • Reads SA arguments from the command line, performs simple syntax checking, and sends a completed SADBM message via a Netlink socket to the Linux kernel.
     • For SADBM_GET messages, sadb waits for incoming SADBM messages and processes them until an end-of-message message is received.

  20. Inbound IPsec Processing
     • Inbound IPsec processing proceeds in the following steps:
        • If not encapsulated, check policy.
        • Verify the correctness of the protocol information.
        • Look up the SA using the source address in the packet (matched to peer address), SPI, and protocol.
        • Check the sequence number.
        • For ESP, look up the authentication transform, verify the authentication data, look up the crypto transform, decrypt the packet.

  21. Inbound IPsec Processing (continued)
        • For AH, look up the authentication transform, verify the authentication data.
        • Build non-encapsulated packet.
        • Remove tunnel.
        • Return the IP packet to IP for forwarding or sinking.
     • All failures are logged.
     • Inbound processing is recursive.
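
The "check the sequence number" step of inbound processing, sketched as an added example (not Cerberus source code). It assumes a 32-packet window held in one 32-bit bitmap; the struct and function names are hypothetical, and only the two SA fields named in the slides (Replay Window Bitmap, Last Sequence Number Received) are modelled.

```c
#include <stdint.h>

#define REPLAY_WINDOW 32u   /* assumed window size: one 32-bit bitmap */

/* Hypothetical subset of an inbound SA entry (names are this example's). */
struct sa_replay {
    uint32_t last_seq;   /* "Last Sequence Number Received" */
    uint32_t bitmap;     /* "Replay Window Bitmap"; bit 0 = last_seq */
};

/* Step 1, before authentication: 1 = plausible, 0 = replayed or too old. */
int replay_check(const struct sa_replay *sa, uint32_t seq)
{
    if (seq == 0)
        return 0;                              /* first valid number is 1 */
    if (seq > sa->last_seq)
        return 1;                              /* ahead of the window */
    uint32_t diff = sa->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return 0;                              /* fell off the left edge */
    return (sa->bitmap & (1u << diff)) == 0;   /* 0 if already seen */
}

/* Step 2, only after the authentication data verified: record seq.
 * Must be called only for a seq that passed replay_check(). */
void replay_update(struct sa_replay *sa, uint32_t seq)
{
    if (seq > sa->last_seq) {
        uint32_t shift = seq - sa->last_seq;
        sa->bitmap = (shift >= REPLAY_WINDOW) ? 0 : sa->bitmap << shift;
        sa->bitmap |= 1u;
        sa->last_seq = seq;
    } else {
        sa->bitmap |= 1u << (sa->last_seq - seq);
    }
}

/* Constructed driver: icv_ok stands in for the result of verifying the
 * authentication data with the SA's authentication transform. */
int replay_accept(struct sa_replay *sa, uint32_t seq, int icv_ok)
{
    if (!replay_check(sa, seq) || !icv_ok)
        return 0;
    replay_update(sa, seq);
    return 1;
}
```

Updating the window only after the authentication data verifies keeps a forged packet with a large sequence number from sliding the window past legitimate traffic.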

  22. Outbound IPsec Processing
     • Outbound IPsec processing proceeds in the following steps. All IP packets go through IPsec processing.
        • Look up the SA based on the destination address.
        • If no SA is found, check policy and either return the packet to IP for further processing or drop the packet and log a failure.
        • Check the sequence number for wrapping.
        • Prepare for tunnel if specified in SA.
        • For ESP, look up the crypto transform, encrypt the packet, look up the authentication transform, compute the authentication data.

  23. Outbound IPsec Processing (continued)
        • For AH, look up the authentication transform, compute the authentication data.
        • Return the IP packet to IP for forwarding.
     • All failures are logged.
     • Outbound processing is recursive.
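
The first outbound steps (SA lookup by destination, policy check when no SA exists, sequence-number wrap check), sketched as an added example that is not Cerberus source code. All names are hypothetical. It assumes the policy levels are cumulative, that a NULL_SA entry means "pass unprotected", that lookup is longest-prefix match over a flat array (the slides describe hash tables), and that prefix lengths are at most 32.

```c
#include <stdint.h>
#include <stddef.h>

enum sa_proto { PROTO_NULL_SA, PROTO_AH, PROTO_ESP };
enum verdict  { SEND_CLEAR, SEND_PROTECTED, DROP_AND_LOG };

/* Hypothetical subset of an outbound SA entry. */
struct out_sa {
    uint32_t dst;         /* Destination Address, host byte order */
    uint8_t  prefix_len;  /* Prefix Length, 0..32 */
    enum sa_proto proto;
    uint32_t seq;         /* last Sequence Number sent */
};

static int dst_matches(const struct out_sa *sa, uint32_t dst)
{
    uint32_t mask = sa->prefix_len ? ~0u << (32 - sa->prefix_len) : 0;
    return (dst & mask) == (sa->dst & mask);
}

/* Most specific SA covering dst, or NULL when none exists. */
struct out_sa *sa_lookup(struct out_sa *tab, size_t n, uint32_t dst)
{
    struct out_sa *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (dst_matches(&tab[i], dst) &&
            (!best || tab[i].prefix_len > best->prefix_len))
            best = &tab[i];
    return best;
}

/* policy is the level from the policy database: 0, 1 or 2. */
enum verdict outbound_decide(struct out_sa *tab, size_t n, int policy,
                             uint32_t dst)
{
    struct out_sa *sa = sa_lookup(tab, n, dst);
    if (!sa)                           /* level 2: clear traffic allowed */
        return policy >= 2 ? SEND_CLEAR : DROP_AND_LOG;
    if (sa->proto == PROTO_NULL_SA)    /* level 1: null SAs can be used */
        return policy >= 1 ? SEND_CLEAR : DROP_AND_LOG;
    if (sa->seq == UINT32_MAX)         /* next number would wrap: refuse */
        return DROP_AND_LOG;
    sa->seq++;                         /* number carried in the AH/ESP header */
    return SEND_PROTECTED;
}
```

Refusing to send once the counter is exhausted forces a new SA instead of reusing sequence numbers the receiver's replay window has already seen.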

  24. Transforms & Crypto Routines
     • Most of the specified algorithms have been included:
        • DES/CBC, 3DES/CBC, IDEA/CBC, RC5/CBC, Blowfish/CBC, HMAC-SHA1-96, HMAC-MD5-96, ESP-NULL, Auth-Test, Crypto-Test
     • The transform object is made up of a name, ID, input function, output function, add function, and delete function.
     • Transforms are stored in a small hash table indexed by algorithm identifiers.
     • Transforms can be compiled and run as complete and separate Linux run-time modules.

  25. TCP & IP Interface
     • IP<->IPsec hooks.
     • ip_build_xmit heavily modified.
     • TCP was modified to allow for the extra bytes added to the IP packet, which have to be accounted for in the PMTU and MSS calculations.

  26. Future Work
     • Better way to handle TCP MSS calculations.
     • Tune performance by tying SAs to routing table.
     • Better way to handle the ip_build_xmit problem.
     • Additional policy support.
     • IKE reference implementation
     • Session/port specific SAs.
     • Compression (IPPCP)
     • Port to IPv6
     • PKIX client support for IKE authentication
     • Mobile IPsec

  27. Additional Information
     • IETF IPsec WG Charter, RFCs, and Internet Drafts:
        • http://www.ietf.org/html.charters/ipsec-charter.html
     • Cerberus
        • http://www.antd.nist.gov/cerberus/
     • NIST IP Security Project
        • http://www.antd.nist.gov/antd/html/security.html
     • NIST Internetworking Technologies Group
        • http://www.antd.nist.gov/html/itg.html
