  • A very good introduction to IPSec, with a detailed explanation of the roles of the two IKE negotiation phases

    IPSec Introduction

    IPSec Overview

    IP Security (IPSec) refers to a series of protocols defined by the IETF to provide high-quality, interoperable, cryptography-based security for IP packets. By means of facilities including encryption and data origin authentication, it delivers these security services at the IP layer:

    • Confidentiality: The sender encrypts the packets before transmitting them over the Internet.

    • Data integrity: The receiver verifies the packets received from the sender to ensure they were not tampered with during transmission.

    • Data origin authentication: The receiver verifies that the sender is legitimate.

    • Anti-replay: The receiver examines the packets and rejects outdated or repeated packets.

    Moreover, the Internet Key Exchange (IKE) protocol provides automatic key negotiation and security association (SA) setup and maintenance services to simplify the use and management of IPSec. IPSec policies and algorithms can also be configured manually, in which case IKE negotiation is not necessary.

    Operation of IPSec

    IPSec provides security services through the following two protocols:

    • Authentication Header (AH), protocol 51: AH provides data origin authentication, data integrity, and anti-replay services. It supports Message Digest (MD5) and Secure Hash Algorithm (SHA-1). AH is inserted behind the IP header to ensure data integrity and authenticity, preventing attackers from intercepting packets or inserting forged packets.

    • Encapsulating Security Payload (ESP), protocol 50: Unlike AH, ESP encrypts user data before encapsulating it into IP packets to protect data confidentiality. ESP supports encryption algorithms including DES, 3DES, and AES. As an option, you can use the MD5 and SHA-1 algorithms to protect data integrity and authenticity.

    AH and ESP can be employed independently or in combination. When the device combines AH and ESP, a packet is encapsulated first by ESP and then by AH, so the resulting packet consists of the original IP message, ESP header, AH header, and outer IP header (from the innermost layer outward).

    Basic Concepts of IPSec

    I. Security association

    IPSec provides secure communication between two ends, which are called IPSec peers.

    Security association (SA) is fundamental to IPSec. An SA is a combination of communication parameters such as the protocol(s) (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), encryption algorithm (DES, 3DES, or AES), shared key used to protect specific flows, and key lifetime.

    An SA is unidirectional. Therefore, at least two SAs are needed to protect data flows in a bidirectional communication. Moreover, if both AH and ESP are used to protect data flows between peers, each peer will construct an independent SA for each protocol.

    An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination IP address, and security protocol (AH or ESP).

    An SPI is a 32-bit number generated to uniquely identify an SA. It is transmitted in the AH/ESP header. A manually configured SA requires the SPI to be specified manually, while an IKE-created SA has an SPI generated at random.
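
    The triplet lookup described above, as an added example that is not part of the original article: it reads the protocol number, destination address, SPI and sequence number from a received IPv4 packet and uses the triplet as the key into an SA table. The SA table, its entry names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_ESP, PROTO_AH = 50, 51   # IP protocol numbers given in the text

def sa_selector(packet: bytes):
    """Return ((spi, dst, proto), seq) for an IPv4 AH/ESP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    body = packet[ihl:]
    if proto == PROTO_ESP and len(body) >= 8:
        # ESP header starts with SPI (32 bits) and sequence number (32 bits)
        spi, seq = struct.unpack("!II", body[:8])
    elif proto == PROTO_AH and len(body) >= 12:
        # AH: next header, payload length, reserved (4 bytes), then SPI and sequence
        spi, seq = struct.unpack("!II", body[4:12])
    else:
        return None
    return (spi, dst, proto), seq

def build_ipv4(proto, src, dst, payload):
    """Constructed sample packet: minimal IPv4 header, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

# Hypothetical inbound SA database keyed by (SPI, destination address, protocol).
# The same SPI value can appear twice because the protocol is part of the key.
SAD = {
    (0x1000, "192.0.2.1", PROTO_ESP): "esp-sa-inbound",
    (0x1000, "192.0.2.1", PROTO_AH): "ah-sa-inbound",
}

def lookup_sa(packet: bytes):
    """Map a received packet to its SA name, or None if no SA matches."""
    selector = sa_selector(packet)
    return SAD.get(selector[0]) if selector else None

# Constructed sample packets (payload and ICV bytes are zero filler)
ESP_PKT = build_ipv4(PROTO_ESP, "198.51.100.7", "192.0.2.1",
                     struct.pack("!II", 0x1000, 7) + bytes(16))
AH_PKT = build_ipv4(PROTO_AH, "198.51.100.7", "192.0.2.1",
                    struct.pack("!BBHII", 6, 4, 0, 0x1000, 7) + bytes(12))
```

    A packet that matches no entry (unknown SPI, different destination, or a header too short to parse) has no SA and is not processed further.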

    SA lifetime applies to only SAs set up through IKE negotiation and comes in two types:

    • Time-based lifetime: Defines the duration of an SA, that is, the period after an SA is created and before it becomes invalid.

    • Traffic-based lifetime: Defines the maximum traffic that an SA is allowed to process.

    An SA becomes invalid when its lifetime expires. Before an SA becomes invalid, IKE will negotiate to set up a new SA and, once created, the new SA takes over the responsibility immediately.

    II. Encapsulation modes

    IPSec can work in the following two modes:

    • Tunnel mode: The whole IP packet is used to calculate the AH/ESP header, which will be encapsulated into a new IP packet together with the ESP-encrypted data. Generally, tunnel mode is used for communication between two security gateways.

    • Transport mode: Only the transport layer data is used to calculate the AH/ESP header, which will be put after the original IP header and before the ESP-encrypted data. Generally, transport mode is used for communication between two hosts or between a host and a security gateway.

    Figure 1 illustrates how data is encapsulated by different security protocols in tunnel and transport modes. Here, the term data refers to the transport layer data.

    Figure 1 Encapsulation by security protocols in different modes

    III. Authentication algorithms and encryption algorithms

    1) Authentication algorithms

    Authentication algorithms are implemented through hash functions. A hash function takes a message of arbitrary length and generates a message digest of fixed length. Each IPSec peer calculates the message digest itself. If the resulting digests are identical, the packet is considered intact and not tampered with.

    There are two types of IPSec authentication algorithms:

    • MD5: Takes a message of arbitrary length and generates a 128-bit message digest.

    • SHA-1: Takes a message shorter than 2^64 bits and generates a 160-bit message digest.

    MD5 is faster than SHA-1, yet SHA-1 provides higher security than MD5.

    2) Encryption algorithms

    Most encryption algorithms depend on symmetric key systems, which decrypt data with the same key that was used for encryption. Currently, three encryption algorithms are available for IPSec on the device:

    • DES: Data Encryption Standard, encrypts a 64-bit block of plain text with a 56-bit key.

    • 3DES: Triple DES, encrypts plain text with three 56-bit DES keys, which total 168 bits.

    • AES: Advanced Encryption Standard, encrypts plain text with a 128-bit, 192-bit, or 256-bit key.

    AES, 3DES, and DES are in descending order in terms of security. Higher security means more complex implementation and lower speed. DES is enough to meet general requirements.

    IV. Negotiation modes

    There are two negotiation modes for setting up an SA:

    • Manual mode: This mode requires that all information that an SA needs to operate be configured manually. In this mode, the configuration is relatively complex and some advanced features such as periodic key update are not supported. However, this mode implements IPSec independently of IKE.

    • IKE negotiation mode (ISAKMP): In this mode, the configuration is much easier because SAs can be set up and maintained through IKE negotiation as long as the information for IKE negotiation is configured properly.

    Manual mode applies to scenarios with a small number of peer devices and few changes. For medium- to large-sized environments, IKE negotiation mode is recommended.

    V. IPSec tunnel

    An IPSec tunnel is a bidirectional channel created between two peers. An IPSec tunnel consists of one or more sets of SAs.

    Encryption Card

    IPSec can be implemented either in software or on an encryption card. When implemented in software, the encryption/decryption and authentication algorithms consume large amounts of CPU resources because of their complexity, degrading the overall operating efficiency of the device. With an encryption card, the complicated algorithms run in hardware, which improves the processing efficiency of the device.

    With an encryption card, a device sends data that is IPSec-protected or is to be IPSec-protected to the encryption card, which processes the data and then sends it back to the device for forwarding.

    Protocols and Standards

    These protocols and standards are relevant to IPSec:

    • RFC2401: Security Architecture for the Internet Protocol

    • RFC2402: IP Authentication Header

    • RFC2406: IP Encapsulating Security Payload

    IKE Overview

    Built on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPSec, simplifying the application, management, configuration and maintenance of IPSec dramatically.

    Instead of transmitting keys directly across a network, IKE calculates shared keys after exchanging a series of data. This prevents a third party from working out the keys even if it has captured all the exchanged data used to calculate them.

    Security Mechanism of IKE

    IKE has a series of self-protection mechanisms and supports secure identity authentication, key distribution, and IPSec SA establishment on unsecured networks.

    I. Data authentication

    Data authentication involves two concepts:

    • Identity authentication: Mutual identity authentication between peers. Two authentication methods are available: pre-shared key authentication and PKI-based digital signature authentication (RSA signature).

    • Identity protection: Protecting identity information by using the generated keys to encrypt it before transmitting.

    II. DH

    The Diffie-Hellman (DH) algorithm is a public key algorithm. With this algorithm, two peers can exchange some data and then use the data to calculate the shared keys, rather than transmitting the keys directly. Because of the computational complexity involved, a third party cannot work out the keys even after intercepting all the exchanged data.

    III. PFS

    The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. It guarantees that the compromise of one key has no impact on the security of other keys (because the keys are not derived from one another). For IPSec, PFS is implemented by adding an additional key exchange in IKE negotiation phase 2.
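
    The DH and PFS passages above, as one added example that is not part of the original article: it derives phase 2 keying material with and without the additional DH exchange, using the quick-mode formula from RFC 2409. The 127-bit toy group, the choice of HMAC-SHA1 as the prf and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): 2**127 - 1 is prime but far too
# small for real use, and IKE negotiates one of its standard DH groups instead.
P, G = 2**127 - 1, 3

def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def dh_shared(private, peer_public):
    """Both peers reach the same g^xy without ever sending it."""
    return pow(peer_public, private, P).to_bytes(16, "big")

def keymat(skeyid_d, proto, spi, ni, nr, dh_secret=b""):
    """Phase 2 keying material in the shape RFC 2409 uses for quick mode:
    prf(SKEYID_d, [g^xy |] protocol | SPI | Ni | Nr), with HMAC-SHA1 as the prf."""
    data = dh_secret + bytes([proto]) + spi.to_bytes(4, "big") + ni + nr
    return hmac.new(skeyid_d, data, hashlib.sha1).digest()

def pfs_demo():
    # Constructed phase 1 output and phase 2 nonces
    skeyid_d = secrets.token_bytes(20)
    ni, nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), 0x1000

    # Without PFS: every input is either SKEYID_d or a value sent in the exchange
    key_no_pfs = keymat(skeyid_d, 50, spi, ni, nr)

    # With PFS: an additional DH exchange in phase 2 contributes g^xy
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    secret_i, secret_r = dh_shared(xi, pub_r), dh_shared(xr, pub_i)
    key_pfs = keymat(skeyid_d, 50, spi, ni, nr, secret_i)

    # What SKEYID_d plus the exchanged values (nonces, SPI) determine on their own
    from_phase1_only = keymat(skeyid_d, 50, spi, ni, nr)
    return {
        "peers_agree": secret_i == secret_r,
        "responder_derives_same_pfs_key":
            keymat(skeyid_d, 50, spi, ni, nr, secret_r) == key_pfs,
        "no_pfs_key_follows_from_phase1": from_phase1_only == key_no_pfs,
        "pfs_key_follows_from_phase1": from_phase1_only == key_pfs,
    }
```

    Without PFS, every IPSec SA key under one ISAKMP SA hangs off the same phase 1 secret; with PFS, each key also depends on a DH secret that exists only for that exchange.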

    Operation of IKE

    IKE negotiates keys and establishes SAs for IPSec in two phases:

    1) Phase 1: The two peers establish an ISAKMP SA (a secure, authenticated channel for communication). In this phase, two modes are available: main mode and aggressive mode.

    2) Phase 2: Using the ISAKMP SA established in phase 1, the two peers negotiate to establish IPSec SAs.

    Figure 2 IKE exchange process

    As shown in Figure 2, the main mode of IKE negotiation in phase 1 involves three pairs of messages:

    • SA exchange, used for negotiating the security policy.

    • Key exchange, used for exchanging the Diffie-Hellman public value and other values such as the random number. Key data is generated in this stage.

    • ID information and authentication data exchange, used for identity authentication and authentication of the whole SA exchange.

    The main difference between main mode and aggressive mode is that aggressive mode does not provide identity protection and exchanges only the above three messages. Because aggressive mode exchanges less information and negotiates faster, it is better suited to scenarios where the requirement for identity protection is lower. For scenarios with a higher requirement for identity protection, main mode is recommended.

    Functions of IKE

    • IKE automatically negotiates IPSec parameters such as the keys, greatly reducing the complexity of manual configuration.

    • IKE always uses DH when establishing an SA, ensuring that each SA has a key unrelated to any other key.

    • IPSec uses the sequence number, a 32-bit value in an IP header, for anti-replay. If the value overflows, a new SA needs to be established for anti-replay, and this procedure requires IKE.

    • IKE allows for end-to-end dynamic authentication.

    • Identity authentication and management of peers influence IPSec deployment. A large-scale IPSec deployment needs a certificate authority (CA) or another institution that manages identity data centrally.
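
    The anti-replay service and the sequence number overflow mentioned in the list above, as an added example that is not part of the original article: a sender counter that refuses to wrap and a receiver-side sliding window that rejects repeated and outdated packets. The 64-packet window size, the class names and the arrival order are assumptions made for illustration.

```python
SEQ_MAX = 0xFFFFFFFF   # largest value of the 32-bit sequence number

class RekeyRequired(Exception):
    """The sender's counter is exhausted; a new SA must be negotiated."""

class SenderCounter:
    """Outbound side: one counter per SA, never allowed to wrap."""
    def __init__(self, start=0):
        self.seq = start

    def next_seq(self):
        if self.seq >= SEQ_MAX:
            raise RekeyRequired("sequence number space exhausted")
        self.seq += 1
        return self.seq

class ReplayWindow:
    """Inbound side: sliding window over recently seen sequence numbers."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means (top - i) was already accepted

    def check(self, seq):
        """Call only after the packet has passed its integrity check."""
        if not 1 <= seq <= SEQ_MAX:
            return "reject: invalid"
        if seq > self.top:                       # newer than anything seen
            shift = seq - self.top
            if shift >= self.size:               # whole window is stale
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "reject: outdated"            # fell off the left edge
        if self.bitmap & (1 << offset):
            return "reject: repeated"
        self.bitmap |= 1 << offset               # late but new: mark as seen
        return "accept"

def replay_demo():
    """Run a constructed arrival order through a 64-packet window."""
    window = ReplayWindow(size=64)
    return [(seq, window.check(seq)) for seq in [1, 2, 3, 2, 5, 70, 5, 7, 6]]
```

    Updating the window before the integrity check would let forged packets advance it and push genuine traffic out, which is why the check comes first.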

    Relationship Between IKE and IPSec

    Figure 3 Relationship between IKE and IPSec

    Relationship between IKE and IPSec:

    • IKE is an application layer protocol using UDP and functions as the signaling protocol of IPSec.

    • IKE negotiates SAs for IPSec and delivers negotiated parameters and generated keys to IPSec.

    IPSec uses the SAs set up through IKE negotiation for encryption and/or authentication of IP packets.

  • Original article: https://www.cnblogs.com/jjkv3/p/1571367.html