IPSec - AH.ppt

8/12/2019 IPSec - AH.ppt

1/22

IP Security (IPSec)Authentication Header (AH)

Dr Milan Markovi

UNIVERZITET APEIRON

Fakultet poslovne informatike


2/22

Introduction This presentation examines the IPsec framework and

its three main components: Authentication Header (AH),

Encapsulating Security Payload (ESP), and

Internet Key Exchange (IKE).

IPsec adds integrity checking, authentication,encryption and replay protection to IP packets. It isused for end-to-end security and also for creatingsecure tunnels between gateways.

IPsec was designed for interoperability. Whencorrectly implemented, it does not affect networksand hosts that do not support it.

IPsec is independent of the current cryptographicalgorithms; it can accommodate new ones as they

become available.


3/22

Introduction It works both with IPv4 and IPv6. In fact, IPsec is

a mandatory component of IPv6.

IPsec uses state-of-the-art cryptographicalgorithms.

The specific implementation of an algorithm foruse by an IPsec protocol is often called atransform.

For example, the DES algorithm used by ESP is

called the ESP DES-CBC transform. The transforms, like the protocols, are published

in the RFCs.

Two major IPsec concepts should be clarified:

Security Associations and tunneling.


4/22

Security Associations (SA) An SA is a unidirectional (simplex) logical connection

between two IPsec systems, uniquely identified by thefollowing triple:

The definition of the members is as follows: Security parameter index (SPI) This is a 32-bit value used to

identify different SAs with the same destination address andsecurity protocol. The SPI is carried in the header of the security

protocol (AH or ESP). The SPI has only local significance, asdefined by the creator of the SA. SPI values in the range 1 to 255are reserved by the Internet Assigned Numbers Authority(IANA). Generally, the SPI is selected by the destination systemduring SA establishment.

IP destination address This address can be a unicast, broadcast,or multicast IP address. However, currently SA managementmechanisms are defined only for unicast addresses.

Security protocol This can be either AH or ESP.


5/22

Security Associations (SA) An SA can be in either of two modes, transport or tunnel,

depending on the mode of the protocol in that SA. SAs are simplex, hence, for bidirectional communication

between two IPsec systems, there must be two SAs defined, onein each direction.

A single SA gives security services to the traffic carried by it

either by using AH or ESP, but not both. In other words, for a connection that should be protected by both

AH and ESP, two SAs must be defined for each direction.

In this case, the set of SAs that define the connection is referredto as an SA bundle.

The SAs in the bundle do not have to terminate at the sameendpoint.

For example, a mobile host could use an AH SA between itselfand a firewall and a nested ESP SA that extends to a host behindthe firewall.


6/22

Security Associations (SA) An IPsec implementation maintains two databases related to SAs:

Security Policy Database (SPD) The Security Policy Database

specifies what security services are to be offered to the IP traffic,depending on factors such as source, destination, whether it isinbound, outbound, etc. It contains an ordered list of policyentries, separate for inbound and outbound traffic. These entriesmight specify that some traffic must bypass the IPsec processing,some must be discarded, and the rest must be processed by the

IPsec module. Entries in this database are similar to firewall rulesor packet filters.

Security Association Database (SAD) The Security AssociationDatabase contains parameter information about each SA, such asAH or ESP algorithms and keys, sequence numbers, protocol

mode and SA lifetime. For outbound processing, an SPD entrypoints to an entry in the SAD. That is, the SPD determines whichSA is to be used for a given packet. For inbound processing, theSAD is consulted to determine how the packet must be processed.

The user interface of an IPsec implementation usually hides or

presents these databases in a more friendly way.


7/22

Tunneling

Tunneling or encapsulation is a common technique inpacket-switched networks.

It consists of wrapping a packet in a new one. That is,a new header is attached to the original packet.

The entire original packet becomes the payload of thenew one.


8/22

Tunneling In general, tunneling is used to carry traffic of one protocol over a

network that does not support that protocol directly. For example,NetBIOS or IPX can be encapsulated in IP to carry it over aTCP/IP WAN link.

In the case of IPsec, IP is tunneled through IP for a slightlydifferent purpose: To provide total protection, including the

header of the encapsulated packet. If the encapsulated packet isencrypted, an intruder cannot figure out, for example, thedestination address of that packet. (Without tunneling, he or shecould.) The internal structure of a private network can beconcealed in this way.

Tunneling requires intermediate processing of the original packetwhile en-route. The destination specified in the outer header,usually an IPsec firewall or router, receives the tunneled packet,extracts the original packet, and sends it to the ultimatedestination. The processing overhead is compensated by the extrasecurity.


9/22

Tunneling A notable advantage of IP tunneling is the possibility

to exchange packets with private IP addressesbetween two intranets over the public Internet,which requires globally unique addresses.

Since the encapsulated header is not processed bythe Internet routers, only the endpoints of the tunnel(the gateways) need to have globally assignedaddresses; the hosts in the intranets behind them can

be assigned private addresses (for example,10.x.x.x).

As globally unique IP addresses are becoming ascarce resource, this interconnection method gainsimportance.


10/22

Authentication Header (AH) AH is used to provide integrity and authentication to IP datagrams.

Replay protection is also possible. Although its usage is optional,the replay protection service must be implemented by any IPsec-compliant system.

The services are connectionless, that is they work on a per-packetbasis.

AH is used in two modes, transport mode and tunnel mode.

AH authenticates as much of the IP datagram as possible. Intransport mode some fields in the IP header change en-route andtheir value cannot be predicted by the receiver. These fields arecalled mutable and are not protected by AH. The mutable IPv4 fields are:

Type of service (TOS)

Flags

Fragment offset

Time to live (TTL)

Header checksum

When protection of these fields is required, tunneling should be

used.


11/22

Authentication Header (AH) The payload of the IP packet is considered immutable and is

always protected by AH.

AH is identified by protocol number 51, assigned by the IANA. AH processing is applied only to non-fragmented IP packets.

However, an IP packet with AH applied can be fragmented byintermediate routers. In this case, the destination first reassemblesthe packet and then applies AH processing to it.

If an IP packet that appears to be a fragment (offset field is non-zero, or the More Fragments bit is set) is input to AH processing,it is discarded.

This prevents the so-called overlapping fragment attack, whichmisuses the fragment reassembly algorithm in order to create

forged packets and force them through a firewall. Packets that fail authentication are discarded and never delivered

to upper layers.

This mode of operation greatly reduces the chances of successfuldenial of service attacks, which aim to block the communication

of a host or gateway by flooding it with bogus packets.


12/22

AH Header format


13/22

AH Header format The fields are as follows:

Next header The next header t is an 8-bit field that identifies

the type of what follows. The value of this field is chosen from

the set of IP protocol numbers defined in the most recent

Assigned Numbers RFC from the IANA. In other words, the IP

header protocol field is set to 51, and the value which would

have gone in the protocol field goes in the AH next header field.

Payload length This field is 8 bits long and contains the length

of the AH header expressed in 32-bit words, minus 2. It does

not relate to the actual payload length of the IP packet as a

whole. If default options are used, the value is 4 (three 32-bitfixed words plus three 32-bit words of authentication data

minus two).

Reserved This field is reserved for future use. Its length is 16

bits and it is set to zero.


14/22

AH Header format Security parameter index (SPI) This field is 32 bits in length. See

Security parameter index (SPI) This is a 32-bitvalue used to identify

different SAs with the same destination address and security protocol. TheSPI is carried in the header of the security protocol (AH or ESP).

Generally, the SPI is selected by the destination system during SA

establishment.

Sequence number This 32-bit field is a monotonically increasing counter,

which is used for replay protection. Replay protection is optional; however,this field is mandatory. The sender always includes this field and it is at the

discretion of the receiver to process it or not. At the establishment of an SA,

the sequence number is initialized to zero. The first packet transmitted

using the SA has a sequence number of 1. Sequence numbers are not

allowed to repeat. Thus the maximum number of IP packets that can betransmitted on any given SA is 232-1. After the highest sequence number is

used, a new SA and consequently a new key is established. Anti-replay is

enabled at the sender by default. If upon SA establishment the receiver

chooses not to use it, the sender need not be concerned with the value in

this field anymore. Typically, the anti-replay mechanism is not used with

manual key management.


15/22

AH Header format Authentication data This is a variable-length field containing

the Integrity Check Value (ICV), and is padded to 32 bits for

IPv4 or 64 bits for IPv6. The ICV for each packet is calculated

with the algorithm selected at SA initialization. As its name

implies, it is used by the receiver to verify the integrity of the

incoming packet. In theory, any MAC algorithm can be used tocalculate the ICV. The specification requires that HMAC-

MD5-96 and HMAC-SHA-1-96 must be supported. The old

RFC 1826 requires Keyed MD5. In practice, Keyed SHA-1 is

also used. Implementations usually support two to four

algorithms. When doing the ICV calculation, the mutable

fields are considered to be filled with zero.


16/22

Keyed MD5 and Keyed SHA-1


17/22

HMAC-MD5-96 and HMAC-SHA1-96


18/22

AH in Transport Mode


19/22

AH in Tunnel Mode


20/22

AH in Transport and Tunnel Modes AH in transport mode In this mode, the authentication header is

inserted immediately after the IP header. If the datagram alreadyhas IPsec header(s), then the AH is inserted before them

Transport mode is used by hosts, not by gateways. Gateways are

not required to support transport mode. The advantage of

transport mode is less processing overhead. The disadvantage isthat mutable fields are not authenticated.

AH in tunnel mode With this mode, the tunneling concept is

applied, a new IP datagram is constructed and the original IP

datagram is made the payload of it. AH in transport mode isapplied to the resulting datagram. Tunnel mode is used whenever

either end of a security association is a gateway. Thus, between

two firewalls, tunnel mode is always used. Gateways often also

support transport mode.


21/22

AH in Tunnel Modes

This mode is allowed when the gateway acts as a host, that is, incases when traffic is destined to the gateway itself. For example,

SNMP commands could be sent to the gateway using transport

mode. In tunnel mode the outer headers' IP addresses do not need

to be the same as the inner headers addresses. For example, two

security gateways can operate an AH tunnel which is used to

authenticate all traffic between the networks they connect

together. This is a very typical mode of operation. The advantages

of tunnel mode include total protection of the encapsulated IP

datagram and the possibility of using private addresses. However,there is extra processing overhead associated with this mode.


22/22

Documents

IPSec - AH.ppt