10-2020-Ipsec and Macsec

IN3210/4210 Network and Communications Security
IP security (IPsec) and Media Access Control security (MACsec)
Nils Nordbotten, October 2020

Slide 2: Security may be provided at different layers in the network stack

  OSI model              TCP/IP model  Security protocol
  7: Application layer   Application   …..
  6: Presentation layer  Application
  5: Session layer       Application
  4: Transport layer     TCP/UDP       (D)TLS
  3: Network layer       IP            IPsec
  2: Data link layer     Link          MACsec & RSN
  1: Physical layer      Link

Slide 3: IPsec vs. MACsec

  Supports                                        MACsec           IPsec
  Confidentiality                                 Yes              Yes
  Connectionless integrity                        Yes              Yes
  Access control                                  To network only  Yes (policy)
  Traffic flow confidentiality                    Normally not     Yes (limited) / depends
  Replay protection                               Yes              Yes
  Transparent to applications                     Yes              Yes
  Works across (layer 3) routers                  No               Yes
  Protection of link layer protocols (e.g., ARP)  Yes              No

  Figure from: Cisco, «Innovations in Ethernet Encryption (802.1AE - MACsec) for Securing High Speed (1-100GE) WAN Deployments White Paper», 2019

Slide 4: Media Access Control (MAC) security – MACsec
● Specified in ANSI/IEEE 802.1AE (2006)
  - Using GCM-AES-128
● Several amendments and related specifications
  - Including support for GCM-AES-256 in 802.1AEbn (2011)
● Supported by numerous switches and network interface cards, and from 2016 also in the Linux kernel (4.6 and above)

Slide 5: MACsec adds the SecTAG and Integrity Check Value (ICV) fields to the Ethernet frame, and provides optional encryption

  Dest adr. | Src. adr. | SecTAG | Ethertype | Headers | Payload | ICV
  Optionally encrypted: Ethertype, Headers, Payload
  Integrity protected: everything preceding the ICV

  Sender → Receiver: Secure Channel (with SC Identifier)
    Secure Association (with SA number): Key(s), Packet number
  A secure channel is unidirectional and point-to-(multi)point

Slide 6: MACsec use case: host-to-host (switch is not MACsec aware)
  Figure from: S. Dubroca, «MACsec: a different solution to encrypt network traffic», 2016 (https://developers.redhat.com/blog/2016/10/14/macsec-a-different-solution-to-encrypt-network-traffic/)

Slide 7: MACsec use case: host-to-switch (MACsec capable switch)
  Figure from: S. Dubroca, «MACsec: a different solution to encrypt network traffic», 2016 (https://developers.redhat.com/blog/2016/10/14/macsec-a-different-solution-to-encrypt-network-traffic/)

Slide 8: MACsec use case – high speed WANs
  Figure: Cisco, “Innovations in Ethernet Encryption (802.1AE - MACsec) for Securing High Speed (1-100GE) WAN Deployments White Paper” (https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/white-paper-c11-737544.html)

Slide 9: IP security (IPsec)
May refer to RFC 4301 “Security Architecture for the Internet Protocol” (and the other RFCs identified on slide 16) for additional information
  - https://tools.ietf.org/html/rfc4301

Slide 10: IPsec provides authentication, confidentiality, and key management
● Applied at the IP (network) layer, i.e., to IP packets
● Applicable for use over (W)LANs, the Internet, WANs, etc.
● Applicable with both IPv4 and IPv6
  - Support for IPsec was originally mandatory for IPv6 compliance, but IPsec support is now only recommended
● Can be used with multicast, but we only consider unicast traffic in this lecture

Slide 11: IPsec can be used to provide security between both hosts and networks, transparent to higher layers
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 12: IPsec advantages
● An IPsec gateway can provide strong and non-bypassable security applied to all traffic crossing the perimeter
● Is transparent to applications as it resides at the network layer
● Can be transparent to end users
● Can provide security for individual users (e.g., off-site)
● Can be used to secure routing protocols
● Protects the transport layer protocols

Slide 13: IPsec security services at the IP layer
● Access control
● Connectionless integrity
● Data origin authentication
● Rejection of replayed packets
● Confidentiality
● Limited traffic flow confidentiality

Slide 14: Main IPsec protocols
Encapsulating Security Payload (ESP)
  - Extension header and trailer providing encryption and optionally also authentication of the payload
Authentication Header (AH)
  - Extension header providing message authentication of the payload and immutable header fields
  - Use of ESP is favored over AH, which is less widely supported
Internet Key Exchange
  - The Internet Key Exchange (IKEv2) protocol is used to establish IPsec Security Associations (SAs) with associated keys etc.

Slide 15:
“At one final IETF meeting before AH and ESP were finalized, someone from Microsoft got up and gave an impassioned speech about how AH was useless given the existence of ESP, cluttered up the spec, and couldn’t be implemented efficiently (because of the MAC in the front of the data). Our impression of what happened next was that everyone in the room looked around at each other and said, “Hmm. He’s right, and we hate AH also, but if it annoys Microsoft let’s leave it in, since we hate Microsoft more than we hate AH.”
  Network Security – Private Communication in a Public World, 2002

Slide 16: IPsec and Internet Key Exchange (IKE) documentation interrelationship (RFC 6071, IPsec and IKE Document Roadmap)

  Architecture (RFC 4301)
    ESP (RFC 4303)          AH (RFC 4302)
    Encryption algorithm    Combined algorithm    Authentication algorithm
    IKE protocol (RFC 5996)
  Numerous cryptographic algorithms are defined

Slide 17: Both AH and ESP support two modes: Transport and Tunnel mode
Tunnel mode (typically used for gateway-to-gateway/host security, VPN):
  - ESP: Protects the entire inner IP packet (including header), but not the outer IP header
  - AH: Authenticates the entire inner IP packet (including header), and selected parts of the outer IP header (including selected IPv6 extension headers)
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 18: Both AH and ESP support two modes: Transport and Tunnel mode
Transport mode (typically used for end-to-end security):
  - ESP: Protects the IP payload, but not the IP header (except IPv6 extension headers following the ESP header)
  - AH: Authenticates the IP payload and selected parts of the IP header (including selected IPv6 extension headers)
  - Less overhead than tunnel mode, but does not provide traffic flow confidentiality
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 19: Transport mode vs. Tunnel mode (ESP)
  (It is assumed in the figure that TCP is used; the green colour identifies the fields from the layer above)
  [Figure: transport mode and tunnel mode packet layouts]
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 20: A Security Association (SA) is a one-way logical connection
Consists of various parameters, e.g.:
  - Security Parameters Index (SPI): 32-bit identifier selected by the receiver
  - IP destination address
  - Security protocol identifier: AH or ESP
  - Sequence number counter (64/32-bit)
  - Sequence number overflow: flag indicating whether counter wraparound is allowed
  - Anti-replay window
  - AH/ESP information: algorithms, keys, key lifetimes, and related information (e.g., ESP initialization values)
  - Lifetime of the security association
  - IPsec protocol mode: tunnel, transport or wildcard
  - Path MTU
The SAs are contained in the Security Association Database

Slide 21: The Security Policy Database (SPD) is used to control whether and how IPsec is applied to different traffic, and what traffic to block/discard (the rules are processed in order)

  Protocol  Local IP   Port  Remote IP   Port  Action                          Comment
  UDP       1.2.3.101  500   *           500   BYPASS                          IKE
  ICMP      1.2.3.101  *     *           *     BYPASS                          Error messages
  *         1.2.3.101  *     1.2.3.0/24  *     PROTECT: ESP in transport mode  Encrypt intranet traffic
  TCP       1.2.3.101  *     1.2.4.10    80    PROTECT: ESP in transport mode  Encrypt to server
  TCP       1.2.3.101  *     1.2.4.10    443   BYPASS                          TLS: avoid double encryption
  *         1.2.3.101  *     1.2.4.0/24  *     DISCARD                         Others in DMZ
  *         1.2.3.101  *     *           *     BYPASS                          Internet

Slide 22: Outbound packet processing
Use selectors to match traffic to an SA (selectors may include source address, destination address, source port, destination port, upper layer protocol, name)
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 23: Inbound packet processing
Use the SPI (possibly in combination with the protocol type) to look up the SA
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 24: Encapsulating Security Payload (ESP) can provide message content confidentiality, data origin authentication, connectionless integrity, anti-replay and (in tunnel mode) limited traffic-flow confidentiality (depending on the options selected in the SA)
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 25: Transport mode ESP
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 26: Tunnel mode ESP
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 27: Anti-replay service based on sequence numbers
The same anti-replay mechanism is also used in DTLS
  Figure from W. Stallings, Network Security Essentials: Applications and Standards

Slide 28: Combining security associations
● Transport adjacency: Applying more than one security protocol/association to the same IP packet without using tunneling (i.e., using both ESP and AH between two hosts)
● Iterated tunneling: Applying multiple layers of security protocols through tunneling (where each tunnel can originate and terminate at different nodes on the path). A transport adjacent SA bundle may again
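
As an added example for the frame layout on slide 5 (this is not code from the lecture or from any MACsec implementation), the following Python splits a MACsec frame into its SecTAG fields, secure data and ICV, and shows which bytes the ICV authenticates and which may be encrypted. The TCI/AN bit positions, the SL rule and the 16-octet ICV size are taken from IEEE 802.1AE; the sample frame, its addresses, SCI and all-zero ICV are constructed here and no cryptographic verification is performed.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType that introduces the SecTAG
ICV_LEN = 16                # GCM-AES-128 and GCM-AES-256 both produce a 16-octet ICV

def parse_macsec_frame(frame):
    """Split a MACsec frame into DA/SA, SecTAG fields, secure data and ICV (no crypto here).
    TCI/AN bit layout and the SL rule follow IEEE 802.1AE; the ICV is returned unverified."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    etype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if etype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % etype)
    tag = {
        "da": frame[0:6].hex(":"), "sa": frame[6:12].hex(":"),
        "version": tci_an >> 7,
        "end_station": bool(tci_an & 0x40),
        "sci_present": bool(tci_an & 0x20),
        "scb": bool(tci_an & 0x10),
        "encrypted": bool(tci_an & 0x08),     # E bit: secure data is ciphertext
        "changed_text": bool(tci_an & 0x04),  # C bit: secure data differs from user data
        "an": tci_an & 0x03,                  # Association Number: which SA of the channel
        "short_length": sl & 0x3F,            # nonzero only when user data < 48 octets
        "pn": pn,                             # Packet Number: the per-SA replay counter
    }
    off = 20
    if tag["sci_present"]:
        tag["sci"] = frame[off:off + 8].hex()  # Secure Channel Identifier: MAC address + port
        off += 8
    # With SL set, any padding sits after the ICV, so SL locates the ICV; otherwise the
    # secure data is at least 48 octets and the ICV is simply the last 16 octets.
    end = off + tag["short_length"] if tag["short_length"] else len(frame) - ICV_LEN
    if len(frame) < end + ICV_LEN:
        raise ValueError("frame truncated before ICV")
    tag["sectag_len"] = off - 12
    tag["secure_data"] = frame[off:end]
    tag["icv"] = frame[end:end + ICV_LEN]
    tag["integrity_protected"] = frame[:end]  # DA, SA, SecTAG and secure data are all under the ICV
    return tag

def build_sample_frame(encrypted=False, user_data=b"x" * 60):
    """Constructed sample frame (not captured traffic): SCI present, AN=1, PN=7, dummy zero ICV."""
    tci_an = 0x20 | (0x0C if encrypted else 0x00) | 0x01   # SC=1, E/C as requested, AN=1
    sl = len(user_data) if len(user_data) < 48 else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, 7) + bytes.fromhex("0011223344550001")
    return bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + sectag + user_data + bytes(ICV_LEN)
```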
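
The ordered SPD on slide 21 and the selector matching of slide 22, as an added Python example written here (not the lecture's own code and not a particular IPsec stack): the table is encoded rule by rule, first match wins, and the tests show how swapping two rules changes the decision for port 443. The Packet record and the default-discard line are this example's choices; the discard of unmatched packets is what RFC 4301 specifies, the rule values come from the slide.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str                  # "TCP", "UDP", "ICMP", ...
    local_ip: str
    local_port: Optional[int]   # None for protocols without ports (ICMP)
    remote_ip: str
    remote_port: Optional[int]

# The SPD from the slide: (protocol, local IP, local port, remote IP, remote port, action, comment).
# "*" is a wildcard; an IP selector is a single address or a CIDR prefix.
SPD = [
    ("UDP",  "1.2.3.101", 500, "*",          500, "BYPASS",      "IKE"),
    ("ICMP", "1.2.3.101", "*", "*",          "*", "BYPASS",      "Error messages"),
    ("*",    "1.2.3.101", "*", "1.2.3.0/24", "*", "PROTECT:ESP", "Encrypt intranet traffic (transport mode)"),
    ("TCP",  "1.2.3.101", "*", "1.2.4.10",   80,  "PROTECT:ESP", "Encrypt to server (transport mode)"),
    ("TCP",  "1.2.3.101", "*", "1.2.4.10",   443, "BYPASS",      "TLS: avoid double encryption"),
    ("*",    "1.2.3.101", "*", "1.2.4.0/24", "*", "DISCARD",     "Others in DMZ"),
    ("*",    "1.2.3.101", "*", "*",          "*", "BYPASS",      "Internet"),
]

def _ip_match(selector, ip):
    return selector == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)

def _match(selector, value):
    return selector == "*" or selector == value

def spd_lookup(pkt, spd=SPD):
    """Return (action, comment) of the first entry whose selectors match the packet.
    Entries are ordered, so the first match wins; a packet matching no entry is
    discarded, as RFC 4301 requires."""
    for proto, lip, lport, rip, rport, action, comment in spd:
        if (_match(proto, pkt.proto) and _ip_match(lip, pkt.local_ip) and _match(lport, pkt.local_port)
                and _ip_match(rip, pkt.remote_ip) and _match(rport, pkt.remote_port)):
            return action, comment
    return "DISCARD", "no matching SPD entry"

def actions_for(packets, spd=SPD):
    """The action decided for each packet, in order (handy for checking a policy)."""
    return [spd_lookup(p, spd)[0] for p in packets]
```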
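
The sliding-window anti-replay check of slide 27, as an added example written here (not from the lecture and not the code of a particular IPsec or DTLS stack): a receiver keeps the highest sequence number accepted and a bitmap of the window below it, rejects numbers left of the window or already seen, and advances the window only for packets whose ICV has verified. The window size of 64 and the separation into check() and accept() are this example's choices.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over per-SA sequence numbers, as used by ESP/AH
    (and by DTLS). `size` is the window width in packets; 64 is a common default."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far (0: nothing yet)
        self.bitmap = 0       # bit i set <=> sequence number (highest - i) was accepted

    def check(self, seq):
        """Is `seq` acceptable? Pure check: state changes only after ICV verification,
        otherwise an unauthenticated packet with a large number could slide the window."""
        if seq == 0:
            return False                                   # first packet on an SA is number 1
        if seq > self.highest:
            return True                                    # right of the window: new
        if seq + self.size <= self.highest:
            return False                                   # left of the window: too old
        return not (self.bitmap >> (self.highest - seq)) & 1   # inside: reject duplicates

    def accept(self, seq):
        """Record `seq` after its ICV verified. Returns False (changing nothing) if the
        packet is a replay or too old, so the caller drops it."""
        if not self.check(seq):
            return False
        if seq > self.highest:
            shift = seq - self.highest                     # advance window; old bits fall off
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)       # mark an out-of-order arrival
        return True

def replay_filter(seqs, size=64):
    """Feed packet numbers in arrival order (ICV assumed good) and return accept/drop per packet."""
    win = AntiReplayWindow(size)
    return [win.accept(s) for s in seqs]
```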
