Chapter 9: IP Security Flashcards

1
Q

What three functional areas does IP-level security encompass?

A
  1. Authentication
  2. Confidentiality
  3. Key management
2
Q

What is the principal feature of IPSec?

A

It can encrypt and/or authenticate ALL traffic at the IP level.

3
Q

What are some benefits of IPSec?

A
  1. When implemented in a firewall or router, it provides strong security for all traffic passing through the perimeter.
  2. Is resistant to bypass in a firewall –> if all outside traffic must use IP AND the firewall is the only way in.
  3. Sits below TCP and UDP, so it is transparent to applications.
  4. Can be transparent to end users. No training needed.
  5. Can provide security for individual users if needed.
4
Q

What two protocols are used to provide security?

A

Application Header (AH)

Encapsulating Security Payload (ESP)

5
Q

What security services does IPSec provide?

A
  1. Access control
  2. Connectionless integrity
  3. Data origin authentication
  4. Rejection of replayed packets
  5. Confidentiality
  6. Limited traffic flow confidentiality
6
Q

What is the transport mode?

A

It provides protection primarily for upper-layer protocols. The protection extends to the payload of an IP packet (IPv4 datagram/IPv6 packet).

Examples: TCP/UDP segment or ICMP packet.

Typically used for end-to-end communication between two hosts.

7
Q

What is tunnel mode?

A

It provides protection to the entire IP packet.

The entire packet + security fields are treated as the payload of a new outer IP packet with a new outer IP header.

The entire original (inner) packet travels through a tunnel from one point of an IP network to another; no routers along the way are able to examine the inner IP header.

8
Q

When is tunnel mode used?

A

When one or both ends of a security association are a security gateway, such as a firewall or router that implements IPSec.

9
Q

What is a security association (SA)?

A

It is a one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it.

If a peer relationship is needed for a two-way secure exchange, then two SAs are required.

10
Q

What three parameters uniquely identify an SA?

A
  1. Security Parameters Index (SPI): carried in headers to enable the receiving system to select the SA under which a received packet will be processed.
  2. IP destination address
  3. Security protocol identifier: whether it is an AH or ESP SA
11
Q

What is a SAD?

A

A security association database. It defines the parameters associated with each SA.

12
Q

What is a security policy database (SPD)?

A

The means by which IP traffic is related to specific SAs. In its simplest form it contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic.

13
Q

What are the 5 steps for processing outbound packets?

A
  1. Search the SPD for a match.
  2. Match = false –> the packet is discarded and an error message is generated.
  3. Match = true –> processing is determined by the first matching entry in the SPD. Policy = DISCARD or BYPASS. If BYPASS –> forwarded with no further processing.
  4. Policy = PROTECT –> search the SAD for a matching entry. If no entry is found –> IKE is invoked to create an SA.
  5. The matching entry in the SAD determines the processing for this packet, i.e. encryption/authentication, tunnel/transport. The packet is then forwarded.
14
Q

What are the 3 steps for processing inbound packets?

A
  1. Determine whether the packet is unsecured or has an AH or ESP header.
  2. Unsecured = true –> search the SPD for a match. If BYPASS –> forward. If PROTECT or DISCARD or no match –> discard.
  3. Secured = true –> search the SAD. No match –> discard. Match –> apply the appropriate processing; the packet is then delivered to the next higher layer.
15
Q

Which parts of an ESP packet are encrypted?

A

payload data
padding
pad length
next header

16
Q

What fields are in an ESP packet?

A

SPI
Sequence number
Payload data
Padding
Pad length
Next header
Integrity check value

Conditional fields:
IV
Traffic flow confidentiality padding

17
Q

How does the anti-replay service work for ESP packets?

A

It uses the sequence number to thwart replay attacks.

When a new SA is established, the sender initializes a sequence number counter to 0. Each time a packet is sent on this SA, the counter is incremented. When anti-replay is enabled, the sequence number must not cycle past 2^32 - 1 back to 0. If the limit is reached, a new SA must be created.

18
Q

How does transport mode work for ESP?

A

Encrypts and optionally authenticates the data.

The transport-level segment and the ESP trailer are encrypted. Authentication covers the ciphertext and the ESP header.

  1. Source –> encrypts and (optionally) authenticates.
  2. Routed to the destination. Intermediate routers examine and process the IP header.
  3. Destination examines and processes the IP header, then decrypts the packet.

Drawback = traffic analysis is possible.

19
Q

How does tunnel mode work for ESP?

A
  1. Source prepares an inner IP packet, prefixed by an ESP header. The packet and trailer are encrypted and (optionally) authenticated, then encapsulated with a new IP header whose destination is the firewall; this forms the outer IP packet.
  2. Outer packet is routed to the destination firewall. Intermediate routers examine the outer IP header.
  3. Destination firewall examines and processes the outer IP header, decrypts the packet and transmits it on the internal network.
  4. The inner packet is routed to its destination.
20
Q

What is IKE?

A

Internet Key Exchange. It is the key management of IPSec.

21
Q

What is the automated key management protocol referred to as and what elements does it consist of?

A

ISAKMP/Oakley

Oakley key determination protocol: key exchange based on Diffie-Hellman with added security.

Internet security association and key management protocol provides:
1. a framework for internet key management
2. a framework for specific protocol support (incl. formats and negotiation of security attributes)

22
Q

Recall the pros and cons of Diffie-Hellman

A

Pros:
1. Secret keys only created when needed. No long term storage of keys.
2. Exchange requires no pre-existing infrastructure

Cons:
1. Provides no info about identities
2. Vulnerable to MITM attack when employing the basic implementation
3. Computationally intensive

23
Q

What are the five important features of IKE that retain the advantages of DH and counter its weaknesses?

A
  1. Cookies to thwart clogging attacks
  2. Enables two parties to negotiate a group:
    - global parameters of DH exchange
    - ID of the algorithm
  3. Uses nonces to ensure against replay attacks
  4. Enables exchange of DH public key values
  5. Authenticates DH exchange to thwart MITM attacks:
    - Digital signatures
    - Public-key
    - Symmetric-key
24
Q

How does the cookie exchange work?

A
  1. Requires that each side send a pseudorandom number, which the other side acknowledges.
  2. Repeated in the first message of the DH exchange.
  3. Recommended method to create it is to use a fast hash over the IP source and destination addresses, the UDP source and destination ports and a locally generated secret value.
25
Q

What is the IKE working procedure?

A
  1. Traffic requiring IPSec protection is processed
  2. Establish a secure authenticated channel (IKE SA)
  3. Creating two IPSec SAs between the IPSec peers
  4. Data is transmitted
26
Q

The first two pairs of exchanges are referred to as the initial exchanges, what do they do?

A
  1. Two peers exchange information concerning cryptographic algorithms and other security parameters, along with nonces and DH values.

The result is a special SA called the IKE SA –> defines parameters for a secure channel between peers.

  2. Two parties authenticate each other and set up a first IPSec SA to be placed in the SAD(B). Used to protect ordinary (i.e. non-IKE) communication.
27
Q

What does CREATE_CHILD_SA exchange do?

A

Used to establish further SAs for protecting traffic

28
Q

What is the purpose of the informational exchange?

A

To exchange management information, IKEv2 error messages and other notifications.