Virtual Private Networks

Information Security 2 (InfSi2)
4 Virtual Private Networks
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
Andreas Steffen, 1.10.2013, 4-VPN.pptx 1
Layer 2 versus Layer 3 versus Layer 4

Communication layer    Security protocols
Application layer      ssh, S/MIME, PGP, Kerberos, WSS
Transport layer        TLS, [SSL]
Network layer          IPsec
Data Link layer        [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2)
Physical layer         Quantum Communications

4.1 Point-to-Point Protocol (PPP)
PPP-based Remote Access using Dial-In

[Figure: Remote Client -- PSTN (POTS / ISDN), Public Switched Telephone Network -- Remote Access Server -- Private Network. PPP encapsulation: the IP or IPX packet (header plus payload) is carried as the payload of a PPP frame.]

• Authentication using PAP (password), CHAP (challenge/response), or the Extensible Authentication Protocol (EAP) supporting e.g. token cards
• Optional PPP packet encryption (ECP) using preshared secrets
• Individual PPP packets are not authenticated
• The Link Control Protocol (LCP), as well as EAP and ECP, are not protected!!
The PPP Encryption Control Protocol (ECP)

ECP packet (PPP Protocol field 0x8053): Code | ID | Length | ECP Options (algorithm, IV)

• The Encryption Control Protocol (ECP, RFC 1968) uses the same packet exchange mechanism as the Link Control Protocol (LCP, RFC 1661).
• ECP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase and should wait for an optional Authentication phase.
• Exactly one ECP packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x8053.

Encrypted datagram (PPP Protocol field 0x0053): Seq. Nr | Ciphertext

• An encrypted packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x0053 (Encrypted datagram).
• Compression may also be negotiated using the Compression Control Protocol (CCP, RFC 1962).
• ECP implementations should use the PPP Triple-DES Encryption Protocol (3DESE, RFC 2420). DES-EDE3-CBC with a 168 bit key is used.
The PPP Extensible Authentication Protocol (EAP)

EAP packet (PPP Protocol field 0xC227): Code | ID | Length | Type | Data

• Some of the authentication types supported by EAP (RFC 2284):

  Type  Authentication method
   1    Identity
   4    MD5-Challenge
   5    One-Time Password (OTP, RFC 2289)
   6    Generic Token Card
   9    RSA Public Key Authentication
  13    EAP-TLS (RFC 2716, supported by Windows XP)
  15    RSA Security SecurID EAP
  17    EAP-Cisco Wireless
  18    Nokia IP smart card authentication
  23    UMTS Authentication and Key Agreement
  24    EAP-3Com Wireless
  25    PEAP (Protected EAP, supported by Windows XP)
  29    EAP-MSCHAP-V2 (supported by Windows XP)
  35    EAP-Actiontec Wireless
  36    Cogent Systems Biometrics Authentication EAP

4.2 Layer 2/3/4 VPNs
Layer 2 Tunneling Protocol (L2TP) – Compulsory Mode

[Figure: Remote Client -- PPP over PSTN (Layer 2) -- ISP NAS (Network Access Server, acting as LAC) -- L2TP Tunnel, UDP port 1701 over IP, across the Internet (Layer 3) -- LNS -- Private Network.]

Encapsulation on the PSTN link:    PPP | IP, IPX | Payload
Encapsulation in the L2TP tunnel:  IP | UDP | L2TP | PPP | IP, IPX | Payload
Layer 2 Tunneling Protocol (L2TP) – Voluntary Mode

[Figure: Remote Client (acting as LAC) -- PPP over PSTN, Layer 2 connection (wire) -- ISP NAS (Network Access Server) -- Internet, IP -- LNS -- Private Network. The L2TP tunnel (UDP port 1701 over IP) runs end-to-end from the Remote Client to the LNS.]

Encapsulation on the PSTN link:        PPP | IP | UDP | L2TP | PPP | IP, IPX | Payload
Encapsulation between NAS and LNS:     IP | UDP | L2TP | PPP | IP, IPX | Payload
Encapsulation in the private network:  IP, IPX | Payload
Layer 3 Tunnel based on IPsec

[Figure: VPN Client -- PPP over PSTN -- ISP -- Internet, IP -- VPN Gateway -- Private Network. IPsec tunnel from the VPN Client to the VPN Gateway.]

Encapsulation in the private network:  IP | Payload
Encapsulation in the IPsec tunnel:     IP | ESP | IP | Payload
L2TP over IPsec (RFC 3193) – Voluntary Mode

[Figure: Remote Client (acting as LAC) -- PPP over PSTN, Layer 2 connection (wire) -- ISP NAS (Network Access Server) -- Internet, IP -- LNS -- Private Network. The L2TP tunnel from the Remote Client to the LNS is protected by IPsec in transport mode.]

Encapsulation in the private network:               IP, IPX | Payload
L2TP tunnel protected by IPsec transport mode:      IP | ESP | UDP | L2TP | PPP | IP, IPX | Payload
Layer 4 Tunnel based on SSL/TLS

[Figure: Browser with Plugin -- PPP over PSTN -- ISP -- Internet, IP -- SSL/TLS Proxy Server -- Private Network. SSL/TLS tunnel from the Browser to the Proxy Server.]

Encapsulation in the private network:  IP | Payload
Encapsulation in the SSL/TLS tunnel:   IP | TCP* | SSL | IP | Payload

*OpenVPN uses SSL over UDP
Layer 2/3/4 VPNs – Pros and Cons

• Layer 2 – L2TP
  + Same login procedure as PPP (preshared secrets, RADIUS, etc.)
  + Same auxiliary information as with PPP (virtual IP, DNS/WINS servers)
  - No strong security without IPsec: LCP can be cheated into establishing no encryption. Non-authenticated L2TP packets are prone to replay attacks.
• Layer 3 – IPsec
  + Cryptographically strong encryption and authentication of the VPN tunnel
  + Can negotiate and enforce complex VPN access control policies
  + XAUTH and IKEv2-EAP authentication offer PPP-like features
  - Does not allow the tunneling of non-IP protocols (IPX, etc.)
  - Complex connection setup, PKI management overhead
• Layer 4 – TLS
  + Clientless and simple: Internet Browser plus Java Applets or Plugin.
  + Cryptographically strong encryption and authentication of the VPN tunnel
  - Access to certain applications needs a special plugin (still clientless?)

4.3 Multi-Protocol Label Switching (MPLS)
MPLS based Virtual Private Networks

[Figure: IP network of a service provider. Sites of User A and User B attach at the edge routers E1, E2, E3 and E4; label-switched paths L1 to L6 cross the core nodes N1 and N3. Inside the provider network every IP packet carries a label in front of the IP header, LA for User A traffic and LB for User B traffic.]
MPLS Layer 2 Shim Header (RFC 3032)

4 bytes: Label (20 bits) | CoS (Class of Service, 3 bits) | B (Bottom of Stack, 1 bit) | TTL (Time to Live, 8 bits)
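An added example, not from the lecture, that packs and walks the 4-byte shim header just described, reading entries until the Bottom-of-Stack bit is set; the sample label stack and the IPv4 stub behind it are constructed values.

```python
import struct

# Constructed sample (not from the lecture): two shim entries, the second one
# with the Bottom-of-Stack bit set, followed by the start of an IPv4 header.
SAMPLE_STACK = bytes([0x00, 0x01, 0x04, 0x3F,   # label 16, CoS 2, S=0, TTL 63
                      0x12, 0x34, 0x51, 0x40])  # label 74565, CoS 0, S=1, TTL 64
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18      # stub of the IPv4 header behind the stack
SAMPLE_PACKET = SAMPLE_STACK + SAMPLE_PAYLOAD


def encode_shim(label, cos, bottom, ttl):
    """Pack one shim header: 20-bit Label | 3-bit CoS | 1-bit Bottom of Stack | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= cos < 8 and 0 <= ttl < 256):
        raise ValueError("shim field out of range")
    word = (label << 12) | (cos << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_shim(buf):
    """Unpack one 4-byte shim header into (label, cos, bottom_of_stack, ttl)."""
    (word,) = struct.unpack("!I", buf[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


def parse_label_stack(packet):
    """Walk the label stack until the Bottom-of-Stack bit; return (entries, payload).

    A stack without a bottom entry is rejected instead of silently treating
    payload bytes as further labels.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        label, cos, bottom, ttl = decode_shim(packet[offset:offset + 4])
        entries.append({"label": label, "cos": cos, "ttl": ttl})
        offset += 4
        if bottom:
            return entries, packet[offset:]
```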
4.4 IPsec Transport Mode
IPsec – Transport Mode

[Figure: host 194.230.203.86 -- Internet, secure IP connection -- host 160.85.128.3]

• IP datagrams should be authenticated
• IP datagrams should be encrypted and authenticated
IPsec – Transport Mode: IP Authentication Header (AH)

AH: RFC 4302

Before applying AH:  Original IPv4 IP Header | TCP Header | Data
After applying AH:   Original IPv4 IP Header | AH Header | TCP Header | Data
                     authenticated: the whole datagram, except for mutable fields

• IP protocol number for AH: 51
• Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum
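An added example, not from the lecture, showing what "authenticated except for mutable fields" means in practice: the AH integrity check value (HMAC-SHA1-96 here) is computed over the IP header with TOS, Flags/Fragment Offset, TTL and checksum zeroed, the AH header with its ICV field zeroed, and the payload. The IPv4 header, payload and key are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed sample (not from the lecture): IPv4 header 194.230.203.86 -> 160.85.128.3,
# protocol 51 (AH), checksum left at zero; the payload stands in for TCP Header | Data.
IPV4_HEADER = bytes.fromhex("45000040" "1c464000" "40330000" "c2e6cb56" "a0558003")
PAYLOAD = b"TCP header and data would follow here"
KEY = b"constructed-demo-key"


def zero_mutable_fields(ip_header):
    """Zero the mutable IPv4 fields before ICV computation (RFC 4302)."""
    h = bytearray(ip_header[:20])
    h[1] = 0                    # Type of Service
    h[6:8] = b"\x00\x00"        # Flags + Fragment Offset
    h[8] = 0                    # Time to Live
    h[10:12] = b"\x00\x00"      # IP header checksum
    return bytes(h)


def ah_icv(key, ip_header, ah_fixed, payload):
    """HMAC-SHA1-96 over: immutable IP header | AH header (ICV zeroed) | payload."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def build_ah(key, ip_header, payload, spi, seq, next_header=6):
    """AH header: Next Header | Payload Len | Reserved | SPI | Sequence Number | ICV.

    Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4.
    """
    fixed = struct.pack("!BBHII", next_header, 24 // 4 - 2, 0, spi, seq)
    return fixed + ah_icv(key, ip_header, fixed, payload)


def verify_ah(key, ip_header, ah, payload):
    """Recompute the ICV as the receiver does and compare in constant time."""
    return hmac.compare_digest(ah[12:], ah_icv(key, ip_header, ah[:12], payload))
```

Because TTL is excluded, a datagram that crossed routers still verifies, whereas any change to an immutable field such as the source address or to the payload fails the check.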
IPsec – Transport Mode: IP Encapsulating Security Payload (ESP)

ESP: RFC 4303

Before applying ESP:  Original IPv4 IP Header | TCP Header | Data
After applying ESP:   Original IPv4 IP Header | ESP Header | TCP Header | Data | ESP Trailer | ESP Auth
                      encrypted:      TCP Header | Data | ESP Trailer
                      authenticated:  ESP Header | TCP Header | Data | ESP Trailer

• IP protocol number for ESP: 50
• ESP authentication is optional
• With ESP authentication the IP header is not protected.

4.5 IPsec Tunnel Mode
IPsec – Tunnel Mode: Virtual Private Network (VPN)

[Figure: Subnet 10.1.0.0/16 (hosts 10.1.0.2, 10.1.0.3) -- Security Gateway (inner address 10.1.0.1, outer address 194.230.203.86) -- Internet, secure IP tunnel -- Security Gateway (outer address 160.85.180.0, inner address 10.2.0.1) -- Subnet 10.2.0.0/16 (hosts 10.2.0.2, 10.2.0.3)]
IPsec Tunnel Mode using ESP

Encapsulating Security Payload (ESP): RFC 4303

Before applying ESP:  Original IPv4 IP Header | TCP Header | Data
After applying ESP:   Outer IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | ESP Auth
                      encrypted:      Original IP Header | TCP Header | Data | ESP Trailer
                      authenticated:  ESP Header | Original IP Header | TCP Header | Data | ESP Trailer

• IP protocol number for ESP: 50
• ESP authentication is optional but often used in place of AH
• Original IP Header is encrypted and therefore hidden
ESP Header (Initial Header / Payload / Trailer)

After applying ESP, 32-bit words (byte offsets 0 to 3 per row):

  Security Parameters Index (SPI)
  Anti-Replay Sequence Number
  Payload Data (variable, including IV)
  Padding (0-255 bytes)
  ... Padding | Pad Length | Next Header
  Authentication Data (variable)

  authenticated:  SPI through Next Header
  encrypted:      Payload Data through Next Header
IPsec Tunnel Mode CBC Packet Overhead

Fixed overhead per packet (bytes):  Outer IP Header 20, SPI / Seq. Number 8, Pad Len / Next Header 2
Cipher-dependent overhead (bytes):  3DES_CBC IV 8 and max Pad 7; AES_CBC IV 16 and max Pad 15
ICV (bytes):  HMAC_SHA1_96 12, AES_XCBC_96 12, HMAC_SHA2_256_128 16, HMAC_SHA2_384_192 24, HMAC_SHA2_512_256 32

Overhead (bytes)             3DES_CBC               AES_CBC
                          best    worst          best    worst
HMAC_SHA1_96                50       57            58       73
AES_XCBC_96                 50       57            58       73
HMAC_SHA2_256_128           54       61            62       77
HMAC_SHA2_384_192           62       69            70       85
HMAC_SHA2_512_256           70       77            78       93

Best Case Overhead assumes no padding, Worst Case Overhead the maximum padding.
Authenticated Encryption with Associated Data (AEAD)

[Figure: AES-GCM counter block construction with key K. Each 128-bit counter block is Salt (32 bits) | IV (64 bits) | Counter (32 bits), shown for the counter values 0, 1 and 2. Hash Subkey Derivation: the hash subkey H is obtained by encrypting the all-zero block 0...0 under key K.]

• AEAD is based on special block cipher modes:
  • Block size: 128 bits
  • Key size: 128/256 bits
  • Tag size: 128/96/64 bits
  • Nonce size: 96 bits
• Recommended AEAD Modes: AES-Galois/Counter Mode, AES-GMAC (auth. only)
• Alternative AEAD Modes: AES-CCM, CAMELLIA-GCM, CAMELLIA-CCM
IPsec Tunnel Mode AEAD Packet Overhead

Fixed overhead per packet (bytes):  Outer IP Header 20, SPI / Seq. Number 8, AES_GCM IV 8, AES_CNT max Pad 3, Pad Len / Next Header 2

Overhead (bytes)        Tag     best    worst
AES_GCM_64                8       46       49
AES_GCM_96               12       50       53
AES_GCM_128              16       54       57

Additional Authenticated Data (32-bit words, byte offsets 0 to 3 per row):
  Security Parameter Index | Sequence Number              (8 bytes)
or
  Security Parameter Index | Extended Sequence Number     (12 bytes)
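An added example, not from the lecture, that reproduces both overhead tables above (the CBC table and the AEAD table) from their components and goes one step further: it computes the exact ESP padding and overhead for a given inner packet length, and derives a conservative inner MTU for a tunnel. The per-transform sizes are taken from the tables; the 4-byte alignment for AES-GCM follows from the "AES_CNT max Pad 3" entry.

```python
# Constructed example (not part of the lecture): ESP tunnel-mode overhead calculator.
OUTER_IP, SPI_SEQ, PADLEN_NEXT = 20, 8, 2

# cipher -> (IV bytes on the wire, padding alignment in bytes)
# 3DES_CBC pads to 8, AES_CBC to 16; AES-GCM (counter mode) only needs 4-byte alignment.
CIPHERS = {"3DES_CBC": (8, 8), "AES_CBC": (16, 16), "AES_GCM": (8, 4)}

# integrity transform -> ICV or tag length in bytes
ICVS = {"HMAC_SHA1_96": 12, "AES_XCBC_96": 12, "HMAC_SHA2_256_128": 16,
        "HMAC_SHA2_384_192": 24, "HMAC_SHA2_512_256": 32,
        "AES_GCM_64": 8, "AES_GCM_96": 12, "AES_GCM_128": 16}


def esp_padding(inner_len, align):
    """Padding so that Payload Data + Padding + Pad Length + Next Header is a multiple of align."""
    return (-(inner_len + PADLEN_NEXT)) % align


def esp_overhead(cipher, integ, inner_len):
    """Exact ESP tunnel-mode overhead in bytes for an inner IP packet of inner_len bytes."""
    iv_len, align = CIPHERS[cipher]
    return (OUTER_IP + SPI_SEQ + iv_len + esp_padding(inner_len, align)
            + PADLEN_NEXT + ICVS[integ])


def overhead_range(cipher, integ):
    """(best case, worst case) overhead: zero padding versus align-1 bytes of padding."""
    iv_len, align = CIPHERS[cipher]
    fixed = OUTER_IP + SPI_SEQ + iv_len + PADLEN_NEXT + ICVS[integ]
    return fixed, fixed + align - 1


def inner_mtu(outer_mtu, cipher, integ):
    """Inner packet size that always fits the outer MTU, using worst-case padding."""
    return outer_mtu - overhead_range(cipher, integ)[1]
```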
IPsec Tunnel Mode using AH

Authentication Header (AH): RFC 4302

Before applying AH:  Original IPv4 IP Header | TCP Header | Data
After applying AH:   Outer IP Header | AH Header | Original IP Header | TCP Header | Data
                     authenticated: the whole datagram, except for mutable fields of the Outer IP Header

• IP protocol number for AH: 51
• Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum
• ESP can be encapsulated in AH