IPsec ===== Summary of Network Attacks -------------------------- + Snooping - Attacker listens to all traffic on a network link. This requires unencrypted connections. - Attacker take over a router (for example) and can listen and/or modify all traffic passing through the router. This attacker is more powerful than the eavesdropper because she can make modifications to the traffic, block the traffic, or replay previously recorded traffic. + IP Spoofing - Attacker sends an IP packet to a destination using a "fake" source address. Purpose: If the destination is using "IP authentication" (only allow service for certain IP addresses), this would allow the attacker to access the service from what would ordinarily be an unauthorized machine. - The main problem (for the attacker) is that the reply, if any, goes back to the faked source address and thus not to the attacker's actual machine. Also the unsuspecting machine that receives the reply might be confused and respond in a way to negate the attack (the attacker could use a fake source address that doesn't correspond to any machine to avoid that issue). - Particularly useful (to the attacker) for UDP services that don't require connections and for which the attacker doesn't care about the reply. Can be useful for denial-of-service attacks where the reply isn't the point, hiding the true source of the attack is more important. - If TCP is being used, it is hard for attacker to create a valid connection because the attacker must ACK the server's initial sequence number (ISN). Thus the attacker must get the reply or, more likely, guess the ISN without seeing it. Normal TCP connections are formed like this (A is the client; B is the server): A -> SYN -> B (contains A's ISN) A <- SYN-ACK <- B (contains B's ISN, B acks A's ISN) A -> ACK -> B (A acks B's ISN) A -> data -> B It is necessary for the client to ack the server's ISN in the third segment. This is difficult without seeing that ISN in the second segment. Attackers will try to guess what to ACK but this requires the server to pick "easily" guessable ISNs. Security TCP implementations use "random" ISNs, but computing a truly random ISN is computationally expensive. + Attacks Against Routing Protocols The attacker injects routing protocol packets to confuse existing routers into sending everything to the attacker's machine. This allows the attacker to see all data being sent, for example, to the Internet and to simulate all responses from the Internet. + TCP Connection Hijacking The attacker waits until a TCP connection is made (and fully authenticated) and then injects packets on the network to forcibly take it over. a RST segment is sent to one side of the connection to terminate that endpoint. The attacker then poses as that endpoint. This requires noting the sequence numbers in both directions so the injected segments will be seen as in the proper sequence. + SYN Flooding The attacker creates a large number of half open connections with the server to fill its pending connection queue. Ultimately this will prevent legitimate connections from being accepted. It is a form of denial-of-service. Note that the server application has no idea the attack is taking place since it is not informed by the OS about half open connections. A -> SYN -> B (A (bad person) sends a SYN segment to B and nothing else) A <- SYN-ACK <- B (B is now waiting for the ACK from A) A -> SYN -> B (A (bad person) sends a SYN segment to B and nothing else) A <- SYN-ACK <- B (B is now waiting for the ACK from A) A -> SYN -> B (A (bad person) sends a SYN segment to B and nothing else) A <- SYN-ACK <- B (B is now waiting for the ACK from A) A -> SYN -> B (A (bad person) sends a SYN segment to B and nothing else) A <- SYN-ACK <- B (B is now waiting for the ACK from A) etc... Enter IPsec ----------- + Applies security processing at the network layer rather than at the transport layer. - It can be used even for connectionless communications (UDP, raw IP). - It can support applications that have no built-in network security features (no TLS) - It can deal with low level problems that arise before the applications are involved (IP spoofing and SYN flooding). + IPsec consists of - AH Authentication Header (deprecated) - ESP Encapsulating Security Protocol (supports both encryption and authentication) - IPcomp IP compression (not often used due to increased computational overhead) - IKE Internet Key Exchange (used to exchange symmetric keys) + Two modes - Transport Mode. One host to another. Each packet gets "security processing" before it is launched. Here security processing means (perhaps) compression, followed by encryption, followed by the addition of a MAC. - Tunnel Mode. One gateway to another (but can be used with hosts too). Each packet is put inside the payload of an enclosing packet. The enclosing packet gets processed by the gateways and has a source/destination address that corresponds to the gateways. + Security Association (SA) - Cryptographic parameters (algorithms used, keys used) must be "attached" to some state so the endpoints know how to process each packet. With SSL/TLS these parameters can be attached to the connection itself. What about a connectionless protocol such as IP? - A "security association" is mutually agreed-upon collection of crypto parameters to be used for processing certain packets. - The Security Association Database (SAD) is a database of security associations. A machine might have several (many) SAs active at once. + Security Policy - Which packets are to receive IPsec processing? This can be configured based on various parameters such as the protocol (TCP vs UDP), port numbers, IP addresses, and others. A Security Policy Database (SPD) defines a mapping from these "selectors" to the SA to be applied (if any). The SPD defines *which* packets are to be processed. The SAD defined *how* they are to be processed.